Cut v0.76.0 — pi 0.76.0 + inherit SSH-CM/gitleaks from base-latest

pi 0.75.5 → 0.76.0 (published upstream 2026-05-27 20:03 UTC). First
pi-devbox release built against opencode-devbox base-latest carrying the
SSH ControlMaster bake-in (commit 668592d) and gitleaks (73a7f96) — both
inherited transparently with no Dockerfile change here. PI_VERSION is
resolved from the git tag by the workflow (v0.75.5b cache-hit fix), so
no Dockerfile default bump needed.

Workflow change: registry cache-export removed from publish step. buildkit
mode=max cache-export to registry-1.docker.io reproducibly returns HTTP 400
(Hub-CDN protocol mismatch with buildx 0.34.x, surfaced ~2026-05-23).
Diagnosed during opencode-devbox v1.15.12 manual publish: image push works,
only --cache-to fails. Pi-devbox would hit the same regression on the next
tag push without this fix. See opencode-devbox CHANGELOG v1.15.12 for the
full root-cause analysis. Pi-devbox is single-stage with a tiny diff (npm
install pi only) on top of base-latest, so builds are fast even uncached.

.gitea/workflows/docker-publish.yml

@@ -33,6 +33,23 @@ jobs:
       - uses: docker/setup-buildx-action@v4
         with: {driver-opts: network=host}
 
+      # Derive PI_VERSION from the tag (e.g. v0.75.5 -> 0.75.5; v0.75.5b -> 0.75.5).
+      # MUST be passed as a build-arg so Docker's layer cache invalidates when pi
+      # is bumped. Without this, the bare `npm install -g <pkg>` in the Dockerfile
+      # produces an identical layer-hash across builds and the registry buildcache
+      # silently reuses the layer from whatever pi version was current when the
+      # cache was first populated. Discovered 2026-05-23 — every pi-devbox release
+      # since v0.74.0 had been shipping the same image bytes (manifest digests
+      # identical across v0.74.0..v0.75.5 on both arches).
+      - name: Resolve PI_VERSION from tag
+        id: resolve
+        run: |
+          TAG="${{ github.ref_name }}"
+          PI_VERSION="${TAG#v}"
+          PI_VERSION=$(echo "$PI_VERSION" | sed 's/[a-z]*$//')
+          echo "pi_version=${PI_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Resolved PI_VERSION=${PI_VERSION} from tag ${TAG}"
+
       - name: Build (amd64, load to local daemon)
         uses: docker/build-push-action@v7
         with:
@@ -41,8 +58,12 @@ jobs:
           push: false
           load: true
           tags: pi-devbox:smoke
+          build-args: |
+            PI_VERSION=${{ steps.resolve.outputs.pi_version }}
 
       - name: Smoke test
+        env:
+          EXPECTED_PI_VERSION: ${{ steps.resolve.outputs.pi_version }}
         run: bash scripts/smoke-test.sh pi-devbox:smoke
 
   publish:
@@ -81,6 +102,16 @@ jobs:
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
+      # See the smoke job for why this is required (cache-hit silent regression).
+      - name: Resolve PI_VERSION from tag
+        id: resolve
+        run: |
+          TAG="${{ github.ref_name }}"
+          PI_VERSION="${TAG#v}"
+          PI_VERSION=$(echo "$PI_VERSION" | sed 's/[a-z]*$//')
+          echo "pi_version=${PI_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Resolved PI_VERSION=${PI_VERSION} from tag ${TAG}"
+
       - name: Build and push (amd64 + arm64)
         uses: docker/build-push-action@v7
         with:
@@ -88,8 +119,17 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.tags.outputs.tags }}
-          cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
-          cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
+          build-args: |
+            PI_VERSION=${{ steps.resolve.outputs.pi_version }}
+          # Registry cache disabled: buildkit's mode=max cache-export to
+          # registry-1.docker.io reproducibly returns HTTP 400 on resumable-
+          # upload PUT (Hub-CDN protocol mismatch with buildx 0.34.x, surfaced
+          # ~2026-05-23). Diagnosed during opencode-devbox v1.15.12 manual
+          # publish: image push works fine, only --cache-to fails. See
+          # opencode-devbox CHANGELOG v1.15.12 Unreleased section for full
+          # root-cause analysis. Re-enable when buildkit upstream resolves.
+          # Single-stage Dockerfile + tiny diff (npm install pi only) means
+          # build is fast even without cache (~30-60s).
 
   update-description:
     needs: publish

AGENTS.md

@@ -23,6 +23,19 @@ Container image that adds pi coding-agent on top of the opencode-devbox base ima
 3. Add fresh `## Unreleased` section
 4. Commit, tag `vX.Y.Z`, push tag → CI fires automatically
 
+When drafting CHANGELOG entries, pull pi's release notes from the
+`CHANGELOG.md` shipped inside the npm tarball:
+
+```bash
+cd /tmp && npm pack @earendil-works/pi-coding-agent@<version>
+tar -xzf earendil-works-pi-coding-agent-<version>.tgz package/CHANGELOG.md
+head -40 package/CHANGELOG.md
+```
+
+Pi's CHANGELOG has rich New Features / Added / Changed / Fixed sections
+per version. Don't try to derive notes from the npm registry metadata
+(`npm view`) — it doesn't include the changelog body.
+
 ## Key facts
 
 - **Base image**: `joakimp/opencode-devbox:base-latest` — rebuilt whenever opencode-devbox cuts a new base
@@ -35,6 +48,7 @@ Container image that adds pi coding-agent on top of the opencode-devbox base ima
 - Do NOT call `mempalace-toolkit/install.sh` in the Dockerfile — the base entrypoint handles it
 - `NPM_CONFIG_PREFIX=/usr` must be set per-RUN for any build-time `npm install -g` to keep baked binaries off the volume-shadowed path
 - The smoke test threshold is 2200 MB — update if the image legitimately grows past it
+- **PI_VERSION must be passed explicitly by CI as a concrete version** (derived from the git tag), not left as the `latest` default. The Dockerfile's bare `npm install -g @earendil-works/pi-coding-agent` (without `@${PI_VERSION}`) produces an identical layer-hash across builds; combined with registry buildcache (`cache-from`/`cache-to`) the layer gets reused even when `latest` would have resolved to a newer pi version. **All releases v0.74.0 → v0.75.5 silently shipped the same image bytes** because of this (verified via `docker manifest inspect` — identical digests across both arches and all four tags). Fixed in v0.75.5b: workflow now derives `PI_VERSION` from `${{ github.ref_name }}` and passes it as a build-arg; smoke-test asserts the resulting `pi --version` matches via `EXPECTED_PI_VERSION` env var. Same latent bug exists in opencode-devbox's `with-pi` variants but is masked there because `OPENCODE_VERSION` bumps invalidate downstream layers — will only manifest when cutting a `vN.N.Nb`-style opencode-version-unchanged release that only bumps pi.
 
 ## Documentation drift sweep
 

CHANGELOG.md

@@ -8,6 +8,66 @@ Tags follow the pi npm version: `v{pi_version}[letter]` — bare tag for the fir
 
