Drain + canary + auto-rollback
Every live deploy goes through a drain-and-swap sequence: the new container starts, passes its health check, takes over traffic via an atomic Caddy route swap, and only then is the old container stopped (after a 5-second drain window so in-flight requests complete cleanly).
A 60-second canary monitor probes the new version after the swap. If two probes return 5xx in a row, Percher automatically rolls back: restores the previous upstream, stops the failed container, and marks the deploy failed. You see this live in the dashboard as a stepper — Build → Start → Health check → Swap → Canary → Live — with a Rolled back row if the canary fired.
Opt out per instance by setting PERCHER_CANARY_AUTO_ROLLBACK=false. The canary window and drain time can be tuned via PERCHER_CANARY_WINDOW_MS and PERCHER_DRAIN_GRACE_MS.
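The canary rule described above, as an added Python sketch that is not Percher's own code: it shows that only two 5xx probes in a row inside the window trigger a rollback, while flapping, 4xx responses and late failures do not. Assumptions: probes arrive as (milliseconds since swap, HTTP status) pairs, the defaults of 60000 ms and 5000 ms mirror the 60-second and 5-second figures, only the string false disables rollback, and an opted-out deploy stays live.

```python
import os

CONSECUTIVE_5XX = 2  # from the text: two 5xx probes in a row


def load_settings(env=os.environ):
    """Read the three variables named above (defaults are assumptions)."""
    flag = env.get("PERCHER_CANARY_AUTO_ROLLBACK", "true").strip().lower()
    return {
        "auto_rollback": flag != "false",
        "window_ms": int(env.get("PERCHER_CANARY_WINDOW_MS", "60000")),
        "drain_ms": int(env.get("PERCHER_DRAIN_GRACE_MS", "5000")),
    }


def canary_verdict(probes, settings):
    """probes: (ms_since_swap, http_status) pairs in time order.

    Returns (verdict, rollback_steps); verdict is 'live' or 'rolled_back'.
    """
    streak = 0
    for t_ms, status in probes:
        if t_ms > settings["window_ms"]:
            break  # canary window is over; later probes are ignored
        # Any non-5xx response resets the streak, so flapping never fires.
        streak = streak + 1 if 500 <= status <= 599 else 0
        if streak >= CONSECUTIVE_5XX and settings["auto_rollback"]:
            return "rolled_back", [
                "restore previous upstream",
                "stop failed container",
                "mark deploy failed",
            ]
    return "live", []


# Constructed probe sequences (not real Percher output).
FLAPPING = [(5000, 200), (10000, 502), (15000, 200), (20000, 503), (25000, 200)]
FAILING = [(5000, 200), (10000, 502), (15000, 503), (20000, 200)]
LATE = [(55000, 500), (65000, 500)]  # second 5xx lands after the window

if __name__ == "__main__":
    cfg = load_settings()
    for name, seq in (("flapping", FLAPPING), ("failing", FAILING), ("late", LATE)):
        print(name, canary_verdict(seq, cfg)[0])
```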