Update System

Made Open updates are delivered as signed JSON manifests and applied by pluggable runners (Docker Compose, Kubernetes/Helm, bare-source). Every update:

1. Verifies an Ed25519 signature on the manifest before trusting its contents.
2. Snapshots the database and volumes where the runner owns them.
3. Applies pinned image digests and runs migrations.
4. Health-checks the new hub for 60 seconds before admitting traffic.
5. Auto-rolls-back on health-check failure.

Every update is observable data: attempts land in the update_history table and emit platform.UpdateStarted|Completed|RolledBack events.

See the full design spec for the complete architecture, data model, and security model.