# ADR-005: Connector Trust and Caching Strategy
## Status
Accepted.
## Context
Connectors ingest data from external or file-based sources (SMP/SML, file, SS7 feeds). Trust anchors, signature validation, caching, and resilience must be defined so that bad or stale data does not compromise resolution.
## Decision
### Per-Connector Requirements
For each connector (SMP/SML, file, SS7, etc.) the following must be defined and documented (see [connectors.md](../architecture/connectors.md)):
- **Trust anchors and signature validation:** Which certificates or keys are trusted for signed payloads; how to validate signatures on ingested bundles. Pinning and trust anchor refresh policy.
- **Caching and refresh:** TTL for cached data, jitter to avoid thundering herd, negative caching (how long to cache "not found" or fetch failure).
- **Resilience:** Timeouts, retries, circuit-breaker thresholds. Behavior on failure: fall back to cached only, fail closed, or fail open (document per connector).
- **Data provenance tagging:** Every ingested record or edge must be tagged with source (e.g. "smp", "file", "gtt_feed"), last_verified (or fetched_at), and optional confidence score. Exposed in resolution evidence and resolution_trace.
### SMP/SML Specifics
- Cache TTL policy: document default TTL for SMP metadata and SML lookups; jitter on refresh.
- Pinning and trust anchors: SML and SMP TLS and optional payload signing; which CAs or pins are accepted.
- Failure behavior: on network or SMP failure, fall back to cached data only; do not serve stale data beyond the max stale window (document the window). No silent fallback to unrelated data.
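
A sketch of the caching and failure behavior described above, added here as an example and not taken from this project's code. The names `ConnectorCache` and `FailClosed`, the default durations, and measuring the max stale window from `fetched_at` are assumptions.

```python
import random
import time
from dataclasses import dataclass
from typing import Optional


class FailClosed(Exception):
    """Fetch failed and no cached copy is inside the max stale window."""


@dataclass
class Entry:
    value: Optional[dict]   # None is a negative entry ("not found")
    fetched_at: float       # provenance: when the source last answered
    expires_at: float       # fetched_at plus the jittered TTL


class ConnectorCache:
    # Default durations are illustrative assumptions, not values from this ADR.
    def __init__(self, fetch, source, ttl=300.0, jitter=0.1, negative_ttl=30.0,
                 max_stale=900.0, clock=time.time, rng=random.random):
        self.fetch, self.source = fetch, source
        self.ttl, self.jitter, self.negative_ttl = ttl, jitter, negative_ttl
        self.max_stale, self.clock, self.rng = max_stale, clock, rng
        self.entries = {}

    def _tagged(self, entry, state):
        # Every answer carries its provenance so it can appear in resolution evidence.
        return {"value": entry.value, "source": self.source,
                "fetched_at": entry.fetched_at, "state": state}

    def get(self, key):
        now = self.clock()
        entry = self.entries.get(key)
        if entry and now < entry.expires_at:
            return self._tagged(entry, "cached")
        try:
            value = self.fetch(key)          # dict, or None for "not found"
        except Exception as exc:
            # Fallback is limited to the cached copy of this same key, and only
            # while it is inside the max stale window; otherwise fail closed.
            if entry and now - entry.fetched_at <= self.max_stale:
                return self._tagged(entry, "stale")
            raise FailClosed(key) from exc
        base = self.ttl if value is not None else self.negative_ttl
        # Jitter spreads expiry over base * (1 +/- jitter) to avoid lockstep refresh.
        expires = now + base * (1 + self.jitter * (2 * self.rng() - 1))
        entry = self.entries[key] = Entry(value, now, expires)
        return self._tagged(entry, "fresh")
```

Injecting `clock` and `rng` keeps the expiry and stale-window boundaries testable without sleeping.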
## Consequences
- Operators can configure trust and cache per connector. Provenance is always available for audit and explainability.