@madarco/agentbox 0.13.0 → 0.15.0

package/dist/{chunk-B4QG2MCW.js → chunk-MLMFNN4T.js}

@@ -4,7 +4,6 @@ import {
   GitWorktreeError,
   STATE_DIR,
   STATE_FILE,
-  allocateProjectIndex,
   computeDockerContextFingerprint,
   detectGitRepos,
   ensureImage,
@@ -18,14 +17,15 @@ import {
   readPreparedDockerState,
   readState,
   recordBox,
-  removeBoxRecord
-} from "./chunk-SNTHHWKY.js";
+  removeBoxRecord,
+  reserveProjectIndex
+} from "./chunk-XKH7NTT7.js";
 
 // ../../packages/sandbox-docker/dist/index.js
 import { mkdir as mkdir7, stat as stat8 } from "fs/promises";
 import { homedir as homedir10 } from "os";
-import { basename as basename4, join as join11, resolve as resolve3 } from "path";
-import { execa as execa14 } from "execa";
+import { basename as basename5, join as join12, resolve as resolve4 } from "path";
+import { execa as execa15 } from "execa";
 
 // ../../packages/ctl/dist/index.js
 import { readFile } from "fs/promises";
@@ -517,7 +517,21 @@ var CarryConfigError = class extends Error {
     this.name = "CarryConfigError";
   }
 };
-var ITEM_KEYS = /* @__PURE__ */ new Set(["src", "dest", "mode", "user", "optional"]);
+var ITEM_KEYS = /* @__PURE__ */ new Set(["src", "dest", "mode", "user", "exclude", "optional"]);
+function parseExclude(raw, where) {
+  if (raw === void 0 || raw === null) return void 0;
+  if (!Array.isArray(raw)) {
+    throw new CarryConfigError(`${where}.exclude must be a list of glob/name strings`);
+  }
+  const out = [];
+  for (const [i, v] of raw.entries()) {
+    if (typeof v !== "string" || v.trim().length === 0) {
+      throw new CarryConfigError(`${where}.exclude[${String(i)}] must be a non-empty string`);
+    }
+    out.push(v.trim());
+  }
+  return out.length > 0 ? out : void 0;
+}
 function parseUser(raw, where) {
   if (raw === void 0 || raw === null) return void 0;
   let n;
@@ -646,6 +660,7 @@ function parseMapping(raw, where) {
   assertDestShape(dest, where);
   const mode = parseMode(raw.mode, where);
   const user = parseUser(raw.user, where);
+  const exclude = parseExclude(raw.exclude, where);
   let optional = false;
   if (raw.optional !== void 0 && raw.optional !== null) {
     if (typeof raw.optional !== "boolean") {
@@ -656,6 +671,7 @@ function parseMapping(raw, where) {
   const out = { src, dest, optional };
   if (mode !== void 0) out.mode = mode;
   if (user !== void 0) out.user = user;
+  if (exclude !== void 0) out.exclude = exclude;
   return out;
 }
 function parseCarryRaw(raw) {
@@ -702,20 +718,6 @@ async function loadCarrySection(path) {
   return parseCarrySection(text);
 }
 
-// ../../packages/sandbox-docker/dist/index.js
-import { spawnSync } from "child_process";
-import { mkdir as mkdir3, mkdtemp as mkdtemp2, readdir as readdir3, readFile as readFile4, realpath as realpath2, rm as rm2, stat as stat3, writeFile as writeFile22 } from "fs/promises";
-import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
-import { isAbsolute as isAbsolute2, join as join4, relative as relative2 } from "path";
-import { setTimeout as delay } from "timers/promises";
-import { execa as execa5 } from "execa";
-import { execa as execa2 } from "execa";
-import { mkdir as mkdir4, readFile as readFile5, readdir as readdir4, stat as stat4 } from "fs/promises";
-import { createHash as createHash3 } from "crypto";
-import { homedir as homedir2 } from "os";
-import { join as join5 } from "path";
-import { execa as execa22 } from "execa";
-
 // ../../packages/config/dist/index.js
 import { parse as parseYaml3 } from "yaml";
 import { createHash } from "crypto";
@@ -737,15 +739,18 @@ var BUILT_IN_DEFAULTS = {
     defaultCheckpointDaytona: "",
     defaultCheckpointHetzner: "",
     defaultCheckpointVercel: "",
+    defaultCheckpointE2b: "",
     size: "",
     sizeDocker: "",
     sizeDaytona: "",
     sizeHetzner: "",
     sizeVercel: "",
+    sizeE2b: "",
     withPlaywright: false,
     withEnv: false,
     resyncOnStart: true,
     vnc: true,
+    autoApproveHostActions: false,
     isolateClaudeConfig: false,
     isolateCodexConfig: false,
     isolateOpencodeConfig: false,
@@ -754,6 +759,7 @@ var BUILT_IN_DEFAULTS = {
     imageDaytona: "",
     imageHetzner: "",
     imageVercel: "",
+    imageE2b: "",
     // Mirrors BOX_IMAGE_REGISTRY in @agentbox/sandbox-docker. Empty disables the
     // registry pull (always build the docker base image locally).
     imageRegistry: "ghcr.io/madarco/agentbox/box",
@@ -765,7 +771,8 @@ var BUILT_IN_DEFAULTS = {
     bundleDepth: void 0,
     vercelVcpus: 2,
     vercelTimeoutMs: 27e5,
-    vercelNetworkPolicy: ""
+    vercelNetworkPolicy: "",
+    cpMaxBytes: 100 * 1024 * 1024
   },
   checkpoint: {
     maxLayers: 3
@@ -821,7 +828,8 @@ var BUILT_IN_DEFAULTS = {
     enabled: true,
     maxConcurrent: 5,
     maxWorking: 0,
-    idleGraceSeconds: 15
+    idleGraceSeconds: 15,
+    openIn: "none"
   },
   cloud: {
     useCurrentBranch: false
@@ -835,8 +843,8 @@ var KEY_REGISTRY = [
   {
     key: "box.provider",
     type: "enum",
-    enumValues: ["docker", "daytona", "hetzner", "vercel"],
-    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, or Vercel Sandboxes."
+    enumValues: ["docker", "daytona", "hetzner", "vercel", "e2b"],
+    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, Vercel Sandboxes, or E2B microVMs."
   },
   {
     key: "box.hostSnapshot",
@@ -872,6 +880,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
     advanced: true
   },
+  {
+    key: "box.defaultCheckpointE2b",
+    type: "string",
+    description: "Per-provider override of `box.defaultCheckpoint` for e2b. Wins over the global when set; set via `agentbox checkpoint set-default --provider e2b`.",
+    advanced: true
+  },
   {
     key: "box.size",
     type: "string",
@@ -901,6 +915,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.size` for vercel. Reserved \u2014 vercel sizing is controlled via `box.vercelVcpus`.",
     advanced: true
   },
+  {
+    key: "box.sizeE2b",
+    type: "string",
+    description: "Per-provider override of `box.size` for e2b. Reserved \u2014 e2b sizing is template-level (set at `agentbox prepare --provider e2b` time via --vcpus / --memory).",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -927,6 +947,11 @@ var KEY_REGISTRY = [
     type: "bool",
     description: "Run the per-box Xvnc + noVNC stack."
   },
+  {
+    key: "box.autoApproveHostActions",
+    type: "bool",
+    description: "Auto-approve host-action confirmations (git push, cp host<->box, gh PR writes, checkpoint) for this box without an interactive prompt. Off by default; intended for unattended orchestration of trusted boxes. Each auto-approval is recorded as a relay event (visible in `agentbox agent` / the dashboard)."
+  },
   {
     key: "box.isolateClaudeConfig",
     type: "bool",
@@ -972,6 +997,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.image` for vercel (snapshot id, e.g. `snap_\u2026`). Written by `agentbox prepare --provider vercel`.",
     advanced: true
   },
+  {
+    key: "box.imageE2b",
+    type: "string",
+    description: "Per-provider override of `box.image` for e2b (template id or `name:tag`, e.g. `agentbox-base:latest`). Written by `agentbox prepare --provider e2b`.",
+    advanced: true
+  },
   {
     key: "box.imageRegistry",
     type: "string",
@@ -1019,6 +1050,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
   },
+  {
+    key: "box.cpMaxBytes",
+    type: "int",
+    description: "Max bytes a single host\u2192box copy may transfer after excludes, shared by `agentbox cp` (blocked with a size breakdown unless --yes) and each `carry:` entry (rejected at resolve time). Default 104857600 (100 MiB).",
+    advanced: true
+  },
   {
     key: "box.vercelNetworkPolicy",
     type: "string",
@@ -1166,6 +1203,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
   },
+  {
+    key: "queue.openIn",
+    type: "enum",
+    enumValues: ["none", "split", "window", "tab"],
+    description: "When a background `-i` job finishes creating its box, where the host relay opens an attached terminal onto it: `none` (default \u2014 open nothing, just queue), `split`, `window`, or `tab`. Honored only when the submitting shell runs inside tmux, cmux, or iTerm2 (the targeting is captured at submit time). Under cmux, `split` splits the pane you submitted from (falling back to the parent workspace, then a new workspace), `tab` adds a tab in the parent workspace, and `window` opens a separate workspace; iTerm2 opens relative to the frontmost window. Unlike `attach.openIn` there is no `same` mode \u2014 the box is created asynchronously, so it is always a fresh terminal."
+  },
   {
     key: "cloud.useCurrentBranch",
     type: "bool",
@@ -1526,7 +1569,7 @@ function writeLeaf(obj, branch, leaf, value) {
   b[leaf] = value;
 }
 function resolveDefaultCheckpoint(cfg, provider) {
-  const perProvider = provider === "daytona" ? cfg.box.defaultCheckpointDaytona : provider === "hetzner" ? cfg.box.defaultCheckpointHetzner : provider === "vercel" ? cfg.box.defaultCheckpointVercel : cfg.box.defaultCheckpointDocker;
+  const perProvider = provider === "daytona" ? cfg.box.defaultCheckpointDaytona : provider === "hetzner" ? cfg.box.defaultCheckpointHetzner : provider === "vercel" ? cfg.box.defaultCheckpointVercel : provider === "e2b" ? cfg.box.defaultCheckpointE2b : cfg.box.defaultCheckpointDocker;
   if (perProvider && perProvider.length > 0) return perProvider;
   return cfg.box.defaultCheckpoint;
 }
@@ -1535,15 +1578,16 @@ function defaultCheckpointConfigKey(provider) {
   if (provider === "daytona") return "box.defaultCheckpointDaytona";
   if (provider === "hetzner") return "box.defaultCheckpointHetzner";
   if (provider === "vercel") return "box.defaultCheckpointVercel";
+  if (provider === "e2b") return "box.defaultCheckpointE2b";
   return "box.defaultCheckpoint";
 }
 function resolveBoxSize(cfg, provider) {
-  const perProvider = provider === "daytona" ? cfg.box.sizeDaytona : provider === "hetzner" ? cfg.box.sizeHetzner : provider === "vercel" ? cfg.box.sizeVercel : cfg.box.sizeDocker;
+  const perProvider = provider === "daytona" ? cfg.box.sizeDaytona : provider === "hetzner" ? cfg.box.sizeHetzner : provider === "vercel" ? cfg.box.sizeVercel : provider === "e2b" ? cfg.box.sizeE2b : cfg.box.sizeDocker;
   if (perProvider && perProvider.length > 0) return perProvider;
   return cfg.box.size;
 }
 function resolveBoxImage(cfg, provider) {
-  const perProvider = provider === "daytona" ? cfg.box.imageDaytona : provider === "hetzner" ? cfg.box.imageHetzner : provider === "vercel" ? cfg.box.imageVercel : cfg.box.imageDocker;
+  const perProvider = provider === "daytona" ? cfg.box.imageDaytona : provider === "hetzner" ? cfg.box.imageHetzner : provider === "vercel" ? cfg.box.imageVercel : provider === "e2b" ? cfg.box.imageE2b : cfg.box.imageDocker;
   if (perProvider && perProvider.length > 0) return perProvider;
   return cfg.box.image;
 }
@@ -1552,6 +1596,7 @@ function boxImageConfigKey(provider) {
   if (provider === "daytona") return "box.imageDaytona";
   if (provider === "hetzner") return "box.imageHetzner";
   if (provider === "vercel") return "box.imageVercel";
+  if (provider === "e2b") return "box.imageE2b";
   return "box.image";
 }
 async function setConfigValue(scope, key, value, cwd, opts = {}) {
@@ -1748,30 +1793,48 @@ async function touchProjectMeta(absPath) {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
+import { spawnSync } from "child_process";
+import { mkdir as mkdir3, mkdtemp as mkdtemp2, readdir as readdir3, readFile as readFile42, realpath as realpath2, rm as rm2, stat as stat3, writeFile as writeFile22 } from "fs/promises";
+import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
+import { isAbsolute as isAbsolute2, join as join4, relative as relative2 } from "path";
+import { setTimeout as delay } from "timers/promises";
+import { execa as execa6 } from "execa";
+import { execa as execa2 } from "execa";
+import { mkdir as mkdir4, readFile as readFile5, readdir as readdir4, stat as stat4 } from "fs/promises";
+import { createHash as createHash3 } from "crypto";
+import { homedir as homedir2 } from "os";
+import { join as join5 } from "path";
+import { execa as execa3 } from "execa";
+import { existsSync, mkdirSync, renameSync, statSync } from "fs";
+import { basename as basename2, dirname as dirname3, posix, resolve as resolve2 } from "path";
+import { execa as execa22 } from "execa";
 import { copyFile, mkdtemp, readdir as readdir22, readFile as readFile32, rm as rm3, stat as stat22, writeFile as writeFile3 } from "fs/promises";
 import { homedir as homedir22, tmpdir } from "os";
-import { basename as basename2, join as join32, relative } from "path";
+import { basename as basename3, join as join32, relative } from "path";
+import { execa as execa5 } from "execa";
+import { chmod, mkdir as mkdir22, readFile as readFile23 } from "fs/promises";
+import { basename as basename22, join as join22 } from "path";
 import { execa as execa4 } from "execa";
-import { chmod, mkdir as mkdir22, readFile as readFile24 } from "fs/promises";
-import { basename as basename3, join as join22 } from "path";
-import { execa as execa3 } from "execa";
 import { spawnSync as spawnSync2 } from "child_process";
 import { stat as stat42 } from "fs/promises";
 import { homedir as homedir4 } from "os";
 import { join as join52 } from "path";
-import { execa as execa6 } from "execa";
+import { execa as execa7 } from "execa";
 import { spawnSync as spawnSync3 } from "child_process";
 import { stat as stat5 } from "fs/promises";
 import { homedir as homedir5 } from "os";
 import { join as join6 } from "path";
-import { execa as execa7 } from "execa";
-import { randomBytes as randomBytes3 } from "crypto";
 import { execa as execa8 } from "execa";
-import { existsSync } from "fs";
+import { randomBytes as randomBytes3 } from "crypto";
+import { createHash as createHash22 } from "crypto";
 import { readFile as readFile52 } from "fs/promises";
-import { homedir as homedir6 } from "os";
 import { join as join7 } from "path";
 import { execa as execa9 } from "execa";
+import { existsSync as existsSync2 } from "fs";
+import { readFile as readFile6 } from "fs/promises";
+import { homedir as homedir6 } from "os";
+import { join as join8 } from "path";
+import { execa as execa10 } from "execa";
 
