# Upgrade and Installed-Asset Drift Fleet source assets and installed assets can differ after an update, but FCM-M5-001 does not add a trustworthy source-versus-installed revision detector or refresh command. Do not infer freshness from checkout presence, timestamps, generated environment files, running sessions, or a ready migration preview. ## Current safe boundary - The canonical roster remains authority and must survive package/framework refresh. - Generated projections are rebuilt from that roster after the installed contract is independently verified. - Operator `roles.local`, `.env.local`, and private quarantine evidence are not generated assets and must not be overwritten. - Baseline roles, schemas, examples, service presets, launcher helpers, and systemd templates must move as one reviewed release set. - Remote/connector inventory and `mos-comms` are not promoted into permanent architecture by an update. - No update may start an agent persisted stopped, adopt an unmanaged session, or bypass generation/ownership checks. ## Explicit hold FCM-M5-002 owns deterministic asset-drift checks, safe package/update refresh evidence, rolling local canary, independent validation certificate, and release evidence. Until that card lands, this page is an operational hold rather than an executable procedure: use the repository/release review path, preserve backups, and do not claim source/installed parity without exact revision evidence from the future validator. See [approved deferrals](../../reports/deferred/758-fleet-config-deferrals.md) and [backup/restore boundary](backup-restore.md).