# Rollback contract

## Image rollback (production)

If a published `vX.Y.Z` image is found to be broken or vulnerable:

```mermaid
flowchart TD
    Issue[Issue detected in vX.Y.Z] --> Decide{Patch fast or rollback?}
    Decide -->|patch fast| Patch[Tag vX.Y.Z+1<br/>same-day]
    Decide -->|rollback| Bump[Bump infra pin<br/>to last-known-good]
    Patch --> Bump
    Bump --> Verify[Smoke test prod]
    Verify --> Note[Mark broken tag<br/>in release notes]
    Note --> Done[Leave broken tag in GHCR<br/>do not delete]
```

**Rules:**

1. **Do not delete the broken tag.** Delete-and-re-push leaves consumers' deployments referring to nothing.
2. Publish `vX.Y.(Z+1)` with the fix.
3. Edit `edge-infra` to bump the pinned version.
4. Mark the broken tag in the GitHub release notes; **do not yank from GHCR** — retention is a compliance requirement.

See [Registry Strategy](https://github.com/NKAP360-dev/edge-governance/blob/main/REGISTRY_STRATEGY.md) for the full lifecycle.
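The rules above can be checked mechanically before the pin is bumped. The following is an added example, not code from the edge repositories: `plan_rollback` and its arguments are hypothetical names, the tag lists are constructed sample data, and preferring the closest fixed release over a rollback when one exists is an assumption.

```python
import re

SEMVER_TAG = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")

def parse(tag):
    """Return (major, minor, patch) for a vX.Y.Z tag, or None for any other tag."""
    m = SEMVER_TAG.match(tag)
    return tuple(int(part) for part in m.groups()) if m else None

def plan_rollback(registry_tags, broken_tags, current_pin):
    """Choose the next infra pin and check that broken tags were retained.

    registry_tags: tags currently listed in the registry
    broken_tags:   tags marked broken in the release notes
    current_pin:   tag pinned in the infra repo today
    """
    broken = set(broken_tags)
    # Rules 1 and 4: a broken tag stays in the registry, so flag any that vanished.
    deleted = sorted(broken - set(registry_tags))
    pinned = parse(current_pin)
    if pinned is None:
        raise ValueError(f"pin is not a vX.Y.Z tag: {current_pin!r}")
    # Candidate pins: released versions that are not marked broken, oldest first.
    good = sorted((parse(t), t) for t in registry_tags
                  if parse(t) is not None and t not in broken)
    newer = [t for ver, t in good if ver > pinned]
    older = [t for ver, t in good if ver < pinned]
    if current_pin not in broken:
        action, target = "keep", current_pin
    elif newer:
        # Assumed preference: patch forward to the closest fixed release.
        action, target = "patch-forward", newer[0]
    elif older:
        action, target = "rollback", older[-1]  # last-known-good
    else:
        action, target = "blocked", None  # nothing safe to pin
    return {"action": action, "target": target, "deleted_broken_tags": deleted}

if __name__ == "__main__":
    # Constructed sample data, not taken from a real registry.
    tags = ["v1.4.0", "v1.4.1", "v1.4.2", "latest"]
    print(plan_rollback(tags, ["v1.4.2"], "v1.4.2"))
    print(plan_rollback(tags + ["v1.4.3"], ["v1.4.2"], "v1.4.2"))
    print(plan_rollback(["v1.4.0", "v1.4.1"], ["v1.4.2"], "v1.4.2"))
```

A non-empty `deleted_broken_tags` means a broken tag was removed from the registry and should be treated as a retention finding, independent of which pin is chosen.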

## Data rollback (PocketBase)

```bash
# 1. Stop the pod
kubectl scale deploy/edge --replicas=0

# 2. Restore from backup (see Backup & recovery)
restic restore latest --target /var/lib/edge/pb_data

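# 3. Restart and wait for the rollout to finish
kubectl scale deploy/edge --replicas=1
kubectl rollout status deploy/edge

# 4. Verify (-f makes curl exit non-zero on an HTTP error status)
curl -fsS https://edge.internal.bank/health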
```

Restoring a backup means losing changes between the backup and the rollback point. Tenant ops should be notified before this is exercised.

## Cutover rollback (post-migration)

Reversibility for the GitLab→GitHub cutover was **7 days** after the DONE stamp. The window expired on 2026-06-03; see [Cutover history](/banking-readiness/cutover-history.md).

For future cutovers, the rollback contract is documented in the cutover plan **before** the GO. A rollback document `ROLLBACK_<incident-id>.md` lands in the governance repo if exercised.

## RBAC rollback

If a CODEOWNER becomes hostile or is compromised:

1. Owner revokes the CODEOWNER's GitHub org membership.
2. Owner removes the CODEOWNER from `.github/CODEOWNERS` in a single PR (no self-approval).
3. Open `admin_actions` and identify any of the CODEOWNER's recent actions to be reviewed for revert.
4. Rotate any secret they had access to (see [Gate 01](/banking-readiness/gate-01-secret-management.md) rotation SLA).

## What you can never roll back

* A leaked secret. Rotation is forward-only; the leaked credential is dead.
* A communicated incident. Once the bank GRC has been told, the timeline is fixed.
* A force-push to a public commit history. Don't do it; preserve history.

