DockerBuild: rotate Claude image hash daily to refresh @latest packages

The image tag in -Claude mode is derived from a SHA256 of Dockerfile.claude
plus eng/docker-context/ (excluding .g/), so it never changed and Docker
served the cached image forever — the Claude CLI and marketplace plug-ins
installed from @latest were effectively pinned to whatever was current the
first time the image was built.

Mix a shared $script:DayStamp into the hash only when -Claude is set, and
have Get-TimestampFile persist the same string to update.timestamp so the
outer image tag and the inner COPY layer invalidate on the same UTC-day
boundary. Non-Claude image tags are unchanged.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: PostSharpAgent

DockerBuild.ps1

@@ -566,9 +566,10 @@ try
 
     function Get-TimestampFile
     {
-        param(
-            [switch]$Update
-        )
+        # Persists $script:DayStamp (the single source of truth, also mixed
+        # into the image tag by Get-ContentHash in Claude mode) to disk so
+        # Dockerfile.claude can COPY it in and invalidate inner layers on
+        # the same day boundary as the outer image tag.
 
         $timestampDir = if ($IsUnix)
         {
@@ -586,34 +587,24 @@ try
             New-Item -ItemType Directory -Path $timestampDir -Force | Out-Null
         }
 
-        if ($Update)
-        {
-            # Force update with full timestamp (seconds precision) to invalidate cache
-            $timestamp = [DateTime]::UtcNow.ToString("o")  # ISO 8601 format
-            Set-Content -Path $timestampFile -Value $timestamp -NoNewline -Force
-            Write-Host "Timestamp file updated (forced): $timestamp" -ForegroundColor Cyan
-        }
-        else
+        # Only rewrite the file if the content would actually change — avoids
+        # bumping mtime on every run, which would pointlessly invalidate the
+        # Docker COPY layer for the timestamp file.
+        $needsUpdate = $true
+        if (Test-Path $timestampFile)
         {
-            # Daily timestamp - only update if file doesn't exist or date changed
-            $todayTimestamp = [DateTime]::UtcNow.Date.ToString("yyyy-MM-dd")
-            $needsUpdate = $true
-
-            if (Test-Path $timestampFile)
+            $currentTimestamp = Get-Content $timestampFile -Raw -ErrorAction SilentlyContinue
+            if ($currentTimestamp -eq $script:DayStamp)
             {
-                $currentTimestamp = Get-Content $timestampFile -Raw
-                # Check if current timestamp starts with today's date
-                if ($currentTimestamp -and $currentTimestamp.StartsWith($todayTimestamp))
-                {
-                    $needsUpdate = $false
-                }
+                $needsUpdate = $false
             }
+        }
 
-            if ($needsUpdate)
-            {
-                Set-Content -Path $timestampFile -Value $todayTimestamp -NoNewline -Force
-                Write-Host "Timestamp file updated (daily): $todayTimestamp" -ForegroundColor Cyan
-            }
+        if ($needsUpdate)
+        {
+            Set-Content -Path $timestampFile -Value $script:DayStamp -NoNewline -Force
+            $label = if ($Update) { "forced" } else { "daily" }
+            Write-Host "Timestamp file updated ($label): $script:DayStamp" -ForegroundColor Cyan
         }
 
         return $timestampFile
@@ -623,7 +614,8 @@ try
     {
         param(
             [string]$DockerfilePath,
-            [string]$ContextDirectory
+            [string]$ContextDirectory,
+            [string]$DayStamp  # non-empty => mix into hash (used in -Claude mode)
         )
 
         $hashInput = Get-Content $DockerfilePath -Raw -ErrorAction SilentlyContinue
@@ -632,7 +624,8 @@ try
             $hashInput = ""
         }
 
-        # Add context files (excluding generated .g/ directory)
+        # Add context files (excluding generated .g/ directory, which holds
+        # per-invocation files like env.g.json and Init.g.ps1).
         $contextFiles = Get-ChildItem $ContextDirectory -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.FullName -notmatch '[/\\]\.g[/\\]' } |
                 Sort-Object FullName
@@ -647,6 +640,14 @@ try
             }
         }
 
