docs: complete CHANGELOG + promote Unreleased -> v0.78.1

Add the two missing doc entries (the ~/.config/devbox-shell compose mount,
3bfbafa; and DEVBOX_HOST_ALIAS in .env.example, 45f4488) and promote Unreleased
-> v0.78.1 (2026-06-04). v0.78.1 is a real pi version bump (0.78.0 -> 0.78.1);
builds FROM the republished base-pi-only carrying pi 0.78.1 from opencode-devbox
v1.15.13e. Docs only.

.env.example

@@ -12,9 +12,11 @@ SSH_KEY_PATH=~/.ssh
 # ── LAN access from the container (host-OS-agnostic) ─────────────────
 # On VM-backed hosts (macOS OrbStack / Docker Desktop) the container can't
 # reach the host's directly-attached LAN peers by default. The entrypoint
-# then sets up the host as an SSH jump (use the `dssh` alias, or add
-# `ProxyJump host` to targets in your bind-mounted ~/.ssh/config). On native
-# Linux Docker the LAN is reachable directly and this is a no-op.
+# then sets up the host as an SSH jump (use the `dssh` alias). Reach the host
+# with `dssh host`; for named LAN peers put `ProxyJump host` overrides in a
+# host-owned ~/.config/devbox-shell/ssh-lan.conf (bind-mounted in) rather than
+# editing ~/.ssh/config. On native Linux Docker the LAN is reachable directly
+# and this is a no-op.
 # See the opencode-devbox README for the full walkthrough.
 #
 # DEVBOX_LAN_ACCESS: auto (default) | jump | off
@@ -22,6 +24,11 @@ SSH_KEY_PATH=~/.ssh
 # HOST_SSH_USER: your username on the host (required for the jump). On first
 # start the entrypoint prints the public key to authorize on the host.
 # HOST_SSH_USER=
+# DEVBOX_HOST_ALIAS: host hostname to reach (default host.docker.internal).
+# DEVBOX_HOST_ALIAS=host.docker.internal
+# DEVBOX_LAN_AUTOJUMP_PRIVATE: 1 = ProxyJump any private (RFC1918) IP through
+# the host, so bare `dssh user@<ip>` works on whatever LAN you're roaming on.
+# DEVBOX_LAN_AUTOJUMP_PRIVATE=0
 
 # ── Git Configuration ────────────────────────────────────────────────
 GIT_USER_NAME=

CHANGELOG.md

@@ -8,7 +8,55 @@ Tags follow the pi npm version: `v{pi_version}[letter]` — bare tag for the fir
 
 ## Unreleased
 
-_(no changes since v0.78.0b)_
+_(no changes since v0.78.1)_
+
+## v0.78.1 — 2026-06-04
+
+First build on pi **`0.78.1`** (upstream `@earendil-works/pi-coding-agent` bump
+from `0.78.0`). Built `FROM` the freshly republished
+`joakimp/pi-devbox:base-pi-only` from opencode-devbox `v1.15.13e`, which carries
+pi `0.78.1` plus the LAN-jump key-persistence work and the `devbox-ssh-local`
+volume ownership fix. Adds compose/env documentation in this repo.
+
+### Added: persist the LAN-jump key + one-line authorize hint
+
+- **compose:** persist `~/.ssh-local` via a new `devbox-ssh-local` named volume
+  so the generated LAN-jump key survives `docker compose up --force-recreate`.
+  You authorize the key on the host **once per machine** instead of after every
+  container update.
+- **Inherited from base:** `setup-lan-access.sh` now prints a copy-paste
+  `echo '…' >> ~/.ssh/authorized_keys` line when it generates a new key
+  (published via opencode-devbox's `base-pi-only`). No helper file to locate.
+
+### Docs: document optional host-owned config in the compose + env templates
+
+- **compose:** added a commented-out `~/.config/devbox-shell` bind mount with a
+  note — the image's `~/.bash_aliases` sources
+  `~/.config/devbox-shell/bash_aliases` if present, and `setup-lan-access.sh`
+  reads `~/.config/devbox-shell/ssh-lan.conf` for named-peer `ProxyJump host`
+  overrides (reach LAN peers by name via `dssh <peer>`).
+- **.env.example:** documented `DEVBOX_HOST_ALIAS` (host hostname to reach,
+  default `host.docker.internal`) so getting-started is self-contained.
+
+Template/example comments only; no behavior change.
+
+## v0.78.0c — 2026-06-04
+
+### Fixed / Added (inherited from the base via `FROM`)
+
+LAN-access improvements made in opencode-devbox's `setup-lan-access.sh` (baked
+into the `base-pi-only` image, published by opencode-devbox v1.15.13d) flow
+through to pi-devbox automatically — no pi-devbox source change. Built `FROM`
+the rebuilt `joakimp/pi-devbox:base-pi-only` (digest `83b45335…`):
+
+- **Fixed:** the generated `~/.ssh-local/config` had `Include ~/.ssh/config`
+  scoped to the `host`/`mac` block, so `dssh <peer>` by name was ignored.
+- **Fixed:** read-only `~/.ssh/cm` ControlPath broke multiplexed hosts
+  (`pmx-jh`, `proxmox*`, …); master sockets now use the writable sidecar.
+- **Added:** host-owned `~/.config/devbox-shell/ssh-lan.conf` for named-peer
+  `ProxyJump host` overrides (Included before `~/.ssh/config`).
+- **Added:** `DEVBOX_LAN_AUTOJUMP_PRIVATE=1` — ProxyJump any RFC1918 IP through
+  the host for roaming laptops.
 
