@madarco/agentbox 0.7.0 → 0.9.0

package/runtime/hetzner/ctl.cjs

@@ -3033,10 +3033,16 @@ var require_commander = __commonJS({
   }
 });
 
-// ../relay/dist/chunk-SJUIVWA3.js
-var import_http, import_https, import_promises, BACKOFF_BASE_MS, BACKOFF_MAX_MS, REQUEST_TIMEOUT_MS, FAST_REQUEST_TIMEOUT_MS, FAST_MODE_DECAY_POLLS, STOPPED_TICK_MS, CloudBoxPoller, CloudBoxPollers;
-var init_chunk_SJUIVWA3 = __esm({
-  "../relay/dist/chunk-SJUIVWA3.js"() {
+// ../relay/dist/chunk-YVJLTAM3.js
+function isConnectionLevelError(err) {
+  const code = err?.code;
+  if (code && CONNECTION_LEVEL_CODES.has(code)) return true;
+  const msg = err instanceof Error ? err.message : String(err);
+  return /\b(ECONNREFUSED|ENOTFOUND|EHOSTUNREACH|ECONNRESET|EPIPE)\b/.test(msg);
+}
+var import_http, import_https, import_promises, BACKOFF_BASE_MS, BACKOFF_MAX_MS, REQUEST_TIMEOUT_MS, FAST_REQUEST_TIMEOUT_MS, FAST_MODE_DECAY_POLLS, STOPPED_TICK_MS, CONNECTION_LEVEL_CODES, CloudBoxPoller, CloudBoxPollers;
+var init_chunk_YVJLTAM3 = __esm({
+  "../relay/dist/chunk-YVJLTAM3.js"() {
     "use strict";
     import_http = require("http");
     import_https = require("https");
@@ -3047,9 +3053,17 @@ var init_chunk_SJUIVWA3 = __esm({
     FAST_REQUEST_TIMEOUT_MS = 8e3;
     FAST_MODE_DECAY_POLLS = 5;
     STOPPED_TICK_MS = 250;
+    CONNECTION_LEVEL_CODES = /* @__PURE__ */ new Set([
+      "ECONNREFUSED",
+      "ENOTFOUND",
+      "EHOSTUNREACH",
+      "ECONNRESET",
+      "EPIPE"
+    ]);
     CloudBoxPoller = class {
       constructor(deps) {
         this.deps = deps;
+        this.currentPreviewUrl = deps.previewUrl;
       }
       deps;
       stopped = false;
@@ -3063,6 +3077,15 @@ var init_chunk_SJUIVWA3 = __esm({
        * within ~5 successful round-trips.
        */
       fastModePolls = 0;
+      /**
+       * Mutable copy of `deps.previewUrl`. We don't read `deps.previewUrl`
+       * directly after construction because `recoverPreviewUrl` may hand us a
+       * new URL (e.g. Hetzner reopens its SSH ControlMaster and the `-L`
+       * forward gets a new ephemeral local port).
+       */
+      currentPreviewUrl;
+      /** Guards against recovery storms — at most one recovery attempt in flight. */
+      recovering = null;
       start() {
         if (this.loopPromise) return;
         this.loopPromise = this.run().catch((err) => {
@@ -3079,7 +3102,7 @@ var init_chunk_SJUIVWA3 = __esm({
        * and the in-box agent finally sees the answer.
        */
       async respond(actionId, result) {
-        const base = this.deps.previewUrl.replace(/\/+$/, "");
+        const base = this.currentPreviewUrl.replace(/\/+$/, "");
         const url = new URL(`${base}/bridge/action-result`);
         const isHttps = url.protocol === "https:";
         const transport = isHttps ? import_https.request : import_http.request;
@@ -3169,6 +3192,9 @@ var init_chunk_SJUIVWA3 = __esm({
               this.fastModePolls = FAST_MODE_DECAY_POLLS;
             }
             this.log(`poll error: ${msg}`);
+            if (this.deps.recoverPreviewUrl && isConnectionLevelError(err)) {
+              await this.tryRecoverPreviewUrl();
+            }
             await this.backoff();
           }
           if (this.currentBackoffMs === 0 && this.fastModePolls > 0) {
@@ -3181,8 +3207,33 @@ var init_chunk_SJUIVWA3 = __esm({
         this.currentBackoffMs = this.currentBackoffMs === 0 ? BACKOFF_BASE_MS : Math.min(this.currentBackoffMs * 2, BACKOFF_MAX_MS);
         await (0, import_promises.setTimeout)(this.currentBackoffMs);
       }
+      async tryRecoverPreviewUrl() {
+        if (!this.deps.recoverPreviewUrl) return;
+        if (this.recovering) {
+          await this.recovering;
+          return;
+        }
+        this.recovering = (async () => {
+          try {
+            const next = await this.deps.recoverPreviewUrl();
+            if (typeof next === "string" && next.length > 0 && next !== this.currentPreviewUrl) {
+              this.log(`preview URL recovered: ${this.currentPreviewUrl} \u2192 ${next}`);
+              this.currentPreviewUrl = next;
+              this.currentBackoffMs = 0;
+            } else if (typeof next === "string" && next === this.currentPreviewUrl) {
+              this.log("preview URL recovered (unchanged)");
+              this.currentBackoffMs = 0;
+            }
+          } catch (err) {
+            this.log(`preview URL recover failed: ${err instanceof Error ? err.message : String(err)}`);
+          } finally {
+            this.recovering = null;
+          }
+        })();
+        await this.recovering;
+      }
       async pollOnce() {
-        const base = this.deps.previewUrl.replace(/\/+$/, "");
+        const base = this.currentPreviewUrl.replace(/\/+$/, "");
         const url = new URL(`${base}/bridge/poll?since=${String(this.cursor)}`);
         const isHttps = url.protocol === "https:";
         const transport = isHttps ? import_https.request : import_http.request;
@@ -3750,7 +3801,7 @@ var require_cross_spawn = __commonJS({
     var cp = require("child_process");
     var parse = require_parse();
     var enoent = require_enoent();
-    function spawn9(command, args, options) {
+    function spawn10(command, args, options) {
       const parsed = parse(command, args, options);
       const spawned = cp.spawn(parsed.command, parsed.args, parsed.options);
       enoent.hookChildProcess(spawned, parsed);
@@ -3762,8 +3813,8 @@ var require_cross_spawn = __commonJS({
       result.error = result.error || enoent.verifyENOENTSync(result.status, parsed);
       return result;
     }
-    module2.exports = spawn9;
-    module2.exports.spawn = spawn9;
+    module2.exports = spawn10;
+    module2.exports.spawn = spawn10;
     module2.exports.sync = spawnSync2;
     module2.exports._parse = parse;
     module2.exports._enoent = enoent;
@@ -11097,16 +11148,16 @@ var require_dist = __commonJS({
   }
 });
 
-// ../relay/dist/cloud-poller-ZIWSADJB.js
-var cloud_poller_ZIWSADJB_exports = {};
-__export(cloud_poller_ZIWSADJB_exports, {
+// ../relay/dist/cloud-poller-SUNA6ZQC.js
+var cloud_poller_SUNA6ZQC_exports = {};
+__export(cloud_poller_SUNA6ZQC_exports, {
   CloudBoxPoller: () => CloudBoxPoller,
   CloudBoxPollers: () => CloudBoxPollers
 });
-var init_cloud_poller_ZIWSADJB = __esm({
-  "../relay/dist/cloud-poller-ZIWSADJB.js"() {
+var init_cloud_poller_SUNA6ZQC = __esm({
+  "../relay/dist/cloud-poller-SUNA6ZQC.js"() {
     "use strict";
-    init_chunk_SJUIVWA3();
+    init_chunk_YVJLTAM3();
   }
 });
 
@@ -11231,12 +11282,21 @@ async function claudeSession(opts) {
     sessionName: opts.sessionName
   });
 }
-async function claudeState(opts, state) {
-  return sendOneShot(opts, { op: "claude-state", state });
+async function claudeState(opts, state, payload) {
+  return sendOneShot(opts, {
+    op: "claude-state",
+    state,
+    ...payload?.plan ? { plan: payload.plan } : {},
+    ...payload?.question ? { question: payload.question } : {},
+    ...payload?.clearPending ? { clearPending: true } : {}
+  });
 }
 async function codexState(opts, state) {
   return sendOneShot(opts, { op: "codex-state", state });
 }
+async function opencodeState(opts, state) {
+  return sendOneShot(opts, { op: "opencode-state", state });
+}
 async function logs(opts, args) {
   const sock = await connect(opts);
   sock.write(`${JSON.stringify({ op: "logs", ...args })}
@@ -11291,6 +11351,10 @@ var CLAUDE_ACTIVITY_STATES = [
   "working",
   "idle",
   "waiting",
+  "end-plan",
+  "question",
+  "compacting",
+  "error",
   "unknown"
 ];
 var BOX_STATUS_SCHEMA = 1;
@@ -11324,18 +11388,90 @@ var claudeSessionCommand = new Command("claude-session").description("Report whe
 });
 
 // src/commands/claude-state.ts
-var claudeStateCommand = new Command("claude-state").description("Report Claude activity state to the box supervisor (used by hooks)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).action(async (state, opts) => {
+var claudeStateCommand = new Command("claude-state").description("Report Claude activity state to the box supervisor (used by hooks)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--payload-stdin", "parse Claude Code's hook JSON from stdin (PreToolUse plan/question)").option("--clear-pending", "force-clear a sticky end-plan/question state (PostToolUse cleanup)").action(async (state, opts) => {
   try {
-    if (CLAUDE_ACTIVITY_STATES.includes(state)) {
-      await claudeState(
-        { socketPath: opts.socket, timeoutMs: 1500 },
-        state
-      );
-    }
+    if (!CLAUDE_ACTIVITY_STATES.includes(state)) {
+      process.exit(0);
+    }
+    const typedState = state;
+    const extracted = opts.payloadStdin ? await extractPayload(typedState, await readStdinJson()) : void 0;
+    const payload = { ...extracted ?? {} };
+    if (opts.clearPending) payload.clearPending = true;
+    const hasField = payload.plan !== void 0 || payload.question !== void 0 || payload.clearPending !== void 0;
+    await claudeState(
+      { socketPath: opts.socket, timeoutMs: 1500 },
+      typedState,
+      hasField ? payload : void 0
+    );
   } catch {
   }
   process.exit(0);
 });
+function extractPayload(state, raw) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const tool = raw.tool_input ?? {};
+  const capturedAt = (/* @__PURE__ */ new Date()).toISOString();
+  if (state === "end-plan" && typeof tool.plan === "string") {
+    const plan = { plan: tool.plan, capturedAt };
+    return { plan };
+  }
+  if (state === "question" && Array.isArray(tool.questions)) {
+    const questions = tool.questions.map((q) => normalizeQuestion(q)).filter((q) => q !== null);
+    if (questions.length === 0) return void 0;
+    const question = { questions, capturedAt };
+    return { question };
+  }
+  return void 0;
+}
+function normalizeQuestion(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const q = raw;
+  if (typeof q.question !== "string") return null;
+  const opts = Array.isArray(q.options) ? q.options : [];
+  const options = opts.map((o2) => {
+    if (!o2 || typeof o2 !== "object") return null;
+    const oo = o2;
+    if (typeof oo.label !== "string") return null;
+    const entry = { label: oo.label };
+    if (typeof oo.description === "string") entry.description = oo.description;
+    return entry;
+  }).filter((o2) => o2 !== null);
+  const out = { question: q.question, options };
+  if (typeof q.header === "string") out.header = q.header;
+  if (typeof q.multiSelect === "boolean") out.multiSelect = q.multiSelect;
+  return out;
+}
+function readStdinJson() {
+  return new Promise((resolve2) => {
+    if (process.stdin.isTTY) {
+      resolve2(null);
+      return;
+    }
+    const chunks = [];
+    const cap = setTimeout(() => {
+      process.stdin.removeAllListeners();
+      resolve2(null);
+    }, 1e3);
+    cap.unref();
+    process.stdin.on("data", (b) => chunks.push(b));
+    process.stdin.on("end", () => {
+      clearTimeout(cap);
+      if (chunks.length === 0) {
+        resolve2(null);
+        return;
+      }
+      try {
+        resolve2(JSON.parse(Buffer.concat(chunks).toString("utf8")));
+      } catch {
+        resolve2(null);
+      }
+    });
+    process.stdin.on("error", () => {
+      clearTimeout(cap);
+      resolve2(null);
+    });
+  });
+}
 
 // src/commands/codex-state.ts
 var codexStateCommand = new Command("codex-state").description("Report Codex activity state to the box supervisor (used by hooks)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).action(async (state, opts) => {
@@ -11450,15 +11586,31 @@ var cpCommand = new Command("cp").description("Copy a file/dir between this box
   })
 );
 
+// src/commands/opencode-state.ts
+var opencodeStateCommand = new Command("opencode-state").description("Report OpenCode activity state to the box supervisor (used by the plugin)").argument("<state>", `one of: ${CLAUDE_ACTIVITY_STATES.join(", ")}`).option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).action(async (state, opts) => {
+  try {
+    if (CLAUDE_ACTIVITY_STATES.includes(state)) {
+      await opencodeState(
+        { socketPath: opts.socket, timeoutMs: 1500 },
+        state
+      );
+    }
+  } catch {
+  }
+  process.exit(0);
+});
+
 // ../relay/dist/index.js
-init_chunk_SJUIVWA3();
+init_chunk_YVJLTAM3();
 var import_crypto = require("crypto");
 var import_crypto2 = require("crypto");
 var import_crypto3 = require("crypto");
+var import_crypto4 = require("crypto");
+var import_child_process = require("child_process");
 var import_promises14 = require("fs/promises");
 var import_os3 = require("os");
 var import_path4 = require("path");
-var import_child_process = require("child_process");
+var import_child_process2 = require("child_process");
 var import_http2 = require("http");
 
 // ../../node_modules/.pnpm/is-plain-obj@4.1.0/node_modules/is-plain-obj/index.js
@@ -18284,6 +18436,8 @@ function projectDockerFields(box) {
     webHostPort: box.webHostPort,
     portlessAlias: box.portlessAlias,
     portlessUrl: box.portlessUrl,
+    portlessVncAlias: box.portlessVncAlias,
+    portlessVncUrl: box.portlessVncUrl,
     dockerVolume: box.dockerVolume,
     dockerCacheShared: box.dockerCacheShared,
     checkpointImage: box.checkpointImage
@@ -18315,8 +18469,8 @@ var KEY_REGISTRY = [
   {
     key: "box.provider",
     type: "enum",
-    enumValues: ["docker", "daytona", "hetzner"],
-    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, or Hetzner Cloud VPSes."
+    enumValues: ["docker", "daytona", "hetzner", "vercel"],
+    description: "Sandbox backend new boxes are created on: local Docker containers, Daytona Cloud sandboxes, Hetzner Cloud VPSes, or Vercel Sandboxes."
   },
   {
     key: "box.hostSnapshot",
@@ -18346,6 +18500,12 @@ var KEY_REGISTRY = [
     description: "Per-provider override of `box.defaultCheckpoint` for hetzner. Wins over the global when set; set via `agentbox checkpoint set-default --provider hetzner`.",
     advanced: true
   },
+  {
+    key: "box.defaultCheckpointVercel",
+    type: "string",
+    description: "Per-provider override of `box.defaultCheckpoint` for vercel. Wins over the global when set; set via `agentbox checkpoint set-default --provider vercel`.",
+    advanced: true
+  },
   {
     key: "checkpoint.maxLayers",
     type: "int",
@@ -18414,6 +18574,26 @@ var KEY_REGISTRY = [
     description: "Best-effort writable-layer size for new boxes, e.g. '10G'. No-op on overlay2 / the macOS engines.",
     advanced: true
   },
+  {
+    key: "box.bundleDepth",
+    type: "int",
+    description: "Cap git bundle history shipped to cloud sandboxes (daytona, hetzner). 0 = full history. Unset = adaptive default (last 200 commits; re-bundle at 100 if the bundle exceeds 20 MB). Ignored for docker (which bind-mounts .git/)."
+  },
+  {
+    key: "box.vercelVcpus",
+    type: "int",
+    description: "vCPUs for new --provider vercel boxes (Vercel couples RAM at 2048 MB/vCPU). Default 2. Vercel only accepts specific counts (e.g. 1, 2, 4, 8) \u2014 an unsupported value fails create with a 400. Vercel-only; ignored by other providers."
+  },
+  {
+    key: "box.vercelTimeoutMs",
+    type: "int",
+    description: "Max session length (ms) for new --provider vercel boxes before the VM auto-snapshots; persistent mode auto-resumes on the next call. Default 2700000 (45 min, the Hobby ceiling). Vercel-only."
+  },
+  {
+    key: "box.vercelNetworkPolicy",
+    type: "string",
+    description: "Egress lock for new --provider vercel boxes: 'allow-all' (default, unset), 'deny-all', or a comma-separated domain allowlist (e.g. 'github.com,*.npmjs.org') that denies everything else. Vercel-only; ignored by other providers."
+  },
   {
     key: "claude.sessionName",
     type: "string",
@@ -18521,6 +18701,31 @@ var KEY_REGISTRY = [
     type: "int",
     description: "Minutes a box must be continuously idle (claude state) before it is eligible for auto-pause."
   },
+  {
+    key: "queue.enabled",
+    type: "bool",
+    description: "Run `agentbox claude|codex|opencode -i <prompt>` jobs through the host-wide background queue (FIFO, capped by queue.maxConcurrent)."
+  },
+  {
+    key: "queue.maxConcurrent",
+    type: "int",
+    description: "Max number of simultaneously-running boxes (across providers) before background `-i` jobs queue up instead of starting immediately. Per-invocation override: `--max-running <n>`."
+  },
+  {
+    key: "queue.maxWorking",
+    type: "int",
+    description: "Max agents actively working/thinking (quota-consuming) at once before background `-i` jobs queue. 0 = disabled (use the queue.maxConcurrent running-box gate). Counts all boxes, foreground + queued. Per-invocation override: `--max-working <n>`."
+  },
+  {
+    key: "queue.idleGraceSeconds",
+    type: "int",
+    description: "Seconds an agent must stay non-working before it frees its working slot (debounce against brief idle flaps between turns). Only used when queue.maxWorking > 0."
+  },
+  {
+    key: "cloud.useCurrentBranch",
+    type: "bool",
+    description: "On cloud providers (daytona/hetzner), start new boxes on the host's current branch instead of forking a new agentbox/<box-name> branch. Overridden by an explicit --use-branch / --from-branch."
+  },
   {
     key: "maintenance.pruneProjectConfigs",
     type: "bool",
@@ -18557,7 +18762,8 @@ var PROJECTS_DIR = (0, import_path2.join)(STATE_DIR2, "projects");
 var PROJECT_GC_COUNTER_FILE = (0, import_path3.join)(PROJECTS_DIR, ".gc.json");
 
