jwilger
diff --git a/‎adr/0007-eventcore-as-central-audit-mechanism.md‎
Lines changed: 1 addition & 1 deletion b/‎adr/0007-eventcore-as-central-audit-mechanism.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎adr/0008-dual-path-architecture.md‎
Lines changed: 110 additions & 0 deletions b/‎adr/0008-dual-path-architecture.md‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎adr/0009-ring-buffer-pattern.md‎
Lines changed: 147 additions & 0 deletions b/‎adr/0009-ring-buffer-pattern.md‎
Lines changed: 147 additions & 0 deletions
@@ -1,4 +1,4 @@
-# EventCore as Central Audit Mechanism
+# ADR-0007: EventCore as Central Audit Mechanism
 
 - Status: proposed
 - Deciders: John Wilger, Claude
 
@@ -0,0 +1,110 @@
+# ADR-0008: Dual-path Architecture (Hot Path vs Audit Path)
+
+## Status
+
+Accepted
+
+## Context
+
+Union Square acts as a proxy between applications and LLM providers, requiring us to:
+1. Forward requests to LLM providers with minimal latency (<5ms overhead)
+2. Capture comprehensive audit data for every request/response
+3. Provide analytics, testing, and debugging capabilities
+4. Never become a single point of failure
+
+These requirements create competing concerns:
+- Fast forwarding requires minimal processing
+- Comprehensive capture requires significant processing
+- Reliability requires the proxy to be optional
+
+## Decision
+
+We will implement a dual-path architecture that separates concerns:
+
+1. **Hot Path (Request Forwarding)**
+   - Receives incoming LLM API requests
+   - Performs minimal validation
+   - Immediately forwards to the appropriate provider
+   - Captures raw request/response data in a ring buffer
+   - Returns the provider's response to the caller
+   - Target: <5ms overhead, <1μs for ring buffer write
+
+2. **Audit Path (Async Processing)**
+   - Reads from the ring buffer asynchronously
+   - Processes captured data into EventCore events
+   - Handles all non-critical operations:
+     - Session tracking
+     - Analytics calculation
+     - Test case extraction
+     - Privacy compliance (PII detection)
+     - Cost tracking
+     - Error analysis
+
+### Data Flow
+
+```
+Client Request → Hot Path → LLM Provider
+       ↓            ↓            ↓
+  Ring Buffer ← Raw Data ← Provider Response
+       ↓                         ↓
+  Audit Path                Client Response
+       ↓
+  EventCore Events
+```
+
+### Key Design Principles
+
+1. **Fire and Forget**: Hot path never waits for audit path
+2. **Graceful Degradation**: If ring buffer is full, drop audit data rather than block
+3. **Eventual Consistency**: Analytics and session data are eventually consistent
+4. **Bypass Capability**: Clients can fallback to direct provider connections
+
+## Consequences
+
+### Positive
+
+- Minimal latency impact on LLM API calls
+- System remains responsive even under heavy audit load
+- Can scale hot path and audit path independently
+- Audit processing can be paused/resumed without affecting traffic
+- Supports complex processing without impacting response times
+
+### Negative
+
+- Audit data may be lost if ring buffer overflows
+- Debugging requires correlating across two paths
+- Real-time analytics have eventual consistency delays
+- Additional complexity in deployment and monitoring
+- Requires careful capacity planning for ring buffer
+
+### Mitigation Strategies
+
+1. **Ring Buffer Monitoring**: Alert on high watermarks before overflow
+2. **Backpressure**: Slow audit processing triggers capacity scaling
+3. **Correlation IDs**: Unique IDs link hot path and audit path data
+4. **Health Checks**: Monitor both paths independently
+5. **Replay Capability**: Store raw data for replay if audit processing fails
+
+## Alternatives Considered
+
+1. **Single Path Processing**
+   - Process everything inline
+   - Rejected: Would violate <5ms latency requirement
+
+2. **Queue-based Separation**
+   - Use message queue between paths
+   - Rejected: Adds external dependency and latency
+
+3. **Sidecar Pattern**
+   - Run audit processing as separate process
+   - Rejected: More complex deployment, harder to maintain <1μs handoff
+
+4. **Database Write-through**
+   - Write directly to database from hot path
+   - Rejected: Database writes would exceed latency budget
+
+## Related Decisions
+
+- ADR-0007: EventCore as Central Audit Mechanism (audit path output)
+- ADR-0009: Ring Buffer Pattern for Event Recording (handoff mechanism)
+- ADR-0010: Tiered Projection Strategy (audit path processing)
@@ -0,0 +1,147 @@
+# ADR-0009: Ring Buffer Pattern for Event Recording
+
+## Status
+
+Accepted
+
+## Context
+
+The dual-path architecture (ADR-0008) requires a mechanism to hand off data from the hot path to the audit path with minimal overhead. Our requirements are:
+
+1. <1 microsecond write latency from hot path
+2. No memory allocations in hot path
+3. No blocking operations
+4. Handle variable-sized LLM request/response payloads
+5. Graceful handling of buffer overflow
+6. Support concurrent writers (multiple request threads)
+
+Traditional approaches like queues, channels, or direct database writes would violate our latency requirements.
