@madarco/agentbox 0.7.0 → 0.9.0

package/dist/{chunk-NAVL4R34.js → chunk-NCJP5MTN.js}

@@ -1,15 +1,39 @@
 #!/usr/bin/env node
+import {
+  DEFAULT_BOX_IMAGE,
+  GitWorktreeError,
+  STATE_DIR,
+  STATE_FILE,
+  allocateProjectIndex,
+  buildImage,
+  computeDockerContextFingerprint,
+  detectGitRepos,
+  ensureImage,
+  findBox,
+  imageExists,
+  pickFreshBranch,
+  preparedMatches,
+  readCliStamp,
+  readPreparedDockerState,
+  readState,
+  recordBox,
+  removeBoxRecord,
+  writePreparedDockerState
+} from "./chunk-KL36BRN4.js";
 
 // ../../packages/sandbox-docker/dist/index.js
 import { randomBytes as randomBytes3 } from "crypto";
 import { mkdir as mkdir7, stat as stat6 } from "fs/promises";
 import { homedir as homedir9 } from "os";
-import { basename as basename2, join as join10, resolve as resolve4 } from "path";
-import { execa as execa14 } from "execa";
+import { basename as basename2, join as join10, resolve as resolve3 } from "path";
+import { execa as execa13 } from "execa";
 
 // ../../packages/ctl/dist/index.js
 import { readFile } from "fs/promises";
 import { parse as parseYaml } from "yaml";
+import { readFile as readFile2 } from "fs/promises";
+import { parse as parseYaml2 } from "yaml";
+var BOX_STATUS_EVENT = "box-status";
 function renderStatusTable(rows) {
   if (rows.length === 0) return "(no services configured)";
   const headers = ["NAME", "STATE", "PID", "RESTARTS", "LAST EXIT", "BLOCKED ON", "COMMAND"];
@@ -372,7 +396,7 @@ function assertBool(raw, where) {
   if (typeof raw !== "boolean") throw new ConfigError(`${where} must be a boolean`);
   return raw;
 }
-var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults"]);
+var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults", "carry"]);
 function validateUnitGraph(tasks, services) {
   const names = /* @__PURE__ */ new Set();
   for (const t of tasks) {
@@ -488,27 +512,217 @@ async function loadConfig(path) {
   }
   return parseConfig(text);
 }
+var CarryConfigError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CarryConfigError";
+  }
+};
+var ITEM_KEYS = /* @__PURE__ */ new Set(["src", "dest", "mode", "user", "optional"]);
+function parseUser(raw, where) {
+  if (raw === void 0 || raw === null) return void 0;
+  let n;
+  if (typeof raw === "number") {
+    if (!Number.isInteger(raw) || raw < 0) {
+      throw new CarryConfigError(`${where}.user must be a non-negative integer uid (got ${String(raw)})`);
+    }
+    n = raw;
+  } else if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (!/^[0-9]+$/.test(trimmed)) {
+      throw new CarryConfigError(
+        `${where}.user "${raw}" must be a numeric uid (e.g. 1000). Usernames not supported \u2014 look up the uid first.`
+      );
+    }
+    n = parseInt(trimmed, 10);
+  } else {
+    throw new CarryConfigError(`${where}.user must be a non-negative integer uid`);
+  }
+  if (n > 65535) {
+    throw new CarryConfigError(`${where}.user must be between 0 and 65535 (got ${String(n)})`);
+  }
+  return n;
+}
+function isPlainObject2(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function assertSrcShape(src, where) {
+  if (src.length === 0) {
+    throw new CarryConfigError(`${where}.src must not be empty`);
+  }
+  if (!src.startsWith("/") && !src.startsWith("~/") && !src.startsWith("./")) {
+    throw new CarryConfigError(
+      `${where}.src "${src}" must start with /, ~/, or ./ (bare relative paths are rejected to avoid surprises)`
+    );
+  }
+}
+function assertDestShape(dest, where) {
+  if (dest.length === 0) {
+    throw new CarryConfigError(`${where}.dest must not be empty`);
+  }
+  if (!dest.startsWith("/") && !dest.startsWith("~/")) {
+    throw new CarryConfigError(
+      `${where}.dest "${dest}" must start with / or ~/ (relative box-side paths are not allowed)`
+    );
+  }
+}
+function parseMode(raw, where) {
+  if (raw === void 0 || raw === null) return void 0;
+  let n;
+  if (typeof raw === "number") {
+    if (!Number.isInteger(raw) || raw < 0) {
+      throw new CarryConfigError(`${where}.mode must be a non-negative integer (got ${String(raw)})`);
+    }
+    n = raw;
+  } else if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (trimmed.length === 0) {
+      throw new CarryConfigError(`${where}.mode must not be empty`);
+    }
+    const cleaned = trimmed.startsWith("0o") || trimmed.startsWith("0O") ? trimmed.slice(2) : trimmed;
+    if (!/^[0-7]+$/.test(cleaned)) {
+      throw new CarryConfigError(
+        `${where}.mode "${raw}" must be an octal number (e.g. 0o600, "0600", "600")`
+      );
+    }
+    n = parseInt(cleaned, 8);
+  } else {
+    throw new CarryConfigError(`${where}.mode must be a number or octal string`);
+  }
+  if (n < 0 || n > 4095) {
+    throw new CarryConfigError(`${where}.mode must be between 0 and 0o7777 (got ${n.toString(8)})`);
+  }
+  return n;
+}
+function parseShorthand(raw, where) {
+  const eq = raw.indexOf("=");
+  let src;
+  let dest;
+  if (eq === -1) {
+    src = raw;
+    dest = raw;
+  } else {
+    src = raw.slice(0, eq);
+    dest = raw.slice(eq + 1);
+  }
+  src = src.trim();
+  dest = dest.trim();
+  assertSrcShape(src, where);
+  if (eq === -1) {
+    if (src.startsWith("./")) {
+      throw new CarryConfigError(
+        `${where} shorthand "${raw}" must specify an explicit dest (use "src=dest") when src starts with ./`
+      );
+    }
+  }
+  assertDestShape(dest, where);
+  return { src, dest, optional: false };
+}
+function parseMapping(raw, where) {
+  for (const key of Object.keys(raw)) {
+    if (!ITEM_KEYS.has(key)) {
+      throw new CarryConfigError(`${where} has unknown key "${key}"`);
+    }
+  }
+  const srcRaw = raw.src;
+  if (typeof srcRaw !== "string") {
+    throw new CarryConfigError(`${where}.src must be a string`);
+  }
+  const src = srcRaw.trim();
+  assertSrcShape(src, where);
+  let dest;
+  if (raw.dest === void 0 || raw.dest === null) {
+    if (src.startsWith("./")) {
+      throw new CarryConfigError(
+        `${where}.dest is required when src starts with ./ (no sensible in-box default)`
+      );
+    }
+    dest = src;
+  } else {
+    if (typeof raw.dest !== "string") {
+      throw new CarryConfigError(`${where}.dest must be a string`);
+    }
+    dest = raw.dest.trim();
+  }
+  assertDestShape(dest, where);
+  const mode = parseMode(raw.mode, where);
+  const user = parseUser(raw.user, where);
+  let optional = false;
+  if (raw.optional !== void 0 && raw.optional !== null) {
+    if (typeof raw.optional !== "boolean") {
+      throw new CarryConfigError(`${where}.optional must be a boolean`);
+    }
+    optional = raw.optional;
+  }
+  const out = { src, dest, optional };
+  if (mode !== void 0) out.mode = mode;
+  if (user !== void 0) out.user = user;
+  return out;
+}
+function parseCarryRaw(raw) {
+  if (raw === void 0 || raw === null) return [];
+  if (!Array.isArray(raw)) {
+    throw new CarryConfigError("carry must be a list of strings or mappings");
+  }
+  const out = [];
+  for (const [i, item] of raw.entries()) {
+    const where = `carry[${String(i)}]`;
+    if (typeof item === "string") {
+      out.push(parseShorthand(item, where));
+    } else if (isPlainObject2(item)) {
+      out.push(parseMapping(item, where));
+    } else {
+      throw new CarryConfigError(`${where} must be a string or mapping`);
+    }
+  }
+  return out;
+}
+function parseCarrySection(text) {
+  let doc;
+  try {
+    doc = parseYaml2(text);
+  } catch (err) {
+    throw new CarryConfigError(
+      `yaml parse error: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (doc === null || doc === void 0) return [];
+  if (!isPlainObject2(doc)) {
+    throw new CarryConfigError("top-level config must be a mapping");
+  }
+  return parseCarryRaw(doc.carry);
+}
+async function loadCarrySection(path) {
+  let text;
+  try {
+    text = await readFile2(path, "utf8");
+  } catch (err) {
+    if (err.code === "ENOENT") return [];
+    throw err;
+  }
+  return parseCarrySection(text);
+}
 
 // ../../packages/sandbox-docker/dist/index.js
 import { spawnSync } from "child_process";
-import { mkdir as mkdir22, mkdtemp, readdir as readdir3, readFile as readFile23, rm as rm2, stat as stat4, writeFile as writeFile3 } from "fs/promises";
-import { homedir as homedir22, tmpdir } from "os";
-import { join as join23, relative } from "path";
+import { mkdir as mkdir22, mkdtemp, readdir as readdir3, readFile as readFile24, rm as rm2, stat as stat3, writeFile as writeFile3 } from "fs/promises";
+import { homedir as homedir2, tmpdir } from "os";
+import { join as join22, relative } from "path";
 import { setTimeout as delay } from "timers/promises";
 import { execa as execa3 } from "execa";
-import { execa as execa4 } from "execa";
+import { execa as execa2 } from "execa";
 import { mkdir as mkdir3, readFile as readFile4 } from "fs/promises";
 import { homedir as homedir3 } from "os";
 import { join as join4 } from "path";
 import { execa as execa22 } from "execa";
 
 // ../../packages/config/dist/index.js
-import { parse as parseYaml2 } from "yaml";
+import { parse as parseYaml3 } from "yaml";
 import { createHash } from "crypto";
 import { realpath, stat } from "fs/promises";
 import { homedir } from "os";
 import { basename, dirname, join, resolve } from "path";
-import { readFile as readFile2 } from "fs/promises";
+import { readFile as readFile3 } from "fs/promises";
 import { parse as parseYaml22 } from "yaml";
 import { mkdir, readFile as readFile22, rename, rm, stat as stat2, writeFile } from "fs/promises";
 import { dirname as dirname2, isAbsolute, join as join2 } from "path";
@@ -522,6 +736,7 @@ var BUILT_IN_DEFAULTS = {
     defaultCheckpointDocker: "",
     defaultCheckpointDaytona: "",
     defaultCheckpointHetzner: "",
+    defaultCheckpointVercel: "",
     withPlaywright: false,
     withEnv: false,
     vnc: true,
@@ -533,7 +748,11 @@ var BUILT_IN_DEFAULTS = {
     memory: 0,
     cpus: 0,
     pidsLimit: 0,
-    disk: ""
+    disk: "",
+    bundleDepth: void 0,
+    vercelVcpus: 2,
+    vercelTimeoutMs: 27e5,
+    vercelNetworkPolicy: ""
   },
   checkpoint: {
     maxLayers: 3
@@ -582,6 +801,15 @@ var BUILT_IN_DEFAULTS = {
     maxRunningBoxes: 5,
     idleMinutes: 5
   },
+  queue: {
+    enabled: true,
+    maxConcurrent: 5,
+    maxWorking: 0,
+    idleGraceSeconds: 15
+  },
+  cloud: {
+    useCurrentBranch: false
+  },
   maintenance: {
     pruneProjectConfigs: true,
     pruneProjectConfigsEvery: 50
@@ -591,8 +819,8 @@ var KEY_REGISTRY = [
   {
     key: "box.provider",
     type: "enum",
-    enumValues: ["docker", "daytona", "hetzner"],
-    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, or Hetzner Cloud VPSes."
+    enumValues: ["docker", "daytona", "hetzner", "vercel"],
+    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, or Vercel Sandboxes."
   },
   {
     key: "box.hostSnapshot",
@@ -622,6 +850,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for hetzner. Wins over the global when set; set via `agentbox checkpoint set-default --provider hetzner`.",
     advanced: true
   },
+  {
+    key: "box.defaultCheckpointVercel",
+    type: "string",
+    description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -690,6 +924,26 @@ var KEY_REGISTRY = [
     description: "Best-effort writable-layer size for new boxes, e.g. '10G'. No-op on overlay2 / the macOS engines.",
     advanced: true
   },
+  {
+    key: "box.bundleDepth",
+    type: "int",
+    description: "Cap git bundle history shipped to cloud sandboxes (daytona, hetzner). 0 = full history. Unset = adaptive default (last 200 commits; re-bundle at 100 if the bundle exceeds 20 MB). Ignored for docker (which bind-mounts .git/)."
+  },
+  {
+    key: "box.vercelVcpus",
+    type: "int",
+    description: "vCPUs for new --provider vercel boxes (Vercel couples RAM at 2048 MB/vCPU). Default 2. Vercel only accepts specific counts (e.g. 1, 2, 4, 8) \u2014 an unsupported value fails create with a 400. Vercel-only; ignored by other providers."
+  },
+  {
+    key: "box.vercelTimeoutMs",
+    type: "int",
+    description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
+  },
+  {
+    key: "box.vercelNetworkPolicy",
+    type: "string",
+    description: "Egress lock for new --provider vercel boxes: 'allow-all' (default, unset), 'deny-all', or a comma-separated domain allowlist (e.g. 'github.com,*.npmjs.org') that denies everything else. Vercel-only; ignored by other providers."
+  },
   {
     key: "claude.sessionName",
     type: "string",
@@ -797,6 +1051,31 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Minutes a box must be continuously idle (claude state) before it is eligible for auto-pause."
   },
+  {
+    key: "queue.enabled",
+    type: "bool",
+    description: "Run `agentbox claude|codex|opencode -i <prompt>` jobs through the host-wide background queue (FIFO, capped by queue.maxConcurrent)."
+  },
+  {
+    key: "queue.maxConcurrent",
+    type: "int",
+    description: "Max number of simultaneously-running boxes (across providers) before background `-i` jobs queue up instead of starting immediately. Per-invocation override: `--max-running <n>`."
+  },
+  {
+    key: "queue.maxWorking",
+    type: "int",
+    description: "Max agents actively working/thinking (quota-consuming) at once before background `-i` jobs queue. 0 = disabled (use the queue.maxConcurrent running-box gate). Counts all boxes, foreground + queued. Per-invocation override: `--max-working <n>`."
+  },
+  {
+    key: "queue.idleGraceSeconds",
+    type: "int",
+    description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
+  },
+  {
+    key: "cloud.useCurrentBranch",
+    type: "bool",
+    description: "On cloud providers (daytona/hetzner), start new boxes on the host's current branch instead of forking a new agentbox/<box-name> branch. Overridden by an explicit --use-branch / --from-branch."
