test(macos-container): satisfy pyright mock typing

Apple's container exec --interactive --tty does not put the host
terminal into raw mode before starting its I/O relay.  In cooked
(canonical) mode the kernel line discipline buffers modifier-key
escape sequences — e.g. Shift+Enter in modifyOtherKeys mode generates
\x1b[13;2~ — until a carriage-return arrives, so they never reach
Claude Code inside the container.

Add pty_forward.py, a stdlib-only wrapper (modelled on the existing
smolmachines pty_resize.py) that sets the host terminal to raw mode
via tty.setraw(), spawns the container exec command, and restores the
original terminal attributes on exit.  Falls back to a bare
subprocess.run when stdin is not a TTY (piped invocations, CI) or
when termios operations fail.

Also retain the --env TERM=<host> forwarding from the previous commit:
without TERM inside the container session, Claude Code cannot determine
which modifier-key protocol to enable even with raw mode correctly set.

Non-TTY exec paths (bottle.exec, cp_in) are unaffected.

README.md

@@ -5,7 +5,7 @@
 # bot-bottle
 
 [![test](https://gitea.dideric.is/didericis/bot-bottle/actions/workflows/test.yml/badge.svg?branch=main)](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
-[![pylint](https://img.shields.io/badge/pylint-9.93%2F10-brightgreen)](https://github.com/PyCQA/pylint)
+[![pylint](https://img.shields.io/badge/pylint-9.92%2F10-brightgreen)](https://github.com/PyCQA/pylint)
 [![pyright](https://img.shields.io/badge/pyright-0%20errors-brightgreen)](https://github.com/microsoft/pyright)
 
 **Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.
@@ -14,7 +14,7 @@
 
 ## Features
 
-- **Per-bottle egress allowlist** — TLS-bumped HTTP/HTTPS chokepoint with a per-manifest host allowlist; per-route path/method/header `matches` filtering; outbound DLP scanning for known tokens and secrets, inbound DLP scanning for prompt-injection attempts; DoH and arbitrary hosts blocked by default.
+- **Per-bottle egress allowlist** — TLS-bumped HTTP/HTTPS chokepoint with a per-manifest host allowlist and request-body DLP scanner; DoH and arbitrary hosts blocked by default.
 - **Tokens the agent never sees** — host secrets live in a sidecar; the agent dials `http://sidecar:9099/<path>` and the proxy strips inbound `Authorization` and injects the real token before forwarding. `printenv` in the agent shows proxy URLs only.
 - **Gitleaks-scanned push (git-gate)** — `bottle.git` remotes route through a per-bottle `git daemon` that gitleaks-scans incoming refs pre-receive and forwards clean refs upstream over SSH. The agent never holds the upstream credential.
 - **Manifest-scoped skills + secrets** — each bottle declares its skills, env, git identity, remotes, and egress routes; unknown keys die at load.
@@ -106,15 +106,8 @@ egress:
   routes:
     - host: gitea.dideric.is
       auth:
-        scheme: token        # Bearer | token
+        scheme: token
         token_ref: BOT_BOTTLE_GITEA_TOKEN
-      matches:               # optional — restrict to specific paths/methods/headers
-        - paths:
-            - {type: prefix, value: /api/v1/}
-          methods: [GET, POST, PATCH, DELETE]
-      dlp:                   # optional — per-route detector overrides (default: all on)
-        outbound_detectors: [token_patterns, known_secrets]
-        inbound_detectors: false   # disable response scanning for this host
 ---
 
 The `gitea-dev` bottle. Provider auth via the inherited Claude route;
@@ -133,23 +126,6 @@ skills:
 You help maintain Gitea-hosted projects.
 ````
 
-**Egress route fields:**
-
-| Field | Required | Description |
-|---|---|---|
-| `host` | yes | Hostname to allowlist. One entry per host. |
-| `role` | no | Provider-specific role string (e.g. `claude_code_oauth`). Wires built-in auth flows; set by provider templates, not manually. |
-| `auth.scheme` | when `auth` present | `Bearer` or `token`. Injected by the proxy; the agent never sees the value. |
-| `auth.token_ref` | when `auth` present | Env-var name holding the secret on the host. |
-| `matches` | no | Array of `{paths, methods, headers}` filters. A request must match at least one entry (if any are given) to be forwarded. |
-| `matches[].paths` | no | Array of `{type, value}`. `type` is `prefix` (default), `exact`, or `regex`. |
-| `matches[].methods` | no | Array of HTTP method strings, e.g. `[GET, POST]`. |
-| `matches[].headers` | no | Array of `{name, value, type}`. `type` is `exact` (default) or `regex`. |
-| `dlp` | no | Per-route DLP overrides. Omit to use defaults (all detectors on). |
-| `dlp.outbound_detectors` | no | `false` disables outbound scanning; list restricts to named detectors (`token_patterns`, `known_secrets`). |
-| `dlp.inbound_detectors` | no | `false` disables inbound scanning; list restricts to named detectors (`naive_injection_detection`). |
-| `git.fetch` | no | `true` permits smart HTTP clone/fetch (`git-upload-pack`) for this host. Push (`git-receive-pack`) remains blocked. |
-
 More examples in `examples/`. Full design lives under `docs/prds/`; the trust-boundary rationale is in `docs/prds/0011-per-file-md-manifest.md`.
 
 ## Trademarks

bot_bottle/backend/__init__.py

@@ -45,7 +45,7 @@ from ..agent_provider import AgentProvisionPlan, get_provider, build_agent_provi
 from ..egress import EgressPlan
 from ..git_gate import GitGatePlan
 from ..log import die, info
-from ..manifest import ManifestGitEntry, Manifest
+from ..manifest import Manifest
 from ..supervise import SupervisePlan
 from ..util import expand_tilde
 from ..env import resolve_env, ResolvedEnv
@@ -356,16 +356,14 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
         pass
 
     def _validate(self, spec: BottleSpec) -> None:
-        """Cross-backend pre-launch checks. Confirms the agent exists,
-        the named skills are present on the host, and every git
-        IdentityFile resolves. Subclasses with additional preconditions
-        should override and call `super()._validate(spec)` first."""
+        """Cross-backend pre-launch checks. Confirms the agent exists
+        and the named skills are present on the host. Subclasses with
+        additional preconditions should override and call
+        `super()._validate(spec)` first."""
         manifest = spec.manifest
         manifest.require_agent(spec.agent_name)
         agent = manifest.agents[spec.agent_name]
-        bottle = manifest.bottle_for(spec.agent_name)
         self._validate_skills(agent.skills)
-        self._validate_git_entries(bottle.git)
         self._validate_agent_provider_dockerfile(spec)
 
     def _validate_skills(self, skills: Sequence[str]) -> None:
@@ -380,16 +378,6 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
                     f"Create it under ~/.claude/skills/, then re-run."
                 )
 
-    def _validate_git_entries(self, entries: Sequence[ManifestGitEntry]) -> None:
-        """Each entry's IdentityFile must exist on the host (after
-        expanding leading ~) — the git-gate copies it in at start time
-        to authenticate the upstream push (PRD 0008). Shape is already
-        enforced by Manifest validation; this only checks presence."""
