feat(extensions/pi): ship pi-env.zsh shell loader

The loader that sources ~/.config/pi/.env into every shell was only
living in the myconfigs tor-ms22 backup \u2014 a fresh machine had nowhere
to get it from except copying by hand. Now canonical here.

- extensions/pi/pi-env.zsh: 20-line POSIX-compatible loader
  (set -a; source ~/.config/pi/.env; set +a). Works in bash and zsh.
- install.sh install_pi_env_loader:
  * oh-my-zsh detected (~/.oh-my-zsh/custom/ exists)
    \u2192 cp into that dir (NOT symlink \u2014 that dir is typically part of
      a dotfiles backup, and a symlink to mempalace-toolkit would
      break when restored on another host).
    \u2192 Idempotent: if target content matches repo, says 'already
      installed'. If it differs, leaves user edits alone and points
      at diff for manual reconcile.
  * No oh-my-zsh \u2192 prints source-this-line snippet for ~/.zshrc or
    ~/.bashrc (derived from $SHELL). Does NOT auto-edit rc files.
- install.sh uninstall: only removes the copy if content still matches
  repo. Local edits preserved.
- Docs:
  * extensions/pi/README.md Environment setup section rewritten with
    both install paths, step 5 of deploy recipe updated.
  * AGENTS.md Structure block lists pi-env.zsh.
  * Root README repo-contents line mentions it.

Verified on tor-ms22: install fresh \u2192 uninstall (content match \u2192 remove)
\u2192 reinstall \u2192 zsh -ic loads AWS vars correctly. Also tested bash fallback
path via HOME=/tmp/fake-home SHELL=/bin/bash \u2014 prints right .bashrc snippet.

extensions/pi/README.md

@@ -97,17 +97,22 @@ Run `pi --list-models` to confirm what your credentials can actually invoke.
 
 ### 5. Ensure AWS env vars are live in your shell
 
-If you provisioned via step 1, `~/.config/pi/.env` exists and
-`~/.oh-my-zsh/custom/pi-env.zsh` sources it on every new shell. Verify:
+**On zsh + oh-my-zsh hosts:** step 3's `install.sh` already copied
+`pi-env.zsh` into `~/.oh-my-zsh/custom/`, so every new shell sources
+`~/.config/pi/.env` automatically. Verify:
 
 ```bash
 exec zsh
 echo "$AWS_PROFILE  $AWS_REGION"   # should print your values
 ```
 
-If empty, check that `~/.config/pi/.env` decrypted (`head ~/.config/pi/.env`
-should show plain text, not binary). `git-crypt unlock` in step 1 is the
-usual culprit when this is empty.
+**On bash or plain zsh (no oh-my-zsh):** `install.sh` printed a
+`source <repo>/extensions/pi/pi-env.zsh` snippet — add that one line to
+`~/.bashrc` or `~/.zshrc`, open a fresh shell, verify as above.
+
+If vars are empty, check that `~/.config/pi/.env` decrypted
+(`head ~/.config/pi/.env` should show plain text, not binary).
+`git-crypt unlock` in step 1 is the usual culprit when this is empty.
 
 ### 6. Register mempalace MCP with opencode (if using opencode too)
 
@@ -259,9 +264,26 @@ layout (matches the tor-ms22 dotfiles pattern):
 ```
 ~/.config/pi/.env               ← AWS_PROFILE=..., AWS_REGION=...
                                   (git-crypt encrypted in dotfiles repo)
-~/.oh-my-zsh/custom/pi-env.zsh  ← set -a; source ~/.config/pi/.env; set +a
+~/.oh-my-zsh/custom/pi-env.zsh  ← installed by mempalace-toolkit install.sh
+                                  (sources the .env into every shell)
 ```
 
+The loader file `pi-env.zsh` is canonical here in `extensions/pi/` and
+installed by `install.sh` in one of two ways:
+
+| Detected | Action |
+|---|---|
+| `~/.oh-my-zsh/custom/` exists | `cp` (not symlink) into that directory — auto-loaded by omz on every new shell. cp not symlink because that directory is part of the dotfiles backup, and a symlink into mempalace-toolkit would break when the backup is restored on another host. |
+| No oh-my-zsh | Prints a shell-specific `source <repo>/extensions/pi/pi-env.zsh` snippet for `~/.zshrc` or `~/.bashrc`. Installer does not auto-edit rc files. |
+
+The loader itself is POSIX-compatible (`set -a` / `source` / `set +a`),
+so bash users can source it directly — no zsh dependency in the file.
+
+Re-runs are idempotent: if the installed copy matches the repo, prints
+"already installed". If it differs, leaves your edits alone and points
+at `diff` for comparison. Uninstall only removes the file if it still
+matches the repo copy; local edits are preserved.
+
 Historical note: these vars used to live under a `# Environment variables
 for pi` block inside `~/.config/opencode/.env`. Split out 2026-05-05 so
 each tool owns its own env file. `install.sh` runs a `check_aws_env`
@@ -276,6 +298,7 @@ mempalace-toolkit/
         ├── README.md               ← this file
         ├── mempalace.ts            ← symlinked into ~/.pi/agent/extensions/
         ├── keybindings.json        ← symlinked into ~/.pi/agent/
+        ├── pi-env.zsh              ← cp'd into ~/.oh-my-zsh/custom/ (or source'd manually for bash)
         └── settings.example.json   ← template; copy + edit into ~/.pi/agent/
 ```
 

extensions/pi/pi-env.zsh

@@ -0,0 +1,28 @@
+# Load pi coding-agent environment variables from ~/.config/pi/.env
+#
+# Canonical source: mempalace-toolkit/extensions/pi/pi-env.zsh
+# Installed by mempalace-toolkit/install.sh via `cp` (not symlink) to keep
+# ~/.oh-my-zsh/custom/ portable across machines with different $HOME paths.
+# See extensions/pi/README.md#environment-setup for the full story.
+#
+# Sources ~/.config/pi/.env (AWS_PROFILE, AWS_REGION, and any future
+# pi-scoped secrets) so pi's Bedrock provider works when spawned from any
+# shell. The .env file itself is shipped (git-crypt encrypted) from the
+# myconfigs dotfiles repo.
+#
+# `set -a` auto-exports every assignment in the sourced file, so plain
+# KEY=VALUE lines become exported env vars without needing `export` in .env.
+# Also works in bash (set -a and source are POSIX) — non-oh-my-zsh users
+# can source this file directly from ~/.bashrc or ~/.zshrc instead.
+#
+# Historical note: these vars used to live in ~/.config/opencode/.env
+# under a "# Environment variables for pi" block. Split out 2026-05-05
+# so each tool owns its own env file.
+
+_pi_env="${HOME}/.config/pi/.env"
+if [[ -r "${_pi_env}" ]]; then
+  set -a
+  source "${_pi_env}"
+  set +a
+fi
+unset _pi_env