@prover-coder-ai/docker-git 1.0.41 → 1.0.43

package/dist/src/docker-git/main.js

@@ -269,6 +269,8 @@ var defaultTemplateConfig = {
 	codexAuthPath: "./.docker-git/.orch/auth/codex",
 	codexSharedAuthPath: "./.docker-git/.orch/auth/codex",
 	codexHome: "/home/dev/.codex",
+	cpuLimit: "30%",
+	ramLimit: "30%",
 	dockerNetworkMode: defaultDockerNetworkMode,
 	dockerSharedNetworkName: defaultDockerSharedNetworkName,
 	enableMcpPlaywright: false,
@@ -1209,6 +1211,38 @@ var ensureGhAuthImage = (fs, path, cwd, buildLabel) => ensureDockerImage(fs, pat
 	buildLabel
 });
 //#endregion
+//#region ../lib/src/usecases/github-api-helpers.ts
+/**
+* Run `gh api <args>` inside the auth Docker container and return trimmed stdout.
+*
+* @pure false
+* @effect CommandExecutor (Docker)
+* @invariant exits with CommandFailedError on non-zero exit code
+* @complexity O(1)
+*/
+var runGhApiCapture = (cwd, hostPath, token, args) => runDockerAuthCapture(buildDockerAuthSpec({
+	cwd,
+	image: ghImageName,
+	hostPath,
+	containerPath: ghAuthDir,
+	env: `GH_TOKEN=${token}`,
+	args: ["api", ...args],
+	interactive: false
+}), [0], (exitCode) => new CommandFailedError({
+	command: `gh api ${args.join(" ")}`,
+	exitCode
+})).pipe(Effect.map((raw) => raw.trim()));
+/**
+* Like `runGhApiCapture` but returns `null` instead of failing on API errors
+* (e.g. HTTP 404 / non-zero exit code).
+*
+* @pure false
+* @effect CommandExecutor (Docker)
+* @invariant never fails — errors become null
+* @complexity O(1)
+*/
+var runGhApiNullable = (cwd, hostPath, token, args) => runGhApiCapture(cwd, hostPath, token, args).pipe(Effect.catchTag("CommandFailedError", () => Effect.succeed("")), Effect.map((raw) => raw.length === 0 ? null : raw));
+//#endregion
 //#region ../lib/src/usecases/runtime.ts
 var withFsPathContext = (run) => Effect.gen(function* (_) {
 	return yield* _(run({
@@ -1226,20 +1260,7 @@ var resolveGithubToken$1 = (envText) => {
 	const labeled = entries.find((entry) => entry.key.startsWith("GITHUB_TOKEN__"));
 	return labeled && labeled.value.trim().length > 0 ? labeled.value.trim() : null;
 };
-var runGhApiCapture = (cwd, hostPath, token, args) => runDockerAuthCapture(buildDockerAuthSpec({
-	cwd,
-	image: ghImageName,
-	hostPath,
-	containerPath: ghAuthDir,
-	env: `GH_TOKEN=${token}`,
-	args: ["api", ...args],
-	interactive: false
-}), [0], (exitCode) => new CommandFailedError({
-	command: `gh api ${args.join(" ")}`,
-	exitCode
-})).pipe(Effect.map((raw) => raw.trim()));
-var runGhApiCloneUrl = (cwd, hostPath, token, args) => runGhApiCapture(cwd, hostPath, token, args).pipe(Effect.catchTag("CommandFailedError", () => Effect.succeed("")), Effect.map((raw) => raw.length === 0 ? null : raw));
-var resolveViewerLogin = (cwd, hostPath, token) => Effect.gen(function* (_) {
+var resolveViewerLogin$1 = (cwd, hostPath, token) => Effect.gen(function* (_) {
 	const command = "gh api /user --jq .login";
 	const raw = yield* _(runGhApiCapture(cwd, hostPath, token, [
 		"/user",
@@ -1252,12 +1273,12 @@ var resolveViewerLogin = (cwd, hostPath, token) => Effect.gen(function* (_) {
 	})));
 	return raw;
 });
-var resolveRepoCloneUrl = (cwd, hostPath, token, fullName) => runGhApiCloneUrl(cwd, hostPath, token, [
+var resolveRepoCloneUrl = (cwd, hostPath, token, fullName) => runGhApiNullable(cwd, hostPath, token, [
 	`/repos/${fullName}`,
 	"--jq",
 	".clone_url"
 ]);
-var createFork = (cwd, hostPath, token, owner, repo) => runGhApiCloneUrl(cwd, hostPath, token, [
+var createFork = (cwd, hostPath, token, owner, repo) => runGhApiNullable(cwd, hostPath, token, [
 	"-X",
 	"POST",
 	`/repos/${owner}/${repo}/forks`,
@@ -1275,7 +1296,7 @@ var resolveGithubForkUrl = (repoUrl, envGlobalPath) => withFsPathContext(({ cwd,
 	const ghRoot = resolvePathFromCwd(path, cwd, ghAuthRoot);
 	yield* _(fs.makeDirectory(ghRoot, { recursive: true }));
 	yield* _(ensureGhAuthImage(fs, path, cwd, "gh api"));
-	const viewer = yield* _(resolveViewerLogin(cwd, ghRoot, token));
+	const viewer = yield* _(resolveViewerLogin$1(cwd, ghRoot, token));
 	if (viewer.toLowerCase() === repo.owner.toLowerCase()) return null;
 	const existingFork = yield* _(resolveRepoCloneUrl(cwd, ghRoot, token, `${viewer}/${repo.repo}`));
 	if (existingFork !== null) return existingFork;
@@ -1336,6 +1357,8 @@ var TemplateConfigSchema = Schema.Struct({
 	codexAuthPath: Schema.String,
 	codexSharedAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.codexSharedAuthPath }),
 	codexHome: Schema.String,
+	cpuLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.cpuLimit }),
+	ramLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.ramLimit }),
 	dockerNetworkMode: Schema.optionalWith(Schema.Literal("shared", "project"), { default: () => defaultTemplateConfig.dockerNetworkMode }),
 	dockerSharedNetworkName: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.dockerSharedNetworkName }),
 	enableMcpPlaywright: Schema.optionalWith(Schema.Boolean, { default: () => defaultTemplateConfig.enableMcpPlaywright }),
@@ -1506,28 +1529,93 @@ var withProjectIndexAndSsh = (run) => pipe(loadProjectIndex(), Effect.flatMap((i
 	return yield* _(run(index, yield* _(findSshPrivateKey(yield* _(FileSystem.FileSystem), yield* _(Path.Path), process.cwd()))));
 })));
 //#endregion
-//#region ../lib/src/usecases/state-repo/env.ts
-var isTruthyEnv = (value) => {
-	const normalized = value.trim().toLowerCase();
-	return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+//#region ../lib/src/core/resource-limits.ts
+var mebibyte = 1024 ** 2;
+var minimumResolvedCpuLimit = .25;
+var minimumResolvedRamLimitMib = 512;
+var precisionScale = 100;
+var cpuAbsolutePattern = /^\d+(?:\.\d+)?$/u;
+var ramAbsolutePattern = /^\d+(?:\.\d+)?(?:b|k|kb|m|mb|g|gb|t|tb)$/iu;
+var percentPattern = /^\d+(?:\.\d+)?%$/u;
+var normalizePrecision = (value) => Math.round(value * precisionScale) / precisionScale;
+var missingLimit = () => void 0;
+var parsePercent = (candidate) => {
+	if (!percentPattern.test(candidate)) return null;
+	const parsed = Number(candidate.slice(0, -1));
+	if (!Number.isFinite(parsed) || parsed <= 0 || parsed > 100) return null;
+	return normalizePrecision(parsed);
+};
+var percentReason = (kind) => kind === "cpu" ? "expected CPU like 30% or 1.5" : "expected RAM like 30%, 512m or 4g";
+var normalizePercent = (candidate, kind) => {
+	const parsed = parsePercent(candidate);
+	if (parsed === null) return Either.left({
+		_tag: "InvalidOption",
+		option: kind === "cpu" ? "--cpu" : "--ram",
+		reason: percentReason(kind)
+	});
+	return Either.right(`${parsed}%`);
 };
-var isFalsyEnv = (value) => {
-	const normalized = value.trim().toLowerCase();
