Backend Or Oracle Outage
- declare degraded mode and notify governance/security channels.
- suspend non-essential claim operations if freshness cannot be maintained.
- fail closed rather than accepting ambiguous observations.
- restore pipeline with replay validation.
- run postmortem with durability and monitoring fixes.
Operational Detail
Backend outages are protocol-risk events because stale or missing observations can affect claimability, reserve readiness, receipt posting, and deposit readiness. Operators should not compensate by manually widening freshness windows or posting unverified receipts.
During outage response, identify affected vaults, last finalized epoch, last accepted source id, pending receipt batches, and claims initiated under old assumptions. If the outage overlaps an upgrade queue, notify governance monitoring because execution can change the code path while evidence is incomplete.
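An added example, not part of the original runbook or the project's code: a fail-closed replay validator that starts from the last finalized epoch and last accepted source id, and reports whether the feed is back inside the freshness window. The record shape, the 300-second window, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

FRESHNESS_WINDOW_S = 300  # assumed fixed policy value; never widened during an incident

@dataclass(frozen=True)
class Observation:  # hypothetical record shape
    epoch: int
    source_id: int
    digest: str
    observed_at: int  # unix seconds

class ReplayRejected(Exception):
    """Raised when the replay batch is ambiguous; nothing is applied."""

def validate_replay(batch, last_finalized_epoch, last_accepted_source_id, now):
    """Return (ordered observations, caught_up) or raise ReplayRejected."""
    by_epoch = {}
    for obs in batch:
        if obs.epoch <= last_finalized_epoch:
            raise ReplayRejected(f"epoch {obs.epoch} is already finalized")
        prior = by_epoch.setdefault(obs.epoch, obs)
        if prior != obs:  # same epoch, different content: ambiguous, so reject
            raise ReplayRejected(f"conflicting observations for epoch {obs.epoch}")
    ordered = [by_epoch[e] for e in sorted(by_epoch)]
    expected_epoch, prev_source = last_finalized_epoch + 1, last_accepted_source_id
    for obs in ordered:
        if obs.epoch != expected_epoch:  # a missed epoch must be reconciled first
            raise ReplayRejected(f"missing epoch {expected_epoch}")
        if obs.source_id <= prev_source:
            raise ReplayRejected(f"source id {obs.source_id} not after {prev_source}")
        expected_epoch, prev_source = obs.epoch + 1, obs.source_id
    # Degraded mode ends only when the newest observation is inside the window.
    caught_up = bool(ordered) and 0 <= now - ordered[-1].observed_at <= FRESHNESS_WINDOW_S
    return ordered, caught_up

# Constructed sample: epochs 41-43 replayed after an outage that began after epoch 40.
SAMPLE = [
    Observation(41, 1001, "aa", 1_700_000_000),
    Observation(42, 1002, "bb", 1_700_000_600),
    Observation(42, 1002, "bb", 1_700_000_600),  # exact duplicate, tolerated
    Observation(43, 1003, "cc", 1_700_001_200),
]

if __name__ == "__main__":
    ordered, caught_up = validate_replay(SAMPLE, 40, 1000, now=1_700_001_300)
    print([o.epoch for o in ordered], "caught up:", caught_up)
```

A batch that raises `ReplayRejected` is applied in no part, and a valid batch with `caught_up` false leaves the system in degraded mode.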
Evidence To Archive
Archive incident start/end time, affected services, feed lag, missed epochs, replay command, reconciled source ids, on-chain update txs, post-recovery claimability reads, and signoff from backend/oracle owner and operations lead.