Bump opencode to 1.14.28

Gitea Actions runners accumulate buildkit cache, stale containers,
and unused images. Without periodic cleanup the disk fills and builds
stall during image push (observed: build-omos hung at 'pushing layers'
for 1.5h on a 77%-full disk).

Add a 'CI runner maintenance' section to deploy/README.md with two
cleanup layers: a daily cron job (prunes anything >72h old) and
Docker daemon builder GC (caps buildkit cache at 10 GB).

CHANGELOG.md

@@ -0,0 +1,159 @@
+# Changelog
+
+All notable changes to the opencode-devbox container image.
+
+Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a new opencode release, letter suffix (`b`, `c`, …) for container-level rebuilds on the same version. See [AGENTS.md](AGENTS.md#versioning-scheme) for details.
+
+---
+
+## v1.14.28 — 2026-04-26
+
+Bump opencode to 1.14.28.
+
+## v1.14.25 — 2026-04-25
+
+Bump opencode to 1.14.25. Also includes container-level changes since v1.14.22b:
+- Add `python3-pip` and `python3-venv` to base image (fixes Mason LSP installs).
+- Add `devbox-nvim-data` named volume for neovim plugin/Mason persistence.
+- Add `devbox-zoxide` named volume for zoxide directory history persistence.
+- Bake devbox-shell bridge line into `/etc/skel-devbox/.bash_aliases`.
+- Add CHANGELOG.md with full release history.
+
+## v1.14.22b — 2026-04-23
+
+**Fix Mason LSP installs, persist nvim data, devbox-shell bridge.**
+
+- **Fix:** Add `python3-pip` and `python3-venv` to base image. Mason creates a Python venv per LSP package and pip-installs into it; Debian trixie ships python3 without ensurepip, so venv creation failed and every Mason Python package (ruff, ansible-lint) errored on every nvim start.
+- **Feature:** Add `devbox-nvim-data` named volume at `~/.local/share/nvim` — Lazy plugin cache and Mason LSP installs now persist across `--force-recreate`.
+- **Feature:** Add `devbox-zoxide` named volume at `~/.local/share/zoxide` — zoxide directory history persists across recreates.
+- **Feature:** Bake the devbox-shell bridge line into `/etc/skel-devbox/.bash_aliases` — hosts using the `~/.config/devbox-shell/` directory-mount pattern get automatic sourcing without manual setup after recreate.
+
+## v1.14.22 — 2026-04-23
+
+Bump opencode to 1.14.22.
+
+## v1.14.21 — 2026-04-23
+
+**Opencode 1.14.21 + zoxide persistence + multi-user fixes.**
+
+- Bump opencode to 1.14.21.
+- Fix single-file bind-mount caveat: document the kernel-level inode issue (affects all platforms, not just Docker Desktop).
+- Pin project name in default `docker-compose.yml` — directory renames no longer orphan named volumes.
+- Fix volume collision in shared-machine compose: scope project name by `SIGNUM`.
+- Auto-detect OS username (`$USER`) for volume isolation in own-account mode.
+- Document the upgrade ritual for reconciling VM compose files.
+- Add multi-user setup pointer in DOCKER_HUB.md.
+
+## v1.14.20b — 2026-04-21
+
+**Fix `[devbox]` prompt marker lost on `exec bash`.**
+
+- The PS1 prefix guard used an exported env var that survived `exec bash`, but PS1 itself doesn't — so the new shell skipped adding the prefix. Replaced with a substring check on PS1 itself.
+- Clarify tag-letter convention in AGENTS.md: suffix is the build ordinal, `a` is never used.
+
+## v1.14.20 — 2026-04-21
+
+**Opencode 1.14.20 + PROMPT_COMMAND/zoxide fix.**
+
+- Bump opencode to 1.14.20.
+- Fix `PROMPT_COMMAND` collision with zoxide: `history -a;` followed by zoxide's `;__zoxide_hook` produced `;;` which bash rejected on every prompt. Moved history-flush after zoxide init, using newline separator.
+- Includes all v1.14.19c shell-defaults work (baked `.bash_aliases`/`.inputrc` via `/etc/skel-devbox/`, skel-copy on first run, `devbox-shell-history` named volume).
+
+## v1.14.19d — 2026-04-21
+
+*Superseded by v1.14.20 before building. Tagged but never built.*
+
+## v1.14.19c — 2026-04-21
+
+**Bash history persistence, shell defaults, GID auto-detect.**
+
+- **Feature:** Bash history persists across `--force-recreate` via `devbox-shell-history` named volume at `~/.cache/bash`.
+- **Feature:** Quality-of-life shell defaults shipped in `/etc/skel-devbox/` and copied to `~/` only if absent: prefix history search on Up/Down, 100k-entry timestamped dedup history, coloured case-insensitive tab completion, eza/bat aliases, zoxide/fzf integrations, `[devbox]` prompt marker.
+- **Feature:** Skel-copy pattern — host bind-mounts and in-container customizations are never overwritten on upgrade.
+- **Fix:** Entrypoint now detects workspace UID and GID independently. Hosts with UID 1000 but non-1000 GID (e.g. Debian's `useradd` default GID 1001) get correct group remapping.
+- **Docs:** SSH banner-timeout troubleshooting (CGNAT), shell defaults section, skel restore/diff commands.
+
+## v1.14.19b — 2026-04-20
+
+**Ownership fixes and config/docs refresh.**
+
+- **Fix:** Root-owned parent dirs left behind by nested named-volume mounts. Entrypoint now chowns `.local`, `.local/share`, `.local/state`, `.config` before leaf mount points.
+- **Fix:** `deploy/sync-to-vm.sh` no longer preserves host GIDs (`rsync -a` → `-rlptDz`).
+- Default model IDs refreshed (claude-sonnet-4-6, gpt-5.4, global Bedrock inference profile).
+- Documentation gates oh-my-opencode-slim references to the OMOS variant.
+
+## v1.14.19 — 2026-04-20
+
+Bump opencode to 1.14.19.
+
+## v1.14.18 — 2026-04-19
+
+Fix Bun download URL: remove non-existent LATEST file fetch.
+
+## v1.4.17 — 2026-04-19
+
+Bump opencode to v1.4.17, add `file` utility to base image.
+
+## v1.4.12 — 2026-04-18
+
+Bump opencode to v1.4.12.
+
+## v1.4.11 — 2026-04-18
+
+Bump opencode to v1.4.11.
+
+## v1.4.7 — 2026-04-17
+
+Bump opencode to v1.4.7.
+
+## v1.4.6 — 2026-04-15
+
+Bump opencode to v1.4.6.
+
+## v1.4.3k — 2026-04-13
+
+Fix Bedrock config: add `AWS_PROFILE` to generated config, add `.agents/skills` to volume ownership fix.
+
+## v1.4.3j — 2026-04-13
+
+Upgrade base image from Debian bookworm to trixie (current stable). Bookworm EOL June 2026; trixie supported until 2028/LTS 2030.
+
+## v1.4.3i — 2026-04-12
+
+Add rustup for on-demand Rust support, document JS/TS development.
+
+## v1.4.3h — 2026-04-12
+
+Add uv package manager to base image for on-demand Python support.
+
+## v1.4.3g — 2026-04-12
+
+Fix IPv6 connectivity failures: force IPv4 preference in CI builds.
+
+## v1.4.3f — 2026-04-11
+
+Add error handling to Docker Hub description update step.
+
+## v1.4.3e — 2026-04-10
+
+Fix CVEs: install git-lfs from GitHub (Go 1.25), document Go versions for gosu/fzf.
+
+## v1.4.3d — 2026-04-10
+
+Fix CVEs: install gosu 1.19 and fzf 0.71.0 from GitHub releases instead of Debian packages.
+
+## v1.4.3c — 2026-04-10
+
+Fix CVEs: install gosu from GitHub release instead of Debian package (Go 1.19.8 → current).
+
+## v1.4.3b — 2026-04-10
+
+Fix entrypoint crash on read-only SSH mount.
+
+## v1.4.3 — 2026-04-10
+
+Bump opencode to 1.4.3.
+
+## v1.4.2 — 2026-04-10
+
+Initial release. Fix CI: use vars for username, secrets for token.

DOCKER_HUB.md

@@ -229,6 +229,7 @@ Understanding what survives container restarts and what doesn't:
 | `/home/developer/.local/state/opencode` | Named volume (if configured) | ✅ Yes — Docker volume | TUI settings (theme, toggles) |
 | `/home/developer/.cache/bash` | Named volume `devbox-shell-history` | ✅ Yes — Docker volume | Bash history (`$HISTFILE`) — survives container recreate |
 | `/home/developer/.local/share/zoxide` | Named volume `devbox-zoxide` | ✅ Yes — Docker volume | Zoxide directory history (`z <fragment>` jump targets) |
+| `/home/developer/.local/share/nvim` | Named volume `devbox-nvim-data` | ✅ Yes — Docker volume | Neovim plugins, Mason LSP installs, Lazy plugin cache |
 | `/home/developer/.local/share/uv` | Named volume (if configured) | ✅ Yes — Docker volume | Python installs, uv tool installs |
 | `/home/developer/.rustup` | Named volume (if configured) | ✅ Yes — Docker volume | Rust toolchains |
 | `/home/developer/.cargo` | Named volume (if configured) | ✅ Yes — Docker volume | Cargo binaries, registry cache |
@@ -555,3 +556,5 @@ This guide covers single-user setup. For running multiple opencode-devbox instan
 ## Source
 
 Build from source or contribute: [opencode-devbox on Gitea](https://gitea.jordbo.se/joakimp/opencode-devbox)
+
+See the [Changelog](https://gitea.jordbo.se/joakimp/opencode-devbox/src/branch/main/CHANGELOG.md) for a full release history.

Dockerfile

@@ -5,7 +5,7 @@ ARG DEBIAN_VERSION=trixie-slim
 FROM debian:${DEBIAN_VERSION} AS base
 
 ARG TARGETARCH
-ARG OPENCODE_VERSION=1.14.21
+ARG OPENCODE_VERSION=1.14.28
 
 LABEL maintainer="joakimp"
 LABEL description="Portable opencode developer container"
@@ -42,6 +42,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     gcc \
     g++ \
     rsync \
+    python3-pip \
+    python3-venv \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 

README.md

@@ -549,6 +549,7 @@ Container (Debian trixie)
 | `/home/developer/.local/state/opencode` | Named volume `devbox-state` | ✅ Yes | TUI settings (theme, toggles) |
 | `/home/developer/.cache/bash` | Named volume `devbox-shell-history` | ✅ Yes | Bash history (`$HISTFILE`), survives container recreate |
 | `/home/developer/.local/share/zoxide` | Named volume `devbox-zoxide` | ✅ Yes | Zoxide directory history (`z <fragment>` jump targets) |
+| `/home/developer/.local/share/nvim` | Named volume `devbox-nvim-data` | ✅ Yes | Neovim plugins, Mason LSP installs, Lazy plugin cache |
 | `/home/developer/.local/share/uv` | Named volume `devbox-uv` (if configured) | ✅ Yes | Python installs, uv tool installs |
 | `/home/developer/.rustup` | Named volume `devbox-rustup` (if configured) | ✅ Yes | Rust toolchains |
 | `/home/developer/.cargo` | Named volume `devbox-cargo` (if configured) | ✅ Yes | Cargo binaries, registry cache |

deploy/README.md

@@ -238,6 +238,42 @@ This means:
 - To restore the baked defaults any time: `cp /etc/skel-devbox/.bash_aliases ~/` (or delete the file and recreate the container).
 - To diff your current config against what the image ships: `diff ~/.bash_aliases /etc/skel-devbox/.bash_aliases`.
 
