diff --git a/bayanat b/bayanat
index 378e143df..c5d350958 100755
--- a/bayanat
+++ b/bayanat
@@ -85,6 +85,469 @@ swap_symlink() {
     mv -Tf "$CURRENT_LINK.tmp" "$CURRENT_LINK"
 }
 
+# --- Snapshot helpers ---
+
+SNAPSHOT_RETENTION_DAYS="${BAYANAT_SNAPSHOT_RETENTION_DAYS:-30}"
+readonly SNAPSHOT_RETENTION_COUNT=5
+
+_pg_load() {
+    # Loads POSTGRES_* from shared/.env into the current shell env WITHOUT
+    # eval. Must be invoked inside a subshell so the exports do not leak.
+    #
+    # Why no eval: a malicious .env value (writable by the bayanat user)
+    # could smuggle shell commands that would run as root under `bayanat
+    # update`. `export "$key=$val"` treats $val as a literal string, no
+    # interpretation.
+    local env_file="$SHARED_DIR/.env"
+    [[ -f "$env_file" ]] || die "missing $env_file"
+    local key val
+    while IFS='=' read -r key val; do
+        case "$key" in
+            POSTGRES_HOST|POSTGRES_PORT|POSTGRES_USER|POSTGRES_PASSWORD|POSTGRES_DB)
+                # Strip matching surrounding quotes (common .env convention).
+                if [[ ${#val} -ge 2 ]]; then
+                    if [[ "${val:0:1}" == '"' && "${val: -1}" == '"' ]] \
+                        || [[ "${val:0:1}" == "'" && "${val: -1}" == "'" ]]; then
+                        val="${val:1:${#val}-2}"
+                    fi
+                fi
+                export "$key=$val"
+                ;;
+        esac
+    done < "$env_file"
+}
+
+snapshot_pg_dump() {
+    # $1 = previous tag, $2 = target tag
+    # Writes shared/backups/pre-<prev>-to-<target>-<ts>.dump via .partial rename.
+    # Mirrors enferno/utils/backup_utils.py:pg_dump logic: localhost + no
+    # password -> socket peer auth; else TCP with PGPASSWORD.
+    local prev="$1" target="$2"
+    local ts name partial final
+    ts=$(date -u +%Y%m%d-%H%M)
+    name="pre-${prev}-to-${target}-${ts}.dump"
+    partial="$SHARED_DIR/backups/${name}.partial"
+    final="$SHARED_DIR/backups/${name}"
+    # Log goes to stderr so `$(snapshot_pg_dump ...)` captures only the
+    # basename from the trailing `echo "$name"`.
+    log "Taking pre-update snapshot: $name" >&2
+    (
+        _pg_load
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" pg_dump -Fc -f "$partial" "$db"
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                pg_dump -Fc \
+                    -h "$host" \
+                    -p "${POSTGRES_PORT:-5432}" \
+                    -U "$user" \
+                    -f "$partial" \
+                    "$db"
+        fi
+    )
+    mv -Tf "$partial" "$final"
+    echo "$name"
+}
+
+prune_snapshots() {
+    # Keep last $SNAPSHOT_RETENTION_COUNT snapshots OR last
+    # $SNAPSHOT_RETENTION_DAYS days, whichever is greater.
+    local backups="$SHARED_DIR/backups"
+    [[ -d "$backups" ]] || return 0
+    # Sweep any leaked .partial snapshot files from interrupted dumps
+    rm -f "$backups"/*.dump.partial 2>/dev/null || true
+    local cutoff_epoch
+    cutoff_epoch=$(date -d "-${SNAPSHOT_RETENTION_DAYS} days" +%s 2>/dev/null \
+        || date -v-"${SNAPSHOT_RETENTION_DAYS}"d +%s)
+    local idx=0 name path mtime
+    while IFS= read -r path; do
+        idx=$((idx + 1))
+        name=$(basename "$path")
+        mtime=$(stat -c %Y "$path" 2>/dev/null || stat -f %m "$path")
+        if [[ "$idx" -le "$SNAPSHOT_RETENTION_COUNT" ]]; then
+            continue
+        fi
+        if [[ "$mtime" -lt "$cutoff_epoch" ]]; then
+            log "Pruning snapshot: $name"
+            rm -f "$path"
+        fi
+    done < <(ls -1t "$backups"/pre-*.dump 2>/dev/null || true)
+}
+
+list_snapshots() {
+    local backups="$SHARED_DIR/backups"
+    [[ -d "$backups" ]] || { echo "No snapshots directory."; return; }
+    printf '%-60s %10s %20s\n' "NAME" "SIZE" "AGE"
+    local name size mtime age
+    while IFS= read -r path; do
+        name=$(basename "$path")
+        size=$(du -h "$path" | cut -f1)
+        mtime=$(stat -c %Y "$path" 2>/dev/null || stat -f %m "$path")
+        age="$(( ($(date +%s) - mtime) / 3600 ))h"
+        printf '%-60s %10s %20s\n' "$name" "$size" "$age"
+    done < <(ls -1t "$backups"/pre-*.dump 2>/dev/null || true)
+}
+
+restore_pg() {
+    # $1 = snapshot basename (no path). Stops services, restores, starts services.
+    local name="$1"
+    local path="$SHARED_DIR/backups/$name"
+    [[ -f "$path" ]] || die "snapshot not found: $path"
+    log "Restoring $name (this will DROP and RECREATE tables)"
+    read -r -p "Type 'yes' to confirm: " reply
+    [[ "$reply" == "yes" ]] || die "aborted"
+    systemctl stop bayanat bayanat-celery
+    if ! (
+        _pg_load
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" pg_restore --clean --if-exists -d "$db" "$path"
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                pg_restore --clean --if-exists \
+                    -h "$host" \
+                    -p "${POSTGRES_PORT:-5432}" \
+                    -U "$user" \
+                    -d "$db" \
+                    "$path"
+        fi
+    ); then
+        systemctl start bayanat bayanat-celery
+        die "pg_restore failed; services restarted on existing DB"
+    fi
+    systemctl start bayanat bayanat-celery
+    log "Restore complete"
+}
+
+# --- Update state + lock ---
+
+readonly STATE_DIR="$BAYANAT_ROOT/state"
+readonly STATE_FILE="$STATE_DIR/update.json"
+readonly LOCK_FILE="$STATE_DIR/update.lock"
+
+_now_iso() { date -u +%Y-%m-%dT%H:%M:%SZ; }
+
+write_state() {
+    # write_state <phase> <phase_label>
+    # Reads STATE_TARGET / STATE_PREVIOUS / STATE_SNAPSHOT /
+    # STATE_STARTED_AT / STATE_PROGRESS / STATE_ERROR_JSON from environment.
+    local phase="$1" label="$2"
+    mkdir -p "$STATE_DIR"
+    chown "$APP_USER:$APP_USER" "$STATE_DIR" 2>/dev/null || true
+    local tmp="$STATE_FILE.tmp"
+    cat > "$tmp" <<EOF
+{
+  "phase": "$phase",
+  "phase_label": "$label",
+  "target": "${STATE_TARGET:-}",
+  "previous": "${STATE_PREVIOUS:-}",
+  "snapshot": "${STATE_SNAPSHOT:-}",
+  "started_at": "${STATE_STARTED_AT:-$(_now_iso)}",
+  "updated_at": "$(_now_iso)",
+  "progress_text": "${STATE_PROGRESS:-}",
+  "error": ${STATE_ERROR_JSON:-null},
+  "pid": $$,
+  "unit": "${BAYANAT_UPDATE_UNIT:-bayanat-update.service}"
+}
+EOF
+    mv -Tf "$tmp" "$STATE_FILE"
+    chown "$APP_USER:$APP_USER" "$STATE_FILE" 2>/dev/null || true
+}
+
+clear_state() {
+    rm -f "$STATE_FILE"
+}
+
+read_phase() {
+    [[ -f "$STATE_FILE" ]] || { echo IDLE; return; }
+    python3 -c "import json,sys; print(json.load(open('$STATE_FILE')).get('phase','IDLE'))" \
+        2>/dev/null || echo IDLE
+}
+
+read_field() {
+    # $1 = field name
+    [[ -f "$STATE_FILE" ]] || return 1
+    python3 -c "import json,sys; print(json.load(open('$STATE_FILE')).get('$1',''))" 2>/dev/null
+}
+
+acquire_lock() {
+    mkdir -p "$STATE_DIR"
+    if [[ -f "$LOCK_FILE" ]]; then
+        local pid
+        pid=$(cat "$LOCK_FILE" 2>/dev/null || echo 0)
+        if [[ "$pid" -gt 0 ]] && kill -0 "$pid" 2>/dev/null; then
+            die "another update is running (pid $pid)"
+        fi
+        log "Removing stale lock (pid $pid)"
+        rm -f "$LOCK_FILE"
+    fi
+    echo $$ > "$LOCK_FILE"
+    chown "$APP_USER:$APP_USER" "$LOCK_FILE" 2>/dev/null || true
+}
+
+release_lock() {
+    rm -f "$LOCK_FILE"
+}
+
+# --- Recovery dispatch ---
+
+recover_state() {
+    local phase
+    phase=$(read_phase)
+    case "$phase" in
+        IDLE)
+            return 0
+            ;;
+        PREPARE_DONE)
+            log "Recovery: PREPARE_DONE — cleaning partial release and clearing state"
+            local target
+            target=$(read_field target || true)
+            if [[ -n "$target" ]]; then
+                rm -rf "$RELEASES_DIR/$target.partial" "$RELEASES_DIR/$target"
+            fi
+            clear_state
+            release_lock
+            ;;
+        MIGRATE_DONE)
+            log "Recovery: MIGRATE_DONE — starting services on previous release"
+            systemctl start bayanat bayanat-celery
+            if _wait_healthy 60; then
+                log "Recovery OK; operator should re-run update to finish"
+                clear_state
+                release_lock
+            else
