ci: shorten Hub short-description to ≤100 bytes + resolve toolkit/extensions to SHAs

The v1.0.0 release run failed at update-description because Docker Hub's
short-description field has a 100-byte limit and the previous string
was 151 bytes (the em dash is 3 bytes UTF-8). The image itself shipped
fine — only the cosmetic Hub description patch failed.

Changes:
- Short description: 'Linux container with the pi coding-agent, MemPalace,
  and curated dev tooling.' (77 bytes, was 151)
- resolve-versions now also resolves pi-toolkit and pi-extensions main
  HEADs to commit SHAs so workflow_dispatch re-runs produce byte-identical
  images when those repos haven't moved. Fork+obsmem were already
  SHA-resolved; toolkit+extensions were branch-named (drift risk on
  re-runs that we got lucky on for v1.0.0).

.gitea/workflows/docker-publish.yml

@@ -114,8 +114,10 @@ jobs:
       pi_version: ${{ steps.resolve.outputs.pi_version }}
       fork_ref: ${{ steps.resolve.outputs.fork_ref }}
       obsmem_ref: ${{ steps.resolve.outputs.obsmem_ref }}
+      toolkit_ref: ${{ steps.resolve.outputs.toolkit_ref }}
+      extensions_ref: ${{ steps.resolve.outputs.extensions_ref }}
     steps:
-      - name: Resolve pi version + fork/obsmem refs
+      - name: Resolve pi version + companion refs
         id: resolve
         run: |
           set -eu
@@ -133,8 +135,24 @@ jobs:
           [ -n "$OBSMEM_REF" ] || OBSMEM_REF=master
           echo "fork_ref=${FORK_REF}"     >> "$GITHUB_OUTPUT"
           echo "obsmem_ref=${OBSMEM_REF}" >> "$GITHUB_OUTPUT"
+          # Also resolve pi-toolkit / pi-extensions main HEADs to SHAs so a
+          # workflow_dispatch re-run produces byte-identical images when
+          # those repos haven't moved (and a clean diff in build-arg strings
+          # when they have, defeating the registry buildcache footgun).
+          # Gitea API requires auth even for public-repo commit listing.
+          TOOLKIT_REF=$(curl -sf -H "Authorization: token ${GITEA_BUILD_TOKEN:-${GITHUB_TOKEN:-}}" \
+            "https://gitea.jordbo.se/api/v1/repos/joakimp/pi-toolkit/commits?limit=1&sha=main" \
+            | jq -r '.[0].sha // "main"' 2>/dev/null || echo "main")
+          EXTENSIONS_REF=$(curl -sf -H "Authorization: token ${GITEA_BUILD_TOKEN:-${GITHUB_TOKEN:-}}" \
+            "https://gitea.jordbo.se/api/v1/repos/joakimp/pi-extensions/commits?limit=1&sha=main" \
+            | jq -r '.[0].sha // "main"' 2>/dev/null || echo "main")
+          [ -n "$TOOLKIT_REF" ]    || TOOLKIT_REF=main
+          [ -n "$EXTENSIONS_REF" ] || EXTENSIONS_REF=main
+          echo "toolkit_ref=${TOOLKIT_REF}"        >> "$GITHUB_OUTPUT"
+          echo "extensions_ref=${EXTENSIONS_REF}"  >> "$GITHUB_OUTPUT"
           echo "Resolved PI_VERSION=${PI_VERSION}"
           echo "Resolved PI_FORK_REF=${FORK_REF}, PI_OBSMEM_REF=${OBSMEM_REF}"
+          echo "Resolved PI_TOOLKIT_REF=${TOOLKIT_REF}, PI_EXTENSIONS_REF=${EXTENSIONS_REF}"
 
   # ── Phase 2: build & push base (multi-arch), only when needed ──────
   build-base:
@@ -252,6 +270,8 @@ jobs:
             PI_VERSION=${{ needs.resolve-versions.outputs.pi_version }}
             PI_FORK_REF=${{ needs.resolve-versions.outputs.fork_ref }}
             PI_OBSMEM_REF=${{ needs.resolve-versions.outputs.obsmem_ref }}
+            PI_TOOLKIT_REF=${{ needs.resolve-versions.outputs.toolkit_ref }}
+            PI_EXTENSIONS_REF=${{ needs.resolve-versions.outputs.extensions_ref }}
       - name: Smoke test (amd64)
         env:
           EXPECTED_PI_VERSION: ${{ needs.resolve-versions.outputs.pi_version }}
@@ -301,6 +321,8 @@ jobs:
           PI_VERSION: ${{ needs.resolve-versions.outputs.pi_version }}
           FORK_REF: ${{ needs.resolve-versions.outputs.fork_ref }}
           OBSMEM_REF: ${{ needs.resolve-versions.outputs.obsmem_ref }}
+          TOOLKIT_REF: ${{ needs.resolve-versions.outputs.toolkit_ref }}
+          EXTENSIONS_REF: ${{ needs.resolve-versions.outputs.extensions_ref }}
         run: |
           set -euo pipefail
           TAG_FLAGS=()
@@ -316,6 +338,8 @@ jobs:
                 --build-arg "PI_VERSION=${PI_VERSION}" \
                 --build-arg "PI_FORK_REF=${FORK_REF}" \
                 --build-arg "PI_OBSMEM_REF=${OBSMEM_REF}" \
+                --build-arg "PI_TOOLKIT_REF=${TOOLKIT_REF}" \
+                --build-arg "PI_EXTENSIONS_REF=${EXTENSIONS_REF}" \
                 "${TAG_FLAGS[@]}" \
                 .; then
               echo "==> Attempt ${attempt} succeeded"
@@ -396,7 +420,7 @@ jobs:
           fi
           HTTP_CODE=$(jq -n \
             --rawfile full DOCKER_HUB.md \
-            --arg short "Self-contained Linux container for the pi coding-agent — pi + companions + MemPalace + curated dev tooling. Decoupled from opencode-devbox at v1.0.0." \
+            --arg short "Linux container with the pi coding-agent, MemPalace, and curated dev tooling." \
             '{"full_description": $full, "description": $short}' | \
             curl -s -o /tmp/hub-response.txt -w "%{http_code}" -X PATCH \
               "https://hub.docker.com/v2/repositories/${{ vars.DOCKERHUB_USERNAME }}/pi-devbox/" \