@madarco/agentbox 0.14.0 → 0.15.0

package/dist/{chunk-TCS5HXJX.js → chunk-MLMFNN4T.js}

@@ -24,8 +24,8 @@ import {
 // ../../packages/sandbox-docker/dist/index.js
 import { mkdir as mkdir7, stat as stat8 } from "fs/promises";
 import { homedir as homedir10 } from "os";
-import { basename as basename4, join as join12, resolve as resolve3 } from "path";
-import { execa as execa14 } from "execa";
+import { basename as basename5, join as join12, resolve as resolve4 } from "path";
+import { execa as execa15 } from "execa";
 
 // ../../packages/ctl/dist/index.js
 import { readFile } from "fs/promises";
@@ -517,7 +517,21 @@ var CarryConfigError = class extends Error {
     this.name = "CarryConfigError";
   }
 };
-var ITEM_KEYS = /* @__PURE__ */ new Set(["src", "dest", "mode", "user", "optional"]);
+var ITEM_KEYS = /* @__PURE__ */ new Set(["src", "dest", "mode", "user", "exclude", "optional"]);
+function parseExclude(raw, where) {
+  if (raw === void 0 || raw === null) return void 0;
+  if (!Array.isArray(raw)) {
+    throw new CarryConfigError(`${where}.exclude must be a list of glob/name strings`);
+  }
+  const out = [];
+  for (const [i, v] of raw.entries()) {
+    if (typeof v !== "string" || v.trim().length === 0) {
+      throw new CarryConfigError(`${where}.exclude[${String(i)}] must be a non-empty string`);
+    }
+    out.push(v.trim());
+  }
+  return out.length > 0 ? out : void 0;
+}
 function parseUser(raw, where) {
   if (raw === void 0 || raw === null) return void 0;
   let n;
@@ -646,6 +660,7 @@ function parseMapping(raw, where) {
   assertDestShape(dest, where);
   const mode = parseMode(raw.mode, where);
   const user = parseUser(raw.user, where);
+  const exclude = parseExclude(raw.exclude, where);
   let optional = false;
   if (raw.optional !== void 0 && raw.optional !== null) {
     if (typeof raw.optional !== "boolean") {
@@ -656,6 +671,7 @@ function parseMapping(raw, where) {
   const out = { src, dest, optional };
   if (mode !== void 0) out.mode = mode;
   if (user !== void 0) out.user = user;
+  if (exclude !== void 0) out.exclude = exclude;
   return out;
 }
 function parseCarryRaw(raw) {
@@ -702,20 +718,6 @@ async function loadCarrySection(path) {
   return parseCarrySection(text);
 }
 
-// ../../packages/sandbox-docker/dist/index.js
-import { spawnSync } from "child_process";
-import { mkdir as mkdir3, mkdtemp as mkdtemp2, readdir as readdir3, readFile as readFile42, realpath as realpath2, rm as rm2, stat as stat3, writeFile as writeFile22 } from "fs/promises";
-import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
-import { isAbsolute as isAbsolute2, join as join4, relative as relative2 } from "path";
-import { setTimeout as delay } from "timers/promises";
-import { execa as execa5 } from "execa";
-import { execa as execa2 } from "execa";
-import { mkdir as mkdir4, readFile as readFile5, readdir as readdir4, stat as stat4 } from "fs/promises";
-import { createHash as createHash3 } from "crypto";
-import { homedir as homedir2 } from "os";
-import { join as join5 } from "path";
-import { execa as execa22 } from "execa";
-
 // ../../packages/config/dist/index.js
 import { parse as parseYaml3 } from "yaml";
 import { createHash } from "crypto";
@@ -748,6 +750,7 @@ var BUILT_IN_DEFAULTS = {
     withEnv: false,
     resyncOnStart: true,
     vnc: true,
+    autoApproveHostActions: false,
     isolateClaudeConfig: false,
     isolateCodexConfig: false,
     isolateOpencodeConfig: false,
@@ -768,7 +771,8 @@ var BUILT_IN_DEFAULTS = {
     bundleDepth: void 0,
     vercelVcpus: 2,
     vercelTimeoutMs: 27e5,
-    vercelNetworkPolicy: ""
+    vercelNetworkPolicy: "",
+    cpMaxBytes: 100 * 1024 * 1024
   },
   checkpoint: {
     maxLayers: 3
@@ -824,7 +828,8 @@ var BUILT_IN_DEFAULTS = {
     enabled: true,
     maxConcurrent: 5,
     maxWorking: 0,
-    idleGraceSeconds: 15
+    idleGraceSeconds: 15,
+    openIn: "none"
   },
   cloud: {
     useCurrentBranch: false
@@ -942,6 +947,11 @@ var KEY_REGISTRY = [
     type: "bool",
     description: "Run the per-box Xvnc + noVNC stack."
   },
+  {
+    key: "box.autoApproveHostActions",
+    type: "bool",
+    description: "Auto-approve host-action confirmations (git push, cp host<->box, gh PR writes, checkpoint) for this box without an interactive prompt. Off by default; intended for unattended orchestration of trusted boxes. Each auto-approval is recorded as a relay event (visible in `agentbox agent` / the dashboard)."
+  },
   {
     key: "box.isolateClaudeConfig",
     type: "bool",
@@ -1040,6 +1050,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
   },
+  {
+    key: "box.cpMaxBytes",
+    type: "int",
+    description: "Max bytes a single host\u2192box copy may transfer after excludes, shared by `agentbox cp` (blocked with a size breakdown unless --yes) and each `carry:` entry (rejected at resolve time). Default 104857600 (100 MiB).",
+    advanced: true
+  },
   {
     key: "box.vercelNetworkPolicy",
     type: "string",
@@ -1187,6 +1203,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
   },
+  {
+    key: "queue.openIn",
+    type: "enum",
+    enumValues: ["none", "split", "window", "tab"],
+    description: "When a background `-i` job finishes creating its box, where the host relay opens an attached terminal onto it: `none` (default \u2014 open nothing, just queue), `split`, `window`, or `tab`. Honored only when the submitting shell runs inside tmux, cmux, or iTerm2 (the targeting is captured at submit time). Under cmux, `split` splits the pane you submitted from (falling back to the parent workspace, then a new workspace), `tab` adds a tab in the parent workspace, and `window` opens a separate workspace; iTerm2 opens relative to the frontmost window. Unlike `attach.openIn` there is no `same` mode \u2014 the box is created asynchronously, so it is always a fresh terminal."
+  },
   {
     key: "cloud.useCurrentBranch",
     type: "bool",
@@ -1771,33 +1793,48 @@ async function touchProjectMeta(absPath) {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
+import { spawnSync } from "child_process";
+import { mkdir as mkdir3, mkdtemp as mkdtemp2, readdir as readdir3, readFile as readFile42, realpath as realpath2, rm as rm2, stat as stat3, writeFile as writeFile22 } from "fs/promises";
+import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
+import { isAbsolute as isAbsolute2, join as join4, relative as relative2 } from "path";
+import { setTimeout as delay } from "timers/promises";
+import { execa as execa6 } from "execa";
+import { execa as execa2 } from "execa";
+import { mkdir as mkdir4, readFile as readFile5, readdir as readdir4, stat as stat4 } from "fs/promises";
+import { createHash as createHash3 } from "crypto";
+import { homedir as homedir2 } from "os";
+import { join as join5 } from "path";
+import { execa as execa3 } from "execa";
+import { existsSync, mkdirSync, renameSync, statSync } from "fs";
+import { basename as basename2, dirname as dirname3, posix, resolve as resolve2 } from "path";
+import { execa as execa22 } from "execa";
 import { copyFile, mkdtemp, readdir as readdir22, readFile as readFile32, rm as rm3, stat as stat22, writeFile as writeFile3 } from "fs/promises";
 import { homedir as homedir22, tmpdir } from "os";
-import { basename as basename2, join as join32, relative } from "path";
-import { execa as execa4 } from "execa";
+import { basename as basename3, join as join32, relative } from "path";
+import { execa as execa5 } from "execa";
 import { chmod, mkdir as mkdir22, readFile as readFile23 } from "fs/promises";
-import { basename as basename3, join as join22 } from "path";
-import { execa as execa3 } from "execa";
+import { basename as basename22, join as join22 } from "path";
+import { execa as execa4 } from "execa";
 import { spawnSync as spawnSync2 } from "child_process";
 import { stat as stat42 } from "fs/promises";
 import { homedir as homedir4 } from "os";
 import { join as join52 } from "path";
-import { execa as execa6 } from "execa";
+import { execa as execa7 } from "execa";
 import { spawnSync as spawnSync3 } from "child_process";
 import { stat as stat5 } from "fs/promises";
 import { homedir as homedir5 } from "os";
 import { join as join6 } from "path";
-import { execa as execa7 } from "execa";
+import { execa as execa8 } from "execa";
 import { randomBytes as randomBytes3 } from "crypto";
 import { createHash as createHash22 } from "crypto";
 import { readFile as readFile52 } from "fs/promises";
 import { join as join7 } from "path";
-import { execa as execa8 } from "execa";
-import { existsSync } from "fs";
+import { execa as execa9 } from "execa";
+import { existsSync as existsSync2 } from "fs";
 import { readFile as readFile6 } from "fs/promises";
 import { homedir as homedir6 } from "os";
 import { join as join8 } from "path";
-import { execa as execa9 } from "execa";
+import { execa as execa10 } from "execa";
 