 ## Unreleased
 
+_(no changes since v0.76.0)_
+
+## v0.76.0 — 2026-05-28
+
+pi `0.75.5` → `0.76.0` bump (first minor-version release on pi 0.76 line, published upstream 2026-05-27 20:03 UTC). Built against a fresh `joakimp/opencode-devbox:base-latest` which now bakes in SSH ControlMaster on a writable socket path, plus gitleaks and git-crypt — see the inherited-from-base notes below for details on each.
+
+### Bumped: pi 0.75.5 → 0.76.0
+
+Notable upstream changes (from pi's CHANGELOG):
+
+- **Explicit session IDs for automation** — `--session-id <id>` lets scripts create or resume an exact project-local session.
+- **RPC bash output can stay out of model context** — RPC clients can pass `excludeFromContext` to `bash` for commands whose output should not be sent with the next prompt.
+- **More predictable provider retries and timeouts** — Codex WebSocket/SSE waits are bounded; `retry.provider.maxRetries` controls provider retries instead of hidden SDK defaults; SDK retries default to 0; quota/billing 429s are no longer retried behind Pi's retry handling.
+- **Better terminal editing across environments** — Apple Terminal Shift+Enter detection on macOS, Windows Terminal OSC 8 hyperlink support, JetBrains truecolor with disabled OSC 8, Unicode-aware word navigation and deletion.
+- **Bugfixes** — `pi update` bypasses npm/pnpm/Bun minimum-release-age gates; user-authored ordered-list markers preserved in transcripts; image attachment token estimates aligned with tool-result images; Codex Responses cache-affinity header fixed (`session-id` not `session_id`); OpenRouter/Poolside context-overflow detection; managed npm extension updates avoid peer-dependency conflicts; RpcClient handles unexpected child exits cleanly.
+
+Workflow continues to derive `PI_VERSION` from the git tag (`v0.76.0` → `0.76.0`) and pass it as a build-arg, per the v0.75.5b cache-hit fix; smoke test asserts `pi --version` matches.
+
+### Workflow change: registry cache-export disabled
+
+- **`.gitea/workflows/docker-publish.yml`** — `cache-from`/`cache-to` removed from the `publish` step. buildkit's `mode=max` cache-export to `registry-1.docker.io` reproducibly returns HTTP 400 on the resumable-upload PUT, surfacing ~2026-05-23. Diagnosed during opencode-devbox v1.15.12's manual host-side publish: image push works fine, only `--cache-to` fails. See opencode-devbox CHANGELOG v1.15.12 `Unreleased` for the full root-cause analysis. The pi-devbox Dockerfile is single-stage with a tiny diff (npm install pi only) on top of `base-latest`, so builds are fast even without cache (~30-60s expected).
+
+### Inherited from opencode-devbox base: SSH ControlMaster on a writable socket path
+
+No Dockerfile change here — just a note that this release picks up the system-wide SSH ControlMaster default (`/etc/ssh/ssh_config.d/00-devbox-controlmaster.conf` → `ControlPath /tmp/sshcm/%r@%h:%p`, `ControlMaster auto`, `ControlPersist 10m`). This unblocks `ssh` and `pi --ssh user@host` from inside the container when `~/.ssh` is bind-mounted read-only from the host (the standard pi-devbox compose layout) — previously, OpenSSH's default `ControlPath` under `~/.ssh/cm/` was unwritable, so multiplexing failed with `unix_listener: cannot bind ... Read-only file system` and ssh fell back to fresh TCP connections, which on residential CGNAT manifested as banner-exchange timeouts. The fix is purely additive (per-container `/tmp/sshcm` dir, mode 700, created by entrypoint) and user `~/.ssh/config` per-host overrides still win because Debian's stock `ssh_config` sources `ssh_config.d/*.conf` before its own `Host *` block. See opencode-devbox CHANGELOG `v1.15.12` for the base-side details.
+
+### Inherited from opencode-devbox base: gitleaks + git-crypt
+
+No Dockerfile change here — just a note that this release includes `gitleaks` (newly added to the base) and `git-crypt` (was always installed via apt; just wasn't called out). Both are useful inside the container for repos that use a gitleaks pre-commit hook or git-crypt-encrypted canonical config and don't want host-side dependencies. See opencode-devbox CHANGELOG `v1.15.12` for the base-side details.
+
+## v0.75.5b — 2026-05-23
+
+Recovery release fixing a **silent cache-hit regression** discovered in the v0.75.5 image. All four releases v0.74.0 through v0.75.5 had been shipping the same image bytes because the Dockerfile's `npm install -g @earendil-works/pi-coding-agent` (bare, when `PI_VERSION=latest`) produces an identical layer-hash across builds. Combined with the registry buildcache, Docker reused the layer from whatever pi version was current when the cache was first populated.
+
+Verification: `docker manifest inspect joakimp/pi-devbox:vX.Y.Z` showed identical SHA256 digests on both `linux/amd64` and `linux/arm64` for v0.74.0, v0.75.3, v0.75.4, v0.75.5. Users on `:latest` were getting whatever pi version was baked into the v0.74.0 build (probably 0.74.0 itself).
+
+- **Workflow fix:** Both `smoke` and `publish` jobs now derive `PI_VERSION` from `github.ref_name` (e.g. `v0.75.5b` → `0.75.5`) and pass it as a build-arg. The Dockerfile's existing `if PI_VERSION=latest` branch never fires in CI now — always takes the `@${PI_VERSION}` branch — so the layer-hash includes the version and cache invalidates correctly.
+- **Smoke test:** New `run_expect` helper asserts `pi --version` output contains `EXPECTED_PI_VERSION` (passed from the resolve step). Would have caught this regression on v0.75.3 if it had existed.
+- **Dockerfile:** Comment added above `ARG PI_VERSION=latest` documenting the cache-hit footgun and pointing at the workflow's resolve step + AGENTS.md gotcha.
+- **AGENTS.md:** New convention bullet explaining the cache-hit class of bug and noting the latent same-bug in opencode-devbox's `with-pi` variants (currently masked by OPENCODE_VERSION bumps).
+
+No image-side changes vs v0.75.5 *intent* — this build will produce the actual pi 0.75.5 image content that v0.75.5 was supposed to ship.
+
+## v0.75.5 — 2026-05-23
+
+pi `0.75.4` → `0.75.5` bump (one upstream patch release, two days after v0.75.4).
+
+Notable upstream changes (from pi's CHANGELOG):
+
+- Cleaner read tool output (collapsed cards show only the read line; Ctrl+O expands).
+- Faster file tools on Windows (async fs ops during streaming, image resize off the main TUI thread).
+- More reliable package updates (`pi update` reconciles git-pinned refs without losing settings).
+- Custom Anthropic-compatible adaptive thinking via `compat.forceAdaptiveThinking`.
+- Several bash/read tool card display fixes; macOS Bun clipboard sidecar resolution; per-session OpenCode-Zen routing headers; Amazon Bedrock token cap fix.
+
+Plus a new pi 0.74.2 rescue release advising Node 20 users to upgrade Node before going to newer Pi versions — the devbox base image runs newer Node so this doesn't affect us, but worth noting for users running pi outside the devbox.
+
+- **Bump:** pi `@earendil-works/pi-coding-agent@0.75.5` baked at `/usr/bin/pi` (via `PI_VERSION=latest` resolving to 0.75.5 at build time — no Dockerfile change needed).
+- No image-side changes from v0.75.4 beyond the pi npm version. Built on `joakimp/opencode-devbox:base-latest` which itself is unchanged (cache-hit on `base-35ee5fe7861a` since v1.14.50b).
+
 ## v0.75.4 — 2026-05-21
 