 ## v0.78.0b — 2026-06-03
 

README.md

@@ -27,7 +27,7 @@ Base tooling:
 - **Gitea MCP** server
 - **Dev tools**: neovim (LazyVim), tmux, bat, eza, fzf, zoxide, ripgrep, jq, git-lfs, make
 - **Shell**: bash with history tuning, prefix-search, fzf/zoxide integration
-- **Host-OS-agnostic LAN access** — on VM-backed hosts (macOS OrbStack / Docker Desktop) the entrypoint sets up the host as an SSH jump so you can reach LAN peers (`dssh` alias; `DEVBOX_LAN_ACCESS`/`HOST_SSH_USER` env). No-op on native Linux.
+- **Host-OS-agnostic LAN access** — on VM-backed hosts (macOS OrbStack / Docker Desktop) the entrypoint sets up the host as an SSH jump so you can reach LAN peers (`dssh` alias; `DEVBOX_LAN_ACCESS` / `HOST_SSH_USER` / `DEVBOX_LAN_AUTOJUMP_PRIVATE` env; host-owned `~/.config/devbox-shell/ssh-lan.conf` for named-peer jumps). No-op on native Linux.
 
 pi and companions:
 
@@ -159,6 +159,7 @@ Persistent state is what makes the difference between "use this once" and "make
 | Volume | Mount point | What survives | Notes |
 |---|---|---|---|
 | `devbox-pi-config` | `/home/developer/.pi/` | pi settings.json, extension toggles, sessions, user-installed pi packages | `NPM_CONFIG_PREFIX` set inside the container so `pi install npm:…` and `npm install -g` lands here automatically |
+| `devbox-ssh-local` | `/home/developer/.ssh-local` | generated LAN-jump keypair + known_hosts | Authorize the jump key on the host **once per machine**; persisting it avoids re-authorizing after every update (see opencode-devbox README → *Reaching your LAN*) |
 | `devbox-shell-history` | `/home/developer/.cache/bash` | bash history | Across container recreate |
 | `devbox-zoxide` | `/home/developer/.local/share/zoxide` | zoxide directory jump history | The `z`/`zi` shortcuts remember where you've been |
 | `devbox-nvim-data` | `/home/developer/.local/share/nvim` | neovim plugin & Mason package state | LazyVim plugins persist |
@@ -202,6 +203,7 @@ All config flows through `.env`. The full list (with annotations) is in [`.env.e
 | `GITHUB_PERSONAL_ACCESS_TOKEN` | (unset) | GitHub MCP server / git ops over HTTPS |
 | `DEVBOX_LAN_ACCESS` | `auto` | LAN-access mode: `auto` (jump only on VM-backed hosts), `jump`, `off` |
 | `HOST_SSH_USER` | (unset) | Host username for the LAN SSH jump (see opencode-devbox README) |
+| `DEVBOX_LAN_AUTOJUMP_PRIVATE` | `0` | `1` = ProxyJump any private (RFC1918) IP through the host (roaming-friendly; see opencode-devbox README) |
 | `LANG` / `LANGUAGE` / `LC_ALL` | `en_US.UTF-8` | Locale override |
 
 ---

docker-compose.yml

@@ -36,12 +36,25 @@ services:
       # SSH keys (read-only) — for git push/pull
       - ${SSH_KEY_PATH:-~/.ssh}:/home/developer/.ssh:ro
 
+      # Optional: host-owned shell config + LAN jump overrides. The image's
+      # ~/.bash_aliases sources ~/.config/devbox-shell/bash_aliases if present,
+      # and setup-lan-access.sh reads ~/.config/devbox-shell/ssh-lan.conf for
+      # named-peer `ProxyJump host` overrides (reach LAN peers by name via
+      # `dssh <peer>`; see opencode-devbox's ssh-lan.conf.example).
+      # - ~/.config/devbox-shell:/home/developer/.config/devbox-shell:ro
+
       # Optional: mount skillset repo for automatic skill/instruction deployment.
       # - ${SKILLSET_PATH}:/home/developer/skillset
 
       # Persist pi config (settings.json, extensions, sessions, auth)
       - devbox-pi-config:/home/developer/.pi
 
+      # Persist the generated LAN-jump keypair (~/.ssh-local) across recreates.
+      # setup-lan-access.sh generates this key once and reuses it; persisting
+      # it means you authorize it on the host ONCE rather than re-authorizing
+      # after every `docker compose up --force-recreate`.
+      - devbox-ssh-local:/home/developer/.ssh-local
+
       # Persist bash history across container recreations
       - devbox-shell-history:/home/developer/.cache/bash
 
@@ -65,6 +78,7 @@ services:
 
 volumes:
   devbox-pi-config:
+  devbox-ssh-local:
   devbox-shell-history:
   devbox-zoxide:
   devbox-nvim-data: