A behavioral analysis system that detects application modifications by analyzing event patterns and identifying anomalies from expected behavior.
Causality collects events from mobile and web applications, stores them in a data warehouse, and enables SQL-based analytics for behavioral pattern analysis and anomaly detection.
┌─────────────────┐ ┌─────────────────┐
│ Mobile Apps │ │ Web Apps │
│ (iOS/Android) │ │ (Browser) │
└────────┬────────┘ └────────┬────────┘
│ │
└───────────┬───────────┘
│
┌──────▼──────┐
│ HTTP Server │ :8080
└──────┬──────┘
│
┌──────▼──────┐
│ NATS │ JetStream
└──────┬──────┘
│
┌───────────┴───────────┐
│ │
┌──────▼──────┐ ┌──────▼──────┐
│ Warehouse │ │ Reaction │
│ Sink │ │ Engine │
└──────┬──────┘ └──────┬──────┘
│ │
┌──────▼──────┐ ┌──────▼──────┐
│ MinIO │ │ Webhooks/ │
│ (Parquet) │ │ Alerts │
└──────┬──────┘ └─────────────┘
│
┌──────▼──────┐
│ Trino │ SQL Analytics
└──────┬──────┘
│
┌──────▼──────┐
│ Redash │ Visualization
└─────────────┘
- HTTP Server: RESTful API for event ingestion (
/v1/events/ingest,/v1/events/batch) - NATS JetStream: Event streaming and reliable delivery
- Warehouse Sink: Consumes events, writes Parquet files to S3
- Reaction Engine: Rule evaluation, anomaly detection, webhook delivery
- MinIO: S3-compatible object storage for event data
- Hive Metastore: Schema registry for Trino
- Trino: SQL query engine for analytics on Parquet files
- Redash: Data visualization and dashboards
- Docker and Docker Compose
- Go 1.24+ (for development)
- Make
# Start all services (clean)
make dev
# Or start without cleaning existing data
make docker-upThis starts:
- HTTP Server: http://localhost:8080
- NATS Monitoring: http://localhost:8222
- MinIO Console: http://localhost:9001 (minioadmin/minioadmin)
- Trino: http://localhost:8085
- Redash: http://localhost:5050 (admin@causality.local/admin123)
# Send a single event
make test-event
# Send a batch of events
make test-batch
# Send 100 uniform events
make test-load
# Send random events with variation (better for graphs)
make test-random# Open Trino CLI
make trino-cli
# Sync partitions and count events
make trino-sync
make trino-count
# View event statistics
make trino-statsOr use Redash at http://localhost:5050 with SQL:
SELECT
event_type,
count(*) AS event_count
FROM hive.causality.events
GROUP BY event_type
ORDER BY event_count DESCcurl -X POST http://localhost:8080/v1/events/ingest \
-H "Content-Type: application/json" \
-d '{
"event": {
"appId": "my-app",
"deviceId": "device-001",
"screenView": {"screenName": "HomeScreen"}
}
}'curl -X POST http://localhost:8080/v1/events/batch \
-H "Content-Type: application/json" \
-d '{
"events": [
{"appId": "my-app", "deviceId": "d1", "screenView": {"screenName": "Home"}},
{"appId": "my-app", "deviceId": "d1", "buttonTap": {"buttonId": "login", "screenName": "Home"}}
]
}'screenView: Screen/page viewsscreenExit: Screen exit with durationbuttonTap: Button/UI interactionsuserLogin/userLogout: Authentication eventsproductView/addToCart/purchaseComplete: E-commerce eventsappStart/appBackground/appForeground: Lifecycle eventsnetworkChange: Connectivity changescustomEvent: Custom events with arbitrary parameters
causality/
├── cmd/
│ ├── server/ # HTTP server
│ ├── warehouse-sink/ # NATS consumer → Parquet → S3
│ └── reaction-engine/ # Rule evaluation and anomaly detection
├── internal/
│ ├── events/ # Shared event categorization
│ ├── gateway/ # HTTP routing and handlers
│ ├── nats/ # JetStream client
│ ├── warehouse/ # Parquet writer and S3 upload
│ └── reaction/ # Rule engine, anomaly detection, webhooks
├── pkg/proto/ # Generated protobuf code
├── proto/ # Protocol buffer definitions
├── docker/
│ ├── hive/ # Hive Metastore config
│ ├── trino/ # Trino config
│ ├── redash/ # Redash setup scripts
│ └── postgres/ # PostgreSQL init
├── sql/ # Trino table definitions
├── docker-compose.yml # Development environment
├── Dockerfile # Multi-stage build
└── Makefile # Development commands
# Build server binary
make build-server
# Build warehouse sink
make build-sink
# Build reaction engine
make build-reaction
# Build all
make buildmake testmake help # Show all available commands
make docker-logs # Tail all service logs
make docker-ps # Show running containers
make minio-ls # List objects in MinIO
make nats-info # Show NATS server infoHTTP Server:
HTTP_ADDR: Listen address (default::8080)NATS_URL: NATS server URL (default:nats://localhost:4222)
Warehouse Sink:
NATS_URL: NATS server URLS3_ENDPOINT: S3/MinIO endpointS3_BUCKET: Bucket name (default:causality-events)S3_ACCESS_KEY_ID/S3_SECRET_ACCESS_KEY: CredentialsBATCH_MAX_EVENTS: Events per Parquet file (default:1000)BATCH_FLUSH_INTERVAL: Max time before flush (default:30s)
Reaction Engine:
NATS_URL: NATS server URLDATABASE_HOST/DATABASE_PORT: PostgreSQL connectionDATABASE_USER/DATABASE_PASSWORD: PostgreSQL credentialsDATABASE_NAME: Database name (default:reaction_engine)ENGINE_RULE_REFRESH_INTERVAL: Rule cache refresh interval (default:30s)DISPATCHER_WORKERS: Webhook delivery workers (default:5)
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.