Bump opencode to v1.4.12

Reduces locale generation from 200+ to 16 targeted locales (major world
languages + Nordic + key European). Saves build time and image size.
Users can add more at runtime via locale-gen.

.env.example

@@ -30,3 +30,15 @@ WORKSPACE_PATH=~/projects
 
 # Path to SSH keys on host
 SSH_KEY_PATH=~/.ssh
+
+# ── Locale (defaults to en_US.UTF-8) ─────────────────────────────────
+# LANG=sv_SE.UTF-8
+# LANGUAGE=sv_SE:sv
+# LC_ALL=sv_SE.UTF-8
+
+# ── oh-my-opencode-slim (multi-agent orchestration) ──────────────────
+# Requires image built with INSTALL_OMOS=true
+# ENABLE_OMOS=false
+# OMOS_TMUX=false              # Enable tmux multiplexer integration
+# OMOS_SKILLS=true             # Install recommended skills (simplify, agent-browser, cartography)
+# OMOS_RESET=false             # Force regenerate oh-my-opencode-slim config on next start

.env.shared.example

@@ -0,0 +1,27 @@
+# ── Shared machine setup ─────────────────────────────────────────────
+# Your corporate signum / username (REQUIRED)
+# This isolates your container, config, and data from other users.
+SIGNUM=your-signum-here
+
+# ── Provider ─────────────────────────────────────────────────────────
+OPENCODE_PROVIDER=amazon-bedrock
+OPENCODE_MODEL=amazon-bedrock/eu.anthropic.claude-opus-4-6-v1
+AWS_REGION=eu-west-1
+AWS_PROFILE=default
+
+# ── Git ──────────────────────────────────────────────────────────────
+GIT_USER_NAME=Your Name
+GIT_USER_EMAIL=your.name@example.com
+
+# ── Paths (adjust to your layout) ───────────────────────────────────
+# Default: ~/src mounted as /workspace
+# WORKSPACE_PATH=~/src
+
+# SSH keys — defaults to shared ~/.ssh
+# If you have per-user keys: SSH_KEY_PATH=~/<signum>/.ssh
+# SSH_KEY_PATH=~/.ssh
+
+# ── Locale (defaults to en_US.UTF-8) ────────────────────────────────
+# LANG=sv_SE.UTF-8
+# LANGUAGE=sv_SE:sv
+# LC_ALL=sv_SE.UTF-8

.gitea/workflows/docker-publish.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 jobs:
-  build-and-push:
+  build-base:
     runs-on: ubuntu-latest
     container:
       image: catthehacker/ubuntu:act-latest
@@ -14,11 +14,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Force IPv4 for Docker Hub
+        run: |
+          # Prefer IPv4 to avoid intermittent IPv6 connectivity failures
+          echo 'precedence ::ffff:0:0/96  100' >> /etc/gai.conf
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
+        with:
+          driver-opts: network=host
 
       - name: Login to Docker Hub
         uses: docker/login-action@v4
@@ -32,7 +39,7 @@ jobs:
           VERSION=${GITHUB_REF#refs/tags/}
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
 
-      - name: Build and push
+      - name: Build and push (base)
         uses: docker/build-push-action@v7
         with:
           context: .
@@ -42,18 +49,83 @@ jobs:
             ${{ vars.DOCKERHUB_USERNAME }}/opencode-devbox:${{ steps.version.outputs.version }}
             ${{ vars.DOCKERHUB_USERNAME }}/opencode-devbox:latest
 
+  build-omos:
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Force IPv4 for Docker Hub
+        run: |
+          # Prefer IPv4 to avoid intermittent IPv6 connectivity failures
+          echo 'precedence ::ffff:0:0/96  100' >> /etc/gai.conf
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+        with:
+          driver-opts: network=host
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Build and push (omos)
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            INSTALL_OMOS=true
+          tags: |
+            ${{ vars.DOCKERHUB_USERNAME }}/opencode-devbox:${{ steps.version.outputs.version }}-omos
+            ${{ vars.DOCKERHUB_USERNAME }}/opencode-devbox:latest-omos
+
+  update-description:
+    runs-on: ubuntu-latest
+    needs: [build-base, build-omos]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Update Docker Hub description
         run: |
-          TOKEN=$(curl -s -X POST https://hub.docker.com/v2/users/login/ \
+          TOKEN=$(curl -s -X POST https://hub.docker.com/v2/auth/token \
             -H "Content-Type: application/json" \
-            -d '{"username":"${{ vars.DOCKERHUB_USERNAME }}","password":"${{ secrets.DOCKERHUB_TOKEN }}"}' \
+            -d '{"identifier":"${{ vars.DOCKERHUB_USERNAME }}","secret":"${{ secrets.DOCKERHUB_TOKEN }}"}' \
-            | jq -r .token)
+            | jq -r .access_token)
-          jq -n \
+          if [ "$TOKEN" = "null" ] || [ -z "$TOKEN" ]; then
-            --arg full "$(cat DOCKER_HUB.md)" \
+            echo "::error::Failed to authenticate with Docker Hub API"
+            exit 1
+          fi
+          HTTP_CODE=$(jq -n \
+            --rawfile full DOCKER_HUB.md \
             --arg short "Portable AI dev environment for opencode. Debian-based with git, Node.js, AWS CLI, and SSH support." \
             '{"full_description": $full, "description": $short}' | \
-            curl -s -o /dev/null -w "%{http_code}" -X PATCH \
+            curl -s -o /tmp/hub-response.txt -w "%{http_code}" -X PATCH \
               "https://hub.docker.com/v2/repositories/${{ vars.DOCKERHUB_USERNAME }}/opencode-devbox/" \
-              -H "Authorization: JWT $TOKEN" \
+              -H "Authorization: Bearer $TOKEN" \
               -H "Content-Type: application/json" \
-              -d @-
+              -d @-)
+          echo "Docker Hub API returned: $HTTP_CODE"
+          if [ "$HTTP_CODE" != "200" ]; then
+            echo "Response body:"
+            cat /tmp/hub-response.txt
+            echo "::error::Docker Hub description update failed with HTTP $HTTP_CODE"
+            exit 1
+          fi

