From 2c89ed497889b16800de4deb45be1a0a585a3e88 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:06:57 +0200
Subject: [PATCH 01/37] feat(cli): add pg_dump snapshot, restore, and retention
 helpers

---
 bayanat | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)

diff --git a/bayanat b/bayanat
index 378e143df..54b05d6d6 100755
--- a/bayanat
+++ b/bayanat
@@ -85,6 +85,104 @@ swap_symlink() {
     mv -Tf "$CURRENT_LINK.tmp" "$CURRENT_LINK"
 }
 
+# --- Snapshot helpers ---
+
+SNAPSHOT_RETENTION_DAYS="${BAYANAT_SNAPSHOT_RETENTION_DAYS:-30}"
+SNAPSHOT_RETENTION_COUNT=5
+
+_pg_env() {
+    # Emits pg_dump / pg_restore env from shared/.env. All callers must
+    # `eval "$(_pg_env)"` in a subshell.
+    local env_file="$SHARED_DIR/.env"
+    [[ -f "$env_file" ]] || die "missing $env_file"
+    grep -E '^(POSTGRES_HOST|POSTGRES_PORT|POSTGRES_USER|POSTGRES_PASSWORD|POSTGRES_DB)=' \
+        "$env_file" | sed 's/^/export /'
+}
+
+snapshot_pg_dump() {
+    # $1 = previous tag, $2 = target tag
+    # Writes shared/backups/pre-<prev>-to-<target>-<ts>.dump via .partial rename.
+    local prev="$1" target="$2"
+    local ts name partial final
+    ts=$(date -u +%Y%m%d-%H%M)
+    name="pre-${prev}-to-${target}-${ts}.dump"
+    partial="$SHARED_DIR/backups/${name}.partial"
+    final="$SHARED_DIR/backups/${name}"
+    log "Taking pre-update snapshot: $name"
+    (
+        eval "$(_pg_env)"
+        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+            pg_dump -Fc \
+                -h "${POSTGRES_HOST:-localhost}" \
+                -p "${POSTGRES_PORT:-5432}" \
+                -U "$POSTGRES_USER" \
+                -f "$partial" \
+                "$POSTGRES_DB"
+    )
+    mv -Tf "$partial" "$final"
+    echo "$name"
+}
+
+prune_snapshots() {
+    # Keep last $SNAPSHOT_RETENTION_COUNT snapshots OR last
+    # $SNAPSHOT_RETENTION_DAYS days, whichever is greater.
+    local backups="$SHARED_DIR/backups"
+    [[ -d "$backups" ]] || return 0
+    local cutoff_epoch
+    cutoff_epoch=$(date -d "-${SNAPSHOT_RETENTION_DAYS} days" +%s 2>/dev/null \
+        || date -v-"${SNAPSHOT_RETENTION_DAYS}"d +%s)
+    local idx=0 name path mtime
+    while IFS= read -r path; do
+        idx=$((idx + 1))
+        name=$(basename "$path")
+        mtime=$(stat -c %Y "$path" 2>/dev/null || stat -f %m "$path")
+        if [[ "$idx" -le "$SNAPSHOT_RETENTION_COUNT" ]]; then
+            continue
+        fi
+        if [[ "$mtime" -lt "$cutoff_epoch" ]]; then
+            log "Pruning snapshot: $name"
+            rm -f "$path"
+        fi
+    done < <(ls -1t "$backups"/pre-*.dump 2>/dev/null || true)
+}
+
+list_snapshots() {
+    local backups="$SHARED_DIR/backups"
+    [[ -d "$backups" ]] || { echo "No snapshots directory."; return; }
+    printf '%-60s %10s %20s\n' "NAME" "SIZE" "AGE"
+    local name size mtime age
+    for path in $(ls -1t "$backups"/pre-*.dump 2>/dev/null); do
+        name=$(basename "$path")
+        size=$(du -h "$path" | cut -f1)
+        mtime=$(stat -c %Y "$path" 2>/dev/null || stat -f %m "$path")
+        age="$(( ($(date +%s) - mtime) / 3600 ))h"
+        printf '%-60s %10s %20s\n' "$name" "$size" "$age"
+    done
+}
+
+restore_pg() {
+    # $1 = snapshot basename (no path). Stops services, restores, starts services.
+    local name="$1"
+    local path="$SHARED_DIR/backups/$name"
+    [[ -f "$path" ]] || die "snapshot not found: $path"
+    log "Restoring $name (this will DROP and RECREATE tables)"
+    read -r -p "Type 'yes' to confirm: " reply
+    [[ "$reply" == "yes" ]] || die "aborted"
+    systemctl stop bayanat bayanat-celery
+    (
+        eval "$(_pg_env)"
+        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+            pg_restore --clean --if-exists \
+                -h "${POSTGRES_HOST:-localhost}" \
+                -p "${POSTGRES_PORT:-5432}" \
+                -U "$POSTGRES_USER" \
+                -d "$POSTGRES_DB" \
+                "$path"
+    )
+    systemctl start bayanat bayanat-celery
+    log "Restore complete"
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From 8539c7f89852fe44feb928de6a07c794b121706c Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:11:43 +0200
Subject: [PATCH 02/37] fix(cli): restart services if pg_restore fails during
 bayanat restore

---
 bayanat | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/bayanat b/bayanat
index 54b05d6d6..e5a646efb 100755
--- a/bayanat
+++ b/bayanat
@@ -169,7 +169,7 @@ restore_pg() {
     read -r -p "Type 'yes' to confirm: " reply
     [[ "$reply" == "yes" ]] || die "aborted"
     systemctl stop bayanat bayanat-celery
-    (
+    if ! (
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
             pg_restore --clean --if-exists \
@@ -178,7 +178,10 @@ restore_pg() {
                 -U "$POSTGRES_USER" \
                 -d "$POSTGRES_DB" \
                 "$path"
-    )
+    ); then
+        systemctl start bayanat bayanat-celery
+        die "pg_restore failed; services restarted on existing DB"
+    fi
     systemctl start bayanat bayanat-celery
     log "Restore complete"
 }

From aa77971a51468255c967fb2643757242d8f42b8f Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:11:59 +0200
Subject: [PATCH 03/37] refactor(cli): use while-read pattern in list_snapshots
 (matches prune_snapshots)

---
 bayanat | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bayanat b/bayanat
index e5a646efb..07744fc67 100755
--- a/bayanat
+++ b/bayanat
@@ -151,13 +151,13 @@ list_snapshots() {
     [[ -d "$backups" ]] || { echo "No snapshots directory."; return; }
     printf '%-60s %10s %20s\n' "NAME" "SIZE" "AGE"
     local name size mtime age
-    for path in $(ls -1t "$backups"/pre-*.dump 2>/dev/null); do
+    while IFS= read -r path; do
         name=$(basename "$path")
         size=$(du -h "$path" | cut -f1)
         mtime=$(stat -c %Y "$path" 2>/dev/null || stat -f %m "$path")
         age="$(( ($(date +%s) - mtime) / 3600 ))h"
         printf '%-60s %10s %20s\n' "$name" "$size" "$age"
-    done
+    done < <(ls -1t "$backups"/pre-*.dump 2>/dev/null || true)
 }
 
 restore_pg() {

From a1b8f4b54a5d780179830e90e7a1bfd85af015d9 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:12:09 +0200
Subject: [PATCH 04/37] refactor(cli): make SNAPSHOT_RETENTION_COUNT readonly

---
 bayanat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bayanat b/bayanat
index 07744fc67..c80b6a2a2 100755
--- a/bayanat
+++ b/bayanat
@@ -88,7 +88,7 @@ swap_symlink() {
 # --- Snapshot helpers ---
 
 SNAPSHOT_RETENTION_DAYS="${BAYANAT_SNAPSHOT_RETENTION_DAYS:-30}"
-SNAPSHOT_RETENTION_COUNT=5
+readonly SNAPSHOT_RETENTION_COUNT=5
 
 _pg_env() {
     # Emits pg_dump / pg_restore env from shared/.env. All callers must

From f3ead095db24c85c9f7d743f64a1d684394ec1d0 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:14:23 +0200
Subject: [PATCH 05/37] feat(cli): add update state file and PID lock
 primitives

---
 bayanat | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/bayanat b/bayanat
index c80b6a2a2..d776e2e76 100755
--- a/bayanat
+++ b/bayanat
@@ -186,6 +186,76 @@ restore_pg() {
     log "Restore complete"
 }
 
+# --- Update state + lock ---
+
+STATE_DIR="$BAYANAT_ROOT/state"
+STATE_FILE="$STATE_DIR/update.json"
+LOCK_FILE="$STATE_DIR/update.lock"
+
+_now_iso() { date -u +%Y-%m-%dT%H:%M:%SZ; }
+
+write_state() {
+    # write_state <phase> <phase_label>
+    # Reads STATE_TARGET / STATE_PREVIOUS / STATE_SNAPSHOT /
+    # STATE_STARTED_AT / STATE_PROGRESS / STATE_ERROR_JSON from environment.
+    local phase="$1" label="$2"
+    mkdir -p "$STATE_DIR"
+    chown "$APP_USER:$APP_USER" "$STATE_DIR" 2>/dev/null || true
+    local tmp="$STATE_FILE.tmp"
+    cat > "$tmp" <<EOF
+{
+  "phase": "$phase",
+  "phase_label": "$label",
+  "target": "${STATE_TARGET:-}",
+  "previous": "${STATE_PREVIOUS:-}",
+  "snapshot": "${STATE_SNAPSHOT:-}",
+  "started_at": "${STATE_STARTED_AT:-$(_now_iso)}",
+  "updated_at": "$(_now_iso)",
+  "progress_text": "${STATE_PROGRESS:-}",
+  "error": ${STATE_ERROR_JSON:-null},
+  "pid": $$,
+  "unit": "${BAYANAT_UPDATE_UNIT:-bayanat-update.service}"
+}
+EOF
+    mv -Tf "$tmp" "$STATE_FILE"
+    chown "$APP_USER:$APP_USER" "$STATE_FILE" 2>/dev/null || true
+}
+
+clear_state() {
+    rm -f "$STATE_FILE"
+}
+
+read_phase() {
+    [[ -f "$STATE_FILE" ]] || { echo IDLE; return; }
+    python3 -c "import json,sys; print(json.load(open('$STATE_FILE')).get('phase','IDLE'))" \
+        2>/dev/null || echo IDLE
+}
+
+read_field() {
+    # $1 = field name
+    [[ -f "$STATE_FILE" ]] || return 1
+    python3 -c "import json,sys; print(json.load(open('$STATE_FILE')).get('$1',''))" 2>/dev/null
+}
+
+acquire_lock() {
+    mkdir -p "$STATE_DIR"
+    if [[ -f "$LOCK_FILE" ]]; then
+        local pid
+        pid=$(cat "$LOCK_FILE" 2>/dev/null || echo 0)
+        if [[ "$pid" -gt 0 ]] && kill -0 "$pid" 2>/dev/null; then
+            die "another update is running (pid $pid)"
+        fi
+        log "Removing stale lock (pid $pid)"
+        rm -f "$LOCK_FILE"
+    fi
+    echo $$ > "$LOCK_FILE"
+    chown "$APP_USER:$APP_USER" "$LOCK_FILE" 2>/dev/null || true
+}
+
+release_lock() {
+    rm -f "$LOCK_FILE"
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From bfd5b315a72098b9f31de9051e4510cc8d9926c1 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:15:02 +0200
Subject: [PATCH 06/37] feat(cli): add recover_state phase-dispatch for update
 crash recovery

---
 bayanat | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/bayanat b/bayanat
index d776e2e76..3e938eb0a 100755
--- a/bayanat
+++ b/bayanat
@@ -256,6 +256,60 @@ release_lock() {
     rm -f "$LOCK_FILE"
 }
 
+# --- Recovery dispatch ---
+
+recover_state() {
+    local phase
+    phase=$(read_phase)
+    case "$phase" in
+        IDLE)
+            return 0
+            ;;
+        PREPARE_DONE)
+            log "Recovery: PREPARE_DONE — cleaning partial release and clearing state"
+            local target
+            target=$(read_field target || true)
+            if [[ -n "$target" ]]; then
+                rm -rf "$RELEASES_DIR/$target.partial" "$RELEASES_DIR/$target"
+            fi
+            clear_state
+            release_lock
+            ;;
+        MIGRATE_DONE)
+            log "Recovery: MIGRATE_DONE — starting services on previous release"
+            systemctl start bayanat bayanat-celery
+            if _wait_healthy 60; then
+                log "Recovery OK; operator should re-run update to finish"
+                clear_state
+                release_lock
+            else
+                STATE_ERROR_JSON='"MIGRATE_DONE recovery: previous release unhealthy"'
+                write_state NEEDS_INTERVENTION "Services unhealthy after recovery; restore snapshot manually"
+                exit 2
+            fi
+            ;;
+        SWITCH_DONE)
+            log "Recovery: SWITCH_DONE — running code rollback"
+            rollback_code
+            ;;
+        SUCCESS|ROLLED_BACK)
+            clear_state
+            release_lock
+            ;;
+        NEEDS_INTERVENTION)
+            local snap prev
+            snap=$(read_field snapshot || true)
+            prev=$(read_field previous || true)
+            die "Operator intervention required. Snapshot: $snap  Previous tag: $prev  See: sudo -u $APP_USER bayanat snapshots"
+            ;;
+        *)
+            warn "Unknown phase '$phase' — clearing and starting fresh"
+            clear_state
+            release_lock
+            ;;
+    esac
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From ebfbdfce1c135f9d7dd84ae1ed47de84ef5da0e4 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:18:30 +0200
Subject: [PATCH 07/37] refactor(cli): mark state/lock file constants readonly

---
 bayanat | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bayanat b/bayanat
index 3e938eb0a..04d2e53d8 100755
--- a/bayanat
+++ b/bayanat
@@ -188,9 +188,9 @@ restore_pg() {
 
 # --- Update state + lock ---
 
-STATE_DIR="$BAYANAT_ROOT/state"
-STATE_FILE="$STATE_DIR/update.json"
-LOCK_FILE="$STATE_DIR/update.lock"
+readonly STATE_DIR="$BAYANAT_ROOT/state"
+readonly STATE_FILE="$STATE_DIR/update.json"
+readonly LOCK_FILE="$STATE_DIR/update.lock"
 
 _now_iso() { date -u +%Y-%m-%dT%H:%M:%SZ; }
 

From c21913d4384f1aedc9340f1f893b24217102a8f6 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:19:11 +0200
Subject: [PATCH 08/37] feat(cli): add update health probe helpers (socket + db
 + redis)

---
 bayanat | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/bayanat b/bayanat
index 04d2e53d8..3e76b972f 100755
--- a/bayanat
+++ b/bayanat
@@ -310,6 +310,41 @@ recover_state() {
     esac
 }
 
+# --- Health probe ---
+
+_socket_health() {
+    # curl the Flask /health over the unix socket. Returns 0 on HTTP 200.
+    curl -s --unix-socket "$CURRENT_LINK/bayanat.sock" \
+        --max-time 3 -o /dev/null -w '%{http_code}' \
+        http://localhost/health 2>/dev/null | grep -q '^200$'
+}
+
+_db_ping() {
+    (
+        eval "$(_pg_env)"
+        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+            psql -h "${POSTGRES_HOST:-localhost}" \
+                 -U "$POSTGRES_USER" -d "$POSTGRES_DB" \
+                 -c 'SELECT 1' -t >/dev/null 2>&1
+    )
+}
+
+_redis_ping() {
+    redis-cli ping 2>/dev/null | grep -q '^PONG$'
+}
+
+_wait_healthy() {
+    # $1 = deadline in seconds (default 60)
+    local deadline=$(( $(date +%s) + ${1:-60} ))
+    while (( $(date +%s) < deadline )); do
+        if _socket_health && _db_ping && _redis_ping; then
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From f73b3950ac6084f84b89f114a615b5c87b4bbab8 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:21:04 +0200
Subject: [PATCH 09/37] feat(cli): update pipeline PREPARE phase

---
 bayanat | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/bayanat b/bayanat
index 3e76b972f..0d0eab9a9 100755
--- a/bayanat
+++ b/bayanat
@@ -345,6 +345,61 @@ _wait_healthy() {
     return 1
 }
 
+# --- Update pipeline ---
+
+update_preflight() {
+    preflight_checks
+    _verify_service_health
+    command -v pg_dump >/dev/null || die "pg_dump not in PATH"
+    command -v pg_restore >/dev/null || die "pg_restore not in PATH"
+    # pg_dump major version must match Postgres server major version
+    local client_major server_major
+    client_major=$(pg_dump --version | awk '{print $3}' | cut -d. -f1)
+    server_major=$(
+        eval "$(_pg_env)"
+        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+            psql -h "${POSTGRES_HOST:-localhost}" \
+                 -U "$POSTGRES_USER" -d "$POSTGRES_DB" \
+                 -c 'SHOW server_version_num' -t 2>/dev/null \
+                 | tr -d ' ' | cut -c1-2
+    )
+    [[ -n "$client_major" && -n "$server_major" ]] \
+        || die "could not determine pg_dump/server versions"
+    [[ "$client_major" == "$server_major" ]] \
+        || die "pg_dump major ($client_major) != server major ($server_major)"
+    # Disk in backups (need >= 2 GB for snapshot headroom)
+    local backups_free_kb
+    backups_free_kb=$(df --output=avail "$SHARED_DIR/backups" | tail -1 | tr -d ' ')
+    [[ "$backups_free_kb" -ge 2097152 ]] \
+        || die "need >= 2GB free in $SHARED_DIR/backups for snapshot"
+    # Schema aligned with models
+    flask_run "$(current_version)" check-db-alignment >/dev/null \
+        || die "schema drift detected; run 'flask check-db-alignment' for details"
+    # Flask doctor
+    flask_run "$(current_version)" doctor >/dev/null \
+        || die "flask doctor failed"
+}
+
+do_prepare() {
+    # $1 = target tag
+    local target="$1"
+    local current
+    current=$(current_version || echo 0)
+    [[ "$target" != "$current" ]] || die "already on $target"
+    log "PREPARE: fetching $target"
+    update_preflight
+    _clone_release "$target"
+    _install_deps "$target"
+    _link_shared "$target"
+    acquire_lock
+    export STATE_TARGET="$target"
+    export STATE_PREVIOUS="$current"
+    export STATE_STARTED_AT
+    STATE_STARTED_AT="$(_now_iso)"
+    export STATE_PROGRESS="Fetched $target, ready to migrate"
+    write_state PREPARE_DONE "Prepared $target, ready to migrate"
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From 820c658d6c033d6664ce5e56d97b33e05e7474e8 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:22:02 +0200
Subject: [PATCH 10/37] feat(cli): update pipeline MIGRATE phase

---
 bayanat | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/bayanat b/bayanat
index 0d0eab9a9..a5bf37c3c 100755
--- a/bayanat
+++ b/bayanat
@@ -400,6 +400,33 @@ do_prepare() {
     write_state PREPARE_DONE "Prepared $target, ready to migrate"
 }
 
+do_migrate() {
+    local target="$STATE_TARGET"
+    local prev="$STATE_PREVIOUS"
+    log "MIGRATE: stopping services"
+    export STATE_PROGRESS="Stopping services"
+    write_state MIGRATE "Stopping services for maintenance window"
+    systemctl stop bayanat bayanat-celery
+    log "MIGRATE: pruning old snapshots"
+    prune_snapshots
+    export STATE_PROGRESS="Taking pre-update snapshot"
+    write_state MIGRATE "Taking pre-update snapshot"
+    export STATE_SNAPSHOT
+    STATE_SNAPSHOT=$(snapshot_pg_dump "$prev" "$target")
+    log "MIGRATE: running migrations"
+    export STATE_PROGRESS="Running migrations"
+    write_state MIGRATE "Running migrations"
+    if ! flask_run "$target" db upgrade; then
+        export STATE_ERROR_JSON='"db upgrade failed"'
+        write_state NEEDS_INTERVENTION "Migration failed; previous release remains linked"
+        systemctl start bayanat bayanat-celery || true
+        release_lock
+        exit 2
+    fi
+    export STATE_PROGRESS="Migration complete"
+    write_state MIGRATE_DONE "Migration complete, switching to new release"
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From d7dd110f5d7390a1808fc50209564fce4208d807 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:22:55 +0200
Subject: [PATCH 11/37] feat(cli): update pipeline SWITCH, VERIFY, and
 ROLLBACK_CODE

---
 bayanat | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/bayanat b/bayanat
index a5bf37c3c..32e765179 100755
--- a/bayanat
+++ b/bayanat
@@ -427,6 +427,53 @@ do_migrate() {
     write_state MIGRATE_DONE "Migration complete, switching to new release"
 }
 
+do_switch_verify() {
+    local target="$STATE_TARGET"
+    export STATE_PROGRESS="Swapping to $target"
+    write_state SWITCH "Swapping current -> $target"
+    swap_symlink "$RELEASES_DIR/$target"
+    systemctl start bayanat bayanat-celery
+    write_state SWITCH_DONE "Verifying new release"
+    export STATE_PROGRESS="Waiting for health probe"
+    if _wait_healthy 60; then
+        export STATE_PROGRESS="Update successful"
+        write_state SUCCESS "Update to $target complete"
+        clear_state
+        release_lock
+        log "SUCCESS: running $target"
+        return 0
+    else
+        warn "Health probe failed; rolling back code"
+        rollback_code
+        return 1
+    fi
+}
+
+rollback_code() {
+    local prev="$STATE_PREVIOUS"
+    if [[ -z "$prev" ]]; then
+        export STATE_ERROR_JSON='"cannot roll back: no previous tag recorded"'
+        write_state NEEDS_INTERVENTION "Cannot roll back: no previous tag recorded"
+        exit 2
+    fi
+    write_state ROLLBACK "Reverting symlink to $prev"
+    systemctl stop bayanat bayanat-celery || true
+    swap_symlink "$RELEASES_DIR/$prev"
+    systemctl start bayanat bayanat-celery
+    if _wait_healthy 60; then
+        export STATE_PROGRESS="Rolled back to $prev"
+        write_state ROLLED_BACK "Rolled back to $prev; snapshot retained"
+        clear_state
+        release_lock
+        log "ROLLED_BACK: on $prev; snapshot: ${STATE_SNAPSHOT:-none}"
+        exit 1
+    else
+        export STATE_ERROR_JSON='"code rollback failed health probe"'
+        write_state NEEDS_INTERVENTION "Rollback to $prev unhealthy; restore snapshot ${STATE_SNAPSHOT:-} manually"
+        exit 2
+    fi
+}
+
 # --- Step functions (each is idempotent) ---
 
 _install_system_packages() {

From 473b04713786142731e6242a751a8b0017718604 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:24:49 +0200
Subject: [PATCH 12/37] feat(cli): wire update/snapshots/restore subcommands
 and extend status

---
 bayanat | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 61 insertions(+), 4 deletions(-)

diff --git a/bayanat b/bayanat
index 32e765179..fc90a2862 100755
--- a/bayanat
+++ b/bayanat
@@ -837,6 +837,43 @@ _verify_service_health() {
     warn "Application not responding on socket after $((retries * delay))s (may still be starting)"
 }
 
+# --- Update ---
+
+cmd_update() {
+    local flag="${1:-}"
+    case "$flag" in
+        --check)
+            local cur latest
+            cur=$(current_version || echo "not installed")
+            latest=$(latest_remote_tag | sed 's/^v//')
+            echo "current: $cur"
+            echo "latest:  $latest"
+            if [[ "$cur" == "$latest" ]]; then
+                echo "up to date"
+            else
+                echo "update available"
+            fi
+            return 0
+            ;;
+        --recover)
+            require_root
+            recover_state
+            return 0
+            ;;
+    esac
+    require_root
+    recover_state
+    local target="${1:-}"
+    if [[ -z "$target" ]]; then
+        target=$(latest_remote_tag | sed 's/^v//')
+    else
+        target="${target#v}"
+    fi
+    do_prepare "$target"
+    do_migrate
+    do_switch_verify
+}
+
 # --- Status ---
 
 cmd_status() {
@@ -863,6 +900,17 @@ cmd_status() {
     for svc in bayanat bayanat-celery caddy; do
         printf "  %-20s %s\n" "$svc" "$(systemctl is-active "$svc" 2>/dev/null || echo 'unknown')"
     done
+
+    echo ""
+    local phase
+    phase=$(read_phase)
+    echo "Update state: $phase"
+    if [[ "$phase" != "IDLE" ]]; then
+        echo "  target:     $(read_field target || echo '')"
+        echo "  previous:   $(read_field previous || echo '')"
+        echo "  snapshot:   $(read_field snapshot || echo '')"
+        echo "  updated_at: $(read_field updated_at || echo '')"
+    fi
 }
 
 # --- Usage ---
@@ -875,18 +923,27 @@ Usage: bayanat <command> [options]
 
 Commands:
   install [domain]    Install Bayanat (default: localhost)
-  status              Show version and service status
+  update [<tag>]      Update Bayanat to <tag> (default: latest release)
+  update --check      Show current vs latest; no changes
+  update --recover    Recover from a stuck update state file
+  snapshots           List pre-update snapshots
+  restore <name>      Restore a pre-update snapshot (prompts confirmation)
+  status              Show version, services, and update state
 
 Environment:
-  BAYANAT_REPO        GitHub repo (default: sjacorg/bayanat)
+  BAYANAT_REPO                        GitHub repo (default: sjacorg/bayanat)
+  BAYANAT_SNAPSHOT_RETENTION_DAYS     Snapshot retention floor (default: 30)
 EOF
 }
 
 # --- Main ---
 
 case "${1:-}" in
-    install) shift; cmd_install "$@" ;;
-    status)  cmd_status ;;
+    install)    shift; cmd_install "$@" ;;
+    update)     shift; cmd_update "$@" ;;
+    snapshots)  require_root; list_snapshots ;;
+    restore)    require_root; [[ -n "${2:-}" ]] || die "usage: bayanat restore <snapshot-name>"; restore_pg "$2" ;;
+    status)     cmd_status ;;
     -h|--help|help) usage ;;
     *) usage; exit 1 ;;
 esac

From f2e3c43b41519db593c12d0fed79e683cb582b77 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:25:57 +0200
Subject: [PATCH 13/37] feat(installer): create /opt/bayanat/state directory
 for update CLI

---
 bayanat | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bayanat b/bayanat
index fc90a2862..742b928df 100755
--- a/bayanat
+++ b/bayanat
@@ -559,7 +559,8 @@ _setup_database() {
 
 _create_directories() {
     mkdir -p "$RELEASES_DIR" "$SHARED_DIR/media" "$SHARED_DIR/backups" \
-             "$LOGS_DIR"
+             "$LOGS_DIR" "$STATE_DIR"
+    chown -R "$APP_USER:$APP_USER" "$STATE_DIR"
 }
 
 _clone_release() {

From ea544b988b87a41ae5233675f2777bf04dfe45a7 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:26:14 +0200
Subject: [PATCH 14/37] feat(installer): install bayanat-start-update wrapper
 and new sudoers grants

---
 bayanat | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/bayanat b/bayanat
index 742b928df..bc48222b3 100755
--- a/bayanat
+++ b/bayanat
@@ -738,11 +738,29 @@ EOF
 
 _install_sudoers() {
     cat > /etc/sudoers.d/bayanat << 'EOF'
-bayanat ALL=(root) NOPASSWD: /usr/local/bin/bayanat update
+bayanat ALL=(root) NOPASSWD: /usr/local/sbin/bayanat-start-update
 bayanat ALL=(root) NOPASSWD: /usr/local/bin/bayanat status
+bayanat ALL=(root) NOPASSWD: /usr/local/bin/bayanat snapshots
 bayanat ALL=(root) NOPASSWD: /usr/bin/systemctl restart bayanat-celery
 EOF
     chmod 440 /etc/sudoers.d/bayanat
+    visudo -cf /etc/sudoers.d/bayanat >/dev/null || die "sudoers syntax invalid"
+}
+
+_install_update_wrapper() {
+    # Root-owned wrapper. Launches `bayanat update` as a transient systemd
+    # unit so the update outlives Flask restart, SSH disconnect, and
+    # browser close. Must be in sudoers at this exact path.
+    install -m 0755 -o root -g root /dev/stdin /usr/local/sbin/bayanat-start-update <<'EOF'
+#!/bin/bash
+# Installed root:root 0755 by `bayanat install`. Do not edit.
+set -euo pipefail
+exec /usr/bin/systemd-run \
+    --unit=bayanat-update \
+    --collect \
+    --property=Restart=no \
+    /usr/local/bin/bayanat update
+EOF
 }
 
 # --- Install ---
@@ -794,6 +812,7 @@ cmd_install() {
     _install_systemd
     _configure_caddy "$domain"
     _install_sudoers
+    _install_update_wrapper
 
     chown -R "$APP_USER:$APP_USER" "$BAYANAT_ROOT"
     systemctl daemon-reload

From 06a8b61018f77ec494ab20044f2ffd13b32c5f5d Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:28:00 +0200
Subject: [PATCH 15/37] feat(api): add /health readiness endpoint for bayanat
 updater

---
 enferno/public/views.py | 34 +++++++++++++++++++++++++++++++---
 tests/test_health.py    | 13 +++++++++++++
 2 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 tests/test_health.py

diff --git a/enferno/public/views.py b/enferno/public/views.py
index 23cec85d8..92175efd2 100755
--- a/enferno/public/views.py
+++ b/enferno/public/views.py
@@ -1,8 +1,12 @@
-from flask import request, redirect, Blueprint, send_from_directory, Response, jsonify
+import os
 from typing import Optional
-from enferno.utils.logging_utils import get_logger
-from enferno.extensions import db, limiter
+
+from flask import Blueprint, Response, jsonify, redirect, request, send_from_directory
 from flask_wtf.csrf import generate_csrf
+from sqlalchemy import text
+
+from enferno.extensions import db, limiter, rds
+from enferno.utils.logging_utils import get_logger
 
 bp_public = Blueprint("public", __name__, static_folder="../static")
 
@@ -29,6 +33,30 @@ def get_csrf_token() -> Response:
     return jsonify({"csrf_token": token})
 
 
+@bp_public.route("/health")
+@limiter.exempt
+def health() -> Response:
+    """Readiness probe used by the bayanat updater. Touches DB and Redis."""
+    try:
+        db.session.execute(text("SELECT 1"))
+        rds.ping()
+    except Exception as e:
+        logger.error(f"health check failed: {e}")
+        return jsonify({"status": "error", "error": str(e)[:120]}), 503
+    version = os.environ.get("BAYANAT_VERSION") or _read_version_from_pyproject()
+    return jsonify({"status": "ok", "version": version})
+
+
+def _read_version_from_pyproject() -> Optional[str]:
+    try:
+        import tomllib
+
+        with open("pyproject.toml", "rb") as fh:
+            return tomllib.load(fh).get("project", {}).get("version")
+    except Exception:
+        return None
+
+
 @bp_public.teardown_app_request
 def shutdown_global_session(exception: Optional[Exception] = None) -> None:
     """Remove database session at the end of each request."""
diff --git a/tests/test_health.py b/tests/test_health.py
new file mode 100644
index 000000000..20121b8ec
--- /dev/null
+++ b/tests/test_health.py
@@ -0,0 +1,13 @@
+def test_health_returns_ok(anonymous_client):
+    resp = anonymous_client.get("/health")
+    assert resp.status_code == 200
+    data = resp.get_json()
+    assert data["status"] == "ok"
+    assert "version" in data
+
+
+def test_health_is_exempt_from_rate_limit(anonymous_client):
+    # 20 rapid requests should all succeed (limiter.exempt).
+    for _ in range(20):
+        resp = anonymous_client.get("/health")
+        assert resp.status_code == 200

From bacd7cae7a877fd763098cdf33ec2cbb2abfabe8 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:29:25 +0200
Subject: [PATCH 16/37] feat(config): add AUTO_APPLY_PATCH_UPDATES default
 (off)

---
 enferno/utils/config_utils.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/enferno/utils/config_utils.py b/enferno/utils/config_utils.py
index 7e40a505d..7cd720ce8 100644
--- a/enferno/utils/config_utils.py
+++ b/enferno/utils/config_utils.py
@@ -166,6 +166,7 @@ class ConfigManager:
                 "twitter.com",
             ],
             "YTDLP_COOKIES": "",
+            "AUTO_APPLY_PATCH_UPDATES": False,
             "NOTIFICATIONS": NOTIFICATIONS_DEFAULT_CONFIG,  # Import from notification_config.py
         }
     )
@@ -240,6 +241,7 @@ class ConfigManager:
             "YTDLP_PROXY": "Proxy URL to use with Web Import",
             "YTDLP_ALLOWED_DOMAINS": "Allowed Domains for Web Import",
             "YTDLP_COOKIES": "Cookies to use with Web Import",
+            "AUTO_APPLY_PATCH_UPDATES": "Auto-apply patch releases",
             "NOTIFICATIONS": "Notifications",
         }
     )

From 211d36245bc14219b2186c88a369ac13fa11f93d Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:31:36 +0200
Subject: [PATCH 17/37] feat(tasks): periodic update check with opt-in patch
 auto-apply

---
 enferno/tasks/__init__.py    |  12 ++++
 enferno/tasks/maintenance.py | 103 ++++++++++++++++++++++++++++++++++-
 tests/test_update_check.py   |  28 ++++++++++
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_update_check.py

diff --git a/enferno/tasks/__init__.py b/enferno/tasks/__init__.py
index e96e07b13..b7a7bd309 100644
--- a/enferno/tasks/__init__.py
+++ b/enferno/tasks/__init__.py
@@ -140,6 +140,16 @@ def setup_periodic_tasks(sender: Any, **kwargs: dict[str, Any]) -> None:
             f"Backup periodic task is set up. Backups will run at 3:00 every {cfg.BACKUP_INTERVAL} day(s)."
         )
 
+    # Update-check periodic task (every 6 hours)
+    from enferno.tasks.maintenance import check_for_updates
+
+    sender.add_periodic_task(
+        6 * 60 * 60,
+        check_for_updates.s(),
+        name="Check for Updates",
+    )
+    logger.info("Update-check periodic task is set up (every 6h).")
+
     # session cleanup task
     sender.add_periodic_task(24 * 60 * 60, session_cleanup.s(), name="Session Cleanup Cron")
 
@@ -175,6 +185,7 @@ def setup_periodic_tasks(sender: Any, **kwargs: dict[str, Any]) -> None:
 from enferno.tasks.graph import generate_graph  # noqa: E402
 from enferno.tasks.maintenance import (  # noqa: E402
     activity_cleanup_cron,
+    check_for_updates,
     daily_backup_cron,
     regenerate_locations,
     reload_app,
@@ -224,6 +235,7 @@ def setup_periodic_tasks(sender: Any, **kwargs: dict[str, Any]) -> None:
     "generate_graph",
     # maintenance
     "activity_cleanup_cron",
+    "check_for_updates",
     "daily_backup_cron",
     "regenerate_locations",
     "reload_app",
diff --git a/enferno/tasks/maintenance.py b/enferno/tasks/maintenance.py
index c3f512085..615687373 100644
--- a/enferno/tasks/maintenance.py
+++ b/enferno/tasks/maintenance.py
@@ -1,17 +1,118 @@
 # -*- coding: utf-8 -*-
+import json
 import os
-from datetime import date, timedelta
+import subprocess
+from datetime import date, datetime, timedelta, timezone
 
+import requests
+from packaging.version import Version
+
+from enferno.admin.constants import Constants
 from enferno.admin.models import Activity, Location
+from enferno.admin.models.Notification import Notification
 from enferno.extensions import db, rds
 from enferno.tasks import celery, cfg
 from enferno.user.models import Session
 from enferno.utils.backup_utils import pg_dump, upload_to_s3
+from enferno.utils.config_utils import ConfigManager
 from enferno.utils.date_helper import DateHelper
 from enferno.utils.logging_utils import get_logger
 
 logger = get_logger("celery.tasks.maintenance")
 
+GITHUB_LATEST_URL = "https://api.github.com/repos/sjacorg/bayanat/releases/latest"
+UPDATE_CACHE_KEY = "bayanat:update:available"
+UPDATE_NOTIFIED_KEY = "bayanat:update:available:notified"
+
+
+def _strip_v(tag: str) -> str:
+    return tag[1:] if tag.startswith("v") else tag
+
+
+def _redis_get_str(key: str):
+    val = rds.get(key)
+    if val is None:
+        return None
+    return val.decode() if isinstance(val, (bytes, bytearray)) else val
+
+
+def _current_version() -> str:
+    try:
+        import tomllib
+
+        with open("pyproject.toml", "rb") as fh:
+            return tomllib.load(fh).get("project", {}).get("version", "0.0.0")
+    except Exception:
+        return "0.0.0"
+
+
+def _is_patch_bump(current: str, target: str) -> bool:
+    try:
+        c, t = Version(current), Version(target)
+    except Exception:
+        return False
+    if t <= c:
+        return False
+    return c.major == t.major and c.minor == t.minor
+
+
+@celery.task
+def check_for_updates():
+    """Poll GitHub releases. Cache latest. Notify admins on new tag. Optionally auto-apply patch."""
+    try:
+        resp = requests.get(GITHUB_LATEST_URL, timeout=10)
+        resp.raise_for_status()
+        release = resp.json()
+    except Exception as e:
+        logger.warning(f"update check failed: {e}")
+        return
+
+    latest_tag = _strip_v(release.get("tag_name", ""))
+    if not latest_tag:
+        return
+
+    rds.set(
+        UPDATE_CACHE_KEY,
+        json.dumps(
+            {
+                "latest": latest_tag,
+                "release_notes_url": release.get("html_url"),
+                "checked_at": datetime.now(timezone.utc).isoformat(),
+            }
+        ),
+    )
+
+    current = _current_version()
+    if latest_tag == current:
+        return
+    if _redis_get_str(UPDATE_NOTIFIED_KEY) == latest_tag:
+        return
+
+    try:
+        auto_apply = ConfigManager.get_config("AUTO_APPLY_PATCH_UPDATES", False)
+    except Exception:
+        auto_apply = False
+
+    if auto_apply and _is_patch_bump(current, latest_tag):
+        logger.info(f"auto-applying patch update {current} -> {latest_tag}")
+        try:
+            subprocess.run(
+                ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"],
+                check=True,
+                timeout=10,
+            )
+            rds.set(UPDATE_NOTIFIED_KEY, latest_tag)
+            return
+        except Exception as e:
+            logger.warning(f"auto-apply failed, falling back to notification: {e}")
+
+    Notification.create_for_admins(
+        title=f"Update available: {latest_tag}",
+        message=f"A new Bayanat release is available. {release.get('html_url', '')}",
+        category=Constants.NotificationCategories.UPDATE.value,
+    )
+    rds.set(UPDATE_NOTIFIED_KEY, latest_tag)
+
 
 @celery.task
 def activity_cleanup_cron() -> None:
diff --git a/tests/test_update_check.py b/tests/test_update_check.py
new file mode 100644
index 000000000..f328e4821
--- /dev/null
+++ b/tests/test_update_check.py
@@ -0,0 +1,28 @@
+from enferno.tasks.maintenance import _strip_v, _is_patch_bump
+
+
+def test_strip_v_prefix():
+    assert _strip_v("v4.1.0") == "4.1.0"
+    assert _strip_v("4.1.0") == "4.1.0"
+    assert _strip_v("") == ""
+
+
+def test_is_patch_bump_true():
+    assert _is_patch_bump("4.1.0", "4.1.1") is True
+    assert _is_patch_bump("4.1.2", "4.1.10") is True
+
+
+def test_is_patch_bump_false_for_minor():
+    assert _is_patch_bump("4.1.0", "4.2.0") is False
+
+
+def test_is_patch_bump_false_for_major():
+    assert _is_patch_bump("4.1.0", "5.0.0") is False
+
+
+def test_is_patch_bump_false_for_same():
+    assert _is_patch_bump("4.1.0", "4.1.0") is False
+
+
+def test_is_patch_bump_false_for_downgrade():
+    assert _is_patch_bump("4.1.5", "4.1.3") is False

From 639c6fa63a7c8ad4f9a0c7ef86af1e14bec6c6b7 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:33:15 +0200
Subject: [PATCH 18/37] feat(api): admin endpoints for update availability,
 start, and status

---
 enferno/admin/views/system.py  | 81 ++++++++++++++++++++++++++++++++++
 tests/test_update_endpoints.py | 78 ++++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
 create mode 100644 tests/test_update_endpoints.py

diff --git a/enferno/admin/views/system.py b/enferno/admin/views/system.py
index 5496f1db9..c217aea96 100644
--- a/enferno/admin/views/system.py
+++ b/enferno/admin/views/system.py
@@ -184,3 +184,84 @@ def get_data(table: str) -> list[dict[str, Any]] | list[dict[str, dict[str, Any
         return [{"en": item.title, "tr": item.title_tr or ""} for item in items]
 
     return None
+
+
+import json
+import subprocess
+from pathlib import Path
+
+from enferno.extensions import rds
+from enferno.tasks.maintenance import UPDATE_CACHE_KEY, _current_version
+
+UPDATE_STATE_FILE = "/opt/bayanat/state/update.json"
+TERMINAL_PHASES = {"SUCCESS", "ROLLED_BACK", "NEEDS_INTERVENTION", "IDLE"}
+
+
+def _idle_status(current):
+    return {
+        "phase": "IDLE",
+        "phase_label": "No update in progress",
+        "running": False,
+        "target": None,
+        "previous": None,
+        "snapshot": None,
+        "started_at": None,
+        "updated_at": None,
+        "progress_text": None,
+        "error": None,
+        "current": current,
+    }
+
+
+@admin.get("/api/updates/available")
+@roles_required("Admin")
+def api_updates_available() -> Response:
+    """Return the latest cached GitHub release info."""
+    raw = rds.get(UPDATE_CACHE_KEY)
+    cached = {}
+    if raw:
+        try:
+            cached = json.loads(raw.decode() if isinstance(raw, (bytes, bytearray)) else raw)
+        except Exception:
+            cached = {}
+    payload = {
+        "current": _current_version(),
+        "latest": cached.get("latest"),
+        "release_notes_url": cached.get("release_notes_url"),
+        "checked_at": cached.get("checked_at"),
+    }
+    return HTTPResponse.success(data=payload)
+
+
+@admin.post("/api/updates/start")
+@roles_required("Admin")
+def api_updates_start() -> Response:
+    """Launch `bayanat update` out-of-process via the sudoers-granted wrapper."""
+    try:
+        subprocess.run(
+            ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"],
+            check=True,
+            timeout=10,
+        )
+    except subprocess.TimeoutExpired:
+        return HTTPResponse.error("Update start timed out", status=504)
+    except subprocess.CalledProcessError as e:
+        return HTTPResponse.error(f"Failed to start update: {e}", status=500)
+    return HTTPResponse.success(data={"status": "started"})
+
+
+@admin.get("/api/updates/status")
+@roles_required("Admin")
+def api_updates_status() -> Response:
+    """Return the current update state (from the CLI-written JSON file)."""
+    current = _current_version()
+    path = Path(UPDATE_STATE_FILE)
+    if not path.exists():
+        return HTTPResponse.success(data=_idle_status(current))
+    try:
+        state = json.loads(path.read_text())
+    except Exception:
+        return HTTPResponse.success(data=_idle_status(current))
+    state["running"] = state.get("phase") not in TERMINAL_PHASES
+    state["current"] = current
+    return HTTPResponse.success(data=state)
diff --git a/tests/test_update_endpoints.py b/tests/test_update_endpoints.py
new file mode 100644
index 000000000..71bd82aa1
--- /dev/null
+++ b/tests/test_update_endpoints.py
@@ -0,0 +1,78 @@
+import json
+from unittest.mock import patch
+
+
+def test_available_returns_cached(admin_client):
+    from enferno.extensions import rds
+
+    rds.set(
+        "bayanat:update:available",
+        json.dumps(
+            {
+                "latest": "4.1.1",
+                "release_notes_url": "https://example.com",
+                "checked_at": "2026-04-16T00:00:00+00:00",
+            }
+        ),
+    )
+    resp = admin_client.get("/admin/api/updates/available")
+    assert resp.status_code == 200
+    data = resp.get_json()["data"]
+    assert data["latest"] == "4.1.1"
+    assert data["release_notes_url"] == "https://example.com"
+
+
+def test_available_returns_empty_when_no_cache(admin_client):
+    from enferno.extensions import rds
+
+    rds.delete("bayanat:update:available")
+    resp = admin_client.get("/admin/api/updates/available")
+    assert resp.status_code == 200
+    data = resp.get_json()["data"]
+    assert data["latest"] is None
+
+
+def test_status_idle_when_no_state_file(admin_client, tmp_path, monkeypatch):
+    monkeypatch.setattr(
+        "enferno.admin.views.system.UPDATE_STATE_FILE",
+        str(tmp_path / "missing.json"),
+    )
+    resp = admin_client.get("/admin/api/updates/status")
+    assert resp.status_code == 200
+    data = resp.get_json()["data"]
+    assert data["phase"] == "IDLE"
+    assert data["running"] is False
+
+
+def test_status_running_when_midway(admin_client, tmp_path, monkeypatch):
+    state = tmp_path / "update.json"
+    state.write_text(json.dumps({"phase": "MIGRATE", "target": "4.1.1"}))
+    monkeypatch.setattr("enferno.admin.views.system.UPDATE_STATE_FILE", str(state))
+    resp = admin_client.get("/admin/api/updates/status")
+    data = resp.get_json()["data"]
+    assert data["phase"] == "MIGRATE"
+    assert data["running"] is True
+
+
+def test_status_terminal_when_success(admin_client, tmp_path, monkeypatch):
+    state = tmp_path / "update.json"
+    state.write_text(json.dumps({"phase": "SUCCESS", "target": "4.1.1"}))
+    monkeypatch.setattr("enferno.admin.views.system.UPDATE_STATE_FILE", str(state))
+    resp = admin_client.get("/admin/api/updates/status")
+    data = resp.get_json()["data"]
+    assert data["running"] is False
+
+
+def test_start_calls_wrapper(admin_client):
+    with patch("enferno.admin.views.system.subprocess.run") as run:
+        resp = admin_client.post("/admin/api/updates/start")
+        assert resp.status_code == 200
+        run.assert_called_once()
+        args = run.call_args.args[0]
+        assert args == ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"]
+
+
+def test_non_admin_cannot_start(da_client):
+    resp = da_client.post("/admin/api/updates/start")
+    # roles_required returns 403 (Forbidden) for wrong-role users
+    assert resp.status_code in (401, 403)

From a928922deb47e27c9aa6752d850765d3fade3281 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:37:20 +0200
Subject: [PATCH 19/37] feat(ui): UpdateBanner and UpdateProgressDialog
 components

Adds nav-bar chip that polls /admin/api/updates/available every 6h and
shows a confirm dialog to trigger an update. Adds polling progress dialog
that opens on update-started event and tracks /admin/api/updates/status
at 2s intervals until the run completes.
---
 enferno/admin/templates/nav-bar.html          |  2 +
 enferno/static/js/components/UpdateBanner.js  | 89 +++++++++++++++++
 .../js/components/UpdateProgressDialog.js     | 98 +++++++++++++++++++
 enferno/static/js/mixins/global-mixin.js      |  2 +
 enferno/templates/layout.html                 |  2 +
 5 files changed, 193 insertions(+)
 create mode 100644 enferno/static/js/components/UpdateBanner.js
 create mode 100644 enferno/static/js/components/UpdateProgressDialog.js

diff --git a/enferno/admin/templates/nav-bar.html b/enferno/admin/templates/nav-bar.html
index 3a724aae3..a6be982fd 100644
--- a/enferno/admin/templates/nav-bar.html
+++ b/enferno/admin/templates/nav-bar.html
@@ -11,6 +11,8 @@
   <v-spacer></v-spacer>
 
   <template v-slot:append>
+    <update-banner @update-started="$refs.progressDialog && $refs.progressDialog.open()"></update-banner>
+    <update-progress-dialog ref="progressDialog"></update-progress-dialog>
     {% if config.OCR_PROVIDER == 'google_vision' %}
     <v-tooltip location="bottom">
       <template v-slot:activator="{ props }">
diff --git a/enferno/static/js/components/UpdateBanner.js b/enferno/static/js/components/UpdateBanner.js
new file mode 100644
index 000000000..983979de0
--- /dev/null
+++ b/enferno/static/js/components/UpdateBanner.js
@@ -0,0 +1,89 @@
+const UpdateBanner = Vue.defineComponent({
+  data() {
+    return {
+      current: null,
+      latest: null,
+      releaseNotesUrl: null,
+      dialog: false,
+      starting: false,
+    };
+  },
+  computed: {
+    hasUpdate() {
+      return !!(this.latest && this.current && this.latest !== this.current);
+    },
+  },
+  mounted() {
+    this.fetchAvailable();
+    this.pollTimer = setInterval(this.fetchAvailable, 6 * 60 * 60 * 1000);
+  },
+  beforeUnmount() {
+    if (this.pollTimer) clearInterval(this.pollTimer);
+  },
+  methods: {
+    async fetchAvailable() {
+      try {
+        const resp = await axios.get('/admin/api/updates/available');
+        const data = resp?.data?.data ?? {};
+        this.current = data.current ?? null;
+        this.latest = data.latest ?? null;
+        this.releaseNotesUrl = data.release_notes_url ?? null;
+      } catch (_e) {
+        // silent: background poll should never spam the UI
+      }
+    },
+    async startUpdate() {
+      this.starting = true;
+      try {
+        await axios.post('/admin/api/updates/start');
+        this.dialog = false;
+        this.$emit('update-started');
+      } catch (e) {
+        const msg = (e?.response?.data?.message) || 'Failed to start update';
+        if (this.$root && typeof this.$root.showSnack === 'function') {
+          this.$root.showSnack(msg, 'error');
+        } else {
+          console.error(msg);
+        }
+      } finally {
+        this.starting = false;
+      }
+    },
+  },
+  template: `
+    <v-chip
+      v-if="hasUpdate"
+      color="amber-accent-4"
+      variant="elevated"
+      prepend-icon="mdi-arrow-up-bold-circle"
+      @click="dialog = true"
+      class="ms-2 me-2"
+    >
+      Update available: {{ latest }}
+      <v-dialog v-model="dialog" max-width="520">
+        <v-card>
+          <v-card-title>Update Bayanat to {{ latest }}</v-card-title>
+          <v-card-text>
+            <p>Current: <strong>{{ current }}</strong></p>
+            <p>Target: <strong>{{ latest }}</strong></p>
+            <p v-if="releaseNotesUrl">
+              <a :href="releaseNotesUrl" target="_blank" rel="noopener">Release notes</a>
+            </p>
+            <v-alert type="info" variant="tonal" density="compact" class="mt-3">
+              The update will take about 60 seconds. The app will be briefly
+              unavailable. A pre-update database snapshot will be taken
+              automatically.
+            </v-alert>
+          </v-card-text>
+          <v-card-actions>
+            <v-spacer />
+            <v-btn variant="text" @click="dialog = false">Cancel</v-btn>
+            <v-btn color="primary" :loading="starting" @click="startUpdate">
+              Update now
+            </v-btn>
+          </v-card-actions>
+        </v-card>
+      </v-dialog>
+    </v-chip>
+  `,
+});
diff --git a/enferno/static/js/components/UpdateProgressDialog.js b/enferno/static/js/components/UpdateProgressDialog.js
new file mode 100644
index 000000000..590512612
--- /dev/null
+++ b/enferno/static/js/components/UpdateProgressDialog.js
@@ -0,0 +1,98 @@
+const UpdateProgressDialog = Vue.defineComponent({
+  data() {
+    return {
+      open_: false,
+      state: null,
+      timer: null,
+    };
+  },
+  methods: {
+    open() {
+      this.open_ = true;
+      this.poll();
+    },
+    close() {
+      this.open_ = false;
+      if (this.timer) {
+        clearInterval(this.timer);
+        this.timer = null;
+      }
+    },
+    async poll() {
+      await this.fetchState();
+      if (this.timer) clearInterval(this.timer);
+      this.timer = setInterval(this.fetchState, 2000);
+    },
+    async fetchState() {
+      try {
+        const resp = await axios.get('/admin/api/updates/status');
+        const data = resp?.data?.data ?? {};
+        this.state = data;
+        if (!data.running) {
+          if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+          }
+        }
+      } catch (_e) {
+        // tolerate transient errors; dialog stays visible
+      }
+    },
+    phaseColor() {
+      const phase = (this.state && this.state.phase) || 'IDLE';
+      if (phase === 'SUCCESS') return 'success';
+      if (phase === 'ROLLED_BACK') return 'warning';
+      if (phase === 'NEEDS_INTERVENTION') return 'error';
+      return 'primary';
+    },
+  },
+  beforeUnmount() {
+    if (this.timer) clearInterval(this.timer);
+  },
+  template: `
+    <v-dialog v-model="open_" max-width="520" persistent>
+      <v-card v-if="state">
+        <v-card-title>
+          <v-icon :color="phaseColor()" class="me-2">mdi-autorenew</v-icon>
+          {{ state.phase_label || state.phase }}
+        </v-card-title>
+        <v-card-text>
+          <p v-if="state.target"><strong>Target:</strong> {{ state.target }}</p>
+          <p v-if="state.previous"><strong>Previous:</strong> {{ state.previous }}</p>
+          <v-progress-linear
+            v-if="state.running"
+            indeterminate
+            :color="phaseColor()"
+            class="my-3"
+          />
+          <p v-if="state.progress_text" class="text-body-2">
+            {{ state.progress_text }}
+          </p>
+          <v-alert
+            v-if="state.error"
+            type="error"
+            variant="tonal"
+            density="compact"
+            class="mt-2"
+          >
+            {{ state.error }}
+          </v-alert>
+          <v-alert
+            v-if="state.phase === 'NEEDS_INTERVENTION'"
+            type="error"
+            variant="tonal"
+            class="mt-2"
+          >
+            Operator intervention required. Snapshot:
+            <code>{{ state.snapshot }}</code>. See the update runbook for
+            recovery steps.
+          </v-alert>
+        </v-card-text>
+        <v-card-actions>
+          <v-spacer />
+          <v-btn @click="close" :disabled="state.running">Close</v-btn>
+        </v-card-actions>
+      </v-card>
+    </v-dialog>
+  `,
+});
diff --git a/enferno/static/js/mixins/global-mixin.js b/enferno/static/js/mixins/global-mixin.js
index 622715595..d203bd4e8 100644
--- a/enferno/static/js/mixins/global-mixin.js
+++ b/enferno/static/js/mixins/global-mixin.js
@@ -4,6 +4,8 @@ const globalMixin = {
     'ConfirmDialog': ConfirmDialog,
     'Toast': Toast,
     'ProfileDropdown': ProfileDropdown,
+    'UpdateBanner': UpdateBanner,
+    'UpdateProgressDialog': UpdateProgressDialog,
   },
   data: () => ({
     snackbar: false,
diff --git a/enferno/templates/layout.html b/enferno/templates/layout.html
index 8df04455f..e701bb1d5 100644
--- a/enferno/templates/layout.html
+++ b/enferno/templates/layout.html
@@ -133,6 +133,8 @@
     {%  include 'admin/jsapi.jinja2' %}
 </script>
 <script src="/static/js/components/ProfileDropdown.js"></script>
+<script src="/static/js/components/UpdateBanner.js"></script>
+<script src="/static/js/components/UpdateProgressDialog.js"></script>
 <script src="/static/js/components/NotificationsList.js"></script>
 <script src="/static/js/components/ConfirmDialog.js"></script>
 <script src="/static/js/components/Toast.js"></script>

From c2d9b217030c1d21b4716e0b749ac647f2dd53e3 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:39:24 +0200
Subject: [PATCH 20/37] feat(ui): snapshots list page (read-only)

---
 enferno/admin/templates/admin/snapshots.html  | 28 +++++++++++
 enferno/admin/views/system.py                 | 32 ++++++++++++
 enferno/static/js/components/SnapshotsList.js | 49 +++++++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 enferno/admin/templates/admin/snapshots.html
 create mode 100644 enferno/static/js/components/SnapshotsList.js

diff --git a/enferno/admin/templates/admin/snapshots.html b/enferno/admin/templates/admin/snapshots.html
new file mode 100644
index 000000000..71d82847f
--- /dev/null
+++ b/enferno/admin/templates/admin/snapshots.html
@@ -0,0 +1,28 @@
+{% extends 'layout.html' %} {% block content %}
+
+    <v-main>
+        <v-container fluid>
+            <snapshots-list></snapshots-list>
+        </v-container>
+    </v-main>
+
+{% endblock %} {% block js %}
+    <script src="/static/js/components/SnapshotsList.js?v=1"></script>
+    <script nonce="{{ csp_nonce() }}">
+        const {createApp} = Vue;
+        const {createVuetify} = Vuetify;
+        const vuetify = createVuetify(vuetifyConfig);
+
+        const app = createApp({
+            delimiters: delimiters,
+            mixins: [globalMixin],
+            data: () => ({}),
+        });
+        app.component('SnapshotsList', SnapshotsList);
+        app.use(router).use(vuetify);
+        router.isReady().then(() => {
+            app.mount('#app');
+            window.app = app;
+        });
+    </script>
+{% endblock %}
diff --git a/enferno/admin/views/system.py b/enferno/admin/views/system.py
index c217aea96..7b743e3a1 100644
--- a/enferno/admin/views/system.py
+++ b/enferno/admin/views/system.py
@@ -250,6 +250,38 @@ def api_updates_start() -> Response:
     return HTTPResponse.success(data={"status": "started"})
 
 
+@admin.get("/snapshots/")
+@auth_required(within=15, grace=0)
+@roles_required("Admin")
+def snapshots_page() -> str:
+    """Render the snapshots list page."""
+    return render_template("admin/snapshots.html")
+
+
+@admin.get("/api/snapshots/")
+@roles_required("Admin")
+def api_snapshots() -> Response:
+    """List pre-update snapshots by shelling `bayanat snapshots`."""
+    try:
+        out = subprocess.run(
+            ["sudo", "-n", "/usr/local/bin/bayanat", "snapshots"],
+            check=True,
+            capture_output=True,
+            text=True,
+            timeout=5,
+        ).stdout
+    except subprocess.TimeoutExpired:
+        return HTTPResponse.error("Listing snapshots timed out", status=504)
+    except subprocess.CalledProcessError as e:
+        return HTTPResponse.error(f"Failed to list snapshots: {e}", status=500)
+    items = []
+    for line in out.strip().splitlines()[1:]:  # skip header row
+        parts = line.split()
+        if len(parts) >= 3:
+            items.append({"name": parts[0], "size": parts[1], "age": parts[2]})
+    return HTTPResponse.success(data=items)
+
+
 @admin.get("/api/updates/status")
 @roles_required("Admin")
 def api_updates_status() -> Response:
diff --git a/enferno/static/js/components/SnapshotsList.js b/enferno/static/js/components/SnapshotsList.js
new file mode 100644
index 000000000..018f3267c
--- /dev/null
+++ b/enferno/static/js/components/SnapshotsList.js
@@ -0,0 +1,49 @@
+const SnapshotsList = Vue.defineComponent({
+  data() {
+    return {
+      items: [],
+      loading: false,
+    };
+  },
+  mounted() {
+    this.load();
+  },
+  methods: {
+    async load() {
+      this.loading = true;
+      try {
+        const resp = await axios.get('/admin/api/snapshots/');
+        this.items = resp?.data?.data ?? [];
+      } catch (_e) {
+        this.items = [];
+      } finally {
+        this.loading = false;
+      }
+    },
+  },
+  template: `
+    <v-card>
+      <v-card-title>
+        Pre-update Snapshots
+        <v-spacer />
+        <v-btn icon="mdi-refresh" variant="text" @click="load" :loading="loading"></v-btn>
+      </v-card-title>
+      <v-card-text>
+        <v-alert type="info" variant="tonal" density="compact" class="mb-3">
+          Restore is CLI-only for safety. SSH to the server and run
+          <code>sudo -u bayanat bayanat restore &lt;name&gt;</code>.
+        </v-alert>
+        <v-data-table
+          :items="items"
+          :headers="[
+            { title: 'Name', key: 'name' },
+            { title: 'Size', key: 'size' },
+            { title: 'Age', key: 'age' }
+          ]"
+          :loading="loading"
+          no-data-text="No snapshots available yet."
+        ></v-data-table>
+      </v-card-text>
+    </v-card>
+  `,
+});

From d4e07cda1604f32c0620b71f257ea8f3d17ece70 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:40:16 +0200
Subject: [PATCH 21/37] docs: operator runbook for bayanat update