 // ../../packages/core/dist/index.js
 import { randomBytes } from "crypto";
@@ -1862,25 +1899,25 @@ function generateBoxId() {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa10 } from "execa";
+import { execa as execa11 } from "execa";
 import { mkdir as mkdir42, readdir as readdir42, rm as rm32, stat as stat6 } from "fs/promises";
 import { homedir as homedir7, platform } from "os";
-import { join as join9, resolve as resolve2 } from "path";
+import { join as join9, resolve as resolve22 } from "path";
 import { mkdir as mkdir5, mkdtemp as mkdtemp3, readFile as readFile7, readdir as readdir5, rm as rm4, writeFile as writeFile32 } from "fs/promises";
 import { homedir as homedir8, tmpdir as tmpdir3 } from "os";
-import { basename as basename32, join as join10 } from "path";
-import { execa as execa11 } from "execa";
-import { stat as stat7 } from "fs/promises";
+import { basename as basename4, join as join10 } from "path";
 import { execa as execa12 } from "execa";
+import { stat as stat7 } from "fs/promises";
 import { execa as execa13 } from "execa";
+import { execa as execa14 } from "execa";
 import { spawn } from "child_process";
 import { randomBytes as randomBytes22 } from "crypto";
-import { existsSync as existsSync2, openSync } from "fs";
+import { existsSync as existsSync3, openSync } from "fs";
 import { cp, mkdir as mkdir6, readFile as readFile8, readdir as readdir6, rename as rename3, rm as rm5, unlink as unlink2, writeFile as writeFile4 } from "fs/promises";
 import { request as httpRequest } from "http";
 import { createRequire } from "module";
 import { homedir as homedir9 } from "os";
-import { dirname as dirname3, join as join11, resolve as resolve22, sep } from "path";
+import { dirname as dirname22, join as join11, resolve as resolve3, sep } from "path";
 import { setTimeout as delay2 } from "timers/promises";
 import { fileURLToPath } from "url";
 
@@ -2110,16 +2147,13 @@ function queueLogPath(id) {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa16 } from "execa";
+import { execa as execa17 } from "execa";
 import { readdir as readdir7, rm as rm6, stat as stat9 } from "fs/promises";
 import { join as join14 } from "path";
-import { execa as execa15 } from "execa";
+import { execa as execa16 } from "execa";
 import { join as join13 } from "path";
 import { homedir as homedir11 } from "os";
 import { join as join15 } from "path";
-import { execa as execa17 } from "execa";
-import { existsSync as existsSync3, mkdirSync, renameSync, statSync } from "fs";
-import { basename as basename5, dirname as dirname22, posix, resolve as resolve4 } from "path";
 import { execa as execa18 } from "execa";
 import { createHash as createHash32 } from "crypto";
 import { copyFile as copyFile2, mkdir as mkdir8, mkdtemp as mkdtemp4, readdir as readdir8, readFile as readFile9, rm as rm7, stat as stat10 } from "fs/promises";
@@ -2520,11 +2554,144 @@ async function listAgentboxVolumes() {
   if (result.exitCode !== 0) return [];
   return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
 }
+function posixDirname(p) {
+  return posix.dirname(p) || "/";
+}
+function asText(s) {
+  if (s === void 0) return "";
+  if (typeof s === "string") return s;
+  return Buffer.from(s).toString("utf8");
+}
+function tarExcludeArgs(exclude) {
+  return (exclude ?? []).map((p) => `--exclude=${p}`);
+}
+async function streamTarPipe(producerFile, producerArgs, consumerFile, consumerArgs, producerEnv) {
+  const producer = execa22(producerFile, producerArgs, {
+    reject: false,
+    buffer: { stdout: false },
+    ...producerEnv ? { env: producerEnv } : {}
+  });
+  const consumer = execa22(consumerFile, consumerArgs, {
+    reject: false,
+    buffer: { stdout: false }
+  });
+  producer.stdout?.pipe(consumer.stdin);
+  const [p, c] = await Promise.all([producer, consumer]);
+  return [
+    { exitCode: p.exitCode, stderr: p.stderr },
+    { exitCode: c.exitCode, stderr: c.stderr }
+  ];
+}
+async function uploadToBox(box, hostSrc, boxDst, exclude) {
+  const srcAbs = resolve2(hostSrc);
+  if (!existsSync(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
+  const srcBasename = basename2(srcAbs);
+  const srcParent = dirname3(srcAbs);
+  let boxParent;
+  let finalName;
+  if (boxDst.endsWith("/")) {
+    boxParent = boxDst.replace(/\/+$/, "") || "/";
+    finalName = srcBasename;
+  } else {
+    const isDir2 = await execa22(
+      "docker",
+      ["exec", box.container, "test", "-d", boxDst],
+      { reject: false }
+    );
+    if (isDir2.exitCode === 0) {
+      boxParent = boxDst.replace(/\/+$/, "") || "/";
+      finalName = srcBasename;
+    } else {
+      boxParent = posixDirname(boxDst);
+      finalName = posix.basename(boxDst);
+    }
+  }
+  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
+  const mk = await execa22(
+    "docker",
+    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
+    { reject: false }
+  );
+  if (mk.exitCode !== 0) {
+    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
+  }
+  const [packed, extracted] = await streamTarPipe(
+    "tar",
+    ["-C", srcParent, "-cf", "-", ...tarExcludeArgs(exclude), srcBasename],
+    "docker",
+    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
+    { ...process.env, COPYFILE_DISABLE: "1" }
+  );
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  if (extracted.exitCode !== 0) {
+    throw new Error(`tar extract in box failed: ${asText(extracted.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
+    const mv = await execa22(
+      "docker",
+      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
+      { reject: false }
+    );
+    if (mv.exitCode !== 0) {
+      throw new Error(
+        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
+      );
+    }
+  }
+  const chown = await execa22(
+    "docker",
+    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
+    { reject: false }
+  );
+  if (chown.exitCode !== 0) {
+    return {
+      finalPath,
+      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
+    };
+  }
+  return { finalPath };
+}
+async function downloadFromBox(box, boxSrc, hostDst, exclude) {
+  const srcBasename = posix.basename(boxSrc);
+  const srcParent = posixDirname(boxSrc);
+  const dstAbs = resolve2(hostDst);
+  let hostParent;
+  let finalName;
+  const dstExists = existsSync(dstAbs);
+  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
+    hostParent = dstAbs;
+    finalName = srcBasename;
+  } else {
+    hostParent = dirname3(dstAbs);
+    finalName = basename2(dstAbs);
+  }
+  mkdirSync(hostParent, { recursive: true });
+  const finalPath = posix.join(hostParent, finalName);
+  const [packed, extracted] = await streamTarPipe(
+    "docker",
+    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", ...tarExcludeArgs(exclude), srcBasename],
+    "tar",
+    ["-xf", "-", "-C", hostParent]
+  );
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  if (extracted.exitCode !== 0) {
+    throw new Error(`tar extract on host failed: ${asText(extracted.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    renameSync(posix.join(hostParent, srcBasename), finalPath);
+  }
+  return { finalPath };
+}
 var CONTAINER_EXPORT_MERGED = "/host-export";
 var cachedEngine = null;
 async function detectEngine() {
   if (cachedEngine !== null) return cachedEngine;
-  const result = await execa22("docker", ["info", "--format", "{{.OperatingSystem}}"], {
+  const result = await execa3("docker", ["info", "--format", "{{.OperatingSystem}}"], {
     reject: false
   });
   const os = (result.stdout ?? "").trim().toLowerCase();
@@ -2537,7 +2704,7 @@ function setEngineOverride(engine) {
   cachedEngine = engine;
 }
 async function getDockerContext() {
-  const result = await execa22("docker", ["context", "show"], { reject: false });
+  const result = await execa3("docker", ["context", "show"], { reject: false });
   if (result.exitCode !== 0) return void 0;
   const ctx = (result.stdout ?? "").trim();
   return ctx.length > 0 ? ctx : void 0;
@@ -2597,7 +2764,7 @@ async function refreshExport(record, opts = {}) {
     return { hostPath: paths.mergedExport, copied: true, usedFallback: false };
   }
   const excludes = excludeNodeModules ? ["--exclude=node_modules"] : [];
-  const result = await execa22(
+  const result = await execa3(
     "docker",
     ["exec", "--user", "root", record.container, "tar", "-cf", "-", ...excludes, "-C", "/workspace", "."],
     { reject: false, encoding: "buffer" }
@@ -2609,7 +2776,7 @@ async function refreshExport(record, opts = {}) {
       typeof result.stderr === "string" ? result.stderr : result.stderr.toString("utf8")
     );
   }
-  const extract = await execa22("tar", ["-xf", "-", "-C", paths.mergedExport], {
+  const extract = await execa3("tar", ["-xf", "-", "-C", paths.mergedExport], {
     input: result.stdout,
     reject: false
   });
@@ -2704,7 +2871,7 @@ function buildHostEnvFindArgs(patterns) {
 async function copyHostEnvFilesToBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const found = await execa22("find", buildHostEnvFindArgs(opts.patterns).slice(1), {
+  const found = await execa3("find", buildHostEnvFindArgs(opts.patterns).slice(1), {
     cwd: opts.workspaceDir,
     reject: false
   });
@@ -2714,7 +2881,7 @@ async function copyHostEnvFilesToBox(opts) {
   }
   const list = String(found.stdout).split("\0").filter((p) => p.length > 0);
   if (list.length === 0) return { copied: 0 };
-  const packed = await execa22("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
+  const packed = await execa3("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
     input: list.join("\0"),
     encoding: "buffer",
     reject: false
@@ -2723,7 +2890,7 @@ async function copyHostEnvFilesToBox(opts) {
     log(`warning: env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     return { copied: 0 };
   }
-  const extract = await execa22(
+  const extract = await execa3(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-xf", "-", "-C", "/workspace"],
     { input: packed.stdout, reject: false }
@@ -2736,7 +2903,7 @@ async function copyHostEnvFilesToBox(opts) {
 }
 async function scanHostEnvFiles(workspaceDir, patterns) {
   if (patterns.length === 0) return [];
-  const found = await execa22("find", buildHostEnvFindArgs(patterns).slice(1), {
+  const found = await execa3("find", buildHostEnvFindArgs(patterns).slice(1), {
     cwd: workspaceDir,
     reject: false
   });
@@ -2748,7 +2915,7 @@ async function copyHostFilesToBox(opts) {
   });
   const list = opts.files.map((p) => p.replace(/^\.\//, "")).filter((p) => p.length > 0);
   if (list.length === 0) return { copied: 0 };
-  const packed = await execa22("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
+  const packed = await execa3("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
     input: list.join("\0"),
     encoding: "buffer",
     reject: false
@@ -2757,7 +2924,7 @@ async function copyHostFilesToBox(opts) {
     log(`warning: env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     return { copied: 0 };
   }
-  const extract = await execa22(
+  const extract = await execa3(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-xf", "-", "-C", "/workspace"],
     { input: packed.stdout, reject: false }
@@ -2831,7 +2998,7 @@ async function pullToHost(record, opts = {}) {
   }
   const src = `${scratchDir}/`;
   const dst = `${record.workspacePath}/`;
-  const dry = await execa22("rsync", [...baseArgs, "--dry-run", "-i", src, dst], {
+  const dry = await execa3("rsync", [...baseArgs, "--dry-run", "-i", src, dst], {
     reject: false,
     input: fileList !== null ? fileList : void 0
   });
@@ -2842,7 +3009,7 @@ async function pullToHost(record, opts = {}) {
   if (opts.dryRun) {
     return { hostPath: record.workspacePath, changes, applied: false, usedGitignore };
   }
-  const real = await execa22("rsync", [...baseArgs, src, dst], {
+  const real = await execa3("rsync", [...baseArgs, src, dst], {
     reject: false,
     input: fileList !== null ? fileList : void 0
   });
@@ -2867,7 +3034,7 @@ async function openInFinder(record, opts) {
     usedFallback = refreshed.usedFallback;
   }
   if (!opts.noOpen) {
-    const opened = await execa22(hostOpenCommand(), [hostPath], { reject: false });
+    const opened = await execa3(hostOpenCommand(), [hostPath], { reject: false });
     if (opened.exitCode !== 0) {
       throw new ExportError(`open ${hostPath} failed`, opened.stdout, opened.stderr);
     }
@@ -2890,12 +3057,14 @@ async function carrySourceHash(entry) {
     if (entry.kind === "file") {
       return createHash3("sha256").update(await readFile5(entry.absSrc)).digest("hex");
     }
+    const exclude = entry.exclude ?? [];
     const h = createHash3("sha256");
     const walk = async (dir, rel) => {
       const names = (await readdir4(dir)).sort();
       for (const name of names) {
-        const abs = join5(dir, name);
         const relPath = rel ? `${rel}/${name}` : name;
+        if (carryRelExcluded(relPath, exclude)) continue;
+        const abs = join5(dir, name);
         const st = await stat4(abs);
         if (st.isDirectory()) {
           h.update(`d\0${relPath}
@@ -2914,6 +3083,24 @@ async function carrySourceHash(entry) {
     return void 0;
   }
 }
+function carryRelExcluded(relPath, patterns) {
+  if (patterns.length === 0) return false;
+  const segs = relPath.split("/");
+  for (const p of patterns) {
+    const isGlob = p.includes("*") || p.includes("?");
+    if (!isGlob) {
+      if (segs.includes(p)) return true;
+    } else if (p.startsWith("*/") && !/[*?/]/.test(p.slice(2))) {
+      if (segs.includes(p.slice(2))) return true;
+    } else {
+      const re = new RegExp(
+        `^${p.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+      );
+      if (re.test(relPath)) return true;
+    }
+  }
+  return false;
+}
 async function copyCarryPathsToBox(opts) {
   const log = opts.onLog ?? (() => {
   });
@@ -2949,7 +3136,7 @@ async function copyOneEntry(container, entry) {
   const boxDest = entry.absDest.startsWith("~/") ? `${BOX_HOME}/${entry.absDest.slice(2)}` : entry.absDest;
   const boxDestParent = boxDest.endsWith("/") ? boxDest.slice(0, -1) : boxDest;
   const parentDir = entry.kind === "dir" ? boxDestParent : dirnameUnix(boxDestParent);
-  const mkdir9 = await execa22(
+  const mkdir9 = await execa3(
     "docker",
     ["exec", "--user", "0:0", container, "mkdir", "-p", parentDir],
     { reject: false }
@@ -2958,7 +3145,7 @@ async function copyOneEntry(container, entry) {
     throw new Error(`mkdir -p ${parentDir} failed: ${String(mkdir9.stderr).slice(0, 300)}`);
   }
   if (entry.kind === "file") {
-    const cp2 = await execa22(
+    const cp2 = await execa3(
       "docker",
       ["cp", entry.absSrc, `${container}:${boxDest}`],
       { reject: false }
@@ -2967,15 +3154,10 @@ async function copyOneEntry(container, entry) {
       throw new Error(`docker cp failed: ${String(cp2.stderr).slice(0, 300)}`);
     }
   } else {
-    const packed = await execa22(
+    const excludeArgs = (entry.exclude ?? []).map((p) => `--exclude=${p}`);
+    const [packed, extract] = await streamTarPipe(
       "tar",
-      ["-C", entry.absSrc, "-cf", "-", "."],
-      { encoding: "buffer", reject: false }
-    );
-    if (packed.exitCode !== 0) {
-      throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
-    }
-    const extract = await execa22(
+      ["-C", entry.absSrc, "-cf", "-", ...excludeArgs, "."],
       "docker",
       [
         "exec",
@@ -2991,16 +3173,18 @@ async function copyOneEntry(container, entry) {
         "--no-same-permissions",
         "--no-same-owner",
         "-m"
-      ],
-      { input: packed.stdout, reject: false }
+      ]
     );
+    if (packed.exitCode !== 0) {
+      throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
+    }
     if (extract.exitCode !== 0) {
       throw new Error(`tar extract failed: ${String(extract.stderr).slice(0, 300)}`);
     }
   }
   if (entry.mode !== void 0) {
     const modeStr = entry.mode.toString(8).padStart(4, "0");
-    const chmod2 = await execa22(
+    const chmod2 = await execa3(
       "docker",
       ["exec", "--user", "0:0", container, "chmod", "-R", modeStr, boxDest],
       { reject: false }
@@ -3010,7 +3194,7 @@ async function copyOneEntry(container, entry) {
     }
   }
   const uid = entry.user ?? 1e3;
-  const chown = await execa22(
+  const chown = await execa3(
     "docker",
     ["exec", "--user", "0:0", container, "chown", "-R", `${String(uid)}:${String(uid)}`, boxDest],
     { reject: false }
@@ -3021,7 +3205,7 @@ async function copyOneEntry(container, entry) {
   if (boxDest.startsWith(BOX_HOME + "/") && dirnameUnix(boxDest) !== BOX_HOME) {
     const safeDest = boxDest.replace(/'/g, `'\\''`);
     const script = `set -e; parent="$(dirname '${safeDest}')"; while [ "$parent" != "${BOX_HOME}" ] && [ "$parent" != "/" ]; do chown ${String(uid)}:${String(uid)} "$parent"; parent="$(dirname "$parent")"; done`;
-    const chownParents = await execa22(
+    const chownParents = await execa3(
       "docker",
       ["exec", "--user", "0:0", container, "bash", "-c", script],
       { reject: false }
@@ -3069,7 +3253,7 @@ async function extractVolumeAuthToBackup(opts) {
   try {
     await mkdir22(STATE_DIR, { recursive: true });
     const script = 'COPIED=no; if [ -s /dst/auth.json ]; then cp -a /dst/auth.json "/host-state/$DEST" && COPIED=yes; fi; echo "COPIED=$COPIED"';
-    const { stdout } = await execa3("docker", [
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3081,7 +3265,7 @@ async function extractVolumeAuthToBackup(opts) {
       "-e",
       // Pass the destination filename via env so the path isn't interpolated
       // into the script string (keeps the docker arg list static + injection-safe).
