Bump opencode to 1.14.28

Gitea Actions runners accumulate buildkit cache, stale containers,
and unused images. Without periodic cleanup the disk fills and builds
stall during image push (observed: build-omos hung at 'pushing layers'
for 1.5h on a 77%-full disk).

Add a 'CI runner maintenance' section to deploy/README.md with two
cleanup layers: a daily cron job (prunes anything >72h old) and
Docker daemon builder GC (caps buildkit cache at 10 GB).

.env.shared.example

@@ -1,7 +1,13 @@
 # ── Shared machine setup ─────────────────────────────────────────────
-# Your corporate signum / username (REQUIRED)
-# This isolates your container, config, and data from other users.
-SIGNUM=your-signum-here
+# SIGNUM isolates your container name and named volumes from other users.
+#
+# Own-account mode (each user has their own OS login):
+#   Leave SIGNUM commented out — it defaults to your OS username ($USER).
+# SIGNUM=
+#
+# Shared-account mode (everyone logs in as the same OS user):
+#   Uncomment and set to your unique identifier.
+# SIGNUM=your-signum-here
 
 # ── Provider ─────────────────────────────────────────────────────────
 OPENCODE_PROVIDER=amazon-bedrock

CHANGELOG.md

@@ -0,0 +1,159 @@
+# Changelog
+
+All notable changes to the opencode-devbox container image.
+
+Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a new opencode release, letter suffix (`b`, `c`, …) for container-level rebuilds on the same version. See [AGENTS.md](AGENTS.md#versioning-scheme) for details.
+
+---
+
+## v1.14.28 — 2026-04-26
+
+Bump opencode to 1.14.28.
+
+## v1.14.25 — 2026-04-25
+
+Bump opencode to 1.14.25. Also includes container-level changes since v1.14.22b:
+- Add `python3-pip` and `python3-venv` to base image (fixes Mason LSP installs).
+- Add `devbox-nvim-data` named volume for neovim plugin/Mason persistence.
+- Add `devbox-zoxide` named volume for zoxide directory history persistence.
+- Bake devbox-shell bridge line into `/etc/skel-devbox/.bash_aliases`.
+- Add CHANGELOG.md with full release history.
+
+## v1.14.22b — 2026-04-23
+
+**Fix Mason LSP installs, persist nvim data, devbox-shell bridge.**
+
+- **Fix:** Add `python3-pip` and `python3-venv` to base image. Mason creates a Python venv per LSP package and pip-installs into it; Debian trixie ships python3 without ensurepip, so venv creation failed and every Mason Python package (ruff, ansible-lint) errored on every nvim start.
+- **Feature:** Add `devbox-nvim-data` named volume at `~/.local/share/nvim` — Lazy plugin cache and Mason LSP installs now persist across `--force-recreate`.
+- **Feature:** Add `devbox-zoxide` named volume at `~/.local/share/zoxide` — zoxide directory history persists across recreates.
+- **Feature:** Bake the devbox-shell bridge line into `/etc/skel-devbox/.bash_aliases` — hosts using the `~/.config/devbox-shell/` directory-mount pattern get automatic sourcing without manual setup after recreate.
+
+## v1.14.22 — 2026-04-23
+
+Bump opencode to 1.14.22.
+
+## v1.14.21 — 2026-04-23
+
+**Opencode 1.14.21 + zoxide persistence + multi-user fixes.**
+
+- Bump opencode to 1.14.21.
+- Fix single-file bind-mount caveat: document the kernel-level inode issue (affects all platforms, not just Docker Desktop).
+- Pin project name in default `docker-compose.yml` — directory renames no longer orphan named volumes.
+- Fix volume collision in shared-machine compose: scope project name by `SIGNUM`.
+- Auto-detect OS username (`$USER`) for volume isolation in own-account mode.
+- Document the upgrade ritual for reconciling VM compose files.
+- Add multi-user setup pointer in DOCKER_HUB.md.
+
+## v1.14.20b — 2026-04-21
+
+**Fix `[devbox]` prompt marker lost on `exec bash`.**
+
+- The PS1 prefix guard used an exported env var that survived `exec bash`, but PS1 itself doesn't — so the new shell skipped adding the prefix. Replaced with a substring check on PS1 itself.