-	return normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off";
+var normalizeCpuLimit = (value, option) => {
+	const candidate = value?.trim().toLowerCase() ?? "";
+	if (candidate.length === 0) return Either.right(missingLimit());
+	if (candidate.endsWith("%")) return normalizePercent(candidate, "cpu");
+	if (!cpuAbsolutePattern.test(candidate)) return Either.left({
+		_tag: "InvalidOption",
+		option,
+		reason: "expected CPU like 30% or 1.5"
+	});
+	const parsed = Number(candidate);
+	if (!Number.isFinite(parsed) || parsed <= 0) return Either.left({
+		_tag: "InvalidOption",
+		option,
+		reason: "must be greater than 0"
+	});
+	return Either.right(String(normalizePrecision(parsed)));
 };
-var autoSyncStrictEnvKey = "DOCKER_GIT_STATE_AUTO_SYNC_STRICT";
-var defaultSyncMessage = "chore(state): sync";
-var isAutoSyncEnabled = (envValue, hasRemote) => {
-	if (envValue === void 0) return hasRemote;
-	if (envValue.trim().length === 0) return hasRemote;
-	if (isFalsyEnv(envValue)) return false;
-	if (isTruthyEnv(envValue)) return true;
-	return true;
+var normalizeRamLimit = (value, option) => {
+	const candidate = value?.trim().toLowerCase() ?? "";
+	if (candidate.length === 0) return Either.right(missingLimit());
+	if (candidate.endsWith("%")) return normalizePercent(candidate, "ram");
+	if (!ramAbsolutePattern.test(candidate)) return Either.left({
+		_tag: "InvalidOption",
+		option,
+		reason: "expected RAM like 30%, 512m or 4g"
+	});
+	return Either.right(candidate);
+};
+var withDefaultResourceLimitIntent = (template) => ({
+	...template,
+	cpuLimit: template.cpuLimit ?? "30%",
+	ramLimit: template.ramLimit ?? "30%"
+});
+var resolvePercentCpuLimit = (percent, cpuCount) => Math.max(minimumResolvedCpuLimit, normalizePrecision(Math.max(1, cpuCount) * percent / 100));
+var resolvePercentRamLimit = (percent, totalMemoryBytes) => {
+	const totalMib = Math.max(minimumResolvedRamLimitMib, Math.floor(totalMemoryBytes / mebibyte));
+	return `${Math.max(minimumResolvedRamLimitMib, Math.floor(totalMib * percent / 100))}m`;
+};
+var resolveComposeResourceLimits = (template, hostResources) => {
+	const cpuLimitIntent = template.cpuLimit ?? "30%";
+	const ramLimitIntent = template.ramLimit ?? "30%";
+	const cpuPercent = parsePercent(cpuLimitIntent);
+	const ramPercent = parsePercent(ramLimitIntent);
+	return {
+		cpuLimit: cpuPercent === null ? Number(cpuLimitIntent) : resolvePercentCpuLimit(cpuPercent, hostResources.cpuCount),
+		ramLimit: ramPercent === null ? ramLimitIntent : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+	};
 };
 //#endregion
+//#region ../lib/src/usecases/resource-limits.ts
+var resolveTemplateResourceLimits = (template) => Effect.succeed(withDefaultResourceLimitIntent(template));
+//#endregion
 //#region ../lib/src/usecases/state-repo/git-commands.ts
 var successExitCode = Number(ExitCode(0));
-var gitBaseEnv$1 = { GIT_TERMINAL_PROMPT: "0" };
+var gitBaseEnv$1 = {
+	GIT_TERMINAL_PROMPT: "0",
+	GIT_AUTHOR_NAME: "docker-git",
+	GIT_AUTHOR_EMAIL: "docker-git@users.noreply.github.com",
+	GIT_COMMITTER_NAME: "docker-git",
+	GIT_COMMITTER_EMAIL: "docker-git@users.noreply.github.com"
+};
 var git = (cwd, args, env = gitBaseEnv$1) => runCommandWithExitCodes({
 	cwd,
 	command: "git",
@@ -1543,7 +1631,7 @@ var gitExitCode = (cwd, args, env = gitBaseEnv$1) => runCommandExitCode({
 	args,
 	env
 });
-var gitCapture = (cwd, args, env = gitBaseEnv$1) => runCommandCapture({
+var gitCapture$1 = (cwd, args, env = gitBaseEnv$1) => runCommandCapture({
 	cwd,
 	command: "git",
 	args,
@@ -1559,6 +1647,68 @@ var hasOriginRemote = (root) => Effect.map(gitExitCode(root, [
 	"origin"
 ]), (exit) => exit === successExitCode);
 //#endregion
+//#region ../lib/src/usecases/state-repo/adopt-remote.ts
+var adoptRemoteHistoryIfOrphan = (root, repoRef, env) => Effect.gen(function* (_) {
+	const fetchExit = yield* _(gitExitCode(root, [
+		"fetch",
+		"origin",
+		repoRef
+	], env));
+	if (fetchExit !== successExitCode) {
+		yield* _(Effect.logWarning(`git fetch origin ${repoRef} failed (exit ${fetchExit}); starting fresh history`));
+		return;
+	}
+	const remoteRef = `origin/${repoRef}`;
+	if ((yield* _(gitExitCode(root, [
+		"show-ref",
+		"--verify",
+		"--quiet",
+		`refs/remotes/${remoteRef}`
+	], env))) !== successExitCode) return;
+	if ((yield* _(gitExitCode(root, ["rev-parse", "HEAD"], env))) !== successExitCode) {
+		yield* _(git(root, ["reset", remoteRef], env));
+		yield* _(gitExitCode(root, ["checkout-index", "--all"], env));
+		yield* _(Effect.log(`Adopted remote history from ${remoteRef}`));
+		return;
+	}
+	if ((yield* _(gitExitCode(root, [
+		"merge-base",
+		"HEAD",
+		remoteRef
+	], env))) === successExitCode) return;
+	yield* _(Effect.logWarning(`Local history has no common ancestor with ${remoteRef}; merging unrelated histories`));
+	if ((yield* _(gitExitCode(root, [
+		"merge",
+		"--allow-unrelated-histories",
+		"--no-edit",
+		remoteRef
+	], env))) === successExitCode) {
+		yield* _(Effect.log(`Merged unrelated histories from ${remoteRef}`));
+		return;
+	}
+	yield* _(gitExitCode(root, ["merge", "--abort"], env));
+	yield* _(Effect.logWarning(`Merge conflict with ${remoteRef}; sync will open a PR for manual resolution`));
+});
+//#endregion
+//#region ../lib/src/usecases/state-repo/env.ts
+var isTruthyEnv = (value) => {
+	const normalized = value.trim().toLowerCase();
+	return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+};
+var isFalsyEnv = (value) => {
+	const normalized = value.trim().toLowerCase();
+	return normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off";
+};
+var autoSyncStrictEnvKey = "DOCKER_GIT_STATE_AUTO_SYNC_STRICT";
+var defaultSyncMessage = "chore(state): sync";
+var isAutoSyncEnabled = (envValue, hasRemote) => {
+	if (envValue === void 0) return hasRemote;
+	if (envValue.trim().length === 0) return hasRemote;
+	if (isFalsyEnv(envValue)) return false;
+	if (isTruthyEnv(envValue)) return true;
+	return true;
+};
+//#endregion
 //#region ../lib/src/usecases/state-repo/github-auth.ts
 var githubTokenKey = "GITHUB_TOKEN";
 var githubHttpsRemoteRe = /^https:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?$/;
@@ -3736,7 +3886,8 @@ var renderAgentModeEnv = (agentMode) => agentMode !== void 0 && agentMode.length
 var renderAgentAutoEnv = (agentAuto) => agentAuto === true ? `      AGENT_AUTO: "1"\n` : "";
 var renderProjectsRootHostMount = (projectsRoot) => `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}`;
 var renderSharedCodexHostMount = (projectsRoot) => `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}/.orch/auth/codex`;
-var buildPlaywrightFragments = (config, networkName) => {
