npm - @madarco/agentbox - Versions diffs - 0.7.0 → 0.8.0 - Mend

@madarco/agentbox 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/dist/_cloud-attach-T727ZPRV.js +13 -0
package/dist/{chunk-NW5NYTQM.js → chunk-67N47KUS.js} +359 -85
package/dist/chunk-67N47KUS.js.map +1 -0
package/dist/{chunk-NAVL4R34.js → chunk-6OZDFNBF.js} +1084 -516
package/dist/chunk-6OZDFNBF.js.map +1 -0
package/dist/chunk-BGK32PZE.js +455 -0
package/dist/chunk-BGK32PZE.js.map +1 -0
package/dist/{chunk-7KOEFGN2.js → chunk-FODMEHD3.js} +52 -14
package/dist/chunk-FODMEHD3.js.map +1 -0
package/dist/{chunk-UK72UQ5U.js → chunk-G3H2L3O2.js} +55 -4
package/dist/chunk-G3H2L3O2.js.map +1 -0
package/dist/{chunk-V5KZGB5V.js → chunk-LEV3KICD.js} +18 -2
package/dist/chunk-LEV3KICD.js.map +1 -0
package/dist/{cloud-poller-ZIWSADJB-JXFRJUEM.js → cloud-poller-SUNA6ZQC-2RG5WPRN.js} +2 -2
package/dist/{dist-R67WMLCF.js → dist-L4LCG5SJ.js} +120 -10
package/dist/dist-L4LCG5SJ.js.map +1 -0
package/dist/{dist-ETCFRVPA.js → dist-LOZBWMBF.js} +44 -20
package/dist/{dist-QZGJIBT5.js → dist-ZODPD2I6.js} +142 -74
package/dist/dist-ZODPD2I6.js.map +1 -0
package/dist/index.js +3563 -845
package/dist/index.js.map +1 -1
package/dist/prepared-state-CL4CWXQA-ME4HSKDE.js +18 -0
package/dist/prepared-state-CL4CWXQA-ME4HSKDE.js.map +1 -0
package/package.json +4 -4
package/runtime/daytona/custom-system-CLAUDE.md +39 -0
package/runtime/docker/Dockerfile.box +22 -0
package/runtime/docker/apps/cli/share/agentbox-setup/SKILL.md +1 -1
package/runtime/docker/packages/ctl/dist/bin.cjs +1118 -71
package/runtime/docker/packages/sandbox-docker/scripts/agentbox-codex-hooks.json +66 -35
package/runtime/docker/packages/sandbox-docker/scripts/claude-managed-settings.json +62 -1
package/runtime/docker/packages/sandbox-docker/scripts/custom-system-CLAUDE.md +15 -4
package/runtime/docker/packages/sandbox-docker/scripts/gh-shim +263 -0
package/runtime/docker/packages/sandbox-docker/scripts/git-shim +131 -0
package/runtime/docker/packages/sandbox-docker/scripts/opencode-agentbox-plugin.js +76 -0
package/runtime/hetzner/agentbox-codex-hooks.json +66 -35
package/runtime/hetzner/agentbox-setup-skill.md +1 -1
package/runtime/hetzner/claude-managed-settings.json +62 -1
package/runtime/hetzner/ctl.cjs +1118 -71
package/runtime/hetzner/custom-system-CLAUDE.md +26 -14
package/runtime/hetzner/gh-shim +263 -0
package/runtime/hetzner/git-shim +131 -0
package/runtime/hetzner/opencode-agentbox-plugin.js +76 -0
package/runtime/hetzner/scripts/install-box.sh +11 -2
package/runtime/relay/bin.cjs +927 -36
package/share/agentbox-setup/SKILL.md +1 -1
package/share/host-skills/agentbox/SKILL.md +29 -0
package/share/host-skills/agentbox-info/SKILL.md +211 -0
package/share/host-skills/codex/agentbox.md +35 -0
package/share/host-skills/opencode/agentbox.md +26 -0
package/dist/_cloud-attach-DMVH6GWO.js +0 -12
package/dist/chunk-7KOEFGN2.js.map +0 -1
package/dist/chunk-NAVL4R34.js.map +0 -1
package/dist/chunk-NW5NYTQM.js.map +0 -1
package/dist/chunk-UK72UQ5U.js.map +0 -1
package/dist/chunk-V5KZGB5V.js.map +0 -1
package/dist/dist-QZGJIBT5.js.map +0 -1
package/dist/dist-R67WMLCF.js.map +0 -1
/package/dist/{_cloud-attach-DMVH6GWO.js.map → _cloud-attach-T727ZPRV.js.map} +0 -0
/package/dist/{cloud-poller-ZIWSADJB-JXFRJUEM.js.map → cloud-poller-SUNA6ZQC-2RG5WPRN.js.map} +0 -0
/package/dist/{dist-ETCFRVPA.js.map → dist-LOZBWMBF.js.map} +0 -0

package/runtime/hetzner/ctl.cjs CHANGED Viewed

@@ -3033,10 +3033,16 @@ var require_commander = __commonJS({
   }
 });
-// ../relay/dist/chunk-SJUIVWA3.js
-var import_http, import_https, import_promises, BACKOFF_BASE_MS, BACKOFF_MAX_MS, REQUEST_TIMEOUT_MS, FAST_REQUEST_TIMEOUT_MS, FAST_MODE_DECAY_POLLS, STOPPED_TICK_MS, CloudBoxPoller, CloudBoxPollers;
-var init_chunk_SJUIVWA3 = __esm({
-  "../relay/dist/chunk-SJUIVWA3.js"() {
+// ../relay/dist/chunk-YVJLTAM3.js
+function isConnectionLevelError(err) {
+  const code = err?.code;
+  if (code && CONNECTION_LEVEL_CODES.has(code)) return true;
+  const msg = err instanceof Error ? err.message : String(err);
+  return /\b(ECONNREFUSED|ENOTFOUND|EHOSTUNREACH|ECONNRESET|EPIPE)\b/.test(msg);
+}
+var import_http, import_https, import_promises, BACKOFF_BASE_MS, BACKOFF_MAX_MS, REQUEST_TIMEOUT_MS, FAST_REQUEST_TIMEOUT_MS, FAST_MODE_DECAY_POLLS, STOPPED_TICK_MS, CONNECTION_LEVEL_CODES, CloudBoxPoller, CloudBoxPollers;
+var init_chunk_YVJLTAM3 = __esm({
+  "../relay/dist/chunk-YVJLTAM3.js"() {
     "use strict";
     import_http = require("http");
     import_https = require("https");
@@ -3047,9 +3053,17 @@ var init_chunk_SJUIVWA3 = __esm({
     FAST_REQUEST_TIMEOUT_MS = 8e3;
     FAST_MODE_DECAY_POLLS = 5;
     STOPPED_TICK_MS = 250;
+    CONNECTION_LEVEL_CODES = /* @__PURE__ */ new Set([
+      "ECONNREFUSED",
+      "ENOTFOUND",
+      "EHOSTUNREACH",
+      "ECONNRESET",
+      "EPIPE"
+    ]);
     CloudBoxPoller = class {
       constructor(deps) {
         this.deps = deps;
+        this.currentPreviewUrl = deps.previewUrl;
       }
       deps;
       stopped = false;
@@ -3063,6 +3077,15 @@ var init_chunk_SJUIVWA3 = __esm({
        * within ~5 successful round-trips.
        */
       fastModePolls = 0;
+      /**
+       * Mutable copy of `deps.previewUrl`. We don't read `deps.previewUrl`
+       * directly after construction because `recoverPreviewUrl` may hand us a
+       * new URL (e.g. Hetzner reopens its SSH ControlMaster and the `-L`
+       * forward gets a new ephemeral local port).
+       */
+      currentPreviewUrl;
+      /** Guards against recovery storms — at most one recovery attempt in flight. */
+      recovering = null;
       start() {
         if (this.loopPromise) return;
         this.loopPromise = this.run().catch((err) => {
@@ -3079,7 +3102,7 @@ var init_chunk_SJUIVWA3 = __esm({
        * and the in-box agent finally sees the answer.
