chore(tooling): scope ansible-lint to ansible content; venv PATH in make test

Kaizen 2026-06-10 fixes:
- ansible-lint pre-commit hook now `always_run: false` + a files filter for
  roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no
  longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the
  group_vars vault, not the syntax-check).
- `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated
  agent runs find ansible-config/ansible-playbook.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.pre-commit-config.yaml

@@ -19,6 +19,15 @@ repos:
     rev: v24.12.2  # keep in sync with requirements.txt
     hooks:
       - id: ansible-lint
+        # Only run on Ansible content. ansible-lint loads the play context, which
+        # auto-decrypts inventories/*/group_vars/all/vault.yml via the wired
+        # vault_password_file (→ rbw) — so it needs `rbw unlock`. The upstream hook is
+        # always_run+pass_filenames:false (lints the whole project, every commit); we
+        # override always_run:false and add a files filter so docs-/config-only commits
+        # skip it (no vault needed). pass_filenames stays false → still a project lint
+        # when any Ansible file is staged.
+        always_run: false
+        files: ^(roles|playbooks|inventories)/.*\.ya?ml$
         additional_dependencies:
           - ansible-core==2.17.*  # pin (not >=) — keep in sync with requirements.txt
 

Makefile

@@ -75,12 +75,12 @@ test:
 ifndef ROLE
 	$(error ROLE is required: make test ROLE=<rolename>)
 endif
-	cd roles/$(ROLE) && ../../$(MOLECULE) test
+	cd roles/$(ROLE) && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test
 
 test-all:
 	@for role in roles/*/; do \
 	  echo "── Testing $$role ──"; \
-	  cd $$role && ../../$(MOLECULE) test; cd ../..; \
+	  cd $$role && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test; cd ../..; \
 	done
 
 # ── Playbook execution ────────────────────────────────────────────────────────