Use content-based hashing for Docker image tags instead of git commit hash #24

@drernie

Problem

Currently, the Docker image tagging system uses git commit hashes (git rev-parse --short HEAD), which means:

  • Every commit triggers a Docker rebuild, even if Docker dependencies haven't changed
  • Can't iterate on non-Docker changes (Lambda, CDK, policies) without committing
  • Wastes time rebuilding identical Docker images

Desired Behavior

Use content-based hashing of Docker dependencies to determine when rebuilds are needed:

# Hash only Docker-related files
IMAGE_TAG=$(cat infra/raja_poc/assets/envoy/Dockerfile \
    infra/raja_poc/assets/envoy/*.sh \
    infra/raja_poc/assets/envoy/*.lua \
    infra/raja_poc/assets/envoy/*.tmpl | shasum -a 256 | cut -c1-8)

This ensures:

  • Docker files unchanged → Same hash → No rebuild needed
  • Docker files changed → Different hash → Rebuild triggered
  • Other code changed → Same Docker hash → No rebuild

Implementation Tasks

  1. Create/update smart build script with content-based hashing
  2. Add ECR image existence check to skip builds if image already exists
  3. Update scripts/build-envoy-image.sh to use content hash by default
  4. Update poe tasks (build-envoy-push, deploy-fast) to use new tagging
  5. Document the new behavior in CLAUDE.md

Benefits

  • Faster iteration: Change Lambda/CDK code without Docker rebuilds
  • CI/CD efficiency: Only rebuild Docker when dependencies actually change
  • Better caching: Same content = same tag = reuse across branches

Files Involved

  • scripts/build-envoy-image.sh - Current build script
  • infra/raja_poc/assets/envoy/ - Docker dependencies
    • Dockerfile
    • entrypoint.sh
    • authorize.lua
    • authorize_lib.lua
    • envoy.yaml.tmpl
  • pyproject.toml - Poe tasks for building and deploying
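
The tagging and ECR existence check proposed in this issue, as an added example that is not code from the issue or the repository. It goes beyond the one-liner above by hashing a sorted manifest of paths and per-file digests, so a rename or a locale-dependent glob order cannot leave the tag unchanged. Assumptions: the function names `content_tag` and `image_exists`, the 16-character tag length (chosen here because a 32-bit tag makes a colliding tag, and thus a wrongly skipped build, far more likely), and a repository name supplied by the caller.

```shell
#!/bin/sh
# Added example (not the project's script): content-derived image tag.
# Assumed names: content_tag, image_exists. Tag length 16 is an assumption.

# Use sha256sum where available, else shasum as in the issue text.
if command -v sha256sum >/dev/null 2>&1; then SHA256="sha256sum"
else SHA256="shasum -a 256"; fi

# content_tag DIR: print a tag derived from every Docker build input in DIR.
# Unlike the glob in the issue, find also descends into subdirectories.
content_tag() (
    cd "$1" || exit 1
    # One "<digest>  <path>" line per input, sorted by path in the C locale
    # so every machine produces the same manifest for the same tree.
    manifest=$(find . -type f \( -name Dockerfile -o -name '*.sh' \
        -o -name '*.lua' -o -name '*.tmpl' \) -exec $SHA256 {} + |
        LC_ALL=C sort -k2)
    # An empty input set must not yield a valid-looking tag.
    [ -n "$manifest" ] || { echo "no build inputs in $1" >&2; exit 1; }
    printf '%s\n' "$manifest" | $SHA256 | cut -c1-16
)

# image_exists REPO TAG: succeeds only if ECR already holds that tag.
# Any failure (missing tag, expired credentials) reads as "absent", so the
# caller rebuilds rather than trusting an image it could not verify.
image_exists() {
    aws ecr describe-images --repository-name "$1" \
        --image-ids "imageTag=$2" >/dev/null 2>&1
}

# Usage (not executed here; REPO is a placeholder):
#   tag=$(content_tag infra/raja_poc/assets/envoy) || exit 1
#   image_exists "$REPO" "$tag" || echo "build and push $REPO:$tag"
```

Because the skip decision trusts whatever already sits under the tag, it is only as strong as the tag's immutability; ECR's immutable-tags repository setting prevents a later push from replacing the image behind an existing content tag.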