-        for entry in entries:
-            key = expand_tilde(entry.IdentityFile)
-            if not os.path.isfile(key):
-                die(f"git upstream key file not found for '{entry.Name}': {key}")
-
     def _validate_agent_provider_dockerfile(self, spec: BottleSpec) -> None:
         bottle = spec.manifest.bottle_for(spec.agent_name)
         dockerfile = bottle.agent_provider.dockerfile

bot_bottle/backend/docker/launch.py

@@ -176,7 +176,7 @@ def launch(
             agent_command=plan.agent_command,
             agent_prompt_mode=plan.agent_prompt_mode,
             agent_provider_template=plan.agent_provider_template,
-            terminal_title=plan.spec.label or plan.spec.agent_name,
+            terminal_title=f"{plan.spec.label} ({plan.spec.agent_name})" if plan.spec.label else plan.spec.agent_name,
             terminal_color=plan.spec.color,
             agent_workdir=plan.workspace_plan.workdir,
         )

bot_bottle/backend/macos_container/bottle.py

@@ -2,12 +2,41 @@
 
 from __future__ import annotations
 
+import os
 import subprocess
+import sys
 from typing import Callable, cast
 
 from ...agent_provider import PromptMode, prompt_args
 from .. import Bottle, ExecResult
 from ..terminal import exec_shell_script
+from . import pty_forward as _pty_forward
+
+
+_PTY_FORWARD_SCRIPT = _pty_forward.__file__
+_TERMINAL_ENV_NAMES = (
+    "TERM",
+    "COLORTERM",
+    "TERM_PROGRAM",
+    "TERM_PROGRAM_VERSION",
+    "KITTY_WINDOW_ID",
+    "KITTY_PID",
+    "WEZTERM_PANE",
+    "WEZTERM_UNIX_SOCKET",
+    "GHOSTTY_BIN_DIR",
+    "GHOSTTY_RESOURCES_DIR",
+    "ITERM_SESSION_ID",
+    "VTE_VERSION",
+    "KONSOLE_VERSION",
+    "ALACRITTY_WINDOW_ID",
+)
+
+
+def _terminal_env_names() -> tuple[str, ...]:
+    return tuple(
+        name for name in _TERMINAL_ENV_NAMES
+        if name == "TERM" or os.environ.get(name)
+    )
 
 
 class MacosContainerBottle(Bottle):
@@ -44,13 +73,24 @@ class MacosContainerBottle(Bottle):
                 argv=full_argv,
             )
         )
-        cmd = ["container", "exec"]
+        container_exec = ["container", "exec"]
         if tty:
-            cmd.extend(["--interactive", "--tty"])
+            container_exec.extend(["--interactive", "--tty"])
+            # Forward terminal capability hints so TUIs can enable modified-key
+            # protocols. Use bare env names: values stay in the child env, not
+            # on argv, and pty_forward supplies a TERM fallback when needed.
+            for name in _terminal_env_names():
+                container_exec.extend(["--env", name])
         if self.agent_workdir and self.agent_workdir != "/home/node":
-            cmd.extend(["--workdir", self.agent_workdir])
-        cmd.extend([self.name, self.agent_command, *full_argv])
-        return cmd
+            container_exec.extend(["--workdir", self.agent_workdir])
+        container_exec.extend([self.name, self.agent_command, *full_argv])
+        if tty:
+            # Wrap with the raw-mode forwarder: container exec does not put
+            # the host terminal into raw mode itself, so the line discipline
+            # buffers modifier-key sequences until CR.  The wrapper sets raw
+            # mode before exec and restores it on exit.
+            return [sys.executable, _PTY_FORWARD_SCRIPT, "--", *container_exec]
+        return container_exec
 
     def exec_agent(self, argv: list[str], *, tty: bool = True) -> int:
         agent_argv = self.agent_argv(argv, tty=tty)

bot_bottle/backend/macos_container/launch.py

@@ -112,7 +112,7 @@ def launch(
             agent_command=plan.agent_command,
             agent_prompt_mode=plan.agent_prompt_mode,
             agent_provider_template=plan.agent_provider_template,
-            terminal_title=plan.spec.label or plan.spec.agent_name,
+            terminal_title=f"{plan.spec.label} ({plan.spec.agent_name})" if plan.spec.label else plan.spec.agent_name,
             terminal_color=plan.spec.color,
             agent_workdir=plan.workspace_plan.workdir,
         )

bot_bottle/backend/macos_container/pty_forward.py

@@ -0,0 +1,70 @@
+"""Host-side raw-mode wrapper for `container exec --interactive --tty`.
+
+Apple's `container exec --interactive --tty` does not set the host terminal to
+raw mode before starting its I/O relay.  Without raw mode the kernel line
+discipline buffers modifier-key escape sequences (e.g. Shift+Enter in
+modifyOtherKeys mode produces \\x1b[13;2~) until a carriage-return arrives, so
+they never reach Claude Code inside the container.
+
+This module sets the host terminal to raw mode, spawns the inner argv (the
+container exec command), and restores the original terminal attributes on
+exit.  When stdin is not a TTY (piped invocations, CI) it falls through to a
+bare subprocess.run so callers do not need to special-case non-interactive
+contexts.
+
+Usage (the `--` separator is the API contract — everything after it is the
+inner command):
+
+    python pty_forward.py -- container exec --interactive --tty <name> <cmd>
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+import termios
+import tty
+
+
+def _inner_env() -> dict[str, str]:
+    env = dict(os.environ)
+    env.setdefault("TERM", "xterm-256color")
+    return env
+
+
+def _run_inner(inner: list[str]) -> int:
+    return subprocess.run(inner, check=False, env=_inner_env()).returncode
+
+
+def main(argv: list[str]) -> int:
+    """Entry point.  ``argv`` shape: ``-- <inner-argv...>``."""
+    if len(argv) < 2 or argv[0] != "--":
+        sys.stderr.write(
+            "usage: python pty_forward.py -- <container-exec-argv...>\n"
+        )
+        return 2
+    inner = argv[1:]
+
+    try:
+        fd = sys.stdin.fileno()
+    except OSError:
+        return _run_inner(inner)
+
+    if not os.isatty(fd):
+        return _run_inner(inner)
+
+    try:
+        old = termios.tcgetattr(fd)
+    except termios.error:
+        return _run_inner(inner)
+
+    try:
+        tty.setraw(fd)
+        return _run_inner(inner)
+    finally:
+        termios.tcsetattr(fd, termios.TCSADRAIN, old)
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))

bot_bottle/backend/resolve_common.py

@@ -33,8 +33,18 @@ from . import BottleSpec
 
 def mint_slug(spec: BottleSpec) -> str:
     """Return the bottle identity: the recorded identity for a resume,
-    or a freshly minted one for a new start."""
-    return spec.identity or bottle_identity(spec.agent_name)
+    or a freshly minted one for a new start.
+
+    When a label is provided it becomes the full slug (no random suffix),
+    so two launches with the same label collide by design.  When no label
+    is given the identity is minted with a random suffix to avoid
+    collisions between anonymous launches of the same agent."""
