Canton CRO orchestrates party & participant recovery: offline party replication, backup validation, and restore drills. No keys, no wallet, no dashboard — just a CLI you can trust in CI.
Every recovery run walks the same auditable pipeline. Each step writes its state to disk, so any run can be inspected, resumed, or re-run safely.
Create the run directory and scaffold state for a named recovery run.
Generate the step-by-step recovery plan from the manual 13-step baseline.
Validate backups and topology before anything is touched. Fail early, fail safe.
Execute the plan: offline party replication with proof artifacts at every step.
Inspect any run, or resume a safely-stopped one exactly where it halted.
apply never leaves you guessing — CRO stops safely, writes diagnosis.json, and resume picks up from the exact failed step.
Everything you need to rehearse disaster recovery on Canton — and prove it worked.
CRO operates on backups and topology only. It never sees, moves, or requires signing material — the safest possible boundary for a recovery tool.
Run apply twice and the second run is a clean no-op. Safe re-runs mean you can automate recovery without fear of double-execution.
Break the ACS import on purpose. Simulated drills run in seconds with no Canton needed; the live drill corrupts a real snapshot and Canton rejects it with a genuine error — then CRO restores and resumes.
A two-participant Canton topology on H2 persistent storage ships with the repo. Rehearse full drills with zero external infrastructure.
Every run leaves an audit trail: state JSON, diagnosis.json, and execution logs in the run directory. Evidence you can hand to compliance.
GitHub Actions workflows run LocalNet and fault-injection drills automatically. Your recovery procedure is tested on every change, not once a year.
Three proven scenarios, from clean runs to deliberately corrupted imports on real Canton.
End-to-end recovery run: plan, validate, apply. Running it a second time is a verified no-op.
Rehearse the failure path in seconds, no Canton needed: safe stop, diagnosis.json, resume from the failed step. (partial-acs-import is simulation-only by design.)
Two real participants, 13 real steps, H2 persistence — plus a real corrupted-import recovery: genuine Canton error, safe stop, restore, resume.
Clone the repo, pick a scenario, run the pipeline. Click a step to see the commands.
Clone and install dependencies — Node.js is all you need.
Walk the full pipeline against the demo run.
Inject an ACS fault and watch the safe stop + resume.
Spin up two participants and drill against real Canton.
diagnosis.json is written explaining what failed and why, and the run state is preserved. cro resume then continues from the exact failed step — no restart from scratch.demo, demo-happy, demo-broken, demo-partial) use a simulated runner and need nothing but Node.js. For the real thing, the live drill scripts bring up a two-participant Canton LocalNet on H2 persistent storage automatically (JDK 17 required; Canton OSS downloads on first run).Run your first recovery drill today — locally, safely, with proof.
Star on GitHub