Back to SIPswarm
Data Integrity

Every transaction. Every penny.
Provably correct.

Unbillable traffic is lost revenue. Audit failures are compliance risk. SIPswarm generates rated CDRs in the same Rust process that handles the SIP transaction — then proves their integrity with cryptographic hash chains, cross-node Merkle verification, and at-least-once delivery.

Lifecycle

Four phases. One immutable record.

A CDR is born at session start and accumulates data through every phase of the transaction. No data is written after the fact. No log scraping. No reconstruction.

1. INVITE CdrBuilder::new() session_id locked traffic_type set ratesheet_price captured node_id + node_uuid ingress / egress / routing CDR stored to CdrStore 2. NEGOTIATION BidLogEntry (immutable) bid rounds logged negotiation_id correlates bid_price / ask_price receipt GUID proposed prev_hash chains entries append-only, never mutated 3. ACCEPTANCE Receipt confirmed Receipt GUID in ACK = binding negotiated rate cached pricing.negotiated = true rounds finalized winner from parallel fork 4. FINALIZE build_with_timing() timestamp_end set duration_ms calculated quality metrics populated disposition + release_party SHA-256 prev_hash computed Final CDR stored
Record Structure

68 fields. 10 sections. One record.

Every CDR captures the complete story of a transaction — identity, timing, pricing in all directions, quality metrics per traffic type, routing decisions, and a cryptographic audit trail.

Identity (6 fields)

Who, what, and the bilateral proof

cdr_id, session_id, receipt_guid, account_id, transaction_id, traffic_type

Timing (5 fields)

Microsecond-precise session boundaries

timestamp_start, timestamp_end, duration_ms, setup_time_ms, connect_time

Disposition (3 fields)

How and why the session ended

sip_response_code, disconnect_cause, release_party

Parties (5 fields)

Both sides of every transaction

customer_id, customer_group, provider_id, carrier_group, destination

Pricing (7 fields)

Revenue in all three directions

customer_price, provider_price, ratesheet_price, negotiated, negotiation_rounds, currency, price_unit

Quality (11 fields, polymorphic)

Per-traffic-type quality envelope

AI: tokens_in/out, ttft_ms, model_id • Media: mos, codec, packet_loss, jitter • SMS: delivery_status, latency

Routing (9 fields)

The complete routing decision path

node_id, node_uuid, bid_group_hit, lcr_score, failover, routes_attempted, original_digits, stripped_digits, digits_to_carrier

Audit (9 fields)

SHA-256 chain + migration evidence

negotiation_id, bid_log_ref, session_migrated, migration_source_node, inbound_call_id, outbound_call_id, account_id, transaction_id, prev_hash

Ingress (8 fields)

Originating leg capture

source_ip, source_port, customer_name, from_uri, to_uri, request_uri, strip_prefix, transport

Egress (5 fields)

Terminating leg capture

dest_ip, dest_port, provider_name, prepend_prefix, transport
CDR File Naming Convention
cdr_2026-03-23_prod-us-east_node_0001_a7f3c21e_001a.csv
type   date        swarm_id      node_id     node_uuid   hex_seq
Cryptographic Integrity

Tamper one record. Break the entire chain.

Every CDR and bid log entry carries a SHA-256 hash of its predecessor. This is not blockchain. There is no consensus, no mining, no distributed ledger. It is a single-writer-per-node append chain — the simplest possible tamper-evident structure.

Periodically, each node computes a Merkle tree over its chain and exchanges roots with peers via admin SIP PUBLISH. Any discrepancy between nodes triggers an immediate audit alert.

  • SHA-256 hash chain — ~4 microseconds per record in Rust
  • Single writer per node — no consensus overhead
  • Merkle trees computed periodically per node
  • Roots exchanged via admin SIP PUBLISH over mTLS
  • Mismatch = alert + automatic audit trigger
SHA-256 Hash Chain CDR #N-3 prev: 9a1f... H: a3f8... CDR #N-2 prev: a3f8... H: 7c21... CDR #N-1 TAMPERED H: ??? CDR #N prev: MISMATCH H: e91b... CDR #N+1 Chain breaks visibly Merkle Tree + Cross-Node Verification Root H(A+B) H(C+D) A B C D Roots Exchanged via Admin SIP PUBLISH N-01 N-02 N-03 Match = verified Differ = audit alert
Pipeline

At-least-once delivery. Zero-loss architecture.

