release: v0.78.0c — inherit LAN-access fixes from rebuilt base-pi-only

opencode-devbox v1.15.13d published the rebuilt base-pi-only (digest 83b45335)
with the fixed setup-lan-access.sh (Include scope + ControlPath) and the new
ssh-lan.conf / RFC1918 autojump. Tagging now to build the thin pi-devbox on it.

.env.example

@@ -12,9 +12,11 @@ SSH_KEY_PATH=~/.ssh
 # ── LAN access from the container (host-OS-agnostic) ─────────────────
 # On VM-backed hosts (macOS OrbStack / Docker Desktop) the container can't
 # reach the host's directly-attached LAN peers by default. The entrypoint
-# then sets up the host as an SSH jump (use the `dssh` alias, or add
+# then sets up the host as an SSH jump (use the `dssh` alias). Reach the host
-# `ProxyJump host` to targets in your bind-mounted ~/.ssh/config). On native
+# with `dssh host`; for named LAN peers put `ProxyJump host` overrides in a
-# Linux Docker the LAN is reachable directly and this is a no-op.
+# host-owned ~/.config/devbox-shell/ssh-lan.conf (bind-mounted in) rather than
+# editing ~/.ssh/config. On native Linux Docker the LAN is reachable directly
+# and this is a no-op.
 # See the opencode-devbox README for the full walkthrough.
 #
 # DEVBOX_LAN_ACCESS: auto (default) | jump | off
@@ -22,6 +24,9 @@ SSH_KEY_PATH=~/.ssh
 # HOST_SSH_USER: your username on the host (required for the jump). On first
 # start the entrypoint prints the public key to authorize on the host.
 # HOST_SSH_USER=
+# DEVBOX_LAN_AUTOJUMP_PRIVATE: 1 = ProxyJump any private (RFC1918) IP through
+# the host, so bare `dssh user@<ip>` works on whatever LAN you're roaming on.
+# DEVBOX_LAN_AUTOJUMP_PRIVATE=0
 
 # ── Git Configuration ────────────────────────────────────────────────
 GIT_USER_NAME=

AGENTS.md

@@ -5,7 +5,7 @@ pi-focused image. As of 2026-06-03 it no longer installs pi itself.
 
 ## Repository layout
 
-- `Dockerfile` — thin re-brand: `FROM opencode-devbox:latest-pi-only` (overridable via `BASE_IMAGE` arg). No install logic of its own — pi + companions are inherited from the pi-only variant (built `INSTALL_OPENCODE=false`, so **no opencode** — that's the distinction from `latest-with-pi`). This refactor removed the install-logic duplication that used to drift against `opencode-devbox/Dockerfile.variant`.
+- `Dockerfile` — thin re-brand: `FROM joakimp/pi-devbox:base-pi-only` (overridable via `BASE_IMAGE` arg). No install logic of its own — pi + companions are inherited from the pi-only build (built `INSTALL_OPENCODE=false`, so **no opencode** — that's the distinction from `opencode-devbox:latest-with-pi`). The `base-pi-only` tag is produced by opencode-devbox CI (from `opencode-devbox/Dockerfile.variant`) but published into THIS repo as an internal building-block tag. This refactor removed the install-logic duplication that used to drift against `opencode-devbox/Dockerfile.variant`.
 - `docker-compose.yml` — compose file for local use
 - `.env.example` — environment variable template
 - `scripts/smoke-test.sh` — sanity checks run by CI before pushing to Docker Hub
@@ -14,12 +14,12 @@ pi-focused image. As of 2026-06-03 it no longer installs pi itself.
 ## Versioning scheme
 
 - Tags follow the pi npm version: `v{pi_version}[letter]`
-- The image inherits pi from `latest-pi-only`, so the **publish ordering matters**: rebuild opencode-devbox first so `latest-pi-only` carries the target pi version, *then* tag this repo. The smoke test asserts `pi --version` matches the tag (`EXPECTED_PI_VERSION`) and fails loudly if the base is stale.
+- The image inherits pi from `base-pi-only`, so the **publish ordering matters**: rebuild opencode-devbox first so `joakimp/pi-devbox:base-pi-only` carries the target pi version, *then* tag this repo. The smoke test asserts `pi --version` matches the tag (`EXPECTED_PI_VERSION`) and fails loudly if the base is stale.
 - Docker Hub: `joakimp/pi-devbox:vX.Y.Z` + `joakimp/pi-devbox:latest`
 
