[Bug] Updater can offer stale pending downgrade

[Astro-Han]

What happened?

PawWork can keep prompting to install an already-downloaded updater package even when that pending package is older than the currently running app version.

Observed during the v0.2.8 replacement release: the app had already moved back to 0.2.8, but the updater toast still said an update was available for 0.2.7. Inspecting the pending cache showed that PawWork was holding onto an older downloaded update:

• ~/Library/Caches/pawwork-updater/pending/pawwork-mac-arm64.zip
• ~/Library/Caches/pawwork-updater/pending/update-info.json

The cached zip was unpacked and its Info.plist reported 0.2.7, while the live GitHub release metadata and direct v0.2.8 zip download both reported 0.2.8.

The logs show the stale pending download was created during a temporary release replacement window:

2026-04-23 05:59:01 update metadata fetched { releaseVersion: '0.2.7', ... }
2026-04-23 05:59:08 New version 0.2.7 has been downloaded to .../pawwork-updater/pending/pawwork-mac-arm64.zip
2026-04-23 06:09:00 update already downloaded { releaseVersion: '0.2.7' }

This is especially risky because setupAutoUpdater() currently sets autoUpdater.allowDowngrade = true, so a temporarily older latest release can be accepted and cached as a ready update.

Steps to reproduce

1. Run PawWork 0.2.8.
2. Make GitHub latest temporarily point to an older stable release such as 0.2.7.
3. Let PawWork check for updates and download the older package.
4. Restore GitHub latest to 0.2.8.
5. Let PawWork check for updates again.
6. See that PawWork still reports the already-downloaded 0.2.7 update as ready.

What did you expect to happen?

PawWork should never prompt to install a pending update whose version is lower than or equal to the current app version.

At minimum, the updater controller should discard a stale pending update and run a fresh update check when readyVersion <= currentVersion.

We should also reconsider whether stable production builds should set allowDowngrade = true.

PawWork version

v0.2.8

OS version

macOS

Can you reproduce it again?

Only once so far

Screenshots, recordings, or extra context

The issue was found from local updater evidence:

• Live v0.2.8/latest-mac.yml was version: 0.2.8.
• Directly downloaded v0.2.8/pawwork-mac-arm64.zip unpacked to app version 0.2.8.
• Local pending updater cache unpacked to app version 0.2.7.
• ~/Library/Logs/PawWork/main.log repeatedly logged update already downloaded { releaseVersion: '0.2.7' }.

[Astro-Han]

Implementation plan after root-cause analysis and reviewer pass:

1. Stable production builds should not accept downgrades. Set autoUpdater.allowDowngrade = false for the normal stable updater path, and add a focused assertion that final updater setup still has allowDowngrade === false after setting channel = "latest", because the channel setter can affect downgrade behavior and ordering matters.

2. Use a manual-prompt install flow on macOS only. Set autoUpdater.autoInstallOnAppQuit = false on macOS so native Squirrel.Mac cannot stage or install a downloaded update outside PawWork's explicit install action. Keep Windows behavior unchanged unless tests show the same risk there.

3. Make the main process own the complete install-and-quit sequence. Renderer update actions should request install once and should not immediately call a separate relaunch after platform.update(). This avoids racing macOS Squirrel.Mac, where quitAndInstall() may still be handing the downloaded package to the native updater.

4. PawWork's updater controller should enforce its own semver gate before returning a cached ready update or downloading a fresh provider result. Use semver parsing and gt, never string comparison. readyVersion > currentVersion is the only state that can stay ready. readyVersion <= currentVersion is stale. Invalid versions fail closed and must not prompt installation.

5. When a stale pending update is detected, clear PawWork's in-memory ready latch and physically delete the pending updater cache, including the pending zip and update-info.json. Cache cleanup must be strict and propagate errors. Do not rely on DownloadedUpdateHelper.clear() or cleanCacheDirForPendingUpdate() because that helper swallows cleanup errors.

6. Resolve the pending cache path from the updater configuration, not from a hardcoded macOS path. The path should come from electron-updater's cache base plus updaterCacheDirName from app-update.yml (pawwork-updater today), then delete that cache's pending directory. This keeps macOS, Windows, beta, and future config changes covered.

7. If cache cleanup fails, return a failed update result with a new cache reason. Do not continue to a fresh check while the stale local package remains on disk. Adding reason: "cache" also needs renderer-facing type coverage, especially packages/app/src/context/platform.tsx and any preload or IPC result types that mirror update failure reasons.

8. Fresh update checks must apply the same semver gate before download. If the provider reports an older or equal version as available, treat it as no usable update and do not download it. If electron-updater.checkForUpdates() throws ERR_UPDATER_INVALID_VERSION before PawWork receives normal metadata, map that to metadata failure.

9. Tests should cover stale ready cache cleanup and recheck, cleanup failure returning reason: "cache", invalid version metadata failing closed, older or equal provider versions not downloading, semver ordering such as 0.2.10 > 0.2.9, final updater config ordering, macOS-only autoInstallOnAppQuit = false, renderer no longer calling a separate relaunch after install, cache path resolution from config, and the existing ready latch behavior only applying to truly newer versions.

Non-goal: this does not add a rollback channel. If PawWork ever needs rollback support, it should be a separate explicit recovery path rather than the default stable updater behavior.