chore(release): repin x402 images to c19ffaf for rc14

Rebuild x402-verifier, serviceoffer-controller, and x402-buyer from
release/v0.10.0-rc14 HEAD (docker-publish-x402 workflow_dispatch run
27265470511) and repin the embedded manifests to the new multi-arch
digests. Resolves the FOLLOW-UP gate recorded in embed_image_pin_test.go:
the prior 04bebbc pins were this train's merge base and contained none of
the train's verifier/controller/buyer changes (settled-but-failed
ConfirmSpend, settle tx hash on the error path, maxTimeoutSeconds on the
402 wire, UID-1000 sub-agent rendering, Hermes v2026.6.5 default).

Author: bussyjd

internal/embed/embed_crd_test.go

@@ -819,10 +819,12 @@ func TestX402VerifierImage_CarriesAgentAuthFix(t *testing.T) {
 		t.Fatalf("ReadInfrastructureFile: %v", err)
 	}
 
-	// Bumped to 04bebbc (current main HEAD as of rc13) to also carry ab71481
-	// (suppress verifyOnly=false warning on the in-process settle path). The
-	// agent upstream auth fix from abfd55a remains in scope.
-	const ref = "ghcr.io/obolnetwork/x402-verifier:04bebbc@sha256:a80f72c89341a422724ad1b5d5d5da0c8cdd246b9dcabc6560e369b48ed5d775"
+	// Bumped to c19ffaf (release/v0.10.0-rc14 HEAD) to carry the rc14
+	// verifier changes: settle tx hash surfaced via X-PAYMENT-RESPONSE on
+	// the error path and ClampMaxTimeoutSeconds on the 402 wire. The agent
+	// upstream auth fix from abfd55a and ab71481's verifyOnly warning
+	// suppression remain in scope (ancestors via main).
+	const ref = "ghcr.io/obolnetwork/x402-verifier:c19ffaf@sha256:535067aa8bcfaac6f628d76733c5786b0d0e46f70e8ffdc978d53e91e27fb8e6"
 	if !strings.Contains(string(data), "image: "+ref) {
 		t.Fatalf("x402-verifier image must carry agent upstream auth fix: %s", ref)
 	}
@@ -835,7 +837,9 @@ func TestX402VerifierImage_CarriesAgentAuthFix(t *testing.T) {
 // built from source that has that behaviour — the prior f5d94fc side-branch pin
 // did not, so the deployed binary Updated the per-agent Secrets on re-reconcile
 // and 403'd. b39bcaa (post-rc10 main) carries the fix, and also ships PR #590's
-// actionable pending-registration status message.
+// actionable pending-registration status message. The current c19ffaf pin
+// (release/v0.10.0-rc14 HEAD) descends from b39bcaa via main, so the fix
+// remains in scope.
 // Bumping this pin requires a conscious, documented change here so a future
 // downgrade can't silently re-ship the bug.
 func TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix(t *testing.T) {
@@ -844,7 +848,7 @@ func TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix(t *testing.T) {
 		t.Fatalf("ReadInfrastructureFile: %v", err)
 	}
 
-	const ref = "ghcr.io/obolnetwork/serviceoffer-controller:04bebbc@sha256:286d07604c001006d54a5f89ef854210ab805859c072e7b8dd89fe0c6f130d7d"
+	const ref = "ghcr.io/obolnetwork/serviceoffer-controller:c19ffaf@sha256:7d907f525f7b020a5b40a87c7088b9a12286b4c9197bd2f1ee8d5e4710ff7346"
 	if !strings.Contains(string(data), "image: "+ref) {
 		t.Fatalf("serviceoffer-controller image must carry the Secret-create-only reconciler fix "+
 			"(else per-agent provisioning 403s under the no-update/patch Secret RBAC): %s", ref)