 // ../relay/dist/index.js
-var DEFAULT_RELAY_PORT = 8787;
+var import_path6 = require("path");
+var DEFAULT_BOX_RELAY_PORT = 8788;
 var RELAY_EVENT_RING_SIZE = 1e3;
 var DEFAULT_HOST_ACTION_MAX_AGE_MS = 15 * 60 * 1e3;
 var HostActionQueue = class {
@@ -18870,6 +19076,254 @@ var BoxNotices = class {
     return this.entries.size;
   }
 };
+var DEFAULT_TTL_MS = 12e4;
+function hashRpcParams(params) {
+  return (0, import_crypto4.createHash)("sha256").update(canonicalJson(params)).digest("hex");
+}
+function canonicalJson(v) {
+  if (v === null) return "null";
+  if (typeof v === "undefined") return "null";
+  if (typeof v === "number") return Number.isFinite(v) ? String(v) : "null";
+  if (typeof v === "boolean") return v ? "true" : "false";
+  if (typeof v === "string") return JSON.stringify(v);
+  if (Array.isArray(v)) return "[" + v.map(canonicalJson).join(",") + "]";
+  if (typeof v === "object") {
+    const entries = Object.entries(v).filter(([k]) => k !== "hostInitiated").filter(([, val]) => val !== void 0).sort(([a2], [b]) => a2 < b ? -1 : a2 > b ? 1 : 0);
+    return "{" + entries.map(([k, val]) => JSON.stringify(k) + ":" + canonicalJson(val)).join(",") + "}";
+  }
+  return "null";
+}
+var HostInitiatedTokens = class {
+  store = /* @__PURE__ */ new Map();
+  /**
+   * Mint a fresh one-time token scoped to (boxId, method, paramsHash).
+   * `paramsHash` MUST be supplied for any call surface where the box can
+   * influence the eventual RPC params. Pass `null` only when there are no
+   * params (no current call sites use this).
+   */
+  mint(boxId, method, paramsHash, ttlMs = DEFAULT_TTL_MS) {
+    const token = (0, import_crypto4.randomBytes)(32).toString("hex");
+    this.store.set(token, { boxId, method, paramsHash, expiresAt: Date.now() + ttlMs });
+    return token;
+  }
+  /**
+   * Returns true exactly once if `token` is a valid, unexpired token for the
+   * given `(boxId, method)` AND the supplied `incomingParamsHash` matches
+   * the hash bound at mint time. The token is removed on a successful match
+   * (one-shot semantics). All failure modes return false — callers fall back
+   * to the normal prompt path.
+   */
+  consume(token, boxId, method, incomingParamsHash) {
+    if (!token || typeof token !== "string") return false;
+    const record = this.store.get(token);
+    if (!record) return false;
+    if (record.expiresAt < Date.now()) {
+      this.store.delete(token);
+      return false;
+    }
+    if (record.boxId !== boxId || record.method !== method) return false;
+    if (record.paramsHash !== null && record.paramsHash !== incomingParamsHash) {
+      return false;
+    }
+    this.store.delete(token);
+    return true;
+  }
+  /** Drop expired entries. Cheap; safe to call periodically. */
+  gc() {
+    const now = Date.now();
+    for (const [token, record] of this.store) {
+      if (record.expiresAt < now) this.store.delete(token);
+    }
+  }
+  /** Test-only: number of live tokens. */
+  size() {
+    return this.store.size;
+  }
+};
+var GH_PR_OPS = [
+  "create",
+  "view",
+  "list",
+  "comment",
+  "review",
+  "merge",
+  "checkout",
+  "close",
+  "reopen"
+];
+function isGhPrOp(value) {
+  return GH_PR_OPS.includes(value);
+}
+var GH_PR_READ_ONLY_OPS = /* @__PURE__ */ new Set(["view", "list"]);
+function injectPrCreateHead(op, branch, args) {
+  if (op !== "create") return args;
+  if (!branch || branch === "HEAD") return args;
+  if (hasHeadArg(args)) return args;
+  return ["--head", branch, ...args];
+}
+function hasHeadArg(args) {
+  return args.some((a2) => a2 === "--head" || a2.startsWith("--head=") || a2.startsWith("-H"));
+}
+function prCreateNeedsHead(op, args) {
+  return op === "create" && !hasHeadArg(args);
+}
+var PR_CREATE_NO_HEAD_REFUSAL = {
+  exitCode: 65,
+  stdout: "",
+  stderr: "gh pr create: refusing to run without --head \u2014 could not resolve this box's branch, and falling back to the host repo's checked-out branch would open a PR for the wrong branch. Ensure the box branch is pushed, or pass --head <branch> explicitly.\n"
+};
+var GH_RPC_TIMEOUT_MS = 12e4;
+var GH_READY_CACHE_TTL_MS = 6e4;
+var ghReadyCache;
+async function assertGhReady() {
+  const now = Date.now();
+  if (ghReadyCache && ghReadyCache.expiresAt > now) {
+    return ghReadyCache.result;
+  }
+  const result = await probeGh();
+  ghReadyCache = { result, expiresAt: now + GH_READY_CACHE_TTL_MS };
+  return result;
+}
+async function probeGh() {
+  const version = await runHostGh(["--version"], process.cwd(), 1e4);
+  if (version.exitCode === 127 || /ENOENT/.test(version.stderr)) {
+    return {
+      exitCode: 127,
+      stdout: "",
+      stderr: "gh not installed on host (https://cli.github.com)\n"
+    };
+  }
+  if (version.exitCode !== 0) {
+    return {
+      exitCode: version.exitCode,
+      stdout: "",
+      stderr: `gh --version failed: ${version.stderr || version.stdout}`.trimEnd() + "\n"
+    };
+  }
+  const auth = await runHostGh(["auth", "status"], process.cwd(), 15e3);
+  if (auth.exitCode !== 0) {
+    return {
+      exitCode: 4,
+      stdout: "",
+      stderr: "gh not authenticated on host (run `gh auth login`)\n"
+    };
+  }
+  return null;
+}
+function runHostGh(args, cwd, timeoutMs = GH_RPC_TIMEOUT_MS) {
+  return new Promise((resolve2) => {
+    const child = (0, import_child_process.spawn)("gh", args, {
+      cwd,
+      env: process.env,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    let settled = false;
+    const finish = (exitCode) => {
+      if (settled) return;
+      settled = true;
+      resolve2({ exitCode, stdout, stderr });
+    };
+    const timer = setTimeout(() => {
+      child.kill("SIGTERM");
+      stderr += `
+relay: gh command timed out after ${String(timeoutMs)}ms
+`;
+      finish(124);
+    }, timeoutMs);
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString("utf8");
+    });
+    child.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+    child.on("error", (err) => {
+      clearTimeout(timer);
+      const code = err.code;
+      stderr += String(err.message ?? err);
+      finish(code === "ENOENT" ? 127 : 1);
+    });
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      finish(code ?? -1);
+    });
+  });
+}
+async function checkoutGuards(hostMainRepo, registeredBranches) {
+  const status2 = await runGitProbe(["-C", hostMainRepo, "status", "--porcelain"]);
+  if (status2.exitCode !== 0) {
+    return {
+      exitCode: status2.exitCode,
+      stdout: "",
+      stderr: `gh pr checkout: failed to inspect host repo: ${status2.stderr || status2.stdout}`.trimEnd() + "\n"
+    };
+  }
+  if (status2.stdout.trim().length > 0) {
+    return {
+      exitCode: 12,
+      stdout: "",
+      stderr: `gh pr checkout: ${hostMainRepo} has uncommitted changes; refusing to switch branches
+`
+    };
+  }
+  const head = await runGitProbe(["-C", hostMainRepo, "rev-parse", "--abbrev-ref", "HEAD"]);
+  if (head.exitCode !== 0) {
+    return {
+      exitCode: head.exitCode,
+      stdout: "",
+      stderr: `gh pr checkout: failed to resolve HEAD: ${head.stderr || head.stdout}`.trimEnd() + "\n"
+    };
+  }
+  const currentBranch = head.stdout.trim();
+  if (registeredBranches.includes(currentBranch)) {
+    return {
+      exitCode: 12,
+      stdout: "",
+      stderr: `gh pr checkout: ${hostMainRepo} is on registered box branch ${currentBranch}; refusing (would corrupt the bind-mounted box HEAD)
+`
+    };
+  }
+  return null;
+}
+function runGitProbe(args) {
+  return new Promise((resolve2) => {
+    const child = (0, import_child_process.spawn)("git", args, { env: process.env, stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (c3) => {
+      stdout += c3.toString("utf8");
+    });
+    child.stderr?.on("data", (c3) => {
+      stderr += c3.toString("utf8");
+    });
+    child.on("error", (err) => {
+      resolve2({ exitCode: 127, stdout, stderr: stderr + String(err.message ?? err) });
+    });
+    child.on("close", (code) => {
+      resolve2({ exitCode: code ?? -1, stdout, stderr });
+    });
+  });
+}
+function refuseMergeBypass(op) {
+  if (op !== "merge") return null;
+  if (process.env["AGENTBOX_PROMPT"] !== "off") return null;
+  if (process.env["AGENTBOX_GH_FORCE"] === "1") return null;
+  return {
+    exitCode: 10,
+    stdout: "",
+    stderr: "gh pr merge: AGENTBOX_PROMPT=off bypass requires AGENTBOX_GH_FORCE=1 (merge is irreversible)\n"
+  };
+}
+function refuseCheckoutByDefault(op) {
+  if (op !== "checkout") return null;
+  if (process.env["AGENTBOX_GH_PR_CHECKOUT"] === "allow") return null;
+  return {
+    exitCode: 13,
+    stdout: "",
+    stderr: "gh pr checkout: disabled by default; set AGENTBOX_GH_PR_CHECKOUT=allow to enable\n"
+  };
+}
 function sanitizeMnemonic(raw) {
   return raw.toLowerCase().replace(/-/g, "_").replace(/[^a-z0-9_]+/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").slice(0, 32) || "unnamed";
 }
@@ -18919,36 +19373,43 @@ var BoxStatusStore = class {
 async function resolveCloudBackend(name) {
   if (name === "daytona") {
     const pkg = "@agentbox/sandbox-daytona";
-    try {
-      const mod = await import(pkg);
-      return mod.daytonaBackend;
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (/cannot find module|MODULE_NOT_FOUND/i.test(msg)) {
-        throw new Error(
-          `relay: cannot load '${pkg}' at runtime \u2014 install it alongside @agentbox/relay (the @madarco/agentbox CLI normally provides this dependency). Original: ${msg}`
-        );
-      }
-      throw err;
-    }
+    return loadCloudBackend(pkg, async () => (await import(pkg)).daytonaBackend);
   }
   if (name === "hetzner") {
     const pkg = "@agentbox/sandbox-hetzner";
-    try {
-      const mod = await import(pkg);
-      return mod.hetznerBackend;
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (/cannot find module|MODULE_NOT_FOUND/i.test(msg)) {
-        throw new Error(
-          `relay: cannot load '${pkg}' at runtime \u2014 install it alongside @agentbox/relay (the @madarco/agentbox CLI normally provides this dependency). Original: ${msg}`
-        );
-      }
-      throw err;
-    }
+    return loadCloudBackend(pkg, async () => (await import(pkg)).hetznerBackend);
+  }
+  if (name === "vercel") {
+    const pkg = "@agentbox/sandbox-vercel";
+    return loadCloudBackend(pkg, async () => (await import(pkg)).vercelBackend);
   }
   throw new Error(`no host executor for cloud backend '${name}'`);
 }
+async function loadCloudBackend(pkg, load2) {
+  try {
