@prover-coder-ai/docker-git 1.0.41 → 1.0.42

package/dist/src/docker-git/main.js

@@ -269,6 +269,8 @@ var defaultTemplateConfig = {
 	codexAuthPath: "./.docker-git/.orch/auth/codex",
 	codexSharedAuthPath: "./.docker-git/.orch/auth/codex",
 	codexHome: "/home/dev/.codex",
+	cpuLimit: "30%",
+	ramLimit: "30%",
 	dockerNetworkMode: defaultDockerNetworkMode,
 	dockerSharedNetworkName: defaultDockerSharedNetworkName,
 	enableMcpPlaywright: false,
@@ -1336,6 +1338,8 @@ var TemplateConfigSchema = Schema.Struct({
 	codexAuthPath: Schema.String,
 	codexSharedAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.codexSharedAuthPath }),
 	codexHome: Schema.String,
+	cpuLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.cpuLimit }),
+	ramLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.ramLimit }),
 	dockerNetworkMode: Schema.optionalWith(Schema.Literal("shared", "project"), { default: () => defaultTemplateConfig.dockerNetworkMode }),
 	dockerSharedNetworkName: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.dockerSharedNetworkName }),
 	enableMcpPlaywright: Schema.optionalWith(Schema.Boolean, { default: () => defaultTemplateConfig.enableMcpPlaywright }),
@@ -1506,6 +1510,84 @@ var withProjectIndexAndSsh = (run) => pipe(loadProjectIndex(), Effect.flatMap((i
 	return yield* _(run(index, yield* _(findSshPrivateKey(yield* _(FileSystem.FileSystem), yield* _(Path.Path), process.cwd()))));
 })));
 //#endregion
+//#region ../lib/src/core/resource-limits.ts
+var mebibyte = 1024 ** 2;
+var minimumResolvedCpuLimit = .25;
+var minimumResolvedRamLimitMib = 512;
+var precisionScale = 100;
+var cpuAbsolutePattern = /^\d+(?:\.\d+)?$/u;
+var ramAbsolutePattern = /^\d+(?:\.\d+)?(?:b|k|kb|m|mb|g|gb|t|tb)$/iu;
+var percentPattern = /^\d+(?:\.\d+)?%$/u;
+var normalizePrecision = (value) => Math.round(value * precisionScale) / precisionScale;
+var missingLimit = () => void 0;
+var parsePercent = (candidate) => {
+	if (!percentPattern.test(candidate)) return null;
+	const parsed = Number(candidate.slice(0, -1));
+	if (!Number.isFinite(parsed) || parsed <= 0 || parsed > 100) return null;
+	return normalizePrecision(parsed);
+};
+var percentReason = (kind) => kind === "cpu" ? "expected CPU like 30% or 1.5" : "expected RAM like 30%, 512m or 4g";
+var normalizePercent = (candidate, kind) => {
+	const parsed = parsePercent(candidate);
+	if (parsed === null) return Either.left({
+		_tag: "InvalidOption",
+		option: kind === "cpu" ? "--cpu" : "--ram",
+		reason: percentReason(kind)
+	});
+	return Either.right(`${parsed}%`);
+};
+var normalizeCpuLimit = (value, option) => {
+	const candidate = value?.trim().toLowerCase() ?? "";
+	if (candidate.length === 0) return Either.right(missingLimit());
+	if (candidate.endsWith("%")) return normalizePercent(candidate, "cpu");
+	if (!cpuAbsolutePattern.test(candidate)) return Either.left({
+		_tag: "InvalidOption",
+		option,
+		reason: "expected CPU like 30% or 1.5"
+	});
+	const parsed = Number(candidate);
+	if (!Number.isFinite(parsed) || parsed <= 0) return Either.left({
+		_tag: "InvalidOption",
+		option,
+		reason: "must be greater than 0"
+	});
+	return Either.right(String(normalizePrecision(parsed)));
+};
+var normalizeRamLimit = (value, option) => {
+	const candidate = value?.trim().toLowerCase() ?? "";
+	if (candidate.length === 0) return Either.right(missingLimit());
+	if (candidate.endsWith("%")) return normalizePercent(candidate, "ram");
+	if (!ramAbsolutePattern.test(candidate)) return Either.left({
+		_tag: "InvalidOption",
+		option,
+		reason: "expected RAM like 30%, 512m or 4g"
+	});
+	return Either.right(candidate);
+};
+var withDefaultResourceLimitIntent = (template) => ({
+	...template,
+	cpuLimit: template.cpuLimit ?? "30%",
+	ramLimit: template.ramLimit ?? "30%"
+});
+var resolvePercentCpuLimit = (percent, cpuCount) => Math.max(minimumResolvedCpuLimit, normalizePrecision(Math.max(1, cpuCount) * percent / 100));
