bf0c67539e
Pre-test review of 0.61.9 surfaced two issues in the manifest reader:
1. v3 stores instanceCode under provenance.* but readManifestString
only looked at recipe → root. Today the v2 root mirror covers it,
but a future v4 dropping that mirror would silently lose the
filestore-rename hint.
2. Adding a blanket provenance lookup re-opened the leak: a poison
bundle could embed provenance.tenantId and have it reachable to
any future caller.
Fix: provenance lookup is now allowlisted to {instanceCode}. Any
new provenance field requires an explicit constant addition,
which is a code-review gate against re-introducing the leak.
Round-trip simulation (tools/phase_i_simulate.go) passes for v3,
v3-pure (no v2 mirrors), v3-poison, and v2.
2.0 KiB
2.0 KiB