Arxi System Architecture

Audience: Engineers working across Arxi crates or integrating Arxi with control-plane systems such as Decision Gate.

Executive Overview
Layered Architecture
End-to-End Data Flow
Trust Boundaries and Security Posture
Determinism Model
Current Implementation Scope
File-by-File Cross Reference

Executive Overview

Arxi is a data plane for deterministic evidence recording. It captures unsealed events at adapter boundaries, seals them into hash-chained envelopes, persists them in append-only segment histories, and exports portable bundles for offline verification.

The system is organized as a Rust workspace with strict crate boundaries: core contracts, envelope model, recorder orchestration, storage backends, canonical sidecar config semantics, CLI operations, and a sidecar HTTP service runtime. F:Cargo.toml L9-L26

Layered Architecture

Core contracts (arxi-core)
- Identity newtypes, hash/signature abstractions, filters, schema versioning, and boundary error algebras. F:crates/arxi-core/src/lib.rs L53-L109
Evidence model (arxi-envelope)
- Envelope/segment/bundle types, canonical encoding functions, adapter and provider contracts, and verification result algebra. F:crates/arxi-envelope/src/lib.rs L53-L111
Integration adapters (arxi-decision-gate-adapter)
- First-party deterministic adapter implementing Decision Gate MCP/runpack transcript mapping, redaction/bounds policy, and runpack-integrity checks. F:crates/arxi-decision-gate-adapter/src/lib.rs L1-L40
Recording runtime (arxi-recorder)
- RecorderEngine, BundleBuilder, Verifier, local adapter, and provider implementation. F:crates/arxi-recorder/src/lib.rs L34-L56
Persistence (arxi-store)
- Store traits with SQLite and in-memory implementations. F:crates/arxi-store/src/lib.rs L49-L71
Sidecar config authority (arxi-sidecar-config)
- Canonical sidecar config model, fail-closed runtime validation, and deterministic config projection helpers consumed by arxi-contract. F:crates/arxi-sidecar-config/src/lib.rs
Operational surface (arxi-cli)
- CLI command groups for segment lifecycle, recording, query, bundle, config validation, diagnostics, attachment-aware ingest, and Decision Gate fixture ingest, with handlers split into command and support helper modules. F:crates/arxi-cli/src/main.rs L137-L272 F:crates/arxi-cli/src/commands.rs L19-L29 F:crates/arxi-cli/src/support.rs L19-L23
Network service surface (arxi-sidecar)
- Sidecar HTTP/JSON runtime with auth/bounds/idempotency middleware and recorder/store integration over Unix/TCP listeners, including explicit liveness/startup/readiness probes and enterprise-aware readiness modes. F:crates/arxi-sidecar/src/lib.rs L1-L41 F:crates/arxi-sidecar/src/server.rs L42-L247
Projection contract generation (arxi-contract)
- Deterministic artifact generation/check (Docs/generated/arxi/**) and manifest hash authority (index.json). F:crates/arxi-contract/src/lib.rs

End-to-End Data Flow

Adapter / CLI input
    -> UnsealedEnvelope
    -> RecorderEngine computes content_hash + chain_hash + sequence
    -> EnvelopeStore append (chain continuity enforced)
    -> Segment lifecycle (open/seal, predecessor linkage)
    -> BundleBuilder resolves selector + attachment closure + manifest
    -> Verifier runs 7 phases offline
    -> EvidenceProvider serves bundles/envelope queries to control-plane bridge

Key flow entry points:

Ingest path: RecorderEngine::record_envelope F:crates/arxi-recorder/src/engine.rs L207-L214
Segment lifecycle: open_segment, seal_segment F:crates/arxi-recorder/src/engine.rs L280-L343
Bundle export path: BundleBuilder::build F:crates/arxi-recorder/src/bundle_builder.rs L129-L172
Offline verification path: Verifier::verify F:crates/arxi-recorder/src/verifier.rs L95-L136