+  },
   {
     key: "maintenance.pruneProjectConfigs",
     type: "bool",
@@ -818,7 +1097,7 @@ var UserConfigError = class extends Error {
     this.name = "UserConfigError";
   }
 };
-function isPlainObject2(v) {
+function isPlainObject3(v) {
   return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 var RENAMED_KEYS = /* @__PURE__ */ new Map([["box.snapshot", "box.hostSnapshot"]]);
@@ -875,25 +1154,34 @@ function coerceTypedValue(raw, desc, where) {
 function parseUserConfig(text, where) {
   let doc;
   try {
-    doc = parseYaml2(text);
+    doc = parseYaml3(text);
   } catch (err) {
     throw new UserConfigError(
       `${where}: yaml parse error: ${err instanceof Error ? err.message : String(err)}`
     );
   }
   if (doc === null || doc === void 0) return {};
-  if (!isPlainObject2(doc)) {
+  if (!isPlainObject3(doc)) {
     throw new UserConfigError(`${where}: top-level must be a mapping`);
   }
   return parseUserConfigObject(doc, where);
 }
 function parseUserConfigObject(doc, where) {
   if (doc === null || doc === void 0) return {};
-  if (!isPlainObject2(doc)) {
+  if (!isPlainObject3(doc)) {
     throw new UserConfigError(`${where}: must be a mapping`);
   }
   const out = {};
   for (const [branchName, branchRaw] of Object.entries(doc)) {
+    if (branchName === "schema") {
+      if (branchRaw !== void 0 && branchRaw !== null) {
+        if (typeof branchRaw !== "number" || !Number.isInteger(branchRaw)) {
+          throw new UserConfigError(`${where}.schema: must be an integer (got ${String(branchRaw)})`);
+        }
+        out.schema = branchRaw;
+      }
+      continue;
+    }
     const branchSpec = BRANCHES.get(branchName);
     if (!branchSpec) {
       throw new UserConfigError(
@@ -901,7 +1189,7 @@ function parseUserConfigObject(doc, where) {
       );
     }
     if (branchRaw === null || branchRaw === void 0) continue;
-    if (!isPlainObject2(branchRaw)) {
+    if (!isPlainObject3(branchRaw)) {
       throw new UserConfigError(`${where}.${branchName}: must be a mapping`);
     }
     const branchOut = {};
@@ -978,9 +1266,9 @@ function lookupKeyOrThrow(key) {
   }
   return desc;
 }
-var STATE_DIR = join(homedir(), ".agentbox");
-var GLOBAL_CONFIG_FILE = join(STATE_DIR, "config.yaml");
-var PROJECTS_DIR = join(STATE_DIR, "projects");
+var STATE_DIR2 = join(homedir(), ".agentbox");
+var GLOBAL_CONFIG_FILE = join(STATE_DIR2, "config.yaml");
+var PROJECTS_DIR = join(STATE_DIR2, "projects");
 var WORKSPACE_CONFIG_BASENAME = "agentbox.yaml";
 async function findProjectRoot(cwd) {
   const start = await canonicalize(cwd);
@@ -1042,7 +1330,7 @@ async function configPathFor(scope, cwd) {
 async function loadOptionalUserConfig(path) {
   let text;
   try {
-    text = await readFile2(path, "utf8");
+    text = await readFile3(path, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return {};
     throw err;
@@ -1053,7 +1341,7 @@ async function loadProjectAgentboxDefaults(workspacePath) {
   const path = workspaceConfigFile(workspacePath);
   let text;
   try {
-    text = await readFile2(path, "utf8");
+    text = await readFile3(path, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return {};
     throw err;
@@ -1143,7 +1431,7 @@ function writeLeaf(obj, branch, leaf, value) {
   b[leaf] = value;
 }
 function resolveDefaultCheckpoint(cfg, provider) {
-  const perProvider = provider === "daytona" ? cfg.box.defaultCheckpointDaytona : provider === "hetzner" ? cfg.box.defaultCheckpointHetzner : cfg.box.defaultCheckpointDocker;
+  const perProvider = provider === "daytona" ? cfg.box.defaultCheckpointDaytona : provider === "hetzner" ? cfg.box.defaultCheckpointHetzner : provider === "vercel" ? cfg.box.defaultCheckpointVercel : cfg.box.defaultCheckpointDocker;
   if (perProvider && perProvider.length > 0) return perProvider;
   return cfg.box.defaultCheckpoint;
 }
@@ -1151,6 +1439,7 @@ function defaultCheckpointConfigKey(provider) {
   if (provider === "docker") return "box.defaultCheckpointDocker";
   if (provider === "daytona") return "box.defaultCheckpointDaytona";
   if (provider === "hetzner") return "box.defaultCheckpointHetzner";
+  if (provider === "vercel") return "box.defaultCheckpointVercel";
   return "box.defaultCheckpoint";
 }
 async function setConfigValue(scope, key, value, cwd, opts = {}) {
@@ -1161,6 +1450,7 @@ async function setConfigValue(scope, key, value, cwd, opts = {}) {
   const path = await configPathFor(scope, cwd);
   const current = await readExistingDoc(path);
   setLeaf(current, key, coerced);
+  stampSchema(current);
   parseUserConfig(stringifyYaml(current), path);
   await atomicWriteYaml(path, current);
   if (scope === "project") {
@@ -1177,6 +1467,7 @@ async function unsetConfigValue(scope, key, cwd) {
   const current = await readExistingDoc(path);
   const existed = unsetLeaf(current, key);
   if (!existed) return { path, existed: false };
+  stampSchema(current);
   await atomicWriteYaml(path, current);
   if (scope === "project") {
     const root = (await findProjectRoot(cwd)).root;
@@ -1287,6 +1578,12 @@ async function readExistingDoc(path) {
   }
   return parseUserConfig(text, path);
 }
+var CURRENT_CONFIG_SCHEMA = 1;
+function stampSchema(doc) {
+  if (typeof doc.schema !== "number") {
+    doc.schema = CURRENT_CONFIG_SCHEMA;
+  }
+}
 function setLeaf(doc, key, value) {
   const idx = key.indexOf(".");
   const branch = key.slice(0, idx);
@@ -1341,181 +1638,7 @@ async function touchProjectMeta(absPath) {
 // ../../packages/sandbox-docker/dist/index.js
 import { chmod, mkdir as mkdir32, readFile as readFile32 } from "fs/promises";
 import { join as join32 } from "path";
-import { execa as execa42 } from "execa";
-
-// ../../packages/sandbox-core/dist/index.js
-import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname3, join as join3 } from "path";
-import { execa } from "execa";
-import { readdir as readdir2, stat as stat3 } from "fs/promises";
-import { join as join22 } from "path";
-var STATE_DIR2 = join3(homedir2(), ".agentbox");
-var STATE_FILE = join3(STATE_DIR2, "state.json");
-var EMPTY = { version: 1, boxes: [] };
-async function readState(path = STATE_FILE) {
-  try {
-    const raw = await readFile3(path, "utf8");
-    const parsed = JSON.parse(raw);
-    if (parsed.version !== 1 || !Array.isArray(parsed.boxes)) {
-      throw new Error(`unrecognized state file shape at ${path}`);
-    }
-    for (const b of parsed.boxes) {
-      b.provider ??= "docker";
-      if ((b.provider ?? "docker") === "docker" && !b.docker) {
-        b.docker = projectDockerFields(b);
-      }
-    }
-    return parsed;
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return { ...EMPTY };
-    }
-    throw err;
-  }
-}
-async function writeState(state, path = STATE_FILE) {
-  await mkdir2(dirname3(path), { recursive: true });
-  await writeFile2(path, JSON.stringify(state, null, 2) + "\n", "utf8");
-}
-async function recordBox(box, path = STATE_FILE) {
-  const toWrite = (box.provider ?? "docker") === "docker" && !box.docker ? { ...box, docker: projectDockerFields(box) } : box;
-  const state = await readState(path);
-  const next = {
-    version: 1,
-    boxes: [...state.boxes.filter((b) => b.id !== toWrite.id), toWrite]
-  };
-  await writeState(next, path);
-}
-function projectDockerFields(box) {
-  return {
-    container: box.container,
-    image: box.image,
-    snapshotDir: box.snapshotDir ?? null,
-    socketPath: box.socketPath,
-    claudeConfigVolume: box.claudeConfigVolume,
-    codexConfigVolume: box.codexConfigVolume,
-    opencodeConfigVolume: box.opencodeConfigVolume,
-    vscodeServerVolume: box.vscodeServerVolume,
-    cursorServerVolume: box.cursorServerVolume,
-    vncHostPort: box.vncHostPort,
-    webHostPort: box.webHostPort,
-    portlessAlias: box.portlessAlias,
-    portlessUrl: box.portlessUrl,
-    dockerVolume: box.dockerVolume,
-    dockerCacheShared: box.dockerCacheShared,
-    checkpointImage: box.checkpointImage
-  };
-}
-async function removeBoxRecord(id, path = STATE_FILE) {
-  const state = await readState(path);
-  const before = state.boxes.length;
-  const next = {
-    version: 1,
-    boxes: state.boxes.filter((b) => b.id !== id)
-  };
-  if (next.boxes.length === before) return false;
-  await writeState(next, path);
-  return true;
-}
-function findBox(idOrName, state) {
-  const q = idOrName.trim();
-  if (q.length === 0) return { kind: "none" };
-  const exactId = state.boxes.find((b) => b.id === q);
-  if (exactId) return { kind: "ok", box: exactId };
-  const prefixMatches = state.boxes.filter((b) => b.id.startsWith(q));
-  if (prefixMatches.length === 1) return { kind: "ok", box: prefixMatches[0] };
-  if (prefixMatches.length > 1) return { kind: "ambiguous", matches: prefixMatches };
-  const byName = state.boxes.find((b) => b.name === q);
-  if (byName) return { kind: "ok", box: byName };
-  const byContainer = state.boxes.find((b) => b.container === q);
-  if (byContainer) return { kind: "ok", box: byContainer };
-  return { kind: "none" };
-}
-function allocateProjectIndex(state, projectRoot) {
-  let max = 0;
-  for (const b of state.boxes) {
-    if (b.projectRoot !== projectRoot) continue;
-    if (typeof b.projectIndex === "number" && b.projectIndex > max) {
-      max = b.projectIndex;
-    }
-  }
-  return max + 1;
-}
-function autoPickProjectBox(state, projectRoot) {
-  const matches = state.boxes.filter((b) => b.projectRoot === projectRoot);
-  if (matches.length === 0) return { kind: "none" };
-  if (matches.length === 1) return { kind: "ok", box: matches[0] };
-  return { kind: "ambiguous", matches };
-}
-function resolveBoxRef(ref, state, projectRoot) {
-  if (ref === void 0) {
-    if (projectRoot === void 0) return { kind: "none" };
-    return autoPickProjectBox(state, projectRoot);
-  }
-  const trimmed = ref.trim();
-  if (projectRoot !== void 0 && /^[1-9][0-9]*$/.test(trimmed)) {
-    const idx = Number.parseInt(trimmed, 10);
-    const hit = state.boxes.find(
-      (b) => b.projectRoot === projectRoot && b.projectIndex === idx
-    );
-    return hit ? { kind: "ok", box: hit } : { kind: "none" };
-  }
-  return findBox(trimmed, state);
-}
-async function detectGitRepos(workspace) {
-  const out = [];
-  if (await isGitDir(join22(workspace, ".git"))) {
-    out.push({ kind: "root", hostMainRepo: workspace, relPathFromWorkspace: "" });
-  }
-  let entries;
-  try {
-    entries = await readdir2(workspace, { withFileTypes: true });
-  } catch {
-    return out;
-  }
-  for (const e of entries) {
-    if (!e.isDirectory() || e.name.startsWith(".")) continue;
-    const sub = join22(workspace, e.name);
-    if (await isGitDir(join22(sub, ".git"))) {
-      out.push({ kind: "nested", hostMainRepo: sub, relPathFromWorkspace: e.name });
-    }
-  }
-  return out;
-}
-async function isGitDir(path) {
-  try {
-    const s = await stat3(path);
-    return s.isDirectory();
-  } catch {
-    return false;
-  }
-}
-async function pickFreshBranch(hostMainRepo, base) {
-  let candidate = base;
-  let suffix = 2;
-  while (await branchExists(hostMainRepo, candidate)) {
-    candidate = `${base}-${String(suffix++)}`;
-    if (suffix > 100) throw new GitWorktreeError(`could not find a free branch name near ${base}`);
-  }
-  return candidate;
-}
-async function branchExists(hostMainRepo, name) {
-  const result = await execa(
-    "git",
-    ["-C", hostMainRepo, "show-ref", "--verify", "--quiet", `refs/heads/${name}`],
-    { reject: false }
-  );
-  return result.exitCode === 0;
-}
-var GitWorktreeError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "GitWorktreeError";
-  }
-};
-
-// ../../packages/sandbox-docker/dist/index.js
+import { execa as execa4 } from "execa";
 import { spawnSync as spawnSync2 } from "child_process";
 import { stat as stat22 } from "fs/promises";
 import { homedir as homedir32 } from "os";
@@ -1526,7 +1649,7 @@ import { stat as stat32 } from "fs/promises";
 import { homedir as homedir4 } from "os";
 import { join as join5 } from "path";
 import { execa as execa6 } from "execa";
-import { randomBytes } from "crypto";
+import { randomBytes as randomBytes2 } from "crypto";
 import { execa as execa7 } from "execa";
 import { existsSync } from "fs";
 import { readFile as readFile42 } from "fs/promises";
@@ -1534,41 +1657,213 @@ import { homedir as homedir5 } from "os";
 import { join as join6 } from "path";
 import { execa as execa8 } from "execa";
 import { execa as execa9 } from "execa";
-import { existsSync as existsSync2 } from "fs";
-import { fileURLToPath } from "url";
-import { dirname as dirname4, resolve as resolve2 } from "path";
-import { execa as execa10 } from "execa";
-import { mkdir as mkdir4, readdir as readdir22, rm as rm22, stat as stat42 } from "fs/promises";
+import { mkdir as mkdir4, readdir as readdir22, rm as rm22, stat as stat4 } from "fs/promises";
 import { homedir as homedir6, platform } from "os";
-import { join as join7, resolve as resolve22 } from "path";
+import { join as join7, resolve as resolve2 } from "path";
 import { mkdir as mkdir5, mkdtemp as mkdtemp2, readFile as readFile5, readdir as readdir32, rm as rm3, writeFile as writeFile22 } from "fs/promises";
 import { homedir as homedir7, tmpdir as tmpdir2 } from "os";
 import { basename as basename3, join as join8 } from "path";
-import { execa as execa11 } from "execa";
+import { execa as execa10 } from "execa";
 import { stat as stat5 } from "fs/promises";
+import { execa as execa11 } from "execa";
 import { execa as execa12 } from "execa";
-import { execa as execa13 } from "execa";
 import { spawn } from "child_process";
-import { randomBytes as randomBytes2 } from "crypto";
-import { existsSync as existsSync3, openSync } from "fs";
-import { mkdir as mkdir6, readFile as readFile6, unlink, writeFile as writeFile32 } from "fs/promises";
+import { randomBytes as randomBytes22 } from "crypto";
+import { existsSync as existsSync2, openSync } from "fs";
+import { mkdir as mkdir6, readFile as readFile6, unlink as unlink2, writeFile as writeFile32 } from "fs/promises";
 import { request as httpRequest } from "http";
 import { homedir as homedir8 } from "os";
-import { dirname as dirname22, join as join9, resolve as resolve3 } from "path";
+import { dirname as dirname3, join as join9, resolve as resolve22 } from "path";
 import { setTimeout as delay2 } from "timers/promises";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { fileURLToPath } from "url";
 
 // ../../packages/relay/dist/index.js
-import { execa as execa2 } from "execa";
+import { createHash as createHash2, randomBytes } from "crypto";
+import { execa } from "execa";
+import { spawn as spawn4 } from "child_process";
+import {
+  mkdir as mkdir2,
+  readdir as readdir2,
+  readFile as readFile23,
+  rename as rename2,
+  unlink,
+  writeFile as writeFile2
+} from "fs/promises";
+import { join as join3 } from "path";
 var DEFAULT_RELAY_PORT = 8787;
 var RELAY_CONTAINER_NAME = "agentbox-relay";
 var RELAY_NETWORK_NAME = "agentbox-net";
 var RELAY_IMAGE_REF = "agentbox/relay:dev";
 var DEFAULT_HOST_ACTION_MAX_AGE_MS = 15 * 60 * 1e3;
+function hashRpcParams(params) {
+  return createHash2("sha256").update(canonicalJson(params)).digest("hex");
+}
+function canonicalJson(v) {
+  if (v === null) return "null";
+  if (typeof v === "undefined") return "null";
+  if (typeof v === "number") return Number.isFinite(v) ? String(v) : "null";
+  if (typeof v === "boolean") return v ? "true" : "false";
+  if (typeof v === "string") return JSON.stringify(v);
+  if (Array.isArray(v)) return "[" + v.map(canonicalJson).join(",") + "]";
+  if (typeof v === "object") {
+    const entries = Object.entries(v).filter(([k]) => k !== "hostInitiated").filter(([, val]) => val !== void 0).sort(([a], [b]) => a < b ? -1 : a > b ? 1 : 0);
+    return "{" + entries.map(([k, val]) => JSON.stringify(k) + ":" + canonicalJson(val)).join(",") + "}";
+  }
+  return "null";
+}
+var GH_PR_OPS = [
+  "create",
+  "view",
+  "list",
+  "comment",
+  "review",
+  "merge",
+  "checkout",
+  "close",
+  "reopen"
+];
+function injectPrCreateHead(op, branch, args) {
+  if (op !== "create") return args;
+  if (!branch || branch === "HEAD") return args;
+  if (hasHeadArg(args)) return args;
+  return ["--head", branch, ...args];
+}
+function hasHeadArg(args) {
+  return args.some((a) => a === "--head" || a.startsWith("--head=") || a.startsWith("-H"));
+}
 var MAX_BODY_BYTES = 1024 * 1024;
+var QUEUE_DIR = join3(STATE_DIR, "queue");
+async function loadQueueConfig() {
+  const d = BUILT_IN_DEFAULTS.queue;
+  let global = {};
+  try {
+    global = parseUserConfig(await readFile23(GLOBAL_CONFIG_FILE, "utf8"), GLOBAL_CONFIG_FILE);
+  } catch {
+  }
+  const q = global.queue ?? {};
+  return {
+    enabled: q.enabled ?? d.enabled,
+    maxConcurrent: q.maxConcurrent ?? d.maxConcurrent,
+    maxWorking: q.maxWorking ?? d.maxWorking,
+    idleGraceMs: (q.idleGraceSeconds ?? d.idleGraceSeconds) * 1e3
+  };
+}
+async function writeJob(job) {
+  await mkdir2(QUEUE_DIR, { recursive: true });
+  const final = join3(QUEUE_DIR, `${job.id}.json`);
+  const tmp = `${final}.tmp.${String(process.pid)}.${String(Date.now())}`;
+  await writeFile2(tmp, JSON.stringify(job, null, 2) + "\n", "utf8");
+  await rename2(tmp, final);
+}
+async function readJob(id) {
+  try {
+    const raw = await readFile23(join3(QUEUE_DIR, `${id}.json`), "utf8");
+    return JSON.parse(raw);
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+}
+async function deleteJob(id) {
+  try {
+    await unlink(join3(QUEUE_DIR, `${id}.json`));
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+}
+async function loadQueue() {
+  let entries;
+  try {
+    entries = await readdir2(QUEUE_DIR);
+  } catch (err) {
+    if (err.code === "ENOENT") return [];
+    throw err;
+  }
+  const out = [];
+  for (const name of entries) {
+    if (!name.endsWith(".json")) continue;
+    try {
+      const raw = await readFile23(join3(QUEUE_DIR, name), "utf8");
+      out.push(JSON.parse(raw));
+    } catch {
+    }
+  }
+  out.sort((a, b) => a.createdAt < b.createdAt ? -1 : a.createdAt > b.createdAt ? 1 : 0);
+  return out;
+}
+var RUNNING_COUNT_CACHE_MS = 3e3;
+var runningCountCache = null;
+async function defaultCountRunningBoxes() {
+  const now = Date.now();
+  if (runningCountCache && runningCountCache.expiresAt > now) {
+    return runningCountCache.value;
+  }
+  const value = await uncachedCountRunningBoxes();
+  runningCountCache = { value, expiresAt: now + RUNNING_COUNT_CACHE_MS };
+  return value;
+}
+async function uncachedCountRunningBoxes() {
+  let boxes;
+  try {
+    boxes = (await readState(STATE_FILE)).boxes;
+  } catch {
+    return 0;
+  }
+  if (boxes.length === 0) return 0;
+  let count = 0;
+  const dockerBoxes = [];
+  for (const b of boxes) {
+    const provider = b.provider ?? "docker";
+    if (provider === "docker") {
+      dockerBoxes.push(b);
+    } else {
+      count += 1;
+    }
+  }
+  if (dockerBoxes.length > 0) {
+    const states = await Promise.all(dockerBoxes.map((b) => inspectDockerState(b.container)));
+    for (const s of states) {
+      if (s === "running") count += 1;
+    }
+  }
+  return count;
+}
+function inspectDockerState(containerName) {
+  return new Promise((resolveP) => {
+    const child = spawn4("docker", ["inspect", "--format", "{{.State.Status}}", containerName], {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let out = "";
+    let settled = false;
+    const finish = (state) => {
+      if (settled) return;
+      settled = true;
+      resolveP(state);
+    };
+    const timer = setTimeout(() => {
+      child.kill("SIGTERM");
+      finish("other");
+    }, 1e4);
+    child.stdout?.on("data", (c) => {
+      out += c.toString("utf8");
+    });
+    child.on("error", () => {
+      clearTimeout(timer);
+      finish("other");
+    });
+    child.on("close", () => {
+      clearTimeout(timer);
+      finish(out.trim() === "running" ? "running" : "other");
+    });
+  });
+}
+var QUEUE_LOGS_DIR = join3(STATE_DIR, "logs");
+function queueLogPath(id) {
+  return join3(QUEUE_LOGS_DIR, `queue-${id}.log`);
+}
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa16 } from "execa";
+import { execa as execa15 } from "execa";
 import { readdir as readdir4, rm as rm4, stat as stat7 } from "fs/promises";
 import { join as join12 } from "path";
 
@@ -1624,14 +1919,17 @@ var AmbiguousBoxError = class extends Error {
 };
 
 // ../../packages/sandbox-docker/dist/index.js
-import { execa as execa15 } from "execa";
+import { execa as execa14 } from "execa";
 import { join as join11 } from "path";
 import { homedir as homedir10 } from "os";
 import { join as join13 } from "path";
+import { execa as execa16 } from "execa";
+import { existsSync as existsSync3, mkdirSync, renameSync, statSync } from "fs";
+import { basename as basename32, dirname as dirname22, posix, resolve as resolve4 } from "path";
 import { execa as execa17 } from "execa";
 import { copyFile, mkdtemp as mkdtemp3, readdir as readdir5, readFile as readFile7, rm as rm5, stat as stat8, writeFile as writeFile4 } from "fs/promises";
 import { homedir as homedir11, tmpdir as tmpdir3 } from "os";
-import { basename as basename32, join as join14, relative as relative2 } from "path";
+import { basename as basename4, join as join14, relative as relative2 } from "path";
 import { execa as execa18 } from "execa";
 function isHostPathHookCommand(command, hostHome) {
   if (typeof command !== "string" || command.length === 0) return false;
@@ -1758,16 +2056,16 @@ function rewritePluginPaths(value, hostPluginsPrefix) {
   }
   return value;
 }
-function isPlainObject3(v) {
+function isPlainObject4(v) {
   return v !== null && typeof v === "object" && !Array.isArray(v);
 }
 function additiveMerge(hostRoot, boxRoot, hostPluginsPrefix, selectMap, withMap) {
   const hostMap = selectMap(hostRoot);
   const boxMap = selectMap(boxRoot);
-  if (!isPlainObject3(boxMap)) {
+  if (!isPlainObject4(boxMap)) {
     return { data: hostRoot, changed: false, addedKeys: [] };
   }
-  const base = isPlainObject3(hostMap) ? { ...hostMap } : {};
+  const base = isPlainObject4(hostMap) ? { ...hostMap } : {};
   const addedKeys = [];
   for (const [key, value] of Object.entries(boxMap)) {
     if (Object.prototype.hasOwnProperty.call(base, key)) continue;
@@ -1782,7 +2080,7 @@ function additiveMerge(hostRoot, boxRoot, hostPluginsPrefix, selectMap, withMap)
 function mergeKnownMarketplaces(hostJson, boxJson, opts) {
   const prefix = `${opts.hostHome}/.claude/plugins/`;
   return additiveMerge(
-    isPlainObject3(hostJson) ? hostJson : {},
+    isPlainObject4(hostJson) ? hostJson : {},
     boxJson,
     prefix,
     (root) => root,
@@ -1791,24 +2089,24 @@ function mergeKnownMarketplaces(hostJson, boxJson, opts) {
 }
 function mergeInstalledPlugins(hostJson, boxJson, opts) {
   const prefix = `${opts.hostHome}/.claude/plugins/`;
-  const hostRoot = isPlainObject3(hostJson) ? hostJson : { plugins: {} };
+  const hostRoot = isPlainObject4(hostJson) ? hostJson : { plugins: {} };
   return additiveMerge(
     hostRoot,
     boxJson,
     prefix,
-    (root) => isPlainObject3(root) ? root["plugins"] : void 0,
+    (root) => isPlainObject4(root) ? root["plugins"] : void 0,
     (host, merged) => ({ ...host, plugins: merged })
   );
 }
 function referencedPluginVersionKeys(installedPluginsJson) {
   const keys = /* @__PURE__ */ new Set();
-  if (!isPlainObject3(installedPluginsJson)) return keys;
+  if (!isPlainObject4(installedPluginsJson)) return keys;
   const plugins = installedPluginsJson["plugins"];
-  if (!isPlainObject3(plugins)) return keys;
+  if (!isPlainObject4(plugins)) return keys;
   for (const entries of Object.values(plugins)) {
     if (!Array.isArray(entries)) continue;
     for (const entry of entries) {
-      if (!isPlainObject3(entry)) continue;
+      if (!isPlainObject4(entry)) continue;
       const installPath = entry["installPath"];
       if (typeof installPath !== "string") continue;
       const segments = installPath.split("/").filter((s) => s.length > 0);
@@ -1819,7 +2117,7 @@ function referencedPluginVersionKeys(installedPluginsJson) {
   return keys;
 }
 async function dockerInfo() {
-  const result = await execa4("docker", ["info"], { reject: false });
+  const result = await execa2("docker", ["info"], { reject: false });
   if (result.exitCode !== 0) {
     throw new Error(
       `docker info failed (exit ${String(result.exitCode)}). Is the Docker daemon running?
@@ -1866,6 +2164,9 @@ async function runBox(spec) {
     // on the macOS engines). Boxes use it to reach the host relay process.
     "--add-host=host.docker.internal:host-gateway"
   ];
+  if (process.env.AGENTBOX === "1") {
+    args.push("--user", "0");
+  }
   const lim = spec.limits;
   if (lim) {
     if (lim.memoryBytes && lim.memoryBytes > 0) {
@@ -1892,11 +2193,11 @@ async function runBox(spec) {
     args.push("-e", `${k}=${val}`);
   }
   args.push(spec.image, "sleep", "infinity");
-  const { stdout } = await execa4("docker", args);
+  const { stdout } = await execa2("docker", args);
   return stdout.trim();
 }
 async function dockerStorageDriver() {
-  const result = await execa4("docker", ["info", "--format", "{{.Driver}}"], { reject: false });
+  const result = await execa2("docker", ["info", "--format", "{{.Driver}}"], { reject: false });
   if (result.exitCode !== 0) return "";
   return (result.stdout ?? "").trim();
 }
@@ -1905,7 +2206,7 @@ async function execInBox(container, cmd, opts = {}) {
   if (opts.detach) args.push("-d");
   if (opts.user) args.push("--user", opts.user);
   args.push(container, ...cmd);
-  const result = await execa4("docker", args, {
+  const result = await execa2("docker", args, {
     reject: false,
     ...opts.timeoutMs ? { timeout: opts.timeoutMs } : {}
   });
@@ -1916,49 +2217,49 @@ async function execInBox(container, cmd, opts = {}) {
   };
 }
 async function removeContainer(container) {
-  await execa4("docker", ["rm", "-f", container], { reject: false });
+  await execa2("docker", ["rm", "-f", container], { reject: false });
 }
 async function removeVolume(name) {
-  await execa4("docker", ["volume", "rm", name], { reject: false });
+  await execa2("docker", ["volume", "rm", name], { reject: false });
 }
 async function removeImage(ref, opts = {}) {
   const args = ["image", "rm"];
   if (opts.force !== false) args.push("-f");
   args.push(ref);
-  const result = await execa4("docker", args, { reject: false });
+  const result = await execa2("docker", args, { reject: false });
   return result.exitCode === 0;
 }
 async function containerExists(name) {
-  const result = await execa4("docker", ["container", "inspect", "--format", "{{.Id}}", name], {
+  const result = await execa2("docker", ["container", "inspect", "--format", "{{.Id}}", name], {
     reject: false
   });
   return result.exitCode === 0;
 }
 async function volumeExists(name) {
-  const result = await execa4("docker", ["volume", "inspect", name], { reject: false });
+  const result = await execa2("docker", ["volume", "inspect", name], { reject: false });
   return result.exitCode === 0;
 }
 async function ensureVolume(name) {
   if (await volumeExists(name)) return;
-  await execa4("docker", ["volume", "create", name]);
+  await execa2("docker", ["volume", "create", name]);
 }
 async function removeNetwork(name) {
-  await execa4("docker", ["network", "rm", name], { reject: false });
+  await execa2("docker", ["network", "rm", name], { reject: false });
 }
 async function pauseContainer(name) {
-  await execa4("docker", ["pause", name]);
+  await execa2("docker", ["pause", name]);
 }
 async function unpauseContainer(name) {
-  await execa4("docker", ["unpause", name]);
+  await execa2("docker", ["unpause", name]);
 }
 async function stopContainer(name) {
-  await execa4("docker", ["stop", name]);
+  await execa2("docker", ["stop", name]);
 }
 async function startContainer(name) {
-  await execa4("docker", ["start", name]);
+  await execa2("docker", ["start", name]);
 }
 async function inspectContainerStatus(name) {
-  const result = await execa4("docker", ["inspect", "--format", "{{.State.Status}}", name], {
+  const result = await execa2("docker", ["inspect", "--format", "{{.State.Status}}", name], {
     reject: false
   });
   if (result.exitCode !== 0) return "missing";
@@ -1979,7 +2280,7 @@ async function inspectContainerStatus(name) {
   }
 }
 async function inspectContainer(name) {
