diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..30bb3c2
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,2 @@
+dotenv_if_exists .env.local
+use flake
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..d3a53cf
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+# flake.lock is machine-generated JSON that cannot be merged by git.
+# Always take the branch version on conflict — regenerate after merge if needed.
+flake.lock merge=binary
diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml
new file mode 100644
index 0000000..11fca39
--- /dev/null
+++ b/.github/actions/setup-nix/action.yml
@@ -0,0 +1,17 @@
+name: Setup Nix
+description: Install Nix with nixpkgs-unstable channel
+
+runs:
+  using: composite
+  steps:
+    # Unset GITHUB_TOKEN so cachix/install-nix-action doesn't write a
+    # repo-scoped token to nix.conf.  That token only covers this repo,
+    # so authenticated requests to other public repos (e.g. toolbox) fail
+    # with 401 instead of succeeding anonymously.
+    - name: Unset GITHUB_TOKEN for Nix
+      shell: bash
+      run: echo "GITHUB_TOKEN=" >> "$GITHUB_ENV"
+    - uses: cachix/install-nix-action@v27
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+    - uses: DeterminateSystems/magic-nix-cache-action@v8
diff --git a/.github/workflows/build-base-image.yml b/.github/workflows/build-base-image.yml
new file mode 100644
index 0000000..d0f03a3
--- /dev/null
+++ b/.github/workflows/build-base-image.yml
@@ -0,0 +1,51 @@
+name: Build forage-base image
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "images/forage-base/**"
+  pull_request:
+    paths:
+      - "images/forage-base/**"
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: firefly-engineering/forage-base
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha
+
+      - uses: docker/build-push-action@v5
+        with:
+          context: images/forage-base
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..d466a4f
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,68 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+
+jobs:
+  format:
+    if: github.event_name != 'merge_group'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-nix
+
+      - name: Check Nix formatting
+        run: nix fmt -- --ci .
+
+  lint:
+    if: github.event_name != 'merge_group'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-nix
+
+      - name: Run linter
+        run: nix develop .#ci --command bash -c "cd packages/forage-ctl && golangci-lint run"
+
+  build:
+    if: github.event_name != 'merge_group'
+    needs: [format, lint]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-nix
+
+      - name: Build forage-ctl
+        run: nix build .#forage-ctl
+
+      - name: Build docs
+        run: nix build .#docs
+
+  test:
+    if: github.event_name != 'merge_group'
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-nix
+
+      - name: Run tests
+        run: nix develop .#ci --command bash -c "cd packages/forage-ctl && go test ./..."
+
+  e2e:
+    if: github.event_name == 'merge_group'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-nix
+
+      - name: Enable KVM
+        run: |
+          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666"' | sudo tee /etc/udev/rules.d/99-kvm.rules
+          sudo udevadm control --reload-rules && sudo udevadm trigger --name-match=kvm
+
+      - name: Run E2E tests
+        run: nix run .#e2e-driver -- 2>&1
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
new file mode 100644
index 0000000..45701c2
--- /dev/null
+++ b/.github/workflows/pages.yml
@@ -0,0 +1,44 @@
+name: Deploy docs to GitHub Pages
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Build docs
+        run: nix build .#docs
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: result
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b3011d5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,15 @@
+result
+result-*
+.direnv/
+docs/book/
+
+# Go vendor directories (dependencies managed by Nix)
+**/vendor/
+
+.claude/
+
+# E2E test VM disk images
+*.qcow2
+
+# local environment files
+.*.local
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..e9cbc79
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,11 @@
+## Work Management
+
+This project tracks work with `bw` (beadwork), which persists to git  plans, progress, and decisions survive
+compaction, session boundaries, and context loss.
+
+ALWAYS run `bw prime` before starting work. Without it, you're missing workflow context, current state, and repo
+hygiene warnings. Work done without priming often conflicts with in-progress changes.
+
+Committing, closing issues, and syncing are part of completing a task  not separate actions requiring additional
+permission.
+
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 120000
index 0000000..47dc3e3
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+AGENTS.md
\ No newline at end of file
diff --git a/DESIGN.md b/DESIGN.md
index 4f282ad..aaefa20 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -96,17 +96,49 @@ The nix store is bind-mounted read-only. All nix operations go through the host'
 
 **Verified:** Tested with `unshare --mount` and confirmed nix builds work.
 
-### Instance Tracking: Stateless
+### Nix Registry Pinning
 
-Instead of maintaining state files, we derive instance information from:
-- Running systemd-nspawn containers (machinectl list)
-- Container naming convention: `forage-{name}`
-- Introspection of bind mounts for workspace info
+Sandboxes automatically have a pinned nix registry that matches the host's nixpkgs version:
+
+```nix
+# Generated in container config
+environment.etc."nix/registry.json".text = builtins.toJSON {
+  version = 2;
+  flakes = [
+    {
+      from = { type = "indirect"; id = "nixpkgs"; };
+      to = {
+        type = "github";
+        owner = "NixOS";
+        repo = "nixpkgs";
+        rev = "...";  # Automatically set to host's nixpkgs revision
+      };
+    }
+  ];
+};
+```
+
+**Benefits:**
+- All agents use the same nixpkgs version
+- Reproducible tool installations across sandboxes
+- No accumulation of different nixpkgs versions in store
+- Pinned to the same nixpkgs used to build the sandbox
+
+**Implementation:** The host module exposes its nixpkgs input revision via `config.json`, and the container config generator injects this into each sandbox's registry.
+
+### Instance Tracking: Metadata-Driven
+
+Sandbox state is tracked via metadata files in `/var/lib/firefly-forage/sandboxes/`:
+- Each sandbox has a `{name}.json` metadata file and a `{name}.nix` config
+- Runtime state (running/stopped) is derived from the container runtime (machinectl)
+- Container naming convention: configurable, defaults to `forage-{name}`
+- Generated files (skills, permissions) are staged in `{name}.generated/` directories
+- The `gc` command reconciles metadata with actual container state
 
 Benefits:
-- No state to corrupt or get out of sync
-- System is the source of truth
-- Simpler implementation
+- Metadata enables rich operations (workspace mode, template, network slot)
+- Runtime state is always from the source of truth (container runtime)
+- gc provides eventual consistency if metadata drifts
 
 ### User Identity: Same UID as Host
 
@@ -141,6 +173,249 @@ The wrapper:
 - Agent cannot easily discover where auth came from
 - Provides minimal protection against credential exfiltration
 
+### JJ Workspace Integration
+
+Each sandbox uses a separate jj workspace, enabling parallel agent work on the same repository without conflicts.
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│ Host                                                                │
+│                                                                     │
+│  ~/projects/myrepo/                                                 │
+│  ├── .jj/              ◄─────────────────────────┐                  │
+│  ├── src/                                        │ shared           │
+│  └── ...                                         │ (read-only)      │
+│                                                  │                  │
+│  /var/lib/forage/workspaces/                     │                  │
+│  ├── sandbox-a/        ◄── jj workspace ─────────┤                  │
+│  │   ├── src/          (separate working copy)   │                  │
+│  │   └── ...                                     │                  │
+│  └── sandbox-b/        ◄── jj workspace ─────────┘                  │
+│      ├── src/          (separate working copy)                      │
+│      └── ...                                                        │
+│                                                                     │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+**How it works:**
+1. `forage-ctl up` creates a jj workspace at a persistent location
+2. The workspace shares the repo's `.jj` directory (operation log, etc.)
+3. Each sandbox gets its own working copy of the files
+4. Changes in one sandbox don't affect others until committed
+5. Agents can work in parallel on different changes
+
+**CLI integration:**
+```bash
+# Create sandbox with jj workspace
+forage-ctl up agent-a --template claude --repo ~/projects/myrepo
+
+# This internally runs:
+# jj workspace add /var/lib/forage/workspaces/agent-a --name agent-a
+
+# Multiple agents on same repo
+forage-ctl up agent-b --template claude --repo ~/projects/myrepo
+forage-ctl up agent-c --template opencode --repo ~/projects/myrepo
+```
+
+**Cleanup:**
+```bash
+# Remove sandbox and its workspace
+forage-ctl down agent-a
+# Internally: jj workspace forget agent-a && rm -rf workspace
+```
+
+### Skill Injection
+
+Sandboxes automatically include "skills" - configuration that teaches agents about available tools and project conventions.
+
+**Injection location:** `.claude/forage-skills.md` (or similar)
+
+This avoids modifying the project's `CLAUDE.md` which may contain valuable upstream information. Claude Code loads instructions from multiple files in `.claude/`.
+
+```
+workspace/
+├── .claude/
+│   ├── forage-skills.md    ◄── Injected by forage (sandbox-specific)
+│   └── settings.json       ◄── May also inject settings here
+├── CLAUDE.md               ◄── Untouched (from upstream repo)
+└── src/
+```
+
+**Injected content (.claude/forage-skills.md):**
+```markdown
+# Firefly Forage Sandbox Environment
+
+This workspace is running inside a Firefly Forage sandbox.
+
+## Version Control: JJ (Jujutsu)
+
+Use `jj` instead of `git` for all version control operations:
+
+- `jj status` - Show working copy status
+- `jj diff` - Show changes
+- `jj new` - Create new change
+- `jj describe -m "message"` - Set change description
+- `jj bookmark set main` - Update bookmark
+
+This is an isolated jj workspace. Your changes won't affect other
+workspaces until you explicitly share them.
+
+## Available Tools
+
+- `rg` (ripgrep) - Fast recursive search
+- `fd` - Fast file finder
+- `jq` - JSON processing
+- `nix build` - Build nix expressions (uses host daemon)
+
+## Sandbox Constraints
+
+- The nix store is read-only (builds go through host daemon)
+- Network access: [full|restricted|none]
+- This container is ephemeral - only /workspace persists
+```
+
+**Skill sources (in priority order):**
+1. **Project skills**: From repo's existing `CLAUDE.md` (untouched, highest priority)
+2. **Forage skills**: Injected `.claude/forage-skills.md` (sandbox-aware instructions)
+3. **Template skills**: From sandbox template configuration
+4. **User skills**: Custom per-sandbox overrides
+
+**Configuration:**
+```nix
+templates.claude = {
+  skills = {
+    jj = true;           # Include jj skill (default: true)
+    nix = true;          # Include nix skill (default: true)
+
+    # Additional custom instructions
+    custom = ''
+      ## Testing Requirements
+      Always write tests before implementation.
+    '';
+  };
+
+  # Optionally inject into .claude/settings.json
+  claudeSettings = {
+    # Any claude-code settings to inject
+  };
+};
+```
+
+**Cleanup:** The injected `.claude/forage-skills.md` is created at sandbox start and can be removed on sandbox down if desired (though it's harmless to leave).
+
+### Tmux Session Management
+
+Each sandbox runs the agent inside a tmux session for better terminal handling and attach/detach capability.
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ Sandbox Container                                           │
+│                                                             │
+│  tmux session: "forage"                                     │
+│  ┌─────────────────────────────────────────────────────┐    │
+│  │ Window 0: agent                                     │    │
+│  │ ┌─────────────────────────────────────────────────┐ │    │
+│  │ │ $ claude                                        │ │    │
+│  │ │ Claude Code ready...                            │ │    │
+│  │ │ >                                               │ │    │
+│  │ └─────────────────────────────────────────────────┘ │    │
+│  └─────────────────────────────────────────────────────┘    │
+│                                                             │
+│  sshd                                                       │
+│                                                             │
+└─────────────────────────────────────────────────────────────┘
+```
+
+**Benefits:**
+- **Attach/detach**: Connect to running agent, disconnect without stopping it
+- **Session persistence**: Agent keeps running if SSH disconnects
+- **Multiple windows**: Agent in one window, shell in another
+- **Scrollback**: Review agent's previous output
+- **Resilience**: Survives network interruptions
+- **Sub-agent support**: Compatible with tools like opencode extensions that spawn sub-agents in tmux panes
+
+**CLI integration:**
+```bash
+# Connect to sandbox (attaches to tmux session)
+forage-ctl ssh myproject
+# → ssh ... -t 'tmux attach -t forage'
+
+# Start agent in sandbox (creates tmux session)
+forage-ctl start myproject
+# → Creates tmux session, starts claude in it
+
+# Detach: Ctrl-b d (standard tmux)
+# Reattach: forage-ctl ssh myproject
+
+# Run shell alongside agent
+forage-ctl shell myproject
+# → Attaches to tmux, creates new window with shell
+```
+
+**Tmux configuration:**
+```bash
+# /etc/tmux.conf in sandbox
+set -g prefix C-b
+set -g mouse on
+set -g history-limit 50000
+set -g status-style 'bg=colour235 fg=colour136'
+set -g status-left '[forage] '
+```
+
+### Gateway Access (Future)
+
+Instead of exposing one SSH port per sandbox, a single gateway service provides access to all sandboxes through a selection interface.
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ Host Machine                                                    │
+│                                                                 │
+│  ┌─────────────────────────────────────────────────────────┐    │
+│  │ forage-gateway (port 2200)                              │    │
+│  │                                                         │    │
+│  │  ┌─────────────────────────────────────────────────┐    │    │
+│  │  │  Firefly Forage - Select Sandbox                │    │    │
+│  │  │                                                 │    │    │
+│  │  │  > myproject     claude    running  2h ago      │    │    │
+│  │  │    agent-a       claude    running  30m ago     │    │    │
+│  │  │    agent-b       multi     running  5m ago      │    │    │
+│  │  │                                                 │    │    │
+│  │  │  [Enter] Attach  [n] New  [d] Down  [q] Quit    │    │    │
+│  │  └─────────────────────────────────────────────────┘    │    │
+│  └─────────────────────────────────────────────────────────┘    │
+│                           │                                     │
+│                           ▼                                     │
+│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐  │
+│  │ sandbox-myproj  │  │ sandbox-agent-a │  │ sandbox-agent-b │  │
+│  │ tmux: forage    │  │ tmux: forage    │  │ tmux: forage    │  │
+│  └─────────────────┘  └─────────────────┘  └─────────────────┘  │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+**Benefits:**
+- **Single port**: Only one port to expose/forward for remote access
+- **Discoverability**: See all sandboxes at a glance
+- **Simpler firewall**: No dynamic port range needed
+- **Better UX**: Interactive selection instead of remembering names
+
+**Implementation options:**
+1. **TUI selector**: fzf/gum-based picker that runs `machinectl shell` or SSH to selected sandbox
+2. **Custom shell**: Login shell that presents the picker, then `exec`s into chosen sandbox
+3. **SSH ForceCommand**: SSH config that runs the selector before allowing access
+
+**Access patterns:**
+```bash
+# Interactive: land in selector
+ssh -p 2200 forage@hostname
+
+# Direct: skip selector, go straight to sandbox
+ssh -p 2200 forage@hostname myproject
+
+# From selector, attach to sandbox's tmux session
+# → machinectl shell forage-myproject /bin/bash -c 'tmux attach -t forage'
+```
+
 ### Network Isolation Modes
 
 | Mode | Description | Use Case |
@@ -163,18 +438,30 @@ firefly-forage/
 ├── README.md                     # User documentation
 │
 ├── modules/
-│   ├── host.nix                  # NixOS module for host machine
-│   └── sandbox.nix               # Container configuration generator
+│   └── host.nix                  # NixOS module for host machine
 │
 ├── lib/
-│   ├── mkSandbox.nix             # Sandbox template builder
-│   ├── mkAgentWrapper.nix        # Auth wrapper generator
-│   └── types.nix                 # Custom types for options
+│   ├── default.nix               # Library entry point (mkSandboxConfig, mkAgentWrapper, etc.)
+│   ├── mkSandboxConfig.nix       # Container NixOS configuration generator
+│   └── skills.nix                # Skill content generation
+│
+├── docs/                         # Documentation (mdBook)
 │
 └── packages/
-    └── forage-ctl/               # CLI management tool
+    └── forage-ctl/               # CLI management tool (Go)
         ├── default.nix
-        └── forage-ctl.sh
+        ├── main.go
+        ├── cmd/                   # CLI commands
+        └── internal/              # Business logic
+            ├── config/            # Configuration loading
+            ├── generator/         # Nix config generation
+            ├── injection/         # Contribution/injection system
+            ├── network/           # Network isolation
+            ├── proxy/             # API proxy
+            ├── runtime/           # Container runtimes
+            ├── sandbox/           # Sandbox lifecycle
+            ├── skills/            # Project analysis for skills
+            └── workspace/         # VCS workspace backends
 ```
 
 ## Configuration Interface
@@ -273,32 +560,44 @@ claude      claude          full       Claude Code agent sandbox
 multi       claude,opencode full       Multi-agent sandbox
 isolated    claude          none       Network-isolated sandbox
 
-# Create and start a sandbox
+# Create and start a sandbox (with workspace directory)
 forage-ctl up <name> --template <template> --workspace <path>
 forage-ctl up myproject --template claude --workspace ~/projects/myproject
 
+# Create and start a sandbox (with jj repo - creates workspace automatically)
+forage-ctl up <name> --template <template> --repo <path>
+forage-ctl up agent-a --template claude --repo ~/projects/myrepo
+forage-ctl up agent-b --template claude --repo ~/projects/myrepo  # parallel work!
+
 # List running sandboxes
 forage-ctl ps
-NAME        TEMPLATE    PORT    WORKSPACE                      STATUS
-myproject   claude      2200    /home/user/projects/myproject  running
-other       multi       2201    /home/user/projects/other      running
+NAME        TEMPLATE    PORT    WORKSPACE                      STATUS    TMUX
+myproject   claude      2200    /home/user/projects/myproject  running   attached
+agent-a     claude      2201    /var/lib/forage/ws/agent-a     running   detached
+agent-b     claude      2202    /var/lib/forage/ws/agent-b     running   detached
 
-# Connect to sandbox via SSH
+# Connect to sandbox (attaches to tmux session)
 forage-ctl ssh <name>
 forage-ctl ssh myproject
 
 # Get SSH command (for use from remote machines)
 forage-ctl ssh-cmd <name>
-# Output: ssh -p 2200 -o StrictHostKeyChecking=no agent@hostname
+# Output: ssh -p 2200 -t agent@hostname 'tmux attach -t forage'
+
+# Start the agent in sandbox (if not already running)
+forage-ctl start <name>
+
+# Open a shell window alongside the agent
+forage-ctl shell <name>
 
 # Execute command in sandbox
 forage-ctl exec <name> -- <command>
 forage-ctl exec myproject -- claude --version
 
-# Reset sandbox (restart with fresh ephemeral state)
+# Reset sandbox (restart with fresh ephemeral state, keeps workspace)
 forage-ctl reset <name>
 
-# Stop and remove sandbox
+# Stop and remove sandbox (and jj workspace if created)
 forage-ctl down <name>
 
 # Stop and remove all sandboxes
@@ -320,46 +619,183 @@ forage-ctl down --all
 
 ### Phase 1: Basic Sandbox
 
-- [ ] Flake structure and module skeleton
-- [ ] Basic host module with template definitions
-- [ ] Container configuration generator
-- [ ] Agent wrapper generator
-- [ ] forage-ctl: up, down, ps, ssh
-- [ ] Port allocation (simple sequential)
-- [ ] Documentation
+- [x] Flake structure and module skeleton
+- [x] Basic host module with template definitions
+- [x] Container configuration generator
+- [x] Agent wrapper generator
+- [x] forage-ctl: up, down, ps, ssh
+- [x] Port allocation (find free ports)
+- [x] Tmux session management
+- [x] Basic skill injection (.claude/forage-skills.md)
+- [x] Documentation (mdbook)
+
+### Phase 2: JJ Workspace Integration
+
+- [x] Workspace creation on sandbox up
+- [x] Workspace cleanup on sandbox down
+- [x] Mount configuration for shared .jj
+- [x] Handle workspace conflicts
+- [x] forage-ctl: --repo flag for jj integration
+
+### Phase 3: Robustness & UX
+
+- [x] Better port allocation (find free ports)
+- [x] Health checks
+- [x] Logging integration (slog with --verbose and --json flags)
+- [x] forage-ctl: exec, reset
+- [x] forage-ctl: logs, start, shell
+- [x] Error handling improvements (typed errors with exit codes)
+- [x] Nix registry pinning (pin nixpkgs to host version)
+
+### Phase 4: Rewrite forage-ctl in Go
+
+The bash implementation is reaching its limits (~1500 lines). Rewrite in Go for:
+- Better error handling and testing
+- Type safety and maintainability
+- Foundation for gateway service (HTTP server)
+- Easier contributor onboarding
+
+- [x] Project structure with cobra CLI framework
+- [x] Port existing commands (up, down, ps, status, ssh, logs, start, shell, templates)
+- [x] exec and reset commands
+- [x] Structured logging with slog
+- [x] Container runtime abstraction (prep for Phase 9)
+- [x] Unit tests for core logic
+- [x] Integration tests
+
+```
+forage-ctl/
+├── cmd/
+│   ├── root.go
+│   ├── up.go
+│   ├── down.go
+│   ├── ps.go
+│   └── ...
+├── internal/
+│   ├── runtime/      # container runtime abstraction
+│   ├── ssh/          # SSH connection utilities
+│   ├── workspace/    # jj/git workspace management
+│   ├── config/       # host config, templates
+│   └── health/       # health checks
+├── go.mod
+└── main.go
+```
 
-### Phase 2: Robustness
+### Phase 5: Gateway & Advanced UX
 
-- [ ] Better port allocation (find free ports)
-- [ ] Health checks
-- [ ] Logging integration
-- [ ] forage-ctl: exec, reset, logs
-- [ ] Error handling improvements
+Features deferred from Phase 3 that benefit from Go rewrite:
 
-### Phase 3: Network Isolation
+- [x] Gateway service with sandbox selector (single port access)
+- [x] TUI picker for sandbox selection (bubbletea)
+- [x] Advanced skill injection (project analysis)
 
-- [ ] nftables rules for restricted mode
-- [ ] DNS filtering
-- [ ] Network mode switching
+### Phase 6: Network Isolation
 
-### Phase 4: API Bridge (Future)
+- [x] nftables rules for restricted mode
+- [x] DNS filtering
+- [x] Network mode switching
 
-- [ ] Proxy service running on host
-- [ ] Auth injection at proxy level
-- [ ] Rate limiting
-- [ ] Audit logging
-- [ ] Secrets never enter sandbox
+### Phase 7: API Proxy
+
+HTTP proxy for API key injection, rate limiting, and audit logging.
+
+- [x] Proxy service running on host (forage-proxy)
+- [x] Auth injection for API keys (reads from /run/secrets)
+- [x] Per-sandbox rate limiting
+- [x] Request/response audit logging
+- [x] Sandbox configuration for proxy mode
+- [x] Documentation of limitations
 
 ```
 ┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
-│ Sandbox         │     │ API Bridge       │     │ External APIs   │
+│ Sandbox         │     │ forage-proxy     │     │ External APIs   │
 │                 │     │ (on host)        │     │                 │
-│ claude-wrapper ─┼────►│ - Auth injection │────►│ api.anthropic.  │
-│  (no secrets)   │     │ - Rate limiting  │     │                 │
-│                 │     │ - Audit logs     │     │                 │
+│ ANTHROPIC_BASE  │     │ - Read API key   │     │                 │
+│ _URL=proxy:8080─┼────►│ - Inject header  │────►│ api.anthropic.  │
+│                 │     │ - Rate limit     │     │                 │
+│ (no API key)    │     │ - Audit log      │     │                 │
 └─────────────────┘     └──────────────────┘     └─────────────────┘
 ```
 
+**Limitations:**
+
+This approach only works for **API key authentication**. For Claude Max/Pro plans
+(OAuth-based), the "secrets never enter sandbox" goal is not achievable without
+significant complexity. Max plan users should:
+
+1. Run `claude login` inside the sandbox (token stored in keychain, not env var)
+2. Use the proxy for rate limiting and audit logging only (auth passes through)
+
+The proxy still provides value for Max plans (rate limiting, logging) but cannot
+inject authentication. See [LLM Gateway docs](https://code.claude.com/docs/en/llm-gateway)
+for official gateway configuration options.
+
+### Phase 8: Git Worktree Backend
+
+Alternative to JJ workspaces for projects using plain git.
+
+- [x] `--git-worktree` flag as alternative to `--repo`
+- [x] `git worktree add` on sandbox creation
+- [x] `git worktree remove` on sandbox cleanup
+- [x] Skill injection with git-specific instructions
+- [x] Handle worktree conflicts and naming
+
+```bash
+# Usage
+forage-ctl up agent-a --template claude --git-worktree ~/projects/myrepo
+forage-ctl up agent-b --template claude --git-worktree ~/projects/myrepo
+
+# Internally creates:
+# - Branch: forage-agent-a
+# - Worktree at: /var/lib/forage/workspaces/agent-a
+# git worktree add /var/lib/forage/workspaces/agent-a -b forage-agent-a HEAD
+```
+
+### Phase 9: Container Runtime Abstraction
+
+Abstract the container backend to support multiple platforms.
+
+- [x] Define container runtime interface (create, destroy, exec, status)
+- [x] systemd-nspawn backend (NixOS, current implementation)
+- [x] Docker/Podman backend (universal fallback)
+- [x] Runtime auto-detection based on platform
+- [x] Migrate commands to use runtime interface
+- [x] Extract SSH functions to dedicated package (runtime-agnostic)
+- [x] Remove legacy container package
+- [x] Apple Container backend (macOS via github.com/apple/containerization)
+- [x] Consistent bind mount semantics across runtimes (mounts.go)
+- [x] Platform-specific nix store sharing strategies (DetectNixStoreStrategy)
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ forage-ctl                                                      │
+│                                                                 │
+│  ┌─────────────────────────────────────────────────────────┐    │
+│  │ Container Runtime Interface                              │    │
+│  │  - create(name, config) -> Container                     │    │
+│  │  - destroy(name)                                         │    │
+│  │  - exec(name, command) -> Output                         │    │
+│  │  - status(name) -> Status                                │    │
+│  └─────────────────────────────────────────────────────────┘    │
+│         │                    │                    │              │
+│         ▼                    ▼                    ▼              │
+│  ┌─────────────┐     ┌─────────────┐     ┌─────────────┐        │
+│  │ nspawn      │     │ apple/      │     │ docker/     │        │
+│  │ (NixOS)     │     │ container   │     │ podman      │        │
+│  │             │     │ (macOS)     │     │ (fallback)  │        │
+│  └─────────────┘     └─────────────┘     └─────────────┘        │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+**Platform considerations:**
+
+| Platform | Runtime | Nix Store Strategy |
+|----------|---------|-------------------|
+| NixOS | systemd-nspawn | Direct bind mount (current) |
+| macOS | apple/container | nix-darwin store or Determinate Nix |
+| Linux (other) | Docker/Podman | Volume mount or bind mount |
+
 ## Security Considerations
 
 ### Threat Model
@@ -376,7 +812,7 @@ forage-ctl down --all
 
 | Threat | Mitigation |
 |--------|------------|
-| Agent exfiltrates API keys | Auth obfuscation via wrappers |
+| Agent exfiltrates API keys | API proxy (keeps secrets on host); auth wrappers provide UX convenience only |
 | Agent accesses host filesystem | Container isolation, bind mounts only |
 | Agent makes unwanted network calls | Network isolation modes |
 | Agent corrupts sandbox | Ephemeral root, easy reset |
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d92bccf
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Firefly Engineering
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f1f4a14
--- /dev/null
+++ b/README.md
@@ -0,0 +1,90 @@
+# Firefly Forage
+
+Isolated, ephemeral sandboxes for AI coding agents on NixOS.
+
+## Features
+
+- **Isolation**: Run AI agents in contained systemd-nspawn environments
+- **Efficiency**: Read-only nix store sharing via bind mounts
+- **Disposability**: Ephemeral container roots, easy reset
+- **Multi-agent**: Support multiple concurrent sandboxes
+- **Security**: Auth obfuscation, optional network isolation
+
+## Quick Start
+
+### Installation
+
+Add to your flake inputs:
+
+```nix
+{
+  inputs.firefly-forage.url = "github:firefly-engineering/firefly-forage";
+}
+```
+
+Import the module:
+
+```nix
+{ inputs, ... }:
+{
+  imports = [ inputs.firefly-forage.nixosModules.default ];
+
+  services.firefly-forage = {
+    enable = true;
+    user = "myuser";
+    authorizedKeys = [ "ssh-ed25519 AAAA..." ];
+
+    secrets = {
+      anthropic = config.sops.secrets.anthropic-api-key.path;
+    };
+
+    templates.claude = {
+      description = "Claude Code sandbox";
+      agents.claude = {
+        package = pkgs.claude-code;
+        secretName = "anthropic";
+        authEnvVar = "ANTHROPIC_API_KEY";
+      };
+      extraPackages = with pkgs; [ ripgrep fd ];
+    };
+  };
+}
+```
+
+### Usage
+
+```bash
+# List templates
+forage-ctl templates
+
+# Create a sandbox
+forage-ctl up myproject --template claude --workspace ~/projects/myproject
+
+# Connect via SSH
+forage-ctl ssh myproject
+
+# From inside the sandbox
+claude chat "Hello!"
+
+# Reset if polluted
+forage-ctl reset myproject
+
+# Clean up
+forage-ctl down myproject
+```
+
+## Documentation
+
+- **[User Guide](docs/src/SUMMARY.md)** - Getting started, configuration, and usage
+- **[DESIGN.md](DESIGN.md)** - Architecture and design decisions
+
+Build the docs locally:
+```bash
+nix build .#docs
+# Or with mdbook directly
+mdbook serve docs
+```
+
+## License
+
+MIT
diff --git a/docs/adr/001-container-runtime-abstraction.md b/docs/adr/001-container-runtime-abstraction.md
new file mode 100644
index 0000000..71782fd
--- /dev/null
+++ b/docs/adr/001-container-runtime-abstraction.md
@@ -0,0 +1,76 @@
+# ADR 001: Container Runtime Abstraction
+
+## Status
+
+Accepted
+
+## Context
+
+Firefly Forage creates isolated sandbox environments for AI coding agents. Initially, the implementation was tightly coupled to NixOS containers (systemd-nspawn). However, several requirements emerged:
+
+1. **Cross-platform support**: Users on macOS need sandboxes too
+2. **Testing**: Integration tests need mock runtimes
+3. **Flexibility**: Different deployment environments may prefer different backends
+4. **Future-proofing**: New container technologies may emerge
+
+## Decision
+
+Introduce a `Runtime` interface that abstracts container operations:
+
+```go
+type Runtime interface {
+    Name() string
+    Create(ctx context.Context, opts CreateOptions) error
+    Start(ctx context.Context, name string) error
+    Stop(ctx context.Context, name string) error
+    Destroy(ctx context.Context, name string) error
+    IsRunning(ctx context.Context, name string) (bool, error)
+    Status(ctx context.Context, name string) (*ContainerInfo, error)
+    Exec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error)
+    ExecInteractive(ctx context.Context, name string, command []string, opts ExecOptions) error
+    List(ctx context.Context) ([]*ContainerInfo, error)
+}
+```
+
+Implementations:
+- `NspawnRuntime`: NixOS containers via systemd-nspawn (Linux)
+- `DockerRuntime`: Docker/Podman containers (universal fallback)
+- `AppleRuntime`: Apple Container framework (macOS 13+)
+- `MockRuntime`: For testing
+
+Runtime selection is automatic via `Global()` which detects the platform and available tools.
+
+## Consequences
+
+### Positive
+
+- **Portability**: Same CLI works across platforms with different backends
+- **Testability**: MockRuntime enables comprehensive unit testing
+- **Extensibility**: New backends can be added without changing command code
+- **Separation of concerns**: Commands focus on business logic, not container details
+
+### Negative
+
+- **Abstraction overhead**: Some runtime-specific features may not fit the interface
+- **Complexity**: More code to maintain across multiple backends
+- **Lowest common denominator**: Interface limited to features all backends support
+
+## Alternatives Considered
+
+### 1. Platform-specific CLIs
+
+Build separate `forage-ctl-nix`, `forage-ctl-macos`, etc.
+
+**Rejected because**: Significant code duplication, harder to maintain, confusing for users.
+
+### 2. Docker-only
+
+Use Docker everywhere, including on NixOS.
+
+**Rejected because**: Loses NixOS integration benefits (nix-daemon socket sharing, ephemeral roots), adds Docker dependency on NixOS systems that don't need it.
+
+### 3. No abstraction (nspawn only)
+
+Keep tight coupling to systemd-nspawn, add other platforms later.
+
+**Rejected because**: Would require significant refactoring later, harder to test now.
diff --git a/docs/adr/002-ssh-based-sandbox-access.md b/docs/adr/002-ssh-based-sandbox-access.md
new file mode 100644
index 0000000..3900e87
--- /dev/null
+++ b/docs/adr/002-ssh-based-sandbox-access.md
@@ -0,0 +1,80 @@
+# ADR 002: SSH-Based Sandbox Access
+
+## Status
+
+Accepted
+
+## Context
+
+Users need to access sandboxes to interact with AI agents, run commands, and debug issues. Several access methods were considered.
+
+Requirements:
+1. Works from remote machines (not just localhost)
+2. Supports terminal-based AI agents (Claude Code, etc.)
+3. Compatible with existing developer workflows
+4. Secure by default
+5. Works consistently across container runtimes
+
+## Decision
+
+Use SSH as the primary access method for all sandboxes:
+
+1. Each sandbox runs an OpenSSH server on port 22 (container-internal)
+2. Container port 22 is forwarded to a unique host port (from configured range)
+3. Authentication uses SSH public keys (no passwords)
+4. `forage-ctl ssh <name>` connects to the sandbox's tmux session
+
+The `ssh` package provides a builder pattern for constructing SSH commands:
+
+```go
+opts := ssh.DefaultOptions(port).WithTTY()
+args := opts.BuildArgs("tmux", "attach", "-t", "forage")
+```
+
+## Consequences
+
+### Positive
+
+- **Universal**: SSH works from any machine, any network
+- **Familiar**: Developers already know SSH
+- **Secure**: Key-based auth, encrypted transport
+- **Flexible**: Works with VS Code Remote, Mosh, etc.
+- **Runtime-agnostic**: Same access method for nspawn, Docker, Apple Container
+- **Scriptable**: Easy to automate with standard SSH tools
+
+### Negative
+
+- **Overhead**: SSH adds latency compared to `machinectl shell`
+- **Port management**: Need to track and allocate ports
+- **Key management**: Requires SSH key configuration
+- **Extra dependency**: Requires sshd in container image
+
+## Alternatives Considered
+
+### 1. machinectl shell (nspawn only)
+
+Use `machinectl shell` for direct container access.
+
+**Rejected because**: Only works for nspawn, not Docker or Apple Container. Not accessible from remote machines.
+
+### 2. docker exec / podman exec
+
+Use container runtime's native exec for access.
+
+**Rejected because**: Requires the runtime's CLI on the client machine. Not accessible from remote machines without additional tooling.
+
+### 3. Web terminal
+
+Provide a browser-based terminal.
+
+**Rejected because**: Adds significant complexity (web server, auth). Poor integration with AI agent workflows that expect real terminals.
+
+### 4. VS Code Server built-in
+
+Rely on each AI agent providing its own remote access.
+
+**Rejected because**: Not all agents have this. Inconsistent experience.
+
+## Notes
+
+The gateway service (Phase 5) provides single-port access by running an SSH server that routes to the selected sandbox. This builds on the SSH foundation rather than replacing it.
diff --git a/docs/adr/003-skill-injection-strategy.md b/docs/adr/003-skill-injection-strategy.md
new file mode 100644
index 0000000..c0666a7
--- /dev/null
+++ b/docs/adr/003-skill-injection-strategy.md
@@ -0,0 +1,95 @@
+# ADR 003: Skill Injection Strategy
+
+## Status
+
+Accepted
+
+## Context
+
+AI coding agents (like Claude Code) can be customized via "skills" files that provide context about the project and environment. We need to inform agents about:
+
+1. The sandbox environment (network restrictions, available tools)
+2. Version control system in use (jj vs git)
+3. Project-specific information (language, build system, frameworks)
+4. Workspace constraints (ephemeral container, persistent workspace)
+
+The challenge is injecting this information without conflicting with existing project documentation.
+
+## Decision
+
+### Two-tier skill injection
+
+1. **Project analysis**: Detect project type, build system, and frameworks
+2. **Generated skills file**: Write a combined `CLAUDE.md` to the workspace
+
+The `skills` package:
+- Analyzes the workspace to detect project characteristics
+- Generates context-aware instructions
+- Includes sandbox-specific information
+
+```go
+analyzer := skills.NewAnalyzer(workspacePath)
+projectInfo := analyzer.Analyze()
+content := skills.GenerateSkills(metadata, template, projectInfo)
+```
+
+### Content structure
+
+The generated file includes:
+- Environment section (sandbox name, template, workspace mode)
+- Project section (type, build system, frameworks, common commands)
+- Version control section (jj or git instructions)
+- Network section (access level and restrictions)
+- Available agents section
+- Guidelines section
+
+### File location
+
+Skills are written to `/workspace/CLAUDE.md` inside the container. This is a simple approach that works well in practice.
+
+## Consequences
+
+### Positive
+
+- **Context-aware**: Agents know about project-specific tools and conventions
+- **Consistent**: All sandboxes get appropriate environment documentation
+- **Discoverable**: Agents find skills in expected location
+- **Dynamic**: Content adapts based on project analysis
+
+### Negative
+
+- **May conflict**: If workspace has existing CLAUDE.md, it gets overwritten
+- **Maintenance**: Need to keep framework/tool detection up to date
+- **Not perfect**: Detection heuristics may miss some project types
+
+## Alternatives Considered
+
+### 1. Separate skills directory
+
+Write to `.claude/forage-skills.md` to avoid conflicts.
+
+**Not implemented because**: Claude Code loads instructions from `CLAUDE.md` primarily. A separate file would need explicit configuration to be discovered.
+
+### 2. No injection
+
+Let users manually configure agent skills.
+
+**Rejected because**: Defeats the purpose of automation. Users would need to repeat configuration for every sandbox.
+
+### 3. Template-only skills
+
+Only include skills defined in the template, no project analysis.
+
+**Rejected because**: Misses valuable context about the actual project being worked on.
+
+### 4. Append to existing CLAUDE.md
+
+If a CLAUDE.md exists, append forage skills to it.
+
+**Considered but not implemented**: Could lead to messy documents with duplicate information. The current approach prioritizes clean, consistent output.
+
+## Future Considerations
+
+- Add option to preserve existing CLAUDE.md content
+- Support for other agent configuration formats
+- User-defined skill templates
diff --git a/docs/adr/004-workspace-modes.md b/docs/adr/004-workspace-modes.md
new file mode 100644
index 0000000..9dc6a55
--- /dev/null
+++ b/docs/adr/004-workspace-modes.md
@@ -0,0 +1,143 @@
+# ADR 004: Workspace Modes (Direct, JJ, Git Worktree)
+
+## Status
+
+Accepted
+
+## Context
+
+Sandboxes need access to project files. The workspace configuration determines:
+1. Where files come from (bind mount, workspace copy)
+2. How changes are isolated between sandboxes
+3. How version control works inside the sandbox
+
+A key use case is running multiple AI agents on the same repository simultaneously without conflicts.
+
+## Decision
+
+Support three workspace modes:
+
+### 1. Direct Mode (`--workspace`)
+
+Bind-mount an existing directory directly into the sandbox.
+
+```bash
+forage-ctl up mybox --template claude --workspace ~/projects/myrepo
+```
+
+- Simple and straightforward
+- No isolation between sandboxes using the same directory
+- Best for single-agent workflows
+
+### 2. JJ Mode (`--repo` with jj repository)
+
+Create an isolated jj workspace from a repository.
+
+```bash
+forage-ctl up agent-a --template claude --repo ~/projects/myrepo
+forage-ctl up agent-b --template claude --repo ~/projects/myrepo
+```
+
+- Each sandbox gets its own working copy
+- Changes don't affect other sandboxes until committed
+- Shared operation log enables cross-sandbox visibility
+- Workspace created at `/var/lib/forage/workspaces/<name>`
+
+### 3. Git Worktree Mode (`--git-worktree`)
+
+Create an isolated git worktree with a dedicated branch.
+
+```bash
+forage-ctl up agent-a --template claude --git-worktree ~/projects/myrepo
+```
+
+- Each sandbox gets a separate branch (`forage-<name>`)
+- Worktree created at `/var/lib/forage/workspaces/<name>`
+- Works with plain git repositories
+
+### Implementation
+
+The `workspace` package defines a `Backend` interface:
+
+```go
+type Backend interface {
+    Name() string
+    IsRepo(path string) bool
+    Exists(repoPath, name string) bool
+    Create(repoPath, name, workspacePath string) error
+    Remove(repoPath, name, workspacePath string) error
+}
+```
+
+With implementations:
+- `JJBackend`: Manages jj workspaces
+- `GitBackend`: Manages git worktrees
+
+## Consequences
+
+### Positive
+
+- **Parallel work**: Multiple agents can work on the same repo simultaneously
+- **Isolation**: Changes in one sandbox don't affect others
+- **Flexibility**: Users choose the mode that fits their workflow
+- **Cleanup**: Workspaces are properly removed on sandbox destruction
+
+### Negative
+
+- **Complexity**: Three modes to understand and maintain
+- **Disk usage**: JJ/git modes create file copies
+- **VCS dependency**: JJ/git must be installed and functional
+- **Bind mount quirks**: JJ mode requires special handling of `.jj` directory
+
+## Alternatives Considered
+
+### 1. Copy-on-write filesystem
+
+Use a COW filesystem (btrfs subvolumes, overlayfs) for isolation.
+
+**Rejected because**: Adds filesystem requirements, complex to set up, doesn't integrate with version control.
+
+### 2. JJ only
+
+Only support jj workspaces, require jj for all isolated workflows.
+
+**Rejected because**: Many users still use git. Forcing jj adoption is a barrier.
+
+### 3. No isolation
+
+Only support direct bind mounts, let users manage isolation.
+
+**Rejected because**: Defeats a key use case (parallel agents on same repo).
+
+### 4. rsync-based copies
+
+Copy workspace files to a new directory.
+
+**Rejected because**: Loses version control integration, hard to sync changes back, inefficient for large repos.
+
+## Technical Notes
+
+### JJ Mode Bind Mounts
+
+JJ workspaces use a symlink in `.jj/repo` that points to the source repo's `.jj` directory. For this to work inside the container, we bind-mount the source repo's `.jj` at its original host path:
+
+```nix
+bindMounts = {
+  "/workspace" = { hostPath = "/var/lib/forage/workspaces/agent-a"; };
+  "/home/user/projects/myrepo/.jj" = { hostPath = "/home/user/projects/myrepo/.jj"; };
+};
+```
+
+### Git Worktree Branches
+
+Git worktrees require a unique branch per worktree. We use the pattern `forage-<sandbox-name>`:
+
+```bash
+git worktree add /var/lib/forage/workspaces/agent-a -b forage-agent-a HEAD
+```
+
+On cleanup:
+```bash
+git worktree remove /var/lib/forage/workspaces/agent-a
+git branch -d forage-agent-a
+```
diff --git a/docs/adr/005-ssh-host-key-verification.md b/docs/adr/005-ssh-host-key-verification.md
new file mode 100644
index 0000000..3bd2148
--- /dev/null
+++ b/docs/adr/005-ssh-host-key-verification.md
@@ -0,0 +1,84 @@
+# ADR 005: SSH Host Key Verification for Localhost Connections
+
+## Status
+
+Accepted
+
+## Context
+
+Firefly Forage uses SSH to connect to sandboxes running on localhost. Standard SSH security practice requires host key verification to prevent Man-in-the-Middle (MITM) attacks. However, sandbox containers are ephemeral and regenerate their SSH host keys on each creation.
+
+The current implementation disables host key verification:
+```go
+StrictHostKeyChecking: false,
+KnownHostsFile:        "/dev/null",
+```
+
+This decision requires documentation of the security trade-offs.
+
+## Decision
+
+Accept disabled host key verification for localhost-only sandbox connections with the following rationale:
+
+### Threat Model Analysis
+
+1. **Localhost-only scope**: All sandbox SSH connections target `localhost`. An attacker would need local system access to intercept these connections.
+
+2. **Defense in depth**: If an attacker has local system access sufficient to perform a MITM attack on localhost SSH, they likely already have the ability to:
+   - Read the sandbox secrets from `/run/forage-secrets/`
+   - Access the container directly via the runtime
+   - Modify the forage-ctl binary itself
+
+3. **Ephemeral containers**: Sandboxes are designed to be short-lived. Host keys change on each container recreation, making traditional known_hosts management impractical.
+
+4. **Port isolation**: Each sandbox uses a unique port, reducing the attack surface for port confusion attacks.
+
+### Security Properties Maintained
+
+- **Transport encryption**: SSH still encrypts all traffic
+- **Client authentication**: Public key authentication prevents unauthorized access
+- **Container isolation**: Network namespacing isolates containers from each other
+
+### Mitigations
+
+1. **Strict input validation**: Sandbox names are validated with allowlist regex
+2. **Path traversal protection**: Config loading validates paths stay within base directories
+3. **Port range enforcement**: Only configured port range is used
+
+## Consequences
+
+### Positive
+
+- **Simplicity**: No host key management complexity for ephemeral containers
+- **User experience**: No "host key changed" warnings when recreating sandboxes
+- **Automation friendly**: Scripts don't need to handle known_hosts updates
+
+### Negative
+
+- **Reduced defense-in-depth**: One less security layer for localhost attacks
+- **Security audit findings**: May be flagged in security reviews
+- **Not extensible to remote**: This model cannot be extended to non-localhost connections
+
+## Alternatives Considered
+
+### 1. Per-sandbox known_hosts files
+
+Store each sandbox's host key in a dedicated known_hosts file.
+
+**Rejected because**: Adds complexity, host keys still change on container recreation, would require cleanup logic.
+
+### 2. Pre-generated host keys in Nix configuration
+
+Generate stable SSH host keys as part of the container configuration.
+
+**Rejected because**: Storing private keys in Nix config (which goes to /nix/store) is a security anti-pattern. Keys would be world-readable.
+
+### 3. Host key callback verification
+
+Implement custom host key verification that accepts any key for localhost.
+
+**Rejected because**: Adds complexity without meaningful security benefit given the threat model.
+
+## Notes
+
+If Firefly Forage is extended to support remote sandbox connections (not on localhost), a different security model will be required. This ADR only covers localhost connections.
diff --git a/docs/adr/README.md b/docs/adr/README.md
new file mode 100644
index 0000000..b2747f9
--- /dev/null
+++ b/docs/adr/README.md
@@ -0,0 +1,25 @@
+# Architecture Decision Records
+
+This directory contains Architecture Decision Records (ADRs) for Firefly Forage.
+
+ADRs document significant technical decisions, including the context, decision, and consequences. They complement the [DESIGN.md](/DESIGN.md) document which provides a comprehensive overview of the system architecture.
+
+## Index
+
+| ADR | Title | Status |
+|-----|-------|--------|
+| [001](001-container-runtime-abstraction.md) | Container Runtime Abstraction | Accepted |
+| [002](002-ssh-based-sandbox-access.md) | SSH-Based Sandbox Access | Accepted |
+| [003](003-skill-injection-strategy.md) | Skill Injection Strategy | Accepted |
+| [004](004-workspace-modes.md) | Workspace Modes (Direct, JJ, Git Worktree) | Accepted |
+
+## ADR Format
+
+Each ADR follows this structure:
+
+1. **Title**: Short descriptive name
+2. **Status**: Proposed, Accepted, Deprecated, Superseded
+3. **Context**: The circumstances and constraints
+4. **Decision**: What we decided to do
+5. **Consequences**: The results, both positive and negative
+6. **Alternatives Considered**: Other options we evaluated
diff --git a/docs/book.toml b/docs/book.toml
new file mode 100644
index 0000000..fbdd945
--- /dev/null
+++ b/docs/book.toml
@@ -0,0 +1,15 @@
+[book]
+title = "Firefly Forage"
+authors = ["Firefly Engineering"]
+description = "Isolated, ephemeral sandboxes for AI coding agents on NixOS"
+language = "en"
+src = "src"
+
+[build]
+build-dir = "book"
+
+[output.html]
+default-theme = "navy"
+preferred-dark-theme = "navy"
+git-repository-url = "https://github.com/firefly-engineering/firefly-forage"
+edit-url-template = "https://github.com/firefly-engineering/firefly-forage/edit/main/docs/{path}"
diff --git a/docs/examples/README.md b/docs/examples/README.md
new file mode 100644
index 0000000..61c552d
--- /dev/null
+++ b/docs/examples/README.md
@@ -0,0 +1,42 @@
+# Configuration Examples
+
+This directory contains example configuration files for Firefly Forage.
+
+## Files
+
+### config.json
+
+The host configuration file. Place at `/etc/firefly-forage/config.json`.
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `user` | string | The system user that owns sandboxes |
+| `portRange.from` | int | Start of SSH port range for sandboxes |
+| `portRange.to` | int | End of SSH port range for sandboxes |
+| `authorizedKeys` | []string | SSH public keys authorized for sandbox access |
+| `secrets` | map[string]string | Named secrets (e.g., API keys) |
+| `stateDir` | string | Directory for sandbox state (default: `/var/lib/firefly-forage`) |
+| `nixpkgsRev` | string | Nixpkgs revision to use for containers |
+| `proxyUrl` | string | Optional URL for API proxy service |
+
+### template-claude.json
+
+Example template for Claude Code. Place templates at `/etc/firefly-forage/templates/<name>.json`.
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | string | Template name (auto-set from filename if empty) |
+| `description` | string | Human-readable description |
+| `network` | string | Network mode: `full`, `restricted`, or `none` |
+| `allowedHosts` | []string | Hosts allowed in `restricted` network mode |
+| `agents` | map[string]AgentConfig | Agent configurations |
+| `extraPackages` | []string | Additional Nix packages to include |
+| `useProxy` | bool | Whether to use the API proxy |
+
+### AgentConfig
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `packagePath` | string | Nix package path (e.g., `pkgs.claude-code`) |
+| `secretName` | string | Name of secret from host config to inject |
+| `authEnvVar` | string | Environment variable name for the secret |
diff --git a/docs/examples/config.json b/docs/examples/config.json
new file mode 100644
index 0000000..005b52f
--- /dev/null
+++ b/docs/examples/config.json
@@ -0,0 +1,16 @@
+{
+  "user": "youruser",
+  "portRange": {
+    "from": 2200,
+    "to": 2299
+  },
+  "authorizedKeys": [
+    "ssh-ed25519 AAAA... user@host"
+  ],
+  "secrets": {
+    "anthropic": "/run/secrets/anthropic-api-key"
+  },
+  "stateDir": "/var/lib/firefly-forage",
+  "nixpkgsRev": "nixos-24.05",
+  "proxyUrl": ""
+}
diff --git a/docs/examples/template-claude.json b/docs/examples/template-claude.json
new file mode 100644
index 0000000..c52b9f8
--- /dev/null
+++ b/docs/examples/template-claude.json
@@ -0,0 +1,20 @@
+{
+  "name": "claude",
+  "description": "Claude Code AI agent sandbox",
+  "network": "full",
+  "allowedHosts": [],
+  "agents": {
+    "claude": {
+      "packagePath": "pkgs.claude-code",
+      "secretName": "anthropic",
+      "authEnvVar": "ANTHROPIC_API_KEY"
+    }
+  },
+  "extraPackages": [
+    "ripgrep",
+    "fd",
+    "jq",
+    "tree"
+  ],
+  "useProxy": false
+}
diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md
new file mode 100644
index 0000000..20a888f
--- /dev/null
+++ b/docs/src/SUMMARY.md
@@ -0,0 +1,29 @@
+# Summary
+
+[Introduction](./introduction.md)
+
+# Getting Started
+
+- [Installation](./getting-started/installation.md)
+- [Configuration](./getting-started/configuration.md)
+- [First Sandbox](./getting-started/first-sandbox.md)
+
+# Usage
+
+- [Authentication](./usage/authentication.md)
+- [CLI Reference](./usage/cli-reference.md)
+- [Workspace Mounts](./usage/workspace-mounts.md)
+- [JJ Workspaces](./usage/jj-workspaces.md)
+- [Skill Injection](./usage/skill-injection.md)
+
+# Concepts
+
+- [Architecture](./concepts/architecture.md)
+- [Templates](./concepts/templates.md)
+- [Agent Wrappers](./concepts/agent-wrappers.md)
+- [Nix Store Sharing](./concepts/nix-store.md)
+
+# Reference
+
+- [Security](./reference/security.md)
+- [Troubleshooting](./reference/troubleshooting.md)
diff --git a/docs/src/concepts/agent-wrappers.md b/docs/src/concepts/agent-wrappers.md
new file mode 100644
index 0000000..2df3254
--- /dev/null
+++ b/docs/src/concepts/agent-wrappers.md
@@ -0,0 +1,144 @@
+# Agent Wrappers
+
+Agent wrappers are generated scripts that inject authentication and execute the actual agent binary. They provide a layer of auth obfuscation.
+
+## How Wrappers Work
+
+```
+┌─────────────────────────────────────────────────────────┐
+│ Container                                               │
+│                                                         │
+│  $ claude chat "hello"                                  │
+│       │                                                 │
+│       ▼                                                 │
+│  /usr/bin/claude (wrapper)                              │
+│       │                                                 │
+│       ├─► read /run/secrets/anthropic-api-key           │
+│       ├─► export ANTHROPIC_API_KEY="sk-..."             │
+│       └─► exec /nix/store/.../bin/claude "$@"           │
+│                                                         │
+└─────────────────────────────────────────────────────────┘
+```
+
+The wrapper:
+1. Reads the API key from a file (not environment)
+2. Sets the environment variable only for the child process
+3. Executes the real agent binary with all arguments
+
+## Generated Wrapper Code
+
+For each agent defined in a template:
+
+```nix
+agents.claude = {
+  package = pkgs.claude-code;
+  secretName = "anthropic";
+  authEnvVar = "ANTHROPIC_API_KEY";
+};
+```
+
+Forage generates:
+
+```bash
+#!/usr/bin/env bash
+if [ -f "/run/secrets/anthropic" ]; then
+  export ANTHROPIC_API_KEY="$(cat /run/secrets/anthropic)"
+fi
+exec /nix/store/abc123-claude-code/bin/claude "$@"
+```
+
+This wrapper is added to the container's `environment.systemPackages`.
+
+## Security Properties
+
+### What Wrappers Protect Against
+
+- **Environment snooping**: The API key isn't in the global environment
+- **Process listing**: `ps aux` won't show the key
+- **Casual discovery**: Agent can't just `echo $ANTHROPIC_API_KEY`
+
+### What Wrappers Don't Protect Against
+
+- **Determined agents**: An agent could read `/run/secrets/` directly
+- **Memory inspection**: The key is in the process memory
+- **Network interception**: Keys are sent to APIs
+
+Wrappers provide *obfuscation*, not *security*. They make it harder for an agent to accidentally discover credentials, but a malicious agent could still find them.
+
+## Secret Mounting
+
+Secrets flow from host to container:
+
+```
+Host:
+  /run/secrets/anthropic-api-key (from sops/agenix)
+       │
+       ▼
+  /run/forage-secrets/myproject/anthropic (copied at sandbox creation)
+       │
+       ▼
+Container:
+  /run/secrets/anthropic (bind mounted, read-only)
+```
+
+The secrets directory is:
+- Created fresh for each sandbox
+- Bind-mounted read-only into the container
+- Cleaned up when the sandbox is destroyed
+
+## Multiple Agents
+
+Templates can define multiple agents:
+
+```nix
+agents = {
+  claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  aider = {
+    package = pkgs.aider-chat;
+    secretName = "openai";
+    authEnvVar = "OPENAI_API_KEY";
+  };
+};
+```
+
+Each gets its own wrapper, and both are available in the container:
+
+```bash
+# Inside container
+claude --help
+aider --help
+```
+
+## Wrapper vs Direct Execution
+
+| Aspect | Wrapper | Direct |
+|--------|---------|--------|
+| Auth source | File read at runtime | Environment variable |
+| Auth visibility | Hidden from environment | Visible in `env` |
+| Setup required | Automatic | Manual export |
+| Works outside sandbox | No | Yes (with manual setup) |
+
+## Future: API Bridge
+
+A more secure approach (planned for Phase 5) would remove secrets from containers entirely:
+
+```
+┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
+│ Sandbox         │     │ API Bridge       │     │ External APIs   │
+│                 │     │ (on host)        │     │                 │
+│ claude-wrapper ─┼────►│ - Auth injection │────►│ api.anthropic.  │
+│  (no secrets)   │     │ - Rate limiting  │     │                 │
+│                 │     │ - Audit logs     │     │                 │
+└─────────────────┘     └──────────────────┘     └─────────────────┘
+```
+
+With an API bridge:
+- Secrets never enter the container
+- All API calls are logged
+- Rate limiting is enforced
+- Requests can be filtered/modified
diff --git a/docs/src/concepts/architecture.md b/docs/src/concepts/architecture.md
new file mode 100644
index 0000000..207c493
--- /dev/null
+++ b/docs/src/concepts/architecture.md
@@ -0,0 +1,229 @@
+# Architecture
+
+Forage uses NixOS containers (systemd-nspawn) to create isolated environments for AI agents.
+
+## System Overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ Host Machine                                                    │
+│                                                                 │
+│  nix-daemon ◄──────────────────────────────┐                    │
+│       │                                    │                    │
+│       ▼                                    │                    │
+│  /nix/store ◄──────────────────────────────┼───────────┐        │
+│  (writable by daemon)                      │           │        │
+│                                            │           │        │
+│  ┌─────────────────────────────┐  ┌────────┴───────────┴──┐     │
+│  │ sandbox-project-a           │  │ sandbox-project-b     │     │
+│  │                             │  │                       │     │
+│  │ /nix/store (ro bind)        │  │ /nix/store (ro bind)  │     │
+│  │ /nix/var/nix/daemon-socket  │  │ /nix/var/nix/daemon.. │     │
+│  │ /workspace ──► ~/proj-a     │  │ /workspace ──► ~/pr.. │     │
+│  │ /run/secrets (ro bind)      │  │ /run/secrets (ro ..)  │     │
+│  │                             │  │                       │     │
+│  │ agent: claude               │  │ agents: claude, aider │     │
+│  │ sshd :22 ──► host:2200      │  │ sshd :22 ──► host:22. │     │
+│  └─────────────────────────────┘  └───────────────────────┘     │
+│                                                                 │
+│  forage-ctl (CLI)                                               │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## Components
+
+### Host Module
+
+The NixOS module (`services.firefly-forage`) configures:
+
+- Template definitions
+- Secret paths
+- Port ranges
+- User identity mapping
+- System directories via tmpfiles
+
+### forage-ctl
+
+The CLI tool that:
+
+- Creates/destroys containers via systemd-nspawn
+- Manages SSH port allocation
+- Handles JJ workspace lifecycle
+- Injects skill files
+
+### Containers
+
+Each sandbox is a systemd-nspawn container with:
+
+- **Ephemeral root**: tmpfs filesystem, lost on restart
+- **Private network**: Virtual ethernet with NAT to host
+- **Bind mounts**: Nix store, workspace, secrets
+- **SSH server**: For external access
+- **Tmux session**: For session persistence
+
+## Data Flow
+
+### Container Creation
+
+```
+forage-ctl up myproject -t claude -w ~/project
+       │
+       ├─► Find available port (2200-2299)
+       ├─► Find available network slot (192.168.100.x)
+       ├─► Copy secrets to /run/forage-secrets/myproject/
+       ├─► Inject skills to ~/project/.claude/forage-skills.md
+       ├─► Generate container Nix configuration
+       ├─► Install container units into /etc/systemd-mutable/system
+       └─► Wait for SSH to become available
+```
+
+### Container Configuration
+
+The generated Nix configuration includes:
+
+```nix
+containers."forage-myproject" = {
+  ephemeral = true;
+  privateNetwork = true;
+  hostAddress = "192.168.100.1";
+  localAddress = "192.168.100.11";
+
+  forwardPorts = [{
+    containerPort = 22;
+    hostPort = 2200;
+    protocol = "tcp";
+  }];
+
+  bindMounts = {
+    "/nix/store" = { hostPath = "/nix/store"; isReadOnly = true; };
+    "/workspace" = { hostPath = "/home/user/project"; isReadOnly = false; };
+    "/run/secrets" = { hostPath = "/run/forage-secrets/myproject"; isReadOnly = true; };
+  };
+
+  config = { ... }: {
+    # Container NixOS configuration
+    services.openssh.enable = true;
+    users.users.agent = { ... };
+    environment.systemPackages = [ ... ];
+  };
+};
+```
+
+### Network Architecture
+
+```
+┌─────────────────────────────────────────────────┐
+│ Host                                            │
+│                                                 │
+│  ┌─────────────┐                                │
+│  │ NAT Gateway │ 192.168.100.1                  │
+│  └──────┬──────┘                                │
+│         │                                       │
+│    ┌────┴────┬────────────┐                     │
+│    │         │            │                     │
+│    ▼         ▼            ▼                     │
+│  .11       .12          .13                     │
+│ sandbox-a  sandbox-b   sandbox-c                │
+│ :2200      :2201       :2202                    │
+│                                                 │
+└─────────────────────────────────────────────────┘
+```
+
+Each sandbox:
+- Gets a unique IP in the 192.168.100.0/24 range
+- Has SSH port forwarded from host
+- Uses host's DNS resolution
+
+## State Management
+
+### Metadata Files
+
+Sandbox metadata is stored in JSON files:
+
+```
+/var/lib/firefly-forage/sandboxes/myproject.json
+```
+
+```json
+{
+  "name": "myproject",
+  "template": "claude",
+  "port": 2200,
+  "workspace": "/home/user/project",
+  "networkSlot": 1,
+  "createdAt": "2024-01-15T10:30:00+00:00",
+  "workspaceMode": "direct"
+}
+```
+
+For JJ workspaces, additional fields:
+
+```json
+{
+  "workspaceMode": "jj",
+  "sourceRepo": "/home/user/repos/myrepo",
+  "jjWorkspaceName": "myproject"
+}
+```
+
+For sandboxes with [composable workspace mounts](../usage/workspace-mounts.md), the `workspaceMounts` field replaces the single-workspace fields:
+
+```json
+{
+  "workspaceMounts": [
+    {
+      "name": "main",
+      "containerPath": "/workspace",
+      "hostPath": "/var/lib/firefly-forage/workspaces/myproject/main",
+      "sourceRepo": "/home/user/repos/myrepo",
+      "mode": "jj"
+    },
+    {
+      "name": "beads",
+      "containerPath": "/workspace/.beads",
+      "hostPath": "/var/lib/firefly-forage/workspaces/myproject/beads",
+      "sourceRepo": "/home/user/repos/myrepo",
+      "mode": "jj",
+      "branch": "beads-sync"
+    }
+  ]
+}
+```
+
+### Directories
+
+| Path | Purpose |
+|------|---------|
+| `/etc/firefly-forage/` | Configuration and templates |
+| `/var/lib/firefly-forage/sandboxes/` | Sandbox metadata |
+| `/var/lib/firefly-forage/workspaces/` | JJ workspace directories |
+| `/run/forage-secrets/` | Runtime secrets (tmpfs) |
+
+## Security Boundaries
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ Trusted Zone (Host)                                             │
+│                                                                 │
+│  - NixOS configuration                                          │
+│  - Nix daemon                                                   │
+│  - Secret files                                                 │
+│  - forage-ctl                                                   │
+│                                                                 │
+├─────────────────────────────────────────────────────────────────┤
+│ Isolation Boundary (systemd-nspawn)                             │
+├─────────────────────────────────────────────────────────────────┤
+│ Untrusted Zone (Container)                                      │
+│                                                                 │
+│  - AI agent code                                                │
+│  - User workspace (read-write)                                  │
+│  - Agent-installed packages                                     │
+│                                                                 │
+│  Limited access to:                                             │
+│  - /nix/store (read-only)                                       │
+│  - /run/secrets (read-only)                                     │
+│  - Network (configurable)                                       │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
diff --git a/docs/src/concepts/nix-store.md b/docs/src/concepts/nix-store.md
new file mode 100644
index 0000000..8fd26ec
--- /dev/null
+++ b/docs/src/concepts/nix-store.md
@@ -0,0 +1,210 @@
+# Nix Store Sharing
+
+Forage sandboxes share the host's nix store, avoiding duplication while maintaining isolation.
+
+## How It Works
+
+The nix store is bind-mounted read-only into each container:
+
+```nix
+bindMounts = {
+  "/nix/store" = {
+    hostPath = "/nix/store";
+    isReadOnly = true;
+  };
+};
+```
+
+When an agent needs to install packages, they go through the host's nix daemon:
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ Host                                                            │
+│                                                                 │
+│  nix-daemon ◄──────────────────────────────┐                    │
+│       │                                    │                    │
+│       ▼                                    │                    │
+│  /nix/store ◄──────────────────────────────┼───────────┐        │
+│  (writable by daemon)                      │           │        │
+│                                            │           │        │
+│  ┌─────────────────────────────┐  ┌────────┴───────────┴──┐     │
+│  │ sandbox-a                   │  │ sandbox-b             │     │
+│  │                             │  │                       │     │
+│  │ /nix/store (read-only)      │  │ /nix/store (read-only)│     │
+│  │                             │  │                       │     │
+│  │ $ nix run nixpkgs#ripgrep   │  │ $ nix shell nixpkgs#jq│     │
+│  │       │                     │  │       │               │     │
+│  │       └─────────────────────┼──┼───────┘               │     │
+│  │                             │  │                       │     │
+│  └─────────────────────────────┘  └───────────────────────┘     │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## Why This Works
+
+1. **Read-only detection**: When `/nix/store` is read-only, the nix client detects it can't write directly
+
+2. **Daemon mode**: The client automatically switches to daemon mode and communicates via socket
+
+3. **Host builds**: The nix daemon on the host performs the actual builds and writes to the store
+
+4. **Instant visibility**: Since the container bind-mounts the same store, new paths are immediately visible
+
+5. **Content-addressed**: Nix's content-addressed store means there are no conflicts—the same input always produces the same output path
+
+## Benefits
+
+### No Duplication
+
+Without store sharing, each container would need its own copy of:
+- Base system packages
+- Development tools
+- Agent binaries
+
+With sharing, the store is used efficiently:
+
+```
+Without sharing:
+  Container A: /nix/store/...-ripgrep-14.0.0  (15MB)
+  Container B: /nix/store/...-ripgrep-14.0.0  (15MB)
+  Container C: /nix/store/...-ripgrep-14.0.0  (15MB)
+  Total: 45MB
+
+With sharing:
+  Host: /nix/store/...-ripgrep-14.0.0  (15MB)
+  Container A, B, C: bind mount (0MB additional)
+  Total: 15MB
+```
+
+### Instant Availability
+
+Packages already in the host store are immediately available:
+
+```bash
+# Inside container - if ripgrep is already on host
+$ nix run nixpkgs#ripgrep -- --version
+ripgrep 14.0.0
+# (instant, no download/build)
+```
+
+### Shared Build Cache
+
+If one container builds a package, others can use it:
+
+```bash
+# Container A builds a package
+$ nix build nixpkgs#somePackage
+
+# Container B can use it immediately (same store path)
+$ nix run nixpkgs#somePackage
+# (no rebuild needed)
+```
+
+## Using Nix in Sandboxes
+
+### One-Off Commands
+
+```bash
+# Run a tool without installing
+nix run nixpkgs#ripgrep -- --help
+nix run nixpkgs#jq -- '.foo' data.json
+```
+
+### Interactive Shell
+
+```bash
+# Enter a shell with multiple tools
+nix shell nixpkgs#nodejs nixpkgs#yarn nixpkgs#typescript
+
+# Now node, yarn, tsc are available
+node --version
+```
+
+### Building Projects
+
+```bash
+# Build a flake-based project
+cd /workspace
+nix build
+
+# Run the result
+./result/bin/myapp
+```
+
+### Development Shells
+
+```bash
+# Enter a project's dev shell
+cd /workspace
+nix develop
+
+# Or with direnv (if project has .envrc)
+direnv allow
+```
+
+## Limitations
+
+### No Direct Store Writes
+
+Containers cannot write directly to `/nix/store`:
+
+```bash
+# This won't work
+$ nix-store --add myfile
+error: cannot open `/nix/store/.../myfile' for writing: Read-only file system
+```
+
+All writes must go through the daemon.
+
+### Daemon Socket Required
+
+The nix daemon socket must be accessible. This is handled by systemd-nspawn's socket activation.
+
+### Store Garbage Collection
+
+Garbage collection happens on the host. If the host runs `nix-collect-garbage`, it may remove paths that containers are using.
+
+Best practice: Don't run aggressive garbage collection while sandboxes are active.
+
+## Registry Pinning
+
+Forage automatically pins the nix registry in each sandbox to match the host's nixpkgs version. This ensures consistency across all `nix run nixpkgs#foo` and `nix shell` commands.
+
+### How It Works
+
+The host module extracts the nixpkgs revision from its flake inputs and passes it to each container. The container's `/etc/nix/registry.json` is configured to resolve `nixpkgs` to this specific revision:
+
+```json
+{
+  "version": 2,
+  "flakes": [{
+    "from": { "type": "indirect", "id": "nixpkgs" },
+    "to": {
+      "type": "github",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "rev": "abc123..."
+    }
+  }]
+}
+```
+
+### Benefits
+
+- **Consistency**: All sandboxes use the same nixpkgs version
+- **No store bloat**: Packages aren't duplicated across nixpkgs versions
+- **Reproducibility**: Tool installations are reproducible across sandboxes
+- **Cache efficiency**: If the host already has a package, it's instantly available
+
+### Verification
+
+Inside a sandbox, you can verify the pinning:
+
+```bash
+# Show the registry
+nix registry list
+
+# The nixpkgs entry should show the pinned revision
+# nixpkgs flake:nixpkgs github:NixOS/nixpkgs/<rev>
+```
diff --git a/docs/src/concepts/templates.md b/docs/src/concepts/templates.md
new file mode 100644
index 0000000..e70502e
--- /dev/null
+++ b/docs/src/concepts/templates.md
@@ -0,0 +1,454 @@
+# Templates
+
+Templates are declarative specifications for sandbox environments. They define which agents are available, what packages are installed, and how the sandbox can access the network.
+
+## Template Structure
+
+```nix
+services.firefly-forage.templates.<name> = {
+  description = "Human-readable description";
+
+  agents = {
+    <agent-name> = {
+      package = <derivation>;
+      secretName = "<secret-key>";
+      authEnvVar = "<ENV_VAR_NAME>";
+    };
+  };
+
+  extraPackages = [ ... ];
+
+  network = "full" | "restricted" | "none";
+  allowedHosts = [ ... ];  # for restricted mode
+
+  initCommands = [ ... ];  # commands to run after creation
+
+  workspace.mounts = { ... };   # composable workspace mounts (optional)
+  workspace.useBeads = { ... }; # beads overlay shorthand (optional)
+};
+```
+
+## Components
+
+### Description
+
+A human-readable description shown by `forage-ctl templates`:
+
+```nix
+description = "Claude Code with development tools";
+```
+
+### Agents
+
+Agents are AI coding tools that will be available in the sandbox. Each agent needs:
+
+| Field | Description |
+|-------|-------------|
+| `package` | Nix derivation for the agent |
+| `secretName` | Key in `services.firefly-forage.secrets` |
+| `authEnvVar` | Environment variable for authentication |
+| `hostConfigDir` | Host directory to mount for persistent config (optional) |
+| `containerConfigDir` | Override container mount point (optional) |
+| `hostConfigDirReadOnly` | Mount config dir as read-only (default: `false`) |
+| `permissions` | Agent permission rules (optional, see below) |
+
+```nix
+agents.claude = {
+  package = pkgs.claude-code;
+  secretName = "anthropic";
+  authEnvVar = "ANTHROPIC_API_KEY";
+};
+```
+
+Forage creates a wrapper script that:
+1. Reads the secret from `/run/secrets/<secretName>`
+2. Sets the environment variable
+3. Executes the real agent binary
+
+### Permissions
+
+The `permissions` option controls what actions agents can take without prompting. When set, Forage generates a settings file that is bind-mounted read-only into the container.
+
+| Field | Description |
+|-------|-------------|
+| `skipAll` | Bypass all permission checks (grants all tool families) |
+| `allow` | List of permission rules to auto-approve |
+| `deny` | List of permission rules to always block |
+
+`skipAll` cannot be combined with `allow` or `deny`.
+
+**Full autonomy** (no permission prompts):
+
+```nix
+agents.claude = {
+  package = pkgs.claude-code;
+  secretName = "anthropic";
+  authEnvVar = "ANTHROPIC_API_KEY";
+  permissions.skipAll = true;
+};
+```
+
+**Granular allowlist**:
+
+```nix
+agents.claude = {
+  package = pkgs.claude-code;
+  secretName = "anthropic";
+  authEnvVar = "ANTHROPIC_API_KEY";
+  permissions = {
+    allow = [ "Read" "Glob" "Grep" "Edit(src/**)" "Bash(npm run *)" ];
+    deny = [ "Bash(rm -rf *)" ];
+  };
+};
+```
+
+For Claude, the settings file is written to `/etc/claude-code/managed-settings.json` (managed scope — highest precedence, cannot be overridden by user or project settings). `permissions` and `hostConfigDir` can coexist — they target different paths.
+
+### Extra Packages
+
+Additional packages available in the sandbox:
+
+```nix
+extraPackages = with pkgs; [
+  ripgrep
+  fd
+  jq
+  yq
+  tree
+  htop
+  git
+];
+```
+
+These are added to `environment.systemPackages` in the container.
+
+### Init Commands
+
+Shell commands to run inside the container after creation. These execute after SSH is ready, as the container user in the workspace directory. Failures are logged as warnings but do not block sandbox creation.
+
+```nix
+initCommands = [
+  "npm install"
+  "pip install pytest"
+];
+```
+
+Commands execute in order via `sh -c`. Each command runs independently — a failing command does not prevent subsequent commands from running.
+
+#### Per-Project Init Script
+
+In addition to template-level `initCommands`, you can place a `.forage/init` script in your repository. If present, it runs automatically after template init commands complete.
+
+```bash
+# .forage/init — runs inside the container after creation
+#!/bin/sh
+jj git fetch
+jj new main
+```
+
+**Execution order:**
+1. Template `initCommands` (in declaration order)
+2. `.forage/init` script (if present in workspace)
+
+#### Example: Beads Setup
+
+```nix
+templates.beads = {
+  description = "Beads development sandbox";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    hostConfigDir = "~/.claude";
+    permissions.skipAll = true;
+  };
+
+  extraPackages = with pkgs; [ git nodejs ];
+
+  initCommands = [
+    "npm install -g beads"
+  ];
+};
+```
+
+Combined with a `.forage/init` in the repo:
+
+```bash
+#!/bin/sh
+git fetch origin beads-sync
+git checkout -b beads-sync origin/beads-sync 2>/dev/null || true
+```
+
+### Network Mode
+
+Controls network access:
+
+| Mode | Description |
+|------|-------------|
+| `full` | Unrestricted internet access (default) |
+| `restricted` | Only allowed hosts can be accessed |
+| `none` | No network access |
+
+```nix
+network = "full";
+```
+
+For restricted mode:
+
+```nix
+network = "restricted";
+allowedHosts = [
+  "api.anthropic.com"
+  "api.openai.com"
+];
+```
+
+You can also change network modes at runtime using `forage-ctl network`.
+
+### Workspace Mounts
+
+Templates can declare composable workspace mounts — multiple mount points assembled from different sources:
+
+```nix
+workspace.mounts = {
+  main = {
+    containerPath = "/workspace";
+    mode = "jj";
+    # repo = null → uses default --repo
+  };
+  data = {
+    containerPath = "/workspace/data";
+    repo = "data";  # references --repo data=<path>
+    readOnly = true;
+  };
+};
+```
+
+When `workspace.mounts` is set, the `--repo` flag becomes optional (if all mounts specify their sources). See the [Workspace Mounts](../usage/workspace-mounts.md) usage guide for full details.
+
+### Beads Overlay (`useBeads`)
+
+A convenience option for overlaying a beads workspace:
+
+```nix
+workspace.useBeads = {
+  enable = true;
+  branch = "beads-sync";              # default
+  containerPath = "/workspace/.beads"; # default
+  package = pkgs.beads;               # added to extraPackages
+};
+```
+
+This automatically injects a jj mount and the beads package. See [Workspace Mounts: useBeads](../usage/workspace-mounts.md#usebeads-convenience-option).
+
+## Example Templates
+
+### Minimal Claude Template
+
+```nix
+templates.claude = {
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+};
+```
+
+### Full-Featured Development Template
+
+```nix
+templates.claude-dev = {
+  description = "Claude Code with full development tooling";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  extraPackages = with pkgs; [
+    # Search and navigation
+    ripgrep
+    fd
+    fzf
+    tree
+
+    # Data processing
+    jq
+    yq
+    miller
+
+    # Development
+    git
+    gh
+    gnumake
+    nodejs
+
+    # Debugging
+    htop
+    strace
+    lsof
+  ];
+
+  network = "full";
+};
+```
+
+### Multi-Agent Template
+
+```nix
+templates.multi = {
+  description = "Multiple AI assistants";
+
+  agents = {
+    claude = {
+      package = pkgs.claude-code;
+      secretName = "anthropic";
+      authEnvVar = "ANTHROPIC_API_KEY";
+    };
+
+    aider = {
+      package = pkgs.aider-chat;
+      secretName = "openai";
+      authEnvVar = "OPENAI_API_KEY";
+    };
+  };
+
+  extraPackages = with pkgs; [ ripgrep fd git ];
+};
+```
+
+### Autonomous Template
+
+```nix
+templates.claude-auto = {
+  description = "Claude Code with full autonomy";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+    permissions.skipAll = true;
+  };
+
+  network = "full";
+};
+```
+
+### Multi-Mount Template with Beads
+
+```nix
+templates.claude-beads = {
+  description = "Claude with beads overlay";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  workspace.mounts.main = {
+    containerPath = "/workspace";
+    mode = "jj";
+  };
+
+  workspace.useBeads = {
+    enable = true;
+    package = pkgs.beads;
+  };
+
+  extraPackages = with pkgs; [ ripgrep fd jq ];
+};
+```
+
+### Air-Gapped Template
+
+```nix
+templates.isolated = {
+  description = "No network access for sensitive work";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  network = "none";
+};
+```
+
+## Template Selection
+
+List available templates:
+
+```bash
+forage-ctl templates
+```
+
+Output:
+```
+TEMPLATE        AGENTS              NETWORK    DESCRIPTION
+claude          claude              full       Claude Code sandbox
+claude-dev      claude              full       Claude Code with full development tooling
+multi           claude,aider        full       Multiple AI assistants
+isolated        claude              none       No network access for sensitive work
+```
+
+Use a template when creating a sandbox:
+
+```bash
+forage-ctl up myproject --template claude-dev --workspace ~/projects/myproject
+```
+
+## How Templates Are Processed
+
+1. **At NixOS build time**: Templates are converted to JSON files in `/etc/firefly-forage/templates/`
+
+2. **At sandbox creation**: `forage-ctl` reads the template JSON and generates a container configuration
+
+3. **Agent wrappers**: For each agent, a wrapper script is generated that injects authentication
+
+The template JSON format:
+
+```json
+{
+  "name": "claude",
+  "description": "Claude Code sandbox",
+  "network": "full",
+  "allowedHosts": [],
+  "agents": {
+    "claude": {
+      "packagePath": "/nix/store/...-claude-code",
+      "secretName": "anthropic",
+      "authEnvVar": "ANTHROPIC_API_KEY",
+      "permissions": { "skipAll": true }
+    }
+  },
+  "extraPackages": [
+    "/nix/store/...-ripgrep",
+    "/nix/store/...-fd"
+  ]
+}
+```
+
+When `workspace.mounts` is configured, the JSON includes a `workspaceMounts` field:
+
+```json
+{
+  "workspaceMounts": {
+    "main": {
+      "containerPath": "/workspace",
+      "mode": "jj"
+    },
+    "beads": {
+      "containerPath": "/workspace/.beads",
+      "mode": "jj",
+      "branch": "beads-sync"
+    }
+  }
+}
+```
+
+The `permissions` field is `null` when not configured. When set, it can contain:
+- `{"skipAll": true}` — grants all tool families
+- `{"allow": [...], "deny": [...]}` — granular rules
diff --git a/docs/src/getting-started/configuration.md b/docs/src/getting-started/configuration.md
new file mode 100644
index 0000000..05fa986
--- /dev/null
+++ b/docs/src/getting-started/configuration.md
@@ -0,0 +1,386 @@
+# Configuration
+
+Forage is configured through your NixOS configuration. This page covers all available options.
+
+## Minimal Configuration
+
+**With Claude Max/Pro subscription (OAuth):**
+
+```nix
+services.firefly-forage = {
+  enable = true;
+  user = "myuser";
+
+  templates.claude = {
+    agents.claude = {
+      package = pkgs.claude-code;
+      hostConfigDir = "~/.claude";
+    };
+  };
+};
+```
+
+Then store a long-lived token — see [Authentication](../usage/authentication.md) for the full setup.
+
+**With API key:**
+
+```nix
+services.firefly-forage = {
+  enable = true;
+  user = "myuser";
+
+  secrets = {
+    anthropic = "/run/secrets/anthropic-api-key";
+  };
+
+  templates.claude = {
+    agents.claude = {
+      package = pkgs.claude-code;
+      secretName = "anthropic";
+      authEnvVar = "ANTHROPIC_API_KEY";
+    };
+  };
+};
+```
+
+## Full Configuration Reference
+
+### Top-Level Options
+
+#### `enable`
+
+Whether to enable Firefly Forage.
+
+```nix
+services.firefly-forage.enable = true;
+```
+
+#### `user`
+
+The host user whose UID/GID will be used inside sandboxes. This ensures files created in the workspace have correct ownership.
+
+```nix
+services.firefly-forage.user = "myuser";
+```
+
+#### `authorizedKeys`
+
+SSH public keys that can access sandboxes. Typically you'll use the same keys as your user account:
+
+```nix
+services.firefly-forage.authorizedKeys =
+  config.users.users.myuser.openssh.authorizedKeys.keys;
+```
+
+#### `portRange`
+
+Port range for sandbox SSH servers. Each sandbox gets one port from this range.
+
+```nix
+services.firefly-forage.portRange = {
+  from = 2200;  # default
+  to = 2299;    # default
+};
+```
+
+#### `stateDir`
+
+Directory for Forage state (sandbox metadata, JJ workspaces).
+
+```nix
+services.firefly-forage.stateDir = "/var/lib/firefly-forage";  # default
+```
+
+### Secrets
+
+Map secret names to file paths containing API keys:
+
+```nix
+services.firefly-forage.secrets = {
+  anthropic = "/run/secrets/anthropic-api-key";
+  openai = "/run/secrets/openai-api-key";
+};
+```
+
+**With sops-nix:**
+
+```nix
+services.firefly-forage.secrets = {
+  anthropic = config.sops.secrets.anthropic-api-key.path;
+};
+```
+
+**With agenix:**
+
+```nix
+services.firefly-forage.secrets = {
+  anthropic = config.age.secrets.anthropic-api-key.path;
+};
+```
+
+### Templates
+
+Templates define sandbox configurations that can be instantiated multiple times.
+
+#### Basic Template
+
+```nix
+services.firefly-forage.templates.claude = {
+  description = "Claude Code sandbox";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+};
+```
+
+#### Template with Extra Packages
+
+```nix
+services.firefly-forage.templates.claude = {
+  description = "Claude Code with dev tools";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  extraPackages = with pkgs; [
+    ripgrep
+    fd
+    jq
+    tree
+    htop
+  ];
+};
+```
+
+#### Multi-Agent Template
+
+```nix
+services.firefly-forage.templates.multi = {
+  description = "Multiple AI agents";
+
+  agents = {
+    claude = {
+      package = pkgs.claude-code;
+      secretName = "anthropic";
+      authEnvVar = "ANTHROPIC_API_KEY";
+    };
+
+    aider = {
+      package = pkgs.aider;
+      secretName = "openai";
+      authEnvVar = "OPENAI_API_KEY";
+    };
+  };
+
+  extraPackages = with pkgs; [ ripgrep fd ];
+};
+```
+
+#### Host Config Directory Mounting
+
+Mount host configuration directories into sandboxes for persistent agent configuration. For Claude Code, this provides settings, project history, and skills. Authentication is handled separately — see [Authentication](../usage/authentication.md).
+
+```nix
+services.firefly-forage.templates.claude = {
+  agents.claude = {
+    package = pkgs.claude-code;
+    hostConfigDir = "~/.claude";  # mounts to /home/agent/.claude
+  };
+};
+```
+
+Options:
+- `hostConfigDir` - Host directory to mount (supports `~` expansion)
+- `containerConfigDir` - Override the container mount point (default: `/home/agent/.<dirname>`)
+- `hostConfigDirReadOnly` - Mount as read-only (default: `false` to allow token refresh)
+
+Example with all options:
+
+```nix
+services.firefly-forage.templates.claude = {
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+    hostConfigDir = "~/.claude";
+    containerConfigDir = "/home/agent/.claude";  # explicit path
+    hostConfigDirReadOnly = false;  # allow writing (default)
+  };
+};
+```
+
+#### Agent Permissions
+
+Control what agents can do without prompting. Permissions are written to a settings file and bind-mounted read-only into the container.
+
+**Full autonomy** — skip all permission prompts:
+
+```nix
+services.firefly-forage.templates.claude-auto = {
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+    permissions.skipAll = true;
+  };
+};
+```
+
+**Granular allowlist** — approve specific tools/patterns:
+
+```nix
+services.firefly-forage.templates.claude-restricted = {
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+    permissions = {
+      allow = [ "Read" "Glob" "Grep" "Edit(src/**)" "Bash(npm run *)" ];
+      deny = [ "Bash(rm -rf *)" ];
+    };
+  };
+};
+```
+
+Options:
+- `permissions.skipAll` - Bypass all permission checks (cannot be combined with `allow`/`deny`)
+- `permissions.allow` - Rules to auto-approve (agent-specific format)
+- `permissions.deny` - Rules to always block
+
+For Claude, this generates `/etc/claude-code/managed-settings.json` in the container (managed scope — highest precedence). Permissions and `hostConfigDir` can coexist — they target different paths.
+
+#### Workspace Mounts
+
+Templates can define composable workspace mounts — multiple mount points from different sources:
+
+```nix
+services.firefly-forage.templates.multi-mount = {
+  description = "Multi-mount workspace";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  workspace.mounts = {
+    main = {
+      containerPath = "/workspace";
+      mode = "jj";
+    };
+    docs = {
+      containerPath = "/workspace/docs";
+      hostPath = "~/shared-docs";
+      readOnly = true;
+    };
+  };
+};
+```
+
+When `workspace.mounts` is set, the `--repo` flag becomes optional. See [Workspace Mounts](../usage/workspace-mounts.md) for the full guide.
+
+The `workspace.useBeads` shorthand overlays a beads workspace:
+
+```nix
+workspace.useBeads = {
+  enable = true;
+  package = pkgs.beads;
+  # branch = "beads-sync";         # default
+  # containerPath = "/workspace/.beads";  # default
+};
+```
+
+#### Network Modes
+
+Control network access for sandboxes:
+
+```nix
+services.firefly-forage.templates = {
+  # Full internet access (default)
+  claude = {
+    network = "full";
+    # ...
+  };
+
+  # No network access (air-gapped)
+  isolated = {
+    network = "none";
+    # ...
+  };
+
+  # Restricted to specific hosts
+  restricted = {
+    network = "restricted";
+    allowedHosts = [ "api.anthropic.com" "api.openai.com" ];
+    # ...
+  };
+};
+```
+
+You can also change network modes at runtime using `forage-ctl network`.
+
+## Complete Example
+
+```nix
+{ config, pkgs, ... }:
+{
+  services.firefly-forage = {
+    enable = true;
+    user = "developer";
+    authorizedKeys = config.users.users.developer.openssh.authorizedKeys.keys;
+
+    portRange = {
+      from = 2200;
+      to = 2250;
+    };
+
+    secrets = {
+      anthropic = config.sops.secrets.anthropic-api-key.path;
+      openai = config.sops.secrets.openai-api-key.path;
+    };
+
+    templates = {
+      claude = {
+        description = "Claude Code for general development";
+        agents.claude = {
+          package = pkgs.claude-code;
+          secretName = "anthropic";
+          authEnvVar = "ANTHROPIC_API_KEY";
+        };
+        extraPackages = with pkgs; [ ripgrep fd jq yq tree ];
+        network = "full";
+      };
+
+      claude-auto = {
+        description = "Claude Code with full autonomy";
+        agents.claude = {
+          package = pkgs.claude-code;
+          secretName = "anthropic";
+          authEnvVar = "ANTHROPIC_API_KEY";
+          permissions.skipAll = true;
+        };
+      };
+
+      claude-isolated = {
+        description = "Claude Code without network";
+        agents.claude = {
+          package = pkgs.claude-code;
+          secretName = "anthropic";
+          authEnvVar = "ANTHROPIC_API_KEY";
+        };
+        network = "none";
+      };
+    };
+  };
+}
+```
+
+## Next Steps
+
+With configuration in place, [create your first sandbox](./first-sandbox.md).
diff --git a/docs/src/getting-started/first-sandbox.md b/docs/src/getting-started/first-sandbox.md
new file mode 100644
index 0000000..ac7dd7f
--- /dev/null
+++ b/docs/src/getting-started/first-sandbox.md
@@ -0,0 +1,131 @@
+# First Sandbox
+
+This guide walks you through creating and using your first Forage sandbox.
+
+## Prerequisites
+
+- Forage is [installed](./installation.md) and [configured](./configuration.md)
+- You have at least one template defined
+- Your API key secrets are in place
+
+## List Available Templates
+
+First, see what templates are available:
+
+```bash
+forage-ctl templates
+```
+
+Output:
+```
+TEMPLATE        AGENTS              NETWORK    DESCRIPTION
+claude          claude              full       Claude Code for general development
+claude-isolated claude              none       Claude Code without network
+```
+
+## Create a Sandbox
+
+Create a sandbox bound to a project directory:
+
+```bash
+forage-ctl up myproject --template claude --repo ~/projects/myproject --direct
+```
+
+The `--direct` flag mounts the directory directly without VCS isolation. If your project is a JJ or Git repository and you omit `--direct`, Forage will automatically create an isolated workspace.
+
+You'll see output like:
+```
+ℹ Creating sandbox 'myproject' from template 'claude'
+ℹ Mode: direct
+ℹ Workspace: /home/user/projects/myproject → /workspace
+ℹ SSH port: 2200
+ℹ Network slot: 1 (IP: 192.168.100.11)
+ℹ Creating container...
+ℹ Waiting for SSH to become available on port 2200...
+✓ Sandbox 'myproject' created successfully
+ℹ Connect with: forage-ctl ssh myproject
+```
+
+## Connect to the Sandbox
+
+SSH into the sandbox:
+
+```bash
+forage-ctl ssh myproject
+```
+
+This attaches to a tmux session inside the container. You'll land in `/workspace`, which is your project directory.
+
+## Use the Agent
+
+Inside the sandbox, the configured agent is ready to use:
+
+```bash
+# Start Claude Code
+claude
+
+# Or run a one-off command
+claude "explain this codebase"
+```
+
+The agent has access to:
+- Your project files in `/workspace`
+- Tools specified in `extraPackages`
+- Any nix package via `nix run nixpkgs#<package>`
+
+## Tmux Basics
+
+The sandbox uses tmux for session persistence:
+
+- **Detach**: `Ctrl-b d` (leaves agent running)
+- **Reattach**: `forage-ctl ssh myproject`
+- **New window**: `Ctrl-b c`
+- **Switch windows**: `Ctrl-b n` / `Ctrl-b p`
+- **Scrollback**: `Ctrl-b [` then arrow keys, `q` to exit
+
+## Check Sandbox Status
+
+List running sandboxes:
+
+```bash
+forage-ctl ps
+```
+
+Output:
+```
+NAME            TEMPLATE   PORT   MODE    WORKSPACE                      STATUS
+myproject       claude     2200   direct  /home/user/projects/myproject  ✓ healthy
+```
+
+## Reset if Needed
+
+If the sandbox gets into a bad state, reset it:
+
+```bash
+forage-ctl reset myproject
+```
+
+This destroys and recreates the container while preserving:
+- Your workspace files
+- The sandbox configuration
+
+## Clean Up
+
+When done, remove the sandbox:
+
+```bash
+forage-ctl down myproject
+```
+
+This:
+- Stops the container
+- Removes secrets
+- Cleans up metadata
+- Removes injected skill files from workspace
+
+## Next Steps
+
+- Learn about [workspace mounts](../usage/workspace-mounts.md) for composable multi-mount sandboxes
+- Learn about [JJ workspaces](../usage/jj-workspaces.md) for parallel agent work
+- See the full [CLI reference](../usage/cli-reference.md)
+- Understand [skill injection](../usage/skill-injection.md)
diff --git a/docs/src/getting-started/installation.md b/docs/src/getting-started/installation.md
new file mode 100644
index 0000000..3318fa5
--- /dev/null
+++ b/docs/src/getting-started/installation.md
@@ -0,0 +1,80 @@
+# Installation
+
+Firefly Forage is distributed as a Nix flake. Add it to your NixOS configuration to get started.
+
+## Add the Flake Input
+
+In your `flake.nix`:
+
+```nix
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    firefly-forage = {
+      url = "github:firefly-engineering/firefly-forage";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, firefly-forage, ... }: {
+    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./configuration.nix
+        firefly-forage.nixosModules.default
+      ];
+    };
+  };
+}
+```
+
+## Import the Module
+
+The module is automatically available after adding the flake input. You can also import it explicitly:
+
+```nix
+{ inputs, ... }:
+{
+  imports = [ inputs.firefly-forage.nixosModules.default ];
+}
+```
+
+## Enable the Service
+
+Add basic configuration to enable Forage:
+
+```nix
+{ config, pkgs, ... }:
+{
+  services.firefly-forage = {
+    enable = true;
+    user = "myuser";  # Your username
+    authorizedKeys = config.users.users.myuser.openssh.authorizedKeys.keys;
+  };
+}
+```
+
+## Rebuild
+
+Apply the configuration:
+
+```bash
+sudo nixos-rebuild switch --flake .#myhost
+```
+
+After rebuilding, the `forage-ctl` command will be available system-wide.
+
+## Verify Installation
+
+```bash
+# Should show help
+forage-ctl --help
+
+# Should show no templates yet
+forage-ctl templates
+```
+
+## Next Steps
+
+Now [configure your first template](./configuration.md) to define what agents and packages your sandboxes will include.
diff --git a/docs/src/introduction.md b/docs/src/introduction.md
new file mode 100644
index 0000000..5c93397
--- /dev/null
+++ b/docs/src/introduction.md
@@ -0,0 +1,106 @@
+# Firefly Forage
+
+**Isolated, ephemeral sandboxes for AI coding agents on NixOS.**
+
+Firefly Forage is a NixOS module that creates lightweight, isolated environments for running AI coding assistants like Claude Code. Each sandbox is a systemd-nspawn container with:
+
+- **Shared nix store** - Read-only bind mount, no duplication
+- **Ephemeral root** - Fresh state on every reset
+- **Persistent workspace** - Your project files survive restarts
+- **Auth obfuscation** - API keys injected at runtime, not visible in environment
+
+## Why Forage?
+
+AI coding agents are powerful but unpredictable. They can:
+
+- Install packages you didn't ask for
+- Modify system configuration
+- Accumulate cruft over long sessions
+- Potentially exfiltrate sensitive data
+
+Forage addresses these concerns by running agents in disposable containers. When things go wrong, just reset the sandbox and start fresh.
+
+## Key Features
+
+### Multi-Agent Support
+
+Run multiple sandboxes simultaneously, each with its own:
+- SSH port for direct access
+- Tmux session for persistence
+- Workspace bind mount
+
+### JJ Workspace Integration
+
+Create multiple sandboxes working on the same repository using [Jujutsu](https://github.com/martinvonz/jj) workspaces. Each agent gets an isolated working copy while sharing the repository's history.
+
+```bash
+# Two agents working on the same repo in parallel
+forage-ctl up agent-a --template claude --repo ~/projects/myrepo
+forage-ctl up agent-b --template claude --repo ~/projects/myrepo
+```
+
+### Composable Workspace Mounts
+
+Assemble a sandbox's filesystem from multiple sources — mount multiple repos, overlay branches, and mix VCS-backed and literal bind mounts:
+
+```bash
+# Template mounts: main workspace + beads overlay + named data repo
+forage-ctl up dev -t claude-beads --repo ~/projects/myrepo --repo data=~/datasets
+```
+
+### Nix Store Efficiency
+
+Sandboxes share the host's `/nix/store` read-only. When an agent runs `nix shell nixpkgs#ripgrep`, the build happens on the host via the nix daemon socket—no duplication, instant availability.
+
+### Template System
+
+Define sandbox configurations declaratively in your NixOS config:
+
+```nix
+templates.claude = {
+  description = "Claude Code sandbox";
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+  extraPackages = with pkgs; [ ripgrep fd jq ];
+  network = "full";
+};
+```
+
+## Quick Example
+
+```bash
+# Create a sandbox for your project
+forage-ctl up myproject -t claude -w ~/projects/myproject
+
+# Connect and start working
+forage-ctl ssh myproject
+
+# Inside the sandbox, claude is ready to use
+claude
+
+# When done, clean up
+forage-ctl down myproject
+```
+
+## Requirements
+
+- NixOS (tested on 24.11+)
+- systemd-nspawn (included in NixOS)
+- systemd (for container management via systemd-nspawn)
+
+## Status
+
+Firefly Forage has completed all planned implementation phases:
+
+- Phases 1-3: Basic sandboxing, JJ workspaces, UX improvements
+- Phase 4: Go rewrite of forage-ctl
+- Phase 5: Gateway & interactive picker
+- Phase 6: Network isolation modes
+- Phase 7: API proxy for auth injection
+- Phase 8: Git worktree backend
+- Phase 9: Multi-runtime support (nspawn, Docker, Podman, Apple Container)
+
+See the [DESIGN.md](https://github.com/firefly-engineering/firefly-forage/blob/main/DESIGN.md) for architecture details.
diff --git a/docs/src/reference/security.md b/docs/src/reference/security.md
new file mode 100644
index 0000000..6603945
--- /dev/null
+++ b/docs/src/reference/security.md
@@ -0,0 +1,206 @@
+# Security
+
+Forage provides isolation for AI agents, but it's important to understand the threat model and limitations.
+
+## Threat Model
+
+### Trusted
+
+- Host system administrator
+- Nix store contents (from nixpkgs/trusted sources)
+- Forage module configuration
+
+### Untrusted
+
+- AI agent behavior
+- Code being worked on in workspace
+- Packages installed by agents at runtime
+
+## Security Layers
+
+### Container Isolation
+
+Sandboxes use systemd-nspawn containers:
+
+- Separate PID namespace
+- Separate network namespace
+- Separate mount namespace
+- Resource limits (cgroups)
+- Ephemeral root filesystem
+
+### Filesystem Isolation
+
+| Path | Access | Notes |
+|------|--------|-------|
+| `/` | Read-write | Ephemeral (tmpfs), lost on restart |
+| `/nix/store` | Read-only | Shared from host |
+| `/workspace` | Read-write | Bind-mounted from host |
+| `/run/secrets` | Read-only | API keys and credentials |
+
+Agents can only persistently modify files in `/workspace`.
+
+### Network Isolation
+
+| Mode | Description |
+|------|-------------|
+| `full` | Unrestricted internet access |
+| `restricted` | Allowlist of specific hosts |
+| `none` | No network access |
+
+Even with `network = "none"`, containers can communicate with the nix daemon socket.
+
+### Credential Isolation
+
+**API key mode**: keys are stored in host-side files, copied into a per-sandbox secrets directory, and bind-mounted read-only. Wrapper scripts read the file and export the env var only for the agent process.
+
+**OAuth mode**: tokens are injected via `CLAUDE_CODE_OAUTH_TOKEN` environment variable. The token is either a long-lived token from the forage-ctl token store (`<stateDir>/tokens/claude-oauth.json`, mode `0600`) or a short-lived token extracted from the host keychain at sandbox creation time. Neither the host keychain nor the token store file is mounted into the container.
+
+In both cases, a determined agent could discover the credential by inspecting its own environment or process memory. The isolation prevents *accidental* leakage, not *intentional* exfiltration. See [Authentication](../usage/authentication.md) for the full workflow.
+
+## Mitigations
+
+| Threat | Mitigation |
+|--------|------------|
+| Agent exfiltrates API keys | API proxy (keeps secrets on host); obfuscation via wrappers (UX convenience, not a security boundary) |
+| Agent accesses host filesystem | Container isolation, explicit bind mounts only |
+| Agent makes unwanted network calls | Network isolation modes |
+| Agent runs dangerous commands | Permission rules (`allow`/`deny`) via managed settings |
+| Agent corrupts system state | Ephemeral root, easy reset |
+| Agent fills disk | Ephemeral tmpfs has size limits |
+| Agent escapes container | systemd-nspawn security features |
+
+## Limitations
+
+### Auth Obfuscation Is Not Foolproof
+
+A determined agent could:
+- Read files in `/run/secrets/` directly
+- Inspect its own process memory
+- Intercept API calls
+
+Wrappers provide obfuscation, not security. They stop casual discovery, not intentional exfiltration.
+
+### Container Escape Vulnerabilities
+
+systemd-nspawn is not a security boundary like a VM. Kernel vulnerabilities could allow container escape. For high-security scenarios, consider:
+- Running sandboxes in VMs
+- Additional seccomp filtering
+- SELinux/AppArmor policies
+
+### DNS Resolution Timing
+
+In `restricted` mode, allowed host IPs are resolved at sandbox creation time and baked into nftables rules. If a host's IPs change (e.g., CDN rotation), the rules become stale and connectivity may break until the sandbox is reconfigured with `forage-ctl network`.
+
+### Network Exfiltration
+
+Even with `network = "none"`, agents could potentially:
+- Encode data in DNS queries (if DNS is available)
+- Use timing side channels
+- Embed data in legitimate API calls
+
+### Workspace Access
+
+Agents have full read-write access to `/workspace`. They could:
+- Modify or delete project files
+- Read sensitive files in the project
+- Create files that execute on the host
+
+## Best Practices
+
+### Secret Management
+
+```nix
+# Use proper secret management (sops-nix, agenix)
+secrets = {
+  anthropic = config.sops.secrets.anthropic-api-key.path;
+};
+
+# Don't hardcode secrets
+# BAD: secrets = { anthropic = "/home/user/.secrets/key"; };
+```
+
+### Template Design
+
+```nix
+# Minimize installed packages
+extraPackages = with pkgs; [ ripgrep fd ];
+# Don't include: curl, wget, netcat, etc. unless needed
+
+# Use network isolation when possible
+network = "none";  # For tasks that don't need network
+
+# Use granular permissions instead of skipAll when possible
+agents.claude.permissions = {
+  allow = [ "Read" "Glob" "Grep" "Edit(src/**)" ];
+  deny = [ "Bash(rm -rf *)" ];
+};
+```
+
+### Agent Permissions
+
+Use the most restrictive permissions that still allow the agent to do its job:
+
+- Prefer granular `allow`/`deny` over `skipAll`
+- Use `deny` rules to block dangerous patterns even when allowing broad tool access
+- `skipAll` is convenient for trusted development workflows but grants full tool access
+
+### Workspace Hygiene
+
+- Don't put sensitive files (SSH keys, credentials) in project directories
+- Use `.gitignore` / `.jjignore` to exclude sensitive patterns
+- Review agent-created files before committing
+
+### Regular Resets
+
+```bash
+# Reset sandbox periodically to clear accumulated state
+forage-ctl reset myproject
+```
+
+### Monitor Agent Activity
+
+- Review files modified by agents
+- Check git/jj history for unexpected changes
+- Monitor network traffic if concerned
+
+## Additional Security Features
+
+### API Proxy
+
+The `forage-ctl proxy` command starts an HTTP proxy that:
+- Keeps secrets on the host, never in containers
+- Injects API keys into requests at runtime
+- Can log all API calls for audit
+- Enables rate limiting and request filtering
+
+## Future Security Enhancements
+
+### Syscall Filtering
+
+Additional seccomp profiles to restrict:
+- Dangerous syscalls
+- Network operations
+- File operations outside allowed paths
+
+### Read-Only Workspace Mode
+
+For review tasks where the agent shouldn't modify files:
+
+```nix
+templates.review = {
+  readOnlyWorkspace = true;
+  # ...
+};
+```
+
+This is implemented and enforces filesystem-level read-only mounting of `/workspace`.
+
+## Reporting Security Issues
+
+If you discover a security vulnerability in Forage, please report it responsibly:
+
+1. Do not open a public issue
+2. Email security concerns to the maintainers
+3. Allow time for a fix before public disclosure
+
+See the project repository for contact information.
diff --git a/docs/src/reference/troubleshooting.md b/docs/src/reference/troubleshooting.md
new file mode 100644
index 0000000..d4dc048
--- /dev/null
+++ b/docs/src/reference/troubleshooting.md
@@ -0,0 +1,343 @@
+# Troubleshooting
+
+Common issues and their solutions.
+
+## Installation Issues
+
+### "Host configuration not found"
+
+```
+✗ Host configuration not found: /etc/firefly-forage/config.json
+ℹ Is firefly-forage enabled in your NixOS configuration?
+```
+
+**Cause:** The Forage module isn't enabled or the system hasn't been rebuilt.
+
+**Solution:**
+```nix
+services.firefly-forage.enable = true;
+```
+
+Then rebuild:
+```bash
+sudo nixos-rebuild switch
+```
+
+### "Templates directory not found"
+
+```
+✗ Templates directory not found: /etc/firefly-forage/templates
+```
+
+**Cause:** No templates are defined in the configuration.
+
+**Solution:** Add at least one template:
+```nix
+services.firefly-forage.templates.claude = {
+  agents.claude = { ... };
+};
+```
+
+## Sandbox Creation Issues
+
+### "Template not found"
+
+```
+✗ Template not found: mytemplate
+```
+
+**Cause:** The specified template doesn't exist.
+
+**Solution:** List available templates:
+```bash
+forage-ctl templates
+```
+
+### "Workspace directory does not exist"
+
+```
+✗ Workspace directory does not exist: /path/to/project
+```
+
+**Cause:** The path doesn't exist or is misspelled.
+
+**Solution:** Create the directory or check the path:
+```bash
+mkdir -p ~/projects/myproject
+forage-ctl up myproject -t claude -w ~/projects/myproject
+```
+
+### "Not a jj repository"
+
+```
+✗ Not a jj repository: /path/to/repo
+ℹ Initialize with: jj git init
+```
+
+**Cause:** Using `--repo` with a directory that isn't a JJ repository.
+
+**Solution:** Initialize JJ:
+```bash
+cd /path/to/repo
+jj git init --colocate
+```
+
+### "JJ workspace already exists"
+
+```
+✗ JJ workspace 'myname' already exists in /path/to/repo
+```
+
+**Cause:** A JJ workspace with that name already exists.
+
+**Solution:** Use a different sandbox name, or remove the existing workspace:
+```bash
+jj workspace forget myname -R /path/to/repo
+```
+
+### "No available ports"
+
+```
+✗ No available ports in range 2200-2299
+```
+
+**Cause:** All ports in the configured range are in use.
+
+**Solution:**
+1. Remove unused sandboxes: `forage-ctl down <name>`
+2. Increase the port range in configuration:
+```nix
+services.firefly-forage.portRange = {
+  from = 2200;
+  to = 2399;  # Expanded range
+};
+```
+
+### "Failed to create container"
+
+```
+✗ Failed to create container
+```
+
+**Cause:** systemd-nspawn container creation failed.
+
+**Solution:** Check system logs:
+```bash
+journalctl -u container@forage-myproject -n 50
+```
+
+Common causes:
+- Insufficient permissions (run as root)
+- Resource constraints
+- Conflicting container names
+
+## Connection Issues
+
+### SSH Connection Refused
+
+```
+ssh: connect to host localhost port 2200: Connection refused
+```
+
+**Cause:** Container isn't running or SSH isn't ready.
+
+**Solution:**
+1. Check sandbox status:
+```bash
+forage-ctl ps
+```
+
+2. If stopped, the container may have failed. Check logs:
+```bash
+journalctl -u container@forage-myproject
+```
+
+3. Try resetting:
+```bash
+forage-ctl reset myproject
+```
+
+### SSH Timeout
+
+```
+ℹ Waiting for SSH to become available on port 2200...
+✗ Timeout waiting for SSH (60s)
+```
+
+**Cause:** Container is starting slowly or SSH failed to start.
+
+**Solution:** The container may still be starting. Wait and try:
+```bash
+forage-ctl ssh myproject
+```
+
+If it persists, check container logs:
+```bash
+machinectl status forage-myproject
+journalctl -M forage-myproject -u sshd
+```
+
+### Permission Denied (SSH)
+
+```
+agent@localhost: Permission denied (publickey).
+```
+
+**Cause:** SSH key not authorized.
+
+**Solution:** Ensure your key is in the configuration:
+```nix
+services.firefly-forage.authorizedKeys = [
+  "ssh-ed25519 AAAA..."
+];
+```
+
+Or use your user's keys:
+```nix
+services.firefly-forage.authorizedKeys =
+  config.users.users.myuser.openssh.authorizedKeys.keys;
+```
+
+## Runtime Issues
+
+### Agent Authentication Fails
+
+```
+Error: Invalid API key
+```
+
+**Cause:** Secret file is missing or has wrong content.
+
+**Solution:**
+1. Check the secret path in configuration
+2. Verify the secret file exists and has correct content
+3. Check sandbox secrets:
+```bash
+forage-ctl exec myproject -- cat /run/secrets/anthropic
+```
+
+### "Command not found" for Agent
+
+```
+bash: claude: command not found
+```
+
+**Cause:** Agent wrapper wasn't created or PATH issue.
+
+**Solution:**
+1. Check the template defines the agent correctly
+2. Verify the package path exists:
+```bash
+forage-ctl exec myproject -- ls -la /nix/store/*claude*
+```
+
+### Workspace Permission Issues
+
+```
+Permission denied: /workspace/file
+```
+
+**Cause:** UID mismatch between container and host.
+
+**Solution:** Ensure `services.firefly-forage.user` matches the owner of workspace files:
+```nix
+services.firefly-forage.user = "myuser";  # Owner of project files
+```
+
+### Nix Commands Fail
+
+```
+error: cannot open connection to remote store 'daemon'
+```
+
+**Cause:** Nix daemon socket not accessible.
+
+**Solution:** This usually indicates a container configuration issue. Reset the sandbox:
+```bash
+forage-ctl reset myproject
+```
+
+## JJ Workspace Issues
+
+### JJ Commands Fail Inside Sandbox
+
+```
+Error: There is no jj repo at the working directory
+```
+
+**Cause:** The `.jj` bind mount isn't working.
+
+**Solution:**
+1. Check the workspace has `.jj`:
+```bash
+forage-ctl exec myproject -- ls -la /workspace/.jj
+```
+
+2. The `.jj/repo` should be a symlink to the source repo. If broken, recreate the sandbox:
+```bash
+forage-ctl down myproject
+forage-ctl up myproject -t claude --repo /path/to/repo
+```
+
+### Changes Not Visible Between Sandboxes
+
+**This is expected behavior.** Each JJ workspace has an independent working copy. To share changes:
+
+1. Commit in one sandbox:
+```bash
+# In sandbox-a
+jj describe -m "My changes"
+```
+
+2. Update in another:
+```bash
+# In sandbox-b
+jj status  # Will show changes from the shared repo
+```
+
+## Cleanup Issues
+
+### Sandbox Won't Delete
+
+```
+forage-ctl down myproject
+# Hangs or fails
+```
+
+**Solution:** Force cleanup:
+```bash
+# Stop container manually
+sudo machinectl terminate forage-myproject
+
+# Remove metadata
+sudo rm /var/lib/firefly-forage/sandboxes/myproject.json
+
+# Clean up secrets
+sudo rm -rf /run/forage-secrets/myproject
+```
+
+### Orphaned JJ Workspace
+
+If a sandbox was removed but the JJ workspace remains:
+
+```bash
+# List workspaces
+jj workspace list -R /path/to/repo
+
+# Remove orphan
+jj workspace forget orphan-name -R /path/to/repo
+rm -rf /var/lib/firefly-forage/workspaces/orphan-name
+```
+
+## Getting Help
+
+If you can't resolve an issue:
+
+1. Check the [GitHub issues](https://github.com/firefly-engineering/firefly-forage/issues)
+2. Gather diagnostic information:
+```bash
+forage-ctl ps
+journalctl -u container@forage-NAME -n 100
+machinectl status forage-NAME
+```
+3. Open a new issue with the diagnostic output
diff --git a/docs/src/usage/authentication.md b/docs/src/usage/authentication.md
new file mode 100644
index 0000000..239c235
--- /dev/null
+++ b/docs/src/usage/authentication.md
@@ -0,0 +1,232 @@
+# Authentication
+
+Sandboxes run in isolated containers that cannot access the host's credential stores (e.g., macOS Keychain, Linux secret-service). This page explains how forage-ctl bridges that gap for each authentication method.
+
+## Overview
+
+There are three ways to authenticate agents in sandboxes, in order of preference:
+
+| Method | Scope | Token lifetime | Best for |
+|--------|-------|---------------|----------|
+| [Long-lived token](#long-lived-token-recommended) | Claude-specific | 1 year | Production use, long-running sandboxes |
+| [Keychain passthrough](#keychain-passthrough) | Claude-specific | ~8 hours | Quick experiments, no setup needed |
+| [Secret files](#secret-files) | Any agent | Indefinite | API key auth (Anthropic API, OpenAI, etc.) |
+
+## Long-lived token (recommended)
+
+For Claude Code with a Max/Pro subscription (OAuth authentication), generate a long-lived token that forage-ctl stores and injects into every sandbox.
+
+### Setup
+
+1. Generate a token (opens browser for OAuth):
+
+   ```bash
+   claude setup-token
+   ```
+
+2. Copy the displayed token and store it:
+
+   ```bash
+   forage-ctl claude token store <token>
+   ```
+
+3. Verify:
+
+   ```bash
+   forage-ctl claude token status
+   ```
+
+That's it. All future sandboxes with a Claude agent will automatically pick up this token.
+
+### How it works
+
+```
+forage-ctl claude token store <token>
+    │
+    ▼
+<stateDir>/tokens/claude-oauth.json     ← token + creation time + expiry
+    │
+    │  (on forage-ctl up)
+    ▼
+CLAUDE_CODE_OAUTH_TOKEN env var         ← injected into container
+    │
+    ▼
+Claude Code reads env var               ← authenticates without keychain
+```
+
+The token file is stored at `<stateDir>/tokens/claude-oauth.json` (typically `/var/lib/firefly-forage/tokens/claude-oauth.json`) with mode `0600`. It contains:
+
+```json
+{
+  "token": "sk-ant-...",
+  "createdAt": "2026-03-19T21:00:00Z",
+  "expiresAt": "2027-03-19T21:00:00Z"
+}
+```
+
+### Token lifecycle
+
+- **Valid**: token is used silently, no output.
+- **Expiring** (< 30 days remaining): token is used but forage-ctl prints a warning during `forage-ctl up` suggesting renewal.
+- **Expired**: forage-ctl falls back to keychain passthrough and warns. Renew with `claude setup-token` + `forage-ctl claude token store`.
+- **Missing**: same behavior as expired — keychain fallback with instructions.
+
+### Management commands
+
+```bash
+forage-ctl claude token store <token>   # Store a new token
+forage-ctl claude token status          # Show token state and expiry
+forage-ctl claude token remove          # Delete stored token
+```
+
+### Nix configuration
+
+When using a long-lived token, the template only needs `hostConfigDir` — no secrets or API key env vars:
+
+```nix
+services.firefly-forage.templates.claude = {
+  description = "Claude Code sandbox";
+  network = "full";
+  agents.claude = {
+    package = pkgs.claude-code;
+    hostConfigDir = "~/.claude";
+  };
+};
+```
+
+`hostConfigDir` mounts the host `~/.claude` directory into the container. This provides Claude Code with its configuration, project history, and settings. The OAuth token is injected separately via `CLAUDE_CODE_OAUTH_TOKEN`, not through the mounted directory.
+
+## Keychain passthrough
+
+When no long-lived token is stored, forage-ctl automatically reads the OAuth access token from the host's credential store and injects it. This requires no setup but has limitations.
+
+### How it works
+
+On macOS, Claude Code stores OAuth credentials in the login keychain under the service name `Claude Code-credentials`. At sandbox creation time, forage-ctl:
+
+1. Reads the keychain entry via `security find-generic-password`
+2. Parses the JSON to extract the access token
+3. Checks the token hasn't expired
+4. Injects it as `CLAUDE_CODE_OAUTH_TOKEN`
+
+### Limitations
+
+- **macOS only** — Linux keychain support is not yet implemented.
+- **Short-lived** — access tokens expire in ~8 hours. A token extracted at sandbox creation may expire during a long session.
+- **No refresh** — once injected, the token cannot be refreshed inside the container. When it expires, Claude Code will report authentication errors.
+- **Requires active session** — the host must have a valid Claude Code login (i.e., you've used `claude` on the host recently).
+
+The keychain passthrough is a convenience for quick experiments. For anything beyond that, use a long-lived token.
+
+### Verbose output
+
+With `-v`, forage-ctl logs which token source was used:
+
+```
+level=DEBUG msg="using stored long-lived Claude OAuth token"
+```
+
+or:
+
+```
+level=DEBUG msg="read OAuth token from keychain" expiresIn=7h25m0s
+level=DEBUG msg="using short-lived OAuth token from host keychain ..."
+```
+
+## Secret files
+
+For agents that authenticate via API keys (not OAuth), use the secrets mechanism. This works for any agent type — Claude with an API key, OpenAI, or custom agents.
+
+### Nix configuration
+
+Define secrets as a mapping from names to file paths:
+
+```nix
+services.firefly-forage = {
+  secrets = {
+    anthropic = config.sops.secrets.anthropic-api-key.path;
+    openai = "/run/secrets/openai-api-key";
+  };
+
+  templates.claude = {
+    agents.claude = {
+      package = pkgs.claude-code;
+      secretName = "anthropic";
+      authEnvVar = "ANTHROPIC_API_KEY";
+    };
+  };
+};
+```
+
+### How it works
+
+1. The Nix module validates that each agent's `secretName` exists in the top-level `secrets` map.
+2. At sandbox creation, forage-ctl copies the secret file into a per-sandbox directory under `<secretsDir>/<sandbox-name>/`.
+3. The secret directory is bind-mounted read-only into the container at `/run/secrets/`.
+4. The agent's wrapper script reads the file and exports it as the specified `authEnvVar`.
+
+### Secret management integration
+
+Secrets should come from a proper secret manager, not plain files:
+
+```nix
+# sops-nix (recommended)
+secrets.anthropic = config.sops.secrets.anthropic-api-key.path;
+
+# agenix
+secrets.anthropic = config.age.secrets.anthropic-api-key.path;
+```
+
+## Token resolution priority
+
+When a Claude agent is configured with `hostConfigDir` (OAuth flow) and no `secretName`, forage-ctl resolves the token in this order:
+
+1. **Token store** — `<stateDir>/tokens/claude-oauth.json`. If valid, use it.
+2. **Token store (expiring)** — if the stored token has < 30 days remaining, use it but warn.
+3. **Token store (expired)** — skip, warn, fall through.
+4. **Host keychain** — extract the short-lived access token from the macOS Keychain.
+5. **No token** — warn with setup instructions. The sandbox is created but Claude Code will report "Not logged in".
+
+When `secretName` is set, the secret file path is used directly and none of the above applies.
+
+## Troubleshooting
+
+### "Not logged in" inside sandbox
+
+Check which token source forage-ctl is using:
+
+```bash
+forage-ctl up mysandbox --template=claude --repo=. -v 2>&1 | grep -i "oauth\|token\|keychain"
+```
+
+Common causes:
+
+- **No long-lived token and no keychain entry**: log in on the host with `claude auth login`, then either use the keychain passthrough or generate a long-lived token.
+- **Expired keychain token**: run `claude` on the host to trigger a refresh, then recreate the sandbox.
+- **Expired long-lived token**: `forage-ctl claude token status` will confirm. Regenerate with `claude setup-token`.
+
+### Verify authentication inside a running sandbox
+
+```bash
+forage-ctl exec mysandbox -- claude auth status
+```
+
+Expected output for a working setup:
+
+```json
+{
+  "loggedIn": true,
+  "authMethod": "oauth_token",
+  "apiProvider": "firstParty"
+}
+```
+
+### Token not reaching the container
+
+Verify the env var is set:
+
+```bash
+forage-ctl exec mysandbox -- printenv CLAUDE_CODE_OAUTH_TOKEN
+```
+
+If empty, check `forage-ctl up -v` output for token resolution messages.
diff --git a/docs/src/usage/cli-reference.md b/docs/src/usage/cli-reference.md
new file mode 100644
index 0000000..43a9146
--- /dev/null
+++ b/docs/src/usage/cli-reference.md
@@ -0,0 +1,568 @@
+# CLI Reference
+
+Complete reference for the `forage-ctl` command-line tool.
+
+## Synopsis
+
+```bash
+forage-ctl <command> [options]
+```
+
+## Commands
+
+### `templates`
+
+List available sandbox templates.
+
+```bash
+forage-ctl templates
+```
+
+**Output:**
+```
+TEMPLATE        AGENTS              NETWORK    DESCRIPTION
+claude          claude              full       Claude Code sandbox
+multi           claude,aider        full       Multi-agent sandbox
+```
+
+---
+
+### `up`
+
+Create and start a sandbox.
+
+```bash
+forage-ctl up <name> --template <template> [--repo <path>] [options]
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Unique name for the sandbox |
+
+**Options:**
+
+| Option | Description |
+|--------|-------------|
+| `--template, -t <name>` | Template to use (required) |
+| `--repo, -r <path>` | Repository or directory path (repeatable, see below) |
+| `--direct` | Mount directory directly, skipping VCS isolation |
+| `--ssh-key <key>` | SSH public key for sandbox access (can be repeated) |
+| `--ssh-key-path <path>` | Path to SSH private key for agent push access |
+| `--git-user <name>` | Git user.name for agent commits |
+| `--git-email <email>` | Git user.email for agent commits |
+| `--no-mux-config` | Don't mount host multiplexer config into sandbox |
+
+**`--repo` Flag:**
+
+The `--repo` flag is repeatable and supports named parameters:
+
+```bash
+--repo <path>              # default (unnamed) repo
+--repo <name>=<path>       # named repo
+```
+
+When the template defines `workspace.mounts`, mounts reference repos by name. `--repo` is not required if every mount specifies `hostPath` or an absolute `repo` path. See [Workspace Mounts](./workspace-mounts.md) for details.
+
+**Workspace Modes:**
+
+The workspace mode is determined automatically based on the `--repo` path and flags:
+
+| Mode | Condition | Behavior |
+|------|-----------|----------|
+| Direct | `--direct` flag used | Mounts directory directly at `/workspace` |
+| JJ workspace | Path contains `.jj/` directory | Creates isolated JJ workspace |
+| Git worktree | Path contains `.git/` directory | Creates git worktree with branch `forage-<name>` |
+
+**Examples:**
+
+```bash
+# Direct mount (no VCS isolation)
+forage-ctl up myproject -t claude --repo ~/projects/myproject --direct
+
+# JJ workspace (auto-detected, creates isolated working copy)
+forage-ctl up agent-a -t claude --repo ~/projects/jj-repo
+
+# Git worktree (auto-detected, creates isolated worktree)
+forage-ctl up agent-b -t claude --repo ~/projects/git-repo
+
+# With SSH key for push access
+forage-ctl up myproject -t claude --repo ~/projects/myrepo --ssh-key-path ~/.ssh/id_ed25519
+
+# With git identity for commits
+forage-ctl up myproject -t claude --repo ~/projects/myrepo --git-user "Agent" --git-email "agent@example.com"
+
+# Named repos for multi-mount templates
+forage-ctl up dev -t monorepo --repo ~/main-project --repo data=~/datasets
+
+# No --repo when template specifies all paths
+forage-ctl up dev -t self-contained
+```
+
+---
+
+### `down`
+
+Stop and remove a sandbox.
+
+```bash
+forage-ctl down <name>
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox to remove |
+
+**Example:**
+
+```bash
+forage-ctl down myproject
+```
+
+**Cleanup performed:**
+- Stops and destroys the container
+- Removes secrets from `/var/lib/forage/secrets/<name>/`
+- For each VCS-backed mount: removes the workspace/worktree via the appropriate VCS command
+- For literal bind mounts (`hostPath`): no cleanup (host directory untouched)
+- Removes managed workspace subdirectories
+- Removes skills file and container configuration
+- Deletes sandbox metadata
+
+---
+
+### `ps`
+
+List sandboxes with health status.
+
+```bash
+forage-ctl ps
+```
+
+**Output:**
+```
+NAME            TEMPLATE   PORT   MODE        WORKSPACE                         STATUS
+myproject       claude     2200   direct      /home/user/projects/myproj        ✓ healthy
+agent-a         claude     2201   jj          ...forage/workspaces/agent-a      ✓ healthy
+agent-b         claude     2202   git-worktree ...forage/workspaces/agent-b     ● stopped
+```
+
+**Columns:**
+
+| Column | Description |
+|--------|-------------|
+| NAME | Sandbox name |
+| TEMPLATE | Template used |
+| PORT | SSH port |
+| MODE | `direct` (direct mount), `jj` (JJ workspace), or `git-worktree` (git worktree) |
+| WORKSPACE | Path mounted at `/workspace` |
+| STATUS | Health status (see below) |
+
+**Status values:**
+
+| Status | Description |
+|--------|-------------|
+| `✓ healthy` | Container running, SSH reachable, tmux session active |
+| `⚠ unhealthy` | Container running but SSH not reachable |
+| `○ no-tmux` | Container running, SSH works, but no tmux session |
+| `● stopped` | Container not running |
+
+---
+
+### `status`
+
+Show detailed sandbox status and health information.
+
+```bash
+forage-ctl status <name>
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+
+**Example output:**
+```
+Sandbox: myproject
+========================================
+
+Configuration:
+  Template:      claude
+  Workspace:     /home/user/projects/myproject
+  Mode:          direct
+  SSH Port:      2200
+  Container IP:  192.168.100.11
+  Created:       2024-01-15T10:30:00+00:00
+
+Container Status:
+  Running:       yes
+  Uptime:        2h 30m
+
+Health Checks:
+  SSH:           reachable
+  Tmux Session:  active
+  Tmux Windows:
+    - 0:bash
+    - 1:claude
+
+Connect:
+  forage-ctl ssh myproject
+  ssh -p 2200 agent@localhost
+```
+
+Use this command for debugging connectivity issues or checking sandbox health.
+
+---
+
+### `ssh`
+
+Connect to a sandbox via SSH, attaching to the tmux session.
+
+```bash
+forage-ctl ssh <name>
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+
+This runs:
+```bash
+ssh -p <port> -t agent@localhost 'tmux attach -t forage || tmux new -s forage'
+```
+
+**Tmux controls:**
+- Detach: `Ctrl-b d`
+- New window: `Ctrl-b c`
+- Next/prev window: `Ctrl-b n` / `Ctrl-b p`
+
+---
+
+### `exec`
+
+Execute a command inside a sandbox.
+
+```bash
+forage-ctl exec <name> -- <command>
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+| `<command>` | Command to execute |
+
+**Examples:**
+
+```bash
+# Check agent version
+forage-ctl exec myproject -- claude --version
+
+# Run a script
+forage-ctl exec myproject -- bash -c 'cd /workspace && ./build.sh'
+
+# List files
+forage-ctl exec myproject -- ls -la /workspace
+```
+
+---
+
+### `start`
+
+Start an agent in the sandbox's tmux session.
+
+```bash
+forage-ctl start <name> [agent]
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+| `[agent]` | Agent to start (optional, defaults to first agent in template) |
+
+**Examples:**
+
+```bash
+# Start the default agent
+forage-ctl start myproject
+
+# Start a specific agent (in multi-agent templates)
+forage-ctl start myproject claude
+forage-ctl start myproject aider
+```
+
+This sends the agent command to the existing tmux session. Use `forage-ctl ssh` to attach and interact with the agent.
+
+---
+
+### `shell`
+
+Open a shell in a new tmux window.
+
+```bash
+forage-ctl shell <name>
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+
+This creates a new tmux window in the sandbox's session and attaches to it. Useful for running commands alongside a running agent.
+
+**Tmux window navigation:**
+- Switch windows: `Ctrl-b n` (next) / `Ctrl-b p` (previous)
+- List windows: `Ctrl-b w`
+- Close window: `exit` or `Ctrl-d`
+
+---
+
+### `logs`
+
+Show container logs.
+
+```bash
+forage-ctl logs <name> [-f] [-n <lines>]
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+
+**Options:**
+
+| Option | Description |
+|--------|-------------|
+| `-f, --follow` | Follow log output (like `tail -f`) |
+| `-n, --lines <n>` | Number of lines to show (default: 100) |
+
+**Examples:**
+
+```bash
+# Show last 100 lines
+forage-ctl logs myproject
+
+# Follow logs in real-time
+forage-ctl logs myproject -f
+
+# Show last 500 lines
+forage-ctl logs myproject -n 500
+```
+
+This uses `journalctl` to show logs from the container's systemd services (sshd, tmux, etc.).
+
+---
+
+### `reset`
+
+Reset a sandbox to fresh state.
+
+```bash
+forage-ctl reset <name>
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+
+This destroys and recreates the container while preserving:
+- Workspace files
+- Sandbox configuration (template, port, network slot)
+- JJ workspace association (if applicable)
+
+Use this when:
+- The container is in a bad state
+- You want a fresh environment
+- The agent has polluted the container filesystem
+
+---
+
+### `network`
+
+Change sandbox network isolation mode.
+
+```bash
+forage-ctl network <name> <mode> [--allow <host>...] [--no-restart]
+```
+
+**Arguments:**
+
+| Argument | Description |
+|----------|-------------|
+| `<name>` | Name of the sandbox |
+| `<mode>` | Network mode: `full`, `restricted`, or `none` |
+
+**Options:**
+
+| Option | Description |
+|--------|-------------|
+| `--allow <host>` | Additional hosts to allow (restricted mode only) |
+| `--no-restart` | Don't restart sandbox (changes won't take effect until reset) |
+
+**Modes:**
+
+| Mode | Description |
+|------|-------------|
+| `full` | Unrestricted internet access (default) |
+| `restricted` | Only allowed hosts can be accessed |
+| `none` | No network access except SSH for management |
+
+**Examples:**
+
+```bash
+# Switch to no network
+forage-ctl network myproject none
+
+# Switch to restricted with allowed hosts
+forage-ctl network myproject restricted --allow api.anthropic.com
+```
+
+---
+
+### `gateway`
+
+Interactive sandbox selector (gateway mode).
+
+```bash
+forage-ctl gateway [sandbox-name]
+```
+
+If a sandbox name is provided, connects directly. Otherwise, presents an interactive picker.
+
+This command is designed to be used as a login shell for SSH access, providing a single entry point to all sandboxes.
+
+---
+
+### `pick`
+
+Interactive sandbox picker.
+
+```bash
+forage-ctl pick
+```
+
+Opens a TUI for selecting and connecting to sandboxes.
+
+**Controls:**
+- Arrow keys or `j/k` to navigate
+- `/` to filter
+- `Enter` to connect
+- `n` to show new sandbox instructions
+- `d` to show remove instructions
+- `q` or `Esc` to quit
+
+---
+
+### `proxy`
+
+Start the API proxy server.
+
+```bash
+forage-ctl proxy [--port <port>] [--host <host>]
+```
+
+Starts an HTTP proxy that injects API keys into requests. Used for sandboxes that need auth injection without storing secrets in the container.
+
+---
+
+### `runtime`
+
+Show container runtime information.
+
+```bash
+forage-ctl runtime
+```
+
+Displays the active container runtime and lists available runtimes on the system.
+
+**Supported runtimes:**
+- `nspawn` - NixOS (systemd-nspawn)
+- `apple` - macOS 13+ (Apple Virtualization.framework)
+- `podman` - Linux, macOS (rootless preferred)
+- `docker` - Linux, macOS, Windows
+
+---
+
+### `gc`
+
+Garbage collect orphaned sandbox resources.
+
+```bash
+forage-ctl gc [--force]
+```
+
+**Options:**
+
+| Option | Description |
+|--------|-------------|
+| `--force` | Actually remove orphaned resources (default is dry run) |
+
+This command reconciles disk state with runtime state and removes orphaned resources. Without `--force`, it performs a dry run showing what would be cleaned.
+
+**Detects:**
+
+| Type | Description |
+|------|-------------|
+| Orphaned files | Sandbox files on disk with no matching container |
+| Orphaned containers | Containers in runtime with no matching metadata on disk |
+| Stale metadata | Metadata files for sandboxes whose container no longer exists |
+
+**Examples:**
+
+```bash
+# Dry run - show what would be cleaned
+forage-ctl gc
+
+# Actually clean up orphaned resources
+forage-ctl gc --force
+```
+
+**Use cases:**
+
+- After a system crash that left containers in an inconsistent state
+- When manual cleanup left orphaned files
+- Periodic maintenance to reclaim disk space
+
+---
+
+### `help`
+
+Show help message.
+
+```bash
+forage-ctl help
+forage-ctl --help
+forage-ctl -h
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success |
+| 1 | General error |
+| 2 | Sandbox not found |
+| 3 | Template not found |
+| 4 | Port/slot allocation failed |
+| 5 | Container operation failed |
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `FORAGE_CONFIG_DIR` | `/etc/firefly-forage` | Configuration directory |
+| `FORAGE_STATE_DIR` | `/var/lib/firefly-forage` | State directory |
diff --git a/docs/src/usage/jj-workspaces.md b/docs/src/usage/jj-workspaces.md
new file mode 100644
index 0000000..2ebe9f4
--- /dev/null
+++ b/docs/src/usage/jj-workspaces.md
@@ -0,0 +1,258 @@
+# JJ Workspaces
+
+Forage integrates with [Jujutsu (jj)](https://github.com/martinvonz/jj) to enable multiple agents working on the same repository simultaneously, each with an isolated working copy.
+
+## Overview
+
+When you use `--repo` with a JJ repository (without the `--direct` flag), Forage:
+
+1. Creates a JJ workspace at `/var/lib/forage/workspaces/<name>`
+2. Bind mounts this workspace to `/workspace` in the container
+3. Bind mounts the source repo's `.jj` directory so the workspace symlink resolves
+
+Each sandbox gets its own working copy of the files, but they all share the repository's operation log and history.
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│ Host                                                                │
+│                                                                     │
+│  ~/projects/myrepo/                                                 │
+│  ├── .jj/              ◄─────────────────────────┐                  │
+│  ├── src/                                        │ shared           │
+│  └── ...                                         │                  │
+│                                                  │                  │
+│  /var/lib/forage/workspaces/                     │                  │
+│  ├── agent-a/        ◄── jj workspace ───────────┤                  │
+│  │   ├── src/        (separate working copy)     │                  │
+│  │   └── ...                                     │                  │
+│  └── agent-b/        ◄── jj workspace ───────────┘                  │
+│      ├── src/        (separate working copy)                        │
+│      └── ...                                                        │
+│                                                                     │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+## Creating JJ Sandboxes
+
+### Prerequisites
+
+Your project must be a JJ repository:
+
+```bash
+cd ~/projects/myrepo
+jj git init --colocate  # or jj init
+```
+
+### Create Multiple Sandboxes
+
+```bash
+# First agent
+forage-ctl up agent-a --template claude --repo ~/projects/myrepo
+
+# Second agent on the same repo
+forage-ctl up agent-b --template claude --repo ~/projects/myrepo
+
+# Third agent with a different template
+forage-ctl up agent-c --template multi --repo ~/projects/myrepo
+```
+
+Each sandbox appears as a JJ workspace:
+
+```bash
+jj workspace list -R ~/projects/myrepo
+```
+
+Output:
+```
+default: abc123 (no description set)
+agent-a: def456 (empty) (no description set)
+agent-b: ghi789 (empty) (no description set)
+agent-c: jkl012 (empty) (no description set)
+```
+
+## Working with JJ Inside Sandboxes
+
+When you connect to a JJ sandbox, the skill injection includes JJ-specific instructions:
+
+```bash
+forage-ctl ssh agent-a
+```
+
+Inside the sandbox, use JJ commands:
+
+```bash
+# Show status
+jj status
+
+# Show changes
+jj diff
+
+# Create a new change
+jj new
+
+# Describe your change
+jj describe -m "Add feature X"
+
+# See all changes
+jj log
+```
+
+## Isolation Benefits
+
+### Parallel Work
+
+Each agent works on a separate JJ change:
+
+```
+agent-a: Working on feature-auth
+agent-b: Working on feature-api
+agent-c: Reviewing and testing
+```
+
+Changes don't interfere—each workspace has its own working copy.
+
+### Easy Coordination
+
+From the host, you can see all work:
+
+```bash
+# See all changes from all workspaces
+jj log -R ~/projects/myrepo
+
+# Squash agent work into main
+jj squash --from agent-a -R ~/projects/myrepo
+```
+
+### Safe Experimentation
+
+If an agent makes a mess:
+
+```bash
+# Reset just that sandbox
+forage-ctl reset agent-a
+
+# Or abandon the change in JJ
+jj abandon agent-a -R ~/projects/myrepo
+```
+
+## Cleanup
+
+When you remove a JJ sandbox, Forage:
+
+1. Runs `jj workspace forget <name>`
+2. Removes the workspace directory
+3. Cleans up container and metadata
+
+```bash
+forage-ctl down agent-a
+```
+
+The changes made in that workspace remain in the repository history—only the workspace is removed.
+
+## Workspace Modes
+
+Forage automatically detects the workspace mode based on the repository type:
+
+| Mode | Condition | Behavior |
+|------|-----------|----------|
+| Direct | `--direct` flag used | Mounts directory directly at `/workspace` |
+| JJ workspace | Path contains `.jj/` | Creates isolated JJ workspace |
+| Git worktree | Path contains `.git/` | Creates git worktree with branch `forage-<name>` |
+
+### Comparison
+
+| Aspect | Direct (`--direct`) | JJ workspace | Git worktree |
+|--------|---------------------|--------------|--------------|
+| Working directory | Direct bind mount | JJ workspace | Git worktree |
+| Multiple sandboxes | Need separate directories | Share same repo | Share same repo |
+| Isolation | File-level (same files) | Change-level (JJ) | Branch-level (git) |
+| VCS | Any (git, jj, etc.) | JJ only | Git only |
+| Cleanup | Removes skill files | Forgets JJ workspace | Removes git worktree |
+
+**Use `--direct` when:**
+- Simple single-agent workflow
+- Project doesn't use JJ or git
+- You want direct file access without VCS isolation
+
+**Use JJ repos (auto-detected) when:**
+- Multiple agents on same codebase
+- You want change isolation
+- Project uses JJ for version control
+
+**Use Git repos (auto-detected) when:**
+- Multiple agents on same git repository
+- Each agent works on a separate branch (auto-created as `forage-<name>`)
+
+## Composable JJ Mounts
+
+With [workspace mounts](./workspace-mounts.md), you can create multiple JJ workspaces within a single sandbox. A common pattern is overlaying a beads branch alongside the main workspace:
+
+```nix
+templates.claude-beads = {
+  agents.claude = { ... };
+
+  workspace.mounts.main = {
+    containerPath = "/workspace";
+    mode = "jj";
+  };
+
+  workspace.useBeads = {
+    enable = true;
+    package = pkgs.beads;
+  };
+};
+```
+
+```bash
+forage-ctl up agent-a -t claude-beads --repo ~/projects/myrepo
+```
+
+This creates two JJ workspaces from the same repository:
+- `/workspace` — the main working copy
+- `/workspace/.beads` — checking out the `beads-sync` branch
+
+Each mount gets its own managed workspace directory under `/var/lib/firefly-forage/workspaces/<sandbox>/<mount-name>/`.
+
+You can also mount JJ workspaces from different repositories using named repos:
+
+```bash
+forage-ctl up dev -t multi-repo \
+  --repo ~/projects/frontend \
+  --repo backend=~/projects/backend
+```
+
+See [Workspace Mounts](./workspace-mounts.md) for the full guide.
+
+## Troubleshooting
+
+### "Not a jj repository"
+
+The path doesn't contain a `.jj/repo` directory:
+
+```bash
+# Initialize JJ
+cd ~/projects/myrepo
+jj git init --colocate
+```
+
+### "JJ workspace already exists"
+
+A workspace with that name already exists in the repo:
+
+```bash
+# Check existing workspaces
+jj workspace list -R ~/projects/myrepo
+
+# Use a different sandbox name, or remove the existing workspace
+jj workspace forget existingname -R ~/projects/myrepo
+```
+
+### JJ commands fail inside sandbox
+
+Ensure the source repo's `.jj` directory is accessible. The sandbox needs the bind mount to resolve the workspace symlink. This should be automatic—if it's not working, check:
+
+```bash
+# Inside sandbox
+ls -la /workspace/.jj/
+# Should show a symlink to the repo's .jj directory
+```
diff --git a/docs/src/usage/skill-injection.md b/docs/src/usage/skill-injection.md
new file mode 100644
index 0000000..b753555
--- /dev/null
+++ b/docs/src/usage/skill-injection.md
@@ -0,0 +1,150 @@
+# Skill Injection
+
+Forage automatically injects "skills"—configuration files that teach AI agents about the sandbox environment and available tools.
+
+## How It Works
+
+When a sandbox is created, Forage generates `.claude/forage-skills.md` in the workspace directory. This file is automatically loaded by Claude Code alongside any existing project instructions.
+
+```
+workspace/
+├── .claude/
+│   ├── forage-skills.md    ◄── Injected by Forage
+│   └── settings.json       ◄── Your project settings (untouched)
+├── CLAUDE.md               ◄── Your project instructions (untouched)
+└── src/
+```
+
+## Injected Content
+
+The generated skill file includes:
+
+### Environment Information
+
+```markdown
+# Forage Sandbox Skills
+
+You are running inside a Firefly Forage sandbox named `myproject`.
+
+## Environment
+
+- **Workspace**: `/workspace` (your working directory)
+- **Network**: Full internet access
+- **Session**: tmux session `forage` (persistent across reconnections)
+```
+
+### Available Agents
+
+Lists the agents configured in the template:
+
+```markdown
+## Available Agents
+
+claude
+```
+
+### JJ Instructions (if applicable)
+
+For sandboxes created with `--repo`:
+
+```markdown
+## Version Control: JJ (Jujutsu)
+
+This workspace uses `jj` for version control:
+
+- `jj status` - Show working copy status
+- `jj diff` - Show changes
+- `jj new` - Create new change
+- `jj describe -m ""` - Set commit message
+- `jj bookmark set` - Update bookmark
+
+This is an isolated jj workspace - changes don't affect other workspaces.
+```
+
+### Sandbox Constraints
+
+```markdown
+## Sandbox Constraints
+
+- The root filesystem is ephemeral (tmpfs) - changes outside /workspace are lost on restart
+- `/nix/store` is read-only (shared from host)
+- `/workspace` is your persistent working directory
+- Secrets are mounted read-only at `/run/secrets/`
+```
+
+### Nix Usage
+
+```markdown
+## Installing Additional Tools
+
+Any tool not pre-installed can be used via Nix:
+
+- `nix run nixpkgs#ripgrep -- --help` - Run a tool once
+- `nix shell nixpkgs#jq nixpkgs#yq` - Enter a shell with multiple tools
+- `nix run github:owner/repo` - Build and run a flake
+
+This works because `/nix/store` is shared (read-only) and the Nix daemon
+handles all builds on the host.
+```
+
+### Tips and Sub-Agent Information
+
+```markdown
+## Tips
+
+- Use `tmux` for long-running processes
+- All project work should be done in `/workspace`
+- The sandbox can be reset with `forage-ctl reset myproject` from the host
+
+## Sub-Agent Spawning
+
+When spawning sub-agents (e.g., with Claude Code's Task tool):
+- Sub-agents share this same sandbox environment
+- Use tmux windows/panes for parallel agent work
+- Each sub-agent has access to the same workspace and tools
+```
+
+## Skill Priority
+
+Claude Code loads instructions in this order:
+
+1. **Project CLAUDE.md** - Your existing project instructions (highest priority)
+2. **Forage skills** - Injected `.claude/forage-skills.md`
+3. **User settings** - From `.claude/settings.json`
+
+The Forage skills supplement rather than override your project documentation.
+
+## Cleanup
+
+When a sandbox is removed with `forage-ctl down`:
+
+- **Direct mode (`--workspace`)**: The skill file is removed from the workspace
+- **JJ mode (`--repo`)**: The entire workspace directory is removed, including skills
+- **Git worktree mode (`--git-worktree`)**: The worktree is removed, including skills
+
+## Composite Workspace Layout
+
+For sandboxes with [composable workspace mounts](./workspace-mounts.md), the skill file includes a description of the full mount layout:
+
+```markdown
+## Workspace Layout
+
+Your workspace contains multiple mount sources:
+- /workspace: jj workspace from ~/projects/myrepo
+- /workspace/.beads: jj workspace (branch beads-sync) from ~/projects/myrepo
+- /workspace/data: direct mount from ~/datasets (read-only)
+```
+
+This gives the agent context about what's mounted where and how each path is managed.
+
+## Dynamic Skill Generation
+
+Skills are dynamically generated based on project analysis. The skills analyzer (`internal/skills/analyzer.go`) detects:
+
+- **Project type**: Go, Rust, Python, Node/TypeScript, Nix, and more
+- **Build system**: detected build commands (e.g., `go build`, `cargo build`, `npm run build`)
+- **Test commands**: detected test runners (e.g., `go test ./...`, `cargo test`, `pytest`)
+- **Frameworks**: detected web frameworks and libraries
+- **VCS**: Git or JJ repository detection
+
+Based on detection results, the injected skill content includes project-specific guidance for the agent (build/test commands, VCS workflow tips, etc.).
diff --git a/docs/src/usage/workspace-mounts.md b/docs/src/usage/workspace-mounts.md
new file mode 100644
index 0000000..3449d4d
--- /dev/null
+++ b/docs/src/usage/workspace-mounts.md
@@ -0,0 +1,338 @@
+# Workspace Mounts
+
+Forage supports composable workspace mounts, allowing you to assemble a sandbox's filesystem from multiple sources. Instead of a single `--repo` mapped to `/workspace`, you can mount multiple repositories, overlay branches, and mix VCS-backed and literal bind mounts.
+
+## Overview
+
+The traditional single-workspace model mounts one directory at `/workspace`:
+
+```bash
+forage-ctl up myproject -t claude --repo ~/projects/myrepo
+```
+
+With composable mounts, a template can declare multiple mount points:
+
+```
+/workspace          ← jj workspace from ~/projects/myrepo
+/workspace/.beads   ← jj workspace (branch beads-sync) from same repo
+/workspace/data     ← direct bind mount from ~/datasets
+```
+
+No mount is special-cased as "root" — you could have `/workspace/proj1` and `/workspace/proj2` with nothing at `/workspace` itself.
+
+## Configuring Mounts in Templates
+
+Mounts are declared in your NixOS configuration under `workspace.mounts`. Each mount is keyed by a stable name:
+
+```nix
+services.firefly-forage.templates.my-template = {
+  agents.claude = { ... };
+
+  workspace.mounts = {
+    main = {
+      containerPath = "/workspace";
+      mode = "jj";
+      # repo = null → uses default --repo from CLI
+    };
+
+    data = {
+      containerPath = "/workspace/data";
+      repo = "data";  # references --repo data=<path>
+      mode = "git-worktree";
+    };
+
+    config = {
+      containerPath = "/workspace/.config";
+      hostPath = "~/shared-config";  # literal bind mount
+      readOnly = true;
+    };
+  };
+};
+```
+
+### Mount Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `containerPath` | string | (required) | Mount point inside the container |
+| `hostPath` | string or null | `null` | Literal host path for bind mount. Mutually exclusive with `repo`. |
+| `repo` | string or null | `null` | Repo reference (see [Repo Resolution](#repo-resolution)) |
+| `mode` | `"jj"`, `"git-worktree"`, `"direct"`, or null | `null` (auto-detect) | VCS mode for repo-backed mounts |
+| `branch` | string or null | `null` | Branch/ref to check out (VCS mounts only) |
+| `readOnly` | bool | `false` | Mount as read-only |
+
+### Repo Resolution
+
+The `repo` field controls where a mount's source comes from:
+
+| Value | Behavior |
+|-------|----------|
+| `null` or `""` | Uses the default (unnamed) `--repo` value from CLI |
+| `"<name>"` | Looks up the named repo from `--repo <name>=<path>` |
+| `"/absolute/path"` | Literal path, no CLI lookup needed |
+
+When a mount specifies `hostPath` instead of `repo`, it becomes a direct bind mount — no VCS workspace is created.
+
+## Named Repo Parameters
+
+The `--repo` flag supports both unnamed (default) and named parameters:
+
+```bash
+# Default repo (used by mounts with repo = null)
+forage-ctl up mysandbox -t my-template --repo ~/projects/myrepo
+
+# Default repo + named repo
+forage-ctl up mysandbox -t my-template \
+  --repo ~/projects/myrepo \
+  --repo data=~/datasets/my-data
+
+# Multiple named repos (no default)
+forage-ctl up mysandbox -t my-template \
+  --repo main=~/projects/myrepo \
+  --repo data=~/datasets/my-data
+```
+
+The `--repo` flag is repeatable. Values containing `=` are parsed as `name=path`; values without `=` set the default repo.
+
+### When `--repo` Is Optional
+
+If every mount in the template specifies either `hostPath` or an absolute `repo` path, the `--repo` flag is not required:
+
+```nix
+workspace.mounts = {
+  project = {
+    containerPath = "/workspace";
+    repo = "/home/user/projects/myrepo";  # absolute path
+  };
+  config = {
+    containerPath = "/workspace/.config";
+    hostPath = "/etc/shared-config";  # literal bind mount
+  };
+};
+```
+
+```bash
+# No --repo needed
+forage-ctl up mysandbox -t self-contained
+```
+
+## Backward Compatibility
+
+Templates without `workspace.mounts` behave exactly as before — `--repo` creates a single auto-detected mount at the configured workspace path. All existing workflows continue to work unchanged.
+
+```bash
+# This still works identically to before
+forage-ctl up myproject -t claude --repo ~/projects/myrepo
+forage-ctl up myproject -t claude --repo ~/projects/myrepo --direct
+```
+
+## VCS Mode Behavior
+
+Each repo-backed mount gets its own VCS workspace:
+
+| Mode | What Happens |
+|------|-------------|
+| `jj` | Creates a JJ workspace at the managed path. If `branch` is set, checks out that branch. |
+| `git-worktree` | Creates a git worktree with branch `forage-<sandbox>-<mount>`. |
+| `direct` | Bind mounts the repo path directly (no workspace isolation). |
+| `null` (auto-detect) | Detects `.jj/` → jj, `.git/` → git-worktree, otherwise → direct. |
+
+Managed workspace directories are created under `/var/lib/firefly-forage/workspaces/<sandbox>/<mount-name>/`, one subdirectory per VCS-backed mount.
+
+## `useBeads` Convenience Option
+
+The `workspace.useBeads` option provides a shorthand for a common pattern — overlaying a beads workspace:
+
+```nix
+services.firefly-forage.templates.with-beads = {
+  agents.claude = { ... };
+
+  workspace.mounts.main = {
+    containerPath = "/workspace";
+    mode = "jj";
+  };
+
+  workspace.useBeads = {
+    enable = true;
+    branch = "beads-sync";        # default
+    containerPath = "/workspace/.beads";  # default
+    package = pkgs.beads;         # added to extraPackages
+    # repo = null;                # null → inherits default --repo
+  };
+};
+```
+
+When `useBeads.enable = true`, the Nix module automatically:
+
+1. Injects a mount named `beads` into `workspace.mounts` (jj mode, specified branch, at `containerPath`)
+2. Adds the `package` to `extraPackages` (if set)
+
+### `useBeads` Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enable` | bool | `false` | Enable the beads workspace overlay |
+| `branch` | string | `"beads-sync"` | Branch to check out in the beads workspace |
+| `package` | package or null | `null` | Beads package to install in the sandbox |
+| `containerPath` | string | `"/workspace/.beads"` | Mount point inside the container |
+| `repo` | string or null | `null` | Repo reference (`null` → inherit default `--repo`) |
+
+## Examples
+
+### Single Repo with Beads Overlay
+
+The most common multi-mount pattern — a primary workspace with a beads branch overlaid:
+
+```nix
+templates.claude-beads = {
+  description = "Claude with beads";
+
+  agents.claude = {
+    package = pkgs.claude-code;
+    secretName = "anthropic";
+    authEnvVar = "ANTHROPIC_API_KEY";
+  };
+
+  workspace.mounts.main = {
+    containerPath = "/workspace";
+    mode = "jj";
+  };
+
+  workspace.useBeads = {
+    enable = true;
+    package = pkgs.beads;
+  };
+
+  extraPackages = with pkgs; [ ripgrep fd jq ];
+};
+```
+
+```bash
+forage-ctl up agent-a -t claude-beads --repo ~/projects/myrepo
+```
+
+Inside the sandbox:
+```
+/workspace/           ← jj workspace (main working copy)
+/workspace/.beads/    ← jj workspace (beads-sync branch)
+```
+
+### Monorepo with Multiple Services
+
+Mount different parts of a monorepo at different paths:
+
+```nix
+templates.monorepo = {
+  description = "Multi-service development";
+
+  agents.claude = { ... };
+
+  workspace.mounts = {
+    frontend = {
+      containerPath = "/workspace/frontend";
+      repo = "frontend";
+      mode = "jj";
+    };
+    backend = {
+      containerPath = "/workspace/backend";
+      repo = "backend";
+      mode = "jj";
+    };
+    shared = {
+      containerPath = "/workspace/shared";
+      hostPath = "~/projects/shared-libs";
+      readOnly = true;
+    };
+  };
+};
+```
+
+```bash
+forage-ctl up dev -t monorepo \
+  --repo frontend=~/projects/frontend \
+  --repo backend=~/projects/backend
+```
+
+### Read-Only Reference Mount
+
+Mount documentation or reference data alongside the workspace:
+
+```nix
+templates.with-docs = {
+  agents.claude = { ... };
+
+  workspace.mounts = {
+    main = {
+      containerPath = "/workspace";
+      mode = "jj";
+    };
+    docs = {
+      containerPath = "/workspace/reference";
+      hostPath = "~/docs/api-reference";
+      readOnly = true;
+    };
+  };
+};
+```
+
+## Mount Validation
+
+Before creating any VCS workspaces, Forage validates the mount configuration:
+
+- **Duplicate container paths**: Two mounts claiming the same path is an error
+- **Repo resolution**: A mount referencing a named repo not provided via `--repo` is an error
+- **Source existence**: `hostPath` that doesn't exist or `repo` path that isn't a valid directory is an error
+- **Rollback on failure**: If creating a VCS workspace fails partway through, all previously-created workspaces for that sandbox are rolled back
+
+## Cleanup
+
+When you remove a sandbox with `forage-ctl down`, each mount is cleaned up individually:
+
+- **VCS-backed mounts** (jj, git-worktree): The workspace/worktree is removed via the appropriate VCS command
+- **Literal bind mounts** (`hostPath`): No cleanup needed — the host directory is left untouched
+- **Managed directories**: The subdirectory under `/var/lib/firefly-forage/workspaces/<sandbox>/` is removed
+
+## Skill Injection with Multiple Mounts
+
+When a sandbox has multiple mounts, the injected skill file describes the composite layout:
+
+```markdown
+## Workspace Layout
+
+Your workspace contains multiple mount sources:
+- /workspace: jj workspace from ~/projects/myrepo
+- /workspace/.beads: jj workspace (branch beads-sync) from ~/projects/myrepo
+- /workspace/data: direct mount from ~/datasets (read-only)
+```
+
+This gives the agent full context about what's mounted where and how each mount is managed.
+
+## Metadata
+
+Multi-mount sandboxes store mount information in their metadata:
+
+```json
+{
+  "name": "myproject",
+  "template": "claude-beads",
+  "workspaceMounts": [
+    {
+      "name": "main",
+      "containerPath": "/workspace",
+      "hostPath": "/var/lib/firefly-forage/workspaces/myproject/main",
+      "sourceRepo": "/home/user/projects/myrepo",
+      "mode": "jj"
+    },
+    {
+      "name": "beads",
+      "containerPath": "/workspace/.beads",
+      "hostPath": "/var/lib/firefly-forage/workspaces/myproject/beads",
+      "sourceRepo": "/home/user/projects/myrepo",
+      "mode": "jj",
+      "branch": "beads-sync"
+    }
+  ]
+}
+```
+
+Legacy single-workspace fields (`workspace`, `workspaceMode`, `sourceRepo`) are still populated for backward compatibility with older tooling.
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..4d79dae
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,606 @@
+{
+  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1758758545,
+        "narHash": "sha256-NU5WaEdfwF6i8faJ2Yh+jcK9vVFrofLcwlD/mP65JrI=",
+        "rev": "95d528a5f54eaba0d12102249ce42f4d01f4e364",
+        "revCount": 764,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/ipetkov/crane/0.21.1/01997e40-19a9-7bc6-9dba-0585d6ed9a98/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/ipetkov/crane/0"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "darwin-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772129556,
+        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "nix-darwin-25.11",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "darwin-stable": {
+      "locked": {
+        "lastModified": 1773757037,
+        "narHash": "sha256-NBnGaZvJvz+cdpHUwtBw/PcTEP/gD02pL76wERzRDFk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "69ba8f9b9132e83a2e2aca3a810fe158a7072531",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-25.11-darwin",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "devenv-root": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=",
+        "type": "file",
+        "url": "file:///dev/null"
+      },
+      "original": {
+        "type": "file",
+        "url": "file:///dev/null"
+      }
+    },
+    "devshell": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768818222,
+        "narHash": "sha256-460jc0+CZfyaO8+w8JNtlClB2n4ui1RbHfPTLkpwhU8=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "255a2b1725a20d060f566e4755dbf571bbbb5f76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1773818109,
+        "narHash": "sha256-Wsk92HrZODmCgBb+v7XfTMUAIEhqU+Obwj+09IKRTpU=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "b8b443c5a1bd8dd99df899b4ac786a7f410193e5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
+    "fh": {
+      "inputs": {
+        "crane": "crane",
+        "fenix": [
+          "nix-pins",
+          "fenix"
+        ],
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761780713,
+        "narHash": "sha256-EUCV7/J9wJRroCGW5JqonFJIqcvJEBAwB7l3eWYxiSk=",
+        "rev": "4f001f2e1de4776f01cf22d1de815f1016a4c4c9",
+        "revCount": 786,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/fh/0.1.27/019a355b-4c74-769d-a9ad-232df447089d/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/DeterminateSystems/fh/%2A"
+      }
+    },
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nix-pins",
+          "nixpkgs-lib"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772408722,
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-root": {
+      "locked": {
+        "lastModified": 1723604017,
+        "narHash": "sha256-rBtQ8gg+Dn4Sx/s+pvjdq3CB2wQNzx9XGFq/JVGCB6k=",
+        "owner": "srid",
+        "repo": "flake-root",
+        "rev": "b759a56851e10cb13f6b8e5698af7b59c44be26e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "repo": "flake-root",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": [
+          "nix-pins",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773681845,
+        "narHash": "sha256-o8hrZrigP0JYcwnglCp8Zi8jQafWsxbDtRRPzuVwFxY=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "0759e0e137305bc9d0c52c204c6d8dffe6f601a6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "naersk": {
+      "inputs": {
+        "fenix": [
+          "nix-pins",
+          "fenix"
+        ],
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769799857,
+        "narHash": "sha256-88IFXZ7Sa1vxbz5pty0Io5qEaMQMMUPMonLa3Ls/ss4=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "9d4ed44d8b8cecdceb1d6fd76e74123d90ae6339",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nix-index-database": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773552174,
+        "narHash": "sha256-mHSRNrT1rjeYBgkAlj07dW3+1nFEgAd8Gu6lgyfT9DU=",
+        "owner": "nix-community",
+        "repo": "nix-index-database",
+        "rev": "8faeb68130df077450451b6734a221ba0d6cde42",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-index-database",
+        "type": "github"
+      }
+    },
+    "nix-pins": {
+      "inputs": {
+        "darwin": "darwin",
+        "darwin-stable": "darwin-stable",
+        "devshell": "devshell",
+        "fenix": "fenix",
+        "fh": "fh",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-root": "flake-root",
+        "flake-utils": "flake-utils",
+        "home-manager": "home-manager",
+        "naersk": "naersk",
+        "nix-index-database": "nix-index-database",
+        "nixos-generators": "nixos-generators",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-lib": "nixpkgs-lib",
+        "nixpkgs-master": "nixpkgs-master",
+        "nixpkgs-stable": "nixpkgs-stable",
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "sops-nix": "sops-nix",
+        "systems": "systems",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1773844693,
+        "narHash": "sha256-AtBZh2guf2ZCXAObaFvIuDuWZGiZmj//OkFN3ECWaDw=",
+        "owner": "firefly-engineering",
+        "repo": "nix-pins",
+        "rev": "59da26be0b6854cf39f5ca2679b8a80bffdecb77",
+        "type": "github"
+      },
+      "original": {
+        "owner": "firefly-engineering",
+        "repo": "nix-pins",
+        "type": "github"
+      }
+    },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769813415,
+        "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "8946737ff703382fda7623b9fab071d037e897d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773628058,
+        "narHash": "sha256-hpXH0z3K9xv0fHaje136KY872VT2T5uwxtezlAskQgY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f8573b9c935cfaa162dd62cc9e75ae2db86f85df",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1773734432,
+        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-master": {
+      "locked": {
+        "lastModified": 1773843647,
+        "narHash": "sha256-wDDgb/5vsDu4boVF9JOkDLR0Yh38VjE/mX8voR+v5yY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "95bf4ea089b3e3af92d1f7d9a3a00d3bc5384afc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1773705440,
+        "narHash": "sha256-xB30bbAp0e7ogSEYyc126mAJMt4FRFh8wtm6ADE1xuM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "48652e9d5aea46e555b3df87354280d4f29cd3a3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "nix-pins",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772893680,
+        "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nix-pins": "nix-pins",
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ],
+        "toolbox": "toolbox"
+      }
+    },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1773775226,
+        "narHash": "sha256-413aE+fhubk1GA2v4IlRrpdZZzW/b89wJGuDfZCVtEs=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "4eac290b58a70961e78f2e0c04f61a08b995b2cb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773698643,
+        "narHash": "sha256-VCiDjE8kNs8uCAK73Ezk1r3fFuc4JepvW07YFqaN968=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8237de83e8200d16fe0c4467b02a1c608ff28044",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "teller": {
+      "inputs": {
+        "nix-pins": [
+          "toolbox",
+          "nix-pins"
+        ],
+        "nixpkgs": [
+          "toolbox",
+          "teller",
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773845232,
+        "narHash": "sha256-wWncrIvRfWOSX04wfO0jLuyFx1rpw+Oq+BdKtZQnBcs=",
+        "owner": "firefly-engineering",
+        "repo": "teller",
+        "rev": "417b9fc87e9c4a00f08abb5cd82b86e2dd164727",
+        "type": "github"
+      },
+      "original": {
+        "owner": "firefly-engineering",
+        "repo": "teller",
+        "type": "github"
+      }
+    },
+    "toolbox": {
+      "inputs": {
+        "devenv": [],
+        "devenv-root": "devenv-root",
+        "nix-pins": [
+          "nix-pins"
+        ],
+        "nixpkgs": [
+          "toolbox",
+          "nix-pins",
+          "nixpkgs"
+        ],
+        "teller": "teller"
+      },
+      "locked": {
+        "lastModified": 1773864293,
+        "narHash": "sha256-OTxZVAuHwRavonP1JFzHVdkJLiwJd0h2+X9r0g5T4pg=",
+        "owner": "firefly-engineering",
+        "repo": "toolbox",
+        "rev": "27b7d92b31bca19d54b2cc71016667e3f0c49e0a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "firefly-engineering",
+        "repo": "toolbox",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pins",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773297127,
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..b3a7257
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,169 @@
+{
+  description = "Firefly Forage - Isolated sandboxes for AI coding agents";
+
+  inputs = {
+    nix-pins.url = "github:firefly-engineering/nix-pins";
+    nixpkgs.follows = "nix-pins/nixpkgs";
+    toolbox.url = "github:firefly-engineering/toolbox";
+    toolbox.inputs.nix-pins.follows = "nix-pins";
+    toolbox.inputs.devenv.follows = "";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      toolbox,
+      ...
+    }:
+    let
+      supportedSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "aarch64-darwin"
+        "x86_64-darwin"
+      ];
+
+      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+
+      pkgsFor = system: nixpkgs.legacyPackages.${system};
+    in
+    {
+      nixosModules = {
+        default = self.nixosModules.host;
+        host = import ./modules/host.nix { inherit self nixpkgs; };
+      };
+
+      darwinModules = {
+        default = self.darwinModules.host;
+        host = import ./modules/darwin.nix { inherit self; };
+      };
+
+      lib = import ./lib { inherit (nixpkgs) lib; };
+
+      packages = forAllSystems (
+        system:
+        let
+          pkgs = pkgsFor system;
+          isLinux = pkgs.stdenv.isLinux;
+
+          # Shared Go module source — used by forage-ctl and e2e tests.
+          # The Go workspace has a `replace` directive pointing to ../../images/forage-base,
+          # so the source must include both directories rooted at the repo root.
+          goSrc = pkgs.lib.fileset.toSource {
+            root = ./.;
+            fileset = pkgs.lib.fileset.unions [
+              ./packages/forage-ctl
+              ./images/forage-base
+            ];
+          };
+          goModRoot = "packages/forage-ctl";
+
+          e2e = import ./tests/e2e/vm.nix {
+            inherit
+              pkgs
+              self
+              goSrc
+              goModRoot
+              ;
+          };
+        in
+        {
+          forage-ctl = pkgs.callPackage ./packages/forage-ctl { inherit goSrc goModRoot; };
+          docs = pkgs.stdenvNoCC.mkDerivation {
+            pname = "firefly-forage-docs";
+            version = "0.1.0";
+            src = ./docs;
+            nativeBuildInputs = [ pkgs.mdbook ];
+            buildPhase = ''
+              mdbook build
+            '';
+            installPhase = ''
+              mv book $out
+            '';
+          };
+          default = self.packages.${system}.forage-ctl;
+        }
+        // nixpkgs.lib.optionalAttrs isLinux {
+          # E2E test VM (QEMU) - builds the bootable VM image
+          e2e-vm = e2e.vm;
+          # E2E test driver - boots VM and runs full lifecycle tests
+          e2e-driver = e2e.testDriver;
+        }
+      );
+
+      devShells = forAllSystems (
+        system:
+        let
+          pkgs = pkgsFor system;
+        in
+        {
+          default = pkgs.mkShell {
+            packages =
+              with pkgs;
+              [
+                # Go toolchain
+                go
+                gopls
+                gotools
+                go-tools # staticcheck
+                golangci-lint
+
+                # Nix tooling
+                nixfmt-tree
+                nil
+
+                # Documentation
+                mdbook
+
+                # Testing dependencies
+                git
+
+                # Task runner
+                just
+              ]
+              ++ (with toolbox.packages.${system}; [
+                beadwork-default
+                jj-default
+              ]);
+          };
+
+          # Minimal shell for CI — avoids pulling in toolbox (jj, beadwork, rust)
+          ci = pkgs.mkShell {
+            packages = with pkgs; [
+              go
+              golangci-lint
+              git
+            ];
+          };
+        }
+      );
+
+      formatter = forAllSystems (system: (pkgsFor system).nixfmt-tree);
+
+      # Integration tests (VM tests only work on Linux)
+      checks = forAllSystems (
+        system:
+        let
+          pkgs = pkgsFor system;
+          isLinux = pkgs.stdenv.isLinux;
+        in
+        {
+          # NixOS VM integration test using the actual module
+          # Only available on Linux systems
+          vm-integration =
+            if isLinux then
+              import ./tests/vm-integration.nix { inherit pkgs self; }
+            else
+              # Placeholder for non-Linux systems
+              pkgs.runCommand "vm-integration-unsupported" { } ''
+                echo "VM integration tests are only supported on Linux" > $out
+              '';
+
+          # Darwin module evaluation test — verifies darwin.nix produces correct config.
+          # Runs on all platforms (pure Nix evaluation, no VM needed).
+          darwin-eval = import ./tests/darwin-eval.nix { inherit pkgs self; };
+        }
+      );
+    };
+}
diff --git a/images/forage-base/Dockerfile b/images/forage-base/Dockerfile
new file mode 100644
index 0000000..79e706e
--- /dev/null
+++ b/images/forage-base/Dockerfile
@@ -0,0 +1,21 @@
+FROM nixos/nix:latest
+
+# Enable nix-command and flakes so `nix profile install` works out of the box.
+# The upstream nixos/nix image does not always have these enabled in nix.conf.
+RUN mkdir -p /etc/nix && \
+    echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+
+# git-minimal is already in the base image; only add what's missing.
+RUN nix profile install --profile /nix/var/nix/profiles/default --no-write-lock-file \
+    nixpkgs#tmux \
+    nixpkgs#jq \
+    && nix-collect-garbage -d
+
+# Create the agent user with a proper home directory.
+# OCI containers don't have NixOS user management, so we do it here.
+RUN mkdir -p /home/agent && \
+    echo "agent:x:1000:1000::/home/agent:/bin/bash" >> /etc/passwd && \
+    echo "agent:x:1000:" >> /etc/group
+
+ENV HOME=/home/agent
+WORKDIR /home/agent
diff --git a/images/forage-base/go.mod b/images/forage-base/go.mod
new file mode 100644
index 0000000..faff86e
--- /dev/null
+++ b/images/forage-base/go.mod
@@ -0,0 +1,3 @@
+module github.com/firefly-engineering/firefly-forage/images/forage-base
+
+go 1.24.2
diff --git a/images/forage-base/image.go b/images/forage-base/image.go
new file mode 100644
index 0000000..179a6db
--- /dev/null
+++ b/images/forage-base/image.go
@@ -0,0 +1,9 @@
+// Package image embeds the forage-base Dockerfile for local builds.
+package image
+
+import _ "embed"
+
+// Dockerfile is the forage-base Dockerfile content, embedded at compile time.
+//
+//go:embed Dockerfile
+var Dockerfile []byte
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..b7a72b0
--- /dev/null
+++ b/justfile
@@ -0,0 +1,96 @@
+# Firefly Forage development tasks
+
+# Default recipe - show available commands
+default:
+    @just --list
+
+# Build forage-ctl with nix
+build:
+    nix build .#forage-ctl
+
+# Run all Go tests
+test:
+    @just packages/forage-ctl/test
+
+# Run Go tests with verbose output
+test-v:
+    @just packages/forage-ctl/test-v
+
+# Run a specific test package
+test-pkg pkg:
+    @just packages/forage-ctl/test-pkg {{pkg}}
+
+# Run docker integration tests (requires docker daemon)
+test-docker:
+    @just packages/forage-ctl/test-docker
+
+# Run all Go tests including docker integration
+test-all:
+    @just packages/forage-ctl/test-all
+
+# Run NixOS VM integration test (uses actual nixosModule, Linux only)
+test-vm:
+    nix build .#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem').vm-integration
+
+# Run E2E tests in a QEMU VM (full sandbox lifecycle, Linux only, KVM recommended)
+test-e2e:
+    nix run .#e2e-driver
+
+# Run E2E tests against the current machine (post-deployment sanity check)
+test-e2e-local:
+    E2E_LOCAL=1 go test -tags=e2e -v -timeout=15m ./packages/forage-ctl/e2e/
+
+# Format all code
+fmt:
+    nix fmt -- .
+    @just packages/forage-ctl/fmt
+
+# Run Go linter
+lint:
+    @just packages/forage-ctl/lint
+
+# Fix Go linter issues
+lint-fix:
+    @just packages/forage-ctl/lint-fix
+
+# Build documentation
+docs:
+    nix build .#docs
+
+# Serve documentation locally
+docs-serve:
+    cd docs && mdbook serve
+
+# Check everything (fmt, lint, test, build, e2e)
+check: fmt lint test build _check-e2e
+
+# Run E2E tests if the system is eligible (Linux + KVM), skip otherwise
+[linux]
+_check-e2e:
+    #!/usr/bin/env bash
+    if [[ ! -e /dev/kvm ]]; then
+        echo "Skipping E2E tests: /dev/kvm not available"
+        exit 0
+    fi
+    just test-e2e
+
+[macos]
+_check-e2e:
+    @echo "Skipping E2E tests: not supported on macOS"
+
+[windows]
+_check-e2e:
+    @echo "Skipping E2E tests: not supported on Windows"
+
+# Clean build artifacts
+clean:
+    rm -rf result
+    @just packages/forage-ctl/clean
+
+# Update Go dependencies
+update-deps:
+    @just packages/forage-ctl/update-deps
+
+# Show flake outputs
+outputs:
+    nix flake show
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..38a75ad
--- /dev/null
+++ b/lib/default.nix
@@ -0,0 +1,43 @@
+{ lib }:
+let
+  # Generate an agent wrapper that injects auth from a secret file
+  mkAgentWrapper =
+    {
+      pkgs,
+      name,
+      package,
+      authEnvVar,
+      secretPath,
+    }:
+    pkgs.writeShellApplication {
+      inherit name;
+      runtimeInputs = [ package ];
+      text = ''
+        # Load auth from secret file into environment variable.
+        # Note: exported vars are visible via env/proc. This is
+        # obfuscation for UX convenience, not a security boundary.
