pi-devbox/CHANGELOG.md

Changelog

All notable changes to the pi-devbox container image.

Tags follow the pi npm version: v{pi_version}[letter] — bare tag for the first build on a new pi release, letter suffix (b, c, …) for container-level rebuilds on the same version.

---

Unreleased

Changed: refactored to re-brand the opencode-devbox pi-only variant

pi-devbox no longer installs pi itself. The Dockerfile is now a thin FROM joakimp/pi-devbox:base-pi-only (overridable via the BASE_IMAGE arg), inheriting pi + pi-toolkit + pi-extensions and all base tooling from the single source of truth. This eliminates the install-logic duplication that used to drift against opencode-devbox/Dockerfile.variant.

The pi-only artifact is built by opencode-devbox's CI (from opencode-devbox/Dockerfile.variant with INSTALL_OPENCODE=false) but is published into this repo as the internal building-block tag joakimp/pi-devbox:base-pi-only (+ base-pi-only-vX.Y.Z, where vX.Y.Z is the opencode-devbox release version). This supersedes the brief approach of publishing it as opencode-devbox:latest-pi-only — an "opencode-devbox" tag with no opencode in it confused users. base-pi-only is internal; end users pull joakimp/pi-devbox:latest or a vX.Y.Z tag.

The pi-only build uses INSTALL_OPENCODE=false, so this image stays lean and pi-focused — it does not carry opencode, and remains distinct from opencode-devbox:latest-with-pi (which has both).

Added (inherited from the pi-only variant)

• fork tool (pi-fork) and recall tool (pi-observational-memory), baked into /opt with node_modules and registered at runtime.
• Host-OS-agnostic LAN access: on VM-backed hosts (macOS OrbStack / Docker Desktop) the entrypoint sets up the host as an SSH jump to reach LAN peers (dssh alias; DEVBOX_LAN_ACCESS / HOST_SSH_USER env). No-op on native Linux. See the opencode-devbox README for details.

Consequences / notes

• Publish ordering: release opencode-devbox first so base-pi-only carries the target pi version, then tag this repo. The smoke test asserts pi --version matches the tag and fails loudly if the base is stale.
• CI no longer passes PI_VERSION as a build-arg (the Dockerfile installs nothing); it still resolves the tag version to feed the smoke base-freshness guard. Smoke size threshold 2200 → 2750 MB (now tracks the pi-only variant).

pi version unchanged at 0.78.0 (still latest).

v0.78.0 — 2026-05-29

pi 0.77.0 → 0.78.0 bump (first container build on the pi 0.78 line, published upstream 2026-05-29). Built against joakimp/opencode-devbox:base-latest (unchanged from the v0.77.0 build).

Bumped: pi 0.77.0 → 0.78.0

New Features

• Named startup sessions — --name / -n sets the session display name before startup across interactive, print, JSON, and RPC modes.
• Clickable file tool paths — built-in file tool titles render OSC 8 file:// hyperlinks when the terminal supports them, including supported tmux clients.

Added

• Exported convertToPng for extension authors.
• Exported parseArgs and type Args for extension authors.
• Added a resume command hint when exiting interactive sessions.
• Added custom Amazon Bedrock request header support.

Fixed

• Fixed early interactive input typed before the prompt loop starts so it is buffered instead of dropped.
• Fixed OpenRouter Moonshot Kimi K2.6 requests to use system instead of unsupported developer messages.
• Fixed OSC 8 hyperlinks to pass through tmux when the client supports them.
• Fixed ANSI text wrapping to avoid stack overflows on very long wrapped lines.
• Fixed OpenAI Codex Responses SSE streams to abort response body reads after terminal events.

v0.77.0 — 2026-05-29

pi 0.76.0 → 0.77.0 bump (first container build on the pi 0.77 line, published upstream 2026-05-28). Built against joakimp/opencode-devbox:base-latest (unchanged from the v0.76.0 build — same SSH-CM, gitleaks, git-crypt baked in).

Bumped: pi 0.76.0 → 0.77.0

Notable upstream changes (from pi's CHANGELOG):

• Claude Opus 4.8 support — Anthropic Opus 4.8 model metadata + adaptive-thinking coverage updated.
• Selective tool disablement — --exclude-tools / -xt disables specific built-in, extension, or custom tools while leaving the rest available.
• Headless Codex subscription login — /login can use device-code auth for ChatGPT Plus/Pro Codex subscriptions; browser login remains the default.
• Streaming-aware extension input — InputEvent.streamingBehavior lets extensions distinguish idle prompts from mid-stream steers and queued follow-ups.
• Bugfixes — startup timing output excludes createAgentSessionRuntime work; OpenRouter DeepSeek V4 xhigh reasoning preserves OpenRouter's native effort; SIGTERM/SIGHUP exits run extension session_shutdown cleanup; keyboard protocol negotiation ignores delayed terminal responses (no false Kitty detection); Windows MSYS2 ucrt64 startup crash fixed via napi-rs 3.x clipboard addon; API-key/header config resolution treats plain strings as literals with $ENV_VAR / ${ENV_VAR} interpolation and $! escaping; session disposal aborts in-flight agent/compaction/branch-summary/retry/bash work; pi.getAllTools() exposes per-tool promptGuidelines; OpenAI Codex Responses replay after switching from Anthropic extended-thinking sessions; Anthropic-compatible replay supports allowEmptySignature for providers returning empty thinking signatures; OpenAI/OpenRouter GPT-5.5 Pro thinking levels limited to supported efforts; OpenCode Go Kimi K2.6 thinking-off requests; Xiaomi Token Plan model metadata cleaned of unsupported variants; follow-up messages queued by agent_end extension handlers drain before idle; system prompt tool-selection guidance avoids unavailable file-exploration tools; fenced diff highlighting restored.

Workflow continues to derive PI_VERSION from the git tag (v0.77.0 → 0.77.0) and pass it as a build-arg per the v0.75.5b cache-hit fix; smoke test asserts pi --version matches.

Inheritance from base

No base change in joakimp/opencode-devbox:base-latest since v0.76.0 — the v1.15.12 opencode-devbox release also reused the unchanged base. SSH ControlMaster on a writable socket path, gitleaks, and git-crypt continue to ride along from the base.

CI

This is the second pi-devbox release exercising the cache-export-disabled workflow (after v0.76.0's clean publish on run #340) and the first to also exercise the 3-attempt retry wrapper added in 2d39766 along the publish path.

v0.76.0 — 2026-05-28

pi 0.75.5 → 0.76.0 bump (first minor-version release on pi 0.76 line, published upstream 2026-05-27 20:03 UTC). Built against a fresh joakimp/opencode-devbox:base-latest which now bakes in SSH ControlMaster on a writable socket path, plus gitleaks and git-crypt — see the inherited-from-base notes below for details on each.

Bumped: pi 0.75.5 → 0.76.0

Notable upstream changes (from pi's CHANGELOG):

• Explicit session IDs for automation — --session-id <id> lets scripts create or resume an exact project-local session.
• RPC bash output can stay out of model context — RPC clients can pass excludeFromContext to bash for commands whose output should not be sent with the next prompt.
• More predictable provider retries and timeouts — Codex WebSocket/SSE waits are bounded; retry.provider.maxRetries controls provider retries instead of hidden SDK defaults; SDK retries default to 0; quota/billing 429s are no longer retried behind Pi's retry handling.
• Better terminal editing across environments — Apple Terminal Shift+Enter detection on macOS, Windows Terminal OSC 8 hyperlink support, JetBrains truecolor with disabled OSC 8, Unicode-aware word navigation and deletion.
• Bugfixes — pi update bypasses npm/pnpm/Bun minimum-release-age gates; user-authored ordered-list markers preserved in transcripts; image attachment token estimates aligned with tool-result images; Codex Responses cache-affinity header fixed (session-id not session_id); OpenRouter/Poolside context-overflow detection; managed npm extension updates avoid peer-dependency conflicts; RpcClient handles unexpected child exits cleanly.

Workflow continues to derive PI_VERSION from the git tag (v0.76.0 → 0.76.0) and pass it as a build-arg, per the v0.75.5b cache-hit fix; smoke test asserts pi --version matches.

Workflow change: registry cache-export disabled

• .gitea/workflows/docker-publish.yml — cache-from/cache-to removed from the publish step. buildkit's mode=max cache-export to registry-1.docker.io reproducibly returns HTTP 400 on the resumable-upload PUT, surfacing ~2026-05-23. Diagnosed during opencode-devbox v1.15.12's manual host-side publish: image push works fine, only --cache-to fails. See opencode-devbox CHANGELOG v1.15.12 Unreleased for the full root-cause analysis. The pi-devbox Dockerfile is single-stage with a tiny diff (npm install pi only) on top of base-latest, so builds are fast even without cache (~30-60s expected).

Inherited from opencode-devbox base: SSH ControlMaster on a writable socket path

No Dockerfile change here — just a note that this release picks up the system-wide SSH ControlMaster default (/etc/ssh/ssh_config.d/00-devbox-controlmaster.conf → ControlPath /tmp/sshcm/%r@%h:%p, ControlMaster auto, ControlPersist 10m). This unblocks ssh and pi --ssh user@host from inside the container when ~/.ssh is bind-mounted read-only from the host (the standard pi-devbox compose layout) — previously, OpenSSH's default ControlPath under ~/.ssh/cm/ was unwritable, so multiplexing failed with unix_listener: cannot bind ... Read-only file system and ssh fell back to fresh TCP connections, which on residential CGNAT manifested as banner-exchange timeouts. The fix is purely additive (per-container /tmp/sshcm dir, mode 700, created by entrypoint) and user ~/.ssh/config per-host overrides still win because Debian's stock ssh_config sources ssh_config.d/*.conf before its own Host * block. See opencode-devbox CHANGELOG v1.15.12 for the base-side details.

