Update System

The Cortex update system provides dual-mode updates (binary and source), SHA-256 verification, optional GPG signature validation, channel management, and atomic rollback support.

Architecture

┌──────────────────────────────────────────────────────────┐
│                    Update System                           │
│                                                           │
│  ┌──────────────────────────────────────────────────┐    │
│  │                    Channels                       │    │
│  │              stable ←→ pre                       │    │
│  └──────────────────────────────────────────────────┘    │
│                         │                                  │
│  ┌──────────────────────┼──────────────────────────┐    │
│  │                 Update Modes                     │    │
│  │                                                  │    │
│  │  Binary Mode          Source Mode                │    │
│  │  ┌──────────┐         ┌──────────────┐          │    │
│  │  │ Download │         │ Git pull     │          │    │
│  │  │ SHA-256  │         │ deno compile │          │    │
│  │  │ GPG sig  │         │ Install bin  │          │    │
│  │  │ Replace  │         └──────────────┘          │    │
│  │  └──────────┘                                    │    │
│  └──────────────────────────────────────────────────┘    │
│                         │                                  │
│  ┌──────────────────────┼──────────────────────────┐    │
│  │                  Rollback                        │    │
│  │        Previous binary → restore                 │    │
│  └──────────────────────────────────────────────────┘    │
└──────────────────────────────────────────────────────────┘

Update Modes

Binary Mode

Check GitHub releases for latest version
Download binary for platform and architecture
Verify SHA-256 checksum against release manifest
Optionally verify GPG signature (if gpgKeyPath configured)
Atomically replace current binary with new version
Archive previous binary for rollback

Source Mode

Pull latest source from git repository
Run deno compile to build new binary
Install binary to system path
No signature verification (source is self-built)

Channels

Channel	Description	Update Frequency
`stable`	Production-ready releases	Weekly/monthly
`pre`	Pre-release builds	Daily/as-needed

Configuration

{
  "update": {
    "channel": "stable",
    "checkOnStartup": true,
    "autoUpdate": false,
    "checkIntervalHours": 24,
    "githubToken": "ghp_...",
    "gpgKeyPath": "/path/to/gpg/key"
  }
}

Configuration Options

Option	Description	Default
`channel`	Update channel (`stable` or `pre`)	`stable`
`checkOnStartup`	Check for updates on cortex start	`true`
`autoUpdate`	Automatically apply updates	`false`
`checkIntervalHours`	Periodic check interval	`24`
`githubToken`	GitHub token for API rate limits	`""`
`gpgKeyPath`	Path to GPG key for signature verification	`""`

Verification

All updates include:

SHA-256: Checksum comparison against release manifest
GPG Signatures: Optional detached signature verification
Atomic Replacement: rename() ensures no partial updates
Rollback Safety: Previous binary preserved for --rollback