From bc915fba4e8348e526125e1e23ec2ce2dac0333a Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Thu, 19 Mar 2026 19:56:00 +0000
Subject: [PATCH 1/3] precmomit
---
 AGENTS.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/AGENTS.md b/AGENTS.md
index 2f443460..eb293d53 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -29,7 +29,8 @@
 - Always use `uv run python` instead of `python3` or `python` when running Python commands.
 - Prefer dedicated shell tools over `python3`/`python` for simple one-off tasks: use `jq` for JSON parsing, standard shell builtins for string manipulation, etc. Only reach for `python3` when no simpler tool covers the need.
 - Check .devcontainer/devcontainer.json for tooling versions (Python, Node, etc.) when reasoning about version-specific stdlib or tooling behavior.
-- For frontend work, run commands via `pnpm` scripts from `frontend/package.json` — never invoke tools directly (not pnpm exec , npx , etc.). ✅ pnpm test-unit ❌ pnpm vitest ... or npx vitest ...
+- For frontend tests, run commands via `pnpm` scripts from `frontend/package.json` — never invoke tools directly (not pnpm exec , npx , etc.). ✅ pnpm test-unit ❌ pnpm vitest ... or npx vitest ...
+- For linting and type-checking, prefer `pre-commit run ` over invoking tools directly — this matches the permission allow-list and mirrors what CI runs. Key hook IDs: `typescript-check`, `eslint`, `pyright`, `ruff`, `ruff-format`.
 - When running terminal commands, execute exactly one command per tool call. Do not chain commands with &&, ||, ;, or & — this prohibition has no exceptions, even for `cd && ...` patterns. Use absolute paths instead of `cd` to avoid needing to chain. Pipes (|) are allowed for output transformation (e.g., head, tail, grep). If two sequential commands are needed, run them in separate tool calls. Chained commands break the permission allow-list matcher and cause unnecessary permission prompts
 - Never use backslash line continuations in shell commands — always write the full command on a single line. Backslashes break the permission allow-list matcher.
From d96466d993522ad9e54908f74e3472daa723d8cf Mon Sep 17 00:00:00 2001
From: Eli Fine Date: Fri, 20 Mar 2026 13:12:06 +0000 Subject: [PATCH 2/3] docker build --- .../build-docker-image.yaml.jinja-base | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base index 636c801a..c2638ffe 100644 --- a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base +++ b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base @@ -35,6 +35,9 @@ on: artifact-name: description: 'The name of the uploaded artifact of the image tarball' value: ${{ jobs.build-image.outputs.artifact-name }} + full-image-tag: + description: 'The full image tag used for the built image (repository/name:context-hash)' + value: ${{ jobs.build-image.outputs.full-image-tag }} permissions: id-token: write @@ -47,6 +50,7 @@ jobs: runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %} outputs: artifact-name: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }} + full-image-tag: ${{ steps.calculate-build-context-hash.outputs.full_image_tag }} steps: - name: Parse ECR URL if: ${{ inputs.push-role-name != 'no-push' }} @@ -89,6 +93,7 @@ jobs: IMAGE_NAME_NO_SLASHES="${IMAGE_NAME_WITH_NAMESPACE//\//-}" echo "image_name_no_slashes=${IMAGE_NAME_NO_SLASHES}" >> "$GITHUB_OUTPUT" echo "Image name without slashes: ${IMAGE_NAME_NO_SLASHES}" + echo "full_image_tag=${{ inputs.repository }}/${{ inputs.image_name }}:context-${BUILD_HASH}" >> "$GITHUB_OUTPUT" - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen. possible issue is https://github.com/actions/toolkit/issues/658 if: ${{ inputs.push-role-name != 'no-push' }} 
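Review bot: The `description` of the new `full-image-tag` output under `on.workflow_call.outputs` does not say where the tag can be resolved. The build step visible later in this patch sets `push:` to false when `push-role-name` is `'no-push'`, so in that mode the tag presumably names only the locally loaded image or the one inside the artifact tarball, not an image in the registry. I would extend the text to something like `'Full image tag (repository/image_name:context-<hash>); present in the registry only when push-role-name is not no-push'` so a caller does not pull it without checking.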
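Review bot: The added `echo "full_image_tag=..."` line at the end of the `calculate-build-context-hash` script splices `${{ inputs.repository }}` and `${{ inputs.image_name }}` into the shell text before bash runs, so a caller-supplied value is treated as script rather than data and can also write extra keys to `$GITHUB_OUTPUT`. Passing both inputs through the step's `env:` (for example as `REPOSITORY` and `IMAGE_NAME`) and writing `echo "full_image_tag=${REPOSITORY}/${IMAGE_NAME}:context-${BUILD_HASH}" >> "$GITHUB_OUTPUT"` keeps them as data. The same unquoted `${{ }}` expansion reaches the shell in the `docker pull` hunk at -114 and in the `docker save` line of patch 3/3, where the step output should likewise go through `env:` and be double-quoted. The step starts above this hunk, so an `env:` block may already exist there.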
@@ -114,7 +119,7 @@ jobs: - name: Pull existing image to package as artifact if: ${{ inputs.save-as-artifact && steps.check-if-exists.outputs.status == 'found' }} run: | - docker pull ${{ inputs.repository }}/${{ inputs.image_name }}:${{ steps.calculate-build-context-hash.outputs.build_context_tag }} + docker pull ${{ steps.calculate-build-context-hash.outputs.full_image_tag }} - name: Set up Docker Buildx if: ${{ (inputs.save-as-artifact && inputs.push-role-name == 'no-push') || steps.check-if-exists.outputs.status == 'notfound' }} @@ -129,7 +134,7 @@ jobs: context: ${{ inputs.context }} push: ${{ inputs.push-role-name != 'no-push' && steps.check-if-exists.outputs.status == 'notfound' }} load: ${{ inputs.save-as-artifact }} # make the image available later for the `docker save` step - tags: ${{ inputs.repository }}/${{ inputs.image_name }}:${{ steps.calculate-build-context-hash.outputs.build_context_tag }} + tags: ${{ steps.calculate-build-context-hash.outputs.full_image_tag }} - name: Add git sha tag if: ${{ inputs.push-role-name != 'no-push' }} From 0f599068f61ce7b1e4d178da55460c9a608aef13 Mon Sep 17 00:00:00 2001 From: Eli Fine Date: Fri, 20 Mar 2026 16:04:15 +0000 Subject: [PATCH 3/3] use output --- .../reusable_workflows/build-docker-image.yaml.jinja-base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base index c2638ffe..c02beb46 100644 --- a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base +++ b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base 
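Review bot: `tags:` in the build step now takes `full_image_tag`, which the script hunk builds from a literal `context-${BUILD_HASH}`, while the removed line shows the tag used to be read from the `build_context_tag` output. The `check-if-exists` step that gates `push:` is outside these hunks and presumably still relies on `build_context_tag`, so the existence check and the pushed tag would be derived in two places and could drift if the prefix ever changes. Building `full_image_tag` from the same shell value that feeds `build_context_tag`, or at least adding a comment such as `# must stay identical to build_context_tag` on the echo line, would keep the two tied together.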
@@ -152,7 +152,7 @@ jobs: - name: Save Docker Image as tar if: ${{ inputs.save-as-artifact }} - run: docker save -o ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}.tar ${{ inputs.repository }}/${{ inputs.image_name }}:${{ steps.calculate-build-context-hash.outputs.build_context_tag }} + run: docker save -o ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}.tar ${{ steps.calculate-build-context-hash.outputs.full_image_tag }} - name: Upload Docker Image Artifact if: ${{ inputs.save-as-artifact }}