+                STATE_ERROR_JSON='"MIGRATE_DONE recovery: previous release unhealthy"'
+                write_state NEEDS_INTERVENTION "Services unhealthy after recovery; restore snapshot manually"
+                exit 2
+            fi
+            ;;
+        SWITCH_DONE)
+            log "Recovery: SWITCH_DONE — running code rollback"
+            rollback_code
+            ;;
+        SUCCESS|ROLLED_BACK)
+            clear_state
+            release_lock
+            ;;
+        NEEDS_INTERVENTION)
+            local snap prev
+            snap=$(read_field snapshot || true)
+            prev=$(read_field previous || true)
+            die "Operator intervention required. Snapshot: $snap  Previous tag: $prev  See: sudo -u $APP_USER bayanat snapshots"
+            ;;
+        MIGRATE|SWITCH|ROLLBACK)
+            log "Recovery: $phase — attempting to restart services"
+            systemctl start bayanat bayanat-celery 2>/dev/null || true
+            if _wait_healthy 60; then
+                warn "Services healthy but update was interrupted mid-$phase"
+                warn "DB schema state is uncertain; re-run 'bayanat update' to finish"
+                clear_state
+                release_lock
+            else
+                export STATE_ERROR_JSON="\"interrupted during $phase; services unhealthy\""
+                write_state NEEDS_INTERVENTION "Update interrupted mid-$phase; manual recovery required"
+                exit 2
+            fi
+            ;;
+        *)
+            warn "Unknown phase '$phase' — clearing and starting fresh"
+            clear_state
+            release_lock
+            ;;
+    esac
+}
+
+# --- Health probe ---
+
+_socket_health() {
+    # curl the Flask /health over the unix socket. Returns 0 on HTTP 200.
+    curl -s --unix-socket "$CURRENT_LINK/bayanat.sock" \
+        --max-time 3 -o /dev/null -w '%{http_code}' \
+        http://localhost/health 2>/dev/null | grep -q '^200$'
+}
+
+_db_ping() {
+    (
+        _pg_load
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" psql -d "$db" -c 'SELECT 1' -t >/dev/null 2>&1
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                psql -h "$host" -U "$user" -d "$db" \
+                     -c 'SELECT 1' -t >/dev/null 2>&1
+        fi
+    )
+}
+
+_redis_ping() {
+    redis-cli ping 2>/dev/null | grep -q '^PONG$'
+}
+
+_wait_healthy() {
+    # $1 = deadline in seconds (default 60)
+    local deadline=$(( $(date +%s) + ${1:-60} ))
+    while (( $(date +%s) < deadline )); do
+        if _socket_health && _db_ping && _redis_ping; then
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+
+# --- Update pipeline ---
+
+update_preflight() {
+    preflight_checks
+    _verify_service_health
+    command -v pg_dump >/dev/null || die "pg_dump not in PATH"
+    command -v pg_restore >/dev/null || die "pg_restore not in PATH"
+    # pg_dump major version must match Postgres server major version
+    local client_major server_major
+    client_major=$(pg_dump --version | awk '{print $3}' | cut -d. -f1)
+    server_major=$(
+        _pg_load
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" psql -d "$db" \
+                -c 'SHOW server_version_num' -t 2>/dev/null
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                psql -h "$host" -U "$user" -d "$db" \
+                     -c 'SHOW server_version_num' -t 2>/dev/null
+        fi | tr -d ' ' | cut -c1-2
+    )
+    [[ -n "$client_major" && -n "$server_major" ]] \
+        || die "could not determine pg_dump/server versions"
+    [[ "$client_major" == "$server_major" ]] \
+        || die "pg_dump major ($client_major) != server major ($server_major)"
+    # Disk in backups (need >= 2 GB for snapshot headroom)
+    local backups_free_kb
+    backups_free_kb=$(df --output=avail "$SHARED_DIR/backups" | tail -1 | tr -d ' ')
+    [[ "$backups_free_kb" -ge 2097152 ]] \
+        || die "need >= 2GB free in $SHARED_DIR/backups for snapshot"
+    # Schema aligned with models
+    flask_run "$(current_version)" check-db-alignment >/dev/null \
+        || die "schema drift detected; run 'flask check-db-alignment' for details"
+    # Flask doctor
+    flask_run "$(current_version)" doctor >/dev/null \
+        || die "flask doctor failed"
+}
+
+do_prepare() {
+    # $1 = target tag
+    local target="$1"
+    local current
+    current=$(current_version || echo 0)
+    [[ "$target" != "$current" ]] || die "already on $target"
+    log "PREPARE: fetching $target"
+    update_preflight
+    _clone_release "$target"
+    _install_deps "$target"
+    _link_shared "$target"
+    acquire_lock
+    export STATE_TARGET="$target"
+    export STATE_PREVIOUS="$current"
+    export STATE_STARTED_AT
+    STATE_STARTED_AT="$(_now_iso)"
+    export STATE_PROGRESS="Fetched $target, ready to migrate"
+    write_state PREPARE_DONE "Prepared $target, ready to migrate"
+}
+
+do_migrate() {
+    local target="$STATE_TARGET"
+    local prev="$STATE_PREVIOUS"
+    log "MIGRATE: stopping services"
+    export STATE_PROGRESS="Stopping services"
+    write_state MIGRATE "Stopping services for maintenance window"
+    systemctl stop bayanat bayanat-celery
+    log "MIGRATE: pruning old snapshots"
+    prune_snapshots
+    export STATE_PROGRESS="Taking pre-update snapshot"
+    write_state MIGRATE "Taking pre-update snapshot"
+    export STATE_SNAPSHOT
+    if ! STATE_SNAPSHOT=$(snapshot_pg_dump "$prev" "$target"); then
+        export STATE_ERROR_JSON='"snapshot failed"'
+        write_state NEEDS_INTERVENTION "Pre-update snapshot failed; check backups disk and pg_dump"
+        systemctl start bayanat bayanat-celery || true
+        release_lock
+        exit 2
+    fi
+    log "MIGRATE: running migrations"
+    export STATE_PROGRESS="Running migrations"
+    write_state MIGRATE "Running migrations"
+    if ! flask_run "$target" db upgrade; then
+        export STATE_ERROR_JSON='"db upgrade failed"'
+        write_state NEEDS_INTERVENTION "Migration failed; previous release remains linked"
+        systemctl start bayanat bayanat-celery || true
+        release_lock
+        exit 2
+    fi
+    export STATE_PROGRESS="Migration complete"
+    write_state MIGRATE_DONE "Migration complete, switching to new release"
+}
+
+do_switch_verify() {
+    local target="$STATE_TARGET"
+    export STATE_PROGRESS="Swapping to $target"
+    write_state SWITCH "Swapping current -> $target"
+    swap_symlink "$RELEASES_DIR/$target"
+    systemctl start bayanat bayanat-celery
+    write_state SWITCH_DONE "Verifying new release"
+    export STATE_PROGRESS="Waiting for health probe"
+    if _wait_healthy 60; then
+        # Refresh /usr/local/bin/bayanat from the now-active release so the
+        # system CLI stays in lockstep with the deployed code. Done AFTER the
+        # health probe so a bad release never overwrites a working CLI.
+        _install_self "$target"
+        export STATE_PROGRESS="Update successful"
+        write_state SUCCESS "Update to $target complete"
+        clear_state
+        release_lock
+        log "SUCCESS: running $target"
+        return 0
+    else
+        warn "Health probe failed; rolling back code"
+        rollback_code
+        return 1
+    fi
+}
+
+rollback_code() {
+    local prev="$STATE_PREVIOUS"
+    if [[ -z "$prev" ]]; then
+        export STATE_ERROR_JSON='"cannot roll back: no previous tag recorded"'
+        write_state NEEDS_INTERVENTION "Cannot roll back: no previous tag recorded"
+        exit 2
+    fi
+    write_state ROLLBACK "Reverting symlink to $prev"
+    systemctl stop bayanat bayanat-celery || true
+    swap_symlink "$RELEASES_DIR/$prev"
+    systemctl start bayanat bayanat-celery
+    if _wait_healthy 60; then
+        export STATE_PROGRESS="Rolled back to $prev"
+        write_state ROLLED_BACK "Rolled back to $prev; snapshot retained"
+        clear_state
+        release_lock
+        log "ROLLED_BACK: on $prev; snapshot: ${STATE_SNAPSHOT:-none}"
+        exit 1
+    else
+        export STATE_ERROR_JSON='"code rollback failed health probe"'
+        write_state NEEDS_INTERVENTION "Rollback to $prev unhealthy; restore snapshot ${STATE_SNAPSHOT:-} manually"
+        exit 2
+    fi
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {
@@ -170,7 +633,8 @@ _setup_database() {
 