+### CI runner maintenance: automatic Docker pruning
+
+Gitea Actions runners accumulate Docker build cache, stale buildkit containers, and unused images over time. Without periodic cleanup, the runner's disk fills up and builds stall during the image-push phase (symptom: `#61 exporting to image` / `pushing layers` hangs indefinitely while buildkit repeatedly re-authenticates with Docker Hub).
+
+Set up two layers of automatic cleanup on the runner host:
+
+**1. Daily cron job** — prunes images, containers, and build cache older than 72 hours:
+
+```bash
+sudo tee /etc/cron.daily/docker-prune <<'EOF'
+#!/bin/sh
+docker system prune -af --filter "until=72h" > /var/log/docker-prune.log 2>&1
+docker builder prune -af --filter "until=72h" >> /var/log/docker-prune.log 2>&1
+EOF
+sudo chmod +x /etc/cron.daily/docker-prune
+```
+
+**2. Docker daemon builder GC** — caps buildkit cache at 10 GB (Docker 23.0+):
+
+Add to `/etc/docker/daemon.json` (create if absent):
+
+```json
+{
+  "builder": {
+    "gc": {
+      "enabled": true,
+      "defaultKeepStorage": "10GB"
+    }
+  }
+}
+```
+
+Then `sudo systemctl restart docker`.
+
+Both are safe to run on a machine that also hosts long-running containers (like opencode-devbox) — `docker system prune` only removes *unused* images and *stopped* containers, never running ones.
+
 ### Troubleshooting: SSH hangs or "banner exchange" timeouts
 
 If SSH to the VM intermittently fails with `Connection timed out during banner exchange` or pure TCP connect timeouts — especially after the first few successful connects in a short window — the cause is almost certainly your ISP's CGNAT (Carrier-Grade NAT), not the VM.

docker-compose.shared.yml

@@ -55,6 +55,9 @@ services:
       # Persist zoxide directory history ('z <fragment>' to jump)
       - devbox-zoxide:/home/developer/.local/share/zoxide
 
+      # Persist neovim plugin/Mason data (avoids re-downloading on every recreate)
+      - devbox-nvim-data:/home/developer/.local/share/nvim
+
       # Persist uv data (Python installs)
       - devbox-uv:/home/developer/.local/share/uv
 
@@ -65,4 +68,5 @@ volumes:
   devbox-data:
   devbox-shell-history:
   devbox-zoxide:
+  devbox-nvim-data:
   devbox-uv:

docker-compose.yml

@@ -89,6 +89,9 @@ services:
       # Optional: persist VS Code server and extensions across container recreations
       # - devbox-vscode:/home/developer/.vscode-server
 
+      # Persist neovim plugin/Mason data (avoids re-downloading on every recreate)
+      - devbox-nvim-data:/home/developer/.local/share/nvim
+
       # Optional: AWS credentials/SSO config (not read-only — SSO writes token cache)
       # - ~/.aws:/home/developer/.aws
 
@@ -97,6 +100,7 @@ volumes:
   devbox-state:
   devbox-shell-history:
   devbox-zoxide:
+  devbox-nvim-data:
   devbox-uv:
   # devbox-rustup:
   # devbox-cargo:

entrypoint.sh

@@ -78,6 +78,7 @@ for dir in \
   /home/"$USER_NAME"/.local/state/opencode \
   /home/"$USER_NAME"/.local/share/uv \
   /home/"$USER_NAME"/.local/share/zoxide \
+  /home/"$USER_NAME"/.local/share/nvim \
   /home/"$USER_NAME"/.cache/bash \
   /home/"$USER_NAME"/.rustup \
   /home/"$USER_NAME"/.cargo \

rootfs/home/developer/.bash_aliases

@@ -3,6 +3,15 @@
 # To override, bind-mount your host's ~/.bash_aliases over this file
 # via docker-compose.yml.
 
+# ── Host-shared shell customizations (devbox-shell bridge) ───────────
+# If the host bind-mounts a directory at ~/.config/devbox-shell/ (the
+# recommended pattern for sharing aliases/PATH/utilities between host
+# and container), source the bash_aliases file from it. This survives
+# --force-recreate because it's baked into the image's skel, not the
+# container's writable layer. Hosts that don't use this pattern are
+# unaffected — the test silently skips if the file doesn't exist.
+[ -r "$HOME/.config/devbox-shell/bash_aliases" ] && . "$HOME/.config/devbox-shell/bash_aliases"
+
 # ── History persistence and quality ──────────────────────────────────
 # The named volume devbox-shell-history is mounted at ~/.cache/bash
 # so history survives container recreation.