-  const result = await execa4("docker", ["inspect", name], { reject: false });
+  const result = await execa2("docker", ["inspect", name], { reject: false });
   if (result.exitCode !== 0) return null;
   try {
     const parsed = JSON.parse(result.stdout ?? "null");
@@ -1989,7 +2290,7 @@ async function inspectContainer(name) {
   }
 }
 async function inspectVolumeMountpoint(name) {
-  const result = await execa4("docker", ["volume", "inspect", "--format", "{{.Mountpoint}}", name], {
+  const result = await execa2("docker", ["volume", "inspect", "--format", "{{.Mountpoint}}", name], {
     reject: false
   });
   if (result.exitCode !== 0) return null;
@@ -1997,7 +2298,7 @@ async function inspectVolumeMountpoint(name) {
 }
 var AGENTBOX_PREFIX = "agentbox-";
 async function listAgentboxContainers() {
-  const result = await execa4(
+  const result = await execa2(
     "docker",
     ["ps", "-a", "--filter", `name=^${AGENTBOX_PREFIX}`, "--format", "{{.Names}}"],
     { reject: false }
@@ -2006,7 +2307,7 @@ async function listAgentboxContainers() {
   return (result.stdout ?? "").split("\n").map((s) => s.trim()).filter((s) => s.startsWith(AGENTBOX_PREFIX));
 }
 async function publishedHostPort(container, containerPort) {
-  const result = await execa4("docker", ["port", container, `${String(containerPort)}/tcp`], {
+  const result = await execa2("docker", ["port", container, `${String(containerPort)}/tcp`], {
     reject: false
   });
   if (result.exitCode !== 0) return null;
@@ -2016,7 +2317,7 @@ async function publishedHostPort(container, containerPort) {
   return m ? Number(m[1]) : null;
 }
 async function listAgentboxVolumes() {
-  const result = await execa4(
+  const result = await execa2(
     "docker",
     ["volume", "ls", "--filter", `name=^${AGENTBOX_PREFIX}`, "--format", "{{.Name}}"],
     { reject: false }
@@ -2385,9 +2686,126 @@ var ExportError = class extends Error {
     this.stderr = stderr;
     this.name = "ExportError";
   }
-  stdout;
-  stderr;
-};
+  stdout;
+  stderr;
+};
+async function copyCarryPathsToBox(opts) {
+  const log = opts.onLog ?? (() => {
+  });
+  let copied = 0;
+  const errors = [];
+  const applied = [];
+  for (const [i, entry] of opts.entries.entries()) {
+    const where = `carry[${String(i)}] "${entry.rawSrc}"`;
+    if (entry.kind === "missing") {
+      log(`${where}: skipped (missing on host, optional)`);
+      continue;
+    }
+    try {
+      await copyOneEntry(opts.container, entry);
+      copied += 1;
+      applied.push({ src: entry.absSrc, dest: entry.absDest, bytes: entry.bytes ?? 0 });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      errors.push(`${where}: ${msg}`);
+      log(`${where}: failed: ${msg}`);
+    }
+  }
+  return { copied, errors, applied };
+}
+var BOX_HOME = "/home/vscode";
+async function copyOneEntry(container, entry) {
+  if (entry.kind === "missing") return;
+  const boxDest = entry.absDest.startsWith("~/") ? `${BOX_HOME}/${entry.absDest.slice(2)}` : entry.absDest;
+  const boxDestParent = boxDest.endsWith("/") ? boxDest.slice(0, -1) : boxDest;
+  const parentDir = entry.kind === "dir" ? boxDestParent : dirnameUnix(boxDestParent);
+  const mkdir8 = await execa22(
+    "docker",
+    ["exec", "--user", "0:0", container, "mkdir", "-p", parentDir],
+    { reject: false }
+  );
+  if (mkdir8.exitCode !== 0) {
+    throw new Error(`mkdir -p ${parentDir} failed: ${String(mkdir8.stderr).slice(0, 300)}`);
+  }
+  if (entry.kind === "file") {
+    const cp = await execa22(
+      "docker",
+      ["cp", entry.absSrc, `${container}:${boxDest}`],
+      { reject: false }
+    );
+    if (cp.exitCode !== 0) {
+      throw new Error(`docker cp failed: ${String(cp.stderr).slice(0, 300)}`);
+    }
+  } else {
+    const packed = await execa22(
+      "tar",
+      ["-C", entry.absSrc, "-cf", "-", "."],
+      { encoding: "buffer", reject: false }
+    );
+    if (packed.exitCode !== 0) {
+      throw new Error(`tar pack failed: ${String(packed.stderr).slice(0, 300)}`);
+    }
+    const extract = await execa22(
+      "docker",
+      [
+        "exec",
+        "-i",
+        "--user",
+        "0:0",
+        container,
+        "tar",
+        "-xf",
+        "-",
+        "-C",
+        boxDest,
+        "--no-same-permissions",
+        "--no-same-owner",
+        "-m"
+      ],
+      { input: packed.stdout, reject: false }
+    );
+    if (extract.exitCode !== 0) {
+      throw new Error(`tar extract failed: ${String(extract.stderr).slice(0, 300)}`);
+    }
+  }
+  if (entry.mode !== void 0) {
+    const modeStr = entry.mode.toString(8).padStart(4, "0");
+    const chmod2 = await execa22(
+      "docker",
+      ["exec", "--user", "0:0", container, "chmod", "-R", modeStr, boxDest],
+      { reject: false }
+    );
+    if (chmod2.exitCode !== 0) {
+      throw new Error(`chmod failed: ${String(chmod2.stderr).slice(0, 300)}`);
+    }
+  }
+  const uid = entry.user ?? 1e3;
+  const chown = await execa22(
+    "docker",
+    ["exec", "--user", "0:0", container, "chown", "-R", `${String(uid)}:${String(uid)}`, boxDest],
+    { reject: false }
+  );
+  if (chown.exitCode !== 0) {
+    throw new Error(`chown failed: ${String(chown.stderr).slice(0, 300)}`);
+  }
+  if (boxDest.startsWith(BOX_HOME + "/") && dirnameUnix(boxDest) !== BOX_HOME) {
+    const safeDest = boxDest.replace(/'/g, `'\\''`);
+    const script = `set -e; parent="$(dirname '${safeDest}')"; while [ "$parent" != "${BOX_HOME}" ] && [ "$parent" != "/" ]; do chown ${String(uid)}:${String(uid)} "$parent"; parent="$(dirname "$parent")"; done`;
+    const chownParents = await execa22(
+      "docker",
+      ["exec", "--user", "0:0", container, "bash", "-c", script],
+      { reject: false }
+    );
+    if (chownParents.exitCode !== 0) {
+      throw new Error(`chown parents failed: ${String(chownParents.stderr).slice(0, 300)}`);
+    }
+  }
+}
+function dirnameUnix(p) {
+  const i = p.lastIndexOf("/");
+  if (i <= 0) return "/";
+  return p.slice(0, i);
+}
 var SHARED_CLAUDE_VOLUME = "agentbox-claude-config";
 var DEFAULT_CLAUDE_SESSION = "claude";
 var CONTAINER_CLAUDE_DIR = "/home/vscode/.claude";
@@ -2403,7 +2821,7 @@ function resolveClaudeVolume(opts) {
 }
 async function pathExists(p) {
   try {
-    await stat4(p);
+    await stat3(p);
     return true;
   } catch {
     return false;
@@ -2427,10 +2845,10 @@ async function findBrokenSymlinks(root) {
       return;
     }
     for (const ent of entries) {
-      const full = join23(dir, ent.name);
+      const full = join22(dir, ent.name);
       if (ent.isSymbolicLink()) {
         try {
-          await stat4(full);
+          await stat3(full);
         } catch {
           broken.push(relative(root, full));
         }
@@ -2447,13 +2865,13 @@ async function ensureClaudeVolume(spec, opts) {
   await ensureVolume(spec.volume);
   const created = !existed;
   if (!opts.syncFromHost) return { created, synced: false };
-  const hostClaude = join23(homedir22(), ".claude");
+  const hostClaude = join22(homedir2(), ".claude");
   if (!await pathExists(hostClaude)) return { created, synced: false };
-  const hostClaudeJson = join23(homedir22(), ".claude.json");
+  const hostClaudeJson = join22(homedir2(), ".claude.json");
   const hasJson = await pathExists(hostClaudeJson);
   const seedClaudeJson = !await volumeHasClaudeJson(spec.volume, opts.image);
-  const hostHome = homedir22();
-  const hostAgents = join23(homedir22(), ".agents");
+  const hostHome = homedir2();
+  const hostAgents = join22(homedir2(), ".agents");
   const hasAgents = await pathExists(hostAgents);
   const args = [
     "run",
@@ -2471,15 +2889,15 @@ async function ensureClaudeVolume(spec, opts) {
   ];
   if (hasJson && seedClaudeJson) args.push("-v", `${hostClaudeJson}:/src-claude-json:ro`);
   if (hasAgents) args.push("-v", `${hostAgents}:/.agents:ro`);
-  const filterDir = await mkdtemp(join23(tmpdir(), "agentbox-claude-filter-"));
+  const filterDir = await mkdtemp(join22(tmpdir(), "agentbox-claude-filter-"));
   let filteredHookCount = 0;
   let installMethodFixed = false;
   let aliasedProjectKey = false;
   let workspaceTrusted = false;
   try {
     const settingsResult = await maybeFilterTo(
-      join23(hostClaude, "settings.json"),
-      join23(filterDir, "settings.json"),
+      join22(hostClaude, "settings.json"),
+      join22(filterDir, "settings.json"),
       hostHome
     );
     filteredHookCount += settingsResult.removedHooks;
@@ -2487,7 +2905,7 @@ async function ensureClaudeVolume(spec, opts) {
     } else if (hasJson) {
       const jsonResult = await maybeFilterTo(
         hostClaudeJson,
-        join23(filterDir, "_claude.json"),
+        join22(filterDir, "_claude.json"),
         hostHome,
         {
           setInstallMethodNative: true,
@@ -2501,7 +2919,7 @@ async function ensureClaudeVolume(spec, opts) {
       workspaceTrusted = jsonResult.workspaceTrusted;
     } else {
       await writeFile3(
-        join23(filterDir, "_claude.json"),
+        join22(filterDir, "_claude.json"),
         JSON.stringify(
           {
             installMethod: "native",
@@ -2603,7 +3021,7 @@ async function maybeFilterTo(src, dest, hostHome, opts = {}) {
   };
   let parsed;
   try {
-    parsed = JSON.parse(await readFile23(src, "utf8"));
+    parsed = JSON.parse(await readFile24(src, "utf8"));
   } catch {
     return zero;
   }
@@ -2664,14 +3082,14 @@ var PLUGIN_INSTALL_BACKOFF_MIN = Math.round(PLUGIN_INSTALL_BACKOFF_MS / 6e4);
 var NPM_CACHE_DIR = "/home/vscode/.claude/.agentbox-npm-cache";
 async function isFile(p) {
   try {
-    return (await stat4(p)).isFile();
+    return (await stat3(p)).isFile();
   } catch {
     return false;
   }
 }
 async function isRecentFailMarker(p) {
   try {
-    const st = await stat4(p);
+    const st = await stat3(p);
     return Date.now() - st.mtimeMs < PLUGIN_INSTALL_BACKOFF_MS;
   } catch {
     return false;
@@ -2679,14 +3097,14 @@ async function isRecentFailMarker(p) {
 }
 async function isDir(p) {
   try {
-    return (await stat4(p)).isDirectory();
+    return (await stat3(p)).isDirectory();
   } catch {
     return false;
   }
 }
 async function readReferencedPluginKeys(installedPluginsJsonPath) {
   try {
-    const raw = await readFile23(installedPluginsJsonPath, "utf8");
+    const raw = await readFile24(installedPluginsJsonPath, "utf8");
     return referencedPluginVersionKeys(JSON.parse(raw));
   } catch {
     return /* @__PURE__ */ new Set();
@@ -2694,7 +3112,7 @@ async function readReferencedPluginKeys(installedPluginsJsonPath) {
 }
 async function scanPluginCacheForRebuild(cacheRoot) {
   const referenced = await readReferencedPluginKeys(
-    join23(cacheRoot, "..", "installed_plugins.json")
+    join22(cacheRoot, "..", "installed_plugins.json")
   );
   let marketplaces;
   try {
@@ -2704,7 +3122,7 @@ async function scanPluginCacheForRebuild(cacheRoot) {
   }
   for (const m of marketplaces) {
     if (!m.isDirectory()) continue;
-    const mPath = join23(cacheRoot, m.name);
+    const mPath = join22(cacheRoot, m.name);
     let plugins;
     try {
       plugins = await readdir3(mPath, { withFileTypes: true });
@@ -2713,7 +3131,7 @@ async function scanPluginCacheForRebuild(cacheRoot) {
     }
     for (const p of plugins) {
       if (!p.isDirectory()) continue;
-      const pPath = join23(mPath, p.name);
+      const pPath = join22(mPath, p.name);
       let versions;
       try {
         versions = await readdir3(pPath, { withFileTypes: true });
@@ -2723,10 +3141,10 @@ async function scanPluginCacheForRebuild(cacheRoot) {
       for (const v of versions) {
         if (!v.isDirectory()) continue;
         if (referenced.size > 0 && !referenced.has(`${m.name}/${p.name}/${v.name}`)) continue;
-        const vPath = join23(pPath, v.name);
-        if (!await isFile(join23(vPath, "package.json"))) continue;
-        if (await isFile(join23(vPath, PLUGIN_INSTALLED_MARKER))) continue;
-        if (await isRecentFailMarker(join23(vPath, PLUGIN_FAILED_MARKER))) continue;
+        const vPath = join22(pPath, v.name);
+        if (!await isFile(join22(vPath, "package.json"))) continue;
+        if (await isFile(join22(vPath, PLUGIN_INSTALLED_MARKER))) continue;
+        if (await isRecentFailMarker(join22(vPath, PLUGIN_FAILED_MARKER))) continue;
         return true;
       }
     }
@@ -3018,67 +3436,31 @@ async function waitForTmuxPaneContent(container, sessionName, timeoutMs = 2e4) {
     await delay(400);
   }
 }
-function buildTmuxSessionArgs(sessionName) {
-  const s = sessionName;
+function tmuxConfigSubcommands(sessionName) {
   return [
-    // Server-global (no -t): primary prefix Ctrl+a (dashboard parity), keep
-    // tmux's default Ctrl+b as a secondary prefix so users with existing
-    // muscle memory / integrations aren't broken. `d` is the same key under
-    // both prefixes (single key table) -> Ctrl+a d AND Ctrl+b d both detach
-    // (and `d` is already tmux's built-in detach key — bound explicitly so
-    // the contract is visible). `send-prefix` / `send-prefix -2` let a
-    // double-tap of either prefix reach Claude as that literal key.
-    ";",
-    "set",
-    "-g",
-    "prefix",
-    "C-a",
-    ";",
-    "set",
-    "-g",
-    "prefix2",
-    "C-b",
-    ";",
-    "bind-key",
-    "C-a",
-    "send-prefix",
-    ";",
-    "bind-key",
-    "C-b",
-    "send-prefix",
-    "-2",
-    ";",
-    "bind-key",
-    "d",
-    "detach-client",
-    // Modified-key reporting: without `extended-keys on`, tmux strips the
-    // modifier from Shift+Enter / Ctrl+Enter / etc. so Claude Code can't
-    // distinguish them from a plain Enter — pressing Shift+Enter submits the
-    // prompt instead of inserting a newline. `csi-u` is the format Claude
-    // Code recognises after `/terminal-setup`. Server-global so it survives
-    // grouped sibling sessions (e.g. the dashboard's `<name>-dash`).
-    ";",
-    "set",
-    "-g",
-    "extended-keys",
-    "on",
-    ";",
-    "set",
-    "-as",
-    "terminal-features",
-    ",*:extkeys",
-    // Hide the inner tmux status bar — the wrapped-pty footer (for
-    // `agentbox claude` / `agentbox shell`) and the dashboard's own status
-    // row already show the box name + detach hint; without `status off`
-    // they double up.
