Walwarden Docs
Reference

Honest capability claims

The exact table of what walwarden can and cannot claim, kept in sync with shipping code.

This page is the canonical source for what walwarden can claim. Marketing copy, pitch decks, and technical writeups must not exceed these claims. The design commitment is copy-equals-code parity.

Update this page alongside each capability landing. Do not add a claim before the behavior is shipped and tested.

Shipping (as of 2026-05-26)

CapabilityNotes
Scheduled logical backup (pg_dump) to BYO S3Neon and Supabase-compatible Postgres. Worker streams bytes direct to customer-owned S3.
Ed25519-signed manifests and audit chainEvery artifact is signed at write time. Verifiable offline via @walwarden/verifier without trusting the walwarden dashboard.
Dashboard backup history and RPO-at-a-glanceShows last backup time, artifact size, manifest hash, and loss window at a glance.
Operator-driven restore via @walwarden/cliDashboard issues a short-lived token; CLI runs pg_restore on the customer's machine; full audit chain written for every state transition.
Live restore progress on dashboard (SSE)State transitions stream to the dashboard in real time via the audit event channel.
Evidence bundle exportDownloadable bundle including the signed manifest and full audit event chain. Verifiable offline.

Not yet shipped

CapabilityStatus
Automated restore drill (cron-driven, ephemeral target)Deferred. Operator-driven restore only.
Continuous PITR / WAL streamingDeferred. Scheduled logical backups only.
Automated restore verification (unattended drill)Deferred.

Do not use the following phrases in documentation, marketing copy, or customer communications until the corresponding capability has shipped:

  • "Automated restore drill" or "automated restore verification"
  • "PITR" or "point-in-time recovery"
  • "continuous backup"
  • "unattended restore"

Trust boundary claims (always true)

These are architectural invariants, not features. They hold for every restore.

  • Walwarden never holds the customer's target-DB write credentials.
  • Walwarden never proxies or stores the dump bytes. The CLI pulls directly from S3 via a short-lived presigned URL.
  • The restore audit chain records every state transition. Customers see the full evidence trail in the dashboard.
  • The signed manifest can be verified offline without trusting walwarden's servers.

Source documents

These claims are derived from and must remain consistent with:

  • CLAUDE.md (repo root) — Shipping capabilities table
  • docs/marketing/brand-and-positioning-anchor.md — Honest capability claims section
  • docs/runbooks/cli-restore-live-e2e.md — Honest claims after a successful run

Exit codes

The five exit codes walwarden restore returns and what each means.

Trust boundary

What walwarden holds, what walwarden never holds, and how the architecture enforces it.

On this page

Shipping (as of 2026-05-26)Not yet shippedTrust boundary claims (always true)Source documents