+- Clarify tag-letter convention in AGENTS.md: suffix is the build ordinal, `a` is never used.
+
+## v1.14.20 — 2026-04-21
+
+**Opencode 1.14.20 + PROMPT_COMMAND/zoxide fix.**
+
+- Bump opencode to 1.14.20.
+- Fix `PROMPT_COMMAND` collision with zoxide: `history -a;` followed by zoxide's `;__zoxide_hook` produced `;;` which bash rejected on every prompt. Moved history-flush after zoxide init, using newline separator.
+- Includes all v1.14.19c shell-defaults work (baked `.bash_aliases`/`.inputrc` via `/etc/skel-devbox/`, skel-copy on first run, `devbox-shell-history` named volume).
+
+## v1.14.19d — 2026-04-21
+
+*Superseded by v1.14.20 before building. Tagged but never built.*
+
+## v1.14.19c — 2026-04-21
+
+**Bash history persistence, shell defaults, GID auto-detect.**
+
+- **Feature:** Bash history persists across `--force-recreate` via `devbox-shell-history` named volume at `~/.cache/bash`.
+- **Feature:** Quality-of-life shell defaults shipped in `/etc/skel-devbox/` and copied to `~/` only if absent: prefix history search on Up/Down, 100k-entry timestamped dedup history, coloured case-insensitive tab completion, eza/bat aliases, zoxide/fzf integrations, `[devbox]` prompt marker.
+- **Feature:** Skel-copy pattern — host bind-mounts and in-container customizations are never overwritten on upgrade.
+- **Fix:** Entrypoint now detects workspace UID and GID independently. Hosts with UID 1000 but non-1000 GID (e.g. Debian's `useradd` default GID 1001) get correct group remapping.
+- **Docs:** SSH banner-timeout troubleshooting (CGNAT), shell defaults section, skel restore/diff commands.
+
+## v1.14.19b — 2026-04-20
+
+**Ownership fixes and config/docs refresh.**
+
+- **Fix:** Root-owned parent dirs left behind by nested named-volume mounts. Entrypoint now chowns `.local`, `.local/share`, `.local/state`, `.config` before leaf mount points.
+- **Fix:** `deploy/sync-to-vm.sh` no longer preserves host GIDs (`rsync -a` → `-rlptDz`).
+- Default model IDs refreshed (claude-sonnet-4-6, gpt-5.4, global Bedrock inference profile).
+- Documentation gates oh-my-opencode-slim references to the OMOS variant.
+
+## v1.14.19 — 2026-04-20
+
+Bump opencode to 1.14.19.
+
+## v1.14.18 — 2026-04-19
+
+Fix Bun download URL: remove non-existent LATEST file fetch.
+
+## v1.4.17 — 2026-04-19
+
+Bump opencode to v1.4.17, add `file` utility to base image.
+
+## v1.4.12 — 2026-04-18
+
+Bump opencode to v1.4.12.
+
+## v1.4.11 — 2026-04-18
+
+Bump opencode to v1.4.11.
+
+## v1.4.7 — 2026-04-17
+
+Bump opencode to v1.4.7.
+
+## v1.4.6 — 2026-04-15
+
+Bump opencode to v1.4.6.
+
+## v1.4.3k — 2026-04-13
+
+Fix Bedrock config: add `AWS_PROFILE` to generated config, add `.agents/skills` to volume ownership fix.
+
+## v1.4.3j — 2026-04-13
+
+Upgrade base image from Debian bookworm to trixie (current stable). Bookworm EOL June 2026; trixie supported until 2028/LTS 2030.
+
+## v1.4.3i — 2026-04-12
+
+Add rustup for on-demand Rust support, document JS/TS development.
+
+## v1.4.3h — 2026-04-12
+
+Add uv package manager to base image for on-demand Python support.
+
+## v1.4.3g — 2026-04-12
+
+Fix IPv6 connectivity failures: force IPv4 preference in CI builds.
+
+## v1.4.3f — 2026-04-11
+
+Add error handling to Docker Hub description update step.
+
+## v1.4.3e — 2026-04-10
+
+Fix CVEs: install git-lfs from GitHub (Go 1.25), document Go versions for gosu/fzf.
+
+## v1.4.3d — 2026-04-10
+
+Fix CVEs: install gosu 1.19 and fzf 0.71.0 from GitHub releases instead of Debian packages.
+
+## v1.4.3c — 2026-04-10
+
+Fix CVEs: install gosu from GitHub release instead of Debian package (Go 1.19.8 → current).
+
+## v1.4.3b — 2026-04-10
+
+Fix entrypoint crash on read-only SSH mount.
+
+## v1.4.3 — 2026-04-10
+
+Bump opencode to 1.4.3.
+
+## v1.4.2 — 2026-04-10
+
+Initial release. Fix CI: use vars for username, secrets for token.

