The local pre-commit container lane resolves the tool image by :latest with the default pull policy, so a machine that pulled the image months ago keeps using it silently. The local gate output then diverges from CI (new hooks missing, version drift) and the developer debugs phantom differences. Hit during the #1894 arc, and again on 2026-06-12 when a stale :latest carried a newer clippy than CI's pinned toolchain.
Proposed fix: always-pull-with-fallback in tools/make/pre-commit.mk - try a pull before running, fall back to the cached image when offline, and print which image digest the run used. Low-priority DX trap; fix shape verified locally.
The local pre-commit container lane resolves the tool image by
:latestwith the default pull policy, so a machine that pulled the image months ago keeps using it silently. The local gate output then diverges from CI (new hooks missing, version drift) and the developer debugs phantom differences. Hit during the #1894 arc, and again on 2026-06-12 when a stale:latestcarried a newer clippy than CI's pinned toolchain.Proposed fix: always-pull-with-fallback in
tools/make/pre-commit.mk- try a pull before running, fall back to the cached image when offline, and print which image digest the run used. Low-priority DX trap; fix shape verified locally.