updating

.github/agents/implementation.agent.md

@@ -1,15 +1,7 @@
 ---
 name: implementation
 description: Full implementation agent. Writes code, creates files, runs tests, and commits changes based on an approved plan.
-tools:
-  - read
-  - search
-  - fetch
-  - edit
-  - create
-  - delete
-  - terminal
-  - run
+tools: [vscode, execute, read, agent, edit, search, todo]
 model: Claude Sonnet 4.6 (copilot)
 handoffs:
   - label: "🔍 Review Changes"

.github/agents/planner.agent.md

@@ -4,7 +4,6 @@ description: Read-only planning agent. Analyzes the codebase, designs interfaces
 tools:
   - read
   - search
-  - fetch
   - web
 model: Claude Sonnet 4.6 (copilot)
 handoffs:

.github/agents/reviewer.agent.md

@@ -4,7 +4,7 @@ description: Code review agent. Reviews changes for correctness, security, Censu
 tools:
   - read
   - search
-  - fetch
+  - web
 model: Claude Sonnet 4.6 (copilot)
 handoffs:
   - label: "🔧 Fix Issues"

.github/prompts/analyze-pr-comments.prompt.md

@@ -3,10 +3,7 @@ name: analyze-pr-comments
 description: Fetch all review comments on a GHE pull request, summarize the issues, and propose or implement fixes.
 argument-hint: "[repo org/name] [PR number]"
 agent: implementation
-tools:
-  - terminal
-  - read
-  - edit
+tools: [vscode, execute, read, agent, edit, search, todo]
 ---
 
 # Analyze and Address PR Review Comments

.github/prompts/checkpoint-load.prompt.md

@@ -0,0 +1,43 @@
+---
+name: checkpoint-load
+description: Restore project context from CHECKPOINT.md at the start of a new session. Run this before doing any work.
+tools: [read, search, todo]
+---
+
+# Load Checkpoint
+
+Restore context from `design-docs/CHECKPOINT.md` and get ready to work.
+
+## Instructions
+
+1. Read `design-docs/CHECKPOINT.md` in full
+2. Read `design-docs/README.md` (full architecture spec)
+3. Read any files listed in the checkpoint's **Key File Index** that are marked
+   as recently changed or directly relevant to the **Current Phase**
+4. Output a session briefing in this format:
+
+---
+
+**Session Briefing — [date]**
+
+**Where we left off**: [one sentence from Last Updated]
+
+**Current phase**: [phase name + step]
+
+**Next action**: [exact next action from checkpoint]
+
+**Open questions**: [bulleted list, or "None" if clear]
+
+**Files to be aware of**: [only the ones relevant to the next action]
+
+---
+
+5. Populate the todo list with the checklist items for the current phase
+   (mark already-completed items as completed)
+6. Ask: "Ready to continue? Any updates since the last checkpoint?"
+
+## Notes
+
+- Do not start implementing anything until the user confirms
+- If `design-docs/CHECKPOINT.md` does not exist, say so and suggest running
+  the `checkpoint-save` prompt first after reviewing `design-docs/README.md`

