fix(ci): repair and harden pre-commit hooks and CI checks

.github/workflows/_common.yml

@@ -31,7 +31,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Check Rust versions are synchronized
-        run: ./scripts/ci/sync-rust-version.sh --check
+        run: ./scripts/ci/sync-rustc-version.sh --check
 
   python-versions:
     name: Check Python SDK versions sync
@@ -49,7 +49,19 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Check Python interpreter versions are synchronized
-        run: ./scripts/ci/sync-python-version.sh --check
+        run: ./scripts/ci/sync-python-interpreter-version.sh --check
+
+  python-lockfiles:
+    name: Check Python lockfiles
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+
+      - name: Check uv.lock files are in sync with pyproject.toml
+        run: ./scripts/ci/uv-lock-check.sh --check
 
   version-consistency:
     name: Check version consistency
@@ -203,6 +215,7 @@ jobs:
         rust-versions,
         python-versions,
         python-interpreter-versions,
+        python-lockfiles,
         version-consistency,
         license-headers,
         third-party-licenses,
@@ -219,34 +232,35 @@ jobs:
     steps:
       - name: Summary
         run: |
-          echo "## 📋 Common Checks Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Check | Status | Description |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|--------|-------------|" >> $GITHUB_STEP_SUMMARY
+          echo "## 📋 Common Checks Summary" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Check | Status | Description |" >> "$GITHUB_STEP_SUMMARY"
+          echo "|-------|--------|-------------|" >> "$GITHUB_STEP_SUMMARY"
 
           # Always-run checks
           RUST_VERSIONS="${{ needs.rust-versions.result }}"
           PYTHON_VERSIONS="${{ needs.python-versions.result }}"
           PYTHON_INTERPRETER_VERSIONS="${{ needs.python-interpreter-versions.result }}"
+          PYTHON_LOCKFILES="${{ needs.python-lockfiles.result }}"
           VERSION_CONSISTENCY="${{ needs.version-consistency.result }}"
           LICENSE_HEADERS="${{ needs.license-headers.result }}"
           THIRD_PARTY_LICENSES="${{ needs.third-party-licenses.result }}"
           MARKDOWN="${{ needs.markdown.result }}"
 
