Restore

Restore a primary from backup

For v1 multi-machine governance, the supported recovery path is primary restore from a backed-up gov_runtime. Full remote promotion is deferred.

Required runtime contents

A usable backup includes the decision chain, signing key material, machine identity, machine registry, approval store, policy rules, imported remote sidecars, sync state, telemetry logs, Communications logs, and license state. If the primary signing key is missing, remotes must be explicitly paired again because the trust relationship changed.

Procedure

# stop services on the replacement primary
./atested stop

# restore gov_runtime from backup, then validate it
./atested restore verify --runtime /path/to/gov_runtime

# start as primary after validation passes
GOV_RUNTIME_DIR=/path/to/gov_runtime ./atested start --role primary

Restore verification checks the chain, signing material, machine identity, registry hash, import sidecars, and optional runtime components. It exits non-zero when the restored runtime is not usable as a primary.
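The procedure above can be wrapped so that a failed verification blocks the primary from starting. This is an added example, not part of atested: the `restore_primary` function, the `ATESTED` override variable and the return codes are hypothetical. It assumes `./atested stop` exits zero on success.

```shell
#!/bin/sh
# Added example: gate "start --role primary" on the exit status of
# "restore verify". Not shipped with atested.
# ATESTED is a hypothetical override for the location of the binary.
ATESTED="${ATESTED:-./atested}"

# restore_primary RUNTIME_DIR
# Returns 0 when the primary was started, 2 when the runtime directory is
# missing, 3 when stop failed, 4 when verification failed.
restore_primary() {
    runtime="$1"

    # Refuse to continue without a restored runtime directory.
    if [ -z "$runtime" ] || [ ! -d "$runtime" ]; then
        echo "restore: runtime directory not found: $runtime" >&2
        return 2
    fi

    # Step 1: stop services on the replacement primary.
    # Assumption: a non-zero exit means services may still be running,
    # so the wrapper fails closed here.
    if ! "$ATESTED" stop; then
        echo "restore: stop failed; aborting" >&2
        return 3
    fi

    # Step 2: validate the restored runtime. A non-zero exit means it is
    # not usable as a primary, so the start step is never reached.
    if ! "$ATESTED" restore verify --runtime "$runtime"; then
        echo "restore: verification failed; not starting as primary" >&2
        return 4
    fi

    # Step 3: start as primary against the validated runtime only.
    GOV_RUNTIME_DIR="$runtime" "$ATESTED" start --role primary
}
```

Call it as `restore_primary /path/to/gov_runtime` after copying the backup into place.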