Add official Gitea MCP server to base image

Install gitea-mcp v1.1.0 (Go binary from gitea.com/gitea/gitea-mcp)
using the same multi-arch pattern as gosu/fzf/bat. Provides 50+ MCP
tools for Gitea API — repos, issues, PRs, releases, branches, wiki,
and Actions.

Disabled by default in auto-generated opencode.json (requires
GITEA_ACCESS_TOKEN and GITEA_HOST to be useful). Users enable it by
setting those env vars in .env and flipping enabled to true in their
opencode.json.

Env vars forwarded into the container via docker-compose.yml and
docker-compose.shared.yml environment blocks. Same {env:VAR} pattern
as the GitHub MCP server.

Docs updated: README.md (new Gitea MCP section with setup steps),
DOCKER_HUB.md (tools list), CHANGELOG.md (v1.14.28b entry).

.gitignore

@@ -4,5 +4,8 @@
 *~
 .DS_Store
 
+# Docker buildx state (created by 'docker compose build')
+.docker/
+
 # Personal cloud-init overrides (not shared)
 deploy/my-cloud-init.yml

CHANGELOG.md

@@ -6,6 +6,16 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
 
 ---
 
+## v1.14.28b — 2026-04-27
+
+- **Feature:** Add MemPalace local-first AI memory system to base image. Provides 29 MCP tools for semantic search over conversation history, knowledge graph queries, and agent diaries. Palace data persists via optional `devbox-palace` named volume, ChromaDB embedding model cache via `devbox-chroma-cache`. No API keys required.
+- **Feature:** Auto-register mempalace MCP server in generated opencode.json (when mempalace is installed and config is auto-generated from OPENCODE_PROVIDER).
+- **Feature:** Add official Gitea MCP server (`gitea-mcp`) to base image. Provides 50+ MCP tools for Gitea API (repos, issues, PRs, releases, Actions). Disabled by default — requires `GITEA_ACCESS_TOKEN` and `GITEA_HOST` env vars.
+
+## v1.14.28 — 2026-04-26
+
+Bump opencode to 1.14.28.
+
 ## v1.14.25 — 2026-04-25
 
 Bump opencode to 1.14.25. Also includes container-level changes since v1.14.22b:

DOCKER_HUB.md

@@ -230,6 +230,8 @@ Understanding what survives container restarts and what doesn't:
 | `/home/developer/.cache/bash` | Named volume `devbox-shell-history` | ✅ Yes — Docker volume | Bash history (`$HISTFILE`) — survives container recreate |
 | `/home/developer/.local/share/zoxide` | Named volume `devbox-zoxide` | ✅ Yes — Docker volume | Zoxide directory history (`z <fragment>` jump targets) |
 | `/home/developer/.local/share/nvim` | Named volume `devbox-nvim-data` | ✅ Yes — Docker volume | Neovim plugins, Mason LSP installs, Lazy plugin cache |
+| `/home/developer/.mempalace` | Named volume `devbox-palace` (if configured) | ✅ Yes — Docker volume | MemPalace conversation memory, knowledge graph, embeddings |
+| `/home/developer/.cache/chroma` | Named volume `devbox-chroma-cache` (if configured) | ✅ Yes — Docker volume | ChromaDB ONNX embedding model (~79 MB, downloaded on first use) |
 | `/home/developer/.local/share/uv` | Named volume (if configured) | ✅ Yes — Docker volume | Python installs, uv tool installs |
 | `/home/developer/.rustup` | Named volume (if configured) | ✅ Yes — Docker volume | Rust toolchains |
 | `/home/developer/.cargo` | Named volume (if configured) | ✅ Yes — Docker volume | Cargo binaries, registry cache |
@@ -488,7 +490,7 @@ To override with your host's own files, uncomment the matching bind-mount lines
 - **opencode** — AI coding assistant
 - **Node.js 22** — for npx-based MCP servers
 - **AWS CLI v2** — SSO and Bedrock authentication
-- **Dev tools** — git, git-lfs, git-crypt, age, ssh, ripgrep, fd, fzf, bat, eza, zoxide, uv, rustup, jq, make, gcc, g++, curl, wget, neovim 0.12, tmux, htop, tree, rsync
+- **Dev tools** — git, git-lfs, git-crypt, age, ssh, ripgrep, fd, fzf, bat, eza, zoxide, uv, rustup, mempalace, gitea-mcp, jq, make, gcc, g++, curl, wget, neovim 0.12, tmux, htop, tree, rsync
 - **Non-root user** — runs as `developer` with UID auto-matched to workspace owner (sudo available)
 
