@clipboard-health/groundcrew 3.1.9 → 3.2.1

package/dist/commands/sandbox/model.d.ts

@@ -0,0 +1,10 @@
+import type { ResolvedConfig, SandboxDefinition } from "../../lib/config.ts";
+export interface SandboxModel {
+    modelName: string;
+    sandbox: SandboxDefinition;
+    sandboxName: string;
+}
+export declare function sandboxModels(config: ResolvedConfig): SandboxModel[];
+export declare function resolveModel(config: ResolvedConfig, modelName: string): SandboxModel;
+export declare function requireOnePositional(argv: string[], usage: string): string;
+//# sourceMappingURL=model.d.ts.map

package/dist/commands/sandbox/model.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"model.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/model.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAG7E,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,YAAY,EAAE,CAcpE;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,GAAG,YAAY,CAapF;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAM1E"}

package/dist/commands/sandbox/model.js

@@ -0,0 +1,37 @@
+import { sandboxNameFor } from "../../lib/dockerSandbox.js";
+export function sandboxModels(config) {
+    const models = [];
+    for (const [modelName, definition] of Object.entries(config.models.definitions)) {
+        const { sandbox } = definition;
+        if (sandbox === undefined) {
+            continue;
+        }
+        models.push({
+            modelName,
+            sandbox,
+            sandboxName: sandboxNameFor({ agent: sandbox.agent }),
+        });
+    }
+    return models;
+}
+export function resolveModel(config, modelName) {
+    const definition = config.models.definitions[modelName];
+    if (definition === undefined) {
+        throw new Error(`crew sandbox: unknown model '${modelName}'`);
+    }
+    if (definition.sandbox === undefined) {
+        throw new Error(`crew sandbox: model '${modelName}' has no sandbox config`);
+    }
+    return {
+        modelName,
+        sandbox: definition.sandbox,
+        sandboxName: sandboxNameFor({ agent: definition.sandbox.agent }),
+    };
+}
+export function requireOnePositional(argv, usage) {
+    const [first, ...rest] = argv;
+    if (first === undefined || rest.length > 0) {
+        throw new Error(usage);
+    }
+    return first;
+}

package/dist/commands/sandbox/picker.d.ts

@@ -0,0 +1,20 @@
+export interface ToolChoice {
+    /** Recipe key (e.g. "claude", "github"). Returned in the selection. */
+    key: string;
+    /** Human-friendly label shown in the prompt. */
+    label: string;
+    /** Auth status decoration: ✓ when authenticated, ○ otherwise. */
+    authenticated: boolean;
+}
+/**
+ * Show an interactive checkbox picker so the engineer chooses which
+ * tools to authenticate. Items marked `authenticated` start unchecked
+ * (no need to re-auth); unauthed items start checked (default action
+ * is "auth what's missing"). The returned array is the list of `key`
+ * values that the engineer left checked when they confirmed.
+ *
+ * Extracted to its own module so tests can vi.mock it and skip stdin
+ * interaction; the real implementation pulls @inquirer/checkbox.
+ */
+export declare function pickTools(choices: readonly ToolChoice[]): Promise<readonly string[]>;
+//# sourceMappingURL=picker.d.ts.map

package/dist/commands/sandbox/picker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"picker.d.ts","sourceRoot":"","sources":["../../../src/commands/sandbox/picker.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,uEAAuE;IACvE,GAAG,EAAE,MAAM,CAAC;IACZ,gDAAgD;IAChD,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,OAAO,EAAE,SAAS,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAW1F"}

package/dist/commands/sandbox/picker.js

@@ -0,0 +1,23 @@
+import checkbox from "@inquirer/checkbox";
+/**
+ * Show an interactive checkbox picker so the engineer chooses which
+ * tools to authenticate. Items marked `authenticated` start unchecked
+ * (no need to re-auth); unauthed items start checked (default action
+ * is "auth what's missing"). The returned array is the list of `key`
+ * values that the engineer left checked when they confirmed.
+ *
+ * Extracted to its own module so tests can vi.mock it and skip stdin
+ * interaction; the real implementation pulls @inquirer/checkbox.
+ */
+export async function pickTools(choices) {
+    const selected = await checkbox({
+        message: "Select tools to authenticate (space to toggle, enter to confirm):",
+        choices: choices.map((choice) => ({
+            name: `${choice.authenticated ? "✓" : "○"} ${choice.label}`,
+            value: choice.key,
+            checked: !choice.authenticated,
+        })),
+        pageSize: Math.max(choices.length, 1),
+    });
+    return selected;
+}