DOCKER_HUB.md

@@ -228,6 +228,8 @@ Understanding what survives container restarts and what doesn't:
 | `/home/developer/.local/share/opencode` | Named volume (if configured) | ✅ Yes — Docker volume | Session history, memory, auth tokens |
 | `/home/developer/.local/state/opencode` | Named volume (if configured) | ✅ Yes — Docker volume | TUI settings (theme, toggles) |
 | `/home/developer/.cache/bash` | Named volume `devbox-shell-history` | ✅ Yes — Docker volume | Bash history (`$HISTFILE`) — survives container recreate |
+| `/home/developer/.local/share/zoxide` | Named volume `devbox-zoxide` | ✅ Yes — Docker volume | Zoxide directory history (`z <fragment>` jump targets) |
+| `/home/developer/.local/share/nvim` | Named volume `devbox-nvim-data` | ✅ Yes — Docker volume | Neovim plugins, Mason LSP installs, Lazy plugin cache |
 | `/home/developer/.local/share/uv` | Named volume (if configured) | ✅ Yes — Docker volume | Python installs, uv tool installs |
 | `/home/developer/.rustup` | Named volume (if configured) | ✅ Yes — Docker volume | Rust toolchains |
 | `/home/developer/.cargo` | Named volume (if configured) | ✅ Yes — Docker volume | Cargo binaries, registry cache |
@@ -547,6 +549,12 @@ ping all agents
 
 All six agents should respond if your provider authentication is working.
 
+## Multi-User Setup
+
+This guide covers single-user setup. For running multiple opencode-devbox instances in parallel — whether each user has their own OS account or everyone shares one login — see the [Multi-user setup section](https://gitea.jordbo.se/joakimp/opencode-devbox#multi-user-setup) in the source repository. It covers volume isolation, the `docker-compose.shared.yml` layout, and the `SIGNUM` / `$USER` auto-detection mechanism.
+
 ## Source
 
 Build from source or contribute: [opencode-devbox on Gitea](https://gitea.jordbo.se/joakimp/opencode-devbox)
+
+See the [Changelog](https://gitea.jordbo.se/joakimp/opencode-devbox/src/branch/main/CHANGELOG.md) for a full release history.

Dockerfile

@@ -5,7 +5,7 @@ ARG DEBIAN_VERSION=trixie-slim
 FROM debian:${DEBIAN_VERSION} AS base
 
 ARG TARGETARCH
-ARG OPENCODE_VERSION=1.14.20
+ARG OPENCODE_VERSION=1.14.28
 
 LABEL maintainer="joakimp"
 LABEL description="Portable opencode developer container"
@@ -42,6 +42,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     gcc \
     g++ \
     rsync \
+    python3-pip \
+    python3-venv \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 

README.md

@@ -273,11 +273,17 @@ volumes:
   - devbox-vscode:/home/developer/.vscode-server
 ```
 
-### Shared machine setup (multiple users, single OS account)
+### Multi-user setup
 
-For machines where multiple users share one OS account (e.g. a common `garage` user), a separate compose file isolates each user's config and data using a `SIGNUM` variable.
+The shared-machine compose file (`docker-compose.shared.yml`) supports two modes:
 
-Each user creates their own directory and setup:
+**Own-account mode** (each user has their own OS login — the common case):
+Leave `SIGNUM` unset in `.env`. The project name defaults to `devbox-$USER`, so each OS user automatically gets isolated container names and named volumes with zero configuration.
+
+**Shared-account mode** (everyone logs in as the same OS user, e.g. `garage`):
+Each user sets `SIGNUM=<unique-id>` in `.env` to get isolation.
+
+Setup per user:
 
 ```bash
 # Replace <signum> with your username/identifier
@@ -291,17 +297,17 @@ cp /path/to/opencode-devbox/.env.shared.example .env
 # Create per-user config directory
 mkdir -p ~/<signum>/.config/opencode
 
-# Edit .env with your signum, provider, keys, etc.
+# Edit .env — set SIGNUM only if you're in shared-account mode
 vim .env
 