+var resolvePercentRamLimit = (percent, totalMemoryBytes) => {
+	const totalMib = Math.max(minimumResolvedRamLimitMib, Math.floor(totalMemoryBytes / mebibyte));
+	return `${Math.max(minimumResolvedRamLimitMib, Math.floor(totalMib * percent / 100))}m`;
+};
+var resolveComposeResourceLimits = (template, hostResources) => {
+	const cpuLimitIntent = template.cpuLimit ?? "30%";
+	const ramLimitIntent = template.ramLimit ?? "30%";
+	const cpuPercent = parsePercent(cpuLimitIntent);
+	const ramPercent = parsePercent(ramLimitIntent);
+	return {
+		cpuLimit: cpuPercent === null ? Number(cpuLimitIntent) : resolvePercentCpuLimit(cpuPercent, hostResources.cpuCount),
+		ramLimit: ramPercent === null ? ramLimitIntent : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+	};
+};
+//#endregion
+//#region ../lib/src/usecases/resource-limits.ts
+var resolveTemplateResourceLimits = (template) => Effect.succeed(withDefaultResourceLimitIntent(template));
+//#endregion
 //#region ../lib/src/usecases/state-repo/env.ts
 var isTruthyEnv = (value) => {
 	const normalized = value.trim().toLowerCase();
@@ -1543,7 +1625,7 @@ var gitExitCode = (cwd, args, env = gitBaseEnv$1) => runCommandExitCode({
 	args,
 	env
 });
-var gitCapture = (cwd, args, env = gitBaseEnv$1) => runCommandCapture({
+var gitCapture$1 = (cwd, args, env = gitBaseEnv$1) => runCommandCapture({
 	cwd,
 	command: "git",
 	args,
@@ -3736,7 +3818,8 @@ var renderAgentModeEnv = (agentMode) => agentMode !== void 0 && agentMode.length
 var renderAgentAutoEnv = (agentAuto) => agentAuto === true ? `      AGENT_AUTO: "1"\n` : "";
 var renderProjectsRootHostMount = (projectsRoot) => `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}`;
 var renderSharedCodexHostMount = (projectsRoot) => `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}/.orch/auth/codex`;
-var buildPlaywrightFragments = (config, networkName) => {
+var renderResourceLimits = (resourceLimits) => resourceLimits === void 0 ? "" : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.ramLimit}"\n`;
+var buildPlaywrightFragments = (config, networkName, resourceLimits) => {
 	if (!config.enableMcpPlaywright) return {
 		maybeDependsOn: "",
 		maybePlaywrightEnv: "",
@@ -3751,11 +3834,11 @@ var buildPlaywrightFragments = (config, networkName) => {
 	return {
 		maybeDependsOn: `    depends_on:\n      - ${browserServiceName}\n`,
 		maybePlaywrightEnv: `      MCP_PLAYWRIGHT_ENABLE: "1"\n      MCP_PLAYWRIGHT_CDP_ENDPOINT: "${browserCdpEndpoint}"\n`,
-		maybeBrowserService: `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
+		maybeBrowserService: `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n${renderResourceLimits(resourceLimits)}    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
 		maybeBrowserVolume: `  ${browserVolumeName}:\n`
 	};
 };
-var buildComposeFragments = (config) => {
+var buildComposeFragments = (config, resourceLimits) => {
 	const networkMode = config.dockerNetworkMode;
 	const networkName = resolveComposeNetworkName(config);
 	const forkRepoUrl = config.forkRepoUrl ?? "";
@@ -3767,7 +3850,7 @@ var buildComposeFragments = (config) => {
 	const maybeClaudeAuthLabelEnv = renderClaudeAuthLabelEnv(claudeAuthLabel);
 	const maybeAgentModeEnv = renderAgentModeEnv(config.agentMode);
 	const maybeAgentAutoEnv = renderAgentAutoEnv(config.agentAuto);
-	const playwright = buildPlaywrightFragments(config, networkName);
+	const playwright = buildPlaywrightFragments(config, networkName, resourceLimits);
 	return {
 		networkMode,
 		networkName,
@@ -3783,7 +3866,7 @@ var buildComposeFragments = (config) => {
 		forkRepoUrl
 	};
 };
-var renderComposeServices = (config, fragments) => `services:
+var renderComposeServices = (config, fragments, resourceLimits) => `services:
   ${config.serviceName}:
     build: .
     container_name: ${config.containerName}
@@ -3802,7 +3885,7 @@ ${fragments.maybePlaywrightEnv}${fragments.maybeDependsOn}    env_file:
       - ${config.envProjectPath}
     ports:
       - "127.0.0.1:${config.sshPort}:22"
-    volumes:
+${renderResourceLimits(resourceLimits)}    volumes:
       - ${config.volumeName}:/home/${config.sshUser}
       - ${renderProjectsRootHostMount(config.dockerGitPath)}:/home/${config.sshUser}/.docker-git
       - ${config.authorizedKeysPath}:/authorized_keys:ro
@@ -3820,10 +3903,10 @@ var renderComposeNetworks = (networkMode, networkName) => networkMode === "share
 var renderComposeVolumes = (config, maybeBrowserVolume) => `volumes:
   ${config.volumeName}:
 ${maybeBrowserVolume}`;
-var renderDockerCompose = (config) => {
-	const fragments = buildComposeFragments(config);
+var renderDockerCompose = (config, resourceLimits) => {
+	const fragments = buildComposeFragments(config, resourceLimits);
 	return [
-		renderComposeServices(config, fragments),
+		renderComposeServices(config, fragments, resourceLimits),
 		renderComposeNetworks(fragments.networkMode, fragments.networkName),
 		renderComposeVolumes(config, fragments.maybeBrowserVolume)
 	].join("\n\n");
@@ -4097,7 +4180,7 @@ var renderConfigJson = (config) => `${JSON.stringify({
 	template: config
 }, null, 2)}
 `;
-var planFiles = (config) => {
+var planFiles = (config, composeResourceLimits) => {
 	const maybePlaywrightFiles = config.enableMcpPlaywright ? [{
 		_tag: "File",
 		relativePath: "Dockerfile.browser",
@@ -4123,7 +4206,7 @@ var planFiles = (config) => {
 		{
 			_tag: "File",
 			relativePath: "docker-compose.yml",
-			contents: renderDockerCompose(config)
+			contents: renderDockerCompose(config, composeResourceLimits)
 		},
 		{
 			_tag: "File",
@@ -4154,6 +4237,20 @@ var planFiles = (config) => {
 //#endregion
 //#region ../lib/src/shell/files.ts
 var ensureParentDir = (path, fs, filePath) => fs.makeDirectory(path.dirname(filePath), { recursive: true });
+var fallbackHostResources = {
+	cpuCount: 1,
+	totalMemoryBytes: 1024 ** 3
+};
+var loadHostResources = () => Effect.tryPromise({
+	try: () => import("node:os").then((os) => ({
+		cpuCount: os.availableParallelism(),
+		totalMemoryBytes: os.totalmem()
+	})),
+	catch: (error) => new Error(String(error))
+}).pipe(Effect.match({
+	onFailure: () => fallbackHostResources,
+	onSuccess: (value) => value
+}));
 var isFileSpec = (spec) => spec._tag === "File";
 var resolveSpecPath = (path, baseDir, spec) => path.join(baseDir, spec.relativePath);
 var writeSpec = (path, fs, baseDir, spec) => {
@@ -4181,7 +4278,8 @@ var failOnExistingFiles = (existingFilePaths, skipExistingFiles) => {
 var writeProjectFiles = (outDir, config, force, skipExistingFiles = false) => Effect.gen(function* (_) {
 	const { fs, path, resolved: baseDir } = yield* _(resolveBaseDir(outDir));
 	yield* _(fs.makeDirectory(baseDir, { recursive: true }));
-	const specs = planFiles(config);
+	const normalizedConfig = withDefaultResourceLimitIntent(config);
+	const specs = planFiles(normalizedConfig, resolveComposeResourceLimits(normalizedConfig, yield* _(loadHostResources())));
 	const created = [];
 	const existingFilePaths = force ? [] : yield* _(collectExistingFilePaths(fs, path, baseDir, specs));
 	const existingSet = new Set(existingFilePaths);
@@ -4301,7 +4399,7 @@ var rebaseOntoOriginIfPossible = (root, baseBranch, env) => Effect.gen(function*
 	return "conflict";
 });
 var pushToNewBranch = (root, baseBranch, originPushTarget, env) => Effect.gen(function* (_) {
-	const headShort = yield* _(gitCapture(root, [
+	const headShort = yield* _(gitCapture$1(root, [
 		"rev-parse",
 		"--short",
 		"HEAD"
@@ -4316,7 +4414,7 @@ var pushToNewBranch = (root, baseBranch, originPushTarget, env) => Effect.gen(fu
 	return branch;
 });
 var resolveBaseBranch = (value) => value === "HEAD" ? "main" : value;
-var getCurrentBranch = (root, env) => gitCapture(root, [