.github/prompts/checkpoint-save.prompt.md

@@ -0,0 +1,63 @@
+---
+name: checkpoint-save
+description: Save current project state to CHECKPOINT.md. Run this at the end of any work session to preserve context for the next session.
+tools: [read, edit, search, todo]
+---
+
+# Save Checkpoint
+
+Update the file `design-docs/CHECKPOINT.md` to reflect the current project state.
+
+## Instructions
+
+1. Read the current `design-docs/CHECKPOINT.md`
+2. Read `design-docs/README.md` (architecture decisions)
+3. Scan the repo for any files created or modified since the last checkpoint
+   (check git status if possible, or look at timestamps)
+4. Rewrite `design-docs/CHECKPOINT.md` using the schema below
+
+## CHECKPOINT.md Schema
+
+The file must have exactly these sections in this order:
+
+### 1. Last Updated
+Date and a one-line summary of what changed this session.
+
+### 2. Architecture (locked in)
+Brief settled description of the pipeline. Mark anything that changed since the
+last checkpoint with `[CHANGED]`. Do not store debate — only the settled decision.
+
+### 3. Current Phase
+Which implementation phase we are in and what step within it.
+Include the phase checklist from `design-docs/README.md` with checkboxes updated.
+
+### 4. Next Action
+One or two sentences: exactly what to do first at the start of the next session.
+Be specific — include file paths and commands.
+
+### 5. Open Questions
+Bulleted list of things not yet decided or needing external input.
+Remove items that have been answered since the last checkpoint.
+
+### 6. Key File Index
+Table of every file created or modified in this repo, with a one-line purpose.
+Include files that need to be created but don't exist yet, marked `[TODO]`.
+
+### 7. External Dependencies
+Things outside this repo that must be true for the project to work:
+- AWS resources (Secrets Manager secrets, S3 buckets, ECR repos, etc.)
+- GHE repos and orgs
+- IAM roles or permissions assumed to exist
+- Other repos whose patterns we follow
+
+### 8. Constraints (never change without discussion)
+Hard rules that must not be violated. Pull from `design-docs/README.md`
+"What NOT to Do" section plus any session-specific constraints discovered.
+
+## Rules
+
+- Keep each section concise. This file is read at the start of every session —
+  it must load fast and be scannable.
+- Do NOT copy-paste large blocks from README.md. Summarize and link instead.
+- Remove stale information. If something was resolved, move it out of Open Questions.
+- Mark TODOs clearly so the next session can pick up immediately.

.github/prompts/new-account-repo-layer.prompt.md

@@ -3,11 +3,7 @@ name: new-account-repo-layer
 description: Scaffold a new layer directory (common, infrastructure, or vpc) inside an account repo, complete with remote_state.yml, tf-run.data, and boilerplate symlink stubs.
 argument-hint: "[layer: common|infrastructure|vpc] [region: us-gov-west-1|us-gov-east-1] [account_id] [account_alias]"
 agent: implementation
-tools:
-  - read
-  - create
-  - edit
-  - terminal
+tools: [vscode, execute, read, agent, edit, search, todo]
 ---
 
 # Scaffold a New Account Repo Layer

.github/prompts/review-sc-template.prompt.md

@@ -3,9 +3,7 @@ name: review-sc-template
 description: Review a Service Catalog CloudFormation product template for compliance with Census Lambda interface conventions.
 argument-hint: "[path to template yaml file]"
 agent: reviewer
-tools:
-  - read
-  - search
+tools: [vscode, execute, read, agent, edit, search, todo]
 ---
 
 # Review SC Product Template

.github/skills/account-repo-analysis/SKILL.md

@@ -1,11 +1,6 @@
 ---
 name: account-repo-analysis
-description: >
-  Analyze or scaffold Census AWS account repos. Understands the 3-layer directory
-  structure (common/infrastructure/vpc), regional splits (east/west), tf-run DSL
-  directives, remote_state.yml schema, and the tf-run toolchain scripts. Use this
-  skill when asked to analyze an account repo, explain tf-run steps, scaffold a new
-  layer, or debug tf-directory-setup.py failures.
+description: "Analyze or scaffold Census AWS account repos. Understands the 3-layer directory structure (common/infrastructure/vpc), regional splits (east/west), tf-run DSL directives, remote_state.yml schema, and the tf-run toolchain scripts. Use this skill when asked to analyze an account repo, explain tf-run steps, scaffold a new layer, or debug tf-directory-setup.py failures."
 ---
 