 # Start
 docker compose up -d
-docker compose exec -u developer devbox-<signum> opencode
+docker compose exec -u developer devbox opencode
 ```
 
 Each user's container, config, and named volumes are fully isolated:
-- Container name: `devbox-<signum>` (no collisions)
-- Named volumes: prefixed with the project directory name (automatic per-user isolation)
+- Container name: `devbox-<signum>` (or `devbox-$USER` in own-account mode)
+- Named volumes: prefixed with the project name (`devbox-<signum>_devbox-data`, etc.) — the Docker daemon is system-wide, so directory-name prefixing alone is NOT sufficient for isolation
 - Opencode config: `~/<signum>/.config/opencode/` (per-user settings, OMOS config, etc.)
 
 See `docker-compose.shared.yml` and `.env.shared.example` for the full configuration.
@@ -460,6 +466,8 @@ Defaults you get out of the box:
 - ~/.inputrc:/home/developer/.inputrc:ro
 ```
 
+> **Single-file bind-mount caveat (all platforms):** Docker bind-mounts the file's **inode**, not its path. When editors like vim, nvim, VS Code, or `sed -i` save a file, they write to a temp file and `rename()` it over the original — creating a new inode. The container stays pinned to the old (now unlinked) inode and never sees the update. This is a kernel limitation ([Docker #15793](https://github.com/moby/moby/issues/15793)), not fixable by Docker. Append-only writes (`echo "alias foo=bar" >> file`) are safe because they modify the same inode. **Workaround:** mount the parent directory instead of the single file (e.g. `~/.config/devbox-shell:/home/developer/.config/devbox-shell:ro`) and source files from there.
+
 **Option B — customize inside the container.** Just edit `~/.bash_aliases` or `~/.inputrc` as normal. Pair this with a bind-mount or named volume on the home dir if you want the edits to survive container recreation.
 
 ### Restoring or diffing defaults
@@ -540,6 +548,8 @@ Container (Debian trixie)
 | `/home/developer/.local/share/opencode` | Named volume `devbox-data` | ✅ Yes | Session history, memory |
 | `/home/developer/.local/state/opencode` | Named volume `devbox-state` | ✅ Yes | TUI settings (theme, toggles) |
 | `/home/developer/.cache/bash` | Named volume `devbox-shell-history` | ✅ Yes | Bash history (`$HISTFILE`), survives container recreate |
+| `/home/developer/.local/share/zoxide` | Named volume `devbox-zoxide` | ✅ Yes | Zoxide directory history (`z <fragment>` jump targets) |
+| `/home/developer/.local/share/nvim` | Named volume `devbox-nvim-data` | ✅ Yes | Neovim plugins, Mason LSP installs, Lazy plugin cache |
 | `/home/developer/.local/share/uv` | Named volume `devbox-uv` (if configured) | ✅ Yes | Python installs, uv tool installs |
 | `/home/developer/.rustup` | Named volume `devbox-rustup` (if configured) | ✅ Yes | Rust toolchains |
 | `/home/developer/.cargo` | Named volume `devbox-cargo` (if configured) | ✅ Yes | Cargo binaries, registry cache |

deploy/README.md

@@ -198,6 +198,34 @@ After editing `docker-compose.yml` on the VM to uncomment the bind mounts you ne
 
 The script reads `docker-compose.yml` on the remote VM, detects which bind mounts are active, and syncs only those directories from your local machine. It also creates the remote directories if they don't exist.
 
+### Upgrading an existing VM to a new release
+
+Each tagged release may add new named volumes or bind-mount lines to `docker-compose.yml`. Pulling a new image via `docker compose pull` grabs the new container behaviour, but compose files on the VM are user-owned and never touched by the image — you have to reconcile them yourself when upgrading across versions.
+
+**Symptom of a missed reconcile:** a new feature quietly doesn't work even though the image is correct. Example from v1.14.19c → v1.14.20: bash history persistence requires the `devbox-shell-history` named volume mounted at `/home/developer/.cache/bash`. The v1.14.20 image writes history to that path either way, but without the volume mount on the VM, writes land in the container's writable layer and vanish on every `--force-recreate`.
+
+**Upgrade ritual:**
+
+```bash
+# On the VM, before recreating the container:
+cd ~/opencode-devbox
+cp docker-compose.yml docker-compose.yml.bak-$(date +%Y%m%d-%H%M%S)
+
+# Compare against the repo version to see what's new:
+#   (from your local checkout)
+scp devbox-affection:~/opencode-devbox/docker-compose.yml /tmp/vm-compose.yml
+diff -u /tmp/vm-compose.yml ~/src/src_local/opencode-devbox/docker-compose.yml
+```
+
+For each new `volumes:` entry or mount line in the repo version that isn't in your VM's file, add it manually — preserving any local customizations you've made (image variant, read/write flags on bind mounts, etc.). Then:
+
+```bash
+docker compose config >/dev/null   # verify YAML still parses
+docker compose up -d --force-recreate
+```
+
+If you maintain the VM's compose file with no local changes, `scp` the repo version over wholesale. If you have customizations (the common case), do the diff-and-merge by hand.
+
 ### Shell defaults inside the container
 