+    if spec.identity:
+        return spec.identity
+    if spec.label:
+        from .docker import util as docker_mod
+        return docker_mod.slugify(spec.label)
+    return bottle_identity(spec.agent_name)
 
 
 def write_launch_metadata(

bot_bottle/backend/smolmachines/launch.py

@@ -104,7 +104,7 @@ def launch(
             agent_command=plan.agent_command,
             agent_prompt_mode=plan.agent_prompt_mode,
             agent_provider_template=plan.agent_provider_template,
-            terminal_title=plan.spec.label or plan.spec.agent_name,
+            terminal_title=f"{plan.spec.label} ({plan.spec.agent_name})" if plan.spec.label else plan.spec.agent_name,
             terminal_color=plan.spec.color,
             agent_workdir=plan.workspace_plan.workdir,
         )

bot_bottle/backend/terminal.py

@@ -12,22 +12,11 @@ import shlex
 # uses true/24-bit colors for its own chrome, which would otherwise bypass
 # the palette entirely.
 _COLORS: dict[str, tuple[int, str, int, str, str]] = {
-    "black":          (0,  "#2d2d2d", 8,  "#5c5c5c", "#0a0a0a"),
-    "red":            (1,  "#c0392b", 9,  "#e74c3c", "#1a0707"),
-    "green":          (2,  "#27ae60", 10, "#2ecc71", "#071a09"),
-    "yellow":         (3,  "#d4ac0d", 11, "#f1c40f", "#1a1507"),
-    "blue":           (4,  "#2471a3", 12, "#3498db", "#07071a"),
-    "magenta":        (5,  "#7d3c98", 13, "#9b59b6", "#12071a"),
-    "cyan":           (6,  "#148f77", 14, "#1abc9c", "#071a1a"),
-    "white":          (7,  "#bdc3c7", 15, "#ecf0f1", "#111111"),
-    "bright-black":   (8,  "#5c5c5c", 0,  "#2d2d2d", "#111111"),
-    "bright-red":     (9,  "#e74c3c", 1,  "#c0392b", "#200808"),
-    "bright-green":   (10, "#2ecc71", 2,  "#27ae60", "#082008"),
-    "bright-yellow":  (11, "#f1c40f", 3,  "#d4ac0d", "#201808"),
-    "bright-blue":    (12, "#3498db", 4,  "#2471a3", "#080820"),
-    "bright-magenta": (13, "#9b59b6", 5,  "#7d3c98", "#160820"),
-    "bright-cyan":    (14, "#1abc9c", 6,  "#148f77", "#082020"),
-    "bright-white":   (15, "#ecf0f1", 7,  "#bdc3c7", "#151515"),
+    "red":     (9,  "#e74c3c", 1,  "#c0392b", "#200808"),
+    "green":   (10, "#2ecc71", 2,  "#27ae60", "#082008"),
+    "yellow":  (11, "#f1c40f", 3,  "#d4ac0d", "#201808"),
+    "blue":    (12, "#3498db", 4,  "#2471a3", "#080820"),
+    "magenta": (13, "#9b59b6", 5,  "#7d3c98", "#160820"),
 }
 
 # OSC 104 resets all indexed palette entries; OSC 111 resets default background.

bot_bottle/cli/list.py

@@ -11,22 +11,11 @@ from ..manifest import Manifest
 from ._common import PROG, USER_CWD
 
 _ANSI_COLOR_CODES: dict[str, str] = {
-    "black": "\033[30m",
-    "red": "\033[31m",
-    "green": "\033[32m",
-    "yellow": "\033[33m",
-    "blue": "\033[34m",
-    "magenta": "\033[35m",
-    "cyan": "\033[36m",
-    "white": "\033[37m",
-    "bright-black": "\033[90m",
-    "bright-red": "\033[91m",
-    "bright-green": "\033[92m",
-    "bright-yellow": "\033[93m",
-    "bright-blue": "\033[94m",
-    "bright-magenta": "\033[95m",
-    "bright-cyan": "\033[96m",
-    "bright-white": "\033[97m",
+    "red": "\033[91m",
+    "green": "\033[92m",
+    "yellow": "\033[93m",
+    "blue": "\033[94m",
+    "magenta": "\033[95m",
 }
 _ANSI_RESET = "\033[0m"
 
@@ -66,7 +55,7 @@ def cmd_list(argv: list[str]) -> int:
     # Tab-separated keeps the format stable for shell pipelines.
     for b in active:
         services = ",".join(b.services) if b.services else "-"
-        display_name = b.label if b.label else b.agent_name
+        display_name = f"{b.label} ({b.agent_name})" if b.label else b.agent_name
         colored_name = _ansi_label(display_name, b.color)
         print(f"{b.backend_name}\t{b.slug}\t{colored_name}\t{services}")
     return 0

bot_bottle/cli/start.py

@@ -20,9 +20,11 @@ from ..agent_provider import runtime_for
 from ..backend import (
     Bottle,
     BottleSpec,
+    enumerate_active_agents,
     get_bottle_backend,
     known_backend_names,
 )
+from ..backend.docker import util as docker_mod
 from ..backend.docker.bottle_plan import DockerBottlePlan
 from ..bottle_state import (
     cleanup_state,
@@ -74,6 +76,7 @@ def cmd_start(argv: list[str]) -> int:
     backend_name: str | None = args.backend
 
     label, color = tui.name_color_modal(default_label=agent_name)
+    label, color = _resolve_unique_label(label, color)
 
     spec = BottleSpec(
         manifest=manifest,
@@ -191,6 +194,21 @@ def _identity_from_plan(plan: object) -> str:
     return getattr(plan, "slug", "")
 
 
+def _resolve_unique_label(label: str, color: str) -> tuple[str, str]:
+    """Re-prompt with a disclaimer until the label's slug is not already
+    in use among running bottles.  Passes through unchanged when no
+    collision is found on the first check."""
+    while True:
+        slug_candidate = docker_mod.slugify(label)
+        active_slugs = {a.slug for a in enumerate_active_agents()}
+        if slug_candidate not in active_slugs:
+            return label, color
+        label, color = tui.name_color_modal(
+            default_label=label,
+            disclaimer=f'"{label}" is already in use',
+        )
+
+
 def _text_prompt_yes() -> bool:
     """Default `prompt_yes` for CLI use: reads y/N from the
     controlling tty via stderr prompt + tty-line read."""

bot_bottle/cli/tui.py

@@ -226,20 +226,15 @@ def _addstr_safe(screen: Any, row: int, col: int, text: str, attr: int = curses.
 # ---------------------------------------------------------------------------
 
 _ANSI_COLORS = [
-    "red", "green", "blue", "yellow", "magenta", "cyan", "white", "black",
-    "bright-red", "bright-green", "bright-blue", "bright-yellow",
-    "bright-magenta", "bright-cyan", "bright-white", "bright-black",
+    "red", "green", "yellow", "blue", "magenta",
 ]
 
 _CURSES_COLOR_MAP: dict[str, int] = {
-    "black": curses.COLOR_BLACK,
     "red": curses.COLOR_RED,
     "green": curses.COLOR_GREEN,
     "yellow": curses.COLOR_YELLOW,
     "blue": curses.COLOR_BLUE,
     "magenta": curses.COLOR_MAGENTA,
-    "cyan": curses.COLOR_CYAN,
-    "white": curses.COLOR_WHITE,
 }
 
 _COLOR_NONE = "(none)"
@@ -248,11 +243,15 @@ _COLOR_NONE = "(none)"
 def name_color_modal(
     default_label: str,
     *,
+    disclaimer: str = "",
     tty_path: str = "/dev/tty",
 ) -> tuple[str, str]:
     """Present a two-step curses modal: first edit the agent label,
     then optionally pick a color.
 
+    ``disclaimer`` is shown below the input field — use it to surface
+    an error from a previous attempt (e.g. name already in use).
+
     Returns ``(label, color)`` where ``color`` is one of the 16 ANSI
     color name strings or ``""`` for no color. Falls back to
     ``(default_label, "")`` on any error (terminal too small, not a tty).
