ADR-005: Connector Trust and Caching Strategy
Status
Accepted.
Context
Connectors ingest data from external or file-based sources (SMP/SML, file, SS7 feeds). Trust anchors, signature validation, caching, and resilience must be defined so that bad or stale data does not compromise resolution.
Decision
Per-Connector Requirements
For each connector (SMP/SML, file, SS7, etc.) the following must be defined and documented (see connectors.md):
- Trust anchors and signature validation: which certificates or keys are trusted for signed payloads, how signatures on ingested bundles are validated, and the pinning and trust anchor refresh policy.
- Caching and refresh: TTL for cached data, jitter to avoid thundering herd, negative caching (how long to cache "not found" or fetch failure).
- Resilience: Timeouts, retries, circuit-breaker thresholds. Behavior on failure: fall back to cached only, fail closed, or fail open (document per connector).
- Data provenance tagging: Every ingested record or edge must be tagged with source (e.g. "smp", "file", "gtt_feed"), last_verified (or fetched_at), and an optional confidence score. These tags are exposed in resolution evidence and resolution_trace.
SMP/SML Specifics
- Cache TTL policy: document default TTL for SMP metadata and SML lookups; jitter on refresh.
- Pinning and trust anchors: SML and SMP TLS and optional payload signing; which CAs or pins are accepted.
- Failure behavior: on network or SMP failure, fall back to cached data only; do not serve stale data beyond the max stale window (document the window). No silent fallback to unrelated data.
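The caching and failure rules above, sketched as an added example (not the project's own code). The policy values, the `ConnectorCache` and `Record` names, and the choice not to serve a stale "not found" are assumptions; the ADR leaves the real values to connectors.md.

```python
import random
from dataclasses import dataclass

# Constructed policy values (seconds); real ones are documented per connector.
TTL, JITTER, NEGATIVE_TTL, MAX_STALE = 300.0, 0.1, 60.0, 3600.0

class FetchError(Exception):
    """Network or SMP failure (timeout, TLS or signature validation error)."""

@dataclass
class Record:
    value: object        # None means a cached "not found"
    source: str          # provenance tag, e.g. "smp"
    fetched_at: float
    expires_at: float    # fetched_at plus the jittered TTL
    stale: bool = False  # True when served from cache after a failed refresh

class ConnectorCache:
    def __init__(self, source, fetch, rng=random.random):
        self.source, self.fetch, self.rng = source, fetch, rng
        self.entries = {}

    def _store(self, key, value, now):
        base = TTL if value is not None else NEGATIVE_TTL
        # Spread expiry over +/- JITTER so entries do not all refresh at once.
        ttl = base * (1 + JITTER * (2 * self.rng() - 1))
        rec = Record(value, self.source, now, now + ttl)
        self.entries[key] = rec
        return rec

    def lookup(self, key, now):
        rec = self.entries.get(key)
        if rec and now < rec.expires_at:
            return rec  # fresh hit, positive or negative
        try:
            return self._store(key, self.fetch(key), now)
        except FetchError:
            # Fall back to the cached entry for the same key only, and only
            # inside the max stale window; a stale "not found" is not served.
            fresh_enough = rec and now - rec.fetched_at <= MAX_STALE
            if fresh_enough and rec.value is not None:
                return Record(rec.value, rec.source, rec.fetched_at,
                              rec.expires_at, stale=True)
            raise  # fail closed
```

The `stale` flag and `fetched_at` travel with the returned record so that resolution evidence can show a result came from cache after a failed refresh.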
Consequences
- Operators can configure trust and cache per connector. Provenance is always available for audit and explainability.