diff --git a/.claude/commands/release-notes.md b/.claude/commands/release-notes.md
index cd20429..26fca4e 100644
--- a/.claude/commands/release-notes.md
+++ b/.claude/commands/release-notes.md
@@ -1,7 +1,7 @@
 ---
-description: Generate a short, curated CHANGELOG.md entry from the commits since the last release
+description: Curate a CHANGELOG.md entry from commits since the last release; with a bump arg, also version, commit, push, and publish to npm
 argument-hint: "[patch|minor|major]"
-allowed-tools: Bash(git describe:*), Bash(git log:*), Bash(git tag:*), Bash(git rev-list:*), Bash(node:*), Read, Edit
+allowed-tools: Bash(git describe:*), Bash(git log:*), Bash(git tag:*), Bash(git rev-list:*), Bash(git rev-parse:*), Bash(git status:*), Bash(git add:*), Bash(git commit:*), Bash(git push:*), Bash(node:*), Bash(npm version:*), Bash(npm publish:*), Bash(npm view:*), Bash(cp:*), Bash(pnpm:*), Read, Edit
 ---
 
 You are writing the next release-notes entry for `@madarco/agentbox`. The
@@ -56,7 +56,56 @@ changelog is at `apps/cli/CHANGELOG.md` (Keep a Changelog format). Produce
   ```
 
   Use today's real date — get it from the environment context, do not invent one.
-- Do **not** bump `package.json` or create a git tag — that happens at publish
-  time (`pnpm --filter @madarco/agentbox run publish:<bump>`).
-- Print the entry you wrote and stop, so the user can review and edit before
-  releasing.
+- Print the entry you wrote.
+
+## 6. Release (only when `$ARGUMENTS` named a bump)
+
+If `$ARGUMENTS` did **not** name a bump (`patch` / `minor` / `major`), stop here so
+the user can review and edit the changelog before releasing — do not bump or push.
+
+Otherwise continue. **This publishes to a public registry and is irreversible**, so
+get the user's explicit go-ahead at step 6.4 before publishing.
+
+1. **Bump `package.json` (no commit, no tag yet).** Section 5 just edited the
+   changelog, so the tree is dirty and a plain `npm version` would abort with
+   `EGITDIRTYWORKINGDIR`. Bump the version field only, from the package dir:
+   `cd apps/cli && npm version <bump> --no-git-tag-version`
+   (this is the version you already wrote into the changelog heading).
+
+2. **Commit the changelog + bump together, and tag.** One commit:
+   ```
+   git add apps/cli/CHANGELOG.md apps/cli/package.json
+   git commit -m "release: v<next-version>"
+   git tag v<next-version>
+   ```
+   (Stage whatever actually changed — add the root `CHANGELOG.md` too if you edited it.)
+
+3. **Push the commit and tag.** Check the current branch first (`git rev-parse
+   --abbrev-ref HEAD`). If it is not `main`, tell the user and confirm they want to
+   release from this branch. Then: `git push --follow-tags`.
+
+4. **Confirm before publishing.** Restate package (`@madarco/agentbox`), the new
+   version, and the branch. Verify the version is not already on the registry
+   (`npm view @madarco/agentbox@<next-version> version` should print nothing). Get
+   an explicit go-ahead.
+
+5. **Publish and surface the MFA link.** From the package dir (`prepublishOnly`
+   rebuilds the whole workspace first, so this also runs the full build):
+   `cd apps/cli && npm publish --auth-type=web`
+   - With 2FA enabled, npm prints a web-auth URL:
+     ```
+     npm notice Authenticate your account at:
+     npm notice https://www.npmjs.com/auth/cli/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
+     ```
+     **Show that full URL to the user immediately and prominently** ("Open this to
+     authorize the publish: <url>"). Keep the command running in the **foreground** —
+     npm completes the publish automatically once the browser approval lands. Do not
+     cancel or background it.
+   - **Classic TOTP fallback:** if npm instead asks for a one-time password
+     (`This operation requires a one-time password`), ask the user for the 6-digit
+     code and re-run with `--otp=<code>`.
+
+6. **Confirm success.** `npm view @madarco/agentbox version` should now show
+   <next-version>. Report the published version, the pushed tag, and the commit. If
+   `npm publish` fails (already-published version, auth, build), report the exact
+   error and stop — do not retry blindly.
diff --git a/.gitignore b/.gitignore
index e070eca..07d4fa4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,8 @@ coverage/
 .vscode/
 .idea/
 
+# Claude Code session-specific runtime state (lock files, etc.) — keep
+# .claude/commands and other intentional config tracked.
+.claude/scheduled_tasks.lock
+
 TODO.md
\ No newline at end of file
diff --git a/CLAUDE.md b/CLAUDE.md
index 210e195..f06ac32 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -75,3 +75,4 @@ Each topic has a dedicated file under [`docs/`](./docs). Read the relevant one b
 - [`docs/daytona-backlog.md`](./docs/daytona-backlog.md) — what's done vs still missing on the Daytona path. Quick index of where each cloud feature actually lives.
 - [`docs/hertzner_backlog.md`](./docs/hertzner_backlog.md) — Hetzner provider build-out status: phase-by-phase progress, the live e2e smoke results, deferred follow-ups (per-project snapshot tier, `--pause` checkpoint flag, `agentbox prune --provider hetzner`, the install-script post-Chromium trace mystery). Filename uses the user-requested spelling.
 - [`docs/vercel-backlog.md`](./docs/vercel-backlog.md) — Vercel provider build-out status: why Vercel's shape differs (no Dockerfile, no containers, no SSH, persistent snapshots), phase-by-phase progress, and the live-verify checklist (user mapping, attach latency / ttyd upgrade, snapshot-vs-delete cascade, VNC on AL2023, published-CLI asset staging).
+- [`docs/linux-host-backlog.md`](./docs/linux-host-backlog.md) — Linux (Ubuntu) **host** support: what's done (`agentbox doctor` is Linux-aware), how to test on a persistent Hetzner Ubuntu VM (`scripts/linux-dev-vm.sh` — `up`/`deploy`/`ssh`/`doctor`/`down`), and the remaining macOS-only host assumptions (browser `open`→`xdg-open`, iTerm2/AppleScript terminal spawning, OrbStack-only fast paths).
diff --git a/apps/cli/src/commands/_cloud-agent-create.ts b/apps/cli/src/commands/_cloud-agent-create.ts
index a4c9e7e..d61a05f 100644
--- a/apps/cli/src/commands/_cloud-agent-create.ts
+++ b/apps/cli/src/commands/_cloud-agent-create.ts
@@ -16,10 +16,10 @@
  * only runs when the caller pre-resolved a non-docker provider.