Trust Boundaries and Security Posture

Adapter inputs are treated as untrusted and validated fail-closed before recorder append. F:crates/arxi-recorder/src/validation.rs L46-L83
Core identity constructors fail closed on blank/control-character strings, and KeyId enforces canonical lowercase SHA-256 hex shape. String-backed identity types now also enforce explicit max-length policies and constructor-validated serde deserialization. F:crates/arxi-core/src/identity.rs L31-L55 F:crates/arxi-core/src/identity.rs L37-L47 F:crates/arxi-core/src/identity.rs L516-L647
Envelope-layer attachment and segment constructors reject empty/blank/control text inputs for content_type and recorder_id, enforce max-length bounds, and validate serde deserialize boundaries through constructors. F:crates/arxi-envelope/src/attachment.rs L35-L44 F:crates/arxi-envelope/src/attachment.rs L79-L96 F:crates/arxi-envelope/src/segment.rs L42-L56 F:crates/arxi-envelope/src/segment.rs L91-L118
Store append enforces chain continuity and rejects writes to sealed segments. F:crates/arxi-store/src/traits.rs L47-L66
Verifier and provider library boundaries enforce bounded-work fail-closed policies to protect embedding wrappers from unbounded in-memory workloads. F:crates/arxi-recorder/src/verifier.rs L73-L246 F:crates/arxi-recorder/src/evidence_provider.rs L52-L300
SQLite dispatch now uses bounded queue admission and deterministic saturation rejection rather than unbounded operation buffering. F:crates/arxi-store/src/sqlite/connection.rs L42-L136
Sidecar HTTP boundary enforces request identity, optional bearer-token auth with constant-time compare, protocol/header/body bounds, bounded queue and active concurrency gates, timeout fail-closed behavior, and persistent idempotency replay/conflict controls. Probe routes (/health, /startup, /ready) are explicitly exempt from those request gates so orchestration liveness/startup/readiness signals remain observable under stress. F:crates/arxi-sidecar/src/middleware/request_id.rs L15-L30 F:crates/arxi-sidecar/src/middleware/auth.rs L21-L84 F:crates/arxi-sidecar/src/middleware/bounds.rs L21-L172 F:crates/arxi-sidecar/src/idempotency.rs L20-L316
Sidecar container packaging is first-party in-repo and keeps the same fail-closed config + token-hardening model under distroless nonroot runtime and explicit UID/GID bind-mount mapping. F:docker/sidecar/Dockerfile F:docker/sidecar/docker-compose.yml F:docker/sidecar/config/sidecar.toml
Hash equality uses constant-time comparison in core, verifier, and stores. F:crates/arxi-core/src/hash.rs L102-L174 F:crates/arxi-recorder/src/verifier.rs L29-L52 F:crates/arxi-store/src/sqlite/envelope_ops.rs L62-L79

Determinism Model

Determinism is achieved by combining:

canonical JCS encoding for hashable data,
deterministic ordering structures (BTreeMap, sorted vectors),
stable hash and selector logic,
replayable offline verification.

F:crates/arxi-envelope/src/encoding.rs L13-L31 F:crates/arxi-recorder/src/bundle_builder.rs L27-L30 F:crates/arxi-recorder/src/bundle_builder.rs L466-L477

Current Implementation Scope

Implemented now:

Full local recording lifecycle and bundle verification.
SQLite/in-memory store backends.
CLI-driven operations and localized output.
CLI attachment-aware recording (record-with-attachments) with bounded file and inline attachment inputs.
CLI Decision Gate fixture ingest command path wired to production adapter implementation.
System-test harness with registry-driven coverage, including OpenClaw gateway/CLI mock-flow and Decision Gate runpack-flow adapter-ingest integration tests.
CLI expansion system-tests for recorder-id shape validation parity, attachment-recording fail-closed boundaries, auto-seal duration/combined lifecycle behavior, query JSON pagination/limit guardrails, and Decision Gate CLI ingest-fixture success/strict-fail paths.
Production Decision Gate adapter crate (crates/arxi-decision-gate-adapter) with deterministic MCP/runpack mapping, runpack-integrity strict/anomaly policy handling, and transcript redaction/bounds controls.
OpenClaw integration harness mapping policy with deterministic sensitive-field redaction and bounded payload handling for fixture-driven coupling tests.
Decision Gate integration system-tests wired to the production adapter crate, covering signed/unsigned lanes, root-hash and manifest-integrity mismatch fail-closed behavior, and deterministic replay/hash stability.
Sidecar Docker operator profile (docker/sidecar) and system-test coverage for Dockerfile/Compose hardening plus containerized probe/open/record/query flow.
Sidecar readiness semantics now support fail-closed dependency modes: storage-only readiness and storage+enterprise-control readiness.

Current post-core gaps in system-level behavior:

P2 stress/performance system-test expansion remains open.
Sidecar release-grade perf/soak promotion remains opt-in via ARXI_SIDECAR_PERF_GATE=1 and still requires CI profile tuning.