 The image ships baked `.bash_aliases` and `.inputrc` in `/etc/skel-devbox/` — quality-of-life defaults (prefix history search on Up/Down arrows, persistent history across container recreates via the `devbox-shell-history` named volume, `[devbox]` prompt marker, sensible aliases). On first container start the entrypoint copies them to `/home/developer/` **only if the target file does not already exist**.
@@ -210,6 +238,42 @@ This means:
 - To restore the baked defaults any time: `cp /etc/skel-devbox/.bash_aliases ~/` (or delete the file and recreate the container).
 - To diff your current config against what the image ships: `diff ~/.bash_aliases /etc/skel-devbox/.bash_aliases`.
 
+### CI runner maintenance: automatic Docker pruning
+
+Gitea Actions runners accumulate Docker build cache, stale buildkit containers, and unused images over time. Without periodic cleanup, the runner's disk fills up and builds stall during the image-push phase (symptom: `#61 exporting to image` / `pushing layers` hangs indefinitely while buildkit repeatedly re-authenticates with Docker Hub).
+
+Set up two layers of automatic cleanup on the runner host:
+
+**1. Daily cron job** — prunes images, containers, and build cache older than 72 hours:
+
+```bash
+sudo tee /etc/cron.daily/docker-prune <<'EOF'
+#!/bin/sh
+docker system prune -af --filter "until=72h" > /var/log/docker-prune.log 2>&1
+docker builder prune -af --filter "until=72h" >> /var/log/docker-prune.log 2>&1
+EOF
+sudo chmod +x /etc/cron.daily/docker-prune
+```
+
+**2. Docker daemon builder GC** — caps buildkit cache at 10 GB (Docker 23.0+):
+
+Add to `/etc/docker/daemon.json` (create if absent):
+
+```json
+{
+  "builder": {
+    "gc": {
+      "enabled": true,
+      "defaultKeepStorage": "10GB"
+    }
+  }
+}
+```
+
+Then `sudo systemctl restart docker`.
+
+Both are safe to run on a machine that also hosts long-running containers (like opencode-devbox) — `docker system prune` only removes *unused* images and *stopped* containers, never running ones.
+
 ### Troubleshooting: SSH hangs or "banner exchange" timeouts
 
 If SSH to the VM intermittently fails with `Connection timed out during banner exchange` or pure TCP connect timeouts — especially after the first few successful connects in a short window — the cause is almost certainly your ISP's CGNAT (Carrier-Grade NAT), not the VM.

docker-compose.shared.yml

@@ -12,14 +12,24 @@
 #   5. mkdir -p ~/<signum>/.config/opencode
 #   6. docker compose up -d
 #
-# Named volumes are automatically isolated per user because Docker Compose
-# prefixes them with the project directory name (e.g. opencode-devbox_devbox-data).
-# Since each user runs from ~/<signum>/opencode-devbox/, volumes don't collide.
+# Volume isolation: the top-level 'name:' field derives a unique project
+# name per user, which Docker Compose uses as the prefix for all named
+# volumes. Without this, two users whose compose file lives in a directory
+# with the same basename would share volumes — the Docker daemon is
+# system-wide and doesn't scope by OS user.
+#
+# Two modes:
+#   Own-account mode (each user has their own OS login):
+#     Leave SIGNUM unset in .env — it defaults to $USER automatically.
+#   Shared-account mode (everyone logs in as the same OS user):
+#     Set SIGNUM=<unique-id> in .env so each person gets isolated volumes.
+
+name: devbox-${SIGNUM:-${USER}}
 
 services:
   devbox:
     image: joakimp/opencode-devbox:latest
-    container_name: devbox-${SIGNUM:?Set SIGNUM in .env}
+    container_name: devbox-${SIGNUM:-${USER}}
     stdin_open: true
     tty: true
     env_file:
@@ -42,6 +52,12 @@ services:
       # Persist bash history across container recreations
       - devbox-shell-history:/home/developer/.cache/bash
 
