Update public.ecr.aws/lambda/python:3.14 Docker digest to c7fd51c

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
public.ecr.aws/lambda/python	final	digest	5f57713 → c7fd51c

---

Configuration

📅 Schedule: Branch creation - "on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🤖 Claude Code Review

PR Code Review

Summary: This PR updates the Docker base image SHA256 digest for public.ecr.aws/lambda/python:3.14 from 5f57713... to 4a260ea....

---

Code Quality

✅ Code style — Single-line ARG update; no style violations.

✅ No commented-out code — None present.

✅ Meaningful variable names — BASE_IMAGE is clear.

✅ DRY principle — No duplication.

✅ Defects — No bugs or logic errors introduced. The digest pin is a valid security practice. However, note that ENV REFRESHED_AT=2025-12-22 (Dockerfile:4) was not updated to reflect today's date (2026-02-22). If this field is intended to track when the image was last refreshed, it is now stale.

✅ .claude/CLAUDE.md — Not present; no issues.

---

Testing

✅ N/A — This is a base image digest bump with no logic changes. No unit/integration tests required.

---

Documentation

✅ README — No update needed for a digest bump.

✅ API docs — N/A.

✅ Inline comments — N/A.

❌ CHANGELOG.md not updated — Previous digest bumps (e.g., [1.0.5], [1.0.4]) were documented in CHANGELOG.md. This update follows the same pattern but has no corresponding entry. A new entry should be added, e.g.:

## [Unreleased]

### Changed

- In `Dockerfile`, updated FROM instruction to `public.ecr.aws/lambda/python:3.14@sha256:4a260ea...`

✅ Markdown formatting — No markdown files modified.

---

Security

✅ No hardcoded credentials.

✅ No .lic files or AQAAAD-prefixed content.

✅ Using digest-pinned base image — This is the correct security practice.

---

Summary

Severity	Issue
Minor	CHANGELOG.md not updated to reflect the digest bump (CHANGELOG.md)
Minor	ENV REFRESHED_AT=2025-12-22 appears stale and was not updated (Dockerfile:4)

Both issues are low severity and consistent with an automated digest update workflow. If REFRESHED_AT is managed separately or CHANGELOG entries for digest bumps are intentionally omitted for automated PRs, these can be waived.

Automated code review analyzing defects and coding standards

[github-actions]

🤖 Claude Code Review

PR Code Review

Change: Dockerfile — base image SHA256 digest update (5f5771... → c7fd51c...)

---

Code Quality

• ✅ No commented-out code
• ✅ Meaningful variable names
• ✅ DRY principle followed
• ✅ No defects, logic errors, or security vulnerabilities in this change
• ✅ No .claude/CLAUDE.md present

---

Testing

• ✅ No application logic changed; automated Docker digest update does not require new tests

---

Documentation

• ❌ CHANGELOG.md not updated — The last entry is [1.0.5] - 2024-06-24. This base image digest bump should be documented with a new entry (e.g., [1.0.6]) following the existing pattern.
• ❌ REFRESHED_AT not updated (Dockerfile:3) — The value remains 2025-12-22, but this PR was merged in February 2026. Given the repository has a dedicated docker-verify-refreshed-at-updated workflow, this field should be updated to reflect the current date when the digest is refreshed.
• ✅ README does not require changes for a digest-only update

---

Security

• ✅ No hardcoded credentials
• ✅ No sensitive data introduced
• ✅ No .lic files present

---

Summary

#	File	Issue
1	CHANGELOG.md	Missing entry for this digest update
2	Dockerfile:3	REFRESHED_AT still set to 2025-12-22; should be updated to today's date

---

Automated code review analyzing defects and coding standards