Agentina

Updates

Agentina is updated by promoting signed builds to a channel. Your license is pinned to a channel; the agent learns about a newer release on the next heartbeat and surfaces a hint. Installation is always operator-initiated — the agent does not auto-replace its own binary.

Channels

ChannelAudienceCadence
stableMost customersEvery 1–2 weeks
betaEarly adopters~2 days behind main
enterprise-ltsProcurement-gated rolloutsQuarterly with backports
devInternal onlyPer commit

Which channel you're on is baked into your license. Check it with agentina status.

How updates flow

  1. Engineering tags a release and publishes a signed tarball to the channel.
  2. An operator promotes the build via the admin panel. Release notes are authored alongside the promotion.
  3. Every agent on that channel sees an update_available hint on its next heartbeat (default cadence: 60s).
  4. agentina status shows the available version and the release notes title.
  5. The operator (or you, depending on how you run the fleet) runs agentina upgrade.

Upgrading an agent

The fastest path uses the manifest URL the install was wired with:

bash
sudo agentina upgrade --manifest <manifest-url>

What happens:

  1. Fetch the new manifest. Verify the cosign signature against the trusted public key.
  2. Fetch the new tarball. Verify its signature.
  3. Extract to /opt/agentina/<new-version>/.
  4. Swap the current symlink to the new version (atomic).
  5. Run a smoke check against the new binary. On failure: swap the symlink back, exit non-zero.
  6. Restart the service. If the new version fails to start: swap the symlink back, restart the old version, exit non-zero.
Two-level rollback: a binary that runs but misbehaves is caught by the smoke check; a binary that won't even start is caught by the service-restart step. In both cases you end up back on the previous version with no manual intervention.

Manual rollback

If you need to revert after a successful upgrade (e.g. a bug surfaces in production after a clean smoke check):

bash
sudo agentina upgrade --manifest <previous-manifest-url>

Old versions live under /opt/agentina/<version>/ until you garbage-collect them. The installer keeps the most recent 3 installed by default; older ones are deleted on the next upgrade.

Signature verification

Every manifest and every tarball is signed with cosign. The agent installs with the verification public key baked in at install time (/opt/agentina/keys/agentina-internal-release.pub). Builds signed with the dev key are refused unless you pass --allow-dev-builds — useful in test environments, not for production.