RECOVERY

RECOVERY

CANONIC survives any single point of failure.

FAILURE MODES

Failure Modes

FailureImpactRecovery
Laptop lossLocal GOV + runtime lostClone from GitHub + restore runtime from backup
GitHub account compromiseRemote GOV repos at riskRotate tokens, restore from offsite backup, re-push
GitHub outageCI/CD unavailableLocal magic validate continues; push when restored
LEDGER corruptionEconomic history lostRestore from backup; reconcile via CLOSE
VAULT breachPrivate data exposedRotate keys, revoke access, audit LEDGER for unauthorized events
BACKUP TARGETS

Backup Targets

GOV repos: ~/CANONIC/ (git bundle or mirror) Runtime: ~/.canonic/ (encrypted archive) LEDGER: ~/.canonic/LEDGER/ (append-only, versioned) VAULT: ~/.canonic/VAULT/ (encrypted, auth-gated) CI secrets: GitHub Actions secrets (documented, not backed up in tree)

SLAS

SLAs

RTO (Recovery Time Objective): 4 hours from fresh machine RPO (Recovery Point Objective): last committed state (git push cadence) Backup cadence: daily (automated) or per-push (manual) Restore test cadence: quarterly

AUTOMATION

Automation

Backup Commands

`` backup snapshot — encrypted tar.gz of VAULT, LEDGER, SERVICES, learning backup restore — decrypt and restore from snapshot backup verify — decrypt, validate LEDGER chain, verify WALLETs `

Encryption: gpg –symmetric –cipher-algo AES256 (passphrase from BACKUP_PASSPHRASE env var).

LEDGER Archival

Monthly encrypted snapshot of LEDGER to offsite storage. Append-only — never prune active LEDGER.

` Schedule: 1st of each month Target: ~/.canonic/BACKUPS/LEDGER-{YYYY-MM}.tar.gz.gpg Retention: permanent (LEDGER is economic truth) `

VAULT Backup

Daily encrypted snapshot of VAULT directory.

` Schedule: daily (cron or CI) Target: ~/.canonic/BACKUPS/VAULT-{YYYY-MM-DD}.tar.gz.gpg Retention: 30 days rolling `

Restore Test Procedure

Quarterly SLA verification:

` Create fresh temporary directory Run: backup restore Run: vault verify (LEDGER chain integrity) Run: vault verify-wallet --user DEXTER (balance derivation) Run: vault verify-sig (signature verification) Document result in LEARNING.md ``

*RECOVERY SPEC COMPLIANCE*
TALK AUTO