 // ../../packages/core/dist/index.js
 import { randomBytes } from "crypto";
@@ -1805,6 +1868,12 @@ function resolveAgentLauncher(kind) {
   if (kind === "opencode") return opencodeLauncher;
   throw new Error(`unknown agent kind: ${String(kind)}`);
 }
+var UserFacingError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UserFacingError";
+  }
+};
 var BoxNotFoundError = class extends Error {
   constructor(query) {
     super(`no agentbox matches "${query}"`);
@@ -1830,36 +1899,36 @@ function generateBoxId() {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa10 } from "execa";
+import { execa as execa11 } from "execa";
 import { mkdir as mkdir42, readdir as readdir42, rm as rm32, stat as stat6 } from "fs/promises";
 import { homedir as homedir7, platform } from "os";
-import { join as join8, resolve as resolve2 } from "path";
-import { mkdir as mkdir5, mkdtemp as mkdtemp3, readFile as readFile6, readdir as readdir5, rm as rm4, writeFile as writeFile32 } from "fs/promises";
+import { join as join9, resolve as resolve22 } from "path";
+import { mkdir as mkdir5, mkdtemp as mkdtemp3, readFile as readFile7, readdir as readdir5, rm as rm4, writeFile as writeFile32 } from "fs/promises";
 import { homedir as homedir8, tmpdir as tmpdir3 } from "os";
-import { basename as basename32, join as join9 } from "path";
-import { execa as execa11 } from "execa";
-import { stat as stat7 } from "fs/promises";
+import { basename as basename4, join as join10 } from "path";
 import { execa as execa12 } from "execa";
+import { stat as stat7 } from "fs/promises";
 import { execa as execa13 } from "execa";
+import { execa as execa14 } from "execa";
 import { spawn } from "child_process";
 import { randomBytes as randomBytes22 } from "crypto";
-import { existsSync as existsSync2, openSync } from "fs";
-import { cp, mkdir as mkdir6, readFile as readFile7, readdir as readdir6, rename as rename3, rm as rm5, unlink as unlink2, writeFile as writeFile4 } from "fs/promises";
+import { existsSync as existsSync3, openSync } from "fs";
+import { cp, mkdir as mkdir6, readFile as readFile8, readdir as readdir6, rename as rename3, rm as rm5, unlink as unlink2, writeFile as writeFile4 } from "fs/promises";
 import { request as httpRequest } from "http";
 import { createRequire } from "module";
 import { homedir as homedir9 } from "os";
-import { dirname as dirname3, join as join10, resolve as resolve22, sep } from "path";
+import { dirname as dirname22, join as join11, resolve as resolve3, sep } from "path";
 import { setTimeout as delay2 } from "timers/promises";
 import { fileURLToPath } from "url";
 
 // ../../packages/relay/dist/index.js
 import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
 import { execa } from "execa";
-import { spawn as spawn4 } from "child_process";
+import { spawn as spawn3 } from "child_process";
 import {
   mkdir as mkdir2,
   readdir as readdir2,
-  readFile as readFile23,
+  readFile as readFile4,
   rename as rename2,
   unlink,
   writeFile as writeFile2
@@ -1921,7 +1990,7 @@ async function loadQueueConfig() {
   const d = BUILT_IN_DEFAULTS.queue;
   let global = {};
   try {
-    global = parseUserConfig(await readFile23(GLOBAL_CONFIG_FILE, "utf8"), GLOBAL_CONFIG_FILE);
+    global = parseUserConfig(await readFile4(GLOBAL_CONFIG_FILE, "utf8"), GLOBAL_CONFIG_FILE);
   } catch {
   }
   const q = global.queue ?? {};
@@ -1941,7 +2010,7 @@ async function writeJob(job) {
 }
 async function readJob(id) {
   try {
-    const raw = await readFile23(join3(QUEUE_DIR, `${id}.json`), "utf8");
+    const raw = await readFile4(join3(QUEUE_DIR, `${id}.json`), "utf8");
     return JSON.parse(raw);
   } catch (err) {
     if (err.code === "ENOENT") return null;
@@ -1967,7 +2036,7 @@ async function loadQueue() {
   for (const name of entries) {
     if (!name.endsWith(".json")) continue;
     try {
-      const raw = await readFile23(join3(QUEUE_DIR, name), "utf8");
+      const raw = await readFile4(join3(QUEUE_DIR, name), "utf8");
       out.push(JSON.parse(raw));
     } catch {
     }
@@ -1975,6 +2044,8 @@ async function loadQueue() {
   out.sort((a, b) => a.createdAt < b.createdAt ? -1 : a.createdAt > b.createdAt ? 1 : 0);
   return out;
 }
+var TERMINAL_RETENTION_MS = 60 * 60 * 1e3;
+var SWEEP_INTERVAL_MS = 60 * 1e3;
 function processAlive(pid) {
   try {
     process.kill(pid, 0);
@@ -2043,7 +2114,7 @@ async function uncachedBoxStateCount() {
 }
 function inspectDockerState(containerName) {
   return new Promise((resolveP) => {
-    const child = spawn4("docker", ["inspect", "--format", "{{.State.Status}}", containerName], {
+    const child = spawn3("docker", ["inspect", "--format", "{{.State.Status}}", containerName], {
       stdio: ["ignore", "pipe", "pipe"]
     });
     let out = "";
@@ -2076,21 +2147,18 @@ function queueLogPath(id) {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa16 } from "execa";
+import { execa as execa17 } from "execa";
 import { readdir as readdir7, rm as rm6, stat as stat9 } from "fs/promises";
+import { join as join14 } from "path";
+import { execa as execa16 } from "execa";
 import { join as join13 } from "path";
-import { execa as execa15 } from "execa";
-import { join as join12 } from "path";
 import { homedir as homedir11 } from "os";
-import { join as join14 } from "path";
-import { execa as execa17 } from "execa";
-import { existsSync as existsSync3, mkdirSync, renameSync, statSync } from "fs";
-import { basename as basename5, dirname as dirname22, posix, resolve as resolve4 } from "path";
+import { join as join15 } from "path";
 import { execa as execa18 } from "execa";
-import { createHash as createHash22 } from "crypto";
-import { copyFile as copyFile2, mkdir as mkdir8, mkdtemp as mkdtemp4, readdir as readdir8, readFile as readFile8, rm as rm7, stat as stat10 } from "fs/promises";
+import { createHash as createHash32 } from "crypto";
+import { copyFile as copyFile2, mkdir as mkdir8, mkdtemp as mkdtemp4, readdir as readdir8, readFile as readFile9, rm as rm7, stat as stat10 } from "fs/promises";
 import { homedir as homedir12, tmpdir as tmpdir4 } from "os";
-import { basename as basename6, dirname as dirname32, join as join15 } from "path";
+import { basename as basename6, dirname as dirname32, join as join16 } from "path";
 import { execa as execa19 } from "execa";
 function isHostPathHookCommand(command, hostHome) {
   if (typeof command !== "string" || command.length === 0) return false;
@@ -2486,11 +2554,144 @@ async function listAgentboxVolumes() {
   if (result.exitCode !== 0) return [];
   return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
 }
+function posixDirname(p) {
+  return posix.dirname(p) || "/";
+}
+function asText(s) {
+  if (s === void 0) return "";
+  if (typeof s === "string") return s;
+  return Buffer.from(s).toString("utf8");
+}
+function tarExcludeArgs(exclude) {
+  return (exclude ?? []).map((p) => `--exclude=${p}`);
+}
+async function streamTarPipe(producerFile, producerArgs, consumerFile, consumerArgs, producerEnv) {
+  const producer = execa22(producerFile, producerArgs, {
+    reject: false,
+    buffer: { stdout: false },
+    ...producerEnv ? { env: producerEnv } : {}
+  });
+  const consumer = execa22(consumerFile, consumerArgs, {
+    reject: false,
+    buffer: { stdout: false }
+  });
+  producer.stdout?.pipe(consumer.stdin);
+  const [p, c] = await Promise.all([producer, consumer]);
+  return [
+    { exitCode: p.exitCode, stderr: p.stderr },
+    { exitCode: c.exitCode, stderr: c.stderr }
+  ];
+}
+async function uploadToBox(box, hostSrc, boxDst, exclude) {
+  const srcAbs = resolve2(hostSrc);
+  if (!existsSync(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
+  const srcBasename = basename2(srcAbs);
+  const srcParent = dirname3(srcAbs);
+  let boxParent;
+  let finalName;
+  if (boxDst.endsWith("/")) {
+    boxParent = boxDst.replace(/\/+$/, "") || "/";
+    finalName = srcBasename;
+  } else {
+    const isDir2 = await execa22(
+      "docker",
+      ["exec", box.container, "test", "-d", boxDst],
+      { reject: false }
+    );
+    if (isDir2.exitCode === 0) {
+      boxParent = boxDst.replace(/\/+$/, "") || "/";
+      finalName = srcBasename;
+    } else {
+      boxParent = posixDirname(boxDst);
+      finalName = posix.basename(boxDst);
+    }
+  }
+  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
+  const mk = await execa22(
+    "docker",
+    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
+    { reject: false }
+  );
+  if (mk.exitCode !== 0) {
+    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
+  }
+  const [packed, extracted] = await streamTarPipe(
+    "tar",
+    ["-C", srcParent, "-cf", "-", ...tarExcludeArgs(exclude), srcBasename],
+    "docker",
+    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
+    { ...process.env, COPYFILE_DISABLE: "1" }
+  );
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  if (extracted.exitCode !== 0) {
+    throw new Error(`tar extract in box failed: ${asText(extracted.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
+    const mv = await execa22(
+      "docker",
+      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
+      { reject: false }
+    );
+    if (mv.exitCode !== 0) {
+      throw new Error(
+        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
+      );
+    }
+  }
+  const chown = await execa22(
+    "docker",
+    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
+    { reject: false }
+  );
+  if (chown.exitCode !== 0) {
+    return {
+      finalPath,
+      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
+    };
+  }
+  return { finalPath };
+}
+async function downloadFromBox(box, boxSrc, hostDst, exclude) {
+  const srcBasename = posix.basename(boxSrc);
+  const srcParent = posixDirname(boxSrc);
+  const dstAbs = resolve2(hostDst);
+  let hostParent;
+  let finalName;
+  const dstExists = existsSync(dstAbs);
+  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
+    hostParent = dstAbs;
+    finalName = srcBasename;
+  } else {
+    hostParent = dirname3(dstAbs);
+    finalName = basename2(dstAbs);
+  }
+  mkdirSync(hostParent, { recursive: true });
+  const finalPath = posix.join(hostParent, finalName);
+  const [packed, extracted] = await streamTarPipe(
+    "docker",
+    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", ...tarExcludeArgs(exclude), srcBasename],
+    "tar",
+    ["-xf", "-", "-C", hostParent]
+  );
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  if (extracted.exitCode !== 0) {
+    throw new Error(`tar extract on host failed: ${asText(extracted.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    renameSync(posix.join(hostParent, srcBasename), finalPath);
+  }
+  return { finalPath };
+}
 var CONTAINER_EXPORT_MERGED = "/host-export";
 var cachedEngine = null;
 async function detectEngine() {
   if (cachedEngine !== null) return cachedEngine;
-  const result = await execa22("docker", ["info", "--format", "{{.OperatingSystem}}"], {
+  const result = await execa3("docker", ["info", "--format", "{{.OperatingSystem}}"], {
     reject: false
   });
   const os = (result.stdout ?? "").trim().toLowerCase();
@@ -2503,7 +2704,7 @@ function setEngineOverride(engine) {
   cachedEngine = engine;
 }
 async function getDockerContext() {
-  const result = await execa22("docker", ["context", "show"], { reject: false });
+  const result = await execa3("docker", ["context", "show"], { reject: false });
   if (result.exitCode !== 0) return void 0;
   const ctx = (result.stdout ?? "").trim();
   return ctx.length > 0 ? ctx : void 0;
@@ -2563,7 +2764,7 @@ async function refreshExport(record, opts = {}) {
     return { hostPath: paths.mergedExport, copied: true, usedFallback: false };
   }
   const excludes = excludeNodeModules ? ["--exclude=node_modules"] : [];
-  const result = await execa22(
+  const result = await execa3(
     "docker",
     ["exec", "--user", "root", record.container, "tar", "-cf", "-", ...excludes, "-C", "/workspace", "."],
     { reject: false, encoding: "buffer" }
@@ -2575,7 +2776,7 @@ async function refreshExport(record, opts = {}) {
       typeof result.stderr === "string" ? result.stderr : result.stderr.toString("utf8")
     );
   }
-  const extract = await execa22("tar", ["-xf", "-", "-C", paths.mergedExport], {
+  const extract = await execa3("tar", ["-xf", "-", "-C", paths.mergedExport], {
     input: result.stdout,
     reject: false
   });
@@ -2670,7 +2871,7 @@ function buildHostEnvFindArgs(patterns) {
 async function copyHostEnvFilesToBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const found = await execa22("find", buildHostEnvFindArgs(opts.patterns).slice(1), {
+  const found = await execa3("find", buildHostEnvFindArgs(opts.patterns).slice(1), {
     cwd: opts.workspaceDir,
     reject: false
   });
@@ -2680,7 +2881,7 @@ async function copyHostEnvFilesToBox(opts) {
   }
   const list = String(found.stdout).split("\0").filter((p) => p.length > 0);
   if (list.length === 0) return { copied: 0 };
-  const packed = await execa22("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
+  const packed = await execa3("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
     input: list.join("\0"),
     encoding: "buffer",
     reject: false
@@ -2689,7 +2890,7 @@ async function copyHostEnvFilesToBox(opts) {
     log(`warning: env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     return { copied: 0 };
   }
-  const extract = await execa22(
+  const extract = await execa3(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-xf", "-", "-C", "/workspace"],
     { input: packed.stdout, reject: false }
@@ -2702,7 +2903,7 @@ async function copyHostEnvFilesToBox(opts) {
 }
 async function scanHostEnvFiles(workspaceDir, patterns) {
   if (patterns.length === 0) return [];
-  const found = await execa22("find", buildHostEnvFindArgs(patterns).slice(1), {
+  const found = await execa3("find", buildHostEnvFindArgs(patterns).slice(1), {
     cwd: workspaceDir,
     reject: false
   });
@@ -2714,7 +2915,7 @@ async function copyHostFilesToBox(opts) {
   });
   const list = opts.files.map((p) => p.replace(/^\.\//, "")).filter((p) => p.length > 0);
   if (list.length === 0) return { copied: 0 };
-  const packed = await execa22("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
