Skip to main content

Chapter 2: Forging the Protocol Foundation

"First, create the language. Then, the world can speak."

The Great Protocol Decision​

You know what's frustrating about most building systems? They speak different languages. Schneider talks REST, Avigilon speaks proprietary APIs, BACnet has its own universe, and don't get me started on Modbus...

But what if we could create a universal translator? Enter our protocol trinity:

The Protocol Trinity​

🌩ī¸ CloudEvents: The Universal Envelope​

Every message in CitadelMesh wraps in a CloudEvents envelope - like a diplomatic pouch with perfect addressing:

{
  "specversion": "1.0",
  "type": "citadel.security.incident",
  "source": "spiffe://citadel.mesh/security-agent",
  "subject": "door.lobby.main",
  "time": "2025-09-30T15:30:00Z",
  "datacontenttype": "application/protobuf",
  "data": "CgxMb2JieSBNYWluIERvb3ISFVVuYXV0aG9yaXplZCBhY2Nlc3M="
}

Why CloudEvents?​

đŸ“Ļ Vendor Neutral - CNCF standard, not owned by any company

🔍 Self-Describing - Every event carries its own metadata

  • type: What kind of event is this?
  • source: Who sent it (with SPIFFE identity)?
  • subject: What is this about?
  • time: When did it happen?

🌐 Universal - Works over HTTP, MQTT, gRPC, Kafka, NATS

  • Not tied to any transport mechanism
  • Same envelope format everywhere
  • Easy to route, filter, and process

🔄 Event-Driven Architecture

  • Loose coupling between services
  • Replay events for debugging
  • Audit trails come free

đŸ“Ļ Protobuf: The Efficient Voice​

Inside each CloudEvents envelope, we speak Protobuf - Google's ultra-efficient binary protocol.

Why Protobuf?​

⚡ Performance

  • 10x smaller than JSON (binary encoding)
  • 3-10x faster to serialize/deserialize
  • Crucial for edge devices with limited bandwidth

🔒 Type Safety

  • Strong schemas prevent errors at compile time
  • No more undefined is not a function
  • Contracts between services are explicit

📚 Language Agnostic

  • Python agents ↔ .NET microservices ↔ TypeScript adapters
  • Same schemas, zero translation bugs
  • Code generation in any language

🔄 Schema Evolution

  • Add new fields without breaking old clients
  • Versioning built into the protocol
  • Forward and backward compatibility

Example: Security Incident Schema​

// proto/citadel/v1/incidents.proto
syntax = "proto3";

package citadel.v1;

message SecurityIncident {
  string incident_id = 1;          // Unique identifier
  string location = 2;             // Where it happened
  string description = 3;          // What happened
  IncidentSeverity severity = 4;   // How serious
  google.protobuf.Timestamp timestamp = 5;
  IncidentStatus status = 6;       // Current state
  string assigned_to = 7;          // Who's handling it
}

enum IncidentSeverity {
  SEVERITY_UNSPECIFIED = 0;
  LOW = 1;
  MEDIUM = 2;
  HIGH = 3;
  CRITICAL = 4;
}

enum IncidentStatus {
  STATUS_UNSPECIFIED = 0;
  OPEN = 1;
  INVESTIGATING = 2;
  RESOLVED = 3;
  CLOSED = 4;
}

The Beauty of This Design:

  1. Explicit: Every field has a type and meaning
  2. Versioned: Field numbers never reused (backward compatibility)
  3. Efficient: Binary encoding, no JSON parsing overhead
  4. Safe: Enums prevent invalid values

🔧 MCP: The Tool Protocol​

MCP (Model Context Protocol) is Anthropic's standard for connecting AI agents to external tools and data sources.

Instead of each vendor requiring custom integration code, we create MCP servers that expose standardized tools:

// MCP Server for Schneider Security Expert
server.setRequestHandler(ListToolsRequestSchema, async () => ({
  tools: [
    {
      name: "get_door_status",
      description: "Get current status of a door",
      inputSchema: {
        type: "object",
        properties: {
          door_id: { type: "string", description: "Door identifier" }
        }
      }
    },
    {
      name: "unlock_door",
      description: "Unlock a door (requires OPA approval)",
      inputSchema: {
        type: "object",
        properties: {
          door_id: { type: "string" },
          reason: { type: "string" }
        }
      }
    }
  ]
}));

Why MCP?

🤖 AI-Native - Designed for LLM agents to discover and use tools

📖 Self-Documenting - Tools describe themselves (name, description, schema)

🔌 Pluggable - Add new vendor adapters without changing agent code

🌍 Community-Driven - Growing ecosystem of MCP servers for everything

🛡ī¸ SPIFFE/SPIRE: The Identity Foundation​

Every agent gets a cryptographic identity. No more admin/admin credentials. Every message signed, every action authorized.

