32a2b7a9ae
P0 Health-gated rollback (standalone auto-update path): capture the previous image id + reference + healthcheck before the recreate, then poll the new container's health over a configurable window. On healthy proceed (and only then clean up the old image); on unhealthy/exit/timeout re-tag the old image back onto the original reference and Recreate (no pull) to restore it, reusing Recreate's config preservation. The decision is a pure decideRollback() helper. P1 Per-endpoint enable: ContainerAutomationDisabled flag on Endpoint (zero value participates, no migration churn), checked by both daemons; settable via the endpoint update API. UI control deferred (see report). P2 Notifier seam: minimal Notifier interface + logNotifier, emitting structured updated/rollback/update-failed/heal-restarted events from the daemon. Settings: RollbackOnFailure + RollbackTimeout (default 120s) added to ContainerAutomation.AutoUpdate, wired through defaults/migration/golden, settings_update validation, the AutoUpdatePanel and the TS types. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>