63 changes: 53 additions & 10 deletions .editorconfig
Original file line number Diff line number Diff line change
@@ -1,30 +1,73 @@
# EditorConfig is awesome: http://EditorConfig.org
# Uses editorconfig to maintain consistent coding styles
# EditorConfig is awesome: https://editorconfig.org/
# Keep shared editing defaults predictable across source, tests, and synced repos.

# top-most EditorConfig file
root = true

# Unix-style newlines with a newline ending every file
[*]
charset = utf-8
end_of_line = lf
indent_size = 2
indent_style = space
indent_size = 2
insert_final_newline = true
max_line_length = 80
trim_trailing_whitespace = true

[*.{tf,tfvars}]
[*.{py,pyi}]
indent_size = 4
max_line_length = 88

[*.{sh,bash,zsh}]
indent_size = 2
indent_style = space
max_line_length = 100

[*.{tf,tfvars,hcl}]
indent_size = 2
max_line_length = 100

[*.{yml,yaml}]
indent_size = 2
max_line_length = 120

[*.{json,jsonc,toml}]
indent_size = 2
max_line_length = 100

[*.{cfg,conf,ini}]
indent_size = 2
max_line_length = 100

[.editorconfig]
indent_size = 2
max_line_length = 100

[*.md]
max_line_length = 0
trim_trailing_whitespace = false

[Makefile]
tab_width = 2
indent_style = tab
indent_size = 4
tab_width = 4

[COMMIT_EDITMSG]
[*.mk]
indent_style = tab
indent_size = 4
tab_width = 4

[.gitignore]
max_line_length = 0

[.gitattributes]
max_line_length = 0

[.env]
max_line_length = 0
trim_trailing_whitespace = false

[.env.*]
max_line_length = 0
trim_trailing_whitespace = false

[COMMIT_EDITMSG]
insert_final_newline = false
max_line_length = 72
trim_trailing_whitespace = false
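Review bot: `max_line_length = 0` in the `[*.md]`, `[.gitignore]`, `[.gitattributes]`, `[.env]` and `[.env.*]` sections is not a value the EditorConfig specification defines; the documented way to disable wrapping is `max_line_length = off`, and an editor that takes the value literally would wrap at zero columns. Since this file is now mirrored into consumer repositories, use `off` so every editor reads it the same way. Smaller cleanups in the same hunk: `[*.{sh,bash,zsh}]` and `[*.{yml,yaml}]` restate the `indent_style = space` / `indent_size = 2` that `[*]` already sets, and `[Makefile]` and `[*.mk]` are identical and could be one `[{Makefile,*.mk}]` section.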
2 changes: 2 additions & 0 deletions .github/CHANGELOG.md
@@ -7,6 +7,8 @@ Use this format for new updates:
- Include file/path scope when useful.

## 2026-04-12
- Aligned `.pre-commit-config.yaml` and expanded `.editorconfig` with file-type defaults for Python, shell, Terraform/HCL, YAML, JSON/TOML, Markdown, Make, and local config files so the repo and synced consumers get a practical editor baseline without the formatter ping-pong that left `pre-commit` failing with no visible git diff.
- Expanded the cross-repository sync baseline to include `.editorconfig`, `.pre-commit-config.yaml`, and `.github/workflows/terraform-pre-commit.yml`, then updated the sync agent/skill contract and sync planner tests to keep that scope explicit and narrow.
- Renamed the workflow skill from `internal-cicd-workflow` to `internal-github-actions`, renamed `internal-github-composite-action` to `internal-github-action-composite`, and realigned the GitHub Actions instructions so the umbrella instruction is the family baseline while the composite instruction now carries only composite-specific delta guidance.
- Added a retained-learning governance contract: root `AGENTS.md` now defines repository-root `LESSONS.md` as a non-canonical ledger for durable lessons learned during completed tasks, `.github/copilot-instructions.md` projects the same behavior into native Copilot flows, `INTERNAL_CONTRACT.md` source-governs the invariant, and the new `LESSONS.md` file records retained lessons with canonical-owner pointers.
- Slimmed the retained-learning section in root `AGENTS.md` so the bridge keeps only strategic ownership and boundary language while `.github/copilot-instructions.md` remains the detailed operational projection.
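Review bot: the first 2026-04-12 bullet should tell consumers that `.editorconfig` and `.pre-commit-config.yaml` are now managed files, so a consumer-authored copy of either is replaced on the next `apply` run rather than merged; the sync-contract hunk in this PR adds them to the mirrored-path list, and that is a behavioural change for downstream repositories that the changelog currently describes only as gaining an editor baseline. The bullet also bundles the root-cause story (formatter ping-pong, `pre-commit` failing with no diff) with three separate changes; one line per change would make the entry easier to scan.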
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
name: internal-sync-global-copilot-configs-into-repo
description: Use this agent when aligning a consumer repository to the managed GitHub Copilot baseline from this standards repository. Keep the paired sync skill as the reusable sync-procedure owner, preserve target `local-*` extensions plus any `.github/local-copilot-overrides.md` layer, and keep root-guidance files aligned to their separate ownership layers.
description: Use this agent when aligning a consumer repository to the managed GitHub Copilot baseline from this standards repository, plus the explicitly shared repository-hygiene files declared by the paired sync skill. Keep the paired sync skill as the reusable sync-procedure owner, preserve target `local-*` extensions plus any `.github/local-copilot-overrides.md` layer, and keep root-guidance files aligned to their separate ownership layers.
tools: ["read", "edit", "search", "execute", "web", "agent"]
agents: []
---
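Review bot: the new description says the agent now syncs "explicitly shared repository-hygiene files" but does not say what they are; per the sync-contract hunk in this PR those are `.editorconfig`, `.pre-commit-config.yaml` and `.github/workflows/terraform-pre-commit.yml`, two of which drive code execution (pre-commit hooks, a CI workflow) in the consumer repository. Since this agent runs with `execute` and `web` tools, name those files in the description so a reader approving an `apply` run knows executable configuration is in scope, not only prose guidance.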
@@ -42,7 +42,7 @@ Treat this agent plus `.github/skills/internal-agent-sync-global-copilot-configs
- Start in `plan` by default. Move to `apply` only on explicit request and only when the plan is conflict-safe.
- Keep target assumptions narrow and let the paired skill own the mirrored-scope and plan-file details.
- Preserve target `local-*` assets plus any consumer-owned `.github/local-copilot-overrides.md` file, exclude repository-owned `internal-sync-*` resources from mirroring, and keep root-guidance files layered according to the paired skill contract.
- Sync GitHub Copilot assets only unless the user explicitly expands scope.
- Sync only the managed cross-repository baseline declared by the paired skill contract; do not expand beyond that scope unless the user explicitly asks for more.
- Do not restate reusable sync procedure in this agent; when the contract drifts, update the paired skill first and then realign this agent.

## Routing
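Review bot: `apply` is gated on the plan being "conflict-safe" (the first bullet), but the widened scope in the `Sync only the managed cross-repository baseline` bullet does not say what counts as a conflict for the newly managed files. A target `.editorconfig`, `.pre-commit-config.yaml` or `terraform-pre-commit.yml` that differs from the source and was not written by a previous sync is the obvious case; state that such files are reported as conflicts in `plan` and are not overwritten in `apply` without an explicit go-ahead.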
7 changes: 7 additions & 0 deletions .github/copilot-instructions.md
@@ -21,6 +21,7 @@ You are an expert software and platform engineer. Protect correctness, security,

- `internal-sync-*` assets stay sync-specific and must not become second canonical homes for repository-wide policy.
- When repository-wide defaults change, update `AGENTS.md` first, then refresh this file, then realign narrower governance assets that reference the change.
- When source-managed guidance from this repository is mirrored into consumer repositories, phrase source-side rules conditionally so they remain true in targets and do not imply that the target repository is the source of truth.
- `.github/local-copilot-overrides.md` may override synced defaults from `AGENTS.md` or this file only when the exception makes the conflict, scope, reason, and required disclosure explicit.
- If `.github/local-copilot-overrides.md` exists but declares no active overrides, keep following the synced baseline.
- When following a local override instead of the synced baseline, say that a consumer-local exception is in effect and cite `.github/local-copilot-overrides.md`.
@@ -58,8 +59,11 @@ You are an expert software and platform engineer. Protect correctness, security,
- Prefer the simplest correct change.
- Keep business logic separated from I/O and infrastructure concerns.
- Apply only the instruction files relevant to the files being changed.
- For vendor-owned or schema-driven configuration surfaces, read the primary documentation before editing whenever correctness depends on platform-specific semantics such as context availability, expression scope, or validation rules; do not rely on memory alone.
- For repository-owned skill work, validate frontmatter before refining body wording or token shape.
- For source-side repository-owned standards work that deepens parallel skill families, stage planning in `tmp/superpowers/`, make anti-scope explicit, and close parity gaps in existing `Common mistakes`, `Validation`, and current reference depth before adding optional new skills, validators, or shared assets.
- Keep repository-owned skill `description:` lines trigger-first, and do not rewrite a working route during token optimization unless improving retrieval is the explicit goal.
- For provider-specific cloud skills, keep guidance provider-native and omit cross-cloud comparison or provider-selection content when provider choice is already upstream of skill activation.
- Prefer `references/` over new `scripts/` for static checklists, lookup tables, and starter templates; add scripts only when the workflow is deterministic, repeated, and execution-heavy.
- Keep Python tests under the repository-root `tests/` tree with mirrored source paths, and make Bash wrappers runnable with internal defaults plus optional overrides.
- Run the applicable validation that actually exists for the files you changed.
@@ -76,8 +80,11 @@ You are an expert software and platform engineer. Protect correctness, security,

- Whenever work reveals a new durable lesson, regardless of whether the task is in planning, review, debugging, or implementation, check whether it was already codified in repository resources when discovered.
- Also treat a repeated or consequential misapplication of an already-codified repository rule as a lesson when the correction is likely to prevent the same mistake in future work.
- When a validator, IDE, schema check, or runtime error overturns an earlier assumption, immediately re-check whether that correction is durable enough to retain or codify.
- Before finalizing such a correction, read the primary documentation for the relevant platform or schema instead of relying on memory or partial recall.
- Before editing repository-root `LESSONS.md`, read its current on-disk contents and treat them as the source of truth for in-progress local lessons, including uncommitted rows already present on disk.
- When a durable lesson is clear and still uncodified, append one concise, reusable row to the pending table in `LESSONS.md` instead of waiting for task completion; do not regenerate, reorder, or rewrite unrelated rows.
- If you decide not to record a lesson after such a correction, make that decision explicit in the completion report with a short reason.
- Treat `LESSONS.md` as a learning ledger, not as canonical policy. Do not dump transient notes, full debugging timelines, sensitive content, or conversational noise into it.
- Preserve unrelated existing lessons in `LESSONS.md`, including local uncommitted ones already on disk.
- If a lesson is later disproven, narrowed, deduplicated, or codified elsewhere in the same task, update or remove only that lesson's row before completion.
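Review bot: `Before finalizing such a correction, read the primary documentation ... instead of relying on memory or partial recall` restates the rule added earlier in this same file (`read the primary documentation before editing ... do not rely on memory alone`) and again in the GitHub Actions instruction in this PR. One canonical statement in this file, with the Actions instruction referring to it, would stop three copies drifting; if the repeat is deliberate because this section is about retained learning, shorten it to a pointer.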
Original file line number Diff line number Diff line change
@@ -10,8 +10,12 @@ applyTo: "**/actions/**/action.y*ml"
- Keep only composite-specific rules here.

## Composite-specific rules
- Define explicit `inputs` and validate required values early.
- Define explicit `inputs` and `outputs`, and keep published names stable for existing callers.
- Validate required values early and fail before the main logic runs.
- Pass `${{ inputs.* }}` through `env:` before shell usage.
- Use `$GITHUB_OUTPUT` and `$GITHUB_ENV` for multi-step coordination instead of ad hoc temp files when shell steps need to share state.
- Keep `shell: bash` explicit and start shell blocks with `set -euo pipefail`.
- Move longer logic into dedicated scripts instead of large inline `run:` blocks.
- Document inputs, outputs, and a minimal usage example next to the action.
- Keep a lightweight happy-path validation path before release, such as a smoke workflow or fixture-based script.
- Preserve backward-compatible input and output contracts when modifying an existing composite action.
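Review bot: the `$GITHUB_OUTPUT` / `$GITHUB_ENV` bullet needs a caveat: a value written to `$GITHUB_ENV` that contains a newline can define additional variables for every later step (multi-line values must use the `name<<DELIMITER` form with a delimiter the value cannot contain), so untrusted input such as a PR title or a free-form action input must be validated before it is written there, and `$GITHUB_PATH` should never receive untrusted values at all. Separately, `keep published names stable for existing callers` (the `inputs`/`outputs` bullet) and `Preserve backward-compatible input and output contracts` say the same thing; keep one.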
13 changes: 10 additions & 3 deletions .github/instructions/internal-github-actions.instructions.md
@@ -14,6 +14,8 @@ applyTo: "**/workflows/**,**/actions/**/action.y*ml"
- Start with `contents: read` and add write scopes only when the job requires them.
- Avoid `pull_request_target` for untrusted code.
- Pass secrets only through `secrets.*` or protected environments; never hardcode them in `env`.
- For production deployments, use protected `environment:` gates with required reviewers instead of relying on branch conditions alone.
- Treat self-hosted runners as trusted infrastructure and scope them to the repositories, runner groups, and network access they actually need.

## Family baseline
- Use clear English step names and deterministic outputs.
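Review bot: `Treat self-hosted runners as trusted infrastructure and scope them ...` omits the rule that matters most for a synced baseline: do not attach self-hosted runners to public repositories or to `pull_request` jobs that can run fork code, because a pull request from a fork can execute arbitrary code on the runner host. Add that sentence, and consider adding `pin third-party actions to a full commit SHA` next to `contents: read`, since an unpinned `uses:` tag is the other common way a workflow gains code nobody reviewed.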
@@ -22,9 +24,14 @@ applyTo: "**/workflows/**,**/actions/**/action.y*ml"
- Prefer reusable workflows (`workflow_call`) for repeated job orchestration inside one repository.
- Prefer smaller jobs with explicit `needs` over monolithic workflows when phases are logically separate.
- Use `if` conditions deliberately for branch, event, and environment-specific execution.
- Keep cache and artifact usage explicit, deterministic, and scoped to real reuse.
- Use self-hosted runners only for justified hardware, network, or cost reasons, and note the security and maintenance tradeoff.
- Before making or validating workflow changes that depend on expression scope, context usage, or key-specific rules, read GitHub's official workflow syntax and context-availability documentation; do not rely on memory.
- Do not place runner-derived paths such as `runner.temp` in workflow-root `env` or `jobs.<job_id>.env`; resolve them in step-level keys that allow `runner`, or derive them from default runner environment variables inside `run`.
- Treat IDE, parser, `actionlint`, and queue-time errors such as `Unrecognized named-value` as mandatory documentation-check triggers.
- Keep cache keys deterministic from lockfiles, tool versions, or other stable inputs instead of timestamps or branch-only entropy.
- Set explicit artifact `retention-days` when artifacts bridge review, release, or deploy stages.
- Validate `workflow_dispatch` free-form inputs before shell, deploy, or infrastructure steps consume them.

## Use the skill for deeper guidance
- Load `.github/skills/internal-github-actions/SKILL.md` for workflow-vs-reusable-vs-composite decisions, reusable workflow patterns, and examples.
- Load `.github/skills/internal-github-actions/SKILL.md` for workflow-vs-reusable-vs-composite decisions, reusable workflow templates, cache and artifact patterns, and workflow hardening checklists.
- Keep this instruction lean because it is part of the source-managed baseline mirrored into consumer repositories; add new always-on GitHub Actions depth only when downstream reuse justifies that sync cost, and keep advanced patterns, examples, and decision support in the skill references.
- Keep this instruction as the auto-loaded baseline; keep authoring depth and examples in the skill.
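Review bot: the `runner.temp` bullet is correct (the `runner` context is not available in workflow-level `env` or `jobs.<job_id>.env`, only in step-level keys), but the `workflow_dispatch` bullet should also say how to consume inputs safely: pass `${{ inputs.* }}` through `env:` and reference the variable in `run`, the same rule the composite-action instruction in this PR already states, rather than interpolating the expression into the script. The last two bullets (`Keep this instruction lean ...` and `Keep this instruction as the auto-loaded baseline ...`) say the same thing; merge them.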
3 changes: 3 additions & 0 deletions .github/scripts/lib/shared.py
@@ -26,13 +26,16 @@
CONSUMER_SYNC_EXCLUDED_PREFIX = "internal-sync-"
MANAGED_ROOT_FILES = (
"AGENTS.md",
".editorconfig",
".pre-commit-config.yaml",
".github/copilot-instructions.md",
".github/copilot-code-review-instructions.md",
".github/copilot-commit-message-instructions.md",
".github/security-baseline.md",
".github/DEPRECATION.md",
".github/repo-profiles.yml",
)
MANAGED_WORKFLOW_FILES = (".github/workflows/terraform-pre-commit.yml",)
LOCAL_COPILOT_OVERRIDES_PATH = ".github/local-copilot-overrides.md"
INVENTORY_PATH = ".github/INVENTORY.md"

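Review bot: `MANAGED_WORKFLOW_FILES` is handled exactly like `MANAGED_ROOT_FILES` at both call sites in `syncing.py` (filtered by `(root / relative_path).exists()`), so a future call site can easily consult one tuple and forget the other. Either expose a single combined tuple that the discovery functions iterate, or add a comment here explaining that the split exists to keep workflow mirroring visibly narrow (one named file, not `.github/workflows/**`).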
3 changes: 3 additions & 0 deletions .github/scripts/lib/syncing.py
@@ -11,6 +11,7 @@
INVENTORY_PATH,
LOCAL_COPILOT_OVERRIDES_PATH,
MANAGED_ROOT_FILES,
MANAGED_WORKFLOW_FILES,
SyncOperation,
SyncPlan,
action_sort_key,
@@ -197,6 +198,7 @@ def build_sync_plan(source_root: Path, target_root: Path) -> SyncPlan:

def discover_source_sync_files(root: Path) -> set[str]:
files = {relative_path for relative_path in MANAGED_ROOT_FILES if (root / relative_path).exists()}
files.update(relative_path for relative_path in MANAGED_WORKFLOW_FILES if (root / relative_path).exists())
files.update(all_files_under(root, ".github/agents"))
files.update(all_files_under(root, ".github/instructions"))
files.update(all_files_under(root, MANAGED_SKILL_DIR))
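Review bot: the added `files.update(...)` line is a copy of the comprehension on the line above it with a different tuple, and the same pair appears again in `discover_target_managed_files`; a small helper such as `_existing(root, paths)` returning the subset of `paths` present under `root` would let both functions iterate the root and workflow tuples in one place and keep the two lists from drifting.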
@@ -209,6 +211,7 @@ def discover_source_sync_files(root: Path) -> set[str]:

def discover_target_managed_files(root: Path) -> set[str]:
files = {relative_path for relative_path in MANAGED_ROOT_FILES if (root / relative_path).exists()}
files.update(relative_path for relative_path in MANAGED_WORKFLOW_FILES if (root / relative_path).exists())
if (root / INVENTORY_PATH).exists():
files.add(INVENTORY_PATH)
files.update(all_files_under(root, ".github/agents"))
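Review bot: adding `MANAGED_WORKFLOW_FILES` here means an existing `.github/workflows/terraform-pre-commit.yml` in the target is now classified as managed, so a consumer-authored workflow at that path is treated as a source-owned file to overwrite or remove. If that is intended, the plan output should flag a target copy that differs from the source as drift rather than silently scheduling it for replacement; if not, target discovery needs a way to tell a previously synced copy from a local one.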
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
name: internal-agent-sync-global-copilot-configs-into-repo
description: Use when aligning a consumer repository to this repository's managed GitHub Copilot baseline, including mirror planning, apply runs, drift checks, and preservation of target `local-*` assets plus any `.github/local-copilot-overrides.md` layer.
description: Use when aligning a consumer repository to this repository's managed GitHub Copilot baseline plus the explicitly shared repository-hygiene files, including mirror planning, apply runs, drift checks, and preservation of target `local-*` assets plus any `.github/local-copilot-overrides.md` layer.
---

# Internal Agent Sync Global Copilot Configs Into Repo
@@ -15,6 +15,7 @@ The paired agent should not restate default mode handling, preserved `local-*` b

- Align a consumer repository with the managed GitHub Copilot baseline from this repository.
- Refresh target `AGENTS.md`, `.github/copilot-instructions.md`, and `.github/INVENTORY.md` to the current bridge model after mirroring.
- Refresh shared repository-hygiene files that are part of the managed sync baseline, currently `.editorconfig`, `.pre-commit-config.yaml`, and `.github/workflows/terraform-pre-commit.yml`.
- Preserve or review a target `.github/local-copilot-overrides.md` file that locally overrides the synced baseline.
- Run or interpret `.github/scripts/sync_copilot_catalog.sh` or `.github/scripts/sync_copilot_catalog.py`.
- Audit source-target drift before or after a sync.
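Review bot: the `currently .editorconfig, .pre-commit-config.yaml, and .github/workflows/terraform-pre-commit.yml` list is now enumerated in three places in this PR (here, in `references/sync-contract.md`, and in `MANAGED_ROOT_FILES`/`MANAGED_WORKFLOW_FILES` in `shared.py`). Since the `Do not widen ...` rule later in this file makes `references/sync-contract.md` the declaration point, refer to it here instead of repeating the list, and add a test asserting that the contract's mirrored-path list matches the tuples in `shared.py` so the prose and the code cannot disagree.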
@@ -27,6 +28,7 @@ The paired agent should not restate default mode handling, preserved `local-*` b
- Exclude source resources named `internal-sync-*` from consumer mirroring and remove any target copies of those resources during `apply`.
- Do not mirror a source `.github/local-copilot-overrides.md`; it stays consumer-owned even when the source repository has one.
- Keep root guidance layered: `AGENTS.md` is the bridge, `.github/copilot-instructions.md` is the repo-wide projection, `.github/local-copilot-overrides.md` is the consumer-local exception layer, and `.github/INVENTORY.md` is the live catalog.
- Mirror only the explicitly shared repository-hygiene files declared in `references/sync-contract.md`; do not widen workflow or root-file mirroring implicitly.
- Ensure the target repository `.gitignore` contains an ignore rule for `tmp/superpowers/`.
- Prefer the bundled sync automation when it matches the requested mode instead of re-deriving the workflow manually.
- Keep detailed operating rules in `references/sync-contract.md` instead of re-expanding them in the agent body.
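Review bot: the `.gitignore` bullet only guarantees `tmp/superpowers/`; with the synced `.editorconfig` now carrying `[.env]` and `[.env.*]` sections, consumers are being told that local env files are expected in their working trees, so this is the place to also require an ignore rule for `.env` and `.env.*` (leaving `.env.example`-style templates tracked where a consumer uses them) before an `apply` run. Otherwise the baseline normalises a file type that commonly holds secrets without also keeping it out of commits.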
Original file line number Diff line number Diff line change
@@ -7,17 +7,20 @@ Use this reference when the paired agent or this skill needs the exact sync rule
Mirror these source-managed paths into the consumer repository:

- `AGENTS.md`
- `.editorconfig`
- `.pre-commit-config.yaml`
- `.github/copilot-instructions.md`
- `.github/copilot-code-review-instructions.md`
- `.github/copilot-commit-message-instructions.md`
- `.github/security-baseline.md`
- `.github/DEPRECATION.md`
- `.github/repo-profiles.yml`
- `.github/workflows/terraform-pre-commit.yml`
- `.github/agents/**`
- `.github/instructions/**`
- `.github/skills/**`, including bundled `references/`, `assets/`, `scripts/`, `agents/`, and licenses

Do not sync `README.md`, changelogs, workflows, templates, or bootstrap helpers unless the user explicitly expands scope.
Do not sync `README.md`, changelogs, other workflows, templates, or bootstrap helpers unless the user explicitly expands scope.
Do not sync consumer-facing resources whose file or directory name starts with `internal-sync-`; those remain source-only operational controls for the standards repository.

## Target Rules
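Review bot: mirroring `.pre-commit-config.yaml` and `.github/workflows/terraform-pre-commit.yml` into consumers means hook repositories, `rev` values and `uses:` references are chosen in the source repository and executed in every target; the contract should state that these two files must pin hooks and actions to immutable references (tags or commit SHAs) in the source, and that consumers must not edit them in place because the next sync replaces them. The `other workflows` wording in the exclusion sentence is right, but `workflows other than .github/workflows/terraform-pre-commit.yml` would leave no room to misread it.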