        */
       async respond(actionId, result) {
-        const base = this.deps.previewUrl.replace(/\/+$/, "");
+        const base = this.currentPreviewUrl.replace(/\/+$/, "");
         const url = new URL(`${base}/bridge/action-result`);
         const isHttps = url.protocol === "https:";
         const transport = isHttps ? import_https.request : import_http.request;
@@ -3169,6 +3192,9 @@ var init_chunk_SJUIVWA3 = __esm({
               this.fastModePolls = FAST_MODE_DECAY_POLLS;
             }
             this.log(`poll error: ${msg}`);
+            if (this.deps.recoverPreviewUrl && isConnectionLevelError(err)) {
+              await this.tryRecoverPreviewUrl();
+            }
             await this.backoff();
           }
           if (this.currentBackoffMs === 0 && this.fastModePolls > 0) {
@@ -3181,8 +3207,33 @@ var init_chunk_SJUIVWA3 = __esm({
         this.currentBackoffMs = this.currentBackoffMs === 0 ? BACKOFF_BASE_MS : Math.min(this.currentBackoffMs * 2, BACKOFF_MAX_MS);
         await (0, import_promises.setTimeout)(this.currentBackoffMs);
       }
+      async tryRecoverPreviewUrl() {
+        if (!this.deps.recoverPreviewUrl) return;
+        if (this.recovering) {
+          await this.recovering;
+          return;
+        }
+        this.recovering = (async () => {
+          try {
+            const next = await this.deps.recoverPreviewUrl();
+            if (typeof next === "string" && next.length > 0 && next !== this.currentPreviewUrl) {
+              this.log(`preview URL recovered: ${this.currentPreviewUrl} \u2192 ${next}`);
+              this.currentPreviewUrl = next;
+              this.currentBackoffMs = 0;
+            } else if (typeof next === "string" && next === this.currentPreviewUrl) {
+              this.log("preview URL recovered (unchanged)");
+              this.currentBackoffMs = 0;
+            }
+          } catch (err) {
+            this.log(`preview URL recover failed: ${err instanceof Error ? err.message : String(err)}`);
+          } finally {
+            this.recovering = null;
+          }
+        })();
+        await this.recovering;
+      }
       async pollOnce() {
-        const base = this.deps.previewUrl.replace(/\/+$/, "");
+        const base = this.currentPreviewUrl.replace(/\/+$/, "");
         const url = new URL(`${base}/bridge/poll?since=${String(this.cursor)}`);
         const isHttps = url.protocol === "https:";
         const transport = isHttps ? import_https.request : import_http.request;
@@ -3750,7 +3801,7 @@ var require_cross_spawn = __commonJS({
     var cp = require("child_process");
     var parse = require_parse();
     var enoent = require_enoent();
-    function spawn9(command, args, options) {
+    function spawn10(command, args, options) {
       const parsed = parse(command, args, options);
       const spawned = cp.spawn(parsed.command, parsed.args, parsed.options);
       enoent.hookChildProcess(spawned, parsed);
@@ -3762,8 +3813,8 @@ var require_cross_spawn = __commonJS({
       result.error = result.error || enoent.verifyENOENTSync(result.status, parsed);
       return result;
     }
-    module2.exports = spawn9;
-    module2.exports.spawn = spawn9;
+    module2.exports = spawn10;
+    module2.exports.spawn = spawn10;
     module2.exports.sync = spawnSync2;
     module2.exports._parse = parse;
     module2.exports._enoent = enoent;
@@ -11097,16 +11148,16 @@ var require_dist = __commonJS({
   }
 });
-// ../relay/dist/cloud-poller-ZIWSADJB.js
-var cloud_poller_ZIWSADJB_exports = {};
-__export(cloud_poller_ZIWSADJB_exports, {
+// ../relay/dist/cloud-poller-SUNA6ZQC.js
+var cloud_poller_SUNA6ZQC_exports = {};
+__export(cloud_poller_SUNA6ZQC_exports, {
   CloudBoxPoller: () => CloudBoxPoller,
   CloudBoxPollers: () => CloudBoxPollers
 });
-var init_cloud_poller_ZIWSADJB = __esm({
-  "../relay/dist/cloud-poller-ZIWSADJB.js"() {
+var init_cloud_poller_SUNA6ZQC = __esm({
+  "../relay/dist/cloud-poller-SUNA6ZQC.js"() {
     "use strict";
-    init_chunk_SJUIVWA3();
+    init_chunk_YVJLTAM3();
   }
 });
@@ -11231,12 +11282,21 @@ async function claudeSession(opts) {
     sessionName: opts.sessionName
   });
 }
-async function claudeState(opts, state) {
-  return sendOneShot(opts, { op: "claude-state", state });
+async function claudeState(opts, state, payload) {
+  return sendOneShot(opts, {
+    op: "claude-state",
+    state,
+    ...payload?.plan ? { plan: payload.plan } : {},
+    ...payload?.question ? { question: payload.question } : {},
+    ...payload?.clearPending ? { clearPending: true } : {}
+  });
 }
 async function codexState(opts, state) {
   return sendOneShot(opts, { op: "codex-state", state });
 }
+async function opencodeState(opts, state) {
+  return sendOneShot(opts, { op: "opencode-state", state });
+}
 async function logs(opts, args) {
   const sock = await connect(opts);
   sock.write(`${JSON.stringify({ op: "logs", ...args })}
@@ -11291,6 +11351,10 @@ var CLAUDE_ACTIVITY_STATES = [
   "working",
   "idle",
   "waiting",
+  "end-plan",
+  "question",
+  "compacting",
+  "error",
   "unknown"
 ];
 var BOX_STATUS_SCHEMA = 1;
@@ -11324,18 +11388,90 @@ var claudeSessionCommand = new Command("claude-session").description("Report whe
 });
 // src/commands/claude-state.ts
-var claudeStateCommand = new Command("claude-state").description("Report Claude activity state to the box supervisor (used by hooks)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).action(async (state, opts) => {
+var claudeStateCommand = new Command("claude-state").description("Report Claude activity state to the box supervisor (used by hooks)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--payload-stdin", "parse Claude Code's hook JSON from stdin (PreToolUse plan/question)").option("--clear-pending", "force-clear a sticky end-plan/question state (PostToolUse cleanup)").action(async (state, opts) => {
   try {
-    if (CLAUDE_ACTIVITY_STATES.includes(state)) {
-      await claudeState(
-        { socketPath: opts.socket, timeoutMs: 1500 },
-        state
-      );
-    }
+    if (!CLAUDE_ACTIVITY_STATES.includes(state)) {
+      process.exit(0);
+    }
+    const typedState = state;
+    const extracted = opts.payloadStdin ? await extractPayload(typedState, await readStdinJson()) : void 0;
+    const payload = { ...extracted ?? {} };
+    if (opts.clearPending) payload.clearPending = true;
+    const hasField = payload.plan !== void 0 || payload.question !== void 0 || payload.clearPending !== void 0;
+    await claudeState(
+      { socketPath: opts.socket, timeoutMs: 1500 },
+      typedState,
+      hasField ? payload : void 0
+    );
   } catch {
   }
   process.exit(0);
 });
+function extractPayload(state, raw) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const tool = raw.tool_input ?? {};
+  const capturedAt = (/* @__PURE__ */ new Date()).toISOString();
+  if (state === "end-plan" && typeof tool.plan === "string") {
+    const plan = { plan: tool.plan, capturedAt };
+    return { plan };
+  }
+  if (state === "question" && Array.isArray(tool.questions)) {
+    const questions = tool.questions.map((q) => normalizeQuestion(q)).filter((q) => q !== null);
+    if (questions.length === 0) return void 0;
+    const question = { questions, capturedAt };
+    return { question };
+  }
+  return void 0;
+}
+function normalizeQuestion(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const q = raw;
+  if (typeof q.question !== "string") return null;
+  const opts = Array.isArray(q.options) ? q.options : [];
+  const options = opts.map((o2) => {
+    if (!o2 || typeof o2 !== "object") return null;
+    const oo = o2;
+    if (typeof oo.label !== "string") return null;
+    const entry = { label: oo.label };
+    if (typeof oo.description === "string") entry.description = oo.description;
+    return entry;
+  }).filter((o2) => o2 !== null);
+  const out = { question: q.question, options };
+  if (typeof q.header === "string") out.header = q.header;
+  if (typeof q.multiSelect === "boolean") out.multiSelect = q.multiSelect;
+  return out;
+}
+function readStdinJson() {
+  return new Promise((resolve2) => {
+    if (process.stdin.isTTY) {
+      resolve2(null);
+      return;
+    }
+    const chunks = [];
+    const cap = setTimeout(() => {
+      process.stdin.removeAllListeners();
+      resolve2(null);
+    }, 1e3);
+    cap.unref();
+    process.stdin.on("data", (b) => chunks.push(b));
+    process.stdin.on("end", () => {
+      clearTimeout(cap);
+      if (chunks.length === 0) {
+        resolve2(null);
+        return;
+      }
+      try {
+        resolve2(JSON.parse(Buffer.concat(chunks).toString("utf8")));
+      } catch {
+        resolve2(null);
+      }
+    });
+    process.stdin.on("error", () => {
+      clearTimeout(cap);
+      resolve2(null);
+    });
+  });
+}
 // src/commands/codex-state.ts
 var codexStateCommand = new Command("codex-state").description("Report Codex activity state to the box supervisor (used by hooks)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).action(async (state, opts) => {
@@ -11450,15 +11586,31 @@ var cpCommand = new Command("cp").description("Copy a file/dir between this box
   })
 );
+// src/commands/opencode-state.ts
+var opencodeStateCommand = new Command("opencode-state").description("Report OpenCode activity state to the box supervisor (used by the plugin)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).action(async (state, opts) => {
+  try {
+    if (CLAUDE_ACTIVITY_STATES.includes(state)) {
+      await opencodeState(
+        { socketPath: opts.socket, timeoutMs: 1500 },
+        state
+      );
+    }
+  } catch {
+  }
+  process.exit(0);
+});
 // ../relay/dist/index.js
-init_chunk_SJUIVWA3();
+init_chunk_YVJLTAM3();
 var import_crypto = require("crypto");
 var import_crypto2 = require("crypto");
 var import_crypto3 = require("crypto");
+var import_crypto4 = require("crypto");
+var import_child_process = require("child_process");
 var import_promises14 = require("fs/promises");
 var import_os3 = require("os");
 var import_path4 = require("path");
-var import_child_process = require("child_process");
+var import_child_process2 = require("child_process");
 var import_http2 = require("http");
 // ../../node_modules/.pnpm/is-plain-obj@4.1.0/node_modules/is-plain-obj/index.js
@@ -18284,6 +18436,8 @@ function projectDockerFields(box) {
     webHostPort: box.webHostPort,
     portlessAlias: box.portlessAlias,
     portlessUrl: box.portlessUrl,
+    portlessVncAlias: box.portlessVncAlias,
+    portlessVncUrl: box.portlessVncUrl,
     dockerVolume: box.dockerVolume,
     dockerCacheShared: box.dockerCacheShared,
     checkpointImage: box.checkpointImage
@@ -18414,6 +18568,11 @@ var KEY_REGISTRY = [
     description: "Best-effort writable-layer size for new boxes, e.g. '10G'. No-op on overlay2 / the macOS engines.",
     advanced: true
   },
+  {
+    key: "box.bundleDepth",
+    type: "int",
+    description: "Cap git bundle history shipped to cloud sandboxes (daytona, hetzner). 0 = full history. Unset = adaptive default (last 200 commits; re-bundle at 100 if the bundle exceeds 20 MB). Ignored for docker (which bind-mounts .git/)."