 ## Release-day checklist
 
-1. Ensure opencode-devbox has been released so `joakimp/opencode-devbox:latest-pi-only` carries the target pi version (and the fork/recall extensions). This is the hard prerequisite — the smoke guard enforces it.
+1. Ensure opencode-devbox has been released so `joakimp/pi-devbox:base-pi-only` carries the target pi version (and the fork/recall extensions). This is the hard prerequisite — the smoke guard enforces it.
 2. Update `CHANGELOG.md`: promote `Unreleased` → `vX.Y.Z — YYYY-MM-DD`
 3. Add fresh `## Unreleased` section
 4. Commit, tag `vX.Y.Z`, push tag → CI fires automatically
@@ -39,7 +39,7 @@ per version. Don't try to derive notes from the npm registry metadata
 
 ## Key facts
 
-- **Base image**: `joakimp/opencode-devbox:latest-pi-only` — the single source of truth for the pi install + companions. Rebuilt whenever opencode-devbox releases.
+- **Base image**: `joakimp/pi-devbox:base-pi-only` — an internal building-block tag (produced by opencode-devbox CI from `Dockerfile.variant`, the single source of truth for the pi install + companions; published into this repo, not under opencode-devbox). Rebuilt whenever opencode-devbox releases. Not for end users — they pull `joakimp/pi-devbox:latest` or a `vX.Y.Z` tag.
 - **Inherited content**: pi (`/usr/bin/pi`), pi-toolkit, pi-extensions, pi-fork (`fork`), pi-observational-memory (`recall`), the mempalace bridge, the LAN-access helper, entrypoints, and all base dev tooling. The pi-only variant is built `INSTALL_OPENCODE=false`, so the image does **not** contain opencode.
 - **Companion repos**: cloned to `/opt/` by the pi-only build; `entrypoint-user.sh` (inherited) deploys/registers them on container start.
 - **MemPalace**: fully operational — inherited from base; bridge extension deployed by entrypoint.
@@ -49,7 +49,7 @@ per version. Don't try to derive notes from the npm registry metadata
 - This repo no longer installs pi or clones companion repos — do **not** re-add that logic here. Change it in `opencode-devbox/Dockerfile.variant` (the single source of truth) instead.
 - The smoke test threshold is 2750 MB (tracks the pi-only variant) — update if the image legitimately grows past it.
 - The CI still resolves the tag's pi version, but only to feed `EXPECTED_PI_VERSION` to the smoke base-freshness guard — it is no longer passed as a build-arg (nothing in the Dockerfile consumes it).
-- To pin a specific base build instead of tracking `latest-pi-only`, override the `BASE_IMAGE` arg (a version tag or a digest).
+- To pin a specific base build instead of tracking `base-pi-only`, override the `BASE_IMAGE` arg (a `base-pi-only-vX.Y.Z` tag or a digest).
 
 ## Documentation drift sweep
 

CHANGELOG.md

@@ -8,15 +8,50 @@ Tags follow the pi npm version: `v{pi_version}[letter]` — bare tag for the fir
 
 ## Unreleased
 
+_(no changes since v0.78.0c)_
+
+## v0.78.0c — 2026-06-04
+
+### Fixed / Added (inherited from the base via `FROM`)
+
+LAN-access improvements made in opencode-devbox's `setup-lan-access.sh` (baked
+into the `base-pi-only` image, published by opencode-devbox v1.15.13d) flow
+through to pi-devbox automatically — no pi-devbox source change. Built `FROM`
+the rebuilt `joakimp/pi-devbox:base-pi-only` (digest `83b45335…`):
+
+- **Fixed:** the generated `~/.ssh-local/config` had `Include ~/.ssh/config`
+  scoped to the `host`/`mac` block, so `dssh <peer>` by name was ignored.
+- **Fixed:** read-only `~/.ssh/cm` ControlPath broke multiplexed hosts
+  (`pmx-jh`, `proxmox*`, …); master sockets now use the writable sidecar.
+- **Added:** host-owned `~/.config/devbox-shell/ssh-lan.conf` for named-peer
+  `ProxyJump host` overrides (Included before `~/.ssh/config`).
+- **Added:** `DEVBOX_LAN_AUTOJUMP_PRIVATE=1` — ProxyJump any RFC1918 IP through
+  the host for roaming laptops.
+
+## v0.78.0b — 2026-06-03
+
+Container-level rebuild on pi `0.78.0` (unchanged): re-brands the pi-only build
+as a thin `FROM joakimp/pi-devbox:base-pi-only`, inheriting fork/recall and
+host-OS-agnostic LAN access. Letter-suffix release (pi version unchanged).
+
 ### Changed: refactored to re-brand the opencode-devbox `pi-only` variant
 
 pi-devbox no longer installs pi itself. The `Dockerfile` is now a thin
-`FROM joakimp/opencode-devbox:latest-pi-only` (overridable via the `BASE_IMAGE`
+`FROM joakimp/pi-devbox:base-pi-only` (overridable via the `BASE_IMAGE`
 arg), inheriting pi + pi-toolkit + pi-extensions and all base tooling from the
 single source of truth. This eliminates the install-logic duplication that
 used to drift against `opencode-devbox/Dockerfile.variant`.
 
-The `pi-only` variant is built with `INSTALL_OPENCODE=false`, so this image
+The pi-only artifact is **built** by opencode-devbox's CI (from
+`opencode-devbox/Dockerfile.variant` with `INSTALL_OPENCODE=false`) but is
+**published into this repo** as the internal building-block tag
+`joakimp/pi-devbox:base-pi-only` (+ `base-pi-only-vX.Y.Z`, where `vX.Y.Z` is
+the opencode-devbox release version). This supersedes the brief approach of
+publishing it as `opencode-devbox:latest-pi-only` — an "opencode-devbox" tag
+with no opencode in it confused users. `base-pi-only` is internal; end users
+pull `joakimp/pi-devbox:latest` or a `vX.Y.Z` tag.
+
+The pi-only build uses `INSTALL_OPENCODE=false`, so this image
 stays lean and pi-focused — it does **not** carry opencode, and remains
 distinct from `opencode-devbox:latest-with-pi` (which has both).
 
@@ -31,7 +66,7 @@ distinct from `opencode-devbox:latest-with-pi` (which has both).
 
 ### Consequences / notes
 
-- **Publish ordering**: release opencode-devbox first so `latest-pi-only`
+- **Publish ordering**: release opencode-devbox first so `base-pi-only`
   carries the target pi version, *then* tag this repo. The smoke test asserts
   `pi --version` matches the tag and fails loudly if the base is stale.
 - CI no longer passes `PI_VERSION` as a build-arg (the Dockerfile installs

DOCKER_HUB.md

@@ -38,9 +38,12 @@ Full setup guide — authentication for each provider (Anthropic, OpenAI, Gemini
 
 ## What's inside
 
-pi-devbox is a re-brand of the **opencode-devbox `pi-only` variant** — it builds
+pi-devbox is a re-brand of the **pi-only build** — it builds
-`FROM joakimp/opencode-devbox:latest-pi-only` and adds no layers of its own.
+`FROM joakimp/pi-devbox:base-pi-only` and adds no layers of its own. That
-The pi-only variant is built `INSTALL_OPENCODE=false`, so this image is lean
+building-block tag is produced by opencode-devbox's CI (from
+`Dockerfile.variant` with `INSTALL_OPENCODE=false`) but published here, in the
+pi-devbox repo, so an opencode-devbox tag never ships without opencode.
+The pi-only build is lean
 and pi-focused (no opencode — use `opencode-devbox:latest-with-pi` if you want
 both).
 Everything below is inherited from that single source of truth.
@@ -68,7 +71,7 @@ The entrypoint deploys/registers all of these on first container start. Re-runni
 
 ## Versioning
 
-Tags follow the pi npm version: `v0.74.0`, `v0.75.0`, etc. `latest` always points at the most recent release. The pi binary is inherited from `opencode-devbox:latest-pi-only`, so each release follows an opencode-devbox release that bakes the target pi version.
+Tags follow the pi npm version: `v0.74.0`, `v0.75.0`, etc. `latest` always points at the most recent release. The pi binary is inherited from `joakimp/pi-devbox:base-pi-only`, so each release follows an opencode-devbox release that bakes the target pi version. (`base-pi-only` is an internal building-block tag — pull `latest` or a `vX.Y.Z` tag instead.)
 