+        if [ -f "${secretPath}" ]; then
+          export ${authEnvVar}="$(cat "${secretPath}")"
+        else
+          echo "Warning: Secret file not found: ${secretPath}" >&2
+        fi
+        exec ${lib.getExe package} "$@"
+      '';
+    };
+in
+{
+  # Generate NixOS container configuration for a sandbox
+  mkSandboxConfig = import ./mkSandboxConfig.nix { inherit lib mkAgentWrapper; };
+
+  # Generate skill injection content
+  mkSkillsContent = import ./skills.nix { inherit lib; };
+
+  inherit mkAgentWrapper;
+
+  # Network mode type
+  networkModes = [
+    "full"
+    "restricted"
+    "none"
+  ];
+}
diff --git a/lib/mkSandboxConfig.nix b/lib/mkSandboxConfig.nix
new file mode 100644
index 0000000..a2a3873
--- /dev/null
+++ b/lib/mkSandboxConfig.nix
@@ -0,0 +1,177 @@
+# Generate NixOS container configuration for a sandbox
+{ lib, mkAgentWrapper }:
+{
+  pkgs,
+  name,
+  template,
+  workspace,
+  sshPort,
+  hostUid,
+  hostGid,
+  authorizedKeys,
+  secretsPaths,
+  networkSlot,
+  username ? "agent",
+  workspacePath ? "/workspace",
+}:
+let
+  inherit (lib) mkForce optionalString;
+
+  homeDir = "/home/${username}";
+
+  # Container IP based on network slot (192.168.100.x)
+  containerIp = "192.168.100.${toString (networkSlot + 10)}";
+  hostIp = "192.168.100.1";
+
+  # Build agent wrappers from template using shared mkAgentWrapper
+  agentWrappers = lib.mapAttrsToList (
+    agentName: agentConfig:
+    mkAgentWrapper {
+      inherit pkgs;
+      name = agentName;
+      package = builtins.storePath agentConfig.packagePath;
+      authEnvVar = agentConfig.authEnvVar;
+      secretPath = "/run/secrets/${agentConfig.secretName}";
+    }
+  ) template.agents;
+
+  # Extra packages from template (stored as paths in JSON)
+  extraPackages = map builtins.storePath template.extraPackages;
+in
+{
+  # This is the NixOS container configuration
+  containers."forage-${name}" = {
+    # Ephemeral = tmpfs root, container state is not persisted
+    ephemeral = true;
+
+    # Private network with NAT
+    privateNetwork = true;
+    hostAddress = hostIp;
+    localAddress = containerIp;
+
+    # Forward SSH port from host to container
+    forwardPorts = [
+      {
+        containerPort = 22;
+        hostPort = sshPort;
+        protocol = "tcp";
+      }
+    ];
+
+    # Bind mounts
+    bindMounts = {
+      # Read-only nix store
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+
+      # Workspace directory (read-write)
+      "${workspacePath}" = {
+        hostPath = workspace;
+        isReadOnly = false;
+      };
+
+      # Secrets directory (read-only)
+      "/run/secrets" = {
+        hostPath = "/run/forage-secrets/${name}";
+        isReadOnly = true;
+      };
+    };
+
+    # Allow network access based on template
+    allowedDevices =
+      if template.network == "none" then
+        [ ]
+      else
+        [
+          {
+            node = "/dev/net/tun";
+            modifier = "rw";
+          }
+        ];
+
+    # Container NixOS configuration
+    config =
+      { config, pkgs, ... }:
+      {
+        # System basics
+        system.stateVersion = "24.11";
+
+        # No bootloader in container
+        boot.isContainer = true;
+
+        # Network configuration
+        networking = {
+          hostName = "forage-${name}";
+          firewall.allowedTCPPorts = [ 22 ];
+
+          # NAT for outbound connections
+          useHostResolvConf = mkForce true;
+          defaultGateway = hostIp;
+        };
+
+        # Create agent user with host UID/GID
+        users.users.${username} = {
+          isNormalUser = true;
+          uid = hostUid;
+          group = username;
+          home = homeDir;
+          shell = pkgs.bash;
+          openssh.authorizedKeys.keys = authorizedKeys;
+        };
+
+        users.groups.${username} = {
+          gid = hostGid;
+        };
+
+        # SSH server
+        services.openssh = {
+          enable = true;
+          settings = {
+            PermitRootLogin = "no";
+            PasswordAuthentication = false;
+          };
+        };
+
+        # Tmux session service
+        systemd.services.forage-tmux = {
+          description = "Forage tmux session for ${username}";
+          after = [ "multi-user.target" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "forking";
+            User = username;
+            Group = username;
+            WorkingDirectory = workspacePath;
+            ExecStart = "${pkgs.tmux}/bin/tmux new-session -d -s forage -c ${workspacePath}";
+            ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t forage";
+            Restart = "on-failure";
+            RestartSec = "5s";
+          };
+        };
+
+        # Packages available in the container
+        environment.systemPackages = [
+          pkgs.tmux
+          pkgs.git
+          pkgs.curl
+          pkgs.vim
+          pkgs.coreutils
+          pkgs.bash
+        ]
+        ++ agentWrappers
+        ++ extraPackages;
+
+        # Set PATH for agent
+        environment.variables = {
+          WORKSPACE = workspacePath;
+        };
+
+        # Sudo is disabled for the agent user by default.
+        # If specific privileged operations are needed, add fine-grained
+        # sudoers rules instead of blanket passwordless access.
+        security.sudo.enable = false;
+      };
+  };
+}
diff --git a/lib/skills.nix b/lib/skills.nix
new file mode 100644
index 0000000..a5f3df9
--- /dev/null
+++ b/lib/skills.nix
@@ -0,0 +1,82 @@
+# Generate skill injection content for .claude/forage-skills.md
+{ lib }:
+{
+  template,
+  sandboxName,
+}:
+let
+  agentNames = lib.attrNames template.agents;
+  # The agent list tells the AI which tools are available in this sandbox.
+  # Each agent entry maps to a configured AI coding agent (e.g., claude, aider)
+  # that has been provisioned with credentials and is ready to use.
+  agentList =
+    if agentNames == [ ] then
+      "No agents configured"
+    else
+      lib.concatMapStringsSep "\n" (name: "- `${name}` - AI coding agent") agentNames;
+
+  networkDesc =
+    {
+      full = "Full internet access";
+      restricted = "Restricted to allowed hosts: ${lib.concatStringsSep ", " template.allowedHosts}";
+      none = "No network access (air-gapped)";
+    }
+    .${template.network};
+in
+''
+  # Forage Sandbox Skills
+
+  You are running inside a Firefly Forage sandbox named `${sandboxName}`.
+
+  ## Environment
+
+  - **Workspace**: `/workspace` (your working directory)
+  - **Network**: ${networkDesc}
+  - **Session**: tmux session `forage` (persistent across reconnections)
+
+  ## Available Agents
+
+  ${agentList}
+
+  ## Sandbox Constraints
+
+  - The root filesystem is ephemeral (tmpfs) - changes outside /workspace are lost on restart
+  - `/nix/store` is read-only (shared from host)
+  - `/workspace` is your persistent working directory
+  - Secrets are mounted read-only at `/run/secrets/`
+
+  ## Installing Additional Tools
+
+  Any tool not pre-installed can be used via Nix. The sandbox has access to the
+  host's Nix daemon, so you can run any package from nixpkgs:
+
+  ```bash
+  # Run a tool once
+  nix run nixpkgs#ripgrep -- --help
+
+  # Enter a shell with multiple tools
+  nix shell nixpkgs#jq nixpkgs#yq
+
+  # Build and run a flake
+  nix run github:owner/repo
+  ```
+
+  This works because `/nix/store` is shared (read-only) and the Nix daemon
+  handles all builds on the host. New packages appear instantly in the sandbox.
+
+  ## Tips
+
+  - Use `tmux` for long-running processes - your session persists across SSH disconnections
+  - All project work should be done in `/workspace`
+  - The sandbox can be reset with `forage-ctl reset ${sandboxName}` from the host
+
+  ## Sub-Agent Spawning
+
+  When spawning sub-agents (e.g., with Claude Code's Task tool), be aware:
+  - Sub-agents share this same sandbox environment
+  - Use tmux windows/panes for parallel agent work
+  - Each sub-agent has access to the same workspace and tools
+
+  ---
+  *This file is auto-generated by Firefly Forage. Do not edit manually.*
+''
diff --git a/modules/config-gen.nix b/modules/config-gen.nix
new file mode 100644
index 0000000..5f311c3
--- /dev/null
+++ b/modules/config-gen.nix
@@ -0,0 +1,208 @@
+# Shared configuration generation logic for services.firefly-forage.
+# Used by both host.nix (NixOS) and darwin.nix (nix-darwin) to produce
+# config.json and template JSON files.
+{ lib }:
+let
+  inherit (lib)
+    mapAttrs
+    hasPrefix
+    filterAttrs
+    optionalAttrs
+    ;
+in
+rec {
+  # Resolve ~ to a user's home directory
+  resolveTilde =
+    userHome: path:
+    if path == null then
+      null
+    else if hasPrefix "~/" path then
+      userHome + (builtins.substring 1 (builtins.stringLength path - 1) path)
+    else if path == "~" then
+      userHome
+    else
+      path;
+
+  # Derive container config dir from host path
+  # e.g., ~/.claude -> /home/agent/.claude
+  deriveContainerPath =
+    containerUsername: hostPath:
+    let
+      baseName = baseNameOf hostPath;
+    in
+    "/home/${containerUsername}/${baseName}";
+
+  # Generate the template JSON for a single template.
+  # resolveTilde' should be a partially-applied (resolveTilde userHome).
+  mkTemplateJSON =
+    {
+      cfg,
+      template,
+      resolveTilde',
+    }:
+    let
+      # Merge explicit workspace.mounts with useBeads-injected mount
+      beadsMount =
+        if template.workspace.useBeads.enable then
+          {
+            beads = {
+              containerPath = template.workspace.useBeads.containerPath;
+              repo = template.workspace.useBeads.repo;
+              mode = "jj";
+              branch = template.workspace.useBeads.branch;
+              readOnly = false;
+              hostPath = null;
+            };
+          }
+        else
+          { };
+      allMounts = template.workspace.mounts // beadsMount;
+
+      # Merge useBeads package into extraPackages
+      beadsPackages =
+        if template.workspace.useBeads.enable && template.workspace.useBeads.package != null then
+          [ template.workspace.useBeads.package ]
+        else
+          [ ];
+      allExtraPackages = template.extraPackages ++ beadsPackages;
+    in
+    {
+      inherit (template)
+        description
+        network
+        allowedHosts
+        readOnlyWorkspace
+        ;
+      agents = mapAttrs (
+        agentName: agent:
+        let
+          resolvedHostConfigDir = resolveTilde' agent.hostConfigDir;
+          resolvedContainerConfigDir =
+            if agent.containerConfigDir != null then
+              agent.containerConfigDir
+            else if resolvedHostConfigDir != null then
+              deriveContainerPath cfg.containerUsername resolvedHostConfigDir
+            else
+              null;
+        in
+        {
+          inherit (agent) secretName authEnvVar hostConfigDirReadOnly;
+          packagePath = agent.package.pname;
+          hostConfigDir = resolvedHostConfigDir;
+          containerConfigDir = resolvedContainerConfigDir;
+          permissions =
+            if agent.permissions != null then
+              {
+                inherit (agent.permissions) skipAll allow deny;
+              }
+            else
+              null;
+        }
+      ) template.agents;
+      extraPackages = map (p: p.pname) allExtraPackages;
+    }
+    // optionalAttrs (allMounts != { }) {
+      workspaceMounts = mapAttrs (
+        mountName: mount:
+        filterAttrs (_: v: v != null) {
+          inherit (mount) containerPath readOnly;
+          hostPath = if mount.hostPath != null then resolveTilde' mount.hostPath else null;
+          repo = mount.repo;
+          mode = mount.mode;
+          branch = mount.branch;
+        }
+      ) allMounts;
+    }
+    //
+      optionalAttrs
+        (
+          template.resourceLimits.cpuQuota != null
+          || template.resourceLimits.memoryMax != null
+          || template.resourceLimits.tasksMax != null
+        )
+        {
+          resourceLimits = filterAttrs (_: v: v != null) {
+            cpuQuota = template.resourceLimits.cpuQuota;
+            memoryMax = template.resourceLimits.memoryMax;
+            tasksMax = template.resourceLimits.tasksMax;
+          };
+        }
+    // optionalAttrs (template.initCommands != [ ]) {
+      inherit (template) initCommands;
+    }
+    //
+      optionalAttrs
+        (
+          template.agentIdentity.gitUser != null
+          || template.agentIdentity.gitEmail != null
+          || template.agentIdentity.sshKeyPath != null
+        )
+        {
+          agentIdentity = filterAttrs (_: v: v != null) {
+            gitUser = template.agentIdentity.gitUser;
+            gitEmail = template.agentIdentity.gitEmail;
+            sshKeyPath =
+              if template.agentIdentity.sshKeyPath != null then
+                resolveTilde' (toString template.agentIdentity.sshKeyPath)
+              else
+                null;
+          };
+        };
+
+  # Generate the host config JSON.
+  mkHostConfigJSON =
+    {
+      cfg,
+      resolveTilde',
+      extraAttrs ? { },
+    }:
+    {
+      user = cfg.user;
+      secrets = cfg.secrets;
+      stateDir = cfg.stateDir;
+    }
+    // lib.optionalAttrs (cfg.containerUsername != "agent") {
+      containerUsername = cfg.containerUsername;
+    }
+    // lib.optionalAttrs (cfg.workspacePath != "/workspace") {
+      workspacePath = cfg.workspacePath;
+    }
+    //
+      lib.optionalAttrs
+        (
+          cfg.agentIdentity.gitUser != null
+          || cfg.agentIdentity.gitEmail != null
+          || cfg.agentIdentity.sshKeyPath != null
+        )
+        {
+          agentIdentity = filterAttrs (_: v: v != null) {
+            gitUser = cfg.agentIdentity.gitUser;
+            gitEmail = cfg.agentIdentity.gitEmail;
+            sshKeyPath =
+              if cfg.agentIdentity.sshKeyPath != null then
+                resolveTilde' (toString cfg.agentIdentity.sshKeyPath)
+              else
+                null;
+          };
+        }
+    // extraAttrs;
+
+  # Generate template etc entries (name -> { target, text })
+  mkTemplateEtcEntries =
+    {
+      cfg,
+      configDir,
+      resolveTilde',
+    }:
+    mapAttrs (name: template: {
+      target = "${configDir}/templates/${name}.json";
+      text = builtins.toJSON (
+        {
+          inherit name;
+        }
+        // mkTemplateJSON {
+          inherit cfg template resolveTilde';
+        }
+      );
+    }) cfg.templates;
+}
diff --git a/modules/darwin.nix b/modules/darwin.nix
new file mode 100644
index 0000000..3936aa8
--- /dev/null
+++ b/modules/darwin.nix
@@ -0,0 +1,114 @@
+# nix-darwin module for services.firefly-forage.
+# Uses shared option definitions (options.nix) and config generation (config-gen.nix)
+# to avoid duplication with the NixOS module (host.nix).
+#
+# Key differences from the NixOS module:
+# - No extra-container / systemd-nspawn (macOS uses Apple Container or Docker)
+# - No networking.nat (container runtimes handle their own networking)
+# - Uses system.activationScripts instead of systemd.tmpfiles
+# - Uses launchd.daemons instead of systemd.services
+# - No uid/gid/authorizedKeys/nixpkgs in config.json (NixOS-specific)
+{ self }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.firefly-forage;
+
+  sharedOptions = import ./options.nix { inherit lib; };
+  configGen = import ./config-gen.nix { inherit lib; };
+
+  inherit (lib) mkIf;
+
+  # On macOS, home directories are under /Users
+  userHome = "/Users/${cfg.user}";
+  resolveTilde' = configGen.resolveTilde userHome;
+
+  configDir = "firefly-forage";
+  forage-ctl = self.packages.${pkgs.stdenv.hostPlatform.system}.forage-ctl;
+
+in
+{
+  options.services.firefly-forage = sharedOptions.mkOptions {
+    defaultStateDir = "/var/lib/firefly-forage";
+  };
+
+  config = mkIf cfg.enable {
+    # Validate configuration
+    assertions = [
+      {
+        assertion = cfg.user != "";
+        message = "services.firefly-forage.user must be specified";
+      }
+      {
+        assertion = builtins.hasAttr cfg.user (config.users.users or { }) || cfg.user != "";
+        message = "services.firefly-forage.user '${cfg.user}' should be a valid system user";
+      }
+    ]
+    ++ lib.flatten (
+      lib.mapAttrsToList (
+        templateName: template:
+        lib.mapAttrsToList (
+          agentName: agent:
+          lib.optional (agent.secretName != null) {
+            assertion = cfg.secrets ? ${agent.secretName};
+            message = "Template '${templateName}' agent '${agentName}' references secret '${agent.secretName}' which is not defined in services.firefly-forage.secrets";
+          }
+        ) template.agents
+      ) cfg.templates
+    );
+
+    # Install forage-ctl
+    environment.systemPackages = [ forage-ctl ];
+
+    # Generate host configuration file and template configurations
+    environment.etc = {
+      "${configDir}/config.json" = {
+        text = builtins.toJSON (
+          configGen.mkHostConfigJSON {
+            inherit cfg resolveTilde';
+          }
+        );
+      };
+    }
+    // configGen.mkTemplateEtcEntries {
+      inherit cfg resolveTilde';
+      inherit configDir;
+    };
+
+    # Ensure state and secrets directories exist via activation script
+    system.activationScripts.postActivation.text = ''
+      mkdir -p "${cfg.stateDir}" "${cfg.stateDir}/sandboxes" "${cfg.stateDir}/workspaces"
+      chown ${cfg.user}:staff "${cfg.stateDir}" "${cfg.stateDir}/sandboxes" "${cfg.stateDir}/workspaces"
+      chmod 750 "${cfg.stateDir}" "${cfg.stateDir}/sandboxes" "${cfg.stateDir}/workspaces"
+
+      # Secrets directory — use a restrictive mode since it holds API keys.
+      # On macOS there is no tmpfs, but /var/lib is acceptable for development.
+      mkdir -p /run/forage-secrets
+      chown root:wheel /run/forage-secrets
+      chmod 700 /run/forage-secrets
+    '';
+
+    # Health monitor launchd service
+    launchd.daemons.forage-monitor = mkIf cfg.monitor.enable {
+      serviceConfig = {
+        Label = "com.firefly.forage-monitor";
+        ProgramArguments = [
+          "${forage-ctl}/bin/forage-ctl"
+          "monitor"
+          "--interval"
+          cfg.monitor.interval
+        ]
+        ++ lib.optionals cfg.monitor.autoRestart [ "--auto-restart" ];
+        RunAtLoad = true;
+        KeepAlive = true;
+        UserName = cfg.user;
+        StandardOutPath = "/var/log/forage-monitor.log";
+        StandardErrorPath = "/var/log/forage-monitor.log";
+      };
+    };
+  };
+}
diff --git a/modules/host.nix b/modules/host.nix
new file mode 100644
index 0000000..4a34009
--- /dev/null
+++ b/modules/host.nix
@@ -0,0 +1,142 @@
+{
+  self,
+  nixpkgs,
+}:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.firefly-forage;
+
+  sharedOptions = import ./options.nix { inherit lib; };
+  configGen = import ./config-gen.nix { inherit lib; };
+
+  inherit (lib) mkIf;
+
+  # Resolve ~ to the configured user's home directory
+  userHome = config.users.users.${cfg.user}.home or "/home/${cfg.user}";
+  resolveTilde' = configGen.resolveTilde userHome;
+
+in
+{
+  options.services.firefly-forage =
+    sharedOptions.mkOptions { defaultStateDir = "/var/lib/firefly-forage"; }
+    // {
+      externalInterface = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = ''
+          External network interface for NAT. If null, NAT configuration
+          is skipped (useful when using an existing NAT setup or when
+          the interface name differs from the default).
+        '';
+        example = "eth0";
+      };
+    };
+
+  config = lib.mkMerge [
+    {
+      # Allow dynamically-installed systemd units (container service files)
+      # to be picked up by systemd from the mutable directory.
+      boot.extraSystemdUnitPaths = [ "/etc/systemd-mutable/system" ];
+
+      # Ensure the mutable services directory exists at boot.
+      systemd.tmpfiles.rules = [
+        "d /etc/systemd-mutable/system 0755 root root -"
+      ];
+    }
+    (mkIf cfg.enable {
+      # Validate configuration
+      assertions = [
+        {
+          assertion = cfg.user != "";
+          message = "services.firefly-forage.user must be specified";
+        }
+        {
+          assertion = lib.hasPrefix "/run/" "/run/forage-secrets";
+          message = "Secrets directory must be under /run (tmpfs) to prevent secrets from persisting on disk";
+        }
+      ]
+      ++ lib.flatten (
+        lib.mapAttrsToList (
+          templateName: template:
+          lib.mapAttrsToList (
+            agentName: agent:
+            # Only validate secret reference if secretName is specified
+            lib.optional (agent.secretName != null) {
+              assertion = cfg.secrets ? ${agent.secretName};
+              message = "Template '${templateName}' agent '${agentName}' references secret '${agent.secretName}' which is not defined in services.firefly-forage.secrets";
+            }
+          ) template.agents
+        ) cfg.templates
+      );
+
+      # Ensure state directory exists
+      # The configured user needs access to sandboxes and workspaces directories
+      systemd.tmpfiles.rules = [
+        "d ${cfg.stateDir} 0750 ${cfg.user} root -"
+        "d ${cfg.stateDir}/sandboxes 0750 ${cfg.user} root -"
+        "d ${cfg.stateDir}/workspaces 0750 ${cfg.user} root -"
+        # Secrets directory is under /run (tmpfs on NixOS) so secrets
+        # are never persisted to disk. Do not move this outside /run.
+        "d /run/forage-secrets 0700 root root -"
+      ];
+
+      # Install forage-ctl
+      environment.systemPackages = [
+        self.packages.${pkgs.stdenv.hostPlatform.system}.forage-ctl
+      ];
+
+      # Enable NAT for container networking (only if externalInterface is set)
+      networking.nat = mkIf (cfg.externalInterface != null) {
+        enable = true;
+        internalInterfaces = [ "ve-+" ];
+        externalInterface = cfg.externalInterface;
+      };
+
+      # Generate host configuration file and template configurations
+      environment.etc = {
+        "firefly-forage/config.json" = {
+          mode = "0644";
+          text = builtins.toJSON (
+            configGen.mkHostConfigJSON {
+              inherit cfg resolveTilde';
+              extraAttrs = {
+                uid = config.users.users.${cfg.user}.uid;
+                gid = config.users.groups.${config.users.users.${cfg.user}.group}.gid;
+                authorizedKeys = cfg.authorizedKeys;
+                nixpkgsPath = "${nixpkgs}";
+                # Nixpkgs revision for registry pinning
+                nixpkgsRev = nixpkgs.rev or "unknown";
+              };
+            }
+          );
+        };
+      }
+      // configGen.mkTemplateEtcEntries {
+        inherit cfg resolveTilde';
+        configDir = "firefly-forage";
+      };
+
+      # Health monitor systemd service
+      systemd.services.forage-monitor = mkIf cfg.monitor.enable {
+        description = "Firefly Forage Health Monitor";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          ExecStart = "${
+            self.packages.${pkgs.stdenv.hostPlatform.system}.forage-ctl
+          }/bin/forage-ctl monitor --interval ${cfg.monitor.interval}${
+            if cfg.monitor.autoRestart then " --auto-restart" else ""
+          }";
+          Restart = "on-failure";
+          RestartSec = "10s";
+          User = cfg.user;
+        };
+      };
+    })
+  ];
+}
diff --git a/modules/options.nix b/modules/options.nix
new file mode 100644
index 0000000..72f8a68
--- /dev/null
+++ b/modules/options.nix
@@ -0,0 +1,366 @@
+# Shared option definitions for services.firefly-forage.
+# Imported by both host.nix (NixOS) and darwin.nix (nix-darwin).
+{ lib }:
+let
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    types
+    ;
+
+  # Agent definition type
+  agentType = types.submodule {
+    options = {
+      package = mkOption {
+        type = types.package;
+        description = "The agent package to use";
+      };
+
+      secretName = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Name of the secret (key in services.firefly-forage.secrets). Optional if using hostConfigDir for credentials.";
+      };
+
+      authEnvVar = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Environment variable name for the auth token. Optional if using hostConfigDir for credentials.";
+        example = "ANTHROPIC_API_KEY";
+      };
+
+      hostConfigDir = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Host directory to mount for persistent agent configuration (supports ~ expansion)";
+        example = "~/.claude";
+      };
+
+      containerConfigDir = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Override container mount point (default: /home/<containerUsername>/.<dirname>)";
+        example = "/home/agent/.claude";
+      };
+
+      hostConfigDirReadOnly = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Mount the config directory as read-only (default: false to allow token refresh)";
+      };
+
+      permissions = mkOption {
+        type = types.nullOr (
+          types.submodule {
+            options = {
+              skipAll = mkOption {
+                type = types.bool;
+                default = false;
+                description = "Bypass all permission checks";
+              };
+              allow = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = "Permission rules to auto-approve (agent-specific format)";
+                example = [
+                  "Bash(npm run *)"
+                  "Edit"
+                  "Read"
+                ];
+              };
+              deny = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = "Permission rules to always block";
+                example = [ "Bash(rm -rf *)" ];
+              };
+            };
+          }
+        );
+        default = null;
+        description = "Agent permission rules. When null, no permission settings are generated.";
+      };
+    };
+  };
+
+  # Template definition type
+  templateType = types.submodule {
+    options = {
+      description = mkOption {
+        type = types.str;
+        default = "";
+        description = "Human-readable description of this template";
+      };
+
+      agents = mkOption {
+        type = types.attrsOf agentType;
+        default = { };
+        description = "Agents available in this sandbox";
+      };
+
+      extraPackages = mkOption {
+        type = types.listOf types.package;
+        default = [ ];
+        description = "Additional packages to include in the sandbox";
+      };
+
+      network = mkOption {
+        type = types.enum [
+          "full"
+          "restricted"
+          "none"
+        ];
+        default = "full";
+        description = ''
+          Network access mode:
+          - full: Unrestricted internet access
+          - restricted: Only allowed hosts can be accessed
+          - none: No network access
+        '';
+      };
+
+      allowedHosts = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "Allowed hosts when network = restricted";
+      };
+
+      readOnlyWorkspace = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Mount the workspace as read-only inside the sandbox (filesystem-level enforcement)";
+      };
+
+      resourceLimits = {
+        cpuQuota = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = "CPU quota for the container (e.g., '200%' for 2 cores)";
+          example = "200%";
+        };
+
+        memoryMax = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = "Memory limit for the container (e.g., '4G')";
+          example = "4G";
+        };
+
+        tasksMax = mkOption {
+          type = types.nullOr types.int;
+          default = null;
+          description = "Maximum number of tasks/processes in the container";
+          example = 512;
+        };
+      };
+
+      initCommands = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "Shell commands to run inside the container after creation. Failures warn but do not block creation.";
+        example = [
+          "npm install"
+          "pip install pytest"
+        ];
+      };
+
+      agentIdentity = {
+        gitUser = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = "Default git user.name for agents in sandboxes using this template";
+          example = "Template Agent";
+        };
+
+        gitEmail = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = "Default git user.email for agents in sandboxes using this template";
+          example = "template-agent@example.com";
+        };
+
+        sshKeyPath = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = "Path to SSH private key for agent push access in this template";
+          example = "/run/secrets/template-agent-ssh-key";
+        };
+      };
+
+      workspace = {
+        mounts = mkOption {
+          type = types.attrsOf (
+            types.submodule {
+              options = {
+                containerPath = mkOption {
+                  type = types.str;
+                  description = "Mount point inside the container (e.g., '/workspace/.beads')";
+                };
+                hostPath = mkOption {
+                  type = types.nullOr types.str;
+                  default = null;
+                  description = "Literal bind mount from host. Mutually exclusive with repo.";
+                };
+                repo = mkOption {
+                  type = types.nullOr types.str;
+                  default = null;
+                  description = "Repo reference: null/empty for default --repo, a name for named --repo, or an absolute path";
+                };
+                mode = mkOption {
+                  type = types.nullOr (
+                    types.enum [
+                      "jj"
+                      "git-worktree"
+                      "direct"
+                    ]
+                  );
+                  default = null;
+                  description = "VCS mode (null = auto-detect)";
+                };
+                branch = mkOption {
+                  type = types.nullOr types.str;
+                  default = null;
+                  description = "Branch/ref to check out (VCS mounts only)";
+                };
+                readOnly = mkOption {
+                  type = types.bool;
+                  default = false;
+                  description = "Mount as read-only";
+                };
+              };
+            }
+          );
+          default = { };
+          description = "Composable workspace mounts (keyed by name). When set, --repo becomes optional.";
+        };
+
+        useBeads = {
+          enable = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Enable beads workspace overlay";
+          };
+          branch = mkOption {
+            type = types.str;
+            default = "beads-sync";
+            description = "Branch to use for the beads workspace";
+          };
+          package = mkOption {
+            type = types.nullOr types.package;
+            default = null;
+            description = "Beads package to install";
+          };
+          containerPath = mkOption {
+            type = types.str;
+            default = "/workspace/.beads";
+            description = "Mount point for the beads workspace inside the container";
+          };
+          repo = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = "Repo reference for beads (null = inherit default --repo)";
+          };
+        };
+      };
+    };
+  };
+in
+{
+  inherit agentType templateType;
+
+  # The shared option tree under services.firefly-forage
+  mkOptions =
+    { defaultStateDir }:
+    {
+      enable = mkEnableOption "Firefly Forage AI sandbox system";
+
+      user = mkOption {
+        type = types.str;
+        description = "Host user whose UID/GID will be used in sandboxes";
+        example = "myuser";
+      };
+
+      authorizedKeys = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "SSH public keys authorized to access sandboxes";
+      };
+
+      secrets = mkOption {
+        type = types.attrsOf types.path;
+        default = { };
+        description = "Mapping of secret names to file paths containing API keys";
+        example = {
+          anthropic = "/run/secrets/anthropic-api-key";
+          openai = "/run/secrets/openai-api-key";
+        };
+      };
+
+      templates = mkOption {
+        type = types.attrsOf templateType;
+        default = { };
+        description = "Sandbox templates";
+      };
+
+      stateDir = mkOption {
+        type = types.path;
+        default = defaultStateDir;
+        description = "Directory for forage state and generated configs";
+      };
+
+      containerUsername = mkOption {
+        type = types.str;
+        default = "agent";
+        description = "Username for the agent user inside sandbox containers";
+      };
+
+      workspacePath = mkOption {
+        type = types.str;
+        default = "/workspace";
+        description = "Path to the workspace directory inside sandbox containers";
+      };
+
+      agentIdentity = {
+        gitUser = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = "Default git user.name for agent commits in sandboxes";
+          example = "Forage Agent";
+        };
+
+        gitEmail = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = "Default git user.email for agent commits in sandboxes";
+          example = "agent@example.com";
+        };
+
+        sshKeyPath = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = "Path to SSH private key for agent push access (e.g. sops-nix secret path)";
+          example = "/run/secrets/agent-ssh-key";
+        };
+      };
+
+      monitor = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Enable background health monitoring of sandboxes";
+        };
+
+        interval = mkOption {
+          type = types.str;
+          default = "60";
+          description = "Health check interval in seconds";
+        };
+
+        autoRestart = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Automatically restart unhealthy containers";
+        };
+      };
+    };
+}
diff --git a/packages/forage-ctl/.golangci.yml b/packages/forage-ctl/.golangci.yml
new file mode 100644
index 0000000..6a107c8
--- /dev/null
+++ b/packages/forage-ctl/.golangci.yml
@@ -0,0 +1,75 @@
+version: "2"
+
+run:
+  timeout: 5m
+  tests: true
+
+linters:
+  default: standard
+  enable:
+    - misspell
+    - unconvert
+    - unparam
+    - gosec
+  disable:
+    - prealloc  # Suggestions only, not errors
+
+  settings:
+    errcheck:
+      check-type-assertions: true
+      check-blank: false
+
+    govet:
+      enable-all: true
+      disable:
+        - fieldalignment
+
+    gosec:
+      excludes:
+        - G104  # Errors unhandled (covered by errcheck)
+        - G204  # Subprocess with variable - expected for sandbox tool
+        - G301  # Directory permissions 0755 - acceptable for non-secret dirs
+        - G304  # File path from variable - expected behavior
+        - G306  # File permissions 0644 - acceptable for config files
+        - G101  # Hardcoded credentials - false positive on constant names
+
+  exclusions:
+    rules:
+      - path: _test\.go
+        linters:
+          - errcheck
+          - gosec
+
+      - linters:
+          - unparam
+        text: "always receives"
+
+      # Allow unchecked errors on tabwriter/stdout writes
+      - linters:
+          - errcheck
+        text: "fmt\\.(Fprint|Fprintf|Fprintln)"
+
+      # Allow unchecked cleanup operations
+      - linters:
+          - errcheck
+        text: "(os\\.Remove|os\\.RemoveAll)"
+
+      # Suppress empty branch warnings - sometimes intentional
+      - linters:
+          - staticcheck
+        text: "SA9003"
+
+      # Style suggestion - capitalized error strings acceptable for user-facing
+      - linters:
+          - staticcheck
+        text: "ST1005"
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/firefly-engineering/firefly-forage
diff --git a/packages/forage-ctl/cmd/audit-log.go b/packages/forage-ctl/cmd/audit-log.go
new file mode 100644
index 0000000..b41e516
--- /dev/null
+++ b/packages/forage-ctl/cmd/audit-log.go
@@ -0,0 +1,59 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+)
+
+var auditLogCmd = &cobra.Command{
+	Use:   "audit-log <name>",
+	Short: "Display the audit trail for a sandbox",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runAuditLog,
+}
+
+var auditLogJSON bool
+
+func init() {
+	auditLogCmd.Flags().BoolVar(&auditLogJSON, "json", false, "Output events as JSON lines")
+	rootCmd.AddCommand(auditLogCmd)
+}
+
+func runAuditLog(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	p := paths()
+
+	auditLogger := audit.NewLogger(p.StateDir)
+	events, err := auditLogger.Events(name)
+	if err != nil {
+		return fmt.Errorf("failed to read audit log: %w", err)
+	}
+
+	if len(events) == 0 {
+		logInfo("No events found for sandbox %s", name)
+		return nil
+	}
+
+	for _, e := range events {
+		if auditLogJSON {
+			data, err := json.Marshal(e)
+			if err != nil {
+				return fmt.Errorf("failed to marshal event: %w", err)
+			}
+			fmt.Println(string(data))
+		} else {
+			ts := e.Timestamp.Local().Format("2006-01-02 15:04:05")
+			if e.Details != "" {
+				fmt.Printf("[%s] %-8s %s (%s)\n", ts, e.Type, e.Sandbox, e.Details)
+			} else {
+				fmt.Printf("[%s] %-8s %s\n", ts, e.Type, e.Sandbox)
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/claude.go b/packages/forage-ctl/cmd/claude.go
new file mode 100644
index 0000000..3e9803b
--- /dev/null
+++ b/packages/forage-ctl/cmd/claude.go
@@ -0,0 +1,119 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/agent"
+)
+
+var claudeCmd = &cobra.Command{
+	Use:   "claude",
+	Short: "Claude agent management",
+}
+
+var claudeTokenCmd = &cobra.Command{
+	Use:   "token",
+	Short: "Manage Claude OAuth token for sandboxes",
+}
+
+var claudeTokenStoreCmd = &cobra.Command{
+	Use:   "store <token>",
+	Short: "Store a long-lived Claude OAuth token",
+	Long: `Store a long-lived OAuth token generated by 'claude setup-token'.
+
+The token is valid for 1 year and is used to authenticate Claude Code
+inside sandboxes, which cannot access the host keychain.
+
+To generate a token:
+  1. Run: claude setup-token
+  2. Complete the browser authentication
+  3. Copy the token and run: forage-ctl claude token store <token>`,
+	Args: cobra.ExactArgs(1),
+	RunE: runClaudeTokenStore,
+}
+
+var claudeTokenStatusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show Claude OAuth token status",
+	RunE:  runClaudeTokenStatus,
+}
+
+var claudeTokenRemoveCmd = &cobra.Command{
+	Use:   "remove",
+	Short: "Remove stored Claude OAuth token",
+	RunE:  runClaudeTokenRemove,
+}
+
+func init() {
+	rootCmd.AddCommand(claudeCmd)
+	claudeCmd.AddCommand(claudeTokenCmd)
+	claudeTokenCmd.AddCommand(claudeTokenStoreCmd)
+	claudeTokenCmd.AddCommand(claudeTokenStatusCmd)
+	claudeTokenCmd.AddCommand(claudeTokenRemoveCmd)
+}
+
+func claudeTokenStore() *agent.TokenStore {
+	return agent.NewTokenStore(paths().StateDir)
+}
+
+func runClaudeTokenStore(cmd *cobra.Command, args []string) error {
+	token := strings.TrimSpace(args[0])
+	if token == "" {
+		return fmt.Errorf("token cannot be empty")
+	}
+
+	store := claudeTokenStore()
+	st, err := store.Store(token)
+	if err != nil {
+		return fmt.Errorf("failed to store token: %w", err)
+	}
+
+	logSuccess("Token stored (expires %s)", st.ExpiresAt.Format("2006-01-02"))
+	return nil
+}
+
+func runClaudeTokenStatus(cmd *cobra.Command, args []string) error {
+	store := claudeTokenStore()
+	status, st, err := store.Status()
+	if err != nil {
+		return fmt.Errorf("failed to check token: %w", err)
+	}
+
+	switch status {
+	case agent.TokenMissing:
+		logInfo("No Claude OAuth token stored")
+		fmt.Println("  Generate one with: claude setup-token")
+		fmt.Println("  Then store it with: forage-ctl claude token store <token>")
+	case agent.TokenExpired:
+		logWarning("Token expired on %s", st.ExpiresAt.Format("2006-01-02"))
+		fmt.Println("  Generate a new one with: claude setup-token")
+		fmt.Println("  Then store it with: forage-ctl claude token store <token>")
+	case agent.TokenExpiring:
+		remaining := time.Until(st.ExpiresAt)
+		days := int(remaining.Hours() / 24)
+		logWarning("Token expires in %d days (%s)", days, st.ExpiresAt.Format("2006-01-02"))
+		fmt.Printf("  Stored: %s\n", st.CreatedAt.Format("2006-01-02"))
+		fmt.Println("  Consider regenerating: claude setup-token")
+	case agent.TokenValid:
+		remaining := time.Until(st.ExpiresAt)
+		days := int(remaining.Hours() / 24)
+		logSuccess("Token valid (%d days remaining)", days)
+		fmt.Printf("  Stored:  %s\n", st.CreatedAt.Format("2006-01-02"))
+		fmt.Printf("  Expires: %s\n", st.ExpiresAt.Format("2006-01-02"))
+	}
+
+	return nil
+}
+
+func runClaudeTokenRemove(cmd *cobra.Command, args []string) error {
+	store := claudeTokenStore()
+	if err := store.Remove(); err != nil {
+		return fmt.Errorf("failed to remove token: %w", err)
+	}
+	logSuccess("Token removed")
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/cmd_test.go b/packages/forage-ctl/cmd/cmd_test.go
new file mode 100644
index 0000000..016dc58
--- /dev/null
+++ b/packages/forage-ctl/cmd/cmd_test.go
@@ -0,0 +1,440 @@
+package cmd
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+// testEnv holds test environment state
+type testEnv struct {
+	tmpDir     string
+	configDir  string
+	stateDir   string
+	secretsDir string
+}
+
+func setupTestEnv(t *testing.T) *testEnv {
+	t.Helper()
+
+	tmpDir := t.TempDir()
+
+	env := &testEnv{
+		tmpDir:     tmpDir,
+		configDir:  filepath.Join(tmpDir, "config"),
+		stateDir:   filepath.Join(tmpDir, "state"),
+		secretsDir: filepath.Join(tmpDir, "secrets"),
+	}
+
+	// Create directories
+	dirs := []string{
+		env.configDir,
+		env.stateDir,
+		env.secretsDir,
+		filepath.Join(env.stateDir, "sandboxes"),
+		filepath.Join(env.stateDir, "workspaces"),
+		filepath.Join(env.configDir, "templates"),
+	}
+
+	for _, dir := range dirs {
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			t.Fatalf("Failed to create %s: %v", dir, err)
+		}
+	}
+
+	// Create a secret file for testing
+	secretFile := filepath.Join(tmpDir, "secret-anthropic")
+	if err := os.WriteFile(secretFile, []byte("sk-test"), 0600); err != nil {
+		t.Fatalf("Failed to write test secret file: %v", err)
+	}
+
+	// Create host config
+	hostConfig := &config.HostConfig{
+		User:           "testuser",
+		UID:            1000,
+		GID:            100,
+		AuthorizedKeys: []string{"ssh-rsa AAAA..."},
+		Secrets:        map[string]string{"anthropic": secretFile},
+		StateDir:       env.stateDir,
+		NixpkgsRev:     "test123",
+	}
+
+	data, _ := json.MarshalIndent(hostConfig, "", "  ")
+	if err := os.WriteFile(filepath.Join(env.configDir, "config.json"), data, 0644); err != nil {
+		t.Fatalf("Failed to write config: %v", err)
+	}
+
+	return env
+}
+
+func (e *testEnv) addTemplate(t *testing.T, name string, tmpl *config.Template) {
+	t.Helper()
+
+	if tmpl.Name == "" {
+		tmpl.Name = name
+	}
+
+	data, _ := json.MarshalIndent(tmpl, "", "  ")
+	path := filepath.Join(e.configDir, "templates", name+".json")
+	if err := os.WriteFile(path, data, 0644); err != nil {
+		t.Fatalf("Failed to write template: %v", err)
+	}
+}
+
+func (e *testEnv) createWorkspace(t *testing.T, name string) string {
+	t.Helper()
+
+	path := filepath.Join(e.tmpDir, "workspace", name)
+	if err := os.MkdirAll(path, 0755); err != nil {
+		t.Fatalf("Failed to create workspace: %v", err)
+	}
+	return path
+}
+
+func executeCommand(args ...string) (string, string, error) {
+	// Reset flag values before each test
+	upTemplate = ""
+	upRepos = nil
+	upDirect = false
+	logsFollow = false
+	logsLines = 50
+	verbose = false
+	jsonOutput = false
+
+	cmd := rootCmd
+	cmd.SetArgs(args)
+
+	var stdout, stderr bytes.Buffer
+	cmd.SetOut(&stdout)
+	cmd.SetErr(&stderr)
+
+	err := cmd.Execute()
+
+	// Reset args for next test
+	cmd.SetArgs(nil)
+	cmd.SetOut(nil)
+	cmd.SetErr(nil)
+
+	return stdout.String(), stderr.String(), err
+}
+
+func TestRootCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "forage-ctl") {
+		t.Error("Help output should contain 'forage-ctl'")
+	}
+
+	if !strings.Contains(stdout, "sandbox") {
+		t.Error("Help output should mention sandbox")
+	}
+}
+
+func TestRootCommand_Version(t *testing.T) {
+	// Version is not implemented, but help should work
+	stdout, _, err := executeCommand("help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "Available Commands") {
+		t.Error("Help output should list available commands")
+	}
+}
+
+func TestUpCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("up", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "--template") {
+		t.Error("Up help should mention --template flag")
+	}
+
+	if !strings.Contains(stdout, "--repo") {
+		t.Error("Up help should mention --repo flag")
+	}
+
+	if !strings.Contains(stdout, "--direct") {
+		t.Error("Up help should mention --direct flag")
+	}
+}
+
+func TestUpCommand_MissingTemplate(t *testing.T) {
+	stdout, stderr, err := executeCommand("up", "test-sandbox", "--repo", "/tmp")
+	output := stdout + stderr
+
+	// Should either return an error or show required flag message
+	if err == nil && !strings.Contains(output, "required") && !strings.Contains(output, "template") {
+		t.Error("Up should fail or show error when --template is missing")
+	}
+}
+
+func TestUpCommand_Flags(t *testing.T) {
+	env := setupTestEnv(t)
+	env.addTemplate(t, "test", &config.Template{
+		Name:    "test",
+		Network: "full",
+		Agents: map[string]config.AgentConfig{
+			"test": {
+				PackagePath: "/nix/store/test-agent",
+				SecretName:  "test-secret",
+				AuthEnvVar:  "TEST_API_KEY",
+			},
+		},
+	})
+
+	// Create workspace for potential future tests
+	_ = env.createWorkspace(t, "project")
+
+	// Verify the help mentions key flags
+	stdout, _, _ := executeCommand("up", "--help")
+
+	if !strings.Contains(stdout, "repo") {
+		t.Error("Help should document --repo")
+	}
+	if !strings.Contains(stdout, "direct") {
+		t.Error("Help should document --direct")
+	}
+}
+
+func TestDownCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("down", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "Stop and remove") {
+		t.Error("Down help should describe its purpose")
+	}
+}
+
+func TestPsCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("ps", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "List") {
+		t.Error("Ps help should mention listing")
+	}
+}
+
+func TestStatusCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("status", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "status") {
+		t.Error("Status help should mention status")
+	}
+}
+
+func TestSSHCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("ssh", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "SSH") || !strings.Contains(stdout, "multiplexer") {
+		t.Error("SSH help should mention SSH and multiplexer")
+	}
+}
+
+func TestExecCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("exec", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "Execute") {
+		t.Error("Exec help should mention execution")
+	}
+}
+
+func TestLogsCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("logs", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "logs") {
+		t.Error("Logs help should mention logs")
+	}
+
+	if !strings.Contains(stdout, "--follow") {
+		t.Error("Logs help should mention --follow flag")
+	}
+}
+
+func TestStartCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("start", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "Start") {
+		t.Error("Start help should mention starting")
+	}
+}
+
+func TestShellCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("shell", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "shell") {
+		t.Error("Shell help should mention shell")
+	}
+}
+
+func TestResetCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("reset", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "Reset") {
+		t.Error("Reset help should mention reset")
+	}
+}
+
+func TestTemplatesCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("templates", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "templates") {
+		t.Error("Templates help should mention templates")
+	}
+}
+
+func TestGlobalFlags(t *testing.T) {
+	stdout, _, err := executeCommand("--help")
+	if err != nil {
+		t.Fatalf("Help failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "--verbose") {
+		t.Error("Should have --verbose flag")
+	}
+
+	if !strings.Contains(stdout, "--json") {
+		t.Error("Should have --json flag")
+	}
+}
+
+func TestCommandRequiresArgs(t *testing.T) {
+	// Commands that require arguments show error in stderr
+	tests := []struct {
+		cmd            string
+		shouldShowHelp bool
+	}{
+		{"down", true},   // requires name, shows usage
+		{"status", true}, // requires name, shows usage
+		{"ssh", true},    // requires name, shows usage
+		{"start", true},  // requires name, shows usage
+		{"shell", true},  // requires name, shows usage
+		{"reset", true},  // requires name, shows usage
+		{"logs", true},   // requires name, shows usage
+		{"ps", false},    // no args required
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.cmd, func(t *testing.T) {
+			stdout, stderr, _ := executeCommand(tt.cmd)
+			output := stdout + stderr
+
+			// Commands requiring args should show usage info
+			if tt.shouldShowHelp {
+				if !strings.Contains(output, "Usage:") && !strings.Contains(output, "Error:") {
+					// Some cobra versions just show usage without "Error:"
+					if !strings.Contains(output, tt.cmd) {
+						t.Errorf("%s: expected usage info in output", tt.cmd)
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestParseRepoFlags(t *testing.T) {
+	tests := []struct {
+		name        string
+		repos       []string
+		wantDefault string
+		wantNamed   map[string]string
+		wantErr     bool
+	}{
+		{
+			name:        "single default repo",
+			repos:       []string{"/home/user/project"},
+			wantDefault: "/home/user/project",
+			wantNamed:   map[string]string{},
+		},
+		{
+			name:        "named repo only",
+			repos:       []string{"data=/home/user/data-repo"},
+			wantDefault: "",
+			wantNamed:   map[string]string{"data": "/home/user/data-repo"},
+		},
+		{
+			name:        "default plus named",
+			repos:       []string{"/home/user/project", "data=/home/user/data-repo"},
+			wantDefault: "/home/user/project",
+			wantNamed:   map[string]string{"data": "/home/user/data-repo"},
+		},
+		{
+			name:        "multiple named repos",
+			repos:       []string{"proj=/home/user/project", "data=/home/user/data"},
+			wantDefault: "",
+			wantNamed:   map[string]string{"proj": "/home/user/project", "data": "/home/user/data"},
+		},
+		{
+			name:    "duplicate default repos",
+			repos:   []string{"/home/user/a", "/home/user/b"},
+			wantErr: true,
+		},
+		{
+			name:        "empty repos",
+			repos:       nil,
+			wantDefault: "",
+			wantNamed:   map[string]string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defaultRepo, namedRepos, err := parseRepoFlags(tt.repos)
+			if (err != nil) != tt.wantErr {
+				t.Fatalf("parseRepoFlags() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if tt.wantErr {
+				return
+			}
+			if defaultRepo != tt.wantDefault {
+				t.Errorf("defaultRepo = %q, want %q", defaultRepo, tt.wantDefault)
+			}
+			if len(namedRepos) != len(tt.wantNamed) {
+				t.Errorf("namedRepos length = %d, want %d", len(namedRepos), len(tt.wantNamed))
+			}
+			for k, v := range tt.wantNamed {
+				if got, ok := namedRepos[k]; !ok || got != v {
+					t.Errorf("namedRepos[%q] = %q, want %q", k, got, v)
+				}
+			}
+		})
+	}
+}
diff --git a/packages/forage-ctl/cmd/down.go b/packages/forage-ctl/cmd/down.go
new file mode 100644
index 0000000..d210dd8
--- /dev/null
+++ b/packages/forage-ctl/cmd/down.go
@@ -0,0 +1,64 @@
+package cmd
+
+import (
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+)
+
+var downCmd = &cobra.Command{
+	Use:   "down <name>",
+	Short: "Stop and remove a sandbox",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runDown,
+}
+
+var downTimeout int
+
+func init() {
+	downCmd.Flags().IntVarP(&downTimeout, "timeout", "t", 30, "Graceful shutdown timeout in seconds before destroy (0 for immediate)")
+	rootCmd.AddCommand(downCmd)
+}
+
+func runDown(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	p := paths()
+	rt := getRuntime()
+
+	logging.Debug("removing sandbox", "name", name)
+
+	metadata, err := config.LoadSandboxMetadata(p.SandboxesDir, name)
+	if err != nil {
+		return errors.SandboxNotFound(name)
+	}
+
+	logInfo("Removing sandbox %s...", name)
+
+	// Attempt graceful stop before destroy if timeout > 0
+	if downTimeout > 0 {
+		if gs, ok := rt.(runtime.GracefulStopper); ok {
+			ctx := cmd.Context()
+			running, _ := rt.IsRunning(ctx, name)
+			if running {
+				logging.Debug("attempting graceful stop before destroy", "timeout", downTimeout)
+				_ = gs.GracefulStop(ctx, name, time.Duration(downTimeout)*time.Second)
+			}
+		}
+	}
+
+	// Use unified cleanup function
+	sandbox.Cleanup(cmd.Context(), metadata, p, sandbox.DefaultCleanupOptions(), rt)
+
+	auditLog := audit.NewLogger(p.StateDir)
+	_ = auditLog.LogEvent(audit.EventDestroy, name, "")
+
+	logSuccess("Removed sandbox %s", name)
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/exec.go b/packages/forage-ctl/cmd/exec.go
new file mode 100644
index 0000000..ba25151
--- /dev/null
+++ b/packages/forage-ctl/cmd/exec.go
@@ -0,0 +1,80 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"syscall"
+
+	shellquote "github.com/kballard/go-shellquote"
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/ssh"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/system"
+)
+
+var execCmd = &cobra.Command{
+	Use:   "exec <name> -- <command>",
+	Short: "Execute command in sandbox",
+	Args:  cobra.MinimumNArgs(1),
+	RunE:  runExec,
+}
+
+func init() {
+	rootCmd.AddCommand(execCmd)
+}
+
+func runExec(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	metadata, err := loadRunningSandbox(cmd.Context(), name)
+	if err != nil {
+		return err
+	}
+
+	// Find the command to execute (everything after --)
+	// cobra/pflag strips "--" from args, so we use ArgsLenAtDash()
+	// to find the position where "--" was in the original argv.
+	dash := cmd.ArgsLenAtDash()
+	var execArgs []string
+	if dash >= 0 && dash < len(args) {
+		execArgs = args[dash:]
+	}
+
+	if len(execArgs) == 0 {
+		return errors.ValidationError("usage: forage-ctl exec <name> -- <command>")
+	}
+
+	// Use runtime exec for backends that don't support SSH
+	rt := getRuntime()
+	caps := runtime.GetCapabilities(rt)
+	if !caps.SSHAccess {
+		result, execErr := rt.Exec(cmd.Context(), name, execArgs, runtime.ExecOptions{})
+		if execErr != nil {
+			return fmt.Errorf("exec failed: %w", execErr)
+		}
+		_, _ = os.Stdout.WriteString(result.Stdout)
+		_, _ = os.Stderr.WriteString(result.Stderr)
+		if result.ExitCode != 0 {
+			os.Exit(result.ExitCode)
+		}
+		return nil
+	}
+
+	// SSH path for backends that support it
+	sshPath, err := exec.LookPath("ssh")
+	if err != nil {
+		return errors.SSHError("ssh not found", err)
+	}
+
+	// Construct the command string with all arguments quoted
+	cmdStr := shellquote.Join(execArgs...)
+
+	// Use SSH options builder
+	opts := ssh.DefaultOptions(metadata.ContainerIP())
+	sshArgs := opts.BuildArgsWithArgv(cmdStr)
+
+	return syscall.Exec(sshPath, sshArgs, system.SafeEnviron())
+}
diff --git a/packages/forage-ctl/cmd/gateway.go b/packages/forage-ctl/cmd/gateway.go
new file mode 100644
index 0000000..d676721
--- /dev/null
+++ b/packages/forage-ctl/cmd/gateway.go
@@ -0,0 +1,90 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/gateway"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/tui"
+)
+
+var gatewayCmd = &cobra.Command{
+	Use:   "gateway [sandbox-name]",
+	Short: "Interactive sandbox selector (gateway mode)",
+	Long: `Opens an interactive TUI for selecting and connecting to sandboxes.
+
+If a sandbox name is provided, connects directly to that sandbox.
+Otherwise, presents an interactive picker to choose from available sandboxes.
+
+This command is designed to be used as a login shell for SSH access,
+providing a single entry point to all sandboxes.`,
+	Args: cobra.MaximumNArgs(1),
+	RunE: runGateway,
+}
+
+func init() {
+	rootCmd.AddCommand(gatewayCmd)
+}
+
+func runGateway(cmd *cobra.Command, args []string) error {
+	p := paths()
+	rt := getRuntime()
+
+	logging.Debug("gateway mode started")
+
+	// If sandbox name provided, connect directly
+	if len(args) == 1 {
+		return connectToSandbox(cmd.Context(), args[0], p)
+	}
+
+	// List sandboxes
+	sandboxes, err := listSandboxes()
+	if err != nil {
+		return fmt.Errorf("failed to list sandboxes: %w", err)
+	}
+
+	// Run interactive picker (no creation wizard in gateway mode)
+	result, err := tui.RunPicker(cmd.Context(), sandboxes, p, rt, tui.PickerOptions{})
+	if err != nil {
+		return fmt.Errorf("picker error: %w", err)
+	}
+
+	logging.Debug("picker result", "action", result.Action)
+
+	switch result.Action {
+	case tui.ActionAttach:
+		if result.Sandbox != nil {
+			return connectToSandbox(cmd.Context(), result.Sandbox.Name, p)
+		}
+
+	case tui.ActionNew:
+		// TODO: implement creation wizard for gateway mode
+		fmt.Println("\nTo create a new sandbox, run:")
+		fmt.Println("  forage-ctl up <name> -t <template> -w <workspace>")
+		fmt.Println("\nAvailable templates:")
+		templates, _ := config.ListTemplates(p.TemplatesDir)
+		for _, t := range templates {
+			fmt.Printf("  - %s: %s\n", t.Name, t.Description)
+		}
+
+	case tui.ActionDown:
+		// TODO: implement sandbox teardown in gateway mode
+		if result.Sandbox != nil {
+			fmt.Printf("\nTo remove sandbox '%s', run:\n", result.Sandbox.Name)
+			fmt.Printf("  forage-ctl down %s\n", result.Sandbox.Name)
+		}
+
+	case tui.ActionQuit:
+		// Just exit cleanly
+	}
+
+	return nil
+}
+
+func connectToSandbox(ctx context.Context, name string, paths *config.Paths) error {
+	return gateway.Connect(ctx, name, paths.SandboxesDir, getRuntime())
+}
diff --git a/packages/forage-ctl/cmd/gc.go b/packages/forage-ctl/cmd/gc.go
new file mode 100644
index 0000000..ee2be0f
--- /dev/null
+++ b/packages/forage-ctl/cmd/gc.go
@@ -0,0 +1,285 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+)
+
+var gcForce bool
+
+var gcCmd = &cobra.Command{
+	Use:   "gc",
+	Short: "Garbage collect orphaned sandbox resources",
+	Long: `Reconciles disk state with runtime state and removes orphaned resources.
+
+Without --force, prints what would be cleaned (dry run).
+With --force, actually removes orphaned files and destroys orphaned containers.
+
+Detects:
+  - Orphaned files: sandbox files on disk with no matching container
+  - Orphaned containers: containers with no matching metadata on disk
+  - Stale metadata: metadata files for sandboxes whose container no longer exists`,
+	RunE: runGC,
+}
+
+func init() {
+	gcCmd.Flags().BoolVar(&gcForce, "force", false, "Actually remove orphaned resources (default is dry run)")
+	rootCmd.AddCommand(gcCmd)
+}
+
+// orphanedContainer represents a container in the runtime with no metadata on disk.
+type orphanedContainer struct {
+	name        string // sandbox name from runtime
+	recoveredBy string // how the sandbox name was identified (empty if from runtime directly)
+}
+
+// gcResult tracks what gc found and would/did clean up.
+type gcResult struct {
+	orphanedSandboxNames []string            // sandbox names with files on disk but no container
+	orphanedContainers   []orphanedContainer // containers in runtime but no metadata on disk
+}
+
+func (r *gcResult) empty() bool {
+	return len(r.orphanedSandboxNames) == 0 && len(r.orphanedContainers) == 0
+}
+
+func runGC(cmd *cobra.Command, args []string) error {
+	p := paths()
+	rt := getRuntime()
+	ctx := cmd.Context()
+
+	// 1. Collect sandbox names from disk files
+	diskNames, err := sandboxNamesFromDisk(p.SandboxesDir)
+	if err != nil {
+		return fmt.Errorf("failed to scan sandboxes directory: %w", err)
+	}
+
+	// 2. Collect container names from runtime
+	containers, err := rt.List(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list containers: %w", err)
+	}
+
+	containerSet := make(map[string]bool)
+	for _, c := range containers {
+		containerSet[c.Name] = true
+	}
+
+	// 3. Collect valid metadata names
+	metadataList, err := config.ListSandboxes(p.SandboxesDir)
+	if err != nil {
+		return fmt.Errorf("failed to list sandbox metadata: %w", err)
+	}
+
+	metadataSet := make(map[string]*config.SandboxMetadata)
+	for _, m := range metadataList {
+		metadataSet[m.Name] = m
+	}
+
+	// 4. Find orphans
+	result := &gcResult{}
+
+	// Orphaned disk files: sandbox name found on disk but no matching container
+	for name := range diskNames {
+		if !containerSet[name] {
+			result.orphanedSandboxNames = append(result.orphanedSandboxNames, name)
+		}
+	}
+
+	// Orphaned containers: in runtime but no metadata on disk
+	for name := range containerSet {
+		if _, ok := metadataSet[name]; !ok {
+			result.orphanedContainers = append(result.orphanedContainers, orphanedContainer{name: name})
+		}
+	}
+
+	// 5. Report or act
+	if result.empty() {
+		logInfo("No orphaned resources found")
+		return nil
+	}
+
+	if !gcForce {
+		printGCDryRun(result)
+		return nil
+	}
+
+	return executeGC(ctx, result, p, rt, metadataSet)
+}
+
+// sandboxNamesFromDisk scans the sandboxes directory and returns a set of
+// sandbox names extracted from filenames. It recognizes:
+//   - <name>.json (metadata)
+//   - <name>.nix (config)
+//   - <name>.skills.md (skills)
+//   - <name>.*-permissions.json (permissions)
+func sandboxNamesFromDisk(sandboxesDir string) (map[string]bool, error) {
+	entries, err := os.ReadDir(sandboxesDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	names := make(map[string]bool)
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+
+		name := extractSandboxName(entry.Name())
+		if name == "" {
+			continue
+		}
+
+		if config.ValidateSandboxName(name) == nil {
+			names[name] = true
+		}
+	}
+
+	return names, nil
+}
+
+// extractSandboxName extracts the sandbox name from a known file pattern.
+// Returns empty string if the filename doesn't match any known pattern.
+func extractSandboxName(filename string) string {
+	// <name>.*-permissions.json (e.g. "test.claude-permissions.json")
+	if strings.HasSuffix(filename, "-permissions.json") {
+		// Find the first dot to split sandbox name from agent-permissions suffix
+		idx := strings.Index(filename, ".")
+		if idx > 0 {
+			return filename[:idx]
+		}
+		return ""
+	}
+
+	// <name>.skills.md
+	if name, ok := strings.CutSuffix(filename, ".skills.md"); ok {
+		return name
+	}
+
+	// <name>.nix
+	if name, ok := strings.CutSuffix(filename, ".nix"); ok {
+		return name
+	}
+
+	// <name>.json (metadata - must not contain dots before .json)
+	if name, ok := strings.CutSuffix(filename, ".json"); ok {
+		if !strings.Contains(name, ".") {
+			return name
+		}
+	}
+
+	return ""
+}
+
+func printGCDryRun(result *gcResult) {
+	fmt.Println("Dry run (use --force to actually clean up):")
+	fmt.Println()
+
+	if len(result.orphanedSandboxNames) > 0 {
+		fmt.Println("Orphaned sandbox files (no matching container):")
+		for _, name := range result.orphanedSandboxNames {
+			fmt.Printf("  %s\n", name)
+		}
+		fmt.Println()
+	}
+
+	if len(result.orphanedContainers) > 0 {
+		fmt.Println("Orphaned containers (no matching metadata):")
+		for _, oc := range result.orphanedContainers {
+			if oc.recoveredBy != "" {
+				fmt.Printf("  %s (identified via %s)\n", oc.name, oc.recoveredBy)
+			} else {
+				fmt.Printf("  %s\n", oc.name)
+			}
+		}
+		fmt.Println()
+	}
+}
+
+func executeGC(ctx context.Context, result *gcResult, p *config.Paths, rt interface {
+	Destroy(ctx context.Context, name string) error
+}, metadataSet map[string]*config.SandboxMetadata) error {
+	// Clean up orphaned sandbox files
+	for _, name := range result.orphanedSandboxNames {
+		logInfo("Cleaning up orphaned sandbox: %s", name)
+
+		// If we have valid metadata, use Cleanup() for proper VCS unwinding
+		if meta, ok := metadataSet[name]; ok {
+			opts := sandbox.DefaultCleanupOptions()
+			opts.DestroyContainer = false // container doesn't exist
+			sandbox.Cleanup(ctx, meta, p, opts, nil)
+		} else {
+			// No valid metadata -- remove files manually
+			removeOrphanedFiles(name, p)
+		}
+
+		logging.Debug("cleaned up orphaned sandbox", "name", name)
+	}
+
+	// Destroy orphaned containers
+	for _, oc := range result.orphanedContainers {
+		if oc.recoveredBy != "" {
+			logInfo("Destroying orphaned container: %s (identified via %s)", oc.name, oc.recoveredBy)
+		} else {
+			logInfo("Destroying orphaned container: %s", oc.name)
+		}
+		if err := rt.Destroy(ctx, oc.name); err != nil {
+			logWarning("Failed to destroy container %s: %v", oc.name, err)
+		} else {
+			logging.Debug("destroyed orphaned container", "name", oc.name)
+		}
+	}
+
+	logSuccess("Garbage collection complete")
+	return nil
+}
+
+// removeOrphanedFiles removes all files associated with a sandbox name
+// when no valid metadata is available.
+func removeOrphanedFiles(name string, p *config.Paths) {
+	// Remove known file patterns
+	patterns := []string{
+		filepath.Join(p.SandboxesDir, name+".json"),
+		filepath.Join(p.SandboxesDir, name+".nix"),
+		filepath.Join(p.SandboxesDir, name+".skills.md"),
+	}
+
+	for _, path := range patterns {
+		if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+			logging.Warn("failed to remove file", "path", path, "error", err)
+		}
+	}
+
+	// Glob for permissions files
+	permPattern := filepath.Join(p.SandboxesDir, name+".*-permissions.json")
+	matches, _ := filepath.Glob(permPattern)
+	for _, match := range matches {
+		if err := os.Remove(match); err != nil && !os.IsNotExist(err) {
+			logging.Warn("failed to remove permissions file", "path", match, "error", err)
+		}
+	}
+
+	// Remove secrets directory
+	secretsPath := filepath.Join(p.SecretsDir, name)
+	if err := os.RemoveAll(secretsPath); err != nil {
+		logging.Warn("failed to remove secrets directory", "path", secretsPath, "error", err)
+	}
+
+	// Remove workspace directory
+	workspacePath := filepath.Join(p.WorkspacesDir, name)
+	if err := os.RemoveAll(workspacePath); err != nil {
+		logging.Warn("failed to remove workspace directory", "path", workspacePath, "error", err)
+	}
+}
diff --git a/packages/forage-ctl/cmd/gc_test.go b/packages/forage-ctl/cmd/gc_test.go
new file mode 100644
index 0000000..d627476
--- /dev/null
+++ b/packages/forage-ctl/cmd/gc_test.go
@@ -0,0 +1,329 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/testutil"
+)
+
+func TestGCCommand_Help(t *testing.T) {
+	stdout, _, err := executeCommand("gc", "--help")
+	if err != nil {
+		t.Fatalf("Help command failed: %v", err)
+	}
+
+	if !strings.Contains(stdout, "orphaned") {
+		t.Error("GC help should mention orphaned resources")
+	}
+
+	if !strings.Contains(stdout, "--force") {
+		t.Error("GC help should mention --force flag")
+	}
+}
+
+func TestExtractSandboxName(t *testing.T) {
+	tests := []struct {
+		filename string
+		want     string
+	}{
+		// Metadata files
+		{"test.json", "test"},
+		{"my-sandbox.json", "my-sandbox"},
+
+		// Config files
+		{"test.nix", "test"},
+		{"my-sandbox.nix", "my-sandbox"},
+
+		// Skills files
+		{"test.skills.md", "test"},
+		{"my-sandbox.skills.md", "my-sandbox"},
+
+		// Permissions files
+		{"test.claude-permissions.json", "test"},
+		{"my-sandbox.copilot-permissions.json", "my-sandbox"},
+
+		// Dotted JSON (not metadata, not permissions) -- ignored
+		{"some.other.json", ""},
+
+		// Non-sandbox files
+		{"readme.txt", ""},
+		{"notes.md", ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.filename, func(t *testing.T) {
+			got := extractSandboxName(tt.filename)
+			if got != tt.want {
+				t.Errorf("extractSandboxName(%q) = %q, want %q", tt.filename, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSandboxNamesFromDisk(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create various sandbox files
+	files := map[string]string{
+		"sandbox-1.json":                    `{"name":"sandbox-1","template":"claude","networkSlot":1}`,
+		"sandbox-1.nix":                     "# nix config",
+		"sandbox-1.skills.md":               "# skills",
+		"sandbox-1.claude-permissions.json": `{}`,
+		"sandbox-2.json":                    `{"name":"sandbox-2","template":"claude","networkSlot":2}`,
+		"orphan.nix":                        "# orphaned nix file",
+		"notes.txt":                         "not a sandbox file",
+	}
+
+	for name, content := range files {
+		os.WriteFile(filepath.Join(tmpDir, name), []byte(content), 0644)
+	}
+
+	names, err := sandboxNamesFromDisk(tmpDir)
+	if err != nil {
+		t.Fatalf("sandboxNamesFromDisk failed: %v", err)
+	}
+
+	expected := map[string]bool{
+		"sandbox-1": true,
+		"sandbox-2": true,
+		"orphan":    true,
+	}
+
+	if len(names) != len(expected) {
+		t.Errorf("len(names) = %d, want %d", len(names), len(expected))
+	}
+
+	for name := range expected {
+		if !names[name] {
+			t.Errorf("expected name %q not found in disk names", name)
+		}
+	}
+}
+
+func TestSandboxNamesFromDisk_NonexistentDir(t *testing.T) {
+	names, err := sandboxNamesFromDisk("/nonexistent/path")
+	if err != nil {
+		t.Fatalf("should not error for nonexistent dir: %v", err)
+	}
+	if names != nil {
+		t.Errorf("names = %v, want nil", names)
+	}
+}
+
+func TestGC_OrphanDetection(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Create a sandbox with matching container (not orphaned)
+	env.AddSandbox(&config.SandboxMetadata{
+		Name:        "healthy",
+		Template:    "claude",
+		NetworkSlot: 1,
+		Workspace:   "/tmp/healthy",
+	})
+
+	// Create metadata on disk with NO container (orphaned files)
+	config.SaveSandboxMetadata(env.Paths.SandboxesDir, &config.SandboxMetadata{
+		Name:        "orphan-disk",
+		Template:    "claude",
+		NetworkSlot: 2,
+		Workspace:   "/tmp/orphan-disk",
+	})
+
+	// Add container in runtime with NO metadata (orphaned container)
+	env.Runtime.AddContainer("orphan-rt", runtime.StatusRunning)
+
+	ctx := context.Background()
+
+	// Collect disk names
+	diskNames, err := sandboxNamesFromDisk(env.Paths.SandboxesDir)
+	if err != nil {
+		t.Fatalf("sandboxNamesFromDisk: %v", err)
+	}
+
+	// Collect runtime containers
+	containers, err := env.Runtime.List(ctx)
+	if err != nil {
+		t.Fatalf("List: %v", err)
+	}
+	containerSet := make(map[string]bool)
+	for _, c := range containers {
+		containerSet[c.Name] = true
+	}
+
+	// Collect metadata
+	metadataList, err := config.ListSandboxes(env.Paths.SandboxesDir)
+	if err != nil {
+		t.Fatalf("ListSandboxes: %v", err)
+	}
+	metadataSet := make(map[string]*config.SandboxMetadata)
+	for _, m := range metadataList {
+		metadataSet[m.Name] = m
+	}
+
+	// Find orphaned disk files
+	var orphanedDisk []string
+	for name := range diskNames {
+		if !containerSet[name] {
+			orphanedDisk = append(orphanedDisk, name)
+		}
+	}
+
+	// Find orphaned containers
+	var orphanedContainers []string
+	for name := range containerSet {
+		if _, ok := metadataSet[name]; !ok {
+			orphanedContainers = append(orphanedContainers, name)
+		}
+	}
+
+	// Verify: orphan-disk should be in orphaned disk files
+	foundDisk := false
+	for _, name := range orphanedDisk {
+		if name == "orphan-disk" {
+			foundDisk = true
+		}
+		if name == "healthy" {
+			t.Error("healthy sandbox should not be orphaned on disk")
+		}
+	}
+	if !foundDisk {
+		t.Error("orphan-disk should be detected as orphaned on disk")
+	}
+
+	// Verify: orphan-rt should be in orphaned containers
+	foundRT := false
+	for _, name := range orphanedContainers {
+		if name == "orphan-rt" {
+			foundRT = true
+		}
+		if name == "healthy" {
+			t.Error("healthy sandbox should not be an orphaned container")
+		}
+	}
+	if !foundRT {
+		t.Error("orphan-rt should be detected as orphaned container")
+	}
+}
+
+func TestGC_Force_CleansOrphanedFiles(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	name := "orphan"
+	sandboxesDir := env.Paths.SandboxesDir
+
+	// Create various sandbox files on disk
+	os.WriteFile(filepath.Join(sandboxesDir, name+".json"),
+		[]byte(`{"name":"orphan","template":"claude","networkSlot":1,"workspace":"/tmp/w"}`), 0644)
+	os.WriteFile(filepath.Join(sandboxesDir, name+".nix"), []byte("# nix"), 0644)
+	os.WriteFile(filepath.Join(sandboxesDir, name+".skills.md"), []byte("# skills"), 0644)
+	os.WriteFile(filepath.Join(sandboxesDir, name+".claude-permissions.json"), []byte("{}"), 0644)
+
+	// Create secrets directory
+	secretsDir := filepath.Join(env.Paths.SecretsDir, name)
+	os.MkdirAll(secretsDir, 0755)
+	os.WriteFile(filepath.Join(secretsDir, "key"), []byte("secret"), 0644)
+
+	// No container in runtime -- sandbox is orphaned
+	// Use removeOrphanedFiles directly to test cleanup logic
+	removeOrphanedFiles(name, env.Paths)
+
+	// Verify all files were removed
+	for _, suffix := range []string{".json", ".nix", ".skills.md", ".claude-permissions.json"} {
+		path := filepath.Join(sandboxesDir, name+suffix)
+		if _, err := os.Stat(path); !os.IsNotExist(err) {
+			t.Errorf("file %s should have been removed", filepath.Base(path))
+		}
+	}
+
+	// Verify secrets directory was removed
+	if _, err := os.Stat(secretsDir); !os.IsNotExist(err) {
+		t.Error("secrets directory should have been removed")
+	}
+}
+
+func TestGC_Force_DestroysOrphanedContainers(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	ctx := context.Background()
+
+	// Add orphaned container (no metadata)
+	env.Runtime.AddContainer("ghost", runtime.StatusRunning)
+
+	// Call executeGC directly
+	result := &gcResult{
+		orphanedContainers: []orphanedContainer{{name: "ghost"}},
+	}
+	metadataSet := make(map[string]*config.SandboxMetadata)
+
+	err := executeGC(ctx, result, env.Paths, env.Runtime, metadataSet)
+	if err != nil {
+		t.Fatalf("executeGC failed: %v", err)
+	}
+
+	// Verify container was destroyed
+	destroyCalls := env.Runtime.GetCallsFor("Destroy")
+	found := false
+	for _, call := range destroyCalls {
+		if len(call.Args) > 0 && call.Args[0] == "ghost" {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Error("expected Destroy to be called for orphaned container 'ghost'")
+	}
+}
+
+func TestGC_NoOrphans(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Create a sandbox with matching container
+	env.AddSandbox(&config.SandboxMetadata{
+		Name:        "test",
+		Template:    "claude",
+		NetworkSlot: 1,
+		Workspace:   "/tmp/test",
+	})
+
+	ctx := context.Background()
+
+	// Collect all three data sources
+	diskNames, _ := sandboxNamesFromDisk(env.Paths.SandboxesDir)
+	containers, _ := env.Runtime.List(ctx)
+	containerSet := make(map[string]bool)
+	for _, c := range containers {
+		containerSet[c.Name] = true
+	}
+	metadataList, _ := config.ListSandboxes(env.Paths.SandboxesDir)
+	metadataSet := make(map[string]*config.SandboxMetadata)
+	for _, m := range metadataList {
+		metadataSet[m.Name] = m
+	}
+
+	result := &gcResult{}
+	for name := range diskNames {
+		if !containerSet[name] {
+			result.orphanedSandboxNames = append(result.orphanedSandboxNames, name)
+		}
+	}
+	for name := range containerSet {
+		if _, ok := metadataSet[name]; !ok {
+			result.orphanedContainers = append(result.orphanedContainers, orphanedContainer{name: name})
+		}
+	}
+
+	if !result.empty() {
+		t.Errorf("expected no orphans, got disk=%v containers=%v",
+			result.orphanedSandboxNames, result.orphanedContainers)
+	}
+}
diff --git a/packages/forage-ctl/cmd/helpers.go b/packages/forage-ctl/cmd/helpers.go
new file mode 100644
index 0000000..0ab0039
--- /dev/null
+++ b/packages/forage-ctl/cmd/helpers.go
@@ -0,0 +1,57 @@
+package cmd
+
+import (
+	"context"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/app"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// paths returns the default paths configuration.
+// This is a helper to reduce repetition in commands.
+func paths() *config.Paths {
+	return app.Default.Paths
+}
+
+// getRuntime returns the application runtime.
+func getRuntime() runtime.Runtime {
+	return app.Default.Runtime
+}
+
+// isRunning checks if a container is running using the app's runtime.
+func isRunning(ctx context.Context, name string) bool {
+	return app.Default.IsRunning(ctx, name)
+}
+
+// loadSandbox loads sandbox metadata or returns a SandboxNotFound error.
+func loadSandbox(name string) (*config.SandboxMetadata, error) {
+	p := paths()
+	metadata, err := config.LoadSandboxMetadata(p.SandboxesDir, name)
+	if err != nil {
+		return nil, errors.SandboxNotFound(name)
+	}
+	return metadata, nil
+}
+
+// loadRunningSandbox loads sandbox metadata and verifies it's running.
+// Returns SandboxNotFound if the sandbox doesn't exist,
+// or SandboxNotRunning if it exists but isn't running.
+func loadRunningSandbox(ctx context.Context, name string) (*config.SandboxMetadata, error) {
+	metadata, err := loadSandbox(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if !isRunning(ctx, name) {
+		return nil, errors.SandboxNotRunning(name)
+	}
+
+	return metadata, nil
+}
+
+// listSandboxes lists all sandbox metadata.
+func listSandboxes() ([]*config.SandboxMetadata, error) {
+	return config.ListSandboxes(paths().SandboxesDir)
+}
diff --git a/packages/forage-ctl/cmd/integration_test.go b/packages/forage-ctl/cmd/integration_test.go
new file mode 100644
index 0000000..1181ac3
--- /dev/null
+++ b/packages/forage-ctl/cmd/integration_test.go
@@ -0,0 +1,498 @@
+package cmd
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+// These tests verify the business logic of commands
+// They use file-based state to verify behavior
+
+func TestTemplatesCommand_ListsTemplates(t *testing.T) {
+	env := setupTestEnv(t)
+
+	// Add some templates with all required fields
+	env.addTemplate(t, "claude", &config.Template{
+		Name:        "claude",
+		Description: "Claude Code sandbox",
+		Network:     "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				PackagePath: "/nix/store/test-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+	})
+
+	env.addTemplate(t, "multi", &config.Template{
+		Name:        "multi",
+		Description: "Multi-agent sandbox",
+		Network:     "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				PackagePath: "/nix/store/test-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+			"opencode": {
+				PackagePath: "/nix/store/test-opencode",
+				SecretName:  "openai",
+				AuthEnvVar:  "OPENAI_API_KEY",
+			},
+		},
+	})
+
+	// Verify templates can be loaded
+	templates, err := config.ListTemplates(filepath.Join(env.configDir, "templates"))
+	if err != nil {
+		t.Fatalf("Failed to list templates: %v", err)
+	}
+
+	if len(templates) != 2 {
+		t.Errorf("Expected 2 templates, got %d", len(templates))
+	}
+}
+
+func TestSandboxMetadata_Lifecycle(t *testing.T) {
+	env := setupTestEnv(t)
+	sandboxesDir := filepath.Join(env.stateDir, "sandboxes")
+
+	// Create metadata
+	meta := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		Workspace:     "/home/user/project",
+		NetworkSlot:   1,
+		CreatedAt:     "2024-01-01T00:00:00Z",
+		WorkspaceMode: "direct",
+	}
+
+	// Save
+	if err := config.SaveSandboxMetadata(sandboxesDir, meta); err != nil {
+		t.Fatalf("Failed to save metadata: %v", err)
+	}
+
+	// Verify exists
+	if !config.SandboxExists(sandboxesDir, "test-sandbox") {
+		t.Error("Sandbox should exist after save")
+	}
+
+	// Load
+	loaded, err := config.LoadSandboxMetadata(sandboxesDir, "test-sandbox")
+	if err != nil {
+		t.Fatalf("Failed to load metadata: %v", err)
+	}
+
+	if loaded.Name != meta.Name {
+		t.Errorf("Name = %q, want %q", loaded.Name, meta.Name)
+	}
+	if loaded.NetworkSlot != meta.NetworkSlot {
+		t.Errorf("NetworkSlot = %d, want %d", loaded.NetworkSlot, meta.NetworkSlot)
+	}
+
+	// Delete
+	if err := config.DeleteSandboxMetadata(sandboxesDir, "test-sandbox"); err != nil {
+		t.Fatalf("Failed to delete metadata: %v", err)
+	}
+
+	// Verify gone
+	if config.SandboxExists(sandboxesDir, "test-sandbox") {
+		t.Error("Sandbox should not exist after delete")
+	}
+}
+
+func TestSandboxMetadata_JJMode(t *testing.T) {
+	env := setupTestEnv(t)
+	sandboxesDir := filepath.Join(env.stateDir, "sandboxes")
+
+	meta := &config.SandboxMetadata{
+		Name:            "jj-sandbox",
+		Template:        "claude",
+		Workspace:       "/var/lib/forage/workspaces/jj-sandbox",
+		NetworkSlot:     2,
+		CreatedAt:       "2024-01-01T00:00:00Z",
+		WorkspaceMode:   "jj",
+		SourceRepo:      "/home/user/myrepo",
+		JJWorkspaceName: "jj-sandbox",
+	}
+
+	if err := config.SaveSandboxMetadata(sandboxesDir, meta); err != nil {
+		t.Fatalf("Failed to save metadata: %v", err)
+	}
+
+	loaded, err := config.LoadSandboxMetadata(sandboxesDir, "jj-sandbox")
+	if err != nil {
+		t.Fatalf("Failed to load metadata: %v", err)
+	}
+
+	if loaded.WorkspaceMode != "jj" {
+		t.Errorf("WorkspaceMode = %q, want %q", loaded.WorkspaceMode, "jj")
+	}
+	if loaded.SourceRepo != meta.SourceRepo {
+		t.Errorf("SourceRepo = %q, want %q", loaded.SourceRepo, meta.SourceRepo)
+	}
+	if loaded.JJWorkspaceName != meta.JJWorkspaceName {
+		t.Errorf("JJWorkspaceName = %q, want %q", loaded.JJWorkspaceName, meta.JJWorkspaceName)
+	}
+}
+
+func TestListSandboxes_MultipleStates(t *testing.T) {
+	env := setupTestEnv(t)
+	sandboxesDir := filepath.Join(env.stateDir, "sandboxes")
+
+	// Create multiple sandboxes
+	sandboxes := []*config.SandboxMetadata{
+		{Name: "sandbox-1", Template: "claude", NetworkSlot: 1},
+		{Name: "sandbox-2", Template: "multi", NetworkSlot: 2},
+		{Name: "sandbox-3", Template: "claude", NetworkSlot: 3},
+	}
+
+	for _, sb := range sandboxes {
+		if err := config.SaveSandboxMetadata(sandboxesDir, sb); err != nil {
+			t.Fatalf("Failed to save sandbox %s: %v", sb.Name, err)
+		}
+	}
+
+	// List all
+	loaded, err := config.ListSandboxes(sandboxesDir)
+	if err != nil {
+		t.Fatalf("Failed to list sandboxes: %v", err)
+	}
+
+	if len(loaded) != 3 {
+		t.Errorf("Expected 3 sandboxes, got %d", len(loaded))
+	}
+}
+
+func TestHostConfig_Loading(t *testing.T) {
+	env := setupTestEnv(t)
+
+	cfg, err := config.LoadHostConfig(env.configDir)
+	if err != nil {
+		t.Fatalf("Failed to load host config: %v", err)
+	}
+
+	if cfg.User != "testuser" {
+		t.Errorf("User = %q, want %q", cfg.User, "testuser")
+	}
+
+	if cfg.NixpkgsRev != "test123" {
+		t.Errorf("NixpkgsRev = %q, want %q", cfg.NixpkgsRev, "test123")
+	}
+}
+
+func TestHostConfig_Secrets(t *testing.T) {
+	env := setupTestEnv(t)
+
+	cfg, err := config.LoadHostConfig(env.configDir)
+	if err != nil {
+		t.Fatalf("Failed to load host config: %v", err)
+	}
+
+	secretPath, ok := cfg.Secrets["anthropic"]
+	if !ok {
+		t.Error("Secret 'anthropic' should exist")
+	}
+
+	if !filepath.IsAbs(secretPath) {
+		t.Errorf("Secret path should be absolute, got %q", secretPath)
+	}
+}
+
+func TestTemplate_Loading(t *testing.T) {
+	env := setupTestEnv(t)
+
+	env.addTemplate(t, "test-template", &config.Template{
+		Name:        "test-template",
+		Description: "Test template for testing",
+		Network:     "restricted",
+		AllowedHosts: []string{
+			"api.anthropic.com",
+			"github.com",
+		},
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				PackagePath: "pkgs.claude-code",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+		ExtraPackages: []string{"ripgrep", "fd"},
+	})
+
+	tmpl, err := config.LoadTemplate(filepath.Join(env.configDir, "templates"), "test-template")
+	if err != nil {
+		t.Fatalf("Failed to load template: %v", err)
+	}
+
+	if tmpl.Network != "restricted" {
+		t.Errorf("Network = %q, want %q", tmpl.Network, "restricted")
+	}
+
+	if len(tmpl.AllowedHosts) != 2 {
+		t.Errorf("len(AllowedHosts) = %d, want 2", len(tmpl.AllowedHosts))
+	}
+
+	if len(tmpl.Agents) != 1 {
+		t.Errorf("len(Agents) = %d, want 1", len(tmpl.Agents))
+	}
+
+	agent, ok := tmpl.Agents["claude"]
+	if !ok {
+		t.Fatal("Agent 'claude' not found")
+	}
+
+	if agent.AuthEnvVar != "ANTHROPIC_API_KEY" {
+		t.Errorf("AuthEnvVar = %q, want %q", agent.AuthEnvVar, "ANTHROPIC_API_KEY")
+	}
+}
+
+func TestContainerName(t *testing.T) {
+	tests := []struct {
+		sandbox string
+		want    string
+	}{
+		{"myproject", "forage-myproject"},
+		{"test-123", "forage-test-123"},
+		{"sandbox_with_underscore", "forage-sandbox_with_underscore"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.sandbox, func(t *testing.T) {
+			got := config.ContainerName(tt.sandbox)
+			if got != tt.want {
+				t.Errorf("ContainerName(%q) = %q, want %q", tt.sandbox, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSecretsDirectory_Setup(t *testing.T) {
+	env := setupTestEnv(t)
+
+	// Simulate creating secrets for a sandbox
+	sandboxName := "test-sandbox"
+	secretsPath := filepath.Join(env.secretsDir, sandboxName)
+
+	if err := os.MkdirAll(secretsPath, 0700); err != nil {
+		t.Fatalf("Failed to create secrets dir: %v", err)
+	}
+
+	// Write a secret
+	secretFile := filepath.Join(secretsPath, "anthropic")
+	if err := os.WriteFile(secretFile, []byte("sk-secret-key"), 0600); err != nil {
+		t.Fatalf("Failed to write secret: %v", err)
+	}
+
+	// Verify permissions
+	info, err := os.Stat(secretsPath)
+	if err != nil {
+		t.Fatalf("Failed to stat secrets dir: %v", err)
+	}
+
+	if info.Mode().Perm() != 0700 {
+		t.Errorf("Secrets dir permissions = %o, want %o", info.Mode().Perm(), 0700)
+	}
+
+	// Read secret back
+	data, err := os.ReadFile(secretFile)
+	if err != nil {
+		t.Fatalf("Failed to read secret: %v", err)
+	}
+
+	if string(data) != "sk-secret-key" {
+		t.Errorf("Secret content = %q, want %q", string(data), "sk-secret-key")
+	}
+}
+
+func TestNixConfigFile_Creation(t *testing.T) {
+	env := setupTestEnv(t)
+
+	// Simulate creating a nix config file for a sandbox
+	sandboxName := "test-sandbox"
+	configPath := filepath.Join(env.stateDir, "sandboxes", sandboxName+".nix")
+
+	nixConfig := `{ pkgs, ... }: {
+  containers.forage-test-sandbox = {
+    autoStart = true;
+  };
+}`
+
+	if err := os.WriteFile(configPath, []byte(nixConfig), 0644); err != nil {
+		t.Fatalf("Failed to write nix config: %v", err)
+	}
+
+	// Verify file exists and content
+	data, err := os.ReadFile(configPath)
+	if err != nil {
+		t.Fatalf("Failed to read nix config: %v", err)
+	}
+
+	if string(data) != nixConfig {
+		t.Error("Nix config content mismatch")
+	}
+}
+
+func TestSkillsFile_Creation(t *testing.T) {
+	env := setupTestEnv(t)
+
+	sandboxName := "test-sandbox"
+	skillsPath := filepath.Join(env.stateDir, "sandboxes", sandboxName+".skills.md")
+
+	skillsContent := `# Agent Instructions
+
+You are running in a sandboxed environment.
+
+## Workspace
+Your workspace is at /workspace.
+`
+
+	if err := os.WriteFile(skillsPath, []byte(skillsContent), 0644); err != nil {
+		t.Fatalf("Failed to write skills file: %v", err)
+	}
+
+	data, err := os.ReadFile(skillsPath)
+	if err != nil {
+		t.Fatalf("Failed to read skills file: %v", err)
+	}
+
+	if string(data) != skillsContent {
+		t.Error("Skills content mismatch")
+	}
+}
+
+func TestWorkspaceDirectory_Validation(t *testing.T) {
+	env := setupTestEnv(t)
+
+	// Non-existent workspace
+	nonExistent := filepath.Join(env.tmpDir, "nonexistent")
+	_, err := os.Stat(nonExistent)
+	if !os.IsNotExist(err) {
+		t.Error("Non-existent path should not exist")
+	}
+
+	// Create workspace
+	workspace := env.createWorkspace(t, "valid-project")
+
+	info, err := os.Stat(workspace)
+	if err != nil {
+		t.Fatalf("Failed to stat workspace: %v", err)
+	}
+
+	if !info.IsDir() {
+		t.Error("Workspace should be a directory")
+	}
+}
+
+func TestJJRepo_Detection(t *testing.T) {
+	env := setupTestEnv(t)
+
+	// Not a JJ repo
+	notRepo := env.createWorkspace(t, "not-a-repo")
+	jjPath := filepath.Join(notRepo, ".jj", "repo")
+	_, err := os.Stat(jjPath)
+	if !os.IsNotExist(err) {
+		t.Error(".jj/repo should not exist in non-repo")
+	}
+
+	// Create fake JJ repo
+	repo := filepath.Join(env.tmpDir, "real-repo")
+	repoJJPath := filepath.Join(repo, ".jj", "repo")
+	if err = os.MkdirAll(repoJJPath, 0755); err != nil {
+		t.Fatalf("Failed to create .jj/repo: %v", err)
+	}
+
+	info, err := os.Stat(repoJJPath)
+	if err != nil {
+		t.Fatalf("Failed to stat .jj/repo: %v", err)
+	}
+
+	if !info.IsDir() {
+		t.Error(".jj/repo should be a directory")
+	}
+}
+
+func TestMultipleTemplates_DifferentNetworkModes(t *testing.T) {
+	env := setupTestEnv(t)
+
+	templates := []struct {
+		name    string
+		network string
+	}{
+		{"full-network", "full"},
+		{"no-network", "none"},
+		{"restricted-network", "restricted"},
+	}
+
+	for _, tt := range templates {
+		env.addTemplate(t, tt.name, &config.Template{
+			Name:    tt.name,
+			Network: tt.network,
+			Agents: map[string]config.AgentConfig{
+				"test": {
+					PackagePath: "/nix/store/test-agent",
+					SecretName:  "test-secret",
+					AuthEnvVar:  "TEST_API_KEY",
+				},
+			},
+		})
+	}
+
+	// Load and verify each
+	for _, tt := range templates {
+		tmpl, err := config.LoadTemplate(filepath.Join(env.configDir, "templates"), tt.name)
+		if err != nil {
+			t.Fatalf("Failed to load template %s: %v", tt.name, err)
+		}
+
+		if tmpl.Network != tt.network {
+			t.Errorf("Template %s: Network = %q, want %q", tt.name, tmpl.Network, tt.network)
+		}
+	}
+}
+
+func TestSandboxMetadata_JSON_Format(t *testing.T) {
+	env := setupTestEnv(t)
+	sandboxesDir := filepath.Join(env.stateDir, "sandboxes")
+
+	meta := &config.SandboxMetadata{
+		Name:          "json-test",
+		Template:      "claude",
+		Workspace:     "/workspace",
+		NetworkSlot:   1,
+		CreatedAt:     "2024-01-01T00:00:00Z",
+		WorkspaceMode: "direct",
+	}
+
+	if err := config.SaveSandboxMetadata(sandboxesDir, meta); err != nil {
+		t.Fatalf("Failed to save metadata: %v", err)
+	}
+
+	// Read raw JSON
+	path := filepath.Join(sandboxesDir, "json-test.json")
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("Failed to read JSON: %v", err)
+	}
+
+	// Verify it's valid JSON
+	var raw map[string]interface{}
+	if err := json.Unmarshal(data, &raw); err != nil {
+		t.Fatalf("Invalid JSON: %v", err)
+	}
+
+	// Check expected fields
+	if raw["name"] != "json-test" {
+		t.Errorf("name = %v, want %q", raw["name"], "json-test")
+	}
+
+	// NetworkSlot should be a number
+	if slot, ok := raw["networkSlot"].(float64); !ok || int(slot) != 1 {
+		t.Errorf("networkSlot = %v, want 1", raw["networkSlot"])
+	}
+}
diff --git a/packages/forage-ctl/cmd/logs.go b/packages/forage-ctl/cmd/logs.go
new file mode 100644
index 0000000..adc3fcc
--- /dev/null
+++ b/packages/forage-ctl/cmd/logs.go
@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+var logsCmd = &cobra.Command{
+	Use:   "logs <name>",
+	Short: "View container logs",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runLogs,
+}
+
+var logsFollow bool
+var logsLines int
+
+func init() {
+	logsCmd.Flags().BoolVarP(&logsFollow, "follow", "f", false, "Follow log output")
+	logsCmd.Flags().IntVarP(&logsLines, "lines", "n", 50, "Number of lines to show")
+	rootCmd.AddCommand(logsCmd)
+}
+
+func runLogs(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	if _, err := loadSandbox(name); err != nil {
+		return err
+	}
+
+	rt := getRuntime()
+	lv, ok := rt.(runtime.LogViewer)
+	if !ok {
+		return fmt.Errorf("log viewing is not supported by the %s runtime", rt.Name())
+	}
+
+	return lv.ViewLogs(cmd.Context(), name, logsFollow, logsLines)
+}
diff --git a/packages/forage-ctl/cmd/monitor.go b/packages/forage-ctl/cmd/monitor.go
new file mode 100644
index 0000000..a27e0d9
--- /dev/null
+++ b/packages/forage-ctl/cmd/monitor.go
@@ -0,0 +1,63 @@
+package cmd
+
+import (
+	"context"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/monitor"
+)
+
+var monitorCmd = &cobra.Command{
+	Use:   "monitor",
+	Short: "Monitor sandbox health in the background",
+	Long: `Periodically checks the health of all sandboxes and optionally
+restarts unhealthy containers. Runs in the foreground until interrupted.
+
+Can be wrapped in a systemd service for persistent monitoring.`,
+	RunE: runMonitor,
+}
+
+var (
+	monitorInterval    int
+	monitorAutoRestart bool
+)
+
+func init() {
+	monitorCmd.Flags().IntVar(&monitorInterval, "interval", 60, "Health check interval in seconds")
+	monitorCmd.Flags().BoolVar(&monitorAutoRestart, "auto-restart", false, "Automatically restart unhealthy containers")
+	rootCmd.AddCommand(monitorCmd)
+}
+
+func runMonitor(cmd *cobra.Command, args []string) error {
+	p := paths()
+	rt := getRuntime()
+	auditLogger := audit.NewLogger(p.StateDir)
+
+	interval := time.Duration(monitorInterval) * time.Second
+
+	opts := []monitor.Option{
+		monitor.WithAuditLogger(auditLogger),
+	}
+	if monitorAutoRestart {
+		opts = append(opts, monitor.WithAutoRestart(true))
+	}
+
+	mon := monitor.New(interval, rt, p, opts...)
+
+	logInfo("Starting health monitor (interval: %ds, auto-restart: %v)", monitorInterval, monitorAutoRestart)
+
+	ctx, stop := signal.NotifyContext(cmd.Context(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
+
+	err := mon.Run(ctx)
+	if err == context.Canceled {
+		logInfo("Monitor stopped")
+		return nil
+	}
+	return err
+}
diff --git a/packages/forage-ctl/cmd/network.go b/packages/forage-ctl/cmd/network.go
new file mode 100644
index 0000000..aaec479
--- /dev/null
+++ b/packages/forage-ctl/cmd/network.go
@@ -0,0 +1,175 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/app"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/generator"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/network"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+)
+
+var networkCmd = &cobra.Command{
+	Use:   "network <sandbox> <mode>",
+	Short: "Change sandbox network isolation mode",
+	Long: `Change the network isolation mode for a sandbox.
+
+Available modes:
+  full       - Unrestricted internet access (default)
+  restricted - Only allowed hosts can be accessed (requires template config)
+  none       - No network access except SSH for management
+
+Note: Changing network mode requires restarting the sandbox.`,
+	Args: cobra.ExactArgs(2),
+	RunE: runNetwork,
+}
+
+var (
+	networkAllowHosts []string
+	networkNoRestart  bool
+)
+
+func init() {
+	networkCmd.Flags().StringSliceVar(&networkAllowHosts, "allow", nil, "Additional hosts to allow (restricted mode only)")
+	networkCmd.Flags().BoolVar(&networkNoRestart, "no-restart", false, "Don't restart sandbox (changes won't take effect)")
+	rootCmd.AddCommand(networkCmd)
+}
+
+func runNetwork(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	modeStr := args[1]
+	p := paths()
+
+	// Validate mode
+	var mode network.Mode
+	switch modeStr {
+	case "full":
+		mode = network.ModeFull
+	case "restricted":
+		mode = network.ModeRestricted
+	case "none":
+		mode = network.ModeNone
+	default:
+		return errors.New(errors.ExitGeneralError, fmt.Sprintf("invalid network mode: %s (use full, restricted, or none)", modeStr))
+	}
+
+	logging.Debug("changing network mode", "sandbox", name, "mode", mode)
+
+	// Load sandbox metadata
+	metadata, err := config.LoadSandboxMetadata(p.SandboxesDir, name)
+	if err != nil {
+		return errors.SandboxNotFound(name)
+	}
+
+	// Load host config
+	hostConfig, err := config.LoadHostConfig(p.ConfigDir)
+	if err != nil {
+		return errors.ConfigError("failed to load host config", err)
+	}
+
+	// Load template
+	template, err := config.LoadTemplate(p.TemplatesDir, metadata.Template)
+	if err != nil {
+		return errors.TemplateNotFound(metadata.Template)
+	}
+
+	// Update template network mode for regeneration
+	template.Network = string(mode)
+
+	// Merge allowed hosts from template and command line
+	allowedHosts := template.AllowedHosts
+	if len(networkAllowHosts) > 0 {
+		allowedHosts = append(allowedHosts, networkAllowHosts...)
+	}
+	template.AllowedHosts = allowedHosts
+
+	// Validate restricted mode has allowed hosts
+	if mode == network.ModeRestricted && len(allowedHosts) == 0 {
+		logWarning("restricted mode with no allowed hosts is equivalent to 'none' mode")
+	}
+
+	// Check if sandbox is running
+	wasRunning := isRunning(cmd.Context(), name)
+	if wasRunning && !networkNoRestart {
+		logInfo("Stopping sandbox for network reconfiguration...")
+		logging.Debug("stopping container", "name", name)
+		if stopErr := app.Default.Stop(cmd.Context(), name); stopErr != nil {
+			logging.Warn("failed to stop container", "error", stopErr)
+		}
+	}
+
+	// Regenerate container configuration using contribution system
+	logInfo("Regenerating container configuration...")
+
+	containerCfg, err := sandbox.RebuildContainerConfig(cmd.Context(), sandbox.RebuildContainerConfigParams{
+		Metadata:   metadata,
+		Template:   template,
+		HostConfig: hostConfig,
+		Paths:      p,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to rebuild container config: %w", err)
+	}
+
+	nixConfig, err := generator.GenerateNixConfig(containerCfg)
+	if err != nil {
+		return fmt.Errorf("failed to generate container config: %w", err)
+	}
+
+	// Write updated container config
+	configPath := filepath.Join(p.SandboxesDir, name+".nix")
+	logging.Debug("writing updated container config", "path", configPath)
+	if err := os.WriteFile(configPath, []byte(nixConfig), 0644); err != nil {
+		return errors.ContainerFailed("write config", err)
+	}
+
+	if networkNoRestart {
+		logWarning("Container configuration updated. Restart the sandbox for changes to take effect.")
+		logInfo("  forage-ctl reset %s", name)
+		return nil
+	}
+
+	// Recreate container with new configuration
+	logInfo("Recreating container with new network configuration...")
+
+	// Destroy old container
+	if err := app.Default.Destroy(cmd.Context(), name); err != nil {
+		logging.Warn("failed to destroy old container", "error", err)
+	}
+
+	// Create new container via runtime
+	logging.Debug("creating container via runtime", "name", name, "config", configPath)
+	if err := app.Default.Create(cmd.Context(), runtime.CreateOptions{
+		Name:       name,
+		ConfigPath: configPath,
+		Start:      true,
+	}); err != nil {
+		return errors.ContainerFailed("recreate container", err)
+	}
+
+	logSuccess("Network mode changed to %s", mode)
+
+	// Show network info
+	switch mode {
+	case network.ModeFull:
+		fmt.Println("  Full internet access enabled")
+	case network.ModeRestricted:
+		fmt.Println("  Restricted network enabled")
+		fmt.Println("  Allowed hosts:")
+		for _, host := range allowedHosts {
+			fmt.Printf("    - %s\n", host)
+		}
+	case network.ModeNone:
+		fmt.Println("  Network access disabled (SSH only for management)")
+	}
+
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/pick.go b/packages/forage-ctl/cmd/pick.go
new file mode 100644
index 0000000..32ec0ad
--- /dev/null
+++ b/packages/forage-ctl/cmd/pick.go
@@ -0,0 +1,125 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/tui"
+)
+
+var pickCmd = &cobra.Command{
+	Use:   "pick",
+	Short: "Interactive sandbox picker",
+	Long: `Opens an interactive TUI for selecting and connecting to sandboxes.
+
+Use arrow keys or j/k to navigate, / to filter, Enter to connect.
+
+Actions:
+  Enter  - Attach to selected sandbox
+  n      - Create new sandbox (opens wizard)
+  d      - Show instructions for removing selected sandbox
+  q/Esc  - Quit`,
+	RunE: runPick,
+}
+
+func init() {
+	rootCmd.AddCommand(pickCmd)
+}
+
+func runPick(cmd *cobra.Command, args []string) error {
+	p := paths()
+	rt := getRuntime()
+
+	logging.Debug("picker mode started")
+
+	// List sandboxes (nil is fine -- RunPicker handles empty list)
+	sandboxes, err := listSandboxes()
+	if err != nil {
+		return fmt.Errorf("failed to list sandboxes: %w", err)
+	}
+
+	opts := tui.PickerOptions{
+		AllowCreate:  true,
+		TemplatesDir: p.TemplatesDir,
+	}
+
+	// Run interactive picker
+	result, err := tui.RunPicker(cmd.Context(), sandboxes, p, rt, opts)
+	if err != nil {
+		return fmt.Errorf("picker error: %w", err)
+	}
+
+	logging.Debug("picker result", "action", result.Action)
+
+	switch result.Action {
+	case tui.ActionAttach:
+		if result.Sandbox != nil {
+			return attachToSandbox(cmd.Context(), result.Sandbox, p)
+		}
+
+	case tui.ActionNew:
+		if result.CreateOptions != nil {
+			return createSandboxFromWizard(cmd.Context(), result.CreateOptions)
+		}
+		fmt.Println("\nTo create a new sandbox, run:")
+		fmt.Println("  forage-ctl up <name> -t <template> -w <workspace>")
+		fmt.Println("\nAvailable templates:")
+		templates, _ := config.ListTemplates(p.TemplatesDir)
+		for _, t := range templates {
+			fmt.Printf("  - %s: %s\n", t.Name, t.Description)
+		}
+
+	case tui.ActionDown:
+		if result.Sandbox != nil {
+			fmt.Printf("\nTo remove sandbox '%s', run:\n", result.Sandbox.Name)
+			fmt.Printf("  forage-ctl down %s\n", result.Sandbox.Name)
+		}
+
+	case tui.ActionQuit:
+		// Just exit cleanly
+	}
+
+	return nil
+}
+
+func createSandboxFromWizard(ctx context.Context, opts *tui.CreateOptions) error {
+
+	creator, err := sandbox.NewCreator()
+	if err != nil {
+		return fmt.Errorf("failed to initialize: %w", err)
+	}
+
+	logInfo("Creating sandbox %s...", opts.Name)
+
+	result, err := creator.Create(ctx, sandbox.CreateOptions{
+		Name:        opts.Name,
+		Template:    opts.Template,
+		RepoPath:    opts.RepoPath,
+		Direct:      opts.Direct,
+		NoMuxConfig: opts.NoMuxConfig,
+		GitUser:     opts.GitUser,
+		GitEmail:    opts.GitEmail,
+		SSHKeyPath:  opts.SSHKeyPath,
+	})
+	if err != nil {
+		return fmt.Errorf("sandbox creation failed: %w", err)
+	}
+
+	displayInitResult(result.InitResult)
+
+	logSuccess("Sandbox %s created", opts.Name)
+	fmt.Printf("  IP: %s\n", result.ContainerIP)
+	fmt.Printf("  Workspace: %s\n", result.Workspace)
+	fmt.Printf("  Connect: forage-ctl ssh %s\n", opts.Name)
+
+	return nil
+}
+
+func attachToSandbox(ctx context.Context, metadata *config.SandboxMetadata, paths *config.Paths) error {
+	return connectToSandbox(ctx, metadata.Name, paths)
+}
diff --git a/packages/forage-ctl/cmd/proxy.go b/packages/forage-ctl/cmd/proxy.go
new file mode 100644
index 0000000..aebe8ca
--- /dev/null
+++ b/packages/forage-ctl/cmd/proxy.go
@@ -0,0 +1,109 @@
+package cmd
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/proxy"
+)
+
+var proxyCmd = &cobra.Command{
+	Use:   "proxy",
+	Short: "Run the API proxy server",
+	Long: `Run an HTTP proxy server that injects API keys into requests.
+
+The proxy reads API keys from the secrets directory and injects them
+into requests from sandboxes. This allows sandboxes to make API calls
+without having direct access to the API keys.
+
+Sandboxes should:
+1. Set ANTHROPIC_BASE_URL to point to this proxy
+2. Include X-Forage-Sandbox header with their sandbox name
+
+The proxy will:
+- Inject the appropriate API key for the sandbox
+- Apply rate limiting (if configured)
+- Log all requests to the audit log (if configured)
+
+IMPORTANT: This only works for API key authentication. For Claude Max/Pro
+plans using OAuth, authentication must be done inside the sandbox via
+'claude login'. The proxy can still provide rate limiting and logging
+for Max plans, but cannot inject authentication.`,
+	RunE: runProxy,
+}
+
+var (
+	proxyListen     string
+	proxyTarget     string
+	proxyRateLimit  int
+	proxyRateWindow time.Duration
+	proxyAuditLog   string
+)
+
+func init() {
+	proxyCmd.Flags().StringVar(&proxyListen, "listen", ":8080", "Address to listen on")
+	proxyCmd.Flags().StringVar(&proxyTarget, "target", "https://api.anthropic.com", "Upstream API URL")
+	proxyCmd.Flags().IntVar(&proxyRateLimit, "rate-limit", 0, "Max requests per window (0 = unlimited)")
+	proxyCmd.Flags().DurationVar(&proxyRateWindow, "rate-window", time.Minute, "Rate limit window duration")
+	proxyCmd.Flags().StringVar(&proxyAuditLog, "audit-log", "", "Path to audit log file")
+	rootCmd.AddCommand(proxyCmd)
+}
+
+func runProxy(cmd *cobra.Command, args []string) error {
+	paths := config.DefaultPaths()
+
+	cfg := &proxy.Config{
+		ListenAddr:        proxyListen,
+		SecretsDir:        paths.SecretsDir,
+		TargetURL:         proxyTarget,
+		RateLimitRequests: proxyRateLimit,
+		RateLimitWindow:   proxyRateWindow,
+		AuditLogPath:      proxyAuditLog,
+		Logger:            logging.Logger,
+	}
+
+	server, err := proxy.NewServer(cfg)
+	if err != nil {
+		return err
+	}
+
+	// Handle shutdown signals
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		<-sigCh
+		logging.Info("shutting down proxy server")
+		_ = server.Stop() // Best-effort shutdown
+	}()
+
+	// Handle SIGHUP for config reload
+	hupCh := make(chan os.Signal, 1)
+	signal.Notify(hupCh, syscall.SIGHUP)
+	go func() {
+		for range hupCh {
+			logging.Info("reloading API keys")
+			if err := server.ReloadKeys(); err != nil {
+				logging.Warn("failed to reload keys", "error", err)
+			}
+		}
+	}()
+
+	logInfo("Starting API proxy server on %s", proxyListen)
+	logInfo("Target: %s", proxyTarget)
+	logInfo("Secrets: %s", paths.SecretsDir)
+	if proxyRateLimit > 0 {
+		logInfo("Rate limit: %d requests per %s", proxyRateLimit, proxyRateWindow)
+	}
+	if proxyAuditLog != "" {
+		logInfo("Audit log: %s", proxyAuditLog)
+	}
+
+	return server.Start()
+}
diff --git a/packages/forage-ctl/cmd/ps.go b/packages/forage-ctl/cmd/ps.go
new file mode 100644
index 0000000..36f0109
--- /dev/null
+++ b/packages/forage-ctl/cmd/ps.go
@@ -0,0 +1,67 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+)
+
+var psCmd = &cobra.Command{
+	Use:   "ps",
+	Short: "List all sandboxes",
+	RunE:  runPs,
+}
+
+func init() {
+	rootCmd.AddCommand(psCmd)
+}
+
+func runPs(cmd *cobra.Command, args []string) error {
+	rt := getRuntime()
+
+	sandboxes, err := listSandboxes()
+	if err != nil {
+		return fmt.Errorf("failed to list sandboxes: %w", err)
+	}
+
+	if len(sandboxes) == 0 {
+		logInfo("No sandboxes found. Create one with: forage-ctl up <name> -t <template>")
+		return nil
+	}
+
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintln(w, "NAME\tTEMPLATE\tIP\tMODE\tWORKSPACE\tSTATUS")
+	fmt.Fprintln(w, "----\t--------\t--\t----\t---------\t------")
+
+	for _, sb := range sandboxes {
+		mode := sb.WorkspaceMode
+		mux := multiplexer.New(multiplexer.Type(sb.Multiplexer))
+		status := health.GetSummary(cmd.Context(), sb.Name, sb.ContainerIP(), rt, mux)
+		statusStr := formatStatus(status)
+
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
+			sb.Name, sb.Template, sb.ContainerIP(), mode, sb.Workspace, statusStr)
+	}
+
+	return w.Flush()
+}
+
+func formatStatus(status health.Status) string {
+	switch status {
+	case health.StatusHealthy:
+		return "✓ healthy"
+	case health.StatusUnhealthy:
+		return "⚠ unhealthy"
+	case health.StatusNoMux:
+		return "○ no-mux"
+	case health.StatusStopped:
+		return "● stopped"
+	default:
+		return string(status)
+	}
+}
diff --git a/packages/forage-ctl/cmd/reset.go b/packages/forage-ctl/cmd/reset.go
new file mode 100644
index 0000000..fe59bf5
--- /dev/null
+++ b/packages/forage-ctl/cmd/reset.go
@@ -0,0 +1,65 @@
+package cmd
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/app"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+var resetCmd = &cobra.Command{
+	Use:   "reset <name>",
+	Short: "Reset sandbox (restart with fresh ephemeral state)",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runReset,
+}
+
+func init() {
+	rootCmd.AddCommand(resetCmd)
+}
+
+func runReset(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	metadata, err := loadSandbox(name)
+	if err != nil {
+		return err
+	}
+
+	// Stop the container if running
+	if isRunning(cmd.Context(), name) {
+		logInfo("Stopping container...")
+		logging.Debug("destroying container", "name", name)
+		if err := app.Default.Destroy(cmd.Context(), name); err != nil {
+			logWarning("Failed to stop container: %v", err)
+		}
+	}
+
+	// Restart the container (uses cached etc → outer config → full .nix fallback)
+	logInfo("Starting container...")
+	if err := app.Default.Start(cmd.Context(), name); err != nil {
+		return fmt.Errorf("failed to start container: %w", err)
+	}
+
+	// Wait for SSH to be ready
+	logInfo("Waiting for sandbox to be ready...")
+	ready := false
+	for i := 0; i < health.SSHReadyTimeoutSeconds; i++ {
+		if health.CheckSSH(metadata.ContainerIP()) {
+			ready = true
+			break
+		}
+		time.Sleep(time.Second)
+	}
+
+	if !ready {
+		logWarning("SSH not ready after %d seconds", health.SSHReadyTimeoutSeconds)
+	}
+
+	logSuccess("Reset sandbox %s", name)
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/root.go b/packages/forage-ctl/cmd/root.go
new file mode 100644
index 0000000..5e1852f
--- /dev/null
+++ b/packages/forage-ctl/cmd/root.go
@@ -0,0 +1,87 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/trace"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+var (
+	verbose    bool
+	jsonOutput bool
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "forage-ctl",
+	Short: "Firefly Forage sandbox management CLI",
+	Long: `forage-ctl manages isolated, ephemeral sandboxes for AI coding agents.
+
+Each sandbox is a lightweight container with:
+  - Shared nix store (read-only)
+  - Ephemeral root filesystem
+  - Persistent workspace via bind mount
+  - SSH access with tmux session`,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		logging.Setup(verbose, jsonOutput, os.Stderr)
+		ctx, span := telemetry.Command(cmd.Context(), cmd.Name())
+		cmd.SetContext(ctx)
+		// span ended in PersistentPostRun
+		_ = span
+	},
+	PersistentPostRun: func(cmd *cobra.Command, args []string) {
+		if span := trace.SpanFromContext(cmd.Context()); span.IsRecording() {
+			span.End()
+		}
+	},
+}
+
+func Execute(ctx context.Context) error {
+	return rootCmd.ExecuteContext(ctx)
+}
+
+func init() {
+	rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose output")
+	rootCmd.PersistentFlags().BoolVar(&jsonOutput, "json", false, "Output logs in JSON format")
+	rootCmd.CompletionOptions.DisableDefaultCmd = true
+}
+
+// Helper aliases for user-facing output (delegates to logging package)
+var (
+	logInfo    = logging.UserInfo
+	logSuccess = logging.UserSuccess
+	logWarning = logging.UserWarning
+	_          = logging.UserError // reserved for future use
+)
+
+// displayInitResult shows init command results to the user.
+func displayInitResult(r *sandbox.InitCommandResult) {
+	if r == nil {
+		return
+	}
+
+	if r.TemplateCommandsRun > 0 {
+		if len(r.TemplateWarnings) > 0 {
+			logWarning("  %d of %d init commands had warnings", len(r.TemplateWarnings), r.TemplateCommandsRun)
+			for _, w := range r.TemplateWarnings {
+				logWarning("    %s", w)
+			}
+		} else {
+			fmt.Printf("  Init commands: %d completed\n", r.TemplateCommandsRun)
+		}
+	}
+
+	if r.ProjectInitRun {
+		if r.ProjectInitWarning != "" {
+			logWarning("  %s", r.ProjectInitWarning)
+		} else {
+			fmt.Printf("  Project init: completed\n")
+		}
+	}
+}
diff --git a/packages/forage-ctl/cmd/runtime.go b/packages/forage-ctl/cmd/runtime.go
new file mode 100644
index 0000000..81a58a3
--- /dev/null
+++ b/packages/forage-ctl/cmd/runtime.go
@@ -0,0 +1,66 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+var runtimeCmd = &cobra.Command{
+	Use:   "runtime",
+	Short: "Show container runtime information",
+	Long: `Display information about available and active container runtimes.
+
+Firefly Forage supports multiple container runtimes:
+  - nspawn:  systemd-nspawn (NixOS only)
+  - apple:   Apple Container (macOS, uses Virtualization.framework)
+  - podman:  Podman (rootless containers)
+  - docker:  Docker Engine
+
+The runtime is auto-detected based on what's available on your system.`,
+	RunE: runRuntime,
+}
+
+func init() {
+	rootCmd.AddCommand(runtimeCmd)
+}
+
+func runRuntime(cmd *cobra.Command, args []string) error {
+	// Detect current runtime
+	detected, err := runtime.Detect()
+	if err != nil {
+		fmt.Printf("Detection failed: %s\n", err)
+	} else {
+		fmt.Printf("Active runtime: %s\n", detected)
+	}
+
+	fmt.Println()
+
+	// List available runtimes
+	available := runtime.Available()
+	fmt.Println("Available runtimes:")
+	if len(available) == 0 {
+		fmt.Println("  (none)")
+	} else {
+		for _, rt := range available {
+			marker := "  "
+			if rt == detected {
+				marker = "* "
+			}
+			fmt.Printf("%s%s\n", marker, rt)
+		}
+	}
+
+	fmt.Println()
+
+	// Show platform info
+	fmt.Println("Platform support:")
+	fmt.Println("  nspawn  - NixOS (systemd-nspawn)")
+	fmt.Println("  apple   - macOS 13+ (Apple Virtualization.framework)")
+	fmt.Println("  podman  - Linux, macOS (rootless preferred)")
+	fmt.Println("  docker  - Linux, macOS, Windows")
+
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/shell.go b/packages/forage-ctl/cmd/shell.go
new file mode 100644
index 0000000..8f6c6aa
--- /dev/null
+++ b/packages/forage-ctl/cmd/shell.go
@@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+var shellCmd = &cobra.Command{
+	Use:   "shell <name>",
+	Short: "Open root shell in container",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runShell,
+}
+
+func init() {
+	rootCmd.AddCommand(shellCmd)
+}
+
+func runShell(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	_, err := loadRunningSandbox(cmd.Context(), name)
+	if err != nil {
+		return err
+	}
+
+	rt := getRuntime()
+	if rt == nil {
+		return errors.New(errors.ExitGeneralError, "no container runtime available")
+	}
+
+	// Use runtime's interactive exec to get a shell
+	return rt.ExecInteractive(cmd.Context(), name, []string{"/bin/bash"}, runtime.ExecOptions{})
+}
diff --git a/packages/forage-ctl/cmd/snapshot.go b/packages/forage-ctl/cmd/snapshot.go
new file mode 100644
index 0000000..25f4028
--- /dev/null
+++ b/packages/forage-ctl/cmd/snapshot.go
@@ -0,0 +1,140 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/workspace"
+)
+
+var snapshotCmd = &cobra.Command{
+	Use:   "snapshot",
+	Short: "Manage workspace snapshots",
+	Long: `Create, list, and restore VCS-level snapshots of sandbox workspace state.
+Snapshots use jj bookmarks or git tags depending on the workspace backend.`,
+}
+
+var snapshotCreateCmd = &cobra.Command{
+	Use:   "create <sandbox> <name>",
+	Short: "Create a workspace snapshot",
+	Args:  cobra.ExactArgs(2),
+	RunE:  runSnapshotCreate,
+}
+
+var snapshotListCmd = &cobra.Command{
+	Use:   "list <sandbox>",
+	Short: "List workspace snapshots",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runSnapshotList,
+}
+
+var snapshotRestoreCmd = &cobra.Command{
+	Use:   "restore <sandbox> <name>",
+	Short: "Restore a workspace snapshot",
+	Args:  cobra.ExactArgs(2),
+	RunE:  runSnapshotRestore,
+}
+
+func init() {
+	snapshotCmd.AddCommand(snapshotCreateCmd)
+	snapshotCmd.AddCommand(snapshotListCmd)
+	snapshotCmd.AddCommand(snapshotRestoreCmd)
+	rootCmd.AddCommand(snapshotCmd)
+}
+
+func getSnapshotterForSandbox(metadata *config.SandboxMetadata) (workspace.Snapshotter, error) {
+	if metadata.WorkspaceMode == "direct" || metadata.SourceRepo == "" {
+		return nil, fmt.Errorf("snapshots are not available in direct workspace mode (no VCS backend)")
+	}
+
+	backend := workspace.BackendForMode(metadata.WorkspaceMode)
+	if backend == nil {
+		return nil, fmt.Errorf("unknown workspace mode: %s", metadata.WorkspaceMode)
+	}
+
+	snapshotter, ok := backend.(workspace.Snapshotter)
+	if !ok {
+		return nil, fmt.Errorf("workspace backend %q does not support snapshots", backend.Name())
+	}
+
+	return snapshotter, nil
+}
+
+func runSnapshotCreate(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	snapshotName := args[1]
+
+	metadata, err := loadSandbox(name)
+	if err != nil {
+		return err
+	}
+
+	snapshotter, err := getSnapshotterForSandbox(metadata)
+	if err != nil {
+		return err
+	}
+
+	if err := snapshotter.Snapshot(metadata.SourceRepo, name, snapshotName); err != nil {
+		return fmt.Errorf("failed to create snapshot: %w", err)
+	}
+
+	logSuccess("Created snapshot %q for sandbox %s", snapshotName, name)
+	return nil
+}
+
+func runSnapshotList(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	metadata, err := loadSandbox(name)
+	if err != nil {
+		return err
+	}
+
+	snapshotter, err := getSnapshotterForSandbox(metadata)
+	if err != nil {
+		return err
+	}
+
+	snapshots, err := snapshotter.ListSnapshots(metadata.SourceRepo, name)
+	if err != nil {
+		return fmt.Errorf("failed to list snapshots: %w", err)
+	}
+
+	if len(snapshots) == 0 {
+		logInfo("No snapshots found for sandbox %s", name)
+		return nil
+	}
+
+	for _, s := range snapshots {
+		if s.ChangeID != "" {
+			fmt.Printf("  %s  (%s)\n", s.Name, s.ChangeID)
+		} else {
+			fmt.Printf("  %s\n", s.Name)
+		}
+	}
+	return nil
+}
+
+func runSnapshotRestore(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	snapshotName := args[1]
+
+	metadata, err := loadSandbox(name)
+	if err != nil {
+		return err
+	}
+
+	snapshotter, err := getSnapshotterForSandbox(metadata)
+	if err != nil {
+		return err
+	}
+
+	if err := snapshotter.RestoreSnapshot(metadata.SourceRepo, name, snapshotName); err != nil {
+		return fmt.Errorf("failed to restore snapshot: %w", err)
+	}
+
+	logSuccess("Restored snapshot %q for sandbox %s", snapshotName, name)
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/ssh.go b/packages/forage-ctl/cmd/ssh.go
new file mode 100644
index 0000000..c569a94
--- /dev/null
+++ b/packages/forage-ctl/cmd/ssh.go
@@ -0,0 +1,60 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/ssh"
+)
+
+var sshCmd = &cobra.Command{
+	Use:   "ssh <name>",
+	Short: "SSH into a sandbox and attach to multiplexer session",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runSSH,
+}
+
+func init() {
+	sshCmd.Flags().Bool("no-tmux-cc", false, "Disable tmux control mode (-CC) even when WezTerm is detected")
+	rootCmd.AddCommand(sshCmd)
+}
+
+func runSSH(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	metadata, err := loadRunningSandbox(cmd.Context(), name)
+	if err != nil {
+		return err
+	}
+
+	noCC, _ := cmd.Flags().GetBool("no-tmux-cc")
+	mux := multiplexer.New(multiplexer.Type(metadata.Multiplexer), multiplexer.WithControlMode(!noCC))
+
+	rt := getRuntime()
+	caps := runtime.GetCapabilities(rt)
+
+	if attachCmd := mux.AttachCommand(); attachCmd != "" {
+		// Use SSH for runtimes that support it, exec-based attach otherwise
+		if caps.SSHAccess {
+			return ssh.ReplaceWithSession(metadata.ContainerIP(), attachCmd)
+		}
+		return runtime.ExecShellInteractive(cmd.Context(), rt, name, attachCmd, runtime.ExecOptions{})
+	}
+
+	// Check if multiplexer supports native connect (e.g., wezterm)
+	containerName := metadata.ResolvedContainerName()
+	if nc, ok := mux.(multiplexer.NativeConnector); ok {
+		if os.Getenv("TERM_PROGRAM") == "WezTerm" {
+			return nc.NativeConnect(containerName)
+		}
+		return fmt.Errorf("sandbox %q uses wezterm multiplexing\n"+
+			"  Connect with: wezterm connect %s\n"+
+			"  Or configure an SSH domain in ~/.wezterm.lua", name, containerName)
+	}
+
+	return fmt.Errorf("multiplexer %q has no attach command and no native connect", mux.Type())
+}
diff --git a/packages/forage-ctl/cmd/start.go b/packages/forage-ctl/cmd/start.go
new file mode 100644
index 0000000..e4fa600
--- /dev/null
+++ b/packages/forage-ctl/cmd/start.go
@@ -0,0 +1,44 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/app"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+)
+
+var startCmd = &cobra.Command{
+	Use:   "start <name>",
+	Short: "Start a stopped sandbox",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runStart,
+}
+
+func init() {
+	rootCmd.AddCommand(startCmd)
+}
+
+func runStart(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	_, err := loadSandbox(name)
+	if err != nil {
+		return err
+	}
+
+	if isRunning(cmd.Context(), name) {
+		logInfo("Sandbox %s is already running", name)
+		return nil
+	}
+
+	if err := app.Default.Start(cmd.Context(), name); err != nil {
+		return errors.ContainerFailed("start", err)
+	}
+
+	auditLog := audit.NewLogger(paths().StateDir)
+	_ = auditLog.LogEvent(audit.EventStart, name, "")
+
+	logSuccess("Started sandbox %s", name)
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/status.go b/packages/forage-ctl/cmd/status.go
new file mode 100644
index 0000000..46d6aac
--- /dev/null
+++ b/packages/forage-ctl/cmd/status.go
@@ -0,0 +1,93 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+var statusCmd = &cobra.Command{
+	Use:   "status <name>",
+	Short: "Show detailed status of a sandbox",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runStatus,
+}
+
+func init() {
+	rootCmd.AddCommand(statusCmd)
+}
+
+func runStatus(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	metadata, err := loadSandbox(name)
+	if err != nil {
+		return err
+	}
+
+	mux := multiplexer.New(multiplexer.Type(metadata.Multiplexer))
+	result := health.Check(cmd.Context(), name, metadata.ContainerIP(), getRuntime(), mux)
+
+	fmt.Printf("Sandbox: %s\n", metadata.Name)
+	fmt.Printf("Template: %s\n", metadata.Template)
+	fmt.Printf("IP: %s\n", metadata.ContainerIP())
+	fmt.Printf("Workspace: %s\n", metadata.Workspace)
+
+	mode := metadata.WorkspaceMode
+	if mode == "" {
+		mode = "direct"
+	}
+	fmt.Printf("Mode: %s\n", mode)
+
+	if metadata.SourceRepo != "" {
+		fmt.Printf("Source Repo: %s\n", metadata.SourceRepo)
+	}
+	if metadata.JJWorkspaceName != "" {
+		fmt.Printf("JJ Workspace: %s\n", metadata.JJWorkspaceName)
+	}
+
+	if metadata.AgentIdentity != nil {
+		id := metadata.AgentIdentity
+		if id.GitUser != "" {
+			fmt.Printf("Git User: %s\n", id.GitUser)
+		}
+		if id.GitEmail != "" {
+			fmt.Printf("Git Email: %s\n", id.GitEmail)
+		}
+		if id.SSHKeyPath != "" {
+			fmt.Printf("SSH Key: %s\n", id.SSHKeyPath)
+		}
+	}
+
+	fmt.Printf("Created: %s\n", metadata.CreatedAt)
+	fmt.Println()
+
+	// Health status
+	fmt.Println("Health Checks:")
+	fmt.Printf("  Container: %s\n", boolStatus(result.ContainerRunning))
+	if result.ContainerRunning {
+		fmt.Printf("  Uptime: %s\n", result.Uptime)
+		caps := runtime.GetCapabilities(getRuntime())
+		if caps.SSHAccess {
+			fmt.Printf("  SSH: %s\n", boolStatus(result.SSHReachable))
+		}
+		fmt.Printf("  Mux: %s\n", boolStatus(result.MuxActive))
+		if len(result.MuxWindows) > 0 {
+			fmt.Printf("  Windows: %s\n", strings.Join(result.MuxWindows, ", "))
+		}
+	}
+
+	return nil
+}
+
+func boolStatus(b bool) string {
+	if b {
+		return "✓"
+	}
+	return "✗"
+}
diff --git a/packages/forage-ctl/cmd/stop.go b/packages/forage-ctl/cmd/stop.go
new file mode 100644
index 0000000..dafcd04
--- /dev/null
+++ b/packages/forage-ctl/cmd/stop.go
@@ -0,0 +1,61 @@
+package cmd
+
+import (
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+var stopCmd = &cobra.Command{
+	Use:   "stop <name>",
+	Short: "Stop a running sandbox",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runStop,
+}
+
+var stopTimeout int
+
+func init() {
+	stopCmd.Flags().IntVarP(&stopTimeout, "timeout", "t", 30, "Graceful shutdown timeout in seconds (0 for immediate)")
+	rootCmd.AddCommand(stopCmd)
+}
+
+func runStop(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	_, err := loadRunningSandbox(cmd.Context(), name)
+	if err != nil {
+		return err
+	}
+
+	rt := getRuntime()
+	ctx := cmd.Context()
+
+	var stopErr error
+	if stopTimeout > 0 {
+		if gs, ok := rt.(runtime.GracefulStopper); ok {
+			logInfo("Stopping sandbox %s (timeout: %ds)...", name, stopTimeout)
+			stopErr = gs.GracefulStop(ctx, name, time.Duration(stopTimeout)*time.Second)
+		} else {
+			logInfo("Stopping sandbox %s...", name)
+			stopErr = rt.Stop(ctx, name)
+		}
+	} else {
+		logInfo("Stopping sandbox %s...", name)
+		stopErr = rt.Stop(ctx, name)
+	}
+
+	if stopErr != nil {
+		return errors.ContainerFailed("stop", stopErr)
+	}
+
+	auditLog := audit.NewLogger(paths().StateDir)
+	_ = auditLog.LogEvent(audit.EventStop, name, "")
+
+	logSuccess("Stopped sandbox %s", name)
+	return nil
+}
diff --git a/packages/forage-ctl/cmd/templates.go b/packages/forage-ctl/cmd/templates.go
new file mode 100644
index 0000000..568f7a3
--- /dev/null
+++ b/packages/forage-ctl/cmd/templates.go
@@ -0,0 +1,60 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+var templatesCmd = &cobra.Command{
+	Use:   "templates",
+	Short: "List available sandbox templates",
+	RunE:  runTemplates,
+}
+
+func init() {
+	rootCmd.AddCommand(templatesCmd)
+}
+
+func runTemplates(cmd *cobra.Command, args []string) error {
+	p := paths()
+
+	templates, err := config.ListTemplates(p.TemplatesDir)
+	if err != nil {
+		return fmt.Errorf("failed to list templates: %w", err)
+	}
+
+	if len(templates) == 0 {
+		logInfo("No templates found. Configure templates in your system configuration.")
+		return nil
+	}
+
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintln(w, "TEMPLATE\tAGENTS\tNETWORK\tDESCRIPTION")
+	fmt.Fprintln(w, "--------\t------\t-------\t-----------")
+
+	for _, t := range templates {
+		agents := make([]string, 0, len(t.Agents))
+		for name := range t.Agents {
+			agents = append(agents, name)
+		}
+		agentStr := strings.Join(agents, ",")
+		if agentStr == "" {
+			agentStr = "-"
+		}
+
+		network := t.Network
+		if network == "" {
+			network = "full"
+		}
+
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", t.Name, agentStr, network, t.Description)
+	}
+
+	return w.Flush()
+}
diff --git a/packages/forage-ctl/cmd/up.go b/packages/forage-ctl/cmd/up.go
new file mode 100644
index 0000000..e389615
--- /dev/null
+++ b/packages/forage-ctl/cmd/up.go
@@ -0,0 +1,141 @@
+package cmd
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+)
+
+var upCmd = &cobra.Command{
+	Use:   "up <name>",
+	Short: "Create and start a new sandbox",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runUp,
+}
+
+var (
+	upTemplate    string
+	upRepos       []string
+	upSSHKeys     []string
+	upNoMuxConfig bool
+	upDirect      bool
+	upGitUser     string
+	upGitEmail    string
+	upSSHKeyPath  string
+)
+
+func init() {
+	upCmd.Flags().StringVarP(&upTemplate, "template", "t", "", "Template to use (required)")
+	upCmd.Flags().StringArrayVarP(&upRepos, "repo", "r", nil, "Repository or directory path (repeatable; use name=path for named repos)")
+	upCmd.Flags().BoolVar(&upDirect, "direct", false, "Mount directory directly (skip VCS isolation)")
+	upCmd.Flags().StringArrayVar(&upSSHKeys, "ssh-key", nil, "SSH public key for sandbox access (can be repeated)")
+	upCmd.Flags().BoolVar(&upNoMuxConfig, "no-mux-config", false, "Don't mount host multiplexer config into sandbox")
+	upCmd.Flags().BoolVar(&upNoMuxConfig, "no-tmux-config", false, "Don't mount host multiplexer config into sandbox")
+	_ = upCmd.Flags().MarkDeprecated("no-tmux-config", "use --no-mux-config instead")
+	upCmd.Flags().StringVar(&upGitUser, "git-user", "", "Git user.name for agent commits")
+	upCmd.Flags().StringVar(&upGitEmail, "git-email", "", "Git user.email for agent commits")
+	upCmd.Flags().StringVar(&upSSHKeyPath, "ssh-key-path", "", "Path to SSH private key for agent push access")
+	if err := upCmd.MarkFlagRequired("template"); err != nil {
+		panic(err)
+	}
+	// --repo is no longer unconditionally required; templates with workspace.mounts
+	// may fully specify all mount sources without needing --repo.
+	rootCmd.AddCommand(upCmd)
+}
+
+func runUp(cmd *cobra.Command, args []string) error {
+	name := args[0]
+	ctx := cmd.Context()
+
+	// Validate sandbox name early
+	if err := config.ValidateSandboxName(name); err != nil {
+		return errors.New(errors.ExitGeneralError, err.Error())
+	}
+
+	logging.Debug("starting sandbox creation", "name", name, "template", upTemplate)
+
+	// Parse workspace mode from flags
+	opts, err := parseCreateOptions(name)
+	if err != nil {
+		return errors.New(errors.ExitGeneralError, err.Error())
+	}
+
+	// Create the sandbox using the sandbox package
+	creator, err := sandbox.NewCreator()
+	if err != nil {
+		return errors.ConfigError("failed to initialize", err)
+	}
+
+	logInfo("Creating sandbox %s...", name)
+
+	result, err := creator.Create(ctx, opts)
+	if err != nil {
+		return errors.New(errors.ExitGeneralError, err.Error())
+	}
+
+	for _, w := range result.CapabilityWarnings {
+		logWarning("  %s", w)
+	}
+
+	displayInitResult(result.InitResult)
+
+	logSuccess("Sandbox %s created", name)
+	fmt.Printf("  IP: %s\n", result.ContainerIP)
+	fmt.Printf("  Workspace: %s\n", result.Workspace)
+	fmt.Printf("  Connect: forage-ctl ssh %s\n", name)
+
+	return nil
+}
+
+// parseRepoFlags parses --repo flags into a default repo path and named repos map.
+// Formats:
+//   - --repo /path/to/repo          → default repo
+//   - --repo name=/path/to/repo     → named repo "name"
+func parseRepoFlags(repos []string) (defaultRepo string, namedRepos map[string]string, err error) {
+	namedRepos = make(map[string]string)
+	for _, r := range repos {
+		if idx := strings.IndexByte(r, '='); idx > 0 {
+			name := r[:idx]
+			path := r[idx+1:]
+			absPath, absErr := filepath.Abs(path)
+			if absErr != nil {
+				return "", nil, fmt.Errorf("invalid repo path for %q: %w", name, absErr)
+			}
+			namedRepos[name] = absPath
+		} else {
+			if defaultRepo != "" {
+				return "", nil, fmt.Errorf("multiple default repos specified; use name=path for additional repos")
+			}
+			defaultRepo = r
+		}
+	}
+	return defaultRepo, namedRepos, nil
+}
+
+// parseCreateOptions parses command flags into CreateOptions.
+func parseCreateOptions(name string) (sandbox.CreateOptions, error) {
+	defaultRepo, namedRepos, err := parseRepoFlags(upRepos)
+	if err != nil {
+		return sandbox.CreateOptions{}, err
+	}
+
+	return sandbox.CreateOptions{
+		Name:        name,
+		Template:    upTemplate,
+		RepoPath:    defaultRepo,
+		Repos:       namedRepos,
+		Direct:      upDirect,
+		SSHKeys:     upSSHKeys,
+		NoMuxConfig: upNoMuxConfig,
+		GitUser:     upGitUser,
+		GitEmail:    upGitEmail,
+		SSHKeyPath:  upSSHKeyPath,
+	}, nil
+}
diff --git a/packages/forage-ctl/default.nix b/packages/forage-ctl/default.nix
new file mode 100644
index 0000000..740428f
--- /dev/null
+++ b/packages/forage-ctl/default.nix
@@ -0,0 +1,34 @@
+{
+  lib,
+  buildGoModule,
+  git,
+  jujutsu,
+  goSrc,
+  goModRoot,
+}:
+
+buildGoModule {
+  pname = "forage-ctl";
+  version = "0.1.0";
+
+  src = goSrc;
+  modRoot = goModRoot;
+
+  vendorHash = "sha256-bMqCHxnDAHqzMlUVnRS8pjo6+XYfiD6WIRNwk0iEMwA=";
+
+  # Disable CGO for static build
+  env.CGO_ENABLED = "0";
+
+  # Tests shell out to git and jj for config parsing and workspace operations
+  nativeCheckInputs = [
+    git
+    jujutsu
+  ];
+
+  meta = with lib; {
+    description = "Firefly Forage sandbox management CLI";
+    homepage = "https://github.com/firefly-engineering/firefly-forage";
+    license = licenses.mit;
+    mainProgram = "forage-ctl";
+  };
+}
diff --git a/packages/forage-ctl/e2e/e2e_test.go b/packages/forage-ctl/e2e/e2e_test.go
new file mode 100644
index 0000000..232c60f
--- /dev/null
+++ b/packages/forage-ctl/e2e/e2e_test.go
@@ -0,0 +1,390 @@
+//go:build e2e
+
+package e2e
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(SetupSharedEnv(m))
+}
+
+func TestModuleSetup(t *testing.T) {
+	env := GetSharedEnv(t)
+
+	t.Run("forage-ctl installed", func(t *testing.T) {
+		t.Parallel()
+		AssertSuccess(t, env.Ctx(t), env.System, "forage-ctl is available", "which forage-ctl")
+	})
+
+	t.Run("directories", func(t *testing.T) {
+		t.Parallel()
+		dirs := []string{
+			"/var/lib/firefly-forage",
+			"/var/lib/firefly-forage/sandboxes",
+			"/var/lib/firefly-forage/workspaces",
+			"/etc/firefly-forage/templates",
+		}
+		for _, dir := range dirs {
+			AssertSuccess(t, env.Ctx(t), env.System, dir+" exists", "test -d "+dir)
+		}
+	})
+
+	t.Run("host config", func(t *testing.T) {
+		t.Parallel()
+		AssertSuccess(t, env.Ctx(t), env.System, "host config exists",
+			"test -f /etc/firefly-forage/config.json")
+		AssertOutputContains(t, env.Ctx(t), env.System, "host config has correct user",
+			`"user"`, "cat /etc/firefly-forage/config.json")
+	})
+
+	t.Run("template", func(t *testing.T) {
+		t.Parallel()
+		AssertSuccess(t, env.Ctx(t), env.System, "template JSON exists",
+			"test -f /etc/firefly-forage/templates/test.json")
+		AssertOutputContains(t, env.Ctx(t), env.System, "template has network config",
+			`"network"`, "cat /etc/firefly-forage/templates/test.json")
+	})
+
+	t.Run("systemd mutable dir", func(t *testing.T) {
+		t.Parallel()
+		AssertSuccess(t, env.Ctx(t), env.System, "mutable services dir exists", "test -d /etc/systemd-mutable/system")
+	})
+
+	t.Run("secrets directory", func(t *testing.T) {
+		t.Parallel()
+		AssertSuccess(t, env.Ctx(t), env.System, "secrets directory exists", "test -d /run/forage-secrets")
+	})
+
+	t.Run("templates command", func(t *testing.T) {
+		t.Parallel()
+		AssertOutputContains(t, env.Ctx(t), env.System, "templates lists test template",
+			"test", "forage-ctl templates")
+		AssertOutputContains(t, env.Ctx(t), env.System, "templates shows agent name",
+			"test-agent", "forage-ctl templates")
+	})
+}
+
+func TestSandboxLifecycle(t *testing.T) {
+	env := GetSharedEnv(t)
+
+	// Clean up any stale sandboxes
+	env.System.ForageCtl(env.Ctx(t), "down", "e2e-test")
+
+	// Create test repository
+	env.InitGitRepo(t, "/tmp/e2e-project", map[string]string{
+		"README.md": "# E2E Test Project",
+	})
+
+	// === forage-ctl up ===
+	t.Log("running forage-ctl up...")
+	env.MustRun(t, "forage-ctl up e2e-test -t test --repo /tmp/e2e-project --direct > /tmp/forage-up.log 2>&1")
+	t.Cleanup(func() {
+		env.System.ForageCtl(env.Ctx(t), "down", "e2e-test")
+	})
+
+	// Wait for sandbox
+	containerIP := "10.100.1.2"
+	env.WaitForSandbox(t, containerIP, 60*time.Second)
+
+	// Connect to sandbox (ssh.Client is safe for concurrent use)
+	sb := env.ConnectSandbox(t, "e2e-test", containerIP)
+
+	// Phase 1: All read-only checks run in parallel.
+	// The "verify" subtest blocks until every parallel child finishes,
+	// ensuring destructive operations below don't start early.
+	t.Run("verify", func(t *testing.T) {
+		t.Run("connectivity", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxSuccess(t, env.Ctx(t), sb, "can run commands in sandbox", "true")
+		})
+
+		t.Run("workspace", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxOutputContains(t, env.Ctx(t), sb, "workspace has README",
+				"E2E Test Project", "cat /workspace/README.md")
+		})
+
+		t.Run("forage metadata", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxOutputContains(t, env.Ctx(t), sb, "forage.json has sandbox name",
+				"e2e-test", "cat /etc/forage.json")
+		})
+
+		t.Run("packages", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxSuccess(t, env.Ctx(t), sb, "git is available", "which git")
+			AssertSandboxSuccess(t, env.Ctx(t), sb, "jj is available", "which jj")
+			AssertSandboxSuccess(t, env.Ctx(t), sb, "tmux is available", "which tmux")
+		})
+
+		t.Run("vcs", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxOutputContains(t, env.Ctx(t), sb, "git log works",
+				"Initial commit", "cd /workspace && git log --oneline -1")
+			// Note: jj init is skipped here because it mutates workspace state.
+			// It was tested in the original sequential flow but is not safe to
+			// run concurrently with other read-only workspace checks.
+		})
+
+		t.Run("secrets", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxOutputContains(t, env.Ctx(t), sb, "secret file mounted",
+				"test-api-key-e2e", "cat /run/secrets/test-secret")
+			// Note: auth env var (TEST_KEY) is only set for recognized agent
+			// types (e.g. "claude"). The generic "test-agent" doesn't get
+			// env var injection, so we only verify file-level access here.
+		})
+
+		t.Run("network-none", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxFailure(t, env.Ctx(t), sb, "outbound ping blocked",
+				"ping -c 1 -W 2 8.8.8.8")
+		})
+
+		t.Run("audit-log", func(t *testing.T) {
+			t.Parallel()
+			AssertOutputContains(t, env.Ctx(t), env.System, "audit log has create event",
+				"create", "forage-ctl audit-log e2e-test")
+		})
+
+		t.Run("status", func(t *testing.T) {
+			t.Parallel()
+			AssertOutputContains(t, env.Ctx(t), env.System, "status shows container healthy",
+				"Container:", "forage-ctl status e2e-test")
+		})
+
+		t.Run("ps", func(t *testing.T) {
+			t.Parallel()
+			AssertOutputContains(t, env.Ctx(t), env.System, "ps shows sandbox",
+				"e2e-test", "forage-ctl ps")
+		})
+	})
+
+	// Phase 2: Sequential operations that mutate state
+
+	t.Run("file sync", func(t *testing.T) {
+		AssertSandboxSuccess(t, env.Ctx(t), sb, "can create files in workspace",
+			"echo hello-from-sandbox > /workspace/sandbox-created.txt")
+
+		// Verify file visible on host
+		AssertSuccess(t, env.Ctx(t), env.System, "file visible on host",
+			"test -f /tmp/e2e-project/sandbox-created.txt")
+		AssertOutputContains(t, env.Ctx(t), env.System, "content matches",
+			"hello-from-sandbox", "cat /tmp/e2e-project/sandbox-created.txt")
+	})
+
+	t.Run("jj init", func(t *testing.T) {
+		AssertSandboxSuccess(t, env.Ctx(t), sb, "jj init works",
+			"cd /workspace && jj git init --colocate 2>&1")
+		AssertSandboxSuccess(t, env.Ctx(t), sb, "jj log works after init",
+			"cd /workspace && jj log --no-graph -r @ -T description 2>&1")
+	})
+
+	// Phase 3: Destructive operations (stop/start, reset, down)
+
+	t.Run("stop-start", func(t *testing.T) {
+		// Close old sandbox connection before stopping
+		sb.Close()
+
+		t.Log("stopping sandbox...")
+		AssertSuccess(t, env.Ctx(t), env.System, "forage-ctl stop succeeds",
+			"forage-ctl stop e2e-test")
+
+		// Verify status shows container not running (✗ = not running)
+		AssertOutputContains(t, env.Ctx(t), env.System, "status shows container down after stop",
+			"Container: ✗", "forage-ctl status e2e-test 2>&1 || true")
+
+		t.Log("starting sandbox...")
+		AssertSuccess(t, env.Ctx(t), env.System, "forage-ctl start succeeds",
+			"forage-ctl start e2e-test")
+
+		// Wait for sandbox to be reachable again
+		env.WaitForSandbox(t, containerIP, 60*time.Second)
+
+		// Reconnect and verify workspace survived the stop/start cycle
+		sbAfter := env.ConnectSandbox(t, "e2e-test", containerIP)
+		AssertSandboxOutputContains(t, env.Ctx(t), sbAfter, "workspace intact after stop/start",
+			"E2E Test Project", "cat /workspace/README.md")
+		sbAfter.Close()
+	})
+
+	t.Run("reset", func(t *testing.T) {
+		// Create a file outside /workspace (ephemeral container state)
+		sbPre := env.ConnectSandbox(t, "e2e-test", containerIP)
+		AssertSandboxSuccess(t, env.Ctx(t), sbPre, "create ephemeral file",
+			"touch /tmp/ephemeral-marker")
+		sbPre.Close()
+
+		t.Log("resetting sandbox...")
+		AssertSuccess(t, env.Ctx(t), env.System, "forage-ctl reset succeeds",
+			"forage-ctl reset e2e-test")
+
+		// Wait for sandbox to be reachable after reset
+		env.WaitForSandbox(t, containerIP, 60*time.Second)
+
+		// Verify ephemeral state is gone but workspace persists
+		sbPost := env.ConnectSandbox(t, "e2e-test", containerIP)
+		AssertSandboxFailure(t, env.Ctx(t), sbPost, "ephemeral file gone after reset",
+			"test -f /tmp/ephemeral-marker")
+		AssertSandboxOutputContains(t, env.Ctx(t), sbPost, "workspace intact after reset",
+			"E2E Test Project", "cat /workspace/README.md")
+		sbPost.Close()
+	})
+
+	t.Run("down", func(t *testing.T) {
+		t.Log("running forage-ctl down...")
+		AssertSuccess(t, env.Ctx(t), env.System, "forage-ctl down succeeds",
+			"forage-ctl down e2e-test")
+		AssertFailure(t, env.Ctx(t), env.System, "sandbox no longer exists after down",
+			"forage-ctl status e2e-test")
+
+		// Verify cleanup: metadata and secrets removed
+		AssertFailure(t, env.Ctx(t), env.System, "metadata file removed",
+			"test -f /var/lib/firefly-forage/sandboxes/e2e-test.json")
+		AssertFailure(t, env.Ctx(t), env.System, "nix config file removed",
+			"test -f /var/lib/firefly-forage/sandboxes/e2e-test.nix")
+		AssertFailure(t, env.Ctx(t), env.System, "secrets directory removed",
+			"test -d /run/forage-secrets/e2e-test")
+	})
+}
+
+func TestMultipleSandboxes(t *testing.T) {
+	env := GetSharedEnv(t)
+
+	// Clean up any stale sandboxes
+	env.System.ForageCtl(env.Ctx(t), "down", "e2e-multi-a")
+	env.System.ForageCtl(env.Ctx(t), "down", "e2e-multi-b")
+
+	// Create two separate project directories
+	env.InitGitRepo(t, "/tmp/e2e-project-a", map[string]string{
+		"README.md": "# Project A",
+	})
+	env.InitGitRepo(t, "/tmp/e2e-project-b", map[string]string{
+		"README.md": "# Project B",
+	})
+
+	// Start both sandboxes in parallel (slot allocation is serialized by the sandbox lock)
+	t.Cleanup(func() {
+		env.System.ForageCtl(env.Ctx(t), "down", "e2e-multi-a")
+		env.System.ForageCtl(env.Ctx(t), "down", "e2e-multi-b")
+	})
+
+	var wg sync.WaitGroup
+	var errA, errB error
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		ctx, cancel := context.WithTimeout(env.Ctx(t), 2*time.Minute)
+		defer cancel()
+		_, errA = env.System.Run(ctx, "forage-ctl up e2e-multi-a -t test --repo /tmp/e2e-project-a --direct > /tmp/forage-multi-a.log 2>&1")
+	}()
+	go func() {
+		defer wg.Done()
+		ctx, cancel := context.WithTimeout(env.Ctx(t), 2*time.Minute)
+		defer cancel()
+		_, errB = env.System.Run(ctx, "forage-ctl up e2e-multi-b -t test --repo /tmp/e2e-project-b --direct > /tmp/forage-multi-b.log 2>&1")
+	}()
+	wg.Wait()
+	if errA != nil {
+		t.Fatalf("sandbox A creation failed: %v", errA)
+	}
+	if errB != nil {
+		t.Fatalf("sandbox B creation failed: %v", errB)
+	}
+
+	// Look up IPs from metadata (slot assignment is non-deterministic with parallel creation)
+	ipA := sandboxIP(t, env, "e2e-multi-a")
+	ipB := sandboxIP(t, env, "e2e-multi-b")
+
+	env.WaitForSandbox(t, ipA, 60*time.Second)
+	env.WaitForSandbox(t, ipB, 60*time.Second)
+
+	sbA := env.ConnectSandbox(t, "e2e-multi-a", ipA)
+	sbB := env.ConnectSandbox(t, "e2e-multi-b", ipB)
+
+	// All verification subtests run in parallel
+	t.Run("verify", func(t *testing.T) {
+		t.Run("sandbox A has correct project", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxOutputContains(t, env.Ctx(t), sbA, "sandbox A has project-a README",
+				"Project A", "cat /workspace/README.md")
+		})
+
+		t.Run("sandbox B has correct project", func(t *testing.T) {
+			t.Parallel()
+			AssertSandboxOutputContains(t, env.Ctx(t), sbB, "sandbox B has project-b README",
+				"Project B", "cat /workspace/README.md")
+		})
+
+		t.Run("ps shows both", func(t *testing.T) {
+			t.Parallel()
+			AssertOutputContains(t, env.Ctx(t), env.System, "ps shows sandbox A",
+				"e2e-multi-a", "forage-ctl ps")
+			AssertOutputContains(t, env.Ctx(t), env.System, "ps shows sandbox B",
+				"e2e-multi-b", "forage-ctl ps")
+		})
+	})
+}
+
+func TestGarbageCollection(t *testing.T) {
+	env := GetSharedEnv(t)
+
+	// Clean up any stale sandbox
+	env.System.ForageCtl(env.Ctx(t), "down", "e2e-gc")
+
+	// Create a sandbox
+	env.InitGitRepo(t, "/tmp/e2e-gc-project", map[string]string{
+		"README.md": "# GC Test",
+	})
+
+	t.Log("creating sandbox for gc test...")
+	env.MustRun(t, "forage-ctl up e2e-gc -t test --repo /tmp/e2e-gc-project --direct > /tmp/forage-gc.log 2>&1")
+
+	// Dry run: should report no orphans (sandbox is running)
+	t.Run("dry-run-clean", func(t *testing.T) {
+		AssertOutputContains(t, env.Ctx(t), env.System, "gc dry run reports clean",
+			"No orphaned resources", "forage-ctl gc")
+	})
+
+	// Tear down the sandbox
+	t.Log("tearing down sandbox for gc test...")
+	env.MustRun(t, "forage-ctl down e2e-gc")
+
+	// Create an orphaned metadata file (simulates incomplete cleanup)
+	env.MustRun(t, `echo '{"name":"e2e-orphan"}' > /var/lib/firefly-forage/sandboxes/e2e-orphan.json`)
+
+	// Dry run: should detect the orphan
+	t.Run("dry-run-detects-orphan", func(t *testing.T) {
+		AssertOutputContains(t, env.Ctx(t), env.System, "gc dry run detects orphaned file",
+			"e2e-orphan", "forage-ctl gc")
+	})
+
+	// Force: should clean up the orphan
+	t.Run("force-cleans-orphan", func(t *testing.T) {
+		AssertSuccess(t, env.Ctx(t), env.System, "gc force succeeds",
+			"forage-ctl gc --force")
+		AssertFailure(t, env.Ctx(t), env.System, "orphaned file removed",
+			"test -f /var/lib/firefly-forage/sandboxes/e2e-orphan.json")
+	})
+}
+
+// sandboxIP reads the networkSlot from sandbox metadata and returns the container IP.
+func sandboxIP(t *testing.T, env *TestEnv, name string) string {
+	t.Helper()
+	// Use grep+sed instead of jq since the VM may not have jq installed
+	cmd := fmt.Sprintf(`grep -o '"networkSlot": *[0-9]*' /var/lib/firefly-forage/sandboxes/%s.json | grep -o '[0-9]*$'`, name)
+	output, err := env.System.Run(env.Ctx(t), cmd)
+	if err != nil {
+		t.Fatalf("failed to read networkSlot for %s: %v", name, err)
+	}
+	slot := strings.TrimSpace(output)
+	return fmt.Sprintf("10.100.%s.2", slot)
+}
diff --git a/packages/forage-ctl/e2e/local.go b/packages/forage-ctl/e2e/local.go
new file mode 100644
index 0000000..3ca0536
--- /dev/null
+++ b/packages/forage-ctl/e2e/local.go
@@ -0,0 +1,97 @@
+//go:build e2e
+
+package e2e
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"golang.org/x/crypto/ssh"
+
+	"go.opentelemetry.io/otel/attribute"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+// LocalSystem runs commands on the local machine via os/exec.
+// Useful for testing against a real NixOS host without the VM layer.
+type LocalSystem struct {
+	sshKeyPath string
+}
+
+// NewLocalSystem creates a LocalSystem.
+func NewLocalSystem(sshKeyPath string) *LocalSystem {
+	return &LocalSystem{sshKeyPath: sshKeyPath}
+}
+
+// Run executes a shell command locally.
+func (l *LocalSystem) Run(ctx context.Context, cmd string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "local.exec",
+		telemetry.WithAttr(attribute.String("cmd", cmd)))
+	defer span.End()
+
+	// Propagate trace context + OTEL config to child processes
+	cmd = telemetry.EnvPrefix(ctx) + cmd
+
+	c := exec.CommandContext(ctx, "bash", "-c", cmd)
+	output, err := c.CombinedOutput()
+	if err != nil {
+		return string(output), fmt.Errorf("local exec %q: %w\noutput: %s", cmd, err, output)
+	}
+	return string(output), nil
+}
+
+// ForageCtl runs forage-ctl with the given arguments locally.
+func (l *LocalSystem) ForageCtl(ctx context.Context, args ...string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "local.forage-ctl",
+		telemetry.WithAttr(attribute.String("args", strings.Join(args, " "))))
+	defer span.End()
+
+	c := exec.CommandContext(ctx, "forage-ctl", args...)
+	if extra := telemetry.PropagationEnv(ctx); len(extra) > 0 {
+		c.Env = append(os.Environ(), extra...)
+	}
+	output, err := c.CombinedOutput()
+	if err != nil {
+		return string(output), fmt.Errorf("forage-ctl %s: %w\noutput: %s", strings.Join(args, " "), err, output)
+	}
+	return string(output), nil
+}
+
+// DialSandbox opens a direct SSH connection to a sandbox container.
+func (l *LocalSystem) DialSandbox(ctx context.Context, ip string) (*SandboxConn, error) {
+	keyData, err := os.ReadFile(l.sshKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("read ssh key: %w", err)
+	}
+	signer, err := ssh.ParsePrivateKey(keyData)
+	if err != nil {
+		return nil, fmt.Errorf("parse ssh key: %w", err)
+	}
+
+	config := &ssh.ClientConfig{
+		User: "agent",
+		Auth: []ssh.AuthMethod{
+			ssh.PublicKeys(signer),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		Timeout:         10 * time.Second,
+	}
+
+	addr := ip + ":22"
+	client, err := ssh.Dial("tcp", addr, config)
+	if err != nil {
+		return nil, fmt.Errorf("ssh dial %s: %w", addr, err)
+	}
+
+	return &SandboxConn{client: client, ip: ip}, nil
+}
+
+// Close is a no-op for LocalSystem.
+func (l *LocalSystem) Close() error {
+	return nil
+}
diff --git a/packages/forage-ctl/e2e/registry.go b/packages/forage-ctl/e2e/registry.go
new file mode 100644
index 0000000..0a984db
--- /dev/null
+++ b/packages/forage-ctl/e2e/registry.go
@@ -0,0 +1,149 @@
+//go:build e2e
+
+package e2e
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"syscall"
+	"time"
+)
+
+// VMInfo holds metadata about a running E2E VM.
+type VMInfo struct {
+	ID        string    `json:"id"`
+	PID       int       `json:"pid"`
+	SSHPort   int       `json:"ssh_port"`
+	StartTime time.Time `json:"start_time"`
+	TmpDir    string    `json:"tmp_dir"`
+	GitBranch string    `json:"git_branch,omitempty"`
+}
+
+// registryDir returns the directory for VM state files.
+func registryDir() string {
+	if dir := os.Getenv("XDG_RUNTIME_DIR"); dir != "" {
+		return filepath.Join(dir, "forage-e2e")
+	}
+	return fmt.Sprintf("/tmp/forage-e2e-vms-%d", os.Getuid())
+}
+
+// Register records a running VM in the registry.
+func Register(info VMInfo) error {
+	dir := registryDir()
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return err
+	}
+
+	data, err := json.MarshalIndent(info, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(filepath.Join(dir, info.ID+".json"), data, 0600)
+}
+
+// Deregister removes a VM from the registry.
+func Deregister(id string) {
+	os.Remove(filepath.Join(registryDir(), id+".json"))
+}
+
+// ListVMs returns all registered VMs, garbage-collecting stale entries.
+func ListVMs() ([]VMInfo, error) {
+	dir := registryDir()
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	var vms []VMInfo
+	for _, entry := range entries {
+		if filepath.Ext(entry.Name()) != ".json" {
+			continue
+		}
+
+		data, err := os.ReadFile(filepath.Join(dir, entry.Name()))
+		if err != nil {
+			continue
+		}
+
+		var info VMInfo
+		if err := json.Unmarshal(data, &info); err != nil {
+			continue
+		}
+
+		// Check if process is still alive
+		proc, err := os.FindProcess(info.PID)
+		if err != nil {
+			// Process doesn't exist, clean up stale entry
+			os.Remove(filepath.Join(dir, entry.Name()))
+			continue
+		}
+
+		if err := proc.Signal(syscall.Signal(0)); err != nil {
+			// Process is dead, clean up stale entry
+			os.Remove(filepath.Join(dir, entry.Name()))
+			continue
+		}
+
+		vms = append(vms, info)
+	}
+
+	return vms, nil
+}
+
+// KillVM terminates a VM by its registry ID.
+func KillVM(id string) error {
+	dir := registryDir()
+	data, err := os.ReadFile(filepath.Join(dir, id+".json"))
+	if err != nil {
+		return fmt.Errorf("vm %s not found in registry: %w", id, err)
+	}
+
+	var info VMInfo
+	if err := json.Unmarshal(data, &info); err != nil {
+		return fmt.Errorf("parse registry entry: %w", err)
+	}
+
+	proc, err := os.FindProcess(info.PID)
+	if err != nil {
+		Deregister(id)
+		return fmt.Errorf("process %d not found: %w", info.PID, err)
+	}
+
+	// SIGTERM first
+	log.Printf("sending SIGTERM to VM %s (PID %d)", id, info.PID)
+	if err := proc.Signal(syscall.SIGTERM); err != nil {
+		Deregister(id)
+		return fmt.Errorf("sigterm: %w", err)
+	}
+
+	// Wait up to 15s
+	deadline := time.Now().Add(15 * time.Second)
+	for time.Now().Before(deadline) {
+		if err := proc.Signal(syscall.Signal(0)); err != nil {
+			break // Process exited
+		}
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	// SIGKILL if still alive
+	if err := proc.Signal(syscall.Signal(0)); err == nil {
+		log.Printf("VM %s did not exit, sending SIGKILL", id)
+		proc.Signal(syscall.SIGKILL)
+		time.Sleep(time.Second)
+	}
+
+	// Clean up tmpdir
+	if info.TmpDir != "" {
+		os.RemoveAll(info.TmpDir)
+	}
+
+	Deregister(id)
+	return nil
+}
diff --git a/packages/forage-ctl/e2e/system.go b/packages/forage-ctl/e2e/system.go
new file mode 100644
index 0000000..9971a9b
--- /dev/null
+++ b/packages/forage-ctl/e2e/system.go
@@ -0,0 +1,80 @@
+//go:build e2e
+
+// Package e2e provides end-to-end testing infrastructure for Firefly Forage.
+//
+// Tests boot a QEMU VM with the forage NixOS module configured, run forage-ctl
+// commands via SSH, and verify sandbox lifecycle behavior. The System interface
+// abstracts command execution so the same test scenarios work against a VM or
+// the local machine.
+package e2e
+
+import (
+	"context"
+	"fmt"
+
+	"golang.org/x/crypto/ssh"
+
+	"go.opentelemetry.io/otel/attribute"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+// System represents a host where forage-ctl and sandbox containers run.
+// Tests use this interface exclusively and never reference VM/SSH details.
+type System interface {
+	// Run executes a shell command and returns combined stdout+stderr.
+	Run(ctx context.Context, cmd string) (string, error)
+
+	// ForageCtl runs forage-ctl with the given arguments.
+	ForageCtl(ctx context.Context, args ...string) (string, error)
+
+	// DialSandbox opens an SSH connection to a sandbox container.
+	DialSandbox(ctx context.Context, ip string) (*SandboxConn, error)
+
+	// Close shuts down the system and releases resources.
+	Close() error
+}
+
+// SandboxConn wraps an SSH connection to a sandbox container.
+type SandboxConn struct {
+	client *ssh.Client
+	ip     string
+}
+
+// Run executes a command inside the sandbox container.
+func (s *SandboxConn) Run(ctx context.Context, cmd string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "sandbox.exec",
+		telemetry.WithAttr(attribute.String("cmd", cmd)))
+	defer span.End()
+
+	session, err := s.client.NewSession()
+	if err != nil {
+		return "", fmt.Errorf("new session: %w", err)
+	}
+	defer session.Close()
+
+	done := make(chan struct{})
+	var output []byte
+	var runErr error
+
+	go func() {
+		output, runErr = session.CombinedOutput(cmd)
+		close(done)
+	}()
+
+	select {
+	case <-ctx.Done():
+		session.Signal(ssh.SIGKILL)
+		return "", ctx.Err()
+	case <-done:
+		if runErr != nil {
+			return string(output), fmt.Errorf("sandbox exec %q: %w\noutput: %s", cmd, runErr, output)
+		}
+		return string(output), nil
+	}
+}
+
+// Close terminates the SSH connection.
+func (s *SandboxConn) Close() error {
+	return s.client.Close()
+}
diff --git a/packages/forage-ctl/e2e/testenv.go b/packages/forage-ctl/e2e/testenv.go
new file mode 100644
index 0000000..c662ee2
--- /dev/null
+++ b/packages/forage-ctl/e2e/testenv.go
@@ -0,0 +1,350 @@
+//go:build e2e
+
+package e2e
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+// sharedEnv holds the singleton test environment shared across all tests.
+var sharedEnv *TestEnv
+
+// TestEnv ties a System to testing.T for convenient test helpers.
+type TestEnv struct {
+	System  System
+	rootCtx context.Context
+
+	mu       sync.Mutex
+	testCtxs map[*testing.T]context.Context
+}
+
+// Ctx returns a context for the given test, creating a per-test span
+// on first call. The span is ended automatically via t.Cleanup.
+// All operations within a test should derive from this context so
+// that spans form a single trace: root → test → operations.
+func (e *TestEnv) Ctx(t *testing.T) context.Context {
+	t.Helper()
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	if ctx, ok := e.testCtxs[t]; ok {
+		return ctx
+	}
+
+	ctx, span := telemetry.Start(e.rootCtx, "test."+t.Name())
+	t.Cleanup(func() {
+		if t.Failed() {
+			span.SetStatus(codes.Error, "test failed")
+		}
+		span.End()
+
+		e.mu.Lock()
+		delete(e.testCtxs, t)
+		e.mu.Unlock()
+	})
+
+	e.testCtxs[t] = ctx
+	return ctx
+}
+
+// SetupSharedEnv initializes the shared test environment based on env vars:
+//   - E2E_VM set → VM mode (boot QEMU, run tests via SSH)
+//   - E2E_LOCAL=1 → Local mode (run tests against current machine)
+//   - Neither set → skip all E2E tests gracefully (return 0)
+func SetupSharedEnv(m *testing.M) int {
+	ctx := context.Background()
+	shutdown, err := telemetry.Init(ctx, "forage-e2e")
+	if err != nil {
+		log.Printf("telemetry init: %v", err)
+	}
+
+	ctx, rootSpan := telemetry.Start(ctx, "e2e.run")
+
+	// run executes the test suite and returns the exit code.
+	// Separated so we can explicitly end the root span and flush
+	// the exporter before os.Exit kills the process.
+	code := setupAndRun(ctx, m)
+
+	rootSpan.End()
+	shutdown()
+	return code
+}
+
+func setupAndRun(ctx context.Context, m *testing.M) int {
+	if vmScript := os.Getenv("E2E_VM"); vmScript != "" {
+		// VM mode (existing behavior)
+		sshKey := os.Getenv("E2E_SSH_KEY")
+		if sshKey == "" {
+			log.Fatal("E2E_SSH_KEY not set.")
+		}
+
+		sys, err := NewVMSystem(ctx, VMConfig{
+			VMScript:    vmScript,
+			SSHKeyPath:  sshKey,
+			BootTimeout: 5 * time.Minute,
+		})
+		if err != nil {
+			log.Fatalf("failed to boot VM: %v", err)
+		}
+
+		sharedEnv = &TestEnv{
+			System:   sys,
+			rootCtx:  ctx,
+			testCtxs: make(map[*testing.T]context.Context),
+		}
+		code := m.Run()
+		sys.Close()
+		return code
+	}
+
+	if os.Getenv("E2E_LOCAL") != "" {
+		// Local mode: run against current machine
+		sshKey := os.Getenv("E2E_SSH_KEY")
+		if sshKey == "" {
+			sshKey = "/etc/firefly-forage/ssh-key"
+		}
+
+		sharedEnv = &TestEnv{
+			System:   NewLocalSystem(sshKey),
+			rootCtx:  ctx,
+			testCtxs: make(map[*testing.T]context.Context),
+		}
+		code := m.Run()
+		sharedEnv.System.Close()
+		return code
+	}
+
+	// No mode set: skip gracefully
+	log.Println("E2E_VM and E2E_LOCAL not set; skipping E2E tests")
+	return 0
+}
+
+// GetSharedEnv returns the shared TestEnv, or skips the test if no
+// environment was configured (neither E2E_VM nor E2E_LOCAL set).
+func GetSharedEnv(t *testing.T) *TestEnv {
+	t.Helper()
+	if sharedEnv == nil {
+		t.Skip("E2E environment not configured; set E2E_VM or E2E_LOCAL")
+	}
+	return sharedEnv
+}
+
+// MustRun executes a command and fails the test if it errors.
+func (e *TestEnv) MustRun(t *testing.T, cmd string) string {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(e.Ctx(t), 2*time.Minute)
+	defer cancel()
+
+	output, err := e.System.Run(ctx, cmd)
+	if err != nil {
+		t.Fatalf("command failed: %s\nerror: %v", cmd, err)
+	}
+	return output
+}
+
+// MustForageCtl runs forage-ctl and fails the test if it errors.
+func (e *TestEnv) MustForageCtl(t *testing.T, args ...string) string {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(e.Ctx(t), 5*time.Minute)
+	defer cancel()
+
+	output, err := e.System.ForageCtl(ctx, args...)
+	if err != nil {
+		t.Fatalf("forage-ctl %s failed: %v", strings.Join(args, " "), err)
+	}
+	return output
+}
+
+// InitGitRepo creates a git repository in the VM with the given files.
+func (e *TestEnv) InitGitRepo(t *testing.T, path string, files map[string]string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(e.Ctx(t), 30*time.Second)
+	defer cancel()
+
+	// Remove any existing directory and create fresh
+	cmd := fmt.Sprintf("rm -rf %s && mkdir -p %s && cd %s && git init -q", path, path, path)
+	if _, err := e.System.Run(ctx, cmd); err != nil {
+		t.Fatalf("init git repo: %v", err)
+	}
+
+	// Write files
+	for name, content := range files {
+		dir := fmt.Sprintf("%s/%s", path, name)
+		// Ensure parent directory exists
+		if strings.Contains(name, "/") {
+			parentDir := dir[:strings.LastIndex(dir, "/")]
+			e.System.Run(ctx, fmt.Sprintf("mkdir -p %s", parentDir))
+		}
+		// Use printf to handle special characters safely
+		writeCmd := fmt.Sprintf("printf '%%s' %q > %s/%s", content, path, name)
+		if _, err := e.System.Run(ctx, writeCmd); err != nil {
+			t.Fatalf("write file %s: %v", name, err)
+		}
+	}
+
+	// Commit
+	commitCmd := fmt.Sprintf("cd %s && git add . && git commit -q -m 'Initial commit' && chown -R 1000:100 %s", path, path)
+	if _, err := e.System.Run(ctx, commitCmd); err != nil {
+		t.Fatalf("git commit: %v", err)
+	}
+}
+
+// WaitForSandbox waits for a sandbox to become SSH-reachable.
+func (e *TestEnv) WaitForSandbox(t *testing.T, ip string, timeout time.Duration) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(e.Ctx(t), timeout)
+	defer cancel()
+	ctx, span := telemetry.Start(ctx, "e2e.wait-for-sandbox",
+		telemetry.WithAttr(attribute.String("sandbox.ip", ip)))
+	defer span.End()
+
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		conn, err := e.System.DialSandbox(ctx, ip)
+		if err == nil {
+			// Try running a command
+			_, err = conn.Run(ctx, "true")
+			conn.Close()
+			if err == nil {
+				t.Logf("sandbox %s ready", ip)
+				return
+			}
+		}
+		time.Sleep(time.Second)
+	}
+
+	// Diagnostics on failure
+	t.Logf("sandbox at %s not ready after %v, running diagnostics...", ip, timeout)
+	diagCtx, diagCancel := context.WithTimeout(e.Ctx(t), 10*time.Second)
+	defer diagCancel()
+	if out, err := e.System.Run(diagCtx, "machinectl list"); err == nil {
+		t.Logf("machinectl list:\n%s", out)
+	}
+	if out, err := e.System.Run(diagCtx, "forage-ctl ps"); err == nil {
+		t.Logf("forage-ctl ps:\n%s", out)
+	}
+	if out, err := e.System.Run(diagCtx, fmt.Sprintf("ping -c 1 -W 2 %s", ip)); err == nil {
+		t.Logf("ping:\n%s", out)
+	}
+
+	t.Fatalf("sandbox %s did not become ready within %v", ip, timeout)
+}
+
+// ConnectSandbox connects to a sandbox and registers cleanup.
+func (e *TestEnv) ConnectSandbox(t *testing.T, name, ip string) *SandboxConn {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(e.Ctx(t), 10*time.Second)
+	defer cancel()
+
+	conn, err := e.System.DialSandbox(ctx, ip)
+	if err != nil {
+		t.Fatalf("connect to sandbox %s (%s): %v", name, ip, err)
+	}
+	t.Cleanup(func() { conn.Close() })
+	return conn
+}
+
+// Assertion helpers that use testing.T for proper failure reporting.
+// All accept a context.Context to propagate trace context.
+
+// AssertSuccess asserts that a command succeeds in the system.
+func AssertSuccess(t *testing.T, ctx context.Context, sys System, desc, cmd string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+	defer cancel()
+
+	if _, err := sys.Run(ctx, cmd); err != nil {
+		t.Errorf("%s: %v", desc, err)
+	}
+}
+
+// AssertFailure asserts that a command fails in the system.