Inherited from opencode-devbox base: gitleaks + git-crypt

No Dockerfile change here — just a note that this release includes gitleaks (newly added to the base) and git-crypt (was always installed via apt; just wasn't called out). Both are useful inside the container for repos that use a gitleaks pre-commit hook or git-crypt-encrypted canonical config and don't want host-side dependencies. See opencode-devbox CHANGELOG v1.15.12 for the base-side details.

v0.75.5b — 2026-05-23

Recovery release fixing a silent cache-hit regression discovered in the v0.75.5 image. All four releases v0.74.0 through v0.75.5 had been shipping the same image bytes because the Dockerfile's npm install -g @earendil-works/pi-coding-agent (bare, when PI_VERSION=latest) produces an identical layer-hash across builds. Combined with the registry buildcache, Docker reused the layer from whatever pi version was current when the cache was first populated.

Verification: docker manifest inspect joakimp/pi-devbox:vX.Y.Z showed identical SHA256 digests on both linux/amd64 and linux/arm64 for v0.74.0, v0.75.3, v0.75.4, v0.75.5. Users on :latest were getting whatever pi version was baked into the v0.74.0 build (probably 0.74.0 itself).

• Workflow fix: Both smoke and publish jobs now derive PI_VERSION from github.ref_name (e.g. v0.75.5b → 0.75.5) and pass it as a build-arg. The Dockerfile's existing if PI_VERSION=latest branch never fires in CI now — always takes the @${PI_VERSION} branch — so the layer-hash includes the version and cache invalidates correctly.
• Smoke test: New run_expect helper asserts pi --version output contains EXPECTED_PI_VERSION (passed from the resolve step). Would have caught this regression on v0.75.3 if it had existed.
• Dockerfile: Comment added above ARG PI_VERSION=latest documenting the cache-hit footgun and pointing at the workflow's resolve step + AGENTS.md gotcha.
• AGENTS.md: New convention bullet explaining the cache-hit class of bug and noting the latent same-bug in opencode-devbox's with-pi variants (currently masked by OPENCODE_VERSION bumps).

No image-side changes vs v0.75.5 intent — this build will produce the actual pi 0.75.5 image content that v0.75.5 was supposed to ship.

v0.75.5 — 2026-05-23

pi 0.75.4 → 0.75.5 bump (one upstream patch release, two days after v0.75.4).

Notable upstream changes (from pi's CHANGELOG):

• Cleaner read tool output (collapsed cards show only the read line; Ctrl+O expands).
• Faster file tools on Windows (async fs ops during streaming, image resize off the main TUI thread).
• More reliable package updates (pi update reconciles git-pinned refs without losing settings).
• Custom Anthropic-compatible adaptive thinking via compat.forceAdaptiveThinking.
• Several bash/read tool card display fixes; macOS Bun clipboard sidecar resolution; per-session OpenCode-Zen routing headers; Amazon Bedrock token cap fix.

Plus a new pi 0.74.2 rescue release advising Node 20 users to upgrade Node before going to newer Pi versions — the devbox base image runs newer Node so this doesn't affect us, but worth noting for users running pi outside the devbox.

• Bump: pi @earendil-works/pi-coding-agent@0.75.5 baked at /usr/bin/pi (via PI_VERSION=latest resolving to 0.75.5 at build time — no Dockerfile change needed).
• No image-side changes from v0.75.4 beyond the pi npm version. Built on joakimp/opencode-devbox:base-latest which itself is unchanged (cache-hit on base-35ee5fe7861a since v1.14.50b).

v0.75.4 — 2026-05-21

pi 0.75.3 → 0.75.4 bump (one upstream patch release). Plus the AGENTS.md documentation-drift sweep clause that landed on main between v0.75.3 and now.

• Bump: pi @earendil-works/pi-coding-agent@0.75.4 baked at /usr/bin/pi (via PI_VERSION=latest resolving to 0.75.4 at build time — no Dockerfile change needed).
• AGENTS.md: documentation drift sweep as explicit pre-commit workflow step (commit ae6253a). Companion clause added across the wider repo set the same day.
• No image-side changes beyond the pi npm version. Built on joakimp/opencode-devbox:base-latest which itself is unchanged (cache-hit on base-35ee5fe7861a since v1.14.50b).

v0.75.3 — 2026-05-18

pi 0.74.0 → 0.75.3 bump (one upstream minor + three patch releases since the initial pi-devbox release on 2026-05-14).

• Bump: pi @earendil-works/pi-coding-agent@0.75.3 baked at /usr/bin/pi (via PI_VERSION=latest resolving to 0.75.3 at build time).
• No image-side changes from the v0.74.0 baseline beyond the pi npm version. The pi-toolkit + pi-extensions clones, mempalace bridge symlink, and NPM_CONFIG_PREFIX named-volume setup all unchanged.

v0.74.0 — 2026-05-14

Initial release.

• pi @earendil-works/pi-coding-agent@0.74.0 baked at /usr/bin/pi
• pi-toolkit and pi-extensions cloned at build time; deployed to ~/.pi/agent/ by entrypoint on container start
• mempalace bridge (mempalace.ts) symlinked from /opt/mempalace-toolkit/
• Built on joakimp/opencode-devbox:base-latest