Sync wiki from project files

2026-07-07 11:33:47 +02:00
parent 0057fe9755
commit 3bc3f388c3
2 changed files with 23 additions and 12 deletions

@@ -1,4 +1,4 @@
<!-- codex-wiki-sync:09c0491dd182c85f3a2ff2a2 -->
<!-- codex-wiki-sync:d433db8d4ef5105a2d129c83 -->
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
> Origin: `repository`.
@@ -411,10 +411,11 @@ The package install-plan API records operator intent only:
after preflight passes, snapshots `pip freeze` and WebUI package files, writes
a run record under the runtime installer directory, and marks planned rows as
applied after success.
- `govoplan-module-installer --supervise --health-url http://127.0.0.1:8000/health --restart-command '<restart govoplan server>'`
is the preferred disruptive-change path. It applies the plan, runs the
restart command if provided, polls health, and automatically rolls packages
back from the run snapshot if commands, restart, or health recovery fail.
- `govoplan-module-installer --supervise --migrate --health-url http://127.0.0.1:8000/health --restart-command '<restart govoplan server>'`
is the preferred disruptive-change path. It applies the plan, optionally runs
migrations in a fresh Python process, runs the restart command if provided,
polls health, and automatically rolls packages back from the run snapshot if
commands, migrations, restart, or health recovery fail.
- `govoplan-module-installer --rollback <run-id>` restores the saved package
snapshots and reruns package installation from the previous freeze file.
@@ -437,6 +438,11 @@ request handler cannot reliably restart or roll back the process that is
currently executing the request. The admin UI therefore remains an operator
planning surface; the trusted daemon/CLI is the executor.
Automatic rollback covers Python and WebUI package state. It does not roll back
database migrations; production installs must take a database backup before
running `--migrate`, and module uninstall remains blocked until data and
migration-state retirement rules are satisfied.
The running FastAPI server still reports `package_mutation_supported=false`
because dependency-manager operations are not executed inside request handlers.
The trusted mutation boundary is the operator CLI. This keeps the interpreter,

@@ -1,4 +1,4 @@
<!-- codex-wiki-sync:f704473ca192138039ea485f -->
<!-- codex-wiki-sync:0894c1e07ab69fb1385a588d -->
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/RELEASE_DEPENDENCIES.md`.
> Origin: `repository`.
@@ -74,6 +74,7 @@ restart command and health endpoint:
```bash
govoplan-module-installer \
--supervise \
--migrate \
--build-webui \
--health-url http://127.0.0.1:8000/health \
--restart-command '<restart govoplan server>'
@@ -84,12 +85,16 @@ The installer uses a runtime lock, snapshots `pip freeze` plus WebUI
`runtime/module-installer/runs`, and marks planned rows as applied only after
all commands succeed.
Supervised mode treats package command failure, restart failure, and health
timeout as rollback triggers. It restores the Python/WebUI package snapshots,
re-runs the restart command when supplied, and restores the saved install plan
state so the operator can correct it. The supervisor must run outside the
FastAPI server process; the admin UI saves and validates plans but does not
mutate packages from an HTTP request.
Supervised mode treats package command failure, migration failure, restart
failure, and health timeout as rollback triggers. It restores the Python/WebUI
package snapshots, re-runs the restart command when supplied, and restores the
saved install plan state so the operator can correct it. The supervisor must
run outside the FastAPI server process; the admin UI saves and validates plans
but does not mutate packages from an HTTP request.
Package rollback is automatic. Database rollback is not automatic; take a
database backup before running migrations in production and restore that backup
if a migration must be reverted.
Rollback uses the saved run snapshot: