Auto-Update Systems Expert

What this skill does

# Auto-Update Systems Expert

## 0. Mandatory Reading Protocol

**CRITICAL**: Before implementing, read these reference files:

| Reference | When to Read |
|-----------|--------------|
| `references/security-examples.md` | Signing keys, signature verification, secure endpoints |
| `references/advanced-patterns.md` | Staged rollouts, rollback, update channels, differential updates |
| `references/threat-model.md` | Security posture, MITM defense, key rotation |

---

## 1. Overview

**Risk Level: HIGH**

**Justification**: Auto-update systems can deliver code to all users simultaneously. A compromised update system can distribute malware to the entire user base. Signature verification bypass (like CVE-2024-39698) allows attackers to install unsigned malicious updates. Poor rollback mechanisms can leave users with broken software.

You are an expert in auto-update system implementation, specializing in:
- **Signature verification** for cryptographic update integrity
- **Rollback mechanisms** for failed updates
- **Staged rollouts** for risk mitigation
- **Secure distribution** with HTTPS and pinning
- **Tauri updater** configuration and best practices

### Primary Use Cases
- Tauri application auto-updates
- Secure update distribution infrastructure
- Update channel management (stable, beta)
- Emergency rollback procedures
- Update analytics and monitoring

---

## 2. Core Responsibilities

### 2.1 Core Principles

1. **TDD First** - Write tests before implementation code
2. **Performance Aware** - Optimize for bandwidth and speed
3. **ALWAYS verify signatures** - Never install unsigned updates
4. **Use HTTPS only** - Never fetch updates over HTTP
5. **Implement rollback** - Plan for failed updates
6. **Staged rollouts** - Don't update all users at once
7. **Monitor update health** - Track success rates and errors

### 2.2 Reliability Principles

1. **Atomic updates** - All or nothing installation
2. **Preserve user data** - Never lose configuration during updates
3. **Graceful degradation** - App works if update fails
4. **User consent** - Inform users before updating

---

## 3. Technical Foundation

### 3.1 Tauri Updater Components

| Component | Purpose |
|-----------|---------|
| Update manifest | JSON with version, download URLs, signatures |
| Signing key | Ed25519 private key for signing updates |
| Public key | Embedded in app for verification |
| Update endpoint | HTTPS server hosting manifests and artifacts |

### 3.2 Version Recommendations

| Component | Recommended | Notes |
|-----------|-------------|-------|
| Tauri | 1.5+ / 2.0+ | Latest security patches |
| Update protocol | v2 | Better signature handling |

---

## 4. Implementation Patterns

### 4.1 Tauri Updater Configuration

```json
// tauri.conf.json
{
  "tauri": {
    "updater": {
      "active": true,
      "dialog": true,
      "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6...",
      "endpoints": [
        "https://releases.myapp.com/{{target}}/{{arch}}/{{current_version}}"
      ],
      "windows": {
        "installMode": "passive"
      }
    },
    "bundle": {
      "createUpdaterArtifacts": true
    }
  }
}
```

### 4.2 Update Manifest Format

```json
{
  "version": "1.2.0",
  "notes": "Bug fixes and performance improvements",
  "pub_date": "2024-01-15T12:00:00Z",
  "platforms": {
    "darwin-x86_64": {
      "signature": "dW50cnVzdGVkIGNvbW1lbnQ6...",
      "url": "https://releases.myapp.com/MyApp_1.2.0_x64.app.tar.gz"
    },
    "windows-x86_64": {
      "signature": "dW50cnVzdGVkIGNvbW1lbnQ6...",
      "url": "https://releases.myapp.com/MyApp_1.2.0_x64-setup.nsis.zip"
    }
  }
}
```

### 4.3 Custom Update Logic

```rust
use tauri::updater::UpdateResponse;
use tauri::{AppHandle, Manager};

#[tauri::command]
async fn check_for_updates(app: AppHandle) -> Result<Option<UpdateInfo>, String> {
    match app.updater().check().await {
        Ok(update) => {
            if update.is_update_available() {
                Ok(Some(UpdateInfo {
                    version: update.latest_version().to_string(),
                    notes: update.body().map(|s| s.to_string()),
                    date: update.date().map(|d| d.to_string()),
                }))
            } else {
                Ok(None)
            }
        }
        Err(e) => Err(format!("Failed to check for updates: {}", e)),
    }
}

#[tauri::command]
async fn install_update(app: AppHandle) -> Result<(), String> {
    let update = app.updater().check().await
        .map_err(|e| format!("Check failed: {}", e))?;

    if update.is_update_available() {
        // Download and verify signature
        update.download_and_install()
            .await
            .map_err(|e| format!("Install failed: {}", e))?;

        // Restart app to apply update
        app.restart();
    }

    Ok(())
}

#[derive(serde::Serialize)]
struct UpdateInfo {
    version: String,
    notes: Option<String>,
    date: Option<String>,
}
```

---

## 5. Security Standards

### 5.1 Domain Vulnerability Landscape

**Research Date**: November 2024

| CVE | Severity | Description | Mitigation |
|-----|----------|-------------|------------|
| CVE-2024-39698 | High | electron-updater signature bypass | Update electron-builder 6.3.0+ |
| CVE-2024-24576 | High | Rust Command injection (affects Tauri shell) | Update Rust 1.77.2+ |
| CVE-2024-35222 | High | Tauri iFrame origin bypass | Update Tauri 1.6.7+/2.0.0-beta.20+ |
| CVE-2023-46115 | Medium | Tauri key leak via Vite config | Remove TAURI_ from envPrefix |

**Key Insight**: Signature verification bypass is the most critical vulnerability class. Always verify signatures are actually checked and cannot be bypassed.

### 5.2 OWASP Mapping

| OWASP Category | Risk Level | Key Controls |
|----------------|------------|--------------|
| A02:2021 - Cryptographic Failures | Critical | Ed25519 signatures, HTTPS only |
| A05:2021 - Security Misconfiguration | High | Proper endpoint config, key management |
| A08:2021 - Software Integrity Failures | Critical | Signature verification, pinning |

### 5.3 Signature Verification

**See `references/security-examples.md` for complete implementations**

```rust
// Tauri handles signature verification automatically when configured correctly
// The signature in the manifest is verified against the embedded public key

// CRITICAL: Never bypass signature verification
// CRITICAL: Always use HTTPS for update endpoints
// CRITICAL: Protect the private signing key
```

---

## 6. Testing Standards

### 6.1 Update Testing

```rust
#[cfg(test)]
mod tests {
    #[tokio::test]
    async fn test_update_check() {
        let mock_server = MockUpdateServer::new();
        mock_server.set_latest_version("2.0.0");
        let result = check_for_updates_from(&mock_server.url()).await;
        assert_eq!(result.unwrap().version, "2.0.0");
    }

    #[tokio::test]
    async fn test_invalid_signature_rejected() {
        let mock_server = MockUpdateServer::new();
        mock_server.set_invalid_signature();
        assert!(install_update_from(&mock_server.url()).await.is_err());
    }

    #[tokio::test]
    async fn test_downgrade_prevented() {
        let mock_server = MockUpdateServer::new();
        mock_server.set_latest_version("0.9.0");
        assert!(check_for_updates_from(&mock_server.url()).await.unwrap().is_none());
    }
}
```

---

## 7. Implementation Workflow (TDD)

### Step 1: Write Failing Test First

```python
# tests/test_update_system.py
import pytest
from unittest.mock import patch
from update_manager import UpdateManager

class TestUpdateManager:
    @pytest.fixture
    def manager(self):
        return UpdateManager(current_version="1.0.0", update_endpoint="https://updates.example.com")

    @pytest.mark.asyncio
    async def test_check_for_update_returns_info(self, manager):
        with patch.object(manager, '_fetch_manifest') as mock:
            mock.return_value = {"version": "2.0.0", "signature": "valid_sig"}
            result