 ### OMOS image (`latest-omos`)

Dockerfile

@@ -5,7 +5,7 @@ ARG DEBIAN_VERSION=trixie-slim
 FROM debian:${DEBIAN_VERSION} AS base
 
 ARG TARGETARCH
-ARG OPENCODE_VERSION=1.14.25
+ARG OPENCODE_VERSION=1.14.28
 
 LABEL maintainer="joakimp"
 LABEL description="Portable opencode developer container"
@@ -47,6 +47,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 
+# ── MemPalace — local-first AI memory system ─────────────────────────
+# Provides semantic search over conversation history via 29 MCP tools.
+# Palace data persists via the devbox-palace named volume.
+# The embedding model (~300 MB) is downloaded on first use and cached
+# in the palace directory.
+RUN pip install --no-cache-dir --break-system-packages mempalace
+
 # ── Go-compiled tools (install from GitHub to avoid CVEs in Debian's old Go builds)
 
 # gosu — privilege de-escalation (built with Go 1.24.6)
@@ -115,6 +122,14 @@ RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64"
     curl -fsSL "https://static.rust-lang.org/rustup/dist/${ARCH}-unknown-linux-gnu/rustup-init" -o /usr/local/bin/rustup-init && \
     chmod +x /usr/local/bin/rustup-init
 
+# gitea-mcp — MCP server for Gitea API (official, Go binary)
+ARG GITEA_MCP_VERSION=1.1.0
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "arm64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://gitea.com/gitea/gitea-mcp/releases/download/v${GITEA_MCP_VERSION}/gitea-mcp_Linux_${ARCH}.tar.gz" \
+    | tar -xz -C /usr/local/bin/ gitea-mcp && \
+    chmod +x /usr/local/bin/gitea-mcp && \
+    gitea-mcp --version
+
 # Set locale — generate common UTF-8 locales (override via LANG/LC_ALL env vars)
 # To add more locales, run: sudo sed -i '/<locale>.UTF-8/s/^# //g' /etc/locale.gen && sudo locale-gen
 RUN sed -i -E '/(en_US|en_GB|sv_SE|da_DK|nb_NO|fi_FI|de_DE|fr_FR|es_ES|it_IT|pt_BR|nl_NL|pl_PL|ja_JP|ko_KR|zh_CN)\.UTF-8/s/^# //g' /etc/locale.gen && locale-gen

README.md

@@ -444,6 +444,104 @@ The `--use-device-code` flag outputs a URL and short code instead of trying to o
 
 SSO sessions typically last 8–12 hours before requiring re-authentication. Since `~/.aws` is mounted from the host, tokens persist across container restarts.
 