+var renderResourceLimits = (resourceLimits) => resourceLimits === void 0 ? "" : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.ramLimit}"\n`;
+var buildPlaywrightFragments = (config, networkName, resourceLimits) => {
 	if (!config.enableMcpPlaywright) return {
 		maybeDependsOn: "",
 		maybePlaywrightEnv: "",
@@ -3751,11 +3902,11 @@ var buildPlaywrightFragments = (config, networkName) => {
 	return {
 		maybeDependsOn: `    depends_on:\n      - ${browserServiceName}\n`,
 		maybePlaywrightEnv: `      MCP_PLAYWRIGHT_ENABLE: "1"\n      MCP_PLAYWRIGHT_CDP_ENDPOINT: "${browserCdpEndpoint}"\n`,
-		maybeBrowserService: `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
+		maybeBrowserService: `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n${renderResourceLimits(resourceLimits)}    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
 		maybeBrowserVolume: `  ${browserVolumeName}:\n`
 	};
 };
-var buildComposeFragments = (config) => {
+var buildComposeFragments = (config, resourceLimits) => {
 	const networkMode = config.dockerNetworkMode;
 	const networkName = resolveComposeNetworkName(config);
 	const forkRepoUrl = config.forkRepoUrl ?? "";
@@ -3767,7 +3918,7 @@ var buildComposeFragments = (config) => {
 	const maybeClaudeAuthLabelEnv = renderClaudeAuthLabelEnv(claudeAuthLabel);
 	const maybeAgentModeEnv = renderAgentModeEnv(config.agentMode);
 	const maybeAgentAutoEnv = renderAgentAutoEnv(config.agentAuto);
-	const playwright = buildPlaywrightFragments(config, networkName);
+	const playwright = buildPlaywrightFragments(config, networkName, resourceLimits);
 	return {
 		networkMode,
 		networkName,
@@ -3783,7 +3934,7 @@ var buildComposeFragments = (config) => {
 		forkRepoUrl
 	};
 };
-var renderComposeServices = (config, fragments) => `services:
+var renderComposeServices = (config, fragments, resourceLimits) => `services:
   ${config.serviceName}:
     build: .
     container_name: ${config.containerName}
@@ -3802,7 +3953,7 @@ ${fragments.maybePlaywrightEnv}${fragments.maybeDependsOn}    env_file:
       - ${config.envProjectPath}
     ports:
       - "127.0.0.1:${config.sshPort}:22"
-    volumes:
+${renderResourceLimits(resourceLimits)}    volumes:
       - ${config.volumeName}:/home/${config.sshUser}
       - ${renderProjectsRootHostMount(config.dockerGitPath)}:/home/${config.sshUser}/.docker-git
       - ${config.authorizedKeysPath}:/authorized_keys:ro
@@ -3820,10 +3971,10 @@ var renderComposeNetworks = (networkMode, networkName) => networkMode === "share
 var renderComposeVolumes = (config, maybeBrowserVolume) => `volumes:
   ${config.volumeName}:
 ${maybeBrowserVolume}`;
-var renderDockerCompose = (config) => {
-	const fragments = buildComposeFragments(config);
+var renderDockerCompose = (config, resourceLimits) => {
+	const fragments = buildComposeFragments(config, resourceLimits);
 	return [
-		renderComposeServices(config, fragments),
+		renderComposeServices(config, fragments, resourceLimits),
 		renderComposeNetworks(fragments.networkMode, fragments.networkName),
 		renderComposeVolumes(config, fragments.maybeBrowserVolume)
 	].join("\n\n");
@@ -4097,7 +4248,7 @@ var renderConfigJson = (config) => `${JSON.stringify({
 	template: config
 }, null, 2)}
 `;
-var planFiles = (config) => {
+var planFiles = (config, composeResourceLimits) => {
 	const maybePlaywrightFiles = config.enableMcpPlaywright ? [{
 		_tag: "File",
 		relativePath: "Dockerfile.browser",
@@ -4123,7 +4274,7 @@ var planFiles = (config) => {
 		{
 			_tag: "File",
 			relativePath: "docker-compose.yml",
-			contents: renderDockerCompose(config)
+			contents: renderDockerCompose(config, composeResourceLimits)
 		},
 		{
 			_tag: "File",
@@ -4154,6 +4305,20 @@ var planFiles = (config) => {
 //#endregion
 //#region ../lib/src/shell/files.ts
 var ensureParentDir = (path, fs, filePath) => fs.makeDirectory(path.dirname(filePath), { recursive: true });
+var fallbackHostResources = {
+	cpuCount: 1,
+	totalMemoryBytes: 1024 ** 3
+};
+var loadHostResources = () => Effect.tryPromise({
+	try: () => import("node:os").then((os) => ({
+		cpuCount: os.availableParallelism(),
+		totalMemoryBytes: os.totalmem()
+	})),
+	catch: (error) => new Error(String(error))
+}).pipe(Effect.match({
+	onFailure: () => fallbackHostResources,
+	onSuccess: (value) => value
+}));
 var isFileSpec = (spec) => spec._tag === "File";
 var resolveSpecPath = (path, baseDir, spec) => path.join(baseDir, spec.relativePath);
 var writeSpec = (path, fs, baseDir, spec) => {
@@ -4181,7 +4346,8 @@ var failOnExistingFiles = (existingFilePaths, skipExistingFiles) => {
 var writeProjectFiles = (outDir, config, force, skipExistingFiles = false) => Effect.gen(function* (_) {
 	const { fs, path, resolved: baseDir } = yield* _(resolveBaseDir(outDir));
 	yield* _(fs.makeDirectory(baseDir, { recursive: true }));
-	const specs = planFiles(config);
+	const normalizedConfig = withDefaultResourceLimitIntent(config);
+	const specs = planFiles(normalizedConfig, resolveComposeResourceLimits(normalizedConfig, yield* _(loadHostResources())));
 	const created = [];
 	const existingFilePaths = force ? [] : yield* _(collectExistingFilePaths(fs, path, baseDir, specs));
 	const existingSet = new Set(existingFilePaths);
@@ -4280,7 +4446,7 @@ var commitAllIfNeeded = (root, message, env) => Effect.gen(function* (_) {
 	], env));
 });
 var sanitizeBranchComponent = (value) => value.trim().replaceAll(" ", "-").replaceAll(":", "-").replaceAll("..", "-").replaceAll("@{", "-").replaceAll("\\", "-").replaceAll("^", "-").replaceAll("~", "-");
-var rebaseOntoOriginIfPossible = (root, baseBranch, env) => Effect.gen(function* (_) {
+var pullRemoteAndRestoreLocal = (root, baseBranch, env) => Effect.gen(function* (_) {
 	const fetchExit = yield* _(gitExitCode(root, [
 		"fetch",
 		"origin",
@@ -4295,13 +4461,29 @@ var rebaseOntoOriginIfPossible = (root, baseBranch, env) => Effect.gen(function*
 		"--verify",
 		"--quiet",
 		`refs/remotes/origin/${baseBranch}`
-	], env))) !== successExitCode) return "skipped";
-	if ((yield* _(gitExitCode(root, ["rebase", `origin/${baseBranch}`], env))) === successExitCode) return "ok";
-	yield* _(gitExitCode(root, ["rebase", "--abort"], env));
-	return "conflict";
+	], env))) !== successExitCode) return;
+	yield* _(git(root, ["add", "-A"], env));
+	const stashExit = yield* _(gitExitCode(root, ["stash", "--include-untracked"], env));
+	yield* _(git(root, [
+		"reset",
+		"--hard",
+		`origin/${baseBranch}`
+	], env));
+	if (stashExit === successExitCode) {
+		if ((yield* _(gitExitCode(root, ["stash", "pop"], env))) !== successExitCode) {
+			yield* _(gitExitCode(root, [
+				"checkout",
+				"--theirs",
+				"--",
+				"."