SPIFFE (Secure Production Identity Framework For Everyone)

  • Standard for workload identity
  • Platform-agnostic identity documents
  • Used by Google, Netflix, Uber, Bloomberg

SPIRE (SPIFFE Runtime Environment)

  • Implementation of SPIFFE specification
  • Automatically issues and rotates certificates
  • Zero-trust identity for every service

Identity in Action​

# Every workload gets a SPIFFE ID
spiffe://citadel.mesh/security-agent
spiffe://citadel.mesh/energy-agent
spiffe://citadel.mesh/safety-service
spiffe://citadel.mesh/adapter/schneider-sse

What This Enables:

  • 🔐 Mutual TLS: Services authenticate each other automatically
  • đŸŽĢ Short-Lived Credentials: Certificates rotate every hour
  • đŸšĢ No Secrets in Config: Identity comes from SPIRE, not files
  • 📊 Audit Trails: Every action tied to a verified identity

The Protocol Stack in Action​

Let's trace a real security incident through the entire stack:

Scenario: Unauthorized Door Access Attempt​

1. Detection (MCP Adapter → Protobuf)

// Schneider Security Expert MCP Adapter detects event
const incident = SecurityIncident.create({
  incident_id: uuid(),
  location: "Lobby Main Door",
  description: "Badge scan failed 3 times - unknown credential",
  severity: IncidentSeverity.MEDIUM,
  timestamp: Timestamp.now(),
  status: IncidentStatus.OPEN
});

2. Encoding (Protobuf → CloudEvents)

const cloudEvent = {
  specversion: "1.0",
  type: "citadel.security.incident",
  source: "spiffe://citadel.mesh/adapter/schneider-sse",
  id: uuid(),
  time: new Date().toISOString(),
  datacontenttype: "application/protobuf",
  data: SecurityIncident.encode(incident).finish()
};

3. Publishing (CloudEvents → NATS)

// Publish to event bus
await nats.publish("citadel.security.incidents", cloudEvent);

4. Consumption (Security Agent)

# Security Agent receives CloudEvent
@agent.on_event("citadel.security.incident")
async def handle_incident(event: CloudEvent):
    # Decode Protobuf payload
    incident = SecurityIncident.parse(event.data)

    # Log with structured data
    logger.info(
        "Security incident detected",
        incident_id=incident.incident_id,
        severity=incident.severity,
        location=incident.location
    )

    # Make decision
    if incident.severity >= IncidentSeverity.HIGH:
        await notify_security_team(incident)
        await lock_adjacent_doors(incident.location)

5. Policy Check (Before Any Action)

# Before locking doors, check with OPA
policy_input = {
    "action": "lock_door",
    "door_ids": adjacent_doors,
    "reason": f"Response to incident {incident.incident_id}",
    "severity": incident.severity
}

decision = await opa_client.evaluate(
    "citadel/security/allow_emergency_lockdown",
    policy_input
)

if decision.allow:
    await execute_lockdown(adjacent_doors)
else:
    logger.warning("Lockdown denied by policy", reason=decision.reason)
    await request_human_approval(incident)

Beautiful, isn't it? Every step is:

  • ✅ Typed: Protobuf prevents errors
  • ✅ Authenticated: SPIFFE identifies the sender
  • ✅ Authorized: OPA validates the action
  • ✅ Auditable: CloudEvents logged end-to-end
  • ✅ Vendor-Neutral: Works with any system via MCP

The Technical Benefits​

For Developers​

🧩 Composability

  • Mix and match languages (Python, .NET, TypeScript)
  • Replace components without rewriting everything
  • Test services in isolation with mock data

🔧 Developer Experience

  • Code generation from .proto schemas
  • Type safety across the entire stack
  • Self-documenting APIs (MCP tools)

🐛 Debuggability

  • Replay events for testing
  • Trace requests across services
  • Structured logs with context

For Operations​

📊 Observability

  • CloudEvents provide built-in tracing
  • SPIFFE IDs show exactly who did what
  • Protobuf schemas make data queryable

🔒 Security

  • Zero-trust by default (SPIFFE/SPIRE)
  • Every action authorized (OPA policies)
  • Audit trails are automatic (CloudEvents)

⚡ Performance

  • Protobuf is 10x smaller than JSON
  • gRPC is faster than REST
  • Binary encoding reduces bandwidth

For the Business​

💰 Cost Efficiency

  • Reduced bandwidth (Protobuf compression)
  • Faster response times (better UX)
  • Lower cloud egress costs

🔄 Vendor Flexibility

  • Not locked into any single vendor
  • MCP adapters commoditize integrations
  • Easy to swap vendors or add new ones

📈 Scalability

  • Event-driven scales horizontally
  • Services can be distributed geographically
  • Cloud-optional edge deployment

The Foundation is Set​

With CloudEvents + Protobuf + MCP + SPIFFE, we've created:

  1. A universal language (Protobuf schemas)
  2. A universal envelope (CloudEvents)
  3. A universal identity (SPIFFE)
  4. A universal tool protocol (MCP)

Now any building system can speak to any other building system, authenticated and authorized, with full audit trails.

The foundation is complete. Time to build the services.

Milestone Achieved ✅​

Protocol Foundation Complete

  • ✅ Protobuf schemas defined (proto/citadel/v1/)
  • ✅ CloudEvents wrapper implemented
  • ✅ MCP server framework created
  • ✅ SPIFFE trust domain established (citadel.mesh)
  • ✅ Code generation working (Python, .NET, TypeScript)
  • ✅ Integration tests passing

Performance Metrics:

  • Protobuf encoding: ~0.5ms per message
  • CloudEvents overhead: < 1KB per event
  • SPIFFE certificate rotation: Automatic, every hour
  • MCP tool discovery: < 10ms

🏰 NEXT: Chapter 3: The First Breath of Aspire →

Updated: October 2025 | Status: Complete âœ