package/dist/lib/agentLaunch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agentLaunch.d.ts","sourceRoot":"","sources":["../../src/lib/agentLaunch.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAOhF,UAAU,mBAAmB;IAC3B,MAAM,EAAE,WAAW,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;CACjC;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,eAAe,CAAC;IAC5B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5B,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA6B/B;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,UAAU,EAAE,eAAe,CAAC;IAC5B,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB,GAAG,OAAO,CAAC,IAAI,CAAC,CAWhB;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB,GAAG,OAAO,CAAC,IAAI,CAAC,CAUhB"}
+{"version":3,"file":"agentLaunch.d.ts","sourceRoot":"","sources":["../../src/lib/agentLaunch.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAOhF,UAAU,mBAAmB;IAC3B,MAAM,EAAE,WAAW,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;CACjC;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,eAAe,CAAC;IAC5B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5B,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA6B/B;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,UAAU,EAAE,eAAe,CAAC;IAC5B,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB,GAAG,OAAO,CAAC,IAAI,CAAC,CAYhB;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB,GAAG,OAAO,CAAC,IAAI,CAAC,CAUhB"}

package/dist/lib/agentLaunch.js

@@ -37,6 +37,7 @@ export async function ensureAgentSandbox(input) {
             sandboxName: input.sandboxName,
             sandbox: input.definition.sandbox,
             mountPath: resolve(input.config.workspace.projectDir),
+            gitDefaults: input.config.sandbox.gitDefaults,
         }, input.signal);
     }
 }

package/dist/lib/config.d.ts

@@ -58,6 +58,42 @@ export interface SandboxDefinition {
      */
     setupCommand?: string;
 }
+/**
+ * Recipe used by `crew sandbox auth <model>` to drive an interactive
+ * login flow inside a sbx sandbox and then verify it. The flow is
+ * picker-driven — no positional `<tool>` argument; the picker lists
+ * every recipe visible to the current sandbox.
+ *
+ * `binary` defaults to the recipe key (typically the agent or CLI name).
+ * `authenticatedPattern` matches against combined stdout+stderr from
+ * `statusArgs` — exit code alone isn't reliable because some CLIs
+ * report "not logged in" while still exiting 0.
+ * `kind` controls visibility in the interactive picker: `"agent"`
+ * recipes are scoped to a specific sbx agent and only appear when you
+ * `auth` against that agent's sandbox; `"tool"` recipes (default)
+ * appear in every sandbox's picker because they're cross-cutting
+ * (github, npm, gcloud, …). Defaults to `"tool"` when omitted.
+ *
+ * Ship-side recipes for `claude`, `codex`, and `cursor` live in
+ * `src/commands/sandbox/auth.ts`; users register additional tools
+ * under `sandbox.authRecipes` in their config.
+ */
+export interface AuthRecipe {
+    displayName: string;
+    binary?: string;
+    loginArgs: readonly string[];
+    statusArgs: readonly string[];
+    authenticatedPattern: RegExp;
+    kind?: "agent" | "tool";
+    /**
+     * Environment variables passed to `sbx exec` for both the login and
+     * status calls. Use this for CLIs whose default flow assumes a
+     * browser or other host-only feature — e.g. cursor-agent wants
+     * `NO_OPEN_BROWSER=1` to print a device code instead of trying to
+     * launch a browser inside the sandbox.
+     */
+    env?: Record<string, string>;
+}
 export interface ModelDefinition {
     /**
      * Shell command launched for the model. Wrapped with Safehouse/clearance
@@ -192,6 +228,32 @@ export interface Config {
     local?: {
         runner?: LocalRunnerSetting;
     };
+    /**
+     * Sandbox-wide settings. `authRecipes` lets users register additional
+     * tools (github, npm, gcloud, …) for `crew sandbox auth <model>` to
+     * authenticate inside the sandbox. The auth flow is picker-driven —
+     * registered recipes show up in the picker alongside the shipped ones,
+     * and a user recipe under the same key (e.g. "claude") overrides the
+     * shipped one.
+     */
+    sandbox?: {
+        authRecipes?: Record<string, AuthRecipe>;
+        /**
+         * When true (default), every `crew sandbox ensure` / `auth` run applies
+         * a small set of git defaults inside the sandbox so robot commits push
+         * over `gh`-managed HTTPS regardless of how the user cloned the repo:
+         *
+         *   - disable GPG signing for commits and tags
+         *   - rewrite `git@github.com:` and `ssh://git@github.com/` URLs to
+         *     `https://github.com/` so push uses gh's credential helper
+         *   - after a successful `github` auth recipe login, run
+         *     `gh auth setup-git` inside the sandbox
+         *
+         * Set `false` to skip both the git-config block and the post-login
+         * `gh auth setup-git` step.
+         */
+        gitDefaults?: boolean;
+    };
     logging?: {
         /**
          * Append-mode log file destination. `log()` and `logEvent()` tee here
@@ -261,6 +323,14 @@ export interface ResolvedConfig {
     local: {
         runner: LocalRunnerSetting;
     };
+    /**
+     * Sandbox-wide settings. Always present after defaults; `authRecipes`
+     * is `{}` when the user provides none.
+     */
+    sandbox: {
+        authRecipes: Record<string, AuthRecipe>;
+        gitDefaults: boolean;
+    };
     logging: {
         file: string;
     };