+var getCurrentBranch = (root, env) => gitCapture$1(root, [
 	"rev-parse",
 	"--abbrev-ref",
 	"HEAD"
@@ -4391,7 +4489,7 @@ var stateSync = (message) => Effect.gen(function* (_) {
 			exitCode: originUrlExit
 		})));
 	}
-	const originUrl = yield* _(gitCapture(root, [
+	const originUrl = yield* _(gitCapture$1(root, [
 		"remote",
 		"get-url",
 		"origin"
@@ -4495,7 +4593,7 @@ var stateInit = (input) => Effect.gen(function* (_) {
 	yield* _(Effect.log(`Remote: ${input.repoUrl}`));
 }).pipe(Effect.asVoid);
 var stateStatus = Effect.gen(function* (_) {
-	const output = yield* _(gitCapture(resolveStateRoot(yield* _(Path.Path), process.cwd()), [
+	const output = yield* _(gitCapture$1(resolveStateRoot(yield* _(Path.Path), process.cwd()), [
 		"status",
 		"-sb",
 		"--porcelain=v1"
@@ -4514,7 +4612,7 @@ var statePull = Effect.gen(function* (_) {
 		yield* _(git(root, ["pull", "--rebase"], gitBaseEnv$1));
 		return;
 	}
-	const originUrl = yield* _(gitCapture(root, [
+	const originUrl = yield* _(gitCapture$1(root, [
 		"remote",
 		"get-url",
 		"origin"
@@ -4539,13 +4637,13 @@ var statePush = Effect.gen(function* (_) {
 		], gitBaseEnv$1));
 		return;
 	}
-	const originUrl = yield* _(gitCapture(root, [
+	const originUrl = yield* _(gitCapture$1(root, [
 		"remote",
 		"get-url",
 		"origin"
 	], gitBaseEnv$1).pipe(Effect.map((value) => value.trim())));
 	const token = yield* _(resolveGithubToken(fs, path, root));
-	yield* _(token && token.length > 0 && isGithubHttpsRemote(originUrl) ? withGithubAskpassEnv(token, (env) => pipe(gitCapture(root, [
+	yield* _(token && token.length > 0 && isGithubHttpsRemote(originUrl) ? withGithubAskpassEnv(token, (env) => pipe(gitCapture$1(root, [
 		"rev-parse",
 		"--abbrev-ref",
 		"HEAD"
@@ -5105,18 +5203,18 @@ var ensureAvailableSshPort = (projectDir, config) => Effect.gen(function* (_) {
 });
 var runDockerComposeUpWithPortCheck = (projectDir) => Effect.gen(function* (_) {
 	const config = yield* _(readProjectConfig(projectDir));
-	const updated = (yield* _(runDockerComposePsFormatted(projectDir).pipe(Effect.map((raw) => parseComposePsOutput(raw)), Effect.map((rows) => rows.length > 0)))) ? config.template : yield* _(ensureAvailableSshPort(projectDir, config));
-	yield* _(syncManagedProjectFiles(projectDir, updated));
-	yield* _(ensureComposeNetworkReady(projectDir, updated));
+	const resolvedTemplate = yield* _(resolveTemplateResourceLimits((yield* _(runDockerComposePsFormatted(projectDir).pipe(Effect.map((raw) => parseComposePsOutput(raw)), Effect.map((rows) => rows.length > 0)))) ? config.template : yield* _(ensureAvailableSshPort(projectDir, config))));
+	yield* _(syncManagedProjectFiles(projectDir, resolvedTemplate));
+	yield* _(ensureComposeNetworkReady(projectDir, resolvedTemplate));
 	yield* _(runDockerComposeUp(projectDir));
-	yield* _(ensureClaudeCliReady(projectDir, updated.containerName));
+	yield* _(ensureClaudeCliReady(projectDir, resolvedTemplate.containerName));
 	const ensureBridgeAccess = (containerName) => runDockerInspectContainerBridgeIp(projectDir, containerName).pipe(Effect.flatMap((bridgeIp) => bridgeIp.length > 0 ? Effect.void : runDockerNetworkConnectBridge(projectDir, containerName)), Effect.matchEffect({
 		onFailure: (error) => Effect.logWarning(`Failed to connect ${containerName} to bridge network: ${error instanceof Error ? error.message : String(error)}`),
 		onSuccess: () => Effect.void
 	}));
-	yield* _(ensureBridgeAccess(updated.containerName));
-	if (updated.enableMcpPlaywright) yield* _(ensureBridgeAccess(`${updated.containerName}-browser`));
-	return updated;
+	yield* _(ensureBridgeAccess(resolvedTemplate.containerName));
+	if (resolvedTemplate.enableMcpPlaywright) yield* _(ensureBridgeAccess(`${resolvedTemplate.containerName}-browser`));
+	return resolvedTemplate;
 });
 //#endregion
 //#region ../lib/src/usecases/projects-ssh.ts
@@ -5408,7 +5506,7 @@ var resolveRootedConfig = (command, ctx) => ({