+  },
   {
     key: "claude.sessionName",
     type: "string",
@@ -18521,6 +18680,16 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Minutes a box must be continuously idle (claude state) before it is eligible for auto-pause."
   },
+  {
+    key: "queue.enabled",
+    type: "bool",
+    description: "Run `agentbox claude|codex|opencode -i <prompt>` jobs through the host-wide background queue (FIFO, capped by queue.maxConcurrent)."
+  },
+  {
+    key: "queue.maxConcurrent",
+    type: "int",
+    description: "Max number of simultaneously-running boxes (across providers) before background `-i` jobs queue up instead of starting immediately. Per-invocation override: `--max-running <n>`."
+  },
   {
     key: "maintenance.pruneProjectConfigs",
     type: "bool",
@@ -18557,7 +18726,8 @@ var PROJECTS_DIR = (0, import_path2.join)(STATE_DIR2, "projects");
 var PROJECT_GC_COUNTER_FILE = (0, import_path3.join)(PROJECTS_DIR, ".gc.json");
 // ../relay/dist/index.js
-var DEFAULT_RELAY_PORT = 8787;
+var import_path6 = require("path");
+var DEFAULT_BOX_RELAY_PORT = 8788;
 var RELAY_EVENT_RING_SIZE = 1e3;
 var DEFAULT_HOST_ACTION_MAX_AGE_MS = 15 * 60 * 1e3;
 var HostActionQueue = class {
@@ -18870,6 +19040,237 @@ var BoxNotices = class {
     return this.entries.size;
   }
 };
+var DEFAULT_TTL_MS = 12e4;
+function hashRpcParams(params) {
+  return (0, import_crypto4.createHash)("sha256").update(canonicalJson(params)).digest("hex");
+}
+function canonicalJson(v) {
+  if (v === null) return "null";
+  if (typeof v === "undefined") return "null";
+  if (typeof v === "number") return Number.isFinite(v) ? String(v) : "null";
+  if (typeof v === "boolean") return v ? "true" : "false";
+  if (typeof v === "string") return JSON.stringify(v);
+  if (Array.isArray(v)) return "[" + v.map(canonicalJson).join(",") + "]";
+  if (typeof v === "object") {
+    const entries = Object.entries(v).filter(([k]) => k !== "hostInitiated").filter(([, val]) => val !== void 0).sort(([a2], [b]) => a2 < b ? -1 : a2 > b ? 1 : 0);
+    return "{" + entries.map(([k, val]) => JSON.stringify(k) + ":" + canonicalJson(val)).join(",") + "}";
+  }
+  return "null";
+}
+var HostInitiatedTokens = class {
+  store = /* @__PURE__ */ new Map();
+  /**
+   * Mint a fresh one-time token scoped to (boxId, method, paramsHash).
+   * `paramsHash` MUST be supplied for any call surface where the box can
+   * influence the eventual RPC params. Pass `null` only when there are no
+   * params (no current call sites use this).
+   */
+  mint(boxId, method, paramsHash, ttlMs = DEFAULT_TTL_MS) {
+    const token = (0, import_crypto4.randomBytes)(32).toString("hex");
+    this.store.set(token, { boxId, method, paramsHash, expiresAt: Date.now() + ttlMs });
+    return token;
+  }
+  /**
+   * Returns true exactly once if `token` is a valid, unexpired token for the
+   * given `(boxId, method)` AND the supplied `incomingParamsHash` matches
+   * the hash bound at mint time. The token is removed on a successful match
+   * (one-shot semantics). All failure modes return false — callers fall back
+   * to the normal prompt path.
+   */
+  consume(token, boxId, method, incomingParamsHash) {
+    if (!token || typeof token !== "string") return false;
+    const record = this.store.get(token);
+    if (!record) return false;
+    if (record.expiresAt < Date.now()) {
+      this.store.delete(token);
+      return false;
+    }
+    if (record.boxId !== boxId || record.method !== method) return false;
+    if (record.paramsHash !== null && record.paramsHash !== incomingParamsHash) {
+      return false;
+    }
+    this.store.delete(token);
+    return true;
+  }
+  /** Drop expired entries. Cheap; safe to call periodically. */
+  gc() {
+    const now = Date.now();
+    for (const [token, record] of this.store) {
+      if (record.expiresAt < now) this.store.delete(token);
+    }
+  }
+  /** Test-only: number of live tokens. */
+  size() {
+    return this.store.size;
+  }
+};
+var GH_PR_OPS = [
+  "create",
+  "view",
+  "list",
+  "comment",
+  "review",
+  "merge",
+  "checkout",
+  "close",
+  "reopen"
+];
+function isGhPrOp(value) {
+  return GH_PR_OPS.includes(value);
+}
+var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set(["view", "list"]);
+var GH_RPC_TIMEOUT_MS = 12e4;
+var GH_READY_CACHE_TTL_MS = 6e4;
+var ghReadyCache;
+async function assertGhReady() {
+  const now = Date.now();
+  if (ghReadyCache && ghReadyCache.expiresAt > now) {
+    return ghReadyCache.result;
+  }
+  const result = await probeGh();
+  ghReadyCache = { result, expiresAt: now + GH_READY_CACHE_TTL_MS };
+  return result;
+}
+async function probeGh() {
+  const version = await runHostGh(["--version"], process.cwd(), 1e4);
+  if (version.exitCode === 127 || /ENOENT/.test(version.stderr)) {
+    return {
+      exitCode: 127,
+      stdout: "",
+      stderr: "gh not installed on host (https://cli.github.com)\n"
+    };
+  }
+  if (version.exitCode !== 0) {
+    return {
+      exitCode: version.exitCode,
+      stdout: "",
+      stderr: `gh --version failed: ${version.stderr || version.stdout}`.trimEnd() + "\n"
+    };
+  }
+  const auth = await runHostGh(["auth", "status"], process.cwd(), 15e3);
+  if (auth.exitCode !== 0) {
+    return {
+      exitCode: 4,
+      stdout: "",
+      stderr: "gh not authenticated on host (run `gh auth login`)\n"
+    };
+  }
+  return null;
+}
+function runHostGh(args, cwd, timeoutMs = GH_RPC_TIMEOUT_MS) {
+  return new Promise((resolve2) => {
+    const child = (0, import_child_process.spawn)("gh", args, {
+      cwd,
+      env: process.env,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    let settled = false;
+    const finish = (exitCode) => {
+      if (settled) return;
+      settled = true;
+      resolve2({ exitCode, stdout, stderr });
+    };
+    const timer = setTimeout(() => {
+      child.kill("SIGTERM");
+      stderr += `
+relay: gh command timed out after ${String(timeoutMs)}ms
+`;
+      finish(124);
+    }, timeoutMs);
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString("utf8");
+    });
+    child.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+    child.on("error", (err) => {
+      clearTimeout(timer);
+      const code = err.code;
+      stderr += String(err.message ?? err);
+      finish(code === "ENOENT" ? 127 : 1);
+    });
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      finish(code ?? -1);
+    });
+  });
+}
+async function checkoutGuards(hostMainRepo, registeredBranches) {
+  const status2 = await runGitProbe(["-C", hostMainRepo, "status", "--porcelain"]);
+  if (status2.exitCode !== 0) {
+    return {
+      exitCode: status2.exitCode,
+      stdout: "",
+      stderr: `gh pr checkout: failed to inspect host repo: ${status2.stderr || status2.stdout}`.trimEnd() + "\n"
+    };
+  }
+  if (status2.stdout.trim().length > 0) {
+    return {
+      exitCode: 12,
+      stdout: "",
+      stderr: `gh pr checkout: ${hostMainRepo} has uncommitted changes; refusing to switch branches
+`
+    };
+  }
+  const head = await runGitProbe(["-C", hostMainRepo, "rev-parse", "--abbrev-ref", "HEAD"]);
+  if (head.exitCode !== 0) {
+    return {
+      exitCode: head.exitCode,
+      stdout: "",
+      stderr: `gh pr checkout: failed to resolve HEAD: ${head.stderr || head.stdout}`.trimEnd() + "\n"
+    };
+  }
+  const currentBranch = head.stdout.trim();
+  if (registeredBranches.includes(currentBranch)) {
+    return {
+      exitCode: 12,
+      stdout: "",
+      stderr: `gh pr checkout: ${hostMainRepo} is on registered box branch ${currentBranch}; refusing (would corrupt the bind-mounted box HEAD)
+`
+    };
+  }
+  return null;
+}
+function runGitProbe(args) {
+  return new Promise((resolve2) => {
+    const child = (0, import_child_process.spawn)("git", args, { env: process.env, stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (c3) => {
+      stdout += c3.toString("utf8");
+    });
+    child.stderr?.on("data", (c3) => {
+      stderr += c3.toString("utf8");
+    });
+    child.on("error", (err) => {
+      resolve2({ exitCode: 127, stdout, stderr: stderr + String(err.message ?? err) });
+    });
+    child.on("close", (code) => {
+      resolve2({ exitCode: code ?? -1, stdout, stderr });
+    });
+  });
+}
+function refuseMergeBypass(op) {
+  if (op !== "merge") return null;
+  if (process.env["AGENTBOX_PROMPT"] !== "off") return null;
+  if (process.env["AGENTBOX_GH_FORCE"] === "1") return null;
+  return {
+    exitCode: 10,
+    stdout: "",
+    stderr: "gh pr merge: AGENTBOX_PROMPT=off bypass requires AGENTBOX_GH_FORCE=1 (merge is irreversible)\n"
+  };
+}
+function refuseCheckoutByDefault(op) {
+  if (op !== "checkout") return null;
+  if (process.env["AGENTBOX_GH_PR_CHECKOUT"] === "allow") return null;
+  return {
+    exitCode: 13,
+    stdout: "",
+    stderr: "gh pr checkout: disabled by default; set AGENTBOX_GH_PR_CHECKOUT=allow to enable\n"
+  };
+}
 function sanitizeMnemonic(raw) {
   return raw.toLowerCase().replace(/-/g, "_").replace(/[^a-z0-9_]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").slice(0, 32) || "unnamed";
 }
@@ -18949,6 +19350,18 @@ async function resolveCloudBackend(name) {
   }
   throw new Error(`no host executor for cloud backend '${name}'`);
 }
+async function refreshCloudPreviewUrl(backendName, boxId, port) {
+  try {
+    const backend = await resolveCloudBackend(backendName);
+    if (!backend.refreshPreviewUrl) return null;
+    const lookup = await lookupCloudBox(boxId);
+    const handle = { sandboxId: lookup.cloudSandboxId };
+    const url = await backend.refreshPreviewUrl(handle, port);
+    return url.url;
+  } catch {
+    return null;
+  }
+}
 async function executeCloudAction(action, deps) {
   const log = deps.log ?? (() => {
   });
@@ -18968,6 +19381,17 @@ async function executeCloudAction(action, deps) {
   if (action.method === "browser.open.mirror") {
     return runBrowserOpenMirror(action, deps);
   }
+  if (action.method.startsWith("gh.pr.")) {
+    return runGhPrRpc(action, deps);
+  }
+  if (action.method === "git.clone" || action.method === "gh.repo.clone") {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `${action.method}: not yet implemented (deferred; see docs/plans/gh-and-git-shims-host-only.md). Run \`gh\` / \`git\` on the host directly for now.