+			], env));
+			yield* _(git(root, ["add", "-A"], env));
+			yield* _(gitExitCode(root, ["stash", "drop"], env));
+		}
+	}
 });
 var pushToNewBranch = (root, baseBranch, originPushTarget, env) => Effect.gen(function* (_) {
-	const headShort = yield* _(gitCapture(root, [
+	const headShort = yield* _(gitCapture$1(root, [
 		"rev-parse",
 		"--short",
 		"HEAD"
@@ -4316,7 +4498,7 @@ var pushToNewBranch = (root, baseBranch, originPushTarget, env) => Effect.gen(fu
 	return branch;
 });
 var resolveBaseBranch = (value) => value === "HEAD" ? "main" : value;
-var getCurrentBranch = (root, env) => gitCapture(root, [
+var getCurrentBranch = (root, env) => gitCapture$1(root, [
 	"rev-parse",
 	"--abbrev-ref",
 	"HEAD"
@@ -4324,15 +4506,9 @@ var getCurrentBranch = (root, env) => gitCapture(root, [
 var runStateSyncOps = (root, originUrl, message, env, options) => Effect.gen(function* (_) {
 	const originPushTarget = resolveOriginPushTarget(options?.originPushUrlOverride ?? null);
 	yield* _(normalizeLegacyStateProjects(root));
-	yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env));
 	const baseBranch = resolveBaseBranch(yield* _(getCurrentBranch(root, env)));
-	if ((yield* _(rebaseOntoOriginIfPossible(root, baseBranch, env))) === "conflict") {
-		const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushTarget, env));
-		const compareUrl = tryBuildGithubCompareUrl(originUrl, baseBranch, prBranch);
-		yield* _(Effect.logWarning(`State sync needs manual merge: pushed changes to branch '${prBranch}'.`));
-		yield* _(logOpenPr(originUrl, baseBranch, prBranch, compareUrl));
-		return;
-	}
+	yield* _(pullRemoteAndRestoreLocal(root, baseBranch, env));
+	yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env));
 	const pushExit = yield* _(gitExitCode(root, [
 		"push",
 		"--no-verify",
@@ -4391,7 +4567,7 @@ var stateSync = (message) => Effect.gen(function* (_) {
 			exitCode: originUrlExit
 		})));
 	}
-	const originUrl = yield* _(gitCapture(root, [
+	const originUrl = yield* _(gitCapture$1(root, [
 		"remote",
 		"get-url",
 		"origin"
@@ -4419,7 +4595,7 @@ var autoSyncState = (message) => Effect.gen(function* (_) {
 	onFailure: (error) => Effect.logWarning(`State auto-sync failed: ${String(error)}`),
 	onSuccess: () => Effect.void
 }), Effect.asVoid);
-var cloneStateRepo = (root, input) => Effect.gen(function* (_) {
+var cloneStateRepo = (root, input, env) => Effect.gen(function* (_) {
 	const cloneBranchExit = yield* _(runCommandExitCode({
 		cwd: root,
 		command: "git",
@@ -4430,7 +4606,7 @@ var cloneStateRepo = (root, input) => Effect.gen(function* (_) {
 			input.repoUrl,
 			root
 		],
-		env: gitBaseEnv$1
+		env
 	}));
 	if (cloneBranchExit === successExitCode) return;
 	yield* _(Effect.logWarning(`git clone --branch ${input.repoRef} failed (exit ${cloneBranchExit}); retrying without --branch`));
@@ -4442,60 +4618,65 @@ var cloneStateRepo = (root, input) => Effect.gen(function* (_) {
 			input.repoUrl,
 			root
 		],
-		env: gitBaseEnv$1
+		env
 	}));
 	if (cloneDefaultExit !== successExitCode) return yield* _(Effect.fail(new CommandFailedError({
 		command: "git clone",
 		exitCode: cloneDefaultExit
 	})));
 }).pipe(Effect.asVoid);
-var initRepoIfNeeded = (fs, path, root, input) => Effect.gen(function* (_) {
+var initRepoIfNeeded = (fs, path, root, input, env) => Effect.gen(function* (_) {
 	yield* _(fs.makeDirectory(root, { recursive: true }));
 	const gitDir = path.join(root, ".git");
 	if (yield* _(fs.exists(gitDir))) return;
 	if ((yield* _(fs.readDirectory(root))).length === 0) {
-		yield* _(cloneStateRepo(root, input));
+		yield* _(cloneStateRepo(root, input, env));
 		yield* _(Effect.log(`State dir cloned: ${root}`));
 		return;
 	}
-	yield* _(git(root, ["init"], gitBaseEnv$1));
+	yield* _(git(root, ["init", "--initial-branch=main"], env));
 }).pipe(Effect.asVoid);
-var ensureOriginRemote = (root, repoUrl) => Effect.gen(function* (_) {
+var ensureOriginRemote = (root, repoUrl, env) => Effect.gen(function* (_) {
 	if ((yield* _(gitExitCode(root, [
 		"remote",
 		"set-url",
 		"origin",
 		repoUrl
-	], gitBaseEnv$1))) === successExitCode) return;
+	], env))) === successExitCode) return;
 	yield* _(git(root, [
 		"remote",
 		"add",
 		"origin",
 		repoUrl
-	], gitBaseEnv$1));
+	], env));
 });
-var checkoutBranchBestEffort = (root, repoRef) => Effect.gen(function* (_) {
+var checkoutBranchBestEffort = (root, repoRef, env) => Effect.gen(function* (_) {
 	const checkoutExit = yield* _(gitExitCode(root, [
 		"checkout",
 		"-B",
 		repoRef
-	], gitBaseEnv$1));
+	], env));
 	if (checkoutExit === successExitCode) return;
 	yield* _(Effect.logWarning(`git checkout -B ${repoRef} failed (exit ${checkoutExit})`));
 });
-var stateInit = (input) => Effect.gen(function* (_) {
-	const fs = yield* _(FileSystem.FileSystem);
-	const path = yield* _(Path.Path);
-	const root = resolveStateRoot(path, process.cwd());
-	yield* _(initRepoIfNeeded(fs, path, root, input));
-	yield* _(ensureOriginRemote(root, input.repoUrl));
-	yield* _(checkoutBranchBestEffort(root, input.repoRef));
-	yield* _(ensureStateGitignore(fs, path, root));
-	yield* _(Effect.log(`State dir ready: ${root}`));
-	yield* _(Effect.log(`Remote: ${input.repoUrl}`));
-}).pipe(Effect.asVoid);
+var stateInit = (input) => {
+	const doInit = (env) => Effect.gen(function* (_) {
+		const fs = yield* _(FileSystem.FileSystem);
+		const path = yield* _(Path.Path);
+		const root = resolveStateRoot(path, process.cwd());