---
 docs/deployment/auto-update-runbook.md | 124 +++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 docs/deployment/auto-update-runbook.md

diff --git a/docs/deployment/auto-update-runbook.md b/docs/deployment/auto-update-runbook.md
new file mode 100644
index 000000000..e7d49a756
--- /dev/null
+++ b/docs/deployment/auto-update-runbook.md
@@ -0,0 +1,124 @@
+# Bayanat Auto-Update Runbook
+
+Short operator reference for the `bayanat update` flow. Design notes live
+in the development spec (not shipped with the repo).
+
+## Triggering an update
+
+- **One-click from UI:** an admin-role user clicks "Update now" from the
+  "Update available: X.Y.Z" banner in the nav bar.
+- **From the shell:** `sudo -u bayanat bayanat update [<tag>]`
+  (defaults to the latest GitHub release).
+- **Check only (no changes):** `sudo -u bayanat bayanat update --check`.
+
+The update runs as `bayanat-update.service`, a transient systemd unit
+that outlives Flask restarts, SSH disconnects, and browser closes. Tail
+live logs with:
+
+```
+sudo journalctl -u bayanat-update -f
+```
+
+## Opt-in auto-apply for patch releases
+
+In the admin UI under System Administration, toggle "Auto-apply patch
+releases" on. With the toggle on, any bump within the same minor line
+(e.g. `4.1.0` to `4.1.1`) installs silently every 6 hours via the same
+pipeline. Minor and major bumps (e.g. `4.1.x` to `4.2.0`) always notify
+and wait for a manual click.
+
+## Expected timing
+
+| Phase | Duration | Production impact |
+|---|---|---|
+| PREPARE (fetch + deps) | 1-5 min | None, old version serves traffic |
+| Stop services | ~3 s | 502 from Caddy begins |
+| Snapshot (`pg_dump -Fc`) | 10-60 s | 502 |
+| Migrate (`flask db upgrade`) | 1-30 s | 502 |
+| Swap + start services | ~5 s | 502 |
+| Verify (health probe) | 1-10 s | New version serving |
+| **Total visible downtime** | **~30-90 s** | |
+
+Caddy returns `502 Bad Gateway` during the maintenance window. Browsers
+retry automatically; partners see a brief "service unavailable" view.
+
+## If something goes wrong
+
+### Migration failed (Alembic transaction rolled back)
+
+Nothing to do. Services restart on the previous release automatically.
+The UI shows the `error` field. Report the broken release; the previous
+version keeps running.
+
+### Health probe failed after swap (auto-rollback succeeded)
+
+Nothing to do. The updater reverted the symlink and restarted on the
+previous release. The pre-update snapshot is retained at
+`/opt/bayanat/shared/backups/`.
+
+### NEEDS_INTERVENTION
+
+This state only happens when two independent failures compound: the new
+release was broken AND rolling back did not reach a healthy state. The
+maintenance flag stays up so users see a 502 instead of raw errors.
+Recover:
+
+```
+sudo -u bayanat bayanat status                   # confirm state
+sudo -u bayanat bayanat snapshots                # list snapshots
+sudo -u bayanat bayanat restore pre-<ts>.dump    # restores DB
+sudo systemctl start bayanat bayanat-celery
+```
+
+Then file a bug with journal logs from `journalctl -u bayanat-update`.
+
+### Stuck state (process died, state file orphaned)
+
+```
+sudo -u bayanat bayanat update --recover
+```
+
+## Snapshots
+
+- Location: `/opt/bayanat/shared/backups/pre-*.dump`
+- Format: `pg_dump -Fc` (PostgreSQL custom format)
+- Retention: last 5 snapshots OR last 30 days, whichever is greater
+- Override retention: `export BAYANAT_SNAPSHOT_RETENTION_DAYS=60`
+- List: `sudo -u bayanat bayanat snapshots` or visit
+  `/admin/snapshots/` in the UI (read-only)
+- Restore: `sudo -u bayanat bayanat restore <name>` (prompts for
+  confirmation; stops services; pipes through `pg_restore --clean
+  --if-exists`; restarts services). Not available from the web UI by
+  design.
+
+## Files
+
+| Path | Purpose |
+|---|---|
+| `/usr/local/bin/bayanat` | The CLI script |
+| `/usr/local/sbin/bayanat-start-update` | Root wrapper the UI invokes via sudo |
+| `/etc/sudoers.d/bayanat` | Granted commands for the `bayanat` user |
+| `/opt/bayanat/state/update.json` | Current update state (sanitized JSON) |
+| `/opt/bayanat/state/update.lock` | PID lock file |
+| `/opt/bayanat/shared/backups/` | Pre-update snapshots |
+| `/health` (Flask endpoint) | 200 = DB + Redis reachable |
+
+## Admin UI surface
+
+- Nav-bar banner chip: shows when `latest != current`
+- Progress dialog: polls `/admin/api/updates/status` every 2 s during an
+  active update
+- Settings toggle: System Administration -> "Auto-apply patch releases"
+- Snapshots page: `/admin/snapshots/` (read-only list; restore stays on
+  the CLI)
+
+## Manual CLI reference
+
+```
+bayanat update [<tag>]       # default: latest GitHub release
+bayanat update --check       # show current vs latest; no changes
+bayanat update --recover     # recover a stuck state file
+bayanat snapshots            # list pre-update snapshots
+bayanat restore <name>       # interactive restore from a snapshot
+bayanat status               # version + services + update state
+```

From a6e7235ebe6687503b6162389dfc0dd0f9ac36a1 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:46:05 +0200
Subject: [PATCH 22/37] fix(cli): recover mid-phase crashes and escalate
 snapshot failures

---
 bayanat | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/bayanat b/bayanat
index bc48222b3..7100faee7 100755
--- a/bayanat
+++ b/bayanat
@@ -302,6 +302,20 @@ recover_state() {
             prev=$(read_field previous || true)
             die "Operator intervention required. Snapshot: $snap  Previous tag: $prev  See: sudo -u $APP_USER bayanat snapshots"
             ;;
+        MIGRATE|SWITCH|ROLLBACK)
+            log "Recovery: $phase — attempting to restart services"
+            systemctl start bayanat bayanat-celery 2>/dev/null || true
+            if _wait_healthy 60; then
+                warn "Services healthy but update was interrupted mid-$phase"
+                warn "DB schema state is uncertain; re-run 'bayanat update' to finish"
+                clear_state
+                release_lock
+            else
+                export STATE_ERROR_JSON="\"interrupted during $phase; services unhealthy\""
+                write_state NEEDS_INTERVENTION "Update interrupted mid-$phase; manual recovery required"
+                exit 2
+            fi
+            ;;
         *)
             warn "Unknown phase '$phase' — clearing and starting fresh"
             clear_state
@@ -412,7 +426,13 @@ do_migrate() {
     export STATE_PROGRESS="Taking pre-update snapshot"
     write_state MIGRATE "Taking pre-update snapshot"
     export STATE_SNAPSHOT
-    STATE_SNAPSHOT=$(snapshot_pg_dump "$prev" "$target")
+    if ! STATE_SNAPSHOT=$(snapshot_pg_dump "$prev" "$target"); then
+        export STATE_ERROR_JSON='"snapshot failed"'
+        write_state NEEDS_INTERVENTION "Pre-update snapshot failed; check backups disk and pg_dump"
+        systemctl start bayanat bayanat-celery || true
+        release_lock
+        exit 2
+    fi
     log "MIGRATE: running migrations"
     export STATE_PROGRESS="Running migrations"
     write_state MIGRATE "Running migrations"

From 0dc7af020ffe00f72f1e6ae18f26a7b9995f23da Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 00:46:17 +0200
Subject: [PATCH 23/37] fix(cli): clean up leaked .partial snapshot files
 during retention prune

---
 bayanat | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bayanat b/bayanat
index 7100faee7..789cf7b1b 100755
--- a/bayanat
+++ b/bayanat
@@ -128,6 +128,8 @@ prune_snapshots() {
     # $SNAPSHOT_RETENTION_DAYS days, whichever is greater.
     local backups="$SHARED_DIR/backups"
     [[ -d "$backups" ]] || return 0
+    # Sweep any leaked .partial snapshot files from interrupted dumps
+    rm -f "$backups"/*.dump.partial 2>/dev/null || true
     local cutoff_epoch
     cutoff_epoch=$(date -d "-${SNAPSHOT_RETENTION_DAYS} days" +%s 2>/dev/null \
         || date -v-"${SNAPSHOT_RETENTION_DAYS}"d +%s)

From 5781cf5a93465531af9b0c56632080d3ff4a9750 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 11:49:00 +0200
Subject: [PATCH 24/37] fix(cli): preserve v-prefix on git tags; strip only for
 comparison

---
 bayanat | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/bayanat b/bayanat
index 789cf7b1b..d79f47e35 100755
--- a/bayanat
+++ b/bayanat
@@ -887,10 +887,10 @@ cmd_update() {
         --check)
             local cur latest
             cur=$(current_version || echo "not installed")
-            latest=$(latest_remote_tag | sed 's/^v//')
+            latest=$(latest_remote_tag)
             echo "current: $cur"
             echo "latest:  $latest"
-            if [[ "$cur" == "$latest" ]]; then
+            if [[ "${cur#v}" == "${latest#v}" ]]; then
                 echo "up to date"
             else
                 echo "update available"
@@ -907,10 +907,11 @@ cmd_update() {
     recover_state
     local target="${1:-}"
     if [[ -z "$target" ]]; then
-        target=$(latest_remote_tag | sed 's/^v//')
-    else
-        target="${target#v}"
+        target=$(latest_remote_tag)
     fi
+    # Keep $target verbatim. Tags and release dir names use the v-prefix form
+    # (e.g. v4.0.0), matching the installer's convention in _clone_release and
+    # _link_shared. Stripping is only for display / comparison.
     do_prepare "$target"
     do_migrate
     do_switch_verify

From 6d7814f0822d2ef05bbf7adb89227e7b8468b7c2 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 11:50:22 +0200
Subject: [PATCH 25/37] fix(cli): generate POSTGRES_* in .env + add fallback
 defaults in pg helpers

---
 bayanat | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/bayanat b/bayanat
index d79f47e35..357439269 100755
--- a/bayanat
+++ b/bayanat
@@ -115,9 +115,9 @@ snapshot_pg_dump() {
             pg_dump -Fc \
                 -h "${POSTGRES_HOST:-localhost}" \
                 -p "${POSTGRES_PORT:-5432}" \
-                -U "$POSTGRES_USER" \
+                -U "${POSTGRES_USER:-$APP_USER}" \
                 -f "$partial" \
-                "$POSTGRES_DB"
+                "${POSTGRES_DB:-$APP_USER}"
     )
     mv -Tf "$partial" "$final"
     echo "$name"
@@ -177,8 +177,8 @@ restore_pg() {
             pg_restore --clean --if-exists \
                 -h "${POSTGRES_HOST:-localhost}" \
                 -p "${POSTGRES_PORT:-5432}" \
-                -U "$POSTGRES_USER" \
-                -d "$POSTGRES_DB" \
+                -U "${POSTGRES_USER:-$APP_USER}" \
+                -d "${POSTGRES_DB:-$APP_USER}" \
                 "$path"
     ); then
         systemctl start bayanat bayanat-celery
@@ -340,7 +340,7 @@ _db_ping() {
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
             psql -h "${POSTGRES_HOST:-localhost}" \
-                 -U "$POSTGRES_USER" -d "$POSTGRES_DB" \
+                 -U "${POSTGRES_USER:-$APP_USER}" -d "${POSTGRES_DB:-$APP_USER}" \
                  -c 'SELECT 1' -t >/dev/null 2>&1
     )
 }
@@ -375,7 +375,7 @@ update_preflight() {
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
             psql -h "${POSTGRES_HOST:-localhost}" \
-                 -U "$POSTGRES_USER" -d "$POSTGRES_DB" \
+                 -U "${POSTGRES_USER:-$APP_USER}" -d "${POSTGRES_DB:-$APP_USER}" \
                  -c 'SHOW server_version_num' -t 2>/dev/null \
                  | tr -d ' ' | cut -c1-2
     )
@@ -627,6 +627,12 @@ FORCE_HTTPS=$force_https
 
 LOG_DIR=$LOGS_DIR
 BACKUPS_LOCAL_PATH=$SHARED_DIR/backups
+
+POSTGRES_HOST=localhost
+POSTGRES_PORT=5432
+POSTGRES_USER=$APP_USER
+POSTGRES_PASSWORD=
+POSTGRES_DB=$APP_USER
 EOF
 }
 

From 4ffa99f9bc81cd67f38925265e2139eef5050d94 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 11:55:23 +0200
Subject: [PATCH 26/37] fix(tasks): read AUTO_APPLY_PATCH_UPDATES via
 settings.Config + wire through serialize/validation

---
 enferno/admin/validation/models.py |  1 +
 enferno/settings.py                |  4 ++
 enferno/tasks/maintenance.py       |  6 +--
 enferno/utils/config_utils.py      |  1 +
 tests/test_update_check.py         | 68 ++++++++++++++++++++++++++++++
 5 files changed, 75 insertions(+), 5 deletions(-)

diff --git a/enferno/admin/validation/models.py b/enferno/admin/validation/models.py
index d67dabc44..65057f6e2 100644
--- a/enferno/admin/validation/models.py
+++ b/enferno/admin/validation/models.py
@@ -1902,6 +1902,7 @@ class FullConfigValidationModel(ConfigValidationModel):
     SECURITY_FRESHNESS: int = Field(gt=0)
     SECURITY_FRESHNESS_GRACE_PERIOD: int = Field(ge=0)
     DISABLE_MULTIPLE_SESSIONS: bool
+    AUTO_APPLY_PATCH_UPDATES: bool = False
     RECAPTCHA_ENABLED: bool
     RECAPTCHA_PUBLIC_KEY: Optional[str] = None
     RECAPTCHA_PRIVATE_KEY: Optional[str] = None
diff --git a/enferno/settings.py b/enferno/settings.py
index 0cb2dca5e..c116bc6de 100644
--- a/enferno/settings.py
+++ b/enferno/settings.py
@@ -126,6 +126,10 @@ class Config(object):
     DISABLE_MULTIPLE_SESSIONS = manager.get_config("DISABLE_MULTIPLE_SESSIONS")
     SESSION_RETENTION_PERIOD = manager.get_config("SESSION_RETENTION_PERIOD")
 
+    # Auto-apply patch releases (e.g. 4.1.0 -> 4.1.1) in the background.
+    # Minor and major bumps always require manual approval regardless.
+    AUTO_APPLY_PATCH_UPDATES = manager.get_config("AUTO_APPLY_PATCH_UPDATES")
+
     # Recaptcha
     RECAPTCHA_ENABLED = manager.get_config("RECAPTCHA_ENABLED")
     RECAPTCHA_PUBLIC_KEY = manager.get_config("RECAPTCHA_PUBLIC_KEY")
diff --git a/enferno/tasks/maintenance.py b/enferno/tasks/maintenance.py
index 615687373..26da251e8 100644
--- a/enferno/tasks/maintenance.py
+++ b/enferno/tasks/maintenance.py
@@ -14,7 +14,6 @@
 from enferno.tasks import celery, cfg
 from enferno.user.models import Session
 from enferno.utils.backup_utils import pg_dump, upload_to_s3
-from enferno.utils.config_utils import ConfigManager
 from enferno.utils.date_helper import DateHelper
 from enferno.utils.logging_utils import get_logger
 
@@ -88,10 +87,7 @@ def check_for_updates():
     if _redis_get_str(UPDATE_NOTIFIED_KEY) == latest_tag:
         return
 
-    try:
-        auto_apply = ConfigManager.get_config("AUTO_APPLY_PATCH_UPDATES", False)
-    except Exception:
-        auto_apply = False
+    auto_apply = bool(getattr(cfg, "AUTO_APPLY_PATCH_UPDATES", False))
 
     if auto_apply and _is_patch_bump(current, latest_tag):
         logger.info(f"auto-applying patch update {current} -> {latest_tag}")
diff --git a/enferno/utils/config_utils.py b/enferno/utils/config_utils.py
index 7cd720ce8..4b999dce6 100644
--- a/enferno/utils/config_utils.py
+++ b/enferno/utils/config_utils.py
@@ -289,6 +289,7 @@ def serialize():
             "SECURITY_ZXCVBN_MINIMUM_SCORE": cfg.SECURITY_ZXCVBN_MINIMUM_SCORE,
             "DISABLE_MULTIPLE_SESSIONS": cfg.DISABLE_MULTIPLE_SESSIONS,
             "SESSION_RETENTION_PERIOD": cfg.SESSION_RETENTION_PERIOD,
+            "AUTO_APPLY_PATCH_UPDATES": cfg.AUTO_APPLY_PATCH_UPDATES,
             "RECAPTCHA_ENABLED": cfg.RECAPTCHA_ENABLED,
             "RECAPTCHA_PUBLIC_KEY": cfg.RECAPTCHA_PUBLIC_KEY,
             "RECAPTCHA_PRIVATE_KEY": ConfigManager.MASK_STRING if cfg.RECAPTCHA_PRIVATE_KEY else "",
diff --git a/tests/test_update_check.py b/tests/test_update_check.py
index f328e4821..be52edf8a 100644
--- a/tests/test_update_check.py
+++ b/tests/test_update_check.py
@@ -1,3 +1,5 @@
+from unittest.mock import MagicMock, patch
+
 from enferno.tasks.maintenance import _strip_v, _is_patch_bump
 
 
@@ -26,3 +28,69 @@ def test_is_patch_bump_false_for_same():
 
 def test_is_patch_bump_false_for_downgrade():
     assert _is_patch_bump("4.1.5", "4.1.3") is False
+
+
+def _github_response(tag):
+    return MagicMock(
+        raise_for_status=lambda: None,
+        json=lambda: {"tag_name": tag, "html_url": f"https://example/tag/{tag}"},
+    )
+
+
+def test_auto_apply_patch_triggers_wrapper_when_flag_on():
+    from enferno.tasks import maintenance
+
+    fake_redis = MagicMock()
+    fake_redis.get.return_value = None  # nothing notified yet
+    with (
+        patch.object(maintenance, "cfg", MagicMock(AUTO_APPLY_PATCH_UPDATES=True)),
+        patch.object(maintenance, "requests") as req,
+        patch.object(maintenance, "rds", fake_redis),
+        patch.object(maintenance, "subprocess") as sp,
+        patch.object(maintenance, "_current_version", return_value="4.1.0"),
+        patch.object(maintenance, "Notification") as notif,
+    ):
+        req.get.return_value = _github_response("v4.1.1")
+        maintenance.check_for_updates()
+        sp.run.assert_called_once()
+        args = sp.run.call_args.args[0]
+        assert args == ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"]
+        notif.create_for_admins.assert_not_called()
+
+
+def test_auto_apply_off_falls_back_to_notification():
+    from enferno.tasks import maintenance
+
+    fake_redis = MagicMock()
+    fake_redis.get.return_value = None
+    with (
+        patch.object(maintenance, "cfg", MagicMock(AUTO_APPLY_PATCH_UPDATES=False)),
+        patch.object(maintenance, "requests") as req,
+        patch.object(maintenance, "rds", fake_redis),
+        patch.object(maintenance, "subprocess") as sp,
+        patch.object(maintenance, "_current_version", return_value="4.1.0"),
+        patch.object(maintenance, "Notification") as notif,
+    ):
+        req.get.return_value = _github_response("v4.1.1")
+        maintenance.check_for_updates()
+        sp.run.assert_not_called()
+        notif.create_for_admins.assert_called_once()
+
+
+def test_auto_apply_on_but_minor_bump_still_notifies():
+    from enferno.tasks import maintenance
+
+    fake_redis = MagicMock()
+    fake_redis.get.return_value = None
+    with (
+        patch.object(maintenance, "cfg", MagicMock(AUTO_APPLY_PATCH_UPDATES=True)),
+        patch.object(maintenance, "requests") as req,
+        patch.object(maintenance, "rds", fake_redis),
+        patch.object(maintenance, "subprocess") as sp,
+        patch.object(maintenance, "_current_version", return_value="4.1.0"),
+        patch.object(maintenance, "Notification") as notif,
+    ):
+        req.get.return_value = _github_response("v4.2.0")
+        maintenance.check_for_updates()
+        sp.run.assert_not_called()
+        notif.create_for_admins.assert_called_once()

From 03bd58dfe02241501eaa8ea29b9ab0cf651e01da Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 11:56:46 +0200
Subject: [PATCH 27/37] docs(runbook): use sudo for update/snapshots/restore
 (require_root)

---
 docs/deployment/auto-update-runbook.md | 40 ++++++++++++++------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/docs/deployment/auto-update-runbook.md b/docs/deployment/auto-update-runbook.md
index e7d49a756..f6a598588 100644
--- a/docs/deployment/auto-update-runbook.md
+++ b/docs/deployment/auto-update-runbook.md
@@ -7,9 +7,10 @@ in the development spec (not shipped with the repo).
 
 - **One-click from UI:** an admin-role user clicks "Update now" from the
   "Update available: X.Y.Z" banner in the nav bar.
-- **From the shell:** `sudo -u bayanat bayanat update [<tag>]`
-  (defaults to the latest GitHub release).
-- **Check only (no changes):** `sudo -u bayanat bayanat update --check`.
+- **From the shell (as root):** `sudo bayanat update [<tag>]`
+  (defaults to the latest GitHub release). The CLI requires root to stop
+  / start services, write `/opt/bayanat`, and take snapshots.
+- **Check only (no changes, no root):** `sudo -u bayanat bayanat update --check`.
 
 The update runs as `bayanat-update.service`, a transient systemd unit
 that outlives Flask restarts, SSH disconnects, and browser closes. Tail
@@ -64,9 +65,9 @@ maintenance flag stays up so users see a 502 instead of raw errors.
 Recover:
 
 ```
-sudo -u bayanat bayanat status                   # confirm state
-sudo -u bayanat bayanat snapshots                # list snapshots
-sudo -u bayanat bayanat restore pre-<ts>.dump    # restores DB
+sudo -u bayanat bayanat status            # read-only; confirm state
+sudo bayanat snapshots                    # list snapshots (needs root)
+sudo bayanat restore pre-<ts>.dump        # restores DB (needs root)
 sudo systemctl start bayanat bayanat-celery
 ```
 
@@ -75,7 +76,7 @@ Then file a bug with journal logs from `journalctl -u bayanat-update`.
 ### Stuck state (process died, state file orphaned)
 
 ```
-sudo -u bayanat bayanat update --recover
+sudo bayanat update --recover
 ```
 
 ## Snapshots
@@ -84,11 +85,11 @@ sudo -u bayanat bayanat update --recover
 - Format: `pg_dump -Fc` (PostgreSQL custom format)
 - Retention: last 5 snapshots OR last 30 days, whichever is greater
 - Override retention: `export BAYANAT_SNAPSHOT_RETENTION_DAYS=60`
-- List: `sudo -u bayanat bayanat snapshots` or visit
-  `/admin/snapshots/` in the UI (read-only)
-- Restore: `sudo -u bayanat bayanat restore <name>` (prompts for
-  confirmation; stops services; pipes through `pg_restore --clean
-  --if-exists`; restarts services). Not available from the web UI by
+- List: `sudo bayanat snapshots` or visit `/admin/snapshots/` in the UI
+  (read-only)
+- Restore: `sudo bayanat restore <name>` (prompts for confirmation;
+  stops services; pipes through `pg_restore --clean --if-exists`;
+  restarts services). Requires root. Not available from the web UI by
   design.
 
 ## Files
@@ -114,11 +115,14 @@ sudo -u bayanat bayanat update --recover
 
 ## Manual CLI reference
 
+Commands marked `(root)` require `sudo bayanat ...`; the others can run
+as the app user via `sudo -u bayanat bayanat ...`.
+
 ```
-bayanat update [<tag>]       # default: latest GitHub release
-bayanat update --check       # show current vs latest; no changes
-bayanat update --recover     # recover a stuck state file
-bayanat snapshots            # list pre-update snapshots
-bayanat restore <name>       # interactive restore from a snapshot
-bayanat status               # version + services + update state
+bayanat update [<tag>]       (root)  default: latest GitHub release
+bayanat update --check               show current vs latest; no changes
+bayanat update --recover     (root)  recover a stuck state file
+bayanat snapshots            (root)  list pre-update snapshots
+bayanat restore <name>       (root)  interactive restore from a snapshot
+bayanat status                       version + services + update state
 ```

From b4d5e271e7c983e0bf7922ea82b14ed4d26b8c0d Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 12:23:16 +0200
Subject: [PATCH 28/37] fix(installer): use pg socket by default, self-install
 CLI to /usr/local/bin, exempt /health from setup redirect

---
 bayanat                | 22 +++++++++++++++++-----
 enferno/setup/views.py |  6 +++---
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/bayanat b/bayanat
index 357439269..591e67a6e 100755
--- a/bayanat
+++ b/bayanat
@@ -113,7 +113,7 @@ snapshot_pg_dump() {
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
             pg_dump -Fc \
-                -h "${POSTGRES_HOST:-localhost}" \
+                -h "${POSTGRES_HOST:-/var/run/postgresql}" \
                 -p "${POSTGRES_PORT:-5432}" \
                 -U "${POSTGRES_USER:-$APP_USER}" \
                 -f "$partial" \
@@ -175,7 +175,7 @@ restore_pg() {
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
             pg_restore --clean --if-exists \
-                -h "${POSTGRES_HOST:-localhost}" \
+                -h "${POSTGRES_HOST:-/var/run/postgresql}" \
                 -p "${POSTGRES_PORT:-5432}" \
                 -U "${POSTGRES_USER:-$APP_USER}" \
                 -d "${POSTGRES_DB:-$APP_USER}" \
@@ -339,7 +339,7 @@ _db_ping() {
     (
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
-            psql -h "${POSTGRES_HOST:-localhost}" \
+            psql -h "${POSTGRES_HOST:-/var/run/postgresql}" \
                  -U "${POSTGRES_USER:-$APP_USER}" -d "${POSTGRES_DB:-$APP_USER}" \
                  -c 'SELECT 1' -t >/dev/null 2>&1
     )
@@ -374,7 +374,7 @@ update_preflight() {
     server_major=$(
         eval "$(_pg_env)"
         PGPASSWORD="${POSTGRES_PASSWORD:-}" \
-            psql -h "${POSTGRES_HOST:-localhost}" \
+            psql -h "${POSTGRES_HOST:-/var/run/postgresql}" \
                  -U "${POSTGRES_USER:-$APP_USER}" -d "${POSTGRES_DB:-$APP_USER}" \
                  -c 'SHOW server_version_num' -t 2>/dev/null \
                  | tr -d ' ' | cut -c1-2
@@ -628,7 +628,7 @@ FORCE_HTTPS=$force_https
 LOG_DIR=$LOGS_DIR
 BACKUPS_LOCAL_PATH=$SHARED_DIR/backups
 
-POSTGRES_HOST=localhost
+POSTGRES_HOST=/var/run/postgresql
 POSTGRES_PORT=5432
 POSTGRES_USER=$APP_USER
 POSTGRES_PASSWORD=
@@ -791,6 +791,17 @@ exec /usr/bin/systemd-run \
 EOF
 }
 
+_install_self() {
+    # Copy this script to /usr/local/bin/bayanat so sudoers grants +
+    # bayanat-start-update can invoke it by absolute path. Safe to re-run:
+    # `install -m 0755` replaces atomically.
+    local src
+    src=$(readlink -f "$0")
+    [[ -f "$src" ]] || die "cannot resolve installer source path"
+    install -m 0755 -o root -g root "$src" /usr/local/bin/bayanat
+    log "Installed CLI at /usr/local/bin/bayanat"
+}
+
 # --- Install ---
 
 cmd_install() {
@@ -841,6 +852,7 @@ cmd_install() {
     _configure_caddy "$domain"
     _install_sudoers
     _install_update_wrapper
+    _install_self
 
     chown -R "$APP_USER:$APP_USER" "$BAYANAT_ROOT"
     systemctl daemon-reload
diff --git a/enferno/setup/views.py b/enferno/setup/views.py
index 295dc077c..1e1f8cbc5 100644
--- a/enferno/setup/views.py
+++ b/enferno/setup/views.py
@@ -4,7 +4,6 @@
     request,
     redirect,
     Blueprint,
-    send_from_directory,
     render_template,
     Response,
     current_app,
@@ -49,6 +48,7 @@ def handle_installation_check() -> Optional[Response]:
         "/api/complete-setup",
         "/admin/api/reload",
         "/fs-static",
+        "/health",
     ]
     login_flow_paths = [
         "/login",
@@ -101,7 +101,7 @@ def create_admin() -> Any:
             message="Admin user installed successfully",
             data={"item": new_admin.to_dict()},
         )
-    except Exception as e:
+    except Exception:
         db.session.rollback()
         return HTTPResponse.error("Failed to create admin user", status=500)
 
@@ -123,7 +123,7 @@ def import_data() -> Response:
     try:
         import_default_data()
         return HTTPResponse.success(message="Default data imported successfully")
-    except Exception as e:
+    except Exception:
         return HTTPResponse.error("Failed to import default data", status=500)
 
 

From 3df979ef3af3f8f0e2b9a1aced4a4477a24a0154 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 12:29:33 +0200
Subject: [PATCH 29/37] fix(cli): use socket peer auth for
 pg_dump/psql/pg_restore when localhost+no-password (matches backup_utils.py)

---
 bayanat | 76 +++++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 52 insertions(+), 24 deletions(-)

diff --git a/bayanat b/bayanat
index 591e67a6e..0c85a6e97 100755
--- a/bayanat
+++ b/bayanat
@@ -102,6 +102,8 @@ _pg_env() {
 snapshot_pg_dump() {
     # $1 = previous tag, $2 = target tag
     # Writes shared/backups/pre-<prev>-to-<target>-<ts>.dump via .partial rename.
+    # Mirrors enferno/utils/backup_utils.py:pg_dump logic: localhost + no
+    # password -> socket peer auth; else TCP with PGPASSWORD.
     local prev="$1" target="$2"
     local ts name partial final
     ts=$(date -u +%Y%m%d-%H%M)
@@ -111,13 +113,20 @@ snapshot_pg_dump() {
     log "Taking pre-update snapshot: $name"
     (
         eval "$(_pg_env)"
-        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
-            pg_dump -Fc \
-                -h "${POSTGRES_HOST:-/var/run/postgresql}" \
-                -p "${POSTGRES_PORT:-5432}" \
-                -U "${POSTGRES_USER:-$APP_USER}" \
-                -f "$partial" \
-                "${POSTGRES_DB:-$APP_USER}"
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" pg_dump -Fc -f "$partial" "$db"
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                pg_dump -Fc \
+                    -h "$host" \
+                    -p "${POSTGRES_PORT:-5432}" \
+                    -U "$user" \
+                    -f "$partial" \
+                    "$db"
+        fi
     )
     mv -Tf "$partial" "$final"
     echo "$name"
@@ -173,13 +182,20 @@ restore_pg() {
     systemctl stop bayanat bayanat-celery
     if ! (
         eval "$(_pg_env)"
-        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
-            pg_restore --clean --if-exists \
-                -h "${POSTGRES_HOST:-/var/run/postgresql}" \
-                -p "${POSTGRES_PORT:-5432}" \
-                -U "${POSTGRES_USER:-$APP_USER}" \
-                -d "${POSTGRES_DB:-$APP_USER}" \
-                "$path"
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" pg_restore --clean --if-exists -d "$db" "$path"
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                pg_restore --clean --if-exists \
+                    -h "$host" \
+                    -p "${POSTGRES_PORT:-5432}" \
+                    -U "$user" \
+                    -d "$db" \
+                    "$path"
+        fi
     ); then
         systemctl start bayanat bayanat-celery
         die "pg_restore failed; services restarted on existing DB"
@@ -338,10 +354,16 @@ _socket_health() {
 _db_ping() {
     (
         eval "$(_pg_env)"
-        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
-            psql -h "${POSTGRES_HOST:-/var/run/postgresql}" \
-                 -U "${POSTGRES_USER:-$APP_USER}" -d "${POSTGRES_DB:-$APP_USER}" \
-                 -c 'SELECT 1' -t >/dev/null 2>&1
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" psql -d "$db" -c 'SELECT 1' -t >/dev/null 2>&1
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                psql -h "$host" -U "$user" -d "$db" \
+                     -c 'SELECT 1' -t >/dev/null 2>&1
+        fi
     )
 }
 
@@ -373,11 +395,17 @@ update_preflight() {
     client_major=$(pg_dump --version | awk '{print $3}' | cut -d. -f1)
     server_major=$(
         eval "$(_pg_env)"
-        PGPASSWORD="${POSTGRES_PASSWORD:-}" \
-            psql -h "${POSTGRES_HOST:-/var/run/postgresql}" \
-                 -U "${POSTGRES_USER:-$APP_USER}" -d "${POSTGRES_DB:-$APP_USER}" \
-                 -c 'SHOW server_version_num' -t 2>/dev/null \
-                 | tr -d ' ' | cut -c1-2
+        local user="${POSTGRES_USER:-$APP_USER}"
+        local db="${POSTGRES_DB:-$APP_USER}"
+        local host="${POSTGRES_HOST:-localhost}"
+        if [[ "$host" == "localhost" && -z "${POSTGRES_PASSWORD:-}" ]]; then
+            sudo -u "$user" psql -d "$db" \
+                -c 'SHOW server_version_num' -t 2>/dev/null
+        else
+            PGPASSWORD="${POSTGRES_PASSWORD:-}" \
+                psql -h "$host" -U "$user" -d "$db" \
+                     -c 'SHOW server_version_num' -t 2>/dev/null
+        fi | tr -d ' ' | cut -c1-2
     )
     [[ -n "$client_major" && -n "$server_major" ]] \
         || die "could not determine pg_dump/server versions"
@@ -628,7 +656,7 @@ FORCE_HTTPS=$force_https
 LOG_DIR=$LOGS_DIR
 BACKUPS_LOCAL_PATH=$SHARED_DIR/backups
 
-POSTGRES_HOST=/var/run/postgresql
+POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
 POSTGRES_USER=$APP_USER
 POSTGRES_PASSWORD=

From 487a1b234bc94c5e5df5d7fd9e83b7b2cb42f50f Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 12:42:12 +0200
Subject: [PATCH 30/37] fix(cli): chown cloned release to bayanat so
 _install_deps (uv sync) can write .venv

---
 bayanat | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bayanat b/bayanat
index 0c85a6e97..ce170b39e 100755
--- a/bayanat
+++ b/bayanat
@@ -631,6 +631,7 @@ _clone_release() {
 
     log "Cloning $tag..."
     git clone --depth 1 --branch "$tag" "$GIT_URL" "$dest"
+    chown -R "$APP_USER:$APP_USER" "$dest"
 }
 
 _generate_env() {

From db0e227b338e33ee5e03db95a60cba8b152200d1 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 12:45:51 +0200
Subject: [PATCH 31/37] fix(cli): redirect snapshot log to stderr so
 STATE_SNAPSHOT captures only filename

---
 bayanat | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bayanat b/bayanat
index ce170b39e..3940030db 100755
--- a/bayanat
+++ b/bayanat
@@ -110,7 +110,9 @@ snapshot_pg_dump() {
     name="pre-${prev}-to-${target}-${ts}.dump"
     partial="$SHARED_DIR/backups/${name}.partial"
     final="$SHARED_DIR/backups/${name}"
-    log "Taking pre-update snapshot: $name"
+    # Log goes to stderr so `$(snapshot_pg_dump ...)` captures only the
+    # basename from the trailing `echo "$name"`.
+    log "Taking pre-update snapshot: $name" >&2
     (
         eval "$(_pg_env)"
         local user="${POSTGRES_USER:-$APP_USER}"

From f658b23edf240329760bdd620ffefb63be49c278 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 13:09:26 +0200
Subject: [PATCH 32/37] fix(security): copy CLI from release (not $0) and
 require fresh auth for update start

_install_self previously relied on $0 to locate the installer script.
Under the standard 'curl ... | sudo bash -s install' pipe pattern, $0 is
'bash' and readlink resolves to the shell binary, which would then be
installed as /usr/local/bin/bayanat. Every subsequent CLI invocation and
wrapper-driven update would exec bash with 'update' as argv. Silent.
Catastrophic on first use.

Fix: _install_self now takes a tag arg and copies from
$RELEASES_DIR/$tag/bayanat (the just-cloned release, known-good source).
Also called in do_switch_verify's SUCCESS branch so the system CLI stays
in lockstep with the active release after every successful update.

Separately: @auth_required(within=15, grace=0) on POST /api/updates/start
matches the freshness discipline already used by /system-administration/
and other sensitive admin endpoints. A stale cookie is no longer enough
to trigger a privileged update.
---
 bayanat                        | 19 ++++++++++++-------
 enferno/admin/views/system.py  |  8 +++++++-
 tests/test_update_endpoints.py | 21 +++++++++++++++++++++
 3 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/bayanat b/bayanat
index 3940030db..ba26bf73b 100755
--- a/bayanat
+++ b/bayanat
@@ -488,6 +488,10 @@ do_switch_verify() {
     write_state SWITCH_DONE "Verifying new release"
     export STATE_PROGRESS="Waiting for health probe"
     if _wait_healthy 60; then
+        # Refresh /usr/local/bin/bayanat from the now-active release so the
+        # system CLI stays in lockstep with the deployed code. Done AFTER the
+        # health probe so a bad release never overwrites a working CLI.
+        _install_self "$target"
         export STATE_PROGRESS="Update successful"
         write_state SUCCESS "Update to $target complete"
         clear_state
@@ -823,12 +827,13 @@ EOF
 }
 
 _install_self() {
-    # Copy this script to /usr/local/bin/bayanat so sudoers grants +
-    # bayanat-start-update can invoke it by absolute path. Safe to re-run:
-    # `install -m 0755` replaces atomically.
-    local src
-    src=$(readlink -f "$0")
-    [[ -f "$src" ]] || die "cannot resolve installer source path"
+    # Copy the bayanat CLI from the given release directory to
+    # /usr/local/bin/bayanat. Source is $RELEASES_DIR/$tag/bayanat, NOT $0 —
+    # under `curl ... | sudo bash -s install`, $0 is "bash" and readlink
+    # resolves to the shell binary. $1 = tag.
+    local tag="${1:?_install_self requires a tag arg}"
+    local src="$RELEASES_DIR/$tag/bayanat"
+    [[ -f "$src" ]] || die "cannot find CLI source at $src"
     install -m 0755 -o root -g root "$src" /usr/local/bin/bayanat
     log "Installed CLI at /usr/local/bin/bayanat"
 }
@@ -883,7 +888,7 @@ cmd_install() {
     _configure_caddy "$domain"
     _install_sudoers
     _install_update_wrapper
-    _install_self
+    _install_self "$tag"
 
     chown -R "$APP_USER:$APP_USER" "$BAYANAT_ROOT"
     systemctl daemon-reload
diff --git a/enferno/admin/views/system.py b/enferno/admin/views/system.py
index 7b743e3a1..e6c146052 100644
--- a/enferno/admin/views/system.py
+++ b/enferno/admin/views/system.py
@@ -234,9 +234,15 @@ def api_updates_available() -> Response:
 
 
 @admin.post("/api/updates/start")
+@auth_required(within=15, grace=0)
 @roles_required("Admin")
 def api_updates_start() -> Response:
-    """Launch `bayanat update` out-of-process via the sudoers-granted wrapper."""
+    """Launch `bayanat update` out-of-process via the sudoers-granted wrapper.
+
+    Fresh-auth required (within 15 min) to limit stale-cookie exposure: a
+    compromised admin session cannot trigger a privileged update without a
+    recent password prompt.
+    """
     try:
         subprocess.run(
             ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"],
diff --git a/tests/test_update_endpoints.py b/tests/test_update_endpoints.py
index 71bd82aa1..5f71d849a 100644
--- a/tests/test_update_endpoints.py
+++ b/tests/test_update_endpoints.py
@@ -1,7 +1,17 @@
 import json
+import time
 from unittest.mock import patch
 
 
+def _fresh_session(client):
+    """Mark the test-client session as freshly authenticated so
+    `@auth_required(within=15)` passes. Flask-Security stores the primary
+    auth timestamp in session key 'fs_paa'.
+    """
+    with client.session_transaction() as sess:
+        sess["fs_paa"] = time.time()
+
+
 def test_available_returns_cached(admin_client):
     from enferno.extensions import rds
 
@@ -64,6 +74,7 @@ def test_status_terminal_when_success(admin_client, tmp_path, monkeypatch):
 
 
 def test_start_calls_wrapper(admin_client):
+    _fresh_session(admin_client)
     with patch("enferno.admin.views.system.subprocess.run") as run:
         resp = admin_client.post("/admin/api/updates/start")
         assert resp.status_code == 200
@@ -72,7 +83,17 @@ def test_start_calls_wrapper(admin_client):
         assert args == ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"]
 
 
+def test_start_requires_fresh_auth(admin_client):
+    # No _fresh_session call -> session is stale -> auth_required(within=15)
+    # should reject with redirect/401/403.
+    with patch("enferno.admin.views.system.subprocess.run") as run:
+        resp = admin_client.post("/admin/api/updates/start")
+        assert resp.status_code in (302, 401, 403)
+        run.assert_not_called()
+
+
 def test_non_admin_cannot_start(da_client):
+    _fresh_session(da_client)
     resp = da_client.post("/admin/api/updates/start")
     # roles_required returns 403 (Forbidden) for wrong-role users
     assert resp.status_code in (401, 403)

From a69b6125d5d2835a87f738af72c8804c4d1498a2 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 13:21:22 +0200
Subject: [PATCH 33/37] fix(security): safe .env parser (no eval) + correct
 snapshots-UI restore command

_pg_env previously emitted 'export KEY=VALUE' lines from shared/.env and
callers ran eval on the output. A malicious .env value (writable by the
bayanat user) could inject shell commands that run as root under
'bayanat update'. Lateral-to-root escalation path.

Replace _pg_env with _pg_load: parses POSTGRES_* keys natively in bash
and uses 'export "$key=$val"' which never interprets the value.
Verified a malicious value like 'foo; echo PWNED > /tmp/...' is stored
as a literal password instead of being executed.

Separately: the snapshots UI showed 'sudo -u bayanat bayanat restore',
which hits require_root and fails. Matches the same bug class as P4
(runbook) that was fixed in docs but missed in the Vue component.
Updated to 'sudo bayanat restore <name>'.
---
 bayanat                                       | 36 ++++++++++++++-----
 enferno/static/js/components/SnapshotsList.js |  3 +-
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/bayanat b/bayanat
index ba26bf73b..c5d350958 100755
--- a/bayanat
+++ b/bayanat
@@ -90,13 +90,31 @@ swap_symlink() {
 SNAPSHOT_RETENTION_DAYS="${BAYANAT_SNAPSHOT_RETENTION_DAYS:-30}"
 readonly SNAPSHOT_RETENTION_COUNT=5
 
-_pg_env() {
-    # Emits pg_dump / pg_restore env from shared/.env. All callers must
-    # `eval "$(_pg_env)"` in a subshell.
+_pg_load() {
+    # Loads POSTGRES_* from shared/.env into the current shell env WITHOUT
+    # eval. Must be invoked inside a subshell so the exports do not leak.
+    #
+    # Why no eval: a malicious .env value (writable by the bayanat user)
+    # could smuggle shell commands that would run as root under `bayanat
+    # update`. `export "$key=$val"` treats $val as a literal string, no
+    # interpretation.
     local env_file="$SHARED_DIR/.env"
     [[ -f "$env_file" ]] || die "missing $env_file"
-    grep -E '^(POSTGRES_HOST|POSTGRES_PORT|POSTGRES_USER|POSTGRES_PASSWORD|POSTGRES_DB)=' \
-        "$env_file" | sed 's/^/export /'
+    local key val
+    while IFS='=' read -r key val; do
+        case "$key" in
+            POSTGRES_HOST|POSTGRES_PORT|POSTGRES_USER|POSTGRES_PASSWORD|POSTGRES_DB)
+                # Strip matching surrounding quotes (common .env convention).
+                if [[ ${#val} -ge 2 ]]; then
+                    if [[ "${val:0:1}" == '"' && "${val: -1}" == '"' ]] \
+                        || [[ "${val:0:1}" == "'" && "${val: -1}" == "'" ]]; then
+                        val="${val:1:${#val}-2}"
+                    fi
+                fi
+                export "$key=$val"
+                ;;
+        esac
+    done < "$env_file"
 }
 
 snapshot_pg_dump() {
@@ -114,7 +132,7 @@ snapshot_pg_dump() {
     # basename from the trailing `echo "$name"`.
     log "Taking pre-update snapshot: $name" >&2
     (
-        eval "$(_pg_env)"
+        _pg_load
         local user="${POSTGRES_USER:-$APP_USER}"
         local db="${POSTGRES_DB:-$APP_USER}"
         local host="${POSTGRES_HOST:-localhost}"
@@ -183,7 +201,7 @@ restore_pg() {
     [[ "$reply" == "yes" ]] || die "aborted"
     systemctl stop bayanat bayanat-celery
     if ! (
-        eval "$(_pg_env)"
+        _pg_load
         local user="${POSTGRES_USER:-$APP_USER}"
         local db="${POSTGRES_DB:-$APP_USER}"
         local host="${POSTGRES_HOST:-localhost}"
@@ -355,7 +373,7 @@ _socket_health() {
 
 _db_ping() {
     (
-        eval "$(_pg_env)"
+        _pg_load
         local user="${POSTGRES_USER:-$APP_USER}"
         local db="${POSTGRES_DB:-$APP_USER}"
         local host="${POSTGRES_HOST:-localhost}"
@@ -396,7 +414,7 @@ update_preflight() {
     local client_major server_major
     client_major=$(pg_dump --version | awk '{print $3}' | cut -d. -f1)
     server_major=$(
-        eval "$(_pg_env)"
+        _pg_load
         local user="${POSTGRES_USER:-$APP_USER}"
         local db="${POSTGRES_DB:-$APP_USER}"
         local host="${POSTGRES_HOST:-localhost}"
diff --git a/enferno/static/js/components/SnapshotsList.js b/enferno/static/js/components/SnapshotsList.js
index 018f3267c..e704c199c 100644
--- a/enferno/static/js/components/SnapshotsList.js
+++ b/enferno/static/js/components/SnapshotsList.js
@@ -31,7 +31,8 @@ const SnapshotsList = Vue.defineComponent({
       <v-card-text>
         <v-alert type="info" variant="tonal" density="compact" class="mb-3">
           Restore is CLI-only for safety. SSH to the server and run
-          <code>sudo -u bayanat bayanat restore &lt;name&gt;</code>.
+          <code>sudo bayanat restore &lt;name&gt;</code> (needs root; it stops
+          services, runs <code>pg_restore</code>, and starts services again).
         </v-alert>
         <v-data-table
           :items="items"

From d04dbbda46e8961e782d6f20956cc4ef89485b58 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sat, 18 Apr 2026 17:53:24 +0200
Subject: [PATCH 34/37] test: add end-to-end auto-update test script for
 Hetzner VMs

Codifies the manual 45-min ad-hoc test into a single-command script.
Provisions a disposable CPX22 Ubuntu 24.04 VM, installs via curl|bash
from the test fork's v4.0.0 tag, runs S1-S4 (happy / bad-migration /
bad-health / recovery), asserts final state per scenario, tears down.

Env knobs:
  KEEP_VM=1                 leave VM running for iteration
  VM_IP=x.y.z.w             reuse existing VM, skip provision/install
  SCENARIOS='S1 S2'         run subset
  TEST_FORK=you/yourfork    point at a different test fork

Requires hcloud CLI + ssh-agent loaded + gh CLI authenticated. Full run
~8-10 minutes, costs well under one cent per cycle.
---
 e2e-auto-update.sh | 229 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 229 insertions(+)
 create mode 100755 e2e-auto-update.sh

diff --git a/e2e-auto-update.sh b/e2e-auto-update.sh
new file mode 100755
index 000000000..8f9b3a5a0
--- /dev/null
+++ b/e2e-auto-update.sh
@@ -0,0 +1,229 @@
+#!/usr/bin/env bash
+#
+# End-to-end test for the `bayanat update` pipeline on a disposable
+# Hetzner VM. Provisions → installs → runs S1-S4 → teardown.
+#
+# Requires:
+#   - hcloud CLI authenticated to the right project (see `hcloud context list`)
+#   - ssh-agent loaded with the private key matching the registered hcloud key
+#   - a public test fork with tags v4.0.0 (baseline), v4.0.1 (additive),
+#     v4.0.2 (bad migration), v4.0.3 (/health 503 at runtime), v4.0.4 (recovery)
+#
+# Usage:
+#   ./e2e-auto-update.sh                    # full run: provision → S1-S4 → destroy
+#   KEEP_VM=1 ./e2e-auto-update.sh          # leave VM running at end
+#   VM_IP=1.2.3.4 ./e2e-auto-update.sh      # reuse an existing VM (skip provision)
+#   SCENARIOS="S1 S2" ./e2e-auto-update.sh  # run a subset
+#   TEST_FORK=you/yourfork ./e2e-auto-update.sh
+#
+set -euo pipefail
+
+# --- Config ---
+TEST_FORK="${TEST_FORK:-level09/bayanat-update-test}"
+SSH_KEY="${SSH_KEY:-level09@Black09}"
+SERVER_TYPE="${SERVER_TYPE:-cpx22}"
+LOCATION="${LOCATION:-nbg1}"
+SCENARIOS="${SCENARIOS:-S1 S2 S3 S4}"
+KEEP_VM="${KEEP_VM:-0}"
+VM_IP="${VM_IP:-}"
+SERVER_NAME=""
+
+SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5"
+
+log()  { printf '\n\033[1;34m[%s] %s\033[0m\n' "$(date +%H:%M:%S)" "$*"; }
+pass() { printf '\033[1;32m  ✓ %s\033[0m\n' "$*"; }
+fail() { printf '\033[1;31m  ✗ %s\033[0m\n' "$*" >&2; exit 1; }
+
+on_vm() { ssh $SSHOPTS "root@$VM_IP" "$@"; }
+
+# --- Prereqs ---
+command -v hcloud >/dev/null || { echo "hcloud CLI not found"; exit 2; }
+command -v gh >/dev/null || { echo "gh CLI not found (needed to rewrite tags)"; exit 2; }
+git ls-remote --tags "https://github.com/$TEST_FORK.git" >/dev/null \
+    || { echo "test fork $TEST_FORK not reachable"; exit 2; }
+
+# --- Tag ladder prep: hide upper tags so installer picks v4.0.0 ---
+stash_upper_tags() {
+    log "Hiding upper tags on $TEST_FORK so installer picks v4.0.0"
+    for t in v4.0.1 v4.0.2 v4.0.3 v4.0.4; do
+        gh api -X DELETE "repos/$TEST_FORK/git/refs/tags/$t" 2>&1 \
+            | grep -v '^$' | head -1 || true
+    done
+}
+
+restore_upper_tags() {
+    log "Restoring upper tags v4.0.1..v4.0.4"
+    # Must push via a configured remote (SSH auth), not an HTTPS URL.
+    for t in v4.0.1 v4.0.2 v4.0.3 v4.0.4; do
+        if ! git show-ref --tags --verify --quiet "refs/tags/$t"; then
+            echo "  LOCAL TAG MISSING: $t (run the rebase block in the README)"; continue
+        fi
+        git push test-fork "+refs/tags/$t:refs/tags/$t" 2>&1 | tail -1
+    done
+    # Sanity: confirm remote has them
+    local remote_tags
+    remote_tags=$(git ls-remote --tags test-fork | awk '{print $2}' | grep -E 'v4\.0\.[1-4]$' | wc -l | tr -d ' ')
+    [[ "$remote_tags" == "4" ]] || fail "expected 4 upper tags on remote, found $remote_tags"
+    pass "4 upper tags visible on remote"
+}
+
+# --- Provision ---
+provision() {
+    SERVER_NAME="bayanat-update-test-$(date +%Y%m%d-%H%M%S)"
+    log "Provisioning Hetzner VM $SERVER_NAME ($SERVER_TYPE in $LOCATION)"
+    VM_IP=$(hcloud server create \
+        --name "$SERVER_NAME" \
+        --type "$SERVER_TYPE" \
+        --image ubuntu-24.04 \
+        --ssh-key "$SSH_KEY" \
+        --location "$LOCATION" \
+        -o json | python3 -c 'import json,sys; print(json.load(sys.stdin)["server"]["public_net"]["ipv4"]["ip"])')
+    log "IP: $VM_IP"
+    log "Waiting for SSH..."
+    until on_vm 'true' 2>/dev/null; do sleep 3; done
+    pass "SSH ready"
+}
+
+teardown() {
+    if [[ "$KEEP_VM" == "1" ]]; then
+        log "KEEP_VM=1 — leaving $SERVER_NAME (IP $VM_IP) alive"
+        return
+    fi
+    if [[ -n "$SERVER_NAME" ]]; then
+        log "Destroying $SERVER_NAME"
+        hcloud server delete "$SERVER_NAME" >/dev/null
+        pass "destroyed"
+    fi
+}
+
+# --- Install ---
+install_baseline() {
+    log "Installing v4.0.0 via curl | sudo bash -s install (validates \$0-free install)"
+    on_vm 'echo "BAYANAT_REPO='"$TEST_FORK"'" >> /etc/environment'
+    on_vm 'curl -fsSL https://raw.githubusercontent.com/'"$TEST_FORK"'/v4.0.0/bayanat | BAYANAT_REPO='"$TEST_FORK"' sudo -E bash -s install localhost' \
+        >/tmp/e2e-install.log 2>&1 \
+        || { tail -30 /tmp/e2e-install.log; fail "install failed"; }
+    pass "install succeeded"
+
+    # Work around the SETUP_COMPLETE gating until that lands in installer
+    on_vm 'echo "BAYANAT_CONFIG_FILE=/opt/bayanat/shared/config.json" >> /opt/bayanat/shared/.env
+           echo "{\"SETUP_COMPLETE\": true}" > /opt/bayanat/shared/config.json
+           chown bayanat:bayanat /opt/bayanat/shared/config.json
+           systemctl restart bayanat bayanat-celery'
+    sleep 3
+
+    local health
+    health=$(on_vm 'curl -s --unix-socket /opt/bayanat/current/bayanat.sock http://localhost/health')
+    [[ "$health" == *'"status":"ok"'* ]] || fail "/health not ok: $health"
+    pass "/health OK: $health"
+
+    local cur
+    cur=$(on_vm 'bayanat status | grep "Current version" | awk "{print \$3}"')
+    [[ "$cur" == "v4.0.0" ]] || fail "expected v4.0.0, got $cur"
+    pass "installed version: $cur"
+}
+
+# --- Scenario helpers ---
+assert_version() {
+    local expected="$1"
+    local actual
+    actual=$(on_vm 'bayanat status | grep "Current version" | awk "{print \$3}"')
+    [[ "$actual" == "$expected" ]] || fail "expected version $expected, got $actual"
+    pass "version = $expected"
+}
+
+assert_state() {
+    local expected="$1"
+    local actual
+    actual=$(on_vm 'bayanat status | grep "Update state" | awk "{print \$3}"')
+    [[ "$actual" == "$expected" ]] || fail "expected state $expected, got $actual"
+    pass "update state = $expected"
+}
+
+assert_state_file_phase() {
+    local expected="$1"
+    local phase
+    phase=$(on_vm 'python3 -c "import json; print(json.load(open(\"/opt/bayanat/state/update.json\")).get(\"phase\",\"\"))"' 2>/dev/null || echo "")
+    [[ "$phase" == "$expected" ]] || fail "expected state file phase $expected, got '$phase'"
+    pass "state file phase = $expected"
+}
+
+assert_services_active() {
+    on_vm 'systemctl is-active --quiet bayanat bayanat-celery caddy' \
+        || fail "services not all active"
+    pass "services all active"
+}
+
+clear_state_file() {
+    on_vm 'rm -f /opt/bayanat/state/update.json /opt/bayanat/state/update.lock'
+}
+
+run_update() {
+    local tag="$1"
+    log "  -> bayanat update $tag"
+    on_vm 'sudo BAYANAT_REPO='"$TEST_FORK"' /usr/local/bin/bayanat update '"$tag" \
+        >/tmp/e2e-update.log 2>&1 || true   # we inspect state, exit code is scenario-dependent
+    tail -5 /tmp/e2e-update.log | sed 's/^/    /'
+}
+
+# --- Scenarios ---
+S1() {
+    log "S1: happy path v4.0.0 -> v4.0.1"
+    run_update v4.0.1
+    assert_version v4.0.1
+    assert_state IDLE
+    assert_services_active
+    on_vm 'sudo -u bayanat psql -d bayanat -c "\d bulletin" | grep -q auto_update_test' \
+        || fail "auto_update_test column missing"
+    pass "auto_update_test column present"
+}
+
+S2() {
+    log "S2: bad migration v4.0.1 -> v4.0.2 -> NEEDS_INTERVENTION"
+    run_update v4.0.2
+    assert_version v4.0.1
+    assert_state_file_phase NEEDS_INTERVENTION
+    assert_services_active
+    clear_state_file
+}
+
+S3() {
+    log "S3: bad /health v4.0.1 -> v4.0.3 -> ROLLED_BACK"
+    run_update v4.0.3
+    assert_version v4.0.1
+    assert_state IDLE
+    assert_services_active
+    local health
+    health=$(on_vm 'curl -s --unix-socket /opt/bayanat/current/bayanat.sock http://localhost/health')
+    [[ "$health" == *'"status":"ok"'* ]] || fail "/health not ok after rollback"
+    pass "/health back to OK after rollback"
+}
+
+S4() {
+    log "S4: recovery v4.0.1 -> v4.0.4"
+    run_update v4.0.4
+    assert_version v4.0.4
+    assert_state IDLE
+    assert_services_active
+    on_vm 'sudo -u bayanat psql -d bayanat -c "\d bulletin" | grep -q auto_update_recovery_test' \
+        || fail "auto_update_recovery_test column missing"
+    pass "auto_update_recovery_test column present"
+}
+
+# --- Main ---
+trap 'restore_upper_tags; teardown' EXIT
+
+if [[ -z "$VM_IP" ]]; then
+    stash_upper_tags
+    provision
+    install_baseline
+    restore_upper_tags
+else
+    log "Reusing existing VM at $VM_IP"
+fi
+
+for s in $SCENARIOS; do
+    "$s"
+done
+
+log "ALL PASSED"

From 036c500b741e05703c6ee9773b5dd12b41c043d3 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sun, 19 Apr 2026 11:31:39 +0200
Subject: [PATCH 35/37] fix(tests): add AUTO_APPLY_PATCH_UPDATES to TestConfig

---
 enferno/settings.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/enferno/settings.py b/enferno/settings.py
index c116bc6de..f9db8f882 100644
--- a/enferno/settings.py
+++ b/enferno/settings.py
@@ -611,6 +611,9 @@ class TestConfig:
     # Notifications
     NOTIFICATIONS = NOTIFICATIONS_DEFAULT_CONFIG
 
+    # Auto-update
+    AUTO_APPLY_PATCH_UPDATES = False
+
     # Dependencies (from dep_utils)
     HAS_WHISPER = dep_utils.has_whisper  # Use actual dependency detection
     HAS_TESSERACT = dep_utils.has_tesseract  # Use actual dependency detection

From 06856c7f79ae3aa065bdb0f4ba167c5e078a548f Mon Sep 17 00:00:00 2001
From: Nidal Alhariri <level09@gmail.com>
Date: Sun, 19 Apr 2026 11:48:46 +0200
Subject: [PATCH 36/37] Potential fix for pull request finding 'CodeQL /
 Information exposure through an exception'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 enferno/public/views.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/enferno/public/views.py b/enferno/public/views.py
index 92175efd2..5bee348a2 100755
--- a/enferno/public/views.py
+++ b/enferno/public/views.py
@@ -40,9 +40,9 @@ def health() -> Response:
     try:
         db.session.execute(text("SELECT 1"))
         rds.ping()
-    except Exception as e:
-        logger.error(f"health check failed: {e}")
-        return jsonify({"status": "error", "error": str(e)[:120]}), 503
+    except Exception:
+        logger.error("health check failed", exc_info=True)
+        return jsonify({"status": "error", "error": "Service unavailable"}), 503
     version = os.environ.get("BAYANAT_VERSION") or _read_version_from_pyproject()
     return jsonify({"status": "ok", "version": version})
 

From 8615ff11b89aa81d1cee1e132db7d3a389ce60e5 Mon Sep 17 00:00:00 2001
From: level09 <level09@gmail.com>
Date: Sun, 19 Apr 2026 12:24:37 +0200
Subject: [PATCH 37/37] fix(tests): call .run() on Celery tasks to bypass
 ContextTask app init

---
 tests/test_update_check.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/test_update_check.py b/tests/test_update_check.py
index be52edf8a..f0b12a9aa 100644
--- a/tests/test_update_check.py
+++ b/tests/test_update_check.py
@@ -51,7 +51,7 @@ def test_auto_apply_patch_triggers_wrapper_when_flag_on():
         patch.object(maintenance, "Notification") as notif,
     ):
         req.get.return_value = _github_response("v4.1.1")
-        maintenance.check_for_updates()
+        maintenance.check_for_updates.run()
         sp.run.assert_called_once()
         args = sp.run.call_args.args[0]
         assert args == ["sudo", "-n", "/usr/local/sbin/bayanat-start-update"]
@@ -72,7 +72,7 @@ def test_auto_apply_off_falls_back_to_notification():
         patch.object(maintenance, "Notification") as notif,
     ):
         req.get.return_value = _github_response("v4.1.1")
-        maintenance.check_for_updates()
+        maintenance.check_for_updates.run()
         sp.run.assert_not_called()
         notif.create_for_admins.assert_called_once()
 
@@ -91,6 +91,6 @@ def test_auto_apply_on_but_minor_bump_still_notifies():
         patch.object(maintenance, "Notification") as notif,
     ):
         req.get.return_value = _github_response("v4.2.0")
-        maintenance.check_for_updates()
+        maintenance.check_for_updates.run()
         sp.run.assert_not_called()
         notif.create_for_admins.assert_called_once()