+func AssertFailure(t *testing.T, ctx context.Context, sys System, desc, cmd string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	if _, err := sys.Run(ctx, cmd); err == nil {
+		t.Errorf("%s: expected failure but succeeded", desc)
+	}
+}
+
+// AssertOutputContains asserts that a command's output contains expected string.
+func AssertOutputContains(t *testing.T, ctx context.Context, sys System, desc, expected, cmd string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+	defer cancel()
+
+	output, err := sys.Run(ctx, cmd)
+	// Allow non-zero exit codes; we only care about output content
+	if err != nil {
+		// Extract output from error if the command itself produced output
+		output = extractOutput(output, err)
+	}
+	if !strings.Contains(output, expected) {
+		t.Errorf("%s: output does not contain %q\nactual: %s", desc, expected, output)
+	}
+}
+
+// AssertSandboxSuccess asserts that a command succeeds in a sandbox.
+func AssertSandboxSuccess(t *testing.T, ctx context.Context, sb *SandboxConn, desc, cmd string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	if _, err := sb.Run(ctx, cmd); err != nil {
+		t.Errorf("%s: %v", desc, err)
+	}
+}
+
+// AssertSandboxFailure asserts that a command fails in a sandbox.
+func AssertSandboxFailure(t *testing.T, ctx context.Context, sb *SandboxConn, desc, cmd string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	if _, err := sb.Run(ctx, cmd); err == nil {
+		t.Errorf("%s: expected failure but succeeded", desc)
+	}
+}
+
+// AssertSandboxOutputContains asserts sandbox command output contains expected string.
+func AssertSandboxOutputContains(t *testing.T, ctx context.Context, sb *SandboxConn, desc, expected, cmd string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	output, err := sb.Run(ctx, cmd)
+	if err != nil {
+		output = extractOutput(output, err)
+	}
+	if !strings.Contains(output, expected) {
+		t.Errorf("%s: output does not contain %q\nactual: %s", desc, expected, output)
+	}
+}
+
+// extractOutput extracts any output from an error message or returns the
+// original output. Commands may exit non-zero but still produce useful output.
+func extractOutput(output string, err error) string {
+	if output != "" {
+		return output
+	}
+	// Try to extract output from the error string
+	errStr := err.Error()
+	if idx := strings.Index(errStr, "\noutput: "); idx >= 0 {
+		return errStr[idx+len("\noutput: "):]
+	}
+	return errStr
+}
diff --git a/packages/forage-ctl/e2e/vm.go b/packages/forage-ctl/e2e/vm.go
new file mode 100644
index 0000000..29a7bc9
--- /dev/null
+++ b/packages/forage-ctl/e2e/vm.go
@@ -0,0 +1,385 @@
+//go:build e2e
+
+package e2e
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"golang.org/x/crypto/ssh"
+
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+// VMConfig configures the QEMU VM for testing.
+type VMConfig struct {
+	// VMScript is the path to the QEMU VM run script (from nix build).
+	VMScript string
+	// SSHKeyPath is the path to the SSH private key for connecting to the VM.
+	SSHKeyPath string
+	// BootTimeout is how long to wait for the VM to boot and SSH to become ready.
+	BootTimeout time.Duration
+}
+
+// VMSystem boots a QEMU VM and connects via SSH.
+type VMSystem struct {
+	cfg        VMConfig
+	sshClient  *ssh.Client
+	sshConfig  *ssh.ClientConfig
+	sshPort    int
+	qemuPID    int
+	tmpDir     string
+	consoleLog string
+}
+
+// NewVMSystem boots a QEMU VM and returns a System interface.
+func NewVMSystem(ctx context.Context, cfg VMConfig) (*VMSystem, error) {
+	if cfg.BootTimeout == 0 {
+		cfg.BootTimeout = 5 * time.Minute
+	}
+
+	vm := &VMSystem{cfg: cfg}
+
+	// Read SSH private key
+	keyData, err := os.ReadFile(cfg.SSHKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("read ssh key: %w", err)
+	}
+	signer, err := ssh.ParsePrivateKey(keyData)
+	if err != nil {
+		return nil, fmt.Errorf("parse ssh key: %w", err)
+	}
+
+	vm.sshConfig = &ssh.ClientConfig{
+		User: "root",
+		Auth: []ssh.AuthMethod{
+			ssh.PublicKeys(signer),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		Timeout:         10 * time.Second,
+	}
+
+	// Allocate a random free port
+	port, err := allocatePort()
+	if err != nil {
+		return nil, fmt.Errorf("allocate port: %w", err)
+	}
+	vm.sshPort = port
+
+	// Create a temp directory for this VM instance
+	vm.tmpDir, err = os.MkdirTemp("", "forage-e2e-*")
+	if err != nil {
+		return nil, fmt.Errorf("create tmpdir: %w", err)
+	}
+
+	// Patch the VM run script to use our allocated port
+	if err := vm.patchRunScript(); err != nil {
+		os.RemoveAll(vm.tmpDir)
+		return nil, fmt.Errorf("patch run script: %w", err)
+	}
+
+	// Boot the VM
+	if err := vm.boot(ctx); err != nil {
+		os.RemoveAll(vm.tmpDir)
+		return nil, fmt.Errorf("boot vm: %w", err)
+	}
+
+	// Register in the VM registry
+	if err := Register(VMInfo{
+		ID:        filepath.Base(vm.tmpDir),
+		PID:       vm.qemuPID,
+		SSHPort:   vm.sshPort,
+		StartTime: time.Now(),
+		TmpDir:    vm.tmpDir,
+	}); err != nil {
+		log.Printf("warning: failed to register VM: %v", err)
+	}
+
+	// Wait for SSH
+	if err := vm.waitSSH(ctx); err != nil {
+		vm.Close()
+		return nil, fmt.Errorf("wait ssh: %w", err)
+	}
+
+	// Wait for system to be fully ready
+	log.Printf("waiting for multi-user.target...")
+	vm.Run(ctx, "systemctl is-system-running --wait")
+
+	return vm, nil
+}
+
+// Run executes a shell command in the VM via SSH.
+func (vm *VMSystem) Run(ctx context.Context, cmd string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "vm.exec",
+		telemetry.WithAttr(attribute.String("cmd", cmd)))
+	defer span.End()
+
+	// Propagate trace context + OTEL config to child processes
+	cmd = telemetry.EnvPrefix(ctx) + cmd
+
+	session, err := vm.sshClient.NewSession()
+	if err != nil {
+		return "", fmt.Errorf("new session: %w", err)
+	}
+	defer session.Close()
+
+	done := make(chan struct{})
+	var output []byte
+	var runErr error
+
+	go func() {
+		output, runErr = session.CombinedOutput(cmd)
+		close(done)
+	}()
+
+	select {
+	case <-ctx.Done():
+		session.Signal(ssh.SIGKILL)
+		return "", ctx.Err()
+	case <-done:
+		if runErr != nil {
+			return string(output), fmt.Errorf("vm exec %q: %w\noutput: %s", cmd, runErr, output)
+		}
+		return string(output), nil
+	}
+}
+
+// ForageCtl runs forage-ctl with the given arguments in the VM.
+func (vm *VMSystem) ForageCtl(ctx context.Context, args ...string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "vm.forage-ctl",
+		telemetry.WithAttr(attribute.String("args", strings.Join(args, " "))))
+	defer span.End()
+
+	cmd := "forage-ctl " + strings.Join(args, " ")
+	return vm.Run(ctx, cmd)
+}
+
+// DialSandbox opens an SSH connection to a sandbox container via SSH tunneling.
+// The connection is tunneled through the VM: Host -> VM -> Container.
+func (vm *VMSystem) DialSandbox(ctx context.Context, ip string) (*SandboxConn, error) {
+	// Read the SSH key for container auth (same key, "agent" user)
+	keyData, err := os.ReadFile(vm.cfg.SSHKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("read ssh key: %w", err)
+	}
+	signer, err := ssh.ParsePrivateKey(keyData)
+	if err != nil {
+		return nil, fmt.Errorf("parse ssh key: %w", err)
+	}
+
+	containerConfig := &ssh.ClientConfig{
+		User: "agent",
+		Auth: []ssh.AuthMethod{
+			ssh.PublicKeys(signer),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		Timeout:         10 * time.Second,
+	}
+
+	// Tunnel through the VM to the container
+	addr := ip + ":22"
+	conn, err := vm.sshClient.Dial("tcp", addr)
+	if err != nil {
+		return nil, fmt.Errorf("tunnel to %s: %w", addr, err)
+	}
+
+	nconn, chans, reqs, err := ssh.NewClientConn(conn, addr, containerConfig)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("ssh handshake with container %s: %w", addr, err)
+	}
+
+	client := ssh.NewClient(nconn, chans, reqs)
+	return &SandboxConn{client: client, ip: ip}, nil
+}
+
+// Close shuts down the VM and cleans up resources.
+func (vm *VMSystem) Close() error {
+	// Close SSH connection
+	if vm.sshClient != nil {
+		vm.sshClient.Close()
+	}
+
+	// Try graceful shutdown
+	if vm.qemuPID > 0 {
+		log.Printf("shutting down VM (PID %d)...", vm.qemuPID)
+
+		// Send SIGTERM
+		proc, err := os.FindProcess(vm.qemuPID)
+		if err == nil {
+			proc.Signal(syscall.SIGTERM)
+
+			// Wait up to 30s for graceful shutdown
+			deadline := time.Now().Add(30 * time.Second)
+			for time.Now().Before(deadline) {
+				if err := proc.Signal(syscall.Signal(0)); err != nil {
+					break // Process exited
+				}
+				time.Sleep(500 * time.Millisecond)
+			}
+
+			// Force kill if still alive
+			if err := proc.Signal(syscall.Signal(0)); err == nil {
+				log.Printf("VM did not exit gracefully, sending SIGKILL")
+				proc.Signal(syscall.SIGKILL)
+				time.Sleep(time.Second)
+			}
+		}
+	}
+
+	// Deregister from registry
+	Deregister(filepath.Base(vm.tmpDir))
+
+	// Clean up temp directory
+	if vm.tmpDir != "" {
+		os.RemoveAll(vm.tmpDir)
+	}
+
+	return nil
+}
+
+// SSHPort returns the SSH port allocated for this VM.
+func (vm *VMSystem) SSHPort() int {
+	return vm.sshPort
+}
+
+// allocatePort finds a random free TCP port.
+func allocatePort() (int, error) {
+	l, err := net.Listen("tcp", ":0")
+	if err != nil {
+		return 0, err
+	}
+	port := l.Addr().(*net.TCPAddr).Port
+	l.Close()
+	return port, nil
+}
+
+// patchRunScript copies the VM run script and replaces the hardcoded SSH port.
+func (vm *VMSystem) patchRunScript() error {
+	data, err := os.ReadFile(vm.cfg.VMScript)
+	if err != nil {
+		return fmt.Errorf("read vm script: %w", err)
+	}
+
+	// Replace the hardcoded port forwarding
+	patched := strings.ReplaceAll(
+		string(data),
+		"hostfwd=tcp::2222-:22",
+		fmt.Sprintf("hostfwd=tcp::%d-:22", vm.sshPort),
+	)
+
+	patchedScript := filepath.Join(vm.tmpDir, "run-vm")
+	if err := os.WriteFile(patchedScript, []byte(patched), 0755); err != nil {
+		return fmt.Errorf("write patched script: %w", err)
+	}
+
+	return nil
+}
+
+// boot starts the QEMU VM process.
+func (vm *VMSystem) boot(ctx context.Context) error {
+	ctx, span := telemetry.Start(ctx, "vm.boot",
+		telemetry.WithAttr(attribute.Int("ssh.port", vm.sshPort)))
+	defer span.End()
+
+	log.Printf("booting VM on SSH port %d...", vm.sshPort)
+
+	// Clean up any stale disk images in our tmpdir
+	matches, _ := filepath.Glob(filepath.Join(vm.tmpDir, "*.qcow2"))
+	for _, m := range matches {
+		os.Remove(m)
+	}
+
+	vm.consoleLog = filepath.Join(vm.tmpDir, "console.log")
+	pidFile := filepath.Join(vm.tmpDir, "vm.pid")
+
+	script := filepath.Join(vm.tmpDir, "run-vm")
+	cmd := exec.CommandContext(ctx, script,
+		"-daemonize",
+		"-pidfile", pidFile,
+		"-display", "none",
+		"-serial", "file:"+vm.consoleLog,
+	)
+	// Run QEMU from the tmpdir so qcow2 files land there
+	cmd.Dir = vm.tmpDir
+	cmd.Stdout = os.Stderr
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("start qemu: %w", err)
+	}
+
+	// Wait for PID file (QEMU creates nix store image first, can take a while)
+	deadline := time.Now().Add(5 * time.Minute)
+	for time.Now().Before(deadline) {
+		data, err := os.ReadFile(pidFile)
+		if err == nil && len(strings.TrimSpace(string(data))) > 0 {
+			pid, err := strconv.Atoi(strings.TrimSpace(string(data)))
+			if err != nil {
+				return fmt.Errorf("parse pid: %w", err)
+			}
+			vm.qemuPID = pid
+			log.Printf("VM started with PID %d", pid)
+			return nil
+		}
+		time.Sleep(time.Second)
+	}
+
+	return fmt.Errorf("VM failed to start (no PID file after timeout)")
+}
+
+// waitSSH waits for the VM to become reachable via SSH.
+func (vm *VMSystem) waitSSH(ctx context.Context) error {
+	ctx, span := telemetry.Start(ctx, "vm.wait-ssh",
+		telemetry.WithAttr(attribute.Int("ssh.port", vm.sshPort)),
+		telemetry.WithAttr(attribute.String("timeout", vm.cfg.BootTimeout.String())))
+	defer span.End()
+
+	deadline := time.Now().Add(vm.cfg.BootTimeout)
+	addr := fmt.Sprintf("localhost:%d", vm.sshPort)
+
+	log.Printf("waiting for SSH on %s (timeout: %v)...", addr, vm.cfg.BootTimeout)
+
+	attempts := 0
+	for time.Now().Before(deadline) {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+
+		attempts++
+		client, err := ssh.Dial("tcp", addr, vm.sshConfig)
+		if err == nil {
+			vm.sshClient = client
+			span.SetAttributes(attribute.Int("attempts", attempts))
+			log.Printf("SSH ready")
+			return nil
+		}
+
+		span.AddEvent("ssh.dial.failed", trace.WithAttributes(attribute.String("error", err.Error())))
+		time.Sleep(2 * time.Second)
+	}
+
+	// Dump console log on timeout
+	if data, err := os.ReadFile(vm.consoleLog); err == nil {
+		lines := strings.Split(string(data), "\n")
+		start := 0
+		if len(lines) > 50 {
+			start = len(lines) - 50
+		}
+		log.Printf("VM console log (last 50 lines):\n%s", strings.Join(lines[start:], "\n"))
+	}
+
+	return fmt.Errorf("SSH timeout after %v (%d attempts)", vm.cfg.BootTimeout, attempts)
+}
diff --git a/packages/forage-ctl/go.mod b/packages/forage-ctl/go.mod
new file mode 100644
index 0000000..92cd47a
--- /dev/null
+++ b/packages/forage-ctl/go.mod
@@ -0,0 +1,80 @@
+module github.com/firefly-engineering/firefly-forage/packages/forage-ctl
+
+go 1.24.2
+
+require (
+	github.com/charmbracelet/bubbles v0.21.1
+	github.com/charmbracelet/bubbletea v1.3.10
+	github.com/charmbracelet/lipgloss v1.1.0
+	github.com/firefly-engineering/firefly-forage/images/forage-base v0.0.0-00010101000000-000000000000
+	github.com/honeycombio/otel-config-go v1.17.0
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
+	github.com/spf13/cobra v1.10.2
+	go.opentelemetry.io/otel v1.40.0
+	go.opentelemetry.io/otel/trace v1.40.0
+	golang.org/x/crypto v0.48.0
+)
+
+require (
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charmbracelet/colorprofile v0.4.1 // indirect
+	github.com/charmbracelet/x/ansi v0.11.6 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
+	github.com/clipperhouse/displaywidth v0.9.0 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.5.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/sahilm/fuzzy v0.1.1 // indirect
+	github.com/sethvargo/go-envconfig v1.1.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.26.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/host v0.65.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.65.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.40.0 // indirect
+	go.opentelemetry.io/contrib/propagators/ot v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.40.0
+	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+)
+
+replace github.com/firefly-engineering/firefly-forage/images/forage-base => ../../images/forage-base
diff --git a/packages/forage-ctl/go.sum b/packages/forage-ctl/go.sum
new file mode 100644
index 0000000..fa7b367
--- /dev/null
+++ b/packages/forage-ctl/go.sum
@@ -0,0 +1,176 @@
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
+github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/charmbracelet/bubbles v0.21.1 h1:nj0decPiixaZeL9diI4uzzQTkkz1kYY8+jgzCZXSmW0=
+github.com/charmbracelet/bubbles v0.21.1/go.mod h1:HHvIYRCpbkCJw2yo0vNX1O5loCwSr9/mWS8GYSg50Sk=
+github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
+github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
+github.com/charmbracelet/colorprofile v0.4.1 h1:a1lO03qTrSIRaK8c3JRxJDZOvhvIeSco3ej+ngLk1kk=
+github.com/charmbracelet/colorprofile v0.4.1/go.mod h1:U1d9Dljmdf9DLegaJ0nGZNJvoXAhayhmidOdcBwAvKk=
+github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
+github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
+github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8=
+github.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ=
+github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI=
+github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
+github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
+github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
+github.com/clipperhouse/displaywidth v0.9.0 h1:Qb4KOhYwRiN3viMv1v/3cTBlz3AcAZX3+y9OLhMtAtA=
+github.com/clipperhouse/displaywidth v0.9.0/go.mod h1:aCAAqTlh4GIVkhQnJpbL0T/WfcrJXHcj8C0yjYcjOZA=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.5.0 h1:x7T0T4eTHDONxFJsL94uKNKPHrclyFI0lm7+w94cO8U=
+github.com/clipperhouse/uax29/v2 v2.5.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
+github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 h1:X+2YciYSxvMQK0UZ7sg45ZVabVZBeBuvMkmuI2V3Fak=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7/go.mod h1:lW34nIZuQ8UDPdkon5fmfp2l3+ZkQ2me/+oecHYLOII=
+github.com/honeycombio/otel-config-go v1.17.0 h1:3/zig0L3IGnfgiCrEfAwBsM0rF57+TKTyJ/a8yqW2eM=
+github.com/honeycombio/otel-config-go v1.17.0/go.mod h1:g2mMdfih4sYKfXBtz2mNGvo3HiQYqX4Up4pdA8JOF2s=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
+github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
+github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
+github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
+github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
+github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
+github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
+github.com/sethvargo/go-envconfig v1.1.0 h1:cWZiJxeTm7AlCvzGXrEXaSTCNgip5oJepekh/BOQuog=
+github.com/sethvargo/go-envconfig v1.1.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
+github.com/shirou/gopsutil/v4 v4.26.1 h1:TOkEyriIXk2HX9d4isZJtbjXbEjf5qyKPAzbzY0JWSo=
+github.com/shirou/gopsutil/v4 v4.26.1/go.mod h1:medLI9/UNAb0dOI9Q3/7yWSqKkj00u+1tgY8nvv41pc=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=
+github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=
+github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=
+github.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/detectors/aws/lambda v0.53.0 h1:KG6fOUk3EwSH1dEpsAbsLKFbn3cFwN9xDu8plGu55zI=
+go.opentelemetry.io/contrib/detectors/aws/lambda v0.53.0/go.mod h1:bSd579exEkh/P5msRcom8YzVB6NsUxYKyV+D/FYOY7Y=
+go.opentelemetry.io/contrib/instrumentation/host v0.65.0 h1:cR4LpCn/2xDNdW3saBLrGJW7vWmrYlHYIhfuklhrlUc=
+go.opentelemetry.io/contrib/instrumentation/host v0.65.0/go.mod h1:laAqufqDgLYaaewUBpolv8GePmhIVqIeHyudbmi9KYk=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.65.0 h1:n8qdwrebNEHF/zHpueuZ4OacdJ8CdSaP7xef9WRZXTQ=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.65.0/go.mod h1:Z1pjGxUL3nJ/IbDDfL6rBD0Xbz7ZOViRqrIUg4l1CYE=
+go.opentelemetry.io/contrib/propagators/b3 v1.40.0 h1:xariChe8OOVF3rNlfzGFgQc61npQmXhzZj/i82mxMfg=
+go.opentelemetry.io/contrib/propagators/b3 v1.40.0/go.mod h1:72WvbdxbOfXaELEQfonFfOL6osvcVjI7uJEE8C2nkrs=
+go.opentelemetry.io/contrib/propagators/ot v1.40.0 h1:Lon8J5SPmWaL1Ko2TIlCNHJ42/J1b5XbJlgJaE/9m7I=
+go.opentelemetry.io/contrib/propagators/ot v1.40.0/go.mod h1:dKWtJTlp1Yj+8Cneye5idO46eRPIbi23qVuJYKjNnvY=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 h1:NOyNnS19BF2SUDApbOKbDtWZ0IK7b8FJ2uAGdIWOGb0=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0/go.mod h1:VL6EgVikRLcJa9ftukrHu/ZkkhFBSo1lzvdBC9CF1ss=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 h1:9y5sHvAxWzft1WQ4BwqcvA+IFVUJ1Ya75mSAUnFEVwE=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0/go.mod h1:eQqT90eR3X5Dbs1g9YSM30RavwLF725Ris5/XSXWvqE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 h1:QKdN8ly8zEMrByybbQgv8cWBcdAarwmIPZ6FThrWXJs=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0/go.mod h1:bTdK1nhqF76qiPoCCdyFIV+N/sRHYXYCTQc+3VCi3MI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 h1:DvJDOPmSWQHWywQS6lKL+pb8s3gBLOZUtw4N+mavW1I=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0/go.mod h1:EtekO9DEJb4/jRyN4v4Qjc2yA7AtfCBuz2FynRUWTXs=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 h1:wVZXIWjQSeSmMoxF74LzAnpVQOAFDo3pPji9Y4SOFKc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0/go.mod h1:khvBS2IggMFNwZK/6lEeHg/W57h/IX6J4URh57fuI40=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
+go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
+google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/packages/forage-ctl/internal/agent/agent.go b/packages/forage-ctl/internal/agent/agent.go
new file mode 100644
index 0000000..6566cd4
--- /dev/null
+++ b/packages/forage-ctl/internal/agent/agent.go
@@ -0,0 +1,63 @@
+// Package agent provides implementations for AI agents that can run in sandboxes.
+// Each agent type (e.g., Claude) implements contribution interfaces to provide
+// its specific mounts, packages, environment variables, and generated files.
+package agent
+
+import (
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// Agent represents an AI agent type (e.g., Claude) and its injection needs.
+// Agents implement contribution interfaces for the resources they need.
+type Agent interface {
+	// Name returns the agent identifier (e.g., "claude").
+	Name() string
+
+	// Implements contribution interfaces:
+	injection.MountContributor         // existing host files (.claude, .claude.json)
+	injection.PackageContributor       // agent package
+	injection.EnvVarContributor        // API keys
+	injection.GeneratedFileContributor // permissions, skills, system prompt
+}
+
+// Config holds configuration for an agent from the template.
+type Config struct {
+	PackagePath           string
+	AuthEnvVar            string
+	SecretName            string
+	HostConfigDir         string
+	ContainerConfigDir    string
+	HostConfigDirReadOnly bool
+	Permissions           *Permissions
+	StateDir              string // host state directory (for token store, etc.)
+}
+
+// Permissions defines what tool families an agent can use.
+type Permissions struct {
+	SkipAll bool     // allow all tool families
+	Allow   []string // tool families to allow
+	Deny    []string // tool families to deny
+}
+
+// NewAgent creates an Agent instance for the given agent name and configuration.
+// Returns nil if the agent type is not supported.
+func NewAgent(name string, cfg *Config, rt runtime.GeneratedFileRuntime) Agent {
+	switch name {
+	case "claude":
+		return NewClaudeAgent(cfg, rt)
+	default:
+		return nil
+	}
+}
+
+// ForTemplate returns Agent instances for all agents defined in a template.
+func ForTemplate(agents map[string]*Config, rt runtime.GeneratedFileRuntime) []Agent {
+	var result []Agent
+	for name, cfg := range agents {
+		if agent := NewAgent(name, cfg, rt); agent != nil {
+			result = append(result, agent)
+		}
+	}
+	return result
+}
diff --git a/packages/forage-ctl/internal/agent/claude.go b/packages/forage-ctl/internal/agent/claude.go
new file mode 100644
index 0000000..1650f74
--- /dev/null
+++ b/packages/forage-ctl/internal/agent/claude.go
@@ -0,0 +1,244 @@
+package agent
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// ClaudeAgent implements Agent for Claude Code.
+type ClaudeAgent struct {
+	config     *Config
+	runtime    runtime.GeneratedFileRuntime
+	tokenStore *TokenStore
+}
+
+// NewClaudeAgent creates a new ClaudeAgent.
+func NewClaudeAgent(cfg *Config, rt runtime.GeneratedFileRuntime) *ClaudeAgent {
+	var ts *TokenStore
+	if cfg.StateDir != "" {
+		ts = NewTokenStore(cfg.StateDir)
+	}
+	return &ClaudeAgent{
+		config:     cfg,
+		runtime:    rt,
+		tokenStore: ts,
+	}
+}
+
+// Name returns the agent identifier.
+func (a *ClaudeAgent) Name() string {
+	return "claude"
+}
+
+// ContributePackages returns the Claude Code package.
+func (a *ClaudeAgent) ContributePackages(ctx context.Context) ([]injection.Package, error) {
+	if a.config.PackagePath == "" {
+		return nil, nil
+	}
+	// Return the package path as-is - it's a Nix flake reference
+	return []injection.Package{{Name: a.config.PackagePath}}, nil
+}
+
+// ContributeMounts returns mounts for existing Claude config files.
+func (a *ClaudeAgent) ContributeMounts(ctx context.Context, req *injection.MountRequest) ([]injection.Mount, error) {
+	var mounts []injection.Mount
+
+	// Mount .claude project directory from source repo
+	if req.SourceRepo != "" {
+		claudeDir := filepath.Join(req.SourceRepo, ".claude")
+		if info, err := os.Stat(claudeDir); err == nil && info.IsDir() {
+			mounts = append(mounts, injection.Mount{
+				HostPath:      claudeDir,
+				ContainerPath: filepath.Join("/workspace", ".claude"),
+				ReadOnly:      req.ReadOnlyWorkspace,
+			})
+		}
+	}
+
+	// Mount .claude.json from host home directory
+	if req.HostHomeDir != "" {
+		claudeJson := filepath.Join(req.HostHomeDir, ".claude.json")
+		if _, err := os.Stat(claudeJson); err == nil {
+			info := a.runtime.ContainerInfo()
+			mounts = append(mounts, injection.Mount{
+				HostPath:      claudeJson,
+				ContainerPath: filepath.Join(info.HomeDir, ".claude.json"),
+				ReadOnly:      false,
+			})
+		}
+	}
+
+	// Mount host config directory if specified
+	if a.config.HostConfigDir != "" && a.config.ContainerConfigDir != "" {
+		mounts = append(mounts, injection.Mount{
+			HostPath:      a.config.HostConfigDir,
+			ContainerPath: a.config.ContainerConfigDir,
+			ReadOnly:      a.config.HostConfigDirReadOnly,
+		})
+	}
+
+	return mounts, nil
+}
+
+// ContributeEnvVars returns environment variables for Claude authentication.
+func (a *ClaudeAgent) ContributeEnvVars(ctx context.Context, req *injection.EnvVarRequest) ([]injection.EnvVar, error) {
+	var envVars []injection.EnvVar
+
+	// Enable agent teams in all Claude sandboxes
+	envVars = append(envVars, injection.EnvVar{
+		Name:  "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS",
+		Value: `"1"`,
+	})
+
+	// If using proxy, the proxy contributor handles auth env vars
+	if req.ProxyURL != "" {
+		return envVars, nil
+	}
+
+	// If using secrets, set up the auth env var
+	if a.config.AuthEnvVar != "" && a.config.SecretName != "" && req.SecretsPath != "" {
+		envVars = append(envVars, injection.EnvVar{
+			Name:  a.config.AuthEnvVar,
+			Value: fmt.Sprintf(`"$(cat /run/secrets/%s 2>/dev/null || echo '')"`, a.config.SecretName),
+		})
+		return envVars, nil
+	}
+
+	// If using hostConfigDir (OAuth flow) with no explicit secret, inject
+	// the OAuth token so the container (which can't access the host
+	// keychain) can authenticate.
+	//
+	// Priority:
+	//   1. Long-lived token from token store (forage-ctl claude token store)
+	//   2. Short-lived token from host keychain (macOS only, ~8h expiry)
+	if a.config.HostConfigDir != "" && a.config.SecretName == "" {
+		token, warning := a.resolveOAuthToken()
+		if token != "" {
+			envVars = append(envVars, injection.EnvVar{
+				Name:  "CLAUDE_CODE_OAUTH_TOKEN",
+				Value: fmt.Sprintf(`"%s"`, token),
+			})
+		}
+		if warning != "" {
+			logging.Warn(warning)
+		}
+	}
+
+	return envVars, nil
+}
+
+// ContributeGeneratedFiles returns generated files for Claude configuration.
+func (a *ClaudeAgent) ContributeGeneratedFiles(ctx context.Context, req *injection.GeneratedFileRequest) ([]injection.GeneratedFile, error) {
+	var files []injection.GeneratedFile
+	info := a.runtime.ContainerInfo()
+	claudeDir := filepath.Join(info.HomeDir, ".claude")
+
+	// Generate permissions policy
+	if a.config.Permissions != nil {
+		permContent, err := a.generatePermissions()
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate permissions: %w", err)
+		}
+		if permContent != nil {
+			files = append(files, injection.GeneratedFile{
+				ContainerPath: "/etc/claude-code/managed-settings.json",
+				Content:       permContent,
+				Mode:          0644,
+				ReadOnly:      true,
+			})
+		}
+	}
+
+	// Skills and system prompt generation are handled by SkillsContributor,
+	// which wraps the skills package and uses project analysis context.
+
+	// Ensure .claude directory exists (handled by ClaudeTmpfilesContributor)
+	_ = claudeDir
+
+	return files, nil
+}
+
+// generatePermissions creates the Claude Code managed-settings.json content.
+func (a *ClaudeAgent) generatePermissions() ([]byte, error) {
+	if a.config.Permissions == nil {
+		return nil, nil
+	}
+
+	type permissionsBlock struct {
+		Allow []string `json:"allow,omitempty"`
+		Deny  []string `json:"deny,omitempty"`
+	}
+
+	type managedSettings struct {
+		Permissions permissionsBlock `json:"permissions"`
+	}
+
+	var settings managedSettings
+
+	if a.config.Permissions.SkipAll {
+		settings.Permissions.Allow = claudeToolFamilies
+	} else {
+		if len(a.config.Permissions.Allow) == 0 && len(a.config.Permissions.Deny) == 0 {
+			return nil, nil
+		}
+		settings.Permissions.Allow = a.config.Permissions.Allow
+		settings.Permissions.Deny = a.config.Permissions.Deny
+	}
+
+	return json.Marshal(settings)
+}
+
+// resolveOAuthToken returns an OAuth token and an optional warning.
+// It checks the token store first, then falls back to the host keychain.
+func (a *ClaudeAgent) resolveOAuthToken() (token string, warning string) {
+	// 1. Try the long-lived token from the store
+	if a.tokenStore != nil {
+		token, reason := a.tokenStore.Token()
+		if token != "" {
+			if reason != "" {
+				// Token valid but expiring soon
+				return token, "Claude OAuth token is expiring soon — run 'claude setup-token' and 'forage-ctl claude token store <token>' to renew"
+			}
+			logging.Debug("using stored long-lived Claude OAuth token")
+			return token, ""
+		}
+		if reason != "no token stored" {
+			// Token exists but is expired
+			return "", "Claude OAuth token has expired — run 'claude setup-token' and 'forage-ctl claude token store <token>' to renew"
+		}
+	}
+
+	// 2. Fall back to short-lived token from host keychain
+	if keychainToken := readOAuthToken(); keychainToken != "" {
+		logging.Debug("using short-lived OAuth token from host keychain (store a long-lived token with 'forage-ctl claude token store' for better reliability)")
+		return keychainToken, ""
+	}
+
+	return "", "no Claude OAuth token available — run 'claude setup-token' and 'forage-ctl claude token store <token>'"
+}
+
+// claudeToolFamilies lists all Claude Code tool families for skipAll mode.
+var claudeToolFamilies = []string{
+	"Bash",
+	"Edit",
+	"Read",
+	"Write",
+	"WebFetch",
+	"WebSearch",
+	"Glob",
+	"Grep",
+	"NotebookEdit",
+	"NotebookRead",
+	"TodoRead",
+	"TodoWrite",
+}
+
+// Ensure ClaudeAgent implements Agent
+var _ Agent = (*ClaudeAgent)(nil)
diff --git a/packages/forage-ctl/internal/agent/credentials.go b/packages/forage-ctl/internal/agent/credentials.go
new file mode 100644
index 0000000..89641de
--- /dev/null
+++ b/packages/forage-ctl/internal/agent/credentials.go
@@ -0,0 +1,95 @@
+package agent
+
+import (
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+// keychainServiceName is the service name Claude Code uses for credential storage.
+const keychainServiceName = "Claude Code-credentials"
+
+// claudeCredentials holds the OAuth credential structure stored in the keychain.
+type claudeCredentials struct {
+	ClaudeAiOauth *oauthCredential `json:"claudeAiOauth,omitempty"`
+}
+
+type oauthCredential struct {
+	AccessToken  string `json:"accessToken"`  //nolint:gosec // G117: this is a deserialized credential, not a hardcoded secret
+	RefreshToken string `json:"refreshToken"` //nolint:gosec // G117: this is a deserialized credential, not a hardcoded secret
+	ExpiresAt    int64  `json:"expiresAt"`    // milliseconds since epoch
+}
+
+// readOAuthToken reads the Claude OAuth access token from the host credential store.
+// Returns the access token string, or empty string if unavailable or expired.
+func readOAuthToken() string {
+	if runtime.GOOS != "darwin" {
+		// TODO: support Linux secret-service / libsecret
+		return ""
+	}
+
+	token, err := readMacOSKeychainToken()
+	if err != nil {
+		logging.Debug("failed to read OAuth token from keychain", "error", err)
+		return ""
+	}
+	return token
+}
+
+// readMacOSKeychainToken extracts the Claude OAuth access token from the macOS keychain.
+func readMacOSKeychainToken() (string, error) {
+	cmd := exec.Command("security", "find-generic-password",
+		"-s", keychainServiceName,
+		"-g",
+	)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("keychain lookup failed: %w", err)
+	}
+
+	// The password line looks like: password: "{ ... json ... }"
+	password := extractKeychainPassword(string(out))
+	if password == "" {
+		return "", fmt.Errorf("no password found in keychain entry")
+	}
+
+	var creds claudeCredentials
+	if err := json.Unmarshal([]byte(password), &creds); err != nil {
+		return "", fmt.Errorf("failed to parse credentials JSON: %w", err)
+	}
+
+	if creds.ClaudeAiOauth == nil || creds.ClaudeAiOauth.AccessToken == "" {
+		return "", fmt.Errorf("no OAuth access token in credentials")
+	}
+
+	// Check expiry (expiresAt is milliseconds since epoch)
+	expiresAt := time.UnixMilli(creds.ClaudeAiOauth.ExpiresAt)
+	if time.Now().After(expiresAt) {
+		return "", fmt.Errorf("OAuth access token expired at %s", expiresAt)
+	}
+
+	remaining := time.Until(expiresAt)
+	logging.Debug("read OAuth token from keychain", "expiresIn", remaining.Round(time.Minute))
+	return creds.ClaudeAiOauth.AccessToken, nil
+}
+
+// extractKeychainPassword parses the password value from `security find-generic-password -g` output.
+func extractKeychainPassword(output string) string {
+	for _, line := range strings.Split(output, "\n") {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "password: \"") {
+			// Strip prefix and trailing quote
+			pw := strings.TrimPrefix(line, "password: \"")
+			if len(pw) > 0 && pw[len(pw)-1] == '"' {
+				pw = pw[:len(pw)-1]
+			}
+			return pw
+		}
+	}
+	return ""
+}
diff --git a/packages/forage-ctl/internal/agent/tokenstore.go b/packages/forage-ctl/internal/agent/tokenstore.go
new file mode 100644
index 0000000..b7600c7
--- /dev/null
+++ b/packages/forage-ctl/internal/agent/tokenstore.go
@@ -0,0 +1,145 @@
+package agent
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+const (
+	// tokenFileName is the file name for the stored Claude OAuth token.
+	tokenFileName = "claude-oauth.json"
+
+	// tokenExpiryDuration is how long a setup-token is valid (1 year).
+	tokenExpiryDuration = 365 * 24 * time.Hour
+
+	// tokenWarnThreshold triggers a warning when the token expires within this window.
+	tokenWarnThreshold = 30 * 24 * time.Hour
+)
+
+// StoredToken represents a persisted OAuth token with metadata.
+type StoredToken struct {
+	Token     string    `json:"token"`
+	CreatedAt time.Time `json:"createdAt"`
+	ExpiresAt time.Time `json:"expiresAt"`
+}
+
+// TokenStatus describes the state of a stored token.
+type TokenStatus int
+
+const (
+	TokenMissing  TokenStatus = iota // no token file
+	TokenExpired                     // token past expiry
+	TokenExpiring                    // token valid but within warn threshold
+	TokenValid                       // token valid with plenty of time
+)
+
+// TokenStore manages persistent Claude OAuth tokens on disk.
+type TokenStore struct {
+	dir string // directory containing the token file
+}
+
+// NewTokenStore creates a TokenStore rooted at the given state directory.
+// Tokens are stored under <stateDir>/tokens/.
+func NewTokenStore(stateDir string) *TokenStore {
+	return &TokenStore{dir: filepath.Join(stateDir, "tokens")}
+}
+
+// Store persists a long-lived token to disk.
+func (s *TokenStore) Store(token string) (*StoredToken, error) {
+	if err := os.MkdirAll(s.dir, 0700); err != nil {
+		return nil, fmt.Errorf("create token directory: %w", err)
+	}
+
+	now := time.Now()
+	st := &StoredToken{
+		Token:     token,
+		CreatedAt: now,
+		ExpiresAt: now.Add(tokenExpiryDuration),
+	}
+
+	data, err := json.MarshalIndent(st, "", "  ")
+	if err != nil {
+		return nil, fmt.Errorf("marshal token: %w", err)
+	}
+
+	path := filepath.Join(s.dir, tokenFileName)
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		return nil, fmt.Errorf("write token file: %w", err)
+	}
+
+	return st, nil
+}
+
+// Load reads the stored token from disk. Returns nil if no token exists.
+func (s *TokenStore) Load() (*StoredToken, error) {
+	path := filepath.Join(s.dir, tokenFileName)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("read token file: %w", err)
+	}
+
+	var st StoredToken
+	if err := json.Unmarshal(data, &st); err != nil {
+		return nil, fmt.Errorf("parse token file: %w", err)
+	}
+
+	return &st, nil
+}
+
+// Remove deletes the stored token.
+func (s *TokenStore) Remove() error {
+	path := filepath.Join(s.dir, tokenFileName)
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove token file: %w", err)
+	}
+	return nil
+}
+
+// Status checks the current token state.
+func (s *TokenStore) Status() (TokenStatus, *StoredToken, error) {
+	st, err := s.Load()
+	if err != nil {
+		return TokenMissing, nil, err
+	}
+	if st == nil {
+		return TokenMissing, nil, nil
+	}
+
+	now := time.Now()
+	if now.After(st.ExpiresAt) {
+		return TokenExpired, st, nil
+	}
+	if st.ExpiresAt.Sub(now) < tokenWarnThreshold {
+		return TokenExpiring, st, nil
+	}
+	return TokenValid, st, nil
+}
+
+// Token returns the access token string if valid, or empty string with a
+// human-readable reason if not.
+func (s *TokenStore) Token() (string, string) {
+	status, st, err := s.Status()
+	if err != nil {
+		return "", fmt.Sprintf("failed to read token: %v", err)
+	}
+
+	switch status {
+	case TokenMissing:
+		return "", "no token stored"
+	case TokenExpired:
+		return "", fmt.Sprintf("token expired on %s", st.ExpiresAt.Format("2006-01-02"))
+	case TokenExpiring:
+		remaining := time.Until(st.ExpiresAt)
+		days := int(remaining.Hours() / 24)
+		return st.Token, fmt.Sprintf("token expires in %d days", days)
+	case TokenValid:
+		return st.Token, ""
+	}
+	return "", "unknown token state"
+}
diff --git a/packages/forage-ctl/internal/app/app.go b/packages/forage-ctl/internal/app/app.go
new file mode 100644
index 0000000..d9efd3a
--- /dev/null
+++ b/packages/forage-ctl/internal/app/app.go
@@ -0,0 +1,130 @@
+// Package app provides the application context for forage-ctl.
+// It allows dependency injection for testing.
+package app
+
+import (
+	"context"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// App holds the application dependencies
+type App struct {
+	// Paths holds the configured paths
+	Paths *config.Paths
+
+	// Runtime is the container runtime
+	Runtime runtime.Runtime
+
+	// HostConfig is the loaded host configuration
+	HostConfig *config.HostConfig
+}
+
+// Option is a function that configures the App
+type Option func(*App)
+
+// WithPaths sets custom paths
+func WithPaths(paths *config.Paths) Option {
+	return func(a *App) {
+		a.Paths = paths
+	}
+}
+
+// WithRuntime sets a custom runtime
+func WithRuntime(r runtime.Runtime) Option {
+	return func(a *App) {
+		a.Runtime = r
+	}
+}
+
+// WithHostConfig sets a custom host config
+func WithHostConfig(cfg *config.HostConfig) Option {
+	return func(a *App) {
+		a.HostConfig = cfg
+	}
+}
+
+// New creates a new App with the given options.
+// If runtime is not provided via WithRuntime, it will be auto-detected.
+func New(opts ...Option) *App {
+	app := &App{
+		Paths: config.DefaultPaths(),
+	}
+
+	for _, opt := range opts {
+		opt(app)
+	}
+
+	// Initialize runtime if not provided
+	if app.Runtime == nil {
+		cfg := &runtime.Config{
+			Type:            runtime.RuntimeAuto,
+			ContainerPrefix: config.ContainerPrefix,
+			SandboxesDir:    app.Paths.SandboxesDir,
+		}
+		rt, err := runtime.New(cfg)
+		if err != nil {
+			logging.Debug("failed to initialize runtime", "error", err)
+		} else {
+			app.Runtime = rt
+		}
+	}
+
+	return app
+}
+
+// IsRunning checks if a container is running using the app's runtime
+func (a *App) IsRunning(ctx context.Context, name string) bool {
+	if a.Runtime == nil {
+		return false
+	}
+	running, _ := a.Runtime.IsRunning(ctx, name)
+	return running
+}
+
+// Start starts a container using the app's runtime
+func (a *App) Start(ctx context.Context, name string) error {
+	if a.Runtime == nil {
+		return nil
+	}
+	return a.Runtime.Start(ctx, name)
+}
+
+// Stop stops a container using the app's runtime
+func (a *App) Stop(ctx context.Context, name string) error {
+	if a.Runtime == nil {
+		return nil
+	}
+	return a.Runtime.Stop(ctx, name)
+}
+
+// Destroy destroys a container using the app's runtime
+func (a *App) Destroy(ctx context.Context, name string) error {
+	if a.Runtime == nil {
+		return nil
+	}
+	return a.Runtime.Destroy(ctx, name)
+}
+
+// Create creates a container using the app's runtime
+func (a *App) Create(ctx context.Context, opts runtime.CreateOptions) error {
+	if a.Runtime == nil {
+		return nil
+	}
+	return a.Runtime.Create(ctx, opts)
+}
+
+// Default is the default application instance
+var Default = New()
+
+// SetDefault sets the default application instance (used for testing)
+func SetDefault(app *App) {
+	Default = app
+}
+
+// ResetDefault resets to the default application instance
+func ResetDefault() {
+	Default = New()
+}
diff --git a/packages/forage-ctl/internal/app/app_test.go b/packages/forage-ctl/internal/app/app_test.go
new file mode 100644
index 0000000..59eed32
--- /dev/null
+++ b/packages/forage-ctl/internal/app/app_test.go
@@ -0,0 +1,118 @@
+package app
+
+import (
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+func TestNew(t *testing.T) {
+	app := New()
+
+	if app == nil {
+		t.Fatal("New() returned nil")
+	}
+
+	// Should have default paths
+	if app.Paths == nil {
+		t.Error("Paths should not be nil")
+	}
+
+	// Runtime and HostConfig may be nil by default
+}
+
+func TestNew_WithPaths(t *testing.T) {
+	customPaths := &config.Paths{
+		ConfigDir:     "/custom/config",
+		StateDir:      "/custom/state",
+		SecretsDir:    "/custom/secrets",
+		SandboxesDir:  "/custom/sandboxes",
+		WorkspacesDir: "/custom/workspaces",
+		TemplatesDir:  "/custom/templates",
+	}
+
+	app := New(WithPaths(customPaths))
+
+	if app.Paths != customPaths {
+		t.Error("WithPaths did not set custom paths")
+	}
+}
+
+func TestNew_WithRuntime(t *testing.T) {
+	mockRuntime := runtime.NewMockRuntime()
+
+	app := New(WithRuntime(mockRuntime))
+
+	if app.Runtime != mockRuntime {
+		t.Error("WithRuntime did not set runtime")
+	}
+}
+
+func TestNew_WithHostConfig(t *testing.T) {
+	customConfig := &config.HostConfig{
+		User: "testuser",
+	}
+
+	app := New(WithHostConfig(customConfig))
+
+	if app.HostConfig != customConfig {
+		t.Error("WithHostConfig did not set host config")
+	}
+}
+
+func TestNew_MultipleOptions(t *testing.T) {
+	customPaths := &config.Paths{ConfigDir: "/custom"}
+	mockRuntime := runtime.NewMockRuntime()
+	customConfig := &config.HostConfig{User: "test"}
+
+	app := New(
+		WithPaths(customPaths),
+		WithRuntime(mockRuntime),
+		WithHostConfig(customConfig),
+	)
+
+	if app.Paths != customPaths {
+		t.Error("Paths not set correctly")
+	}
+	if app.Runtime != mockRuntime {
+		t.Error("Runtime not set correctly")
+	}
+	if app.HostConfig != customConfig {
+		t.Error("HostConfig not set correctly")
+	}
+}
+
+func TestSetDefault(t *testing.T) {
+	// Save original default
+	original := Default
+	defer func() { Default = original }()
+
+	customApp := New(WithHostConfig(&config.HostConfig{User: "custom"}))
+	SetDefault(customApp)
+
+	if Default != customApp {
+		t.Error("SetDefault did not update Default")
+	}
+}
+
+func TestResetDefault(t *testing.T) {
+	// Save original default
+	original := Default
+	defer func() { Default = original }()
+
+	// Set a custom default
+	customApp := New(WithHostConfig(&config.HostConfig{User: "custom"}))
+	SetDefault(customApp)
+
+	// Reset to default
+	ResetDefault()
+
+	// Should have a new default app with default paths
+	if Default == customApp {
+		t.Error("ResetDefault did not create new Default")
+	}
+	if Default.Paths == nil {
+		t.Error("ResetDefault should create app with default paths")
+	}
+}
diff --git a/packages/forage-ctl/internal/app/doc.go b/packages/forage-ctl/internal/app/doc.go
new file mode 100644
index 0000000..918bb7c
--- /dev/null
+++ b/packages/forage-ctl/internal/app/doc.go
@@ -0,0 +1,35 @@
+// Package app provides the application context for forage-ctl.
+//
+// This package manages application-wide dependencies using the functional
+// options pattern, enabling easy testing through dependency injection.
+//
+// # App Context
+//
+// The App struct holds core dependencies:
+//
+//	type App struct {
+//	    Paths      *config.Paths      // File system paths
+//	    Runtime    runtime.Runtime    // Container runtime
+//	    HostConfig *config.HostConfig // Host configuration
+//	}
+//
+// # Creating an App
+//
+// Use New with functional options:
+//
+//	// Production usage
+//	app, err := app.New()
+//
+//	// Testing with custom dependencies
+//	app, err := app.New(
+//	    app.WithPaths(testPaths),
+//	    app.WithRuntime(mockRuntime),
+//	    app.WithHostConfig(testConfig),
+//	)
+//
+// # Available Options
+//
+//	WithPaths(paths)        // Custom path configuration
+//	WithRuntime(runtime)    // Custom container runtime
+//	WithHostConfig(config)  // Custom host configuration
+package app
diff --git a/packages/forage-ctl/internal/audit/audit.go b/packages/forage-ctl/internal/audit/audit.go
new file mode 100644
index 0000000..8899556
--- /dev/null
+++ b/packages/forage-ctl/internal/audit/audit.go
@@ -0,0 +1,131 @@
+// Package audit provides structured event logging for sandbox lifecycle events.
+// Events are stored as JSON Lines (JSONL) files, one per sandbox.
+package audit
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// EventType classifies a lifecycle event.
+type EventType string
+
+const (
+	EventCreate  EventType = "create"
+	EventStart   EventType = "start"
+	EventStop    EventType = "stop"
+	EventDestroy EventType = "destroy"
+	EventExec    EventType = "exec"
+	EventHealth  EventType = "health"
+	EventError   EventType = "error"
+)
+
+// Event represents a single audit log entry.
+type Event struct {
+	Timestamp time.Time `json:"timestamp"`
+	Type      EventType `json:"type"`
+	Sandbox   string    `json:"sandbox"`
+	Details   string    `json:"details,omitempty"`
+}
+
+// Logger writes and reads audit events for sandboxes.
+// Events are stored in {stateDir}/sandboxes/{name}/events.jsonl.
+type Logger struct {
+	stateDir string
+}
+
+// NewLogger creates a new audit logger rooted at stateDir.
+func NewLogger(stateDir string) *Logger {
+	return &Logger{stateDir: stateDir}
+}
+
+// eventPath returns the path to the JSONL event log for a sandbox.
+func (l *Logger) eventPath(sandbox string) string {
+	return filepath.Join(l.stateDir, "sandboxes", sandbox+".events.jsonl")
+}
+
+// Log appends an event to the sandbox's audit log.
+func (l *Logger) Log(event Event) error {
+	if event.Timestamp.IsZero() {
+		event.Timestamp = time.Now()
+	}
+
+	path := l.eventPath(event.Sandbox)
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		return fmt.Errorf("failed to create audit log directory: %w", err)
+	}
+
+	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
+	if err != nil {
+		return fmt.Errorf("failed to open audit log: %w", err)
+	}
+	defer func() { _ = f.Close() }()
+
+	data, err := json.Marshal(event)
+	if err != nil {
+		return fmt.Errorf("failed to marshal event: %w", err)
+	}
+
+	if _, err := f.Write(append(data, '\n')); err != nil {
+		return fmt.Errorf("failed to write event: %w", err)
+	}
+
+	return nil
+}
+
+// LogEvent is a convenience method that creates and logs an event.
+func (l *Logger) LogEvent(eventType EventType, sandbox, details string) error {
+	return l.Log(Event{
+		Timestamp: time.Now(),
+		Type:      eventType,
+		Sandbox:   sandbox,
+		Details:   details,
+	})
+}
+
+// Events reads all events for a sandbox in chronological order.
+func (l *Logger) Events(sandbox string) ([]Event, error) {
+	path := l.eventPath(sandbox)
+
+	f, err := os.Open(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to open audit log: %w", err)
+	}
+	defer func() { _ = f.Close() }()
+
+	var events []Event
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Bytes()
+		if len(line) == 0 {
+			continue
+		}
+		var event Event
+		if err := json.Unmarshal(line, &event); err != nil {
+			continue // Skip malformed lines
+		}
+		events = append(events, event)
+	}
+
+	if err := scanner.Err(); err != nil {
+		return events, fmt.Errorf("error reading audit log: %w", err)
+	}
+
+	return events, nil
+}
+
+// Remove deletes the audit log for a sandbox.
+func (l *Logger) Remove(sandbox string) error {
+	path := l.eventPath(sandbox)
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	return nil
+}
diff --git a/packages/forage-ctl/internal/audit/audit_test.go b/packages/forage-ctl/internal/audit/audit_test.go
new file mode 100644
index 0000000..e2a7b45
--- /dev/null
+++ b/packages/forage-ctl/internal/audit/audit_test.go
@@ -0,0 +1,151 @@
+package audit
+
+import (
+	"testing"
+	"time"
+)
+
+func TestLogger_LogAndEvents(t *testing.T) {
+	dir := t.TempDir()
+	logger := NewLogger(dir)
+
+	// Log some events
+	now := time.Now().Truncate(time.Millisecond)
+
+	events := []Event{
+		{Timestamp: now, Type: EventCreate, Sandbox: "test-sandbox", Details: "template=claude"},
+		{Timestamp: now.Add(time.Second), Type: EventStart, Sandbox: "test-sandbox"},
+		{Timestamp: now.Add(2 * time.Second), Type: EventHealth, Sandbox: "test-sandbox", Details: "healthy"},
+		{Timestamp: now.Add(3 * time.Second), Type: EventStop, Sandbox: "test-sandbox"},
+	}
+
+	for _, e := range events {
+		if err := logger.Log(e); err != nil {
+			t.Fatalf("Log failed: %v", err)
+		}
+	}
+
+	// Read them back
+	result, err := logger.Events("test-sandbox")
+	if err != nil {
+		t.Fatalf("Events failed: %v", err)
+	}
+
+	if len(result) != len(events) {
+		t.Fatalf("got %d events, want %d", len(result), len(events))
+	}
+
+	for i, e := range result {
+		if e.Type != events[i].Type {
+			t.Errorf("event %d: type = %q, want %q", i, e.Type, events[i].Type)
+		}
+		if e.Sandbox != events[i].Sandbox {
+			t.Errorf("event %d: sandbox = %q, want %q", i, e.Sandbox, events[i].Sandbox)
+		}
+		if e.Details != events[i].Details {
+			t.Errorf("event %d: details = %q, want %q", i, e.Details, events[i].Details)
+		}
+	}
+}
+
+func TestLogger_EventsEmpty(t *testing.T) {
+	dir := t.TempDir()
+	logger := NewLogger(dir)
+
+	result, err := logger.Events("nonexistent")
+	if err != nil {
+		t.Fatalf("Events failed: %v", err)
+	}
+
+	if len(result) != 0 {
+		t.Errorf("got %d events, want 0", len(result))
+	}
+}
+
+func TestLogger_LogEvent(t *testing.T) {
+	dir := t.TempDir()
+	logger := NewLogger(dir)
+
+	if err := logger.LogEvent(EventCreate, "my-sandbox", "template=test"); err != nil {
+		t.Fatalf("LogEvent failed: %v", err)
+	}
+
+	events, err := logger.Events("my-sandbox")
+	if err != nil {
+		t.Fatalf("Events failed: %v", err)
+	}
+
+	if len(events) != 1 {
+		t.Fatalf("got %d events, want 1", len(events))
+	}
+
+	e := events[0]
+	if e.Type != EventCreate {
+		t.Errorf("type = %q, want %q", e.Type, EventCreate)
+	}
+	if e.Sandbox != "my-sandbox" {
+		t.Errorf("sandbox = %q, want %q", e.Sandbox, "my-sandbox")
+	}
+	if e.Details != "template=test" {
+		t.Errorf("details = %q, want %q", e.Details, "template=test")
+	}
+	if e.Timestamp.IsZero() {
+		t.Error("timestamp should be set automatically")
+	}
+}
+
+func TestLogger_Remove(t *testing.T) {
+	dir := t.TempDir()
+	logger := NewLogger(dir)
+
+	logger.LogEvent(EventCreate, "removable", "")
+
+	if err := logger.Remove("removable"); err != nil {
+		t.Fatalf("Remove failed: %v", err)
+	}
+
+	events, err := logger.Events("removable")
+	if err != nil {
+		t.Fatalf("Events failed: %v", err)
+	}
+	if len(events) != 0 {
+		t.Errorf("got %d events after remove, want 0", len(events))
+	}
+}
+
+func TestLogger_RemoveNonexistent(t *testing.T) {
+	dir := t.TempDir()
+	logger := NewLogger(dir)
+
+	// Should not error
+	if err := logger.Remove("nonexistent"); err != nil {
+		t.Errorf("Remove should not error for nonexistent: %v", err)
+	}
+}
+
+func TestLogger_EventOrder(t *testing.T) {
+	dir := t.TempDir()
+	logger := NewLogger(dir)
+
+	base := time.Now()
+	for i := 0; i < 5; i++ {
+		logger.Log(Event{
+			Timestamp: base.Add(time.Duration(i) * time.Second),
+			Type:      EventExec,
+			Sandbox:   "order-test",
+			Details:   string(rune('A' + i)),
+		})
+	}
+
+	events, _ := logger.Events("order-test")
+	if len(events) != 5 {
+		t.Fatalf("got %d events, want 5", len(events))
+	}
+
+	// Events should be in chronological order (append-only)
+	for i := 1; i < len(events); i++ {
+		if events[i].Timestamp.Before(events[i-1].Timestamp) {
+			t.Errorf("event %d timestamp before event %d", i, i-1)
+		}
+	}
+}
diff --git a/packages/forage-ctl/internal/config/config.go b/packages/forage-ctl/internal/config/config.go
new file mode 100644
index 0000000..1fd255f
--- /dev/null
+++ b/packages/forage-ctl/internal/config/config.go
@@ -0,0 +1,732 @@
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// IsSandboxMetadataFile returns true if the filename is a valid sandbox metadata file.
+// Valid metadata files are "<name>.json" where name contains no dots.
+// This excludes files like "test.claude-permissions.json".
+func IsSandboxMetadataFile(filename string) bool {
+	if filepath.Ext(filename) != ".json" {
+		return false
+	}
+	name := strings.TrimSuffix(filename, ".json")
+	return !strings.Contains(name, ".")
+}
+
+// sandboxNameRegex validates sandbox names.
+// Names must start with a lowercase letter or digit, followed by lowercase letters, digits, underscores, or hyphens.
+// Maximum length is 63 characters (common container name limit).
+var sandboxNameRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9_-]{0,62}$`)
+
+// ValidateSandboxName checks if a sandbox name is valid.
+// Valid names:
+//   - Start with a lowercase letter or digit
+//   - Contain only lowercase letters, digits, underscores, or hyphens
+//   - Are between 1 and 63 characters long
+//   - Do not contain path separators or special characters
+func ValidateSandboxName(name string) error {
+	if name == "" {
+		return fmt.Errorf("sandbox name cannot be empty")
+	}
+
+	if !sandboxNameRegex.MatchString(name) {
+		return fmt.Errorf("invalid sandbox name %q: must start with a lowercase letter or digit, contain only lowercase letters, digits, underscores, or hyphens, and be at most 63 characters", name)
+	}
+
+	return nil
+}
+
+// safePath validates that a constructed path stays within the base directory.
+// This prevents path traversal attacks where names like "../../../etc/passwd"
+// could escape the intended directory. The joined path is cleaned and checked
+// to ensure it remains under baseDir. Note: we intentionally avoid resolving
+// symlinks here because NixOS manages /etc via symlinks to /nix/store, and
+// following them would incorrectly reject all NixOS-managed paths.
+func safePath(baseDir, name, suffix string) (string, error) {
+	joined := filepath.Join(baseDir, name+suffix)
+	// filepath.Join + Clean resolves ".." lexically
+	if !strings.HasPrefix(joined, filepath.Clean(baseDir)+string(filepath.Separator)) &&
+		joined != filepath.Clean(baseDir) {
+		return "", fmt.Errorf("path escapes base directory: %s", joined)
+	}
+	return joined, nil
+}
+
+const (
+	// Fallback paths when no environment override is set.
+	// Override with FORAGE_CONFIG_DIR, FORAGE_STATE_DIR, FORAGE_SECRETS_DIR.
+	DefaultConfigDir  = "/etc/firefly-forage"
+	DefaultStateDir   = "/var/lib/firefly-forage"
+	DefaultSecretsDir = "/run/forage-secrets"
+	// ContainerPrefix is used for legacy sandbox container names ("forage-<name>").
+	// New sandboxes use ContainerNameForSlot() for short names ("f<slot>").
+	// Kept for backward compatibility with existing sandboxes via ResolvedContainerName().
+	ContainerPrefix = "forage-"
+	TmuxSessionName = "forage"
+	MuxSessionName  = TmuxSessionName // alias for new code
+)
+
+// AgentIdentity holds optional git authorship and SSH key configuration
+// for agents running inside sandboxes. All fields are optional.
+type AgentIdentity struct {
+	GitUser    string `json:"gitUser,omitempty"`
+	GitEmail   string `json:"gitEmail,omitempty"`
+	SSHKeyPath string `json:"sshKeyPath,omitempty"` // absolute path to private key on host
+}
+
+// ValidateAgentIdentity validates an AgentIdentity configuration.
+// When SSHKeyPath is non-empty, checks it's absolute, the file exists, and the .pub companion exists.
+// Returns nil if identity is nil or all fields are empty.
+func ValidateAgentIdentity(id *AgentIdentity) error {
+	if id == nil {
+		return nil
+	}
+	if id.SSHKeyPath == "" {
+		return nil
+	}
+	if !filepath.IsAbs(id.SSHKeyPath) {
+		return fmt.Errorf("sshKeyPath must be an absolute path (got %q)", id.SSHKeyPath)
+	}
+	if _, err := os.Stat(id.SSHKeyPath); err != nil {
+		return fmt.Errorf("sshKeyPath %q: %w", id.SSHKeyPath, err)
+	}
+	pubPath := id.SSHKeyPath + ".pub"
+	if _, err := os.Stat(pubPath); err != nil {
+		return fmt.Errorf("sshKeyPath companion %q: %w", pubPath, err)
+	}
+	return nil
+}
+
+// ReadHostUserGitIdentity reads the git/jj user.name and user.email using CLI
+// tools that respect the full config resolution (includeIf, conf.d overlays, etc.).
+// When repoDir is non-empty, commands run in that directory so repo-context
+// conditional config is applied. Checks jj first (preferred for forage
+// workspaces), then falls back to git. Returns nil if no identity is found.
+func ReadHostUserGitIdentity(username string, repoDir string) *AgentIdentity {
+	u, err := user.Lookup(username)
+	if err != nil {
+		return nil
+	}
+
+	// Try CLI-based resolution first (respects conf.d, includeIf, etc.)
+	dir := repoDir
+	if dir == "" {
+		dir = u.HomeDir
+	}
+
+	// Try jj config first (preferred for forage workspaces)
+	if id := readJJIdentity(dir); id != nil {
+		return id
+	}
+
+	// Fall back to git config
+	if id := readGitIdentity(dir); id != nil {
+		return id
+	}
+
+	return nil
+}
+
+// readJJIdentity reads user.name and user.email via `jj config get` in the
+// given directory. This respects conf.d overlays, conditional includes, env
+// vars, and repo-level config — unlike direct TOML parsing.
+func readJJIdentity(repoDir string) *AgentIdentity {
+	jjBin, err := exec.LookPath("jj")
+	if err != nil {
+		return nil
+	}
+
+	getName := exec.Command(jjBin, "config", "get", "user.name")
+	getName.Dir = repoDir
+	getEmail := exec.Command(jjBin, "config", "get", "user.email")
+	getEmail.Dir = repoDir
+
+	var gitUser, gitEmail string
+	if out, err := getName.Output(); err == nil {
+		gitUser = strings.TrimSpace(string(out))
+	}
+	if out, err := getEmail.Output(); err == nil {
+		gitEmail = strings.TrimSpace(string(out))
+	}
+
+	if gitUser == "" && gitEmail == "" {
+		return nil
+	}
+	return &AgentIdentity{GitUser: gitUser, GitEmail: gitEmail}
+}
+
+// readGitIdentity reads user.name and user.email via `git config` in the
+// given directory. This respects includeIf directives that depend on repo
+// context — unlike `git config --file` which only reads a single file.
+func readGitIdentity(repoDir string) *AgentIdentity {
+	gitBin, err := exec.LookPath("git")
+	if err != nil {
+		return nil
+	}
+
+	getName := exec.Command(gitBin, "config", "user.name")
+	getName.Dir = repoDir
+	getEmail := exec.Command(gitBin, "config", "user.email")
+	getEmail.Dir = repoDir
+
+	var gitUser, gitEmail string
+	if out, err := getName.Output(); err == nil {
+		gitUser = strings.TrimSpace(string(out))
+	}
+	if out, err := getEmail.Output(); err == nil {
+		gitEmail = strings.TrimSpace(string(out))
+	}
+
+	if gitUser == "" && gitEmail == "" {
+		return nil
+	}
+	return &AgentIdentity{GitUser: gitUser, GitEmail: gitEmail}
+}
+
+// HostConfig represents the host configuration from config.json
+type HostConfig struct {
+	User              string            `json:"user"`
+	UID               int               `json:"uid"` // Host user's UID
+	GID               int               `json:"gid"` // Host user's GID
+	AuthorizedKeys    []string          `json:"authorizedKeys"`
+	Secrets           map[string]string `json:"secrets"` // Secret name -> file path containing the secret
+	StateDir          string            `json:"stateDir"`
+	NixpkgsPath       string            `json:"nixpkgsPath"`
+	NixpkgsRev        string            `json:"nixpkgsRev"`
+	ProxyURL          string            `json:"proxyUrl,omitempty"`          // URL of the forage-proxy server
+	AgentIdentity     *AgentIdentity    `json:"agentIdentity,omitempty"`     // Host-level default agent identity
+	ContainerImage    string            `json:"containerImage,omitempty"`    // Override default container image for OCI runtimes
+	ContainerUsername string            `json:"containerUsername,omitempty"` // Container username (default: "agent")
+	WorkspacePath     string            `json:"workspacePath,omitempty"`     // Container workspace path (default: "/workspace")
+	StateVersion      string            `json:"stateVersion,omitempty"`      // NixOS state version (default: "24.11")
+}
+
+// ResolvedContainerUsername returns the container username, defaulting to "agent".
+func (c *HostConfig) ResolvedContainerUsername() string {
+	if c.ContainerUsername != "" {
+		return c.ContainerUsername
+	}
+	return "agent"
+}
+
+// ResolvedWorkspacePath returns the container workspace path, defaulting to "/workspace".
+func (c *HostConfig) ResolvedWorkspacePath() string {
+	if c.WorkspacePath != "" {
+		return c.WorkspacePath
+	}
+	return "/workspace"
+}
+
+// ResolvedStateVersion returns the NixOS state version, defaulting to "24.11".
+func (c *HostConfig) ResolvedStateVersion() string {
+	if c.StateVersion != "" {
+		return c.StateVersion
+	}
+	return "24.11"
+}
+
+// resolveUID looks up the UID/GID from the OS for the configured user
+// when they weren't explicitly set in the NixOS config (i.e., null/0 in JSON).
+func (c *HostConfig) resolveUID() error {
+	if c.UID != 0 && c.GID != 0 {
+		return nil
+	}
+
+	u, err := user.Lookup(c.User)
+	if err != nil {
+		return fmt.Errorf("failed to look up user %q: %w", c.User, err)
+	}
+
+	if c.UID == 0 {
+		uid, err := strconv.Atoi(u.Uid)
+		if err != nil {
+			return fmt.Errorf("failed to parse UID for user %q: %w", c.User, err)
+		}
+		c.UID = uid
+	}
+
+	if c.GID == 0 {
+		gid, err := strconv.Atoi(u.Gid)
+		if err != nil {
+			return fmt.Errorf("failed to parse GID for user %q: %w", c.User, err)
+		}
+		c.GID = gid
+	}
+
+	return nil
+}
+
+// Validate checks that the HostConfig is valid.
+func (c *HostConfig) Validate() error {
+	if c.User == "" {
+		return fmt.Errorf("user is required")
+	}
+
+	return nil
+}
+
+// TmuxWindow describes a tmux window to create at sandbox start.
+type TmuxWindow struct {
+	Name    string `json:"name"`
+	Command string `json:"command"`
+}
+
+// ResourceLimits configures cgroup resource constraints for the container.
+// All fields are optional; zero/empty values mean no limit.
+type ResourceLimits struct {
+	CPUQuota  string `json:"cpuQuota,omitempty"`  // CPU quota (e.g. "200%" for 2 cores)
+	MemoryMax string `json:"memoryMax,omitempty"` // Memory limit (e.g. "4G")
+	TasksMax  int    `json:"tasksMax,omitempty"`  // Maximum number of tasks/processes
+}
+
+// IsEmpty returns true if no resource limits are configured.
+func (r *ResourceLimits) IsEmpty() bool {
+	if r == nil {
+		return true
+	}
+	return r.CPUQuota == "" && r.MemoryMax == "" && r.TasksMax == 0
+}
+
+// WorkspaceMount defines a single mount source within the sandbox.
+// Each mount declares what to put where inside the container.
+type WorkspaceMount struct {
+	Name          string `json:"name"`          // identifier (from template key or generated)
+	ContainerPath string `json:"containerPath"` // e.g. "/workspace/.beads"
+
+	// Source — exactly one of HostPath or Repo must be set
+	HostPath string `json:"hostPath,omitempty"` // literal bind mount from host
+	Repo     string `json:"repo,omitempty"`     // repo reference (named repo, absolute path, or empty for default --repo)
+
+	// VCS options (only for repo-backed mounts)
+	Mode   string `json:"mode,omitempty"`   // "jj", "git-worktree", "direct" (default: auto-detect)
+	Branch string `json:"branch,omitempty"` // branch/ref to check out
+
+	ReadOnly bool `json:"readOnly,omitempty"`
+}
+
+// Template represents a sandbox template configuration
+type Template struct {
+	Name              string                     `json:"name"`
+	Description       string                     `json:"description"`
+	Network           string                     `json:"network"`
+	AllowedHosts      []string                   `json:"allowedHosts"`
+	Agents            map[string]AgentConfig     `json:"agents"`
+	ExtraPackages     []string                   `json:"extraPackages"`
+	UseProxy          bool                       `json:"useProxy,omitempty"`          // Use forage-proxy for API calls
+	AgentIdentity     *AgentIdentity             `json:"agentIdentity,omitempty"`     // Template-level default agent identity
+	TmuxWindows       []TmuxWindow               `json:"tmuxWindows,omitempty"`       // Explicit tmux window layout
+	Multiplexer       string                     `json:"multiplexer,omitempty"`       // "tmux" (default) or "wezterm"
+	Image             string                     `json:"image,omitempty"`             // Override default container image for this template
+	ReadOnlyWorkspace bool                       `json:"readOnlyWorkspace,omitempty"` // Mount workspace as read-only
+	ResourceLimits    *ResourceLimits            `json:"resourceLimits,omitempty"`    // Container resource limits
+	InitCommands      []string                   `json:"initCommands,omitempty"`      // Commands to run after container creation
+	WorkspaceMounts   map[string]*WorkspaceMount `json:"workspaceMounts,omitempty"`   // Composable workspace mounts (keyed by name)
+}
+
+// AgentPermissions controls agent permission settings.
+// When nil, no permission settings are generated.
+type AgentPermissions struct {
+	SkipAll bool     `json:"skipAll,omitempty"`
+	Allow   []string `json:"allow,omitempty"`
+	Deny    []string `json:"deny,omitempty"`
+}
+
+type AgentConfig struct {
+	PackagePath           string            `json:"packagePath"`
+	SecretName            string            `json:"secretName"`
+	AuthEnvVar            string            `json:"authEnvVar"`
+	HostConfigDir         string            `json:"hostConfigDir,omitempty"`
+	ContainerConfigDir    string            `json:"containerConfigDir,omitempty"`
+	HostConfigDirReadOnly bool              `json:"hostConfigDirReadOnly,omitempty"`
+	Permissions           *AgentPermissions `json:"permissions,omitempty"`
+}
+
+// Validate checks that the Template is valid.
+func (t *Template) Validate() error {
+	if t.Name == "" {
+		return fmt.Errorf("name is required")
+	}
+
+	if len(t.Agents) == 0 {
+		return fmt.Errorf("at least one agent is required")
+	}
+
+	for name, agent := range t.Agents {
+		if err := agent.Validate(); err != nil {
+			return fmt.Errorf("agent %s: %w", name, err)
+		}
+	}
+
+	validNetworks := map[string]bool{"full": true, "restricted": true, "none": true, "": true}
+	if !validNetworks[t.Network] {
+		return fmt.Errorf("invalid network mode: %s (must be full, restricted, or none)", t.Network)
+	}
+
+	return nil
+}
+
+// secretNameRegex validates secret names to prevent shell injection.
+// Secret names are used in shell commands like $(cat /run/secrets/<name> ...),
+// so they must be restricted to safe filename characters.
+var secretNameRegex = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9._-]*$`)
+
+// Validate checks that the AgentConfig is valid.
+func (a *AgentConfig) Validate() error {
+	if a.PackagePath == "" {
+		return fmt.Errorf("packagePath is required")
+	}
+
+	// If one of secretName/authEnvVar is set, both must be set
+	if (a.SecretName != "") != (a.AuthEnvVar != "") {
+		return fmt.Errorf("secretName and authEnvVar must both be set or both be empty")
+	}
+
+	// Validate secret name format to prevent shell injection
+	if a.SecretName != "" && !secretNameRegex.MatchString(a.SecretName) {
+		return fmt.Errorf("invalid secretName %q: must start with a letter and contain only letters, digits, dots, hyphens, or underscores", a.SecretName)
+	}
+
+	// Either secret-based auth OR credential mount is required
+	hasSecretAuth := a.SecretName != "" && a.AuthEnvVar != ""
+	hasCredentialMount := a.HostConfigDir != ""
+
+	if !hasSecretAuth && !hasCredentialMount {
+		return fmt.Errorf("either secretName/authEnvVar or hostConfigDir is required")
+	}
+
+	// Validate host config directory paths if specified
+	if a.HostConfigDir != "" {
+		if !filepath.IsAbs(a.HostConfigDir) {
+			return fmt.Errorf("hostConfigDir must be an absolute path (got %q)", a.HostConfigDir)
+		}
+	}
+	if a.ContainerConfigDir != "" {
+		if !filepath.IsAbs(a.ContainerConfigDir) {
+			return fmt.Errorf("containerConfigDir must be an absolute path (got %q)", a.ContainerConfigDir)
+		}
+	}
+	// If hostConfigDir is set, containerConfigDir should also be set (NixOS module does this)
+	if a.HostConfigDir != "" && a.ContainerConfigDir == "" {
+		return fmt.Errorf("containerConfigDir is required when hostConfigDir is set")
+	}
+
+	// Validate permissions
+	if a.Permissions != nil {
+		if a.Permissions.SkipAll && (len(a.Permissions.Allow) > 0 || len(a.Permissions.Deny) > 0) {
+			return fmt.Errorf("permissions: skipAll cannot be combined with allow or deny")
+		}
+	}
+
+	return nil
+}
+
+// WorkspaceMountMeta records a resolved workspace mount in sandbox metadata.
+// Unlike WorkspaceMount (template spec), this holds the effective host path
+// after repo resolution and VCS workspace creation.
+type WorkspaceMountMeta struct {
+	Name          string `json:"name"`
+	ContainerPath string `json:"containerPath"`
+	HostPath      string `json:"hostPath"`             // effective host path (managed dir or literal)
+	SourceRepo    string `json:"sourceRepo,omitempty"` // source repo path (for VCS-backed mounts)
+	Mode          string `json:"mode"`                 // "direct", "jj", "git-worktree"
+	Branch        string `json:"branch,omitempty"`     // branch/ref checked out
+	GitBranch     string `json:"gitBranch,omitempty"`  // git branch name (for git-worktree mode)
+	ReadOnly      bool   `json:"readOnly,omitempty"`
+}
+
+// SandboxMetadata represents the metadata for a running sandbox
+type SandboxMetadata struct {
+	Name            string         `json:"name"`
+	Template        string         `json:"template"`
+	Workspace       string         `json:"workspace"`
+	NetworkSlot     int            `json:"networkSlot"`
+	CreatedAt       string         `json:"createdAt"`
+	WorkspaceMode   string         `json:"workspaceMode,omitempty"`   // "direct", "jj", or "git-worktree"
+	SourceRepo      string         `json:"sourceRepo,omitempty"`      // Source repo path for jj/git-worktree
+	JJWorkspaceName string         `json:"jjWorkspaceName,omitempty"` // JJ workspace name
+	GitBranch       string         `json:"gitBranch,omitempty"`       // Git branch name for worktree
+	AgentIdentity   *AgentIdentity `json:"agentIdentity,omitempty"`   // Resolved agent identity
+	Multiplexer     string         `json:"multiplexer,omitempty"`     // "tmux" (default) or "wezterm"
+	ContainerName   string         `json:"containerName,omitempty"`   // Short container name (e.g. "f42"); empty for legacy sandboxes
+	Runtime         string         `json:"runtime,omitempty"`         // Runtime backend used (e.g. "nspawn", "docker", "podman")
+	CachedEtcPath   string         `json:"cachedEtcPath,omitempty"`   // Cached /etc store path for fast restart
+
+	// Composable workspace mounts — supersedes Workspace/WorkspaceMode/SourceRepo when present.
+	WorkspaceMounts []WorkspaceMountMeta `json:"workspaceMounts,omitempty"`
+}
+
+// ContainerIP returns the container's IP address based on its network slot.
+// Containers use the 10.100.X.0/24 network where X is the NetworkSlot.
+// The container gets .2 (host gets .1).
+func (m *SandboxMetadata) ContainerIP() string {
+	return fmt.Sprintf("10.100.%d.2", m.NetworkSlot)
+}
+
+// Validate checks that the SandboxMetadata is valid.
+func (m *SandboxMetadata) Validate() error {
+	if m.Name == "" {
+		return fmt.Errorf("name is required")
+	}
+	if m.Template == "" {
+		return fmt.Errorf("template is required")
+	}
+	if m.NetworkSlot < 1 || m.NetworkSlot > 254 {
+		return fmt.Errorf("networkSlot must be between 1 and 254 (got %d)", m.NetworkSlot)
+	}
+
+	// Allow either legacy Workspace field or new WorkspaceMounts
+	if m.Workspace == "" && len(m.WorkspaceMounts) == 0 {
+		return fmt.Errorf("workspace or workspaceMounts is required")
+	}
+
+	validModes := map[string]bool{"direct": true, "jj": true, "git-worktree": true, "": true}
+	if !validModes[m.WorkspaceMode] {
+		return fmt.Errorf("invalid workspaceMode: %s", m.WorkspaceMode)
+	}
+
+	for _, mount := range m.WorkspaceMounts {
+		if !validModes[mount.Mode] {
+			return fmt.Errorf("invalid mode %q for mount %s", mount.Mode, mount.Name)
+		}
+	}
+
+	return nil
+}
+
+// Paths holds the configured paths
+type Paths struct {
+	ConfigDir     string
+	StateDir      string
+	SecretsDir    string
+	SandboxesDir  string
+	WorkspacesDir string
+	TemplatesDir  string
+}
+
+// DefaultPaths returns the path configuration, respecting environment overrides.
+//
+// Environment variables:
+//   - FORAGE_CONFIG_DIR  → config directory (default: /etc/firefly-forage)
+//   - FORAGE_STATE_DIR   → state directory  (default: /var/lib/firefly-forage)
+//   - FORAGE_SECRETS_DIR → secrets directory (default: /run/forage-secrets)
+func DefaultPaths() *Paths {
+	configDir := envOrDefault("FORAGE_CONFIG_DIR", DefaultConfigDir)
+	stateDir := envOrDefault("FORAGE_STATE_DIR", DefaultStateDir)
+	secretsDir := envOrDefault("FORAGE_SECRETS_DIR", DefaultSecretsDir)
+	return &Paths{
+		ConfigDir:     configDir,
+		StateDir:      stateDir,
+		SecretsDir:    secretsDir,
+		SandboxesDir:  filepath.Join(stateDir, "sandboxes"),
+		WorkspacesDir: filepath.Join(stateDir, "workspaces"),
+		TemplatesDir:  filepath.Join(configDir, "templates"),
+	}
+}
+
+func envOrDefault(key, fallback string) string {
+	if v := os.Getenv(key); v != "" {
+		return v
+	}
+	return fallback
+}
+
+// LoadHostConfig loads the host configuration from config.json
+func LoadHostConfig(configDir string) (*HostConfig, error) {
+	configPath := filepath.Join(configDir, "config.json")
+	data, err := os.ReadFile(configPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read host config: %w", err)
+	}
+
+	var config HostConfig
+	if err := json.Unmarshal(data, &config); err != nil {
+		return nil, fmt.Errorf("failed to parse host config: %w", err)
+	}
+
+	if err := config.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid host config: %w", err)
+	}
+
+	// Resolve UID/GID from OS if not set in config (NixOS auto-assigns UIDs)
+	if err := config.resolveUID(); err != nil {
+		return nil, fmt.Errorf("failed to resolve user IDs: %w", err)
+	}
+
+	return &config, nil
+}
+
+// LoadTemplate loads a template configuration
+func LoadTemplate(templatesDir, name string) (*Template, error) {
+	templatePath, err := safePath(templatesDir, name, ".json")
+	if err != nil {
+		return nil, fmt.Errorf("invalid template name: %w", err)
+	}
+	data, err := os.ReadFile(templatePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read template %s: %w", name, err)
+	}
+
+	var template Template
+	if err := json.Unmarshal(data, &template); err != nil {
+		return nil, fmt.Errorf("failed to parse template %s: %w", name, err)
+	}
+
+	// Set name from filename if not specified in JSON
+	if template.Name == "" {
+		template.Name = name
+	}
+
+	if err := template.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid template %s: %w", name, err)
+	}
+
+	return &template, nil
+}
+
+// ListTemplates returns all available templates
+func ListTemplates(templatesDir string) ([]*Template, error) {
+	entries, err := os.ReadDir(templatesDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read templates directory: %w", err)
+	}
+
+	var templates []*Template
+	for _, entry := range entries {
+		if entry.IsDir() || filepath.Ext(entry.Name()) != ".json" {
+			continue
+		}
+		name := entry.Name()[:len(entry.Name())-5] // Remove .json extension
+		template, err := LoadTemplate(templatesDir, name)
+		if err != nil {
+			continue // Skip invalid templates
+		}
+		templates = append(templates, template)
+	}
+
+	return templates, nil
+}
+
+// LoadSandboxMetadata loads metadata for a sandbox
+func LoadSandboxMetadata(sandboxesDir, name string) (*SandboxMetadata, error) {
+	metaPath, err := safePath(sandboxesDir, name, ".json")
+	if err != nil {
+		return nil, fmt.Errorf("invalid sandbox name: %w", err)
+	}
+	data, err := os.ReadFile(metaPath)
+	if err != nil {
+		return nil, fmt.Errorf("sandbox not found: %s", name)
+	}
+
+	var metadata SandboxMetadata
+	if err := json.Unmarshal(data, &metadata); err != nil {
+		return nil, fmt.Errorf("failed to parse sandbox metadata: %w", err)
+	}
+
+	// Default workspace mode
+	if metadata.WorkspaceMode == "" {
+		metadata.WorkspaceMode = "direct"
+	}
+
+	return &metadata, nil
+}
+
+// SaveSandboxMetadata saves metadata for a sandbox
+func SaveSandboxMetadata(sandboxesDir string, metadata *SandboxMetadata) error {
+	if err := os.MkdirAll(sandboxesDir, 0755); err != nil {
+		return fmt.Errorf("failed to create sandboxes directory: %w", err)
+	}
+
+	metaPath, err := safePath(sandboxesDir, metadata.Name, ".json")
+	if err != nil {
+		return fmt.Errorf("invalid sandbox name: %w", err)
+	}
+	data, err := json.MarshalIndent(metadata, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal metadata: %w", err)
+	}
+
+	if err := os.WriteFile(metaPath, data, 0644); err != nil {
+		return fmt.Errorf("failed to write metadata: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteSandboxMetadata removes metadata for a sandbox
+func DeleteSandboxMetadata(sandboxesDir, name string) error {
+	metaPath, err := safePath(sandboxesDir, name, ".json")
+	if err != nil {
+		return fmt.Errorf("invalid sandbox name: %w", err)
+	}
+	return os.Remove(metaPath)
+}
+
+// ListSandboxes returns all sandbox metadata
+func ListSandboxes(sandboxesDir string) ([]*SandboxMetadata, error) {
+	entries, err := os.ReadDir(sandboxesDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to read sandboxes directory: %w", err)
+	}
+
+	var sandboxes []*SandboxMetadata
+	for _, entry := range entries {
+		if entry.IsDir() || !IsSandboxMetadataFile(entry.Name()) {
+			continue
+		}
+		name := strings.TrimSuffix(entry.Name(), ".json")
+		metadata, err := LoadSandboxMetadata(sandboxesDir, name)
+		if err != nil {
+			continue
+		}
+		sandboxes = append(sandboxes, metadata)
+	}
+
+	return sandboxes, nil
+}
+
+// SandboxExists checks if a sandbox exists
+func SandboxExists(sandboxesDir, name string) bool {
+	metaPath, err := safePath(sandboxesDir, name, ".json")
+	if err != nil {
+		return false // Invalid name means it doesn't exist
+	}
+	_, err = os.Stat(metaPath)
+	return err == nil
+}
+
+// ContainerName returns the legacy container name for a sandbox.
+// Deprecated: Use ContainerNameForSlot for new sandboxes or
+// SandboxMetadata.ResolvedContainerName for existing ones.
+func ContainerName(sandboxName string) string {
+	return ContainerPrefix + sandboxName
+}
+
+// ContainerNameForSlot returns a short container name derived from the network slot.
+// This produces names like "f1", "f42", "f254" that fit within the 11-character
+// limit imposed by NixOS containers with privateNetwork.
+func ContainerNameForSlot(slot int) string {
+	return fmt.Sprintf("f%d", slot)
+}
+
+// ResolvedContainerName returns the container name to use for this sandbox.
+// Returns the new short ContainerName if set, otherwise falls back to the
+// legacy "forage-{name}" format for backward compatibility.
+func (m *SandboxMetadata) ResolvedContainerName() string {
+	if m.ContainerName != "" {
+		return m.ContainerName
+	}
+	return ContainerPrefix + m.Name
+}
diff --git a/packages/forage-ctl/internal/config/config_test.go b/packages/forage-ctl/internal/config/config_test.go
new file mode 100644
index 0000000..f3c49db
--- /dev/null
+++ b/packages/forage-ctl/internal/config/config_test.go
@@ -0,0 +1,1511 @@
+package config
+
+import (
+	"encoding/json"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestDefaultPaths(t *testing.T) {
+	// Clear env vars so we get the compiled defaults.
+	// t.Setenv("", ...) sets to empty string, which envOrDefault treats as unset.
+	for _, k := range []string{"FORAGE_CONFIG_DIR", "FORAGE_STATE_DIR", "FORAGE_SECRETS_DIR"} {
+		t.Setenv(k, "")
+	}
+
+	paths := DefaultPaths()
+
+	if paths.ConfigDir != DefaultConfigDir {
+		t.Errorf("ConfigDir = %q, want %q", paths.ConfigDir, DefaultConfigDir)
+	}
+	if paths.StateDir != DefaultStateDir {
+		t.Errorf("StateDir = %q, want %q", paths.StateDir, DefaultStateDir)
+	}
+	if paths.SecretsDir != DefaultSecretsDir {
+		t.Errorf("SecretsDir = %q, want %q", paths.SecretsDir, DefaultSecretsDir)
+	}
+	if paths.SandboxesDir != filepath.Join(DefaultStateDir, "sandboxes") {
+		t.Errorf("SandboxesDir = %q, want %q", paths.SandboxesDir, filepath.Join(DefaultStateDir, "sandboxes"))
+	}
+	if paths.WorkspacesDir != filepath.Join(DefaultStateDir, "workspaces") {
+		t.Errorf("WorkspacesDir = %q, want %q", paths.WorkspacesDir, filepath.Join(DefaultStateDir, "workspaces"))
+	}
+	if paths.TemplatesDir != filepath.Join(DefaultConfigDir, "templates") {
+		t.Errorf("TemplatesDir = %q, want %q", paths.TemplatesDir, filepath.Join(DefaultConfigDir, "templates"))
+	}
+}
+
+func TestDefaultPathsEnvOverride(t *testing.T) {
+	t.Setenv("FORAGE_CONFIG_DIR", "/tmp/forage-config")
+	t.Setenv("FORAGE_STATE_DIR", "/tmp/forage-state")
+	t.Setenv("FORAGE_SECRETS_DIR", "/tmp/forage-secrets")
+
+	paths := DefaultPaths()
+
+	if paths.ConfigDir != "/tmp/forage-config" {
+		t.Errorf("ConfigDir = %q, want /tmp/forage-config", paths.ConfigDir)
+	}
+	if paths.StateDir != "/tmp/forage-state" {
+		t.Errorf("StateDir = %q, want /tmp/forage-state", paths.StateDir)
+	}
+	if paths.SecretsDir != "/tmp/forage-secrets" {
+		t.Errorf("SecretsDir = %q, want /tmp/forage-secrets", paths.SecretsDir)
+	}
+	if paths.SandboxesDir != "/tmp/forage-state/sandboxes" {
+		t.Errorf("SandboxesDir = %q, want /tmp/forage-state/sandboxes", paths.SandboxesDir)
+	}
+	if paths.WorkspacesDir != "/tmp/forage-state/workspaces" {
+		t.Errorf("WorkspacesDir = %q, want /tmp/forage-state/workspaces", paths.WorkspacesDir)
+	}
+	if paths.TemplatesDir != "/tmp/forage-config/templates" {
+		t.Errorf("TemplatesDir = %q, want /tmp/forage-config/templates", paths.TemplatesDir)
+	}
+}
+
+func TestContainerName(t *testing.T) {
+	tests := []struct {
+		sandboxName string
+		want        string
+	}{
+		{"myproject", "forage-myproject"},
+		{"test-123", "forage-test-123"},
+		{"", "forage-"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.sandboxName, func(t *testing.T) {
+			got := ContainerName(tt.sandboxName)
+			if got != tt.want {
+				t.Errorf("ContainerName(%q) = %q, want %q", tt.sandboxName, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestContainerNameForSlot(t *testing.T) {
+	tests := []struct {
+		slot int
+		want string
+	}{
+		{1, "f1"},
+		{42, "f42"},
+		{254, "f254"},
+	}
+
+	for _, tt := range tests {
+		got := ContainerNameForSlot(tt.slot)
+		if got != tt.want {
+			t.Errorf("ContainerNameForSlot(%d) = %q, want %q", tt.slot, got, tt.want)
+		}
+	}
+}
+
+func TestResolvedContainerName(t *testing.T) {
+	// New sandbox with ContainerName set
+	meta := &SandboxMetadata{Name: "review", ContainerName: "f5"}
+	if got := meta.ResolvedContainerName(); got != "f5" {
+		t.Errorf("ResolvedContainerName() = %q, want %q", got, "f5")
+	}
+
+	// Legacy sandbox without ContainerName
+	legacy := &SandboxMetadata{Name: "review"}
+	if got := legacy.ResolvedContainerName(); got != "forage-review" {
+		t.Errorf("ResolvedContainerName() = %q, want %q", got, "forage-review")
+	}
+}
+
+func TestLoadHostConfig(t *testing.T) {
+	// Create a temporary directory
+	tmpDir := t.TempDir()
+
+	// Create a test config file
+	config := HostConfig{
+		User:           "testuser",
+		UID:            1000,
+		GID:            100,
+		AuthorizedKeys: []string{"ssh-rsa AAAA..."},
+		Secrets:        map[string]string{"anthropic": "sk-test"},
+		StateDir:       "/var/lib/forage",
+		NixpkgsRev:     "abc123",
+	}
+
+	data, err := json.MarshalIndent(config, "", "  ")
+	if err != nil {
+		t.Fatalf("Failed to marshal config: %v", err)
+	}
+
+	configPath := filepath.Join(tmpDir, "config.json")
+	if err = os.WriteFile(configPath, data, 0644); err != nil {
+		t.Fatalf("Failed to write config: %v", err)
+	}
+
+	// Test loading the config
+	loaded, err := LoadHostConfig(tmpDir)
+	if err != nil {
+		t.Fatalf("LoadHostConfig failed: %v", err)
+	}
+
+	if loaded.User != config.User {
+		t.Errorf("User = %q, want %q", loaded.User, config.User)
+	}
+	if loaded.NixpkgsRev != config.NixpkgsRev {
+		t.Errorf("NixpkgsRev = %q, want %q", loaded.NixpkgsRev, config.NixpkgsRev)
+	}
+}
+
+func TestLoadHostConfig_NotFound(t *testing.T) {
+	_, err := LoadHostConfig("/nonexistent/path")
+	if err == nil {
+		t.Error("Expected error for nonexistent config, got nil")
+	}
+}
+
+func TestLoadHostConfig_InvalidJSON(t *testing.T) {
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "config.json")
+
+	if err := os.WriteFile(configPath, []byte("not valid json"), 0644); err != nil {
+		t.Fatalf("Failed to write config: %v", err)
+	}
+
+	_, err := LoadHostConfig(tmpDir)
+	if err == nil {
+		t.Error("Expected error for invalid JSON, got nil")
+	}
+}
+
+func TestLoadTemplate(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	template := Template{
+		Name:        "claude",
+		Description: "Claude Code sandbox",
+		Network:     "full",
+		Agents: map[string]AgentConfig{
+			"claude": {
+				PackagePath: "pkgs.claude-code",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+		ExtraPackages: []string{"ripgrep", "fd"},
+	}
+
+	data, err := json.MarshalIndent(template, "", "  ")
+	if err != nil {
+		t.Fatalf("Failed to marshal template: %v", err)
+	}
+
+	templatePath := filepath.Join(tmpDir, "claude.json")
+	if err = os.WriteFile(templatePath, data, 0644); err != nil {
+		t.Fatalf("Failed to write template: %v", err)
+	}
+
+	loaded, err := LoadTemplate(tmpDir, "claude")
+	if err != nil {
+		t.Fatalf("LoadTemplate failed: %v", err)
+	}
+
+	if loaded.Name != template.Name {
+		t.Errorf("Name = %q, want %q", loaded.Name, template.Name)
+	}
+	if loaded.Network != template.Network {
+		t.Errorf("Network = %q, want %q", loaded.Network, template.Network)
+	}
+	if len(loaded.Agents) != 1 {
+		t.Errorf("len(Agents) = %d, want 1", len(loaded.Agents))
+	}
+	if agent, ok := loaded.Agents["claude"]; !ok {
+		t.Error("Agent 'claude' not found")
+	} else if agent.AuthEnvVar != "ANTHROPIC_API_KEY" {
+		t.Errorf("AuthEnvVar = %q, want %q", agent.AuthEnvVar, "ANTHROPIC_API_KEY")
+	}
+}
+
+func TestLoadTemplate_NotFound(t *testing.T) {
+	_, err := LoadTemplate("/nonexistent", "missing")
+	if err == nil {
+		t.Error("Expected error for nonexistent template, got nil")
+	}
+}
+
+func TestListTemplates(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create two valid templates (must have agents with all required fields)
+	templates := []Template{
+		{
+			Name:        "claude",
+			Description: "Claude sandbox",
+			Agents: map[string]AgentConfig{
+				"claude": {PackagePath: "claude-code", SecretName: "anthropic-api-key", AuthEnvVar: "ANTHROPIC_API_KEY"},
+			},
+		},
+		{
+			Name:        "multi",
+			Description: "Multi-agent sandbox",
+			Agents: map[string]AgentConfig{
+				"agent1": {PackagePath: "agent1", SecretName: "key1", AuthEnvVar: "API_KEY"},
+			},
+		},
+	}
+
+	for _, tmpl := range templates {
+		data, _ := json.MarshalIndent(tmpl, "", "  ")
+		path := filepath.Join(tmpDir, tmpl.Name+".json")
+		os.WriteFile(path, data, 0644)
+	}
+
+	// Create a non-json file (should be ignored)
+	os.WriteFile(filepath.Join(tmpDir, "readme.txt"), []byte("ignore me"), 0644)
+
+	// Create a directory (should be ignored)
+	os.Mkdir(filepath.Join(tmpDir, "subdir"), 0755)
+
+	loaded, err := ListTemplates(tmpDir)
+	if err != nil {
+		t.Fatalf("ListTemplates failed: %v", err)
+	}
+
+	if len(loaded) != 2 {
+		t.Errorf("len(loaded) = %d, want 2", len(loaded))
+	}
+}
+
+func TestSandboxMetadata(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	metadata := &SandboxMetadata{
+		Name:            "test-sandbox",
+		Template:        "claude",
+		Workspace:       "/home/user/project",
+		NetworkSlot:     1,
+		CreatedAt:       "2024-01-01T00:00:00Z",
+		WorkspaceMode:   "jj",
+		SourceRepo:      "/home/user/repo",
+		JJWorkspaceName: "test-sandbox",
+	}
+
+	// Test save
+	if err := SaveSandboxMetadata(tmpDir, metadata); err != nil {
+		t.Fatalf("SaveSandboxMetadata failed: %v", err)
+	}
+
+	// Verify file exists
+	metaPath := filepath.Join(tmpDir, "test-sandbox.json")
+	if _, err := os.Stat(metaPath); os.IsNotExist(err) {
+		t.Error("Metadata file was not created")
+	}
+
+	// Test load
+	loaded, err := LoadSandboxMetadata(tmpDir, "test-sandbox")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if loaded.Name != metadata.Name {
+		t.Errorf("Name = %q, want %q", loaded.Name, metadata.Name)
+	}
+	if loaded.NetworkSlot != metadata.NetworkSlot {
+		t.Errorf("NetworkSlot = %d, want %d", loaded.NetworkSlot, metadata.NetworkSlot)
+	}
+	if loaded.WorkspaceMode != metadata.WorkspaceMode {
+		t.Errorf("WorkspaceMode = %q, want %q", loaded.WorkspaceMode, metadata.WorkspaceMode)
+	}
+
+	// Test ContainerIP
+	expectedIP := "10.100.1.2"
+	if loaded.ContainerIP() != expectedIP {
+		t.Errorf("ContainerIP() = %q, want %q", loaded.ContainerIP(), expectedIP)
+	}
+
+	// Test exists
+	if !SandboxExists(tmpDir, "test-sandbox") {
+		t.Error("SandboxExists returned false for existing sandbox")
+	}
+	if SandboxExists(tmpDir, "nonexistent") {
+		t.Error("SandboxExists returned true for nonexistent sandbox")
+	}
+
+	// Test delete
+	if err := DeleteSandboxMetadata(tmpDir, "test-sandbox"); err != nil {
+		t.Fatalf("DeleteSandboxMetadata failed: %v", err)
+	}
+
+	if SandboxExists(tmpDir, "test-sandbox") {
+		t.Error("Sandbox still exists after delete")
+	}
+}
+
+func TestLoadSandboxMetadata_DefaultWorkspaceMode(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create metadata without WorkspaceMode (simulating old format)
+	data := `{"name": "old-sandbox", "template": "claude", "networkSlot": 1}`
+	metaPath := filepath.Join(tmpDir, "old-sandbox.json")
+	if err := os.WriteFile(metaPath, []byte(data), 0644); err != nil {
+		t.Fatalf("Failed to write metadata: %v", err)
+	}
+
+	loaded, err := LoadSandboxMetadata(tmpDir, "old-sandbox")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if loaded.WorkspaceMode != "direct" {
+		t.Errorf("WorkspaceMode = %q, want %q (default)", loaded.WorkspaceMode, "direct")
+	}
+}
+
+func TestListSandboxes(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create some sandbox metadata
+	sandboxes := []*SandboxMetadata{
+		{Name: "sandbox-1", Template: "claude", NetworkSlot: 1},
+		{Name: "sandbox-2", Template: "multi", NetworkSlot: 2},
+	}
+
+	for _, sb := range sandboxes {
+		SaveSandboxMetadata(tmpDir, sb)
+	}
+
+	// Create a non-json file (should be ignored)
+	os.WriteFile(filepath.Join(tmpDir, "notes.txt"), []byte("ignore"), 0644)
+
+	loaded, err := ListSandboxes(tmpDir)
+	if err != nil {
+		t.Fatalf("ListSandboxes failed: %v", err)
+	}
+
+	if len(loaded) != 2 {
+		t.Errorf("len(loaded) = %d, want 2", len(loaded))
+	}
+}
+
+func TestListSandboxes_SkipsPermissionsFiles(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create valid sandbox metadata
+	SaveSandboxMetadata(tmpDir, &SandboxMetadata{
+		Name: "test", Template: "claude", NetworkSlot: 1, Workspace: "/w",
+	})
+
+	// Create permissions files that should be skipped
+	os.WriteFile(filepath.Join(tmpDir, "test.claude-permissions.json"), []byte(`{}`), 0644)
+	os.WriteFile(filepath.Join(tmpDir, "test.copilot-permissions.json"), []byte(`{}`), 0644)
+
+	// Create another dotted JSON file that should be skipped
+	os.WriteFile(filepath.Join(tmpDir, "some.other.json"), []byte(`{}`), 0644)
+
+	loaded, err := ListSandboxes(tmpDir)
+	if err != nil {
+		t.Fatalf("ListSandboxes failed: %v", err)
+	}
+
+	if len(loaded) != 1 {
+		t.Errorf("len(loaded) = %d, want 1 (permissions files should be skipped)", len(loaded))
+	}
+	if len(loaded) > 0 && loaded[0].Name != "test" {
+		t.Errorf("loaded[0].Name = %q, want %q", loaded[0].Name, "test")
+	}
+}
+
+func TestIsSandboxMetadataFile(t *testing.T) {
+	tests := []struct {
+		filename string
+		want     bool
+	}{
+		{"sandbox-1.json", true},
+		{"my-project.json", true},
+		{"test.claude-permissions.json", false},
+		{"test.copilot-permissions.json", false},
+		{"some.other.json", false},
+		{"notes.txt", false},
+		{"readme.md", false},
+		{".json", true}, // edge case: empty name before .json
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.filename, func(t *testing.T) {
+			got := IsSandboxMetadataFile(tt.filename)
+			if got != tt.want {
+				t.Errorf("IsSandboxMetadataFile(%q) = %v, want %v", tt.filename, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestListSandboxes_EmptyDir(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	loaded, err := ListSandboxes(tmpDir)
+	if err != nil {
+		t.Fatalf("ListSandboxes failed: %v", err)
+	}
+
+	if len(loaded) != 0 {
+		t.Errorf("len(loaded) = %d, want 0", len(loaded))
+	}
+}
+
+func TestListSandboxes_NonexistentDir(t *testing.T) {
+	loaded, err := ListSandboxes("/nonexistent/path")
+	if err != nil {
+		t.Fatalf("ListSandboxes should not error for nonexistent dir: %v", err)
+	}
+
+	if loaded != nil {
+		t.Errorf("loaded = %v, want nil", loaded)
+	}
+}
+
+func TestSafePath(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Valid names should resolve within the base directory
+	for _, tt := range []struct {
+		name   string
+		fname  string
+		suffix string
+	}{
+		{"valid name", "sandbox1", ".json"},
+		{"valid with dash", "my-sandbox", ".json"},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := safePath(tmpDir, tt.fname, tt.suffix)
+			if err != nil {
+				t.Errorf("safePath(%q, %q, %q) unexpected error: %v", tmpDir, tt.fname, tt.suffix, err)
+			}
+			if !strings.HasPrefix(result, tmpDir) {
+				t.Errorf("safePath result %q escapes base %q", result, tmpDir)
+			}
+		})
+	}
+
+	// Traversal attempts must be rejected
+	for _, tt := range []struct {
+		name   string
+		fname  string
+		suffix string
+	}{
+		{"path traversal", "../escape", ".json"},
+		{"deep traversal", "../../etc/passwd", ""},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := safePath(tmpDir, tt.fname, tt.suffix)
+			if err != nil {
+				return // error is expected
+			}
+			// If no error, the result must still be contained within the base
+			if !strings.HasPrefix(result, tmpDir) {
+				t.Errorf("safePath(%q, %q, %q) = %q escapes base directory", tmpDir, tt.fname, tt.suffix, result)
+			}
+		})
+	}
+}
+
+func TestLoadSandboxMetadata_PathTraversal(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Attempt to load with path traversal attack
+	_, err := LoadSandboxMetadata(tmpDir, "../../../etc/passwd")
+	if err == nil {
+		t.Error("Expected error for path traversal, got nil")
+	}
+}
+
+func TestAgentConfigValidate(t *testing.T) {
+	tests := []struct {
+		name    string
+		agent   AgentConfig
+		wantErr string
+	}{
+		{
+			name: "valid basic config",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+			wantErr: "",
+		},
+		{
+			name: "valid with host config dir",
+			agent: AgentConfig{
+				PackagePath:        "/nix/store/abc-claude",
+				SecretName:         "anthropic",
+				AuthEnvVar:         "ANTHROPIC_API_KEY",
+				HostConfigDir:      "/home/user/.claude",
+				ContainerConfigDir: "/home/agent/.claude",
+			},
+			wantErr: "",
+		},
+		{
+			name: "valid with read-only config dir",
+			agent: AgentConfig{
+				PackagePath:           "/nix/store/abc-claude",
+				SecretName:            "anthropic",
+				AuthEnvVar:            "ANTHROPIC_API_KEY",
+				HostConfigDir:         "/home/user/.claude",
+				ContainerConfigDir:    "/home/agent/.claude",
+				HostConfigDirReadOnly: true,
+			},
+			wantErr: "",
+		},
+		{
+			name: "valid credential mount only (no secret)",
+			agent: AgentConfig{
+				PackagePath:        "/nix/store/abc-claude",
+				HostConfigDir:      "/home/user/.claude",
+				ContainerConfigDir: "/home/agent/.claude",
+			},
+			wantErr: "",
+		},
+		{
+			name: "missing packagePath",
+			agent: AgentConfig{
+				SecretName: "anthropic",
+				AuthEnvVar: "ANTHROPIC_API_KEY",
+			},
+			wantErr: "packagePath is required",
+		},
+		{
+			name: "no auth method",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+			},
+			wantErr: "either secretName/authEnvVar or hostConfigDir is required",
+		},
+		{
+			name: "secretName without authEnvVar",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+			},
+			wantErr: "secretName and authEnvVar must both be set or both be empty",
+		},
+		{
+			name: "authEnvVar without secretName",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+			wantErr: "secretName and authEnvVar must both be set or both be empty",
+		},
+		{
+			name: "relative hostConfigDir",
+			agent: AgentConfig{
+				PackagePath:        "/nix/store/abc-claude",
+				SecretName:         "anthropic",
+				AuthEnvVar:         "ANTHROPIC_API_KEY",
+				HostConfigDir:      ".claude",
+				ContainerConfigDir: "/home/agent/.claude",
+			},
+			wantErr: "hostConfigDir must be an absolute path",
+		},
+		{
+			name: "relative containerConfigDir",
+			agent: AgentConfig{
+				PackagePath:        "/nix/store/abc-claude",
+				SecretName:         "anthropic",
+				AuthEnvVar:         "ANTHROPIC_API_KEY",
+				HostConfigDir:      "/home/user/.claude",
+				ContainerConfigDir: ".claude",
+			},
+			wantErr: "containerConfigDir must be an absolute path",
+		},
+		{
+			name: "hostConfigDir without containerConfigDir",
+			agent: AgentConfig{
+				PackagePath:   "/nix/store/abc-claude",
+				SecretName:    "anthropic",
+				AuthEnvVar:    "ANTHROPIC_API_KEY",
+				HostConfigDir: "/home/user/.claude",
+			},
+			wantErr: "containerConfigDir is required when hostConfigDir is set",
+		},
+		{
+			name: "valid permissions skipAll",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+				Permissions: &AgentPermissions{SkipAll: true},
+			},
+			wantErr: "",
+		},
+		{
+			name: "valid permissions allow and deny",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+				Permissions: &AgentPermissions{
+					Allow: []string{"Read", "Glob"},
+					Deny:  []string{"Bash(rm -rf *)"},
+				},
+			},
+			wantErr: "",
+		},
+		{
+			name: "valid nil permissions",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+			wantErr: "",
+		},
+		{
+			name: "invalid skipAll with allow",
+			agent: AgentConfig{
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+				Permissions: &AgentPermissions{
+					SkipAll: true,
+					Allow:   []string{"Read"},
+				},
+			},
+			wantErr: "permissions: skipAll cannot be combined with allow or deny",
+		},
+		{
+			name: "valid permissions with hostConfigDir",
+			agent: AgentConfig{
+				PackagePath:        "/nix/store/abc-claude",
+				SecretName:         "anthropic",
+				AuthEnvVar:         "ANTHROPIC_API_KEY",
+				HostConfigDir:      "/home/user/.claude",
+				ContainerConfigDir: "/home/agent/.claude",
+				Permissions:        &AgentPermissions{SkipAll: true},
+			},
+			wantErr: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.agent.Validate()
+			if tt.wantErr == "" {
+				if err != nil {
+					t.Errorf("Validate() unexpected error: %v", err)
+				}
+			} else {
+				if err == nil {
+					t.Errorf("Validate() expected error containing %q, got nil", tt.wantErr)
+				} else if !strings.Contains(err.Error(), tt.wantErr) {
+					t.Errorf("Validate() error = %q, want containing %q", err.Error(), tt.wantErr)
+				}
+			}
+		})
+	}
+}
+
+func TestAgentIdentity_RoundTrip(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	metadata := &SandboxMetadata{
+		Name:        "identity-test",
+		Template:    "claude",
+		Workspace:   "/workspace",
+		NetworkSlot: 1,
+		AgentIdentity: &AgentIdentity{
+			GitUser:    "Agent Bot",
+			GitEmail:   "agent@example.com",
+			SSHKeyPath: "/run/secrets/agent-key",
+		},
+	}
+
+	if err := SaveSandboxMetadata(tmpDir, metadata); err != nil {
+		t.Fatalf("SaveSandboxMetadata failed: %v", err)
+	}
+
+	loaded, err := LoadSandboxMetadata(tmpDir, "identity-test")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if loaded.AgentIdentity == nil {
+		t.Fatal("AgentIdentity should not be nil after round-trip")
+	}
+	if loaded.AgentIdentity.GitUser != "Agent Bot" {
+		t.Errorf("GitUser = %q, want %q", loaded.AgentIdentity.GitUser, "Agent Bot")
+	}
+	if loaded.AgentIdentity.GitEmail != "agent@example.com" {
+		t.Errorf("GitEmail = %q, want %q", loaded.AgentIdentity.GitEmail, "agent@example.com")
+	}
+	if loaded.AgentIdentity.SSHKeyPath != "/run/secrets/agent-key" {
+		t.Errorf("SSHKeyPath = %q, want %q", loaded.AgentIdentity.SSHKeyPath, "/run/secrets/agent-key")
+	}
+}
+
+func TestAgentIdentity_BackwardCompat(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// JSON without agentIdentity (old format)
+	data := `{"name": "old-sandbox", "template": "claude", "networkSlot": 1, "workspace": "/w"}`
+	metaPath := filepath.Join(tmpDir, "old-sandbox.json")
+	if err := os.WriteFile(metaPath, []byte(data), 0644); err != nil {
+		t.Fatalf("Failed to write metadata: %v", err)
+	}
+
+	loaded, err := LoadSandboxMetadata(tmpDir, "old-sandbox")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if loaded.AgentIdentity != nil {
+		t.Error("AgentIdentity should be nil for old format without identity")
+	}
+}
+
+func TestAgentIdentity_NilOmittedInJSON(t *testing.T) {
+	metadata := &SandboxMetadata{
+		Name:        "no-identity",
+		Template:    "claude",
+		Workspace:   "/w",
+		NetworkSlot: 1,
+	}
+
+	data, err := json.MarshalIndent(metadata, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	if strings.Contains(string(data), "agentIdentity") {
+		t.Error("nil AgentIdentity should be omitted from JSON")
+	}
+}
+
+func TestValidateAgentIdentity(t *testing.T) {
+	// Create temp files for SSH key tests
+	tmpDir := t.TempDir()
+	keyPath := filepath.Join(tmpDir, "id_ed25519")
+	pubPath := keyPath + ".pub"
+	os.WriteFile(keyPath, []byte("private-key"), 0600)
+	os.WriteFile(pubPath, []byte("ssh-ed25519 AAAA..."), 0644)
+
+	tests := []struct {
+		name    string
+		id      *AgentIdentity
+		wantErr string
+	}{
+		{
+			name:    "nil identity",
+			id:      nil,
+			wantErr: "",
+		},
+		{
+			name:    "git only (no SSH key)",
+			id:      &AgentIdentity{GitUser: "Agent", GitEmail: "a@b.com"},
+			wantErr: "",
+		},
+		{
+			name:    "empty identity",
+			id:      &AgentIdentity{},
+			wantErr: "",
+		},
+		{
+			name:    "valid SSH key",
+			id:      &AgentIdentity{SSHKeyPath: keyPath},
+			wantErr: "",
+		},
+		{
+			name:    "relative SSH path",
+			id:      &AgentIdentity{SSHKeyPath: "relative/path"},
+			wantErr: "sshKeyPath must be an absolute path",
+		},
+		{
+			name:    "nonexistent SSH key",
+			id:      &AgentIdentity{SSHKeyPath: "/nonexistent/key"},
+			wantErr: "sshKeyPath \"/nonexistent/key\"",
+		},
+		{
+			name: "missing .pub companion",
+			id: &AgentIdentity{SSHKeyPath: func() string {
+				kp := filepath.Join(tmpDir, "no_pub_key")
+				os.WriteFile(kp, []byte("key"), 0600)
+				return kp
+			}()},
+			wantErr: "sshKeyPath companion",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateAgentIdentity(tt.id)
+			if tt.wantErr == "" {
+				if err != nil {
+					t.Errorf("ValidateAgentIdentity() unexpected error: %v", err)
+				}
+			} else {
+				if err == nil {
+					t.Errorf("ValidateAgentIdentity() expected error containing %q, got nil", tt.wantErr)
+				} else if !strings.Contains(err.Error(), tt.wantErr) {
+					t.Errorf("ValidateAgentIdentity() error = %q, want containing %q", err.Error(), tt.wantErr)
+				}
+			}
+		})
+	}
+}
+
+func TestHostConfig_AgentIdentity_RoundTrip(t *testing.T) {
+	config := HostConfig{
+		User:           "testuser",
+		UID:            1000,
+		GID:            100,
+		AuthorizedKeys: []string{"ssh-rsa AAAA..."},
+		Secrets:        map[string]string{"anthropic": "sk-test"},
+		StateDir:       "/var/lib/forage",
+		AgentIdentity: &AgentIdentity{
+			GitUser:  "Host Agent",
+			GitEmail: "host@example.com",
+		},
+	}
+
+	data, err := json.MarshalIndent(config, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	var loaded HostConfig
+	if err := json.Unmarshal(data, &loaded); err != nil {
+		t.Fatalf("Unmarshal failed: %v", err)
+	}
+
+	if loaded.AgentIdentity == nil {
+		t.Fatal("AgentIdentity should not be nil")
+	}
+	if loaded.AgentIdentity.GitUser != "Host Agent" {
+		t.Errorf("GitUser = %q, want %q", loaded.AgentIdentity.GitUser, "Host Agent")
+	}
+}
+
+// sandboxEnv returns environment variables suitable for running git/jj in a
+// hermetic temp directory. This is needed because the nix build sandbox sets
+// HOME=/homeless-shelter (non-writable), and jj's "secure config" feature
+// writes to ~/.config/jj/repos/.
+func sandboxEnv(homeDir string) []string {
+	return []string{
+		"HOME=" + homeDir,
+		"GIT_CONFIG_GLOBAL=/dev/null",
+		"GIT_CONFIG_SYSTEM=/dev/null",
+		"JJ_CONFIG=" + filepath.Join(homeDir, ".config", "jj", "config.toml"),
+		"PATH=" + os.Getenv("PATH"),
+	}
+}
+
+func TestReadGitIdentity(t *testing.T) {
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("git not in PATH")
+	}
+
+	t.Run("reads identity from git repo", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		env := sandboxEnv(tmpDir)
+
+		// Initialize a git repo and set identity
+		for _, args := range [][]string{
+			{"init"},
+			{"config", "user.name", "Test User"},
+			{"config", "user.email", "test@example.com"},
+		} {
+			cmd := exec.Command("git", args...)
+			cmd.Dir = tmpDir
+			cmd.Env = env
+			if out, err := cmd.CombinedOutput(); err != nil {
+				t.Fatalf("git %v failed: %v\n%s", args, err, out)
+			}
+		}
+
+		result := readGitIdentity(tmpDir)
+		if result == nil {
+			t.Fatal("expected non-nil identity")
+		}
+		if result.GitUser != "Test User" {
+			t.Errorf("GitUser = %q, want %q", result.GitUser, "Test User")
+		}
+		if result.GitEmail != "test@example.com" {
+			t.Errorf("GitEmail = %q, want %q", result.GitEmail, "test@example.com")
+		}
+		if result.SSHKeyPath != "" {
+			t.Errorf("SSHKeyPath = %q, want empty", result.SSHKeyPath)
+		}
+	})
+
+	t.Run("name with spaces", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		env := sandboxEnv(tmpDir)
+		for _, args := range [][]string{
+			{"init"},
+			{"config", "user.name", "Yann Hodique"},
+			{"config", "user.email", "yann@example.com"},
+		} {
+			cmd := exec.Command("git", args...)
+			cmd.Dir = tmpDir
+			cmd.Env = env
+			if out, err := cmd.CombinedOutput(); err != nil {
+				t.Fatalf("git %v failed: %v\n%s", args, err, out)
+			}
+		}
+
+		result := readGitIdentity(tmpDir)
+		if result == nil {
+			t.Fatal("expected non-nil identity")
+		}
+		if result.GitUser != "Yann Hodique" {
+			t.Errorf("GitUser = %q, want %q", result.GitUser, "Yann Hodique")
+		}
+	})
+
+	t.Run("no identity configured", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		env := sandboxEnv(tmpDir)
+		cmd := exec.Command("git", "init")
+		cmd.Dir = tmpDir
+		cmd.Env = env
+		if out, err := cmd.CombinedOutput(); err != nil {
+			t.Fatalf("git init failed: %v\n%s", err, out)
+		}
+
+		result := readGitIdentity(tmpDir)
+		// Result may or may not be nil depending on global git config;
+		// we just verify it doesn't crash
+		_ = result
+	})
+}
+
+func TestReadJJIdentity(t *testing.T) {
+	if _, err := exec.LookPath("jj"); err != nil {
+		t.Skip("jj not in PATH")
+	}
+
+	t.Run("reads identity from jj repo", func(t *testing.T) {
+		homeDir := t.TempDir()
+		repoDir := t.TempDir()
+		env := sandboxEnv(homeDir)
+		// jj needs a writable HOME for its secure-config repo tracking,
+		// both during setup and when readJJIdentity calls jj config get.
+		t.Setenv("HOME", homeDir)
+
+		// Initialize a jj repo
+		cmd := exec.Command("jj", "git", "init")
+		cmd.Dir = repoDir
+		cmd.Env = env
+		if out, err := cmd.CombinedOutput(); err != nil {
+			t.Fatalf("jj git init failed: %v\n%s", err, out)
+		}
+
+		// Set identity via jj config
+		for _, args := range [][]string{
+			{"config", "set", "--repo", "user.name", "JJ User"},
+			{"config", "set", "--repo", "user.email", "jj@example.com"},
+		} {
+			cmd := exec.Command("jj", args...)
+			cmd.Dir = repoDir
+			cmd.Env = env
+			if out, err := cmd.CombinedOutput(); err != nil {
+				t.Fatalf("jj %v failed: %v\n%s", args, err, out)
+			}
+		}
+
+		result := readJJIdentity(repoDir)
+		if result == nil {
+			t.Fatal("expected non-nil identity")
+		}
+		if result.GitUser != "JJ User" {
+			t.Errorf("GitUser = %q, want %q", result.GitUser, "JJ User")
+		}
+		if result.GitEmail != "jj@example.com" {
+			t.Errorf("GitEmail = %q, want %q", result.GitEmail, "jj@example.com")
+		}
+	})
+
+	t.Run("name with spaces", func(t *testing.T) {
+		homeDir := t.TempDir()
+		repoDir := t.TempDir()
+		env := sandboxEnv(homeDir)
+		t.Setenv("HOME", homeDir)
+
+		cmd := exec.Command("jj", "git", "init")
+		cmd.Dir = repoDir
+		cmd.Env = env
+		if out, err := cmd.CombinedOutput(); err != nil {
+			t.Fatalf("jj git init failed: %v\n%s", err, out)
+		}
+		for _, args := range [][]string{
+			{"config", "set", "--repo", "user.name", "Yann Hodique"},
+			{"config", "set", "--repo", "user.email", "yann@firefly.engineering"},
+		} {
+			cmd := exec.Command("jj", args...)
+			cmd.Dir = repoDir
+			cmd.Env = env
+			if out, err := cmd.CombinedOutput(); err != nil {
+				t.Fatalf("jj %v failed: %v\n%s", args, err, out)
+			}
+		}
+
+		result := readJJIdentity(repoDir)
+		if result == nil {
+			t.Fatal("expected non-nil identity")
+		}
+		if result.GitUser != "Yann Hodique" {
+			t.Errorf("GitUser = %q, want %q", result.GitUser, "Yann Hodique")
+		}
+		if result.GitEmail != "yann@firefly.engineering" {
+			t.Errorf("GitEmail = %q, want %q", result.GitEmail, "yann@firefly.engineering")
+		}
+	})
+}
+
+func TestTemplate_AgentIdentity_RoundTrip(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	template := Template{
+		Name:    "test-template",
+		Network: "full",
+		Agents: map[string]AgentConfig{
+			"claude": {
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+		AgentIdentity: &AgentIdentity{
+			GitUser:  "Template Agent",
+			GitEmail: "template@example.com",
+		},
+	}
+
+	data, err := json.MarshalIndent(template, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	templatePath := filepath.Join(tmpDir, "test-template.json")
+	if err = os.WriteFile(templatePath, data, 0644); err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	loaded, err := LoadTemplate(tmpDir, "test-template")
+	if err != nil {
+		t.Fatalf("LoadTemplate failed: %v", err)
+	}
+
+	if loaded.AgentIdentity == nil {
+		t.Fatal("AgentIdentity should not be nil after round-trip")
+	}
+	if loaded.AgentIdentity.GitUser != "Template Agent" {
+		t.Errorf("GitUser = %q, want %q", loaded.AgentIdentity.GitUser, "Template Agent")
+	}
+	if loaded.AgentIdentity.GitEmail != "template@example.com" {
+		t.Errorf("GitEmail = %q, want %q", loaded.AgentIdentity.GitEmail, "template@example.com")
+	}
+}
+
+func TestTemplate_AgentIdentity_BackwardCompat(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Template JSON without agentIdentity (old format)
+	data := `{"name": "old-template", "network": "full", "agents": {"claude": {"packagePath": "/nix/store/abc", "secretName": "anthropic", "authEnvVar": "ANTHROPIC_API_KEY"}}}`
+	templatePath := filepath.Join(tmpDir, "old-template.json")
+	if err := os.WriteFile(templatePath, []byte(data), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	loaded, err := LoadTemplate(tmpDir, "old-template")
+	if err != nil {
+		t.Fatalf("LoadTemplate failed: %v", err)
+	}
+
+	if loaded.AgentIdentity != nil {
+		t.Error("AgentIdentity should be nil for old format without identity")
+	}
+}
+
+func TestSandboxMetadata_Multiplexer_RoundTrip(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	metadata := &SandboxMetadata{
+		Name:        "mux-test",
+		Template:    "claude",
+		Workspace:   "/workspace",
+		NetworkSlot: 1,
+		Multiplexer: "wezterm",
+	}
+
+	if err := SaveSandboxMetadata(tmpDir, metadata); err != nil {
+		t.Fatalf("SaveSandboxMetadata failed: %v", err)
+	}
+
+	loaded, err := LoadSandboxMetadata(tmpDir, "mux-test")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if loaded.Multiplexer != "wezterm" {
+		t.Errorf("Multiplexer = %q, want %q", loaded.Multiplexer, "wezterm")
+	}
+}
+
+func TestSandboxMetadata_Multiplexer_BackwardCompat(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// JSON without multiplexer (old format)
+	data := `{"name": "old-sandbox", "template": "claude", "networkSlot": 1, "workspace": "/w"}`
+	metaPath := filepath.Join(tmpDir, "old-sandbox.json")
+	if err := os.WriteFile(metaPath, []byte(data), 0644); err != nil {
+		t.Fatalf("Failed to write metadata: %v", err)
+	}
+
+	loaded, err := LoadSandboxMetadata(tmpDir, "old-sandbox")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if loaded.Multiplexer != "" {
+		t.Errorf("Multiplexer = %q, want empty for old format", loaded.Multiplexer)
+	}
+}
+
+func TestTemplate_Multiplexer_RoundTrip(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	tmpl := Template{
+		Name:        "wez-template",
+		Network:     "full",
+		Multiplexer: "wezterm",
+		Agents: map[string]AgentConfig{
+			"claude": {
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+	}
+
+	data, err := json.MarshalIndent(tmpl, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	templatePath := filepath.Join(tmpDir, "wez-template.json")
+	if err = os.WriteFile(templatePath, data, 0644); err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	loaded, err := LoadTemplate(tmpDir, "wez-template")
+	if err != nil {
+		t.Fatalf("LoadTemplate failed: %v", err)
+	}
+
+	if loaded.Multiplexer != "wezterm" {
+		t.Errorf("Multiplexer = %q, want %q", loaded.Multiplexer, "wezterm")
+	}
+}
+
+func TestTemplate_InitCommands_RoundTrip(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	tmpl := Template{
+		Name:    "init-template",
+		Network: "full",
+		Agents: map[string]AgentConfig{
+			"claude": {
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+		InitCommands: []string{"npm install", "pip install pytest"},
+	}
+
+	data, err := json.MarshalIndent(tmpl, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	templatePath := filepath.Join(tmpDir, "init-template.json")
+	if err = os.WriteFile(templatePath, data, 0644); err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	loaded, err := LoadTemplate(tmpDir, "init-template")
+	if err != nil {
+		t.Fatalf("LoadTemplate failed: %v", err)
+	}
+
+	if len(loaded.InitCommands) != 2 {
+		t.Fatalf("len(InitCommands) = %d, want 2", len(loaded.InitCommands))
+	}
+	if loaded.InitCommands[0] != "npm install" {
+		t.Errorf("InitCommands[0] = %q, want %q", loaded.InitCommands[0], "npm install")
+	}
+	if loaded.InitCommands[1] != "pip install pytest" {
+		t.Errorf("InitCommands[1] = %q, want %q", loaded.InitCommands[1], "pip install pytest")
+	}
+}
+
+func TestTemplate_InitCommands_BackwardCompat(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Template JSON without initCommands (old format)
+	data := `{"name": "old-template", "network": "full", "agents": {"claude": {"packagePath": "/nix/store/abc", "secretName": "anthropic", "authEnvVar": "ANTHROPIC_API_KEY"}}}`
+	templatePath := filepath.Join(tmpDir, "old-template.json")
+	if err := os.WriteFile(templatePath, []byte(data), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	loaded, err := LoadTemplate(tmpDir, "old-template")
+	if err != nil {
+		t.Fatalf("LoadTemplate failed: %v", err)
+	}
+
+	if len(loaded.InitCommands) != 0 {
+		t.Errorf("InitCommands should be empty for old format, got %v", loaded.InitCommands)
+	}
+}
+
+func TestTemplate_InitCommands_OmittedWhenEmpty(t *testing.T) {
+	tmpl := Template{
+		Name:    "no-init",
+		Network: "full",
+		Agents: map[string]AgentConfig{
+			"claude": {
+				PackagePath: "/nix/store/abc-claude",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+	}
+
+	data, err := json.MarshalIndent(tmpl, "", "  ")
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	if strings.Contains(string(data), "initCommands") {
+		t.Error("empty InitCommands should be omitted from JSON")
+	}
+}
+
+func TestValidateSandboxName(t *testing.T) {
+	tests := []struct {
+		name    string
+		wantErr bool
+	}{
+		// Valid names
+		{"myproject", false},
+		{"my-project", false},
+		{"my_project", false},
+		{"project123", false},
+		{"123project", false},
+		{"a", false},
+		{"a-b-c", false},
+		{"test_sandbox_1", false},
+
+		// Invalid names
+		{"", true},                             // empty
+		{"My-Project", true},                   // uppercase
+		{"my project", true},                   // space
+		{"../../../etc/passwd", true},          // path traversal
+		{"/absolute/path", true},               // absolute path
+		{"my.project", true},                   // dots
+		{"-starts-with-dash", true},            // starts with dash
+		{"_starts_with_underscore", true},      // starts with underscore
+		{"has@special", true},                  // special characters
+		{"has$dollar", true},                   // special characters
+		{"has;semicolon", true},                // injection attempt
+		{"a" + string(make([]byte, 64)), true}, // too long (64+ chars)
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateSandboxName(tt.name)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateSandboxName(%q) error = %v, wantErr %v", tt.name, err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestWorkspaceMountMeta_RoundTrip(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	metadata := &SandboxMetadata{
+		Name:        "multi-mount-test",
+		Template:    "claude",
+		NetworkSlot: 5,
+		CreatedAt:   "2024-01-01T00:00:00Z",
+		Workspace:   "/var/lib/firefly-forage/workspaces/multi-mount-test/main",
+		WorkspaceMounts: []WorkspaceMountMeta{
+			{
+				Name:          "main",
+				ContainerPath: "/workspace",
+				HostPath:      "/var/lib/firefly-forage/workspaces/multi-mount-test/main",
+				SourceRepo:    "/home/user/project",
+				Mode:          "jj",
+			},
+			{
+				Name:          "beads",
+				ContainerPath: "/workspace/.beads",
+				HostPath:      "/var/lib/firefly-forage/workspaces/multi-mount-test/beads",
+				SourceRepo:    "/home/user/project",
+				Mode:          "jj",
+				Branch:        "beads-sync",
+			},
+			{
+				Name:          "data",
+				ContainerPath: "/workspace/data",
+				HostPath:      "/mnt/data",
+				Mode:          "direct",
+				ReadOnly:      true,
+			},
+		},
+	}
+
+	if err := SaveSandboxMetadata(tmpDir, metadata); err != nil {
+		t.Fatalf("SaveSandboxMetadata failed: %v", err)
+	}
+
+	loaded, err := LoadSandboxMetadata(tmpDir, "multi-mount-test")
+	if err != nil {
+		t.Fatalf("LoadSandboxMetadata failed: %v", err)
+	}
+
+	if len(loaded.WorkspaceMounts) != 3 {
+		t.Fatalf("WorkspaceMounts length = %d, want 3", len(loaded.WorkspaceMounts))
+	}
+
+	main := loaded.WorkspaceMounts[0]
+	if main.Name != "main" || main.ContainerPath != "/workspace" || main.Mode != "jj" {
+		t.Errorf("main mount = %+v, unexpected", main)
+	}
+
+	beads := loaded.WorkspaceMounts[1]
+	if beads.Name != "beads" || beads.Branch != "beads-sync" || beads.Mode != "jj" {
+		t.Errorf("beads mount = %+v, unexpected", beads)
+	}
+
+	data := loaded.WorkspaceMounts[2]
+	if data.Name != "data" || !data.ReadOnly || data.Mode != "direct" {
+		t.Errorf("data mount = %+v, unexpected", data)
+	}
+}
+
+func TestSandboxMetadata_Validate_WorkspaceMounts(t *testing.T) {
+	// Valid: has WorkspaceMounts but empty Workspace
+	meta := &SandboxMetadata{
+		Name:        "test",
+		Template:    "claude",
+		NetworkSlot: 1,
+		WorkspaceMounts: []WorkspaceMountMeta{
+			{Name: "main", ContainerPath: "/workspace", HostPath: "/tmp/ws", Mode: "direct"},
+		},
+	}
+	if err := meta.Validate(); err != nil {
+		t.Errorf("expected valid metadata with WorkspaceMounts, got error: %v", err)
+	}
+
+	// Invalid: neither Workspace nor WorkspaceMounts
+	meta2 := &SandboxMetadata{
+		Name:        "test",
+		Template:    "claude",
+		NetworkSlot: 1,
+	}
+	if err := meta2.Validate(); err == nil {
+		t.Error("expected error for metadata with no workspace or mounts")
+	}
+
+	// Invalid mode in mount
+	meta3 := &SandboxMetadata{
+		Name:        "test",
+		Template:    "claude",
+		NetworkSlot: 1,
+		WorkspaceMounts: []WorkspaceMountMeta{
+			{Name: "bad", ContainerPath: "/workspace", HostPath: "/tmp/ws", Mode: "invalid-mode"},
+		},
+	}
+	if err := meta3.Validate(); err == nil {
+		t.Error("expected error for invalid mount mode")
+	}
+}
+
+func TestWorkspaceMount_TemplateJSON(t *testing.T) {
+	template := &Template{
+		Name:    "test",
+		Network: "full",
+		Agents: map[string]AgentConfig{
+			"claude": {PackagePath: "claude", HostConfigDir: "/home/user/.claude", ContainerConfigDir: "/home/agent/.claude"},
+		},
+		WorkspaceMounts: map[string]*WorkspaceMount{
+			"main": {
+				Name:          "main",
+				ContainerPath: "/workspace",
+				Mode:          "jj",
+			},
+			"data": {
+				Name:          "data",
+				ContainerPath: "/workspace/data",
+				Repo:          "data",
+				Mode:          "git-worktree",
+			},
+		},
+	}
+
+	data, err := json.MarshalIndent(template, "", "  ")
+	if err != nil {
+		t.Fatalf("failed to marshal template: %v", err)
+	}
+
+	var loaded Template
+	if err := json.Unmarshal(data, &loaded); err != nil {
+		t.Fatalf("failed to unmarshal template: %v", err)
+	}
+
+	if len(loaded.WorkspaceMounts) != 2 {
+		t.Fatalf("WorkspaceMounts length = %d, want 2", len(loaded.WorkspaceMounts))
+	}
+
+	mainMount := loaded.WorkspaceMounts["main"]
+	if mainMount == nil || mainMount.ContainerPath != "/workspace" || mainMount.Mode != "jj" {
+		t.Errorf("main mount = %+v, unexpected", mainMount)
+	}
+
+	dataMount := loaded.WorkspaceMounts["data"]
+	if dataMount == nil || dataMount.Repo != "data" || dataMount.Mode != "git-worktree" {
+		t.Errorf("data mount = %+v, unexpected", dataMount)
+	}
+}
+
+func TestSandboxMetadata_BackwardCompat_NoWorkspaceMounts(t *testing.T) {
+	// Simulate loading old metadata that has no workspaceMounts field
+	oldJSON := `{
+		"name": "legacy-sandbox",
+		"template": "claude",
+		"workspace": "/var/lib/firefly-forage/workspaces/legacy-sandbox",
+		"networkSlot": 3,
+		"createdAt": "2024-01-01T00:00:00Z",
+		"workspaceMode": "jj",
+		"sourceRepo": "/home/user/project"
+	}`
+
+	var meta SandboxMetadata
+	if err := json.Unmarshal([]byte(oldJSON), &meta); err != nil {
+		t.Fatalf("failed to unmarshal legacy metadata: %v", err)
+	}
+
+	if meta.Workspace != "/var/lib/firefly-forage/workspaces/legacy-sandbox" {
+		t.Errorf("Workspace = %q, unexpected", meta.Workspace)
+	}
+	if len(meta.WorkspaceMounts) != 0 {
+		t.Errorf("WorkspaceMounts should be empty for legacy metadata, got %d", len(meta.WorkspaceMounts))
+	}
+	if err := meta.Validate(); err != nil {
+		t.Errorf("legacy metadata should validate, got: %v", err)
+	}
+}
diff --git a/packages/forage-ctl/internal/config/doc.go b/packages/forage-ctl/internal/config/doc.go
new file mode 100644
index 0000000..e55f3e7
--- /dev/null
+++ b/packages/forage-ctl/internal/config/doc.go
@@ -0,0 +1,50 @@
+// Package config provides configuration types and loading for forage-ctl.
+//
+// # Configuration Files
+//
+// The package handles three types of configuration:
+//
+//   - HostConfig: Host-level settings loaded from /etc/firefly-forage/config.json
+//   - Template: Sandbox templates loaded from /etc/firefly-forage/templates/*.json
+//   - SandboxMetadata: Runtime sandbox state stored in /var/lib/firefly-forage/sandboxes/*.json
+//
+// # Host Configuration
+//
+// HostConfig contains system-wide settings:
+//
+//	type HostConfig struct {
+//	    User           string            // SSH user for sandboxes
+//	    UID            int               // Host user's UID
+//	    GID            int               // Host user's GID
+//	    AuthorizedKeys []string          // SSH public keys
+//	    Secrets        map[string]string // Secret paths by name
+//	}
+//
+// # Templates
+//
+// Templates define sandbox configurations:
+//
+//	type Template struct {
+//	    Name         string                 // Template identifier
+//	    Network      string                 // "full", "restricted", or "none"
+//	    AllowedHosts []string               // For restricted mode
+//	    Agents       map[string]AgentConfig // Agent configurations
+//	}
+//
+// # Sandbox Metadata
+//
+// SandboxMetadata tracks running sandbox state:
+//
+//	type SandboxMetadata struct {
+//	    Name          string // Sandbox name
+//	    Template      string // Template used
+//	    Port          int    // SSH port
+//	    Workspace     string // Workspace path
+//	    WorkspaceMode string // "direct", "jj", or "git-worktree"
+//	}
+//
+// # Validation
+//
+// All configuration types implement Validate() to check for required fields
+// and valid values. Loading functions automatically validate after parsing.
+package config
diff --git a/packages/forage-ctl/internal/errors/doc.go b/packages/forage-ctl/internal/errors/doc.go
new file mode 100644
index 0000000..ff11bf0
--- /dev/null
+++ b/packages/forage-ctl/internal/errors/doc.go
@@ -0,0 +1,43 @@
+// Package errors provides typed errors with exit codes for forage-ctl.
+//
+// # Error Types
+//
+// ForageError is the base error type that wraps an error with an exit code:
+//
+//	type ForageError struct {
+//	    Code    int    // Exit code
+//	    Message string // User-facing message
+//	    Cause   error  // Wrapped error
+//	}
+//
+// # Exit Codes
+//
+// Defined exit codes for different error categories:
+//
+//	ExitSuccess           = 0  // Success
+//	ExitGeneralError      = 1  // General/unknown errors
+//	ExitSandboxNotFound   = 2  // Sandbox does not exist
+//	ExitTemplateNotFound  = 3  // Template does not exist
+//	ExitPortAllocation    = 4  // Port allocation failure
+//	ExitContainerFailed   = 5  // Container operation failed
+//	ExitConfigError       = 6  // Configuration error
+//	ExitJJError           = 7  // JJ operation failed
+//	ExitSSHError          = 8  // SSH operation failed
+//
+// # Error Constructors
+//
+// Use the provided constructors for consistent error creation:
+//
+//	errors.SandboxNotFound("mybox")
+//	errors.TemplateNotFound("claude")
+//	errors.ContainerFailed("create", err)
+//	errors.SSHError("connection failed", err)
+//
+// # Extracting Exit Codes
+//
+// Use GetExitCode to extract the exit code from an error chain:
+//
+//	if err != nil {
+//	    os.Exit(errors.GetExitCode(err))
+//	}
+package errors
diff --git a/packages/forage-ctl/internal/errors/errors.go b/packages/forage-ctl/internal/errors/errors.go
new file mode 100644
index 0000000..aaaf419
--- /dev/null
+++ b/packages/forage-ctl/internal/errors/errors.go
@@ -0,0 +1,130 @@
+package errors
+
+import (
+	"errors"
+	"fmt"
+)
+
+// Exit codes for forage-ctl
+const (
+	ExitSuccess          = 0
+	ExitGeneralError     = 1
+	ExitSandboxNotFound  = 2
+	ExitTemplateNotFound = 3
+	ExitPortAllocation   = 4
+	ExitContainerFailed  = 5
+	ExitConfigError      = 6
+	ExitJJError          = 7
+	ExitSSHError         = 8
+)
+
+// ForageError is the base error type for forage-ctl
+type ForageError struct {
+	Code    int
+	Message string
+	Cause   error
+}
+
+func (e *ForageError) Error() string {
+	if e.Cause != nil {
+		return fmt.Sprintf("%s: %v", e.Message, e.Cause)
+	}
+	return e.Message
+}
+
+func (e *ForageError) Unwrap() error {
+	return e.Cause
+}
+
+// ExitCode returns the exit code for this error
+func (e *ForageError) ExitCode() int {
+	return e.Code
+}
+
+// New creates a new ForageError
+func New(code int, message string) *ForageError {
+	return &ForageError{
+		Code:    code,
+		Message: message,
+	}
+}
+
+// Wrap wraps an existing error with a ForageError
+func Wrap(code int, message string, cause error) *ForageError {
+	return &ForageError{
+		Code:    code,
+		Message: message,
+		Cause:   cause,
+	}
+}
+
+// Common error constructors
+
+// SandboxNotFound returns an error for a missing sandbox
+func SandboxNotFound(name string) *ForageError {
+	return New(ExitSandboxNotFound, fmt.Sprintf("sandbox not found: %s", name))
+}
+
+// TemplateNotFound returns an error for a missing template
+func TemplateNotFound(name string) *ForageError {
+	return New(ExitTemplateNotFound, fmt.Sprintf("template not found: %s", name))
+}
+
+// PortAllocationFailed returns an error for port allocation failure
+func PortAllocationFailed(cause error) *ForageError {
+	return Wrap(ExitPortAllocation, "failed to allocate port", cause)
+}
+
+// ContainerFailed returns an error for container operations
+func ContainerFailed(op string, cause error) *ForageError {
+	return Wrap(ExitContainerFailed, fmt.Sprintf("container %s failed", op), cause)
+}
+
+// ConfigError returns an error for configuration issues
+func ConfigError(message string, cause error) *ForageError {
+	return Wrap(ExitConfigError, message, cause)
+}
+
+// JJError returns an error for jj operations
+func JJError(message string, cause error) *ForageError {
+	return Wrap(ExitJJError, message, cause)
+}
+
+// SSHError returns an error for SSH operations
+func SSHError(message string, cause error) *ForageError {
+	return Wrap(ExitSSHError, message, cause)
+}
+
+// SandboxNotRunning returns an error when a sandbox exists but is not running
+func SandboxNotRunning(name string) *ForageError {
+	return New(ExitGeneralError, fmt.Sprintf("sandbox %s is not running", name))
+}
+
+// WorkspaceError returns an error for workspace operations
+func WorkspaceError(op string, cause error) *ForageError {
+	return Wrap(ExitGeneralError, fmt.Sprintf("workspace %s failed", op), cause)
+}
+
+// ValidationError returns an error for input validation failures
+func ValidationError(message string) *ForageError {
+	return New(ExitGeneralError, message)
+}
+
+// GetExitCode extracts the exit code from an error
+func GetExitCode(err error) int {
+	var forageErr *ForageError
+	if errors.As(err, &forageErr) {
+		return forageErr.ExitCode()
+	}
+	return ExitGeneralError
+}
+
+// Is checks if an error is of a specific type
+func Is(err, target error) bool {
+	return errors.Is(err, target)
+}
+
+// As finds the first error in err's chain that matches target
+func As(err error, target any) bool {
+	return errors.As(err, target)
+}
diff --git a/packages/forage-ctl/internal/errors/errors_test.go b/packages/forage-ctl/internal/errors/errors_test.go
new file mode 100644
index 0000000..cecd049
--- /dev/null
+++ b/packages/forage-ctl/internal/errors/errors_test.go
@@ -0,0 +1,261 @@
+package errors
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+)
+
+func TestForageError_Error(t *testing.T) {
+	tests := []struct {
+		name    string
+		err     *ForageError
+		wantMsg string
+	}{
+		{
+			name:    "without cause",
+			err:     New(ExitGeneralError, "something went wrong"),
+			wantMsg: "something went wrong",
+		},
+		{
+			name:    "with cause",
+			err:     Wrap(ExitGeneralError, "operation failed", fmt.Errorf("underlying error")),
+			wantMsg: "operation failed: underlying error",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.err.Error(); got != tt.wantMsg {
+				t.Errorf("Error() = %q, want %q", got, tt.wantMsg)
+			}
+		})
+	}
+}
+
+func TestForageError_Unwrap(t *testing.T) {
+	cause := fmt.Errorf("root cause")
+	err := Wrap(ExitGeneralError, "wrapped", cause)
+
+	if unwrapped := err.Unwrap(); unwrapped != cause {
+		t.Errorf("Unwrap() = %v, want %v", unwrapped, cause)
+	}
+
+	// Without cause
+	errNoCause := New(ExitGeneralError, "no cause")
+	if unwrapped := errNoCause.Unwrap(); unwrapped != nil {
+		t.Errorf("Unwrap() = %v, want nil", unwrapped)
+	}
+}
+
+func TestForageError_ExitCode(t *testing.T) {
+	tests := []struct {
+		code int
+		name string
+	}{
+		{ExitSuccess, "success"},
+		{ExitGeneralError, "general"},
+		{ExitSandboxNotFound, "sandbox not found"},
+		{ExitTemplateNotFound, "template not found"},
+		{ExitPortAllocation, "port allocation"},
+		{ExitContainerFailed, "container failed"},
+		{ExitConfigError, "config error"},
+		{ExitJJError, "jj error"},
+		{ExitSSHError, "ssh error"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := New(tt.code, "test")
+			if got := err.ExitCode(); got != tt.code {
+				t.Errorf("ExitCode() = %d, want %d", got, tt.code)
+			}
+		})
+	}
+}
+
+func TestSandboxNotFound(t *testing.T) {
+	err := SandboxNotFound("my-sandbox")
+
+	if err.Code != ExitSandboxNotFound {
+		t.Errorf("Code = %d, want %d", err.Code, ExitSandboxNotFound)
+	}
+
+	if err.Message != "sandbox not found: my-sandbox" {
+		t.Errorf("Message = %q, want %q", err.Message, "sandbox not found: my-sandbox")
+	}
+}
+
+func TestTemplateNotFound(t *testing.T) {
+	err := TemplateNotFound("claude")
+
+	if err.Code != ExitTemplateNotFound {
+		t.Errorf("Code = %d, want %d", err.Code, ExitTemplateNotFound)
+	}
+
+	if err.Message != "template not found: claude" {
+		t.Errorf("Message = %q, want %q", err.Message, "template not found: claude")
+	}
+}
+
+func TestPortAllocationFailed(t *testing.T) {
+	cause := fmt.Errorf("no ports available")
+	err := PortAllocationFailed(cause)
+
+	if err.Code != ExitPortAllocation {
+		t.Errorf("Code = %d, want %d", err.Code, ExitPortAllocation)
+	}
+
+	if err.Cause != cause {
+		t.Errorf("Cause = %v, want %v", err.Cause, cause)
+	}
+}
+
+func TestContainerFailed(t *testing.T) {
+	cause := fmt.Errorf("nspawn error")
+	err := ContainerFailed("create", cause)
+
+	if err.Code != ExitContainerFailed {
+		t.Errorf("Code = %d, want %d", err.Code, ExitContainerFailed)
+	}
+
+	if err.Message != "container create failed" {
+		t.Errorf("Message = %q, want %q", err.Message, "container create failed")
+	}
+
+	if err.Cause != cause {
+		t.Errorf("Cause = %v, want %v", err.Cause, cause)
+	}
+}
+
+func TestConfigError(t *testing.T) {
+	cause := fmt.Errorf("invalid json")
+	err := ConfigError("failed to parse config", cause)
+
+	if err.Code != ExitConfigError {
+		t.Errorf("Code = %d, want %d", err.Code, ExitConfigError)
+	}
+
+	if err.Cause != cause {
+		t.Errorf("Cause = %v, want %v", err.Cause, cause)
+	}
+}
+
+func TestJJError(t *testing.T) {
+	cause := fmt.Errorf("workspace conflict")
+	err := JJError("workspace creation failed", cause)
+
+	if err.Code != ExitJJError {
+		t.Errorf("Code = %d, want %d", err.Code, ExitJJError)
+	}
+
+	if err.Cause != cause {
+		t.Errorf("Cause = %v, want %v", err.Cause, cause)
+	}
+}
+
+func TestSSHError(t *testing.T) {
+	cause := fmt.Errorf("connection refused")
+	err := SSHError("failed to connect", cause)
+
+	if err.Code != ExitSSHError {
+		t.Errorf("Code = %d, want %d", err.Code, ExitSSHError)
+	}
+
+	if err.Cause != cause {
+		t.Errorf("Cause = %v, want %v", err.Cause, cause)
+	}
+}
+
+func TestGetExitCode(t *testing.T) {
+	tests := []struct {
+		name     string
+		err      error
+		wantCode int
+	}{
+		{
+			name:     "ForageError",
+			err:      SandboxNotFound("test"),
+			wantCode: ExitSandboxNotFound,
+		},
+		{
+			name:     "wrapped ForageError",
+			err:      fmt.Errorf("outer: %w", TemplateNotFound("test")),
+			wantCode: ExitTemplateNotFound,
+		},
+		{
+			name:     "regular error",
+			err:      fmt.Errorf("some error"),
+			wantCode: ExitGeneralError,
+		},
+		{
+			name:     "nil error",
+			err:      nil,
+			wantCode: ExitGeneralError,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GetExitCode(tt.err); got != tt.wantCode {
+				t.Errorf("GetExitCode() = %d, want %d", got, tt.wantCode)
+			}
+		})
+	}
+}
+
+func TestIs(t *testing.T) {
+	target := fmt.Errorf("target error")
+	wrapped := fmt.Errorf("wrapped: %w", target)
+
+	if !Is(wrapped, target) {
+		t.Error("Is() should return true for wrapped error")
+	}
+
+	other := fmt.Errorf("other error")
+	if Is(wrapped, other) {
+		t.Error("Is() should return false for different error")
+	}
+}
+
+func TestAs(t *testing.T) {
+	forageErr := SandboxNotFound("test")
+	wrapped := fmt.Errorf("wrapped: %w", forageErr)
+
+	var target *ForageError
+	if !As(wrapped, &target) {
+		t.Error("As() should return true for wrapped ForageError")
+	}
+
+	if target.Code != ExitSandboxNotFound {
+		t.Errorf("target.Code = %d, want %d", target.Code, ExitSandboxNotFound)
+	}
+
+	// Test with non-ForageError
+	regularErr := fmt.Errorf("regular error")
+	if As(regularErr, &target) {
+		t.Error("As() should return false for non-ForageError")
+	}
+}
+
+func TestErrorChaining(t *testing.T) {
+	// Test that our errors work with standard error unwrapping
+	root := fmt.Errorf("root cause")
+	middle := Wrap(ExitConfigError, "config error", root)
+	outer := fmt.Errorf("operation failed: %w", middle)
+
+	// Should be able to find root cause
+	if !errors.Is(outer, root) {
+		t.Error("errors.Is should find root cause")
+	}
+
+	// Should be able to extract ForageError
+	var forageErr *ForageError
+	if !errors.As(outer, &forageErr) {
+		t.Error("errors.As should find ForageError")
+	}
+
+	if forageErr.Code != ExitConfigError {
+		t.Errorf("Code = %d, want %d", forageErr.Code, ExitConfigError)
+	}
+}
diff --git a/packages/forage-ctl/internal/gateway/connect.go b/packages/forage-ctl/internal/gateway/connect.go
new file mode 100644
index 0000000..ec44488
--- /dev/null
+++ b/packages/forage-ctl/internal/gateway/connect.go
@@ -0,0 +1,51 @@
+package gateway
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/ssh"
+)
+
+// Connect loads sandbox metadata, verifies it is running, and replaces the
+// current process with an SSH session to the sandbox (with the appropriate
+// multiplexer attach command, if any).
+func Connect(ctx context.Context, name, sandboxesDir string, rt runtime.Runtime) error {
+	metadata, err := config.LoadSandboxMetadata(sandboxesDir, name)
+	if err != nil {
+		return fmt.Errorf("sandbox not found: %s", name)
+	}
+
+	if rt != nil {
+		running, _ := rt.IsRunning(ctx, name)
+		if !running {
+			return fmt.Errorf("sandbox %s is not running", name)
+		}
+	}
+
+	caps := runtime.GetCapabilities(rt)
+	containerIP := metadata.ContainerIP()
+	logging.Debug("connecting to sandbox", "name", name, "ip", containerIP, "sshAccess", caps.SSHAccess)
+
+	mux := multiplexer.New(multiplexer.Type(metadata.Multiplexer))
+	attachCmd := mux.AttachCommand()
+
+	// For runtimes without SSH, use exec-based attach
+	if !caps.SSHAccess && rt != nil {
+		if attachCmd != "" {
+			return runtime.ExecShellInteractive(ctx, rt, name, attachCmd, runtime.ExecOptions{})
+		}
+		return rt.ExecInteractive(ctx, name, []string{"sh"}, runtime.ExecOptions{})
+	}
+
+	if attachCmd != "" {
+		return ssh.ReplaceWithSession(containerIP, attachCmd)
+	}
+	// For multiplexers without an attach command (e.g. wezterm in SSH context),
+	// fall back to an interactive shell.
+	return ssh.ReplaceWithSession(containerIP, "")
+}
diff --git a/packages/forage-ctl/internal/gateway/doc.go b/packages/forage-ctl/internal/gateway/doc.go
new file mode 100644
index 0000000..85a09b4
--- /dev/null
+++ b/packages/forage-ctl/internal/gateway/doc.go
@@ -0,0 +1,34 @@
+// Package gateway provides the gateway service for single-port sandbox access.
+//
+// The gateway enables SSH access to multiple sandboxes through a single entry
+// point, simplifying network configuration and providing an interactive sandbox
+// picker.
+//
+// # Architecture
+//
+// The gateway runs on the host and accepts SSH connections on a single port.
+// Users can either specify a sandbox name directly or use an interactive picker.
+//
+// # Usage
+//
+// As SSH ForceCommand:
+//
+//	# In sshd_config:
+//	Match User forage
+//	    ForceCommand /run/current-system/sw/bin/forage-ctl gateway
+//
+// Client connection:
+//
+//	ssh forage@host sandbox-name  # Direct connection
+//	ssh forage@host               # Interactive picker
+//
+// # Server
+//
+// The Server type handles gateway operations:
+//
+//	server := gateway.NewServer(paths, rt)
+//	server.HandleSSHOriginalCommand()  // Process SSH_ORIGINAL_COMMAND
+//	server.HandleConnection(args)      // Handle connection with args
+//	server.ConnectToSandbox(name)      // Connect to specific sandbox
+//	server.ShowPicker()                // Show interactive picker
+package gateway
diff --git a/packages/forage-ctl/internal/gateway/server.go b/packages/forage-ctl/internal/gateway/server.go
new file mode 100644
index 0000000..e256fd1
--- /dev/null
+++ b/packages/forage-ctl/internal/gateway/server.go
@@ -0,0 +1,126 @@
+// Package gateway provides the gateway service for single-port sandbox access
+package gateway
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/tui"
+)
+
+// Server represents the gateway server
+type Server struct {
+	Paths   *config.Paths
+	Runtime runtime.Runtime
+}
+
+// NewServer creates a new gateway server
+func NewServer(paths *config.Paths, rt runtime.Runtime) *Server {
+	return &Server{Paths: paths, Runtime: rt}
+}
+
+// HandleConnection handles an incoming connection
+// This is designed to be called from SSH ForceCommand
+func (s *Server) HandleConnection(ctx context.Context, args []string) error {
+	logging.Debug("gateway connection", "args", args)
+
+	// If a sandbox name is provided as argument, connect directly
+	if len(args) > 0 && args[0] != "" {
+		sandboxName := args[0]
+		// Validate before attempting connection (defense in depth - ConnectToSandbox also validates)
+		if err := config.ValidateSandboxName(sandboxName); err != nil {
+			return fmt.Errorf("invalid sandbox name: %w", err)
+		}
+		return s.ConnectToSandbox(ctx, sandboxName)
+	}
+
+	// Otherwise, show the interactive picker
+	return s.ShowPicker(ctx)
+}
+
+// HandleSSHOriginalCommand handles SSH_ORIGINAL_COMMAND environment variable
+// This is used when the gateway is set up as SSH ForceCommand
+func (s *Server) HandleSSHOriginalCommand(ctx context.Context) error {
+	originalCmd := os.Getenv("SSH_ORIGINAL_COMMAND")
+	logging.Debug("SSH_ORIGINAL_COMMAND", "value", originalCmd)
+
+	if originalCmd != "" {
+		// Parse the command - first word is sandbox name
+		parts := strings.Fields(originalCmd)
+		if len(parts) > 0 {
+			sandboxName := parts[0]
+			// Validate before attempting connection (defense in depth)
+			if err := config.ValidateSandboxName(sandboxName); err != nil {
+				return fmt.Errorf("invalid sandbox name in SSH command: %w", err)
+			}
+			return s.ConnectToSandbox(ctx, sandboxName)
+		}
+	}
+
+	// No command specified, show picker
+	return s.ShowPicker(ctx)
+}
+
+// ShowPicker displays the interactive sandbox picker
+func (s *Server) ShowPicker(ctx context.Context) error {
+	sandboxes, err := config.ListSandboxes(s.Paths.SandboxesDir)
+	if err != nil {
+		return fmt.Errorf("failed to list sandboxes: %w", err)
+	}
+
+	if len(sandboxes) == 0 {
+		fmt.Println("No sandboxes available.")
+		fmt.Println("\nCreate a sandbox on the host with:")
+		fmt.Println("  forage-ctl up <name> -t <template> -w <workspace>")
+		return nil
+	}
+
+	result, err := tui.RunPicker(ctx, sandboxes, s.Paths, s.Runtime, tui.PickerOptions{})
+	if err != nil {
+		return fmt.Errorf("picker error: %w", err)
+	}
+
+	switch result.Action {
+	case tui.ActionAttach:
+		if result.Sandbox != nil {
+			return s.ConnectToSandbox(ctx, result.Sandbox.Name)
+		}
+
+	case tui.ActionNew:
+		fmt.Println("\nCreate a sandbox on the host with:")
+		fmt.Println("  forage-ctl up <name> -t <template> -w <workspace>")
+
+	case tui.ActionDown:
+		if result.Sandbox != nil {
+			fmt.Printf("\nRemove sandbox on the host with:\n")
+			fmt.Printf("  forage-ctl down %s\n", result.Sandbox.Name)
+		}
+	}
+
+	return nil
+}
+
+// ConnectToSandbox connects to a specific sandbox
+func (s *Server) ConnectToSandbox(ctx context.Context, name string) error {
+	// Validate name to prevent path traversal or injection
+	if err := config.ValidateSandboxName(name); err != nil {
+		return fmt.Errorf("invalid sandbox name: %w", err)
+	}
+
+	return Connect(ctx, name, s.Paths.SandboxesDir, s.Runtime)
+}
+
+// ListSandboxes returns a formatted list of sandboxes
+func (s *Server) ListSandboxes(ctx context.Context) (string, error) {
+	sandboxes, err := config.ListSandboxes(s.Paths.SandboxesDir)
+	if err != nil {
+		return "", err
+	}
+
+	return tui.SimplePicker(ctx, sandboxes, s.Paths, s.Runtime), nil
+}
diff --git a/packages/forage-ctl/internal/gateway/server_test.go b/packages/forage-ctl/internal/gateway/server_test.go
new file mode 100644
index 0000000..69da013
--- /dev/null
+++ b/packages/forage-ctl/internal/gateway/server_test.go
@@ -0,0 +1,157 @@
+package gateway
+
+import (
+	"context"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/testutil"
+)
+
+func TestServer_HandleConnection_InvalidName(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	// Test invalid sandbox names - should fail validation
+	invalidNames := []string{
+		"../escape",         // path traversal
+		"My-Project",        // uppercase
+		"has spaces",        // spaces
+		"-starts-with-dash", // starts with dash
+		"has;semicolon",     // special characters
+	}
+
+	for _, name := range invalidNames {
+		t.Run(name, func(t *testing.T) {
+			err := server.HandleConnection(context.Background(), []string{name})
+			if err == nil {
+				t.Errorf("HandleConnection(%q) should have failed with invalid name", name)
+			}
+		})
+	}
+}
+
+func TestServer_HandleConnection_ValidNameNotFound(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	// Valid name but sandbox doesn't exist
+	err := server.HandleConnection(context.Background(), []string{"nonexistent"})
+	if err == nil {
+		t.Error("HandleConnection should fail for nonexistent sandbox")
+	}
+}
+
+func TestServer_ConnectToSandbox_InvalidName(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	// Test path traversal attack
+	err := server.ConnectToSandbox(context.Background(), "../../../etc/passwd")
+	if err == nil {
+		t.Error("ConnectToSandbox should fail for path traversal")
+	}
+}
+
+func TestServer_ConnectToSandbox_NotRunning(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Add sandbox metadata but don't mark it as running
+	env.AddSandbox(&config.SandboxMetadata{
+		Name:        "stopped-sandbox",
+		Template:    "test",
+		NetworkSlot: 1,
+	})
+
+	// Mark as stopped in runtime
+	env.Runtime.Containers["stopped-sandbox"].Status = runtime.StatusStopped
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	err := server.ConnectToSandbox(context.Background(), "stopped-sandbox")
+	if err == nil {
+		t.Error("ConnectToSandbox should fail for stopped sandbox")
+	}
+}
+
+func TestServer_ShowPicker_NoSandboxes(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	// ShowPicker should not error when there are no sandboxes
+	err := server.ShowPicker(context.Background())
+	if err != nil {
+		t.Errorf("ShowPicker() failed: %v", err)
+	}
+}
+
+func TestServer_ListSandboxes_Empty(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	result, err := server.ListSandboxes(context.Background())
+	if err != nil {
+		t.Errorf("ListSandboxes() failed: %v", err)
+	}
+
+	// Should return something (even if just a header)
+	if result == "" {
+		t.Error("ListSandboxes() returned empty string")
+	}
+}
+
+func TestServer_ListSandboxes_WithSandboxes(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Add some sandboxes
+	env.AddSandbox(&config.SandboxMetadata{
+		Name:        "sandbox1",
+		Template:    "test",
+		NetworkSlot: 1,
+	})
+	env.AddSandbox(&config.SandboxMetadata{
+		Name:        "sandbox2",
+		Template:    "test",
+		NetworkSlot: 2,
+	})
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	result, err := server.ListSandboxes(context.Background())
+	if err != nil {
+		t.Errorf("ListSandboxes() failed: %v", err)
+	}
+
+	// Should contain sandbox names
+	if result == "" {
+		t.Error("ListSandboxes() returned empty string")
+	}
+}
+
+func TestNewServer(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	server := NewServer(env.Paths, env.Runtime)
+
+	if server == nil {
+		t.Fatal("NewServer() returned nil")
+	}
+
+	if server.Paths != env.Paths {
+		t.Error("Server.Paths not set correctly")
+	}
+}
diff --git a/packages/forage-ctl/internal/generator/container.go b/packages/forage-ctl/internal/generator/container.go
new file mode 100644
index 0000000..96bdbf7
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/container.go
@@ -0,0 +1,463 @@
+package generator
+
+import (
+	"bytes"
+	"fmt"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/network"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/reproducibility"
+)
+
+// ContainerConfig holds the configuration for generating a container.
+// All mounts, packages, env vars, and tmpfiles rules come from Contributions.
+type ContainerConfig struct {
+	Name           string
+	NetworkSlot    int
+	AuthorizedKeys []string
+	Template       *config.Template
+	UID            int                     // Host user's UID for the container agent user
+	GID            int                     // Host user's GID for the container agent user
+	Mux            multiplexer.Multiplexer // Multiplexer instance (created by caller)
+	AgentIdentity  *config.AgentIdentity   // Optional agent identity for git authorship (used for Nix template)
+	Runtime        string                  // Runtime backend name (e.g. "nspawn", "docker", "podman")
+
+	// Container user/path configuration (defaults applied if empty)
+	Username     string // Container username (default: "agent")
+	WorkspaceDir string // Container workspace path (default: "/workspace")
+	StateVersion string // NixOS state version (default: "24.11")
+
+	// NixpkgsPath is the nix store path to nixpkgs source, injected as a
+	// literal string into the container's nix registry to avoid an expensive
+	// pkgs.path evaluation (~10s) during container creation.
+	NixpkgsPath string
+
+	// ResourceLimits are optional cgroup limits for the container.
+	ResourceLimits *config.ResourceLimits
+
+	// Contributions from the injection collector (required).
+	// Contains all mounts, packages, env vars, and tmpfiles rules.
+	Contributions *injection.Contributions
+
+	// Reproducibility handles package resolution (required).
+	// Used to resolve Package{Name, Version} to Nix expressions.
+	Reproducibility reproducibility.Reproducibility
+}
+
+// Validate checks that the ContainerConfig has all required fields
+func (c *ContainerConfig) Validate() error {
+	if c.Name == "" {
+		return fmt.Errorf("container name is required")
+	}
+	if c.NetworkSlot < 1 || c.NetworkSlot > 254 {
+		return fmt.Errorf("invalid network slot: %d (must be 1-254)", c.NetworkSlot)
+	}
+	if len(c.AuthorizedKeys) == 0 {
+		return fmt.Errorf("at least one authorized key is required")
+	}
+	if c.Template == nil {
+		return fmt.Errorf("template is required")
+	}
+	if err := c.Template.Validate(); err != nil {
+		return fmt.Errorf("invalid template: %w", err)
+	}
+	if c.Contributions == nil {
+		return fmt.Errorf("contributions is required")
+	}
+	if c.Reproducibility == nil {
+		return fmt.Errorf("reproducibility is required")
+	}
+	return nil
+}
+
+// GenerateNixConfig generates the nix configuration for the container.
+// Returns the generated config and any validation error.
+func GenerateNixConfig(cfg *ContainerConfig) (string, error) {
+	if err := cfg.Validate(); err != nil {
+		return "", fmt.Errorf("invalid container config: %w", err)
+	}
+
+	data := buildTemplateData(cfg)
+
+	var buf bytes.Buffer
+	if err := containerTemplate.Execute(&buf, data); err != nil {
+		return "", fmt.Errorf("failed to execute container template: %w", err)
+	}
+
+	return buf.String(), nil
+}
+
+// buildTemplateData constructs TemplateData from a ContainerConfig.
+// All mounts, packages, env vars, and tmpfiles rules come from Contributions.
+func buildTemplateData(cfg *ContainerConfig) *TemplateData {
+	username := cfg.Username
+	if username == "" {
+		username = "agent"
+	}
+	workspaceDir := cfg.WorkspaceDir
+	if workspaceDir == "" {
+		workspaceDir = "/workspace"
+	}
+	stateVersion := cfg.StateVersion
+	if stateVersion == "" {
+		stateVersion = "24.11"
+	}
+
+	data := &TemplateData{
+		ContainerName:  config.ContainerNameForSlot(cfg.NetworkSlot),
+		Hostname:       cfg.Name,
+		NetworkSlot:    cfg.NetworkSlot,
+		StateVersion:   stateVersion,
+		Username:       username,
+		HomeDir:        "/home/" + username,
+		WorkspaceDir:   workspaceDir,
+		AuthorizedKeys: cfg.AuthorizedKeys,
+		NetworkConfig:  buildNetworkConfig(cfg.Template.Network, cfg.Template.AllowedHosts, cfg.NetworkSlot),
+		UID:            cfg.UID,
+		GID:            cfg.GID,
+		SandboxName:    cfg.Name,
+		Runtime:        cfg.Runtime,
+		NixpkgsPath:    cfg.NixpkgsPath,
+	}
+
+	// Set resource limits if configured
+	if cfg.ResourceLimits != nil && !cfg.ResourceLimits.IsEmpty() {
+		data.ResourceLimits = cfg.ResourceLimits
+	}
+
+	// Use provided multiplexer
+	mux := cfg.Mux
+	if mux == nil {
+		mux = multiplexer.New(multiplexer.TypeTmux) // Default fallback
+	}
+	data.MuxPackages = mux.NixPackages()
+
+	// Compute windows: use explicit config if set, else one window per agent
+	var windows []multiplexer.Window
+	if len(cfg.Template.TmuxWindows) > 0 {
+		for _, w := range cfg.Template.TmuxWindows {
+			windows = append(windows, multiplexer.Window{Name: w.Name, Command: w.Command})
+		}
+	} else {
+		names := make([]string, 0, len(cfg.Template.Agents))
+		for name := range cfg.Template.Agents {
+			names = append(names, name)
+		}
+		sort.Strings(names)
+		for _, name := range names {
+			windows = append(windows, multiplexer.Window{Name: name, Command: name})
+		}
+	}
+	data.MuxInitScript = mux.InitScript(windows)
+
+	// Apply all contributions (mounts, packages, env vars, tmpfiles rules)
+	if cfg.Contributions != nil {
+		applyContributions(data, cfg.Contributions, cfg.Reproducibility)
+	}
+
+	// Set identity fields from AgentIdentity (for Nix template)
+	if cfg.AgentIdentity != nil {
+		data.GitUser = cfg.AgentIdentity.GitUser
+		data.GitEmail = cfg.AgentIdentity.GitEmail
+		if cfg.AgentIdentity.SSHKeyPath != "" {
+			data.SSHKeyName = filepath.Base(cfg.AgentIdentity.SSHKeyPath)
+		}
+	}
+
+	resolveClaudeWrapper(data, cfg)
+
+	return data
+}
+
+func buildNetworkConfig(networkMode string, allowedHosts []string, slot int) string {
+	cfg := &network.Config{
+		Mode:         network.Mode(networkMode),
+		AllowedHosts: allowedHosts,
+		NetworkSlot:  slot,
+	}
+
+	// Default to full if not specified
+	if cfg.Mode == "" {
+		cfg.Mode = network.ModeFull
+	}
+
+	return network.GenerateNixNetworkConfig(cfg)
+}
+
+// resolveClaudeWrapper detects whether a system-prompt.md mount exists and, if
+// the template includes a "claude" agent, configures a shell-script wrapper
+// that passes --append-system-prompt. The raw Claude package is removed from
+// AgentPackages to avoid a buildEnv collision (both provide /bin/claude).
+func resolveClaudeWrapper(data *TemplateData, cfg *ContainerConfig) {
+	for _, m := range data.BindMounts {
+		if strings.HasSuffix(m.Path, "system-prompt.md") {
+			data.SystemPromptFile = m.Path
+			for name, agent := range cfg.Template.Agents {
+				if name == "claude" && agent.PackagePath != "" {
+					data.ClaudePackagePath = agent.PackagePath
+					break
+				}
+			}
+			break
+		}
+	}
+
+	if data.ClaudePackagePath == "" {
+		return
+	}
+
+	resolved := "pkgs." + data.ClaudePackagePath
+	filtered := data.AgentPackages[:0]
+	for _, pkg := range data.AgentPackages {
+		if pkg != resolved {
+			filtered = append(filtered, pkg)
+		}
+	}
+	data.AgentPackages = filtered
+}
+
+// GenerateInnerNixConfig generates the cached inner system NixOS configuration.
+// This is template-level (identical for all sandboxes) and produces a standalone
+// NixOS module that is built via nix-build '<nixpkgs/nixos>' -A system.build.toplevel.
+func GenerateInnerNixConfig(cfg *ContainerConfig) (string, error) {
+	if err := cfg.Validate(); err != nil {
+		return "", fmt.Errorf("invalid container config: %w", err)
+	}
+
+	data := buildInnerTemplateData(cfg)
+
+	var buf bytes.Buffer
+	if err := innerTemplate.Execute(&buf, data); err != nil {
+		return "", fmt.Errorf("failed to execute inner template: %w", err)
+	}
+
+	return buf.String(), nil
+}
+
+// GenerateOuterNixConfig generates the per-sandbox outer container definition.
+// This references a pre-built inner system by store path and adds only the
+// per-sandbox shell (networking, bind mounts). Evaluates in ~0.5s.
+func GenerateOuterNixConfig(data *OuterTemplateData) (string, error) {
+	var buf bytes.Buffer
+	if err := outerTemplate.Execute(&buf, data); err != nil {
+		return "", fmt.Errorf("failed to execute outer template: %w", err)
+	}
+
+	return buf.String(), nil
+}
+
+// buildInnerTemplateData constructs InnerTemplateData from a ContainerConfig.
+// Uses the template name as canonical hostname and generates slot-independent
+// network config.
+func buildInnerTemplateData(cfg *ContainerConfig) *InnerTemplateData {
+	username := cfg.Username
+	if username == "" {
+		username = "agent"
+	}
+	workspaceDir := cfg.WorkspaceDir
+	if workspaceDir == "" {
+		workspaceDir = "/workspace"
+	}
+	stateVersion := cfg.StateVersion
+	if stateVersion == "" {
+		stateVersion = "24.11"
+	}
+
+	data := &InnerTemplateData{
+		TemplateName:   cfg.Template.Name,
+		StateVersion:   stateVersion,
+		Username:       username,
+		HomeDir:        "/home/" + username,
+		WorkspaceDir:   workspaceDir,
+		AuthorizedKeys: cfg.AuthorizedKeys,
+		NetworkConfig:  buildNetworkConfigCached(cfg.Template.Network, cfg.Template.AllowedHosts),
+		UID:            cfg.UID,
+		GID:            cfg.GID,
+		NixpkgsPath:    cfg.NixpkgsPath,
+	}
+
+	// Set resource limits if configured
+	if cfg.ResourceLimits != nil && !cfg.ResourceLimits.IsEmpty() {
+		data.ResourceLimits = cfg.ResourceLimits
+	}
+
+	// Use provided multiplexer
+	mux := cfg.Mux
+	if mux == nil {
+		mux = multiplexer.New(multiplexer.TypeTmux)
+	}
+	data.MuxPackages = mux.NixPackages()
+
+	// Compute windows
+	var windows []multiplexer.Window
+	if len(cfg.Template.TmuxWindows) > 0 {
+		for _, w := range cfg.Template.TmuxWindows {
+			windows = append(windows, multiplexer.Window{Name: w.Name, Command: w.Command})
+		}
+	} else {
+		names := make([]string, 0, len(cfg.Template.Agents))
+		for name := range cfg.Template.Agents {
+			names = append(names, name)
+		}
+		sort.Strings(names)
+		for _, name := range names {
+			windows = append(windows, multiplexer.Window{Name: name, Command: name})
+		}
+	}
+	data.MuxInitScript = mux.InitScript(windows)
+
+	// Apply packages and tmpfiles from contributions (no mounts or env vars for inner)
+	if cfg.Contributions != nil {
+		applyInnerContributions(data, cfg.Contributions, cfg.Reproducibility)
+	}
+
+	// Set identity fields
+	if cfg.AgentIdentity != nil {
+		data.GitUser = cfg.AgentIdentity.GitUser
+		data.GitEmail = cfg.AgentIdentity.GitEmail
+		if cfg.AgentIdentity.SSHKeyPath != "" {
+			data.SSHKeyName = filepath.Base(cfg.AgentIdentity.SSHKeyPath)
+		}
+	}
+
+	// Detect system prompt for claude wrapper
+	resolveClaudeWrapperInner(data, cfg)
+
+	return data
+}
+
+// buildNetworkConfigCached generates slot-independent network configuration.
