{"results":[{"id":"automated-recovery-impossible-without-external-tooling","text":"Automated server recovery is impossible without comprehensive external tooling — rescue mode requires manual multi-step intervention (explicit reboot, per-attempt SSH key setup, type selection) while the broader safety model is fundamentally user-responsible (explicit backup strategy, shallow protection flags), creating a gap where no platform-native path exists from failure detection to restored operation.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-two-strategies-cost-control-tradeoff","text":"Hetzner offers two complementary data protection strategies with inverse cost/control tradeoffs: automatic backups (simple, fixed 20% server cost, max 7 retained, no user intervention) and manual snapshots (full control over timing and retention, per-GB billing, unlimited count).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"complete-ingress-zero-downtime-safe","text":"The fully managed Hetzner ingress pipeline — DNS zones with granular RRSet mutation, managed TLS certificates, hybrid load balancers with health checks — supports zero-downtime production traffic management with resource protection and incremental record updates at every layer.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"data-protection-requires-explicit-strategy","text":"Server operations include destructive paths (rebuild replaces root disk, poweroff/reset are non-graceful) and Hetzner's two data protection strategies have inverse cost/control tradeoffs (automatic backups: simple but capped at 7; snapshots: flexible but manual and per-GB), meaning data protection requires deliberate architectural decisions — there is no implicit safety net covering both convenience and retention depth.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ddos-protection-free-hardware-based","text":"Hetzner DDoS protection is free and hardware-based, applied at the datacenter perimeter.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"deletion-safety-net-comprehensive","text":"Hetzner's multi-layer deletion safeguards (protection flags requiring explicit disable, deprecated image blocking, required flags for destructive operations) combined with the consistent delete-only protection pattern form a comprehensive safety net across all resource types — when the DNS zone import destructive-replace behavior is addressed as the remaining gap.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"destructive-operation-multi-layer-safeguards","text":"Hetzner Cloud employs multiple safeguard layers against destructive operations: resource protection (must disable before delete), deprecated image blocking (opt-in required), and explicit required flags — preventing accidental data loss through defense in depth.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"dns-zone-management-production-safe","text":"Hetzner DNS zone management supports production-safe workflows with resource protection, granular RRSet-level mutation (append/replace/delete independently), and secondary zone replication for redundancy.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"governance-gap-widens-at-scale","text":"Hetzner's governance gap widens super-linearly with deployment complexity — single-project deployments face shallow protection and billing traps, but multi-project deployments compound credential explosion with API paradigm bridging requirements, demanding progressively heavier external governance infrastructure as scope grows.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"governance-must-bridge-api-paradigms","text":"External governance tooling for Hetzner must itself bridge the API paradigm gap — resource protection gaps (predominantly delete-only, no RBAC) and billing transparency issues span both the Cloud API (modern Bearer/JSON) and Robot API (legacy Basic/URL-encoded), meaning governance cannot be implemented against a single API surface and no unified governance integration point exists within the platform.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-ddos-protection-free","text":"DDoS protection is free and implemented via hardware appliances","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-free-services-list","text":"DDoS protection, firewalls, private networks, 24/7 support, and IPv6 are all free on Hetzner Cloud.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-lb-protection-type-delete-only","text":"The only protection type available for Hetzner Cloud Load Balancers is `delete`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-network-only-protection-type-is-delete","text":"Delete protection is the only protection type available for Hetzner Cloud networks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-network-resource-protection","text":"Hetzner Cloud Networks support resource protection that must be explicitly enabled/disabled via `enable-protection` and `disable-protection` subcommands.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-primary-ip-protection-type-delete-only","text":"The `--enable-protection` flag on `hcloud primary-ip create` only supports the `delete` protection type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-server-create-protection-options","text":"Server protection options are limited to `delete` and `rebuild`, set via `--enable-protection`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-server-resource-protection","text":"Server resource protection in Hetzner Cloud prevents accidental deletion and rebuild.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-volume-create-protection-only-delete","text":"`hcloud volume create --enable-protection` only supports `delete` protection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"hcloud-volume-protection-must-disable-before-delete","text":"Volume resource protection must be explicitly disabled before a protected volume can be deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":40,"limit":20,"offset":0}