-      `DEST=${basename3(opts.backupFile)}`,
+      `DEST=${basename22(opts.backupFile)}`,
       opts.image,
       "sh",
       "-c",
@@ -3133,7 +3317,7 @@ echo "EXTRACTED=$EXTRACTED SEEDED=$SEEDED VOLREAL=$VOL_REAL"
 async function syncClaudeCredentials(spec, opts) {
   try {
     await mkdir22(STATE_DIR, { recursive: true });
-    const { stdout } = await execa3("docker", [
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3201,8 +3385,8 @@ function emptyResult(warnings = []) {
   }, warnings };
 }
 async function tarballFromDir(stageDir, agent) {
-  const tarballPath = join32(tmpdir(), `agentbox-${agent}-${basename2(stageDir)}.tar.gz`);
-  await execa4("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
+  const tarballPath = join32(tmpdir(), `agentbox-${agent}-${basename3(stageDir)}.tar.gz`);
+  await execa5("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
     env: { ...process.env, COPYFILE_DISABLE: "1" }
   });
   return tarballPath;
@@ -3347,7 +3531,7 @@ async function stageClaudeStaticForUpload(opts = {}) {
       ...CLAUDE_RUNTIME_EXCLUDES.map((p) => `--exclude=${p}`),
       ...broken.map((r) => `--exclude=/${r}`)
     ];
-    await execa4("rsync", [
+    await execa5("rsync", [
       "-a",
       "--copy-unsafe-links",
       ...excludes,
@@ -3436,7 +3620,7 @@ async function stageCodexStaticForUpload(opts = {}) {
   let tarballPath = null;
   try {
     const codexBroken = await findBrokenSymlinks(hostCodex);
-    await execa4("rsync", [
+    await execa5("rsync", [
       "-a",
       "-L",
       ...codexBroken.map((r) => `--exclude=/${r}`),
@@ -3492,7 +3676,7 @@ async function stageOpencodeStaticForUpload(opts = {}) {
   try {
     if (hasData) {
       const dataBroken = await findBrokenSymlinks(hostData);
-      await execa4("rsync", [
+      await execa5("rsync", [
         "-a",
         "-L",
         ...dataBroken.map((r) => `--exclude=/${r}`),
@@ -3505,7 +3689,7 @@ async function stageOpencodeStaticForUpload(opts = {}) {
     if (hasConfig) {
       const configStage = join32(stageDir, "config");
       const cfgBroken = await findBrokenSymlinks(hostConfig);
-      await execa4("rsync", [
+      await execa5("rsync", [
         "-a",
         "-L",
         ...cfgBroken.map((r) => `--exclude=/${r}`),
@@ -3563,7 +3747,7 @@ async function pathExists2(p) {
   }
 }
 async function volumeHasClaudeJson(volume, image) {
-  const res = await execa5(
+  const res = await execa6(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/_claude.json"],
     { reject: false }
@@ -3733,7 +3917,7 @@ async function ensureClaudeVolume(spec, opts) {
       // linux/amd64 node_modules on the next `agentbox claude`.
       `{ [ ! -f /dst/.agentbox-cleaned-nm-v1 ] && find /dst -name node_modules -type d -prune -exec rm -rf {} + && touch /dst/.agentbox-cleaned-nm-v1; true; } && rsync ${rsyncFlags} /src-claude/ /dst/ && { [ -f /src-claude-json ] && cp -a /src-claude-json /dst/_claude.json; true; } && { [ -f /src-filter/settings.json ] && cp -a /src-filter/settings.json /dst/settings.json; true; } && { [ -f /src-filter/_claude.json ] && cp -a /src-filter/_claude.json /dst/_claude.json; true; } && { [ -d /dst/plugins ] && [ -n "$HOST_HOME" ] && find /dst/plugins -maxdepth 1 -type f -name "*.json" -exec sed -i "s|$HOST_HOME/.claude/plugins/|/home/vscode/.claude/plugins/|g" {} +; true; }` + memoryRekeyStep + " && chown -R 1000:1000 /dst"
     );
-    await execa5("docker", args);
+    await execa6("docker", args);
   } finally {
     await rm2(filterDir, { recursive: true, force: true });
   }
@@ -3748,7 +3932,7 @@ async function ensureClaudeVolume(spec, opts) {
 }
 async function seedSetupSkillIntoVolume(volume, image) {
   try {
-    const { stdout } = await execa5("docker", [
+    const { stdout } = await execa6("docker", [
       "run",
       "--rm",
       "--user",
@@ -3913,7 +4097,7 @@ async function resolveClaudeCacheLiveOnHost(volume) {
   return orbstackVolumePath(volume, "plugins", "cache");
 }
 async function readBoxReferencedPluginKeys(container) {
-  const res = await execa5(
+  const res = await execa6(
     "docker",
     [
       "exec",
@@ -4031,7 +4215,7 @@ while IFS= read -r dir; do
 done < "$WORK/dirs"
 rm -rf "$WORK"
 `;
-  const result = await execa5(
+  const result = await execa6(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", script],
     { reject: false }
@@ -4092,7 +4276,7 @@ async function startClaudeSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa5(
+  const result = await execa6(
     "docker",
     [
       "exec",
@@ -4183,7 +4367,7 @@ function buildDashboardAttachArgv(container, sessionName) {
 async function waitForTmuxPaneContent(container, sessionName, timeoutMs = 2e4) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
-    const res = await execa5(
+    const res = await execa6(
       "docker",
       ["exec", "--user", CONTAINER_USER, container, "tmux", "capture-pane", "-p", "-t", sessionName],
       { reject: false }
@@ -4251,7 +4435,7 @@ async function warmUpClaudeCredentials(volume, image, opts = {}) {
   const SLEEP_MS = 5e3;
   for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
     opts.onProgress?.(`checking credentials... ${attempt}/${MAX_ATTEMPTS}`);
-    const res = await execa5(
+    const res = await execa6(
       "docker",
       [
         "run",
@@ -4293,7 +4477,7 @@ function attachClaudeSession(container, sessionName, reattachRef) {
 }
 async function claudeSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_CLAUDE_SESSION;
-  const has = await execa5(
+  const has = await execa6(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4301,7 +4485,7 @@ async function claudeSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa5(
+  const ts = await execa6(
     "docker",
     [
       "exec",
@@ -4367,7 +4551,7 @@ async function pullClaudeExtras(spec, opts) {
     '  printf "\\n";',
     "done"
   ].join(" ");
-  const inv = await execa5(
+  const inv = await execa6(
     "docker",
     ["run", "--rm", "--user", "0", "-v", `${spec.volume}:/src:ro`, opts.image, "sh", "-c", inventoryScript],
     { reject: false }
@@ -4440,7 +4624,7 @@ async function pullClaudeExtras(spec, opts) {
       const parent = dest.slice(0, dest.lastIndexOf("/"));
       return `mkdir -p '${parent}' && rsync -a --ignore-existing --exclude=node_modules '${src}/' '${dest}/'`;
     });
-    const apply = await execa5(
+    const apply = await execa6(
       "docker",
       [
         "run",
@@ -4513,7 +4697,7 @@ async function ensureCodexVolume(spec, opts) {
   const hostCodex = join52(homedir4(), ".codex");
   const willSync = opts.syncFromHost && await pathExists3(hostCodex);
   if (willSync) {
-    await execa6("docker", [
+    await execa7("docker", [
       "run",
       "--rm",
       "--user",
@@ -4531,7 +4715,7 @@ async function ensureCodexVolume(spec, opts) {
     ]);
     return { created, synced: true };
   }
-  await execa6(
+  await execa7(
     "docker",
     [
       "run",
@@ -4551,7 +4735,7 @@ async function ensureCodexVolume(spec, opts) {
 }
 async function seedCodexHooks(volume, image) {
   try {
-    const { stdout } = await execa6("docker", [
+    const { stdout } = await execa7("docker", [
       "run",
       "--rm",
       "--user",
@@ -4588,14 +4772,14 @@ var CodexSessionError = class extends Error {
   }
 };
 async function ensureCodexInstalled(container, opts = {}) {
-  const probe = await execa6(
+  const probe = await execa7(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", "command -v codex"],
     { reject: false }
   );
   if (probe.exitCode === 0) return { installed: false };
   opts.onProgress?.("installing codex (absent from this box image)");
-  const install = await execa6(
+  const install = await execa7(
     "docker",
     ["exec", "--user", "root", container, "bash", "-lc", "npm install -g @openai/codex 2>&1"],
     { reject: false }
@@ -4618,7 +4802,7 @@ async function startCodexSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa6(
+  const result = await execa7(
     "docker",
     [
       "exec",
@@ -4700,7 +4884,7 @@ function runInteractiveCodexLogin(dockerArgv) {
   return { exitCode: child.status ?? 1 };
 }
 async function volumeHasCodexAuth(volume, image) {
-  const res = await execa6(
+  const res = await execa7(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/auth.json"],
     { reject: false }
@@ -4709,7 +4893,7 @@ async function volumeHasCodexAuth(volume, image) {
 }
 async function codexSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_CODEX_SESSION;
-  const has = await execa6(
+  const has = await execa7(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4717,7 +4901,7 @@ async function codexSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa6(
+  const ts = await execa7(
     "docker",
     [
       "exec",
@@ -4743,7 +4927,7 @@ async function codexSessionInfo(container, sessionName) {
 var CODEX_PULL_ITEMS = ["config.toml", "auth.json", "prompts"];
 async function pullCodexConfig(spec, opts) {
   const hostCodex = join52(homedir4(), ".codex");
-  const inv = await execa6(
+  const inv = await execa7(
     "docker",
     [
       "run",
@@ -4777,7 +4961,7 @@ async function pullCodexConfig(spec, opts) {
   const uid = process.getuid?.() ?? 0;
   const gid = process.getgid?.() ?? 0;
   const cmds = newItems.map((it) => `cp -a '/src/${it}' '/dst/${it}'`);
-  const apply = await execa6(
+  const apply = await execa7(
     "docker",
     [
       "run",
@@ -4859,10 +5043,10 @@ async function ensureOpencodeVolume(spec, opts) {
     }
     steps.push("chown -R 1000:1000 /dst");
     args.push(opts.image, "sh", "-c", steps.join(" && "));
-    await execa7("docker", args);
+    await execa8("docker", args);
     return { created, synced: true };
   }
-  await execa7(
+  await execa8(
     "docker",
     [
       "run",
@@ -4882,7 +5066,7 @@ async function ensureOpencodeVolume(spec, opts) {
