But there’s a quieter edge case that seems harder to deal with: sometimes the restored state is already invalid.

Not because data is missing, but because invariants are broken: derived fields out of sync, schema changes, partial or out-of-order updates.

In those situations, retries and small heuristics tend to reproduce the problem. Restoring the latest snapshot just restores the failure.

At that point, rollback to a last known good state seems like the only deterministic option.

I wrote down some thoughts on where autosave reaches its limit here: https://zippers.dev/blog/why-savior-safestate-recovery-exists