Page 1: Constraints & Architectural Topology
The Autonomy Requirement
Modern plant architectures require two operational modes: Normal (direct synchronous exchange possible) and Autonomous (boundary sealed due to network partition). In Autonomous mode, neither zone may block the other; both must continue operating, with data surviving the partition and reconciling effectively once (no loss, no duplicate insertion) upon reconnection.
Objectives vs. Non-Objectives
| Architectural Objectives | Explicit Non-Objectives |
|---|---|
| Producer Non-Blocking: Emitters complete writes immediately regardless of remote state | Not Shared Database: No 2PC or synchronous replication across zones |
| Effectively-Once Boundary: No loss within envelope; no duplication at gateway via idempotent insertion | Not Sync RPC: No request/response coupling or open connections awaiting remote ack |
| Mechanism Agnosticism: Supports messages, state snapshots, deltas as opaque byte sequences | Not Global Ordering: No causality enforcement; vector clocks transported as opaque metadata only |
| Fast Swappability: Any component replaceable via hexagonal ports | Not Semantic Transformation: No schema normalization at boundary |
The Four-Buffer Decomposition
BSFG implements the minimal factorization of durability × availability × directionality:
- Ingress Store Buffer (ISB): External perimeter. Durable write-ahead log; retains until explicit acknowledgment from IFB. Guarantees producer non-blocking.
- Ingress Forward Buffer (IFB): Internal perimeter. Idempotent staging with putIfAbsent(idempotencyKey, payload). Configurable keys: H(payload) (default), H(canonicalized payload), or explicit producer_event_id. Provides local read availability.
- Egress Store Buffer (ESB): Internal perimeter. Mirrors ISB for outbound flow.
- Egress Forward Buffer (EFB): External perimeter. Mirrors IFB for external pickup.
The Gate Abstraction: A logical circuit breaker separating connectivity from communication. When closed, synchronous paths drop but asynchronous buffer-to-buffer handoffs continue via replay from cursors.
Idempotency Without Reconciliation Workers
Unlike traditional exactly-once implementations requiring active deduplication services, BSFG pushes idempotency to the storage interface layer. The atomic putIfAbsent operation at IFB/EFB (linearizable per key) eliminates duplicates without background workers, satisfying the fast swappability constraint.
Page 2: Protocol, Implementation & Proof
Handoff Protocol & Frontier Semantics
- Proposal: ISB proposes entry at offset n with payload p and idempotency key k
- Insertion: IFB executes atomic putIfAbsent(key=k, payload=p)
  - If k exists: returns AlreadyExists (duplicate suppressed)
  - If k new: writes and returns Confirmed(offset=n)
- Cursor Advancement: Cursor Tracker updates highest_contiguous_committed_offset to the maximal contiguous confirmed prefix. ISB truncates only entries ≤ this frontier.
- Recovery: On restart, replay from checkpointed cursor; duplicates are reported as AlreadyExists by the IFB idempotency layer and count toward the frontier, since the entry is already durable at the IFB.
Critical Constraint: Ack frontier is contiguous by offset; truncation is safe only for the maximal contiguous confirmed prefix, ensuring no gaps in durability.
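As an added example (not code from the project or its NATS/JetStream reference implementation), the TypeScript below models the ISB, IFB and Cursor Tracker in memory and runs the handoff protocol above end to end: the three idempotency-key strategies from the IFB description, putIfAbsent with the bytewise collision fallback, a cursor that advances only over a contiguous confirmed prefix, and two constructed scenarios: a restart that replays from a stale checkpoint, and a producer_event_id reused for different bytes, which leaves a gap that blocks truncation. The page's ports return Promises; the adapters here are synchronous so the example runs stand-alone. The sorted-key JSON canonicalization, the optional identity argument to putIfAbsent and the names MemStoreBuffer, MemForwardBuffer, deliver and truncateToFrontier are assumptions made for this example.

```typescript
// Added example, not the project's reference implementation: in-memory adapters for the StoreBuffer /
// ForwardBuffer / CursorTracker ports plus one ISB -> IFB handoff pass. The page's ports return Promises;
// these are synchronous so the demo runs stand-alone. Sorted-key JSON canonicalization and the optional
// `identity` argument to putIfAbsent (the bytes the key was derived from) are assumptions.
import { createHash } from "node:crypto";
import { Buffer } from "node:buffer";

export type Offset = number;
export type Entry = { offset: Offset; payload: Uint8Array; headers: Record<string, string> };
export type PutStatus = "Confirmed" | "AlreadyExists" | "Collision";
export type KeyStrategy = "hash" | "canonical-hash" | "producer-id";
export type Keyed = { key: string; identity: Uint8Array };
const sha256 = (b: Uint8Array): string => createHash("sha256").update(b).digest("hex");
const enc = (s: string): Uint8Array => Buffer.from(s, "utf8");

// Sorted-key JSON so semantically equal payloads derive the same key.
function canonicalJson(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonicalJson).join(",") + "]";
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  const o = v as Record<string, unknown>;
  return "{" + Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonicalJson(o[k])).join(",") + "}";
}

// The three key derivations the page lists: H(payload), H(canonicalized payload), producer_event_id.
export function idempotencyKey(e: Entry, strategy: KeyStrategy): Keyed {
  if (strategy === "hash") return { key: sha256(e.payload), identity: e.payload };
  if (strategy === "canonical-hash") {
    const canon = enc(canonicalJson(JSON.parse(Buffer.from(e.payload).toString("utf8"))));
    return { key: sha256(canon), identity: canon };
  }
  const id = e.headers["producer_event_id"];
  if (!id) throw new Error("producer_event_id header missing");
  return { key: id, identity: e.payload }; // id reuse with different bytes surfaces as Collision
}

// Store buffer: append-only log; truncation removes only a contiguous prefix.
export class MemStoreBuffer {
  private log: Entry[] = [];
  private next: Offset = 0;
  append(payload: Uint8Array, headers: Record<string, string> = {}): Offset {
    this.log.push({ offset: this.next, payload, headers });
    return this.next++;
  }
  truncateBefore(offset: Offset): void { this.log = this.log.filter((e) => e.offset >= offset); }
  replay(from: Offset): Entry[] { return this.log.filter((e) => e.offset >= from); }
  size(): number { return this.log.length; }
}

// Forward buffer: atomic per key here only because the demo is single-threaded; a real adapter needs a
// linearizable conditional insert. A key hit compares identity bytes: the page's collision fallback.
export class MemForwardBuffer {
  private entries = new Map<string, { payload: Uint8Array; identity: Uint8Array }>();
  putIfAbsent(key: string, payload: Uint8Array, identity: Uint8Array = payload): PutStatus {
    const existing = this.entries.get(key);
    if (existing === undefined) { this.entries.set(key, { payload, identity }); return "Confirmed"; }
    return Buffer.compare(existing.identity, identity) === 0 ? "AlreadyExists" : "Collision";
  }
  size(): number { return this.entries.size; }
}

// Cursor tracker: highest_contiguous_committed_offset advances only over a gap-free run of confirms.
export class CursorTracker {
  private pending = new Set<Offset>();
  private frontier: Offset = -1; // -1 = nothing committed yet
  confirm(offset: Offset): Offset {
    this.pending.add(offset);
    while (this.pending.delete(this.frontier + 1)) this.frontier++;
    return this.frontier;
  }
  get highestContiguousCommittedOffset(): Offset { return this.frontier; }
}

// Handoff pass: replay from the checkpoint, insert idempotently, confirm. Confirmed and AlreadyExists
// both mean the entry is durably at the IFB; a Collision is left unacknowledged.
export function deliver(isb: MemStoreBuffer, ifb: MemForwardBuffer, cursor: CursorTracker, strategy: KeyStrategy, checkpoint: Offset): PutStatus[] {
  return isb.replay(checkpoint).map((e) => {
    const k = idempotencyKey(e, strategy);
    const st = ifb.putIfAbsent(k.key, e.payload, k.identity);
    if (st !== "Collision") cursor.confirm(e.offset);
    return st;
  });
}
// Truncation is a separate step: drop entries <= frontier and nothing beyond a gap.
export function truncateToFrontier(isb: MemStoreBuffer, cursor: CursorTracker): Offset {
  const f = cursor.highestContiguousCommittedOffset;
  isb.truncateBefore(f + 1);
  return f;
}

// Constructed scenario 1: T2 re-sent with reordered JSON keys, then a restart replays from a stale
// checkpoint (offset 0) before anything was truncated.
export function restartDemo() {
  const isb = new MemStoreBuffer(), ifb = new MemForwardBuffer(), cursor = new CursorTracker();
  for (const p of ['{"tag":"T1","v":1}', '{"tag":"T2","v":2}', '{"v":2,"tag":"T2"}']) isb.append(enc(p));
  const first = deliver(isb, ifb, cursor, "canonical-hash", 0);    // Confirmed, Confirmed, AlreadyExists
  const replayed = deliver(isb, ifb, cursor, "canonical-hash", 0); // all AlreadyExists, no double insert
  const frontier = truncateToFrontier(isb, cursor);                 // 2; the ISB is now empty
  return { first, replayed, ifbSize: ifb.size(), frontier, isbSize: isb.size() };
}

// Constructed scenario 2: producer_event_id "e1" reused for different bytes; the collision stays
// unacknowledged, so the frontier stops at 0 and offsets 1 and 2 are retained for an operator.
export function gapDemo() {
  const isb = new MemStoreBuffer(), ifb = new MemForwardBuffer(), cursor = new CursorTracker();
  for (const [p, id] of [["a", "e1"], ["b", "e1"], ["c", "e2"]] as const) isb.append(enc(p), { producer_event_id: id });
  const statuses = deliver(isb, ifb, cursor, "producer-id", 0); // Confirmed, Collision, Confirmed
  return { statuses, frontier: truncateToFrontier(isb, cursor), isbSize: isb.size() }; // 0, 2
}
```

Two design points are worth noting. AlreadyExists advances the cursor exactly like Confirmed: after a crash between insertion and checkpointing, the duplicates seen on replay are what let the frontier catch up, which is why the idempotency layer rather than a reconciliation worker makes restart safe. And a Collision is deliberately not acknowledged, so the contiguous-prefix rule holds the colliding entry and everything after it in the store buffer until an operator decides, rather than silently merging two different payloads under one key.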
Hexagonal Implementation & Backends
All buffers implement narrow interfaces:
```typescript
type Bytes = Uint8Array;
type Headers = Record<string, string>;
type Offset = number;
type Key = string;
type Entry = { offset: Offset; payload: Bytes; metadata: Headers };
type Status = { kind: "Confirmed"; offset: Offset } | { kind: "AlreadyExists" };

interface StoreBuffer {
  append(payload: Bytes, metadata: Headers): Promise<Offset>; // never blocks on remote state
  truncateBefore(offset: Offset): Promise<void>;              // contiguous prefix only
  replay(from: Offset): AsyncIterator<Entry>;
}
interface ForwardBuffer {
  putIfAbsent(key: Key, payload: Bytes): Promise<Status>;     // atomic, linearizable per key
}
```
Storage adapters implement the StoreBuffer, ForwardBuffer, and CursorTracker ports. See Hexagonal Architecture for the port interfaces and NATS/JetStream Reference for the reference implementation.
Proof by Exclusion (EIP Analysis)
Within the Enterprise Integration Patterns taxonomy, BSFG is the minimal viable composition:
- Request-Reply (#154): Eliminated—violates Producer Non-Blocking (synchronous wait)
- Message Bus (non-durable): Eliminated—violates No Loss (volatile in-flight data)
- Guaranteed Delivery (#101, unidirectional): Eliminated—fails bidirectional autonomy
- Shared Database: Eliminated—violates transactional autonomy (requires 2PC)
- Messaging Bridge (#133): Eliminated—assumes simultaneous availability, lacks staging
Result: BSFG uniquely satisfies all constraints via dual Store-and-Forward channels + Idempotent Receiver pattern (content-addressed) + Gateway abstraction.
Operational Posture & Safety
Backpressure: Configurable policies. Standard deployments may drop the oldest unacknowledged entries, accepting bounded loss under sustained partition; safety-critical/SIL-regulated deployments must reject new writes and escalate to an operator, so that nothing already accepted into the envelope is discarded.
Threat Mitigation:
- Replay Attacks: TTL windows + timestamp metadata validation
- Hash Flooding: Cryptographic hash (SHA-256) with collision fallback to bytewise compare
- Tampering: Content-hash verifies integrity; authenticity via mTLS + optional signed metadata
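As an added example (not the project's code), the admission check below shows how the replay and tampering mitigations compose on a single inbound entry before it is proposed to the forward buffer: a timestamp header is checked against a TTL window and an allowed clock skew, then the SHA-256 of the opaque bytes is compared against the carried content hash in constant time. The header names x-ts and x-content-hash, the policy values, the function names admit and sampleVerdicts, and the sample entries are constructed for this example.

```typescript
// Added example, not the project's code: gateway-side admission check for one inbound entry.
// Header names x-ts / x-content-hash and the policy numbers are assumptions.
import { createHash, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

export type Verdict = "accept" | "reject:missing-metadata" | "reject:stale" | "reject:future" | "reject:tampered";
export type AdmissionPolicy = { ttlMs: number; skewMs: number };

export function admit(payload: Uint8Array, headers: Record<string, string>, policy: AdmissionPolicy, nowMs: number): Verdict {
  const ts = Number(headers["x-ts"]);
  const claimed = headers["x-content-hash"];
  if (!Number.isFinite(ts) || !claimed) return "reject:missing-metadata";
  // Replay window: a capture older than the TTL is refused outright; inside the window a replay of
  // identical bytes is the IFB's job (putIfAbsent answers AlreadyExists).
  if (nowMs - ts > policy.ttlMs) return "reject:stale";
  if (ts - nowMs > policy.skewMs) return "reject:future";
  // Integrity: recompute SHA-256 over the opaque bytes; constant-time compare avoids a timing oracle.
  const actual = Buffer.from(createHash("sha256").update(payload).digest("hex"), "utf8");
  const expected = Buffer.from(claimed.toLowerCase(), "utf8");
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return "reject:tampered";
  return "accept";
}

// Constructed samples: honest entry, late replay, modified bytes, future-dated entry, missing hash.
export function sampleVerdicts(): Verdict[] {
  const policy: AdmissionPolicy = { ttlMs: 60000, skewMs: 5000 };
  const now = 1700000000000;
  const body = Buffer.from('{"tag":"T1","v":1}', "utf8");
  const h = createHash("sha256").update(body).digest("hex");
  return [
    admit(body, { "x-ts": String(now - 1000), "x-content-hash": h }, policy, now),
    admit(body, { "x-ts": String(now - 120000), "x-content-hash": h }, policy, now),
    admit(Buffer.from('{"tag":"T1","v":9}', "utf8"), { "x-ts": String(now - 1000), "x-content-hash": h }, policy, now),
    admit(body, { "x-ts": String(now + 30000), "x-content-hash": h }, policy, now),
    admit(body, { "x-ts": String(now) }, policy, now),
  ];
}
```

The content hash proves integrity only if it reaches the gateway over an authenticated path (mTLS, or a signed header as the page notes); an attacker who can rewrite the payload in transit can recompute the hash just as easily. The TTL window also has to be chosen together with forward-buffer retention: if the IFB ever expires keys, a capture replayed after expiry would pass putIfAbsent again, so the timestamp check must refuse anything older than the key-retention window.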
Standards: IEC 62264 (Gateway), ISA-95 (Level 3/4), OPC UA PubSub Store-and-Forward (IEC 62541-14), EIP #101/#128/#201.
Normative authority: Architecture Specification