package/dist/lib/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAGrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,mBAAmB,GAAG,kBAAkB,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,eAAe,QAAQ,CAAC;AAErC;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5D,eAAO,MAAM,uBAAuB,EAAE,SAAS,oBAAoB,EAIzD,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvD;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,MAAM,CAAC;AAEtD,eAAO,MAAM,qBAAqB,EAAE,SAAS,kBAAkB,EAKrD,CAAC;AAEX;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,+CAA+C;IAC/C,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B;;;;;;;OAOG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE;QACN,QAAQ,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KACjD,CAAC;IACF;;;;OAIG;IACH,OAAO,CAAC,EAAE,iBAAiB,CAAC;CAC7B;AAED;;;;;;;;;GASG;AACH,KAAK,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG;IAAE,QAAQ,EAAE,IAAI,CAAA;CAAE,CAAC;AAC/D,KAAK,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,GAAG;IAC1E,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AACF,UAAU,2BAA2B;IACnC,QAAQ,EAAE,IAAI,CAAC;CAChB;AACD,KAAK,mBAAmB,GAAG,0BAA0B,GAAG,2BAA2B,CAAC;AAEpF;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B;;;;;;;;OAQG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE;QACT,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACH;AAED;;;;GAIG;AACH,MAAM,WAAW,MAAM;IACrB,MAAM,EAAE;QACN;;;;WAIG;QACH,QAAQ,EAAE,aAAa,EAAE,CAAC;KAC3B,CAAC;IACF;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB,GAAG,CAAC,EAAE;QACJ,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,SAAS,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,EAAE,CAAC;KAC7B,CAAC;IACF,YAAY,CAAC,EAAE;QACb,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,wBAAwB,CAAC,EAAE,MAAM,CAAC;QAClC,sBAAsB,CAAC,EAAE,MAAM,CAAC;KACjC,CAAC;IACF,MAAM,CAAC,EAAE;QACP,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB;;;;;WAKG;QACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;KACnD,CAAC;IACF,OAAO,CAAC,EAAE;QACR,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;;;OAIG;IACH,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC;;;;OAIG;IACH,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE,kBAAkB,CAAC;KAC7B,CAAC;IACF,OAAO,CAAC,EAAE;QACR;;;;;WAKG;QACH,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AAED,MAAM,WAAW,qBAAqB;IACpC,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE;QACN,QAAQ,EAAE,qBAAqB,EAAE,CAAC;KACnC,CAAC;IACF;;;;;OAKG;IACH,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,GAAG,EAAE;QACH,MAAM,EAAE,MAAM,CAAC;QACf,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,SAAS,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,EAAE,CAAC;KAC7B,CAAC;IACF,YAAY,EAAE;QACZ,iBAAiB,EAAE,MAAM,CAAC;QAC1B,wBAAwB,EAAE,MAAM,CAAC;QACjC,sBAAsB,EAAE,MAAM,CAAC;KAChC,CAAC;IACF,MAAM,EAAE;QACN,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;KAC9C,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF;;;OAGG;IACH,aAAa,EAAE,oBAAoB,CAAC;IACpC;;;;OAIG;IACH,KAAK,EAAE;QACL,MAAM,EAAE,kBAAkB,CAAC;KAC5B,CAAC;IACF,OAAO,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AA4RD;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,EACtC,IAAI,EAAE,MAAM,GACX,OAAO,CAKT;AA4dD;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,EACtC,MAAM,EAAE,MAAM,GACb,qBAAqB,GAAG,SAAS,CAEnC;AAOD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,CAajG;AAID,wBAAsB,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAwBpE"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAIrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,mBAAmB,GAAG,kBAAkB,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,eAAe,QAAQ,CAAC;AAErC;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