+    return await load2();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (/cannot find module|MODULE_NOT_FOUND/i.test(msg)) {
+      throw new Error(
+        `relay: cannot load '${pkg}' at runtime \u2014 install it alongside @agentbox/relay (the @madarco/agentbox CLI normally provides this dependency). Original: ${msg}`
+      );
+    }
+    throw err;
+  }
+}
+async function refreshCloudPreviewUrl(backendName, boxId, port) {
+  try {
+    const backend = await resolveCloudBackend(backendName);
+    if (!backend.refreshPreviewUrl) return null;
+    const lookup = await lookupCloudBox(boxId);
+    const handle = { sandboxId: lookup.cloudSandboxId };
+    const url = await backend.refreshPreviewUrl(handle, port);
+    return url.url;
+  } catch {
+    return null;
+  }
+}
 async function executeCloudAction(action, deps) {
   const log = deps.log ?? (() => {
   });
@@ -18968,6 +19429,17 @@ async function executeCloudAction(action, deps) {
   if (action.method === "browser.open.mirror") {
     return runBrowserOpenMirror(action, deps);
   }
+  if (action.method.startsWith("gh.pr.")) {
+    return runGhPrRpc(action, deps);
+  }
+  if (action.method === "git.clone" || action.method === "gh.repo.clone") {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `${action.method}: not yet implemented (deferred; see docs/plans/gh-and-git-shims-host-only.md). Run \`gh\` / \`git\` on the host directly for now.
+`
+    };
+  }
   return {
     exitCode: 1,
     stdout: "",
@@ -18975,6 +19447,99 @@ async function executeCloudAction(action, deps) {
 `
   };
 }
+async function runGhPrRpc(action, deps) {
+  const op = action.method.slice("gh.pr.".length);
+  if (!isGhPrOp(op)) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `unknown gh.pr.* op: ${op}
+`
+    };
+  }
+  const mergeBypass = refuseMergeBypass(op);
+  if (mergeBypass) return mergeBypass;
+  const checkoutOptIn = refuseCheckoutByDefault(op);
+  if (checkoutOptIn) return checkoutOptIn;
+  const params = action.params ?? {};
+  const args = Array.isArray(params.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const lookup = await lookupCloudBox(deps.boxId);
+  if (op === "checkout") {
+    const guard = await checkoutGuards(lookup.workspacePath, []);
+    if (guard) return guard;
+  }
+  const tokenClaimedGhCloud = typeof params.hostInitiated === "string";
+  const incomingHashGhCloud = hashRpcParams(params);
+  const hostInitiatedGhOk = !GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGhCloud && (deps.hostInitiatedTokens?.consume(
+    params.hostInitiated,
+    deps.boxId,
+    `gh.pr.${op}`,
+    incomingHashGhCloud
+  ) ?? false);
+  if (!GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGhCloud && !hostInitiatedGhOk) {
+    return {
+      exitCode: 10,
+      stdout: "",
+      stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+    };
+  }
+  if (!GH_PR_READ_ONLY_OPS.has(op) && !hostInitiatedGhOk && deps.prompts && deps.subscribers) {
+    const detail = args.join(" ").slice(0, 200);
+    const ctx = {
+      kind: "confirm",
+      message: `Allow gh pr ${op} from cloud box ${deps.boxName ?? deps.boxId}?`,
+      detail,
+      defaultAnswer: "n",
+      context: {
+        command: `gh pr ${op}`,
+        cwd: params.path,
+        argv: args
+      }
+    };
+    const hasSubscriber = deps.subscribers.forBox(deps.boxId).length > 0;
+    if (!hasSubscriber && process.env["AGENTBOX_PROMPT"] !== "off") {
+      const noSubMode = (process.env["AGENTBOX_GH_NO_SUB"] ?? "deny").toLowerCase();
+      if (noSubMode === "deny") {
+        return {
+          exitCode: 10,
+          stdout: "",
+          stderr: "denied automatically \u2014 no attached wrapper to confirm. Attach `agentbox claude` (or similar) and retry, or set AGENTBOX_GH_NO_SUB=allow.\n"
+        };
+      }
+      if (noSubMode === "allow") {
+        deps.log?.(`gh.pr.${op} auto-approved (no subscribers, AGENTBOX_GH_NO_SUB=allow)`);
+      } else {
+        const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx, {
+          ttlMs: 5 * 60 * 1e3
+        });
+        if (verdict.answer !== "y") {
+          return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+        }
+      }
+    } else {
+      const verdict = await askPrompt(deps.prompts, deps.subscribers, deps.boxId, ctx);
+      if (verdict.answer !== "y") {
+        return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+      }
+    }
+  }
+  let finalArgs = args;
+  if (op === "create" && !args.some((a2) => a2 === "--head" || a2.startsWith("--head="))) {
+    const backend = await resolveCloudBackend(deps.backendName);
+    const handle = { sandboxId: lookup.cloudSandboxId };
+    const containerPath = params.path ?? "/workspace";
+    const branchProbe = await backend.exec(
+      handle,
+      `git -C ${shellQuote(containerPath)} rev-parse --abbrev-ref HEAD`
+    );
+    const branch = branchProbe.exitCode === 0 ? (branchProbe.stdout ?? "").trim() : "";
+    finalArgs = injectPrCreateHead(op, branch, args);
+  }
+  if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
+  return runHostGh(["pr", op, ...finalArgs], lookup.workspacePath);
+}
 async function runBrowserOpenMirror(action, deps) {
   const params = action.params ?? {};
   const url = typeof params.url === "string" ? params.url.trim() : "";
@@ -19001,8 +19566,8 @@ async function runBrowserOpenMirror(action, deps) {
       { ttlMs: TTL_MS }
     );
     if (verdict.answer === "y" && !verdict.cancelled) {
-      const { spawn: spawn32 } = await import("child_process");
-      const child = spawn32("open", [url], { stdio: "ignore", detached: true });
+      const { spawn: spawn52 } = await import("child_process");
+      const child = spawn52("open", [url], { stdio: "ignore", detached: true });
       child.unref();
     }
   } catch (err) {
@@ -19173,7 +19738,23 @@ async function runGitRpc(action, deps) {
       stderr: `failed to resolve branch in sandbox ${containerPath}: ${branchProbe.stderr || branch}`
     };
   }
-  if (action.method === "git.push" && deps.prompts && deps.subscribers) {
+  const isAgentboxBranch = branch.startsWith("agentbox/");
+  const tokenClaimedGit = typeof params.hostInitiated === "string";
+  const incomingHashGit = hashRpcParams(params);
+  const hostInitiatedOk = !isAgentboxBranch && tokenClaimedGit && (deps.hostInitiatedTokens?.consume(
+    params.hostInitiated,
+    deps.boxId,
+    "git.push",
+    incomingHashGit
+  ) ?? false);
+  if (action.method === "git.push" && !isAgentboxBranch && tokenClaimedGit && !hostInitiatedOk) {
+    return {
+      exitCode: 10,
+      stdout: "",
+      stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+    };
+  }
+  if (action.method === "git.push" && !isAgentboxBranch && !hostInitiatedOk && deps.prompts && deps.subscribers) {
     const hasSubscriber = deps.subscribers.forBox(deps.boxId).length > 0;
     if (!hasSubscriber && process.env["AGENTBOX_PROMPT"] !== "off") {
       const noSubMode = (process.env["AGENTBOX_GIT_PUSH_NO_SUB"] ?? "deny").toLowerCase();
@@ -19248,10 +19829,45 @@ async function runGitRpc(action, deps) {
         for (const a2 of params.args) if (typeof a2 === "string") argv.push(a2);
       }
       const push = await execa("git", argv, { reject: false });
+      let pushStderr = push.stderr ?? "";
+      if ((push.exitCode ?? 1) === 0 && !branch.startsWith("agentbox/")) {
+        try {
+          const sha = await execa(
+            "git",
+            ["-C", lookup.workspacePath, "rev-parse", branch],
+            { reject: false }
+          );
+          const shaText = (sha.stdout ?? "").trim();
+          if (sha.exitCode === 0 && shaText.length > 0) {
+            const updateRef = await backend.exec(
+              handle,
+              `git -C ${shellQuote(containerPath)} update-ref refs/remotes/${remote2}/${branch} ${shellQuote(shaText)}`
+            );
+            if (updateRef.exitCode !== 0) {
+              pushStderr += `
+relay: post-push in-box update-ref refs/remotes/${remote2}/${branch} failed: ${updateRef.stderr || updateRef.stdout}`;
+            }
+            const setUpstream = await backend.exec(
+              handle,
+              `git -C ${shellQuote(containerPath)} branch --set-upstream-to=${remote2}/${branch} ${shellQuote(branch)}`
+            );
+            if (setUpstream.exitCode !== 0) {
+              pushStderr += `
+relay: post-push in-box --set-upstream-to=${remote2}/${branch} failed: ${setUpstream.stderr || setUpstream.stdout}`;
+            }
+          } else {
+            pushStderr += `
+relay: post-push rev-parse ${branch} failed on host; skipping in-box origin/upstream sync`;
+          }
+        } catch (err) {
+          pushStderr += `
+relay: post-push in-box origin/upstream sync threw: ${err instanceof Error ? err.message : String(err)}`;
+        }
+      }
       return {
         exitCode: push.exitCode ?? 1,
         stdout: push.stdout ?? "",
-        stderr: push.stderr ?? ""
+        stderr: pushStderr
       };
     }
     const remote = params.remote ?? "origin";
@@ -19363,6 +19979,8 @@ function createRelayServer(opts) {
   const prompts = new PendingPrompts();
   const subscribers = new PromptSubscribers();
   const notices = new BoxNotices(subscribers);
+  const hostInitiatedTokens = new HostInitiatedTokens();
+  let queuePoke = null;
   const host = opts.host ?? "0.0.0.0";
   const mode = opts.mode ?? "host";
   const hostActions = mode === "box" ? new HostActionQueue() : null;
@@ -19373,7 +19991,7 @@ function createRelayServer(opts) {
   let pollers = null;
   async function getPollers() {
     if (!pollers) {
-      const mod = await Promise.resolve().then(() => (init_cloud_poller_ZIWSADJB(), cloud_poller_ZIWSADJB_exports));
+      const mod = await Promise.resolve().then(() => (init_cloud_poller_SUNA6ZQC(), cloud_poller_SUNA6ZQC_exports));
       pollers = new mod.CloudBoxPollers();
     }
     return pollers;
@@ -19390,7 +20008,13 @@ function createRelayServer(opts) {
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "relay"}`);
     const route = `${req.method ?? "GET"} ${url.pathname}`;
     if (route === "GET /healthz") {
-      send(res, 200, { ok: true, boxes: registry.size(), events: events.size() });
+      send(res, 200, {
+        ok: true,
+        boxes: registry.size(),
+        events: events.size(),
+        pid: process.pid,
+        cliEntry: Boolean(process.env.AGENTBOX_CLI_ENTRY)
+      });
       return;
     }
     if (url.pathname.startsWith("/bridge/")) {
@@ -19495,21 +20119,36 @@ function createRelayServer(opts) {