 _create_directories() {
     mkdir -p "$RELEASES_DIR" "$SHARED_DIR/media" "$SHARED_DIR/backups" \
-             "$LOGS_DIR"
+             "$LOGS_DIR" "$STATE_DIR"
+    chown -R "$APP_USER:$APP_USER" "$STATE_DIR"
 }
 
 _clone_release() {
@@ -191,6 +655,7 @@ _clone_release() {
 
     log "Cloning $tag..."
     git clone --depth 1 --branch "$tag" "$GIT_URL" "$dest"
+    chown -R "$APP_USER:$APP_USER" "$dest"
 }
 
 _generate_env() {
@@ -215,6 +680,12 @@ FORCE_HTTPS=$force_https
 
 LOG_DIR=$LOGS_DIR
 BACKUPS_LOCAL_PATH=$SHARED_DIR/backups
+
+POSTGRES_HOST=localhost
+POSTGRES_PORT=5432
+POSTGRES_USER=$APP_USER
+POSTGRES_PASSWORD=
+POSTGRES_DB=$APP_USER
 EOF
 }
 
@@ -348,11 +819,41 @@ EOF
 
 _install_sudoers() {
     cat > /etc/sudoers.d/bayanat << 'EOF'
-bayanat ALL=(root) NOPASSWD: /usr/local/bin/bayanat update
+bayanat ALL=(root) NOPASSWD: /usr/local/sbin/bayanat-start-update
 bayanat ALL=(root) NOPASSWD: /usr/local/bin/bayanat status
+bayanat ALL=(root) NOPASSWD: /usr/local/bin/bayanat snapshots
 bayanat ALL=(root) NOPASSWD: /usr/bin/systemctl restart bayanat-celery
 EOF
     chmod 440 /etc/sudoers.d/bayanat
+    visudo -cf /etc/sudoers.d/bayanat >/dev/null || die "sudoers syntax invalid"
+}
+
+_install_update_wrapper() {
+    # Root-owned wrapper. Launches `bayanat update` as a transient systemd
+    # unit so the update outlives Flask restart, SSH disconnect, and
+    # browser close. Must be in sudoers at this exact path.
+    install -m 0755 -o root -g root /dev/stdin /usr/local/sbin/bayanat-start-update <<'EOF'
+#!/bin/bash
+# Installed root:root 0755 by `bayanat install`. Do not edit.
+set -euo pipefail
+exec /usr/bin/systemd-run \
+    --unit=bayanat-update \
+    --collect \
+    --property=Restart=no \
+    /usr/local/bin/bayanat update
+EOF
+}
+
+_install_self() {
+    # Copy the bayanat CLI from the given release directory to
+    # /usr/local/bin/bayanat. Source is $RELEASES_DIR/$tag/bayanat, NOT $0 —
+    # under `curl ... | sudo bash -s install`, $0 is "bash" and readlink
+    # resolves to the shell binary. $1 = tag.
+    local tag="${1:?_install_self requires a tag arg}"
+    local src="$RELEASES_DIR/$tag/bayanat"
+    [[ -f "$src" ]] || die "cannot find CLI source at $src"
+    install -m 0755 -o root -g root "$src" /usr/local/bin/bayanat
+    log "Installed CLI at /usr/local/bin/bayanat"
 }
 
 # --- Install ---
@@ -404,6 +905,8 @@ cmd_install() {
     _install_systemd
     _configure_caddy "$domain"
     _install_sudoers
+    _install_update_wrapper
+    _install_self "$tag"
 
     chown -R "$APP_USER:$APP_USER" "$BAYANAT_ROOT"
     systemctl daemon-reload
@@ -448,6 +951,44 @@ _verify_service_health() {
     warn "Application not responding on socket after $((retries * delay))s (may still be starting)"
 }
 
+# --- Update ---
+
+cmd_update() {
+    local flag="${1:-}"
+    case "$flag" in
+        --check)
+            local cur latest
+            cur=$(current_version || echo "not installed")
+            latest=$(latest_remote_tag)
+            echo "current: $cur"
+            echo "latest:  $latest"
+            if [[ "${cur#v}" == "${latest#v}" ]]; then
+                echo "up to date"
+            else
+                echo "update available"
+            fi
+            return 0
+            ;;
+        --recover)
+            require_root
+            recover_state
+            return 0
+            ;;
+    esac
+    require_root
+    recover_state
+    local target="${1:-}"
+    if [[ -z "$target" ]]; then
+        target=$(latest_remote_tag)
+    fi
+    # Keep $target verbatim. Tags and release dir names use the v-prefix form
+    # (e.g. v4.0.0), matching the installer's convention in _clone_release and
+    # _link_shared. Stripping is only for display / comparison.
+    do_prepare "$target"
+    do_migrate
+    do_switch_verify
+}
+
 # --- Status ---
 
 cmd_status() {
@@ -474,6 +1015,17 @@ cmd_status() {
     for svc in bayanat bayanat-celery caddy; do
         printf "  %-20s %s\n" "$svc" "$(systemctl is-active "$svc" 2>/dev/null || echo 'unknown')"
     done
+
+    echo ""
+    local phase
+    phase=$(read_phase)
+    echo "Update state: $phase"
+    if [[ "$phase" != "IDLE" ]]; then
+        echo "  target:     $(read_field target || echo '')"
+        echo "  previous:   $(read_field previous || echo '')"
+        echo "  snapshot:   $(read_field snapshot || echo '')"
+        echo "  updated_at: $(read_field updated_at || echo '')"
+    fi
 }
 
 # --- Usage ---
@@ -486,18 +1038,27 @@ Usage: bayanat <command> [options]
 
 Commands:
   install [domain]    Install Bayanat (default: localhost)
-  status              Show version and service status
+  update [<tag>]      Update Bayanat to <tag> (default: latest release)
+  update --check      Show current vs latest; no changes
+  update --recover    Recover from a stuck update state file
+  snapshots           List pre-update snapshots
+  restore <name>      Restore a pre-update snapshot (prompts confirmation)
+  status              Show version, services, and update state
 
 Environment:
-  BAYANAT_REPO        GitHub repo (default: sjacorg/bayanat)
+  BAYANAT_REPO                        GitHub repo (default: sjacorg/bayanat)
+  BAYANAT_SNAPSHOT_RETENTION_DAYS     Snapshot retention floor (default: 30)
 EOF
 }
 
