Architecture Decision Records

This directory contains accepted and proposed architecture decisions for the OpenPacketCore SDK hardening and management-plane work.

ADRs are the durable record of architectural intent. The audit completion reports and implementation status matrix record what was validated; these ADRs record why the shape of the SDK is what it is. Proposed ADRs are included here when they gate in-progress work, but they do not authorize implementation until accepted.

Index

| ADR | Decision |
| --- | --- |
| 0001 | Config management is secure by default, commit-confirmed, audited, and explicitly authorized. |
| 0002 | Config persistence HA uses ConsensusConfigStore with Raft-style quorum safety, authenticated transport, durable membership, and snapshot integrity. |
| 0003 | Authoritative session state uses quorum ordered-log replication with majority-supported repair, not standalone SQLite HA. |
| 0004 | Production identity, TLS, keys, and audit integrity are explicit SDK substrates with fail-closed adapters. |
| 0005 | Runtime health, admin/probe routes, metrics, and alarms are shared SDK surfaces with production authorization and redaction. |
| 0006 | Storage, security, runtime, HA, and release evidence are validated through fail-closed fault injection. |
| 0007 | Operator lifecycle policy logic lives in Rust SDK crates as reusable policy engines. |
| 0008 | Kubernetes operator integration is demonstrated by a Go reference harness without becoming a product CNF operator. |
| 0009 | Production data-plane claims require explicit node-resource, BPF, pod-security, and fallback validation. |
| 0010 | RFC 006 evidence, SBOM/VEX, provenance, bundle verification, performance baselines, and gates are first-class release inputs. |
| 0011 | opc-amf-lite is the SDK vertical integration proof, not a product NF. |
| 0012 | Diagnostics safety and privacy governance boundaries are structured, fail-closed, and compile-gated. |
| 0013 | NGAP requires generated ASN.1 APER code; hand-written and FFI codecs are rejected. |
| 0014 | rustls/tokio-only dependency policy, no gRPC stack in SDK crates, and a measured (not aspirational) MSRV. |
| 0015 | Protocol codecs are proven against spec-authored byte fixtures, never only their own encoder output. |
| 0016 (proposed) | tonic/prost are permitted only for opc-gnmi-server as the ADR 0014 §3 exception; core SDK crates stay gRPC-free. |
| 0017 | Explicitly allowlisted Linux kernel UAPI sys crates, including opc-libsctp-sys and opc-linux-xfrm-sys, hold all unsafe UAPI FFI; this OS-transport exception to ADR 0014 §8 does not reopen ADR 0013's rejection of foreign C codec FFI. |
| 0018 | EPC and untrusted-access additions are limited to SDK-owned reusable mechanisms; product policy, deployment defaults, ePDG orchestration, and carrier-readiness claims remain product-owned. |