+      # Persist zoxide directory history ('z <fragment>' to jump)
+      - devbox-zoxide:/home/developer/.local/share/zoxide
+
+      # Persist neovim plugin/Mason data (avoids re-downloading on every recreate)
+      - devbox-nvim-data:/home/developer/.local/share/nvim
+
       # Persist uv data (Python installs)
       - devbox-uv:/home/developer/.local/share/uv
 
@@ -51,4 +67,6 @@ services:
 volumes:
   devbox-data:
   devbox-shell-history:
+  devbox-zoxide:
+  devbox-nvim-data:
   devbox-uv:

docker-compose.yml

@@ -8,6 +8,11 @@
 # Or for interactive one-shot:
 #   docker compose run --rm devbox
 
+# Pin the project name so named volumes survive directory renames.
+# Without this, Docker Compose derives the project name from the
+# directory basename — renaming the dir orphans all existing volumes.
+name: opencode-devbox
+
 services:
   devbox:
     image: joakimp/opencode-devbox:latest
@@ -56,9 +61,19 @@ services:
       # Without this, ~/.bash_history is lost on 'docker compose up --force-recreate'.
       - devbox-shell-history:/home/developer/.cache/bash
 
+      # Persist zoxide directory history ('z <fragment>' to jump).
+      - devbox-zoxide:/home/developer/.local/share/zoxide
+
       # Optional: override baked shell defaults with your host's rc files.
       # The image ships sensible defaults (history tuning, prefix-search on
       # Up/Down arrows, fzf/zoxide integration). Uncomment to use your own:
+      #
+      # NOTE: Single-file bind-mounts break when editors use atomic save
+      # (vim, VS Code, sed -i write a temp file then rename() over the
+      # original, creating a new inode the container never sees). This is a
+      # kernel limitation, not Docker-specific. If host edits stop appearing
+      # in the container, mount the parent directory instead — see the
+      # "Shell defaults" section in README.md.
       # - ~/.bash_aliases:/home/developer/.bash_aliases:ro
       # - ~/.inputrc:/home/developer/.inputrc:ro
 
@@ -74,6 +89,9 @@ services:
       # Optional: persist VS Code server and extensions across container recreations
       # - devbox-vscode:/home/developer/.vscode-server
 
+      # Persist neovim plugin/Mason data (avoids re-downloading on every recreate)
+      - devbox-nvim-data:/home/developer/.local/share/nvim
+
       # Optional: AWS credentials/SSO config (not read-only — SSO writes token cache)
       # - ~/.aws:/home/developer/.aws
 
@@ -81,6 +99,8 @@ volumes:
   devbox-data:
   devbox-state:
   devbox-shell-history:
+  devbox-zoxide:
+  devbox-nvim-data:
   devbox-uv:
   # devbox-rustup:
   # devbox-cargo:

entrypoint.sh

@@ -77,6 +77,8 @@ for dir in \
   /home/"$USER_NAME"/.local/share/opencode \
   /home/"$USER_NAME"/.local/state/opencode \
   /home/"$USER_NAME"/.local/share/uv \
+  /home/"$USER_NAME"/.local/share/zoxide \
+  /home/"$USER_NAME"/.local/share/nvim \
   /home/"$USER_NAME"/.cache/bash \
   /home/"$USER_NAME"/.rustup \
   /home/"$USER_NAME"/.cargo \

rootfs/home/developer/.bash_aliases

@@ -3,6 +3,15 @@
 # To override, bind-mount your host's ~/.bash_aliases over this file
 # via docker-compose.yml.
 
+# ── Host-shared shell customizations (devbox-shell bridge) ───────────
+# If the host bind-mounts a directory at ~/.config/devbox-shell/ (the
+# recommended pattern for sharing aliases/PATH/utilities between host
+# and container), source the bash_aliases file from it. This survives
+# --force-recreate because it's baked into the image's skel, not the
+# container's writable layer. Hosts that don't use this pattern are
+# unaffected — the test silently skips if the file doesn't exist.
+[ -r "$HOME/.config/devbox-shell/bash_aliases" ] && . "$HOME/.config/devbox-shell/bash_aliases"
+
 # ── History persistence and quality ──────────────────────────────────
 # The named volume devbox-shell-history is mounted at ~/.cache/bash
 # so history survives container recreation.