AGENTS.md

@@ -0,0 +1,47 @@
+# AGENTS.md
+
+## Project overview
+
+Docker image packaging [opencode](https://opencode.ai) into a production-ready dev container. Two image variants (base and omos) are published to Docker Hub via Gitea Actions CI. Not a library or application — this is infrastructure (Dockerfile, entrypoint scripts, docker-compose, documentation).
+
+## File roles
+
+- `Dockerfile` — single multi-stage build for both variants. OMOS variant is controlled by `INSTALL_OMOS=true` build arg. All GitHub-sourced binaries are pinned with version ARGs.
+- `entrypoint.sh` — runs as root: UID/GID adjustment, SSH permissions, volume ownership fixes. Then drops to developer via gosu.
+- `entrypoint-user.sh` — runs as developer: git config, opencode.json generation from env vars, OMOS setup.
+- `DOCKER_HUB.md` — pushed to Docker Hub description via CI API call. Must stay under 25KB. Short description field must be ≤100 bytes.
+- `README.md` — source repo documentation. Must stay in sync with DOCKER_HUB.md (both describe the same features but for different audiences).
+- `.gitea/workflows/docker-publish.yml` — CI pipeline: three parallel jobs (build-base, build-omos, update-description). Triggered by tag push only.
+
+## Versioning scheme
+
+Tags follow `v{opencode_version}{letter}` — e.g. `v1.4.3k`. The number matches the opencode npm version. The letter suffix increments for container-level changes (tooling, docs, CVE fixes) on the same opencode version. CI produces four Docker Hub tags per release: `vX.Y.Zn`, `latest`, `vX.Y.Zn-omos`, `latest-omos`.
+
+## Critical conventions
+
+- **entrypoint.sh volume ownership loop** — when adding a new named volume mount point, add it to the `for dir in ...` loop in `entrypoint.sh` so root-owned volumes get chowned on startup.
+- **Three docs to keep in sync** — Dockerfile changes that add tools or features must be reflected in `README.md`, `DOCKER_HUB.md`, and `.env.example`. The docker-compose examples in both docs must match the source `docker-compose.yml` pattern.
+- **GitHub-sourced binaries** — fzf, gosu, git-lfs, neovim, bat, eza, zoxide, uv, rustup are installed from upstream releases (not apt) with pinned versions. Use the same `ARCH` case-switch pattern for multi-arch support (amd64/arm64).
+- **Shell scripts use `set -euo pipefail`** — both entrypoints are strict. Errors in volume chown or SSH permission operations are intentionally suppressed with `|| true`.
+- **Docker Hub description update** — uses `/v2/auth/token` endpoint (not the deprecated `/v2/users/login`). Auth uses `identifier`/`secret` fields, returns `access_token`, sent as `Bearer`. Short description must be ≤100 bytes.
+
+## CI quirks
+
+- Both build jobs include an IPv4 preference step (`gai.conf` + `driver-opts: network=host` for buildx) to work around intermittent IPv6 failures on the Gitea runners.
+- `update-description` job runs only when both builds succeed (`needs: [build-base, build-omos]`).
+- Tags must be pushed to trigger CI. Pushing to `main` alone does not build images.
+
+## Testing changes
+
+No test suite. Verify by:
+1. Building locally: `docker compose build`
+2. Running: `docker compose run --rm devbox bash`
+3. Checking tool availability inside container: `nvim --version`, `bat --version`, `uv --version`, etc.
+4. For entrypoint changes: test with a non-1000 UID workspace to verify UID adjustment and volume ownership fixes.
+
+## Commit style
+
+Imperative mood, first line summarizes the change. Multi-line body explains "why" when non-obvious. Examples from history:
+- `Fix ownership of named volume mount points in entrypoint`
+- `Add uv package manager to base image for on-demand Python support`
+- `Upgrade base image from Debian bookworm to trixie (current stable)`

DOCKER_HUB.md

@@ -2,6 +2,17 @@
 
 Portable AI developer environment for [opencode](https://opencode.ai). Debian-based, with git, SSH, Node.js, AWS CLI v2, and common dev tools pre-installed.
 
+## Image Variants
+
+Two image variants are published for each release:
+
+| Tag | Description |
+|---|---|
+| `latest` / `vX.Y.Z` | Base image — opencode, Node.js, AWS CLI, dev tools |
+| `latest-omos` / `vX.Y.Z-omos` | Base + [oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim) multi-agent orchestration and Bun |
+
+Both variants support `linux/amd64` and `linux/arm64`.
+
 ## Quick Start
 
 ```bash
@@ -103,12 +114,54 @@ The entrypoint automatically detects the owner of `/workspace` and adjusts the c
 | `USER_UID` | Container user UID | Auto-detect from `/workspace` owner |
 | `USER_GID` | Container user GID | Auto-detect from `/workspace` owner |
 
-## Initial Setup
+### Locale and Editor
 
-### 1. Create a project directory
+The container defaults to English (`en_US.UTF-8`) and neovim as the editor. Override via environment variables:
+
+| Variable | Description | Default |
+|---|---|---|
+| `LANG` | System locale | `en_US.UTF-8` |
+| `LANGUAGE` | Language priority list | `en_US:en` |
+| `LC_ALL` | Override all locale settings | `en_US.UTF-8` |
+| `EDITOR` | Default text editor | `nvim` |
+
+Pre-generated locales: `en_US`, `en_GB`, `sv_SE`, `da_DK`, `nb_NO`, `fi_FI`, `de_DE`, `fr_FR`, `es_ES`, `it_IT`, `pt_BR`, `nl_NL`, `pl_PL`, `ja_JP`, `ko_KR`, `zh_CN` (all UTF-8).
+
+Example for Swedish:
 
 ```bash
+LANG=sv_SE.UTF-8
+LANGUAGE=sv_SE:sv
+LC_ALL=sv_SE.UTF-8
+```
+
+To add a locale not in the list, run inside the container:
+
+```bash
+sudo sed -i '/xx_XX.UTF-8/s/^# //g' /etc/locale.gen
+sudo locale-gen
+```
+
+Replace `xx_XX` with the desired locale (e.g. `ru_RU`, `tr_TR`). This change does not persist across container restarts — for permanent additions, build from source and modify the Dockerfile.
+
+## Initial Setup
+
+### 1. Create host directories
+
+Bind-mounted directories must exist on the host before starting the container. Docker creates missing directories as root-owned, which causes permission issues.
+
+```bash
+# Required
 mkdir -p ~/projects
+
+# If mounting opencode config (recommended for persistent settings)
+mkdir -p ~/.config/opencode
+
+# If using AWS Bedrock
+# mkdir -p ~/.aws
+
+# If mounting neovim config
+# mkdir -p ~/.config/nvim
 ```
 
 ### 2. Create a `.env` file
@@ -134,7 +187,7 @@ GIT_USER_EMAIL=you@example.com
 **AWS Bedrock (SSO):**
 ```bash
 OPENCODE_PROVIDER=amazon-bedrock
-OPENCODE_MODEL=amazon-bedrock/anthropic.claude-sonnet-4-5-v1
+OPENCODE_MODEL=amazon-bedrock/eu.anthropic.claude-opus-4-6-v1
 AWS_REGION=eu-west-1
 AWS_PROFILE=your-profile-name
 GIT_USER_NAME=Your Name
@@ -173,27 +226,152 @@ Understanding what survives container restarts and what doesn't:
 | `/home/developer/.ssh` | Host bind mount (ro) | ✅ Yes — lives on host | SSH keys |
 | `/home/developer/.aws` | Host bind mount | ✅ Yes — lives on host | AWS credentials/SSO cache |
 | `/home/developer/.local/share/opencode` | Named volume (if configured) | ✅ Yes — Docker volume | Session history, memory, auth tokens |
-| `/home/developer/.config/opencode/opencode.json` | Generated by entrypoint | ❌ No — regenerated each start | Provider config, MCP server definitions |
+| `/home/developer/.local/share/uv` | Named volume (if configured) | ✅ Yes — Docker volume | Python installs, uv tool installs |
+| `/home/developer/.rustup` | Named volume (if configured) | ✅ Yes — Docker volume | Rust toolchains |
+| `/home/developer/.cargo` | Named volume (if configured) | ✅ Yes — Docker volume | Cargo binaries, registry cache |
+| `/home/developer/.vscode-server` | Named volume (if configured) | ✅ Yes — Docker volume | VS Code server and extensions |
+| `/home/developer/.config/opencode` | Host bind mount (if configured) | ✅ Yes — lives on host | opencode.json, oh-my-opencode-slim.json, skills |
 
 ### Key points
 
 - **Project files** (`/workspace`) are always safe — they're your host filesystem.
-- **opencode config** is auto-generated from `OPENCODE_PROVIDER` env var on each start. It only sets provider and model — no MCP servers. To persist MCP server config, mount your own config file (see Custom opencode Config below).
+- **opencode config** is auto-generated from `OPENCODE_PROVIDER` env var on each start if no existing config is found. To persist config changes, mount the config directory from the host (see Custom opencode Config below).
 - **opencode data** (session history, memory) is lost with `--rm` unless you add a named volume.
+- **Python installs** via `uv python install` are lost unless you add the `devbox-uv` named volume.
+- **Rust toolchains** via `rustup-init` are lost unless you add the `devbox-rustup` and `devbox-cargo` named volumes.
 - **AWS SSO tokens** persist across restarts when `~/.aws` is mounted (recommended for Bedrock users).
 