 }
 async function seedOpencodePlugin(volume, image) {
   try {
-    const { stdout } = await execa7("docker", [
+    const { stdout } = await execa8("docker", [
       "run",
       "--rm",
       "--user",
@@ -4930,14 +5114,14 @@ var OpencodeSessionError = class extends Error {
   }
 };
 async function ensureOpencodeInstalled(container, opts = {}) {
-  const probe = await execa7(
+  const probe = await execa8(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", "command -v opencode"],
     { reject: false }
   );
   if (probe.exitCode === 0) return { installed: false };
   opts.onProgress?.("installing opencode (absent from this box image)");
-  const install = await execa7(
+  const install = await execa8(
     "docker",
     ["exec", "--user", "root", container, "bash", "-lc", "npm install -g opencode-ai 2>&1"],
     { reject: false }
@@ -4959,7 +5143,7 @@ async function startOpencodeSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa7(
+  const result = await execa8(
     "docker",
     [
       "exec",
@@ -5045,7 +5229,7 @@ function runInteractiveOpencodeLogin(dockerArgv) {
   return { exitCode: child.status ?? 1 };
 }
 async function volumeHasOpencodeAuth(volume, image) {
-  const res = await execa7(
+  const res = await execa8(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/auth.json"],
     { reject: false }
@@ -5054,7 +5238,7 @@ async function volumeHasOpencodeAuth(volume, image) {
 }
 async function opencodeSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_OPENCODE_SESSION;
-  const has = await execa7(
+  const has = await execa8(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -5062,7 +5246,7 @@ async function opencodeSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa7(
+  const ts = await execa8(
     "docker",
     [
       "exec",
@@ -5100,7 +5284,7 @@ var OPENCODE_PULL_CONFIG_ITEMS = [
 async function pullOpencodeConfig(spec, opts) {
   const hostData = join6(homedir5(), ".local", "share", "opencode");
   const hostConfig = join6(homedir5(), ".config", "opencode");
-  const inv = await execa7(
+  const inv = await execa8(
     "docker",
     [
       "run",
@@ -5142,7 +5326,7 @@ async function pullOpencodeConfig(spec, opts) {
   const cmds = newItems.map(
     (i) => `cp -a '${i.src}' '${i.hostDst === "data" ? "/dst-data" : "/dst-config"}/${i.name}'`
   );
-  const apply = await execa7(
+  const apply = await execa8(
     "docker",
     [
       "run",
@@ -5253,9 +5437,9 @@ function gitWorktreePathFor(branch) {
   return `${WORKTREE_ROOT}/${fsSafeBranch(branch)}`;
 }
 async function collectRepoCarryOver(repo, branch, containerPath, gitWorktreePath) {
-  const stash = await execa8("git", ["-C", repo.hostMainRepo, "stash", "create"], { reject: false });
+  const stash = await execa9("git", ["-C", repo.hostMainRepo, "stash", "create"], { reject: false });
   const stashSha = stash.exitCode === 0 ? stash.stdout.trim() || null : null;
-  const untracked = await execa8(
+  const untracked = await execa9(
     "git",
     ["-C", repo.hostMainRepo, "ls-files", "--others", "--exclude-standard", "-z"],
     { reject: false }
@@ -5272,7 +5456,7 @@ async function collectRepoCarryOver(repo, branch, containerPath, gitWorktreePath
   };
 }
 async function dexec(container, argv, user = "vscode", cwd = "/") {
-  const r = await execa8(
+  const r = await execa9(
     "docker",
     ["exec", "-w", cwd, "--user", user, container, ...argv],
     { reject: false }
@@ -5304,7 +5488,7 @@ async function bindWorktrees(container, binds, onLog) {
     (a, b) => a.kind === "root" && b.kind !== "root" ? -1 : a.kind !== "root" && b.kind === "root" ? 1 : 0
   );
   for (const b of ordered) {
-    await execa8(
+    await execa9(
       "docker",
       ["exec", "-w", "/", "--user", "root", container, "sh", "-c", `mountpoint -q ${b.containerPath} && umount ${b.containerPath} || true`],
       { reject: false }
@@ -5326,7 +5510,7 @@ async function seedWorkspace(opts) {
     const wt = r.gitWorktreePath;
     const baseRef = r.repo.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
     const addArgs = r.reuseBranch ? ["worktree", "add", wt, r.branch] : ["worktree", "add", "-b", r.branch, wt, baseRef];
-    const add = await execa8(
+    const add = await execa9(
       "docker",
       ["exec", "--user", "vscode", opts.container, "git", "-C", main, ...addArgs],
       { reject: false }
@@ -5337,7 +5521,7 @@ async function seedWorkspace(opts) {
       );
     }
     log(`worktree ${wt} on branch ${r.branch} (host main ${main})`);
-    await execa8(
+    await execa9(
       "docker",
       [
         "exec",
@@ -5353,7 +5537,7 @@ async function seedWorkspace(opts) {
       ],
       { reject: false }
     );
-    await execa8(
+    await execa9(
       "docker",
       [
         "exec",
@@ -5383,7 +5567,7 @@ async function seedWorkspace(opts) {
   for (const r of opts.repos) {
     const ct = r.containerPath;
     if (r.stashSha) {
-      const withIndex = await execa8(
+      const withIndex = await execa9(
         "docker",
         [
           "exec",
@@ -5401,7 +5585,7 @@ async function seedWorkspace(opts) {
         { reject: false }
       );
       if (withIndex.exitCode !== 0) {
-        const noIndex = await execa8(
+        const noIndex = await execa9(
           "docker",
           [
             "exec",
@@ -5429,7 +5613,7 @@ async function seedWorkspace(opts) {
       }
     }
     if (r.untrackedNul.length > 0) {
-      const tarOut = await execa8("tar", ["-C", r.hostSource, "--null", "-T", "-", "-cf", "-"], {
+      const tarOut = await execa9("tar", ["-C", r.hostSource, "--null", "-T", "-", "-cf", "-"], {
         input: r.untrackedNul.replace(/\0$/, ""),
         encoding: "buffer",
         reject: false
@@ -5438,7 +5622,7 @@ async function seedWorkspace(opts) {
         log(`warning: tar of untracked files for ${r.repo.hostMainRepo} failed: ${tarOut.stderr}`);
         continue;
       }
-      const tarIn = await execa8(
+      const tarIn = await execa9(
         "docker",
         ["exec", "-i", "--user", "vscode", opts.container, "tar", "-C", ct, "-xf", "-"],
         { input: tarOut.stdout, reject: false }
@@ -5491,7 +5675,7 @@ async function regenerateRestoredWorktrees(opts) {
   for (const p of opts.plans) {
     const baseRef = p.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
     const metaDir = `${p.hostMainRepo}/.git/worktrees/${fsSafeBranch(p.freshBranch)}`;
-    const r = await execa8(
+    const r = await execa9(
       "docker",
       [
         "exec",
@@ -5524,14 +5708,14 @@ async function regenerateRestoredWorktrees(opts) {
 async function seedWorkspaceFromDir(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const tarOut = await execa8("tar", ["-C", opts.hostSource, "-cf", "-", "."], {
+  const tarOut = await execa9("tar", ["-C", opts.hostSource, "-cf", "-", "."], {
     encoding: "buffer",
     reject: false
   });
   if (tarOut.exitCode !== 0) {
     throw new GitWorktreeError(`tar of ${opts.hostSource} failed: ${tarOut.stderr}`);
   }
-  const tarIn = await execa8(
+  const tarIn = await execa9(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-C", "/workspace", "-xf", "-"],
     { input: tarOut.stdout, reject: false }
@@ -5542,13 +5726,13 @@ async function seedWorkspaceFromDir(opts) {
   log(`seeded /workspace from ${opts.hostSource}`);
 }
 async function removeInBoxWorktree(args) {
-  const remove = await execa8(
+  const remove = await execa9(
     "git",
     ["-C", args.hostMainRepo, "worktree", "remove", "--force", args.gitWorktreePath],
     { reject: false }
   );
   if (remove.exitCode === 0) return;
-  await execa8("git", ["-C", args.hostMainRepo, "worktree", "prune"], { reject: false });
+  await execa9("git", ["-C", args.hostMainRepo, "worktree", "prune"], { reject: false });
 }
 function ctParent(p) {
   const i = p.lastIndexOf("/");
@@ -5579,20 +5763,20 @@ async function resyncWorkspaceFromHost(opts) {
     const hostMain = w.hostMainRepo;
     const boxBranch = w.branch;
     const res = { containerPath: ct, mergeConflicts: [], overlaySkipped: [] };
-    const hostBranchProbe = await execa8(
+    const hostBranchProbe = await execa9(
       "git",
       ["-C", hostMain, "symbolic-ref", "--short", "-q", "HEAD"],
       { reject: false }
     );
-    const hostRef = hostBranchProbe.exitCode === 0 && hostBranchProbe.stdout.trim() ? hostBranchProbe.stdout.trim() : (await execa8("git", ["-C", hostMain, "rev-parse", "HEAD"], { reject: false })).stdout.trim();
+    const hostRef = hostBranchProbe.exitCode === 0 && hostBranchProbe.stdout.trim() ? hostBranchProbe.stdout.trim() : (await execa9("git", ["-C", hostMain, "rev-parse", "HEAD"], { reject: false })).stdout.trim();
     if (!hostRef) {
       log(`resync: ${ct}: could not resolve host ref; skipping`);
       results.push(res);
       continue;
     }
-    const stash = await execa8("git", ["-C", hostMain, "stash", "create"], { reject: false });
+    const stash = await execa9("git", ["-C", hostMain, "stash", "create"], { reject: false });
     const hostStashSha = stash.exitCode === 0 ? stash.stdout.trim() || null : null;
-    const untracked = await execa8(
+    const untracked = await execa9(
       "git",
       ["-C", hostMain, "ls-files", "--others", "--exclude-standard", "-z"],
       { reject: false }
@@ -5662,7 +5846,7 @@ async function resyncWorkspaceFromHost(opts) {
       }
     }
     if (hostUntracked.length > 0) {
-      const probe = await execa8(
+      const probe = await execa9(
         "docker",
         [
           "exec",
@@ -5709,13 +5893,13 @@ async function resyncWorkspaceFromHost(opts) {
         log(`resync: ${ct}: ${String(identical)} untracked host file(s) already identical in box (no-op)`);
       }
       if (toCopy.length > 0) {
-        const tarOut = await execa8("tar", ["-C", hostMain, "--null", "-T", "-", "-cf", "-"], {