5D,eAAO,MAAM,uBAAuB,EAAE,SAAS,oBAAoB,EAIzD,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvD;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,MAAM,CAAC;AAEtD,eAAO,MAAM,qBAAqB,EAAE,SAAS,kBAAkB,EAKrD,CAAC;AAEX;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,+CAA+C;IAC/C,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7B,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,IAAI,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IACxB;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,eAAe;IAC9B;;;;;;;OAOG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE;QACN,QAAQ,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KACjD,CAAC;IACF;;;;OAIG;IACH,OAAO,CAAC,EAAE,iBAAiB,CAAC;CAC7B;AAED;;;;;;;;;GASG;AACH,KAAK,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG;IAAE,QAAQ,EAAE,IAAI,CAAA;CAAE,CAAC;AAC/D,KAAK,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,GAAG;IAC1E,KAAK,CAAC,EAAE,SAAS,CAAC;IAClB,QAAQ,CAAC,EAAE,KAAK,CAAC;CAClB,CAAC;AACF,UAAU,2BAA2B;IACnC,QAAQ,EAAE,IAAI,CAAC;CAChB;AACD,KAAK,mBAAmB,GAAG,0BAA0B,GAAG,2BAA2B,CAAC;AAEpF;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B;;;;;;;;OAQG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE;QACT,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACH;AAED;;;;GAIG;AACH,MAAM,WAAW,MAAM;IACrB,MAAM,EAAE;QACN;;;;WAIG;QACH,QAAQ,EAAE,aAAa,EAAE,CAAC;KAC3B,CAAC;IACF;;;;;;;;;OASG;IACH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB,GAAG,CAAC,EAAE;QACJ,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,SAAS,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,EAAE,CAAC;KAC7B,CAAC;IACF,YAAY,CAAC,EAAE;QACb,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,wBAAwB,CAAC,EAAE,MAAM,CAAC;QAClC,sBAAsB,CAAC,EAAE,MAAM,CAAC;KACjC,CAAC;IACF,MAAM,CAAC,EAAE;QACP,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB;;;;;WAKG;QACH,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;KACnD,CAAC;IACF,OAAO,CAAC,EAAE;QACR,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;;;OAIG;IACH,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC;;;;OAIG;IACH,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE,kBAAkB,CAAC;KAC7B,CAAC;IACF;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACzC;;;;;;;;;;;;;WAaG;QACH,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;IACF,OAAO,CAAC,EAAE;QACR;;;;;WAKG;QACH,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AAED,MAAM,WAAW,qBAAqB;IACpC,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE;QACN,QAAQ,EAAE,qBAAqB,EAAE,CAAC;KACnC,CAAC;IACF;;;;;OAKG;IACH,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,GAAG,EAAE;QACH,MAAM,EAAE,MAAM,CAAC;QACf,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,SAAS,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,EAAE,CAAC;KAC7B,CAAC;IACF,YAAY,EAAE;QACZ,iBAAiB,EAAE,MAAM,CAAC;QAC1B,wBAAwB,EAAE,MAAM,CAAC;QACjC,sBAAsB,EAAE,MAAM,CAAC;KAChC,CAAC;IACF,MAAM,EAAE;QACN,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;KAC9C,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF;;;OAGG;IACH,aAAa,EAAE,oBAAoB,CAAC;IACpC;;;;OAIG;IACH,KAAK,EAAE;QACL,MAAM,EAAE,kBAAkB,CAAC;KAC5B,CAAC;IACF;;;OAGG;IACH,OAAO,EAAE;QACP,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACxC,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;IACF,OAAO,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAsRD;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,EACtC,IAAI,EAAE,MAAM,GACX,OAAO,CAKT;AAoiBD;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,EACtC,MAAM,EAAE,MAAM,GACb,qBAAqB,GAAG,SAAS,CAEnC;AAOD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,CAajG;AAID,wBAAsB,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAwBpE"}