@@ -264,14 +263,14 @@ def name_color_modal(
 
     try:
         fd_dup = os.dup(tty_fd.fileno())
-        return _run_name_color(default_label, tty_fd=fd_dup)
+        return _run_name_color(default_label, tty_fd=fd_dup, disclaimer=disclaimer)
     except Exception:  # noqa: BLE001  # pylint: disable=broad-exception-caught
         return default_label, ""
     finally:
         tty_fd.close()
 
 
-def _run_name_color(default_label: str, *, tty_fd: int) -> tuple[str, str]:
+def _run_name_color(default_label: str, *, tty_fd: int, disclaimer: str = "") -> tuple[str, str]:
     import io
     orig_stdin = sys.__stdin__
     orig_stdout = sys.__stdout__
@@ -286,7 +285,7 @@ def _run_name_color(default_label: str, *, tty_fd: int) -> tuple[str, str]:
         curses.cbreak()
         screen.keypad(True)
         try:
-            label = _label_step(screen, default_label)
+            label = _label_step(screen, default_label, disclaimer=disclaimer)
             color = _color_step(screen, label)
         finally:
             screen.keypad(False)
@@ -299,14 +298,14 @@ def _run_name_color(default_label: str, *, tty_fd: int) -> tuple[str, str]:
     return label, color
 
 
-def _label_step(screen: Any, default_label: str) -> str:
+def _label_step(screen: Any, default_label: str, *, disclaimer: str = "") -> str:
     """Step 1: edit the label. First printable key replaces the
     pre-fill; subsequent keys append. Enter confirms."""
     text = default_label
     replaced = False  # True once the user has typed their first char
 
     while True:
-        _render_label(screen, text)
+        _render_label(screen, text, disclaimer=disclaimer)
         try:
             key = screen.getch()
         except KeyboardInterrupt:
@@ -330,7 +329,7 @@ def _label_step(screen: Any, default_label: str) -> str:
                 text += chr(key)
 
 
-def _render_label(screen: Any, text: str) -> None:
+def _render_label(screen: Any, text: str, *, disclaimer: str = "") -> None:
     screen.erase()
     rows, cols = screen.getmaxyx()
     sep = "─" * min(cols - 1, 40)
@@ -338,8 +337,12 @@ def _render_label(screen: Any, text: str) -> None:
     _addstr_safe(screen, 1, 0, sep)
     _addstr_safe(screen, 2, 0, text[:cols - 1], curses.A_REVERSE)
     _addstr_safe(screen, 3, 0, sep)
-    if rows > 5:
-        _addstr_safe(screen, 5, 0, "[any key] edit  [Enter] confirm", curses.A_DIM)
+    row = 4
+    if disclaimer and rows > row + 1:
+        _addstr_safe(screen, row, 0, disclaimer[:cols - 1], curses.A_BOLD)
+        row += 1
+    if rows > row + 1:
+        _addstr_safe(screen, row, 0, "[any key] edit  [Enter] confirm", curses.A_DIM)
     screen.refresh()
 
 
@@ -379,13 +382,10 @@ def _init_color_pairs() -> dict[str, int]:
         curses.use_default_colors()
         pair_idx = 2  # pair 1 reserved for other uses
         for name in _ANSI_COLORS:
-            base = name.replace("bright-", "")
-            fg = _CURSES_COLOR_MAP.get(base, curses.COLOR_WHITE)
+            fg = _CURSES_COLOR_MAP.get(name, curses.COLOR_WHITE)
             try:
                 curses.init_pair(pair_idx, fg, -1)
-                attr = curses.color_pair(pair_idx)
-                if name.startswith("bright-"):
-                    attr |= curses.A_BOLD
+                attr = curses.color_pair(pair_idx) | curses.A_BOLD
                 attrs[name] = attr
                 pair_idx += 1
             except curses.error:

bot_bottle/contrib/claude/agent_provider.py

@@ -42,41 +42,19 @@ def _prompt_path(guest_home: str) -> str:
 
 
 _STATUS_LINE_COLORS = {
-    "black": "\033[30m",
-    "red": "\033[31m",
-    "green": "\033[32m",
-    "yellow": "\033[33m",
-    "blue": "\033[34m",
-    "magenta": "\033[35m",
-    "cyan": "\033[36m",
-    "white": "\033[37m",
-    "bright-black": "\033[90m",
-    "bright-red": "\033[91m",
-    "bright-green": "\033[92m",
-    "bright-yellow": "\033[93m",
-    "bright-blue": "\033[94m",
-    "bright-magenta": "\033[95m",
-    "bright-cyan": "\033[96m",
-    "bright-white": "\033[97m",
+    "red": "\033[91m",
+    "green": "\033[92m",
+    "yellow": "\033[93m",
+    "blue": "\033[94m",
+    "magenta": "\033[95m",
 }
 
 _CLAUDE_THEME_COLORS = {
-    "black": "black",
-    "red": "red",
-    "green": "green",
-    "yellow": "yellow",
-    "blue": "blue",
-    "magenta": "magenta",
-    "cyan": "cyan",
-    "white": "white",
-    "bright-black": "blackBright",
-    "bright-red": "redBright",
-    "bright-green": "greenBright",
-    "bright-yellow": "yellowBright",
-    "bright-blue": "blueBright",
-    "bright-magenta": "magentaBright",
-    "bright-cyan": "cyanBright",
-    "bright-white": "whiteBright",
+    "red": "redBright",
+    "green": "greenBright",
+    "yellow": "yellowBright",
+    "blue": "blueBright",
+    "magenta": "magentaBright",
 }
 
 

bot_bottle/manifest_extends.py

@@ -5,16 +5,20 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
-    from .manifest import ManifestBottle, ManifestGitEntry
+    from .manifest import ManifestBottle
     from .manifest_egress import ManifestEgressConfig
 
 
 def resolve_bottles(raws: dict[str, dict[str, object]]) -> dict[str, ManifestBottle]:
     """Apply `extends:` chains and return resolved ManifestBottle objects."""
     cache: dict[str, ManifestBottle] = {}
+    # Per-bottle effective git-gate.repos, as raw dicts keyed by repo name.
+    # Threaded alongside `cache` so a child can field-merge against its
+    # parent's repos without reconstructing them from parsed entries.
+    repos_cache: dict[str, dict[str, object]] = {}
     for name in raws:
         if name not in cache:
-            _resolve_one_bottle(name, raws, cache, ())
+            _resolve_one_bottle(name, raws, cache, repos_cache, ())
     return cache
 
 
@@ -22,6 +26,7 @@ def _resolve_one_bottle(
     name: str,
     raws: dict[str, dict[str, object]],
     cache: dict[str, ManifestBottle],
+    repos_cache: dict[str, dict[str, object]],
     seen: tuple[str, ...],
 ) -> ManifestBottle:
     from .manifest import ManifestBottle, ManifestError
@@ -41,6 +46,7 @@ def _resolve_one_bottle(
     if parent_name_raw is None:
         bottle = ManifestBottle.from_dict(name, child_raw)
         cache[name] = bottle
+        repos_cache[name] = _resolve_repos_raw({}, child_raw)
         return bottle
 
     if not isinstance(parent_name_raw, str):
@@ -60,20 +66,33 @@ def _resolve_one_bottle(
             f"bottle '{name}' extends '{parent_name}' which is not "
             f"defined. Available bottles: {avail}"
         )
-    parent = _resolve_one_bottle(parent_name, raws, cache, seen + (name,))
-    bottle = _merge_bottles(parent, child_raw, name)
+    parent = _resolve_one_bottle(
+        parent_name, raws, cache, repos_cache, seen + (name,)
+    )
+    merged_repos_raw = _resolve_repos_raw(repos_cache[parent_name], child_raw)
+    bottle = _merge_bottles(parent, child_raw, merged_repos_raw, name)
     cache[name] = bottle
+    repos_cache[name] = merged_repos_raw
     return bottle
 
 
 def _merge_bottles(
     parent: ManifestBottle,
     child_raw: dict[str, object],
+    merged_repos_raw: dict[str, object],
     name: str,
 ) -> ManifestBottle:
     """Apply PRD 0025 merge rules."""
     from .manifest import ManifestBottle, ManifestGitUser
     from .manifest_egress import validate_egress_routes
+    from .manifest_util import as_json_object
+
+    # git-gate.repos: when the child declares repos, inject the already
+    # name-merged repo set (computed by _resolve_repos_raw) so the child
+    # parses with the full inherited+overridden list (issue #237).
