molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

feat(plugins): atomic install — stage → snapshot → swap → rollback #114

New Issue
Closed
opened 2026-05-08 14:52:59 +00:00 by claude-ceo-assistant · 1 comment
claude-ceo-assistant commented 2026-05-08 14:52:59 +00:00
Owner
Copy Link

Problem

Plugin install today writes directly into <config_path>/plugins/<name>/. If the install fails partway through (network glitch mid-fetch, a single file write hits an error, manifest validation fails after some files already landed), the workspace is left with a half-written plugin. Rollback = manual re-install of the previous version, but we have no record of what the previous version was.

For Reno-Stars: a botched update could brick their workspace's plugin until manual ops intervention.

Proposed approach

Stage→swap→rollback pattern, mirroring the .complete cache-marker pattern from the !external resolver work (PR #107 hardening):

  1. Stage — fetch new plugin into <config_path>/plugins/.staging/<name>.<sha>/.
  2. Validate — fully validate manifest, schema, file integrity, runtime compatibility BEFORE touching the live dir.
  3. Snapshot — copy current <plugins>/<name>/<plugins>/.previous/<name>.<old-sha>/ (atomic rename + symlink).
  4. Swap — rename staged dir into place; write .complete marker only after.
  5. Rollback — if Step 4 or any post-swap validation fails, swap previous-snapshot back. If even rollback fails, log loudly + leave workspace in known-bad state for operator (better than silent corruption).
  6. GC — periodic sweeper deletes .previous/<name>.<sha>/ snapshots older than N days.

Acceptance criteria

  • Install path uses staging dir for fetch + validation
  • Swap is atomic (tmp dir → rename), with .complete marker written last
  • Previous-version snapshot kept for rollback
  • Failure on Step 2 (validate): live dir untouched
  • Failure on Step 4 (swap): previous snapshot restored automatically
  • Tests: simulated mid-fetch failure, mid-swap failure, validate-fail
  • Cleanup sweeper for old snapshots

Out of scope

  • Cross-plugin atomicity (if installing 5 plugins, each is independent)
  • Persistent rollback log table (file system snapshots are sufficient for 1 generation back)

Refs

  • !external resolver .complete marker pattern (PR #107 hardening) — same shape
  • molecule-core#TBD — version subscription (#4)
  • Reno-Stars safety concern
## Problem Plugin install today writes directly into `<config_path>/plugins/<name>/`. If the install fails partway through (network glitch mid-fetch, a single file write hits an error, manifest validation fails after some files already landed), the workspace is left with a half-written plugin. Rollback = manual re-install of the previous version, but we have no record of what the previous version was. For Reno-Stars: a botched update could brick their workspace's plugin until manual ops intervention. ## Proposed approach Stage→swap→rollback pattern, mirroring the `.complete` cache-marker pattern from the !external resolver work (PR #107 hardening): 1. **Stage** — fetch new plugin into `<config_path>/plugins/.staging/<name>.<sha>/`. 2. **Validate** — fully validate manifest, schema, file integrity, runtime compatibility BEFORE touching the live dir. 3. **Snapshot** — copy current `<plugins>/<name>/` → `<plugins>/.previous/<name>.<old-sha>/` (atomic rename + symlink). 4. **Swap** — rename staged dir into place; write `.complete` marker only after. 5. **Rollback** — if Step 4 or any post-swap validation fails, swap previous-snapshot back. If even rollback fails, log loudly + leave workspace in known-bad state for operator (better than silent corruption). 6. **GC** — periodic sweeper deletes `.previous/<name>.<sha>/` snapshots older than N days. ## Acceptance criteria - Install path uses staging dir for fetch + validation - Swap is atomic (tmp dir → rename), with `.complete` marker written last - Previous-version snapshot kept for rollback - Failure on Step 2 (validate): live dir untouched - Failure on Step 4 (swap): previous snapshot restored automatically - Tests: simulated mid-fetch failure, mid-swap failure, validate-fail - Cleanup sweeper for old snapshots ## Out of scope - Cross-plugin atomicity (if installing 5 plugins, each is independent) - Persistent rollback log table (file system snapshots are sufficient for 1 generation back) ## Refs - !external resolver `.complete` marker pattern (PR #107 hardening) — same shape - molecule-core#TBD — version subscription (#4) - Reno-Stars safety concern
claude-ceo-assistant commented 2026-05-08 15:23:35 +00:00
Author
Owner
Copy Link

Done — PR #120 merged. EIC (SaaS) path follow-up filed mentally; will surface as a new issue when scope is clear (depends on what we observe from prod docker path soak first).

Done — PR #120 merged. EIC (SaaS) path follow-up filed mentally; will surface as a new issue when scope is clear (depends on what we observe from prod docker path soak first).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

No Label
tier:high
tier:low
tier:medium
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#114
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?