diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index 1c136a8b..c1fcec68 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -30,8 +30,8 @@ ENV PATH="$BUN_INSTALL/bin:$PATH"
 # Claude CLI
 RUN npm i -g @anthropic-ai/claude-code
 
-# Pre-install dependencies (cached layer — only rebuilds when lockfile changes)
-COPY bun.lock package.json /workspace/
+# Pre-install dependencies (cached layer — only rebuilds when package.json changes)
+COPY package.json /workspace/
 WORKDIR /workspace
 RUN bun install && rm -rf /tmp/*
 
@@ -40,4 +40,6 @@ RUN bun --version && node --version && claude --version && jq --version && gh --
 
 # At runtime: checkout overwrites /workspace, but node_modules persists
 # if we move it out of the way and symlink back
-RUN mv /workspace/node_modules /opt/node_modules_cache
+# Save node_modules + package.json snapshot for cache validation at runtime
+RUN mv /workspace/node_modules /opt/node_modules_cache \
+    && cp /workspace/package.json /opt/node_modules_cache/.package.json
diff --git a/.github/workflows/ci-image.yml b/.github/workflows/ci-image.yml
index 19099334..00d38637 100644
--- a/.github/workflows/ci-image.yml
+++ b/.github/workflows/ci-image.yml
@@ -8,14 +8,6 @@ on:
     branches: [main]
     paths:
       - '.github/docker/Dockerfile.ci'
-      - 'bun.lock'
-      - 'package.json'
-  # Build on PRs that change the image (so first PR run has it)
-  pull_request:
-    branches: [main]
-    paths:
-      - '.github/docker/Dockerfile.ci'
-      - 'bun.lock'
       - 'package.json'
   # Manual trigger
   workflow_dispatch:
@@ -30,7 +22,7 @@ jobs:
       - uses: actions/checkout@v4
 
       # Copy lockfile + package.json into Docker build context
-      - run: cp bun.lock package.json .github/docker/
+      - run: cp package.json .github/docker/
 
       - uses: docker/login-action@v3
         with:
diff --git a/.github/workflows/evals.yml b/.github/workflows/evals.yml
index 5a05b4ea..2a7009d5 100644
--- a/.github/workflows/evals.yml
+++ b/.github/workflows/evals.yml
@@ -23,7 +23,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - id: meta
-        run: echo "tag=${{ env.IMAGE }}:${{ hashFiles('.github/docker/Dockerfile.ci', 'bun.lock', 'package.json') }}" >> "$GITHUB_OUTPUT"
+        run: echo "tag=${{ env.IMAGE }}:${{ hashFiles('.github/docker/Dockerfile.ci', 'package.json') }}" >> "$GITHUB_OUTPUT"
 
       - uses: docker/login-action@v3
         with:
@@ -41,7 +41,7 @@ jobs:
           fi
 
       - if: steps.check.outputs.exists == 'false'
-        run: cp bun.lock package.json .github/docker/
+        run: cp package.json .github/docker/
 
       - if: steps.check.outputs.exists == 'false'
         uses: docker/build-push-action@v6
@@ -96,10 +96,10 @@ jobs:
           fetch-depth: 0
 
       # Restore pre-installed node_modules from Docker image (~1s vs ~15s install)
-      # If lockfile changed since image was built, fall back to fresh install
+      # If package.json changed since image was built, fall back to fresh install
       - name: Restore deps
         run: |
-          if diff -q /opt/node_modules_cache/.package-lock.json package.json >/dev/null 2>&1; then
+          if [ -d /opt/node_modules_cache ] && diff -q /opt/node_modules_cache/.package.json package.json >/dev/null 2>&1; then
             cp -al /opt/node_modules_cache node_modules
           else
             bun install