+func buildNetworkConfigCached(networkMode string, allowedHosts []string) string {
+	cfg := &network.Config{
+		Mode:         network.Mode(networkMode),
+		AllowedHosts: allowedHosts,
+		NetworkSlot:  0, // Not used for cached config
+	}
+
+	if cfg.Mode == "" {
+		cfg.Mode = network.ModeFull
+	}
+
+	return network.GenerateNixNetworkConfigCached(cfg)
+}
+
+// resolveClaudeWrapperInner detects system-prompt.md in contributions and
+// configures the claude wrapper for the inner template.
+func resolveClaudeWrapperInner(data *InnerTemplateData, cfg *ContainerConfig) {
+	if cfg.Contributions == nil {
+		return
+	}
+
+	for _, m := range cfg.Contributions.Mounts {
+		if strings.HasSuffix(m.ContainerPath, "system-prompt.md") {
+			data.SystemPromptFile = m.ContainerPath
+			for name, agent := range cfg.Template.Agents {
+				if name == "claude" && agent.PackagePath != "" {
+					data.ClaudePackagePath = agent.PackagePath
+					break
+				}
+			}
+			break
+		}
+	}
+
+	if data.ClaudePackagePath == "" {
+		return
+	}
+
+	resolved := "pkgs." + data.ClaudePackagePath
+	filtered := data.AgentPackages[:0]
+	for _, pkg := range data.AgentPackages {
+		if pkg != resolved {
+			filtered = append(filtered, pkg)
+		}
+	}
+	data.AgentPackages = filtered
+}
+
+// applyInnerContributions populates inner template data from contributions.
+// Only packages and tmpfiles rules go into the inner system (not mounts or env vars).
+func applyInnerContributions(data *InnerTemplateData, contributions *injection.Contributions, repro reproducibility.Reproducibility) {
+	// Add contributed tmpfiles rules (deduplicated)
+	seen := make(map[string]bool)
+	for _, r := range contributions.TmpfilesRules {
+		if !seen[r] {
+			data.ExtraTmpfilesRules = append(data.ExtraTmpfilesRules, r)
+			seen[r] = true
+		}
+	}
+
+	// Resolve and add contributed packages
+	if repro != nil {
+		existingPkgs := make(map[string]bool)
+		for _, p := range data.MuxPackages {
+			existingPkgs[p] = true
+		}
+		for _, pkg := range contributions.Packages {
+			resolved, err := repro.ResolvePackage(pkg)
+			if err != nil {
+				logging.Warn("skipping unresolvable package", "package", pkg.Name, "error", err)
+				continue
+			}
+			if !existingPkgs[resolved] {
+				data.AgentPackages = append(data.AgentPackages, resolved)
+				existingPkgs[resolved] = true
+			}
+		}
+	}
+}
+
+// applyContributions populates template data from the injection contributions.
+// This is the primary source for mounts, packages, env vars, and tmpfiles rules.
+func applyContributions(data *TemplateData, contributions *injection.Contributions, repro reproducibility.Reproducibility) {
+	// Add all contributed mounts
+	for _, m := range contributions.Mounts {
+		data.BindMounts = append(data.BindMounts, BindMount{
+			Path:     m.ContainerPath,
+			HostPath: m.HostPath,
+			ReadOnly: m.ReadOnly,
+		})
+	}
+
+	// Add all contributed environment variables
+	for _, e := range contributions.EnvVars {
+		data.EnvVars = append(data.EnvVars, EnvVar{
+			Name:  e.Name,
+			Value: e.Value,
+		})
+	}
+
+	// Add contributed tmpfiles rules (deduplicated)
+	seen := make(map[string]bool)
+	for _, r := range contributions.TmpfilesRules {
+		if !seen[r] {
+			data.ExtraTmpfilesRules = append(data.ExtraTmpfilesRules, r)
+			seen[r] = true
+		}
+	}
+
+	// Resolve and add contributed packages
+	if repro != nil {
+		existingPkgs := make(map[string]bool)
+		for _, p := range data.MuxPackages {
+			existingPkgs[p] = true
+		}
+		for _, pkg := range contributions.Packages {
+			resolved, err := repro.ResolvePackage(pkg)
+			if err != nil {
+				logging.Warn("skipping unresolvable package", "package", pkg.Name, "error", err)
+				continue
+			}
+			if !existingPkgs[resolved] {
+				data.AgentPackages = append(data.AgentPackages, resolved)
+				existingPkgs[resolved] = true
+			}
+		}
+	}
+}
diff --git a/packages/forage-ctl/internal/generator/doc.go b/packages/forage-ctl/internal/generator/doc.go
new file mode 100644
index 0000000..8bb170d
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/doc.go
@@ -0,0 +1,40 @@
+// Package generator provides Nix configuration generation for containers.
+//
+// This package generates the Nix expressions that define sandbox containers
+// for systemd-nspawn. Generated configurations include network
+// settings, bind mounts, SSH access, and agent-specific packages.
+//
+// # Container Configuration
+//
+// GenerateNixConfig creates a complete NixOS container configuration:
+//
+//	cfg := &generator.ContainerConfig{
+//	    Name:           "my-sandbox",
+//	    NetworkSlot:    1,
+//	    Workspace:      "/path/to/workspace",
+//	    SecretsPath:    "/run/secrets/my-sandbox",
+//	    AuthorizedKeys: []string{"ssh-ed25519 ..."},
+//	    Template:       template,
+//	    HostConfig:     hostConfig,
+//	    UID:            1000,
+//	    GID:            100,
+//	}
+//
+//	nixExpr := generator.GenerateNixConfig(cfg)
+//
+// # Generated Features
+//
+// The generated configuration includes:
+//   - Private networking with NAT (10.100.X.0/24 subnets)
+//   - SSH access with key authentication
+//   - Workspace bind mount at /workspace
+//   - Nix store shared read-only from host
+//   - Secrets mounted at /run/secrets
+//   - tmux session auto-started for agents
+//   - Network firewall rules based on template settings
+//
+// # Skills Generation
+//
+// GenerateSkills creates markdown documentation for agents running in the
+// sandbox, explaining the environment, available tools, and guidelines.
+package generator
diff --git a/packages/forage-ctl/internal/generator/eval_config.go b/packages/forage-ctl/internal/generator/eval_config.go
new file mode 100644
index 0000000..47cd5d9
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/eval_config.go
@@ -0,0 +1,11 @@
+package generator
+
+import _ "embed"
+
+// EvalConfigNix is the embedded eval-config.nix content.
+// This is a minimal NixOS module evaluator for container configs that imports
+// only the ~7 modules needed (instead of 700+), allowing container configs
+// to evaluate in ~0.5s instead of ~13s.
+//
+//go:embed eval_config.nix
+var EvalConfigNix string
diff --git a/packages/forage-ctl/internal/generator/eval_config.nix b/packages/forage-ctl/internal/generator/eval_config.nix
new file mode 100644
index 0000000..29786b1
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/eval_config.nix
@@ -0,0 +1,114 @@
+# Minimal NixOS module evaluator for container configurations.
+# Imports only ~7 base modules (instead of 700+) to evaluate
+# container configs in ~0.5s instead of ~13s.
+{
+  nixosPath,
+  systemConfig,
+  system ? builtins.currentSystem,
+}:
+
+let
+  # A minimal module set for evaluating container configs.
+  # This significantly reduces evaluation time compared to a full NixOS eval
+  # Compatible with nixpkgs >= 16.09
+  baseModules = [
+    (nixosPath + "/modules/misc/assertions.nix")
+    (nixosPath + "/modules/misc/nixpkgs.nix")
+    (nixosPath + "/modules/misc/extra-arguments.nix")
+    (nixosPath + "/modules/system/activation/top-level.nix")
+    (nixosPath + "/modules/system/etc/etc.nix")
+    (nixosPath + "/modules/system/boot/systemd.nix")
+    nixosContainerModule
+    dummyOptions
+  ];
+
+  nixosContainerModule =
+    let
+      new = nixosPath + "/modules/virtualisation/nixos-containers.nix";
+      old = nixosPath + "/modules/virtualisation/containers.nix"; # For nixpkgs < 20.09)
+    in
+    if builtins.pathExists new then new else old;
+
+  dummyOptions =
+    {
+      pkgs,
+      lib,
+      options,
+      ...
+    }:
+    let
+      optionValue = default: lib.mkOption { inherit default; };
+      dummy = optionValue [ ];
+    in
+    {
+      options = {
+        boot.kernel.sysctl = dummy;
+        boot.kernelModules = dummy;
+        boot.kernelPackages.kernel.version = optionValue "";
+        boot.kernelParams = dummy;
+        boot.loader.systemd-boot.bootCounting.enable = optionValue false;
+        environment.systemPackages = dummy;
+        networking.dhcpcd.denyInterfaces = dummy;
+        networking.hosts = dummy;
+        networking.extraHosts = dummy;
+        networking.proxy.envVars = optionValue { };
+        nix.package = optionValue pkgs.nix;
+        security = dummy;
+        services = {
+          dbus = dummy;
+          logrotate = dummy;
+          udev = dummy;
+          rsyslogd.enable = optionValue false;
+          syslog-ng.enable = optionValue false;
+        };
+        system.activationScripts = dummy;
+        system.fsPackages = dummy;
+        system.nssDatabases = dummy;
+        system.nssModules = dummy;
+        system.path = optionValue "";
+        system.nixos-init.package = optionValue pkgs.hello;
+        system.requiredKernelConfig = dummy;
+        system.stateVersion = optionValue "22.05";
+        time.timeZone = optionValue null;
+        systemd.oomd = dummy;
+        systemd.user.generators = optionValue { };
+        ids.gids.keys = dummy;
+        ids.uids.systemd-coredump = dummy;
+        ids.gids.systemd-journal = dummy;
+        ids.gids.systemd-journal-gateway = dummy;
+        ids.uids.systemd-journal-gateway = dummy;
+        ids.gids.systemd-network = dummy;
+        ids.uids.systemd-network = dummy;
+        ids.uids.systemd-resolve = dummy;
+        ids.gids.systemd-resolve = dummy;
+        users.users.systemd-coredump = dummy;
+        users.users.systemd-network.group = dummy;
+        users.users.systemd-network.uid = dummy;
+        users.users.systemd-resolve.group = dummy;
+        users.users.systemd-resolve.uid = dummy;
+        users.users.systemd-journal-gateway.group = dummy;
+        users.users.systemd-journal-gateway.uid = dummy;
+        users.groups.systemd-coredump = dummy;
+        users.groups.systemd-network.gid = dummy;
+        users.groups.systemd-resolve.gid = dummy;
+        users.groups.keys.gid = dummy;
+        users.groups.systemd-journal.gid = dummy;
+        users.groups.systemd-journal-gateway.gid = dummy;
+      };
+
+      config = {
+        systemd.timers = lib.mkForce { };
+        systemd.targets = lib.mkForce { };
+      }
+      // lib.optionalAttrs (options.systemd ? managerEnvironment) {
+        systemd.managerEnvironment = lib.mkForce { };
+      };
+    };
+
+in
+# Only include the user's systemConfig — no extra convenience modules
+# that would trigger full NixOS module evaluation.
+import (nixosPath + "/lib/eval-config.nix") {
+  inherit baseModules system;
+  modules = [ systemConfig ];
+}
diff --git a/packages/forage-ctl/internal/generator/generator_test.go b/packages/forage-ctl/internal/generator/generator_test.go
new file mode 100644
index 0000000..28fa8f0
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/generator_test.go
@@ -0,0 +1,1729 @@
+package generator
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/reproducibility"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/skills"
+)
+
+// testContributions creates a minimal set of contributions for testing.
+func testContributions() *injection.Contributions {
+	return &injection.Contributions{
+		Mounts: []injection.Mount{
+			{HostPath: "/nix/store", ContainerPath: "/nix/store", ReadOnly: true},
+			{HostPath: "/home/user/project", ContainerPath: "/workspace", ReadOnly: false},
+			{HostPath: "/run/secrets/test-sandbox", ContainerPath: "/run/secrets", ReadOnly: true},
+		},
+		EnvVars: []injection.EnvVar{
+			{Name: "ANTHROPIC_API_KEY", Value: `"$(cat /run/secrets/anthropic 2>/dev/null || echo '')"`},
+		},
+		Packages: []injection.Package{
+			{Name: "claude-code"},
+		},
+		TmpfilesRules: []string{
+			"d /home/agent/.config 0755 agent users -",
+		},
+	}
+}
+
+// validTestConfig returns a valid ContainerConfig for testing
+func validTestConfig() *ContainerConfig {
+	return &ContainerConfig{
+		Name:        "test-sandbox",
+		NetworkSlot: 1,
+		AuthorizedKeys: []string{
+			"ssh-rsa AAAA... user@host",
+		},
+		Template: &config.Template{
+			Name:        "claude",
+			Description: "Claude sandbox",
+			Network:     "full",
+			Agents: map[string]config.AgentConfig{
+				"claude": {
+					PackagePath: "pkgs.claude-code",
+					SecretName:  "anthropic",
+					AuthEnvVar:  "ANTHROPIC_API_KEY",
+				},
+			},
+		},
+		UID:             1000,
+		GID:             100,
+		NixpkgsPath:     "/nix/store/test-nixpkgs",
+		Contributions:   testContributions(),
+		Reproducibility: reproducibility.NewNixReproducibility(),
+	}
+}
+
+func TestGenerateNixConfig(t *testing.T) {
+	cfg := validTestConfig()
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check container name (derived from network slot, not sandbox name)
+	if !strings.Contains(result, "containers.f1") {
+		t.Error("Config should contain short container name derived from network slot")
+	}
+
+	// Check hostname is set to sandbox name
+	if !strings.Contains(result, `networking.hostName = "test-sandbox"`) {
+		t.Error("Config should set hostname to sandbox name")
+	}
+
+	// Check NO port forwarding (we use direct container IP access now)
+	if strings.Contains(result, "forwardPorts") {
+		t.Error("Config should NOT contain forwardPorts (using direct IP access)")
+	}
+
+	// Check network address
+	if !strings.Contains(result, "hostAddress = \"10.100.1.1\"") {
+		t.Error("Config should contain host address based on network slot")
+	}
+	if !strings.Contains(result, "localAddress = \"10.100.1.2\"") {
+		t.Error("Config should contain local address based on network slot")
+	}
+
+	// Check bind mounts
+	if !strings.Contains(result, "/nix/store") {
+		t.Error("Config should mount nix store")
+	}
+	if !strings.Contains(result, "/workspace") {
+		t.Error("Config should mount workspace")
+	}
+	if !strings.Contains(result, "/run/secrets") {
+		t.Error("Config should mount secrets")
+	}
+
+	// Check authorized keys
+	if !strings.Contains(result, "ssh-rsa AAAA") {
+		t.Error("Config should contain authorized keys")
+	}
+
+	// Check nixpkgs registry uses literal store path
+	if !strings.Contains(result, `path = "/nix/store/test-nixpkgs"`) {
+		t.Error("Config should pin nixpkgs registry to literal store path")
+	}
+
+	// Check packages
+	if !strings.Contains(result, "jujutsu") {
+		t.Error("Config should include jujutsu package")
+	}
+}
+
+func TestGenerateNixConfig_HostConfigDir(t *testing.T) {
+	cfg := validTestConfig()
+	// Add agent config dir mount via contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/home/user/.claude",
+		ContainerPath: "/home/agent/.claude",
+		ReadOnly:      false,
+	})
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check that the bind mount is present
+	if !strings.Contains(result, "/home/agent/.claude") {
+		t.Error("Config should contain container config dir path")
+	}
+	if !strings.Contains(result, "/home/user/.claude") {
+		t.Error("Config should contain host config dir path")
+	}
+}
+
+func TestGenerateNixConfig_HostConfigDirReadOnly(t *testing.T) {
+	cfg := validTestConfig()
+	// Add agent config dir mount via contributions as read-only
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/home/user/.claude",
+		ContainerPath: "/home/agent/.claude",
+		ReadOnly:      true,
+	})
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check that the bind mount is present with read-only flag
+	if !strings.Contains(result, "/home/agent/.claude") {
+		t.Error("Config should contain container config dir path")
+	}
+	// The mount should be read-only - look for isReadOnly = true pattern near our mount
+	if !strings.Contains(result, "isReadOnly = true") {
+		t.Error("Config should have at least one read-only mount")
+	}
+}
+
+func TestGenerateNixConfig_MultipleAgentsWithConfigDirs(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Template.Agents = map[string]config.AgentConfig{
+		"claude": {
+			PackagePath: "pkgs.claude-code",
+			SecretName:  "anthropic",
+			AuthEnvVar:  "ANTHROPIC_API_KEY",
+		},
+		"aider": {
+			PackagePath: "pkgs.aider",
+			SecretName:  "openai",
+			AuthEnvVar:  "OPENAI_API_KEY",
+		},
+	}
+	// Add config dir mounts for both agents via contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts,
+		injection.Mount{
+			HostPath:      "/home/user/.claude",
+			ContainerPath: "/home/agent/.claude",
+			ReadOnly:      false,
+		},
+		injection.Mount{
+			HostPath:      "/home/user/.aider",
+			ContainerPath: "/home/agent/.aider",
+			ReadOnly:      false,
+		},
+	)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check both agent config dirs are mounted
+	if !strings.Contains(result, "/home/agent/.claude") {
+		t.Error("Config should contain claude container config dir path")
+	}
+	if !strings.Contains(result, "/home/user/.claude") {
+		t.Error("Config should contain claude host config dir path")
+	}
+	if !strings.Contains(result, "/home/agent/.aider") {
+		t.Error("Config should contain aider container config dir path")
+	}
+	if !strings.Contains(result, "/home/user/.aider") {
+		t.Error("Config should contain aider host config dir path")
+	}
+}
+
+func TestGenerateNixConfig_JJMode(t *testing.T) {
+	cfg := validTestConfig()
+	// Add JJ mount to contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/home/user/myrepo/.jj",
+		ContainerPath: "/home/user/myrepo/.jj",
+		ReadOnly:      false,
+	})
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check JJ bind mount
+	if !strings.Contains(result, "/home/user/myrepo/.jj") {
+		t.Error("Config should contain .jj bind mount from contributions")
+	}
+}
+
+func TestGenerateNixConfig_ClaudeDirMount(t *testing.T) {
+	// Test that mounts in contributions are applied
+	cfg := validTestConfig()
+	// Add .claude mount to contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/home/user/myrepo/.claude",
+		ContainerPath: "/workspace/.claude",
+		ReadOnly:      false,
+	})
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if !strings.Contains(result, "/workspace/.claude") {
+		t.Error("Config should contain .claude bind mount from contributions")
+	}
+}
+
+func TestGenerateNixConfig_NoMountWithoutContribution(t *testing.T) {
+	// Without a mount in contributions, the path should not appear
+	cfg := validTestConfig()
+	// Don't add any .claude mount
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if strings.Contains(result, "/workspace/.claude") {
+		t.Error("should not mount .claude when not in contributions")
+	}
+}
+
+func TestGenerateNixConfig_NetworkModes(t *testing.T) {
+	tests := []struct {
+		network      string
+		allowedHosts []string
+		shouldHave   []string
+		shouldntHave []string
+	}{
+		{
+			network:    "full",
+			shouldHave: []string{"defaultGateway", "nameservers"},
+		},
+		{
+			network:    "none",
+			shouldHave: []string{"nameservers = [ ]", "defaultGateway = null", "policy drop"},
+		},
+		{
+			network:      "restricted",
+			allowedHosts: []string{"api.anthropic.com"},
+			shouldHave:   []string{"nftables", "dnsmasq", "api.anthropic.com", "allowed_ipv4"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.network, func(t *testing.T) {
+			cfg := validTestConfig()
+			cfg.Template.Network = tt.network
+			cfg.Template.AllowedHosts = tt.allowedHosts
+
+			result, err := GenerateNixConfig(cfg)
+			if err != nil {
+				t.Fatalf("GenerateNixConfig failed: %v", err)
+			}
+
+			for _, s := range tt.shouldHave {
+				if !strings.Contains(result, s) {
+					t.Errorf("Network mode %q should contain %q", tt.network, s)
+				}
+			}
+
+			for _, s := range tt.shouldntHave {
+				if strings.Contains(result, s) {
+					t.Errorf("Network mode %q should not contain %q", tt.network, s)
+				}
+			}
+		})
+	}
+}
+
+func TestGenerateNixConfig_ProxyMode(t *testing.T) {
+	cfg := validTestConfig()
+	// Add proxy env vars via contributions
+	cfg.Contributions.EnvVars = append(cfg.Contributions.EnvVars,
+		injection.EnvVar{Name: "ANTHROPIC_BASE_URL", Value: `"http://10.100.1.1:8080"`},
+		injection.EnvVar{Name: "ANTHROPIC_AUTH_TOKEN", Value: `"ignored-by-proxy"`},
+		injection.EnvVar{Name: "ANTHROPIC_CUSTOM_HEADERS", Value: `"X-Forage-Sandbox: test-sandbox"`},
+	)
+	// Remove the direct secret reading env var
+	cfg.Contributions.EnvVars = []injection.EnvVar{
+		{Name: "ANTHROPIC_BASE_URL", Value: `"http://10.100.1.1:8080"`},
+		{Name: "ANTHROPIC_AUTH_TOKEN", Value: `"ignored-by-proxy"`},
+		{Name: "ANTHROPIC_CUSTOM_HEADERS", Value: `"X-Forage-Sandbox: test-sandbox"`},
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should contain proxy environment variables
+	if !strings.Contains(result, "ANTHROPIC_BASE_URL") {
+		t.Error("Config should contain ANTHROPIC_BASE_URL when proxy is enabled")
+	}
+	if !strings.Contains(result, "http://10.100.1.1:8080") {
+		t.Error("Config should contain proxy URL")
+	}
+	if !strings.Contains(result, "X-Forage-Sandbox") {
+		t.Error("Config should contain X-Forage-Sandbox header")
+	}
+	if !strings.Contains(result, "test-sandbox") {
+		t.Error("Config should contain sandbox name in header")
+	}
+	// Should NOT contain direct secret reading when proxy is enabled
+	if strings.Contains(result, "cat /run/secrets/anthropic") {
+		t.Error("Config should not read secrets directly when proxy is enabled")
+	}
+}
+
+func TestGenerateNixConfig_NoProxy(t *testing.T) {
+	cfg := validTestConfig()
+	// Default testContributions has direct secret reading, no proxy env vars
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should contain direct secret reading
+	if !strings.Contains(result, "cat /run/secrets/anthropic") {
+		t.Error("Config should read secrets directly when proxy is disabled")
+	}
+	// Should NOT contain proxy URL
+	if strings.Contains(result, "ANTHROPIC_BASE_URL") {
+		t.Error("Config should not contain ANTHROPIC_BASE_URL when proxy is disabled")
+	}
+}
+
+func TestContainerConfig_Validate(t *testing.T) {
+	tests := []struct {
+		name    string
+		modify  func(*ContainerConfig)
+		wantErr string
+	}{
+		{
+			name:    "valid config",
+			modify:  func(c *ContainerConfig) {},
+			wantErr: "",
+		},
+		{
+			name:    "missing name",
+			modify:  func(c *ContainerConfig) { c.Name = "" },
+			wantErr: "container name is required",
+		},
+		{
+			name:    "invalid network slot (zero)",
+			modify:  func(c *ContainerConfig) { c.NetworkSlot = 0 },
+			wantErr: "invalid network slot",
+		},
+		{
+			name:    "invalid network slot (too high)",
+			modify:  func(c *ContainerConfig) { c.NetworkSlot = 300 },
+			wantErr: "invalid network slot",
+		},
+		{
+			name:    "missing contributions",
+			modify:  func(c *ContainerConfig) { c.Contributions = nil },
+			wantErr: "contributions is required",
+		},
+		{
+			name:    "missing authorized keys",
+			modify:  func(c *ContainerConfig) { c.AuthorizedKeys = nil },
+			wantErr: "at least one authorized key is required",
+		},
+		{
+			name:    "missing template",
+			modify:  func(c *ContainerConfig) { c.Template = nil },
+			wantErr: "template is required",
+		},
+		{
+			name:    "missing reproducibility",
+			modify:  func(c *ContainerConfig) { c.Reproducibility = nil },
+			wantErr: "reproducibility is required",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := validTestConfig()
+			tt.modify(cfg)
+
+			err := cfg.Validate()
+			if tt.wantErr == "" {
+				if err != nil {
+					t.Errorf("Validate() unexpected error: %v", err)
+				}
+			} else {
+				if err == nil {
+					t.Errorf("Validate() expected error containing %q, got nil", tt.wantErr)
+				} else if !strings.Contains(err.Error(), tt.wantErr) {
+					t.Errorf("Validate() error = %q, want containing %q", err.Error(), tt.wantErr)
+				}
+			}
+		})
+	}
+}
+
+func TestGenerateSystemPrompt(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "direct",
+	}
+
+	tmpl := &config.Template{
+		Name:        "claude",
+		Description: "Claude sandbox",
+		Network:     "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				AuthEnvVar: "ANTHROPIC_API_KEY",
+			},
+		},
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if !strings.Contains(result, "test-sandbox") {
+		t.Error("System prompt should contain sandbox name")
+	}
+	if !strings.Contains(result, "claude") {
+		t.Error("System prompt should contain template name")
+	}
+	if !strings.Contains(result, "/workspace") {
+		t.Error("System prompt should mention workspace")
+	}
+	if !strings.Contains(result, "Full network access") {
+		t.Error("System prompt should mention network mode")
+	}
+}
+
+func TestGenerateSystemPrompt_JJMode(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "jj",
+		SourceRepo:    "/home/user/myrepo",
+	}
+
+	tmpl := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if !strings.Contains(result, "jj workspace") {
+		t.Error("System prompt should mention jj workspace mode")
+	}
+	if !strings.Contains(result, "/home/user/myrepo") {
+		t.Error("System prompt should mention source repo")
+	}
+}
+
+func TestGenerateSystemPrompt_NetworkModes(t *testing.T) {
+	tests := []struct {
+		network    string
+		shouldHave string
+	}{
+		{"full", "Full network access"},
+		{"none", "No network access"},
+		{"restricted", "Restricted network"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.network, func(t *testing.T) {
+			metadata := &config.SandboxMetadata{
+				Name:     "test",
+				Template: "test",
+			}
+			tmpl := &config.Template{
+				Network: tt.network,
+			}
+
+			result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+			if !strings.Contains(result, tt.shouldHave) {
+				t.Errorf("System prompt for network %q should contain %q\nGot:\n%s", tt.network, tt.shouldHave, result)
+			}
+		})
+	}
+}
+
+func TestGenerateSystemPrompt_RestrictedHosts(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test",
+		Template: "test",
+	}
+	tmpl := &config.Template{
+		Network:      "restricted",
+		AllowedHosts: []string{"api.anthropic.com", "github.com"},
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if !strings.Contains(result, "api.anthropic.com") {
+		t.Error("System prompt should list allowed hosts")
+	}
+	if !strings.Contains(result, "github.com") {
+		t.Error("System prompt should list allowed hosts")
+	}
+}
+
+func TestGenerateSystemPrompt_Identity(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test",
+		Template: "claude",
+		AgentIdentity: &config.AgentIdentity{
+			GitUser:    "Bot",
+			GitEmail:   "bot@test.com",
+			SSHKeyPath: "/key",
+		},
+	}
+	tmpl := &config.Template{
+		Network: "full",
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if !strings.Contains(result, "Identity") {
+		t.Error("System prompt should have identity info")
+	}
+	if !strings.Contains(result, "Bot") {
+		t.Error("System prompt should contain git user name")
+	}
+	if !strings.Contains(result, "bot@test.com") {
+		t.Error("System prompt should contain git email")
+	}
+	if !strings.Contains(result, "SSH key available") {
+		t.Error("System prompt should mention SSH key")
+	}
+}
+
+func TestGenerateSystemPrompt_IdentityGitOnly(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test",
+		Template: "claude",
+		AgentIdentity: &config.AgentIdentity{
+			GitUser: "Bot",
+		},
+	}
+	tmpl := &config.Template{
+		Network: "full",
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if !strings.Contains(result, "Identity") {
+		t.Error("System prompt should have identity info")
+	}
+	if strings.Contains(result, "SSH key") {
+		t.Error("System prompt should not mention SSH key when not set")
+	}
+}
+
+func TestGenerateSystemPrompt_NoIdentity(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test",
+		Template: "claude",
+	}
+	tmpl := &config.Template{
+		Network: "full",
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if strings.Contains(result, "Identity") {
+		t.Error("System prompt should not have identity info when none configured")
+	}
+}
+
+func TestGenerateSystemPrompt_WithAgents(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test",
+		Template: "multi",
+	}
+	tmpl := &config.Template{
+		Network: "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				AuthEnvVar: "ANTHROPIC_API_KEY",
+			},
+			"opencode": {
+				AuthEnvVar: "OPENAI_API_KEY",
+			},
+		},
+	}
+
+	result := skills.GenerateSystemPrompt(metadata, tmpl)
+
+	if !strings.Contains(result, "Agents") {
+		t.Error("System prompt should have agents info")
+	}
+	if !strings.Contains(result, "claude") {
+		t.Error("System prompt should list claude agent")
+	}
+	if !strings.Contains(result, "opencode") {
+		t.Error("System prompt should list opencode agent")
+	}
+}
+
+func TestGenerateSkillFiles_VCS(t *testing.T) {
+	tests := []struct {
+		name       string
+		metadata   *config.SandboxMetadata
+		info       *skills.ProjectInfo
+		wantSkill  bool
+		shouldHave []string
+	}{
+		{
+			name: "jj mode",
+			metadata: &config.SandboxMetadata{
+				Name:          "test",
+				Template:      "test",
+				WorkspaceMode: "jj",
+			},
+			wantSkill:  true,
+			shouldHave: []string{"jj status", "jj diff", "isolated jj workspace"},
+		},
+		{
+			name: "git-worktree mode",
+			metadata: &config.SandboxMetadata{
+				Name:          "test",
+				Template:      "test",
+				WorkspaceMode: "git-worktree",
+				GitBranch:     "test-branch",
+			},
+			wantSkill:  true,
+			shouldHave: []string{"git status", "test-branch", "Git Worktree"},
+		},
+		{
+			name: "plain git",
+			metadata: &config.SandboxMetadata{
+				Name:     "test",
+				Template: "test",
+			},
+			info:      &skills.ProjectInfo{HasGit: true},
+			wantSkill: false,
+		},
+		{
+			name: "no vcs",
+			metadata: &config.SandboxMetadata{
+				Name:     "test",
+				Template: "test",
+			},
+			info:      &skills.ProjectInfo{},
+			wantSkill: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpl := &config.Template{Network: "full"}
+			result := skills.GenerateSkillFiles(tt.metadata, tmpl, tt.info)
+			vcs, ok := result["forage-vcs"]
+			if tt.wantSkill && !ok {
+				t.Fatal("expected forage-vcs skill file")
+			}
+			if !tt.wantSkill && ok {
+				t.Fatal("did not expect forage-vcs skill file")
+			}
+			for _, s := range tt.shouldHave {
+				if !strings.Contains(vcs, s) {
+					t.Errorf("forage-vcs should contain %q\nGot:\n%s", s, vcs)
+				}
+			}
+		})
+	}
+}
+
+func TestGenerateSkillFiles_Nix(t *testing.T) {
+	tmpl := &config.Template{Network: "full"}
+	metadata := &config.SandboxMetadata{Name: "test", Template: "test"}
+
+	info := &skills.ProjectInfo{HasNixFlake: true}
+	result := skills.GenerateSkillFiles(metadata, tmpl, info)
+	nix, ok := result["forage-nix"]
+	if !ok {
+		t.Fatal("expected forage-nix skill file")
+	}
+
+	for _, s := range []string{"nix build", "nix develop", "nix flake check"} {
+		if !strings.Contains(nix, s) {
+			t.Errorf("forage-nix should contain %q", s)
+		}
+	}
+}
+
+func TestGenerateSkillFiles_Empty(t *testing.T) {
+	tmpl := &config.Template{Network: "full"}
+	metadata := &config.SandboxMetadata{Name: "test", Template: "test"}
+
+	result := skills.GenerateSkillFiles(metadata, tmpl, nil)
+	if len(result) != 0 {
+		t.Errorf("expected empty skill files map, got %d entries", len(result))
+	}
+}
+
+// Golden test configuration helpers
+
+func goldenTestConfig() *ContainerConfig {
+	return &ContainerConfig{
+		Name:        "test-sandbox",
+		NetworkSlot: 1,
+		AuthorizedKeys: []string{
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host",
+		},
+		Template: &config.Template{
+			Name:        "claude",
+			Description: "Claude sandbox",
+			Network:     "full",
+			Agents: map[string]config.AgentConfig{
+				"claude": {
+					PackagePath: "pkgs.claude-code",
+					SecretName:  "anthropic",
+					AuthEnvVar:  "ANTHROPIC_API_KEY",
+				},
+			},
+		},
+		UID:             1000,
+		GID:             100,
+		NixpkgsPath:     "/nix/store/test-nixpkgs",
+		Contributions:   testContributions(),
+		Reproducibility: reproducibility.NewNixReproducibility(),
+	}
+}
+
+func readGoldenFile(t *testing.T, name string) string {
+	t.Helper()
+	path := filepath.Join("testdata", name)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("failed to read golden file %s: %v", path, err)
+	}
+	return string(data)
+}
+
+func TestGenerateNixConfig_Golden(t *testing.T) {
+	tests := []struct {
+		name       string
+		modifyFunc func(*ContainerConfig)
+		goldenFile string
+	}{
+		{
+			name:       "basic",
+			modifyFunc: func(c *ContainerConfig) {},
+			goldenFile: "basic_container.nix",
+		},
+		{
+			name: "jj_mode",
+			modifyFunc: func(c *ContainerConfig) {
+				// Change workspace mount to jj workspace path and add .jj and .git mounts
+				c.Contributions.Mounts = []injection.Mount{
+					{HostPath: "/nix/store", ContainerPath: "/nix/store", ReadOnly: true},
+					{HostPath: "/var/lib/forage/workspaces/test-sandbox", ContainerPath: "/workspace", ReadOnly: false},
+					{HostPath: "/run/secrets/test-sandbox", ContainerPath: "/run/secrets", ReadOnly: true},
+					{HostPath: "/home/user/myrepo/.jj", ContainerPath: "/home/user/myrepo/.jj", ReadOnly: false},
+					{HostPath: "/home/user/myrepo/.git", ContainerPath: "/home/user/myrepo/.git", ReadOnly: false},
+				}
+			},
+			goldenFile: "jj_mode_container.nix",
+		},
+		{
+			name: "proxy_mode",
+			modifyFunc: func(c *ContainerConfig) {
+				// Replace direct secret reading with proxy env vars
+				c.Contributions.EnvVars = []injection.EnvVar{
+					{Name: "ANTHROPIC_BASE_URL", Value: `"http://10.100.1.1:8080"`},
+					{Name: "ANTHROPIC_AUTH_TOKEN", Value: `"ignored-by-proxy"`},
+					{Name: "ANTHROPIC_CUSTOM_HEADERS", Value: `"X-Forage-Sandbox: test-sandbox"`},
+				}
+			},
+			goldenFile: "proxy_mode_container.nix",
+		},
+		{
+			name: "no_network",
+			modifyFunc: func(c *ContainerConfig) {
+				c.Template.Network = "none"
+			},
+			goldenFile: "no_network_container.nix",
+		},
+		{
+			name: "read_only_workspace",
+			modifyFunc: func(c *ContainerConfig) {
+				for i := range c.Contributions.Mounts {
+					if c.Contributions.Mounts[i].ContainerPath == "/workspace" {
+						c.Contributions.Mounts[i].ReadOnly = true
+					}
+				}
+			},
+			goldenFile: "read_only_workspace_container.nix",
+		},
+		{
+			name: "resource_limits",
+			modifyFunc: func(c *ContainerConfig) {
+				c.ResourceLimits = &config.ResourceLimits{
+					CPUQuota:  "200%",
+					MemoryMax: "4G",
+					TasksMax:  512,
+				}
+			},
+			goldenFile: "resource_limits_container.nix",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := goldenTestConfig()
+			tt.modifyFunc(cfg)
+
+			result, err := GenerateNixConfig(cfg)
+			if err != nil {
+				t.Fatalf("GenerateNixConfig failed: %v", err)
+			}
+
+			golden := readGoldenFile(t, tt.goldenFile)
+			if result != golden {
+				// To regenerate golden files, run:
+				// UPDATE_GOLDEN=1 go test -run TestGenerateNixConfig_Golden ./internal/generator/...
+				if os.Getenv("UPDATE_GOLDEN") == "1" {
+					path := filepath.Join("testdata", tt.goldenFile)
+					if err := os.WriteFile(path, []byte(result), 0644); err != nil {
+						t.Fatalf("failed to update golden file: %v", err)
+					}
+					t.Logf("Updated golden file: %s", path)
+					return
+				}
+				t.Errorf("Generated config does not match golden file %s.\nRun with UPDATE_GOLDEN=1 to regenerate.\nGot:\n%s\nWant:\n%s", tt.goldenFile, result, golden)
+			}
+		})
+	}
+}
+
+func TestGenerateNixConfig_PermissionsMounts(t *testing.T) {
+	cfg := validTestConfig()
+	// Add permissions mount via contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/var/lib/forage/sandboxes/test-sandbox.claude-permissions.json",
+		ContainerPath: "/etc/claude-code/managed-settings.json",
+		ReadOnly:      true,
+	})
+	cfg.Contributions.TmpfilesRules = append(cfg.Contributions.TmpfilesRules,
+		"d /etc/claude-code 0755 root root -",
+	)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check bind mount is present
+	if !strings.Contains(result, "/etc/claude-code/managed-settings.json") {
+		t.Error("Config should contain permissions container path")
+	}
+	if !strings.Contains(result, "/var/lib/forage/sandboxes/test-sandbox.claude-permissions.json") {
+		t.Error("Config should contain permissions host path")
+	}
+	// Check that the mount is read-only
+	if !strings.Contains(result, "isReadOnly = true") || !strings.Contains(result, "/var/lib/forage/sandboxes/test-sandbox.claude-permissions.json") {
+		t.Error("Permissions mount should be read-only")
+	}
+
+	// Check tmpfiles rule for parent directory
+	if !strings.Contains(result, "d /etc/claude-code 0755 root root -") {
+		t.Error("Config should contain tmpfiles rule for permissions directory")
+	}
+}
+
+func TestGenerateNixConfig_NoPermissionsMounts(t *testing.T) {
+	cfg := validTestConfig()
+	// Default testContributions has no permissions mounts
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should not contain any permissions-related mount
+	if strings.Contains(result, "managed-settings.json") {
+		t.Error("Config should not contain permissions mount when none configured")
+	}
+	if strings.Contains(result, "/etc/claude-code") {
+		t.Error("Config should not contain claude-code dir when no permissions configured")
+	}
+}
+
+func TestGenerateNixConfig_IdentityGitOnly(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.AgentIdentity = &config.AgentIdentity{
+		GitUser:  "Agent Bot",
+		GitEmail: "agent@example.com",
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should contain identity service with git config
+	if !strings.Contains(result, "forage-agent-identity") {
+		t.Error("Config should contain forage-agent-identity service")
+	}
+	if !strings.Contains(result, "user.name") {
+		t.Error("Config should set git user.name")
+	}
+	if !strings.Contains(result, "Agent Bot") {
+		t.Error("Config should contain git user name")
+	}
+	if !strings.Contains(result, "user.email") {
+		t.Error("Config should set git user.email")
+	}
+	if !strings.Contains(result, "agent@example.com") {
+		t.Error("Config should contain git user email")
+	}
+	// Should NOT have SSH key mounts
+	if strings.Contains(result, "/home/agent/.ssh/id_ed25519") {
+		t.Error("Config should not have SSH key mount without SSHKeyPath")
+	}
+}
+
+func TestGenerateNixConfig_IdentityWithSSHKey(t *testing.T) {
+	// Create temp SSH key files
+	tmpDir := t.TempDir()
+	keyPath := filepath.Join(tmpDir, "id_ed25519")
+	os.WriteFile(keyPath, []byte("key"), 0600)
+	os.WriteFile(keyPath+".pub", []byte("pub"), 0644)
+
+	cfg := validTestConfig()
+	cfg.AgentIdentity = &config.AgentIdentity{
+		GitUser:    "Agent Bot",
+		GitEmail:   "agent@example.com",
+		SSHKeyPath: keyPath,
+	}
+	// Add SSH key mounts via contributions (as the identity contributor would)
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts,
+		injection.Mount{
+			HostPath:      keyPath,
+			ContainerPath: "/home/agent/.ssh/id_ed25519",
+			ReadOnly:      true,
+		},
+		injection.Mount{
+			HostPath:      keyPath + ".pub",
+			ContainerPath: "/home/agent/.ssh/id_ed25519.pub",
+			ReadOnly:      true,
+		},
+	)
+	cfg.Contributions.TmpfilesRules = append(cfg.Contributions.TmpfilesRules,
+		"d /home/agent/.ssh 0700 agent users -",
+	)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should contain SSH key bind mounts
+	if !strings.Contains(result, "/home/agent/.ssh/id_ed25519") {
+		t.Error("Config should mount SSH private key")
+	}
+	if !strings.Contains(result, keyPath) {
+		t.Error("Config should reference host SSH key path")
+	}
+	if !strings.Contains(result, keyPath+".pub") {
+		t.Error("Config should mount SSH public key")
+	}
+	// SSH config should be written via init commands
+	if !strings.Contains(result, "IdentityFile") {
+		t.Error("Config should write SSH config with IdentityFile")
+	}
+	if !strings.Contains(result, "StrictHostKeyChecking accept-new") {
+		t.Error("Config should set StrictHostKeyChecking")
+	}
+	// Should have tmpfiles rule for .ssh directory
+	if !strings.Contains(result, "d /home/agent/.ssh 0700 agent users -") {
+		t.Error("Config should have tmpfiles rule for .ssh directory")
+	}
+}
+
+func TestGenerateNixConfig_NoIdentity(t *testing.T) {
+	cfg := validTestConfig()
+	// AgentIdentity is nil by default
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if strings.Contains(result, "forage-agent-identity") {
+		t.Error("Config should not contain identity service when no identity")
+	}
+	if strings.Contains(result, "/home/agent/.ssh") {
+		t.Error("Config should not have .ssh mount when no identity")
+	}
+}
+
+func TestNixEscapeIndented(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{"plain", "hello", "hello"},
+		{"nix interpolation", "x${y}z", "x''${y}z"},
+		{"no double quote escape needed", `say "hi"`, `say "hi"`},
+		{"multiple interpolations", "${a}${b}", "''${a}''${b}"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := nixEscapeIndented(tt.input)
+			if got != tt.expected {
+				t.Errorf("nixEscapeIndented(%q) = %q, want %q", tt.input, got, tt.expected)
+			}
+		})
+	}
+}
+
+func TestNixEscape(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{"plain", "hello", "hello"},
+		{"double quote", `say "hi"`, `say \"hi\"`},
+		{"backslash", `a\b`, `a\\b`},
+		{"nix interpolation", "x${y}z", `x\${y}z`},
+		{"combined", `a"b\c${d}`, `a\"b\\c\${d}`},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := nixEscape(tt.input)
+			if got != tt.expected {
+				t.Errorf("nixEscape(%q) = %q, want %q", tt.input, got, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGenerateNixConfig_IdentityEscaping(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.AgentIdentity = &config.AgentIdentity{
+		GitUser:  "Jane Doe",
+		GitEmail: "jane.doe@example.com",
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Identity service now uses writeShellScript with nixEscapeIndented
+	if !strings.Contains(result, "writeShellScript \"forage-agent-identity\"") {
+		t.Errorf("Config should use writeShellScript for identity service, got:\n%s", result)
+	}
+	// shellQuote wraps names with spaces in single quotes; nixEscapeIndented is a no-op for those
+	if !strings.Contains(result, `user.name 'Jane Doe'`) {
+		t.Errorf("Config should contain properly escaped user.name, got:\n%s", result)
+	}
+	if !strings.Contains(result, `user.email jane.doe@example.com`) {
+		t.Errorf("Config should contain properly escaped user.email, got:\n%s", result)
+	}
+	// Should NOT use bash -c for identity (old quoting bug)
+	if strings.Contains(result, `bash -c '`) {
+		t.Error("Identity service should NOT use bash -c (old quoting bug)")
+	}
+}
+
+func TestGenerateNixConfig_IdentityWriteShellScript(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.AgentIdentity = &config.AgentIdentity{
+		GitUser:  "Agent Bot",
+		GitEmail: "agent@example.com",
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should use writeShellScript, not bash -c
+	if !strings.Contains(result, "writeShellScript \"forage-agent-identity\"") {
+		t.Error("forage-agent-identity should use writeShellScript")
+	}
+	if !strings.Contains(result, "set -euo pipefail") {
+		t.Error("forage-agent-identity script should use set -euo pipefail")
+	}
+}
+
+func TestGenerateNixConfig_IdentityNameWithSpaces(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.AgentIdentity = &config.AgentIdentity{
+		GitUser:  "Yann Hodique",
+		GitEmail: "yann@firefly.engineering",
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// The full name must survive quoting — this was the original bug
+	if !strings.Contains(result, `user.name 'Yann Hodique'`) {
+		t.Errorf("Config should contain full name with spaces, got:\n%s", result)
+	}
+	if !strings.Contains(result, `user.email yann@firefly.engineering`) {
+		t.Errorf("Config should contain email, got:\n%s", result)
+	}
+	// Both git and jj config commands should be present
+	if !strings.Contains(result, "git config --global user.name") {
+		t.Error("Config should set git user.name")
+	}
+	if !strings.Contains(result, "jj config set --user user.name") {
+		t.Error("Config should set jj user.name")
+	}
+}
+
+func TestGenerateNixConfig_SystemPromptMount(t *testing.T) {
+	cfg := validTestConfig()
+	// Add system prompt mount via contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/var/lib/forage/sandboxes/test-sandbox.system-prompt.md",
+		ContainerPath: "/home/agent/.config/forage/system-prompt.md",
+		ReadOnly:      true,
+	})
+	cfg.Contributions.TmpfilesRules = append(cfg.Contributions.TmpfilesRules,
+		"d /home/agent/.config/forage 0755 agent users -",
+	)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// System prompt file should be bind-mounted read-only
+	if !strings.Contains(result, "/home/agent/.config/forage/system-prompt.md") {
+		t.Error("Config should mount system prompt at container path")
+	}
+	if !strings.Contains(result, "/var/lib/forage/sandboxes/test-sandbox.system-prompt.md") {
+		t.Error("Config should reference host system prompt path")
+	}
+	// Should have tmpfiles rule for parent directory
+	if !strings.Contains(result, "d /home/agent/.config/forage 0755 agent users -") {
+		t.Error("Config should have tmpfiles rule for forage config directory")
+	}
+}
+
+func TestGenerateNixConfig_SkillsMount(t *testing.T) {
+	cfg := validTestConfig()
+	// Add skills mount via contributions
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/var/lib/forage/sandboxes/test-sandbox.skills",
+		ContainerPath: "/home/agent/.claude/skills",
+		ReadOnly:      true,
+	})
+	cfg.Contributions.TmpfilesRules = append(cfg.Contributions.TmpfilesRules,
+		"d /home/agent/.claude 0755 agent users -",
+	)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Skills directory should be bind-mounted read-only
+	if !strings.Contains(result, "/home/agent/.claude/skills") {
+		t.Error("Config should mount skills directory")
+	}
+	if !strings.Contains(result, "/var/lib/forage/sandboxes/test-sandbox.skills") {
+		t.Error("Config should reference host skills path")
+	}
+	// Should have tmpfiles rules
+	if !strings.Contains(result, "d /home/agent/.claude 0755 agent users -") {
+		t.Error("Config should have tmpfiles rule for .claude directory")
+	}
+}
+
+func TestGenerateNixConfig_ClaudeWrapper(t *testing.T) {
+	cfg := validTestConfig()
+	// Remove claude-code from packages since the wrapper replaces it
+	cfg.Contributions.Packages = nil
+	// Add system prompt mount via contributions - this triggers the wrapper
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/var/lib/forage/sandboxes/test-sandbox.system-prompt.md",
+		ContainerPath: "/home/agent/.config/forage/system-prompt.md",
+		ReadOnly:      true,
+	})
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// When a system-prompt.md mount exists and claude agent exists, should emit wrapper
+	if !strings.Contains(result, "writeShellScriptBin") {
+		t.Error("Config should contain writeShellScriptBin wrapper for claude")
+	}
+	if !strings.Contains(result, "--append-system-prompt") {
+		t.Error("Config should contain --append-system-prompt flag")
+	}
+	if !strings.Contains(result, "system-prompt.md") {
+		t.Error("Config should reference system prompt file in wrapper")
+	}
+	// Raw claude package should NOT be in systemPackages when wrapper is used
+	if strings.Contains(result, "        pkgs.claude-code\n") {
+		t.Error("Config should NOT include raw claude package when wrapper is used")
+	}
+}
+
+func TestGenerateNixConfig_NoClaudeWrapper_WithoutPrompt(t *testing.T) {
+	cfg := validTestConfig()
+	// No system-prompt.md mount — claude should be added as raw package
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if strings.Contains(result, "writeShellScriptBin") {
+		t.Error("Config should NOT contain wrapper when no system prompt")
+	}
+	if !strings.Contains(result, "pkgs.claude-code") {
+		t.Error("Config should contain raw claude package when no system prompt")
+	}
+}
+
+func TestGenerateNixConfig_NonClaudeAgent_NoWrapper(t *testing.T) {
+	cfg := validTestConfig()
+	// Add system prompt mount but replace claude with a non-claude agent
+	cfg.Contributions.Mounts = append(cfg.Contributions.Mounts, injection.Mount{
+		HostPath:      "/var/lib/forage/sandboxes/test-sandbox.system-prompt.md",
+		ContainerPath: "/home/agent/.config/forage/system-prompt.md",
+		ReadOnly:      true,
+	})
+	cfg.Template.Agents = map[string]config.AgentConfig{
+		"aider": {
+			PackagePath: "pkgs.aider",
+			SecretName:  "openai",
+			AuthEnvVar:  "OPENAI_API_KEY",
+		},
+	}
+	// Replace claude-code package with aider package
+	cfg.Contributions.Packages = []injection.Package{
+		{Name: "aider"},
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Non-claude agents should not get a wrapper
+	if strings.Contains(result, "writeShellScriptBin") {
+		t.Error("Config should NOT contain wrapper for non-claude agent")
+	}
+	if !strings.Contains(result, "pkgs.aider") {
+		t.Error("Config should contain raw aider package")
+	}
+}
+
+func TestGenerateNixConfig_DefaultTmuxWindows(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Template.Agents = map[string]config.AgentConfig{
+		"claude": {
+			PackagePath: "pkgs.claude-code",
+			SecretName:  "anthropic",
+			AuthEnvVar:  "ANTHROPIC_API_KEY",
+		},
+		"aider": {
+			PackagePath: "pkgs.aider",
+			SecretName:  "openai",
+			AuthEnvVar:  "OPENAI_API_KEY",
+		},
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Default: one window per agent, sorted by name (aider, claude)
+	if !strings.Contains(result, "new-session -d -s forage -c /workspace -n aider") {
+		t.Error("First tmux window should be 'aider' (sorted)")
+	}
+	if !strings.Contains(result, "new-window -t forage -n claude") {
+		t.Error("Second tmux window should be 'claude' (sorted)")
+	}
+	if !strings.Contains(result, "send-keys -t forage:aider aider Enter") {
+		t.Error("Should send-keys for aider window")
+	}
+	if !strings.Contains(result, "send-keys -t forage:claude claude Enter") {
+		t.Error("Should send-keys for claude window")
+	}
+}
+
+func TestGenerateNixConfig_ExplicitTmuxWindows(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Template.TmuxWindows = []config.TmuxWindow{
+		{Name: "claude", Command: "claude"},
+		{Name: "shell", Command: ""},
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// First window: claude with command
+	if !strings.Contains(result, "new-session -d -s forage -c /workspace -n claude") {
+		t.Error("First tmux window should be 'claude'")
+	}
+	if !strings.Contains(result, "send-keys -t forage:claude claude Enter") {
+		t.Error("Should send-keys for claude window")
+	}
+	// Second window: shell with no command
+	if !strings.Contains(result, "new-window -t forage -n shell") {
+		t.Error("Second tmux window should be 'shell'")
+	}
+	// Shell window has empty command — no send-keys
+	if strings.Contains(result, "send-keys -t forage:shell") {
+		t.Error("Should NOT send-keys for shell window (empty command)")
+	}
+}
+
+func TestGenerateNixConfig_TmuxWriteShellScript(t *testing.T) {
+	cfg := validTestConfig()
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should use writeShellScript, not bash -c
+	if !strings.Contains(result, "writeShellScript") {
+		t.Error("forage-init should use writeShellScript")
+	}
+	if strings.Contains(result, "${pkgs.bash}/bin/bash -c") {
+		t.Error("forage-init should NOT use bash -c anymore")
+	}
+}
+
+func TestGenerateNixConfig_WeztermMultiplexer(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Mux = multiplexer.New(multiplexer.TypeWezterm)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should contain wezterm package instead of tmux
+	if !strings.Contains(result, "wezterm") {
+		t.Error("Config should contain wezterm package")
+	}
+	if strings.Contains(result, "\n        tmux\n") {
+		t.Error("Config should NOT contain tmux package when using wezterm")
+	}
+	// Should use wezterm-mux-server in init script
+	if !strings.Contains(result, "wezterm-mux-server") {
+		t.Error("Config should contain wezterm-mux-server in init script")
+	}
+}
+
+func TestGenerateNixConfig_DefaultMultiplexer(t *testing.T) {
+	cfg := validTestConfig()
+	// Multiplexer field is empty (default)
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Should use tmux by default
+	if !strings.Contains(result, "tmux") {
+		t.Error("Config should contain tmux by default")
+	}
+	if !strings.Contains(result, "tmux new-session") {
+		t.Error("Config should use tmux init script by default")
+	}
+}
+
+// TestGenerateNixConfig_RestrictedNetwork tests restricted network mode separately
+// because it involves DNS resolution which produces dynamic IP addresses.
+func TestGenerateNixConfig_ResourceLimits(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.ResourceLimits = &config.ResourceLimits{
+		CPUQuota:  "200%",
+		MemoryMax: "4G",
+		TasksMax:  512,
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if !strings.Contains(result, "forage-resources") {
+		t.Error("Config should contain forage-resources service")
+	}
+	if !strings.Contains(result, `CPUQuota = "200%"`) {
+		t.Error("Config should contain CPUQuota")
+	}
+	if !strings.Contains(result, `MemoryMax = "4G"`) {
+		t.Error("Config should contain MemoryMax")
+	}
+	if !strings.Contains(result, "TasksMax = 512") {
+		t.Error("Config should contain TasksMax")
+	}
+}
+
+func TestGenerateNixConfig_ResourceLimitsPartial(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.ResourceLimits = &config.ResourceLimits{
+		MemoryMax: "2G",
+	}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if !strings.Contains(result, "forage-resources") {
+		t.Error("Config should contain forage-resources service")
+	}
+	if !strings.Contains(result, `MemoryMax = "2G"`) {
+		t.Error("Config should contain MemoryMax")
+	}
+	if strings.Contains(result, "CPUQuota") {
+		t.Error("Config should not contain CPUQuota when not set")
+	}
+	if strings.Contains(result, "TasksMax") {
+		t.Error("Config should not contain TasksMax when not set")
+	}
+}
+
+func TestGenerateNixConfig_NoResourceLimits(t *testing.T) {
+	cfg := validTestConfig()
+	// No resource limits by default
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	if strings.Contains(result, "forage-resources") {
+		t.Error("Config should not contain forage-resources when no resource limits")
+	}
+}
+
+func TestResourceLimits_IsEmpty(t *testing.T) {
+	tests := []struct {
+		name     string
+		limits   *config.ResourceLimits
+		expected bool
+	}{
+		{"nil", nil, true},
+		{"empty struct", &config.ResourceLimits{}, true},
+		{"cpuQuota only", &config.ResourceLimits{CPUQuota: "200%"}, false},
+		{"memoryMax only", &config.ResourceLimits{MemoryMax: "4G"}, false},
+		{"tasksMax only", &config.ResourceLimits{TasksMax: 512}, false},
+		{"all set", &config.ResourceLimits{CPUQuota: "100%", MemoryMax: "1G", TasksMax: 256}, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.limits.IsEmpty(); got != tt.expected {
+				t.Errorf("IsEmpty() = %v, want %v", got, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGenerateNixConfig_RestrictedNetwork(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Template.Network = "restricted"
+	cfg.Template.AllowedHosts = []string{"api.anthropic.com", "github.com"}
+
+	result, err := GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateNixConfig failed: %v", err)
+	}
+
+	// Check for key structural elements (IPs may vary due to DNS resolution)
+	required := []string{
+		"containers.f1",
+		"nftables",
+		"dnsmasq",
+		"allowed_ipv4",
+		"allowed_ipv6",
+		"api.anthropic.com",
+		"github.com",
+		"server=/api.anthropic.com/1.1.1.1",
+		"server=/github.com/1.1.1.1",
+	}
+
+	for _, s := range required {
+		if !strings.Contains(result, s) {
+			t.Errorf("Restricted network config should contain %q", s)
+		}
+	}
+}
+
+// Tests for the two-phase cached config generation
+
+func TestGenerateInnerNixConfig(t *testing.T) {
+	cfg := validTestConfig()
+
+	result, err := GenerateInnerNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateInnerNixConfig failed: %v", err)
+	}
+
+	// Inner config must set boot.isContainer = true (required for nix-build as standalone)
+	if !strings.Contains(result, "boot.isContainer = true") {
+		t.Error("Inner config must have boot.isContainer = true")
+	}
+
+	// Inner config should use template name as hostname (not sandbox name)
+	if !strings.Contains(result, `networking.hostName = "claude"`) {
+		t.Error("Inner config should use template name as hostname")
+	}
+
+	// Inner config should have forage-network service (runtime gateway injection)
+	if !strings.Contains(result, "forage-network") {
+		t.Error("Inner config should contain forage-network service")
+	}
+	if !strings.Contains(result, "ip route replace default") {
+		t.Error("Inner config should set gateway via ip route")
+	}
+	if !strings.Contains(result, "/run/forage/config.json") {
+		t.Error("Inner config should read from /run/forage/config.json")
+	}
+
+	// Inner config should have forage-hostname service
+	if !strings.Contains(result, "forage-hostname") {
+		t.Error("Inner config should contain forage-hostname service")
+	}
+
+	// Inner config should NOT have per-sandbox hostname
+	if strings.Contains(result, `networking.hostName = "test-sandbox"`) {
+		t.Error("Inner config should NOT use sandbox name as hostname")
+	}
+
+	// Inner config should NOT have per-sandbox forage.json (bind-mounted at runtime)
+	if strings.Contains(result, `environment.etc."forage.json"`) {
+		t.Error("Inner config should NOT contain static forage.json")
+	}
+
+	// Inner config should NOT have defaultGateway (set at runtime)
+	if strings.Contains(result, "defaultGateway") {
+		t.Error("Inner config should NOT contain defaultGateway (set at runtime)")
+	}
+
+	// Inner config should still have packages and services
+	if !strings.Contains(result, "jujutsu") {
+		t.Error("Inner config should include jujutsu package")
+	}
+	if !strings.Contains(result, "openssh") {
+		t.Error("Inner config should include openssh")
+	}
+	if !strings.Contains(result, "forage-init") {
+		t.Error("Inner config should include forage-init service")
+	}
+
+	// Inner config should have nixpkgs registry
+	if !strings.Contains(result, `path = "/nix/store/test-nixpkgs"`) {
+		t.Error("Inner config should pin nixpkgs registry")
+	}
+}
+
+func TestGenerateInnerNixConfig_FullNetwork(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Template.Network = "full"
+
+	result, err := GenerateInnerNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateInnerNixConfig failed: %v", err)
+	}
+
+	// Full mode should have nameservers but no defaultGateway
+	if !strings.Contains(result, "nameservers") {
+		t.Error("Full network inner config should have nameservers")
+	}
+	if strings.Contains(result, "defaultGateway") {
+		t.Error("Full network inner config should NOT have defaultGateway")
+	}
+}
+
+func TestGenerateInnerNixConfig_NoneNetwork(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.Template.Network = "none"
+
+	result, err := GenerateInnerNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateInnerNixConfig failed: %v", err)
+	}
+
+	// None mode should have the drop policy
+	if !strings.Contains(result, "policy drop") {
+		t.Error("None network inner config should have drop policy")
+	}
+}
+
+func TestGenerateInnerNixConfig_WithIdentity(t *testing.T) {
+	cfg := validTestConfig()
+	cfg.AgentIdentity = &config.AgentIdentity{
+		GitUser:  "Agent Bot",
+		GitEmail: "agent@example.com",
+	}
+
+	result, err := GenerateInnerNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("GenerateInnerNixConfig failed: %v", err)
+	}
+
+	if !strings.Contains(result, "forage-agent-identity") {
+		t.Error("Inner config should contain identity service")
+	}
+	if !strings.Contains(result, "Agent Bot") {
+		t.Error("Inner config should contain git user name")
+	}
+}
+
+func TestGenerateOuterNixConfig(t *testing.T) {
+	data := &OuterTemplateData{
+		ContainerName: "f1",
+		NetworkSlot:   1,
+		SystemPath:    "/nix/store/abc123-nixos-system",
+		BindMounts: []BindMount{
+			{Path: "/workspace", HostPath: "/home/user/project", ReadOnly: false},
+			{Path: "/nix/store", HostPath: "/nix/store", ReadOnly: true},
+			{Path: "/run/forage/config.json", HostPath: "/var/lib/forage/sandboxes/test.runtime/config.json", ReadOnly: true},
+		},
+	}
+
+	result, err := GenerateOuterNixConfig(data)
+	if err != nil {
+		t.Fatalf("GenerateOuterNixConfig failed: %v", err)
+	}
+
+	// Should reference pre-built system path
+	if !strings.Contains(result, "/nix/store/abc123-nixos-system") {
+		t.Error("Outer config should reference the cached system path")
+	}
+
+	// Should have container definition
+	if !strings.Contains(result, "containers.f1") {
+		t.Error("Outer config should define container")
+	}
+
+	// Should have network addressing
+	if !strings.Contains(result, `hostAddress = "10.100.1.1"`) {
+		t.Error("Outer config should have host address")
+	}
+	if !strings.Contains(result, `localAddress = "10.100.1.2"`) {
+		t.Error("Outer config should have local address")
+	}
+
+	// Should have bind mounts
+	if !strings.Contains(result, "/workspace") {
+		t.Error("Outer config should have workspace mount")
+	}
+	if !strings.Contains(result, "/run/forage/config.json") {
+		t.Error("Outer config should have runtime config mount")
+	}
+
+	// Should be minimal (no config = { } block)
+	if strings.Contains(result, "config =") {
+		t.Error("Outer config should NOT have an inner config block")
+	}
+
+	// Should use lib.mkForce on path to prevent conflicts with nixos-containers.nix
+	if !strings.Contains(result, "lib.mkForce") {
+		t.Error("Outer config should use lib.mkForce on path")
+	}
+
+	// Should accept lib in module arguments
+	if !strings.Contains(result, "{ lib, ... }") {
+		t.Error("Outer config should accept lib in module arguments")
+	}
+}
diff --git a/packages/forage-ctl/internal/generator/inner_template.go b/packages/forage-ctl/internal/generator/inner_template.go
new file mode 100644
index 0000000..c2fdc75
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/inner_template.go
@@ -0,0 +1,192 @@
+package generator
+
+// innerTemplateText is the NixOS module for the cached inner system.
+// It contains everything template-level: packages, services, users, etc.
+// Per-sandbox data (hostname, network slot, env vars, forage.json) is
+// injected at runtime via bind mounts and the forage-network service.
+const innerTemplateText = `{ pkgs, ... }:
+{
+  boot.isContainer = true;
+  system.stateVersion = "{{.StateVersion}}";
+  nixpkgs.config.allowUnfree = true;
+  networking.hostName = "{{.TemplateName}}";
+  {{.NetworkConfig}}
+  users.users.{{.Username}} = {
+    isNormalUser = true;
+    home = "{{.HomeDir}}";
+    shell = "${pkgs.bash}/bin/bash";
+    uid = {{.UID}};
+    group = "users";
+    extraGroups = [ ];
+    openssh.authorizedKeys.keys = [
+{{- range .AuthorizedKeys}}
+      {{. | printf "%q"}}
+{{- end}}
+    ];
+  };
+  users.groups.users.gid = {{.GID}};
+
+  security.sudo.enable = false;
+
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    jujutsu
+{{- range .MuxPackages}}
+    {{.}}
+{{- end}}
+    neovim
+    ripgrep
+    fd
+    jq
+    iproute2
+{{- range .AgentPackages}}
+    {{.}}
+{{- end}}
+{{- if .ClaudePackagePath}}
+    (pkgs.writeShellScriptBin "claude" ''
+      exec ${pkgs.{{.ClaudePackagePath}}}/bin/claude \
+        --append-system-prompt "$(cat {{.SystemPromptFile}})" "$@"
+    '')
+{{- end}}
+  ];
+
+  environment.etc."nix/registry.json".text = builtins.toJSON {
+    version = 2;
+    flakes = [
+      {
+        exact = true;
+        from = {
+          id = "nixpkgs";
+          type = "indirect";
+        };
+        to = {
+          type = "path";
+          path = "{{.NixpkgsPath}}";
+        };
+      }
+    ];
+  };
+
+  # Ensure directories exist for bind mounts
+  systemd.tmpfiles.rules = [
+{{- range .ExtraTmpfilesRules}}
+    "{{.}}"
+{{- end}}
+  ];
+
+  # Runtime network configuration: reads gateway from bind-mounted config
+  systemd.services.forage-network = {
+    description = "Forage Network Configuration";
+    wantedBy = [ "network.target" ];
+    before = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.writeShellScript "forage-network" ''
+        set -euo pipefail
+        CONFIG=/run/forage/config.json
+        if [ -f "$CONFIG" ]; then
+          GATEWAY=$(${pkgs.jq}/bin/jq -r '.gateway' "$CONFIG")
+          if [ -n "$GATEWAY" ] && [ "$GATEWAY" != "null" ]; then
+            ${pkgs.iproute2}/bin/ip route replace default via "$GATEWAY"
+          fi
+        fi
+      ''}";
+    };
+  };
+
+  # Runtime hostname configuration: reads sandbox name from bind-mounted config
+  systemd.services.forage-hostname = {
+    description = "Forage Hostname Configuration";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.writeShellScript "forage-hostname" ''
+        set -euo pipefail
+        CONFIG=/run/forage/config.json
+        if [ -f "$CONFIG" ]; then
+          HOSTNAME=$(${pkgs.jq}/bin/jq -r '.sandboxName' "$CONFIG")
+          if [ -n "$HOSTNAME" ] && [ "$HOSTNAME" != "null" ]; then
+            ${pkgs.hostname}/bin/hostname "$HOSTNAME"
+          fi
+        fi
+      ''}";
+    };
+  };
+
+  systemd.services.forage-init = {
+    description = "Forage Sandbox Initialization";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "{{.Username}}";
+      WorkingDirectory = "{{.WorkspaceDir}}";
+      ExecStart = "${pkgs.writeShellScript "forage-init" ''
+{{.MuxInitScript}}
+      ''}";
+    };
+  };
+{{- if .ResourceLimits}}
+  systemd.services.forage-resources = {
+    description = "Forage Resource Limits (no-op anchor for resource control)";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.coreutils}/bin/true";
+      RemainAfterExit = true;
+{{- if .ResourceLimits.CPUQuota}}
+      CPUQuota = "{{.ResourceLimits.CPUQuota}}";
+{{- end}}
+{{- if .ResourceLimits.MemoryMax}}
+      MemoryMax = "{{.ResourceLimits.MemoryMax}}";
+{{- end}}
+{{- if .ResourceLimits.TasksMax}}
+      TasksMax = {{.ResourceLimits.TasksMax}};
+{{- end}}
+    };
+  };
+{{- end}}
+{{- if or .GitUser .GitEmail .SSHKeyName}}
+  systemd.services.forage-agent-identity = {
+    description = "Forage Agent Identity Setup";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "{{.Username}}";
+      ExecStart = "${pkgs.writeShellScript "forage-agent-identity" ''
+        set -euo pipefail
+        ${pkgs.coreutils}/bin/mkdir -p {{.HomeDir}}/.ssh {{.HomeDir}}/.config/jj
+{{- if .GitUser}}
+        ${pkgs.git}/bin/git config --global user.name {{.GitUser | shellQuote | nixEscapeIndented}}
+        ${pkgs.jujutsu}/bin/jj config set --user user.name {{.GitUser | shellQuote | nixEscapeIndented}} || true
+{{- end}}
+{{- if .GitEmail}}
+        ${pkgs.git}/bin/git config --global user.email {{.GitEmail | shellQuote | nixEscapeIndented}}
+        ${pkgs.jujutsu}/bin/jj config set --user user.email {{.GitEmail | shellQuote | nixEscapeIndented}} || true
+{{- end}}
+{{- if .SSHKeyName}}
+        ${pkgs.coreutils}/bin/cat > {{.HomeDir}}/.ssh/config <<SSH_EOF
+        Host *
+          IdentityFile {{.HomeDir}}/.ssh/{{.SSHKeyName}}
+          StrictHostKeyChecking accept-new
+        SSH_EOF
+{{- end}}
+      ''}";
+    };
+  };
+{{- end}}
+}
+`
diff --git a/packages/forage-ctl/internal/generator/outer_template.go b/packages/forage-ctl/internal/generator/outer_template.go
new file mode 100644
index 0000000..c09d308
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/outer_template.go
@@ -0,0 +1,40 @@
+package generator
+
+// OuterTemplateData holds data for the outer container definition.
+// This is the per-sandbox config that references the cached inner system.
+type OuterTemplateData struct {
+	ContainerName string      // Short container name (e.g., "f42")
+	NetworkSlot   int         // Network slot for IP addressing
+	SystemPath    string      // Nix store path of the cached inner system
+	BindMounts    []BindMount // All bind mounts (workspace, secrets, runtime files, etc.)
+}
+
+// outerTemplateText is the minimal container definition that wraps a pre-built
+// inner system. It only specifies the container shell (networking, mounts) and
+// references the inner system via its store path. This evaluates in ~0.5s
+// instead of ~12s because no NixOS module evaluation happens.
+//
+// The path uses lib.mkForce because nixos-containers.nix derives `path` from a
+// `config` module when one is present. Without mkForce, if both `config` and
+// `path` are set, Nix reports a conflicting definition error.
+const outerTemplateText = `{ lib, ... }:
+{
+  containers.{{.ContainerName}} = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.{{.NetworkSlot}}.1";
+    localAddress = "10.100.{{.NetworkSlot}}.2";
+    path = lib.mkForce {{.SystemPath}};
+
+    bindMounts = {
+{{- range .BindMounts}}
+      "{{.Path}}" = {
+        hostPath = "{{.HostPath}}";
+        isReadOnly = {{.ReadOnly | nixBool}};
+      };
+{{- end}}
+    };
+  };
+}
+`
diff --git a/packages/forage-ctl/internal/generator/templates.go b/packages/forage-ctl/internal/generator/templates.go
new file mode 100644
index 0000000..c0a6d5b
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/templates.go
@@ -0,0 +1,307 @@
+package generator
+
+import (
+	"strings"
+	"text/template"
+
+	shellquote "github.com/kballard/go-shellquote"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+// TemplateData holds all data needed to render the container Nix configuration.
+type TemplateData struct {
+	ContainerName      string
+	Hostname           string // Hostname inside the container (the sandbox name)
+	NetworkSlot        int
+	StateVersion       string
+	Username           string // Container username (e.g. "agent")
+	HomeDir            string // Container home directory (e.g. "/home/agent")
+	WorkspaceDir       string // Container workspace path (e.g. "/workspace")
+	BindMounts         []BindMount
+	AuthorizedKeys     []string
+	NetworkConfig      string // Pre-rendered from network package
+	AgentPackages      []string
+	EnvVars            []EnvVar
+	MuxPackages        []string               // Multiplexer packages to install (e.g. ["tmux"] or ["wezterm"])
+	MuxInitScript      string                 // Pre-rendered init script from multiplexer backend
+	UID                int                    // Host user's UID for the container agent user
+	GID                int                    // Host user's GID for the container agent user
+	ExtraTmpfilesRules []string               // Additional systemd tmpfiles rules
+	GitUser            string                 // Git user.name for agent identity
+	GitEmail           string                 // Git user.email for agent identity
+	SSHKeyName         string                 // Basename of SSH key file (empty if no SSH key)
+	SystemPromptFile   string                 // Container path of system prompt file (empty if not set)
+	ClaudePackagePath  string                 // Nix store path of unwrapped claude package (empty if not wrapping)
+	SandboxName        string                 // Sandbox name (for in-container metadata)
+	Runtime            string                 // Runtime backend name (for in-container metadata)
+	NixpkgsPath        string                 // Nix store path to nixpkgs source (avoids expensive pkgs.path eval)
+	ResourceLimits     *config.ResourceLimits // Optional resource limits for systemd
+}
+
+// BindMount represents a bind mount entry in the Nix config.
+type BindMount struct {
+	Path     string
+	HostPath string
+	ReadOnly bool
+}
+
+// EnvVar represents an environment variable in the Nix config.
+type EnvVar struct {
+	Name  string
+	Value string
+}
+
+// nixBool returns "true" or "false" for use in Nix configuration.
+func nixBool(b bool) string {
+	if b {
+		return "true"
+	}
+	return "false"
+}
+
+// nixEscape escapes a string for safe inclusion inside a Nix "..." string literal.
+// It handles backslashes, double quotes, and ${} interpolation sequences.
+func nixEscape(s string) string {
+	s = strings.ReplaceAll(s, `\`, `\\`)
+	s = strings.ReplaceAll(s, `"`, `\"`)
+	s = strings.ReplaceAll(s, "${", "\\${")
+	return s
+}
+
+// nixEscapeIndented escapes a string for safe inclusion inside a Nix indented
+// string literal (”...”). The only interpolation sequence in indented strings
+// is ${...}, which is escaped as ”${...}.
+func nixEscapeIndented(s string) string {
+	return strings.ReplaceAll(s, "${", "''${")
+}
+
+// containerTemplate is the main Go template for generating NixOS container configurations.
+const containerTemplateText = `{ pkgs, ... }:
+{
+  containers.{{.ContainerName}} = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.{{.NetworkSlot}}.1";
+    localAddress = "10.100.{{.NetworkSlot}}.2";
+
+    bindMounts = {
+{{- range .BindMounts}}
+      "{{.Path}}" = {
+        hostPath = "{{.HostPath}}";
+        isReadOnly = {{.ReadOnly | nixBool}};
+      };
+{{- end}}
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "{{.StateVersion}}";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "{{.Hostname}}";
+        {{.NetworkConfig}}
+        users.users.{{.Username}} = {
+          isNormalUser = true;
+          home = "{{.HomeDir}}";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = {{.UID}};
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+{{- range .AuthorizedKeys}}
+            {{. | printf "%q"}}
+{{- end}}
+          ];
+        };
+        users.groups.users.gid = {{.GID}};
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+{{- range .MuxPackages}}
+          {{.}}
+{{- end}}
+          neovim
+          ripgrep
+          fd
+{{- range .AgentPackages}}
+          {{.}}
+{{- end}}
+{{- if .ClaudePackagePath}}
+          (pkgs.writeShellScriptBin "claude" ''
+            exec ${pkgs.{{.ClaudePackagePath}}}/bin/claude \
+              --append-system-prompt "$(cat {{.SystemPromptFile}})" "$@"
+          '')
+{{- end}}
+        ];
+{{if .EnvVars}}
+        environment.sessionVariables = {
+{{- range .EnvVars}}
+          {{.Name}} = {{.Value}};
+{{- end}}
+        };
+{{end}}
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "{{.NixpkgsPath}}";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "{{.SandboxName}}";
+          containerName = "{{.ContainerName}}";
+          runtime = "{{.Runtime}}";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+{{- range .ExtraTmpfilesRules}}
+          "{{.}}"
+{{- end}}
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "{{.Username}}";
+            WorkingDirectory = "{{.WorkspaceDir}}";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+{{.MuxInitScript}}
+            ''}";
+          };
+        };
+{{- if .ResourceLimits}}
+        systemd.services.forage-resources = {
+          description = "Forage Resource Limits (no-op anchor for resource control)";
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = "${pkgs.coreutils}/bin/true";
+            RemainAfterExit = true;
+{{- if .ResourceLimits.CPUQuota}}
+            CPUQuota = "{{.ResourceLimits.CPUQuota}}";
+{{- end}}
+{{- if .ResourceLimits.MemoryMax}}
+            MemoryMax = "{{.ResourceLimits.MemoryMax}}";
+{{- end}}
+{{- if .ResourceLimits.TasksMax}}
+            TasksMax = {{.ResourceLimits.TasksMax}};
+{{- end}}
+          };
+        };
+{{- end}}
+{{- if or .GitUser .GitEmail .SSHKeyName}}
+        systemd.services.forage-agent-identity = {
+          description = "Forage Agent Identity Setup";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "{{.Username}}";
+            ExecStart = "${pkgs.writeShellScript "forage-agent-identity" ''
+              set -euo pipefail
+              ${pkgs.coreutils}/bin/mkdir -p {{.HomeDir}}/.ssh {{.HomeDir}}/.config/jj
+{{- if .GitUser}}
+              ${pkgs.git}/bin/git config --global user.name {{.GitUser | shellQuote | nixEscapeIndented}}
+              ${pkgs.jujutsu}/bin/jj config set --user user.name {{.GitUser | shellQuote | nixEscapeIndented}} || true
+{{- end}}
+{{- if .GitEmail}}
+              ${pkgs.git}/bin/git config --global user.email {{.GitEmail | shellQuote | nixEscapeIndented}}
+              ${pkgs.jujutsu}/bin/jj config set --user user.email {{.GitEmail | shellQuote | nixEscapeIndented}} || true
+{{- end}}
+{{- if .SSHKeyName}}
+              ${pkgs.coreutils}/bin/cat > {{.HomeDir}}/.ssh/config <<SSH_EOF
+              Host *
+                IdentityFile {{.HomeDir}}/.ssh/{{.SSHKeyName}}
+                StrictHostKeyChecking accept-new
+              SSH_EOF
+{{- end}}
+            ''}";
+          };
+        };
+{{- end}}
+      };
+  };
+}
+`
+
+// InnerTemplateData holds data for the cached inner system NixOS module.
+// Unlike TemplateData, it uses TemplateName (canonical) instead of per-sandbox
+// Hostname, and omits per-sandbox fields (SandboxName, Runtime, ContainerName).
+type InnerTemplateData struct {
+	TemplateName       string
+	StateVersion       string
+	Username           string
+	HomeDir            string
+	WorkspaceDir       string
+	AuthorizedKeys     []string
+	NetworkConfig      string // Pre-rendered from network package (slot-independent)
+	AgentPackages      []string
+	MuxPackages        []string
+	MuxInitScript      string
+	UID                int
+	GID                int
+	ExtraTmpfilesRules []string
+	GitUser            string
+	GitEmail           string
+	SSHKeyName         string
+	SystemPromptFile   string
+	ClaudePackagePath  string
+	NixpkgsPath        string
+	ResourceLimits     *config.ResourceLimits
+}
+
+// nixTemplateFuncs returns the shared template function map.
+func nixTemplateFuncs() template.FuncMap {
+	return template.FuncMap{
+		"nixBool":           nixBool,
+		"nixEscape":         nixEscape,
+		"nixEscapeIndented": nixEscapeIndented,
+		"shellQuote": func(s string) string {
+			return shellquote.Join(s)
+		},
+	}
+}
+
+// containerTemplate is the parsed template, initialized at package load time.
+var containerTemplate *template.Template
+
+// innerTemplate is the parsed inner system template.
+var innerTemplate *template.Template
+
+// outerTemplate is the parsed outer container definition template.
+var outerTemplate *template.Template
+
+func init() {
+	funcs := nixTemplateFuncs()
+	containerTemplate = template.Must(template.New("container").Funcs(funcs).Parse(containerTemplateText))
+	innerTemplate = template.Must(template.New("inner").Funcs(funcs).Parse(innerTemplateText))
+	outerTemplate = template.Must(template.New("outer").Funcs(funcs).Parse(outerTemplateText))
+}
diff --git a/packages/forage-ctl/internal/generator/testdata/basic_container.nix b/packages/forage-ctl/internal/generator/testdata/basic_container.nix
new file mode 100644
index 0000000..45759ba
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/testdata/basic_container.nix
@@ -0,0 +1,122 @@
+{ pkgs, ... }:
+{
+  containers.f1 = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.1.1";
+    localAddress = "10.100.1.2";
+
+    bindMounts = {
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/workspace" = {
+        hostPath = "/home/user/project";
+        isReadOnly = false;
+      };
+      "/run/secrets" = {
+        hostPath = "/run/secrets/test-sandbox";
+        isReadOnly = true;
+      };
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "test-sandbox";
+        # Full network access
+        networking.defaultGateway = "10.100.1.1";
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];
+        users.users.agent = {
+          isNormalUser = true;
+          home = "/home/agent";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = 1000;
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host"
+          ];
+        };
+        users.groups.users.gid = 100;
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+          tmux
+          neovim
+          ripgrep
+          fd
+          pkgs.claude-code
+        ];
+
+        environment.sessionVariables = {
+          ANTHROPIC_API_KEY = "$(cat /run/secrets/anthropic 2>/dev/null || echo '')";
+        };
+
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "/nix/store/test-nixpkgs";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "test-sandbox";
+          containerName = "f1";
+          runtime = "";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+          "d /home/agent/.config 0755 agent users -"
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "agent";
+            WorkingDirectory = "/workspace";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+              tmux new-session -d -s forage -c /workspace -n claude
+              tmux set-option -w -t forage:claude automatic-rename off
+              tmux send-keys -t forage:claude claude Enter
+              true
+            ''}";
+          };
+        };
+      };
+  };
+}
diff --git a/packages/forage-ctl/internal/generator/testdata/jj_mode_container.nix b/packages/forage-ctl/internal/generator/testdata/jj_mode_container.nix
new file mode 100644
index 0000000..d5a3f96
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/testdata/jj_mode_container.nix
@@ -0,0 +1,130 @@
+{ pkgs, ... }:
+{
+  containers.f1 = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.1.1";
+    localAddress = "10.100.1.2";
+
+    bindMounts = {
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/workspace" = {
+        hostPath = "/var/lib/forage/workspaces/test-sandbox";
+        isReadOnly = false;
+      };
+      "/run/secrets" = {
+        hostPath = "/run/secrets/test-sandbox";
+        isReadOnly = true;
+      };
+      "/home/user/myrepo/.jj" = {
+        hostPath = "/home/user/myrepo/.jj";
+        isReadOnly = false;
+      };
+      "/home/user/myrepo/.git" = {
+        hostPath = "/home/user/myrepo/.git";
+        isReadOnly = false;
+      };
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "test-sandbox";
+        # Full network access
+        networking.defaultGateway = "10.100.1.1";
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];
+        users.users.agent = {
+          isNormalUser = true;
+          home = "/home/agent";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = 1000;
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host"
+          ];
+        };
+        users.groups.users.gid = 100;
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+          tmux
+          neovim
+          ripgrep
+          fd
+          pkgs.claude-code
+        ];
+
+        environment.sessionVariables = {
+          ANTHROPIC_API_KEY = "$(cat /run/secrets/anthropic 2>/dev/null || echo '')";
+        };
+
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "/nix/store/test-nixpkgs";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "test-sandbox";
+          containerName = "f1";
+          runtime = "";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+          "d /home/agent/.config 0755 agent users -"
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "agent";
+            WorkingDirectory = "/workspace";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+              tmux new-session -d -s forage -c /workspace -n claude
+              tmux set-option -w -t forage:claude automatic-rename off
+              tmux send-keys -t forage:claude claude Enter
+              true
+            ''}";
+          };
+        };
+      };
+  };
+}
diff --git a/packages/forage-ctl/internal/generator/testdata/no_network_container.nix b/packages/forage-ctl/internal/generator/testdata/no_network_container.nix
new file mode 100644
index 0000000..44146b5
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/testdata/no_network_container.nix
@@ -0,0 +1,149 @@
+{ pkgs, ... }:
+{
+  containers.f1 = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.1.1";
+    localAddress = "10.100.1.2";
+
+    bindMounts = {
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/workspace" = {
+        hostPath = "/home/user/project";
+        isReadOnly = false;
+      };
+      "/run/secrets" = {
+        hostPath = "/run/secrets/test-sandbox";
+        isReadOnly = true;
+      };
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "test-sandbox";
+        # No network access
+        networking.nameservers = [ ];
+        networking.defaultGateway = null;
+
+        # Disable all network interfaces except loopback
+        networking.useDHCP = false;
+
+        # Use nftables with default-drop policy (consistent with restricted mode)
+        networking.nftables = {
+          enable = true;
+          ruleset = ''
+            table inet filter {
+              chain input {
+                type filter hook input priority 0; policy accept;
+              }
+
+              chain output {
+                type filter hook output priority 0; policy drop;
+
+                # Allow loopback only
+                oif "lo" accept
+
+                # Allow established/related (for SSH management)
+                ct state established,related accept
+
+                # Reject everything else
+                reject with icmp type admin-prohibited
+              }
+            }
+          '';
+        };
+
+        # Disable iptables (using nftables)
+        networking.firewall.enable = false;
+        users.users.agent = {
+          isNormalUser = true;
+          home = "/home/agent";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = 1000;
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host"
+          ];
+        };
+        users.groups.users.gid = 100;
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+          tmux
+          neovim
+          ripgrep
+          fd
+          pkgs.claude-code
+        ];
+
+        environment.sessionVariables = {
+          ANTHROPIC_API_KEY = "$(cat /run/secrets/anthropic 2>/dev/null || echo '')";
+        };
+
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "/nix/store/test-nixpkgs";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "test-sandbox";
+          containerName = "f1";
+          runtime = "";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+          "d /home/agent/.config 0755 agent users -"
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "agent";
+            WorkingDirectory = "/workspace";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+              tmux new-session -d -s forage -c /workspace -n claude
+              tmux set-option -w -t forage:claude automatic-rename off
+              tmux send-keys -t forage:claude claude Enter
+              true
+            ''}";
+          };
+        };
+      };
+  };
+}
diff --git a/packages/forage-ctl/internal/generator/testdata/proxy_mode_container.nix b/packages/forage-ctl/internal/generator/testdata/proxy_mode_container.nix
new file mode 100644
index 0000000..8b1ce5c
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/testdata/proxy_mode_container.nix
@@ -0,0 +1,124 @@
+{ pkgs, ... }:
+{
+  containers.f1 = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.1.1";
+    localAddress = "10.100.1.2";
+
+    bindMounts = {
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/workspace" = {
+        hostPath = "/home/user/project";
+        isReadOnly = false;
+      };
+      "/run/secrets" = {
+        hostPath = "/run/secrets/test-sandbox";
+        isReadOnly = true;
+      };
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "test-sandbox";
+        # Full network access
+        networking.defaultGateway = "10.100.1.1";
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];
+        users.users.agent = {
+          isNormalUser = true;
+          home = "/home/agent";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = 1000;
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host"
+          ];
+        };
+        users.groups.users.gid = 100;
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+          tmux
+          neovim
+          ripgrep
+          fd
+          pkgs.claude-code
+        ];
+
+        environment.sessionVariables = {
+          ANTHROPIC_BASE_URL = "http://10.100.1.1:8080";
+          ANTHROPIC_AUTH_TOKEN = "ignored-by-proxy";
+          ANTHROPIC_CUSTOM_HEADERS = "X-Forage-Sandbox: test-sandbox";
+        };
+
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "/nix/store/test-nixpkgs";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "test-sandbox";
+          containerName = "f1";
+          runtime = "";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+          "d /home/agent/.config 0755 agent users -"
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "agent";
+            WorkingDirectory = "/workspace";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+              tmux new-session -d -s forage -c /workspace -n claude
+              tmux set-option -w -t forage:claude automatic-rename off
+              tmux send-keys -t forage:claude claude Enter
+              true
+            ''}";
+          };
+        };
+      };
+  };
+}
diff --git a/packages/forage-ctl/internal/generator/testdata/read_only_workspace_container.nix b/packages/forage-ctl/internal/generator/testdata/read_only_workspace_container.nix
new file mode 100644
index 0000000..d846014
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/testdata/read_only_workspace_container.nix
@@ -0,0 +1,122 @@
+{ pkgs, ... }:
+{
+  containers.f1 = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.1.1";
+    localAddress = "10.100.1.2";
+
+    bindMounts = {
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/workspace" = {
+        hostPath = "/home/user/project";
+        isReadOnly = true;
+      };
+      "/run/secrets" = {
+        hostPath = "/run/secrets/test-sandbox";
+        isReadOnly = true;
+      };
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "test-sandbox";
+        # Full network access
+        networking.defaultGateway = "10.100.1.1";
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];
+        users.users.agent = {
+          isNormalUser = true;
+          home = "/home/agent";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = 1000;
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host"
+          ];
+        };
+        users.groups.users.gid = 100;
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+          tmux
+          neovim
+          ripgrep
+          fd
+          pkgs.claude-code
+        ];
+
+        environment.sessionVariables = {
+          ANTHROPIC_API_KEY = "$(cat /run/secrets/anthropic 2>/dev/null || echo '')";
+        };
+
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "/nix/store/test-nixpkgs";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "test-sandbox";
+          containerName = "f1";
+          runtime = "";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+          "d /home/agent/.config 0755 agent users -"
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "agent";
+            WorkingDirectory = "/workspace";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+              tmux new-session -d -s forage -c /workspace -n claude
+              tmux set-option -w -t forage:claude automatic-rename off
+              tmux send-keys -t forage:claude claude Enter
+              true
+            ''}";
+          };
+        };
+      };
+  };
+}
diff --git a/packages/forage-ctl/internal/generator/testdata/resource_limits_container.nix b/packages/forage-ctl/internal/generator/testdata/resource_limits_container.nix
new file mode 100644
index 0000000..1f37cba
--- /dev/null
+++ b/packages/forage-ctl/internal/generator/testdata/resource_limits_container.nix
@@ -0,0 +1,134 @@
+{ pkgs, ... }:
+{
+  containers.f1 = {
+    autoStart = true;
+    ephemeral = true;
+    privateNetwork = true;
+    hostAddress = "10.100.1.1";
+    localAddress = "10.100.1.2";
+
+    bindMounts = {
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/workspace" = {
+        hostPath = "/home/user/project";
+        isReadOnly = false;
+      };
+      "/run/secrets" = {
+        hostPath = "/run/secrets/test-sandbox";
+        isReadOnly = true;
+      };
+    };
+
+    config =
+      { pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+        nixpkgs.config.allowUnfree = true;
+        networking.hostName = "test-sandbox";
+        # Full network access
+        networking.defaultGateway = "10.100.1.1";
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];
+        users.users.agent = {
+          isNormalUser = true;
+          home = "/home/agent";
+          shell = "${pkgs.bash}/bin/bash";
+          uid = 1000;
+          group = "users";
+          extraGroups = [ ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@host"
+          ];
+        };
+        users.groups.users.gid = 100;
+
+        security.sudo.enable = false;
+
+        services.openssh = {
+          enable = true;
+          ports = [ 22 ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "no";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          git
+          jujutsu
+          tmux
+          neovim
+          ripgrep
+          fd
+          pkgs.claude-code
+        ];
+
+        environment.sessionVariables = {
+          ANTHROPIC_API_KEY = "$(cat /run/secrets/anthropic 2>/dev/null || echo '')";
+        };
+
+        environment.etc."nix/registry.json".text = builtins.toJSON {
+          version = 2;
+          flakes = [
+            {
+              exact = true;
+              from = {
+                id = "nixpkgs";
+                type = "indirect";
+              };
+              to = {
+                type = "path";
+                path = "/nix/store/test-nixpkgs";
+              };
+            }
+          ];
+        };
+
+        environment.etc."forage.json".text = builtins.toJSON {
+          sandboxName = "test-sandbox";
+          containerName = "f1";
+          runtime = "";
+        };
+
+        # Ensure ~/.config is owned by agent (bind mounts may create it as root)
+        systemd.tmpfiles.rules = [
+          "d /home/agent/.config 0755 agent users -"
+        ];
+
+        systemd.services.forage-init = {
+          description = "Forage Sandbox Initialization";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            User = "agent";
+            WorkingDirectory = "/workspace";
+            ExecStart = "${pkgs.writeShellScript "forage-init" ''
+              tmux new-session -d -s forage -c /workspace -n claude
+              tmux set-option -w -t forage:claude automatic-rename off
+              tmux send-keys -t forage:claude claude Enter
+              true
+            ''}";
+          };
+        };
+        systemd.services.forage-resources = {
+          description = "Forage Resource Limits (no-op anchor for resource control)";
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = "${pkgs.coreutils}/bin/true";
+            RemainAfterExit = true;
+            CPUQuota = "200%";
+            MemoryMax = "4G";
+            TasksMax = 512;
+          };
+        };
+      };
+  };
+}
diff --git a/packages/forage-ctl/internal/health/doc.go b/packages/forage-ctl/internal/health/doc.go
new file mode 100644
index 0000000..cfe6124
--- /dev/null
+++ b/packages/forage-ctl/internal/health/doc.go
@@ -0,0 +1,35 @@
+// Package health provides health check utilities for sandbox monitoring.
+//
+// Health checks verify that a sandbox is fully operational by checking
+// container status, SSH connectivity, and multiplexer session availability.
+//
+// # Health Status
+//
+// Sandbox health is represented by Status:
+//
+//	StatusHealthy   - Container running, SSH reachable, mux active
+//	StatusUnhealthy - Container running but SSH unreachable
+//	StatusNoMux     - SSH reachable but multiplexer session not found
+//	StatusStopped   - Container not running
+//
+// # Check Functions
+//
+// Individual checks:
+//
+//	health.CheckSSH(host)           // SSH connectivity
+//	health.CheckMux(host, mux)      // multiplexer session exists
+//	health.GetUptime(name, rt)      // Container uptime
+//
+// Combined checks:
+//
+//	result := health.Check(sandboxName, host, rt, mux)
+//	// result.ContainerRunning, .SSHReachable, .MuxActive, .Uptime
+//
+//	status := health.GetSummary(sandboxName, host, rt, mux)
+//	// Returns StatusHealthy, StatusUnhealthy, etc.
+//
+// # Constants
+//
+// SSHReadyTimeoutSeconds defines the default timeout when waiting for
+// SSH to become available after container creation.
+package health
diff --git a/packages/forage-ctl/internal/health/health.go b/packages/forage-ctl/internal/health/health.go
new file mode 100644
index 0000000..35a5365
--- /dev/null
+++ b/packages/forage-ctl/internal/health/health.go
@@ -0,0 +1,199 @@
+package health
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/ssh"
+)
+
+// CheckOptions holds options for health checking.
+type CheckOptions struct {
+	Runtime runtime.Runtime
+}
+
+// Status represents the health status of a sandbox
+type Status string
+
+const (
+	StatusHealthy   Status = "healthy"
+	StatusUnhealthy Status = "unhealthy"
+	StatusNoMux     Status = "no-mux"
+	StatusStopped   Status = "stopped"
+
+	// SSHReadyTimeoutSeconds is the default timeout waiting for SSH to become ready.
+	SSHReadyTimeoutSeconds = 30
+)
+
+// CheckResult contains the results of health checks
+type CheckResult struct {
+	ContainerRunning bool
+	SSHReachable     bool
+	MuxActive        bool
+	Uptime           string
+	MuxWindows       []string
+}
+
+// CheckSSH checks if SSH is reachable
+func CheckSSH(host string) bool {
+	return ssh.CheckConnection(host)
+}
+
+// CheckMux checks if the multiplexer session exists via SSH
+func CheckMux(host string, mux multiplexer.Multiplexer) bool {
+	args := mux.CheckSessionArgs()
+	_, err := ssh.ExecWithOutput(host, args...)
+	return err == nil
+}
+
+// CheckMuxViaExec checks if the multiplexer session exists via runtime exec
+func CheckMuxViaExec(ctx context.Context, sandboxName string, rt runtime.Runtime, mux multiplexer.Multiplexer) bool {
+	args := mux.CheckSessionArgs()
+	result, err := rt.Exec(ctx, sandboxName, args, runtime.ExecOptions{})
+	return err == nil && result.ExitCode == 0
+}
+
+// GetMuxWindows returns the list of multiplexer windows via SSH
+func GetMuxWindows(host string, mux multiplexer.Multiplexer) []string {
+	args := mux.ListWindowsArgs()
+	output, err := ssh.ExecWithOutput(host, args...)
+	if err != nil {
+		return nil
+	}
+	return mux.ParseWindowList(output)
+}
+
+// GetMuxWindowsViaExec returns the list of multiplexer windows via runtime exec
+func GetMuxWindowsViaExec(ctx context.Context, sandboxName string, rt runtime.Runtime, mux multiplexer.Multiplexer) []string {
+	args := mux.ListWindowsArgs()
+	result, err := rt.Exec(ctx, sandboxName, args, runtime.ExecOptions{})
+	if err != nil || result.ExitCode != 0 {
+		return nil
+	}
+	return mux.ParseWindowList(strings.TrimSpace(result.Stdout))
+}
+
+// GetUptime returns the container uptime in human-readable format.
+// Uses the runtime-agnostic Status method to get container start time.
+func GetUptime(ctx context.Context, sandboxName string, rt runtime.Runtime) string {
+	if rt == nil {
+		return "unknown"
+	}
+
+	info, err := rt.Status(ctx, sandboxName)
+	if err != nil || info == nil {
+		return "unknown"
+	}
+
+	since := info.StartedAt
+	if since == "" || since == "n/a" {
+		return "unknown"
+	}
+
+	// Try common timestamp formats
+	var t time.Time
+	formats := []string{
+		time.RFC3339,
+		time.RFC3339Nano,
+		"Mon 2006-01-02 15:04:05 MST",
+		"2006-01-02T15:04:05.000000000Z",
+	}
+
+	for _, format := range formats {
+		if parsed, err := time.Parse(format, since); err == nil {
+			t = parsed
+			break
+		}
+	}
+
+	if t.IsZero() {
+		return since // Return raw value if can't parse
+	}
+
+	duration := time.Since(t)
+	return formatDuration(duration)
+}
+
+func formatDuration(d time.Duration) string {
+	if d < time.Minute {
+		return fmt.Sprintf("%ds", int(d.Seconds()))
+	} else if d < time.Hour {
+		return fmt.Sprintf("%dm", int(d.Minutes()))
+	} else if d < 24*time.Hour {
+		hours := int(d.Hours())
+		mins := int(d.Minutes()) % 60
+		return fmt.Sprintf("%dh %dm", hours, mins)
+	}
+	days := int(d.Hours()) / 24
+	hours := int(d.Hours()) % 24
+	return fmt.Sprintf("%dd %dh", days, hours)
+}
+
+// Check performs all health checks for a sandbox.
+// The rt parameter is optional; if nil, container running check returns false.
+func Check(ctx context.Context, sandboxName string, host string, rt runtime.Runtime, mux multiplexer.Multiplexer) *CheckResult {
+	result := &CheckResult{}
+
+	// Check container
+	if rt != nil {
+		result.ContainerRunning, _ = rt.IsRunning(ctx, sandboxName)
+	}
+	if !result.ContainerRunning {
+		return result
+	}
+
+	// Check uptime
+	result.Uptime = GetUptime(ctx, sandboxName, rt)
+
+	caps := runtime.GetCapabilities(rt)
+	if caps.SSHAccess {
+		// SSH-based health checks
+		result.SSHReachable = CheckSSH(host)
+		if !result.SSHReachable {
+			return result
+		}
+		result.MuxActive = CheckMux(host, mux)
+		if result.MuxActive {
+			result.MuxWindows = GetMuxWindows(host, mux)
+		}
+	} else {
+		// For non-SSH runtimes, check mux via runtime exec
+		result.MuxActive = CheckMuxViaExec(ctx, sandboxName, rt, mux)
+		if result.MuxActive {
+			result.MuxWindows = GetMuxWindowsViaExec(ctx, sandboxName, rt, mux)
+		}
+	}
+
+	return result
+}
+
+// GetSummary returns a summary health status.
+// The rt parameter is optional; if nil, returns StatusStopped.
+func GetSummary(ctx context.Context, sandboxName string, host string, rt runtime.Runtime, mux multiplexer.Multiplexer) Status {
+	if rt == nil {
+		return StatusStopped
+	}
+	running, _ := rt.IsRunning(ctx, sandboxName)
+	if !running {
+		return StatusStopped
+	}
+
+	caps := runtime.GetCapabilities(rt)
+	if caps.SSHAccess {
+		if !CheckSSH(host) {
+			return StatusUnhealthy
+		}
+		if !CheckMux(host, mux) {
+			return StatusNoMux
+		}
+	} else {
+		if !CheckMuxViaExec(ctx, sandboxName, rt, mux) {
+			return StatusNoMux
+		}
+	}
+	return StatusHealthy
+}
diff --git a/packages/forage-ctl/internal/health/health_test.go b/packages/forage-ctl/internal/health/health_test.go
new file mode 100644
index 0000000..86bdeda
--- /dev/null
+++ b/packages/forage-ctl/internal/health/health_test.go
@@ -0,0 +1,116 @@
+package health
+
+import (
+	"testing"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+)
+
+func TestStatusConstants(t *testing.T) {
+	// Verify status constants are defined correctly
+	tests := []struct {
+		status Status
+		want   string
+	}{
+		{StatusHealthy, "healthy"},
+		{StatusUnhealthy, "unhealthy"},
+		{StatusNoMux, "no-mux"},
+		{StatusStopped, "stopped"},
+	}
+
+	for _, tt := range tests {
+		if string(tt.status) != tt.want {
+			t.Errorf("Status %v = %q, want %q", tt.status, tt.status, tt.want)
+		}
+	}
+}
+
+func TestConstants(t *testing.T) {
+	// Verify important constants are set
+	if config.TmuxSessionName == "" {
+		t.Error("config.TmuxSessionName should not be empty")
+	}
+	if SSHReadyTimeoutSeconds <= 0 {
+		t.Errorf("SSHReadyTimeoutSeconds = %d, should be positive", SSHReadyTimeoutSeconds)
+	}
+}
+
+func TestFormatDuration(t *testing.T) {
+	tests := []struct {
+		name     string
+		duration time.Duration
+		want     string
+	}{
+		{"seconds", 30 * time.Second, "30s"},
+		{"one minute", 1 * time.Minute, "1m"},
+		{"minutes", 45 * time.Minute, "45m"},
+		{"one hour", 1 * time.Hour, "1h 0m"},
+		{"hours and minutes", 2*time.Hour + 30*time.Minute, "2h 30m"},
+		{"one day", 24 * time.Hour, "1d 0h"},
+		{"days and hours", 3*24*time.Hour + 5*time.Hour, "3d 5h"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := formatDuration(tt.duration)
+			if got != tt.want {
+				t.Errorf("formatDuration(%v) = %q, want %q", tt.duration, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCheckResult(t *testing.T) {
+	// Test that CheckResult struct has expected fields
+	result := &CheckResult{
+		ContainerRunning: true,
+		SSHReachable:     true,
+		MuxActive:        true,
+		Uptime:           "1h 30m",
+		MuxWindows:       []string{"0:bash", "1:nvim"},
+	}
+
+	if !result.ContainerRunning {
+		t.Error("ContainerRunning should be true")
+	}
+	if !result.SSHReachable {
+		t.Error("SSHReachable should be true")
+	}
+	if !result.MuxActive {
+		t.Error("MuxActive should be true")
+	}
+	if result.Uptime != "1h 30m" {
+		t.Errorf("Uptime = %q, want %q", result.Uptime, "1h 30m")
+	}
+	if len(result.MuxWindows) != 2 {
+		t.Errorf("MuxWindows length = %d, want 2", len(result.MuxWindows))
+	}
+}
+
+func TestCheckSSH_NoConnection(t *testing.T) {
+	// Test with an IP that definitely won't have SSH running
+	result := CheckSSH("192.0.2.1") // TEST-NET-1 address
+	if result {
+		t.Error("CheckSSH should return false for unreachable host")
+	}
+}
+
+func TestCheckMux_NoConnection(t *testing.T) {
+	// Test with an IP that definitely won't have SSH running
+	mux := multiplexer.New(multiplexer.TypeTmux)
+	result := CheckMux("192.0.2.1", mux) // TEST-NET-1 address
+	if result {
+		t.Error("CheckMux should return false for unreachable host")
+	}
+}
+
+func TestGetMuxWindows_NoConnection(t *testing.T) {
+	// Test with an IP that definitely won't have SSH running
+	mux := multiplexer.New(multiplexer.TypeTmux)
+	windows := GetMuxWindows("192.0.2.1", mux) // TEST-NET-1 address
+	if windows != nil {
+		t.Error("GetMuxWindows should return nil for unreachable host")
+	}
+}
diff --git a/packages/forage-ctl/internal/injection/claude_tmpfiles.go b/packages/forage-ctl/internal/injection/claude_tmpfiles.go
new file mode 100644
index 0000000..1c05a86
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/claude_tmpfiles.go
@@ -0,0 +1,53 @@
+package injection
+
+import (
+	"context"
+	"fmt"
+)
+
+// ClaudeTmpfilesContributor provides tmpfiles rules for Claude directories.
+type ClaudeTmpfilesContributor struct {
+	HomeDir  string
+	Username string
+}
+
+// NewClaudeTmpfilesContributor creates a Claude tmpfiles contributor.
+func NewClaudeTmpfilesContributor(homeDir, username string) *ClaudeTmpfilesContributor {
+	return &ClaudeTmpfilesContributor{
+		HomeDir:  homeDir,
+		Username: username,
+	}
+}
+
+// ContributeTmpfilesRules returns Claude-specific tmpfiles rules.
+func (c *ClaudeTmpfilesContributor) ContributeTmpfilesRules(ctx context.Context, req *TmpfilesRequest) ([]string, error) {
+	homeDir := c.HomeDir
+	username := c.Username
+
+	if req != nil {
+		if req.HomeDir != "" {
+			homeDir = req.HomeDir
+		}
+		if req.Username != "" {
+			username = req.Username
+		}
+	}
+
+	if homeDir == "" {
+		homeDir = "/home/agent"
+	}
+	if username == "" {
+		username = "agent"
+	}
+
+	return []string{
+		fmt.Sprintf("d %s/.claude 0755 %s users -", homeDir, username),
+		fmt.Sprintf("d %s/.claude/commands 0755 %s users -", homeDir, username),
+		fmt.Sprintf("d %s/.claude/skills 0755 %s users -", homeDir, username),
+		// Also create the managed settings directory
+		"d /etc/claude-code 0755 root root -",
+	}, nil
+}
+
+// Ensure ClaudeTmpfilesContributor implements TmpfilesContributor
+var _ TmpfilesContributor = (*ClaudeTmpfilesContributor)(nil)
diff --git a/packages/forage-ctl/internal/injection/collector.go b/packages/forage-ctl/internal/injection/collector.go
new file mode 100644
index 0000000..ee9b958
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/collector.go
@@ -0,0 +1,136 @@
+package injection
+
+import (
+	"context"
+	"sort"
+)
+
+// Collector gathers contributions from various backends.
+type Collector struct{}
+
+// NewCollector creates a new Collector.
+func NewCollector() *Collector {
+	return &Collector{}
+}
+
+// Contributions is the aggregated result from all contributors.
+type Contributions struct {
+	Mounts          []Mount
+	EnvVars         []EnvVar
+	Packages        []Package
+	TmpfilesRules   []string
+	PromptFragments []PromptFragment
+}
+
+// CollectionSources holds all the backends that might contribute.
+type CollectionSources struct {
+	// Contributors is the list of all potential contributors.
+	// Each will be checked via interface assertions.
+	Contributors []any
+
+	// Request contexts for different contribution types
+	MountRequest         *MountRequest
+	EnvVarRequest        *EnvVarRequest
+	GeneratedFileRequest *GeneratedFileRequest
+	TmpfilesRequest      *TmpfilesRequest
+
+	// GeneratedFileMounter handles converting generated files to mounts.
+	// If nil, generated files will be skipped.
+	GeneratedFileMounter interface {
+		MountGeneratedFile(ctx context.Context, sandboxName string, file GeneratedFile) (Mount, error)
+	}
+	SandboxName string
+}
+
+// Collect queries all sources for their contributions.
+func (c *Collector) Collect(ctx context.Context, sources CollectionSources) (*Contributions, error) {
+	result := &Contributions{}
+
+	for _, src := range sources.Contributors {
+		// Mounts
+		if mc, ok := src.(MountContributor); ok {
+			mounts, err := mc.ContributeMounts(ctx, sources.MountRequest)
+			if err != nil {
+				return nil, err
+			}
+			result.Mounts = append(result.Mounts, mounts...)
+		}
+
+		// Packages
+		if pc, ok := src.(PackageContributor); ok {
+			pkgs, err := pc.ContributePackages(ctx)
+			if err != nil {
+				return nil, err
+			}
+			result.Packages = append(result.Packages, pkgs...)
+		}
+
+		// Environment variables
+		if ec, ok := src.(EnvVarContributor); ok {
+			envVars, err := ec.ContributeEnvVars(ctx, sources.EnvVarRequest)
+			if err != nil {
+				return nil, err
+			}
+			result.EnvVars = append(result.EnvVars, envVars...)
+		}
+
+		// Tmpfiles rules
+		if tc, ok := src.(TmpfilesContributor); ok {
+			rules, err := tc.ContributeTmpfilesRules(ctx, sources.TmpfilesRequest)
+			if err != nil {
+				return nil, err
+			}
+			result.TmpfilesRules = append(result.TmpfilesRules, rules...)
+		}
+
+		// Prompt fragments
+		if pc, ok := src.(PromptContributor); ok {
+			fragments, err := pc.ContributePromptFragments(ctx)
+			if err != nil {
+				return nil, err
+			}
+			result.PromptFragments = append(result.PromptFragments, fragments...)
+		}
+
+		// Generated files -> converted to mounts
+		if gfc, ok := src.(GeneratedFileContributor); ok && sources.GeneratedFileMounter != nil {
+			files, err := gfc.ContributeGeneratedFiles(ctx, sources.GeneratedFileRequest)
+			if err != nil {
+				return nil, err
+			}
+			for _, file := range files {
+				mount, err := sources.GeneratedFileMounter.MountGeneratedFile(ctx, sources.SandboxName, file)
+				if err != nil {
+					return nil, err
+				}
+				result.Mounts = append(result.Mounts, mount)
+			}
+		}
+	}
+
+	// Sort prompt fragments by section and priority
+	sort.Slice(result.PromptFragments, func(i, j int) bool {
+		if result.PromptFragments[i].Section != result.PromptFragments[j].Section {
+			return result.PromptFragments[i].Section < result.PromptFragments[j].Section
+		}
+		return result.PromptFragments[i].Priority < result.PromptFragments[j].Priority
+	})
+
+	// Deduplicate tmpfiles rules (keep first occurrence)
+	result.TmpfilesRules = dedupeStrings(result.TmpfilesRules)
+
+	return result, nil
+}
+
+// dedupeStrings removes duplicates while preserving order.
+func dedupeStrings(items []string) []string {
+	seen := make(map[string]bool)
+	result := make([]string, 0, len(items))
+	for _, item := range items {
+		if !seen[item] {
+			seen[item] = true
+			result = append(result, item)
+		}
+	}
+	return result
+}
diff --git a/packages/forage-ctl/internal/injection/identity.go b/packages/forage-ctl/internal/injection/identity.go
new file mode 100644
index 0000000..738c5fa
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/identity.go
@@ -0,0 +1,150 @@
+package injection
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// IdentityContributor provides identity-related contributions.
+// This includes SSH key mounts and git/jj config init commands.
+type IdentityContributor struct {
+	GitUser    string
+	GitEmail   string
+	SSHKeyPath string
+	HomeDir    string // Container home directory
+}
+
+// NewIdentityContributor creates a new identity contributor.
+func NewIdentityContributor(gitUser, gitEmail, sshKeyPath, homeDir string) *IdentityContributor {
+	return &IdentityContributor{
+		GitUser:    gitUser,
+		GitEmail:   gitEmail,
+		SSHKeyPath: sshKeyPath,
+		HomeDir:    homeDir,
+	}
+}
+
+// ContributeMounts returns SSH key mounts.
+func (i *IdentityContributor) ContributeMounts(ctx context.Context, req *MountRequest) ([]Mount, error) {
+	if i.SSHKeyPath == "" {
+		return nil, nil
+	}
+
+	// Check that the key files exist
+	if _, err := os.Stat(i.SSHKeyPath); err != nil {
+		return nil, nil
+	}
+	pubKeyPath := i.SSHKeyPath + ".pub"
+	if _, err := os.Stat(pubKeyPath); err != nil {
+		return nil, nil
+	}
+
+	homeDir := i.HomeDir
+	if homeDir == "" {
+		homeDir = "/home/agent"
+	}
+
+	keyName := filepath.Base(i.SSHKeyPath)
+	sshDir := filepath.Join(homeDir, ".ssh")
+
+	return []Mount{
+		{
+			HostPath:      i.SSHKeyPath,
+			ContainerPath: filepath.Join(sshDir, keyName),
+			ReadOnly:      true,
+		},
+		{
+			HostPath:      pubKeyPath,
+			ContainerPath: filepath.Join(sshDir, keyName+".pub"),
+			ReadOnly:      true,
+		},
+	}, nil
+}
+
+// ContributeTmpfilesRules returns tmpfiles rules for SSH directory.
+func (i *IdentityContributor) ContributeTmpfilesRules(ctx context.Context, req *TmpfilesRequest) ([]string, error) {
+	if i.SSHKeyPath == "" {
+		return nil, nil
+	}
+
+	homeDir := i.HomeDir
+	username := "agent"
+
+	if req != nil {
+		if req.HomeDir != "" {
+			homeDir = req.HomeDir
+		}
+		if req.Username != "" {
+			username = req.Username
+		}
+	}
+
+	if homeDir == "" {
+		homeDir = "/home/agent"
+	}
+
+	return []string{
+		fmt.Sprintf("d %s/.ssh 0700 %s users -", homeDir, username),
+	}, nil
+}
+
+// ContributeEnvVars returns git identity environment variables.
+// These ensure git commits use the configured identity regardless of
+// whether a gitconfig file is available in the container.
+func (i *IdentityContributor) ContributeEnvVars(ctx context.Context, req *EnvVarRequest) ([]EnvVar, error) {
+	var vars []EnvVar
+	if i.GitUser != "" {
+		vars = append(vars,
+			EnvVar{Name: "GIT_AUTHOR_NAME", Value: fmt.Sprintf("%q", i.GitUser)},
+			EnvVar{Name: "GIT_COMMITTER_NAME", Value: fmt.Sprintf("%q", i.GitUser)},
+		)
+	}
+	if i.GitEmail != "" {
+		vars = append(vars,
+			EnvVar{Name: "GIT_AUTHOR_EMAIL", Value: fmt.Sprintf("%q", i.GitEmail)},
+			EnvVar{Name: "GIT_COMMITTER_EMAIL", Value: fmt.Sprintf("%q", i.GitEmail)},
+		)
+	}
+	return vars, nil
+}
+
+// ContributePromptFragments returns identity information for prompts.
+func (i *IdentityContributor) ContributePromptFragments(ctx context.Context) ([]PromptFragment, error) {
+	if i.GitUser == "" && i.GitEmail == "" && i.SSHKeyPath == "" {
+		return nil, nil
+	}
+
+	var content string
+	if i.GitUser != "" || i.GitEmail != "" {
+		content = "Git authorship is configured for this sandbox"
+		if i.GitUser != "" {
+			content += " as **" + i.GitUser + "**"
+		}
+		if i.GitEmail != "" {
+			content += " <" + i.GitEmail + ">"
+		}
+		content += ". All commits will use this identity automatically."
+	}
+	if i.SSHKeyPath != "" {
+		if content != "" {
+			content += " "
+		}
+		content += "An SSH key is available for pushing to remote repositories. SSH is configured to use this key automatically for all hosts."
+	}
+
+	return []PromptFragment{{
+		Section:  PromptSectionIdentity,
+		Priority: 10,
+		Content:  content,
+	}}, nil
+}
+
+// Ensure IdentityContributor implements interfaces
+var (
+	_ MountContributor    = (*IdentityContributor)(nil)
+	_ EnvVarContributor   = (*IdentityContributor)(nil)
+	_ TmpfilesContributor = (*IdentityContributor)(nil)
+	_ PromptContributor   = (*IdentityContributor)(nil)
+)
diff --git a/packages/forage-ctl/internal/injection/interfaces.go b/packages/forage-ctl/internal/injection/interfaces.go
new file mode 100644
index 0000000..15eb294
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/interfaces.go
@@ -0,0 +1,36 @@
+package injection
+
+import (
+	"context"
+)
+
+// MountContributor can contribute filesystem mounts to a container.
+type MountContributor interface {
+	ContributeMounts(ctx context.Context, req *MountRequest) ([]Mount, error)
+}
+
+// PackageContributor can contribute packages to install in the container.
+type PackageContributor interface {
+	ContributePackages(ctx context.Context) ([]Package, error)
+}
+
+// EnvVarContributor can contribute environment variables to the container.
+type EnvVarContributor interface {
+	ContributeEnvVars(ctx context.Context, req *EnvVarRequest) ([]EnvVar, error)
+}
+
+// PromptContributor can contribute to agent system prompts.
+type PromptContributor interface {
+	ContributePromptFragments(ctx context.Context) ([]PromptFragment, error)
+}
+
+// GeneratedFileContributor can contribute dynamically generated files
+// (e.g., permissions policy, skills, system prompts).
+type GeneratedFileContributor interface {
+	ContributeGeneratedFiles(ctx context.Context, req *GeneratedFileRequest) ([]GeneratedFile, error)
+}
+
+// TmpfilesContributor can contribute systemd tmpfiles rules.
+type TmpfilesContributor interface {
+	ContributeTmpfilesRules(ctx context.Context, req *TmpfilesRequest) ([]string, error)
+}
diff --git a/packages/forage-ctl/internal/injection/proxy.go b/packages/forage-ctl/internal/injection/proxy.go
new file mode 100644
index 0000000..e48a2fd
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/proxy.go
@@ -0,0 +1,81 @@
+package injection
+
+import (
+	"context"
+	"fmt"
+)
+
+// ProxyContributor provides proxy-related environment variables.
+type ProxyContributor struct {
+	ProxyURL    string
+	SandboxName string
+}
+
+// NewProxyContributor creates a new proxy contributor.
+func NewProxyContributor(proxyURL, sandboxName string) *ProxyContributor {
+	return &ProxyContributor{
+		ProxyURL:    proxyURL,
+		SandboxName: sandboxName,
+	}
+}
+
+// ContributeEnvVars returns proxy environment variables.
+func (p *ProxyContributor) ContributeEnvVars(ctx context.Context, req *EnvVarRequest) ([]EnvVar, error) {
+	proxyURL := p.ProxyURL
+	sandboxName := p.SandboxName
+
+	// Use request values if provided
+	if req != nil {
+		if req.ProxyURL != "" {
+			proxyURL = req.ProxyURL
+		}
+		if req.SandboxName != "" {
+			sandboxName = req.SandboxName
+		}
+	}
+
+	if proxyURL == "" {
+		return nil, nil
+	}
+
+	return []EnvVar{
+		{
+			Name:  "ANTHROPIC_BASE_URL",
+			Value: fmt.Sprintf("%q", proxyURL),
+		},
+		{
+			Name:  "ANTHROPIC_CUSTOM_HEADERS",
+			Value: fmt.Sprintf(`"X-Forage-Sandbox: %s"`, sandboxName),
+		},
+	}, nil
+}
+
+// ContributePromptFragments returns proxy information for prompts.
+func (p *ProxyContributor) ContributePromptFragments(ctx context.Context) ([]PromptFragment, error) {
+	if p.ProxyURL == "" {
+		return nil, nil
+	}
+
+	return []PromptFragment{{
+		Section:  PromptSectionAgent,
+		Priority: 50,
+		Content:  proxyPromptInstructions,
+	}}, nil
+}
+
+const proxyPromptInstructions = `This sandbox uses an API proxy for authentication. API keys are not stored in this container - they are injected by the proxy on the host.
+
+How it works:
+- ANTHROPIC_BASE_URL points to the host proxy
+- Requests are forwarded with API key injection
+- Rate limiting and audit logging are applied
+
+Limitations:
+- Only works with API key authentication
+- For Max/Pro plans, use "claude login" directly (auth stays in sandbox)`
+
+// Ensure ProxyContributor implements interfaces
+var (
+	_ EnvVarContributor = (*ProxyContributor)(nil)
+	_ PromptContributor = (*ProxyContributor)(nil)
+)
diff --git a/packages/forage-ctl/internal/injection/secrets.go b/packages/forage-ctl/internal/injection/secrets.go
new file mode 100644
index 0000000..271c751
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/secrets.go
@@ -0,0 +1,33 @@
+package injection
+
+import (
+	"context"
+)
+
+// SecretsContributor provides the /run/secrets mount.
+type SecretsContributor struct {
+	SecretsPath string // Host path to secrets directory
+}
+
+// NewSecretsContributor creates a new secrets contributor.
+func NewSecretsContributor(secretsPath string) *SecretsContributor {
+	return &SecretsContributor{
+		SecretsPath: secretsPath,
+	}
+}
+
+// ContributeMounts returns the secrets mount.
+func (s *SecretsContributor) ContributeMounts(ctx context.Context, req *MountRequest) ([]Mount, error) {
+	if s.SecretsPath == "" {
+		return nil, nil
+	}
+
+	return []Mount{{
+		HostPath:      s.SecretsPath,
+		ContainerPath: "/run/secrets",
+		ReadOnly:      true,
+	}}, nil
+}
+
+// Ensure SecretsContributor implements MountContributor
+var _ MountContributor = (*SecretsContributor)(nil)
diff --git a/packages/forage-ctl/internal/injection/tmpfiles.go b/packages/forage-ctl/internal/injection/tmpfiles.go
new file mode 100644
index 0000000..68a8d4c
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/tmpfiles.go
@@ -0,0 +1,50 @@
+package injection
+
+import (
+	"context"
+	"fmt"
+)
+
+// BaseTmpfilesContributor provides essential tmpfiles rules for sandboxes.
+type BaseTmpfilesContributor struct {
+	HomeDir  string // Container home directory (e.g., "/home/agent")
+	Username string // Container username (e.g., "agent")
+}
+
+// NewBaseTmpfilesContributor creates a new base tmpfiles contributor.
+func NewBaseTmpfilesContributor(homeDir, username string) *BaseTmpfilesContributor {
+	return &BaseTmpfilesContributor{
+		HomeDir:  homeDir,
+		Username: username,
+	}
+}
+
+// ContributeTmpfilesRules returns essential tmpfiles rules.
+func (b *BaseTmpfilesContributor) ContributeTmpfilesRules(ctx context.Context, req *TmpfilesRequest) ([]string, error) {
+	homeDir := b.HomeDir
+	username := b.Username
+
+	// Use request values if provided, falling back to configured values
+	if req != nil {
+		if req.HomeDir != "" {
+			homeDir = req.HomeDir
+		}
+		if req.Username != "" {
+			username = req.Username
+		}
+	}
+
+	if homeDir == "" {
+		homeDir = "/home/agent"
+	}
+	if username == "" {
+		username = "agent"
+	}
+
+	return []string{
+		fmt.Sprintf("d %s/.config 0755 %s users -", homeDir, username),
+	}, nil
+}
+
+// Ensure BaseTmpfilesContributor implements TmpfilesContributor
+var _ TmpfilesContributor = (*BaseTmpfilesContributor)(nil)
diff --git a/packages/forage-ctl/internal/injection/types.go b/packages/forage-ctl/internal/injection/types.go
new file mode 100644
index 0000000..88f0f34
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/types.go
@@ -0,0 +1,100 @@
+// Package injection provides types and interfaces for sandbox injection contributions.
+// Backends (runtime, workspace, multiplexer, agent) implement contribution interfaces
+// to provide mounts, packages, environment variables, and other injections.
+package injection
+
+import (
+	"os"
+)
+
+// Mount represents a filesystem mount for a container.
+type Mount struct {
+	HostPath      string
+	ContainerPath string
+	ReadOnly      bool
+}
+
+// EnvVar represents an environment variable to set in the container.
+// Value must be a complete Nix expression, typically a double-quoted string
+// (e.g., `"1"` or `"$(cat /run/secrets/foo ...)"`) because it is inserted
+// directly into the Nix template without additional escaping or quoting.
+type EnvVar struct {
+	Name  string
+	Value string
+}
+
+// Package represents a package to install with optional version pinning.
+type Package struct {
+	Name    string
+	Version string // optional, empty means latest/default
+}
+
+// PromptSection identifies a section of the agent system prompt.
+type PromptSection int
+
+const (
+	PromptSectionEnvironment PromptSection = iota
+	PromptSectionVCS
+	PromptSectionIdentity
+	PromptSectionAgent
+)
+
+// PromptFragment is text to add to agent prompts.
+type PromptFragment struct {
+	Section  PromptSection
+	Priority int // Lower priority = earlier in section
+	Content  string
+}
+
+// GeneratedFile represents a file that needs to be generated and mounted.
+// The runtime handles the actual mechanism for making the content available
+// in the container (e.g., writing to a temp dir that gets bind-mounted).
+type GeneratedFile struct {
+	ContainerPath string
+	Content       []byte
+	Mode          os.FileMode
+	ReadOnly      bool
+}
+
+// MountRequest provides context for mount contributions.
+type MountRequest struct {
+	WorkspacePath     string
+	SourceRepo        string // empty for direct mode
+	HostHomeDir       string
+	ContainerHomeDir  string // container home directory (e.g., "/home/agent")
+	ReadOnlyWorkspace bool   // when true, workspace and VCS mounts are read-only
+}
+
+// EnvVarRequest provides context for env var contributions.
+type EnvVarRequest struct {
+	SandboxName string
+	SecretsPath string
+	ProxyURL    string
+	SourceRepo  string // source repository path (empty for direct mode)
+}
+
+// GeneratedFileRequest provides context for generating files.
+type GeneratedFileRequest struct {
+	SandboxName   string
+	SourceRepo    string
+	WorkspacePath string
+	Template      string // sandbox template name
+
+	// Extended context for skills generation (optional)
+	WorkspaceMode string            // "jj", "git-worktree", or "direct"
+	GitBranch     string            // git branch name (for git-worktree mode)
+	Network       string            // "full", "restricted", or "none"
+	AllowedHosts  []string          // allowed hosts (for restricted network)
+	UseProxy      bool              // whether proxy is used
+	Multiplexer   string            // "tmux" or "wezterm"
+	GitUser       string            // git user name (for identity)
+	GitEmail      string            // git email (for identity)
+	SSHKeyPath    string            // SSH key path (for identity)
+	Agents        map[string]string // agent name -> auth label (e.g., "$ANTHROPIC_API_KEY" or "proxy")
+}
+
+// TmpfilesRequest provides context for tmpfiles rules.
+type TmpfilesRequest struct {
+	HomeDir  string
+	Username string
+}
diff --git a/packages/forage-ctl/internal/injection/workspace_mount.go b/packages/forage-ctl/internal/injection/workspace_mount.go
new file mode 100644
index 0000000..5576b3b
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/workspace_mount.go
@@ -0,0 +1,78 @@
+package injection
+
+import (
+	"context"
+)
+
+// ResolvedMount holds a fully resolved mount spec with effective host paths.
+type ResolvedMount struct {
+	Name          string
+	HostPath      string
+	ContainerPath string
+	ReadOnly      bool
+}
+
+// WorkspaceMountContributor provides the main workspace mount.
+// Deprecated: Use WorkspaceMountsContributor for multi-mount support.
+type WorkspaceMountContributor struct {
+	WorkspacePath string // Host path to the workspace
+	ContainerPath string // Container path (e.g., "/workspace")
+}
+
+// NewWorkspaceMountContributor creates a new workspace mount contributor.
+// Deprecated: Use NewWorkspaceMountsContributor for multi-mount support.
+func NewWorkspaceMountContributor(workspacePath, containerPath string) *WorkspaceMountContributor {
+	return &WorkspaceMountContributor{
+		WorkspacePath: workspacePath,
+		ContainerPath: containerPath,
+	}
+}
+
+// ContributeMounts returns the workspace mount.
+func (w *WorkspaceMountContributor) ContributeMounts(ctx context.Context, req *MountRequest) ([]Mount, error) {
+	if w.WorkspacePath == "" {
+		return nil, nil
+	}
+	containerPath := w.ContainerPath
+	if containerPath == "" {
+		containerPath = "/workspace"
+	}
+	return []Mount{{
+		HostPath:      w.WorkspacePath,
+		ContainerPath: containerPath,
+		ReadOnly:      req != nil && req.ReadOnlyWorkspace,
+	}}, nil
+}
+
+// WorkspaceMountsContributor provides multiple workspace mounts.
+type WorkspaceMountsContributor struct {
+	Mounts []ResolvedMount
+}
+
+// NewWorkspaceMountsContributor creates a contributor for multiple workspace mounts.
+func NewWorkspaceMountsContributor(mounts []ResolvedMount) *WorkspaceMountsContributor {
+	return &WorkspaceMountsContributor{Mounts: mounts}
+}
+
+// ContributeMounts returns all workspace mounts.
+func (w *WorkspaceMountsContributor) ContributeMounts(ctx context.Context, req *MountRequest) ([]Mount, error) {
+	var mounts []Mount
+	for _, m := range w.Mounts {
+		readOnly := m.ReadOnly
+		if req != nil && req.ReadOnlyWorkspace {
+			readOnly = true
+		}
+		mounts = append(mounts, Mount{
+			HostPath:      m.HostPath,
+			ContainerPath: m.ContainerPath,
+			ReadOnly:      readOnly,
+		})
+	}
+	return mounts, nil
+}
+
+// Ensure contributors implement MountContributor
+var (
+	_ MountContributor = (*WorkspaceMountContributor)(nil)
+	_ MountContributor = (*WorkspaceMountsContributor)(nil)
+)
diff --git a/packages/forage-ctl/internal/injection/workspace_mount_test.go b/packages/forage-ctl/internal/injection/workspace_mount_test.go
new file mode 100644
index 0000000..5657973
--- /dev/null
+++ b/packages/forage-ctl/internal/injection/workspace_mount_test.go
@@ -0,0 +1,85 @@
+package injection
+
+import (
+	"context"
+	"testing"
+)
+
+func TestWorkspaceMountsContributor_ContributeMounts(t *testing.T) {
+	mounts := []ResolvedMount{
+		{Name: "main", HostPath: "/var/lib/ws/main", ContainerPath: "/workspace"},
+		{Name: "beads", HostPath: "/var/lib/ws/beads", ContainerPath: "/workspace/.beads", ReadOnly: true},
+	}
+
+	contrib := NewWorkspaceMountsContributor(mounts)
+	req := &MountRequest{ReadOnlyWorkspace: false}
+
+	result, err := contrib.ContributeMounts(context.Background(), req)
+	if err != nil {
+		t.Fatalf("ContributeMounts() failed: %v", err)
+	}
+
+	if len(result) != 2 {
+		t.Fatalf("got %d mounts, want 2", len(result))
+	}
+
+	// First mount: not read-only
+	if result[0].HostPath != "/var/lib/ws/main" {
+		t.Errorf("mount[0].HostPath = %q, want %q", result[0].HostPath, "/var/lib/ws/main")
+	}
+	if result[0].ContainerPath != "/workspace" {
+		t.Errorf("mount[0].ContainerPath = %q, want %q", result[0].ContainerPath, "/workspace")
+	}
+	if result[0].ReadOnly {
+		t.Error("mount[0] should not be read-only")
+	}
+
+	// Second mount: inherently read-only
+	if !result[1].ReadOnly {
+		t.Error("mount[1] should be read-only")
+	}
+}
+
+func TestWorkspaceMountsContributor_ReadOnlyWorkspace(t *testing.T) {
+	mounts := []ResolvedMount{
+		{Name: "main", HostPath: "/var/lib/ws/main", ContainerPath: "/workspace"},
+	}
+
+	contrib := NewWorkspaceMountsContributor(mounts)
+	req := &MountRequest{ReadOnlyWorkspace: true}
+
+	result, err := contrib.ContributeMounts(context.Background(), req)
+	if err != nil {
+		t.Fatalf("ContributeMounts() failed: %v", err)
+	}
+
+	if !result[0].ReadOnly {
+		t.Error("mount should be read-only when ReadOnlyWorkspace is true")
+	}
+}
+
+func TestWorkspaceMountsContributor_Empty(t *testing.T) {
+	contrib := NewWorkspaceMountsContributor(nil)
+	result, err := contrib.ContributeMounts(context.Background(), &MountRequest{})
+	if err != nil {
+		t.Fatalf("ContributeMounts() failed: %v", err)
+	}
+	if len(result) != 0 {
+		t.Errorf("got %d mounts, want 0", len(result))
+	}
+}
+
+func TestWorkspaceMountContributor_BackwardCompat(t *testing.T) {
+	// Ensure the legacy contributor still works
+	contrib := NewWorkspaceMountContributor("/tmp/ws", "/workspace")
+	result, err := contrib.ContributeMounts(context.Background(), &MountRequest{})
+	if err != nil {
+		t.Fatalf("ContributeMounts() failed: %v", err)
+	}
+	if len(result) != 1 {
+		t.Fatalf("got %d mounts, want 1", len(result))
+	}
+	if result[0].HostPath != "/tmp/ws" || result[0].ContainerPath != "/workspace" {
+		t.Errorf("unexpected mount: %+v", result[0])
+	}
+}
diff --git a/packages/forage-ctl/internal/integration/doc.go b/packages/forage-ctl/internal/integration/doc.go
new file mode 100644
index 0000000..125b7fb
--- /dev/null
+++ b/packages/forage-ctl/internal/integration/doc.go
@@ -0,0 +1,37 @@
+// Package integration provides a test harness for integration tests
+// that require actual container runtime support.
+//
+// Integration tests are skipped unless the FORAGE_INTEGRATION_TESTS
+// environment variable is set. These tests require:
+//   - NixOS with systemd-nspawn support
+//   - sudo access for systemd container management
+//   - Available ports in the configured range
+//
+// # Test Harness
+//
+// TestHarness manages test environments:
+//
+//	func TestMyIntegration(t *testing.T) {
+//	    h := integration.NewHarness(t) // Skips if env var not set
+//
+//	    h.AddTemplate("test", integration.DefaultTemplate())
+//	    workspace := h.CreateWorkspace("my-sandbox")
+//
+//	    // Create sandbox, run tests...
+//
+//	    // Cleanup is automatic via t.Cleanup
+//	}
+//
+// # Harness Features
+//
+// The harness provides:
+//   - Isolated temporary directories for configs and state
+//   - Template and workspace creation helpers
+//   - SSH readiness waiting (WaitForSSH)
+//   - Sandbox tracking for cleanup (TrackSandbox)
+//   - Access to paths, host config, and runtime
+//
+// # Running Integration Tests
+//
+//	FORAGE_INTEGRATION_TESTS=1 go test -v ./internal/integration/...
+package integration
diff --git a/packages/forage-ctl/internal/integration/docker_test.go b/packages/forage-ctl/internal/integration/docker_test.go
new file mode 100644
index 0000000..cd42097
--- /dev/null
+++ b/packages/forage-ctl/internal/integration/docker_test.go
@@ -0,0 +1,284 @@
+//go:build integration && docker
+
+// Package integration provides integration tests that exercise complete code paths.
+//
+// Docker integration tests require:
+// - Docker daemon running
+// - User in docker group (or docker accessible)
+//
+// Run with: go test -tags=integration -v ./internal/integration/...
+package integration
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// skipUnlessDockerAvailable skips the test if docker is not accessible
+func skipUnlessDockerAvailable(t *testing.T) {
+	t.Helper()
+
+	// Verify docker is available
+	rt, err := runtime.NewDockerRuntime("forage-test-")
+	if err != nil {
+		t.Skipf("docker runtime not available: %v", err)
+	}
+
+	// Quick check that docker is responsive
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err = rt.List(ctx)
+	if err != nil {
+		t.Skipf("docker not responsive: %v", err)
+	}
+}
+
+// TestDocker_ContainerLifecycle tests the complete container lifecycle with Docker
+func TestDocker_ContainerLifecycle(t *testing.T) {
+	skipUnlessDockerAvailable(t)
+
+	rt, err := runtime.NewDockerRuntime("forage-test-")
+	if err != nil {
+		t.Fatalf("failed to create docker runtime: %v", err)
+	}
+
+	ctx := context.Background()
+	sandboxName := "lifecycle-test"
+
+	// Cleanup any leftover containers from previous runs
+	_ = rt.Destroy(ctx, sandboxName)
+
+	// Create container
+	t.Log("Creating container...")
+	err = rt.Create(ctx, runtime.CreateOptions{
+		Name:  sandboxName,
+		Start: true,
+	})
+	if err != nil {
+		t.Fatalf("failed to create container: %v", err)
+	}
+
+	// Verify it's running
+	t.Log("Verifying container is running...")
+	running, err := rt.IsRunning(ctx, sandboxName)
+	if err != nil {
+		t.Errorf("IsRunning failed: %v", err)
+	}
+	if !running {
+		t.Error("container should be running after Create with Start=true")
+	}
+
+	// Get status
+	t.Log("Getting container status...")
+	status, err := rt.Status(ctx, sandboxName)
+	if err != nil {
+		t.Errorf("Status failed: %v", err)
+	}
+	if status.Status != runtime.StatusRunning {
+		t.Errorf("expected StatusRunning, got %v", status.Status)
+	}
+
+	// Execute a command
+	t.Log("Executing command in container...")
+	result, err := rt.Exec(ctx, sandboxName, []string{"echo", "hello"}, runtime.ExecOptions{})
+	if err != nil {
+		t.Errorf("Exec failed: %v", err)
+	}
+	if result.ExitCode != 0 {
+		t.Errorf("expected exit code 0, got %d", result.ExitCode)
+	}
+	if result.Stdout != "hello\n" {
+		t.Errorf("expected 'hello\\n', got %q", result.Stdout)
+	}
+
+	// Stop container
+	t.Log("Stopping container...")
+	err = rt.Stop(ctx, sandboxName)
+	if err != nil {
+		t.Errorf("Stop failed: %v", err)
+	}
+
+	// Verify it's stopped
+	running, _ = rt.IsRunning(ctx, sandboxName)
+	if running {
+		t.Error("container should not be running after Stop")
+	}
+
+	// Start again
+	t.Log("Starting container...")
+	err = rt.Start(ctx, sandboxName)
+	if err != nil {
+		t.Errorf("Start failed: %v", err)
+	}
+
+	running, _ = rt.IsRunning(ctx, sandboxName)
+	if !running {
+		t.Error("container should be running after Start")
+	}
+
+	// Destroy container
+	t.Log("Destroying container...")
+	err = rt.Destroy(ctx, sandboxName)
+	if err != nil {
+		t.Errorf("Destroy failed: %v", err)
+	}
+
+	// Verify it's gone
+	running, _ = rt.IsRunning(ctx, sandboxName)
+	if running {
+		t.Error("container should not exist after Destroy")
+	}
+
+	t.Log("Container lifecycle test passed!")
+}
+
+// TestDocker_List tests listing containers
+func TestDocker_List(t *testing.T) {
+	skipUnlessDockerAvailable(t)
+
+	rt, err := runtime.NewDockerRuntime("forage-test-")
+	if err != nil {
+		t.Fatalf("failed to create docker runtime: %v", err)
+	}
+
+	ctx := context.Background()
+
+	// Cleanup any leftover containers
+	_ = rt.Destroy(ctx, "list-test-1")
+	_ = rt.Destroy(ctx, "list-test-2")
+
+	// Create two containers
+	for _, name := range []string{"list-test-1", "list-test-2"} {
+		err = rt.Create(ctx, runtime.CreateOptions{
+			Name:  name,
+			Start: true,
+		})
+		if err != nil {
+			t.Fatalf("failed to create container %s: %v", name, err)
+		}
+	}
+
+	// List containers
+	containers, err := rt.List(ctx)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+
+	// Should have at least 2 containers
+	found := 0
+	for _, c := range containers {
+		if c.Name == "list-test-1" || c.Name == "list-test-2" {
+			found++
+		}
+	}
+
+	if found != 2 {
+		t.Errorf("expected to find 2 containers, found %d", found)
+	}
+
+	// Cleanup
+	_ = rt.Destroy(ctx, "list-test-1")
+	_ = rt.Destroy(ctx, "list-test-2")
+}
+
+// TestDocker_BindMounts tests container bind mounts
+func TestDocker_BindMounts(t *testing.T) {
+	skipUnlessDockerAvailable(t)
+
+	rt, err := runtime.NewDockerRuntime("forage-test-")
+	if err != nil {
+		t.Fatalf("failed to create docker runtime: %v", err)
+	}
+
+	ctx := context.Background()
+	sandboxName := "bindmount-test"
+
+	// Cleanup
+	_ = rt.Destroy(ctx, sandboxName)
+
+	// Create a temp file to mount
+	tmpDir := t.TempDir()
+	testFile := tmpDir + "/test.txt"
+	if err := os.WriteFile(testFile, []byte("bind mount test"), 0644); err != nil {
+		t.Fatalf("failed to create test file: %v", err)
+	}
+
+	// Create container with bind mount
+	err = rt.Create(ctx, runtime.CreateOptions{
+		Name:  sandboxName,
+		Start: true,
+		BindMounts: map[string]string{
+			tmpDir: "/workspace",
+		},
+	})
+	if err != nil {
+		t.Fatalf("failed to create container: %v", err)
+	}
+
+	// Verify we can read the mounted file
+	result, err := rt.Exec(ctx, sandboxName, []string{"cat", "/workspace/test.txt"}, runtime.ExecOptions{})
+	if err != nil {
+		t.Errorf("Exec failed: %v", err)
+	}
+	if result.Stdout != "bind mount test" {
+		t.Errorf("expected 'bind mount test', got %q", result.Stdout)
+	}
+
+	// Cleanup
+	_ = rt.Destroy(ctx, sandboxName)
+}
+
+// TestDocker_ExecWithOptions tests exec with various options
+func TestDocker_ExecWithOptions(t *testing.T) {
+	skipUnlessDockerAvailable(t)
+
+	rt, err := runtime.NewDockerRuntime("forage-test-")
+	if err != nil {
+		t.Fatalf("failed to create docker runtime: %v", err)
+	}
+
+	ctx := context.Background()
+	sandboxName := "exec-options-test"
+
+	// Cleanup and create
+	_ = rt.Destroy(ctx, sandboxName)
+	err = rt.Create(ctx, runtime.CreateOptions{
+		Name:  sandboxName,
+		Start: true,
+	})
+	if err != nil {
+		t.Fatalf("failed to create container: %v", err)
+	}
+
+	t.Run("working directory", func(t *testing.T) {
+		result, err := rt.Exec(ctx, sandboxName, []string{"pwd"}, runtime.ExecOptions{
+			WorkingDir: "/tmp",
+		})
+		if err != nil {
+			t.Errorf("Exec failed: %v", err)
+		}
+		if result.Stdout != "/tmp\n" {
+			t.Errorf("expected '/tmp\\n', got %q", result.Stdout)
+		}
+	})
+
+	t.Run("environment variables", func(t *testing.T) {
+		result, err := rt.Exec(ctx, sandboxName, []string{"sh", "-c", "echo $MY_VAR"}, runtime.ExecOptions{
+			Env: []string{"MY_VAR=test_value"},
+		})
+		if err != nil {
+			t.Errorf("Exec failed: %v", err)
+		}
+		if result.Stdout != "test_value\n" {
+			t.Errorf("expected 'test_value\\n', got %q", result.Stdout)
+		}
+	})
+
+	// Cleanup
+	_ = rt.Destroy(ctx, sandboxName)
+}
diff --git a/packages/forage-ctl/internal/integration/harness.go b/packages/forage-ctl/internal/integration/harness.go
new file mode 100644
index 0000000..c35bf7a
--- /dev/null
+++ b/packages/forage-ctl/internal/integration/harness.go
@@ -0,0 +1,241 @@
+// Package integration provides a test harness for integration tests
+// that require actual container runtime support.
+//
+// Integration tests are skipped unless the FORAGE_INTEGRATION_TESTS
+// environment variable is set. These tests require:
+// - NixOS with systemd-nspawn support
+// - sudo access for systemd container management
+// - Available ports in the configured range
+package integration
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// TestHarness provides utilities for integration testing with real containers.
+type TestHarness struct {
+	t          *testing.T
+	tempDir    string
+	paths      *config.Paths
+	hostConfig *config.HostConfig
+	rt         runtime.Runtime
+	sandboxes  []string // Track created sandboxes for cleanup
+}
+
+// NewHarness creates a new test harness.
+// It will skip the test if FORAGE_INTEGRATION_TESTS is not set.
+func NewHarness(t *testing.T) *TestHarness {
+	t.Helper()
+
+	if os.Getenv("FORAGE_INTEGRATION_TESTS") == "" {
+		t.Skip("integration tests disabled (set FORAGE_INTEGRATION_TESTS=1 to enable)")
+	}
+
+	tempDir := t.TempDir()
+
+	paths := &config.Paths{
+		ConfigDir:     filepath.Join(tempDir, "config"),
+		StateDir:      filepath.Join(tempDir, "state"),
+		SecretsDir:    filepath.Join(tempDir, "secrets"),
+		SandboxesDir:  filepath.Join(tempDir, "state", "sandboxes"),
+		WorkspacesDir: filepath.Join(tempDir, "state", "workspaces"),
+		TemplatesDir:  filepath.Join(tempDir, "config", "templates"),
+	}
+
+	// Create directories
+	for _, dir := range []string{
+		paths.ConfigDir,
+		paths.StateDir,
+		paths.SecretsDir,
+		paths.SandboxesDir,
+		paths.WorkspacesDir,
+		paths.TemplatesDir,
+	} {
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			t.Fatalf("Failed to create directory %s: %v", dir, err)
+		}
+	}
+
+	// Try to detect the real runtime
+	cfg := &runtime.Config{
+		Type:         runtime.RuntimeAuto,
+		SandboxesDir: paths.SandboxesDir,
+	}
+	rt, err := runtime.New(cfg)
+	if err != nil {
+		t.Skipf("no container runtime available: %v", err)
+	}
+
+	// Load host config from system if available
+	hostConfig, err := loadHostConfig()
+	if err != nil {
+		t.Skipf("failed to load host config: %v", err)
+	}
+
+	h := &TestHarness{
+		t:          t,
+		tempDir:    tempDir,
+		paths:      paths,
+		hostConfig: hostConfig,
+		rt:         rt,
+		sandboxes:  make([]string, 0),
+	}
+
+	t.Cleanup(h.Cleanup)
+
+	return h
+}
+
+// loadHostConfig loads the host configuration from the default location.
+func loadHostConfig() (*config.HostConfig, error) {
+	paths := config.DefaultPaths()
+	return config.LoadHostConfig(paths.ConfigDir)
+}
+
+// Paths returns the test paths.
+func (h *TestHarness) Paths() *config.Paths {
+	return h.paths
+}
+
+// HostConfig returns the host configuration.
+func (h *TestHarness) HostConfig() *config.HostConfig {
+	return h.hostConfig
+}
+
+// Runtime returns the container runtime.
+func (h *TestHarness) Runtime() runtime.Runtime {
+	return h.rt
+}
+
+// AddTemplate adds a template to the test environment.
+func (h *TestHarness) AddTemplate(name string, template *config.Template) {
+	h.t.Helper()
+
+	if template.Name == "" {
+		template.Name = name
+	}
+
+	data, err := json.MarshalIndent(template, "", "  ")
+	if err != nil {
+		h.t.Fatalf("Failed to marshal template: %v", err)
+	}
+
+	path := filepath.Join(h.paths.TemplatesDir, name+".json")
+	if err := os.WriteFile(path, data, 0644); err != nil {
+		h.t.Fatalf("Failed to write template: %v", err)
+	}
+}
+
+// CreateWorkspace creates a test workspace directory.
+func (h *TestHarness) CreateWorkspace(name string) string {
+	h.t.Helper()
+
+	path := filepath.Join(h.tempDir, "workspaces", name)
+	if err := os.MkdirAll(path, 0755); err != nil {
+		h.t.Fatalf("Failed to create workspace: %v", err)
+	}
+
+	// Create a simple file to verify the workspace exists
+	testFile := filepath.Join(path, "README.md")
+	if err := os.WriteFile(testFile, []byte("# Test Workspace\n"), 0644); err != nil {
+		h.t.Fatalf("Failed to create test file: %v", err)
+	}
+
+	return path
+}
+
+// WaitForSSH waits for SSH to be ready on a sandbox.
+func (h *TestHarness) WaitForSSH(host string, timeout time.Duration) error {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	ticker := time.NewTicker(time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return fmt.Errorf("SSH not ready after %v", timeout)
+		case <-ticker.C:
+			if health.CheckSSH(host) {
+				return nil
+			}
+		}
+	}
+}
+
+// TrackSandbox tracks a sandbox for cleanup.
+func (h *TestHarness) TrackSandbox(name string) {
+	h.sandboxes = append(h.sandboxes, name)
+}
+
+// Cleanup removes all created sandboxes and resources.
+func (h *TestHarness) Cleanup() {
+	ctx := context.Background()
+
+	// Destroy all tracked sandboxes
+	for _, name := range h.sandboxes {
+		if err := h.rt.Destroy(ctx, name); err != nil {
+			h.t.Logf("Warning: failed to destroy sandbox %s: %v", name, err)
+		}
+	}
+
+	// Clean up metadata files
+	for _, name := range h.sandboxes {
+		metaPath := filepath.Join(h.paths.SandboxesDir, name+".json")
+		os.Remove(metaPath)
+
+		configPath := filepath.Join(h.paths.SandboxesDir, name+".nix")
+		os.Remove(configPath)
+
+		skillsPath := filepath.Join(h.paths.SandboxesDir, name+".skills.md")
+		os.Remove(skillsPath)
+
+		secretsPath := filepath.Join(h.paths.SecretsDir, name)
+		os.RemoveAll(secretsPath)
+	}
+}
+
+// RequireRunning skips the test if the named container is not running.
+func (h *TestHarness) RequireRunning(name string) {
+	h.t.Helper()
+
+	running, err := h.rt.IsRunning(context.Background(), name)
+	if err != nil {
+		h.t.Skipf("failed to check if %s is running: %v", name, err)
+	}
+	if !running {
+		h.t.Skipf("sandbox %s is not running", name)
+	}
+}
+
+// GetSandboxMetadata loads sandbox metadata.
+func (h *TestHarness) GetSandboxMetadata(name string) (*config.SandboxMetadata, error) {
+	return config.LoadSandboxMetadata(h.paths.SandboxesDir, name)
+}
+
+// DefaultTemplate returns a basic template suitable for integration tests.
+func DefaultTemplate() *config.Template {
+	return &config.Template{
+		Name:        "integration-test",
+		Description: "Template for integration tests",
+		Network:     "none", // Restrict network in tests
+		Agents: map[string]config.AgentConfig{
+			"test": {
+				PackagePath: "pkgs.hello", // Use a minimal package
+				SecretName:  "test-secret",
+				AuthEnvVar:  "TEST_API_KEY",
+			},
+		},
+	}
+}
diff --git a/packages/forage-ctl/internal/integration/harness_test.go b/packages/forage-ctl/internal/integration/harness_test.go
new file mode 100644
index 0000000..0095ff0
--- /dev/null
+++ b/packages/forage-ctl/internal/integration/harness_test.go
@@ -0,0 +1,19 @@
+package integration
+
+import (
+	"testing"
+)
+
+func TestDefaultTemplate(t *testing.T) {
+	tmpl := DefaultTemplate()
+
+	if tmpl.Name != "integration-test" {
+		t.Errorf("Name = %q, want %q", tmpl.Name, "integration-test")
+	}
+	if tmpl.Network != "none" {
+		t.Errorf("Network = %q, want %q", tmpl.Network, "none")
+	}
+	if _, ok := tmpl.Agents["test"]; !ok {
+		t.Error("Template should have 'test' agent")
+	}
+}
diff --git a/packages/forage-ctl/internal/integration/workflow_test.go b/packages/forage-ctl/internal/integration/workflow_test.go
new file mode 100644
index 0000000..67e3ed9
--- /dev/null
+++ b/packages/forage-ctl/internal/integration/workflow_test.go
@@ -0,0 +1,553 @@
+// Package integration provides workflow tests that exercise complete code paths
+// without requiring actual container infrastructure.
+//
+// These tests verify that all components work together correctly:
+// - Config loading and validation
+// - Port allocation across sandboxes
+// - Workspace setup
+// - Nix config generation
+// - Metadata persistence
+// - Cleanup operations
+package integration
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/generator"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/port"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/reproducibility"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/sandbox"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/skills"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/testutil"
+)
+
+// testContributions creates a minimal set of contributions for testing.
+func testContributions(workspacePath, secretsPath string) *injection.Contributions {
+	return &injection.Contributions{
+		Mounts: []injection.Mount{
+			{HostPath: "/nix/store", ContainerPath: "/nix/store", ReadOnly: true},
+			{HostPath: workspacePath, ContainerPath: "/workspace", ReadOnly: false},
+			{HostPath: secretsPath, ContainerPath: "/run/secrets", ReadOnly: true},
+		},
+		TmpfilesRules: []string{
+			"d /home/agent/.config 0755 agent users -",
+		},
+	}
+}
+
+// TestWorkflow_CreateSandboxWithDirectWorkspace tests creating a sandbox
+// with a direct workspace path (no jj or git-worktree).
+func TestWorkflow_CreateSandboxWithDirectWorkspace(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Set up test template
+	env.AddTemplate("test-template", &config.Template{
+		Name:        "test-template",
+		Description: "Test template",
+		Network:     "full",
+		Agents: map[string]config.AgentConfig{
+			"test-agent": {
+				PackagePath: "pkgs.hello",
+				SecretName:  "test-secret",
+				AuthEnvVar:  "TEST_KEY",
+			},
+		},
+	})
+
+	// Create a workspace directory
+	workspacePath := env.CreateWorkspace("test-project")
+	// Add a file to simulate a real project
+	if err := os.WriteFile(filepath.Join(workspacePath, "README.md"), []byte("# Test"), 0644); err != nil {
+		t.Fatalf("failed to create README: %v", err)
+	}
+
+	// Test slot allocation
+	networkSlot, err := port.AllocateSlot(nil)
+	if err != nil {
+		t.Fatalf("slot allocation failed: %v", err)
+	}
+	if networkSlot < 1 || networkSlot > 254 {
+		t.Errorf("network slot %d outside valid range", networkSlot)
+	}
+
+	// Test config generation
+	template, err := config.LoadTemplate(env.Paths.TemplatesDir, "test-template")
+	if err != nil {
+		t.Fatalf("failed to load template: %v", err)
+	}
+
+	secretsPath := filepath.Join(env.Paths.SecretsDir, "test-sandbox")
+	containerCfg := &generator.ContainerConfig{
+		Name:            "test-sandbox",
+		NetworkSlot:     networkSlot,
+		AuthorizedKeys:  []string{"ssh-rsa AAAA... test@test"},
+		Template:        template,
+		UID:             env.HostConfig.UID,
+		GID:             env.HostConfig.GID,
+		Contributions:   testContributions(workspacePath, secretsPath),
+		Reproducibility: reproducibility.NewNixReproducibility(),
+	}
+
+	nixConfig, err := generator.GenerateNixConfig(containerCfg)
+	if err != nil {
+		t.Fatalf("config generation failed: %v", err)
+	}
+
+	// Verify generated config contains expected elements
+	// Container name is derived from network slot (f{slot}), not sandbox name
+	expectedContainerName := fmt.Sprintf("containers.f%d", networkSlot)
+	checks := []string{
+		expectedContainerName,
+		workspacePath,
+		"ssh-rsa AAAA",
+	}
+	for _, check := range checks {
+		if !strings.Contains(nixConfig, check) {
+			t.Errorf("generated config missing: %s", check)
+		}
+	}
+
+	// Test metadata persistence
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "test-template",
+		Workspace:     workspacePath,
+		NetworkSlot:   networkSlot,
+		WorkspaceMode: "direct",
+		CreatedAt:     "2024-01-01T00:00:00Z",
+	}
+
+	if err = config.SaveSandboxMetadata(env.Paths.SandboxesDir, metadata); err != nil {
+		t.Fatalf("failed to save metadata: %v", err)
+	}
+
+	// Verify we can load it back
+	loaded, err := config.LoadSandboxMetadata(env.Paths.SandboxesDir, "test-sandbox")
+	if err != nil {
+		t.Fatalf("failed to load metadata: %v", err)
+	}
+	if loaded.NetworkSlot != networkSlot {
+		t.Errorf("loaded NetworkSlot = %d, want %d", loaded.NetworkSlot, networkSlot)
+	}
+}
+
+// TestWorkflow_MultipleSandboxesSlotAllocation tests that slot allocation
+// works correctly across multiple sandboxes.
+func TestWorkflow_MultipleSandboxesSlotAllocation(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Create multiple sandboxes and track slots
+	var sandboxes []*config.SandboxMetadata
+	usedSlots := make(map[int]bool)
+
+	for i := 0; i < 5; i++ {
+		slot, err := port.AllocateSlot(sandboxes)
+		if err != nil {
+			t.Fatalf("allocation %d failed: %v", i, err)
+		}
+
+		if usedSlots[slot] {
+			t.Errorf("slot %d allocated twice", slot)
+		}
+		usedSlots[slot] = true
+
+		meta := &config.SandboxMetadata{
+			Name:        "sandbox-" + string(rune('a'+i)),
+			NetworkSlot: slot,
+		}
+		sandboxes = append(sandboxes, meta)
+
+		// Save to disk
+		if err := config.SaveSandboxMetadata(env.Paths.SandboxesDir, meta); err != nil {
+			t.Fatalf("failed to save metadata: %v", err)
+		}
+	}
+
+	// Verify all sandboxes are listed
+	listed, err := config.ListSandboxes(env.Paths.SandboxesDir)
+	if err != nil {
+		t.Fatalf("list failed: %v", err)
+	}
+	if len(listed) != 5 {
+		t.Errorf("expected 5 sandboxes, got %d", len(listed))
+	}
+}
+
+// TestWorkflow_CleanupRemovesAllArtifacts tests that cleanup properly
+// removes all sandbox artifacts.
+func TestWorkflow_CleanupRemovesAllArtifacts(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	sandboxName := "cleanup-test"
+
+	// Create sandbox artifacts manually
+	metadataPath := filepath.Join(env.Paths.SandboxesDir, sandboxName+".json")
+	configPath := filepath.Join(env.Paths.SandboxesDir, sandboxName+".nix")
+	skillsPath := filepath.Join(env.Paths.SandboxesDir, sandboxName+".skills.md")
+	secretsPath := filepath.Join(env.Paths.SecretsDir, sandboxName)
+
+	// Create the files
+	if err := os.WriteFile(metadataPath, []byte(`{"name":"cleanup-test"}`), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(configPath, []byte("{ }"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(skillsPath, []byte("# Skills"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.MkdirAll(secretsPath, 0700); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(secretsPath, "api-key"), []byte("secret"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify files exist
+	for _, path := range []string{metadataPath, configPath, skillsPath, secretsPath} {
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			t.Fatalf("expected %s to exist before cleanup", path)
+		}
+	}
+
+	// Run cleanup (with nil runtime since we're not testing container cleanup)
+	metadata := &config.SandboxMetadata{
+		Name:     sandboxName,
+		Template: "test",
+	}
+	sandbox.Cleanup(context.Background(), metadata, env.Paths, sandbox.CleanupOptions{
+		DestroyContainer: false, // No container to destroy
+		CleanupWorkspace: false, // No VCS workspace
+		CleanupSecrets:   true,
+		CleanupConfig:    true,
+		CleanupSkills:    true,
+		CleanupMetadata:  true,
+	}, nil)
+
+	// Verify files are removed
+	for _, path := range []string{metadataPath, configPath, skillsPath} {
+		if _, err := os.Stat(path); !os.IsNotExist(err) {
+			t.Errorf("expected %s to be removed after cleanup", path)
+		}
+	}
+	if _, err := os.Stat(secretsPath); !os.IsNotExist(err) {
+		t.Errorf("expected secrets dir to be removed after cleanup")
+	}
+}
+
+// TestWorkflow_NetworkModeConfigs tests that different network modes
+// generate correct configurations.
+func TestWorkflow_NetworkModeConfigs(t *testing.T) {
+	tests := []struct {
+		name         string
+		networkMode  string
+		allowedHosts []string
+		wantContains []string
+	}{
+		{
+			name:         "full network",
+			networkMode:  "full",
+			wantContains: []string{"defaultGateway", "nameservers"},
+		},
+		{
+			name:         "no network",
+			networkMode:  "none",
+			wantContains: []string{"defaultGateway = null", "nameservers = [ ]"},
+		},
+		{
+			name:         "restricted network",
+			networkMode:  "restricted",
+			allowedHosts: []string{"api.anthropic.com", "github.com"},
+			wantContains: []string{"nftables", "api.anthropic.com", "github.com"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			template := &config.Template{
+				Name:         "test",
+				Network:      tt.networkMode,
+				AllowedHosts: tt.allowedHosts,
+				Agents: map[string]config.AgentConfig{
+					"test": {PackagePath: "pkgs.hello", SecretName: "test", AuthEnvVar: "TEST_KEY"},
+				},
+			}
+
+			cfg := &generator.ContainerConfig{
+				Name:            "test",
+				NetworkSlot:     1,
+				AuthorizedKeys:  []string{"ssh-rsa AAAA..."},
+				Template:        template,
+				UID:             1000,
+				GID:             100,
+				Contributions:   testContributions("/workspace", "/secrets"),
+				Reproducibility: reproducibility.NewNixReproducibility(),
+			}
+
+			result, err := generator.GenerateNixConfig(cfg)
+			if err != nil {
+				t.Fatalf("generation failed: %v", err)
+			}
+
+			for _, want := range tt.wantContains {
+				if !strings.Contains(result, want) {
+					t.Errorf("config should contain %q for network mode %s", want, tt.networkMode)
+				}
+			}
+		})
+	}
+}
+
+// TestWorkflow_SandboxNameValidation tests that invalid sandbox names
+// are properly rejected throughout the workflow.
+func TestWorkflow_SandboxNameValidation(t *testing.T) {
+	invalidNames := []string{
+		"../escape",
+		"has spaces",
+		"Has-Uppercase",
+		"-starts-dash",
+		"has;semicolon",
+		"has\nnewline",
+		"",
+	}
+
+	for _, name := range invalidNames {
+		t.Run(name, func(t *testing.T) {
+			err := config.ValidateSandboxName(name)
+			if err == nil {
+				t.Errorf("expected validation error for %q", name)
+			}
+		})
+	}
+
+	validNames := []string{
+		"my-project",
+		"test123",
+		"sandbox_1",
+		"a",
+	}
+
+	for _, name := range validNames {
+		t.Run(name, func(t *testing.T) {
+			err := config.ValidateSandboxName(name)
+			if err != nil {
+				t.Errorf("unexpected validation error for %q: %v", name, err)
+			}
+		})
+	}
+}
+
+// TestWorkflow_RuntimeMockIntegration tests that the mock runtime
+// correctly simulates container operations.
+func TestWorkflow_RuntimeMockIntegration(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	ctx := context.Background()
+
+	// Initially, no containers should be running
+	running, err := env.Runtime.IsRunning(ctx, "test-sandbox")
+	if err != nil {
+		t.Fatalf("IsRunning failed: %v", err)
+	}
+	if running {
+		t.Error("sandbox should not be running initially")
+	}
+
+	// Start a container
+	env.Runtime.AddContainer("test-sandbox", runtime.StatusRunning)
+
+	running, err = env.Runtime.IsRunning(ctx, "test-sandbox")
+	if err != nil {
+		t.Fatalf("IsRunning failed: %v", err)
+	}
+	if !running {
+		t.Error("sandbox should be running after creation")
+	}
+
+	// Stop the container
+	if err = env.Runtime.Stop(ctx, "test-sandbox"); err != nil {
+		t.Fatalf("Stop failed: %v", err)
+	}
+
+	running, err = env.Runtime.IsRunning(ctx, "test-sandbox")
+	if err != nil {
+		t.Fatalf("IsRunning failed: %v", err)
+	}
+	if running {
+		t.Error("sandbox should not be running after stop")
+	}
+}
+
+// TestWorkflow_TemplateValidation tests template loading and validation.
+func TestWorkflow_TemplateValidation(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Add a valid template
+	env.AddTemplate("valid", &config.Template{
+		Name:        "valid",
+		Description: "Valid template",
+		Network:     "full",
+		Agents: map[string]config.AgentConfig{
+			"test": {PackagePath: "pkgs.hello", SecretName: "test", AuthEnvVar: "TEST_KEY"},
+		},
+	})
+
+	// Load it
+	tmpl, err := config.LoadTemplate(env.Paths.TemplatesDir, "valid")
+	if err != nil {
+		t.Fatalf("failed to load valid template: %v", err)
+	}
+	if tmpl.Name != "valid" {
+		t.Errorf("template name = %q, want %q", tmpl.Name, "valid")
+	}
+
+	// Try to load non-existent template
+	_, err = config.LoadTemplate(env.Paths.TemplatesDir, "nonexistent")
+	if err == nil {
+		t.Error("expected error loading nonexistent template")
+	}
+}
+
+// TestWorkflow_SkillsGeneration tests that skills are generated correctly
+// for different project types.
+func TestWorkflow_SkillsGeneration(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "direct",
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {AuthEnvVar: "ANTHROPIC_API_KEY"},
+		},
+	}
+
+	prompt := skills.GenerateSystemPrompt(metadata, template)
+
+	// Verify skills content
+	if !strings.Contains(prompt, "test-sandbox") {
+		t.Error("skills should contain sandbox name")
+	}
+	if !strings.Contains(prompt, "claude") {
+		t.Error("skills should contain agent name")
+	}
+	if !strings.Contains(prompt, "/workspace") {
+		t.Error("skills should mention workspace")
+	}
+}
+
+// TestWorkflow_JJModeConfig tests JJ workspace mode configuration.
+func TestWorkflow_JJModeConfig(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Create a fake JJ repo
+	repoPath := env.CreateJJRepo("test-repo")
+
+	template := &config.Template{
+		Name:    "test",
+		Network: "full",
+		Agents: map[string]config.AgentConfig{
+			"test": {PackagePath: "pkgs.hello", SecretName: "test", AuthEnvVar: "TEST_KEY"},
+		},
+	}
+
+	workspacePath := filepath.Join(env.TmpDir, "workspaces", "jj-sandbox")
+	secretsPath := filepath.Join(env.Paths.SecretsDir, "jj-sandbox")
+	jjPath := filepath.Join(repoPath, ".jj")
+
+	// Create contributions with JJ mount
+	contributions := testContributions(workspacePath, secretsPath)
+	contributions.Mounts = append(contributions.Mounts, injection.Mount{
+		HostPath:      jjPath,
+		ContainerPath: jjPath,
+		ReadOnly:      false,
+	})
+
+	cfg := &generator.ContainerConfig{
+		Name:            "jj-sandbox",
+		NetworkSlot:     1,
+		AuthorizedKeys:  []string{"ssh-rsa AAAA..."},
+		Template:        template,
+		UID:             env.HostConfig.UID,
+		GID:             env.HostConfig.GID,
+		Contributions:   contributions,
+		Reproducibility: reproducibility.NewNixReproducibility(),
+	}
+
+	nixConfig, err := generator.GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("config generation failed: %v", err)
+	}
+
+	// JJ mode should include .jj bind mount
+	if !strings.Contains(nixConfig, ".jj") {
+		t.Error("JJ mode config should contain .jj bind mount")
+	}
+}
+
+// TestWorkflow_ProxyModeConfig tests proxy mode configuration.
+func TestWorkflow_ProxyModeConfig(t *testing.T) {
+	template := &config.Template{
+		Name:    "test",
+		Network: "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				PackagePath: "pkgs.claude-code",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+	}
+
+	// Create contributions with proxy env vars (instead of secret reading)
+	contributions := testContributions("/workspace", "/secrets")
+	contributions.EnvVars = []injection.EnvVar{
+		{Name: "ANTHROPIC_BASE_URL", Value: `"http://10.100.1.1:8080"`},
+		{Name: "ANTHROPIC_CUSTOM_HEADERS", Value: `"X-Forage-Sandbox: proxy-sandbox"`},
+	}
+
+	cfg := &generator.ContainerConfig{
+		Name:            "proxy-sandbox",
+		NetworkSlot:     1,
+		AuthorizedKeys:  []string{"ssh-rsa AAAA..."},
+		Template:        template,
+		UID:             1000,
+		GID:             100,
+		Contributions:   contributions,
+		Reproducibility: reproducibility.NewNixReproducibility(),
+	}
+
+	nixConfig, err := generator.GenerateNixConfig(cfg)
+	if err != nil {
+		t.Fatalf("config generation failed: %v", err)
+	}
+
+	// Proxy mode should include base URL and headers
+	if !strings.Contains(nixConfig, "ANTHROPIC_BASE_URL") {
+		t.Error("proxy mode config should contain ANTHROPIC_BASE_URL")
+	}
+	if !strings.Contains(nixConfig, "X-Forage-Sandbox") {
+		t.Error("proxy mode config should contain X-Forage-Sandbox header")
+	}
+	// Should NOT contain direct secret reading
+	if strings.Contains(nixConfig, "cat /run/secrets/anthropic") {
+		t.Error("proxy mode should not read secrets directly")
+	}
+}
diff --git a/packages/forage-ctl/internal/logging/doc.go b/packages/forage-ctl/internal/logging/doc.go
new file mode 100644
index 0000000..838cbf7
--- /dev/null
+++ b/packages/forage-ctl/internal/logging/doc.go
@@ -0,0 +1,34 @@
+// Package logging provides logging utilities for forage-ctl.
+//
+// This package provides two categories of output:
+//   - Debug logging: Structured logs for debugging (via slog)
+//   - User output: Formatted messages for end users
+//
+// # Debug Logging
+//
+// Debug logs are written using slog and controlled by verbosity settings:
+//
+//	logging.Debug("creating sandbox", "name", name, "template", template)
+//	logging.Warn("SSH timeout", "port", port, "timeout", timeout)
+//
+// # User Output
+//
+// User-facing messages are formatted with status indicators:
+//
+//	logging.UserInfo("Loading template %s...", templateName)
+//	logging.UserSuccess("Sandbox %s created successfully", name)
+//	logging.UserWarning("Port %d is already in use", port)
+//	logging.UserError("Failed to create sandbox: %v", err)
+//
+// Output destinations:
+//   - UserInfo, UserSuccess: stdout
+//   - UserWarning, UserError: stderr
+//
+// # Status Indicators
+//
+// User functions prepend status indicators:
+//   - ℹ (info)
+//   - ✓ (success)
+//   - ⚠ (warning)
+//   - ✗ (error)
+package logging
diff --git a/packages/forage-ctl/internal/logging/logging.go b/packages/forage-ctl/internal/logging/logging.go
new file mode 100644
index 0000000..3f9b71a
--- /dev/null
+++ b/packages/forage-ctl/internal/logging/logging.go
@@ -0,0 +1,71 @@
+package logging
+
+import (
+	"io"
+	"log/slog"
+	"os"
+)
+
+var (
+	// Logger is the global structured logger
+	Logger *slog.Logger
+
+	// Verbose enables debug logging
+	Verbose bool
+)
+
+func init() {
+	// Default to a simple text handler for CLI output
+	Logger = slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	}))
+}
+
+// Setup configures the logger based on verbosity and output preferences
+func Setup(verbose bool, jsonOutput bool, w io.Writer) {
+	Verbose = verbose
+
+	level := slog.LevelInfo
+	if verbose {
+		level = slog.LevelDebug
+	}
+
+	opts := &slog.HandlerOptions{
+		Level: level,
+	}
+
+	if w == nil {
+		w = os.Stderr
+	}
+
+	if jsonOutput {
+		Logger = slog.New(slog.NewJSONHandler(w, opts))
+	} else {
+		Logger = slog.New(slog.NewTextHandler(w, opts))
+	}
+}
+
+// Debug logs a debug message
+func Debug(msg string, args ...any) {
+	Logger.Debug(msg, args...)
+}
+
+// Info logs an info message
+func Info(msg string, args ...any) {
+	Logger.Info(msg, args...)
+}
+
+// Warn logs a warning message
+func Warn(msg string, args ...any) {
+	Logger.Warn(msg, args...)
+}
+
+// Error logs an error message
+func Error(msg string, args ...any) {
+	Logger.Error(msg, args...)