package/dist/lib/config.js

@@ -5,6 +5,7 @@ import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { cosmiconfig } from "cosmiconfig";
 import { log, readEnvironmentVariable, setLogFile } from "./util.js";
+import { xdgConfigPath, xdgStatePath } from "./xdg.js";
 export { BUILD_SECRET_NAMES } from "./buildSecrets.js";
 /**
  * Reserved model name. A ticket labeled `agent-any` resolves at runtime
@@ -83,19 +84,6 @@ const ALLOWED_PROMPT_PLACEHOLDERS = new Set([
 const PROMPT_PLACEHOLDER_RE = /{{[^{}]*}}/g;
 const PERCENT_MIN_EXCLUSIVE = 0;
 const PERCENT_MAX = 100;
-function xdgBase(envName, fallbackSegments) {
-    const override = readEnvironmentVariable(envName);
-    if (override !== undefined && override.length > 0) {
-        return override;
-    }
-    return resolve(homedir(), ...fallbackSegments);
-}
-function xdgConfigPath(...segments) {
-    return resolve(xdgBase("XDG_CONFIG_HOME", [".config"]), ...segments);
-}
-function xdgStatePath(...segments) {
-    return resolve(xdgBase("XDG_STATE_HOME", [".local", "state"]), ...segments);
-}
 function defaultLogFile() {
     return xdgStatePath("groundcrew", "groundcrew.log");
 }
@@ -144,6 +132,15 @@ function normalizeOptionalString(value, path) {
     }
     return value.trim();
 }
+function normalizeOptionalBoolean(value, path) {
+    if (value === undefined) {
+        return undefined;
+    }
+    if (typeof value !== "boolean") {
+        fail(`${path} must be a boolean`);
+    }
+    return value;
+}
 function normalizeOptionalStringArray(value, path) {
     if (value === undefined) {
         return undefined;
@@ -337,6 +334,11 @@ function requireObject(value, path) {
         fail(`${path} must be an object (got ${JSON.stringify(value)})`);
     }
 }
+function requireOptionalObject(value, path) {
+    if (value !== undefined && !isPlainObject(value)) {
+        fail(`${path} must be an object`);
+    }
+}
 function normalizeProject(value, index) {
     const path = `linear.projects[${index}]`;
     if (!isPlainObject(value)) {
@@ -441,6 +443,65 @@ function normalizeProjects(linear) {
     });
     return resolved;
 }
+function normalizeAuthRecipes(value, path) {
+    if (value === undefined) {
+        return {};
+    }
+    if (!isPlainObject(value)) {
+        fail(`${path} must be an object`);
+    }
+    const recipes = {};
+    for (const [key, raw] of Object.entries(value)) {
+        const recipePath = `${path}.${key}`;
+        if (!isPlainObject(raw)) {
+            fail(`${recipePath} must be an object`);
+        }
+        const { displayName, binary, loginArgs, statusArgs, authenticatedPattern, kind, env } = raw;
+        requireString(displayName, `${recipePath}.displayName`);
+        const loginArray = normalizeOptionalStringArray(loginArgs, `${recipePath}.loginArgs`);
+        const statusArray = normalizeOptionalStringArray(statusArgs, `${recipePath}.statusArgs`);
+        if (loginArray === undefined) {
+            fail(`${recipePath}.loginArgs is required`);
+        }
+        if (statusArray === undefined) {
+            fail(`${recipePath}.statusArgs is required`);
+        }
+        if (!(authenticatedPattern instanceof RegExp)) {
+            fail(`${recipePath}.authenticatedPattern must be a RegExp`);
+        }
+        const recipe = {
+            displayName,
+            loginArgs: loginArray,
+            statusArgs: statusArray,
+            authenticatedPattern,
+        };
+        const binaryString = normalizeOptionalString(binary, `${recipePath}.binary`);
+        if (binaryString !== undefined) {
+            recipe.binary = binaryString;
+        }
+        if (kind !== undefined) {
+            if (kind !== "agent" && kind !== "tool") {
+                fail(`${recipePath}.kind must be "agent" or "tool"`);
+            }
+            recipe.kind = kind;
+        }
+        if (env !== undefined) {
+            if (!isPlainObject(env)) {
+                fail(`${recipePath}.env must be an object`);
+            }
+            const normalizedEnv = {};
+            for (const [envKey, envValue] of Object.entries(env)) {
+                if (typeof envValue !== "string") {
+                    fail(`${recipePath}.env.${envKey} must be a string`);
+                }
+                normalizedEnv[envKey] = envValue;
+            }
+            recipe.env = normalizedEnv;
+        }
+        recipes[key] = recipe;
+    }
+    return recipes;
+}
 function applyDefaults(user) {
     // Guard the top-level shape before reading nested fields, so a
     // malformed runtime config produces a `groundcrew config: ...` error
@@ -455,6 +516,7 @@ function applyDefaults(user) {
     if (Object.hasOwn(user, "remote")) {
         fail("remote is no longer supported: groundcrew runs locally via safehouse/sdx/none; remove the remote block from your config");
     }
+    requireOptionalObject(user.sandbox, "sandbox");
     const userLocal = user.local;
     if (userLocal !== undefined && !isPlainObject(userLocal)) {
         fail("local must be an object");
@@ -482,6 +544,10 @@ function applyDefaults(user) {
         local: {
             runner: normalizeLocalRunner(userLocal?.runner, "local.runner") ?? "auto",
         },
+        sandbox: {
+            authRecipes: normalizeAuthRecipes(user.sandbox?.authRecipes, "sandbox.authRecipes"),
+            gitDefaults: normalizeOptionalBoolean(user.sandbox?.gitDefaults, "sandbox.gitDefaults") ?? true,
+        },
         logging: {
             file: expandHome(normalizeOptionalString(user.logging?.file, "logging.file") ?? defaultLogFile()),
         },

