Open Source · Apache-2.0

Recovery drills for Canton, before you need them.

Canton CRO orchestrates party & participant recovery: offline party replication, backup validation, and restore drills. No keys, no wallet, no dashboard — just a CLI you can trust in CI.

Get Started
$ git clone https://github.com/canton-cro/canton-cro
No key material touched Idempotent by design Proven on real Canton
operator@recovery — canton-cro
How it works

One pipeline, five verbs.

Every recovery run walks the same auditable pipeline. Each step writes its state to disk, so any run can be inspected, resumed, or re-run safely.

init

Initialize

Create the run directory and scaffold state for a named recovery run.

plan

Plan

Generate the step-by-step recovery plan from the manual 13-step baseline.

pre

Preflight

Validate backups and topology before anything is touched. Fail early, fail safe.

apply

Apply

Execute the plan: offline party replication with proof artifacts at every step.

▸▸

Status / Resume

Inspect any run, or resume a safely-stopped one exactly where it halted.

A failed apply never leaves you guessing — CRO stops safely, writes diagnosis.json, and resume picks up from the exact failed step.
Features

Built for operators, not demos.

Everything you need to rehearse disaster recovery on Canton — and prove it worked.

No keys, no custody

CRO operates on backups and topology only. It never sees, moves, or requires signing material — the safest possible boundary for a recovery tool.

Idempotent by design

Run apply twice and the second run is a clean no-op. Safe re-runs mean you can automate recovery without fear of double-execution.

Fault injection drills

Break the ACS import on purpose. Simulated drills run in seconds with no Canton needed; the live drill corrupts a real snapshot and Canton rejects it with a genuine error — then CRO restores and resumes.

LocalNet included

A two-participant Canton topology on H2 persistent storage ships with the repo. Rehearse full drills with zero external infrastructure.

Proof artifacts

Every run leaves an audit trail: state JSON, diagnosis.json, and execution logs in the run directory. Evidence you can hand to compliance.

CI-ready drills

GitHub Actions workflows run LocalNet and fault-injection drills automatically. Your recovery procedure is tested on every change, not once a year.

Drill scenarios

Rehearse every outcome.

Three proven scenarios, from clean runs to deliberately corrupted imports on real Canton.

Happy path

Full orchestration

End-to-end recovery run: plan, validate, apply. Running it a second time is a verified no-op.

$ cro init --run demo-happy
$ cro plan --run demo-happy
$ cro preflight --run demo-happy
$ cro apply --run demo-happy
✔ COMPLETE — re-run is a no-op
Fault injection · simulated

Broken & partial ACS

Rehearse the failure path in seconds, no Canton needed: safe stop, diagnosis.json, resume from the failed step. (partial-acs-import is simulation-only by design.)

$ cro drill --run demo-broken \
  --fault broken-acs-import
■ SAFE STOP — diagnosis.json written
$ cro resume --run demo-broken
✔ resumed from failed step
Live · Real Canton

LocalNet live drills

Two real participants, 13 real steps, H2 persistence — plus a real corrupted-import recovery: genuine Canton error, safe stop, restore, resume.

$ bash cli/scripts/live-drill.sh
# participant1 ⇄ participant2 · H2
✔ 13/13 real steps · ACS assert OK
$ bash cli/scripts/live-fault-drill.sh
✔ real break → restore → resume
Quickstart

Your first drill in minutes.

Clone the repo, pick a scenario, run the pipeline. Click a step to see the commands.

1

Install

Clone and install dependencies — Node.js is all you need.

2

Run the happy path

Walk the full pipeline against the demo run.

3

Break it on purpose

Inject an ACS fault and watch the safe stop + resume.

4

Go live on LocalNet

Spin up two participants and drill against real Canton.

# clone & install (CLI lives in cli/)
git clone https://github.com/canton-cro/canton-cro.git
cd canton-cro/cli
npm install

# verify the CLI
npm run cro -- --help
# the full pipeline
npm run cro -- init --run demo
npm run cro -- plan --run demo
npm run cro -- preflight --run demo
npm run cro -- apply --run demo

# inspect the run
npm run cro -- status --run demo
# inject a broken ACS import
npm run cro -- drill --run demo-broken \
  --fault broken-acs-import

# safe stop → diagnosis.json → resume
npm run cro -- resume --run demo-broken
# from the repo root (needs JDK 17; Canton OSS auto-downloads)
# 13 real steps against two real participants on H2
bash cli/scripts/live-drill.sh

# real break → diagnose → restore → resume
bash cli/scripts/live-fault-drill.sh
FAQ

Frequently asked questions.

What exactly does Canton CRO do?
It orchestrates party and participant recovery on Canton: offline party replication, backup validation, and restore drills. Think of it as a rehearsal harness for the day something goes wrong — with proof that your procedure works.
Does it touch my keys or funds?
No. CRO requires no keys, no wallet, and no dashboard. It works exclusively with backups and participant topology. The threat model in the repo documents exactly what it touches — and what it never can.
What happens when a recovery step fails?
CRO performs a safe stop: execution halts, a diagnosis.json is written explaining what failed and why, and the run state is preserved. cro resume then continues from the exact failed step — no restart from scratch.
Can I try it without any Canton infrastructure?
Yes. The demo runs (demo, demo-happy, demo-broken, demo-partial) use a simulated runner and need nothing but Node.js. For the real thing, the live drill scripts bring up a two-participant Canton LocalNet on H2 persistent storage automatically (JDK 17 required; Canton OSS downloads on first run).
How do I know the drills reflect reality?
The orchestration follows the documented 13-step baseline, executed and logged end to end on real Canton (see the live run log in the repo). The fault drill is real too: it corrupts an exported snapshot and Canton rejects the import with a genuine error before CRO restores and resumes. Both run in CI on every push.
Is it open source?
Yes — Apache-2.0 licensed. Source, threat model, operator runbook, and live drill logs are all public on GitHub. Issues and contributions welcome.

Don't wait for the incident.

Run your first recovery drill today — locally, safely, with proof.

Star on GitHub