This is the beauty of cryptoeconomics, the development of secure elective economies and systems.
There are a variety of choices with their individual costs and benefits on implementation parameters. I feel that making the upgrades dependent on market expectations would make the most sense. They could place a price/fee on the upgrade with the level of node acceptance to activate on the network. This could definitely open up the door to hard forks, but I advocate for competition and the ability to choose. So, I am not adverse to hard forks.
Yet, there are a number of issues with even this suggestion. Collusion by nodes to avoid paying the set fee by could occur by developers/minters/miners copying the code and upgrading with their signatures could be a potential issue. This type of dishonesty would be an incentive to not build on the network for others. However, these are the types of checks and balances to consider.
It is important to recognize that most people get their nodes from trusted clients. Everyone doesn’t audit the code and they shouldn’t be expected to do so. Thus, lone developers would most likely work with more trusted clients to set the fee and have their code audited. I don’t assume everything will/can take place on chain unless there is some type of developer identification/authentication system on chain.
In the first idea iteration I was thinking, the funds would be stored in a smart wallet/programmed vault/smart contract that releases given nodes send specific parameters.