+}
+
+// With returns a logger with additional attributes
+func With(args ...any) *slog.Logger {
+	return Logger.With(args...)
+}
diff --git a/packages/forage-ctl/internal/logging/logging_test.go b/packages/forage-ctl/internal/logging/logging_test.go
new file mode 100644
index 0000000..15d1eb1
--- /dev/null
+++ b/packages/forage-ctl/internal/logging/logging_test.go
@@ -0,0 +1,145 @@
+package logging
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+)
+
+func TestSetup_TextOutput(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, false, &buf)
+
+	Info("test message", "key", "value")
+
+	output := buf.String()
+	if !strings.Contains(output, "test message") {
+		t.Errorf("Expected 'test message' in output, got: %s", output)
+	}
+}
+
+func TestSetup_JSONOutput(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, true, &buf)
+
+	Info("test message", "key", "value")
+
+	output := buf.String()
+	// JSON output should contain braces
+	if !strings.Contains(output, "{") {
+		t.Errorf("Expected JSON output, got: %s", output)
+	}
+	if !strings.Contains(output, "test message") {
+		t.Errorf("Expected 'test message' in output, got: %s", output)
+	}
+}
+
+func TestSetup_VerboseMode(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(true, false, &buf)
+
+	if !Verbose {
+		t.Error("Verbose flag should be true after Setup(true, ...)")
+	}
+
+	Debug("debug message")
+
+	output := buf.String()
+	if !strings.Contains(output, "debug message") {
+		t.Errorf("Debug message should appear in verbose mode, got: %s", output)
+	}
+}
+
+func TestSetup_NonVerboseMode(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, false, &buf)
+
+	if Verbose {
+		t.Error("Verbose flag should be false after Setup(false, ...)")
+	}
+
+	Debug("debug message")
+
+	output := buf.String()
+	if strings.Contains(output, "debug message") {
+		t.Errorf("Debug message should NOT appear in non-verbose mode, got: %s", output)
+	}
+}
+
+func TestDebug(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(true, false, &buf)
+
+	Debug("debug test", "key", "value")
+
+	output := buf.String()
+	if !strings.Contains(output, "debug test") {
+		t.Errorf("Expected 'debug test' in output, got: %s", output)
+	}
+}
+
+func TestInfo(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, false, &buf)
+
+	Info("info test", "key", "value")
+
+	output := buf.String()
+	if !strings.Contains(output, "info test") {
+		t.Errorf("Expected 'info test' in output, got: %s", output)
+	}
+}
+
+func TestWarn(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, false, &buf)
+
+	Warn("warn test", "key", "value")
+
+	output := buf.String()
+	if !strings.Contains(output, "warn test") {
+		t.Errorf("Expected 'warn test' in output, got: %s", output)
+	}
+}
+
+func TestError(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, false, &buf)
+
+	Error("error test", "key", "value")
+
+	output := buf.String()
+	if !strings.Contains(output, "error test") {
+		t.Errorf("Expected 'error test' in output, got: %s", output)
+	}
+}
+
+func TestWith(t *testing.T) {
+	var buf bytes.Buffer
+	Setup(false, false, &buf)
+
+	logger := With("component", "test")
+	if logger == nil {
+		t.Error("With() returned nil")
+	}
+
+	logger.Info("with test")
+
+	output := buf.String()
+	if !strings.Contains(output, "with test") {
+		t.Errorf("Expected 'with test' in output, got: %s", output)
+	}
+	if !strings.Contains(output, "component") {
+		t.Errorf("Expected 'component' in output, got: %s", output)
+	}
+}
+
+func TestSetup_NilWriter(t *testing.T) {
+	// Should not panic with nil writer
+	Setup(false, false, nil)
+
+	// Logger should still work (writes to stderr)
+	if Logger == nil {
+		t.Error("Logger should not be nil after Setup with nil writer")
+	}
+}
diff --git a/packages/forage-ctl/internal/logging/user.go b/packages/forage-ctl/internal/logging/user.go
new file mode 100644
index 0000000..15493fd
--- /dev/null
+++ b/packages/forage-ctl/internal/logging/user.go
@@ -0,0 +1,30 @@
+package logging
+
+import (
+	"fmt"
+	"os"
+)
+
+// User-facing output functions with emoji prefixes.
+// These write to stdout/stderr directly for CLI output,
+// separate from the structured debug logging.
+
+// UserInfo prints an info message to stdout.
+func UserInfo(format string, args ...interface{}) {
+	fmt.Fprintf(os.Stdout, "ℹ "+format+"\n", args...)
+}
+
+// UserSuccess prints a success message to stdout.
+func UserSuccess(format string, args ...interface{}) {
+	fmt.Fprintf(os.Stdout, "✓ "+format+"\n", args...)
+}
+
+// UserWarning prints a warning message to stderr.
+func UserWarning(format string, args ...interface{}) {
+	fmt.Fprintf(os.Stderr, "⚠ "+format+"\n", args...)
+}
+
+// UserError prints an error message to stderr.
+func UserError(format string, args ...interface{}) {
+	fmt.Fprintf(os.Stderr, "✗ "+format+"\n", args...)
+}
diff --git a/packages/forage-ctl/internal/monitor/monitor.go b/packages/forage-ctl/internal/monitor/monitor.go
new file mode 100644
index 0000000..c45a185
--- /dev/null
+++ b/packages/forage-ctl/internal/monitor/monitor.go
@@ -0,0 +1,138 @@
+// Package monitor provides background health monitoring for sandboxes.
+package monitor
+
+import (
+	"context"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// CheckResult holds the result of a single sandbox health check.
+type CheckResult struct {
+	Sandbox string
+	Status  health.Status
+	Health  *health.CheckResult
+}
+
+// Monitor periodically checks the health of all sandboxes.
+type Monitor struct {
+	interval    time.Duration
+	rt          runtime.Runtime
+	paths       *config.Paths
+	autoRestart bool
+	auditLog    *audit.Logger
+}
+
+// Option configures a Monitor.
+type Option func(*Monitor)
+
+// WithAutoRestart enables automatic restart of unhealthy sandboxes.
+func WithAutoRestart(enabled bool) Option {
+	return func(m *Monitor) {
+		m.autoRestart = enabled
+	}
+}
+
+// WithAuditLogger sets the audit logger for recording health events.
+func WithAuditLogger(logger *audit.Logger) Option {
+	return func(m *Monitor) {
+		m.auditLog = logger
+	}
+}
+
+// New creates a new Monitor.
+func New(interval time.Duration, rt runtime.Runtime, paths *config.Paths, opts ...Option) *Monitor {
+	m := &Monitor{
+		interval: interval,
+		rt:       rt,
+		paths:    paths,
+	}
+	for _, opt := range opts {
+		opt(m)
+	}
+	return m
+}
+
+// Run starts the monitoring loop. It blocks until the context is cancelled.
+func (m *Monitor) Run(ctx context.Context) error {
+	logging.Debug("starting health monitor", "interval", m.interval, "autoRestart", m.autoRestart)
+
+	// Run an immediate check, then loop on interval.
+	m.checkAll(ctx)
+
+	ticker := time.NewTicker(m.interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			logging.Debug("health monitor stopping")
+			return ctx.Err()
+		case <-ticker.C:
+			m.checkAll(ctx)
+		}
+	}
+}
+
+// checkAll performs health checks on all known sandboxes.
+func (m *Monitor) checkAll(ctx context.Context) []CheckResult {
+	sandboxes, err := config.ListSandboxes(m.paths.SandboxesDir)
+	if err != nil {
+		logging.Warn("monitor failed to list sandboxes", "error", err)
+		return nil
+	}
+
+	var results []CheckResult
+	for _, sb := range sandboxes {
+		if ctx.Err() != nil {
+			break
+		}
+
+		mux := multiplexer.New(multiplexer.Type(sb.Multiplexer))
+		status := health.GetSummary(ctx, sb.Name, sb.ContainerIP(), m.rt, mux)
+		result := CheckResult{
+			Sandbox: sb.Name,
+			Status:  status,
+		}
+		results = append(results, result)
+
+		// Log health events
+		if m.auditLog != nil {
+			var details string
+			switch status {
+			case health.StatusHealthy:
+				details = "healthy"
+			case health.StatusUnhealthy:
+				details = "unhealthy"
+			case health.StatusNoMux:
+				details = "no-mux"
+			case health.StatusStopped:
+				details = "stopped"
+			}
+			_ = m.auditLog.LogEvent(audit.EventHealth, sb.Name, details)
+		}
+
+		// Auto-restart unhealthy or stopped containers
+		if m.autoRestart && (status == health.StatusStopped || status == health.StatusUnhealthy) {
+			logging.UserInfo("Auto-restarting sandbox %s (status: %s)", sb.Name, status)
+			if err := m.rt.Start(ctx, sb.Name); err != nil {
+				logging.Warn("auto-restart failed", "sandbox", sb.Name, "error", err)
+				if m.auditLog != nil {
+					_ = m.auditLog.LogEvent(audit.EventError, sb.Name, "auto-restart failed: "+err.Error())
+				}
+			} else {
+				if m.auditLog != nil {
+					_ = m.auditLog.LogEvent(audit.EventStart, sb.Name, "auto-restart")
+				}
+			}
+		}
+	}
+
+	return results
+}
diff --git a/packages/forage-ctl/internal/monitor/monitor_test.go b/packages/forage-ctl/internal/monitor/monitor_test.go
new file mode 100644
index 0000000..16a7180
--- /dev/null
+++ b/packages/forage-ctl/internal/monitor/monitor_test.go
@@ -0,0 +1,142 @@
+package monitor
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+func TestMonitor_New(t *testing.T) {
+	rt := runtime.NewMockRuntime()
+	paths := &config.Paths{
+		SandboxesDir: t.TempDir(),
+		StateDir:     t.TempDir(),
+	}
+
+	m := New(30*time.Second, rt, paths)
+	if m.interval != 30*time.Second {
+		t.Errorf("interval = %v, want %v", m.interval, 30*time.Second)
+	}
+	if m.autoRestart {
+		t.Error("autoRestart should default to false")
+	}
+	if m.auditLog != nil {
+		t.Error("auditLog should default to nil")
+	}
+}
+
+func TestMonitor_Options(t *testing.T) {
+	rt := runtime.NewMockRuntime()
+	paths := &config.Paths{
+		SandboxesDir: t.TempDir(),
+		StateDir:     t.TempDir(),
+	}
+	auditLogger := audit.NewLogger(paths.StateDir)
+
+	m := New(60*time.Second, rt, paths,
+		WithAutoRestart(true),
+		WithAuditLogger(auditLogger),
+	)
+
+	if !m.autoRestart {
+		t.Error("autoRestart should be true")
+	}
+	if m.auditLog == nil {
+		t.Error("auditLog should be set")
+	}
+}
+
+func TestMonitor_CheckAllEmpty(t *testing.T) {
+	rt := runtime.NewMockRuntime()
+	paths := &config.Paths{
+		SandboxesDir: t.TempDir(),
+		StateDir:     t.TempDir(),
+	}
+
+	m := New(time.Second, rt, paths)
+	ctx := context.Background()
+
+	results := m.checkAll(ctx)
+	if len(results) != 0 {
+		t.Errorf("got %d results, want 0 for empty sandboxes dir", len(results))
+	}
+}
+
+func TestMonitor_CheckAllWithSandbox(t *testing.T) {
+	rt := runtime.NewMockRuntime()
+	sandboxesDir := t.TempDir()
+	stateDir := t.TempDir()
+	paths := &config.Paths{
+		SandboxesDir: sandboxesDir,
+		StateDir:     stateDir,
+	}
+
+	// Create a sandbox metadata file
+	metadata := &config.SandboxMetadata{
+		Name:        "test-sandbox",
+		Template:    "test",
+		NetworkSlot: 1,
+		Multiplexer: "tmux",
+	}
+	if err := config.SaveSandboxMetadata(sandboxesDir, metadata); err != nil {
+		t.Fatalf("failed to save sandbox metadata: %v", err)
+	}
+
+	auditLogger := audit.NewLogger(stateDir)
+	m := New(time.Second, rt, paths, WithAuditLogger(auditLogger))
+	ctx := context.Background()
+
+	results := m.checkAll(ctx)
+	if len(results) != 1 {
+		t.Fatalf("got %d results, want 1", len(results))
+	}
+	if results[0].Sandbox != "test-sandbox" {
+		t.Errorf("sandbox = %q, want %q", results[0].Sandbox, "test-sandbox")
+	}
+
+	// Verify audit event was logged
+	events, err := auditLogger.Events("test-sandbox")
+	if err != nil {
+		t.Fatalf("Events failed: %v", err)
+	}
+	if len(events) != 1 {
+		t.Fatalf("got %d audit events, want 1", len(events))
+	}
+	if events[0].Type != audit.EventHealth {
+		t.Errorf("event type = %q, want %q", events[0].Type, audit.EventHealth)
+	}
+}
+
+func TestMonitor_RunCancellation(t *testing.T) {
+	rt := runtime.NewMockRuntime()
+	paths := &config.Paths{
+		SandboxesDir: t.TempDir(),
+		StateDir:     t.TempDir(),
+	}
+
+	m := New(100*time.Millisecond, rt, paths)
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	done := make(chan error, 1)
+	go func() {
+		done <- m.Run(ctx)
+	}()
+
+	// Let it run briefly then cancel
+	time.Sleep(250 * time.Millisecond)
+	cancel()
+
+	select {
+	case err := <-done:
+		if err != context.Canceled {
+			t.Errorf("Run() error = %v, want context.Canceled", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("Run() did not stop after context cancellation")
+	}
+}
diff --git a/packages/forage-ctl/internal/multiplexer/multiplexer.go b/packages/forage-ctl/internal/multiplexer/multiplexer.go
new file mode 100644
index 0000000..22cea9b
--- /dev/null
+++ b/packages/forage-ctl/internal/multiplexer/multiplexer.go
@@ -0,0 +1,91 @@
+// Package multiplexer provides an abstraction over terminal multiplexers
+// (tmux, wezterm) used for sandbox sessions.
+package multiplexer
+
+// Type identifies a terminal multiplexer backend.
+type Type string
+
+const (
+	TypeTmux    Type = "tmux"
+	TypeWezterm Type = "wezterm"
+)
+
+// Window describes a multiplexer window/tab to create at sandbox start.
+type Window struct {
+	Name    string
+	Command string
+}
+
+// ConfigMount describes a host file or directory to bind-mount into the
+// container so the multiplexer picks up the user's configuration.
+type ConfigMount struct {
+	ContainerPath string
+	HostPath      string
+	ReadOnly      bool
+}
+
+// Multiplexer is the interface that every multiplexer backend implements.
+type Multiplexer interface {
+	// Type returns the multiplexer type identifier.
+	Type() Type
+
+	// NixPackages returns the Nix package names to install in the container.
+	NixPackages() []string
+
+	// InitScript returns the shell script body for the forage-init service
+	// that creates a session and spawns the given windows.
+	InitScript(windows []Window) string
+
+	// AttachCommand returns the SSH remote command used to attach to the
+	// session. An empty string means native attach (no SSH command needed).
+	AttachCommand() string
+
+	// CheckSessionArgs returns the SSH command+args used to test whether a
+	// session is running inside the container.
+	CheckSessionArgs() []string
+
+	// ListWindowsArgs returns the SSH command+args used to list windows.
+	ListWindowsArgs() []string
+
+	// ParseWindowList parses the output of the list-windows command into
+	// a slice of human-readable window descriptions.
+	ParseWindowList(output string) []string
+
+	// HostConfigMounts returns bind mounts for the user's multiplexer
+	// configuration on the host.
+	HostConfigMounts(homeDir string) []ConfigMount
+
+	// PromptInstructions returns a short string for agent system prompts
+	// describing how to use the multiplexer.
+	PromptInstructions() string
+}
+
+// Option configures a Multiplexer. Options that don't apply to a
+// particular multiplexer type are silently ignored.
+type Option func(Multiplexer)
+
+// WithControlMode sets whether to use control mode (e.g. tmux -CC).
+// Only affects multiplexers that support control mode.
+func WithControlMode(enabled bool) Option {
+	return func(m Multiplexer) {
+		if t, ok := m.(*Tmux); ok {
+			t.DisableControlMode = !enabled
+		}
+	}
+}
+
+// New returns a Multiplexer for the given type.
+// Defaults to TypeTmux for empty or unrecognised values.
+func New(t Type, opts ...Option) Multiplexer {
+	var m Multiplexer
+	switch t {
+	case TypeWezterm:
+		m = &Wezterm{}
+	default:
+		m = &Tmux{}
+	}
+	for _, opt := range opts {
+		opt(m)
+	}
+	return m
+}
diff --git a/packages/forage-ctl/internal/multiplexer/multiplexer_test.go b/packages/forage-ctl/internal/multiplexer/multiplexer_test.go
new file mode 100644
index 0000000..3388b99
--- /dev/null
+++ b/packages/forage-ctl/internal/multiplexer/multiplexer_test.go
@@ -0,0 +1,259 @@
+package multiplexer
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestNewDefault(t *testing.T) {
+	mux := New("")
+	if mux.Type() != TypeTmux {
+		t.Errorf("New(\"\") type = %q, want %q", mux.Type(), TypeTmux)
+	}
+}
+
+func TestNewTmux(t *testing.T) {
+	mux := New(TypeTmux)
+	if mux.Type() != TypeTmux {
+		t.Errorf("New(TypeTmux) type = %q, want %q", mux.Type(), TypeTmux)
+	}
+}
+
+func TestNewWezterm(t *testing.T) {
+	mux := New(TypeWezterm)
+	if mux.Type() != TypeWezterm {
+		t.Errorf("New(TypeWezterm) type = %q, want %q", mux.Type(), TypeWezterm)
+	}
+}
+
+func TestNewUnknown(t *testing.T) {
+	mux := New("unknown")
+	if mux.Type() != TypeTmux {
+		t.Errorf("New(\"unknown\") type = %q, want %q (default)", mux.Type(), TypeTmux)
+	}
+}
+
+// --- Tmux tests ---
+
+func TestTmuxNixPackages(t *testing.T) {
+	mux := &Tmux{}
+	pkgs := mux.NixPackages()
+	if len(pkgs) != 1 || pkgs[0] != "tmux" {
+		t.Errorf("NixPackages() = %v, want [tmux]", pkgs)
+	}
+}
+
+func TestTmuxInitScript(t *testing.T) {
+	mux := &Tmux{}
+	windows := []Window{
+		{Name: "claude", Command: "claude"},
+		{Name: "shell", Command: ""},
+	}
+
+	script := mux.InitScript(windows)
+
+	if !strings.Contains(script, "tmux new-session -d -s forage -c /workspace -n claude") {
+		t.Error("InitScript should create session with first window")
+	}
+	if !strings.Contains(script, "tmux send-keys -t forage:claude claude Enter") {
+		t.Error("InitScript should send-keys for first window command")
+	}
+	if !strings.Contains(script, "tmux set-option -w -t forage:claude automatic-rename off") {
+		t.Error("InitScript should disable automatic-rename for first window")
+	}
+	if !strings.Contains(script, "tmux new-window -t forage -n shell") {
+		t.Error("InitScript should create second window")
+	}
+	if !strings.Contains(script, "tmux set-option -w -t forage:shell automatic-rename off") {
+		t.Error("InitScript should disable automatic-rename for second window")
+	}
+	if strings.Contains(script, "send-keys -t forage:shell") {
+		t.Error("InitScript should not send-keys for empty command")
+	}
+	if !strings.HasSuffix(strings.TrimSpace(script), "true") {
+		t.Error("InitScript should end with 'true'")
+	}
+}
+
+func TestTmuxAttachCommand(t *testing.T) {
+	mux := &Tmux{}
+	cmd := mux.AttachCommand()
+	if !strings.Contains(cmd, "attach-session -t forage") {
+		t.Errorf("AttachCommand() = %q, should contain attach-session", cmd)
+	}
+}
+
+func TestTmuxCheckSessionArgs(t *testing.T) {
+	mux := &Tmux{}
+	args := mux.CheckSessionArgs()
+	if len(args) != 4 || args[0] != "tmux" || args[1] != "has-session" {
+		t.Errorf("CheckSessionArgs() = %v, unexpected", args)
+	}
+}
+
+func TestTmuxListWindowsArgs(t *testing.T) {
+	mux := &Tmux{}
+	args := mux.ListWindowsArgs()
+	if len(args) < 3 || args[0] != "tmux" || args[1] != "list-windows" {
+		t.Errorf("ListWindowsArgs() = %v, unexpected", args)
+	}
+}
+
+func TestTmuxParseWindowList(t *testing.T) {
+	mux := &Tmux{}
+	output := "0:claude\n1:shell\n"
+	windows := mux.ParseWindowList(output)
+	if len(windows) != 2 {
+		t.Fatalf("ParseWindowList() returned %d windows, want 2", len(windows))
+	}
+	if windows[0] != "0:claude" {
+		t.Errorf("windows[0] = %q, want %q", windows[0], "0:claude")
+	}
+}
+
+func TestTmuxParseWindowList_Empty(t *testing.T) {
+	mux := &Tmux{}
+	windows := mux.ParseWindowList("")
+	if len(windows) != 0 {
+		t.Errorf("ParseWindowList(\"\") returned %d windows, want 0", len(windows))
+	}
+}
+
+func TestTmuxHostConfigMounts_ConfigDir(t *testing.T) {
+	tmpDir := t.TempDir()
+	tmuxDir := filepath.Join(tmpDir, ".config", "tmux")
+	if err := os.MkdirAll(tmuxDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	mux := &Tmux{}
+	mounts := mux.HostConfigMounts(tmpDir)
+	if len(mounts) != 1 {
+		t.Fatalf("HostConfigMounts() returned %d mounts, want 1", len(mounts))
+	}
+	if mounts[0].ContainerPath != "/home/agent/.config/tmux" {
+		t.Errorf("ContainerPath = %q", mounts[0].ContainerPath)
+	}
+	if !mounts[0].ReadOnly {
+		t.Error("mount should be read-only")
+	}
+}
+
+func TestTmuxHostConfigMounts_TmuxConf(t *testing.T) {
+	tmpDir := t.TempDir()
+	confFile := filepath.Join(tmpDir, ".tmux.conf")
+	if err := os.WriteFile(confFile, []byte("# tmux config"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	mux := &Tmux{}
+	mounts := mux.HostConfigMounts(tmpDir)
+	if len(mounts) != 1 {
+		t.Fatalf("HostConfigMounts() returned %d mounts, want 1", len(mounts))
+	}
+	if mounts[0].ContainerPath != "/home/agent/.tmux.conf" {
+		t.Errorf("ContainerPath = %q", mounts[0].ContainerPath)
+	}
+}
+
+func TestTmuxHostConfigMounts_None(t *testing.T) {
+	tmpDir := t.TempDir()
+	mux := &Tmux{}
+	mounts := mux.HostConfigMounts(tmpDir)
+	if len(mounts) != 0 {
+		t.Errorf("HostConfigMounts() returned %d mounts, want 0", len(mounts))
+	}
+}
+
+func TestTmuxHostConfigMounts_EmptyHome(t *testing.T) {
+	mux := &Tmux{}
+	mounts := mux.HostConfigMounts("")
+	if mounts != nil {
+		t.Errorf("HostConfigMounts(\"\") = %v, want nil", mounts)
+	}
+}
+
+func TestTmuxPromptInstructions(t *testing.T) {
+	mux := &Tmux{}
+	instructions := mux.PromptInstructions()
+	if !strings.Contains(instructions, "tmux") {
+		t.Errorf("PromptInstructions() = %q, should mention tmux", instructions)
+	}
+}
+
+// --- Wezterm tests ---
+
+func TestWeztermNixPackages(t *testing.T) {
+	mux := &Wezterm{}
+	pkgs := mux.NixPackages()
+	if len(pkgs) != 1 || pkgs[0] != "wezterm" {
+		t.Errorf("NixPackages() = %v, want [wezterm]", pkgs)
+	}
+}
+
+func TestWeztermInitScript(t *testing.T) {
+	mux := &Wezterm{}
+	windows := []Window{
+		{Name: "claude", Command: "claude"},
+		{Name: "shell", Command: ""},
+	}
+
+	script := mux.InitScript(windows)
+
+	if !strings.Contains(script, "wezterm-mux-server --daemonize") {
+		t.Error("InitScript should start mux server")
+	}
+	if !strings.Contains(script, "wezterm cli set-tab-title") {
+		t.Error("InitScript should set tab titles")
+	}
+	if !strings.Contains(script, "wezterm cli spawn --cwd /workspace") {
+		t.Error("InitScript should spawn additional tabs")
+	}
+	if !strings.Contains(script, "wezterm cli send-text") {
+		t.Error("InitScript should send-text for commands")
+	}
+	if !strings.HasSuffix(strings.TrimSpace(script), "true") {
+		t.Error("InitScript should end with 'true'")
+	}
+}
+
+func TestWeztermAttachCommand(t *testing.T) {
+	mux := &Wezterm{}
+	if cmd := mux.AttachCommand(); cmd != "" {
+		t.Errorf("AttachCommand() = %q, want empty (native connect)", cmd)
+	}
+}
+
+func TestWeztermCheckSessionArgs(t *testing.T) {
+	mux := &Wezterm{}
+	args := mux.CheckSessionArgs()
+	if len(args) != 3 || args[0] != "pgrep" {
+		t.Errorf("CheckSessionArgs() = %v, want pgrep command", args)
+	}
+}
+
+func TestWeztermListWindowsArgs(t *testing.T) {
+	mux := &Wezterm{}
+	args := mux.ListWindowsArgs()
+	if len(args) < 3 || args[0] != "wezterm" {
+		t.Errorf("ListWindowsArgs() = %v, unexpected", args)
+	}
+}
+
+func TestWeztermHostConfigMounts(t *testing.T) {
+	mux := &Wezterm{}
+	mounts := mux.HostConfigMounts("/home/user")
+	if mounts != nil {
+		t.Errorf("HostConfigMounts() = %v, want nil", mounts)
+	}
+}
+
+func TestWeztermPromptInstructions(t *testing.T) {
+	mux := &Wezterm{}
+	instructions := mux.PromptInstructions()
+	if !strings.Contains(instructions, "wezterm") {
+		t.Errorf("PromptInstructions() = %q, should mention wezterm", instructions)
+	}
+}
diff --git a/packages/forage-ctl/internal/multiplexer/tmux.go b/packages/forage-ctl/internal/multiplexer/tmux.go
new file mode 100644
index 0000000..ab77a31
--- /dev/null
+++ b/packages/forage-ctl/internal/multiplexer/tmux.go
@@ -0,0 +1,166 @@
+package multiplexer
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	shellquote "github.com/kballard/go-shellquote"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/terminal"
+)
+
+// SessionName is the tmux/mux session name used in all sandboxes.
+const SessionName = "forage"
+
+// Tmux implements Multiplexer for tmux.
+type Tmux struct {
+	// DisableControlMode prevents automatic use of tmux -CC even when
+	// the host terminal supports it. Used by --no-tmux-cc flag.
+	DisableControlMode bool
+}
+
+func (t *Tmux) Type() Type { return TypeTmux }
+
+func (t *Tmux) NixPackages() []string { return []string{"tmux"} }
+
+func (t *Tmux) InitScript(windows []Window) string {
+	var sb strings.Builder
+	for i, w := range windows {
+		if i == 0 {
+			fmt.Fprintf(&sb, "              tmux new-session -d -s %s -c /workspace -n %s\n", SessionName, w.Name)
+		} else {
+			fmt.Fprintf(&sb, "              tmux new-window -t %s -n %s -c /workspace\n", SessionName, w.Name)
+		}
+		// Prevent tmux from renaming windows based on the foreground process.
+		// Without this, tmux -CC control mode causes wezterm tab title flicker.
+		fmt.Fprintf(&sb, "              tmux set-option -w -t %s:%s automatic-rename off\n", SessionName, w.Name)
+		if w.Command != "" {
+			fmt.Fprintf(&sb, "              tmux send-keys -t %s:%s %s Enter\n", SessionName, w.Name, shellquote.Join(w.Command))
+		}
+	}
+	sb.WriteString("              true")
+	return sb.String()
+}
+
+func (t *Tmux) AttachCommand() string {
+	// Use tmux control mode (-CC) when the host terminal supports it,
+	// unless explicitly disabled.
+	if !t.DisableControlMode && terminal.SupportsControlMode() {
+		// Two constraints for control mode:
+		// 1. Only invoke tmux -CC once. A failed -CC attach emits DCS
+		//    protocol bytes that cause wezterm to enter and immediately
+		//    exit control mode, tearing down the pane.
+		// 2. Don't use exec. When tmux -CC exits, the %exit protocol
+		//    message must be flushed before the process terminates;
+		//    exec causes immediate exit which can leave wezterm hung.
+		// Use if/then/else so exactly one -CC runs without exec.
+		return fmt.Sprintf("if tmux has-session -t %s 2>/dev/null; then tmux -CC attach-session -t %s; else tmux -CC new-session -s %s -c /workspace; fi",
+			SessionName, SessionName, SessionName)
+	}
+	return fmt.Sprintf("tmux attach-session -t %s || tmux new-session -s %s -c /workspace", SessionName, SessionName)
+}
+
+func (t *Tmux) CheckSessionArgs() []string {
+	return []string{"tmux", "has-session", "-t", SessionName}
+}
+
+func (t *Tmux) ListWindowsArgs() []string {
+	return []string{"tmux", "list-windows", "-t", SessionName, "-F", "#{window_index}:#{window_name}"}
+}
+
+func (t *Tmux) ParseWindowList(output string) []string {
+	lines := strings.Split(strings.TrimSpace(output), "\n")
+	var windows []string
+	for _, line := range lines {
+		if line != "" {
+			windows = append(windows, line)
+		}
+	}
+	return windows
+}
+
+func (t *Tmux) HostConfigMounts(homeDir string) []ConfigMount {
+	if homeDir == "" {
+		return nil
+	}
+	// Prefer ~/.config/tmux dir, fall back to ~/.tmux.conf
+	tmuxConfigDir := filepath.Join(homeDir, ".config", "tmux")
+	if info, err := os.Stat(tmuxConfigDir); err == nil && info.IsDir() {
+		return []ConfigMount{{
+			ContainerPath: "/home/agent/.config/tmux",
+			HostPath:      tmuxConfigDir,
+			ReadOnly:      true,
+		}}
+	}
+	tmuxConfFile := filepath.Join(homeDir, ".tmux.conf")
+	if _, err := os.Stat(tmuxConfFile); err == nil {
+		return []ConfigMount{{
+			ContainerPath: "/home/agent/.tmux.conf",
+			HostPath:      tmuxConfFile,
+			ReadOnly:      true,
+		}}
+	}
+	return nil
+}
+
+func (t *Tmux) PromptInstructions() string {
+	return fmt.Sprintf("Use tmux (`tmux attach -t %s`).", SessionName)
+}
+
+// ContributePackages returns the packages needed for tmux.
+func (t *Tmux) ContributePackages(ctx context.Context) ([]injection.Package, error) {
+	return []injection.Package{{Name: "tmux"}}, nil
+}
+
+// ContributeMounts returns host config mounts for tmux.
+func (t *Tmux) ContributeMounts(ctx context.Context, req *injection.MountRequest) ([]injection.Mount, error) {
+	if req.HostHomeDir == "" {
+		return nil, nil
+	}
+
+	containerHome := req.ContainerHomeDir
+	if containerHome == "" {
+		containerHome = "/home/agent"
+	}
+
+	// Prefer ~/.config/tmux dir, fall back to ~/.tmux.conf
+	tmuxConfigDir := filepath.Join(req.HostHomeDir, ".config", "tmux")
+	if info, err := os.Stat(tmuxConfigDir); err == nil && info.IsDir() {
+		return []injection.Mount{{
+			HostPath:      tmuxConfigDir,
+			ContainerPath: filepath.Join(containerHome, ".config", "tmux"),
+			ReadOnly:      true,
+		}}, nil
+	}
+
+	tmuxConfFile := filepath.Join(req.HostHomeDir, ".tmux.conf")
+	if _, err := os.Stat(tmuxConfFile); err == nil {
+		return []injection.Mount{{
+			HostPath:      tmuxConfFile,
+			ContainerPath: filepath.Join(containerHome, ".tmux.conf"),
+			ReadOnly:      true,
+		}}, nil
+	}
+
+	return nil, nil
+}
+
+// ContributePromptFragments returns prompt instructions for tmux.
+func (t *Tmux) ContributePromptFragments(ctx context.Context) ([]injection.PromptFragment, error) {
+	return []injection.PromptFragment{{
+		Section:  injection.PromptSectionEnvironment,
+		Priority: 100,
+		Content:  t.PromptInstructions(),
+	}}, nil
+}
+
+// Ensure Tmux implements contribution interfaces
+var (
+	_ injection.MountContributor   = (*Tmux)(nil)
+	_ injection.PackageContributor = (*Tmux)(nil)
+	_ injection.PromptContributor  = (*Tmux)(nil)
+)
diff --git a/packages/forage-ctl/internal/multiplexer/wezterm.go b/packages/forage-ctl/internal/multiplexer/wezterm.go
new file mode 100644
index 0000000..f30bc8f
--- /dev/null
+++ b/packages/forage-ctl/internal/multiplexer/wezterm.go
@@ -0,0 +1,116 @@
+package multiplexer
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+
+	shellquote "github.com/kballard/go-shellquote"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+// Wezterm implements Multiplexer for wezterm-mux-server.
+type Wezterm struct{}
+
+func (w *Wezterm) Type() Type { return TypeWezterm }
+
+func (w *Wezterm) NixPackages() []string { return []string{"wezterm"} }
+
+func (w *Wezterm) InitScript(windows []Window) string {
+	var sb strings.Builder
+	sb.WriteString("              wezterm-mux-server --daemonize\n")
+	for i, win := range windows {
+		if i == 0 {
+			// The mux server creates a default tab; set its title.
+			fmt.Fprintf(&sb, "              wezterm cli set-tab-title %s\n", shellquote.Join(win.Name))
+		} else {
+			fmt.Fprintf(&sb, "              wezterm cli spawn --cwd /workspace\n")
+			fmt.Fprintf(&sb, "              wezterm cli set-tab-title %s\n", shellquote.Join(win.Name))
+		}
+		if win.Command != "" {
+			fmt.Fprintf(&sb, "              wezterm cli send-text --no-paste %s\n", shellquote.Join(win.Command+"\n"))
+		}
+	}
+	sb.WriteString("              true")
+	return sb.String()
+}
+
+// AttachCommand returns empty — wezterm uses native `wezterm connect`, not SSH.
+func (w *Wezterm) AttachCommand() string { return "" }
+
+func (w *Wezterm) CheckSessionArgs() []string {
+	return []string{"pgrep", "-x", "wezterm-mux-server"}
+}
+
+func (w *Wezterm) ListWindowsArgs() []string {
+	return []string{"wezterm", "cli", "list", "--format", "json"}
+}
+
+func (w *Wezterm) ParseWindowList(output string) []string {
+	// wezterm cli list outputs tab-separated rows; parse window titles.
+	// With --format json we get JSON but for simplicity parse lines.
+	lines := strings.Split(strings.TrimSpace(output), "\n")
+	var windows []string
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if line != "" {
+			windows = append(windows, line)
+		}
+	}
+	return windows
+}
+
+// HostConfigMounts returns nil — wezterm config is client-side only.
+func (w *Wezterm) HostConfigMounts(homeDir string) []ConfigMount { return nil }
+
+func (w *Wezterm) PromptInstructions() string {
+	return "Terminal multiplexing via wezterm. New tabs: `wezterm cli spawn --cwd /workspace`. List panes: `wezterm cli list`."
+}
+
+// ContributePackages returns the packages needed for wezterm.
+func (w *Wezterm) ContributePackages(ctx context.Context) ([]injection.Package, error) {
+	return []injection.Package{{Name: "wezterm"}}, nil
+}
+
+// ContributeMounts returns nil - wezterm config is client-side only.
+func (w *Wezterm) ContributeMounts(ctx context.Context, req *injection.MountRequest) ([]injection.Mount, error) {
+	return nil, nil
+}
+
+// ContributePromptFragments returns prompt instructions for wezterm.
+func (w *Wezterm) ContributePromptFragments(ctx context.Context) ([]injection.PromptFragment, error) {
+	return []injection.PromptFragment{{
+		Section:  injection.PromptSectionEnvironment,
+		Priority: 100,
+		Content:  w.PromptInstructions(),
+	}}, nil
+}
+
+// NativeConnect execs `wezterm connect` for the named container.
+// This replaces the current process.
+func (w *Wezterm) NativeConnect(containerName string) error {
+	binary, err := exec.LookPath("wezterm")
+	if err != nil {
+		return fmt.Errorf("wezterm not found in PATH: %w", err)
+	}
+	argv := []string{"wezterm", "connect", containerName}
+	return syscall.Exec(binary, argv, os.Environ())
+}
+
+// NativeConnector is an optional interface for multiplexers that support
+// connecting via a native client rather than SSH.
+type NativeConnector interface {
+	NativeConnect(containerName string) error
+}
+
+// Ensure Wezterm implements contribution interfaces
+var (
+	_ injection.MountContributor   = (*Wezterm)(nil)
+	_ injection.PackageContributor = (*Wezterm)(nil)
+	_ injection.PromptContributor  = (*Wezterm)(nil)
+	_ NativeConnector              = (*Wezterm)(nil)
+)
diff --git a/packages/forage-ctl/internal/network/doc.go b/packages/forage-ctl/internal/network/doc.go
new file mode 100644
index 0000000..2f28170
--- /dev/null
+++ b/packages/forage-ctl/internal/network/doc.go
@@ -0,0 +1,36 @@
+// Package network provides network isolation configuration for sandboxes.
+//
+// This package generates NixOS firewall rules for different network isolation
+// modes, enabling fine-grained control over sandbox network access.
+//
+// # Network Modes
+//
+// Three modes are supported:
+//
+//   - ModeFull: Unrestricted outbound access (default)
+//   - ModeRestricted: Only allowed hosts are accessible
+//   - ModeNone: No external network access
+//
+// # Restricted Mode
+//
+// In restricted mode, the package:
+//  1. Resolves allowed hostnames to IP addresses
+//  2. Generates nftables rules permitting only those destinations
+//  3. Blocks all other outbound traffic
+//
+// Usage:
+//
+//	cfg := &network.Config{
+//	    Mode:         network.ModeRestricted,
+//	    AllowedHosts: []string{"api.anthropic.com", "api.openai.com"},
+//	    NetworkSlot:  1,
+//	}
+//	nixConfig := network.GenerateNixNetworkConfig(cfg)
+//
+// # Host Resolution
+//
+// ResolveHosts resolves hostnames to IP addresses for firewall rules:
+//
+//	resolved, err := network.ResolveHosts([]string{"api.anthropic.com"})
+//	// Returns hostname with IPv4 and IPv6 addresses
+package network
diff --git a/packages/forage-ctl/internal/network/network.go b/packages/forage-ctl/internal/network/network.go
new file mode 100644
index 0000000..e55fa72
--- /dev/null
+++ b/packages/forage-ctl/internal/network/network.go
@@ -0,0 +1,500 @@
+// Package network provides network isolation configuration for sandboxes
+package network
+
+import (
+	"fmt"
+	"net"
+	"strings"
+)
+
+// Mode represents the network isolation mode
+type Mode string
+
+const (
+	ModeFull       Mode = "full"
+	ModeRestricted Mode = "restricted"
+	ModeNone       Mode = "none"
+)
+
+// Config holds network configuration for a sandbox
+type Config struct {
+	Mode         Mode
+	AllowedHosts []string
+	NetworkSlot  int
+}
+
+// ResolvedHost contains a hostname and its resolved IPs
+type ResolvedHost struct {
+	Hostname string
+	IPs      []string
+}
+
+// ResolveHosts resolves hostnames to IP addresses at config generation time.
+//
+// KNOWN LIMITATION: IPs are resolved once and baked into nftables rules.
+// If a host's IPs change (e.g., CDN rotation), the container's nftables
+// rules will become stale and connectivity may break until the sandbox is
+// reconfigured. A future improvement could periodically re-resolve hosts
+// or use DNS-based nftables filtering.
+func ResolveHosts(hosts []string) ([]ResolvedHost, error) {
+	var resolved []ResolvedHost
+
+	for _, host := range hosts {
+		ips, err := net.LookupIP(host)
+		if err != nil {
+			// If we can't resolve, include the hostname anyway
+			// nftables can do DNS resolution at rule load time
+			resolved = append(resolved, ResolvedHost{
+				Hostname: host,
+				IPs:      []string{},
+			})
+			continue
+		}
+
+		var ipStrings []string
+		for _, ip := range ips {
+			// Include both IPv4 and IPv6
+			ipStrings = append(ipStrings, ip.String())
+		}
+
+		resolved = append(resolved, ResolvedHost{
+			Hostname: host,
+			IPs:      ipStrings,
+		})
+	}
+
+	return resolved, nil
+}
+
+// GenerateNftablesRules generates nftables rules for restricted mode
+func GenerateNftablesRules(cfg *Config) string {
+	if cfg.Mode != ModeRestricted || len(cfg.AllowedHosts) == 0 {
+		return ""
+	}
+
+	// Resolve hosts to IPs
+	resolved, _ := ResolveHosts(cfg.AllowedHosts)
+
+	// Build IP sets
+	var ipv4Addrs []string
+	var ipv6Addrs []string
+
+	for _, h := range resolved {
+		for _, ip := range h.IPs {
+			parsed := net.ParseIP(ip)
+			if parsed == nil {
+				continue
+			}
+			if parsed.To4() != nil {
+				ipv4Addrs = append(ipv4Addrs, ip)
+			} else {
+				ipv6Addrs = append(ipv6Addrs, ip)
+			}
+		}
+	}
+
+	gatewayIP := fmt.Sprintf("10.100.%d.1", cfg.NetworkSlot)
+	ipv4Set := append([]string{gatewayIP}, ipv4Addrs...)
+	ipv4Set = append(ipv4Set, "127.0.0.1")
+
+	ipv6Set := []string{"::1"}
+	ipv6Set = append(ipv6Set, ipv6Addrs...)
+
+	var buf strings.Builder
+	_ = nftablesTmpl.Execute(&buf, nftablesData{
+		IPv4Addrs: strings.Join(ipv4Set, ", "),
+		IPv6Addrs: strings.Join(ipv6Set, ", "),
+	})
+	return buf.String()
+}
+
+// GenerateDnsmasqConfig generates dnsmasq configuration for DNS filtering
+func GenerateDnsmasqConfig(allowedHosts []string) string {
+	var serverLines strings.Builder
+	for _, host := range allowedHosts {
+		if strings.HasPrefix(host, "*.") {
+			domain := strings.TrimPrefix(host, "*.")
+			fmt.Fprintf(&serverLines, "server=/%s/1.1.1.1\n", domain)
+			fmt.Fprintf(&serverLines, "server=/%s/8.8.8.8\n", domain)
+		} else {
+			fmt.Fprintf(&serverLines, "server=/%s/1.1.1.1\n", host)
+			fmt.Fprintf(&serverLines, "server=/%s/8.8.8.8\n", host)
+		}
+	}
+
+	var buf strings.Builder
+	_ = dnsmasqTmpl.Execute(&buf, dnsmasqData{
+		ServerLines: serverLines.String(),
+	})
+	return buf.String()
+}
+
+// GenerateNixNetworkConfig generates NixOS configuration for network isolation
+func GenerateNixNetworkConfig(cfg *Config) string {
+	switch cfg.Mode {
+	case ModeNone:
+		return generateNoneConfig()
+	case ModeRestricted:
+		return generateRestrictedConfig(cfg)
+	default: // ModeFull
+		return generateFullConfig(cfg.NetworkSlot)
+	}
+}
+
+func generateNoneConfig() string {
+	return `# No network access
+        networking.nameservers = [ ];
+        networking.defaultGateway = null;
+
+        # Disable all network interfaces except loopback
+        networking.useDHCP = false;
+
+        # Use nftables with default-drop policy (consistent with restricted mode)
+        networking.nftables = {
+          enable = true;
+          ruleset = ''
+            table inet filter {
+              chain input {
+                type filter hook input priority 0; policy accept;
+              }
+
+              chain output {
+                type filter hook output priority 0; policy drop;
+
+                # Allow loopback only
+                oif "lo" accept
+
+                # Allow established/related (for SSH management)
+                ct state established,related accept
+
+                # Reject everything else
+                reject with icmp type admin-prohibited
+              }
+            }
+          '';
+        };
+
+        # Disable iptables (using nftables)
+        networking.firewall.enable = false;`
+}
+
+func generateRestrictedConfig(cfg *Config) string {
+	if len(cfg.AllowedHosts) == 0 {
+		return generateNoneConfig()
+	}
+
+	// Build the list of allowed hosts for nftables
+	var allowedIPv4 []string
+	var allowedIPv6 []string
+
+	// Always allow gateway
+	gatewayIP := fmt.Sprintf("10.100.%d.1", cfg.NetworkSlot)
+	allowedIPv4 = append(allowedIPv4, gatewayIP, "127.0.0.1")
+	allowedIPv6 = append(allowedIPv6, "::1")
+
+	// Resolve hosts
+	resolved, _ := ResolveHosts(cfg.AllowedHosts)
+	for _, h := range resolved {
+		for _, ip := range h.IPs {
+			parsed := net.ParseIP(ip)
+			if parsed == nil {
+				continue
+			}
+			if parsed.To4() != nil {
+				allowedIPv4 = append(allowedIPv4, ip)
+			} else {
+				allowedIPv6 = append(allowedIPv6, ip)
+			}
+		}
+	}
+
+	// Build dnsmasq server lines
+	var dnsServers []string
+	for _, host := range cfg.AllowedHosts {
+		if strings.HasPrefix(host, "*.") {
+			domain := strings.TrimPrefix(host, "*.")
+			dnsServers = append(dnsServers, fmt.Sprintf("server=/%s/1.1.1.1", domain))
+		} else {
+			dnsServers = append(dnsServers, fmt.Sprintf("server=/%s/1.1.1.1", host))
+		}
+	}
+
+	return fmt.Sprintf(`# Restricted network - only allowed hosts
+        networking.defaultGateway = "%s";
+        networking.nameservers = [ "127.0.0.1" ]; # Use local DNS filter
+
+        # DNS filtering with dnsmasq
+        services.dnsmasq = {
+          enable = true;
+          settings = {
+            # Don't use system resolv.conf
+            no-resolv = true;
+
+            # Listen only on localhost
+            listen-address = "127.0.0.1";
+            bind-interfaces = true;
+
+            # Forward allowed domains to public DNS
+            server = [
+              %s
+            ];
+
+            # Block all other queries
+            address = "/#/";
+
+            # Cache settings
+            cache-size = 1000;
+
+            # Security
+            domain-needed = true;
+            bogus-priv = true;
+          };
+        };
+
+        # nftables for egress filtering
+        networking.nftables = {
+          enable = true;
+          ruleset = ''
+            table inet filter {
+              set allowed_ipv4 {
+                type ipv4_addr
+                flags interval
+                elements = { %s }
+              }
+
+              set allowed_ipv6 {
+                type ipv6_addr
+                flags interval
+                elements = { %s }
+              }
+
+              chain input {
+                type filter hook input priority 0; policy accept;
+              }
+
+              chain forward {
+                type filter hook forward priority 0; policy accept;
+              }
+
+              chain output {
+                type filter hook output priority 0; policy drop;
+
+                # Allow loopback
+                oif "lo" accept
+
+                # Allow established/related
+                ct state established,related accept
+
+                # Allow ICMP
+                ip protocol icmp accept
+                ip6 nexthdr icmpv6 accept
+
+                # Allow DNS to local resolver
+                tcp dport 53 ip daddr 127.0.0.1 accept
+                udp dport 53 ip daddr 127.0.0.1 accept
+
+                # Allow connections to allowed hosts
+                ip daddr @allowed_ipv4 accept
+                ip6 daddr @allowed_ipv6 accept
+
+                # Reject everything else
+                reject with icmp type admin-prohibited
+              }
+            }
+          '';
+        };
+
+        # Disable iptables (using nftables instead)
+        networking.firewall.enable = false;`,
+		gatewayIP,
+		formatNixList(dnsServers),
+		strings.Join(allowedIPv4, ", "),
+		strings.Join(allowedIPv6, ", "),
+	)
+}
+
+func generateFullConfig(slot int) string {
+	return fmt.Sprintf(`# Full network access
+        networking.defaultGateway = "10.100.%d.1";
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];`, slot)
+}
+
+// GenerateNixNetworkConfigCached generates a slot-independent version of the
+// network config suitable for the cached inner system. The gateway IP and
+// slot-dependent nftables rules are deferred to runtime.
+//
+// For ModeFull: omits defaultGateway (set by forage-network service at runtime)
+// For ModeRestricted: omits defaultGateway and loads nftables from a bind-mounted file
+// For ModeNone: unchanged (already slot-independent)
+func GenerateNixNetworkConfigCached(cfg *Config) string {
+	switch cfg.Mode {
+	case ModeNone:
+		return generateNoneConfig()
+	case ModeRestricted:
+		return generateRestrictedConfigCached(cfg)
+	default: // ModeFull
+		return generateFullConfigCached()
+	}
+}
+
+func generateFullConfigCached() string {
+	return `# Full network access (gateway set at runtime by forage-network service)
+        networking.nameservers = [
+          "1.1.1.1"
+          "8.8.8.8"
+        ];
+        networking.firewall.allowedTCPPorts = [ 22 ];`
+}
+
+func generateRestrictedConfigCached(cfg *Config) string {
+	if len(cfg.AllowedHosts) == 0 {
+		return generateNoneConfig()
+	}
+
+	// Build dnsmasq server lines (not slot-dependent)
+	var dnsServers []string
+	for _, host := range cfg.AllowedHosts {
+		if strings.HasPrefix(host, "*.") {
+			domain := strings.TrimPrefix(host, "*.")
+			dnsServers = append(dnsServers, fmt.Sprintf("server=/%s/1.1.1.1", domain))
+		} else {
+			dnsServers = append(dnsServers, fmt.Sprintf("server=/%s/1.1.1.1", host))
+		}
+	}
+
+	return fmt.Sprintf(`# Restricted network - gateway and nftables rules set at runtime
+        networking.nameservers = [ "127.0.0.1" ]; # Use local DNS filter
+
+        # DNS filtering with dnsmasq
+        services.dnsmasq = {
+          enable = true;
+          settings = {
+            # Don't use system resolv.conf
+            no-resolv = true;
+
+            # Listen only on localhost
+            listen-address = "127.0.0.1";
+            bind-interfaces = true;
+
+            # Forward allowed domains to public DNS
+            server = [
+              %s
+            ];
+
+            # Block all other queries
+            address = "/#/";
+
+            # Cache settings
+            cache-size = 1000;
+
+            # Security
+            domain-needed = true;
+            bogus-priv = true;
+          };
+        };
+
+        # nftables ruleset loaded from bind-mounted file at runtime
+        networking.nftables = {
+          enable = true;
+          rulesetFile = "/etc/forage-nftables.conf";
+        };
+
+        # Disable iptables (using nftables instead)
+        networking.firewall.enable = false;`,
+		formatNixList(dnsServers),
+	)
+}
+
+// GenerateNftablesRuleset generates the content of the nftables ruleset file
+// for restricted mode. This is written to a generated file and bind-mounted.
+func GenerateNftablesRuleset(cfg *Config) string {
+	if cfg.Mode != ModeRestricted || len(cfg.AllowedHosts) == 0 {
+		return ""
+	}
+
+	resolved, _ := ResolveHosts(cfg.AllowedHosts)
+
+	var allowedIPv4 []string
+	var allowedIPv6 []string
+
+	gatewayIP := fmt.Sprintf("10.100.%d.1", cfg.NetworkSlot)
+	allowedIPv4 = append(allowedIPv4, gatewayIP, "127.0.0.1")
+	allowedIPv6 = append(allowedIPv6, "::1")
+
+	for _, h := range resolved {
+		for _, ip := range h.IPs {
+			parsed := net.ParseIP(ip)
+			if parsed == nil {
+				continue
+			}
+			if parsed.To4() != nil {
+				allowedIPv4 = append(allowedIPv4, ip)
+			} else {
+				allowedIPv6 = append(allowedIPv6, ip)
+			}
+		}
+	}
+
+	return fmt.Sprintf(`table inet filter {
+  set allowed_ipv4 {
+    type ipv4_addr
+    flags interval
+    elements = { %s }
+  }
+
+  set allowed_ipv6 {
+    type ipv6_addr
+    flags interval
+    elements = { %s }
+  }
+
+  chain input {
+    type filter hook input priority 0; policy accept;
+  }
+
+  chain forward {
+    type filter hook forward priority 0; policy accept;
+  }
+
+  chain output {
+    type filter hook output priority 0; policy drop;
+
+    # Allow loopback
+    oif "lo" accept
+
+    # Allow established/related
+    ct state established,related accept
+
+    # Allow ICMP
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # Allow DNS to local resolver
+    tcp dport 53 ip daddr 127.0.0.1 accept
+    udp dport 53 ip daddr 127.0.0.1 accept
+
+    # Allow connections to allowed hosts
+    ip daddr @allowed_ipv4 accept
+    ip6 daddr @allowed_ipv6 accept
+
+    # Reject everything else
+    reject with icmp type admin-prohibited
+  }
+}
+`, strings.Join(allowedIPv4, ", "), strings.Join(allowedIPv6, ", "))
+}
+
+func formatNixList(items []string) string {
+	if len(items) == 0 {
+		return ""
+	}
+	quoted := make([]string, len(items))
+	for i, item := range items {
+		quoted[i] = fmt.Sprintf("%q", item)
+	}
+	return strings.Join(quoted, "\n              ")
+}
diff --git a/packages/forage-ctl/internal/network/network_test.go b/packages/forage-ctl/internal/network/network_test.go
new file mode 100644
index 0000000..9d9ab26
--- /dev/null
+++ b/packages/forage-ctl/internal/network/network_test.go
@@ -0,0 +1,247 @@
+package network
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestResolveHosts(t *testing.T) {
+	// Test with a well-known host
+	resolved, err := ResolveHosts([]string{"localhost"})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(resolved) != 1 {
+		t.Fatalf("expected 1 resolved host, got %d", len(resolved))
+	}
+
+	if resolved[0].Hostname != "localhost" {
+		t.Errorf("expected hostname 'localhost', got %q", resolved[0].Hostname)
+	}
+
+	// localhost should resolve to 127.0.0.1 or ::1
+	if len(resolved[0].IPs) == 0 {
+		t.Error("expected at least one IP for localhost")
+	}
+}
+
+func TestResolveHosts_UnresolvableHost(t *testing.T) {
+	// Test with an unresolvable host - should not error
+	resolved, err := ResolveHosts([]string{"this-host-does-not-exist-12345.invalid"})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(resolved) != 1 {
+		t.Fatalf("expected 1 resolved host, got %d", len(resolved))
+	}
+
+	// Should have hostname but no IPs
+	if resolved[0].Hostname != "this-host-does-not-exist-12345.invalid" {
+		t.Errorf("unexpected hostname: %q", resolved[0].Hostname)
+	}
+}
+
+func TestGenerateNftablesRules_RestrictedMode(t *testing.T) {
+	cfg := &Config{
+		Mode:         ModeRestricted,
+		AllowedHosts: []string{"api.anthropic.com", "github.com"},
+		NetworkSlot:  5,
+	}
+
+	rules := GenerateNftablesRules(cfg)
+
+	// Check for expected elements
+	expectedStrings := []string{
+		"flush ruleset",
+		"table inet filter",
+		"set allowed_ipv4",
+		"set allowed_ipv6",
+		"10.100.5.1", // Gateway IP
+		"127.0.0.1",
+		"::1",
+		"chain output",
+		"policy drop",
+		"oif \"lo\" accept",
+		"ct state established,related accept",
+		"@allowed_ipv4 accept",
+		"@allowed_ipv6 accept",
+		"reject with icmp type admin-prohibited",
+	}
+
+	for _, expected := range expectedStrings {
+		if !strings.Contains(rules, expected) {
+			t.Errorf("expected rules to contain %q", expected)
+		}
+	}
+}
+
+func TestGenerateNftablesRules_NonRestrictedMode(t *testing.T) {
+	// Full mode should return empty string
+	cfg := &Config{
+		Mode:        ModeFull,
+		NetworkSlot: 5,
+	}
+
+	rules := GenerateNftablesRules(cfg)
+	if rules != "" {
+		t.Errorf("expected empty rules for full mode, got %q", rules)
+	}
+
+	// None mode should also return empty string
+	cfg.Mode = ModeNone
+	rules = GenerateNftablesRules(cfg)
+	if rules != "" {
+		t.Errorf("expected empty rules for none mode, got %q", rules)
+	}
+}
+
+func TestGenerateNftablesRules_NoAllowedHosts(t *testing.T) {
+	cfg := &Config{
+		Mode:         ModeRestricted,
+		AllowedHosts: []string{},
+		NetworkSlot:  5,
+	}
+
+	rules := GenerateNftablesRules(cfg)
+	if rules != "" {
+		t.Errorf("expected empty rules when no allowed hosts, got %q", rules)
+	}
+}
+
+func TestGenerateDnsmasqConfig(t *testing.T) {
+	allowedHosts := []string{"api.anthropic.com", "github.com", "*.openai.com"}
+
+	config := GenerateDnsmasqConfig(allowedHosts)
+
+	expectedStrings := []string{
+		"no-resolv",
+		"listen-address=127.0.0.1",
+		"server=/api.anthropic.com/1.1.1.1",
+		"server=/github.com/1.1.1.1",
+		"server=/openai.com/1.1.1.1", // Wildcard domain
+		"address=/#/",                // Block all other queries
+		"cache-size=1000",
+		"domain-needed",
+		"bogus-priv",
+	}
+
+	for _, expected := range expectedStrings {
+		if !strings.Contains(config, expected) {
+			t.Errorf("expected config to contain %q", expected)
+		}
+	}
+}
+
+func TestGenerateNixNetworkConfig_Full(t *testing.T) {
+	cfg := &Config{
+		Mode:        ModeFull,
+		NetworkSlot: 7,
+	}
+
+	config := GenerateNixNetworkConfig(cfg)
+
+	expectedStrings := []string{
+		"10.100.7.1",     // Gateway
+		"1.1.1.1",        // DNS
+		"8.8.8.8",        // DNS
+		"defaultGateway", // Gateway setting
+		"nameservers",    // DNS setting
+	}
+
+	for _, expected := range expectedStrings {
+		if !strings.Contains(config, expected) {
+			t.Errorf("expected config to contain %q", expected)
+		}
+	}
+}
+
+func TestGenerateNixNetworkConfig_None(t *testing.T) {
+	cfg := &Config{
+		Mode:        ModeNone,
+		NetworkSlot: 3,
+	}
+
+	config := GenerateNixNetworkConfig(cfg)
+
+	expectedStrings := []string{
+		"nameservers = [ ]",
+		"defaultGateway = null",
+		"policy drop",
+		"networking.nftables",
+		"reject with icmp type admin-prohibited",
+	}
+
+	for _, expected := range expectedStrings {
+		if !strings.Contains(config, expected) {
+			t.Errorf("expected config to contain %q", expected)
+		}
+	}
+
+	// Should NOT have external DNS
+	if strings.Contains(config, "1.1.1.1") || strings.Contains(config, "8.8.8.8") {
+		t.Error("none mode should not have external DNS servers")
+	}
+}
+
+func TestGenerateNixNetworkConfig_Restricted(t *testing.T) {
+	cfg := &Config{
+		Mode:         ModeRestricted,
+		AllowedHosts: []string{"api.anthropic.com", "github.com"},
+		NetworkSlot:  4,
+	}
+
+	config := GenerateNixNetworkConfig(cfg)
+
+	expectedStrings := []string{
+		"10.100.4.1",                 // Gateway
+		"127.0.0.1",                  // Local DNS
+		"services.dnsmasq",           // DNS filtering
+		"server=/api.anthropic.com/", // DNS forward rule
+		"server=/github.com/",        // DNS forward rule
+		"address = \"/#/\"",          // Block other DNS
+		"networking.nftables",        // nftables
+		"set allowed_ipv4",           // IP set
+		"@allowed_ipv4 accept",       // Accept rule
+		"reject with icmp type admin-prohibited",
+	}
+
+	for _, expected := range expectedStrings {
+		if !strings.Contains(config, expected) {
+			t.Errorf("expected config to contain %q\nconfig:\n%s", expected, config)
+		}
+	}
+}
+
+func TestGenerateNixNetworkConfig_RestrictedNoHosts(t *testing.T) {
+	cfg := &Config{
+		Mode:         ModeRestricted,
+		AllowedHosts: []string{},
+		NetworkSlot:  4,
+	}
+
+	config := GenerateNixNetworkConfig(cfg)
+
+	// With no allowed hosts, restricted should behave like none (nftables drop policy)
+	if !strings.Contains(config, "policy drop") {
+		t.Error("restricted mode with no hosts should behave like none mode")
+	}
+}
+
+func TestMode_String(t *testing.T) {
+	tests := []struct {
+		mode     Mode
+		expected string
+	}{
+		{ModeFull, "full"},
+		{ModeRestricted, "restricted"},
+		{ModeNone, "none"},
+	}
+
+	for _, tt := range tests {
+		if string(tt.mode) != tt.expected {
+			t.Errorf("Mode %v: expected %q, got %q", tt.mode, tt.expected, string(tt.mode))
+		}
+	}
+}
diff --git a/packages/forage-ctl/internal/network/templates.go b/packages/forage-ctl/internal/network/templates.go
new file mode 100644
index 0000000..1685157
--- /dev/null
+++ b/packages/forage-ctl/internal/network/templates.go
@@ -0,0 +1,108 @@
+package network
+
+import (
+	"text/template"
+)
+
+// nftablesData holds data for the nftables template.
+type nftablesData struct {
+	IPv4Addrs string // comma-separated list of allowed IPv4 addresses
+	IPv6Addrs string // comma-separated list of allowed IPv6 addresses
+}
+
+// dnsmasqData holds data for the dnsmasq template.
+type dnsmasqData struct {
+	ServerLines string // newline-separated server= directives
+}
+
+var nftablesTmpl = template.Must(template.New("nftables").Parse(`#!/usr/sbin/nft -f
+
+# Flush existing rules
+flush ruleset
+
+table inet filter {
+  # Set of allowed IPv4 addresses
+  set allowed_ipv4 {
+    type ipv4_addr
+    flags interval
+    elements = { {{.IPv4Addrs}} }
+  }
+
+  # Set of allowed IPv6 addresses
+  set allowed_ipv6 {
+    type ipv6_addr
+    flags interval
+    elements = { {{.IPv6Addrs}} }
+  }
+
+  chain input {
+    type filter hook input priority 0; policy accept;
+  }
+
+  chain forward {
+    type filter hook forward priority 0; policy accept;
+  }
+
+  chain output {
+    type filter hook output priority 0; policy drop;
+
+    # Allow loopback
+    oif "lo" accept
+
+    # Allow established/related connections
+    ct state established,related accept
+
+    # Allow ICMP for diagnostics
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # Allow DNS to local resolver only (localhost)
+    tcp dport 53 ip daddr 127.0.0.1 accept
+    udp dport 53 ip daddr 127.0.0.1 accept
+
+    # Allow connections to allowed IPv4 addresses
+    ip daddr @allowed_ipv4 accept
+
+    # Allow connections to allowed IPv6 addresses
+    ip6 daddr @allowed_ipv6 accept
+
+    # Log and reject everything else
+    log prefix "forage-blocked: " level info
+    reject with icmp type admin-prohibited
+  }
+}
+`))
+
+var dnsmasqTmpl = template.Must(template.New("dnsmasq").Parse(`# Forage DNS filtering configuration
+# Only resolve allowed hosts, block everything else
+
+# Don't read /etc/resolv.conf
+no-resolv
+
+# Don't read /etc/hosts
+no-hosts
+
+# Listen only on localhost
+listen-address=127.0.0.1
+bind-interfaces
+
+# Port
+port=53
+
+# Upstream DNS servers for allowed domains
+{{.ServerLines}}
+# Block all other DNS queries by returning NXDOMAIN
+address=/#/
+
+# Cache settings
+cache-size=1000
+
+# Log queries (optional, useful for debugging)
+# log-queries
+
+# Don't forward plain names (without dots)
+domain-needed
+
+# Never forward addresses in non-routed address spaces
+bogus-priv
+`))
diff --git a/packages/forage-ctl/internal/nixcache/cache.go b/packages/forage-ctl/internal/nixcache/cache.go
new file mode 100644
index 0000000..df812a5
--- /dev/null
+++ b/packages/forage-ctl/internal/nixcache/cache.go
@@ -0,0 +1,128 @@
+// Package nixcache manages cached NixOS system store paths per template.
+// It prevents repeated expensive NixOS evaluations when multiple sandboxes
+// share the same template configuration.
+package nixcache
+
+import (
+	"crypto/sha256"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+// Cache manages cached inner system store paths keyed by template configuration.
+type Cache struct {
+	// CacheDir is the base directory for cache files (e.g., /var/lib/firefly-forage/cache).
+	CacheDir string
+}
+
+// New creates a new Cache with the given base directory.
+func New(cacheDir string) *Cache {
+	return &Cache{CacheDir: cacheDir}
+}
+
+// cacheEntry is the on-disk format for a cached store path.
+type cacheEntry struct {
+	StorePath string `json:"storePath"`
+	CreatedAt string `json:"createdAt"`
+}
+
+// Key computes a cache key from the inputs that affect the inner system evaluation.
+// Any change to these inputs should produce a different key.
+func Key(templateJSON []byte, nixpkgsPath string, uid, gid int, stateVersion string) string {
+	h := sha256.New()
+	h.Write(templateJSON)
+	h.Write([]byte(nixpkgsPath))
+	fmt.Fprintf(h, "\nuid=%d\ngid=%d\nstateVersion=%s", uid, gid, stateVersion)
+	return fmt.Sprintf("%x", h.Sum(nil))[:32]
+}
+
+// Get returns the cached system store path for the given key, or empty string
+// if not cached or the cached path no longer exists on disk (e.g., GC'd).
+func (c *Cache) Get(key string) string {
+	entryPath := c.entryPath(key)
+	data, err := os.ReadFile(entryPath)
+	if err != nil {
+		logging.Info("nixcache: entry not found", "path", entryPath, "error", err)
+		return ""
+	}
+
+	var entry cacheEntry
+	if err := json.Unmarshal(data, &entry); err != nil {
+		logging.Warn("nixcache: corrupt entry", "key", key, "error", err)
+		return ""
+	}
+
+	// Verify the store path still exists (may have been garbage collected)
+	if _, err := os.Stat(entry.StorePath); err != nil {
+		logging.Warn("nixcache: store path gone", "key", key, "path", entry.StorePath, "error", err)
+		_ = os.Remove(entryPath)
+		c.removeGCRoot(key)
+		return ""
+	}
+
+	return entry.StorePath
+}
+
+// Put stores a system store path for the given key and creates a GC root
+// to prevent nix garbage collection from removing the cached closure.
+func (c *Cache) Put(key string, storePath string) error {
+	if err := os.MkdirAll(filepath.Dir(c.entryPath(key)), 0755); err != nil {
+		return fmt.Errorf("nixcache: failed to create cache dir: %w", err)
+	}
+
+	entry := cacheEntry{
+		StorePath: storePath,
+		CreatedAt: time.Now().Format(time.RFC3339),
+	}
+	data, err := json.MarshalIndent(entry, "", "  ")
+	if err != nil {
+		return fmt.Errorf("nixcache: failed to marshal entry: %w", err)
+	}
+
+	if err := os.WriteFile(c.entryPath(key), data, 0644); err != nil {
+		return fmt.Errorf("nixcache: failed to write entry: %w", err)
+	}
+
+	// Create a GC root so nix-collect-garbage doesn't remove the closure
+	if err := c.createGCRoot(key, storePath); err != nil {
+		logging.Warn("nixcache: failed to create GC root", "key", key, "error", err)
+		// Non-fatal: cache still works, just at risk of GC
+	}
+
+	return nil
+}
+
+// Invalidate removes a cache entry and its GC root.
+func (c *Cache) Invalidate(key string) {
+	_ = os.Remove(c.entryPath(key))
+	c.removeGCRoot(key)
+}
+
+func (c *Cache) entryPath(key string) string {
+	return filepath.Join(c.CacheDir, "nixcache", key+".json")
+}
+
+func (c *Cache) gcRootPath(key string) string {
+	return filepath.Join("/nix/var/nix/gcroots/auto", "forage-cache-"+key)
+}
+
+func (c *Cache) createGCRoot(key, storePath string) error {
+	gcRootDir := filepath.Dir(c.gcRootPath(key))
+	if err := os.MkdirAll(gcRootDir, 0755); err != nil {
+		return err
+	}
+
+	linkPath := c.gcRootPath(key)
+	// Remove existing symlink if present
+	_ = os.Remove(linkPath)
+	return os.Symlink(storePath, linkPath)
+}
+
+func (c *Cache) removeGCRoot(key string) {
+	_ = os.Remove(c.gcRootPath(key))
+}
diff --git a/packages/forage-ctl/internal/nixcache/cache_test.go b/packages/forage-ctl/internal/nixcache/cache_test.go
new file mode 100644
index 0000000..2fde16d
--- /dev/null
+++ b/packages/forage-ctl/internal/nixcache/cache_test.go
@@ -0,0 +1,148 @@
+package nixcache
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestKey_Deterministic(t *testing.T) {
+	k1 := Key([]byte(`{"name":"test"}`), "/nix/store/abc-nixpkgs", 1000, 100, "24.11")
+	k2 := Key([]byte(`{"name":"test"}`), "/nix/store/abc-nixpkgs", 1000, 100, "24.11")
+	if k1 != k2 {
+		t.Errorf("same inputs should produce same key: %s != %s", k1, k2)
+	}
+}
+
+func TestKey_DifferentInputs(t *testing.T) {
+	k1 := Key([]byte(`{"name":"test1"}`), "/nix/store/abc-nixpkgs", 1000, 100, "24.11")
+	k2 := Key([]byte(`{"name":"test2"}`), "/nix/store/abc-nixpkgs", 1000, 100, "24.11")
+	if k1 == k2 {
+		t.Error("different template JSON should produce different keys")
+	}
+}
+
+func TestKey_DifferentNixpkgs(t *testing.T) {
+	k1 := Key([]byte(`{"name":"test"}`), "/nix/store/abc-nixpkgs", 1000, 100, "24.11")
+	k2 := Key([]byte(`{"name":"test"}`), "/nix/store/def-nixpkgs", 1000, 100, "24.11")
+	if k1 == k2 {
+		t.Error("different nixpkgs path should produce different keys")
+	}
+}
+
+func TestKey_DifferentUID(t *testing.T) {
+	k1 := Key([]byte(`{"name":"test"}`), "/nix/store/abc", 1000, 100, "24.11")
+	k2 := Key([]byte(`{"name":"test"}`), "/nix/store/abc", 1001, 100, "24.11")
+	if k1 == k2 {
+		t.Error("different UID should produce different keys")
+	}
+}
+
+func TestCache_GetMiss(t *testing.T) {
+	c := New(t.TempDir())
+	got := c.Get("nonexistent")
+	if got != "" {
+		t.Errorf("expected empty string for cache miss, got %q", got)
+	}
+}
+
+func TestCache_PutAndGet(t *testing.T) {
+	cacheDir := t.TempDir()
+	c := New(cacheDir)
+
+	// Create a fake store path that exists on disk
+	storePath := filepath.Join(t.TempDir(), "nix-store-fake")
+	if err := os.MkdirAll(storePath, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	key := "testkey123"
+	if err := c.Put(key, storePath); err != nil {
+		t.Fatalf("Put failed: %v", err)
+	}
+
+	got := c.Get(key)
+	if got != storePath {
+		t.Errorf("Get after Put: got %q, want %q", got, storePath)
+	}
+}
+
+func TestCache_GetStaleEntry(t *testing.T) {
+	cacheDir := t.TempDir()
+	c := New(cacheDir)
+
+	// Store path that doesn't exist
+	key := "stalekey"
+	if err := c.Put(key, "/nix/store/nonexistent-path"); err != nil {
+		t.Fatalf("Put failed: %v", err)
+	}
+
+	// Should return empty because the store path doesn't exist
+	got := c.Get(key)
+	if got != "" {
+		t.Errorf("expected empty string for stale entry, got %q", got)
+	}
+
+	// Entry should have been cleaned up
+	if _, err := os.Stat(c.entryPath(key)); !os.IsNotExist(err) {
+		t.Error("stale entry should have been removed from disk")
+	}
+}
+
+func TestCache_PutAndGet_SeparateInstances(t *testing.T) {
+	// Simulate the real flow: Put on one Cache instance, Get on another
+	// (as happens across forage-ctl invocations)
+	cacheDir := t.TempDir()
+
+	storePath := filepath.Join(t.TempDir(), "nix-store-fake")
+	if err := os.MkdirAll(storePath, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	key := "cross-instance-test"
+
+	// First "run": Put
+	c1 := New(cacheDir)
+	if err := c1.Put(key, storePath); err != nil {
+		t.Fatalf("Put failed: %v", err)
+	}
+
+	// Verify file exists on disk
+	entryPath := c1.entryPath(key)
+	if _, err := os.Stat(entryPath); err != nil {
+		t.Fatalf("cache entry file not on disk: %v", err)
+	}
+	t.Logf("cache entry written to: %s", entryPath)
+
+	data, _ := os.ReadFile(entryPath)
+	t.Logf("cache entry contents: %s", data)
+
+	// Second "run": Get with fresh Cache instance
+	c2 := New(cacheDir)
+	got := c2.Get(key)
+	if got != storePath {
+		t.Errorf("Get on second instance: got %q, want %q", got, storePath)
+	}
+}
+
+func TestCache_Invalidate(t *testing.T) {
+	cacheDir := t.TempDir()
+	c := New(cacheDir)
+
+	storePath := filepath.Join(t.TempDir(), "fake-store")
+	if err := os.MkdirAll(storePath, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	key := "invalidate-test"
+	if err := c.Put(key, storePath); err != nil {
+		t.Fatal(err)
+	}
+
+	c.Invalidate(key)
+
+	got := c.Get(key)
+	if got != "" {
+		t.Errorf("expected empty after Invalidate, got %q", got)
+	}
+}
diff --git a/packages/forage-ctl/internal/port/doc.go b/packages/forage-ctl/internal/port/doc.go
new file mode 100644
index 0000000..e418c04
--- /dev/null
+++ b/packages/forage-ctl/internal/port/doc.go
@@ -0,0 +1,28 @@
+// Package port provides port and network slot allocation for sandboxes.
+//
+// Each sandbox requires a unique SSH port and network slot. This package
+// manages allocation by scanning existing sandbox metadata to find unused
+// resources.
+//
+// # Port Allocation
+//
+// Ports are allocated from the range configured in HostConfig:
+//
+//	port, slot, err := port.Allocate(hostConfig, existingSandboxes)
+//
+// # Network Slots
+//
+// Network slots determine container IP addresses in the 10.100.X.0/24 range.
+// Slot 1 gives 10.100.1.0/24, slot 2 gives 10.100.2.0/24, etc.
+//
+// Constants:
+//
+//	NetworkSlotMin = 1   // First usable slot
+//	NetworkSlotMax = 254 // Last usable slot (255 is broadcast)
+//
+// # Allocation Strategy
+//
+// Both ports and slots are allocated using first-fit: the lowest available
+// value is chosen. This maximizes the chance of finding available resources
+// when sandboxes are created and destroyed over time.
+package port
diff --git a/packages/forage-ctl/internal/port/port.go b/packages/forage-ctl/internal/port/port.go
new file mode 100644
index 0000000..e71e49f
--- /dev/null
+++ b/packages/forage-ctl/internal/port/port.go
@@ -0,0 +1,39 @@
+package port
+
+import (
+	"fmt"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+// Network slot range for container IP allocation (10.100.X.0/24).
+const (
+	NetworkSlotMin = 1
+	NetworkSlotMax = 254 // 255 is broadcast, 0 is network address
+)
+
+// AllocateSlot finds the next available network slot.
+// Each sandbox gets a unique network slot for its private network (10.100.X.0/24).
+func AllocateSlot(sandboxes []*config.SandboxMetadata) (slot int, err error) {
+	usedSlots := make(map[int]bool)
+
+	for _, sb := range sandboxes {
+		usedSlots[sb.NetworkSlot] = true
+	}
+
+	// Find available network slot
+	for s := NetworkSlotMin; s <= NetworkSlotMax; s++ {
+		if !usedSlots[s] {
+			return s, nil
+		}
+	}
+
+	return 0, fmt.Errorf("no available network slots (max %d sandboxes)", NetworkSlotMax)
+}
+
+// ContainerIP returns the container IP address for a given network slot.
+// Containers use the 10.100.X.0/24 network where X is the slot.
+// The container gets .2 (host gets .1).
+func ContainerIP(slot int) string {
+	return fmt.Sprintf("10.100.%d.2", slot)
+}
diff --git a/packages/forage-ctl/internal/port/port_test.go b/packages/forage-ctl/internal/port/port_test.go
new file mode 100644
index 0000000..3773143
--- /dev/null
+++ b/packages/forage-ctl/internal/port/port_test.go
@@ -0,0 +1,107 @@
+package port
+
+import (
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+func TestAllocateSlot_Empty(t *testing.T) {
+	slot, err := AllocateSlot(nil)
+	if err != nil {
+		t.Fatalf("AllocateSlot failed: %v", err)
+	}
+
+	if slot != 1 {
+		t.Errorf("slot = %d, want 1", slot)
+	}
+}
+
+func TestAllocateSlot_WithExisting(t *testing.T) {
+	existing := []*config.SandboxMetadata{
+		{NetworkSlot: 1},
+		{NetworkSlot: 2},
+	}
+
+	slot, err := AllocateSlot(existing)
+	if err != nil {
+		t.Fatalf("AllocateSlot failed: %v", err)
+	}
+
+	if slot != 3 {
+		t.Errorf("slot = %d, want 3", slot)
+	}
+}
+
+func TestAllocateSlot_GapInSlots(t *testing.T) {
+	// Slot 2 is free (gap)
+	existing := []*config.SandboxMetadata{
+		{NetworkSlot: 1},
+		{NetworkSlot: 3},
+	}
+
+	slot, err := AllocateSlot(existing)
+	if err != nil {
+		t.Fatalf("AllocateSlot failed: %v", err)
+	}
+
+	if slot != 2 {
+		t.Errorf("slot = %d, want 2 (first gap)", slot)
+	}
+}
+
+func TestAllocateSlot_Exhausted(t *testing.T) {
+	// Create 254 existing sandboxes (exhausting all network slots)
+	existing := make([]*config.SandboxMetadata, 254)
+	for i := 0; i < 254; i++ {
+		existing[i] = &config.SandboxMetadata{
+			NetworkSlot: i + 1,
+		}
+	}
+
+	_, err := AllocateSlot(existing)
+	if err == nil {
+		t.Error("Expected error when network slots exhausted, got nil")
+	}
+}
+
+func TestAllocateSlot_PreservesOrder(t *testing.T) {
+	// Allocate multiple times and verify order
+	var existing []*config.SandboxMetadata
+
+	for i := 0; i < 5; i++ {
+		slot, err := AllocateSlot(existing)
+		if err != nil {
+			t.Fatalf("AllocateSlot %d failed: %v", i, err)
+		}
+
+		expectedSlot := i + 1
+
+		if slot != expectedSlot {
+			t.Errorf("iteration %d: slot = %d, want %d", i, slot, expectedSlot)
+		}
+
+		existing = append(existing, &config.SandboxMetadata{
+			NetworkSlot: slot,
+		})
+	}
+}
+
+func TestContainerIP(t *testing.T) {
+	tests := []struct {
+		slot int
+		want string
+	}{
+		{1, "10.100.1.2"},
+		{2, "10.100.2.2"},
+		{100, "10.100.100.2"},
+		{254, "10.100.254.2"},
+	}
+
+	for _, tt := range tests {
+		got := ContainerIP(tt.slot)
+		if got != tt.want {
+			t.Errorf("ContainerIP(%d) = %q, want %q", tt.slot, got, tt.want)
+		}
+	}
+}
diff --git a/packages/forage-ctl/internal/proxy/doc.go b/packages/forage-ctl/internal/proxy/doc.go
new file mode 100644
index 0000000..668ed2f
--- /dev/null
+++ b/packages/forage-ctl/internal/proxy/doc.go
@@ -0,0 +1,40 @@
+// Package proxy provides an HTTP proxy for API key injection and rate limiting.
+//
+// This package implements a reverse proxy that sits between sandboxes and
+// external APIs (like the Anthropic API), injecting authentication and
+// enforcing rate limits without exposing API keys inside containers.
+//
+// # Key Features
+//
+//   - API key injection: Keys stay on the host, never enter containers
+//   - Per-sandbox rate limiting: Prevent runaway API usage
+//   - Audit logging: Track all API requests for compliance
+//   - Sandbox identification via X-Forage-Sandbox header
+//
+// # Configuration
+//
+//	cfg := &proxy.Config{
+//	    ListenAddr:        ":8080",
+//	    SecretsDir:        "/run/forage-secrets",
+//	    TargetURL:         "https://api.anthropic.com",
+//	    RateLimitRequests: 1000,
+//	    RateLimitWindow:   time.Hour,
+//	    AuditLogPath:      "/var/log/forage/proxy.log",
+//	}
+//
+// # Running the Proxy
+//
+//	p, err := proxy.New(cfg)
+//	if err != nil {
+//	    return err
+//	}
+//	p.Start()  // Blocks, serving requests
+//
+// # How It Works
+//
+//  1. Sandbox sends request with X-Forage-Sandbox header
+//  2. Proxy looks up API key for that sandbox
+//  3. Proxy injects Authorization header
+//  4. Request is forwarded to upstream API
+//  5. Response is returned to sandbox
+package proxy
diff --git a/packages/forage-ctl/internal/proxy/proxy.go b/packages/forage-ctl/internal/proxy/proxy.go
new file mode 100644
index 0000000..8115478
--- /dev/null
+++ b/packages/forage-ctl/internal/proxy/proxy.go
@@ -0,0 +1,581 @@
+// Package proxy provides an HTTP proxy for API key injection and rate limiting
+package proxy
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+// Config holds proxy configuration
+type Config struct {
+	// ListenAddr is the address to listen on (e.g., ":8080")
+	ListenAddr string
+
+	// SecretsDir is the directory containing API key files
+	SecretsDir string
+
+	// TargetURL is the upstream API URL (e.g., "https://api.anthropic.com")
+	TargetURL string
+
+	// RateLimitRequests is the max requests per window (0 = unlimited)
+	RateLimitRequests int
+
+	// RateLimitWindow is the rate limit window duration
+	RateLimitWindow time.Duration
+
+	// AuditLogPath is the path to write audit logs (empty = no logging)
+	AuditLogPath string
+
+	// APIKeyFilename is the name of the file within each sandbox's secrets
+	// directory that contains the API key. Defaults to "anthropic-api-key".
+	APIKeyFilename string
+
+	// SandboxesDir is the directory containing sandbox metadata files.
+	// When set, enables IP-based sandbox identity verification.
+	SandboxesDir string
+
+	// Logger for proxy operations
+	Logger *slog.Logger
+
+	// Transport is an optional HTTP transport for the reverse proxy.
+	// Used in tests to supply a TLS-aware transport for test servers.
+	Transport http.RoundTripper
+}
+
+// Proxy is an HTTP reverse proxy with auth injection
+type Proxy struct {
+	config       *Config
+	reverseProxy *httputil.ReverseProxy
+	rateLimiter  *rateLimiter
+	auditLog     *auditLogger
+	apiKeys      map[string]string // sandbox name -> API key
+	ipToSandbox  map[string]string // container IP -> sandbox name
+	keysMu       sync.RWMutex
+}
+
+// New creates a new proxy instance
+func New(cfg *Config) (*Proxy, error) {
+	target, err := url.Parse(cfg.TargetURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid target URL: %w", err)
+	}
+
+	// Validate the target URL scheme to prevent plaintext key transmission
+	if target.Scheme != "https" {
+		return nil, fmt.Errorf("proxy target must use HTTPS (got %q) to protect API keys in transit", target.Scheme)
+	}
+
+	// Reject targets that could be used for SSRF against internal services.
+	// Skip this check when a custom Transport is provided (used in tests
+	// with httptest.NewTLSServer which binds to 127.0.0.1).
+	targetHost := target.Hostname()
+	if cfg.Transport == nil && isInternalHost(targetHost) {
+		return nil, fmt.Errorf("proxy target must not point to internal/link-local addresses: %s", targetHost)
+	}
+
+	if cfg.APIKeyFilename == "" {
+		cfg.APIKeyFilename = "anthropic-api-key"
+	}
+
+	if cfg.Logger == nil {
+		cfg.Logger = slog.Default()
+	}
+
+	p := &Proxy{
+		config:      cfg,
+		apiKeys:     make(map[string]string),
+		ipToSandbox: make(map[string]string),
+	}
+
+	// Create reverse proxy
+	p.reverseProxy = &httputil.ReverseProxy{
+		Director: func(req *http.Request) {
+			req.URL.Scheme = target.Scheme
+			req.URL.Host = target.Host
+			req.Host = target.Host
+
+			// Remove hop-by-hop headers
+			req.Header.Del("Connection")
+			req.Header.Del("Proxy-Connection")
+			req.Header.Del("Proxy-Authenticate")
+			req.Header.Del("Proxy-Authorization")
+		},
+		ModifyResponse: p.modifyResponse,
+		ErrorHandler:   p.errorHandler,
+	}
+
+	// Use custom transport if provided (e.g., for TLS test servers)
+	if cfg.Transport != nil {
+		p.reverseProxy.Transport = cfg.Transport
+	}
+
+	// Create rate limiter if configured
+	if cfg.RateLimitRequests > 0 {
+		p.rateLimiter = newRateLimiter(cfg.RateLimitRequests, cfg.RateLimitWindow)
+	}
+
+	// Create audit logger if configured
+	if cfg.AuditLogPath != "" {
+		al, err := newAuditLogger(cfg.AuditLogPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create audit logger: %w", err)
+		}
+		p.auditLog = al
+	}
+
+	return p, nil
+}
+
+// ServeHTTP implements http.Handler
+func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	startTime := time.Now()
+
+	// Extract and verify sandbox identity.
+	// Prefer X-Forage-Sandbox header but verify it matches source IP.
+	sandboxName := r.Header.Get("X-Forage-Sandbox")
+	if sandboxName != "" {
+		sandboxName = p.verifySandboxIdentity(sandboxName, r.RemoteAddr)
+	} else {
+		// Fall back to checking source IP against known sandbox IPs
+		sandboxName = p.identifySandbox(r.RemoteAddr)
+	}
+
+	p.config.Logger.Debug("proxy request",
+		"method", r.Method,
+		"path", r.URL.Path,
+		"sandbox", sandboxName,
+		"remote", r.RemoteAddr)
+
+	// Check rate limit
+	if p.rateLimiter != nil && sandboxName != "" {
+		if !p.rateLimiter.allow(sandboxName) {
+			p.config.Logger.Warn("rate limit exceeded", "sandbox", sandboxName)
+			http.Error(w, `{"error": {"type": "rate_limit_error", "message": "Rate limit exceeded"}}`,
+				http.StatusTooManyRequests)
+			return
+		}
+	}
+
+	// Inject API key if available
+	if sandboxName != "" {
+		apiKey := p.getAPIKey(sandboxName)
+		if apiKey != "" {
+			r.Header.Set("X-Api-Key", apiKey)
+			// Only set X-Api-Key (used by Anthropic API). Do not also
+			// set Authorization: Bearer as it doubles leakage surface.
+			// Remove the sandbox header before forwarding
+			r.Header.Del("X-Forage-Sandbox")
+		}
+	}
+
+	// Wrap response writer for logging
+	lw := &loggingResponseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+	// Forward request to the fixed upstream target configured at startup.
+	p.reverseProxy.ServeHTTP(lw, r) //nolint:gosec // G704: target is a fixed config URL, not user-controlled
+
+	// Audit log
+	if p.auditLog != nil {
+		p.auditLog.log(auditEntry{
+			Timestamp:   startTime,
+			Duration:    time.Since(startTime),
+			Sandbox:     sandboxName,
+			Method:      r.Method,
+			Path:        r.URL.Path,
+			StatusCode:  lw.statusCode,
+			RequestSize: r.ContentLength,
+			RemoteAddr:  r.RemoteAddr,
+		})
+	}
+}
+
+// LoadAPIKeys loads API keys from the secrets directory and builds the
+// IP-to-sandbox mapping from sandbox metadata (if SandboxesDir is configured).
+func (p *Proxy) LoadAPIKeys() error {
+	p.keysMu.Lock()
+	defer p.keysMu.Unlock()
+
+	entries, err := os.ReadDir(p.config.SecretsDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return fmt.Errorf("failed to read secrets directory: %w", err)
+	}
+
+	for _, entry := range entries {
+		if entry.IsDir() {
+			// Each sandbox has a subdirectory with its secrets
+			sandboxName := entry.Name()
+			keyPath := filepath.Join(p.config.SecretsDir, sandboxName, p.config.APIKeyFilename)
+			data, err := os.ReadFile(keyPath)
+			if err != nil {
+				if !os.IsNotExist(err) {
+					p.config.Logger.Warn("failed to read API key", "sandbox", sandboxName, "error", err)
+				}
+				continue
+			}
+			p.apiKeys[sandboxName] = strings.TrimSpace(string(data))
+			p.config.Logger.Debug("loaded API key", "sandbox", sandboxName)
+		}
+	}
+
+	// Build IP-to-sandbox mapping from metadata
+	if p.config.SandboxesDir != "" {
+		p.loadIPMapping()
+	}
+
+	return nil
+}
+
+// loadIPMapping builds the IP-to-sandbox mapping from sandbox metadata.
+// Must be called with keysMu held.
+func (p *Proxy) loadIPMapping() {
+	metadatas, err := config.ListSandboxes(p.config.SandboxesDir)
+	if err != nil {
+		p.config.Logger.Warn("failed to list sandbox metadata for IP mapping", "error", err)
+		return
+	}
+	p.ipToSandbox = make(map[string]string, len(metadatas))
+	for _, meta := range metadatas {
+		ip := meta.ContainerIP()
+		p.ipToSandbox[ip] = meta.Name
+		p.config.Logger.Debug("mapped sandbox IP", "sandbox", meta.Name, "ip", ip)
+	}
+}
+
+// getAPIKey returns the API key for a sandbox
+func (p *Proxy) getAPIKey(sandboxName string) string {
+	p.keysMu.RLock()
+	defer p.keysMu.RUnlock()
+	return p.apiKeys[sandboxName]
+}
+
+// identifySandbox identifies the sandbox from the remote address using the
+// IP-to-sandbox mapping built from sandbox metadata.
+func (p *Proxy) identifySandbox(remoteAddr string) string {
+	host, _, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		return ""
+	}
+	p.keysMu.RLock()
+	defer p.keysMu.RUnlock()
+	return p.ipToSandbox[host]
+}
+
+// verifySandboxIdentity checks that the X-Forage-Sandbox header matches
+// the source IP. Returns the verified sandbox name or empty string.
+func (p *Proxy) verifySandboxIdentity(headerName, remoteAddr string) string {
+	if headerName == "" {
+		return ""
+	}
+	// If we have IP mapping, verify the header matches the source
+	if len(p.ipToSandbox) > 0 {
+		host, _, err := net.SplitHostPort(remoteAddr)
+		if err != nil {
+			return headerName // can't verify, trust header
+		}
+		p.keysMu.RLock()
+		ipSandbox := p.ipToSandbox[host]
+		p.keysMu.RUnlock()
+		if ipSandbox != "" && ipSandbox != headerName {
+			p.config.Logger.Warn("sandbox identity mismatch",
+				"header", headerName,
+				"ip_sandbox", ipSandbox,
+				"remote", remoteAddr)
+			return "" // reject mismatched identity
+		}
+	}
+	return headerName
+}
+
+// isInternalHost returns true if the host resolves to a loopback, link-local,
+// or private address that could be used for SSRF attacks.
+func isInternalHost(host string) bool {
+	ip := net.ParseIP(host)
+	if ip == nil {
+		// Try resolving hostname
+		ips, err := net.LookupIP(host)
+		if err != nil || len(ips) == 0 {
+			return false
+		}
+		ip = ips[0]
+	}
+	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
+}
+
+func (p *Proxy) modifyResponse(resp *http.Response) error {
+	// No CORS headers - the proxy should only be accessed by sandboxes
+	// directly, not from browsers. Adding Access-Control-Allow-Origin: *
+	// would allow any website to make API calls through the proxy.
+	return nil
+}
+
+func (p *Proxy) errorHandler(w http.ResponseWriter, r *http.Request, err error) {
+	p.config.Logger.Error("proxy error", "error", err, "path", r.URL.Path)
+	http.Error(w, `{"error": {"type": "proxy_error", "message": "Proxy error"}}`,
+		http.StatusBadGateway)
+}
+
+// Close closes the proxy and releases resources
+func (p *Proxy) Close() error {
+	if p.rateLimiter != nil {
+		p.rateLimiter.stop()
+	}
+	if p.auditLog != nil {
+		return p.auditLog.close()
+	}
+	return nil
+}
+
+// loggingResponseWriter wraps http.ResponseWriter to capture status code
+type loggingResponseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (lw *loggingResponseWriter) WriteHeader(code int) {
+	lw.statusCode = code
+	lw.ResponseWriter.WriteHeader(code)
+}
+
+// rateLimiter implements per-sandbox rate limiting
+type rateLimiter struct {
+	maxRequests int
+	window      time.Duration
+	requests    map[string][]time.Time
+	mu          sync.Mutex
+	stopClean   chan struct{}
+}
+
+func newRateLimiter(maxRequests int, window time.Duration) *rateLimiter {
+	rl := &rateLimiter{
+		maxRequests: maxRequests,
+		window:      window,
+		requests:    make(map[string][]time.Time),
+		stopClean:   make(chan struct{}),
+	}
+	go rl.cleanupLoop()
+	return rl
+}
+
+func (rl *rateLimiter) allow(key string) bool {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	now := time.Now()
+	windowStart := now.Add(-rl.window)
+
+	// Get existing requests and filter to window
+	reqs := rl.requests[key]
+	var valid []time.Time
+	for _, t := range reqs {
+		if t.After(windowStart) {
+			valid = append(valid, t)
+		}
+	}
+
+	if len(valid) >= rl.maxRequests {
+		rl.requests[key] = valid
+		return false
+	}
+
+	rl.requests[key] = append(valid, now)
+	return true
+}
+
+// cleanupLoop periodically removes stale entries from the requests map
+// to prevent unbounded memory growth from inactive sandboxes.
+func (rl *rateLimiter) cleanupLoop() {
+	ticker := time.NewTicker(rl.window * 2)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ticker.C:
+			rl.cleanup()
+		case <-rl.stopClean:
+			return
+		}
+	}
+}
+
+func (rl *rateLimiter) cleanup() {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	windowStart := time.Now().Add(-rl.window)
+	for key, reqs := range rl.requests {
+		var valid []time.Time
+		for _, t := range reqs {
+			if t.After(windowStart) {
+				valid = append(valid, t)
+			}
+		}
+		if len(valid) == 0 {
+			delete(rl.requests, key)
+		} else {
+			rl.requests[key] = valid
+		}
+	}
+}
+
+func (rl *rateLimiter) stop() {
+	close(rl.stopClean)
+}
+
+// auditLogger logs requests to a file with size-based rotation.
+type auditLogger struct {
+	path    string
+	maxSize int64 // max file size in bytes before rotation (0 = no limit)
+	file    *os.File
+	enc     *json.Encoder
+	size    int64
+	mu      sync.Mutex
+	logger  *slog.Logger
+}
+
+const (
+	defaultAuditMaxSize = 50 * 1024 * 1024 // 50 MiB
+	auditKeepFiles      = 3                // keep current + 3 rotated files
+)
+
+type auditEntry struct {
+	Timestamp   time.Time     `json:"timestamp"`
+	Duration    time.Duration `json:"duration_ns"`
+	Sandbox     string        `json:"sandbox,omitempty"`
+	Method      string        `json:"method"`
+	Path        string        `json:"path"`
+	StatusCode  int           `json:"status_code"`
+	RequestSize int64         `json:"request_size"`
+	RemoteAddr  string        `json:"remote_addr"`
+}
+
+func newAuditLogger(path string) (*auditLogger, error) {
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+	if err != nil {
+		return nil, err
+	}
+	info, _ := f.Stat()
+	var size int64
+	if info != nil {
+		size = info.Size()
+	}
+	return &auditLogger{
+		path:    path,
+		maxSize: defaultAuditMaxSize,
+		file:    f,
+		enc:     json.NewEncoder(f),
+		size:    size,
+		logger:  slog.Default(),
+	}, nil
+}
+
+func (al *auditLogger) log(entry auditEntry) {
+	al.mu.Lock()
+	defer al.mu.Unlock()
+
+	if err := al.enc.Encode(entry); err != nil {
+		al.logger.Warn("audit log write failed", "error", err)
+		return
+	}
+
+	// Approximate size tracking (exact size not critical)
+	al.size += 256 // average entry size estimate
+	if al.maxSize > 0 && al.size >= al.maxSize {
+		al.rotate()
+	}
+}
+
+func (al *auditLogger) rotate() {
+	_ = al.file.Close()
+
+	// Shift existing rotated files: .3 -> deleted, .2 -> .3, .1 -> .2, current -> .1
+	for i := auditKeepFiles; i > 0; i-- {
+		old := fmt.Sprintf("%s.%d", al.path, i)
+		if i == auditKeepFiles {
+			os.Remove(old)
+		}
+		if i > 1 {
+			prev := fmt.Sprintf("%s.%d", al.path, i-1)
+			_ = os.Rename(prev, old)
+		} else {
+			_ = os.Rename(al.path, old)
+		}
+	}
+
+	f, err := os.OpenFile(al.path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+	if err != nil {
+		al.logger.Warn("audit log rotation failed", "error", err)
+		return
+	}
+	al.file = f
+	al.enc = json.NewEncoder(f)
+	al.size = 0
+}
+
+func (al *auditLogger) close() error {
+	return al.file.Close()
+}
+
+// Server wraps the proxy with lifecycle management
+type Server struct {
+	proxy  *Proxy
+	server *http.Server
+}
+
+// NewServer creates a new proxy server
+func NewServer(cfg *Config) (*Server, error) {
+	proxy, err := New(cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	// Load API keys initially
+	if err := proxy.LoadAPIKeys(); err != nil {
+		cfg.Logger.Warn("failed to load API keys", "error", err)
+	}
+
+	server := &http.Server{
+		Addr:         cfg.ListenAddr,
+		Handler:      proxy,
+		ReadTimeout:  30 * time.Second,
+		WriteTimeout: 120 * time.Second, // Longer for streaming responses
+		IdleTimeout:  60 * time.Second,
+	}
+
+	return &Server{
+		proxy:  proxy,
+		server: server,
+	}, nil
+}
+
+// Start starts the proxy server
+func (s *Server) Start() error {
+	s.proxy.config.Logger.Info("starting proxy server", "addr", s.server.Addr)
+	return s.server.ListenAndServe()
+}
+
+// Stop stops the proxy server
+func (s *Server) Stop() error {
+	if err := s.server.Close(); err != nil {
+		return err
+	}
+	return s.proxy.Close()
+}
+
+// ReloadKeys reloads API keys from disk
+func (s *Server) ReloadKeys() error {
+	return s.proxy.LoadAPIKeys()
+}
diff --git a/packages/forage-ctl/internal/proxy/proxy_test.go b/packages/forage-ctl/internal/proxy/proxy_test.go
new file mode 100644
index 0000000..edcd5ed
--- /dev/null
+++ b/packages/forage-ctl/internal/proxy/proxy_test.go
@@ -0,0 +1,396 @@
+package proxy
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestProxy_AuthInjection(t *testing.T) {
+	// Create a test upstream server that verifies headers
+	var receivedAPIKey string
+	var receivedAuth string
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAPIKey = r.Header.Get("X-Api-Key")
+		receivedAuth = r.Header.Get("Authorization")
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`{"ok": true}`))
+	}))
+	defer upstream.Close()
+
+	// Create secrets directory with test API key
+	tmpDir := t.TempDir()
+	sandboxDir := filepath.Join(tmpDir, "test-sandbox")
+	if err := os.MkdirAll(sandboxDir, 0700); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(sandboxDir, "anthropic-api-key"), []byte("sk-test-key-123"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create proxy
+	cfg := &Config{
+		ListenAddr: ":0",
+		SecretsDir: tmpDir,
+		TargetURL:  upstream.URL,
+		Transport:  upstream.Client().Transport,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Load API keys
+	if err := proxy.LoadAPIKeys(); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create test request with sandbox header
+	req := httptest.NewRequest("POST", "/v1/messages", strings.NewReader(`{"test": true}`))
+	req.Header.Set("X-Forage-Sandbox", "test-sandbox")
+	req.Header.Set("Content-Type", "application/json")
+
+	// Execute
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+
+	// Verify
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status 200, got %d", w.Code)
+	}
+	if receivedAPIKey != "sk-test-key-123" {
+		t.Errorf("expected API key 'sk-test-key-123', got %q", receivedAPIKey)
+	}
+	// Authorization: Bearer should NOT be set (only X-Api-Key is used)
+	if receivedAuth != "" {
+		t.Errorf("expected no Authorization header, got %q", receivedAuth)
+	}
+}
+
+func TestProxy_NoAPIKey(t *testing.T) {
+	// Create a test upstream server
+	var receivedAPIKey string
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAPIKey = r.Header.Get("X-Api-Key")
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer upstream.Close()
+
+	// Create proxy with empty secrets dir
+	tmpDir := t.TempDir()
+	cfg := &Config{
+		ListenAddr: ":0",
+		SecretsDir: tmpDir,
+		TargetURL:  upstream.URL,
+		Transport:  upstream.Client().Transport,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Request without matching sandbox
+	req := httptest.NewRequest("POST", "/v1/messages", nil)
+	req.Header.Set("X-Forage-Sandbox", "unknown-sandbox")
+
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+
+	// Should forward without injection
+	if receivedAPIKey != "" {
+		t.Errorf("expected no API key, got %q", receivedAPIKey)
+	}
+}
+
+func TestProxy_RateLimiting(t *testing.T) {
+	// Create a test upstream server
+	requestCount := 0
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestCount++
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer upstream.Close()
+
+	// Create proxy with rate limiting
+	cfg := &Config{
+		ListenAddr:        ":0",
+		SecretsDir:        t.TempDir(),
+		TargetURL:         upstream.URL,
+		Transport:         upstream.Client().Transport,
+		RateLimitRequests: 3,
+		RateLimitWindow:   time.Minute,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Make requests up to limit
+	for i := 0; i < 3; i++ {
+		req := httptest.NewRequest("GET", "/", nil)
+		req.Header.Set("X-Forage-Sandbox", "test-sandbox")
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, req)
+		if w.Code != http.StatusOK {
+			t.Errorf("request %d: expected 200, got %d", i, w.Code)
+		}
+	}
+
+	// Next request should be rate limited
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Forage-Sandbox", "test-sandbox")
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+	if w.Code != http.StatusTooManyRequests {
+		t.Errorf("expected 429, got %d", w.Code)
+	}
+
+	// Different sandbox should not be rate limited
+	req = httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Forage-Sandbox", "other-sandbox")
+	w = httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200 for different sandbox, got %d", w.Code)
+	}
+}
+
+func TestProxy_AuditLogging(t *testing.T) {
+	// Create a test upstream server
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer upstream.Close()
+
+	// Create proxy with audit logging
+	tmpDir := t.TempDir()
+	auditPath := filepath.Join(tmpDir, "audit.log")
+	cfg := &Config{
+		ListenAddr:   ":0",
+		SecretsDir:   tmpDir,
+		TargetURL:    upstream.URL,
+		Transport:    upstream.Client().Transport,
+		AuditLogPath: auditPath,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Make a request
+	req := httptest.NewRequest("POST", "/v1/messages", strings.NewReader("test body"))
+	req.Header.Set("X-Forage-Sandbox", "test-sandbox")
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+
+	// Close proxy to flush logs
+	proxy.Close()
+
+	// Read audit log
+	data, err := os.ReadFile(auditPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var entry auditEntry
+	if err := json.Unmarshal(data, &entry); err != nil {
+		t.Fatalf("failed to parse audit log: %v\ndata: %s", err, string(data))
+	}
+
+	if entry.Sandbox != "test-sandbox" {
+		t.Errorf("expected sandbox 'test-sandbox', got %q", entry.Sandbox)
+	}
+	if entry.Method != "POST" {
+		t.Errorf("expected method POST, got %q", entry.Method)
+	}
+	if entry.Path != "/v1/messages" {
+		t.Errorf("expected path '/v1/messages', got %q", entry.Path)
+	}
+	if entry.StatusCode != http.StatusOK {
+		t.Errorf("expected status 200, got %d", entry.StatusCode)
+	}
+}
+
+func TestProxy_SandboxHeaderRemoved(t *testing.T) {
+	// Verify X-Forage-Sandbox header is not forwarded
+	var receivedHeaders http.Header
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedHeaders = r.Header.Clone()
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer upstream.Close()
+
+	// Create proxy with API key
+	tmpDir := t.TempDir()
+	sandboxDir := filepath.Join(tmpDir, "test-sandbox")
+	os.MkdirAll(sandboxDir, 0700)
+	os.WriteFile(filepath.Join(sandboxDir, "anthropic-api-key"), []byte("sk-test"), 0600)
+
+	cfg := &Config{
+		ListenAddr: ":0",
+		SecretsDir: tmpDir,
+		TargetURL:  upstream.URL,
+		Transport:  upstream.Client().Transport,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxy.LoadAPIKeys()
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Forage-Sandbox", "test-sandbox")
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+
+	if receivedHeaders.Get("X-Forage-Sandbox") != "" {
+		t.Error("X-Forage-Sandbox header should not be forwarded")
+	}
+}
+
+func TestRateLimiter_WindowExpiry(t *testing.T) {
+	rl := newRateLimiter(2, 50*time.Millisecond)
+
+	// Use up the limit
+	if !rl.allow("test") {
+		t.Error("first request should be allowed")
+	}
+	if !rl.allow("test") {
+		t.Error("second request should be allowed")
+	}
+	if rl.allow("test") {
+		t.Error("third request should be denied")
+	}
+
+	// Wait for window to expire
+	time.Sleep(60 * time.Millisecond)
+
+	// Should be allowed again
+	if !rl.allow("test") {
+		t.Error("request after window expiry should be allowed")
+	}
+}
+
+func TestProxy_LoadAPIKeys(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create multiple sandbox secrets
+	for _, name := range []string{"sandbox-a", "sandbox-b", "sandbox-c"} {
+		dir := filepath.Join(tmpDir, name)
+		os.MkdirAll(dir, 0700)
+		os.WriteFile(filepath.Join(dir, "anthropic-api-key"), []byte("key-"+name), 0600)
+	}
+
+	// Create a sandbox without the anthropic key
+	os.MkdirAll(filepath.Join(tmpDir, "sandbox-no-key"), 0700)
+	os.WriteFile(filepath.Join(tmpDir, "sandbox-no-key", "other-secret"), []byte("other"), 0600)
+
+	cfg := &Config{
+		ListenAddr: ":0",
+		SecretsDir: tmpDir,
+		TargetURL:  "https://api.example.com",
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := proxy.LoadAPIKeys(); err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify keys loaded
+	tests := []struct {
+		sandbox string
+		wantKey string
+	}{
+		{"sandbox-a", "key-sandbox-a"},
+		{"sandbox-b", "key-sandbox-b"},
+		{"sandbox-c", "key-sandbox-c"},
+		{"sandbox-no-key", ""},
+		{"nonexistent", ""},
+	}
+
+	for _, tt := range tests {
+		got := proxy.getAPIKey(tt.sandbox)
+		if got != tt.wantKey {
+			t.Errorf("getAPIKey(%q) = %q, want %q", tt.sandbox, got, tt.wantKey)
+		}
+	}
+}
+
+func TestProxy_UpstreamError(t *testing.T) {
+	// Create an upstream that always errors
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte(`{"error": "upstream error"}`))
+	}))
+	defer upstream.Close()
+
+	cfg := &Config{
+		ListenAddr: ":0",
+		SecretsDir: t.TempDir(),
+		TargetURL:  upstream.URL,
+		Transport:  upstream.Client().Transport,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", w.Code)
+	}
+}
+
+func TestProxy_StreamingResponse(t *testing.T) {
+	// Test that streaming responses work correctly
+	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/event-stream")
+		w.WriteHeader(http.StatusOK)
+		flusher, ok := w.(http.Flusher)
+		if !ok {
+			t.Error("expected Flusher")
+			return
+		}
+		for i := 0; i < 3; i++ {
+			w.Write([]byte("data: test\n\n"))
+			flusher.Flush()
+		}
+	}))
+	defer upstream.Close()
+
+	cfg := &Config{
+		ListenAddr: ":0",
+		SecretsDir: t.TempDir(),
+		TargetURL:  upstream.URL,
+		Transport:  upstream.Client().Transport,
+	}
+	proxy, err := New(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := httptest.NewRequest("POST", "/v1/messages", nil)
+	w := httptest.NewRecorder()
+	proxy.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+
+	body, _ := io.ReadAll(w.Body)
+	if !strings.Contains(string(body), "data: test") {
+		t.Error("expected streaming data in response")
+	}
+}
diff --git a/packages/forage-ctl/internal/reproducibility/nix.go b/packages/forage-ctl/internal/reproducibility/nix.go
new file mode 100644
index 0000000..9065c1d
--- /dev/null
+++ b/packages/forage-ctl/internal/reproducibility/nix.go
@@ -0,0 +1,74 @@
+package reproducibility
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+// NixReproducibility implements Reproducibility using Nix.
+type NixReproducibility struct {
+	// NixpkgsPath is the path to the nixpkgs input (optional, for pinning).
+	NixpkgsPath string
+}
+
+// NewNixReproducibility creates a new NixReproducibility instance.
+func NewNixReproducibility() *NixReproducibility {
+	return &NixReproducibility{}
+}
+
+// StoreMount returns the /nix/store mount.
+func (n *NixReproducibility) StoreMount() injection.Mount {
+	return injection.Mount{
+		HostPath:      "/nix/store",
+		ContainerPath: "/nix/store",
+		ReadOnly:      true,
+	}
+}
+
+// BasePackages returns the minimal set of packages for any sandbox.
+func (n *NixReproducibility) BasePackages() []injection.Package {
+	return []injection.Package{
+		{Name: "git"},
+		{Name: "jujutsu"},
+		{Name: "neovim"},
+		{Name: "ripgrep"},
+		{Name: "fd"},
+	}
+}
+
+// ResolvePackage resolves a Package to a Nix package expression.
+// If Version is empty, returns "pkgs.{Name}".
+// If Version is set, attempts to resolve to a versioned package.
+func (n *NixReproducibility) ResolvePackage(pkg injection.Package) (string, error) {
+	nixName := pkg.Name
+
+	if pkg.Version == "" {
+		return "pkgs." + nixName, nil
+	}
+
+	// Handle version pinning by constructing a versioned package reference.
+	// This is a simplified approach - in practice, version pinning in Nix
+	// is more complex and may require different strategies per package.
+	versionedName := fmt.Sprintf("%s_%s", nixName, normalizeVersion(pkg.Version))
+	return "pkgs." + versionedName, nil
+}
+
+// normalizeVersion normalizes a version string for use in Nix package names.
+// Converts "0.21.0" to "0_21_0".
+func normalizeVersion(version string) string {
+	return strings.ReplaceAll(version, ".", "_")
+}
+
+// ContributeMounts returns the /nix/store mount.
+func (n *NixReproducibility) ContributeMounts(ctx context.Context, req *injection.MountRequest) ([]injection.Mount, error) {
+	return []injection.Mount{n.StoreMount()}, nil
+}
+
+// Ensure NixReproducibility implements Reproducibility and MountContributor.
+var (
+	_ Reproducibility            = (*NixReproducibility)(nil)
+	_ injection.MountContributor = (*NixReproducibility)(nil)
+)
diff --git a/packages/forage-ctl/internal/reproducibility/reproducibility.go b/packages/forage-ctl/internal/reproducibility/reproducibility.go
new file mode 100644
index 0000000..1416965
--- /dev/null
+++ b/packages/forage-ctl/internal/reproducibility/reproducibility.go
@@ -0,0 +1,21 @@
+// Package reproducibility provides an abstraction over hermetic package
+// management and store mounts. Currently backed by Nix, but abstracted
+// for potential future alternatives.
+package reproducibility
+
+import (
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+// Reproducibility handles hermetic package installation and store mounts.
+type Reproducibility interface {
+	// StoreMount returns the mount for the package store (e.g., /nix/store).
+	StoreMount() injection.Mount
+
+	// ResolvePackage resolves a Package to an installable reference.
+	// For Nix, this returns strings like "pkgs.git" or "pkgs.jujutsu_0_21_0".
+	ResolvePackage(pkg injection.Package) (string, error)
+
+	// BasePackages returns the minimal set of packages for any sandbox.
+	BasePackages() []injection.Package
+}
diff --git a/packages/forage-ctl/internal/runtime/apple.go b/packages/forage-ctl/internal/runtime/apple.go
new file mode 100644
index 0000000..1519d9b
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/apple.go
@@ -0,0 +1,758 @@
+// Package runtime provides container runtime implementations.
+// This file implements the Apple Container backend for macOS.
+//
+// Apple Container (github.com/apple/containerization) uses Apple's
+// Virtualization.framework to run Linux containers in lightweight VMs.
+// This provides better isolation than Docker Desktop on macOS while
+// maintaining good performance.
+//
+// Prerequisites:
+// - macOS 13+ (Ventura or later)
+// - Apple Silicon or Intel with Virtualization support
+// - The 'container' CLI tool installed
+//
+// Installation:
+//
+//	brew install apple/containerization/container
+//
+// Note: This backend requires the nix store to be available in the VM.
+// Options include:
+// 1. Use Determinate Nix installer (recommended for macOS)
+// 2. Use nix-darwin with store sharing
+// 3. Mount the nix store from the host (requires VM configuration)
+
+package runtime
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	goruntime "runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	shellquote "github.com/kballard/go-shellquote"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/system"
+)
+
+// defaultAppleImage is the default OCI image for Apple Container sandboxes.
+const defaultAppleImage = DefaultImage
+
+// AppleRuntime implements the Runtime interface using Apple Container.
+type AppleRuntime struct {
+	// ContainerPrefix is prepended to sandbox names to form container names
+	ContainerPrefix string
+
+	// BinaryPath is the path to the container CLI
+	BinaryPath string
+
+	// SandboxesDir is the directory containing sandbox metadata files
+	// Used to resolve container names from metadata
+	SandboxesDir string
+
+	// Image overrides the default OCI image (defaultAppleImage).
+	// When empty, defaultAppleImage is used.
+	Image string
+
+	// GeneratedFileMounter handles staging of generated files
+	GeneratedFileMounter
+}
+
+// NewAppleRuntime creates a new Apple Container runtime.
+// The image parameter overrides the default OCI image; pass "" for the default.
+func NewAppleRuntime(containerPrefix, sandboxesDir, image string) (*AppleRuntime, error) {
+	// Apple Container only works on macOS
+	if goruntime.GOOS != "darwin" {
+		return nil, fmt.Errorf("Apple Container is only available on macOS")
+	}
+
+	// Look for the container binary
+	binaryPath, err := exec.LookPath("container")
+	if err != nil {
+		return nil, fmt.Errorf("Apple Container CLI not found. Install with: brew install apple/containerization/container")
+	}
+
+	rt := &AppleRuntime{
+		ContainerPrefix:      containerPrefix,
+		BinaryPath:           binaryPath,
+		SandboxesDir:         sandboxesDir,
+		Image:                image,
+		GeneratedFileMounter: GeneratedFileMounter{StagingDir: sandboxesDir},
+	}
+
+	// Run preflight checks (warnings only — don't prevent creation)
+	rt.preflight()
+
+	return rt, nil
+}
+
+// preflight validates prerequisites and logs actionable warnings.
+// It does not return errors because missing prerequisites may be
+// resolved before the first container creation.
+func (r *AppleRuntime) preflight() {
+	// Check CLI version / health.
+	// Apple Container CLI uses "system version" (not "version" which is a plugin).
+	output, err := r.runCmd(context.Background(), "system", "version")
+	if err != nil {
+		logging.Warn("Apple Container CLI may not be functional", "error", err)
+	} else {
+		logging.Debug("Apple Container CLI version", "output", strings.TrimSpace(output))
+	}
+
+	// Check Nix store is accessible on the host
+	if _, err := os.Stat("/nix/store"); err != nil {
+		logging.Warn("Nix store not found at /nix/store — containers will not have access to Nix packages. Install Nix: https://nixos.org/download")
+	}
+
+	// Check nix-daemon socket
+	if _, err := os.Stat("/nix/var/nix/daemon-socket/socket"); err != nil {
+		logging.Warn("Nix daemon socket not found — container builds may fail. Ensure nix-daemon is running")
+	}
+}
+
+// containerName returns the full container name for a sandbox.
+// It loads metadata to use the short container name if available,
+// falling back to the legacy prefix+name format.
+func (r *AppleRuntime) containerName(sandboxName string) string {
+	if r.SandboxesDir != "" {
+		if meta, err := config.LoadSandboxMetadata(r.SandboxesDir, sandboxName); err == nil {
+			return meta.ResolvedContainerName()
+		}
+	}
+	return r.ContainerPrefix + sandboxName
+}
+
+// Name returns the runtime identifier
+func (r *AppleRuntime) Name() string {
+	return "apple"
+}
+
+// containerCmdError wraps an Apple Container CLI error with the exit code
+// so callers can branch on exit codes instead of fragile string matching.
+type containerCmdError struct {
+	Subcommand string
+	ExitCode   int
+	Stderr     string
+	Err        error
+}
+
+func (e *containerCmdError) Error() string {
+	return fmt.Sprintf("container %s failed: %s: %v", e.Subcommand, e.Stderr, e.Err)
+}
+
+func (e *containerCmdError) Unwrap() error { return e.Err }
+
+// isNotFound returns true when the CLI indicated the target resource does not exist.
+// It checks the exit code first (non-zero) and falls back to stderr keywords
+// for CLIs that don't use distinct exit codes.
+func isContainerNotFound(err error) bool {
+	var cmdErr *containerCmdError
+	if !errors.As(err, &cmdErr) {
+		return false
+	}
+	// Any non-zero exit + stderr containing a "not found" variant
+	if cmdErr.ExitCode == 0 {
+		return false
+	}
+	lower := strings.ToLower(cmdErr.Stderr)
+	return strings.Contains(lower, "not found") ||
+		strings.Contains(lower, "no such container") ||
+		strings.Contains(lower, "does not exist")
+}
+
+// runCmd executes an Apple Container command
+func (r *AppleRuntime) runCmd(ctx context.Context, args ...string) (string, error) {
+	cmd := exec.CommandContext(ctx, r.BinaryPath, args...)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		exitCode := -1
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			exitCode = exitErr.ExitCode()
+		}
+		return "", &containerCmdError{
+			Subcommand: args[0],
+			ExitCode:   exitCode,
+			Stderr:     stderr.String(),
+			Err:        err,
+		}
+	}
+
+	return stdout.String(), nil
+}
+
+// Create creates a new container.
+// Apple Container's 'run --detach' creates and starts in one step.
+// When opts.Start is false, we use 'create' instead.
+func (r *AppleRuntime) Create(ctx context.Context, opts CreateOptions) error {
+	containerName := r.containerName(opts.Name)
+	logging.Debug("creating container", "name", containerName, "runtime", "apple")
+
+	var subcommand string
+	var args []string
+	if opts.Start {
+		subcommand = "run"
+		args = []string{subcommand, "--name", containerName, "--detach"}
+	} else {
+		subcommand = "create"
+		args = []string{subcommand, "--name", containerName}
+	}
+
+	// Note: We do NOT mount the host /nix/store into OCI containers.
+	// The nixos/nix image has its own nix store, and overlaying the host
+	// store would break symlinks (e.g., /bin/sh → /nix/store/...).
+	// The sandbox creator already skips /nix/store mounts for non-nspawn
+	// runtimes. We only forward the nix-daemon socket so the container
+	// can issue build requests to the host daemon.
+	platformCfg := DetectPlatformMountConfig()
+	if _, err := os.Stat(platformCfg.NixDaemonSocketPath); err == nil {
+		args = append(args, "--mount", fmt.Sprintf("type=bind,source=%s,target=%s",
+			platformCfg.NixDaemonSocketPath, platformCfg.NixDaemonSocketPath))
+	}
+
+	// Add bind mounts.
+	// Apple Container only supports directory mounts, not individual files.
+	// File mounts are collected and injected post-start via exec cp.
+	var fileMounts map[string]string
+	for hostPath, containerPath := range opts.BindMounts {
+		info, err := os.Stat(hostPath)
+		if err != nil {
+			logging.Debug("skipping mount (source not found)", "host", hostPath, "container", containerPath)
+			continue
+		}
+		if !info.IsDir() {
+			if fileMounts == nil {
+				fileMounts = make(map[string]string)
+			}
+			fileMounts[hostPath] = containerPath
+			logging.Debug("deferring file mount to post-start copy", "host", hostPath, "container", containerPath)
+			continue
+		}
+		args = append(args, "--mount", fmt.Sprintf("type=bind,source=%s,target=%s", hostPath, containerPath))
+	}
+
+	// Add port forwards
+	for hostPort, containerPort := range opts.ForwardPorts {
+		args = append(args, "--publish", fmt.Sprintf("127.0.0.1:%d:%d", hostPort, containerPort))
+	}
+
+	// Network isolation
+	switch opts.NetworkMode {
+	case "none":
+		args = append(args, "--network=none")
+	case "restricted":
+		// Start with networking enabled; iptables rules are injected post-start
+		// via applyRestrictedNetwork
+	default:
+		// "full" or empty: default networking
+	}
+
+	// Add labels for orphan detection
+	args = append(args,
+		"--label", "forage.sandbox-name="+opts.Name,
+		"--label", "forage.runtime=apple",
+		"--label", "forage.container-name="+containerName,
+	)
+
+	// Apply resource limits via Apple Container CLI flags
+	if opts.CPUQuota != "" {
+		// Apple Container uses --cpus (float, e.g. "2.0" for 2 cores).
+		// Convert from percentage format (e.g. "200%") to float.
+		cpus := cpuQuotaToFloat(opts.CPUQuota)
+		if cpus != "" {
+			args = append(args, "--cpus", cpus)
+		}
+	}
+	if opts.MemoryMax != "" {
+		args = append(args, "--memory", opts.MemoryMax)
+	}
+
+	// Add environment variables
+	for k, v := range opts.EnvVars {
+		args = append(args, "-e", k+"="+v)
+	}
+
+	// Add extra args
+	args = append(args, opts.ExtraArgs...)
+
+	// Use a NixOS-compatible image.
+	// The nixos/nix image has binaries in the nix store, not at standard paths.
+	// Use /bin/sh -c to ensure the nix profile PATH is sourced.
+	image := r.containerImage()
+	if opts.Image != "" {
+		image = opts.Image
+	}
+	imageIdx := len(args)
+	args = append(args, image)
+	args = append(args, "/bin/sh", "-c", "exec sleep infinity")
+
+	_, err := r.runCmd(ctx, args...)
+	if err != nil {
+		// If the default image failed and no explicit override was set,
+		// build the base image locally from the embedded Dockerfile.
+		if image == DefaultImage && opts.Image == "" {
+			logging.Warn("default image unavailable, building locally", "error", err)
+			if buildErr := BuildFallbackImage(ctx, r.BinaryPath); buildErr != nil {
+				return fmt.Errorf("image pull failed and local build failed: %w", buildErr)
+			}
+			args[imageIdx] = FallbackImage
+			if _, retryErr := r.runCmd(ctx, args...); retryErr != nil {
+				return retryErr
+			}
+		} else {
+			return err
+		}
+	}
+
+	// Post-start tasks
+	if opts.Start {
+		// Copy deferred file mounts into the container
+		if len(fileMounts) > 0 {
+			r.injectFileMounts(ctx, opts.Name, fileMounts)
+		}
+
+		// Validate Nix store is accessible inside the container
+		if valErr := r.validateNixStore(ctx, opts.Name); valErr != nil {
+			logging.Warn("Nix store may not be accessible in container", "error", valErr)
+		}
+
+		// Apply iptables rules for restricted network mode
+		if opts.NetworkMode == "restricted" {
+			if netErr := r.applyRestrictedNetwork(ctx, opts.Name, opts.AllowedHosts); netErr != nil {
+				return fmt.Errorf("failed to apply network restrictions: %w", netErr)
+			}
+		}
+	}
+
+	return nil
+}
+
+// injectFileMounts copies host files into the container via exec.
+// Apple Container doesn't support file bind mounts, so we read the file
+// on the host and write it inside the container post-start.
+func (r *AppleRuntime) injectFileMounts(ctx context.Context, sandboxName string, mounts map[string]string) {
+	containerName := r.containerName(sandboxName)
+
+	for hostPath, containerPath := range mounts {
+		data, err := os.ReadFile(hostPath)
+		if err != nil {
+			logging.Warn("failed to read file for injection", "host", hostPath, "error", err)
+			continue
+		}
+
+		// Run the copy command directly via the container CLI, bypassing
+		// the Exec method's /bin/sh wrapping to avoid double-escaping.
+		dir := filepath.Dir(containerPath)
+		script := fmt.Sprintf("mkdir -p '%s' && cat > '%s'", dir, containerPath)
+		cmd := exec.CommandContext(ctx, r.BinaryPath, "exec", "-i", containerName, "/bin/sh", "-c", script)
+		cmd.Stdin = bytes.NewReader(data)
+		var stderr bytes.Buffer
+		cmd.Stderr = &stderr
+		if err := cmd.Run(); err != nil {
+			logging.Warn("failed to inject file into container", "container", containerPath, "error", err, "stderr", stderr.String())
+			continue
+		}
+		logging.Debug("injected file mount", "host", hostPath, "container", containerPath, "size", len(data))
+	}
+}
+
+// applyRestrictedNetwork injects iptables rules inside the container to restrict
+// outbound traffic to only the allowed hosts. This is used for the "restricted"
+// network mode where the container starts with full networking and then gets
+// filtered. The iptables approach works inside any Linux container without
+// requiring NixOS or nftables.
+func (r *AppleRuntime) applyRestrictedNetwork(ctx context.Context, sandboxName string, allowedHosts []string) error {
+	logging.Debug("applying restricted network rules", "sandbox", sandboxName, "allowedHosts", allowedHosts)
+
+	// Resolve allowed hosts to IPs
+	resolved, err := net.LookupIP("localhost") // Warm up resolver
+	_ = resolved
+	_ = err
+
+	// Build the iptables rules script
+	var script strings.Builder
+	script.WriteString("set -e\n")
+	// Default policy: drop outbound
+	script.WriteString("iptables -P OUTPUT DROP 2>/dev/null || true\n")
+	// Allow loopback
+	script.WriteString("iptables -A OUTPUT -o lo -j ACCEPT 2>/dev/null || true\n")
+	// Allow established/related
+	script.WriteString("iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true\n")
+
+	// Allow each host
+	for _, host := range allowedHosts {
+		ips, lookupErr := net.LookupIP(host)
+		if lookupErr != nil {
+			logging.Warn("failed to resolve host for network restriction", "host", host, "error", lookupErr)
+			continue
+		}
+		for _, ip := range ips {
+			if ip.To4() != nil {
+				fmt.Fprintf(&script, "iptables -A OUTPUT -d %s -j ACCEPT 2>/dev/null || true\n", ip.String())
+			}
+		}
+	}
+
+	// Reject remaining with ICMP unreachable (better than silent drop)
+	script.WriteString("iptables -A OUTPUT -j REJECT 2>/dev/null || true\n")
+
+	result, execErr := r.Exec(ctx, sandboxName, []string{"sh", "-c", script.String()}, ExecOptions{User: "root"})
+	if execErr != nil {
+		return fmt.Errorf("failed to apply iptables rules: %w", execErr)
+	}
+	if result.ExitCode != 0 {
+		logging.Warn("iptables rules may not have applied cleanly", "stderr", result.Stderr)
+	}
+
+	logging.Debug("restricted network rules applied", "sandbox", sandboxName)
+	return nil
+}
+
+// validateNixStore checks that the Nix store is accessible inside the container.
+func (r *AppleRuntime) validateNixStore(ctx context.Context, sandboxName string) error {
+	result, err := r.Exec(ctx, sandboxName, []string{"ls", "/nix/store"}, ExecOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to validate nix store: %w", err)
+	}
+	if result.ExitCode != 0 {
+		return fmt.Errorf("nix store not accessible (exit %d): %s", result.ExitCode, result.Stderr)
+	}
+	return nil
+}
+
+// containerImage returns the OCI image to use for containers.
+func (r *AppleRuntime) containerImage() string {
+	if r.Image != "" {
+		return r.Image
+	}
+	return defaultAppleImage
+}
+
+// cpuQuotaToFloat converts a CPU quota string (e.g. "200%" for 2 cores)
+// to a float string (e.g. "2.0") suitable for Apple Container's --cpus flag.
+func cpuQuotaToFloat(quota string) string {
+	s := strings.TrimSuffix(quota, "%")
+	pct, err := strconv.ParseFloat(s, 64)
+	if err != nil {
+		return ""
+	}
+	return strconv.FormatFloat(pct/100, 'f', 1, 64)
+}
+
+// Start starts an existing container
+func (r *AppleRuntime) Start(ctx context.Context, name string) error {
+	containerName := r.containerName(name)
+	logging.Debug("starting container", "container", containerName)
+
+	_, err := r.runCmd(ctx, "start", containerName)
+	return err
+}
+
+// Stop stops a running container
+func (r *AppleRuntime) Stop(ctx context.Context, name string) error {
+	containerName := r.containerName(name)
+	logging.Debug("stopping container", "container", containerName)
+
+	_, err := r.runCmd(ctx, "stop", containerName)
+	return err
+}
+
+// Destroy stops and removes a container
+func (r *AppleRuntime) Destroy(ctx context.Context, name string) error {
+	containerName := r.containerName(name)
+	logging.Debug("destroying container", "container", containerName)
+
+	// Stop first (ignore errors if already stopped)
+	_, _ = r.runCmd(ctx, "stop", containerName)
+
+	// Remove container (Apple CLI uses 'rm' or 'delete', no -f flag)
+	_, err := r.runCmd(ctx, "rm", containerName)
+	if err != nil && isContainerNotFound(err) {
+		return nil
+	}
+
+	return err
+}
+
+// IsRunning checks if a container is currently running
+func (r *AppleRuntime) IsRunning(ctx context.Context, name string) (bool, error) {
+	containerName := r.containerName(name)
+
+	output, err := r.runCmd(ctx, "inspect", containerName)
+	if err != nil {
+		return false, nil // Container doesn't exist
+	}
+
+	var inspects []appleInspect
+	if err := json.Unmarshal([]byte(output), &inspects); err != nil {
+		return false, nil
+	}
+
+	if len(inspects) == 0 {
+		return false, nil
+	}
+
+	return inspects[0].Status == "running", nil
+}
+
+// appleInspect holds the relevant fields from Apple Container's inspect JSON.
+// The Apple CLI returns a different schema than Docker:
+//
+//	[{"status": "running", "startedDate": 12345.67,
+//	  "configuration": {"id": "name", ...},
+//	  "networks": [{"ipv4Address": "192.168.64.2/24", ...}]}]
+type appleInspect struct {
+	Status        string  `json:"status"`
+	StartedDate   float64 `json:"startedDate"`
+	Configuration struct {
+		ID string `json:"id"`
+	} `json:"configuration"`
+	Networks []struct {
+		IPv4Address string `json:"ipv4Address"`
+		IPv6Address string `json:"ipv6Address"`
+		Network     string `json:"network"`
+	} `json:"networks"`
+}
+
+// Status returns detailed status of a container
+func (r *AppleRuntime) Status(ctx context.Context, name string) (*ContainerInfo, error) {
+	containerName := r.containerName(name)
+
+	info := &ContainerInfo{
+		Name:   name,
+		Status: StatusNotFound,
+	}
+
+	output, err := r.runCmd(ctx, "inspect", containerName)
+	if err != nil {
+		return info, nil
+	}
+
+	var inspects []appleInspect
+	if err := json.Unmarshal([]byte(output), &inspects); err != nil {
+		return info, nil
+	}
+
+	if len(inspects) == 0 {
+		return info, nil
+	}
+
+	inspect := inspects[0]
+	switch inspect.Status {
+	case "running":
+		info.Status = StatusRunning
+	case "exited", "stopped", "created":
+		info.Status = StatusStopped
+	default:
+		info.Status = StatusUnknown
+	}
+
+	// Extract IP address from first network, stripping CIDR suffix
+	if len(inspect.Networks) > 0 {
+		ip := inspect.Networks[0].IPv4Address
+		if idx := strings.IndexByte(ip, '/'); idx >= 0 {
+			ip = ip[:idx]
+		}
+		info.IPAddress = ip
+	}
+
+	return info, nil
+}
+
+// Exec executes a command inside a container
+func (r *AppleRuntime) Exec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error) {
+	containerName := r.containerName(name)
+
+	args := []string{"exec"}
+
+	if opts.Interactive {
+		args = append(args, "-i", "-t")
+	}
+
+	if opts.User != "" {
+		args = append(args, "-u", opts.User)
+	}
+
+	if opts.WorkingDir != "" {
+		args = append(args, "-w", opts.WorkingDir)
+	}
+
+	for _, env := range opts.Env {
+		args = append(args, "-e", env)
+	}
+
+	args = append(args, containerName)
+
+	// Wrap in /bin/sh so the container's PATH (nix profile paths) is used.
+	// Without this, commands like "ls" won't be found since nix-based
+	// containers don't place binaries in standard locations.
+	args = append(args, "/bin/sh", "-c", shellquote.Join(command...))
+
+	cmd := exec.CommandContext(ctx, r.BinaryPath, args...)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if opts.Stdin != nil {
+		cmd.Stdin = opts.Stdin
+	}
+
+	err := cmd.Run()
+
+	result := &ExecResult{
+		Stdout: stdout.String(),
+		Stderr: stderr.String(),
+	}
+
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			result.ExitCode = exitErr.ExitCode()
+		} else {
+			return result, fmt.Errorf("exec failed: %w", err)
+		}
+	}
+
+	return result, nil
+}
+
+// ExecInteractive executes a command with an interactive TTY
+func (r *AppleRuntime) ExecInteractive(ctx context.Context, name string, command []string, opts ExecOptions) error {
+	containerName := r.containerName(name)
+
+	args := []string{r.BinaryPath, "exec", "-i", "-t"}
+
+	if opts.User != "" {
+		args = append(args, "-u", opts.User)
+	}
+
+	if opts.WorkingDir != "" {
+		args = append(args, "-w", opts.WorkingDir)
+	}
+
+	args = append(args, containerName)
+
+	args = append(args, "/bin/sh", "-c", shellquote.Join(command...))
+
+	return syscall.Exec(r.BinaryPath, args, system.SafeEnviron())
+}
+
+// appleListEntry holds the fields from Apple Container's list --format json.
+type appleListEntry struct {
+	Status        string `json:"status"`
+	Configuration struct {
+		ID string `json:"id"`
+	} `json:"configuration"`
+}
+
+// List returns all containers managed by this runtime
+func (r *AppleRuntime) List(ctx context.Context) ([]*ContainerInfo, error) {
+	// Build reverse mapping: container name → sandbox name from metadata
+	reverseMap := buildContainerReverseMap(r.SandboxesDir)
+
+	// Apple CLI uses 'list --all --format json' (not Docker's ps --format template)
+	output, err := r.runCmd(ctx, "list", "--all", "--format", "json")
+	if err != nil {
+		return nil, err
+	}
+
+	output = strings.TrimSpace(output)
+	if output == "" {
+		return nil, nil
+	}
+
+	var entries []appleListEntry
+	if err := json.Unmarshal([]byte(output), &entries); err != nil {
+		return nil, fmt.Errorf("failed to parse container list: %w", err)
+	}
+
+	var containers []*ContainerInfo
+	for _, entry := range entries {
+		name := entry.Configuration.ID
+		if name == "" {
+			continue
+		}
+
+		var sandboxName string
+		if sn, ok := reverseMap[name]; ok {
+			sandboxName = sn
+		} else if strings.HasPrefix(name, r.ContainerPrefix) {
+			// Legacy fallback: strip prefix
+			sandboxName = strings.TrimPrefix(name, r.ContainerPrefix)
+		} else {
+			continue // Not a forage container
+		}
+
+		info, _ := r.Status(ctx, sandboxName)
+		if info != nil {
+			containers = append(containers, info)
+		}
+	}
+
+	return containers, nil
+}
+
+// GracefulStop uses Apple Container's stop command.
+func (r *AppleRuntime) GracefulStop(ctx context.Context, name string, timeout time.Duration) error {
+	containerName := r.containerName(name)
+	logging.Debug("graceful stop", "container", containerName, "timeout", timeout)
+
+	// Apple Container's stop doesn't have a timeout flag,
+	// so we use context timeout instead
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	_, err := r.runCmd(ctx, "stop", containerName)
+	return err
+}
+
+// ContainerInfo returns information about the container environment.
+func (r *AppleRuntime) ContainerInfo() SandboxContainerInfo {
+	return DefaultContainerInfo()
+}
+
+// ViewLogs streams container logs via 'container logs'.
+func (r *AppleRuntime) ViewLogs(ctx context.Context, name string, follow bool, lines int) error {
+	containerName := r.containerName(name)
+
+	args := []string{r.BinaryPath, "logs", "-n", fmt.Sprintf("%d", lines), containerName}
+	if follow {
+		args = append(args, "-f")
+	}
+
+	return syscall.Exec(r.BinaryPath, args, system.SafeEnviron())
+}
+
+// Capabilities returns the capabilities of Apple Container runtime.
+// Apple Container supports resource limits (CPU, memory) via --cpus and --memory.
+func (r *AppleRuntime) Capabilities() Capabilities {
+	return Capabilities{
+		NixOSConfig:      false,
+		NetworkIsolation: true,
+		EphemeralRoot:    true,
+		SSHAccess:        false,
+		GeneratedFiles:   true,
+		ResourceLimits:   true,
+		GracefulShutdown: true,
+	}
+}
+
+// Ensure AppleRuntime implements Runtime, GeneratedFileRuntime, CapableRuntime, GracefulStopper, and LogViewer
+var _ Runtime = (*AppleRuntime)(nil)
+var _ GeneratedFileRuntime = (*AppleRuntime)(nil)
+var _ CapableRuntime = (*AppleRuntime)(nil)
+var _ GracefulStopper = (*AppleRuntime)(nil)
+var _ LogViewer = (*AppleRuntime)(nil)
diff --git a/packages/forage-ctl/internal/runtime/apple_test.go b/packages/forage-ctl/internal/runtime/apple_test.go
new file mode 100644
index 0000000..05a1936
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/apple_test.go
@@ -0,0 +1,131 @@
+package runtime
+
+import (
+	"fmt"
+	"os/exec"
+	"testing"
+)
+
+func TestCpuQuotaToFloat(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{"200%", "2.0"},
+		{"100%", "1.0"},
+		{"50%", "0.5"},
+		{"400%", "4.0"},
+		{"150%", "1.5"},
+		{"invalid", ""},
+		{"", ""},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.input, func(t *testing.T) {
+			result := cpuQuotaToFloat(tc.input)
+			if result != tc.expected {
+				t.Errorf("cpuQuotaToFloat(%q) = %q, want %q", tc.input, result, tc.expected)
+			}
+		})
+	}
+}
+
+func TestContainerImage(t *testing.T) {
+	t.Run("default image", func(t *testing.T) {
+		rt := &AppleRuntime{BinaryPath: "container"}
+		if img := rt.containerImage(); img != defaultAppleImage {
+			t.Errorf("expected %q, got %q", defaultAppleImage, img)
+		}
+	})
+
+	t.Run("custom image", func(t *testing.T) {
+		rt := &AppleRuntime{BinaryPath: "container", Image: "custom/image:v1"}
+		if img := rt.containerImage(); img != "custom/image:v1" {
+			t.Errorf("expected %q, got %q", "custom/image:v1", img)
+		}
+	})
+}
+
+func TestIsContainerNotFound(t *testing.T) {
+	tests := []struct {
+		name     string
+		err      error
+		expected bool
+	}{
+		{
+			"nil error",
+			nil,
+			false,
+		},
+		{
+			"non-cmd error",
+			fmt.Errorf("some other error"),
+			false,
+		},
+		{
+			"not found stderr",
+			&containerCmdError{Subcommand: "rm", ExitCode: 1, Stderr: "container not found", Err: &exec.ExitError{}},
+			true,
+		},
+		{
+			"no such container",
+			&containerCmdError{Subcommand: "rm", ExitCode: 1, Stderr: "No such container: foo", Err: &exec.ExitError{}},
+			true,
+		},
+		{
+			"does not exist",
+			&containerCmdError{Subcommand: "rm", ExitCode: 1, Stderr: "container does not exist", Err: &exec.ExitError{}},
+			true,
+		},
+		{
+			"exit 0 with not found text",
+			&containerCmdError{Subcommand: "rm", ExitCode: 0, Stderr: "not found", Err: nil},
+			false,
+		},
+		{
+			"exit 1 with unrelated stderr",
+			&containerCmdError{Subcommand: "rm", ExitCode: 1, Stderr: "permission denied", Err: &exec.ExitError{}},
+			false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := isContainerNotFound(tc.err)
+			if result != tc.expected {
+				t.Errorf("isContainerNotFound(%v) = %v, want %v", tc.err, result, tc.expected)
+			}
+		})
+	}
+}
+
+func TestAppleRuntime_Name(t *testing.T) {
+	rt := &AppleRuntime{BinaryPath: "container"}
+	if rt.Name() != "apple" {
+		t.Errorf("expected 'apple', got %q", rt.Name())
+	}
+}
+
+func TestAppleRuntime_ContainerInfo(t *testing.T) {
+	rt := &AppleRuntime{BinaryPath: "container"}
+	info := rt.ContainerInfo()
+	if info.Username != "agent" {
+		t.Errorf("expected username 'agent', got %q", info.Username)
+	}
+	if info.HomeDir != "/home/agent" {
+		t.Errorf("expected home '/home/agent', got %q", info.HomeDir)
+	}
+	if info.WorkspaceDir != "/workspace" {
+		t.Errorf("expected workspace '/workspace', got %q", info.WorkspaceDir)
+	}
+}
+
+func TestAppleRuntime_containerName(t *testing.T) {
+	t.Run("fallback to prefix", func(t *testing.T) {
+		rt := &AppleRuntime{ContainerPrefix: "forage-"}
+		name := rt.containerName("myproject")
+		if name != "forage-myproject" {
+			t.Errorf("expected 'forage-myproject', got %q", name)
+		}
+	})
+}
diff --git a/packages/forage-ctl/internal/runtime/capabilities_test.go b/packages/forage-ctl/internal/runtime/capabilities_test.go
new file mode 100644
index 0000000..fe78b74
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/capabilities_test.go
@@ -0,0 +1,165 @@
+package runtime
+
+import (
+	"context"
+	"testing"
+	"time"
+)
+
+func TestNspawnCapabilities(t *testing.T) {
+	rt := &NspawnRuntime{}
+	caps := rt.Capabilities()
+
+	if !caps.NixOSConfig {
+		t.Error("nspawn should support NixOSConfig")
+	}
+	if !caps.NetworkIsolation {
+		t.Error("nspawn should support NetworkIsolation")
+	}
+	if !caps.EphemeralRoot {
+		t.Error("nspawn should support EphemeralRoot")
+	}
+	if !caps.SSHAccess {
+		t.Error("nspawn should support SSHAccess")
+	}
+	if !caps.GeneratedFiles {
+		t.Error("nspawn should support GeneratedFiles")
+	}
+	if !caps.ResourceLimits {
+		t.Error("nspawn should support ResourceLimits")
+	}
+	if !caps.GracefulShutdown {
+		t.Error("nspawn should support GracefulShutdown")
+	}
+}
+
+func TestDockerCapabilities(t *testing.T) {
+	rt := &DockerRuntime{Command: "docker"}
+	caps := rt.Capabilities()
+
+	if caps.NixOSConfig {
+		t.Error("docker should not support NixOSConfig")
+	}
+	if caps.NetworkIsolation {
+		t.Error("docker should not support NetworkIsolation")
+	}
+	if !caps.EphemeralRoot {
+		t.Error("docker should support EphemeralRoot")
+	}
+	if caps.SSHAccess {
+		t.Error("docker should not support SSHAccess")
+	}
+	if !caps.GeneratedFiles {
+		t.Error("docker should support GeneratedFiles")
+	}
+	if !caps.ResourceLimits {
+		t.Error("docker should support ResourceLimits")
+	}
+	if !caps.GracefulShutdown {
+		t.Error("docker should support GracefulShutdown")
+	}
+}
+
+func TestAppleCapabilities(t *testing.T) {
+	rt := &AppleRuntime{BinaryPath: "container"}
+	caps := rt.Capabilities()
+
+	if caps.NixOSConfig {
+		t.Error("apple should not support NixOSConfig")
+	}
+	if !caps.NetworkIsolation {
+		t.Error("apple should support NetworkIsolation")
+	}
+	if !caps.EphemeralRoot {
+		t.Error("apple should support EphemeralRoot")
+	}
+	if caps.SSHAccess {
+		t.Error("apple should not support SSHAccess")
+	}
+	if !caps.GeneratedFiles {
+		t.Error("apple should support GeneratedFiles")
+	}
+	if !caps.ResourceLimits {
+		t.Error("apple should support ResourceLimits")
+	}
+	if !caps.GracefulShutdown {
+		t.Error("apple should support GracefulShutdown")
+	}
+}
+
+func TestGetCapabilities_WithCapableRuntime(t *testing.T) {
+	rt := &NspawnRuntime{}
+	caps := GetCapabilities(rt)
+
+	if !caps.NixOSConfig {
+		t.Error("GetCapabilities should return nspawn capabilities")
+	}
+}
+
+func TestGracefulStopper_MockRuntime(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("test", StatusRunning)
+
+	err := mock.GracefulStop(ctx, "test", 5*time.Second)
+	if err != nil {
+		t.Fatalf("GracefulStop failed: %v", err)
+	}
+
+	running, _ := mock.IsRunning(ctx, "test")
+	if running {
+		t.Error("Container should be stopped after GracefulStop")
+	}
+
+	calls := mock.GetCallsFor("GracefulStop")
+	if len(calls) != 1 {
+		t.Errorf("Expected 1 GracefulStop call, got %d", len(calls))
+	}
+}
+
+func TestGracefulStopper_ViaInterface(t *testing.T) {
+	// Test the pattern: check if runtime implements GracefulStopper via interface
+	mock := NewMockRuntime()
+	ctx := context.Background()
+	mock.AddContainer("test", StatusRunning)
+
+	var rt Runtime = mock
+	if gs, ok := rt.(GracefulStopper); ok {
+		err := gs.GracefulStop(ctx, "test", 10*time.Second)
+		if err != nil {
+			t.Fatalf("GracefulStop failed: %v", err)
+		}
+	} else {
+		t.Fatal("MockRuntime should implement GracefulStopper")
+	}
+}
+
+func TestGetCapabilities_WithNonCapableRuntime(t *testing.T) {
+	// MockRuntime doesn't implement CapableRuntime
+	rt := NewMockRuntime()
+	caps := GetCapabilities(rt)
+
+	// All should default to true
+	if !caps.NixOSConfig {
+		t.Error("default capabilities should have NixOSConfig true")
+	}
+	if !caps.NetworkIsolation {
+		t.Error("default capabilities should have NetworkIsolation true")
+	}
+	if !caps.EphemeralRoot {
+		t.Error("default capabilities should have EphemeralRoot true")
+	}
+	if !caps.SSHAccess {
+		t.Error("default capabilities should have SSHAccess true")
+	}
+	if !caps.GeneratedFiles {
+		t.Error("default capabilities should have GeneratedFiles true")
+	}
+	if !caps.ResourceLimits {
+		t.Error("default capabilities should have ResourceLimits true")
+	}
+	if !caps.GracefulShutdown {
+		t.Error("default capabilities should have GracefulShutdown true")
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/container_info.go b/packages/forage-ctl/internal/runtime/container_info.go
new file mode 100644
index 0000000..d5bd744
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/container_info.go
@@ -0,0 +1,152 @@
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+// SandboxContainerInfo provides runtime-determined paths and settings for containers.
+type SandboxContainerInfo struct {
+	HomeDir      string // e.g., "/home/agent"
+	WorkspaceDir string // e.g., "/workspace"
+	Username     string // e.g., "agent"
+}
+
+// DefaultContainerInfo returns the default container info for forage sandboxes.
+// If username or workspaceDir are provided, they override the defaults.
+func DefaultContainerInfo(opts ...ContainerInfoOption) SandboxContainerInfo {
+	info := SandboxContainerInfo{
+		HomeDir:      "/home/agent",
+		WorkspaceDir: "/workspace",
+		Username:     "agent",
+	}
+	for _, opt := range opts {
+		opt(&info)
+	}
+	return info
+}
+
+// ContainerInfoOption configures a SandboxContainerInfo.
+type ContainerInfoOption func(*SandboxContainerInfo)
+
+// WithUsername sets the container username and derives the home directory.
+func WithUsername(username string) ContainerInfoOption {
+	return func(info *SandboxContainerInfo) {
+		if username != "" {
+			info.Username = username
+			info.HomeDir = "/home/" + username
+		}
+	}
+}
+
+// WithWorkspaceDir sets the container workspace directory.
+func WithWorkspaceDir(dir string) ContainerInfoOption {
+	return func(info *SandboxContainerInfo) {
+		if dir != "" {
+			info.WorkspaceDir = dir
+		}
+	}
+}
+
+// GeneratedFileRuntime extends Runtime with support for generated file mounting.
+// Runtimes that support staging generated files for mounting implement this interface.
+type GeneratedFileRuntime interface {
+	Runtime
+
+	// MountGeneratedFile stages a generated file for mounting into the container.
+	// The runtime handles the actual mechanism (e.g., writing to a temp dir that
+	// gets bind-mounted, or using container-specific file injection).
+	// Returns the mount that will make the file available in the container.
+	MountGeneratedFile(ctx context.Context, sandboxName string, file injection.GeneratedFile) (injection.Mount, error)
+
+	// ContainerInfo returns information about the container environment.
+	ContainerInfo() SandboxContainerInfo
+}
+
+// GeneratedFileMounter provides a default implementation for MountGeneratedFile
+// that writes files to a staging directory. Runtimes can embed this to get
+// the default behavior.
+type GeneratedFileMounter struct {
+	// StagingDir is the base directory for staging generated files.
+	// Files are written to StagingDir/{sandboxName}/...
+	StagingDir string
+}
+
+// MountGeneratedFile writes a generated file to the staging directory and
+// returns a mount for it. It validates that no symlinks exist in the path
+// to prevent symlink-based attacks that could redirect writes to arbitrary
+// host locations.
+func (m *GeneratedFileMounter) MountGeneratedFile(ctx context.Context, sandboxName string, file injection.GeneratedFile) (injection.Mount, error) {
+	// Create the staging path based on the container path to maintain structure
+	// Use the sandbox name to namespace files
+	relPath := file.ContainerPath
+	if filepath.IsAbs(relPath) {
+		relPath = relPath[1:] // Remove leading slash
+	}
+	hostPath := filepath.Join(m.StagingDir, sandboxName+".generated", relPath)
+
+	// Ensure parent directory exists
+	if err := os.MkdirAll(filepath.Dir(hostPath), 0755); err != nil {
+		return injection.Mount{}, err
+	}
+
+	// Validate no symlinks in the resolved path to prevent TOCTOU attacks.
+	// EvalSymlinks resolves all symlinks and gives us the real path.
+	realDir, err := filepath.EvalSymlinks(filepath.Dir(hostPath))
+	if err != nil {
+		return injection.Mount{}, fmt.Errorf("failed to resolve staging path: %w", err)
+	}
+	expectedDir, err := filepath.EvalSymlinks(m.StagingDir)
+	if err != nil {
+		return injection.Mount{}, fmt.Errorf("failed to resolve staging base: %w", err)
+	}
+	if !isSubpath(realDir, expectedDir) {
+		return injection.Mount{}, fmt.Errorf("staging path escapes base directory: %s", realDir)
+	}
+
+	// Write with O_CREATE|O_EXCL first (fails if file exists, including symlinks).
+	// Fall back to O_TRUNC if file already exists from a previous run.
+	realHostPath := filepath.Join(realDir, filepath.Base(hostPath))
+	f, err := os.OpenFile(realHostPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, file.Mode)
+	if os.IsExist(err) {
+		// File exists from previous run; verify it's not a symlink before overwriting
+		info, statErr := os.Lstat(realHostPath)
+		if statErr != nil {
+			return injection.Mount{}, statErr
+		}
+		if info.Mode()&os.ModeSymlink != 0 {
+			return injection.Mount{}, fmt.Errorf("refusing to overwrite symlink: %s", realHostPath)
+		}
+		f, err = os.OpenFile(realHostPath, os.O_WRONLY|os.O_TRUNC, file.Mode)
+	}
+	if err != nil {
+		return injection.Mount{}, err
+	}
+	_, writeErr := f.Write(file.Content)
+	closeErr := f.Close()
+	if writeErr != nil {
+		return injection.Mount{}, writeErr
+	}
+	if closeErr != nil {
+		return injection.Mount{}, closeErr
+	}
+
+	return injection.Mount{
+		HostPath:      realHostPath,
+		ContainerPath: file.ContainerPath,
+		ReadOnly:      file.ReadOnly,
+	}, nil
+}
+
+// isSubpath returns true if child is under parent (or equal to parent).
+func isSubpath(child, parent string) bool {
+	rel, err := filepath.Rel(parent, child)
+	if err != nil {
+		return false
+	}
+	return rel == "." || (len(rel) > 0 && rel[0] != '.' && !filepath.IsAbs(rel))
+}
diff --git a/packages/forage-ctl/internal/runtime/detect.go b/packages/forage-ctl/internal/runtime/detect.go
new file mode 100644
index 0000000..4adc435
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/detect.go
@@ -0,0 +1,202 @@
+package runtime
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	goruntime "runtime"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+// RuntimeType identifies which container runtime to use
+type RuntimeType string
+
+const (
+	RuntimeNspawn RuntimeType = "nspawn"
+	RuntimeDocker RuntimeType = "docker"
+	RuntimePodman RuntimeType = "podman"
+	RuntimeApple  RuntimeType = "apple"
+	RuntimeAuto   RuntimeType = "auto"
+)
+
+// Config holds runtime configuration
+type Config struct {
+	// Type specifies which runtime to use (or "auto" for auto-detection)
+	Type RuntimeType
+
+	// ContainerPrefix is prepended to sandbox names
+	ContainerPrefix string
+
+	// NixpkgsPath is the Nix store path to nixpkgs source (nspawn only)
+	// Used for nix-build of container configurations
+	NixpkgsPath string
+
+	// SandboxesDir is the directory containing sandbox metadata files
+	// Used by all runtimes to resolve container names from metadata
+	SandboxesDir string
+
+	// Image overrides the default OCI image for Apple/Docker runtimes.
+	// When empty, the runtime's built-in default is used.
+	Image string
+}
+
+// DefaultConfig returns the default runtime configuration
+func DefaultConfig() *Config {
+	return &Config{
+		Type:            RuntimeAuto,
+		ContainerPrefix: "forage-",
+	}
+}
+
+// Detect determines which container runtime is available on the system.
+// Returns the RuntimeType and any error encountered.
+func Detect() (RuntimeType, error) {
+	logging.Debug("detecting container runtime", "os", goruntime.GOOS)
+
+	switch goruntime.GOOS {
+	case "linux":
+		return detectLinux()
+	case "darwin":
+		return detectDarwin()
+	default:
+		return "", fmt.Errorf("unsupported operating system: %s", goruntime.GOOS)
+	}
+}
+
+// detectLinux detects the best runtime for Linux systems
+func detectLinux() (RuntimeType, error) {
+	// On NixOS with systemd, prefer nspawn
+	if isNixOS() && hasSystemd() {
+		logging.Debug("detected NixOS with systemd, using nspawn")
+		return RuntimeNspawn, nil
+	}
+
+	// Try podman (preferred for rootless)
+	if _, err := exec.LookPath("podman"); err == nil {
+		logging.Debug("detected podman")
+		return RuntimePodman, nil
+	}
+
+	// Try docker
+	if _, err := exec.LookPath("docker"); err == nil {
+		logging.Debug("detected docker")
+		return RuntimeDocker, nil
+	}
+
+	return "", fmt.Errorf("no supported container runtime found (tried: nspawn, podman, docker)")
+}
+
+// detectDarwin detects the best runtime for macOS
+func detectDarwin() (RuntimeType, error) {
+	// Prefer Apple Container if available (native macOS virtualization)
+	if _, err := exec.LookPath("container"); err == nil {
+		logging.Debug("detected Apple Container on macOS")
+		return RuntimeApple, nil
+	}
+
+	// Try podman
+	if _, err := exec.LookPath("podman"); err == nil {
+		logging.Debug("detected podman on macOS")
+		return RuntimePodman, nil
+	}
+
+	// Try docker (Docker Desktop)
+	if _, err := exec.LookPath("docker"); err == nil {
+		logging.Debug("detected docker on macOS")
+		return RuntimeDocker, nil
+	}
+
+	return "", fmt.Errorf("no supported container runtime found on macOS (tried: container, podman, docker)")
+}
+
+// isNixOS checks if we're running on NixOS
+func isNixOS() bool {
+	// Check for /etc/NIXOS marker file
+	if _, err := os.Stat("/etc/NIXOS"); err == nil {
+		return true
+	}
+
+	// Check for /run/current-system (NixOS-specific)
+	if _, err := os.Stat("/run/current-system"); err == nil {
+		return true
+	}
+
+	return false
+}
+
+// New creates a new Runtime based on the configuration.
+// If Type is RuntimeAuto, it auto-detects the best runtime.
+func New(cfg *Config) (Runtime, error) {
+	if cfg == nil {
+		cfg = DefaultConfig()
+	}
+
+	runtimeType := cfg.Type
+	if runtimeType == RuntimeAuto {
+		detected, err := Detect()
+		if err != nil {
+			return nil, err
+		}
+		runtimeType = detected
+	}
+
+	logging.Debug("creating runtime", "type", runtimeType)
+
+	switch runtimeType {
+	case RuntimeNspawn:
+		return NewNspawnRuntime(cfg.ContainerPrefix, cfg.SandboxesDir, cfg.NixpkgsPath), nil
+
+	case RuntimeDocker, RuntimePodman:
+		return NewDockerRuntime(cfg.ContainerPrefix, cfg.SandboxesDir, cfg.Image)
+
+	case RuntimeApple:
+		return NewAppleRuntime(cfg.ContainerPrefix, cfg.SandboxesDir, cfg.Image)
+
+	default:
+		return nil, fmt.Errorf("unknown runtime type: %s", runtimeType)
+	}
+}
+
+// MustNew creates a new Runtime, panicking on error.
+// Useful for initialization in main or tests.
+func MustNew(cfg *Config) Runtime {
+	rt, err := New(cfg)
+	if err != nil {
+		panic(err)
+	}
+	return rt
+}
+
+// hasSystemd checks if systemd is running.
+// https://www.freedesktop.org/software/systemd/man/sd_booted.html
+func hasSystemd() bool {
+	_, err := os.Stat("/run/systemd/system")
+	return err == nil
+}
+
+// Available returns a list of available runtimes on this system
+func Available() []RuntimeType {
+	var available []RuntimeType
+
+	if goruntime.GOOS == "linux" && isNixOS() && hasSystemd() {
+		available = append(available, RuntimeNspawn)
+	}
+
+	// Check for Apple Container on macOS
+	if goruntime.GOOS == "darwin" {
+		if _, err := exec.LookPath("container"); err == nil {
+			available = append(available, RuntimeApple)
+		}
+	}
+
+	if _, err := exec.LookPath("podman"); err == nil {
+		available = append(available, RuntimePodman)
+	}
+
+	if _, err := exec.LookPath("docker"); err == nil {
+		available = append(available, RuntimeDocker)
+	}
+
+	return available
+}
diff --git a/packages/forage-ctl/internal/runtime/detect_test.go b/packages/forage-ctl/internal/runtime/detect_test.go
new file mode 100644
index 0000000..9cf474a
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/detect_test.go
@@ -0,0 +1,51 @@
+package runtime
+
+import (
+	"testing"
+)
+
+func TestDefaultConfig(t *testing.T) {
+	cfg := DefaultConfig()
+
+	if cfg.Type != RuntimeAuto {
+		t.Errorf("expected RuntimeAuto, got %s", cfg.Type)
+	}
+
+	if cfg.ContainerPrefix != "forage-" {
+		t.Errorf("expected 'forage-' prefix, got %s", cfg.ContainerPrefix)
+	}
+}
+
+func TestAvailable(t *testing.T) {
+	// Just ensure it doesn't panic
+	available := Available()
+	t.Logf("available runtimes: %v", available)
+}
+
+func TestDetect(t *testing.T) {
+	// Just ensure it doesn't panic - actual result depends on system
+	rt, err := Detect()
+	if err != nil {
+		t.Logf("no runtime detected (expected in minimal test env): %v", err)
+	} else {
+		t.Logf("detected runtime: %s", rt)
+	}
+}
+
+func TestRuntimeTypes(t *testing.T) {
+	tests := []struct {
+		rt   RuntimeType
+		want string
+	}{
+		{RuntimeNspawn, "nspawn"},
+		{RuntimeDocker, "docker"},
+		{RuntimePodman, "podman"},
+		{RuntimeAuto, "auto"},
+	}
+
+	for _, tt := range tests {
+		if string(tt.rt) != tt.want {
+			t.Errorf("RuntimeType %v != %s", tt.rt, tt.want)
+		}
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/doc.go b/packages/forage-ctl/internal/runtime/doc.go
new file mode 100644
index 0000000..ea8bde0
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/doc.go
@@ -0,0 +1,30 @@
+// Package runtime provides a unified interface for container runtimes.
+//
+// Supported runtimes:
+//   - nspawn: NixOS containers via systemd-nspawn (Linux)
+//   - docker: Docker containers (Linux, macOS, Windows)
+//   - apple: Apple Container (macOS 13+)
+//
+// Runtime selection is automatic based on platform and available tools.
+// Use Global() to get the detected runtime, or construct specific
+// implementations directly for testing.
+//
+// # Runtime Interface
+//
+// The Runtime interface defines operations common to all container backends:
+//   - Create, Start, Stop, Destroy: Container lifecycle
+//   - IsRunning, Status: Container state queries
+//   - Exec, ExecInteractive: Command execution inside containers
+//   - List: Enumerate all managed containers
+//
+// # SSH Runtime
+//
+// SSHRuntime extends Runtime for backends that provide SSH access to containers.
+// This allows unified SSH-based access regardless of the underlying container
+// technology. Methods include SSHPort, SSHExec, and SSHInteractive.
+//
+// # Mock Runtime
+//
+// For testing, use NewMockRuntime() to create a mock implementation that can
+// be configured with expected responses and used to verify command execution.
+package runtime
diff --git a/packages/forage-ctl/internal/runtime/docker.go b/packages/forage-ctl/internal/runtime/docker.go
new file mode 100644
index 0000000..d3afce9
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/docker.go
@@ -0,0 +1,432 @@
+package runtime
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/system"
+)
+
+// defaultDockerImage is the default OCI image for Docker/Podman sandboxes.
+const defaultDockerImage = DefaultImage
+
+// DockerRuntime implements the Runtime interface using Docker or Podman.
+// It auto-detects which container engine is available.
+type DockerRuntime struct {
+	// Command is the container command to use (docker or podman)
+	Command string
+
+	// ContainerPrefix is prepended to sandbox names to form container names
+	ContainerPrefix string
+
+	// UseRootless indicates whether to use rootless mode
+	UseRootless bool
+
+	// StagingDir is the directory for staging generated files
+	StagingDir string
+
+	// SandboxesDir is the directory containing sandbox metadata files
+	// Used to resolve container names from metadata
+	SandboxesDir string
+
+	// Image overrides the default OCI image (defaultDockerImage).
+	// When empty, defaultDockerImage is used.
+	Image string
+
+	// GeneratedFileMounter handles staging of generated files
+	GeneratedFileMounter
+}
+
+// NewDockerRuntime creates a new Docker/Podman runtime.
+// It auto-detects which command is available.
+// The image parameter overrides the default OCI image; pass "" for the default.
+func NewDockerRuntime(containerPrefix, sandboxesDir, image string) (*DockerRuntime, error) {
+	// Try podman first (preferred for rootless)
+	if _, err := exec.LookPath("podman"); err == nil {
+		return &DockerRuntime{
+			Command:         "podman",
+			ContainerPrefix: containerPrefix,
+			UseRootless:     true,
+			SandboxesDir:    sandboxesDir,
+			Image:           image,
+		}, nil
+	}
+
+	// Fall back to docker
+	if _, err := exec.LookPath("docker"); err == nil {
+		return &DockerRuntime{
+			Command:         "docker",
+			ContainerPrefix: containerPrefix,
+			UseRootless:     false,
+			SandboxesDir:    sandboxesDir,
+			Image:           image,
+		}, nil
+	}
+
+	return nil, fmt.Errorf("neither podman nor docker found in PATH")
+}
+
+// containerImage returns the OCI image to use for containers.
+func (r *DockerRuntime) containerImage() string {
+	if r.Image != "" {
+		return r.Image
+	}
+	return defaultDockerImage
+}
+
+// containerName returns the full container name for a sandbox.
+// It loads metadata to use the short container name if available,
+// falling back to the legacy prefix+name format.
+func (r *DockerRuntime) containerName(sandboxName string) string {
+	if r.SandboxesDir != "" {
+		if meta, err := config.LoadSandboxMetadata(r.SandboxesDir, sandboxName); err == nil {
+			return meta.ResolvedContainerName()
+		}
+	}
+	return r.ContainerPrefix + sandboxName
+}
+
+// Name returns the runtime identifier
+func (r *DockerRuntime) Name() string {
+	return r.Command
+}
+
+// runCmd executes a docker/podman command
+func (r *DockerRuntime) runCmd(ctx context.Context, args ...string) (string, error) {
+	cmd := exec.CommandContext(ctx, r.Command, args...)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("%s %s failed: %s: %w", r.Command, args[0], stderr.String(), err)
+	}
+
+	return stdout.String(), nil
+}
+
+// Create creates a new container from a NixOS image
+func (r *DockerRuntime) Create(ctx context.Context, opts CreateOptions) error {
+	containerName := r.containerName(opts.Name)
+	logging.Debug("creating container", "name", containerName, "runtime", r.Command)
+
+	args := []string{"create", "--name", containerName}
+
+	// Add bind mounts
+	for hostPath, containerPath := range opts.BindMounts {
+		args = append(args, "-v", fmt.Sprintf("%s:%s", hostPath, containerPath))
+	}
+
+	// Add port forwards
+	for hostPort, containerPort := range opts.ForwardPorts {
+		args = append(args, "-p", fmt.Sprintf("127.0.0.1:%d:%d", hostPort, containerPort))
+	}
+
+	// Add labels for orphan detection
+	args = append(args,
+		"--label", "forage.sandbox-name="+opts.Name,
+		"--label", "forage.runtime="+r.Command,
+		"--label", "forage.container-name="+containerName,
+	)
+
+	// Add extra args
+	args = append(args, opts.ExtraArgs...)
+
+	image := r.containerImage()
+	if opts.Image != "" {
+		image = opts.Image
+	}
+	imageIdx := len(args)
+	args = append(args, image, "sleep", "infinity")
+
+	_, err := r.runCmd(ctx, args...)
+	if err != nil {
+		// If the default image failed and no explicit override was set,
+		// build the base image locally from the embedded Dockerfile.
+		if image == DefaultImage && opts.Image == "" {
+			logging.Warn("default image unavailable, building locally", "error", err)
+			cmdPath, _ := exec.LookPath(r.Command)
+			if buildErr := BuildFallbackImage(ctx, cmdPath); buildErr != nil {
+				return fmt.Errorf("image pull failed and local build failed: %w", buildErr)
+			}
+			args[imageIdx] = FallbackImage
+			if _, retryErr := r.runCmd(ctx, args...); retryErr != nil {
+				return retryErr
+			}
+		} else {
+			return err
+		}
+	}
+
+	if opts.Start {
+		return r.Start(ctx, opts.Name)
+	}
+
+	return nil
+}
+
+// Start starts an existing container
+func (r *DockerRuntime) Start(ctx context.Context, name string) error {
+	containerName := r.containerName(name)
+	logging.Debug("starting container", "container", containerName)
+
+	_, err := r.runCmd(ctx, "start", containerName)
+	return err
+}
+
+// Stop stops a running container
+func (r *DockerRuntime) Stop(ctx context.Context, name string) error {
+	containerName := r.containerName(name)
+	logging.Debug("stopping container", "container", containerName)
+
+	_, err := r.runCmd(ctx, "stop", containerName)
+	return err
+}
+
+// Destroy stops and removes a container
+func (r *DockerRuntime) Destroy(ctx context.Context, name string) error {
+	containerName := r.containerName(name)
+	logging.Debug("destroying container", "container", containerName)
+
+	// Stop first (ignore errors if already stopped)
+	_, _ = r.runCmd(ctx, "stop", containerName)
+
+	// Remove container
+	_, err := r.runCmd(ctx, "rm", "-f", containerName)
+	if err != nil {
+		// Ignore "no such container" errors
+		if strings.Contains(err.Error(), "No such container") ||
+			strings.Contains(err.Error(), "no such container") {
+			return nil
+		}
+	}
+
+	return err
+}
+
+// IsRunning checks if a container is currently running
+func (r *DockerRuntime) IsRunning(ctx context.Context, name string) (bool, error) {
+	containerName := r.containerName(name)
+
+	output, err := r.runCmd(ctx, "inspect", "-f", "{{.State.Running}}", containerName)
+	if err != nil {
+		return false, nil // Container doesn't exist
+	}
+
+	return strings.TrimSpace(output) == "true", nil
+}
+
+// dockerInspect holds the relevant fields from docker inspect
+type dockerInspect struct {
+	State struct {
+		Status    string `json:"Status"`
+		Running   bool   `json:"Running"`
+		StartedAt string `json:"StartedAt"`
+	} `json:"State"`
+	NetworkSettings struct {
+		IPAddress string `json:"IPAddress"`
+	} `json:"NetworkSettings"`
+}
+
+// Status returns detailed status of a container
+func (r *DockerRuntime) Status(ctx context.Context, name string) (*ContainerInfo, error) {
+	containerName := r.containerName(name)
+
+	info := &ContainerInfo{
+		Name:   name,
+		Status: StatusNotFound,
+	}
+
+	output, err := r.runCmd(ctx, "inspect", containerName)
+	if err != nil {
+		return info, nil
+	}
+
+	var inspects []dockerInspect
+	if err := json.Unmarshal([]byte(output), &inspects); err != nil {
+		return info, nil
+	}
+
+	if len(inspects) == 0 {
+		return info, nil
+	}
+
+	inspect := inspects[0]
+	switch inspect.State.Status {
+	case "running":
+		info.Status = StatusRunning
+	case "exited", "stopped", "created":
+		info.Status = StatusStopped
+	default:
+		info.Status = StatusUnknown
+	}
+
+	info.StartedAt = inspect.State.StartedAt
+	info.IPAddress = inspect.NetworkSettings.IPAddress
+
+	return info, nil
+}
+
+// Exec executes a command inside a container
+func (r *DockerRuntime) Exec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error) {
+	containerName := r.containerName(name)
+
+	args := []string{"exec"}
+
+	if opts.Interactive {
+		args = append(args, "-it")
+	}
+
+	if opts.User != "" {
+		args = append(args, "-u", opts.User)
+	}
+
+	if opts.WorkingDir != "" {
+		args = append(args, "-w", opts.WorkingDir)
+	}
+
+	for _, env := range opts.Env {
+		args = append(args, "-e", env)
+	}
+
+	args = append(args, containerName)
+	args = append(args, command...)
+
+	cmd := exec.CommandContext(ctx, r.Command, args...)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if opts.Stdin != nil {
+		cmd.Stdin = opts.Stdin
+	}
+
+	err := cmd.Run()
+
+	result := &ExecResult{
+		Stdout: stdout.String(),
+		Stderr: stderr.String(),
+	}
+
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			result.ExitCode = exitErr.ExitCode()
+		} else {
+			return result, fmt.Errorf("exec failed: %w", err)
+		}
+	}
+
+	return result, nil
+}
+
+// ExecInteractive executes a command with an interactive TTY
+func (r *DockerRuntime) ExecInteractive(ctx context.Context, name string, command []string, opts ExecOptions) error {
+	containerName := r.containerName(name)
+
+	cmdPath, err := exec.LookPath(r.Command)
+	if err != nil {
+		return fmt.Errorf("%s not found: %w", r.Command, err)
+	}
+
+	args := []string{r.Command, "exec", "-it"}
+
+	if opts.User != "" {
+		args = append(args, "-u", opts.User)
+	}
+
+	if opts.WorkingDir != "" {
+		args = append(args, "-w", opts.WorkingDir)
+	}
+
+	args = append(args, containerName)
+	args = append(args, command...)