package/dist/lib/dockerSandbox.d.ts

@@ -25,15 +25,19 @@ interface EnsureSandboxArguments {
      * clone) are visible to `sbx exec -w <worktreeDir>` after creation.
      */
     mountPath: string;
+    /**
+     * When true, apply the standard git defaults inside the sandbox after
+     * it exists (idempotent, runs whether the sandbox was just created or
+     * already there). See `sandboxGitDefaults.ts` for what gets set.
+     */
+    gitDefaults: boolean;
+    /**
+     * Result of an earlier `sandboxExists` probe by the caller, used to
+     * skip the initial `sbx ls` here. Leave undefined to let this function
+     * probe on its own.
+     */
+    alreadyExists?: boolean;
 }
-/**
- * Idempotent guard: ensure a Docker Sandboxes container exists for the
- * given repository + model. Probes `sbx ls`; if `sandboxName` is missing,
- * calls `sbx create --name <name> [--template <t>] [--kit <k>]... <agent>
- * <mountPath>` to provision it. First-time agent auth still happens inside
- * the sandbox the first time `sbx exec` runs the agent — `create` only
- * provisions the container, it does not attach.
- */
 export declare function ensureSandbox(arguments_: EnsureSandboxArguments, signal?: AbortSignal): Promise<void>;
 export {};
 //# sourceMappingURL=dockerSandbox.d.ts.map

package/dist/lib/dockerSandbox.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dockerSandbox.d.ts","sourceRoot":"","sources":["../../src/lib/dockerSandbox.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAMpE;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAM/F;AAED,UAAU,sBAAsB;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,iBAAiB,CAAC;IAC3B;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,UAAU,EAAE,sBAAsB,EAClC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CAqBf"}
+{"version":3,"file":"dockerSandbox.d.ts","sourceRoot":"","sources":["../../src/lib/dockerSandbox.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAMpE;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAM/F;AAED,UAAU,sBAAsB;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,iBAAiB,CAAC;IAC3B;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,WAAW,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAsBD,wBAAsB,aAAa,CACjC,UAAU,EAAE,sBAAsB,EAClC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CAuBf"}