 	codexAuthPath: ctx.resolveRootPath(command.config.codexAuthPath),
 	codexSharedAuthPath: ctx.resolveRootPath(command.config.codexSharedAuthPath)
 });
-var resolveCreateConfig = (command, ctx, resolvedOutDir) => resolveSshPort(resolveRootedConfig(command, ctx), resolvedOutDir).pipe(Effect.flatMap((config) => applyGithubForkConfig(config)));
+var resolveCreateConfig = (command, ctx, resolvedOutDir) => resolveSshPort(resolveRootedConfig(command, ctx), resolvedOutDir).pipe(Effect.flatMap((config) => applyGithubForkConfig(config)), Effect.flatMap((config) => resolveTemplateResourceLimits(config)));
 var logCreatedProject = (resolvedOutDir, createdFiles) => Effect.gen(function* (_) {
 	yield* _(Effect.log(`Created docker-git project in ${resolvedOutDir}`));
 	for (const file of createdFiles) yield* _(Effect.log(`  - ${file}`));
@@ -5524,7 +5622,7 @@ var normalizeAuthLabel = (value) => {
 };
 //#endregion
 //#region ../lib/src/usecases/apply-overrides.ts
-var hasApplyOverrides = (command) => command.gitTokenLabel !== void 0 || command.codexTokenLabel !== void 0 || command.claudeTokenLabel !== void 0 || command.enableMcpPlaywright !== void 0;
+var hasApplyOverrides = (command) => command.gitTokenLabel !== void 0 || command.codexTokenLabel !== void 0 || command.claudeTokenLabel !== void 0 || command.cpuLimit !== void 0 || command.ramLimit !== void 0 || command.enableMcpPlaywright !== void 0;
 var applyTemplateOverrides = (template, command) => {
 	if (command === void 0) return template;
 	let nextTemplate = template;
@@ -5540,6 +5638,14 @@ var applyTemplateOverrides = (template, command) => {
 		...nextTemplate,
 		claudeAuthLabel: normalizeAuthLabel(command.claudeTokenLabel)
 	};
+	if (command.cpuLimit !== void 0) nextTemplate = {
+		...nextTemplate,
+		cpuLimit: command.cpuLimit
+	};
+	if (command.ramLimit !== void 0) nextTemplate = {
+		...nextTemplate,
+		ramLimit: command.ramLimit
+	};
 	if (command.enableMcpPlaywright !== void 0) nextTemplate = {
 		...nextTemplate,
 		enableMcpPlaywright: command.enableMcpPlaywright
@@ -5547,22 +5653,12 @@ var applyTemplateOverrides = (template, command) => {
 	return nextTemplate;
 };
 //#endregion
-//#region ../lib/src/usecases/apply.ts
-var applyProjectFiles = (projectDir, command) => Effect.gen(function* (_) {
-	yield* _(Effect.log(`Applying docker-git config files in ${projectDir}...`));
-	const resolvedTemplate = applyTemplateOverrides((yield* _(readProjectConfig(projectDir))).template, command);
-	yield* _(writeProjectFiles(projectDir, resolvedTemplate, true));
-	yield* _(ensureCodexConfigFile(projectDir, resolvedTemplate.codexAuthPath));
-	yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"));
-	return resolvedTemplate;
-});
+//#region ../lib/src/usecases/apply-project-discovery.ts
 var gitSuccessExitCode = 0;
-var gitBranchDetached = "HEAD";
-var maxLocalConfigSearchDepth = 6;
 var gitBaseEnv = { GIT_TERMINAL_PROMPT: "0" };
 var emptyConfigPaths = () => [];
 var nullProjectCandidate = () => null;
-var nullString = () => null;
+var nullString$1 = () => null;
 var normalizeRepoIdentity = (repoUrl) => {
 	const github = parseGithubRepoUrl(repoUrl);
 	if (github !== null) {
@@ -5630,7 +5726,7 @@ var tryGitCapture = (cwd, args) => {
 			_tag: "ApplyGitCaptureError",
 			code
 		})).pipe(Effect.map((value) => value.trim()), Effect.match({
-			onFailure: nullString,
+			onFailure: nullString$1,
 			onSuccess: (value) => value
 		})) : Effect.succeed(null)
 	}));
@@ -5680,6 +5776,20 @@ var collectRemoteIdentities = (repoRoot) => Effect.gen(function* (_) {
 	}
 	return [...identityMap.values()];
 });
+var gitCapture = tryGitCapture;
+//#endregion
+//#region ../lib/src/usecases/apply.ts
+var applyProjectFiles = (projectDir, command) => Effect.gen(function* (_) {
+	yield* _(Effect.log(`Applying docker-git config files in ${projectDir}...`));