-    ";",
-    "set",
-    "-t",
-    s,
-    "status",
-    "off"
+    ["set", "-g", "prefix", "C-a"],
+    ["set", "-g", "prefix2", "C-b"],
+    ["bind-key", "C-a", "send-prefix"],
+    ["bind-key", "C-b", "send-prefix", "-2"],
+    ["bind-key", "d", "detach-client"],
+    ["set", "-g", "extended-keys", "on"],
+    ["set", "-as", "terminal-features", ",*:extkeys"],
+    ["set", "-t", sessionName, "status", "off"]
   ];
 }
+function buildTmuxSessionArgs(sessionName) {
+  const out = [];
+  for (const sub of tmuxConfigSubcommands(sessionName)) {
+    out.push(";", ...sub);
+  }
+  return out;
+}
+function buildTmuxConfigShellSnippet(sessionName) {
+  return tmuxConfigSubcommands(sessionName).map((sub) => `tmux ${sub.map(shellSingleQuoteIfNeeded).join(" ")}`).join("; ");
+}
+function shellSingleQuoteIfNeeded(s) {
+  return /^[A-Za-z0-9_:.\/=+-]+$/.test(s) ? s : "'" + s.replace(/'/g, "'\\''") + "'";
+}
 function buildShellArgv(container) {
   const term = process.env["TERM"] ?? "xterm-256color";
   return ["exec", "-it", "-e", `TERM=${term}`, "--user", CONTAINER_USER, container, "bash", "-l"];
@@ -3197,14 +3579,14 @@ async function listChildDirs(dir) {
 }
 async function readJsonFile(path) {
   try {
-    return JSON.parse(await readFile23(path, "utf8"));
+    return JSON.parse(await readFile24(path, "utf8"));
   } catch {
     return void 0;
   }
 }
 async function pullClaudeExtras(spec, opts) {
-  const hostHome = homedir22();
-  const hostClaude = join23(hostHome, ".claude");
+  const hostHome = homedir2();
+  const hostClaude = join22(hostHome, ".claude");
   const inventoryScript = [
     "for cat in skills agents commands; do",
     '  [ -d "/src/$cat" ] || continue;',
@@ -3266,7 +3648,7 @@ async function pullClaudeExtras(spec, opts) {
   const newItems = [];
   const applyPaths = [];
   for (const cat of PULL_DIR_CATEGORIES) {
-    const hostNames = await listChildDirs(join23(hostClaude, cat));
+    const hostNames = await listChildDirs(join22(hostClaude, cat));
     const excludes = cat === "skills" ? SKILL_EXCLUDE_PREFIXES : [];
     for (const name of pickNewItems(boxDirs[cat] ?? [], hostNames, excludes)) {
       newItems.push({ category: cat, name });
@@ -3274,8 +3656,8 @@ async function pullClaudeExtras(spec, opts) {
     }
   }
   const hostPluginKeys = [];
-  for (const m of await listChildDirs(join23(hostClaude, "plugins", "cache"))) {
-    for (const p of await listChildDirs(join23(hostClaude, "plugins", "cache", m))) {
+  for (const m of await listChildDirs(join22(hostClaude, "plugins", "cache"))) {
+    for (const p of await listChildDirs(join22(hostClaude, "plugins", "cache", m))) {
       hostPluginKeys.push(`${m}/${p}`);
     }
   }
@@ -3283,8 +3665,8 @@ async function pullClaudeExtras(spec, opts) {
     newItems.push({ category: "plugins", name: key });
     applyPaths.push({ src: `/src/plugins/cache/${key}`, dest: `/dst/plugins/cache/${key}` });
   }
-  const hostInstalled = await readJsonFile(join23(hostClaude, "plugins", "installed_plugins.json"));
-  const hostMarkets = await readJsonFile(join23(hostClaude, "plugins", "known_marketplaces.json"));
+  const hostInstalled = await readJsonFile(join22(hostClaude, "plugins", "installed_plugins.json"));
+  const hostMarkets = await readJsonFile(join22(hostClaude, "plugins", "known_marketplaces.json"));
   const mergedInstalled = mergeInstalledPlugins(hostInstalled, boxJson["installed_plugins"], {
     hostHome
   });
@@ -3327,17 +3709,17 @@ async function pullClaudeExtras(spec, opts) {
     }
   }
   if (mergedMarkets.changed || mergedInstalled.changed) {
-    await mkdir22(join23(hostClaude, "plugins"), { recursive: true });
+    await mkdir22(join22(hostClaude, "plugins"), { recursive: true });
     if (mergedMarkets.changed) {
       await writeFile3(
-        join23(hostClaude, "plugins", "known_marketplaces.json"),
+        join22(hostClaude, "plugins", "known_marketplaces.json"),
         `${JSON.stringify(mergedMarkets.data, null, 2)}
 `
       );
     }
     if (mergedInstalled.changed) {
       await writeFile3(
-        join23(hostClaude, "plugins", "installed_plugins.json"),
+        join22(hostClaude, "plugins", "installed_plugins.json"),
         `${JSON.stringify(mergedInstalled.data, null, 2)}
 `
       );
@@ -3345,7 +3727,23 @@ async function pullClaudeExtras(spec, opts) {
   }
   return { newItems, mergedRegistries };
 }
-var CREDENTIALS_BACKUP_FILE = join32(STATE_DIR2, "claude-credentials.json");
+var CREDENTIALS_BACKUP_FILE = join32(STATE_DIR, "claude-credentials.json");
+var CODEX_CREDENTIALS_BACKUP_FILE = join32(STATE_DIR, "codex-credentials.json");
+var OPENCODE_CREDENTIALS_BACKUP_FILE = join32(STATE_DIR, "opencode-credentials.json");
+function isRealAgentCredential(agent, text) {
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    return false;
+  }
+  if (typeof parsed !== "object" || parsed === null) return false;
+  if (agent === "claude") {
+    const rt = parsed.claudeAiOauth?.refreshToken;
+    return typeof rt === "string" && rt.length > 0;
+  }
+  return Object.keys(parsed).length > 0;
+}
 async function hostBackupHasCredentials(path = CREDENTIALS_BACKUP_FILE) {
   try {
     const parsed = JSON.parse(await readFile32(path, "utf8"));
@@ -3377,8 +3775,8 @@ echo "EXTRACTED=$EXTRACTED SEEDED=$SEEDED VOLREAL=$VOL_REAL"
 `;
 async function syncClaudeCredentials(spec, opts) {
   try {
-    await mkdir32(STATE_DIR2, { recursive: true });
-    const { stdout } = await execa42("docker", [
+    await mkdir32(STATE_DIR, { recursive: true });
+    const { stdout } = await execa4("docker", [
       "run",
       "--rm",
       "--user",
@@ -3386,7 +3784,7 @@ async function syncClaudeCredentials(spec, opts) {
       "-v",
       `${spec.volume}:/dst`,
       "-v",
-      `${STATE_DIR2}:/host-state`,
+      `${STATE_DIR}:/host-state`,
       "-e",
       `ISOLATE=${opts.isolate ? "yes" : "no"}`,
       opts.image,
@@ -3529,9 +3927,10 @@ ${(install.stdout ?? "").toString().slice(-600)}`
   }
   return { installed: true };
 }
+var CODEX_AGENTBOX_FLAGS = ["--enable", "hooks", "--dangerously-bypass-hook-trust"];
 async function startCodexSession(opts) {
   const sessionName = opts.sessionName ?? DEFAULT_CODEX_SESSION;
-  const cmd = ["codex", ...opts.codexArgs].map(shQuote2).join(" ");
+  const cmd = ["codex", ...CODEX_AGENTBOX_FLAGS, ...opts.codexArgs].map(shQuote2).join(" ");
   const term = process.env["TERM"] ?? "xterm-256color";
   const envFlags = ["-e", `TERM=${term}`];
   for (const k of CODEX_FORWARDED_ENV_KEYS) {
@@ -3726,6 +4125,8 @@ var SHARED_OPENCODE_VOLUME = "agentbox-opencode-config";
 var DEFAULT_OPENCODE_SESSION = "opencode";
 var CONTAINER_OPENCODE_DIR = "/home/vscode/.local/share/opencode";
 var CONTAINER_OPENCODE_CONFIG_DIR = "/home/vscode/.local/share/opencode/config";
+var CONTAINER_OPENCODE_STATE_HOME = "/home/vscode/.local/share/opencode/.state";
+var IN_BOX_OPENCODE_PLUGIN_PATH = "/usr/local/share/agentbox/opencode-agentbox-plugin.js";
 function resolveOpencodeVolume(opts) {
   if (opts.isolate) {
     return { volume: `${SHARED_OPENCODE_VOLUME}-${opts.boxId}` };
@@ -3751,13 +4152,16 @@ async function ensureOpencodeVolume(spec, opts) {
   const created = !existed;
   const hostData = join5(homedir4(), ".local", "share", "opencode");
   const hostConfig = join5(homedir4(), ".config", "opencode");
+  const hostState = join5(homedir4(), ".local", "state", "opencode");
   const hasData = await pathExists3(hostData);
   const hasConfig = await pathExists3(hostConfig);
-  const willSync = opts.syncFromHost && (hasData || hasConfig);
+  const hasState = await pathExists3(hostState);
+  const willSync = opts.syncFromHost && (hasData || hasConfig || hasState);
   if (willSync) {
     const args = ["run", "--rm", "--user", "0", "-v", `${spec.volume}:/dst`];
     if (hasData) args.push("-v", `${hostData}:/src-data:ro`);
     if (hasConfig) args.push("-v", `${hostConfig}:/src-config:ro`);
+    if (hasState) args.push("-v", `${hostState}:/src-state:ro`);
     const steps = [];
     if (hasData) {
       steps.push(
@@ -3767,6 +4171,11 @@ async function ensureOpencodeVolume(spec, opts) {
     if (hasConfig) {
       steps.push("mkdir -p /dst/config && rsync -a /src-config/ /dst/config/");
     }
+    if (hasState) {
+      steps.push(
+        "mkdir -p /dst/.state/opencode && rsync -a --update --exclude=locks /src-state/ /dst/.state/opencode/"
+      );
+    }
     steps.push("chown -R 1000:1000 /dst");
     args.push(opts.image, "sh", "-c", steps.join(" && "));
     await execa6("docker", args);
@@ -3790,6 +4199,25 @@ async function ensureOpencodeVolume(spec, opts) {
   );
   return { created, synced: false };
 }
+async function seedOpencodePlugin(volume, image) {
+  try {
+    const { stdout } = await execa6("docker", [
+      "run",
+      "--rm",
+      "--user",
+      "0",
+      "-v",
+      `${volume}:/dst`,
+      image,
+      "sh",
+      "-c",
+      `{ [ -f ${IN_BOX_OPENCODE_PLUGIN_PATH} ] && mkdir -p /dst/config/plugins && cp -a ${IN_BOX_OPENCODE_PLUGIN_PATH} /dst/config/plugins/agentbox-state.js && chown -R 1000:1000 /dst/config/plugins && echo SEEDED; } || true`
+    ]);
+    return { seeded: stdout.includes("SEEDED") };
+  } catch {
+    return { seeded: false };
+  }
+}
 var OPENCODE_FORWARDED_ENV_KEYS = [
   "ANTHROPIC_API_KEY",
   "OPENAI_API_KEY",
@@ -3800,7 +4228,10 @@ var OPENCODE_FORWARDED_ENV_KEYS = [
   "GROQ_API_KEY"
 ];
 function buildOpencodeMounts(spec, hostEnv) {
-  const env = { OPENCODE_CONFIG_DIR: CONTAINER_OPENCODE_CONFIG_DIR };
+  const env = {
+    OPENCODE_CONFIG_DIR: CONTAINER_OPENCODE_CONFIG_DIR,
+    XDG_STATE_HOME: CONTAINER_OPENCODE_STATE_HOME
+  };
   for (const k of OPENCODE_FORWARDED_ENV_KEYS) {
     const v = hostEnv[k];
     if (typeof v === "string" && v.length > 0) env[k] = v;
@@ -3915,6 +4346,8 @@ function buildOpencodeLoginRunArgv(opts) {
     "DISPLAY=",
     "-e",
     `OPENCODE_CONFIG_DIR=${CONTAINER_OPENCODE_CONFIG_DIR}`,
+    "-e",
+    `XDG_STATE_HOME=${CONTAINER_OPENCODE_STATE_HOME}`,
     "-v",
     `${opts.volume}:${CONTAINER_OPENCODE_DIR}`,
     "--user",
@@ -4105,7 +4538,7 @@ async function launchVncDaemon(container, timeoutMs = 5e3) {
 }
 var VNC_PASSWORD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 function generateVncPassword() {
-  const bytes = randomBytes(8);
+  const bytes = randomBytes2(8);
   let out = "";
   for (let i = 0; i < 8; i++) {
     out += VNC_PASSWORD_ALPHABET[bytes[i] % VNC_PASSWORD_ALPHABET.length];
@@ -4124,6 +4557,10 @@ function buildVncUrls(record, engine) {
   if (record.vncHostPort) {
     urls.loopbackUrl = `http://127.0.0.1:${String(record.vncHostPort)}/vnc.html?${qs}`;
   }
+  if (record.portlessVncAlias) {
+    const base = record.portlessVncUrl ?? `https://${record.portlessVncAlias}.localhost`;
+    urls.portlessUrl = `${base}/vnc.html?${qs}`;
+  }
   return urls;
 }
 var WEB_CONTAINER_PORT = 80;
@@ -4206,23 +4643,11 @@ async function seedWorkspace(opts) {
   for (const r of opts.repos) {
     const main = r.repo.hostMainRepo;
     const wt = r.gitWorktreePath;
+    const baseRef = r.repo.kind === "root" ? opts.fromBranch ?? "HEAD" : "HEAD";
+    const addArgs = r.reuseBranch ? ["worktree", "add", wt, r.branch] : ["worktree", "add", "-b", r.branch, wt, baseRef];
     const add = await execa7(
       "docker",
-      [
-        "exec",
-        "--user",
-        "vscode",
-        opts.container,
-        "git",
-        "-C",
-        main,
-        "worktree",
-        "add",
-        "-b",
-        r.branch,
-        wt,
-        "HEAD"
-      ],
+      ["exec", "--user", "vscode", opts.container, "git", "-C", main, ...addArgs],
       { reject: false }
     );
     if (add.exitCode !== 0) {
@@ -4515,79 +4940,6 @@ async function isProxyRunning() {
     return false;
   }
 }
-var DEFAULT_BOX_IMAGE = "agentbox/box:dev";
-var here = dirname4(fileURLToPath(import.meta.url));
-function resolveDockerBuild() {
-  const override = process.env.AGENTBOX_DOCKER_CONTEXT;
-  if (override && existsSync2(resolve2(override, "Dockerfile.box"))) {
-    return { dockerfile: resolve2(override, "Dockerfile.box"), context: override };
-  }
-  const staged = resolve2(here, "..", "runtime", "docker");
-  if (existsSync2(resolve2(staged, "Dockerfile.box"))) {
-    return { dockerfile: resolve2(staged, "Dockerfile.box"), context: staged };
-  }
-  const packageRoot = resolve2(here, "..");
-  return {
-    dockerfile: resolve2(packageRoot, "Dockerfile.box"),
-    context: resolve2(packageRoot, "..", "..")
