Offline OTA Update System — Signed Updates for Edge Linux

Most OTA systems assume cloud connectivity. Field-deployed edge hardware — industrial gateways, agricultural controllers, remote sensors — often has none. Offline OTA Update System is built for exactly that: deliver and apply firmware/app updates with full cryptographic safety and automatic rollback, entirely offline.

**Signed bundle delivery**: Updates ship as signed bundles delivered over USB or local HTTP. The device agent validates version, target, file hashes, and signature against a trusted public key before anything touches the active system. An update that fails verification never gets staged.

**Staged installs with symlink switching**: Releases are staged into inactive directories. The agent only switches the active release (via atomic symlink swap) after the new version is fully written and verified, then restarts the service. The previous release stays intact on disk.

**Health-check promotion + automatic rollback**: After switching, the agent runs health checks against the new release. If they pass, the update is promoted. If they fail — or the service crashes — the agent automatically rolls back to the last known-good release by switching the symlink back. This is the core safety guarantee: a bad update can't brick the device.

**Components**: a device updater daemon and state machine (`agent/`), a release builder + demo app for Raspberry Pi (`demo_service/`), a local dashboard and API for status and audit history (`server/`), a manifest + signing tool (`signer/`), and systemd units for device integration (`device/`).

The full workflow: build a release bundle with manifest and signatures → deliver over USB or local HTTP → device validates version/target/hashes/signature → stage to inactive location → switch active release and restart → health checks confirm success or trigger rollback.