 For container-level rebuilds on the same pi version (security updates, base bumps, fixes) the tag gets a letter suffix: `v0.74.0b`, `v0.74.0c`, …
 

Dockerfile

@@ -1,29 +1,34 @@
 # pi-devbox — pi coding-agent container
 #
-# As of 2026-06-03 this image is a thin re-brand of the opencode-devbox
+# As of 2026-06-03 this image is a thin re-brand of the "pi-only" build, which
-# "pi-only" variant, which is the SINGLE SOURCE OF TRUTH for the pi install
+# is the SINGLE SOURCE OF TRUTH for the pi install and its companion repos
-# and its companion repos (pi-toolkit, pi-extensions, pi-fork,
+# (pi-toolkit, pi-extensions, pi-fork, pi-observational-memory). That build is
-# pi-observational-memory). Previously pi-devbox/Dockerfile duplicated that
+# produced by opencode-devbox's CI (from opencode-devbox/Dockerfile.variant
-# install logic, which drifted from opencode-devbox/Dockerfile.variant; this
+# with INSTALL_OPENCODE=false), but is published as an INTERNAL building-block
-# refactor eliminates the duplication.
+# tag in THIS repo — joakimp/pi-devbox:base-pi-only — NOT under opencode-devbox.
+# Rationale: an "opencode-devbox" tag containing no opencode confuses
+# opencode-devbox users, so the pi-only artifact lives here instead.
+# Previously pi-devbox/Dockerfile duplicated the install logic, which drifted
+# from opencode-devbox/Dockerfile.variant; this refactor eliminates the dup.
 #
-# The "pi-only" variant is built with INSTALL_OPENCODE=false, so this image
+# The pi-only build uses INSTALL_OPENCODE=false, so this image does NOT contain
-# does NOT contain opencode — it stays a lean, pi-focused image, distinct
+# opencode — it stays a lean, pi-focused image, distinct from
-# from opencode-devbox:latest-with-pi (which carries both).
+# opencode-devbox:latest-with-pi (which carries both).
 #
-# Everything is inherited from the pi-only image:
+# Everything is inherited from the pi-only build:
 #   pi + pi-toolkit + pi-extensions + pi-fork (fork) + pi-observational-memory
 #   (recall), the mempalace bridge, the LAN-access helper, entrypoints, and
 #   all base dev tooling.
 #
-# NOTE on PUBLISH ORDERING: rebuild opencode-devbox (so `latest-pi-only`
+# NOTE on PUBLISH ORDERING: rebuild opencode-devbox (so `base-pi-only` carries
-# carries the target pi version) BEFORE tagging this repo. The smoke test
+# the target pi version) BEFORE tagging this repo. The smoke test asserts
-# asserts `pi --version` matches this repo's tag and fails loudly if the
+# `pi --version` matches this repo's tag and fails loudly if the base is stale
-# base is stale — turning the version coupling into an enforced ordering check.
+# — turning the version coupling into an enforced ordering check.
 #
-# Override BASE_IMAGE to pin a specific pi-only build (e.g. a version tag or a
+# base-pi-only is an internal building-block alias (existence-only, not for
-# digest) instead of tracking latest-pi-only.
+# end users — pull joakimp/pi-devbox:latest or a vX.Y.Z tag instead). Override
-ARG BASE_IMAGE=joakimp/opencode-devbox:latest-pi-only
+# BASE_IMAGE to pin a specific pi-only build (a version tag or a digest).
+ARG BASE_IMAGE=joakimp/pi-devbox:base-pi-only
 FROM ${BASE_IMAGE}
 
 # WORKDIR / ENTRYPOINT / CMD and all tooling inherited from the base.

README.md

@@ -9,10 +9,14 @@ A Docker container with [pi coding-agent](https://github.com/earendil-works/pi)
 
 ## What's inside
 
-pi-devbox is a re-brand of the **opencode-devbox `pi-only` variant** — it `FROM`s
+pi-devbox is a thin re-brand of the **`pi-only` build** — it `FROM`s
-`opencode-devbox:latest-pi-only` and adds no layers of its own. Everything below
+`joakimp/pi-devbox:base-pi-only` and adds no layers of its own. That base build
-is inherited from that single source of truth. The pi-only variant is built with
+is produced by opencode-devbox's CI (from `opencode-devbox/Dockerfile.variant`
-`INSTALL_OPENCODE=false`, so this image is lean and pi-focused — no opencode.
+with `INSTALL_OPENCODE=false`, the single source of truth for the pi install +
+companions) but is published **into this repo** as the internal building-block
+tag `base-pi-only` — *not* under opencode-devbox, so an "opencode-devbox" tag
+never ships without opencode. Everything below is inherited from that build,
+which is lean and pi-focused — no opencode.
 