+`
+    };
+  }
   return {
     exitCode: 1,
     stdout: "",
@@ -18975,6 +19399,86 @@ async function executeCloudAction(action, deps) {
 `
   };
 }
+async function runGhPrRpc(action, deps) {
+  const op = action.method.slice("gh.pr.".length);
+  if (!isGhPrOp(op)) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `unknown gh.pr.* op: ${op}
+`
+    };
+  }
+  const mergeBypass = refuseMergeBypass(op);
+  if (mergeBypass) return mergeBypass;
+  const checkoutOptIn = refuseCheckoutByDefault(op);
+  if (checkoutOptIn) return checkoutOptIn;
+  const params = action.params ?? {};
+  const args = Array.isArray(params.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const lookup = await lookupCloudBox(deps.boxId);
+  if (op === "checkout") {
+    const guard = await checkoutGuards(lookup.workspacePath, []);
+    if (guard) return guard;
+  }
+  const tokenClaimedGhCloud = typeof params.hostInitiated === "string";
+  const incomingHashGhCloud = hashRpcParams(params);
+  const hostInitiatedGhOk = !GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGhCloud && (deps.hostInitiatedTokens?.consume(
+    params.hostInitiated,
+    deps.boxId,
+    `gh.pr.${op}`,
+    incomingHashGhCloud
+  ) ?? false);
+  if (!GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGhCloud && !hostInitiatedGhOk) {
+    return {
+      exitCode: 10,
+      stdout: "",
+      stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+    };
+  }
+  if (!GH_PR_READ_ONLY_OPS.has(op) && !hostInitiatedGhOk && deps.prompts && deps.subscribers) {
+    const detail = args.join(" ").slice(0, 200);
+    const ctx = {
+      kind: "confirm",
+      message: `Allow gh pr ${op} from cloud box ${deps.boxName ?? deps.boxId}?`,
+      detail,
+      defaultAnswer: "n",
+      context: {
+        command: `gh pr ${op}`,
+        cwd: params.path,
+        argv: args
+      }
+    };
+    const hasSubscriber = deps.subscribers.forBox(deps.boxId).length > 0;
+    if (!hasSubscriber && process.env["AGENTBOX_PROMPT"] !== "off") {
+      const noSubMode = (process.env["AGENTBOX_GH_NO_SUB"] ?? "deny").toLowerCase();
+      if (noSubMode === "deny") {
+        return {
+          exitCode: 10,
+          stdout: "",
+          stderr: "denied automatically \u2014 no attached wrapper to confirm. Attach `agentbox claude` (or similar) and retry, or set AGENTBOX_GH_NO_SUB=allow.\n"
+        };
+      }
+      if (noSubMode === "allow") {
+        deps.log?.(`gh.pr.${op} auto-approved (no subscribers, AGENTBOX_GH_NO_SUB=allow)`);
+      } else {
+        const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx, {
+          ttlMs: 5 * 60 * 1e3
+        });
+        if (verdict.answer !== "y") {
+          return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+        }
+      }
+    } else {
+      const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx);
+      if (verdict.answer !== "y") {
+        return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+      }
+    }
+  }
+  return runHostGh(["pr", op, ...args], lookup.workspacePath);
+}
 async function runBrowserOpenMirror(action, deps) {
   const params = action.params ?? {};
   const url = typeof params.url === "string" ? params.url.trim() : "";
@@ -19001,8 +19505,8 @@ async function runBrowserOpenMirror(action, deps) {
       { ttlMs: TTL_MS }
     );
     if (verdict.answer === "y" && !verdict.cancelled) {
-      const { spawn: spawn32 } = await import("child_process");
-      const child = spawn32("open", [url], { stdio: "ignore", detached: true });
+      const { spawn: spawn52 } = await import("child_process");
+      const child = spawn52("open", [url], { stdio: "ignore", detached: true });
       child.unref();
     }
   } catch (err) {
@@ -19173,7 +19677,23 @@ async function runGitRpc(action, deps) {
       stderr: `failed to resolve branch in sandbox ${containerPath}: ${branchProbe.stderr || branch}`
     };
   }
-  if (action.method === "git.push" && deps.prompts && deps.subscribers) {
+  const isAgentboxBranch = branch.startsWith("agentbox/");
+  const tokenClaimedGit = typeof params.hostInitiated === "string";
+  const incomingHashGit = hashRpcParams(params);
+  const hostInitiatedOk = !isAgentboxBranch && tokenClaimedGit && (deps.hostInitiatedTokens?.consume(
+    params.hostInitiated,
+    deps.boxId,
+    "git.push",
+    incomingHashGit
+  ) ?? false);
+  if (action.method === "git.push" && !isAgentboxBranch && tokenClaimedGit && !hostInitiatedOk) {
+    return {
+      exitCode: 10,
+      stdout: "",
+      stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+    };
+  }
+  if (action.method === "git.push" && !isAgentboxBranch && !hostInitiatedOk && deps.prompts && deps.subscribers) {
     const hasSubscriber = deps.subscribers.forBox(deps.boxId).length > 0;
     if (!hasSubscriber && process.env["AGENTBOX_PROMPT"] !== "off") {
       const noSubMode = (process.env["AGENTBOX_GIT_PUSH_NO_SUB"] ?? "deny").toLowerCase();
@@ -19248,10 +19768,45 @@ async function runGitRpc(action, deps) {
         for (const a2 of params.args) if (typeof a2 === "string") argv.push(a2);
       }
       const push = await execa("git", argv, { reject: false });
+      let pushStderr = push.stderr ?? "";
+      if ((push.exitCode ?? 1) === 0 && !branch.startsWith("agentbox/")) {
+        try {
+          const sha = await execa(
+            "git",
+            ["-C", lookup.workspacePath, "rev-parse", branch],
+            { reject: false }
+          );
+          const shaText = (sha.stdout ?? "").trim();
+          if (sha.exitCode === 0 && shaText.length > 0) {
+            const updateRef = await backend.exec(
+              handle,
+              `git -C ${shellQuote(containerPath)} update-ref refs/remotes/${remote2}/${branch} ${shellQuote(shaText)}`
+            );
+            if (updateRef.exitCode !== 0) {
+              pushStderr += `
+relay: post-push in-box update-ref refs/remotes/${remote2}/${branch} failed: ${updateRef.stderr || updateRef.stdout}`;
+            }
+            const setUpstream = await backend.exec(
+              handle,
+              `git -C ${shellQuote(containerPath)} branch --set-upstream-to=${remote2}/${branch} ${shellQuote(branch)}`
+            );
+            if (setUpstream.exitCode !== 0) {
+              pushStderr += `
+relay: post-push in-box --set-upstream-to=${remote2}/${branch} failed: ${setUpstream.stderr || setUpstream.stdout}`;
+            }
+          } else {
+            pushStderr += `
+relay: post-push rev-parse ${branch} failed on host; skipping in-box origin/upstream sync`;
+          }
+        } catch (err) {
+          pushStderr += `
+relay: post-push in-box origin/upstream sync threw: ${err instanceof Error ? err.message : String(err)}`;
+        }
+      }
       return {
         exitCode: push.exitCode ?? 1,
         stdout: push.stdout ?? "",
-        stderr: push.stderr ?? ""
+        stderr: pushStderr
       };
     }
     const remote = params.remote ?? "origin";
@@ -19363,6 +19918,8 @@ function createRelayServer(opts) {
   const prompts = new PendingPrompts();
   const subscribers = new PromptSubscribers();
   const notices = new BoxNotices(subscribers);
+  const hostInitiatedTokens = new HostInitiatedTokens();
+  let queuePoke = null;
   const host = opts.host ?? "0.0.0.0";
   const mode = opts.mode ?? "host";
   const hostActions = mode === "box" ? new HostActionQueue() : null;
@@ -19373,7 +19930,7 @@ function createRelayServer(opts) {
   let pollers = null;
   async function getPollers() {
     if (!pollers) {
-      const mod = await Promise.resolve().then(() => (init_cloud_poller_ZIWSADJB(), cloud_poller_ZIWSADJB_exports));
+      const mod = await Promise.resolve().then(() => (init_cloud_poller_SUNA6ZQC(), cloud_poller_SUNA6ZQC_exports));
       pollers = new mod.CloudBoxPollers();
     }
     return pollers;
@@ -19495,21 +20052,36 @@ function createRelayServer(opts) {
       if (body.method === "git.push" || body.method === "git.fetch") {
         if (body.method === "git.push") {
           const params = body.params;
-          const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
-            kind: "confirm",
-            message: `Allow git push from box ${reg.name}?`,
-            detail: `${params?.remote ?? "origin"} ${(params?.args ?? []).join(" ")}`.trim(),
-            defaultAnswer: "n",
-            context: {
-              command: "git push",
-              cwd: params?.path,
-              argv: params?.args
-            }
-          });
-          if (verdict.answer !== "y") {
-            send(res, 500, { exitCode: 10, stdout: "", stderr: "denied by user\n" });
+          const worktree = resolveWorktree(reg, params?.path ?? "/workspace");
+          const isAgentboxBranch = worktree?.branch.startsWith("agentbox/") ?? false;
+          const tokenClaimed = typeof params?.hostInitiated === "string";
+          const incomingHash = hashRpcParams(params);
+          const hostInitiatedOk = !isAgentboxBranch && tokenClaimed && hostInitiatedTokens.consume(params?.hostInitiated, reg.boxId, "git.push", incomingHash);
+          if (!isAgentboxBranch && tokenClaimed && !hostInitiatedOk) {
+            send(res, 500, {
+              exitCode: 10,
+              stdout: "",
+              stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+            });
             return;
           }
+          if (!isAgentboxBranch && !hostInitiatedOk) {
+            const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
+              kind: "confirm",