 # --- Main ---
 
 case "${1:-}" in
-    install) shift; cmd_install "$@" ;;
-    status)  cmd_status ;;
+    install)    shift; cmd_install "$@" ;;
+    update)     shift; cmd_update "$@" ;;
+    snapshots)  require_root; list_snapshots ;;
+    restore)    require_root; [[ -n "${2:-}" ]] || die "usage: bayanat restore <snapshot-name>"; restore_pg "$2" ;;
+    status)     cmd_status ;;
     -h|--help|help) usage ;;
     *) usage; exit 1 ;;
 esac
diff --git a/docs/deployment/auto-update-runbook.md b/docs/deployment/auto-update-runbook.md
new file mode 100644
index 000000000..f6a598588
--- /dev/null
+++ b/docs/deployment/auto-update-runbook.md
@@ -0,0 +1,128 @@
+# Bayanat Auto-Update Runbook
+
+Short operator reference for the `bayanat update` flow. Design notes live
+in the development spec (not shipped with the repo).
+
+## Triggering an update
+
+- **One-click from UI:** an admin-role user clicks "Update now" from the
+  "Update available: X.Y.Z" banner in the nav bar.
+- **From the shell (as root):** `sudo bayanat update [<tag>]`
+  (defaults to the latest GitHub release). The CLI requires root to stop
+  / start services, write `/opt/bayanat`, and take snapshots.
+- **Check only (no changes, no root):** `sudo -u bayanat bayanat update --check`.
+
+The update runs as `bayanat-update.service`, a transient systemd unit
+that outlives Flask restarts, SSH disconnects, and browser closes. Tail
+live logs with:
+
+```
+sudo journalctl -u bayanat-update -f
+```
+
+## Opt-in auto-apply for patch releases
+
+In the admin UI under System Administration, toggle "Auto-apply patch
+releases" on. With the toggle on, any bump within the same minor line
+(e.g. `4.1.0` to `4.1.1`) installs silently every 6 hours via the same
+pipeline. Minor and major bumps (e.g. `4.1.x` to `4.2.0`) always notify
+and wait for a manual click.
+
+## Expected timing
+
+| Phase | Duration | Production impact |
+|---|---|---|
+| PREPARE (fetch + deps) | 1-5 min | None, old version serves traffic |
+| Stop services | ~3 s | 502 from Caddy begins |
+| Snapshot (`pg_dump -Fc`) | 10-60 s | 502 |
+| Migrate (`flask db upgrade`) | 1-30 s | 502 |
+| Swap + start services | ~5 s | 502 |
+| Verify (health probe) | 1-10 s | New version serving |
+| **Total visible downtime** | **~30-90 s** | |
+
+Caddy returns `502 Bad Gateway` during the maintenance window. Browsers
+retry automatically; partners see a brief "service unavailable" view.
+
+## If something goes wrong
+
+### Migration failed (Alembic transaction rolled back)
+
+Nothing to do. Services restart on the previous release automatically.
+The UI shows the `error` field. Report the broken release; the previous
+version keeps running.
+
+### Health probe failed after swap (auto-rollback succeeded)
+
+Nothing to do. The updater reverted the symlink and restarted on the
+previous release. The pre-update snapshot is retained at
+`/opt/bayanat/shared/backups/`.
+
+### NEEDS_INTERVENTION
+
+This state only happens when two independent failures compound: the new
+release was broken AND rolling back did not reach a healthy state. The
+maintenance flag stays up so users see a 502 instead of raw errors.
+Recover:
+
+```
+sudo -u bayanat bayanat status            # read-only; confirm state
+sudo bayanat snapshots                    # list snapshots (needs root)
+sudo bayanat restore pre-<ts>.dump        # restores DB (needs root)
+sudo systemctl start bayanat bayanat-celery
+```
+
+Then file a bug with journal logs from `journalctl -u bayanat-update`.
+
+### Stuck state (process died, state file orphaned)
+
+```
+sudo bayanat update --recover
+```
+
+## Snapshots
+
+- Location: `/opt/bayanat/shared/backups/pre-*.dump`
+- Format: `pg_dump -Fc` (PostgreSQL custom format)
+- Retention: last 5 snapshots OR last 30 days, whichever is greater
+- Override retention: `export BAYANAT_SNAPSHOT_RETENTION_DAYS=60`
+- List: `sudo bayanat snapshots` or visit `/admin/snapshots/` in the UI
+  (read-only)
+- Restore: `sudo bayanat restore <name>` (prompts for confirmation;
+  stops services; pipes through `pg_restore --clean --if-exists`;
+  restarts services). Requires root. Not available from the web UI by
+  design.
+
+## Files
+
+| Path | Purpose |
+|---|---|
+| `/usr/local/bin/bayanat` | The CLI script |
+| `/usr/local/sbin/bayanat-start-update` | Root wrapper the UI invokes via sudo |
+| `/etc/sudoers.d/bayanat` | Granted commands for the `bayanat` user |
+| `/opt/bayanat/state/update.json` | Current update state (sanitized JSON) |
+| `/opt/bayanat/state/update.lock` | PID lock file |
+| `/opt/bayanat/shared/backups/` | Pre-update snapshots |
+| `/health` (Flask endpoint) | 200 = DB + Redis reachable |
+
+## Admin UI surface
+
+- Nav-bar banner chip: shows when `latest != current`
+- Progress dialog: polls `/admin/api/updates/status` every 2 s during an
+  active update
+- Settings toggle: System Administration -> "Auto-apply patch releases"
+- Snapshots page: `/admin/snapshots/` (read-only list; restore stays on
+  the CLI)
+
+## Manual CLI reference
+
+Commands marked `(root)` require `sudo bayanat ...`; the others can run
+as the app user via `sudo -u bayanat bayanat ...`.
+
+```
+bayanat update [<tag>]       (root)  default: latest GitHub release
+bayanat update --check               show current vs latest; no changes
+bayanat update --recover     (root)  recover a stuck state file
+bayanat snapshots            (root)  list pre-update snapshots
+bayanat restore <name>       (root)  interactive restore from a snapshot
+bayanat status                       version + services + update state
+```
diff --git a/e2e-auto-update.sh b/e2e-auto-update.sh
new file mode 100755
index 000000000..8f9b3a5a0
--- /dev/null
+++ b/e2e-auto-update.sh
@@ -0,0 +1,229 @@
+#!/usr/bin/env bash
+#
+# End-to-end test for the `bayanat update` pipeline on a disposable
+# Hetzner VM. Provisions → installs → runs S1-S4 → teardown.
+#
+# Requires:
+#   - hcloud CLI authenticated to the right project (see `hcloud context list`)
+#   - ssh-agent loaded with the private key matching the registered hcloud key
+#   - a public test fork with tags v4.0.0 (baseline), v4.0.1 (additive),
+#     v4.0.2 (bad migration), v4.0.3 (/health 503 at runtime), v4.0.4 (recovery)
+#
+# Usage:
+#   ./e2e-auto-update.sh                    # full run: provision → S1-S4 → destroy
+#   KEEP_VM=1 ./e2e-auto-update.sh          # leave VM running at end
+#   VM_IP=1.2.3.4 ./e2e-auto-update.sh      # reuse an existing VM (skip provision)
+#   SCENARIOS="S1 S2" ./e2e-auto-update.sh  # run a subset
+#   TEST_FORK=you/yourfork ./e2e-auto-update.sh
+#
+set -euo pipefail
+
+# --- Config ---
+TEST_FORK="${TEST_FORK:-level09/bayanat-update-test}"
+SSH_KEY="${SSH_KEY:-level09@Black09}"
+SERVER_TYPE="${SERVER_TYPE:-cpx22}"
+LOCATION="${LOCATION:-nbg1}"
+SCENARIOS="${SCENARIOS:-S1 S2 S3 S4}"
+KEEP_VM="${KEEP_VM:-0}"
+VM_IP="${VM_IP:-}"
+SERVER_NAME=""
+
+SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5"
+
+log()  { printf '\n\033[1;34m[%s] %s\033[0m\n' "$(date +%H:%M:%S)" "$*"; }
+pass() { printf '\033[1;32m  ✓ %s\033[0m\n' "$*"; }
+fail() { printf '\033[1;31m  ✗ %s\033[0m\n' "$*" >&2; exit 1; }
+
+on_vm() { ssh $SSHOPTS "root@$VM_IP" "$@"; }
+
+# --- Prereqs ---
+command -v hcloud >/dev/null || { echo "hcloud CLI not found"; exit 2; }
+command -v gh >/dev/null || { echo "gh CLI not found (needed to rewrite tags)"; exit 2; }
+git ls-remote --tags "https://github.com/$TEST_FORK.git" >/dev/null \
+    || { echo "test fork $TEST_FORK not reachable"; exit 2; }
+
+# --- Tag ladder prep: hide upper tags so installer picks v4.0.0 ---
+stash_upper_tags() {
+    log "Hiding upper tags on $TEST_FORK so installer picks v4.0.0"
+    for t in v4.0.1 v4.0.2 v4.0.3 v4.0.4; do
+        gh api -X DELETE "repos/$TEST_FORK/git/refs/tags/$t" 2>&1 \
+            | grep -v '^$' | head -1 || true
+    done
+}
+
+restore_upper_tags() {
+    log "Restoring upper tags v4.0.1..v4.0.4"
+    # Must push via a configured remote (SSH auth), not an HTTPS URL.
+    for t in v4.0.1 v4.0.2 v4.0.3 v4.0.4; do
+        if ! git show-ref --tags --verify --quiet "refs/tags/$t"; then
+            echo "  LOCAL TAG MISSING: $t (run the rebase block in the README)"; continue
+        fi
+        git push test-fork "+refs/tags/$t:refs/tags/$t" 2>&1 | tail -1
+    done
+    # Sanity: confirm remote has them
+    local remote_tags
+    remote_tags=$(git ls-remote --tags test-fork | awk '{print $2}' | grep -E 'v4\.0\.[1-4]$' | wc -l | tr -d ' ')
+    [[ "$remote_tags" == "4" ]] || fail "expected 4 upper tags on remote, found $remote_tags"
+    pass "4 upper tags visible on remote"
+}
+
+# --- Provision ---
+provision() {
+    SERVER_NAME="bayanat-update-test-$(date +%Y%m%d-%H%M%S)"
+    log "Provisioning Hetzner VM $SERVER_NAME ($SERVER_TYPE in $LOCATION)"
+    VM_IP=$(hcloud server create \
+        --name "$SERVER_NAME" \
+        --type "$SERVER_TYPE" \
+        --image ubuntu-24.04 \
+        --ssh-key "$SSH_KEY" \
+        --location "$LOCATION" \
+        -o json | python3 -c 'import json,sys; print(json.load(sys.stdin)["server"]["public_net"]["ipv4"]["ip"])')
+    log "IP: $VM_IP"
+    log "Waiting for SSH..."
+    until on_vm 'true' 2>/dev/null; do sleep 3; done
+    pass "SSH ready"
+}
+
+teardown() {
+    if [[ "$KEEP_VM" == "1" ]]; then
+        log "KEEP_VM=1 — leaving $SERVER_NAME (IP $VM_IP) alive"
+        return
+    fi
+    if [[ -n "$SERVER_NAME" ]]; then
+        log "Destroying $SERVER_NAME"
+        hcloud server delete "$SERVER_NAME" >/dev/null
+        pass "destroyed"
+    fi
+}
+
+# --- Install ---
+install_baseline() {
+    log "Installing v4.0.0 via curl | sudo bash -s install (validates \$0-free install)"
+    on_vm 'echo "BAYANAT_REPO='"$TEST_FORK"'" >> /etc/environment'
+    on_vm 'curl -fsSL https://raw.githubusercontent.com/'"$TEST_FORK"'/v4.0.0/bayanat | BAYANAT_REPO='"$TEST_FORK"' sudo -E bash -s install localhost' \
+        >/tmp/e2e-install.log 2>&1 \
+        || { tail -30 /tmp/e2e-install.log; fail "install failed"; }
+    pass "install succeeded"
+
+    # Work around the SETUP_COMPLETE gating until that lands in installer
+    on_vm 'echo "BAYANAT_CONFIG_FILE=/opt/bayanat/shared/config.json" >> /opt/bayanat/shared/.env
+           echo "{\"SETUP_COMPLETE\": true}" > /opt/bayanat/shared/config.json
+           chown bayanat:bayanat /opt/bayanat/shared/config.json
+           systemctl restart bayanat bayanat-celery'
+    sleep 3
+
+    local health
+    health=$(on_vm 'curl -s --unix-socket /opt/bayanat/current/bayanat.sock http://localhost/health')
+    [[ "$health" == *'"status":"ok"'* ]] || fail "/health not ok: $health"
+    pass "/health OK: $health"
+
+    local cur
+    cur=$(on_vm 'bayanat status | grep "Current version" | awk "{print \$3}"')
+    [[ "$cur" == "v4.0.0" ]] || fail "expected v4.0.0, got $cur"
+    pass "installed version: $cur"
+}
+
+# --- Scenario helpers ---
+assert_version() {
+    local expected="$1"
+    local actual
+    actual=$(on_vm 'bayanat status | grep "Current version" | awk "{print \$3}"')
+    [[ "$actual" == "$expected" ]] || fail "expected version $expected, got $actual"
+    pass "version = $expected"
+}
+
+assert_state() {
+    local expected="$1"
+    local actual
+    actual=$(on_vm 'bayanat status | grep "Update state" | awk "{print \$3}"')
+    [[ "$actual" == "$expected" ]] || fail "expected state $expected, got $actual"
+    pass "update state = $expected"
+}
+
+assert_state_file_phase() {
+    local expected="$1"
+    local phase
+    phase=$(on_vm 'python3 -c "import json; print(json.load(open(\"/opt/bayanat/state/update.json\")).get(\"phase\",\"\"))"' 2>/dev/null || echo "")
+    [[ "$phase" == "$expected" ]] || fail "expected state file phase $expected, got '$phase'"
+    pass "state file phase = $expected"
+}
+
+assert_services_active() {
+    on_vm 'systemctl is-active --quiet bayanat bayanat-celery caddy' \
+        || fail "services not all active"
+    pass "services all active"
+}
+
+clear_state_file() {
+    on_vm 'rm -f /opt/bayanat/state/update.json /opt/bayanat/state/update.lock'
+}
+
+run_update() {
+    local tag="$1"
+    log "  -> bayanat update $tag"
+    on_vm 'sudo BAYANAT_REPO='"$TEST_FORK"' /usr/local/bin/bayanat update '"$tag" \
+        >/tmp/e2e-update.log 2>&1 || true   # we inspect state, exit code is scenario-dependent
+    tail -5 /tmp/e2e-update.log | sed 's/^/    /'
+}
+
+# --- Scenarios ---
+S1() {
+    log "S1: happy path v4.0.0 -> v4.0.1"
+    run_update v4.0.1
+    assert_version v4.0.1
+    assert_state IDLE
+    assert_services_active
+    on_vm 'sudo -u bayanat psql -d bayanat -c "\d bulletin" | grep -q auto_update_test' \
+        || fail "auto_update_test column missing"
+    pass "auto_update_test column present"
+}
+
+S2() {
+    log "S2: bad migration v4.0.1 -> v4.0.2 -> NEEDS_INTERVENTION"
+    run_update v4.0.2
+    assert_version v4.0.1
+    assert_state_file_phase NEEDS_INTERVENTION
+    assert_services_active
+    clear_state_file
+}
+
+S3() {
+    log "S3: bad /health v4.0.1 -> v4.0.3 -> ROLLED_BACK"
+    run_update v4.0.3
+    assert_version v4.0.1
+    assert_state IDLE
+    assert_services_active
+    local health
+    health=$(on_vm 'curl -s --unix-socket /opt/bayanat/current/bayanat.sock http://localhost/health')
+    [[ "$health" == *'"status":"ok"'* ]] || fail "/health not ok after rollback"
+    pass "/health back to OK after rollback"
+}
+
+S4() {
+    log "S4: recovery v4.0.1 -> v4.0.4"
+    run_update v4.0.4
+    assert_version v4.0.4
+    assert_state IDLE
+    assert_services_active
+    on_vm 'sudo -u bayanat psql -d bayanat -c "\d bulletin" | grep -q auto_update_recovery_test' \
+        || fail "auto_update_recovery_test column missing"
+    pass "auto_update_recovery_test column present"
+}
+
+# --- Main ---
+trap 'restore_upper_tags; teardown' EXIT
+
+if [[ -z "$VM_IP" ]]; then
+    stash_upper_tags
+    provision
+    install_baseline
+    restore_upper_tags
+else
+    log "Reusing existing VM at $VM_IP"
+fi
+
+for s in $SCENARIOS; do
+    "$s"
+done
+
+log "ALL PASSED"
diff --git a/enferno/admin/templates/admin/snapshots.html b/enferno/admin/templates/admin/snapshots.html
new file mode 100644
index 000000000..71d82847f
--- /dev/null
+++ b/enferno/admin/templates/admin/snapshots.html
@@ -0,0 +1,28 @@
+{% extends 'layout.html' %} {% block content %}
+
+    <v-main>
+        <v-container fluid>
+            <snapshots-list></snapshots-list>
+        </v-container>
+    </v-main>
+
+{% endblock %} {% block js %}
+    <script src="/static/js/components/SnapshotsList.js?v=1"></script>
+    <script nonce="{{ csp_nonce() }}">
+        const {createApp} = Vue;
+        const {createVuetify} = Vuetify;
+        const vuetify = createVuetify(vuetifyConfig);
+
+        const app = createApp({
+            delimiters: delimiters,
+            mixins: [globalMixin],
+            data: () => ({}),
+        });
+        app.component('SnapshotsList', SnapshotsList);
+        app.use(router).use(vuetify);
+        router.isReady().then(() => {
+            app.mount('#app');
+            window.app = app;
+        });
+    </script>
+{% endblock %}
diff --git a/enferno/admin/templates/nav-bar.html b/enferno/admin/templates/nav-bar.html
index 3a724aae3..a6be982fd 100644
--- a/enferno/admin/templates/nav-bar.html
+++ b/enferno/admin/templates/nav-bar.html
@@ -11,6 +11,8 @@
   <v-spacer></v-spacer>
 