+  const packed = await execa3("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
     input: list.join("\0"),
     encoding: "buffer",
     reject: false
@@ -2723,7 +2924,7 @@ async function copyHostFilesToBox(opts) {
     log(`warning: env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     return { copied: 0 };
   }
-  const extract = await execa22(
+  const extract = await execa3(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-xf", "-", "-C", "/workspace"],
     { input: packed.stdout, reject: false }
@@ -2797,7 +2998,7 @@ async function pullToHost(record, opts = {}) {
   }
   const src = `${scratchDir}/`;
   const dst = `${record.workspacePath}/`;
-  const dry = await execa22("rsync", [...baseArgs, "--dry-run", "-i", src, dst], {
+  const dry = await execa3("rsync", [...baseArgs, "--dry-run", "-i", src, dst], {
     reject: false,
     input: fileList !== null ? fileList : void 0
   });
@@ -2808,7 +3009,7 @@ async function pullToHost(record, opts = {}) {
   if (opts.dryRun) {
     return { hostPath: record.workspacePath, changes, applied: false, usedGitignore };
   }
-  const real = await execa22("rsync", [...baseArgs, src, dst], {
+  const real = await execa3("rsync", [...baseArgs, src, dst], {
     reject: false,
     input: fileList !== null ? fileList : void 0
   });
@@ -2833,7 +3034,7 @@ async function openInFinder(record, opts) {
     usedFallback = refreshed.usedFallback;
   }
   if (!opts.noOpen) {
-    const opened = await execa22(hostOpenCommand(), [hostPath], { reject: false });
+    const opened = await execa3(hostOpenCommand(), [hostPath], { reject: false });
     if (opened.exitCode !== 0) {
       throw new ExportError(`open ${hostPath} failed`, opened.stdout, opened.stderr);
     }
@@ -2856,12 +3057,14 @@ async function carrySourceHash(entry) {
     if (entry.kind === "file") {
       return createHash3("sha256").update(await readFile5(entry.absSrc)).digest("hex");
     }
+    const exclude = entry.exclude ?? [];
     const h = createHash3("sha256");
     const walk = async (dir, rel) => {
       const names = (await readdir4(dir)).sort();
       for (const name of names) {
-        const abs = join5(dir, name);
         const relPath = rel ? `${rel}/${name}` : name;
+        if (carryRelExcluded(relPath, exclude)) continue;
+        const abs = join5(dir, name);
         const st = await stat4(abs);
         if (st.isDirectory()) {
           h.update(`d\0${relPath}
@@ -2880,6 +3083,24 @@ async function carrySourceHash(entry) {
     return void 0;
   }
 }
+function carryRelExcluded(relPath, patterns) {
+  if (patterns.length === 0) return false;
+  const segs = relPath.split("/");
+  for (const p of patterns) {
+    const isGlob = p.includes("*") || p.includes("?");
+    if (!isGlob) {
+      if (segs.includes(p)) return true;
+    } else if (p.startsWith("*/") && !/[*?/]/.test(p.slice(2))) {
+      if (segs.includes(p.slice(2))) return true;
+    } else {
+      const re = new RegExp(
+        `^${p.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+      );
+      if (re.test(relPath)) return true;
+    }
+  }
+  return false;
+}
 async function copyCarryPathsToBox(opts) {
   const log = opts.onLog ?? (() => {
   });
@@ -2915,7 +3136,7 @@ async function copyOneEntry(container, entry) {
   const boxDest = entry.absDest.startsWith("~/") ? `${BOX_HOME}/${entry.absDest.slice(2)}` : entry.absDest;
   const boxDestParent = boxDest.endsWith("/") ? boxDest.slice(0, -1) : boxDest;
   const parentDir = entry.kind === "dir" ? boxDestParent : dirnameUnix(boxDestParent);
-  const mkdir9 = await execa22(
+  const mkdir9 = await execa3(
     "docker",
     ["exec", "--user", "0:0", container, "mkdir", "-p", parentDir],
     { reject: false }
@@ -2924,7 +3145,7 @@ async function copyOneEntry(container, entry) {
     throw new Error(`mkdir -p ${parentDir} failed: ${String(mkdir9.stderr).slice(0, 300)}`);
   }
   if (entry.kind === "file") {
-    const cp2 = await execa22(
+    const cp2 = await execa3(
       "docker",
       ["cp", entry.absSrc, `${container}:${boxDest}`],
       { reject: false }
@@ -2933,15 +3154,10 @@ async function copyOneEntry(container, entry) {
       throw new Error(`docker cp failed: ${String(cp2.stderr).slice(0, 300)}`);
     }
   } else {
-    const packed = await execa22(
+    const excludeArgs = (entry.exclude ?? []).map((p) => `--exclude=${p}`);
+    const [packed, extract] = await streamTarPipe(
       "tar",
-      ["-C", entry.absSrc, "-cf", "-", "."],
-      { encoding: "buffer", reject: false }
-    );
-    if (packed.exitCode !== 0) {
-      throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
-    }
-    const extract = await execa22(
+      ["-C", entry.absSrc, "-cf", "-", ...excludeArgs, "."],
       "docker",
       [
         "exec",
@@ -2957,16 +3173,18 @@ async function copyOneEntry(container, entry) {
         "--no-same-permissions",
         "--no-same-owner",
         "-m"
-      ],
-      { input: packed.stdout, reject: false }
+      ]
     );
+    if (packed.exitCode !== 0) {
+      throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
+    }
     if (extract.exitCode !== 0) {
       throw new Error(`tar extract failed: ${String(extract.stderr).slice(0, 300)}`);
     }
   }
   if (entry.mode !== void 0) {
     const modeStr = entry.mode.toString(8).padStart(4, "0");
-    const chmod2 = await execa22(
+    const chmod2 = await execa3(
       "docker",
       ["exec", "--user", "0:0", container, "chmod", "-R", modeStr, boxDest],
       { reject: false }
@@ -2976,7 +3194,7 @@ async function copyOneEntry(container, entry) {
     }
   }
   const uid = entry.user ?? 1e3;
-  const chown = await execa22(
+  const chown = await execa3(
     "docker",
     ["exec", "--user", "0:0", container, "chown", "-R", `${String(uid)}:${String(uid)}`, boxDest],
     { reject: false }
@@ -2987,7 +3205,7 @@ async function copyOneEntry(container, entry) {
   if (boxDest.startsWith(BOX_HOME + "/") && dirnameUnix(boxDest) !== BOX_HOME) {
     const safeDest = boxDest.replace(/'/g, `'\\''`);
     const script = `set -e; parent="$(dirname '${safeDest}')"; while [ "$parent" != "${BOX_HOME}" ] && [ "$parent" != "/" ]; do chown ${String(uid)}:${String(uid)} "$parent"; parent="$(dirname "$parent")"; done`;
-    const chownParents = await execa22(
+    const chownParents = await execa3(
       "docker",
       ["exec", "--user", "0:0", container, "bash", "-c", script],
       { reject: false }
@@ -3021,7 +3239,7 @@ function isRealAgentCredential(agent, text) {
 }
 async function hostClaudeBackupExpired(path = CREDENTIALS_BACKUP_FILE, now = Date.now()) {
   try {
-    const parsed = JSON.parse(await readFile24(path, "utf8"));
+    const parsed = JSON.parse(await readFile23(path, "utf8"));
     const exp = parsed?.claudeAiOauth?.expiresAt;
     return typeof exp === "number" && Number.isFinite(exp) && exp < now;
   } catch {
@@ -3035,7 +3253,7 @@ async function extractVolumeAuthToBackup(opts) {
   try {
     await mkdir22(STATE_DIR, { recursive: true });
     const script = 'COPIED=no; if [ -s /dst/auth.json ]; then cp -a /dst/auth.json "/host-state/$DEST" && COPIED=yes; fi; echo "COPIED=$COPIED"';
-    const { stdout } = await execa3("docker", [
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3047,7 +3265,7 @@ async function extractVolumeAuthToBackup(opts) {
       "-e",
       // Pass the destination filename via env so the path isn't interpolated
       // into the script string (keeps the docker arg list static + injection-safe).
-      `DEST=${basename3(opts.backupFile)}`,
+      `DEST=${basename22(opts.backupFile)}`,
       opts.image,
       "sh",
       "-c",
@@ -3069,7 +3287,7 @@ function extractOpencodeCredentials(volume, image) {
 }
 async function hostBackupHasCredentials(path = CREDENTIALS_BACKUP_FILE) {
   try {
-    const parsed = JSON.parse(await readFile24(path, "utf8"));
+    const parsed = JSON.parse(await readFile23(path, "utf8"));
     const rt = parsed?.claudeAiOauth?.refreshToken;
     return typeof rt === "string" && rt.length > 0;
   } catch {
@@ -3099,7 +3317,7 @@ echo "EXTRACTED=$EXTRACTED SEEDED=$SEEDED VOLREAL=$VOL_REAL"
 async function syncClaudeCredentials(spec, opts) {
   try {
     await mkdir22(STATE_DIR, { recursive: true });
-    const { stdout } = await execa3("docker", [
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3167,8 +3385,8 @@ function emptyResult(warnings = []) {
   }, warnings };
 }
 async function tarballFromDir(stageDir, agent) {
-  const tarballPath = join32(tmpdir(), `agentbox-${agent}-${basename2(stageDir)}.tar.gz`);
-  await execa4("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
+  const tarballPath = join32(tmpdir(), `agentbox-${agent}-${basename3(stageDir)}.tar.gz`);
+  await execa5("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
     env: { ...process.env, COPYFILE_DISABLE: "1" }
   });
   return tarballPath;
@@ -3241,6 +3459,64 @@ async function resolveClaudeMemoryDir(hostWorkspace, hostHome = homedir22()) {
   }
   return memDir;
 }
+async function buildBoxClaudeJsonFromHost(opts) {
+  const { hostHome, hostWorkspace } = opts;
+  const hostClaudeJson = join32(hostHome, ".claude.json");
+  let working;
+  if (await pathExists(hostClaudeJson)) {
+    try {
+      working = JSON.parse(await readFile32(hostClaudeJson, "utf8"));
+    } catch {
+      working = null;
+    }
+  }
+  if (working === void 0 || working === null) {
+    working = {
+      installMethod: "native",
+      autoUpdates: false,
+      autoUpdatesProtectedForNative: true,
+      // Pre-accept onboarding so the in-box Claude doesn't show the theme
+      // picker on first run. AgentBox installing implies the user has
+      // already used Claude Code on the host.
+      hasCompletedOnboarding: true,
+      projects: { [CLOUD_WORKSPACE]: { hasTrustDialogAccepted: true } }
+    };
+  } else {
+    working = filterHostHooks(working, hostHome).data;
+    working = setInstallMethodNative(working).data;
+    if (hostWorkspace) {
+      working = addProjectAlias(working, hostWorkspace, CLOUD_WORKSPACE).data;
+    }
+    working = trustWorkspace(working, CLOUD_WORKSPACE).data;
+    if (typeof working === "object" && working !== null) {
+      const w = working;
+      if (w["hasCompletedOnboarding"] !== true) w["hasCompletedOnboarding"] = true;
+    }
+  }
+  return working;
+}
+async function stageClaudeJsonOnlyForUpload(opts = {}) {
+  const hostHome = opts.hostHome ?? homedir22();
+  const stageDir = await mkStageDir("claude-json-only");
+  let tarballPath = null;
+  try {
+    const claudeJson = await buildBoxClaudeJsonFromHost({
+      hostHome,
+      hostWorkspace: opts.hostWorkspace
+    });
+    await writeFile3(join32(stageDir, "_claude.json"), JSON.stringify(claudeJson, null, 2));
+    tarballPath = await tarballFromDir(stageDir, "claude-json-only");
+    return {
+      tarballPath,
+      cleanup: makeCleanup([stageDir, tarballPath]),
+      warnings: []
+    };
+  } catch (err) {
+    await rm3(stageDir, { recursive: true, force: true });
+    if (tarballPath) await rm3(tarballPath, { force: true });
+    throw err;
+  }
+}
 async function stageClaudeStaticForUpload(opts = {}) {
   const hostHome = opts.hostHome ?? homedir22();
   const hostClaude = join32(hostHome, ".claude");
@@ -3255,7 +3531,7 @@ async function stageClaudeStaticForUpload(opts = {}) {
       ...CLAUDE_RUNTIME_EXCLUDES.map((p) => `--exclude=${p}`),
       ...broken.map((r) => `--exclude=/${r}`)
     ];
-    await execa4("rsync", [
+    await execa5("rsync", [
       "-a",
       "--copy-unsafe-links",
       ...excludes,
@@ -3273,31 +3549,11 @@ async function stageClaudeStaticForUpload(opts = {}) {
       } catch {
       }
     }
-    const hostClaudeJson = join32(hostHome, ".claude.json");
-    let working;
-    if (await pathExists(hostClaudeJson)) {
-      try {
-        working = JSON.parse(await readFile32(hostClaudeJson, "utf8"));
-      } catch {
-        working = null;
-      }
-    }
-    if (working === void 0 || working === null) {
-      working = {
-        installMethod: "native",
-        autoUpdates: false,
-        autoUpdatesProtectedForNative: true,
-        projects: { [CLOUD_WORKSPACE]: { hasTrustDialogAccepted: true } }
-      };
-    } else {
-      working = filterHostHooks(working, hostHome).data;
-      working = setInstallMethodNative(working).data;
-      if (opts.hostWorkspace) {
-        working = addProjectAlias(working, opts.hostWorkspace, CLOUD_WORKSPACE).data;
-      }
-      working = trustWorkspace(working, CLOUD_WORKSPACE).data;
-    }
-    await writeFile3(join32(stageDir, "_claude.json"), JSON.stringify(working, null, 2));
+    const claudeJson = await buildBoxClaudeJsonFromHost({
+      hostHome,
+      hostWorkspace: opts.hostWorkspace
+    });
+    await writeFile3(join32(stageDir, "_claude.json"), JSON.stringify(claudeJson, null, 2));
     const pluginsDir = join32(stageDir, "plugins");
     if (await pathExists(pluginsDir)) {
       try {
@@ -3364,7 +3620,7 @@ async function stageCodexStaticForUpload(opts = {}) {
   let tarballPath = null;
   try {
     const codexBroken = await findBrokenSymlinks(hostCodex);
-    await execa4("rsync", [
+    await execa5("rsync", [
       "-a",
       "-L",
       ...codexBroken.map((r) => `--exclude=/${r}`),
@@ -3420,7 +3676,7 @@ async function stageOpencodeStaticForUpload(opts = {}) {
   try {
     if (hasData) {
       const dataBroken = await findBrokenSymlinks(hostData);
-      await execa4("rsync", [
+      await execa5("rsync", [
         "-a",
         "-L",
         ...dataBroken.map((r) => `--exclude=/${r}`),
@@ -3433,7 +3689,7 @@ async function stageOpencodeStaticForUpload(opts = {}) {
     if (hasConfig) {
       const configStage = join32(stageDir, "config");
       const cfgBroken = await findBrokenSymlinks(hostConfig);
-      await execa4("rsync", [
+      await execa5("rsync", [
         "-a",
         "-L",
         ...cfgBroken.map((r) => `--exclude=/${r}`),
@@ -3491,7 +3747,7 @@ async function pathExists2(p) {
   }
 }
 async function volumeHasClaudeJson(volume, image) {
-  const res = await execa5(
+  const res = await execa6(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/_claude.json"],
     { reject: false }
@@ -3661,7 +3917,7 @@ async function ensureClaudeVolume(spec, opts) {
       // linux/amd64 node_modules on the next `agentbox claude`.