  */
 
-import { log, outro } from '@clack/prompts';
 import type { BoxRecord, CreateBoxRequest, Provider } from '@agentbox/core';
 import type { AttachOpenIn } from '@agentbox/config';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { cloudAgentAttach } from './_cloud-attach.js';
 
 export interface CloudAgentCreateArgs {
@@ -71,12 +71,7 @@ export async function cloudAgentCreate(args: CloudAgentCreateArgs): Promise<void
       typeof result.record.projectIndex === 'number'
         ? `  ·  n ${String(result.record.projectIndex)}`
         : '';
-    s.stop(`box ${result.record.name} ready${nSuffix}`);
-    log.info(`id:        ${result.record.id}`);
-    log.info(`provider:  ${result.record.provider}`);
-    if (result.record.cloud?.sandboxId) {
-      log.info(`sandboxId: ${result.record.cloud.sandboxId}`);
-    }
+    s.stop(`box ready${nSuffix}`);
     let extraArgs = args.extraArgs;
     if (args.beforeStart) {
       const hook = await args.beforeStart(result.record);
@@ -84,13 +79,22 @@ export async function cloudAgentCreate(args: CloudAgentCreateArgs): Promise<void
         extraArgs = [...hook.agentArgsPrefix, ...(extraArgs ?? [])];
       }
     }
+    await printLaunchRecap({
+      record: result.record,
+      mode: args.mode,
+      reattach:
+        typeof result.record.projectIndex === 'number'
+          ? String(result.record.projectIndex)
+          : result.record.name,
+      workspacePath: args.request.workspacePath,
+      fromBranch: args.request.fromBranch,
+      useBranch: args.request.useBranch,
+      checkpointRef: args.request.checkpointRef,
+      attaching: args.attach !== false,
+    });
     if (args.attach === false) {
-      outro(
-        `session not started — attach with: agentbox ${args.mode} attach ${result.record.name}`,
-      );
       return;
     }
-    outro(`attaching ${args.mode} — Control+a d to detach, leaves the agent running`);
     await cloudAgentAttach({
       box: result.record,
       binary: args.binary,
diff --git a/apps/cli/src/commands/claude.ts b/apps/cli/src/commands/claude.ts
index 6964d00..fdbe98f 100644
--- a/apps/cli/src/commands/claude.ts
+++ b/apps/cli/src/commands/claude.ts
@@ -63,6 +63,7 @@ import {
 } from '../session-teleport/index.js';
 import { clampSpinnerLine } from '../spinner-line.js';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { maybeShowInstallHint } from '../lib/install-hint.js';
 import { openCommandLog } from '../lib/log-file.js';
 import { resolveLimits } from '../limits.js';
@@ -816,20 +817,26 @@ export const claudeCommand = new Command('claude')
         typeof result.record.projectIndex === 'number'
           ? `  ·  n ${String(result.record.projectIndex)}`
           : '';
-      s.stop(`box ${result.record.container} ready${nSuffix}`);
+      s.stop(`box ready${nSuffix}`);
       logPrune(rebuild);
       for (const f of rebuild.failed) {
         log.warn(`plugin install failed for ${f.dir}; claude may still load it. stderr:\n${f.stderr.trim()}`);
       }
       maybeShowInstallHint();
 
+      await printLaunchRecap({
+        record: result.record,
+        mode: 'claude',
+        reattach: reattachRef(result.record),
+        workspacePath: opts.workspace,
+        fromBranch,
+        useBranch,
+        checkpointRef,
+        attaching: opts.attach !== false,
+      });
       if (opts.attach === false) {
-        outro(
-          `session started — attach with: agentbox claude attach ${reattachRef(result.record)}`,
-        );
         return;
       }
-      outro('attaching — Control+a d to detach, leaves claude running');
       await attachClaudeWrapped(
         result.record,
         sessionName,
diff --git a/apps/cli/src/commands/code.ts b/apps/cli/src/commands/code.ts
index eb9c7e2..4150e70 100644
--- a/apps/cli/src/commands/code.ts
+++ b/apps/cli/src/commands/code.ts
@@ -1,6 +1,7 @@
 import { spawn } from 'node:child_process';
 import { log } from '@clack/prompts';
 import { Command, InvalidArgumentError } from 'commander';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import type { BoxRecord } from '@agentbox/core';
 import type { StatusReply, WaitReadyReply } from '@agentbox/ctl';
 import { loadEffectiveConfig, type IdeFlavor as ConfigIdeFlavor, type UserConfig } from '@agentbox/config';
@@ -307,10 +308,10 @@ async function launchOne(flavor: IdeFlavor, folderUri: string): Promise<LaunchRe
   const cliCode = await spawnCommand(profile.cli, ['--folder-uri', folderUri]);
   if (cliCode !== 127) return { code: cliCode, flavor, via: 'cli' };
   log.warn(
-    `\`${profile.cli}\` not found in PATH; falling back to \`open ${profile.protocolScheme}://...\` (the %2B URL-encoding bug may break attach)`,
+    `\`${profile.cli}\` not found in PATH; falling back to \`${hostOpenCommand()} ${profile.protocolScheme}://...\` (the %2B URL-encoding bug may break attach)`,
   );
   const url = `${profile.protocolScheme}://${folderUri.replace(/^vscode-remote:\/\//, 'vscode-remote/')}`;
-  const fallback = await spawnCommand('open', [url]);
+  const fallback = await spawnCommand(hostOpenCommand(), [url]);
   return { code: fallback, flavor, via: 'open' };
 }
 
diff --git a/apps/cli/src/commands/codex.ts b/apps/cli/src/commands/codex.ts
index e1a466b..77f2695 100644
--- a/apps/cli/src/commands/codex.ts
+++ b/apps/cli/src/commands/codex.ts
@@ -63,6 +63,7 @@ import {
 } from '../session-teleport/index.js';
 import { clampSpinnerLine } from '../spinner-line.js';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { openCommandLog } from '../lib/log-file.js';
 import { resolveLimits } from '../limits.js';
 import { maybePromptPortless } from '../portless-prompt.js';
@@ -694,15 +695,21 @@ export const codexCommand = new Command('codex')
         typeof result.record.projectIndex === 'number'
           ? `  ·  n ${String(result.record.projectIndex)}`
           : '';
-      s.stop(`box ${result.record.container} ready${nSuffix}`);
+      s.stop(`box ready${nSuffix}`);
 
+      await printLaunchRecap({
+        record: result.record,
+        mode: 'codex',
+        reattach: reattachRef(result.record),
+        workspacePath: opts.workspace,
+        fromBranch,
+        useBranch,
+        checkpointRef,
+        attaching: opts.attach !== false,
+      });
       if (opts.attach === false) {
-        outro(
-          `session started — attach with: agentbox codex attach ${reattachRef(result.record)}`,
-        );
         return;
       }
-      outro('attaching — Control+a d to detach, leaves codex running');
       await attachCodexWrapped(
         result.record,
         sessionName,
diff --git a/apps/cli/src/commands/dashboard.ts b/apps/cli/src/commands/dashboard.ts
index 1e8754c..88a85fe 100644
--- a/apps/cli/src/commands/dashboard.ts
+++ b/apps/cli/src/commands/dashboard.ts
@@ -31,7 +31,7 @@ import {
   waitForTmuxPaneContent,
   type ListedBox,
 } from '@agentbox/sandbox-docker';
-import { readState } from '@agentbox/sandbox-core';
+import { hostOpenCommand, readState } from '@agentbox/sandbox-core';
 import type { BoxRecord } from '@agentbox/core';
 import { resolveBoxOrExit } from '../box-ref.js';
 import { resolveClaudeAuth } from '../auth.js';
@@ -557,9 +557,9 @@ export const dashboardCommand = new Command('dashboard')
         } catch {
           // Best-effort — still open the viewer even if the box isn't running.
         }
-        detach('open', [url]);
+        detach(hostOpenCommand(), [url]);
         if (exposedWebUrl) {
-          detach('open', [exposedWebUrl]);
+          detach(hostOpenCommand(), [exposedWebUrl]);
           return 'Opening VNC + web in browser…';
         }
         return 'Opening VNC in browser…';
@@ -569,7 +569,7 @@ export const dashboardCommand = new Command('dashboard')
         const box = (await listBoxes()).find((b) => b.id === boxId);
         if (!box) return 'box not found';
         const { url } = webTarget(box);
-        detach('open', [url]);
+        detach(hostOpenCommand(), [url]);
         return `Opening ${url.replace(/^https?:\/\//, '')}…`;
       };
 
diff --git a/apps/cli/src/commands/open.ts b/apps/cli/src/commands/open.ts
index 6d9798b..d37730e 100644
--- a/apps/cli/src/commands/open.ts
+++ b/apps/cli/src/commands/open.ts
@@ -4,6 +4,7 @@ import { existsSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import type { BoxRecord } from '@agentbox/core';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import { openBoxInFinder } from '@agentbox/sandbox-docker';
 import { Command } from 'commander';
 import { resolveBoxOrExit } from '../box-ref.js';
@@ -156,9 +157,10 @@ async function runCloudOpen(
   if (mount.exitCode !== 0) {
     throw new Error(`sshfs mount failed (exit ${String(mount.exitCode)}): ${mount.stderr || mount.stdout}`);
   }
-  // `open` on macOS reveals the dir in Finder. On non-macOS this is a no-op
-  // / error — degrade silently because the mount path is already printed.
-  await execa('open', [mountRoot], { reject: false });
+  // Reveal the mount in the OS file manager (Finder on macOS, the default
+  // handler via xdg-open on Linux). Best-effort — the mount path is already
+  // printed, so a missing opener degrades silently.