+		yield* _(initRepoIfNeeded(fs, path, root, input, env));
+		yield* _(ensureOriginRemote(root, input.repoUrl, env));
+		yield* _(adoptRemoteHistoryIfOrphan(root, input.repoRef, env));
+		yield* _(checkoutBranchBestEffort(root, input.repoRef, env));
+		yield* _(ensureStateGitignore(fs, path, root));
+		yield* _(Effect.log(`State dir ready: ${root}`));
+		yield* _(Effect.log(`Remote: ${input.repoUrl}`));
+	}).pipe(Effect.asVoid);
+	const token = input.token?.trim() ?? "";
+	return token.length > 0 && isGithubHttpsRemote(input.repoUrl) ? withGithubAskpassEnv(token, doInit) : doInit(gitBaseEnv$1);
+};
 var stateStatus = Effect.gen(function* (_) {
-	const output = yield* _(gitCapture(resolveStateRoot(yield* _(Path.Path), process.cwd()), [
+	const output = yield* _(gitCapture$1(resolveStateRoot(yield* _(Path.Path), process.cwd()), [
 		"status",
 		"-sb",
 		"--porcelain=v1"
@@ -4514,7 +4695,7 @@ var statePull = Effect.gen(function* (_) {
 		yield* _(git(root, ["pull", "--rebase"], gitBaseEnv$1));
 		return;
 	}
-	const originUrl = yield* _(gitCapture(root, [
+	const originUrl = yield* _(gitCapture$1(root, [
 		"remote",
 		"get-url",
 		"origin"
@@ -4539,13 +4720,13 @@ var statePush = Effect.gen(function* (_) {
 		], gitBaseEnv$1));
 		return;
 	}
-	const originUrl = yield* _(gitCapture(root, [
+	const originUrl = yield* _(gitCapture$1(root, [
 		"remote",
 		"get-url",
 		"origin"
 	], gitBaseEnv$1).pipe(Effect.map((value) => value.trim())));
 	const token = yield* _(resolveGithubToken(fs, path, root));
-	yield* _(token && token.length > 0 && isGithubHttpsRemote(originUrl) ? withGithubAskpassEnv(token, (env) => pipe(gitCapture(root, [
+	yield* _(token && token.length > 0 && isGithubHttpsRemote(originUrl) ? withGithubAskpassEnv(token, (env) => pipe(gitCapture$1(root, [
 		"rev-parse",
 		"--abbrev-ref",
 		"HEAD"
@@ -5105,18 +5286,18 @@ var ensureAvailableSshPort = (projectDir, config) => Effect.gen(function* (_) {
 });
 var runDockerComposeUpWithPortCheck = (projectDir) => Effect.gen(function* (_) {
 	const config = yield* _(readProjectConfig(projectDir));
-	const updated = (yield* _(runDockerComposePsFormatted(projectDir).pipe(Effect.map((raw) => parseComposePsOutput(raw)), Effect.map((rows) => rows.length > 0)))) ? config.template : yield* _(ensureAvailableSshPort(projectDir, config));
-	yield* _(syncManagedProjectFiles(projectDir, updated));
-	yield* _(ensureComposeNetworkReady(projectDir, updated));
+	const resolvedTemplate = yield* _(resolveTemplateResourceLimits((yield* _(runDockerComposePsFormatted(projectDir).pipe(Effect.map((raw) => parseComposePsOutput(raw)), Effect.map((rows) => rows.length > 0)))) ? config.template : yield* _(ensureAvailableSshPort(projectDir, config))));
+	yield* _(syncManagedProjectFiles(projectDir, resolvedTemplate));
+	yield* _(ensureComposeNetworkReady(projectDir, resolvedTemplate));
 	yield* _(runDockerComposeUp(projectDir));
-	yield* _(ensureClaudeCliReady(projectDir, updated.containerName));
+	yield* _(ensureClaudeCliReady(projectDir, resolvedTemplate.containerName));
 	const ensureBridgeAccess = (containerName) => runDockerInspectContainerBridgeIp(projectDir, containerName).pipe(Effect.flatMap((bridgeIp) => bridgeIp.length > 0 ? Effect.void : runDockerNetworkConnectBridge(projectDir, containerName)), Effect.matchEffect({
 		onFailure: (error) => Effect.logWarning(`Failed to connect ${containerName} to bridge network: ${error instanceof Error ? error.message : String(error)}`),
 		onSuccess: () => Effect.void
 	}));
-	yield* _(ensureBridgeAccess(updated.containerName));
-	if (updated.enableMcpPlaywright) yield* _(ensureBridgeAccess(`${updated.containerName}-browser`));
-	return updated;
+	yield* _(ensureBridgeAccess(resolvedTemplate.containerName));
+	if (resolvedTemplate.enableMcpPlaywright) yield* _(ensureBridgeAccess(`${resolvedTemplate.containerName}-browser`));
+	return resolvedTemplate;
 });
 //#endregion
 //#region ../lib/src/usecases/projects-ssh.ts
@@ -5408,7 +5589,7 @@ var resolveRootedConfig = (command, ctx) => ({
 	codexAuthPath: ctx.resolveRootPath(command.config.codexAuthPath),
 	codexSharedAuthPath: ctx.resolveRootPath(command.config.codexSharedAuthPath)
 });
-var resolveCreateConfig = (command, ctx, resolvedOutDir) => resolveSshPort(resolveRootedConfig(command, ctx), resolvedOutDir).pipe(Effect.flatMap((config) => applyGithubForkConfig(config)));
+var resolveCreateConfig = (command, ctx, resolvedOutDir) => resolveSshPort(resolveRootedConfig(command, ctx), resolvedOutDir).pipe(Effect.flatMap((config) => applyGithubForkConfig(config)), Effect.flatMap((config) => resolveTemplateResourceLimits(config)));
 var logCreatedProject = (resolvedOutDir, createdFiles) => Effect.gen(function* (_) {
 	yield* _(Effect.log(`Created docker-git project in ${resolvedOutDir}`));
 	for (const file of createdFiles) yield* _(Effect.log(`  - ${file}`));
@@ -5524,7 +5705,7 @@ var normalizeAuthLabel = (value) => {
 };
 //#endregion
 //#region ../lib/src/usecases/apply-overrides.ts
-var hasApplyOverrides = (command) => command.gitTokenLabel !== void 0 || command.codexTokenLabel !== void 0 || command.claudeTokenLabel !== void 0 || command.enableMcpPlaywright !== void 0;
+var hasApplyOverrides = (command) => command.gitTokenLabel !== void 0 || command.codexTokenLabel !== void 0 || command.claudeTokenLabel !== void 0 || command.cpuLimit !== void 0 || command.ramLimit !== void 0 || command.enableMcpPlaywright !== void 0;
