chore: Sync with rhiza

.devcontainer/bootstrap.sh

@@ -36,9 +36,3 @@ make install
 
 # Install Marimo tool for notebook editing
 "$UV_BIN" tool install marimo 
-
-# Initialize pre-commit hooks if configured
-if [ -f .pre-commit-config.yaml ]; then
-  # uvx runs tools without requiring them in the project deps
-  "$UVX_BIN" pre-commit install
-fi

.devcontainer/devcontainer.json

@@ -5,19 +5,20 @@
         "cpus": 4
     },
     "features": {
-        "ghcr.io/devcontainers/features/common-utils:2": {},
-        "ghcr.io/devcontainers/features/git:1": {},
         "ghcr.io/devcontainers/features/github-cli:1": {},
-        "ghcr.io/devcontainers/features/copilot-cli:1": {}
+        "ghcr.io/devcontainers/features/copilot-cli:1": {},
+        "ghcr.io/devcontainers/features/node:1": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {
+            "moby": false
+        }
     },
     "mounts": [
         "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
     ],
     "containerEnv": {
-        "SSH_AUTH_SOCK": "${localEnv:SSH_AUTH_SOCK}",
         "INSTALL_DIR": "/home/vscode/.local/bin"
     },
-    "forwardPorts": [8080],
+    "forwardPorts": [8080, 2718],
     "customizations": {
         "vscode": {
             "settings": {
@@ -43,7 +44,8 @@
                 "ms-vscode.makefile-tools",
                 // AI Assistance
                 "github.copilot-chat",
-                "github.copilot"
+                "github.copilot",
+                "anthropic.claude-code"
             ]
         }
     },

.github/actions/configure-git-auth/README.md

@@ -0,0 +1,80 @@
+# Configure Git Auth for Private Packages
+
+This composite action configures git to use token authentication for private GitHub packages.
+
+## Usage
+
+Add this step before installing dependencies that include private GitHub packages:
+
+```yaml
+- name: Configure git auth for private packages
+  uses: ./.github/actions/configure-git-auth
+  with:
+    token: ${{ secrets.GH_PAT }}
+```
+
+The `GH_PAT` secret should be a Personal Access Token with `repo` scope.
+
+## What It Does
+
+This action runs:
+
+```bash
+git config --global url."https://<token>@github.com/".insteadOf "https://github.com/"
+```
+
+This tells git to automatically inject the token into all HTTPS GitHub URLs, enabling access to private repositories.
+
+## When to Use
+
+Use this action when your project has dependencies defined in `pyproject.toml` like:
+
+```toml
+[tool.uv.sources]
+private-package = { git = "https://github.com/your-org/private-package.git", rev = "v1.0.0" }
+```
+
+## Token Requirements
+
+By default, this action will use the workflow’s built-in `GITHUB_TOKEN` (`github.token`) if no `token` input is provided or if the provided value is empty (it uses `inputs.token || github.token` internally).
+
+The `GITHUB_TOKEN` is usually sufficient when:
+
+- installing dependencies hosted in the **same repository** as the workflow, or
+- accessing **public** repositories.
+
+The default `GITHUB_TOKEN` typically does **not** have permission to read other private repositories, even within the same organization. For that scenario, you should create a Personal Access Token (PAT) with `repo` scope and store it as `secrets.GH_PAT`, then pass it to the action via the `token` input.
+
+If you configure the step as in the example (`token: ${{ secrets.GH_PAT }}`) and `secrets.GH_PAT` is not defined, GitHub Actions passes an empty string to the action. The composite action then falls back to `github.token`, so the configuration step itself still succeeds. However, any subsequent step that tries to access private repositories that are not covered by the permissions of `GITHUB_TOKEN` will fail with an authentication error.
+## Example Workflow
+
+```yaml
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run tests
+        run: uv run pytest
+```
+
+## See Also
+
+- [PRIVATE_PACKAGES.md](../../../.rhiza/docs/PRIVATE_PACKAGES.md) - Complete guide to using private packages
+- [TOKEN_SETUP.md](../../../.rhiza/docs/TOKEN_SETUP.md) - Setting up Personal Access Tokens

.github/actions/configure-git-auth/action.yml

@@ -0,0 +1,21 @@
+name: 'Configure Git Auth for Private Packages'
+description: 'Configure git to use token authentication for private GitHub packages'
+
+inputs:
+  token:
+    description: 'GitHub token to use for authentication'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Configure git authentication
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token || github.token }}
+      run: |
+        # Configure git to use token authentication for GitHub URLs
+        # This allows uv/pip to install private packages from GitHub
+        git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+        echo "✓ Git configured to use token authentication for GitHub"

.github/agents/analyser.md

@@ -1,6 +1,7 @@
 ---
 name: analyser
 description: Ongoing technical journal for repository analysis
+model: claude-sonnet-4.5
 ---
 
 You are a senior software architect performing a critical, journal-style review of this repository.

.github/agents/summarise.md

@@ -1,6 +1,7 @@
 ---
 name: summarise
 description: Agent for summarizing changes since the last release/tag
+model: claude-sonnet-4.5
 ---
 
 You are a software development assistant tasked with summarizing repository changes since the most recent release or tag.