fix(commands): capture upgrade target image BEFORE original RunE

talosctl's upgrade handler can overwrite the --image flag with the
node's currently-running install.image during the no-op-upgrade
path (when the target image already matches what's installed). If
Phase 2C reads the flag after RunE, it sees the running image as
the target — silent pass even when the apply was a real upgrade.

Capture targetImage BEFORE original RunE runs. Phase 2C now
verifies against the operator's intended target, not whatever
state talosctl left in the flag.

Verified on dev17: cross-vendor upgrade with target image
correctly set in the node body (machine.install.image:
ghcr.io/siderolabs/installer:v1.13.0) now reaches Phase 2C with
target=v1.13.0 (not the running v1.12.6). On a successful boot the
gate silently passes (target == running); on a failed boot with
auto-rollback the gate would correctly block.

Refs: #172, #175

While here, fold the K1-pre test-plan entry that documents the
new gate's expected output on the cross-vendor mismatch path.

Signed-off-by: Aleksei Sviridkin <f@lex.la>

Author: lexfrei

docs/manual-test-plan.md

@@ -554,6 +554,35 @@ newer than the node's running Talos v1.12.x` plus a hint about
 rebooting into a matching maintenance image or lowering the
 contract. Drift preview still runs.
 
+### K1-pre. Phase 2C version-verify catches silent rollback
+
+⚠️ Same destructive setup as K2, but the gate now does the work
+automatically. Run an intentionally-bad cross-vendor upgrade and
+expect a hint-bearing blocker:
+
+```bash
+# values.yaml carries the wrong vendor / version pair:
+sed -i 's|cozystack/talos:v1.12|siderolabs/installer:v1.13|' values.yaml
+/tmp/talm-safety upgrade -f nodes/node0.yaml
+```
+
+Expected: talosctl upgrade RPC returns success → 90s reconcile
+window → `verifyPostUpgradeVersion` reads `runtime.Version` →
+detects mismatch → blocker:
+
+```
+post-upgrade: requested upgrade to v1.13.0 but running version
+is v1.12.6 — Talos auto-rolled back the new install
+hint: Talos auto-rolled back the new install. Cross-vendor
+upgrades (e.g. cozystack-bundled image -> vanilla siderolabs
+installer) drop bundled extensions and fail the boot readiness
+check; use the cozystack-built image at the target version, or
+pass --skip-post-upgrade-verify to bypass.
+```
+
+`talm upgrade` exits non-zero — the operator sees the failure
+instead of a false "success".
+
 ### K2-pre. Silent-rollback after cross-vendor upgrade (regression pin for #175)
 
 ⚠️ **Operator footgun caught by this matrix**: a `talm upgrade` that

pkg/commands/upgrade_handler.go

@@ -151,6 +151,13 @@ func wrapUpgradeCommand(wrappedCmd *cobra.Command, originalRunE func(*cobra.Comm
 			}
 		}
 
+		// Capture the upgrade target image BEFORE original RunE runs.
+		// talosctl's own upgrade handler can overwrite the --image
+		// flag with the node's currently-running install.image (the
+		// no-op-upgrade path), which would mask the version mismatch
+		// Phase 2C exists to catch.
+		targetImage, _ := cmd.Flags().GetString("image")
+
 		// Execute original command
 		var execErr error
 
@@ -170,18 +177,17 @@ func wrapUpgradeCommand(wrappedCmd *cobra.Command, originalRunE func(*cobra.Comm
 		// Talos pulls + writes the new install, A/B boot fails its
 		// readiness check, Talos rolls back to the prior partition,
 		// and the operator's "successful" upgrade silently no-ops.
-		// Skipped on dry-run-equivalent flows and when the operator
-		// opts out via --skip-post-upgrade-verify.
+		// Skipped when the operator opts out via
+		// --skip-post-upgrade-verify.
 		if upgradeCmdFlags.skipPostUpgradeVerify {
 			return nil
 		}
 
-		image, _ := cmd.Flags().GetString("image")
-		if image == "" {
+		if targetImage == "" {
 			return nil
 		}
 
-		return runPostUpgradeVersionVerify(cmd.Context(), image)
+		return runPostUpgradeVersionVerify(cmd.Context(), targetImage)
 	}
 }