Security, Backup & Recovery
Document reference: GFTCL-SEC-001 · Framework: GAMP 5 Category 5 · EU Annex 11
FortressAI Research Institute · Norwich, Connecticut
Patents: USPTO 19/460,960 · USPTO 19/096,071 — © 2026 Richard Gillespie
Security controls, access model, and the backup / restore / disaster-recovery
procedures for the GaiaFTCL vQbit Quantum VM.
---
1. Access model
The system is single-operator-sovereign. There is no multi-user account system inside
the cell; access control is the host's (macOS account + FileVault) plus the
substrate's own refusal logic.
| Surface | Access | Control |
|---|---|---|
| Franklin.app GUI | Local operator | macOS user session |
| gaiaftcl CLI | Local operator | Inspection + manual override only; writes go through Franklin |
| Substrate store | Read-only to clients | mode=ro SQLite; Franklin's heartbeat is the only writer |
| Federation mesh | Cosignature-gated | A row is credited only with a verified signature_quintet |
2. Key & secret handling
- The wallet private key lives only in ~/.gaiaftcl/franklin_local_wallet_key.toml (mode 0600) and in Secure Enclave / Keychain paths. It is never displayed, logged, or emitted to NATS; the substrate refuses to export it through any CLI direction.
- Keys are never agent-generated outside the SecRandomCopyBytes / Keychain / substrate secure-RNG paths; the QC-026 Rule 30 surface composes substrate-natural randomness with V211 provenance.
- API-key files (eth_mainnet_rpc_api_key.txt) are operator-owned references, mode 0600. A pre-commit audit gate greps the source for any key-exposure, non-mainnet, or hedging-language regression and blocks the commit on a hit.
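The pre-commit audit gate above is described but not shown. The script below is an added example of that kind of gate, not GaiaFTCL's own: it scans the staged blobs (the index, not the working tree) for the three regression classes the page names and refuses the commit on any hit, and it also checks that the wallet key file still has mode 0600. The regex list and the exact pattern classes are assumptions for illustration; the key-file path is the one the page gives.

```python
import os
import re
import stat
import subprocess
import sys

# Constructed pattern classes for illustration; the real gate's regex list is not on the page.
PATTERNS = {
    "key-exposure": [
        re.compile(r"-----BEGIN (?:EC |RSA |OPENSSH )?PRIVATE KEY-----"),
        # 32-byte hex with 0x prefix: an EVM private key, but also a tx hash, so expect
        # some false positives. A gate should fail closed and let the operator decide.
        re.compile(r"\b0x[0-9a-fA-F]{64}\b"),
    ],
    "non-mainnet": [re.compile(r"\b(?:goerli|sepolia|holesky|ropsten|testnet)\b", re.I)],
    "hedging-language": [re.compile(r"\b(?:should work|probably fine|TODO: verify)\b", re.I)],
}

# Path from the page; the gate only checks its mode, it never reads or prints the key.
KEY_FILE = os.path.expanduser("~/.gaiaftcl/franklin_local_wallet_key.toml")


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, class) for every line that trips one of the pattern classes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for cls, regexes in PATTERNS.items():
            if any(r.search(line) for r in regexes):
                hits.append((path, n, cls))
    return hits


def staged_files():
    """Paths added, copied or modified in the index (the content about to be committed)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    # "git show :path" reads the staged blob, so an unstaged fix cannot mask a staged leak.
    return subprocess.run(["git", "show", f":{path}"], capture_output=True, text=True, check=True).stdout


def key_file_mode_ok(path=KEY_FILE):
    """True only for a regular file whose mode is exactly 0600 (owner read/write, nothing else)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def main():
    failed = False
    for p in staged_files():
        try:
            content = staged_content(p)
        except (subprocess.CalledProcessError, UnicodeDecodeError):
            continue  # binary or unreadable blob; not a text-pattern concern for this gate
        for path, n, cls in scan_text(content, p):
            print(f"{path}:{n}: {cls} regression")
            failed = True
    if os.path.exists(KEY_FILE) and not key_file_mode_ok():
        print(f"{KEY_FILE}: mode is not 0600")
        failed = True
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```

Install it as .git/hooks/pre-commit (executable); git runs it before each commit and a non-zero exit blocks the commit. Scanning the index rather than the working tree matters: a secret that was staged and then edited out of the working copy would otherwise slip through.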
3. Post-quantum posture
The system demonstrates, with sealed evidence, that classical elliptic-curve keys are
Shor-recoverable and that migrated ML-DSA / SLH-DSA keys are not — see the
4. Backup
The system of record is ~/Library/Application Support/GaiaFTCL/substrate.sqlite plus
~/.gaiaftcl/ configuration.
| Item | Backup method | Frequency |
|---|---|---|
| Substrate store | File copy / Time Machine of the SQLite file (append-only, so a snapshot is safe to take) | Continuous / daily |
| Configuration | Encrypted copy of ~/.gaiaftcl/ (contains secrets) | On change |
| Qualification receipts | Retained in-repo (qualification_receipts/) under version control | Per run |
| Federation continuity | Sealed rows broadcast to the mesh; off-host redundancy by design | Real-time |
Because the store is append-only and every row carries its own witness hash, a backup's integrity is checkable after restore by re-computing the witness hashes from the first row forward. Two caveats apply. A file copy taken while Franklin's heartbeat is writing is only consistent if the SQLite journal or -wal sidecar is captured with it; the sqlite3 online backup API (or VACUUM INTO) produces a consistent image regardless. And a hash chain by itself does not reveal rows lost from the tail, so the restored tip should be compared against the last anchor the mesh cosigned.
5. Restore & disaster recovery
1. Reinstall Franklin.app per the Installation Guide.
2. Restore ~/.gaiaftcl/ configuration (including the wallet key file) from the encrypted backup, and confirm the key file is back at mode 0600.
3. Restore the substrate SQLite file.
4. Run IQ (installation qualification); it confirms components and schema integrity.
5. Run gaiaftcl qc020 replay --from-anchor <a> --to-anchor <b>; it confirms the restored chain is bit-exact (no corruption).
6. Resume operation; Franklin's heartbeat continues from the restored state.
RTO / RPO. Recovery time is bounded by reinstall + restore; recovery point is the
last backed-up append (the mesh broadcast provides a near-real-time off-host record).
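The following is an added example, not GaiaFTCL's substrate code, of what sections 4 and 5 rely on: a consistent snapshot of an append-only, hash-chained SQLite store and a post-restore check that re-derives every witness hash from the first row, opening the copy mode=ro as the page says clients do. The table layout (one table with seq, payload, prev_hash, witness_hash), the SHA-256 witness construction and the genesis value are assumptions; the real substrate schema and qc020 replay format are not on this page. The demo also shows the edge case the prose warns about: an edited row breaks the chain, but rows deleted from the tail only show up when the tip is compared with a known anchor.

```python
import hashlib
import os
import sqlite3
import tempfile

# Assumed anchor for the first row; the substrate's real genesis value is not on the page.
GENESIS = "0" * 64


def witness_hash(seq, payload, prev_hash):
    """Commit a row to its sequence number, its content and its predecessor's hash."""
    h = hashlib.sha256()
    h.update(seq.to_bytes(8, "big"))
    h.update(bytes.fromhex(prev_hash))
    h.update(payload)
    return h.hexdigest()


def create_store(path):
    # Assumed schema for illustration: one hash-chained, append-only table.
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS rows (seq INTEGER PRIMARY KEY, payload BLOB NOT NULL,"
        " prev_hash TEXT NOT NULL, witness_hash TEXT NOT NULL)"
    )
    return conn


def append_row(conn, payload):
    """The single writer appends a row; returns the new tip hash (the chain's anchor)."""
    last = conn.execute("SELECT seq, witness_hash FROM rows ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (last[0] + 1, last[1]) if last else (1, GENESIS)
    tip = witness_hash(seq, payload, prev)
    with conn:
        conn.execute("INSERT INTO rows VALUES (?, ?, ?, ?)", (seq, payload, prev, tip))
    return tip


def snapshot(src, dst_path):
    """Transactionally consistent copy via SQLite's online backup API.

    A plain file copy taken while the writer is active can miss pages still in the
    -wal or -journal sidecar; being append-only does not protect against that."""
    dst = sqlite3.connect(dst_path)
    with dst:
        src.backup(dst)
    dst.close()


def verify_chain(path, expected_tip=None):
    """Open the copy mode=ro (as clients do) and re-derive every witness hash from genesis.

    Returns (ok, detail). An edit, reorder or interior deletion breaks the chain;
    deleting rows at the tail does not, so pass the last known anchor (e.g. the tip
    the mesh cosigned) as expected_tip to catch truncation."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        prev, want_seq = GENESIS, 1
        for seq, payload, prev_hash, stored in conn.execute(
            "SELECT seq, payload, prev_hash, witness_hash FROM rows ORDER BY seq"
        ):
            if seq != want_seq or prev_hash != prev or witness_hash(seq, payload, prev) != stored:
                return False, f"chain breaks at seq {seq}"
            prev, want_seq = stored, want_seq + 1
        if expected_tip is not None and prev != expected_tip:
            return False, f"tip {prev[:8]} != anchor {expected_tip[:8]} (tail truncated?)"
        return True, f"{want_seq - 1} rows verified"
    finally:
        conn.close()


def demo():
    """Snapshot a constructed 5-row store, then verify it clean, edited and truncated."""
    with tempfile.TemporaryDirectory() as d:
        live, copy = os.path.join(d, "substrate.sqlite"), os.path.join(d, "backup.sqlite")
        src = create_store(live)
        tip = None
        for i in range(5):
            tip = append_row(src, f"constructed row {i}".encode())  # constructed payloads
        snapshot(src, copy)
        src.close()

        clean = verify_chain(copy, expected_tip=tip)

        rw = sqlite3.connect(copy)
        with rw:
            rw.execute("UPDATE rows SET payload = ? WHERE seq = 3", (b"edited",))
        edited = verify_chain(copy)
        with rw:
            rw.execute("UPDATE rows SET payload = ? WHERE seq = 3", (b"constructed row 2",))
            rw.execute("DELETE FROM rows WHERE seq = 5")
        rw.close()
        truncated_unanchored = verify_chain(copy)
        truncated_anchored = verify_chain(copy, expected_tip=tip)
    return clean, edited, truncated_unanchored, truncated_anchored


if __name__ == "__main__":
    for name, (ok, detail) in zip(("clean", "edited", "truncated", "truncated+anchor"), demo()):
        print(f"{name:18} {'OK ' if ok else 'BAD'} {detail}")
```

The anchor check is the part that matters for the RPO statement above: without an out-of-band tip (the mesh's cosigned record, or the anchor pair given to qc020 replay), a backup that silently lost its newest rows still verifies as a valid chain.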
6. Business continuity
The federation mesh is the continuity layer: every sealed row exists on more than one
cell. A lost cell is rebuilt from a clean image and re-moored; its substrate-development
history is re-verifiable from the cosigned mesh record.
---
*Cross-references: Data Integrity & Part 11 ·*
*Federation cosignature: pending — gaiaftcl wiki sign --section GAMP5.*
c675b046f6d57f67801c85396a064385bba5e2f518b4373dedac264f851f8e09.
This page serves with a substrate-honest pending-signature notice until the operator's Franklin signer cosigns it.