More agent rules

.coderabbit.yaml

@@ -7,6 +7,8 @@ reviews:
       instructions: "These files came from a vendor and we're not allowed to change them. Refer to it if you need to understand how the main code interacts with it, but do not make comments about it."
     - path: "**/*.py"
       instructions: "Check the `ruff.toml` and `ruff-test.toml` for linting rules we've explicitly disabled and don't suggest changes to please conventions we've disabled. Do not express concerns about ruff rules; a pre-commit hook already runs a ruff check. Do not warn about unnecessary super().__init__() calls; pyright prefers those to be present. Do not warn about missing type hints; a pre-commit hook already checks for that."
+    - path: "**/.copier-answers.yml"
+      instructions: "Do not comment about the `_commit` value needing to be a clean release tag. A CI job will fail if that is not the case."
   tools:
     eslint: # when the code contains typescript, eslint will be run by pre-commit, and coderabbit often generates false positives
       enabled: false

AGENTS.md

@@ -23,7 +23,7 @@ This project is a Copier template used to generate other copier templates. It is
 - Avoid magic values in comparisons in tests in all languages (like ruff rule PLR2004 specifies)
 - Prefer using random values in tests rather than arbitrary ones (e.g. the faker library, uuids, random.randint) when possible. For enums, pick randomly rather than hardcoding one value.
 - Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element. When verifying a condition across all items in a collection, collect the violations into a list and assert it's empty (e.g., assert [x for x in items if bad_condition(x)] == []).
-- Key `data-testid` selectors off unique IDs (e.g. UUIDs), not human-readable names which may collide or change.
+- When asserting a mock or spy was called with specific arguments, always constrain as tightly as possible. In order of preference: (1) assert called exactly once with those args (`assert_called_once_with` in Python, `toHaveBeenCalledExactlyOnceWith` in Vitest/Jest); (2) if multiple calls are expected, assert the total call count and use a positional or last-call assertion (`nthCalledWith`, `lastCalledWith` / `assert_has_calls` with `call_args_list[n]`); (3) plain "called with at any point" (`toHaveBeenCalledWith`, `assert_called_with`) is a last resort only when neither the call count nor the call order can reasonably be constrained.
 
 ### Python Testing
 
@@ -37,6 +37,11 @@ This project is a Copier template used to generate other copier templates. It is
 - **Never hand-edit syrupy snapshot files.** Snapshots are auto-generated — to create or update them, run `uv run pytest --snapshot-update <test path> --no-cov`. A missing snapshot causes the test to fail, which is expected until you run with `--snapshot-update`. When a snapshot mismatch occurs, fix the code if the change was unintentional; run `--snapshot-update` if it was intentional.
 - **Never hand-write or hand-edit pytest-reserial `.jsonl` recording files.** Recordings must be captured from real serial port traffic by running the test with `--record` while the device is connected: `uv run pytest --record <test path> --no-cov`. The default mode replays recordings — a missing recording causes an error, which is expected until recorded against a live device.
 
+### Frontend Testing
+
+- Key `data-testid` selectors off unique IDs (e.g. UUIDs), not human-readable names which may collide or change.
+- In DOM-based tests, scope queries to the tightest relevant container. Only query `document` or `document.body` directly to find the top-level portal/popup element (e.g. a Reka UI dialog via `[role="dialog"][data-state="open"]`); all further queries should run on that element, not on `document.body` again.
+
 # Agent Implementations & Configurations
 
 ## Memory and Rules

extensions/context.py

@@ -26,12 +26,12 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["ty_version"] = ">=0.0.23"
         #######
         context["sphinx_version"] = "9.0.4"
-        context["pulumi_version"] = ">=3.226.0"
+        context["pulumi_version"] = ">=3.228.0"
         context["pulumi_aws_version"] = ">=7.23.0"
-        context["pulumi_aws_native_version"] = ">=1.57.0"
+        context["pulumi_aws_native_version"] = ">=1.59.0"
         context["pulumi_command_version"] = ">=1.2.1"
         context["pulumi_github_version"] = ">=6.12.1"
-        context["pulumi_okta_version"] = ">=6.2.3"
+        context["pulumi_okta_version"] = ">=6.4.0"
         context["boto3_version"] = ">=1.42.53"
         context["ephemeral_pulumi_deploy_version"] = ">=0.0.6"
         context["pydantic_version"] = ">=2.12.5"

template/.github/actions/install_deps/action.yml.jinja-base

@@ -47,7 +47,7 @@ inputs:
   skip-installing-pulumi-cli:
     type: boolean
     description: Whether to skip installing the Pulumi CLI even if the lock file references it
-    default: true
+    default: false
     required: false
 
 

template/.github/workflows/ci.yaml.jinja-base

@@ -13,6 +13,7 @@ env:
 
 permissions:
   id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+  contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
 
 jobs:
   get-values:

template/template/.github/workflows/ci.yaml.jinja

@@ -13,10 +13,13 @@ env:
 
 permissions:
   id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+  contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
 
 jobs:
   get-values:
     uses: ./.github/workflows/get-values.yaml
+    permissions:
+      contents: write # needed for updating dependabot branches
 
   check-skip-duplicate:
     runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}