   <template v-slot:append>
+    <update-banner @update-started="$refs.progressDialog && $refs.progressDialog.open()"></update-banner>
+    <update-progress-dialog ref="progressDialog"></update-progress-dialog>
     {% if config.OCR_PROVIDER == 'google_vision' %}
     <v-tooltip location="bottom">
       <template v-slot:activator="{ props }">
diff --git a/enferno/admin/validation/models.py b/enferno/admin/validation/models.py
index d67dabc44..65057f6e2 100644
--- a/enferno/admin/validation/models.py
+++ b/enferno/admin/validation/models.py
@@ -1902,6 +1902,7 @@ class FullConfigValidationModel(ConfigValidationModel):
     SECURITY_FRESHNESS: int = Field(gt=0)
     SECURITY_FRESHNESS_GRACE_PERIOD: int = Field(ge=0)
     DISABLE_MULTIPLE_SESSIONS: bool
+    AUTO_APPLY_PATCH_UPDATES: bool = False
     RECAPTCHA_ENABLED: bool
     RECAPTCHA_PUBLIC_KEY: Optional[str] = None
     RECAPTCHA_PRIVATE_KEY: Optional[str] = None
diff --git a/enferno/admin/views/system.py b/enferno/admin/views/system.py
index 5496f1db9..e6c146052 100644
--- a/enferno/admin/views/system.py
+++ b/enferno/admin/views/system.py
@@ -184,3 +184,122 @@ def get_data(table: str) -> list[dict[str, Any]] | list[dict[str, dict[str, Any
         return [{"en": item.title, "tr": item.title_tr or ""} for item in items]
 
     return None
+
+
+import json
+import subprocess
+from pathlib import Path
+
+from enferno.extensions import rds
+from enferno.tasks.maintenance import UPDATE_CACHE_KEY, _current_version
+
+UPDATE_STATE_FILE = "/opt/bayanat/state/update.json"
+TERMINAL_PHASES = {"SUCCESS", "ROLLED_BACK", "NEEDS_INTERVENTION", "IDLE"}
+
+
+def _idle_status(current):
+    return {
+        "phase": "IDLE",
+        "phase_label": "No update in progress",
+        "running": False,
+        "target": None,
+        "previous": None,
+        "snapshot": None,
+        "started_at": None,
+        "updated_at": None,
+        "progress_text": None,
+        "error": None,
+        "current": current,
+    }
+
+
+@admin.get("/api/updates/available")
+@roles_required("Admin")
+def api_updates_available() -> Response:
+    """Return the latest cached GitHub release info."""
+    raw = rds.get(UPDATE_CACHE_KEY)
+    cached = {}
+    if raw:
+        try:
+            cached = json.loads(raw.decode() if isinstance(raw, (bytes, bytearray)) else raw)
+        except Exception:
+            cached = {}
+    payload = {
+        "current": _current_version(),
+        "latest": cached.get("latest"),
+        "release_notes_url": cached.get("release_notes_url"),
+        "checked_at": cached.get("checked_at"),
+    }
+    return HTTPResponse.success(data=payload)
+
+
+@admin.post("/api/updates/start")
+@auth_required(within=15, grace=0)
+@roles_required("Admin")
+def api_updates_start() -> Response:
+    """Launch `bayanat update` out-of-process via the sudoers-granted wrapper.
+
+    Fresh-auth required (within 15 min) to limit stale-cookie exposure: a
+    compromised admin session cannot trigger a privileged update without a
+    recent password prompt.
+    """
+    try:
+        subprocess.run(
+            ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"],
+            check=True,
+            timeout=10,
+        )
+    except subprocess.TimeoutExpired:
+        return HTTPResponse.error("Update start timed out", status=504)
+    except subprocess.CalledProcessError as e:
+        return HTTPResponse.error(f"Failed to start update: {e}", status=500)
+    return HTTPResponse.success(data={"status": "started"})
+
+
+@admin.get("/snapshots/")
+@auth_required(within=15, grace=0)
+@roles_required("Admin")
+def snapshots_page() -> str:
+    """Render the snapshots list page."""
+    return render_template("admin/snapshots.html")
+
+
+@admin.get("/api/snapshots/")
+@roles_required("Admin")
+def api_snapshots() -> Response:
+    """List pre-update snapshots by shelling `bayanat snapshots`."""
+    try:
+        out = subprocess.run(
+            ["sudo", "-n", "/usr/local/bin/bayanat", "snapshots"],
+            check=True,
+            capture_output=True,
+            text=True,
+            timeout=5,
+        ).stdout
+    except subprocess.TimeoutExpired:
+        return HTTPResponse.error("Listing snapshots timed out", status=504)
+    except subprocess.CalledProcessError as e:
+        return HTTPResponse.error(f"Failed to list snapshots: {e}", status=500)
+    items = []
+    for line in out.strip().splitlines()[1:]:  # skip header row
+        parts = line.split()
+        if len(parts) >= 3:
+            items.append({"name": parts[0], "size": parts[1], "age": parts[2]})
+    return HTTPResponse.success(data=items)
+
+
+@admin.get("/api/updates/status")
+@roles_required("Admin")
+def api_updates_status() -> Response:
+    """Return the current update state (from the CLI-written JSON file)."""
+    current = _current_version()
+    path = Path(UPDATE_STATE_FILE)
+    if not path.exists():
+        return HTTPResponse.success(data=_idle_status(current))
+    try:
+        state = json.loads(path.read_text())
+    except Exception:
+        return HTTPResponse.success(data=_idle_status(current))
+    state["running"] = state.get("phase") not in TERMINAL_PHASES
+    state["current"] = current
+    return HTTPResponse.success(data=state)
diff --git a/enferno/public/views.py b/enferno/public/views.py
index 23cec85d8..5bee348a2 100755
--- a/enferno/public/views.py
+++ b/enferno/public/views.py
@@ -1,8 +1,12 @@
-from flask import request, redirect, Blueprint, send_from_directory, Response, jsonify
+import os
 from typing import Optional
-from enferno.utils.logging_utils import get_logger
-from enferno.extensions import db, limiter
+
+from flask import Blueprint, Response, jsonify, redirect, request, send_from_directory
 from flask_wtf.csrf import generate_csrf
+from sqlalchemy import text
+
+from enferno.extensions import db, limiter, rds
+from enferno.utils.logging_utils import get_logger
 
 bp_public = Blueprint("public", __name__, static_folder="../static")
 
