Topology Failure Matrix¶
Selected profile: balanced_day0. V=18, T=12, offline_budget=6.
| Scenario | Validators online | Validators offline | Online share | T | Finality | Oracle quorum | Writer | Accepted Day-0 risk | Notes |
|---|---|---|---|---|---|---|---|---|---|
| one_aws_core_node_outage | 14 | 4 | 0.778 | 12 | PASS | PASS | safe | no | One CORE node loss leaves two private CORE Beacon sources. |
| one_aws_core_region_outage | 14 | 4 | 0.778 | 12 | PASS | PASS | safe | no | AWS CORE Regions are distinct; one Region loss removes one CORE node. |
| one_aws_core_az_outage | 14 | 4 | 0.778 | 12 | PASS | PASS | safe | no | Each CORE node is in a distinct AZ for the selected Region set. |
| one_edge_node_outage | 15 | 3 | 0.833 | 12 | PASS | PASS | safe | no | A single EDGE outage is inside the finality budget. |
| hetzner_edge_outage | 15 | 3 | 0.833 | 12 | PASS | PASS | safe | no | Hetzner EDGE carries validators but is not oracle truth by default. |
| gcp_edge_outage | 15 | 3 | 0.833 | 12 | PASS | PASS | safe | no | GCP EDGE carries validators but is not oracle truth by default. |
| both_edge_nodes_offline | 12 | 6 | 0.667 | 12 | PASS | PASS | safe | no | AWS CORE alone is sized to meet T for the selected profile. |
| one_public_boot_sentry_node_outage | 18 | 0 | 1.000 | 12 | PASS | PASS | safe | no | Boot/sentry nodes are keyless and carry no validators. |
| both_public_boot_sentry_nodes_offline | 18 | 0 | 1.000 | 12 | PASS | PASS | safe | yes | Public joinability degrades; private CORE and validators remain live. |
| complete_aws_provider_outage | 6 | 12 | 0.333 | 12 | FAIL | FAIL | unsafe | yes | Accepted Day-0 risk: AWS is the private CORE cornerstone. |
| complete_gcp_provider_outage | 15 | 3 | 0.833 | 12 | PASS | PASS | safe | no | Only the GCP EDGE node is lost. |
| complete_hetzner_provider_outage | 15 | 3 | 0.833 | 12 | PASS | PASS | safe | no | Hetzner EDGE and one boot/sentry are lost; boot/sentry has no validators. |
| one_el_client_family_outage | 11 | 7 | 0.611 | 12 | FAIL | PASS | safe | yes | Exact one-third EL equality is infeasible under one-client-pair-per-host; minimal deviation is reported. |
| one_cl_client_family_outage | 11 | 7 | 0.611 | 12 | FAIL | PASS | safe | yes | Exact one-third CL equality is infeasible under one-client-pair-per-host; minimal deviation is reported. |
| one_signer_domain_outage | 14 | 4 | 0.778 | 12 | PASS | PASS | safe | no | One active Dirk signer cell exists per validator-bearing node. |
| one_active_oracle_writer_outage | 18 | 0 | 1.000 | 12 | PASS | PASS | safe | no | Standby writer can take over only after fencing/lease transfer. |
| standby_oracle_writer_mistakenly_active | 18 | 0 | 1.000 | 12 | PASS | PASS | unsafe | no | Rejected configuration: active/active writer authority is unsafe. |
| network_partition_between_core_and_edge | 12 | 6 | 0.667 | 12 | PASS | PASS | safe | yes | Partitioning EDGE away leaves CORE finality live but reduces provider diversity. |
| public_p2p_layer_degradation_private_core_healthy | 18 | 0 | 1.000 | 12 | PASS | PASS | safe | yes | External joinability degrades; raw CORE APIs remain private. |
| private_core_overlay_vpn_failure | 6 | 12 | 0.333 | 12 | FAIL | FAIL | unsafe | yes | Private CORE overlay failure can halt the control plane and CORE validators. |