+              message: `Allow git push from box ${reg.name}?`,
+              detail: `${params?.remote ?? "origin"} ${(params?.args ?? []).join(" ")}`.trim(),
+              defaultAnswer: "n",
+              context: {
+                command: "git push",
+                cwd: params?.path,
+                argv: params?.args
+              }
+            });
+            if (verdict.answer !== "y") {
+              send(res, 500, { exitCode: 10, stdout: "", stderr: "denied by user\n" });
+              return;
+            }
+          }
         }
         const result = await handleGitRpc(reg, body.method, body.params);
         const status2 = result.exitCode === 0 ? 200 : 500;
@@ -19542,6 +20114,33 @@ function createRelayServer(opts) {
         send(res, status2, result);
         return;
       }
+      if (body.method.startsWith("gh.pr.")) {
+        const op = body.method.slice("gh.pr.".length);
+        if (!isGhPrOp(op)) {
+          send(res, 400, { error: `unknown gh.pr.* op: ${op}` });
+          return;
+        }
+        const result = await handleGhPrRpc(
+          op,
+          reg,
+          body.params,
+          prompts,
+          subscribers,
+          hostInitiatedTokens
+        );
+        const status2 = result.exitCode === 0 ? 200 : 500;
+        send(res, status2, result);
+        return;
+      }
+      if (body.method === "git.clone" || body.method === "gh.repo.clone") {
+        send(res, 501, {
+          exitCode: 64,
+          stdout: "",
+          stderr: `${body.method}: not yet implemented (deferred; see docs/plans/gh-and-git-shims-host-only.md). Run \`gh\` / \`git\` on the host directly for now.
+`
+        });
+        return;
+      }
       if (body.method === "download.workspace" || body.method === "download.env" || body.method === "download.config" || body.method === "download.claude") {
         const params = body.params;
         const kind = body.method.split(".")[1] ?? "workspace";
@@ -19678,6 +20277,7 @@ function createRelayServer(opts) {
                   boxName: reg.name,
                   prompts,
                   subscribers,
+                  hostInitiatedTokens,
                   log
                 });
                 await respond(result);
@@ -19690,6 +20290,11 @@ function createRelayServer(opts) {
                 });
               }
             } : void 0,
+            // Self-heal a dead preview transport (hetzner SSH `-L` after a
+            // ControlMaster death). The relay strips the `cloud:` prefix
+            // the cloud-provider tags onto BoxRecord.container — what the
+            // backend's `get(sandboxId)` expects is the bare sandbox id.
+            recoverPreviewUrl: reg.backend ? async () => refreshCloudPreviewUrl(reg.backend, reg.boxId, DEFAULT_BOX_RELAY_PORT) : void 0,
             logger: log
           });
         } catch (err) {
@@ -19804,6 +20409,27 @@ data: {"ts":"${(/* @__PURE__ */ new Date()).toISOString()}"}
       send(res, 204, null);
       return;
     }
+    if (route === "POST /admin/host-initiated/mint") {
+      const body = await readJsonBody(req);
+      if (!body || typeof body.boxId !== "string" || body.boxId.length === 0 || typeof body.method !== "string" || body.method.length === 0) {
+        send(res, 400, { error: "expected {boxId, method, paramsHash, ttlMs?}" });
+        return;
+      }
+      let paramsHash;
+      if (body.paramsHash === null || body.paramsHash === void 0) {
+        paramsHash = null;
+      } else if (typeof body.paramsHash === "string" && /^[0-9a-f]{64}$/.test(body.paramsHash)) {
+        paramsHash = body.paramsHash;
+      } else {
+        send(res, 400, { error: "paramsHash must be a 64-hex sha256 string or null" });
+        return;
+      }
+      const ttlMs = typeof body.ttlMs === "number" && Number.isFinite(body.ttlMs) && body.ttlMs > 0 ? body.ttlMs : void 0;
+      const token = hostInitiatedTokens.mint(body.boxId, body.method, paramsHash, ttlMs);
+      log(`host-initiated-mint box=${body.boxId} method=${body.method} paramsBound=${paramsHash !== null}`);
+      send(res, 200, { token });
+      return;
+    }
     if (route === "POST /admin/notices/set") {
       const body = await readJsonBody(req);
       if (!body || typeof body.boxId !== "string" || body.boxId.length === 0 || typeof body.kind !== "string" || body.kind.length === 0 || typeof body.message !== "string" || body.message.length === 0) {
@@ -19816,6 +20442,17 @@ data: {"ts":"${(/* @__PURE__ */ new Date()).toISOString()}"}
       send(res, 200, { id });
       return;
     }
+    if (route === "POST /admin/queue/enqueue") {
+      const body = await readJsonBody(req);
+      if (!body || typeof body.id !== "string" || body.id.length === 0) {
+        send(res, 400, { error: "expected {id}" });
+        return;
+      }
+      log(`queue-enqueue id=${body.id}`);
+      queuePoke?.();
+      send(res, 204, null);
+      return;
+    }
     if (route === "POST /admin/notices/clear") {
       const body = await readJsonBody(req);
       if (!body || typeof body.id !== "string" || body.id.length === 0) {
@@ -19852,6 +20489,9 @@ data: {"ts":"${(/* @__PURE__ */ new Date()).toISOString()}"}
     notices,
     hostActions: hostActions ?? void 0,
     url: `http://${host}:${String(opts.port)}`,
+    setQueuePoke: (fn) => {
+      queuePoke = fn;
+    },
     close: async () => {
       if (pollers) await pollers.stopAll();
       await new Promise((resolve2, reject) => {
@@ -19903,7 +20543,69 @@ async function handleGitRpc(reg, method, params) {
       if (typeof a2 === "string") argv.push(a2);
     }
   }
-  return runHostCommand(argv);
+  const result = await runHostCommand(argv);
+  if (method === "git.push" && result.exitCode === 0 && !worktree.branch.startsWith("agentbox/")) {
+    await runHostCommand([
+      "git",
+      "-C",
+      worktree.hostMainRepo,
+      "branch",
+      `--set-upstream-to=${remote}/${worktree.branch}`,
+      worktree.branch
+    ]);
+  }
+  return result;
+}
+async function handleGhPrRpc(op, reg, params, prompts, subscribers, hostInitiatedTokens) {
+  const mergeBypass = refuseMergeBypass(op);
+  if (mergeBypass) return mergeBypass;
+  const checkoutOptIn = refuseCheckoutByDefault(op);
+  if (checkoutOptIn) return checkoutOptIn;
+  const containerPath = params?.path ?? "/workspace";
+  const worktree = resolveWorktree(reg, containerPath);
+  if (!worktree) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `no worktree registered for box ${reg.boxId} matching ${containerPath}`
+    };
+  }
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const args = Array.isArray(params?.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  if (op === "checkout") {
+    const branches = (reg.worktrees ?? []).map((w) => w.branch);
+    const guard = await checkoutGuards(worktree.hostMainRepo, branches);
+    if (guard) return guard;
+  }
+  const tokenClaimedGh = typeof params?.hostInitiated === "string";
+  const incomingHashGh = hashRpcParams(params);
+  const hostInitiatedOk = !GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGh && hostInitiatedTokens.consume(params?.hostInitiated, reg.boxId, `gh.pr.${op}`, incomingHashGh);
+  if (!GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGh && !hostInitiatedOk) {
+    return {
+      exitCode: 10,
+      stdout: "",
+      stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+    };
+  }
+  if (!GH_PR_READ_ONLY_OPS.has(op) && !hostInitiatedOk) {
+    const detail = args.join(" ").slice(0, 200);
+    const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
+      kind: "confirm",
+      message: `Allow gh pr ${op} from box ${reg.name}?`,
+      detail,
+      defaultAnswer: "n",
+      context: {
+        command: `gh pr ${op}`,
+        cwd: containerPath,
+        argv: args
+      }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+    }
+  }
+  return runHostGh(["pr", op, ...args], worktree.hostMainRepo);
 }
 async function handleCpRpc(reg, method, params) {
   const entry = process.env.AGENTBOX_CLI_ENTRY;
@@ -19964,7 +20666,7 @@ function runHostCommand(argv, timeoutMs = GIT_RPC_TIMEOUT_MS) {
       resolve2({ exitCode: 64, stdout: "", stderr: "empty command" });
       return;
     }
-    const child = (0, import_child_process.spawn)(cmd, rest, {
+    const child = (0, import_child_process2.spawn)(cmd, rest, {
       env: process.env,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -20011,6 +20713,8 @@ async function startRelayServer(opts) {
   });
   return handle;
 }
+var QUEUE_DIR = (0, import_path6.join)(STATE_DIR, "queue");
+var QUEUE_LOGS_DIR = (0, import_path6.join)(STATE_DIR, "logs");
 // src/config.ts
 var import_promises16 = require("fs/promises");
@@ -20321,7 +21025,7 @@ function assertBool(raw, where) {
   if (typeof raw !== "boolean") throw new ConfigError(`${where} must be a boolean`);
   return raw;
 }
-var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults"]);
+var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults", "carry"]);
 function validateUnitGraph(tasks, services) {
   const names = /* @__PURE__ */ new Set();
   for (const t of tasks) {
@@ -20441,8 +21145,95 @@ function describeCommand(cmd) {
   return Array.isArray(cmd) ? cmd.join(" ") : cmd;
 }
-// src/supervisor.ts
+// src/codex-scraper.ts
 var import_node_child_process7 = require("child_process");
+var DEFAULT_INTERVAL_MS = 1e3;
+var DEFAULT_SESSION = "codex";
+var PATTERNS = [
+  // Permission / approval prompts (highest priority — these mean codex is blocked).
