Native File Ingestion Pipelines: Implementation Architecture & Production Patterns
Native file ingestion represents the foundational stage of any defensible ESI Ingestion & Processing Workflows. Unlike converted or normalized formats, native files preserve original filesystem metadata, embedded objects, and application-specific structures that must be captured without modification. A production-grade ingestion pipeline must enforce strict chain-of-custody boundaries, implement memory-aware asynchronous processing, and route files deterministically based on type, size, and schema compliance. This guide details the implementation architecture for native file ingestion, emphasizing production-ready Python patterns, structured observability, and deterministic fallback routing.
Memory-Aware Async Architecture & Backpressure Control
Native file processing demands strict control over memory footprint and I/O concurrency. Litigation datasets routinely contain multi-terabyte volumes with highly variable file sizes, from kilobyte text files to multi-gigabyte CAD or PST containers. Blocking I/O and unbounded buffering will trigger out-of-memory (OOM) conditions or stall worker threads. The pipeline must leverage asyncio for non-blocking disk operations, enforce explicit memory ceilings per batch, and apply backpressure through bounded queues.
File ingestion should stream data in fixed-size chunks (typically 4–8 MB) rather than loading entire files into RAM. Each chunk is processed sequentially for integrity verification, MIME classification, and metadata extraction before being flushed to downstream stages. Batching is governed by a sliding window that respects both memory limits and worker concurrency caps. When memory pressure exceeds thresholds, the pipeline must pause intake, drain pending tasks, and resume only when resources normalize.
import asyncio
import aiofiles
import hashlib
import logging
from pathlib import Path
from typing import AsyncGenerator, Dict, Any
from dataclasses import dataclass
logger = logging.getLogger("native_ingestion")
@dataclass(frozen=True)
class PipelineConfig:
chunk_size: int = 4 * 1024 * 1024 # 4 MB
max_queue_depth: int = 50
memory_ceiling_mb: int = 2048
worker_concurrency: int = 8
class AsyncIngestionWorker:
def __init__(self, config: PipelineConfig):
self.config = config
self.queue: asyncio.Queue[Path] = asyncio.Queue(maxsize=config.max_queue_depth)
self.active_bytes = 0
self._lock = asyncio.Lock()
async def _check_memory_pressure(self, file_size: int) -> bool:
async with self._lock:
if self.active_bytes + file_size > self.config.memory_ceiling_mb * 1024 * 1024:
return True
self.active_bytes += file_size
return False
async def _release_memory(self, file_size: int):
async with self._lock:
self.active_bytes -= file_size
async def stream_file_chunks(self, file_path: Path) -> AsyncGenerator[bytes, None]:
async with aiofiles.open(file_path, mode="rb") as f:
while chunk := await f.read(self.config.chunk_size):
yield chunk
async def process_file(self, file_path: Path) -> Dict[str, Any]:
file_size = file_path.stat().st_size
# Apply backpressure with an iterative wait loop rather than recursion,
# which would otherwise risk stack exhaustion under sustained pressure.
while await self._check_memory_pressure(file_size):
logger.warning("Memory ceiling reached. Backpressure applied. Waiting for drain.")
await asyncio.sleep(0.5)
hasher = hashlib.sha256()
try:
async for chunk in self.stream_file_chunks(file_path):
hasher.update(chunk)
finally:
await self._release_memory(file_size)
return {
"path": str(file_path),
"size_bytes": file_size,
"sha256": hasher.hexdigest(),
"status": "ingested"
}
MIME Detection & Deterministic Routing
Accurate file classification precedes all downstream processing. Extension-based detection is legally insufficient; binary signature analysis is required to satisfy evidentiary standards. Implementing Using libmagic for accurate MIME type detection in eDiscovery ensures that files are routed to appropriate handlers based on actual content rather than superficial naming conventions. Misclassified files must be quarantined immediately to prevent pipeline corruption or downstream extraction failures.
Routing decisions should be encoded as a deterministic state machine. Supported MIME types proceed to hashing and metadata extraction. Unsupported or encrypted formats trigger a fallback route to a secure quarantine directory with structured audit logging. Ambiguous files undergo secondary signature scanning before final disposition.