+    if _child_declares_git_gate_repos(child_raw):
+        git_raw = as_json_object(child_raw.get("git-gate", {}), "child git-gate")
+        child_raw = {**child_raw, "git-gate": {**git_raw, "repos": merged_repos_raw}}
 
     # Parse the child's declared fields into a ManifestBottle (with the
     # usual defaults for anything missing). Validation runs the same
@@ -92,11 +111,11 @@ def _merge_bottles(
         email=child.git_user.email or parent.git_user.email,
     )
 
-    # git-gate.repos: missing means inherit; an explicit empty object
-    # clears; otherwise parent and child merge by UpstreamHost with
-    # child entries replacing duplicate hosts.
+    # git-gate.repos: when declared, child.git already holds the merged
+    # set (an explicit empty dict clears parent, leaving child.git empty).
+    # When omitted, the parent's entries are inherited verbatim.
     if _child_declares_git_gate_repos(child_raw):
-        merged_git = _merge_git_remotes(parent.git, child.git) if child.git else ()
+        merged_git = child.git
     else:
         merged_git = parent.git
 
@@ -130,6 +149,45 @@ def _merge_bottles(
     )
 
 
+def _resolve_repos_raw(
+    parent_repos: dict[str, object],
+    child_raw: dict[str, object],
+) -> dict[str, object]:
+    """Compute a bottle's effective git-gate.repos as raw dicts.
+
+    Repos are keyed by name. When the child omits git-gate.repos it
+    inherits the parent's set verbatim; an explicit empty dict clears it.
+    Otherwise parent and child unite by name, with same-name entries
+    field-merged (parent fields are defaults, child fields win)."""
+    from .manifest_util import as_json_object
+
+    if not _child_declares_git_gate_repos(child_raw):
+        return parent_repos
+    child_repos = _declared_repos_raw(child_raw)
+    if not child_repos:
+        return {}
+    # Parent entries keep their order; child-only names are appended.
+    names = list(parent_repos) + [n for n in child_repos if n not in parent_repos]
+    return {
+        name: {
+            **as_json_object(parent_repos.get(name, {}), "parent git-gate repo"),
+            **as_json_object(child_repos.get(name, {}), "child git-gate repo"),
+        }
+        for name in names
+    }
+
+
+def _declared_repos_raw(child_raw: dict[str, object]) -> dict[str, object]:
+    """Return the child's explicitly declared git-gate.repos as raw dicts,
+    or an empty dict when none are declared."""
+    from .manifest_util import as_json_object
+
+    if not _child_declares_git_gate_repos(child_raw):
+        return {}
+    git_raw = as_json_object(child_raw.get("git-gate", {}), "child git-gate")
+    return as_json_object(git_raw.get("repos", {}), "child git-gate.repos")
+
+
 def _child_declares_git_gate_repos(child_raw: dict[str, object]) -> bool:
     from .manifest_util import as_json_object
 
@@ -140,16 +198,6 @@ def _child_declares_git_gate_repos(child_raw: dict[str, object]) -> bool:
     return "repos" in git_obj
 
 
-def _merge_git_remotes(
-    parent: tuple[ManifestGitEntry, ...],
-    child: tuple[ManifestGitEntry, ...],
-) -> tuple[ManifestGitEntry, ...]:
-    by_host = {entry.UpstreamHost: entry for entry in parent}
-    for entry in child:
-        by_host[entry.UpstreamHost] = entry
-    return tuple(by_host.values())
-
-
 def _merge_egress(
     parent: ManifestEgressConfig,
     child: ManifestEgressConfig,

examples/bottles/claude.md

@@ -5,15 +5,10 @@ agent_provider:
 egress:
   routes:
     - host: api.anthropic.com
-      role: claude_code_oauth    # wires Claude Code OAuth; do not change
+      role: claude_code_oauth
       auth:
         scheme: Bearer
         token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
-      # dlp is omitted → all detectors on by default (token_patterns,
-      # known_secrets outbound; naive_injection_detection inbound).
-      # To disable inbound scanning for this route:
-      #   dlp:
-      #     inbound_detectors: false
 ---
 
 Common Claude provider boundary. Drop this file into

tests/integration/test_sandbox_escape.py

@@ -92,10 +92,9 @@ class TestSandboxEscape(unittest.TestCase):
                     "on PATH: curl -sSL https://smolmachines.com/install.sh | sh"
                 )
 
-        # Throwaway "identity file" so the manifest's _validate_git_entries
-        # passes (it only checks `os.path.isfile`, not that the content is
-        # a real SSH key). Test 5 reaches gitleaks before any SSH attempt
-        # anyway.
+        # Throwaway "identity file" for the git-gate's `identity` field.
+        # It need not be a real SSH key: test 5 reaches gitleaks before
+        # any SSH attempt anyway.
         fd, kp = tempfile.mkstemp(prefix="sandbox-test-key.")