internal/embed/embed_image_pin_test.go

@@ -230,31 +230,24 @@ func TestEmbeddedImages_X402ControllerAndBuyerUseFixPins(t *testing.T) {
 		ref  string
 	}{
 		{
-			// Repinned to 04bebbc (current main HEAD as of rc13) to pick up:
-			//   - ab71481 fix(x402): suppress verifyOnly=false warning on the
-			//     in-process settle path — covers the per-request log spam
-			//     seen by sell-agent buyers on the prior pin.
-			//   - 86b8c9f fix(x402-buyer): drop expired pre-signed auths
-			//     before signing — affects long-running paid inference.
+			// Repinned to c19ffaf (release/v0.10.0-rc14 HEAD; the rc11
+			// pattern, cf. 8fb1553) — images built from the release branch
+			// via docker-publish-x402 workflow_dispatch, so unlike the prior
+			// 04bebbc base pin they DO contain this train's source changes:
+			//   - controller renders sub-agents with Hermes v2026.6.5 and
+			//     the UID-1000 kubelet-owned permission model (#610), and
+			//     surfaces maxTimeoutSeconds in the catalog ext (#614).
+			//   - buyer carries the settled-but-failed ConfirmSpend branch
+			//     (>=400 + settle tx hash counts as money moved) (#614).
 			// Still carries the Secret-create-only reconciler change from
-			// b39bcaa. See TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix.
-			//
-			// FOLLOW-UP REQUIRED after this PR merges: 04bebbc is this PR's
-			// own merge base, so these images do NOT contain this PR's source
-			// changes — the controller still renders sub-agents with Hermes
-			// v2026.5.28 (compiled-in agent_render.go default), the verifier
-			// still hardcodes maxTimeoutSeconds=60 and drops the settle tx
-			// hash on facilitator errors, and the buyer lacks the
-			// settled-but-failed ConfirmSpend branch. Rebuild all three from
-			// the merge commit and repin (the rc11 pattern, cf. 8fb1553)
-			// before cutting v0.10.0 final. OBOL_DEVELOPMENT=true masks this
-			// locally because dev clusters rebuild from worktree source.
+			// b39bcaa and the earlier ab71481/86b8c9f fixes (ancestors via
+			// main). See TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix.
 			file: "base/templates/x402.yaml",
-			ref:  "ghcr.io/obolnetwork/serviceoffer-controller:04bebbc@sha256:286d07604c001006d54a5f89ef854210ab805859c072e7b8dd89fe0c6f130d7d",
+			ref:  "ghcr.io/obolnetwork/serviceoffer-controller:c19ffaf@sha256:7d907f525f7b020a5b40a87c7088b9a12286b4c9197bd2f1ee8d5e4710ff7346",
 		},
 		{
 			file: "base/templates/llm.yaml",
-			ref:  "ghcr.io/obolnetwork/x402-buyer:04bebbc@sha256:1c2bb19824bae2caf4b305a495b6686ff6e973b378c2b88fc89d73a06265aaf7",
+			ref:  "ghcr.io/obolnetwork/x402-buyer:c19ffaf@sha256:e23e30430670600faf2c1082c1bfbd5ae78d99c0355cf31c98e3c77e52f5fd2d",
 		},
 	}
 

internal/embed/infrastructure/base/templates/llm.yaml

@@ -303,14 +303,14 @@ spec:
         - name: x402-buyer
           # Pinned by sha256 digest (multi-arch manifest list, amd64+arm64)
           # so the deployed sidecar is byte-for-byte identical across QA
-          # hosts. The :04bebbc tag is preserved for human readability; the
+          # hosts. The :c19ffaf tag is preserved for human readability; the
           # digest is authoritative.
           # Previous tag-only pin allowed the local-build path to silently
           # reuse a 5-day-old `:latest` image and ate the release-smoke 503
           # investigation: stale buyer serialized X-PAYMENT with empty
           # authorization fields → facilitator /verify 400 → 503 cascade
           # across flow-08/11/14/13. See internal/embed/embed_image_pin_test.go.
-          image: ghcr.io/obolnetwork/x402-buyer:04bebbc@sha256:1c2bb19824bae2caf4b305a495b6686ff6e973b378c2b88fc89d73a06265aaf7
+          image: ghcr.io/obolnetwork/x402-buyer:c19ffaf@sha256:e23e30430670600faf2c1082c1bfbd5ae78d99c0355cf31c98e3c77e52f5fd2d
           imagePullPolicy: IfNotPresent
           # PSS Restricted + writable PVC. On fresh clusters the StorageClass
           # asks local-path-provisioner for local PVs, so kubelet applies the

internal/embed/infrastructure/base/templates/x402.yaml

@@ -250,7 +250,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: verifier
-          image: ghcr.io/obolnetwork/x402-verifier:04bebbc@sha256:a80f72c89341a422724ad1b5d5d5da0c8cdd246b9dcabc6560e369b48ed5d775
+          image: ghcr.io/obolnetwork/x402-verifier:c19ffaf@sha256:535067aa8bcfaac6f628d76733c5786b0d0e46f70e8ffdc978d53e91e27fb8e6
           imagePullPolicy: IfNotPresent
           # PSS Restricted: per-container hardening. Verifier is a Go binary
           # reading two RO ConfigMaps; no writeable rootfs paths required.
@@ -352,7 +352,7 @@ spec:
           # bug; b39bcaa (post-rc10 main) carries it, and also ships PR #590's
           # actionable pending-registration status message.
           # See TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix.
-          image: ghcr.io/obolnetwork/serviceoffer-controller:04bebbc@sha256:286d07604c001006d54a5f89ef854210ab805859c072e7b8dd89fe0c6f130d7d
+          image: ghcr.io/obolnetwork/serviceoffer-controller:c19ffaf@sha256:7d907f525f7b020a5b40a87c7088b9a12286b4c9197bd2f1ee8d5e4710ff7346
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false