Local checkout only
The current updater source strategy is the current source checkout with guarded local-prefix reinstall, not a remote update service.
Local Checkout, Closed Delivery, No Apply Authority
Latticra Panel has a local-checkout updater lane and a closed signed-delivery gate. The records describe missing manifest, signature, artifact, rollback, validation, receipt, and operator-confirmation evidence; they do not enable network self-update or signed update apply.
Current Rule
The implemented updater surface stays Panel-owned, local, and guarded: it uses the current reviewed checkout and local-prefix reinstall posture. The signed-updater gate stays closed until a future design has signed manifests, verified artifacts, channel policy, compatibility policy, rollback evidence, post-update validation, operator confirmation, and receipts.
Signed manifest, manifest signature verification, artifact hash verification, and artifact signature verification are required and currently absent.
Rollback plan, rollback evidence, post-update validation, operator confirmation, and update receipt writing are required before promotion.
Manifest and state fixtures are no-effect review inputs. They do not execute transitions, stage material, activate updates, or apply signatures.
Current Snapshot
These fields describe a denial boundary. They are not evidence of secure update delivery, trusted repository access, artifact verification, or production update readiness.
Delivery Gate
The gate prevents update wording from drifting from a local evidence lane into a production delivery claim. A future signed update path must prove trust, compatibility, rollback, validation, operator review, and receipt behavior before staging or apply can open.
Panel-owned updater, local-checkout source strategy, guarded local-prefix reinstall mode, closed delivery gate, denial transcript, manifest fixture, manifest fixture validation, state fixture, status records, and guard scripts.
Signed manifest, manifest signature verification, artifact hash verification, artifact signature verification, channel policy, compatibility policy, rollback plan, rollback evidence, post-update validation, operator confirmation, and update receipt writing.
Remote update repository trust, network fetch authority, staged update materialization, signed update apply, update activation, host mutation, root authority, system mutation, kernel mutation, systemd mutation, SELinux mutation, boot mutation, production update readiness, and production installer readiness.
No-Effect Fixtures
The signed-updater lane now has reviewable shapes for denial, manifest, validation, and state. Each remains stdout-only or fixture-only, with authority fields locked to zero.
The denial transcript records why signed update delivery is refused and performs no transcript file writes.
The local manifest fixture gives the gate a reviewable update-shaped record without trusting it for apply.
Manifest validation checks schema and closed-authority fields, not a real signed update or artifact chain.
The state fixture names future states while keeping current state blocked and transition execution disabled.
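The closed-authority check described above can be sketched in POSIX sh. This is an added illustration, not Latticra Panel's own scripts or schema. The key=value fixture format, the field names, and the rule that a fixture may only record evidence as absent are assumptions of this sketch.

```shell
#!/bin/sh
# Hypothetical field names and key=value format; not Latticra Panel's schema.
AUTHORITY_FIELDS="network_fetch stage apply activate host_mutation receipt_write"
EVIDENCE_FIELDS="signed_manifest manifest_signature artifact_hash artifact_signature rollback_evidence operator_confirmation"

# Print the value of KEY from key=value text (empty when the key is missing).
field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Validate a fixture as a closed-authority record. Findings go to stdout only:
# nothing is written, fetched, staged, or applied. Returns 0 only when the
# fixture is well formed and claims no authority. The gate stays closed either way.
validate_fixture() {
    fixture=$1
    rc=0
    for key in $AUTHORITY_FIELDS; do
        value=$(field "$fixture" "authority_$key")
        if [ "$value" != "0" ]; then
            echo "reject: authority_$key is '${value:-missing}', must be 0"
            rc=1
        fi
    done
    # Assumption: no verifier exists yet, so evidence may only be recorded as absent.
    for key in $EVIDENCE_FIELDS; do
        case $(field "$fixture" "evidence_$key") in
            absent) echo "deny: $key evidence absent" ;;
            *) echo "reject: evidence_$key must be recorded as absent"; rc=1 ;;
        esac
    done
    [ "$(field "$fixture" state)" = "blocked" ] || { echo "reject: state must be blocked"; rc=1; }
    echo "gate: closed"
    return "$rc"
}

# Constructed sample fixtures (not real Latticra records).
GOOD_FIXTURE=$(
    for k in $AUTHORITY_FIELDS; do echo "authority_$k=0"; done
    for k in $EVIDENCE_FIELDS; do echo "evidence_$k=absent"; done
    echo "state=blocked"
)
# Same record with one authority field flipped: validation must reject it.
BAD_FIXTURE=$(printf '%s\n' "$GOOD_FIXTURE" | sed 's/^authority_apply=0$/authority_apply=1/')

validate_fixture "$GOOD_FIXTURE"
validate_fixture "$BAD_FIXTURE" || echo "bad fixture rejected"
```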
Local Commands
These commands are deterministic local checks. They do not fetch from a network, trust a repository, verify production artifacts, stage updates, activate updates, mutate the host, or write update receipts.
sh scripts/test-latticra-panel-signed-updater-delivery-gate.sh
sh scripts/latticra-panel-signed-updater-delivery-gate.sh
sh scripts/test-latticra-panel-signed-updater-denial-transcript.sh
sh scripts/test-latticra-panel-signed-updater-manifest-fixture-validation.sh
sh scripts/test-latticra-panel-signed-updater-state-fixture-contract.sh
sh scripts/test-latticra-panel-updater.sh
Source Records