# Architecture

See §4 of `ai/p4-rca-agent-briefing.md` for the full layered design.

## Layer Summary

```
Layer 4: Action Execution      — governed tool calls within configured tier
Layer 3: SLM Reasoning         — Ollama / Phi-4, on-demand only
Layer 2: Anomaly Detection     — rule-based + statistical thresholds
Layer 1: Signal Extraction     — go-libp4dlog + p4 monitor + lsof + lslocks
```

The SLM is activated by Layer 2 only — it does not consume raw log stream.

## Key Data Flows

- P4LOG → `tailer.py` (via log2sql subprocess) → SQLite rolling window
- Cron/timer → `collector.py` → SQLite rolling window
- SQLite → `detector.py` → `CandidateIncident`
- `CandidateIncident` → `context_builder.py` → context bundle
- Context bundle → `agent.py` (Ollama) → `RCAResult`
- `RCAResult` → `audit.py` (always) → `actions.py` (if tier allows)