 pi `0.75.3` → `0.75.4` bump (one upstream patch release). Plus the AGENTS.md documentation-drift sweep clause that landed on `main` between v0.75.3 and now.

Dockerfile

@@ -2,7 +2,8 @@
 #
 # Builds on top of the opencode-devbox base image, which provides:
 #   Debian trixie, Node.js, AWS CLI, mempalace + MCP server, gitea-mcp,
-#   dev tools (neovim, tmux, bat, eza, fzf, zoxide, ripgrep, uv, rustup),
+#   dev tools (neovim, tmux, bat, eza, fzf, zoxide, ripgrep, uv, rustup,
+#   git-crypt, gitleaks),
 #   user setup (developer/gosu), entrypoints, chromadb prewarm.
 #
 # This image adds only pi itself and its companion repos.
@@ -16,6 +17,13 @@
 ARG BASE_IMAGE=joakimp/opencode-devbox:base-latest
 FROM ${BASE_IMAGE}
 
+# PI_VERSION should be passed explicitly by CI as a concrete version
+# (e.g. PI_VERSION=0.75.5, derived from the git tag). The default `latest`
+# is for local dev convenience only — it has a known cache-hit footgun
+# when used in registry-cached CI builds. See .gitea/workflows/docker-
+# publish.yml § "Resolve PI_VERSION from tag" and AGENTS.md gotcha for
+# the full story (silent same-bytes-across-releases regression discovered
+# 2026-05-23 affecting all builds v0.74.0..v0.75.5).
 ARG PI_VERSION=latest
 ARG PI_TOOLKIT_REF=main
 ARG PI_EXTENSIONS_REF=main

scripts/smoke-test.sh

@@ -28,12 +28,33 @@ run() {
   fi
 }
 
+# Stricter version of `run` that also asserts an expected substring in stdout.
+# Used for catching the "image bytes silently identical to previous release"
+# class of regression (Docker layer cache hit on `npm install -g <pkg>` because
+# the bare command string is identical across builds, even when `latest` would
+# resolve differently). Discovered 2026-05-23 — every pi-devbox release v0.74.0
+# through v0.75.5 had been shipping the same image bytes.
+run_expect() {
+  local label="$1"; local cmd="$2"; local expect="$3"
+  local out
+  out=$(docker run --rm --entrypoint="" "$IMAGE" sh -c "$cmd" 2>&1) || true
+  if echo "$out" | grep -Fq "$expect"; then
+    printf "  ✅  %s (got %s)\n" "$label" "$expect"; PASS=$((PASS+1))
+  else
+    printf "  ❌  %s — expected substring %q, got: %s\n" "$label" "$expect" "$out"; FAIL=$((FAIL+1))
+  fi
+}
+
 echo "=== pi-devbox smoke test: $IMAGE ==="
 echo ""
 
 # ── Basic binary checks ───────────────────────────────────────────────
 echo "── Binaries ──"
-run "pi"              "pi --version"
+if [ -n "${EXPECTED_PI_VERSION:-}" ]; then
+  run_expect "pi version matches build arg" "pi --version" "$EXPECTED_PI_VERSION"
+else
+  run "pi"              "pi --version"
+fi
 run "node"            "node --version"
 run "git"             "git --version"
 run "aws"             "aws --version"