# Architecture Decision Records
This directory contains accepted and proposed architecture decisions for the OpenPacketCore SDK hardening and management-plane work.
ADRs are the durable record of architectural intent. The audit completion reports and implementation status matrix record what was validated; these ADRs record why the shape of the SDK is what it is. Proposed ADRs are included here when they gate in-progress work, but they do not authorize implementation until accepted.
## Index
| ADR | Decision |
|---|---|
| 0001 | Config management is secure by default, commit-confirmed, audited, and explicitly authorized. |
| 0002 | Config persistence HA uses ConsensusConfigStore with Raft-style quorum safety, authenticated transport, durable membership, and snapshot integrity. |
| 0003 | Authoritative session state uses quorum ordered-log replication with majority-supported repair, not standalone SQLite HA. |
| 0004 | Production identity, TLS, keys, and audit integrity are explicit SDK substrates with fail-closed adapters. |
| 0005 | Runtime health, admin/probe routes, metrics, and alarms are shared SDK surfaces with production authorization and redaction. |
| 0006 | Storage, security, runtime, HA, and release evidence are validated through fail-closed fault injection. |
| 0007 | Operator lifecycle policy logic lives in Rust SDK crates as reusable policy engines. |
| 0008 | Kubernetes operator integration is demonstrated by a Go reference harness without becoming a product CNF operator. |
| 0009 | Production data-plane claims require explicit node-resource, BPF, pod-security, and fallback validation. |
| 0010 | RFC 006 evidence, SBOM/VEX, provenance, bundle verification, performance baselines, and gates are first-class release inputs. |
| 0011 | opc-amf-lite is the SDK vertical integration proof, not a product NF. |
| 0012 | Diagnostics safety and privacy governance boundaries are structured, fail-closed, and compile-gated. |
| 0013 | NGAP requires generated ASN.1 APER code; hand-written and FFI codecs are rejected. |
| 0014 | rustls/tokio-only dependency policy, no gRPC stack in SDK crates, and a measured (not aspirational) MSRV. |
| 0015 | Protocol codecs are proven against spec-authored byte fixtures, never only their own encoder output. |
| 0016 | (proposed) tonic/prost are permitted only for opc-gnmi-server as the ADR 0014 §3 exception; core SDK crates stay gRPC-free. |
| 0017 | Explicitly allowlisted Linux kernel UAPI sys crates, including opc-libsctp-sys and opc-linux-xfrm-sys, hold all unsafe UAPI FFI; this OS-transport exception to ADR 0014 §8 does not reopen ADR 0013's rejection of foreign C codec FFI. |
| 0018 | EPC and untrusted-access additions are limited to SDK-owned reusable mechanisms; product policy, deployment defaults, ePDG orchestration, and carrier-readiness claims remain product-owned. |