 Base tooling:
 
@@ -23,7 +27,7 @@ Base tooling:
 - **Gitea MCP** server
 - **Dev tools**: neovim (LazyVim), tmux, bat, eza, fzf, zoxide, ripgrep, jq, git-lfs, make
 - **Shell**: bash with history tuning, prefix-search, fzf/zoxide integration
-- **Host-OS-agnostic LAN access** — on VM-backed hosts (macOS OrbStack / Docker Desktop) the entrypoint sets up the host as an SSH jump so you can reach LAN peers (`dssh` alias; `DEVBOX_LAN_ACCESS`/`HOST_SSH_USER` env). No-op on native Linux.
+- **Host-OS-agnostic LAN access** — on VM-backed hosts (macOS OrbStack / Docker Desktop) the entrypoint sets up the host as an SSH jump so you can reach LAN peers (`dssh` alias; `DEVBOX_LAN_ACCESS` / `HOST_SSH_USER` / `DEVBOX_LAN_AUTOJUMP_PRIVATE` env; host-owned `~/.config/devbox-shell/ssh-lan.conf` for named-peer jumps). No-op on native Linux.
 
 pi and companions:
 
@@ -198,6 +202,7 @@ All config flows through `.env`. The full list (with annotations) is in [`.env.e
 | `GITHUB_PERSONAL_ACCESS_TOKEN` | (unset) | GitHub MCP server / git ops over HTTPS |
 | `DEVBOX_LAN_ACCESS` | `auto` | LAN-access mode: `auto` (jump only on VM-backed hosts), `jump`, `off` |
 | `HOST_SSH_USER` | (unset) | Host username for the LAN SSH jump (see opencode-devbox README) |
+| `DEVBOX_LAN_AUTOJUMP_PRIVATE` | `0` | `1` = ProxyJump any private (RFC1918) IP through the host (roaming-friendly; see opencode-devbox README) |
 | `LANG` / `LANGUAGE` / `LC_ALL` | `en_US.UTF-8` | Locale override |
 
 ---
@@ -208,7 +213,7 @@ Tags follow the pi npm package version: `v0.74.0`, `v0.75.0`, … `latest` alway
 
 Container-level rebuilds on the same pi version (security updates, base bumps, fixes) get a letter suffix: `v0.74.0b`, `v0.74.0c`, …
 
-The pi binary is inherited from `opencode-devbox:latest-pi-only`, so a release of this image must be preceded by an opencode-devbox release that bakes the target pi version into `latest-pi-only`. The smoke test enforces this (it asserts `pi --version` matches the tag).
+The pi binary is inherited from `joakimp/pi-devbox:base-pi-only`, so a release of this image must be preceded by an opencode-devbox release that bakes the target pi version into `base-pi-only`. The smoke test enforces this (it asserts `pi --version` matches the tag).
 
 ---
 
@@ -221,9 +226,9 @@ the base. To pin a specific pi-only build or hack on it:
 git clone https://gitea.jordbo.se/joakimp/pi-devbox
 cd pi-devbox
 
-# Default tracks latest-pi-only; override BASE_IMAGE to pin a build:
+# Default tracks base-pi-only; override BASE_IMAGE to pin a build:
 docker compose build \
-  --build-arg BASE_IMAGE=joakimp/opencode-devbox:v1.15.13-pi-only
+  --build-arg BASE_IMAGE=joakimp/pi-devbox:base-pi-only-v1.15.13c
 
 docker compose up -d
 ```
@@ -236,7 +241,7 @@ Build args supported:
 
 | Arg | Default | Effect |
 |---|---|---|
-| `BASE_IMAGE` | `joakimp/opencode-devbox:latest-pi-only` | Parent image — set to a `:vX.Y.Z-pi-only` tag or a digest for reproducible builds |
+| `BASE_IMAGE` | `joakimp/pi-devbox:base-pi-only` | Parent image (internal building-block tag) — set to a `:base-pi-only-vX.Y.Z` tag or a digest for reproducible builds |
 
 ---
 

docker-compose.yml

@@ -17,8 +17,8 @@ services:
     # build:
     #   context: .
     #   args:
-    #     # Pin a specific pi-only build instead of tracking latest-pi-only:
+    #     # Pin a specific pi-only build instead of tracking base-pi-only:
-    #     BASE_IMAGE: "joakimp/opencode-devbox:v1.15.13-pi-only"
+    #     BASE_IMAGE: "joakimp/pi-devbox:base-pi-only-v1.15.13c"
     container_name: pi-devbox
     stdin_open: true
     tty: true