       `{ [ ! -f /dst/.agentbox-cleaned-nm-v1 ] && find /dst -name node_modules -type d -prune -exec rm -rf {} + && touch /dst/.agentbox-cleaned-nm-v1; true; } && rsync ${rsyncFlags} /src-claude/ /dst/ && { [ -f /src-claude-json ] && cp -a /src-claude-json /dst/_claude.json; true; } && { [ -f /src-filter/settings.json ] && cp -a /src-filter/settings.json /dst/settings.json; true; } && { [ -f /src-filter/_claude.json ] && cp -a /src-filter/_claude.json /dst/_claude.json; true; } && { [ -d /dst/plugins ] && [ -n "$HOST_HOME" ] && find /dst/plugins -maxdepth 1 -type f -name "*.json" -exec sed -i "s|$HOST_HOME/.claude/plugins/|/home/vscode/.claude/plugins/|g" {} +; true; }` + memoryRekeyStep + " && chown -R 1000:1000 /dst"
     );
-    await execa5("docker", args);
+    await execa6("docker", args);
   } finally {
     await rm2(filterDir, { recursive: true, force: true });
   }
@@ -3676,7 +3932,7 @@ async function ensureClaudeVolume(spec, opts) {
 }
 async function seedSetupSkillIntoVolume(volume, image) {
   try {
-    const { stdout } = await execa5("docker", [
+    const { stdout } = await execa6("docker", [
       "run",
       "--rm",
       "--user",
@@ -3705,7 +3961,7 @@ async function maybeFilterTo(src, dest, hostHome, opts = {}) {
   };
   let parsed;
   try {
-    parsed = JSON.parse(await readFile4(src, "utf8"));
+    parsed = JSON.parse(await readFile42(src, "utf8"));
   } catch {
     return zero;
   }
@@ -3788,7 +4044,7 @@ async function isDir(p) {
 }
 async function readReferencedPluginKeys(installedPluginsJsonPath) {
   try {
-    const raw = await readFile4(installedPluginsJsonPath, "utf8");
+    const raw = await readFile42(installedPluginsJsonPath, "utf8");
     return referencedPluginVersionKeys(JSON.parse(raw));
   } catch {
     return /* @__PURE__ */ new Set();
@@ -3841,7 +4097,7 @@ async function resolveClaudeCacheLiveOnHost(volume) {
   return orbstackVolumePath(volume, "plugins", "cache");
 }
 async function readBoxReferencedPluginKeys(container) {
-  const res = await execa5(
+  const res = await execa6(
     "docker",
     [
       "exec",
@@ -3959,7 +4215,7 @@ while IFS= read -r dir; do
 done < "$WORK/dirs"
 rm -rf "$WORK"
 `;
-  const result = await execa5(
+  const result = await execa6(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", script],
     { reject: false }
@@ -4020,7 +4276,7 @@ async function startClaudeSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa5(
+  const result = await execa6(
     "docker",
     [
       "exec",
@@ -4111,7 +4367,7 @@ function buildDashboardAttachArgv(container, sessionName) {
 async function waitForTmuxPaneContent(container, sessionName, timeoutMs = 2e4) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
-    const res = await execa5(
+    const res = await execa6(
       "docker",
       ["exec", "--user", CONTAINER_USER, container, "tmux", "capture-pane", "-p", "-t", sessionName],
       { reject: false }
@@ -4179,7 +4435,7 @@ async function warmUpClaudeCredentials(volume, image, opts = {}) {
   const SLEEP_MS = 5e3;
   for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
     opts.onProgress?.(`checking credentials... ${attempt}/${MAX_ATTEMPTS}`);
-    const res = await execa5(
+    const res = await execa6(
       "docker",
       [
         "run",
@@ -4221,7 +4477,7 @@ function attachClaudeSession(container, sessionName, reattachRef) {
 }
 async function claudeSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_CLAUDE_SESSION;
-  const has = await execa5(
+  const has = await execa6(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4229,7 +4485,7 @@ async function claudeSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa5(
+  const ts = await execa6(
     "docker",
     [
       "exec",
@@ -4263,7 +4519,7 @@ async function listChildDirs(dir) {
 }
 async function readJsonFile(path) {
   try {
-    return JSON.parse(await readFile4(path, "utf8"));
+    return JSON.parse(await readFile42(path, "utf8"));
   } catch {
     return void 0;
   }
@@ -4295,7 +4551,7 @@ async function pullClaudeExtras(spec, opts) {
     '  printf "\\n";',
     "done"
   ].join(" ");
-  const inv = await execa5(
+  const inv = await execa6(
     "docker",
     ["run", "--rm", "--user", "0", "-v", `${spec.volume}:/src:ro`, opts.image, "sh", "-c", inventoryScript],
     { reject: false }
@@ -4368,7 +4624,7 @@ async function pullClaudeExtras(spec, opts) {
       const parent = dest.slice(0, dest.lastIndexOf("/"));
       return `mkdir -p '${parent}' && rsync -a --ignore-existing --exclude=node_modules '${src}/' '${dest}/'`;
     });
-    const apply = await execa5(
+    const apply = await execa6(
       "docker",
       [
         "run",
@@ -4441,7 +4697,7 @@ async function ensureCodexVolume(spec, opts) {
   const hostCodex = join52(homedir4(), ".codex");
   const willSync = opts.syncFromHost && await pathExists3(hostCodex);
   if (willSync) {
-    await execa6("docker", [
+    await execa7("docker", [
       "run",
       "--rm",
       "--user",
@@ -4459,7 +4715,7 @@ async function ensureCodexVolume(spec, opts) {
     ]);
     return { created, synced: true };
   }
-  await execa6(
+  await execa7(
     "docker",
     [
       "run",
@@ -4479,7 +4735,7 @@ async function ensureCodexVolume(spec, opts) {
 }
 async function seedCodexHooks(volume, image) {
   try {
-    const { stdout } = await execa6("docker", [
+    const { stdout } = await execa7("docker", [
       "run",
       "--rm",
       "--user",
@@ -4516,14 +4772,14 @@ var CodexSessionError = class extends Error {
   }
 };
 async function ensureCodexInstalled(container, opts = {}) {
-  const probe = await execa6(
+  const probe = await execa7(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", "command -v codex"],
     { reject: false }
   );
   if (probe.exitCode === 0) return { installed: false };
   opts.onProgress?.("installing codex (absent from this box image)");
-  const install = await execa6(
+  const install = await execa7(
     "docker",
     ["exec", "--user", "root", container, "bash", "-lc", "npm install -g @openai/codex 2>&1"],
     { reject: false }
@@ -4546,7 +4802,7 @@ async function startCodexSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa6(
+  const result = await execa7(
     "docker",
     [
       "exec",
@@ -4628,7 +4884,7 @@ function runInteractiveCodexLogin(dockerArgv) {
   return { exitCode: child.status ?? 1 };
 }
 async function volumeHasCodexAuth(volume, image) {
-  const res = await execa6(
+  const res = await execa7(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/auth.json"],
     { reject: false }
@@ -4637,7 +4893,7 @@ async function volumeHasCodexAuth(volume, image) {
 }
 async function codexSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_CODEX_SESSION;
-  const has = await execa6(
+  const has = await execa7(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4645,7 +4901,7 @@ async function codexSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa6(
+  const ts = await execa7(
     "docker",
     [
       "exec",
@@ -4671,7 +4927,7 @@ async function codexSessionInfo(container, sessionName) {
 var CODEX_PULL_ITEMS = ["config.toml", "auth.json", "prompts"];
 async function pullCodexConfig(spec, opts) {
   const hostCodex = join52(homedir4(), ".codex");
-  const inv = await execa6(
+  const inv = await execa7(
     "docker",
     [
       "run",
@@ -4705,7 +4961,7 @@ async function pullCodexConfig(spec, opts) {
   const uid = process.getuid?.() ?? 0;
   const gid = process.getgid?.() ?? 0;
   const cmds = newItems.map((it) => `cp -a '/src/${it}' '/dst/${it}'`);
-  const apply = await execa6(
+  const apply = await execa7(
     "docker",
     [
       "run",
@@ -4787,10 +5043,10 @@ async function ensureOpencodeVolume(spec, opts) {
     }
     steps.push("chown -R 1000:1000 /dst");
     args.push(opts.image, "sh", "-c", steps.join(" && "));
-    await execa7("docker", args);
+    await execa8("docker", args);
     return { created, synced: true };
   }
-  await execa7(
+  await execa8(
     "docker",
     [
       "run",
@@ -4810,7 +5066,7 @@ async function ensureOpencodeVolume(spec, opts) {
 }
 async function seedOpencodePlugin(volume, image) {
   try {
-    const { stdout } = await execa7("docker", [
+    const { stdout } = await execa8("docker", [
       "run",
       "--rm",
       "--user",
@@ -4858,14 +5114,14 @@ var OpencodeSessionError = class extends Error {
   }
 };
 async function ensureOpencodeInstalled(container, opts = {}) {
-  const probe = await execa7(
+  const probe = await execa8(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", "command -v opencode"],
     { reject: false }
   );
   if (probe.exitCode === 0) return { installed: false };
   opts.onProgress?.("installing opencode (absent from this box image)");
-  const install = await execa7(
+  const install = await execa8(
     "docker",
     ["exec", "--user", "root", container, "bash", "-lc", "npm install -g opencode-ai 2>&1"],
     { reject: false }
@@ -4887,7 +5143,7 @@ async function startOpencodeSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa7(
+  const result = await execa8(
     "docker",
     [
       "exec",
@@ -4973,7 +5229,7 @@ function runInteractiveOpencodeLogin(dockerArgv) {
   return { exitCode: child.status ?? 1 };
 }
 async function volumeHasOpencodeAuth(volume, image) {
-  const res = await execa7(
+  const res = await execa8(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/auth.json"],
     { reject: false }
@@ -4982,7 +5238,7 @@ async function volumeHasOpencodeAuth(volume, image) {
 }
 async function opencodeSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_OPENCODE_SESSION;
-  const has = await execa7(
+  const has = await execa8(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4990,7 +5246,7 @@ async function opencodeSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa7(
+  const ts = await execa8(
     "docker",
     [
       "exec",
@@ -5028,7 +5284,7 @@ var OPENCODE_PULL_CONFIG_ITEMS = [
 async function pullOpencodeConfig(spec, opts) {
   const hostData = join6(homedir5(), ".local", "share", "opencode");
   const hostConfig = join6(homedir5(), ".config", "opencode");
-  const inv = await execa7(
+  const inv = await execa8(
     "docker",
     [
       "run",
@@ -5070,7 +5326,7 @@ async function pullOpencodeConfig(spec, opts) {
   const cmds = newItems.map(
     (i) => `cp -a '${i.src}' '${i.hostDst === "data" ? "/dst-data" : "/dst-config"}/${i.name}'`
   );
-  const apply = await execa7(
+  const apply = await execa8(
     "docker",
     [
       "run",
@@ -5181,9 +5437,9 @@ function gitWorktreePathFor(branch) {
   return `${WORKTREE_ROOT}/${fsSafeBranch(branch)}`;
 }
 async function collectRepoCarryOver(repo, branch, containerPath, gitWorktreePath) {
-  const stash = await execa8("git", ["-C", repo.hostMainRepo, "stash", "create"], { reject: false });
+  const stash = await execa9("git", ["-C", repo.hostMainRepo, "stash", "create"], { reject: false });
   const stashSha = stash.exitCode === 0 ? stash.stdout.trim() || null : null;
-  const untracked = await execa8(
+  const untracked = await execa9(
     "git",
     ["-C", repo.hostMainRepo, "ls-files", "--others", "--exclude-standard", "-z"],
     { reject: false }
@@ -5200,7 +5456,7 @@ async function collectRepoCarryOver(repo, branch, containerPath, gitWorktreePath
   };
 }
 async function dexec(container, argv, user = "vscode", cwd = "/") {
-  const r = await execa8(
+  const r = await execa9(
     "docker",
     ["exec", "-w", cwd, "--user", user, container, ...argv],
     { reject: false }
@@ -5232,7 +5488,7 @@ async function bindWorktrees(container, binds, onLog) {
     (a, b) => a.kind === "root" && b.kind !== "root" ? -1 : a.kind !== "root" && b.kind === "root" ? 1 : 0
   );
   for (const b of ordered) {
-    await execa8(
+    await execa9(
       "docker",
       ["exec", "-w", "/", "--user", "root", container, "sh", "-c", `mountpoint -q ${b.containerPath} && umount ${b.containerPath} || true`],
       { reject: false }
@@ -5254,7 +5510,7 @@ async function seedWorkspace(opts) {
     const wt = r.gitWorktreePath;
     const baseRef = r.repo.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
     const addArgs = r.reuseBranch ? ["worktree", "add", wt, r.branch] : ["worktree", "add", "-b", r.branch, wt, baseRef];
-    const add = await execa8(
+    const add = await execa9(
       "docker",
       ["exec", "--user", "vscode", opts.container, "git", "-C", main, ...addArgs],
       { reject: false }
@@ -5265,7 +5521,7 @@ async function seedWorkspace(opts) {
       );
     }
     log(`worktree ${wt} on branch ${r.branch} (host main ${main})`);
-    await execa8(
+    await execa9(
       "docker",
       [
         "exec",
@@ -5281,7 +5537,7 @@ async function seedWorkspace(opts) {
       ],
       { reject: false }
     );
-    await execa8(
+    await execa9(
       "docker",
       [
         "exec",
@@ -5311,7 +5567,7 @@ async function seedWorkspace(opts) {
   for (const r of opts.repos) {
     const ct = r.containerPath;
     if (r.stashSha) {
-      const withIndex = await execa8(
+      const withIndex = await execa9(
         "docker",
         [
           "exec",
@@ -5329,7 +5585,7 @@ async function seedWorkspace(opts) {
         { reject: false }
       );
       if (withIndex.exitCode !== 0) {
-        const noIndex = await execa8(
+        const noIndex = await execa9(
           "docker",
           [
             "exec",
@@ -5357,7 +5613,7 @@ async function seedWorkspace(opts) {
       }
     }
     if (r.untrackedNul.length > 0) {
-      const tarOut = await execa8("tar", ["-C", r.hostSource, "--null", "-T", "-", "-cf", "-"], {
+      const tarOut = await execa9("tar", ["-C", r.hostSource, "--null", "-T", "-", "-cf", "-"], {
         input: r.untrackedNul.replace(/\0$/, ""),
         encoding: "buffer",
         reject: false
@@ -5366,7 +5622,7 @@ async function seedWorkspace(opts) {
         log(`warning: tar of untracked files for ${r.repo.hostMainRepo} failed: ${tarOut.stderr}`);
         continue;
       }
-      const tarIn = await execa8(
+      const tarIn = await execa9(
         "docker",
         ["exec", "-i", "--user", "vscode", opts.container, "tar", "-C", ct, "-xf", "-"],
         { input: tarOut.stdout, reject: false }
@@ -5380,17 +5636,86 @@ async function seedWorkspace(opts) {
     }
   }
 }
+async function regenerateRestoredWorktrees(opts) {
+  const log = opts.onLog ?? (() => {
+  });
+  const script = [
+    "set -e",
+    'OLD="$1"; NEW="$2"; MAIN="$3"; BR="$4"; BASE="$5"; META="$6"',
+    // Rename baked content to the fresh unique path (rename, not copy).
+    '[ "$OLD" = "$NEW" ] || mv "$OLD" "$NEW"',
+    // Fresh branch at the base ref; -f is safe because pickFreshBranch already
+    // guaranteed BR is unused on the host.