-  };
-}
-var { dockerfile: DOCKERFILE_PATH_RESOLVED, context: BUILD_CONTEXT_DIR_RESOLVED } = resolveDockerBuild();
-var DOCKERFILE_PATH = DOCKERFILE_PATH_RESOLVED;
-var BUILD_CONTEXT_DIR = BUILD_CONTEXT_DIR_RESOLVED;
-async function imageExists(ref) {
-  const result = await execa9("docker", ["image", "inspect", ref], { reject: false });
-  return result.exitCode === 0;
-}
-async function imageInfo(ref = DEFAULT_BOX_IMAGE) {
-  const result = await execa9(
-    "docker",
-    ["image", "inspect", "--format", "{{.Size}}|{{.Created}}", ref],
-    { reject: false }
-  );
-  if (result.exitCode !== 0) return { ref, exists: false };
-  const [sizeStr, createdAt] = result.stdout.trim().split("|");
-  const sizeBytes = sizeStr ? Number.parseInt(sizeStr, 10) : NaN;
-  return {
-    ref,
-    exists: true,
-    sizeBytes: Number.isFinite(sizeBytes) ? sizeBytes : void 0,
-    createdAt: createdAt && createdAt.length > 0 ? createdAt : void 0
-  };
-}
-async function buildImage(opts = {}) {
-  const ref = opts.ref ?? DEFAULT_BOX_IMAGE;
-  const dockerfile = opts.dockerfile ?? DOCKERFILE_PATH;
-  const contextDir = opts.contextDir ?? BUILD_CONTEXT_DIR;
-  const subprocess = execa9("docker", ["build", "-t", ref, "-f", dockerfile, contextDir], {
-    stderr: "pipe",
-    stdout: "pipe"
-  });
-  if (opts.onProgress) {
-    const forward = (chunk) => {
-      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
-      for (const line of text.split(/\r?\n/)) {
-        if (line.length > 0) opts.onProgress?.(line);
-      }
-    };
-    subprocess.stdout?.on("data", forward);
-    subprocess.stderr?.on("data", forward);
-  }
-  await subprocess;
-  return ref;
-}
-async function ensureImage(ref = DEFAULT_BOX_IMAGE, opts = {}) {
-  if (await imageExists(ref)) {
-    return { ref, built: false };
-  }
-  await buildImage({
-    ref,
-    dockerfile: opts.dockerfile,
-    contextDir: opts.contextDir,
-    onProgress: opts.onProgress
-  });
-  return { ref, built: true };
-}
 var EXCLUDE_DIRS = /* @__PURE__ */ new Set([
   "node_modules",
   ".next",
@@ -4633,12 +4985,12 @@ async function findExcludedDirs(root, excluded = EXCLUDE_DIRS) {
   return matches;
 }
 async function createSnapshot(opts) {
-  const source = resolve22(opts.source);
-  const destination = resolve22(opts.destination);
+  const source = resolve2(opts.source);
+  const destination = resolve2(opts.destination);
   const excluded = opts.excluded ?? EXCLUDE_DIRS;
   await mkdir4(SNAPSHOTS_ROOT, { recursive: true });
   const cpArgs = platform() === "darwin" ? ["-cR"] : ["-R"];
-  await execa10("cp", [...cpArgs, `${source}/`, destination]);
+  await execa9("cp", [...cpArgs, `${source}/`, destination]);
   const toPrune = await findExcludedDirs(destination, excluded);
   await Promise.all(toPrune.map((p) => rm22(p, { recursive: true, force: true })));
   return { destination, prunedPaths: toPrune };
@@ -4659,7 +5011,7 @@ async function readManifest(dir) {
   try {
     const raw = await readFile5(join8(dir, "manifest.json"), "utf8");
     const m = JSON.parse(raw);
-    if (m.schema !== 2) return null;
+    if (m.schema !== 2 && m.schema !== 3) return null;
     return m;
   } catch {
     return null;
@@ -4747,7 +5099,7 @@ async function runCleanup(container, log) {
   }
 }
 async function inspectImageConfig(imageRef) {
-  const r = await execa11("docker", ["image", "inspect", imageRef], { reject: false });
+  const r = await execa10("docker", ["image", "inspect", imageRef], { reject: false });
   if (r.exitCode !== 0) {
     throw new CheckpointError(`docker image inspect ${imageRef} failed`, r.stdout, r.stderr);
   }
@@ -4823,14 +5175,14 @@ async function createCheckpoint(opts) {
   await runCleanup(box.container, log);
   if (type === "layered") {
     log(`docker commit ${box.container} -> ${tag} (layered)`);
-    const r = await execa11("docker", ["commit", box.container, tag], { reject: false });
+    const r = await execa10("docker", ["commit", box.container, tag], { reject: false });
     if (r.exitCode !== 0) {
       throw new CheckpointError(`docker commit failed for ${box.container}`, r.stdout, r.stderr);
     }
   } else {
     log(`docker commit ${box.container} -> <intermediate> (flattened path)`);
     const intermediate = `${tag}-intermediate`;
-    const commit = await execa11("docker", ["commit", box.container, intermediate], {
+    const commit = await execa10("docker", ["commit", box.container, intermediate], {
       reject: false
     });
     if (commit.exitCode !== 0) {
@@ -4843,8 +5195,15 @@ async function createCheckpoint(opts) {
     }
   }
   const base = (box.gitWorktrees ?? []).some((w) => w.kind === "root") ? "worktree" : "workspace";
+  const prepared = readPreparedDockerState();
+  let baseFingerprint = prepared?.base?.contextSha256;
+  if (!baseFingerprint) {
+    const fp = await computeDockerContextFingerprint();
+    baseFingerprint = fp?.contextSha256;
+  }
+  const stamp = readCliStamp();
   const manifest = {
-    schema: 2,
+    schema: 3,
     name,
     type,
     image: tag,
@@ -4854,6 +5213,9 @@ async function createCheckpoint(opts) {
     sourceBoxId: box.id,
     sourceBoxName: box.name,
     worktrees: box.gitWorktrees,
+    baseProvider: "docker",
+    baseFingerprint,
+    cliVersion: stamp.cliVersion,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
   await writeFile22(join8(dir, "manifest.json"), JSON.stringify(manifest, null, 2) + "\n", "utf8");
@@ -4865,7 +5227,7 @@ async function createCheckpoint(opts) {
 }
 async function flattenImage(sourceTag, destTag, log) {
   const tmpName = `agentbox-flatten-${Date.now().toString(36)}`;
-  const create = await execa11(
+  const create = await execa10(
     "docker",
     ["create", "--name", tmpName, sourceTag, "sleep", "0"],
     { reject: false }
@@ -4877,7 +5239,7 @@ async function flattenImage(sourceTag, destTag, log) {
   try {
     const rootfsPath = join8(scratch, "rootfs.tar");
     log(`exporting rootfs of ${sourceTag} to ${rootfsPath}`);
-    const exp = await execa11("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
+    const exp = await execa10("docker", ["export", "-o", rootfsPath, tmpName], { reject: false });
     if (exp.exitCode !== 0) {
       throw new CheckpointError(`docker export failed`, exp.stdout, exp.stderr);
     }
@@ -4890,7 +5252,7 @@ async function flattenImage(sourceTag, destTag, log) {
     ];
     await writeFile22(join8(scratch, "Dockerfile"), lines.join("\n") + "\n", "utf8");
     log(`building flattened ${destTag} from rootfs.tar (FROM scratch)`);
-    const build = await execa11(
+    const build = await execa10(
       "docker",
       ["build", "-t", destTag, "-f", join8(scratch, "Dockerfile"), scratch],
       { reject: false }
@@ -4899,7 +5261,7 @@ async function flattenImage(sourceTag, destTag, log) {
       throw new CheckpointError(`flatten docker build failed`, build.stdout, build.stderr);
     }
   } finally {
-    await execa11("docker", ["rm", "-f", tmpName], { reject: false });
+    await execa10("docker", ["rm", "-f", tmpName], { reject: false });
     await rm3(scratch, { recursive: true, force: true });
   }
 }
@@ -4943,7 +5305,7 @@ async function pathExists4(p) {
 }
 async function writeBoxEnvFile(container, env) {
   const body = formatBoxEnvBody(env);
-  const result = await execa12(
+  const result = await execa11(
     "docker",
     ["exec", "--user", "root", "-i", container, "sh", "-c", "umask 022 && cat > /etc/agentbox/box.env"],
     { input: body, reject: false }
@@ -4967,7 +5329,7 @@ function shellSingleQuote(s) {
   return `'${s.replace(/'/g, `'\\''`)}'`;
 }
 async function ensureHomeOwnedByVscode(container) {
-  await execa13(
+  await execa12(
     "docker",
     [
       "exec",
@@ -5004,25 +5366,72 @@ async function ensureRelay(opts = {}) {
     await removeContainer(RELAY_CONTAINER_NAME);
     log(`removed legacy relay container ${RELAY_CONTAINER_NAME}`);
   }
-  if (await pingHealthz(500)) {
-    return ENDPOINT;
-  }
-  const existingPid = await readPidFile();
-  if (existingPid !== null && await processAlive(existingPid)) {
-    for (let i = 0; i < 10; i++) {
-      if (await pingHealthz(300)) return ENDPOINT;
-      await delay2(200);
+  const health = await fetchHealthz(500);
+  if (health !== null) {
+    if (health.cliEntry !== false) {
+      return ENDPOINT;
+    }
+    log("relay is alive but lacks AGENTBOX_CLI_ENTRY (cp/download/checkpoint would fail) \u2014 reclaiming");
+    await reclaimRelay(health.pid, log);
+  } else {
+    const existingPid = await readPidFile();
+    if (existingPid !== null && await processAlive(existingPid)) {
+      for (let i = 0; i < 10; i++) {
+        if (await pingHealthz(300)) return ENDPOINT;
+        await delay2(200);
+      }
+      log(`relay pid ${String(existingPid)} alive but /healthz unresponsive \u2014 proceeding anyway`);
+      return ENDPOINT;
+    }
+    if (existingPid !== null) {
+      await unlink2(PID_FILE).catch(() => {
+      });
     }
-    log(`relay pid ${String(existingPid)} alive but /healthz unresponsive \u2014 proceeding anyway`);
-    return ENDPOINT;
-  }
-  if (existingPid !== null) {
-    await unlink(PID_FILE).catch(() => {
-    });
   }
   const relayBin = resolveRelayBin();
-  const logFd = openSync(LOG_FILE, "a");
   const cliEntry = resolveCliEntry();
+  if (cliEntry === null) {
+    throw new Error(
+      "cannot start the host relay: agentbox CLI entry not found (is the build complete / dist present?). Set AGENTBOX_CLI_ENTRY to override."
+    );
+  }
+  return spawnRelay(relayBin, cliEntry, log);
+}
+async function reclaimRelay(reportedPid, log) {
+  const pidFromFile = await readPidFile();
+  const seen = /* @__PURE__ */ new Set();
+  for (const pid of [reportedPid, pidFromFile]) {
+    if (typeof pid !== "number" || pid <= 0 || seen.has(pid)) continue;
+    seen.add(pid);
+    if (!await processAlive(pid)) continue;
+    log(`stopping crippled relay pid ${String(pid)}`);
+    await killPid(pid);
+  }
+  await unlink2(PID_FILE).catch(() => {
+  });
+  if (await pingHealthz(300)) {
+    throw new Error(
+      `a relay without AGENTBOX_CLI_ENTRY is still listening on :${String(PORT)} and could not be stopped (reported pid ${String(reportedPid ?? "unknown")}); kill it manually and retry`
+    );
+  }
+}
+async function killPid(pid) {
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    return;
+  }
+  for (let i = 0; i < 20; i++) {
+    if (!await processAlive(pid)) return;
+    await delay2(100);
+  }
+  try {
+    process.kill(pid, "SIGKILL");
+  } catch {
+  }
+}
+async function spawnRelay(relayBin, cliEntry, log) {
+  const logFd = openSync(LOG_FILE, "a");
   const child = spawn(
     process.execPath,
     [relayBin, "serve", "--port", String(PORT), "--host", "0.0.0.0"],
@@ -5031,7 +5440,7 @@ async function ensureRelay(opts = {}) {
       stdio: ["ignore", logFd, logFd],
       env: {
         ...process.env,
-        ...cliEntry ? { AGENTBOX_CLI_ENTRY: cliEntry } : {}
+        AGENTBOX_CLI_ENTRY: cliEntry
       }
     }
   );
@@ -5053,16 +5462,16 @@ async function ensureRelay(opts = {}) {
 }
 function resolveRelayBin() {
   const override = process.env.AGENTBOX_RELAY_BIN;
-  if (override && existsSync3(override)) return override;
-  const here2 = dirname22(fileURLToPath2(import.meta.url));
+  if (override && existsSync2(override)) return override;
+  const here = dirname3(fileURLToPath(import.meta.url));
   const candidates = [
-    resolve3(here2, "..", "runtime", "relay", "bin.cjs"),
-    resolve3(here2, "..", "..", "relay", "dist", "bin.cjs"),
-    resolve3(here2, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
-    resolve3(here2, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
+    resolve22(here, "..", "runtime", "relay", "bin.cjs"),
+    resolve22(here, "..", "..", "relay", "dist", "bin.cjs"),
+    resolve22(here, "..", "..", "..", "@agentbox", "relay", "dist", "bin.cjs"),
+    resolve22(here, "..", "..", "node_modules", "@agentbox", "relay", "dist", "bin.cjs")
   ];
   for (const c of candidates) {
-    if (existsSync3(c)) return c;
+    if (existsSync2(c)) return c;
   }
   throw new Error(
     `could not locate @agentbox/relay bin; tried:
@@ -5071,17 +5480,17 @@ function resolveRelayBin() {
 }
 function resolveCliEntry() {
   const override = process.env.AGENTBOX_CLI_ENTRY;
-  if (override && existsSync3(override)) return override;
-  const here2 = dirname22(fileURLToPath2(import.meta.url));
+  if (override && existsSync2(override)) return override;
+  const here = dirname3(fileURLToPath(import.meta.url));
   const candidates = [
     // Bundled CLI (dev + published): this module IS bundled into the CLI
     // entry, so the entry is index.js next to this file.
-    resolve3(here2, "index.js"),
-    resolve3(here2, "..", "..", "..", "apps", "cli", "dist", "index.js"),
-    resolve3(here2, "..", "..", "..", "..", "dist", "index.js")
+    resolve22(here, "index.js"),
+    resolve22(here, "..", "..", "..", "apps", "cli", "dist", "index.js"),
+    resolve22(here, "..", "..", "..", "..", "dist", "index.js")
   ];
   for (const c of candidates) {
-    if (existsSync3(c)) return c;
+    if (existsSync2(c)) return c;
   }
   return null;
 }
@@ -5091,7 +5500,7 @@ async function stopRelay() {
     return { stopped: false, pid: null };
   }
   if (!await processAlive(pid)) {
-    await unlink(PID_FILE).catch(() => {
+    await unlink2(PID_FILE).catch(() => {
     });
     return { stopped: false, pid };
   }
@@ -5109,7 +5518,7 @@ async function stopRelay() {
     } catch {
     }
   }
-  await unlink(PID_FILE).catch(() => {
+  await unlink2(PID_FILE).catch(() => {
   });
   return { stopped: true, pid };
 }
@@ -5163,7 +5572,13 @@ function fetchHealthz(timeoutMs) {
           try {
             const parsed = JSON.parse(Buffer.concat(chunks).toString("utf8"));
             if (typeof parsed.ok === "boolean" && typeof parsed.boxes === "number" && typeof parsed.events === "number") {
-              resolveP({ ok: parsed.ok, boxes: parsed.boxes, events: parsed.events });
+              resolveP({
+                ok: parsed.ok,
+                boxes: parsed.boxes,
+                events: parsed.events,
+                pid: typeof parsed.pid === "number" ? parsed.pid : void 0,
+                cliEntry: typeof parsed.cliEntry === "boolean" ? parsed.cliEntry : void 0
+              });
             } else {
               resolveP(null);
             }
@@ -5200,7 +5615,7 @@ async function processAlive(pid) {
   }
 }
 function generateRelayToken() {
-  return randomBytes2(32).toString("hex");
+  return randomBytes22(32).toString("hex");
 }
 async function registerBoxWithRelay(args) {
   const worktrees = (args.worktrees ?? []).map((w) => ({
@@ -5249,6 +5664,20 @@ async function clearRelayNotice(boxId, id) {
   } catch {
   }
 }
+async function mintHostInitiatedToken(boxId, method, paramsHash, ttlMs) {
+  try {
+    const body = await adminPostForJson("/admin/host-initiated/mint", {
+      boxId,
+      method,
+      paramsHash,
+      ...typeof ttlMs === "number" ? { ttlMs } : {}
+    });
+    const token = body?.token;
+    return typeof token === "string" && token.length > 0 ? token : null;
+  } catch {
+    return null;
+  }
+}
 async function adminPost(path, body) {
   const json = JSON.stringify(body);
   await new Promise((resolveP, rejectP) => {
@@ -5501,7 +5930,7 @@ function generateBoxId() {
   return randomBytes3(4).toString("hex");
 }
 function sanitizeBasename(workspacePath) {
-  const raw = basename2(resolve4(workspacePath));
+  const raw = basename2(resolve3(workspacePath));
   return raw.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^[-._]+|[-._]+$/g, "").slice(0, 30).replace(/[-._]+$/, "");
 }
 function defaultBoxName(workspacePath, id) {
@@ -5532,7 +5961,7 @@ async function buildIdentityMounts() {
 async function createBox(opts) {
   const log = opts.onLog ?? (() => {
   });
-  const workspace = resolve4(opts.workspacePath);
+  const workspace = resolve3(opts.workspacePath);
   if (!await pathExists5(workspace)) {
     throw new Error(`workspace does not exist: ${workspace}`);
   }
@@ -5567,6 +5996,27 @@ async function createBox(opts) {
     log(
       `starting from checkpoint ${opts.checkpointRef} (${head.manifest.type}, ${String(chain.length)} layer(s), image ${head.manifest.image})`
     );
+    const ckptFingerprint = head.manifest.baseFingerprint;
+    const ckptCliVersion = head.manifest.cliVersion ?? "unknown";
+    if (head.manifest.schema === 2) {
+      log(
+        `WARNING: checkpoint '${opts.checkpointRef}' was captured before checkpoint versioning landed.
+  Its base-image layers may be older than your current base image. If the box is missing
+  expected updates, remove the checkpoint with \`agentbox checkpoint rm ${opts.checkpointRef}\` and recreate it.`
+      );
+    } else {
+      const prepared = readPreparedDockerState();
+      const currentFingerprint = prepared?.base?.contextSha256 ?? (await computeDockerContextFingerprint())?.contextSha256;
+      if (ckptFingerprint && currentFingerprint && ckptFingerprint !== currentFingerprint) {
+        log(
+          `WARNING: checkpoint '${opts.checkpointRef}' was captured against an older base image.
