Per t20 debug matrix:
* `bp-self-sovereign-cutover` step-06 phase-1 rewrites every HelmRepository
URL from `oci://ghcr.io/openova-io` to `oci://${harbor_host}/openova-io`,
where `harbor_host` is derived from `sovereign.harborPublicURL`.
* Pre-fix: `harborPublicURL: https://harbor.${SOVEREIGN_FQDN}`.
* But the bp-harbor HTTPRoute publishes at `registry.${SOVEREIGN_FQDN}` —
see `clusters/_template/bootstrap-kit/19-harbor.yaml` line 167
(`gateway.host: registry.\${SOVEREIGN_FQDN}`). No HTTPRoute matches
`harbor.<sov>`, so post-pivot every OCI chart pull EOFs.
* Effect: bp-sandbox HR never Ready → bootstrap-kit Kustomization stuck
waiting on bp-sandbox health → t20 convergence blocks indefinitely.
Fix (chart-level, no Chart.yaml bump for bp-catalyst-platform):
* `clusters/_template/bootstrap-kit/06a-bp-self-sovereign-cutover.yaml`
overlay value flipped `harbor.${SOVEREIGN_FQDN}` → `registry.${SOVEREIGN_FQDN}`.
* `platform/self-sovereign-cutover/chart/values.yaml` default placeholder
flipped `harbor.example.local` → `registry.example.local` so smoke
renders + docs line up.
* README + smoke command updated.
Smoke tests:
* `helm template smoke platform/self-sovereign-cutover/chart` — clean,
1851 lines, `HARBOR_PUBLIC_URL=https://registry.example.local`.
* `helm template smoke ... --set sovereign.harborPublicURL=https://registry.otechN.omani.works`
— clean, all step env vars carry the new host.
* `kubectl kustomize clusters/_template/bootstrap-kit/` — clean, 2926 lines,
overlay shows `harborPublicURL: https://registry.${SOVEREIGN_FQDN}`.
* `bash platform/self-sovereign-cutover/chart/tests/cutover-contract.sh`
— all gates green (Phase-0 ghcr-pull auth merge still works because
`harbor_host` is derived from `HARBOR_PUBLIC_URL` env at runtime, so
the script now correctly merges auth for `registry.<sov-fqdn>` instead
of `harbor.<sov-fqdn>`).
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
b01281a70c