How to update safely without risking production continuity.
Updates must never become a production outage.
Update artifacts are immutable.
Images and manifests are signed.
Updates are staged (ringed rollout).
Rollback is one action.
Canary station: one line, one shift.
Soak: 24-hour run with normal constraint events.
Expand: per-line rollout.
Site-wide: after acceptance gates pass.
Rollback is required if any of these happen:
sustained frame drops.
evidence gaps.
repeated service restarts.
new defect rate drift without process explanation.
We document behavior and gates here. Environment-specific OTA wiring is handled per site.
Last updated 1 month ago