+        const tarOut = await execa9("tar", ["-C", hostMain, "--null", "-T", "-", "-cf", "-"], {
           input: toCopy.join("\0"),
           encoding: "buffer",
           reject: false
         });
         if (tarOut.exitCode === 0) {
-          await execa8(
+          await execa9(
             "docker",
             ["exec", "-i", "--user", "vscode", opts.container, "tar", "-C", ct, "-xf", "-"],
             { input: tarOut.stdout, reject: false }
@@ -5738,7 +5922,7 @@ var cached = null;
 async function detectPortless() {
   if (cached !== null) return cached;
   try {
-    const ver = await execa9(PORTLESS_BIN, SUB_VERSION, { reject: false });
+    const ver = await execa10(PORTLESS_BIN, SUB_VERSION, { reject: false });
     if (ver.exitCode !== 0) {
       cached = { installed: false, proxyRunning: false };
       return cached;
@@ -5758,7 +5942,7 @@ function resetPortlessCache() {
 }
 async function portlessAlias(name, port) {
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_ALIAS, name, String(port)], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_ALIAS, name, String(port)], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5766,7 +5950,7 @@ async function portlessAlias(name, port) {
 }
 async function portlessUnalias(name) {
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_ALIAS, SUB_ALIAS_REMOVE, name], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_ALIAS, SUB_ALIAS_REMOVE, name], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5775,7 +5959,7 @@ async function portlessUnalias(name) {
 async function portlessGetUrl(name) {
   const fallback = `https://${name}.localhost`;
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_GET, name], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_GET, name], { reject: false });
     const out = (r.stdout ?? "").trim();
     if (r.exitCode === 0 && /^https?:\/\//.test(out)) return out;
   } catch {
@@ -5796,7 +5980,7 @@ function portlessBrowserEnv(boxName, opts) {
 }
 async function installPortless() {
   try {
-    const r = await execa9("npm", ["install", "-g", "portless"], { reject: false });
+    const r = await execa10("npm", ["install", "-g", "portless"], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5804,7 +5988,7 @@ async function installPortless() {
 }
 async function startPortlessProxy() {
   try {
-    const r = await execa9(
+    const r = await execa10(
       PORTLESS_BIN,
       ["proxy", "start", "--no-tls", "-p", String(PORTLESS_PROXY_PORT)],
       { reject: false }
@@ -5851,14 +6035,14 @@ async function resolvePortlessHostStateDir(override) {
   const live = await findLivePortlessStateDir();
   if (live) return live;
   const home = join8(homedir6(), ".portless");
-  if (existsSync(home)) return home;
-  if (existsSync("/tmp/portless")) return "/tmp/portless";
+  if (existsSync2(home)) return home;
+  if (existsSync2("/tmp/portless")) return "/tmp/portless";
   return home;
 }
 async function isProxyRunning() {
   if (await findLivePortlessStateDir() !== null) return true;
   try {
-    const r = await execa9("pgrep", ["-f", "portless proxy"], { reject: false });
+    const r = await execa10("pgrep", ["-f", "portless proxy"], { reject: false });
     return r.exitCode === 0 && (r.stdout ?? "").trim().length > 0;
   } catch {
     return false;
@@ -5909,12 +6093,12 @@ async function findExcludedDirs(root, excluded = EXCLUDE_DIRS) {
   return matches;
 }
 async function createSnapshot(opts) {
-  const source = resolve2(opts.source);
-  const destination = resolve2(opts.destination);
+  const source = resolve22(opts.source);
+  const destination = resolve22(opts.destination);
   const excluded = opts.excluded ?? EXCLUDE_DIRS;
   await mkdir42(SNAPSHOTS_ROOT, { recursive: true });
   const cpArgs = platform() === "darwin" ? ["-cR"] : ["-R"];
-  await execa10("cp", [...cpArgs, `${source}/`, destination]);
+  await execa11("cp", [...cpArgs, `${source}/`, destination]);
   const toPrune = await findExcludedDirs(destination, excluded);
   await Promise.all(toPrune.map((p) => rm32(p, { recursive: true, force: true })));
   return { destination, prunedPaths: toPrune };
@@ -5922,7 +6106,7 @@ async function createSnapshot(opts) {
 var CHECKPOINTS_ROOT = join10(homedir8(), ".agentbox", "checkpoints");
 var CHECKPOINT_IMAGE_PREFIX = "agentbox-ckpt-";
 function checkpointImageTag(projectRoot, name) {
-  const mnemonic = sanitizeMnemonic(basename32(projectRoot));
+  const mnemonic = sanitizeMnemonic(basename4(projectRoot));
   return `${CHECKPOINT_IMAGE_PREFIX}${hashProjectPath(projectRoot)}_${mnemonic}:${name}`;
 }
 function projectCheckpointsDir(projectRoot) {
@@ -6039,7 +6223,7 @@ async function runCleanup(container, log) {
   }
 }
 async function inspectImageConfig(imageRef) {
-  const r = await execa11("docker", ["image", "inspect", imageRef], { reject: false });
+  const r = await execa12("docker", ["image", "inspect", imageRef], { reject: false });
   if (r.exitCode !== 0) {
     throw new CheckpointError(`docker image inspect ${imageRef} failed`, r.stdout, r.stderr);
   }
@@ -6115,14 +6299,14 @@ async function createCheckpoint(opts) {
   await runCleanup(box.container, log);
   if (type === "layered") {
     log(`docker commit ${box.container} -> ${tag} (layered)`);
-    const r = await execa11("docker", ["commit", box.container, tag], { reject: false });
+    const r = await execa12("docker", ["commit", box.container, tag], { reject: false });
     if (r.exitCode !== 0) {
       throw new CheckpointError(`docker commit failed for ${box.container}`, r.stdout, r.stderr);
     }
   } else {
     log(`docker commit ${box.container} -> <intermediate> (flattened path)`);
     const intermediate = `${tag}-intermediate`;
-    const commit = await execa11("docker", ["commit", box.container, intermediate], {
+    const commit = await execa12("docker", ["commit", box.container, intermediate], {
       reject: false
     });
     if (commit.exitCode !== 0) {
@@ -6167,7 +6351,7 @@ async function createCheckpoint(opts) {
 }
 async function flattenImage(sourceTag, destTag, log) {
   const tmpName = `agentbox-flatten-${Date.now().toString(36)}`;
-  const create = await execa11(
+  const create = await execa12(
     "docker",
     ["create", "--name", tmpName, sourceTag, "sleep", "0"],
     { reject: false }
@@ -6179,7 +6363,7 @@ async function flattenImage(sourceTag, destTag, log) {
   try {
     const rootfsPath = join10(scratch, "rootfs.tar");
     log(`exporting rootfs of ${sourceTag} to ${rootfsPath}`);
-    const exp = await execa11("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
+    const exp = await execa12("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
     if (exp.exitCode !== 0) {
       throw new CheckpointError(`docker export failed`, exp.stdout, exp.stderr);
     }
@@ -6192,7 +6376,7 @@ async function flattenImage(sourceTag, destTag, log) {
     ];
     await writeFile32(join10(scratch, "Dockerfile"), lines.join("\n") + "\n", "utf8");
     log(`building flattened ${destTag} from rootfs.tar (FROM scratch)`);
-    const build = await execa11(
+    const build = await execa12(
       "docker",
       ["build", "-t", destTag, "-f", join10(scratch, "Dockerfile"), scratch],
       { reject: false }
@@ -6201,7 +6385,7 @@ async function flattenImage(sourceTag, destTag, log) {
       throw new CheckpointError(`flatten docker build failed`, build.stdout, build.stderr);
     }
   } finally {
-    await execa11("docker", ["rm", "-f", tmpName], { reject: false });
+    await execa12("docker", ["rm", "-f", tmpName], { reject: false });
     await rm4(scratch, { recursive: true, force: true });
   }
 }
@@ -6245,7 +6429,7 @@ async function pathExists5(p) {
 }
 async function writeBoxEnvFile(container, env) {
   const body = formatBoxEnvBody(env);
-  const result = await execa12(
+  const result = await execa13(
     "docker",
     ["exec", "--user", "root", "-i", container, "sh", "-c", "umask 022 && cat > /etc/agentbox/box.env"],
     { input: body, reject: false }
@@ -6269,7 +6453,7 @@ function shellSingleQuote(s) {
   return `'${s.replace(/'/g, `'\\''`)}'`;
 }
 async function ensureHomeOwnedByVscode(container) {
-  await execa13(
+  await execa14(
     "docker",
     [
       "exec",
@@ -6418,16 +6602,16 @@ async function spawnRelay(relayBin, cliEntry, log) {
 }
 function resolveRelayBin() {
   const override = process.env.AGENTBOX_RELAY_BIN;
-  if (override && existsSync2(override)) return override;
-  const here = dirname3(fileURLToPath(import.meta.url));
+  if (override && existsSync3(override)) return override;
+  const here = dirname22(fileURLToPath(import.meta.url));
   const candidates = [
-    resolve22(here, "..", "runtime", "relay", "bin.cjs"),
-    resolve22(here, "..", "..", "relay", "dist", "bin.cjs"),
-    resolve22(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
-    resolve22(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
+    resolve3(here, "..", "runtime", "relay", "bin.cjs"),
+    resolve3(here, "..", "..", "relay", "dist", "bin.cjs"),
+    resolve3(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
+    resolve3(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
   ];
   for (const c of candidates) {
-    if (existsSync2(c)) return c;
+    if (existsSync3(c)) return c;
   }
   throw new Error(
     `could not locate @agentbox/relay bin; tried:
@@ -6436,29 +6620,29 @@ function resolveRelayBin() {
 }
 function resolveCliEntry() {
   const override = process.env.AGENTBOX_CLI_ENTRY;
-  if (override && existsSync2(override)) return override;
-  const here = dirname3(fileURLToPath(import.meta.url));
+  if (override && existsSync3(override)) return override;
+  const here = dirname22(fileURLToPath(import.meta.url));
   const candidates = [
     // Bundled CLI (dev + published): this module IS bundled into the CLI
     // entry, so the entry is index.js next to this file.