 ## Custom opencode Config
 
-For full control (MCP servers, custom models, keybindings), mount your own config:
+For full control over opencode settings (MCP servers, custom models, oh-my-opencode-slim agents, etc.), mount the entire config directory from the host:
 
 ```bash
 docker run -it --rm \
-  -v ./my-opencode.json:/home/developer/.config/opencode/opencode.json:ro \
+  -v ~/.config/opencode:/home/developer/.config/opencode \
   ... \
   joakimp/opencode-devbox:latest
 ```
 
-When a config file is mounted, the `OPENCODE_PROVIDER` auto-config is skipped.
+This persists all configuration changes across container restarts. When an existing `opencode.json` is found, the `OPENCODE_PROVIDER` auto-config is skipped.
+
+## Neovim Configuration
+
+The image includes neovim 0.12 with `EDITOR=nvim` set by default. To use your own neovim config (and have plugins auto-install via lazy.nvim on first start), mount it from the host:
+
+```bash
+docker run -it --rm \
+  -v ~/.config/nvim:/home/developer/.config/nvim:ro \
+  ... \
+  joakimp/opencode-devbox:latest
+```
+
+## Python Development with uv
+
+The image includes Python 3.13 (from Debian Trixie) and [uv](https://docs.astral.sh/uv/), a fast Python package manager that replaces pip, venv, and pyenv:
+
+```bash
+# Python 3.13 is available out of the box
+python3 --version
+
+# Use uv for package management
+uv venv
+uv pip install -r requirements.txt
+
+# Or use uv's project workflow (reads pyproject.toml)
+uv sync
+
+# Run a Python script
+uv run python script.py
+
+# Install standalone Python tools
+uvx ruff check .
+
+# Install a newer Python version (persists with devbox-uv volume)
+uv python install 3.14
+```
+
+To persist Python installs across container restarts, add a named volume:
+
+```bash
+docker run -it --rm \
+  -v devbox-uv:/home/developer/.local/share/uv \
+  ... \
+  joakimp/opencode-devbox:latest
+```
+
+Project virtual environments (`.venv`) are stored in your workspace directory and persist automatically via the `/workspace` bind mount.
+
+## Rust Development with rustup
+
+The image includes `rustup-init`, the Rust toolchain installer. Rust is not pre-installed but can be bootstrapped on demand:
+
+```bash
+# One-time setup: install Rust toolchain (~300MB, persists with volumes)
+rustup-init -y
+source ~/.cargo/env
+
+# Now use Rust normally
+cargo new my-project
+cargo build
+cargo run
+```
+
+To persist Rust toolchains and cargo data across container restarts, add named volumes:
+
+```bash
+docker run -it --rm \
+  -v devbox-rustup:/home/developer/.rustup \
+  -v devbox-cargo:/home/developer/.cargo \
+  ... \
+  joakimp/opencode-devbox:latest
+```
+
+## JavaScript and TypeScript
+
+The base image includes **Node.js 22** and **npm** — sufficient for most JavaScript and TypeScript development:
+
+```bash
+# Initialize a new project
+npm init -y
+
+# Install dependencies
+npm install
+
+# Run TypeScript (via tsx, ts-node, etc.)
+npx tsx src/index.ts
+```
+
+The OMOS image variant also includes **Bun**, a faster JavaScript runtime and package manager:
+
+```bash
+bun init
+bun install
+bun run src/index.ts
+```
+
+Node modules are stored in your project directory under `/workspace` and persist automatically.
+
+## VS Code Integration
+
+VS Code can connect directly to a running opencode-devbox container for a full IDE experience with IntelliSense, debugging, and extensions running inside the container.
+
+**Requirements:** Install the [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension. For remote Docker hosts, also install [Remote - SSH](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh).
+
+**Steps:**
+
+1. Start the container: `docker compose up -d`
+2. In VS Code: `Ctrl+Shift+P` → "Dev Containers: Attach to Running Container" → select `opencode-devbox`
+
+For remote Docker hosts (e.g. connecting to a server via SSH), first connect to the remote host with Remote-SSH, then attach to the container from there.
+
+VS Code extensions installed inside the container persist as long as the container exists. For persistent extension storage across container recreations, add a named volume:
+
+```bash
+docker run -it --rm \
+  -v devbox-vscode:/home/developer/.vscode-server \
+  ... \
+  joakimp/opencode-devbox:latest
+```
 
 ## Using docker-compose
 
@@ -207,7 +385,7 @@ mkdir opencode-devbox && cd opencode-devbox
 
 ```bash
 OPENCODE_PROVIDER=amazon-bedrock
-OPENCODE_MODEL=amazon-bedrock/anthropic.claude-sonnet-4-5-v1
+OPENCODE_MODEL=amazon-bedrock/eu.anthropic.claude-opus-4-6-v1
 AWS_REGION=eu-west-1
 AWS_PROFILE=your-profile-name
 GIT_USER_NAME=Your Name
@@ -220,6 +398,8 @@ GIT_USER_EMAIL=you@example.com
 services:
   devbox:
     image: joakimp/opencode-devbox:latest
+    # For multi-agent orchestration, use the omos variant instead:
+    # image: joakimp/opencode-devbox:latest-omos
     stdin_open: true
     tty: true
     env_file:
@@ -230,16 +410,28 @@ services:
       - ~/projects:/workspace
       - ~/.ssh:/home/developer/.ssh:ro
       - devbox-data:/home/developer/.local/share/opencode
+      # Optional: persist Python/uv installs across restarts
+      # - devbox-uv:/home/developer/.local/share/uv
+      # Optional: persist Rust toolchains and cargo data
+      # - devbox-rustup:/home/developer/.rustup
+      # - devbox-cargo:/home/developer/.cargo
+      # Optional: persist VS Code server and extensions
+      # - devbox-vscode:/home/developer/.vscode-server
       # Mount AWS config for Bedrock SSO (required for amazon-bedrock provider)
       # - ~/.aws:/home/developer/.aws
-      # Optional: mount your own opencode config (MCP servers, custom models, etc.)
+      # Optional: mount opencode config directory (persists config changes across restarts)
-      # - ./opencode.json:/home/developer/.config/opencode/opencode.json:ro
+      # - ~/.config/opencode:/home/developer/.config/opencode
-      # Optional: mount opencode skills from host
+      # Optional: mount opencode agent skills from host
-      # - ~/.config/opencode/skills:/home/developer/.config/opencode/skills:ro
       # - ~/.agents/skills:/home/developer/.agents/skills:ro
+      # Optional: mount neovim config from host (plugins auto-install on first start)
+      # - ~/.config/nvim:/home/developer/.config/nvim:ro
 
 volumes:
   devbox-data:
+  # devbox-uv:
+  # devbox-rustup:
+  # devbox-cargo:
+  # devbox-vscode:
 ```
 
