Push a model bundle

This walks through the core loop: take a model, sign it into the platform, and roll it out to devices with a health check and automatic rollback — the same loop you use for containers and configuration.

1. Get the artifact in

You have two ways to bring an artifact in:

• Connect a registry you already use. The platform resolves the chosen tag to an immutable digest at publish time and pins it. Devices pull through a facade and never receive your registry credentials.
• Push the artifact directly (for example a model file) to the platform.

Either way, the artifact is signed into the update metadata as it is published. There is no separate "sign it later" step — an unsigned artifact cannot become a rollout.

A model artifact carries a manifest: framework (ONNX, TensorRT, TFLite), input specification, evaluation metrics, and the target hardware profile. That metadata is what lets the platform refuse to send a model to hardware it does not fit.

2. Define a health probe

A rollout is only as safe as its health check. A probe is one of:

• exec — run an allowlisted health-check binary on the device; exit zero means healthy.
• HTTP — a GET that must return a success status.
• file — a readiness file your application writes.

If the probe fails after the swap, the agent restores the previous version on its own. Defining the probe is how you make rollback meaningful.

3. Roll it out

Create a rollout against a target — a static group or a capability selector — and choose a strategy. The typical shape is a canary first (a small cohort), then widening waves, with a halt rule on failure rate so the fleet pauses itself if something goes wrong.

rollout — yolo-v8n@2.1.0 → plant-7 (canary 10%)
  artifact signed                       TUF · publisher
  wave 1/3 → 4 devices                  canary
  jetson-line7-01 verified · swapped    healthy
  jetson-line7-03 probe failed          rolling back
  jetson-line7-03 restored 2.0.4        recovered
  halt rule tripped — rollout paused    halted
  fleet impact: 0 devices down

You watch each device verify, swap and probe in real time. A bad model takes down no devices: the ones that received it recover themselves, and the rollout halts before it spreads.

4. Promote

When the canary looks good, widen to the rest of the fleet. Every step — published, approved, updated, rolled back — is written to the append-only audit trail, which is what your compliance evidence reads from.

Next

• Health probes & rollback
• Trust Center — see exactly what was signed and by which key.