release: v2.2.0

The doc-drift pass rewrote the v2.1.1 release entry to describe v2.2.0
behaviour; at v2.1.1 the sidecar genuinely was a no-op on native Linux, so
the edit falsified release history. The new behaviour is already documented
in the Unreleased section. Other doc-drift fixes retained.

.gitea/workflows/docker-publish-split.yml

@@ -59,6 +59,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Guard — base *_REF args must be folded into the base hash
+        run: bash scripts/check-base-hash.sh
+
       - name: Compute base tag from Dockerfile.base + dependencies
         id: compute
         run: |
@@ -130,14 +133,32 @@ jobs:
     steps:
       - name: Resolve omos version from npm registry
         id: resolve
+        shell: bash
         run: |
-          set -eu
+          set -euo pipefail
+          # Fail loud rather than silently shipping a floating ref or a bad
+          # version. A transient network/API failure must ABORT the release,
+          # not bake an unpinned ref that defeats both cache-busting AND
+          # after-the-fact reproducibility. (Previously the gitea lookup fell
+          # back to `main` via `|| echo`, and the npm lookup had no guard.)
+          # NOTE: shell: bash is REQUIRED — `set -o pipefail` is illegal in
+          # the runner's default dash/sh and aborts the step immediately.
+          require_sha() { # $1=label $2=value
+            if ! printf '%s' "${2:-}" | grep -qiE '^[0-9a-f]{40}$'; then
+              echo "::error::Could not resolve $1 to a commit SHA (got '${2:-<empty>}'). Refusing to fall back to a floating ref — published images must stay reproducible. Check connectivity and GITEA_BUILD_TOKEN/GITHUB_TOKEN."
+              exit 1
+            fi
+          }
           # Query the npm registry directly via curl+jq rather than `npm view`.
           # catthehacker/ubuntu:act-latest ships Node/npm under /opt/acttoolcache/
           # and adds it to PATH only via /etc/environment — which act_runner never
           # sources (it reads the Docker image's ENV instructions, not /etc/environment).
           # curl and jq are both guaranteed present in every job in this workflow.
-          OMOS_VERSION=$(curl -sf "https://registry.npmjs.org/oh-my-opencode-slim/latest" | jq -r '.version')
+          OMOS_VERSION=$(curl -sf "https://registry.npmjs.org/oh-my-opencode-slim/latest" | jq -r '.version' 2>/dev/null || true)
+          if ! printf '%s' "${OMOS_VERSION:-}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+'; then
+            echo "::error::Could not resolve oh-my-opencode-slim version from npm (got '${OMOS_VERSION:-<empty>}'). Refusing to build with an unresolved version."
+            exit 1
+          fi
           echo "omos_version=${OMOS_VERSION}" >> "$GITHUB_OUTPUT"
           echo "Resolved OMOS_VERSION=${OMOS_VERSION}"
           # Resolve mempalace-toolkit main HEAD to a commit SHA. Unlike omos
@@ -150,8 +171,8 @@ jobs:
           # env vars are unset (degrades to anon, still HTTP 200).
           MEMPALACE_TOOLKIT_REF=$(curl -sf -H "Authorization: token ${GITEA_BUILD_TOKEN:-${GITHUB_TOKEN:-}}" \
             "https://gitea.jordbo.se/api/v1/repos/joakimp/mempalace-toolkit/commits?limit=1&sha=main" \
-            | jq -r '.[0].sha // "main"' 2>/dev/null || echo "main")
-          [ -n "$MEMPALACE_TOOLKIT_REF" ] || MEMPALACE_TOOLKIT_REF=main
+            | jq -r '.[0].sha // empty' 2>/dev/null || true)
+          require_sha MEMPALACE_TOOLKIT_REF "$MEMPALACE_TOOLKIT_REF"
           echo "mempalace_toolkit_ref=${MEMPALACE_TOOLKIT_REF}" >> "$GITHUB_OUTPUT"
           echo "Resolved MEMPALACE_TOOLKIT_REF=${MEMPALACE_TOOLKIT_REF}"
 
@@ -288,6 +309,8 @@ jobs:
             BASE_IMAGE=${{ env.IMAGE }}:${{ needs.base-decide.outputs.base_tag }}
             INSTALL_OPENCODE=true
             INSTALL_OMOS=false
+            RELEASE_TAG=smoke
+            SOURCE_REVISION=${{ github.sha }}
       - name: Smoke test (amd64)
         run: bash scripts/smoke-test.sh opencode-devbox:smoke-base --variant base
 
@@ -331,6 +354,8 @@ jobs:
             INSTALL_OPENCODE=true
             INSTALL_OMOS=true
             OMOS_VERSION=${{ needs.resolve-versions.outputs.omos_version }}
+            RELEASE_TAG=smoke
+            SOURCE_REVISION=${{ github.sha }}
       - env:
           EXPECTED_OMOS_VERSION: ${{ needs.resolve-versions.outputs.omos_version }}
         run: bash scripts/smoke-test.sh opencode-devbox:smoke-omos --variant omos
@@ -338,7 +363,7 @@ jobs:
   # ── Phase 4: multi-arch publish per variant ────────────────────────
 
   build-variant-base:
-    needs: [base-decide, smoke-base]
+    needs: [base-decide, smoke-base, resolve-versions]
     runs-on: ubuntu-latest
     container:
       image: catthehacker/ubuntu:act-latest
@@ -377,8 +402,10 @@ jobs:
         env:
           TAGS: ${{ steps.tags.outputs.tags }}
           BASE_IMAGE_FULL: ${{ env.IMAGE }}:${{ needs.base-decide.outputs.base_tag }}
+          MEMPALACE_TOOLKIT_REF: ${{ needs.resolve-versions.outputs.mempalace_toolkit_ref }}
         run: |
           set -euo pipefail
+          BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
           TAG_FLAGS=()
           while IFS= read -r t; do [[ -n "$t" ]] && TAG_FLAGS+=( -t "$t" ); done <<< "${TAGS}"
           # 3-attempt retry around `docker buildx build --push` (see build-base
@@ -392,6 +419,10 @@ jobs:
                 --build-arg "BASE_IMAGE=${BASE_IMAGE_FULL}" \
                 --build-arg "INSTALL_OPENCODE=true" \
                 --build-arg "INSTALL_OMOS=false" \
+                --build-arg "MEMPALACE_TOOLKIT_REF=${MEMPALACE_TOOLKIT_REF}" \
+                --build-arg "RELEASE_TAG=${RELEASE_TAG}" \
+                --build-arg "BUILD_DATE=${BUILD_DATE}" \
+                --build-arg "SOURCE_REVISION=${GITHUB_SHA:-}" \
                 "${TAG_FLAGS[@]}" \
                 .; then
               echo "==> Attempt ${attempt} succeeded"
@@ -447,8 +478,10 @@ jobs:
           TAGS: ${{ steps.tags.outputs.tags }}
           BASE_IMAGE_FULL: ${{ env.IMAGE }}:${{ needs.base-decide.outputs.base_tag }}
           OMOS_VERSION: ${{ needs.resolve-versions.outputs.omos_version }}
+          MEMPALACE_TOOLKIT_REF: ${{ needs.resolve-versions.outputs.mempalace_toolkit_ref }}
         run: |
           set -euo pipefail
+          BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
           TAG_FLAGS=()
           while IFS= read -r t; do [[ -n "$t" ]] && TAG_FLAGS+=( -t "$t" ); done <<< "${TAGS}"
           # 3-attempt retry (see build-base step for rationale). Variant: omos.
@@ -462,6 +495,10 @@ jobs:
                 --build-arg "INSTALL_OPENCODE=true" \
                 --build-arg "INSTALL_OMOS=true" \
                 --build-arg "OMOS_VERSION=${OMOS_VERSION}" \
+                --build-arg "MEMPALACE_TOOLKIT_REF=${MEMPALACE_TOOLKIT_REF}" \
+                --build-arg "RELEASE_TAG=${RELEASE_TAG}" \
+                --build-arg "BUILD_DATE=${BUILD_DATE}" \
+                --build-arg "SOURCE_REVISION=${GITHUB_SHA:-}" \
                 "${TAG_FLAGS[@]}" \
                 .; then
               echo "==> Attempt ${attempt} succeeded"

AGENTS.md

@@ -19,7 +19,7 @@ Docker image packaging [opencode](https://opencode.ai) into a production-ready d
 - `Dockerfile.variant` — `FROM`s the base and adds only opencode/omos installs gated by build args: `INSTALL_OPENCODE` (default true), `INSTALL_OMOS`, and `INSTALL_MEMPALACE`. All GitHub-sourced binaries are pinned with version ARGs. Two variants: `base` (`INSTALL_OPENCODE=true`) and `omos` (`+INSTALL_OMOS=true`).
 - `entrypoint.sh` — runs as root: UID/GID adjustment, SSH permissions, volume ownership fixes (skipped via `.devbox-owner` sentinel when ownership is already correct). Then drops to developer via gosu.
 - `entrypoint-user.sh` — runs as developer: git config, opencode.jsonc generation (delegated to `generate-config.py`), LAN-access setup (delegated to `setup-lan-access.sh`), a one-time npm-global prefix migration shim (legacy `~/.pi/npm-global` → `~/.config/opencode/npm-global`), skillset auto-deploy from mounted skillset repo, OMOS bundled-skills reconcile (symlinks the image's bundled skills into `~/.agents/skills/`), OMOS config setup.
-- `rootfs/usr/local/lib/opencode-devbox/setup-lan-access.sh` — host-OS-agnostic LAN reachability helper. Detects VM-backed hosts (macOS OrbStack / Docker Desktop, via `host.docker.internal` resolution) and generates a writable `~/.ssh-local/config` using the host as an SSH jump; no-op on native Linux. Controlled by `DEVBOX_LAN_ACCESS` / `HOST_SSH_USER` / `DEVBOX_HOST_ALIAS` / `DEVBOX_LAN_AUTOJUMP_PRIVATE`. Ships the mechanism only (generic `host` jump alias); user targets stay host-side — named-peer `ProxyJump host` overrides go in a bind-mounted `~/.config/devbox-shell/ssh-lan.conf` (Included before `~/.ssh/config`), never baked into the image. **Scoping invariant:** every `Include` in the generated config MUST be preceded by a bare `Host *` reset — an `Include` is scoped to the enclosing `Host`/`Match` block, so without the reset the included config only applies when targeting `host`/`mac` and named peers fall back to SSH defaults. The top `Host *` block also overrides `UserKnownHostsFile` and `ControlPath` into the writable `~/.ssh-local` sidecar (first-value-wins), because the bind-mounted `~/.ssh` is read-only — otherwise multiplexed hosts (`ControlPath ~/.ssh/cm/...`) fail to create their master socket. Non-fatal. Counted in the base hash, so editing it advances `base-latest`.
+- `rootfs/usr/local/lib/opencode-devbox/setup-lan-access.sh` — host-OS-agnostic LAN reachability helper. Always writes the writable `~/.ssh-local/config` sidecar on **every** host OS: a `Host *` block that redirects `ControlPath` into `~/.ssh-local/cm/` (first-value-wins over any read-only `~/.ssh`-bound per-host setting) plus `Include ~/.ssh/config`. On VM-backed hosts (macOS OrbStack / Docker Desktop, detected via `host.docker.internal` resolution) it additionally inserts the host-jump block; on native Linux that block is omitted (LAN is reachable directly) but the sidecar is still rendered. Previously the script exited early on native Linux, leaving `dssh`/`dscp` broken when `~/.ssh` was read-only there. Controlled by `DEVBOX_LAN_ACCESS` / `HOST_SSH_USER` / `DEVBOX_HOST_ALIAS` / `DEVBOX_LAN_AUTOJUMP_PRIVATE`. Ships the mechanism only (generic `host` jump alias); user targets stay host-side — named-peer `ProxyJump host` overrides go in a bind-mounted `~/.config/devbox-shell/ssh-lan.conf` (Included before `~/.ssh/config`), never baked into the image. **Scoping invariant:** every `Include` in the generated config MUST be preceded by a bare `Host *` reset — an `Include` is scoped to the enclosing `Host`/`Match` block, so without the reset the included config only applies when targeting `host`/`mac` and named peers fall back to SSH defaults. Non-fatal. Counted in the base hash, so editing it advances `base-latest`.
 - `rootfs/usr/local/lib/opencode-devbox/generate-config.py` — generates `~/.config/opencode/opencode.jsonc` from env vars. Never overwrites an existing config (checks both `.json` and `.jsonc`). Auto-registers MCP servers for detected tools (mempalace via `mempalace-mcp`, gitea-mcp, context7 remote endpoint).
 - `scripts/smoke-test.sh` — post-build image verification. Asserts binary presence, opencode startup, entrypoint correctness, config generation idempotency, and image size thresholds. Used by both CI workflows.
 - `scripts/recreate-sanity-check.sh` — **runtime** post-recreate verification (counterpart to the build-time `smoke-test.sh`). Run inside the container after `docker compose up -d --force-recreate` to confirm the new image is live (opencode version matches `Dockerfile.variant`'s `OPENCODE_VERSION`), persisted named volumes survived (mempalace palace, opencode.db, bash-history), omos runtime skill symlinks resolve, shell defaults re-seeded, and `/opt` toolkits intact. Not run by CI or the entrypoint — it needs the running container + volumes that smoke-test.sh (which uses `--entrypoint=""`) cannot see.

CHANGELOG.md

@@ -6,6 +6,110 @@ Tags follow **independent semver** (since `v2.0.0`) — they version *this image
 
 ---
 
+## v2.2.0 — 2026-06-19
+
+Ports the build-provenance, CI-hardening, SSH and shell fixes that landed in
+the sibling **pi-devbox** repo (v1.1.4–v1.1.6) into opencode-devbox, adapted to
+this image's companions and two-variant (`base`/`omos`) shape. Also bumps
+opencode. Defaults are unchanged, so the canonical CI build stays byte-identical
+apart from the opencode bump and the (cache-free) provenance layer.
+
+### Fixed: read-only `~/.ssh` ControlPath / LAN sidecar on native Linux
+
+`rootfs/usr/local/lib/opencode-devbox/setup-lan-access.sh` previously
+`exit 0`-ed early on native-Linux hosts (`auto` mode, not VM-backed) **before**
+rendering the writable `~/.ssh-local/config` sidecar. On such hosts with a
+read-only `~/.ssh` bind-mount, `dssh`/`dscp` got no config and the `Host *`
+ControlPath redirect into `~/.ssh-local/cm` never happened, so a user
+`~/.ssh/config` carrying the CGNAT idiom `ControlPath ~/.ssh/cm/%r@%h:%p`
+broke ControlMaster. The sidecar (ControlPath redirect + `Include
+~/.ssh/config`) is now rendered on **every** host OS; only the jump-specific
+blocks (host alias, key generation, peer overrides, RFC1918 catch-all) stay
+gated behind a new `NEED_JUMP` flag. `Dockerfile.base` and `entrypoint-user.sh`
+comments updated to document the always-render behavior and the
+plain-`ssh <host>` caveat. (Mirrors pi-devbox v1.1.5; the pi-only
+`ssh-controlmaster` extension layer has no opencode equivalent and is N/A.)
+
+### Fixed: bash history loss in nested / tmux shells
+
+`rootfs/home/developer/.bash_aliases` exported the `DEVBOX_HIST_SET` flush
+guard, so it leaked into child processes — every nested shell (crucially each
+tmux pane, which inherits the tmux server's env) saw the guard already set and
+skipped installing `history -a` in `PROMPT_COMMAND`. Those shells only
+persisted history on a clean exit, silently losing in-memory history on abrupt
+termination (`docker stop`, `tmux kill-server`, SIGKILL). The guard is now
+shell-local (dropped `export`). (Mirrors pi-devbox v1.1.4.)
+
+### Added: build provenance — OCI labels + on-disk manifest
+
+The variant build now bakes OCI labels
+(`org.opencontainers.image.{version,revision,created}` +
+`se.jordbo.opencode-devbox.{opencode-version,install-omos,omos-version,mempalace-toolkit-ref}`)
+and writes `/etc/opencode-devbox/build-manifest.json` from **ground truth** —
+the live `opencode --version`, the installed `oh-my-opencode-slim` version
+(JSON `null` in the `base` variant), and the actual checked-out HEAD of
+`/opt/mempalace-toolkit` — so a published tag is self-describing and
+reconstructable after CI logs rotate. Provenance ARGs (`RELEASE_TAG`,
+`BUILD_DATE`, `SOURCE_REVISION`, re-declared `MEMPALACE_TOOLKIT_REF`) are
+declared last in `Dockerfile.variant` so they never bust the expensive
+npm-install layers. Wired into both `build-variant-*` and `smoke-*` jobs;
+`scripts/smoke-test.sh` now asserts the manifest exists, is complete, has no
+`unknown` components, and that the `opencode-version` OCI label is present.
+(Mirrors pi-devbox v1.1.6.)
+
+### Added: base-rebuild hash guard (`scripts/check-base-hash.sh`)
+
+New CI guard (run first in the `base-decide` job) that fails the build if any
+floating `ARG *_REF` consumed by `Dockerfile.base` is not folded into the
+`base_tag` hash — preventing the v1.1.2-class staleness footgun where a
+ref-only dependency change silently fails to rebuild the base. Passes today
+(`MEMPALACE_TOOLKIT_REF` is already folded in); this is forward protection.
+(Mirrors pi-devbox v1.1.6.)
+
+### Changed: fail-loud version/ref resolution
+
+The `resolve-versions` step now validates each resolved value — the
+mempalace-toolkit ref must be a 40-hex commit SHA, the omos version must be
+semver — and **aborts the release** on failure instead of silently falling
+back to a floating `main` ref (which defeats both cache-busting and
+reproducibility). The step also gains `shell: bash`, because `set -o pipefail`
+is illegal under the runner's default dash/sh and would otherwise abort the
+step (this exact latent bug bit pi-devbox's first v1.1.6 run). (Mirrors
+pi-devbox v1.1.6.)
+
+### Added: overridable `MEMPALACE_TOOLKIT_REPO` build-arg
+
+`Dockerfile.base` no longer hardcodes the mempalace-toolkit clone URL inline;
+it is now an `ARG MEMPALACE_TOOLKIT_REPO` defaulting to the canonical gitea
+origin, so a relocated/forked build can repoint it via `--build-arg` without
+editing the Dockerfile. Default unchanged. (Mirrors pi-devbox v1.1.6.)
+
+### Bumped: opencode-ai 1.17.7 → 1.17.8
+
+`OPENCODE_VERSION` ARG in `Dockerfile.variant`. `1.17.8` is the current npm
+`latest` stable. Only the variant layer rebuilds; the base is unaffected.
+
+### Added: opencode.json merge-on-recreate — non-destructive `.proposed` sidecar
+
+The pi-devbox v1.1.4 deep-merge into a preserved `settings.json` does not port
+cleanly here: opencode's config is *generated from env vars* and written as
+JSONC with comments (not a static image-owned template), and overwriting or
+`jq`-merging a possibly-bind-mounted host config is destructive. Instead,
+`generate-config.py` keeps its "never touch an existing config" guarantee and
+adds a non-destructive side-channel: when a live config exists, it writes
+`opencode.jsonc.proposed` — the config it *would* generate for the current
+environment plus this image's defaults — **only when that differs** from the
+live config, and removes it once they match. opencode never loads a `.proposed`
+file, so it is purely a manual-merge reference (e.g. surfacing a default MCP
+server added in a newer image). A one-line hint is logged when one is written;
+an unparseable live config surfaces the proposal rather than guessing. The
+proposed config is regenerated from env + image defaults, so a diff may reflect
+your own past edits as well as new image defaults — the file header says so.
+Covered by a new `scripts/smoke-test.sh` assertion (write-on-diff, removal on
+match, live config never clobbered).
+
+---
+
 ## v2.1.2 — 2026-06-16
 
 Image-semver **patch**: bumps opencode to `1.17.7`. No devbox-side changes

Dockerfile.base

@@ -94,6 +94,15 @@ RUN apt-get update && \
 # the last session closes, so consecutive ssh calls in a workflow reuse
 # the same TCP flow. Companion entrypoint-user.sh creates /tmp/sshcm
 # (mode 700) on each container start.
+#
+# CAVEAT (and why dssh/dscp are handled elsewhere): a user per-host override
+# that points ControlPath BACK under the read-only ~/.ssh (e.g. the common
+# CGNAT idiom `ControlPath ~/.ssh/cm/%r@%h:%p`) re-introduces the
+# unwritable-socket failure for a plain `ssh <host>` — a system drop-in here
+# can never override a user's per-host value. For `ssh -F ~/.ssh-local/config`
+# (the dssh/dscp aliases), setup-lan-access.sh redirects ControlPath into the
+# writable ~/.ssh-local sidecar, so those paths are unaffected. See CHANGELOG
+# "Unreleased".
 RUN mkdir -p /etc/ssh/ssh_config.d && \
     printf '%s\n' \
       '# Devbox-baked default. See Dockerfile.base "SSH client defaults".' \
@@ -312,6 +321,11 @@ RUN if [ "${INSTALL_MEMPALACE}" = "true" ]; then \
 # ── mempalace-toolkit — bash wrappers for session/docs mining ────────
 ARG INSTALL_MEMPALACE_TOOLKIT=true
 ARG MEMPALACE_TOOLKIT_REF=main
+# MEMPALACE_TOOLKIT_REPO is overridable so a relocated/forked build can repoint
+# the clone without editing this Dockerfile (matches the *_REPO pattern used by
+# other companions). Defaults to the canonical gitea origin; the default CI
+# build is byte-identical.
+ARG MEMPALACE_TOOLKIT_REPO=https://gitea.jordbo.se/joakimp/mempalace-toolkit.git
 # MEMPALACE_TOOLKIT_REF accepts EITHER a branch name OR a commit SHA. CI
 # resolves it to a SHA (resolve-versions job) and folds that SHA into the
 # base-decide hash so the base rebuilds when the toolkit moves. `git clone
@@ -320,7 +334,7 @@ ARG MEMPALACE_TOOLKIT_REF=main
 RUN if [ "${INSTALL_MEMPALACE}" = "true" ] && [ "${INSTALL_MEMPALACE_TOOLKIT}" = "true" ]; then \
       rm -rf /opt/mempalace-toolkit && mkdir -p /opt/mempalace-toolkit && \
       git -C /opt/mempalace-toolkit init -q && \
-      git -C /opt/mempalace-toolkit remote add origin https://gitea.jordbo.se/joakimp/mempalace-toolkit.git && \
+      git -C /opt/mempalace-toolkit remote add origin "${MEMPALACE_TOOLKIT_REPO}" && \
       ok=0; for i in 1 2 3 4 5; do \
         if git -C /opt/mempalace-toolkit fetch --depth 1 origin "${MEMPALACE_TOOLKIT_REF}" && \
            git -C /opt/mempalace-toolkit checkout -q FETCH_HEAD; then ok=1; break; fi; \

Dockerfile.variant

@@ -39,7 +39,7 @@ ARG USER_NAME=developer
 # edit, so the cache-hit class of bug that bit pi-devbox v0.74.0..
 # v0.75.5 cannot apply here.
 ARG INSTALL_OPENCODE=true
-ARG OPENCODE_VERSION=1.17.7
+ARG OPENCODE_VERSION=1.17.8
 RUN if [ "${INSTALL_OPENCODE}" = "true" ]; then \
       NPM_CONFIG_PREFIX=/usr npm install -g opencode-ai@${OPENCODE_VERSION} && \
       opencode --version ; \
@@ -91,4 +91,58 @@ RUN if [ "${INSTALL_OMOS}" = "true" ]; then \
       NPM_CONFIG_PREFIX=/usr npm install -g oh-my-opencode-slim@${OMOS_VERSION}; \
     fi
 
+# ── Build provenance: OCI labels + on-disk manifest ──────────────────
+# These ARGs are declared LAST, immediately before the layer that uses
+# them, so a changing BUILD_DATE / RELEASE_TAG / SOURCE_REVISION never
+# invalidates the expensive npm-install layers above. OPENCODE_VERSION,
+# OMOS_VERSION and INSTALL_OMOS are already in scope from earlier in this
+# stage and need no re-declaration; MEMPALACE_TOOLKIT_REF is consumed in
+# Dockerfile.base, so it is re-declared here only to land in the labels.
+ARG RELEASE_TAG=dev
+ARG BUILD_DATE=
+ARG SOURCE_REVISION=
+ARG MEMPALACE_TOOLKIT_REF=main
+
+LABEL org.opencontainers.image.version="${RELEASE_TAG}" \
+      org.opencontainers.image.revision="${SOURCE_REVISION}" \
+      org.opencontainers.image.created="${BUILD_DATE}" \
+      se.jordbo.opencode-devbox.opencode-version="${OPENCODE_VERSION}" \
+      se.jordbo.opencode-devbox.install-omos="${INSTALL_OMOS}" \
+      se.jordbo.opencode-devbox.omos-version="${OMOS_VERSION}" \
+      se.jordbo.opencode-devbox.mempalace-toolkit-ref="${MEMPALACE_TOOLKIT_REF}"
+
+# The manifest is written from GROUND TRUTH — the live `opencode --version`,
+# the omos package's installed version (when present), and the actual
+# checked-out HEAD of /opt/mempalace-toolkit (cloned in the base) — not
+# merely the intended build-args. That way it also exposes a dependency
+# that silently resolved to something other than the requested value.
+# oh-my-opencode-slim is present only in the omos variant (JSON null
+# otherwise). NOTE: omos is installed under prefix /usr at build time, so
+# we resolve its dir via `npm root -g` with that prefix rather than the
+# runtime NPM_CONFIG_PREFIX the base sets for the developer volume.
+RUN set -e; \
+    mkdir -p /etc/opencode-devbox; \
+    rev() { git -C "$1" rev-parse HEAD 2>/dev/null || echo "unknown"; }; \
+    OPENCODE_V="$(opencode --version 2>/dev/null | head -n1 | tr -d '\r\n')"; \
+    OMOS_REV='null'; \
+    if [ "${INSTALL_OMOS}" = "true" ]; then \
+      OMOS_DIR="$(NPM_CONFIG_PREFIX=/usr npm root -g 2>/dev/null)/oh-my-opencode-slim"; \
+      OMOS_V="$(node -e "process.stdout.write(require('${OMOS_DIR}/package.json').version)" 2>/dev/null || echo unknown)"; \
+      OMOS_REV="\"${OMOS_V}\""; \
+    fi; \
+    { \
+      echo '{'; \
+      echo "  \"release_tag\": \"${RELEASE_TAG}\","; \
+      echo "  \"build_date\": \"${BUILD_DATE}\","; \
+      echo "  \"source_revision\": \"${SOURCE_REVISION}\","; \
+      echo "  \"opencode_version\": \"${OPENCODE_V}\","; \
+      echo "  \"components\": {"; \
+      echo "    \"opencode\": \"${OPENCODE_V}\","; \
+      echo "    \"oh-my-opencode-slim\": ${OMOS_REV},"; \
+      echo "    \"mempalace-toolkit\": \"$(rev /opt/mempalace-toolkit)\""; \
+      echo "  }"; \
+      echo '}'; \
+    } > /etc/opencode-devbox/build-manifest.json; \
+    echo "── build manifest ──"; cat /etc/opencode-devbox/build-manifest.json
+
 # WORKDIR / ENTRYPOINT / CMD inherited from base.

README.md

@@ -157,7 +157,7 @@ The devbox works the same way whether the host is **native Linux Docker** or a *
 - **Native Linux Docker:** the host NATs container egress onto its LAN, so other devices on your LAN are reachable directly. Nothing to configure.
 - **VM-backed (macOS / Docker Desktop):** the container runs in a Linux VM behind the host's network stack. The host's *directly-attached* LAN peers are **not** bridged into the container by default — only the host itself and *routed* subnets are reachable.
 
-On every start the entrypoint detects which case applies. On VM-backed hosts it generates a writable `~/.ssh-local/config` that uses the **host as an SSH jump** to reach LAN peers; on native Linux it does nothing. The jump keypair lives in `~/.ssh-local`, which is persisted by the `devbox-ssh-local` named volume — so it's generated **once** and reused across container updates.
+On every start the entrypoint runs `setup-lan-access.sh`, which always writes a writable `~/.ssh-local/config` sidecar. The sidecar does two things regardless of host OS: redirect `ControlPath` into the writable `~/.ssh-local/cm/` (so ControlMaster sockets don't hit the read-only `~/.ssh` bind-mount) and `Include ~/.ssh/config`. On VM-backed hosts it additionally inserts the **SSH-jump-via-host block** so you can reach LAN peers; on native Linux that block is omitted (LAN is reachable directly) but the sidecar is still written — so `dssh`/`dscp` and ControlMaster work on native Linux with a read-only `~/.ssh` too. The jump keypair lives in `~/.ssh-local`, persisted by the `devbox-ssh-local` named volume — generated **once** and reused across container updates.
 
 **To enable it on a VM-backed host (one-time setup per machine):**
 
@@ -209,7 +209,7 @@ Host my-remote
 
 Opencode configuration is persisted automatically via the named volume `devbox-opencode-config`. This volume is mounted at `/home/developer/.config/opencode` by default — no host directory setup required. Changes to `opencode.jsonc` and (on the OMOS variant) `oh-my-opencode-slim.json` survive container recreation. Auto-deployed skills are *not* stored here — skillset and OMOS skills are symlinked into `~/.agents/skills/` and rebuilt on every start (see [Custom skills](#custom-skills) and [docs/omos-skills.md](docs/omos-skills.md)).
 
-When an existing `opencode.jsonc` is found in the volume, the `OPENCODE_PROVIDER` auto-config is skipped.
+When an existing `opencode.jsonc` is found in the volume, the `OPENCODE_PROVIDER` auto-config is skipped — the live config is never overwritten. However, on each start `generate-config.py` checks whether the config it *would* generate for your current environment differs from the live one, and if so writes a **`opencode.jsonc.proposed`** sidecar in the same directory. This is a manual-merge reference only — opencode never loads `.proposed` files. It is removed automatically once your live config matches the current image defaults. A one-line hint is logged when one is present. Differences may reflect new image defaults (e.g. a newly-added MCP server) *or* your own past edits — the file header explains both.
 
 **Alternative: host bind-mount** — if you specifically want to share config from the host (e.g. to version-control it or sync across machines), replace the named volume with a bind mount:
 
@@ -422,7 +422,7 @@ docker compose build --build-arg NVIM_VERSION=0.12.1   # pin to a specific versi
 |---|---|---|
 | `INSTALL_GO` | `false` | Go toolchain (resolves latest stable from go.dev when `GO_VERSION=latest`) |
 | `INSTALL_MEMPALACE` | `true` | [MemPalace](https://github.com/MemPalace/mempalace) local AI memory system (~300 MB — disable to shrink image if you don't need MCP memory) |
-| `INSTALL_MEMPALACE_TOOLKIT` | `true` | [mempalace-toolkit](https://gitea.jordbo.se/joakimp/mempalace-toolkit) bash wrappers (`mempalace-session`, `mempalace-docs`). Cloned at build time from `MEMPALACE_TOOLKIT_REF` (default `main`). Requires `INSTALL_MEMPALACE=true`. |
+| `INSTALL_MEMPALACE_TOOLKIT` | `true` | [mempalace-toolkit](https://gitea.jordbo.se/joakimp/mempalace-toolkit) bash wrappers (`mempalace-session`, `mempalace-docs`). Cloned at build time from `MEMPALACE_TOOLKIT_REPO` at ref `MEMPALACE_TOOLKIT_REF` (default `main`). Requires `INSTALL_MEMPALACE=true`. |
 | `INSTALL_OMOS` | `false` | [oh-my-opencode-slim](https://github.com/alvinunreal/oh-my-opencode-slim) multi-agent orchestration (installs Bun and plugin) |
 | `INSTALL_OPENCODE` | `true` | Install opencode. Set `false` to build a base with no harness (still includes Bun if `INSTALL_OMOS=true`). |
 | `OPENCODE_VERSION` | *(pinned per release)* | opencode npm version. Drives the image tag and is intentionally not floated. |
@@ -603,7 +603,46 @@ Both wrappers are idempotent and dedup-aware — re-running them on unchanged in
 
 For weekly automated runs, the toolkit ships ready-to-use scheduler templates (systemd user timer, launchd user agent, cron) in its [`contrib/`](https://gitea.jordbo.se/joakimp/mempalace-toolkit/src/branch/main/contrib) directory. The `*-devbox` variants are designed for this container: host-side schedulers that `docker exec` into the running opencode-devbox.
 
-Disable the toolkit (keeps mempalace itself) with `--build-arg INSTALL_MEMPALACE_TOOLKIT=false`. Pin to a specific ref with `--build-arg MEMPALACE_TOOLKIT_REF=v0.3.0` once tagged releases exist.
+Disable the toolkit (keeps mempalace itself) with `--build-arg INSTALL_MEMPALACE_TOOLKIT=false`. Pin to a specific ref with `--build-arg MEMPALACE_TOOLKIT_REF=v0.3.0` once tagged releases exist. Repoint the clone URL with `--build-arg MEMPALACE_TOOLKIT_REPO=<url>` for forked or air-gapped builds (see below).
+
+### Building a fork / relocated build
+
+The canonical build clones `mempalace-toolkit` from `gitea.jordbo.se`. That URL is an overridable build-arg (defaulting to the canonical origin), so a fork or a build on a host that can't reach that gitea can repoint it at a mirror, another host, or a local `file://` path **without editing the Dockerfiles**:
+
+| Build-arg | Default | Dockerfile |
+|---|---|---|
+| `MEMPALACE_TOOLKIT_REPO` | `https://gitea.jordbo.se/joakimp/mempalace-toolkit.git` | base |
+
+Each companion also has a matching `*_REF` arg (branch name or commit SHA). Example — build against a forked mempalace-toolkit:
+
+```bash
+# base first
+docker build -f Dockerfile.base -t myorg/opencode-devbox:base-dev \
+  --build-arg MEMPALACE_TOOLKIT_REPO=https://github.com/myorg/mempalace-toolkit.git .
+
+# then the variant FROM that base
+docker build -f Dockerfile.variant -t myorg/opencode-devbox:dev \
+  --build-arg BASE_IMAGE=myorg/opencode-devbox:base-dev \
+  --build-arg OPENCODE_VERSION=1.17.8 .
+```
+
+Note: mempalace-toolkit clones anonymously (no token needed). Only the `resolve-versions` CI job calls the gitea API (which needs a token for public repos). A plain `docker build` like the above skips that job entirely, so no credentials are required.
+
+Provenance build-args (all optional; populate the OCI labels and `/etc/opencode-devbox/build-manifest.json` — see below): `RELEASE_TAG`, `BUILD_DATE`, `SOURCE_REVISION`. CI sets these automatically; a manual build leaves them at harmless defaults.
+
+### Build provenance (labels + manifest)
+
+Every published image is self-describing. Inspect the OCI labels without pulling the filesystem:
+
+```bash
+docker inspect --format '{{json .Config.Labels}}' joakimp/opencode-devbox:latest | jq .
+```
+
+`org.opencontainers.image.{version,revision,created}` plus `se.jordbo.opencode-devbox.{opencode-version,install-omos,omos-version,mempalace-toolkit-ref}` record the intended opencode version, omos status, and companion refs. The on-disk `/etc/opencode-devbox/build-manifest.json` records **ground truth** — the live `opencode --version`, the installed `oh-my-opencode-slim` version (or `null` in the base variant), and the actual checked-out HEAD of `/opt/mempalace-toolkit` — so a tag is reconstructable after CI logs rotate:
+
+```bash
+docker run --rm --entrypoint= joakimp/opencode-devbox:latest cat /etc/opencode-devbox/build-manifest.json
+```
 
 ### Storage
 

docs/plan-lan-access-and-pi-extensions.md

@@ -219,7 +219,8 @@ Add (for `with-pi`/`omos-with-pi`/pi-devbox):
 2. **Latest-but-pinned**: track latest (master HEAD), resolve to SHA in CI build-arg. ✓
 3. **Refactor**: pi-devbox/Dockerfile -> `FROM` the with-pi variant; pi-install in ONE place. ✓
 4. **LAN default** `DEVBOX_LAN_ACCESS=auto`: generate config + print authorize hint when
-   `HOST_SSH_USER` unset; silent no-op on native Linux. ✓
+   `HOST_SSH_USER` unset; silent no-op on native Linux. ✓ *(v2.2.0: sidecar now rendered on
+   all OSes; native Linux no longer skipped — jump block still omitted there)*
 5. **No `DEVBOX_LAN_HOSTS`**: rely on user's bind-mounted `~/.ssh/config` (`ProxyJump host`). ✓
 
 ## Remaining verify-before-merge items

entrypoint-user.sh

@@ -12,12 +12,16 @@ set -euo pipefail
 mkdir -p /tmp/sshcm
 chmod 700 /tmp/sshcm
 
-# ── LAN access: generic host-OS-agnostic reachability helper ────────
-# On VM-backed hosts (macOS OrbStack / Docker Desktop) the container can't
-# reach the host's directly-attached LAN peers by default; this generates a
-# writable ~/.ssh-local/config that uses the host as an SSH jump. On native
-# Linux (LAN reachable directly) it is a no-op. Controlled by DEVBOX_LAN_ACCESS
-# (auto|jump|off) + HOST_SSH_USER. Always non-fatal. See the script header.
+# ── LAN access + writable SSH sidecar: host-OS-agnostic helper ──────
+# Generates the writable ~/.ssh-local/config on EVERY host OS: a `Host *`
+# ControlPath redirect into ~/.ssh-local/cm (so `ssh -F` / dssh / dscp work
+# even when ~/.ssh is bind-mounted read-only) plus `Include ~/.ssh/config`. On
+# VM-backed hosts (macOS OrbStack / Docker Desktop) it ALSO adds an
+# SSH-jump-via-host block so the container can reach the host's
+# directly-attached LAN peers; on native Linux (LAN reachable directly) the
+# jump block is omitted but the sidecar is still rendered. Controlled by
+# DEVBOX_LAN_ACCESS (auto|jump|off) + HOST_SSH_USER. Always non-fatal. See the
+# script header.
 if [ -r /usr/local/lib/opencode-devbox/setup-lan-access.sh ]; then
   bash /usr/local/lib/opencode-devbox/setup-lan-access.sh || true
 fi
@@ -91,9 +95,11 @@ fi
 
 # ── Generate opencode config from env vars if no config mounted ──────
 # Delegated to a standalone Python script for clarity and testability.
-# The script is idempotent: it never overwrites an existing opencode.json
-# (bind-mounted from host, persisted in named volume, or previously
-# generated) and no-ops if OPENCODE_PROVIDER is unset.
+# The script never overwrites an existing opencode.json/.jsonc (bind-mounted
+# from host, persisted in named volume, or previously generated) and no-ops if
+# OPENCODE_PROVIDER is unset. When a config already exists it instead writes a
+# NON-loaded opencode.jsonc.proposed sidecar (only when newer image defaults
+# differ) for manual review/merge.
 python3 /usr/local/lib/opencode-devbox/generate-config.py
 
 # ── Skillset: deploy skills/instructions from mounted skillset repo ──

rootfs/home/developer/.bash_aliases

@@ -89,9 +89,16 @@ fi
 # we append with a newline separator to avoid the ';;' parse error
 # described at the top of this file. Guarded so repeated sourcing
 # (e.g. `exec bash`) doesn't stack duplicates.
+#
+# The guard MUST stay shell-local (NOT exported): if it leaks into child
+# processes, every nested shell -- crucially each tmux pane, which inherits
+# the tmux server's env -- skips installing `history -a` and only persists
+# history on a clean exit. Abrupt termination (docker stop, tmux kill-server,
+# SIGKILL) then loses that shell's in-memory history. Keeping it unexported
+# means each new interactive shell re-installs its own per-prompt flush.
 if [ -z "${DEVBOX_HIST_SET:-}" ]; then
   PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND$'\n'}history -a"
-  export DEVBOX_HIST_SET=1
+  DEVBOX_HIST_SET=1
 fi
 
 # ── Prompt: show [opencode-devbox] tag so it's obvious you're in the container

rootfs/usr/local/lib/opencode-devbox/generate-config.py

@@ -3,9 +3,12 @@
 Generate opencode.json from environment variables on first container start.
 
