diff --git a/.tekton/pipeline.yaml b/.tekton/pipeline.yaml
index 57ed4cf4..b7bb258b 100644
--- a/.tekton/pipeline.yaml
+++ b/.tekton/pipeline.yaml
@@ -142,6 +142,8 @@ spec:
       value: $(params.image-expires-after)
     - name: enable-package-registry-proxy
       value: $(params.enable-package-registry-proxy)
+    - name: mode
+      value: $(params.prefetch-mode)
     runAfter:
     - clone-repository
     taskRef:
diff --git a/.tekton/rapidast-llm-pull-request.yaml b/.tekton/rapidast-llm-pull-request.yaml
index e868a835..f50b3487 100644
--- a/.tekton/rapidast-llm-pull-request.yaml
+++ b/.tekton/rapidast-llm-pull-request.yaml
@@ -36,9 +36,25 @@ spec:
     value: "true"
   - name: rebuild
     value: "true"
+  - name: prefetch-input
+    value:
+    - {"type": "generic", "path": "."}
+    - {"type": "npm", "path": "."}
+    - {
+        "type": "pip",
+        "path": ".",
+        "requirements_files": ["requirements-llm.txt", "requirements-dev.txt"],
+        "requirements_build_files": ["requirements-build.txt"],
+        "binary": {
+          "py_version": 312,
+          "platform": "^(any|manylinux.*_x86_64)$"
+        }
+      }
+  - name: prefetch-mode
+    value: "permissive"
   - name: build-args
     value:
-    - PREFETCH=false
+    - PREFETCH=true
     - COMMIT_SHA={{revision}}
   taskRunSpecs:
     - pipelineTaskName: ecosystem-cert-preflight-checks
diff --git a/.tekton/rapidast-pull-request.yaml b/.tekton/rapidast-pull-request.yaml
index eb519b1d..9ac6cbb0 100644
--- a/.tekton/rapidast-pull-request.yaml
+++ b/.tekton/rapidast-pull-request.yaml
@@ -40,10 +40,22 @@ spec:
     value:
     - {"type": "generic", "path": "."}
     - {"type": "npm", "path": "."}
-    - {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements-dev.txt"]}
+    - {
+        "type": "pip",
+        "path": ".",
+        "requirements_files": ["requirements.txt", "requirements-dev.txt"],
+        "requirements_build_files": ["requirements-build.txt"],
+        "binary": {
+          "py_version": 312,
+          "platform": "^(any|manylinux.*_x86_64)$"
+        }
+      }
+  - name: prefetch-mode
+    value: "strict"
   - name: build-args
     value:
     - PREFETCH=true
+    - HERMETIC=true
     - COMMIT_SHA={{revision}}
   taskRunSpecs:
     - pipelineTaskName: ecosystem-cert-preflight-checks
diff --git a/containerize/Containerfile b/containerize/Containerfile
index 0e9d483d..8af53cf8 100644
--- a/containerize/Containerfile
+++ b/containerize/Containerfile
@@ -123,11 +123,13 @@ COPY ./containerize/container_default_config.yaml /opt/rapidast/rapidast-default
 COPY ./containerize/path_rapidast.sh /etc/profile.d/rapidast.sh
 
 ### Install RapiDAST requirements, globally, so that it's available to any user
-RUN microdnf -y module enable nodejs:24 && \
+RUN set -x && microdnf -y module enable nodejs:24 && \
   microdnf install -y --setopt=install_weak_deps=0 --nodocs \
       shadow-utils procps \
       # RapiDAST
       python3.12 \
+      # RapiDAST / py-nessus-pro
+      python3.12-setuptools-wheel python3.12-wheel-wheel \
       # ZAP
       java-21-openjdk \
       # Firefox
@@ -137,8 +139,12 @@ RUN microdnf -y module enable nodejs:24 && \
       # user convenience
       git-core \
       && \
+  cat /cachi2/cachi2.env && \
+  ls -R /cachi2/output/deps/pip && \
   python3.12 -m ensurepip --upgrade && \
-  python3.12 -m pip install --no-cache-dir -r /opt/rapidast/requirements.txt && \
+  python3.12 -m pip install --no-cache-dir -f /usr/share/python3.12-wheels/ \
+    -r /opt/rapidast/requirements.txt && \
+  microdnf remove -y python3.12-setuptools-wheel python3.12-wheel-wheel && \
   microdnf clean all -y && rm -rf /var/cache/dnf /tmp/* && \
   ln -s /usr/bin/python3.12 /usr/local/bin/python3 && \
   ln -s /opt/redocly/node_modules/@redocly/cli/bin/cli.js /usr/local/bin/redocly
diff --git a/containerize/Containerfile.garak b/containerize/Containerfile.garak
index 4ab8c19f..b1db71b0 100644
--- a/containerize/Containerfile.garak
+++ b/containerize/Containerfile.garak
@@ -123,7 +123,7 @@ COPY ./containerize/container_default_config.yaml /opt/rapidast/rapidast-default
 COPY ./containerize/path_rapidast.sh /etc/profile.d/rapidast.sh
 
