@madarco/agentbox 0.14.0 → 0.16.0

package/dist/{chunk-TCS5HXJX.js → chunk-GXJNJUEV.js}

@@ -1,15 +1,21 @@
 #!/usr/bin/env node
 import {
+  AmbiguousBoxError,
+  BoxNotFoundError,
   DEFAULT_BOX_IMAGE,
   GitWorktreeError,
+  ReplaceError,
   STATE_DIR,
   STATE_FILE,
   computeDockerContextFingerprint,
   detectGitRepos,
   ensureImage,
   findBox,
+  generateBoxId,
   hostOpenCommand,
   imageExists,
+  parseReplaceRules,
+  parseReplacements,
   pickFreshBranch,
   preparedMatches,
   pullOrBuild,
@@ -18,20 +24,22 @@ import {
   readState,
   recordBox,
   removeBoxRecord,
+  renderCarryEntries,
   reserveProjectIndex
-} from "./chunk-XKH7NTT7.js";
+} from "./chunk-DBBUDKKB.js";
 
 // ../../packages/sandbox-docker/dist/index.js
 import { mkdir as mkdir7, stat as stat8 } from "fs/promises";
 import { homedir as homedir10 } from "os";
-import { basename as basename4, join as join12, resolve as resolve3 } from "path";
-import { execa as execa14 } from "execa";
+import { basename as basename6, join as join12, resolve as resolve4 } from "path";
+import { execa as execa15 } from "execa";
 
 // ../../packages/ctl/dist/index.js
-import { readFile } from "fs/promises";
-import { parse as parseYaml } from "yaml";
 import { readFile as readFile2 } from "fs/promises";
 import { parse as parseYaml2 } from "yaml";
+import { parse as parseYaml } from "yaml";
+import { readFile as readFile3 } from "fs/promises";
+import { parse as parseYaml3 } from "yaml";
 var BOX_STATUS_EVENT = "box-status";
 function renderStatusTable(rows) {
   if (rows.length === 0) return "(no services configured)";
@@ -89,6 +97,20 @@ function truncate(s, n) {
   if (s.length <= n) return s;
   return s.slice(0, n - 1) + "\u2026";
 }
+function isPlainObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function parseReplacementsSection(text) {
+  let doc;
+  try {
+    doc = parseYaml(text);
+  } catch (err) {
+    throw new ReplaceError(`yaml parse error: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  if (doc === null || doc === void 0) return {};
+  if (!isPlainObject(doc)) throw new ReplaceError("top-level config must be a mapping");
+  return parseReplacements(doc.replacements);
+}
 var DEFAULT_BACKOFF = {
   initialMs: 500,
   maxMs: 3e4,
@@ -105,12 +127,12 @@ var ConfigError = class extends Error {
     this.name = "ConfigError";
   }
 };
-function isPlainObject(v) {
+function isPlainObject2(v) {
   return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 function parseEnv(raw, where) {
   if (raw === void 0 || raw === null) return void 0;
-  if (!isPlainObject(raw)) {
+  if (!isPlainObject2(raw)) {
     throw new ConfigError(`${where}.env must be a mapping of string \u2192 string`);
   }
   const out = {};
@@ -152,7 +174,7 @@ function parseRestart(raw, where) {
 var BACKOFF_KEYS = /* @__PURE__ */ new Set(["initial_ms", "max_ms", "factor"]);
 function parseBackoff(raw, where) {
   if (raw === void 0) return { ...DEFAULT_BACKOFF };
-  if (!isPlainObject(raw)) {
+  if (!isPlainObject2(raw)) {
     throw new ConfigError(`${where}.backoff must be a mapping`);
   }
   rejectUnknownKeys(raw, BACKOFF_KEYS, `${where}.backoff`);
@@ -234,7 +256,7 @@ var PROBE_KEYS = /* @__PURE__ */ new Set([
 ]);
 function parseReadyWhen(raw, where) {
   if (raw === void 0 || raw === null) return void 0;
-  if (!isPlainObject(raw)) {
+  if (!isPlainObject2(raw)) {
     throw new ConfigError(`${where}.ready_when must be a mapping`);
   }
   rejectUnknownKeys(raw, PROBE_KEYS, `${where}.ready_when`);
@@ -330,12 +352,94 @@ var SERVICE_KEYS = /* @__PURE__ */ new Set([
   "needs",
   "ready_when",
   "expose",
-  "ide"
+  "ide",
+  "image"
 ]);
+var IMAGE_KEYS = /* @__PURE__ */ new Set(["name", "ports", "env", "args", "container_name"]);
+function shQuote(s) {
+  if (/^[A-Za-z0-9_@%+=:,./-]+$/.test(s)) return s;
+  return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+function parsePorts(raw, where) {
+  if (raw === void 0 || raw === null) return void 0;
+  if (!Array.isArray(raw)) {
+    throw new ConfigError(`${where}.ports must be a list of "<host>:<container>" strings`);
+  }
+  const out = [];
+  for (const [i, v] of raw.entries()) {
+    const s = typeof v === "number" ? String(v) : v;
+    if (typeof s !== "string" || !/^\d+(:\d+)?$/.test(s.trim())) {
+      throw new ConfigError(
+        `${where}.ports[${String(i)}] must be "<host>" or "<host>:<container>" (got ${JSON.stringify(v)})`
+      );
+    }
+    out.push(s.trim());
+  }
+  return out.length > 0 ? out : void 0;
+}
+function parseArgs(raw, where) {
+  if (raw === void 0 || raw === null) return void 0;
+  if (typeof raw === "string") return raw.trim().length > 0 ? raw : void 0;
+  if (Array.isArray(raw)) {
+    const parts = [];
+    for (const [i, v] of raw.entries()) {
+      if (typeof v !== "string") throw new ConfigError(`${where}.args[${String(i)}] must be a string`);
+      parts.push(v);
+    }
+    const joined = parts.join(" ").trim();
+    return joined.length > 0 ? joined : void 0;
+  }
+  throw new ConfigError(`${where}.args must be a string or a list of strings`);
+}
+function synthesizeImageCommand(opts) {
+  const name = shQuote(opts.name);
+  const run = ["docker", "run", "--name", name];
+  for (const p of opts.ports ?? []) run.push("-p", shQuote(p));
+  for (const [k, v] of Object.entries(opts.env ?? {})) run.push("-e", `${k}=${shQuote(v)}`);
+  run.push(shQuote(opts.image));
+  let runLine = run.join(" ");
+  if (opts.args) runLine += ` ${opts.args}`;
+  return [
+    "set -e",
+    `if docker container inspect ${name} >/dev/null 2>&1; then`,
+    `  docker start ${name} >/dev/null`,
+    `  exec docker logs -f ${name}`,
+    "else",
+    `  exec ${runLine}`,
+    "fi"
+  ].join("\n");
+}
+function parseImage(raw, where, defaultName) {
+  if (typeof raw === "string") {
+    const name2 = raw.trim();
+    if (name2.length === 0) throw new ConfigError(`${where}.image must not be empty`);
+    return { name: name2, containerName: defaultName };
+  }
+  if (!isPlainObject2(raw)) {
+    throw new ConfigError(`${where}.image must be an image ref string or a mapping`);
+  }
+  rejectUnknownKeys(raw, IMAGE_KEYS, `${where}.image`);
+  const name = assertString(raw.name, `${where}.image.name`).trim();
+  if (name.length === 0) throw new ConfigError(`${where}.image.name must not be empty`);
+  const ports = parsePorts(raw.ports, `${where}.image`);
+  const args = parseArgs(raw.args, `${where}.image`);
+  const env = parseEnv(raw.env, `${where}.image`);
+  const containerName = raw.container_name === void 0 ? defaultName : assertString(raw.container_name, `${where}.image.container_name`).trim();
+  if (!/^[A-Za-z0-9][A-Za-z0-9_.-]*$/.test(containerName)) {
+    throw new ConfigError(
+      `${where}.image.container_name "${containerName}" is not a valid docker container name`
+    );
+  }
+  const out = { name, containerName };
+  if (ports !== void 0) out.ports = ports;
+  if (env !== void 0) out.env = env;
+  if (args !== void 0) out.args = args;
+  return out;
+}
 var EXPOSE_KEYS = /* @__PURE__ */ new Set(["port", "as"]);
 function parseExpose(raw, where) {
   if (raw === void 0 || raw === null) return void 0;
-  if (!isPlainObject(raw)) {
+  if (!isPlainObject2(raw)) {
     throw new ConfigError(`${where}.expose must be a mapping`);
   }
   rejectUnknownKeys(raw, EXPOSE_KEYS, `${where}.expose`);
@@ -359,25 +463,78 @@ function parsePortNumber(raw, where) {
 }
 function parseService(name, raw) {
   const where = `services.${name}`;
-  if (!isPlainObject(raw)) {
+  if (!isPlainObject2(raw)) {
     throw new ConfigError(`${where} must be a mapping`);
   }
   rejectUnknownKeys(raw, SERVICE_KEYS, where);
-  const command = parseCommand(raw.command, where);
+  const hasImage = raw.image !== void 0 && raw.image !== null;
+  const hasCommand = raw.command !== void 0 && raw.command !== null;
+  if (hasImage && hasCommand) {
+    throw new ConfigError(`${where} sets both command and image \u2014 use exactly one`);
+  }
+  if (!hasImage && !hasCommand) {
+    throw new ConfigError(`${where} must set either command or image`);
+  }
   const cwd = raw.cwd === void 0 ? void 0 : assertString(raw.cwd, `${where}.cwd`);
-  const env = parseEnv(raw.env, where);
   const autostart = raw.autostart === void 0 ? true : assertBool(raw.autostart, `${where}.autostart`);
   const restart2 = parseRestart(raw.restart, where);
   const backoff = parseBackoff(raw.backoff, where);
   const needs = parseNeeds(raw.needs, `${where}.needs`);
   const readyWhen = parseReadyWhen(raw.ready_when, where);
   const expose = parseExpose(raw.expose, where);
+  if (hasImage) {
+    if (raw.env !== void 0) {
+      throw new ConfigError(`${where}.env is not valid for an image service \u2014 use image.env`);
+    }
+    const img = parseImage(raw.image, where, name);
+    const command2 = synthesizeImageCommand({
+      image: img.name,
+      name: img.containerName,
+      ports: img.ports,
+      env: img.env,
+      args: img.args
+    });
+    const spec = {
+      name,
+      command: command2,
+      cwd,
+      autostart,
+      restart: restart2,
+      backoff,
+      needs,
+      readyWhen,
+      expose,
+      image: img.name,
+      containerName: img.containerName
+    };
+    if (img.ports !== void 0) spec.ports = img.ports;
+    if (img.args !== void 0) spec.args = img.args;
+    return spec;
+  }
+  const command = parseCommand(raw.command, where);
+  const env = parseEnv(raw.env, where);
   return { name, command, cwd, env, autostart, restart: restart2, backoff, needs, readyWhen, expose };
 }
-var TASK_KEYS = /* @__PURE__ */ new Set(["command", "cwd", "env", "needs"]);
+var TASK_KEYS = /* @__PURE__ */ new Set(["command", "cwd", "env", "needs", "run_once"]);
+function parseRunOnce(raw, where) {
+  if (raw === void 0 || raw === null || raw === false) return void 0;
+  if (raw === true) return { kind: "marker" };
+  if (isPlainObject2(raw)) {
+    const keys = Object.keys(raw);
+    if (keys.length !== 1 || keys[0] !== "check") {
+      throw new ConfigError(`${where}.run_once object form must be exactly { check: <command> }`);
+    }
+    const check = raw.check;
+    if (typeof check !== "string" || check.trim().length === 0) {
+      throw new ConfigError(`${where}.run_once.check must be a non-empty command string`);
+    }
+    return { kind: "check", command: check };
+  }
+  throw new ConfigError(`${where}.run_once must be true or { check: <command> }`);
+}
 function parseTask(name, raw) {
   const where = `tasks.${name}`;
-  if (!isPlainObject(raw)) {
+  if (!isPlainObject2(raw)) {
     throw new ConfigError(`${where} must be a mapping`);
   }
   rejectUnknownKeys(raw, TASK_KEYS, where);
@@ -385,7 +542,10 @@ function parseTask(name, raw) {
   const cwd = raw.cwd === void 0 ? void 0 : assertString(raw.cwd, `${where}.cwd`);
   const env = parseEnv(raw.env, where);
   const needs = parseNeeds(raw.needs, `${where}.needs`);
-  return { name, command, cwd, env, needs };
+  const runOnce = parseRunOnce(raw.run_once, where);
+  const spec = { name, command, cwd, env, needs };
+  if (runOnce !== void 0) spec.runOnce = runOnce;
+  return spec;
 }
 function assertString(raw, where) {
   if (typeof raw !== "string") throw new ConfigError(`${where} must be a string`);
@@ -395,7 +555,7 @@ function assertBool(raw, where) {
   if (typeof raw !== "boolean") throw new ConfigError(`${where} must be a boolean`);
   return raw;
 }
-var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults", "carry"]);
+var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults", "carry", "replacements"]);
 function validateUnitGraph(tasks, services) {
   const names = /* @__PURE__ */ new Set();
   for (const t of tasks) {
@@ -449,19 +609,19 @@ function validateUnitGraph(tasks, services) {
 function parseConfig(text) {
   let doc;
   try {
-    doc = parseYaml(text);
+    doc = parseYaml2(text);
   } catch (err) {
     throw new ConfigError(`yaml parse error: ${err instanceof Error ? err.message : String(err)}`);
   }
-  if (doc === null || doc === void 0) return { services: [], tasks: [] };
-  if (!isPlainObject(doc)) {
+  if (doc === null || doc === void 0) return { services: [], tasks: [], replacements: {} };
+  if (!isPlainObject2(doc)) {
     throw new ConfigError("top-level config must be a mapping");
   }
   rejectUnknownKeys(doc, TOP_LEVEL_KEYS, "(root)");
   const services = [];
   const servicesRaw = doc.services;
   if (servicesRaw !== void 0 && servicesRaw !== null) {
-    if (!isPlainObject(servicesRaw)) {
+    if (!isPlainObject2(servicesRaw)) {
       throw new ConfigError("services must be a mapping of name \u2192 service");
     }
     for (const [name, raw] of Object.entries(servicesRaw)) {
@@ -474,7 +634,7 @@ function parseConfig(text) {
   const tasks = [];
   const tasksRaw = doc.tasks;
   if (tasksRaw !== void 0 && tasksRaw !== null) {
-    if (!isPlainObject(tasksRaw)) {
+    if (!isPlainObject2(tasksRaw)) {
       throw new ConfigError("tasks must be a mapping of name \u2192 task");
     }
     for (const [name, raw] of Object.entries(tasksRaw)) {
@@ -484,10 +644,10 @@ function parseConfig(text) {
       tasks.push(parseTask(name, raw));
     }
   }
-  if (doc.ide !== void 0 && doc.ide !== null && !isPlainObject(doc.ide)) {
+  if (doc.ide !== void 0 && doc.ide !== null && !isPlainObject2(doc.ide)) {
     throw new ConfigError("ide must be a mapping");
   }
-  if (doc.defaults !== void 0 && doc.defaults !== null && !isPlainObject(doc.defaults)) {
+  if (doc.defaults !== void 0 && doc.defaults !== null && !isPlainObject2(doc.defaults)) {
     throw new ConfigError("defaults must be a mapping");
   }
   validateUnitGraph(tasks, services);
@@ -497,15 +657,21 @@ function parseConfig(text) {
       `at most one service may set expose: (got: ${exposed.map((s) => s.name).join(", ")})`
     );
   }
-  return { services, tasks };
+  let replacements;
+  try {
+    replacements = parseReplacements(doc.replacements);
+  } catch (err) {
+    throw new ConfigError(err instanceof Error ? err.message : String(err));
+  }
+  return { services, tasks, replacements };
 }
 async function loadConfig(path) {
   let text;
   try {
-    text = await readFile(path, "utf8");
+    text = await readFile2(path, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") {
-      return { services: [], tasks: [] };