 Safety guarantees:
-  - NEVER overwrites an existing opencode.json. If the file is present
-    (whether bind-mounted from the host, persisted in a named volume, or
-    previously generated), this script exits immediately without writing.
+  - NEVER overwrites an existing config (opencode.json / opencode.jsonc),
+    whether bind-mounted from the host, persisted in a named volume, or
+    previously generated. When a config already exists, this script instead
+    writes a NON-loaded `opencode.jsonc.proposed` sidecar (only when the
+    freshly-generated config would differ) so new image defaults can be
+    reviewed and merged by hand. opencode never loads the .proposed file.
   - Requires OPENCODE_PROVIDER to be set. Without it, no file is written.
 
 Environment variables:
@@ -18,13 +21,16 @@ MCP servers are auto-registered for tools detected on PATH:
   - mempalace (if installed) — enabled
   - gitea-mcp (if installed) — registered but disabled by default
 
-Output path: $HOME/.config/opencode/opencode.json
+Output path: $HOME/.config/opencode/opencode.jsonc
+             (existing config preserved; newer defaults surfaced as
+              $HOME/.config/opencode/opencode.jsonc.proposed)
 """
 
 from __future__ import annotations
 
 import json
 import os
+import re
 import shutil
 import sys
 from pathlib import Path
@@ -110,6 +116,113 @@ def register_mcp_servers(config: dict) -> list[str]:
     return list(servers.keys())
 
 
+def render_config(provider: str, model: str) -> tuple[dict, str, list[str]]:
+    """Build the config dict and its JSONC rendering for a provider/model.
+
+    Shared by first-generation and the proposed-config side-channel so the
+    two can never drift. Returns (config_dict, jsonc_text, mcp_servers_added).
+    """
+    config = build_config(provider, model)
+    added = register_mcp_servers(config)
+
+    # Write as JSONC so we can include helpful comments.
+    content = json.dumps(config, indent=2)
+    # Insert a comment about the Context7 API key after the context7 url line.
+    context7_comment = (
+        '      "url": "https://mcp.context7.com/mcp"\n'
+        "      // For higher rate limits, sign up at https://context7.com/dashboard\n"
+        '      // and add: "headers": { "CONTEXT7_API_KEY": "{env:CONTEXT7_API_KEY}" }'
+    )
+    content = content.replace(
+        '      "url": "https://mcp.context7.com/mcp"',
+        context7_comment,
+    )
+    return config, content, added
+
+
+def _loads_jsonc(text: str) -> dict:
+    """Parse JSONC (JSON + // line comments), preserving // inside strings.
+
+    Uses the same string-aware comment stripper as scripts/smoke-test.sh, so a
+    value such as an https:// URL is never corrupted. Raises on invalid JSON
+    (e.g. trailing commas) — callers treat that as 'cannot compare'.
+    """
+    pattern = r'"(?:\\.|[^"\\])*"|//[^\n]*'
+    stripped = re.sub(
+        pattern,
+        lambda m: m.group(0) if m.group(0).startswith('"') else "",
+        text,
+    )
+    return json.loads(stripped)
+
+
+PROPOSED_HEADER = """\
+// ───────────────────────────────────────────────────────────────
+// PROPOSED opencode config — NOT loaded by opencode.
+//
+// This is what opencode-devbox would generate for your CURRENT environment
+// plus THIS image's defaults. It is written only when it differs from your
+// live opencode.jsonc, as a manual-merge reference — e.g. a newer image added
+// a default MCP server you do not have yet. opencode only loads
+// opencode.json / opencode.jsonc, never this .proposed file.
+//
+// NOTE: this reflects env + image defaults, so a difference may be a new image
+// default OR simply one of your own past edits (changed model, gitea
+// enabled=true, …). Diff against your live config and merge what you want.
+// Delete this file any time — it is rewritten on the next start if still
+// relevant, and removed automatically once your live config matches.
+// ───────────────────────────────────────────────────────────────
+"""
+
+
+def write_proposed(
+    proposed_file: Path, live_file: Path, config: dict, content: str
+) -> None:
+    """Non-destructively surface a newer default config beside the live one.
+
+    Writes <proposed_file> ONLY when the freshly-rendered config differs from
+    the live config (or the live config cannot be parsed for comparison).
+    Removes a stale proposed file when the live config already matches. NEVER
+    touches the live config itself.
+    """
+    try:
+        live = _loads_jsonc(live_file.read_text())
+        differs = live != config
+        comparable = True
+    except (OSError, ValueError):
+        # Can't read or parse the live config — surface the proposal rather
+        # than silently guess they are equivalent.
+        comparable = False
+        differs = True
+
+    if comparable and not differs:
+        if proposed_file.exists():
+            try:
+                proposed_file.unlink()
+                print(
+                    f"Live opencode config matches image defaults; removed "
+                    f"stale {proposed_file.name}.",
+                    file=sys.stderr,
+                )
+            except OSError:
+                pass
+        return
+
+    try:
+        proposed_file.write_text(PROPOSED_HEADER + content + "\n")
+    except OSError as e:
+        print(f"WARN: could not write {proposed_file}: {e}", file=sys.stderr)
+        return
+
+    why = "" if comparable else " (existing config could not be parsed for comparison)"
+    print(
+        f"A newer default opencode config is available at {proposed_file}{why}. "
+        "It is NOT applied automatically — diff/merge it into your live config "
+        "manually, or delete it to dismiss.",
+        file=sys.stderr,
+    )
+
+
 def main() -> int:
     provider = os.environ.get("OPENCODE_PROVIDER", "").strip()
     if not provider:
@@ -120,19 +233,7 @@ def main() -> int:
     config_dir = home / ".config" / "opencode"
     config_file = config_dir / "opencode.jsonc"
     config_file_legacy = config_dir / "opencode.json"
-
-    # CRITICAL: never overwrite an existing config. Users may have
-    # bind-mounted their host config directory, or their config may be
-    # persisted in a named volume from a previous run.
-    # Check both .json and .jsonc variants.
-    if config_file.exists() or config_file_legacy.exists():
-        existing = config_file if config_file.exists() else config_file_legacy
-        print(
-            f"Existing config found at {existing} — "
-            "skipping generation.",
-            file=sys.stderr,
-        )
-        return 0
+    proposed_file = config_dir / "opencode.jsonc.proposed"
 
     if provider not in DEFAULT_MODELS:
         print(
@@ -145,30 +246,37 @@ def main() -> int:
         provider, FALLBACK_MODEL
     )
 