       if (body.method === "git.push" || body.method === "git.fetch") {
         if (body.method === "git.push") {
           const params = body.params;
-          const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
-            kind: "confirm",
-            message: `Allow git push from box ${reg.name}?`,
-            detail: `${params?.remote ?? "origin"} ${(params?.args ?? []).join(" ")}`.trim(),
-            defaultAnswer: "n",
-            context: {
-              command: "git push",
-              cwd: params?.path,
-              argv: params?.args
-            }
-          });
-          if (verdict.answer !== "y") {
-            send(res, 500, { exitCode: 10, stdout: "", stderr: "denied by user\n" });
+          const worktree = resolveWorktree(reg, params?.path ?? "/workspace");
+          const isAgentboxBranch = worktree?.branch.startsWith("agentbox/") ?? false;
+          const tokenClaimed = typeof params?.hostInitiated === "string";
+          const incomingHash = hashRpcParams(params);
+          const hostInitiatedOk = !isAgentboxBranch && tokenClaimed && hostInitiatedTokens.consume(params?.hostInitiated, reg.boxId, "git.push", incomingHash);
+          if (!isAgentboxBranch && tokenClaimed && !hostInitiatedOk) {
+            send(res, 500, {
+              exitCode: 10,
+              stdout: "",
+              stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+            });
             return;
           }
+          if (!isAgentboxBranch && !hostInitiatedOk) {
+            const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
+              kind: "confirm",
+              message: `Allow git push from box ${reg.name}?`,
+              detail: `${params?.remote ?? "origin"} ${(params?.args ?? []).join(" ")}`.trim(),
+              defaultAnswer: "n",
+              context: {
+                command: "git push",
+                cwd: params?.path,
+                argv: params?.args
+              }
+            });
+            if (verdict.answer !== "y") {
+              send(res, 500, { exitCode: 10, stdout: "", stderr: "denied by user\n" });
+              return;
+            }
+          }
         }
         const result = await handleGitRpc(reg, body.method, body.params);
         const status2 = result.exitCode === 0 ? 200 : 500;
@@ -19542,6 +20181,33 @@ function createRelayServer(opts) {
         send(res, status2, result);
         return;
       }
+      if (body.method.startsWith("gh.pr.")) {
+        const op = body.method.slice("gh.pr.".length);
+        if (!isGhPrOp(op)) {
+          send(res, 400, { error: `unknown gh.pr.* op: ${op}` });
+          return;
+        }
+        const result = await handleGhPrRpc(
+          op,
+          reg,
+          body.params,
+          prompts,
+          subscribers,
+          hostInitiatedTokens
+        );
+        const status2 = result.exitCode === 0 ? 200 : 500;
+        send(res, status2, result);
+        return;
+      }
+      if (body.method === "git.clone" || body.method === "gh.repo.clone") {
+        send(res, 501, {
+          exitCode: 64,
+          stdout: "",
+          stderr: `${body.method}: not yet implemented (deferred; see docs/plans/gh-and-git-shims-host-only.md). Run \`gh\` / \`git\` on the host directly for now.
+`
+        });
+        return;
+      }
       if (body.method === "download.workspace" || body.method === "download.env" || body.method === "download.config" || body.method === "download.claude") {
         const params = body.params;
         const kind = body.method.split(".")[1] ?? "workspace";
@@ -19678,6 +20344,7 @@ function createRelayServer(opts) {
                   boxName: reg.name,
                   prompts,
                   subscribers,
+                  hostInitiatedTokens,
                   log
                 });
                 await respond(result);
@@ -19690,6 +20357,11 @@ function createRelayServer(opts) {
                 });
               }
             } : void 0,
+            // Self-heal a dead preview transport (hetzner SSH `-L` after a
+            // ControlMaster death). The relay strips the `cloud:` prefix
+            // the cloud-provider tags onto BoxRecord.container — what the
+            // backend's `get(sandboxId)` expects is the bare sandbox id.
+            recoverPreviewUrl: reg.backend ? async () => refreshCloudPreviewUrl(reg.backend, reg.boxId, DEFAULT_BOX_RELAY_PORT) : void 0,
             logger: log
           });
         } catch (err) {
@@ -19804,6 +20476,27 @@ data: {"ts":"${(/* @__PURE__ */ new Date()).toISOString()}"}
       send(res, 204, null);
       return;
     }
+    if (route === "POST /admin/host-initiated/mint") {
+      const body = await readJsonBody(req);
+      if (!body || typeof body.boxId !== "string" || body.boxId.length === 0 || typeof body.method !== "string" || body.method.length === 0) {
+        send(res, 400, { error: "expected {boxId, method, paramsHash, ttlMs?}" });
+        return;
+      }
+      let paramsHash;
+      if (body.paramsHash === null || body.paramsHash === void 0) {
+        paramsHash = null;
+      } else if (typeof body.paramsHash === "string" && /^[0-9a-f]{64}$/.test(body.paramsHash)) {
+        paramsHash = body.paramsHash;
+      } else {
+        send(res, 400, { error: "paramsHash must be a 64-hex sha256 string or null" });
+        return;
+      }
+      const ttlMs = typeof body.ttlMs === "number" && Number.isFinite(body.ttlMs) && body.ttlMs > 0 ? body.ttlMs : void 0;
+      const token = hostInitiatedTokens.mint(body.boxId, body.method, paramsHash, ttlMs);
+      log(`host-initiated-mint box=${body.boxId} method=${body.method} paramsBound=${paramsHash !== null}`);
+      send(res, 200, { token });
+      return;
+    }
     if (route === "POST /admin/notices/set") {
       const body = await readJsonBody(req);
       if (!body || typeof body.boxId !== "string" || body.boxId.length === 0 || typeof body.kind !== "string" || body.kind.length === 0 || typeof body.message !== "string" || body.message.length === 0) {
@@ -19816,6 +20509,17 @@ data: {"ts":"${(/* @__PURE__ */ new Date()).toISOString()}"}
       send(res, 200, { id });
       return;
     }
+    if (route === "POST /admin/queue/enqueue") {
+      const body = await readJsonBody(req);
+      if (!body || typeof body.id !== "string" || body.id.length === 0) {
+        send(res, 400, { error: "expected {id}" });
+        return;
+      }
+      log(`queue-enqueue id=${body.id}`);
+      queuePoke?.();
+      send(res, 204, null);
+      return;
+    }
     if (route === "POST /admin/notices/clear") {
       const body = await readJsonBody(req);
       if (!body || typeof body.id !== "string" || body.id.length === 0) {
@@ -19852,6 +20556,9 @@ data: {"ts":"${(/* @__PURE__ */ new Date()).toISOString()}"}
     notices,
     hostActions: hostActions ?? void 0,
     url: `http://${host}:${String(opts.port)}`,
+    setQueuePoke: (fn) => {
+      queuePoke = fn;
+    },
     close: async () => {
       if (pollers) await pollers.stopAll();
       await new Promise((resolve2, reject) => {
@@ -19903,7 +20610,71 @@ async function handleGitRpc(reg, method, params) {
       if (typeof a2 === "string") argv.push(a2);
     }
   }
-  return runHostCommand(argv);
+  const result = await runHostCommand(argv);
+  if (method === "git.push" && result.exitCode === 0 && !worktree.branch.startsWith("agentbox/")) {
+    await runHostCommand([
+      "git",
+      "-C",
+      worktree.hostMainRepo,
+      "branch",
+      `--set-upstream-to=${remote}/${worktree.branch}`,
+      worktree.branch
+    ]);
+  }
+  return result;
+}
+async function handleGhPrRpc(op, reg, params, prompts, subscribers, hostInitiatedTokens) {
+  const mergeBypass = refuseMergeBypass(op);
+  if (mergeBypass) return mergeBypass;
+  const checkoutOptIn = refuseCheckoutByDefault(op);
+  if (checkoutOptIn) return checkoutOptIn;
+  const containerPath = params?.path ?? "/workspace";
+  const worktree = resolveWorktree(reg, containerPath);
+  if (!worktree) {
+    return {
+      exitCode: 64,
+      stdout: "",
+      stderr: `no worktree registered for box ${reg.boxId} matching ${containerPath}`
+    };
+  }
+  const ghReady = await assertGhReady();
+  if (ghReady) return ghReady;
+  const args = Array.isArray(params?.args) ? params.args.filter((a2) => typeof a2 === "string") : [];
+  if (op === "checkout") {
+    const branches = (reg.worktrees ?? []).map((w) => w.branch);
+    const guard = await checkoutGuards(worktree.hostMainRepo, branches);
+    if (guard) return guard;
+  }
+  const tokenClaimedGh = typeof params?.hostInitiated === "string";
+  const incomingHashGh = hashRpcParams(params);
+  const hostInitiatedOk = !GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGh && hostInitiatedTokens.consume(params?.hostInitiated, reg.boxId, `gh.pr.${op}`, incomingHashGh);
+  if (!GH_PR_READ_ONLY_OPS.has(op) && tokenClaimedGh && !hostInitiatedOk) {
+    return {
+      exitCode: 10,
+      stdout: "",
+      stderr: "host-initiated token rejected: invalid, expired, or bound to different params\n"
+    };
+  }
+  if (!GH_PR_READ_ONLY_OPS.has(op) && !hostInitiatedOk) {
+    const detail = args.join(" ").slice(0, 200);
+    const verdict = await askPrompt(prompts, subscribers, reg.boxId, {
+      kind: "confirm",
+      message: `Allow gh pr ${op} from box ${reg.name}?`,
+      detail,
+      defaultAnswer: "n",
+      context: {
+        command: `gh pr ${op}`,
+        cwd: containerPath,
+        argv: args
+      }
+    });
+    if (verdict.answer !== "y") {
+      return { exitCode: 10, stdout: "", stderr: "denied by user\n" };
+    }
+  }
+  const finalArgs = injectPrCreateHead(op, worktree.branch, args);
+  if (prCreateNeedsHead(op, finalArgs)) return PR_CREATE_NO_HEAD_REFUSAL;
+  return runHostGh(["pr", op, ...finalArgs], worktree.hostMainRepo);
 }
 async function handleCpRpc(reg, method, params) {
   const entry = process.env.AGENTBOX_CLI_ENTRY;
@@ -19964,7 +20735,7 @@ function runHostCommand(argv, timeoutMs = GIT_RPC_TIMEOUT_MS) {
       resolve2({ exitCode: 64, stdout: "", stderr: "empty command" });
       return;
     }
-    const child = (0, import_child_process.spawn)(cmd, rest, {
+    const child = (0, import_child_process2.spawn)(cmd, rest, {
       env: process.env,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -20011,6 +20782,8 @@ async function startRelayServer(opts) {
   });
   return handle;
 }
+var QUEUE_DIR = (0, import_path6.join)(STATE_DIR, "queue");
+var QUEUE_LOGS_DIR = (0, import_path6.join)(STATE_DIR, "logs");
 
 // src/config.ts
 var import_promises16 = require("fs/promises");
@@ -20321,7 +21094,7 @@ function assertBool(raw, where) {
   if (typeof raw !== "boolean") throw new ConfigError(`${where} must be a boolean`);
   return raw;
 }
-var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults"]);
+var TOP_LEVEL_KEYS = /* @__PURE__ */ new Set(["services", "tasks", "ide", "defaults", "carry"]);
 function validateUnitGraph(tasks, services) {
   const names = /* @__PURE__ */ new Set();
   for (const t of tasks) {
@@ -20441,8 +21214,95 @@ function describeCommand(cmd) {
   return Array.isArray(cmd) ? cmd.join(" ") : cmd;
 }
 
-// src/supervisor.ts
+// src/codex-scraper.ts
 var import_node_child_process7 = require("child_process");
+var DEFAULT_INTERVAL_MS = 1e3;
+var DEFAULT_SESSION = "codex";
+var PATTERNS = [
+  // Permission / approval prompts (highest priority — these mean codex is blocked).
+  { re: /Hooks need review|Trust all and continue/i, state: "waiting" },
+  { re: /Do you trust the contents of this directory/i, state: "waiting" },
+  { re: /Allow this command\?|Approve this (command|tool)\?|Press y\/n|\[Y\/n\]/m, state: "waiting" },
+  { re: /Waiting for (your |user )?(response|input|approval|permission)/i, state: "waiting" },
+  // Compaction (codex's `/compact` command and auto-compaction).
+  { re: /Compacting (conversation|context)|Summariz(e|ing) (the )?conversation/i, state: "compacting" },
+  // Failure / fatal-error frames.
+  { re: /\bError:|\bFailed:|^Traceback /m, state: "error" },
+  // Active work signals — pinned to specific codex TUI fragments to avoid
+  // matching every line of english that contains "working" or "running"
+  // (e.g. the directory-trust prompt's "Working with untrusted contents"
+  // warning is NOT a working state).
+  {
+    re: /\b(Thinking\.\.\.|Worked for \d|Streaming response|tool call \w|Running command|Generating response|Reasoning\.\.\.|Editing \w)/m,
+    state: "working"
+  },
+  // Idle: codex shows a status line `gpt-5.5 high · /workspace` (or similar
+  // model · cwd footer) at the bottom of the input prompt when ready for
+  // input. Lower priority than every "busy" pattern above so an in-flight
+  // turn that still shows the footer correctly registers as working.
+  { re: /gpt-\d+(\.\d+)?(-\w+)?\s+(low|medium|high|xhigh)\b|OpenAI Codex \(v\d/i, state: "idle" }
+];
+function startCodexScraper(opts) {
+  const sessionName = opts.sessionName ?? DEFAULT_SESSION;
+  const intervalMs = opts.intervalMs ?? DEFAULT_INTERVAL_MS;
+  const capture = opts.capturePane ?? defaultCapturePane;
+  let lastState = null;
+  let lastSessionPresent = false;
+  let stopped = false;
+  const tick = async () => {
+    if (stopped) return;
+    try {
+      const pane = await capture(sessionName);
+      if (pane === null) {
+        lastSessionPresent = false;
+        return;
+      }
+      if (!lastSessionPresent) {
+        opts.reporter.setCodexState("idle");
+        lastState = "idle";
+        lastSessionPresent = true;
+      }
+      const matched = matchState(pane);
+      if (matched !== null && matched !== lastState) {
+        opts.reporter.setCodexState(matched);
+        lastState = matched;
+      }
+    } catch {
+    }
+  };
+  const timer = setInterval(() => void tick(), intervalMs);
+  timer.unref();
+  void tick();
+  return {
+    stop() {
+      stopped = true;
+      clearInterval(timer);
+    }
+  };
+}
+function matchState(pane) {
+  for (const { re, state } of PATTERNS) {
+    if (re.test(pane)) return state;
+  }
+  return null;
+}
+function defaultCapturePane(sessionName) {
+  return new Promise((resolve2) => {
+    const child = (0, import_node_child_process7.spawn)("tmux", ["capture-pane", "-p", "-t", sessionName], {
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    let stdout = "";
+    child.stdout.on("data", (b) => stdout += b.toString("utf8"));
+    child.on("error", () => resolve2(null));
+    child.on("close", (code) => {
+      if (code === 0) resolve2(stdout);
+      else resolve2(null);
+    });
+  });
+}
+
+// src/supervisor.ts
+var import_node_child_process8 = require("child_process");
 var import_node_events15 = require("events");
 var import_node_fs7 = require("fs");
 var import_promises18 = require("fs/promises");
@@ -20708,7 +21568,7 @@ var cachedLoginPath;
 function loginShellPath() {
   if (cachedLoginPath !== void 0) return cachedLoginPath;
   try {
-    const out = (0, import_node_child_process7.execFileSync)("bash", ["-lc", 'printf %s "$PATH"'], {
+    const out = (0, import_node_child_process8.execFileSync)("bash", ["-lc", 'printf %s "$PATH"'], {
       encoding: "utf8",
       timeout: 5e3
     }).trim();
@@ -20723,7 +21583,7 @@ var ServiceRunner = class extends import_node_events15.EventEmitter {
     super();
     this.spec = spec;
     this.opts = opts;
-    this.spawnFn = opts.spawn ?? import_node_child_process7.spawn;
+    this.spawnFn = opts.spawn ?? import_node_child_process8.spawn;
     this.setTimer = opts.setTimer ?? ((fn, ms) => setTimeout(fn, ms));
     this.clearTimer = opts.clearTimer ?? ((h2) => {
       clearTimeout(h2);
@@ -20954,7 +21814,7 @@ var TaskRunner = class extends import_node_events15.EventEmitter {
     super();
     this.spec = spec;
     this.opts = opts;
-    this.spawnFn = opts.spawn ?? import_node_child_process7.spawn;
+    this.spawnFn = opts.spawn ?? import_node_child_process8.spawn;
   }
   spec;
   opts;
@@ -21502,10 +22362,10 @@ var import_promises19 = require("fs/promises");
 var import_node_path7 = require("path");
 
