ObolNetwork · OisinKyne · Jun 16, 2026 · Jun 16, 2026
diff --git a/internal/embed/infrastructure/base/templates/llm.yaml b/internal/embed/infrastructure/base/templates/llm.yaml
@@ -303,14 +303,14 @@ spec:
         - name: x402-buyer
           # Pinned by sha256 digest (multi-arch manifest list, amd64+arm64)
           # so the deployed sidecar is byte-for-byte identical across QA
-          # hosts. The :d16d167 tag is preserved for human readability; the
+          # hosts. The :6c77f17 tag is preserved for human readability; the
           # digest is authoritative.
           # Previous tag-only pin allowed the local-build path to silently
           # reuse a 5-day-old `:latest` image and ate the release-smoke 503
           # investigation: stale buyer serialized X-PAYMENT with empty
           # authorization fields → facilitator /verify 400 → 503 cascade
           # across flow-08/11/14/13. See internal/embed/embed_image_pin_test.go.
-          image: ghcr.io/obolnetwork/x402-buyer:d16d167@sha256:3e45377eff12474f1ae65a8514cf8d75375bcf84e649a6c25b7cae0c350a803f
+          image: ghcr.io/obolnetwork/x402-buyer:6c77f17@sha256:675b1ca779593e4faeb230832b70dd5a169bd2a3b2fa746b9d08e3db91ff00c7
           imagePullPolicy: IfNotPresent
           # PSS Restricted + writable PVC. On fresh clusters the StorageClass
           # asks local-path-provisioner for local PVs, so kubelet applies the

diff --git a/internal/embed/infrastructure/base/templates/x402.yaml b/internal/embed/infrastructure/base/templates/x402.yaml
@@ -262,7 +262,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: verifier
-          image: ghcr.io/obolnetwork/x402-verifier:d16d167@sha256:1d501bbaa14cd3bfc37cffa47c1c8d19a5743e86cb6066bc73f3197b89ca0abf
+          image: ghcr.io/obolnetwork/x402-verifier:6c77f17@sha256:c842395fad3fe392fa81d6dbb01e403cf4d62ea52537252c8368986fdee43076
           imagePullPolicy: IfNotPresent
           # PSS Restricted: per-container hardening. Verifier is a Go binary
           # reading two RO ConfigMaps; no writeable rootfs paths required.
@@ -364,7 +364,7 @@ spec:
           # bug; b39bcaa (post-rc10 main) carries it, and also ships PR #590's
           # actionable pending-registration status message.
           # See TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix.
-          image: ghcr.io/obolnetwork/serviceoffer-controller:d16d167@sha256:ab2bc596b0c2b40664519d01e37aea349a6df22dd1b4ed5e44c1c9e1fcf89519
+          image: ghcr.io/obolnetwork/serviceoffer-controller:6c77f17@sha256:c6e7bea7f6ba3492da10e7c29da37b29c1b15176da92a7fcb281416e815a2e13
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false