+    'git -C "$MAIN" branch -f "$BR" "$BASE"',
+    // Author worktree metadata under the bind-mounted host .git.
+    'mkdir -p "$META"',
+    'printf "../..\\n" > "$META/commondir"',
+    'printf "%s\\n" "$NEW/.git" > "$META/gitdir"',
+    'printf "ref: refs/heads/%s\\n" "$BR" > "$META/HEAD"',
+    // Point the worktree's gitfile at the fresh metadata dir.
+    'printf "gitdir: %s\\n" "$META" > "$NEW/.git"',
+    // Reset tracked files to the fork base so the box starts CLEAN at the host
+    // base ref — same git state as a fresh create. The baked tree was captured
+    // on the source box's (possibly divergent/older) branch, so its tracked
+    // deviations are staleness, not work; resetting drops that noise. The
+    // gitignored warm artifacts (node_modules, .next, build caches) are
+    // untouched by reset --hard — that warm state is the checkpoint's value.
+    'git -C "$NEW" reset -q --hard HEAD',
+    // Boxes carry no signing key; mirror seedWorkspace's per-worktree config so
+    // host commit.gpgsign=true doesn't break in-box commits. extensions.
+    // worktreeConfig writes the SHARED (bind-mounted) .git/config, so concurrent
+    // boxes race on .git/config.lock — retry through the contention rather than
+    // aborting (best-effort, like seedWorkspace). The per-worktree gpgsign write
+    // needs the extension enabled first, so it follows the retry.
+    "set +e",
+    'for i in 1 2 3 4 5 6 7 8; do git -C "$MAIN" config extensions.worktreeConfig true && break; sleep 0.25; done',
+    'git -C "$NEW" config --worktree commit.gpgsign false',
+    "exit 0"
+  ].join("\n");
+  for (const p of opts.plans) {
+    const baseRef = p.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
+    const metaDir = `${p.hostMainRepo}/.git/worktrees/${fsSafeBranch(p.freshBranch)}`;
+    const r = await execa9(
+      "docker",
+      [
+        "exec",
+        "--user",
+        "vscode",
+        opts.container,
+        "bash",
+        "-c",
+        script,
+        "bash",
+        p.bakedGitWorktreePath,
+        p.freshGitWorktreePath,
+        p.hostMainRepo,
+        p.freshBranch,
+        baseRef,
+        metaDir
+      ],
+      { reject: false }
+    );
+    if (r.exitCode !== 0) {
+      throw new GitWorktreeError(
+        `regenerate worktree for ${p.freshBranch} failed: ${r.stderr || r.stdout}`
+      );
+    }
+    log(
+      `restored worktree ${p.freshGitWorktreePath} on fresh branch ${p.freshBranch} (base ${baseRef})`
+    );
+  }
+}
 async function seedWorkspaceFromDir(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const tarOut = await execa8("tar", ["-C", opts.hostSource, "-cf", "-", "."], {
+  const tarOut = await execa9("tar", ["-C", opts.hostSource, "-cf", "-", "."], {
     encoding: "buffer",
     reject: false
   });
   if (tarOut.exitCode !== 0) {
     throw new GitWorktreeError(`tar of ${opts.hostSource} failed: ${tarOut.stderr}`);
   }
-  const tarIn = await execa8(
+  const tarIn = await execa9(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-C", "/workspace", "-xf", "-"],
     { input: tarOut.stdout, reject: false }
@@ -5401,13 +5726,13 @@ async function seedWorkspaceFromDir(opts) {
   log(`seeded /workspace from ${opts.hostSource}`);
 }
 async function removeInBoxWorktree(args) {
-  const remove = await execa8(
+  const remove = await execa9(
     "git",
     ["-C", args.hostMainRepo, "worktree", "remove", "--force", args.gitWorktreePath],
     { reject: false }
   );
   if (remove.exitCode === 0) return;
-  await execa8("git", ["-C", args.hostMainRepo, "worktree", "prune"], { reject: false });
+  await execa9("git", ["-C", args.hostMainRepo, "worktree", "prune"], { reject: false });
 }
 function ctParent(p) {
   const i = p.lastIndexOf("/");
@@ -5419,6 +5744,12 @@ async function gitIn(container, ct, args) {
 function splitNul(s) {
   return s.split("\0").filter((p) => p.length > 0);
 }
+var NON_REGULAR_TOKEN = "-";
+function classifyUntrackedOverlay(boxToken, hostHash) {
+  if (boxToken === void 0) return "copy";
+  if (boxToken === NON_REGULAR_TOKEN) return "conflict";
+  return boxToken === hostHash ? "identical" : "conflict";
+}
 async function unmergedPaths(container, ct) {
   const r = await gitIn(container, ct, ["diff", "--name-only", "--diff-filter=U", "-z"]);
   return r.exitCode === 0 ? splitNul(r.stdout) : [];
@@ -5432,20 +5763,20 @@ async function resyncWorkspaceFromHost(opts) {
     const hostMain = w.hostMainRepo;
     const boxBranch = w.branch;
     const res = { containerPath: ct, mergeConflicts: [], overlaySkipped: [] };
-    const hostBranchProbe = await execa8(
+    const hostBranchProbe = await execa9(
       "git",
       ["-C", hostMain, "symbolic-ref", "--short", "-q", "HEAD"],
       { reject: false }
     );
-    const hostRef = hostBranchProbe.exitCode === 0 && hostBranchProbe.stdout.trim() ? hostBranchProbe.stdout.trim() : (await execa8("git", ["-C", hostMain, "rev-parse", "HEAD"], { reject: false })).stdout.trim();
+    const hostRef = hostBranchProbe.exitCode === 0 && hostBranchProbe.stdout.trim() ? hostBranchProbe.stdout.trim() : (await execa9("git", ["-C", hostMain, "rev-parse", "HEAD"], { reject: false })).stdout.trim();
     if (!hostRef) {
       log(`resync: ${ct}: could not resolve host ref; skipping`);
       results.push(res);
       continue;
     }
-    const stash = await execa8("git", ["-C", hostMain, "stash", "create"], { reject: false });
+    const stash = await execa9("git", ["-C", hostMain, "stash", "create"], { reject: false });
     const hostStashSha = stash.exitCode === 0 ? stash.stdout.trim() || null : null;
-    const untracked = await execa8(
+    const untracked = await execa9(
       "git",
       ["-C", hostMain, "ls-files", "--others", "--exclude-standard", "-z"],
       { reject: false }
@@ -5515,7 +5846,7 @@ async function resyncWorkspaceFromHost(opts) {
       }
     }
     if (hostUntracked.length > 0) {
-      const filter = await execa8(
+      const probe = await execa9(
         "docker",
         [
           "exec",
@@ -5525,23 +5856,50 @@ async function resyncWorkspaceFromHost(opts) {
           opts.container,
           "bash",
           "-c",
-          'cd "$1" && while IFS= read -r -d "" f; do [ -e "$f" ] && printf "%s\\0" "$f"; done',
+          'cd "$1" && while IFS= read -r -d "" f; do if [ -f "$f" ] && [ ! -L "$f" ]; then printf "%s\\0%s\\0" "$(sha256sum < "$f" | cut -d" " -f1)" "$f"; elif [ -e "$f" ]; then printf "%s\\0%s\\0" "-" "$f"; fi; done',
           "bash",
           ct
         ],
         { input: hostUntracked.join("\0"), reject: false }
       );
-      const existing = new Set(filter.exitCode === 0 ? splitNul(filter.stdout) : []);
-      const toCopy = hostUntracked.filter((p) => !existing.has(p));
-      for (const p of hostUntracked) if (existing.has(p)) res.overlaySkipped.push(p);
+      const boxTokens = /* @__PURE__ */ new Map();
+      if (probe.exitCode === 0) {
+        const flat = splitNul(probe.stdout);
+        for (let i = 0; i + 1 < flat.length; i += 2) {
+          const token = flat[i];
+          const path = flat[i + 1];
+          if (token !== void 0 && path !== void 0) boxTokens.set(path, token);
+        }
+      }
+      const toCopy = [];
+      let identical = 0;
+      for (const p of hostUntracked) {
+        const boxToken = boxTokens.get(p);
+        let hostHash = "";
+        if (boxToken !== void 0 && boxToken !== NON_REGULAR_TOKEN) {
+          try {
+            hostHash = createHash22("sha256").update(await readFile52(join7(hostMain, p))).digest("hex");
+          } catch {
+            identical++;
+            continue;
+          }
+        }
+        const verdict = classifyUntrackedOverlay(boxToken, hostHash);
+        if (verdict === "copy") toCopy.push(p);
+        else if (verdict === "conflict") res.overlaySkipped.push(p);
+        else identical++;
+      }
+      if (identical > 0) {
+        log(`resync: ${ct}: ${String(identical)} untracked host file(s) already identical in box (no-op)`);
+      }
       if (toCopy.length > 0) {
-        const tarOut = await execa8("tar", ["-C", hostMain, "--null", "-T", "-", "-cf", "-"], {
+        const tarOut = await execa9("tar", ["-C", hostMain, "--null", "-T", "-", "-cf", "-"], {
           input: toCopy.join("\0"),
           encoding: "buffer",
           reject: false
         });
         if (tarOut.exitCode === 0) {
-          await execa8(
+          await execa9(
             "docker",
             ["exec", "-i", "--user", "vscode", opts.container, "tar", "-C", ct, "-xf", "-"],
             { input: tarOut.stdout, reject: false }
@@ -5564,7 +5922,7 @@ var cached = null;
 async function detectPortless() {
   if (cached !== null) return cached;
   try {
-    const ver = await execa9(PORTLESS_BIN, SUB_VERSION, { reject: false });
+    const ver = await execa10(PORTLESS_BIN, SUB_VERSION, { reject: false });
     if (ver.exitCode !== 0) {
       cached = { installed: false, proxyRunning: false };
       return cached;
@@ -5584,7 +5942,7 @@ function resetPortlessCache() {
 }
 async function portlessAlias(name, port) {
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_ALIAS, name, String(port)], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_ALIAS, name, String(port)], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5592,7 +5950,7 @@ async function portlessAlias(name, port) {
 }
 async function portlessUnalias(name) {
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_ALIAS, SUB_ALIAS_REMOVE, name], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_ALIAS, SUB_ALIAS_REMOVE, name], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5601,7 +5959,7 @@ async function portlessUnalias(name) {
 async function portlessGetUrl(name) {
   const fallback = `https://${name}.localhost`;
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_GET, name], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_GET, name], { reject: false });
     const out = (r.stdout ?? "").trim();
     if (r.exitCode === 0 && /^https?:\/\//.test(out)) return out;
   } catch {
@@ -5622,7 +5980,7 @@ function portlessBrowserEnv(boxName, opts) {
 }
 async function installPortless() {
   try {
-    const r = await execa9("npm", ["install", "-g", "portless"], { reject: false });
+    const r = await execa10("npm", ["install", "-g", "portless"], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5630,7 +5988,7 @@ async function installPortless() {
 }
 async function startPortlessProxy() {
   try {
-    const r = await execa9(
+    const r = await execa10(
       PORTLESS_BIN,
       ["proxy", "start", "--no-tls", "-p", String(PORTLESS_PROXY_PORT)],
       { reject: false }
@@ -5643,7 +6001,7 @@ async function startPortlessProxy() {
 function portlessStateDirCandidates() {
   const env = process.env["PORTLESS_STATE_DIR"];
   if (env && env.trim().length > 0) return [env.trim()];
-  return ["/tmp/portless", join7(homedir6(), ".portless")];
+  return ["/tmp/portless", join8(homedir6(), ".portless")];
 }
 function pidAlive(pid) {
   if (!Number.isFinite(pid) || pid <= 0) return false;
@@ -5656,7 +6014,7 @@ function pidAlive(pid) {
 }
 async function readProxyPid(dir) {
   try {
-    const raw = await readFile52(join7(dir, "proxy.pid"), "utf8");
+    const raw = await readFile6(join8(dir, "proxy.pid"), "utf8");
     const pid = Number.parseInt(raw.trim(), 10);
     return Number.isFinite(pid) && pid > 0 ? pid : null;
   } catch {
@@ -5676,15 +6034,15 @@ async function resolvePortlessHostStateDir(override) {
   if (env && env.trim().length > 0) return env.trim();
   const live = await findLivePortlessStateDir();
   if (live) return live;
-  const home = join7(homedir6(), ".portless");
-  if (existsSync(home)) return home;
-  if (existsSync("/tmp/portless")) return "/tmp/portless";
+  const home = join8(homedir6(), ".portless");
+  if (existsSync2(home)) return home;
+  if (existsSync2("/tmp/portless")) return "/tmp/portless";
   return home;
 }
 async function isProxyRunning() {
   if (await findLivePortlessStateDir() !== null) return true;
   try {
-    const r = await execa9("pgrep", ["-f", "portless proxy"], { reject: false });
+    const r = await execa10("pgrep", ["-f", "portless proxy"], { reject: false });
     return r.exitCode === 0 && (r.stdout ?? "").trim().length > 0;
   } catch {
     return false;
@@ -5705,12 +6063,12 @@ var EXCLUDE_DIRS = /* @__PURE__ */ new Set([
   ".cache",
   ".parcel-cache"
 ]);
-var SNAPSHOTS_ROOT = join8(homedir7(), ".agentbox", "snapshots");
+var SNAPSHOTS_ROOT = join9(homedir7(), ".agentbox", "snapshots");
 function snapshotPathFor(box) {
   const mnemonic = sanitizeMnemonic(box.name);
   const n = box.projectIndex;
   const segment = typeof n === "number" && Number.isFinite(n) && n > 0 ? `${box.id}-${String(n)}-${mnemonic}` : `${box.id}-${mnemonic}`;
-  return join8(SNAPSHOTS_ROOT, segment);
+  return join9(SNAPSHOTS_ROOT, segment);
 }
 async function findExcludedDirs(root, excluded = EXCLUDE_DIRS) {
   const matches = [];
@@ -5723,7 +6081,7 @@ async function findExcludedDirs(root, excluded = EXCLUDE_DIRS) {
     }
     for (const entry of entries) {
       if (!entry.isDirectory()) continue;
-      const abs = join8(dir, entry.name);
+      const abs = join9(dir, entry.name);
       if (excluded.has(entry.name)) {
         matches.push(abs);
         continue;
@@ -5735,31 +6093,31 @@ async function findExcludedDirs(root, excluded = EXCLUDE_DIRS) {
   return matches;
 }
 async function createSnapshot(opts) {
-  const source = resolve2(opts.source);
-  const destination = resolve2(opts.destination);
+  const source = resolve22(opts.source);
+  const destination = resolve22(opts.destination);
   const excluded = opts.excluded ?? EXCLUDE_DIRS;
   await mkdir42(SNAPSHOTS_ROOT, { recursive: true });
   const cpArgs = platform() === "darwin" ? ["-cR"] : ["-R"];
-  await execa10("cp", [...cpArgs, `${source}/`, destination]);
+  await execa11("cp", [...cpArgs, `${source}/`, destination]);
   const toPrune = await findExcludedDirs(destination, excluded);
   await Promise.all(toPrune.map((p) => rm32(p, { recursive: true, force: true })));