         os.close(fd)
         cls._key_path = Path(kp)

tests/unit/test_agent_provider.py

@@ -74,7 +74,7 @@ class TestAgentProviderRuntime(unittest.TestCase):
                 instance_name="bot-bottle-test",
                 prompt_file=prompt_file,
                 label="review-api",
-                color="bright-cyan",
+                color="cyan",
             )
             prompt = prompt_file.read_text()
             config = Path(tmp, "codex-config.toml").read_text()

tests/unit/test_backend_prepare.py

@@ -16,6 +16,7 @@ from bot_bottle import bottle_state
 from bot_bottle import supervise
 from bot_bottle.backend import BottleSpec
 from bot_bottle.backend.docker import DockerBottleBackend
+from bot_bottle.backend.resolve_common import mint_slug
 from bot_bottle.backend.smolmachines import SmolmachinesBottleBackend
 from bot_bottle.manifest import Manifest
 
@@ -115,5 +116,36 @@ class TestSmolmachinesPrepare(_FakeStateMixin, unittest.TestCase):
         )
 
 
+class TestMintSlug(unittest.TestCase):
+    def _spec(self, *, label: str = "", identity: str = "") -> BottleSpec:
+        manifest = _manifest()
+        return BottleSpec(
+            manifest=manifest,
+            agent_name="demo",
+            copy_cwd=False,
+            user_cwd="/tmp",
+            label=label,
+            identity=identity,
+        )
+
+    def test_no_label_uses_agent_name_with_random_suffix(self) -> None:
+        slug = mint_slug(self._spec(label=""))
+        self.assertTrue(slug.startswith("demo-"), slug)
+        # random suffix present — slug is longer than just "demo"
+        self.assertGreater(len(slug), len("demo-"))
+
+    def test_label_becomes_exact_slug(self) -> None:
+        slug = mint_slug(self._spec(label="my-run"))
+        self.assertEqual("my-run", slug)
+
+    def test_label_with_spaces_slugified_no_suffix(self) -> None:
+        slug = mint_slug(self._spec(label="My Feature Run"))
+        self.assertEqual("my-feature-run", slug)
+
+    def test_identity_takes_precedence_over_label(self) -> None:
+        slug = mint_slug(self._spec(label="my-run", identity="fixed-id"))
+        self.assertEqual("fixed-id", slug)
+
+
 if __name__ == "__main__":
     unittest.main()

tests/unit/test_backend_terminal.py

@@ -11,14 +11,14 @@ class TestPalettePrintf(unittest.TestCase):
     def test_known_color_returns_printf(self):
         cmd = palette_printf("red")
         self.assertTrue(cmd.startswith("printf '"))
-        self.assertIn("\\033]4;1;", cmd)   # normal red
-        self.assertIn("\\033]4;9;", cmd)   # bright red
+        self.assertIn("\\033]4;9;", cmd)   # bright-red slot
+        self.assertIn("\\033]4;1;", cmd)   # normal-red slot
         self.assertIn("\\033]11;", cmd)    # default background tint
 
-    def test_bright_variant_sets_both_slots(self):
-        cmd = palette_printf("bright-blue")
-        self.assertIn("\\033]4;12;", cmd)  # bright-blue
-        self.assertIn("\\033]4;4;", cmd)   # blue
+    def test_color_sets_both_palette_slots(self):
+        cmd = palette_printf("blue")
+        self.assertIn("\\033]4;12;", cmd)  # bright-blue slot
+        self.assertIn("\\033]4;4;", cmd)   # normal-blue slot
 
     def test_unknown_color_returns_empty(self):
         self.assertEqual("", palette_printf(""))
@@ -26,10 +26,7 @@ class TestPalettePrintf(unittest.TestCase):
 
     def test_all_named_colors_produce_output(self):
         colors = [
-            "black", "red", "green", "yellow",
-            "blue", "magenta", "cyan", "white",
-            "bright-black", "bright-red", "bright-green", "bright-yellow",
-            "bright-blue", "bright-magenta", "bright-cyan", "bright-white",
+            "red", "green", "yellow", "blue", "magenta",
         ]
         for color in colors:
             with self.subTest(color=color):
@@ -65,7 +62,7 @@ class TestExecShellScript(unittest.TestCase):
         self.assertFalse(agent_part.startswith("exec "))
 
     def test_title_and_color_both_appear(self):
-        script = exec_shell_script(self._ARGV, terminal_title="bot", terminal_color="cyan")
+        script = exec_shell_script(self._ARGV, terminal_title="bot", terminal_color="magenta")
         assert script is not None
         self.assertIn("bot", script)
         self.assertIn("\\033]4;", script)

tests/unit/test_cli_start_selector.py

@@ -14,6 +14,7 @@ from unittest.mock import MagicMock, patch
 
 import bot_bottle.cli.start as start_mod
 import bot_bottle.cli.tui as tui_mod
+from bot_bottle.backend import ActiveAgent
 
 
 def _make_manifest(agent_names: list[str]):
@@ -133,5 +134,63 @@ class TestCmdStartSelector(unittest.TestCase):
         self._launch_mock.assert_not_called()
 
 
+def _active_agent(slug: str) -> ActiveAgent:
+    return ActiveAgent(
+        backend_name="docker",
+        slug=slug,
+        agent_name="demo",
+        started_at="2026-01-01T00:00:00+00:00",
+        services=(),
+    )
+
+
+class TestCmdStartLabelCollision(unittest.TestCase):
+    """cmd_start re-prompts when the label's slug is already running."""
+
+    def setUp(self):
+        self._manifest = _make_manifest(["researcher"])
+        patch("bot_bottle.cli.start.Manifest.resolve", return_value=self._manifest).start()
+        self._launch_mock = patch(
+            "bot_bottle.cli.start._launch_bottle", return_value=0,
+        ).start()
+        self.addCleanup(patch.stopall)
+
+    def test_no_collision_proceeds_without_reprompt(self):
+        with (
+            patch.object(tui_mod, "name_color_modal", return_value=("researcher", "")) as modal,
+            patch("bot_bottle.cli.start.enumerate_active_agents", return_value=[]),
+        ):
+            rc = start_mod.cmd_start(["researcher"])
+        self.assertEqual(0, rc)
+        modal.assert_called_once()
+        self._launch_mock.assert_called_once()
+
+    def test_collision_reprompts_with_disclaimer(self):
+        collision_agent = _active_agent("researcher")
+        call_count = 0
+
+        def _modal(default_label: str, *, disclaimer: str = "", **_kw: object) -> tuple[str, str]:
+            nonlocal call_count
+            call_count += 1
+            if call_count == 1:
+                return "researcher", ""
+            return "researcher-2", ""
+
+        with (
+            patch.object(tui_mod, "name_color_modal", side_effect=_modal) as modal,
+            patch(
+                "bot_bottle.cli.start.enumerate_active_agents",
+                side_effect=[[collision_agent], []],
+            ),
+        ):
+            rc = start_mod.cmd_start(["researcher"])
+
+        self.assertEqual(0, rc)
+        self.assertEqual(2, modal.call_count)
+        second_call_kwargs = modal.call_args_list[1][1]
+        self.assertIn("researcher", second_call_kwargs.get("disclaimer", ""))
+        self.assertIn("already in use", second_call_kwargs.get("disclaimer", ""))
+
+
 if __name__ == "__main__":
     unittest.main()

tests/unit/test_contrib_claude_provider.py

@@ -276,7 +276,7 @@ class TestClaudeUiProvision(unittest.TestCase):
                 instance_name="bot-bottle-demo-abc12",
                 prompt_file=prompt_file,
                 label="research-ui",
-                color="bright-cyan",
+                color="blue",
             )
             settings = json.loads((state_dir / "claude-settings.json").read_text())
             statusline = (state_dir / "claude-statusline.sh").read_text()
@@ -288,9 +288,9 @@ class TestClaudeUiProvision(unittest.TestCase):
         self.assertEqual("~/.claude/statusline.sh", settings["statusLine"]["command"])
         self.assertEqual("custom:bot-bottle-research-ui", settings["theme"])
         self.assertIn("research-ui", statusline)
-        self.assertIn("\x1b[96m", statusline)
+        self.assertIn("\x1b[94m", statusline)
         self.assertEqual("dark", theme["base"])
