# Backup and Rollback Design

Phase 1 backup and rollback support is designed for signed updates and marketplace-safe self-hosted installs.

## Backup Manifest

Every pre-update backup should produce a portable manifest:

```text
format
format_version
reason
version
created_at
artifacts[]
redaction_required
restore_requires_signature_check
```

Required artifacts:

- files snapshot
- database snapshot
- previous release manifest

## Rollback Plan

Rollback must:

1. Enter maintenance mode.
2. Verify backup manifest.
3. Verify file snapshot.
4. Restore files.
5. Restore database snapshot.
6. Restore previous release manifest.
7. Clear caches.
8. Run health checks.
9. Exit maintenance mode.
10. Record rollback audit event.

## Hard Stops

- missing backup manifest
- manifest checksum mismatch
- database snapshot missing
- target version incompatible
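
A preflight for steps 2 and 3 of the rollback plan that reports the hard stops above before any restore step runs. This is an added example, not code from the project. The artifact `kind` labels, the per-artifact `sha256` field, the trusted out-of-band manifest digest, the caller-supplied set of compatible versions, and treating a failed file snapshot check as a stop are all assumptions; the sample manifest values are constructed.

```python
import hashlib
import hmac
import json

# Assumed "kind" labels for artifacts[] entries; the page names the artifacts, not their encoding.
FILES, DATABASE, RELEASE = "files_snapshot", "database_snapshot", "previous_release_manifest"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def preflight(manifest_bytes, expected_manifest_sha256, blobs, compatible_versions):
    """Return the hard stops found before any restore step; [] means proceed.

    blobs maps artifact kind -> bytes actually present (a constructed stand-in
    for real snapshot files). expected_manifest_sha256 is assumed to come from
    a trusted record written at backup time.
    """
    if manifest_bytes is None:
        return ["missing backup manifest"]
    # Compare digests before parsing so a tampered manifest is never interpreted.
    if not hmac.compare_digest(sha256_hex(manifest_bytes), expected_manifest_sha256):
        return ["manifest checksum mismatch"]
    manifest = json.loads(manifest_bytes)
    listed = {a["kind"]: a for a in manifest["artifacts"]}
    stops = []
    if DATABASE not in listed or DATABASE not in blobs:
        stops.append("database snapshot missing")
    if manifest["version"] not in compatible_versions:
        stops.append("target version incompatible")
    # Step 3 of the rollback plan: the file snapshot must match its recorded digest.
    entry = listed.get(FILES)
    if entry is None or sha256_hex(blobs.get(FILES, b"")) != entry["sha256"]:
        stops.append("file snapshot verification failed")
    return stops


def build_sample():
    """Constructed sample backup: artifact blobs plus a manifest describing them."""
    blobs = {FILES: b"files-tar", DATABASE: b"db-dump", RELEASE: b"{}"}
    manifest = {
        "format": "backup-manifest", "format_version": 1, "reason": "pre-update",
        "version": "1.4.2", "created_at": "2024-01-01T00:00:00Z",
        "artifacts": [{"kind": k, "sha256": sha256_hex(v)} for k, v in blobs.items()],
        "redaction_required": False, "restore_requires_signature_check": True,
    }
    raw = json.dumps(manifest, sort_keys=True).encode()
    return raw, sha256_hex(raw), blobs
```

Running the preflight after entering maintenance mode and before step 4 keeps a failed check from leaving files and database restored to different points in time.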