+    config, content, added = render_config(provider, model)
+
+    # CRITICAL: never overwrite an existing config. Users may have bind-mounted
+    # their host config directory, or their config may be persisted in a named
+    # volume from a previous run. When a config already exists we instead
+    # surface any newer image defaults via a NON-loaded opencode.jsonc.proposed
+    # sidecar for manual merge (see write_proposed) — the live file is untouched.
+    existing = None
+    if config_file.exists():
+        existing = config_file
+    elif config_file_legacy.exists():
+        existing = config_file_legacy
+    if existing is not None:
+        print(
+            f"Existing config found at {existing} — not overwritten.",
+            file=sys.stderr,
+        )
+        write_proposed(proposed_file, existing, config, content)
+        return 0
+
     print(f"Generating opencode config for provider: {provider}", file=sys.stderr)
-
-    config = build_config(provider, model)
-    added = register_mcp_servers(config)
-
     config_dir.mkdir(parents=True, exist_ok=True)
-
-    # Write as JSONC so we can include helpful comments.
-    content = json.dumps(config, indent=2)
-
-    # Insert a comment about Context7 API key after the context7 url line.
-    context7_comment = (
-        '      "url": "https://mcp.context7.com/mcp"\n'
-        "      // For higher rate limits, sign up at https://context7.com/dashboard\n"
-        '      // and add: "headers": { "CONTEXT7_API_KEY": "{env:CONTEXT7_API_KEY}" }'
-    )
-    content = content.replace(
-        '      "url": "https://mcp.context7.com/mcp"',
-        context7_comment,
-    )
-
     with config_file.open("w") as f:
         f.write(content)
         f.write("\n")
+    # The fresh config now equals the image defaults — clear any stale proposal.
+    if proposed_file.exists():
+        try:
+            proposed_file.unlink()
+        except OSError:
+            pass
 
     if added:
         print(

rootfs/usr/local/lib/opencode-devbox/setup-lan-access.sh

@@ -14,7 +14,9 @@
 #   The one thing reachable from a container on every OS is the host itself
 #   (host.docker.internal). So on VM-backed hosts we generate a writable SSH
 #   config that reaches the host and lets the user ProxyJump onward to LAN
-#   peers the host can reach. On native Linux we do nothing.
+#   peers the host can reach. On native Linux we render the same writable
+#   config (for the ControlPath redirect + Include ~/.ssh/config) but emit no
+#   jump block, since LAN peers are reachable directly there.
 #
 #   We ship the MECHANISM (a generic `host` jump alias + writable config),
 #   never the POLICY: the user's specific target hosts live in their own
@@ -30,7 +32,9 @@
 #
 # CONTROLS (env)
 #   DEVBOX_LAN_ACCESS = auto (default) | jump | off
-#       auto  → set up the jump config only on VM-backed hosts; no-op on Linux.
+#       auto  → set up the host jump only on VM-backed hosts. The writable
+#               sidecar config (ControlPath redirect + Include) is always
+#               rendered, on every OS.
 #       jump  → always set up (e.g. native Linux with extra_hosts host-gateway).
 #       off   → do nothing.
 #   HOST_SSH_USER  — the username to SSH into the host as. REQUIRED for the
@@ -84,42 +88,72 @@ is_vm_backed() {
   getent hosts "$HOST_ALIAS_HOSTNAME" >/dev/null 2>&1
 }
 
-if [ "$MODE" = "auto" ] && ! is_vm_backed; then
-  # Native Linux host: LAN peers are reachable directly. Nothing to do.
-  exit 0
-fi
-
-# From here: MODE=jump, or MODE=auto on a VM-backed host.
-
-command -v ssh-keygen >/dev/null 2>&1 || exit 0
-
+# ── Writable socket dir + sidecar (ALWAYS, every host OS) ─────────────
+# The ControlPath redirect in the generated config needs a writable directory
+# regardless of host OS or jump mode. ~/.ssh is typically read-only, so the
+# master socket lives under the writable ~/.ssh-local. We create it and render
+# the config UNCONDITIONALLY so the redirect (and `Include ~/.ssh/config`) works
+# even on native Linux — where we set up no host jump but a read-only ~/.ssh
+# would otherwise still break ControlMaster sockets.
 mkdir -p "${SSH_LOCAL}/cm" 2>/dev/null || true
 chmod 700 "${SSH_LOCAL}" "${SSH_LOCAL}/cm" 2>/dev/null || true
 
-# ── Jump key (generated once; preserved across restarts) ──────────────
+# ── Decide whether to set up the host jump ────────────────────────────
+# Jump = reach the container host (host.docker.internal) as an SSH ProxyJump
+# onward to the host's LAN peers. Needed on VM-backed hosts (macOS / Docker
+# Desktop) or when forced with DEVBOX_LAN_ACCESS=jump. On native Linux LAN
+# peers are reachable directly, so NEED_JUMP=0 and we emit no jump block — but
+# we still render the config for the ControlPath redirect + Include.
+NEED_JUMP=0
+if [ "$MODE" = "jump" ] || { [ "$MODE" = "auto" ] && is_vm_backed; }; then
+  NEED_JUMP=1
+fi
+
+# ── Jump key (only when a jump is needed; generated once, preserved) ──
 # Persisted via a named volume on ~/.ssh-local (see compose), so a fresh key
 # is generated only on the very first start (or if the volume is wiped). When
 # we DO generate one it must be (re-)authorized on the host, so we flag it and
 # print a copy-paste authorize line below.
 KEY_JUST_GENERATED=0
-if [ ! -f "$KEY" ]; then
-  ssh-keygen -t ed25519 -N '' -C "devbox-jump@${HOSTNAME:-container}" -f "$KEY" >/dev/null 2>&1 || exit 0
-  chmod 600 "$KEY" 2>/dev/null || true
-  KEY_JUST_GENERATED=1
+if [ "$NEED_JUMP" = "1" ] && command -v ssh-keygen >/dev/null 2>&1 && [ ! -f "$KEY" ]; then
+  if ssh-keygen -t ed25519 -N '' -C "devbox-jump@${HOSTNAME:-container}" -f "$KEY" >/dev/null 2>&1; then
+    chmod 600 "$KEY" 2>/dev/null || true
+    KEY_JUST_GENERATED=1
+  fi
 fi
 
 # ── Render the writable config ────────────────────────────────────────
-USER_LINE=""
-if [ -n "${HOST_SSH_USER:-}" ]; then
-  USER_LINE="    User ${HOST_SSH_USER}"
-fi
-
-# Optional host-owned named-peer jump overrides (portable: lives on the host,
-# not in the image). Included BEFORE ~/.ssh/config so its ProxyJump wins.
-SSH_LAN_CONF="${HOME}/.config/devbox-shell/ssh-lan.conf"
+# Jump-specific blocks (the host alias, host-owned peer overrides, and the
+# optional RFC1918 catch-all) only make sense when a jump is set up; on native
+# Linux they are all empty and only the ControlPath redirect + Include remain.
+JUMP_BLOCK=""
 LAN_CONF_BLOCK=""
-if [ -r "$SSH_LAN_CONF" ]; then
-  LAN_CONF_BLOCK=$(cat <<'EOF'
+AUTOJUMP_BLOCK=""
+if [ "$NEED_JUMP" = "1" ]; then
+  USER_LINE=""
+  if [ -n "${HOST_SSH_USER:-}" ]; then
+    USER_LINE="    User ${HOST_SSH_USER}"
+  fi
+  JUMP_BLOCK=$(cat <<EOF
+
+# The container host (OrbStack / Docker Desktop). 'host' and 'mac' are aliases.
+Host host mac
+    HostName ${HOST_ALIAS_HOSTNAME}
+${USER_LINE}
+    IdentityFile ~/.ssh-local/devbox_jump_ed25519
+    IdentitiesOnly yes
+    ControlMaster auto
+    ControlPath ~/.ssh-local/cm/%r@%h:%p
+    ControlPersist 4h
+    ServerAliveInterval 30
+EOF
+)
+
+  # Optional host-owned named-peer jump overrides (portable: lives on the host,
+  # not in the image). Included BEFORE ~/.ssh/config so its ProxyJump wins.
+  SSH_LAN_CONF="${HOME}/.config/devbox-shell/ssh-lan.conf"
+  if [ -r "$SSH_LAN_CONF" ]; then
+    LAN_CONF_BLOCK=$(cat <<'EOF'
 
 # Host-owned named-peer jump overrides (bind-mounted; edit on the host).
 # Scope reset to match-all so the Include applies to every target host.
@@ -127,14 +161,13 @@ Host *
 Include ~/.config/devbox-shell/ssh-lan.conf
 EOF
 )
-fi
+  fi
 
-# Optional opt-in RFC1918 catch-all: ProxyJump every private IP through the
-# host. Matches the typed address, never the resolved HostName, so named hosts
-# with their own ProxyJump are unaffected. Network-agnostic → roaming-safe.
-AUTOJUMP_BLOCK=""
-if [ "${DEVBOX_LAN_AUTOJUMP_PRIVATE:-0}" = "1" ]; then
-  AUTOJUMP_BLOCK=$(cat <<'EOF'
+  # Optional opt-in RFC1918 catch-all: ProxyJump every private IP through the
+  # host. Matches the typed address, never the resolved HostName, so named hosts
+  # with their own ProxyJump are unaffected. Network-agnostic → roaming-safe.
+  if [ "${DEVBOX_LAN_AUTOJUMP_PRIVATE:-0}" = "1" ]; then
+    AUTOJUMP_BLOCK=$(cat <<'EOF'
 