-    resolve22(here, "index.js"),
-    resolve22(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
-    resolve22(here, "..", "..", "..", "..", "dist", "index.js")
+    resolve3(here, "index.js"),
+    resolve3(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
+    resolve3(here, "..", "..", "..", "..", "dist", "index.js")
   ];
   for (const c of candidates) {
-    if (existsSync2(c)) return c;
+    if (existsSync3(c)) return c;
   }
   return null;
 }
 async function stageRelayHome(version, log) {
   if (!version || version === "0.0.0-dev") return null;
   if (process.env.AGENTBOX_RELAY_BIN || process.env.AGENTBOX_CLI_ENTRY) return null;
-  const cliRoot = findCliRoot(dirname3(fileURLToPath(import.meta.url)));
+  const cliRoot = findCliRoot(dirname22(fileURLToPath(import.meta.url)));
   if (cliRoot === null) return null;
   const homeDir = join11(RELAY_HOME_DIR, version);
   const stagedEntry = join11(homeDir, "dist", "index.js");
   const stagedBin = join11(homeDir, "runtime", "relay", "bin.cjs");
-  if (existsSync2(stagedEntry) && existsSync2(stagedBin)) {
+  if (existsSync3(stagedEntry) && existsSync3(stagedBin)) {
     return { relayBin: stagedBin, cliEntry: stagedEntry };
   }
   const nodeModules = resolveDepRoot(join11(cliRoot, "dist", "index.js"));
@@ -6470,7 +6654,7 @@ async function stageRelayHome(version, log) {
     await mkdir6(tmpDir, { recursive: true });
     for (const sub of ["dist", "runtime", "share"]) {
       const src = join11(cliRoot, sub);
-      if (existsSync2(src)) await cp(src, join11(tmpDir, sub), { recursive: true });
+      if (existsSync3(src)) await cp(src, join11(tmpDir, sub), { recursive: true });
     }
     await cp(nodeModules, join11(tmpDir, "node_modules"), { recursive: true, dereference: true });
     await rm5(homeDir, { recursive: true, force: true });
@@ -6478,7 +6662,7 @@ async function stageRelayHome(version, log) {
   } catch (err) {
     await rm5(tmpDir, { recursive: true, force: true }).catch(() => {
     });
-    if (existsSync2(stagedEntry) && existsSync2(stagedBin)) {
+    if (existsSync3(stagedEntry) && existsSync3(stagedBin)) {
       return { relayBin: stagedBin, cliEntry: stagedEntry };
     }
     log(`relay home staging failed (${err instanceof Error ? err.message : String(err)}); using bundle paths`);
@@ -6490,8 +6674,8 @@ async function stageRelayHome(version, log) {
   return { relayBin: stagedBin, cliEntry: stagedEntry };
 }
 function findCliRoot(moduleDir) {
-  for (const root of [resolve22(moduleDir, ".."), resolve22(moduleDir, "..", "..")]) {
-    if (existsSync2(join11(root, "dist", "index.js")) && existsSync2(join11(root, "runtime", "relay", "bin.cjs"))) {
+  for (const root of [resolve3(moduleDir, ".."), resolve3(moduleDir, "..", "..")]) {
+    if (existsSync3(join11(root, "dist", "index.js")) && existsSync3(join11(root, "runtime", "relay", "bin.cjs"))) {
       return root;
     }
   }
@@ -6506,7 +6690,7 @@ function resolveDepRoot(fromFile) {
     const idx = main.lastIndexOf(marker);
     if (idx === -1) return null;
     const nm = main.slice(0, idx + marker.length - 1);
-    return existsSync2(join11(nm, "commander")) ? nm : null;
+    return existsSync3(join11(nm, "commander")) ? nm : null;
   } catch {
     return null;
   }
@@ -6667,7 +6851,8 @@ async function registerBoxWithRelay(args) {
     worktrees,
     previewUrl: args.previewUrl,
     previewToken: args.previewToken,
-    bridgeToken: args.bridgeToken
+    bridgeToken: args.bridgeToken,
+    autoApproveHostActions: args.autoApproveHostActions
   });
 }
 async function forgetBoxFromRelay(boxId) {
@@ -6808,7 +6993,8 @@ async function rehydrateRelayRegistry(boxes) {
         worktrees: b.gitWorktrees,
         previewUrl: b.relayPreviewUrl,
         previewToken: b.relayPreviewToken,
-        bridgeToken: b.bridgeToken
+        bridgeToken: b.bridgeToken,
+        autoApproveHostActions: b.autoApproveHostActions
       });
     } catch {
     }
@@ -6959,7 +7145,7 @@ function persistableLimits(lim) {
   return Object.keys(out).length > 0 ? out : void 0;
 }
 function sanitizeBasename(workspacePath) {
-  const raw = basename4(resolve3(workspacePath));
+  const raw = basename5(resolve4(workspacePath));
   return raw.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^[-._]+|[-._]+$/g, "").slice(0, 30).replace(/[-._]+$/, "");
 }
 function defaultBoxName(workspacePath, id) {
@@ -6990,7 +7176,7 @@ async function buildIdentityMounts() {
 async function createBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const workspace = resolve3(opts.workspacePath);
+  const workspace = resolve4(opts.workspacePath);
   if (!await pathExists6(workspace)) {
     throw new Error(`workspace does not exist: ${workspace}`);
   }
@@ -7283,6 +7469,7 @@ async function createBox(opts) {
     }
   }
   for (const v of extraVolumes) log(`mounting agent dir: ${v}`);
+  const autoApproveHostActions = (await loadEffectiveConfig(opts.projectRoot ?? workspace)).effective.box.autoApproveHostActions;
   const relayToken = generateRelayToken();
   if (relayUp) {
     try {
@@ -7293,7 +7480,8 @@ async function createBox(opts) {
         containerName,
         createdAt,
         projectIndex,
-        worktrees: gitWorktreeRecords
+        worktrees: gitWorktreeRecords,
+        autoApproveHostActions
       });
       log(`registered box token with relay`);
     } catch (err) {
@@ -7359,6 +7547,7 @@ async function createBox(opts) {
     gitWorktrees: gitWorktreeRecords.length > 0 ? gitWorktreeRecords : void 0,
     withPlaywright: opts.withPlaywright ? true : void 0,
     withEnv: opts.withEnv ? true : void 0,
+    autoApproveHostActions: autoApproveHostActions ? true : void 0,
     vncEnabled: vncEnabled ? true : void 0,
     vncContainerPort: vncEnabled ? VNC_CONTAINER_PORT : void 0,
     vncPassword,
@@ -7416,7 +7605,7 @@ async function createBox(opts) {
       } catch (err) {
         if (opts.useBranch !== void 0) {
           log(`seedWorkspace failed for --use-branch ${opts.useBranch}; cleaning up the box`);
-          await execa14("docker", ["rm", "-f", containerName], { reject: false });
+          await execa15("docker", ["rm", "-f", containerName], { reject: false });
           await removeBoxRecord(id);
           for (const w of gitWorktreeRecords) {
             await removeInBoxWorktree({
@@ -7479,7 +7668,7 @@ async function createBox(opts) {
   else log(`agentbox-ctl daemon did not become reachable: ${ctl.reason}`);
   if (opts.withPlaywright) {
     log("installing @playwright/cli@latest (--with-playwright)");
-    const result = await execa14(
+    const result = await execa15(
       "docker",
       [
         "exec",
@@ -7653,7 +7842,7 @@ function parseShellSessionList(stdout) {
   return out;
 }
 async function listShellSessions(container, user) {
-  const res = await execa15(
+  const res = await execa16(
     "docker",
     [
       "exec",
@@ -7677,7 +7866,7 @@ async function startShellSession(opts) {
   const login = opts.login !== false;
   const term = process.env["TERM"] ?? "xterm-256color";
   const cmd = login ? "bash -l" : "bash";
-  const result = await execa15(
+  const result = await execa16(
     "docker",
     [
       "exec",
@@ -7726,7 +7915,7 @@ function buildShellSessionAttachArgv(container, sessionName, user) {
 }
 async function shellSessionInfo(container, sessionName, user) {
   const name = sessionName ?? DEFAULT_SHELL_SESSION;
-  const has = await execa15(
+  const has = await execa16(
     "docker",
     ["exec", "--user", user ?? CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -7734,7 +7923,7 @@ async function shellSessionInfo(container, sessionName, user) {
   return { running: has.exitCode === 0, sessionName: name };
 }
 async function killShellSession(container, sessionName, user) {
-  const res = await execa15(
+  const res = await execa16(
     "docker",
     [
       "exec",
@@ -8017,7 +8206,8 @@ async function startBox(idOrName) {
         containerName: box.container,
         createdAt: box.createdAt,
         projectIndex: box.projectIndex,
-        worktrees: box.gitWorktrees
+        worktrees: box.gitWorktrees,
+        autoApproveHostActions: box.autoApproveHostActions
       });
     } catch {
     }
@@ -8036,7 +8226,7 @@ async function getBoxHostPaths(idOrName) {
 }
 async function dirSizeBytes(path) {
   try {
-    const result = await execa16("du", ["-sk", path], { reject: false });
+    const result = await execa17("du", ["-sk", path], { reject: false });
     if (result.exitCode !== 0) return null;
     const sizeKb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
     if (Number.isNaN(sizeKb)) return null;
@@ -8181,7 +8371,7 @@ async function listBoxDirs() {
   }
 }
 async function listCheckpointImageTags() {
-  const r = await execa16(
+  const r = await execa17(
     "docker",
     ["image", "ls", "--format", "{{.Repository}}:{{.Tag}}", `${CHECKPOINT_IMAGE_PREFIX}*`],
     { reject: false }
@@ -8289,7 +8479,7 @@ async function pruneBoxes(opts = {}) {
     } catch {
     }
     try {
-      await execa16("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
+      await execa17("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
     } catch {
     }
     try {
@@ -8351,7 +8541,7 @@ function splitPair(raw) {
   return [parts[0].trim(), parts[1].trim()];
 }
 async function duBytes(path) {
-  const result = await execa17("du", ["-sk", path], { reject: false });
+  const result = await execa18("du", ["-sk", path], { reject: false });
   if (result.exitCode !== 0) return null;
   const kb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
   return Number.isNaN(kb) ? null : kb * 1024;
@@ -8364,7 +8554,7 @@ async function volumeSizeBytes(name) {
     const sz = await duBytes(live);
     if (sz !== null) return sz;
   }
-  const df = await execa17(
+  const df = await execa18(
     "docker",
     ["system", "df", "-v", "--format", "{{json .Volumes}}"],
     { reject: false }
@@ -8385,7 +8575,7 @@ async function volumeSizeBytes(name) {
   return null;
 }
 async function imageBytes(tag) {
-  const r = await execa17("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
+  const r = await execa18("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
     reject: false
   });
   if (r.exitCode !== 0) return null;
@@ -8396,7 +8586,7 @@ async function projectCheckpointImageBytes(projectRoot, name) {
   return imageBytes(checkpointImageTag(projectRoot, name));
 }
 async function allCheckpointImagesBytes() {
-  const r = await execa17(
+  const r = await execa18(
     "docker",
     [
       "image",
@@ -8448,7 +8638,7 @@ function reconcileLimits(persisted, dockerJson) {
   };
 }
 async function containerWritableBytes(container) {
-  const r = await execa17(
+  const r = await execa18(
     "docker",
     ["ps", "-a", "--filter", `name=^${container}$`, "--format", "{{.Size}}", "--size"],
     { reject: false }
@@ -8495,7 +8685,7 @@ async function boxResourceStats(record) {
   if (await inspectContainerStatus(record.container) !== "running") {
     return base;
   }
-  const proc = await execa17(
+  const proc = await execa18(
     "docker",
     ["stats", "--no-stream", "--format", "{{json .}}", record.container],
     { reject: false }
@@ -8530,125 +8720,6 @@ async function boxResourceStats(record) {
     blockWriteBytes: blkPair ? parseDockerSize(blkPair[1]) : null
   };
 }
-function posixDirname(p) {
-  return posix.dirname(p) || "/";
-}
-function asText(s) {
-  if (s === void 0) return "";
-  if (typeof s === "string") return s;
-  return Buffer.from(s).toString("utf8");
-}
-async function uploadToBox(box, hostSrc, boxDst) {
-  const srcAbs = resolve4(hostSrc);
-  if (!existsSync3(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
-  const srcBasename = basename5(srcAbs);
-  const srcParent = dirname22(srcAbs);
-  let boxParent;
-  let finalName;
-  if (boxDst.endsWith("/")) {
-    boxParent = boxDst.replace(/\/+$/, "") || "/";
-    finalName = srcBasename;
-  } else {
-    const isDir2 = await execa18(
-      "docker",
-      ["exec", box.container, "test", "-d", boxDst],
-      { reject: false }
-    );
-    if (isDir2.exitCode === 0) {
-      boxParent = boxDst.replace(/\/+$/, "") || "/";
-      finalName = srcBasename;
-    } else {
-      boxParent = posixDirname(boxDst);
-      finalName = posix.basename(boxDst);
-    }
-  }
-  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
-  const mk = await execa18(
-    "docker",
-    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
-    { reject: false }
-  );
-  if (mk.exitCode !== 0) {
-    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
-  }
-  const packed = await execa18("tar", ["-C", srcParent, "-cf", "-", srcBasename], {
-    encoding: "buffer",
-    reject: false,
-    env: { ...process.env, COPYFILE_DISABLE: "1" }
-  });
-  if (packed.exitCode !== 0) {
-    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
-  }
-  const extract = await execa18(
-    "docker",
-    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
-    { input: packed.stdout, reject: false }
-  );
-  if (extract.exitCode !== 0) {
-    throw new Error(`tar extract in box failed: ${asText(extract.stderr).slice(0, 300)}`);
-  }
-  if (finalName !== srcBasename) {
-    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
-    const mv = await execa18(
-      "docker",
-      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
-      { reject: false }
-    );
-    if (mv.exitCode !== 0) {
-      throw new Error(
-        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
-      );
-    }
-  }
-  const chown = await execa18(
-    "docker",
-    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
-    { reject: false }
-  );
-  if (chown.exitCode !== 0) {
-    return {
-      finalPath,
-      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
-    };
-  }
-  return { finalPath };
-}
-async function downloadFromBox(box, boxSrc, hostDst) {
-  const srcBasename = posix.basename(boxSrc);
-  const srcParent = posixDirname(boxSrc);
-  const dstAbs = resolve4(hostDst);
-  let hostParent;
-  let finalName;
-  const dstExists = existsSync3(dstAbs);
-  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
-    hostParent = dstAbs;
-    finalName = srcBasename;
-  } else {
-    hostParent = dirname22(dstAbs);
-    finalName = basename5(dstAbs);
-  }
-  mkdirSync(hostParent, { recursive: true });
-  const finalPath = posix.join(hostParent, finalName);
-  const packed = await execa18(
-    "docker",
-    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", srcBasename],
-    { encoding: "buffer", reject: false }
-  );
-  if (packed.exitCode !== 0) {
-    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
-  }
-  const extract = await execa18("tar", ["-xf", "-", "-C", hostParent], {
-    input: packed.stdout,
-    reject: false
-  });
-  if (extract.exitCode !== 0) {
-    throw new Error(`tar extract on host failed: ${asText(extract.stderr).slice(0, 300)}`);
-  }
-  if (finalName !== srcBasename) {
-    renameSync(posix.join(hostParent, srcBasename), finalPath);
-  }
-  return { finalPath };
-}
 var dockerProvider = {
   name: "docker",
   async create(req) {
@@ -8724,12 +8795,12 @@ var dockerProvider = {
     const r = await execInBox(box.container, argv, opts?.user ? { user: opts.user } : {});
     return { exitCode: r.exitCode, stdout: r.stdout, stderr: r.stderr };
   },
-  async uploadPath(box, hostSrc, boxDst) {
-    const r = await uploadToBox(box, hostSrc, boxDst);
+  async uploadPath(box, hostSrc, boxDst, exclude) {
+    const r = await uploadToBox(box, hostSrc, boxDst, exclude);
     return { finalPath: r.finalPath };
   },
-  async downloadPath(box, boxSrc, hostDst) {
-    const r = await downloadFromBox(box, boxSrc, hostDst);
+  async downloadPath(box, boxSrc, hostDst, exclude) {
+    const r = await downloadFromBox(box, boxSrc, hostDst, exclude);
     return { finalPath: r.finalPath };
   },
   async resolveUrl(box, opts) {
@@ -8928,6 +8999,7 @@ async function ensureBoxBrowser(container, timeoutMs = 8e3, targetUrl = "about:b
 }
 
 export {
+  BUILT_IN_DEFAULTS,
   KEY_REGISTRY,
   lookupKey,
   UserConfigError,
@@ -8974,6 +9046,8 @@ export {
   execInBox,
   removeImage,
   volumeExists,
+  uploadToBox,
+  downloadFromBox,
   CONTAINER_EXPORT_MERGED,
   detectEngine,
   setEngineOverride,
@@ -9174,8 +9248,6 @@ export {
   allCheckpointImagesBytes,
   agentboxHomeBytes,
   boxResourceStats,
-  uploadToBox,
-  downloadFromBox,
   dockerProvider,
   BOX_WORKFLOWS_DIR,
   BOX_DYNAMIC_SYNC_MANIFEST,
@@ -9186,4 +9258,4 @@ export {
   browserSessionActive,
   ensureBoxBrowser
 };
-//# sourceMappingURL=chunk-TCS5HXJX.js.map
+//# sourceMappingURL=chunk-MLMFNN4T.js.map