 Docker Compose loads `.env` automatically from the same directory. All variables from `.env` are passed to the container via `env_file`. Do **not** hardcode provider settings in the `environment:` section — use `.env` instead.
@@ -267,13 +459,73 @@ docker compose run --rm devbox bash   # interactive shell
 
 ## What's Included
 
-- **Debian bookworm-slim** — glibc, full terminal/PTY support
+### Base image (`latest`)
+
+- **Debian trixie-slim** — glibc, full terminal/PTY support
 - **opencode** — AI coding assistant
 - **Node.js 22** — for npx-based MCP servers
 - **AWS CLI v2** — SSO and Bedrock authentication
-- **Dev tools** — git, git-lfs, ssh, ripgrep, fd, fzf, jq, curl, wget, vim, tree
+- **Dev tools** — git, git-lfs, git-crypt, age, ssh, ripgrep, fd, fzf, bat, eza, zoxide, uv, rustup, jq, make, curl, wget, neovim 0.12, tmux, htop, tree
 - **Non-root user** — runs as `developer` with UID auto-matched to workspace owner (sudo available)
 
+### OMOS image (`latest-omos`)
+
+Everything in the base image, plus:
+
+- **[oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim)** — multi-agent orchestration plugin
+- **Bun** — JavaScript runtime required by oh-my-opencode-slim
+- **6 specialized agents** — Orchestrator, Explorer, Oracle, Librarian, Designer, Fixer
+
+### Additional runtimes (build from source)
+
+When [building from source](https://gitea.jordbo.se/joakimp/opencode-devbox), additional runtimes are available via build args:
+
+- **Python 3** (`INSTALL_PYTHON=true`) — Python 3 + pip + venv
+- **Go** (`INSTALL_GO=true`) — Go toolchain
+
+## oh-my-opencode-slim (OMOS variant)
+
+The `-omos` image variant includes [oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim), which adds a multi-agent layer on top of opencode. An Orchestrator delegates tasks to specialized agents, each configurable with different models and providers.
+
+### Quick start with OMOS
+
+```bash
+docker run -it --rm \
+  -e OPENAI_API_KEY=your-key \
+  -e OPENCODE_PROVIDER=openai \
+  -e ENABLE_OMOS=true \
+  -v ~/projects:/workspace \
+  -v ~/.ssh:/home/developer/.ssh:ro \
+  joakimp/opencode-devbox:latest-omos
+```
+
+On first start, the entrypoint configures oh-my-opencode-slim automatically. The default preset uses OpenAI models.
+
+### OMOS environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `ENABLE_OMOS` | `false` | Activate oh-my-opencode-slim on container start |
+| `OMOS_TMUX` | `false` | Enable tmux pane integration (watch agents in split panes) |
+| `OMOS_SKILLS` | `true` | Install recommended skills (simplify, agent-browser, cartography) |
+| `OMOS_RESET` | `false` | Force regenerate config on next start (backs up existing config) |
+
+### Custom OMOS configuration
+
+If you mount the opencode config directory (see Custom opencode Config above), the `oh-my-opencode-slim.json` file is included and persists across restarts. Edit it directly to control which models power each agent, fallback chains, council setup, and more.
+
+See the [oh-my-opencode-slim configuration docs](https://github.com/alvinunreal/oh-my-opencode-slim/blob/master/docs/configuration.md) for the full reference.
+
+### Verifying agents
+
+After starting opencode with OMOS enabled, run inside the opencode session:
+
+```
+ping all agents
+```
+
+All six agents should respond if your provider authentication is working.
+
 ## Source
 
 Build from source or contribute: [opencode-devbox on Gitea](https://gitea.jordbo.se/joakimp/opencode-devbox)

Dockerfile

@@ -1,11 +1,11 @@
 # opencode-devbox — portable AI dev environment
 # Debian-based container with opencode and configurable dev tools
 
-ARG DEBIAN_VERSION=bookworm-slim
+ARG DEBIAN_VERSION=trixie-slim
 FROM debian:${DEBIAN_VERSION} AS base
 
 ARG TARGETARCH
-ARG OPENCODE_VERSION=1.4.3
+ARG OPENCODE_VERSION=1.4.12
 
 LABEL maintainer="joakimp"
 LABEL description="Portable opencode developer container"
@@ -20,7 +20,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     wget \
     git \
-    git-lfs \
     openssh-client \
     gnupg \
     jq \
@@ -28,7 +27,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     fd-find \
     tree \
     less \
-    vim-tiny \
+    htop \
+    tmux \
+    make \
+    patch \
+    diffutils \
+    git-crypt \
+    age \
     sudo \
     locales \
     procps \
@@ -36,24 +41,82 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 
-# ── gosu (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+# ── Go-compiled tools (install from GitHub to avoid CVEs in Debian's old Go builds)
+
+# gosu — privilege de-escalation (built with Go 1.24.6)
 ARG GOSU_VERSION=1.19
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
     curl -fsSL "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${ARCH}" -o /usr/local/bin/gosu && \
     chmod +x /usr/local/bin/gosu && \
     gosu --version
 
-# ── fzf (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+# fzf — fuzzy finder (built with Go 1.23.12)
 ARG FZF_VERSION=0.71.0
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
     curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_${ARCH}.tar.gz" | tar -xz -C /usr/local/bin fzf && \
     fzf --version
 
-# Set locale
+# git-lfs — Git Large File Storage (built with Go 1.25)
-RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+ARG GIT_LFS_VERSION=3.7.1
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
+    curl -fsSL "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${ARCH}-v${GIT_LFS_VERSION}.tar.gz" | tar -xz -C /tmp && \
+    install /tmp/git-lfs-${GIT_LFS_VERSION}/git-lfs /usr/local/bin/git-lfs && \
+    rm -rf /tmp/git-lfs-${GIT_LFS_VERSION} && \
+    git lfs install --system && \
+    git-lfs --version
+
+# neovim — modern text editor (pre-built release from GitHub)
+ARG NVIM_VERSION=0.12.1
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "arm64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://github.com/neovim/neovim/releases/download/v${NVIM_VERSION}/nvim-linux-${ARCH}.tar.gz" | tar -xz -C /opt && \
+    ln -s /opt/nvim-linux-${ARCH}/bin/nvim /usr/local/bin/nvim && \
+    nvim --version | head -1
+
+# bat — syntax-highlighted cat replacement
+ARG BAT_VERSION=0.26.1
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://github.com/sharkdp/bat/releases/download/v${BAT_VERSION}/bat-v${BAT_VERSION}-${ARCH}-unknown-linux-musl.tar.gz" | tar -xz -C /tmp && \
+    install /tmp/bat-v${BAT_VERSION}-${ARCH}-unknown-linux-musl/bat /usr/local/bin/bat && \
+    rm -rf /tmp/bat-v${BAT_VERSION}-* && \
+    bat --version
+
+# eza — modern ls replacement
+ARG EZA_VERSION=0.23.4
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://github.com/eza-community/eza/releases/download/v${EZA_VERSION}/eza_${ARCH}-unknown-linux-gnu.tar.gz" | tar -xz -C /usr/local/bin && \
+    eza --version | head -1
+
+# zoxide — smarter cd command
+ARG ZOXIDE_VERSION=0.9.9
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://github.com/ajeetdsouza/zoxide/releases/download/v${ZOXIDE_VERSION}/zoxide-${ZOXIDE_VERSION}-${ARCH}-unknown-linux-musl.tar.gz" | tar -xz -C /usr/local/bin zoxide && \
+    zoxide --version
+
+# uv — fast Python package manager (replaces pip, venv, pyenv)
+ARG UV_VERSION=0.11.7
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-${ARCH}-unknown-linux-musl.tar.gz" | tar -xz -C /tmp && \
+    install /tmp/uv-${ARCH}-unknown-linux-musl/uv /usr/local/bin/uv && \
+    install /tmp/uv-${ARCH}-unknown-linux-musl/uvx /usr/local/bin/uvx && \
+    rm -rf /tmp/uv-* && \
+    uv --version
+
+# rustup — Rust toolchain manager
+# Installs the rustup-init binary only. Users bootstrap Rust with:
+#   rustup-init -y && source ~/.cargo/env
+# Toolchains persist via devbox-rustup and devbox-cargo volumes.
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+    curl -fsSL "https://static.rust-lang.org/rustup/dist/${ARCH}-unknown-linux-gnu/rustup-init" -o /usr/local/bin/rustup-init && \
+    chmod +x /usr/local/bin/rustup-init
+
+# Set locale — generate common UTF-8 locales (override via LANG/LC_ALL env vars)
+# To add more locales, run: sudo sed -i '/<locale>.UTF-8/s/^# //g' /etc/locale.gen && sudo locale-gen
+RUN sed -i -E '/(en_US|en_GB|sv_SE|da_DK|nb_NO|fi_FI|de_DE|fr_FR|es_ES|it_IT|pt_BR|nl_NL|pl_PL|ja_JP|ko_KR|zh_CN)\.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8
 ENV LANGUAGE=en_US:en
 ENV LC_ALL=en_US.UTF-8
+ENV EDITOR=nvim
+ENV PATH="/home/developer/.local/bin:/home/developer/.cargo/bin:${PATH}"
 