+	const resolvedTemplate = yield* _(resolveTemplateResourceLimits(applyTemplateOverrides((yield* _(readProjectConfig(projectDir))).template, command)));
+	yield* _(writeProjectFiles(projectDir, resolvedTemplate, true));
+	yield* _(ensureCodexConfigFile(projectDir, resolvedTemplate.codexAuthPath));
+	yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"));
+	return resolvedTemplate;
+});
+var gitBranchDetached = "HEAD";
+var maxLocalConfigSearchDepth = 6;
+var nullString = () => null;
 var resolveFromCurrentTree = () => Effect.gen(function* (_) {
 	const { fs, path, resolved } = yield* _(resolveBaseDir("."));
 	const configPath = yield* _(findExistingUpwards(fs, path, resolved, "docker-git.json", maxLocalConfigSearchDepth).pipe(Effect.match({
@@ -5695,11 +5805,11 @@ var normalizeBranch = (branch) => {
 };
 var resolveFromCurrentRepository = () => Effect.gen(function* (_) {
 	const cwd = process.cwd();
-	const repoRoot = yield* _(tryGitCapture(cwd, ["rev-parse", "--show-toplevel"]));
+	const repoRoot = yield* _(gitCapture(cwd, ["rev-parse", "--show-toplevel"]));
 	if (repoRoot === null) return null;
 	const remoteIdentities = yield* _(collectRemoteIdentities(repoRoot));
 	if (remoteIdentities.length === 0) return null;
-	const branch = normalizeBranch(yield* _(tryGitCapture(repoRoot, [
+	const branch = normalizeBranch(yield* _(gitCapture(repoRoot, [
 		"rev-parse",
 		"--abbrev-ref",
 		"HEAD"
@@ -6951,6 +7061,22 @@ var valueOptionSpecByFlag = new Map([
 		flag: "--codex-home",
 		key: "codexHome"
 	},
+	{
+		flag: "--cpu",
+		key: "cpuLimit"
+	},
+	{
+		flag: "--cpus",
+		key: "cpuLimit"
+	},
+	{
+		flag: "--ram",
+		key: "ramLimit"
+	},
+	{
+		flag: "--memory",
+		key: "ramLimit"
+	},
 	{
 		flag: "--network-mode",
 		key: "dockerNetworkMode"
@@ -7127,6 +7253,14 @@ var valueFlagUpdaters = {
 		...raw,
 		codexHome: value
 	}),
+	cpuLimit: (raw, value) => ({
+		...raw,
+		cpuLimit: value
+	}),
+	ramLimit: (raw, value) => ({
+		...raw,
+		ramLimit: value
+	}),
 	dockerNetworkMode: (raw, value) => ({
 		...raw,
 		dockerNetworkMode: value
@@ -7304,15 +7438,22 @@ var parseProjectDirWithOptions = (args, defaultProjectDir = ".") => Either.gen(f
 var parseProjectDirArgs = (args, defaultProjectDir = ".") => Either.map(parseProjectDirWithOptions(args, defaultProjectDir), ({ projectDir }) => ({ projectDir }));
 //#endregion
 //#region src/docker-git/cli/parser-apply.ts
-var parseApply = (args) => Either.map(parseProjectDirWithOptions(args), ({ projectDir, raw }) => ({
-	_tag: "Apply",
-	projectDir,
-	runUp: raw.up ?? true,
-	gitTokenLabel: raw.gitTokenLabel,
-	codexTokenLabel: raw.codexTokenLabel,
-	claudeTokenLabel: raw.claudeTokenLabel,
-	enableMcpPlaywright: raw.enableMcpPlaywright
-}));
+var parseApply = (args) => Either.gen(function* (_) {
+	const { projectDir, raw } = yield* _(parseProjectDirWithOptions(args));
+	const cpuLimit = yield* _(normalizeCpuLimit(raw.cpuLimit, "--cpu"));
+	const ramLimit = yield* _(normalizeRamLimit(raw.ramLimit, "--ram"));
+	return {
+		_tag: "Apply",
+		projectDir,
+		runUp: raw.up ?? true,
+		gitTokenLabel: raw.gitTokenLabel,
+		codexTokenLabel: raw.codexTokenLabel,
+		claudeTokenLabel: raw.claudeTokenLabel,
+		cpuLimit,
+		ramLimit,
+		enableMcpPlaywright: raw.enableMcpPlaywright
+	};
+});
 //#endregion
 //#region src/docker-git/cli/parser-attach.ts
 var parseAttach = (args) => {
@@ -7419,7 +7560,7 @@ var resolveAutoAgentFlags = (raw) => {
 	});
 };
 //#endregion
-//#region ../lib/src/core/command-builders.ts
+//#region ../lib/src/core/command-builders-shared.ts
 var parsePort = (value) => {
 	const parsed = Number(value);
 	if (!Number.isInteger(parsed)) return Either.left({
@@ -7434,6 +7575,7 @@ var parsePort = (value) => {
 	});
 	return Either.right(parsed);
 };
+var parseSshPort = (value) => parsePort(value);
 var parseDockerNetworkMode = (value) => {
 	const candidate = value?.trim() ?? defaultTemplateConfig.dockerNetworkMode;