 // src/status-reporter.ts
-var import_node_child_process9 = require("child_process");
+var import_node_child_process10 = require("child_process");
 
 // src/tmux.ts
-var import_node_child_process8 = require("child_process");
+var import_node_child_process9 = require("child_process");
 var import_node_os4 = require("os");
 var MAX_TITLE_LEN = 120;
 function sanitizePaneTitle(raw, ctx) {
@@ -21519,7 +22379,7 @@ function sanitizePaneTitle(raw, ctx) {
 }
 function runTool(cmd, args) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process8.spawn)(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+    const child = (0, import_node_child_process9.spawn)(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
     child.stdout.on("data", (b) => stdout += b.toString("utf8"));
@@ -21565,8 +22425,12 @@ var StatusReporter = class {
   periodicMs;
   claudeState = "unknown";
   claudeUpdatedAt = null;
+  claudePlan;
+  claudeQuestion;
   codexState = "unknown";
   codexUpdatedAt = null;
+  opencodeState = "unknown";
+  opencodeUpdatedAt = null;
   debounceTimer = null;
   periodicTimer = null;
   onChange = () => this.schedulePush();
@@ -21595,9 +22459,21 @@ var StatusReporter = class {
       this.periodicTimer = null;
     }
   }
-  setClaudeState(state) {
+  setClaudeState(state, payload) {
+    const sticky = this.claudeState === "end-plan" || this.claudeState === "question";
+    if (state === "working" && sticky && !payload?.clearPending) return;
     this.claudeState = state;
     this.claudeUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (payload?.clearPending) {
+      this.claudePlan = void 0;
+      this.claudeQuestion = void 0;
+    }
+    if (state === "end-plan" && payload?.plan) {
+      this.claudePlan = payload.plan;
+    }
+    if (state === "question" && payload?.question) {
+      this.claudeQuestion = payload.question;
+    }
     this.schedulePush();
   }
   setCodexState(state) {
@@ -21605,6 +22481,11 @@ var StatusReporter = class {
     this.codexUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
     this.schedulePush();
   }
+  setOpencodeState(state) {
+    this.opencodeState = state;
+    this.opencodeUpdatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.schedulePush();
+  }
   /** Forced immediate push (used on shutdown). */
   flush() {
     if (this.debounceTimer) {
@@ -21654,7 +22535,9 @@ var StatusReporter = class {
         state: this.claudeState,
         updatedAt: this.claudeUpdatedAt,
         sessionRunning: claudeSession2.running,
-        ...claudeSession2.title ? { sessionTitle: claudeSession2.title } : {}
+        ...claudeSession2.title ? { sessionTitle: claudeSession2.title } : {},
+        ...this.claudePlan ? { plan: this.claudePlan } : {},
+        ...this.claudeQuestion ? { question: this.claudeQuestion } : {}
       }
     };
     if (codexSession.running || this.codexState !== "unknown") {
@@ -21665,9 +22548,11 @@ var StatusReporter = class {
         ...codexSession.title ? { sessionTitle: codexSession.title } : {}
       };
     }
-    if (opencodeSession.running) {
+    if (opencodeSession.running || this.opencodeState !== "unknown") {
       status2.opencode = {
-        sessionRunning: true,
+        state: this.opencodeState,
+        updatedAt: this.opencodeUpdatedAt,
+        sessionRunning: opencodeSession.running,
         ...opencodeSession.title ? { sessionTitle: opencodeSession.title } : {}
       };
     }
@@ -21687,7 +22572,7 @@ async function collectPorts(supervisor) {
 }
 function run(cmd, args) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process9.spawn)(cmd, args, { stdio: ["ignore", "pipe", "ignore"] });
+    const child = (0, import_node_child_process10.spawn)(cmd, args, { stdio: ["ignore", "pipe", "ignore"] });
     let stdout = "";
     child.stdout.on("data", (b) => stdout += b.toString("utf8"));
     child.on("error", () => resolve2({ exitCode: 127, stdout }));
@@ -21844,7 +22729,11 @@ async function handleConnection(sock, opts) {
       if (!CLAUDE_ACTIVITY_STATES.includes(req.state)) {
         writeLine(sock, { ok: false, error: `invalid claude state: ${String(req.state)}` });
       } else {
-        opts.reporter?.setClaudeState(req.state);
+        opts.reporter?.setClaudeState(req.state, {
+          plan: req.plan,
+          question: req.question,
+          clearPending: req.clearPending
+        });
         writeLine(sock, { ok: true, data: "ok" });
       }
       sock.end();
@@ -21860,6 +22749,16 @@ async function handleConnection(sock, opts) {
       sock.end();
       return;
     }
+    case "opencode-state": {
+      if (!CLAUDE_ACTIVITY_STATES.includes(req.state)) {
+        writeLine(sock, { ok: false, error: `invalid opencode state: ${String(req.state)}` });
+      } else {
+        opts.reporter?.setOpencodeState(req.state);
+        writeLine(sock, { ok: true, data: "ok" });
+      }
+      sock.end();
+      return;
+    }
     default: {
       writeLine(sock, { ok: false, error: `unknown op` });
       sock.end();
@@ -21913,7 +22812,85 @@ async function* createLineReader(sock) {
   if (buf.length > 0) yield buf;
 }
 
+// src/box-relay-forwarder.ts
+var import_node_http3 = require("http");
+var ALLOWED_PATHS = /* @__PURE__ */ new Set(["/rpc", "/events"]);
+function startBoxRelayForwarder(opts) {
+  const log = opts.logger ?? (() => {
+  });
+  const upstream = opts.upstream;
+  const upstreamPort = upstream.port.length > 0 ? Number.parseInt(upstream.port, 10) : upstream.protocol === "https:" ? 443 : 80;
+  const server = (0, import_node_http3.createServer)((req, res) => {
+    const path6 = (req.url ?? "").split("?")[0] ?? "";
+    if (req.method !== "POST" || !ALLOWED_PATHS.has(path6)) {
+      res.writeHead(404, { "Content-Type": "text/plain" });
+      res.end("not found");
+      return;
+    }
+    const headers = { ...req.headers };
+    delete headers.host;
+    delete headers.connection;
+    const upstreamReq = (0, import_node_http3.request)(
+      {
+        host: upstream.hostname,
+        port: upstreamPort,
+        method: "POST",
+        path: `${upstream.pathname.replace(/\/$/, "")}${path6}`,
+        headers,
+        // No keep-alive: the relay holds /rpc open for the lifetime of a
+        // host prompt (potentially many seconds). Reusing sockets across
+        // such calls invites mid-stream resets on Node version drift.
+        agent: false
+      },
+      (upstreamRes) => {
+        res.writeHead(upstreamRes.statusCode ?? 502, upstreamRes.headers);
+        upstreamRes.pipe(res);
+      }
+    );
+    upstreamReq.on("error", (err) => {
+      log(`upstream error on ${path6}: ${err.message}`);
+      if (!res.headersSent) {
+        res.writeHead(502, { "Content-Type": "text/plain" });
+      }
+      res.end();
+    });
+    req.on("error", (err) => {
+      log(`client error on ${path6}: ${err.message}`);
+      upstreamReq.destroy();
+    });
+    req.pipe(upstreamReq);
+  });
+  return new Promise((resolve2, reject) => {
+    const onError = (err) => {
+      reject(err);
+    };
+    server.once("error", onError);
+    server.listen(opts.port, "127.0.0.1", () => {
+      server.removeListener("error", onError);
+      resolve2({
+        url: `http://127.0.0.1:${String(opts.port)}`,
+        close: () => new Promise((res) => {
+          server.close(() => res());
+        })
+      });
+    });
+  });
+}
+
 // src/commands/daemon.ts
+function resolveBoxRelayPort() {
+  const raw = process.env.AGENTBOX_BOX_RELAY_PORT;
+  if (raw === void 0 || raw.length === 0) return DEFAULT_BOX_RELAY_PORT;
+  const n2 = Number.parseInt(raw, 10);
+  if (!Number.isFinite(n2) || n2 < 1 || n2 > 65535) {
+    process.stderr.write(
+      `agentbox-ctl: AGENTBOX_BOX_RELAY_PORT=${raw} is not a valid port; falling back to ${String(DEFAULT_BOX_RELAY_PORT)}
+`
+    );
+    return DEFAULT_BOX_RELAY_PORT;
+  }
+  return n2;
+}
 var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supervisor in the foreground").option("--socket <path>", "unix socket path", DEFAULT_SOCKET_PATH).option("--config <path>", "path to agentbox.yaml", DEFAULT_CONFIG_PATH).option("--log-dir <path>", "where per-service log files are written", DEFAULT_LOG_DIR).option("--workspace <path>", "cwd for service processes", "/workspace").action(async (opts) => {
   const cfg = await loadConfig(opts.config);
   const sup = new Supervisor({ workspace: opts.workspace, logDir: opts.logDir });
@@ -21925,6 +22902,14 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
     sessionName: DEFAULT_CLAUDE_SESSION_NAME
   });
   reporter.start();
+  let codexScraper = null;
+  try {
+    codexScraper = startCodexScraper({ reporter });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(`agentbox-ctl: codex scraper failed to start: ${msg}
+`);
+  }
   const server = await startServer({
     socketPath: opts.socket,
     supervisor: sup,
@@ -21938,7 +22923,9 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
     `agentbox-ctl: ${String(cfg.services.length)} service(s), ${String(cfg.tasks.length)} task(s) configured
 `
   );
+  const boxRelayPort = resolveBoxRelayPort();
   let inBoxRelay = null;
+  let inBoxForwarder = null;
   if (process.env.AGENTBOX_BOX_KIND === "cloud") {
     const bridgeToken = process.env.AGENTBOX_BRIDGE_TOKEN ?? "";
     const boxId = process.env.AGENTBOX_BOX_ID ?? "";
@@ -21951,7 +22938,7 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
     } else {
       try {
         inBoxRelay = await startRelayServer({
-          port: DEFAULT_RELAY_PORT,
+          port: boxRelayPort,
           host: "0.0.0.0",
           mode: "box",
           bridgeToken,
@@ -21966,7 +22953,7 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
           registeredAt: (/* @__PURE__ */ new Date()).toISOString()
         });
         process.stdout.write(
-          `agentbox-ctl: in-sandbox relay (mode=box) listening on :${String(DEFAULT_RELAY_PORT)}
+          `agentbox-ctl: in-sandbox relay (mode=box) listening on :${String(boxRelayPort)}
 `
         );
       } catch (err) {
@@ -21975,15 +22962,35 @@ var daemonCommand = new Command("daemon").description("Run the agentbox-ctl supe
 `);
       }
     }
+  } else {
+    const upstreamUrl = process.env.AGENTBOX_HOST_RELAY_URL ?? "http://host.docker.internal:8787";
+    try {
+      inBoxForwarder = await startBoxRelayForwarder({
+        port: boxRelayPort,
+        upstream: new URL(upstreamUrl),
+        logger: (line) => process.stdout.write(`relay(fwd): ${line}
+`)
+      });
+      process.stdout.write(
+        `agentbox-ctl: in-box relay forwarder listening on :${String(boxRelayPort)} -> ${upstreamUrl}
+`
+      );
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`agentbox-ctl: in-box relay forwarder failed to start: ${msg}
+`);
+    }
   }
   const shutdown = async (signal) => {
     process.stdout.write(`agentbox-ctl: ${signal} \u2014 shutting down
 `);
+    if (codexScraper) codexScraper.stop();
     reporter.stop();
     reporter.flush();
     server.close();
     await sup.stopAll();
     if (inBoxRelay) await inBoxRelay.close();
+    if (inBoxForwarder) await inBoxForwarder.close();
     process.exit(0);
   };
   process.on("SIGTERM", () => void shutdown("SIGTERM"));
@@ -22030,17 +23037,95 @@ var checkpointCommand = new Command("checkpoint").description("Capture this box
   }
 );
 