+## MemPalace — persistent AI memory
+
+The image includes [MemPalace](https://github.com/MemPalace/mempalace), a local-first AI memory system that stores conversation history verbatim and retrieves it via semantic search. Nothing leaves your machine.
+
+### Enabling persistence
+
+Uncomment the palace volume in `docker-compose.yml`:
+
+```yaml
+- devbox-palace:/home/developer/.mempalace
+```
+
+Without the volume, palace data lives in the container's writable layer and is lost on `--force-recreate`.
+
+### MCP integration with opencode
+
+Add mempalace as an MCP server in your `opencode.json` (inside `~/.config/opencode/`):
+
+```json
+{
+  "mcp": {
+    "mempalace": {
+      "type": "local",
+      "command": ["python3", "-m", "mempalace.mcp_server"]
+    }
+  }
+}
+```
+
+This gives opencode access to 29 MCP tools for searching memory, querying the knowledge graph, managing wings/rooms/drawers, and agent diaries.
+
+### Basic usage
+
+```bash
+# Mine project files into the palace
+mempalace mine /workspace
+
+# Mine conversation transcripts
+mempalace mine ~/.local/share/opencode/ --mode convos
+
+# Search memory
+mempalace search "why did we switch to eno1"
+
+# Load context for a new session
+mempalace wake-up
+```
+
+Each workspace gets its own isolated "wing" — memories never leak between projects.
+
+### Storage
+
+Two separate named volumes keep different data classes apart:
+
+- **Palace data** (`~/.mempalace/`): ChromaDB vectors, SQLite knowledge graph, drawers. This is your memory — back it up, treat it as precious. Persists via the `devbox-palace` named volume.
+- **Embedding model cache** (`~/.cache/chroma/`): ONNX model (~79 MB), downloaded automatically on first search. Disposable — blow it away and it re-downloads in ~4 seconds. Persists via the `devbox-chroma-cache` named volume so you don't re-download on every container recreation.
+- **No API keys required** for core functionality (local embeddings via ONNX).
+
+Both volumes are commented out by default in `docker-compose.yml` — uncomment to enable:
+
+```yaml
+- devbox-palace:/home/developer/.mempalace
+- devbox-chroma-cache:/home/developer/.cache/chroma
+```
+
+**Air-gapped environments:** pre-populate the `devbox-chroma-cache` volume with the `all-MiniLM-L6-v2/` model contents. The palace volume needs no pre-population.
+
+## Gitea MCP server
+
+The image includes the [official Gitea MCP server](https://gitea.com/gitea/gitea-mcp) (`gitea-mcp`), providing 50+ MCP tools for interacting with self-hosted Gitea instances — repositories, issues, pull requests, releases, branches, wiki, and Actions.
+
+### Setup
+
+1. Create a Personal Access Token on your Gitea instance (Settings → Applications → Generate Token, scopes: `repo`, `read:user`).
+
+2. Add to your `.env`:
+   ```env
+   GITEA_HOST=https://your-gitea-instance.example.com
+   GITEA_ACCESS_TOKEN=your_token_here
+   ```
+
+3. Enable the gitea MCP server in your `opencode.json`:
+   ```json
+   {
+     "mcp": {
+       "gitea": {
+         "type": "local",
+         "command": ["gitea-mcp", "-t", "stdio", "--host", "{env:GITEA_HOST}"],
+         "environment": {
+           "GITEA_ACCESS_TOKEN": "{env:GITEA_ACCESS_TOKEN}"
+         },
+         "enabled": true
+       }
+     }
+   }
+   ```
+
+The server is installed but disabled by default — it requires authentication to be useful.
+
 ## Shell defaults
 
 The image ships a baked `.bash_aliases` and `.inputrc` with quality-of-life defaults. On first container start they are copied from `/etc/skel-devbox/` into `/home/developer/` **only if the target file does not already exist** — so host bind-mounts and any version you've customized inside the container are never overwritten on upgrade.

docker-compose.shared.yml

@@ -36,6 +36,8 @@ services:
       - .env
     environment:
       - TERM=xterm-256color
+      - GITEA_ACCESS_TOKEN=${GITEA_ACCESS_TOKEN:-}
+      - GITEA_HOST=${GITEA_HOST:-}
     volumes:
       # Host workspace — user's project directory
       - ${WORKSPACE_PATH:-~/src}:/workspace
@@ -61,6 +63,12 @@ services:
       # Persist uv data (Python installs)
       - devbox-uv:/home/developer/.local/share/uv
 
+      # Optional: persist MemPalace data (conversation memory, knowledge graph)
+      # - devbox-palace:/home/developer/.mempalace
+
+      # Optional: persist ChromaDB embedding model cache (~79 MB)
+      # - devbox-chroma-cache:/home/developer/.cache/chroma
+
       # Optional: AWS credentials (per-user if available)
       # - ${HOME}/${SIGNUM}/.aws:/home/developer/.aws
 
@@ -70,3 +78,5 @@ volumes:
   devbox-zoxide:
   devbox-nvim-data:
   devbox-uv:
+  # devbox-palace:
+  # devbox-chroma-cache:

docker-compose.yml

@@ -33,6 +33,9 @@ services:
       - .env
     environment:
       - TERM=xterm-256color
+      - GITHUB_PERSONAL_ACCESS_TOKEN=${GITHUB_PERSONAL_ACCESS_TOKEN:-}
+      - GITEA_ACCESS_TOKEN=${GITEA_ACCESS_TOKEN:-}
+      - GITEA_HOST=${GITEA_HOST:-}
     volumes:
       # Host workspace — mount your project here
       - ${WORKSPACE_PATH:-.}:/workspace
@@ -75,7 +78,7 @@ services:
       # in the container, mount the parent directory instead — see the
       # "Shell defaults" section in README.md.
       # - ~/.bash_aliases:/home/developer/.bash_aliases:ro
-      # - ~/.inputrc:/home/developer/.inputrc:ro
+       # - ~/.inputrc:/home/developer/.inputrc:ro
 
