CottonBackups and auto-restore
Backups and auto-restore

Backups that live inside the same protected storage model.

Cotton treats database backup artifacts as part of the product's operating model. PostgreSQL dumps can be chunked, stored through Cotton storage, discovered through latest backup metadata, verified, and used for startup restore when the database is empty.

PostgreSQL dumpChunked backupsAuto-restoreHash verificationAdmin notifications

PostgreSQL dump artifacts

Cotton can periodically create PostgreSQL dumps and store the resulting backup artifacts through its own storage pipeline. That means backup bytes are not a separate mystery folder beside the product model.

  • Backup artifacts are stored through Cotton's chunk pipeline.
  • The same storage model can protect backup bytes and normal file bytes.
  • The database remains the source of truth for live product metadata.

Manifest and latest pointer

Backup discovery depends on metadata, not filename guessing. Cotton can keep manifest and pointer records for the latest backup so startup restore can find the intended artifact.

  • The latest backup pointer identifies the current candidate.
  • The backup manifest describes chunks that make up the dump.
  • Pointer and manifest data are part of the protected backup surface.

Manual checkpoint

Admins can trigger a backup job on demand through the server API when they want an immediate checkpoint before a risky maintenance step or upgrade.

Empty database auto-restore

When restore-if-empty mode is explicitly configured, Cotton can check at startup whether the database is empty, find the latest backup manifest, rebuild the dump from stored chunks, verify hash and size integrity, and restore automatically.

Verification before trust

The restore path should not blindly stream whatever bytes exist. Cotton can verify backup size and hash before restoring so corruption is a recovery signal instead of a silent partial import.

Admin notification

After auto-restore, Cotton can ensure required PostgreSQL extensions and send high-priority admin notifications with backup metadata. Operators should know that recovery ran and which artifact was used.

Recovery path proof

The backup flow is concrete: PostgreSQL dump, chunked storage artifact, latest pointer, backup manifest, hash/size verification, empty-database startup restore, extension check, and high-priority admin notification.

Recovery belongs in the product

Cotton is easier to operate when recovery is not a README footnote. Database backups are visible as an operating model, tied to the same storage discipline that protects normal content.

Still not your whole backup strategy

Storage-native database restore is useful, but it is not a replacement for tested off-box backups. Full host loss, broken storage, wrong key custody, operator mistakes, ransomware, and disaster recovery still need an external backup plan.

Recovery proof

A database backup should be discoverable, verified, and visible.

Cotton's backup story is operational rather than theatrical. It gives the app a product-level recovery layer without pretending it replaces the boring external backup discipline serious operators still need.

Backup/restore eventBackup metadata and auto-restore completion belong in the operator surface so recovery is visible when it happens.

Dump

Cotton creates a PostgreSQL dump through the server backup job.

Store

The dump becomes chunked backup artifacts inside Cotton storage.

Point

Latest pointer and manifest metadata identify the restore candidate.

Verify

Restore can validate hash and size before trusting the rebuilt dump.

Restore

An empty database can be restored on startup when explicitly configured.

Notify

Admins receive high-priority recovery metadata after auto-restore.

Configured restore

Auto-restore is explicit because recovery is dangerous when implicit.

The startup restore path belongs behind COTTON_RESTORE_DATABASE_IF_EMPTY=true and an empty database check. A normal restart should not overwrite an existing database just because a backup exists.

  • Keep the chunk storage volume durable.
  • Keep the master key recoverable outside the host.
  • Test restore before treating backups as real.
  • Keep off-box backups for full host or storage loss.
  • Watch admin notifications after automatic restore.
  • Document who can trigger manual backup checkpoints.
FAQ

Direct answers

Does auto-restore run on every startup?

No. The intended path is explicitly configured empty-database restore. Existing databases should not be overwritten just because the app restarts.

Can this replace offsite backups?

No. It is a useful product-level recovery layer, but serious deployments still need tested off-box backups for full machine loss, storage loss, key loss, or operator mistakes.

Why store database backups through Cotton storage?

It keeps backup artifacts in the same protected storage model: chunks, manifest metadata, latest pointer discovery, and integrity verification instead of an unrelated loose dump file.

What should admins see after restore?

Admins should get a high-priority notification with enough metadata to know that auto-restore ran and which backup artifact was used.