 	if (isDockerNetworkMode(candidate)) return Either.right(candidate);
@@ -7451,6 +7593,8 @@ var nonEmpty = (option, value, fallback) => {
 	});
 	return Either.right(candidate);
 };
+//#endregion
+//#region ../lib/src/core/command-builders.ts
 var normalizeSecretsRoot = (value) => trimRightChar(value, "/");
 var resolveRepoBasics = (raw) => Either.gen(function* (_) {
 	const resolvedRepo = resolveRepoInput(raw.repoUrl?.trim() ?? "");
@@ -7470,7 +7614,7 @@ var resolveRepoBasics = (raw) => Either.gen(function* (_) {
 		repoRef,
 		targetDir: expandContainerHome(sshUser, yield* _(nonEmpty("--target-dir", raw.targetDir, defaultTemplateConfig.targetDir))),
 		sshUser,
-		sshPort: yield* _(parsePort(raw.sshPort ?? String(defaultTemplateConfig.sshPort)))
+		sshPort: yield* _(parseSshPort(raw.sshPort ?? String(defaultTemplateConfig.sshPort)))
 	};
 });
 var resolveNames = (raw, projectSlug) => Either.gen(function* (_) {
@@ -7525,7 +7669,7 @@ var resolveCreateBehavior = (raw) => ({
 	forceEnv: raw.forceEnv ?? false,
 	enableMcpPlaywright: raw.enableMcpPlaywright ?? false
 });
-var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLabel, dockerNetworkMode, dockerSharedNetworkName, enableMcpPlaywright, gitTokenLabel, names, paths, repo }) => ({
+var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLabel, cpuLimit, dockerNetworkMode, dockerSharedNetworkName, enableMcpPlaywright, gitTokenLabel, names, paths, ramLimit, repo }) => ({
 	containerName: names.containerName,
 	serviceName: names.serviceName,
 	sshUser: repo.sshUser,
@@ -7544,6 +7688,8 @@ var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLab
 	codexAuthPath: paths.codexAuthPath,
 	codexSharedAuthPath: paths.codexSharedAuthPath,
 	codexHome: paths.codexHome,
+	cpuLimit,
+	ramLimit,
 	dockerNetworkMode,
 	dockerSharedNetworkName,
 	enableMcpPlaywright,
@@ -7559,6 +7705,8 @@ var buildCreateCommand = (raw) => Either.gen(function* (_) {
 	const gitTokenLabel = normalizeGitTokenLabel(raw.gitTokenLabel);
 	const codexAuthLabel = normalizeAuthLabel(raw.codexTokenLabel);
 	const claudeAuthLabel = normalizeAuthLabel(raw.claudeTokenLabel);
+	const cpuLimit = yield* _(normalizeCpuLimit(raw.cpuLimit ?? "30%", "--cpu"));
+	const ramLimit = yield* _(normalizeRamLimit(raw.ramLimit ?? "30%", "--ram"));
 	const dockerNetworkMode = yield* _(parseDockerNetworkMode(raw.dockerNetworkMode));
 	const dockerSharedNetworkName = yield* _(nonEmpty("--shared-network", raw.dockerSharedNetworkName, defaultTemplateConfig.dockerSharedNetworkName));
 	const { agentAuto, agentMode } = yield* _(resolveAutoAgentFlags(raw));
@@ -7574,6 +7722,8 @@ var buildCreateCommand = (raw) => Either.gen(function* (_) {
 			repo,
 			names,
 			paths,
+			cpuLimit,
+			ramLimit,
 			dockerNetworkMode,
 			dockerSharedNetworkName,
 			gitTokenLabel,
@@ -7856,6 +8006,8 @@ Options:
   --env-project <path>      Host path to project env file (default: ./.orch/env/project.env)
   --codex-auth <path>       Host path for Codex auth cache (default: <projectsRoot>/.orch/auth/codex)
   --codex-home <path>       Container path for Codex auth (default: /home/dev/.codex)
+  --cpu <value>             CPU limit: percent or cores (examples: 30%, 1.5; default: 30%)
+  --ram <value>             RAM limit: percent or size (examples: 30%, 512m, 4g; default: 30%)
   --network-mode <mode>     Compose network mode: shared|project (default: shared)
   --shared-network <name>   Shared Docker network name when network-mode=shared (default: docker-git-shared)
   --out-dir <path>          Output directory (default: <projectsRoot>/<org>/<repo>[/issue-<id>|/pr-<id>])
@@ -8348,6 +8500,8 @@ var createSteps = [
 	"repoUrl",
 	"repoRef",
 	"outDir",
+	"cpuLimit",
+	"ramLimit",
 	"runUp",
 	"mcpPlaywright",
 	"force"
@@ -8400,15 +8554,38 @@ var menuItems = [
 ];
 //#endregion
 //#region src/docker-git/menu-create.ts
+var optionalCreateArgs = (input) => [
+	{
+		value: input.repoUrl,
+		args: ["--repo-url", input.repoUrl]