       # Optional: persist uv data (Python installs, tool installs)
       # Without this, 'uv python install' must be re-run after container removal.
@@ -92,6 +95,16 @@ services:
       # Persist neovim plugin/Mason data (avoids re-downloading on every recreate)
       - devbox-nvim-data:/home/developer/.local/share/nvim
 
+      # Optional: persist MemPalace data (conversation memory, knowledge graph,
+      # embeddings). Without this, palace data is lost on container recreation.
+      # - devbox-palace:/home/developer/.mempalace
+
+      # Optional: persist ChromaDB embedding model cache (~79 MB, downloaded on
+      # first mempalace search). Without this, the model re-downloads on every
+      # container recreation. Separate from palace data — model cache is
+      # disposable, palace data is precious.
+      # - devbox-chroma-cache:/home/developer/.cache/chroma
+
       # Optional: AWS credentials/SSO config (not read-only — SSO writes token cache)
       # - ~/.aws:/home/developer/.aws
 
@@ -102,6 +115,8 @@ volumes:
   devbox-zoxide:
   devbox-nvim-data:
   devbox-uv:
+  # devbox-palace:
+  # devbox-chroma-cache:
   # devbox-rustup:
   # devbox-cargo:
   # devbox-vscode:

entrypoint-user.sh

@@ -15,6 +15,17 @@ if [ -d "$SKEL_DIR" ]; then
   done
 fi
 
+# ── MemPalace: initialize palace for the workspace if mempalace is installed
+# Creates the palace directory structure on first run. Idempotent — skips
+# if palace already exists. Uses the workspace path to derive the wing name.
+if command -v mempalace &>/dev/null && [ -d /workspace ]; then
+  PALACE_DIR="${HOME}/.mempalace"
+  if [ ! -d "$PALACE_DIR/palace" ]; then
+    echo "Initializing MemPalace for workspace..."
+    mempalace init /workspace 2>/dev/null || true
+  fi
+fi
+
 # ── Git config defaults ──────────────────────────────────────────────
 if [ -n "${GIT_USER_NAME:-}" ] && ! git config --global user.name &>/dev/null; then
   git config --global user.name "$GIT_USER_NAME"
@@ -81,6 +92,35 @@ EOF
 EOF
       ;;
   esac
+
+  # Add MCP servers for installed tools
+  if command -v python3 &>/dev/null; then
+    python3 -c "
+import json, shutil
+with open('$CONFIG_FILE') as f:
+    config = json.load(f)
+mcp = config.setdefault('mcp', {})
+
+# MemPalace — local AI memory (if installed)
+if shutil.which('mempalace'):
+    mcp['mempalace'] = {
+        'type': 'local',
+        'command': ['python3', '-m', 'mempalace.mcp_server']
+    }
+
+# Gitea — self-hosted Git forge API (if installed)
+if shutil.which('gitea-mcp'):
+    mcp['gitea'] = {
+        'type': 'local',
+        'command': ['gitea-mcp', '-t', 'stdio'],
+        'enabled': False
+    }
+
+with open('$CONFIG_FILE', 'w') as f:
+    json.dump(config, f, indent=2)
+    f.write('\n')
+" 2>/dev/null && echo "MCP servers registered in opencode config."
+  fi
 fi
 
 # ── oh-my-opencode-slim setup (multi-agent orchestration) ────────────

entrypoint.sh

@@ -79,7 +79,9 @@ for dir in \
   /home/"$USER_NAME"/.local/share/uv \
   /home/"$USER_NAME"/.local/share/zoxide \
   /home/"$USER_NAME"/.local/share/nvim \
+  /home/"$USER_NAME"/.mempalace \
   /home/"$USER_NAME"/.cache/bash \
+  /home/"$USER_NAME"/.cache/chroma \
   /home/"$USER_NAME"/.rustup \
   /home/"$USER_NAME"/.cargo \
   /home/"$USER_NAME"/.vscode-server \