IPPANVerifiable infrastructure for AI agents
Menu
OverviewEvidenceTechnologyExplorer
IPPAN · Infrastructure trust

Verifiable Recovery for IPPAN

IPPAN ledgers can be exported, hashed, encrypted, restored, replay-verified, and rehearsed on independent recovery infrastructure. This page explains what Verifiable Recovery is, how it works, and what guarantees it offers — and what it deliberately does not contain.

Read-only trust page · no operator controls
IPPAN recovery is deterministic, encrypted, independently rehearseable, non-destructive, and evidence-producing by design.

Recovery properties at a glance

  • Deterministic
  • Encrypted
  • Replay Verified
  • Independently Rehearseable
  • Evidence Producing
  • Non-destructive

What Verifiable Recovery means

Verifiable Recovery is the property that an IPPAN ledger can be taken out of a running production node, copied to an independent host, and brought back to a byte-identical state that any qualified party can audit. Every step in that path produces machine-readable evidence and never executes a production-changing action on its own.

Where traditional database backups answer the question "can we restore?", Verifiable Recovery answers a stricter one: "can we restore, prove the restore is correct, and rehearse the whole pipeline against real production artifacts without touching production?"

Why deterministic recovery matters

IPPAN's ledger is deterministic: replaying the same sealed batches in the same order against the same starting state must produce exactly the same state root, anchor log, and receipts. This is the invariant that makes IPPAN auditable in the first place.

Recovery inherits that invariant. A correctly restored ledger re-derives the operator's published state root to the bit. If it does not, the restore fails loudly with evidence — never silently — and the restored data is never promoted into production.

Cold, hot, and incremental backup

Cold export

Captured while the node is paused. Strongest correctness guarantee. Used for major snapshots and disaster-recovery seed bundles.

Hot finalized export

Captured at a finalized batch boundary on a running node. Verified against a stable hot boundary to guarantee the bundle is internally consistent.

Incremental delta

Records only the finalized batches added since a previously published bundle. Applied on top of its base bundle into a clean target — never in-place.

Strict replay verification

Every export bundle carries a manifest, file-by-file SHA-256 digests, the expected state root, the finalized block height, the anchor count, and the anchor-log SHA-256. The verifier replays the sealed batches in isolated read-only mode and recomputes those values. The bundle is accepted only when every recomputed value matches the manifest exactly.

Replay verification runs both as part of the operator's release process and again on the independent recovery node. The two runs must agree.

Staged restore without production activation

Restore writes the verified ledger into a fresh target directory. It never touches the running production data directory. The operator decides, separately and manually, whether to promote the restored target — and the tooling never makes that decision on its own. Promotion is an explicit, evidence-gated, two-person change.

Encrypted off-host backup

Backups are encrypted with an audited authenticated encryption scheme using X25519 key agreement and ChaCha20-Poly1305 with bound associated data. The recipient public key is the only key required on the source host; the matching private key lives on the recovery host. A separate test-only scheme exists for engineering rehearsals and is explicitly disabled in production.

S3-compatible object storage readiness

Recovery bundles can be published to either a filesystem target or an S3-compatible object store. The S3 transport is feature-gated and routes through the same provider abstraction as the local filesystem path, so the same evidence and verification guarantees apply uniformly. Cloud credentials are sourced from environment variables on the operator host only — never from the page, the bundle, or any published manifest.

Independent disaster-recovery rehearsal

The recovery host fetches the encrypted bundle from the chosen remote target, verifies it strictly, restores it into a clean workspace, re-validates the restored ledger, and emits an inert promotion plan that an operator must manually review. The whole rehearsal runs end-to-end against real published artifacts and produces a marker file plus JSON and Markdown reports.

No part of the rehearsal contacts production, starts or stops a service, or activates any restored data.

The recovery lifecycle

The diagram below describes the controlled recovery workflow. These steps are not public user functionality — they are run by the operator under change control. Each step produces evidence the next step (or an auditor) can verify.

  1. STEP 1
    Export
    Cold, hot, or incremental bundle written from the source ledger.
  2. STEP 2
    Verify
    Strict replay against the bundle's own manifest.
  3. STEP 3
    Encrypt
    Authenticated encryption with audited primitives.
  4. STEP 4
    Publish
    Manifest-last commit to a filesystem or S3-compatible target.
  5. STEP 5
    Fetch
    Independent recovery host pulls the encrypted bundle.
  6. STEP 6
    Restore
    Decrypt and stage into a clean target — never in-place.
  7. STEP 7
    Replay Validate
    Strict re-replay confirms the restored state root.
  8. STEP 8
    Plan Promotion
    Inert, evidence-gated text plan. Operators apply it manually.

What is never included in backups

Backup bundles never include

  • Private keys of any kind
  • Admin tokens or session tokens
  • TLS private keys or certificate signing material
  • Cloud credentials, including access keys and secret access keys
  • .env files or any environment-variable dumps
  • Secret configuration files or operator passphrases

Recovery tooling refuses to package these even by accident: a secret-scanner runs over every bundle, and bundles that fail that scan never leave the operator host.

Evidence artifacts

Every stage in Verifiable Recovery emits machine-readable evidence so a future auditor can re-derive the same conclusions. Typical artifacts include:

  • Manifests
    Version, file list, expected state root, anchor count, anchor-log SHA-256.
  • SHA256SUMS
    Per-file checksums for the entire bundle.
  • Backup drill reports
    JSON + Markdown record of an end-to-end export → verify → restore → validate run.
  • DR rehearsal reports
    JSON + Markdown record of an independent fetch → verify → restore → validate → plan-promotion run, with a marker file.
  • Preflight evidence
    JSON marker, JSON + Markdown report, future-evidence manifest, and a plain-English next-steps file produced before a controlled drill is scheduled.

IPPAN ledgers are not locked inside a server. They can be exported, hashed, encrypted, restored, replay-verified, and rehearsed on independent recovery infrastructure. This makes IPPAN suitable for enterprise-grade continuity, auditability, and regulated AI-agent infrastructure.

Operator console roadmap · ops.ippan.net

Private / admin onlyRead-only first

A private operator console at ops.ippan.net is planned as the eventual home for live recovery status. The console is gated for IPPAN operators only and will be delivered in three phases:

  1. Phase A — read-only status: latest backup drill verdict, latest export type, truncated verified state root, truncated anchor-log SHA, encryption scheme, remote provider kind, latest evidence bundle hash. No action buttons.
  2. Phase B — admin-gated evidence downloads: report, manifest, and evidence-bundle downloads behind strong operator authentication.
  3. Phase C — admin-gated operational controls: run backup drill, publish backup, run DR rehearsal, run preflight, generate promotion plan. Every control produces evidence; promotion remains a separate, manually confirmed change.

The console will never expose private keys, admin tokens, or cloud credentials to the browser, and it will never offer a one-click path that activates a restored ledger in production.

Operational recovery tooling is available only through the private operator environment at ops.ippan.net.

This page is read-only and public. It does not initiate, schedule, or authorise any backup, restore, publish, fetch, promotion, or service action. For information on access to the private operator console at ops.ippan.net, contact your IPPAN operator point of contact.

For public DevNet ledger visibility, visit IPPAN Explorer. The Explorer is a separate read-only public app and is distinct from the operator console.