+  { re: /Hooks need review|Trust all and continue/i, state: "waiting" },
+  { re: /Do you trust the contents of this directory/i, state: "waiting" },
+  { re: /Allow this command\?|Approve this (command|tool)\?|Press y\/n|\[Y\/n\]/m, state: "waiting" },
+  { re: /Waiting for (your |user )?(response|input|approval|permission)/i, state: "waiting" },
+  // Compaction (codex's `/compact` command and auto-compaction).
+  { re: /Compacting (conversation|context)|Summariz(e|ing) (the )?conversation/i, state: "compacting" },
+  // Failure / fatal-error frames.
+  { re: /\bError:|\bFailed:|^Traceback /m, state: "error" },
+  // Active work signals — pinned to specific codex TUI fragments to avoid
+  // matching every line of english that contains "working" or "running"
+  // (e.g. the directory-trust prompt's "Working with untrusted contents"
+  // warning is NOT a working state).
+  {
+    re: /\b(Thinking\.\.\.|Worked for \d|Streaming response|tool call \w|Running command|Generating response|Reasoning\.\.\.|Editing \w)/m,
+    state: "working"
+  },
+  // Idle: codex shows a status line `gpt-5.5 high · /workspace` (or similar
+  // model · cwd footer) at the bottom of the input prompt when ready for
+  // input. Lower priority than every "busy" pattern above so an in-flight
+  // turn that still shows the footer correctly registers as working.
+  { re: /gpt-\d+(\.\d+)?(-\w+)?\s+(low|medium|high|xhigh)\b|OpenAI Codex \(v\d/i, state: "idle" }
+];
+function startCodexScraper(opts) {
+  const sessionName = opts.sessionName ?? DEFAULT_SESSION;
+  const intervalMs = opts.intervalMs ?? DEFAULT_INTERVAL_MS;
+  const capture = opts.capturePane ?? defaultCapturePane;
+  let lastState = null;
+  let lastSessionPresent = false;
+  let stopped = false;
+  const tick = async () => {
+    if (stopped) return;
+    try {
+      const pane = await capture(sessionName);
+      if (pane === null) {
+        lastSessionPresent = false;
+        return;
+      }
+      if (!lastSessionPresent) {
+        opts.reporter.setCodexState("idle");
+        lastState = "idle";
+        lastSessionPresent = true;
+      }
+      const matched = matchState(pane);
+      if (matched !== null && matched !== lastState) {
+        opts.reporter.setCodexState(matched);
+        lastState = matched;
+      }
+    } catch {
+    }
+  };
+  const timer = setInterval(() => void tick(), intervalMs);
+  timer.unref();
+  void tick();
+  return {
+    stop() {
+      stopped = true;
+      clearInterval(timer);
+    }
+  };
+}
+function matchState(pane) {
+  for (const { re, state } of PATTERNS) {
+    if (re.test(pane)) return state;
+  }
+  return null;
+}
+function defaultCapturePane(sessionName) {
+  return new Promise((resolve2) => {
+    const child = (0, import_node_child_process7.spawn)("tmux", ["capture-pane", "-p", "-t", sessionName], {
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    let stdout = "";
+    child.stdout.on("data", (b) => stdout += b.toString("utf8"));
+    child.on("error", () => resolve2(null));
+    child.on("close", (code) => {
+      if (code === 0) resolve2(stdout);
+      else resolve2(null);
+    });
+  });
+}
+// src/supervisor.ts
+var import_node_child_process8 = require("child_process");
 var import_node_events15 = require("events");
 var import_node_fs7 = require("fs");
 var import_promises18 = require("fs/promises");
@@ -20708,7 +21499,7 @@ var cachedLoginPath;
 function loginShellPath() {
   if (cachedLoginPath !== void 0) return cachedLoginPath;
   try {
-    const out = (0, import_node_child_process7.execFileSync)("bash", ["-lc", 'printf %s "$PATH"'], {
+    const out = (0, import_node_child_process8.execFileSync)("bash", ["-lc", 'printf %s "$PATH"'], {
       encoding: "utf8",
       timeout: 5e3
     }).trim();
@@ -20723,7 +21514,7 @@ var ServiceRunner = class extends import_node_events15.EventEmitter {
     super();
     this.spec = spec;
     this.opts = opts;
-    this.spawnFn = opts.spawn ?? import_node_child_process7.spawn;
+    this.spawnFn = opts.spawn ?? import_node_child_process8.spawn;
     this.setTimer = opts.setTimer ?? ((fn, ms) => setTimeout(fn, ms));
     this.clearTimer = opts.clearTimer ?? ((h2) => {
       clearTimeout(h2);
@@ -20954,7 +21745,7 @@ var TaskRunner = class extends import_node_events15.EventEmitter {
     super();
     this.spec = spec;
     this.opts = opts;
-    this.spawnFn = opts.spawn ?? import_node_child_process7.spawn;
+    this.spawnFn = opts.spawn ?? import_node_child_process8.spawn;
   }
   spec;
   opts;
@@ -21502,10 +22293,10 @@ var import_promises19 = require("fs/promises");
 var import_node_path7 = require("path");
 // src/status-reporter.ts
-var import_node_child_process9 = require("child_process");
+var import_node_child_process10 = require("child_process");
 // src/tmux.ts
-var import_node_child_process8 = require("child_process");
+var import_node_child_process9 = require("child_process");
 var import_node_os4 = require("os");
 var MAX_TITLE_LEN = 120;
 function sanitizePaneTitle(raw, ctx) {
@@ -21519,7 +22310,7 @@ function sanitizePaneTitle(raw, ctx) {
 }
 function runTool(cmd, args) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process8.spawn)(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+    const child = (0, import_node_child_process9.spawn)(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
     child.stdout.on("data", (b) => stdout += b.toString("utf8"));
@@ -21565,8 +22356,12 @@ var StatusReporter = class {
   periodicMs;
   claudeState = "unknown";
   claudeUpdatedAt = null;
+  claudePlan;
+  claudeQuestion;
   codexState = "unknown";
   codexUpdatedAt = null;
+  opencodeState = "unknown";
+  opencodeUpdatedAt = null;
   debounceTimer = null;
   periodicTimer = null;
   onChange = () => this.schedulePush();
@@ -21595,9 +22390,21 @@ var StatusReporter = class {
       this.periodicTimer = null;
     }
   }
-  setClaudeState(state) {
+  setClaudeState(state, payload) {
+    const sticky = this.claudeState === "end-plan" || this.claudeState === "question";
+    if (state === "working" && sticky && !payload?.clearPending) return;
     this.claudeState = state;
     this.claudeUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (payload?.clearPending) {
+      this.claudePlan = void 0;
+      this.claudeQuestion = void 0;
+    }
+    if (state === "end-plan" && payload?.plan) {
+      this.claudePlan = payload.plan;
+    }
+    if (state === "question" && payload?.question) {
+      this.claudeQuestion = payload.question;
+    }
     this.schedulePush();
   }
   setCodexState(state) {
@@ -21605,6 +22412,11 @@ var StatusReporter = class {
     this.codexUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
     this.schedulePush();
   }
+  setOpencodeState(state) {
+    this.opencodeState = state;
+    this.opencodeUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.schedulePush();
+  }
   /** Forced immediate push (used on shutdown). */
   flush() {
     if (this.debounceTimer) {
@@ -21654,7 +22466,9 @@ var StatusReporter = class {
         state: this.claudeState,
         updatedAt: this.claudeUpdatedAt,
         sessionRunning: claudeSession2.running,
-        ...claudeSession2.title ? { sessionTitle: claudeSession2.title } : {}
+        ...claudeSession2.title ? { sessionTitle: claudeSession2.title } : {},
+        ...this.claudePlan ? { plan: this.claudePlan } : {},
+        ...this.claudeQuestion ? { question: this.claudeQuestion } : {}
       }
     };
     if (codexSession.running || this.codexState !== "unknown") {
@@ -21665,9 +22479,11 @@ var StatusReporter = class {
         ...codexSession.title ? { sessionTitle: codexSession.title } : {}
       };
     }
-    if (opencodeSession.running) {
+    if (opencodeSession.running || this.opencodeState !== "unknown") {
       status2.opencode = {
-        sessionRunning: true,
+        state: this.opencodeState,
+        updatedAt: this.opencodeUpdatedAt,
+        sessionRunning: opencodeSession.running,
         ...opencodeSession.title ? { sessionTitle: opencodeSession.title } : {}
       };
     }
@@ -21687,7 +22503,7 @@ async function collectPorts(supervisor) {
 }
 function run(cmd, args) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process9.spawn)(cmd, args, { stdio: ["ignore", "pipe", "ignore"] });