+
+	return syscall.Exec(cmdPath, args, system.SafeEnviron())
+}
+
+// List returns all containers managed by this runtime
+func (r *DockerRuntime) List(ctx context.Context) ([]*ContainerInfo, error) {
+	// Build reverse mapping: container name → sandbox name from metadata
+	reverseMap := buildContainerReverseMap(r.SandboxesDir)
+
+	// List all containers (both legacy prefix-named and new short-named)
+	output, err := r.runCmd(ctx, "ps", "-a", "--format", "{{.Names}}")
+	if err != nil {
+		return nil, err
+	}
+
+	var containers []*ContainerInfo
+	lines := strings.Split(strings.TrimSpace(output), "\n")
+
+	for _, name := range lines {
+		if name == "" {
+			continue
+		}
+
+		var sandboxName string
+		if sn, ok := reverseMap[name]; ok {
+			sandboxName = sn
+		} else if strings.HasPrefix(name, r.ContainerPrefix) {
+			// Legacy fallback: strip prefix
+			sandboxName = strings.TrimPrefix(name, r.ContainerPrefix)
+		} else {
+			continue // Not a forage container
+		}
+
+		info, _ := r.Status(ctx, sandboxName)
+		if info != nil {
+			containers = append(containers, info)
+		}
+	}
+
+	return containers, nil
+}
+
+// ContainerInfo returns information about the container environment.
+func (r *DockerRuntime) ContainerInfo() SandboxContainerInfo {
+	return DefaultContainerInfo()
+}
+
+// GracefulStop uses docker/podman stop with a configurable timeout.
+func (r *DockerRuntime) GracefulStop(ctx context.Context, name string, timeout time.Duration) error {
+	containerName := r.containerName(name)
+	logging.Debug("graceful stop", "container", containerName, "timeout", timeout)
+
+	seconds := int(timeout.Seconds())
+	if seconds < 1 {
+		seconds = 1
+	}
+
+	_, err := r.runCmd(ctx, "stop", "--time", fmt.Sprintf("%d", seconds), containerName)
+	return err
+}
+
+// Capabilities returns the capabilities of Docker/Podman runtimes.
+// Docker/Podman lack NixOS config generation, network isolation (nftables-based),
+// and SSH access.
+func (r *DockerRuntime) Capabilities() Capabilities {
+	return Capabilities{
+		NixOSConfig:      false,
+		NetworkIsolation: false,
+		EphemeralRoot:    true,
+		SSHAccess:        false,
+		GeneratedFiles:   true,
+		ResourceLimits:   true,
+		GracefulShutdown: true,
+	}
+}
+
+// Ensure DockerRuntime implements Runtime, GeneratedFileRuntime, CapableRuntime, and GracefulStopper
+var _ Runtime = (*DockerRuntime)(nil)
+var _ GeneratedFileRuntime = (*DockerRuntime)(nil)
+var _ CapableRuntime = (*DockerRuntime)(nil)
+var _ GracefulStopper = (*DockerRuntime)(nil)
diff --git a/packages/forage-ctl/internal/runtime/docker_test.go b/packages/forage-ctl/internal/runtime/docker_test.go
new file mode 100644
index 0000000..8641ca6
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/docker_test.go
@@ -0,0 +1,155 @@
+package runtime
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+func TestDockerRuntime_Name(t *testing.T) {
+	rt := &DockerRuntime{
+		Command:         "docker",
+		ContainerPrefix: "forage-",
+	}
+
+	if rt.Name() != "docker" {
+		t.Errorf("Name() = %q, want %q", rt.Name(), "docker")
+	}
+
+	rt.Command = "podman"
+	if rt.Name() != "podman" {
+		t.Errorf("Name() = %q, want %q", rt.Name(), "podman")
+	}
+}
+
+func TestDockerRuntime_containerName_Fallback(t *testing.T) {
+	// Without SandboxesDir, falls back to prefix + name
+	rt := &DockerRuntime{
+		Command:         "docker",
+		ContainerPrefix: "forage-",
+	}
+
+	tests := []struct {
+		sandboxName string
+		want        string
+	}{
+		{"myproject", "forage-myproject"},
+		{"test-123", "forage-test-123"},
+		{"", "forage-"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.sandboxName, func(t *testing.T) {
+			got := rt.containerName(tt.sandboxName)
+			if got != tt.want {
+				t.Errorf("containerName(%q) = %q, want %q", tt.sandboxName, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestDockerRuntime_containerName_FromMetadata(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	meta := &config.SandboxMetadata{
+		Name:          "review",
+		Template:      "test",
+		NetworkSlot:   5,
+		ContainerName: "f5",
+	}
+	if err := config.SaveSandboxMetadata(tmpDir, meta); err != nil {
+		t.Fatalf("Failed to save metadata: %v", err)
+	}
+
+	rt := &DockerRuntime{
+		Command:         "docker",
+		ContainerPrefix: "forage-",
+		SandboxesDir:    tmpDir,
+	}
+
+	got := rt.containerName("review")
+	if got != "f5" {
+		t.Errorf("containerName(%q) = %q, want %q", "review", got, "f5")
+	}
+}
+
+func TestDockerRuntime_containerName_CustomPrefix(t *testing.T) {
+	rt := &DockerRuntime{
+		Command:         "docker",
+		ContainerPrefix: "custom-prefix-",
+	}
+
+	got := rt.containerName("sandbox")
+	want := "custom-prefix-sandbox"
+	if got != want {
+		t.Errorf("containerName with custom prefix = %q, want %q", got, want)
+	}
+}
+
+func TestDockerRuntime_Interface(t *testing.T) {
+	// Ensure DockerRuntime implements Runtime interface
+	var _ Runtime = (*DockerRuntime)(nil)
+}
+
+func TestDockerInspect_Parse(t *testing.T) {
+	// Test that dockerInspect struct can parse expected JSON
+	jsonData := `[{
+		"State": {
+			"Status": "running",
+			"Running": true,
+			"StartedAt": "2024-01-01T00:00:00Z"
+		},
+		"NetworkSettings": {
+			"IPAddress": "172.17.0.2"
+		}
+	}]`
+
+	var inspects []dockerInspect
+	if err := json.Unmarshal([]byte(jsonData), &inspects); err != nil {
+		t.Fatalf("Failed to parse dockerInspect: %v", err)
+	}
+
+	if len(inspects) != 1 {
+		t.Fatalf("Expected 1 inspect result, got %d", len(inspects))
+	}
+
+	inspect := inspects[0]
+	if inspect.State.Status != "running" {
+		t.Errorf("State.Status = %q, want %q", inspect.State.Status, "running")
+	}
+	if !inspect.State.Running {
+		t.Error("State.Running = false, want true")
+	}
+	if inspect.State.StartedAt != "2024-01-01T00:00:00Z" {
+		t.Errorf("State.StartedAt = %q, want %q", inspect.State.StartedAt, "2024-01-01T00:00:00Z")
+	}
+	if inspect.NetworkSettings.IPAddress != "172.17.0.2" {
+		t.Errorf("NetworkSettings.IPAddress = %q, want %q", inspect.NetworkSettings.IPAddress, "172.17.0.2")
+	}
+}
+
+func TestDockerRuntime_Status_NotFound(t *testing.T) {
+	// Test that Status returns NotFound for missing container
+	// This is a unit test that doesn't require docker
+	rt := &DockerRuntime{
+		Command:         "docker",
+		ContainerPrefix: "forage-",
+	}
+
+	// We can't easily test this without mocking exec, but we can verify the
+	// interface is implemented correctly
+	info, err := rt.Status(context.Background(), "nonexistent-container-that-should-not-exist-12345")
+
+	// This will fail because docker isn't running in test, but we verify the return type
+	if info == nil && err != nil {
+		// Expected - docker command failed
+		t.Skip("Skipping - docker not available")
+	}
+
+	// If docker is available, verify return type
+	if info != nil && info.Status == StatusNotFound {
+		// Correct behavior
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/exec_test.go b/packages/forage-ctl/internal/runtime/exec_test.go
new file mode 100644
index 0000000..b644667
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/exec_test.go
@@ -0,0 +1,310 @@
+package runtime
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	shellquote "github.com/kballard/go-shellquote"
+)
+
+func TestExecShell(t *testing.T) {
+	ctx := context.Background()
+	mock := NewMockRuntime()
+	mock.AddContainer("test", StatusRunning)
+
+	t.Run("passes script as sh -c to Exec", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+
+		script := "echo hello && echo world"
+		result, err := ExecShell(ctx, mock, "test", script, ExecOptions{})
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if result.ExitCode != 0 {
+			t.Fatalf("unexpected exit code: %d", result.ExitCode)
+		}
+
+		calls := mock.GetCallsFor("Exec")
+		if len(calls) != 1 {
+			t.Fatalf("expected 1 Exec call, got %d", len(calls))
+		}
+		cmd := calls[0].Args[1].([]string)
+		if len(cmd) != 3 || cmd[0] != "sh" || cmd[1] != "-c" || cmd[2] != script {
+			t.Errorf("expected [sh -c %q], got %v", script, cmd)
+		}
+	})
+
+	t.Run("forwards exec options", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+
+		opts := ExecOptions{User: "root", WorkingDir: "/tmp"}
+		ExecShell(ctx, mock, "test", "ls", opts)
+
+		calls := mock.GetCallsFor("Exec")
+		if len(calls) != 1 {
+			t.Fatalf("expected 1 Exec call, got %d", len(calls))
+		}
+		gotOpts := calls[0].Args[2].(ExecOptions)
+		if gotOpts.User != "root" {
+			t.Errorf("expected User=root, got %q", gotOpts.User)
+		}
+		if gotOpts.WorkingDir != "/tmp" {
+			t.Errorf("expected WorkingDir=/tmp, got %q", gotOpts.WorkingDir)
+		}
+	})
+
+	t.Run("propagates errors", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+		mock.SetError("Exec", context.DeadlineExceeded)
+
+		_, err := ExecShell(ctx, mock, "test", "sleep 999", ExecOptions{})
+		if err != context.DeadlineExceeded {
+			t.Errorf("expected DeadlineExceeded, got %v", err)
+		}
+	})
+
+	t.Run("handles complex shell expressions", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+
+		script := `if tmux has-session -t forage 2>/dev/null; then tmux -CC attach-session -t forage; else tmux -CC new-session -s forage -c /workspace; fi`
+		ExecShell(ctx, mock, "test", script, ExecOptions{})
+
+		calls := mock.GetCallsFor("Exec")
+		cmd := calls[0].Args[1].([]string)
+		if cmd[2] != script {
+			t.Errorf("script was modified:\n  got:  %s\n  want: %s", cmd[2], script)
+		}
+	})
+
+	t.Run("handles multiline scripts", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+
+		script := "set -e\ntmux new-session -d -s forage\ntrue"
+		ExecShell(ctx, mock, "test", script, ExecOptions{})
+
+		calls := mock.GetCallsFor("Exec")
+		cmd := calls[0].Args[1].([]string)
+		if cmd[2] != script {
+			t.Errorf("multiline script was modified:\n  got:  %q\n  want: %q", cmd[2], script)
+		}
+	})
+}
+
+func TestExecShellInteractive(t *testing.T) {
+	ctx := context.Background()
+	mock := NewMockRuntime()
+
+	t.Run("passes script as sh -c to ExecInteractive", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+
+		script := "tmux attach-session -t forage || tmux new-session -s forage"
+		err := ExecShellInteractive(ctx, mock, "test", script, ExecOptions{})
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		calls := mock.GetCallsFor("ExecInteractive")
+		if len(calls) != 1 {
+			t.Fatalf("expected 1 ExecInteractive call, got %d", len(calls))
+		}
+		cmd := calls[0].Args[1].([]string)
+		if len(cmd) != 3 || cmd[0] != "sh" || cmd[1] != "-c" || cmd[2] != script {
+			t.Errorf("expected [sh -c %q], got %v", script, cmd)
+		}
+	})
+
+	t.Run("propagates errors", func(t *testing.T) {
+		mock.Reset()
+		mock.AddContainer("test", StatusRunning)
+		mock.SetError("ExecInteractive", context.Canceled)
+
+		err := ExecShellInteractive(ctx, mock, "test", "tmux attach", ExecOptions{})
+		if err != context.Canceled {
+			t.Errorf("expected Canceled, got %v", err)
+		}
+	})
+}
+
+// buildExecArgs extracts the arg-building logic from AppleRuntime.Exec for
+// testability. It returns the args slice that would be passed to the container
+// CLI binary (excluding the binary path itself).
+func (r *AppleRuntime) buildExecArgs(sandboxName string, command []string, opts ExecOptions) []string {
+	containerName := r.containerName(sandboxName)
+
+	args := []string{"exec"}
+
+	if opts.Interactive {
+		args = append(args, "-i", "-t")
+	}
+
+	if opts.User != "" {
+		args = append(args, "-u", opts.User)
+	}
+
+	if opts.WorkingDir != "" {
+		args = append(args, "-w", opts.WorkingDir)
+	}
+
+	for _, env := range opts.Env {
+		args = append(args, "-e", env)
+	}
+
+	args = append(args, containerName)
+	args = append(args, "/bin/sh", "-c", shellquote.Join(command...))
+
+	return args
+}
+
+func TestAppleRuntime_ExecCommandConstruction(t *testing.T) {
+	rt := &AppleRuntime{
+		BinaryPath:      "/usr/bin/container",
+		ContainerPrefix: "forage-",
+	}
+
+	t.Run("token commands are shellquoted", func(t *testing.T) {
+		// ["ls", "/nix/store"] → shellquote.Join → "ls /nix/store"
+		args := rt.buildExecArgs("mybox", []string{"ls", "/nix/store"}, ExecOptions{})
+		assertArgsSuffix(t, args, "/bin/sh", "-c", "ls /nix/store")
+	})
+
+	t.Run("shell expressions via ExecShell are double-wrapped correctly", func(t *testing.T) {
+		// ExecShell passes ["sh", "-c", script] to Exec.
+		// shellquote.Join produces: sh -c '<script>'
+		// The outer /bin/sh -c runs: sh -c '<script>'
+		// The inner sh interprets: <script>
+		script := `echo "hello world"`
+		args := rt.buildExecArgs("mybox", []string{"sh", "-c", script}, ExecOptions{})
+		assertArgsSuffix(t, args, "/bin/sh", "-c", `sh -c 'echo "hello world"'`)
+	})
+
+	t.Run("complex tmux attach command survives quoting", func(t *testing.T) {
+		script := `if tmux has-session -t forage 2>/dev/null; then tmux -CC attach-session -t forage; else tmux -CC new-session -s forage -c /workspace; fi`
+		args := rt.buildExecArgs("mybox", []string{"sh", "-c", script}, ExecOptions{})
+		shC := findShellArg(args)
+		if shC == "" {
+			t.Fatal("no /bin/sh -c found in args")
+		}
+		// The outer shell command must contain the full script text
+		// (wrapped inside the inner sh -c)
+		if !strings.Contains(shC, "if tmux has-session") {
+			t.Errorf("shell command doesn't contain tmux expression:\n  %s", shC)
+		}
+		if !strings.Contains(shC, "tmux -CC new-session") {
+			t.Errorf("shell command doesn't contain new-session fallback:\n  %s", shC)
+		}
+	})
+
+	t.Run("multiline init script survives quoting", func(t *testing.T) {
+		script := "              tmux new-session -d -s forage -c /workspace -n main\n              tmux set-option -w -t forage:main automatic-rename off\n              true"
+		args := rt.buildExecArgs("mybox", []string{"sh", "-c", script}, ExecOptions{})
+		shC := findShellArg(args)
+		if shC == "" {
+			t.Fatal("no /bin/sh -c found in args")
+		}
+		if !strings.Contains(shC, "tmux new-session") {
+			t.Errorf("shell command doesn't contain tmux new-session:\n  %s", shC)
+		}
+	})
+
+	t.Run("user option", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{"whoami"}, ExecOptions{User: "root"})
+		assertArgsPair(t, args, "-u", "root")
+	})
+
+	t.Run("working directory option", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{"pwd"}, ExecOptions{WorkingDir: "/workspace"})
+		assertArgsPair(t, args, "-w", "/workspace")
+	})
+
+	t.Run("environment variables", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{"env"}, ExecOptions{Env: []string{"FOO=bar", "BAZ=qux"}})
+		assertArgsPair(t, args, "-e", "FOO=bar")
+		assertArgsPair(t, args, "-e", "BAZ=qux")
+	})
+
+	t.Run("container name uses prefix", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{"echo"}, ExecOptions{})
+		assertArgsHas(t, args, "forage-mybox")
+	})
+
+	t.Run("special characters in arguments are escaped", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{"echo", "hello world", "$HOME"}, ExecOptions{})
+		shC := findShellArg(args)
+		if shC == "" {
+			t.Fatal("no /bin/sh -c found in args")
+		}
+		// shellquote.Join should quote the space-containing arg and escape $
+		if !strings.Contains(shC, "hello world") {
+			t.Errorf("expected 'hello world' in shell cmd: %s", shC)
+		}
+	})
+
+	t.Run("empty command array", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{}, ExecOptions{})
+		shC := findShellArg(args)
+		// shellquote.Join of empty slice produces ""
+		if shC != "" {
+			t.Errorf("expected empty shell command for empty command array, got %q", shC)
+		}
+	})
+
+	t.Run("interactive flag", func(t *testing.T) {
+		args := rt.buildExecArgs("mybox", []string{"bash"}, ExecOptions{Interactive: true})
+		assertArgsPair(t, args, "-i", "-t")
+	})
+}
+
+// --- test helpers ---
+
+// findShellArg returns the argument following "/bin/sh -c" in args.
+func findShellArg(args []string) string {
+	for i, a := range args {
+		if a == "/bin/sh" && i+2 < len(args) && args[i+1] == "-c" {
+			return args[i+2]
+		}
+	}
+	return ""
+}
+
+// assertArgsSuffix checks that args ends with the given values.
+func assertArgsSuffix(t *testing.T, args []string, suffix ...string) {
+	t.Helper()
+	if len(args) < len(suffix) {
+		t.Fatalf("args too short: %v, expected suffix %v", args, suffix)
+	}
+	tail := args[len(args)-len(suffix):]
+	for i, s := range suffix {
+		if tail[i] != s {
+			t.Errorf("args[%d] = %q, want %q\n  full args: %v", len(args)-len(suffix)+i, tail[i], s, args)
+		}
+	}
+}
+
+// assertArgsPair checks that the consecutive pair [key, value] appears in args.
+func assertArgsPair(t *testing.T, args []string, key, value string) {
+	t.Helper()
+	for i := 0; i < len(args)-1; i++ {
+		if args[i] == key && args[i+1] == value {
+			return
+		}
+	}
+	t.Errorf("args %v does not contain [%q, %q]", args, key, value)
+}
+
+// assertArgsHas checks that value appears somewhere in args.
+func assertArgsHas(t *testing.T, args []string, value string) {
+	t.Helper()
+	for _, a := range args {
+		if a == value {
+			return
+		}
+	}
+	t.Errorf("args %v does not contain %q", args, value)
+}
diff --git a/packages/forage-ctl/internal/runtime/global.go b/packages/forage-ctl/internal/runtime/global.go
new file mode 100644
index 0000000..cef5a9d
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/global.go
@@ -0,0 +1,104 @@
+package runtime
+
+import (
+	"context"
+	"sync"
+)
+
+var (
+	globalRuntime Runtime
+	globalMu      sync.RWMutex
+	initOnce      sync.Once
+)
+
+// Global returns the global runtime instance.
+// It initializes the runtime on first call using auto-detection.
+func Global() Runtime {
+	globalMu.RLock()
+	if globalRuntime != nil {
+		defer globalMu.RUnlock()
+		return globalRuntime
+	}
+	globalMu.RUnlock()
+
+	// Initialize with auto-detection
+	initOnce.Do(func() {
+		rt, err := New(nil)
+		if err != nil {
+			// Return nil - caller should handle
+			return
+		}
+		SetGlobal(rt)
+	})
+
+	globalMu.RLock()
+	defer globalMu.RUnlock()
+	return globalRuntime
+}
+
+// SetGlobal sets the global runtime instance.
+// This should be called early in main() if you want to override auto-detection.
+func SetGlobal(rt Runtime) {
+	globalMu.Lock()
+	defer globalMu.Unlock()
+	globalRuntime = rt
+}
+
+// InitGlobal initializes the global runtime with the given config.
+// Returns an error if runtime creation fails.
+func InitGlobal(cfg *Config) error {
+	rt, err := New(cfg)
+	if err != nil {
+		return err
+	}
+	SetGlobal(rt)
+	return nil
+}
+
+// Helper functions that use the global runtime
+
+// IsRunning checks if a container is running using the global runtime
+func IsRunning(ctx context.Context, name string) bool {
+	rt := Global()
+	if rt == nil {
+		return false
+	}
+	running, _ := rt.IsRunning(ctx, name)
+	return running
+}
+
+// Destroy destroys a container using the global runtime
+func Destroy(ctx context.Context, name string) error {
+	rt := Global()
+	if rt == nil {
+		return nil
+	}
+	return rt.Destroy(ctx, name)
+}
+
+// Start starts a container using the global runtime
+func Start(ctx context.Context, name string) error {
+	rt := Global()
+	if rt == nil {
+		return nil
+	}
+	return rt.Start(ctx, name)
+}
+
+// Stop stops a container using the global runtime
+func Stop(ctx context.Context, name string) error {
+	rt := Global()
+	if rt == nil {
+		return nil
+	}
+	return rt.Stop(ctx, name)
+}
+
+// Create creates a container using the global runtime
+func Create(ctx context.Context, opts CreateOptions) error {
+	rt := Global()
+	if rt == nil {
+		return nil
+	}
+	return rt.Create(ctx, opts)
+}
diff --git a/packages/forage-ctl/internal/runtime/mock.go b/packages/forage-ctl/internal/runtime/mock.go
new file mode 100644
index 0000000..9aaec83
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/mock.go
@@ -0,0 +1,324 @@
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+// MockRuntime is a mock implementation of Runtime for testing
+type MockRuntime struct {
+	mu sync.RWMutex
+
+	// Containers tracks the state of mock containers
+	Containers map[string]*ContainerInfo
+
+	// ExecResults maps container names to predefined exec results
+	ExecResults map[string]*ExecResult
+
+	// Errors allows injecting errors for specific operations
+	Errors map[string]error
+
+	// CallLog records all method calls for verification
+	CallLog []MockCall
+
+	// SandboxContainerInfo is returned by ContainerInfo()
+	SandboxContainerInfoValue SandboxContainerInfo
+
+	// GeneratedFileMounter handles MountGeneratedFile calls
+	GeneratedFileMounter GeneratedFileMounter
+}
+
+// MockCall represents a recorded method call
+type MockCall struct {
+	Method string
+	Args   []interface{}
+}
+
+// NewMockRuntime creates a new mock runtime
+func NewMockRuntime() *MockRuntime {
+	return &MockRuntime{
+		Containers:  make(map[string]*ContainerInfo),
+		ExecResults: make(map[string]*ExecResult),
+		Errors:      make(map[string]error),
+		CallLog:     make([]MockCall, 0),
+	}
+}
+
+func (m *MockRuntime) record(method string, args ...interface{}) {
+	m.CallLog = append(m.CallLog, MockCall{Method: method, Args: args})
+}
+
+// SetError sets an error to be returned for a specific operation
+func (m *MockRuntime) SetError(operation string, err error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.Errors[operation] = err
+}
+
+// SetExecResult sets the result for exec operations on a container
+func (m *MockRuntime) SetExecResult(name string, result *ExecResult) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.ExecResults[name] = result
+}
+
+// AddContainer adds a container to the mock
+func (m *MockRuntime) AddContainer(name string, status ContainerStatus) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.Containers[name] = &ContainerInfo{
+		Name:   name,
+		Status: status,
+	}
+}
+
+// GetCalls returns all recorded calls
+func (m *MockRuntime) GetCalls() []MockCall {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	calls := make([]MockCall, len(m.CallLog))
+	copy(calls, m.CallLog)
+	return calls
+}
+
+// GetCallsFor returns all calls for a specific method
+func (m *MockRuntime) GetCallsFor(method string) []MockCall {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	var calls []MockCall
+	for _, call := range m.CallLog {
+		if call.Method == method {
+			calls = append(calls, call)
+		}
+	}
+	return calls
+}
+
+// Reset clears all state
+func (m *MockRuntime) Reset() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.Containers = make(map[string]*ContainerInfo)
+	m.ExecResults = make(map[string]*ExecResult)
+	m.Errors = make(map[string]error)
+	m.CallLog = make([]MockCall, 0)
+}
+
+// Name returns the runtime identifier
+func (m *MockRuntime) Name() string {
+	return "mock"
+}
+
+// Create creates a new container
+func (m *MockRuntime) Create(ctx context.Context, opts CreateOptions) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("Create", opts)
+
+	if err, ok := m.Errors["Create"]; ok {
+		return err
+	}
+
+	status := StatusStopped
+	if opts.Start {
+		status = StatusRunning
+	}
+
+	m.Containers[opts.Name] = &ContainerInfo{
+		Name:   opts.Name,
+		Status: status,
+	}
+
+	return nil
+}
+
+// Start starts an existing container
+func (m *MockRuntime) Start(ctx context.Context, name string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("Start", name)
+
+	if err, ok := m.Errors["Start"]; ok {
+		return err
+	}
+
+	if container, ok := m.Containers[name]; ok {
+		container.Status = StatusRunning
+		return nil
+	}
+
+	return fmt.Errorf("container not found: %s", name)
+}
+
+// Stop stops a running container
+func (m *MockRuntime) Stop(ctx context.Context, name string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("Stop", name)
+
+	if err, ok := m.Errors["Stop"]; ok {
+		return err
+	}
+
+	if container, ok := m.Containers[name]; ok {
+		container.Status = StatusStopped
+		return nil
+	}
+
+	return fmt.Errorf("container not found: %s", name)
+}
+
+// Destroy stops and removes a container
+func (m *MockRuntime) Destroy(ctx context.Context, name string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("Destroy", name)
+
+	if err, ok := m.Errors["Destroy"]; ok {
+		return err
+	}
+
+	delete(m.Containers, name)
+	return nil
+}
+
+// IsRunning checks if a container is currently running
+func (m *MockRuntime) IsRunning(ctx context.Context, name string) (bool, error) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	m.record("IsRunning", name)
+
+	if err, ok := m.Errors["IsRunning"]; ok {
+		return false, err
+	}
+
+	if container, ok := m.Containers[name]; ok {
+		return container.Status == StatusRunning, nil
+	}
+
+	return false, nil
+}
+
+// Status returns detailed status of a container
+func (m *MockRuntime) Status(ctx context.Context, name string) (*ContainerInfo, error) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	m.record("Status", name)
+
+	if err, ok := m.Errors["Status"]; ok {
+		return nil, err
+	}
+
+	if container, ok := m.Containers[name]; ok {
+		return container, nil
+	}
+
+	return &ContainerInfo{Name: name, Status: StatusNotFound}, nil
+}
+
+// Exec executes a command inside a container
+func (m *MockRuntime) Exec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	m.record("Exec", name, command, opts)
+
+	if err, ok := m.Errors["Exec"]; ok {
+		return nil, err
+	}
+
+	if result, ok := m.ExecResults[name]; ok {
+		return result, nil
+	}
+
+	return &ExecResult{ExitCode: 0, Stdout: "", Stderr: ""}, nil
+}
+
+// ExecInteractive executes a command with an interactive TTY
+func (m *MockRuntime) ExecInteractive(ctx context.Context, name string, command []string, opts ExecOptions) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("ExecInteractive", name, command, opts)
+
+	if err, ok := m.Errors["ExecInteractive"]; ok {
+		return err
+	}
+
+	return nil
+}
+
+// List returns all containers managed by this runtime
+func (m *MockRuntime) List(ctx context.Context) ([]*ContainerInfo, error) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	m.record("List")
+
+	if err, ok := m.Errors["List"]; ok {
+		return nil, err
+	}
+
+	var containers []*ContainerInfo
+	for _, container := range m.Containers {
+		containers = append(containers, container)
+	}
+
+	return containers, nil
+}
+
+// ContainerInfo returns the sandbox container info for generated file paths.
+func (m *MockRuntime) ContainerInfo() SandboxContainerInfo {
+	if m.SandboxContainerInfoValue != (SandboxContainerInfo{}) {
+		return m.SandboxContainerInfoValue
+	}
+	return DefaultContainerInfo()
+}
+
+// MountGeneratedFile stages a generated file for mounting into the container.
+func (m *MockRuntime) MountGeneratedFile(ctx context.Context, sandboxName string, file injection.GeneratedFile) (injection.Mount, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("MountGeneratedFile", sandboxName, file)
+
+	if err, ok := m.Errors["MountGeneratedFile"]; ok {
+		return injection.Mount{}, err
+	}
+
+	if m.GeneratedFileMounter.StagingDir != "" {
+		return m.GeneratedFileMounter.MountGeneratedFile(ctx, sandboxName, file)
+	}
+
+	// Default: return a simple mount without writing to disk
+	return injection.Mount{
+		HostPath:      fmt.Sprintf("/mock/staging/%s%s", sandboxName, file.ContainerPath),
+		ContainerPath: file.ContainerPath,
+		ReadOnly:      file.ReadOnly,
+	}, nil
+}
+
+// GracefulStop implements GracefulStopper for MockRuntime.
+func (m *MockRuntime) GracefulStop(ctx context.Context, name string, timeout time.Duration) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.record("GracefulStop", name, timeout)
+
+	if err, ok := m.Errors["GracefulStop"]; ok {
+		return err
+	}
+
+	if container, ok := m.Containers[name]; ok {
+		container.Status = StatusStopped
+		return nil
+	}
+
+	return fmt.Errorf("container not found: %s", name)
+}
+
+// Ensure MockRuntime implements Runtime, GeneratedFileRuntime, and GracefulStopper
+var (
+	_ Runtime              = (*MockRuntime)(nil)
+	_ GeneratedFileRuntime = (*MockRuntime)(nil)
+	_ GracefulStopper      = (*MockRuntime)(nil)
+)
diff --git a/packages/forage-ctl/internal/runtime/mock_test.go b/packages/forage-ctl/internal/runtime/mock_test.go
new file mode 100644
index 0000000..a3b8188
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/mock_test.go
@@ -0,0 +1,309 @@
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"testing"
+)
+
+func TestMockRuntime_Create(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	opts := CreateOptions{
+		Name:       "test-container",
+		ConfigPath: "/path/to/config.nix",
+		Start:      true,
+	}
+
+	err := mock.Create(ctx, opts)
+	if err != nil {
+		t.Fatalf("Create failed: %v", err)
+	}
+
+	// Verify container was created
+	info, _ := mock.Status(ctx, "test-container")
+	if info.Status != StatusRunning {
+		t.Errorf("Status = %v, want %v", info.Status, StatusRunning)
+	}
+
+	// Verify call was logged
+	calls := mock.GetCallsFor("Create")
+	if len(calls) != 1 {
+		t.Errorf("len(calls) = %d, want 1", len(calls))
+	}
+}
+
+func TestMockRuntime_CreateWithoutStart(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	opts := CreateOptions{
+		Name:  "test-container",
+		Start: false,
+	}
+
+	err := mock.Create(ctx, opts)
+	if err != nil {
+		t.Fatalf("Create failed: %v", err)
+	}
+
+	info, _ := mock.Status(ctx, "test-container")
+	if info.Status != StatusStopped {
+		t.Errorf("Status = %v, want %v", info.Status, StatusStopped)
+	}
+}
+
+func TestMockRuntime_CreateWithError(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	expectedErr := fmt.Errorf("creation failed")
+	mock.SetError("Create", expectedErr)
+
+	err := mock.Create(ctx, CreateOptions{Name: "test"})
+	if err != expectedErr {
+		t.Errorf("err = %v, want %v", err, expectedErr)
+	}
+}
+
+func TestMockRuntime_StartStop(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	// Add a stopped container
+	mock.AddContainer("test", StatusStopped)
+
+	// Start it
+	if err := mock.Start(ctx, "test"); err != nil {
+		t.Fatalf("Start failed: %v", err)
+	}
+
+	running, _ := mock.IsRunning(ctx, "test")
+	if !running {
+		t.Error("Container should be running after Start")
+	}
+
+	// Stop it
+	if err := mock.Stop(ctx, "test"); err != nil {
+		t.Fatalf("Stop failed: %v", err)
+	}
+
+	running, _ = mock.IsRunning(ctx, "test")
+	if running {
+		t.Error("Container should not be running after Stop")
+	}
+}
+
+func TestMockRuntime_StartNonexistent(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	err := mock.Start(ctx, "nonexistent")
+	if err == nil {
+		t.Error("Start should fail for nonexistent container")
+	}
+}
+
+func TestMockRuntime_Destroy(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("test", StatusRunning)
+
+	if err := mock.Destroy(ctx, "test"); err != nil {
+		t.Fatalf("Destroy failed: %v", err)
+	}
+
+	info, _ := mock.Status(ctx, "test")
+	if info.Status != StatusNotFound {
+		t.Errorf("Status = %v, want %v", info.Status, StatusNotFound)
+	}
+}
+
+func TestMockRuntime_IsRunning(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("running", StatusRunning)
+	mock.AddContainer("stopped", StatusStopped)
+
+	tests := []struct {
+		name string
+		want bool
+	}{
+		{"running", true},
+		{"stopped", false},
+		{"nonexistent", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			running, err := mock.IsRunning(ctx, tt.name)
+			if err != nil {
+				t.Fatalf("IsRunning failed: %v", err)
+			}
+			if running != tt.want {
+				t.Errorf("IsRunning(%q) = %v, want %v", tt.name, running, tt.want)
+			}
+		})
+	}
+}
+
+func TestMockRuntime_Status(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("test", StatusRunning)
+
+	info, err := mock.Status(ctx, "test")
+	if err != nil {
+		t.Fatalf("Status failed: %v", err)
+	}
+
+	if info.Name != "test" {
+		t.Errorf("Name = %q, want %q", info.Name, "test")
+	}
+	if info.Status != StatusRunning {
+		t.Errorf("Status = %v, want %v", info.Status, StatusRunning)
+	}
+}
+
+func TestMockRuntime_Exec(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("test", StatusRunning)
+	mock.SetExecResult("test", &ExecResult{
+		ExitCode: 0,
+		Stdout:   "hello world",
+		Stderr:   "",
+	})
+
+	result, err := mock.Exec(ctx, "test", []string{"echo", "hello"}, ExecOptions{})
+	if err != nil {
+		t.Fatalf("Exec failed: %v", err)
+	}
+
+	if result.Stdout != "hello world" {
+		t.Errorf("Stdout = %q, want %q", result.Stdout, "hello world")
+	}
+	if result.ExitCode != 0 {
+		t.Errorf("ExitCode = %d, want 0", result.ExitCode)
+	}
+}
+
+func TestMockRuntime_ExecDefault(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("test", StatusRunning)
+
+	// Without setting a result, should return default
+	result, err := mock.Exec(ctx, "test", []string{"command"}, ExecOptions{})
+	if err != nil {
+		t.Fatalf("Exec failed: %v", err)
+	}
+
+	if result.ExitCode != 0 {
+		t.Errorf("ExitCode = %d, want 0", result.ExitCode)
+	}
+	if result.Stdout != "" {
+		t.Errorf("Stdout = %q, want empty", result.Stdout)
+	}
+}
+
+func TestMockRuntime_List(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("container-1", StatusRunning)
+	mock.AddContainer("container-2", StatusStopped)
+	mock.AddContainer("container-3", StatusRunning)
+
+	containers, err := mock.List(ctx)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+
+	if len(containers) != 3 {
+		t.Errorf("len(containers) = %d, want 3", len(containers))
+	}
+}
+
+func TestMockRuntime_GetCalls(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.Create(ctx, CreateOptions{Name: "test1"})
+	mock.Create(ctx, CreateOptions{Name: "test2"})
+	mock.Start(ctx, "test1")
+
+	calls := mock.GetCalls()
+	if len(calls) != 3 {
+		t.Errorf("len(calls) = %d, want 3", len(calls))
+	}
+
+	createCalls := mock.GetCallsFor("Create")
+	if len(createCalls) != 2 {
+		t.Errorf("len(createCalls) = %d, want 2", len(createCalls))
+	}
+
+	startCalls := mock.GetCallsFor("Start")
+	if len(startCalls) != 1 {
+		t.Errorf("len(startCalls) = %d, want 1", len(startCalls))
+	}
+}
+
+func TestMockRuntime_Reset(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	mock.AddContainer("test", StatusRunning)
+	mock.SetError("Create", fmt.Errorf("error"))
+	mock.Create(ctx, CreateOptions{Name: "another"})
+
+	// Reset
+	mock.Reset()
+
+	// Verify everything is cleared
+	containers, _ := mock.List(ctx)
+	if len(containers) != 0 {
+		t.Errorf("len(containers) = %d, want 0 after reset", len(containers))
+	}
+
+	// Note: List() call from above should be recorded after Reset
+	if len(mock.CallLog) != 1 { // Just the List call after Reset
+		t.Errorf("len(CallLog) = %d after reset + List", len(mock.CallLog))
+	}
+
+	// Error should be cleared
+	err := mock.Create(ctx, CreateOptions{Name: "test"})
+	if err != nil {
+		t.Errorf("Create should succeed after reset: %v", err)
+	}
+}
+
+func TestMockRuntime_Name(t *testing.T) {
+	mock := NewMockRuntime()
+	if mock.Name() != "mock" {
+		t.Errorf("Name() = %q, want %q", mock.Name(), "mock")
+	}
+}
+
+func TestMockRuntime_ExecInteractive(t *testing.T) {
+	mock := NewMockRuntime()
+	ctx := context.Background()
+
+	err := mock.ExecInteractive(ctx, "test", []string{"bash"}, ExecOptions{})
+	if err != nil {
+		t.Errorf("ExecInteractive should not error: %v", err)
+	}
+
+	// With error
+	mock.SetError("ExecInteractive", fmt.Errorf("tty error"))
+	err = mock.ExecInteractive(ctx, "test", []string{"bash"}, ExecOptions{})
+	if err == nil {
+		t.Error("ExecInteractive should return injected error")
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/mounts.go b/packages/forage-ctl/internal/runtime/mounts.go
new file mode 100644
index 0000000..bad5fee
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/mounts.go
@@ -0,0 +1,253 @@
+// Package runtime provides container runtime implementations.
+// This file defines the unified bind mount interface.
+package runtime
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	goruntime "runtime"
+)
+
+// MountType specifies how a path is mounted into the container
+type MountType string
+
+const (
+	// MountBind creates a bind mount from host to container
+	MountBind MountType = "bind"
+	// MountVolume uses a named volume (Docker/Podman only)
+	MountVolume MountType = "volume"
+	// MountTmpfs creates a tmpfs mount
+	MountTmpfs MountType = "tmpfs"
+)
+
+// Mount represents a filesystem mount in a container
+type Mount struct {
+	// Type is the mount type (bind, volume, tmpfs)
+	Type MountType
+
+	// Source is the host path (for bind) or volume name (for volume)
+	Source string
+
+	// Target is the path inside the container
+	Target string
+
+	// ReadOnly makes the mount read-only
+	ReadOnly bool
+
+	// Options are additional mount options (runtime-specific)
+	Options map[string]string
+}
+
+// StandardMounts returns the standard mounts required for a sandbox.
+// This includes nix store, workspace, secrets, etc.
+type StandardMounts struct {
+	// NixStore is the nix store mount
+	NixStore *Mount
+
+	// NixDaemonSocket is the nix daemon socket for builds
+	NixDaemonSocket *Mount
+
+	// Workspace is the project workspace mount
+	Workspace *Mount
+
+	// Secrets is the secrets directory mount
+	Secrets *Mount
+
+	// SourceRepo is for jj/git workspace mode (.jj or .git directory)
+	SourceRepo *Mount
+}
+
+// NewStandardMounts creates the standard mounts for a sandbox
+func NewStandardMounts(workspace, secretsPath, sourceRepo string) *StandardMounts {
+	mounts := &StandardMounts{
+		NixStore: &Mount{
+			Type:     MountBind,
+			Source:   "/nix/store",
+			Target:   "/nix/store",
+			ReadOnly: true,
+		},
+		NixDaemonSocket: &Mount{
+			Type:   MountBind,
+			Source: "/nix/var/nix/daemon-socket",
+			Target: "/nix/var/nix/daemon-socket",
+		},
+		Workspace: &Mount{
+			Type:   MountBind,
+			Source: workspace,
+			Target: "/workspace",
+		},
+		Secrets: &Mount{
+			Type:     MountBind,
+			Source:   secretsPath,
+			Target:   "/run/secrets",
+			ReadOnly: true,
+		},
+	}
+
+	// For jj/git workspace mode, mount the source repo's VCS directory
+	if sourceRepo != "" {
+		jjPath := filepath.Join(sourceRepo, ".jj")
+		if _, err := os.Stat(jjPath); err == nil {
+			mounts.SourceRepo = &Mount{
+				Type:   MountBind,
+				Source: jjPath,
+				Target: jjPath, // Same path to preserve symlinks
+			}
+		} else {
+			// Check for .git
+			gitPath := filepath.Join(sourceRepo, ".git")
+			if _, err := os.Stat(gitPath); err == nil {
+				mounts.SourceRepo = &Mount{
+					Type:   MountBind,
+					Source: gitPath,
+					Target: gitPath,
+				}
+			}
+		}
+	}
+
+	return mounts
+}
+
+// ToNspawnConfig converts mounts to NixOS container config format
+func (m *StandardMounts) ToNspawnConfig() map[string]interface{} {
+	config := make(map[string]interface{})
+
+	addMount := func(mount *Mount) {
+		if mount == nil {
+			return
+		}
+		config[mount.Target] = map[string]interface{}{
+			"hostPath":   mount.Source,
+			"isReadOnly": mount.ReadOnly,
+		}
+	}
+
+	addMount(m.NixStore)
+	addMount(m.NixDaemonSocket)
+	addMount(m.Workspace)
+	addMount(m.Secrets)
+	addMount(m.SourceRepo)
+
+	return config
+}
+
+// ToDockerArgs converts mounts to Docker/Podman command line arguments
+func (m *StandardMounts) ToDockerArgs() []string {
+	var args []string
+
+	addMount := func(mount *Mount) {
+		if mount == nil {
+			return
+		}
+		mountStr := fmt.Sprintf("%s:%s", mount.Source, mount.Target)
+		if mount.ReadOnly {
+			mountStr += ":ro"
+		}
+		args = append(args, "-v", mountStr)
+	}
+
+	addMount(m.NixStore)
+	addMount(m.NixDaemonSocket)
+	addMount(m.Workspace)
+	addMount(m.Secrets)
+	addMount(m.SourceRepo)
+
+	return args
+}
+
+// ToAppleArgs converts mounts to Apple Container command line arguments
+func (m *StandardMounts) ToAppleArgs() []string {
+	var args []string
+
+	addMount := func(mount *Mount) {
+		if mount == nil {
+			return
+		}
+		mountStr := fmt.Sprintf("type=bind,source=%s,target=%s", mount.Source, mount.Target)
+		if mount.ReadOnly {
+			mountStr += ",readonly"
+		}
+		args = append(args, "--mount", mountStr)
+	}
+
+	addMount(m.NixStore)
+	addMount(m.NixDaemonSocket)
+	addMount(m.Workspace)
+	addMount(m.Secrets)
+	addMount(m.SourceRepo)
+
+	return args
+}
+
+// NixStoreStrategy describes how the nix store is shared with containers
+type NixStoreStrategy string
+
+const (
+	// NixStoreBindMount uses direct bind mount (NixOS, Linux with nix installed)
+	NixStoreBindMount NixStoreStrategy = "bind"
+
+	// NixStoreVolume uses a named Docker volume (for environments without nix)
+	NixStoreVolume NixStoreStrategy = "volume"
+
+	// NixStoreDeterminate uses Determinate Nix installer paths (macOS recommended)
+	NixStoreDeterminate NixStoreStrategy = "determinate"
+)
+
+// DetectNixStoreStrategy determines the best strategy for sharing the nix store
+func DetectNixStoreStrategy() NixStoreStrategy {
+	// Check if nix store exists at standard path
+	if _, err := os.Stat("/nix/store"); err == nil {
+		// Check for Determinate Nix (macOS)
+		if goruntime.GOOS == "darwin" {
+			// Determinate Nix uses a volume mounted at /nix
+			if _, err := os.Stat("/nix/.nix-netrc-file"); err == nil {
+				return NixStoreDeterminate
+			}
+		}
+		return NixStoreBindMount
+	}
+
+	// Fallback to volume (nix must be installed in container)
+	return NixStoreVolume
+}
+
+// PlatformMountConfig holds platform-specific mount configuration
+type PlatformMountConfig struct {
+	// NixStorePath is the nix store path (usually /nix/store)
+	NixStorePath string
+
+	// NixDaemonSocketPath is the daemon socket path
+	NixDaemonSocketPath string
+
+	// Strategy is how the nix store is shared
+	Strategy NixStoreStrategy
+
+	// UseBindMount indicates if bind mounts work on this platform
+	UseBindMount bool
+}
+
+// DetectPlatformMountConfig returns the mount configuration for the current platform
+func DetectPlatformMountConfig() *PlatformMountConfig {
+	config := &PlatformMountConfig{
+		NixStorePath:        "/nix/store",
+		NixDaemonSocketPath: "/nix/var/nix/daemon-socket",
+		Strategy:            DetectNixStoreStrategy(),
+		UseBindMount:        true,
+	}
+
+	switch goruntime.GOOS {
+	case "darwin":
+		// macOS may need special handling depending on nix installer
+		if config.Strategy == NixStoreDeterminate {
+			// Determinate Nix handles this correctly
+			config.UseBindMount = true
+		}
+	case "linux":
+		// Linux with nix works with bind mounts
+		config.UseBindMount = true
+	}
+
+	return config
+}
diff --git a/packages/forage-ctl/internal/runtime/mounts_test.go b/packages/forage-ctl/internal/runtime/mounts_test.go
new file mode 100644
index 0000000..2b4fb28
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/mounts_test.go
@@ -0,0 +1,104 @@
+package runtime
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestNewStandardMounts(t *testing.T) {
+	mounts := NewStandardMounts("/workspace/test", "/run/secrets/test", "")
+
+	if mounts.NixStore == nil {
+		t.Error("NixStore mount should not be nil")
+	}
+	if mounts.NixStore.Target != "/nix/store" {
+		t.Errorf("NixStore target = %s, want /nix/store", mounts.NixStore.Target)
+	}
+	if !mounts.NixStore.ReadOnly {
+		t.Error("NixStore should be read-only")
+	}
+
+	if mounts.Workspace == nil {
+		t.Error("Workspace mount should not be nil")
+	}
+	if mounts.Workspace.Source != "/workspace/test" {
+		t.Errorf("Workspace source = %s, want /workspace/test", mounts.Workspace.Source)
+	}
+	if mounts.Workspace.Target != "/workspace" {
+		t.Errorf("Workspace target = %s, want /workspace", mounts.Workspace.Target)
+	}
+
+	if mounts.Secrets == nil {
+		t.Error("Secrets mount should not be nil")
+	}
+	if !mounts.Secrets.ReadOnly {
+		t.Error("Secrets should be read-only")
+	}
+
+	// No source repo provided
+	if mounts.SourceRepo != nil {
+		t.Error("SourceRepo should be nil when no source repo provided")
+	}
+}
+
+func TestStandardMountsToDockerArgs(t *testing.T) {
+	mounts := NewStandardMounts("/workspace/test", "/run/secrets/test", "")
+	args := mounts.ToDockerArgs()
+
+	// Should have at least 4 mounts (nix store, daemon socket, workspace, secrets)
+	if len(args) < 8 { // Each mount is -v + value
+		t.Errorf("Expected at least 8 args, got %d", len(args))
+	}
+
+	// Check for nix store mount with :ro
+	found := false
+	for i := 0; i < len(args)-1; i++ {
+		if args[i] == "-v" && strings.Contains(args[i+1], "/nix/store") {
+			if !strings.HasSuffix(args[i+1], ":ro") {
+				t.Error("Nix store mount should be read-only")
+			}
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Error("Nix store mount not found in Docker args")
+	}
+}
+
+func TestStandardMountsToAppleArgs(t *testing.T) {
+	mounts := NewStandardMounts("/workspace/test", "/run/secrets/test", "")
+	args := mounts.ToAppleArgs()
+
+	// Should have at least 4 mounts
+	if len(args) < 8 { // Each mount is --mount + value
+		t.Errorf("Expected at least 8 args, got %d", len(args))
+	}
+
+	// Check for nix store mount with readonly
+	found := false
+	for i := 0; i < len(args)-1; i++ {
+		if args[i] == "--mount" && strings.Contains(args[i+1], "/nix/store") {
+			if !strings.Contains(args[i+1], "readonly") {
+				t.Error("Nix store mount should be read-only")
+			}
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Error("Nix store mount not found in Apple args")
+	}
+}
+
+func TestDetectPlatformMountConfig(t *testing.T) {
+	config := DetectPlatformMountConfig()
+
+	if config.NixStorePath != "/nix/store" {
+		t.Errorf("NixStorePath = %s, want /nix/store", config.NixStorePath)
+	}
+
+	if config.NixDaemonSocketPath != "/nix/var/nix/daemon-socket" {
+		t.Errorf("NixDaemonSocketPath = %s, want /nix/var/nix/daemon-socket", config.NixDaemonSocketPath)
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/nspawn.go b/packages/forage-ctl/internal/runtime/nspawn.go
new file mode 100644
index 0000000..b8ea355
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/nspawn.go
@@ -0,0 +1,671 @@
+package runtime
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	"go.opentelemetry.io/otel/attribute"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/generator"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/ssh"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/system"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+// NspawnRuntime implements the Runtime interface using systemd-nspawn
+// for NixOS systems. Container lifecycle (install, start, destroy) is
+// managed directly via systemd and symlinks into /etc/systemd-mutable/system.
+type NspawnRuntime struct {
+	// ContainerPrefix is prepended to sandbox names to form container names
+	ContainerPrefix string
+
+	// SandboxesDir is the directory containing sandbox metadata files
+	// Used for looking up SSH ports from persisted metadata
+	SandboxesDir string
+
+	// NixpkgsPath is the Nix store path to nixpkgs source.
+	// Used for nix-build of container configurations.
+	NixpkgsPath string
+
+	// GeneratedFileMounter handles staging of generated files
+	GeneratedFileMounter
+}
+
+// NewNspawnRuntime creates a new nspawn runtime with the given configuration
+func NewNspawnRuntime(containerPrefix, sandboxesDir, nixpkgsPath string) *NspawnRuntime {
+	return &NspawnRuntime{
+		ContainerPrefix: containerPrefix,
+		SandboxesDir:    sandboxesDir,
+		NixpkgsPath:     nixpkgsPath,
+		GeneratedFileMounter: GeneratedFileMounter{
+			StagingDir: sandboxesDir,
+		},
+	}
+}
+
+// containerName returns the full container name for a sandbox.
+// It loads metadata to use the short container name if available,
+// falling back to the legacy prefix+name format.
+func (r *NspawnRuntime) containerName(sandboxName string) string {
+	if r.SandboxesDir != "" {
+		if meta, err := config.LoadSandboxMetadata(r.SandboxesDir, sandboxName); err == nil {
+			return meta.ResolvedContainerName()
+		}
+	}
+	return r.ContainerPrefix + sandboxName
+}
+
+// Name returns the runtime identifier
+func (r *NspawnRuntime) Name() string {
+	return "nspawn"
+}
+
+// Create creates a new container by building the Nix config and installing
+// the resulting systemd units directly via symlinks into /etc/systemd-mutable/system.
+func (r *NspawnRuntime) Create(ctx context.Context, opts CreateOptions) error {
+	ctx, span := telemetry.Start(ctx, "nspawn.create")
+	defer span.End()
+
+	logging.Debug("creating container", "name", opts.Name, "config", opts.ConfigPath)
+
+	// If the config path is a nix store path (pre-built /etc), install directly
+	if strings.HasPrefix(opts.ConfigPath, "/nix/store/") {
+		return r.CreateFromEtc(ctx, opts.ConfigPath, opts.Start)
+	}
+
+	// Otherwise, build the config first using our eval-config.nix
+	evalConfigPath := filepath.Join(r.SandboxesDir, opts.Name+".eval-config.nix")
+	if err := os.WriteFile(evalConfigPath, []byte(generator.EvalConfigNix), 0644); err != nil {
+		return fmt.Errorf("failed to write eval-config.nix: %w", err)
+	}
+
+	etcPath, err := r.BuildOuterEtc(ctx, opts.ConfigPath, evalConfigPath)
+	if err != nil {
+		return fmt.Errorf("nix-build container config failed: %w", err)
+	}
+
+	return installContainer(ctx, etcPath, opts.Start)
+}
+
+// Start starts an existing container. Uses the fastest available path:
+// 1. Cached etc path from metadata → CreateFromEtc (~1s, no eval at all)
+// 2. Outer .nix + our eval-config → BuildOuterEtc + CreateFromEtc (~2s)
+// 3. Full .nix through nix-build + install (fallback, ~17s)
+func (r *NspawnRuntime) Start(ctx context.Context, name string) error {
+	ctx, span := telemetry.Start(ctx, "nspawn.start")
+	defer span.End()
+
+	if r.SandboxesDir == "" {
+		return r.startFallback(ctx, name)
+	}
+
+	// Fast path 1: use cached etc path from metadata (no Nix eval at all)
+	if meta, err := config.LoadSandboxMetadata(r.SandboxesDir, name); err == nil && meta.CachedEtcPath != "" {
+		if _, err := os.Stat(meta.CachedEtcPath); err == nil {
+			logging.Debug("starting container via cached etc", "name", name, "etcPath", meta.CachedEtcPath)
+			if err := r.CreateFromEtc(ctx, meta.CachedEtcPath, true); err == nil {
+				return nil
+			}
+			logging.Warn("cached etc start failed, trying outer config", "name", name)
+		}
+	}
+
+	// Fast path 2: build outer etc using our stripped eval-config
+	outerPath := r.SandboxesDir + "/" + name + ".outer.nix"
+	if _, err := os.Stat(outerPath); err == nil {
+		etcPath, err := r.buildAndCacheOuterEtc(ctx, name, outerPath)
+		if err == nil {
+			logging.Debug("starting container via freshly built etc", "name", name, "etcPath", etcPath)
+			if startErr := r.CreateFromEtc(ctx, etcPath, true); startErr == nil {
+				return nil
+			}
+			logging.Warn("outer etc start failed, falling back to full rebuild", "name", name)
+		} else {
+			logging.Warn("outer etc build failed, falling back to full rebuild", "name", name, "error", err)
+		}
+	}
+
+	// Slow path: rebuild from full .nix config through nix-build + install
+	return r.startFallback(ctx, name)
+}
+
+// startFallback starts a container via the full .nix config through nix-build + install.
+func (r *NspawnRuntime) startFallback(ctx context.Context, name string) error {
+	configPath := r.SandboxesDir + "/" + name + ".nix"
+	logging.Debug("starting container via nix-build", "name", name, "config", configPath)
+	return r.Create(ctx, CreateOptions{
+		Name:       name,
+		ConfigPath: configPath,
+		Start:      true,
+	})
+}
+
+// buildAndCacheOuterEtc writes the eval-config.nix to the sandbox staging dir,
+// builds outer etc, and saves the etc path in metadata.
+func (r *NspawnRuntime) buildAndCacheOuterEtc(ctx context.Context, name, outerPath string) (string, error) {
+	evalConfigPath := r.SandboxesDir + "/" + name + ".eval-config.nix"
+	if err := os.WriteFile(evalConfigPath, []byte(generator.EvalConfigNix), 0644); err != nil {
+		return "", fmt.Errorf("failed to write eval-config.nix: %w", err)
+	}
+
+	etcPath, err := r.BuildOuterEtc(ctx, outerPath, evalConfigPath)
+	if err != nil {
+		return "", err
+	}
+
+	// Save cached etc path in metadata for future fast restarts
+	if meta, loadErr := config.LoadSandboxMetadata(r.SandboxesDir, name); loadErr == nil {
+		meta.CachedEtcPath = etcPath
+		_ = config.SaveSandboxMetadata(r.SandboxesDir, meta)
+	}
+
+	return etcPath, nil
+}
+
+// BuildInnerSystem builds the inner NixOS system from a config file and returns
+// its store path. Uses nix-build '<nixpkgs/nixos>' -A system.build.toplevel.
+func (r *NspawnRuntime) BuildInnerSystem(ctx context.Context, configPath string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "nspawn.build-inner-system")
+	defer span.End()
+
+	logging.Info("nixcache: building inner system", "config", configPath)
+
+	nixpkgsExpr := "<nixpkgs/nixos>"
+	if r.NixpkgsPath != "" {
+		nixpkgsExpr = r.NixpkgsPath + "/nixos"
+	}
+
+	args := []string{
+		"nix-build", nixpkgsExpr,
+		"-A", "config.system.build.toplevel",
+		"--arg", "configuration", configPath,
+		"--no-out-link",
+	}
+
+	cmd := exec.CommandContext(ctx, args[0], args[1:]...)
+	var stdout, stderr bytes.Buffer
+	tracer := newNixOutputTracer(span)
+	cmd.Stdout = &stdout
+	cmd.Stderr = io.MultiWriter(os.Stderr, &stderr, tracer)
+
+	span.AddEvent("subprocess.start")
+	err := cmd.Run()
+	tracer.Flush()
+	if err != nil {
+		// Include stderr in error message so fallback log reveals the Nix evaluation error
+		errMsg := strings.TrimSpace(stderr.String())
+		if len(errMsg) > 500 {
+			errMsg = errMsg[len(errMsg)-500:]
+		}
+		return "", fmt.Errorf("nix-build inner system failed: %w\nstderr: %s", err, errMsg)
+	}
+
+	storePath := strings.TrimSpace(stdout.String())
+	if storePath == "" {
+		return "", fmt.Errorf("nix-build produced empty output")
+	}
+
+	span.SetAttributes(attribute.String("store.path", storePath))
+	logging.Info("nixcache: inner system built", "path", storePath)
+	return storePath, nil
+}
+
+// BuildOuterEtc builds the outer container /etc from an outer config file using
+// our stripped eval-config.nix (minimal module set). This
+// evaluates in ~0.5s instead of ~13s because no inner NixOS system is evaluated.
+// Returns the /nix/store path of the built etc derivation.
+func (r *NspawnRuntime) BuildOuterEtc(ctx context.Context, outerConfigPath, evalConfigPath string) (string, error) {
+	ctx, span := telemetry.Start(ctx, "nspawn.build-outer-etc")
+	defer span.End()
+
+	logging.Info("building outer /etc", "config", outerConfigPath)
+
+	nixosPath := "<nixpkgs/nixos>"
+	if r.NixpkgsPath != "" {
+		nixosPath = r.NixpkgsPath + "/nixos"
+	}
+
+	// Build the etc derivation using our stripped eval-config.nix
+	nixExpr := fmt.Sprintf(`
+let
+  cfg = import ''%s'';
+in (import %s {
+  nixosPath = %s;
+  systemConfig = cfg;
+}).config.system.build.etc
+`, outerConfigPath, evalConfigPath, nixosPath)
+
+	args := []string{
+		"nix-build", "--no-out-link", "-E", nixExpr,
+	}
+
+	cmd := exec.CommandContext(ctx, args[0], args[1:]...)
+	var stdout, stderr bytes.Buffer
+	tracer := newNixOutputTracer(span)
+	cmd.Stdout = &stdout
+	cmd.Stderr = io.MultiWriter(os.Stderr, &stderr, tracer)
+
+	span.AddEvent("subprocess.start")
+	err := cmd.Run()
+	tracer.Flush()
+	if err != nil {
+		errMsg := strings.TrimSpace(stderr.String())
+		if len(errMsg) > 500 {
+			errMsg = errMsg[len(errMsg)-500:]
+		}
+		return "", fmt.Errorf("nix-build outer etc failed: %w\nstderr: %s", err, errMsg)
+	}
+
+	etcPath := strings.TrimSpace(stdout.String())
+	if etcPath == "" {
+		return "", fmt.Errorf("nix-build outer etc produced empty output")
+	}
+
+	span.SetAttributes(attribute.String("etc.path", etcPath))
+	logging.Info("outer /etc built", "path", etcPath)
+	return etcPath, nil
+}
+
+// CreateFromEtc creates a container directly from a pre-built /etc store path.
+// This installs systemd units and starts the container without any Nix evaluation.
+func (r *NspawnRuntime) CreateFromEtc(ctx context.Context, etcPath string, start bool) error {
+	ctx, span := telemetry.Start(ctx, "nspawn.create-from-etc")
+	defer span.End()
+
+	logging.Debug("creating container from pre-built etc", "etcPath", etcPath)
+	span.AddEvent("install.start")
+
+	return installContainer(ctx, etcPath, start)
+}
+
+// Stop stops a running container
+func (r *NspawnRuntime) Stop(ctx context.Context, name string) error {
+	ctx, span := telemetry.Start(ctx, "nspawn.stop")
+	defer span.End()
+
+	containerName := r.containerName(name)
+	logging.Debug("stopping container", "container", containerName)
+
+	cmd := exec.CommandContext(ctx, "sudo", "machinectl", "stop", containerName)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("machinectl stop failed: %w", err)
+	}
+
+	return nil
+}
+
+// Destroy stops and removes a container
+func (r *NspawnRuntime) Destroy(ctx context.Context, name string) error {
+	ctx, span := telemetry.Start(ctx, "nspawn.destroy")
+	defer span.End()
+
+	containerName := r.containerName(name)
+	logging.Debug("destroying container", "container", containerName)
+
+	return destroyContainer(ctx, containerName)
+}
+
+// IsRunning checks if a container is currently running
+func (r *NspawnRuntime) IsRunning(ctx context.Context, name string) (bool, error) {
+	containerName := r.containerName(name)
+
+	cmd := exec.CommandContext(ctx, "machinectl", "show", containerName)
+	err := cmd.Run()
+
+	return err == nil, nil
+}
+
+// Status returns detailed status of a container
+func (r *NspawnRuntime) Status(ctx context.Context, name string) (*ContainerInfo, error) {
+	containerName := r.containerName(name)
+
+	info := &ContainerInfo{
+		Name:   name,
+		Status: StatusNotFound,
+	}
+
+	// Check if container exists
+	cmd := exec.CommandContext(ctx, "machinectl", "show", containerName, "-p", "State", "--value")
+	output, err := cmd.Output()
+	if err != nil {
+		return info, nil
+	}
+
+	state := strings.TrimSpace(string(output))
+	switch state {
+	case "running":
+		info.Status = StatusRunning
+	case "stopped", "":
+		info.Status = StatusStopped
+	default:
+		info.Status = StatusUnknown
+	}
+
+	// Get start time if running
+	if info.Status == StatusRunning {
+		cmd = exec.CommandContext(ctx, "machinectl", "show", containerName, "-p", "Since", "--value")
+		output, err = cmd.Output()
+		if err == nil {
+			info.StartedAt = strings.TrimSpace(string(output))
+		}
+
+		// Get IP address
+		cmd = exec.CommandContext(ctx, "machinectl", "show", containerName, "-p", "IPAddress", "--value")
+		output, err = cmd.Output()
+		if err == nil {
+			info.IPAddress = strings.TrimSpace(string(output))
+		}
+	}
+
+	return info, nil
+}
+
+// Exec executes a command inside a container
+func (r *NspawnRuntime) Exec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error) {
+	ctx, span := telemetry.Start(ctx, "nspawn.exec",
+		telemetry.WithAttr(attribute.String("cmd", strings.Join(command, " "))))
+	defer span.End()
+
+	containerName := r.containerName(name)
+
+	args := []string{"machinectl", "shell"}
+	if opts.User != "" {
+		args = append(args, fmt.Sprintf("%s@%s", opts.User, containerName))
+	} else {
+		args = append(args, containerName)
+	}
+	args = append(args, "--")
+	args = append(args, command...)
+
+	cmd := exec.CommandContext(ctx, "sudo", args...)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if opts.Stdin != nil {
+		cmd.Stdin = opts.Stdin
+	}
+
+	err := cmd.Run()
+
+	result := &ExecResult{
+		Stdout: stdout.String(),
+		Stderr: stderr.String(),
+	}
+
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			result.ExitCode = exitErr.ExitCode()
+		} else {
+			return result, fmt.Errorf("exec failed: %w", err)
+		}
+	}
+
+	return result, nil
+}
+
+// ExecInteractive executes a command with an interactive TTY
+func (r *NspawnRuntime) ExecInteractive(ctx context.Context, name string, command []string, opts ExecOptions) error {
+	containerName := r.containerName(name)
+
+	machinectlPath, err := exec.LookPath("machinectl")
+	if err != nil {
+		return fmt.Errorf("machinectl not found: %w", err)
+	}
+
+	args := []string{"machinectl", "shell"}
+	if opts.User != "" {
+		args = append(args, fmt.Sprintf("%s@%s", opts.User, containerName))
+	} else {
+		args = append(args, containerName)
+	}
+
+	if len(command) > 0 {
+		args = append(args, "--")
+		args = append(args, command...)
+	}
+
+	return syscall.Exec(machinectlPath, args, system.SafeEnviron())
+}
+
+// List returns all containers managed by this runtime
+func (r *NspawnRuntime) List(ctx context.Context) ([]*ContainerInfo, error) {
+	// Build reverse mapping: container name → sandbox name from metadata
+	reverseMap := buildContainerReverseMap(r.SandboxesDir)
+
+	cmd := exec.CommandContext(ctx, "machinectl", "list", "--no-legend", "--no-pager")
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("machinectl list failed: %w", err)
+	}
+
+	var containers []*ContainerInfo
+	lines := strings.Split(strings.TrimSpace(string(output)), "\n")
+
+	for _, line := range lines {
+		if line == "" {
+			continue
+		}
+
+		fields := strings.Fields(line)
+		if len(fields) < 1 {
+			continue
+		}
+
+		name := fields[0]
+
+		var sandboxName string
+		if sn, ok := reverseMap[name]; ok {
+			sandboxName = sn
+		} else if strings.HasPrefix(name, r.ContainerPrefix) {
+			// Legacy fallback: strip prefix
+			sandboxName = strings.TrimPrefix(name, r.ContainerPrefix)
+		} else if sn := readForageJSONSandboxName(ctx, name); sn != "" {
+			// Fallback: query /etc/forage.json from running container
+			sandboxName = sn
+		} else {
+			continue // Not a forage container
+		}
+
+		info, _ := r.Status(ctx, sandboxName)
+		if info != nil {
+			containers = append(containers, info)
+		}
+	}
+
+	return containers, nil
+}
+
+// SSHHost returns the container IP address for SSH connections.
+// The container IP is derived from the network slot in the metadata.
+func (r *NspawnRuntime) SSHHost(ctx context.Context, name string) (string, error) {
+	if r.SandboxesDir == "" {
+		return "", fmt.Errorf("sandboxes directory not configured")
+	}
+
+	metadata, err := config.LoadSandboxMetadata(r.SandboxesDir, name)
+	if err != nil {
+		return "", fmt.Errorf("failed to load sandbox metadata: %w", err)
+	}
+
+	if metadata.NetworkSlot == 0 {
+		return "", fmt.Errorf("no network slot configured for sandbox %s", name)
+	}
+
+	return metadata.ContainerIP(), nil
+}
+
+// SSHExec executes a command via SSH
+func (r *NspawnRuntime) SSHExec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error) {
+	ctx, span := telemetry.Start(ctx, "nspawn.ssh-exec")
+	defer span.End()
+
+	host, err := r.SSHHost(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	return r.SSHExecWithHost(ctx, host, command, opts)
+}
+
+// SSHExecWithHost executes a command via SSH with a specific host
+func (r *NspawnRuntime) SSHExecWithHost(ctx context.Context, host string, command []string, opts ExecOptions) (*ExecResult, error) {
+	// Build SSH options using the builder
+	sshOpts := ssh.DefaultOptions(host).WithBatchMode()
+
+	// Override user if specified
+	if opts.User != "" {
+		sshOpts.User = opts.User
+	}
+
+	sshArgs := sshOpts.BuildArgs(command...)
+	cmd := exec.CommandContext(ctx, "ssh", sshArgs...)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if opts.Stdin != nil {
+		cmd.Stdin = opts.Stdin
+	}
+
+	err := cmd.Run()
+
+	result := &ExecResult{
+		Stdout: stdout.String(),
+		Stderr: stderr.String(),
+	}
+
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			result.ExitCode = exitErr.ExitCode()
+		} else {
+			return result, err
+		}
+	}
+
+	return result, nil
+}
+
+// SSHInteractive starts an interactive SSH session
+func (r *NspawnRuntime) SSHInteractive(ctx context.Context, name string, command string) error {
+	host, err := r.SSHHost(ctx, name)
+	if err != nil {
+		return err
+	}
+	return r.SSHInteractiveWithHost(host, command)
+}
+
+// SSHInteractiveWithHost starts an interactive SSH session with a specific host
+func (r *NspawnRuntime) SSHInteractiveWithHost(host string, command string) error {
+	return ssh.ReplaceWithSession(host, command)
+}
+
+// ContainerInfo returns information about the container environment.
+func (r *NspawnRuntime) ContainerInfo() SandboxContainerInfo {
+	return DefaultContainerInfo()
+}
+
+// forageJSON represents the /etc/forage.json metadata inside a container.
+type forageJSON struct {
+	SandboxName   string `json:"sandboxName"`
+	ContainerName string `json:"containerName"`
+	Runtime       string `json:"runtime"`
+}
+
+// readForageJSONSandboxName attempts to read /etc/forage.json from a running
+// container via machinectl shell. Returns the sandbox name or empty string on failure.
+func readForageJSONSandboxName(ctx context.Context, containerName string) string {
+	cmd := exec.CommandContext(ctx, "sudo", "machinectl", "shell", containerName, "--", "/bin/cat", "/etc/forage.json")
+	var stdout bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = nil
+
+	if err := cmd.Run(); err != nil {
+		return ""
+	}
+
+	var meta forageJSON
+	if err := json.Unmarshal(stdout.Bytes(), &meta); err != nil {
+		return ""
+	}
+
+	return meta.SandboxName
+}
+
+// GracefulStop sends SIGTERM via machinectl terminate, waits up to timeout
+// for the container to stop, then forces poweroff if still running.
+func (r *NspawnRuntime) GracefulStop(ctx context.Context, name string, timeout time.Duration) error {
+	containerName := r.containerName(name)
+	logging.Debug("graceful stop", "container", containerName, "timeout", timeout)
+
+	// Send SIGTERM to container init via machinectl terminate
+	cmd := exec.CommandContext(ctx, "sudo", "machinectl", "terminate", containerName)
+	if err := cmd.Run(); err != nil {
+		logging.Debug("terminate failed, trying poweroff", "error", err)
+		return r.Stop(ctx, name)
+	}
+
+	// Poll until stopped or timeout
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		running, err := r.IsRunning(ctx, name)
+		if err != nil || !running {
+			return nil
+		}
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	// Force stop if still running
+	logging.Warn("container did not stop gracefully, forcing poweroff", "container", containerName)
+	return r.Stop(ctx, name)
+}
+
+// Capabilities returns the full set of capabilities for nspawn.
+// NixOS nspawn containers support all features.
+func (r *NspawnRuntime) Capabilities() Capabilities {
+	return Capabilities{
+		NixOSConfig:      true,
+		NetworkIsolation: true,
+		EphemeralRoot:    true,
+		SSHAccess:        true,
+		GeneratedFiles:   true,
+		ResourceLimits:   true,
+		GracefulShutdown: true,
+	}
+}
+
+// ViewLogs replaces the current process with journalctl -M to view container logs.
+func (r *NspawnRuntime) ViewLogs(ctx context.Context, name string, follow bool, lines int) error {
+	containerName := r.containerName(name)
+
+	journalctlPath, err := exec.LookPath("journalctl")
+	if err != nil {
+		return fmt.Errorf("journalctl not found: %w", err)
+	}
+
+	argv := []string{"journalctl", "-M", containerName, "-n", fmt.Sprintf("%d", lines)}
+	if follow {
+		argv = append(argv, "-f")
+	}
+
+	return syscall.Exec(journalctlPath, argv, system.SafeEnviron())
+}
+
+// Ensure NspawnRuntime implements Runtime, GeneratedFileRuntime, CapableRuntime, GracefulStopper, and LogViewer
+var _ Runtime = (*NspawnRuntime)(nil)
+var _ GeneratedFileRuntime = (*NspawnRuntime)(nil)
+var _ CapableRuntime = (*NspawnRuntime)(nil)
+var _ GracefulStopper = (*NspawnRuntime)(nil)
+var _ LogViewer = (*NspawnRuntime)(nil)
diff --git a/packages/forage-ctl/internal/runtime/nspawn_lifecycle.go b/packages/forage-ctl/internal/runtime/nspawn_lifecycle.go
new file mode 100644
index 0000000..059281e
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/nspawn_lifecycle.go
@@ -0,0 +1,266 @@
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+// Container lifecycle constants for NixOS systemd-nspawn containers.
+const (
+	// mutableServicesDir is where dynamically-installed systemd units live on NixOS.
+	// Requires boot.extraSystemdUnitPaths = [ "/etc/systemd-mutable/system" ].
+	mutableServicesDir = "/etc/systemd-mutable/system"
+
+	// containerConfigDir is where NixOS container .conf files are stored (NixOS >=22.05).
+	containerConfigDir = "/etc/nixos-containers"
+
+	// containerStateDir is where NixOS container root filesystems live.
+	containerStateDir = "/var/lib/nixos-containers"
+
+	// gcRootsDir is where nix GC roots are stored. We use gcroots/auto so that
+	// stale links are automatically cleaned up by the nix garbage collector.
+	gcRootsDir = "/nix/var/nix/gcroots/auto"
+)
+
+// installContainer installs a container from a pre-built /etc store path.
+// It symlinks the systemd service and container conf files into the mutable
+// directories, creates nix GC roots to prevent garbage collection, reloads
+// the systemd daemon, and optionally starts the container.
+func installContainer(ctx context.Context, etcPath string, start bool) error {
+	nixosEtc := etcPath + "/etc"
+	if _, err := os.Stat(nixosEtc); err != nil {
+		return fmt.Errorf("%s doesn't exist", nixosEtc)
+	}
+
+	// Discover containers from the built etc
+	containers, err := discoverContainers(nixosEtc)
+	if err != nil {
+		return err
+	}
+	if len(containers) == 0 {
+		return fmt.Errorf("no container services found in %s/systemd/system", nixosEtc)
+	}
+
+	// Ensure target directories exist
+	for _, dir := range []string{
+		mutableServicesDir,
+		containerConfigDir,
+		gcRootsDir,
+	} {
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			return fmt.Errorf("failed to create %s: %w", dir, err)
+		}
+	}
+
+	var installed []string
+	for _, name := range containers {
+		changed, err := installSingleContainer(nixosEtc, name)
+		if err != nil {
+			return fmt.Errorf("failed to install container %s: %w", name, err)
+		}
+		if changed {
+			installed = append(installed, name)
+		}
+	}
+
+	if len(installed) > 0 {
+		if err := systemctlDaemonReload(ctx); err != nil {
+			return err
+		}
+	}
+
+	if start {
+		for _, name := range containers {
+			svc := "container@" + name + ".service"
+			if err := sudoRun(ctx, "systemctl", "start", svc); err != nil {
+				return fmt.Errorf("failed to start %s: %w", svc, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// installSingleContainer installs one container's service and conf files.
+// Returns true if the container was installed (i.e., changed from current state).
+func installSingleContainer(nixosEtc, name string) (bool, error) {
+	svc := "container@" + name + ".service"
+	serviceFile := filepath.Join(nixosEtc, "systemd/system", svc)
+	serviceDest := filepath.Join(mutableServicesDir, svc)
+
+	confFile := filepath.Join(nixosEtc, "nixos-containers", name+".conf")
+	confDest := filepath.Join(containerConfigDir, name+".conf")
+
+	// Check if unchanged (same realpath for both service and conf symlinks)
+	if isUnchanged(serviceFile, serviceDest) && isUnchanged(confFile, confDest) {
+		logging.Debug("container unchanged, skipped", "name", name)
+		return false, nil
+	}
+
+	// Resolve to real paths for symlink targets
+	realService, err := filepath.EvalSymlinks(serviceFile)
+	if err != nil {
+		return false, fmt.Errorf("failed to resolve service file: %w", err)
+	}
+	realConf, err := filepath.EvalSymlinks(confFile)
+	if err != nil {
+		// Try legacy path (NixOS <22.05 uses /etc/containers/)
+		altConfFile := filepath.Join(nixosEtc, "containers", name+".conf")
+		realConf, err = filepath.EvalSymlinks(altConfFile)
+		if err != nil {
+			return false, fmt.Errorf("container conf file not found: %w", err)
+		}
+	}
+
+	// Create symlinks
+	if err := forceSymlink(realService, serviceDest); err != nil {
+		return false, fmt.Errorf("failed to symlink service: %w", err)
+	}
+	if err := forceSymlink(realConf, confDest); err != nil {
+		return false, fmt.Errorf("failed to symlink conf: %w", err)
+	}
+
+	// Create GC roots to prevent nix garbage collection
+	gcRoot := filepath.Join(gcRootsDir, "extra-container-"+name)
+	if err := forceSymlink(serviceDest, gcRoot); err != nil {
+		return false, fmt.Errorf("failed to create service GC root: %w", err)
+	}
+	if err := forceSymlink(confDest, gcRoot+".conf"); err != nil {
+		return false, fmt.Errorf("failed to create conf GC root: %w", err)
+	}
+
+	logging.Debug("container installed", "name", name)
+	return true, nil
+}
+
+// destroyContainer stops and fully removes a container.
+func destroyContainer(ctx context.Context, name string) error {
+	svc := "container@" + name + ".service"
+	serviceFile := filepath.Join(mutableServicesDir, svc)
+	confFile := filepath.Join(containerConfigDir, name+".conf")
+	stateDir := filepath.Join(containerStateDir, name)
+
+	// Stop the service (non-blocking so we can kill it right after)
+	_ = sudoRun(ctx, "systemctl", "stop", "--no-block", svc)
+
+	// Kill it to ensure the machine terminates
+	_ = sudoRun(ctx, "systemctl", "kill", svc)
+
+	// Remove service symlinks
+	_ = os.Remove(filepath.Join(mutableServicesDir, "machines.target.wants", svc))
+	if isSymlink(serviceFile) {
+		_ = os.Remove(serviceFile)
+	}
+
+	// Remove GC roots
+	gcRoot := filepath.Join(gcRootsDir, "extra-container-"+name)
+	_ = os.Remove(gcRoot)
+	_ = os.Remove(gcRoot + ".conf")
+
+	// Remove conf file — nixos-container destroy needs a conf file to exist
+	// (even a dummy one), otherwise it fails. So replace with an empty touch.
+	_ = os.Remove(confFile)
+	f, err := os.Create(confFile)
+	if err == nil {
+		_ = f.Close()
+	}
+
+	// Remove immutable attribute from nested container var/empty files
+	// so the state directory can be deleted
+	removeVarEmptyImmutable(stateDir)
+
+	// Clean up the container state directory (root filesystem, etc.)
+	// nixos-container does this but we do it directly for reliability.
+	if _, err := os.Stat(stateDir); err == nil {
+		_ = sudoRun(ctx, "rm", "-rf", stateDir)
+	}
+
+	// Clean up the dummy conf file
+	_ = os.Remove(confFile)
+
+	// Reload systemd so it forgets the removed units
+	return systemctlDaemonReload(ctx)
+}
+
+// discoverContainers finds container names from service files in the etc output.
+func discoverContainers(nixosEtc string) ([]string, error) {
+	pattern := filepath.Join(nixosEtc, "systemd/system/container@*.service")
+	matches, err := filepath.Glob(pattern)
+	if err != nil {
+		return nil, fmt.Errorf("failed to glob container services: %w", err)
+	}
+
+	var names []string
+	for _, match := range matches {
+		base := filepath.Base(match)
+		// container@foo.service -> foo
+		name := strings.TrimPrefix(base, "container@")
+		name = strings.TrimSuffix(name, ".service")
+		if name != "" {
+			names = append(names, name)
+		}
+	}
+	return names, nil
+}
+
+// isUnchanged checks if src and dest point to the same real path.
+func isUnchanged(src, dest string) bool {
+	realSrc, err := filepath.EvalSymlinks(src)
+	if err != nil {
+		return false
+	}
+	realDest, err := filepath.EvalSymlinks(dest)
+	if err != nil {
+		return false
+	}
+	return realSrc == realDest
+}
+
+// isSymlink returns true if path is a symlink.
+func isSymlink(path string) bool {
+	fi, err := os.Lstat(path)
+	if err != nil {
+		return false
+	}
+	return fi.Mode()&os.ModeSymlink != 0
+}
+
+// forceSymlink creates a symlink, removing any existing file at dest.
+func forceSymlink(target, dest string) error {
+	_ = os.Remove(dest)
+	return os.Symlink(target, dest)
+}
+
+// removeVarEmptyImmutable removes the immutable attribute from var/empty
+// directories inside nested containers, which would otherwise prevent
+// deletion of the container state directory.
+func removeVarEmptyImmutable(stateDir string) {
+	pattern := filepath.Join(stateDir, "var/lib/*containers/*/var/empty")
+	matches, _ := filepath.Glob(pattern)
+	for _, m := range matches {
+		// chattr -i — ignore errors (file may not exist or not be immutable)
+		cmd := exec.Command("chattr", "-i", m)
+		_ = cmd.Run()
+	}
+}
+
+// systemctlDaemonReload tells systemd to reload its unit files.
+func systemctlDaemonReload(ctx context.Context) error {
+	return sudoRun(ctx, "systemctl", "daemon-reload")
+}
+
+// sudoRun executes a command via sudo.
+func sudoRun(ctx context.Context, args ...string) error {
+	cmd := exec.CommandContext(ctx, "sudo", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("%s: %w (output: %s)", strings.Join(args, " "), err, strings.TrimSpace(string(output)))
+	}
+	return nil
+}
diff --git a/packages/forage-ctl/internal/runtime/nspawn_test.go b/packages/forage-ctl/internal/runtime/nspawn_test.go
new file mode 100644
index 0000000..c875a64
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/nspawn_test.go
@@ -0,0 +1,206 @@
+package runtime
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+func TestNspawnRuntime_Name(t *testing.T) {
+	rt := NewNspawnRuntime("forage-", "", "")
+
+	if rt.Name() != "nspawn" {
+		t.Errorf("Name() = %q, want %q", rt.Name(), "nspawn")
+	}
+}
+
+func TestNspawnRuntime_containerName_Fallback(t *testing.T) {
+	// Without SandboxesDir, falls back to prefix + name
+	rt := NewNspawnRuntime("forage-", "", "")
+
+	tests := []struct {
+		sandboxName string
+		want        string
+	}{
+		{"myproject", "forage-myproject"},
+		{"test-123", "forage-test-123"},
+		{"", "forage-"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.sandboxName, func(t *testing.T) {
+			got := rt.containerName(tt.sandboxName)
+			if got != tt.want {
+				t.Errorf("containerName(%q) = %q, want %q", tt.sandboxName, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestNspawnRuntime_containerName_FromMetadata(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Save metadata with a short container name
+	meta := &config.SandboxMetadata{
+		Name:          "review",
+		Template:      "test",
+		NetworkSlot:   5,
+		ContainerName: "f5",
+	}
+	if err := config.SaveSandboxMetadata(tmpDir, meta); err != nil {
+		t.Fatalf("Failed to save metadata: %v", err)
+	}
+
+	rt := NewNspawnRuntime("forage-", tmpDir, "")
+
+	got := rt.containerName("review")
+	if got != "f5" {
+		t.Errorf("containerName(%q) = %q, want %q", "review", got, "f5")
+	}
+}
+
+func TestNspawnRuntime_containerName_LegacyMetadata(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Save metadata without ContainerName (legacy sandbox)
+	meta := &config.SandboxMetadata{
+		Name:        "old-sandbox",
+		Template:    "test",
+		NetworkSlot: 3,
+	}
+	if err := config.SaveSandboxMetadata(tmpDir, meta); err != nil {
+		t.Fatalf("Failed to save metadata: %v", err)
+	}
+
+	rt := NewNspawnRuntime("forage-", tmpDir, "")
+
+	got := rt.containerName("old-sandbox")
+	if got != "forage-old-sandbox" {
+		t.Errorf("containerName(%q) = %q, want %q", "old-sandbox", got, "forage-old-sandbox")
+	}
+}
+
+func TestNspawnRuntime_containerName_CustomPrefix(t *testing.T) {
+	rt := NewNspawnRuntime("custom-prefix-", "", "")
+
+	got := rt.containerName("sandbox")
+	want := "custom-prefix-sandbox"
+	if got != want {
+		t.Errorf("containerName with custom prefix = %q, want %q", got, want)
+	}
+}
+
+func TestNewNspawnRuntime(t *testing.T) {
+	rt := NewNspawnRuntime("test-", "/var/lib/forage/sandboxes", "")
+
+	if rt == nil {
+		t.Fatal("NewNspawnRuntime returned nil")
+	}
+
+	if rt.ContainerPrefix != "test-" {
+		t.Errorf("ContainerPrefix = %q, want %q", rt.ContainerPrefix, "test-")
+	}
+
+	if rt.SandboxesDir != "/var/lib/forage/sandboxes" {
+		t.Errorf("SandboxesDir = %q, want %q", rt.SandboxesDir, "/var/lib/forage/sandboxes")
+	}
+}
+
+func TestNspawnRuntime_Interface(t *testing.T) {
+	// Ensure NspawnRuntime implements Runtime interface
+	var _ Runtime = (*NspawnRuntime)(nil)
+}
+
+func TestNspawnRuntime_SSHRuntime_Interface(t *testing.T) {
+	// Ensure NspawnRuntime implements SSHRuntime interface
+	var _ SSHRuntime = (*NspawnRuntime)(nil)
+}
+
+func TestNspawnRuntime_SSHHost_FromMetadata(t *testing.T) {
+	// Create temp directory for sandbox metadata
+	tmpDir, err := os.MkdirTemp("", "nspawn-test-*")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Create sandbox metadata with network slot
+	metadata := &config.SandboxMetadata{
+		Name:        "test-sandbox",
+		NetworkSlot: 5,
+		Template:    "test",
+	}
+	if err = config.SaveSandboxMetadata(tmpDir, metadata); err != nil {
+		t.Fatalf("Failed to save sandbox metadata: %v", err)
+	}
+
+	rt := NewNspawnRuntime("forage-", tmpDir, "")
+	ctx := context.Background()
+
+	// Verify SSHHost loads from metadata and returns container IP
+	host, err := rt.SSHHost(ctx, "test-sandbox")
+	if err != nil {
+		t.Errorf("SSHHost() error: %v", err)
+	} else if host != "10.100.5.2" {
+		t.Errorf("SSHHost() = %q, want %q", host, "10.100.5.2")
+	}
+}
+
+func TestNspawnRuntime_SSHHost_NotFound(t *testing.T) {
+	tmpDir, err := os.MkdirTemp("", "nspawn-test-*")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	rt := NewNspawnRuntime("forage-", tmpDir, "")
+	ctx := context.Background()
+
+	// Verify SSHHost returns error for unknown sandbox
+	if _, err := rt.SSHHost(ctx, "unknown"); err == nil {
+		t.Error("SSHHost(unknown) should return error")
+	}
+}
+
+func TestNspawnRuntime_SSHHost_NoSandboxesDir(t *testing.T) {
+	rt := NewNspawnRuntime("forage-", "", "")
+	ctx := context.Background()
+
+	// Verify SSHHost returns error when sandboxes dir not configured
+	_, err := rt.SSHHost(ctx, "test")
+	if err == nil {
+		t.Error("SSHHost should return error when sandboxes dir not configured")
+	}
+}
+
+func TestNspawnRuntime_SSHExec(t *testing.T) {
+	// Create temp directory for sandbox metadata
+	tmpDir, err := os.MkdirTemp("", "nspawn-test-*")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Create sandbox metadata
+	metadata := &config.SandboxMetadata{
+		Name:        "test-sandbox",
+		NetworkSlot: 1,
+		Template:    "test",
+	}
+	if err = config.SaveSandboxMetadata(tmpDir, metadata); err != nil {
+		t.Fatalf("Failed to save sandbox metadata: %v", err)
+	}
+
+	rt := NewNspawnRuntime("forage-", tmpDir, "")
+	ctx := context.Background()
+
+	// SSHExec will fail because SSH isn't actually running,
+	// but it should get the host correctly from metadata
+	_, err = rt.SSHExec(ctx, "test-sandbox", []string{"echo", "test"}, ExecOptions{})
+	// We expect an error since SSH isn't running, but it shouldn't be about metadata lookup
+	if err != nil && err.Error() == "failed to load sandbox metadata: no sandbox named \"test-sandbox\" found" {
+		t.Errorf("SSHExec failed to load metadata: %v", err)
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/nspawn_trace.go b/packages/forage-ctl/internal/runtime/nspawn_trace.go
new file mode 100644
index 0000000..6cecaab
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/nspawn_trace.go
@@ -0,0 +1,100 @@
+package runtime
+
+import (
+	"regexp"
+	"strconv"
+
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+)
+
+// nixOutputTracer is an io.Writer that intercepts nix-build stderr
+// output line-by-line, emitting OTel span events for known progress patterns
+// while forwarding all bytes to an underlying writer.
+type nixOutputTracer struct {
+	span trace.Span
+	// buf accumulates bytes until a newline is seen.
+	buf []byte
+}
+
+// Patterns matched against each stderr line.
+var (
+	reEvaluating = regexp.MustCompile(`evaluating derivation`)
+	reBuildPlan  = regexp.MustCompile(`these (\d+) derivations will be built`)
+	reBuildDrv   = regexp.MustCompile(`building '(/nix/store/[^']+)'`)
+	reCopyPath   = regexp.MustCompile(`copying path '(/nix/store/[^']+)'`)
+	reFetchPath  = regexp.MustCompile(`fetching path '(/nix/store/[^']+)'`)
+)
+
+func newNixOutputTracer(span trace.Span) *nixOutputTracer {
+	return &nixOutputTracer{span: span}
+}
+
+// Write implements io.Writer. It buffers input and processes complete lines.
+func (t *nixOutputTracer) Write(p []byte) (int, error) {
+	t.buf = append(t.buf, p...)
+
+	for {
+		idx := -1
+		for i, b := range t.buf {
+			if b == '\n' {
+				idx = i
+				break
+			}
+		}
+		if idx < 0 {
+			break
+		}
+		line := t.buf[:idx]
+		t.processLine(line)
+		t.buf = t.buf[idx+1:]
+	}
+
+	return len(p), nil
+}
+
+// Flush processes any remaining partial line in the buffer.
+func (t *nixOutputTracer) Flush() {
+	if len(t.buf) > 0 {
+		t.processLine(t.buf)
+		t.buf = nil
+	}
+}
+
+func (t *nixOutputTracer) processLine(line []byte) {
+	s := string(line)
+
+	if reEvaluating.MatchString(s) {
+		t.span.AddEvent("nix.eval.start")
+		return
+	}
+
+	if m := reBuildPlan.FindStringSubmatch(s); m != nil {
+		n, _ := strconv.Atoi(m[1])
+		t.span.AddEvent("nix.build.plan", trace.WithAttributes(
+			attribute.Int("derivation.count", n),
+		))
+		return
+	}
+
+	if m := reBuildDrv.FindStringSubmatch(s); m != nil {
+		t.span.AddEvent("nix.build.derivation", trace.WithAttributes(
+			attribute.String("derivation.path", m[1]),
+		))
+		return
+	}
+
+	if m := reCopyPath.FindStringSubmatch(s); m != nil {
+		t.span.AddEvent("nix.copy", trace.WithAttributes(
+			attribute.String("store.path", m[1]),
+		))
+		return
+	}
+
+	if m := reFetchPath.FindStringSubmatch(s); m != nil {
+		t.span.AddEvent("nix.fetch", trace.WithAttributes(
+			attribute.String("store.path", m[1]),
+		))
+		return
+	}
+}
diff --git a/packages/forage-ctl/internal/runtime/nspawn_trace_test.go b/packages/forage-ctl/internal/runtime/nspawn_trace_test.go
new file mode 100644
index 0000000..83ed124
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/nspawn_trace_test.go
@@ -0,0 +1,200 @@
+package runtime
+
+import (
+	"testing"
+
+	"go.opentelemetry.io/otel/attribute"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	"go.opentelemetry.io/otel/sdk/trace/tracetest"
+)
+
+// newTestTracer returns a nixOutputTracer wired to an in-memory span recorder.
+// Call flush + ended() to retrieve the recorded span and its events.
+func newTestTracer(t *testing.T) (*nixOutputTracer, func() sdktrace.ReadOnlySpan) {
+	t.Helper()
+	rec := tracetest.NewSpanRecorder()
+	tp := sdktrace.NewTracerProvider(sdktrace.WithSpanProcessor(rec))
+	_, span := tp.Tracer("test").Start(t.Context(), "test-span")
+
+	tracer := newNixOutputTracer(span)
+
+	ended := func() sdktrace.ReadOnlySpan {
+		t.Helper()
+		tracer.Flush()
+		span.End()
+		spans := rec.Ended()
+		if len(spans) != 1 {
+			t.Fatalf("expected 1 span, got %d", len(spans))
+		}
+		return spans[0]
+	}
+	return tracer, ended
+}
+
+func TestNixOutputTracer_EvalStart(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("evaluating derivation 'foo'\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(events))
+	}
+	if events[0].Name != "nix.eval.start" {
+		t.Errorf("expected event name nix.eval.start, got %s", events[0].Name)
+	}
+}
+
+func TestNixOutputTracer_BuildPlan(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("these 42 derivations will be built:\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(events))
+	}
+	if events[0].Name != "nix.build.plan" {
+		t.Errorf("expected nix.build.plan, got %s", events[0].Name)
+	}
+	assertAttr(t, events[0].Attributes, "derivation.count", int64(42))
+}
+
+func TestNixOutputTracer_BuildDerivation(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("building '/nix/store/abc123-foo.drv'\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(events))
+	}
+	if events[0].Name != "nix.build.derivation" {
+		t.Errorf("expected nix.build.derivation, got %s", events[0].Name)
+	}
+	assertAttr(t, events[0].Attributes, "derivation.path", "/nix/store/abc123-foo.drv")
+}
+
+func TestNixOutputTracer_CopyPath(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("copying path '/nix/store/xyz-bar' to remote\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(events))
+	}
+	if events[0].Name != "nix.copy" {
+		t.Errorf("expected nix.copy, got %s", events[0].Name)
+	}
+	assertAttr(t, events[0].Attributes, "store.path", "/nix/store/xyz-bar")
+}
+
+func TestNixOutputTracer_FetchPath(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("fetching path '/nix/store/qrs-baz'...\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(events))
+	}
+	if events[0].Name != "nix.fetch" {
+		t.Errorf("expected nix.fetch, got %s", events[0].Name)
+	}
+	assertAttr(t, events[0].Attributes, "store.path", "/nix/store/qrs-baz")
+}
+
+func TestNixOutputTracer_UnrelatedLines(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("some random output\nanother line\n"))
+
+	s := ended()
+	if len(s.Events()) != 0 {
+		t.Errorf("expected 0 events for unrelated lines, got %d", len(s.Events()))
+	}
+}
+
+func TestNixOutputTracer_MultipleLines(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	tr.Write([]byte("evaluating derivation\nthese 5 derivations will be built:\nbuilding '/nix/store/a-b'\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 3 {
+		t.Fatalf("expected 3 events, got %d", len(events))
+	}
+	if events[0].Name != "nix.eval.start" {
+		t.Errorf("event[0]: expected nix.eval.start, got %s", events[0].Name)
+	}
+	if events[1].Name != "nix.build.plan" {
+		t.Errorf("event[1]: expected nix.build.plan, got %s", events[1].Name)
+	}
+	if events[2].Name != "nix.build.derivation" {
+		t.Errorf("event[2]: expected nix.build.derivation, got %s", events[2].Name)
+	}
+}
+
+func TestNixOutputTracer_SplitWrites(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	// Line split across two Write calls
+	tr.Write([]byte("building '/nix"))
+	tr.Write([]byte("/store/abc-foo'\n"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(events))
+	}
+	if events[0].Name != "nix.build.derivation" {
+		t.Errorf("expected nix.build.derivation, got %s", events[0].Name)
+	}
+}
+
+func TestNixOutputTracer_FlushPartialLine(t *testing.T) {
+	tr, ended := newTestTracer(t)
+	// No trailing newline — only emitted on Flush
+	tr.Write([]byte("building '/nix/store/partial-drv'"))
+
+	s := ended()
+	events := s.Events()
+	if len(events) != 1 {
+		t.Fatalf("expected 1 event after flush, got %d", len(events))
+	}
+	if events[0].Name != "nix.build.derivation" {
+		t.Errorf("expected nix.build.derivation, got %s", events[0].Name)
+	}
+}
+
+func TestNixOutputTracer_WriteReturnsFullLength(t *testing.T) {
+	tr, _ := newTestTracer(t)
+	input := []byte("hello world\n")
+	n, err := tr.Write(input)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if n != len(input) {
+		t.Errorf("expected n=%d, got %d", len(input), n)
+	}
+}
+
+// assertAttr checks that the given attribute key has the expected value.
+func assertAttr(t *testing.T, attrs []attribute.KeyValue, key string, want any) {
+	t.Helper()
+	for _, a := range attrs {
+		if string(a.Key) == key {
+			switch w := want.(type) {
+			case string:
+				if a.Value.AsString() != w {
+					t.Errorf("attr %s: expected %q, got %q", key, w, a.Value.AsString())
+				}
+			case int64:
+				if a.Value.AsInt64() != w {
+					t.Errorf("attr %s: expected %d, got %d", key, w, a.Value.AsInt64())
+				}
+			}
+			return
+		}
+	}
+	t.Errorf("attribute %s not found", key)
+}
diff --git a/packages/forage-ctl/internal/runtime/resolve.go b/packages/forage-ctl/internal/runtime/resolve.go
new file mode 100644
index 0000000..f5a65b1
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/resolve.go
@@ -0,0 +1,27 @@
+package runtime
+
+import (
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+// buildContainerReverseMap builds a mapping from container name to sandbox name
+// by loading all sandbox metadata files. This is used by List operations to
+// identify which running containers belong to forage sandboxes.
+func buildContainerReverseMap(sandboxesDir string) map[string]string {
+	result := make(map[string]string)
+	if sandboxesDir == "" {
+		return result
+	}
+
+	sandboxes, err := config.ListSandboxes(sandboxesDir)
+	if err != nil {
+		logging.Debug("failed to list sandboxes for reverse map", "error", err)
+		return result
+	}
+
+	for _, meta := range sandboxes {
+		result[meta.ResolvedContainerName()] = meta.Name
+	}
+	return result
+}
diff --git a/packages/forage-ctl/internal/runtime/runtime.go b/packages/forage-ctl/internal/runtime/runtime.go
new file mode 100644
index 0000000..221bb2c
--- /dev/null
+++ b/packages/forage-ctl/internal/runtime/runtime.go
@@ -0,0 +1,226 @@
+// Package runtime defines the container runtime interface for forage-ctl.
+// This abstraction allows for multiple backend implementations (nspawn, docker, etc.)
+// and enables comprehensive testing through mocking.
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	image "github.com/firefly-engineering/firefly-forage/images/forage-base"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+)
+
+// ContainerStatus represents the state of a container
+type ContainerStatus string
+
+const (
+	StatusRunning  ContainerStatus = "running"
+	StatusStopped  ContainerStatus = "stopped"
+	StatusNotFound ContainerStatus = "not-found"
+	StatusUnknown  ContainerStatus = "unknown"
+)
+
+const (
+	// DefaultImage is the pre-built base image with common packages (tmux, git, jq).
+	DefaultImage = "ghcr.io/firefly-engineering/forage-base:latest"
+
+	// FallbackImage is the tag used when building the base image locally.
+	FallbackImage = "forage-base:local"
+)
+
+// BuildFallbackImage builds the forage-base image locally using the embedded
+// Dockerfile. Called by runtimes when the pre-built GHCR image is unavailable.
+// The buildCmd is the container CLI binary (e.g. "container", "docker").
+func BuildFallbackImage(ctx context.Context, buildCmd string) error {
+	dir, err := os.MkdirTemp("", "forage-base-build-*")
+	if err != nil {
+		return fmt.Errorf("failed to create temp build dir: %w", err)
+	}
+	defer os.RemoveAll(dir)
+
+	if err := os.WriteFile(filepath.Join(dir, "Dockerfile"), image.Dockerfile, 0644); err != nil {
+		return fmt.Errorf("failed to write Dockerfile: %w", err)
+	}
+
+	logging.Info("building forage-base image locally (this may take a minute)...")
+	cmd := exec.CommandContext(ctx, buildCmd, "build", "-t", FallbackImage, dir)
+	cmd.Stdout = os.Stderr // show build progress
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to build fallback image: %w", err)
+	}
+	return nil
+}
+
+// ContainerInfo holds information about a container
+type ContainerInfo struct {
+	Name      string
+	Status    ContainerStatus
+	StartedAt string
+	IPAddress string
+}
+
+// ExecResult holds the result of executing a command in a container
+type ExecResult struct {
+	ExitCode int
+	Stdout   string
+	Stderr   string
+}
+
+// CreateOptions holds options for creating a container
+type CreateOptions struct {
+	Name         string
+	ConfigPath   string            // Path to container config (e.g., nix file)
+	Start        bool              // Start immediately after creation
+	BindMounts   map[string]string // host path -> container path
+	ForwardPorts map[int]int       // host port -> container port
+	EnvVars      map[string]string // environment variables
+	NetworkSlot  int               // For private networking
+	ExtraArgs    []string          // Backend-specific arguments
+
+	// Resource limits (optional). Runtimes that declare ResourceLimits
+	// capability translate these to backend-specific flags.
+	CPUQuota  string // CPU quota (e.g. "200%" for 2 cores)
+	MemoryMax string // Memory limit (e.g. "4G")
+	TasksMax  int    // Maximum number of tasks/processes
+
+	// Network isolation (optional). Runtimes that declare NetworkIsolation
+	// capability use this to configure the container's network.
+	NetworkMode  string   // "full", "restricted", "none" (empty = full)
+	AllowedHosts []string // Hosts allowed in restricted mode
+
+	// Image overrides the OCI image for this specific container creation.
+	// Takes priority over the runtime's configured image.
+	Image string
+}
+
+// ExecOptions holds options for executing a command in a container
+type ExecOptions struct {
+	User        string    // User to run as
+	WorkingDir  string    // Working directory
+	Env         []string  // Environment variables
+	Stdin       io.Reader // Standard input
+	Interactive bool      // Allocate a TTY
+}
+
+// Runtime is the interface that container backends must implement.
+// All methods should be safe for concurrent use.
+type Runtime interface {
+	// Name returns the runtime identifier (e.g., "nspawn", "docker")
+	Name() string
+
+	// Create creates a new container but does not start it
+	Create(ctx context.Context, opts CreateOptions) error
+
+	// Start starts an existing container
+	Start(ctx context.Context, name string) error
+
+	// Stop stops a running container
+	Stop(ctx context.Context, name string) error
+
+	// Destroy stops and removes a container
+	Destroy(ctx context.Context, name string) error
+
+	// IsRunning checks if a container is currently running
+	IsRunning(ctx context.Context, name string) (bool, error)
+
+	// Status returns detailed status of a container
+	Status(ctx context.Context, name string) (*ContainerInfo, error)
+
+	// Exec executes a command inside a container
+	Exec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error)
+
+	// ExecInteractive executes a command with an interactive TTY
+	// This replaces the current process (uses syscall.Exec)
+	ExecInteractive(ctx context.Context, name string, command []string, opts ExecOptions) error
+
+	// List returns all containers managed by this runtime
+	List(ctx context.Context) ([]*ContainerInfo, error)
+}
+
+// Capabilities describes what features a runtime supports.
+// Runtimes return this from the Capabilities() method so callers can
+// gate features or warn when a template requests unsupported functionality.
+type Capabilities struct {
+	NixOSConfig      bool // Can generate NixOS container configs
+	NetworkIsolation bool // Supports network mode filtering
+	EphemeralRoot    bool // Root filesystem is ephemeral
+	SSHAccess        bool // Supports SSH into container
+	GeneratedFiles   bool // Supports generated file mounting
+	ResourceLimits   bool // Supports cgroup resource limits
+	GracefulShutdown bool // Supports graceful stop signals
+}
+
+// CapableRuntime is an optional interface that runtimes can implement to
+// advertise their capabilities. Runtimes that do not implement this are
+// assumed to have full capabilities.
+type CapableRuntime interface {
+	Capabilities() Capabilities
+}
+
+// GetCapabilities returns the capabilities of a runtime.
+// If the runtime implements CapableRuntime, its declared capabilities are returned.
+// Otherwise, all capabilities are assumed to be true (backward compatibility).
+func GetCapabilities(rt Runtime) Capabilities {
+	if cr, ok := rt.(CapableRuntime); ok {
+		return cr.Capabilities()
+	}
+	return Capabilities{
+		NixOSConfig:      true,
+		NetworkIsolation: true,
+		EphemeralRoot:    true,
+		SSHAccess:        true,
+		GeneratedFiles:   true,
+		ResourceLimits:   true,
+		GracefulShutdown: true,
+	}
+}
+
+// ExecShell executes a shell script or expression inside a container.
+// Use this instead of manually constructing ["sh", "-c", script] arrays.
+func ExecShell(ctx context.Context, rt Runtime, name, script string, opts ExecOptions) (*ExecResult, error) {
+	return rt.Exec(ctx, name, []string{"sh", "-c", script}, opts)
+}
+
+// ExecShellInteractive replaces the current process with an interactive
+// shell expression inside a container.
+// Use this instead of manually constructing ["sh", "-c", script] arrays.
+func ExecShellInteractive(ctx context.Context, rt Runtime, name, script string, opts ExecOptions) error {
+	return rt.ExecInteractive(ctx, name, []string{"sh", "-c", script}, opts)
+}
+
+// LogViewer is an optional interface for runtimes that support viewing
+// container logs. If not implemented, callers should display an error
+// indicating that log viewing is not supported by the current runtime.
+type LogViewer interface {
+	ViewLogs(ctx context.Context, name string, follow bool, lines int) error
+}
+
+// GracefulStopper is an optional interface for runtimes that support
+// graceful shutdown with a configurable timeout. If not implemented,
+// callers should fall back to Stop() for immediate termination.
+type GracefulStopper interface {
+	GracefulStop(ctx context.Context, name string, timeout time.Duration) error
+}
+
+// SSHRuntime extends Runtime with SSH-based access capabilities.
+// This is used by runtimes that provide SSH access to containers.
+type SSHRuntime interface {
+	Runtime
+
+	// SSHHost returns the SSH host (container IP) for a container
+	SSHHost(ctx context.Context, name string) (string, error)
+
+	// SSHExec executes a command via SSH
+	SSHExec(ctx context.Context, name string, command []string, opts ExecOptions) (*ExecResult, error)
+
+	// SSHInteractive starts an interactive SSH session
+	SSHInteractive(ctx context.Context, name string, command string) error
+}
diff --git a/packages/forage-ctl/internal/sandbox/cleanup.go b/packages/forage-ctl/internal/sandbox/cleanup.go
new file mode 100644
index 0000000..fea44c1
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/cleanup.go
@@ -0,0 +1,182 @@
+package sandbox
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/workspace"
+)
+
+// CleanupOptions configures sandbox cleanup behavior.
+type CleanupOptions struct {
+	// DestroyContainer if true, destroys the container via runtime.
+	DestroyContainer bool
+
+	// CleanupWorkspace if true, removes VCS workspace (jj/git-worktree).
+	CleanupWorkspace bool
+
+	// CleanupSecrets if true, removes the secrets directory.
+	CleanupSecrets bool
+
+	// CleanupConfig if true, removes the nix config file.
+	CleanupConfig bool
+
+	// CleanupSkills if true, removes the skills markdown file.
+	CleanupSkills bool
+
+	// CleanupPermissions if true, removes agent permissions files (*-permissions.json).
+	CleanupPermissions bool
+
+	// CleanupMetadata if true, removes the sandbox metadata file.
+	CleanupMetadata bool
+
+	// CleanupAuditLog if true, removes the sandbox audit log.
+	CleanupAuditLog bool
+}
+
+// DefaultCleanupOptions returns options that clean up everything.
+func DefaultCleanupOptions() CleanupOptions {
+	return CleanupOptions{
+		DestroyContainer:   true,
+		CleanupWorkspace:   true,
+		CleanupSecrets:     true,
+		CleanupConfig:      true,
+		CleanupSkills:      true,
+		CleanupPermissions: true,
+		CleanupMetadata:    true,
+		CleanupAuditLog:    true,
+	}
+}
+
+// Cleanup removes sandbox resources.
+// This is the canonical cleanup function used by both the down command
+// and error recovery in the create flow.
+// The rt parameter is optional; if nil, container destruction is skipped.
+func Cleanup(ctx context.Context, metadata *config.SandboxMetadata, paths *config.Paths, opts CleanupOptions, rt runtime.Runtime) {
+	if metadata == nil {
+		return
+	}
+
+	name := metadata.Name
+	logging.Debug("cleaning up sandbox", "name", name)
+
+	// Destroy container if requested (always attempt — unit file cleanup
+	// must happen even after the container has already been stopped).
+	if opts.DestroyContainer && rt != nil {
+		logging.Debug("destroying container", "name", name)
+		if err := rt.Destroy(ctx, name); err != nil {
+			logging.Warn("container destroy failed during cleanup", "name", name, "error", err)
+		}
+	}
+
+	// Clean up workspaces
+	if opts.CleanupWorkspace {
+		if len(metadata.WorkspaceMounts) > 0 {
+			// Multi-mount cleanup: iterate each mount
+			for _, m := range metadata.WorkspaceMounts {
+				if m.SourceRepo == "" {
+					continue // hostPath mounts don't need cleanup
+				}
+				backend := workspace.BackendForMode(m.Mode)
+				if backend == nil {
+					continue
+				}
+				// Workspace name matches the pattern used in setupWorkspaceMounts
+				wsName := name + "-" + m.Name
+				logging.Debug("cleaning up workspace mount",
+					"mount", m.Name,
+					"backend", backend.Name(),
+					"repo", m.SourceRepo,
+					"wsName", wsName)
+				if err := backend.Remove(m.SourceRepo, wsName, m.HostPath); err != nil {
+					logging.Warn("failed to remove workspace mount", "mount", m.Name, "error", err)
+				}
+			}
+			// Remove the managed workspace subdirectory for this sandbox
+			sandboxWsDir := filepath.Join(paths.WorkspacesDir, name)
+			if err := os.RemoveAll(sandboxWsDir); err != nil {
+				logging.Warn("failed to remove sandbox workspace directory", "path", sandboxWsDir, "error", err)
+			}
+		} else if metadata.SourceRepo != "" {
+			// Legacy single-workspace cleanup
+			backend := workspace.BackendForMode(metadata.WorkspaceMode)
+			if backend != nil {
+				logging.Debug("cleaning up workspace",
+					"backend", backend.Name(),
+					"repo", metadata.SourceRepo,
+					"name", name)
+				if err := backend.Remove(metadata.SourceRepo, name, metadata.Workspace); err != nil {
+					logging.Warn("failed to remove workspace", "error", err)
+				}
+			}
+		}
+	}
+
+	// Remove secrets directory
+	if opts.CleanupSecrets {
+		secretsPath := filepath.Join(paths.SecretsDir, name)
+		logging.Debug("removing secrets", "path", secretsPath)
+		if err := os.RemoveAll(secretsPath); err != nil {
+			logging.Warn("failed to remove secrets directory", "path", secretsPath, "error", err)
+		}
+	}
+
+	// Remove skills file
+	if opts.CleanupSkills {
+		skillsPath := filepath.Join(paths.SandboxesDir, name+".skills.md")
+		if err := os.Remove(skillsPath); err != nil && !os.IsNotExist(err) {
+			logging.Warn("failed to remove skills file", "path", skillsPath, "error", err)
+		}
+	}
+
+	// Remove permissions files (e.g. <name>.claude-permissions.json)
+	if opts.CleanupPermissions {
+		pattern := filepath.Join(paths.SandboxesDir, name+".*-permissions.json")
+		matches, err := filepath.Glob(pattern)
+		if err != nil {
+			logging.Warn("failed to glob permissions files", "pattern", pattern, "error", err)
+		}
+		for _, match := range matches {
+			logging.Debug("removing permissions file", "path", match)
+			if err := os.Remove(match); err != nil && !os.IsNotExist(err) {
+				logging.Warn("failed to remove permissions file", "path", match, "error", err)
+			}
+		}
+	}
+
+	// Remove nix config file
+	if opts.CleanupConfig {
+		configPath := filepath.Join(paths.SandboxesDir, name+".nix")
+		if err := os.Remove(configPath); err != nil && !os.IsNotExist(err) {
+			logging.Warn("failed to remove config file", "path", configPath, "error", err)
+		}
+	}
+
+	// Remove generated file staging directory
+	if opts.CleanupConfig {
+		generatedDir := filepath.Join(paths.SandboxesDir, name+".generated")
+		if err := os.RemoveAll(generatedDir); err != nil {
+			logging.Warn("failed to remove generated files directory", "path", generatedDir, "error", err)
+		}
+	}
+
+	// Remove audit log
+	if opts.CleanupAuditLog {
+		auditPath := filepath.Join(paths.StateDir, "sandboxes", name+".events.jsonl")
+		if err := os.Remove(auditPath); err != nil && !os.IsNotExist(err) {
+			logging.Warn("failed to remove audit log", "path", auditPath, "error", err)
+		}
+	}
+
+	// Remove metadata
+	if opts.CleanupMetadata {
+		logging.Debug("removing metadata", "name", name)
+		if err := config.DeleteSandboxMetadata(paths.SandboxesDir, name); err != nil {
+			logging.Warn("failed to remove metadata", "name", name, "error", err)
+		}
+	}
+}
diff --git a/packages/forage-ctl/internal/sandbox/cleanup_test.go b/packages/forage-ctl/internal/sandbox/cleanup_test.go
new file mode 100644
index 0000000..3ed90b0
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/cleanup_test.go
@@ -0,0 +1,75 @@
+package sandbox
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+func TestCleanup_RemovesPermissionsFiles(t *testing.T) {
+	tmpDir := t.TempDir()
+	sandboxesDir := filepath.Join(tmpDir, "sandboxes")
+	os.MkdirAll(sandboxesDir, 0755)
+
+	paths := &config.Paths{
+		SandboxesDir:  sandboxesDir,
+		SecretsDir:    filepath.Join(tmpDir, "secrets"),
+		WorkspacesDir: filepath.Join(tmpDir, "workspaces"),
+	}
+
+	name := "test-sandbox"
+	metadata := &config.SandboxMetadata{
+		Name:          name,
+		Template:      "claude",
+		NetworkSlot:   1,
+		Workspace:     "/tmp/workspace",
+		WorkspaceMode: "direct",
+	}
+
+	// Create permissions files
+	permFiles := []string{
+		name + ".claude-permissions.json",
+		name + ".copilot-permissions.json",
+	}
+	for _, f := range permFiles {
+		path := filepath.Join(sandboxesDir, f)
+		if err := os.WriteFile(path, []byte(`{}`), 0644); err != nil {
+			t.Fatalf("Failed to create test file %s: %v", f, err)
+		}
+	}
+
+	// Create a permissions file for a different sandbox (should NOT be removed)
+	otherPerm := filepath.Join(sandboxesDir, "other.claude-permissions.json")
+	if err := os.WriteFile(otherPerm, []byte(`{}`), 0644); err != nil {
+		t.Fatalf("Failed to create other permissions file: %v", err)
+	}
+
+	// Run cleanup with only permissions enabled
+	opts := CleanupOptions{
+		CleanupPermissions: true,
+	}
+	Cleanup(context.Background(), metadata, paths, opts, nil)
+
+	// Verify permissions files were removed
+	for _, f := range permFiles {
+		path := filepath.Join(sandboxesDir, f)
+		if _, err := os.Stat(path); !os.IsNotExist(err) {
+			t.Errorf("permissions file %s should have been removed", f)
+		}
+	}
+
+	// Verify other sandbox's permissions file was NOT removed
+	if _, err := os.Stat(otherPerm); os.IsNotExist(err) {
+		t.Error("other sandbox's permissions file should not have been removed")
+	}
+}
+
+func TestDefaultCleanupOptions_IncludesPermissions(t *testing.T) {
+	opts := DefaultCleanupOptions()
+	if !opts.CleanupPermissions {
+		t.Error("DefaultCleanupOptions should have CleanupPermissions = true")
+	}
+}
diff --git a/packages/forage-ctl/internal/sandbox/contributions.go b/packages/forage-ctl/internal/sandbox/contributions.go
new file mode 100644
index 0000000..42a7c17
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/contributions.go
@@ -0,0 +1,348 @@
+package sandbox
+
+import (
+	"context"
+	"fmt"
+	"os/user"
+	"path/filepath"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/agent"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/generator"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/reproducibility"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/workspace"
+)
+
+// ContributionSourcesParams holds parameters for building contribution sources.
+type ContributionSourcesParams struct {
+	Runtime       runtime.Runtime
+	Template      *config.Template
+	Metadata      *config.SandboxMetadata // Needed for skills generation
+	WsBackend     workspace.Backend       // Legacy single-workspace backend
+	Mux           multiplexer.Multiplexer
+	Identity      *config.AgentIdentity
+	WorkspacePath string
+	SourceRepo    string
+	SecretsPath   string
+	ProxyURL      string
+	SandboxName   string
+	HostConfig    *config.HostConfig
+
+	// Multi-mount fields (when set, override single-workspace fields)
+	WorkspaceMounts []config.WorkspaceMountMeta
+	MountBackends   map[string]workspace.Backend // mount name -> backend
+}
+
+// ContributionSourcesResult holds the result of building contribution sources.
+type ContributionSourcesResult struct {
+	Sources         injection.CollectionSources
+	Reproducibility reproducibility.Reproducibility
+}
+
+// buildContributionSources builds the collection sources for the injection collector.
+// This centralizes the construction of all the contributors that participate in
+// container configuration.
+func buildContributionSources(params ContributionSourcesParams) ContributionSourcesResult {
+	rt := params.Runtime
+	template := params.Template
+	wsBackend := params.WsBackend
+	mux := params.Mux
+	identity := params.Identity
+	workspacePath := params.WorkspacePath
+	sourceRepo := params.SourceRepo
+	secretsPath := params.SecretsPath
+	proxyURL := params.ProxyURL
+	sandboxName := params.SandboxName
+	hostConfig := params.HostConfig
+	// Get container info from runtime if available
+	var containerInfo runtime.SandboxContainerInfo
+	if gfr, ok := rt.(runtime.GeneratedFileRuntime); ok {
+		containerInfo = gfr.ContainerInfo()
+	} else {
+		var opts []runtime.ContainerInfoOption
+		if hostConfig != nil {
+			opts = append(opts,
+				runtime.WithUsername(hostConfig.ResolvedContainerUsername()),
+				runtime.WithWorkspaceDir(hostConfig.ResolvedWorkspacePath()),
+			)
+		}
+		containerInfo = runtime.DefaultContainerInfo(opts...)
+	}
+
+	// Get host home directory
+	hostHomeDir := ""
+	if hostConfig != nil && hostConfig.User != "" {
+		if u, err := user.Lookup(hostConfig.User); err == nil {
+			hostHomeDir = u.HomeDir
+		}
+	}
+
+	// Build the list of contributors
+	var contributors []any
+
+	// 1. Reproducibility (Nix store mount, base packages)
+	repro := reproducibility.NewNixReproducibility()
+	contributors = append(contributors, repro)
+
+	// 2. Workspace mount contributor(s)
+	if len(params.WorkspaceMounts) > 0 {
+		// Multi-mount path: build resolved mounts from metadata
+		var resolvedMounts []injection.ResolvedMount
+		for _, m := range params.WorkspaceMounts {
+			resolvedMounts = append(resolvedMounts, injection.ResolvedMount{
+				Name:          m.Name,
+				HostPath:      m.HostPath,
+				ContainerPath: m.ContainerPath,
+				ReadOnly:      m.ReadOnly,
+			})
+		}
+		contributors = append(contributors, injection.NewWorkspaceMountsContributor(resolvedMounts))
+	} else {
+		// Legacy single-mount path
+		workspaceMountContrib := injection.NewWorkspaceMountContributor(workspacePath, containerInfo.WorkspaceDir)
+		contributors = append(contributors, workspaceMountContrib)
+	}
+
+	// 3. Secrets contributor (if secrets are configured)
+	if secretsPath != "" {
+		secrets := injection.NewSecretsContributor(secretsPath)
+		contributors = append(contributors, secrets)
+	}
+
+	// 4. Workspace backend contributor(s)
+	if len(params.WorkspaceMounts) > 0 && params.MountBackends != nil {
+		// Multi-mount: add per-mount VCS backends
+		for _, backend := range params.MountBackends {
+			contributors = append(contributors, backend)
+		}
+	} else if wsBackend != nil {
+		// Legacy: single workspace backend
+		contributors = append(contributors, wsBackend)
+	}
+
+	// 5. Multiplexer contributor
+	if mux != nil {
+		contributors = append(contributors, mux)
+	}
+
+	// 6. Identity contributor (if identity is configured)
+	if identity != nil {
+		identityContrib := injection.NewIdentityContributor(
+			identity.GitUser,
+			identity.GitEmail,
+			identity.SSHKeyPath,
+			containerInfo.HomeDir,
+		)
+		contributors = append(contributors, identityContrib)
+	}
+
+	// 7. Proxy contributor (if proxy is configured)
+	if proxyURL != "" {
+		proxy := injection.NewProxyContributor(proxyURL, sandboxName)
+		contributors = append(contributors, proxy)
+	}
+
+	// 8. Base tmpfiles contributor
+	baseTmpfiles := injection.NewBaseTmpfilesContributor(containerInfo.HomeDir, containerInfo.Username)
+	contributors = append(contributors, baseTmpfiles)
+
+	// 9. Agent contributors
+	if gfr, ok := rt.(runtime.GeneratedFileRuntime); ok {
+		for agentName, agentCfg := range template.Agents {
+			cfg := &agent.Config{
+				PackagePath:           agentCfg.PackagePath,
+				AuthEnvVar:            agentCfg.AuthEnvVar,
+				SecretName:            agentCfg.SecretName,
+				HostConfigDir:         agentCfg.HostConfigDir,
+				ContainerConfigDir:    agentCfg.ContainerConfigDir,
+				HostConfigDirReadOnly: agentCfg.HostConfigDirReadOnly,
+			}
+			if hostConfig != nil {
+				cfg.StateDir = hostConfig.StateDir
+			}
+			if agentCfg.Permissions != nil {
+				cfg.Permissions = &agent.Permissions{
+					SkipAll: agentCfg.Permissions.SkipAll,
+					Allow:   agentCfg.Permissions.Allow,
+					Deny:    agentCfg.Permissions.Deny,
+				}
+			}
+			if a := agent.NewAgent(agentName, cfg, gfr); a != nil {
+				contributors = append(contributors, a)
+
+				// Add Claude-specific tmpfiles if this is a Claude agent
+				if agentName == "claude" {
+					claudeTmpfiles := injection.NewClaudeTmpfilesContributor(containerInfo.HomeDir, containerInfo.Username)
+					contributors = append(contributors, claudeTmpfiles)
+				}
+			}
+		}
+	}
+
+	// 10. Skills contributor (generates system prompt and skill files)
+	if params.Metadata != nil && template != nil {
+		skillsContrib := NewSkillsContributor(containerInfo.HomeDir, template, params.Metadata)
+		contributors = append(contributors, skillsContrib)
+	}
+
+	// Build request contexts
+	mountReq := &injection.MountRequest{
+		WorkspacePath:     workspacePath,
+		SourceRepo:        sourceRepo,
+		HostHomeDir:       hostHomeDir,
+		ContainerHomeDir:  containerInfo.HomeDir,
+		ReadOnlyWorkspace: template.ReadOnlyWorkspace,
+	}
+
+	envVarReq := &injection.EnvVarRequest{
+		SandboxName: sandboxName,
+		SecretsPath: secretsPath,
+		ProxyURL:    proxyURL,
+		SourceRepo:  sourceRepo,
+	}
+
+	genFileReq := &injection.GeneratedFileRequest{
+		SandboxName:   sandboxName,
+		SourceRepo:    sourceRepo,
+		WorkspacePath: workspacePath,
+		Template:      template.Name,
+	}
+
+	tmpfilesReq := &injection.TmpfilesRequest{
+		HomeDir:  containerInfo.HomeDir,
+		Username: containerInfo.Username,
+	}
+
+	// Build the generated file mounter if runtime supports it
+	var gfMounter interface {
+		MountGeneratedFile(ctx context.Context, sandboxName string, file injection.GeneratedFile) (injection.Mount, error)
+	}
+	if gfr, ok := rt.(runtime.GeneratedFileRuntime); ok {
+		gfMounter = gfr
+	}
+
+	return ContributionSourcesResult{
+		Sources: injection.CollectionSources{
+			Contributors:         contributors,
+			MountRequest:         mountReq,
+			EnvVarRequest:        envVarReq,
+			GeneratedFileRequest: genFileReq,
+			TmpfilesRequest:      tmpfilesReq,
+			GeneratedFileMounter: gfMounter,
+			SandboxName:          sandboxName,
+		},
+		Reproducibility: repro,
+	}
+}
+
+// RebuildContainerConfigParams holds parameters for rebuilding a container config.
+type RebuildContainerConfigParams struct {
+	Metadata   *config.SandboxMetadata
+	Template   *config.Template
+	HostConfig *config.HostConfig
+	Paths      *config.Paths
+}
+
+// RebuildContainerConfig rebuilds the container config from metadata using the contribution system.
+// This is useful for commands that need to regenerate configs for existing sandboxes.
+func RebuildContainerConfig(ctx context.Context, params RebuildContainerConfigParams) (*generator.ContainerConfig, error) {
+	metadata := params.Metadata
+	template := params.Template
+	hostConfig := params.HostConfig
+	paths := params.Paths
+
+	// Determine secrets path (if secrets are used)
+	secretsPath := ""
+	for _, agent := range template.Agents {
+		if agent.SecretName != "" {
+			secretsPath = filepath.Join(paths.SecretsDir, metadata.Name)
+			break
+		}
+	}
+
+	// Determine proxy URL
+	proxyURL := ""
+	if template.UseProxy && hostConfig.ProxyURL != "" {
+		proxyURL = hostConfig.ProxyURL
+	}
+
+	// Create multiplexer instance
+	mux := multiplexer.New(multiplexer.Type(metadata.Multiplexer))
+
+	// Detect workspace backend from metadata
+	var wsBackend workspace.Backend
+	if metadata.SourceRepo != "" {
+		wsBackend = workspace.DetectBackend(metadata.SourceRepo)
+	}
+
+	// Create a properly configured runtime with SandboxesDir for generated file staging
+	rt, err := runtime.New(&runtime.Config{
+		Type:            runtime.RuntimeAuto,
+		ContainerPrefix: config.ContainerPrefix,
+		SandboxesDir:    paths.SandboxesDir,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize runtime: %w", err)
+	}
+
+	// Build contribution sources
+	contribParams := ContributionSourcesParams{
+		Runtime:       rt,
+		Template:      template,
+		Metadata:      metadata,
+		WsBackend:     wsBackend,
+		Mux:           mux,
+		Identity:      metadata.AgentIdentity,
+		WorkspacePath: metadata.Workspace,
+		SourceRepo:    metadata.SourceRepo,
+		SecretsPath:   secretsPath,
+		ProxyURL:      proxyURL,
+		SandboxName:   metadata.Name,
+		HostConfig:    hostConfig,
+	}
+
+	// Use multi-mount data from metadata if present
+	if len(metadata.WorkspaceMounts) > 0 {
+		contribParams.WorkspaceMounts = metadata.WorkspaceMounts
+		mountBackends := make(map[string]workspace.Backend)
+		for _, m := range metadata.WorkspaceMounts {
+			if m.SourceRepo != "" {
+				if b := workspace.BackendForMode(m.Mode); b != nil {
+					mountBackends[m.Name] = b
+				}
+			}
+		}
+		if len(mountBackends) > 0 {
+			contribParams.MountBackends = mountBackends
+		}
+	}
+	contribResult := buildContributionSources(contribParams)
+
+	// Collect contributions
+	collector := injection.NewCollector()
+	contributions, err := collector.Collect(ctx, contribResult.Sources)
+	if err != nil {
+		return nil, err
+	}
+
+	return &generator.ContainerConfig{
+		Name:            metadata.Name,
+		NetworkSlot:     metadata.NetworkSlot,
+		AuthorizedKeys:  hostConfig.AuthorizedKeys,
+		Template:        template,
+		UID:             hostConfig.UID,
+		GID:             hostConfig.GID,
+		Mux:             mux,
+		AgentIdentity:   metadata.AgentIdentity,
+		Runtime:         metadata.Runtime,
+		Username:        hostConfig.ResolvedContainerUsername(),
+		WorkspaceDir:    hostConfig.ResolvedWorkspacePath(),
+		StateVersion:    hostConfig.ResolvedStateVersion(),
+		NixpkgsPath:     hostConfig.NixpkgsPath,
+		Contributions:   contributions,
+		Reproducibility: contribResult.Reproducibility,
+	}, nil
+}
diff --git a/packages/forage-ctl/internal/sandbox/creator.go b/packages/forage-ctl/internal/sandbox/creator.go
new file mode 100644
index 0000000..e5efdf8
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/creator.go
@@ -0,0 +1,1546 @@
+package sandbox
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	"go.opentelemetry.io/otel/attribute"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/audit"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/generator"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/network"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/nixcache"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/port"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/workspace"
+)
+
+// Creator handles sandbox creation with all necessary dependencies.
+type Creator struct {
+	paths      *config.Paths
+	hostConfig *config.HostConfig
+	rt         runtime.Runtime
+}
+
+// NewCreator creates a new sandbox Creator with default configuration.
+func NewCreator() (*Creator, error) {
+	paths := config.DefaultPaths()
+
+	hostConfig, err := config.LoadHostConfig(paths.ConfigDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load host config: %w", err)
+	}
+
+	rt, err := runtime.New(&runtime.Config{
+		Type:            runtime.RuntimeAuto,
+		ContainerPrefix: config.ContainerPrefix,
+		NixpkgsPath:     hostConfig.NixpkgsPath,
+		SandboxesDir:    paths.SandboxesDir,
+		Image:           hostConfig.ContainerImage,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize runtime: %w", err)
+	}
+
+	return &Creator{
+		paths:      paths,
+		hostConfig: hostConfig,
+		rt:         rt,
+	}, nil
+}
+
+// Create creates a new sandbox with the given options.
+// File locking is used to prevent TOCTOU races during slot allocation.
+func (c *Creator) Create(ctx context.Context, opts CreateOptions) (*CreateResult, error) {
+	ctx, span := telemetry.Start(ctx, "sandbox.create")
+	defer span.End()
+
+	logging.Debug("starting sandbox creation", "name", opts.Name, "template", opts.Template)
+
+	// Phase 1: Validate inputs
+	if err := c.validateInputs(opts); err != nil {
+		return nil, err
+	}
+
+	// Acquire an exclusive lock on the sandboxes directory to prevent
+	// concurrent slot allocation races (TOCTOU in AllocateSlot).
+	unlock, err := acquireSandboxLock(c.paths.SandboxesDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to acquire sandbox lock: %w", err)
+	}
+	defer unlock()
+
+	// Check runtime capabilities and warn about unsupported features
+	warnings := c.checkCapabilities()
+
+	// Phase 2: Load resources and allocate ports
+	resources, err := c.loadResources(opts)
+	if err != nil {
+		return nil, err
+	}
+
+	// Resolve and validate agent identity (after template load for template-level identity)
+	identity := c.resolveIdentity(opts, resources.template)
+	if err = config.ValidateAgentIdentity(identity); err != nil {
+		return nil, fmt.Errorf("invalid agent identity: %w", err)
+	}
+
+	// Phase 3: Set up workspace
+	var ws *workspaceSetup
+	if len(resources.template.WorkspaceMounts) > 0 {
+		ws, err = c.setupWorkspaceMounts(ctx, opts, resources.template)
+	} else {
+		if opts.RepoPath == "" {
+			return nil, fmt.Errorf("--repo is required (template has no workspace mounts configured)")
+		}
+		ws, err = c.setupWorkspace(ctx, opts)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Phase 4: Create metadata
+	metadata := c.createMetadata(opts, resources, ws, identity)
+
+	// Set up cleanup on failure
+	cleanup := func() {
+		c.cleanup(ctx, metadata)
+	}
+
+	// Phase 5: Set up secrets (only if any agent uses secrets)
+	var secretsPath string
+	if c.templateHasSecrets(resources.template) {
+		secretsPath = filepath.Join(c.paths.SecretsDir, opts.Name)
+		if err = c.setupSecrets(ctx, secretsPath, resources.template); err != nil {
+			cleanup()
+			return nil, fmt.Errorf("failed to setup secrets: %w", err)
+		}
+	}
+
+	// Phase 6-8: Generate config and create container.
+	// Try two-phase cached path for nspawn; fall back to single-pass.
+	if nspawnRT, ok := c.rt.(*runtime.NspawnRuntime); ok {
+		err = c.createCached(ctx, opts, resources, ws, secretsPath, identity, metadata, nspawnRT)
+	} else {
+		err = c.createGeneric(ctx, opts, resources, ws, secretsPath, identity, metadata)
+	}
+	if err != nil {
+		cleanup()
+		return nil, err
+	}
+
+	// Phase 9: Post-creation setup (wait for SSH)
+	c.postCreationSetup(ctx, metadata)
+
+	// Phase 10: Run init commands
+	initResult := c.runInitCommands(ctx, metadata, resources.template)
+
+	// Log creation event
+	auditLogger := audit.NewLogger(c.paths.StateDir)
+	_ = auditLogger.LogEvent(audit.EventCreate, opts.Name, "template="+opts.Template)
+
+	return &CreateResult{
+		Name:               opts.Name,
+		ContainerIP:        metadata.ContainerIP(),
+		Workspace:          ws.effectivePath,
+		Metadata:           metadata,
+		CapabilityWarnings: warnings,
+		InitResult:         initResult,
+	}, nil
+}
+
+// resourceAllocation holds loaded resources and allocated network slot.
+type resourceAllocation struct {
+	template    *config.Template
+	networkSlot int
+}
+
+// validateInputs validates the sandbox creation inputs.
+func (c *Creator) validateInputs(opts CreateOptions) error {
+	if err := config.ValidateSandboxName(opts.Name); err != nil {
+		return fmt.Errorf("invalid sandbox name: %w", err)
+	}
+
+	if config.SandboxExists(c.paths.SandboxesDir, opts.Name) {
+		return fmt.Errorf("sandbox %s already exists", opts.Name)
+	}
+
+	return nil
+}
+
+// loadResources loads the template and allocates network slot.
+func (c *Creator) loadResources(opts CreateOptions) (*resourceAllocation, error) {
+	template, err := config.LoadTemplate(c.paths.TemplatesDir, opts.Template)
+	if err != nil {
+		return nil, fmt.Errorf("template not found: %s", opts.Template)
+	}
+
+	sandboxes, err := config.ListSandboxes(c.paths.SandboxesDir)
+	if err != nil {
+		logging.Debug("no existing sandboxes found", "error", err)
+		sandboxes = []*config.SandboxMetadata{}
+	}
+
+	networkSlot, err := port.AllocateSlot(sandboxes)
+	if err != nil {
+		return nil, fmt.Errorf("slot allocation failed: %w", err)
+	}
+	logging.Debug("network slot allocated", "slot", networkSlot)
+
+	return &resourceAllocation{
+		template:    template,
+		networkSlot: networkSlot,
+	}, nil
+}
+
+// createMetadata creates the sandbox metadata struct.
+func (c *Creator) createMetadata(opts CreateOptions, resources *resourceAllocation, ws *workspaceSetup, identity *config.AgentIdentity) *config.SandboxMetadata {
+	meta := &config.SandboxMetadata{
+		Name:          opts.Name,
+		Template:      opts.Template,
+		NetworkSlot:   resources.networkSlot,
+		CreatedAt:     time.Now().Format(time.RFC3339),
+		AgentIdentity: identity,
+		Multiplexer:   resources.template.Multiplexer,
+		ContainerName: config.ContainerNameForSlot(resources.networkSlot),
+		Runtime:       c.rt.Name(),
+	}
+
+	if len(ws.mounts) > 0 {
+		// Multi-mount path
+		meta.WorkspaceMounts = ws.mounts
+		// Set legacy fields from first mount for backward compat
+		if len(ws.mounts) > 0 {
+			first := ws.mounts[0]
+			meta.Workspace = first.HostPath
+			meta.WorkspaceMode = first.Mode
+			meta.SourceRepo = first.SourceRepo
+			meta.GitBranch = first.GitBranch
+		}
+	} else {
+		// Legacy single-mount path
+		meta.Workspace = ws.effectivePath
+		meta.WorkspaceMode = string(ws.mode)
+		meta.SourceRepo = ws.sourceRepo
+		meta.JJWorkspaceName = opts.Name
+		meta.GitBranch = ws.gitBranch
+	}
+
+	return meta
+}
+
+// writeContainerConfig generates and writes the Nix container configuration using the contribution system.
+func (c *Creator) writeContainerConfig(ctx context.Context, opts CreateOptions, resources *resourceAllocation, ws *workspaceSetup, secretsPath string, identity *config.AgentIdentity, metadata *config.SandboxMetadata) (string, error) {
+	ctx, span := telemetry.Start(ctx, "sandbox.generate-nix-config")
+	defer span.End()
+	// Determine proxy URL
+	proxyURL := ""
+	if resources.template.UseProxy && c.hostConfig.ProxyURL != "" {
+		proxyURL = c.hostConfig.ProxyURL
+		logging.Debug("using API proxy", "url", proxyURL)
+	}
+
+	// Create multiplexer instance
+	mux := multiplexer.New(multiplexer.Type(resources.template.Multiplexer))
+
+	// Build contribution sources from all backends
+	contribParams := ContributionSourcesParams{
+		Runtime:       c.rt,
+		Template:      resources.template,
+		Metadata:      metadata,
+		WsBackend:     ws.backend,
+		Mux:           mux,
+		Identity:      identity,
+		WorkspacePath: ws.effectivePath,
+		SourceRepo:    ws.sourceRepo,
+		SecretsPath:   secretsPath,
+		ProxyURL:      proxyURL,
+		SandboxName:   opts.Name,
+		HostConfig:    c.hostConfig,
+	}
+	if len(ws.mounts) > 0 {
+		contribParams.WorkspaceMounts = ws.mounts
+		contribParams.MountBackends = ws.backends
+	}
+	contribResult := buildContributionSources(contribParams)
+
+	// Collect contributions from all sources
+	collector := injection.NewCollector()
+	contributions, err := collector.Collect(ctx, contribResult.Sources)
+	if err != nil {
+		return "", fmt.Errorf("failed to collect contributions: %w", err)
+	}
+
+	// Pass resource limits if runtime supports them
+	var resourceLimits *config.ResourceLimits
+	caps := runtime.GetCapabilities(c.rt)
+	if caps.ResourceLimits && resources.template.ResourceLimits != nil {
+		resourceLimits = resources.template.ResourceLimits
+	} else if resources.template.ResourceLimits != nil && !resources.template.ResourceLimits.IsEmpty() {
+		logging.Warn("runtime does not support resource limits; ignoring resource limit configuration")
+	}
+
+	containerCfg := &generator.ContainerConfig{
+		Name:            opts.Name,
+		NetworkSlot:     resources.networkSlot,
+		AuthorizedKeys:  c.resolveSSHKeys(opts),
+		Template:        resources.template,
+		UID:             c.hostConfig.UID,
+		GID:             c.hostConfig.GID,
+		Mux:             mux,
+		AgentIdentity:   identity,
+		Runtime:         c.rt.Name(),
+		Username:        c.hostConfig.ResolvedContainerUsername(),
+		WorkspaceDir:    c.hostConfig.ResolvedWorkspacePath(),
+		StateVersion:    c.hostConfig.ResolvedStateVersion(),
+		NixpkgsPath:     c.hostConfig.NixpkgsPath,
+		ResourceLimits:  resourceLimits,
+		Contributions:   contributions,
+		Reproducibility: contribResult.Reproducibility,
+	}
+
+	nixConfig, err := generator.GenerateNixConfig(containerCfg)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate container config: %w", err)
+	}
+
+	configPath := filepath.Join(c.paths.SandboxesDir, opts.Name+".nix")
+	if err := os.MkdirAll(c.paths.SandboxesDir, 0755); err != nil {
+		return "", fmt.Errorf("failed to create sandboxes directory: %w", err)
+	}
+	if err := os.WriteFile(configPath, []byte(nixConfig), 0644); err != nil {
+		return "", fmt.Errorf("failed to write config: %w", err)
+	}
+
+	return configPath, nil
+}
+
+// runtimeConfig is the JSON structure bind-mounted at /run/forage/config.json.
+// The forage-network and forage-hostname services read it at container boot.
+type runtimeConfig struct {
+	SandboxName string `json:"sandboxName"`
+	NetworkSlot int    `json:"networkSlot"`
+	Gateway     string `json:"gateway"`
+}
+
+// createCached implements the two-phase cached creation flow for nspawn.
+// 1. Check cache for inner system store path (keyed on template+host config)
+// 2. If miss: build inner system and cache it
+// 3. Generate runtime files (config.json, forage.json, env vars, nftables)
+// 4. Generate outer config (references cached inner + all bind mounts)
+// 5. Build outer /etc
+// 6. Create container from cached /etc
+func (c *Creator) createCached(ctx context.Context, opts CreateOptions, resources *resourceAllocation, ws *workspaceSetup, secretsPath string, identity *config.AgentIdentity, metadata *config.SandboxMetadata, nspawnRT *runtime.NspawnRuntime) error {
+	ctx, span := telemetry.Start(ctx, "sandbox.create-cached")
+	defer span.End()
+
+	logging.Info("nixcache: entering cached creation flow", "sandbox", opts.Name, "template", opts.Template)
+
+	cache := nixcache.New(c.paths.SandboxesDir)
+
+	// Compute cache key from template config + host config
+	templateJSON, err := json.Marshal(resources.template)
+	if err != nil {
+		return fmt.Errorf("failed to marshal template for cache key: %w", err)
+	}
+	cacheKey := nixcache.Key(templateJSON, c.hostConfig.NixpkgsPath, c.hostConfig.UID, c.hostConfig.GID, c.hostConfig.ResolvedStateVersion())
+
+	span.SetAttributes(attribute.String("nixcache.key", cacheKey))
+
+	// Phase 1: Get or build inner system
+	systemPath := cache.Get(cacheKey)
+	if systemPath != "" {
+		logging.Info("nixcache hit, skipping inner system build", "key", cacheKey, "path", systemPath)
+		span.AddEvent("nixcache.hit")
+	} else {
+		logging.Info("nixcache miss, building inner system", "key", cacheKey)
+		span.AddEvent("nixcache.miss")
+
+		// Build contribution sources for the inner config
+		proxyURL := ""
+		if resources.template.UseProxy && c.hostConfig.ProxyURL != "" {
+			proxyURL = c.hostConfig.ProxyURL
+		}
+
+		mux := multiplexer.New(multiplexer.Type(resources.template.Multiplexer))
+		contribParams := ContributionSourcesParams{
+			Runtime:       c.rt,
+			Template:      resources.template,
+			Metadata:      metadata,
+			WsBackend:     ws.backend,
+			Mux:           mux,
+			Identity:      identity,
+			WorkspacePath: ws.effectivePath,
+			SourceRepo:    ws.sourceRepo,
+			SecretsPath:   secretsPath,
+			ProxyURL:      proxyURL,
+			SandboxName:   opts.Name,
+			HostConfig:    c.hostConfig,
+		}
+		if len(ws.mounts) > 0 {
+			contribParams.WorkspaceMounts = ws.mounts
+			contribParams.MountBackends = ws.backends
+		}
+		contribResult := buildContributionSources(contribParams)
+		collector := injection.NewCollector()
+		var contributions *injection.Contributions
+		contributions, err = collector.Collect(ctx, contribResult.Sources)
+		if err != nil {
+			return fmt.Errorf("failed to collect contributions: %w", err)
+		}
+
+		var resourceLimits *config.ResourceLimits
+		caps := runtime.GetCapabilities(c.rt)
+		if caps.ResourceLimits && resources.template.ResourceLimits != nil {
+			resourceLimits = resources.template.ResourceLimits
+		}
+
+		innerCfg := &generator.ContainerConfig{
+			Name:            opts.Name,
+			NetworkSlot:     resources.networkSlot,
+			AuthorizedKeys:  c.resolveSSHKeys(opts),
+			Template:        resources.template,
+			UID:             c.hostConfig.UID,
+			GID:             c.hostConfig.GID,
+			Mux:             mux,
+			AgentIdentity:   identity,
+			Runtime:         c.rt.Name(),
+			Username:        c.hostConfig.ResolvedContainerUsername(),
+			WorkspaceDir:    c.hostConfig.ResolvedWorkspacePath(),
+			StateVersion:    c.hostConfig.ResolvedStateVersion(),
+			NixpkgsPath:     c.hostConfig.NixpkgsPath,
+			ResourceLimits:  resourceLimits,
+			Contributions:   contributions,
+			Reproducibility: contribResult.Reproducibility,
+		}
+
+		var innerNix string
+		innerNix, err = generator.GenerateInnerNixConfig(innerCfg)
+		if err != nil {
+			return fmt.Errorf("failed to generate inner config: %w", err)
+		}
+
+		// Write inner config to temp file
+		innerPath := filepath.Join(c.paths.SandboxesDir, opts.Name+".inner.nix")
+		err = os.MkdirAll(c.paths.SandboxesDir, 0755)
+		if err != nil {
+			return fmt.Errorf("failed to create sandboxes directory: %w", err)
+		}
+		err = os.WriteFile(innerPath, []byte(innerNix), 0644)
+		if err != nil {
+			return fmt.Errorf("failed to write inner config: %w", err)
+		}
+
+		systemPath, err = nspawnRT.BuildInnerSystem(ctx, innerPath)
+		if err != nil {
+			// Fall back to single-pass flow
+			logging.Warn("nixcache: inner system build failed, falling back to single-pass", "error", err)
+			return c.createSinglePass(ctx, opts, resources, ws, secretsPath, identity, metadata)
+		}
+
+		err = cache.Put(cacheKey, systemPath)
+		if err != nil {
+			logging.Warn("failed to cache inner system", "key", cacheKey, "dir", c.paths.StateDir, "error", err)
+		} else {
+			logging.Info("nixcache stored", "key", cacheKey, "path", systemPath)
+		}
+	}
+
+	// Phase 2: Generate runtime files and stage them as bind mounts
+	runtimeMounts, err := c.generateRuntimeFiles(ctx, opts, resources)
+	if err != nil {
+		return fmt.Errorf("failed to generate runtime files: %w", err)
+	}
+
+	// Phase 3: Collect all bind mounts (from contributions + runtime files)
+	proxyURL := ""
+	if resources.template.UseProxy && c.hostConfig.ProxyURL != "" {
+		proxyURL = c.hostConfig.ProxyURL
+	}
+	mux := multiplexer.New(multiplexer.Type(resources.template.Multiplexer))
+	contribParams := ContributionSourcesParams{
+		Runtime:       c.rt,
+		Template:      resources.template,
+		Metadata:      metadata,
+		WsBackend:     ws.backend,
+		Mux:           mux,
+		Identity:      identity,
+		WorkspacePath: ws.effectivePath,
+		SourceRepo:    ws.sourceRepo,
+		SecretsPath:   secretsPath,
+		ProxyURL:      proxyURL,
+		SandboxName:   opts.Name,
+		HostConfig:    c.hostConfig,
+	}
+	if len(ws.mounts) > 0 {
+		contribParams.WorkspaceMounts = ws.mounts
+		contribParams.MountBackends = ws.backends
+	}
+	contribResult := buildContributionSources(contribParams)
+	collector := injection.NewCollector()
+	contributions, err := collector.Collect(ctx, contribResult.Sources)
+	if err != nil {
+		return fmt.Errorf("failed to collect contributions: %w", err)
+	}
+
+	// Build the full bind mount list
+	var allMounts []generator.BindMount
+	for _, m := range contributions.Mounts {
+		allMounts = append(allMounts, generator.BindMount{
+			Path:     m.ContainerPath,
+			HostPath: m.HostPath,
+			ReadOnly: m.ReadOnly,
+		})
+	}
+	allMounts = append(allMounts, runtimeMounts...)
+
+	// Phase 4: Generate outer config
+	outerData := &generator.OuterTemplateData{
+		ContainerName: config.ContainerNameForSlot(resources.networkSlot),
+		NetworkSlot:   resources.networkSlot,
+		SystemPath:    systemPath,
+		BindMounts:    allMounts,
+	}
+
+	outerNix, err := generator.GenerateOuterNixConfig(outerData)
+	if err != nil {
+		return fmt.Errorf("failed to generate outer config: %w", err)
+	}
+
+	// Write outer config
+	outerPath := filepath.Join(c.paths.SandboxesDir, opts.Name+".outer.nix")
+	err = os.WriteFile(outerPath, []byte(outerNix), 0644)
+	if err != nil {
+		return fmt.Errorf("failed to write outer config: %w", err)
+	}
+
+	// Also write the single-pass .nix as fallback for future starts
+	c.writeFallbackConfig(ctx, opts, resources, ws, secretsPath, identity, metadata)
+
+	// Phase 5: Build outer /etc using our stripped eval-config (minimal module set)
+	evalConfigPath := filepath.Join(c.paths.SandboxesDir, opts.Name+".eval-config.nix")
+	err = os.WriteFile(evalConfigPath, []byte(generator.EvalConfigNix), 0644)
+	if err != nil {
+		return fmt.Errorf("failed to write eval-config.nix: %w", err)
+	}
+
+	etcPath, err := nspawnRT.BuildOuterEtc(ctx, outerPath, evalConfigPath)
+	if err != nil {
+		// Fall back to full nix-build eval (slower but works)
+		logging.Warn("outer etc build failed, falling back to full nix-build eval", "error", err)
+		if err := config.SaveSandboxMetadata(c.paths.SandboxesDir, metadata); err != nil {
+			return fmt.Errorf("failed to save metadata: %w", err)
+		}
+		return c.startContainer(ctx, opts.Name, outerPath)
+	}
+
+	// Phase 6: Save metadata with cached etc path for fast restarts
+	metadata.CachedEtcPath = etcPath
+	if err := config.SaveSandboxMetadata(c.paths.SandboxesDir, metadata); err != nil {
+		return fmt.Errorf("failed to save metadata: %w", err)
+	}
+
+	// Phase 7: Install container from pre-built /etc (no Nix eval needed)
+	return nspawnRT.CreateFromEtc(ctx, etcPath, true)
+}
+
+// generateRuntimeFiles creates per-sandbox files that are bind-mounted into
+// the container at runtime (not baked into the NixOS evaluation).
+func (c *Creator) generateRuntimeFiles(ctx context.Context, opts CreateOptions, resources *resourceAllocation) ([]generator.BindMount, error) {
+	_, span := telemetry.Start(ctx, "sandbox.generate-runtime-files")
+	defer span.End()
+
+	stagingDir := filepath.Join(c.paths.SandboxesDir, opts.Name+".runtime")
+	if err := os.MkdirAll(stagingDir, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create runtime staging dir: %w", err)
+	}
+
+	var mounts []generator.BindMount
+
+	// 1. /run/forage/config.json — sandbox name, network slot, gateway IP
+	rtCfg := runtimeConfig{
+		SandboxName: opts.Name,
+		NetworkSlot: resources.networkSlot,
+		Gateway:     fmt.Sprintf("10.100.%d.1", resources.networkSlot),
+	}
+	rtCfgJSON, _ := json.MarshalIndent(rtCfg, "", "  ")
+	rtCfgPath := filepath.Join(stagingDir, "config.json")
+	if err := os.WriteFile(rtCfgPath, rtCfgJSON, 0644); err != nil {
+		return nil, fmt.Errorf("failed to write runtime config: %w", err)
+	}
+	mounts = append(mounts, generator.BindMount{
+		Path:     "/run/forage/config.json",
+		HostPath: rtCfgPath,
+		ReadOnly: true,
+	})
+
+	// 2. /etc/forage.json — in-container metadata
+	forageJSON := map[string]string{
+		"sandboxName":   opts.Name,
+		"containerName": config.ContainerNameForSlot(resources.networkSlot),
+		"runtime":       c.rt.Name(),
+	}
+	forageJSONBytes, _ := json.MarshalIndent(forageJSON, "", "  ")
+	forageJSONPath := filepath.Join(stagingDir, "forage.json")
+	if err := os.WriteFile(forageJSONPath, forageJSONBytes, 0644); err != nil {
+		return nil, fmt.Errorf("failed to write forage.json: %w", err)
+	}
+	mounts = append(mounts, generator.BindMount{
+		Path:     "/etc/forage.json",
+		HostPath: forageJSONPath,
+		ReadOnly: true,
+	})
+
+	// 3. /etc/profile.d/forage-env.sh — per-sandbox env vars
+	proxyURL := ""
+	if resources.template.UseProxy && c.hostConfig.ProxyURL != "" {
+		proxyURL = c.hostConfig.ProxyURL
+	}
+	if proxyURL != "" {
+		envScript := fmt.Sprintf(`# Per-sandbox environment (generated by forage)
+export SANDBOX_NAME=%q
+export ANTHROPIC_BASE_URL=%q
+`, opts.Name, fmt.Sprintf("http://10.100.%d.1:8080", resources.networkSlot))
+		envScriptPath := filepath.Join(stagingDir, "forage-env.sh")
+		if err := os.WriteFile(envScriptPath, []byte(envScript), 0644); err != nil {
+			return nil, fmt.Errorf("failed to write env script: %w", err)
+		}
+		mounts = append(mounts, generator.BindMount{
+			Path:     "/etc/profile.d/forage-env.sh",
+			HostPath: envScriptPath,
+			ReadOnly: true,
+		})
+	}
+
+	// 4. /etc/forage-nftables.conf — nftables rules for restricted mode
+	if network.Mode(resources.template.Network) == network.ModeRestricted && len(resources.template.AllowedHosts) > 0 {
+		nftCfg := &network.Config{
+			Mode:         network.ModeRestricted,
+			AllowedHosts: resources.template.AllowedHosts,
+			NetworkSlot:  resources.networkSlot,
+		}
+		ruleset := network.GenerateNftablesRuleset(nftCfg)
+		if ruleset != "" {
+			nftPath := filepath.Join(stagingDir, "forage-nftables.conf")
+			if err := os.WriteFile(nftPath, []byte(ruleset), 0644); err != nil {
+				return nil, fmt.Errorf("failed to write nftables rules: %w", err)
+			}
+			mounts = append(mounts, generator.BindMount{
+				Path:     "/etc/forage-nftables.conf",
+				HostPath: nftPath,
+				ReadOnly: true,
+			})
+		}
+	}
+
+	return mounts, nil
+}
+
+// createSinglePass is the fallback to the original single-pass creation flow.
+func (c *Creator) createSinglePass(ctx context.Context, opts CreateOptions, resources *resourceAllocation, ws *workspaceSetup, secretsPath string, identity *config.AgentIdentity, metadata *config.SandboxMetadata) error {
+	configPath, err := c.writeContainerConfig(ctx, opts, resources, ws, secretsPath, identity, metadata)
+	if err != nil {
+		return err
+	}
+	if err := config.SaveSandboxMetadata(c.paths.SandboxesDir, metadata); err != nil {
+		return fmt.Errorf("failed to save metadata: %w", err)
+	}
+	return c.startContainer(ctx, opts.Name, configPath)
+}
+
+// writeFallbackConfig writes the single-pass .nix config as fallback for restarts.
+// Errors are logged but not fatal — the cached etc path is the primary mechanism.
+func (c *Creator) writeFallbackConfig(ctx context.Context, opts CreateOptions, resources *resourceAllocation, ws *workspaceSetup, secretsPath string, identity *config.AgentIdentity, metadata *config.SandboxMetadata) {
+	_, err := c.writeContainerConfig(ctx, opts, resources, ws, secretsPath, identity, metadata)
+	if err != nil {
+		logging.Warn("failed to write fallback config", "error", err)
+	}
+}
+
+// createGeneric implements the non-nspawn creation flow for Docker, Podman, and Apple backends.
+// It collects contribution bind mounts and passes them to the runtime's Create method.
+func (c *Creator) createGeneric(ctx context.Context, opts CreateOptions, resources *resourceAllocation, ws *workspaceSetup, secretsPath string, identity *config.AgentIdentity, metadata *config.SandboxMetadata) error {
+	ctx, span := telemetry.Start(ctx, "sandbox.create-generic")
+	defer span.End()
+
+	// Write the nix config (for reference/debugging, not used by the runtime)
+	if _, writeErr := c.writeContainerConfig(ctx, opts, resources, ws, secretsPath, identity, metadata); writeErr != nil {
+		return writeErr
+	}
+
+	if saveErr := config.SaveSandboxMetadata(c.paths.SandboxesDir, metadata); saveErr != nil {
+		return fmt.Errorf("failed to save metadata: %w", saveErr)
+	}
+
+	// Collect contributions to get bind mounts
+	proxyURL := ""
+	if resources.template.UseProxy && c.hostConfig.ProxyURL != "" {
+		proxyURL = c.hostConfig.ProxyURL
+	}
+	mux := multiplexer.New(multiplexer.Type(resources.template.Multiplexer))
+	contribParams := ContributionSourcesParams{
+		Runtime:       c.rt,
+		Template:      resources.template,
+		Metadata:      metadata,
+		WsBackend:     ws.backend,
+		Mux:           mux,
+		Identity:      identity,
+		WorkspacePath: ws.effectivePath,
+		SourceRepo:    ws.sourceRepo,
+		SecretsPath:   secretsPath,
+		ProxyURL:      proxyURL,
+		SandboxName:   opts.Name,
+		HostConfig:    c.hostConfig,
+	}
+	if len(ws.mounts) > 0 {
+		contribParams.WorkspaceMounts = ws.mounts
+		contribParams.MountBackends = ws.backends
+	}
+	contribResult := buildContributionSources(contribParams)
+	collector := injection.NewCollector()
+	contributions, err := collector.Collect(ctx, contribResult.Sources)
+	if err != nil {
+		return fmt.Errorf("failed to collect contributions: %w", err)
+	}
+
+	// Build bind mount map from contributions.
+	// Skip the /nix/store mount — OCI-based runtimes have their own nix store
+	// in the image, and overlaying the host store would break the container.
+	bindMounts := make(map[string]string)
+	for _, m := range contributions.Mounts {
+		if m.ContainerPath == "/nix/store" {
+			continue
+		}
+		bindMounts[m.HostPath] = m.ContainerPath
+	}
+
+	// Build env var map from contributions.
+	// EnvVar values are Nix expressions (double-quoted strings like `"value"`);
+	// strip the outer quotes for plain key=value usage in OCI runtimes.
+	envVars := make(map[string]string)
+	for _, ev := range contributions.EnvVars {
+		val := ev.Value
+		if len(val) >= 2 && val[0] == '"' && val[len(val)-1] == '"' {
+			val = val[1 : len(val)-1]
+		}
+		envVars[ev.Name] = val
+	}
+
+	logging.Debug("creating container via runtime", "name", opts.Name, "mounts", len(bindMounts), "envVars", len(envVars))
+	createOpts := runtime.CreateOptions{
+		Name:        opts.Name,
+		Start:       true,
+		BindMounts:  bindMounts,
+		EnvVars:     envVars,
+		NetworkSlot: resources.networkSlot,
+		Image:       resources.template.Image,
+	}
+
+	// Pass resource limits if configured and runtime supports them
+	caps := runtime.GetCapabilities(c.rt)
+	if caps.ResourceLimits && resources.template.ResourceLimits != nil {
+		rl := resources.template.ResourceLimits
+		createOpts.CPUQuota = rl.CPUQuota
+		createOpts.MemoryMax = rl.MemoryMax
+		createOpts.TasksMax = rl.TasksMax
+	}
+
+	// Pass network isolation if runtime supports it
+	if caps.NetworkIsolation {
+		createOpts.NetworkMode = resources.template.Network
+		createOpts.AllowedHosts = resources.template.AllowedHosts
+	}
+
+	if err := c.rt.Create(ctx, createOpts); err != nil {
+		return err
+	}
+
+	// For OCI runtimes, install contributed packages and start the mux session.
+	// The nspawn path bakes packages into the NixOS config and starts tmux via
+	// the forage-init systemd service; the OCI path must do both post-start.
+	if !caps.NixOSConfig {
+		if pkgErr := c.installPackages(ctx, opts.Name, contributions.Packages); pkgErr != nil {
+			logging.Warn("failed to install packages", "error", pkgErr)
+		}
+		if muxErr := c.startMuxSession(ctx, opts.Name, mux, resources.template); muxErr != nil {
+			logging.Warn("failed to start multiplexer session", "error", muxErr)
+		}
+	}
+
+	return nil
+}
+
+// installPackages installs contributed packages inside an OCI container via nix.
+// The nspawn path declares these in environment.systemPackages; the OCI path
+// must install them post-start since the base image may not have them.
+func (c *Creator) installPackages(ctx context.Context, name string, packages []injection.Package) error {
+	if len(packages) == 0 {
+		return nil
+	}
+
+	// Query which packages are already installed in the container's nix profile.
+	installed := c.listInstalledPackages(ctx, name)
+
+	// Build nix installable references from package names.
+	// Bare names (e.g. "tmux") become "nixpkgs#tmux".
+	// Flake references (containing # or /) are used as-is.
+	// Packages already installed in the image are skipped.
+	var installables []string
+	for _, pkg := range packages {
+		if installed[pkg.Name] {
+			logging.Debug("skipping already-installed package", "package", pkg.Name)
+			continue
+		}
+		ref := pkg.Name
+		if !strings.Contains(ref, "#") && !strings.Contains(ref, "/") {
+			ref = "nixpkgs#" + ref
+		}
+		installables = append(installables, ref)
+	}
+
+	if len(installables) == 0 {
+		return nil
+	}
+
+	// Deduplicate
+	seen := make(map[string]bool)
+	var deduped []string
+	for _, ref := range installables {
+		if !seen[ref] {
+			seen[ref] = true
+			deduped = append(deduped, ref)
+		}
+	}
+
+	logging.Debug("installing packages in container", "name", name, "packages", deduped)
+
+	// nix profile install can take multiple installables in one invocation.
+	// --extra-experimental-features is needed for images where nix-command/flakes
+	// aren't enabled in nix.conf (e.g. the fallback nixos/nix:latest image).
+	// --profile targets the default profile whose bin/ is already on PATH;
+	// without it, nix writes to a per-user profile that isn't on PATH.
+	script := "NIXPKGS_ALLOW_UNFREE=1 nix --extra-experimental-features 'nix-command flakes' profile install --impure --profile /nix/var/nix/profiles/default --no-write-lock-file " + strings.Join(deduped, " ")
+
+	installCtx, cancel := context.WithTimeout(ctx, 5*time.Minute)
+	defer cancel()
+
+	result, err := runtime.ExecShell(installCtx, c.rt, name, script, runtime.ExecOptions{})
+	if err != nil {
+		return fmt.Errorf("nix profile install failed: %w", err)
+	}
+	if result.ExitCode != 0 {
+		return fmt.Errorf("nix profile install exited %d: %s", result.ExitCode, result.Stderr)
+	}
+
+	return nil
+}
+
+// listInstalledPackages queries the container's nix profile for already-installed
+// packages and returns a set of their names. This allows installPackages to skip
+// packages that ship in the base image, regardless of which image is used.
+// Returns an empty map on any error (fail-open: we'll just reinstall).
+func (c *Creator) listInstalledPackages(ctx context.Context, name string) map[string]bool {
+	listCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
+	defer cancel()
+
+	result, err := runtime.ExecShell(listCtx, c.rt, name, "nix --extra-experimental-features 'nix-command flakes' profile list --profile /nix/var/nix/profiles/default --json", runtime.ExecOptions{})
+	if err != nil || result.ExitCode != 0 {
+		return nil
+	}
+
+	// Parse {"elements": {"tmux": {...}, "git": {...}}, "version": N}
+	var profile struct {
+		Elements map[string]json.RawMessage `json:"elements"`
+	}
+	if err := json.Unmarshal([]byte(result.Stdout), &profile); err != nil {
+		return nil
+	}
+
+	installed := make(map[string]bool, len(profile.Elements))
+	for pkg := range profile.Elements {
+		installed[pkg] = true
+	}
+
+	if len(installed) > 0 {
+		logging.Debug("detected pre-installed packages", "packages", installed)
+	}
+	return installed
+}
+
+// startMuxSession execs the multiplexer init script inside an OCI container.
+// This is the OCI equivalent of the forage-init systemd service in nspawn.
+// It uses a timeout to avoid blocking creation if tmux is unavailable.
+func (c *Creator) startMuxSession(ctx context.Context, name string, mux multiplexer.Multiplexer, tmpl *config.Template) error {
+	var windows []multiplexer.Window
+	if len(tmpl.TmuxWindows) > 0 {
+		for _, w := range tmpl.TmuxWindows {
+			windows = append(windows, multiplexer.Window{Name: w.Name, Command: w.Command})
+		}
+	} else {
+		windows = []multiplexer.Window{{Name: "main"}}
+	}
+	initScript := mux.InitScript(windows)
+
+	// Use a timeout so a missing tmux binary doesn't hang creation.
+	execCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	// Pass the init script as a single element — the runtime's Exec already
+	// wraps commands in /bin/sh -c, so we avoid double-wrapping.
+	// Don't specify User because OCI images may not have the "agent" user;
+	// the container's default user (root) can start tmux fine.
+	result, err := runtime.ExecShell(execCtx, c.rt, name, initScript, runtime.ExecOptions{})
+	if err != nil {
+		return fmt.Errorf("exec failed: %w", err)
+	}
+	if result.ExitCode != 0 {
+		return fmt.Errorf("init exited %d: %s", result.ExitCode, result.Stderr)
+	}
+	return nil
+}
+
+// startContainer creates and starts the container via the runtime.
+func (c *Creator) startContainer(ctx context.Context, name, configPath string) error {
+	logging.Debug("creating container via runtime", "name", name, "config", configPath)
+	if err := c.rt.Create(ctx, runtime.CreateOptions{
+		Name:       name,
+		ConfigPath: configPath,
+		Start:      true,
+	}); err != nil {
+		return fmt.Errorf("container creation failed: %w", err)
+	}
+	return nil
+}
+
+// runInitCommands executes template-level init commands and per-project .forage/init
+// inside the container. Failures are logged as warnings and do not block creation.
+func (c *Creator) runInitCommands(ctx context.Context, metadata *config.SandboxMetadata, template *config.Template) *InitCommandResult {
+	ctx, span := telemetry.Start(ctx, "sandbox.init-commands")
+	defer span.End()
+
+	containerName := metadata.ResolvedContainerName()
+	username := c.hostConfig.ResolvedContainerUsername()
+	workspacePath := c.hostConfig.ResolvedWorkspacePath()
+	execOpts := runtime.ExecOptions{
+		User:       username,
+		WorkingDir: workspacePath,
+	}
+
+	result := &InitCommandResult{}
+
+	// Run template init commands
+	for _, cmd := range template.InitCommands {
+		result.TemplateCommandsRun++
+		logging.Debug("running init command", "command", cmd, "container", containerName)
+
+		execResult, err := runtime.ExecShell(ctx, c.rt, containerName, cmd, execOpts)
+		if err != nil {
+			warning := fmt.Sprintf("init command %q: %v", cmd, err)
+			logging.Warn(warning)
+			result.TemplateWarnings = append(result.TemplateWarnings, warning)
+			continue
+		}
+		if execResult.ExitCode != 0 {
+			warning := fmt.Sprintf("init command %q exited with code %d", cmd, execResult.ExitCode)
+			if execResult.Stderr != "" {
+				warning += ": " + execResult.Stderr
+			}
+			logging.Warn(warning)
+			result.TemplateWarnings = append(result.TemplateWarnings, warning)
+		}
+	}
+
+	// Check for per-project .forage/init script
+	initScriptPath := filepath.Join(workspacePath, ".forage", "init")
+	checkResult, err := c.rt.Exec(ctx, containerName, []string{"test", "-f", initScriptPath}, execOpts)
+	if err != nil || checkResult.ExitCode != 0 {
+		// No .forage/init script found, that's fine
+		return result
+	}
+
+	// Run the per-project init script
+	logging.Debug("running .forage/init script", "container", containerName)
+	result.ProjectInitRun = true
+	execResult, err := c.rt.Exec(ctx, containerName, []string{"sh", initScriptPath}, execOpts)
+	if err != nil {
+		result.ProjectInitWarning = fmt.Sprintf(".forage/init: %v", err)
+		logging.Warn(result.ProjectInitWarning)
+	} else if execResult.ExitCode != 0 {
+		result.ProjectInitWarning = fmt.Sprintf(".forage/init exited with code %d", execResult.ExitCode)
+		if execResult.Stderr != "" {
+			result.ProjectInitWarning += ": " + execResult.Stderr
+		}
+		logging.Warn(result.ProjectInitWarning)
+	}
+
+	return result
+}
+
+// postCreationSetup performs post-creation setup (SSH wait).
+// Skipped for runtimes that don't support SSH access.
+func (c *Creator) postCreationSetup(ctx context.Context, metadata *config.SandboxMetadata) {
+	caps := runtime.GetCapabilities(c.rt)
+	if !caps.SSHAccess {
+		logging.Debug("skipping SSH wait (runtime does not support SSH)")
+		return
+	}
+	containerIP := metadata.ContainerIP()
+	logging.Debug("waiting for SSH", "host", containerIP, "timeout", health.SSHReadyTimeoutSeconds)
+	c.waitForSSH(ctx, containerIP, health.SSHReadyTimeoutSeconds)
+}
+
+// workspaceSetup holds workspace setup results.
+type workspaceSetup struct {
+	effectivePath string
+	sourceRepo    string
+	gitBranch     string
+	backend       workspace.Backend
+	mode          WorkspaceMode
+
+	// Multi-mount results (when template has WorkspaceMounts)
+	mounts   []config.WorkspaceMountMeta
+	backends map[string]workspace.Backend // mount name -> backend
+}
+
+// setupWorkspace sets up the workspace based on the options (legacy single-mount path).
+func (c *Creator) setupWorkspace(ctx context.Context, opts CreateOptions) (*workspaceSetup, error) {
+	_, span := telemetry.Start(ctx, "sandbox.setup-workspace")
+	defer span.End()
+
+	ws := &workspaceSetup{}
+
+	absPath, err := filepath.Abs(opts.RepoPath)
+	if err != nil {
+		return nil, fmt.Errorf("invalid path: %w", err)
+	}
+	// Resolve symlinks so that bind mount paths match what tools like
+	// git-worktree write into .git files (e.g., /tmp → /private/tmp on macOS).
+	if resolved, err := filepath.EvalSymlinks(absPath); err == nil {
+		absPath = resolved
+	}
+
+	if opts.Direct {
+		if _, err := os.Stat(absPath); os.IsNotExist(err) {
+			return nil, fmt.Errorf("workspace does not exist: %s", absPath)
+		}
+		ws.effectivePath = absPath
+		ws.mode = WorkspaceModeDirect
+		return ws, nil
+	}
+
+	// Auto-detect VCS backend
+	ws.backend = workspace.DetectBackend(absPath)
+	if ws.backend == nil {
+		return nil, fmt.Errorf("not a supported repository: %s\n  Use --direct for non-repo directories", absPath)
+	}
+
+	switch ws.backend.Name() {
+	case "jj":
+		ws.mode = WorkspaceModeJJ
+	case "git-worktree":
+		ws.mode = WorkspaceModeGitWorktree
+	}
+
+	if ws.backend.Exists(absPath, opts.Name) {
+		return nil, fmt.Errorf("%s workspace %s already exists in repo", ws.backend.Name(), opts.Name)
+	}
+
+	ws.sourceRepo = absPath
+	ws.effectivePath = filepath.Join(c.paths.WorkspacesDir, opts.Name)
+
+	if gitBackend, ok := ws.backend.(*workspace.GitBackend); ok {
+		ws.gitBranch = gitBackend.BranchName(opts.Name)
+	}
+
+	if err := os.MkdirAll(c.paths.WorkspacesDir, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create workspaces directory: %w", err)
+	}
+
+	logging.Debug("creating workspace", "backend", ws.backend.Name(), "repo", absPath, "name", opts.Name)
+	if err := ws.backend.Create(absPath, opts.Name, ws.effectivePath); err != nil {
+		return nil, fmt.Errorf("failed to create %s workspace: %w", ws.backend.Name(), err)
+	}
+
+	return ws, nil
+}
+
+// resolveRepoPath resolves a mount's repo reference to an absolute path.
+// Empty/null repo uses the default --repo, a name looks up in named repos,
+// an absolute path is used as-is.
+func resolveRepoPath(repoRef string, opts CreateOptions) (string, error) {
+	if repoRef == "" {
+		// Uses default --repo
+		if opts.RepoPath == "" {
+			return "", fmt.Errorf("mount requires --repo but none provided")
+		}
+		return filepath.Abs(opts.RepoPath)
+	}
+	if filepath.IsAbs(repoRef) {
+		return repoRef, nil
+	}
+	// Named repo lookup
+	if path, ok := opts.Repos[repoRef]; ok {
+		return filepath.Abs(path)
+	}
+	return "", fmt.Errorf("named repo %q not provided via --repo", repoRef)
+}
+
+// validateMountSpecs checks mount specs for conflicts before creation.
+func validateMountSpecs(mounts map[string]*config.WorkspaceMount) error {
+	seen := make(map[string]string) // containerPath -> mount name
+	for name, m := range mounts {
+		if m.ContainerPath == "" {
+			return fmt.Errorf("mount %q: containerPath is required", name)
+		}
+		if prev, ok := seen[m.ContainerPath]; ok {
+			return fmt.Errorf("mounts %q and %q both claim container path %s", prev, name, m.ContainerPath)
+		}
+		seen[m.ContainerPath] = name
+		if m.HostPath == "" && m.Repo == "" {
+			// Repo-backed mount using default --repo (valid if --repo is provided)
+		}
+		if m.HostPath != "" && m.Repo != "" {
+			return fmt.Errorf("mount %q: cannot set both hostPath and repo", name)
+		}
+	}
+	return nil
+}
+
+// setupWorkspaceMounts sets up multiple workspace mounts from template specs.
