cdf17d904d
F1: tolerate up to 3 consecutive health-gate inspect failures (reset on success) before declaring an update failed, so a transient Docker API blip no longer triggers a false rollback. F2: detect baseCtx cancellation during the gate and abort without rolling back or emitting update-failed (debug log only), instead of a misleading "rollback failed" event on every shutdown mid-gate. F3: derive the gate deadline as start + max(RollbackTimeout, StartPeriod+buffer) via effectiveRollbackDeadline, reading the container's healthcheck StartPeriod so a legitimately slow-starting container is not rolled back while starting. F4: only enable the gate when the original reference is a proper tag (new isTagReference helper); skip with a log line for digest-pinned / bare-image-id containers that cannot be re-tagged. F5: document the sequential-tick delay limitation of the gate poll. F6: emit EventUpdated only after the gate confirms healthy (or immediately when no gate is active); the rollback path emits only EventRollback, so the event sequence is truthful. F7: floor RollbackTimeout at 10s in backend and frontend validation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>