The MQAL (Message Queue Abstraction Layer) provides pluggable streaming for CDRs, bid logs, and rate sync. Backend selectable per stream: LocalBackend for dev, NATS JetStream for production.

CdrStore DashMap<Uuid, CdrRecord> generated: N shipped: N backlog: N lock-free concurrent atomic counters drain_batch Atomic remove + return batch batch: 100, every 5s records leave store MqalRouter MqalMessage envelope message_id (dedup) sequence (monotonic) payload (JSON batch) CDRs BidLog Rates Events NATS JetStream Publish + Server Ack Consumer group Offset tracking At-least-once ETL Agent Harvests via IPC Writes to disk Local + S3 Azure + GCS SFTP Publish failure → re-store for next cycle Records loop back. Zero loss.
ETL Agent

Write-through. Dual-handle. Sub-millisecond rotation.

The CdrFileWriter maintains two open file handles per type (CDR and attempt): current and next. Records hit local disk within the harvest cycle. When a file reaches its threshold, rotation swaps next to current in under 1 millisecond — the pre-created file is already open and ready.

If local writes fail 3 consecutive times, the CDR Restriction triggers: the node drains all active sessions to prevent unbillable traffic. This is a financial safety mechanism — a node that cannot record transactions must not accept new ones.

  • Harvest loop — drain CDRs every 10s from Rust via IPC
  • Dual file handles — current + next, <1ms rotation
  • CDR Restriction — 3 write failures triggers node drain
  • Multi-destination — local + S3 + Azure Blob + GCS + SFTP
  • Retry buffer — exponential backoff (1, 2, 4, 8, 16, 60s max)
Dual File Handle Rotation current accepting writes fd open + ready next pre-created fd open + waiting <1ms Harvest Loop (every 10s) drain_cdrs(100) write to disk rotate + ship local disk S3 Azure GCS SFTP CDR Restriction (Financial Safety) X X X 3 write failures NODE DRAIN prevents unbillable traffic recover writes ok cancel drain 68 fields per CDR • 2K+ CPS sustainable • pre-formatted CSV from Rust
Bilateral Proof

Dispute evidence built into the protocol.

The Receipt GUID is a bilateral proof of the negotiated rate. The terminating carrier proposes it in the 200 OK. The originator confirms it by echoing in the ACK. From that point, both parties hold the same GUID — immutable evidence of the agreed price.

Originator SIPswarm Terminator INVITE + X-BF-Bid-Price 200 OK + X-BF-Receipt: a7f3 Proposed ACK + X-BF-Receipt: a7f3 Confirmed BYE + X-BF-Receipt: a7f3 In CDR

Proposed

Terminator generates GUID on acceptance. Not yet binding. Either party can still withdraw.

Confirmed

Originator echoes in ACK. Agreement is now binding. Negotiated rate cached for future reference.

Dispute Evidence

Both parties hold the same GUID. Matches the CDR audit trail. Settlement evidence built into the protocol.

Safeguards

Eight layers of data integrity.

Every CDR passes through multiple independent integrity mechanisms before it leaves the node. No single point of failure in the data path.

Born In-Process

CDRs created in the same Rust process that handles SIP. No sidecar. No log scraper. No separate system that might miss a record.

Immutable Records

Append-only data structures. Once a CDR or bid log entry is written, it is never modified. Rust ownership model enforces this at compile time.

Tamper-Evident

SHA-256 prev_hash on every record. Alter one entry and the entire chain breaks. Detectable in microseconds.

Cross-Node Verified

Periodic Merkle trees per node. Roots exchanged via admin SIP PUBLISH. Mismatch triggers immediate audit.

At-Least-Once Delivery

MQAL re-stores CDRs on publish failure. Records loop back to CdrStore for the next drain cycle. Zero loss.

CDR Restriction

3 consecutive local write failures triggers node drain. Node will not accept traffic it cannot record. Financial safety net.

Financial-Grade Audit

Receipt GUID bilateral proof. BidLogEntry immutable per round. Rated CDR with customer + provider + spread. SOC 2 ready.

Multi-Destination

Local filesystem always. Plus S3, Azure Blob, GCS, SFTP. Retry buffer with exponential backoff. Every record arrives.

Ready to see CDR reliability in action?

SIPswarm generates, secures, and delivers rated CDRs with cryptographic proof. No billing system does this.

Request a Demo Technical Questions