Production Safety

Backup Readiness

WarpIntel keeps recovery planning visible as aggregate counts while database connection values, migration tags, SQL dumps, restore artifacts, provider console details, token ciphertext, and private EVE data stay out of public pages, health snapshots, smoke logs, screenshots, and readiness feeds.

StatusReady

Public backup readiness is count-only and protected setup details remain private.

Migrations25

Migration ledger count is tracked without exposing migration names, SQL, or rollback targets.

Protected Checks3

Setup packet and dry-run coverage stay behind protected admin routes.

Restore DrillPending

Recovery drill status is honest: ready to review, but no public claim of a verified restore yet.

Acceptance Criteria5

Required pass/fail evidence is defined before any real restore drill can be marked verified.

Activation Criteria8

Recovery stays gated until all public-safe activation criteria are ready.

Owner Handoff6

Restore-drill owner handoff steps are ready for secret-free review.

Rollback Paths3

Deployment, data, and environment rollback decisions are documented before a drill.

4/5Ready checks

4Proof targets

5Safe exports

OnNo-mutation dry run

5Required criteria

7Criteria ready

1Criteria gated

6Owner review steps

Ready

WarpIntel Neon project boundary

Protected recovery guidance requires the dedicated WarpIntel Neon project and excludes separate-project backup paths.

Ready

Migration ledger ready

Drizzle migration count is recorded so restore review can compare schema state without exposing migration tags or SQL bodies publicly.

Ready

Runtime database gate

The production database connection must be present in protected runtime configuration before a restore drill can be attempted.

Ready

Protected heartbeat gate

Protected cron health checks must be able to authenticate before recovery evidence can prove scheduled health after a restore.

Ready

Safe recovery exports ready

Protected no-secret exports cover ops snapshot, ops review, queue CSV, route smoke, and account export comparison evidence.

Ready

Restore acceptance criteria ready

A real restore drill must prove release fingerprint, route smoke, migration ledger, ops snapshot, and tracker evidence.

Ready

Protected dry run without provider mutation

Protected dry runs validate the recovery boundary without restoring Neon, rolling back Vercel, reading env vars, writing database rows, or dumping secrets.

Gated

Owner-reviewed restore drill gate

Backup recovery is not launch-ready until a real restore drill is owner-reviewed and recorded with secret-free evidence.

Ready

Coverage

Recovery prerequisites are tracked as public-safe counts while restore artifacts stay protected.

25 recorded

Migration Ledger

Migration count is visible without exposing migration tags, SQL bodies, or database connection values.

3 checks

Protected Review

Setup packet, recovery dry-run, and restore-drill rehearsal coverage stay behind protected admin routes.

Ready

Restore Drill

The app is ready for an owner-reviewed drill; the public page does not claim a real restore is verified.

5 required

Acceptance Criteria

A real restore drill must prove release fingerprint, route smoke, migration ledger, ops snapshot, and tracker evidence before it is marked verified.

6 steps

Owner Handoff

The restore drill has a secret-free handoff covering baseline, provider boundary, isolated restore, migration reconcile, proof review, and tracker record.

3 paths

Rollback Decisions

Deployment, data-restore, and environment-boundary rollback decisions are documented without exposing provider artifacts.

Owner Review

Pre-drill baseline

Record the current commit, deployment host, route-smoke floor, and no-secret health status.

Owner Review

Provider scope check

Confirm the drill uses only WarpIntel provider projects and does not touch separate-project assets.

Owner Review

Isolated restore path

Use an isolated branch/restore target first, then record only provider name and pass/fail status.

Owner Review

Migration reconcile

Confirm migration count alignment without publishing migration tags, SQL, or database URLs.

Owner Review

App proof review

Compare protected route and ops summaries before and after the drill without exporting secrets.

Owner Review

Tracker and release record

Record secret-free commit, deployment, route status, and owner decision notes.

Decision

Deployment regression

Rollback evidence is limited to commit, deployment, status code, and route count.

Decision

Data restore mismatch

Provider artifacts, SQL dumps, token ciphertext, and row-level private data stay excluded.

Decision

Environment boundary mismatch

Decision notes identify the boundary category only, not secret names or values.

Covered

migration ledger

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

runtime readiness

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

ops heartbeat

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

safe exports

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

restore drill

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

acceptance criteria

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

owner handoff

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

Covered

rollback decision points

Represented in public readiness as aggregate status only; private implementation evidence stays protected.

excluded