refactor: re-brand the opencode-devbox with-pi variant (single source of truth)

pi-devbox no longer installs pi itself. The Dockerfile is now a thin
FROM joakimp/opencode-devbox:latest-with-pi (overridable via BASE_IMAGE),
inheriting pi + pi-toolkit + pi-extensions + pi-fork (fork) +
pi-observational-memory (recall) + the LAN-access helper + all base tooling
from the single source of truth. Eliminates the install-logic duplication
that drifted against opencode-devbox/Dockerfile.variant (decision #3).

Consequences (documented in CHANGELOG/AGENTS):
- The image now ALSO contains opencode (with-pi has INSTALL_OPENCODE=true).
  A leaner pi-only image would need a dedicated pi-only variant upstream.
- Publish ordering: release opencode-devbox first so latest-with-pi carries
  the target pi version, THEN tag this repo. The smoke test asserts
  pi --version matches the tag (EXPECTED_PI_VERSION) and fails loudly if the
  base is stale — turning the version coupling into an enforced ordering guard.

CI: drop PI_VERSION build-arg (Dockerfile installs nothing); keep tag->version
resolution to feed the smoke base-freshness guard. Smoke adds fork/recall
clone + node_modules + settings.json registration checks; size threshold
2200 -> 2900 MB (now tracks with-pi). Docs updated across README, AGENTS,
DOCKER_HUB, .env.example, docker-compose.
pi
2026-06-03 15:51:41 +02:00
parent 1587a84579
commit c139be326f
9 changed files with 160 additions and 120 deletions
+14 -25
@@ -33,14 +33,13 @@ jobs:
- uses: docker/setup-buildx-action@v4
with: {driver-opts: network=host}
# Derive PI_VERSION from the tag (e.g. v0.75.5 -> 0.75.5; v0.75.5b -> 0.75.5).
# MUST be passed as a build-arg so Docker's layer cache invalidates when pi
# is bumped. Without this, the bare `npm install -g <pkg>` in the Dockerfile
# produces an identical layer-hash across builds and the registry buildcache
# silently reuses the layer from whatever pi version was current when the
# cache was first populated. Discovered 2026-05-23 — every pi-devbox release
# since v0.74.0 had been shipping the same image bytes (manifest digests
# identical across v0.74.0..v0.75.5 on both arches).
# Derive PI_VERSION from the tag (e.g. v0.78.0 -> 0.78.0; v0.78.0b -> 0.78.0).
# Since the refactor to FROM opencode-devbox:latest-with-pi, this repo no
# longer installs pi itself — pi comes from the base image. We still resolve
# the tag version and feed it to the smoke test as EXPECTED_PI_VERSION: the
# smoke asserts the inherited base actually carries this pi version, which
# turns the version coupling into an enforced publish-ordering guard (it
# fails loudly if latest-with-pi is stale relative to this tag).
- name: Resolve PI_VERSION from tag
id: resolve
run: |
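Review bot: The step below the rewritten comment is still named "Resolve PI_VERSION from tag" and still exposes the value as a pi_version output, which reads as if this workflow still selects the pi version to install. Since the comment now says the value is only an expectation fed to the smoke test as EXPECTED_PI_VERSION, consider renaming the step (for example "Resolve expected pi version from tag") so the name matches its role. The comment could also state what happens for suffixed tags such as v0.78.0b: they resolve to the same expected version, so a suffixed re-release passes the guard against the same base.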
@@ -58,8 +57,6 @@ jobs:
push: false
load: true
tags: pi-devbox:smoke
build-args: |
PI_VERSION=${{ steps.resolve.outputs.pi_version }}
- name: Smoke test
env:
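Review bot: With the build-args block removed from this smoke build, the only input that varies between releases is whatever latest-with-pi resolves to, so a builder that reuses a previously fetched base yields a stale image, and the EXPECTED_PI_VERSION guard catches that only when the pi version itself differs. If this step is docker/build-push-action, as its push/load/tags inputs suggest, consider setting `pull: true` so the base tag is re-resolved on every run.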
@@ -102,7 +99,8 @@ jobs:
echo "EOF"
} >> "$GITHUB_OUTPUT"
# See the smoke job for why this is required (cache-hit silent regression).
# See the smoke job for why the tag version is resolved (now used only for
# the base-freshness smoke guard; pi is no longer installed in this repo).
- name: Resolve PI_VERSION from tag
id: resolve
run: |
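Review bot: The resolve step kept in this publish job appears to have no consumer left in the visible lines: the later hunks remove both the PI_VERSION env entry and the --build-arg that used steps.resolve.outputs.pi_version, and the new comment says the value is used only by the smoke guard, which lives in the smoke job. Either drop the step from this job or use the value here, for example by checking pi --version in the pushed image after the build, so the publish path enforces the same base-freshness expectation as the smoke path.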
@@ -115,7 +113,6 @@ jobs:
- name: Build and push (amd64 + arm64) — with retry
shell: bash
env:
PI_VERSION: ${{ steps.resolve.outputs.pi_version }}
TAGS: ${{ steps.tags.outputs.tags }}
run: |
set -euo pipefail
@@ -125,24 +122,16 @@ jobs:
while IFS= read -r t; do [[ -n "$t" ]] && TAG_FLAGS+=( -t "$t" ); done <<< "${TAGS}"
# 3-attempt retry around `docker buildx build --push` for transient
# registry-1.docker.io blips (rate limits, CDN flap, brief 5xx).
# Does NOT mask deterministic failures: a true regression (e.g. the
# cache-export 400 hit 2026-05-23..28) will fail all 3 attempts
# identically and the job still fails — by design.
# Registry cache disabled: buildkit's mode=max cache-export to
# registry-1.docker.io reproducibly returns HTTP 400 on resumable-
# upload PUT (Hub-CDN protocol mismatch with buildx 0.34.x, surfaced
# ~2026-05-23). Diagnosed during opencode-devbox v1.15.12 manual
# publish: image push works fine, only --cache-to fails. See
# opencode-devbox CHANGELOG v1.15.12 Unreleased section for full
# root-cause analysis. Re-enable when buildkit upstream resolves.
# Single-stage Dockerfile + tiny diff (npm install pi only) means
# build is fast even without cache (~30-60s).
# The build itself is now trivial (FROM opencode-devbox:latest-with-pi
# + an empty layer) so it is fast even without registry cache.
# Registry cache stays disabled (buildkit mode=max cache-export hits a
# reproducible HTTP 400 from Hub CDN since ~2026-05-23; image push is
# unaffected). See opencode-devbox CHANGELOG v1.15.12.
for attempt in 1 2 3; do
echo "==> Build+push attempt ${attempt}/3"
if docker buildx build \
--platform linux/amd64,linux/arm64 \
--push \
--build-arg "PI_VERSION=${PI_VERSION}" \
"${TAG_FLAGS[@]}" \
.; then
echo "==> Attempt ${attempt} succeeded"
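Review bot: The publish build in this loop resolves the latest-with-pi base on its own, separately from the smoke build, and nothing in the visible lines ties the two to the same base digest. If the base tag is republished between the smoke job and this job, or between retry attempts, the pushed image is not the one that was smoke-tested. Consider resolving the base digest once, logging it, and passing it to both builds through the BASE_IMAGE override named in the commit message (name@sha256:... form), which would also leave a record of exactly which base each release shipped on. The shortened comment keeps the pointer to the opencode-devbox CHANGELOG for the HTTP 400 cache-export issue, which is enough; the condition for re-enabling the registry cache was dropped and could be kept in one line.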