+  await execa(hostOpenCommand(), [mountRoot], { reject: false });
   process.stdout.write(`opened ${mountRoot}\n`);
   process.stdout.write(`unmount later with: agentbox open ${box.name} --unmount\n`);
 }
diff --git a/apps/cli/src/commands/opencode.ts b/apps/cli/src/commands/opencode.ts
index 3688562..4d0ce54 100644
--- a/apps/cli/src/commands/opencode.ts
+++ b/apps/cli/src/commands/opencode.ts
@@ -56,6 +56,7 @@ import { providerForCreate } from '../provider/registry.js';
 import { prepareTeleport, TeleportError } from '../session-teleport/index.js';
 import { clampSpinnerLine } from '../spinner-line.js';
 import { makeProgressReporter } from '../lib/progress.js';
+import { printLaunchRecap } from '../lib/launch-recap.js';
 import { openCommandLog } from '../lib/log-file.js';
 import { resolveLimits } from '../limits.js';
 import { maybePromptPortless } from '../portless-prompt.js';
@@ -620,15 +621,21 @@ export const opencodeCommand = new Command('opencode')
         typeof result.record.projectIndex === 'number'
           ? `  ·  n ${String(result.record.projectIndex)}`
           : '';
-      s.stop(`box ${result.record.container} ready${nSuffix}`);
+      s.stop(`box ready${nSuffix}`);
 
+      await printLaunchRecap({
+        record: result.record,
+        mode: 'opencode',
+        reattach: reattachRef(result.record),
+        workspacePath: opts.workspace,
+        fromBranch,
+        useBranch,
+        checkpointRef,
+        attaching: opts.attach !== false,
+      });
       if (opts.attach === false) {
-        outro(
-          `session started — attach with: agentbox opencode attach ${reattachRef(result.record)}`,
-        );
         return;
       }
-      outro('attaching — Control+a d to detach, leaves opencode running');
       await attachOpencodeWrapped(
         result.record,
         sessionName,
diff --git a/apps/cli/src/commands/screen.ts b/apps/cli/src/commands/screen.ts
index c30ffd9..09446a2 100644
--- a/apps/cli/src/commands/screen.ts
+++ b/apps/cli/src/commands/screen.ts
@@ -1,5 +1,6 @@
 import { spawnSync } from 'node:child_process';
 import { log } from '@clack/prompts';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   buildVncUrls,
   detectEngine,
@@ -173,7 +174,7 @@ export const screenCommand = new Command('screen')
         return;
       }
 
-      const opened = spawnSync('open', [url], { stdio: 'inherit' });
+      const opened = spawnSync(hostOpenCommand(), [url], { stdio: 'inherit' });
       if (opened.status !== 0) {
         throw new Error(`open ${url} failed (exit ${String(opened.status ?? 'n/a')})`);
       }
diff --git a/apps/cli/src/commands/url.ts b/apps/cli/src/commands/url.ts
index db43946..8bd96a1 100644
--- a/apps/cli/src/commands/url.ts
+++ b/apps/cli/src/commands/url.ts
@@ -1,5 +1,6 @@
 import { spawnSync } from 'node:child_process';
 import { log } from '@clack/prompts';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   detectEngine,
   getBoxHostPaths,
@@ -119,7 +120,7 @@ export const urlCommand = new Command('url')
         return;
       }
 
-      const opened = spawnSync('open', [url], { stdio: 'inherit' });
+      const opened = spawnSync(hostOpenCommand(), [url], { stdio: 'inherit' });
       if (opened.status !== 0) {
         throw new Error(`open ${url} failed (exit ${String(opened.status ?? 'n/a')})`);
       }
diff --git a/apps/cli/src/lib/doctor-checks.ts b/apps/cli/src/lib/doctor-checks.ts
index a57c0b0..1d32f7b 100644
--- a/apps/cli/src/lib/doctor-checks.ts
+++ b/apps/cli/src/lib/doctor-checks.ts
@@ -71,7 +71,13 @@ function checkNode(): CheckResult {
 }
 
 function checkPlatform(): CheckResult {
-  return { label: 'platform', status: 'ok', detail: `${process.platform}/${process.arch}` };
+  const supported = process.platform === 'darwin' || process.platform === 'linux';
+  return {
+    label: 'platform',
+    status: supported ? 'ok' : 'warn',
+    detail: `${process.platform}/${process.arch}`,
+    hint: supported ? undefined : 'agentbox supports macOS and Linux hosts; this OS is untested',
+  };
 }
 
 function checkAgentboxHome(): CheckResult {
@@ -121,6 +127,7 @@ export async function runSystemChecks(): Promise<CheckResult[]> {
 }
 
 async function dockerChecks(): Promise<CheckResult[]> {
+  const linux = process.platform === 'linux';
   const cli = await probeVersion('docker');
   if (!cli) {
     return [
@@ -128,23 +135,38 @@ async function dockerChecks(): Promise<CheckResult[]> {
         label: 'docker cli',
         status: 'warn',
         detail: 'not found',
-        hint: 'install Docker Desktop, OrbStack, or docker engine',
+        hint: linux
+          ? 'install docker engine: https://docs.docker.com/engine/install/'
+          : 'install Docker Desktop, OrbStack, or docker engine',
       },
     ];
   }
   const cliRes: CheckResult = { label: 'docker cli', status: 'ok', detail: cli };
 
   // Daemon reachability via `docker info` (same probe pattern as
-  // packages/sandbox-docker/src/docker.ts:dockerInfo).
+  // packages/sandbox-docker/src/docker.ts:dockerInfo). On Linux the most common
+  // failure is not a stopped daemon but the user missing from the `docker`
+  // group — `docker info` then exits non-zero with "permission denied" on the
+  // socket. Distinguish the two so the hint points at the right fix.
   const info = await execa('docker', ['info'], { reject: false });
   if (info.exitCode !== 0) {
+    const permDenied = `${info.stderr ?? ''}`.toLowerCase().includes('permission denied');
+    let hint: string;
+    if (permDenied && linux) {
+      hint =
+        'add your user to the docker group: `sudo usermod -aG docker $USER`, then log out/in (or run `newgrp docker`)';
+    } else if (linux) {
+      hint = 'start Docker: `sudo systemctl start docker` (install docker engine if missing)';
+    } else {
+      hint = 'start Docker (Desktop / OrbStack)';
+    }
     return [
       cliRes,
       {
         label: 'docker daemon',
         status: 'warn',
-        detail: 'unreachable',
-        hint: 'start Docker (Desktop / OrbStack / `systemctl start docker`)',
+        detail: permDenied ? 'permission denied' : 'unreachable',
+        hint,
       },
     ];
   }
diff --git a/apps/cli/src/lib/launch-recap.ts b/apps/cli/src/lib/launch-recap.ts
new file mode 100644
index 0000000..0849aac
--- /dev/null
+++ b/apps/cli/src/lib/launch-recap.ts
@@ -0,0 +1,86 @@
+/**
+ * `printLaunchRecap` — the single bordered "card" shown after an agent box is
+ * provisioned, replacing the old scatter of `●` rows (`id:`/`provider:`/
+ * `sandboxId:`) and the split detach/reattach hints. Rendered identically for
+ * docker and cloud, for `claude` / `codex` / `opencode` / `shell`, so the
+ * post-create surface stays consistent across every launch path.
+ *
+ * The card shows the box name (+ source checkpoint when started from one), the
+ * project folder (the dir that actually held `agentbox.yaml`, which may be a
+ * parent of cwd), the `from → to` branch mapping, and the detach/reattach
+ * instructions on the last line.
+ */
+import { homedir } from 'node:os';
+import { note } from '@clack/prompts';
+import type { BoxRecord } from '@agentbox/core';
+import { currentHostBranch } from './from-branch.js';
+
+export interface LaunchRecapArgs {
+  record: BoxRecord;
+  mode: 'claude' | 'codex' | 'opencode' | 'shell';
+  /** Reattach ref shown in the hint: the per-project index `n` or the box name. */
+  reattach: string;
+  /** Host repo path — used to resolve the base branch label when none was given. */
+  workspacePath: string;
+  /** Resolved `--from-branch` (base ref), if any. */
+  fromBranch?: string;
+  /** Resolved `--use-branch` (reused existing branch), if any. */
+  useBranch?: string;
+  /** Source checkpoint the box started from, when applicable. */
+  checkpointRef?: string;
+  /** true → attaching now (detach hint); false → background create (attach hint). */
+  attaching: boolean;
+}
+
+/** Collapse an absolute path under $HOME to a `~/…` form for display. */
+function homeShorten(p: string): string {
+  const home = homedir();
+  return p === home || p.startsWith(home + '/') ? '~' + p.slice(home.length) : p;
+}
+
+/**
+ * clack's `note` wraps every body line in `color.dim`, which renders dark gray.
+ * Prefix each line with reset + bright-white so the recap reads in plain white;
+ * the leading reset cancels the dim attribute clack opened. `strip-ansi` length
+ * (clack's padding math) ignores these codes, so box alignment is unaffected.
+ */
+function whiten(text: string): string {
+  if (process.env.NO_COLOR) return text;
+  return text
+    .split('\n')
+    .map((line) => `\x1b[0m\x1b[97m${line}\x1b[0m`)
+    .join('\n');
+}
+
+export async function printLaunchRecap(args: LaunchRecapArgs): Promise<void> {
+  const { record } = args;
+  const rows: Array<[string, string]> = [];
+
+  rows.push([
+    'box',
+    args.checkpointRef ? `${record.name} (${args.checkpointRef})` : record.name,
+  ]);
+
+  if (record.projectRoot) {
+    rows.push(['project', homeShorten(record.projectRoot)]);
+  }
+
+  const toBranch = record.gitWorktrees?.find((w) => w.kind === 'root')?.branch;
+  if (toBranch) {
+    if (args.useBranch) {
+      rows.push(['branch', `${toBranch} (reused)`]);
+    } else {
+      const base = args.fromBranch ?? (await currentHostBranch(args.workspacePath)) ?? 'HEAD';
+      rows.push(['branch', `${base} → ${toBranch}`]);
+    }
+  }
+
+  const pad = Math.max(...rows.map(([label]) => label.length)) + 2;
+  const body = rows.map(([label, value]) => `${label.padEnd(pad)}${value}`).join('\n');
+
+  const instruction = args.attaching
+    ? `Ctrl+a d to detach. Reattach with: agentbox ${args.mode} attach ${args.reattach}`
+    : `Attach with: agentbox ${args.mode} attach ${args.reattach}`;
+
+  note(whiten(`${body}\n\n${instruction}`));
+}
diff --git a/apps/cli/src/lib/paste-image.ts b/apps/cli/src/lib/paste-image.ts
index 4b8fb81..58d54fd 100644
--- a/apps/cli/src/lib/paste-image.ts
+++ b/apps/cli/src/lib/paste-image.ts
@@ -11,7 +11,7 @@
  * "paste image from clipboard" binding reads the now-populated selection.
  *
  * All steps go through the provider-neutral `Provider` seam (`uploadPath` +
- * `exec`), so it works identically on docker / daytona / hetzner.
+ * `exec`), so it works identically on docker / daytona / hetzner / vercel.
  */
 
 import { rm } from 'node:fs/promises';
diff --git a/apps/cli/src/terminal/host.ts b/apps/cli/src/terminal/host.ts
index 0494807..c170f6c 100644
--- a/apps/cli/src/terminal/host.ts
+++ b/apps/cli/src/terminal/host.ts
@@ -8,8 +8,11 @@ export type HostTerminal = 'tmux' | 'iterm2' | 'unknown';
  * when nested — when `TMUX` is set, the tmux CLI is the right primitive (it can
  * split the current pane / open a new window without going through AppleScript).
  *
- * macOS-only by design: the CLI itself is macOS-only (see CLAUDE.md), so we
- * don't try to recognize gnome-terminal / alacritty / Windows Terminal.
