Scrapbook: MVP Architecture Design

Date: 2026-02-16T16:00:00Z

Goal

Design a 60-day MVP architecture for an on-prem CDC-based audit overlay, targeting MySQL first. Must be easy to install, minimal dependencies, secure, and deliver value quickly.

Components from Prompt

A) CDC ingestion (chosen: Debezium Server HTTP or Maxwell HTTP)
B) Event normalization (raw → canonical)
C) Semantic event inference (canonical → business events)
D) Storage (append-only event log + query index)
E) AI layer (summaries, anomaly explanations, semantic search)
F) Interfaces (CLI, optional web UI, MCP server)

Constraints

On-prem friendly: Docker Compose or single binaries.

Minimal dependencies: avoid Kafka; use direct HTTP ingestion.

Security: RBAC, secrets, data minimization.

Quick value: demo with synthetic pharmacy schema.

Initial Thoughts

Ingestion: Run Debezium Server (Java) configured for MySQL connector with HTTP sink. It POSTs JSON events to our Go service endpoint `/ingest`. Alternatively, Maxwell HTTP does similar. Debezium gives richer metadata (transaction ID, source ts) and handles schema changes gracefully.

Normalization: Define `CanonicalChangeEvent` that abstracts DB specifics. Includes: `event_id` (UUID derived from source transaction ID + seq), `source` (db name, table, pk), `operation` (INSERT/UPDATE/DELETE), `before`, `after`, `timestamp`, `transaction_id`. Preserve raw payload as JSON for debugging.

Inference: Simple rule engine (maybe Go-based) that watches sequences of changes to infer higher-level business events. E.g., if an `inventory_adjustments` row changes `quantity` and `reason_code='SALE'`, maybe combine with `sales` table insert to mark a sale completion. Could start with coarse-grained: treat any adjustment as an `InventoryAdjustment` business event. For MVP, inference can be minimal; we mainly want audit trail and anomaly detection on raw changes. But the requirement says semantic event inference, so we need at least a taxonomy.

Storage: Append-only log: store canonical events in a simple table with indexes: `(event_id)` primary key, `(timestamp)`, `(entity_type, entity_id)`, `(event_type)` maybe. SQLite would be simplest (single file, no server). But for query performance and concurrency, Postgres is better. For a single-user on-prem demo, SQLite might suffice; but if we expect high volume, Postgres is safer. Given it's an MVP for a pilot, we can go with SQLite for simplicity (zero ops) and later swap to Postgres if needed. However, our overlay service will be the only writer; indexing a few million rows is fine in SQLite. We'll design repository interface to be swappable.

AI Layer: We need daily audit summaries, anomaly explanations, semantic search. Options:

On-prem LLM via Ollama (e.g., Llama 3.2 70B? Too big? maybe Mistral 7B). Requires GPU or CPU-bound; quality may be lower.

Cloud LLM (OpenRouter, Anthropic) with data minimization: we send only sanitized event snippets (no PII). But on-prem may disallow outbound. We'll support both; default to on-prem for pilot compliance.

Implementation: Precompute daily summary at end-of-day: query events of the day, feed to LLM with prompt: "Summarize audit events for today in 3–4 paragraphs, highlighting anomalies and significant changes." Also anomaly detection could be rule-based (sudden inventory drops, adjustments outside business hours) plus LLM to explain why it's suspicious (reference specific values). Semantic search: use embeddings? Could use local embedding model (BGE) + vector store (SQLite with sqlite-vss) or simple keyword search for MVP. Simpler: use LLM to answer natural language queries by retrieving relevant events via keyword, then summarizing. For MVP, skip full semantic search; just provide filters and a natural language query interface that the LLM can answer with context.

Interfaces:

CLI: `auditctl` commands: `summary --date=YYYY-MM-DD`, `anomalies --start=... --end=...`, `trace entity_type id`, `export format`.

Web UI: optional but nice for demo; could be a simple single-page app (Vite + React) served from the same Go binary? Might be out of scope for MVP; focus on CLI and maybe a simple status page.

MCP server: Model Context Protocol server that exposes tools: `search_events(query)`, `get_daily_summary(date)`, `get_anomalies(date_range, severity)`, `trace_entity(entity_type, id)`, `export_report(format, params)`. This allows ChatGPT or Claude to interact with the overlay directly (Antonio's use case). We'll implement MCP as part of the Go service (MCP SDK exists for Go? Could do JSON-RPC over stdio or HTTP). For MVP, we can implement a simple stdio-based MCP server mode.

Deployment Topology:



+----------------+      +------------------+      +-------------------+

|   MySQL        | ---> |  Debezium Server| ---> |                   |

| (primary or    |      |  (Java)          |      |   Audit Overlay   |

|  replica)      |      +------------------+      |   Service (Go)    |

+----------------+                               |   - Normalizer    |

                                                |   - Inference     |

                                                |   - Storage (SQLite)|

                                                |   - AI (LLM client)|

                                                |   - CLI/MCP       |

                                                +-------------------+

All components run on-prem inside Docker Compose or as systemd services. Single Docker network. The Go service is the core; Debezium Server is an auxiliary process.

Security:

Use environment variables for secrets (DB passwords, LLM API keys).

TLS for internal HTTP between Debezium and overlay? Could use HTTPS with self-signed; or keep on localhost only if same host. For remote DB, use TLS for DB connection.

RBAC: The overlay itself may not need complex RBAC; but we could have basic admin vs read-only users for the CLI? Not needed initially.

Data minimization: Before sending data to LLM, strip or hash PII columns (e.g., customer_name, email). We'll need a configurable masking rule set.

On-prem LLM: by default use Ollama; allow override to cloud LLM with API key and endpoint.

Install Experience:

`docker-compose.yml` defines services: `mysql` (optional, if customer provides their own DB we just connect), `debezium-server`, `audit-overlay`. Or if real DB is external, only our services run.

`./install.sh` sets up config, generates secrets, initializes SQLite db, enables CDC on MySQL (if we have permissions) or prints SQL to run.

`auditctl` CLI binary included.

Single command: `docker-compose up -d` and the system starts consuming.

60-day Milestones:

Week 1–2: Ingestion from MySQL working, events stored.

Week 3: Normalization layer stable, canonical schema defined.

Week 4: Basic inference (e.g., detect inventory adjustments).

Week 5: Storage layer implemented (SQLite), basic queries.

Week 6: AI layer: daily summary + simple anomaly detection (heuristic).

Week 7: CLI polished, initial MCP server.

Week 8: Demo with synthetic pharmacy data; docs and installer.

Build vs Buy (Deliverable 8):

Buy: Use Debezium Server (OSS) as-is; it's a build (but we buy the software? It's free). That's OSS, not custom.

Build vs Buy decision: We are not building a custom MySQL CDC engine; we rely on Debezium (or Maxwell). Building a custom binlog parser in Go would be risky and time-consuming; Debezium is battle-tested. So recommendation: use Debezium Server as the ingestion component. If later we need more control or lower cost (no Java), we could consider building a minimal Go binlog reader, but that's Phase 2, not MVP.

Staged path:

1. MVP: Debezium Server HTTP → overlay.
2. If customers demand lighter footprint, explore Maxwell or Go binlog libs (e.g., `go-mysql`).

Time estimate: Debezium Server integration: 5-7 days (config, testing). Custom Go CDC would be 4-6 weeks for reliability.

---

This scrapbook entry will be refined into Report 2.