hermes-brain/ideas/upgrade-lifecycle.org

Upgrade and Distribution Lifecycle

Once instances diverge in both code and knowledge, naive git pull breaks things. Passepartout's architecture already has the primitives for safe upgrades:

• Ontology versioning: every fact stores the ontology version at assertion. On upgrade, facts with old versions are flagged for re-verification.
• Degradation, not crash: if an upgrade breaks the fact store, the system degrades to the pre-macro state (hash-table fallback, text-scan fallback). Still works — just proves less.
• Reversible upgrades (Phase 0 undo): every upgrade produces a Merkle snapshot before applying.
• Delta distribution: upgrades delivered as diffs against the current ontology version. Migration script runs automatically.

The upgrade is verified by the upgraded system before committing. The distributor ships the new gate vector; ACL2 reports which rules are compatible and which need review. The operator reviews only the incompatible subset. This verified upgrade process creates infrastructure lock-in — switching costs are high when all knowledge is deeply coupled to the ontology version.

Business model for upgrades:

• Code upgrades: free (AGPL)
• Migration scripts: subscription. The verified migration path from current ontology version to new one.
• Domain knowledge package upgrades: subscription. When HIPAA updates, the healthcare package updates.
• Verification appliance firmware: bundled with hardware. Signed and verified against hardware root of trust.