5. Edge Computing & Buffering

Summary: when connectivity is flaky or bandwidth is tight, the edge (meter or gateway) must keep proof moving. That means build windows locally, canonicalize to JSON, sign the bytes, and store-and-forward through a durable queue until ingestion succeeds—without ever creating overlapping windows or replaying data.

What the edge must guarantee

Edge software (on the meter or a site gateway) is responsible for four things:

Window assembly — aggregate raw samples into a single window with start_ts, end_ts, quantity_wh and a unique batch_id per device.
Canonicalization — emit the exact canonical JSON (sorted, minified, fixed units) used to compute evidenceHash.
Signing — sign the canonical JSON bytes (or their SHA-256) with the device key; attach signature in headers.
Durable queue — persist the canonical payload and headers; retry with backoff until the server acknowledges, ensuring idempotency on batch_id.

If any of those fail, do not send. Fix locally, then continue.

Window building

A window is valid when the tuple (device_id, start_ts, end_ts) is strictly increasing and quantity_wh is non-negative. Do not produce overlapping windows. If samples are missing, close the window with what you have, set samples count, and include source_file_hash if you aggregated from exports.

To avoid accidental overlaps, keep the last committed end_ts on disk and start the next window at exactly that value.

Store-and-forward (how buffering works)

When online, send immediately. When offline, write the canonical JSON plus headers to a disk queue. On retry, send the same bytes and the same batch_id. This guarantees idempotency: the server will accept a duplicate only if the bytes are identical.

For time skew handling during outages, include both X-Timestamp (current ms) and X-Orig-Timestamp (ms when the window first closed). The server can apply standard skew to X-Timestamp and relaxed policy to X-Orig-Timestamp.

Security at the edge

Encrypt the local queue at rest. Bind a device certificate to device_id at commissioning. Sign every submission with that key; rotate keys under policy and revoke compromised ones. Keep a tamper-evident log (monotonic counter with hash chain) so you can prove the order of queued windows.

Backoff and backpressure

Use exponential backoff with jitter. Respect a maximum retry period. If the queue grows beyond a threshold (for example, more than N windows or oldest older than T minutes), switch to reduced sampling or shorter windows to lower loss risk, but never violate canonical rules or overlap constraints.

Pseudocode (TypeScript): durable, idempotent queue

type Canonical = string; // exact canonical JSON bytes
type Headers = {
  xDeviceId: string;       // 0x...
  xWindowId: string;       // batch_id
  xNonce: string;          // 0x...
  xTimestamp: number;      // now (ms)
  xOrigTimestamp: number;  // first close (ms)
  xSignature: string;      // base64(sig(canonical))
};

type Item = { canonical: Canonical; headers: Headers };

class DiskQueue {
  constructor(private dir: string) {}
  async push(it: Item) { /* write file; fsync */ }
  async peek(): Promise<Item | null> { /* read head without removing */ return null; }
  async pop() { /* delete head; fsync */ }
  size(): number { return 0; }
}

async function sendOnce(it: Item) {
  const res = await fetch("https://api.edma.app/v1/ingest/meter-window", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-Device-Id": it.headers.xDeviceId,
      "X-Window-Id": it.headers.xWindowId,
      "X-Nonce": it.headers.xNonce,
      "X-Timestamp": String(it.headers.xTimestamp),
      "X-Orig-Timestamp": String(it.headers.xOrigTimestamp),
      "X-Signature": it.headers.xSignature
    },
    body: it.canonical
  });
  if (res.ok) return true;
  // 409 with identical payload = idempotent accept; treat as success
  if (res.status === 409 && (await res.text()) === "DUPLICATE_BATCH_SAME_BYTES") return true;
  return false;
}

async function pump(q: DiskQueue, opts: { baseMs: number; maxMs: number }) {
  let delay = opts.baseMs;
  for (;;) {
    const head = await q.peek();
    if (!head) { await sleep(opts.baseMs); continue; }

    // refresh live timestamp; keep original bytes unchanged
    head.headers.xTimestamp = Date.now();

    const ok = await sendOnce(head);
    if (ok) {
      await q.pop();
      delay = opts.baseMs; // reset backoff
    } else {
      await sleep(delay + Math.floor(Math.random() * 500));
      delay = Math.min(delay * 2, opts.maxMs);
    }
  }
}

This keeps the canonical JSON and batch_id stable (idempotent), updates only X-Timestamp on retry, and never mutates content that would change evidenceHash.

Minimal fields to persist per queued window

Store at least: canonical_json, batch_id, device_id, start_ts, end_ts, quantity_wh, nonce, x_orig_timestamp, signature, and a seq_no (monotonic). With those, you can prove what was produced and in which order.

Health signals to expose

Export simple counters: queue depth, oldest age, send success rate, average retries, overlap rejects, signature failures, and end-to-end latency (window close to server accept). These let you alert before data loss.

Conformance

Assemble windows without overlap; write canonical JSON; compute evidenceHash locally; sign canonical bytes; persist to an encrypted queue; retry with backoff and idempotency on batch_id; send both X-Timestamp and X-Orig-Timestamp; never mutate canonical bytes after enqueue; if the queue grows too large, degrade sampling but keep all rules intact.

Bottom line: compute, sign, and queue at the edge so proof survives bad networks. When the link returns, the pipeline drains safely—with the exact same bytes the attestors will verify.

Last updated 2 months ago