chore(remote-signer): bump chart and image version

OisinKyne · OisinKyne · commit d0b51b24183f · 2026-06-16T02:24:27.000+02:00
diff --git a/internal/agentruntime/charts.go b/internal/agentruntime/charts.go
@@ -5,12 +5,14 @@ package agentruntime
 // deployments. It MUST be updated as a single edit; bumping it here
 // updates every consumer in lockstep.
 //
-// Chart 0.3.2 ships remote-signer image `v0.3.0`, which emits canonical
-// Ethereum recovery-id signatures (`v=27/28`) from `/sign/.../message`,
-// `/sign/.../typed-data`, and `/sign/.../hash`. Earlier images returned
-// `v=0/1` (alloy y-parity), which was rejected by EIP-712 / ERC-3009
-// verifiers like USDC `transferWithAuthorization` and forced the buy.py
-// caller to renormalize.
+// Chart 0.3.3 ships remote-signer image `v0.4.0`, which honours
+// `SIGNER__AUTH__TOKEN` (the bearer token the controller mints into the
+// keystore Secret and injects via env). Canonical Ethereum recovery-id
+// signatures (`v=27/28`) from `/sign/.../message`, `/sign/.../typed-data`,
+// and `/sign/.../hash` have been the baseline since chart 0.3.2 / image
+// v0.3.0 — earlier images returned `v=0/1` (alloy y-parity) and forced
+// the buy.py caller to renormalize for EIP-712 / ERC-3009 verifiers like
+// USDC `transferWithAuthorization`.
 //
 // renovate: datasource=helm depName=remote-signer registryUrl=https://obolnetwork.github.io/helm-charts/
-const RemoteSignerChartVersion = "0.3.2"
+const RemoteSignerChartVersion = "0.3.3"
diff --git a/internal/serviceoffercontroller/agent_wallet.go b/internal/serviceoffercontroller/agent_wallet.go
@@ -15,11 +15,12 @@ import (
 // Constants for the per-agent remote-signer side-stack. Image pinned by
 // digest is desirable but the chart still publishes by tag — keeping the
 // version synced with agentruntime.RemoteSignerChartVersion's notes
-// (chart 0.3.2 → image v0.3.0, the canonical recovery-id behaviour).
+// (chart 0.3.3 → image v0.4.0, the first image that honours
+// SIGNER__AUTH__TOKEN).
 const (
 	remoteSignerName  = "remote-signer"
 	remoteSignerPort  = 9000
-	remoteSignerImage = "ghcr.io/obolnetwork/remote-signer:v0.3.0"
+	remoteSignerImage = "ghcr.io/obolnetwork/remote-signer:v0.4.0"
 	// Image hard-codes /data/keystores as the default and reads its
 	// config under the SIGNER__... env namespace; values picked to match
 	// the master agent's working config in hermes-obol-agent.
@@ -34,8 +35,8 @@ const (
 	// Bearer token for the signer's REST API. Injected into the signer
 	// as SIGNER__AUTH__TOKEN and into Hermes as REMOTE_SIGNER_TOKEN —
 	// defense-in-depth on top of the agent-isolation NetworkPolicy.
-	// Signer images < v0.4.0 ignore the env, so injection is a safe
-	// no-op until the image pin advances.
+	// Honoured by signer image v0.4.0+ (the version chart 0.3.3 ships);
+	// older images silently ignore the env.
 	remoteSignerAuthTokenKey = "authToken"
 )
 