+  captured: cli ${ckptCliVersion}, fingerprint ${ckptFingerprint.slice(0, 12)}
+  current : cli ${prepared?.base?.cliVersion ?? "unknown"}, fingerprint ${currentFingerprint.slice(0, 12)}
+  The restored box will keep the old base layers and will NOT include base-image updates.
+  To pick up updates: \`agentbox checkpoint rm ${opts.checkpointRef}\` and recreate from a fresh box.`
+        );
+      }
+    }
   }
   const imageRef = checkpointImage ?? opts.image ?? DEFAULT_BOX_IMAGE;
   const ensureRef = checkpointImage ? opts.image ?? DEFAULT_BOX_IMAGE : imageRef;
@@ -5607,9 +6057,33 @@ async function createBox(opts) {
       );
     }
     for (const r of repos) {
+      const containerPath = r.kind === "root" ? "/workspace" : `/workspace/${r.relPathFromWorkspace}`;
+      const reuseBranch = r.kind === "root" && opts.useBranch !== void 0;
+      if (reuseBranch) {
+        const branch2 = opts.useBranch;
+        const gitWorktreePath2 = gitWorktreePathFor(branch2);
+        repoCarryOvers.push({
+          repo: r,
+          containerPath,
+          gitWorktreePath: gitWorktreePath2,
+          branch: branch2,
+          stashSha: null,
+          untrackedNul: "",
+          hostSource: r.hostMainRepo,
+          reuseBranch: true
+        });
+        gitWorktreeRecords.push({
+          kind: r.kind,
+          hostMainRepo: r.hostMainRepo,
+          containerPath,
+          gitWorktreePath: gitWorktreePath2,
+          branch: branch2,
+          relPathFromWorkspace: r.relPathFromWorkspace
+        });
+        continue;
+      }
       const branchBase = r.kind === "root" ? `agentbox/${name}` : `agentbox/${name}--${r.relPathFromWorkspace.replace(/[^A-Za-z0-9._-]+/g, "_")}`;
       const branch = await pickFreshBranch(r.hostMainRepo, branchBase);
-      const containerPath = r.kind === "root" ? "/workspace" : `/workspace/${r.relPathFromWorkspace}`;
       const gitWorktreePath = gitWorktreePathFor(branch);
       const carry = await collectRepoCarryOver(r, branch, containerPath, gitWorktreePath);
       repoCarryOvers.push(carry);
@@ -5716,6 +6190,8 @@ async function createBox(opts) {
     if (opencodeEnsured.synced) log(`synced ${opencodeSpec.volume} from ~/.config + ~/.local/share opencode`);
     else if (opencodeEnsured.created) log(`created empty volume ${opencodeSpec.volume} (no host opencode)`);
     else log(`reusing volume ${opencodeSpec.volume}`);
+    const opencodePlugin = await seedOpencodePlugin(opencodeSpec.volume, ensureRef);
+    if (opencodePlugin.seeded) log(`seeded agentbox-state plugin into ${opencodeSpec.volume}`);
     opencodeMounts = buildOpencodeMounts(opencodeSpec, process.env);
     opencodeConfigVolume = opencodeSpec.volume;
   }
@@ -5771,10 +6247,15 @@ async function createBox(opts) {
     }
   }
   const relayEnv = relayUp ? {
-    // host.docker.internal resolves to the host (where the relay node
-    // process is running). The matching `--add-host` is set in runBox.
-    AGENTBOX_RELAY_URL: `http://host.docker.internal:8787`,
-    AGENTBOX_RELAY_TOKEN: relayToken
+    // The in-box ctl client always talks to its own in-box relay/forwarder
+    // on AGENTBOX_BOX_RELAY_PORT (default 8788). For docker boxes the
+    // forwarder transparently proxies to the host relay at
+    // host.docker.internal:8787 (the matching `--add-host` is set in
+    // runBox). This keeps :8787 inside the box free for a nested
+    // agentbox to claim its own host relay.
+    AGENTBOX_RELAY_URL: `http://127.0.0.1:8788`,
+    AGENTBOX_RELAY_TOKEN: relayToken,
+    AGENTBOX_HOST_RELAY_URL: `http://host.docker.internal:8787`
   } : {};
   const vncEnabled = opts.vnc?.enabled !== false;
   const vncPassword = vncEnabled ? generateVncPassword() : void 0;
@@ -5839,12 +6320,26 @@ async function createBox(opts) {
   if (!checkpointImage) {
     if (repoCarryOvers.length > 0) {
       try {
-        await seedWorkspace({ container: containerName, repos: repoCarryOvers, onLog: log });
+        await seedWorkspace({
+          container: containerName,
+          repos: repoCarryOvers,
+          fromBranch: opts.fromBranch,
+          onLog: log
+        });
         log("seeded /workspace from in-container git worktree(s)");
       } catch (err) {
-        log(
-          `seedWorkspace failed; leaving ${containerName} running so you can inspect it`
-        );
+        if (opts.useBranch !== void 0) {
+          log(`seedWorkspace failed for --use-branch ${opts.useBranch}; cleaning up the box`);
+          await execa13("docker", ["rm", "-f", containerName], { reject: false });
+          for (const w of gitWorktreeRecords) {
+            await removeInBoxWorktree({
+              hostMainRepo: w.hostMainRepo,
+              gitWorktreePath: w.gitWorktreePath
+            });
+          }
+        } else {
+          log(`seedWorkspace failed; leaving ${containerName} running so you can inspect it`);
+        }
         throw err;
       }
     } else {
@@ -5878,7 +6373,7 @@ async function createBox(opts) {
   }
   if (opts.withPlaywright) {
     log("installing @playwright/cli@latest (--with-playwright)");
-    const result = await execa14(
+    const result = await execa13(
       "docker",
       [
         "exec",
@@ -5923,6 +6418,20 @@ async function createBox(opts) {
       log(`copied ${String(copied)}/${String(opts.envFilesToImport.length)} selected env/config file(s)`);
     }
   }
+  let carrySummary;
+  if (opts.carry && opts.carry.length > 0) {
+    log(`carry: copying ${String(opts.carry.length)} host path(s) into the box`);
+    const result = await copyCarryPathsToBox({
+      container: containerName,
+      entries: opts.carry,
+      onLog: log
+    });
+    log(`carry: copied ${String(result.copied)}/${String(opts.carry.length)} entry/entries`);
+    for (const err of result.errors) log(`carry: ${err}`);
+    if (result.applied.length > 0) {
+      carrySummary = { count: result.applied.length, entries: result.applied };
+    }
+  }
   let vncHostPort = null;
   if (vncEnabled) {
     const vnc = await launchVncDaemon(containerName);
@@ -5939,7 +6448,9 @@ async function createBox(opts) {
   }
   let portlessAliasName;
   let portlessUrl;
-  if (opts.portless === true && webHostPort) {
+  let portlessVncAliasName;
+  let portlessVncUrl;
+  if (opts.portless === true && (webHostPort || vncEnabled && vncHostPort)) {
     try {
       const engine = await detectEngine();
       if (engine === "orbstack") {
@@ -5948,15 +6459,29 @@ async function createBox(opts) {
         const portless = await detectPortless();
         if (!portless.installed) {
           log("portless not installed \u2014 run `npm install -g portless` for a <name>.localhost URL");
-        } else if (await portlessAlias(name, webHostPort)) {
-          portlessAliasName = name;
-          portlessUrl = await portlessGetUrl(name);
-          log(`portless alias ${portlessUrl} -> 127.0.0.1:${String(webHostPort)}`);
-          if (!portless.proxyRunning) {
+        } else {
+          if (webHostPort) {
+            if (await portlessAlias(name, webHostPort)) {
+              portlessAliasName = name;
+              portlessUrl = await portlessGetUrl(name);
+              log(`portless alias ${portlessUrl} -> 127.0.0.1:${String(webHostPort)}`);
+            } else {
+              log("portless alias failed (best-effort) \u2014 box still reachable on the loopback URL");
+            }
+          }
+          if (vncEnabled && vncHostPort) {
+            const vncAlias = `vnc-${name}`;
+            if (await portlessAlias(vncAlias, vncHostPort)) {
+              portlessVncAliasName = vncAlias;
+              portlessVncUrl = await portlessGetUrl(vncAlias);
+              log(`portless alias ${portlessVncUrl} -> 127.0.0.1:${String(vncHostPort)}`);
+            } else {
+              log("portless vnc alias failed (best-effort) \u2014 VNC still reachable on the loopback URL");
+            }
+          }
+          if (!portless.proxyRunning && (portlessAliasName || portlessVncAliasName)) {
             log(`portless proxy not running \u2014 start it with \`${portlessStartHint()}\``);
           }
-        } else {
-          log("portless alias failed (best-effort) \u2014 box still reachable on the loopback URL");
         }
       }
     } catch (err) {
@@ -5980,6 +6505,7 @@ async function createBox(opts) {
     gitWorktrees: gitWorktreeRecords.length > 0 ? gitWorktreeRecords : void 0,
     withPlaywright: opts.withPlaywright ? true : void 0,
     withEnv: opts.withEnv ? true : void 0,
+    carry: carrySummary,
     vncEnabled: vncEnabled ? true : void 0,
     vncContainerPort: vncEnabled ? VNC_CONTAINER_PORT : void 0,
     vncHostPort: vncHostPort ?? void 0,
@@ -5988,6 +6514,8 @@ async function createBox(opts) {
     webHostPort: webHostPort ?? void 0,
     portlessAlias: portlessAliasName,
     portlessUrl,
+    portlessVncAlias: portlessVncAliasName,
+    portlessVncUrl,
     dockerVolume,
     dockerCacheShared: dockerCacheShared || void 0,
     projectRoot: opts.projectRoot,
@@ -6046,7 +6574,7 @@ function parseShellSessionList(stdout) {
   return out;
 }
 async function listShellSessions(container, user) {
-  const res = await execa15(
+  const res = await execa14(
     "docker",
     [
       "exec",
@@ -6070,7 +6598,7 @@ async function startShellSession(opts) {
   const login = opts.login !== false;
   const term = process.env["TERM"] ?? "xterm-256color";
   const cmd = login ? "bash -l" : "bash";
-  const result = await execa15(
+  const result = await execa14(
     "docker",
     [
       "exec",
@@ -6119,7 +6647,7 @@ function buildShellSessionAttachArgv(container, sessionName, user) {
 }
 async function shellSessionInfo(container, sessionName, user) {
   const name = sessionName ?? DEFAULT_SHELL_SESSION;
-  const has = await execa15(
+  const has = await execa14(
     "docker",
     ["exec", "--user", user ?? CONTAINER_USER, container, "tmux", "has-session", "-t", name],
     { reject: false }
@@ -6127,7 +6655,7 @@ async function shellSessionInfo(container, sessionName, user) {
   return { running: has.exitCode === 0, sessionName: name };
 }
 async function killShellSession(container, sessionName, user) {
-  const res = await execa15(
+  const res = await execa14(
     "docker",
     [
       "exec",
@@ -6149,7 +6677,7 @@ async function getBoxEndpoints(record, engine, persisted) {
   const endpoints = [];
   if (record.vncEnabled && record.vncPassword) {
     const vncUrls = buildVncUrls(record, engine);
-    const url = vncUrls.orbUrl ?? vncUrls.loopbackUrl;
+    const url = engine === "orbstack" ? vncUrls.orbUrl ?? vncUrls.loopbackUrl : vncUrls.portlessUrl ?? vncUrls.loopbackUrl;
     endpoints.push({
       kind: "vnc",
       name: "vnc",
@@ -6216,18 +6744,30 @@ async function listBoxes() {
         const portlessWebUrl = b.portlessAlias !== void 0 ? b.portlessUrl ?? `https://${b.portlessAlias}.localhost` : void 0;
         const cachedWebUrl = webPort > 0 ? b.cloud?.previewUrls?.[webPort] : void 0;
         const webUrl = portlessWebUrl ?? cachedWebUrl;
+        const portlessVncBase = b.portlessVncAlias !== void 0 ? b.portlessVncUrl ?? `https://${b.portlessVncAlias}.localhost` : void 0;
+        const vncUrl = portlessVncBase && b.vncPassword ? `${portlessVncBase}/vnc.html?autoconnect=1&password=${encodeURIComponent(b.vncPassword)}` : void 0;
+        const cloudEndpoints = [];
+        if (webUrl) {
+          cloudEndpoints.push({
+            kind: "web",
+            name: "web",
+            containerPort: webPort,
+            url: webUrl,
+            reachable: true
+          });
+        }
+        if (b.vncEnabled && b.vncPassword) {
+          cloudEndpoints.push({
+            kind: "vnc",
+            name: "vnc",
+            containerPort: b.vncContainerPort ?? 6080,
+            ...vncUrl ? { url: vncUrl, reachable: true } : { reachable: false }
+          });
+        }
         const endpoints2 = {
           domain: webUrl ? safeHost(webUrl) : "",
           domainIsOrb: false,
-          endpoints: webUrl ? [
-            {
-              kind: "web",
-              name: "web",
-              containerPort: webPort,
-              url: webUrl,
-              reachable: true
-            }
-          ] : []
+          endpoints: cloudEndpoints
         };
         return {
           ...b,
@@ -6351,19 +6891,31 @@ async function startBox(idOrName) {
       box.webHostPort = freshWebPort;
       await recordBox(box);
     }
-    if (box.portlessAlias && box.webHostPort) {
-      try {
-        const portless = await detectPortless();
-        if (portless.installed) {
+  }
+  if (box.portlessAlias && box.webHostPort || box.portlessVncAlias && box.vncHostPort) {
+    try {
+      const portless = await detectPortless();
+      if (portless.installed) {
+        let dirty = false;
+        if (box.portlessAlias && box.webHostPort) {
           await portlessAlias(box.portlessAlias, box.webHostPort);
           const url = await portlessGetUrl(box.portlessAlias);
           if (url !== box.portlessUrl) {
             box.portlessUrl = url;
-            await recordBox(box);
+            dirty = true;
           }
         }
-      } catch {
+        if (box.portlessVncAlias && box.vncHostPort) {
+          await portlessAlias(box.portlessVncAlias, box.vncHostPort);
+          const url = await portlessGetUrl(box.portlessVncAlias);
+          if (url !== box.portlessVncUrl) {
+            box.portlessVncUrl = url;
+            dirty = true;
+          }
+        }
+        if (dirty) await recordBox(box);
       }
+    } catch {
     }
   }
   if (box.relayToken) {
@@ -6395,7 +6947,7 @@ async function getBoxHostPaths(idOrName) {
 }
 async function dirSizeBytes(path) {
   try {
-    const result = await execa16("du", ["-sk", path], { reject: false });
+    const result = await execa15("du", ["-sk", path], { reject: false });
     if (result.exitCode !== 0) return null;
     const sizeKb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
     if (Number.isNaN(sizeKb)) return null;
@@ -6463,6 +7015,12 @@ async function destroyBox(idOrName, opts = {}) {
     } catch {
     }
   }
+  if (box.portlessVncAlias) {
+    try {