@@ -29,6 +33,30 @@ def get_csrf_token() -> Response:
     return jsonify({"csrf_token": token})
 
 
+@bp_public.route("/health")
+@limiter.exempt
+def health() -> Response:
+    """Readiness probe used by the bayanat updater. Touches DB and Redis."""
+    try:
+        db.session.execute(text("SELECT 1"))
+        rds.ping()
+    except Exception:
+        logger.error("health check failed", exc_info=True)
+        return jsonify({"status": "error", "error": "Service unavailable"}), 503
+    version = os.environ.get("BAYANAT_VERSION") or _read_version_from_pyproject()
+    return jsonify({"status": "ok", "version": version})
+
+
+def _read_version_from_pyproject() -> Optional[str]:
+    try:
+        import tomllib
+
+        with open("pyproject.toml", "rb") as fh:
+            return tomllib.load(fh).get("project", {}).get("version")
+    except Exception:
+        return None
+
+
 @bp_public.teardown_app_request
 def shutdown_global_session(exception: Optional[Exception] = None) -> None:
     """Remove database session at the end of each request."""
diff --git a/enferno/settings.py b/enferno/settings.py
index 0cb2dca5e..f9db8f882 100644
--- a/enferno/settings.py
+++ b/enferno/settings.py
@@ -126,6 +126,10 @@ class Config(object):
     DISABLE_MULTIPLE_SESSIONS = manager.get_config("DISABLE_MULTIPLE_SESSIONS")
     SESSION_RETENTION_PERIOD = manager.get_config("SESSION_RETENTION_PERIOD")
 
+    # Auto-apply patch releases (e.g. 4.1.0 -> 4.1.1) in the background.
+    # Minor and major bumps always require manual approval regardless.
+    AUTO_APPLY_PATCH_UPDATES = manager.get_config("AUTO_APPLY_PATCH_UPDATES")
+
     # Recaptcha
     RECAPTCHA_ENABLED = manager.get_config("RECAPTCHA_ENABLED")
     RECAPTCHA_PUBLIC_KEY = manager.get_config("RECAPTCHA_PUBLIC_KEY")
@@ -607,6 +611,9 @@ class TestConfig:
     # Notifications
     NOTIFICATIONS = NOTIFICATIONS_DEFAULT_CONFIG
 
+    # Auto-update
+    AUTO_APPLY_PATCH_UPDATES = False
+
     # Dependencies (from dep_utils)
     HAS_WHISPER = dep_utils.has_whisper  # Use actual dependency detection
     HAS_TESSERACT = dep_utils.has_tesseract  # Use actual dependency detection
diff --git a/enferno/setup/views.py b/enferno/setup/views.py
index 295dc077c..1e1f8cbc5 100644
--- a/enferno/setup/views.py
+++ b/enferno/setup/views.py
@@ -4,7 +4,6 @@
     request,
     redirect,
     Blueprint,
-    send_from_directory,
     render_template,
     Response,
     current_app,
@@ -49,6 +48,7 @@ def handle_installation_check() -> Optional[Response]:
         "/api/complete-setup",
         "/admin/api/reload",
         "/fs-static",
+        "/health",
     ]
     login_flow_paths = [
         "/login",
@@ -101,7 +101,7 @@ def create_admin() -> Any:
             message="Admin user installed successfully",
             data={"item": new_admin.to_dict()},
         )
-    except Exception as e:
+    except Exception:
         db.session.rollback()
         return HTTPResponse.error("Failed to create admin user", status=500)
 
@@ -123,7 +123,7 @@ def import_data() -> Response:
     try:
         import_default_data()
         return HTTPResponse.success(message="Default data imported successfully")
-    except Exception as e:
+    except Exception:
         return HTTPResponse.error("Failed to import default data", status=500)
 
 
diff --git a/enferno/static/js/components/SnapshotsList.js b/enferno/static/js/components/SnapshotsList.js
new file mode 100644
index 000000000..e704c199c
--- /dev/null
+++ b/enferno/static/js/components/SnapshotsList.js
@@ -0,0 +1,50 @@
+const SnapshotsList = Vue.defineComponent({
+  data() {
+    return {
+      items: [],
+      loading: false,
+    };
+  },
+  mounted() {
+    this.load();
+  },
+  methods: {
+    async load() {
+      this.loading = true;
+      try {
+        const resp = await axios.get('/admin/api/snapshots/');
+        this.items = resp?.data?.data ?? [];
+      } catch (_e) {
+        this.items = [];
+      } finally {
+        this.loading = false;
+      }
+    },
+  },
+  template: `
+    <v-card>
+      <v-card-title>
+        Pre-update Snapshots
+        <v-spacer />
+        <v-btn icon="mdi-refresh" variant="text" @click="load" :loading="loading"></v-btn>
+      </v-card-title>
+      <v-card-text>
+        <v-alert type="info" variant="tonal" density="compact" class="mb-3">
+          Restore is CLI-only for safety. SSH to the server and run
+          <code>sudo bayanat restore &lt;name&gt;</code> (needs root; it stops
+          services, runs <code>pg_restore</code>, and starts services again).
+        </v-alert>
+        <v-data-table
+          :items="items"
+          :headers="[
+            { title: 'Name', key: 'name' },
+            { title: 'Size', key: 'size' },
+            { title: 'Age', key: 'age' }
+          ]"
+          :loading="loading"
+          no-data-text="No snapshots available yet."
+        ></v-data-table>
+      </v-card-text>
+    </v-card>
+  `,
+});
diff --git a/enferno/static/js/components/UpdateBanner.js b/enferno/static/js/components/UpdateBanner.js
new file mode 100644
index 000000000..983979de0
--- /dev/null
+++ b/enferno/static/js/components/UpdateBanner.js
@@ -0,0 +1,89 @@
+const UpdateBanner = Vue.defineComponent({
+  data() {
+    return {
+      current: null,
+      latest: null,
+      releaseNotesUrl: null,
+      dialog: false,
+      starting: false,
+    };
+  },
+  computed: {
+    hasUpdate() {
+      return !!(this.latest && this.current && this.latest !== this.current);
+    },
+  },
+  mounted() {
+    this.fetchAvailable();
+    this.pollTimer = setInterval(this.fetchAvailable, 6 * 60 * 60 * 1000);
+  },
+  beforeUnmount() {
+    if (this.pollTimer) clearInterval(this.pollTimer);
+  },
+  methods: {
+    async fetchAvailable() {
+      try {
+        const resp = await axios.get('/admin/api/updates/available');
+        const data = resp?.data?.data ?? {};
+        this.current = data.current ?? null;
+        this.latest = data.latest ?? null;
+        this.releaseNotesUrl = data.release_notes_url ?? null;
+      } catch (_e) {
+        // silent: background poll should never spam the UI
+      }
+    },
+    async startUpdate() {
+      this.starting = true;
+      try {
+        await axios.post('/admin/api/updates/start');
+        this.dialog = false;
+        this.$emit('update-started');
+      } catch (e) {
+        const msg = (e?.response?.data?.message) || 'Failed to start update';
+        if (this.$root && typeof this.$root.showSnack === 'function') {
+          this.$root.showSnack(msg, 'error');
+        } else {
+          console.error(msg);
+        }
+      } finally {
+        this.starting = false;
+      }
+    },
+  },
+  template: `
+    <v-chip
+      v-if="hasUpdate"
+      color="amber-accent-4"
+      variant="elevated"
+      prepend-icon="mdi-arrow-up-bold-circle"
+      @click="dialog = true"
+      class="ms-2 me-2"
+    >
+      Update available: {{ latest }}
+      <v-dialog v-model="dialog" max-width="520">
+        <v-card>
+          <v-card-title>Update Bayanat to {{ latest }}</v-card-title>
+          <v-card-text>
+            <p>Current: <strong>{{ current }}</strong></p>
+            <p>Target: <strong>{{ latest }}</strong></p>
+            <p v-if="releaseNotesUrl">
+              <a :href="releaseNotesUrl" target="_blank" rel="noopener">Release notes</a>
+            </p>
+            <v-alert type="info" variant="tonal" density="compact" class="mt-3">
+              The update will take about 60 seconds. The app will be briefly
+              unavailable. A pre-update database snapshot will be taken
+              automatically.
+            </v-alert>
+          </v-card-text>
+          <v-card-actions>
+            <v-spacer />
+            <v-btn variant="text" @click="dialog = false">Cancel</v-btn>
+            <v-btn color="primary" :loading="starting" @click="startUpdate">
+              Update now
+            </v-btn>
+          </v-card-actions>
+        </v-card>
+      </v-dialog>
+    </v-chip>
+  `,
+});
diff --git a/enferno/static/js/components/UpdateProgressDialog.js b/enferno/static/js/components/UpdateProgressDialog.js
new file mode 100644
index 000000000..590512612
--- /dev/null
+++ b/enferno/static/js/components/UpdateProgressDialog.js
@@ -0,0 +1,98 @@
+const UpdateProgressDialog = Vue.defineComponent({
+  data() {
+    return {
+      open_: false,
+      state: null,
+      timer: null,
+    };
+  },
+  methods: {
+    open() {
+      this.open_ = true;
+      this.poll();
+    },
+    close() {
+      this.open_ = false;
+      if (this.timer) {
+        clearInterval(this.timer);
+        this.timer = null;
+      }
+    },
+    async poll() {
+      await this.fetchState();
+      if (this.timer) clearInterval(this.timer);
+      this.timer = setInterval(this.fetchState, 2000);
+    },
+    async fetchState() {
+      try {
+        const resp = await axios.get('/admin/api/updates/status');
+        const data = resp?.data?.data ?? {};
+        this.state = data;
+        if (!data.running) {
+          if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+          }
+        }
+      } catch (_e) {
+        // tolerate transient errors; dialog stays visible
+      }
+    },
+    phaseColor() {
+      const phase = (this.state && this.state.phase) || 'IDLE';
+      if (phase === 'SUCCESS') return 'success';
+      if (phase === 'ROLLED_BACK') return 'warning';
+      if (phase === 'NEEDS_INTERVENTION') return 'error';
+      return 'primary';
+    },
+  },
+  beforeUnmount() {
+    if (this.timer) clearInterval(this.timer);
+  },
+  template: `
+    <v-dialog v-model="open_" max-width="520" persistent>
+      <v-card v-if="state">
+        <v-card-title>
+          <v-icon :color="phaseColor()" class="me-2">mdi-autorenew</v-icon>
+          {{ state.phase_label || state.phase }}
+        </v-card-title>
+        <v-card-text>
+          <p v-if="state.target"><strong>Target:</strong> {{ state.target }}</p>
+          <p v-if="state.previous"><strong>Previous:</strong> {{ state.previous }}</p>
+          <v-progress-linear
+            v-if="state.running"
+            indeterminate
+            :color="phaseColor()"
+            class="my-3"
+          />
+          <p v-if="state.progress_text" class="text-body-2">
+            {{ state.progress_text }}
+          </p>
+          <v-alert
+            v-if="state.error"
+            type="error"
+            variant="tonal"
+            density="compact"
+            class="mt-2"
+          >
+            {{ state.error }}
+          </v-alert>
+          <v-alert
+            v-if="state.phase === 'NEEDS_INTERVENTION'"
+            type="error"
+            variant="tonal"
+            class="mt-2"
+          >
+            Operator intervention required. Snapshot:
+            <code>{{ state.snapshot }}</code>. See the update runbook for
+            recovery steps.
+          </v-alert>
+        </v-card-text>
+        <v-card-actions>
+          <v-spacer />
+          <v-btn @click="close" :disabled="state.running">Close</v-btn>
+        </v-card-actions>
+      </v-card>
+    </v-dialog>
+  `,
+});
diff --git a/enferno/static/js/mixins/global-mixin.js b/enferno/static/js/mixins/global-mixin.js
index 622715595..d203bd4e8 100644
--- a/enferno/static/js/mixins/global-mixin.js
+++ b/enferno/static/js/mixins/global-mixin.js
@@ -4,6 +4,8 @@ const globalMixin = {
     'ConfirmDialog': ConfirmDialog,
     'Toast': Toast,
     'ProfileDropdown': ProfileDropdown,
+    'UpdateBanner': UpdateBanner,
+    'UpdateProgressDialog': UpdateProgressDialog,
   },
   data: () => ({
     snackbar: false,
diff --git a/enferno/tasks/__init__.py b/enferno/tasks/__init__.py
index e96e07b13..b7a7bd309 100644
--- a/enferno/tasks/__init__.py
+++ b/enferno/tasks/__init__.py
@@ -140,6 +140,16 @@ def setup_periodic_tasks(sender: Any, **kwargs: dict[str, Any]) -> None:
             f"Backup periodic task is set up. Backups will run at 3:00 every {cfg.BACKUP_INTERVAL} day(s)."
         )
 
