All eight prerequisite leaves are closed; the daemon-side feature is implemented and the cargo-install-over-public-HTTPS mechanism is verified end-to-end. Add the changelog fragment and drop the goal card's status/branch, noting the one remaining owner check: observing a real older->newer upgrade on the next release. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| title | modified | tags | requires |
|---|---|---|---|
| hephd self-update | 2026-06-04 | | |
hephd self-update
Implemented. An opt-in, default-off mode where hephd periodically polls the forge for a newer release and, when one exists, rebuilds via `cargo install` from the release tag and restarts itself onto the new binary — unattended. Enable on the managed service with `heph daemon start --self-update` (see run-the-daemon).

One remaining live check (owner): the install mechanism is verified end-to-end (anonymous public HTTPS `cargo install`), and the detection/apply logic is unit-tested, but a real older→newer upgrade can only be observed when the next release lands. Enable `--self-update` and confirm the upgrade then.
End state
- A new daemon flag (`--self-update`, default off) plus a poll interval. When off, behaviour is unchanged. See self-update-opt-in-flag.
- A background task (modelled on the existing spoke sync loop, `crates/hephd/src/server.rs` `spawn_sync_loop`) that on each tick fetches the latest release and compares it to `heph_core::VERSION`. See self-update-poll-loop and release-poll-version-check.
- On a newer release: run `cargo install --locked --git ssh://… --tag vX.Y.Z` for all workspace binaries (cargo-install-from-tag), then exit cleanly so the OS service manager respawns the new binary (self-restart-after-update, service-respawn-on-clean-exit).
- Running `cargo install` from inside the service requires the daemon's environment to have cargo + forge SSH access — the known blocker tracked in service-env-forge-access.
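
A sketch of the version check and install step from the list above, added here as an example and not taken from the hephd source. The names `parse_version`, `plan_update` and `FORGE_URL` are hypothetical, the URL is a placeholder, and it assumes `heph_core::VERSION` is a plain `X.Y.Z` string and release tags are exactly `vX.Y.Z`; package selection for the workspace binaries is left out.

```rust
use std::process::Command;

// Placeholder: the real forge URL is elided on the page.
const FORGE_URL: &str = "https://forge.example/org/repo.git";

/// Parse exactly "X.Y.Z" with ASCII-digit components. Rust's integer parser
/// also accepts a leading '+', so the digit check is done explicitly.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    fn component(p: Option<&str>) -> Option<u64> {
        let p = p?;
        if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        p.parse().ok() // overflow is rejected here
    }
    let mut parts = s.split('.');
    let v = (component(parts.next())?, component(parts.next())?, component(parts.next())?);
    if parts.next().is_some() { None } else { Some(v) }
}

/// Return the cargo invocation only when `latest_tag` is strictly newer than
/// `current`. Equal, older or malformed tags yield None, so the daemon never
/// downgrades and a forge-supplied string is never passed to cargo verbatim.
fn plan_update(current: &str, latest_tag: &str) -> Option<Command> {
    let cur = parse_version(current)?;
    let new = parse_version(latest_tag.strip_prefix('v')?)?;
    if new <= cur {
        return None; // tuple comparison is numeric: 0.10.0 > 0.9.3
    }
    let mut cmd = Command::new("cargo");
    cmd.args(["install", "--locked", "--git", FORGE_URL, "--tag"])
        // Rebuild the tag from parsed integers instead of reusing the input.
        .arg(format!("v{}.{}.{}", new.0, new.1, new.2));
    Some(cmd)
}

fn main() {
    // Constructed sample inputs.
    for tag in ["v0.10.0", "v0.9.3", "v0.9.2", "v1.0.0-rc1", "--config=x"] {
        match plan_update("0.9.3", tag) {
            Some(cmd) => println!("{}: update -> {:?}", tag, cmd),
            None => println!("{}: no action", tag),
        }
    }
}
```
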
Design decisions (owner)
- Default off, opt-in only. Never self-update silently by default.
- Delivery is `cargo install` from the tag for now (prebuilt release binaries are a possible future, pending a cargo/forge canonical-host fix).
- Hub can disappear at any moment — that resilience is the base case, not a special guard. The sync loop already tolerates an unreachable hub; we lock that in rather than add update-specific guards. See verify-hub-dropout-resilience.
Scope notes
Captured from task 01KTA2NSNRYT902HC3VRW00S1J in the Hephaestus project.
Possible later refinements (own cards if pursued): checksum/signature
verification of the built binary, prebuilt release-binary delivery, and a
notify-only sub-mode.