 var applyTemplateOverrides = (template, command) => {
 	if (command === void 0) return template;
 	let nextTemplate = template;
@@ -5540,6 +5721,14 @@ var applyTemplateOverrides = (template, command) => {
 		...nextTemplate,
 		claudeAuthLabel: normalizeAuthLabel(command.claudeTokenLabel)
 	};
+	if (command.cpuLimit !== void 0) nextTemplate = {
+		...nextTemplate,
+		cpuLimit: command.cpuLimit
+	};
+	if (command.ramLimit !== void 0) nextTemplate = {
+		...nextTemplate,
+		ramLimit: command.ramLimit
+	};
 	if (command.enableMcpPlaywright !== void 0) nextTemplate = {
 		...nextTemplate,
 		enableMcpPlaywright: command.enableMcpPlaywright
@@ -5547,22 +5736,12 @@ var applyTemplateOverrides = (template, command) => {
 	return nextTemplate;
 };
 //#endregion
-//#region ../lib/src/usecases/apply.ts
-var applyProjectFiles = (projectDir, command) => Effect.gen(function* (_) {
-	yield* _(Effect.log(`Applying docker-git config files in ${projectDir}...`));
-	const resolvedTemplate = applyTemplateOverrides((yield* _(readProjectConfig(projectDir))).template, command);
-	yield* _(writeProjectFiles(projectDir, resolvedTemplate, true));
-	yield* _(ensureCodexConfigFile(projectDir, resolvedTemplate.codexAuthPath));
-	yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"));
-	return resolvedTemplate;
-});
+//#region ../lib/src/usecases/apply-project-discovery.ts
 var gitSuccessExitCode = 0;
-var gitBranchDetached = "HEAD";
-var maxLocalConfigSearchDepth = 6;
 var gitBaseEnv = { GIT_TERMINAL_PROMPT: "0" };
 var emptyConfigPaths = () => [];
 var nullProjectCandidate = () => null;
-var nullString = () => null;
+var nullString$1 = () => null;
 var normalizeRepoIdentity = (repoUrl) => {
 	const github = parseGithubRepoUrl(repoUrl);
 	if (github !== null) {
@@ -5630,7 +5809,7 @@ var tryGitCapture = (cwd, args) => {
 			_tag: "ApplyGitCaptureError",
 			code
 		})).pipe(Effect.map((value) => value.trim()), Effect.match({
-			onFailure: nullString,
+			onFailure: nullString$1,
 			onSuccess: (value) => value
 		})) : Effect.succeed(null)
 	}));
@@ -5680,6 +5859,20 @@ var collectRemoteIdentities = (repoRoot) => Effect.gen(function* (_) {
 	}
 	return [...identityMap.values()];
 });
+var gitCapture = tryGitCapture;
+//#endregion
+//#region ../lib/src/usecases/apply.ts
+var applyProjectFiles = (projectDir, command) => Effect.gen(function* (_) {
+	yield* _(Effect.log(`Applying docker-git config files in ${projectDir}...`));
+	const resolvedTemplate = yield* _(resolveTemplateResourceLimits(applyTemplateOverrides((yield* _(readProjectConfig(projectDir))).template, command)));
+	yield* _(writeProjectFiles(projectDir, resolvedTemplate, true));
+	yield* _(ensureCodexConfigFile(projectDir, resolvedTemplate.codexAuthPath));
+	yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"));
+	return resolvedTemplate;
+});
+var gitBranchDetached = "HEAD";
+var maxLocalConfigSearchDepth = 6;
+var nullString = () => null;
 var resolveFromCurrentTree = () => Effect.gen(function* (_) {
 	const { fs, path, resolved } = yield* _(resolveBaseDir("."));
 	const configPath = yield* _(findExistingUpwards(fs, path, resolved, "docker-git.json", maxLocalConfigSearchDepth).pipe(Effect.match({
@@ -5695,11 +5888,11 @@ var normalizeBranch = (branch) => {
 };
 var resolveFromCurrentRepository = () => Effect.gen(function* (_) {
 	const cwd = process.cwd();
-	const repoRoot = yield* _(tryGitCapture(cwd, ["rev-parse", "--show-toplevel"]));
+	const repoRoot = yield* _(gitCapture(cwd, ["rev-parse", "--show-toplevel"]));
 	if (repoRoot === null) return null;
 	const remoteIdentities = yield* _(collectRemoteIdentities(repoRoot));
 	if (remoteIdentities.length === 0) return null;
-	const branch = normalizeBranch(yield* _(tryGitCapture(repoRoot, [
+	const branch = normalizeBranch(yield* _(gitCapture(repoRoot, [
 		"rev-parse",
 		"--abbrev-ref",
 		"HEAD"
@@ -6156,6 +6349,87 @@ var authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd })
 }));
 var authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`)));
 //#endregion
+//#region ../lib/src/usecases/state-repo-github.ts
+var dotDockerGitRepoName = ".docker-git";
+var defaultStateRef = "main";
+var resolveViewerLogin = (cwd, hostPath, token) => Effect.gen(function* (_) {
+	const raw = yield* _(runGhApiCapture(cwd, hostPath, token, [
+		"/user",
+		"--jq",
+		".login"
+	]));
+	if (raw.length === 0) return yield* _(Effect.fail(new CommandFailedError({
+		command: "gh api /user --jq .login",
+		exitCode: 1
+	})));
+	return raw;
+});
+var getRepoCloneUrl = (cwd, hostPath, token, login) => runGhApiNullable(cwd, hostPath, token, [
+	`/repos/${login}/${dotDockerGitRepoName}`,
+	"--jq",
+	".clone_url"
+]);
+var createStateRepo = (cwd, hostPath, token) => runGhApiNullable(cwd, hostPath, token, [
+	"-X",
+	"POST",
+	"/user/repos",
+	"-f",
+	`name=${dotDockerGitRepoName}`,
+	"-f",
+	"private=false",
+	"-f",
+	"auto_init=true",
+	"--jq",
+	".clone_url"
+]);
+/**
+* Ensures the .docker-git state repository exists on GitHub and is initialised locally.
+*
+* On GitHub auth, immediately:
+* 1. Resolve the authenticated user's login via the GitHub API
+* 2. Check whether `<login>/.docker-git` exists on GitHub
+* 3. If missing, create the repository (public, auto-initialised with a README)
+* 4. Initialise the local `~/.docker-git` directory as a clone of that repository
+*
+* All failures are swallowed and logged as warnings so they never abort the auth
+* flow itself.
