Recovery
Everything fails eventually; recovery is the plan for when it does. Critical state is backed up to a dedicated backup server that the sending hosts can write to but never read from or delete from — so a compromised host can’t reach back and destroy its own backups. The off-Hetzner watch and the most-protected backup target are positioned so a single failure can’t take both the system and its safety net.
What is backed up, how often, and what is deliberately not — the ephemeral practice forks, for instance — is recorded here as policy, with the as-built intervals and targets in the Hardware Manifest.