Skip to content

Observability Matrix

Status: Roadmap

Last reviewed: 2026-05-15

This roadmap defines the future monitoring and audit telemetry plane for NexusNet. It is a design target, not current behavior.

The goal is to make every agent produce structured observations that can be used by:

  • user-facing system status checks.
  • node health monitoring.
  • network performance monitoring.
  • SD-WAN path selection and failover.
  • security audit and compromise detection.
  • long-term TimeDB / TimescaleDB analysis.

Target Architecture

text
agent runtime
  -> observability collector modules
  -> local bounded queue
  -> secure control stream MetricsReport frame
  -> backend telemetry ingest module
  -> hot status cache + audit event stream + TimeDB hypertables
  -> dashboard, health checks, SD-WAN decision engine, alerting

Module Boundaries

ComponentPlanned moduleResponsibility
Agent collector rootnexus-agent/src/observability/mod.rsOwns the collection loop, local queue, rate limits, and report batching.
Agent system collectornexus-agent/src/observability/system.rsCPU, memory, disk, process, boot identity, binary measurement, and runtime health.
Agent network collectornexus-agent/src/observability/network.rsInterfaces, IP addresses, DNS view, public address view, route table, socket/listener status.
Agent performance collectornexus-agent/src/observability/perf.rsRTT, jitter, packet loss, throughput, TCP_INFO, QUIC DATAGRAM, Noise, and L3 metrics.
Agent security collectornexus-agent/src/observability/security.rsConfig hash, credential epoch, pin validation, config replay/apply state, suspicious events, and integrity signals.
Agent event packernexus-agent/src/observability/report.rsNormalizes events into protobuf envelopes and sends them over the secure control stream.
Backend ingest rootnexus-backend/src/telemetry/mod.rsVerifies report identity, deduplicates events, classifies severity, and dispatches to storage.
Backend status enginenexus-backend/src/telemetry/status.rsMaintains current node/link/system state for dashboard and health APIs.
Backend TimeDB writernexus-backend/src/telemetry/timedb.rsWrites time-series samples into the TimescaleDB instance.
Backend audit bridgenexus-backend/src/telemetry/audit.rsConverts security and control-plane observations into durable audit entries.
SD-WAN signal buildernexus-backend/src/telemetry/sdwan.rsProduces path score inputs for route selection and failover.

gRPC Envelope

The existing secure control stream already has SECURE_FRAME_KIND_METRICS_REPORT. Future work should extend MetricsReport into a versioned observability envelope rather than creating another unauthenticated channel.

Planned shape:

protobuf
message ObservabilityReport {
  string node_id = 1;
  uint64 sequence = 2;
  google.protobuf.Timestamp collected_at = 3;
  string schema_version = 4;
  string agent_version = 5;
  string config_hash = 6;
  uint64 config_version = 7;
  string credential_epoch = 8;
  repeated Observation observations = 9;
}

message Observation {
  string id = 1;
  string category = 2;       // system, network, performance, security, audit
  string subject_type = 3;   // node, link, listener, route, upstream, credential
  string subject_id = 4;
  string severity = 5;       // debug, info, warn, critical
  google.protobuf.Timestamp observed_at = 6;
  map<string, string> labels = 7;
  bytes payload_json = 8;
}

Rules:

  • Reports are sent only inside the encrypted secure control stream.
  • node_id, sequence, config_hash, and credential_epoch are mandatory.
  • Backend must reject stale or replayed sequences per active control session.
  • Payloads are typed by category and subject_type; backend persists raw JSON and extracts indexed fields into typed tables.
  • Reports must be bounded. Large detail objects are sampled, truncated, or sent as diagnostic artifacts in a later design.

Data Matrix

Security And Audit Signals

SignalLabelsFieldsUse
Config appliedconfig_version, config_hash, signature_idapply result, listener hash, route hash, durationDetect stale config, failed rollout, rollback.
Config replay stateconfig_version, config_hash, replay_sourcerequested version, applied hash, duplicate skipped, replay latency, backend session id hashRestart recovery, stale config detection, and rollout audit.
Credential epochcredential_epoch, credential_ids_hashactive key ids hash, revoked key ids hash, next rotation timeRevocation and stale-key detection.
SPKI pin validationupstream_id, pin_id, transportexpected pins, observed SPKI SHA-256, result, peer addressDetect MITM between agent and upstream.
REALITY validationcredential_id, server_name, short_id, listeneraccept/reject reason, target host, protocol, peer addressREALITY abuse detection and route audit.
Noise handshakecredential_id, listener, peer_node_idresult, handshake duration, rekey count, error kindDetect Noise failure spikes or stale keys.
Control sessionsession_id_hash, psk_fingerprintopen/close reason, sequence window, rekey ageDetect duplicate sessions, replay, abnormal disconnects.
Node identity driftnode_idboot id hash, machine id hash, binary hash, public IP/ASN, regionDetect cloned nodes or unexpected relocation.
Integrity signalbinary_hash, config_hashprocess start time, executable path hash, container image digestDetect replaced agent binary or unexpected runtime.
Operator action echoaudit_id, resource_typeapplied version, node ack set, failed node setCorrelate user action with distributed apply state.

System Status Signals

SignalLabelsFieldsUse
Node resource snapshotnode_idCPU, memory, load average, uptime, process RSS, fd countNode health and capacity planning.
Disk statemountfree bytes, inode pressure, read-only flagDetect host storage pressure and agent instability.
Process statepid, agent_versionrestart count, panic count, last error class, runtime thread countAgent health status.
Clock statenode_idwall clock offset, monotonic drift estimate, NTP sync stateTLS/REALITY validity and log ordering.
Capability reportfeaturesupported, enabled, reason, kernel versionDCO, GSO/GRO, TUN, QUIC DATAGRAM readiness.
Listener statetransport, listen_addr, listen_portbound, owner, route count, policy hash, bind errorPort conflict and routing status.

