refactor: rename runner to tfroot-runner, centralize pre-commit config

- Rename runner/ to tfroot-runner/
- Update pre-commit-config.yaml with full hook set from tfroot repos
- Add conventional-pre-commit, end-of-file-fixer hooks
- Add -backend=false to terraform_validate for all repos
- Add AGENTS.md with instructions for maintaining pre-commit config
- Update README.md with new image name and pre-commit documentation

Author: xnoto

AGENTS.md

@@ -0,0 +1,26 @@
+# Agent Instructions
+
+## Repository Purpose
+
+This is a container image monorepo. Each subdirectory with a `Containerfile` becomes a container image published to `ghcr.io/makeitworkcloud/<dir>:latest`.
+
+## Push Access
+
+Agents are authorized to push directly to `main` in this repository.
+
+## Key Files
+
+### tfroot-runner/pre-commit-config.yaml
+
+This is the **canonical pre-commit configuration** for all `tfroot-*` repositories in the organization. When modifying pre-commit hooks:
+
+1. Edit `tfroot-runner/pre-commit-config.yaml` in this repo
+2. The shared-workflows OpenTofu workflow fetches this config at CI time
+3. The tfroot-runner image pre-caches these hooks for faster CI runs
+
+**Do not** modify `.pre-commit-config.yaml` files in individual `tfroot-*` repos - they source from here.
+
+## Related Repositories
+
+- `shared-workflows` - Contains reusable GitHub Actions workflows that reference the tfroot-runner image
+- `tfroot-cloudflare`, `tfroot-libvirt`, `tfroot-github`, `tfroot-aws` - Terraform root module repos that use the tfroot-runner image via shared-workflows

README.md

@@ -26,4 +26,14 @@ Container image monorepo. Each subdirectory with a `Containerfile` is built and
 
 | Directory | Description |
 |-----------|-------------|
-| `runner/` | Alpine-based IaC runner with OpenTofu, Checkov, pre-commit, SOPS, tflint, terraform-docs |
+| `tfroot-runner/` | Alpine-based IaC runner with OpenTofu, Checkov, pre-commit, SOPS, tflint, terraform-docs. Used by all `tfroot-*` repos. |
+| `gh-cli/` | GitHub CLI image |
+
+## Pre-commit Configuration
+
+The `tfroot-runner/pre-commit-config.yaml` file is the **canonical pre-commit configuration** for all `tfroot-*` repositories. This config is:
+
+1. Bundled into the container image to pre-cache hook environments
+2. Fetched at CI time by the shared OpenTofu workflow
+
+To update pre-commit hooks for all tfroot repos, modify `tfroot-runner/pre-commit-config.yaml` and push to main.

runner/pre-commit-config.yaml

@@ -0,0 +1,48 @@
+# Canonical pre-commit configuration for tfroot-* repositories.
+# This file is bundled into the tfroot-runner container image to pre-cache hooks.
+# It is also fetched by the shared OpenTofu workflow at CI time.
+#
+# To update hooks for all tfroot repos, modify this file and rebuild the image.
+repos:
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v4.0.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.104.0
+    hooks:
+      - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --args=-no-color
+          - --tf-init-args=-reconfigure
+          - --tf-init-args=-upgrade
+          - --tf-init-args=-backend=false
+      - id: terraform_tflint
+        args:
+          - --args=--minimum-failure-severity=error
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+      - id: terraform_checkov
+        args:
+          - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+      - id: terraform_fmt
+        args:
+          - --args=-no-color
+          - --args=-diff
+          - --args=-recursive
+      - id: terraform_docs
+        args:
+          - --args=--config=.terraform-docs.yml
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-vcs-permalinks
+      - id: destroyed-symlinks
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+      - id: trailing-whitespace