+	},
+	{
+		value: input.repoRef,
+		args: ["--repo-ref", input.repoRef]
+	},
+	{
+		value: input.outDir,
+		args: ["--out-dir", input.outDir]
+	},
+	{
+		value: input.cpuLimit,
+		args: ["--cpu", input.cpuLimit]
+	},
+	{
+		value: input.ramLimit,
+		args: ["--ram", input.ramLimit]
+	}
+];
+var booleanCreateFlags = (input) => [
+	input.runUp ? null : "--no-up",
+	input.enableMcpPlaywright ? "--mcp-playwright" : null,
+	input.force ? "--force" : null,
+	input.forceEnv ? "--force-env" : null
+].filter((value) => value !== null);
 var buildCreateArgs = (input) => {
 	const args = ["create"];
-	if (input.repoUrl.length > 0) args.push("--repo-url", input.repoUrl);
-	if (input.repoRef.length > 0) args.push("--repo-ref", input.repoRef);
-	if (input.outDir.length > 0) args.push("--out-dir", input.outDir);
-	if (!input.runUp) args.push("--no-up");
-	if (input.enableMcpPlaywright) args.push("--mcp-playwright");
-	if (input.force) args.push("--force");
-	if (input.forceEnv) args.push("--force-env");
+	for (const spec of optionalCreateArgs(input)) if (spec.value.length > 0) args.push(spec.args[0], spec.args[1]);
+	for (const flag of booleanCreateFlags(input)) args.push(flag);
 	return args;
 };
 var trimLeftSlash = (value) => {
@@ -8441,6 +8618,8 @@ var resolveCreateInputs = (cwd, values) => {
 		repoUrl,
 		repoRef: values.repoRef ?? resolvedRepoRef ?? "main",
 		outDir,
+		cpuLimit: values.cpuLimit ?? "",
+		ramLimit: values.ramLimit ?? "",
 		runUp: values.runUp !== false,
 		enableMcpPlaywright: values.enableMcpPlaywright === true,
 		force: values.force === true,
@@ -8484,6 +8663,12 @@ var applyCreateStep = (input) => Match.value(input.step).pipe(Match.when("repoUr
 }), Match.when("outDir", () => {
 	input.nextValues.outDir = input.buffer.length > 0 ? input.buffer : input.currentDefaults.outDir;
 	return true;
+}), Match.when("cpuLimit", () => {
+	input.nextValues.cpuLimit = input.buffer.length > 0 ? input.buffer : input.currentDefaults.cpuLimit;
+	return true;
+}), Match.when("ramLimit", () => {
+	input.nextValues.ramLimit = input.buffer.length > 0 ? input.buffer : input.currentDefaults.ramLimit;
+	return true;
 }), Match.when("runUp", () => {
 	input.nextValues.runUp = parseYesDefault(input.buffer, input.currentDefaults.runUp);
 	return true;
@@ -10106,7 +10291,7 @@ var renderProjectAuthPrompt = (view, message) => {
 };
 //#endregion
 //#region src/docker-git/menu-render.ts
-var renderStepLabel = (step, defaults) => Match.value(step).pipe(Match.when("repoUrl", () => "Repo URL (optional for empty workspace)"), Match.when("repoRef", () => `Repo ref [${defaults.repoRef}]`), Match.when("outDir", () => `Output dir [${defaults.outDir}]`), Match.when("runUp", () => `Run docker compose up now? [${defaults.runUp ? "Y" : "n"}]`), Match.when("mcpPlaywright", () => `Enable Playwright MCP (Chromium sidecar)? [${defaults.enableMcpPlaywright ? "y" : "N"}]`), Match.when("force", () => `Force recreate (overwrite files + wipe volumes)? [${defaults.force ? "y" : "N"}]`), Match.exhaustive);
+var renderStepLabel = (step, defaults) => Match.value(step).pipe(Match.when("repoUrl", () => "Repo URL (optional for empty workspace)"), Match.when("repoRef", () => `Repo ref [${defaults.repoRef}]`), Match.when("outDir", () => `Output dir [${defaults.outDir}]`), Match.when("cpuLimit", () => `CPU limit [${defaults.cpuLimit || "30%"}]`), Match.when("ramLimit", () => `RAM limit [${defaults.ramLimit || "30%"}]`), Match.when("runUp", () => `Run docker compose up now? [${defaults.runUp ? "Y" : "n"}]`), Match.when("mcpPlaywright", () => `Enable Playwright MCP (Chromium sidecar)? [${defaults.enableMcpPlaywright ? "y" : "N"}]`), Match.when("force", () => `Force recreate (overwrite files + wipe volumes)? [${defaults.force ? "y" : "N"}]`), Match.exhaustive);
 var compactElements = (items) => items.filter((item) => item !== null);
 var renderMenuHints = (el) => el(Box, {
 	marginTop: 1,