           if [ "$RUST_VERSIONS" = "success" ]; then
-            echo "| ✅ Rust Versions | success | All Rust versions synchronized |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Rust Versions | success | All Rust versions synchronized |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$RUST_VERSIONS" = "failure" ]; then
-            echo "| ❌ Rust Versions | failure | Rust versions mismatch in Dockerfiles |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Rust Versions | failure | Rust versions mismatch in Dockerfiles |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Rust Versions | $RUST_VERSIONS | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Rust Versions | $RUST_VERSIONS | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           if [ "$PYTHON_VERSIONS" = "success" ]; then
-            echo "| ✅ Python SDK Versions | success | Cargo.toml and pyproject.toml synchronized |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Python SDK Versions | success | Cargo.toml and pyproject.toml synchronized |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$PYTHON_VERSIONS" = "failure" ]; then
-            echo "| ❌ Python SDK Versions | failure | Version mismatch between Cargo.toml and pyproject.toml |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Python SDK Versions | failure | Version mismatch between Cargo.toml and pyproject.toml |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Python SDK Versions | $PYTHON_VERSIONS | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Python SDK Versions | $PYTHON_VERSIONS | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           if [ "$PYTHON_INTERPRETER_VERSIONS" = "success" ]; then
@@ -257,100 +271,108 @@ jobs:
             echo "| ⏭️ Python Interpreter Versions | $PYTHON_INTERPRETER_VERSIONS | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
+          if [ "$PYTHON_LOCKFILES" = "success" ]; then
+            echo "| ✅ Python Lockfiles | success | uv.lock files in sync with pyproject.toml |" >> "$GITHUB_STEP_SUMMARY"
+          elif [ "$PYTHON_LOCKFILES" = "failure" ]; then
+            echo "| ❌ Python Lockfiles | failure | uv.lock out of sync (run scripts/ci/uv-lock-check.sh --fix) |" >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "| ⏭️ Python Lockfiles | $PYTHON_LOCKFILES | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
           if [ "$VERSION_CONSISTENCY" = "success" ]; then
-            echo "| ✅ Version Consistency | success | Group and workspace dep versions match |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Version Consistency | success | Group and workspace dep versions match |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$VERSION_CONSISTENCY" = "failure" ]; then
-            echo "| ❌ Version Consistency | failure | Version mismatch detected |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Version Consistency | failure | Version mismatch detected |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Version Consistency | $VERSION_CONSISTENCY | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Version Consistency | $VERSION_CONSISTENCY | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           if [ "$LICENSE_HEADERS" = "success" ]; then
-            echo "| ✅ License Headers | success | All files have Apache headers |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ License Headers | success | All files have Apache headers |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$LICENSE_HEADERS" = "failure" ]; then
-            echo "| ❌ License Headers | failure | Missing Apache license headers |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ License Headers | failure | Missing Apache license headers |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ License Headers | $LICENSE_HEADERS | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ License Headers | $LICENSE_HEADERS | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           if [ "$THIRD_PARTY_LICENSES" = "success" ]; then
-            echo "| ✅ Third-Party Licenses | success | All deps in about.toml accept list |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Third-Party Licenses | success | All deps in about.toml accept list |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$THIRD_PARTY_LICENSES" = "failure" ]; then
-            echo "| ❌ Third-Party Licenses | failure | Disallowed license detected (see job log) |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Third-Party Licenses | failure | Disallowed license detected (see job log) |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Third-Party Licenses | $THIRD_PARTY_LICENSES | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Third-Party Licenses | $THIRD_PARTY_LICENSES | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           if [ "$MARKDOWN" = "success" ]; then
-            echo "| ✅ Markdown Lint | success | All markdown files are valid |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Markdown Lint | success | All markdown files are valid |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$MARKDOWN" = "failure" ]; then
-            echo "| ❌ Markdown Lint | failure | Markdown formatting issues found |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Markdown Lint | failure | Markdown formatting issues found |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Markdown Lint | $MARKDOWN | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Markdown Lint | $MARKDOWN | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           SHELLCHECK="${{ needs.shellcheck.result }}"
           if [ "$SHELLCHECK" = "success" ]; then
-            echo "| ✅ Shellcheck | success | All shell scripts are valid |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Shellcheck | success | All shell scripts are valid |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$SHELLCHECK" = "failure" ]; then
-            echo "| ❌ Shellcheck | failure | Shell script issues found |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Shellcheck | failure | Shell script issues found |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Shellcheck | $SHELLCHECK | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Shellcheck | $SHELLCHECK | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           TRAILING="${{ needs.trailing-whitespace.result }}"
           if [ "$TRAILING" = "success" ]; then
-            echo "| ✅ Trailing Whitespace | success | No trailing whitespace found |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Trailing Whitespace | success | No trailing whitespace found |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$TRAILING" = "failure" ]; then
-            echo "| ❌ Trailing Whitespace | failure | Trailing whitespace detected |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Trailing Whitespace | failure | Trailing whitespace detected |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Trailing Whitespace | $TRAILING | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Trailing Whitespace | $TRAILING | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           TRAILING_NL="${{ needs.trailing-newline.result }}"
           if [ "$TRAILING_NL" = "success" ]; then
-            echo "| ✅ Trailing Newline | success | All text files have trailing newlines |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Trailing Newline | success | All text files have trailing newlines |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$TRAILING_NL" = "failure" ]; then
-            echo "| ❌ Trailing Newline | failure | Missing trailing newlines detected |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Trailing Newline | failure | Missing trailing newlines detected |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Trailing Newline | $TRAILING_NL | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Trailing Newline | $TRAILING_NL | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           BINARY_ARTIFACTS="${{ needs.binary-artifacts.result }}"
           if [ "$BINARY_ARTIFACTS" = "success" ]; then
-            echo "| ✅ Binary Artifacts | success | No binary artifacts found |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Binary Artifacts | success | No binary artifacts found |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$BINARY_ARTIFACTS" = "failure" ]; then
-            echo "| ❌ Binary Artifacts | failure | Binary artifacts detected in commit |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Binary Artifacts | failure | Binary artifacts detected in commit |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Binary Artifacts | $BINARY_ARTIFACTS | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Binary Artifacts | $BINARY_ARTIFACTS | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           TOML_FORMAT="${{ needs.toml-format.result }}"
           if [ "$TOML_FORMAT" = "success" ]; then
-            echo "| ✅ TOML Format | success | All TOML files properly formatted |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ TOML Format | success | All TOML files properly formatted |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$TOML_FORMAT" = "failure" ]; then
-            echo "| ❌ TOML Format | failure | TOML formatting issues found |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ TOML Format | failure | TOML formatting issues found |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ TOML Format | $TOML_FORMAT | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ TOML Format | $TOML_FORMAT | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           TYPOS="${{ needs.typos.result }}"
           if [ "$TYPOS" = "success" ]; then
-            echo "| ✅ Typos Check | success | All files are free of spelling typos |" >> $GITHUB_STEP_SUMMARY
+            echo "| ✅ Typos Check | success | All files are free of spelling typos |" >> "$GITHUB_STEP_SUMMARY"
           elif [ "$TYPOS" = "failure" ]; then
-            echo "| ❌ Typos Check | failure | Spelling typos detected (run 'typos -w' to fix) |" >> $GITHUB_STEP_SUMMARY
+            echo "| ❌ Typos Check | failure | Spelling typos detected (run 'typos -w' to fix) |" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "| ⏭️ Typos Check | $TYPOS | Check skipped |" >> $GITHUB_STEP_SUMMARY
+            echo "| ⏭️ Typos Check | $TYPOS | Check skipped |" >> "$GITHUB_STEP_SUMMARY"
           fi
 
