catalog v3.3.1 — verify-downstream chain fixed v3.3.0 inherited a broken verify-downstream bridge that had been red since v3.1.0: the catalog tag pipeline fires multi-project trigger pipelines into basef + carmine with strategy: depend, but no rule on either side accepted $CI_PIPELINE_SOURCE == "pipeline" — so the downstream pipelines had zero allowed jobs and the bridges failed with downstream_pipeline_creation_failed. v3.3.1 closes that gap on the catalog side: every heavy-job rules location (base-build-scratch's .heavy-job-rules anchor, instance.yml's build job, container-build.yml's job_rules default) now accepts pipeline-source unconditionally. Consumers (basef, carmine) accept it guarded on TRIGGERED_BY_CATALOG=true. No functional changes to any build, validate, sign, or promote step. Self-test + heavy-job-on-pipeline-source the only new behavior.