   return { destination, prunedPaths: toPrune };
 }
-var CHECKPOINTS_ROOT = join9(homedir8(), ".agentbox", "checkpoints");
+var CHECKPOINTS_ROOT = join10(homedir8(), ".agentbox", "checkpoints");
 var CHECKPOINT_IMAGE_PREFIX = "agentbox-ckpt-";
 function checkpointImageTag(projectRoot, name) {
-  const mnemonic = sanitizeMnemonic(basename32(projectRoot));
+  const mnemonic = sanitizeMnemonic(basename4(projectRoot));
   return `${CHECKPOINT_IMAGE_PREFIX}${hashProjectPath(projectRoot)}_${mnemonic}:${name}`;
 }
 function projectCheckpointsDir(projectRoot) {
-  return join9(CHECKPOINTS_ROOT, projectDirSegment(projectRoot));
+  return join10(CHECKPOINTS_ROOT, projectDirSegment(projectRoot));
 }
 function checkpointDir(projectRoot, name) {
-  return join9(projectCheckpointsDir(projectRoot), name);
+  return join10(projectCheckpointsDir(projectRoot), name);
 }
 async function readManifest(dir) {
   try {
-    const raw = await readFile6(join9(dir, "manifest.json"), "utf8");
+    const raw = await readFile7(join10(dir, "manifest.json"), "utf8");
     const m = JSON.parse(raw);
     if (m.schema !== 2 && m.schema !== 3) return null;
     return m;
@@ -5776,7 +6134,7 @@ async function listCheckpointsInDir(root) {
   }
   const out = [];
   for (const name of entries) {
-    const dir = join9(root, name);
+    const dir = join10(root, name);
     const manifest = await readManifest(dir);
     if (manifest) out.push({ name, dir, manifest });
   }
@@ -5795,7 +6153,7 @@ async function listAllCheckpoints() {
   }
   const out = [];
   for (const segment of segments) {
-    const items = await listCheckpointsInDir(join9(CHECKPOINTS_ROOT, segment));
+    const items = await listCheckpointsInDir(join10(CHECKPOINTS_ROOT, segment));
     if (items.length > 0) out.push({ segment, items });
   }
   return out;
@@ -5815,7 +6173,7 @@ async function listAllCheckpointImages() {
   }
   const out = /* @__PURE__ */ new Set();
   for (const proj of projectDirs) {
-    const projPath = join9(CHECKPOINTS_ROOT, proj);
+    const projPath = join10(CHECKPOINTS_ROOT, proj);
     let names;
     try {
       names = (await readdir5(projPath, { withFileTypes: true })).filter((e) => e.isDirectory()).map((e) => e.name);
@@ -5823,7 +6181,7 @@ async function listAllCheckpointImages() {
       continue;
     }
     for (const name of names) {
-      const manifest = await readManifest(join9(projPath, name));
+      const manifest = await readManifest(join10(projPath, name));
       if (manifest) out.add(manifest.image);
     }
   }
@@ -5865,7 +6223,7 @@ async function runCleanup(container, log) {
   }
 }
 async function inspectImageConfig(imageRef) {
-  const r = await execa11("docker", ["image", "inspect", imageRef], { reject: false });
+  const r = await execa12("docker", ["image", "inspect", imageRef], { reject: false });
   if (r.exitCode !== 0) {
     throw new CheckpointError(`docker image inspect ${imageRef} failed`, r.stdout, r.stderr);
   }
@@ -5941,14 +6299,14 @@ async function createCheckpoint(opts) {
   await runCleanup(box.container, log);
   if (type === "layered") {
     log(`docker commit ${box.container} -> ${tag} (layered)`);
-    const r = await execa11("docker", ["commit", box.container, tag], { reject: false });
+    const r = await execa12("docker", ["commit", box.container, tag], { reject: false });
     if (r.exitCode !== 0) {
       throw new CheckpointError(`docker commit failed for ${box.container}`, r.stdout, r.stderr);
     }
   } else {
     log(`docker commit ${box.container} -> <intermediate> (flattened path)`);
     const intermediate = `${tag}-intermediate`;
-    const commit = await execa11("docker", ["commit", box.container, intermediate], {
+    const commit = await execa12("docker", ["commit", box.container, intermediate], {
       reject: false
     });
     if (commit.exitCode !== 0) {
@@ -5984,7 +6342,7 @@ async function createCheckpoint(opts) {
     cliVersion: stamp.cliVersion,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  await writeFile32(join9(dir, "manifest.json"), JSON.stringify(manifest, null, 2) + "\n", "utf8");
+  await writeFile32(join10(dir, "manifest.json"), JSON.stringify(manifest, null, 2) + "\n", "utf8");
   if (opts.setDefault) {
     await setConfigValue("project", "box.defaultCheckpointDocker", name, opts.projectRoot);
     log(`set project default checkpoint (box.defaultCheckpointDocker) -> ${name}`);
@@ -5993,7 +6351,7 @@ async function createCheckpoint(opts) {
 }
 async function flattenImage(sourceTag, destTag, log) {
   const tmpName = `agentbox-flatten-${Date.now().toString(36)}`;
-  const create = await execa11(
+  const create = await execa12(
     "docker",
     ["create", "--name", tmpName, sourceTag, "sleep", "0"],
     { reject: false }
@@ -6001,11 +6359,11 @@ async function flattenImage(sourceTag, destTag, log) {
   if (create.exitCode !== 0) {
     throw new CheckpointError(`docker create for flatten failed`, create.stdout, create.stderr);
   }
-  const scratch = await mkdtemp3(join9(tmpdir3(), "agentbox-flatten-"));
+  const scratch = await mkdtemp3(join10(tmpdir3(), "agentbox-flatten-"));
   try {
-    const rootfsPath = join9(scratch, "rootfs.tar");
+    const rootfsPath = join10(scratch, "rootfs.tar");
     log(`exporting rootfs of ${sourceTag} to ${rootfsPath}`);
-    const exp = await execa11("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
+    const exp = await execa12("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
     if (exp.exitCode !== 0) {
       throw new CheckpointError(`docker export failed`, exp.stdout, exp.stderr);
     }
@@ -6016,18 +6374,18 @@ async function flattenImage(sourceTag, destTag, log) {
       "ADD rootfs.tar /",
       ...renderConfigDirectives(cfg)
     ];
-    await writeFile32(join9(scratch, "Dockerfile"), lines.join("\n") + "\n", "utf8");
+    await writeFile32(join10(scratch, "Dockerfile"), lines.join("\n") + "\n", "utf8");
     log(`building flattened ${destTag} from rootfs.tar (FROM scratch)`);
-    const build = await execa11(
+    const build = await execa12(
       "docker",
-      ["build", "-t", destTag, "-f", join9(scratch, "Dockerfile"), scratch],
+      ["build", "-t", destTag, "-f", join10(scratch, "Dockerfile"), scratch],
       { reject: false }
     );
     if (build.exitCode !== 0) {
       throw new CheckpointError(`flatten docker build failed`, build.stdout, build.stderr);
     }
   } finally {
-    await execa11("docker", ["rm", "-f", tmpName], { reject: false });
+    await execa12("docker", ["rm", "-f", tmpName], { reject: false });
     await rm4(scratch, { recursive: true, force: true });
   }
 }
@@ -6071,7 +6429,7 @@ async function pathExists5(p) {
 }
 async function writeBoxEnvFile(container, env) {
   const body = formatBoxEnvBody(env);
-  const result = await execa12(
+  const result = await execa13(
     "docker",
     ["exec", "--user", "root", "-i", container, "sh", "-c", "umask 022 && cat > /etc/agentbox/box.env"],
     { input: body, reject: false }
@@ -6095,7 +6453,7 @@ function shellSingleQuote(s) {
   return `'${s.replace(/'/g, `'\\''`)}'`;
 }
 async function ensureHomeOwnedByVscode(container) {
-  await execa13(
+  await execa14(
     "docker",
     [
       "exec",
@@ -6111,10 +6469,10 @@ async function ensureHomeOwnedByVscode(container) {
     { reject: false }
   );
 }
-var STATE_DIR22 = join10(homedir9(), ".agentbox");
-var PID_FILE = join10(STATE_DIR22, "relay.pid");
-var LOG_FILE = join10(STATE_DIR22, "relay.log");
-var RELAY_HOME_DIR = join10(STATE_DIR22, "relay");
+var STATE_DIR22 = join11(homedir9(), ".agentbox");
+var PID_FILE = join11(STATE_DIR22, "relay.pid");
+var LOG_FILE = join11(STATE_DIR22, "relay.log");
+var RELAY_HOME_DIR = join11(STATE_DIR22, "relay");
 var PORT = DEFAULT_RELAY_PORT;
 var ENDPOINT = {
   // host.docker.internal is the Docker Desktop / OrbStack-supplied alias for
@@ -6244,16 +6602,16 @@ async function spawnRelay(relayBin, cliEntry, log) {
 }
 function resolveRelayBin() {
   const override = process.env.AGENTBOX_RELAY_BIN;
-  if (override && existsSync2(override)) return override;
-  const here = dirname3(fileURLToPath(import.meta.url));
+  if (override && existsSync3(override)) return override;
+  const here = dirname22(fileURLToPath(import.meta.url));
   const candidates = [
-    resolve22(here, "..", "runtime", "relay", "bin.cjs"),
-    resolve22(here, "..", "..", "relay", "dist", "bin.cjs"),
-    resolve22(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
-    resolve22(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
+    resolve3(here, "..", "runtime", "relay", "bin.cjs"),
+    resolve3(here, "..", "..", "relay", "dist", "bin.cjs"),
+    resolve3(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
+    resolve3(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
   ];
   for (const c of candidates) {
-    if (existsSync2(c)) return c;
+    if (existsSync3(c)) return c;
   }
   throw new Error(
     `could not locate @agentbox/relay bin; tried:
@@ -6262,32 +6620,32 @@ function resolveRelayBin() {
 }
 function resolveCliEntry() {
   const override = process.env.AGENTBOX_CLI_ENTRY;
-  if (override && existsSync2(override)) return override;
-  const here = dirname3(fileURLToPath(import.meta.url));
+  if (override && existsSync3(override)) return override;
+  const here = dirname22(fileURLToPath(import.meta.url));
   const candidates = [
     // Bundled CLI (dev + published): this module IS bundled into the CLI
     // entry, so the entry is index.js next to this file.
-    resolve22(here, "index.js"),
-    resolve22(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
-    resolve22(here, "..", "..", "..", "..", "dist", "index.js")
+    resolve3(here, "index.js"),
+    resolve3(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
+    resolve3(here, "..", "..", "..", "..", "dist", "index.js")
   ];
   for (const c of candidates) {
-    if (existsSync2(c)) return c;
+    if (existsSync3(c)) return c;
   }
   return null;
 }
 async function stageRelayHome(version, log) {
   if (!version || version === "0.0.0-dev") return null;
   if (process.env.AGENTBOX_RELAY_BIN || process.env.AGENTBOX_CLI_ENTRY) return null;
-  const cliRoot = findCliRoot(dirname3(fileURLToPath(import.meta.url)));
+  const cliRoot = findCliRoot(dirname22(fileURLToPath(import.meta.url)));
   if (cliRoot === null) return null;
-  const homeDir = join10(RELAY_HOME_DIR, version);
-  const stagedEntry = join10(homeDir, "dist", "index.js");
-  const stagedBin = join10(homeDir, "runtime", "relay", "bin.cjs");
-  if (existsSync2(stagedEntry) && existsSync2(stagedBin)) {
+  const homeDir = join11(RELAY_HOME_DIR, version);
+  const stagedEntry = join11(homeDir, "dist", "index.js");
+  const stagedBin = join11(homeDir, "runtime", "relay", "bin.cjs");
+  if (existsSync3(stagedEntry) && existsSync3(stagedBin)) {
     return { relayBin: stagedBin, cliEntry: stagedEntry };
   }
-  const nodeModules = resolveDepRoot(join10(cliRoot, "dist", "index.js"));
+  const nodeModules = resolveDepRoot(join11(cliRoot, "dist", "index.js"));
   if (nodeModules === null) return null;
   const tmpDir = `${homeDir}.tmp-${String(process.pid)}`;
   try {
@@ -6295,16 +6653,16 @@ async function stageRelayHome(version, log) {
     await rm5(tmpDir, { recursive: true, force: true });
     await mkdir6(tmpDir, { recursive: true });
     for (const sub of ["dist", "runtime", "share"]) {
-      const src = join10(cliRoot, sub);
-      if (existsSync2(src)) await cp(src, join10(tmpDir, sub), { recursive: true });
+      const src = join11(cliRoot, sub);
+      if (existsSync3(src)) await cp(src, join11(tmpDir, sub), { recursive: true });
     }
-    await cp(nodeModules, join10(tmpDir, "node_modules"), { recursive: true, dereference: true });
+    await cp(nodeModules, join11(tmpDir, "node_modules"), { recursive: true, dereference: true });
     await rm5(homeDir, { recursive: true, force: true });
     await rename3(tmpDir, homeDir);
   } catch (err) {
     await rm5(tmpDir, { recursive: true, force: true }).catch(() => {
     });
-    if (existsSync2(stagedEntry) && existsSync2(stagedBin)) {
+    if (existsSync3(stagedEntry) && existsSync3(stagedBin)) {
       return { relayBin: stagedBin, cliEntry: stagedEntry };
     }
     log(`relay home staging failed (${err instanceof Error ? err.message : String(err)}); using bundle paths`);
@@ -6316,8 +6674,8 @@ async function stageRelayHome(version, log) {
   return { relayBin: stagedBin, cliEntry: stagedEntry };
 }
 function findCliRoot(moduleDir) {
-  for (const root of [resolve22(moduleDir, ".."), resolve22(moduleDir, "..", "..")]) {
-    if (existsSync2(join10(root, "dist", "index.js")) && existsSync2(join10(root, "runtime", "relay", "bin.cjs"))) {
+  for (const root of [resolve3(moduleDir, ".."), resolve3(moduleDir, "..", "..")]) {
+    if (existsSync3(join11(root, "dist", "index.js")) && existsSync3(join11(root, "runtime", "relay", "bin.cjs"))) {
       return root;
     }
   }
@@ -6332,7 +6690,7 @@ function resolveDepRoot(fromFile) {
     const idx = main.lastIndexOf(marker);
     if (idx === -1) return null;
     const nm = main.slice(0, idx + marker.length - 1);
-    return existsSync2(join10(nm, "commander")) ? nm : null;
+    return existsSync3(join11(nm, "commander")) ? nm : null;
   } catch {
     return null;
   }
@@ -6346,7 +6704,7 @@ async function gcOldRelayHomes(keepVersion) {
   }
   for (const name of entries) {
     if (name === keepVersion) continue;
-    await rm5(join10(RELAY_HOME_DIR, name), { recursive: true, force: true }).catch(() => {
+    await rm5(join11(RELAY_HOME_DIR, name), { recursive: true, force: true }).catch(() => {
     });
   }
 }
@@ -6457,7 +6815,7 @@ function fetchHealthz(timeoutMs) {
 }
 async function readPidFile() {
   try {
-    const text = await readFile7(PID_FILE, "utf8");
+    const text = await readFile8(PID_FILE, "utf8");
     const pid = Number.parseInt(text.trim(), 10);
     return Number.isFinite(pid) && pid > 0 ? pid : null;
   } catch {
@@ -6493,7 +6851,8 @@ async function registerBoxWithRelay(args) {
     worktrees,
     previewUrl: args.previewUrl,
