Replace per-Secret hashing with source-agnostic phase content hashing

Addresses PR review feedback:
- Compute SHA-256 hash per resolved phase (name + objects) instead of
  per-Secret, making immutability verification source-agnostic and
  futureproof for bundle refs.
- Move hash computation after buildBoxcutterPhases succeeds so hashes
  are only persisted for successfully resolved content.
- Remove Blocked reason from skipTerminallyBlockedPredicate so blocked
  COS can be re-reconciled when the underlying issue is fixed.

API: rename ObservedObjectContainer → ObservedPhase, field
observedObjectContainers → observedPhases in ClusterObjectSetStatus.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: pedjak

api/v1/clusterobjectset_types.go

@@ -511,26 +511,27 @@ type ClusterObjectSetStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 
-	// observedObjectContainers records the content hashes of referenced Secrets
-	// at first successful resolution. This is used to detect if a referenced
-	// Secret was deleted and recreated with different content.
+	// observedPhases records the content hashes of resolved phases
+	// at first successful reconciliation. This is used to detect if
+	// referenced object sources were deleted and recreated with
+	// different content. Each entry covers all fully-resolved object
+	// manifests within a phase, making it source-agnostic.
 	//
 	// +listType=map
 	// +listMapKey=name
 	// +optional
-	ObservedObjectContainers []ObservedObjectContainer `json:"observedObjectContainers,omitempty"`
+	ObservedPhases []ObservedPhase `json:"observedPhases,omitempty"`
 }
 
-// ObservedObjectContainer records the observed state of a referenced Secret
-// used as an object source.
-type ObservedObjectContainer struct {
-	// name identifies the referenced Secret in "namespace/name" format.
+// ObservedPhase records the observed content hash of a resolved phase.
+type ObservedPhase struct {
+	// name is the phase name matching a phase in spec.phases.
 	//
 	// +required
 	Name string `json:"name"`
 
-	// hash is the hex-encoded SHA-256 hash of the Secret's .data field
-	// at first successful resolution.
+	// hash is the hex-encoded SHA-256 hash of the phase's resolved
+	// object content at first successful reconciliation.
 	//
 	// +required
 	Hash string `json:"hash"`

api/v1/zz_generated.deepcopy.go

@@ -477,6 +477,8 @@ _Appears in:_
 
 
 
+
+
 #### PreflightConfig
 
 

applyconfigurations/api/v1/clusterobjectsetstatus.go

@@ -151,9 +151,9 @@ Recommended conventions:
    that all referenced Secrets have `immutable: true` set before proceeding.
    Mutable referenced Secrets are rejected and reconciliation is blocked with
    `Progressing=False, Reason=Blocked`. Additionally, the reconciler records
-   content hashes of referenced Secrets on first resolution and blocks
-   reconciliation if the content changes (e.g., if a Secret is deleted and
-   recreated with the same name but different data).
+   content hashes of the resolved phases on first successful reconciliation
+   and blocks reconciliation if the content changes (e.g., if a Secret is
+   deleted and recreated with the same name but different data).
 
 3. **Owner references**: Referenced Secrets should carry an ownerReference to
    the COS so that Kubernetes garbage collection removes them when the COS is
@@ -392,12 +392,13 @@ Key properties:
 
 ### COS reconciler behavior
 
-Before resolving individual object refs, the reconciler verifies all referenced
-Secrets: each must have `immutable: true` set, and its content hash must match
-the hash recorded in `.status.observedObjectContainers` (if present). If any Secret
-fails verification, reconciliation is blocked with `Progressing=False,
-Reason=Blocked`. On first successful verification, content hashes are persisted
-to status for future comparisons.
+Before resolving individual object refs, the reconciler verifies that all
+referenced Secrets have `immutable: true` set. After successfully building
+the phases (resolving all refs), the reconciler computes a per-phase content
+hash and compares it against the hashes recorded in `.status.observedPhases`
+(if present). If any phase's content has changed, reconciliation is blocked
+with `Progressing=False, Reason=Blocked`. On first successful build, phase
+content hashes are persisted to status for future comparisons.
 
 When processing a COS phase:
 - For each object entry in the phase:

…ations/api/v1/observedobjectcontainer.go …lyconfigurations/api/v1/observedphase.goapplyconfigurations/api/v1/observedobjectcontainer.go renamed to applyconfigurations/api/v1/observedphase.go applyconfigurations/api/v1/observedobjectcontainer.go renamed to applyconfigurations/api/v1/observedphase.go

@@ -621,24 +621,24 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
-              observedObjectContainers:
+              observedPhases:
                 description: |-
-                  observedObjectContainers records the content hashes of referenced Secrets
-                  at first successful resolution. This is used to detect if a referenced
-                  Secret was deleted and recreated with different content.
+                  observedPhases records the content hashes of resolved phases
+                  at first successful reconciliation. This is used to detect if
+                  referenced object sources were deleted and recreated with
+                  different content. Each entry covers all fully-resolved object
+                  manifests within a phase, making it source-agnostic.
                 items:
-                  description: |-
-                    ObservedObjectContainer records the observed state of a referenced Secret
-                    used as an object source.
+                  description: ObservedPhase records the observed content hash of
+                    a resolved phase.
                   properties:
                     hash:
                       description: |-
-                        hash is the hex-encoded SHA-256 hash of the Secret's .data field
-                        at first successful resolution.
+                        hash is the hex-encoded SHA-256 hash of the phase's resolved
+                        object content at first successful reconciliation.
                       type: string
                     name:
-                      description: name identifies the referenced Secret in "namespace/name"
-                        format.
+                      description: name is the phase name matching a phase in spec.phases.
                       type: string
                   required:
                   - hash