Network State Signals

SignalLabelsFieldsUse
Interface snapshotifnameaddresses, MTU, carrier, rx/tx counters, drops, errorsLink health and SD-WAN availability.
Route table snapshottable, ifnamedefault route, route count, managed route hashDetect route drift and L3 apply failures.
Public address viewsourceobserved IPv4/IPv6, ASN, region, changed flagNode reachability and clone detection.
DNS viewresolveranswer set hash, latency, failure rateDetect poisoned DNS or regional divergence.
Peer reachabilitypeer_node_id, transportreachable, last success, failure reason, NAT observationSD-WAN peer graph.
Upstream reachabilityupstream_id, transportconnect success, error class, observed peer cert pinOrigin health and MITM detection.

Network Performance Signals

SignalLabelsFieldsUse
Peer link metricpeer_node_id, transportRTT, jitter, packet loss, throughput estimateSD-WAN path score.
TCP_INFO snapshotlistener, upstreamsrtt, rttvar, cwnd, retrans, pmtuTCP path quality and congestion insight.
QUIC connection metricroute_id, upstreamhandshake time, RTT, loss, cwnd, datagram sent/received/droppedQUIC REALITY path score.
Noise session metricpeer_node_idhandshake duration, packets, bytes, decrypt failuresUDP ENC health.
L3 tunnel metricnetwork_id, endpoint_id, peer_endpoint_idpackets, bytes, drops, MTU errors, route installsL3 health and routing decisions.
Listener route metricchain_id, listeneractive connections, total connections, errors, bytes in/outCapacity and policy tuning.
Health probe metricupstream_idTCP connect time, TLS pin result, REALITY resultOrigin selection and alerting.

User-Facing Status Signals

StatusInputsOutput
Node statuscontrol session, resource snapshot, config ack, listener stateonline, degraded, offline, maintenance, compromised-suspected
Link statuspeer reachability, RTT, loss, jitter, QUIC/Noise errorshealthy, degraded, unstable, down
Upstream statusreachability, pin validation, route errors, health probeshealthy, degraded, pin-mismatch, unreachable
Security statuspin mismatch, identity drift, stale credential epoch, config replay mismatchnormal, suspicious, compromised-suspected
SD-WAN scorelatency, loss, jitter, throughput, stability, security flagsnumeric route score and reason codes

TimeDB Storage Plan

The backend compose file already includes a postgres-timescale service for future metrics. The ingest module should separate current-state tables from time-series hypertables.

Planned hypertables:

HypertableTime columnPrimary dimensionsExamples
node_metric_tstimenode_id, metricCPU, memory, disk, process counters.
link_metric_tstimenode_id, peer_node_id, transportRTT, jitter, loss, throughput.
listener_metric_tstimenode_id, transport, listen_addr, listen_portroute counts, active connections, errors.
route_metric_tstimenode_id, route_id, chain_id, network_idbytes, packets, connection count.
security_event_tstimenode_id, event_type, severitypin mismatch, identity drift, stale config.
probe_result_tstimenode_id, target_id, probe_typeTCP connect, TLS pin, REALITY, DNS.
sdwan_score_tstimesrc_node_id, dst_node_id, transportscore, selected path, reason codes.

Retention:

  • high-frequency raw samples: 7-14 days.
  • downsampled 1-minute rollups: 30-90 days.
  • security events and audit-derived records: retain according to audit policy.

Backend Processing Pipeline

Planned ingest flow:

  1. Decrypt SecureFrame.
  2. Decode ObservabilityReport.
  3. Verify node identity, active session, sequence, config hash, and schema version.
  4. Deduplicate observations by (node_id, sequence, observation_id).
  5. Update hot status cache.
  6. Write selected samples to TimeDB.
  7. Convert security observations to audit log entries.
  8. Emit SD-WAN decision inputs.

Backend must not trust node-reported compromise signals alone. Security status should combine self-reports with cross-node probes and backend-side facts.

Cross-Node Verification

To detect MITM or compromised routes, backend should schedule independent probes:

  • Ask multiple nodes to observe the same upstream SPKI pin.
  • Compare DNS answers and public address views across regions.
  • Compare REALITY handshake result and observed target behavior.
  • Mark a node as suspicious when only that node reports divergent pins or route behavior.

Cross-node verification is a detection layer; it is not a replacement for TPM or remote attestation.

Security Requirements

  • Never send plaintext private keys or PSKs in telemetry.
  • Hash identifiers when exact values are not needed.
  • Redact IPs only when the feature can still function; SD-WAN and health logic often need exact endpoint addresses.
  • Treat agent telemetry as untrusted input until verified against control-plane state and cross-node observations.
  • Security observations must include enough context for audit review but must not include secret material.

Implementation Phases

PhaseStateWork
1. Schema and modulesPlannedAdd observability agent module, telemetry backend module, and versioned report protobuf.
2. Config replay auditPlannedReport config hash, signature id, replay/apply state, listener hash, and apply result.
3. Security pinsPlannedReport SPKI pin validation results and pin mismatch events.
4. System and listener statusPlannedReport resource snapshots, listener bind state, route counts, and capability reports.
5. Network performancePlannedReport peer link, TCP_INFO, QUIC, Noise, L3, and health probe metrics.
6. TimeDB ingestPlannedAdd typed TimescaleDB hypertables, retention, and rollup policy.
7. SD-WAN signalsPlannedFeed route score inputs from TimeDB/current status into SD-WAN policy.
8. Attestation-ready signalsPlannedAdd boot id, binary hash, image digest, TPM measurement placeholders, and trust-level scoring.

NexusNet documentation