     previewToken: args.previewToken,
-    bridgeToken: args.bridgeToken
+    bridgeToken: args.bridgeToken,
+    autoApproveHostActions: args.autoApproveHostActions
   });
 }
 async function forgetBoxFromRelay(boxId) {
@@ -6634,7 +6993,8 @@ async function rehydrateRelayRegistry(boxes) {
         worktrees: b.gitWorktrees,
         previewUrl: b.relayPreviewUrl,
         previewToken: b.relayPreviewToken,
-        bridgeToken: b.bridgeToken
+        bridgeToken: b.bridgeToken,
+        autoApproveHostActions: b.autoApproveHostActions
       });
     } catch {
     }
@@ -6785,7 +7145,7 @@ function persistableLimits(lim) {
   return Object.keys(out).length > 0 ? out : void 0;
 }
 function sanitizeBasename(workspacePath) {
-  const raw = basename4(resolve3(workspacePath));
+  const raw = basename5(resolve4(workspacePath));
   return raw.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^[-._]+|[-._]+$/g, "").slice(0, 30).replace(/[-._]+$/, "");
 }
 function defaultBoxName(workspacePath, id) {
@@ -6803,7 +7163,7 @@ async function pathExists6(p) {
 async function buildIdentityMounts() {
   const home = homedir10();
   const candidates = [
-    { src: join11(home, ".gitconfig"), dst: "/home/vscode/.gitconfig", readOnly: true }
+    { src: join12(home, ".gitconfig"), dst: "/home/vscode/.gitconfig", readOnly: true }
   ];
   const out = [];
   for (const c of candidates) {
@@ -6816,11 +7176,11 @@ async function buildIdentityMounts() {
 async function createBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const workspace = resolve3(opts.workspacePath);
+  const workspace = resolve4(opts.workspacePath);
   if (!await pathExists6(workspace)) {
     throw new Error(`workspace does not exist: ${workspace}`);
   }
-  const cfgPath = join11(workspace, "agentbox.yaml");
+  const cfgPath = join12(workspace, "agentbox.yaml");
   if (await pathExists6(cfgPath)) {
     try {
       const cfg = await loadConfig(cfgPath);
@@ -6900,12 +7260,35 @@ async function createBox(opts) {
   }
   let projectIndex;
   if (opts.projectRoot) {
-    projectIndex = allocateProjectIndex(await readState(), opts.projectRoot);
+    projectIndex = await reserveProjectIndex(
+      { id, name, container: containerName, image: imageRef, workspacePath: workspace, createdAt },
+      opts.projectRoot
+    );
   }
   const repoCarryOvers = [];
   const gitWorktreeRecords = [];
+  const restoreWorktreePlans = [];
   if (checkpointImage && restoredWorktrees && restoredWorktrees.length > 0) {
-    gitWorktreeRecords.push(...restoredWorktrees);
+    for (const w of restoredWorktrees) {
+      const branchBase = w.kind === "root" ? `agentbox/${name}` : `agentbox/${name}--${w.relPathFromWorkspace.replace(/[^A-Za-z0-9._-]+/g, "_")}`;
+      const freshBranch = await pickFreshBranch(w.hostMainRepo, branchBase);
+      const freshGitWorktreePath = gitWorktreePathFor(freshBranch);
+      restoreWorktreePlans.push({
+        hostMainRepo: w.hostMainRepo,
+        kind: w.kind,
+        bakedGitWorktreePath: w.gitWorktreePath,
+        freshBranch,
+        freshGitWorktreePath
+      });
+      gitWorktreeRecords.push({
+        kind: w.kind,
+        hostMainRepo: w.hostMainRepo,
+        containerPath: w.containerPath,
+        gitWorktreePath: freshGitWorktreePath,
+        branch: freshBranch,
+        relPathFromWorkspace: w.relPathFromWorkspace
+      });
+    }
   }
   if (!checkpointImage) {
     const repos = await detectGitRepos(workspace);
@@ -7013,7 +7396,7 @@ async function createBox(opts) {
     log(`seeded claude credentials into ${claudeSpec.volume} from host backup`);
   }
   const claudeMounts = buildClaudeMounts(claudeSpec, process.env);
-  const wantCodex = opts.codexConfig !== void 0 || await pathExists6(join11(homedir10(), ".codex"));
+  const wantCodex = opts.codexConfig !== void 0 || await pathExists6(join12(homedir10(), ".codex"));
   let codexMounts;
   let codexConfigVolume;
   if (wantCodex) {
@@ -7033,7 +7416,7 @@ async function createBox(opts) {
     codexMounts = buildCodexMounts(codexSpec, process.env);
     codexConfigVolume = codexSpec.volume;
   }
-  const wantOpencode = opts.opencodeConfig !== void 0 || await pathExists6(join11(homedir10(), ".config", "opencode")) || await pathExists6(join11(homedir10(), ".local", "share", "opencode"));
+  const wantOpencode = opts.opencodeConfig !== void 0 || await pathExists6(join12(homedir10(), ".config", "opencode")) || await pathExists6(join12(homedir10(), ".local", "share", "opencode"));
   let opencodeMounts;
   let opencodeConfigVolume;
   if (wantOpencode) {
@@ -7054,9 +7437,9 @@ async function createBox(opts) {
     opencodeConfigVolume = opencodeSpec.volume;
   }
   const boxDir = boxRunDirFor({ id, name, projectIndex });
-  const socketDir = join11(boxDir, "run");
-  const socketPath = join11(socketDir, "ctl.sock");
-  const mergedExportDir = join11(boxDir, "workspace");
+  const socketDir = join12(boxDir, "run");
+  const socketPath = join12(socketDir, "ctl.sock");
+  const mergedExportDir = join12(boxDir, "workspace");
   await mkdir7(socketDir, { recursive: true });
   await mkdir7(mergedExportDir, { recursive: true });
   const extraVolumes = await buildIdentityMounts();
@@ -7086,6 +7469,7 @@ async function createBox(opts) {
     }
   }
   for (const v of extraVolumes) log(`mounting agent dir: ${v}`);
+  const autoApproveHostActions = (await loadEffectiveConfig(opts.projectRoot ?? workspace)).effective.box.autoApproveHostActions;
   const relayToken = generateRelayToken();
   if (relayUp) {
     try {
@@ -7096,7 +7480,8 @@ async function createBox(opts) {
         containerName,
         createdAt,
         projectIndex,
-        worktrees: gitWorktreeRecords
+        worktrees: gitWorktreeRecords,
+        autoApproveHostActions
       });
       log(`registered box token with relay`);
     } catch (err) {
@@ -7145,6 +7530,37 @@ async function createBox(opts) {
       effectiveLimits = { ...appliedLimits, disk: null };
     }
   }
+  const baseRecord = {
+    id,
+    name,
+    container: containerName,
+    image: imageRef,
+    workspacePath: workspace,
+    snapshotDir,
+    socketPath,
+    claudeConfigVolume: claudeSpec.volume,
+    codexConfigVolume,
+    opencodeConfigVolume,
+    vscodeServerVolume: vscodeServerVolumeName(id),
+    cursorServerVolume: cursorServerVolumeName(id),
+    relayToken: relayUp ? relayToken : void 0,
+    gitWorktrees: gitWorktreeRecords.length > 0 ? gitWorktreeRecords : void 0,
+    withPlaywright: opts.withPlaywright ? true : void 0,
+    withEnv: opts.withEnv ? true : void 0,
+    autoApproveHostActions: autoApproveHostActions ? true : void 0,
+    vncEnabled: vncEnabled ? true : void 0,
+    vncContainerPort: vncEnabled ? VNC_CONTAINER_PORT : void 0,
+    vncPassword,
+    webContainerPort: WEB_CONTAINER_PORT,
+    dockerVolume,
+    dockerCacheShared: dockerCacheShared || void 0,
+    projectRoot: opts.projectRoot,
+    projectIndex,
+    checkpointImage,
+    checkpointSource,
+    resourceLimits: persistableLimits(effectiveLimits),
+    createdAt
+  };
   await runBox({
     name: containerName,
     image: imageRef,
@@ -7164,6 +7580,7 @@ async function createBox(opts) {
     }
   });
   log(`container ${containerName} started`);
+  await recordBox(baseRecord);
   if (gitWorktreeRecords.length > 0) {
     await chownGitBindParents({
       container: containerName,
@@ -7188,7 +7605,8 @@ async function createBox(opts) {
       } catch (err) {
         if (opts.useBranch !== void 0) {
           log(`seedWorkspace failed for --use-branch ${opts.useBranch}; cleaning up the box`);
-          await execa14("docker", ["rm", "-f", containerName], { reject: false });
+          await execa15("docker", ["rm", "-f", containerName], { reject: false });
+          await removeBoxRecord(id);
           for (const w of gitWorktreeRecords) {
             await removeInBoxWorktree({
               hostMainRepo: w.hostMainRepo,
@@ -7204,21 +7622,27 @@ async function createBox(opts) {
       const source = snapshotDir ?? workspace;
       await seedWorkspaceFromDir({ container: containerName, hostSource: source, onLog: log });
     }
-  } else if (restoredWorktrees && restoredWorktrees.length > 0) {
+  } else if (restoreWorktreePlans.length > 0) {
+    await regenerateRestoredWorktrees({
+      container: containerName,
+      plans: restoreWorktreePlans,
+      fromBranch: opts.fromBranch,
+      onLog: log
+    });
     await bindWorktrees(
       containerName,
-      restoredWorktrees.map((w) => ({
+      gitWorktreeRecords.map((w) => ({
         kind: w.kind,
         containerPath: w.containerPath,
         gitWorktreePath: w.gitWorktreePath
       })),
       log
     );
-    log("re-bound /workspace from checkpoint image");
+    log("re-bound /workspace from checkpoint image (fresh per-box worktree)");
     if (opts.resyncOnStart !== false) {
       const repos = await resyncWorkspaceFromHost({
         container: containerName,
-        worktrees: restoredWorktrees,
+        worktrees: gitWorktreeRecords,
         onLog: log
       });
       resyncResult = {
@@ -7233,18 +7657,18 @@ async function createBox(opts) {
   }
   await repairIdeOwnership(containerName);
   log(".vscode-server + .cursor-server ownership verified");
-  const ctl = await launchCtlDaemon(containerName, socketPath);
-  if (ctl.up) log("agentbox-ctl daemon up");
-  else log(`agentbox-ctl daemon did not become reachable: ${ctl.reason}`);
   const dockerd = await launchDockerdDaemon(containerName);
   if (dockerd.up) {
     log(`dockerd up (data root=${dockerVolume})`);
   } else {
     log(`dockerd did not become ready: ${dockerd.reason}`);
   }
+  const ctl = await launchCtlDaemon(containerName, socketPath);
+  if (ctl.up) log("agentbox-ctl daemon up");
+  else log(`agentbox-ctl daemon did not become reachable: ${ctl.reason}`);
   if (opts.withPlaywright) {
     log("installing @playwright/cli@latest (--with-playwright)");
-    const result = await execa14(
+    const result = await execa15(
       "docker",
       [
         "exec",
@@ -7360,41 +7784,14 @@ async function createBox(opts) {
     }
   }
   const record = {
-    id,
-    name,
-    container: containerName,
-    image: imageRef,
-    workspacePath: workspace,
-    snapshotDir,
-    socketPath,
-    claudeConfigVolume: claudeSpec.volume,
-    codexConfigVolume,
-    opencodeConfigVolume,
-    vscodeServerVolume: vscodeServerVolumeName(id),
-    cursorServerVolume: cursorServerVolumeName(id),
-    relayToken: relayUp ? relayToken : void 0,
-    gitWorktrees: gitWorktreeRecords.length > 0 ? gitWorktreeRecords : void 0,
-    withPlaywright: opts.withPlaywright ? true : void 0,
-    withEnv: opts.withEnv ? true : void 0,
+    ...baseRecord,
     carry: carrySummary,
-    vncEnabled: vncEnabled ? true : void 0,
-    vncContainerPort: vncEnabled ? VNC_CONTAINER_PORT : void 0,
     vncHostPort: vncHostPort ?? void 0,
-    vncPassword,
-    webContainerPort: WEB_CONTAINER_PORT,
     webHostPort: webHostPort ?? void 0,
     portlessAlias: portlessAliasName,
     portlessUrl,
     portlessVncAlias: portlessVncAliasName,
-    portlessVncUrl,
-    dockerVolume,
-    dockerCacheShared: dockerCacheShared || void 0,
-    projectRoot: opts.projectRoot,
-    projectIndex,
-    checkpointImage,
-    checkpointSource,
-    resourceLimits: persistableLimits(effectiveLimits),
-    createdAt
+    portlessVncUrl
   };
   await recordBox(record);
   return { record, imageBuilt: built, resync: resyncResult };
@@ -7445,7 +7842,7 @@ function parseShellSessionList(stdout) {
   return out;
 }
 async function listShellSessions(container, user) {
-  const res = await execa15(
+  const res = await execa16(
     "docker",
     [
       "exec",
@@ -7469,7 +7866,7 @@ async function startShellSession(opts) {
   const login = opts.login !== false;
   const term = process.env["TERM"] ?? "xterm-256color";
   const cmd = login ? "bash -l" : "bash";
-  const result = await execa15(
+  const result = await execa16(
     "docker",
     [
       "exec",
@@ -7518,7 +7915,7 @@ function buildShellSessionAttachArgv(container, sessionName, user) {
 }
 async function shellSessionInfo(container, sessionName, user) {
   const name = sessionName ?? DEFAULT_SHELL_SESSION;
-  const has = await execa15(
+  const has = await execa16(
     "docker",
     ["exec", "--user", user ?? CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -7526,7 +7923,7 @@ async function shellSessionInfo(container, sessionName, user) {
   return { running: has.exitCode === 0, sessionName: name };
 }
 async function killShellSession(container, sessionName, user) {
-  const res = await execa15(
+  const res = await execa16(
     "docker",
     [
       "exec",
@@ -7580,7 +7977,7 @@ async function getBoxEndpoints(record, engine, persisted) {
     for (const svc of persistedServices) pushService(svc.name, svc.port);
   } else {
     try {
-      const cfg = await loadConfig(join12(record.workspacePath, "agentbox.yaml"));
+      const cfg = await loadConfig(join13(record.workspacePath, "agentbox.yaml"));
       if (!webServiceName) {
         webServiceName = cfg.services.find((s) => s.expose)?.name ?? null;
       }
@@ -7731,9 +8128,9 @@ async function resyncBox(idOrName, onLog) {
 async function startBox(idOrName) {
   const box = await resolveBox(idOrName);
   for (const w of box.gitWorktrees ?? []) {
-    if (!await pathExists7(join13(w.hostMainRepo, ".git"))) {
+    if (!await pathExists7(join14(w.hostMainRepo, ".git"))) {
       throw new Error(
-        `main repo for box worktree missing: ${join13(w.hostMainRepo, ".git")} (recreate the box)`
+        `main repo for box worktree missing: ${join14(w.hostMainRepo, ".git")} (recreate the box)`
       );
     }
   }
@@ -7749,12 +8146,12 @@ async function startBox(idOrName) {
     );
   }
   await ensureHomeOwnedByVscode(box.container);
-  if (box.socketPath) {
-    await launchCtlDaemon(box.container, box.socketPath);
-  }
   if (box.dockerVolume) {
     await launchDockerdDaemon(box.container);
   }
+  if (box.socketPath) {
+    await launchCtlDaemon(box.container, box.socketPath);