package/dist/lib/dockerSandbox.js

@@ -1,4 +1,5 @@
 import { runCommandAsync } from "./commandRunner.js";
+import { applyGitDefaults } from "./sandboxGitDefaults.js";
 /**
  * Derive a deterministic sbx sandbox name from the sbx agent so every
  * groundcrew model that targets the same agent reuses one sandbox across
@@ -29,30 +30,40 @@ export async function sandboxExists(sandboxName, signal) {
  * Idempotent guard: ensure a Docker Sandboxes container exists for the
  * given repository + model. Probes `sbx ls`; if `sandboxName` is missing,
  * calls `sbx create --name <name> [--template <t>] [--kit <k>]... <agent>
- * <mountPath>` to provision it. First-time agent auth still happens inside
- * the sandbox the first time `sbx exec` runs the agent — `create` only
- * provisions the container, it does not attach.
+ * <mountPath>` to provision it. Once the container exists (newly created
+ * or pre-existing), applies the standard git defaults when enabled.
+ * First-time agent auth still happens inside the sandbox the first time
+ * `sbx exec` runs the agent — `create` only provisions the container, it
+ * does not attach.
  */
-export async function ensureSandbox(arguments_, signal) {
-    if (await sandboxExists(arguments_.sandboxName, signal)) {
-        return;
-    }
-    const createArguments = ["create", "--name", arguments_.sandboxName];
-    if (arguments_.sandbox.template !== undefined) {
-        createArguments.push("--template", arguments_.sandbox.template);
-    }
-    for (const kit of arguments_.sandbox.kits ?? []) {
-        createArguments.push("--kit", kit);
+async function resolveExistence(arguments_, signal) {
+    if (arguments_.alreadyExists === undefined) {
+        return await sandboxExists(arguments_.sandboxName, signal);
     }
-    createArguments.push(arguments_.sandbox.agent, arguments_.mountPath);
-    const options = signal === undefined ? {} : { signal };
-    try {
-        await runCommandAsync("sbx", createArguments, options);
-    }
-    catch (error) {
-        if (await sandboxExists(arguments_.sandboxName, signal)) {
-            return;
+    return arguments_.alreadyExists;
+}
+export async function ensureSandbox(arguments_, signal) {
+    const existed = await resolveExistence(arguments_, signal);
+    if (!existed) {
+        const createArguments = ["create", "--name", arguments_.sandboxName];
+        if (arguments_.sandbox.template !== undefined) {
+            createArguments.push("--template", arguments_.sandbox.template);
+        }
+        for (const kit of arguments_.sandbox.kits ?? []) {
+            createArguments.push("--kit", kit);
+        }
+        createArguments.push(arguments_.sandbox.agent, arguments_.mountPath);
+        const options = signal === undefined ? {} : { signal };
+        try {
+            await runCommandAsync("sbx", createArguments, options);
         }
-        throw error;
+        catch (error) {
+            if (!(await sandboxExists(arguments_.sandboxName, signal))) {
+                throw error;
+            }
+        }
+    }
+    if (arguments_.gitDefaults) {
+        await applyGitDefaults({ sandboxName: arguments_.sandboxName }, signal);
     }
 }

package/dist/lib/sandboxGitDefaults.d.ts

@@ -0,0 +1,10 @@
+interface ApplyGitDefaultsArguments {
+    sandboxName: string;
+}
+/**
+ * Apply the standard git defaults inside `sandboxName`. Idempotent —
+ * safe to call on every `ensure`/`auth` run to repair drift.
+ */
+export declare function applyGitDefaults(arguments_: ApplyGitDefaultsArguments, signal?: AbortSignal): Promise<void>;
+export {};
+//# sourceMappingURL=sandboxGitDefaults.d.ts.map

package/dist/lib/sandboxGitDefaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandboxGitDefaults.d.ts","sourceRoot":"","sources":["../../src/lib/sandboxGitDefaults.ts"],"names":[],"mappings":"AAyBA,UAAU,yBAAyB;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,yBAAyB,EACrC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CAOf"}

package/dist/lib/sandboxGitDefaults.js

@@ -0,0 +1,31 @@
+import { runCommandAsync } from "./commandRunner.js";
+/**
+ * Git defaults applied inside every sandbox when `sandbox.gitDefaults`
+ * is enabled (the default).
+ *
+ * - Disable GPG signing — robot commits inside the sandbox have no key
+ *   and would otherwise fail or end up unsigned silently.
+ * - Rewrite GitHub SSH URLs to HTTPS so push/fetch go through the `gh`
+ *   credential helper (wired by `gh auth setup-git` after a successful
+ *   `crew sandbox auth` github login), regardless of how the user
+ *   originally cloned the repo on the host.
+ *
+ * `url.<base>.insteadOf` is multi-valued in git; `--unset-all` before
+ * `--add` keeps the set identical across repeated runs instead of
+ * appending duplicates.
+ */
+const GIT_DEFAULT_COMMANDS = [
+    "git config --global commit.gpgsign false",
+    "git config --global tag.gpgsign false",
+    '(git config --global --unset-all url."https://github.com/".insteadOf 2>/dev/null || true)',
+    'git config --global --add url."https://github.com/".insteadOf "git@github.com:"',
+    'git config --global --add url."https://github.com/".insteadOf "ssh://git@github.com/"',
+].join(" && ");
+/**
+ * Apply the standard git defaults inside `sandboxName`. Idempotent —
+ * safe to call on every `ensure`/`auth` run to repair drift.
+ */
+export async function applyGitDefaults(arguments_, signal) {
+    const options = signal === undefined ? {} : { signal };
+    await runCommandAsync("sbx", ["exec", arguments_.sandboxName, "sh", "-c", GIT_DEFAULT_COMMANDS], options);
+}

