Arxi Recorder Runtime and Bundle Architecture

Audience: Engineers changing ingest/runtime behavior, bundle export, or verification paths.

---

Table of Contents

1. Executive Overview
2. Recorder Engine Lifecycle
3. Auto-Seal and Segment Sealing
4. Adapter Boundary
5. Bundle Builder Pipeline
6. 7-Phase Verifier
7. Evidence Provider Boundary
8. Runtime Hardening Status
9. File-by-File Cross Reference

---

Executive Overview

arxi-recorder is the runtime orchestration layer. It seals untrusted input into append-only chain-linked envelopes, controls segment lifecycle, builds portable bundles from selector algebra, and verifies bundles offline in-memory.

F:crates/arxi-recorder/src/lib.rs L11-L29 F:crates/arxi-recorder/src/lib.rs L34-L56

---

Recorder Engine Lifecycle

RecorderEngine owns active segment state and enforces invariants:

• zero or one active segment,
• sequence starts at 0 per segment,
• chain head progression per append,
• append-only behavior.

F:crates/arxi-recorder/src/engine.rs L22-L35 F:crates/arxi-recorder/src/engine.rs L108-L137

Startup behavior:

• validates RecorderConfig,
• rejects malformed recorder_id values during config validation,
• recovers active segment metadata if present,
• executes startup read-back verification for active segment tails when startup_verification_depth > 0. F:crates/arxi-recorder/src/engine.rs L154-L197 F:crates/arxi-recorder/src/engine.rs L372-L543

Ingest behavior:

• content hash and chain hash calculation,
• optional signature injection,
• store append,
• in-memory chain-head and envelope-count update. F:crates/arxi-recorder/src/engine.rs L376-L436

---

Auto-Seal and Segment Sealing

Configuration supports None, AfterCount, AfterDuration, and Combined. Zero-value thresholds are rejected at validation. recorder_id must satisfy the same identity-shape constraints used by runtime actor identifiers, so invalid IDs fail closed at startup instead of later in segment/seal flows. F:crates/arxi-recorder/src/config.rs L36-L85 F:crates/arxi-recorder/src/config.rs L117-L165

Sealing flow:

• seal appends system.segment.sealed as final envelope,
• persists SealRecord,
• marks segment sealed and clears active state. F:crates/arxi-recorder/src/engine.rs L438-L503

Auto-seal evaluation is invoked after each successful data-envelope append. F:crates/arxi-recorder/src/engine.rs L505-L565

---

Adapter Boundary

LocalRecorderAdapter wraps RecorderEngine in tokio::sync::Mutex to satisfy shared Send + Sync trait requirements while preserving exclusive mutable runtime access. F:crates/arxi-recorder/src/local_adapter.rs L20-L24

emit_envelope and emit_with_attachments both call explicit fail-closed validation before recorder delegation. F:crates/arxi-recorder/src/local_adapter.rs L120-L165 F:crates/arxi-recorder/src/validation.rs L46-L83

---

Bundle Builder Pipeline

BundleBuilder::build pipeline:

1. resolve selector,
2. group envelopes by segment deterministically,
3. build per-segment inclusion metadata,
4. compute omitted parents and attachment closure,
5. assemble verification manifest.

F:crates/arxi-recorder/src/bundle_builder.rs L17-L35 F:crates/arxi-recorder/src/bundle_builder.rs L129-L172

Selector algebra includes segment/time/filter/ID selectors and composite unions with deterministic dedup via BTreeMap. F:crates/arxi-recorder/src/bundle_builder.rs L415-L479

Partial segments use proof anchors (chain_hash immediately preceding first included envelope) for continuity verification. F:crates/arxi-recorder/src/bundle_builder.rs L255-L290

---

7-Phase Verifier

Verifier::verify executes in-memory bundle checks in this order:

1. manifest format/hash-algorithm and structural-integrity checks,
2. attachment hash integrity,
3. envelope content hash and attachment presence,
4. per-segment chain continuity,
5. cross-segment predecessor linkage,
6. signature verification with optional trust root + trust policy,
7. verdict assembly.

Before phase execution, the verifier enforces a bounded-work policy and fails closed if limits are exceeded (segments, per-segment envelopes, total envelopes, total attachments, and per-envelope attachment refs).

F:crates/arxi-recorder/src/verifier.rs L13-L26 F:crates/arxi-recorder/src/verifier.rs L95-L136 F:crates/arxi-recorder/src/verifier.rs L500-L651

All hash comparisons use constant-time equality. F:crates/arxi-recorder/src/verifier.rs L29-L52

---

Evidence Provider Boundary

RecorderEvidenceProvider implements the EvidenceProvider trait by delegating to store query, bundle builder, and verifier. F:crates/arxi-recorder/src/evidence_provider.rs L48-L67

Methods:

• list_bundles enumerates sealed segments with stable IDs derived from segment IDs and supports cursor/limit semantics,
• fetch_bundle resolves the requested bundle ID to a sealed segment and builds with BundleSelector::BySegment,
• verify_bundle delegates to 7-phase verifier,
• query_envelopes delegates to envelope store filter queries.

Provider boundary controls now include explicit fail-closed limit normalization/rejection for request limits and segment-envelope materialization bounds.

F:crates/arxi-recorder/src/evidence_provider.rs L123-L286

---

Runtime Hardening Status

Recently completed in runtime:

1. Verifier phase 6 now enforces trust-root key lookup, cryptographic signature validation, and trust-policy checks when a trust root is provided.
2. Recorder startup now performs fail-closed read-back verification over the last N envelopes of the active segment (startup_verification_depth).
3. Evidence provider now exposes stable bundle IDs and true fetch-by-ID semantics for sealed segments.
4. Verifier phase 1 now fail-closes on manifest structural tampering (segment metadata and attachment list mismatches).
5. Recorder config validation now fail-closes malformed recorder_id values before runtime open/seal behavior is reached.
6. Verifier now enforces explicit bounded-work limits at the library boundary.
7. Evidence provider now enforces bounded query/list/materialization limits and rejects oversized caller-provided limits.
8. System tests now cover manifest structural tamper, single-open-segment enforcement, and persistence corruption fail-closed paths end-to-end.

F:crates/arxi-recorder/src/verifier.rs L509-L651 F:crates/arxi-recorder/src/engine.rs L154-L197 F:crates/arxi-recorder/src/engine.rs L380-L543 F:crates/arxi-recorder/src/evidence_provider.rs L52-L300 F:system-tests/tests/suites/bundle.rs L563-L684 F:system-tests/tests/suites/recorder.rs L279-L327 F:system-tests/tests/suites/persistence.rs L375-L468

---

File-by-File Cross Reference

Area	File	Notes
Engine lifecycle	crates/arxi-recorder/src/engine.rs	Open/record/seal flow and chain progression.
Runtime config	crates/arxi-recorder/src/config.rs	Auto-seal and startup configuration invariants.
Adapter boundary	crates/arxi-recorder/src/local_adapter.rs	In-process adapter implementation.
Input validation	crates/arxi-recorder/src/validation.rs	Fail-closed unsealed envelope checks.
Bundle builder	crates/arxi-recorder/src/bundle_builder.rs	Selector resolution and deterministic bundle assembly.
Verifier	crates/arxi-recorder/src/verifier.rs	7-phase verification algorithm.
Evidence provider	crates/arxi-recorder/src/evidence_provider.rs	Pull-side evidence interface implementation.
Error model	crates/arxi-recorder/src/error.rs	Recorder-specific failure taxonomy.