UK-only multi-region state replication across Oracle UK-South, MacBook M4 Pro, and GCHQ-certified clusters. CRDT-based SIGIL ledger with quorum writes, eventual consistency, and zero foreign-jurisdiction exposure.
A UK MOD / NHS / civil-service deployment cannot legally replicate state to a US, EU, or non-UK Five Eyes jurisdiction without breaching data-residency clauses, OPSI guidance, and the UK GDPR. Conventional multi-region patterns β global Cosmos DB, Spanner, DynamoDB Global Tables, CockroachDB clusters β place replica nodes in US, EU, or APAC regions by default, putting sovereignty at risk.
DEFONEOS implements multi-region replication entirely across UK sovereign infrastructure: Oracle UK-South (London), Oracle UK-Gov (Newport), MacBook M4 Pro (orchestrator), GCHQ-certified clusters (defence deployments), and UK academic HPC (Cardiff, Edinburgh). All replicas stay within UK jurisdiction, all traffic uses WireGuard tunnels between UK IP ranges, and the SIGIL ledger provides a CRDT-based conflict-free replicated data type for all state.
| Region | Location | Operator | Capacity | Use Case |
|---|---|---|---|---|
| R1 Oracle UK-South | London | Oracle UK | 2xVM.Standard.E4.Flex-16 OCPU | Primary BFT gateway + SIGIL ledger |
| R2 Oracle UK-Gov | Newport | Oracle UK Gov | Reserved (SC-cleared only) | Defence deployments + secret-tier |
| R3 MacBook M4 Pro | York (mobile) | DEFONEOS operator | 16GB unified memory | Orchestrator + edge cache + WebUI |
| R4 GCHQ cluster | Cheltenham | GCHQ / NCSC | Reserved (TOP SECRET) | Defence / intelligence deployment |
| R5 UK academic HPC | Cardiff / Edinburgh | Cardiff Met / EPCC | Shared via Janet6 | Research-grade compute + audit |
Each region runs an independent DEFONEOS substrate instance with its own MacBook-orchestrated or VM-resident SIGIL ledger replica. Regions communicate via WireGuard tunnels over Janet6 (the UK academic network) for R5, dedicated cross-connects for R1/R2/R4, and BFT council gateway for R3.
| Model | Latency | Use Case | Quorum |
|---|---|---|---|
| Strong (linearisable) | ~50ms p50 UK-wide | DEFONEOS-SEAL issuance, BFT vote tally | 23/33 synchronous |
| Causal | ~10ms p50 | SIGIL entries, audit logs, MCP calls | 17/33 eventual |
| Eventual | ~2s p50 | Telemetry, metrics, dashboard state | 11/33 best-effort |
Used for DEFONEOS-SEAL issuance, BFT vote tally, key rotation, MCP admission. Each write requires 23/33 synchronous acknowledgements from BFT council agents before returning success. PBFT-style two-phase commit with view-change protocol on coordinator failure. Reads also require quorum for linearisability.
Used for SIGIL entries, audit logs, MCP call records, identity attestations. Each write is a CRDT operation (Append-Only Counter, OR-Set, MV-Register) tagged with vector clocks. Conflicts are resolved deterministically by care_score x ring_weight x recency. Reads return locally-merged state with vector clock per entry.
Used for telemetry, metrics, Grafana dashboard state, non-critical alerts. SWIM-style gossip protocol with anti-entropy every 10s. Each peer gossips 1KB digests to 3 random peers; receivers pull diffs and merge. Eventual consistency guaranteed within 5 minutes under partition.
33-agent BFT council with f ≤ 10 Byzantine-fault tolerance. Replication factor 5 (one per region). Write quorum Q_w = 23/33 for strong consistency, Q_w = 17/33 for causal, Q_w = 11/33 for eventual. Read quorum Q_r = 23/33 for strong (symmetric to write), Q_r = 1 for causal/eventual (CRDT merge).
Conflicts in causal consistency are resolved by the following priority:
All conflict resolutions emit a SIGIL with conflict_resolution:{motion_id} entry including the four priority factors and the chosen winner. Audit trail is complete and verifiable.
| Scenario | Detection | Recovery | RPO | RTO |
|---|---|---|---|---|
| Single region failure | 5 missed heartbeats | Other regions continue; quorum still met | 0s | 0s |
| Two region failure | 10 missed heartbeats | Strong consistency falls back to causal | <1s | <5s |
| Three region failure | BFT governor SIGIL | Degraded mode; causal + eventual only | <5s | <30s |
| Network partition (Janet6) | Partition detection | Surviving partition continues with available quorum | 0s | <60s |
| Total UK infrastructure loss | Cross-region deadman timer | Owner-seat offline recovery + cold USB restore | <1h | <24h |
Cold-restore mechanism: encrypted USB drives in UK bank safe deposit boxes (one in Leeds, one in London, one in Edinburgh), 3-of-5 Shamir-shared KEK reconstruction. Restoring from cold takes ~6 hours including manual verification by 2-of-3 trustees.
All backups stay within UK jurisdiction. Daily full snapshots, hourly incremental. Snapshots are encrypted with envelope encryption (per-secret DEK, Shamir 3-share KEK) and stored on:
| Standard | Requirement | How This Spec Satisfies It |
|---|---|---|
| UK GDPR Art 28 | Processor locations | All replicas UK-only |
| DPA 2018 Sch 21 | Lawful international transfers | No transfers β all UK |
| NCSC CAF A2 | Asset inventory | 5 UK regions enumerated |
| NCSC CAF C1 | Service continuity | Multi-region quorum writes |
| ISO 27001 A.12.3 | Backup | Encrypted UK-only backups |
| ISO 27018 Β§A.11 | PII geographic location | UK-only replicas + backups |
| JSP 440 Ch 7 | MOD network resilience | 5-region topology + DR |
| JSP 936 Β§5.2 | AI system resilience | CRDT ledger + quorum |
| EU AI Act Art 9 | Risk management for availability | RPO/RTO targets met |
| NIST SP 800-34 | Contingency planning | 5-scenario DR matrix |
Violation triggers immediate BFT quorum vote on isolation and 33/33 owner-seat vote on remediation.