 # ── Node.js (required for opencode v1.x install + MCP servers) ──────
 ARG NODE_VERSION=22
@@ -88,7 +151,7 @@ RUN if [ "${INSTALL_PYTHON}" = "true" ]; then \
 
 # ── Optional: Go ─────────────────────────────────────────────────────
 ARG INSTALL_GO=false
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.26.2
 RUN if [ "${INSTALL_GO}" = "true" ]; then \
       GOARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
       curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz" | tar -C /usr/local -xz && \
@@ -96,6 +159,17 @@ RUN if [ "${INSTALL_GO}" = "true" ]; then \
       ln -s /usr/local/go/bin/gofmt /usr/local/bin/gofmt; \
     fi
 
+# ── Optional: oh-my-opencode-slim (multi-agent orchestration) ────────
+# Installs Bun runtime and the oh-my-opencode-slim npm package.
+# Runtime activation is controlled by ENABLE_OMOS env var in entrypoint.
+ARG INSTALL_OMOS=false
+ARG OMOS_VERSION=latest
+RUN if [ "${INSTALL_OMOS}" = "true" ]; then \
+      curl -fsSL https://bun.sh/install | BUN_INSTALL=/usr/local bash && \
+      bun --version && \
+      npm install -g oh-my-opencode-slim@${OMOS_VERSION}; \
+    fi
+
 # ── Non-root user ────────────────────────────────────────────────────
 ARG USER_NAME=developer
 ARG USER_UID=1000

README.md

@@ -27,18 +27,33 @@ docker compose run --rm devbox
 
 ## Features
 
-- **Debian bookworm** base — glibc, full PTY/terminal support
+- **Debian trixie** base — glibc, full PTY/terminal support
 - **Configurable providers** — Anthropic, OpenAI, AWS Bedrock via env vars
 - **Host filesystem access** — bind mount any directory as `/workspace`
 - **SSH key forwarding** — git push/pull to private repos
 - **MCP server support** — Node.js included for `npx`-based MCP servers
 - **Non-root user** — runs as `developer` with UID auto-matched to workspace owner (sudo available)
-- **Optional runtimes** — Python, Go via build args (Node.js always included — required for opencode v1.x)
+- **Python via uv** — `uv` package manager included; install Python on demand with `uv python install`
+- **Rust via rustup** — `rustup-init` included; bootstrap Rust on demand with `rustup-init -y`
+- **Optional runtimes** — Python (apt), Go via build args (Node.js always included — required for opencode v1.x)
+- **Multi-agent orchestration** — optional [oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim) integration via build arg
 - **AWS CLI v2** — built-in SSO/Bedrock authentication with headless device-code flow
 - **Multi-arch** — amd64 and arm64
 
 ## Usage
 
+### Prerequisites
+
+Bind-mounted directories must exist on the host before starting the container. Docker creates missing directories as root-owned, which causes permission issues.
+
+```bash
+# Required: workspace for your projects
+mkdir -p ~/projects
+
+# If mounting opencode config (recommended for persistent settings)
+mkdir -p ~/.config/opencode
+```
+
 ### Connecting to the container
 
 From your laptop, SSH into the remote server where Docker is running, then start the container:
@@ -102,26 +117,193 @@ docker compose exec -u developer devbox aws --version
 | `SSH_KEY_PATH` | Host SSH key directory | `~/.ssh` |
 | `USER_UID` | Override container user UID | Auto-detect from `/workspace` |
 | `USER_GID` | Override container user GID | Auto-detect from `/workspace` |
+| `LANG` | System locale | `en_US.UTF-8` |
+| `LANGUAGE` | Language priority list | `en_US:en` |
+| `LC_ALL` | Override all locale settings | `en_US.UTF-8` |
+| `EDITOR` | Default text editor | `nvim` |
+| `ENABLE_OMOS` | Enable oh-my-opencode-slim multi-agent orchestration | `false` |
+| `OMOS_TMUX` | Enable tmux pane integration for OMOS | `false` |
+| `OMOS_SKILLS` | Install OMOS recommended skills on first run | `true` |
+| `OMOS_RESET` | Force regenerate OMOS config on next start | `false` |
 
 ### Custom opencode config
 
-Mount your own `opencode.json` for full control (MCP servers, custom models, etc.):
+For full control over opencode settings (MCP servers, custom models, oh-my-opencode-slim agents, etc.), mount the entire config directory from the host:
 
 ```yaml
 volumes:
-  - ./my-opencode.json:/home/developer/.config/opencode/opencode.json:ro
+  - ~/.config/opencode:/home/developer/.config/opencode
 ```
 
+This persists all configuration changes across container restarts, including `opencode.json`, `oh-my-opencode-slim.json`, and skills. When an existing `opencode.json` is found, the `OPENCODE_PROVIDER` auto-config is skipped.
+
 ### Custom skills
 
-Mount your host's opencode skills into the container:
+Mount agent skills from the host:
 
 ```yaml
 volumes:
-  - ~/.config/opencode/skills:/home/developer/.config/opencode/skills:ro
   - ~/.agents/skills:/home/developer/.agents/skills:ro
 ```
 