 # Account Repo Analysis Skill

design-docs/CHECKPOINT.md

@@ -0,0 +1,134 @@
+# CHECKPOINT
+
+## 1. Last Updated
+
+**2026-04-28** — Architecture finalized (CodeBuild all-in-one runner, GHA deferred on OIDC blocker).
+Design doc written. Checkpoint system created. Skill file description syntax fixed.
+No implementation code written yet.
+
+---
+
+## 2. Architecture (locked in)
+
+**Pipeline**: SC Console → CFN `Custom::TerraformRun` → Lambda → CodeBuild → Account Repo (`tf-run` + PR)
+
+- **Lambda** (`tf-run-executor-trigger`, csvd-dev `229685449397`, `us-gov-west-1`, 900s timeout):
+  validates inputs (Pydantic v2), fetches GHE PAT from Secrets Manager, starts CodeBuild,
+  polls every 20s, signals CFN SUCCESS/FAILED with PR URL.
+
+- **CodeBuild** (`tf-run-executor`, 60 min timeout, Amazon Linux 2):
+  installs Terraform from S3 + Census CA cert → clones account repo over HTTPS →
+  writes `EXTRA_FILES` → commits + pushes to `repo-init` → `cd <LAYER>/<REGION_DIR>/` →
+  `tf-run apply [tag:START_TAG]` (or `tf plan` if `DRY_RUN=true`) → opens PR via `gh` CLI.
+
+- **GHA**: deferred — blocked on OIDC. Buildspec designed to port directly to GHA workflow with no Lambda changes.
+
+Full spec: `design-docs/README.md`
+
+---
+
+## 3. Current Phase
+
+**Phase 1 — CodeBuild + buildspec (manual test)**
+
+- [ ] Write `buildspec.yml` at repo root
+- [ ] Write `deploy/codebuild.tf` — CodeBuild project with inline buildspec + IAM service role
+- [ ] Test manually via AWS CLI `start-build` with env var overrides against a test account repo
+- [ ] Validate: clone → write file → commit → `tf plan` in `infrastructure/west/` → PR opens
+
+Phases 2–4 not started. See `design-docs/README.md` for full phase list.
+
+---
+
+## 4. Next Action
+
+Create `buildspec.yml` at `/home/a/arnol377/git/sc-lambda-ghactions/buildspec.yml`
+using the draft in `design-docs/README.md` → CodeBuild Project Design → buildspec.yml.
+
+Then create `deploy/codebuild.tf` with the `aws_codebuild_project.tf_run_executor` resource
+and an `aws_iam_role.codebuild_exec` with S3 read, Secrets Manager read, and CloudWatch Logs write.
+
+---
+
+## 5. Open Questions
+
+- What is the correct CodeBuild service role ARN format for this account? (need to verify existing pattern in `lambda-template-repo-generator/deploy/main.tf`)
+- `tf-run` is interactive by default (prompts `y/n` between steps) — need to confirm non-interactive invocation flag or environment variable to suppress prompts in CodeBuild. Check `tf-run.sh` behavior with `CI=true` or similar.
+- Self-hosted GHA runner label (for future GHA migration) — confirm with Matt Morgan once OIDC is unblocked.
+- Should `extra_files` support base64-encoded binary content, or plain text only?
+
+---
+
+## 6. Key File Index
+
+### Design / Memory (this repo)
+
+| File | Status | Purpose |
+|------|--------|---------|
+| `design-docs/README.md` | ✅ done | Full architecture spec, buildspec draft, phase checklist |
+| `design-docs/CHECKPOINT.md` | ✅ done | This file — session memory |
+
+### Prompts (`.github/prompts/`)
+
+| File | Status | Purpose |
+|------|--------|---------|
+| `checkpoint-save.prompt.md` | ✅ done | End-of-session: rewrite CHECKPOINT.md from current state |
+| `checkpoint-load.prompt.md` | ✅ done | Start-of-session: restore context, brief + todo list |
