docs: fix drift — sync compose/volumes, studio coverage, mempalace link

Audit found README/AGENTS carried a stale compose/volume set that
diverged from the shipped docker-compose.yml (DOCKER_HUB + compose +
.env.example were already consistent — README was the outlier):

- README compose block + 'Volumes and persistence' table: correct volume
  names (devbox-shell-history not -bash-history; devbox-uv at
  ~/.local/share/uv not devbox-uv-tools at /opt/uv-tools — the latter
  would SHADOW the baked mempalace install at UV_TOOL_DIR); add
  devbox-ssh-local + devbox-zoxide; mark devbox-palace/-chroma-cache
  optional; WORKSPACE_PATH/SSH_KEY_PATH (not HOST_WORKSPACE).
- README quickstart: 'compose exec -u developer' (no USER in image; bare
  exec lands a root shell).
- README: pi-studio now 'shipped' not 'planned'; build-pipeline + tag
  table cover -studio + smoke-studio/build-variant-studio.
- AGENTS: backward-compat volume names corrected; repo-layout bullets
  cover pi-studio install + studio-expose + STUDIO_EXPOSE bridge.
- DOCKER_HUB: MemPalace source link -> upstream MemPalace/mempalace
  (matches Dockerfile.base + CHANGELOG refs).

Note: the shipped v1.0.0 CHANGELOG migration note still lists the old
(incorrect) volume names; left as immutable released history.

AGENTS.md

@@ -12,14 +12,17 @@ re-brand of opencode-devbox's `pi-only` variant.
   Node.js, Python toolchain, locales, ssh ControlMaster defaults, and
   `/etc/tmux.conf` with 0-indexed sessions.
 - `Dockerfile.variant` — `FROM base-<hash>`, adds pi + companions
-  (`pi-toolkit`, `pi-extensions`, `pi-fork`, `pi-observational-memory`).
+  (`pi-toolkit`, `pi-extensions`, `pi-fork`, `pi-observational-memory`)
+  and, when `INSTALL_STUDIO=true`, vendors `pi-studio` to `/opt/pi-studio`
+  (`-studio` variant).
 - `entrypoint.sh` — UID/GID alignment as root, then drops to `developer`.
 - `entrypoint-user.sh` — per-container start: SSH ControlMaster socket
   dir, LAN-access setup, MemPalace init, pi-toolkit + pi-extensions
-  deploy, mempalace-bridge symlink, fork/recall pi-install, skillset
+  deploy, mempalace-bridge symlink, fork/recall + pi-studio pi-install,
+  optional `studio-expose` bridge (when `STUDIO_EXPOSE=1`), skillset
   deploy.
 - `rootfs/` — files baked into the image (bash aliases, inputrc,
-  setup-lan-access.sh).
+  setup-lan-access.sh, `studio-expose` helper).
 - `scripts/smoke-test.sh` — sanity checks run by CI before pushing to Hub.
 - `.gitea/workflows/docker-publish.yml` — two-phase CI (base-decide →
   build-base → smoke → build-variant → promote-base-latest →
@@ -129,8 +132,9 @@ deprecated artifacts (to be removed in opencode-devbox v2.0.0).
 ## Backward compatibility
 
 - The host `~/.mempalace` bind-mount path is unchanged.
-- Volume names (`devbox-pi-config`, `devbox-bash-history`,
-  `devbox-nvim-data`, `devbox-uv-tools`, `devbox-chroma-cache`) are
+- Volume names (`devbox-pi-config`, `devbox-ssh-local`,
+  `devbox-shell-history`, `devbox-zoxide`, `devbox-nvim-data`,
+  `devbox-uv`; optional `devbox-palace`, `devbox-chroma-cache`) are
   unchanged.
 - `~/.pi/agent/` layout inside the container is unchanged; existing
   named volumes work without recreation.

DOCKER_HUB.md

@@ -151,7 +151,7 @@ Optional volumes for MemPalace (commented out by default — uncomment in `docke
 - **pi**: https://github.com/earendil-works/pi
 - **pi-toolkit**: https://gitea.jordbo.se/joakimp/pi-toolkit
 - **pi-extensions**: https://gitea.jordbo.se/joakimp/pi-extensions
-- **MemPalace**: https://github.com/joakimp/mempalace
+- **MemPalace**: https://github.com/MemPalace/mempalace
 
 ## License
 

README.md

@@ -98,7 +98,7 @@ git clone https://gitea.jordbo.se/joakimp/pi-devbox
 cd pi-devbox
 cp .env.example .env       # edit if needed
 docker compose up -d
-docker compose exec devbox bash
+docker compose exec -u developer devbox bash
 ```
 
 You're now in the container as user `developer` with `pi` on PATH and
@@ -236,37 +236,45 @@ services:
     container_name: pi-devbox
     stdin_open: true
     tty: true
-    env_file: .env
+    env_file:
+      - .env
     environment:
-      - TZ=${TZ:-Europe/Stockholm}
       - TERM=xterm-256color
-      - AWS_PROFILE=${AWS_PROFILE:-}
-      - AWS_REGION=${AWS_REGION:-eu-west-1}
+      - GITEA_ACCESS_TOKEN=${GITEA_ACCESS_TOKEN:-}
+      - GITEA_HOST=${GITEA_HOST:-}
+      - GITHUB_PERSONAL_ACCESS_TOKEN=${GITHUB_PERSONAL_ACCESS_TOKEN:-}
     volumes:
-      # Workspace: your host source tree, read-write
-      - ${HOST_WORKSPACE:-./workspace}:/workspace:rw
+      # Workspace: your host source tree
+      - ${WORKSPACE_PATH:-.}:/workspace
       # SSH keys: read-only from host
-      - ${HOME}/.ssh:/home/developer/.ssh:ro
-      # AWS config: read-only from host
-      - ${HOME}/.aws:/home/developer/.aws:ro
-      # MemPalace: bind-mounted so host pi and container pi share a brain
-      - ${HOME}/.mempalace:/home/developer/.mempalace:rw
+      - ${SSH_KEY_PATH:-~/.ssh}:/home/developer/.ssh:ro
       # Per-container persistent state
       - devbox-pi-config:/home/developer/.pi
-      - devbox-bash-history:/home/developer/.cache/bash
+      - devbox-ssh-local:/home/developer/.ssh-local
+      - devbox-shell-history:/home/developer/.cache/bash
+      - devbox-zoxide:/home/developer/.local/share/zoxide
       - devbox-nvim-data:/home/developer/.local/share/nvim
-      - devbox-uv-tools:/opt/uv-tools
-      - devbox-chroma-cache:/home/developer/.cache/chroma
+      - devbox-uv:/home/developer/.local/share/uv
+      # Optional (uncomment to enable):
+      # - ~/.aws:/home/developer/.aws                          # AWS creds
+      # - devbox-palace:/home/developer/.mempalace             # persist palace
+      # - devbox-chroma-cache:/home/developer/.cache/chroma    # embedding cache
 
 volumes:
   devbox-pi-config:
-  devbox-bash-history:
+  devbox-ssh-local:
+  devbox-shell-history:
+  devbox-zoxide:
   devbox-nvim-data:
-  devbox-uv-tools:
-  devbox-chroma-cache:
+  devbox-uv:
+  # devbox-palace:
+  # devbox-chroma-cache:
 ```
 
-See `.env.example` in the repo for available environment variables.
+See `docker-compose.yml` and `.env.example` in the repo for the full
+template (build-from-source args, LAN-jump and skillset mounts, MemPalace
+persistence). To share one palace between host pi and the container,
+bind-mount your host `~/.mempalace` to `/home/developer/.mempalace`.
 
 ## uv-driven REPL recipes
 
@@ -322,15 +330,16 @@ to refresh.
 
 | Path inside container | Volume | What survives |
 |---|---|---|
-| `/workspace` | host bind-mount | host filesystem |
-| `~/.ssh` | host bind-mount (read-only) | host filesystem |
-| `~/.aws` | host bind-mount (read-only) | host filesystem |
-| `~/.mempalace` | host bind-mount | host filesystem |
+| `/workspace` | host bind-mount (`WORKSPACE_PATH`) | host filesystem |
+| `~/.ssh` | host bind-mount (read-only, `SSH_KEY_PATH`) | host filesystem |
 | `~/.pi` | named volume `devbox-pi-config` | `down -v` wipes |
-| `~/.cache/bash` | named volume | `down -v` wipes |
-| `~/.local/share/nvim` | named volume | `down -v` wipes |
-| `/opt/uv-tools` | named volume | `down -v` wipes |
-| `~/.cache/chroma` | named volume | `down -v` wipes |
+| `~/.ssh-local` | named volume `devbox-ssh-local` | `down -v` wipes |
+| `~/.cache/bash` | named volume `devbox-shell-history` | `down -v` wipes |
+| `~/.local/share/zoxide` | named volume `devbox-zoxide` | `down -v` wipes |
+| `~/.local/share/nvim` | named volume `devbox-nvim-data` | `down -v` wipes |
+| `~/.local/share/uv` | named volume `devbox-uv` | `down -v` wipes |
+| `~/.mempalace` | host bind-mount or `devbox-palace` (optional) | host / volume |
+| `~/.cache/chroma` | `devbox-chroma-cache` (optional) | `down -v` wipes |
 
 Anything not on a volume is on the writable layer and is lost on
 container recreate.
@@ -386,9 +395,9 @@ set -g pane-base-index 0
 ```
 
 This is the default tmux indexing. It's baked here because `pi-studio`
-(planned for `:latest-studio`) hard-codes its tmux send target to
-`<session>:0.0`. If you override `base-index` to 1 in a personal
-`~/.tmux.conf`, pi-studio will fail with "can't find window: 0".
+(shipped in the `:latest-studio` variant) hard-codes its tmux send
+target to `<session>:0.0`. If you override `base-index` to 1 in a
+personal `~/.tmux.conf`, pi-studio will fail with "can't find window: 0".
 
 ## AWS Bedrock auth
 
@@ -411,8 +420,11 @@ pi-devbox is built from this repo's CI in two phases:
    where `<hash>` is content-addressed over `Dockerfile.base`,
    `rootfs/`, and `entrypoint*.sh`. Rebuilt only when these change.
 2. **Variant** (`Dockerfile.variant`) — `FROM ${BASE_IMAGE}` and adds
-   the pi install. The `:latest` and `vX.Y.Z` tags are produced from
-   this layer; future Studio variants will extend further.
+   the pi install (+ pi-studio when `INSTALL_STUDIO=true`). The `:latest`
+   / `vX.Y.Z` and `:latest-studio` / `vX.Y.Z-studio` tags are produced
+   from this layer. The studio variant builds via independent
+   `smoke-studio` + `build-variant-studio` CI jobs that gate only the
+   `-studio` tags.
 
 Tag naming:
 
@@ -421,6 +433,7 @@ Tag naming:
 | `base-<hash>` | base image — internal building block |
 | `base-latest` | promoted alias of the most recent base |
 | `latest`, `vX.Y.Z` | variant: base + pi |
+| `latest-studio`, `vX.Y.Z-studio` | variant: base + pi + pi-studio |
 
 CI resolves `PI_VERSION` to a concrete version string before building
 to defeat a registry-buildcache hit on `npm install -g