+  }
   if (box.vncEnabled) {
     await launchVncDaemon(box.container);
     const freshHostPort = await publishedHostPort(box.container, VNC_CONTAINER_PORT);
@@ -7809,7 +8206,8 @@ async function startBox(idOrName) {
         containerName: box.container,
         createdAt: box.createdAt,
         projectIndex: box.projectIndex,
-        worktrees: box.gitWorktrees
+        worktrees: box.gitWorktrees,
+        autoApproveHostActions: box.autoApproveHostActions
       });
     } catch {
     }
@@ -7828,7 +8226,7 @@ async function getBoxHostPaths(idOrName) {
 }
 async function dirSizeBytes(path) {
   try {
-    const result = await execa16("du", ["-sk", path], { reject: false });
+    const result = await execa17("du", ["-sk", path], { reject: false });
     if (result.exitCode !== 0) return null;
     const sizeKb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
     if (Number.isNaN(sizeKb)) return null;
@@ -7902,16 +8300,13 @@ async function destroyBox(idOrName, opts = {}) {
     } catch {
     }
   }
-  const ownsWorktrees = !box.checkpointImage;
-  if (ownsWorktrees) {
-    for (const w of box.gitWorktrees ?? []) {
-      try {
-        await removeInBoxWorktree({
-          hostMainRepo: w.hostMainRepo,
-          gitWorktreePath: w.gitWorktreePath
-        });
-      } catch {
-      }
+  for (const w of box.gitWorktrees ?? []) {
+    try {
+      await removeInBoxWorktree({
+        hostMainRepo: w.hostMainRepo,
+        gitWorktreePath: w.gitWorktreePath
+      });
+    } catch {
     }
   }
   const beforeContainer = await inspectContainerStatus(box.container);
@@ -7962,7 +8357,7 @@ async function destroyBox(idOrName, opts = {}) {
 async function listSnapshotDirs() {
   try {
     const entries = await readdir7(SNAPSHOTS_ROOT, { withFileTypes: true });
-    return entries.filter((e) => e.isDirectory()).map((e) => join13(SNAPSHOTS_ROOT, e.name));
+    return entries.filter((e) => e.isDirectory()).map((e) => join14(SNAPSHOTS_ROOT, e.name));
   } catch {
     return [];
   }
@@ -7970,13 +8365,13 @@ async function listSnapshotDirs() {
 async function listBoxDirs() {
   try {
     const entries = await readdir7(BOXES_ROOT, { withFileTypes: true });
-    return entries.filter((e) => e.isDirectory()).map((e) => join13(BOXES_ROOT, e.name));
+    return entries.filter((e) => e.isDirectory()).map((e) => join14(BOXES_ROOT, e.name));
   } catch {
     return [];
   }
 }
 async function listCheckpointImageTags() {
-  const r = await execa16(
+  const r = await execa17(
     "docker",
     ["image", "ls", "--format", "{{.Repository}}:{{.Tag}}", `${CHECKPOINT_IMAGE_PREFIX}*`],
     { reject: false }
@@ -8084,7 +8479,7 @@ async function pruneBoxes(opts = {}) {
     } catch {
     }
     try {
-      await execa16("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
+      await execa17("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
     } catch {
     }
     try {
@@ -8146,7 +8541,7 @@ function splitPair(raw) {
   return [parts[0].trim(), parts[1].trim()];
 }
 async function duBytes(path) {
-  const result = await execa17("du", ["-sk", path], { reject: false });
+  const result = await execa18("du", ["-sk", path], { reject: false });
   if (result.exitCode !== 0) return null;
   const kb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
   return Number.isNaN(kb) ? null : kb * 1024;
@@ -8155,11 +8550,11 @@ async function volumeSizeBytes(name) {
   if (!name) return null;
   const engine = await detectEngine();
   if (engine === "orbstack") {
-    const live = join14(homedir11(), "OrbStack", "docker", "volumes", name);
+    const live = join15(homedir11(), "OrbStack", "docker", "volumes", name);
     const sz = await duBytes(live);
     if (sz !== null) return sz;
   }
-  const df = await execa17(
+  const df = await execa18(
     "docker",
     ["system", "df", "-v", "--format", "{{json .Volumes}}"],
     { reject: false }
@@ -8180,7 +8575,7 @@ async function volumeSizeBytes(name) {
   return null;
 }
 async function imageBytes(tag) {
-  const r = await execa17("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
+  const r = await execa18("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
     reject: false
   });
   if (r.exitCode !== 0) return null;
@@ -8191,7 +8586,7 @@ async function projectCheckpointImageBytes(projectRoot, name) {
   return imageBytes(checkpointImageTag(projectRoot, name));
 }
 async function allCheckpointImagesBytes() {
-  const r = await execa17(
+  const r = await execa18(
     "docker",
     [
       "image",
@@ -8218,7 +8613,7 @@ async function allCheckpointImagesBytes() {
   return any ? total : null;
 }
 async function agentboxHomeBytes() {
-  return duBytes(join14(homedir11(), ".agentbox"));
+  return duBytes(join15(homedir11(), ".agentbox"));
 }
 function limitsFromRecord(record) {
   const r = record.resourceLimits;
@@ -8243,7 +8638,7 @@ function reconcileLimits(persisted, dockerJson) {
   };
 }
 async function containerWritableBytes(container) {
-  const r = await execa17(
+  const r = await execa18(
     "docker",
     ["ps", "-a", "--filter", `name=^${container}$`, "--format", "{{.Size}}", "--size"],
     { reject: false }
@@ -8290,7 +8685,7 @@ async function boxResourceStats(record) {
   if (await inspectContainerStatus(record.container) !== "running") {
     return base;
   }
-  const proc = await execa17(
+  const proc = await execa18(
     "docker",
     ["stats", "--no-stream", "--format", "{{json .}}", record.container],
     { reject: false }
@@ -8325,125 +8720,6 @@ async function boxResourceStats(record) {
     blockWriteBytes: blkPair ? parseDockerSize(blkPair[1]) : null
   };
 }
-function posixDirname(p) {
-  return posix.dirname(p) || "/";
-}
-function asText(s) {
-  if (s === void 0) return "";
-  if (typeof s === "string") return s;
-  return Buffer.from(s).toString("utf8");
-}
-async function uploadToBox(box, hostSrc, boxDst) {
-  const srcAbs = resolve4(hostSrc);
-  if (!existsSync3(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
-  const srcBasename = basename5(srcAbs);
-  const srcParent = dirname22(srcAbs);
-  let boxParent;
-  let finalName;
-  if (boxDst.endsWith("/")) {
-    boxParent = boxDst.replace(/\/+$/, "") || "/";
-    finalName = srcBasename;
-  } else {
-    const isDir2 = await execa18(
-      "docker",
-      ["exec", box.container, "test", "-d", boxDst],
-      { reject: false }
-    );
-    if (isDir2.exitCode === 0) {
-      boxParent = boxDst.replace(/\/+$/, "") || "/";
-      finalName = srcBasename;
-    } else {
-      boxParent = posixDirname(boxDst);
-      finalName = posix.basename(boxDst);
-    }
-  }
-  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
-  const mk = await execa18(
-    "docker",
-    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
-    { reject: false }
-  );
-  if (mk.exitCode !== 0) {
-    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
-  }
-  const packed = await execa18("tar", ["-C", srcParent, "-cf", "-", srcBasename], {
-    encoding: "buffer",
-    reject: false,
-    env: { ...process.env, COPYFILE_DISABLE: "1" }
-  });
-  if (packed.exitCode !== 0) {
-    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
-  }
-  const extract = await execa18(
-    "docker",
-    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
-    { input: packed.stdout, reject: false }
-  );
-  if (extract.exitCode !== 0) {
-    throw new Error(`tar extract in box failed: ${asText(extract.stderr).slice(0, 300)}`);
-  }
-  if (finalName !== srcBasename) {
-    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
-    const mv = await execa18(
-      "docker",
-      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
-      { reject: false }
-    );
-    if (mv.exitCode !== 0) {
-      throw new Error(
-        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
-      );
-    }
-  }
-  const chown = await execa18(
-    "docker",
-    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
-    { reject: false }
-  );
-  if (chown.exitCode !== 0) {
-    return {
-      finalPath,
-      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
-    };
-  }
-  return { finalPath };
-}
-async function downloadFromBox(box, boxSrc, hostDst) {
-  const srcBasename = posix.basename(boxSrc);
-  const srcParent = posixDirname(boxSrc);
-  const dstAbs = resolve4(hostDst);
-  let hostParent;
-  let finalName;
-  const dstExists = existsSync3(dstAbs);
-  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
-    hostParent = dstAbs;
-    finalName = srcBasename;
-  } else {
-    hostParent = dirname22(dstAbs);
-    finalName = basename5(dstAbs);
-  }
-  mkdirSync(hostParent, { recursive: true });
-  const finalPath = posix.join(hostParent, finalName);
-  const packed = await execa18(
-    "docker",
-    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", srcBasename],
-    { encoding: "buffer", reject: false }
-  );
-  if (packed.exitCode !== 0) {
-    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
-  }
-  const extract = await execa18("tar", ["-xf", "-", "-C", hostParent], {
-    input: packed.stdout,
-    reject: false
-  });
-  if (extract.exitCode !== 0) {
-    throw new Error(`tar extract on host failed: ${asText(extract.stderr).slice(0, 300)}`);
-  }
-  if (finalName !== srcBasename) {
-    renameSync(posix.join(hostParent, srcBasename), finalPath);
-  }
-  return { finalPath };
-}
 var dockerProvider = {
   name: "docker",
   async create(req) {
@@ -8519,12 +8795,12 @@ var dockerProvider = {
     const r = await execInBox(box.container, argv, opts?.user ? { user: opts.user } : {});
     return { exitCode: r.exitCode, stdout: r.stdout, stderr: r.stderr };
   },
-  async uploadPath(box, hostSrc, boxDst) {
-    const r = await uploadToBox(box, hostSrc, boxDst);
+  async uploadPath(box, hostSrc, boxDst, exclude) {
+    const r = await uploadToBox(box, hostSrc, boxDst, exclude);
     return { finalPath: r.finalPath };
   },
-  async downloadPath(box, boxSrc, hostDst) {
-    const r = await downloadFromBox(box, boxSrc, hostDst);
+  async downloadPath(box, boxSrc, hostDst, exclude) {
+    const r = await downloadFromBox(box, boxSrc, hostDst, exclude);
     return { finalPath: r.finalPath };
   },
   async resolveUrl(box, opts) {
@@ -8604,7 +8880,7 @@ async function walkFiles(root, prefix = "") {
   const out = [];
   for (const ent of entries) {
     const rel = prefix ? `${prefix}/${ent.name}` : ent.name;
-    const full = join15(root, ent.name);
+    const full = join16(root, ent.name);
     if (ent.isDirectory()) {
       out.push(...await walkFiles(full, rel));
     } else if (ent.isFile()) {
@@ -8620,20 +8896,20 @@ async function walkFiles(root, prefix = "") {
   return out;
 }
 async function hashFile(absPath) {
-  const buf = await readFile8(absPath);
-  return createHash22("sha256").update(buf).digest("hex");
+  const buf = await readFile9(absPath);
+  return createHash32("sha256").update(buf).digest("hex");
 }
 async function buildHostSet(name, hostDir, boxDst) {
   if (hostDir === null) return { dst: boxDst, files: {}, hostDir: null };
   const rels = await walkFiles(hostDir);
   const files = {};
   for (const rel of rels) {
-    files[rel] = await hashFile(join15(hostDir, rel));
+    files[rel] = await hashFile(join16(hostDir, rel));
   }
   return { dst: boxDst, files, hostDir };
 }
 async function buildHostSyncManifest(workspacePath, hostHome = homedir12()) {
-  const workflowsDir = join15(hostHome, ".claude", "workflows");
+  const workflowsDir = join16(hostHome, ".claude", "workflows");
   const workflowsHost = await pathExists8(workflowsDir) ? workflowsDir : null;
   const memoryHost = await resolveClaudeMemoryDir(workspacePath, hostHome);
   const [workflows, memory] = await Promise.all([
@@ -8655,7 +8931,7 @@ function computeSyncDelta(host, box) {
         uploads.push({
           set: name,
           rel,
-          absSrc: join15(hostSet.hostDir, rel),
+          absSrc: join16(hostSet.hostDir, rel),
           dst: `${hostSet.dst}/${rel}`
         });
       }
@@ -8674,15 +8950,15 @@ async function stageDynamicSyncTarball(uploads) {
     return { tarballPath: null, cleanup: async () => {
     } };
   }
-  const stageDir = await mkdtemp4(join15(tmpdir4(), "agentbox-dynsync-stage-"));
+  const stageDir = await mkdtemp4(join16(tmpdir4(), "agentbox-dynsync-stage-"));
   let tarballPath = null;
   try {
     for (const up of uploads) {
-      const target = join15(stageDir, up.set, up.rel);
+      const target = join16(stageDir, up.set, up.rel);
       await mkdir8(dirname32(target), { recursive: true });
       await copyFile2(up.absSrc, target);
     }
-    tarballPath = join15(tmpdir4(), `agentbox-dynsync-${basename6(stageDir)}.tar.gz`);
+    tarballPath = join16(tmpdir4(), `agentbox-dynsync-${basename6(stageDir)}.tar.gz`);
     await execa19("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
       env: { ...process.env, COPYFILE_DISABLE: "1" }
     });
@@ -8723,6 +8999,7 @@ async function ensureBoxBrowser(container, timeoutMs = 8e3, targetUrl = "about:b
 }
 
 export {
+  BUILT_IN_DEFAULTS,
   KEY_REGISTRY,
   lookupKey,
   UserConfigError,
@@ -8748,6 +9025,7 @@ export {
   renderPortsTable,
   loadCarrySection,
   resolveAgentLauncher,
+  UserFacingError,
   BoxNotFoundError,
   AmbiguousBoxError,
   generateBoxId,
@@ -8768,6 +9046,8 @@ export {
   execInBox,
   removeImage,
   volumeExists,
+  uploadToBox,
+  downloadFromBox,
   CONTAINER_EXPORT_MERGED,
   detectEngine,
   setEngineOverride,
@@ -8804,6 +9084,7 @@ export {
   encodeClaudeProjectsKey,
   BOX_CLAUDE_PROJECT_DIR,
   resolveClaudeMemoryDir,
+  stageClaudeJsonOnlyForUpload,
   stageClaudeStaticForUpload,
   stageClaudeCredentialsForUpload,
   stageCodexStaticForUpload,
@@ -8967,8 +9248,6 @@ export {
   allCheckpointImagesBytes,
   agentboxHomeBytes,
   boxResourceStats,
-  uploadToBox,
-  downloadFromBox,
   dockerProvider,
   BOX_WORKFLOWS_DIR,
   BOX_DYNAMIC_SYNC_MANIFEST,
@@ -8979,4 +9258,4 @@ export {
   browserSessionActive,
   ensureBoxBrowser
 };
-//# sourceMappingURL=chunk-B4QG2MCW.js.map
+//# sourceMappingURL=chunk-MLMFNN4T.js.map