:PROPERTIES:
:ID:       29e4dbf3-cf19-589c-8b14-389e8a39d564
:END:
#+title: Upgrade and Distribution Lifecycle
#+filetags: :passepartout:economics:upgrade:distribution:ontology:

Once instances diverge in both code and knowledge, naive git pull breaks things. Passepartout's architecture already has the primitives for safe upgrades:

- **Ontology versioning:** every fact stores the ontology version at assertion. On upgrade, facts with old versions are flagged for re-verification.
- **Degradation, not crash:** if an upgrade breaks the fact store, the system degrades to the pre-macro state (hash-table fallback, text-scan fallback). Still works — just proves less.
- **Reversible upgrades (Phase 0 undo):** every upgrade produces a Merkle snapshot before applying.
- **Delta distribution:** upgrades delivered as diffs against the current ontology version. Migration script runs automatically.

**The upgrade is verified by the upgraded system before committing.** The distributor ships the new gate vector; ACL2 reports which rules are compatible and which need review. The operator reviews only the incompatible subset.

**Business model for upgrades:**
- Code upgrades: free (AGPL)
- Migration scripts: subscription. The verified migration path from current ontology version to new one.
- Domain knowledge package upgrades: subscription. When HIPAA updates, the healthcare package updates.
- Verification appliance firmware: bundled with hardware. Signed and verified against hardware root of trust.

See also: [[id:2f783eb4-638e-5afa-9b59-6224d086a712][Infrastructure lock-in]], [[id:84a537b4-4256-50c8-91f5-dd5b4538418f][Verification appliance]], [[id:c34940cc-090e-57c4-8020-e78b1d32b96c][Domain gate packages]]