+
+## Decision
+
+We will implement a lock-free ring buffer specifically designed for our use case:
+
+### Design
+
+1. **Fixed-size Ring Buffer**
+   - Pre-allocated memory pool (configurable, default 1GB)
+   - Divided into fixed-size slots (default 64KB per slot)
+   - Power-of-2 slot count for efficient modulo operations
+
+2. **Lock-free Multi-Producer Single-Consumer (MPSC)**
+   - Multiple hot path threads write concurrently
+   - Single audit path thread reads sequentially
+   - Uses atomic operations for coordination
+
+3. **Slot Structure**
+   ```rust
+   struct Slot {
+       state: AtomicU8,      // EMPTY, WRITING, READY, READING
+       size: AtomicU32,      // Actual payload size
+       timestamp: u64,       // Capture timestamp
+       request_id: Uuid,     // Correlation ID
+       data: [u8; SLOT_SIZE] // Raw payload
+   }
+   ```
+
+4. **Write Algorithm**
+   ```
+   1. Atomically claim next write position
+   2. If slot not EMPTY, increment overflow counter and return
+   3. CAS slot state to WRITING
+   4. Copy data (with size limit)
+   5. Store size and metadata
+   6. CAS slot state to READY
+   ```
+
+5. **Read Algorithm**
+   ```
+   1. Check slot at read position
+   2. If READY, CAS to READING
+   3. Process data
+   4. CAS to EMPTY
+   5. Advance read position
+   ```
+
+### Overflow Handling
+
+- Large payloads are truncated to slot size
+- Truncation flag is set in metadata
+- Full payloads can be requested via separate async path
+- Overflow metrics are tracked for capacity planning
+
+### Memory Layout
+
+```
+[Header (4KB)]
+[Slot 0 (64KB)] [Slot 1 (64KB)] ... [Slot N (64KB)]
+```
+
+Header contains:
+- Write position (atomic)
+- Read position (atomic)
+- Overflow counter (atomic)
+- Configuration parameters
+
+## Consequences
+
+### Positive
+
+- Predictable <1μs write latency
+- No memory allocations after initialization
+- No system calls in hot path
+- CPU cache-friendly sequential access
+- Graceful degradation under load
+- Simple crash recovery (can resume from read position)
+
+### Negative
+
+- Fixed memory overhead (1GB default)
+- Large requests/responses need truncation
+- Lost data on overflow (by design)
+- Single audit reader constraint
+- Complex testing of concurrent scenarios
+
+### Mitigation Strategies
+
+1. **Dynamic Sizing**: Monitor typical payload sizes and adjust slot size
+2. **Overflow Handling**: Track overflow rate and auto-scale buffer size
+3. **Chunking**: Split large payloads across multiple slots if needed
+4. **Backup Writer**: Overflow data can write to secondary storage
+5. **Monitoring**: Extensive metrics on buffer utilization
+
+## Alternatives Considered
+
+1. **LMAX Disruptor Pattern**
+   - More complex, designed for different use case
+   - Rejected: Overkill for our simple handoff needs
+
+2. **Channel/Queue Libraries**
+   - Standard MPSC channels
+   - Rejected: Allocation overhead, unpredictable latency
+
+3. **Memory-mapped Files**
+   - Persistent buffer with mmap
+   - Rejected: System call overhead, page fault risks
+
+4. **Direct Audit Path Calls**
+   - Call audit path directly with async handoff
+   - Rejected: Thread pool overhead, allocation costs
+
+5. **Shared Memory with Semaphores**
+   - Traditional IPC approach
+   - Rejected: System call overhead for synchronization
+
+## Implementation Notes
+
+- Use Rust's `std::sync::atomic` with `Ordering::Relaxed` for counters
+- Use `Ordering::AcqRel` for state transitions
+- Align slots to cache line boundaries (64 bytes)
+- Use `#[repr(C)]` for stable memory layout
+- Benchmark with real LLM payloads to tune parameters
+
+## Related Decisions
+
+- ADR-0008: Dual-path Architecture (defines the need for this pattern)
+- ADR-0007: EventCore as Central Audit Mechanism (consumer of ring buffer data)
+- ADR-0016: Performance Monitoring (ring buffer metrics are critical)
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# EventCore as Central Audit Mechanism`
	`1`	`+# ADR-0007: EventCore as Central Audit Mechanism`
`2`	`2`
`3`	`3`	`- Status: proposed`
`4`	`4`	`- Deciders: John Wilger, Claude`