Credentialed Topology Graph

by Nick Clark | Published April 25, 2026

Cascade propagation in the disclosed mesh architecture operates not over a raw physical network map but over a credentialed topology graph in which every node and every edge bears an authority-signed attestation. Nodes represent mesh participants; edges represent cascade-relevant dependency relationships; each element carries lineage identifying the credentialing authority, the dependency class, and the temporal scope of the attestation. Cascade traversal admits only credentialed edges, producing a structurally bounded propagation domain whose properties are independently auditable.


Mechanism

The credentialed topology graph G = (V, E, A) is a directed multigraph in which V is the set of mesh-participant nodes, E is the set of cascade-relevant edges, and A is the attestation function mapping each element to one or more authority signatures. Each node v in V carries a node credential containing the participant identifier, the participant class (sensor, effector, gateway, governance authority, etc.), the issuing authority's public-key identifier, and a validity interval. Each edge e in E carries an edge credential containing the source node, the destination node, the dependency class (control, data, power, timing, spectrum, logical), the cascade-coupling parameters (latency bound, failure-correlation coefficient, bandwidth dependency), and one or more witness signatures attesting that the relationship has been observed or declared by an authority with jurisdiction over both endpoints.

Cascade-propagation evaluation walks G under a credential-admissibility predicate. When the architecture must determine whether a fault, refusal, or environmental event at node v_0 can propagate to node v_n, the traversal enumerates candidate paths v_0 to v_n and rejects any path containing an edge whose attestation has expired, has been revoked, or originates from an authority outside the operative trust domain. The result is not merely a reachability set but a credentialed reachability set: every cascade path returned by the evaluator is accompanied by the chain of attestations that admits it, allowing downstream mitigation logic to target specific edges by credential identifier rather than by physical address. Revocation of a single edge credential structurally severs all cascade paths that traverse it, without requiring physical reconfiguration of the underlying network.

Mutations to G are themselves credentialed events. A node-join, node-leave, edge-creation, edge-modification, or edge-revocation event is admitted into the graph only when accompanied by an authority signature whose jurisdiction covers the affected element. The mutation log forms an append-only lineage; any historical state of the topology can be reconstructed by replaying admitted mutations up to a chosen timestamp, and any cascade analysis performed against a historical state can be re-verified against the original lineage.

The admissibility predicate itself is parameterized rather than hard-coded. At evaluation time, the calling subsystem supplies a trust-domain manifest enumerating the recognized authorities, an acceptable signature-algorithm set, a maximum credential age, and an optional jurisdictional filter that restricts admission to edges whose endpoints lie within a declared geographic, regulatory, or operational zone. The same physical graph G can therefore be traversed under multiple distinct admissibility regimes by the same evaluator without graph rewriting: a peacetime regime admitting all civilian-authority edges, a contested-domain regime admitting only edges countersigned by two or more independent authorities, and a degraded-trust regime admitting only edges whose authority chains terminate in hardware-rooted credentials. Switching regimes is a constant-time configuration change at the evaluator, and the regime under which a cascade analysis was produced is itself recorded in the analysis output so that downstream consumers can reproduce the result deterministically.

Edge attestation packets are structurally distinct from the underlying transport. A given edge in G may be realized over any number of physical paths between its endpoint nodes, and the cascade-coupling parameters describe the dependency relationship rather than the transport. This separation allows transport-layer reconfiguration (a link reroute, a failover to a backup carrier, a software-defined-networking flow update) to proceed without invalidating the credentialed edge, and conversely allows revocation of a credentialed edge to take effect even when the underlying physical transport remains functional. The graph thus expresses governance topology rather than wiring topology, and cascade reasoning operates against the governance layer.

Operating Parameters

Edge attestations carry a dependency-class taxonomy with at least the following enumerated classes: hard-control (loss of source disables destination within a bounded latency), soft-control (loss of source degrades destination function), data (destination consumes source telemetry), timing (destination relies on source-derived clock or sequence), power (destination draws operational power from source-controlled bus), spectrum (destination shares an RF resource gated by source-held license), and logical (destination's policy decisions are bound by source-issued credentials). Each class carries a default cascade-coupling coefficient in the interval [0, 1] which the evaluator multiplies along path traversal to produce a cumulative cascade-probability estimate.

Validity intervals on credentials are typically expressed as an issuance timestamp and a maximum-age parameter; representative values are 24 hours for high-churn tactical meshes, 30 days for civilian critical-infrastructure meshes, and indefinite (with explicit revocation) for governance-authority bindings. The architecture supports re-attestation events that extend a credential's validity without changing its identifier, preserving cascade-path identity across credential refresh.

Traversal depth is bounded by a configurable cascade horizon, typically expressed in hops or in cumulative coupling product. Practical deployments use horizons between four and twelve hops with a coupling-product floor of 10^-3, beyond which cascade contribution is treated as negligible. Witness multiplicity (the minimum number of independent authority signatures required to admit an edge) is parameterized per dependency class; safety-critical hard-control edges typically require two or more independent witnesses, while data-class edges may admit on a single witness.
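The admissibility-gated traversal described under Mechanism, run with the horizon, coupling-product floor and per-class witness multiplicity given above, is sketched below as an added example; it is not code from the disclosure. The names Edge, Regime, admissible and cascade_paths are hypothetical, the sample graph is constructed, signature verification is assumed to have happened upstream, and counting only in-domain witnesses toward multiplicity is an assumption.

```python
from collections import namedtuple

# Edge credential; witnesses = authorities whose signatures were verified upstream (assumption).
Edge = namedtuple("Edge", "cred_id src dst dep_class coupling issued witnesses")
# Trust-domain manifest plus traversal bounds for one admissibility regime.
Regime = namedtuple("Regime", "name authorities max_age min_witnesses horizon floor")

def admissible(edge, regime, now, revoked):
    """Credential-admissibility predicate for a single edge."""
    if edge.cred_id in revoked or now - edge.issued > regime.max_age:
        return False
    trusted = edge.witnesses & regime.authorities  # ignore out-of-domain signers
    return len(trusted) >= regime.min_witnesses.get(edge.dep_class, 1)

def cascade_paths(edges, regime, src, dst, now, revoked=frozenset()):
    """Credentialed reachability: admitted simple paths with their credential chains."""
    out = {}
    for e in edges:
        if admissible(e, regime, now, revoked):
            out.setdefault(e.src, []).append(e)
    paths, stack = [], [(src, (), 1.0, frozenset([src]))]
    while stack:
        node, chain, product, seen = stack.pop()
        if node == dst and chain:
            paths.append({"credentials": chain, "coupling": product})
            continue
        if len(chain) >= regime.horizon:
            continue
        for e in out.get(node, []):
            p = product * e.coupling  # cumulative cascade-probability estimate
            if e.dst not in seen and p >= regime.floor:
                stack.append((e.dst, chain + (e.cred_id,), p, seen | {e.dst}))
    paths.sort(key=lambda r: r["credentials"])
    return {"regime": regime.name, "paths": paths}

# Constructed sample: gateway -> PLC -> pump, a telemetry edge, and an out-of-domain edge.
A, B, X = "auth-A", "auth-B", "auth-X"
EDGES = [
    Edge("e1", "gw", "plc", "hard-control", 0.5, 1000, frozenset({A, B})),
    Edge("e2", "plc", "pump", "hard-control", 0.5, 1000, frozenset({A, B})),
    Edge("e3", "gw", "pump", "data", 0.25, 1000, frozenset({A})),
    Edge("e4", "gw", "pump", "hard-control", 1.0, 1000, frozenset({X})),
]
PEACETIME = Regime("peacetime", frozenset({A, B}), 86400, {"hard-control": 2}, 12, 1e-3)
CONTESTED = PEACETIME._replace(name="contested", min_witnesses={"hard-control": 2, "data": 2})

if __name__ == "__main__":
    for regime in (PEACETIME, CONTESTED):
        print(cascade_paths(EDGES, regime, "gw", "pump", now=2000))
```

Passing revoked={"e1"} removes the gw -> plc -> pump path from the result without touching the edge list, which is the structural-severing behaviour the Mechanism section describes.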

Edge weight evolution under operational telemetry is bounded by a coupling-update protocol: an edge's coupling coefficient may be revised within a credentialed update event whose evidence package includes the prior coefficient, the proposed coefficient, the supporting telemetry window, and the witnessing authority's signature. Updates that move the coefficient by more than 25% in a single event require corroborating signatures, preventing a single compromised witness from steering cascade analysis through gradual coefficient drift. The architecture exposes a per-edge revision counter and a coefficient-history accessor, both consumable by the audit primitive.

Storage cost for the graph scales linearly with the number of edges times the average attestation chain depth; representative deployments observe 800 to 1500 bytes per edge for ECDSA-P256 attestations with a single witness, and roughly 2 KB per edge for two-witness safety-critical edges. Mutation throughput is bounded by signature verification cost on the topology-authority replica set; commodity hardware sustains 5000 to 12000 mutation admissions per second per replica without batching.
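One way to admit coupling-update events under the 25% rule described above, as an added example rather than code from the disclosure. EdgeCoupling, UpdateEvent and admit_update are hypothetical names, witness signatures are assumed verified upstream, and treating the 25% as relative to the prior coefficient, with corroboration meaning at least two witnesses, is an assumption.

```python
from dataclasses import dataclass, field

MAX_SINGLE_WITNESS_MOVE = 0.25  # moves above 25% need corroborating signatures

@dataclass
class EdgeCoupling:
    cred_id: str
    coefficient: float
    revision: int = 0                            # per-edge revision counter
    history: list = field(default_factory=list)  # coefficient history for audit

@dataclass(frozen=True)
class UpdateEvent:
    prior: float
    proposed: float
    telemetry_window: tuple  # (start, end) of the supporting telemetry
    witnesses: frozenset     # signers assumed verified upstream

def admit_update(edge, ev):
    """Apply a credentialed coupling update, or return the reason it is refused."""
    if ev.prior != edge.coefficient:
        return "stale-prior"          # evidence package does not match current state
    if not 0.0 <= ev.proposed <= 1.0:
        return "out-of-range"
    if not ev.witnesses:
        return "unsigned"
    delta = abs(ev.proposed - ev.prior)
    # A move away from zero has no finite ratio, so it always counts as large.
    move = delta / ev.prior if ev.prior else (float("inf") if delta else 0.0)
    if move > MAX_SINGLE_WITNESS_MOVE and len(ev.witnesses) < 2:
        return "needs-corroboration"
    edge.history.append((edge.revision, edge.coefficient, ev.witnesses))
    edge.coefficient, edge.revision = ev.proposed, edge.revision + 1
    return "admitted"

if __name__ == "__main__":
    # Constructed events against one edge with a single witness.
    edge = EdgeCoupling("e1", 0.5)
    solo = frozenset({"auth-A"})
    print(admit_update(edge, UpdateEvent(0.5, 0.75, (0, 60), solo)))   # refused
    print(admit_update(edge, UpdateEvent(0.5, 0.625, (0, 60), solo)))  # admitted
    print(edge.revision, edge.history)
```

Sub-threshold updates still compound across events (four single-witness increases of 25% multiply a coefficient by about 2.44), so audit consumers should read the coefficient history rather than only the latest event.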

Alternative Embodiments

In a first alternative embodiment, the topology graph is sharded across multiple mesh sub-domains, each maintaining a local view and exchanging credentialed boundary edges via a federation protocol. Cross-domain cascade traversal admits boundary edges only when both originating and receiving authorities have countersigned the federation manifest. In a second alternative embodiment, the graph is replicated across a Byzantine-robust ensemble using a quorum-signed mutation log, allowing topology evolution to proceed even when a minority of authority replicas are compromised or partitioned.

A third alternative embodiment composes the topology graph with a learned-relationship primitive (see the companion topology-learning disclosure), in which observed dependency manifestations are admitted as candidate edges and promoted to credentialed edges upon corroborating witness signature. A fourth embodiment composes with a cascade-mitigation primitive, in which graph traversal results drive automated isolation actions: identified cascade-source edges are credentially suspended, propagating structural cut-points without manual reconfiguration. A fifth embodiment realizes the graph in a hardware-rooted form, with edge credentials sealed to TPM or HSM identities such that revocation of a hardware root structurally invalidates all edges attested by that root.

A sixth alternative embodiment supports time-bounded provisional edges, in which an edge credential admits a candidate cascade-coupling relationship for a short interval (typically minutes to hours) pending corroborating witness signatures. Provisional edges are admitted to traversal under a degraded coupling coefficient and are either promoted to full attestation upon receipt of corroborating signatures or expire silently. A seventh embodiment composes the graph with a secrecy primitive that selectively redacts edge metadata for unprivileged traversers; the redacted form preserves cascade-reachability but withholds cascade-coupling magnitudes and dependency-class labels, allowing low-trust audit consumers to receive structural cascade information without exposure of operationally sensitive coupling detail.

Composition With Other Primitives

The credentialed topology graph composes with the broader cascade-propagation step and with adjacent architectural primitives. It supplies the substrate over which cascade-propagation evaluation runs, accepts mutations from the topology-learning primitive, exports cascade-source identifiers to the cascade-mitigation primitive, and exposes its lineage log to the audit and dispute primitives. The graph is also a consumer of the credential-issuance primitive: every node and edge attestation derives from a credential whose chain terminates in a recognized governance authority.

Composition with environmental-disruption primitives is direct. Spectrum-class edges in the topology graph reference spectrum-licensing credentials, allowing the architecture to traverse RF dependency cascades using the same evaluator that handles control-class cascades. Composition with the refusal primitive allows refusals at one node to be evaluated as cascade sources whose blast radius is bounded by the credentialed-edge admissibility predicate, ensuring that a refusal cannot unintentionally cascade through edges outside the refusing authority's jurisdiction.

Distinction From Prior Art

The credentialed topology graph is structurally distinct from physical-only network maps such as those produced by SNMP topology discovery, link-layer neighbor protocols (LLDP, CDP), and IP-route inspection: those mechanisms produce a graph of physical reachability without governance attestation, and admit any observed adjacency regardless of authority. It is distinct from BGP and analogous inter-domain routing graphs, which carry policy attributes but lack a credentialing layer binding edges to signing authorities with revocation semantics; BGP route advertisements are not authority-signed in the sense disclosed here, and BGP path selection has no notion of cascade-class taxonomy.

It is distinct from service-mesh control planes such as Linkerd, Istio, and Consul Connect, which maintain mTLS-authenticated service identities and traffic policies but do not maintain a graph of cascade-relevant dependency relationships across heterogeneous physical, logical, and regulatory domains; service-mesh identity binds a service to a certificate, not a dependency edge to a governance authority. It is distinct from dependency graphs in software supply-chain tooling (SBOM graphs, package-manifest graphs), which describe build-time composition rather than runtime cascade coupling and which lack the per-edge multi-witness attestation structure disclosed here. The combination of dependency-class taxonomy, per-edge multi-authority attestation, credentialed mutation lineage, and admissibility-gated cascade traversal is not found in any prior art known to the inventor.

Disclosure Scope

This disclosure encompasses any mesh architecture in which cascade analysis operates over a graph whose nodes and edges carry authority-signed attestations, whose mutations are admitted only via credentialed events, and whose traversal admits only edges passing a credential-admissibility predicate. The scope is intended to cover implementations across signature schemes (RSA, ECDSA, EdDSA, post-quantum signature families), graph storage substrates (in-memory, distributed key-value, append-only ledger), and operational domains (defense mesh resilience, civilian critical-infrastructure resilience, industrial control system fault containment, multi-tenant cloud cascade isolation). Specific signature algorithms, storage technologies, and application domains are recited as illustrative embodiments and are not intended to limit the claims.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie