Lab: Opt-in background autoupdate for the swamp binary (configurable cadence + risk tolerance)

Problem

Today, the swamp binary updates only when a user explicitly runs swamp update. In practice users routinely run versions that are days or weeks behind master. Multiple times today this session we hit issues that were already fixed in a newer build — only discovered after reproducing, filing tickets, and noticing the version delta. Each round costs real time on both the user side and the maintainer side.

Failure modes of the current "pull manually" model:

Users forget to run swamp update for weeks, so they hit known and already-fixed bugs.
Multi-person teams drift to inconsistent versions, making bug repros hard.
"Have you run swamp update?" becomes the universal first response in support — wasting time on both sides.

Proposed solution

Add an opt-in background autoupdater with two configurable settings:

Cadence — how often the agent checks for updates. Options: daily, weekly, manual (off). Default for opt-in users: daily.
Risk tolerance / channel — which release stream to follow. Options: stable (released versions only), latest (every successful main build, including pre-release). Default: stable.

Platform-native scheduling:

macOS: launchd LaunchAgent (~/Library/LaunchAgents/club.swamp.autoupdate.plist)
Linux: systemd --user timer or fallback cron
Windows: Task Scheduler

Configuration uniform across platforms via existing config plumbing:

swamp config set update.auto enabled
swamp config set update.cadence daily
swamp config set update.channel stable

Or interactively:

$ swamp update --setup-auto
? How often should swamp check for updates? (daily/weekly/manual) [daily]: 
? Which channel? (stable/latest) [stable]: 
✓ Installed launchd agent at ~/Library/LaunchAgents/club.swamp.autoupdate.plist
✓ Next check scheduled: tomorrow 09:00 local

swamp update (manual) should remain the default and primary path. Autoupdate is purely opt-in — never auto-enabled.

Why opt-in matters

Some users — especially CI environments and shared infrastructure — explicitly need pinned binaries. Defaulting to off keeps the current invariant intact for them. Casual local users opt in once and the "stale binary" problem goes away permanently.

Signals it works

After autoupdate is enabled and a new release ships, the user's swamp --version reflects the new build on their next invocation, without manual intervention.
The autoupdater logs to a known location (e.g. ~/.swamp/log/autoupdate.log or platform-equivalent) so users can audit "when did my version change?" and triage post-update breakage.
swamp update --setup-auto status reports the current schedule, last check, last upgrade, and next scheduled check.

Suggested companion skill

A swamp-autoupdate skill would let agents walk users through the choice during onboarding — asking cadence and risk tolerance, then writing the config. Slots naturally next to swamp-getting-started.

Alternatives considered

Auto-update on every invocation (like some package managers do): too disruptive — would slow every command and add network dependency at runtime.
Stale-version warning on invocation: easier to implement but does not actually solve the "I forgot" problem; users dismiss warnings.
Stick with the manual-only model + better release notifications: viable, but does not close the gap for users who do not monitor announcements.

Environment / motivation

Observed today: ran into already-fixed behaviors against swamp 20260504.140403.0-sha.d4c9188f, then a manual swamp update jumped me to 20260504.162725.0-sha.51f43769 — a build from earlier the same day. That is the gap the autoupdater would have closed automatically.

swamp issue get should rate-limit unauthenticated users instead of blocking

swamp issue get should not require authentication

telemetry: emit child entries for follow-up action method invocations

Publish release-candidate / unstable extension versions

extension source rm leaves stale @local/. rows in catalog, blocking later pulls of registry types

extension push drops binaries: field from re-emitted archive manifest.yaml

macOS launchd autoupdate (club.swamp.autoupdate) silently fails — binary stays stale

Clicking @hivemq/honeycomb extension card on /extensions shows 'Something went wrong'

Docs: Update model-definitions.md and workflows.md for direct type execution

Docs: document binaries manifest field in extension-manifest.md

Add an official @swamp/ssh extension for general-purpose SSH (brownfield-friendly)

Accept and display binaries field from extension push metadata

Direct type execution: collapse model create + method run into one command

Per-method telemetry events for workflow runs

Workflow run liveness: orphaned 'running' records when originating CLI process dies mid-run

Provide a CLI-shape primer for AI agents to reduce rediscovery overhead

quality rubric: don't penalize extensions whose upstream constrains them to a single platform

Extension update rejects multiple .ts files extending the same target type within one local extension (regression)

swamp extension push deadlocks when invoked from inside a swamp workflow step

Collective-scoped auth keys + OIDC federation for CI publishing

forEach self.* in modelIdOrName not resolved in runtime execution path

Award leaderboard points for referrals and collective invites

Add agent harness detection and AiTool to telemetry

Workflow-level runtime expressions (env.*, vault.*) not resolved in driverConfig — docker driver receives literal ${{ ... }} strings

Implement W5: Per-fingerprint import URLs + subprocess test harness (extension catalog rearchitecture)

swamp config set crashes with YAML serialization error

datastore compact: VACUUM fails in compiled binary (SQLITE_LIMIT_ATTACHED=0)

Repo-level version gating: minSwampVersion high-water mark for team consistency

Docs: document self.* expressions in modelIdOrName during forEach

Docs: How-to guide for background autoupdating

Manifest version bumps silently ignored for existing local extension aggregates

materialiseExtensions misclassifies pulled rows when manifest name collides with a pulled extension

Local extension edits don't reliably trigger rebundle

Missing unique indexes on user.email and user.username allow duplicate users

Resolve self.* expressions in modelIdOrName during forEach expansion

discord-bot double-sends sign_up notifications

Discord bot sends duplicate signup notifications

Add 'swamp workflow list' as alias for 'swamp workflow search'

Add 'swamp auth status' as alias for 'swamp auth whoami'

Extension bundle cache does not invalidate on source edits

extension pull fails on @local/[email protected] phantom-claim collision when local repo has its own extension

Lab search by numeric issue ID returns no results

W3 sourceToRow writes empty source_mtime — should carry filesystem mtime through Source entity

Warm-start rebundleAndUpdateCatalog should respect terminal RowStates set by reconcile

Implement W4: KindAdapter + unified loader (extension catalog rearchitecture)

Docs: add vault read-secret command to reference manual

Extension layer garbage collection: prune catalog rows + evict orphaned bundles

Docs: document workflow concurrency limits in reference manual

Locally-sourced extension: source_mtime updates without regenerating stale bundle

Extension push: allow shipping executable host helpers (bin/mudroom blocker)

Vault expressions silently deliver __SWAMP_VSEC__ sentinels under the docker driver

First-class shell-shim support for extensions, with registry-level visibility

Local extension model bundles don't rebuild when source changes (no rebuild CLI; manual cache delete breaks the runner)

Configurable concurrency limits for workflow fan-out (forEach, parallel jobs/steps)

feat(security): redact sensitive method arg values from audit log

docs: document swamp datastore compact and GC WAL behaviour

UAT: swamp datastore compact reclaims WAL and catalog space

Plan v4 step 9 literal test untestable under current catalog PK semantics

Cross-process concurrency stress for W2 lifecycle services

UAT additions for W2 lifecycle services (Install/Remove/Upgrade)

Implement W3: ReconcileFromDisk + freshness-as-aggregate-query (extension catalog rearchitecture)

doctor extensions repair: clean catalog-only orphans

Extensions should be able to ship Claude Code skills

Pre-existing TOCTOU windows in YAML repo walkers (findAll directory level + findById)

`swamp datastore setup` migration is not resumable / leaves the repo in a partial state on failure

Built-in models must honor AbortSignal so --timeout works in practice

Reader-lock or lock-free read path for data list/get/search/query

data search: surface jobTag alongside workflowTag and stepTag (follow-up to #237)

global-arg silently strips unknown keys; should reject via strict Zod schema

redmine extension: adopt state machine patterns from @magistr for agent-driven workflows

performance degrades significantly with large SQLite catalog

summarise: timeout/hang on repos with many workflow runs

extension quality/fmt fail on pulled extensions (path mismatch)

vault: add read-secret CLI command for agent-driven secret retrieval

data query: stepName and jobName fields always empty in CEL results

Extension ecosystem: shared utility library, version sync tooling, and HTTP resilience patterns

Agentic CLI improvements: --json stdout isolation, array inputs, and --repo-dir consistency

data delete fails with "Directory not empty (os error 39)" when concurrent writes are active

Extract LockfileRepository (W2 prequel for swamp-club#231)

Extend DatastoreSyncService.markDirty() with optional relPath argument

Workflow-level runtime expressions (env., vault.) not resolved in driverConfig — docker driver receives literal ${{ ... }} strings