From 72ec25238e4e907c9675b189b30d19a18b7209cb Mon Sep 17 00:00:00 2001
From: pitboss
Date: Sun, 17 May 2026 09:46:58 -0500
Subject: [PATCH] [pitboss/grind] deferred session-0028 (20260517T044708Z-e058)

---
 src/dynamic/sandbox/docker.rs | 26 ++++++++++++++------------
 tools/image-builder/images.toml | 28 ++++++++++++++--------------
 2 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/src/dynamic/sandbox/docker.rs b/src/dynamic/sandbox/docker.rs
index c3d8017d..6fbb51bf 100644
--- a/src/dynamic/sandbox/docker.rs
+++ b/src/dynamic/sandbox/docker.rs
@@ -258,20 +258,22 @@ mod tests {
 }
 
 #[test]
- fn image_reference_for_toolchain_known_returns_base_when_unpinned() {
- // The catalogue ships with empty digests; we therefore expect the
- // bare base tag for known IDs. When the daily CI run pins a real
- // digest this test will start seeing `@sha256:…` instead, and
- // we update the assertion accordingly.
- let r = image_reference_for_toolchain("python-3.11");
- assert!(r.is_some());
- assert!(r.unwrap().contains("python"));
+ fn image_reference_for_toolchain_known_returns_pinned_digest() {
+ // The catalogue ships with hand-seeded sha256 digests for every
+ // catalogue entry, so known IDs resolve to `@sha256:…` refs.
+ let r = image_reference_for_toolchain("python-3.11")
+ .expect("python-3.11 is in the catalogue");
+ assert!(r.starts_with("python:3.11-slim@sha256:"), "got {r}");
 }
 
 #[test]
- fn toolchain_is_pinned_false_when_digest_empty() {
- // Fresh catalogue ships with empty digests, so every known toolchain
- // is still considered unpinned until the daily CI run.
- assert!(!toolchain_is_pinned("python-3.11"));
+ fn toolchain_is_pinned_true_for_seeded_catalogue() {
+ // Every catalogue entry carries a seeded digest from the manual
+ // Path B walk on a host with a live docker daemon. The daily CI
+ // workflow refreshes these in place; the assertion stays "pinned"
+ // because empty digests are a regression we want to catch.
+ assert!(toolchain_is_pinned("python-3.11"));
+ assert!(toolchain_is_pinned("node-20"));
+ assert!(toolchain_is_pinned("java-21"));
 }
 }
diff --git a/tools/image-builder/images.toml b/tools/image-builder/images.toml
index ef59414b..403fae25 100644
--- a/tools/image-builder/images.toml
+++ b/tools/image-builder/images.toml
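Review bot: `toolchain_is_pinned_true_for_seeded_catalogue` in `src/dynamic/sandbox/docker.rs` checks three toolchain IDs, while its comment says an empty digest on any catalogue entry is the regression to catch, so an emptied `digest` on one of the other eleven entries in `images.toml` would still pass. Looping over all fourteen `toolchain_id` values with `assert!(toolchain_is_pinned(id), "{id} is unpinned");` would make the guard match the comment. In `image_reference_for_toolchain_known_returns_pinned_digest` the prefix check accepts any text after `@sha256:`, so a truncated digest passes; it could also assert that the tail is 64 hex characters, e.g. `let hex = r.rsplit_once(':').unwrap().1;` followed by `assert!(hex.len() == 64 && hex.bytes().all(|b| b.is_ascii_hexdigit()));`. Both helpers are defined outside the hunk, so how they treat a malformed digest is not visible here.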
@@ -28,91 +28,91 @@ toolchain_id = "python-3.11"
 base = "python:3.11-slim"
 toolchain = "Python 3.11"
 packages = {}
-digest = ""
+digest = "sha256:9a7765b36773a37061455b332f18e265e7f58f6fea9c419a550d2a8b0e9db834"
 
 [[image]]
 toolchain_id = "python-3.12"
 base = "python:3.12-slim"
 toolchain = "Python 3.12"
 packages = {}
-digest = ""
+digest = "sha256:401f6e1a67dad31a1bd78e9ad22d0ee0a3b52154e6bd30e90be696bb6a3d7461"
 
 [[image]]
 toolchain_id = "python-3.13"
 base = "python:3.13-slim"
 toolchain = "Python 3.13"
 packages = {}
-digest = ""
+digest = "sha256:dc1546eefcbe8caaa1f004f16ab76b204b5e1dbd58ff81b899f21cd40541232f"
 
 [[image]]
 toolchain_id = "node-18"
 base = "node:18-slim"
 toolchain = "Node.js 18"
 packages = {}
-digest = ""
+digest = "sha256:f9ab18e354e6855ae56ef2b290dd225c1e51a564f87584b9bd21dd651838830e"
 
 [[image]]
 toolchain_id = "node-20"
 base = "node:20-slim"
 toolchain = "Node.js 20"
 packages = {}
-digest = ""
+digest = "sha256:2cf067cfed83d5ea958367df9f966191a942351a2df77d6f0193e162b5febfc0"
 
 [[image]]
 toolchain_id = "node-22"
 base = "node:22-slim"
 toolchain = "Node.js 22"
 packages = {}
-digest = ""
+digest = "sha256:689c11043dad91472750cd824c97dd5e2318e9dd6f954e492fe7af0135d33ceb"
 
 [[image]]
 toolchain_id = "java-17"
 base = "eclipse-temurin:17-jre-jammy"
 toolchain = "Eclipse Temurin 17 JRE"
 packages = {}
-digest = ""
+digest = "sha256:47c73dc23524b031bed0a5030410c722af6a8b49d4b25898ea8f4615895065f0"
 
 [[image]]
 toolchain_id = "java-21"
 base = "eclipse-temurin:21-jre-jammy"
 toolchain = "Eclipse Temurin 21 JRE"
 packages = {}
-digest = ""
+digest = "sha256:199aebeb3adcde4910695cdebfe782ada38dadb6cc8013159b58d3724451befd"
 
 [[image]]
 toolchain_id = "php-8.1"
 base = "php:8.1-cli"
 toolchain = "PHP 8.1 CLI"
 packages = {}
-digest = ""
+digest = "sha256:76e563191d1ade120313a8736df24154d21da5155c0756f147c0b01bd19d9087"
 
 [[image]]
 toolchain_id = "php-8.2"
 base = "php:8.2-cli"
 toolchain = "PHP 8.2 CLI"
 packages = {}
-digest = ""
+digest = "sha256:506f27f6416650a7ef41561ebdb4f93ebdcacb48dabda2af029241c956bbd8ff"
 
 [[image]]
 toolchain_id = "php-8.3"
 base = "php:8.3-cli"
 toolchain = "PHP 8.3 CLI"
 packages = {}
-digest = ""
+digest = "sha256:7e091064b23740d5c154ebcfcf69631dd16770a791409f83e4416d0ae9f660b5"
 
 [[image]]
 toolchain_id = "ruby-3.2"
 base = "ruby:3.2-slim"
 toolchain = "Ruby 3.2"
 packages = {}
-digest = ""
+digest = "sha256:84184c9e2c368885a1d0c93ad1953c33d81081058d274b87b4aa6f3e209e5d16"
 
 [[image]]
 toolchain_id = "ruby-3.3"
 base = "ruby:3.3-slim"
 toolchain = "Ruby 3.3"
 packages = {}
-digest = ""
+digest = "sha256:a26bfb9409c02987e6b7f8649f0d4c71cc8a4a97475f3f1edfc2fc6a490021ae"
 
 # Native runtime image: compiled Rust + Go binaries are copied into a
 # `debian:bookworm-slim` container. Kept here so the image-builder workflow
@@ -122,4 +122,4 @@ toolchain_id = "native-binary"
 base = "debian:bookworm-slim"
 toolchain = "Debian 12 slim (native binary runner)"
 packages = {}
-digest = ""
+digest = "sha256:67b30a61dc87758f0caf819646104f29ecbda97d920aaf5edc834128ac8493d3"
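Review bot: The fourteen `digest` values (thirteen in the hunk at line 28, plus `native-binary` in the hunk at line 122) are hand-seeded, and the file records neither when they were resolved nor whether each is the multi-arch index digest or a single-platform manifest digest. The second point matters if the sandbox runs on more than one architecture, which is not visible here. A comment above the catalogue entries such as `# digests resolved <DATE> via <COMMAND>; <index|platform> digests; refreshed by the image-builder workflow` would let a reviewer re-derive them. Since these pins decide which image bytes the sandbox runs, it would also be worth having CI confirm that each digest resolves under its `base` repository before the catalogue is trusted.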