+### Neovim configuration
+
+The image includes neovim 0.12 with `EDITOR=nvim` set by default. To use your own neovim config (and have plugins auto-install via lazy.nvim on first start), mount it from the host:
+
+```yaml
+volumes:
+  - ~/.config/nvim:/home/developer/.config/nvim:ro
+```
+
+### Python development with uv
+
+The image includes Python 3.13 (from Debian Trixie) and [uv](https://docs.astral.sh/uv/), a fast Python package manager that replaces pip, venv, and pyenv:
+
+```bash
+# Python 3.13 is available out of the box
+python3 --version
+
+# Use uv for package management
+uv venv
+uv pip install -r requirements.txt
+
+# Or use uv's project workflow (reads pyproject.toml)
+uv sync
+
+# Run a Python script
+uv run python script.py
+
+# Install standalone Python tools
+uvx ruff check .
+
+# Install a newer Python version (persists with devbox-uv volume)
+uv python install 3.14
+```
+
+Python installations are stored in `~/.local/share/uv/`. To persist them across container restarts, add the `devbox-uv` named volume to your `docker-compose.yml`:
+
+```yaml
+volumes:
+  - devbox-uv:/home/developer/.local/share/uv
+
+volumes:
+  devbox-uv:
+```
+
+Project virtual environments (`.venv`) are stored in your workspace directory and persist automatically via the `/workspace` bind mount.
+
+### Rust development with rustup
+
+The image includes `rustup-init`, the Rust toolchain installer. Rust is not pre-installed but can be bootstrapped on demand:
+
+```bash
+# One-time setup: install Rust toolchain (~300MB, persists with volumes)
+rustup-init -y
+source ~/.cargo/env
+
+# Now use Rust normally
+cargo new my-project
+cargo build
+cargo run
+```
+
+To persist Rust toolchains and cargo data across container restarts, add named volumes to your `docker-compose.yml`:
+
+```yaml
+volumes:
+  - devbox-rustup:/home/developer/.rustup
+  - devbox-cargo:/home/developer/.cargo
+
+volumes:
+  devbox-rustup:
+  devbox-cargo:
+```
+
+### JavaScript and TypeScript
+
+The base image includes **Node.js 22** and **npm** — sufficient for most JavaScript and TypeScript development:
+
+```bash
+# Initialize a new project
+npm init -y
+
+# Install dependencies
+npm install
+
+# Run TypeScript (via tsx, ts-node, etc.)
+npx tsx src/index.ts
+
+# Use npx for one-off tools
+npx tsc --init
+```
+
+The OMOS image variant also includes **Bun**, a faster JavaScript runtime and package manager:
+
+```bash
+bun init
+bun install
+bun run src/index.ts
+```
+
+Node modules are stored in your project directory under `/workspace` and persist automatically.
+
+### VS Code integration
+
+VS Code can connect directly to a running opencode-devbox container for a full IDE experience with IntelliSense, debugging, and extensions running inside the container.
+
+**Local Docker (Docker running on your workstation):**
+
+1. Install the [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension
+2. Start the container: `docker compose up -d`
+3. In VS Code: `Ctrl+Shift+P` → "Dev Containers: Attach to Running Container" → select `opencode-devbox`
+
+**Remote Docker (Docker running on a remote server, e.g. via SSH):**
+
+1. Install the [Remote - SSH](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh) and [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extensions
+2. Connect to the remote host: `Ctrl+Shift+P` → "Remote-SSH: Connect to Host"
+3. On the remote host, start the container: `docker compose up -d`
+4. In VS Code (now connected to the remote): `Ctrl+Shift+P` → "Dev Containers: Attach to Running Container"
+
+VS Code extensions installed inside the container persist as long as the container exists (not removed with `docker compose down`). For persistent extension storage across container recreations, add a named volume:
+
+```yaml
+volumes:
+  - devbox-vscode:/home/developer/.vscode-server
+```
+
+### Shared machine setup (multiple users, single OS account)
+
+For machines where multiple users share one OS account (e.g. a common `garage` user), a separate compose file isolates each user's config and data using a `SIGNUM` variable.
+
+Each user creates their own directory and setup:
+
+```bash
+# Replace <signum> with your username/identifier
+mkdir -p ~/<signum>/opencode-devbox
+cd ~/<signum>/opencode-devbox
+
+# Copy the shared-machine compose and env files
+cp /path/to/opencode-devbox/docker-compose.shared.yml docker-compose.yml
+cp /path/to/opencode-devbox/.env.shared.example .env
+
+# Create per-user config directory
+mkdir -p ~/<signum>/.config/opencode
+
+# Edit .env with your signum, provider, keys, etc.
+vim .env
+
+# Start
+docker compose up -d
+docker compose exec -u developer devbox-<signum> opencode
+```
+
+Each user's container, config, and named volumes are fully isolated:
+- Container name: `devbox-<signum>` (no collisions)
+- Named volumes: prefixed with the project directory name (automatic per-user isolation)
+- Opencode config: `~/<signum>/.config/opencode/` (per-user settings, OMOS config, etc.)
+
+See `docker-compose.shared.yml` and `.env.shared.example` for the full configuration.
+
 ### Rebuilding the Image
 
 `docker compose run` and `docker compose up` use the existing image — they **do not rebuild** when you change the Dockerfile or build args (e.g. updating `OPENCODE_VERSION`). Rebuild explicitly:
@@ -148,6 +330,63 @@ docker compose build --build-arg OPENCODE_VERSION=1.5.0
 |---|---|---|
 | `INSTALL_PYTHON` | `false` | Python 3 + pip + venv |
 | `INSTALL_GO` | `false` | Go toolchain |
+| `INSTALL_OMOS` | `false` | [oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim) multi-agent orchestration (installs Bun and plugin) |
+| `OMOS_VERSION` | `latest` | Pin a specific oh-my-opencode-slim version |
+
+## oh-my-opencode-slim (Multi-Agent Orchestration)
+
+[oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim) adds a multi-agent layer on top of opencode — an Orchestrator delegates tasks to specialized agents (Explorer, Oracle, Librarian, Designer, Fixer), each configurable with different models and providers.
+
+### Setup
+
+A pre-built OMOS image is available on Docker Hub as `joakimp/opencode-devbox:latest-omos`. Alternatively, build from source:
+
+**1. Build the image with OMOS support:**
+
+```bash
+docker compose build --build-arg INSTALL_OMOS=true
+```
+
+This installs Bun and the oh-my-opencode-slim package into the image.
+
+**2. Enable in `.env`:**
+
+```bash
+ENABLE_OMOS=true
+```
+
+**3. Run as normal:**
+
+```bash
+docker compose run --rm devbox
+```
+
+On first start, the entrypoint runs the oh-my-opencode-slim installer in non-interactive mode. It generates agent configuration at `~/.config/opencode/oh-my-opencode-slim.json` inside the container. The default preset uses OpenAI models — edit the generated config or mount your own to customize.
+
+### OMOS Environment Variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `ENABLE_OMOS` | `false` | Activate oh-my-opencode-slim on container start |
+| `OMOS_TMUX` | `false` | Enable tmux pane integration (tmux is included in the base image) |
+| `OMOS_SKILLS` | `true` | Install recommended skills (simplify, agent-browser, cartography) |
+| `OMOS_RESET` | `false` | Force regenerate config on next start (backs up existing config) |
+
+### Custom Configuration
+
+If you mount the opencode config directory (see Custom opencode config above), the `oh-my-opencode-slim.json` file is included and persists across restarts. Edit it directly to control which models power each agent, fallback chains, council setup, and more.
+
+See the [oh-my-opencode-slim configuration docs](https://github.com/alvinunreal/oh-my-opencode-slim/blob/master/docs/configuration.md) for the full reference.
+
+### Verifying Agents
+
+After starting opencode with OMOS enabled, run inside the opencode session:
+
+```
+ping all agents
+```
+
+All six agents should respond if your provider authentication is working.
 