-          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "" >> "$GITHUB_STEP_SUMMARY"
 
           # Overall status
           if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
-            echo "### ❌ Some checks failed" >> $GITHUB_STEP_SUMMARY
-            echo "Please review the failed checks above and fix the issues." >> $GITHUB_STEP_SUMMARY
+            echo "### ❌ Some checks failed" >> "$GITHUB_STEP_SUMMARY"
+            echo "Please review the failed checks above and fix the issues." >> "$GITHUB_STEP_SUMMARY"
           elif [[ "${{ contains(needs.*.result, 'skipped') }}" == "true" ]]; then
-            echo "### ⚠️ Some checks were skipped" >> $GITHUB_STEP_SUMMARY
+            echo "### ⚠️ Some checks were skipped" >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "### ✅ All checks passed!" >> $GITHUB_STEP_SUMMARY
+            echo "### ✅ All checks passed!" >> "$GITHUB_STEP_SUMMARY"
           fi

.pre-commit-config.yaml

@@ -85,11 +85,11 @@ repos:
         entry: ./scripts/ci/license-headers.sh
         args: ["--fix"]
         language: system
-        pass_filenames: false
+        pass_filenames: true
 
       - id: rust-version-sync
         name: rust version sync
-        entry: ./scripts/ci/sync-rust-version.sh
+        entry: ./scripts/ci/sync-rustc-version.sh
         args: ["--fix"]
         language: system
         files: ^rust-toolchain\.toml$
@@ -105,10 +105,10 @@ repos:
 
