Files
stack/docs/fleet/operations/upgrade-assets.md
Jarvis 0aee2c0981
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
docs(fleet): add operator configuration guide
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-16 09:27:43 -05:00

1.6 KiB

Upgrade and Installed-Asset Drift

Fleet source assets and installed assets can differ after an update, but FCM-M5-001 does not add a trustworthy source-versus-installed revision detector or refresh command. Do not infer freshness from checkout presence, timestamps, generated environment files, running sessions, or a ready migration preview.

Current safe boundary

  • The canonical roster remains authority and must survive package/framework refresh.
  • Generated projections are rebuilt from that roster after the installed contract is independently verified.
  • Operator roles.local, .env.local, and private quarantine evidence are not generated assets and must not be overwritten.
  • Baseline roles, schemas, examples, service presets, launcher helpers, and systemd templates must move as one reviewed release set.
  • Remote/connector inventory and mos-comms are not promoted into permanent architecture by an update.
  • No update may start an agent persisted stopped, adopt an unmanaged session, or bypass generation/ownership checks.

Explicit hold

FCM-M5-002 owns deterministic asset-drift checks, safe package/update refresh evidence, rolling local canary, independent validation certificate, and release evidence. Until that card lands, this page is an operational hold rather than an executable procedure: use the repository/release review path, preserve backups, and do not claim source/installed parity without exact revision evidence from the future validator.

See approved deferrals and backup/restore boundary.