-        self.assertEqual("ansi:cyanBright", theme["overrides"]["claude"])
+        self.assertEqual("ansi:blueBright", theme["overrides"]["claude"])
 
     def test_runs_verify_commands(self):
         provision = AgentProvisionPlan(

tests/unit/test_contrib_codex_provider.py

@@ -158,7 +158,7 @@ class TestCodexProvisionPrompt(unittest.TestCase):
                 instance_name="bot-bottle-demo-abc12",
                 prompt_file=prompt_file,
                 label="research-ui",
-                color="bright-cyan",
+                color="cyan",
             )
             config = (state_dir / "codex-config.toml").read_text()
             prompt_text = prompt_file.read_text()

tests/unit/test_macos_container_bottle.py

@@ -2,26 +2,32 @@
 
 from __future__ import annotations
 
+import sys
 import unittest
 from unittest.mock import patch
 
-from bot_bottle.backend.macos_container.bottle import MacosContainerBottle
+from bot_bottle.backend.macos_container import bottle as bottle_mod
+from bot_bottle.backend.macos_container.bottle import MacosContainerBottle, _PTY_FORWARD_SCRIPT
 
 
 class TestMacosContainerBottle(unittest.TestCase):
-    def test_agent_argv_uses_container_exec(self):
+    def test_agent_argv_uses_pty_forward_and_container_exec(self):
         bottle = MacosContainerBottle(
             "bot-bottle-dev-abc",
             lambda: None,
             None,
             agent_command="codex",
         )
+        with patch.dict(bottle_mod.os.environ, {}, clear=True):
+            argv = bottle.agent_argv(["run"])
         self.assertEqual(
             [
+                sys.executable, _PTY_FORWARD_SCRIPT, "--",
                 "container", "exec", "--interactive", "--tty",
+                "--env", "TERM",
                 "bot-bottle-dev-abc", "codex", "run",
             ],
-            bottle.agent_argv(["run"]),
+            argv,
         )
 
     def test_agent_argv_includes_workdir(self):
@@ -31,15 +37,54 @@ class TestMacosContainerBottle(unittest.TestCase):
             None,
             agent_workdir="/home/node/workspace",
         )
+        with patch.dict(bottle_mod.os.environ, {}, clear=True):
+            argv = bottle.agent_argv([])
         self.assertEqual(
             [
+                sys.executable, _PTY_FORWARD_SCRIPT, "--",
                 "container", "exec", "--interactive", "--tty",
+                "--env", "TERM",
                 "--workdir", "/home/node/workspace",
                 "bot-bottle-dev-abc", "claude",
             ],
-            bottle.agent_argv([]),
+            argv,
         )
 
+    def test_agent_argv_forwards_terminal_env_names_without_values(self):
+        bottle = MacosContainerBottle("bot-bottle-dev-abc", lambda: None, None)
+        with patch.dict(
+            bottle_mod.os.environ,
+            {
+                "TERM": "screen-256color",
+                "TERM_PROGRAM": "WezTerm",
+                "WEZTERM_PANE": "pane-id",
+                "SHELL": "/bin/zsh",
+            },
+            clear=True,
+        ):
+            argv = bottle.agent_argv([])
+        self.assertIn("TERM", argv)
+        self.assertIn("TERM_PROGRAM", argv)
+        self.assertIn("WEZTERM_PANE", argv)
+        self.assertNotIn("SHELL", argv)
+        self.assertNotIn("TERM=screen-256color", argv)
+        self.assertNotIn("TERM_PROGRAM=WezTerm", argv)
+        self.assertNotIn("WEZTERM_PANE=pane-id", argv)
+
+    def test_agent_argv_always_forwards_term_name(self):
+        bottle = MacosContainerBottle("bot-bottle-dev-abc", lambda: None, None)
+        with patch.dict(bottle_mod.os.environ, {}, clear=True):
+            argv = bottle.agent_argv([])
+        self.assertIn("TERM", argv)
+
+    def test_agent_argv_no_tty_omits_wrapper_and_tty_flags(self):
+        bottle = MacosContainerBottle("bot-bottle-dev-abc", lambda: None, None)
+        argv = bottle.agent_argv([], tty=False)
+        self.assertNotIn("--tty", argv)
+        self.assertNotIn("--env", argv)
+        self.assertNotIn(_PTY_FORWARD_SCRIPT, argv)
+        self.assertEqual(["container", "exec", "bot-bottle-dev-abc", "claude"], argv)
+
     def test_exec_pipes_script_to_shell(self):
         bottle = MacosContainerBottle("bot-bottle-dev-abc", lambda: None, None)
         with patch("bot_bottle.backend.macos_container.bottle.subprocess.run") as run:

tests/unit/test_macos_container_pty_forward.py

@@ -0,0 +1,159 @@
+"""Unit: macos-container pty_forward raw-mode wrapper (issue #245).
+
+Tests argument parsing, non-TTY fallback, and the raw-mode
+setup/restore sequence without requiring a real terminal.
+"""
+
+from __future__ import annotations
+
+import io
+import termios
+import unittest
+from unittest.mock import ANY, MagicMock, patch
+
+from bot_bottle.backend.macos_container import pty_forward
+
+
+def _fake_stdin(fd: int = 0) -> MagicMock:
+    """Return a mock stdin whose fileno() returns *fd*."""
+    m = MagicMock()
+    m.fileno.return_value = fd
+    return m
+
+
+class TestArgvParsing(unittest.TestCase):
+    def test_missing_separator_returns_error_exit_code(self):
+        with patch.object(pty_forward.sys, "stderr", new=io.StringIO()) as err:
+            rc = pty_forward.main(["container", "exec"])
+        self.assertEqual(2, rc)
+        self.assertIn("usage:", err.getvalue())
+
+    def test_too_few_args_returns_error_exit_code(self):
+        with patch.object(pty_forward.sys, "stderr", new=io.StringIO()):
+            self.assertEqual(2, pty_forward.main([]))
+            self.assertEqual(2, pty_forward.main(["--"]))
+
+    def test_separator_at_start_with_inner_is_valid(self):
+        with (
+            patch.object(pty_forward.sys, "stdin", _fake_stdin()),
+            patch.object(pty_forward.os, "isatty", return_value=False),
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 0
+            rc = pty_forward.main(["--", "container", "exec"])
+        self.assertEqual(0, rc)
+        run.assert_called_once()
+        self.assertEqual(["container", "exec"], run.call_args.args[0])
+        self.assertFalse(run.call_args.kwargs["check"])
+
+
+class TestNonTtyFallback(unittest.TestCase):
+    def test_non_tty_stdin_runs_inner_directly(self):
+        with (
+            patch.object(pty_forward.sys, "stdin", _fake_stdin()),
+            patch.object(pty_forward.os, "isatty", return_value=False),
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 42
+            rc = pty_forward.main(
+                ["--", "container", "exec", "--interactive", "--tty", "c", "claude"]
+            )
+        self.assertEqual(42, rc)
+        run.assert_called_once()
+        self.assertEqual(
+            ["container", "exec", "--interactive", "--tty", "c", "claude"],
+            run.call_args.args[0],
+        )
+        self.assertFalse(run.call_args.kwargs["check"])
+
+    def test_fileno_error_runs_inner_directly(self):
+        bad_stdin = MagicMock()
+        bad_stdin.fileno.side_effect = OSError("pseudofile")
+        with (
+            patch.object(pty_forward.sys, "stdin", bad_stdin),
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 0
+            rc = pty_forward.main(["--", "container", "exec"])
+        run.assert_called_once()
+        self.assertEqual(["container", "exec"], run.call_args.args[0])
+        self.assertFalse(run.call_args.kwargs["check"])
+        self.assertEqual(0, rc)
+
+
+class TestRawModeSetupAndRestore(unittest.TestCase):
+    def test_tty_stdin_sets_raw_mode_and_restores_on_exit(self):
+        saved_attrs = object()
+        with (
+            patch.object(pty_forward.sys, "stdin", _fake_stdin()),
+            patch.object(pty_forward.os, "isatty", return_value=True),
+            patch.object(pty_forward.termios, "tcgetattr", return_value=saved_attrs),
+            patch.object(pty_forward.tty, "setraw") as setraw,
