CDN Strategy
Distribute signed payloads through a multi-tier CDN with atomic rollover, cache-busting, and fallback chains so updates never leave a client stranded.
Tiered Distribution
Payloads live on an origin S3 bucket behind CloudFront. Edge nodes cache immutable, versioned blobs. A tiny manifest (latest.json) with a 60-second TTL points clients at the current artifact name. When you ship a new build, upload the blob, then flip the manifest — zero-downtime cutover.
Atomic Rollover
Never overwrite an existing artifact. Each release carries a unique content-hash in its filename. The manifest is the single mutable pointer. Rollback means pointing the manifest back to the previous hash; no cache invalidation is needed, and clients pick up the change within the manifest's 60-second TTL.
Fallback Chain
Clients try the primary CDN first. On failure they fall back to a secondary region, then a direct S3 signed URL. Each hop adds latency but guarantees reachability. The loader bakes all three endpoints at compile time.
Integrity Verification
Every payload is Ed25519-signed. The manifest includes the expected signature of the payload. Before executing a downloaded blob, the loader verifies that signature against a pinned public key compiled into the binary. Tampered CDN responses are discarded silently.
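The rollover and verification steps above, as an added Go example written here for illustration; it is not the project's own loader code. The page names latest.json but not its fields, so the field layout is an assumption, as are two additions the page does not mention: the manifest bytes are signed with the same pinned key, and the manifest carries a monotonic version counter. Without those, whoever controls an edge node could point the manifest at an older, validly signed artifact, and the loader would accept the downgrade. The sample artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed layout for latest.json (the page names the file but
// not its fields). "version" is an added monotonic counter for rollback
// protection; "artifact" carries the content hash in its name as the page
// describes; "artifact_sig" is the hex Ed25519 signature over the blob.
type Manifest struct {
	Version     uint64 `json:"version"`
	Artifact    string `json:"artifact"`
	ArtifactSig string `json:"artifact_sig"`
}

// ArtifactName derives the immutable, content-addressed filename for a blob.
func ArtifactName(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "payload-" + hex.EncodeToString(sum[:]) + ".bin"
}

// BuildRelease is the publisher side: sign the blob, write the manifest, and
// sign the manifest bytes themselves so the mutable pointer cannot be edited
// by whoever controls the CDN (manifest signing is an assumption, see lead-in).
func BuildRelease(priv ed25519.PrivateKey, version uint64, blob []byte) (manifest, manifestSig []byte, err error) {
	m := Manifest{
		Version:     version,
		Artifact:    ArtifactName(blob),
		ArtifactSig: hex.EncodeToString(ed25519.Sign(priv, blob)),
	}
	manifest, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyManifest checks the manifest signature under the pinned key before any
// field is trusted, then rejects versions at or below the last one this client
// accepted, which blocks a CDN-side rollback to an older signed release.
func VerifyManifest(pub ed25519.PublicKey, manifest, manifestSig []byte, lastAccepted uint64) (Manifest, error) {
	if !ed25519.Verify(pub, manifest, manifestSig) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest malformed: %w", err)
	}
	if m.Version <= lastAccepted {
		return Manifest{}, fmt.Errorf("manifest version %d is not newer than %d: possible rollback", m.Version, lastAccepted)
	}
	return m, nil
}

// VerifyArtifact checks a downloaded blob against an already-verified manifest:
// its content hash must match the name it was fetched under, and its Ed25519
// signature must verify under the pinned key. Only then may it be executed.
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, blob []byte) error {
	if ArtifactName(blob) != m.Artifact {
		return errors.New("artifact hash mismatch: content does not match its name")
	}
	sig, err := hex.DecodeString(m.ArtifactSig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("artifact signature malformed")
	}
	if !ed25519.Verify(pub, blob, sig) {
		return errors.New("artifact signature invalid")
	}
	return nil
}

func main() {
	// Constructed sample release; in practice the private key never leaves the
	// publisher and only pub is compiled into the loader.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	blob := []byte("constructed sample artifact bytes")
	manifest, msig, _ := BuildRelease(priv, 42, blob)

	m, err := VerifyManifest(pub, manifest, msig, 41)
	fmt.Println("manifest accepted:", err == nil)
	fmt.Println("artifact accepted:", VerifyArtifact(pub, m, blob) == nil)

	// Same manifest served again after the client already took version 42.
	_, err = VerifyManifest(pub, manifest, msig, 42)
	fmt.Println("rollback rejected:", err != nil)
}
```

Each rejection path returns a distinct error so the loader can log which check failed; silently dropping a tampered response hides exactly the signal a defender wants when a CDN edge or an upstream account has been compromised.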