+        # When a day stamp is supplied (Claude mode), rotate the image tag once
+        # per UTC day so @latest npm installs of the Claude CLI and marketplace
+        # plug-ins actually get refreshed. Same string as update.timestamp.
+        if ($DayStamp)
+        {
+            $hashInput += "`n--- day-stamp ---`n$DayStamp"
+        }
+
         $hashBytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
                 [System.Text.Encoding]::UTF8.GetBytes($hashInput)
         )
@@ -704,6 +705,20 @@ try
     }
     else
     {
+        # Single source of truth for today's cache-busting stamp, shared by
+        # Get-ContentHash (image tag, Claude mode only) and Get-TimestampFile
+        # (update.timestamp file baked into the image). Computing it once here
+        # guarantees both consumers see the same value even if the wall clock
+        # crosses UTC midnight mid-run.
+        $script:DayStamp = if ($Update)
+        {
+            [DateTime]::UtcNow.ToString("o")          # full ISO 8601, seconds precision
+        }
+        else
+        {
+            [DateTime]::UtcNow.Date.ToString("yyyy-MM-dd")
+        }
+
         # Determine which Dockerfile will be used (needed for ImageName generation)
         $DockerfilesDir = "$EngPath/docker"
 
@@ -744,8 +759,14 @@ try
             $dockerfileFullPath = Join-Path $PSScriptRoot $Dockerfile
         }
 
-        # Generate content-based hash for image tag
-        $contentHash = Get-ContentHash -DockerfilePath $dockerfileFullPath -ContextDirectory $dockerContextDirectory
+        # Generate content-based hash for image tag.
+        # In Claude mode, mix in $script:DayStamp so the tag rotates daily
+        # and picks up fresh @latest npm installs.
+        $hashDayStamp = if ($Claude) { $script:DayStamp } else { $null }
+        $contentHash = Get-ContentHash `
+                -DockerfilePath $dockerfileFullPath `
+                -ContextDirectory $dockerContextDirectory `
+                -DayStamp $hashDayStamp
         $dockerRegistry = $env:DOCKER_REGISTRY
 
         if ($dockerRegistry)
@@ -801,7 +822,7 @@ try
         # This is used by Dockerfile.claude but doesn't affect other Dockerfiles
         if (-not $NoBuildImage)
         {
-            $timestampFile = Get-TimestampFile -Update:$Update
+            $timestampFile = Get-TimestampFile
         }
 
         if ($Claude)

src/PostSharp.Engineering.BuildTools/Resources/DockerBuild.ps1

@@ -566,9 +566,10 @@ try
 
     function Get-TimestampFile
     {
-        param(
-            [switch]$Update
-        )
+        # Persists $script:DayStamp (the single source of truth, also mixed
+        # into the image tag by Get-ContentHash in Claude mode) to disk so
+        # Dockerfile.claude can COPY it in and invalidate inner layers on
+        # the same day boundary as the outer image tag.
 
         $timestampDir = if ($IsUnix)
         {
@@ -586,34 +587,24 @@ try
             New-Item -ItemType Directory -Path $timestampDir -Force | Out-Null
         }
 
-        if ($Update)
-        {
-            # Force update with full timestamp (seconds precision) to invalidate cache
-            $timestamp = [DateTime]::UtcNow.ToString("o")  # ISO 8601 format
-            Set-Content -Path $timestampFile -Value $timestamp -NoNewline -Force
-            Write-Host "Timestamp file updated (forced): $timestamp" -ForegroundColor Cyan
-        }
-        else
+        # Only rewrite the file if the content would actually change — avoids
+        # bumping mtime on every run, which would pointlessly invalidate the
+        # Docker COPY layer for the timestamp file.
+        $needsUpdate = $true
+        if (Test-Path $timestampFile)
         {
-            # Daily timestamp - only update if file doesn't exist or date changed
-            $todayTimestamp = [DateTime]::UtcNow.Date.ToString("yyyy-MM-dd")
-            $needsUpdate = $true
-
-            if (Test-Path $timestampFile)
+            $currentTimestamp = Get-Content $timestampFile -Raw -ErrorAction SilentlyContinue
+            if ($currentTimestamp -eq $script:DayStamp)
             {
-                $currentTimestamp = Get-Content $timestampFile -Raw
-                # Check if current timestamp starts with today's date
-                if ($currentTimestamp -and $currentTimestamp.StartsWith($todayTimestamp))
-                {
-                    $needsUpdate = $false
-                }
+                $needsUpdate = $false
             }
+        }
 
