From bf0c67539eef0ea869d945c1c73dcb35a79b3259 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Apr 2026 13:24:56 +0300
Subject: [PATCH] =?UTF-8?q?tower=200.61.10=20=E2=80=94=20Phase=20I=20revie?= =?UTF-8?q?w=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pre-test review of 0.61.9 surfaced two issues in the manifest reader: 1. v3 stores instanceCode under provenance.* but readManifestString only looked at recipe → root. Today the v2 root mirror covers it, but a future v4 dropping that mirror would silently lose the filestore-rename hint. 2. Adding a blanket provenance lookup re-opened the leak: a poison bundle could embed provenance.tenantId and have it reachable to any future caller. Fix: provenance lookup is now allowlisted to {instanceCode}. Any new provenance field requires an explicit constant addition, which is a code-review gate against re-introducing the leak. Round-trip simulation (tools/phase_i_simulate.go) passes for v3, v3-pure (no v2 mirrors), v3-poison, and v2.
---
 values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/values.yaml b/values.yaml
index 32ab882..1b3362e 100644
--- a/values.yaml
+++ b/values.yaml
@@ -9,7 +9,7 @@ backend:
 # so every cluster that runs Tower needs the same imagePullSecret
 # provisioned out-of-band (until cluster-platform-v3 owns it).
 repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
- tag: "0.61.9"
+ tag: "0.61.10"
 pullPolicy: IfNotPresent
 imagePullSecrets:
 - name: docker-mirror-pull