Recently closed system-level hardening items:

Provider listing/fetch now uses stable bundle IDs and fetch-by-ID segment selectors. F:crates/arxi-recorder/src/evidence_provider.rs L125-L229
Recorder verifier/provider now enforce explicit bounded-work policy and reject oversized workloads fail-closed at library boundaries. F:crates/arxi-recorder/src/verifier.rs L73-L246 F:crates/arxi-recorder/src/evidence_provider.rs L52-L300
SQLite operation dispatch now applies bounded queue backpressure with deterministic saturation failure behavior. F:crates/arxi-store/src/sqlite/connection.rs L42-L203
Contract generation now overlays inferred schemas with authoritative runtime constraints and fail-closes on missing constraint pointer targets. F:crates/arxi-contract/src/lib.rs L565-L742
Sidecar contract-generation/projection integration is now implemented with generated API artifacts (openapi/errors/enums/examples/compat) and fail-closed compatibility gates in CI orchestration. F:crates/arxi-contract/src/lib.rs F:scripts/ci/sidecar_contract_gates.py F:scripts/ci/generate_all.sh
Verifier phase 6 now executes trust-root signature checks with policy evaluation (skip warning only when no trust root is provided). F:crates/arxi-recorder/src/verifier.rs L509-L651
Startup read-back verification now executes from RecorderEngine::new when startup_verification_depth > 0. F:crates/arxi-recorder/src/engine.rs L154-L197 F:crates/arxi-recorder/src/engine.rs L380-L543

File-by-File Cross Reference

Area	File	Notes
Workspace boundaries	`Cargo.toml`	Crate membership and lint posture.
Core contracts	`crates/arxi-core/src/lib.rs`	Shared domain primitives and traits.
Envelope model	`crates/arxi-envelope/src/lib.rs`	Evidence data model and contracts.
Recorder runtime	`crates/arxi-recorder/src/engine.rs`	Ingest, chain progression, segment lifecycle.
Bundle + verifier	`crates/arxi-recorder/src/bundle_builder.rs`	Selector resolution and bundle materialization.
Bundle verification	`crates/arxi-recorder/src/verifier.rs`	7-phase offline verification.
Storage traits	`crates/arxi-store/src/traits.rs`	Persistence contract invariants.
SQLite queue boundary	`crates/arxi-store/src/sqlite/connection.rs`	Bounded async-to-sync dispatch and saturation fail-closed behavior.
CLI surface	`crates/arxi-cli/src/main.rs`, `crates/arxi-cli/src/commands.rs`, `crates/arxi-cli/src/support.rs`	Operational command architecture split across dispatch, command handlers, and runtime/utility helpers.
Sidecar service	`crates/arxi-sidecar/src/lib.rs`, `crates/arxi-sidecar/src/server.rs`	HTTP runtime, middleware stack, and transport lifecycle.
Sidecar config/security	`crates/arxi-sidecar-config/src/config.rs`, `crates/arxi-sidecar-config/src/validation.rs`, `crates/arxi-sidecar/src/middleware/auth.rs`, `crates/arxi-sidecar/src/middleware/bounds.rs`, `crates/arxi-sidecar/src/idempotency.rs`	Fail-closed config validation and projection authority plus sidecar auth/bounds controls and persistent idempotency behavior.
Sidecar container packaging	`docker/sidecar/Dockerfile`, `docker/sidecar/docker-compose.yml`, `docker/sidecar/config/sidecar.toml`	First-party container build/runtime profile aligned to sidecar validation/security invariants.
Contract generator	`crates/arxi-contract/src/lib.rs`, `crates/arxi-contract/src/sidecar_api.rs`, `crates/arxi-contract/src/sidecar_api/openapi.rs`, `crates/arxi-contract/src/sidecar_api/artifacts.rs`, `crates/arxi-contract/src/sidecar_api/specs/mod.rs`	Deterministic generated artifact authority + drift checks.
System-tests	`system-tests/README.md`	End-to-end validation contract.
Decision Gate adapter	`crates/arxi-decision-gate-adapter/src/adapter.rs`	Production mapping/redaction/integrity policy implementation for Decision Gate ingest.
OpenClaw integration tests	`system-tests/tests/suites/integration_openclaw.rs`	Fixture-driven adapter ingest verification for external workflow coupling.
OpenClaw integration architecture	Docs/architecture/arxi_openclaw_integration_architecture.md	Versioned mapping and redaction/bounded payload policy contract.
Decision Gate integration tests	`system-tests/tests/suites/integration_decision_gate.rs`	Fixture-driven MCP runpack flow ingest verification for control-plane coupling.
Decision Gate integration architecture	Docs/architecture/arxi_decision_gate_integration_architecture.md	Versioned MCP flow mapping, runpack integrity policy, and transcript redaction/bounds contract.