+func (c *Creator) setupWorkspaceMounts(_ context.Context, opts CreateOptions, template *config.Template) (*workspaceSetup, error) {
+	ws := &workspaceSetup{
+		backends: make(map[string]workspace.Backend),
+	}
+
+	if err := validateMountSpecs(template.WorkspaceMounts); err != nil {
+		return nil, fmt.Errorf("invalid mount configuration: %w", err)
+	}
+
+	// Managed workspace base dir for this sandbox: workspaces/<sandbox>/<mount-name>/
+	sandboxWsDir := filepath.Join(c.paths.WorkspacesDir, opts.Name)
+
+	// Track created workspaces for rollback on failure
+	var created []config.WorkspaceMountMeta
+
+	rollback := func() {
+		for _, m := range created {
+			if m.SourceRepo != "" {
+				if backend := workspace.BackendForMode(m.Mode); backend != nil {
+					_ = backend.Remove(m.SourceRepo, m.Name, m.HostPath)
+				}
+			}
+		}
+		_ = os.RemoveAll(sandboxWsDir)
+	}
+
+	for name, spec := range template.WorkspaceMounts {
+		meta := config.WorkspaceMountMeta{
+			Name:          name,
+			ContainerPath: spec.ContainerPath,
+			ReadOnly:      spec.ReadOnly,
+		}
+
+		if spec.HostPath != "" {
+			// Literal bind mount — validate host path exists
+			absPath, err := filepath.Abs(spec.HostPath)
+			if err != nil {
+				rollback()
+				return nil, fmt.Errorf("mount %q: invalid hostPath: %w", name, err)
+			}
+			if _, err := os.Stat(absPath); os.IsNotExist(err) {
+				rollback()
+				return nil, fmt.Errorf("mount %q: hostPath does not exist: %s", name, absPath)
+			}
+			meta.HostPath = absPath
+			meta.Mode = "direct"
+		} else {
+			// Repo-backed mount
+			repoPath, err := resolveRepoPath(spec.Repo, opts)
+			if err != nil {
+				rollback()
+				return nil, fmt.Errorf("mount %q: %w", name, err)
+			}
+
+			if _, err := os.Stat(repoPath); os.IsNotExist(err) {
+				rollback()
+				return nil, fmt.Errorf("mount %q: repo path does not exist: %s", name, repoPath)
+			}
+
+			meta.SourceRepo = repoPath
+
+			// Determine mode (auto-detect or explicit)
+			var backend workspace.Backend
+			if spec.Mode != "" && spec.Mode != "direct" {
+				backend = workspace.BackendForMode(spec.Mode)
+				if backend == nil {
+					rollback()
+					return nil, fmt.Errorf("mount %q: unsupported mode %q", name, spec.Mode)
+				}
+			} else if spec.Mode != "direct" {
+				backend = workspace.DetectBackend(repoPath)
+			}
+
+			if backend == nil || spec.Mode == "direct" {
+				// Direct mount — use repo path directly
+				meta.HostPath = repoPath
+				meta.Mode = "direct"
+			} else {
+				// VCS workspace — create isolated workspace
+				meta.Mode = backend.Name()
+
+				// Use a unique workspace name combining sandbox name and mount name
+				wsName := opts.Name + "-" + name
+
+				if backend.Exists(repoPath, wsName) {
+					rollback()
+					return nil, fmt.Errorf("mount %q: %s workspace %s already exists in repo", name, backend.Name(), wsName)
+				}
+
+				wsPath := filepath.Join(sandboxWsDir, name)
+				if err := os.MkdirAll(sandboxWsDir, 0755); err != nil {
+					rollback()
+					return nil, fmt.Errorf("mount %q: failed to create workspace directory: %w", name, err)
+				}
+
+				logging.Debug("creating workspace mount", "name", name, "backend", backend.Name(), "repo", repoPath, "wsName", wsName)
+				if err := backend.Create(repoPath, wsName, wsPath); err != nil {
+					rollback()
+					return nil, fmt.Errorf("mount %q: failed to create %s workspace: %w", name, backend.Name(), err)
+				}
+
+				meta.HostPath = wsPath
+
+				if gitBackend, ok := backend.(*workspace.GitBackend); ok {
+					meta.GitBranch = gitBackend.BranchName(wsName)
+				}
+
+				ws.backends[name] = backend
+			}
+
+			meta.Branch = spec.Branch
+		}
+
+		created = append(created, meta)
+	}
+
+	ws.mounts = created
+
+	// Set effectivePath to the first mount's container path for backward compat in the result
+	if len(created) > 0 {
+		ws.effectivePath = created[0].HostPath
+	}
+
+	return ws, nil
+}
+
+// templateHasSecrets returns true if any agent in the template uses secrets.
+func (c *Creator) templateHasSecrets(template *config.Template) bool {
+	for _, agent := range template.Agents {
+		if agent.SecretName != "" {
+			return true
+		}
+	}
+	return false
+}
+
+// setupSecrets reads secrets from host file paths and writes them to the sandbox secrets directory.
+// Files are owned by the configured agent UID/GID so the container user can read them.
+func (c *Creator) setupSecrets(ctx context.Context, secretsPath string, template *config.Template) error {
+	_, span := telemetry.Start(ctx, "sandbox.setup-secrets")
+	defer span.End()
+
+	if err := os.MkdirAll(secretsPath, 0700); err != nil {
+		return err
+	}
+	if err := os.Chown(secretsPath, c.hostConfig.UID, c.hostConfig.GID); err != nil {
+		return fmt.Errorf("failed to chown secrets directory: %w", err)
+	}
+
+	for _, agent := range template.Agents {
+		if agent.SecretName == "" {
+			continue
+		}
+
+		secretSourcePath, ok := c.hostConfig.Secrets[agent.SecretName]
+		if !ok {
+			logging.Debug("secret not found in host config", "secret", agent.SecretName)
+			continue
+		}
+
+		secretData, err := os.ReadFile(secretSourcePath)
+		if err != nil {
+			return fmt.Errorf("failed to read secret %s from %s: %w", agent.SecretName, secretSourcePath, err)
+		}
+
+		secretFile := filepath.Join(secretsPath, filepath.Base(agent.SecretName))
+		if err := os.WriteFile(secretFile, secretData, 0600); err != nil { //nolint:gosec // secretName is validated by config.Validate
+			return fmt.Errorf("failed to write secret %s: %w", agent.SecretName, err)
+		}
+		if err := os.Chown(secretFile, c.hostConfig.UID, c.hostConfig.GID); err != nil {
+			return fmt.Errorf("failed to chown secret %s: %w", agent.SecretName, err)
+		}
+		logging.Debug("secret written", "secret", agent.SecretName)
+	}
+
+	return nil
+}
+
+// waitForSSH waits for SSH to be ready on the given host.
+func (c *Creator) waitForSSH(ctx context.Context, host string, timeoutSeconds int) bool {
+	_, span := telemetry.Start(ctx, "sandbox.wait-ssh")
+	defer span.End()
+
+	for i := range timeoutSeconds {
+		if health.CheckSSH(host) {
+			logging.Debug("SSH ready", "attempt", i+1)
+			return true
+		}
+		time.Sleep(time.Second)
+	}
+	logging.Warn("SSH not ready after timeout", "timeout", timeoutSeconds)
+	return false
+}
+
+// cleanup removes resources created during a failed sandbox creation.
+func (c *Creator) cleanup(ctx context.Context, metadata *config.SandboxMetadata) {
+	logging.Debug("cleaning up failed sandbox creation", "name", metadata.Name)
+
+	// Use unified cleanup function with all options enabled
+	Cleanup(ctx, metadata, c.paths, DefaultCleanupOptions(), c.rt)
+}
+
+// resolveIdentity merges identity from four levels (lowest to highest priority):
+//  1. Host user's ~/.gitconfig (fallback for name/email only)
+//  2. HostConfig.AgentIdentity (host-level defaults)
+//  3. Template.AgentIdentity (template-level defaults)
+//  4. Per-sandbox CreateOptions (explicit overrides)
+//
+// Returns nil if all fields are empty (no identity configured).
+func (c *Creator) resolveIdentity(opts CreateOptions, template *config.Template) *config.AgentIdentity {
+	var gitUser, gitEmail, sshKeyPath string
+
+	// 1. Host user gitconfig (lowest priority fallback, name/email only)
+	if hostGit := config.ReadHostUserGitIdentity(c.hostConfig.User, opts.RepoPath); hostGit != nil {
+		gitUser = hostGit.GitUser
+		gitEmail = hostGit.GitEmail
+	}
+
+	// 2. Host-level defaults
+	if c.hostConfig.AgentIdentity != nil {
+		if c.hostConfig.AgentIdentity.GitUser != "" {
+			gitUser = c.hostConfig.AgentIdentity.GitUser
+		}
+		if c.hostConfig.AgentIdentity.GitEmail != "" {
+			gitEmail = c.hostConfig.AgentIdentity.GitEmail
+		}
+		if c.hostConfig.AgentIdentity.SSHKeyPath != "" {
+			sshKeyPath = c.hostConfig.AgentIdentity.SSHKeyPath
+		}
+	}
+
+	// 3. Template-level defaults
+	if template != nil && template.AgentIdentity != nil {
+		if template.AgentIdentity.GitUser != "" {
+			gitUser = template.AgentIdentity.GitUser
+		}
+		if template.AgentIdentity.GitEmail != "" {
+			gitEmail = template.AgentIdentity.GitEmail
+		}
+		if template.AgentIdentity.SSHKeyPath != "" {
+			sshKeyPath = template.AgentIdentity.SSHKeyPath
+		}
+	}
+
+	// 4. Per-sandbox overrides (highest priority)
+	if opts.GitUser != "" {
+		gitUser = opts.GitUser
+	}
+	if opts.GitEmail != "" {
+		gitEmail = opts.GitEmail
+	}
+	if opts.SSHKeyPath != "" {
+		sshKeyPath = opts.SSHKeyPath
+	}
+
+	// Return nil if nothing is set
+	if gitUser == "" && gitEmail == "" && sshKeyPath == "" {
+		return nil
+	}
+
+	return &config.AgentIdentity{
+		GitUser:    gitUser,
+		GitEmail:   gitEmail,
+		SSHKeyPath: sshKeyPath,
+	}
+}
+
+// resolveSSHKeys returns SSH keys to use, in order of priority:
+// 1. Explicit keys from CreateOptions
+// 2. Keys from host config
+// 3. Keys from ~/.ssh/*.pub
+func (c *Creator) resolveSSHKeys(opts CreateOptions) []string {
+	// 1. Explicit keys from options (highest priority)
+	if len(opts.SSHKeys) > 0 {
+		logging.Debug("using explicit SSH keys", "count", len(opts.SSHKeys))
+		return opts.SSHKeys
+	}
+
+	// 2. Keys from host config
+	if len(c.hostConfig.AuthorizedKeys) > 0 {
+		logging.Debug("using SSH keys from config", "count", len(c.hostConfig.AuthorizedKeys))
+		return c.hostConfig.AuthorizedKeys
+	}
+
+	// 3. Auto-detect from ~/.ssh/*.pub
+	keys := readSSHPublicKeys()
+	if len(keys) > 0 {
+		logging.Debug("using SSH keys from ~/.ssh", "count", len(keys))
+		return keys
+	}
+
+	logging.Warn("no SSH keys found")
+	return nil
+}
+
+// readSSHPublicKeys reads all SSH public keys from ~/.ssh/*.pub
+func readSSHPublicKeys() []string {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		logging.Debug("failed to get home directory", "error", err)
+		return nil
+	}
+
+	sshDir := filepath.Join(homeDir, ".ssh")
+	entries, err := os.ReadDir(sshDir)
+	if err != nil {
+		logging.Debug("failed to read ~/.ssh directory", "error", err)
+		return nil
+	}
+
+	var keys []string
+	for _, entry := range entries {
+		if entry.IsDir() || !isPubKeyFile(entry.Name()) {
+			continue
+		}
+
+		keyPath := filepath.Join(sshDir, entry.Name())
+		content, err := os.ReadFile(keyPath)
+		if err != nil {
+			logging.Debug("failed to read key file", "file", entry.Name(), "error", err)
+			continue
+		}
+
+		// Trim whitespace and skip empty files
+		key := string(content)
+		key = trimKey(key)
+		if key != "" && isValidSSHKey(key) {
+			keys = append(keys, key)
+			logging.Debug("found SSH key", "file", entry.Name())
+		}
+	}
+
+	return keys
+}
+
+// isPubKeyFile returns true if the filename looks like a public key file
+func isPubKeyFile(name string) bool {
+	return filepath.Ext(name) == ".pub"
+}
+
+// trimKey removes leading/trailing whitespace and trailing newlines
+func trimKey(key string) string {
+	// Remove trailing newlines and whitespace
+	for len(key) > 0 && (key[len(key)-1] == '\n' || key[len(key)-1] == '\r' || key[len(key)-1] == ' ') {
+		key = key[:len(key)-1]
+	}
+	// Remove leading whitespace
+	for len(key) > 0 && (key[0] == ' ' || key[0] == '\t') {
+		key = key[1:]
+	}
+	return key
+}
+
+// acquireSandboxLock acquires an exclusive file lock on the sandboxes directory
+// to prevent concurrent operations from racing on slot allocation or metadata writes.
+// Returns an unlock function that must be called when the critical section is done.
+func acquireSandboxLock(sandboxesDir string) (func(), error) {
+	if err := os.MkdirAll(sandboxesDir, 0755); err != nil {
+		return nil, err
+	}
+
+	lockPath := filepath.Join(sandboxesDir, ".lock")
+	f, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0600)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open lock file: %w", err)
+	}
+
+	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX); err != nil { //nolint:gosec // G115: fd fits in int on all supported platforms
+		_ = f.Close()
+		return nil, fmt.Errorf("failed to acquire lock: %w", err)
+	}
+
+	return func() {
+		_ = syscall.Flock(int(f.Fd()), syscall.LOCK_UN) //nolint:gosec // G115: fd fits in int on all supported platforms
+		_ = f.Close()
+	}, nil
+}
+
+// checkCapabilities checks runtime capabilities against the sandbox configuration
+// and returns warnings for unsupported features. It does not block creation.
+func (c *Creator) checkCapabilities() []string {
+	caps := runtime.GetCapabilities(c.rt)
+	var warnings []string
+
+	if !caps.NixOSConfig {
+		warnings = append(warnings, "Runtime "+c.rt.Name()+" does not support NixOS config generation; container may have reduced functionality")
+	}
+	if !caps.NetworkIsolation {
+		warnings = append(warnings, "Runtime "+c.rt.Name()+" does not support network isolation; network mode filtering will not be enforced")
+	}
+	if !caps.SSHAccess {
+		warnings = append(warnings, "Runtime "+c.rt.Name()+" does not support SSH access; use exec instead")
+	}
+	if !caps.GeneratedFiles {
+		warnings = append(warnings, "Runtime "+c.rt.Name()+" does not support generated file mounting; skills and permissions may not be available")
+	}
+
+	for _, w := range warnings {
+		logging.Warn(w)
+	}
+
+	return warnings
+}
+
+// isValidSSHKey checks if a string looks like a valid SSH public key
+func isValidSSHKey(key string) bool {
+	// Valid SSH keys start with a key type
+	validPrefixes := []string{
+		"ssh-rsa ",
+		"ssh-ed25519 ",
+		"ssh-dss ",
+		"ecdsa-sha2-nistp256 ",
+		"ecdsa-sha2-nistp384 ",
+		"ecdsa-sha2-nistp521 ",
+		"sk-ssh-ed25519@openssh.com ",
+		"sk-ecdsa-sha2-nistp256@openssh.com ",
+	}
+
+	for _, prefix := range validPrefixes {
+		if len(key) > len(prefix) && key[:len(prefix)] == prefix {
+			return true
+		}
+	}
+	return false
+}
diff --git a/packages/forage-ctl/internal/sandbox/creator_test.go b/packages/forage-ctl/internal/sandbox/creator_test.go
new file mode 100644
index 0000000..1bcf765
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/creator_test.go
@@ -0,0 +1,919 @@
+package sandbox
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/testutil"
+)
+
+func TestCreator_Create_InvalidName(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	env.AddTemplate("test", testutil.DefaultTemplate())
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	// Test invalid sandbox names
+	invalidNames := []string{
+		"",                  // empty
+		"../escape",         // path traversal
+		"My-Project",        // uppercase
+		"has spaces",        // spaces
+		"-starts-with-dash", // starts with dash
+		"has;semicolon",     // special characters
+	}
+
+	for _, name := range invalidNames {
+		t.Run(name, func(t *testing.T) {
+			_, err := creator.Create(context.Background(), CreateOptions{
+				Name:     name,
+				Template: "test",
+				RepoPath: env.TmpDir,
+				Direct:   true,
+			})
+			if err == nil {
+				t.Errorf("Create(%q) should have failed with invalid name", name)
+			}
+		})
+	}
+}
+
+func TestCreator_Create_ValidName(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// IMPORTANT: Set mock runtime as global runtime so runtime.Create() uses it
+	runtime.SetGlobal(env.Runtime)
+	defer runtime.SetGlobal(nil)
+
+	env.AddTemplate("test", testutil.DefaultTemplate())
+
+	// Create a workspace directory
+	workspacePath := env.CreateWorkspace("myproject")
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	// Test valid sandbox name
+	result, err := creator.Create(context.Background(), CreateOptions{
+		Name:     "myproject",
+		Template: "test",
+		RepoPath: workspacePath,
+		Direct:   true,
+	})
+
+	if err != nil {
+		t.Fatalf("Create() failed: %v", err)
+	}
+
+	if result.Name != "myproject" {
+		t.Errorf("Name = %q, want %q", result.Name, "myproject")
+	}
+
+	// Verify ContainerIP is derived from NetworkSlot
+	if result.ContainerIP == "" {
+		t.Error("ContainerIP should not be empty")
+	}
+	if result.Metadata.NetworkSlot < 1 || result.Metadata.NetworkSlot > 254 {
+		t.Errorf("NetworkSlot %d not in valid range [1, 254]",
+			result.Metadata.NetworkSlot)
+	}
+
+	// Verify sandbox metadata was saved
+	if !env.SandboxExists("myproject") {
+		t.Error("Sandbox metadata was not saved")
+	}
+
+	// Verify runtime.Create was called
+	if _, exists := env.Runtime.Containers["myproject"]; !exists {
+		t.Error("Container was not created via runtime")
+	}
+}
+
+func TestCreator_Create_DuplicateName(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	env.AddTemplate("test", testutil.DefaultTemplate())
+
+	// Create an existing sandbox
+	env.AddSandbox(&config.SandboxMetadata{
+		Name:        "existing",
+		Template:    "test",
+		NetworkSlot: 1,
+	})
+
+	workspacePath := env.CreateWorkspace("existing")
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	_, err := creator.Create(context.Background(), CreateOptions{
+		Name:     "existing",
+		Template: "test",
+		RepoPath: workspacePath,
+		Direct:   true,
+	})
+
+	if err == nil {
+		t.Error("Create() should have failed for duplicate name")
+	}
+}
+
+func TestCreator_Create_MissingTemplate(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	workspacePath := env.CreateWorkspace("myproject")
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	_, err := creator.Create(context.Background(), CreateOptions{
+		Name:     "myproject",
+		Template: "nonexistent",
+		RepoPath: workspacePath,
+		Direct:   true,
+	})
+
+	if err == nil {
+		t.Error("Create() should have failed for missing template")
+	}
+}
+
+func TestCreator_Create_MissingWorkspace(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	env.AddTemplate("test", testutil.DefaultTemplate())
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	_, err := creator.Create(context.Background(), CreateOptions{
+		Name:     "myproject",
+		Template: "test",
+		RepoPath: "/nonexistent/workspace",
+		Direct:   true,
+	})
+
+	if err == nil {
+		t.Error("Create() should have failed for missing workspace")
+	}
+}
+
+func TestCreator_setupSecrets(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	template := testutil.DefaultTemplate()
+	secretsPath := filepath.Join(env.TmpDir, "test-secrets")
+
+	err := creator.setupSecrets(context.Background(), secretsPath, template)
+	if err != nil {
+		t.Fatalf("setupSecrets() failed: %v", err)
+	}
+
+	// Verify secrets directory was created
+	if _, statErr := os.Stat(secretsPath); os.IsNotExist(statErr) {
+		t.Error("Secrets directory was not created")
+	}
+
+	// Verify secret file was created with correct permissions
+	secretFile := filepath.Join(secretsPath, "anthropic")
+	info, err := os.Stat(secretFile)
+	if os.IsNotExist(err) {
+		t.Error("Secret file was not created")
+	} else if info.Mode().Perm() != 0600 {
+		t.Errorf("Secret file permissions = %o, want %o", info.Mode().Perm(), 0600)
+	}
+
+	// Verify secret content
+	content, err := os.ReadFile(secretFile)
+	if err != nil {
+		t.Fatalf("Failed to read secret file: %v", err)
+	}
+	if string(content) != "sk-test-key" {
+		t.Errorf("Secret content = %q, want %q", string(content), "sk-test-key")
+	}
+}
+
+func TestCreator_setupSecrets_MissingSecret(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Remove the secret from host config
+	env.HostConfig.Secrets = map[string]string{}
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	template := testutil.DefaultTemplate()
+	secretsPath := filepath.Join(env.TmpDir, "test-secrets")
+
+	// Should not fail, just skip the missing secret
+	err := creator.setupSecrets(context.Background(), secretsPath, template)
+	if err != nil {
+		t.Fatalf("setupSecrets() should not fail for missing secret: %v", err)
+	}
+
+	// Secret file should not exist
+	secretFile := filepath.Join(secretsPath, "anthropic")
+	if _, err := os.Stat(secretFile); !os.IsNotExist(err) {
+		t.Error("Secret file should not exist when secret is missing from config")
+	}
+}
+
+func TestCreator_cleanup(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	env.AddTemplate("test", testutil.DefaultTemplate())
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	// Create some resources that cleanup should remove
+	metadata := &config.SandboxMetadata{
+		Name:        "cleanup-test",
+		Template:    "test",
+		NetworkSlot: 1,
+		Workspace:   filepath.Join(env.TmpDir, "workspace"),
+	}
+
+	// Save metadata
+	config.SaveSandboxMetadata(env.Paths.SandboxesDir, metadata)
+
+	// Create secrets directory
+	secretsPath := filepath.Join(env.Paths.SecretsDir, "cleanup-test")
+	os.MkdirAll(secretsPath, 0700)
+	os.WriteFile(filepath.Join(secretsPath, "test-secret"), []byte("secret"), 0600)
+
+	// Create config file
+	configPath := filepath.Join(env.Paths.SandboxesDir, "cleanup-test.nix")
+	os.WriteFile(configPath, []byte("# nix config"), 0644)
+
+	// Add container to mock runtime
+	env.Runtime.AddContainer("cleanup-test", runtime.StatusRunning)
+
+	// Run cleanup
+	creator.cleanup(context.Background(), metadata)
+
+	// Verify resources were cleaned up
+	if env.SandboxExists("cleanup-test") {
+		t.Error("Sandbox metadata was not cleaned up")
+	}
+
+	if _, err := os.Stat(secretsPath); !os.IsNotExist(err) {
+		t.Error("Secrets directory was not cleaned up")
+	}
+
+	if _, err := os.Stat(configPath); !os.IsNotExist(err) {
+		t.Error("Config file was not cleaned up")
+	}
+}
+
+func TestCreator_resolveIdentity(t *testing.T) {
+	tests := []struct {
+		name       string
+		hostID     *config.AgentIdentity
+		tmplID     *config.AgentIdentity
+		opts       CreateOptions
+		wantNil    bool
+		wantUser   string
+		wantEmail  string
+		wantSSHKey string
+	}{
+		{
+			name:    "no identity anywhere",
+			hostID:  nil,
+			tmplID:  nil,
+			opts:    CreateOptions{},
+			wantNil: true,
+		},
+		{
+			name: "host defaults only",
+			hostID: &config.AgentIdentity{
+				GitUser:  "Host Agent",
+				GitEmail: "host@example.com",
+			},
+			opts:      CreateOptions{},
+			wantUser:  "Host Agent",
+			wantEmail: "host@example.com",
+		},
+		{
+			name: "template defaults only",
+			tmplID: &config.AgentIdentity{
+				GitUser:  "Template Agent",
+				GitEmail: "template@example.com",
+			},
+			opts:      CreateOptions{},
+			wantUser:  "Template Agent",
+			wantEmail: "template@example.com",
+		},
+		{
+			name:   "opts only",
+			hostID: nil,
+			opts: CreateOptions{
+				GitUser:  "Opts Agent",
+				GitEmail: "opts@example.com",
+			},
+			wantUser:  "Opts Agent",
+			wantEmail: "opts@example.com",
+		},
+		{
+			name: "template overrides host",
+			hostID: &config.AgentIdentity{
+				GitUser:  "Host Agent",
+				GitEmail: "host@example.com",
+			},
+			tmplID: &config.AgentIdentity{
+				GitUser: "Template Agent",
+			},
+			opts:      CreateOptions{},
+			wantUser:  "Template Agent",
+			wantEmail: "host@example.com",
+		},
+		{
+			name: "opts override template and host",
+			hostID: &config.AgentIdentity{
+				GitUser:    "Host Agent",
+				GitEmail:   "host@example.com",
+				SSHKeyPath: "/host/key",
+			},
+			tmplID: &config.AgentIdentity{
+				GitUser:  "Template Agent",
+				GitEmail: "template@example.com",
+			},
+			opts: CreateOptions{
+				GitUser: "Override Agent",
+			},
+			wantUser:   "Override Agent",
+			wantEmail:  "template@example.com",
+			wantSSHKey: "/host/key",
+		},
+		{
+			name: "template SSH key overrides host SSH key",
+			hostID: &config.AgentIdentity{
+				SSHKeyPath: "/host/key",
+			},
+			tmplID: &config.AgentIdentity{
+				SSHKeyPath: "/template/key",
+			},
+			opts:       CreateOptions{},
+			wantSSHKey: "/template/key",
+		},
+		{
+			name: "opts override SSH key",
+			hostID: &config.AgentIdentity{
+				SSHKeyPath: "/host/key",
+			},
+			opts: CreateOptions{
+				SSHKeyPath: "/opts/key",
+			},
+			wantSSHKey: "/opts/key",
+		},
+		{
+			name:   "opts SSH key only",
+			hostID: nil,
+			opts: CreateOptions{
+				SSHKeyPath: "/my/key",
+			},
+			wantSSHKey: "/my/key",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			creator := &Creator{
+				hostConfig: &config.HostConfig{
+					User:          "nonexistent-user-for-test",
+					AgentIdentity: tt.hostID,
+				},
+			}
+
+			tmpl := &config.Template{
+				AgentIdentity: tt.tmplID,
+			}
+
+			result := creator.resolveIdentity(tt.opts, tmpl)
+
+			if tt.wantNil {
+				if result != nil {
+					t.Errorf("expected nil, got %+v", result)
+				}
+				return
+			}
+
+			if result == nil {
+				t.Fatal("expected non-nil identity")
+			}
+			if result.GitUser != tt.wantUser {
+				t.Errorf("GitUser = %q, want %q", result.GitUser, tt.wantUser)
+			}
+			if result.GitEmail != tt.wantEmail {
+				t.Errorf("GitEmail = %q, want %q", result.GitEmail, tt.wantEmail)
+			}
+			if result.SSHKeyPath != tt.wantSSHKey {
+				t.Errorf("SSHKeyPath = %q, want %q", result.SSHKeyPath, tt.wantSSHKey)
+			}
+		})
+	}
+}
+
+func TestCreator_runInitCommands_NoCommands(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	metadata := &config.SandboxMetadata{
+		Name:          "test-init",
+		Template:      "test",
+		NetworkSlot:   1,
+		ContainerName: "f1",
+	}
+	template := &config.Template{
+		Name: "test",
+	}
+
+	// Add container so exec can find it
+	env.Runtime.AddContainer("f1", runtime.StatusRunning)
+
+	result := creator.runInitCommands(context.Background(), metadata, template)
+
+	if result.TemplateCommandsRun != 0 {
+		t.Errorf("TemplateCommandsRun = %d, want 0", result.TemplateCommandsRun)
+	}
+	if len(result.TemplateWarnings) != 0 {
+		t.Errorf("TemplateWarnings = %v, want empty", result.TemplateWarnings)
+	}
+
+	// Should have .forage/init check (test -f) + execution (sh) since mock returns success
+	execCalls := env.Runtime.GetCallsFor("Exec")
+	if len(execCalls) != 2 {
+		t.Errorf("Expected 2 Exec calls (forage/init check + run), got %d", len(execCalls))
+	}
+}
+
+func TestCreator_runInitCommands_TemplateCommands(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	metadata := &config.SandboxMetadata{
+		Name:          "test-init",
+		Template:      "test",
+		NetworkSlot:   1,
+		ContainerName: "f1",
+	}
+	template := &config.Template{
+		Name:         "test",
+		InitCommands: []string{"echo hello", "echo world"},
+	}
+
+	env.Runtime.AddContainer("f1", runtime.StatusRunning)
+
+	result := creator.runInitCommands(context.Background(), metadata, template)
+
+	if result.TemplateCommandsRun != 2 {
+		t.Errorf("TemplateCommandsRun = %d, want 2", result.TemplateCommandsRun)
+	}
+	if len(result.TemplateWarnings) != 0 {
+		t.Errorf("TemplateWarnings = %v, want empty", result.TemplateWarnings)
+	}
+
+	// Verify exec calls: 2 init commands + 1 .forage/init check + 1 .forage/init run (default returns 0)
+	execCalls := env.Runtime.GetCallsFor("Exec")
+	if len(execCalls) < 2 {
+		t.Fatalf("Expected at least 2 Exec calls, got %d", len(execCalls))
+	}
+
+	// Check first command args
+	cmd1 := execCalls[0].Args[1].([]string)
+	if len(cmd1) != 3 || cmd1[0] != "sh" || cmd1[1] != "-c" || cmd1[2] != "echo hello" {
+		t.Errorf("First command = %v, want [sh -c echo hello]", cmd1)
+	}
+
+	// Check second command args
+	cmd2 := execCalls[1].Args[1].([]string)
+	if len(cmd2) != 3 || cmd2[0] != "sh" || cmd2[1] != "-c" || cmd2[2] != "echo world" {
+		t.Errorf("Second command = %v, want [sh -c echo world]", cmd2)
+	}
+
+	// Verify exec options (user and workdir)
+	opts := execCalls[0].Args[2].(runtime.ExecOptions)
+	if opts.User != "agent" {
+		t.Errorf("Exec User = %q, want %q", opts.User, "agent")
+	}
+	if opts.WorkingDir != "/workspace" {
+		t.Errorf("Exec WorkingDir = %q, want %q", opts.WorkingDir, "/workspace")
+	}
+}
+
+func TestCreator_runInitCommands_FailedCommandContinues(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	metadata := &config.SandboxMetadata{
+		Name:          "test-init",
+		Template:      "test",
+		NetworkSlot:   1,
+		ContainerName: "f1",
+	}
+	template := &config.Template{
+		Name:         "test",
+		InitCommands: []string{"failing-cmd", "second-cmd"},
+	}
+
+	env.Runtime.AddContainer("f1", runtime.StatusRunning)
+	// Set exec result to non-zero exit code for this container
+	env.Runtime.SetExecResult("f1", &runtime.ExecResult{ExitCode: 1, Stderr: "command failed"})
+
+	result := creator.runInitCommands(context.Background(), metadata, template)
+
+	// Both commands should have been attempted
+	if result.TemplateCommandsRun != 2 {
+		t.Errorf("TemplateCommandsRun = %d, want 2", result.TemplateCommandsRun)
+	}
+
+	// Both should have warnings
+	if len(result.TemplateWarnings) != 2 {
+		t.Errorf("len(TemplateWarnings) = %d, want 2", len(result.TemplateWarnings))
+	}
+
+	// Verify all exec calls were made (2 commands + 1 .forage/init check; no init run since check fails)
+	execCalls := env.Runtime.GetCallsFor("Exec")
+	if len(execCalls) != 3 {
+		t.Errorf("Expected 3 Exec calls, got %d", len(execCalls))
+	}
+}
+
+func TestCreator_runInitCommands_ProjectInit(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	metadata := &config.SandboxMetadata{
+		Name:          "test-init",
+		Template:      "test",
+		NetworkSlot:   1,
+		ContainerName: "f1",
+	}
+	template := &config.Template{
+		Name: "test",
+	}
+
+	env.Runtime.AddContainer("f1", runtime.StatusRunning)
+	// Default mock returns ExitCode 0, so test -f will "find" the file
+	// and then sh will "run" it
+
+	result := creator.runInitCommands(context.Background(), metadata, template)
+
+	if !result.ProjectInitRun {
+		t.Error("ProjectInitRun should be true when .forage/init check succeeds")
+	}
+	if result.ProjectInitWarning != "" {
+		t.Errorf("ProjectInitWarning = %q, want empty", result.ProjectInitWarning)
+	}
+
+	// Verify exec calls: 1 test -f check + 1 sh run
+	execCalls := env.Runtime.GetCallsFor("Exec")
+	if len(execCalls) != 2 {
+		t.Fatalf("Expected 2 Exec calls, got %d", len(execCalls))
+	}
+
+	// Check the test -f call
+	testCmd := execCalls[0].Args[1].([]string)
+	if testCmd[0] != "test" || testCmd[1] != "-f" {
+		t.Errorf("First command = %v, want [test -f ...]", testCmd)
+	}
+
+	// Check the sh call
+	shCmd := execCalls[1].Args[1].([]string)
+	if shCmd[0] != "sh" {
+		t.Errorf("Second command = %v, want [sh ...]", shCmd)
+	}
+}
+
+func TestValidateMountSpecs(t *testing.T) {
+	tests := []struct {
+		name    string
+		mounts  map[string]*config.WorkspaceMount
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name: "valid single mount",
+			mounts: map[string]*config.WorkspaceMount{
+				"main": {ContainerPath: "/workspace"},
+			},
+		},
+		{
+			name: "valid multiple mounts",
+			mounts: map[string]*config.WorkspaceMount{
+				"main":  {ContainerPath: "/workspace", Mode: "jj"},
+				"beads": {ContainerPath: "/workspace/.beads", Mode: "jj"},
+			},
+		},
+		{
+			name: "duplicate container paths",
+			mounts: map[string]*config.WorkspaceMount{
+				"a": {ContainerPath: "/workspace"},
+				"b": {ContainerPath: "/workspace"},
+			},
+			wantErr: true,
+			errMsg:  "both claim container path",
+		},
+		{
+			name: "missing container path",
+			mounts: map[string]*config.WorkspaceMount{
+				"bad": {ContainerPath: ""},
+			},
+			wantErr: true,
+			errMsg:  "containerPath is required",
+		},
+		{
+			name: "both hostPath and repo",
+			mounts: map[string]*config.WorkspaceMount{
+				"bad": {ContainerPath: "/workspace", HostPath: "/tmp/dir", Repo: "myrepo"},
+			},
+			wantErr: true,
+			errMsg:  "cannot set both",
+		},
+		{
+			name:   "empty mounts",
+			mounts: map[string]*config.WorkspaceMount{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateMountSpecs(tt.mounts)
+			if (err != nil) != tt.wantErr {
+				t.Fatalf("validateMountSpecs() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if tt.wantErr && tt.errMsg != "" {
+				if err == nil || !contains(err.Error(), tt.errMsg) {
+					t.Errorf("error = %v, want containing %q", err, tt.errMsg)
+				}
+			}
+		})
+	}
+}
+
+func TestResolveRepoPath(t *testing.T) {
+	tests := []struct {
+		name     string
+		repoRef  string
+		opts     CreateOptions
+		wantErr  bool
+		wantPath string // empty means don't check (absolute paths vary)
+	}{
+		{
+			name:    "empty ref uses default repo",
+			repoRef: "",
+			opts:    CreateOptions{RepoPath: "/home/user/project"},
+		},
+		{
+			name:    "empty ref with no default repo errors",
+			repoRef: "",
+			opts:    CreateOptions{},
+			wantErr: true,
+		},
+		{
+			name:     "absolute path used as-is",
+			repoRef:  "/home/user/other-project",
+			opts:     CreateOptions{},
+			wantPath: "/home/user/other-project",
+		},
+		{
+			name:    "named repo found",
+			repoRef: "data",
+			opts:    CreateOptions{Repos: map[string]string{"data": "/home/user/data-repo"}},
+		},
+		{
+			name:    "named repo not found",
+			repoRef: "missing",
+			opts:    CreateOptions{Repos: map[string]string{"data": "/home/user/data-repo"}},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path, err := resolveRepoPath(tt.repoRef, tt.opts)
+			if (err != nil) != tt.wantErr {
+				t.Fatalf("resolveRepoPath() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if tt.wantErr {
+				return
+			}
+			if tt.wantPath != "" && path != tt.wantPath {
+				t.Errorf("path = %q, want %q", path, tt.wantPath)
+			}
+		})
+	}
+}
+
+func TestCreator_setupWorkspaceMounts_HostPath(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	// Create a host directory
+	hostDir := filepath.Join(env.TmpDir, "host-data")
+	if err := os.MkdirAll(hostDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	template := &config.Template{
+		Name: "test",
+		WorkspaceMounts: map[string]*config.WorkspaceMount{
+			"data": {
+				ContainerPath: "/workspace/data",
+				HostPath:      hostDir,
+				ReadOnly:      true,
+			},
+		},
+	}
+
+	ws, err := creator.setupWorkspaceMounts(context.Background(), CreateOptions{Name: "test-sandbox"}, template)
+	if err != nil {
+		t.Fatalf("setupWorkspaceMounts() failed: %v", err)
+	}
+
+	if len(ws.mounts) != 1 {
+		t.Fatalf("mounts length = %d, want 1", len(ws.mounts))
+	}
+
+	m := ws.mounts[0]
+	if m.Name != "data" {
+		t.Errorf("mount name = %q, want %q", m.Name, "data")
+	}
+	if m.Mode != "direct" {
+		t.Errorf("mount mode = %q, want %q", m.Mode, "direct")
+	}
+	if !m.ReadOnly {
+		t.Error("mount should be read-only")
+	}
+	if m.SourceRepo != "" {
+		t.Errorf("mount sourceRepo = %q, want empty", m.SourceRepo)
+	}
+}
+
+func TestCreator_setupWorkspaceMounts_MissingHostPath(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	template := &config.Template{
+		Name: "test",
+		WorkspaceMounts: map[string]*config.WorkspaceMount{
+			"data": {
+				ContainerPath: "/workspace/data",
+				HostPath:      "/nonexistent/path",
+			},
+		},
+	}
+
+	_, err := creator.setupWorkspaceMounts(context.Background(), CreateOptions{Name: "test-sandbox"}, template)
+	if err == nil {
+		t.Fatal("setupWorkspaceMounts() should fail for missing hostPath")
+	}
+}
+
+func TestCreator_setupWorkspaceMounts_MissingRepo(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	defer env.Cleanup()
+
+	creator := &Creator{
+		paths:      env.Paths,
+		hostConfig: env.HostConfig,
+		rt:         env.Runtime,
+	}
+
+	template := &config.Template{
+		Name: "test",
+		WorkspaceMounts: map[string]*config.WorkspaceMount{
+			"main": {
+				ContainerPath: "/workspace",
+				Repo:          "missing-repo",
+			},
+		},
+	}
+
+	_, err := creator.setupWorkspaceMounts(context.Background(), CreateOptions{Name: "test-sandbox"}, template)
+	if err == nil {
+		t.Fatal("setupWorkspaceMounts() should fail for missing named repo")
+	}
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && (s == substr || len(s) > 0 && containsHelper(s, substr))
+}
+
+func containsHelper(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}
+
+func TestWorkspaceBackendFor(t *testing.T) {
+	tests := []struct {
+		mode     WorkspaceMode
+		wantName string
+		wantNil  bool
+	}{
+		{WorkspaceModeJJ, "jj", false},
+		{WorkspaceModeGitWorktree, "git-worktree", false},
+		{WorkspaceModeDirect, "", true},
+		{"", "", true},
+		{"invalid", "", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(string(tt.mode), func(t *testing.T) {
+			backend := workspaceBackendFor(tt.mode)
+			if tt.wantNil {
+				if backend != nil {
+					t.Errorf("workspaceBackendFor(%q) = %v, want nil", tt.mode, backend)
+				}
+			} else {
+				if backend == nil {
+					t.Errorf("workspaceBackendFor(%q) = nil, want non-nil", tt.mode)
+				} else if backend.Name() != tt.wantName {
+					t.Errorf("workspaceBackendFor(%q).Name() = %q, want %q",
+						tt.mode, backend.Name(), tt.wantName)
+				}
+			}
+		})
+	}
+}
diff --git a/packages/forage-ctl/internal/sandbox/doc.go b/packages/forage-ctl/internal/sandbox/doc.go
new file mode 100644
index 0000000..532a1d2
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/doc.go
@@ -0,0 +1,46 @@
+// Package sandbox provides sandbox lifecycle management for forage-ctl.
+//
+// This package handles the creation and configuration of isolated sandbox
+// environments, including workspace setup, secret injection, container
+// creation, and health monitoring.
+//
+// # Creator
+//
+// Creator orchestrates sandbox creation with all necessary dependencies:
+//
+//	creator, err := sandbox.NewCreator()
+//	if err != nil {
+//	    return err
+//	}
+//
+//	result, err := creator.Create(ctx, sandbox.CreateOptions{
+//	    Name:          "my-sandbox",
+//	    Template:      "claude",
+//	    WorkspaceMode: sandbox.WorkspaceModeDirect,
+//	    WorkspacePath: "/path/to/workspace",
+//	})
+//
+// # Workspace Modes
+//
+// Three workspace modes are supported:
+//
+//   - WorkspaceModeDirect: Bind-mount an existing directory directly
+//   - WorkspaceModeJJ: Create an isolated jj workspace from a repo
+//   - WorkspaceModeGitWorktree: Create an isolated git worktree from a repo
+//
+// # Creation Flow
+//
+// The Creator.Create method:
+//  1. Validates inputs and loads template
+//  2. Allocates port and network slot
+//  3. Sets up workspace (creates jj workspace or git worktree if needed)
+//  4. Copies secrets to sandbox secrets directory
+//  5. Generates Nix container configuration
+//  6. Creates and starts container via runtime
+//  7. Saves sandbox metadata
+//  8. Waits for SSH to become ready
+//  9. Injects project-aware skills file
+//
+// On failure, cleanup is automatic: secrets, configs, and partial containers
+// are removed.
+package sandbox
diff --git a/packages/forage-ctl/internal/sandbox/options.go b/packages/forage-ctl/internal/sandbox/options.go
new file mode 100644
index 0000000..2c6e1cf
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/options.go
@@ -0,0 +1,91 @@
+// Package sandbox provides high-level sandbox lifecycle management.
+package sandbox
+
+import (
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/workspace"
+)
+
+// CreateOptions holds all options for creating a sandbox.
+type CreateOptions struct {
+	// Name is the sandbox name (required)
+	Name string
+
+	// Template is the template name to use (required)
+	Template string
+
+	// RepoPath is the target path (repo or directory).
+	// This is the default (unnamed) repo for mounts that don't specify one.
+	RepoPath string
+
+	// Repos holds named repo parameters from --repo name=path flags.
+	// Keys are repo names, values are absolute paths.
+	Repos map[string]string
+
+	// Direct forces direct mount, skipping VCS isolation
+	Direct bool
+
+	// SSHKeys are explicit SSH public keys for sandbox access (optional)
+	// If empty, keys are resolved from config or ~/.ssh/*.pub
+	SSHKeys []string
+
+	// NoMuxConfig skips mounting the host multiplexer config into the sandbox
+	NoMuxConfig bool
+
+	// GitUser is the git user.name for agent commits (optional)
+	GitUser string
+
+	// GitEmail is the git user.email for agent commits (optional)
+	GitEmail string
+
+	// SSHKeyPath is the absolute path to a private SSH key on the host (optional)
+	SSHKeyPath string
+}
+
+// WorkspaceMode specifies the workspace setup strategy.
+type WorkspaceMode string
+
+const (
+	// WorkspaceModeDirect mounts a directory directly
+	WorkspaceModeDirect WorkspaceMode = "direct"
+
+	// WorkspaceModeJJ creates a jj workspace
+	WorkspaceModeJJ WorkspaceMode = "jj"
+
+	// WorkspaceModeGitWorktree creates a git worktree
+	WorkspaceModeGitWorktree WorkspaceMode = "git-worktree"
+)
+
+// InitCommandResult holds the results of running init commands.
+type InitCommandResult struct {
+	TemplateCommandsRun int
+	TemplateWarnings    []string
+	ProjectInitRun      bool
+	ProjectInitWarning  string
+}
+
+// CreateResult holds the result of a successful sandbox creation.
+type CreateResult struct {
+	// Name is the sandbox name
+	Name string
+
+	// ContainerIP is the container's IP address for SSH access
+	ContainerIP string
+
+	// Workspace is the effective workspace path
+	Workspace string
+
+	// Metadata is the full sandbox metadata
+	Metadata *config.SandboxMetadata
+
+	// CapabilityWarnings lists features the runtime doesn't support
+	CapabilityWarnings []string
+
+	// InitResult holds the results of running init commands
+	InitResult *InitCommandResult
+}
+
+// workspaceBackendFor returns the appropriate workspace backend for a mode.
+func workspaceBackendFor(mode WorkspaceMode) workspace.Backend {
+	return workspace.BackendForMode(string(mode))
+}
diff --git a/packages/forage-ctl/internal/sandbox/skills_contributor.go b/packages/forage-ctl/internal/sandbox/skills_contributor.go
new file mode 100644
index 0000000..f067473
--- /dev/null
+++ b/packages/forage-ctl/internal/sandbox/skills_contributor.go
@@ -0,0 +1,88 @@
+package sandbox
+
+import (
+	"context"
+	"path/filepath"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/skills"
+)
+
+// SkillsContributor generates system prompts and skill files.
+// This wraps the skills package and implements GeneratedFileContributor.
+type SkillsContributor struct {
+	HomeDir  string // Container home directory (e.g., "/home/agent")
+	Template *config.Template
+	Metadata *config.SandboxMetadata
+}
+
+// NewSkillsContributor creates a new SkillsContributor.
+func NewSkillsContributor(homeDir string, template *config.Template, metadata *config.SandboxMetadata) *SkillsContributor {
+	if homeDir == "" {
+		homeDir = "/home/agent"
+	}
+	return &SkillsContributor{
+		HomeDir:  homeDir,
+		Template: template,
+		Metadata: metadata,
+	}
+}
+
+// ContributeGeneratedFiles generates the system prompt and skill files.
+func (s *SkillsContributor) ContributeGeneratedFiles(ctx context.Context, req *injection.GeneratedFileRequest) ([]injection.GeneratedFile, error) {
+	if req == nil || s.Template == nil || s.Metadata == nil {
+		return nil, nil
+	}
+
+	var files []injection.GeneratedFile
+
+	// Analyze the project for context-aware skills
+	analyzer := skills.NewAnalyzer(req.WorkspacePath)
+	projectInfo := analyzer.Analyze()
+
+	// Generate system prompt using existing skills package
+	promptContent := skills.GenerateSystemPrompt(s.Metadata, s.Template)
+	files = append(files, injection.GeneratedFile{
+		ContainerPath: filepath.Join(s.HomeDir, ".config", "forage", "system-prompt.md"),
+		Content:       []byte(promptContent),
+		Mode:          0644,
+		ReadOnly:      true,
+	})
+
+	// Generate skill files using existing skills package
+	skillFiles := skills.GenerateSkillFiles(s.Metadata, s.Template, projectInfo)
+	claudeSkillsDir := filepath.Join(s.HomeDir, ".claude", "skills")
+	for skillName, content := range skillFiles {
+		files = append(files, injection.GeneratedFile{
+			ContainerPath: filepath.Join(claudeSkillsDir, skillName, "SKILL.md"),
+			Content:       []byte(content),
+			Mode:          0644,
+			ReadOnly:      true,
+		})
+	}
+
+	return files, nil
+}
+
+// ContributeTmpfilesRules returns tmpfiles rules for skill directories.
+func (s *SkillsContributor) ContributeTmpfilesRules(ctx context.Context, req *injection.TmpfilesRequest) ([]string, error) {
+	username := "agent"
+	if req != nil && req.Username != "" {
+		username = req.Username
+	}
+	homeDir := s.HomeDir
+	if req != nil && req.HomeDir != "" {
+		homeDir = req.HomeDir
+	}
+
+	return []string{
+		"d " + filepath.Join(homeDir, ".config", "forage") + " 0755 " + username + " users -",
+	}, nil
+}
+
+// Ensure SkillsContributor implements interfaces
+var (
+	_ injection.GeneratedFileContributor = (*SkillsContributor)(nil)
+	_ injection.TmpfilesContributor      = (*SkillsContributor)(nil)
+)
diff --git a/packages/forage-ctl/internal/skills/analyzer.go b/packages/forage-ctl/internal/skills/analyzer.go
new file mode 100644
index 0000000..39bccba
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/analyzer.go
@@ -0,0 +1,612 @@
+// Package skills provides advanced skill injection based on project analysis.
+//
+// TODO: Prefer AGENTS.md over heuristic project type detection. If an AGENTS.md
+// file exists in the workspace root, it should be used as the primary source of
+// project instructions rather than the heuristic-based analyzer below.
+package skills
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/logging"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+)
+
+// ProjectType represents the detected project type
+type ProjectType string
+
+const (
+	ProjectTypeUnknown    ProjectType = "unknown"
+	ProjectTypeGo         ProjectType = "go"
+	ProjectTypeRust       ProjectType = "rust"
+	ProjectTypePython     ProjectType = "python"
+	ProjectTypeNode       ProjectType = "node"
+	ProjectTypeNix        ProjectType = "nix"
+	ProjectTypeTypescript ProjectType = "typescript"
+)
+
+// ProjectInfo holds analyzed project information
+type ProjectInfo struct {
+	Type         ProjectType
+	HasGit       bool
+	HasJJ        bool
+	HasNixFlake  bool
+	HasTests     bool
+	HasCI        bool
+	BuildSystem  string
+	TestCommand  string
+	BuildCommand string
+	Frameworks   []string
+}
+
+// Analyzer analyzes projects to generate context-aware skills
+type Analyzer struct {
+	workspacePath string
+}
+
+// NewAnalyzer creates a new project analyzer
+func NewAnalyzer(workspacePath string) *Analyzer {
+	return &Analyzer{workspacePath: workspacePath}
+}
+
+// Analyze analyzes the project and returns project info.
+// TODO: Check for AGENTS.md first and use it as primary project instructions.
+func (a *Analyzer) Analyze() *ProjectInfo {
+	info := &ProjectInfo{
+		Type: ProjectTypeUnknown,
+	}
+
+	logging.Debug("analyzing project", "path", a.workspacePath)
+
+	// Check for version control
+	info.HasGit = a.fileExists(".git")
+	info.HasJJ = a.fileExists(".jj")
+
+	// Check for nix
+	info.HasNixFlake = a.fileExists("flake.nix")
+
+	// Check for CI
+	info.HasCI = a.fileExists(".github/workflows") ||
+		a.fileExists(".gitlab-ci.yml") ||
+		a.fileExists(".circleci")
+
+	// Detect project type
+	info.Type = a.detectProjectType()
+
+	// Detect build system and commands based on type
+	a.detectBuildSystem(info)
+
+	// Detect frameworks
+	a.detectFrameworks(info)
+
+	logging.Debug("project analysis complete",
+		"type", info.Type,
+		"hasGit", info.HasGit,
+		"hasJJ", info.HasJJ,
+		"hasNixFlake", info.HasNixFlake,
+	)
+
+	return info
+}
+
+func (a *Analyzer) fileExists(name string) bool {
+	path := filepath.Join(a.workspacePath, name)
+	_, err := os.Stat(path)
+	return err == nil
+}
+
+func (a *Analyzer) readFile(name string) string {
+	path := filepath.Join(a.workspacePath, name)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return ""
+	}
+	return string(data)
+}
+
+func (a *Analyzer) detectProjectType() ProjectType {
+	// Check for Go
+	if a.fileExists("go.mod") {
+		return ProjectTypeGo
+	}
+
+	// Check for Rust
+	if a.fileExists("Cargo.toml") {
+		return ProjectTypeRust
+	}
+
+	// Check for Python
+	if a.fileExists("pyproject.toml") || a.fileExists("setup.py") || a.fileExists("requirements.txt") {
+		return ProjectTypePython
+	}
+
+	// Check for Node/TypeScript
+	if a.fileExists("package.json") {
+		pkgJson := a.readFile("package.json")
+		if strings.Contains(pkgJson, "typescript") || a.fileExists("tsconfig.json") {
+			return ProjectTypeTypescript
+		}
+		return ProjectTypeNode
+	}
+
+	// Check for Nix
+	if a.fileExists("flake.nix") || a.fileExists("default.nix") {
+		return ProjectTypeNix
+	}
+
+	return ProjectTypeUnknown
+}
+
+func (a *Analyzer) detectBuildSystem(info *ProjectInfo) {
+	switch info.Type {
+	case ProjectTypeGo:
+		info.BuildSystem = "go"
+		info.BuildCommand = "go build ./..."
+		info.TestCommand = "go test ./..."
+		info.HasTests = a.fileExists("*_test.go") || a.hasFilesMatching("**/*_test.go")
+
+	case ProjectTypeRust:
+		info.BuildSystem = "cargo"
+		info.BuildCommand = "cargo build"
+		info.TestCommand = "cargo test"
+		info.HasTests = true // Rust tests are inline
+
+	case ProjectTypePython:
+		if a.fileExists("pyproject.toml") {
+			content := a.readFile("pyproject.toml")
+			if strings.Contains(content, "poetry") {
+				info.BuildSystem = "poetry"
+				info.TestCommand = "poetry run pytest"
+			} else if strings.Contains(content, "hatch") {
+				info.BuildSystem = "hatch"
+				info.TestCommand = "hatch run test"
+			} else {
+				info.BuildSystem = "pip"
+				info.TestCommand = "pytest"
+			}
+		} else {
+			info.BuildSystem = "pip"
+			info.TestCommand = "pytest"
+		}
+		info.HasTests = a.fileExists("tests") || a.fileExists("test")
+
+	case ProjectTypeNode, ProjectTypeTypescript:
+		info.BuildSystem = "npm"
+		pkgJson := a.readFile("package.json")
+
+		if a.fileExists("pnpm-lock.yaml") {
+			info.BuildSystem = "pnpm"
+		} else if a.fileExists("yarn.lock") {
+			info.BuildSystem = "yarn"
+		} else if a.fileExists("bun.lockb") {
+			info.BuildSystem = "bun"
+		}
+
+		if strings.Contains(pkgJson, `"build"`) {
+			info.BuildCommand = info.BuildSystem + " run build"
+		}
+		if strings.Contains(pkgJson, `"test"`) {
+			info.TestCommand = info.BuildSystem + " run test"
+			info.HasTests = true
+		}
+
+	case ProjectTypeNix:
+		info.BuildSystem = "nix"
+		info.BuildCommand = "nix build"
+		if a.fileExists("flake.nix") {
+			content := a.readFile("flake.nix")
+			if strings.Contains(content, "checks") {
+				info.TestCommand = "nix flake check"
+				info.HasTests = true
+			}
+		}
+	}
+}
+
+func (a *Analyzer) detectFrameworks(info *ProjectInfo) {
+	switch info.Type {
+	case ProjectTypeGo:
+		goMod := a.readFile("go.mod")
+		if strings.Contains(goMod, "github.com/gin-gonic/gin") {
+			info.Frameworks = append(info.Frameworks, "gin")
+		}
+		if strings.Contains(goMod, "github.com/labstack/echo") {
+			info.Frameworks = append(info.Frameworks, "echo")
+		}
+		if strings.Contains(goMod, "github.com/spf13/cobra") {
+			info.Frameworks = append(info.Frameworks, "cobra")
+		}
+
+	case ProjectTypeTypescript, ProjectTypeNode:
+		pkgJson := a.readFile("package.json")
+		if strings.Contains(pkgJson, "react") {
+			info.Frameworks = append(info.Frameworks, "react")
+		}
+		if strings.Contains(pkgJson, "next") {
+			info.Frameworks = append(info.Frameworks, "nextjs")
+		}
+		if strings.Contains(pkgJson, "express") {
+			info.Frameworks = append(info.Frameworks, "express")
+		}
+		if strings.Contains(pkgJson, "nestjs") {
+			info.Frameworks = append(info.Frameworks, "nestjs")
+		}
+
+	case ProjectTypePython:
+		requirements := a.readFile("requirements.txt") + a.readFile("pyproject.toml")
+		if strings.Contains(requirements, "django") {
+			info.Frameworks = append(info.Frameworks, "django")
+		}
+		if strings.Contains(requirements, "flask") {
+			info.Frameworks = append(info.Frameworks, "flask")
+		}
+		if strings.Contains(requirements, "fastapi") {
+			info.Frameworks = append(info.Frameworks, "fastapi")
+		}
+
+	case ProjectTypeRust:
+		cargoToml := a.readFile("Cargo.toml")
+		if strings.Contains(cargoToml, "actix") {
+			info.Frameworks = append(info.Frameworks, "actix")
+		}
+		if strings.Contains(cargoToml, "axum") {
+			info.Frameworks = append(info.Frameworks, "axum")
+		}
+		if strings.Contains(cargoToml, "tokio") {
+			info.Frameworks = append(info.Frameworks, "tokio")
+		}
+	}
+}
+
+func (a *Analyzer) hasFilesMatching(pattern string) bool {
+	matches, _ := filepath.Glob(filepath.Join(a.workspacePath, pattern))
+	return len(matches) > 0
+}
+
+// GenerateSystemPrompt generates a compact system prompt with environmental context.
+// This is always injected via --append-system-prompt and contains brief factual info
+// about the sandbox environment.
+func GenerateSystemPrompt(metadata *config.SandboxMetadata, template *config.Template) string {
+	data := buildSystemPromptData(metadata, template)
+	return renderTemplate("system-prompt.md.tmpl", data)
+}
+
+// GenerateSkillFiles generates skill file contents based on project analysis.
+// Returns a map of skill name to SKILL.md content. May return an empty map
+// if no skills are applicable.
+func GenerateSkillFiles(metadata *config.SandboxMetadata, template *config.Template, info *ProjectInfo) map[string]string {
+	result := map[string]string{}
+
+	// VCS skill
+	if tmplName, data := vcsSkillTemplate(metadata, info); tmplName != "" {
+		result["forage-vcs"] = renderTemplate(tmplName, data)
+	}
+
+	// Conventional commits skill (emitted for any VCS)
+	hasVCS := info != nil && (info.HasGit || info.HasJJ)
+	if !hasVCS {
+		// Check multi-mount modes
+		for _, m := range metadata.WorkspaceMounts {
+			if m.Mode == "jj" || m.Mode == "git-worktree" {
+				hasVCS = true
+				break
+			}
+		}
+	}
+	if hasVCS || metadata.WorkspaceMode == "jj" || metadata.WorkspaceMode == "git-worktree" {
+		result["forage-commits"] = renderTemplate("skill-conventional-commits.md.tmpl", nil)
+	}
+
+	// Nix skill
+	if info != nil && info.HasNixFlake {
+		result["forage-nix"] = renderTemplate("skill-nix.md.tmpl", nil)
+	}
+
+	return result
+}
+
+func vcsSkillTemplate(metadata *config.SandboxMetadata, info *ProjectInfo) (string, any) {
+	// Check multi-mount modes
+	if len(metadata.WorkspaceMounts) > 0 {
+		for _, m := range metadata.WorkspaceMounts {
+			if m.Mode == "jj" {
+				return "skill-vcs-jj.md.tmpl", nil
+			}
+		}
+		for _, m := range metadata.WorkspaceMounts {
+			if m.Mode == "git-worktree" {
+				return "skill-vcs-git-worktree.md.tmpl", metadata
+			}
+		}
+	}
+	// Legacy single-workspace check
+	if metadata.WorkspaceMode == "jj" || (info != nil && info.HasJJ) {
+		return "skill-vcs-jj.md.tmpl", nil
+	}
+	if metadata.WorkspaceMode == "git-worktree" {
+		return "skill-vcs-git-worktree.md.tmpl", metadata
+	}
+	return "", nil
+}
+
+// systemPromptData is the template data for the system prompt.
+type systemPromptData struct {
+	Name            string
+	Template        string
+	WorkspaceMode   string
+	SourceRepo      string
+	GitBranch       string
+	Network         string
+	AllowedHosts    []string
+	HasIdentity     bool
+	GitUser         string
+	GitEmail        string
+	SSHKeyPath      string
+	Agents          []agentEntry
+	UseProxy        bool
+	MuxInstructions string
+	Mounts          []mountEntry // non-nil when using composable mounts
+}
+
+type agentEntry struct {
+	Name      string
+	AuthLabel string // e.g. "$ANTHROPIC_API_KEY" or "proxy"
+}
+
+type mountEntry struct {
+	ContainerPath string
+	Description   string // e.g. "jj workspace from ~/my-project"
+}
+
+func buildSystemPromptData(metadata *config.SandboxMetadata, template *config.Template) *systemPromptData {
+	mux := multiplexer.New(multiplexer.Type(metadata.Multiplexer))
+	data := &systemPromptData{
+		Name:            metadata.Name,
+		Template:        metadata.Template,
+		WorkspaceMode:   metadata.WorkspaceMode,
+		SourceRepo:      metadata.SourceRepo,
+		GitBranch:       metadata.GitBranch,
+		Network:         template.Network,
+		AllowedHosts:    template.AllowedHosts,
+		UseProxy:        template.UseProxy,
+		MuxInstructions: mux.PromptInstructions(),
+	}
+
+	// Populate composable mount descriptions
+	if len(metadata.WorkspaceMounts) > 0 {
+		for _, m := range metadata.WorkspaceMounts {
+			desc := describeMountMode(m)
+			data.Mounts = append(data.Mounts, mountEntry{
+				ContainerPath: m.ContainerPath,
+				Description:   desc,
+			})
+		}
+	}
+
+	if metadata.AgentIdentity != nil {
+		id := metadata.AgentIdentity
+		if id.GitUser != "" || id.GitEmail != "" || id.SSHKeyPath != "" {
+			data.HasIdentity = true
+			data.GitUser = id.GitUser
+			data.GitEmail = id.GitEmail
+			data.SSHKeyPath = id.SSHKeyPath
+		}
+	}
+
+	for name, agent := range template.Agents {
+		entry := agentEntry{Name: name}
+		if agent.AuthEnvVar != "" {
+			if template.UseProxy {
+				entry.AuthLabel = "proxy"
+			} else {
+				entry.AuthLabel = "$" + agent.AuthEnvVar
+			}
+		}
+		data.Agents = append(data.Agents, entry)
+	}
+
+	return data
+}
+
+// describeMountMode returns a human-readable description of a mount.
+func describeMountMode(m config.WorkspaceMountMeta) string {
+	if m.SourceRepo == "" {
+		return "direct mount from " + m.HostPath
+	}
+	desc := m.Mode + " workspace from " + m.SourceRepo
+	if m.Branch != "" {
+		desc += " (branch " + m.Branch + ")"
+	}
+	return desc
+}
+
+// GenerateSkills generates skill content based on project analysis.
+// Deprecated: Use GenerateSystemPrompt and GenerateSkillFiles instead.
+func GenerateSkills(metadata *config.SandboxMetadata, template *config.Template, info *ProjectInfo) string {
+	var sb strings.Builder
+
+	sb.WriteString("# Agent Instructions\n\n")
+	sb.WriteString("You are running in a sandboxed environment managed by Firefly Forage.\n\n")
+
+	// Environment section
+	sb.WriteString("## Environment\n\n")
+	sb.WriteString("- **Sandbox**: " + metadata.Name + "\n")
+	sb.WriteString("- **Template**: " + metadata.Template + "\n")
+	sb.WriteString("- **Workspace**: /workspace\n")
+
+	switch metadata.WorkspaceMode {
+	case "jj":
+		sb.WriteString("- **Mode**: jj workspace (isolated from source)\n")
+		sb.WriteString("- **Source Repo**: " + metadata.SourceRepo + "\n")
+	case "git-worktree":
+		sb.WriteString("- **Mode**: git worktree (isolated from source)\n")
+		sb.WriteString("- **Source Repo**: " + metadata.SourceRepo + "\n")
+		sb.WriteString("- **Branch**: " + metadata.GitBranch + "\n")
+	}
+
+	sb.WriteString("\n")
+
+	// Identity section
+	if metadata.AgentIdentity != nil {
+		id := metadata.AgentIdentity
+		if id.GitUser != "" || id.GitEmail != "" || id.SSHKeyPath != "" {
+			sb.WriteString("## Identity\n\n")
+			if id.GitUser != "" || id.GitEmail != "" {
+				sb.WriteString("Git authorship is configured for this sandbox")
+				if id.GitUser != "" {
+					sb.WriteString(" as **" + id.GitUser + "**")
+				}
+				if id.GitEmail != "" {
+					sb.WriteString(" <" + id.GitEmail + ">")
+				}
+				sb.WriteString(".\n")
+				sb.WriteString("All commits will use this identity automatically.\n\n")
+			}
+			if id.SSHKeyPath != "" {
+				sb.WriteString("An SSH key is available for pushing to remote repositories.\n")
+				sb.WriteString("SSH is configured to use this key automatically for all hosts.\n\n")
+			}
+		}
+	}
+
+	// Project-specific section
+	if info != nil && info.Type != ProjectTypeUnknown {
+		sb.WriteString("## Project\n\n")
+		sb.WriteString("- **Type**: " + string(info.Type) + "\n")
+
+		if info.BuildSystem != "" {
+			sb.WriteString("- **Build System**: " + info.BuildSystem + "\n")
+		}
+
+		if len(info.Frameworks) > 0 {
+			sb.WriteString("- **Frameworks**: " + strings.Join(info.Frameworks, ", ") + "\n")
+		}
+
+		sb.WriteString("\n### Common Commands\n\n")
+		sb.WriteString("```bash\n")
+
+		if info.BuildCommand != "" {
+			sb.WriteString("# Build\n")
+			sb.WriteString(info.BuildCommand + "\n\n")
+		}
+
+		if info.TestCommand != "" {
+			sb.WriteString("# Test\n")
+			sb.WriteString(info.TestCommand + "\n")
+		}
+
+		sb.WriteString("```\n\n")
+	}
+
+	// Version control section
+	if metadata.WorkspaceMode == "jj" || (info != nil && info.HasJJ) {
+		sb.WriteString("## Version Control: JJ (Jujutsu)\n\n")
+		sb.WriteString("This workspace uses `jj` for version control:\n\n")
+		sb.WriteString("```bash\n")
+		sb.WriteString("jj status         # Show working copy status\n")
+		sb.WriteString("jj diff           # Show changes\n")
+		sb.WriteString("jj new            # Create new change\n")
+		sb.WriteString("jj describe -m \"\" # Set commit message\n")
+		sb.WriteString("jj bookmark set   # Update bookmark\n")
+		sb.WriteString("```\n\n")
+		sb.WriteString("This is an isolated jj workspace - changes don't affect other workspaces.\n\n")
+	} else if metadata.WorkspaceMode == "git-worktree" {
+		sb.WriteString("## Version Control: Git (Worktree)\n\n")
+		sb.WriteString("This workspace is a git worktree with its own working directory and branch.\n\n")
+		sb.WriteString("**Branch**: `" + metadata.GitBranch + "`\n\n")
+		sb.WriteString("```bash\n")
+		sb.WriteString("git status        # Show working tree status\n")
+		sb.WriteString("git diff          # Show changes\n")
+		sb.WriteString("git add -p        # Stage changes interactively\n")
+		sb.WriteString("git commit -m \"\" # Create commit on this branch\n")
+		sb.WriteString("git push -u origin " + metadata.GitBranch + "  # Push branch\n")
+		sb.WriteString("```\n\n")
+		sb.WriteString("This is an isolated git worktree - commits on this branch don't affect other worktrees.\n")
+		sb.WriteString("When done, merge your branch or create a pull request.\n\n")
+	} else if info != nil && info.HasGit {
+		sb.WriteString("## Version Control: Git\n\n")
+		sb.WriteString("Standard git workflow is available.\n\n")
+	}
+
+	// Nix section
+	if info != nil && info.HasNixFlake {
+		sb.WriteString("## Nix\n\n")
+		sb.WriteString("This project uses Nix flakes:\n\n")
+		sb.WriteString("```bash\n")
+		sb.WriteString("nix build         # Build the project\n")
+		sb.WriteString("nix develop       # Enter dev shell\n")
+		sb.WriteString("nix flake check   # Run checks\n")
+		sb.WriteString("```\n\n")
+		sb.WriteString("The nix store is shared read-only from the host.\n\n")
+	}
+
+	// Network section
+	sb.WriteString("## Network\n\n")
+	switch template.Network {
+	case "none":
+		sb.WriteString("**No network access** - This sandbox has no external network connectivity.\n\n")
+		sb.WriteString("You cannot:\n")
+		sb.WriteString("- Make HTTP/HTTPS requests\n")
+		sb.WriteString("- Clone git repositories\n")
+		sb.WriteString("- Install packages from the internet\n\n")
+		sb.WriteString("All tools and dependencies must be pre-installed in the container.\n")
+	case "restricted":
+		sb.WriteString("**Restricted network** - Network access is filtered by hostname.\n\n")
+		sb.WriteString("Allowed hosts:\n")
+		for _, host := range template.AllowedHosts {
+			sb.WriteString("- " + host + "\n")
+		}
+		sb.WriteString("\n")
+		sb.WriteString("**Important:**\n")
+		sb.WriteString("- DNS queries for non-allowed hosts will fail\n")
+		sb.WriteString("- Connections to IP addresses not in the allowed list are blocked\n")
+		sb.WriteString("- Use allowed API endpoints for external services\n")
+	default:
+		sb.WriteString("Full network access is available.\n")
+	}
+	sb.WriteString("\n")
+
+	// Agents section
+	if len(template.Agents) > 0 {
+		sb.WriteString("## Available Agents\n\n")
+		for name, agent := range template.Agents {
+			sb.WriteString("- **" + name + "**")
+			if agent.AuthEnvVar != "" {
+				if template.UseProxy {
+					sb.WriteString(" (auth via proxy)")
+				} else {
+					sb.WriteString(" (auth via $" + agent.AuthEnvVar + ")")
+				}
+			}
+			sb.WriteString("\n")
+		}
+		sb.WriteString("\n")
+	}
+
+	// API Proxy section
+	if template.UseProxy {
+		sb.WriteString("## API Proxy\n\n")
+		sb.WriteString("This sandbox uses an API proxy for authentication. API keys are not stored\n")
+		sb.WriteString("in this container - they are injected by the proxy on the host.\n\n")
+		sb.WriteString("**How it works:**\n")
+		sb.WriteString("- `ANTHROPIC_BASE_URL` points to the host proxy\n")
+		sb.WriteString("- Requests are forwarded with API key injection\n")
+		sb.WriteString("- Rate limiting and audit logging are applied\n\n")
+		sb.WriteString("**Limitations:**\n")
+		sb.WriteString("- Only works with API key authentication\n")
+		sb.WriteString("- For Max/Pro plans, use `claude login` directly (auth stays in sandbox)\n\n")
+	}
+
+	// Guidelines
+	sb.WriteString("## Guidelines\n\n")
+	sb.WriteString("- Work within the `/workspace` directory\n")
+	sb.WriteString("- The container filesystem (except /workspace) is ephemeral\n")
+	muxForLegacy := multiplexer.New(multiplexer.Type(metadata.Multiplexer))
+	fmt.Fprintf(&sb, "- %s\n", muxForLegacy.PromptInstructions())
+
+	return sb.String()
+}
diff --git a/packages/forage-ctl/internal/skills/analyzer_test.go b/packages/forage-ctl/internal/skills/analyzer_test.go
new file mode 100644
index 0000000..6588b98
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/analyzer_test.go
@@ -0,0 +1,601 @@
+package skills
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+func TestAnalyzer_DetectGoProject(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create go.mod
+	goMod := `module example.com/test
+
+go 1.21
+
+require github.com/spf13/cobra v1.8.0
+`
+	if err := os.WriteFile(filepath.Join(tmpDir, "go.mod"), []byte(goMod), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create .git directory
+	if err := os.MkdirAll(filepath.Join(tmpDir, ".git"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create test file
+	if err := os.WriteFile(filepath.Join(tmpDir, "main_test.go"), []byte("package main"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if info.Type != ProjectTypeGo {
+		t.Errorf("expected ProjectTypeGo, got %v", info.Type)
+	}
+	if info.BuildSystem != "go" {
+		t.Errorf("expected build system 'go', got %v", info.BuildSystem)
+	}
+	if info.BuildCommand != "go build ./..." {
+		t.Errorf("expected build command 'go build ./...', got %v", info.BuildCommand)
+	}
+	if info.TestCommand != "go test ./..." {
+		t.Errorf("expected test command 'go test ./...', got %v", info.TestCommand)
+	}
+	if !info.HasGit {
+		t.Error("expected HasGit to be true")
+	}
+	if !contains(info.Frameworks, "cobra") {
+		t.Errorf("expected frameworks to contain 'cobra', got %v", info.Frameworks)
+	}
+}
+
+func TestAnalyzer_DetectRustProject(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	cargoToml := `[package]
+name = "test"
+version = "0.1.0"
+
+[dependencies]
+tokio = "1.0"
+axum = "0.7"
+`
+	if err := os.WriteFile(filepath.Join(tmpDir, "Cargo.toml"), []byte(cargoToml), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if info.Type != ProjectTypeRust {
+		t.Errorf("expected ProjectTypeRust, got %v", info.Type)
+	}
+	if info.BuildSystem != "cargo" {
+		t.Errorf("expected build system 'cargo', got %v", info.BuildSystem)
+	}
+	if !contains(info.Frameworks, "tokio") {
+		t.Errorf("expected frameworks to contain 'tokio', got %v", info.Frameworks)
+	}
+	if !contains(info.Frameworks, "axum") {
+		t.Errorf("expected frameworks to contain 'axum', got %v", info.Frameworks)
+	}
+}
+
+func TestAnalyzer_DetectPythonProject(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	pyproject := `[tool.poetry]
+name = "test"
+version = "0.1.0"
+
+[tool.poetry.dependencies]
+fastapi = "^0.100.0"
+`
+	if err := os.WriteFile(filepath.Join(tmpDir, "pyproject.toml"), []byte(pyproject), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.MkdirAll(filepath.Join(tmpDir, "tests"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if info.Type != ProjectTypePython {
+		t.Errorf("expected ProjectTypePython, got %v", info.Type)
+	}
+	if info.BuildSystem != "poetry" {
+		t.Errorf("expected build system 'poetry', got %v", info.BuildSystem)
+	}
+	if info.TestCommand != "poetry run pytest" {
+		t.Errorf("expected test command 'poetry run pytest', got %v", info.TestCommand)
+	}
+	if !info.HasTests {
+		t.Error("expected HasTests to be true")
+	}
+	if !contains(info.Frameworks, "fastapi") {
+		t.Errorf("expected frameworks to contain 'fastapi', got %v", info.Frameworks)
+	}
+}
+
+func TestAnalyzer_DetectTypescriptProject(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	pkgJson := `{
+  "name": "test",
+  "dependencies": {
+    "react": "^18.0.0",
+    "next": "^14.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.0.0"
+  },
+  "scripts": {
+    "build": "next build",
+    "test": "jest"
+  }
+}
+`
+	if err := os.WriteFile(filepath.Join(tmpDir, "package.json"), []byte(pkgJson), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(tmpDir, "pnpm-lock.yaml"), []byte(""), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if info.Type != ProjectTypeTypescript {
+		t.Errorf("expected ProjectTypeTypescript, got %v", info.Type)
+	}
+	if info.BuildSystem != "pnpm" {
+		t.Errorf("expected build system 'pnpm', got %v", info.BuildSystem)
+	}
+	if info.BuildCommand != "pnpm run build" {
+		t.Errorf("expected build command 'pnpm run build', got %v", info.BuildCommand)
+	}
+	if !contains(info.Frameworks, "react") {
+		t.Errorf("expected frameworks to contain 'react', got %v", info.Frameworks)
+	}
+	if !contains(info.Frameworks, "nextjs") {
+		t.Errorf("expected frameworks to contain 'nextjs', got %v", info.Frameworks)
+	}
+}
+
+func TestAnalyzer_DetectNixProject(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	flakeNix := `{
+  outputs = { self, nixpkgs }: {
+    packages.default = ...;
+    checks.default = ...;
+  };
+}
+`
+	if err := os.WriteFile(filepath.Join(tmpDir, "flake.nix"), []byte(flakeNix), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if info.Type != ProjectTypeNix {
+		t.Errorf("expected ProjectTypeNix, got %v", info.Type)
+	}
+	if info.BuildSystem != "nix" {
+		t.Errorf("expected build system 'nix', got %v", info.BuildSystem)
+	}
+	if info.BuildCommand != "nix build" {
+		t.Errorf("expected build command 'nix build', got %v", info.BuildCommand)
+	}
+	if info.TestCommand != "nix flake check" {
+		t.Errorf("expected test command 'nix flake check', got %v", info.TestCommand)
+	}
+	if !info.HasNixFlake {
+		t.Error("expected HasNixFlake to be true")
+	}
+}
+
+func TestAnalyzer_DetectJJ(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	if err := os.MkdirAll(filepath.Join(tmpDir, ".jj"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if !info.HasJJ {
+		t.Error("expected HasJJ to be true")
+	}
+}
+
+func TestAnalyzer_DetectCI(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	if err := os.MkdirAll(filepath.Join(tmpDir, ".github", "workflows"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	analyzer := NewAnalyzer(tmpDir)
+	info := analyzer.Analyze()
+
+	if !info.HasCI {
+		t.Error("expected HasCI to be true")
+	}
+}
+
+func TestGenerateSkills(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "jj",
+		SourceRepo:    "/home/user/project",
+	}
+
+	template := &config.Template{
+		Name:         "claude",
+		Network:      "restricted",
+		AllowedHosts: []string{"api.anthropic.com", "github.com"},
+		Agents: map[string]config.AgentConfig{
+			"claude": {AuthEnvVar: "ANTHROPIC_API_KEY"},
+		},
+	}
+
+	projectInfo := &ProjectInfo{
+		Type:         ProjectTypeGo,
+		HasGit:       true,
+		HasJJ:        true,
+		HasNixFlake:  true,
+		HasTests:     true,
+		BuildSystem:  "go",
+		BuildCommand: "go build ./...",
+		TestCommand:  "go test ./...",
+		Frameworks:   []string{"cobra"},
+	}
+
+	content := GenerateSkills(metadata, template, projectInfo)
+
+	// Check for expected sections
+	expectedStrings := []string{
+		"# Agent Instructions",
+		"test-sandbox",
+		"claude",
+		"jj workspace",
+		"/home/user/project",
+		"## Project",
+		"go",
+		"cobra",
+		"go build ./...",
+		"go test ./...",
+		"## Version Control: JJ",
+		"jj status",
+		"## Nix",
+		"nix build",
+		"## Network",
+		"Restricted network",
+		"api.anthropic.com",
+		"github.com",
+		"## Available Agents",
+		"ANTHROPIC_API_KEY",
+	}
+
+	for _, expected := range expectedStrings {
+		if !strings.Contains(content, expected) {
+			t.Errorf("expected content to contain %q", expected)
+		}
+	}
+}
+
+func TestGenerateSkills_DirectMode(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "direct",
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	projectInfo := &ProjectInfo{
+		Type:   ProjectTypeUnknown,
+		HasGit: true,
+		HasJJ:  false,
+	}
+
+	content := GenerateSkills(metadata, template, projectInfo)
+
+	// Should have git section, not jj section
+	if !strings.Contains(content, "## Version Control: Git") {
+		t.Error("expected content to contain git section")
+	}
+	if strings.Contains(content, "jj workspace") {
+		t.Error("did not expect jj workspace content")
+	}
+	// Should have full network access
+	if !strings.Contains(content, "Full network access") {
+		t.Error("expected content to contain full network access")
+	}
+}
+
+func TestGenerateSkills_NoNetwork(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test-sandbox",
+		Template: "isolated",
+	}
+
+	template := &config.Template{
+		Name:    "isolated",
+		Network: "none",
+	}
+
+	content := GenerateSkills(metadata, template, nil)
+
+	if !strings.Contains(content, "No network access") {
+		t.Error("expected content to contain no network message")
+	}
+}
+
+func TestGenerateSkills_IdentityGitOnly(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "jj",
+		SourceRepo:    "/home/user/project",
+		AgentIdentity: &config.AgentIdentity{
+			GitUser:  "Agent Bot",
+			GitEmail: "agent@example.com",
+		},
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	content := GenerateSkills(metadata, template, nil)
+
+	if !strings.Contains(content, "## Identity") {
+		t.Error("expected content to contain Identity section")
+	}
+	if !strings.Contains(content, "Agent Bot") {
+		t.Error("expected content to contain git user name")
+	}
+	if !strings.Contains(content, "agent@example.com") {
+		t.Error("expected content to contain git email")
+	}
+	if strings.Contains(content, "SSH key") {
+		t.Error("should not mention SSH key when not configured")
+	}
+}
+
+func TestGenerateSkills_IdentityWithSSH(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test-sandbox",
+		Template: "claude",
+		AgentIdentity: &config.AgentIdentity{
+			GitUser:    "Agent Bot",
+			GitEmail:   "agent@example.com",
+			SSHKeyPath: "/run/secrets/agent-key",
+		},
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	content := GenerateSkills(metadata, template, nil)
+
+	if !strings.Contains(content, "## Identity") {
+		t.Error("expected content to contain Identity section")
+	}
+	if !strings.Contains(content, "SSH key is available") {
+		t.Error("expected content to mention SSH key availability")
+	}
+}
+
+func TestGenerateSkills_NoIdentity(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:     "test-sandbox",
+		Template: "claude",
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	content := GenerateSkills(metadata, template, nil)
+
+	if strings.Contains(content, "## Identity") {
+		t.Error("should not contain Identity section when no identity")
+	}
+}
+
+func TestGenerateSystemPrompt(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "jj",
+		SourceRepo:    "/home/user/project",
+		AgentIdentity: &config.AgentIdentity{
+			GitUser:    "Bot",
+			GitEmail:   "bot@test.com",
+			SSHKeyPath: "/key",
+		},
+	}
+
+	template := &config.Template{
+		Name:         "claude",
+		Network:      "restricted",
+		AllowedHosts: []string{"api.anthropic.com", "github.com"},
+		Agents: map[string]config.AgentConfig{
+			"claude": {AuthEnvVar: "ANTHROPIC_API_KEY"},
+		},
+	}
+
+	result := GenerateSystemPrompt(metadata, template)
+
+	expected := []string{
+		"test-sandbox",
+		"claude",
+		"/workspace",
+		"jj workspace",
+		"/home/user/project",
+		"Restricted network",
+		"api.anthropic.com",
+		"github.com",
+		"Identity",
+		"Bot",
+		"bot@test.com",
+		"SSH key available",
+		"tmux",
+	}
+
+	for _, s := range expected {
+		if !strings.Contains(result, s) {
+			t.Errorf("system prompt should contain %q\nGot:\n%s", s, result)
+		}
+	}
+}
+
+func TestGenerateSystemPrompt_GitWorktreeMode(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "git-worktree",
+		SourceRepo:    "/home/user/project",
+		GitBranch:     "feature-branch",
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	result := GenerateSystemPrompt(metadata, template)
+
+	if !strings.Contains(result, "git worktree") {
+		t.Errorf("system prompt should mention git worktree mode\nGot:\n%s", result)
+	}
+	if !strings.Contains(result, "feature-branch") {
+		t.Errorf("system prompt should contain branch name\nGot:\n%s", result)
+	}
+}
+
+func TestGenerateSkillFiles_AllSkills(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "jj",
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	info := &ProjectInfo{
+		Type:         ProjectTypeGo,
+		HasGit:       true,
+		HasJJ:        true,
+		HasNixFlake:  true,
+		BuildSystem:  "go",
+		BuildCommand: "go build ./...",
+		TestCommand:  "go test ./...",
+		Frameworks:   []string{"cobra"},
+	}
+
+	result := GenerateSkillFiles(metadata, template, info)
+
+	if _, ok := result["forage-vcs"]; !ok {
+		t.Error("expected forage-vcs skill")
+	}
+	if _, ok := result["forage-nix"]; !ok {
+		t.Error("expected forage-nix skill")
+	}
+
+	// VCS skill should contain jj content
+	vcs := result["forage-vcs"]
+	if !strings.Contains(vcs, "jj status") {
+		t.Error("VCS skill should contain jj commands")
+	}
+	if !strings.Contains(vcs, "user-invocable: false") {
+		t.Error("VCS skill should have frontmatter")
+	}
+
+	// Nix skill should contain nix content
+	nix := result["forage-nix"]
+	if !strings.Contains(nix, "nix build") {
+		t.Error("Nix skill should contain nix build command")
+	}
+}
+
+func TestGenerateSkillFiles_GitWorktree(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "git-worktree",
+		GitBranch:     "feature-x",
+	}
+
+	template := &config.Template{
+		Name:    "claude",
+		Network: "full",
+	}
+
+	result := GenerateSkillFiles(metadata, template, nil)
+
+	vcs, ok := result["forage-vcs"]
+	if !ok {
+		t.Fatal("expected forage-vcs skill for git-worktree mode")
+	}
+
+	if !strings.Contains(vcs, "feature-x") {
+		t.Error("VCS skill should contain branch name")
+	}
+	if !strings.Contains(vcs, "Git Worktree") {
+		t.Error("VCS skill should mention Git Worktree")
+	}
+}
+
+func TestGenerateSkillFiles_NoSkills(t *testing.T) {
+	metadata := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "test",
+		WorkspaceMode: "direct",
+	}
+
+	template := &config.Template{
+		Name:    "test",
+		Network: "full",
+	}
+
+	result := GenerateSkillFiles(metadata, template, nil)
+
+	if len(result) != 0 {
+		t.Errorf("expected no skill files for direct mode with no project info, got %d", len(result))
+	}
+}
+
+func contains(slice []string, item string) bool {
+	for _, s := range slice {
+		if s == item {
+			return true
+		}
+	}
+	return false
+}
diff --git a/packages/forage-ctl/internal/skills/doc.go b/packages/forage-ctl/internal/skills/doc.go
new file mode 100644
index 0000000..9cbfe28
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/doc.go
@@ -0,0 +1,37 @@
+// Package skills provides project analysis and skills file generation.
+//
+// This package analyzes project workspaces to detect languages, frameworks,
+// and build systems, then generates context-aware instructions for AI agents
+// running in sandboxes.
+//
+// # Project Analysis
+//
+// The Analyzer examines a workspace to detect:
+//   - Project type (Go, Rust, Python, Node, TypeScript, Nix)
+//   - Build system (go, cargo, npm, pnpm, yarn, bun, poetry, hatch)
+//   - Frameworks (gin, echo, react, nextjs, django, flask, etc.)
+//   - Version control (git, jj)
+//   - CI configuration
+//
+// Usage:
+//
+//	analyzer := skills.NewAnalyzer("/path/to/workspace")
+//	info := analyzer.Analyze()
+//
+// # Skills Generation
+//
+// GenerateSkills creates a markdown document (CLAUDE.md) with:
+//   - Environment information (sandbox name, template, workspace mode)
+//   - Project-specific build/test commands
+//   - Version control instructions (git or jj)
+//   - Network access documentation
+//   - Available agents and their authentication
+//   - General guidelines for working in the sandbox
+//
+// Usage:
+//
+//	content := skills.GenerateSkills(metadata, template, projectInfo)
+//
+// The generated skills file is injected into the container at /workspace/CLAUDE.md
+// after the sandbox starts.
+package skills
diff --git a/packages/forage-ctl/internal/skills/render.go b/packages/forage-ctl/internal/skills/render.go
new file mode 100644
index 0000000..9620158
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/render.go
@@ -0,0 +1,32 @@
+package skills
+
+import (
+	"bytes"
+	"embed"
+	"strings"
+	"text/template"
+)
+
+//go:embed templates/*.md.tmpl
+var templatesFS embed.FS
+
+var skillTemplates *template.Template
+
+func init() {
+	funcs := template.FuncMap{
+		"joinStrings": strings.Join,
+	}
+	skillTemplates = template.Must(
+		template.New("").Funcs(funcs).ParseFS(templatesFS, "templates/*.md.tmpl"),
+	)
+}
+
+// renderTemplate executes a named template with the given data and returns the result.
+func renderTemplate(name string, data any) string {
+	var buf bytes.Buffer
+	if err := skillTemplates.ExecuteTemplate(&buf, name, data); err != nil {
+		// Programming error — templates are embedded and tested at init time.
+		panic("skills: failed to render template " + name + ": " + err.Error())
+	}
+	return buf.String()
+}
diff --git a/packages/forage-ctl/internal/skills/templates/skill-conventional-commits.md.tmpl b/packages/forage-ctl/internal/skills/templates/skill-conventional-commits.md.tmpl
new file mode 100644
index 0000000..2c48675
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/templates/skill-conventional-commits.md.tmpl
@@ -0,0 +1,50 @@
+---
+user-invocable: false
+---
+
+# Commit Messages: Conventional Commits
+
+All commits must use [Conventional Commits](https://www.conventionalcommits.org/) format.
+
+## Format
+
+```
+<type>[(scope)]: <description>
+
+[optional body]
+```
+
+## Types
+
+| Type | Purpose |
+|------|---------|
+| `feat` | New feature or capability |
+| `fix` | Bug fix |
+| `refactor` | Code change that neither fixes a bug nor adds a feature |
+| `test` | Adding or updating tests |
+| `docs` | Documentation only |
+| `chore` | Maintenance, dependencies, tooling |
+| `ci` | CI/CD configuration |
+| `perf` | Performance improvement |
+| `build` | Build system or external dependencies |
+| `style` | Formatting, whitespace, semicolons (no logic change) |
+
+## Rules
+
+- **Type is required**, always lowercase
+- **Scope is optional**, lowercase, in parentheses (e.g. `feat(auth):`)
+- **Description**: lowercase start, imperative mood, no trailing period
+- **Breaking changes**: add `!` after type/scope (e.g. `feat!: remove v1 API`)
+- One logical change per commit
+
+## Examples
+
+```
+feat: add user validation
+fix(parser): handle empty input gracefully
+refactor: extract multiplexer interface
+test: add coverage for edge cases
+docs(api): update authentication examples
+chore: upgrade go dependencies
+feat!: drop support for node 16
+```
diff --git a/packages/forage-ctl/internal/skills/templates/skill-nix.md.tmpl b/packages/forage-ctl/internal/skills/templates/skill-nix.md.tmpl
new file mode 100644
index 0000000..1bdc82a
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/templates/skill-nix.md.tmpl
@@ -0,0 +1,53 @@
+---
+user-invocable: false
+---
+
+# Nix
+
+## Critical Rules
+
+- **New files must be git-tracked before Nix can see them.** Nix flakes only evaluate files known to git. After creating or renaming a file, run `git add <file>` (or `jj status` in jj workspaces) before any `nix build`, `nix develop`, or `nix flake check`. Forgetting this causes "file not found" errors even though the file exists on disk.
+- **The nix store (`/nix/store`) is shared read-only from the host.** Pre-built packages are available instantly. The nix daemon handles building new derivations.
+- **Do not use interactive nix commands.** Avoid `nix repl` or any command that expects a TTY.
+
+## Ad-Hoc Packages
+
+Any tool not installed in the sandbox can be run on demand from nixpkgs. Use this instead of attempting to install packages manually.
+
+```bash
+# Run a tool directly (single command)
+nix run nixpkgs#ripgrep -- -r "pattern" .
+nix run nixpkgs#jq -- '.items[]' data.json
+nix run nixpkgs#fd -- --extension go
+
+# Get tools on PATH for multiple commands
+nix shell nixpkgs#jq nixpkgs#curl --command bash -c 'curl -s "$URL" | jq .data'
+
+# Combine multiple packages in a shell session
+nix shell nixpkgs#nodejs nixpkgs#yarn --command yarn install
+```
+
+**When to use which:**
+- `nix run nixpkgs#pkg -- args` — single command, one tool, fire-and-forget
+- `nix shell nixpkgs#pkg --command cmd` — need multiple tools or a pipeline
+
+## Project Commands
+
+```bash
+nix flake show              # list what the flake provides
+nix develop                 # enter the project dev shell
+nix develop --command cmd   # run a single command in the dev shell
+nix build                   # build the default package
+nix build .#name            # build a specific output
+nix flake check             # run flake checks
+nix flake lock              # regenerate flake.lock
+nix flake update            # update all flake inputs
+```
+
+## Troubleshooting
+
+| Symptom | Cause | Fix |
+|---------|-------|-----|
+| "file not found" during eval | New file not tracked by git | `git add <file>` or `jj status` |
+| "Git tree is dirty" warning | Uncommitted changes exist | Informational only — safe to ignore |
+| Package not found | Wrong attribute name | Search at https://search.nixos.org/packages |
diff --git a/packages/forage-ctl/internal/skills/templates/skill-vcs-git-worktree.md.tmpl b/packages/forage-ctl/internal/skills/templates/skill-vcs-git-worktree.md.tmpl
new file mode 100644
index 0000000..9678333
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/templates/skill-vcs-git-worktree.md.tmpl
@@ -0,0 +1,63 @@
+---
+user-invocable: false
+---
+
+# Version Control: Git Worktree
+
+This workspace is an isolated git worktree with its own working directory and branch.
+
+**Branch**: `{{.GitBranch}}`
+
+## Critical Rules
+
+- **Stay in your worktree.** Do not modify files outside `git rev-parse --show-toplevel`.
+- **Do not switch branches.** This worktree is locked to `{{.GitBranch}}`. Never run `git checkout` or `git switch` to change it.
+- **Do not use `git stash`.** The stash is shared across all worktrees and causes confusion. Commit your work instead.
+- **Do not use `git add -p` or `git add -i`.** Interactive staging requires a terminal and will hang. Use `git add <file>` for specific files or `git add -A` for all changes.
+
+## Key Concepts
+
+- **Isolated working tree, shared repo**: This worktree has its own files and `HEAD`, but shares branches, remotes, and tags with other worktrees. A `git fetch` here updates all worktrees.
+- **Branch exclusivity**: The same branch cannot be checked out in multiple worktrees. Do not try to check out another worktree's branch.
+- **Independent dependencies**: Build artifacts, `node_modules`, `.venv`, etc. are per-worktree. Install dependencies after creating a new worktree.
+
+## Workflow
+
+```bash
+# Make changes, then commit
+git add <files>
+git commit -m "feat: add validation"
+git push -u origin {{.GitBranch}}
+```
+
+## Commands
+
+### Inspect
+
+```bash
+git rev-parse --show-toplevel    # worktree root directory
+git status                       # working tree status
+git diff                         # unstaged changes
+git diff --staged                # staged changes
+git log --oneline -20            # recent history
+```
+
+### Stage and Commit
+
+```bash
+git add <file>                   # stage specific file
+git add -A                       # stage all changes
+git commit -m "message"          # create commit
+git commit --amend -m "message"  # amend last commit (before push only)
+```
+
+### Sync
+
+```bash
+git fetch origin                         # fetch latest from remote
+git rebase origin/main                   # rebase onto latest main
+git push -u origin {{.GitBranch}}        # push branch
+git push --force-with-lease              # push after rebase (safer than --force)
+```
+
+When done, push your branch and create a pull request.
diff --git a/packages/forage-ctl/internal/skills/templates/skill-vcs-jj.md.tmpl b/packages/forage-ctl/internal/skills/templates/skill-vcs-jj.md.tmpl
new file mode 100644
index 0000000..7f749c1
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/templates/skill-vcs-jj.md.tmpl
@@ -0,0 +1,112 @@
+---
+user-invocable: false
+---
+
+# Version Control: Jujutsu (jj)
+
+This is an isolated jj workspace. Changes here don't affect other workspaces.
+
+## Critical Rules
+
+- **DO NOT use git commands.** A `.git/` directory may exist (colocated repo) but running git commands directly risks data corruption. Use only `jj` commands.
+- **Always use `-m` flags** for messages. Never use commands that open an editor (`jj describe` without `-m`, `jj split`, `jj squash` without `-m`, `jj resolve`). These will hang.
+- **There is no staging area.** All file changes are automatically part of the working copy commit (`@`). No `add` step needed.
+- **Nix and git-aware tools**: These tools discover files via the underlying git repo. New or renamed files only become visible to git after jj snapshots the working copy, which happens on any `jj` command. Before running `nix build` or similar, run `jj status` first to trigger a snapshot.
+
+## Key Concepts
+
+- **Working copy is a commit**: `@` always refers to the current working copy commit. Changes are snapshotted automatically on every `jj` command.
+- **Commits are mutable**: Unlike git, any commit can be rewritten. Use this for clean, atomic history.
+- **Change IDs vs Commit IDs**: Change IDs (e.g. `tqpwlqmp`) are stable across rewrites. Commit IDs (hashes) change when content changes. Prefer change IDs.
+
+## Workflow
+
+Describe intent first, then code:
+
+```bash
+jj describe -m "feat: add validation to user input"  # describe what you'll do
+# ... make changes ... (automatically tracked)
+jj status                                             # verify changes
+jj new                                                # start next commit
+```
+
+For multiple logical changes, keep commits atomic:
+
+```bash
+jj new && jj describe -m "fix: handle missing error case"
+# ... make changes ...
+jj new && jj describe -m "test: add coverage for edge cases"
+# ... make changes ...
+```
+
+## Commands
+
+### Inspect
+
+```bash
+jj workspace root      # workspace root directory
+jj status              # working copy status
+jj util markdown-help  # full command reference
+jj diff            # working copy diff
+jj log             # recent history
+jj log -p          # history with patches
+jj show CHANGE     # show specific commit
+```
+
+### Create and Edit
+
+```bash
+jj new                          # new empty commit on top of @
+jj new CHANGE                   # new commit on top of CHANGE
+jj describe -m "message"        # set/update commit message for @
+jj edit CHANGE                  # make CHANGE the working copy
+```
+
+### Refine History
+
+```bash
+jj squash                       # squash @ into parent (auto-merges messages)
+jj squash -m "message"          # squash @ into parent with explicit message
+jj squash --from X --into Y     # move changes from X into Y
+jj absorb                       # auto-distribute @ changes to ancestor commits that last touched those lines
+jj abandon CHANGE               # remove a commit (descendants rebase to its parent)
+jj undo                         # revert last jj operation
+```
+
+### Restore and Fix
+
+```bash
+jj restore                      # discard all working copy changes
+jj restore PATH                 # discard changes to specific file
+jj restore --from CHANGE PATH   # restore file from another commit
+```
+
+### Bookmarks (Branches)
+
+```bash
+jj bookmark list                    # list bookmarks
+jj bookmark create NAME -r @        # create bookmark at current commit
+jj bookmark move NAME --to CHANGE   # move bookmark to a commit
+jj bookmark delete NAME             # delete bookmark
+```
+
+Bookmarks do NOT auto-advance. You must explicitly `jj bookmark move` before pushing.
+
+### Push
+
+```bash
+jj git push -b BOOKMARK         # push a bookmark to the remote
+```
+
+Before pushing: ensure the bookmark points to the correct commit, commits are atomic, and the user has requested the push.
+
+### Conflicts
+
+jj allows committing conflicts. Do not use `jj resolve` (interactive). Edit conflicted files directly to remove markers, then run `jj status` to verify.
+
+## Commit Quality
+
+1. One logical change per commit
+2. Describe before coding
+3. Use `jj show @` to review before moving on
+4. Use `jj squash` or `jj absorb` to reorganize
diff --git a/packages/forage-ctl/internal/skills/templates/system-prompt.md.tmpl b/packages/forage-ctl/internal/skills/templates/system-prompt.md.tmpl
new file mode 100644
index 0000000..ed6675e
--- /dev/null
+++ b/packages/forage-ctl/internal/skills/templates/system-prompt.md.tmpl
@@ -0,0 +1,47 @@
+# Firefly Forage Sandbox
+
+- **Sandbox**: {{.Name}}
+- **Template**: {{.Template}}
+{{- if .Mounts}}
+{{- range .Mounts}}
+- **{{.ContainerPath}}**: {{.Description}}
+{{- end}}
+{{- else}}
+- **Workspace**: /workspace
+{{- if eq .WorkspaceMode "jj"}}
+- **Mode**: jj workspace (isolated from source)
+- **Source Repo**: {{.SourceRepo}}
+{{- else if eq .WorkspaceMode "git-worktree"}}
+- **Mode**: git worktree (isolated from source)
+- **Source Repo**: {{.SourceRepo}}
+- **Branch**: {{.GitBranch}}
+{{- end}}
+{{- end}}
+
+{{if eq .Network "none" -}}
+**No network access.** Cannot make HTTP requests, clone repos, or install packages.
+{{- else if eq .Network "restricted" -}}
+**Restricted network.** Allowed hosts: {{joinStrings .AllowedHosts ", "}}
+{{- else -}}
+Full network access available.
+{{- end}}
+
+{{- if .HasIdentity}}
+
+**Identity:** git authorship configured
+{{- if .GitUser}} as {{.GitUser}}{{end}}
+{{- if .GitEmail}} <{{.GitEmail}}>{{end}}
+{{- if .SSHKeyPath}}; SSH key available{{end}}
+{{- end}}
+
+{{- if .Agents}}
+
+**Agents:** {{range $i, $a := .Agents}}{{if $i}}, {{end}}{{$a.Name}}{{if $a.AuthLabel}} ({{$a.AuthLabel}}){{end}}{{end}}
+{{- end}}
+
+{{- if .UseProxy}}
+
+API proxy active — keys injected by host, `ANTHROPIC_BASE_URL` set.
+{{- end}}
+
+Work in `/workspace`. Container filesystem (except /workspace) is ephemeral. {{.MuxInstructions}}
diff --git a/packages/forage-ctl/internal/ssh/ssh.go b/packages/forage-ctl/internal/ssh/ssh.go
new file mode 100644
index 0000000..8286048
--- /dev/null
+++ b/packages/forage-ctl/internal/ssh/ssh.go
@@ -0,0 +1,180 @@
+// Package ssh provides SSH connection utilities for sandbox access.
+// These functions work regardless of the container runtime since
+// all sandboxes have SSH enabled.
+package ssh
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"syscall"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/system"
+)
+
+// Default SSH configuration values.
+const (
+	DefaultUser           = "agent"
+	DefaultConnectTimeout = 2
+)
+
+// Options configures SSH connection parameters.
+type Options struct {
+	User               string
+	Host               string
+	StrictHostKeyCheck bool
+	KnownHostsFile     string
+	ConnectTimeout     int
+	BatchMode          bool
+	RequestTTY         bool
+}
+
+// DefaultOptions returns Options with sensible defaults for sandbox connections.
+// The host parameter should be the container IP (e.g., "10.100.1.2").
+func DefaultOptions(host string) Options {
+	return Options{
+		User:               DefaultUser,
+		Host:               host,
+		StrictHostKeyCheck: false,
+		KnownHostsFile:     "/dev/null",
+		ConnectTimeout:     DefaultConnectTimeout,
+		BatchMode:          false,
+		RequestTTY:         false,
+	}
+}
+
+// WithBatchMode returns a copy with batch mode enabled.
+func (o Options) WithBatchMode() Options {
+	o.BatchMode = true
+	return o
+}
+
+// WithTTY returns a copy with TTY requested.
+func (o Options) WithTTY() Options {
+	o.RequestTTY = true
+	return o
+}
+
+// WithTimeout returns a copy with the specified connect timeout.
+func (o Options) WithTimeout(seconds int) Options {
+	o.ConnectTimeout = seconds
+	return o
+}
+
+// BaseArgs returns the common SSH arguments (options only, no user@host).
+func (o Options) BaseArgs() []string {
+	var args []string
+
+	if !o.StrictHostKeyCheck {
+		args = append(args, "-o", "StrictHostKeyChecking=no")
+	}
+
+	if o.KnownHostsFile != "" {
+		args = append(args, "-o", fmt.Sprintf("UserKnownHostsFile=%s", o.KnownHostsFile))
+	}
+
+	if o.BatchMode {
+		args = append(args, "-o", "BatchMode=yes")
+	}
+
+	if o.ConnectTimeout > 0 {
+		args = append(args, "-o", fmt.Sprintf("ConnectTimeout=%d", o.ConnectTimeout))
+	}
+
+	if o.RequestTTY {
+		args = append(args, "-t")
+	}
+
+	return args
+}
+
+// Destination returns the user@host string.
+func (o Options) Destination() string {
+	return fmt.Sprintf("%s@%s", o.User, o.Host)
+}
+
+// BuildArgs returns complete SSH arguments for executing a command.
+func (o Options) BuildArgs(command ...string) []string {
+	args := o.BaseArgs()
+	args = append(args, o.Destination())
+	args = append(args, command...)
+	return args
+}
+
+// BuildArgsWithArgv returns complete SSH arguments including "ssh" as argv[0].
+// Used for syscall.Exec which requires the program name in argv.
+func (o Options) BuildArgsWithArgv(command ...string) []string {
+	args := []string{"ssh"}
+	args = append(args, o.BuildArgs(command...)...)
+	return args
+}
+
+// --- Convenience functions using the builder ---
+
+// Exec executes a command in a sandbox via SSH.
+func Exec(host string, args ...string) error {
+	opts := DefaultOptions(host)
+	sshArgs := opts.BuildArgs(args...)
+
+	cmd := exec.Command("ssh", sshArgs...)
+	cmd.Stdin = nil
+	cmd.Stdout = nil
+	cmd.Stderr = nil
+	return cmd.Run()
+}
+
+// ExecWithOutput executes a command and returns output.
+func ExecWithOutput(host string, args ...string) (string, error) {
+	opts := DefaultOptions(host).WithBatchMode()
+	sshArgs := opts.BuildArgs(args...)
+
+	cmd := exec.Command("ssh", sshArgs...)
+	output, err := cmd.Output()
+	return string(output), err
+}
+
+// ExecWithStdin executes a command with stdin input.
+func ExecWithStdin(host string, stdin string, args ...string) error {
+	opts := DefaultOptions(host).WithBatchMode()
+	sshArgs := opts.BuildArgs(args...)
+
+	cmd := exec.Command("ssh", sshArgs...)
+	cmd.Stdin = bytes.NewReader([]byte(stdin))
+	return cmd.Run()
+}
+
+// Interactive starts an interactive SSH session.
+func Interactive(host string, command string) error {
+	opts := DefaultOptions(host).WithTTY()
+	sshArgs := opts.BuildArgs(command)
+
+	cmd := exec.Command("ssh", sshArgs...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+// ReplaceWithSession replaces the current process with an SSH session.
+// This uses syscall.Exec and does not return on success.
+func ReplaceWithSession(host string, command string) error {
+	sshPath, err := exec.LookPath("ssh")
+	if err != nil {
+		return fmt.Errorf("ssh not found: %w", err)
+	}
+
+	opts := DefaultOptions(host).WithTTY()
+	sshArgs := opts.BuildArgsWithArgv(command)
+
+	return syscall.Exec(sshPath, sshArgs, system.SafeEnviron())
+}
+
+// CheckConnection checks if SSH is reachable.
+func CheckConnection(host string) bool {
+	opts := DefaultOptions(host).WithBatchMode()
+	sshArgs := opts.BuildArgs("true")
+
+	cmd := exec.Command("ssh", sshArgs...)
+	return cmd.Run() == nil
+}
diff --git a/packages/forage-ctl/internal/ssh/ssh_test.go b/packages/forage-ctl/internal/ssh/ssh_test.go
new file mode 100644
index 0000000..beff2db
--- /dev/null
+++ b/packages/forage-ctl/internal/ssh/ssh_test.go
@@ -0,0 +1,210 @@
+package ssh
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestDefaultOptions(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2")
+
+	if opts.Host != "10.100.1.2" {
+		t.Errorf("Host = %q, want %q", opts.Host, "10.100.1.2")
+	}
+	if opts.User != DefaultUser {
+		t.Errorf("User = %q, want %q", opts.User, DefaultUser)
+	}
+	if opts.StrictHostKeyCheck {
+		t.Error("StrictHostKeyCheck should be false by default")
+	}
+	if opts.ConnectTimeout != DefaultConnectTimeout {
+		t.Errorf("ConnectTimeout = %d, want %d", opts.ConnectTimeout, DefaultConnectTimeout)
+	}
+	if opts.BatchMode {
+		t.Error("BatchMode should be false by default")
+	}
+	if opts.RequestTTY {
+		t.Error("RequestTTY should be false by default")
+	}
+}
+
+func TestOptionsWithBatchMode(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2").WithBatchMode()
+
+	if !opts.BatchMode {
+		t.Error("WithBatchMode should enable batch mode")
+	}
+	// Ensure original host is preserved
+	if opts.Host != "10.100.1.2" {
+		t.Errorf("Host = %q, want %q", opts.Host, "10.100.1.2")
+	}
+}
+
+func TestOptionsWithTTY(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2").WithTTY()
+
+	if !opts.RequestTTY {
+		t.Error("WithTTY should enable TTY")
+	}
+}
+
+func TestOptionsWithTimeout(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2").WithTimeout(10)
+
+	if opts.ConnectTimeout != 10 {
+		t.Errorf("ConnectTimeout = %d, want 10", opts.ConnectTimeout)
+	}
+}
+
+func TestOptionsChaining(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2").
+		WithBatchMode().
+		WithTTY().
+		WithTimeout(5)
+
+	if !opts.BatchMode {
+		t.Error("BatchMode should be true")
+	}
+	if !opts.RequestTTY {
+		t.Error("RequestTTY should be true")
+	}
+	if opts.ConnectTimeout != 5 {
+		t.Errorf("ConnectTimeout = %d, want 5", opts.ConnectTimeout)
+	}
+}
+
+func TestDestination(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2")
+
+	dest := opts.Destination()
+	expected := "agent@10.100.1.2"
+
+	if dest != expected {
+		t.Errorf("Destination() = %q, want %q", dest, expected)
+	}
+}
+
+func TestBaseArgs(t *testing.T) {
+	tests := []struct {
+		name     string
+		opts     Options
+		contains []string
+		excludes []string
+	}{
+		{
+			name: "default options",
+			opts: DefaultOptions("10.100.1.2"),
+			contains: []string{
+				"-o", "StrictHostKeyChecking=no",
+				"-o", "UserKnownHostsFile=/dev/null",
+				"-o", "ConnectTimeout=2",
+			},
+			excludes: []string{
+				"BatchMode",
+				"-t",
+				"-p", // No port flag - using standard port 22
+			},
+		},
+		{
+			name: "with batch mode",
+			opts: DefaultOptions("10.100.1.2").WithBatchMode(),
+			contains: []string{
+				"-o", "BatchMode=yes",
+			},
+		},
+		{
+			name: "with TTY",
+			opts: DefaultOptions("10.100.1.2").WithTTY(),
+			contains: []string{
+				"-t",
+			},
+		},
+		{
+			name: "custom timeout",
+			opts: DefaultOptions("10.100.1.2").WithTimeout(30),
+			contains: []string{
+				"-o", "ConnectTimeout=30",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := tt.opts.BaseArgs()
+			argsStr := strings.Join(args, " ")
+
+			for _, want := range tt.contains {
+				if !strings.Contains(argsStr, want) {
+					t.Errorf("BaseArgs() missing %q, got: %v", want, args)
+				}
+			}
+
+			for _, exclude := range tt.excludes {
+				if strings.Contains(argsStr, exclude) {
+					t.Errorf("BaseArgs() should not contain %q, got: %v", exclude, args)
+				}
+			}
+		})
+	}
+}
+
+func TestBuildArgs(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2")
+	args := opts.BuildArgs("ls", "-la")
+
+	// Should end with destination and command
+	if len(args) < 3 {
+		t.Fatalf("BuildArgs() returned too few args: %v", args)
+	}
+
+	// Check destination is present
+	argsStr := strings.Join(args, " ")
+	if !strings.Contains(argsStr, "agent@10.100.1.2") {
+		t.Errorf("BuildArgs() should contain destination, got: %v", args)
+	}
+
+	// Check command is at the end
+	if args[len(args)-2] != "ls" || args[len(args)-1] != "-la" {
+		t.Errorf("BuildArgs() command not at end, got: %v", args)
+	}
+}
+
+func TestBuildArgsNoCommand(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2")
+	args := opts.BuildArgs()
+
+	// Should end with destination
+	if len(args) == 0 {
+		t.Fatal("BuildArgs() returned empty args")
+	}
+
+	lastArg := args[len(args)-1]
+	if lastArg != "agent@10.100.1.2" {
+		t.Errorf("BuildArgs() should end with destination, got: %q", lastArg)
+	}
+}
+
+func TestBuildArgsWithArgv(t *testing.T) {
+	opts := DefaultOptions("10.100.1.2")
+	args := opts.BuildArgsWithArgv("echo", "hello")
+
+	// First arg should be "ssh"
+	if len(args) == 0 || args[0] != "ssh" {
+		t.Errorf("BuildArgsWithArgv() should start with 'ssh', got: %v", args)
+	}
+
+	// Check command is present
+	argsStr := strings.Join(args, " ")
+	if !strings.Contains(argsStr, "echo") || !strings.Contains(argsStr, "hello") {
+		t.Errorf("BuildArgsWithArgv() should contain command, got: %v", args)
+	}
+}
+
+func TestCheckConnection(t *testing.T) {
+	// This test verifies the function exists and handles errors gracefully
+	// Actual connection testing would require a running SSH server
+	result := CheckConnection("192.0.2.1") // TEST-NET-1 address, should fail
+	if result {
+		t.Error("CheckConnection should return false for unreachable host")
+	}
+}
diff --git a/packages/forage-ctl/internal/system/executor.go b/packages/forage-ctl/internal/system/executor.go
new file mode 100644
index 0000000..42f9e3b
--- /dev/null
+++ b/packages/forage-ctl/internal/system/executor.go
@@ -0,0 +1,75 @@
+package system
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+// safeEnvPrefixes lists environment variable prefixes that are safe to pass
+// through to child processes. All others are filtered out to prevent
+// accidental leakage of host secrets (API keys, cloud credentials, etc.).
+var safeEnvPrefixes = []string{
+	"PATH=", "HOME=", "USER=", "LOGNAME=", "SHELL=",
+	"TERM=", "LANG=", "LC_", "LANGUAGE=",
+	"XDG_", "DISPLAY=", "WAYLAND_DISPLAY=",
+	"SSH_AUTH_SOCK=", "DBUS_SESSION_BUS_ADDRESS=",
+	"TMPDIR=", "TMP=", "TEMP=",
+	"COLORTERM=", "COLORFGBG=",
+	"NO_COLOR=", "FORCE_COLOR=",
+	"EDITOR=", "VISUAL=", "PAGER=",
+	"HOSTNAME=", "HOSTTYPE=", "OSTYPE=",
+	"NIX_", "IN_NIX_SHELL=",
+}
+
+// SafeEnviron returns a filtered copy of os.Environ() containing only
+// safe environment variables. This prevents leaking host secrets like
+// ANTHROPIC_API_KEY, AWS_SECRET_ACCESS_KEY, etc. to child processes.
+func SafeEnviron() []string {
+	var filtered []string
+	for _, env := range os.Environ() {
+		for _, prefix := range safeEnvPrefixes {
+			if strings.HasPrefix(env, prefix) {
+				filtered = append(filtered, env)
+				break
+			}
+		}
+	}
+	return filtered
+}
+
+// osExecutor implements CommandExecutor using real OS operations.
+type osExecutor struct{}
+
+func (e *osExecutor) Execute(ctx context.Context, name string, args ...string) ([]byte, error) {
+	cmd := exec.CommandContext(ctx, name, args...)
+	return cmd.CombinedOutput()
+}
+
+func (e *osExecutor) ExecuteWithStdin(ctx context.Context, stdin string, name string, args ...string) ([]byte, error) {
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Stdin = strings.NewReader(stdin)
+	return cmd.CombinedOutput()
+}
+
+func (e *osExecutor) ExecuteInteractive(ctx context.Context, name string, args ...string) error {
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+func (e *osExecutor) ReplaceProcess(name string, args ...string) error {
+	binary, err := exec.LookPath(name)
+	if err != nil {
+		return err
+	}
+
+	// Build argv with program name as first element
+	argv := append([]string{name}, args...)
+
+	return syscall.Exec(binary, argv, SafeEnviron())
+}
diff --git a/packages/forage-ctl/internal/system/interfaces.go b/packages/forage-ctl/internal/system/interfaces.go
new file mode 100644
index 0000000..52c2938
--- /dev/null
+++ b/packages/forage-ctl/internal/system/interfaces.go
@@ -0,0 +1,143 @@
+// Package system provides abstractions for OS operations to enable testing.
+package system
+
+import (
+	"context"
+	"io/fs"
+	"os"
+)
+
+// FileSystem abstracts file system operations for testability.
+type FileSystem interface {
+	// ReadFile reads the named file and returns the contents.
+	ReadFile(path string) ([]byte, error)
+
+	// WriteFile writes data to the named file, creating it if necessary.
+	WriteFile(path string, data []byte, perm fs.FileMode) error
+
+	// Remove removes the named file or empty directory.
+	Remove(path string) error
+
+	// RemoveAll removes path and any children it contains.
+	RemoveAll(path string) error
+
+	// Stat returns file info for the named file.
+	Stat(path string) (fs.FileInfo, error)
+
+	// MkdirAll creates a directory named path, along with any necessary parents.
+	MkdirAll(path string, perm fs.FileMode) error
+
+	// Exists returns true if the path exists.
+	Exists(path string) bool
+
+	// IsDir returns true if the path is a directory.
+	IsDir(path string) bool
+
+	// ReadDir reads the named directory, returning all its directory entries.
+	ReadDir(path string) ([]fs.DirEntry, error)
+
+	// CopyFile copies a file from src to dst.
+	CopyFile(src, dst string) error
+}
+
+// CommandExecutor abstracts command execution for testability.
+type CommandExecutor interface {
+	// Execute runs a command and returns its combined output.
+	Execute(ctx context.Context, name string, args ...string) ([]byte, error)
+
+	// ExecuteWithStdin runs a command with the given stdin and returns output.
+	ExecuteWithStdin(ctx context.Context, stdin string, name string, args ...string) ([]byte, error)
+
+	// ExecuteInteractive runs a command with stdin/stdout/stderr connected to the terminal.
+	ExecuteInteractive(ctx context.Context, name string, args ...string) error
+
+	// ReplaceProcess replaces the current process with the given command (exec syscall).
+	ReplaceProcess(name string, args ...string) error
+}
+
+// Default instances using real OS operations.
+var (
+	defaultFS       FileSystem      = &osFileSystem{}
+	defaultExecutor CommandExecutor = &osExecutor{}
+)
+
+// DefaultFS returns the default FileSystem implementation using real OS operations.
+func DefaultFS() FileSystem {
+	return defaultFS
+}
+
+// DefaultExecutor returns the default CommandExecutor implementation.
+func DefaultExecutor() CommandExecutor {
+	return defaultExecutor
+}
+
+// SetDefaultFS sets the default FileSystem (useful for testing).
+func SetDefaultFS(fs FileSystem) {
+	defaultFS = fs
+}
+
+// SetDefaultExecutor sets the default CommandExecutor (useful for testing).
+func SetDefaultExecutor(exec CommandExecutor) {
+	defaultExecutor = exec
+}
+
+// ResetDefaults restores the default OS implementations.
+func ResetDefaults() {
+	defaultFS = &osFileSystem{}
+	defaultExecutor = &osExecutor{}
+}
+
+// osFileSystem implements FileSystem using real OS operations.
+type osFileSystem struct{}
+
+func (f *osFileSystem) ReadFile(path string) ([]byte, error) {
+	return os.ReadFile(path)
+}
+
+func (f *osFileSystem) WriteFile(path string, data []byte, perm fs.FileMode) error {
+	return os.WriteFile(path, data, perm)
+}
+
+func (f *osFileSystem) Remove(path string) error {
+	return os.Remove(path)
+}
+
+func (f *osFileSystem) RemoveAll(path string) error {
+	return os.RemoveAll(path)
+}
+
+func (f *osFileSystem) Stat(path string) (fs.FileInfo, error) {
+	return os.Stat(path)
+}
+
+func (f *osFileSystem) MkdirAll(path string, perm fs.FileMode) error {
+	return os.MkdirAll(path, perm)
+}
+
+func (f *osFileSystem) Exists(path string) bool {
+	_, err := os.Stat(path)
+	return err == nil
+}
+
+func (f *osFileSystem) IsDir(path string) bool {
+	info, err := os.Stat(path)
+	return err == nil && info.IsDir()
+}
+
+func (f *osFileSystem) ReadDir(path string) ([]fs.DirEntry, error) {
+	return os.ReadDir(path)
+}
+
+func (f *osFileSystem) CopyFile(src, dst string) error {
+	data, err := os.ReadFile(src)
+	if err != nil {
+		return err
+	}
+
+	srcInfo, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(dst, data, srcInfo.Mode()) //nolint:gosec // dst is from trusted internal callers
+}
diff --git a/packages/forage-ctl/internal/system/mock.go b/packages/forage-ctl/internal/system/mock.go
new file mode 100644
index 0000000..9a8fb8f
--- /dev/null
+++ b/packages/forage-ctl/internal/system/mock.go
@@ -0,0 +1,410 @@
+package system
+
+import (
+	"context"
+	"errors"
+	"io/fs"
+	"path/filepath"
+	"sync"
+	"time"
+)
+
+// MockFS implements FileSystem for testing.
+type MockFS struct {
+	mu    sync.RWMutex
+	files map[string]*mockFile
+	dirs  map[string]bool
+
+	// Error injection
+	ReadFileErr  error
+	WriteFileErr error
+	RemoveErr    error
+	RemoveAllErr error
+	StatErr      error
+	MkdirAllErr  error
+	ReadDirErr   error
+	CopyFileErr  error
+}
+
+type mockFile struct {
+	data []byte
+	mode fs.FileMode
+}
+
+// NewMockFS creates a new MockFS with an empty filesystem.
+func NewMockFS() *MockFS {
+	return &MockFS{
+		files: make(map[string]*mockFile),
+		dirs:  make(map[string]bool),
+	}
+}
+
+// AddFile adds a file to the mock filesystem.
+func (m *MockFS) AddFile(path string, data []byte, mode fs.FileMode) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.files[path] = &mockFile{data: data, mode: mode}
+	// Ensure parent directories exist
+	dir := filepath.Dir(path)
+	for dir != "." && dir != "/" {
+		m.dirs[dir] = true
+		dir = filepath.Dir(dir)
+	}
+}
+
+// AddDir adds a directory to the mock filesystem.
+func (m *MockFS) AddDir(path string) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.dirs[path] = true
+}
+
+// GetFile returns the contents of a file in the mock filesystem.
+func (m *MockFS) GetFile(path string) ([]byte, bool) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	f, ok := m.files[path]
+	if !ok {
+		return nil, false
+	}
+	return f.data, true
+}
+
+func (m *MockFS) ReadFile(path string) ([]byte, error) {
+	if m.ReadFileErr != nil {
+		return nil, m.ReadFileErr
+	}
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	f, ok := m.files[path]
+	if !ok {
+		return nil, fs.ErrNotExist
+	}
+	return f.data, nil
+}
+
+func (m *MockFS) WriteFile(path string, data []byte, perm fs.FileMode) error {
+	if m.WriteFileErr != nil {
+		return m.WriteFileErr
+	}
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.files[path] = &mockFile{data: data, mode: perm}
+	return nil
+}
+
+func (m *MockFS) Remove(path string) error {
+	if m.RemoveErr != nil {
+		return m.RemoveErr
+	}
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if _, ok := m.files[path]; ok {
+		delete(m.files, path)
+		return nil
+	}
+	if _, ok := m.dirs[path]; ok {
+		delete(m.dirs, path)
+		return nil
+	}
+	return fs.ErrNotExist
+}
+
+func (m *MockFS) RemoveAll(path string) error {
+	if m.RemoveAllErr != nil {
+		return m.RemoveAllErr
+	}
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// Remove all files and dirs with this prefix
+	for p := range m.files {
+		if p == path || hasPathPrefix(p, path) {
+			delete(m.files, p)
+		}
+	}
+	for p := range m.dirs {
+		if p == path || hasPathPrefix(p, path) {
+			delete(m.dirs, p)
+		}
+	}
+	return nil
+}
+
+func (m *MockFS) Stat(path string) (fs.FileInfo, error) {
+	if m.StatErr != nil {
+		return nil, m.StatErr
+	}
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	if f, ok := m.files[path]; ok {
+		return &mockFileInfo{name: filepath.Base(path), size: int64(len(f.data)), mode: f.mode}, nil
+	}
+	if _, ok := m.dirs[path]; ok {
+		return &mockFileInfo{name: filepath.Base(path), isDir: true, mode: fs.ModeDir | 0755}, nil
+	}
+	return nil, fs.ErrNotExist
+}
+
+func (m *MockFS) MkdirAll(path string, perm fs.FileMode) error {
+	if m.MkdirAllErr != nil {
+		return m.MkdirAllErr
+	}
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// Create all directories in the path
+	current := path
+	for current != "." && current != "/" {
+		m.dirs[current] = true
+		current = filepath.Dir(current)
+	}
+	return nil
+}
+
+func (m *MockFS) Exists(path string) bool {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	_, fileOk := m.files[path]
+	_, dirOk := m.dirs[path]
+	return fileOk || dirOk
+}
+
+func (m *MockFS) IsDir(path string) bool {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	_, ok := m.dirs[path]
+	return ok
+}
+
+func (m *MockFS) ReadDir(path string) ([]fs.DirEntry, error) {
+	if m.ReadDirErr != nil {
+		return nil, m.ReadDirErr
+	}
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	if _, ok := m.dirs[path]; !ok {
+		// Check if it's the root or a path that has children
+		hasChildren := false
+		for p := range m.files {
+			if hasPathPrefix(p, path) {
+				hasChildren = true
+				break
+			}
+		}
+		if !hasChildren {
+			return nil, fs.ErrNotExist
+		}
+	}
+
+	entries := make(map[string]fs.DirEntry)
+
+	// Find direct children
+	for p, f := range m.files {
+		if dir := filepath.Dir(p); dir == path {
+			name := filepath.Base(p)
+			entries[name] = &mockDirEntry{name: name, mode: f.mode}
+		}
+	}
+	for p := range m.dirs {
+		if dir := filepath.Dir(p); dir == path {
+			name := filepath.Base(p)
+			entries[name] = &mockDirEntry{name: name, isDir: true, mode: fs.ModeDir | 0755}
+		}
+	}
+
+	result := make([]fs.DirEntry, 0, len(entries))
+	for _, e := range entries {
+		result = append(result, e)
+	}
+	return result, nil
+}
+
+func (m *MockFS) CopyFile(src, dst string) error {
+	if m.CopyFileErr != nil {
+		return m.CopyFileErr
+	}
+	data, err := m.ReadFile(src)
+	if err != nil {
+		return err
+	}
+	info, err := m.Stat(src)
+	if err != nil {
+		return err
+	}
+	return m.WriteFile(dst, data, info.Mode())
+}
+
+// hasPathPrefix checks if path has the given prefix as a path component.
+func hasPathPrefix(path, prefix string) bool {
+	if len(path) <= len(prefix) {
+		return false
+	}
+	return path[:len(prefix)] == prefix && path[len(prefix)] == '/'
+}
+
+// mockFileInfo implements fs.FileInfo for testing.
+type mockFileInfo struct {
+	name  string
+	size  int64
+	mode  fs.FileMode
+	isDir bool
+}
+
+func (m *mockFileInfo) Name() string       { return m.name }
+func (m *mockFileInfo) Size() int64        { return m.size }
+func (m *mockFileInfo) Mode() fs.FileMode  { return m.mode }
+func (m *mockFileInfo) ModTime() time.Time { return time.Now() }
+func (m *mockFileInfo) IsDir() bool        { return m.isDir }
+func (m *mockFileInfo) Sys() interface{}   { return nil }
+
+// mockDirEntry implements fs.DirEntry for testing.
+type mockDirEntry struct {
+	name  string
+	mode  fs.FileMode
+	isDir bool
+}
+
+func (m *mockDirEntry) Name() string      { return m.name }
+func (m *mockDirEntry) IsDir() bool       { return m.isDir }
+func (m *mockDirEntry) Type() fs.FileMode { return m.mode.Type() }
+func (m *mockDirEntry) Info() (fs.FileInfo, error) {
+	return &mockFileInfo{name: m.name, mode: m.mode, isDir: m.isDir}, nil
+}
+
+// MockExecutor implements CommandExecutor for testing.
+type MockExecutor struct {
+	mu sync.Mutex
+
+	// Commands records all executed commands for verification.
+	Commands []MockCommand
+
+	// Responses maps command patterns to responses.
+	// Key format: "command arg1 arg2..."
+	Responses map[string]MockResponse
+
+	// DefaultResponse is used when no matching response is found.
+	DefaultResponse MockResponse
+
+	// InteractiveErr is returned by ExecuteInteractive if set.
+	InteractiveErr error
+
+	// ReplaceProcessErr is returned by ReplaceProcess if set.
+	ReplaceProcessErr error
+}
+
+// MockCommand records an executed command.
+type MockCommand struct {
+	Name  string
+	Args  []string
+	Stdin string
+}
+
+// MockResponse defines the response for a command.
+type MockResponse struct {
+	Output []byte
+	Err    error
+}
+
+// NewMockExecutor creates a new MockExecutor.
+func NewMockExecutor() *MockExecutor {
+	return &MockExecutor{
+		Commands:  make([]MockCommand, 0),
+		Responses: make(map[string]MockResponse),
+	}
+}
+
+// AddResponse adds a response for a specific command pattern.
+func (m *MockExecutor) AddResponse(pattern string, output []byte, err error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.Responses[pattern] = MockResponse{Output: output, Err: err}
+}
+
+func (m *MockExecutor) Execute(ctx context.Context, name string, args ...string) ([]byte, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.Commands = append(m.Commands, MockCommand{Name: name, Args: args})
+
+	// Look for matching response
+	key := name
+	if len(args) > 0 {
+		key = name + " " + args[0]
+	}
+
+	if resp, ok := m.Responses[key]; ok {
+		return resp.Output, resp.Err
+	}
+	if resp, ok := m.Responses[name]; ok {
+		return resp.Output, resp.Err
+	}
+
+	return m.DefaultResponse.Output, m.DefaultResponse.Err
+}
+
+func (m *MockExecutor) ExecuteWithStdin(ctx context.Context, stdin string, name string, args ...string) ([]byte, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.Commands = append(m.Commands, MockCommand{Name: name, Args: args, Stdin: stdin})
+
+	key := name
+	if len(args) > 0 {
+		key = name + " " + args[0]
+	}
+
+	if resp, ok := m.Responses[key]; ok {
+		return resp.Output, resp.Err
+	}
+	if resp, ok := m.Responses[name]; ok {
+		return resp.Output, resp.Err
+	}
+
+	return m.DefaultResponse.Output, m.DefaultResponse.Err
+}
+
+func (m *MockExecutor) ExecuteInteractive(ctx context.Context, name string, args ...string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.Commands = append(m.Commands, MockCommand{Name: name, Args: args})
+
+	if m.InteractiveErr != nil {
+		return m.InteractiveErr
+	}
+	return nil
+}
+
+func (m *MockExecutor) ReplaceProcess(name string, args ...string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.Commands = append(m.Commands, MockCommand{Name: name, Args: args})
+
+	if m.ReplaceProcessErr != nil {
+		return m.ReplaceProcessErr
+	}
+	// In tests, we can't actually replace the process, so just return an error
+	// that indicates this was called
+	return errors.New("mock: ReplaceProcess called (would exec in real implementation)")
+}
+
+// LastCommand returns the most recently executed command.
+func (m *MockExecutor) LastCommand() (MockCommand, bool) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if len(m.Commands) == 0 {
+		return MockCommand{}, false
+	}
+	return m.Commands[len(m.Commands)-1], true
+}
+
+// Reset clears all recorded commands.
+func (m *MockExecutor) Reset() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.Commands = make([]MockCommand, 0)
+}
diff --git a/packages/forage-ctl/internal/system/mock_test.go b/packages/forage-ctl/internal/system/mock_test.go
new file mode 100644
index 0000000..0a6a125
--- /dev/null
+++ b/packages/forage-ctl/internal/system/mock_test.go
@@ -0,0 +1,223 @@
+package system
+
+import (
+	"context"
+	"io/fs"
+	"testing"
+)
+
+func TestMockFS_ReadWriteFile(t *testing.T) {
+	mockFS := NewMockFS()
+
+	// Write a file
+	content := []byte("hello world")
+	err := mockFS.WriteFile("/test/file.txt", content, 0644)
+	if err != nil {
+		t.Fatalf("WriteFile error: %v", err)
+	}
+
+	// Read it back
+	data, err := mockFS.ReadFile("/test/file.txt")
+	if err != nil {
+		t.Fatalf("ReadFile error: %v", err)
+	}
+
+	if string(data) != "hello world" {
+		t.Errorf("ReadFile = %q, want %q", string(data), "hello world")
+	}
+}
+
+func TestMockFS_ReadFile_NotExists(t *testing.T) {
+	mockFS := NewMockFS()
+
+	_, err := mockFS.ReadFile("/nonexistent")
+	if err != fs.ErrNotExist {
+		t.Errorf("ReadFile error = %v, want fs.ErrNotExist", err)
+	}
+}
+
+func TestMockFS_Stat(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.AddFile("/test/file.txt", []byte("content"), 0644)
+	mockFS.AddDir("/test/dir")
+
+	// Stat file
+	info, err := mockFS.Stat("/test/file.txt")
+	if err != nil {
+		t.Fatalf("Stat file error: %v", err)
+	}
+	if info.IsDir() {
+		t.Error("File should not be a directory")
+	}
+	if info.Name() != "file.txt" {
+		t.Errorf("Name = %q, want %q", info.Name(), "file.txt")
+	}
+
+	// Stat directory
+	info, err = mockFS.Stat("/test/dir")
+	if err != nil {
+		t.Fatalf("Stat dir error: %v", err)
+	}
+	if !info.IsDir() {
+		t.Error("Dir should be a directory")
+	}
+}
+
+func TestMockFS_Exists(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.AddFile("/file.txt", []byte("x"), 0644)
+	mockFS.AddDir("/dir")
+
+	if !mockFS.Exists("/file.txt") {
+		t.Error("File should exist")
+	}
+	if !mockFS.Exists("/dir") {
+		t.Error("Dir should exist")
+	}
+	if mockFS.Exists("/nonexistent") {
+		t.Error("Nonexistent should not exist")
+	}
+}
+
+func TestMockFS_IsDir(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.AddFile("/file.txt", []byte("x"), 0644)
+	mockFS.AddDir("/dir")
+
+	if mockFS.IsDir("/file.txt") {
+		t.Error("File should not be a directory")
+	}
+	if !mockFS.IsDir("/dir") {
+		t.Error("Dir should be a directory")
+	}
+}
+
+func TestMockFS_Remove(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.AddFile("/file.txt", []byte("x"), 0644)
+
+	if err := mockFS.Remove("/file.txt"); err != nil {
+		t.Fatalf("Remove error: %v", err)
+	}
+
+	if mockFS.Exists("/file.txt") {
+		t.Error("File should be removed")
+	}
+}
+
+func TestMockFS_RemoveAll(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.AddFile("/dir/file1.txt", []byte("x"), 0644)
+	mockFS.AddFile("/dir/file2.txt", []byte("y"), 0644)
+	mockFS.AddDir("/dir/subdir")
+
+	if err := mockFS.RemoveAll("/dir"); err != nil {
+		t.Fatalf("RemoveAll error: %v", err)
+	}
+
+	if mockFS.Exists("/dir/file1.txt") {
+		t.Error("File1 should be removed")
+	}
+	if mockFS.Exists("/dir/file2.txt") {
+		t.Error("File2 should be removed")
+	}
+}
+
+func TestMockFS_MkdirAll(t *testing.T) {
+	mockFS := NewMockFS()
+
+	if err := mockFS.MkdirAll("/a/b/c", 0755); err != nil {
+		t.Fatalf("MkdirAll error: %v", err)
+	}
+
+	if !mockFS.IsDir("/a") {
+		t.Error("/a should be a directory")
+	}
+	if !mockFS.IsDir("/a/b") {
+		t.Error("/a/b should be a directory")
+	}
+	if !mockFS.IsDir("/a/b/c") {
+		t.Error("/a/b/c should be a directory")
+	}
+}
+
+func TestMockFS_CopyFile(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.AddFile("/src.txt", []byte("content"), 0644)
+
+	if err := mockFS.CopyFile("/src.txt", "/dst.txt"); err != nil {
+		t.Fatalf("CopyFile error: %v", err)
+	}
+
+	data, err := mockFS.ReadFile("/dst.txt")
+	if err != nil {
+		t.Fatalf("ReadFile dst error: %v", err)
+	}
+
+	if string(data) != "content" {
+		t.Errorf("Dst content = %q, want %q", string(data), "content")
+	}
+}
+
+func TestMockFS_ErrorInjection(t *testing.T) {
+	mockFS := NewMockFS()
+	mockFS.ReadFileErr = fs.ErrPermission
+
+	_, err := mockFS.ReadFile("/anything")
+	if err != fs.ErrPermission {
+		t.Errorf("ReadFile error = %v, want ErrPermission", err)
+	}
+}
+
+func TestMockExecutor_Execute(t *testing.T) {
+	exec := NewMockExecutor()
+	exec.AddResponse("echo", []byte("hello\n"), nil)
+
+	output, err := exec.Execute(context.Background(), "echo", "hello")
+	if err != nil {
+		t.Fatalf("Execute error: %v", err)
+	}
+
+	if string(output) != "hello\n" {
+		t.Errorf("Output = %q, want %q", string(output), "hello\n")
+	}
+
+	// Verify command was recorded
+	cmd, ok := exec.LastCommand()
+	if !ok {
+		t.Fatal("No command recorded")
+	}
+	if cmd.Name != "echo" {
+		t.Errorf("Command name = %q, want %q", cmd.Name, "echo")
+	}
+}
+
+func TestMockExecutor_DefaultResponse(t *testing.T) {
+	exec := NewMockExecutor()
+	exec.DefaultResponse = MockResponse{Output: []byte("default"), Err: nil}
+
+	output, err := exec.Execute(context.Background(), "unknown", "command")
+	if err != nil {
+		t.Fatalf("Execute error: %v", err)
+	}
+
+	if string(output) != "default" {
+		t.Errorf("Output = %q, want %q", string(output), "default")
+	}
+}
+
+func TestMockExecutor_Reset(t *testing.T) {
+	exec := NewMockExecutor()
+	exec.Execute(context.Background(), "cmd1")
+	exec.Execute(context.Background(), "cmd2")
+
+	if len(exec.Commands) != 2 {
+		t.Errorf("Commands length = %d, want 2", len(exec.Commands))
+	}
+
+	exec.Reset()
+
+	if len(exec.Commands) != 0 {
+		t.Errorf("Commands length after reset = %d, want 0", len(exec.Commands))
+	}
+}
diff --git a/packages/forage-ctl/internal/telemetry/propagation.go b/packages/forage-ctl/internal/telemetry/propagation.go
new file mode 100644
index 0000000..d2a05e8
--- /dev/null
+++ b/packages/forage-ctl/internal/telemetry/propagation.go
@@ -0,0 +1,82 @@
+package telemetry
+
+import (
+	"context"
+	"os"
+	"strings"
+
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/propagation"
+)
+
+// otelEnvVars are the OTEL_* environment variables to forward to child
+// processes so they can export to the same backend.
+var otelEnvVars = []string{
+	"OTEL_EXPORTER_OTLP_ENDPOINT",
+	"OTEL_EXPORTER_OTLP_HEADERS",
+	"OTEL_EXPORTER_OTLP_PROTOCOL",
+}
+
+// EnvPrefix returns a shell-compatible environment variable prefix that
+// propagates W3C trace context (TRACEPARENT) and OTLP export configuration
+// to child processes invoked via shell commands.
+//
+// Returns "" when no active span exists or OTEL is not configured.
+//
+// Example output: TRACEPARENT=00-abc...-def...-01 OTEL_EXPORTER_OTLP_ENDPOINT='https://api.honeycomb.io:443' cmd
+func EnvPrefix(ctx context.Context) string {
+	var parts []string
+
+	carrier := propagation.MapCarrier{}
+	otel.GetTextMapPropagator().Inject(ctx, carrier)
+	if tp := carrier.Get("traceparent"); tp != "" {
+		parts = append(parts, "TRACEPARENT="+tp)
+	}
+
+	for _, key := range otelEnvVars {
+		if val := os.Getenv(key); val != "" {
+			parts = append(parts, key+"="+shellQuote(val))
+		}
+	}
+
+	if len(parts) == 0 {
+		return ""
+	}
+	return strings.Join(parts, " ") + " "
+}
+
+// PropagationEnv returns key=value pairs suitable for appending to
+// exec.Cmd.Env. Includes TRACEPARENT and any set OTEL_* vars.
+func PropagationEnv(ctx context.Context) []string {
+	carrier := propagation.MapCarrier{}
+	otel.GetTextMapPropagator().Inject(ctx, carrier)
+
+	var env []string
+	if tp := carrier.Get("traceparent"); tp != "" {
+		env = append(env, "TRACEPARENT="+tp)
+	}
+
+	for _, key := range otelEnvVars {
+		if val := os.Getenv(key); val != "" {
+			env = append(env, key+"="+val)
+		}
+	}
+	return env
+}
+
+// ContextFromEnv extracts W3C trace context from the TRACEPARENT
+// environment variable. Returns the input context unchanged if
+// TRACEPARENT is not set.
+func ContextFromEnv(ctx context.Context) context.Context {
+	tp := os.Getenv("TRACEPARENT")
+	if tp == "" {
+		return ctx
+	}
+	carrier := propagation.MapCarrier{}
+	carrier.Set("traceparent", tp)
+	return otel.GetTextMapPropagator().Extract(ctx, carrier)
+}
+
+func shellQuote(s string) string {
+	return "'" + strings.ReplaceAll(s, "'", "'\\''") + "'"
+}
diff --git a/packages/forage-ctl/internal/telemetry/span.go b/packages/forage-ctl/internal/telemetry/span.go
new file mode 100644
index 0000000..188630b
--- /dev/null
+++ b/packages/forage-ctl/internal/telemetry/span.go
@@ -0,0 +1,45 @@
+package telemetry
+
+import (
+	"context"
+	"strings"
+
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
+)
+
+const tracerName = "forage-ctl"
+
+// Start creates a span from the package-level tracer.
+func Start(ctx context.Context, name string, opts ...trace.SpanStartOption) (context.Context, trace.Span) {
+	return otel.Tracer(tracerName).Start(ctx, name, opts...)
+}
+
+// Command creates a span for a CLI command invocation.
+func Command(ctx context.Context, command string) (context.Context, trace.Span) {
+	return Start(ctx, "cmd."+command, trace.WithAttributes(
+		attribute.String("command", command),
+	))
+}
+
+// Exec creates a span for a subprocess execution.
+func Exec(ctx context.Context, binary string, args ...string) (context.Context, trace.Span) {
+	return Start(ctx, "exec."+binary, trace.WithAttributes(
+		attribute.String("binary", binary),
+		attribute.String("args", strings.Join(args, " ")),
+	))
+}
+
+// WithAttr returns a SpanStartOption that sets attributes on the span.
+func WithAttr(attrs ...attribute.KeyValue) trace.SpanStartOption {
+	return trace.WithAttributes(attrs...)
+}
+
+// RecordError records an error on the current span and sets error status.
+func RecordError(ctx context.Context, err error) {
+	span := trace.SpanFromContext(ctx)
+	span.RecordError(err)
+	span.SetStatus(codes.Error, err.Error())
+}
diff --git a/packages/forage-ctl/internal/telemetry/telemetry.go b/packages/forage-ctl/internal/telemetry/telemetry.go
new file mode 100644
index 0000000..0f688b9
--- /dev/null
+++ b/packages/forage-ctl/internal/telemetry/telemetry.go
@@ -0,0 +1,36 @@
+package telemetry
+
+import (
+	"context"
+	"os"
+
+	"github.com/honeycombio/otel-config-go/otelconfig"
+)
+
+// Init sets up OpenTelemetry tracing via standard OTEL_* env vars.
+// If OTEL_EXPORTER_OTLP_ENDPOINT is not set, telemetry is disabled (no-op).
+// Returns a shutdown function that must be called on exit.
+//
+// Configuration is done entirely via environment variables:
+//
+//	OTEL_SERVICE_NAME            - service name (fallback: serviceName param)
+//	OTEL_EXPORTER_OTLP_ENDPOINT - e.g. https://api.honeycomb.io:443
+//	OTEL_EXPORTER_OTLP_HEADERS  - e.g. x-honeycomb-team=YOUR_KEY
+func Init(ctx context.Context, serviceName string) (shutdown func(), err error) {
+	noop := func() {}
+
+	// Only initialize when an exporter endpoint is configured.
+	// otel-config-go defaults to localhost:4317 which would cause
+	// connection noise when telemetry is not desired.
+	if os.Getenv("OTEL_EXPORTER_OTLP_ENDPOINT") == "" {
+		return noop, nil
+	}
+
+	shutdown, err = otelconfig.ConfigureOpenTelemetry(
+		otelconfig.WithServiceName(serviceName),
+	)
+	if err != nil {
+		return noop, err
+	}
+	return shutdown, nil
+}
diff --git a/packages/forage-ctl/internal/terminal/wezterm.go b/packages/forage-ctl/internal/terminal/wezterm.go
new file mode 100644
index 0000000..ac5cc4c
--- /dev/null
+++ b/packages/forage-ctl/internal/terminal/wezterm.go
@@ -0,0 +1,69 @@
+// Package terminal provides host terminal detection helpers.
+package terminal
+
+import (
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// controlModeCutoffDate is the minimum WezTerm version date that supports
+// the tmux control mode protocol (2025-03-08).
+var controlModeCutoffDate = [3]int{2025, 3, 8}
+
+// Regexps for the two known WezTerm version formats.
+var (
+	// Unstable: "0-unstable-YYYY-MM-DD"
+	unstableRe = regexp.MustCompile(`^0-unstable-(\d{4})-(\d{2})-(\d{2})$`)
+	// Stable: "YYYYMMDD-HHMMSS-hash"
+	stableRe = regexp.MustCompile(`^(\d{8})-\d{6}-[0-9a-f]+$`)
+)
+
+// SupportsControlMode reports whether the host terminal is WezTerm with a
+// version recent enough to support the tmux control mode protocol.
+func SupportsControlMode() bool {
+	if os.Getenv("TERM_PROGRAM") != "WezTerm" {
+		return false
+	}
+	return versionSupportsControlMode(os.Getenv("TERM_PROGRAM_VERSION"))
+}
+
+// versionSupportsControlMode checks a WezTerm version string against the
+// minimum cutoff date. Exported for testing via the test file.
+func versionSupportsControlMode(version string) bool {
+	version = strings.TrimSpace(version)
+	if version == "" {
+		return false
+	}
+
+	// Try unstable format: 0-unstable-YYYY-MM-DD
+	if m := unstableRe.FindStringSubmatch(version); m != nil {
+		y, _ := strconv.Atoi(m[1])
+		mo, _ := strconv.Atoi(m[2])
+		d, _ := strconv.Atoi(m[3])
+		return !dateBefore(y, mo, d, controlModeCutoffDate)
+	}
+
+	// Try stable format: YYYYMMDD-HHMMSS-hash
+	if m := stableRe.FindStringSubmatch(version); m != nil {
+		dateStr := m[1] // "YYYYMMDD"
+		y, _ := strconv.Atoi(dateStr[:4])
+		mo, _ := strconv.Atoi(dateStr[4:6])
+		d, _ := strconv.Atoi(dateStr[6:8])
+		return !dateBefore(y, mo, d, controlModeCutoffDate)
+	}
+
+	return false
+}
+
+// dateBefore reports whether (y, m, d) is strictly before the cutoff.
+func dateBefore(y, m, d int, cutoff [3]int) bool {
+	if y != cutoff[0] {
+		return y < cutoff[0]
+	}
+	if m != cutoff[1] {
+		return m < cutoff[1]
+	}
+	return d < cutoff[2]
+}
diff --git a/packages/forage-ctl/internal/terminal/wezterm_test.go b/packages/forage-ctl/internal/terminal/wezterm_test.go
new file mode 100644
index 0000000..cf8a198
--- /dev/null
+++ b/packages/forage-ctl/internal/terminal/wezterm_test.go
@@ -0,0 +1,79 @@
+package terminal
+
+import "testing"
+
+func TestVersionSupportsControlMode(t *testing.T) {
+	tests := []struct {
+		name    string
+		version string
+		want    bool
+	}{
+		// Unstable format
+		{
+			name:    "unstable before cutoff",
+			version: "0-unstable-2025-03-07",
+			want:    false,
+		},
+		{
+			name:    "unstable on cutoff",
+			version: "0-unstable-2025-03-08",
+			want:    true,
+		},
+		{
+			name:    "unstable after cutoff",
+			version: "0-unstable-2025-04-01",
+			want:    true,
+		},
+		// Stable format
+		{
+			name:    "stable before cutoff",
+			version: "20250307-120000-abcdef0",
+			want:    false,
+		},
+		{
+			name:    "stable after cutoff",
+			version: "20250309-080000-1a2b3c4",
+			want:    true,
+		},
+		{
+			name:    "stable on cutoff",
+			version: "20250308-000000-0000000",
+			want:    true,
+		},
+		// Edge cases
+		{
+			name:    "empty string",
+			version: "",
+			want:    false,
+		},
+		{
+			name:    "garbage string",
+			version: "not-a-version",
+			want:    false,
+		},
+		{
+			name:    "whitespace only",
+			version: "   ",
+			want:    false,
+		},
+		{
+			name:    "unstable far future",
+			version: "0-unstable-2026-01-15",
+			want:    true,
+		},
+		{
+			name:    "stable year before cutoff",
+			version: "20240101-120000-abcdef0",
+			want:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := versionSupportsControlMode(tt.version)
+			if got != tt.want {
+				t.Errorf("versionSupportsControlMode(%q) = %v, want %v", tt.version, got, tt.want)
+			}
+		})
+	}
+}
diff --git a/packages/forage-ctl/internal/testutil/doc.go b/packages/forage-ctl/internal/testutil/doc.go
new file mode 100644
index 0000000..51eed6c
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/doc.go
@@ -0,0 +1,43 @@
+// Package testutil provides test fixtures and utilities.
+//
+// This package contains embedded JSON fixtures and helper functions for
+// loading valid and invalid configurations in unit tests.
+//
+// # Fixtures
+//
+// JSON fixtures are embedded using go:embed:
+//
+//	fixtures/valid_host_config.json
+//	fixtures/invalid_host_config.json
+//	fixtures/valid_template.json
+//	fixtures/valid_sandbox_metadata.json
+//
+// # Loading Fixtures
+//
+// Helper functions load and parse fixtures into typed config objects:
+//
+//	cfg, err := testutil.ValidHostConfig()
+//	tmpl, err := testutil.ValidTemplate()
+//	meta, err := testutil.ValidSandboxMetadata()
+//	cfg, err := testutil.InvalidHostConfig()
+//
+// # Raw Fixture Access
+//
+// For custom parsing or testing edge cases:
+//
+//	data, err := testutil.LoadFixture("valid_host_config.json")
+//
+// # Usage in Tests
+//
+//	func TestConfigValidation(t *testing.T) {
+//	    valid, _ := testutil.ValidHostConfig()
+//	    if err := valid.Validate(); err != nil {
+//	        t.Errorf("valid config failed validation: %v", err)
+//	    }
+//
+//	    invalid, _ := testutil.InvalidHostConfig()
+//	    if err := invalid.Validate(); err == nil {
+//	        t.Error("invalid config should fail validation")
+//	    }
+//	}
+package testutil
diff --git a/packages/forage-ctl/internal/testutil/fixtures.go b/packages/forage-ctl/internal/testutil/fixtures.go
new file mode 100644
index 0000000..046580e
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/fixtures.go
@@ -0,0 +1,75 @@
+package testutil
+
+import (
+	"embed"
+	"encoding/json"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+//go:embed fixtures/*.json
+var fixturesFS embed.FS
+
+// LoadFixture loads a JSON fixture file by name.
+func LoadFixture(name string) ([]byte, error) {
+	return fixturesFS.ReadFile("fixtures/" + name)
+}
+
+// LoadHostConfigFixture loads a host config fixture.
+func LoadHostConfigFixture(name string) (*config.HostConfig, error) {
+	data, err := LoadFixture(name)
+	if err != nil {
+		return nil, err
+	}
+	var cfg config.HostConfig
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
+
+// LoadTemplateFixture loads a template fixture.
+func LoadTemplateFixture(name string) (*config.Template, error) {
+	data, err := LoadFixture(name)
+	if err != nil {
+		return nil, err
+	}
+	var tmpl config.Template
+	if err := json.Unmarshal(data, &tmpl); err != nil {
+		return nil, err
+	}
+	return &tmpl, nil
+}
+
+// LoadSandboxMetadataFixture loads a sandbox metadata fixture.
+func LoadSandboxMetadataFixture(name string) (*config.SandboxMetadata, error) {
+	data, err := LoadFixture(name)
+	if err != nil {
+		return nil, err
+	}
+	var meta config.SandboxMetadata
+	if err := json.Unmarshal(data, &meta); err != nil {
+		return nil, err
+	}
+	return &meta, nil
+}
+
+// ValidHostConfig returns the valid host config fixture.
+func ValidHostConfig() (*config.HostConfig, error) {
+	return LoadHostConfigFixture("valid_host_config.json")
+}
+
+// InvalidHostConfig returns the invalid host config fixture.
+func InvalidHostConfig() (*config.HostConfig, error) {
+	return LoadHostConfigFixture("invalid_host_config.json")
+}
+
+// ValidTemplate returns the valid template fixture.
+func ValidTemplate() (*config.Template, error) {
+	return LoadTemplateFixture("valid_template.json")
+}
+
+// ValidSandboxMetadata returns the valid sandbox metadata fixture.
+func ValidSandboxMetadata() (*config.SandboxMetadata, error) {
+	return LoadSandboxMetadataFixture("valid_sandbox_metadata.json")
+}
diff --git a/packages/forage-ctl/internal/testutil/fixtures/invalid_host_config.json b/packages/forage-ctl/internal/testutil/fixtures/invalid_host_config.json
new file mode 100644
index 0000000..df0da3c
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/fixtures/invalid_host_config.json
@@ -0,0 +1,5 @@
+{
+  "user": "",
+  "authorizedKeys": [],
+  "secrets": {}
+}
diff --git a/packages/forage-ctl/internal/testutil/fixtures/valid_host_config.json b/packages/forage-ctl/internal/testutil/fixtures/valid_host_config.json
new file mode 100644
index 0000000..13bcd34
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/fixtures/valid_host_config.json
@@ -0,0 +1,13 @@
+{
+  "user": "testuser",
+  "authorizedKeys": [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample test@example.com"
+  ],
+  "secrets": {
+    "anthropic-api-key": "/run/secrets/anthropic-api-key",
+    "openai-api-key": "/run/secrets/openai-api-key"
+  },
+  "stateDir": "/var/lib/firefly-forage",
+  "nixpkgsPath": "/nix/store/abc123-nixpkgs-src",
+  "nixpkgsRev": "abc123def456"
+}
diff --git a/packages/forage-ctl/internal/testutil/fixtures/valid_sandbox_metadata.json b/packages/forage-ctl/internal/testutil/fixtures/valid_sandbox_metadata.json
new file mode 100644
index 0000000..4fccab1
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/fixtures/valid_sandbox_metadata.json
@@ -0,0 +1,11 @@
+{
+  "name": "test-sandbox",
+  "template": "claude",
+  "workspace": "/var/lib/firefly-forage/workspaces/test-sandbox",
+  "networkSlot": 1,
+  "createdAt": "2025-01-15T10:30:00Z",
+  "workspaceMode": "jj",
+  "sourceRepo": "/home/user/projects/myrepo",
+  "jjWorkspaceName": "test-sandbox",
+  "gitBranch": ""
+}
diff --git a/packages/forage-ctl/internal/testutil/fixtures/valid_template.json b/packages/forage-ctl/internal/testutil/fixtures/valid_template.json
new file mode 100644
index 0000000..61fab88
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/fixtures/valid_template.json
@@ -0,0 +1,14 @@
+{
+  "name": "claude",
+  "description": "Claude AI coding agent sandbox",
+  "network": "full",
+  "useProxy": false,
+  "agents": {
+    "claude": {
+      "packagePath": "pkgs.claude-code",
+      "secretName": "anthropic-api-key",
+      "authEnvVar": "ANTHROPIC_API_KEY"
+    }
+  },
+  "allowedHosts": []
+}
diff --git a/packages/forage-ctl/internal/testutil/fixtures_test.go b/packages/forage-ctl/internal/testutil/fixtures_test.go
new file mode 100644
index 0000000..2581bcd
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/fixtures_test.go
@@ -0,0 +1,93 @@
+package testutil
+
+import (
+	"testing"
+)
+
+func TestLoadValidHostConfig(t *testing.T) {
+	cfg, err := ValidHostConfig()
+	if err != nil {
+		t.Fatalf("ValidHostConfig() error: %v", err)
+	}
+
+	if cfg.User != "testuser" {
+		t.Errorf("User = %q, want %q", cfg.User, "testuser")
+	}
+	if len(cfg.AuthorizedKeys) == 0 {
+		t.Error("AuthorizedKeys should not be empty")
+	}
+	if _, ok := cfg.Secrets["anthropic-api-key"]; !ok {
+		t.Error("Secrets should contain anthropic-api-key")
+	}
+
+	// Validate should pass
+	if err := cfg.Validate(); err != nil {
+		t.Errorf("Valid config should pass validation: %v", err)
+	}
+}
+
+func TestLoadInvalidHostConfig(t *testing.T) {
+	cfg, err := InvalidHostConfig()
+	if err != nil {
+		t.Fatalf("InvalidHostConfig() error: %v", err)
+	}
+
+	// Validate should fail
+	if err := cfg.Validate(); err == nil {
+		t.Error("Invalid config should fail validation")
+	}
+}
+
+func TestLoadValidTemplate(t *testing.T) {
+	tmpl, err := ValidTemplate()
+	if err != nil {
+		t.Fatalf("ValidTemplate() error: %v", err)
+	}
+
+	if tmpl.Name != "claude" {
+		t.Errorf("Name = %q, want %q", tmpl.Name, "claude")
+	}
+	if tmpl.Network != "full" {
+		t.Errorf("Network = %q, want %q", tmpl.Network, "full")
+	}
+	if _, ok := tmpl.Agents["claude"]; !ok {
+		t.Error("Agents should contain claude")
+	}
+
+	// Validate should pass
+	if err := tmpl.Validate(); err != nil {
+		t.Errorf("Valid template should pass validation: %v", err)
+	}
+}
+
+func TestLoadValidSandboxMetadata(t *testing.T) {
+	meta, err := ValidSandboxMetadata()
+	if err != nil {
+		t.Fatalf("ValidSandboxMetadata() error: %v", err)
+	}
+
+	if meta.Name != "test-sandbox" {
+		t.Errorf("Name = %q, want %q", meta.Name, "test-sandbox")
+	}
+	if meta.Template != "claude" {
+		t.Errorf("Template = %q, want %q", meta.Template, "claude")
+	}
+	if meta.NetworkSlot != 1 {
+		t.Errorf("NetworkSlot = %d, want 1", meta.NetworkSlot)
+	}
+	if meta.WorkspaceMode != "jj" {
+		t.Errorf("WorkspaceMode = %q, want %q", meta.WorkspaceMode, "jj")
+	}
+
+	// Validate should pass
+	if err := meta.Validate(); err != nil {
+		t.Errorf("Valid metadata should pass validation: %v", err)
+	}
+}
+
+func TestLoadFixture_NotFound(t *testing.T) {
+	_, err := LoadFixture("nonexistent.json")
+	if err == nil {
+		t.Error("LoadFixture should error for nonexistent file")
+	}
+}
diff --git a/packages/forage-ctl/internal/testutil/testutil.go b/packages/forage-ctl/internal/testutil/testutil.go
new file mode 100644
index 0000000..b4dd6fc
--- /dev/null
+++ b/packages/forage-ctl/internal/testutil/testutil.go
@@ -0,0 +1,197 @@
+// Package testutil provides test utilities for integration tests
+package testutil
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/app"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// TestEnv holds the test environment
+type TestEnv struct {
+	T          *testing.T
+	TmpDir     string
+	Paths      *config.Paths
+	HostConfig *config.HostConfig
+	Runtime    *runtime.MockRuntime
+	App        *app.App
+	cleanup    func()
+}
+
+// NewTestEnv creates a new test environment with mock runtime
+func NewTestEnv(t *testing.T) *TestEnv {
+	t.Helper()
+
+	tmpDir := t.TempDir()
+
+	paths := &config.Paths{
+		ConfigDir:     filepath.Join(tmpDir, "config"),
+		StateDir:      filepath.Join(tmpDir, "state"),
+		SecretsDir:    filepath.Join(tmpDir, "secrets"),
+		SandboxesDir:  filepath.Join(tmpDir, "state", "sandboxes"),
+		WorkspacesDir: filepath.Join(tmpDir, "state", "workspaces"),
+		TemplatesDir:  filepath.Join(tmpDir, "config", "templates"),
+	}
+
+	// Create directories
+	for _, dir := range []string{
+		paths.ConfigDir,
+		paths.StateDir,
+		paths.SecretsDir,
+		paths.SandboxesDir,
+		paths.WorkspacesDir,
+		paths.TemplatesDir,
+	} {
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			t.Fatalf("Failed to create directory %s: %v", dir, err)
+		}
+	}
+
+	// Create a secret file for testing (simulates /run/secrets/anthropic-api-key)
+	secretFile := filepath.Join(tmpDir, "secret-anthropic")
+	if err := os.WriteFile(secretFile, []byte("sk-test-key"), 0600); err != nil {
+		t.Fatalf("Failed to write test secret file: %v", err)
+	}
+
+	hostConfig := &config.HostConfig{
+		User:           "testuser",
+		UID:            os.Getuid(),
+		GID:            os.Getgid(),
+		AuthorizedKeys: []string{"ssh-rsa AAAA... test@test"},
+		Secrets:        map[string]string{"anthropic": secretFile},
+		StateDir:       paths.StateDir,
+		NixpkgsRev:     "abc123",
+	}
+
+	// Write host config
+	configData, _ := json.MarshalIndent(hostConfig, "", "  ")
+	if err := os.WriteFile(filepath.Join(paths.ConfigDir, "config.json"), configData, 0644); err != nil {
+		t.Fatalf("Failed to write config: %v", err)
+	}
+
+	mockRuntime := runtime.NewMockRuntime()
+
+	testApp := app.New(
+		app.WithPaths(paths),
+		app.WithRuntime(mockRuntime),
+		app.WithHostConfig(hostConfig),
+	)
+
+	// Save original default and set test app
+	originalDefault := app.Default
+	app.SetDefault(testApp)
+
+	env := &TestEnv{
+		T:          t,
+		TmpDir:     tmpDir,
+		Paths:      paths,
+		HostConfig: hostConfig,
+		Runtime:    mockRuntime,
+		App:        testApp,
+		cleanup: func() {
+			app.SetDefault(originalDefault)
+		},
+	}
+
+	return env
+}
+
+// Cleanup restores the original app default
+func (e *TestEnv) Cleanup() {
+	if e.cleanup != nil {
+		e.cleanup()
+	}
+}
+
+// AddTemplate adds a template to the test environment
+func (e *TestEnv) AddTemplate(name string, template *config.Template) {
+	e.T.Helper()
+
+	if template.Name == "" {
+		template.Name = name
+	}
+
+	data, err := json.MarshalIndent(template, "", "  ")
+	if err != nil {
+		e.T.Fatalf("Failed to marshal template: %v", err)
+	}
+
+	path := filepath.Join(e.Paths.TemplatesDir, name+".json")
+	if err := os.WriteFile(path, data, 0644); err != nil {
+		e.T.Fatalf("Failed to write template: %v", err)
+	}
+}
+
+// AddSandbox adds a sandbox to the test environment
+func (e *TestEnv) AddSandbox(metadata *config.SandboxMetadata) {
+	e.T.Helper()
+
+	if err := config.SaveSandboxMetadata(e.Paths.SandboxesDir, metadata); err != nil {
+		e.T.Fatalf("Failed to save sandbox metadata: %v", err)
+	}
+
+	// Also add to mock runtime if running
+	if metadata.NetworkSlot > 0 {
+		e.Runtime.AddContainer(metadata.Name, runtime.StatusRunning)
+	}
+}
+
+// CreateWorkspace creates a workspace directory
+func (e *TestEnv) CreateWorkspace(name string) string {
+	e.T.Helper()
+
+	path := filepath.Join(e.TmpDir, "workspaces", name)
+	if err := os.MkdirAll(path, 0755); err != nil {
+		e.T.Fatalf("Failed to create workspace: %v", err)
+	}
+	return path
+}
+
+// CreateJJRepo creates a fake JJ repository
+func (e *TestEnv) CreateJJRepo(name string) string {
+	e.T.Helper()
+
+	path := filepath.Join(e.TmpDir, "repos", name)
+	jjPath := filepath.Join(path, ".jj", "repo")
+	if err := os.MkdirAll(jjPath, 0755); err != nil {
+		e.T.Fatalf("Failed to create JJ repo: %v", err)
+	}
+	return path
+}
+
+// GetSandbox loads a sandbox metadata
+func (e *TestEnv) GetSandbox(name string) *config.SandboxMetadata {
+	e.T.Helper()
+
+	metadata, err := config.LoadSandboxMetadata(e.Paths.SandboxesDir, name)
+	if err != nil {
+		return nil
+	}
+	return metadata
+}
+
+// SandboxExists checks if a sandbox exists
+func (e *TestEnv) SandboxExists(name string) bool {
+	return config.SandboxExists(e.Paths.SandboxesDir, name)
+}
+
+// DefaultTemplate returns a basic template for testing
+func DefaultTemplate() *config.Template {
+	return &config.Template{
+		Name:        "test",
+		Description: "Test template",
+		Network:     "full",
+		Agents: map[string]config.AgentConfig{
+			"claude": {
+				PackagePath: "pkgs.claude-code",
+				SecretName:  "anthropic",
+				AuthEnvVar:  "ANTHROPIC_API_KEY",
+			},
+		},
+	}
+}
diff --git a/packages/forage-ctl/internal/tui/doc.go b/packages/forage-ctl/internal/tui/doc.go
new file mode 100644
index 0000000..e4c7618
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/doc.go
@@ -0,0 +1,39 @@
+// Package tui provides terminal user interface components for forage-ctl.
+//
+// This package uses the Bubble Tea framework to create interactive terminal
+// interfaces, primarily for the gateway's sandbox picker.
+//
+// # Sandbox Picker
+//
+// The picker displays running sandboxes grouped by project and allows selection:
+//
+//	opts := tui.PickerOptions{AllowCreate: true, TemplatesDir: paths.TemplatesDir}
+//	result, err := tui.RunPicker(sandboxes, paths, rt, opts)
+//	switch result.Action {
+//	case tui.ActionAttach:
+//	    // Connect to result.Sandbox
+//	case tui.ActionNew:
+//	    if result.CreateOptions != nil {
+//	        // Create sandbox from wizard results
+//	    }
+//	case tui.ActionDown:
+//	    // Stop selected sandbox
+//	case tui.ActionQuit:
+//	    // Exit
+//	}
+//
+// # Picker Features
+//
+//   - Lists all sandboxes grouped by project (SourceRepo or Workspace)
+//   - Keyboard navigation (j/k or arrows), headers auto-skipped
+//   - Quick actions: Enter (attach), n (new/wizard), d (down), q (quit)
+//   - Color-coded status indicators
+//   - Creation wizard when AllowCreate is true (path, template, name, advanced)
+//
+// # Dependencies
+//
+// Uses the Charm libraries:
+//   - github.com/charmbracelet/bubbletea - TUI framework
+//   - github.com/charmbracelet/bubbles - UI components
+//   - github.com/charmbracelet/lipgloss - Styling
+package tui
diff --git a/packages/forage-ctl/internal/tui/group.go b/packages/forage-ctl/internal/tui/group.go
new file mode 100644
index 0000000..d3d5a12
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/group.go
@@ -0,0 +1,197 @@
+package tui
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"sort"
+	"strings"
+
+	"github.com/charmbracelet/bubbles/list"
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/charmbracelet/lipgloss"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// headerItem is a non-selectable group separator in the picker list.
+type headerItem struct {
+	label string
+}
+
+func (h headerItem) FilterValue() string { return "" }
+func (h headerItem) Title() string       { return h.label }
+func (h headerItem) Description() string { return "" }
+
+// groupKey returns the grouping key for a sandbox.
+// Uses SourceRepo if set (for jj/git-worktree), otherwise Workspace.
+func groupKey(sb *config.SandboxMetadata) string {
+	if sb.SourceRepo != "" {
+		return sb.SourceRepo
+	}
+	return sb.Workspace
+}
+
+// buildGroupedItems groups sandboxes by project and returns list items
+// with headerItem separators. The rt parameter is optional; if nil, all
+// sandboxes will show as stopped.
+func buildGroupedItems(ctx context.Context, sandboxes []*config.SandboxMetadata, rt runtime.Runtime) []list.Item {
+	if len(sandboxes) == 0 {
+		return nil
+	}
+
+	// Group sandboxes by key
+	type group struct {
+		key       string
+		sandboxes []*config.SandboxMetadata
+	}
+	groupMap := make(map[string]*group)
+	for _, sb := range sandboxes {
+		key := groupKey(sb)
+		g, ok := groupMap[key]
+		if !ok {
+			g = &group{key: key}
+			groupMap[key] = g
+		}
+		g.sandboxes = append(g.sandboxes, sb)
+	}
+
+	// Sort groups alphabetically
+	groups := make([]*group, 0, len(groupMap))
+	for _, g := range groupMap {
+		groups = append(groups, g)
+	}
+	sort.Slice(groups, func(i, j int) bool {
+		return groups[i].key < groups[j].key
+	})
+
+	// Build items with headers
+	var items []list.Item
+	for _, g := range groups {
+		items = append(items, headerItem{label: g.key})
+		for _, sb := range g.sandboxes {
+			mux := multiplexer.New(multiplexer.Type(sb.Multiplexer))
+			status := health.GetSummary(ctx, sb.Name, sb.ContainerIP(), rt, mux)
+			uptime := "stopped"
+			if status != health.StatusStopped {
+				uptime = health.GetUptime(ctx, sb.Name, rt)
+			}
+			items = append(items, sandboxItem{
+				metadata: sb,
+				status:   status,
+				uptime:   uptime,
+			})
+		}
+	}
+
+	return items
+}
+
+// headerStyle is the style for group header items.
+var headerStyle = lipgloss.NewStyle().
+	Bold(true).
+	Foreground(lipgloss.Color("241")).
+	PaddingLeft(2)
+
+// groupedDelegate renders both headerItem and sandboxItem in the picker list.
+type groupedDelegate struct {
+	inner list.DefaultDelegate
+}
+
+// newGroupedDelegate creates a groupedDelegate wrapping a configured DefaultDelegate.
+func newGroupedDelegate() groupedDelegate {
+	delegate := list.NewDefaultDelegate()
+	delegate.Styles.SelectedTitle = selectedStyle
+	delegate.Styles.SelectedDesc = lipgloss.NewStyle().Foreground(lipgloss.Color("245"))
+	return groupedDelegate{inner: delegate}
+}
+
+func (d groupedDelegate) Height() int                             { return d.inner.Height() }
+func (d groupedDelegate) Spacing() int                            { return d.inner.Spacing() }
+func (d groupedDelegate) Update(_ tea.Msg, _ *list.Model) tea.Cmd { return nil }
+
+func (d groupedDelegate) Render(w io.Writer, m list.Model, index int, item list.Item) {
+	if h, ok := item.(headerItem); ok {
+		str := headerStyle.Render(h.label)
+		fmt.Fprint(w, str)
+		return
+	}
+
+	d.inner.Render(w, m, index, item)
+}
+
+// skipHeaders adjusts the cursor position to skip headerItem entries.
+// direction should be 1 (down) or -1 (up).
+func skipHeaders(l *list.Model, direction int) {
+	items := l.Items()
+	if len(items) == 0 {
+		return
+	}
+
+	idx := l.Index()
+	if _, ok := items[idx].(headerItem); !ok {
+		return
+	}
+
+	// Try to move in the given direction first
+	next := idx + direction
+	if next >= 0 && next < len(items) {
+		if _, ok := items[next].(headerItem); !ok {
+			l.Select(next)
+			return
+		}
+	}
+
+	// Fall back to the opposite direction
+	opposite := idx - direction
+	if opposite >= 0 && opposite < len(items) {
+		if _, ok := items[opposite].(headerItem); !ok {
+			l.Select(opposite)
+			return
+		}
+	}
+
+	// Search forward from current position for any non-header
+	for i := 0; i < len(items); i++ {
+		candidate := (idx + i*direction + len(items)) % len(items)
+		if _, ok := items[candidate].(headerItem); !ok {
+			l.Select(candidate)
+			return
+		}
+	}
+}
+
+// navigationDirection returns 1 for down/j keys, -1 for up/k keys.
+func navigationDirection(msg tea.KeyMsg) int {
+	switch {
+	case msg.String() == "up" || msg.String() == "k":
+		return -1
+	default:
+		return 1
+	}
+}
+
+// headerCount returns the number of headerItems before the given index.
+// This is used to compute a reasonable status bar item count.
+func headerCount(items []list.Item) int {
+	count := 0
+	for _, item := range items {
+		if _, ok := item.(headerItem); ok {
+			count++
+		}
+	}
+	return count
+}
+
+// shortenGroupKey shortens a path for display as a group header label.