The flowchart below shows how a classified MIME type is routed to one of the three terminal dispositions.
flowchart TD
C["Classify MIME type"] --> D{"In allowlist?"}
D -->|"yes"| P["PROCESS hash and extract"]
D -->|"no"| A{"Ambiguous container?"}
A -->|"yes"| S["SECONDARY_SCAN signature recheck"]
A -->|"no"| Q["QUARANTINE with audit log"]
S --> D
import magic
from enum import Enum, auto
class RouteDecision(Enum):
PROCESS = auto()
QUARANTINE = auto()
SECONDARY_SCAN = auto()
ALLOWED_MIMES = {
"application/pdf", "text/plain", "application/msword",
"application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"message/rfc822", "application/vnd.ms-outlook"
}
def classify_and_route(file_path: Path) -> RouteDecision:
mime = magic.from_file(str(file_path), mime=True)
if mime in ALLOWED_MIMES:
return RouteDecision.PROCESS
elif mime in ("application/x-executable", "application/x-dosexec", "application/zip"):
return RouteDecision.SECONDARY_SCAN
else:
return RouteDecision.QUARANTINE
Chain-of-Custody Hashing & Schema Validation
Every native file must be cryptographically hashed at the point of ingestion to establish an immutable chain of custody. Streaming hash computation, as detailed in Cryptographic Hash Generation, guarantees that memory constraints do not compromise digest accuracy. SHA-256 is the industry standard for litigation holds and production exports.
Following hash generation, extracted metadata and structural attributes must be validated against recognized legal data models. Validating each record against the Electronic Discovery Reference Model (EDRM) XML schema ensures that custodian, date, and file-attribute fields conform to a defensible standard. Schema validation failures should not halt the pipeline; instead, they must be logged as non-fatal compliance warnings and routed to a reconciliation queue.
import xmlschema
from lxml import etree
# In production, cache the XSD locally to avoid network dependencies.
EDRM_XSD_PATH = Path("/opt/edrm/edrm_xml_v1.0.xsd")
# Compile the schema once at module load; it is immutable and reusable.
_EDRM_SCHEMA = xmlschema.XMLSchema(str(EDRM_XSD_PATH))
def _metadata_to_xml(metadata: Dict[str, Any]) -> etree._Element:
"""Serialize a flat metadata mapping into an EDRM-compatible XML element."""
root = etree.Element("Document")
for key, value in metadata.items():
field = etree.SubElement(root, "Field", name=str(key))
field.text = "" if value is None else str(value)
return root
def validate_esi_metadata(metadata: Dict[str, Any]) -> bool:
# xmlschema validates XML sources, not raw dicts; serialize first.
document = _metadata_to_xml(metadata)
try:
_EDRM_SCHEMA.validate(document)
return True
except xmlschema.XMLSchemaValidationError as e:
logger.error(f"Schema validation failed: {e}")
return False
Downstream Handoff & Metadata Reconciliation
Once native files pass classification, hashing, and schema validation, they are serialized into a normalized payload and dispatched to extraction services. PDF & Text Extraction Engines consume these payloads to generate searchable text layers, OCR outputs, and embedded object inventories. The ingestion pipeline must guarantee idempotent delivery: duplicate payloads are detected via the SHA-256 digest and silently acknowledged to prevent redundant processing.
Post-extraction, metadata drift is common because of parser inconsistencies or timezone normalization. A reconciliation step closes the loop by comparing the original filesystem attributes against the extracted values, flagging discrepancies for legal review, and updating the central case database.
Production Observability & Error Categorization
A defensible pipeline requires structured, machine-readable logging. Each ingestion event must emit JSON-formatted records containing trace IDs, file paths, MIME types, hash digests, routing decisions, and latency metrics. Errors are categorized into three severity tiers:
- Transient (Retryable): Network timeouts, temporary file locks, or queue backpressure. Handled via exponential backoff with jitter.
- Structural (Non-Retryable): Corrupted file headers, unreadable sectors, or invalid encodings. Routed to dead-letter queues with forensic snapshots.
- Compliance (Audit-Only): Schema mismatches, missing custodian fields, or policy exceptions. Logged for legal hold review without halting throughput.
The following flowchart maps each error tier to its handling path.
flowchart TD
E["Ingestion error"] --> T{"Error tier?"}
T -->|"Transient"| R["Retry with backoff and jitter"]
T -->|"Structural"| DL["Dead-letter with forensic snapshot"]
T -->|"Compliance"| AU["Log for audit and continue"]
For authoritative implementation references, consult the official Python asyncio documentation for event loop tuning, the NIST SP 800-107 Rev 1 for cryptographic hash compliance, and the Python hashlib reference for secure digest generation.
Pipeline throughput should be monitored via Prometheus metrics or OpenTelemetry spans, tracking ingestion_queue_depth, hash_compute_latency, mime_classification_accuracy, and quarantine_rate. Alerting thresholds must be calibrated to trigger before memory exhaustion or queue saturation, ensuring continuous, auditable processing across multi-terabyte litigation datasets.