+    const child = (0, import_node_child_process10.spawn)(cmd, args, { stdio: ["ignore", "pipe", "ignore"] });
     let stdout = "";
     child.stdout.on("data", (b) => stdout += b.toString("utf8"));
     child.on("error", () => resolve2({ exitCode: 127, stdout }));
@@ -21844,7 +22660,11 @@ async function handleConnection(sock, opts) {
       if (!CLAUDE_ACTIVITY_STATES.includes(req.state)) {
         writeLine(sock, { ok: false, error: `invalid claude state: ${String(req.state)}` });
       } else {
-        opts.reporter?.setClaudeState(req.state);
+        opts.reporter?.setClaudeState(req.state, {
+          plan: req.plan,
+          question: req.question,
+          clearPending: req.clearPending
+        });
         writeLine(sock, { ok: true, data: "ok" });
       }
       sock.end();
@@ -21860,6 +22680,16 @@ async function handleConnection(sock, opts) {
       sock.end();
       return;
     }
+    case "opencode-state": {
+      if (!CLAUDE_ACTIVITY_STATES.includes(req.state)) {
+        writeLine(sock, { ok: false, error: `invalid opencode state: ${String(req.state)}` });
+      } else {
+        opts.reporter?.setOpencodeState(req.state);
+        writeLine(sock, { ok: true, data: "ok" });
+      }
+      sock.end();
+      return;
+    }
     default: {
       writeLine(sock, { ok: false, error: `unknown op` });
       sock.end();
@@ -21913,7 +22743,85 @@ async function* createLineReader(sock) {
   if (buf.length > 0) yield buf;
 }
+// src/box-relay-forwarder.ts
+var import_node_http3 = require("http");
+var ALLOWED_PATHS = /* @__PURE__ */ new Set(["/rpc", "/events"]);
+function startBoxRelayForwarder(opts) {
+  const log = opts.logger ?? (() => {
+  });
+  const upstream = opts.upstream;
+  const upstreamPort = upstream.port.length > 0 ? Number.parseInt(upstream.port, 10) : upstream.protocol === "https:" ? 443 : 80;
+  const server = (0, import_node_http3.createServer)((req, res) => {
+    const path6 = (req.url ?? "").split("?")[0] ?? "";
+    if (req.method !== "POST" || !ALLOWED_PATHS.has(path6)) {
+      res.writeHead(404, { "Content-Type": "text/plain" });
+      res.end("not found");
+      return;
+    }
+    const headers = { ...req.headers };
+    delete headers.host;
+    delete headers.connection;
+    const upstreamReq = (0, import_node_http3.request)(
+      {
+        host: upstream.hostname,
+        port: upstreamPort,
+        method: "POST",
+        path: `${upstream.pathname.replace(/\/$/, "")}${path6}`,
+        headers,
+        // No keep-alive: the relay holds /rpc open for the lifetime of a
+        // host prompt (potentially many seconds). Reusing sockets across
+        // such calls invites mid-stream resets on Node version drift.
+        agent: false
+      },
+      (upstreamRes) => {
+        res.writeHead(upstreamRes.statusCode ?? 502, upstreamRes.headers);
+        upstreamRes.pipe(res);
+      }
+    );
+    upstreamReq.on("error", (err) => {
+      log(`upstream error on ${path6}: ${err.message}`);
+      if (!res.headersSent) {
+        res.writeHead(502, { "Content-Type": "text/plain" });
+      }
+      res.end();
+    });
+    req.on("error", (err) => {
+      log(`client error on ${path6}: ${err.message}`);
+      upstreamReq.destroy();
+    });
+    req.pipe(upstreamReq);
+  });
+  return new Promise((resolve2, reject) => {
+    const onError = (err) => {
+      reject(err);
+    };
+    server.once("error", onError);
+    server.listen(opts.port, "127.0.0.1", () => {
+      server.removeListener("error", onError);
+      resolve2({
+        url: `http://127.0.0.1:${String(opts.port)}`,
+        close: () => new Promise((res) => {
+          server.close(() => res());
+        })
+      });
+    });
+  });
+}
 // src/commands/daemon.ts
+function resolveBoxRelayPort() {
+  const raw = process.env.AGENTBOX_BOX_RELAY_PORT;
+  if (raw === void 0 || raw.length === 0) return DEFAULT_BOX_RELAY_PORT;
+  const n2 = Number.parseInt(raw, 10);
+  if (!Number.isFinite(n2) || n2 < 1 || n2 > 65535) {
+    process.stderr.write(
+      `agentbox-ctl: AGENTBOX_BOX_RELAY_PORT=${raw} is not a valid port; falling back to ${String(DEFAULT_BOX_RELAY_PORT)}
+`
+    );
+    return DEFAULT_BOX_RELAY_PORT;
+  }
+  return n2;
+}
 var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supervisor in the foreground").option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--config <path>", "path to agentbox.yaml", DEFAULT_CONFIG_PATH).option("--log-dir <path>", "where per-service log files are written", DEFAULT_LOG_DIR).option("--workspace <path>", "cwd for service processes", "/workspace").action(async (opts) => {
   const cfg = await loadConfig(opts.config);
   const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir });
@@ -21925,6 +22833,14 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
     sessionName: DEFAULT_CLAUDE_SESSION_NAME
   });
   reporter.start();
+  let codexScraper = null;
+  try {
+    codexScraper = startCodexScraper({ reporter });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(`agentbox-ctl: codex scraper failed to start: ${msg}
+`);
+  }
   const server = await startServer({
     socketPath: opts.socket,
     supervisor: sup,
@@ -21938,7 +22854,9 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
     `agentbox-ctl: ${String(cfg.services.length)} service(s), ${String(cfg.tasks.length)} task(s) configured
 `
   );
+  const boxRelayPort = resolveBoxRelayPort();
   let inBoxRelay = null;
+  let inBoxForwarder = null;
   if (process.env.AGENTBOX_BOX_KIND === "cloud") {
     const bridgeToken = process.env.AGENTBOX_BRIDGE_TOKEN ?? "";
     const boxId = process.env.AGENTBOX_BOX_ID ?? "";
@@ -21951,7 +22869,7 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
     } else {
       try {
         inBoxRelay = await startRelayServer({
-          port: DEFAULT_RELAY_PORT,
+          port: boxRelayPort,
           host: "0.0.0.0",
           mode: "box",
           bridgeToken,
@@ -21966,7 +22884,7 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
           registeredAt: (/* @__PURE__ */ new Date()).toISOString()
         });
         process.stdout.write(
-          `agentbox-ctl: in-sandbox relay (mode=box) listening on :${String(DEFAULT_RELAY_PORT)}
+          `agentbox-ctl: in-sandbox relay (mode=box) listening on :${String(boxRelayPort)}
 `
         );
       } catch (err) {
@@ -21975,15 +22893,35 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
 `);
       }
     }
+  } else {
+    const upstreamUrl = process.env.AGENTBOX_HOST_RELAY_URL ?? "http://host.docker.internal:8787";
+    try {
+      inBoxForwarder = await startBoxRelayForwarder({
+        port: boxRelayPort,
+        upstream: new URL(upstreamUrl),
+        logger: (line) => process.stdout.write(`relay(fwd): ${line}
+`)
+      });
+      process.stdout.write(
+        `agentbox-ctl: in-box relay forwarder listening on :${String(boxRelayPort)} -> ${upstreamUrl}
+`
+      );
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`agentbox-ctl: in-box relay forwarder failed to start: ${msg}
+`);
+    }
   }
   const shutdown = async (signal) => {
     process.stdout.write(`agentbox-ctl: ${signal} \u2014 shutting down
 `);
+    if (codexScraper) codexScraper.stop();
     reporter.stop();
     reporter.flush();
     server.close();
     await sup.stopAll();
     if (inBoxRelay) await inBoxRelay.close();
+    if (inBoxForwarder) await inBoxForwarder.close();
     process.exit(0);
   };
   process.on("SIGTERM", () => void shutdown("SIGTERM"));
@@ -22030,17 +22968,95 @@ var checkpointCommand = new Command("checkpoint").description("Capture this box
   }
 );
+// src/commands/pr-subcommands.ts
+var PR_SUBCOMMANDS = [
+  {
+    op: "create",
+    description: "Run `gh pr create` on the host (creates a PR for this box's branch). User is prompted on the host wrapper."
+  },
+  { op: "view", description: "Run `gh pr view` on the host (read-only; no prompt)." },
+  { op: "list", description: "Run `gh pr list` on the host (read-only; no prompt)." },
+  { op: "comment", description: "Run `gh pr comment` on the host (prompted; visible to others)." },
+  { op: "review", description: "Run `gh pr review` on the host (prompted; visible to others)." },
+  {
+    op: "merge",
+    description: "Run `gh pr merge` on the host (prompted; destructive \u2014 AGENTBOX_PROMPT=off bypass requires AGENTBOX_GH_FORCE=1)."
