How does mender client store provides on the device?

I’m trying to understand how mender-client stores provides on device.

  • Where are they stored, and when do they get written to the device?
  • Are they available pre-commit of the artifact?
  • How is the data protected - could an attacker change the value of provides, or is it guarded against modification in any way?
  • Is there a command or file where they’re stored, if I want to programmatically read provides on-device?

I found this doc, but it doesn’t go into much detail.
https://docs.mender.io/overview/artifact#provides-and-depends

I have a few different use cases for provides pre-commit, but I don’t have enough information to understand how to use it on-device.

They are stored in /var/lib/mender/mender-store, an LMDB database. They get written immediately after the ArtifactCommit state has finished successfully, together with the new artifact name.

Yes, but only in Update Modules, not in state scripts. They are available as artifact headers in header/header-info inside the directory which is passed to the Update Module when it is called. See the File API in the Update Module specification for more information.

They are protected by normal Unix file permissions, writable by root only.

Yes, use mender show-provides. Note that this only displays the currently active provides, which, during an installation, are still the old provides. Use the header approach I described above if you need the provides of the new artifact during installation.
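
The root-only protection described in the answer above can be checked on a device. The following is an added example, not part of the original thread and not Mender's own code: it audits the store path given in the answer for ownership and write permissions. The function names, the `trusted_uid` parameter and the extra check of the parent directory are assumptions of this example.

```python
import os
import stat

STORE = "/var/lib/mender/mender-store"  # path given in the answer above


def audit_path(path, trusted_uid=0):
    """Return a list of findings; empty means only trusted_uid can modify path."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink")
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: group- or world-writable (mode {mode:o})")
    return findings


def audit_store(store=STORE, trusted_uid=0):
    """Check the store file and the directory that contains it.

    The directory matters because write access to it allows the file to be
    renamed or replaced without write access to the file itself.
    """
    parent = os.path.dirname(os.path.abspath(store))
    return audit_path(store, trusted_uid) + audit_path(parent, trusted_uid)


if __name__ == "__main__":
    problems = audit_store()
    for line in problems:
        print("FINDING:", line)
    raise SystemExit(1 if problems else 0)
```

An exit status of 0 means the provides store can only be modified by root through the file system; any finding means the values reported by mender show-provides should not be treated as trustworthy on that device.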