
Centurion Day-0 Topology

Generated artifacts:

  • reports/aws_ec2_reserved_pricing_candidates.json
  • reports/aws_core_contract_options.md
  • reports/gurobi_topology_model.lp
  • reports/gurobi_topology_model.mps
  • reports/gurobi_solution_pool.json
  • reports/gurobi_iis.ilp
  • reports/topology_launch_recommendation.json
  • reports/topology_cost_model.json
  • reports/topology_failure_matrix.md
  • reports/topology_optimizer_summary.md
  • reports/topology_roadmap.md

Executive Summary

AWS is the Day-0 CORE cornerstone. The launch topology is exactly 3 private AWS CORE validator nodes in three distinct AWS Regions, exactly 2 EDGE validator nodes on Hetzner and GCP, and exactly 2 cheap public keyless boot/sentry nodes. The selected profile is balanced_day0 with V=18, T=12, c=4, and e=3.

The AWS CORE year-1 budget is $1,400.00. Official AWS pricing shows the selected CORE capacity costs $3,381.00 ($281.75/mo amortized), so the budget fit is FAIL. The optimizer does not reduce below 3 AWS CORE nodes, move CORE off AWS, or place two CORE nodes in one AWS Region to fake budget success.

Current Topology Audit

The repository contains the optimizer, tests, config, generated reports, README, and this topology document. It does not contain deployment scripts, service units, Vouch/Dirk configuration, peering files, or client startup flags. Client flag validation therefore cannot be claimed from local scripts; this document states the required exposure policy and the generated reports enforce it as model data.

Real Day-0 Launch Constraints

  • Exactly 3 AWS CORE validator nodes.
  • Exactly 2 EDGE validator nodes: Hetzner and GCP.
  • Exactly 2 public boot/sentry nodes.
  • CORE nodes are trusted private oracle and seat-manager truth sources.
  • EDGE nodes carry validators for diversity but are not trusted oracle truth sources by default.
  • Boot/sentry nodes are keyless and non-validating.
  • The number of validators is optimizer-selected; V=45 is a future target only.

Threat And Failure Model

The model evaluates one CORE node, one AWS Region, one AWS AZ, EDGE outages, boot/sentry outages, provider outages, EL/CL family outages, signer-domain outage, oracle writer failure, accidental active/active writer, CORE/EDGE partitions, public P2P degradation, and private CORE overlay failure.

Complete AWS provider outage is an accepted Day-0 risk, not a production-grade pass.

Validator-Count And Finality-Threshold Model

V = 3c + 2e
T = ceil(2V/3)
offline_budget = V - T
C = 3c
E = 2e

The selected values are V=18, T=12, offline_budget=6, C=12, and E=6.

Gurobi Optimization Formulation

Gurobi builds binary AWS contract, Region, instance, contract-class, payment-option, and validator-pair choices. Integer c/e choices are represented through selected c/e pair binaries. The hard budget model is solved first; when infeasible, Gurobi writes IIS diagnostics and then solves a relaxed-budget model that minimizes budget violation before topology quality, cost, upgrade flexibility, and operational complexity.

AWS First-Year Contract Optimization

The AWS pricing path uses the AWS Pricing API for On-Demand and gp3 prices, and EC2 DescribeReservedInstancesOfferings for 1-year Standard and Convertible RI offerings. Deterministic estimates are only used for missing rows and are labeled estimate_only.

Selected contract set: standard_reserved_1yr with payment all_upfront.

Candidate Profile Summary

See reports/topology_optimizer_summary.md for all profiles. The intended Day-0 profile is balanced_day0; future profiles are not Day-0.

Selected Day-0 Topology

The selected family is aws_core_plus_edge_plus_public_boot_sentry. It keeps AWS CORE at exactly two-thirds of validators, stays live through the loss of one AWS Region, and stays live with both EDGE nodes offline.

Exact Node Inventory

AWS CORE

| Node | Validators | Region | AZ | Instance | EL | CL | Contract | Payment |
|---|---|---|---|---|---|---|---|---|
| aws-core-a | 4 | us-east-1 | us-east-1a | m6a.xlarge | go-centurion | Prysm | standard_reserved_1yr | all_upfront |
| aws-core-b | 4 | us-east-2 | us-east-2a | m6a.xlarge | reth/rustcen | Lodestar | standard_reserved_1yr | all_upfront |
| aws-core-c | 4 | us-west-2 | us-west-2a | m6a.xlarge | nethermind | Lighthouse | standard_reserved_1yr | all_upfront |

EDGE

| Node | Provider | Region | Validators | EL | CL | Instance |
|---|---|---|---|---|---|---|
| edge-hetzner-a | Hetzner | fsn1 | 3 | go-centurion | Prysm | CX42 or CPX41 equivalent |
| edge-gcp-a | GCP | europe-west4 | 3 | reth/rustcen | Lodestar | n2-standard-4 equivalent |

Public Boot/Sentry

| Node | Provider | Region | Validators | Signer keys | Public ports |
|---|---|---|---|---|---|
| boot-sentry-a | Hetzner | nbg1 | 0 | no | 30303/tcp, 30303/udp, 9000/tcp, 9000/udp |
| boot-sentry-b | OVH | bhs | 0 | no | 30303/tcp, 30303/udp, 9000/tcp, 9000/udp |

Exact Validator Allocation

Each AWS CORE node carries c=4 validators. Each EDGE node carries e=3 validators. Public boot/sentry nodes carry zero validators.

Client-Family Allocation

Mode: minimal_family_deviation.

Exact EL equality: no. Exact CL equality: no.

Reason: Repository artifacts do not prove safe multiple isolated EL/CL service groups per host; node-level single-client assignment cannot hit exact one-third family weights for the selected c/e.

AWS CORE Placement And Contract Selection

Selected AWS Regions: us-east-1, us-east-2, us-west-2. Selected AZs: us-east-1a, us-east-2a, us-west-2a. Disk is 200 GB gp3 per CORE node. The selected AWS instance type set is m6a.xlarge.

EDGE Placement

Hetzner EDGE is in fsn1; GCP EDGE is in europe-west4. EDGE nodes may expose P2P if policy permits, but raw APIs stay private.

Public Boot/Sentry Placement

The public boot/sentry nodes are cheap, keyless, non-validating nodes. They expose P2P/discovery only and do not carry signer keys, Dirk keys, validator keys, raw RPC, Beacon API, Engine API, or metrics.

P2P Topology

CORE peers with CORE over private mesh. EDGE peers with CORE over private/allowlisted channels and with boot/sentry nodes. Boot/sentry nodes provide public P2P joinability. P2P joinability is not RPC/Beacon API access.

RPC/Beacon/API Exposure Policy

CORE has no public raw RPC, raw Beacon API, Engine API, metrics endpoint, Dirk endpoint, or signer endpoint. EDGE follows the same raw API policy. Boot/sentry is public P2P only.

Firewall/Security Policy

Sensitive ports are private by default: 8551, 8545, 8546, 5052, 6061, 6062, and 13141. P2P ports 30303 TCP/UDP and 9000 TCP/UDP may be public only on roles that require public P2P.

Dirk/Remote Signer Topology

There is one active Dirk signer cell per validator-bearing node. There is no centralized active signer cluster for all keys and no active-active signer authority for the same key. Vouch talks to Dirk over mTLS or an equivalent private authenticated channel.

Slashing-Protection And Key-Custody Model

Each validator key has one active validator-client authority and one active signer domain. Standby signers are fenced, offline, or passive until failover. Boot/sentry, archive, public RPC, and public Beacon roles carry zero validator and signer keys.

Risk-Oracle And Seat-Manager Topology

The risk oracle reads from 3 private AWS CORE Beacon APIs with 2-of-3 quorum. User-node truth is rejected. EDGE nodes are not trusted oracle truth sources by default. The seat-manager control plane uses private CORE truth, not public or user-operated Beacon APIs. The writer model is active/standby; active/active writer authority is rejected.

Stale or bad Beacon sources are detected by comparing finalized checkpoints, head slots, and divergence across CORE sources. Seat-manager transitions require 2 matching CORE sources.
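As an added example (not code from the repository), the 2-of-3 CORE quorum described above, with the stale-head and divergent-checkpoint rejection made explicit. The source record fields, the 32-slot staleness bound, and the rejection labels are assumptions; the trusted source names come from the node inventory.

```python
# Added example: 2-of-3 private AWS CORE quorum for the risk oracle / seat manager.
from dataclasses import dataclass

TRUSTED_CORE = {"aws-core-a", "aws-core-b", "aws-core-c"}  # from the node inventory
MAX_HEAD_LAG_SLOTS = 32  # assumed staleness bound relative to the best CORE head


@dataclass
class CoreSource:
    """Snapshot of one Beacon source (field names are assumed)."""
    name: str
    head_slot: int
    finalized_root: str   # finalized checkpoint root
    finalized_epoch: int  # finalized checkpoint epoch


def quorum_checkpoint(sources, quorum=2):
    """Return (checkpoint, agreeing_sources, rejected) where checkpoint is
    (epoch, root) agreed by >= quorum trusted, fresh CORE sources, else None."""
    rejected, candidates = {}, []
    best_head = max((s.head_slot for s in sources if s.name in TRUSTED_CORE), default=0)
    for s in sources:
        if s.name not in TRUSTED_CORE:
            rejected[s.name] = "untrusted_source"   # user-node / EDGE truth is rejected
        elif best_head - s.head_slot > MAX_HEAD_LAG_SLOTS:
            rejected[s.name] = "stale_head"         # lagging far behind peers
        else:
            candidates.append(s)
    groups = {}
    for s in candidates:  # group by finalized checkpoint, the value being agreed on
        groups.setdefault((s.finalized_epoch, s.finalized_root), []).append(s.name)
    if not groups:
        return None, [], rejected
    winner = max(groups, key=lambda ck: len(groups[ck]))
    if len(groups[winner]) < quorum:  # no 2 matching CORE sources: refuse to transition
        for names in groups.values():
            for n in names:
                rejected[n] = "no_quorum"
        return None, [], rejected
    for ck, names in groups.items():
        if ck != winner:
            for n in names:
                rejected[n] = "divergent_finalized"
    return winner, sorted(groups[winner]), rejected


if __name__ == "__main__":  # constructed sample: a and b agree, c has diverged
    a = CoreSource("aws-core-a", 32100, "0xaa", 1000)
    b = CoreSource("aws-core-b", 32101, "0xaa", 1000)
    c = CoreSource("aws-core-c", 32100, "0xbb", 999)
    print(quorum_checkpoint([a, b, c]))
```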

Failure Matrix

| Scenario | Online | Offline | Finality | Oracle | Accepted risk |
|---|---|---|---|---|---|
| one_aws_core_node_outage | 14 | 4 | PASS | PASS | no |
| one_aws_core_region_outage | 14 | 4 | PASS | PASS | no |
| one_aws_core_az_outage | 14 | 4 | PASS | PASS | no |
| one_edge_node_outage | 15 | 3 | PASS | PASS | no |
| hetzner_edge_outage | 15 | 3 | PASS | PASS | no |
| gcp_edge_outage | 15 | 3 | PASS | PASS | no |
| both_edge_nodes_offline | 12 | 6 | PASS | PASS | no |
| one_public_boot_sentry_node_outage | 18 | 0 | PASS | PASS | no |
| both_public_boot_sentry_nodes_offline | 18 | 0 | PASS | PASS | yes |
| complete_aws_provider_outage | 6 | 12 | FAIL | FAIL | yes |
| complete_gcp_provider_outage | 15 | 3 | PASS | PASS | no |
| complete_hetzner_provider_outage | 15 | 3 | PASS | PASS | no |
| one_el_client_family_outage | 11 | 7 | FAIL | PASS | yes |
| one_cl_client_family_outage | 11 | 7 | FAIL | PASS | yes |
| one_signer_domain_outage | 14 | 4 | PASS | PASS | no |
| one_active_oracle_writer_outage | 18 | 0 | PASS | PASS | no |
| standby_oracle_writer_mistakenly_active | 18 | 0 | PASS | PASS | no |
| network_partition_between_core_and_edge | 12 | 6 | PASS | PASS | yes |
| public_p2p_layer_degradation_private_core_healthy | 18 | 0 | PASS | PASS | yes |
| private_core_overlay_vpn_failure | 6 | 12 | FAIL | FAIL | yes |
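As an added example (not the repository's optimizer code), the validator-count model from the Validator-Count And Finality-Threshold Model section and several rows of the failure matrix above are re-derived from the node inventory. It assumes finality PASSes while the online validator count is at least T, and that client-family deviation is the largest distance of any family's validator count from the one-third target.

```python
# Added example: recompute V/T/offline_budget and re-derive failure-matrix rows.
import math

# Validator-bearing nodes from the Exact Node Inventory; boot/sentry carry zero.
NODES = {
    "aws-core-a":     dict(v=4, provider="aws",     el="go-centurion", cl="Prysm"),
    "aws-core-b":     dict(v=4, provider="aws",     el="reth/rustcen", cl="Lodestar"),
    "aws-core-c":     dict(v=4, provider="aws",     el="nethermind",   cl="Lighthouse"),
    "edge-hetzner-a": dict(v=3, provider="hetzner", el="go-centurion", cl="Prysm"),
    "edge-gcp-a":     dict(v=3, provider="gcp",     el="reth/rustcen", cl="Lodestar"),
}


def finality_params(c, e):
    """Page formulas: V = 3c + 2e, T = ceil(2V/3), offline_budget = V - T."""
    v = 3 * c + 2 * e
    t = math.ceil(2 * v / 3)
    return {"V": v, "T": t, "offline_budget": v - t, "C": 3 * c, "E": 2 * e}


def finality(offline_nodes, params):
    """Assumption: finality PASSes while online validators >= T.
    Returns (online, offline, verdict) matching the failure-matrix columns."""
    offline = sum(NODES[n]["v"] for n in offline_nodes)
    online = params["V"] - offline
    return online, offline, "PASS" if online >= params["T"] else "FAIL"


def family_deviation(key, params):
    """Assumed metric: max |family validators - V/3| over EL or CL families."""
    counts = {}
    for node in NODES.values():
        counts[node[key]] = counts.get(node[key], 0) + node["v"]
    target = params["V"] / 3
    return max(abs(n - target) for n in counts.values())


if __name__ == "__main__":
    p = finality_params(c=4, e=3)
    scenarios = {
        "one_aws_core_node_outage": ["aws-core-a"],
        "both_edge_nodes_offline": ["edge-hetzner-a", "edge-gcp-a"],
        "complete_aws_provider_outage": [n for n, d in NODES.items() if d["provider"] == "aws"],
        "one_el_client_family_outage": [n for n, d in NODES.items() if d["el"] == "go-centurion"],
    }
    print(p)
    for name, down in scenarios.items():
        print(name, *finality(down, p))
    print("EL deviation:", family_deviation("el", p), "CL deviation:", family_deviation("cl", p))
```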

Monitoring And Alerting

Alert on CORE Beacon divergence, stale head/finalized checkpoints, failed 2-of-3 quorum, signer mTLS failure, duplicate validator authority, public exposure on sensitive ports, EDGE partition, boot/sentry P2P health, and AWS RI/budget drift.

Deployment Verification Checklist

  • [x] threshold_computed_from_v: T=12
  • [x] offline_budget_computed_from_v: B=6
  • [x] fixed_model_v_equals_3c_plus_2e: V=18, c=4, e=3
  • [x] aws_core_count_exactly_3: 3
  • [x] edge_validator_count_exactly_2: 2
  • [x] public_boot_sentry_count_exactly_2: 2
  • [x] aws_core_nodes_aws_only: AWS only
  • [x] aws_core_regions_distinct: us-east-1,us-east-2,us-west-2
  • [x] aws_core_azs_distinct: us-east-1a,us-east-2a,us-west-2a
  • [x] aws_core_capacity_minimums: >=4 vCPU, >=16 GiB, >=200 GB gp3
  • [ ] aws_core_budget_fit: 3381.00 <= 1400.00
  • [x] core_nodes_not_archive: CORE normal full nodes
  • [x] public_boot_sentry_keyless: boot/sentry zero validators and zero keys
  • [x] no_public_signer: signer private
  • [x] no_public_engine_api: Engine API private
  • [x] no_public_raw_rpc_or_beacon_on_validator_nodes: validator APIs private
  • [x] oracle_private_2_of_3_core: 2-of-3 private AWS CORE sources
  • [x] oracle_writer_active_standby: active/standby writer, active-active rejected
  • [x] one_aws_core_region_outage_keeps_finality: AWS CORE Regions are distinct; one Region loss removes one CORE node.
  • [x] one_edge_node_outage_keeps_finality: A single EDGE outage is inside the finality budget.
  • [x] both_edge_nodes_offline_core_liveness: AWS CORE alone is sized to meet T for the selected profile.
  • [x] exact_el_family_equality_or_reported_relaxation: Repository artifacts do not prove safe multiple isolated EL/CL service groups per host; node-level single-client assignment cannot hit exact one-third family weights for the selected c/e.
  • [x] exact_cl_family_equality_or_reported_relaxation: Repository artifacts do not prove safe multiple isolated EL/CL service groups per host; node-level single-client assignment cannot hit exact one-third family weights for the selected c/e.

Migration Plan From Current GCP-Only S5 Deployment

  1. Freeze the current GCP-only S5 deployment as test-only.
  2. Build the 3 AWS CORE nodes in selected Regions.
  3. Build Hetzner and GCP EDGE nodes.
  4. Build two keyless public boot/sentry nodes.
  5. Import only each node's assigned validator keys into its signer domain.
  6. Verify slashing-protection handoff before starting Vouch.
  7. Confirm no public 8545, 8546, 5052, 8551, metrics, Dirk, or signer exposure.
  8. Enable oracle reads only after 2-of-3 CORE quorum is healthy.

Day-0 Risks And Accepted Compromises

  • AWS CORE year-1 budget infeasible for three 4-vCPU/16-GiB AWS CORE nodes: Selected AWS CORE cost is $3381.00 versus $1400.00 budget.
  • Complete AWS provider outage may fail finality and oracle/control-plane quorum: All trusted Day-0 CORE oracle sources live on AWS.
  • Client-family exact equality is mathematically infeasible with one client pair per validator node: Minimal deviation is 2.0 validators from the one-third target.
  • Small Day-0 validator set: V=18 is launch-sized rather than the future V=45 target.

Future Roadmap To Multi-Provider Production CORE

The next target is adding non-AWS oracle-capable CORE sources. The future maximum-resilience target can grow to 7 to 9 validator-bearing nodes with separate public RPC, public Beacon, boot/sentry, and archive tiers. Archive and public-service nodes remain keyless and outside the validator finality path.

Final Recommendation

Use the fixed aws_core_plus_edge_plus_public_boot_sentry architecture as the Day-0 launch plan, but treat the AWS CORE budget as infeasible at the configured $1,400.00. The topology should not be weakened to hide that fact. Raise the AWS CORE budget, accept a clearly labeled temporary On-Demand/RI cost above budget, or explicitly select the ultra-low-cost burstable profile with CPU-credit risk called out.