 # RFC1918 auto-jump (DEVBOX_LAN_AUTOJUMP_PRIVATE=1): reach any private IP on
 # the host's CURRENT LAN via bare `dssh user@<ip>`. Public IPs are unmatched
@@ -146,6 +179,7 @@ Host 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22
     ProxyJump host
 EOF
 )
+  fi
 fi
 
 INCLUDE_BLOCK=""
@@ -176,17 +210,7 @@ Host *
     UserKnownHostsFile ~/.ssh-local/known_hosts
     StrictHostKeyChecking accept-new
     ControlPath ~/.ssh-local/cm/%r@%h:%p
-
-# The container host (OrbStack / Docker Desktop). 'host' and 'mac' are aliases.
-Host host mac
-    HostName ${HOST_ALIAS_HOSTNAME}
-${USER_LINE}
-    IdentityFile ~/.ssh-local/devbox_jump_ed25519
-    IdentitiesOnly yes
-    ControlMaster auto
-    ControlPath ~/.ssh-local/cm/%r@%h:%p
-    ControlPersist 4h
-    ServerAliveInterval 30
+${JUMP_BLOCK}
 ${LAN_CONF_BLOCK}
 ${AUTOJUMP_BLOCK}
 ${INCLUDE_BLOCK}
@@ -199,6 +223,7 @@ chmod 600 "$CONFIG" 2>/dev/null || true
 # host won't recognize. With ~/.ssh-local persisted via a named volume, case
 # (b) fires only on first-ever start (or after the volume is reset) — so this
 # is normally a one-time, one-line step per machine, with no file to locate.
+if [ "$NEED_JUMP" = "1" ]; then
 PUBKEY_TEXT="$(cat "${KEY}.pub" 2>/dev/null)"
 if [ -z "${HOST_SSH_USER:-}" ]; then
   cat <<EOF
@@ -221,5 +246,6 @@ elif [ "$KEY_JUST_GENERATED" = "1" ]; then
          repeat this on container updates — only if that volume is reset.
 EOF
 fi
+fi
 
 exit 0

scripts/check-base-hash.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# check-base-hash.sh — guard the base-rebuild invariant.
+#
+# Every floating `ARG *_REF` consumed by Dockerfile.base MUST be folded
+# into the base_tag hash in the docker-publish workflow. Otherwise a
+# ref-only change to that dependency does not change the base hash, the
+# Docker Hub probe finds the old base tag, and the base is NOT rebuilt —
+# the dependency fix silently fails to land. This is the v1.1.2-class
+# staleness footgun (then it was mempalace-toolkit; this guard stops the
+# next one before it ships).
+#
+# Runs in CI (base-decide job) and locally:  bash scripts/check-base-hash.sh
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+WF=".gitea/workflows/docker-publish-split.yml"
+DF="Dockerfile.base"
+
+# Extract the hash-compute block: the `HASH=$( … ) | sha256sum | cut`
+# brace-group in the "Compute base tag" step. This lives in a separate
+# file from the workflow, so scanning $WF here is free of the self-match
+# hazard an inline workflow step would have.
+block=$(awk '/HASH=\$\(/{f=1} f{print} f && /cut -c1-12/{exit}' "$WF")
+if [ -z "$block" ]; then
+  echo "::error::could not locate the HASH=\$( … ) | sha256sum block in $WF"
+  exit 1
+fi
+
+refs=$(grep -oE '^ARG [A-Z0-9_]+_REF' "$DF" | awk '{print $2}' | sort -u)
+fail=0
+for r in $refs; do
+  lc=$(printf '%s' "$r" | tr '[:upper:]' '[:lower:]')
+  if ! printf '%s' "$block" | grep -q "outputs.$lc"; then
+    echo "::error::Dockerfile.base declares '$r' but it is NOT folded into the base_tag hash in $WF."
+    echo "::error::Add  echo \"\${{ needs.resolve-versions.outputs.$lc }}\"  inside the HASH=\$( … ) | sha256sum block, or a $r-only change will silently fail to rebuild the base."
+    fail=1
+  fi
+done
+
+if [ "$fail" = 0 ]; then
+  echo "OK: all Dockerfile.base *_REF args are folded into base_tag (${refs:-none})."
+fi
+exit $fail

scripts/smoke-test.sh

@@ -197,6 +197,34 @@ else
   fi
 fi
 
+echo
+echo "-- Build provenance (manifest + OCI labels) --"
+run "/etc/opencode-devbox/build-manifest.json present" \
+    "test -f /etc/opencode-devbox/build-manifest.json"
+run_expect "manifest records opencode component" \
+    "cat /etc/opencode-devbox/build-manifest.json" '"opencode"'
+run_expect "manifest records opencode_version" \
+    "cat /etc/opencode-devbox/build-manifest.json" '"opencode_version"'
+run_expect "manifest records mempalace-toolkit component" \
+    "cat /etc/opencode-devbox/build-manifest.json" '"mempalace-toolkit"'
+# Every resolved component must be a real value, never the 'unknown'
+# sentinel that rev()/version lookups emit on failure. (oh-my-opencode-slim
+# is JSON null in the base variant — that is expected, not 'unknown'.)
+run "manifest has no unresolved ('unknown') components" \
+    "! grep -q '\"unknown\"' /etc/opencode-devbox/build-manifest.json"
+if [ "$VARIANT" = "omos" ]; then
+  run "manifest omos component is resolved (not null) in omos variant" \
+      "! grep -q '\"oh-my-opencode-slim\": null' /etc/opencode-devbox/build-manifest.json"
+fi
+# OCI labels live in the image config, not the container fs — inspect them
+# from the host docker rather than via `docker run`.
+LBL=$(docker inspect --format '{{ index .Config.Labels "se.jordbo.opencode-devbox.opencode-version" }}' "$IMAGE" 2>/dev/null || true)
+if [ -n "$LBL" ] && [ "$LBL" != "<no value>" ]; then
+  pass "OCI label se.jordbo.opencode-devbox.opencode-version=$LBL"
+else
+  fail "OCI label se.jordbo.opencode-devbox.opencode-version missing or empty"
+fi
+
 echo
 echo "-- Entrypoint behaviour --"
 
@@ -278,6 +306,37 @@ if docker run --rm \
 else
   fail "$label: existing config was modified!"
 fi
+
+# Proposed-config side-channel: when a config already exists, a NEWER default
+# config is surfaced as a NON-loaded opencode.jsonc.proposed (write-on-diff,
+# removed once the live config matches). The live config is never touched.
+label="generate-config writes .proposed only when config differs"
+if docker run --rm \
+    -e OPENCODE_PROVIDER=anthropic \
+    -e HOME=/tmp/home \
+    --entrypoint="" \
+    "$IMAGE" sh -c '
+      set -e
+      d=/tmp/home/.config/opencode
+      mkdir -p "$d"
+      gc=/usr/local/lib/opencode-devbox/generate-config.py
+      # (a) differing existing config → proposed written, live NOT clobbered
+      printf "{\n  \"model\": \"old/model\"\n}\n" > "$d/opencode.jsonc"
+      python3 "$gc" 2>/dev/null
+      test -f "$d/opencode.jsonc.proposed"
+      grep -q "old/model" "$d/opencode.jsonc"
+      # (b) live matches defaults + stale proposed present → proposed removed
+      rm -f "$d/opencode.jsonc" "$d/opencode.jsonc.proposed"
+      python3 "$gc" 2>/dev/null
+      cp "$d/opencode.jsonc" "$d/opencode.jsonc.proposed"
+      python3 "$gc" 2>/dev/null
+      test ! -f "$d/opencode.jsonc.proposed"
+      echo ok
+    ' 2>/dev/null | grep -q ok; then
+  pass "$label"
+else
+  fail "$label: proposed-config behaviour incorrect"
+fi
 rm -rf "$tmp"
 
 echo