 ## AWS Bedrock Authentication
 
@@ -234,11 +473,14 @@ Host Machine
 ├── ~/.aws             ──bind mount──▶  /home/developer/.aws (Bedrock SSO)
 └── .env               ──env vars───▶  provider config + API keys
 
-Container (Debian bookworm)
+Container (Debian trixie)
 ├── opencode binary
+├── oh-my-opencode-slim (optional — multi-agent orchestration plugin, includes Bun)
 ├── AWS CLI v2 (SSO + Bedrock auth)
-├── git, ssh, ripgrep, fd, jq, curl, fzf
+├── neovim 0.12, tmux, htop, bat, eza, zoxide, uv, rustup, make
+├── git, git-crypt, age, ssh, ripgrep, fd, fzf, jq, curl, tree
 ├── Node.js (for MCP servers)
+├── Bun (optional — included with oh-my-opencode-slim)
 ├── entrypoint.sh (UID adjustment, git config, provider setup)
 └── /workspace ← your code lives here
 ```
@@ -251,9 +493,13 @@ Container (Debian bookworm)
 | `/home/developer/.ssh` | Host bind mount (ro) | ✅ Yes | SSH keys |
 | `/home/developer/.aws` | Host bind mount (if configured) | ✅ Yes | AWS credentials/SSO cache |
 | `/home/developer/.local/share/opencode` | Named volume `devbox-data` | ✅ Yes | Session history, memory |
-| `/home/developer/.config/opencode/opencode.json` | Generated by entrypoint | ❌ No | Provider/model config |
+| `/home/developer/.local/share/uv` | Named volume `devbox-uv` (if configured) | ✅ Yes | Python installs, uv tool installs |
+| `/home/developer/.rustup` | Named volume `devbox-rustup` (if configured) | ✅ Yes | Rust toolchains |
+| `/home/developer/.cargo` | Named volume `devbox-cargo` (if configured) | ✅ Yes | Cargo binaries, registry cache |
+| `/home/developer/.vscode-server` | Named volume `devbox-vscode` (if configured) | ✅ Yes | VS Code server and extensions |
+| `/home/developer/.config/opencode` | Host bind mount (if configured) | ✅ Yes | opencode.json, oh-my-opencode-slim.json, skills |
 
-**opencode config** (`opencode.json`) is auto-generated from `OPENCODE_PROVIDER` on each start. It sets provider and model only — no MCP servers. To use MCP servers or custom settings, mount your own config file (see Custom opencode config above).
+**opencode config** (`opencode.json`) is auto-generated from `OPENCODE_PROVIDER` on each start. It sets provider and model only — no MCP servers. To persist config changes and use custom settings, mount the config directory from the host (see Custom opencode config above).
 
 ## License
 

check-versions.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# check-versions.sh — Compare pinned versions in Dockerfile against latest releases
+# Run before tagging a release to see what can be bumped.
+set -euo pipefail
+
+BOLD="\033[1m"; DIM="\033[2m"; GREEN="\033[32m"; YELLOW="\033[33m"; RESET="\033[0m"
+
+DOCKERFILE="${1:-Dockerfile}"
+
+if [[ ! -f "$DOCKERFILE" ]]; then
+  echo "Usage: $0 [Dockerfile]"
+  exit 1
+fi
+
+get_pinned() {
+  grep "^ARG $1=" "$DOCKERFILE" | head -1 | cut -d= -f2
+}
+
+get_latest_github() {
+  local repo="$1"
+  local tag
+  tag=$(curl -s "https://api.github.com/repos/${repo}/releases/latest" | jq -r '.tag_name // empty')
+  # Strip leading 'v' if present
+  echo "${tag#v}"
+}
+
+get_latest_go() {
+  curl -s "https://go.dev/dl/?mode=json" | jq -r '.[0].version' | sed 's/^go//'
+}
+
+get_latest_npm() {
+  npm view "$1" version 2>/dev/null
+}
+
+check() {
+  local name="$1" current="$2" latest="$3"
+  if [[ -z "$latest" ]]; then
+    printf "  ${DIM}%-20s %-12s  (could not check)${RESET}\n" "$name" "$current"
+  elif [[ "$current" == "$latest" ]]; then
+    printf "  ${GREEN}%-20s %-12s  ✓ up to date${RESET}\n" "$name" "$current"
+  else
+    printf "  ${YELLOW}${BOLD}%-20s %-12s  → %s available${RESET}\n" "$name" "$current" "$latest"
+  fi
+}
+
+echo ""
+echo -e "${BOLD}Version check for $DOCKERFILE${RESET}"
+echo ""
+
+# GitHub-sourced binaries
+check "opencode"  "$(get_pinned OPENCODE_VERSION)" "$(get_latest_npm opencode-ai)"
+check "gosu"      "$(get_pinned GOSU_VERSION)"      "$(get_latest_github tianon/gosu)"
+check "fzf"       "$(get_pinned FZF_VERSION)"        "$(get_latest_github junegunn/fzf)"
+check "git-lfs"   "$(get_pinned GIT_LFS_VERSION)"    "$(get_latest_github git-lfs/git-lfs)"
+check "neovim"    "$(get_pinned NVIM_VERSION)"        "$(get_latest_github neovim/neovim)"
+check "bat"       "$(get_pinned BAT_VERSION)"         "$(get_latest_github sharkdp/bat)"
+check "eza"       "$(get_pinned EZA_VERSION)"         "$(get_latest_github eza-community/eza)"
+check "zoxide"    "$(get_pinned ZOXIDE_VERSION)"      "$(get_latest_github ajeetdsouza/zoxide)"
+check "uv"        "$(get_pinned UV_VERSION)"          "$(get_latest_github astral-sh/uv)"
+check "Go (opt)"  "$(get_pinned GO_VERSION)"          "$(get_latest_go)"
+
+echo ""
+echo -e "${DIM}Node.js uses major version ($(get_pinned NODE_VERSION)) — auto-updates via nodesource.${RESET}"
+echo -e "${DIM}rustup-init uses latest from static.rust-lang.org — no pinned version.${RESET}"
+echo -e "${DIM}Debian apt packages update on each build via apt-get update.${RESET}"
+echo ""

docker-compose.shared.yml

@@ -0,0 +1,50 @@
+# opencode-devbox docker-compose for shared machines
+#
+# For machines where multiple users share one OS account (e.g. 'garage').
+# Each user gets isolated config, data, and named volumes by setting
+# SIGNUM in their .env file.
+#
+# Setup per user:
+#   1. mkdir -p ~/<signum>/opencode-devbox && cd ~/<signum>/opencode-devbox
+#   2. cp docker-compose.shared.yml docker-compose.yml
+#   3. cp .env.shared.example .env
+#   4. Edit .env with your signum, provider, keys, etc.
+#   5. mkdir -p ~/<signum>/.config/opencode
+#   6. docker compose up -d
+#
+# Named volumes are automatically isolated per user because Docker Compose
+# prefixes them with the project directory name (e.g. opencode-devbox_devbox-data).
+# Since each user runs from ~/<signum>/opencode-devbox/, volumes don't collide.
+
+services:
+  devbox:
+    image: joakimp/opencode-devbox:latest
+    container_name: devbox-${SIGNUM:?Set SIGNUM in .env}
+    stdin_open: true
+    tty: true
+    env_file:
+      - .env
+    environment:
+      - TERM=xterm-256color
+    volumes:
