librelad aced021aea docs(distribution): fold design-panel refinements into the artifact spec
The four-lens design panel finished (marketplace-first ranked top) and
confirmed the format; graft in the strongest refinements it surfaced so
the spec is genuinely "done":

- Publishers MAP trust anchor: `publisher` is now a key into an index-root
  `publishers` map ({display, role, key}) the team-signed index vouches
  for, not an inline {name,trust}. An artifact's claimed trust is honored
  only if the publisher's role permits AND its sig verifies against that
  key — so a community key can never self-certify as official. This is the
  load-bearing trust mechanism for the marketplace seam.
- Two-tier reversibility: a per-op `undo` array (precise revert) plus the
  snapshot (dirty-op fallback).
- All-or-nothing dry-precheck-all before any snapshot; unknown op rejects
  the whole artifact at validation.
- Canonical-bytes signing rule (sign the exact artifact bytes, never
  re-serialize on the box) + warrant-canary countersigning index_serial.
- Op vocabulary grown to the full set (set-data-file as the bridge to
  bundles; set/unset-compose-env; ensure-compose-up/restart-service).
- Envelope gains version/supersedes/reversible + richer applies_when
  (image_match/requires/conflicts).
- CFG_HOTFIX_AUTO + staged rollout / randomized delay / recall-via-supersedes.
- Flag the VERIFIED existing bug: updaterRecordHistory silently skips the
  audit entry when jq is absent (cli_updater_commands.sh:154-168) — Phase 2
  must make it fail-closed; "nothing silent" depends on it.
- Phases re-sequenced (P2 heart, P3 auto-apply, P4 WebUI, P5 make_hotfix.sh,
  deferred registry).

Spec-only change — no code; the Phase 1 read primitive is unaffected (it's
a generic verified fetch; publisher/envelope internals are Phase 2).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-31 17:01:35 +01:00
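An added example (not code from this commit or the librelad project) of the Publishers MAP trust-anchor check the message describes, written in Go with stdlib ed25519; the struct field names, the `official`/`community` role vocabulary, the role-to-trust policy and the decoded-key representation are all assumptions, as is the choice to bundle the unknown-op rejection into the same validation pass.

```go
package main
import "crypto/ed25519"
import "errors"
// Publisher is one entry of the index-root `publishers` map ({display, role, key});
// field names and the role vocabulary here are assumptions, not the spec's own text.
type Publisher struct {
	Role string            // "official" or "community"
	Key  ed25519.PublicKey // decoded key the team-signed index vouches for
}
// Artifact is the received envelope; RawBytes are the exact signed bytes, which
// the canonical-bytes rule says to verify as-is, never after re-serializing.
type Artifact struct {
	Publisher string   // key into the publishers map
	Trust     string   // trust level the artifact claims
	Ops       []string // op names, checked against the known vocabulary
	RawBytes  []byte
	Sig       []byte
}
// roleAllows: trust levels each publisher role may claim (assumed policy).
var roleAllows = map[string]map[string]bool{
	"official":  {"official": true, "community": true},
	"community": {"community": true},
}
// knownOps is the op vocabulary the commit message names.
var knownOps = map[string]bool{"set-data-file": true, "set-compose-env": true,
	"unset-compose-env": true, "ensure-compose-up": true, "restart-service": true}

// Validate honors the claimed trust only if the publisher is in the index, the sig
// verifies against that key, AND the role permits the trust; unknown op rejects all.
func Validate(index map[string]Publisher, a Artifact) error {
	pub, ok := index[a.Publisher]
	if !ok {
		return errors.New("publisher not in index")
	}
	if len(pub.Key) != ed25519.PublicKeySize { // ed25519.Verify panics on bad length
		return errors.New("malformed publisher key in index")
	}
	if !ed25519.Verify(pub.Key, a.RawBytes, a.Sig) {
		return errors.New("signature does not verify against index key")
	}
	if !roleAllows[pub.Role][a.Trust] {
		return errors.New("publisher role may not claim this trust level")
	}
	for _, op := range a.Ops {
		if !knownOps[op] {
			return errors.New("unknown op: rejecting whole artifact")
		}
	}
	return nil
}
```

The check assumes the index itself was already verified against the team key before its `publishers` map is trusted; a community key that signs an artifact claiming `official` fails at the role check even though its signature is valid.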