+ * tmux is recognized on every host (macOS + Linux) — its CLI is the portable
+ * primitive. The iTerm2 path is macOS-only (it drives AppleScript). On Linux we
+ * deliberately don't recognize native emulators (gnome-terminal / alacritty /
+ * konsole) yet: outside tmux the caller falls back to attaching in the current
+ * terminal. See docs/linux-host-backlog.md.
  */
 export function detectHostTerminal(env: NodeJS.ProcessEnv = process.env): HostTerminal {
   const tmux = env['TMUX'];
@@ -105,7 +108,7 @@ async function spawnInTmux(args: SpawnInNewTerminalArgs): Promise<SpawnInNewTerm
   }
   return {
     launched: true,
-    note: `Attached in new ${noteKind} — Ctrl+a d to detach the box's tmux session.`,
+    note: `Attached in new ${noteKind}.`,
   };
 }
 
@@ -166,7 +169,7 @@ async function spawnInITerm2(args: SpawnInNewTerminalArgs): Promise<SpawnInNewTe
   }
   return {
     launched: true,
-    note: `Attached in new ${noteKind} — Ctrl+a d to detach the box's tmux session.`,
+    note: `Attached in new ${noteKind}.`,
   };
 }
 
diff --git a/apps/cli/src/wrapped-pty/input-router.ts b/apps/cli/src/wrapped-pty/input-router.ts
index a23f848..17f09a8 100644
--- a/apps/cli/src/wrapped-pty/input-router.ts
+++ b/apps/cli/src/wrapped-pty/input-router.ts
@@ -47,6 +47,7 @@ const KEY_N_UP = 0x4e;
 const KEY_LEADER = 0x01; // Ctrl-a
 const KEY_CTRL_V = 0x16; // Ctrl-v — Claude Code's "paste image from clipboard"
 const KEY_A_LOW = 0x61; // 'a'
+const KEY_V_LOW = 0x76; // 'v'
 
 /**
  * A key decoded from an enhanced-keyboard escape sequence. TUIs like Claude Code
@@ -258,15 +259,18 @@ export function createInputRouter(opts: InputRouterOptions): InputRouter {
   };
 
   // Intercepted Ctrl+V: run the host→box image-paste hook, then re-emit the
-  // Ctrl+V so the inner program reads the (now-loaded) box clipboard. A press
-  // while one is in flight is dropped — the Ctrl+V was already swallowed by the
-  // caller, so there's nothing to forward.
-  const triggerPaste = (): void => {
+  // original keypress so the inner program reads the (now-loaded) box clipboard.
+  // `reemit` is the exact byte sequence we swallowed — a raw 0x16, or the CSI-u /
+  // modifyOtherKeys encoding when an enhanced keyboard protocol is active — so
+  // the inner program (Claude) sees the encoding it negotiated. A press while one
+  // is in flight is dropped — the Ctrl+V was already swallowed by the caller, so
+  // there's nothing to forward.
+  const triggerPaste = (reemit: Buffer): void => {
     if (pasteInFlight) return;
     pasteInFlight = true;
     const done = (): void => {
       pasteInFlight = false;
-      if (!disposed) opts.onForward(Buffer.from([KEY_CTRL_V]));
+      if (!disposed) opts.onForward(reemit);
     };
     void Promise.resolve()
       .then(() => onPasteImage?.())
@@ -333,11 +337,26 @@ export function createInputRouter(opts: InputRouterOptions): InputRouter {
           continue;
         }
       }
+      // Ctrl+V re-encoded by an enhanced keyboard protocol (kitty / modifyOtherKeys).
+      // The inner app (Claude) can flip this on, in which case the host terminal
+      // sends `ESC [ 118 ; 5 u` instead of a raw 0x16 — mirror the leader handling
+      // above so the paste hook still fires.
+      if (pasteEnabled && byte === KEY_ESC) {
+        const k = parseCsiKey(buf, i);
+        if (k && k.ctrl && k.code === KEY_V_LOW) {
+          flushChunk(i);
+          const seq = Buffer.from(buf.subarray(i, i + k.len));
+          i += k.len;
+          chunkStart = i; // swallow it; triggerPaste re-emits after the load
+          triggerPaste(seq);
+          continue;
+        }
+      }
       if (pasteEnabled && byte === KEY_CTRL_V) {
         flushChunk(i); // forward everything typed before the Ctrl+V
         i += 1;
         chunkStart = i; // swallow it; triggerPaste re-emits after the load
-        triggerPaste();
+        triggerPaste(Buffer.from([KEY_CTRL_V]));
         continue;
       }
       i += 1;
diff --git a/apps/cli/test/wrapped-pty/input-router.test.ts b/apps/cli/test/wrapped-pty/input-router.test.ts
index 55e15b5..6e1695a 100644
--- a/apps/cli/test/wrapped-pty/input-router.test.ts
+++ b/apps/cli/test/wrapped-pty/input-router.test.ts
@@ -368,6 +368,35 @@ describe('input router (Ctrl+V image paste)', () => {
     await flushMicrotasks();
     expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('abcd\x16'));
   });
+
+  it('intercepts kitty-encoded Ctrl+V (ESC[118;5u): re-emits the same sequence', async () => {
+    const s = pasteSetup();
+    s.router.feed(Buffer.from('\x1b[118;5u', 'latin1'));
+    await flushMicrotasks();
+    expect(s.calls()).toBe(1);
+    expect(s.forwarded).toHaveLength(0); // nothing forwarded until the load finishes
+    s.resolveAll();
+    await flushMicrotasks();
+    expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('\x1b[118;5u', 'latin1'));
+  });
+
+  it('intercepts modifyOtherKeys Ctrl+V (ESC[27;5;118~)', async () => {
+    const s = pasteSetup();
+    s.router.feed(Buffer.from('\x1b[27;5;118~', 'latin1'));
+    await flushMicrotasks();
+    expect(s.calls()).toBe(1);
+    s.resolveAll();
+    await flushMicrotasks();
+    expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('\x1b[27;5;118~', 'latin1'));
+  });
+
+  it('does NOT intercept a non-ctrl kitty "v" (ESC[118u) — forwards verbatim', async () => {
+    const s = pasteSetup();
+    s.router.feed(Buffer.from('\x1b[118u', 'latin1'));
+    await flushMicrotasks();
+    expect(s.calls()).toBe(0);
+    expect(Buffer.concat(s.forwarded)).toEqual(Buffer.from('\x1b[118u', 'latin1'));
+  });
 });
 
 describe('input router (enhanced keyboard: kitty / modifyOtherKeys)', () => {
diff --git a/apps/web/CLAUDE.md b/apps/web/CLAUDE.md
new file mode 100644
index 0000000..9e3c7fb
--- /dev/null
+++ b/apps/web/CLAUDE.md
@@ -0,0 +1,41 @@
+# apps/web — marketing site
+
+The public marketing/landing site for AgentBox. Deployed on Vercel.
+
+## What it is
+
+- A **hand-written static site**, NOT a framework (no Astro/Vite/Next/React).
+- The whole site is a single file: **`index.html`** — markup plus one big inline `<style>` block (no external CSS, no build step for the page itself).
+- `public/` is a **literal subfolder**, not a framework-managed asset root.
+
+## Layout
+
+- `index.html` — the entire page (head + inline CSS + body). Edit this directly.
+- `public/` — static assets:
+  - `logo.svg`, `logo.png`
+  - `favicon-16x16.png`, `favicon-32x32.png`, `favicon-256x256.png`
+  - `site.webmanifest` — PWA manifest (icons + theme colors)
+- `vercel.json` — deploy config.
+
+## Asset URLs — important
+
+`vercel.json` sets `"outputDirectory": "."`, so Vercel serves **this folder (`apps/web/`) as the site root**. There is no step that hoists `public/` to `/`. Therefore:
+
+- Reference assets with the **`/public/` prefix**, e.g. `href="/public/favicon-32x32.png"`, `src="/public/logo.svg"`.
+- Do NOT use `/favicon-32x32.png` (that 404s in production).
+
+`vercel.json` also sets `"cleanUrls": true` (strips `.html` from page URLs; does not affect asset paths).
+
+## Build
+
+The page needs no build. `buildCommand` only copies JSON schemas into `schema/` for the docs:
+
+```
+mkdir -p schema && cp ../../packages/ctl/schema/agentbox.schema.json ../../packages/config/schema/user-config.schema.json schema/
+```
+
+## Conventions
+
+- Keep styling in the single inline `<style>` block in `index.html`; match the existing CSS-variable design tokens (`:root { --paper, --ink, --accent: #128a4f, ... }`).
+- No emojis in output unless asked.
+- When adding assets, drop the file in `public/` and reference it as `/public/<name>`.
diff --git a/apps/web/index.html b/apps/web/index.html
index 6b85714..f79d570 100644
--- a/apps/web/index.html
+++ b/apps/web/index.html
@@ -4,6 +4,12 @@
 <meta charset="UTF-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 <title>AgentBox — Teleport for agents</title>
+<link rel="icon" type="image/svg+xml" href="/public/logo.svg" />
+<link rel="icon" type="image/png" sizes="32x32" href="/public/favicon-32x32.png" />
+<link rel="icon" type="image/png" sizes="16x16" href="/public/favicon-16x16.png" />
+<link rel="apple-touch-icon" sizes="256x256" href="/public/favicon-256x256.png" />
+<link rel="manifest" href="/public/site.webmanifest" />
+<meta name="theme-color" content="#f6f6f3" />
 <link rel="preconnect" href="https://fonts.googleapis.com" />
 <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
 <link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@400;500;600&family=IBM+Plex+Sans:wght@400;450;500;600&display=swap" rel="stylesheet" />
diff --git a/apps/web/public/favicon-16x16.png b/apps/web/public/favicon-16x16.png
new file mode 100644
index 0000000..4037f01
Binary files /dev/null and b/apps/web/public/favicon-16x16.png differ
diff --git a/apps/web/public/favicon-256x256.png b/apps/web/public/favicon-256x256.png
new file mode 100644
index 0000000..970eba7
Binary files /dev/null and b/apps/web/public/favicon-256x256.png differ
diff --git a/apps/web/public/favicon-32x32.png b/apps/web/public/favicon-32x32.png
new file mode 100644
index 0000000..3304535
Binary files /dev/null and b/apps/web/public/favicon-32x32.png differ
diff --git a/apps/web/public/logo.png b/apps/web/public/logo.png
new file mode 100644
index 0000000..aeb3836
Binary files /dev/null and b/apps/web/public/logo.png differ
diff --git a/apps/web/public/logo.svg b/apps/web/public/logo.svg
new file mode 100644
index 0000000..74f7c92
--- /dev/null
+++ b/apps/web/public/logo.svg
@@ -0,0 +1,5 @@
+<svg width="385" height="382" viewBox="0 0 385 382" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M325 16H59C35.804 16 17 34.804 17 58V324C17 347.196 35.804 366 59 366H325C348.196 366 367 347.196 367 324V58C367 34.804 348.196 16 325 16Z" fill="#F6F6F3" stroke="#161A20" stroke-width="31"/>
+<path d="M255 191H129V317H255V191Z" stroke="#161A20" stroke-width="10"/>
+<path d="M236 210H148V298H236V210Z" fill="#161A20"/>
+</svg>
diff --git a/apps/web/public/site.webmanifest b/apps/web/public/site.webmanifest
new file mode 100644
index 0000000..13d1950
--- /dev/null
+++ b/apps/web/public/site.webmanifest
@@ -0,0 +1,20 @@
+{
+	"name": "AgentBox",
+	"short_name": "AgentBox",
+	"description": "Isolated sandboxes for coding agents",
+	"icons": [
+		{
+			"src": "/public/favicon-32x32.png",
+			"type": "image/png",
+			"sizes": "32x32"
+		},
+		{
+			"src": "/public/favicon-256x256.png",
+			"type": "image/png",
+			"sizes": "256x256"
+		}
+	],
+	"theme_color": "#f6f6f3",
+	"background_color": "#f6f6f3",
+	"display": "standalone"
+}
diff --git a/docs/linux-host-backlog.md b/docs/linux-host-backlog.md
new file mode 100644
index 0000000..8085ad8
--- /dev/null
+++ b/docs/linux-host-backlog.md
@@ -0,0 +1,112 @@
+# Linux host support — backlog
+
+AgentBox's CLI grew up assuming a **macOS host**. We now want it to also run on a
+**Linux host (primarily Ubuntu)** — i.e. a developer driving `agentbox` from a Linux
+laptop/server, spinning up docker/cloud boxes from there. This file tracks what
+already works, what's been fixed, and the remaining macOS-only host assumptions.
+
+> Scope note: this is about the **host** running the CLI. The *boxes* (docker
+> images, cloud VMs) have always been Linux — that part is unaffected.
+
+## Done
+
+- **`agentbox doctor` is Linux-aware** (`apps/cli/src/lib/doctor-checks.ts`):
+  - `checkPlatform()` returns `ok` for `darwin`/`linux`, `warn` for any other OS
+    (Windows etc.) with an "untested OS" hint — instead of blindly reporting `ok`.
+  - The docker-cli "not found" hint is platform-specific (Linux points at
+    `https://docs.docker.com/engine/install/`).
+  - The docker **daemon** check now distinguishes the #1 Linux failure — `docker
+    info` exiting with *permission denied* because the user isn't in the `docker`
+    group — from a genuinely stopped daemon, and emits the right fix
+    (`sudo usermod -aG docker $USER` vs `sudo systemctl start docker`).
+  - Verified live on a clean Ubuntu 24.04 Hetzner VM (see below): both the
+    permission-denied branch and the healthy `reachable` path render correctly,
+    and the daytona/hetzner/vercel credential checks run without crashing.
+
+- **Host browser/file opening uses `xdg-open` on Linux.** Added
+  `hostOpenCommand()` to `@agentbox/sandbox-core` (`darwin` -> `open`, `linux` ->
+  `xdg-open`) with a unit test, and routed every host-side launcher through it
+  instead of the hardcoded macOS `open`:
+  - apps/cli: `url`, `screen`, `code` (CLI-missing fallback), `open` (sshfs mount
+    reveal), `dashboard` (VNC/web/code openers)
+  - relay: the box-initiated "open link on host" path (`host-actions.ts`,
+    `server.ts`)
+  - cloud login dashboards: daytona / vercel / hetzner `credentials.ts`
+  - `sandbox-docker` checkpoint/export reveal (`host-export.ts`)
+  - Verified live on the Ubuntu VM: `agentbox url <box>` launches via `xdg-open`
+    (not `open`) — see the dev-VM E2E below.
+
+- **Terminal attach on Linux: tmux only (by decision).** `detectHostTerminal()`
+  recognizes tmux via `$TMUX` on every host, so attach-in-new-window/pane works on
+  Linux when you're inside tmux. The iTerm2 path (`spawnInITerm2()` →
+  `osascript`, `apps/cli/src/terminal/host.ts`) stays macOS-only. We deliberately
+  do **not** recognize native Linux emulators (gnome-terminal / alacritty /
+  konsole) for now: outside tmux the caller falls back to attaching in the current
+  terminal (and `agentbox fork` passes `--no-attach`). Revisit only if there's
+  demand for native-emulator spawning.
+
+## How to test on Linux
+
+`scripts/linux-dev-vm.sh` manages a **persistent** clean Ubuntu VM on Hetzner
+(`cx23` / `nbg1` / `ubuntu-24.04` — the repo's hetzner defaults; cloud-init
+installs Node 20 + docker + git + tmux and a non-root `dev` user in the docker
+group with passwordless sudo). It is a bare VPS you log into and drive the CLI on
+— **not** an agentbox box. State (server id / ip / key) lives in
+`~/.agentbox/linux-dev-vm/`, so the VM survives across edit→deploy→test cycles
+until you explicitly `down` it.
+
+```bash
+scripts/linux-dev-vm.sh up                 # create (idempotent — reuses a live VM)
+scripts/linux-dev-vm.sh deploy             # build + npm pack + install -g the latest CLI
+scripts/linux-dev-vm.sh deploy --no-build  # reuse an existing dist/
+scripts/linux-dev-vm.sh ssh                # interactive shell as `dev`
+scripts/linux-dev-vm.sh ssh -- agentbox ls # run a one-off command
+scripts/linux-dev-vm.sh doctor             # two-phase doctor (perm-denied + healthy)
+scripts/linux-dev-vm.sh info               # server id / ip / ssh command
+scripts/linux-dev-vm.sh down               # destroy server + key + local state
+```
+
+`HCLOUD_TOKEN` is read from the env, then `.env.local`, then
+`~/.agentbox/secrets.env`.
+
+Notes learned the hard way:
+- Run the CLI via a **login shell** (`su - <user> -c …` / `ssh dev@…`), not
+  `sudo -u <user> <bin>` — the latter hands the node process a reduced PATH where
+  `/usr/bin` tools (git/ssh/docker) and the npm global bin aren't all resolvable,
+  so `doctor` falsely reports them "not found".
+- The `doctor` subcommand creates a throwaway `probe` user (no docker group) to
+  exercise the *permission denied* daemon branch, then runs as `dev` (in the
+  group) for the healthy path.
+
+Manual recipe (any Ubuntu host, no script):
+```bash
+# on the host
+pnpm -w build && (cd apps/cli && npm pack)        # -> madarco-agentbox-*.tgz
+scp madarco-agentbox-*.tgz user@host:~
+# on the Ubuntu box
+sudo npm install -g ./madarco-agentbox-*.tgz
+agentbox doctor                                   # inspect the report
+```
+
+## Open blockers (not yet done — host code still macOS-only)
+
+These were found while scoping the doctor change. None are needed for `doctor`
+itself; they block the wider "drive everything from Linux" goal.
+
+- **OrbStack-only fast paths assume macOS** and should be skipped on Linux (OrbStack
+  is macOS-only; on Linux the docker socket / volume paths differ):
+  - `packages/sandbox-docker/src/host-export.ts` (`orbstackVolumePath`, ~L138)
+  - `packages/sandbox-docker/src/stats.ts:77`
+- **Docs / CLAUDE.md still describe the CLI as macOS-oriented** in places — update
+  the relevant statements once broader support lands.
+
+## Already cross-platform (verified — no work needed)
+
+- **Clipboard capture** (`apps/cli/src/lib/host-clipboard.ts`) already has a Linux
+  path (`wl-paste` for Wayland, `xclip` for X11); the macOS `sips`/`osascript` path
+  is gated behind `process.platform === 'darwin'`.
+- **Vercel CLI store** (`packages/sandbox-vercel/src/cli-store.ts`) resolves
+  `$XDG_DATA_HOME` / `~/.local/share` on Linux.
+- **Snapshot copy** (`packages/sandbox-docker/src/snapshot.ts:105`) already branches
+  `-cR` (macOS APFS CoW) vs `-R` (Linux).
+- **State/config paths** (`~/.agentbox`, `~/.ssh/config`) are all `homedir()`-based.
diff --git a/docs/vercel-backlog.md b/docs/vercel-backlog.md
index 6d761fb..96a4078 100644
--- a/docs/vercel-backlog.md
+++ b/docs/vercel-backlog.md
@@ -262,8 +262,18 @@ agentbox/<box>` shows the commit, then try `agentbox-ctl git pull` and a `gh pr`
    hetzner unaffected). Verified live on a snapshot box: 6080 binds, `vnc.html`
    returns HTTP 200, web root `/usr/local/share/novnc`. The script is in the
    prepare context fingerprint, so the next `agentbox prepare` auto-rebakes.
-   (Minor follow-up: `autocutsel` isn't in the AL2023 bake, so VNC clipboard
-   sync is degraded there — the script already tolerates its absence.)
+   **Clipboard tooling resolved:** `xclip` and `autocutsel` are absent from the
+   AL2023 repos (unlike the Debian/Ubuntu apt path), which left the host->box
+   Ctrl+V image paste (`apps/cli/src/lib/paste-image.ts`) silently broken on
+   vercel and VNC clipboard sync degraded. `provision.sh` now builds both from
+   source (all deps in the AL2023 default repos), fail-loud. Requires a
+   re-`prepare` to take effect.
+   (Follow-up: building from source pulls a full toolchain into the bake and
+   adds ~minutes + snapshot size. We should instead ship pre-built `xclip` /
+   `autocutsel` binaries for AL2023 — bake them once and stage them as runtime
+   assets, the way the relay/ctl bins are staged — so the per-prepare bake just
+   drops the binaries in rather than compiling. Optionally `dnf remove` the
+   build toolchain after compiling in the meantime.)
 8. [x] **Attach is laggy.** Done — replaced the `send-keys`/`capture-pane` pump
    with the official Vercel `sandbox` CLI's real PTY. `buildVercelAttach` now emits
    `sbx exec --sudo [-i] --project <p> --scope <team> <name> -- sudo -u vscode -H
diff --git a/packages/core/src/identity.ts b/packages/core/src/identity.ts
new file mode 100644
index 0000000..1327713
--- /dev/null
+++ b/packages/core/src/identity.ts
@@ -0,0 +1,20 @@
+import { randomBytes } from 'node:crypto';
+
+/**
+ * Stable identity helpers shared across providers. Currently just the per-box
+ * id mint; checkpoint ids etc. can join later under their own prefix.
+ */
+
+/**
+ * Type tag prefixed to every minted box id so the kind is readable at a glance
+ * and id namespaces can grow without colliding (reserve `c` for checkpoints,
+ * etc.). The leading non-digit is load-bearing: it guarantees a box id is never
+ * an all-decimal string, which would otherwise collide with the per-project
+ * numeric index in `resolveBoxRef` (`agentbox open 4`) and make all-digit ids
+ * unresolvable.
+ */
+export const BOX_ID_PREFIX = 'b';
+
+export function generateBoxId(): string {
+  return `${BOX_ID_PREFIX}${randomBytes(4).toString('hex')}`;
+}
diff --git a/packages/core/src/index.ts b/packages/core/src/index.ts
index dcc70f9..8c49771 100644
--- a/packages/core/src/index.ts
+++ b/packages/core/src/index.ts
@@ -51,3 +51,4 @@ export type {
   CloudVolumeMount,
 } from './cloud-backend.js';
 export { AmbiguousBoxError, BoxNotFoundError } from './errors.js';
+export { BOX_ID_PREFIX, generateBoxId } from './identity.js';
diff --git a/packages/relay/src/host-actions.ts b/packages/relay/src/host-actions.ts
index e471ce8..a2b3c74 100644
--- a/packages/relay/src/host-actions.ts
+++ b/packages/relay/src/host-actions.ts
@@ -19,7 +19,7 @@ import { mkdtemp, rm } from 'node:fs/promises';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import type { CloudBackend, CloudHandle } from '@agentbox/core';
-import { findBox, readState } from '@agentbox/sandbox-core';
+import { findBox, hostOpenCommand, readState } from '@agentbox/sandbox-core';
 import {
   assertGhReady,
   checkoutGuards,
@@ -394,11 +394,11 @@ async function runBrowserOpenMirror(
       { ttlMs: TTL_MS },
     );
     if (verdict.answer === 'y' && !verdict.cancelled) {
-      // macOS `open` is the only supported launcher today (Daytona client is
-      // mac/Linux; on Linux the same call no-ops or errors — either way the
-      // box doesn't observe). Spawn detached so the relay loop isn't blocked.
+      // Open on the host's default handler (`open` on macOS, `xdg-open` on
+      // Linux). Spawn detached so the relay loop isn't blocked; the box never
+      // observes the outcome.
       const { spawn } = await import('node:child_process');
-      const child = spawn('open', [url], { stdio: 'ignore', detached: true });
+      const child = spawn(hostOpenCommand(), [url], { stdio: 'ignore', detached: true });
       child.unref();
     }
   } catch (err) {
diff --git a/packages/relay/src/server.ts b/packages/relay/src/server.ts
index 1b257eb..3b33eec 100644
--- a/packages/relay/src/server.ts
+++ b/packages/relay/src/server.ts
@@ -3,6 +3,7 @@ import { createServer, type IncomingMessage, type Server, type ServerResponse }
 import { executeCloudAction, refreshCloudPreviewUrl } from './host-actions.js';
 import { HostActionQueue } from './host-action-queue.js';
 import { BoxNotices } from './notices.js';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   assertGhReady,
   checkoutGuards,
@@ -569,7 +570,7 @@ export function createRelayServer(opts: RelayServerOptions): RelayServerHandle {
             )
               .then((verdict) => {
                 if (verdict.answer === 'y' && !verdict.cancelled) {
-                  void runHostCommand(['open', url], BROWSER_OPEN_RPC_TIMEOUT_MS);
+                  void runHostCommand([hostOpenCommand(), url], BROWSER_OPEN_RPC_TIMEOUT_MS);
                 }
               })
               .catch(() => {
diff --git a/packages/sandbox-cloud/src/cloud-provider.ts b/packages/sandbox-cloud/src/cloud-provider.ts
index 076a7e6..6489d1c 100644
--- a/packages/sandbox-cloud/src/cloud-provider.ts
+++ b/packages/sandbox-cloud/src/cloud-provider.ts
@@ -11,8 +11,8 @@
  * "no relay configured" error.
  */
 
-import { randomBytes } from 'node:crypto';
 import { basename } from 'node:path';
+import { generateBoxId } from '@agentbox/core';
 import type {
   AttachKind,
   AttachSpec,
@@ -248,7 +248,7 @@ export function createCloudProvider(
     name: string;
     branch: string;
   } {
-    const id = randomBytes(4).toString('hex');
+    const id = generateBoxId();
     const name = req.name ?? `${basename(req.workspacePath)}-${id}`;
     return {
       id,
diff --git a/packages/sandbox-core/src/host-open.ts b/packages/sandbox-core/src/host-open.ts
new file mode 100644
index 0000000..6250686
--- /dev/null
+++ b/packages/sandbox-core/src/host-open.ts
@@ -0,0 +1,13 @@
+/**
+ * The host command that opens a URL or file path in the OS default handler.
+ *
+ * macOS ships `open`; Linux uses `xdg-open` (from `xdg-utils`, present on any
+ * desktop install). We deliberately return only the binary name and let each
+ * call site keep its own spawn semantics (sync/async, stdio, detached) — the
+ * single platform decision lives here so adding a host platform is a one-line
+ * change. Callers already treat a non-zero exit / ENOENT as "couldn't
+ * auto-open" and print the target, so an absent `xdg-open` degrades cleanly.
+ */
+export function hostOpenCommand(): string {
+  return process.platform === 'linux' ? 'xdg-open' : 'open';
+}
diff --git a/packages/sandbox-core/src/index.ts b/packages/sandbox-core/src/index.ts
index 144234a..528589e 100644
--- a/packages/sandbox-core/src/index.ts
+++ b/packages/sandbox-core/src/index.ts
@@ -16,6 +16,7 @@ export {
   pickFreshBranch,
   type DetectedGitRepo,
 } from './git-detect.js';
+export { hostOpenCommand } from './host-open.js';
 export {
   computeContextSha256,
   DOCKER_CONTEXT_FILE_MAP,
diff --git a/packages/sandbox-core/test/host-open.test.ts b/packages/sandbox-core/test/host-open.test.ts
new file mode 100644
index 0000000..f05bdb9
--- /dev/null
+++ b/packages/sandbox-core/test/host-open.test.ts
@@ -0,0 +1,25 @@
+import { afterEach, describe, expect, it } from 'vitest';
+import { hostOpenCommand } from '../src/host-open.js';
+
+describe('hostOpenCommand', () => {
+  const original = process.platform;
+  const setPlatform = (value: NodeJS.Platform) =>
+    Object.defineProperty(process, 'platform', { value, configurable: true });
+
+  afterEach(() => setPlatform(original));
+
+  it('uses xdg-open on Linux', () => {
+    setPlatform('linux');
+    expect(hostOpenCommand()).toBe('xdg-open');
+  });
+
+  it('uses open on macOS', () => {
+    setPlatform('darwin');
+    expect(hostOpenCommand()).toBe('open');
+  });
+
+  it('falls back to open on other platforms', () => {
+    setPlatform('win32');
+    expect(hostOpenCommand()).toBe('open');
+  });
+});
diff --git a/packages/sandbox-daytona/src/credentials.ts b/packages/sandbox-daytona/src/credentials.ts
index bde2770..9b860c5 100644
--- a/packages/sandbox-daytona/src/credentials.ts
+++ b/packages/sandbox-daytona/src/credentials.ts
@@ -1,4 +1,5 @@
 import { spawnSync } from 'node:child_process';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   chmodSync,
   existsSync,
@@ -248,7 +249,7 @@ function persistCredentials(creds: Credentials): void {
 
 function openDashboard(): void {
   try {
-    const r = spawnSync('open', [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
+    const r = spawnSync(hostOpenCommand(), [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
     if (r.status !== 0) {
       log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);
     }
diff --git a/packages/sandbox-docker/src/create.ts b/packages/sandbox-docker/src/create.ts
index 45c5286..c5a2655 100644
--- a/packages/sandbox-docker/src/create.ts
+++ b/packages/sandbox-docker/src/create.ts
@@ -1,4 +1,3 @@
-import { randomBytes } from 'node:crypto';
 import { mkdir, stat } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { basename, join, resolve } from 'node:path';
@@ -73,7 +72,7 @@ import {
   type BoxRecord,
   type GitWorktreeRecord,
 } from './state.js';
-import type { ResolvedCarryEntry } from '@agentbox/core';
+import { generateBoxId, type ResolvedCarryEntry } from '@agentbox/core';
 import { createSnapshot, snapshotPathFor } from './snapshot.js';
 import { resolveCheckpoint } from './checkpoint.js';
 import {
@@ -261,10 +260,6 @@ function persistableLimits(
   return Object.keys(out).length > 0 ? out : undefined;
 }
 
-function generateBoxId(): string {
-  return randomBytes(4).toString('hex');
-}
-
 export function sanitizeBasename(workspacePath: string): string {
   const raw = basename(resolve(workspacePath));
   return raw
diff --git a/packages/sandbox-docker/src/host-export.ts b/packages/sandbox-docker/src/host-export.ts
index e5ee15e..33fe92a 100644
--- a/packages/sandbox-docker/src/host-export.ts
+++ b/packages/sandbox-docker/src/host-export.ts
@@ -3,6 +3,7 @@ import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { execa } from 'execa';
 import { sanitizeMnemonic } from '@agentbox/config';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import type { ResolvedCarryEntry } from '@agentbox/core';
 import type { BoxStatus } from '@agentbox/ctl';
 import { execInBox } from './docker.js';
@@ -673,7 +674,7 @@ export async function openInFinder(
   }
 
   if (!opts.noOpen) {
-    const opened = await execa('open', [hostPath], { reject: false });
+    const opened = await execa(hostOpenCommand(), [hostPath], { reject: false });
     if (opened.exitCode !== 0) {
       throw new ExportError(`open ${hostPath} failed`, opened.stdout, opened.stderr);
     }
diff --git a/packages/sandbox-hetzner/src/credentials.ts b/packages/sandbox-hetzner/src/credentials.ts
index 04e42f9..717251f 100644
--- a/packages/sandbox-hetzner/src/credentials.ts
+++ b/packages/sandbox-hetzner/src/credentials.ts
@@ -1,4 +1,5 @@
 import { spawnSync } from 'node:child_process';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   chmodSync,
   existsSync,
@@ -195,7 +196,7 @@ function persistCredentials(creds: Credentials): void {
 
 function openDashboard(): void {
   try {
-    const r = spawnSync('open', [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
+    const r = spawnSync(hostOpenCommand(), [DASHBOARD_KEYS_URL], { stdio: 'ignore' });
     if (r.status !== 0) {
       log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);
     }
diff --git a/packages/sandbox-vercel/scripts/provision.sh b/packages/sandbox-vercel/scripts/provision.sh
index c2b6f19..edd5705 100644
--- a/packages/sandbox-vercel/scripts/provision.sh
+++ b/packages/sandbox-vercel/scripts/provision.sh
@@ -235,6 +235,26 @@ fi
 sudo -u vscode -H mkdir -p /home/vscode/.vnc
 done_ "VNC stack (TigerVNC + websockify + noVNC)"
 
+step "X11 clipboard tools (xclip + autocutsel, built from source)"
+# xclip and autocutsel are NOT in the AL2023 repos (unlike Debian/Ubuntu where
+# docker + hetzner apt-install them). They are load-bearing: xclip backs the
+# host->box Ctrl+V image paste (apps/cli/src/lib/paste-image.ts), and autocutsel
+# keeps the VNC CLIPBOARD/PRIMARY selections in sync (agentbox-vnc-start). Build
+# both from source — all deps are in the AL2023 default repos. Fail loud: a
+# missing binary is a silently broken feature, not a skippable convenience.
+dnf install -y -q --allowerasing \
+  gcc make automake autoconf git \
+  libX11-devel libXmu-devel libXt-devel libXaw-devel
+git clone --depth 1 https://github.com/astrand/xclip /tmp/xclip
+( cd /tmp/xclip && autoreconf -i && ./configure --prefix=/usr/local && make && make install )
+rm -rf /tmp/xclip
+command -v xclip >/dev/null || { echo "provision.sh: xclip build failed"; exit 1; }
+git clone --depth 1 https://github.com/sigmike/autocutsel /tmp/autocutsel
+( cd /tmp/autocutsel && autoreconf -i && ./configure --prefix=/usr/local && make && make install )
+rm -rf /tmp/autocutsel
+command -v autocutsel >/dev/null || { echo "provision.sh: autocutsel build failed"; exit 1; }
+done_ "X11 clipboard tools (xclip + autocutsel, built from source)"
+
 step "agent CLIs (codex + opencode + agent-browser, global npm)"
 npm install -g @openai/codex opencode-ai agent-browser 2>&1 | tail -3 || \
   echo "provision.sh: one or more agent npm installs failed (continuing)"
diff --git a/packages/sandbox-vercel/src/credentials.ts b/packages/sandbox-vercel/src/credentials.ts
index 7125f78..a0c74f5 100644
--- a/packages/sandbox-vercel/src/credentials.ts
+++ b/packages/sandbox-vercel/src/credentials.ts
@@ -8,6 +8,7 @@ import {
 } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, resolve } from 'node:path';
+import { hostOpenCommand } from '@agentbox/sandbox-core';
 import {
   confirm,
   isCancel,
@@ -389,7 +390,7 @@ function openDashboard(): void {
   // Lazy import keeps node:child_process out of the module's load cost.
   import('node:child_process')
     .then(({ spawnSync }) => {
-      const r = spawnSync('open', [DASHBOARD_TOKENS_URL], { stdio: 'ignore' });
+      const r = spawnSync(hostOpenCommand(), [DASHBOARD_TOKENS_URL], { stdio: 'ignore' });
       if (r.status !== 0) {
         log.warn(`Could not auto-open the browser — visit ${DASHBOARD_TOKENS_URL} manually.`);
       }
diff --git a/scripts/linux-dev-vm.sh b/scripts/linux-dev-vm.sh
new file mode 100755
index 0000000..1e4588a
--- /dev/null
+++ b/scripts/linux-dev-vm.sh
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+#
+# linux-dev-vm.sh — manage a *persistent* clean Ubuntu VM on Hetzner for testing
+# `agentbox` on a Linux host. NOT an agentbox box: a bare VPS you log into and
+# drive the CLI on to check Linux compatibility of any feature.
+#
+# WHY this exists: the CLI grew up macOS-only (see docs/linux-host-backlog.md).
+# To find and fix Linux-host issues we need a real Ubuntu host that survives
+# across edit/deploy/test cycles. This script provisions one, ships the locally
+# built CLI on demand, and tears it down when you're done.
+#
+# Subcommands:
+#   up        create the VM if absent (cx23 / nbg1 / ubuntu-24.04), install
+#             node 20 + docker + git + tmux, create a non-root `dev` user
+#             (docker + passwordless sudo). Idempotent: reuses a live VM.
+#   deploy    build the monorepo, npm pack apps/cli, scp + `npm install -g` it
+#             on the VM. Re-run after local changes. Use --no-build to skip build.
+#   ssh       open an interactive shell as `dev` (or run: `linux-dev-vm.sh ssh -- uptime`)
+#   doctor    run `agentbox doctor --provider docker` twice — as a user NOT in
+#             the docker group (permission-denied branch) and as `dev` (healthy).
+#   info      print server id / ip / ssh command / state file
+#   down      destroy the server + SSH key + local state
+#
+# State (server id, ip, key) persists in ~/.agentbox/linux-dev-vm/ so every
+# subcommand targets the same VM. `down` is the only thing that deletes it.
+#
+# HCLOUD_TOKEN is read from env, else .env.local, else ~/.agentbox/secrets.env.
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+API="https://api.hetzner.cloud/v1"
+STATE_DIR="$HOME/.agentbox/linux-dev-vm"
+STATE_FILE="$STATE_DIR/state.json"
+KEY="$STATE_DIR/id_ed25519"
+NAME="agentbox-linux-dev"
+SERVER_TYPE="cx23"
+LOCATION="nbg1"
+IMAGE="ubuntu-24.04"
+SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=8 -o LogLevel=ERROR)
+
+die() { echo "error: $*" >&2; exit 1; }
+
+# --- token -------------------------------------------------------------------
+resolve_token() {
+  if [[ -z "${HCLOUD_TOKEN:-}" && -f "$REPO_ROOT/.env.local" ]]; then
+    HCLOUD_TOKEN="$(grep -E '^HCLOUD_TOKEN=' "$REPO_ROOT/.env.local" | head -1 | cut -d= -f2- | tr -d '"' || true)"
+  fi
+  if [[ -z "${HCLOUD_TOKEN:-}" && -f "$HOME/.agentbox/secrets.env" ]]; then
+    HCLOUD_TOKEN="$(grep -E '^HCLOUD_TOKEN=' "$HOME/.agentbox/secrets.env" | head -1 | cut -d= -f2- | tr -d '"' || true)"
+  fi
+  [[ -n "${HCLOUD_TOKEN:-}" ]] || die "HCLOUD_TOKEN not found (env / .env.local / ~/.agentbox/secrets.env)"
+}
+
+# Tiny JSON field extractor (node is always present in this repo; jq is not).
+jget() { node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{const o=JSON.parse(s);const p=process.argv[1].split(".");let v=o;for(const k of p)v=(v==null?undefined:v[k]);process.stdout.write(v==null?"":String(v));})' "$1"; }
+
+api() {
+  # api <METHOD> <PATH> [json-body]
+  local method="$1" path="$2" body="${3:-}"
+  if [[ -n "$body" ]]; then
+    curl -fsS -X "$method" -H "Authorization: Bearer $HCLOUD_TOKEN" -H "Content-Type: application/json" -d "$body" "$API$path"
+  else
+    curl -fsS -X "$method" -H "Authorization: Bearer $HCLOUD_TOKEN" "$API$path"
+  fi
+}
+
+state_get() { [[ -f "$STATE_FILE" ]] && jget "$1" < "$STATE_FILE" || true; }
+
+require_vm() {
+  [[ -f "$STATE_FILE" ]] || die "no VM — run \`$0 up\` first"
+  IP="$(state_get ip)"
+  [[ -n "$IP" ]] || die "state file has no ip; \`$0 down\` and re-\`up\`"
+}
+
+ssh_dev() { ssh -i "$KEY" "${SSH_OPTS[@]}" "dev@$IP" "$@"; }
+ssh_root() { ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$IP" "$@"; }
+
+# --- cloud-init: node 20 + docker + git + tmux, non-root `dev` user ----------
+cloud_init() {
+cat <<'EOF'
+#cloud-config
+package_update: true
+runcmd:
+  - curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+  - apt-get install -y nodejs docker.io git tmux ca-certificates
+  - systemctl enable --now docker
+  - id dev >/dev/null 2>&1 || useradd -m -s /bin/bash dev
+  - usermod -aG docker dev
+  - echo 'dev ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-dev
+  - install -d -m 700 -o dev -g dev /home/dev/.ssh
+  - cp /root/.ssh/authorized_keys /home/dev/.ssh/authorized_keys
+  - chown dev:dev /home/dev/.ssh/authorized_keys
+  - chmod 600 /home/dev/.ssh/authorized_keys
+  - touch /var/lib/cloud/agentbox-ready
+EOF
+}
+
+cmd_up() {
+  resolve_token
+  mkdir -p "$STATE_DIR"
+  local sid; sid="$(state_get server_id)"
+  if [[ -n "$sid" ]] && api GET "/servers/$sid" >/dev/null 2>&1; then
+    echo ">> VM already up (server_id=$sid)"; cmd_info; return 0
+  fi
+
+  [[ -f "$KEY" ]] || ssh-keygen -t ed25519 -N "" -C "$NAME" -f "$KEY" >/dev/null
+  local pub; pub="$(cat "$KEY.pub")"
+  local suffix; suffix="$(date +%s)"
+  echo ">> uploading ssh key"
+  local key_resp key_id
+  key_resp="$(api POST /ssh_keys "$(node -e 'console.log(JSON.stringify({name:process.argv[1],public_key:process.argv[2]}))' "$NAME-$suffix" "$pub")")"
+  key_id="$(printf '%s' "$key_resp" | jget ssh_key.id)"
+
+  echo ">> creating $SERVER_TYPE/$LOCATION $IMAGE server '$NAME'"
+  local body create ip server_id
+  body="$(node -e 'console.log(JSON.stringify({name:process.argv[1],server_type:process.argv[2],location:process.argv[3],image:process.argv[4],ssh_keys:[Number(process.argv[5])],user_data:process.argv[6],public_net:{enable_ipv4:true,enable_ipv6:false}}))' "$NAME" "$SERVER_TYPE" "$LOCATION" "$IMAGE" "$key_id" "$(cloud_init)")"
+  create="$(api POST /servers "$body")"
+  server_id="$(printf '%s' "$create" | jget server.id)"
+  ip="$(printf '%s' "$create" | jget server.public_net.ipv4.ip)"
+  node -e 'const fs=require("fs");fs.writeFileSync(process.argv[1],JSON.stringify({server_id:Number(process.argv[2]),ip:process.argv[3],ssh_key_id:Number(process.argv[4])},null,2)+"\n")' "$STATE_FILE" "$server_id" "$ip" "$key_id"
+  echo "   server_id=$server_id ip=$ip"
+
+  echo ">> waiting for SSH"
+  for i in $(seq 1 60); do
+    if ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$ip" true 2>/dev/null; then break; fi
+    sleep 5; [[ "$i" == "60" ]] && die "ssh never came up"
+  done
+  echo ">> waiting for cloud-init (node + docker + dev user)"
+  ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$ip" 'cloud-init status --wait >/dev/null 2>&1 || true; until [ -f /var/lib/cloud/agentbox-ready ]; do sleep 3; done'
+  echo ">> ready:"
+  ssh -i "$KEY" "${SSH_OPTS[@]}" "root@$ip" 'echo "   node=$(node -v) docker=$(docker --version) git=$(git --version)"'
+  cmd_info
+}
+
+cmd_deploy() {
+  require_vm
+  local build=1
+  for a in "$@"; do [[ "$a" == "--no-build" ]] && build=0; done
+  if [[ "$build" == "1" ]]; then echo ">> pnpm -w build"; (cd "$REPO_ROOT" && pnpm -w build); fi
+  local tmp tarball
+  tmp="$(mktemp -d)"
+  echo ">> npm pack apps/cli"
+  tarball="$(cd "$REPO_ROOT/apps/cli" && npm pack --silent --pack-destination "$tmp")"
+  echo ">> scp + npm install -g on the VM"
+  scp -i "$KEY" "${SSH_OPTS[@]}" "$tmp/$tarball" "dev@$IP:/home/dev/$tarball"
+  ssh_dev "sudo npm install -g --no-fund --no-audit /home/dev/$tarball && echo \"installed agentbox \$(agentbox --version)\""
+  rm -rf "$tmp"
+}
+
+cmd_ssh() {
+  require_vm
+  # `linux-dev-vm.sh ssh`            -> interactive shell
+  # `linux-dev-vm.sh ssh -- <cmd…>`  -> run a command
+  if [[ "${1:-}" == "--" ]]; then shift; ssh_dev "$@"; else ssh_dev "$@"; fi
+}
+
+cmd_doctor() {
+  require_vm
+  ssh_dev 'command -v agentbox >/dev/null' || die "agentbox not installed on the VM — run: $0 deploy"
+  # A user NOT in the docker group exercises the permission-denied branch.
+  ssh_root 'id probe >/dev/null 2>&1 || { useradd -m -s /bin/bash probe; install -d -m 700 -o probe -g probe /home/probe/.ssh; }'
+  echo ""
+  echo "============ doctor #1: user NOT in docker group (permission denied) ============"
+  ssh_root 'su - probe -c "NO_COLOR=1 agentbox doctor --provider docker" || true'
+  echo ""
+  echo "============ doctor #2: dev user IN docker group (healthy) ============"
+  ssh_dev 'sg docker -c "NO_COLOR=1 agentbox doctor --provider docker" || true'
+}
+
+cmd_info() {
+  [[ -f "$STATE_FILE" ]] || { echo "no VM (state file absent)"; return 0; }
+  IP="$(state_get ip)"
+  echo "server_id : $(state_get server_id)"
+  echo "ip        : $IP"
+  echo "ssh       : ssh -i $KEY dev@$IP"
+  echo "state     : $STATE_FILE"
+}
+
+cmd_down() {
+  resolve_token
+  [[ -f "$STATE_FILE" ]] || { echo "no VM to delete"; return 0; }
+  local sid kid; sid="$(state_get server_id)"; kid="$(state_get ssh_key_id)"
+  echo ">> deleting server $sid + ssh key $kid"
+  [[ -n "$sid" ]] && api DELETE "/servers/$sid" >/dev/null 2>&1 || true
+  [[ -n "$kid" ]] && api DELETE "/ssh_keys/$kid" >/dev/null 2>&1 || true
+  rm -rf "$STATE_DIR"
+  echo ">> done"
+}
+
+case "${1:-}" in
+  up) shift; cmd_up "$@" ;;
+  deploy) shift; cmd_deploy "$@" ;;
+  ssh) shift; cmd_ssh "$@" ;;
+  doctor) shift; cmd_doctor "$@" ;;
+  info) shift; cmd_info "$@" ;;
+  down) shift; cmd_down "$@" ;;
+  *) echo "usage: $0 {up|deploy|ssh|doctor|info|down} [args]" >&2; exit 2 ;;
+esac