+      return { services: [], tasks: [], replacements: {} };
     }
     throw err;
   }
@@ -517,7 +683,31 @@ var CarryConfigError = class extends Error {
     this.name = "CarryConfigError";
   }
 };
-var ITEM_KEYS = /* @__PURE__ */ new Set(["src", "dest", "mode", "user", "optional"]);
+var ITEM_KEYS = /* @__PURE__ */ new Set([
+  "src",
+  "dest",
+  "mode",
+  "user",
+  "exclude",
+  "optional",
+  "replaceEnvs",
+  "replace",
+  "rules"
+]);
+function parseStringList(raw, where, desc) {
+  if (raw === void 0 || raw === null) return void 0;
+  if (!Array.isArray(raw)) {
+    throw new CarryConfigError(`${where} must be a list of ${desc}`);
+  }
+  const out = [];
+  for (const [i, v] of raw.entries()) {
+    if (typeof v !== "string" || v.trim().length === 0) {
+      throw new CarryConfigError(`${where}[${String(i)}] must be a non-empty string`);
+    }
+    out.push(v.trim());
+  }
+  return out.length > 0 ? out : void 0;
+}
 function parseUser(raw, where) {
   if (raw === void 0 || raw === null) return void 0;
   let n;
@@ -542,7 +732,7 @@ function parseUser(raw, where) {
   }
   return n;
 }
-function isPlainObject2(v) {
+function isPlainObject3(v) {
   return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 function assertSrcShape(src, where) {
@@ -646,6 +836,7 @@ function parseMapping(raw, where) {
   assertDestShape(dest, where);
   const mode = parseMode(raw.mode, where);
   const user = parseUser(raw.user, where);
+  const exclude = parseStringList(raw.exclude, `${where}.exclude`, "glob/name strings");
   let optional = false;
   if (raw.optional !== void 0 && raw.optional !== null) {
     if (typeof raw.optional !== "boolean") {
@@ -653,9 +844,30 @@ function parseMapping(raw, where) {
     }
     optional = raw.optional;
   }
+  let replaceEnvs;
+  if (raw.replaceEnvs !== void 0 && raw.replaceEnvs !== null) {
+    if (typeof raw.replaceEnvs !== "boolean") {
+      throw new CarryConfigError(`${where}.replaceEnvs must be a boolean`);
+    }
+    replaceEnvs = raw.replaceEnvs;
+  }
+  let replace;
+  if (raw.replace !== void 0 && raw.replace !== null) {
+    try {
+      const rules2 = parseReplaceRules(raw.replace, `${where}.replace`);
+      if (rules2.length > 0) replace = rules2;
+    } catch (err) {
+      throw new CarryConfigError(err instanceof Error ? err.message : String(err));
+    }
+  }
+  const rules = parseStringList(raw.rules, `${where}.rules`, "replacements rule-set names");
   const out = { src, dest, optional };
   if (mode !== void 0) out.mode = mode;
   if (user !== void 0) out.user = user;
+  if (exclude !== void 0) out.exclude = exclude;
+  if (replaceEnvs !== void 0) out.replaceEnvs = replaceEnvs;
+  if (replace !== void 0) out.replace = replace;
+  if (rules !== void 0) out.rules = rules;
   return out;
 }
 function parseCarryRaw(raw) {
@@ -668,7 +880,7 @@ function parseCarryRaw(raw) {
     const where = `carry[${String(i)}]`;
     if (typeof item === "string") {
       out.push(parseShorthand(item, where));
-    } else if (isPlainObject2(item)) {
+    } else if (isPlainObject3(item)) {
       out.push(parseMapping(item, where));
     } else {
       throw new CarryConfigError(`${where} must be a string or mapping`);
@@ -679,14 +891,14 @@ function parseCarryRaw(raw) {
 function parseCarrySection(text) {
   let doc;
   try {
-    doc = parseYaml2(text);
+    doc = parseYaml3(text);
   } catch (err) {
     throw new CarryConfigError(
       `yaml parse error: ${err instanceof Error ? err.message : String(err)}`
     );
   }
   if (doc === null || doc === void 0) return [];
-  if (!isPlainObject2(doc)) {
+  if (!isPlainObject3(doc)) {
     throw new CarryConfigError("top-level config must be a mapping");
   }
   return parseCarryRaw(doc.carry);
@@ -694,7 +906,7 @@ function parseCarrySection(text) {
 async function loadCarrySection(path) {
   let text;
   try {
-    text = await readFile2(path, "utf8");
+    text = await readFile3(path, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return [];
     throw err;
@@ -702,27 +914,13 @@ async function loadCarrySection(path) {
   return parseCarrySection(text);
 }
 
-// ../../packages/sandbox-docker/dist/index.js
-import { spawnSync } from "child_process";
-import { mkdir as mkdir3, mkdtemp as mkdtemp2, readdir as readdir3, readFile as readFile42, realpath as realpath2, rm as rm2, stat as stat3, writeFile as writeFile22 } from "fs/promises";
-import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
-import { isAbsolute as isAbsolute2, join as join4, relative as relative2 } from "path";
-import { setTimeout as delay } from "timers/promises";
-import { execa as execa5 } from "execa";
-import { execa as execa2 } from "execa";
-import { mkdir as mkdir4, readFile as readFile5, readdir as readdir4, stat as stat4 } from "fs/promises";
-import { createHash as createHash3 } from "crypto";
-import { homedir as homedir2 } from "os";
-import { join as join5 } from "path";
-import { execa as execa22 } from "execa";
-
 // ../../packages/config/dist/index.js
-import { parse as parseYaml3 } from "yaml";
+import { parse as parseYaml4 } from "yaml";
 import { createHash } from "crypto";
 import { realpath, stat } from "fs/promises";
 import { homedir } from "os";
 import { basename, dirname, join, resolve } from "path";
-import { readFile as readFile3 } from "fs/promises";
+import { readFile } from "fs/promises";
 import { parse as parseYaml22 } from "yaml";
 import { mkdir, readFile as readFile22, rename, rm, stat as stat2, writeFile } from "fs/promises";
 import { dirname as dirname2, isAbsolute, join as join2 } from "path";
@@ -748,6 +946,7 @@ var BUILT_IN_DEFAULTS = {
     withEnv: false,
     resyncOnStart: true,
     vnc: true,
+    autoApproveHostActions: false,
     isolateClaudeConfig: false,
     isolateCodexConfig: false,
     isolateOpencodeConfig: false,
@@ -768,7 +967,8 @@ var BUILT_IN_DEFAULTS = {
     bundleDepth: void 0,
     vercelVcpus: 2,
     vercelTimeoutMs: 27e5,
-    vercelNetworkPolicy: ""
+    vercelNetworkPolicy: "",
+    cpMaxBytes: 100 * 1024 * 1024
   },
   checkpoint: {
     maxLayers: 3
@@ -824,7 +1024,8 @@ var BUILT_IN_DEFAULTS = {
     enabled: true,
     maxConcurrent: 5,
     maxWorking: 0,
-    idleGraceSeconds: 15
+    idleGraceSeconds: 15,
+    openIn: "none"
   },
   cloud: {
     useCurrentBranch: false
@@ -832,6 +1033,10 @@ var BUILT_IN_DEFAULTS = {
   maintenance: {
     pruneProjectConfigs: true,
     pruneProjectConfigsEvery: 50
+  },
+  integrations: {
+    notion: { enabled: false },
+    linear: { enabled: false }
   }
 };
 var KEY_REGISTRY = [
@@ -942,6 +1147,11 @@ var KEY_REGISTRY = [
     type: "bool",
     description: "Run the per-box Xvnc + noVNC stack."
   },
+  {
+    key: "box.autoApproveHostActions",
+    type: "bool",
+    description: "Auto-approve host-action confirmations (git push, cp host<->box, gh PR writes, checkpoint) for this box without an interactive prompt. Off by default; intended for unattended orchestration of trusted boxes. Each auto-approval is recorded as a relay event (visible in `agentbox agent` / the dashboard)."
+  },
   {
     key: "box.isolateClaudeConfig",
     type: "bool",
@@ -1040,6 +1250,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
   },
+  {
+    key: "box.cpMaxBytes",
+    type: "int",
+    description: "Max bytes a single host\u2192box copy may transfer after excludes, shared by `agentbox cp` (blocked with a size breakdown unless --yes) and each `carry:` entry (rejected at resolve time). Default 104857600 (100 MiB).",
+    advanced: true
+  },
   {
     key: "box.vercelNetworkPolicy",
     type: "string",
@@ -1187,6 +1403,12 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
   },
+  {
+    key: "queue.openIn",
+    type: "enum",
+    enumValues: ["none", "split", "window", "tab"],
+    description: "When a background `-i` job finishes creating its box, where the host relay opens an attached terminal onto it: `none` (default \u2014 open nothing, just queue), `split`, `window`, or `tab`. Honored only when the submitting shell runs inside tmux, cmux, or iTerm2 (the targeting is captured at submit time). Under cmux, `split` splits the pane you submitted from (falling back to the parent workspace, then a new workspace), `tab` adds a tab in the parent workspace, and `window` opens a separate workspace; iTerm2 opens relative to the frontmost window. Unlike `attach.openIn` there is no `same` mode \u2014 the box is created asynchronously, so it is always a fresh terminal."
+  },
   {
     key: "cloud.useCurrentBranch",
     type: "bool",
@@ -1201,6 +1423,16 @@ var KEY_REGISTRY = [
     key: "maintenance.pruneProjectConfigsEvery",
     type: "int",
     description: "Run the orphan project-config sweep every N successful `agentbox create`."
+  },
+  {
+    key: "integrations.notion.enabled",
+    type: "bool",
+    description: 'Enable the in-box Notion integration shim (`ntn`/`notion` commands routed via the host relay). When false (default), the relay refuses dispatch with a clear "disabled" error and no host process is touched.'
+  },
+  {
+    key: "integrations.linear.enabled",
+    type: "bool",
+    description: 'Enable the in-box Linear integration shim (`linear` commands routed via the host relay; backed by `@schpet/linear-cli`). When false (default), the relay refuses dispatch with a clear "disabled" error and no host process is touched.'
   }
 ];
 var REGISTRY_BY_KEY = new Map(KEY_REGISTRY.map((d) => [d.key, d]));
@@ -1213,7 +1445,7 @@ var UserConfigError = class extends Error {
     this.name = "UserConfigError";
   }
 };
-function isPlainObject3(v) {
+function isPlainObject4(v) {
   return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 var RENAMED_KEYS = /* @__PURE__ */ new Map([["box.snapshot", "box.hostSnapshot"]]);
@@ -1270,21 +1502,21 @@ function coerceTypedValue(raw, desc, where) {
 function parseUserConfig(text, where) {
   let doc;
   try {
-    doc = parseYaml3(text);
+    doc = parseYaml4(text);
   } catch (err) {
     throw new UserConfigError(
       `${where}: yaml parse error: ${err instanceof Error ? err.message : String(err)}`
     );
   }
   if (doc === null || doc === void 0) return {};
-  if (!isPlainObject3(doc)) {
+  if (!isPlainObject4(doc)) {
     throw new UserConfigError(`${where}: top-level must be a mapping`);
   }
   return parseUserConfigObject(doc, where);
 }
 function parseUserConfigObject(doc, where) {
   if (doc === null || doc === void 0) return {};
-  if (!isPlainObject3(doc)) {
+  if (!isPlainObject4(doc)) {
     throw new UserConfigError(`${where}: must be a mapping`);
   }
   const out = {};
@@ -1305,32 +1537,50 @@ function parseUserConfigObject(doc, where) {
       );
     }
     if (branchRaw === null || branchRaw === void 0) continue;
-    if (!isPlainObject3(branchRaw)) {
+    if (!isPlainObject4(branchRaw)) {
       throw new UserConfigError(`${where}.${branchName}: must be a mapping`);
     }
-    const branchOut = {};
-    for (const [leafName, leafRaw] of Object.entries(branchRaw)) {
-      const desc = branchSpec.leaves.get(leafName);
-      if (!desc) {
-        const renamedTo = RENAMED_KEYS.get(`${branchName}.${leafName}`);
-        if (renamedTo) {
-          throw new UserConfigError(
-            `${where}.${branchName}.${leafName} was renamed to ${renamedTo} \u2014 update your config`
-          );
-        }
-        throw new UserConfigError(
-          `${where}.${branchName}: unknown key "${leafName}" (known: ${[...branchSpec.leaves.keys()].join(", ")})`
-        );
-      }
-      if (leafRaw === void 0) continue;
-      branchOut[leafName] = coerceTypedValue(leafRaw, desc, `${where}.${desc.key}`);
-    }
+    const branchOut = parseBranchObject(branchSpec, branchName, branchRaw, "", where);
     if (Object.keys(branchOut).length > 0) {
       out[branchName] = branchOut;
     }
   }
   return out;
 }
+function parseBranchObject(branchSpec, branchName, raw, qualifiedPrefix, where) {
+  const out = {};
+  for (const [name, value] of Object.entries(raw)) {
+    if (value === void 0) continue;
+    const qualified = qualifiedPrefix ? `${qualifiedPrefix}.${name}` : name;
+    const desc = branchSpec.leaves.get(qualified);
+    if (desc) {
+      out[name] = coerceTypedValue(value, desc, `${where}.${desc.key}`);
+      continue;
+    }
+    if (isPlainObject4(value) && branchHasLeafBelow(branchSpec, qualified)) {
+      const sub = parseBranchObject(branchSpec, branchName, value, qualified, where);
+      if (Object.keys(sub).length > 0) out[name] = sub;
+      continue;
+    }
+    const renamedTo = RENAMED_KEYS.get(`${branchName}.${qualified}`);
+    if (renamedTo) {
+      throw new UserConfigError(
+        `${where}.${branchName}.${qualified} was renamed to ${renamedTo} \u2014 update your config`
+      );
+    }
+    throw new UserConfigError(
+      `${where}.${branchName}: unknown key "${qualified}" (known: ${[...branchSpec.leaves.keys()].join(", ")})`
+    );
+  }
+  return out;
+}
+function branchHasLeafBelow(branchSpec, prefix) {
+  const needle = `${prefix}.`;
+  for (const leaf of branchSpec.leaves.keys()) {
+    if (leaf.startsWith(needle)) return true;
+  }
+  return false;
+}
 function coerceFromString(key, raw) {
   const desc = lookupKeyOrThrow(key);
   switch (desc.type) {
@@ -1446,7 +1696,7 @@ async function configPathFor(scope, cwd) {
 async function loadOptionalUserConfig(path) {
   let text;
   try {
-    text = await readFile3(path, "utf8");
+    text = await readFile(path, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return {};
     throw err;
@@ -1457,7 +1707,7 @@ async function loadProjectAgentboxDefaults(workspacePath) {
   const path = workspaceConfigFile(workspacePath);
   let text;
   try {
-    text = await readFile3(path, "utf8");
+    text = await readFile(path, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return {};
     throw err;
@@ -1537,14 +1787,26 @@ function mergeLayers(input) {
   return { effective, sources };
 }
 function readLeaf(obj, branch, leaf) {
-  const b = obj[branch];
-  if (b === void 0 || b === null || typeof b !== "object") return void 0;
-  return b[leaf];
+  let cur = obj[branch];
+  for (const seg of leaf.split(".")) {
+    if (cur === void 0 || cur === null || typeof cur !== "object") return void 0;
+    cur = cur[seg];
+  }
+  return cur;
 }
 function writeLeaf(obj, branch, leaf, value) {
-  const b = obj[branch];
-  if (!b) return;
-  b[leaf] = value;
+  let cur = obj[branch];
+  if (!cur) return;
+  const segs = leaf.split(".");
+  for (let i = 0; i < segs.length - 1; i++) {
+    const seg = segs[i];
+    const next = cur[seg];
+    if (next === void 0 || next === null || typeof next !== "object") {
+      cur[seg] = {};
+    }
+    cur = cur[seg];
+  }
+  cur[segs[segs.length - 1]] = value;
 }
 function resolveDefaultCheckpoint(cfg, provider) {
   const perProvider = provider === "daytona" ? cfg.box.defaultCheckpointDaytona : provider === "hetzner" ? cfg.box.defaultCheckpointHetzner : provider === "vercel" ? cfg.box.defaultCheckpointVercel : provider === "e2b" ? cfg.box.defaultCheckpointE2b : cfg.box.defaultCheckpointDocker;
@@ -1720,25 +1982,34 @@ function stampSchema(doc) {
   }
 }
 function setLeaf(doc, key, value) {
-  const idx = key.indexOf(".");
-  const branch = key.slice(0, idx);
-  const leaf = key.slice(idx + 1);
-  const root = doc;
-  if (!root[branch] || typeof root[branch] !== "object") {
-    root[branch] = {};
+  const segs = key.split(".");
+  let cur = doc;
+  for (let i = 0; i < segs.length - 1; i++) {
+    const seg = segs[i];
+    const next = cur[seg];
+    if (!next || typeof next !== "object") {
+      cur[seg] = {};
+    }
+    cur = cur[seg];
   }
-  root[branch][leaf] = value;
+  cur[segs[segs.length - 1]] = value;
 }
 function unsetLeaf(doc, key) {
-  const idx = key.indexOf(".");
-  const branch = key.slice(0, idx);
-  const leaf = key.slice(idx + 1);
-  const root = doc;
-  const b = root[branch];
-  if (!b || typeof b !== "object" || !(leaf in b)) return false;
-  delete b[leaf];
-  if (Object.keys(b).length === 0) {
-    delete root[branch];
+  const segs = key.split(".");
+  const path = [doc];
+  for (let i = 0; i < segs.length - 1; i++) {
+    const seg = segs[i];
+    const next = path[path.length - 1][seg];
+    if (!next || typeof next !== "object") return false;
+    path.push(next);
+  }
+  const leafSeg = segs[segs.length - 1];
+  const leafContainer = path[path.length - 1];
+  if (!(leafSeg in leafContainer)) return false;
+  delete leafContainer[leafSeg];
+  for (let i = path.length - 1; i > 0; i--) {
+    if (Object.keys(path[i]).length > 0) break;
+    delete path[i - 1][segs[i - 1]];
   }
   return true;
 }
@@ -1771,123 +2042,346 @@ async function touchProjectMeta(absPath) {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
+import { spawnSync } from "child_process";
+import { mkdir as mkdir3, mkdtemp as mkdtemp2, readdir as readdir3, readFile as readFile42, realpath as realpath2, rm as rm2, stat as stat3, writeFile as writeFile22 } from "fs/promises";
+import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
+import { isAbsolute as isAbsolute2, join as join4, relative as relative2 } from "path";
+import { setTimeout as delay } from "timers/promises";
+import { execa as execa6 } from "execa";
+import { execa as execa2 } from "execa";
+import { mkdir as mkdir4, readFile as readFile5, readdir as readdir4, stat as stat4 } from "fs/promises";
+import { createHash as createHash3 } from "crypto";
+import { homedir as homedir2 } from "os";
+import { basename as basename2, dirname as dirname22, join as join5 } from "path";
+import { execa as execa3 } from "execa";
+import { existsSync, mkdirSync, renameSync, statSync } from "fs";
+import { basename as basename3, dirname as dirname3, posix, resolve as resolve2 } from "path";
+import { execa as execa22 } from "execa";
 import { copyFile, mkdtemp, readdir as readdir22, readFile as readFile32, rm as rm3, stat as stat22, writeFile as writeFile3 } from "fs/promises";
 import { homedir as homedir22, tmpdir } from "os";
-import { basename as basename2, join as join32, relative } from "path";
-import { execa as execa4 } from "execa";
+import { basename as basename4, join as join32, relative } from "path";
+import { execa as execa5 } from "execa";
 import { chmod, mkdir as mkdir22, readFile as readFile23 } from "fs/promises";
-import { basename as basename3, join as join22 } from "path";
-import { execa as execa3 } from "execa";
+import { basename as basename32, join as join22 } from "path";
+import { execa as execa4 } from "execa";
 import { spawnSync as spawnSync2 } from "child_process";
 import { stat as stat42 } from "fs/promises";
 import { homedir as homedir4 } from "os";
 import { join as join52 } from "path";
-import { execa as execa6 } from "execa";
+import { execa as execa7 } from "execa";
 import { spawnSync as spawnSync3 } from "child_process";
 import { stat as stat5 } from "fs/promises";
 import { homedir as homedir5 } from "os";
 import { join as join6 } from "path";
-import { execa as execa7 } from "execa";
-import { randomBytes as randomBytes3 } from "crypto";
+import { execa as execa8 } from "execa";
+import { randomBytes as randomBytes2 } from "crypto";
 import { createHash as createHash22 } from "crypto";
 import { readFile as readFile52 } from "fs/promises";
 import { join as join7 } from "path";
-import { execa as execa8 } from "execa";
-import { existsSync } from "fs";
+import { execa as execa9 } from "execa";
+import { existsSync as existsSync2 } from "fs";
 import { readFile as readFile6 } from "fs/promises";
 import { homedir as homedir6 } from "os";
 import { join as join8 } from "path";
-import { execa as execa9 } from "execa";
-
-// ../../packages/core/dist/index.js
-import { randomBytes } from "crypto";
-var claudeCodeLauncher = {
-  kind: "claude-code",
-  // claude treats its first positional argument as the seed user turn in
-  // interactive mode (`claude "<message>"`), so we slot the initial message
-  // ahead of any user-passed flags.
-  buildArgs(initialMessage, userArgs) {
-    if (!initialMessage) return [...userArgs];
-    return [initialMessage, ...userArgs];
-  }
-};
-var codexLauncher = {
-  kind: "codex",
-  buildArgs(initialMessage, userArgs) {
-    if (!initialMessage) return [...userArgs];
-    return [initialMessage, ...userArgs];
-  }
-};
-var opencodeLauncher = {
-  kind: "opencode",
-  buildArgs(initialMessage, userArgs) {
-    if (!initialMessage) return [...userArgs];
-    return [initialMessage, ...userArgs];
-  }
-};
-function resolveAgentLauncher(kind) {
-  if (kind === "claude-code") return claudeCodeLauncher;
-  if (kind === "codex") return codexLauncher;
-  if (kind === "opencode") return opencodeLauncher;
-  throw new Error(`unknown agent kind: ${String(kind)}`);
-}
-var UserFacingError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "UserFacingError";
-  }
-};
-var BoxNotFoundError = class extends Error {
-  constructor(query) {
-    super(`no agentbox matches "${query}"`);
-    this.query = query;
-    this.name = "BoxNotFoundError";
-  }
-  query;
-};
-var AmbiguousBoxError = class extends Error {
-  constructor(query, matches) {
-    const ids = matches.map((m) => m.id).join(", ");
-    super(`"${query}" matches multiple boxes: ${ids}`);
-    this.query = query;
-    this.matches = matches;
-    this.name = "AmbiguousBoxError";
-  }
-  query;
-  matches;
-};
-var BOX_ID_PREFIX = "b";
-function generateBoxId() {
-  return `${BOX_ID_PREFIX}${randomBytes(4).toString("hex")}`;
-}
-
-// ../../packages/sandbox-docker/dist/index.js
 import { execa as execa10 } from "execa";
+import { execa as execa11 } from "execa";
 import { mkdir as mkdir42, readdir as readdir42, rm as rm32, stat as stat6 } from "fs/promises";
 import { homedir as homedir7, platform } from "os";
-import { join as join9, resolve as resolve2 } from "path";
+import { join as join9, resolve as resolve22 } from "path";
 import { mkdir as mkdir5, mkdtemp as mkdtemp3, readFile as readFile7, readdir as readdir5, rm as rm4, writeFile as writeFile32 } from "fs/promises";
 import { homedir as homedir8, tmpdir as tmpdir3 } from "os";
-import { basename as basename32, join as join10 } from "path";
-import { execa as execa11 } from "execa";
-import { stat as stat7 } from "fs/promises";
+import { basename as basename5, join as join10 } from "path";
 import { execa as execa12 } from "execa";
+import { stat as stat7 } from "fs/promises";
 import { execa as execa13 } from "execa";
+import { execa as execa14 } from "execa";
 import { spawn } from "child_process";
 import { randomBytes as randomBytes22 } from "crypto";
-import { existsSync as existsSync2, openSync } from "fs";
+import { existsSync as existsSync3, openSync } from "fs";
 import { cp, mkdir as mkdir6, readFile as readFile8, readdir as readdir6, rename as rename3, rm as rm5, unlink as unlink2, writeFile as writeFile4 } from "fs/promises";
 import { request as httpRequest } from "http";
 import { createRequire } from "module";
 import { homedir as homedir9 } from "os";
-import { dirname as dirname3, join as join11, resolve as resolve22, sep } from "path";
+import { dirname as dirname32, join as join11, resolve as resolve3, sep } from "path";
 import { setTimeout as delay2 } from "timers/promises";
 import { fileURLToPath } from "url";
 
 // ../../packages/relay/dist/index.js
-import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
+import { createHash as createHash2, randomBytes } from "crypto";
 import { execa } from "execa";
-import { spawn as spawn3 } from "child_process";
+
+// ../../packages/integrations/dist/index.js
+var linearConnector = {
+  service: "linear",
+  hostBin: "linear",
+  detect: {
+    versionArgs: ["--version"],
+    authArgs: ["auth", "whoami"],
+    installHint: "install @schpet/linear-cli: npm i -g @schpet/linear-cli",
+    loginHint: "linear auth login"
+  },
+  ops: {
+    whoami: {
+      write: false,
+      buildArgv: (args) => ["auth", "whoami", ...args]
+    },
+    "issue.list": {
+      write: false,
+      buildArgv: (args) => ["issue", "list", ...args]
+    },
+    "issue.mine": {
+      // The v2-native read for "issues assigned to me" — the README directs
+      // users here in place of the older `issue list --me`. Listed as a
+      // separate op so the shim doesn't reject the canonical form.
+      write: false,
+      buildArgv: (args) => ["issue", "mine", ...args]
+    },
+    "issue.view": {
+      write: false,
+      buildArgv: (args) => ["issue", "view", ...args]
+    },
+    "issue.query": {
+      write: false,
+      buildArgv: (args) => ["issue", "query", ...args]
+    },
+    "team.list": {
+      write: false,
+      buildArgv: (args) => ["team", "list", ...args]
+    },
+    api: {
+      write: false,
+      buildArgv: (args) => ["api", ...args],
+      refuseCall: refuseGraphqlNonQuery
+    },
+    "issue.create": {
+      write: true,
+      buildArgv: (args) => ["issue", "create", ...args]
+    },
+    "issue.update": {
+      write: true,
+      buildArgv: (args) => ["issue", "update", ...args]
+    },
+    "issue.comment": {
+      // Maps to `linear issue comment add` — `@schpet/linear-cli` v2 uses
+      // `add` (not `create`); `add`'s sibling subcommands are `list`,
+      // `update`, `delete`.
+      write: true,
+      buildArgv: (args) => ["issue", "comment", "add", ...args]
+    }
+  }
+};
+function refuseGraphqlNonQuery(args) {
+  const refuse = (reason) => ({
+    exitCode: 65,
+    stderr: `linear api: ${reason}
+`
+  });
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i] ?? "";
+    if (arg === "--input" || arg.startsWith("--input=")) {
+      return refuse("'--input' (stdin/file body) isn't supported through the relay");
+    }
+    if (arg === "--variable") {
+      const next = args[i + 1] ?? "";
+      if (variableValueIsFileLoad(next)) {
+        return refuse(
+          "'--variable key=@<path>' (host-file load) isn't supported through the relay"
+        );
+      }
+      if (!next.startsWith("--")) i++;
+      continue;
+    }
+    if (arg.startsWith("--variable=")) {
+      if (variableValueIsFileLoad(arg.slice("--variable=".length))) {
+        return refuse(
+          "'--variable=key=@<path>' (host-file load) isn't supported through the relay"
+        );
+      }
+      continue;
+    }
+    if (arg === "--variables-json") {
+      const next = args[i + 1] ?? "";
+      if (!next.startsWith("--")) i++;
+      continue;
+    }
+    if (arg.startsWith("--variables-json=")) {
+      continue;
+    }
+    if (arg.startsWith("--")) continue;
+    const op = firstGraphqlOperationKeyword(arg);
+    if (op === "mutation" || op === "subscription") {
+      return refuse(
+        `only GraphQL queries are proxied (use issue.create / issue.update / issue.comment for writes); detected operation '${op}'`
+      );
+    }
+    if (op === "unparseable") {
+      return refuse(
+        `couldn't classify positional argv ${JSON.stringify(arg)} as a GraphQL operation (expected 'query', 'mutation', 'subscription', or '{')`
+      );
+    }
+  }
+  return null;
+}
+function variableValueIsFileLoad(value) {
+  if (value.startsWith("@")) return true;
+  return value.includes("=@");
+}
+function firstGraphqlOperationKeyword(source) {
+  let i = 0;
+  const n = source.length;
+  while (i < n) {
+    const c = source[i];
+    if (/\s/.test(c) || c === "," || c === "\uFEFF") {
+      i++;
+      continue;
+    }
+    if (c === "#") {
+      while (i < n && source[i] !== "\n") i++;
+      continue;
+    }
+    break;
+  }
+  if (i >= n) return null;
+  if (source[i] === "{") return "anonymous";
+  let j = i;
+  while (j < n) {
+    const c = source[j];
+    if (c >= "a" && c <= "z" || c >= "A" && c <= "Z") {
+      j++;
+    } else {
+      break;
+    }
+  }
+  if (j === i) return "unparseable";
+  return source.slice(i, j).toLowerCase();
+}
+var notionConnector = {
+  service: "notion",
+  hostBin: "ntn",
+  detect: {
+    versionArgs: ["--version"],
+    authArgs: ["api", "v1/users/me"],
+    installHint: "install ntn: https://developers.notion.com/reference/notion-cli",
+    loginHint: "ntn login"
+  },
+  ops: {
+    whoami: {
+      write: false,
+      buildArgv: (args) => ["whoami", ...args]
+    },
+    api: {
+      write: false,
+      buildArgv: (args) => ["api", ...args],
+      refuseCall: refuseUnsafeApiCall
+    },
+    "page.create": {
+      write: true,
+      buildArgv: (args) => ["pages", "create", ...args]
+    },
+    "page.update": {
+      write: true,
+      buildArgv: (args) => ["pages", "update", ...args]
+    }
+  }
+};
+var READ_POST_ENDPOINTS = [
+  /^\/?v1\/search$/,
+  /^\/?v1\/databases\/[^/?]+\/query$/,
+  /^\/?v1\/data_sources\/[^/?]+\/query$/
+];
+var SAFE_API_BOOLEAN_FLAGS = /* @__PURE__ */ new Set([
+  "--spec",
+  "--docs",
+  "-h",
+  "--help",
+  "-v",
+  "--verbose",
+  "-V",
+  "--version"
+]);
+function refuseUnsafeApiCall(args) {
+  const refuse = (reason) => ({
+    exitCode: 65,
+    stderr: `notion api: ${reason}
+`
+  });
+  let explicitMethod = null;
+  let hasBody = false;
+  let endpoint = null;
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i] ?? "";
+    if (arg === "-X" || arg === "--method") {
+      explicitMethod = args[i + 1] ?? "";
+      i++;
+      continue;
+    }
+    if (arg.startsWith("--method=")) {
+      explicitMethod = arg.slice("--method=".length);
+      continue;
+    }
+    if (arg.startsWith("-X") && arg.length > 2) {
+      explicitMethod = arg.slice(2).replace(/^=/, "");
+      continue;
+    }
+    if (arg === "-d" || arg === "--data") {
+      hasBody = true;
+      i++;
+      continue;
+    }
+    if (arg.startsWith("--data=") || arg.startsWith("-d") && arg.length > 2) {
+      hasBody = true;
+      continue;
+    }
+    if (arg === "--file" || arg.startsWith("--file=")) {
+      return refuse("'--file' (host-file upload) isn't supported through the relay");
+    }
+    if (arg === "--input" || arg.startsWith("--input=")) {
+      return refuse("'--input' (stdin/file body) isn't supported through the relay; use -d <JSON>");
+    }
+    if (arg === "--notion-version") {
+      i++;
+      continue;
+    }
+    if (arg.startsWith("--notion-version=")) continue;
+    if (arg.startsWith("-")) {
+      if (SAFE_API_BOOLEAN_FLAGS.has(arg)) continue;
+      return refuse(
+        `unsupported option '${arg}' (read-only api accepts a path, inline inputs, -d <JSON>, -X GET/POST, --notion-version, --spec, --docs)`
+      );
+    }
+    if (endpoint === null) {
+      endpoint = arg;
+      continue;
+    }
+    if (isBodyAssignment(arg)) hasBody = true;
+  }
+  const method = (explicitMethod && explicitMethod.length > 0 ? explicitMethod : hasBody ? "POST" : "GET").toUpperCase();
+  if (method === "GET") return null;
+  if (method !== "POST") {
+    return refuse(
+      `only GET and read-only POST are proxied (use page.create / page.update for writes); detected method '${method}'`
+    );
+  }
+  if (endpoint === null) {
+    return refuse("could not determine the API endpoint for a non-GET call");
+  }
+  if (endpoint.split("/").some((seg) => seg === "." || seg === "..")) {
+    return refuse(`path traversal segments ('.' / '..') are not allowed in '${endpoint}'`);
+  }
+  if (READ_POST_ENDPOINTS.some((re) => re.test(endpoint))) return null;
+  return refuse(
+    `POST is only proxied for read endpoints (v1/search, v1/databases/{id}/query, v1/data_sources/{id}/query); '${endpoint}' is not one (use page.create / page.update for writes)`
+  );
+}
+function isBodyAssignment(token) {
+  if (token.includes(":=")) return true;
+  if (token.includes("==")) return false;
+  return token.includes("=");
+}
+var ALL_CONNECTORS = [notionConnector, linearConnector];
+
+// ../../packages/relay/dist/index.js
+import { spawn as spawn4 } from "child_process";
 import {
   mkdir as mkdir2,
   readdir as readdir2,
@@ -2077,7 +2571,7 @@ async function uncachedBoxStateCount() {
 }
 function inspectDockerState(containerName) {
   return new Promise((resolveP) => {
-    const child = spawn3("docker", ["inspect", "--format", "{{.State.Status}}", containerName], {
+    const child = spawn4("docker", ["inspect", "--format", "{{.State.Status}}", containerName], {
       stdio: ["ignore", "pipe", "pipe"]
     });
     let out = "";
@@ -2110,21 +2604,18 @@ function queueLogPath(id) {
 }
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa16 } from "execa";
+import { execa as execa17 } from "execa";
 import { readdir as readdir7, rm as rm6, stat as stat9 } from "fs/promises";
 import { join as join14 } from "path";
-import { execa as execa15 } from "execa";
+import { execa as execa16 } from "execa";
 import { join as join13 } from "path";
 import { homedir as homedir11 } from "os";
 import { join as join15 } from "path";
-import { execa as execa17 } from "execa";
-import { existsSync as existsSync3, mkdirSync, renameSync, statSync } from "fs";
-import { basename as basename5, dirname as dirname22, posix, resolve as resolve4 } from "path";
 import { execa as execa18 } from "execa";
 import { createHash as createHash32 } from "crypto";
 import { copyFile as copyFile2, mkdir as mkdir8, mkdtemp as mkdtemp4, readdir as readdir8, readFile as readFile9, rm as rm7, stat as stat10 } from "fs/promises";
 import { homedir as homedir12, tmpdir as tmpdir4 } from "os";
-import { basename as basename6, dirname as dirname32, join as join16 } from "path";
+import { basename as basename7, dirname as dirname4, join as join16 } from "path";
 import { execa as execa19 } from "execa";
 function isHostPathHookCommand(command, hostHome) {
   if (typeof command !== "string" || command.length === 0) return false;
@@ -2251,16 +2742,16 @@ function rewritePluginPaths(value, hostPluginsPrefix) {
   }
   return value;
 }
-function isPlainObject4(v) {
+function isPlainObject5(v) {
   return v !== null && typeof v === "object" && !Array.isArray(v);
 }
 function additiveMerge(hostRoot, boxRoot, hostPluginsPrefix, selectMap, withMap) {
   const hostMap = selectMap(hostRoot);
   const boxMap = selectMap(boxRoot);
-  if (!isPlainObject4(boxMap)) {
+  if (!isPlainObject5(boxMap)) {
     return { data: hostRoot, changed: false, addedKeys: [] };
   }
-  const base = isPlainObject4(hostMap) ? { ...hostMap } : {};
+  const base = isPlainObject5(hostMap) ? { ...hostMap } : {};
   const addedKeys = [];
   for (const [key, value] of Object.entries(boxMap)) {
     if (Object.prototype.hasOwnProperty.call(base, key)) continue;
@@ -2275,7 +2766,7 @@ function additiveMerge(hostRoot, boxRoot, hostPluginsPrefix, selectMap, withMap)
 function mergeKnownMarketplaces(hostJson, boxJson, opts) {
   const prefix = `${opts.hostHome}/.claude/plugins/`;
   return additiveMerge(
-    isPlainObject4(hostJson) ? hostJson : {},
+    isPlainObject5(hostJson) ? hostJson : {},
     boxJson,
     prefix,
     (root) => root,
@@ -2284,24 +2775,24 @@ function mergeKnownMarketplaces(hostJson, boxJson, opts) {
 }
 function mergeInstalledPlugins(hostJson, boxJson, opts) {
   const prefix = `${opts.hostHome}/.claude/plugins/`;
-  const hostRoot = isPlainObject4(hostJson) ? hostJson : { plugins: {} };
+  const hostRoot = isPlainObject5(hostJson) ? hostJson : { plugins: {} };
   return additiveMerge(
     hostRoot,
     boxJson,
     prefix,
-    (root) => isPlainObject4(root) ? root["plugins"] : void 0,
+    (root) => isPlainObject5(root) ? root["plugins"] : void 0,
     (host, merged) => ({ ...host, plugins: merged })
   );
 }
 function referencedPluginVersionKeys(installedPluginsJson) {
   const keys = /* @__PURE__ */ new Set();
-  if (!isPlainObject4(installedPluginsJson)) return keys;
+  if (!isPlainObject5(installedPluginsJson)) return keys;
   const plugins = installedPluginsJson["plugins"];
-  if (!isPlainObject4(plugins)) return keys;
+  if (!isPlainObject5(plugins)) return keys;
   for (const entries of Object.values(plugins)) {
     if (!Array.isArray(entries)) continue;
     for (const entry of entries) {
-      if (!isPlainObject4(entry)) continue;
+      if (!isPlainObject5(entry)) continue;
       const installPath = entry["installPath"];
       if (typeof installPath !== "string") continue;
       const segments = installPath.split("/").filter((s) => s.length > 0);
@@ -2483,48 +2974,181 @@ async function inspectContainer(name) {
   } catch {
     return null;
   }
-}
-async function inspectVolumeMountpoint(name) {
-  const result = await execa2("docker", ["volume", "inspect", "--format", "{{.Mountpoint}}", name], {
-    reject: false
-  });
-  if (result.exitCode !== 0) return null;
-  return (result.stdout ?? "").trim() || null;
-}
-var AGENTBOX_PREFIX = "agentbox-";
-async function listAgentboxContainers() {
-  const result = await execa2(
+}
+async function inspectVolumeMountpoint(name) {
+  const result = await execa2("docker", ["volume", "inspect", "--format", "{{.Mountpoint}}", name], {
+    reject: false
+  });
+  if (result.exitCode !== 0) return null;
+  return (result.stdout ?? "").trim() || null;
+}
+var AGENTBOX_PREFIX = "agentbox-";
+async function listAgentboxContainers() {
+  const result = await execa2(
+    "docker",
+    ["ps", "-a", "--filter", `name=^${AGENTBOX_PREFIX}`, "--format", "{{.Names}}"],
+    { reject: false }
+  );
+  if (result.exitCode !== 0) return [];
+  return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
+}
+async function publishedHostPort(container, containerPort) {
+  const result = await execa2("docker", ["port", container, `${String(containerPort)}/tcp`], {
+    reject: false
+  });
+  if (result.exitCode !== 0) return null;
+  const first = (result.stdout ?? "").split("\n")[0]?.trim();
+  if (!first) return null;
+  const m = /:(\d+)$/.exec(first);
+  return m ? Number(m[1]) : null;
+}
+async function listAgentboxVolumes() {
+  const result = await execa2(
+    "docker",
+    ["volume", "ls", "--filter", `name=^${AGENTBOX_PREFIX}`, "--format", "{{.Name}}"],
+    { reject: false }
+  );
+  if (result.exitCode !== 0) return [];
+  return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
+}
+function posixDirname(p) {
+  return posix.dirname(p) || "/";
+}
+function asText(s) {
+  if (s === void 0) return "";
+  if (typeof s === "string") return s;
+  return Buffer.from(s).toString("utf8");
+}
+function tarExcludeArgs(exclude) {
+  return (exclude ?? []).map((p) => `--exclude=${p}`);
+}
+async function streamTarPipe(producerFile, producerArgs, consumerFile, consumerArgs, producerEnv) {
+  const producer = execa22(producerFile, producerArgs, {
+    reject: false,
+    buffer: { stdout: false },
+    ...producerEnv ? { env: producerEnv } : {}
+  });
+  const consumer = execa22(consumerFile, consumerArgs, {
+    reject: false,
+    buffer: { stdout: false }
+  });
+  producer.stdout?.pipe(consumer.stdin);
+  const [p, c] = await Promise.all([producer, consumer]);
+  return [
+    { exitCode: p.exitCode, stderr: p.stderr },
+    { exitCode: c.exitCode, stderr: c.stderr }
+  ];
+}
+async function uploadToBox(box, hostSrc, boxDst, exclude) {
+  const srcAbs = resolve2(hostSrc);
+  if (!existsSync(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
+  const srcBasename = basename3(srcAbs);
+  const srcParent = dirname3(srcAbs);
+  let boxParent;
+  let finalName;
+  if (boxDst.endsWith("/")) {
+    boxParent = boxDst.replace(/\/+$/, "") || "/";
+    finalName = srcBasename;
+  } else {
+    const isDir2 = await execa22(
+      "docker",
+      ["exec", box.container, "test", "-d", boxDst],
+      { reject: false }
+    );
+    if (isDir2.exitCode === 0) {
+      boxParent = boxDst.replace(/\/+$/, "") || "/";
+      finalName = srcBasename;
+    } else {
+      boxParent = posixDirname(boxDst);
+      finalName = posix.basename(boxDst);
+    }
+  }
+  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
+  const mk = await execa22(
+    "docker",
+    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
+    { reject: false }
+  );
+  if (mk.exitCode !== 0) {
+    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
+  }
+  const [packed, extracted] = await streamTarPipe(
+    "tar",
+    ["-C", srcParent, "-cf", "-", ...tarExcludeArgs(exclude), srcBasename],
+    "docker",
+    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
+    { ...process.env, COPYFILE_DISABLE: "1" }
+  );
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  if (extracted.exitCode !== 0) {
+    throw new Error(`tar extract in box failed: ${asText(extracted.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
+    const mv = await execa22(
+      "docker",
+      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
+      { reject: false }
+    );
+    if (mv.exitCode !== 0) {
+      throw new Error(
+        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
+      );
+    }
+  }
+  const chown = await execa22(
     "docker",
-    ["ps", "-a", "--filter", `name=^${AGENTBOX_PREFIX}`, "--format", "{{.Names}}"],
+    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
     { reject: false }
   );
-  if (result.exitCode !== 0) return [];
-  return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
-}
-async function publishedHostPort(container, containerPort) {
-  const result = await execa2("docker", ["port", container, `${String(containerPort)}/tcp`], {
-    reject: false
-  });
-  if (result.exitCode !== 0) return null;
-  const first = (result.stdout ?? "").split("\n")[0]?.trim();
-  if (!first) return null;
-  const m = /:(\d+)$/.exec(first);
-  return m ? Number(m[1]) : null;
+  if (chown.exitCode !== 0) {
+    return {
+      finalPath,
+      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
+    };
+  }
+  return { finalPath };
 }
-async function listAgentboxVolumes() {
-  const result = await execa2(
+async function downloadFromBox(box, boxSrc, hostDst, exclude) {
+  const srcBasename = posix.basename(boxSrc);
+  const srcParent = posixDirname(boxSrc);
+  const dstAbs = resolve2(hostDst);
+  let hostParent;
+  let finalName;
+  const dstExists = existsSync(dstAbs);
+  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
+    hostParent = dstAbs;
+    finalName = srcBasename;
+  } else {
+    hostParent = dirname3(dstAbs);
+    finalName = basename3(dstAbs);
+  }
+  mkdirSync(hostParent, { recursive: true });
+  const finalPath = posix.join(hostParent, finalName);
+  const [packed, extracted] = await streamTarPipe(
     "docker",
-    ["volume", "ls", "--filter", `name=^${AGENTBOX_PREFIX}`, "--format", "{{.Name}}"],
-    { reject: false }
+    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", ...tarExcludeArgs(exclude), srcBasename],
+    "tar",
+    ["-xf", "-", "-C", hostParent]
   );
-  if (result.exitCode !== 0) return [];
-  return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  if (extracted.exitCode !== 0) {
+    throw new Error(`tar extract on host failed: ${asText(extracted.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    renameSync(posix.join(hostParent, srcBasename), finalPath);
+  }
+  return { finalPath };
 }
 var CONTAINER_EXPORT_MERGED = "/host-export";
 var cachedEngine = null;
 async function detectEngine() {
   if (cachedEngine !== null) return cachedEngine;
-  const result = await execa22("docker", ["info", "--format", "{{.OperatingSystem}}"], {
+  const result = await execa3("docker", ["info", "--format", "{{.OperatingSystem}}"], {
     reject: false
   });
   const os = (result.stdout ?? "").trim().toLowerCase();
@@ -2537,7 +3161,7 @@ function setEngineOverride(engine) {
   cachedEngine = engine;
 }
 async function getDockerContext() {
-  const result = await execa22("docker", ["context", "show"], { reject: false });
+  const result = await execa3("docker", ["context", "show"], { reject: false });
   if (result.exitCode !== 0) return void 0;
   const ctx = (result.stdout ?? "").trim();
   return ctx.length > 0 ? ctx : void 0;
@@ -2597,7 +3221,7 @@ async function refreshExport(record, opts = {}) {
     return { hostPath: paths.mergedExport, copied: true, usedFallback: false };
   }
   const excludes = excludeNodeModules ? ["--exclude=node_modules"] : [];
-  const result = await execa22(
+  const result = await execa3(
     "docker",
     ["exec", "--user", "root", record.container, "tar", "-cf", "-", ...excludes, "-C", "/workspace", "."],
     { reject: false, encoding: "buffer" }
@@ -2609,7 +3233,7 @@ async function refreshExport(record, opts = {}) {
       typeof result.stderr === "string" ? result.stderr : result.stderr.toString("utf8")
     );
   }
-  const extract = await execa22("tar", ["-xf", "-", "-C", paths.mergedExport], {
+  const extract = await execa3("tar", ["-xf", "-", "-C", paths.mergedExport], {
     input: result.stdout,
     reject: false
   });
@@ -2704,7 +3328,7 @@ function buildHostEnvFindArgs(patterns) {
 async function copyHostEnvFilesToBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const found = await execa22("find", buildHostEnvFindArgs(opts.patterns).slice(1), {
+  const found = await execa3("find", buildHostEnvFindArgs(opts.patterns).slice(1), {
     cwd: opts.workspaceDir,
     reject: false
   });
@@ -2714,7 +3338,7 @@ async function copyHostEnvFilesToBox(opts) {
   }
   const list = String(found.stdout).split("\0").filter((p) => p.length > 0);
   if (list.length === 0) return { copied: 0 };
-  const packed = await execa22("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
+  const packed = await execa3("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
     input: list.join("\0"),
     encoding: "buffer",
     reject: false
@@ -2723,7 +3347,7 @@ async function copyHostEnvFilesToBox(opts) {
     log(`warning: env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     return { copied: 0 };
   }
-  const extract = await execa22(
+  const extract = await execa3(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-xf", "-", "-C", "/workspace"],
     { input: packed.stdout, reject: false }
@@ -2736,7 +3360,7 @@ async function copyHostEnvFilesToBox(opts) {
 }
 async function scanHostEnvFiles(workspaceDir, patterns) {
   if (patterns.length === 0) return [];
-  const found = await execa22("find", buildHostEnvFindArgs(patterns).slice(1), {
+  const found = await execa3("find", buildHostEnvFindArgs(patterns).slice(1), {
     cwd: workspaceDir,
     reject: false
   });
@@ -2748,7 +3372,7 @@ async function copyHostFilesToBox(opts) {
   });
   const list = opts.files.map((p) => p.replace(/^\.\//, "")).filter((p) => p.length > 0);
   if (list.length === 0) return { copied: 0 };
-  const packed = await execa22("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
+  const packed = await execa3("tar", ["-C", opts.workspaceDir, "--null", "-T", "-", "-cf", "-"], {
     input: list.join("\0"),
     encoding: "buffer",
     reject: false
@@ -2757,7 +3381,7 @@ async function copyHostFilesToBox(opts) {
     log(`warning: env-file tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     return { copied: 0 };
   }
-  const extract = await execa22(
+  const extract = await execa3(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-xf", "-", "-C", "/workspace"],
     { input: packed.stdout, reject: false }
@@ -2831,7 +3455,7 @@ async function pullToHost(record, opts = {}) {
   }
   const src = `${scratchDir}/`;
   const dst = `${record.workspacePath}/`;
-  const dry = await execa22("rsync", [...baseArgs, "--dry-run", "-i", src, dst], {
+  const dry = await execa3("rsync", [...baseArgs, "--dry-run", "-i", src, dst], {
     reject: false,
     input: fileList !== null ? fileList : void 0
   });
@@ -2842,7 +3466,7 @@ async function pullToHost(record, opts = {}) {
   if (opts.dryRun) {
     return { hostPath: record.workspacePath, changes, applied: false, usedGitignore };
   }
-  const real = await execa22("rsync", [...baseArgs, src, dst], {
+  const real = await execa3("rsync", [...baseArgs, src, dst], {
     reject: false,
     input: fileList !== null ? fileList : void 0
   });
@@ -2867,7 +3491,7 @@ async function openInFinder(record, opts) {
     usedFallback = refreshed.usedFallback;
   }
   if (!opts.noOpen) {
-    const opened = await execa22(hostOpenCommand(), [hostPath], { reject: false });
+    const opened = await execa3(hostOpenCommand(), [hostPath], { reject: false });
     if (opened.exitCode !== 0) {
       throw new ExportError(`open ${hostPath} failed`, opened.stdout, opened.stderr);
     }
@@ -2890,12 +3514,14 @@ async function carrySourceHash(entry) {
     if (entry.kind === "file") {
       return createHash3("sha256").update(await readFile5(entry.absSrc)).digest("hex");
     }
+    const exclude = entry.exclude ?? [];
     const h = createHash3("sha256");
     const walk = async (dir, rel) => {
       const names = (await readdir4(dir)).sort();
       for (const name of names) {
-        const abs = join5(dir, name);
         const relPath = rel ? `${rel}/${name}` : name;
+        if (carryRelExcluded(relPath, exclude)) continue;
+        const abs = join5(dir, name);
         const st = await stat4(abs);
         if (st.isDirectory()) {
           h.update(`d\0${relPath}
@@ -2914,6 +3540,24 @@ async function carrySourceHash(entry) {
     return void 0;
   }
 }
+function carryRelExcluded(relPath, patterns) {
+  if (patterns.length === 0) return false;
+  const segs = relPath.split("/");
+  for (const p of patterns) {
+    const isGlob = p.includes("*") || p.includes("?");
+    if (!isGlob) {
+      if (segs.includes(p)) return true;
+    } else if (p.startsWith("*/") && !/[*?/]/.test(p.slice(2))) {
+      if (segs.includes(p.slice(2))) return true;
+    } else {
+      const re = new RegExp(
+        `^${p.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+      );
+      if (re.test(relPath)) return true;
+    }
+  }
+  return false;
+}
 async function copyCarryPathsToBox(opts) {
   const log = opts.onLog ?? (() => {
   });
@@ -2949,7 +3593,7 @@ async function copyOneEntry(container, entry) {
   const boxDest = entry.absDest.startsWith("~/") ? `${BOX_HOME}/${entry.absDest.slice(2)}` : entry.absDest;
   const boxDestParent = boxDest.endsWith("/") ? boxDest.slice(0, -1) : boxDest;
   const parentDir = entry.kind === "dir" ? boxDestParent : dirnameUnix(boxDestParent);
-  const mkdir9 = await execa22(
+  const mkdir9 = await execa3(
     "docker",
     ["exec", "--user", "0:0", container, "mkdir", "-p", parentDir],
     { reject: false }
@@ -2958,24 +3602,50 @@ async function copyOneEntry(container, entry) {
     throw new Error(`mkdir -p ${parentDir} failed: ${String(mkdir9.stderr).slice(0, 300)}`);
   }
   if (entry.kind === "file") {
-    const cp2 = await execa22(
-      "docker",
-      ["cp", entry.absSrc, `${container}:${boxDest}`],
-      { reject: false }
-    );
-    if (cp2.exitCode !== 0) {
-      throw new Error(`docker cp failed: ${String(cp2.stderr).slice(0, 300)}`);
-    }
-  } else {
-    const packed = await execa22(
+    const srcDir = dirname22(entry.absSrc);
+    const srcBase = basename2(entry.absSrc);
+    const destBase = boxDest.slice(boxDest.lastIndexOf("/") + 1);
+    const [packed, extract] = await streamTarPipe(
       "tar",
-      ["-C", entry.absSrc, "-cf", "-", "."],
-      { encoding: "buffer", reject: false }
+      ["-C", srcDir, "-cf", "-", srcBase],
+      "docker",
+      [
+        "exec",
+        "-i",
+        "--user",
+        "0:0",
+        container,
+        "tar",
+        "-xf",
+        "-",
+        "-C",
+        parentDir,
+        "--no-same-permissions",
+        "--no-same-owner",
+        "-m"
+      ]
     );
     if (packed.exitCode !== 0) {
       throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
     }
-    const extract = await execa22(
+    if (extract.exitCode !== 0) {
+      throw new Error(`tar extract failed: ${String(extract.stderr).slice(0, 300)}`);
+    }
+    if (srcBase !== destBase) {
+      const mv = await execa3(
+        "docker",
+        ["exec", "--user", "0:0", container, "mv", "-f", `${parentDir}/${srcBase}`, boxDest],
+        { reject: false }
+      );
+      if (mv.exitCode !== 0) {
+        throw new Error(`rename to ${boxDest} failed: ${String(mv.stderr).slice(0, 300)}`);
+      }
+    }
+  } else {
+    const excludeArgs = (entry.exclude ?? []).map((p) => `--exclude=${p}`);
+    const [packed, extract] = await streamTarPipe(
+      "tar",
+      ["-C", entry.absSrc, "-cf", "-", ...excludeArgs, "."],
       "docker",
       [
         "exec",
@@ -2991,16 +3661,18 @@ async function copyOneEntry(container, entry) {
         "--no-same-permissions",
         "--no-same-owner",
         "-m"
-      ],
-      { input: packed.stdout, reject: false }
+      ]
     );
+    if (packed.exitCode !== 0) {
+      throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
+    }
     if (extract.exitCode !== 0) {
       throw new Error(`tar extract failed: ${String(extract.stderr).slice(0, 300)}`);
     }
   }
   if (entry.mode !== void 0) {
     const modeStr = entry.mode.toString(8).padStart(4, "0");
-    const chmod2 = await execa22(
+    const chmod2 = await execa3(
       "docker",
       ["exec", "--user", "0:0", container, "chmod", "-R", modeStr, boxDest],
       { reject: false }
@@ -3010,7 +3682,7 @@ async function copyOneEntry(container, entry) {
     }
   }
   const uid = entry.user ?? 1e3;
-  const chown = await execa22(
+  const chown = await execa3(
     "docker",
     ["exec", "--user", "0:0", container, "chown", "-R", `${String(uid)}:${String(uid)}`, boxDest],
     { reject: false }
@@ -3021,7 +3693,7 @@ async function copyOneEntry(container, entry) {
   if (boxDest.startsWith(BOX_HOME + "/") && dirnameUnix(boxDest) !== BOX_HOME) {
     const safeDest = boxDest.replace(/'/g, `'\\''`);
     const script = `set -e; parent="$(dirname '${safeDest}')"; while [ "$parent" != "${BOX_HOME}" ] && [ "$parent" != "/" ]; do chown ${String(uid)}:${String(uid)} "$parent"; parent="$(dirname "$parent")"; done`;
-    const chownParents = await execa22(
+    const chownParents = await execa3(
       "docker",
       ["exec", "--user", "0:0", container, "bash", "-c", script],
       { reject: false }
@@ -3069,7 +3741,7 @@ async function extractVolumeAuthToBackup(opts) {
   try {
     await mkdir22(STATE_DIR, { recursive: true });
     const script = 'COPIED=no; if [ -s /dst/auth.json ]; then cp -a /dst/auth.json "/host-state/$DEST" && COPIED=yes; fi; echo "COPIED=$COPIED"';
-    const { stdout } = await execa3("docker", [
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3081,7 +3753,7 @@ async function extractVolumeAuthToBackup(opts) {
       "-e",
       // Pass the destination filename via env so the path isn't interpolated
       // into the script string (keeps the docker arg list static + injection-safe).
-      `DEST=${basename3(opts.backupFile)}`,
+      `DEST=${basename32(opts.backupFile)}`,
       opts.image,
       "sh",
       "-c",
@@ -3133,7 +3805,7 @@ echo "EXTRACTED=$EXTRACTED SEEDED=$SEEDED VOLREAL=$VOL_REAL"
 async function syncClaudeCredentials(spec, opts) {
   try {
     await mkdir22(STATE_DIR, { recursive: true });
-    const { stdout } = await execa3("docker", [
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3201,8 +3873,8 @@ function emptyResult(warnings = []) {
   }, warnings };
 }
 async function tarballFromDir(stageDir, agent) {
-  const tarballPath = join32(tmpdir(), `agentbox-${agent}-${basename2(stageDir)}.tar.gz`);
-  await execa4("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
+  const tarballPath = join32(tmpdir(), `agentbox-${agent}-${basename4(stageDir)}.tar.gz`);
+  await execa5("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
     env: { ...process.env, COPYFILE_DISABLE: "1" }
   });
   return tarballPath;
@@ -3347,7 +4019,7 @@ async function stageClaudeStaticForUpload(opts = {}) {
       ...CLAUDE_RUNTIME_EXCLUDES.map((p) => `--exclude=${p}`),
       ...broken.map((r) => `--exclude=/${r}`)
     ];
-    await execa4("rsync", [
+    await execa5("rsync", [
       "-a",
       "--copy-unsafe-links",
       ...excludes,
@@ -3436,7 +4108,7 @@ async function stageCodexStaticForUpload(opts = {}) {
   let tarballPath = null;
   try {
     const codexBroken = await findBrokenSymlinks(hostCodex);
-    await execa4("rsync", [
+    await execa5("rsync", [
       "-a",
       "-L",
       ...codexBroken.map((r) => `--exclude=/${r}`),
@@ -3492,7 +4164,7 @@ async function stageOpencodeStaticForUpload(opts = {}) {
   try {
     if (hasData) {
       const dataBroken = await findBrokenSymlinks(hostData);
-      await execa4("rsync", [
+      await execa5("rsync", [
         "-a",
         "-L",
         ...dataBroken.map((r) => `--exclude=/${r}`),
@@ -3505,7 +4177,7 @@ async function stageOpencodeStaticForUpload(opts = {}) {
     if (hasConfig) {
       const configStage = join32(stageDir, "config");
       const cfgBroken = await findBrokenSymlinks(hostConfig);
-      await execa4("rsync", [
+      await execa5("rsync", [
         "-a",
         "-L",
         ...cfgBroken.map((r) => `--exclude=/${r}`),
@@ -3563,7 +4235,7 @@ async function pathExists2(p) {
   }
 }
 async function volumeHasClaudeJson(volume, image) {
-  const res = await execa5(
+  const res = await execa6(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/_claude.json"],
     { reject: false }
@@ -3733,7 +4405,7 @@ async function ensureClaudeVolume(spec, opts) {
       // linux/amd64 node_modules on the next `agentbox claude`.
       `{ [ ! -f /dst/.agentbox-cleaned-nm-v1 ] && find /dst -name node_modules -type d -prune -exec rm -rf {} + && touch /dst/.agentbox-cleaned-nm-v1; true; } && rsync ${rsyncFlags} /src-claude/ /dst/ && { [ -f /src-claude-json ] && cp -a /src-claude-json /dst/_claude.json; true; } && { [ -f /src-filter/settings.json ] && cp -a /src-filter/settings.json /dst/settings.json; true; } && { [ -f /src-filter/_claude.json ] && cp -a /src-filter/_claude.json /dst/_claude.json; true; } && { [ -d /dst/plugins ] && [ -n "$HOST_HOME" ] && find /dst/plugins -maxdepth 1 -type f -name "*.json" -exec sed -i "s|$HOST_HOME/.claude/plugins/|/home/vscode/.claude/plugins/|g" {} +; true; }` + memoryRekeyStep + " && chown -R 1000:1000 /dst"
     );
-    await execa5("docker", args);
+    await execa6("docker", args);
   } finally {
     await rm2(filterDir, { recursive: true, force: true });
   }
@@ -3748,7 +4420,7 @@ async function ensureClaudeVolume(spec, opts) {
 }
 async function seedSetupSkillIntoVolume(volume, image) {
   try {
-    const { stdout } = await execa5("docker", [
+    const { stdout } = await execa6("docker", [
       "run",
       "--rm",
       "--user",
@@ -3913,7 +4585,7 @@ async function resolveClaudeCacheLiveOnHost(volume) {
   return orbstackVolumePath(volume, "plugins", "cache");
 }
 async function readBoxReferencedPluginKeys(container) {
-  const res = await execa5(
+  const res = await execa6(
     "docker",
     [
       "exec",
@@ -4031,7 +4703,7 @@ while IFS= read -r dir; do
 done < "$WORK/dirs"
 rm -rf "$WORK"
 `;
-  const result = await execa5(
+  const result = await execa6(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", script],
     { reject: false }
@@ -4078,21 +4750,21 @@ var ClaudeSessionError = class extends Error {
     this.name = "ClaudeSessionError";
   }
 };
-function shQuote(arg) {
+function shQuote2(arg) {
   if (arg.length === 0) return `''`;
   if (/^[A-Za-z0-9_\-./=:@%+,]+$/.test(arg)) return arg;
   return `'${arg.replace(/'/g, `'\\''`)}'`;
 }
 async function startClaudeSession(opts) {
   const sessionName = opts.sessionName ?? DEFAULT_CLAUDE_SESSION;
-  const cmd = ["claude", ...opts.claudeArgs].map(shQuote).join(" ");
+  const cmd = ["claude", ...opts.claudeArgs].map(shQuote2).join(" ");
   const term = process.env["TERM"] ?? "xterm-256color";
   const envFlags = ["-e", `TERM=${term}`];
   for (const k of FORWARDED_ENV_KEYS) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa5(
+  const result = await execa6(
     "docker",
     [
       "exec",
@@ -4183,7 +4855,7 @@ function buildDashboardAttachArgv(container, sessionName) {
 async function waitForTmuxPaneContent(container, sessionName, timeoutMs = 2e4) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
-    const res = await execa5(
+    const res = await execa6(
       "docker",
       ["exec", "--user", CONTAINER_USER, container, "tmux", "capture-pane", "-p", "-t", sessionName],
       { reject: false }
@@ -4251,7 +4923,7 @@ async function warmUpClaudeCredentials(volume, image, opts = {}) {
   const SLEEP_MS = 5e3;
   for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
     opts.onProgress?.(`checking credentials... ${attempt}/${MAX_ATTEMPTS}`);
-    const res = await execa5(
+    const res = await execa6(
       "docker",
       [
         "run",
@@ -4293,7 +4965,7 @@ function attachClaudeSession(container, sessionName, reattachRef) {
 }
 async function claudeSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_CLAUDE_SESSION;
-  const has = await execa5(
+  const has = await execa6(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4301,7 +4973,7 @@ async function claudeSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa5(
+  const ts = await execa6(
     "docker",
     [
       "exec",
@@ -4367,7 +5039,7 @@ async function pullClaudeExtras(spec, opts) {
     '  printf "\\n";',
     "done"
   ].join(" ");
-  const inv = await execa5(
+  const inv = await execa6(
     "docker",
     ["run", "--rm", "--user", "0", "-v", `${spec.volume}:/src:ro`, opts.image, "sh", "-c", inventoryScript],
     { reject: false }
@@ -4440,7 +5112,7 @@ async function pullClaudeExtras(spec, opts) {
       const parent = dest.slice(0, dest.lastIndexOf("/"));
       return `mkdir -p '${parent}' && rsync -a --ignore-existing --exclude=node_modules '${src}/' '${dest}/'`;
     });
-    const apply = await execa5(
+    const apply = await execa6(
       "docker",
       [
         "run",
@@ -4501,7 +5173,7 @@ async function pathExists3(p) {
     return false;
   }
 }
-function shQuote2(arg) {
+function shQuote22(arg) {
   if (arg.length === 0) return `''`;
   if (/^[A-Za-z0-9_\-./=:@%+,]+$/.test(arg)) return arg;
   return `'${arg.replace(/'/g, `'\\''`)}'`;
@@ -4513,7 +5185,7 @@ async function ensureCodexVolume(spec, opts) {
   const hostCodex = join52(homedir4(), ".codex");
   const willSync = opts.syncFromHost && await pathExists3(hostCodex);
   if (willSync) {
-    await execa6("docker", [
+    await execa7("docker", [
       "run",
       "--rm",
       "--user",
@@ -4531,7 +5203,7 @@ async function ensureCodexVolume(spec, opts) {
     ]);
     return { created, synced: true };
   }
-  await execa6(
+  await execa7(
     "docker",
     [
       "run",
@@ -4551,7 +5223,7 @@ async function ensureCodexVolume(spec, opts) {
 }
 async function seedCodexHooks(volume, image) {
   try {
-    const { stdout } = await execa6("docker", [
+    const { stdout } = await execa7("docker", [
       "run",
       "--rm",
       "--user",
@@ -4588,14 +5260,14 @@ var CodexSessionError = class extends Error {
   }
 };
 async function ensureCodexInstalled(container, opts = {}) {
-  const probe = await execa6(
+  const probe = await execa7(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", "command -v codex"],
     { reject: false }
   );
   if (probe.exitCode === 0) return { installed: false };
   opts.onProgress?.("installing codex (absent from this box image)");
-  const install = await execa6(
+  const install = await execa7(
     "docker",
     ["exec", "--user", "root", container, "bash", "-lc", "npm install -g @openai/codex 2>&1"],
     { reject: false }
@@ -4611,14 +5283,14 @@ ${(install.stdout ?? "").toString().slice(-600)}`
 var CODEX_AGENTBOX_FLAGS = ["--enable", "hooks", "--dangerously-bypass-hook-trust"];
 async function startCodexSession(opts) {
   const sessionName = opts.sessionName ?? DEFAULT_CODEX_SESSION;
-  const cmd = ["codex", ...CODEX_AGENTBOX_FLAGS, ...opts.codexArgs].map(shQuote2).join(" ");
+  const cmd = ["codex", ...CODEX_AGENTBOX_FLAGS, ...opts.codexArgs].map(shQuote22).join(" ");
   const term = process.env["TERM"] ?? "xterm-256color";
   const envFlags = ["-e", `TERM=${term}`];
   for (const k of CODEX_FORWARDED_ENV_KEYS) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa6(
+  const result = await execa7(
     "docker",
     [
       "exec",
@@ -4700,7 +5372,7 @@ function runInteractiveCodexLogin(dockerArgv) {
   return { exitCode: child.status ?? 1 };
 }
 async function volumeHasCodexAuth(volume, image) {
-  const res = await execa6(
+  const res = await execa7(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/auth.json"],
     { reject: false }
@@ -4709,7 +5381,7 @@ async function volumeHasCodexAuth(volume, image) {
 }
 async function codexSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_CODEX_SESSION;
-  const has = await execa6(
+  const has = await execa7(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -4717,7 +5389,7 @@ async function codexSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa6(
+  const ts = await execa7(
     "docker",
     [
       "exec",
@@ -4743,7 +5415,7 @@ async function codexSessionInfo(container, sessionName) {
 var CODEX_PULL_ITEMS = ["config.toml", "auth.json", "prompts"];
 async function pullCodexConfig(spec, opts) {
   const hostCodex = join52(homedir4(), ".codex");
-  const inv = await execa6(
+  const inv = await execa7(
     "docker",
     [
       "run",
@@ -4777,7 +5449,7 @@ async function pullCodexConfig(spec, opts) {
   const uid = process.getuid?.() ?? 0;
   const gid = process.getgid?.() ?? 0;
   const cmds = newItems.map((it) => `cp -a '/src/${it}' '/dst/${it}'`);
-  const apply = await execa6(
+  const apply = await execa7(
     "docker",
     [
       "run",
@@ -4859,10 +5531,10 @@ async function ensureOpencodeVolume(spec, opts) {
     }
     steps.push("chown -R 1000:1000 /dst");
     args.push(opts.image, "sh", "-c", steps.join(" && "));
-    await execa7("docker", args);
+    await execa8("docker", args);
     return { created, synced: true };
   }
-  await execa7(
+  await execa8(
     "docker",
     [
       "run",
@@ -4882,7 +5554,7 @@ async function ensureOpencodeVolume(spec, opts) {
 }
 async function seedOpencodePlugin(volume, image) {
   try {
-    const { stdout } = await execa7("docker", [
+    const { stdout } = await execa8("docker", [
       "run",
       "--rm",
       "--user",
@@ -4930,14 +5602,14 @@ var OpencodeSessionError = class extends Error {
   }
 };
 async function ensureOpencodeInstalled(container, opts = {}) {
-  const probe = await execa7(
+  const probe = await execa8(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "sh", "-c", "command -v opencode"],
     { reject: false }
   );
   if (probe.exitCode === 0) return { installed: false };
   opts.onProgress?.("installing opencode (absent from this box image)");
-  const install = await execa7(
+  const install = await execa8(
     "docker",
     ["exec", "--user", "root", container, "bash", "-lc", "npm install -g opencode-ai 2>&1"],
     { reject: false }
@@ -4959,7 +5631,7 @@ async function startOpencodeSession(opts) {
     const v = process.env[k];
     if (typeof v === "string" && v.length > 0) envFlags.push("-e", `${k}=${v}`);
   }
-  const result = await execa7(
+  const result = await execa8(
     "docker",
     [
       "exec",
@@ -5045,7 +5717,7 @@ function runInteractiveOpencodeLogin(dockerArgv) {
   return { exitCode: child.status ?? 1 };
 }
 async function volumeHasOpencodeAuth(volume, image) {
-  const res = await execa7(
+  const res = await execa8(
     "docker",
     ["run", "--rm", "-v", `${volume}:/dst`, image, "sh", "-c", "test -e /dst/auth.json"],
     { reject: false }
@@ -5054,7 +5726,7 @@ async function volumeHasOpencodeAuth(volume, image) {
 }
 async function opencodeSessionInfo(container, sessionName) {
   const name = sessionName ?? DEFAULT_OPENCODE_SESSION;
-  const has = await execa7(
+  const has = await execa8(
     "docker",
     ["exec", "--user", CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -5062,7 +5734,7 @@ async function opencodeSessionInfo(container, sessionName) {
   if (has.exitCode !== 0) {
     return { running: false, sessionName: name, startedAt: null };
   }
-  const ts = await execa7(
+  const ts = await execa8(
     "docker",
     [
       "exec",
@@ -5100,7 +5772,7 @@ var OPENCODE_PULL_CONFIG_ITEMS = [
 async function pullOpencodeConfig(spec, opts) {
   const hostData = join6(homedir5(), ".local", "share", "opencode");
   const hostConfig = join6(homedir5(), ".config", "opencode");
-  const inv = await execa7(
+  const inv = await execa8(
     "docker",
     [
       "run",
@@ -5142,7 +5814,7 @@ async function pullOpencodeConfig(spec, opts) {
   const cmds = newItems.map(
     (i) => `cp -a '${i.src}' '${i.hostDst === "data" ? "/dst-data" : "/dst-config"}/${i.name}'`
   );
-  const apply = await execa7(
+  const apply = await execa8(
     "docker",
     [
       "run",
@@ -5219,7 +5891,7 @@ async function launchVncDaemon(container, timeoutMs = 5e3) {
 }
 var VNC_PASSWORD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 function generateVncPassword() {
-  const bytes = randomBytes3(8);
+  const bytes = randomBytes2(8);
   let out = "";
   for (let i = 0; i < 8; i++) {
     out += VNC_PASSWORD_ALPHABET[bytes[i] % VNC_PASSWORD_ALPHABET.length];
@@ -5253,9 +5925,9 @@ function gitWorktreePathFor(branch) {
   return `${WORKTREE_ROOT}/${fsSafeBranch(branch)}`;
 }
 async function collectRepoCarryOver(repo, branch, containerPath, gitWorktreePath) {
-  const stash = await execa8("git", ["-C", repo.hostMainRepo, "stash", "create"], { reject: false });
+  const stash = await execa9("git", ["-C", repo.hostMainRepo, "stash", "create"], { reject: false });
   const stashSha = stash.exitCode === 0 ? stash.stdout.trim() || null : null;
-  const untracked = await execa8(
+  const untracked = await execa9(
     "git",
     ["-C", repo.hostMainRepo, "ls-files", "--others", "--exclude-standard", "-z"],
     { reject: false }
@@ -5272,7 +5944,7 @@ async function collectRepoCarryOver(repo, branch, containerPath, gitWorktreePath
   };
 }
 async function dexec(container, argv, user = "vscode", cwd = "/") {
-  const r = await execa8(
+  const r = await execa9(
     "docker",
     ["exec", "-w", cwd, "--user", user, container, ...argv],
     { reject: false }
@@ -5304,7 +5976,7 @@ async function bindWorktrees(container, binds, onLog) {
     (a, b) => a.kind === "root" && b.kind !== "root" ? -1 : a.kind !== "root" && b.kind === "root" ? 1 : 0
   );
   for (const b of ordered) {
-    await execa8(
+    await execa9(
       "docker",
       ["exec", "-w", "/", "--user", "root", container, "sh", "-c", `mountpoint -q ${b.containerPath} && umount ${b.containerPath} || true`],
       { reject: false }
@@ -5326,7 +5998,7 @@ async function seedWorkspace(opts) {
     const wt = r.gitWorktreePath;
     const baseRef = r.repo.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
     const addArgs = r.reuseBranch ? ["worktree", "add", wt, r.branch] : ["worktree", "add", "-b", r.branch, wt, baseRef];
-    const add = await execa8(
+    const add = await execa9(
       "docker",
       ["exec", "--user", "vscode", opts.container, "git", "-C", main, ...addArgs],
       { reject: false }
@@ -5337,7 +6009,7 @@ async function seedWorkspace(opts) {
       );
     }
     log(`worktree ${wt} on branch ${r.branch} (host main ${main})`);
-    await execa8(
+    await execa9(
       "docker",
       [
         "exec",
@@ -5353,7 +6025,7 @@ async function seedWorkspace(opts) {
       ],
       { reject: false }
     );
-    await execa8(
+    await execa9(
       "docker",
       [
         "exec",
@@ -5383,7 +6055,7 @@ async function seedWorkspace(opts) {
   for (const r of opts.repos) {
     const ct = r.containerPath;
     if (r.stashSha) {
-      const withIndex = await execa8(
+      const withIndex = await execa9(
         "docker",
         [
           "exec",
@@ -5401,7 +6073,7 @@ async function seedWorkspace(opts) {
         { reject: false }
       );
       if (withIndex.exitCode !== 0) {
-        const noIndex = await execa8(
+        const noIndex = await execa9(
           "docker",
           [
             "exec",
@@ -5429,7 +6101,7 @@ async function seedWorkspace(opts) {
       }
     }
     if (r.untrackedNul.length > 0) {
-      const tarOut = await execa8("tar", ["-C", r.hostSource, "--null", "-T", "-", "-cf", "-"], {
+      const tarOut = await execa9("tar", ["-C", r.hostSource, "--null", "-T", "-", "-cf", "-"], {
         input: r.untrackedNul.replace(/\0$/, ""),
         encoding: "buffer",
         reject: false
@@ -5438,7 +6110,7 @@ async function seedWorkspace(opts) {
         log(`warning: tar of untracked files for ${r.repo.hostMainRepo} failed: ${tarOut.stderr}`);
         continue;
       }
-      const tarIn = await execa8(
+      const tarIn = await execa9(
         "docker",
         ["exec", "-i", "--user", "vscode", opts.container, "tar", "-C", ct, "-xf", "-"],
         { input: tarOut.stdout, reject: false }
@@ -5491,7 +6163,7 @@ async function regenerateRestoredWorktrees(opts) {
   for (const p of opts.plans) {
     const baseRef = p.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
     const metaDir = `${p.hostMainRepo}/.git/worktrees/${fsSafeBranch(p.freshBranch)}`;
-    const r = await execa8(
+    const r = await execa9(
       "docker",
       [
         "exec",
@@ -5524,14 +6196,14 @@ async function regenerateRestoredWorktrees(opts) {
 async function seedWorkspaceFromDir(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const tarOut = await execa8("tar", ["-C", opts.hostSource, "-cf", "-", "."], {
+  const tarOut = await execa9("tar", ["-C", opts.hostSource, "-cf", "-", "."], {
     encoding: "buffer",
     reject: false
   });
   if (tarOut.exitCode !== 0) {
     throw new GitWorktreeError(`tar of ${opts.hostSource} failed: ${tarOut.stderr}`);
   }
-  const tarIn = await execa8(
+  const tarIn = await execa9(
     "docker",
     ["exec", "-i", "--user", "1000:1000", opts.container, "tar", "-C", "/workspace", "-xf", "-"],
     { input: tarOut.stdout, reject: false }
@@ -5542,13 +6214,13 @@ async function seedWorkspaceFromDir(opts) {
   log(`seeded /workspace from ${opts.hostSource}`);
 }
 async function removeInBoxWorktree(args) {
-  const remove = await execa8(
+  const remove = await execa9(
     "git",
     ["-C", args.hostMainRepo, "worktree", "remove", "--force", args.gitWorktreePath],
     { reject: false }
   );
   if (remove.exitCode === 0) return;
-  await execa8("git", ["-C", args.hostMainRepo, "worktree", "prune"], { reject: false });
+  await execa9("git", ["-C", args.hostMainRepo, "worktree", "prune"], { reject: false });
 }
 function ctParent(p) {
   const i = p.lastIndexOf("/");
@@ -5579,20 +6251,20 @@ async function resyncWorkspaceFromHost(opts) {
     const hostMain = w.hostMainRepo;
     const boxBranch = w.branch;
     const res = { containerPath: ct, mergeConflicts: [], overlaySkipped: [] };
-    const hostBranchProbe = await execa8(
+    const hostBranchProbe = await execa9(
       "git",
       ["-C", hostMain, "symbolic-ref", "--short", "-q", "HEAD"],
       { reject: false }
     );
-    const hostRef = hostBranchProbe.exitCode === 0 && hostBranchProbe.stdout.trim() ? hostBranchProbe.stdout.trim() : (await execa8("git", ["-C", hostMain, "rev-parse", "HEAD"], { reject: false })).stdout.trim();
+    const hostRef = hostBranchProbe.exitCode === 0 && hostBranchProbe.stdout.trim() ? hostBranchProbe.stdout.trim() : (await execa9("git", ["-C", hostMain, "rev-parse", "HEAD"], { reject: false })).stdout.trim();
     if (!hostRef) {
       log(`resync: ${ct}: could not resolve host ref; skipping`);
       results.push(res);
       continue;
     }
-    const stash = await execa8("git", ["-C", hostMain, "stash", "create"], { reject: false });
+    const stash = await execa9("git", ["-C", hostMain, "stash", "create"], { reject: false });
     const hostStashSha = stash.exitCode === 0 ? stash.stdout.trim() || null : null;
-    const untracked = await execa8(
+    const untracked = await execa9(
       "git",
       ["-C", hostMain, "ls-files", "--others", "--exclude-standard", "-z"],
       { reject: false }
@@ -5662,7 +6334,7 @@ async function resyncWorkspaceFromHost(opts) {
       }
     }
     if (hostUntracked.length > 0) {
-      const probe = await execa8(
+      const probe = await execa9(
         "docker",
         [
           "exec",
@@ -5709,13 +6381,13 @@ async function resyncWorkspaceFromHost(opts) {
         log(`resync: ${ct}: ${String(identical)} untracked host file(s) already identical in box (no-op)`);
       }
       if (toCopy.length > 0) {
-        const tarOut = await execa8("tar", ["-C", hostMain, "--null", "-T", "-", "-cf", "-"], {
+        const tarOut = await execa9("tar", ["-C", hostMain, "--null", "-T", "-", "-cf", "-"], {
           input: toCopy.join("\0"),
           encoding: "buffer",
           reject: false
         });
         if (tarOut.exitCode === 0) {
-          await execa8(
+          await execa9(
             "docker",
             ["exec", "-i", "--user", "vscode", opts.container, "tar", "-C", ct, "-xf", "-"],
             { input: tarOut.stdout, reject: false }
@@ -5738,7 +6410,7 @@ var cached = null;
 async function detectPortless() {
   if (cached !== null) return cached;
   try {
-    const ver = await execa9(PORTLESS_BIN, SUB_VERSION, { reject: false });
+    const ver = await execa10(PORTLESS_BIN, SUB_VERSION, { reject: false });
     if (ver.exitCode !== 0) {
       cached = { installed: false, proxyRunning: false };
       return cached;
@@ -5758,7 +6430,7 @@ function resetPortlessCache() {
 }
 async function portlessAlias(name, port) {
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_ALIAS, name, String(port)], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_ALIAS, name, String(port)], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5766,7 +6438,7 @@ async function portlessAlias(name, port) {
 }
 async function portlessUnalias(name) {
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_ALIAS, SUB_ALIAS_REMOVE, name], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_ALIAS, SUB_ALIAS_REMOVE, name], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5775,7 +6447,7 @@ async function portlessUnalias(name) {
 async function portlessGetUrl(name) {
   const fallback = `https://${name}.localhost`;
   try {
-    const r = await execa9(PORTLESS_BIN, [SUB_GET, name], { reject: false });
+    const r = await execa10(PORTLESS_BIN, [SUB_GET, name], { reject: false });
     const out = (r.stdout ?? "").trim();
     if (r.exitCode === 0 && /^https?:\/\//.test(out)) return out;
   } catch {
@@ -5796,7 +6468,7 @@ function portlessBrowserEnv(boxName, opts) {
 }
 async function installPortless() {
   try {
-    const r = await execa9("npm", ["install", "-g", "portless"], { reject: false });
+    const r = await execa10("npm", ["install", "-g", "portless"], { reject: false });
     return r.exitCode === 0;
   } catch {
     return false;
@@ -5804,7 +6476,7 @@ async function installPortless() {
 }
 async function startPortlessProxy() {
   try {
-    const r = await execa9(
+    const r = await execa10(
       PORTLESS_BIN,
       ["proxy", "start", "--no-tls", "-p", String(PORTLESS_PROXY_PORT)],
       { reject: false }
@@ -5851,14 +6523,14 @@ async function resolvePortlessHostStateDir(override) {
   const live = await findLivePortlessStateDir();
   if (live) return live;
   const home = join8(homedir6(), ".portless");
-  if (existsSync(home)) return home;
-  if (existsSync("/tmp/portless")) return "/tmp/portless";
+  if (existsSync2(home)) return home;
+  if (existsSync2("/tmp/portless")) return "/tmp/portless";
   return home;
 }
 async function isProxyRunning() {
   if (await findLivePortlessStateDir() !== null) return true;
   try {
-    const r = await execa9("pgrep", ["-f", "portless proxy"], { reject: false });
+    const r = await execa10("pgrep", ["-f", "portless proxy"], { reject: false });
     return r.exitCode === 0 && (r.stdout ?? "").trim().length > 0;
   } catch {
     return false;
@@ -5909,12 +6581,12 @@ async function findExcludedDirs(root, excluded = EXCLUDE_DIRS) {
   return matches;
 }
 async function createSnapshot(opts) {
-  const source = resolve2(opts.source);
-  const destination = resolve2(opts.destination);
+  const source = resolve22(opts.source);
+  const destination = resolve22(opts.destination);
   const excluded = opts.excluded ?? EXCLUDE_DIRS;
   await mkdir42(SNAPSHOTS_ROOT, { recursive: true });
   const cpArgs = platform() === "darwin" ? ["-cR"] : ["-R"];
-  await execa10("cp", [...cpArgs, `${source}/`, destination]);
+  await execa11("cp", [...cpArgs, `${source}/`, destination]);
   const toPrune = await findExcludedDirs(destination, excluded);
   await Promise.all(toPrune.map((p) => rm32(p, { recursive: true, force: true })));
   return { destination, prunedPaths: toPrune };
@@ -5922,7 +6594,7 @@ async function createSnapshot(opts) {
 var CHECKPOINTS_ROOT = join10(homedir8(), ".agentbox", "checkpoints");
 var CHECKPOINT_IMAGE_PREFIX = "agentbox-ckpt-";
 function checkpointImageTag(projectRoot, name) {
-  const mnemonic = sanitizeMnemonic(basename32(projectRoot));
+  const mnemonic = sanitizeMnemonic(basename5(projectRoot));
   return `${CHECKPOINT_IMAGE_PREFIX}${hashProjectPath(projectRoot)}_${mnemonic}:${name}`;
 }
 function projectCheckpointsDir(projectRoot) {
@@ -6039,7 +6711,7 @@ async function runCleanup(container, log) {
   }
 }
 async function inspectImageConfig(imageRef) {
-  const r = await execa11("docker", ["image", "inspect", imageRef], { reject: false });
+  const r = await execa12("docker", ["image", "inspect", imageRef], { reject: false });
   if (r.exitCode !== 0) {
     throw new CheckpointError(`docker image inspect ${imageRef} failed`, r.stdout, r.stderr);
   }
@@ -6115,14 +6787,14 @@ async function createCheckpoint(opts) {
   await runCleanup(box.container, log);
   if (type === "layered") {
     log(`docker commit ${box.container} -> ${tag} (layered)`);
-    const r = await execa11("docker", ["commit", box.container, tag], { reject: false });
+    const r = await execa12("docker", ["commit", box.container, tag], { reject: false });
     if (r.exitCode !== 0) {
       throw new CheckpointError(`docker commit failed for ${box.container}`, r.stdout, r.stderr);
     }
   } else {
     log(`docker commit ${box.container} -> <intermediate> (flattened path)`);
     const intermediate = `${tag}-intermediate`;
-    const commit = await execa11("docker", ["commit", box.container, intermediate], {
+    const commit = await execa12("docker", ["commit", box.container, intermediate], {
       reject: false
     });
     if (commit.exitCode !== 0) {
@@ -6167,7 +6839,7 @@ async function createCheckpoint(opts) {
 }
 async function flattenImage(sourceTag, destTag, log) {
   const tmpName = `agentbox-flatten-${Date.now().toString(36)}`;
-  const create = await execa11(
+  const create = await execa12(
     "docker",
     ["create", "--name", tmpName, sourceTag, "sleep", "0"],
     { reject: false }
@@ -6179,7 +6851,7 @@ async function flattenImage(sourceTag, destTag, log) {
   try {
     const rootfsPath = join10(scratch, "rootfs.tar");
     log(`exporting rootfs of ${sourceTag} to ${rootfsPath}`);
-    const exp = await execa11("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
+    const exp = await execa12("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
     if (exp.exitCode !== 0) {
       throw new CheckpointError(`docker export failed`, exp.stdout, exp.stderr);
     }
@@ -6192,7 +6864,7 @@ async function flattenImage(sourceTag, destTag, log) {
     ];
     await writeFile32(join10(scratch, "Dockerfile"), lines.join("\n") + "\n", "utf8");
     log(`building flattened ${destTag} from rootfs.tar (FROM scratch)`);
-    const build = await execa11(
+    const build = await execa12(
       "docker",
       ["build", "-t", destTag, "-f", join10(scratch, "Dockerfile"), scratch],
       { reject: false }
@@ -6201,7 +6873,7 @@ async function flattenImage(sourceTag, destTag, log) {
       throw new CheckpointError(`flatten docker build failed`, build.stdout, build.stderr);
     }
   } finally {
-    await execa11("docker", ["rm", "-f", tmpName], { reject: false });
+    await execa12("docker", ["rm", "-f", tmpName], { reject: false });
     await rm4(scratch, { recursive: true, force: true });
   }
 }
@@ -6245,7 +6917,7 @@ async function pathExists5(p) {
 }
 async function writeBoxEnvFile(container, env) {
   const body = formatBoxEnvBody(env);
-  const result = await execa12(
+  const result = await execa13(
     "docker",
     ["exec", "--user", "root", "-i", container, "sh", "-c", "umask 022 && cat > /etc/agentbox/box.env"],
     { input: body, reject: false }
@@ -6269,7 +6941,7 @@ function shellSingleQuote(s) {
   return `'${s.replace(/'/g, `'\\''`)}'`;
 }
 async function ensureHomeOwnedByVscode(container) {
-  await execa13(
+  await execa14(
     "docker",
     [
       "exec",
@@ -6418,16 +7090,16 @@ async function spawnRelay(relayBin, cliEntry, log) {
 }
 function resolveRelayBin() {
   const override = process.env.AGENTBOX_RELAY_BIN;
-  if (override && existsSync2(override)) return override;
-  const here = dirname3(fileURLToPath(import.meta.url));
+  if (override && existsSync3(override)) return override;
+  const here = dirname32(fileURLToPath(import.meta.url));
   const candidates = [
-    resolve22(here, "..", "runtime", "relay", "bin.cjs"),
-    resolve22(here, "..", "..", "relay", "dist", "bin.cjs"),
-    resolve22(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
-    resolve22(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
+    resolve3(here, "..", "runtime", "relay", "bin.cjs"),
+    resolve3(here, "..", "..", "relay", "dist", "bin.cjs"),
+    resolve3(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
+    resolve3(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
   ];
   for (const c of candidates) {
-    if (existsSync2(c)) return c;
+    if (existsSync3(c)) return c;
   }
   throw new Error(
     `could not locate @agentbox/relay bin; tried:
@@ -6436,29 +7108,29 @@ function resolveRelayBin() {
 }
 function resolveCliEntry() {
   const override = process.env.AGENTBOX_CLI_ENTRY;
-  if (override && existsSync2(override)) return override;
-  const here = dirname3(fileURLToPath(import.meta.url));
+  if (override && existsSync3(override)) return override;
+  const here = dirname32(fileURLToPath(import.meta.url));
   const candidates = [
     // Bundled CLI (dev + published): this module IS bundled into the CLI
     // entry, so the entry is index.js next to this file.
-    resolve22(here, "index.js"),
-    resolve22(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
-    resolve22(here, "..", "..", "..", "..", "dist", "index.js")
+    resolve3(here, "index.js"),
+    resolve3(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
+    resolve3(here, "..", "..", "..", "..", "dist", "index.js")
   ];
   for (const c of candidates) {
-    if (existsSync2(c)) return c;
+    if (existsSync3(c)) return c;
   }
   return null;
 }
 async function stageRelayHome(version, log) {
   if (!version || version === "0.0.0-dev") return null;
   if (process.env.AGENTBOX_RELAY_BIN || process.env.AGENTBOX_CLI_ENTRY) return null;
-  const cliRoot = findCliRoot(dirname3(fileURLToPath(import.meta.url)));
+  const cliRoot = findCliRoot(dirname32(fileURLToPath(import.meta.url)));
   if (cliRoot === null) return null;
   const homeDir = join11(RELAY_HOME_DIR, version);
   const stagedEntry = join11(homeDir, "dist", "index.js");
   const stagedBin = join11(homeDir, "runtime", "relay", "bin.cjs");
-  if (existsSync2(stagedEntry) && existsSync2(stagedBin)) {
+  if (existsSync3(stagedEntry) && existsSync3(stagedBin)) {
     return { relayBin: stagedBin, cliEntry: stagedEntry };
   }
   const nodeModules = resolveDepRoot(join11(cliRoot, "dist", "index.js"));
@@ -6470,7 +7142,7 @@ async function stageRelayHome(version, log) {
     await mkdir6(tmpDir, { recursive: true });
     for (const sub of ["dist", "runtime", "share"]) {
       const src = join11(cliRoot, sub);
-      if (existsSync2(src)) await cp(src, join11(tmpDir, sub), { recursive: true });
+      if (existsSync3(src)) await cp(src, join11(tmpDir, sub), { recursive: true });
     }
     await cp(nodeModules, join11(tmpDir, "node_modules"), { recursive: true, dereference: true });
     await rm5(homeDir, { recursive: true, force: true });
@@ -6478,7 +7150,7 @@ async function stageRelayHome(version, log) {
   } catch (err) {
     await rm5(tmpDir, { recursive: true, force: true }).catch(() => {
     });
-    if (existsSync2(stagedEntry) && existsSync2(stagedBin)) {
+    if (existsSync3(stagedEntry) && existsSync3(stagedBin)) {
       return { relayBin: stagedBin, cliEntry: stagedEntry };
     }
     log(`relay home staging failed (${err instanceof Error ? err.message : String(err)}); using bundle paths`);
@@ -6490,8 +7162,8 @@ async function stageRelayHome(version, log) {
   return { relayBin: stagedBin, cliEntry: stagedEntry };
 }
 function findCliRoot(moduleDir) {
-  for (const root of [resolve22(moduleDir, ".."), resolve22(moduleDir, "..", "..")]) {
-    if (existsSync2(join11(root, "dist", "index.js")) && existsSync2(join11(root, "runtime", "relay", "bin.cjs"))) {
+  for (const root of [resolve3(moduleDir, ".."), resolve3(moduleDir, "..", "..")]) {
+    if (existsSync3(join11(root, "dist", "index.js")) && existsSync3(join11(root, "runtime", "relay", "bin.cjs"))) {
       return root;
     }
   }
@@ -6506,7 +7178,7 @@ function resolveDepRoot(fromFile) {
     const idx = main.lastIndexOf(marker);
     if (idx === -1) return null;
     const nm = main.slice(0, idx + marker.length - 1);
-    return existsSync2(join11(nm, "commander")) ? nm : null;
+    return existsSync3(join11(nm, "commander")) ? nm : null;
   } catch {
     return null;
   }
@@ -6667,7 +7339,8 @@ async function registerBoxWithRelay(args) {
     worktrees,
     previewUrl: args.previewUrl,
     previewToken: args.previewToken,
-    bridgeToken: args.bridgeToken
+    bridgeToken: args.bridgeToken,
+    autoApproveHostActions: args.autoApproveHostActions
   });
 }
 async function forgetBoxFromRelay(boxId) {
@@ -6808,7 +7481,8 @@ async function rehydrateRelayRegistry(boxes) {
         worktrees: b.gitWorktrees,
         previewUrl: b.relayPreviewUrl,
         previewToken: b.relayPreviewToken,
-        bridgeToken: b.bridgeToken
+        bridgeToken: b.bridgeToken,
+        autoApproveHostActions: b.autoApproveHostActions
       });
     } catch {
     }
@@ -6959,7 +7633,7 @@ function persistableLimits(lim) {
   return Object.keys(out).length > 0 ? out : void 0;
 }
 function sanitizeBasename(workspacePath) {
-  const raw = basename4(resolve3(workspacePath));
+  const raw = basename6(resolve4(workspacePath));
   return raw.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^[-._]+|[-._]+$/g, "").slice(0, 30).replace(/[-._]+$/, "");
 }
 function defaultBoxName(workspacePath, id) {
@@ -6990,7 +7664,7 @@ async function buildIdentityMounts() {
 async function createBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const workspace = resolve3(opts.workspacePath);
+  const workspace = resolve4(opts.workspacePath);
   if (!await pathExists6(workspace)) {
     throw new Error(`workspace does not exist: ${workspace}`);
   }
@@ -7283,6 +7957,7 @@ async function createBox(opts) {
     }
   }
   for (const v of extraVolumes) log(`mounting agent dir: ${v}`);
+  const autoApproveHostActions = (await loadEffectiveConfig(opts.projectRoot ?? workspace)).effective.box.autoApproveHostActions;
   const relayToken = generateRelayToken();
   if (relayUp) {
     try {
@@ -7293,7 +7968,8 @@ async function createBox(opts) {
         containerName,
         createdAt,
         projectIndex,
-        worktrees: gitWorktreeRecords
+        worktrees: gitWorktreeRecords,
+        autoApproveHostActions
       });
       log(`registered box token with relay`);
     } catch (err) {
@@ -7359,6 +8035,7 @@ async function createBox(opts) {
     gitWorktrees: gitWorktreeRecords.length > 0 ? gitWorktreeRecords : void 0,
     withPlaywright: opts.withPlaywright ? true : void 0,
     withEnv: opts.withEnv ? true : void 0,
+    autoApproveHostActions: autoApproveHostActions ? true : void 0,
     vncEnabled: vncEnabled ? true : void 0,
     vncContainerPort: vncEnabled ? VNC_CONTAINER_PORT : void 0,
     vncPassword,
@@ -7416,7 +8093,7 @@ async function createBox(opts) {
       } catch (err) {
         if (opts.useBranch !== void 0) {
           log(`seedWorkspace failed for --use-branch ${opts.useBranch}; cleaning up the box`);
-          await execa14("docker", ["rm", "-f", containerName], { reject: false });
+          await execa15("docker", ["rm", "-f", containerName], { reject: false });
           await removeBoxRecord(id);
           for (const w of gitWorktreeRecords) {
             await removeInBoxWorktree({
@@ -7479,7 +8156,7 @@ async function createBox(opts) {
   else log(`agentbox-ctl daemon did not become reachable: ${ctl.reason}`);
   if (opts.withPlaywright) {
     log("installing @playwright/cli@latest (--with-playwright)");
-    const result = await execa14(
+    const result = await execa15(
       "docker",
       [
         "exec",
@@ -7527,9 +8204,14 @@ async function createBox(opts) {
   let carrySummary;
   if (opts.carry && opts.carry.length > 0) {
     log(`carry: copying ${String(opts.carry.length)} host path(s) into the box`);
+    const entries = await renderCarryEntries(
+      opts.carry,
+      { name, id, kind: "docker", hostWorkspace: workspace, projectRoot: opts.projectRoot },
+      log
+    );
     const result = await copyCarryPathsToBox({
       container: containerName,
-      entries: opts.carry,
+      entries,
       onLog: log
     });
     log(`carry: copied ${String(result.copied)}/${String(opts.carry.length)} entry/entries`);
@@ -7653,7 +8335,7 @@ function parseShellSessionList(stdout) {
   return out;
 }
 async function listShellSessions(container, user) {
-  const res = await execa15(
+  const res = await execa16(
     "docker",
     [
       "exec",
@@ -7677,7 +8359,7 @@ async function startShellSession(opts) {
   const login = opts.login !== false;
   const term = process.env["TERM"] ?? "xterm-256color";
   const cmd = login ? "bash -l" : "bash";
-  const result = await execa15(
+  const result = await execa16(
     "docker",
     [
       "exec",
@@ -7726,7 +8408,7 @@ function buildShellSessionAttachArgv(container, sessionName, user) {
 }
 async function shellSessionInfo(container, sessionName, user) {
   const name = sessionName ?? DEFAULT_SHELL_SESSION;
-  const has = await execa15(
+  const has = await execa16(
     "docker",
     ["exec", "--user", user ?? CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -7734,7 +8416,7 @@ async function shellSessionInfo(container, sessionName, user) {
   return { running: has.exitCode === 0, sessionName: name };
 }
 async function killShellSession(container, sessionName, user) {
-  const res = await execa15(
+  const res = await execa16(
     "docker",
     [
       "exec",
@@ -8017,7 +8699,8 @@ async function startBox(idOrName) {
         containerName: box.container,
         createdAt: box.createdAt,
         projectIndex: box.projectIndex,
-        worktrees: box.gitWorktrees
+        worktrees: box.gitWorktrees,
+        autoApproveHostActions: box.autoApproveHostActions
       });
     } catch {
     }
@@ -8036,7 +8719,7 @@ async function getBoxHostPaths(idOrName) {
 }
 async function dirSizeBytes(path) {
   try {
-    const result = await execa16("du", ["-sk", path], { reject: false });
+    const result = await execa17("du", ["-sk", path], { reject: false });
     if (result.exitCode !== 0) return null;
     const sizeKb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
     if (Number.isNaN(sizeKb)) return null;
@@ -8181,7 +8864,7 @@ async function listBoxDirs() {
   }
 }
 async function listCheckpointImageTags() {
-  const r = await execa16(
+  const r = await execa17(
     "docker",
     ["image", "ls", "--format", "{{.Repository}}:{{.Tag}}", `${CHECKPOINT_IMAGE_PREFIX}*`],
     { reject: false }
@@ -8289,7 +8972,7 @@ async function pruneBoxes(opts = {}) {
     } catch {
     }
     try {
-      await execa16("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
+      await execa17("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
     } catch {
     }
     try {
@@ -8351,7 +9034,7 @@ function splitPair(raw) {
   return [parts[0].trim(), parts[1].trim()];
 }
 async function duBytes(path) {
-  const result = await execa17("du", ["-sk", path], { reject: false });
+  const result = await execa18("du", ["-sk", path], { reject: false });
   if (result.exitCode !== 0) return null;
   const kb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
   return Number.isNaN(kb) ? null : kb * 1024;
@@ -8364,7 +9047,7 @@ async function volumeSizeBytes(name) {
     const sz = await duBytes(live);
     if (sz !== null) return sz;
   }
-  const df = await execa17(
+  const df = await execa18(
     "docker",
     ["system", "df", "-v", "--format", "{{json .Volumes}}"],
     { reject: false }
@@ -8385,7 +9068,7 @@ async function volumeSizeBytes(name) {
   return null;
 }
 async function imageBytes(tag) {
-  const r = await execa17("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
+  const r = await execa18("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
     reject: false
   });
   if (r.exitCode !== 0) return null;
@@ -8396,7 +9079,7 @@ async function projectCheckpointImageBytes(projectRoot, name) {
   return imageBytes(checkpointImageTag(projectRoot, name));
 }
 async function allCheckpointImagesBytes() {
-  const r = await execa17(
+  const r = await execa18(
     "docker",
     [
       "image",
@@ -8448,7 +9131,7 @@ function reconcileLimits(persisted, dockerJson) {
   };
 }
 async function containerWritableBytes(container) {
-  const r = await execa17(
+  const r = await execa18(
     "docker",
     ["ps", "-a", "--filter", `name=^${container}$`, "--format", "{{.Size}}", "--size"],
     { reject: false }
@@ -8495,7 +9178,7 @@ async function boxResourceStats(record) {
   if (await inspectContainerStatus(record.container) !== "running") {
     return base;
   }
-  const proc = await execa17(
+  const proc = await execa18(
     "docker",
     ["stats", "--no-stream", "--format", "{{json .}}", record.container],
     { reject: false }
@@ -8530,125 +9213,6 @@ async function boxResourceStats(record) {
     blockWriteBytes: blkPair ? parseDockerSize(blkPair[1]) : null
   };
 }
-function posixDirname(p) {
-  return posix.dirname(p) || "/";
-}
-function asText(s) {
-  if (s === void 0) return "";
-  if (typeof s === "string") return s;
-  return Buffer.from(s).toString("utf8");
-}
-async function uploadToBox(box, hostSrc, boxDst) {
-  const srcAbs = resolve4(hostSrc);
-  if (!existsSync3(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
-  const srcBasename = basename5(srcAbs);
-  const srcParent = dirname22(srcAbs);
-  let boxParent;
-  let finalName;
-  if (boxDst.endsWith("/")) {
-    boxParent = boxDst.replace(/\/+$/, "") || "/";
-    finalName = srcBasename;
-  } else {
-    const isDir2 = await execa18(
-      "docker",
-      ["exec", box.container, "test", "-d", boxDst],
-      { reject: false }
-    );
-    if (isDir2.exitCode === 0) {
-      boxParent = boxDst.replace(/\/+$/, "") || "/";
-      finalName = srcBasename;
-    } else {
-      boxParent = posixDirname(boxDst);
-      finalName = posix.basename(boxDst);
-    }
-  }
-  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
-  const mk = await execa18(
-    "docker",
-    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
-    { reject: false }
-  );
-  if (mk.exitCode !== 0) {
-    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
-  }
-  const packed = await execa18("tar", ["-C", srcParent, "-cf", "-", srcBasename], {
-    encoding: "buffer",
-    reject: false,
-    env: { ...process.env, COPYFILE_DISABLE: "1" }
-  });
-  if (packed.exitCode !== 0) {
-    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
-  }
-  const extract = await execa18(
-    "docker",
-    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
-    { input: packed.stdout, reject: false }
-  );
-  if (extract.exitCode !== 0) {
-    throw new Error(`tar extract in box failed: ${asText(extract.stderr).slice(0, 300)}`);
-  }
-  if (finalName !== srcBasename) {
-    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
-    const mv = await execa18(
-      "docker",
-      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
-      { reject: false }
-    );
-    if (mv.exitCode !== 0) {
-      throw new Error(
-        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
-      );
-    }
-  }
-  const chown = await execa18(
-    "docker",
-    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
-    { reject: false }
-  );
-  if (chown.exitCode !== 0) {
-    return {
-      finalPath,
-      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
-    };
-  }
-  return { finalPath };
-}
-async function downloadFromBox(box, boxSrc, hostDst) {
-  const srcBasename = posix.basename(boxSrc);
-  const srcParent = posixDirname(boxSrc);
-  const dstAbs = resolve4(hostDst);
-  let hostParent;
-  let finalName;
-  const dstExists = existsSync3(dstAbs);
-  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
-    hostParent = dstAbs;
-    finalName = srcBasename;
-  } else {
-    hostParent = dirname22(dstAbs);
-    finalName = basename5(dstAbs);
-  }
-  mkdirSync(hostParent, { recursive: true });
-  const finalPath = posix.join(hostParent, finalName);
-  const packed = await execa18(
-    "docker",
-    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", srcBasename],
-    { encoding: "buffer", reject: false }
-  );
-  if (packed.exitCode !== 0) {
-    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
-  }
-  const extract = await execa18("tar", ["-xf", "-", "-C", hostParent], {
-    input: packed.stdout,
-    reject: false
-  });
-  if (extract.exitCode !== 0) {
-    throw new Error(`tar extract on host failed: ${asText(extract.stderr).slice(0, 300)}`);
-  }
-  if (finalName !== srcBasename) {
-    renameSync(posix.join(hostParent, srcBasename), finalPath);
-  }
-  return { finalPath };
-}
 var dockerProvider = {
   name: "docker",
   async create(req) {
@@ -8724,12 +9288,12 @@ var dockerProvider = {
     const r = await execInBox(box.container, argv, opts?.user ? { user: opts.user } : {});
     return { exitCode: r.exitCode, stdout: r.stdout, stderr: r.stderr };
   },
-  async uploadPath(box, hostSrc, boxDst) {
-    const r = await uploadToBox(box, hostSrc, boxDst);
+  async uploadPath(box, hostSrc, boxDst, exclude) {
+    const r = await uploadToBox(box, hostSrc, boxDst, exclude);
     return { finalPath: r.finalPath };
   },
-  async downloadPath(box, boxSrc, hostDst) {
-    const r = await downloadFromBox(box, boxSrc, hostDst);
+  async downloadPath(box, boxSrc, hostDst, exclude) {
+    const r = await downloadFromBox(box, boxSrc, hostDst, exclude);
     return { finalPath: r.finalPath };
   },
   async resolveUrl(box, opts) {
@@ -8884,10 +9448,10 @@ async function stageDynamicSyncTarball(uploads) {
   try {
     for (const up of uploads) {
       const target = join16(stageDir, up.set, up.rel);
-      await mkdir8(dirname32(target), { recursive: true });
+      await mkdir8(dirname4(target), { recursive: true });
       await copyFile2(up.absSrc, target);
     }
-    tarballPath = join16(tmpdir4(), `agentbox-dynsync-${basename6(stageDir)}.tar.gz`);
+    tarballPath = join16(tmpdir4(), `agentbox-dynsync-${basename7(stageDir)}.tar.gz`);
     await execa19("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
       env: { ...process.env, COPYFILE_DISABLE: "1" }
     });
@@ -8928,6 +9492,7 @@ async function ensureBoxBrowser(container, timeoutMs = 8e3, targetUrl = "about:b
 }
 
 export {
+  BUILT_IN_DEFAULTS,
   KEY_REGISTRY,
   lookupKey,
   UserConfigError,
@@ -8951,12 +9516,10 @@ export {
   renderStatusTable,
   renderTaskTable,
   renderPortsTable,
+  parseReplacementsSection,
+  parseCarrySection,
   loadCarrySection,
-  resolveAgentLauncher,
-  UserFacingError,
-  BoxNotFoundError,
-  AmbiguousBoxError,
-  generateBoxId,
+  ALL_CONNECTORS,
   DEFAULT_RELAY_PORT,
   RELAY_CONTAINER_NAME,
   RELAY_NETWORK_NAME,
@@ -8974,6 +9537,8 @@ export {
   execInBox,
   removeImage,
   volumeExists,
+  uploadToBox,
+  downloadFromBox,
   CONTAINER_EXPORT_MERGED,
   detectEngine,
   setEngineOverride,
@@ -9174,8 +9739,6 @@ export {
   allCheckpointImagesBytes,
   agentboxHomeBytes,
   boxResourceStats,
-  uploadToBox,
-  downloadFromBox,
   dockerProvider,
   BOX_WORKFLOWS_DIR,
   BOX_DYNAMIC_SYNC_MANIFEST,
@@ -9186,4 +9749,4 @@ export {
   browserSessionActive,
   ensureBoxBrowser
 };
-//# sourceMappingURL=chunk-TCS5HXJX.js.map
+//# sourceMappingURL=chunk-GXJNJUEV.js.map