+    # Update-check periodic task (every 6 hours)
+    from enferno.tasks.maintenance import check_for_updates
+
+    sender.add_periodic_task(
+        6 * 60 * 60,
+        check_for_updates.s(),
+        name="Check for Updates",
+    )
+    logger.info("Update-check periodic task is set up (every 6h).")
+
     # session cleanup task
     sender.add_periodic_task(24 * 60 * 60, session_cleanup.s(), name="Session Cleanup Cron")
 
@@ -175,6 +185,7 @@ def setup_periodic_tasks(sender: Any, **kwargs: dict[str, Any]) -> None:
 from enferno.tasks.graph import generate_graph  # noqa: E402
 from enferno.tasks.maintenance import (  # noqa: E402
     activity_cleanup_cron,
+    check_for_updates,
     daily_backup_cron,
     regenerate_locations,
     reload_app,
@@ -224,6 +235,7 @@ def setup_periodic_tasks(sender: Any, **kwargs: dict[str, Any]) -> None:
     "generate_graph",
     # maintenance
     "activity_cleanup_cron",
+    "check_for_updates",
     "daily_backup_cron",
     "regenerate_locations",
     "reload_app",
diff --git a/enferno/tasks/maintenance.py b/enferno/tasks/maintenance.py
index c3f512085..26da251e8 100644
--- a/enferno/tasks/maintenance.py
+++ b/enferno/tasks/maintenance.py
@@ -1,8 +1,15 @@
 # -*- coding: utf-8 -*-
+import json
 import os
-from datetime import date, timedelta
+import subprocess
+from datetime import date, datetime, timedelta, timezone
 
+import requests
+from packaging.version import Version
+
+from enferno.admin.constants import Constants
 from enferno.admin.models import Activity, Location
+from enferno.admin.models.Notification import Notification
 from enferno.extensions import db, rds
 from enferno.tasks import celery, cfg
 from enferno.user.models import Session
@@ -12,6 +19,96 @@
 
 logger = get_logger("celery.tasks.maintenance")
 
+GITHUB_LATEST_URL = "https://api.github.com/repos/sjacorg/bayanat/releases/latest"
+UPDATE_CACHE_KEY = "bayanat:update:available"
+UPDATE_NOTIFIED_KEY = "bayanat:update:available:notified"
+
+
+def _strip_v(tag: str) -> str:
+    return tag[1:] if tag.startswith("v") else tag
+
+
+def _redis_get_str(key: str):
+    val = rds.get(key)
+    if val is None:
+        return None
+    return val.decode() if isinstance(val, (bytes, bytearray)) else val
+
+
+def _current_version() -> str:
+    try:
+        import tomllib
+
+        with open("pyproject.toml", "rb") as fh:
+            return tomllib.load(fh).get("project", {}).get("version", "0.0.0")
+    except Exception:
+        return "0.0.0"
+
+
+def _is_patch_bump(current: str, target: str) -> bool:
+    try:
+        c, t = Version(current), Version(target)
+    except Exception:
+        return False
+    if t <= c:
+        return False
+    return c.major == t.major and c.minor == t.minor
+
+
+@celery.task
+def check_for_updates():
+    """Poll GitHub releases. Cache latest. Notify admins on new tag. Optionally auto-apply patch."""
+    try:
+        resp = requests.get(GITHUB_LATEST_URL, timeout=10)
+        resp.raise_for_status()
+        release = resp.json()
+    except Exception as e:
+        logger.warning(f"update check failed: {e}")
+        return
+
+    latest_tag = _strip_v(release.get("tag_name", ""))
+    if not latest_tag:
+        return
+
+    rds.set(
+        UPDATE_CACHE_KEY,
+        json.dumps(
+            {
+                "latest": latest_tag,
+                "release_notes_url": release.get("html_url"),
+                "checked_at": datetime.now(timezone.utc).isoformat(),
+            }
+        ),
+    )
+
+    current = _current_version()
+    if latest_tag == current:
+        return
+    if _redis_get_str(UPDATE_NOTIFIED_KEY) == latest_tag:
+        return
+
+    auto_apply = bool(getattr(cfg, "AUTO_APPLY_PATCH_UPDATES", False))
+
+    if auto_apply and _is_patch_bump(current, latest_tag):
+        logger.info(f"auto-applying patch update {current} -> {latest_tag}")
+        try:
+            subprocess.run(
+                ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"],
+                check=True,
+                timeout=10,
+            )
+            rds.set(UPDATE_NOTIFIED_KEY, latest_tag)
+            return
+        except Exception as e:
+            logger.warning(f"auto-apply failed, falling back to notification: {e}")
+
+    Notification.create_for_admins(
+        title=f"Update available: {latest_tag}",
+        message=f"A new Bayanat release is available. {release.get('html_url', '')}",
+        category=Constants.NotificationCategories.UPDATE.value,
+    )
+    rds.set(UPDATE_NOTIFIED_KEY, latest_tag)
+
 