package/dist/lib/xdg.d.ts

@@ -0,0 +1,3 @@
+export declare function xdgConfigPath(...segments: string[]): string;
+export declare function xdgStatePath(...segments: string[]): string;
+//# sourceMappingURL=xdg.d.ts.map

package/dist/lib/xdg.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xdg.d.ts","sourceRoot":"","sources":["../../src/lib/xdg.ts"],"names":[],"mappings":"AAgBA,wBAAgB,aAAa,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAE3D;AAED,wBAAgB,YAAY,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAE1D"}

package/dist/lib/xdg.js

@@ -0,0 +1,19 @@
+import { homedir } from "node:os";
+import { isAbsolute, resolve } from "node:path";
+import { readEnvironmentVariable } from "./util.js";
+// Per the XDG Base Directory spec, relative override paths are invalid and
+// must be ignored — without this guard, a relative override would anchor to
+// the cwd via `resolve` instead of falling back to $HOME.
+function xdgBase(envName, fallbackSegments) {
+    const override = readEnvironmentVariable(envName);
+    if (override !== undefined && override.length > 0 && isAbsolute(override)) {
+        return override;
+    }
+    return resolve(homedir(), ...fallbackSegments);
+}
+export function xdgConfigPath(...segments) {
+    return resolve(xdgBase("XDG_CONFIG_HOME", [".config"]), ...segments);
+}
+export function xdgStatePath(...segments) {
+    return resolve(xdgBase("XDG_STATE_HOME", [".local", "state"]), ...segments);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clipboard-health/groundcrew",
-  "version": "3.1.9",
+  "version": "3.2.1",
   "description": "Linear-driven orchestrator that launches AI coding agents in git worktrees, with workspace lifecycle and usage tracking.",
   "keywords": [
     "agent",
@@ -68,6 +68,7 @@
   },
   "dependencies": {
     "@clipboard-health/clearance": "1.0.8",
+    "@inquirer/checkbox": "5.1.5",
     "@linear/sdk": "85.0.0",
     "cosmiconfig": "9.0.1",
     "tslib": "2.8.1",
@@ -76,26 +77,26 @@
   "devDependencies": {
     "@clipboard-health/ai-rules": "2.18.7",
     "@clipboard-health/oxlint-config": "1.9.4",
-    "@nx/js": "22.7.1",
+    "@nx/js": "22.7.2",
     "@tsconfig/node24": "24.0.4",
     "@tsconfig/strictest": "2.0.8",
-    "@types/node": "24.12.2",
+    "@types/node": "24.12.4",
     "@typescript/native-preview": "7.0.0-dev.20260522.1",
-    "@vitest/coverage-v8": "4.1.5",
+    "@vitest/coverage-v8": "4.1.6",
     "cspell": "10.0.0",
     "dependency-cruiser": "17.4.0",
     "husky": "9.1.7",
-    "jscpd": "4.0.9",
-    "knip": "6.9.0",
+    "jscpd": "4.2.3",
+    "knip": "6.14.1",
     "lint-staged": "17.0.5",
     "markdownlint-cli2": "0.22.1",
-    "nx": "22.7.1",
+    "nx": "22.7.2",
     "oxfmt": "0.50.0",
-    "oxlint": "1.64.0",
-    "oxlint-tsgolint": "0.22.1",
-    "syncpack": "15.0.0",
+    "oxlint": "1.65.0",
+    "oxlint-tsgolint": "0.23.0",
+    "syncpack": "15.2.0",
     "vite": "8.0.14",
-    "vitest": "4.1.5"
+    "vitest": "4.1.6"
   },
   "engines": {
     "node": "24.14.1",