+  },
+  {
+    op: "checkout",
+    description: "Run `gh pr checkout` on the host (prompted + clean-tree guard; opt-in via AGENTBOX_GH_PR_CHECKOUT=allow because it switches the host main repo branch)."
+  },
+  { op: "close", description: "Run `gh pr close` on the host (prompted)." },
+  { op: "reopen", description: "Run `gh pr reopen` on the host (prompted)." }
+];
+function buildPrCommand(errorPrefix) {
+  const prCommand = new Command("pr").description(
+    "PR operations via the host `gh` CLI (requires `gh` installed and `gh auth login` on the host)"
+  );
+  for (const spec of PR_SUBCOMMANDS) {
+    prCommand.addCommand(
+      new Command(spec.op).description(spec.description).option("--cwd <path>", "container path identifying which registered worktree to use").addOption(
+        new Option(
+          "--host-initiated-token <token>",
+          "internal: one-time token from the host CLI; skips relay confirm prompt when valid"
+        ).hideHelp()
+      ).allowExcessArguments(true).allowUnknownOption(true).argument(
+        "[args...]",
+        "extra flags forwarded to `gh pr <op>` verbatim (e.g. `--title`, `--body`, `--label`, `--draft`, `--json`)."
+      ).action(async (args, opts) => {
+        const params = { path: opts.cwd ?? process.cwd() };
+        if (args.length > 0) params.args = args;
+        if (opts.hostInitiatedToken) params.hostInitiated = opts.hostInitiatedToken;
+        const code = await postRpcAndExit(`gh.pr.${spec.op}`, params, { errorPrefix });
+        process.exit(code);
+      })
+    );
+  }
+  return prCommand;
+}
+// src/commands/gh.ts
+var repoCommand = new Command("repo").description("GitHub repo operations via the host `gh` CLI (host runs `gh repo \u2026` then ships results to the box)").addCommand(
+  new Command("clone").description(
+    "Clone a github repo into the box via host `gh repo clone`. The host clones into a tmpdir with its creds, bundles, and ships the bundle back; the box materialises the working copy and resets origin to the original URL."
+  ).option("--cwd <path>", "container path identifying which registered worktree to use (default: cwd)").option("--branch <name>", "pass --branch <name> to host gh repo clone").option("--depth <n>", "pass --depth <n> to host gh repo clone").argument("<repo>", "github repo: owner/name shorthand or full URL").argument("[dir]", "target directory inside the box (default: derived from repo)").action(
+    async (repo, dir, opts) => {
+      const params = {
+        path: opts.cwd ?? process.cwd(),
+        repo
+      };
+      if (dir) params.targetPath = dir;
+      const extra = [];
+      if (opts.branch) extra.push("--branch", opts.branch);
+      if (opts.depth) extra.push("--depth", opts.depth);
+      if (extra.length > 0) params.args = extra;
+      const code = await postRpcAndExit("gh.repo.clone", params, {
+        errorPrefix: "agentbox-ctl gh repo clone"
+      });
+      process.exit(code);
+    }
+  )
+);
+var ghCommand = new Command("gh").description("GitHub CLI operations routed through the relay (host `gh` runs with host creds; box never sees a token)").addCommand(buildPrCommand("agentbox-ctl gh pr")).addCommand(repoCommand);
 // src/commands/git.ts
-var import_node_child_process10 = require("child_process");
+var import_node_child_process11 = require("child_process");
+function hostInitiatedOption() {
+  return new Option(
+    "--host-initiated-token <token>",
+    "internal: one-time token from the host CLI; skips relay confirm prompt when valid"
+  ).hideHelp();
+}
 function buildParams(opts, extra) {
   const params = { path: opts.cwd ?? process.cwd() };
   if (opts.remote) params.remote = opts.remote;
   if (extra.length > 0) params.args = extra;
+  if (opts.hostInitiatedToken) params.hostInitiated = opts.hostInitiatedToken;
   return params;
 }
 function runLocalGit(args, cwd) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process10.spawn)("git", args, { cwd, stdio: "inherit" });
+    const child = (0, import_node_child_process11.spawn)("git", args, { cwd, stdio: "inherit" });
     child.on("close", (code) => resolve2(code ?? 1));
     child.on("error", (err) => {
       process.stderr.write(`agentbox-ctl git: ${String(err.message ?? err)}
@@ -22050,14 +23066,20 @@ function runLocalGit(args, cwd) {
   });
 }
 var gitCommand = new Command("git").description("Git operations that need host credentials (routed through the agentbox relay)").addCommand(
-  new Command("push").description("Run `git push` on the host main repo against this box's branch (user is prompted on the host wrapper to confirm)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument("[args...]", "additional args forwarded to git push").action(async (args, opts) => {
+  new Command("push").description("Run `git push` on the host main repo against this box's branch (user is prompted on the host wrapper to confirm)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
+    "[args...]",
+    "extra flags appended to the host-built `git push <remote> <branch>` (e.g. `--force-with-lease`, `--tags`). Do NOT re-pass the remote or branch \u2014 they are taken from --remote and the registered worktree; appending them as positionals makes git treat them as refspecs and fail with `refs/remotes/origin/HEAD cannot be resolved to branch`. Use --remote to change the remote."
+  ).action(async (args, opts) => {
     const code = await postRpcAndExit("git.push", buildParams(opts, args), {
       errorPrefix: "agentbox-ctl git"
     });
     process.exit(code);
   })
 ).addCommand(
-  new Command("fetch").description("Run `git fetch` on the host main repo (refs land in the shared .git)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument("[args...]", "additional args forwarded to git fetch").action(async (args, opts) => {
+  new Command("fetch").description("Run `git fetch` on the host main repo (refs land in the shared .git)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
+    "[args...]",
+    "extra flags appended to the host-built `git fetch <remote> <branch>` (e.g. `--prune`, `--tags`). Do NOT re-pass the remote or branch; they come from --remote and the registered worktree (same gotcha as `push`)."
+  ).action(async (args, opts) => {
     const code = await postRpcAndExit("git.fetch", buildParams(opts, args), {
       errorPrefix: "agentbox-ctl git"
     });
@@ -22066,7 +23088,10 @@ var gitCommand = new Command("git").description("Git operations that need host c
 ).addCommand(
   new Command("pull").description(
     "Fetch via the relay (host creds), then merge into the in-container working tree locally"
-  ).option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").option("--ff-only", "pass --ff-only to the local merge").allowExcessArguments(true).allowUnknownOption(true).argument("[args...]", "additional args forwarded to git fetch").action(
+  ).option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").option("--ff-only", "pass --ff-only to the local merge").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
+    "[args...]",
+    "extra flags appended to the host-built `git fetch <remote> <branch>` (e.g. `--prune`). Do NOT re-pass the remote or branch; they come from --remote and the registered worktree (same gotcha as `push`)."
+  ).action(
     async (args, opts) => {
       const fetchCode = await postRpcAndExit("git.fetch", buildParams(opts, args), {
         errorPrefix: "agentbox-ctl git"
@@ -22081,7 +23106,27 @@ var gitCommand = new Command("git").description("Git operations that need host c
       process.exit(mergeCode);
     }
   )
-);
+).addCommand(
+  new Command("clone").description(
+    "Clone a github repo into the box. Host runs `git clone` with its creds into a tmpdir, bundles, and ships the bundle back; the box materialises the working copy and resets origin to the original URL."
+  ).option("--cwd <path>", "container path identifying which registered worktree to use (default: cwd)").option("--branch <name>", "pass --branch <name> to host git clone").option("--depth <n>", "pass --depth <n> to host git clone").argument("<url>", "github URL or owner/name shorthand").argument("[dir]", "target directory inside the box (default: derived from url)").action(
+    async (url, dir, opts) => {
+      const params = {
+        path: opts.cwd ?? process.cwd(),
+        url
+      };
+      if (dir) params.targetPath = dir;
+      const extra = [];
+      if (opts.branch) extra.push("--branch", opts.branch);
+      if (opts.depth) extra.push("--depth", opts.depth);
+      if (extra.length > 0) params.args = extra;
+      const code = await postRpcAndExit("git.clone", params, {
+        errorPrefix: "agentbox-ctl git clone"
+      });
+      process.exit(code);
+    }
+  )
+).addCommand(buildPrCommand("agentbox-ctl git pr"));
 // src/commands/notify.ts
 async function reportState(opts, state) {
@@ -22103,7 +23148,7 @@ var notifyCommand = new Command("notify").description(
 );
 // src/commands/open.ts
-var import_node_child_process11 = require("child_process");
+var import_node_child_process12 = require("child_process");
 var OPEN_TIMEOUT_MS = 3e4;
 function isHttpUrl(value) {
   try {
@@ -22115,7 +23160,7 @@ function isHttpUrl(value) {
 }
 function openInBoxBrowser(url) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process11.spawn)("agent-browser", ["open", "--headed", url], { stdio: "inherit" });
+    const child = (0, import_node_child_process12.spawn)("agent-browser", ["open", "--headed", url], { stdio: "inherit" });
     const timer = setTimeout(() => {
       child.kill("SIGTERM");
       process.stderr.write(
@@ -22334,9 +23379,11 @@ program2.addCommand(reloadCommand);
 program2.addCommand(claudeSessionCommand);
 program2.addCommand(claudeStateCommand);
 program2.addCommand(codexStateCommand);
+program2.addCommand(opencodeStateCommand);
 program2.addCommand(waitReadyCommand);
 program2.addCommand(runTaskCommand);
 program2.addCommand(gitCommand);
+program2.addCommand(ghCommand);
 program2.addCommand(checkpointCommand);
 program2.addCommand(cpCommand);
 program2.addCommand(downloadCommand);