+            patch.object(pty_forward.termios, "tcsetattr") as tcsetattr,
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 0
+            rc = pty_forward.main(["--", "container", "exec"])
+
+        self.assertEqual(0, rc)
+        setraw.assert_called_once()
+        tcsetattr.assert_called_once_with(
+            ANY, termios.TCSADRAIN, saved_attrs,
+        )
+
+    def test_tty_restores_on_subprocess_nonzero_exit(self):
+        saved_attrs = object()
+        with (
+            patch.object(pty_forward.sys, "stdin", _fake_stdin()),
+            patch.object(pty_forward.os, "isatty", return_value=True),
+            patch.object(pty_forward.termios, "tcgetattr", return_value=saved_attrs),
+            patch.object(pty_forward.tty, "setraw"),
+            patch.object(pty_forward.termios, "tcsetattr") as tcsetattr,
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 1
+            rc = pty_forward.main(["--", "container", "exec"])
+
+        self.assertEqual(1, rc)
+        tcsetattr.assert_called_once_with(
+            ANY, termios.TCSADRAIN, saved_attrs,
+        )
+
+    def test_tcgetattr_error_falls_back_to_bare_run(self):
+        with (
+            patch.object(pty_forward.sys, "stdin", _fake_stdin()),
+            patch.object(pty_forward.os, "isatty", return_value=True),
+            patch.object(
+                pty_forward.termios, "tcgetattr",
+                side_effect=termios.error("not a tty"),
+            ),
+            patch.object(pty_forward.tty, "setraw") as setraw,
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 0
+            rc = pty_forward.main(["--", "container", "exec"])
+
+        setraw.assert_not_called()
+        run.assert_called_once()
+        self.assertEqual(["container", "exec"], run.call_args.args[0])
+        self.assertFalse(run.call_args.kwargs["check"])
+        self.assertEqual(0, rc)
+
+    def test_inner_run_sets_term_default_without_mutating_process_env(self):
+        with (
+            patch.dict(pty_forward.os.environ, {}, clear=True),
+            patch.object(pty_forward.subprocess, "run") as run,
+        ):
+            run.return_value.returncode = 0
+            rc = pty_forward._run_inner(["container", "exec"])
+
+            self.assertNotIn("TERM", pty_forward.os.environ)
+
+        self.assertEqual(0, rc)
+        child_env = run.call_args.kwargs["env"]
+        self.assertEqual(["TERM"], sorted(child_env.keys()))
+        self.assertEqual("xterm-256color", child_env["TERM"])
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/unit/test_manifest_extends.py

@@ -113,8 +113,8 @@ class TestExtendsEnvMerge(unittest.TestCase):
 
 
 class TestExtendsGitMerge(unittest.TestCase):
-    """git-gate.user overlays by field; git-gate.repos merges by upstream
-    host, with child entries replacing duplicate hosts."""
+    """git-gate.user overlays by field; git-gate.repos merges by name,
+    with same-name child entries merging field-by-field (child wins)."""
 
     _GIT_ENTRY_A = {"url": "ssh://git@host-a/a.git", "key": {"provider": "static", "path": "/dev/null"}}
     _GIT_ENTRY_B = {"url": "ssh://git@host-b/b.git", "key": {"provider": "static", "path": "/dev/null"}}
@@ -130,19 +130,21 @@ class TestExtendsGitMerge(unittest.TestCase):
         names = [e.Name for e in m.bottles["child"].git]
         self.assertEqual(["a", "b"], names)
 
-    def test_child_git_repo_replaces_same_host(self):
-        replacement = {"url": "ssh://git@host-a/replacement.git", "key": {"provider": "static", "path": "/dev/null"}}
+    def test_child_git_repo_different_name_same_host_coexists(self):
+        # Repos are keyed by Name, not UpstreamHost: two repos with
+        # different names on the same host both survive the merge.
+        same_host_b = {"url": "ssh://git@host-a/b.git", "key": {"provider": "static", "path": "/dev/null"}}
         m = _build(
             base={"git-gate": {"repos": {"a": self._GIT_ENTRY_A}}},
             child={
                 "extends": "base",
-                "git-gate": {"repos": {"a2": replacement}},
+                "git-gate": {"repos": {"a2": same_host_b}},
             },
         )
         entries = m.bottles["child"].git
-        self.assertEqual(1, len(entries))
-        self.assertEqual("a2", entries[0].Name)
-        self.assertEqual("replacement.git", entries[0].UpstreamPath)
+        self.assertEqual(2, len(entries))
+        names = {e.Name for e in entries}
+        self.assertEqual({"a", "a2"}, names)
 
     def test_child_omits_git_gate_inherits_full_list(self):
         m = _build(
@@ -164,6 +166,77 @@ class TestExtendsGitMerge(unittest.TestCase):
         )
         self.assertEqual((), m.bottles["child"].git)
 
+    def test_child_same_name_repo_merges_key_field(self):
+        # Issue #237: child repo with same name as parent should merge
+        # field-by-field. Child overrides only `key`; parent's url and
+        # host_key are preserved.
+        parent_entry = {
+            "url": "ssh://git@host-a/repo.git",
+            "host_key": "ecdsa-sha2-nistp256 AAAA",
+            "key": {"provider": "static", "path": "/keys/id_rsa"},
+        }
+        m = _build(
+            base={"git-gate": {"repos": {"repo": parent_entry}}},
+            child={
+                "extends": "base",
+                "git-gate": {"repos": {"repo": {
+                    "key": {"provider": "gitea", "forge_token_env": "GITEA_TOKEN"},
+                }}},
+            },
+        )
+        entries = m.bottles["child"].git
+        self.assertEqual(1, len(entries))
+        e = entries[0]
+        self.assertEqual("repo", e.Name)
+        self.assertEqual("ssh://git@host-a/repo.git", e.Upstream)
+        self.assertEqual("ecdsa-sha2-nistp256 AAAA", e.KnownHostKey)
+        self.assertEqual("gitea", e.Key.provider)
+        self.assertEqual("GITEA_TOKEN", e.Key.forge_token_env)
+
+    def test_child_same_name_repo_overrides_url(self):
+        # Child can override url on a same-name repo; other parent fields
+        # fall through.
+        parent_entry = {
+            "url": "ssh://git@host-a/old.git",
+            "key": {"provider": "static", "path": "/keys/id_rsa"},
+        }
+        m = _build(
+            base={"git-gate": {"repos": {"repo": parent_entry}}},
+            child={
+                "extends": "base",
+                "git-gate": {"repos": {"repo": {
+                    "url": "ssh://git@host-b/new.git",
+                    "key": {"provider": "static", "path": "/keys/id_rsa"},
+                }}},
+            },
+        )
+        entries = m.bottles["child"].git
+        self.assertEqual(1, len(entries))
+        self.assertEqual("ssh://git@host-b/new.git", entries[0].Upstream)
+
+    def test_child_same_name_plus_new_repo(self):
+        # Same-name repo is field-merged; a distinct new name in child
+        # is appended.
+        parent_entry = {
+            "url": "ssh://git@host-a/repo.git",
+            "key": {"provider": "static", "path": "/keys/id_rsa"},
+        }
+        m = _build(
+            base={"git-gate": {"repos": {"repo": parent_entry}}},
+            child={
+                "extends": "base",
+                "git-gate": {"repos": {
+                    "repo": {"key": {"provider": "gitea", "forge_token_env": "TOK"}},
+                    "other": self._GIT_ENTRY_B,
+                }},
+            },
+        )
+        child = m.bottles["child"]
+        names = {e.Name for e in child.git}
+        self.assertEqual({"repo", "other"}, names)
+        repo_entry = next(e for e in child.git if e.Name == "repo")
+        self.assertEqual("gitea", repo_entry.Key.provider)
+
     def test_child_git_user_inherits_parent_repos(self):
         m = _build(
             base={"git-gate": {"repos": {"a": self._GIT_ENTRY_A}}},