-            if ($needsUpdate)
-            {
-                Set-Content -Path $timestampFile -Value $todayTimestamp -NoNewline -Force
-                Write-Host "Timestamp file updated (daily): $todayTimestamp" -ForegroundColor Cyan
-            }
+        if ($needsUpdate)
+        {
+            Set-Content -Path $timestampFile -Value $script:DayStamp -NoNewline -Force
+            $label = if ($Update) { "forced" } else { "daily" }
+            Write-Host "Timestamp file updated ($label): $script:DayStamp" -ForegroundColor Cyan
         }
 
         return $timestampFile
@@ -623,7 +614,8 @@ try
     {
         param(
             [string]$DockerfilePath,
-            [string]$ContextDirectory
+            [string]$ContextDirectory,
+            [string]$DayStamp  # non-empty => mix into hash (used in -Claude mode)
         )
 
         $hashInput = Get-Content $DockerfilePath -Raw -ErrorAction SilentlyContinue
@@ -632,7 +624,8 @@ try
             $hashInput = ""
         }
 
-        # Add context files (excluding generated .g/ directory)
+        # Add context files (excluding generated .g/ directory, which holds
+        # per-invocation files like env.g.json and Init.g.ps1).
         $contextFiles = Get-ChildItem $ContextDirectory -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.FullName -notmatch '[/\\]\.g[/\\]' } |
                 Sort-Object FullName
@@ -647,6 +640,14 @@ try
             }
         }
 
+        # When a day stamp is supplied (Claude mode), rotate the image tag once
+        # per UTC day so @latest npm installs of the Claude CLI and marketplace
+        # plug-ins actually get refreshed. Same string as update.timestamp.
+        if ($DayStamp)
+        {
+            $hashInput += "`n--- day-stamp ---`n$DayStamp"
+        }
+
         $hashBytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
                 [System.Text.Encoding]::UTF8.GetBytes($hashInput)
         )
@@ -704,6 +705,20 @@ try
     }
     else
     {
+        # Single source of truth for today's cache-busting stamp, shared by
+        # Get-ContentHash (image tag, Claude mode only) and Get-TimestampFile
+        # (update.timestamp file baked into the image). Computing it once here
+        # guarantees both consumers see the same value even if the wall clock
+        # crosses UTC midnight mid-run.
+        $script:DayStamp = if ($Update)
+        {
+            [DateTime]::UtcNow.ToString("o")          # full ISO 8601, seconds precision
+        }
+        else
+        {
+            [DateTime]::UtcNow.Date.ToString("yyyy-MM-dd")
+        }
+
         # Determine which Dockerfile will be used (needed for ImageName generation)
         $DockerfilesDir = "$EngPath/docker"
 
@@ -744,8 +759,14 @@ try
             $dockerfileFullPath = Join-Path $PSScriptRoot $Dockerfile
         }
 
-        # Generate content-based hash for image tag
-        $contentHash = Get-ContentHash -DockerfilePath $dockerfileFullPath -ContextDirectory $dockerContextDirectory
+        # Generate content-based hash for image tag.
+        # In Claude mode, mix in $script:DayStamp so the tag rotates daily
+        # and picks up fresh @latest npm installs.
+        $hashDayStamp = if ($Claude) { $script:DayStamp } else { $null }
+        $contentHash = Get-ContentHash `
+                -DockerfilePath $dockerfileFullPath `
+                -ContextDirectory $dockerContextDirectory `
+                -DayStamp $hashDayStamp
         $dockerRegistry = $env:DOCKER_REGISTRY
 
         if ($dockerRegistry)
@@ -801,7 +822,7 @@ try
         # This is used by Dockerfile.claude but doesn't affect other Dockerfiles
         if (-not $NoBuildImage)
         {
-            $timestampFile = Get-TimestampFile -Update:$Update
+            $timestampFile = Get-TimestampFile
         }
 
         if ($Claude)