 ### Install RapiDAST requirements, globally, so that it's available to any user
-RUN microdnf -y module enable nodejs:24 && \
+RUN set -x && microdnf -y module enable nodejs:24 && \
   microdnf install -y --setopt=install_weak_deps=0 --nodocs \
       shadow-utils procps \
       # RapiDAST
@@ -137,8 +137,11 @@ RUN microdnf -y module enable nodejs:24 && \
       # user convenience
       git-core \
       && \
+  cat /cachi2/cachi2.env && \
+  ls -R /cachi2/output/deps/pip && \
   python3.12 -m ensurepip --upgrade && \
-  python3.12 -m pip install --no-cache-dir -r /opt/rapidast/requirements-llm.txt && \
+  python3.12 -m pip install --no-cache-dir -f /usr/share/python3.12-wheels/ \
+    -r /opt/rapidast/requirements-llm.txt && \
   microdnf clean all -y && rm -rf /var/cache/dnf /tmp/* && \
   ln -s /usr/bin/python3.12 /usr/local/bin/python3 && \
   ln -s /opt/redocly/node_modules/@redocly/cli/bin/cli.js /usr/local/bin/redocly
diff --git a/requirements-build.txt b/requirements-build.txt
index 3181da8b..f7417997 100644
--- a/requirements-build.txt
+++ b/requirements-build.txt
@@ -2,128 +2,22 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pybuild-deps compile --output-file=requirements-build.txt
+#    pip-compile --allow-unsafe requirements-build.in
 #
-calver==2025.10.20
-    # via trove-classifiers
-cffi==2.0.0
-    # via cryptography
-cython==3.2.4
-    # via pyyaml
-flit-core==3.12.0
+packaging==26.2
     # via
-    #   arrow
-    #   click
-    #   idna
-    #   loguru
-    #   markdown-it-py
-    #   mdurl
-    #   packaging
-    #   pathspec
-    #   typing-extensions
-    #   wheel
-hatch-fancy-pypi-readme==25.1.0
-    # via
-    #   attrs
-    #   jsonschema
-hatch-vcs==0.5.0
-    # via
-    #   attrs
-    #   jsonschema
-    #   jsonschema-specifications
-    #   referencing
-    #   urllib3
-hatchling==1.29.0
-    # via
-    #   attrs
-    #   hatch-fancy-pypi-readme
-    #   hatch-vcs
-    #   jsonschema
-    #   jsonschema-specifications
-    #   pygments
-    #   referencing
-    #   urllib3
-maturin==1.13.1
-    # via
-    #   cryptography
-    #   pendulum
-    #   rpds-py
-packaging==26.0
-    # via
-    #   hatchling
     #   setuptools-scm
     #   vcs-versioning
     #   wheel
-pathspec==1.1.1
-    # via hatchling
-pdm-backend==2.4.8
-    # via
-    #   annotated-doc
-    #   typer
-    #   webcolors
-pluggy==1.6.0
-    # via hatchling
-poetry-core==2.3.2
-    # via
-    #   cel-python
-    #   rich
-pycparser==3.0
-    # via cffi
-semantic-version==2.10.0
-    # via setuptools-rust
-setuptools-rust==1.12.1
-    # via maturin
 setuptools-scm==10.0.5
-    # via
-    #   hatch-vcs
-    #   pluggy
-    #   setuptools-rust
-    #   uri-template
-setuptools-scm==10.0.5
-    # via python-dateutil
-setuptools-scm==10.0.5
-    # via
-    #   hatch-vcs
-    #   urllib3
-trove-classifiers==2026.4.28.13
-    # via hatchling
-typing-extensions==4.15.0
-    # via setuptools-scm
+    # via -r requirements-build.in
 vcs-versioning==1.1.1
     # via setuptools-scm
 wheel==0.47.0
-    # via
-    #   google-crc32c
-    #   python-dateutil
-    #   shellingham
-    #   tzdata
+    # via -r requirements-build.in
 
 # The following packages are considered to be unsafe in a requirements file:
-setuptools==82.0.0
-    # via charset-normalizer
 setuptools==82.0.1
     # via
-    #   calver
-    #   certifi
-    #   cffi
-    #   cryptography
-    #   google-api-core
-    #   google-crc32c
-    #   googleapis-common-protos
-    #   maturin
-    #   pathspec
-    #   pluggy
-    #   proto-plus
-    #   pyasn1
-    #   pyasn1-modules
-    #   python-dateutil
-    #   python-dotenv
-    #   pyyaml
-    #   setuptools-rust
+    #   -r requirements-build.in
     #   setuptools-scm
-    #   shellingham
-    #   trove-classifiers
-    #   types-pyyaml
-    #   tzdata
-    #   uri-template
-    #   vcs-versioning