feat: add tmux bridge for container-to-host tmux control

- Build tmux 3.6a from source with SHA256 verification
- Add deva-bridge-tmux-host (host TCP listener) and deva-bridge-tmux
  (container Unix socket proxy) scripts for macOS<->Linux socket bridging
- Fix docker-entrypoint.sh usermod error handling for mounted volumes
- Document bridge architecture and security model in AGENTS.md
- Fix version-upgrade build resilience (gh api vs curl for rate limits)
- Add LSP support planning devlog

Author: lroolle

AGENTS.md

@@ -148,6 +148,37 @@ Mitigations:
 - Set `DEVA_NO_DOCKER=1` environment variable
 - Only mount when Docker-in-Docker workflows are required
 
+## Bridges (privileged)
+
+Deva's container IS the sandbox. Bridges punch controlled holes back to the host for specific integrations. Each bridge has TWO components: host-side and container-side.
+
+| Bridge | Host Command | Container Command | Risk |
+|--------|--------------|-------------------|------|
+| Docker | (auto-mount `/var/run/docker.sock`) | `docker ...` | Root-equivalent on host |
+| tmux | `deva-bridge-tmux-host` | `deva-bridge-tmux` | Host command execution |
+
+**tmux bridge**: Connect container tmux client to host tmux server.
+- Problem: Unix socket mount fails across macOS<->Linux kernel boundary
+- Solution: socat TCP proxy (host) + socat Unix socket (container)
+- Security: Container gains full tmux control (send-keys, run-shell, scrollback)
+
+Usage:
+```bash
+# Host (macOS)
+./scripts/deva-bridge-tmux-host
+
+# Container
+deva-bridge-tmux
+tmux -S /tmp/host-tmux.sock list-sessions
+```
+
+Environment variables:
+- `DEVA_BRIDGE_BIND`: host bind address (default: 127.0.0.1)
+- `DEVA_BRIDGE_PORT`: TCP port (default: 41555)
+- `DEVA_BRIDGE_HOST`: container's host address (default: host.docker.internal)
+- `DEVA_BRIDGE_SOCKET`: host tmux socket path (default: auto-detected)
+- `DEVA_BRIDGE_SOCK`: container local socket (default: /tmp/host-tmux.sock)
+
 ## Docker Architecture Details
 
 ### Volume Mounting Strategy

DEV-LOGS.md

@@ -14,6 +14,19 @@
 - Reference issue numbers in the format `#<issue-number>` for easy linking.
 
 
+# [2026-01-07] Dev Log: Fix version-upgrade build resilience
+- Why: `make versions-up` exited 56 during GitHub API changelog fetch - GitHub API 403 rate limit (60/hour) from unauthenticated curl
+- What:
+  - Changed `fetch_github_releases()` and `fetch_recent_github_releases()` in `scripts/release-utils.sh` from `curl` to `gh api` for authenticated requests
+  - All changelog fetch functions now fail gracefully with `{ echo "(fetch failed)"; return 0; }` instead of `|| return` (was causing `set -e` script abort)
+  - Added fallback in `load_versions()` - network fetch failure uses current image version instead of empty string
+  - Added pre-build version check in `scripts/version-upgrade.sh` - warns about missing versions but proceeds with build
+- Result: Build script resilient to transient network failures and GitHub rate limits. Changelog display is best-effort, won't block builds.
+
+**Files changed**:
+- `scripts/release-utils.sh` (lines 175, 221, 452, 480)
+- `scripts/version-upgrade.sh` (lines 82-95)
+
 # [2025-11-27] Dev Log: Docker-in-Docker auto-mount support
 - Why: Common dev workflow need - testing containers, building images, CI/CD simulation inside deva environments
 - What: Auto-mount Docker socket (`/var/run/docker.sock`) by default with graceful detection, opt-out via `--no-docker` flag or `DEVA_NO_DOCKER=1`, quick permission fix (chmod 666) for deva user access

Dockerfile

@@ -30,7 +30,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
         openssh-client rsync \
         shellcheck bat fd-find silversearcher-ag \
         vim \
-        procps psmisc zsh
+        procps psmisc zsh socat \
+        libevent-dev libncurses-dev bison
 
 RUN git lfs install --system
 
@@ -123,6 +124,24 @@ RUN --mount=type=cache,target=/tmp/delta-cache,sharing=locked \
     mv delta-0.18.2-${DELTA_ARCH}-unknown-linux-gnu/delta /usr/local/bin/ && \
     rm -rf delta-0.18.2-${DELTA_ARCH}-unknown-linux-gnu*
 
+# Install tmux from source (protocol version must match host for socket bridge)
+# Same major.minor usually works; exact match is pragmatic, not required.
+ARG TMUX_VERSION=3.6a
+ARG TMUX_SHA256=b6d8d9c76585db8ef5fa00d4931902fa4b8cbe8166f528f44fc403961a3f3759
+RUN --mount=type=cache,target=/tmp/tmux-cache,sharing=locked \
+    set -eu && \
+    cd /tmp/tmux-cache && \
+    TARBALL="tmux-${TMUX_VERSION}.tar.gz" && \
+    wget -q "https://github.com/tmux/tmux/releases/download/${TMUX_VERSION}/${TARBALL}" && \
+    echo "${TMUX_SHA256}  ${TARBALL}" | sha256sum -c - && \
+    tar -xzf "${TARBALL}" && \
+    cd "tmux-${TMUX_VERSION}" && \
+    ./configure --prefix=/usr/local && \
+    make -j"$(nproc)" && \
+    make install && \
+    rm -rf /tmp/tmux-cache/tmux-* && \
+    hash -r && \
+    tmux -V
 
 ENV NPM_CONFIG_FETCH_RETRIES=5 \
     NPM_CONFIG_FETCH_RETRY_FACTOR=2 \
@@ -207,9 +226,11 @@ RUN curl -fsSL "https://raw.githubusercontent.com/lroolle/atlas-cli/${ATLAS_CLI_
 USER root
 
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+COPY scripts/deva-bridge-tmux /usr/local/bin/deva-bridge-tmux
 
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh && \
-    chmod -R +x /usr/local/bin/scripts || true
+RUN chmod 755 /usr/local/bin/docker-entrypoint.sh && \
+    chmod 755 /usr/local/bin/deva-bridge-tmux && \
+    chmod -R 755 /usr/local/bin/scripts || true
 
 WORKDIR /root
 

docker-entrypoint.sh

@@ -202,7 +202,22 @@ setup_nonroot_user() {
 
     if [ "$DEVA_UID" != "$current_uid" ]; then
         [ "$VERBOSE" = "true" ] && echo "[entrypoint] updating $DEVA_USER UID: $current_uid -> $DEVA_UID"
-        usermod -u "$DEVA_UID" -g "$DEVA_GID" "$DEVA_USER"
+        # usermod may fail with rc=12 when it can't chown home directory (mounted volumes)
+        # The UID change itself usually succeeds even when chown fails
+        if ! usermod -u "$DEVA_UID" -g "$DEVA_GID" "$DEVA_USER" 2>/dev/null; then
+            # Verify what UID we actually got
+            local actual_uid
+            actual_uid=$(id -u "$DEVA_USER" 2>/dev/null)
+            if [ -z "$actual_uid" ]; then
+                echo "[entrypoint] ERROR: cannot determine UID for $DEVA_USER" >&2
+                exit 1
+            fi
+            if [ "$actual_uid" != "$DEVA_UID" ]; then
+                echo "[entrypoint] WARNING: UID change failed ($DEVA_USER is UID $actual_uid, wanted $DEVA_UID)" >&2
+                # Adapt to reality so subsequent operations use correct UID
+                DEVA_UID="$actual_uid"
+            fi
+        fi
         # Only chown files owned by container, skip mounted volumes
         find "$DEVA_HOME" -maxdepth 1 ! -type l -user root -exec chown "$DEVA_UID:$DEVA_GID" {} \; 2>/dev/null || true
     fi