Two bugs surfaced live 2026-05-06 on tenant "test":
1) UpdateParentKustomization used substring match against " - <slug>",
which falsely "found" the slug when it was a PREFIX of an existing
entry. Adding "test" to a file already listing "test11" or "test13"
silently no-op'd. Result: tenant manifests committed but the
tenants/kustomization.yaml never registered them, Flux's tenants
Kustomization couldn't apply the new tenant, vCluster step timed
out at 10m. Fix: exact line match on the resources entry.
2) openclaw + stalwart-mail were flagged Deployable=true in #941 but
never had AppSpec entries in core/services/provisioning/gitops/apps.go
KnownApps. The SME provisioning generator emits a single-Deployment
template that requires Image + Port; for those two slugs it produced
invalid manifests:
Deployment.apps "openclaw" is invalid:
containers[0].image: Required value
containers[0].ports[0].containerPort: Required value
tenant-test11-apps Kustomization rejected the dry-run, no apps ever
landed inside the vcluster. Re-enabling these requires per-app
overlay support beyond the single-Deployment template — separate
work. For now: comment them out of DeployableAppSlugs so the catalog
seed flips them back to Deployable=false on next pod restart and the
marketplace UI shows them as COMING SOON.
Adds regression tests for both: prefix-collision in
UpdateParentKustomization, and a stability test on the deployable map
shape.
Co-authored-by: hatiyildiz <hatice@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
a57d05d4dd