All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
19 lines
1.6 KiB
Markdown
19 lines
1.6 KiB
Markdown
# Upgrade and Installed-Asset Drift
|
|
|
|
Fleet source assets and installed assets can differ after an update, but FCM-M5-001 does not add a trustworthy source-versus-installed revision detector or refresh command. Do not infer freshness from checkout presence, timestamps, generated environment files, running sessions, or a ready migration preview.
|
|
|
|
## Current safe boundary
|
|
|
|
- The canonical roster remains authority and must survive package/framework refresh.
|
|
- Generated projections are rebuilt from that roster after the installed contract is independently verified.
|
|
- Operator `roles.local`, `.env.local`, and private quarantine evidence are not generated assets and must not be overwritten.
|
|
- Baseline roles, schemas, examples, service presets, launcher helpers, and systemd templates must move as one reviewed release set.
|
|
- Remote/connector inventory and `mos-comms` are not promoted into permanent architecture by an update.
|
|
- No update may start an agent persisted stopped, adopt an unmanaged session, or bypass generation/ownership checks.
|
|
|
|
## Explicit hold
|
|
|
|
FCM-M5-002 owns deterministic asset-drift checks, safe package/update refresh evidence, rolling local canary, independent validation certificate, and release evidence. Until that card lands, this page is an operational hold rather than an executable procedure: use the repository/release review path, preserve backups, and do not claim source/installed parity without exact revision evidence from the future validator.
|
|
|
|
See [approved deferrals](../../reports/deferred/758-fleet-config-deferrals.md) and [backup/restore boundary](backup-restore.md).
|