+*
+* @param token - A valid GitHub personal-access or OAuth token
+* @returns Effect<void, never, GithubStateRepoRuntime>
+*
+* @pure false
+* @effect FileSystem, CommandExecutor (Docker gh CLI, git)
+* @invariant ∀token ∈ ValidTokens: ensureStateDotDockerGitRepo(token) → cloned(~/.docker-git) ∨ warned
+* @precondition token.length > 0
+* @postcondition ~/.docker-git is a git repo with origin pointing to github.com/<login>/.docker-git
+* @complexity O(1) API calls
+* @throws Never - all errors are caught and logged
+*/
+var ensureStateDotDockerGitRepo = (token) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	const ghRoot = resolvePathFromCwd(path, cwd, ghAuthRoot);
+	yield* _(fs.makeDirectory(ghRoot, { recursive: true }));
+	yield* _(ensureGhAuthImage(fs, path, cwd, "gh api"));
+	const login = yield* _(resolveViewerLogin(cwd, ghRoot, token));
+	let cloneUrl = yield* _(getRepoCloneUrl(cwd, ghRoot, token, login));
+	if (cloneUrl === null) {
+		yield* _(Effect.log(`Creating .docker-git repository for ${login}...`));
+		cloneUrl = yield* _(createStateRepo(cwd, ghRoot, token));
+	}
+	if (cloneUrl === null) {
+		yield* _(Effect.logWarning(`Could not resolve or create .docker-git repository for ${login}`));
+		return;
+	}
+	yield* _(Effect.log(`Initializing state repository: ${cloneUrl}`));
+	yield* _(stateInit({
+		repoUrl: cloneUrl,
+		repoRef: defaultStateRef,
+		token
+	}));
+})).pipe(Effect.matchEffect({
+	onFailure: (error) => Effect.logWarning(`State repo setup failed: ${error instanceof Error ? error.message : String(error)}`),
+	onSuccess: () => Effect.void
+}));
+//#endregion
 //#region ../lib/src/usecases/auth-github.ts
 var ensureGithubOrchLayout = (cwd, envGlobalPath) => migrateLegacyOrchLayout(cwd, {
 	envGlobalPath,
@@ -6253,6 +6527,7 @@ var runGithubInteractiveLogin = (cwd, fs, path, envPath, command) => Effect.gen(
 	const resolved = yield* _(resolveGithubTokenFromGh(cwd, accountPath));
 	yield* _(ensureEnvFile$1(fs, path, envPath));
 	yield* _(persistGithubToken(fs, envPath, buildGithubTokenKey(command.label), resolved));
+	return resolved;
 });
 var authGithubLogin = (command) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
 	yield* _(ensureGithubOrchLayout(cwd, command.envGlobalPath));
@@ -6263,10 +6538,11 @@ var authGithubLogin = (command) => withFsPathContext(({ cwd, fs, path }) => Effe
 	if (token.length > 0) {
 		yield* _(ensureEnvFile$1(fs, path, envPath));
 		yield* _(persistGithubToken(fs, envPath, key, token));
+		yield* _(ensureStateDotDockerGitRepo(token));
 		yield* _(autoSyncState(`chore(state): auth gh ${label}`));
 		return;
 	}
-	yield* _(runGithubInteractiveLogin(cwd, fs, path, envPath, command));
+	yield* _(ensureStateDotDockerGitRepo(yield* _(runGithubInteractiveLogin(cwd, fs, path, envPath, command))));
 	yield* _(autoSyncState(`chore(state): auth gh ${label}`));
 }));
 var authGithubStatus = (command) => withEnvContext(command.envGlobalPath, ({ current, envPath }) => Effect.gen(function* (_) {
@@ -6951,6 +7227,22 @@ var valueOptionSpecByFlag = new Map([
 		flag: "--codex-home",
 		key: "codexHome"
 	},
+	{
+		flag: "--cpu",
+		key: "cpuLimit"
+	},
+	{
+		flag: "--cpus",
+		key: "cpuLimit"
+	},
+	{
+		flag: "--ram",
+		key: "ramLimit"
+	},
+	{
+		flag: "--memory",
+		key: "ramLimit"
+	},
 	{
 		flag: "--network-mode",
 		key: "dockerNetworkMode"
@@ -7127,6 +7419,14 @@ var valueFlagUpdaters = {
 		...raw,
 		codexHome: value
 	}),
+	cpuLimit: (raw, value) => ({
+		...raw,
+		cpuLimit: value
+	}),
+	ramLimit: (raw, value) => ({
+		...raw,
+		ramLimit: value
+	}),
 	dockerNetworkMode: (raw, value) => ({
 		...raw,
 		dockerNetworkMode: value
@@ -7304,15 +7604,22 @@ var parseProjectDirWithOptions = (args, defaultProjectDir = ".") => Either.gen(f
 var parseProjectDirArgs = (args, defaultProjectDir = ".") => Either.map(parseProjectDirWithOptions(args, defaultProjectDir), ({ projectDir }) => ({ projectDir }));
 //#endregion
 //#region src/docker-git/cli/parser-apply.ts
-var parseApply = (args) => Either.map(parseProjectDirWithOptions(args), ({ projectDir, raw }) => ({
-	_tag: "Apply",
-	projectDir,
-	runUp: raw.up ?? true,
-	gitTokenLabel: raw.gitTokenLabel,
-	codexTokenLabel: raw.codexTokenLabel,
-	claudeTokenLabel: raw.claudeTokenLabel,
-	enableMcpPlaywright: raw.enableMcpPlaywright
-}));
+var parseApply = (args) => Either.gen(function* (_) {
+	const { projectDir, raw } = yield* _(parseProjectDirWithOptions(args));
+	const cpuLimit = yield* _(normalizeCpuLimit(raw.cpuLimit, "--cpu"));
+	const ramLimit = yield* _(normalizeRamLimit(raw.ramLimit, "--ram"));
+	return {
+		_tag: "Apply",
+		projectDir,
+		runUp: raw.up ?? true,
+		gitTokenLabel: raw.gitTokenLabel,
+		codexTokenLabel: raw.codexTokenLabel,
+		claudeTokenLabel: raw.claudeTokenLabel,
+		cpuLimit,
+		ramLimit,
+		enableMcpPlaywright: raw.enableMcpPlaywright
+	};
+});
 //#endregion
 //#region src/docker-git/cli/parser-attach.ts
 var parseAttach = (args) => {
@@ -7419,7 +7726,7 @@ var resolveAutoAgentFlags = (raw) => {
 	});
 };
 //#endregion
-//#region ../lib/src/core/command-builders.ts
+//#region ../lib/src/core/command-builders-shared.ts
 var parsePort = (value) => {
 	const parsed = Number(value);
 	if (!Number.isInteger(parsed)) return Either.left({
@@ -7434,6 +7741,7 @@ var parsePort = (value) => {
 	});
 	return Either.right(parsed);
 };
+var parseSshPort = (value) => parsePort(value);
 var parseDockerNetworkMode = (value) => {
 	const candidate = value?.trim() ?? defaultTemplateConfig.dockerNetworkMode;
 	if (isDockerNetworkMode(candidate)) return Either.right(candidate);
@@ -7451,6 +7759,8 @@ var nonEmpty = (option, value, fallback) => {
 	});
 	return Either.right(candidate);
 };
+//#endregion
+//#region ../lib/src/core/command-builders.ts
 var normalizeSecretsRoot = (value) => trimRightChar(value, "/");
 var resolveRepoBasics = (raw) => Either.gen(function* (_) {
 	const resolvedRepo = resolveRepoInput(raw.repoUrl?.trim() ?? "");
@@ -7470,7 +7780,7 @@ var resolveRepoBasics = (raw) => Either.gen(function* (_) {
 		repoRef,
 		targetDir: expandContainerHome(sshUser, yield* _(nonEmpty("--target-dir", raw.targetDir, defaultTemplateConfig.targetDir))),
 		sshUser,
-		sshPort: yield* _(parsePort(raw.sshPort ?? String(defaultTemplateConfig.sshPort)))
+		sshPort: yield* _(parseSshPort(raw.sshPort ?? String(defaultTemplateConfig.sshPort)))
 	};
 });
 var resolveNames = (raw, projectSlug) => Either.gen(function* (_) {
@@ -7525,7 +7835,7 @@ var resolveCreateBehavior = (raw) => ({
 	forceEnv: raw.forceEnv ?? false,
 	enableMcpPlaywright: raw.enableMcpPlaywright ?? false
 });
-var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLabel, dockerNetworkMode, dockerSharedNetworkName, enableMcpPlaywright, gitTokenLabel, names, paths, repo }) => ({