 @celery.task
 def activity_cleanup_cron() -> None:
diff --git a/enferno/templates/layout.html b/enferno/templates/layout.html
index 8df04455f..e701bb1d5 100644
--- a/enferno/templates/layout.html
+++ b/enferno/templates/layout.html
@@ -133,6 +133,8 @@
     {%  include 'admin/jsapi.jinja2' %}
 </script>
 <script src="/static/js/components/ProfileDropdown.js"></script>
+<script src="/static/js/components/UpdateBanner.js"></script>
+<script src="/static/js/components/UpdateProgressDialog.js"></script>
 <script src="/static/js/components/NotificationsList.js"></script>
 <script src="/static/js/components/ConfirmDialog.js"></script>
 <script src="/static/js/components/Toast.js"></script>
diff --git a/enferno/utils/config_utils.py b/enferno/utils/config_utils.py
index 7e40a505d..4b999dce6 100644
--- a/enferno/utils/config_utils.py
+++ b/enferno/utils/config_utils.py
@@ -166,6 +166,7 @@ class ConfigManager:
                 "twitter.com",
             ],
             "YTDLP_COOKIES": "",
+            "AUTO_APPLY_PATCH_UPDATES": False,
             "NOTIFICATIONS": NOTIFICATIONS_DEFAULT_CONFIG,  # Import from notification_config.py
         }
     )
@@ -240,6 +241,7 @@ class ConfigManager:
             "YTDLP_PROXY": "Proxy URL to use with Web Import",
             "YTDLP_ALLOWED_DOMAINS": "Allowed Domains for Web Import",
             "YTDLP_COOKIES": "Cookies to use with Web Import",
+            "AUTO_APPLY_PATCH_UPDATES": "Auto-apply patch releases",
             "NOTIFICATIONS": "Notifications",
         }
     )
@@ -287,6 +289,7 @@ def serialize():
             "SECURITY_ZXCVBN_MINIMUM_SCORE": cfg.SECURITY_ZXCVBN_MINIMUM_SCORE,
             "DISABLE_MULTIPLE_SESSIONS": cfg.DISABLE_MULTIPLE_SESSIONS,
             "SESSION_RETENTION_PERIOD": cfg.SESSION_RETENTION_PERIOD,
+            "AUTO_APPLY_PATCH_UPDATES": cfg.AUTO_APPLY_PATCH_UPDATES,
             "RECAPTCHA_ENABLED": cfg.RECAPTCHA_ENABLED,
             "RECAPTCHA_PUBLIC_KEY": cfg.RECAPTCHA_PUBLIC_KEY,
             "RECAPTCHA_PRIVATE_KEY": ConfigManager.MASK_STRING if cfg.RECAPTCHA_PRIVATE_KEY else "",
diff --git a/tests/test_health.py b/tests/test_health.py
new file mode 100644
index 000000000..20121b8ec
--- /dev/null
+++ b/tests/test_health.py
@@ -0,0 +1,13 @@
+def test_health_returns_ok(anonymous_client):
+    resp = anonymous_client.get("/health")
+    assert resp.status_code == 200
+    data = resp.get_json()
+    assert data["status"] == "ok"
+    assert "version" in data
+
+
+def test_health_is_exempt_from_rate_limit(anonymous_client):
+    # 20 rapid requests should all succeed (limiter.exempt).
+    for _ in range(20):
+        resp = anonymous_client.get("/health")
+        assert resp.status_code == 200
diff --git a/tests/test_update_check.py b/tests/test_update_check.py
new file mode 100644
index 000000000..f0b12a9aa
--- /dev/null
+++ b/tests/test_update_check.py
@@ -0,0 +1,96 @@
+from unittest.mock import MagicMock, patch
+
+from enferno.tasks.maintenance import _strip_v, _is_patch_bump
+
+
+def test_strip_v_prefix():
+    assert _strip_v("v4.1.0") == "4.1.0"
+    assert _strip_v("4.1.0") == "4.1.0"
+    assert _strip_v("") == ""
+
+
+def test_is_patch_bump_true():
+    assert _is_patch_bump("4.1.0", "4.1.1") is True
+    assert _is_patch_bump("4.1.2", "4.1.10") is True
+
+
+def test_is_patch_bump_false_for_minor():
+    assert _is_patch_bump("4.1.0", "4.2.0") is False
+
+
+def test_is_patch_bump_false_for_major():
+    assert _is_patch_bump("4.1.0", "5.0.0") is False
+
+
+def test_is_patch_bump_false_for_same():
+    assert _is_patch_bump("4.1.0", "4.1.0") is False
+
+
+def test_is_patch_bump_false_for_downgrade():
+    assert _is_patch_bump("4.1.5", "4.1.3") is False
+
+
+def _github_response(tag):
+    return MagicMock(
+        raise_for_status=lambda: None,
+        json=lambda: {"tag_name": tag, "html_url": f"https://example/tag/{tag}"},
+    )
+
+
+def test_auto_apply_patch_triggers_wrapper_when_flag_on():
+    from enferno.tasks import maintenance
+
+    fake_redis = MagicMock()
+    fake_redis.get.return_value = None  # nothing notified yet
+    with (
+        patch.object(maintenance, "cfg", MagicMock(AUTO_APPLY_PATCH_UPDATES=True)),
+        patch.object(maintenance, "requests") as req,
+        patch.object(maintenance, "rds", fake_redis),
+        patch.object(maintenance, "subprocess") as sp,
+        patch.object(maintenance, "_current_version", return_value="4.1.0"),
+        patch.object(maintenance, "Notification") as notif,
+    ):
+        req.get.return_value = _github_response("v4.1.1")
+        maintenance.check_for_updates.run()
+        sp.run.assert_called_once()
+        args = sp.run.call_args.args[0]
+        assert args == ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"]
+        notif.create_for_admins.assert_not_called()
+
+
+def test_auto_apply_off_falls_back_to_notification():
+    from enferno.tasks import maintenance
+
+    fake_redis = MagicMock()
+    fake_redis.get.return_value = None
+    with (
+        patch.object(maintenance, "cfg", MagicMock(AUTO_APPLY_PATCH_UPDATES=False)),
+        patch.object(maintenance, "requests") as req,
+        patch.object(maintenance, "rds", fake_redis),
+        patch.object(maintenance, "subprocess") as sp,
+        patch.object(maintenance, "_current_version", return_value="4.1.0"),
+        patch.object(maintenance, "Notification") as notif,
+    ):
+        req.get.return_value = _github_response("v4.1.1")
+        maintenance.check_for_updates.run()
+        sp.run.assert_not_called()
+        notif.create_for_admins.assert_called_once()
+
+
+def test_auto_apply_on_but_minor_bump_still_notifies():
+    from enferno.tasks import maintenance
+
+    fake_redis = MagicMock()
+    fake_redis.get.return_value = None
+    with (
+        patch.object(maintenance, "cfg", MagicMock(AUTO_APPLY_PATCH_UPDATES=True)),
+        patch.object(maintenance, "requests") as req,
+        patch.object(maintenance, "rds", fake_redis),
+        patch.object(maintenance, "subprocess") as sp,
+        patch.object(maintenance, "_current_version", return_value="4.1.0"),
+        patch.object(maintenance, "Notification") as notif,
+    ):
+        req.get.return_value = _github_response("v4.2.0")
+        maintenance.check_for_updates.run()
+        sp.run.assert_not_called()
+        notif.create_for_admins.assert_called_once()
diff --git a/tests/test_update_endpoints.py b/tests/test_update_endpoints.py
new file mode 100644
index 000000000..5f71d849a
--- /dev/null
+++ b/tests/test_update_endpoints.py
@@ -0,0 +1,99 @@
+import json
+import time
+from unittest.mock import patch
+
+
+def _fresh_session(client):
+    """Mark the test-client session as freshly authenticated so
+    `@auth_required(within=15)` passes. Flask-Security stores the primary
+    auth timestamp in session key 'fs_paa'.
+    """
+    with client.session_transaction() as sess:
+        sess["fs_paa"] = time.time()
+
+
+def test_available_returns_cached(admin_client):
+    from enferno.extensions import rds
+
+    rds.set(
+        "bayanat:update:available",
+        json.dumps(
+            {
+                "latest": "4.1.1",
+                "release_notes_url": "https://example.com",
+                "checked_at": "2026-04-16T00:00:00+00:00",
+            }
+        ),
+    )
+    resp = admin_client.get("/admin/api/updates/available")
+    assert resp.status_code == 200
+    data = resp.get_json()["data"]
+    assert data["latest"] == "4.1.1"
+    assert data["release_notes_url"] == "https://example.com"
+
+
+def test_available_returns_empty_when_no_cache(admin_client):
+    from enferno.extensions import rds
+
+    rds.delete("bayanat:update:available")
+    resp = admin_client.get("/admin/api/updates/available")
+    assert resp.status_code == 200
+    data = resp.get_json()["data"]
+    assert data["latest"] is None
+
+
+def test_status_idle_when_no_state_file(admin_client, tmp_path, monkeypatch):
+    monkeypatch.setattr(
+        "enferno.admin.views.system.UPDATE_STATE_FILE",
+        str(tmp_path / "missing.json"),
+    )
+    resp = admin_client.get("/admin/api/updates/status")
+    assert resp.status_code == 200
+    data = resp.get_json()["data"]
+    assert data["phase"] == "IDLE"
+    assert data["running"] is False
+
+
+def test_status_running_when_midway(admin_client, tmp_path, monkeypatch):
+    state = tmp_path / "update.json"
+    state.write_text(json.dumps({"phase": "MIGRATE", "target": "4.1.1"}))
+    monkeypatch.setattr("enferno.admin.views.system.UPDATE_STATE_FILE", str(state))
+    resp = admin_client.get("/admin/api/updates/status")
+    data = resp.get_json()["data"]
+    assert data["phase"] == "MIGRATE"
+    assert data["running"] is True
+
+
+def test_status_terminal_when_success(admin_client, tmp_path, monkeypatch):
+    state = tmp_path / "update.json"
+    state.write_text(json.dumps({"phase": "SUCCESS", "target": "4.1.1"}))
+    monkeypatch.setattr("enferno.admin.views.system.UPDATE_STATE_FILE", str(state))
+    resp = admin_client.get("/admin/api/updates/status")
+    data = resp.get_json()["data"]
+    assert data["running"] is False
+
+
+def test_start_calls_wrapper(admin_client):
+    _fresh_session(admin_client)
+    with patch("enferno.admin.views.system.subprocess.run") as run:
+        resp = admin_client.post("/admin/api/updates/start")
+        assert resp.status_code == 200
+        run.assert_called_once()
+        args = run.call_args.args[0]
+        assert args == ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"]
+
+
+def test_start_requires_fresh_auth(admin_client):
+    # No _fresh_session call -> session is stale -> auth_required(within=15)
+    # should reject with redirect/401/403.
+    with patch("enferno.admin.views.system.subprocess.run") as run:
+        resp = admin_client.post("/admin/api/updates/start")
+        assert resp.status_code in (302, 401, 403)
+        run.assert_not_called()
+
+
+def test_non_admin_cannot_start(da_client):
+    _fresh_session(da_client)
+    resp = da_client.post("/admin/api/updates/start")
+    # roles_required returns 403 (Forbidden) for wrong-role users
+    assert resp.status_code in (401, 403)