Cargo A/C

Restore Runbook

Tested disaster-recovery procedure for the auth.cargo.ac identity store.

RPO         ≤ 5 min    Max acceptable data loss (via PITR)
RTO         ≤ 60 min   Max time to restore service
Encryption  AES-256    Dumps encrypted before upload
Retention   12 mo      Longest archive horizon

Recovery procedure

  1. Declare the incident
     Freeze writes, notify on-call, record the recovery objective (RPO/RTO).

  2. Select a restore point
     Choose the latest clean PITR timestamp or pg_dump artifact before the fault.

  3. Provision a staging target
     Restore into an isolated staging backend before touching production.

  4. Verify integrity
     Run row-count and checksum checks on profiles, user_roles and audit_log.

  5. Cut over
     Repoint auth.cargo.ac at the verified restore; rotate the OAuth signing keys (JWKS) if compromise is suspected.

  6. Post-mortem
     Record the timeline in the audit log and update this runbook.
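The integrity check in step 4 is the point where a bad restore (a missing audit entry, a role that was altered before the dump was taken) must be caught before cut-over. The script below is an added illustration of that check, not part of the runbook or of the Cargo A/C tooling. It uses an in-memory SQLite database as a stand-in for the staging Postgres backend, with constructed sample rows and assumed column layouts for the three tables; the comparison logic (row count plus a SHA-256 digest over canonically sorted rows, captured from the source and re-computed on the restore) is what carries over.

```python
import hashlib
import sqlite3

# The three tables the runbook's step 4 names. Table names come only from
# this fixed allowlist, which is why they can be interpolated into SQL below.
CHECKED_TABLES = ("profiles", "user_roles", "audit_log")

# Assumed schema for the stand-in database (not the real identity store's).
SCHEMA = """
CREATE TABLE profiles   (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE user_roles (user_id INTEGER, role TEXT);
CREATE TABLE audit_log  (id INTEGER PRIMARY KEY, actor TEXT, action TEXT);
"""

# Constructed sample data standing in for a snapshot of the source database.
SAMPLE_ROWS = {
    "profiles": [(1, "ops@example.test"), (2, "dev@example.test")],
    "user_roles": [(1, "admin"), (2, "viewer")],
    "audit_log": [(1, "ops@example.test", "login"), (2, "dev@example.test", "login")],
}


def make_db(rows):
    """Build an in-memory database holding the given rows per table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, data in rows.items():
        placeholders = ",".join("?" * len(data[0]))
        conn.executemany(f'INSERT INTO "{table}" VALUES ({placeholders})', data)
    return conn


def table_digest(conn, table):
    """Return (row_count, sha256_hex) for one table.

    Each row is rendered as a tab-separated string, the strings are sorted,
    and the sorted sequence (prefixed by the column names) is hashed. Sorting
    makes the digest independent of physical row order, which legitimately
    differs between a live database and a freshly restored one.
    """
    cur = conn.execute(f'SELECT * FROM "{table}"')
    cols = [d[0] for d in cur.description]
    rows = sorted("\t".join(repr(v) for v in r) for r in cur.fetchall())
    h = hashlib.sha256()
    h.update("\t".join(cols).encode())
    for line in rows:
        h.update(b"\n")
        h.update(line.encode())
    return len(rows), h.hexdigest()


def build_manifest(conn):
    """Capture count + digest for every checked table (taken on the source)."""
    return {t: table_digest(conn, t) for t in CHECKED_TABLES}


def verify_restore(expected, restored_conn):
    """Compare a restored database against a manifest captured earlier.

    Returns a list of findings; an empty list means every checked table
    matches on both row count and content digest.
    """
    findings = []
    actual = build_manifest(restored_conn)
    for table in CHECKED_TABLES:
        exp_count, exp_hash = expected[table]
        act_count, act_hash = actual[table]
        if exp_count != act_count:
            findings.append(f"{table}: row count {act_count} != expected {exp_count}")
        elif exp_hash != act_hash:
            findings.append(f"{table}: row count matches but content digest differs")
    return findings


def demo():
    """Run the check against one faithful restore and one defective restore."""
    source = make_db(SAMPLE_ROWS)
    manifest = build_manifest(source)

    # Faithful restore: same rows loaded in a different physical order.
    shuffled = {t: list(reversed(r)) for t, r in SAMPLE_ROWS.items()}
    good = verify_restore(manifest, make_db(shuffled))

    # Defective restore: one role silently changed, one audit entry missing.
    tampered = dict(SAMPLE_ROWS)
    tampered["user_roles"] = [(1, "admin"), (2, "admin")]
    tampered["audit_log"] = SAMPLE_ROWS["audit_log"][:1]
    bad = verify_restore(manifest, make_db(tampered))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("faithful restore findings:", good)
    print("defective restore findings:", bad)
```

The manifest should be taken from the source (or from the dump at the moment it was produced) and stored alongside the encrypted artifact, so that the staging restore is compared against a value the restore itself cannot influence. A row-count match alone is not enough: the altered role above passes the count and is only caught by the digest. Against the real Postgres backend the same per-table pair can be computed in psql with `SELECT count(*), md5(string_agg(t::text, E'\n' ORDER BY t::text)) FROM profiles AS t;`, and likewise for the other two tables.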

Rehearse this runbook against a staging restore each quarter. A restore that has never been tested is not a backup.