+      # Host workspace — user's project directory
+      - ${WORKSPACE_PATH:-~/src}:/workspace
+
+      # SSH keys — user-specific if available, else shared
+      - ${SSH_KEY_PATH:-~/.ssh}:/home/developer/.ssh:ro
+
+      # Opencode config — per-user (persists settings across restarts)
+      - ${HOME}/${SIGNUM}/.config/opencode:/home/developer/.config/opencode
+
+      # Persist opencode data (auth, memory, session history)
+      - devbox-data:/home/developer/.local/share/opencode
+
+      # Persist uv data (Python installs)
+      - devbox-uv:/home/developer/.local/share/uv
+
+      # Optional: AWS credentials (per-user if available)
+      # - ${HOME}/${SIGNUM}/.aws:/home/developer/.aws
+
+volumes:
+  devbox-data:
+  devbox-uv:

docker-compose.yml

@@ -15,6 +15,7 @@ services:
       args:
         INSTALL_PYTHON: "false"
         INSTALL_GO: "false"
+        INSTALL_OMOS: "false"
     image: opencode-devbox:latest
     container_name: opencode-devbox
     stdin_open: true
@@ -30,18 +31,38 @@ services:
       # SSH keys (read-only) — for git push/pull
       - ${SSH_KEY_PATH:-~/.ssh}:/home/developer/.ssh:ro
 
-      # Optional: mount your own opencode config (MCP servers, custom models, etc.)
+      # Optional: mount opencode config directory (persists config changes across restarts)
-      # - ./opencode.json:/home/developer/.config/opencode/opencode.json:ro
+      # Includes opencode.json, oh-my-opencode-slim.json, skills, etc.
+      # When mounted, OPENCODE_PROVIDER auto-config is skipped if opencode.json exists.
+      # - ~/.config/opencode:/home/developer/.config/opencode
 
-      # Optional: mount opencode skills from host
+      # Optional: mount opencode agent skills from host
-      # - ~/.config/opencode/skills:/home/developer/.config/opencode/skills:ro
       # - ~/.agents/skills:/home/developer/.agents/skills:ro
 
+      # Optional: mount neovim config from host (plugins auto-install on first start)
+      # - ~/.config/nvim:/home/developer/.config/nvim:ro
+
       # Optional: persist opencode data (auth, memory, etc.)
       - devbox-data:/home/developer/.local/share/opencode
 
+      # Optional: persist uv data (Python installs, tool installs)
+      # Without this, 'uv python install' must be re-run after container removal.
+      - devbox-uv:/home/developer/.local/share/uv
+
+      # Optional: persist Rust toolchains and cargo data
+      # Without this, 'rustup-init' must be re-run after container removal.
+      # - devbox-rustup:/home/developer/.rustup
+      # - devbox-cargo:/home/developer/.cargo
+
+      # Optional: persist VS Code server and extensions across container recreations
+      # - devbox-vscode:/home/developer/.vscode-server
+
       # Optional: AWS credentials/SSO config (not read-only — SSO writes token cache)
       # - ~/.aws:/home/developer/.aws
 
 volumes:
   devbox-data:
+  devbox-uv:
+  # devbox-rustup:
+  # devbox-cargo:
+  # devbox-vscode:

entrypoint-user.sh

@@ -48,7 +48,8 @@ EOF
   "provider": {
     "amazon-bedrock": {
       "options": {
-        "region": "${AWS_REGION:-us-east-1}"
+        "region": "${AWS_REGION:-us-east-1}",
+        "profile": "${AWS_PROFILE:-default}"
       }
     }
   }
@@ -68,5 +69,54 @@ EOF
   esac
 fi
 
+# ── oh-my-opencode-slim setup (multi-agent orchestration) ────────────
+# Activated by ENABLE_OMOS=true. Requires the image to be built with
+# INSTALL_OMOS=true (which installs bun + the oh-my-opencode-slim package).
+OMOS_CONFIG="$CONFIG_DIR/oh-my-opencode-slim.json"
+
+if [ "${ENABLE_OMOS:-false}" = "true" ]; then
+  if ! command -v bunx &>/dev/null; then
+    echo "WARNING: ENABLE_OMOS=true but bun is not installed."
+    echo "Rebuild with: docker compose build --build-arg INSTALL_OMOS=true"
+  elif [ ! -f "$OMOS_CONFIG" ]; then
+    echo "Setting up oh-my-opencode-slim agents..."
+
+    # Determine installer flags
+    OMOS_TMUX_FLAG="no"
+    if [ "${OMOS_TMUX:-false}" = "true" ]; then
+      OMOS_TMUX_FLAG="yes"
+    fi
+
+    OMOS_SKILLS_FLAG="yes"
+    if [ "${OMOS_SKILLS:-true}" = "false" ]; then
+      OMOS_SKILLS_FLAG="no"
+    fi
+
+    bunx oh-my-opencode-slim@latest install \
+      --no-tui \
+      --tmux="${OMOS_TMUX_FLAG}" \
+      --skills="${OMOS_SKILLS_FLAG}"
+
+    echo "oh-my-opencode-slim configured successfully."
+  else
+    echo "oh-my-opencode-slim config found at $OMOS_CONFIG (use OMOS_RESET=true to overwrite)."
+
+    # Allow reset via env var (creates backup automatically)
+    if [ "${OMOS_RESET:-false}" = "true" ]; then
+      echo "OMOS_RESET=true — regenerating oh-my-opencode-slim config..."
+      OMOS_TMUX_FLAG="no"
+      [ "${OMOS_TMUX:-false}" = "true" ] && OMOS_TMUX_FLAG="yes"
+      OMOS_SKILLS_FLAG="yes"
+      [ "${OMOS_SKILLS:-true}" = "false" ] && OMOS_SKILLS_FLAG="no"
+
+      bunx oh-my-opencode-slim@latest install \
+        --no-tui \
+        --tmux="${OMOS_TMUX_FLAG}" \
+        --skills="${OMOS_SKILLS_FLAG}" \
+        --reset
+    fi
+  fi
+fi
+
 # ── Execute command ──────────────────────────────────────────────────
 exec "$@"

entrypoint.sh

@@ -46,5 +46,24 @@ if [ -d "/home/$USER_NAME/.ssh" ] && [ "$(ls -A "/home/$USER_NAME/.ssh" 2>/dev/n
   fi
 fi
 
+# ── Fix ownership of named volume mount points ──────────────────────
+# Named volumes are created as root on first use. Fix ownership so the
+# developer user can write to them.
+FINAL_UID="${TARGET_UID:-$CURRENT_UID}"
+FINAL_GID="${TARGET_GID:-$CURRENT_GID}"
+for dir in \
+  /home/"$USER_NAME"/.local/share/opencode \
+  /home/"$USER_NAME"/.local/share/uv \
+  /home/"$USER_NAME"/.rustup \
+  /home/"$USER_NAME"/.cargo \
+  /home/"$USER_NAME"/.vscode-server \
+  /home/"$USER_NAME"/.config/opencode \
+  /home/"$USER_NAME"/.config/nvim \
+  /home/"$USER_NAME"/.agents/skills; do
+  if [ -d "$dir" ] && [ "$(stat -c '%u' "$dir" 2>/dev/null)" != "$FINAL_UID" ]; then
+    chown -R "$FINAL_UID":"$FINAL_GID" "$dir" 2>/dev/null || true
+  fi
+done
+
 # ── Drop to developer user for remaining setup ──────────────────────
 exec gosu "$USER_NAME" /usr/local/bin/entrypoint-user.sh "$@"