+// src/commands/pr-subcommands.ts
+var PR_SUBCOMMANDS = [
+  {
+    op: "create",
+    description: "Run `gh pr create` on the host (creates a PR for this box's branch). User is prompted on the host wrapper."
+  },
+  { op: "view", description: "Run `gh pr view` on the host (read-only; no prompt)." },
+  { op: "list", description: "Run `gh pr list` on the host (read-only; no prompt)." },
+  { op: "comment", description: "Run `gh pr comment` on the host (prompted; visible to others)." },
+  { op: "review", description: "Run `gh pr review` on the host (prompted; visible to others)." },
+  {
+    op: "merge",
+    description: "Run `gh pr merge` on the host (prompted; destructive \u2014 AGENTBOX_PROMPT=off bypass requires AGENTBOX_GH_FORCE=1)."
+  },
+  {
+    op: "checkout",
+    description: "Run `gh pr checkout` on the host (prompted + clean-tree guard; opt-in via AGENTBOX_GH_PR_CHECKOUT=allow because it switches the host main repo branch)."
+  },
+  { op: "close", description: "Run `gh pr close` on the host (prompted)." },
+  { op: "reopen", description: "Run `gh pr reopen` on the host (prompted)." }
+];
+function buildPrCommand(errorPrefix) {
+  const prCommand = new Command("pr").description(
+    "PR operations via the host `gh` CLI (requires `gh` installed and `gh auth login` on the host)"
+  );
+  for (const spec of PR_SUBCOMMANDS) {
+    prCommand.addCommand(
+      new Command(spec.op).description(spec.description).option("--cwd <path>", "container path identifying which registered worktree to use").addOption(
+        new Option(
+          "--host-initiated-token <token>",
+          "internal: one-time token from the host CLI; skips relay confirm prompt when valid"
+        ).hideHelp()
+      ).allowExcessArguments(true).allowUnknownOption(true).argument(
+        "[args...]",
+        "extra flags forwarded to `gh pr <op>` verbatim (e.g. `--title`, `--body`, `--label`, `--draft`, `--json`)."
+      ).action(async (args, opts) => {
+        const params = { path: opts.cwd ?? process.cwd() };
+        if (args.length > 0) params.args = args;
+        if (opts.hostInitiatedToken) params.hostInitiated = opts.hostInitiatedToken;
+        const code = await postRpcAndExit(`gh.pr.${spec.op}`, params, { errorPrefix });
+        process.exit(code);
+      })
+    );
+  }
+  return prCommand;
+}
+
+// src/commands/gh.ts
+var repoCommand = new Command("repo").description("GitHub repo operations via the host `gh` CLI (host runs `gh repo \u2026` then ships results to the box)").addCommand(
+  new Command("clone").description(
+    "Clone a github repo into the box via host `gh repo clone`. The host clones into a tmpdir with its creds, bundles, and ships the bundle back; the box materialises the working copy and resets origin to the original URL."
+  ).option("--cwd <path>", "container path identifying which registered worktree to use (default: cwd)").option("--branch <name>", "pass --branch <name> to host gh repo clone").option("--depth <n>", "pass --depth <n> to host gh repo clone").argument("<repo>", "github repo: owner/name shorthand or full URL").argument("[dir]", "target directory inside the box (default: derived from repo)").action(
+    async (repo, dir, opts) => {
+      const params = {
+        path: opts.cwd ?? process.cwd(),
+        repo
+      };
+      if (dir) params.targetPath = dir;
+      const extra = [];
+      if (opts.branch) extra.push("--branch", opts.branch);
+      if (opts.depth) extra.push("--depth", opts.depth);
+      if (extra.length > 0) params.args = extra;
+      const code = await postRpcAndExit("gh.repo.clone", params, {
+        errorPrefix: "agentbox-ctl gh repo clone"
+      });
+      process.exit(code);
+    }
+  )
+);
+var ghCommand = new Command("gh").description("GitHub CLI operations routed through the relay (host `gh` runs with host creds; box never sees a token)").addCommand(buildPrCommand("agentbox-ctl gh pr")).addCommand(repoCommand);
+
 // src/commands/git.ts
-var import_node_child_process10 = require("child_process");
+var import_node_child_process11 = require("child_process");
+function hostInitiatedOption() {
+  return new Option(
+    "--host-initiated-token <token>",
+    "internal: one-time token from the host CLI; skips relay confirm prompt when valid"
+  ).hideHelp();
+}
 function buildParams(opts, extra) {
   const params = { path: opts.cwd ?? process.cwd() };
   if (opts.remote) params.remote = opts.remote;
   if (extra.length > 0) params.args = extra;
+  if (opts.hostInitiatedToken) params.hostInitiated = opts.hostInitiatedToken;
   return params;
 }
 function runLocalGit(args, cwd) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process10.spawn)("git", args, { cwd, stdio: "inherit" });
+    const child = (0, import_node_child_process11.spawn)("git", args, { cwd, stdio: "inherit" });
     child.on("close", (code) => resolve2(code ?? 1));
     child.on("error", (err) => {
       process.stderr.write(`agentbox-ctl git: ${String(err.message ?? err)}
@@ -22050,14 +23135,20 @@ function runLocalGit(args, cwd) {
   });
 }
 var gitCommand = new Command("git").description("Git operations that need host credentials (routed through the agentbox relay)").addCommand(
-  new Command("push").description("Run `git push` on the host main repo against this box's branch (user is prompted on the host wrapper to confirm)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument("[args...]", "additional args forwarded to git push").action(async (args, opts) => {
+  new Command("push").description("Run `git push` on the host main repo against this box's branch (user is prompted on the host wrapper to confirm)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
+    "[args...]",
+    "extra flags appended to the host-built `git push <remote> <branch>` (e.g. `--force-with-lease`, `--tags`). Do NOT re-pass the remote or branch \u2014 they are taken from --remote and the registered worktree; appending them as positionals makes git treat them as refspecs and fail with `refs/remotes/origin/HEAD cannot be resolved to branch`. Use --remote to change the remote."
+  ).action(async (args, opts) => {
     const code = await postRpcAndExit("git.push", buildParams(opts, args), {
       errorPrefix: "agentbox-ctl git"
     });
     process.exit(code);
   })
 ).addCommand(
-  new Command("fetch").description("Run `git fetch` on the host main repo (refs land in the shared .git)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").allowExcessArguments(true).allowUnknownOption(true).argument("[args...]", "additional args forwarded to git fetch").action(async (args, opts) => {
+  new Command("fetch").description("Run `git fetch` on the host main repo (refs land in the shared .git)").option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
+    "[args...]",
+    "extra flags appended to the host-built `git fetch <remote> <branch>` (e.g. `--prune`, `--tags`). Do NOT re-pass the remote or branch; they come from --remote and the registered worktree (same gotcha as `push`)."
+  ).action(async (args, opts) => {
     const code = await postRpcAndExit("git.fetch", buildParams(opts, args), {
       errorPrefix: "agentbox-ctl git"
     });
@@ -22066,7 +23157,10 @@ var gitCommand = new Command("git").description("Git operations that need host c
 ).addCommand(
   new Command("pull").description(
     "Fetch via the relay (host creds), then merge into the in-container working tree locally"
-  ).option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").option("--ff-only", "pass --ff-only to the local merge").allowExcessArguments(true).allowUnknownOption(true).argument("[args...]", "additional args forwarded to git fetch").action(
+  ).option("--remote <name>", "remote name (default: origin)").option("--cwd <path>", "container path identifying which registered worktree to use").option("--ff-only", "pass --ff-only to the local merge").addOption(hostInitiatedOption()).allowExcessArguments(true).allowUnknownOption(true).argument(
+    "[args...]",
+    "extra flags appended to the host-built `git fetch <remote> <branch>` (e.g. `--prune`). Do NOT re-pass the remote or branch; they come from --remote and the registered worktree (same gotcha as `push`)."
+  ).action(
     async (args, opts) => {
       const fetchCode = await postRpcAndExit("git.fetch", buildParams(opts, args), {
         errorPrefix: "agentbox-ctl git"
@@ -22081,7 +23175,27 @@ var gitCommand = new Command("git").description("Git operations that need host c
       process.exit(mergeCode);
     }
   )
-);
+).addCommand(
+  new Command("clone").description(
+    "Clone a github repo into the box. Host runs `git clone` with its creds into a tmpdir, bundles, and ships the bundle back; the box materialises the working copy and resets origin to the original URL."
+  ).option("--cwd <path>", "container path identifying which registered worktree to use (default: cwd)").option("--branch <name>", "pass --branch <name> to host git clone").option("--depth <n>", "pass --depth <n> to host git clone").argument("<url>", "github URL or owner/name shorthand").argument("[dir]", "target directory inside the box (default: derived from url)").action(
+    async (url, dir, opts) => {
+      const params = {
+        path: opts.cwd ?? process.cwd(),
+        url
+      };
+      if (dir) params.targetPath = dir;
+      const extra = [];
+      if (opts.branch) extra.push("--branch", opts.branch);
+      if (opts.depth) extra.push("--depth", opts.depth);
+      if (extra.length > 0) params.args = extra;
+      const code = await postRpcAndExit("git.clone", params, {
+        errorPrefix: "agentbox-ctl git clone"
+      });
+      process.exit(code);
+    }
+  )
+).addCommand(buildPrCommand("agentbox-ctl git pr"));
 
 // src/commands/notify.ts
 async function reportState(opts, state) {
@@ -22103,7 +23217,7 @@ var notifyCommand = new Command("notify").description(
 );
 
 // src/commands/open.ts
-var import_node_child_process11 = require("child_process");
+var import_node_child_process12 = require("child_process");
 var OPEN_TIMEOUT_MS = 3e4;
 function isHttpUrl(value) {
   try {
@@ -22115,7 +23229,7 @@ function isHttpUrl(value) {
 }
 function openInBoxBrowser(url) {
   return new Promise((resolve2) => {
-    const child = (0, import_node_child_process11.spawn)("agent-browser", ["open", "--headed", url], { stdio: "inherit" });
+    const child = (0, import_node_child_process12.spawn)("agent-browser", ["open", "--headed", url], { stdio: "inherit" });
     const timer = setTimeout(() => {
       child.kill("SIGTERM");
       process.stderr.write(
@@ -22334,9 +23448,11 @@ program2.addCommand(reloadCommand);
 program2.addCommand(claudeSessionCommand);
 program2.addCommand(claudeStateCommand);
 program2.addCommand(codexStateCommand);
+program2.addCommand(opencodeStateCommand);
 program2.addCommand(waitReadyCommand);
 program2.addCommand(runTaskCommand);
 program2.addCommand(gitCommand);
+program2.addCommand(ghCommand);
 program2.addCommand(checkpointCommand);
 program2.addCommand(cpCommand);
 program2.addCommand(downloadCommand);