Belt-and-braces against transient registry-1.docker.io blips (rate limits, brief 5xx, CDN flap). Replaces docker/build-push-action@v7 with a shell: bash step that runs docker buildx build --push in a for-loop with backoff (15s, 30s). Does NOT mask deterministic failures: a true regression (e.g. the cache-export 400 we hit 2026-05-23..28) fails all 3 attempts identically and the job still fails by design. Orthogonal layer to both cache-export disablement and the ci-release-watcher skill's transient-rerun heuristic. No image-side change.
Changelog
All notable changes to the pi-devbox container image.
Tags follow the pi npm version: v{pi_version}[letter] — bare tag for the first build on a new pi release, letter suffix (b, c, …) for container-level rebuilds on the same version.
Unreleased
CI: workflow-level retry around docker buildx build --push
The single push step in .gitea/workflows/docker-publish.yml is now wrapped in a 3-attempt retry loop with backoff (15s, 30s) as belt-and-braces against transient registry-1.docker.io blips (rate limits, brief 5xx, CDN flap). Replaces the docker/build-push-action@v7 invocation with a shell: bash step that runs docker buildx build --push directly so the loop is visible and tweakable.
Does not mask deterministic failures: a true regression (e.g. the cache-export 400 we hit 2026-05-23..28) will fail all 3 attempts identically and the job still fails by design. Only intended to absorb genuinely transient failures that single-attempt CI was vulnerable to.
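The loop described above can be written as a small shell function. This is an added sketch, not the project's workflow step; `retry_push` and the `RETRY_SLEEP` hook are hypothetical names, and the image reference in the usage comment is a placeholder.

```shell
# Added illustration, not the project's workflow step.
# RETRY_SLEEP is a hypothetical hook: set it to ":" to exercise the loop
# without actually waiting.
RETRY_SLEEP="${RETRY_SLEEP:-sleep}"

# retry_push CMD [ARGS...]
# Runs CMD up to 3 times with 15s then 30s backoff. Returns 0 on the first
# success; otherwise returns the exit status of the last attempt, so a failure
# that repeats identically on every attempt still fails the job.
retry_push() (
  attempt=1
  for delay in 15 30 0; do
    rc=0
    "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then
      exit 0
    fi
    echo "attempt ${attempt}/3 failed with exit ${rc}" >&2
    if [ "$delay" -gt 0 ]; then
      echo "retrying in ${delay}s" >&2
      $RETRY_SLEEP "$delay"
    fi
    attempt=$((attempt + 1))
  done
  exit "$rc"
)

# Usage in a workflow step (IMAGE and TAG are placeholders):
#   retry_push docker buildx build --push -t "$IMAGE:$TAG" .
```

Because the final exit status is propagated unchanged, the job log shows the same error code three times for a deterministic failure, which separates it from a transient one at a glance.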
No image-side change.
v0.76.0 — 2026-05-28
pi 0.75.5 → 0.76.0 bump (first minor-version release on pi 0.76 line, published upstream 2026-05-27 20:03 UTC). Built against a fresh joakimp/opencode-devbox:base-latest which now bakes in SSH ControlMaster on a writable socket path, plus gitleaks and git-crypt — see the inherited-from-base notes below for details on each.
Bumped: pi 0.75.5 → 0.76.0
Notable upstream changes (from pi's CHANGELOG):
- Explicit session IDs for automation — --session-id <id> lets scripts create or resume an exact project-local session.
- RPC bash output can stay out of model context — RPC clients can pass excludeFromContext to bash for commands whose output should not be sent with the next prompt.
- More predictable provider retries and timeouts — Codex WebSocket/SSE waits are bounded; retry.provider.maxRetries controls provider retries instead of hidden SDK defaults; SDK retries default to 0; quota/billing 429s are no longer retried behind Pi's retry handling.
- Better terminal editing across environments — Apple Terminal Shift+Enter detection on macOS, Windows Terminal OSC 8 hyperlink support, JetBrains truecolor with disabled OSC 8, Unicode-aware word navigation and deletion.
- Bugfixes — pi update bypasses npm/pnpm/Bun minimum-release-age gates; user-authored ordered-list markers preserved in transcripts; image attachment token estimates aligned with tool-result images; Codex Responses cache-affinity header fixed (session-id not session_id); OpenRouter/Poolside context-overflow detection; managed npm extension updates avoid peer-dependency conflicts; RpcClient handles unexpected child exits cleanly.
Workflow continues to derive PI_VERSION from the git tag (v0.76.0 → 0.76.0) and pass it as a build-arg, per the v0.75.5b cache-hit fix; smoke test asserts pi --version matches.
Workflow change: registry cache-export disabled
.gitea/workflows/docker-publish.yml — cache-from/cache-to removed from the publish step. buildkit's mode=max cache-export to registry-1.docker.io reproducibly returns HTTP 400 on the resumable-upload PUT, surfacing ~2026-05-23. Diagnosed during opencode-devbox v1.15.12's manual host-side publish: image push works fine, only --cache-to fails. See opencode-devbox CHANGELOG v1.15.12 Unreleased for the full root-cause analysis. The pi-devbox Dockerfile is single-stage with a tiny diff (npm install pi only) on top of base-latest, so builds are fast even without cache (~30-60s expected).
Inherited from opencode-devbox base: SSH ControlMaster on a writable socket path
No Dockerfile change here — just a note that this release picks up the system-wide SSH ControlMaster default (/etc/ssh/ssh_config.d/00-devbox-controlmaster.conf → ControlPath /tmp/sshcm/%r@%h:%p, ControlMaster auto, ControlPersist 10m). This unblocks ssh and pi --ssh user@host from inside the container when ~/.ssh is bind-mounted read-only from the host (the standard pi-devbox compose layout) — previously, OpenSSH's default ControlPath under ~/.ssh/cm/ was unwritable, so multiplexing failed with unix_listener: cannot bind ... Read-only file system and ssh fell back to fresh TCP connections, which on residential CGNAT manifested as banner-exchange timeouts. The fix is purely additive (per-container /tmp/sshcm dir, mode 700, created by entrypoint) and user ~/.ssh/config per-host overrides still win because Debian's stock ssh_config sources ssh_config.d/*.conf before its own Host * block. See opencode-devbox CHANGELOG v1.15.12 for the base-side details.
Inherited from opencode-devbox base: gitleaks + git-crypt
No Dockerfile change here — just a note that this release includes gitleaks (newly added to the base) and git-crypt (was always installed via apt; just wasn't called out). Both are useful inside the container for repos that use a gitleaks pre-commit hook or git-crypt-encrypted canonical config and don't want host-side dependencies. See opencode-devbox CHANGELOG v1.15.12 for the base-side details.
v0.75.5b — 2026-05-23
Recovery release fixing a silent cache-hit regression discovered in the v0.75.5 image. All four releases v0.74.0 through v0.75.5 had been shipping the same image bytes because the Dockerfile's npm install -g @earendil-works/pi-coding-agent (bare, when PI_VERSION=latest) produces an identical layer-hash across builds. Combined with the registry buildcache, Docker reused the layer from whatever pi version was current when the cache was first populated.
Verification: docker manifest inspect joakimp/pi-devbox:vX.Y.Z showed identical SHA256 digests on both linux/amd64 and linux/arm64 for v0.74.0, v0.75.3, v0.75.4, v0.75.5. Users on :latest were getting whatever pi version was baked into the v0.74.0 build (probably 0.74.0 itself).
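The verification above can be turned into a repeatable check that flags release tags resolving to one digest. This is an added example, not part of the project: the function names and the "tag digest" input format are assumptions, the digests are constructed, and collecting the pairs (one platform at a time) is left to the operator.

```shell
# Constructed sample: "<tag> <digest>" pairs with made-up digests, shaped like
# the incident described above, where four release tags carried one image.
SAMPLE_TAG_DIGESTS='v0.74.0 sha256:aaaa0000
v0.75.3 sha256:aaaa0000
v0.75.4 sha256:aaaa0000
v0.75.5 sha256:aaaa0000
v0.75.5b sha256:bbbb1111
latest sha256:bbbb1111'

# find_shared_digests: reads "<tag> <digest>" lines on stdin and prints
# "<digest> <tag,tag,...>" for every digest carried by more than one release
# tag. Only tags starting with "v<digit>" are considered, because an alias
# such as "latest" is expected to share a digest with the newest release.
find_shared_digests() {
  awk 'NF == 2 && $1 ~ /^v[0-9]/ {
         tags[$2] = (tags[$2] == "" ? $1 : tags[$2] "," $1)
         count[$2]++
       }
       END { for (d in count) if (count[d] > 1) print d, tags[d] }' | sort
}

# release_digests_unique: same input; returns 0 when every release tag has its
# own digest, 1 (with a report on stderr) when any digest is shared.
release_digests_unique() {
  shared=$(find_shared_digests)
  if [ -z "$shared" ]; then
    return 0
  fi
  printf 'release tags sharing one digest:\n%s\n' "$shared" >&2
  return 1
}
```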
- Workflow fix: Both smoke and publish jobs now derive PI_VERSION from github.ref_name (e.g. v0.75.5b → 0.75.5) and pass it as a build-arg. The Dockerfile's existing if PI_VERSION=latest branch never fires in CI now — always takes the @${PI_VERSION} branch — so the layer-hash includes the version and cache invalidates correctly.
- Smoke test: New run_expect helper asserts pi --version output contains EXPECTED_PI_VERSION (passed from the resolve step). Would have caught this regression on v0.75.3 if it had existed.
- Dockerfile: Comment added above ARG PI_VERSION=latest documenting the cache-hit footgun and pointing at the workflow's resolve step + AGENTS.md gotcha.
- AGENTS.md: New convention bullet explaining the cache-hit class of bug and noting the latent same-bug in opencode-devbox's with-pi variants (currently masked by OPENCODE_VERSION bumps).
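A sketch of the resolve step and the smoke assertion from the list above, written for the v{pi_version}[letter] tag scheme. This is an added example, not the project's workflow or its run_expect helper; `pi_version_from_tag` and `version_matches` are hypothetical names, and the version output is passed in as a string rather than read from a real pi binary.

```shell
# pi_version_from_tag TAG
# Prints the pi npm version for a release tag of the form v{pi_version}[letter]
# (for example v0.75.5b -> 0.75.5). Fails on anything else, including "latest":
# silently falling back to an unpinned install is what let the cached layer be
# reused across releases.
pi_version_from_tag() {
  _v=$(printf '%s\n' "$1" |
    sed -n 's/^v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[a-z]\{0,1\}$/\1/p')
  if [ -z "$_v" ]; then
    echo "refusing tag '$1': expected v<major>.<minor>.<patch>[letter]" >&2
    return 1
  fi
  printf '%s\n' "$_v"
}

# version_matches EXPECTED ACTUAL_OUTPUT
# True when ACTUAL_OUTPUT contains EXPECTED as a whole token, so an expected
# 0.75.5 does not pass against 0.75.50.
version_matches() {
  printf '%s\n' "$2" | grep -qwF -- "$1"
}

# Usage in a smoke step (the tag variable is a placeholder):
#   expected=$(pi_version_from_tag "$RELEASE_TAG") || exit 1
#   version_matches "$expected" "$(pi --version)" || exit 1
```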
No image-side changes vs v0.75.5 intent — this build will produce the actual pi 0.75.5 image content that v0.75.5 was supposed to ship.
v0.75.5 — 2026-05-23
pi 0.75.4 → 0.75.5 bump (one upstream patch release, two days after v0.75.4).
Notable upstream changes (from pi's CHANGELOG):
- Cleaner read tool output (collapsed cards show only the read line; Ctrl+O expands).
- Faster file tools on Windows (async fs ops during streaming, image resize off the main TUI thread).
- More reliable package updates (pi update reconciles git-pinned refs without losing settings).
- Custom Anthropic-compatible adaptive thinking via compat.forceAdaptiveThinking.
- Several bash/read tool card display fixes; macOS Bun clipboard sidecar resolution; per-session OpenCode-Zen routing headers; Amazon Bedrock token cap fix.
Plus a new pi 0.74.2 rescue release advising Node 20 users to upgrade Node before going to newer Pi versions — the devbox base image runs newer Node so this doesn't affect us, but worth noting for users running pi outside the devbox.
- Bump: pi @earendil-works/pi-coding-agent@0.75.5 baked at /usr/bin/pi (via PI_VERSION=latest resolving to 0.75.5 at build time — no Dockerfile change needed).
- No image-side changes from v0.75.4 beyond the pi npm version. Built on joakimp/opencode-devbox:base-latest which itself is unchanged (cache-hit on base-35ee5fe7861a since v1.14.50b).
v0.75.4 — 2026-05-21
pi 0.75.3 → 0.75.4 bump (one upstream patch release). Plus the AGENTS.md documentation-drift sweep clause that landed on main between v0.75.3 and now.
- Bump: pi @earendil-works/pi-coding-agent@0.75.4 baked at /usr/bin/pi (via PI_VERSION=latest resolving to 0.75.4 at build time — no Dockerfile change needed).
- AGENTS.md: documentation drift sweep as explicit pre-commit workflow step (commit ae6253a). Companion clause added across the wider repo set the same day.
- No image-side changes beyond the pi npm version. Built on joakimp/opencode-devbox:base-latest which itself is unchanged (cache-hit on base-35ee5fe7861a since v1.14.50b).
v0.75.3 — 2026-05-18
pi 0.74.0 → 0.75.3 bump (one upstream minor + three patch releases since the initial pi-devbox release on 2026-05-14).
- Bump: pi @earendil-works/pi-coding-agent@0.75.3 baked at /usr/bin/pi (via PI_VERSION=latest resolving to 0.75.3 at build time).
- No image-side changes from the v0.74.0 baseline beyond the pi npm version. The pi-toolkit + pi-extensions clones, mempalace bridge symlink, and NPM_CONFIG_PREFIX named-volume setup all unchanged.
v0.74.0 — 2026-05-14
Initial release.
- pi @earendil-works/pi-coding-agent@0.74.0 baked at /usr/bin/pi
- pi-toolkit and pi-extensions cloned at build time; deployed to ~/.pi/agent/ by entrypoint on container start
- mempalace bridge (mempalace.ts) symlinked from /opt/mempalace-toolkit/
- Built on joakimp/opencode-devbox:base-latest