+func shortenGroupKey(path string) string {
+	// Show just the last 2 components for readability
+	parts := strings.Split(path, "/")
+	if len(parts) > 2 {
+		return strings.Join(parts[len(parts)-2:], "/")
+	}
+	return path
+}
diff --git a/packages/forage-ctl/internal/tui/group_test.go b/packages/forage-ctl/internal/tui/group_test.go
new file mode 100644
index 0000000..b7e117a
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/group_test.go
@@ -0,0 +1,185 @@
+package tui
+
+import (
+	"context"
+	"testing"
+
+	"github.com/charmbracelet/bubbles/list"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+func TestGroupKey(t *testing.T) {
+	tests := []struct {
+		name string
+		meta *config.SandboxMetadata
+		want string
+	}{
+		{
+			name: "uses SourceRepo when set",
+			meta: &config.SandboxMetadata{
+				SourceRepo: "/home/user/repo",
+				Workspace:  "/var/lib/workspaces/sandbox1",
+			},
+			want: "/home/user/repo",
+		},
+		{
+			name: "falls back to Workspace",
+			meta: &config.SandboxMetadata{
+				Workspace: "/home/user/project",
+			},
+			want: "/home/user/project",
+		},
+		{
+			name: "empty SourceRepo uses Workspace",
+			meta: &config.SandboxMetadata{
+				SourceRepo: "",
+				Workspace:  "/home/user/project",
+			},
+			want: "/home/user/project",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := groupKey(tt.meta)
+			if got != tt.want {
+				t.Errorf("groupKey() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestBuildGroupedItems(t *testing.T) {
+	t.Run("empty sandboxes", func(t *testing.T) {
+		items := buildGroupedItems(context.Background(), nil, nil)
+		if items != nil {
+			t.Errorf("expected nil, got %d items", len(items))
+		}
+	})
+
+	t.Run("single group", func(t *testing.T) {
+		sandboxes := []*config.SandboxMetadata{
+			{Name: "sb1", Template: "claude", Workspace: "/home/user/project"},
+			{Name: "sb2", Template: "aider", Workspace: "/home/user/project"},
+		}
+		items := buildGroupedItems(context.Background(), sandboxes, nil)
+
+		// Expect 1 header + 2 sandbox items
+		if len(items) != 3 {
+			t.Fatalf("expected 3 items, got %d", len(items))
+		}
+
+		// First item should be a header
+		h, ok := items[0].(headerItem)
+		if !ok {
+			t.Fatal("first item should be a headerItem")
+		}
+		if h.label != "/home/user/project" {
+			t.Errorf("header label = %q, want %q", h.label, "/home/user/project")
+		}
+
+		// Next two should be sandboxItems
+		if _, ok := items[1].(sandboxItem); !ok {
+			t.Error("second item should be a sandboxItem")
+		}
+		if _, ok := items[2].(sandboxItem); !ok {
+			t.Error("third item should be a sandboxItem")
+		}
+	})
+
+	t.Run("multiple groups sorted alphabetically", func(t *testing.T) {
+		sandboxes := []*config.SandboxMetadata{
+			{Name: "sb1", Template: "claude", SourceRepo: "/home/user/repo-b"},
+			{Name: "sb2", Template: "aider", SourceRepo: "/home/user/repo-a"},
+			{Name: "sb3", Template: "claude", SourceRepo: "/home/user/repo-b"},
+		}
+		items := buildGroupedItems(context.Background(), sandboxes, nil)
+
+		// Expect 2 headers + 3 sandbox items = 5
+		if len(items) != 5 {
+			t.Fatalf("expected 5 items, got %d", len(items))
+		}
+
+		// First header should be repo-a (alphabetically first)
+		h1, ok := items[0].(headerItem)
+		if !ok {
+			t.Fatal("first item should be a headerItem")
+		}
+		if h1.label != "/home/user/repo-a" {
+			t.Errorf("first header = %q, want %q", h1.label, "/home/user/repo-a")
+		}
+
+		// Second header should be repo-b
+		h2, ok := items[2].(headerItem)
+		if !ok {
+			t.Fatal("third item should be a headerItem")
+		}
+		if h2.label != "/home/user/repo-b" {
+			t.Errorf("second header = %q, want %q", h2.label, "/home/user/repo-b")
+		}
+	})
+
+	t.Run("mixed SourceRepo and Workspace grouping", func(t *testing.T) {
+		sandboxes := []*config.SandboxMetadata{
+			{Name: "sb1", Template: "claude", SourceRepo: "/home/user/repo", Workspace: "/var/lib/ws/sb1"},
+			{Name: "sb2", Template: "aider", Workspace: "/home/user/project"},
+		}
+		items := buildGroupedItems(context.Background(), sandboxes, nil)
+
+		// Expect 2 headers + 2 sandbox items = 4
+		if len(items) != 4 {
+			t.Fatalf("expected 4 items, got %d", len(items))
+		}
+	})
+}
+
+func TestHeaderItem(t *testing.T) {
+	h := headerItem{label: "Test Group"}
+
+	if h.FilterValue() != "" {
+		t.Error("headerItem.FilterValue() should return empty string")
+	}
+	if h.Title() != "Test Group" {
+		t.Errorf("Title() = %q, want %q", h.Title(), "Test Group")
+	}
+	if h.Description() != "" {
+		t.Errorf("Description() = %q, want empty", h.Description())
+	}
+}
+
+func TestHeaderCount(t *testing.T) {
+	items := []list.Item{
+		headerItem{label: "group1"},
+		sandboxItem{metadata: &config.SandboxMetadata{Name: "sb1"}},
+		sandboxItem{metadata: &config.SandboxMetadata{Name: "sb2"}},
+		headerItem{label: "group2"},
+		sandboxItem{metadata: &config.SandboxMetadata{Name: "sb3"}},
+	}
+
+	count := headerCount(items)
+	if count != 2 {
+		t.Errorf("headerCount() = %d, want 2", count)
+	}
+}
+
+func TestShortenGroupKey(t *testing.T) {
+	tests := []struct {
+		path string
+		want string
+	}{
+		{"/home/user/projects/myrepo", "projects/myrepo"},
+		{"/tmp/test", "tmp/test"},
+		{"short", "short"},
+		{"a/b", "a/b"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			got := shortenGroupKey(tt.path)
+			if got != tt.want {
+				t.Errorf("shortenGroupKey(%q) = %q, want %q", tt.path, got, tt.want)
+			}
+		})
+	}
+}
diff --git a/packages/forage-ctl/internal/tui/picker.go b/packages/forage-ctl/internal/tui/picker.go
new file mode 100644
index 0000000..25a134b
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/picker.go
@@ -0,0 +1,393 @@
+// Package tui provides terminal user interface components for forage-ctl
+package tui
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/charmbracelet/bubbles/list"
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/charmbracelet/lipgloss"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/multiplexer"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/runtime"
+)
+
+// Action represents the action to take after picker selection
+type Action int
+
+const (
+	ActionNone Action = iota
+	ActionAttach
+	ActionNew
+	ActionDown
+	ActionQuit
+)
+
+// screen identifies which screen the picker is showing.
+type screen int
+
+const (
+	screenList screen = iota
+	screenWizard
+)
+
+// PickerOptions configures the picker behavior.
+type PickerOptions struct {
+	AllowCreate  bool   // enables creation wizard (false for gateway)
+	TemplatesDir string // for loading templates in wizard
+}
+
+// CreateOptions holds wizard-collected values for sandbox creation.
+type CreateOptions struct {
+	Name        string
+	Template    string
+	RepoPath    string
+	Direct      bool
+	NoMuxConfig bool
+	GitUser     string
+	GitEmail    string
+	SSHKeyPath  string
+}
+
+// PickerResult holds the result of the picker
+type PickerResult struct {
+	Action        Action
+	Sandbox       *config.SandboxMetadata
+	CreateOptions *CreateOptions // non-nil when wizard completed
+}
+
+// sandboxItem implements list.Item for sandbox display
+type sandboxItem struct {
+	metadata *config.SandboxMetadata
+	status   health.Status
+	uptime   string
+}
+
+func (i sandboxItem) Title() string {
+	return i.metadata.Name
+}
+
+func (i sandboxItem) Description() string {
+	mode := i.metadata.WorkspaceMode
+
+	statusIcon := "●"
+	switch i.status {
+	case health.StatusHealthy:
+		statusIcon = "✓"
+	case health.StatusUnhealthy:
+		statusIcon = "⚠"
+	case health.StatusNoMux:
+		statusIcon = "○"
+	case health.StatusStopped:
+		statusIcon = "●"
+	}
+
+	// Show source repo for jj/git-worktree modes, workspace otherwise
+	location := i.metadata.Workspace
+	if i.metadata.SourceRepo != "" {
+		location = i.metadata.SourceRepo
+	}
+
+	return fmt.Sprintf("%s %s | %s | %s",
+		statusIcon,
+		i.metadata.Template,
+		mode,
+		truncatePath(location, 40),
+	)
+}
+
+func (i sandboxItem) FilterValue() string {
+	return i.metadata.Name
+}
+
+func truncatePath(path string, maxLen int) string {
+	if len(path) <= maxLen {
+		return path
+	}
+	return "..." + path[len(path)-maxLen+3:]
+}
+
+// Styles
+var (
+	titleStyle = lipgloss.NewStyle().
+			Bold(true).
+			Foreground(lipgloss.Color("39")).
+			MarginBottom(1)
+
+	helpStyle = lipgloss.NewStyle().
+			Foreground(lipgloss.Color("241")).
+			MarginTop(1)
+
+	selectedStyle = lipgloss.NewStyle().
+			Foreground(lipgloss.Color("39")).
+			Bold(true)
+)
+
+// Model is the bubbletea model for the sandbox picker
+type Model struct {
+	list     list.Model
+	result   PickerResult
+	quitting bool
+	paths    *config.Paths
+	options  PickerOptions
+	screen   screen
+	wizard   *wizardModel
+	width    int
+	height   int
+}
+
+// NewPicker creates a new sandbox picker.
+// The rt parameter is optional; if nil, all sandboxes will show as stopped.
+func NewPicker(ctx context.Context, sandboxes []*config.SandboxMetadata, paths *config.Paths, rt runtime.Runtime, opts PickerOptions) Model {
+	items := buildGroupedItems(ctx, sandboxes, rt)
+
+	delegate := newGroupedDelegate()
+	l := list.New(items, delegate, 80, 20)
+	l.Title = "Firefly Forage - Select Sandbox"
+	l.SetShowStatusBar(true)
+	l.SetFilteringEnabled(true)
+	l.Styles.Title = titleStyle
+
+	m := Model{
+		list:    l,
+		paths:   paths,
+		options: opts,
+		screen:  screenList,
+	}
+
+	// Skip initial header selection
+	skipHeaders(&m.list, 1)
+
+	return m
+}
+
+func (m Model) Init() tea.Cmd {
+	if m.screen == screenWizard && m.wizard != nil {
+		return m.wizard.Init()
+	}
+	return nil
+}
+
+func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
+	switch m.screen {
+	case screenWizard:
+		return m.updateWizard(msg)
+	default:
+		return m.updateList(msg)
+	}
+}
+
+func (m Model) updateList(msg tea.Msg) (tea.Model, tea.Cmd) {
+	switch msg := msg.(type) {
+	case tea.WindowSizeMsg:
+		m.width = msg.Width
+		m.height = msg.Height
+		m.list.SetSize(msg.Width, msg.Height-4)
+		return m, nil
+
+	case tea.KeyMsg:
+		// Don't handle keys if filtering
+		if m.list.FilterState() == list.Filtering {
+			break
+		}
+
+		switch msg.String() {
+		case "enter":
+			if item, ok := m.list.SelectedItem().(sandboxItem); ok {
+				m.result = PickerResult{
+					Action:  ActionAttach,
+					Sandbox: item.metadata,
+				}
+				m.quitting = true
+				return m, tea.Quit
+			}
+
+		case "n":
+			if m.options.AllowCreate {
+				m.screen = screenWizard
+				w := newWizardModel(m.options.TemplatesDir)
+				m.wizard = &w
+				if m.width > 0 && m.height > 0 {
+					m.wizard.width = m.width
+					m.wizard.height = m.height
+				}
+				return m, m.wizard.Init()
+			}
+			m.result = PickerResult{Action: ActionNew}
+			m.quitting = true
+			return m, tea.Quit
+
+		case "d":
+			if item, ok := m.list.SelectedItem().(sandboxItem); ok {
+				m.result = PickerResult{
+					Action:  ActionDown,
+					Sandbox: item.metadata,
+				}
+				m.quitting = true
+				return m, tea.Quit
+			}
+
+		case "q", "esc":
+			m.result = PickerResult{Action: ActionQuit}
+			m.quitting = true
+			return m, tea.Quit
+		}
+	}
+
+	prevIdx := m.list.Index()
+	var cmd tea.Cmd
+	m.list, cmd = m.list.Update(msg)
+
+	// Skip headers after navigation
+	if m.list.Index() != prevIdx {
+		dir := 1
+		if keyMsg, ok := msg.(tea.KeyMsg); ok {
+			dir = navigationDirection(keyMsg)
+		}
+		skipHeaders(&m.list, dir)
+	}
+
+	return m, cmd
+}
+
+func (m Model) updateWizard(msg tea.Msg) (tea.Model, tea.Cmd) {
+	if m.wizard == nil {
+		m.screen = screenList
+		return m, nil
+	}
+
+	// Handle window size for wizard
+	if wsMsg, ok := msg.(tea.WindowSizeMsg); ok {
+		m.width = wsMsg.Width
+		m.height = wsMsg.Height
+		m.wizard.width = wsMsg.Width
+		m.wizard.height = wsMsg.Height
+	}
+
+	done, opts, cmd := m.wizard.Update(msg)
+	if done {
+		if opts != nil {
+			m.result = PickerResult{
+				Action:        ActionNew,
+				CreateOptions: opts,
+			}
+			m.quitting = true
+			return m, tea.Quit
+		}
+		// Wizard cancelled, return to list
+		m.screen = screenList
+		m.wizard = nil
+		return m, nil
+	}
+	return m, cmd
+}
+
+func (m Model) View() string {
+	if m.quitting {
+		return ""
+	}
+
+	switch m.screen {
+	case screenWizard:
+		if m.wizard != nil {
+			return m.wizard.View()
+		}
+	}
+
+	help := helpStyle.Render("[enter] Attach  [n] New  [d] Down  [/] Filter  [q] Quit")
+
+	return m.list.View() + "\n" + help
+}
+
+// Result returns the picker result
+func (m Model) Result() PickerResult {
+	return m.result
+}
+
+// RunPicker runs the interactive sandbox picker.
+// The rt parameter is optional; if nil, all sandboxes will show as stopped.
+func RunPicker(ctx context.Context, sandboxes []*config.SandboxMetadata, paths *config.Paths, rt runtime.Runtime, opts PickerOptions) (PickerResult, error) {
+	if len(sandboxes) == 0 {
+		if opts.AllowCreate {
+			// Go directly to wizard
+			w := newWizardModel(opts.TemplatesDir)
+			m := Model{
+				paths:   paths,
+				options: opts,
+				screen:  screenWizard,
+				wizard:  &w,
+			}
+			p := tea.NewProgram(m, tea.WithAltScreen())
+			finalModel, err := p.Run()
+			if err != nil {
+				return PickerResult{}, err
+			}
+			model, ok := finalModel.(Model)
+			if !ok {
+				return PickerResult{}, fmt.Errorf("unexpected model type")
+			}
+			return model.Result(), nil
+		}
+		return PickerResult{Action: ActionNew}, nil
+	}
+
+	m := NewPicker(ctx, sandboxes, paths, rt, opts)
+	p := tea.NewProgram(m, tea.WithAltScreen())
+
+	finalModel, err := p.Run()
+	if err != nil {
+		return PickerResult{}, err
+	}
+
+	model, ok := finalModel.(Model)
+	if !ok {
+		return PickerResult{}, fmt.Errorf("unexpected model type")
+	}
+	return model.Result(), nil
+}
+
+// SimplePicker is a non-interactive picker that just lists sandboxes.
+// The rt parameter is optional; if nil, all sandboxes will show as stopped.
+func SimplePicker(ctx context.Context, sandboxes []*config.SandboxMetadata, paths *config.Paths, rt runtime.Runtime) string {
+	var sb strings.Builder
+
+	sb.WriteString("Firefly Forage - Sandboxes\n")
+	sb.WriteString(strings.Repeat("─", 60) + "\n\n")
+
+	if len(sandboxes) == 0 {
+		sb.WriteString("No sandboxes found.\n")
+		sb.WriteString("Create one with: forage-ctl up <name> -t <template>\n")
+		return sb.String()
+	}
+
+	for i, sandbox := range sandboxes {
+		mux := multiplexer.New(multiplexer.Type(sandbox.Multiplexer))
+		status := health.GetSummary(ctx, sandbox.Name, sandbox.ContainerIP(), rt, mux)
+		statusIcon := "●"
+		switch status {
+		case health.StatusHealthy:
+			statusIcon = "✓"
+		case health.StatusUnhealthy:
+			statusIcon = "⚠"
+		case health.StatusNoMux:
+			statusIcon = "○"
+		}
+
+		// Show source repo for jj/git-worktree modes, workspace otherwise
+		location := sandbox.Workspace
+		if sandbox.SourceRepo != "" {
+			location = sandbox.SourceRepo
+		}
+
+		fmt.Fprintf(&sb, "%d. %s %s (%s)\n",
+			i+1, statusIcon, sandbox.Name, sandbox.Template)
+		fmt.Fprintf(&sb, "   IP: %s | %s\n\n",
+			sandbox.ContainerIP(), truncatePath(location, 40))
+	}
+
+	return sb.String()
+}
diff --git a/packages/forage-ctl/internal/tui/picker_test.go b/packages/forage-ctl/internal/tui/picker_test.go
new file mode 100644
index 0000000..9b8602b
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/picker_test.go
@@ -0,0 +1,397 @@
+package tui
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	tea "github.com/charmbracelet/bubbletea"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/health"
+)
+
+func TestTruncatePath(t *testing.T) {
+	tests := []struct {
+		path   string
+		maxLen int
+		want   string
+	}{
+		{"short", 10, "short"},
+		{"/home/user/workspace", 20, "/home/user/workspace"},
+		{"/home/user/very/long/path/to/workspace", 20, "...path/to/workspace"},
+		{"", 10, ""},
+		{"exactly10!", 10, "exactly10!"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			got := truncatePath(tt.path, tt.maxLen)
+			if got != tt.want {
+				t.Errorf("truncatePath(%q, %d) = %q, want %q", tt.path, tt.maxLen, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSandboxItemMethods(t *testing.T) {
+	meta := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		Workspace:     "/home/user/workspace",
+		WorkspaceMode: "jj",
+	}
+
+	item := sandboxItem{
+		metadata: meta,
+		status:   health.StatusHealthy,
+		uptime:   "2h30m",
+	}
+
+	t.Run("Title", func(t *testing.T) {
+		if got := item.Title(); got != "test-sandbox" {
+			t.Errorf("Title() = %q, want %q", got, "test-sandbox")
+		}
+	})
+
+	t.Run("FilterValue", func(t *testing.T) {
+		if got := item.FilterValue(); got != "test-sandbox" {
+			t.Errorf("FilterValue() = %q, want %q", got, "test-sandbox")
+		}
+	})
+
+	t.Run("Description", func(t *testing.T) {
+		desc := item.Description()
+		if !strings.Contains(desc, "✓") {
+			t.Error("Description should contain healthy status icon")
+		}
+		if !strings.Contains(desc, "claude") {
+			t.Error("Description should contain template name")
+		}
+		if !strings.Contains(desc, "jj") {
+			t.Error("Description should contain workspace mode")
+		}
+		if !strings.Contains(desc, "/home/user/workspace") {
+			t.Error("Description should contain workspace path")
+		}
+	})
+
+	t.Run("Description with direct mode", func(t *testing.T) {
+		meta := &config.SandboxMetadata{
+			Name:          "test",
+			WorkspaceMode: "direct",
+		}
+		item := sandboxItem{metadata: meta, status: health.StatusStopped}
+		desc := item.Description()
+		if !strings.Contains(desc, "direct") {
+			t.Error("Description should contain 'direct' mode")
+		}
+	})
+}
+
+func TestSandboxItemStatusIcons(t *testing.T) {
+	tests := []struct {
+		status health.Status
+		icon   string
+	}{
+		{health.StatusHealthy, "✓"},
+		{health.StatusUnhealthy, "⚠"},
+		{health.StatusNoMux, "○"},
+		{health.StatusStopped, "●"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.icon, func(t *testing.T) {
+			item := sandboxItem{
+				metadata: &config.SandboxMetadata{Name: "test"},
+				status:   tt.status,
+			}
+			desc := item.Description()
+			if !strings.Contains(desc, tt.icon) {
+				t.Errorf("Description for status %v should contain %q", tt.status, tt.icon)
+			}
+		})
+	}
+}
+
+func TestModelKeyHandling(t *testing.T) {
+	meta := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		NetworkSlot:   1,
+		WorkspaceMode: "direct",
+		Workspace:     "/home/user/project",
+	}
+
+	paths := &config.Paths{
+		ConfigDir:    "/etc/firefly-forage",
+		StateDir:     "/var/lib/firefly-forage",
+		SandboxesDir: "/var/lib/firefly-forage/sandboxes",
+	}
+
+	opts := PickerOptions{}
+
+	t.Run("quit with q", func(t *testing.T) {
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, opts)
+		newModel, cmd := m.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'q'}})
+		model := newModel.(Model)
+
+		if model.result.Action != ActionQuit {
+			t.Errorf("Action = %v, want ActionQuit", model.result.Action)
+		}
+		if !model.quitting {
+			t.Error("Model should be quitting")
+		}
+		if cmd == nil {
+			t.Error("Should return tea.Quit command")
+		}
+	})
+
+	t.Run("quit with esc", func(t *testing.T) {
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, opts)
+		newModel, _ := m.Update(tea.KeyMsg{Type: tea.KeyEsc})
+		model := newModel.(Model)
+
+		if model.result.Action != ActionQuit {
+			t.Errorf("Action = %v, want ActionQuit", model.result.Action)
+		}
+	})
+
+	t.Run("new sandbox with n (AllowCreate=false)", func(t *testing.T) {
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, opts)
+		newModel, _ := m.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'n'}})
+		model := newModel.(Model)
+
+		if model.result.Action != ActionNew {
+			t.Errorf("Action = %v, want ActionNew", model.result.Action)
+		}
+	})
+
+	t.Run("new sandbox with n (AllowCreate=true) opens wizard", func(t *testing.T) {
+		createOpts := PickerOptions{AllowCreate: true}
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, createOpts)
+		newModel, _ := m.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'n'}})
+		model := newModel.(Model)
+
+		if model.screen != screenWizard {
+			t.Error("Expected screen to be screenWizard")
+		}
+		if model.wizard == nil {
+			t.Error("Expected wizard to be initialized")
+		}
+	})
+
+	t.Run("window size update", func(t *testing.T) {
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, opts)
+		newModel, cmd := m.Update(tea.WindowSizeMsg{Width: 100, Height: 50})
+		model := newModel.(Model)
+
+		if model.width != 100 {
+			t.Errorf("Width = %d, want 100", model.width)
+		}
+		if model.height != 50 {
+			t.Errorf("Height = %d, want 50", model.height)
+		}
+		if cmd != nil {
+			t.Error("Window size update should not return a command")
+		}
+	})
+}
+
+func TestModelInit(t *testing.T) {
+	m := Model{}
+	cmd := m.Init()
+	if cmd != nil {
+		t.Error("Init() should return nil")
+	}
+}
+
+func TestModelView(t *testing.T) {
+	meta := &config.SandboxMetadata{
+		Name:          "test-sandbox",
+		Template:      "claude",
+		WorkspaceMode: "direct",
+		Workspace:     "/home/user/project",
+	}
+
+	paths := &config.Paths{
+		SandboxesDir: "/var/lib/firefly-forage/sandboxes",
+	}
+
+	opts := PickerOptions{}
+
+	t.Run("normal view contains help", func(t *testing.T) {
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, opts)
+		view := m.View()
+
+		if !strings.Contains(view, "[enter] Attach") {
+			t.Error("View should contain attach help")
+		}
+		if !strings.Contains(view, "[n] New") {
+			t.Error("View should contain new help")
+		}
+		if !strings.Contains(view, "[q] Quit") {
+			t.Error("View should contain quit help")
+		}
+	})
+
+	t.Run("quitting view is empty", func(t *testing.T) {
+		m := NewPicker(context.Background(), []*config.SandboxMetadata{meta}, paths, nil, opts)
+		m.quitting = true
+		view := m.View()
+
+		if view != "" {
+			t.Errorf("Quitting view should be empty, got %q", view)
+		}
+	})
+}
+
+func TestModelResult(t *testing.T) {
+	m := Model{
+		result: PickerResult{
+			Action: ActionAttach,
+			Sandbox: &config.SandboxMetadata{
+				Name: "test",
+			},
+		},
+	}
+
+	result := m.Result()
+	if result.Action != ActionAttach {
+		t.Errorf("Action = %v, want ActionAttach", result.Action)
+	}
+	if result.Sandbox.Name != "test" {
+		t.Errorf("Sandbox.Name = %q, want %q", result.Sandbox.Name, "test")
+	}
+}
+
+func TestRunPickerEmptySandboxes(t *testing.T) {
+	paths := &config.Paths{
+		SandboxesDir: "/var/lib/firefly-forage/sandboxes",
+	}
+
+	result, err := RunPicker(context.Background(), []*config.SandboxMetadata{}, paths, nil, PickerOptions{})
+	if err != nil {
+		t.Fatalf("RunPicker with empty sandboxes failed: %v", err)
+	}
+
+	if result.Action != ActionNew {
+		t.Errorf("Empty sandboxes should return ActionNew, got %v", result.Action)
+	}
+}
+
+func TestSimplePicker(t *testing.T) {
+	paths := &config.Paths{
+		SandboxesDir: "/var/lib/firefly-forage/sandboxes",
+	}
+
+	t.Run("empty sandboxes", func(t *testing.T) {
+		output := SimplePicker(context.Background(), []*config.SandboxMetadata{}, paths, nil)
+
+		if !strings.Contains(output, "No sandboxes found") {
+			t.Error("Should indicate no sandboxes found")
+		}
+		if !strings.Contains(output, "forage-ctl up") {
+			t.Error("Should show how to create sandbox")
+		}
+	})
+
+	t.Run("with sandboxes", func(t *testing.T) {
+		sandboxes := []*config.SandboxMetadata{
+			{
+				Name:        "sandbox1",
+				Template:    "claude",
+				NetworkSlot: 1,
+				Workspace:   "/home/user/project1",
+			},
+			{
+				Name:        "sandbox2",
+				Template:    "aider",
+				NetworkSlot: 2,
+				Workspace:   "/home/user/project2",
+			},
+		}
+
+		output := SimplePicker(context.Background(), sandboxes, paths, nil)
+
+		if !strings.Contains(output, "Firefly Forage") {
+			t.Error("Should contain title")
+		}
+		if !strings.Contains(output, "sandbox1") {
+			t.Error("Should contain first sandbox name")
+		}
+		if !strings.Contains(output, "sandbox2") {
+			t.Error("Should contain second sandbox name")
+		}
+		if !strings.Contains(output, "claude") {
+			t.Error("Should contain template name")
+		}
+		if !strings.Contains(output, "10.100.1.2") {
+			t.Error("Should contain container IP")
+		}
+	})
+}
+
+func TestActionConstants(t *testing.T) {
+	// Verify action constants have distinct values
+	actions := []Action{ActionNone, ActionAttach, ActionNew, ActionDown, ActionQuit}
+	seen := make(map[Action]bool)
+
+	for _, a := range actions {
+		if seen[a] {
+			t.Errorf("Duplicate action value: %v", a)
+		}
+		seen[a] = true
+	}
+}
+
+func TestPickerResultWithCreateOptions(t *testing.T) {
+	result := PickerResult{
+		Action: ActionNew,
+		CreateOptions: &CreateOptions{
+			Name:     "test-sandbox",
+			Template: "claude",
+			RepoPath: "/home/user/project",
+			Direct:   true,
+		},
+	}
+
+	if result.Action != ActionNew {
+		t.Errorf("Action = %v, want ActionNew", result.Action)
+	}
+	if result.CreateOptions == nil {
+		t.Fatal("CreateOptions should not be nil")
+	}
+	if result.CreateOptions.Name != "test-sandbox" {
+		t.Errorf("Name = %q, want %q", result.CreateOptions.Name, "test-sandbox")
+	}
+	if !result.CreateOptions.Direct {
+		t.Error("Direct should be true")
+	}
+}
+
+func TestGroupedListInPicker(t *testing.T) {
+	sandboxes := []*config.SandboxMetadata{
+		{Name: "sb1", Template: "claude", SourceRepo: "/home/user/repo-a", Workspace: "/var/lib/ws/sb1", WorkspaceMode: "jj"},
+		{Name: "sb2", Template: "aider", SourceRepo: "/home/user/repo-b", Workspace: "/var/lib/ws/sb2", WorkspaceMode: "jj"},
+		{Name: "sb3", Template: "claude", SourceRepo: "/home/user/repo-a", Workspace: "/var/lib/ws/sb3", WorkspaceMode: "jj"},
+	}
+
+	paths := &config.Paths{
+		SandboxesDir: "/var/lib/firefly-forage/sandboxes",
+	}
+
+	m := NewPicker(context.Background(), sandboxes, paths, nil, PickerOptions{})
+
+	// The list should have headers + sandbox items
+	items := m.list.Items()
+	if len(items) != 5 { // 2 headers + 3 sandboxes
+		t.Errorf("expected 5 items (2 headers + 3 sandboxes), got %d", len(items))
+	}
+
+	// Initial selection should skip the header
+	selected := m.list.SelectedItem()
+	if _, ok := selected.(headerItem); ok {
+		t.Error("initial selection should not be a headerItem")
+	}
+}
diff --git a/packages/forage-ctl/internal/tui/wizard.go b/packages/forage-ctl/internal/tui/wizard.go
new file mode 100644
index 0000000..ccb93b4
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/wizard.go
@@ -0,0 +1,655 @@
+package tui
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/charmbracelet/bubbles/list"
+	"github.com/charmbracelet/bubbles/textinput"
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/charmbracelet/lipgloss"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/config"
+)
+
+// wizardStep identifies the current step.
+type wizardStep int
+
+const (
+	stepPath wizardStep = iota
+	stepTemplate
+	stepName
+	stepAdvanced
+	stepConfirm
+)
+
+// advancedField identifies a field in the advanced step.
+type advancedField int
+
+const (
+	advDirect advancedField = iota
+	advNoMuxConfig
+	advGitUser
+	advGitEmail
+	advSSHKeyPath
+	advFieldCount
+)
+
+// wizardModel drives the multi-step creation wizard.
+type wizardModel struct {
+	step         wizardStep
+	templatesDir string
+
+	// Step 1: path
+	pathInput textinput.Model
+
+	// Step 2: template
+	templateList list.Model
+	templates    []string
+
+	// Step 3: name
+	nameInput textinput.Model
+
+	// Step 4: advanced
+	advCursor     advancedField
+	direct        bool
+	noMuxConfig   bool
+	gitUserInput  textinput.Model
+	gitEmailInput textinput.Model
+	sshKeyInput   textinput.Model
+
+	// Collected values
+	selectedPath     string
+	selectedTemplate string
+	selectedName     string
+
+	width  int
+	height int
+}
+
+// templateItem implements list.Item for template selection.
+type templateItem struct {
+	name        string
+	description string
+}
+
+func (t templateItem) Title() string       { return t.name }
+func (t templateItem) Description() string { return t.description }
+func (t templateItem) FilterValue() string { return t.name }
+
+// wizardStyles
+var (
+	wizardTitleStyle = lipgloss.NewStyle().
+				Bold(true).
+				Foreground(lipgloss.Color("39")).
+				MarginBottom(1)
+
+	wizardStepStyle = lipgloss.NewStyle().
+			Foreground(lipgloss.Color("241"))
+
+	wizardActiveStepStyle = lipgloss.NewStyle().
+				Bold(true).
+				Foreground(lipgloss.Color("39"))
+
+	wizardLabelStyle = lipgloss.NewStyle().
+				Bold(true).
+				MarginBottom(1)
+
+	wizardValueStyle = lipgloss.NewStyle().
+				Foreground(lipgloss.Color("39"))
+
+	wizardDimStyle = lipgloss.NewStyle().
+			Foreground(lipgloss.Color("241"))
+)
+
+func newWizardModel(templatesDir string) wizardModel {
+	pi := textinput.New()
+	pi.Placeholder = "/path/to/project"
+	pi.Focus()
+	pi.CharLimit = 256
+	pi.Width = 60
+	pi.ShowSuggestions = true
+
+	ni := textinput.New()
+	ni.Placeholder = "sandbox-name"
+	ni.CharLimit = 63
+	ni.Width = 40
+
+	gui := textinput.New()
+	gui.Placeholder = "Agent Name"
+	gui.CharLimit = 128
+	gui.Width = 50
+
+	gei := textinput.New()
+	gei.Placeholder = "agent@example.com"
+	gei.CharLimit = 128
+	gei.Width = 50
+
+	ski := textinput.New()
+	ski.Placeholder = "/path/to/ssh/key"
+	ski.CharLimit = 256
+	ski.Width = 60
+
+	return wizardModel{
+		step:          stepPath,
+		templatesDir:  templatesDir,
+		pathInput:     pi,
+		nameInput:     ni,
+		gitUserInput:  gui,
+		gitEmailInput: gei,
+		sshKeyInput:   ski,
+	}
+}
+
+func (w *wizardModel) Init() tea.Cmd {
+	return textinput.Blink
+}
+
+// Update processes a message and returns (done, createOptions, cmd).
+// done=true with non-nil opts means wizard completed successfully.
+// done=true with nil opts means wizard was cancelled.
+func (w *wizardModel) Update(msg tea.Msg) (bool, *CreateOptions, tea.Cmd) {
+	if keyMsg, ok := msg.(tea.KeyMsg); ok {
+		switch keyMsg.Type {
+		case tea.KeyCtrlC:
+			return true, nil, nil
+		case tea.KeyEsc:
+			return w.handleBack()
+		}
+	}
+
+	switch w.step {
+	case stepPath:
+		return w.updatePath(msg)
+	case stepTemplate:
+		return w.updateTemplate(msg)
+	case stepName:
+		return w.updateName(msg)
+	case stepAdvanced:
+		return w.updateAdvanced(msg)
+	case stepConfirm:
+		return w.updateConfirm(msg)
+	}
+
+	return false, nil, nil
+}
+
+func (w *wizardModel) handleBack() (bool, *CreateOptions, tea.Cmd) {
+	switch w.step {
+	case stepPath:
+		// Esc at first step cancels wizard
+		return true, nil, nil
+	case stepTemplate:
+		w.step = stepPath
+		w.pathInput.Focus()
+		return false, nil, textinput.Blink
+	case stepName:
+		w.step = stepTemplate
+		w.nameInput.Blur()
+		return false, nil, nil
+	case stepAdvanced:
+		w.step = stepName
+		w.nameInput.Focus()
+		return false, nil, textinput.Blink
+	case stepConfirm:
+		w.step = stepName
+		w.nameInput.Focus()
+		return false, nil, textinput.Blink
+	}
+	return false, nil, nil
+}
+
+func (w *wizardModel) updatePath(msg tea.Msg) (bool, *CreateOptions, tea.Cmd) {
+	if keyMsg, ok := msg.(tea.KeyMsg); ok && keyMsg.Type == tea.KeyEnter {
+		path := strings.TrimSpace(w.pathInput.Value())
+		if path == "" {
+			return false, nil, nil
+		}
+		w.selectedPath = path
+		w.step = stepTemplate
+		w.pathInput.Blur()
+		w.loadTemplates()
+		return false, nil, nil
+	}
+
+	var cmd tea.Cmd
+	w.pathInput, cmd = w.pathInput.Update(msg)
+
+	// Update path suggestions after each keystroke
+	w.updatePathSuggestions()
+
+	return false, nil, cmd
+}
+
+func (w *wizardModel) updateTemplate(msg tea.Msg) (bool, *CreateOptions, tea.Cmd) {
+	if keyMsg, ok := msg.(tea.KeyMsg); ok && keyMsg.Type == tea.KeyEnter {
+		if item, ok := w.templateList.SelectedItem().(templateItem); ok {
+			w.selectedTemplate = item.name
+			w.step = stepName
+			w.nameInput.Focus()
+			// Auto-suggest name
+			suggested := suggestName(w.selectedPath, w.selectedTemplate)
+			w.nameInput.SetValue(suggested)
+			return false, nil, textinput.Blink
+		}
+		return false, nil, nil
+	}
+
+	var cmd tea.Cmd
+	w.templateList, cmd = w.templateList.Update(msg)
+	return false, nil, cmd
+}
+
+func (w *wizardModel) updateName(msg tea.Msg) (bool, *CreateOptions, tea.Cmd) {
+	if keyMsg, ok := msg.(tea.KeyMsg); ok {
+		switch keyMsg.Type {
+		case tea.KeyEnter:
+			name := strings.TrimSpace(w.nameInput.Value())
+			if name == "" {
+				return false, nil, nil
+			}
+			if err := config.ValidateSandboxName(name); err != nil {
+				return false, nil, nil
+			}
+			w.selectedName = name
+			w.step = stepConfirm
+			w.nameInput.Blur()
+			return false, nil, nil
+		case tea.KeyCtrlA:
+			w.selectedName = strings.TrimSpace(w.nameInput.Value())
+			w.step = stepAdvanced
+			w.nameInput.Blur()
+			return false, nil, nil
+		}
+	}
+
+	var cmd tea.Cmd
+	w.nameInput, cmd = w.nameInput.Update(msg)
+	return false, nil, cmd
+}
+
+func (w *wizardModel) isTextInputField() bool {
+	return w.advCursor == advGitUser || w.advCursor == advGitEmail || w.advCursor == advSSHKeyPath
+}
+
+func (w *wizardModel) activeTextInput() *textinput.Model {
+	switch w.advCursor {
+	case advGitUser:
+		return &w.gitUserInput
+	case advGitEmail:
+		return &w.gitEmailInput
+	case advSSHKeyPath:
+		return &w.sshKeyInput
+	}
+	return nil
+}
+
+func (w *wizardModel) blurAllAdvTextInputs() {
+	w.gitUserInput.Blur()
+	w.gitEmailInput.Blur()
+	w.sshKeyInput.Blur()
+}
+
+func (w *wizardModel) focusCurrentTextField() tea.Cmd {
+	w.blurAllAdvTextInputs()
+	if ti := w.activeTextInput(); ti != nil {
+		ti.Focus()
+		return textinput.Blink
+	}
+	return nil
+}
+
+func (w *wizardModel) updateAdvanced(msg tea.Msg) (bool, *CreateOptions, tea.Cmd) {
+	// If we're on a text input field, forward keystrokes to it
+	if w.isTextInputField() {
+		if keyMsg, ok := msg.(tea.KeyMsg); ok {
+			switch keyMsg.Type {
+			case tea.KeyEnter:
+				w.blurAllAdvTextInputs()
+				w.step = stepConfirm
+				return false, nil, nil
+			case tea.KeyUp:
+				w.blurAllAdvTextInputs()
+				w.advCursor = (w.advCursor - 1 + advFieldCount) % advFieldCount
+				return false, nil, w.focusCurrentTextField()
+			case tea.KeyDown:
+				w.blurAllAdvTextInputs()
+				w.advCursor = (w.advCursor + 1) % advFieldCount
+				return false, nil, w.focusCurrentTextField()
+			case tea.KeyTab:
+				w.blurAllAdvTextInputs()
+				w.advCursor = (w.advCursor + 1) % advFieldCount
+				return false, nil, w.focusCurrentTextField()
+			}
+		}
+		// Forward to text input
+		if ti := w.activeTextInput(); ti != nil {
+			var cmd tea.Cmd
+			*ti, cmd = ti.Update(msg)
+			return false, nil, cmd
+		}
+	}
+
+	if keyMsg, ok := msg.(tea.KeyMsg); ok {
+		switch keyMsg.String() {
+		case "enter":
+			w.step = stepConfirm
+			return false, nil, nil
+		case "j", "down":
+			w.advCursor = (w.advCursor + 1) % advFieldCount
+			return false, nil, w.focusCurrentTextField()
+		case "k", "up":
+			w.advCursor = (w.advCursor - 1 + advFieldCount) % advFieldCount
+			return false, nil, w.focusCurrentTextField()
+		case "tab":
+			w.advCursor = (w.advCursor + 1) % advFieldCount
+			return false, nil, w.focusCurrentTextField()
+		case " ":
+			switch w.advCursor {
+			case advDirect:
+				w.direct = !w.direct
+			case advNoMuxConfig:
+				w.noMuxConfig = !w.noMuxConfig
+			}
+			return false, nil, nil
+		}
+	}
+	return false, nil, nil
+}
+
+func (w *wizardModel) updateConfirm(msg tea.Msg) (bool, *CreateOptions, tea.Cmd) {
+	if keyMsg, ok := msg.(tea.KeyMsg); ok {
+		switch keyMsg.String() {
+		case "enter", "y":
+			return true, &CreateOptions{
+				Name:        w.selectedName,
+				Template:    w.selectedTemplate,
+				RepoPath:    w.selectedPath,
+				Direct:      w.direct,
+				NoMuxConfig: w.noMuxConfig,
+				GitUser:     strings.TrimSpace(w.gitUserInput.Value()),
+				GitEmail:    strings.TrimSpace(w.gitEmailInput.Value()),
+				SSHKeyPath:  strings.TrimSpace(w.sshKeyInput.Value()),
+			}, nil
+		case "n":
+			// Restart wizard
+			w.step = stepPath
+			w.pathInput.SetValue("")
+			w.pathInput.Focus()
+			w.selectedPath = ""
+			w.selectedTemplate = ""
+			w.selectedName = ""
+			w.direct = false
+			w.noMuxConfig = false
+			w.gitUserInput.SetValue("")
+			w.gitEmailInput.SetValue("")
+			w.sshKeyInput.SetValue("")
+			return false, nil, textinput.Blink
+		}
+	}
+	return false, nil, nil
+}
+
+func (w *wizardModel) View() string {
+	var b strings.Builder
+
+	b.WriteString(wizardTitleStyle.Render("Create New Sandbox"))
+	b.WriteString("\n")
+	b.WriteString(w.progressBar())
+	b.WriteString("\n\n")
+
+	switch w.step {
+	case stepPath:
+		b.WriteString(wizardLabelStyle.Render("Project directory:"))
+		b.WriteString("\n")
+		b.WriteString(w.pathInput.View())
+		b.WriteString("\n\n")
+		b.WriteString(wizardDimStyle.Render("Enter the path to your project. Tab to complete."))
+	case stepTemplate:
+		b.WriteString(wizardLabelStyle.Render("Select template:"))
+		b.WriteString("\n")
+		b.WriteString(w.templateList.View())
+	case stepName:
+		b.WriteString(wizardLabelStyle.Render("Sandbox name:"))
+		b.WriteString("\n")
+		b.WriteString(w.nameInput.View())
+		b.WriteString("\n\n")
+		b.WriteString(wizardDimStyle.Render("Enter to confirm, Ctrl+A for advanced options."))
+	case stepAdvanced:
+		b.WriteString(wizardLabelStyle.Render("Advanced options:"))
+		b.WriteString("\n\n")
+		b.WriteString(w.renderToggle(advDirect, "Direct mount", "Skip VCS isolation, mount directory directly"))
+		b.WriteString("\n")
+		b.WriteString(w.renderToggle(advNoMuxConfig, "No mux config", "Don't mount host multiplexer config"))
+		b.WriteString("\n")
+		b.WriteString(w.renderTextInput(advGitUser, "Git user", "Git user.name for agent commits", &w.gitUserInput))
+		b.WriteString("\n")
+		b.WriteString(w.renderTextInput(advGitEmail, "Git email", "Git user.email for agent commits", &w.gitEmailInput))
+		b.WriteString("\n")
+		b.WriteString(w.renderTextInput(advSSHKeyPath, "SSH key path", "Host path to SSH private key for push access", &w.sshKeyInput))
+		b.WriteString("\n\n")
+		b.WriteString(wizardDimStyle.Render("Space/type to edit, Enter to continue, Esc to go back."))
+	case stepConfirm:
+		b.WriteString(wizardLabelStyle.Render("Confirm:"))
+		b.WriteString("\n\n")
+		fmt.Fprintf(&b, "  Path:     %s\n", wizardValueStyle.Render(w.selectedPath))
+		fmt.Fprintf(&b, "  Template: %s\n", wizardValueStyle.Render(w.selectedTemplate))
+		fmt.Fprintf(&b, "  Name:     %s\n", wizardValueStyle.Render(w.selectedName))
+		if w.direct {
+			fmt.Fprintf(&b, "  Direct:   %s\n", wizardValueStyle.Render("yes"))
+		}
+		if w.noMuxConfig {
+			fmt.Fprintf(&b, "  No mux:   %s\n", wizardValueStyle.Render("yes"))
+		}
+		if v := strings.TrimSpace(w.gitUserInput.Value()); v != "" {
+			fmt.Fprintf(&b, "  Git user: %s\n", wizardValueStyle.Render(v))
+		}
+		if v := strings.TrimSpace(w.gitEmailInput.Value()); v != "" {
+			fmt.Fprintf(&b, "  Git email:%s\n", wizardValueStyle.Render(v))
+		}
+		if v := strings.TrimSpace(w.sshKeyInput.Value()); v != "" {
+			fmt.Fprintf(&b, "  SSH key:  %s\n", wizardValueStyle.Render(v))
+		}
+		b.WriteString("\n")
+		b.WriteString(wizardDimStyle.Render("Enter to create, n to restart, Esc to go back."))
+	}
+
+	return b.String()
+}
+
+func (w *wizardModel) progressBar() string {
+	steps := []struct {
+		num  int
+		name string
+	}{
+		{1, "Path"},
+		{2, "Template"},
+		{3, "Name"},
+		{4, "Confirm"},
+	}
+
+	var parts []string
+	for _, s := range steps {
+		label := fmt.Sprintf("%d. %s", s.num, s.name)
+		currentStep := int(w.step) + 1
+		// Map stepAdvanced to stepName for progress display
+		if w.step == stepAdvanced {
+			currentStep = int(stepName) + 1
+		}
+		if s.num == currentStep {
+			parts = append(parts, wizardActiveStepStyle.Render(label))
+		} else {
+			parts = append(parts, wizardStepStyle.Render(label))
+		}
+	}
+
+	return strings.Join(parts, wizardDimStyle.Render(" > "))
+}
+
+func (w *wizardModel) renderToggle(field advancedField, name, desc string) string {
+	cursor := " "
+	if w.advCursor == field {
+		cursor = ">"
+	}
+
+	checked := " "
+	switch field {
+	case advDirect:
+		if w.direct {
+			checked = "x"
+		}
+	case advNoMuxConfig:
+		if w.noMuxConfig {
+			checked = "x"
+		}
+	}
+
+	line := fmt.Sprintf("  %s [%s] %s", cursor, checked, name)
+	if w.advCursor == field {
+		return selectedStyle.Render(line) + "\n" + wizardDimStyle.Render("      "+desc)
+	}
+	return line + "\n" + wizardDimStyle.Render("      "+desc)
+}
+
+func (w *wizardModel) renderTextInput(field advancedField, name, desc string, ti *textinput.Model) string {
+	cursor := " "
+	if w.advCursor == field {
+		cursor = ">"
+	}
+
+	val := strings.TrimSpace(ti.Value())
+	if w.advCursor == field {
+		// Show active text input
+		line := fmt.Sprintf("  %s %s: %s", cursor, name, ti.View())
+		return selectedStyle.Render(line) + "\n" + wizardDimStyle.Render("      "+desc)
+	}
+	if val == "" {
+		line := fmt.Sprintf("  %s %s: (not set)", cursor, name)
+		return line + "\n" + wizardDimStyle.Render("      "+desc)
+	}
+	line := fmt.Sprintf("  %s %s: %s", cursor, name, val)
+	return line + "\n" + wizardDimStyle.Render("      "+desc)
+}
+
+func (w *wizardModel) loadTemplates() {
+	w.templates = nil
+	var items []list.Item
+
+	if w.templatesDir != "" {
+		templates, err := config.ListTemplates(w.templatesDir)
+		if err == nil {
+			for _, t := range templates {
+				w.templates = append(w.templates, t.Name)
+				items = append(items, templateItem{name: t.Name, description: t.Description})
+			}
+		}
+	}
+
+	if len(items) == 0 {
+		// If no templates loaded, add a placeholder
+		items = append(items, templateItem{name: "default", description: "Default template"})
+		w.templates = append(w.templates, "default")
+	}
+
+	delegate := list.NewDefaultDelegate()
+	delegate.Styles.SelectedTitle = selectedStyle
+	delegate.Styles.SelectedDesc = lipgloss.NewStyle().Foreground(lipgloss.Color("245"))
+
+	l := list.New(items, delegate, 60, 10)
+	l.Title = ""
+	l.SetShowStatusBar(false)
+	l.SetFilteringEnabled(false)
+	l.SetShowHelp(false)
+	if w.width > 0 {
+		l.SetWidth(w.width - 4)
+	}
+	if w.height > 0 {
+		l.SetHeight(w.height - 10)
+	}
+
+	w.templateList = l
+}
+
+func (w *wizardModel) updatePathSuggestions() {
+	val := w.pathInput.Value()
+	if val == "" {
+		w.pathInput.SetSuggestions(nil)
+		return
+	}
+
+	// Expand ~ to home directory
+	expanded := val
+	if strings.HasPrefix(val, "~") {
+		if home, err := os.UserHomeDir(); err == nil {
+			expanded = home + val[1:]
+		}
+	}
+
+	dir := expanded
+	prefix := ""
+
+	info, err := os.Stat(expanded)
+	if err != nil || !info.IsDir() {
+		dir = filepath.Dir(expanded)
+		prefix = filepath.Base(expanded)
+	}
+
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		w.pathInput.SetSuggestions(nil)
+		return
+	}
+
+	var suggestions []string
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+		name := entry.Name()
+		if strings.HasPrefix(name, ".") {
+			continue
+		}
+		if prefix != "" && !strings.HasPrefix(strings.ToLower(name), strings.ToLower(prefix)) {
+			continue
+		}
+		full := filepath.Join(dir, name)
+		// Convert back to use ~ if original used ~
+		if strings.HasPrefix(val, "~") {
+			if home, err := os.UserHomeDir(); err == nil {
+				full = "~" + strings.TrimPrefix(full, home)
+			}
+		}
+		suggestions = append(suggestions, full)
+	}
+
+	w.pathInput.SetSuggestions(suggestions)
+}
+
+// sanitizeNameRegex matches characters not valid in sandbox names.
+var sanitizeNameRegex = regexp.MustCompile(`[^a-z0-9_-]`)
+
+// suggestName generates a sandbox name from path and template.
+func suggestName(path, template string) string {
+	base := filepath.Base(path)
+	base = strings.ToLower(base)
+	base = sanitizeNameRegex.ReplaceAllString(base, "-")
+	// Trim leading/trailing hyphens
+	base = strings.Trim(base, "-")
+
+	if base == "" {
+		base = "sandbox"
+	}
+
+	name := base + "-" + template
+	// Truncate to 63 chars
+	if len(name) > 63 {
+		name = name[:63]
+	}
+	// Trim trailing hyphens from truncation
+	name = strings.TrimRight(name, "-")
+
+	return name
+}
diff --git a/packages/forage-ctl/internal/tui/wizard_test.go b/packages/forage-ctl/internal/tui/wizard_test.go
new file mode 100644
index 0000000..ba2aff8
--- /dev/null
+++ b/packages/forage-ctl/internal/tui/wizard_test.go
@@ -0,0 +1,346 @@
+package tui
+
+import (
+	"strings"
+	"testing"
+
+	tea "github.com/charmbracelet/bubbletea"
+)
+
+func TestSuggestName(t *testing.T) {
+	tests := []struct {
+		path     string
+		template string
+		want     string
+	}{
+		{"/home/user/my-project", "claude", "my-project-claude"},
+		{"/home/user/MyProject", "aider", "myproject-aider"},
+		{"/tmp/test", "claude", "test-claude"},
+		{"/home/user/repo with spaces", "claude", "repo-with-spaces-claude"},
+		{"", "claude", "sandbox-claude"},
+		{"/", "claude", "sandbox-claude"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path+"/"+tt.template, func(t *testing.T) {
+			got := suggestName(tt.path, tt.template)
+			if got != tt.want {
+				t.Errorf("suggestName(%q, %q) = %q, want %q", tt.path, tt.template, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSuggestNameTruncation(t *testing.T) {
+	longPath := "/home/user/" + strings.Repeat("a", 60)
+	name := suggestName(longPath, "claude")
+	if len(name) > 63 {
+		t.Errorf("name length %d exceeds 63", len(name))
+	}
+}
+
+func TestWizardStepTransitions(t *testing.T) {
+	t.Run("path to template", func(t *testing.T) {
+		w := newWizardModel("")
+		if w.step != stepPath {
+			t.Fatalf("initial step = %v, want stepPath", w.step)
+		}
+
+		// Type a path
+		w.pathInput.SetValue("/tmp/test")
+
+		// Press enter to advance
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if done {
+			t.Error("should not be done after path step")
+		}
+		if opts != nil {
+			t.Error("opts should be nil")
+		}
+		if w.step != stepTemplate {
+			t.Errorf("step = %v, want stepTemplate", w.step)
+		}
+	})
+
+	t.Run("empty path rejected", func(t *testing.T) {
+		w := newWizardModel("")
+		w.pathInput.SetValue("")
+
+		done, _, _ := w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if done {
+			t.Error("should not be done")
+		}
+		if w.step != stepPath {
+			t.Error("should stay on stepPath with empty input")
+		}
+	})
+
+	t.Run("template to name", func(t *testing.T) {
+		w := newWizardModel("")
+		w.selectedPath = "/tmp/test"
+		w.step = stepTemplate
+		w.loadTemplates()
+
+		// Press enter to select template
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if done {
+			t.Error("should not be done")
+		}
+		if opts != nil {
+			t.Error("opts should be nil")
+		}
+		if w.step != stepName {
+			t.Errorf("step = %v, want stepName", w.step)
+		}
+		// Name should be auto-suggested
+		if w.nameInput.Value() == "" {
+			t.Error("name should be auto-suggested")
+		}
+	})
+
+	t.Run("name to confirm", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepName
+		w.selectedPath = "/tmp/test"
+		w.selectedTemplate = "claude"
+		w.nameInput.SetValue("test-claude")
+
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if done {
+			t.Error("should not be done")
+		}
+		if opts != nil {
+			t.Error("opts should be nil")
+		}
+		if w.step != stepConfirm {
+			t.Errorf("step = %v, want stepConfirm", w.step)
+		}
+	})
+
+	t.Run("name to advanced with ctrl+a", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepName
+		w.selectedPath = "/tmp/test"
+		w.selectedTemplate = "claude"
+		w.nameInput.SetValue("test-claude")
+
+		done, _, _ := w.Update(tea.KeyMsg{Type: tea.KeyCtrlA})
+		if done {
+			t.Error("should not be done")
+		}
+		if w.step != stepAdvanced {
+			t.Errorf("step = %v, want stepAdvanced", w.step)
+		}
+	})
+
+	t.Run("invalid name rejected", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepName
+		w.nameInput.SetValue("INVALID NAME")
+
+		w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if w.step != stepName {
+			t.Error("should stay on stepName with invalid name")
+		}
+	})
+}
+
+func TestWizardConfirm(t *testing.T) {
+	t.Run("enter confirms and produces CreateOptions", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepConfirm
+		w.selectedPath = "/home/user/project"
+		w.selectedTemplate = "claude"
+		w.selectedName = "project-claude"
+		w.direct = true
+		w.noMuxConfig = true
+
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if !done {
+			t.Error("should be done after confirm")
+		}
+		if opts == nil {
+			t.Fatal("opts should not be nil")
+		}
+		if opts.Name != "project-claude" {
+			t.Errorf("Name = %q, want %q", opts.Name, "project-claude")
+		}
+		if opts.Template != "claude" {
+			t.Errorf("Template = %q, want %q", opts.Template, "claude")
+		}
+		if opts.RepoPath != "/home/user/project" {
+			t.Errorf("RepoPath = %q, want %q", opts.RepoPath, "/home/user/project")
+		}
+		if !opts.Direct {
+			t.Error("Direct should be true")
+		}
+		if !opts.NoMuxConfig {
+			t.Error("NoMuxConfig should be true")
+		}
+	})
+
+	t.Run("n restarts wizard", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepConfirm
+		w.selectedPath = "/home/user/project"
+		w.selectedTemplate = "claude"
+		w.selectedName = "project-claude"
+
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'n'}})
+		if done {
+			t.Error("should not be done after restart")
+		}
+		if opts != nil {
+			t.Error("opts should be nil")
+		}
+		if w.step != stepPath {
+			t.Errorf("step = %v, want stepPath", w.step)
+		}
+		if w.selectedPath != "" {
+			t.Error("path should be cleared")
+		}
+	})
+}
+
+func TestWizardCancel(t *testing.T) {
+	t.Run("ctrl+c cancels", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepName
+
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyCtrlC})
+		if !done {
+			t.Error("should be done after cancel")
+		}
+		if opts != nil {
+			t.Error("opts should be nil (cancelled)")
+		}
+	})
+
+	t.Run("esc at first step cancels", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepPath
+
+		done, opts, _ := w.Update(tea.KeyMsg{Type: tea.KeyEsc})
+		if !done {
+			t.Error("should be done after esc at first step")
+		}
+		if opts != nil {
+			t.Error("opts should be nil (cancelled)")
+		}
+	})
+
+	t.Run("esc at later step goes back", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepName
+		w.selectedPath = "/tmp/test"
+		w.selectedTemplate = "claude"
+
+		done, _, _ := w.Update(tea.KeyMsg{Type: tea.KeyEsc})
+		if done {
+			t.Error("should not be done")
+		}
+		if w.step != stepTemplate {
+			t.Errorf("step = %v, want stepTemplate", w.step)
+		}
+	})
+}
+
+func TestWizardAdvanced(t *testing.T) {
+	t.Run("toggle direct", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepAdvanced
+		w.advCursor = advDirect
+
+		if w.direct {
+			t.Error("direct should start false")
+		}
+
+		// Space toggles
+		w.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{' '}})
+		if !w.direct {
+			t.Error("direct should be true after toggle")
+		}
+
+		w.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{' '}})
+		if w.direct {
+			t.Error("direct should be false after second toggle")
+		}
+	})
+
+	t.Run("toggle noMuxConfig", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepAdvanced
+		w.advCursor = advNoMuxConfig
+
+		w.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{' '}})
+		if !w.noMuxConfig {
+			t.Error("noMuxConfig should be true after toggle")
+		}
+	})
+
+	t.Run("navigation", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepAdvanced
+		w.advCursor = advDirect
+
+		// Move down
+		w.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'j'}})
+		if w.advCursor != advNoMuxConfig {
+			t.Errorf("cursor = %v, want advNoMuxConfig", w.advCursor)
+		}
+
+		// Move up
+		w.Update(tea.KeyMsg{Type: tea.KeyRunes, Runes: []rune{'k'}})
+		if w.advCursor != advDirect {
+			t.Errorf("cursor = %v, want advDirect", w.advCursor)
+		}
+	})
+
+	t.Run("enter advances to confirm", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepAdvanced
+
+		done, _, _ := w.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		if done {
+			t.Error("should not be done")
+		}
+		if w.step != stepConfirm {
+			t.Errorf("step = %v, want stepConfirm", w.step)
+		}
+	})
+}
+
+func TestWizardView(t *testing.T) {
+	t.Run("path step shows input", func(t *testing.T) {
+		w := newWizardModel("")
+		view := w.View()
+		if !strings.Contains(view, "Create New Sandbox") {
+			t.Error("should contain title")
+		}
+		if !strings.Contains(view, "Project directory") {
+			t.Error("should contain path label")
+		}
+		if !strings.Contains(view, "1. Path") {
+			t.Error("should contain progress bar")
+		}
+	})
+
+	t.Run("confirm step shows values", func(t *testing.T) {
+		w := newWizardModel("")
+		w.step = stepConfirm
+		w.selectedPath = "/home/user/project"
+		w.selectedTemplate = "claude"
+		w.selectedName = "project-claude"
+
+		view := w.View()
+		if !strings.Contains(view, "/home/user/project") {
+			t.Error("should show path")
+		}
+		if !strings.Contains(view, "claude") {
+			t.Error("should show template")
+		}
+		if !strings.Contains(view, "project-claude") {
+			t.Error("should show name")
+		}
+	})
+}
diff --git a/packages/forage-ctl/internal/workspace/doc.go b/packages/forage-ctl/internal/workspace/doc.go
new file mode 100644
index 0000000..c9a8c86
--- /dev/null
+++ b/packages/forage-ctl/internal/workspace/doc.go
@@ -0,0 +1,40 @@
+// Package workspace provides a common interface for VCS workspace backends.
+//
+// This package abstracts the creation and management of isolated working
+// directories backed by different version control systems.
+//
+// # Backend Interface
+//
+// The Backend interface defines operations for workspace management:
+//
+//	type Backend interface {
+//	    Name() string                                    // "jj" or "git-worktree"
+//	    IsRepo(path string) bool                         // Check for valid repo
+//	    Exists(repoPath, name string) bool               // Check workspace exists
+//	    Create(repoPath, name, workspacePath string) error
+//	    Remove(repoPath, name, workspacePath string) error
+//	}
+//
+// # JJ Backend
+//
+// JJBackend creates isolated jj workspaces:
+//
+//	backend := &workspace.JJBackend{}
+//	backend.Create("/path/to/repo", "sandbox-1", "/var/lib/forage/workspaces/sandbox-1")
+//	// Creates: jj workspace add --name sandbox-1 /var/lib/forage/workspaces/sandbox-1
+//
+// # Git Backend
+//
+// GitBackend creates isolated git worktrees with dedicated branches:
+//
+//	backend := &workspace.GitBackend{}
+//	backend.Create("/path/to/repo", "sandbox-1", "/var/lib/forage/workspaces/sandbox-1")
+//	// Creates: git worktree add /var/lib/forage/workspaces/sandbox-1 -b forage/sandbox-1
+//
+// # Workspace Modes
+//
+// Sandboxes use one of three workspace modes:
+//   - direct: Bind-mount an existing directory (no backend)
+//   - jj: Create an isolated jj workspace (JJBackend)
+//   - git-worktree: Create an isolated git worktree (GitBackend)
+package workspace
diff --git a/packages/forage-ctl/internal/workspace/git.go b/packages/forage-ctl/internal/workspace/git.go
new file mode 100644
index 0000000..7533bee
--- /dev/null
+++ b/packages/forage-ctl/internal/workspace/git.go
@@ -0,0 +1,271 @@
+package workspace
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+const gitBranchPrefix = "forage-"
+
+// GitBackend implements Backend for git repositories using worktrees
+type GitBackend struct{}
+
+// Git returns a new Git worktree workspace backend
+func Git() Backend {
+	return &GitBackend{}
+}
+
+func (b *GitBackend) Name() string {
+	return "git-worktree"
+}
+
+func (b *GitBackend) IsRepo(path string) bool {
+	gitPath := filepath.Join(path, ".git")
+	info, err := os.Stat(gitPath)
+	if err != nil {
+		return false
+	}
+	// .git can be a directory (normal repo) or a file (worktree)
+	return info.IsDir() || info.Mode().IsRegular()
+}
+
+func (b *GitBackend) Exists(repoPath, name string) bool {
+	// Check if a worktree with this name's branch already exists
+	branchName := gitBranchPrefix + name
+	return b.branchExists(repoPath, branchName)
+}
+
+func (b *GitBackend) Create(repoPath, name, workspacePath string) error {
+	if err := ValidateName(name); err != nil {
+		return fmt.Errorf("invalid workspace name: %w", err)
+	}
+	branchName := gitBranchPrefix + name
+
+	// Get the current HEAD to base the new branch on
+	cmd := exec.Command("git", "-C", repoPath, "rev-parse", "HEAD")
+	headOutput, err := cmd.Output()
+	if err != nil {
+		return fmt.Errorf("failed to get HEAD: %w", err)
+	}
+	head := strings.TrimSpace(string(headOutput))
+
+	// Check if branch already exists
+	if b.branchExists(repoPath, branchName) {
+		// Use existing branch
+		cmd = exec.Command("git", "-C", repoPath, "worktree", "add", workspacePath, branchName)
+	} else {
+		// Create new branch from HEAD
+		cmd = exec.Command("git", "-C", repoPath, "worktree", "add", "-b", branchName, workspacePath, head)
+	}
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to create git worktree: %s: %w", string(output), err)
+	}
+	return nil
+}
+
+func (b *GitBackend) Remove(repoPath, name, workspacePath string) error {
+	if err := ValidateName(name); err != nil {
+		return fmt.Errorf("invalid workspace name: %w", err)
+	}
+	branchName := gitBranchPrefix + name
+
+	// Remove the worktree
+	if workspacePath != "" {
+		if err := b.removeWorktree(repoPath, workspacePath); err != nil {
+			return fmt.Errorf("failed to remove worktree: %w", err)
+		}
+	}
+
+	// Delete the branch
+	if err := b.deleteBranch(repoPath, branchName); err != nil {
+		// Branch deletion failure is not fatal - worktree is already gone
+		// The branch might have been merged or deleted manually
+	}
+
+	return nil
+}
+
+// BranchName returns the git branch name for a workspace
+func (b *GitBackend) BranchName(name string) string {
+	return gitBranchPrefix + name
+}
+
+func (b *GitBackend) branchExists(repoPath, branchName string) bool {
+	cmd := exec.Command("git", "-C", repoPath, "show-ref", "--verify", "--quiet", "refs/heads/"+branchName)
+	return cmd.Run() == nil
+}
+
+func (b *GitBackend) removeWorktree(repoPath, worktreePath string) error {
+	// First try normal remove
+	cmd := exec.Command("git", "-C", repoPath, "worktree", "remove", worktreePath)
+	if err := cmd.Run(); err != nil {
+		// Try force remove
+		cmd = exec.Command("git", "-C", repoPath, "worktree", "remove", "--force", worktreePath)
+		if output, err := cmd.CombinedOutput(); err != nil {
+			return fmt.Errorf("%s: %w", string(output), err)
+		}
+	}
+	return nil
+}
+
+func (b *GitBackend) deleteBranch(repoPath, branchName string) error {
+	// First try safe delete
+	cmd := exec.Command("git", "-C", repoPath, "branch", "-d", branchName)
+	if err := cmd.Run(); err != nil {
+		// Try force delete
+		cmd = exec.Command("git", "-C", repoPath, "branch", "-D", branchName)
+		if output, err := cmd.CombinedOutput(); err != nil {
+			return fmt.Errorf("%s: %w", string(output), err)
+		}
+	}
+	return nil
+}
+
+// WorktreeExists checks if a worktree exists at the given path
+func WorktreeExists(repoPath, worktreePath string) bool {
+	cmd := exec.Command("git", "-C", repoPath, "worktree", "list", "--porcelain")
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+
+	absPath, _ := filepath.Abs(worktreePath)
+	for _, line := range strings.Split(string(output), "\n") {
+		if strings.HasPrefix(line, "worktree ") {
+			path := strings.TrimPrefix(line, "worktree ")
+			if path == absPath {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// ContributeMounts returns the source repo's .git directory mount.
+// ContributePackages returns the packages needed for git-worktree inside the container.
+func (b *GitBackend) ContributePackages(ctx context.Context) ([]injection.Package, error) {
+	return []injection.Package{{Name: "git"}}, nil
+}
+
+// ContributeMounts returns mounts for git-worktree workspace mode.
+// Git worktrees contain a .git file that references the main repo's
+// .git/worktrees/<name> directory. On runtimes where the host filesystem
+// isn't shared (e.g., OCI containers), we need to mount the .git directory
+// so the worktree can resolve its git metadata.
+func (b *GitBackend) ContributeMounts(ctx context.Context, req *injection.MountRequest) ([]injection.Mount, error) {
+	if req.SourceRepo == "" {
+		return nil, nil
+	}
+
+	gitPath := filepath.Join(req.SourceRepo, ".git")
+	if _, err := os.Stat(gitPath); err != nil {
+		return nil, nil
+	}
+
+	return []injection.Mount{{
+		HostPath:      gitPath,
+		ContainerPath: gitPath,
+		ReadOnly:      req.ReadOnlyWorkspace,
+	}}, nil
+}
+
+// ContributePromptFragments returns git worktree-specific VCS instructions.
+func (b *GitBackend) ContributePromptFragments(ctx context.Context) ([]injection.PromptFragment, error) {
+	return []injection.PromptFragment{{
+		Section:  injection.PromptSectionVCS,
+		Priority: 10,
+		Content:  gitWorktreePromptInstructions,
+	}}, nil
+}
+
+const gitWorktreePromptInstructions = `This workspace is a git worktree with its own working directory and branch.
+Use standard git commands for VCS operations:
+- git status: Show working tree status
+- git diff: Show changes
+- git add -p: Stage changes interactively
+- git commit -m "message": Create commit on this branch
+- git push -u origin <branch>: Push branch
+
+This is an isolated git worktree - commits on this branch don't affect other worktrees.
+When done, merge your branch or create a pull request.`
+
+// Snapshot creates a git tag at the current HEAD of the worktree.
+func (b *GitBackend) Snapshot(repoPath, name, snapshotName string) error {
+	if err := ValidateName(snapshotName); err != nil {
+		return fmt.Errorf("invalid snapshot name: %w", err)
+	}
+	tagName := snapshotPrefix + name + "-" + snapshotName
+	// Tag the current HEAD in the main repo, referencing the worktree branch
+	branchName := gitBranchPrefix + name
+	cmd := exec.Command("git", "-C", repoPath, "tag", tagName, branchName)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to create snapshot tag: %s: %w", string(output), err)
+	}
+	return nil
+}
+
+// RestoreSnapshot checks out a previously tagged snapshot in the worktree.
+func (b *GitBackend) RestoreSnapshot(repoPath, name, snapshotName string) error {
+	if err := ValidateName(snapshotName); err != nil {
+		return fmt.Errorf("invalid snapshot name: %w", err)
+	}
+	tagName := snapshotPrefix + name + "-" + snapshotName
+	branchName := gitBranchPrefix + name
+	// Reset the worktree branch to the tagged commit
+	cmd := exec.Command("git", "-C", repoPath, "update-ref", "refs/heads/"+branchName, tagName)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to restore snapshot: %s: %w", string(output), err)
+	}
+	return nil
+}
+
+// ListSnapshots returns all forage snapshots for a workspace.
+func (b *GitBackend) ListSnapshots(repoPath, name string) ([]SnapshotInfo, error) {
+	prefix := snapshotPrefix + name + "-"
+	cmd := exec.Command("git", "-C", repoPath, "tag", "-l", prefix+"*")
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("failed to list tags: %w", err)
+	}
+
+	var snapshots []SnapshotInfo
+	for _, line := range strings.Split(string(output), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		snapName := strings.TrimPrefix(line, prefix)
+
+		// Get the commit hash for the tag
+		hashCmd := exec.Command("git", "-C", repoPath, "rev-parse", "--short", line)
+		hashOutput, err := hashCmd.Output()
+		var changeID string
+		if err == nil {
+			changeID = strings.TrimSpace(string(hashOutput))
+		}
+
+		snapshots = append(snapshots, SnapshotInfo{
+			Name:     snapName,
+			ChangeID: changeID,
+		})
+	}
+	return snapshots, nil
+}
+
+// Ensure GitBackend implements contribution interfaces
+var (
+	_ injection.PackageContributor = (*GitBackend)(nil)
+	_ injection.MountContributor   = (*GitBackend)(nil)
+	_ injection.PromptContributor  = (*GitBackend)(nil)
+	_ Snapshotter                  = (*GitBackend)(nil)
+)
diff --git a/packages/forage-ctl/internal/workspace/jj.go b/packages/forage-ctl/internal/workspace/jj.go
new file mode 100644
index 0000000..cc63b6d
--- /dev/null
+++ b/packages/forage-ctl/internal/workspace/jj.go
@@ -0,0 +1,223 @@
+package workspace
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/injection"
+)
+
+// JJBackend implements Backend for jj (Jujutsu) repositories
+type JJBackend struct{}
+
+// JJ returns a new JJ workspace backend
+func JJ() Backend {
+	return &JJBackend{}
+}
+
+func (b *JJBackend) Name() string {
+	return "jj"
+}
+
+func (b *JJBackend) IsRepo(path string) bool {
+	jjPath := filepath.Join(path, ".jj", "repo")
+	info, err := os.Stat(jjPath)
+	return err == nil && info.IsDir()
+}
+
+func (b *JJBackend) Exists(repoPath, name string) bool {
+	cmd := exec.Command("jj", "workspace", "list", "-R", repoPath)
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+
+	for _, line := range strings.Split(string(output), "\n") {
+		parts := strings.SplitN(line, ":", 2)
+		if len(parts) > 0 && strings.TrimSpace(parts[0]) == name {
+			return true
+		}
+	}
+	return false
+}
+
+func (b *JJBackend) Create(repoPath, name, workspacePath string) error {
+	if err := ValidateName(name); err != nil {
+		return fmt.Errorf("invalid workspace name: %w", err)
+	}
+	cmd := exec.Command("jj", "workspace", "add", "-R", repoPath, "--name", name, workspacePath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to create jj workspace: %s: %w", string(output), err)
+	}
+	return nil
+}
+
+func (b *JJBackend) Remove(repoPath, name, workspacePath string) error {
+	if err := ValidateName(name); err != nil {
+		return fmt.Errorf("invalid workspace name: %w", err)
+	}
+	// Forget the workspace in jj
+	cmd := exec.Command("jj", "workspace", "forget", name, "-R", repoPath)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to forget jj workspace: %w", err)
+	}
+
+	// Remove the workspace directory
+	if workspacePath != "" {
+		if err := os.RemoveAll(workspacePath); err != nil {
+			return fmt.Errorf("failed to remove workspace directory: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// ContributePackages returns the packages needed for jj inside the container.
+// The nixpkgs package is "jujutsu" (not "jj", which is an unrelated JSON tool).
+func (b *JJBackend) ContributePackages(ctx context.Context) ([]injection.Package, error) {
+	return []injection.Package{{Name: "jujutsu"}}, nil
+}
+
+// ContributeMounts returns mounts for jj workspace mode.
+// Mounts both .jj and .git directories since jj uses git as its storage backend.
+func (b *JJBackend) ContributeMounts(ctx context.Context, req *injection.MountRequest) ([]injection.Mount, error) {
+	if req.SourceRepo == "" {
+		return nil, nil
+	}
+
+	jjPath := filepath.Join(req.SourceRepo, ".jj")
+	if _, err := os.Stat(jjPath); err != nil {
+		return nil, nil
+	}
+
+	mounts := []injection.Mount{{
+		HostPath:      jjPath,
+		ContainerPath: jjPath,
+		ReadOnly:      req.ReadOnlyWorkspace,
+	}}
+
+	// jj uses git as its storage backend, so .git must also be mounted
+	gitPath := filepath.Join(req.SourceRepo, ".git")
+	if _, err := os.Stat(gitPath); err == nil {
+		mounts = append(mounts, injection.Mount{
+			HostPath:      gitPath,
+			ContainerPath: gitPath,
+			ReadOnly:      req.ReadOnlyWorkspace,
+		})
+	}
+
+	return mounts, nil
+}
+
+// ContributeEnvVars sets GIT_DIR so the git CLI can find the repository
+// inside containers. jj mounts .git at the host absolute path, but the
+// container workspace is at a different location, so git can't discover
+// the repo by walking up from the working directory.
+func (b *JJBackend) ContributeEnvVars(ctx context.Context, req *injection.EnvVarRequest) ([]injection.EnvVar, error) {
+	if req.SourceRepo == "" {
+		return nil, nil
+	}
+	gitDir := filepath.Join(req.SourceRepo, ".git")
+	if _, err := os.Stat(gitDir); err != nil {
+		return nil, nil
+	}
+	// Value is a Nix expression (double-quoted string); the OCI path strips the quotes.
+	return []injection.EnvVar{{Name: "GIT_DIR", Value: `"` + gitDir + `"`}}, nil
+}
+
+// ContributePromptFragments returns jj-specific VCS instructions.
+func (b *JJBackend) ContributePromptFragments(ctx context.Context) ([]injection.PromptFragment, error) {
+	return []injection.PromptFragment{{
+		Section:  injection.PromptSectionVCS,
+		Priority: 10,
+		Content:  jjPromptInstructions,
+	}}, nil
+}
+
+const jjPromptInstructions = `This workspace uses jj (Jujutsu) for version control. Use jj commands for all VCS operations:
+- jj status: Show working copy status
+- jj diff: Show changes
+- jj new: Create new change
+- jj describe -m "message": Set commit message
+- jj bookmark set <name>: Update bookmark
+
+This is an isolated jj workspace - changes don't affect other workspaces.`
+
+// Snapshot creates a named jj bookmark at the current workspace revision.
+func (b *JJBackend) Snapshot(repoPath, name, snapshotName string) error {
+	if err := ValidateName(snapshotName); err != nil {
+		return fmt.Errorf("invalid snapshot name: %w", err)
+	}
+	bookmarkName := snapshotPrefix + name + "-" + snapshotName
+	cmd := exec.Command("jj", "bookmark", "create", bookmarkName, "-r", "@", "-R", repoPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to create snapshot bookmark: %s: %w", string(output), err)
+	}
+	return nil
+}
+
+// RestoreSnapshot moves the workspace to a previously bookmarked snapshot.
+func (b *JJBackend) RestoreSnapshot(repoPath, name, snapshotName string) error {
+	if err := ValidateName(snapshotName); err != nil {
+		return fmt.Errorf("invalid snapshot name: %w", err)
+	}
+	bookmarkName := snapshotPrefix + name + "-" + snapshotName
+	cmd := exec.Command("jj", "edit", bookmarkName, "-R", repoPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to restore snapshot: %s: %w", string(output), err)
+	}
+	return nil
+}
+
+// ListSnapshots returns all forage snapshots for a workspace.
+func (b *JJBackend) ListSnapshots(repoPath, name string) ([]SnapshotInfo, error) {
+	prefix := snapshotPrefix + name + "-"
+	cmd := exec.Command("jj", "bookmark", "list", "-R", repoPath)
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("failed to list bookmarks: %w", err)
+	}
+
+	var snapshots []SnapshotInfo
+	for _, line := range strings.Split(string(output), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		// jj bookmark list output format: "bookmarkname: changeID commitID"
+		parts := strings.SplitN(line, ":", 2)
+		if len(parts) < 1 {
+			continue
+		}
+		bname := strings.TrimSpace(parts[0])
+		if !strings.HasPrefix(bname, prefix) {
+			continue
+		}
+		snapName := strings.TrimPrefix(bname, prefix)
+		var changeID string
+		if len(parts) > 1 {
+			changeID = strings.TrimSpace(parts[1])
+		}
+		snapshots = append(snapshots, SnapshotInfo{
+			Name:     snapName,
+			ChangeID: changeID,
+		})
+	}
+	return snapshots, nil
+}
+
+// Ensure JJBackend implements contribution interfaces
+var (
+	_ injection.PackageContributor = (*JJBackend)(nil)
+	_ injection.MountContributor   = (*JJBackend)(nil)
+	_ injection.EnvVarContributor  = (*JJBackend)(nil)
+	_ injection.PromptContributor  = (*JJBackend)(nil)
+	_ Snapshotter                  = (*JJBackend)(nil)
+)
diff --git a/packages/forage-ctl/internal/workspace/workspace.go b/packages/forage-ctl/internal/workspace/workspace.go
new file mode 100644
index 0000000..ff90c35
--- /dev/null
+++ b/packages/forage-ctl/internal/workspace/workspace.go
@@ -0,0 +1,107 @@
+// Package workspace provides a common interface for VCS workspace backends
+package workspace
+
+import (
+	"fmt"
+	"regexp"
+)
+
+// Backend provides isolated working directories for a version control system
+type Backend interface {
+	// Name returns the backend name (e.g., "jj", "git-worktree")
+	Name() string
+
+	// IsRepo checks if path is a valid repository for this backend
+	IsRepo(path string) bool
+
+	// Exists checks if a workspace with this name already exists
+	Exists(repoPath, name string) bool
+
+	// Create creates an isolated workspace at workspacePath
+	// For git, this creates a branch named after the workspace
+	// For jj, this creates a named workspace
+	Create(repoPath, name, workspacePath string) error
+
+	// Remove cleans up the workspace and any associated resources
+	// For git, this removes the worktree and deletes the branch
+	// For jj, this forgets the workspace
+	Remove(repoPath, name, workspacePath string) error
+}
+
+// DetectBackend returns the appropriate workspace backend for the given path,
+// or nil if no backend recognizes it as a repository.
+// Checks jj first (since jj repos also contain .git).
+func DetectBackend(path string) Backend {
+	jj := &JJBackend{}
+	if jj.IsRepo(path) {
+		return jj
+	}
+	git := &GitBackend{}
+	if git.IsRepo(path) {
+		return git
+	}
+	return nil
+}
+
+// validName matches safe workspace/branch names: alphanumeric, hyphens, underscores, dots.
+var validName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._-]*$`)
+
+// ValidateName checks that a workspace name is safe for use in branch names,
+// directory paths, and shell commands. This is a defense-in-depth check at the
+// backend interface boundary.
+func ValidateName(name string) error {
+	if name == "" {
+		return fmt.Errorf("workspace name must not be empty")
+	}
+	if len(name) > 128 {
+		return fmt.Errorf("workspace name too long (max 128 characters)")
+	}
+	if !validName.MatchString(name) {
+		return fmt.Errorf("workspace name %q contains invalid characters (allowed: alphanumeric, hyphens, underscores, dots)", name)
+	}
+	return nil
+}
+
+// Snapshotter is an optional interface for backends that support
+// creating and restoring VCS-level snapshots of workspace state.
+type Snapshotter interface {
+	// Snapshot creates a named snapshot of the current workspace state.
+	Snapshot(repoPath, name, snapshotName string) error
+
+	// RestoreSnapshot restores a workspace to a previously saved snapshot.
+	RestoreSnapshot(repoPath, name, snapshotName string) error
+
+	// ListSnapshots returns all snapshots for a workspace.
+	ListSnapshots(repoPath, name string) ([]SnapshotInfo, error)
+}
+
+// SnapshotInfo describes a single snapshot.
+type SnapshotInfo struct {
+	Name     string
+	ChangeID string // jj change ID or git commit hash
+}
+
+// snapshotPrefix is the naming prefix for snapshot bookmarks/tags.
+const snapshotPrefix = "forage-snap-"
+
+// BackendForMode returns the workspace backend for a given mode string.
+// Returns nil for "direct" or unrecognized modes.
+func BackendForMode(mode string) Backend {
+	switch mode {
+	case "jj":
+		return JJ()
+	case "git-worktree":
+		return Git()
+	default:
+		return nil
+	}
+}
+
+// WorkspaceInfo contains information about a created workspace
+type WorkspaceInfo struct {
+	// Path is the filesystem path to the workspace
+	Path string
+
+	// Branch is the git branch name (git-worktree only)
+	Branch string
+}
diff --git a/packages/forage-ctl/internal/workspace/workspace_test.go b/packages/forage-ctl/internal/workspace/workspace_test.go
new file mode 100644
index 0000000..3528e33
--- /dev/null
+++ b/packages/forage-ctl/internal/workspace/workspace_test.go
@@ -0,0 +1,361 @@
+package workspace
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+)
+
+// requireGit skips the test if git is not available
+func requireGit(t *testing.T) {
+	t.Helper()
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("git not found in PATH, skipping test")
+	}
+}
+
+// requireJJ skips the test if jj is not available
+func requireJJ(t *testing.T) {
+	t.Helper()
+	if _, err := exec.LookPath("jj"); err != nil {
+		t.Skip("jj not found in PATH, skipping test")
+	}
+}
+
+func setupGitRepo(t *testing.T) string {
+	t.Helper()
+	requireGit(t)
+	tmpDir := t.TempDir()
+
+	// Initialize git repo
+	cmd := exec.Command("git", "init", tmpDir)
+	if output, err := cmd.CombinedOutput(); err != nil {
+		t.Fatalf("failed to init git repo: %s: %v", output, err)
+	}
+
+	// Configure git user for commits
+	exec.Command("git", "-C", tmpDir, "config", "user.email", "test@test.com").Run()
+	exec.Command("git", "-C", tmpDir, "config", "user.name", "Test User").Run()
+
+	// Create an initial commit
+	testFile := filepath.Join(tmpDir, "README.md")
+	if err := os.WriteFile(testFile, []byte("# Test\n"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	exec.Command("git", "-C", tmpDir, "add", ".").Run()
+	cmd = exec.Command("git", "-C", tmpDir, "commit", "-m", "Initial commit")
+	if output, err := cmd.CombinedOutput(); err != nil {
+		t.Fatalf("failed to create initial commit: %s: %v", output, err)
+	}
+
+	return tmpDir
+}
+
+func setupJJRepo(t *testing.T) string {
+	t.Helper()
+	requireJJ(t)
+	tmpDir := t.TempDir()
+
+	// Initialize jj repo
+	cmd := exec.Command("jj", "git", "init", tmpDir)
+	if output, err := cmd.CombinedOutput(); err != nil {
+		t.Fatalf("failed to init jj repo: %s: %v", output, err)
+	}
+
+	return tmpDir
+}
+
+func TestGitBackend_Interface(t *testing.T) {
+	// Verify GitBackend implements Backend
+	var _ Backend = &GitBackend{}
+	var _ = Git()
+}
+
+func TestJJBackend_Interface(t *testing.T) {
+	// Verify JJBackend implements Backend
+	var _ Backend = &JJBackend{}
+	var _ = JJ()
+}
+
+func TestGitBackend_Name(t *testing.T) {
+	b := Git()
+	if b.Name() != "git-worktree" {
+		t.Errorf("expected 'git-worktree', got %q", b.Name())
+	}
+}
+
+func TestJJBackend_Name(t *testing.T) {
+	b := JJ()
+	if b.Name() != "jj" {
+		t.Errorf("expected 'jj', got %q", b.Name())
+	}
+}
+
+func TestGitBackend_IsRepo(t *testing.T) {
+	repoPath := setupGitRepo(t)
+	b := Git()
+
+	if !b.IsRepo(repoPath) {
+		t.Error("IsRepo should return true for git repo")
+	}
+
+	nonRepoPath := t.TempDir()
+	if b.IsRepo(nonRepoPath) {
+		t.Error("IsRepo should return false for non-repo")
+	}
+}
+
+func TestJJBackend_IsRepo(t *testing.T) {
+	repoPath := setupJJRepo(t)
+	b := JJ()
+
+	if !b.IsRepo(repoPath) {
+		t.Error("IsRepo should return true for jj repo")
+	}
+
+	nonRepoPath := t.TempDir()
+	if b.IsRepo(nonRepoPath) {
+		t.Error("IsRepo should return false for non-repo")
+	}
+}
+
+func TestGitBackend_CreateAndRemove(t *testing.T) {
+	repoPath := setupGitRepo(t)
+	b := Git()
+
+	workspacePath := filepath.Join(t.TempDir(), "workspace")
+	name := "test-workspace"
+
+	// Should not exist yet
+	if b.Exists(repoPath, name) {
+		t.Error("workspace should not exist before creation")
+	}
+
+	// Create workspace
+	if err := b.Create(repoPath, name, workspacePath); err != nil {
+		t.Fatalf("Create failed: %v", err)
+	}
+
+	// Should exist now
+	if !b.Exists(repoPath, name) {
+		t.Error("workspace should exist after creation")
+	}
+
+	// Verify files exist
+	if _, err := os.Stat(filepath.Join(workspacePath, "README.md")); err != nil {
+		t.Error("workspace should contain repo files")
+	}
+
+	// Remove workspace
+	if err := b.Remove(repoPath, name, workspacePath); err != nil {
+		t.Fatalf("Remove failed: %v", err)
+	}
+
+	// Should not exist after removal
+	if b.Exists(repoPath, name) {
+		t.Error("workspace should not exist after removal")
+	}
+}
+
+func TestJJBackend_CreateAndRemove(t *testing.T) {
+	repoPath := setupJJRepo(t)
+	b := JJ()
+
+	workspacePath := filepath.Join(t.TempDir(), "workspace")
+	name := "test-workspace"
+
+	// Should not exist yet
+	if b.Exists(repoPath, name) {
+		t.Error("workspace should not exist before creation")
+	}
+
+	// Create workspace
+	if err := b.Create(repoPath, name, workspacePath); err != nil {
+		t.Fatalf("Create failed: %v", err)
+	}
+
+	// Should exist now
+	if b.Exists(repoPath, name) {
+		// JJ workspace exists
+	}
+
+	// Remove workspace
+	if err := b.Remove(repoPath, name, workspacePath); err != nil {
+		t.Fatalf("Remove failed: %v", err)
+	}
+
+	// Should not exist after removal
+	if b.Exists(repoPath, name) {
+		t.Error("workspace should not exist after removal")
+	}
+}
+
+func TestDetectBackend_JJ(t *testing.T) {
+	repoPath := setupJJRepo(t)
+
+	backend := DetectBackend(repoPath)
+	if backend == nil {
+		t.Fatal("DetectBackend should return non-nil for jj repo")
+	}
+	if backend.Name() != "jj" {
+		t.Errorf("DetectBackend returned %q, want %q", backend.Name(), "jj")
+	}
+}
+
+func TestDetectBackend_Git(t *testing.T) {
+	repoPath := setupGitRepo(t)
+
+	backend := DetectBackend(repoPath)
+	if backend == nil {
+		t.Fatal("DetectBackend should return non-nil for git repo")
+	}
+	if backend.Name() != "git-worktree" {
+		t.Errorf("DetectBackend returned %q, want %q", backend.Name(), "git-worktree")
+	}
+}
+
+func TestDetectBackend_NonRepo(t *testing.T) {
+	nonRepoPath := t.TempDir()
+
+	backend := DetectBackend(nonRepoPath)
+	if backend != nil {
+		t.Errorf("DetectBackend should return nil for non-repo, got %q", backend.Name())
+	}
+}
+
+func TestGitBackend_BranchName(t *testing.T) {
+	b := Git().(*GitBackend)
+
+	if b.BranchName("my-sandbox") != "forage-my-sandbox" {
+		t.Errorf("expected 'forage-my-sandbox', got %q", b.BranchName("my-sandbox"))
+	}
+}
+
+func TestGitBackend_Snapshotter(t *testing.T) {
+	var _ Snapshotter = &GitBackend{}
+}
+
+func TestJJBackend_Snapshotter(t *testing.T) {
+	var _ Snapshotter = &JJBackend{}
+}
+
+func TestGitBackend_SnapshotCreateListRestore(t *testing.T) {
+	repoPath := setupGitRepo(t)
+	b := Git().(*GitBackend)
+
+	// Create a worktree first
+	workspacePath := filepath.Join(t.TempDir(), "workspace")
+	name := "snap-test"
+	if err := b.Create(repoPath, name, workspacePath); err != nil {
+		t.Fatalf("Create workspace failed: %v", err)
+	}
+
+	// Create a snapshot
+	if err := b.Snapshot(repoPath, name, "checkpoint1"); err != nil {
+		t.Fatalf("Snapshot failed: %v", err)
+	}
+
+	// List snapshots
+	snapshots, err := b.ListSnapshots(repoPath, name)
+	if err != nil {
+		t.Fatalf("ListSnapshots failed: %v", err)
+	}
+	if len(snapshots) != 1 {
+		t.Fatalf("got %d snapshots, want 1", len(snapshots))
+	}
+	if snapshots[0].Name != "checkpoint1" {
+		t.Errorf("snapshot name = %q, want %q", snapshots[0].Name, "checkpoint1")
+	}
+	if snapshots[0].ChangeID == "" {
+		t.Error("snapshot should have a change ID")
+	}
+
+	// Create a second snapshot
+	err = b.Snapshot(repoPath, name, "checkpoint2")
+	if err != nil {
+		t.Fatalf("second Snapshot failed: %v", err)
+	}
+
+	snapshots, err = b.ListSnapshots(repoPath, name)
+	if err != nil {
+		t.Fatalf("ListSnapshots failed: %v", err)
+	}
+	if len(snapshots) != 2 {
+		t.Fatalf("got %d snapshots, want 2", len(snapshots))
+	}
+
+	// Restore first snapshot
+	if err := b.RestoreSnapshot(repoPath, name, "checkpoint1"); err != nil {
+		t.Fatalf("RestoreSnapshot failed: %v", err)
+	}
+
+	// Cleanup
+	b.Remove(repoPath, name, workspacePath)
+}
+
+func TestGitBackend_SnapshotListEmpty(t *testing.T) {
+	repoPath := setupGitRepo(t)
+	b := Git().(*GitBackend)
+
+	snapshots, err := b.ListSnapshots(repoPath, "nonexistent")
+	if err != nil {
+		t.Fatalf("ListSnapshots failed: %v", err)
+	}
+	if len(snapshots) != 0 {
+		t.Errorf("got %d snapshots, want 0", len(snapshots))
+	}
+}
+
+func TestGitBackend_SnapshotInvalidName(t *testing.T) {
+	repoPath := setupGitRepo(t)
+	b := Git().(*GitBackend)
+
+	if err := b.Snapshot(repoPath, "test", "../evil"); err == nil {
+		t.Error("Snapshot with invalid name should fail")
+	}
+	if err := b.RestoreSnapshot(repoPath, "test", "../evil"); err == nil {
+		t.Error("RestoreSnapshot with invalid name should fail")
+	}
+}
+
+func TestJJBackend_SnapshotCreateAndList(t *testing.T) {
+	repoPath := setupJJRepo(t)
+	b := JJ().(*JJBackend)
+
+	// Create a workspace first
+	workspacePath := filepath.Join(t.TempDir(), "workspace")
+	name := "snap-test"
+	if err := b.Create(repoPath, name, workspacePath); err != nil {
+		t.Fatalf("Create workspace failed: %v", err)
+	}
+
+	// Create a snapshot
+	if err := b.Snapshot(repoPath, name, "checkpoint1"); err != nil {
+		t.Fatalf("Snapshot failed: %v", err)
+	}
+
+	// List snapshots
+	snapshots, err := b.ListSnapshots(repoPath, name)
+	if err != nil {
+		t.Fatalf("ListSnapshots failed: %v", err)
+	}
+	if len(snapshots) != 1 {
+		t.Fatalf("got %d snapshots, want 1", len(snapshots))
+	}
+	if snapshots[0].Name != "checkpoint1" {
+		t.Errorf("snapshot name = %q, want %q", snapshots[0].Name, "checkpoint1")
+	}
+
+	// Cleanup
+	b.Remove(repoPath, name, workspacePath)
+}
+
+func TestDirectMode_NoSnapshotter(t *testing.T) {
+	// Direct mode backends don't implement Snapshotter
+	// Verify that the check in the command layer would work
+	_, ok := (Backend)(nil).(Snapshotter)
+	if ok {
+		t.Error("nil backend should not implement Snapshotter")
+	}
+}
diff --git a/packages/forage-ctl/justfile b/packages/forage-ctl/justfile
new file mode 100644
index 0000000..19fdfd8
--- /dev/null
+++ b/packages/forage-ctl/justfile
@@ -0,0 +1,60 @@
+# Firefly Forage CLI - Development Tasks
+
+# Default recipe: show available commands
+default:
+    @just --list
+
+# Run all tests
+test:
+    go test ./...
+
+# Run tests with verbose output
+test-v:
+    go test -v ./...
+
+# Run only unit tests (fast, skips long-running tests)
+test-unit:
+    go test -short ./...
+
+# Run a specific test package
+test-pkg pkg:
+    go test -v ./internal/{{pkg}}/...
+
+# Run docker integration tests (requires docker)
+test-docker:
+    FORAGE_INTEGRATION_TESTS=1 FORAGE_RUNTIME=docker go test -v ./internal/integration/...
+
+# Run all tests including docker integration
+test-all: test test-docker
+
+# Run linter
+lint:
+    golangci-lint run
+
+# Fix linter issues
+lint-fix:
+    golangci-lint run --fix
+
+# Format code
+fmt:
+    go fmt ./...
+
+# Build the binary
+build:
+    go build -o forage-ctl .
+
+# Clean build artifacts
+clean:
+    rm -f forage-ctl
+    go clean
+
+# Update dependencies
+update-deps:
+    go get -u ./... && go mod tidy
+
+# Run E2E tests against the current machine (post-deployment sanity check)
+test-e2e-local:
+    E2E_LOCAL=1 go test -tags=e2e -v -timeout=15m ./e2e/
+
+# Run all checks (fmt, lint, test)
+check: fmt lint test
diff --git a/packages/forage-ctl/main.go b/packages/forage-ctl/main.go
new file mode 100644
index 0000000..4e9d8e7
--- /dev/null
+++ b/packages/forage-ctl/main.go
@@ -0,0 +1,24 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/cmd"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/errors"
+	"github.com/firefly-engineering/firefly-forage/packages/forage-ctl/internal/telemetry"
+)
+
+func main() {
+	ctx := context.Background()
+	shutdown, _ := telemetry.Init(ctx, "forage-ctl")
+	defer shutdown()
+
+	// Extract parent trace context from environment (e.g., TRACEPARENT
+	// set by E2E test framework for cross-process trace continuity).
+	ctx = telemetry.ContextFromEnv(ctx)
+
+	if err := cmd.Execute(ctx); err != nil {
+		os.Exit(errors.GetExitCode(err))
+	}
+}
diff --git a/packages/forage-ctl/mysandbox.generated/home/agent/.config/forage/system-prompt.md b/packages/forage-ctl/mysandbox.generated/home/agent/.config/forage/system-prompt.md
new file mode 100644
index 0000000..9a3b144
--- /dev/null
+++ b/packages/forage-ctl/mysandbox.generated/home/agent/.config/forage/system-prompt.md
@@ -0,0 +1,13 @@
+# Firefly Forage Sandbox
+
+- **Sandbox**: mysandbox
+- **Template**: test
+- **Workspace**: /workspace
+
+Full network access available.
+
+**Identity:** git authorship configured as Yann Hodique <yann@firefly.engineering>
+
+**Agents:** claude
+
+Work in `/workspace`. Container filesystem (except /workspace) is ephemeral. Use tmux (`tmux attach -t forage`).
diff --git a/tests/darwin-eval.nix b/tests/darwin-eval.nix
new file mode 100644
index 0000000..cc64c96
--- /dev/null
+++ b/tests/darwin-eval.nix
@@ -0,0 +1,176 @@
+# Darwin module evaluation test for Firefly Forage
+#
+# This test evaluates the nix-darwin module (darwin.nix) and verifies it produces
+# correct configuration without needing a full macOS VM. It checks:
+# - config.json is generated with expected fields
+# - template JSON files are produced for each template
+# - activation scripts create the expected directories
+# - assertions catch invalid configurations
+#
+# Run with: nix build .#checks.<system>.darwin-eval
+{ pkgs, self }:
+
+let
+  lib = pkgs.lib;
+
+  # Minimal nix-darwin-like module system for evaluation.
+  # We only need enough structure to evaluate our module —
+  # not the full nix-darwin framework.
+  evalModule =
+    {
+      extraConfig ? { },
+    }:
+    lib.evalModules {
+      modules = [
+        # Provide the minimal module interface that darwin.nix expects
+        {
+          options = {
+            environment.systemPackages = lib.mkOption {
+              type = lib.types.listOf lib.types.package;
+              default = [ ];
+            };
+            environment.etc = lib.mkOption {
+              type = lib.types.attrsOf (
+                lib.types.submodule {
+                  options = {
+                    text = lib.mkOption { type = lib.types.str; };
+                    target = lib.mkOption {
+                      type = lib.types.str;
+                      default = "";
+                    };
+                  };
+                }
+              );
+              default = { };
+            };
+            system.activationScripts = lib.mkOption {
+              type = lib.types.attrsOf lib.types.anything;
+              default = { };
+            };
+            launchd.daemons = lib.mkOption {
+              type = lib.types.attrsOf lib.types.anything;
+              default = { };
+            };
+            users.users = lib.mkOption {
+              type = lib.types.attrsOf lib.types.anything;
+              default = { };
+            };
+            assertions = lib.mkOption {
+              type = lib.types.listOf lib.types.anything;
+              default = [ ];
+            };
+          };
+        }
+        # Import our darwin module
+        (import ../modules/darwin.nix { inherit self; })
+        # Test configuration
+        extraConfig
+      ];
+    };
+
+  # Basic configuration for testing
+  basicConfig = evalModule {
+    extraConfig = {
+      services.firefly-forage = {
+        enable = true;
+        user = "testuser";
+        secrets.test-secret = "/run/forage-secrets/test";
+        templates.claude = {
+          description = "Test Claude template";
+          network = "full";
+          agents.claude = {
+            package = pkgs.hello; # Dummy package
+            secretName = "test-secret";
+            authEnvVar = "ANTHROPIC_API_KEY";
+          };
+        };
+      };
+    };
+  };
+
+  cfg = basicConfig.config;
+
+  # Parse the generated config.json
+  hostConfigJSON = builtins.fromJSON cfg.environment.etc."firefly-forage/config.json".text;
+
+  # Template entries are keyed by template name (not path)
+  templateJSON = builtins.fromJSON cfg.environment.etc.claude.text;
+in
+
+pkgs.runCommand "darwin-eval-test" { } ''
+  set -euo pipefail
+  passed=0
+  failed=0
+
+  check() {
+    local desc="$1"
+    local result="$2"
+    if [ "$result" = "true" ]; then
+      echo "  PASS: $desc"
+      passed=$((passed + 1))
+    else
+      echo "  FAIL: $desc"
+      failed=$((failed + 1))
+    fi
+  }
+
+  echo "=== Darwin Module Evaluation Tests ==="
+  echo ""
+
+  echo "--- Host config.json ---"
+  check "user field is set" "${builtins.toJSON (hostConfigJSON.user == "testuser")}"
+  check "secrets map exists" "${builtins.toJSON (hostConfigJSON ? secrets)}"
+  check "stateDir is set" "${builtins.toJSON (hostConfigJSON.stateDir == "/var/lib/firefly-forage")}"
+
+  echo ""
+  echo "--- Template claude.json ---"
+  check "template name is claude" "${builtins.toJSON (templateJSON.name == "claude")}"
+  check "description is set" "${builtins.toJSON (templateJSON.description == "Test Claude template")}"
+  check "network mode is full" "${builtins.toJSON (templateJSON.network == "full")}"
+  check "agent claude exists" "${builtins.toJSON (templateJSON.agents ? claude)}"
+  check "agent secretName is test-secret" "${
+    builtins.toJSON (templateJSON.agents.claude.secretName == "test-secret")
+  }"
+  check "agent authEnvVar is ANTHROPIC_API_KEY" "${
+    builtins.toJSON (templateJSON.agents.claude.authEnvVar == "ANTHROPIC_API_KEY")
+  }"
+
+  echo ""
+  echo "--- Activation scripts ---"
+  check "activation script exists" "${
+    builtins.toJSON (cfg.system.activationScripts ? postActivation)
+  }"
+  check "activation creates state dir" "${
+    builtins.toJSON (
+      builtins.match ".*mkdir -p.*/var/lib/firefly-forage.*" cfg.system.activationScripts.postActivation.text
+      != null
+    )
+  }"
+  check "activation creates secrets dir" "${
+    builtins.toJSON (
+      builtins.match ".*mkdir -p /run/forage-secrets.*" cfg.system.activationScripts.postActivation.text
+      != null
+    )
+  }"
+  check "chown includes group" "${
+    builtins.toJSON (
+      builtins.match ".*chown testuser:staff.*" cfg.system.activationScripts.postActivation.text != null
+    )
+  }"
+
+  echo ""
+  echo "--- Assertions ---"
+  check "assertions list is non-empty" "${builtins.toJSON (builtins.length cfg.assertions > 0)}"
+
+  echo ""
+  echo "=== Results: $passed passed, $failed failed ==="
+
+  if [ "$failed" -gt 0 ]; then
+    echo "FAILED"
+    exit 1
+  fi
+
+  echo "ALL TESTS PASSED"
+  mkdir -p $out
+  echo "passed" > $out/result
+''
diff --git a/tests/e2e/ssh-key b/tests/e2e/ssh-key
new file mode 100644
index 0000000..5eb74ed
--- /dev/null
+++ b/tests/e2e/ssh-key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCh0D1yCjDTVc36J1G7WCV9Jat+zpZ0V9/CdiefS3VZqwAAAJh260Q6dutE
+OgAAAAtzc2gtZWQyNTUxOQAAACCh0D1yCjDTVc36J1G7WCV9Jat+zpZ0V9/CdiefS3VZqw
+AAAEDmrcz/WcVk0e4rTzwRhYtOj4JbKdlT4ksf8vaHiIf2nqHQPXIKMNNVzfonUbtYJX0l
+q37OlnRX38J2J59LdVmrAAAAD2ZvcmFnZS1lMmUtdGVzdAECAwQFBg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/e2e/ssh-key.pub b/tests/e2e/ssh-key.pub
new file mode 100644
index 0000000..bb9e96d
--- /dev/null
+++ b/tests/e2e/ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHQPXIKMNNVzfonUbtYJX0lq37OlnRX38J2J59LdVmr forage-e2e-test
diff --git a/tests/e2e/vm.nix b/tests/e2e/vm.nix
new file mode 100644
index 0000000..7226525
--- /dev/null
+++ b/tests/e2e/vm.nix
@@ -0,0 +1,303 @@
+# E2E test VM configuration for Firefly Forage
+#
+# This builds a QEMU VM via NixOS's config.system.build.vm mechanism.
+# The VM boots with the forage module fully configured, SSH access for the
+# test driver, and a pre-built container closure so the container
+# nix-build is essentially a no-op.
+#
+# Architecture: Host -> QEMU/KVM (this VM) -> systemd-nspawn (forage sandboxes)
+#
+# Usage:
+#   nix build .#packages.x86_64-linux.e2e-vm    # Build the VM
+#   nix build .#packages.x86_64-linux.e2e-driver # Build the test driver
+#   just test-e2e                                 # Build + run
+{
+  pkgs,
+  self,
+  goSrc,
+  goModRoot,
+}:
+let
+  inherit (pkgs) lib;
+
+  sshPubKey = lib.trim (builtins.readFile ./ssh-key.pub);
+  sshPrivKey = ./ssh-key;
+
+  # Pre-build a NixOS container system closure that closely matches what
+  # forage-ctl generates (see internal/generator/templates.go). This ensures
+  # all required store paths are available in the VM's shared nix store,
+  # making the container nix-build essentially a no-op.
+  #
+  # The packages here mirror the container template in templates.go:
+  # git, jujutsu, tmux, neovim, ripgrep, fd, plus openssh for the container.
+  prebuiltContainerSystem =
+    (import (pkgs.path + "/nixos/lib/eval-config.nix") {
+      inherit (pkgs.stdenv.hostPlatform) system;
+      modules = [
+        {
+          boot.isContainer = true;
+          system.stateVersion = "24.11";
+          nixpkgs.config.allowUnfree = true;
+
+          networking = {
+            hostName = "forage-prebuilt";
+            # Match the "none" network mode from network.go:
+            nameservers = [ ];
+            defaultGateway = null;
+            useDHCP = false;
+            firewall.enable = false;
+            nftables.enable = true;
+            useHostResolvConf = lib.mkForce false;
+          };
+
+          users.users.agent = {
+            isNormalUser = true;
+            uid = 1000;
+            group = "users";
+            home = "/home/agent";
+            shell = pkgs.bash;
+            openssh.authorizedKeys.keys = [ sshPubKey ];
+          };
+          users.groups.users.gid = 100;
+
+          security.sudo.enable = false;
+
+          services.openssh = {
+            enable = true;
+            ports = [ 22 ];
+            settings = {
+              PasswordAuthentication = false;
+              PermitRootLogin = "no";
+            };
+          };
+
+          # Match the packages from generator/templates.go
+          environment.systemPackages = with pkgs; [
+            git
+            jujutsu
+            tmux
+            neovim
+            ripgrep
+            fd
+            bash
+            coreutils
+            hello # test agent package
+          ];
+
+          # nftables already enabled via networking block above
+        }
+      ];
+    }).config.system.build.toplevel;
+
+  # The NixOS VM system evaluation
+  vmSystem = import (pkgs.path + "/nixos/lib/eval-config.nix") {
+    inherit (pkgs.stdenv.hostPlatform) system;
+    modules = [
+      self.nixosModules.host
+      (pkgs.path + "/nixos/modules/virtualisation/qemu-vm.nix")
+      (
+        { config, pkgs, ... }:
+        {
+          # Predictable hostname for the VM script name
+          networking.hostName = "forage-e2e";
+          system.stateVersion = "24.11";
+
+          # --- Test user ---
+          users.users.testuser = {
+            isNormalUser = true;
+            uid = 1000;
+            group = "users";
+          };
+
+          # --- Root SSH access for test driver ---
+          users.users.root.openssh.authorizedKeys.keys = [ sshPubKey ];
+          services.openssh = {
+            enable = true;
+            settings = {
+              PermitRootLogin = "prohibit-password";
+            };
+          };
+
+          # --- Install the test SSH key for forage-ctl exec ---
+          # forage-ctl exec uses SSH to connect to containers. It needs
+          # the private key matching the authorized keys in the container.
+          system.activationScripts.forage-test-ssh-key = ''
+            mkdir -p /root/.ssh
+            cp ${sshPrivKey} /root/.ssh/id_ed25519
+            chmod 600 /root/.ssh/id_ed25519
+            cp ${./ssh-key.pub} /root/.ssh/id_ed25519.pub
+            chmod 644 /root/.ssh/id_ed25519.pub
+
+            # Also for testuser
+            mkdir -p /home/testuser/.ssh
+            cp ${sshPrivKey} /home/testuser/.ssh/id_ed25519
+            chmod 600 /home/testuser/.ssh/id_ed25519
+            cp ${./ssh-key.pub} /home/testuser/.ssh/id_ed25519.pub
+            chmod 644 /home/testuser/.ssh/id_ed25519.pub
+            chown -R testuser:users /home/testuser/.ssh
+          '';
+
+          # --- Dummy secret file for testing ---
+          environment.etc."forage-test-secret".text = "test-api-key-e2e";
+
+          # --- Forage module configuration ---
+          services.firefly-forage = {
+            enable = true;
+            user = "testuser";
+            authorizedKeys = [ sshPubKey ];
+            secrets.test-secret = "/etc/forage-test-secret";
+            templates.test = {
+              description = "E2E test template";
+              network = "none";
+              agents.test-agent = {
+                package = pkgs.hello;
+                secretName = "test-secret";
+                authEnvVar = "TEST_KEY";
+              };
+            };
+          };
+
+          # --- Additional packages for testing ---
+          environment.systemPackages = with pkgs; [
+            jujutsu
+            git
+            openssh
+            curl
+          ];
+
+          # --- NAT for container networking ---
+          # Containers use private networks (10.100.x.x). NAT allows them
+          # to reach the VM's network. The ve-+ wildcard matches all veth
+          # interfaces created by systemd-nspawn.
+          networking.nat = {
+            enable = true;
+            internalInterfaces = [ "ve-+" ];
+          };
+
+          # --- Nix configuration ---
+          nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+          nix.settings = {
+            experimental-features = [
+              "nix-command"
+              "flakes"
+            ];
+            # Limit to 1 build job to reduce memory/IO pressure during
+            # nix-build of container config derivations.
+            max-jobs = 1;
+          };
+
+          # --- Git configuration (required for jj and forage-ctl) ---
+          environment.etc."gitconfig".text = ''
+            [user]
+              email = test@forage-e2e.local
+              name = Forage E2E Test
+          '';
+
+          # --- JJ configuration (set via environment variable) ---
+          environment.variables.JJ_USER = "Forage E2E Test";
+          environment.variables.JJ_EMAIL = "test@forage-e2e.local";
+
+          # --- Pre-build container closure ---
+          # This ensures all store paths needed by the container are available
+          # in the VM's nix store (shared from host via 9p). When forage-ctl
+          # runs nix-build, it becomes essentially a no-op for packages.
+          #
+          # The prebuiltContainerSystem provides all runtime packages.
+          # stdenv + perl provide the build tools (gcc, binutils, etc.) that
+          # nix-build needs to produce the container's config derivations
+          # (systemd units, etc files, activation scripts). Without these,
+          # nix-build downloads ~400MB of build dependencies on every run.
+          system.extraDependencies = [
+            prebuiltContainerSystem
+            pkgs.stdenv
+            pkgs.stdenv.cc
+            pkgs.perl
+            pkgs.desktop-file-utils # needed by NixOS activation
+            pkgs.texinfo # NixOS build dependency
+            pkgs.libxslt # NixOS build dependency
+            pkgs.lndir # NixOS build dependency
+            pkgs.shellcheck # NixOS check phase
+          ];
+
+          # --- QEMU VM settings ---
+          virtualisation = {
+            memorySize = 8192;
+            cores = 4;
+            diskSize = 30720; # 30GB for nix store overlay + container roots
+
+            # Use an erofs image for the nix store instead of 9p.
+            # 9p is too slow for NixOS evaluation (reads thousands of files)
+            # and causes QEMU crashes under heavy load. The erofs image is
+            # mounted as a block device with a writable tmpfs overlay.
+            #
+            # Note: writableStoreUseTmpfs MUST be true. Disk-backed overlays
+            # (false) cause silent VM crashes during nix-build, likely due to
+            # I/O contention between the erofs block device and qcow2 overlay.
+            useNixStoreImage = true;
+            writableStore = true;
+            writableStoreUseTmpfs = true;
+
+            forwardPorts = [
+              {
+                from = "host";
+                host.port = 2222;
+                guest.port = 22;
+              }
+            ];
+          };
+        }
+      )
+    ];
+  };
+
+  vm = vmSystem.config.system.build.vm;
+
+  # Build the Go E2E test binary with the e2e build tag.
+  # This produces a standalone binary that boots the VM, runs all test
+  # scenarios via SSH, and reports results using Go's testing framework.
+  e2eTestBin = pkgs.buildGoModule {
+    pname = "forage-e2e-test-bin";
+    version = "0.1.0";
+
+    src = goSrc;
+    modRoot = goModRoot;
+
+    vendorHash = "sha256-1bHdfu/a6E7gjrU9z+xwi4t+bBrzwdXgADX5aAffHNk=";
+
+    # Use proxy vendor because `go mod vendor` doesn't include packages
+    # only imported by build-tagged files (e2e tag). proxyVendor uses the
+    # Go module cache instead, making all go.mod dependencies available.
+    proxyVendor = true;
+
+    # Only build the e2e test binary, not the main CLI
+    buildPhase = ''
+      runHook preBuild
+      go test -c -tags=e2e -o $GOPATH/bin/forage-e2e-test ./e2e/
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      mkdir -p $out/bin
+      cp $GOPATH/bin/forage-e2e-test $out/bin/
+    '';
+
+    # Skip normal check phase — this is a test binary, not a library
+    doCheck = false;
+
+    env.CGO_ENABLED = "0";
+  };
+
+  # Wrapper that sets environment variables and runs the Go test binary
+  testDriver = pkgs.writeShellApplication {
+    name = "forage-e2e-test";
+    text = ''
+      export E2E_SSH_KEY="${sshPrivKey}"
+      export E2E_VM="${vm}/bin/run-forage-e2e-vm"
+      exec "${e2eTestBin}/bin/forage-e2e-test" -test.v -test.timeout=900s "$@"
+    '';
+  };
+
+in
+{
+  inherit vm testDriver;
+}
diff --git a/tests/integration/README.md b/tests/integration/README.md
new file mode 100644
index 0000000..b540b4e
--- /dev/null
+++ b/tests/integration/README.md
@@ -0,0 +1,170 @@
+# Forage Integration Tests
+
+This directory contains integration tests for verifying forage functionality across different container backends and version control systems.
+
+## Test Matrix
+
+| Backend   | Git Worktree | JJ   |
+|-----------|--------------|------|
+| nspawn    | ✓            | ✓    |
+| docker    | ✓            | ✓    |
+| podman    | ✓            | ✓    |
+| apple     | ✓            | ✓    |
+
+## Running Tests
+
+### Run all tests
+
+```bash
+./run-all.sh
+```
+
+### Run tests in parallel
+
+```bash
+./run-all.sh --parallel
+```
+
+### Run specific backend tests
+
+```bash
+./run-all.sh docker    # Only Docker tests
+./run-all.sh nspawn    # Only nspawn tests
+```
+
+### Run specific VCS tests
+
+```bash
+./run-all.sh jj        # Only JJ tests
+./run-all.sh git       # Only Git tests
+```
+
+### Run a single test
+
+```bash
+./test-docker-git.sh
+```
+
+## Prerequisites
+
+Tests automatically skip if prerequisites are not met:
+
+- **forage-ctl**: Must be installed and in PATH
+- **Backend-specific**:
+  - `nspawn`: NixOS with `machinectl`
+  - `docker`: Docker daemon running
+  - `podman`: Podman installed
+  - `apple`: macOS with Apple's `container` CLI
+- **VCS-specific**:
+  - `git`: Git installed
+  - `jj`: JJ and Git installed
+
+## Test Framework
+
+### Directory Structure
+
+```
+tests/integration/
+├── lib/
+│   ├── common.sh       # Core utilities (logging, cleanup, temp dirs)
+│   ├── prereqs.sh      # Prerequisite checking
+│   ├── vcs.sh          # VCS helpers (create repos, commit, etc.)
+│   ├── sandbox.sh      # Sandbox management (create, start, exec)
+│   ├── assertions.sh   # Test assertions
+│   └── scenarios.sh    # Test orchestration and common scenarios
+├── test-{backend}-{vcs}.sh  # Individual test scripts
+├── run-all.sh          # Test runner
+└── README.md
+```
+
+### Writing Tests
+
+Tests use the `run_scenario` function which orchestrates:
+
+1. Prerequisite checking (auto-skip if not available)
+2. Test repository creation
+3. Sandbox creation and startup
+4. Waiting for sandbox readiness
+5. Running your test scenario
+6. Cleanup
+
+Example test:
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Define your test scenario
+my_test_scenario() {
+    # Create a file in the sandbox
+    scenario_create_file "test.txt" "Hello World"
+
+    # Verify it exists
+    assert_true "File exists in sandbox" \
+        "scenario_file_exists test.txt"
+
+    # Verify it synced to host repo
+    assert_true "File synced to host" \
+        "scenario_repo_file_exists test.txt"
+}
+
+# Run with specific backend and VCS
+run_scenario "docker" "git" my_test_scenario "my-custom-test"
+```
+
+### Available Scenario Functions
+
+Within a scenario function, these helpers are available:
+
+**Sandbox Operations:**
+- `scenario_exec "command"` - Execute command in sandbox
+- `scenario_exec_capture "command"` - Execute and capture output
+- `scenario_create_file "path" "content"` - Create file in workspace
+- `scenario_get_file "path"` - Get file content
+- `scenario_file_exists "path"` - Check if file exists
+- `scenario_vcs_status` - Get VCS status
+- `scenario_vcs_commit "message"` - Commit changes
+
+**Host Repository Operations:**
+- `scenario_repo_file_exists "path"` - Check file in host repo
+- `scenario_repo_get_file "path"` - Get file from host repo
+- `scenario_repo_add_file "path" "content"` - Add file to host repo
+- `scenario_repo_commit "message"` - Commit in host repo
+- `scenario_repo_status` - Get host repo status
+
+**Assertions:**
+- `assert_true "description" "condition"`
+- `assert_false "description" "condition"`
+- `assert_equals "description" "expected" "actual"`
+- `assert_contains "description" "haystack" "needle"`
+- `assert_file_exists "description" "path"`
+- `assert_file_contains "description" "path" "content"`
+- `assert_command_succeeds "description" "command"`
+- `assert_command_fails "description" "command"`
+
+### Common Scenarios
+
+Pre-built scenarios in `lib/scenarios.sh`:
+
+- `scenario_basic_workspace_access` - Verify sandbox can access workspace
+- `scenario_file_creation_sync` - Test file creation and sync to host
+- `scenario_vcs_operations` - Test VCS commands inside sandbox
+- `scenario_bidirectional_sync` - Test host→sandbox sync
+- `scenario_full_integration` - Combines all above scenarios
+
+## Configuration
+
+### Environment Variables
+
+- `FORAGE_TEST_TEMPLATE`: Template name to use (default: "test")
+- `SANDBOX_TIMEOUT`: Timeout for sandbox operations in seconds (default: 120)
+- `SSH_WAIT_TIMEOUT`: Timeout waiting for SSH in seconds (default: 60)
+
+### Template Requirements
+
+Tests expect a template named "test" to be configured in forage. The template should have:
+- Network mode: "none" (for faster startup, no network needed)
+- At least one agent configured
diff --git a/tests/integration/lib/assertions.sh b/tests/integration/lib/assertions.sh
new file mode 100755
index 0000000..48c5888
--- /dev/null
+++ b/tests/integration/lib/assertions.sh
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+# Assertion helpers for integration tests
+#
+# This library provides assertion functions for verifying test conditions.
+
+# Source common utilities
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/common.sh"
+
+# Assert that a condition is true
+assert_true() {
+    local description="$1"
+    shift
+    local condition="$*"
+
+    if eval "$condition"; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description"
+        return 1
+    fi
+}
+
+# Assert that a condition is false
+assert_false() {
+    local description="$1"
+    shift
+    local condition="$*"
+
+    if ! eval "$condition"; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description"
+        return 1
+    fi
+}
+
+# Assert that two values are equal
+assert_equals() {
+    local description="$1"
+    local expected="$2"
+    local actual="$3"
+
+    if [[ "$expected" == "$actual" ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (expected: '$expected', actual: '$actual')"
+        return 1
+    fi
+}
+
+# Assert that a value contains a substring
+assert_contains() {
+    local description="$1"
+    local haystack="$2"
+    local needle="$3"
+
+    if [[ "$haystack" == *"$needle"* ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (expected to contain: '$needle')"
+        return 1
+    fi
+}
+
+# Assert that a value does not contain a substring
+assert_not_contains() {
+    local description="$1"
+    local haystack="$2"
+    local needle="$3"
+
+    if [[ "$haystack" != *"$needle"* ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (expected NOT to contain: '$needle')"
+        return 1
+    fi
+}
+
+# Assert that a file exists
+assert_file_exists() {
+    local description="$1"
+    local filepath="$2"
+
+    if [[ -f "$filepath" ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (file does not exist: $filepath)"
+        return 1
+    fi
+}
+
+# Assert that a file does not exist
+assert_file_not_exists() {
+    local description="$1"
+    local filepath="$2"
+
+    if [[ ! -f "$filepath" ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (file exists: $filepath)"
+        return 1
+    fi
+}
+
+# Assert that a directory exists
+assert_dir_exists() {
+    local description="$1"
+    local dirpath="$2"
+
+    if [[ -d "$dirpath" ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (directory does not exist: $dirpath)"
+        return 1
+    fi
+}
+
+# Assert that a file contains specific content
+assert_file_contains() {
+    local description="$1"
+    local filepath="$2"
+    local expected_content="$3"
+
+    if [[ ! -f "$filepath" ]]; then
+        test_fail "ASSERT FAILED: $description (file does not exist: $filepath)"
+        return 1
+    fi
+
+    local content
+    content=$(cat "$filepath")
+
+    if [[ "$content" == *"$expected_content"* ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (file does not contain: '$expected_content')"
+        return 1
+    fi
+}
+
+# Assert that a command succeeds
+assert_command_succeeds() {
+    local description="$1"
+    shift
+    local cmd="$*"
+
+    if eval "$cmd" >/dev/null 2>&1; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (command failed: $cmd)"
+        return 1
+    fi
+}
+
+# Assert that a command fails
+assert_command_fails() {
+    local description="$1"
+    shift
+    local cmd="$*"
+
+    if ! eval "$cmd" >/dev/null 2>&1; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (command succeeded but should have failed: $cmd)"
+        return 1
+    fi
+}
+
+# Assert that command output contains a string
+assert_output_contains() {
+    local description="$1"
+    local expected="$2"
+    shift 2
+    local cmd="$*"
+
+    local output
+    output=$(eval "$cmd" 2>&1) || true
+
+    if [[ "$output" == *"$expected"* ]]; then
+        log_success "ASSERT: $description"
+        return 0
+    else
+        test_fail "ASSERT FAILED: $description (output does not contain: '$expected')"
+        log_info "Actual output: $output"
+        return 1
+    fi
+}
diff --git a/tests/integration/lib/common.sh b/tests/integration/lib/common.sh
new file mode 100755
index 0000000..262eafa
--- /dev/null
+++ b/tests/integration/lib/common.sh
@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+# Common utilities for integration tests
+#
+# This library provides core utilities for test output, logging, and control flow.
+
+set -euo pipefail
+
+# Colors for output (disabled if not a terminal)
+if [[ -t 1 ]]; then
+    RED='\033[0;31m'
+    GREEN='\033[0;32m'
+    YELLOW='\033[0;33m'
+    BLUE='\033[0;34m'
+    NC='\033[0m' # No Color
+else
+    RED=''
+    GREEN=''
+    YELLOW=''
+    BLUE=''
+    NC=''
+fi
+
+# Test state
+TEST_NAME="${TEST_NAME:-unknown}"
+TEST_FAILED=0
+TEST_SKIPPED=0
+CLEANUP_ITEMS=()
+
+# Logging functions (all write to stderr to avoid polluting captured output)
+log_info() {
+    echo -e "${BLUE}[INFO]${NC} $*" >&2
+}
+
+log_success() {
+    echo -e "${GREEN}[PASS]${NC} $*" >&2
+}
+
+log_warn() {
+    echo -e "${YELLOW}[WARN]${NC} $*" >&2
+}
+
+log_error() {
+    echo -e "${RED}[FAIL]${NC} $*" >&2
+}
+
+log_skip() {
+    echo -e "${YELLOW}[SKIP]${NC} $*" >&2
+}
+
+# Test lifecycle functions
+test_start() {
+    local name="$1"
+    TEST_NAME="$name"
+    TEST_FAILED=0
+    TEST_SKIPPED=0
+    CLEANUP_ITEMS=()
+    echo "" >&2
+    echo -e "${BLUE}========================================${NC}" >&2
+    echo -e "${BLUE}TEST: ${name}${NC}" >&2
+    echo -e "${BLUE}========================================${NC}" >&2
+}
+
+test_skip() {
+    local reason="$1"
+    TEST_SKIPPED=1
+    log_skip "$TEST_NAME: $reason"
+    exit 0
+}
+
+test_fail() {
+    local reason="$1"
+    TEST_FAILED=1
+    log_error "$TEST_NAME: $reason"
+}
+
+test_end() {
+    # Run cleanup
+    run_cleanup
+
+    if [[ $TEST_SKIPPED -eq 1 ]]; then
+        exit 0
+    elif [[ $TEST_FAILED -eq 1 ]]; then
+        log_error "$TEST_NAME: FAILED"
+        exit 1
+    else
+        log_success "$TEST_NAME: PASSED"
+        exit 0
+    fi
+}
+
+# Cleanup registration and execution
+register_cleanup() {
+    local item="$1"
+    CLEANUP_ITEMS+=("$item")
+}
+
+run_cleanup() {
+    log_info "Running cleanup..."
+    # Run cleanup in reverse order
+    for ((i=${#CLEANUP_ITEMS[@]}-1; i>=0; i--)); do
+        local item="${CLEANUP_ITEMS[$i]}"
+        log_info "  Cleaning up: $item"
+        eval "$item" || log_warn "Cleanup failed: $item"
+    done
+}
+
+# Temporary directory management
+create_temp_dir() {
+    local prefix="${1:-forage-test}"
+    local dir
+    dir=$(mktemp -d "/tmp/${prefix}.XXXXXX")
+    register_cleanup "rm -rf '$dir'"
+    echo "$dir"
+}
+
+# Command execution with output capture
+run_cmd() {
+    local description="$1"
+    shift
+    log_info "$description"
+    if ! "$@"; then
+        test_fail "Command failed: $*"
+        return 1
+    fi
+}
+
+run_cmd_quiet() {
+    local description="$1"
+    shift
+    log_info "$description"
+    if ! "$@" >/dev/null 2>&1; then
+        test_fail "Command failed: $*"
+        return 1
+    fi
+}
+
+# Check if a command exists
+command_exists() {
+    command -v "$1" >/dev/null 2>&1
+}
diff --git a/tests/integration/lib/prereqs.sh b/tests/integration/lib/prereqs.sh
new file mode 100755
index 0000000..12fa988
--- /dev/null
+++ b/tests/integration/lib/prereqs.sh
@@ -0,0 +1,179 @@
+#!/usr/bin/env bash
+# Prerequisite checking for integration tests
+#
+# This library provides functions to check if required tools and backends
+# are available on the system.
+
+# Source common utilities
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/common.sh"
+
+# Check if forage-ctl is available
+check_forage_ctl() {
+    if ! command_exists forage-ctl; then
+        return 1
+    fi
+    return 0
+}
+
+# Check if a specific backend is available
+check_backend() {
+    local backend="$1"
+
+    case "$backend" in
+        nspawn)
+            check_nspawn_backend
+            ;;
+        docker)
+            check_docker_backend
+            ;;
+        podman)
+            check_podman_backend
+            ;;
+        apple)
+            check_apple_backend
+            ;;
+        *)
+            log_error "Unknown backend: $backend"
+            return 1
+            ;;
+    esac
+}
+
+check_nspawn_backend() {
+    # nspawn requires NixOS with systemd
+    if [[ ! -f /etc/NIXOS ]]; then
+        return 1
+    fi
+    if ! command_exists machinectl; then
+        return 1
+    fi
+    return 0
+}
+
+check_docker_backend() {
+    if ! command_exists docker; then
+        return 1
+    fi
+    # Check if docker daemon is running
+    if ! docker info >/dev/null 2>&1; then
+        return 1
+    fi
+    return 0
+}
+
+check_podman_backend() {
+    if ! command_exists podman; then
+        return 1
+    fi
+    # Basic check that podman works
+    if ! podman info >/dev/null 2>&1; then
+        return 1
+    fi
+    return 0
+}
+
+check_apple_backend() {
+    # Apple backend only on macOS
+    if [[ "$(uname)" != "Darwin" ]]; then
+        return 1
+    fi
+    # Check for container CLI (Apple's virtualization)
+    if ! command_exists container; then
+        return 1
+    fi
+    return 0
+}
+
+# Check if a specific VCS is available
+check_vcs() {
+    local vcs="$1"
+
+    case "$vcs" in
+        git|git-worktree)
+            check_git_vcs
+            ;;
+        jj)
+            check_jj_vcs
+            ;;
+        *)
+            log_error "Unknown VCS: $vcs"
+            return 1
+            ;;
+    esac
+}
+
+check_git_vcs() {
+    if ! command_exists git; then
+        return 1
+    fi
+    return 0
+}
+
+check_jj_vcs() {
+    if ! command_exists jj; then
+        return 1
+    fi
+    # jj also requires git for some operations
+    if ! command_exists git; then
+        return 1
+    fi
+    return 0
+}
+
+# Check all prerequisites for a test
+check_all_prerequisites() {
+    local backend="$1"
+    local vcs="$2"
+
+    log_info "Checking prerequisites for backend=$backend, vcs=$vcs"
+
+    if ! check_forage_ctl; then
+        test_skip "forage-ctl not found"
+    fi
+
+    if ! check_backend "$backend"; then
+        test_skip "Backend '$backend' not available on this system"
+    fi
+
+    if ! check_vcs "$vcs"; then
+        test_skip "VCS '$vcs' not available on this system"
+    fi
+
+    log_info "All prerequisites satisfied"
+}
+
+# Get the runtime flag for forage-ctl based on backend
+get_runtime_flag() {
+    local backend="$1"
+    case "$backend" in
+        nspawn)
+            echo "--runtime=nspawn"
+            ;;
+        docker)
+            echo "--runtime=docker"
+            ;;
+        podman)
+            echo "--runtime=podman"
+            ;;
+        apple)
+            echo "--runtime=apple"
+            ;;
+    esac
+}
+
+# Get the workspace mode flag for forage-ctl based on VCS
+get_workspace_mode_flag() {
+    local vcs="$1"
+    case "$vcs" in
+        git|git-worktree)
+            echo "--workspace-mode=git-worktree"
+            ;;
+        jj)
+            echo "--workspace-mode=jj"
+            ;;
+        *)
+            echo "--workspace-mode=direct"
+            ;;
+    esac
+}
diff --git a/tests/integration/lib/sandbox.sh b/tests/integration/lib/sandbox.sh
new file mode 100755
index 0000000..246a3a2
--- /dev/null
+++ b/tests/integration/lib/sandbox.sh
@@ -0,0 +1,235 @@
+#!/usr/bin/env bash
+# Sandbox helpers for integration tests
+#
+# This library provides functions to create, manage, and interact with
+# forage sandboxes.
+
+# Source common utilities and prereqs
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/common.sh"
+source "${SCRIPT_DIR}/prereqs.sh"
+
+# Default timeout for sandbox operations (in seconds)
+SANDBOX_TIMEOUT="${SANDBOX_TIMEOUT:-120}"
+SSH_WAIT_TIMEOUT="${SSH_WAIT_TIMEOUT:-60}"
+
+# Generate a unique sandbox name for testing
+generate_sandbox_name() {
+    local prefix="${1:-test}"
+    echo "${prefix}-$(date +%s)-$$"
+}
+
+# Create and start a sandbox using 'forage-ctl up'
+# Returns the sandbox name
+#
+# Note: Runtime is auto-detected (apple on macOS, nspawn on NixOS, etc.)
+# and workspace mode is inferred from the repo type (git → git-worktree,
+# jj → jj). Use --direct for direct mount.
+create_sandbox() {
+    local backend="$1"
+    local vcs="$2"
+    local repo_dir="$3"
+    local template="${4:-test}"
+    local sandbox_name="${5:-$(generate_sandbox_name)}"
+
+    log_info "Creating sandbox: $sandbox_name"
+    log_info "  Backend: $backend (auto-detected)"
+    log_info "  VCS: $vcs"
+    log_info "  Repository: $repo_dir"
+    log_info "  Template: $template"
+
+    local extra_flags=()
+    if [[ "$vcs" == "direct" ]]; then
+        extra_flags+=(--direct)
+    fi
+
+    if ! forage-ctl up "$sandbox_name" \
+        --template="$template" \
+        --repo="$repo_dir" \
+        "${extra_flags[@]}" >&2; then
+        test_fail "Failed to create sandbox: $sandbox_name"
+        return 1
+    fi
+
+    # Register cleanup
+    register_cleanup "destroy_sandbox '$sandbox_name' || true"
+
+    log_info "Sandbox created: $sandbox_name"
+    echo "$sandbox_name"
+}
+
+# Start a sandbox (no-op if already started by 'up')
+start_sandbox() {
+    local sandbox_name="$1"
+
+    log_info "Starting sandbox: $sandbox_name"
+
+    if ! forage-ctl start "$sandbox_name" >&2; then
+        # May already be running from 'up'
+        log_warn "Start returned error (may already be running)"
+    fi
+
+    log_info "Sandbox started: $sandbox_name"
+}
+
+# Stop a sandbox
+stop_sandbox() {
+    local sandbox_name="$1"
+
+    log_info "Stopping sandbox: $sandbox_name"
+
+    if ! forage-ctl stop "$sandbox_name"; then
+        log_warn "Failed to stop sandbox: $sandbox_name"
+        return 1
+    fi
+
+    log_info "Sandbox stopped: $sandbox_name"
+}
+
+# Destroy a sandbox
+destroy_sandbox() {
+    local sandbox_name="$1"
+
+    log_info "Destroying sandbox: $sandbox_name"
+
+    if ! forage-ctl down "$sandbox_name" 2>/dev/null; then
+        log_warn "Failed to destroy sandbox: $sandbox_name (may already be destroyed)"
+        return 1
+    fi
+
+    log_info "Sandbox destroyed: $sandbox_name"
+}
+
+# Wait for sandbox to be ready (SSH available)
+wait_for_sandbox_ready() {
+    local sandbox_name="$1"
+    local timeout="${2:-$SSH_WAIT_TIMEOUT}"
+
+    log_info "Waiting for sandbox to be ready (timeout: ${timeout}s)..."
+
+    local start_time
+    start_time=$(date +%s)
+
+    while true; do
+        local elapsed
+        elapsed=$(( $(date +%s) - start_time ))
+
+        if [[ $elapsed -ge $timeout ]]; then
+            test_fail "Timeout waiting for sandbox to be ready"
+            return 1
+        fi
+
+        # Try to execute a simple command
+        if forage-ctl exec "$sandbox_name" -- true 2>/dev/null; then
+            log_info "Sandbox is ready (took ${elapsed}s)"
+            return 0
+        fi
+
+        sleep 1
+    done
+}
+
+# Execute a command in the sandbox
+sandbox_exec() {
+    local sandbox_name="$1"
+    shift
+    local cmd="$*"
+
+    log_info "Executing in sandbox: $cmd"
+    forage-ctl exec "$sandbox_name" -- bash -c "$cmd"
+}
+
+# Execute a command in the sandbox and capture output
+sandbox_exec_capture() {
+    local sandbox_name="$1"
+    shift
+    local cmd="$*"
+
+    forage-ctl exec "$sandbox_name" -- bash -c "$cmd" 2>&1
+}
+
+# Check if a file exists in the sandbox workspace
+sandbox_file_exists() {
+    local sandbox_name="$1"
+    local filepath="$2"
+
+    sandbox_exec "$sandbox_name" "test -f /workspace/$filepath" 2>/dev/null
+}
+
+# Get the content of a file in the sandbox workspace
+sandbox_get_file_content() {
+    local sandbox_name="$1"
+    local filepath="$2"
+
+    sandbox_exec_capture "$sandbox_name" "cat /workspace/$filepath"
+}
+
+# Create a file in the sandbox workspace
+sandbox_create_file() {
+    local sandbox_name="$1"
+    local filepath="$2"
+    local content="$3"
+
+    sandbox_exec "$sandbox_name" "echo '$content' > /workspace/$filepath"
+}
+
+# Append to a file in the sandbox workspace
+sandbox_append_file() {
+    local sandbox_name="$1"
+    local filepath="$2"
+    local content="$3"
+
+    sandbox_exec "$sandbox_name" "echo '$content' >> /workspace/$filepath"
+}
+
+# List files in the sandbox workspace
+sandbox_list_workspace() {
+    local sandbox_name="$1"
+
+    sandbox_exec_capture "$sandbox_name" "ls -la /workspace/"
+}
+
+# Get sandbox status
+sandbox_status() {
+    local sandbox_name="$1"
+
+    forage-ctl status "$sandbox_name"
+}
+
+# Check if sandbox is running
+sandbox_is_running() {
+    local sandbox_name="$1"
+
+    forage-ctl status "$sandbox_name" 2>/dev/null | grep -q "running"
+}
+
+# Get the VCS status inside the sandbox
+sandbox_vcs_status() {
+    local sandbox_name="$1"
+    local vcs="$2"
+
+    case "$vcs" in
+        git|git-worktree)
+            sandbox_exec_capture "$sandbox_name" "cd /workspace && git status --short"
+            ;;
+        jj)
+            sandbox_exec_capture "$sandbox_name" "cd /workspace && jj status"
+            ;;
+    esac
+}
+
+# Commit changes inside the sandbox
+sandbox_vcs_commit() {
+    local sandbox_name="$1"
+    local vcs="$2"
+    local message="$3"
+
+    case "$vcs" in
+        git|git-worktree)
+            sandbox_exec "$sandbox_name" "cd /workspace && git add -A && git commit -m '$message'"
+            ;;
+        jj)
+            sandbox_exec "$sandbox_name" "cd /workspace && jj commit -m '$message'"
+            ;;
+    esac
+}
diff --git a/tests/integration/lib/scenarios.sh b/tests/integration/lib/scenarios.sh
new file mode 100755
index 0000000..d2f7cd5
--- /dev/null
+++ b/tests/integration/lib/scenarios.sh
@@ -0,0 +1,300 @@
+#!/usr/bin/env bash
+# Test scenario orchestration for integration tests
+#
+# This library provides the main orchestration functions that encapsulate
+# the test workflow and make individual test scenarios readable.
+
+# Source all helper libraries
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/common.sh"
+source "${SCRIPT_DIR}/prereqs.sh"
+source "${SCRIPT_DIR}/vcs.sh"
+source "${SCRIPT_DIR}/sandbox.sh"
+source "${SCRIPT_DIR}/assertions.sh"
+
+# Global test context (set by run_scenario)
+declare -g SCENARIO_BACKEND=""
+declare -g SCENARIO_VCS=""
+declare -g SCENARIO_REPO_DIR=""
+declare -g SCENARIO_SANDBOX_NAME=""
+declare -g SCENARIO_WORKSPACE_DIR=""  # Host-side workspace path (may differ from repo dir)
+declare -g SCENARIO_TEMPLATE="${FORAGE_TEST_TEMPLATE:-test}"
+
+# Run a complete test scenario
+#
+# This function orchestrates the entire test lifecycle:
+# 1. Check prerequisites (skip if not available)
+# 2. Create test repository
+# 3. Create and start sandbox
+# 4. Wait for sandbox to be ready
+# 5. Run scenario-specific steps (passed as function)
+# 6. Cleanup
+#
+# Usage:
+#   run_scenario "docker" "git" scenario_function
+#
+run_scenario() {
+    local backend="$1"
+    local vcs="$2"
+    local scenario_func="$3"
+    local test_name="${4:-${backend}-${vcs}}"
+
+    # Initialize test
+    test_start "$test_name"
+
+    # Set global context
+    SCENARIO_BACKEND="$backend"
+    SCENARIO_VCS="$vcs"
+
+    # Check prerequisites
+    check_all_prerequisites "$backend" "$vcs"
+
+    # Create test repository
+    log_info "=== Setting up test repository ==="
+    SCENARIO_REPO_DIR=$(create_test_repo "$vcs")
+    log_info "Repository created at: $SCENARIO_REPO_DIR"
+
+    # Create sandbox
+    log_info "=== Creating sandbox ==="
+    SCENARIO_SANDBOX_NAME=$(create_sandbox "$backend" "$vcs" "$SCENARIO_REPO_DIR" "$SCENARIO_TEMPLATE")
+
+    # Resolve the host workspace path
+    SCENARIO_WORKSPACE_DIR=$(forage-ctl status "$SCENARIO_SANDBOX_NAME" 2>/dev/null | grep '^Workspace:' | sed 's/^Workspace: //')
+    log_info "Workspace: $SCENARIO_WORKSPACE_DIR"
+
+    # Start sandbox
+    log_info "=== Starting sandbox ==="
+    start_sandbox "$SCENARIO_SANDBOX_NAME"
+
+    # Wait for sandbox to be ready
+    log_info "=== Waiting for sandbox to be ready ==="
+    wait_for_sandbox_ready "$SCENARIO_SANDBOX_NAME"
+
+    # Run the scenario function
+    log_info "=== Running test scenario ==="
+    if ! "$scenario_func"; then
+        test_fail "Scenario function failed"
+    fi
+
+    # End test (runs cleanup)
+    test_end
+}
+
+# Run a scenario without starting the sandbox
+# Useful for testing sandbox creation/configuration only
+run_scenario_no_start() {
+    local backend="$1"
+    local vcs="$2"
+    local scenario_func="$3"
+    local test_name="${4:-${backend}-${vcs}-no-start}"
+
+    # Initialize test
+    test_start "$test_name"
+
+    # Set global context
+    SCENARIO_BACKEND="$backend"
+    SCENARIO_VCS="$vcs"
+
+    # Check prerequisites
+    check_all_prerequisites "$backend" "$vcs"
+
+    # Create test repository
+    log_info "=== Setting up test repository ==="
+    SCENARIO_REPO_DIR=$(create_test_repo "$vcs")
+    log_info "Repository created at: $SCENARIO_REPO_DIR"
+
+    # Create sandbox (but don't start)
+    log_info "=== Creating sandbox (without starting) ==="
+    SCENARIO_SANDBOX_NAME=$(create_sandbox "$backend" "$vcs" "$SCENARIO_REPO_DIR" "$SCENARIO_TEMPLATE")
+
+    # Run the scenario function
+    log_info "=== Running test scenario ==="
+    if ! "$scenario_func"; then
+        test_fail "Scenario function failed"
+    fi
+
+    # End test (runs cleanup)
+    test_end
+}
+
+# Convenience functions for use within scenario functions
+# These use the global context set by run_scenario
+
+# Execute a command in the current scenario's sandbox
+scenario_exec() {
+    sandbox_exec "$SCENARIO_SANDBOX_NAME" "$@"
+}
+
+# Execute and capture output
+scenario_exec_capture() {
+    sandbox_exec_capture "$SCENARIO_SANDBOX_NAME" "$@"
+}
+
+# Create a file in the sandbox workspace
+scenario_create_file() {
+    sandbox_create_file "$SCENARIO_SANDBOX_NAME" "$@"
+}
+
+# Get file content from sandbox workspace
+scenario_get_file() {
+    sandbox_get_file_content "$SCENARIO_SANDBOX_NAME" "$@"
+}
+
+# Check if file exists in sandbox workspace
+scenario_file_exists() {
+    sandbox_file_exists "$SCENARIO_SANDBOX_NAME" "$@"
+}
+
+# Get VCS status in sandbox
+scenario_vcs_status() {
+    sandbox_vcs_status "$SCENARIO_SANDBOX_NAME" "$SCENARIO_VCS"
+}
+
+# Commit changes in sandbox
+scenario_vcs_commit() {
+    sandbox_vcs_commit "$SCENARIO_SANDBOX_NAME" "$SCENARIO_VCS" "$@"
+}
+
+# Check if a file exists in the host repository
+scenario_repo_file_exists() {
+    repo_file_exists "$SCENARIO_REPO_DIR" "$@"
+}
+
+# Get file content from host repository
+scenario_repo_get_file() {
+    repo_get_file_content "$SCENARIO_REPO_DIR" "$@"
+}
+
+# Add a file to the host repository
+scenario_repo_add_file() {
+    repo_add_file "$SCENARIO_REPO_DIR" "$@"
+}
+
+# Commit in host repository
+scenario_repo_commit() {
+    repo_commit "$SCENARIO_REPO_DIR" "$SCENARIO_VCS" "$@"
+}
+
+# Get VCS status of host repository
+scenario_repo_status() {
+    repo_status "$SCENARIO_REPO_DIR" "$SCENARIO_VCS"
+}
+
+# ============================================
+# Common test scenario implementations
+# These can be reused across different backends/VCS
+# ============================================
+
+# Scenario: Basic workspace access
+# Verifies that the sandbox can access the workspace
+scenario_basic_workspace_access() {
+    log_info "Testing basic workspace access..."
+
+    # Verify README exists (from initial commit)
+    assert_true "README.md exists in sandbox workspace" \
+        "scenario_file_exists README.md"
+
+    # Read README content
+    local content
+    content=$(scenario_get_file README.md)
+    assert_contains "README has expected content" "$content" "Test Project"
+
+    log_info "Basic workspace access test passed"
+}
+
+# Scenario: File creation and sync
+# Verifies that files created in sandbox appear in host repo
+scenario_file_creation_sync() {
+    log_info "Testing file creation and sync..."
+
+    # Create a file in the sandbox
+    scenario_create_file "sandbox-created.txt" "Hello from sandbox"
+
+    # Verify file exists in sandbox
+    assert_true "File exists in sandbox" \
+        "scenario_file_exists sandbox-created.txt"
+
+    # Verify file synced to host workspace
+    # For worktree/jj modes, files appear in the workspace dir, not the source repo
+    local check_dir="${SCENARIO_WORKSPACE_DIR:-$SCENARIO_REPO_DIR}"
+    assert_true "File synced to host workspace" \
+        "[[ -f '$check_dir/sandbox-created.txt' ]]"
+
+    # Verify content matches
+    local host_content
+    host_content=$(cat "$check_dir/sandbox-created.txt")
+    assert_contains "Content matches" "$host_content" "Hello from sandbox"
+
+    log_info "File creation sync test passed"
+}
+
+# Scenario: VCS operations inside sandbox
+# Verifies that VCS commands work inside the sandbox
+scenario_vcs_operations() {
+    log_info "Testing VCS operations inside sandbox..."
+
+    # Create a file
+    scenario_create_file "vcs-test.txt" "Testing VCS operations"
+
+    # Check status shows the change
+    local status
+    status=$(scenario_vcs_status)
+    log_info "VCS status: $status"
+
+    # The status output format differs between git and jj
+    # Just verify we got some output
+    assert_true "VCS status shows output" "[[ -n '$status' ]]"
+
+    # Commit the change
+    scenario_vcs_commit "Add vcs-test.txt from integration test"
+
+    # Verify commit was made
+    local new_status
+    new_status=$(scenario_vcs_status)
+    log_info "VCS status after commit: $new_status"
+
+    log_info "VCS operations test passed"
+}
+
+# Scenario: Bidirectional sync
+# Verifies that changes from host appear in sandbox
+scenario_bidirectional_sync() {
+    log_info "Testing bidirectional sync..."
+
+    # Create a file on the host side
+    scenario_repo_add_file "host-created.txt" "Hello from host"
+    scenario_repo_commit "Add host-created.txt"
+
+    # Note: For git-worktree, changes need to be on the branch
+    # For jj, the workspace should see changes automatically
+
+    # Verify file appears in sandbox
+    # This may require refreshing the workspace depending on VCS mode
+    local found=false
+    for i in {1..5}; do
+        if scenario_file_exists host-created.txt 2>/dev/null; then
+            found=true
+            break
+        fi
+        sleep 1
+    done
+
+    if [[ "$found" == "true" ]]; then
+        assert_true "Host file visible in sandbox" "true"
+        local content
+        content=$(scenario_get_file host-created.txt)
+        assert_contains "Host file content matches" "$content" "Hello from host"
+    else
+        log_warn "Bidirectional sync not verified (may depend on VCS mode)"
+    fi
+
+    log_info "Bidirectional sync test completed"
+}
+
+# Full integration scenario combining all tests
+scenario_full_integration() {
+    scenario_basic_workspace_access
+    scenario_file_creation_sync
+    scenario_vcs_operations
+    # scenario_bidirectional_sync  # Can be flaky depending on VCS mode
+}
diff --git a/tests/integration/lib/vcs.sh b/tests/integration/lib/vcs.sh
new file mode 100755
index 0000000..7b2dd6c
--- /dev/null
+++ b/tests/integration/lib/vcs.sh
@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+# VCS helpers for integration tests
+#
+# This library provides functions to create and manage test repositories
+# using different version control systems.
+
+# Source common utilities
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/common.sh"
+
+# Ensure git is configured for commits
+ensure_git_config() {
+    # Only set if not already configured (via any source: global, system, etc.)
+    if [[ -z "$(git config user.email 2>/dev/null || true)" ]]; then
+        git config --global user.email "test@forage-integration.local" 2>/dev/null || true
+    fi
+    if [[ -z "$(git config user.name 2>/dev/null || true)" ]]; then
+        git config --global user.name "Forage Integration Test" 2>/dev/null || true
+    fi
+}
+
+# Create a test repository
+# Returns the path to the created repository
+create_test_repo() {
+    local vcs="$1"
+    local name="${2:-test-project}"
+
+    local repo_dir
+    repo_dir=$(create_temp_dir "forage-repo")
+    repo_dir="${repo_dir}/${name}"
+    mkdir -p "$repo_dir"
+
+    case "$vcs" in
+        git|git-worktree)
+            create_git_repo "$repo_dir"
+            ;;
+        jj)
+            create_jj_repo "$repo_dir"
+            ;;
+        *)
+            log_error "Unknown VCS: $vcs"
+            return 1
+            ;;
+    esac
+
+    echo "$repo_dir"
+}
+
+create_git_repo() {
+    local repo_dir="$1"
+
+    ensure_git_config
+
+    log_info "Creating git repository at $repo_dir"
+
+    (
+        cd "$repo_dir"
+        git init -q
+        echo "# Test Project" > README.md
+        echo "Created for forage integration testing" >> README.md
+        git add README.md
+        git commit -q -m "Initial commit"
+    )
+
+    log_info "Git repository created with initial commit"
+}
+
+create_jj_repo() {
+    local repo_dir="$1"
+
+    ensure_git_config
+
+    log_info "Creating jj repository at $repo_dir"
+
+    (
+        cd "$repo_dir"
+        jj git init --quiet
+        echo "# Test Project" > README.md
+        echo "Created for forage integration testing" >> README.md
+        jj commit -m "Initial commit"
+    )
+
+    log_info "JJ repository created with initial commit"
+}
+
+# Make a change in the repository (outside sandbox)
+repo_add_file() {
+    local repo_dir="$1"
+    local filename="$2"
+    local content="$3"
+
+    echo "$content" > "${repo_dir}/${filename}"
+}
+
+# Commit changes in the repository
+repo_commit() {
+    local repo_dir="$1"
+    local vcs="$2"
+    local message="$3"
+
+    (
+        cd "$repo_dir"
+        case "$vcs" in
+            git|git-worktree)
+                git add -A
+                git commit -q -m "$message"
+                ;;
+            jj)
+                jj commit -m "$message"
+                ;;
+        esac
+    )
+}
+
+# Get the current commit/change ID
+repo_get_head() {
+    local repo_dir="$1"
+    local vcs="$2"
+
+    (
+        cd "$repo_dir"
+        case "$vcs" in
+            git|git-worktree)
+                git rev-parse HEAD
+                ;;
+            jj)
+                jj log --no-graph -r @ -T 'change_id' | head -1
+                ;;
+        esac
+    )
+}
+
+# Check if a file exists in the repository
+repo_file_exists() {
+    local repo_dir="$1"
+    local filename="$2"
+
+    [[ -f "${repo_dir}/${filename}" ]]
+}
+
+# Get the content of a file in the repository
+repo_get_file_content() {
+    local repo_dir="$1"
+    local filename="$2"
+
+    cat "${repo_dir}/${filename}"
+}
+
+# List files in the repository
+repo_list_files() {
+    local repo_dir="$1"
+
+    ls -la "$repo_dir"
+}
+
+# Get the VCS status
+repo_status() {
+    local repo_dir="$1"
+    local vcs="$2"
+
+    (
+        cd "$repo_dir"
+        case "$vcs" in
+            git|git-worktree)
+                git status --short
+                ;;
+            jj)
+                jj status
+                ;;
+        esac
+    )
+}
diff --git a/tests/integration/run-all.sh b/tests/integration/run-all.sh
new file mode 100755
index 0000000..a58ae60
--- /dev/null
+++ b/tests/integration/run-all.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+# Run all integration tests
+#
+# This script runs all integration tests for available backend/VCS combinations.
+# Tests that cannot run on the current system (missing prerequisites) will be
+# skipped automatically.
+#
+# Usage:
+#   ./run-all.sh              # Run all tests
+#   ./run-all.sh --parallel   # Run tests in parallel
+#   ./run-all.sh docker       # Run only docker tests
+#   ./run-all.sh jj           # Run only jj VCS tests
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Colors
+if [[ -t 1 ]]; then
+    RED='\033[0;31m'
+    GREEN='\033[0;32m'
+    YELLOW='\033[0;33m'
+    BLUE='\033[0;34m'
+    NC='\033[0m'
+else
+    RED=''
+    GREEN=''
+    YELLOW=''
+    BLUE=''
+    NC=''
+fi
+
+# Test results tracking
+declare -A RESULTS
+PASSED=0
+FAILED=0
+SKIPPED=0
+
+# Parse arguments
+FILTER="${1:-}"
+PARALLEL=false
+
+if [[ "$FILTER" == "--parallel" ]]; then
+    PARALLEL=true
+    FILTER="${2:-}"
+fi
+
+# Find all test scripts
+find_tests() {
+    local filter="$1"
+
+    for test_script in "${SCRIPT_DIR}"/test-*.sh; do
+        if [[ -f "$test_script" ]]; then
+            local name
+            name=$(basename "$test_script" .sh)
+
+            # Apply filter if specified
+            if [[ -n "$filter" ]]; then
+                if [[ "$name" != *"$filter"* ]]; then
+                    continue
+                fi
+            fi
+
+            echo "$test_script"
+        fi
+    done
+}
+
+# Run a single test and capture result
+run_test() {
+    local test_script="$1"
+    local name
+    name=$(basename "$test_script" .sh)
+
+    echo -e "${BLUE}Running: ${name}${NC}"
+
+    local start_time
+    start_time=$(date +%s)
+
+    local exit_code=0
+    local output
+    output=$("$test_script" 2>&1) || exit_code=$?
+
+    local end_time
+    end_time=$(date +%s)
+    local duration=$((end_time - start_time))
+
+    if [[ $exit_code -eq 0 ]]; then
+        # Check if it was skipped (look for SKIP in output)
+        if echo "$output" | grep -q "\[SKIP\]"; then
+            RESULTS[$name]="SKIPPED"
+            ((SKIPPED++))
+            echo -e "${YELLOW}  SKIPPED${NC} (${duration}s)"
+            # Show skip reason
+            echo "$output" | grep "\[SKIP\]" | head -1 | sed 's/^/    /'
+        else
+            RESULTS[$name]="PASSED"
+            ((PASSED++))
+            echo -e "${GREEN}  PASSED${NC} (${duration}s)"
+        fi
+    else
+        RESULTS[$name]="FAILED"
+        ((FAILED++))
+        echo -e "${RED}  FAILED${NC} (${duration}s)"
+        # Show failure details
+        echo "$output" | tail -20 | sed 's/^/    /'
+    fi
+}
+
+# Run tests in parallel
+run_tests_parallel() {
+    local tests=("$@")
+    local pids=()
+
+    for test_script in "${tests[@]}"; do
+        (
+            run_test "$test_script"
+        ) &
+        pids+=($!)
+    done
+
+    # Wait for all tests
+    for pid in "${pids[@]}"; do
+        wait "$pid" || true
+    done
+}
+
+# Run tests sequentially
+run_tests_sequential() {
+    local tests=("$@")
+
+    for test_script in "${tests[@]}"; do
+        run_test "$test_script"
+    done
+}
+
+# Main
+main() {
+    echo -e "${BLUE}=======================================${NC}"
+    echo -e "${BLUE}Forage Integration Test Suite${NC}"
+    echo -e "${BLUE}=======================================${NC}"
+    echo ""
+
+    if [[ -n "$FILTER" ]]; then
+        echo -e "Filter: ${FILTER}"
+    fi
+    echo -e "Parallel: ${PARALLEL}"
+    echo ""
+
+    # Find tests
+    local tests=()
+    while IFS= read -r test; do
+        tests+=("$test")
+    done < <(find_tests "$FILTER")
+
+    if [[ ${#tests[@]} -eq 0 ]]; then
+        echo -e "${YELLOW}No tests found${NC}"
+        exit 0
+    fi
+
+    echo -e "Found ${#tests[@]} test(s)"
+    echo ""
+
+    # Run tests
+    if [[ "$PARALLEL" == "true" ]]; then
+        run_tests_parallel "${tests[@]}"
+    else
+        run_tests_sequential "${tests[@]}"
+    fi
+
+    # Summary
+    echo ""
+    echo -e "${BLUE}=======================================${NC}"
+    echo -e "${BLUE}Summary${NC}"
+    echo -e "${BLUE}=======================================${NC}"
+    echo -e "${GREEN}Passed:  ${PASSED}${NC}"
+    echo -e "${RED}Failed:  ${FAILED}${NC}"
+    echo -e "${YELLOW}Skipped: ${SKIPPED}${NC}"
+    echo ""
+
+    # Detailed results
+    echo "Results by test:"
+    for name in "${!RESULTS[@]}"; do
+        local result="${RESULTS[$name]}"
+        case "$result" in
+            PASSED)
+                echo -e "  ${GREEN}PASS${NC} $name"
+                ;;
+            FAILED)
+                echo -e "  ${RED}FAIL${NC} $name"
+                ;;
+            SKIPPED)
+                echo -e "  ${YELLOW}SKIP${NC} $name"
+                ;;
+        esac
+    done | sort
+
+    # Exit with failure if any test failed
+    if [[ $FAILED -gt 0 ]]; then
+        exit 1
+    fi
+}
+
+main
diff --git a/tests/integration/test-apple-git.sh b/tests/integration/test-apple-git.sh
new file mode 100755
index 0000000..2512f90
--- /dev/null
+++ b/tests/integration/test-apple-git.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Integration test: apple backend + git-worktree VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: Apple (macOS virtualization)
+# - VCS mode: git-worktree
+#
+# Prerequisites:
+# - macOS system
+# - Apple's container CLI available
+# - git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "apple" "git" scenario_full_integration "apple-git-integration"
diff --git a/tests/integration/test-apple-jj.sh b/tests/integration/test-apple-jj.sh
new file mode 100755
index 0000000..9d159cb
--- /dev/null
+++ b/tests/integration/test-apple-jj.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Integration test: apple backend + jj VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: Apple (macOS virtualization)
+# - VCS mode: jj (jujutsu)
+#
+# Prerequisites:
+# - macOS system
+# - Apple's container CLI available
+# - jj and git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "apple" "jj" scenario_full_integration "apple-jj-integration"
diff --git a/tests/integration/test-apple-specific.sh b/tests/integration/test-apple-specific.sh
new file mode 100755
index 0000000..e3c4e9d
--- /dev/null
+++ b/tests/integration/test-apple-specific.sh
@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+# Integration test: Apple-specific backend behaviors
+#
+# This test exercises features unique to the Apple Container (Virtualization.framework)
+# backend that are not covered by generic cross-backend scenarios:
+#
+# - Nix store availability in the VM
+# - Generated file injection
+# - Environment variable propagation
+# - Container inspect JSON parsing
+# - Command wrapping in /bin/sh -c
+# - Graceful shutdown timeout behavior
+# - Label-based container listing
+#
+# Prerequisites:
+# - macOS system
+# - Apple's container CLI available
+# - Nix installed on host
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# ============================================
+# Apple-specific scenario implementations
+# ============================================
+
+# Scenario: Nix store is accessible inside the VM
+scenario_apple_nix_store() {
+    log_info "Testing Nix store availability in Apple VM..."
+
+    # /nix/store should be mounted
+    assert_true "/nix/store is accessible" \
+        "scenario_exec 'test -d /nix/store'"
+
+    # Should contain at least some store paths
+    local store_count
+    store_count=$(scenario_exec_capture 'ls /nix/store | wc -l')
+    store_count=$(echo "$store_count" | tr -d '[:space:]')
+    assert_true "Nix store has entries (got $store_count)" \
+        "[[ $store_count -gt 0 ]]"
+
+    # nix-daemon socket should be available
+    assert_true "Nix daemon socket is available" \
+        "scenario_exec 'test -e /nix/var/nix/daemon-socket/socket || test -S /nix/var/nix/daemon-socket/socket'" || \
+        log_warn "Nix daemon socket not found (nix-daemon may not be forwarded)"
+
+    log_info "Nix store availability test passed"
+}
+
+# Scenario: Environment variables are propagated
+scenario_apple_env_vars() {
+    log_info "Testing environment variable propagation..."
+
+    # The sandbox should have basic env vars set
+    local path
+    path=$(scenario_exec_capture 'echo $PATH')
+    assert_true "PATH is set" "[[ -n '$path' ]]"
+
+    # Nix profile paths should be in PATH (from /bin/sh sourcing)
+    assert_contains "PATH contains nix profile" "$path" "nix"
+
+    log_info "Environment variable propagation test passed"
+}
+
+# Scenario: Commands are properly wrapped in /bin/sh -c
+scenario_apple_command_wrapping() {
+    log_info "Testing command wrapping in /bin/sh -c..."
+
+    # Commands with pipes should work (requires shell wrapping)
+    local result
+    result=$(scenario_exec_capture 'echo hello | tr h H')
+    assert_equals "Piped command works" "Hello" "$(echo "$result" | tr -d '[:space:]')"
+
+    # Commands with semicolons should work
+    result=$(scenario_exec_capture 'echo first; echo second')
+    assert_contains "Multi-command works" "$result" "first"
+    assert_contains "Multi-command works (second)" "$result" "second"
+
+    # Commands with environment variable expansion should work
+    result=$(scenario_exec_capture 'export FOO=bar; echo $FOO')
+    assert_contains "Variable expansion works" "$result" "bar"
+
+    log_info "Command wrapping test passed"
+}
+
+# Scenario: Container inspect returns valid JSON
+scenario_apple_inspect() {
+    log_info "Testing container inspect JSON parsing..."
+
+    # Get container status via forage-ctl (which parses inspect JSON)
+    local status
+    status=$(forage-ctl status "$SCENARIO_SANDBOX_NAME" 2>&1) || true
+    assert_contains "Status shows running" "$status" "running"
+
+    # The status output should include the sandbox name
+    assert_contains "Status shows sandbox name" "$status" "$SCENARIO_SANDBOX_NAME"
+
+    log_info "Container inspect test passed"
+}
+
+# Scenario: Container listing with labels works
+scenario_apple_listing() {
+    log_info "Testing label-based container listing..."
+
+    # forage-ctl ps should list our sandbox
+    local ps_output
+    ps_output=$(forage-ctl ps 2>&1) || true
+    assert_contains "ps lists our sandbox" "$ps_output" "$SCENARIO_SANDBOX_NAME"
+
+    log_info "Container listing test passed"
+}
+
+# Scenario: Graceful shutdown works within timeout
+scenario_apple_graceful_shutdown() {
+    log_info "Testing graceful shutdown..."
+
+    # Stop the sandbox
+    forage-ctl stop "$SCENARIO_SANDBOX_NAME" >&2
+
+    # Verify it's stopped
+    local running
+    running=$(forage-ctl status "$SCENARIO_SANDBOX_NAME" 2>&1) || true
+    assert_contains "Container is stopped" "$running" "stopped"
+
+    # Restart for cleanup
+    forage-ctl start "$SCENARIO_SANDBOX_NAME" >&2
+    wait_for_sandbox_ready "$SCENARIO_SANDBOX_NAME"
+
+    log_info "Graceful shutdown test passed"
+}
+
+# Combined Apple-specific scenario
+scenario_apple_specific() {
+    scenario_apple_nix_store
+    scenario_apple_env_vars
+    scenario_apple_command_wrapping
+    scenario_apple_inspect
+    scenario_apple_listing
+    scenario_apple_graceful_shutdown
+}
+
+# Run apple-specific scenarios using jj (default VCS for macOS)
+run_scenario "apple" "jj" scenario_apple_specific "apple-specific"
diff --git a/tests/integration/test-docker-git.sh b/tests/integration/test-docker-git.sh
new file mode 100755
index 0000000..4d83820
--- /dev/null
+++ b/tests/integration/test-docker-git.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Integration test: docker backend + git-worktree VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: Docker
+# - VCS mode: git-worktree
+#
+# Prerequisites:
+# - Docker installed and running
+# - git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "docker" "git" scenario_full_integration "docker-git-integration"
diff --git a/tests/integration/test-docker-jj.sh b/tests/integration/test-docker-jj.sh
new file mode 100755
index 0000000..9868b46
--- /dev/null
+++ b/tests/integration/test-docker-jj.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Integration test: docker backend + jj VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: Docker
+# - VCS mode: jj (jujutsu)
+#
+# Prerequisites:
+# - Docker installed and running
+# - jj and git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "docker" "jj" scenario_full_integration "docker-jj-integration"
diff --git a/tests/integration/test-nspawn-git.sh b/tests/integration/test-nspawn-git.sh
new file mode 100755
index 0000000..a3386e1
--- /dev/null
+++ b/tests/integration/test-nspawn-git.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Integration test: nspawn backend + git-worktree VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: systemd-nspawn
+# - VCS mode: git-worktree
+#
+# Prerequisites:
+# - NixOS system with systemd
+# - git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "nspawn" "git" scenario_full_integration "nspawn-git-integration"
diff --git a/tests/integration/test-nspawn-jj.sh b/tests/integration/test-nspawn-jj.sh
new file mode 100755
index 0000000..5060a91
--- /dev/null
+++ b/tests/integration/test-nspawn-jj.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Integration test: nspawn backend + jj VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: systemd-nspawn
+# - VCS mode: jj (jujutsu)
+#
+# Prerequisites:
+# - NixOS system with systemd
+# - jj and git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "nspawn" "jj" scenario_full_integration "nspawn-jj-integration"
diff --git a/tests/integration/test-podman-git.sh b/tests/integration/test-podman-git.sh
new file mode 100755
index 0000000..cdd0119
--- /dev/null
+++ b/tests/integration/test-podman-git.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Integration test: podman backend + git-worktree VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: Podman
+# - VCS mode: git-worktree
+#
+# Prerequisites:
+# - Podman installed and working
+# - git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "podman" "git" scenario_full_integration "podman-git-integration"
diff --git a/tests/integration/test-podman-jj.sh b/tests/integration/test-podman-jj.sh
new file mode 100755
index 0000000..97e1fd6
--- /dev/null
+++ b/tests/integration/test-podman-jj.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Integration test: podman backend + jj VCS
+#
+# This test verifies the full sandbox workflow using:
+# - Container backend: Podman
+# - VCS mode: jj (jujutsu)
+#
+# Prerequisites:
+# - Podman installed and working
+# - jj and git installed
+# - forage-ctl configured with a 'test' template
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/lib/scenarios.sh"
+
+# Run the full integration scenario
+run_scenario "podman" "jj" scenario_full_integration "podman-jj-integration"
diff --git a/tests/vm-integration.nix b/tests/vm-integration.nix
new file mode 100644
index 0000000..8b34758
--- /dev/null
+++ b/tests/vm-integration.nix
@@ -0,0 +1,135 @@
+# NixOS VM integration test for Firefly Forage
+#
+# This test uses the actual nixosModule to verify the full integration works.
+# Run with: nix build .#checks.<system>.vm-integration
+#
+# NOTE: Full container lifecycle tests require network access which is not
+# available in hermetic VM tests. This test verifies module setup, templates,
+# and forage-ctl functionality without actually creating containers.
+# Full lifecycle testing should be done on a real NixOS system.
+{ pkgs, self }:
+
+pkgs.testers.runNixOSTest {
+  name = "firefly-forage-integration";
+
+  nodes.machine =
+    { config, pkgs, ... }:
+    {
+      imports = [ self.nixosModules.host ];
+
+      # Test user for the sandbox
+      users.users.testuser = {
+        isNormalUser = true;
+        uid = 1000;
+      };
+
+      # Create a dummy secret file for testing
+      environment.etc."forage-test-secret".text = "test-api-key";
+
+      # Enable the firefly-forage module with a test template
+      services.firefly-forage = {
+        enable = true;
+        user = "testuser";
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITestKeyForIntegrationTests test@forage"
+        ];
+        secrets.test-secret = "/etc/forage-test-secret";
+        templates.test = {
+          description = "Test template for integration tests";
+          network = "none";
+          agents.test-agent = {
+            package = pkgs.hello;
+            secretName = "test-secret";
+            authEnvVar = "TEST_KEY";
+          };
+        };
+      };
+
+      # Additional packages for testing
+      environment.systemPackages = with pkgs; [
+        jujutsu
+        git
+      ];
+
+      # Set NIX_PATH so nix-build of container configs can find nixpkgs
+      nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
+      virtualisation = {
+        memorySize = 2048;
+        cores = 2;
+      };
+    };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+
+    # === Module installation tests ===
+    print("Testing module installation...")
+
+    # Verify forage-ctl is installed and runs
+    machine.succeed("forage-ctl --help")
+
+    # Verify the module created the expected directories
+    machine.succeed("test -d /var/lib/firefly-forage")
+    machine.succeed("test -d /var/lib/firefly-forage/sandboxes")
+    machine.succeed("test -d /var/lib/firefly-forage/workspaces")
+    machine.succeed("test -d /etc/firefly-forage/templates")
+
+    # Verify host config was created
+    machine.succeed("test -f /etc/firefly-forage/config.json")
+    config = machine.succeed("cat /etc/firefly-forage/config.json")
+    print(f"Host config: {config}")
+    assert '"user":"testuser"' in config.replace(" ", ""), "Host config should have testuser"
+
+    # === Template tests ===
+    print("Testing templates...")
+
+    # Verify the test template is available
+    machine.succeed("forage-ctl templates | grep -q test")
+
+    # Verify template JSON was created
+    machine.succeed("test -f /etc/firefly-forage/templates/test.json")
+    template = machine.succeed("cat /etc/firefly-forage/templates/test.json")
+    print(f"Template: {template}")
+    assert '"network":"none"' in template.replace(" ", ""), "Template should have network=none"
+
+    # === Container infrastructure tests ===
+    print("Testing container infrastructure...")
+
+    # machinectl should work (triggers systemd-machined via socket)
+    machine.succeed("machinectl list")
+
+    # Mutable systemd unit directory should exist
+    machine.succeed("test -d /etc/systemd-mutable/system")
+
+    # === Secrets tests ===
+    print("Testing secrets...")
+
+    # Verify secrets directory exists
+    machine.succeed("test -d /run/forage-secrets")
+
+    # === JJ workspace creation test ===
+    print("Testing jj workspace creation...")
+
+    # Configure git (required for jj)
+    machine.succeed("git config --global user.email 'test@example.com'")
+    machine.succeed("git config --global user.name 'Test User'")
+
+    # Create a jj repository
+    machine.succeed("mkdir -p /tmp/test-project")
+    machine.succeed("cd /tmp/test-project && jj git init")
+    machine.succeed("echo '# Test Project' > /tmp/test-project/README.md")
+    machine.succeed("cd /tmp/test-project && jj commit -m 'Initial commit'")
+
+    # Verify jj log works
+    log_output = machine.succeed("cd /tmp/test-project && jj log --no-graph -T 'description'")
+    assert "Initial commit" in log_output, "Should see initial commit"
+
+    # Verify we can create a jj workspace
+    machine.succeed("cd /tmp/test-project && jj workspace add /tmp/test-workspace")
+    machine.succeed("test -d /tmp/test-workspace")
+    machine.succeed("test -f /tmp/test-workspace/README.md")
+
+    print("All integration tests passed!")
+  '';
+}