+var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLabel, cpuLimit, dockerNetworkMode, dockerSharedNetworkName, enableMcpPlaywright, gitTokenLabel, names, paths, ramLimit, repo }) => ({
 	containerName: names.containerName,
 	serviceName: names.serviceName,
 	sshUser: repo.sshUser,
@@ -7544,6 +7854,8 @@ var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLab
 	codexAuthPath: paths.codexAuthPath,
 	codexSharedAuthPath: paths.codexSharedAuthPath,
 	codexHome: paths.codexHome,
+	cpuLimit,
+	ramLimit,
 	dockerNetworkMode,
 	dockerSharedNetworkName,
 	enableMcpPlaywright,
@@ -7559,6 +7871,8 @@ var buildCreateCommand = (raw) => Either.gen(function* (_) {
 	const gitTokenLabel = normalizeGitTokenLabel(raw.gitTokenLabel);
 	const codexAuthLabel = normalizeAuthLabel(raw.codexTokenLabel);
 	const claudeAuthLabel = normalizeAuthLabel(raw.claudeTokenLabel);
+	const cpuLimit = yield* _(normalizeCpuLimit(raw.cpuLimit ?? "30%", "--cpu"));
+	const ramLimit = yield* _(normalizeRamLimit(raw.ramLimit ?? "30%", "--ram"));
 	const dockerNetworkMode = yield* _(parseDockerNetworkMode(raw.dockerNetworkMode));
 	const dockerSharedNetworkName = yield* _(nonEmpty("--shared-network", raw.dockerSharedNetworkName, defaultTemplateConfig.dockerSharedNetworkName));
 	const { agentAuto, agentMode } = yield* _(resolveAutoAgentFlags(raw));
@@ -7574,6 +7888,8 @@ var buildCreateCommand = (raw) => Either.gen(function* (_) {
 			repo,
 			names,
 			paths,
+			cpuLimit,
+			ramLimit,
 			dockerNetworkMode,
 			dockerSharedNetworkName,
 			gitTokenLabel,
@@ -7856,6 +8172,8 @@ Options:
   --env-project <path>      Host path to project env file (default: ./.orch/env/project.env)
   --codex-auth <path>       Host path for Codex auth cache (default: <projectsRoot>/.orch/auth/codex)
   --codex-home <path>       Container path for Codex auth (default: /home/dev/.codex)
+  --cpu <value>             CPU limit: percent or cores (examples: 30%, 1.5; default: 30%)
+  --ram <value>             RAM limit: percent or size (examples: 30%, 512m, 4g; default: 30%)
   --network-mode <mode>     Compose network mode: shared|project (default: shared)
   --shared-network <name>   Shared Docker network name when network-mode=shared (default: docker-git-shared)
   --out-dir <path>          Output directory (default: <projectsRoot>/<org>/<repo>[/issue-<id>|/pr-<id>])
@@ -8348,6 +8666,8 @@ var createSteps = [
 	"repoUrl",
 	"repoRef",
 	"outDir",
+	"cpuLimit",
+	"ramLimit",
 	"runUp",
 	"mcpPlaywright",
 	"force"
@@ -8400,15 +8720,38 @@ var menuItems = [
 ];
 //#endregion
 //#region src/docker-git/menu-create.ts
+var optionalCreateArgs = (input) => [
+	{
+		value: input.repoUrl,
+		args: ["--repo-url", input.repoUrl]
+	},
+	{
+		value: input.repoRef,
+		args: ["--repo-ref", input.repoRef]
+	},
+	{
+		value: input.outDir,
+		args: ["--out-dir", input.outDir]
+	},
+	{
+		value: input.cpuLimit,
+		args: ["--cpu", input.cpuLimit]
+	},
+	{
+		value: input.ramLimit,
+		args: ["--ram", input.ramLimit]
+	}
+];
+var booleanCreateFlags = (input) => [
+	input.runUp ? null : "--no-up",
+	input.enableMcpPlaywright ? "--mcp-playwright" : null,
+	input.force ? "--force" : null,
+	input.forceEnv ? "--force-env" : null
+].filter((value) => value !== null);
 var buildCreateArgs = (input) => {
 	const args = ["create"];
-	if (input.repoUrl.length > 0) args.push("--repo-url", input.repoUrl);
-	if (input.repoRef.length > 0) args.push("--repo-ref", input.repoRef);
-	if (input.outDir.length > 0) args.push("--out-dir", input.outDir);
-	if (!input.runUp) args.push("--no-up");
-	if (input.enableMcpPlaywright) args.push("--mcp-playwright");
-	if (input.force) args.push("--force");
-	if (input.forceEnv) args.push("--force-env");
+	for (const spec of optionalCreateArgs(input)) if (spec.value.length > 0) args.push(spec.args[0], spec.args[1]);
+	for (const flag of booleanCreateFlags(input)) args.push(flag);
 	return args;
 };
 var trimLeftSlash = (value) => {
@@ -8441,6 +8784,8 @@ var resolveCreateInputs = (cwd, values) => {
 		repoUrl,
 		repoRef: values.repoRef ?? resolvedRepoRef ?? "main",
 		outDir,
+		cpuLimit: values.cpuLimit ?? "",
+		ramLimit: values.ramLimit ?? "",
 		runUp: values.runUp !== false,
 		enableMcpPlaywright: values.enableMcpPlaywright === true,
 		force: values.force === true,
@@ -8484,6 +8829,12 @@ var applyCreateStep = (input) => Match.value(input.step).pipe(Match.when("repoUr
 }), Match.when("outDir", () => {
 	input.nextValues.outDir = input.buffer.length > 0 ? input.buffer : input.currentDefaults.outDir;
 	return true;
+}), Match.when("cpuLimit", () => {
+	input.nextValues.cpuLimit = input.buffer.length > 0 ? input.buffer : input.currentDefaults.cpuLimit;
+	return true;
+}), Match.when("ramLimit", () => {
+	input.nextValues.ramLimit = input.buffer.length > 0 ? input.buffer : input.currentDefaults.ramLimit;
+	return true;
 }), Match.when("runUp", () => {
 	input.nextValues.runUp = parseYesDefault(input.buffer, input.currentDefaults.runUp);
 	return true;
@@ -10106,7 +10457,7 @@ var renderProjectAuthPrompt = (view, message) => {
 };
 //#endregion
 //#region src/docker-git/menu-render.ts
-var renderStepLabel = (step, defaults) => Match.value(step).pipe(Match.when("repoUrl", () => "Repo URL (optional for empty workspace)"), Match.when("repoRef", () => `Repo ref [${defaults.repoRef}]`), Match.when("outDir", () => `Output dir [${defaults.outDir}]`), Match.when("runUp", () => `Run docker compose up now? [${defaults.runUp ? "Y" : "n"}]`), Match.when("mcpPlaywright", () => `Enable Playwright MCP (Chromium sidecar)? [${defaults.enableMcpPlaywright ? "y" : "N"}]`), Match.when("force", () => `Force recreate (overwrite files + wipe volumes)? [${defaults.force ? "y" : "N"}]`), Match.exhaustive);
+var renderStepLabel = (step, defaults) => Match.value(step).pipe(Match.when("repoUrl", () => "Repo URL (optional for empty workspace)"), Match.when("repoRef", () => `Repo ref [${defaults.repoRef}]`), Match.when("outDir", () => `Output dir [${defaults.outDir}]`), Match.when("cpuLimit", () => `CPU limit [${defaults.cpuLimit || "30%"}]`), Match.when("ramLimit", () => `RAM limit [${defaults.ramLimit || "30%"}]`), Match.when("runUp", () => `Run docker compose up now? [${defaults.runUp ? "Y" : "n"}]`), Match.when("mcpPlaywright", () => `Enable Playwright MCP (Chromium sidecar)? [${defaults.enableMcpPlaywright ? "y" : "N"}]`), Match.when("force", () => `Force recreate (overwrite files + wipe volumes)? [${defaults.force ? "y" : "N"}]`), Match.exhaustive);
 var compactElements = (items) => items.filter((item) => item !== null);
 var renderMenuHints = (el) => el(Box, {
 	marginTop: 1,