       - id: python-interpreter-version-sync
         name: python interpreter version sync
-        entry: ./scripts/ci/sync-python-version.sh
+        entry: ./scripts/ci/sync-python-interpreter-version.sh
         args: ["--fix"]
         language: system
-        files: ^(scripts/ci/sync-python-version\.sh|foreign/python/(pyproject\.toml|pylock\.toml|Dockerfile\.test|README\.md|\.devcontainer/Dockerfile)|bdd/python/(pyproject\.toml|pylock\.toml)|examples/python/(pyproject\.toml|pylock\.toml)|\.github/actions/python-maturin/pre-merge/action\.yml|\.github/workflows/(_build_python_wheels|_test_examples|coverage-baseline)\.yml)$
+        files: ^(scripts/ci/sync-python-interpreter-version\.sh|foreign/python/(pyproject\.toml|pylock\.toml|Dockerfile\.test|README\.md|\.devcontainer/Dockerfile)|bdd/python/(pyproject\.toml|pylock\.toml)|examples/python/(pyproject\.toml|pylock\.toml)|\.github/actions/python-maturin/pre-merge/action\.yml|\.github/workflows/(_build_python_wheels|_test_examples|coverage-baseline)\.yml)$
         pass_filenames: false
 
       - id: uv-lock-check
@@ -305,10 +305,10 @@ repos:
     hooks:
       - id: helmfmt
         name: helmfmt
-        entry: helmfmt
+        entry: helmfmt --check helm/charts/iggy
         language: system
         files: ^helm/charts/.*/templates/.*\.(yaml|tpl)$
-        pass_filenames: true
+        pass_filenames: false
 
       - id: yamllint-helm
         name: yamllint (helm)

.typos.toml

@@ -21,6 +21,8 @@
 NdJson = "NdJson"
 # Valid Python package name used in dependency metadata and lockfiles
 certifi = "certifi"
+# Rust serialization framework in CamelCase ("Ser" misread as "Set")
+SerDe = "SerDe"
 
 # Whitelist valid technical terms to avoid typos false positives
 [default.extend-words]
@@ -40,6 +42,10 @@ Strat = "Strat"
 strin = "strin"
 # Valid Rust crate name (part of ICU4X)
 writeable = "writeable"
+# .NET dependency manager (proper noun, not "Packet")
+Paket = "Paket"
+# Visual Studio dockerignore glob "[Pp]ublish.xml" tokenizes to "ublish"
+ublish = "ublish"
 
 # Exclude auto-generated/non-editable files from typos check
 [files]

AGENTS.md

@@ -59,7 +59,7 @@ cargo test -p <crate>                                      # step 4
 ./scripts/ci/license-headers.sh   # Apache headers
 ./scripts/ci/trailing-whitespace.sh
 ./scripts/ci/trailing-newline.sh
-./scripts/ci/sync-rust-version.sh
+./scripts/ci/sync-rustc-version.sh
 ./scripts/ci/python-sdk-version-sync.sh
 ./scripts/ci/uv-lock-check.sh
 ./scripts/ci/binary-artifacts.sh --check
@@ -136,7 +136,7 @@ description). Load `connectors-overview` first as router.
 
 ## Repo-wide principles
 
-1. **Apache 2.0 header on every new source file:** Follow the comment style configured in `licenserc.toml`; common examples: .rs uses // ..., Cargo.toml and shell use # ....
+1. **Apache 2.0 header on every new source file:** Follow the comment style configured in `licenserc.toml`; common examples: `.rs` uses `// ...`, `Cargo.toml` and shell use `# ...`.
 2. **Verification order:** `fmt --all` -> `sort --no-format --workspace` -> `clippy --all-features --all-targets -- -D warnings` -> `test`. Plus `taplo.sh --check`. CI enforces all.
 3. **Always pass `--no-format` to `cargo sort`.** Without it multi-line feature arrays flatten and `taplo` re-expands them, churning the workspace.
 4. **Avoid LLM-slop tells: em dashes, gratuitous semicolons, hedging narrative, trailing summaries.** Defaults, not absolute bans. Same rule for code, comments, commits, PR descriptions.