+      await portlessUnalias(box.portlessVncAlias);
+    } catch {
+    }
+  }
   const ownsWorktrees = !box.checkpointImage;
   if (ownsWorktrees) {
     for (const w of box.gitWorktrees ?? []) {
@@ -6537,7 +7095,7 @@ async function listBoxDirs() {
   }
 }
 async function listCheckpointImageTags() {
-  const r = await execa16(
+  const r = await execa15(
     "docker",
     ["image", "ls", "--format", "{{.Repository}}:{{.Tag}}", `${CHECKPOINT_IMAGE_PREFIX}*`],
     { reject: false }
@@ -6645,7 +7203,7 @@ async function pruneBoxes(opts = {}) {
     } catch {
     }
     try {
-      await execa16("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
+      await execa15("docker", ["image", "rm", RELAY_IMAGE_REF], { reject: false });
     } catch {
     }
     try {
@@ -6707,7 +7265,7 @@ function splitPair(raw) {
   return [parts[0].trim(), parts[1].trim()];
 }
 async function duBytes(path) {
-  const result = await execa17("du", ["-sk", path], { reject: false });
+  const result = await execa16("du", ["-sk", path], { reject: false });
   if (result.exitCode !== 0) return null;
   const kb = Number.parseInt((result.stdout ?? "").split(/\s+/)[0] ?? "", 10);
   return Number.isNaN(kb) ? null : kb * 1024;
@@ -6720,7 +7278,7 @@ async function volumeSizeBytes(name) {
     const sz = await duBytes(live);
     if (sz !== null) return sz;
   }
-  const df = await execa17(
+  const df = await execa16(
     "docker",
     ["system", "df", "-v", "--format", "{{json .Volumes}}"],
     { reject: false }
@@ -6741,7 +7299,7 @@ async function volumeSizeBytes(name) {
   return null;
 }
 async function imageBytes(tag) {
-  const r = await execa17("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
+  const r = await execa16("docker", ["image", "inspect", tag, "--format", "{{.Size}}"], {
     reject: false
   });
   if (r.exitCode !== 0) return null;
@@ -6752,7 +7310,7 @@ async function projectCheckpointImageBytes(projectRoot, name) {
   return imageBytes(checkpointImageTag(projectRoot, name));
 }
 async function allCheckpointImagesBytes() {
-  const r = await execa17(
+  const r = await execa16(
     "docker",
     [
       "image",
@@ -6804,7 +7362,7 @@ function reconcileLimits(persisted, dockerJson) {
   };
 }
 async function containerWritableBytes(container) {
-  const r = await execa17(
+  const r = await execa16(
     "docker",
     ["ps", "-a", "--filter", `name=^${container}$`, "--format", "{{.Size}}", "--size"],
     { reject: false }
@@ -6851,7 +7409,7 @@ async function boxResourceStats(record) {
   if (await inspectContainerStatus(record.container) !== "running") {
     return base;
   }
-  const proc = await execa17(
+  const proc = await execa16(
     "docker",
     ["stats", "--no-stream", "--format", "{{json .}}", record.container],
     { reject: false }
@@ -6886,6 +7444,125 @@ async function boxResourceStats(record) {
     blockWriteBytes: blkPair ? parseDockerSize(blkPair[1]) : null
   };
 }
+function posixDirname(p) {
+  return posix.dirname(p) || "/";
+}
+function asText(s) {
+  if (s === void 0) return "";
+  if (typeof s === "string") return s;
+  return Buffer.from(s).toString("utf8");
+}
+async function uploadToBox(box, hostSrc, boxDst) {
+  const srcAbs = resolve4(hostSrc);
+  if (!existsSync3(srcAbs)) throw new Error(`source not found: ${hostSrc}`);
+  const srcBasename = basename32(srcAbs);
+  const srcParent = dirname22(srcAbs);
+  let boxParent;
+  let finalName;
+  if (boxDst.endsWith("/")) {
+    boxParent = boxDst.replace(/\/+$/, "") || "/";
+    finalName = srcBasename;
+  } else {
+    const isDir2 = await execa17(
+      "docker",
+      ["exec", box.container, "test", "-d", boxDst],
+      { reject: false }
+    );
+    if (isDir2.exitCode === 0) {
+      boxParent = boxDst.replace(/\/+$/, "") || "/";
+      finalName = srcBasename;
+    } else {
+      boxParent = posixDirname(boxDst);
+      finalName = posix.basename(boxDst);
+    }
+  }
+  const finalPath = boxParent === "/" ? `/${finalName}` : `${boxParent}/${finalName}`;
+  const mk = await execa17(
+    "docker",
+    ["exec", "--user", "root", box.container, "mkdir", "-p", boxParent],
+    { reject: false }
+  );
+  if (mk.exitCode !== 0) {
+    throw new Error(`mkdir -p ${boxParent} in box failed: ${asText(mk.stderr).slice(0, 300)}`);
+  }
+  const packed = await execa17("tar", ["-C", srcParent, "-cf", "-", srcBasename], {
+    encoding: "buffer",
+    reject: false,
+    env: { ...process.env, COPYFILE_DISABLE: "1" }
+  });
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  const extract = await execa17(
+    "docker",
+    ["exec", "-i", "--user", "root", box.container, "tar", "-xf", "-", "-C", boxParent],
+    { input: packed.stdout, reject: false }
+  );
+  if (extract.exitCode !== 0) {
+    throw new Error(`tar extract in box failed: ${asText(extract.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    const initial = boxParent === "/" ? `/${srcBasename}` : `${boxParent}/${srcBasename}`;
+    const mv = await execa17(
+      "docker",
+      ["exec", "--user", "root", box.container, "mv", initial, finalPath],
+      { reject: false }
+    );
+    if (mv.exitCode !== 0) {
+      throw new Error(
+        `rename ${initial} -> ${finalPath} in box failed: ${asText(mv.stderr).slice(0, 300)}`
+      );
+    }
+  }
+  const chown = await execa17(
+    "docker",
+    ["exec", "--user", "root", box.container, "chown", "-R", "1000:1000", finalPath],
+    { reject: false }
+  );
+  if (chown.exitCode !== 0) {
+    return {
+      finalPath,
+      warn: `chown ${finalPath} to vscode (uid 1000) failed; ownership inside the box may be root.`
+    };
+  }
+  return { finalPath };
+}
+async function downloadFromBox(box, boxSrc, hostDst) {
+  const srcBasename = posix.basename(boxSrc);
+  const srcParent = posixDirname(boxSrc);
+  const dstAbs = resolve4(hostDst);
+  let hostParent;
+  let finalName;
+  const dstExists = existsSync3(dstAbs);
+  if (hostDst.endsWith("/") || dstExists && statSync(dstAbs).isDirectory()) {
+    hostParent = dstAbs;
+    finalName = srcBasename;
+  } else {
+    hostParent = dirname22(dstAbs);
+    finalName = basename32(dstAbs);
+  }
+  mkdirSync(hostParent, { recursive: true });
+  const finalPath = posix.join(hostParent, finalName);
+  const packed = await execa17(
+    "docker",
+    ["exec", box.container, "tar", "-C", srcParent, "-cf", "-", srcBasename],
+    { encoding: "buffer", reject: false }
+  );
+  if (packed.exitCode !== 0) {
+    throw new Error(`tar pack in box failed: ${asText(packed.stderr).slice(0, 300)}`);
+  }
+  const extract = await execa17("tar", ["-xf", "-", "-C", hostParent], {
+    input: packed.stdout,
+    reject: false
+  });
+  if (extract.exitCode !== 0) {
+    throw new Error(`tar extract on host failed: ${asText(extract.stderr).slice(0, 300)}`);
+  }
+  if (finalName !== srcBasename) {
+    renameSync(posix.join(hostParent, srcBasename), finalPath);
+  }
+  return { finalPath };
+}
 var dockerProvider = {
   name: "docker",
   async create(req) {
@@ -6895,6 +7572,8 @@ var dockerProvider = {
       name: req.name,
       useSnapshot: po.useSnapshot ?? false,
       checkpointRef: req.checkpointRef,
+      fromBranch: req.fromBranch,
+      useBranch: req.useBranch,
       image: req.image,
       onLog: req.onLog,
       claudeConfig: po.claudeConfig,
@@ -6904,6 +7583,7 @@ var dockerProvider = {
       withPlaywright: req.withPlaywright,
       withEnv: req.withEnv,
       envFilesToImport: req.envFilesToImport,
+      carry: req.carry,
       vnc: req.vnc,
       docker: po.sharedCache !== void 0 ? { sharedCache: po.sharedCache } : void 0,
       portless: po.portless,
@@ -6954,6 +7634,14 @@ var dockerProvider = {
     const r = await execInBox(box.container, argv, opts?.user ? { user: opts.user } : {});
     return { exitCode: r.exitCode, stdout: r.stdout, stderr: r.stderr };
   },
+  async uploadPath(box, hostSrc, boxDst) {
+    const r = await uploadToBox(box, hostSrc, boxDst);
+    return { finalPath: r.finalPath };
+  },
+  async downloadPath(box, boxSrc, hostDst) {
+    const r = await downloadFromBox(box, boxSrc, hostDst);
+    return { finalPath: r.finalPath };
+  },
   async resolveUrl(box, opts) {
     if (box.webContainerPort === void 0) {
       throw new Error(
@@ -6976,13 +7664,33 @@ var dockerProvider = {
   },
   async prepare(opts) {
     const ref = DEFAULT_BOX_IMAGE;
-    if (!opts.force && await imageExists(ref)) {
-      opts.onLog?.(`docker image ${ref} already built \u2014 skipping (use --force to rebuild)`);
-      return {};
+    const fingerprint = await computeDockerContextFingerprint();
+    const prepared = readPreparedDockerState();
+    if (!opts.force) {
+      const exists = await imageExists(ref);
+      if (exists && fingerprint && preparedMatches(prepared, fingerprint.contextSha256)) {
+        opts.onLog?.(
+          `docker image ${ref} up to date (fingerprint ${fingerprint.contextSha256.slice(0, 12)}) \u2014 skipping (use --force to rebuild)`
+        );
+        return {};
+      }
+      if (exists && !fingerprint) {
+        opts.onLog?.(
+          `docker image ${ref} present but build context could not be fingerprinted \u2014 skipping (use --force to rebuild)`
+        );
+        return {};
+      }
     }
     opts.onLog?.(`building docker image ${ref}\u2026`);
     await buildImage({ ref, onProgress: opts.onLog });
-    opts.onLog?.(`docker image ${ref} built`);
+    if (fingerprint) {
+      writePreparedDockerState({ imageRef: ref, contextSha256: fingerprint.contextSha256 });
+      opts.onLog?.(
+        `docker image ${ref} built; recorded fingerprint ${fingerprint.contextSha256.slice(0, 12)}`
+      );
+    } else {
+      opts.onLog?.(`docker image ${ref} built (fingerprint unavailable, prepared state not written)`);
+    }
     return {};
   }
 };
@@ -7028,7 +7736,7 @@ function emptyResult(warnings = []) {
   }, warnings };
 }
 async function tarballFromDir(stageDir, agent) {
-  const tarballPath = join14(tmpdir3(), `agentbox-${agent}-${basename32(stageDir)}.tar.gz`);
+  const tarballPath = join14(tmpdir3(), `agentbox-${agent}-${basename4(stageDir)}.tar.gz`);
   await execa18("tar", ["-czf", tarballPath, "-C", stageDir, "."], {
     env: { ...process.env, COPYFILE_DISABLE: "1" }
   });
@@ -7222,6 +7930,9 @@ async function stageCodexStaticForUpload(opts = {}) {
   }
 }
 async function stageCodexCredentialsForUpload(opts = {}) {
+  if (await pathExists7(CODEX_CREDENTIALS_BACKUP_FILE)) {
+    return stageSingleFileTarball("codex-creds", CODEX_CREDENTIALS_BACKUP_FILE, "auth.json");
+  }
   const hostHome = opts.hostHome ?? homedir11();
   const hostAuth = join14(hostHome, ".codex", "auth.json");
   if (!await pathExists7(hostAuth)) return emptyResult([CODEX_KEYCHAIN_WARNING]);
@@ -7286,11 +7997,20 @@ async function stageOpencodeStaticForUpload(opts = {}) {
   }
 }
 async function stageOpencodeCredentialsForUpload(opts = {}) {
+  if (await pathExists7(OPENCODE_CREDENTIALS_BACKUP_FILE)) {
+    return stageSingleFileTarball("opencode-creds", OPENCODE_CREDENTIALS_BACKUP_FILE, "auth.json");
+  }
   const hostHome = opts.hostHome ?? homedir11();
   const hostAuth = join14(hostHome, ".local", "share", "opencode", "auth.json");
   if (!await pathExists7(hostAuth)) return emptyResult();
   return stageSingleFileTarball("opencode-creds", hostAuth, "auth.json");
 }
+async function stageOpencodeStateForUpload(opts = {}) {
+  const hostHome = opts.hostHome ?? homedir11();
+  const hostModel = join14(hostHome, ".local", "state", "opencode", "model.json");
+  if (!await pathExists7(hostModel)) return emptyResult();
+  return stageSingleFileTarball("opencode-state", hostModel, "model.json");
+}
 function browserSessionActive(stdout, exitCode) {
   return exitCode === 0 && !/no active sessions/i.test(stdout);
 }
@@ -7330,25 +8050,25 @@ export {
   listProjectsConfigured,
   pruneOrphanProjectConfigs,
   bumpProjectGcCounter,
+  BOX_STATUS_EVENT,
   renderStatusTable,
   renderTaskTable,
   renderPortsTable,
-  STATE_DIR2 as STATE_DIR,
-  STATE_FILE,
-  readState,
-  recordBox,
-  removeBoxRecord,
-  findBox,
-  allocateProjectIndex,
-  autoPickProjectBox,
-  resolveBoxRef,
-  detectGitRepos,
-  pickFreshBranch,
-  GitWorktreeError,
+  loadCarrySection,
   DEFAULT_RELAY_PORT,
   RELAY_CONTAINER_NAME,
   RELAY_NETWORK_NAME,
   RELAY_IMAGE_REF,
+  hashRpcParams,
+  GH_PR_OPS,
+  injectPrCreateHead,
+  loadQueueConfig,
+  writeJob,
+  readJob,
+  deleteJob,
+  loadQueue,
+  defaultCountRunningBoxes,
+  queueLogPath,
   resolveAgentLauncher,
   BoxNotFoundError,
   AmbiguousBoxError,
@@ -7390,6 +8110,7 @@ export {
   buildDashboardAttachArgv,
   waitForTmuxPaneContent,
   buildTmuxSessionArgs,
+  buildTmuxConfigShellSnippet,
   buildShellArgv,
   buildClaudeLoginRunArgv,
   runInteractiveClaudeLogin,
@@ -7399,6 +8120,9 @@ export {
   claudeSessionInfo,
   pullClaudeExtras,
   CREDENTIALS_BACKUP_FILE,
+  CODEX_CREDENTIALS_BACKUP_FILE,
+  OPENCODE_CREDENTIALS_BACKUP_FILE,
+  isRealAgentCredential,
   hostBackupHasCredentials,
   parseSyncResult,
   syncClaudeCredentials,
@@ -7422,6 +8146,7 @@ export {
   DEFAULT_OPENCODE_SESSION,
   resolveOpencodeVolume,
   ensureOpencodeVolume,
+  seedOpencodePlugin,
   OPENCODE_FORWARDED_ENV_KEYS,
   buildOpencodeMounts,
   OpencodeSessionError,
@@ -7459,10 +8184,6 @@ export {
   installPortless,
   startPortlessProxy,
   resolvePortlessHostStateDir,
-  DEFAULT_BOX_IMAGE,
-  imageExists,
-  imageInfo,
-  ensureImage,
   EXCLUDE_DIRS,
   SNAPSHOTS_ROOT,
   snapshotPathFor,
@@ -7485,6 +8206,7 @@ export {
   forgetBoxFromRelay,
   setRelayNotice,
   clearRelayNotice,
+  mintHostInitiatedToken,
   rehydrateRelayRegistry,
   IDE_FLAVORS,
   ideProfile,
@@ -7533,6 +8255,8 @@ export {
   allCheckpointImagesBytes,
   agentboxHomeBytes,
   boxResourceStats,
+  uploadToBox,
+  downloadFromBox,
   dockerProvider,
   stageClaudeStaticForUpload,
   stageClaudeCredentialsForUpload,
@@ -7540,7 +8264,8 @@ export {
   stageCodexCredentialsForUpload,
   stageOpencodeStaticForUpload,
   stageOpencodeCredentialsForUpload,
+  stageOpencodeStateForUpload,
   browserSessionActive,
   ensureBoxBrowser
 };
-//# sourceMappingURL=chunk-NAVL4R34.js.map
+//# sourceMappingURL=chunk-NCJP5MTN.js.map