Context
BSFG transports durable facts across independent zones (Enterprise, IDMZ, Plants). The boundary layer must guarantee:
- durable append before transmission
- replayability after network partition
- deterministic audit reconstruction
- zone autonomy
The buffering substrate therefore determines whether the system naturally preserves audit-grade historical evidence or behaves primarily as a task queue.
Options Considered
| Option | Description | Benefits | Drawbacks |
|---|---|---|---|
| Queue-centric messaging | Traditional broker queues (consume-and-delete semantics). | simple task dispatch mature tooling |
history disappears after consumption weak audit reconstruction replay requires external archiving |
| Database-backed event table | Append events into relational database tables. | familiar infrastructure SQL querying |
poor streaming characteristics operational coupling with application schema limited replay semantics |
| Log-centric streaming substrate (Selected) | Append-only fact streams retained for replay. | deterministic history natural replay fits compliance-by-design supports asynchronous replication |
requires retention governance log growth must be managed |
Decision
BSFG will use a log-centric fact transport. Facts are appended to retained streams and replicated between zones.
Each zone operates its own JetStream domain containing a small fixed set of streams:
- facts.operational
- facts.audit
- facts.documents
Streams are partitioned by subject prefix rather than proliferating streams.
Consequences
Benefits:
- durable fact history
- deterministic replay across partitions
- compliance-friendly audit reconstruction
- clear separation between transport and interpretation
Tradeoffs:
- log retention must be governed
- large artifacts must be stored out-of-band in object storage