diff --git a/doc/HANDOFF-JAIL-EXTENSIONS.md b/doc/HANDOFF-JAIL-EXTENSIONS.md new file mode 100644 index 0000000..054fc1e --- /dev/null +++ b/doc/HANDOFF-JAIL-EXTENSIONS.md 
@@ -0,0 +1,56 @@ +# Handoff: Fix Pi Extension Loading in Jails + +**Date:** 2026-04-18 +**From:** Claude Opus session +**Priority:** High — blocks reliable jail task execution + +## Problem + +When agents run inside Bastille jails (mevy_db_worker, mevy_git_worker, mevy_ctrl_worker), the pi extension at `/opt/pi-extensions/clawdie-harness/index.ts` fails to load: + +``` +Error: Cannot find module '../../../src/hostd/client.js' +Require stack: +- /opt/pi-extensions/clawdie-harness/hostd-bridge.ts +``` + +## What Was Fixed + +The **code** is already fixed. `.pi/extensions/clawdie-harness/hostd-bridge.ts` was rewritten to be self-contained — uses `node:fs` + `node:net` directly to talk to the hostd Unix socket. No more `../../../src/hostd/client.js` import. The git-admin worktree was also synced to match. + +## What Remains + +The **nullfs mount** that exposes `.pi/extensions` → `/opt/pi-extensions` inside jails is not configured. The fstab entries for the jails need to be checked/created. + +### Steps + +1. Check jail fstab files at `/usr/local/bastille/jails/mevy_db_worker/fstab` (and git_worker, ctrl_worker) +2. Add nullfs mount if missing: + ``` + /home/mevy/mevy-ai/.pi/extensions /usr/local/bastille/jails/mevy_db_worker/root/opt/pi-extensions nullfs ro 0 0 + ``` +3. Create `/opt/pi-extensions` inside each jail root if it doesn't exist +4. Restart jails or mount manually: `mount -F /usr/local/bastille/jails/mevy_db_worker/fstab -a` +5. Verify: `bastille cmd mevy_db_worker ls /opt/pi-extensions/clawdie-harness/` +6. Test: create a db_admin_agent task and confirm the extension loads without error + +### Mount config reference + +`infra/jails.yaml` defines `PI_EXTENSIONS_DIR:/opt/pi-extensions:ro` for all worker jails. `setup/agent-jails.ts:390` resolves `PI_EXTENSIONS_DIR` → `PROJECT_ROOT/.pi/extensions`. The setup script may need to be re-run, or mounts added manually. 
+ +### Socket access in jails + +The hostd-bridge detects the socket path from env vars or defaults: +- `HOSTD_SOCKET` or `MEVY_HOSTD_SOCKET` env var +- `/var/run/mevy-hostd.sock` +- `/var/run/clawdie-hostd.sock` + +The hostd socket also needs to be accessible inside jails (nullfs mount or shared path). Verify the socket is reachable from inside the jail after mounting. + +## Context + +- 3 running jails: mevy_db_worker (10.0.1.211), mevy_git_worker (10.0.1.212), mevy_ctrl_worker (10.0.1.213) +- Controlplane uses mevy_brain DB pool (not mevy_ops) +- 5 agents: mevy (orchestrator 80%), sysadmin_agent (10%), db_admin_agent (5%), git_admin_agent (5%), coordinator (0%) +- Task execution on host works end-to-end (validated this session) +- Legacy agent IDs fully removed in commit `0f7fbc4`
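Review bot: The "Socket access in jails" section leaves the hostd socket exposure unspecified: it says "nullfs mount or shared path" but names no source directory, mount options, or socket ownership and mode, and none of the six numbered steps covers it, so a jail can pass step 6 ("confirm the extension loads without error") while the bridge still cannot reach hostd. Since this mount is what lets a jailed agent talk to a host daemon, make it its own numbered step: state which of `/var/run/mevy-hostd.sock` or `/var/run/clawdie-hostd.sock` is in use, give the fstab line that exposes it to each jail, and add a check run from inside the jail. Separately, steps 2, 4 and 5 hardcode `mevy_db_worker` while step 1 mentions the other two jails only in passing; either repeat the lines for mevy_git_worker and mevy_ctrl_worker or say explicitly that the jail name must be substituted. The reference `setup/agent-jails.ts:390` would also be better given as a function or symbol name, since the line number will go stale.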