+| `review-sc-template.prompt.md` | ✅ exists | Review SC CFN templates for Census conventions |
+| `new-account-repo-layer.prompt.md` | ✅ exists | Scaffold a new layer in an account repo |
+| `analyze-pr-comments.prompt.md` | ✅ exists | Analyze PR review comments |
+
+### Agents (`.github/agents/`)
+
+| File | Status | Purpose |
+|------|--------|---------|
+| `planner.agent.md` | ✅ exists | Planning / design agent |
+| `implementation.agent.md` | ✅ exists | Implementation agent |
+| `reviewer.agent.md` | ✅ exists | Review agent |
+
+### Skills (`.github/skills/`)
+
+| File | Status | Purpose |
+|------|--------|---------|
+| `account-repo-analysis/SKILL.md` | ✅ fixed | Account repo structure, tf-run DSL, remote_state.yml — description syntax fixed (block scalar → single-line string) |
+
+### Implementation (to be created)
+
+| File | Status | Purpose |
+|------|--------|---------|
+| `buildspec.yml` | 🔲 TODO | CodeBuild buildspec — Phase 1, step 1 |
+| `deploy/codebuild.tf` | 🔲 TODO | CodeBuild project + service role — Phase 1, step 2 |
+| `deploy/versions.tf` | 🔲 TODO | Terraform + provider version pins |
+| `lambda/app.py` | 🔲 TODO | Lambda CFN handler — Phase 2 |
+| `lambda/Dockerfile` | 🔲 TODO | Lambda container image — Phase 2 |
+| `deploy/lambda.tf` | 🔲 TODO | Lambda function + ECR repo — Phase 2 |
+| `deploy/iam.tf` | 🔲 TODO | IAM roles for Lambda + CodeBuild — Phase 2 |
+| `service-catalog/product-template.yaml` | 🔲 TODO | SC CFN product template — Phase 3 |
+| `deploy/service_catalog.tf` | 🔲 TODO | SC portfolio/product/constraint — Phase 3 |
+
+---
+
+## 7. External Dependencies
+
+| Resource | Location | Notes |
+|----------|----------|-------|
+| `ghe-runner/github-token` | Secrets Manager, csvd-dev, us-gov-west-1 | GHE PAT (`ghp_`), reused from EKS automation |
+| `s3://csvd-packer-pipeline-assets/terraform/terraform_1.9.1_linux_amd64.zip` | S3, csvd-dev | Terraform binary (registry.terraform.io blocked) |
+| `s3://csvd-packer-pipeline-assets/certs/census-ca.pem` | S3, csvd-dev | Census CA cert for GHE TLS |
+| GHE org `SCT-Engineering` | `github.e.it.census.gov` | Target account repos live here |
+| Account repos (pre-bootstrapped) | GHE `SCT-Engineering` | Must already have `remote_state.backend.tf`, `tf-run.data`, `.tf-control` |
+| `lambda-template-repo-generator/deploy/main.tf` | Local repo | Reference pattern for CodeBuild + Lambda IAM + SC wiring |
+
+---
+
+## 8. Constraints (never change without discussion)
+
+- ❌ Never `terraform` directly — always `tf` alias (tf-control.sh symlink)
+- ❌ Never SSH clone — Census proxy blocks SSH; always `https://<token>@github.e.it.census.gov/...`
+- ❌ Never hardcode `aws-us-gov` in ARNs — use `${AWS::Partition}`
+- ❌ Never add `aws_account_id` or `aws_region` as SC form parameters — use `!Sub` resolution
+- ❌ Never run tf-run from the repo root — always `cd <layer>/<region_dir>/` first
+- ❌ Never write temp files to `/tmp` — use the CodeBuild build directory
+- ❌ Never use `HappyPathway/terraform-github-repo` — use `CSVD/terraform-github-repo`
+- ✅ Always set `HTTPS_PROXY=http://proxy.tco.census.gov:3128` + `NO_PROXY=github.e.it.census.gov,...`
+- ✅ Always use `GH_HOST=github.e.it.census.gov` for all `gh` CLI commands