vm run: ship tracked files only by default; add --include-untracked + --dry-run

Workspace-mode vm run and vm workspace prepare used to copy both
tracked AND untracked non-ignored files into the guest. That silently
catches local .env files, scratch notes, credentials, and any other
working-tree state a developer hasn't explicitly gitignored — a real
data-exposure footgun given the golden image ships Docker and the
usual dev tooling.

Flip the default to tracked-only. Users who actually want the fuller
set opt in with --include-untracked (documented in both commands'
help). Gitignored files are still always excluded regardless of the
flag.

Add --dry-run to both vm run and vm workspace prepare. Dry-run
inspects the repo CLI-side (no VM created, no daemon RPC needed since
the daemon is always local and the inspection is a pure git read),
prints the exact file list + mode, and exits. A byte-level preview of
what would land in the guest.

When running real (non-dry) and untracked files exist in the repo but
are being skipped under the new default, print a one-line notice
pointing to --include-untracked so users aren't surprised when the
guest is missing something they expected.

Signature changes:
- ListOverlayPaths takes an includeUntracked bool (tracked always;
  untracked gated by flag).
- InspectRepo takes the same flag and passes it through.
- VMWorkspacePrepareParams gains IncludeUntracked.
- WorkspaceService.workspaceInspectRepo seam signature widened to
  match (4 callers in tests updated).

New workspace package tests cover both modes and verify that
gitignored files never leak regardless of the flag.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/cli/commands_vm.go

@@ -62,6 +62,8 @@ func (d *deps) newVMRunCommand() *cobra.Command {
 		branchName        string
 		fromRef           = "HEAD"
 		removeOnExit      bool
+		includeUntracked  bool
+		dryRun            bool
 	)
 	cmd := &cobra.Command{
 		Use:   "run [path] [-- command args...]",
@@ -107,7 +109,17 @@ Three modes:
 				if err != nil {
 					return err
 				}
-				repoPtr = &vmRunRepo{sourcePath: resolved, branchName: branchName, fromRef: fromRef}
+				repoPtr = &vmRunRepo{sourcePath: resolved, branchName: branchName, fromRef: fromRef, includeUntracked: includeUntracked}
+			}
+			if dryRun {
+				if repoPtr == nil {
+					return errors.New("--dry-run requires a workspace path")
+				}
+				dryFromRef := ""
+				if strings.TrimSpace(repoPtr.branchName) != "" {
+					dryFromRef = repoPtr.fromRef
+				}
+				return runWorkspaceDryRun(cmd.Context(), cmd.OutOrStdout(), repoPtr.sourcePath, repoPtr.branchName, dryFromRef, repoPtr.includeUntracked)
 			}
 
 			layout, err := paths.Resolve()
@@ -151,6 +163,8 @@ Three modes:
 	cmd.Flags().StringVar(&branchName, "branch", "", "create and switch to a new guest branch")
 	cmd.Flags().StringVar(&fromRef, "from", "HEAD", "base ref for --branch")
 	cmd.Flags().BoolVar(&removeOnExit, "rm", false, "delete the VM after the ssh session / command exits")
+	cmd.Flags().BoolVar(&includeUntracked, "include-untracked", false, "also copy untracked non-ignored files into the guest workspace (default: tracked files only)")
+	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "list the files that would be copied into the guest workspace and exit without creating a VM")
 	_ = cmd.RegisterFlagCompletionFunc("image", d.completeImageNames)
 	return cmd
 }
@@ -570,6 +584,8 @@ func (d *deps) newVMWorkspacePrepareCommand() *cobra.Command {
 	var fromRef string
 	var mode string
 	var readOnly bool
+	var includeUntracked bool
+	var dryRun bool
 	cmd := &cobra.Command{
 		Use:               "prepare <id-or-name> [path]",
 		Short:             "Copy a local repo into a running VM",
@@ -582,10 +598,6 @@ func (d *deps) newVMWorkspacePrepareCommand() *cobra.Command {
   banger vm workspace prepare devbox ../repo --mode full_copy
 `),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			layout, _, err := d.ensureDaemon(cmd.Context())
-			if err != nil {
-				return err
-			}
 			sourcePath := ""
 			if len(args) > 1 {
 				sourcePath = args[1]
@@ -605,14 +617,27 @@ func (d *deps) newVMWorkspacePrepareCommand() *cobra.Command {
 			if strings.TrimSpace(branchName) != "" {
 				prepareFrom = fromRef
 			}
+			if dryRun {
+				return runWorkspaceDryRun(cmd.Context(), cmd.OutOrStdout(), resolvedPath, branchName, prepareFrom, includeUntracked)
+			}
+			layout, _, err := d.ensureDaemon(cmd.Context())
+			if err != nil {
+				return err
+			}
+			if !includeUntracked {
+				if err := noteUntrackedSkipped(cmd.Context(), cmd.ErrOrStderr(), resolvedPath); err != nil {
+					return err
+				}
+			}
 			result, err := d.vmWorkspacePrepare(cmd.Context(), layout.SocketPath, api.VMWorkspacePrepareParams{
-				IDOrName:   args[0],
-				SourcePath: resolvedPath,
-				GuestPath:  guestPath,
-				Branch:     branchName,
-				From:       prepareFrom,
-				Mode:       mode,
-				ReadOnly:   readOnly,
+				IDOrName:         args[0],
+				SourcePath:       resolvedPath,
+				GuestPath:        guestPath,
+				Branch:           branchName,
+				From:             prepareFrom,
+				Mode:             mode,
+				ReadOnly:         readOnly,
+				IncludeUntracked: includeUntracked,
 			})
 			if err != nil {
 				return err
@@ -625,6 +650,8 @@ func (d *deps) newVMWorkspacePrepareCommand() *cobra.Command {
 	cmd.Flags().StringVar(&fromRef, "from", "HEAD", "base ref for --branch")
 	cmd.Flags().StringVar(&mode, "mode", string(model.WorkspacePrepareModeShallowOverlay), "workspace mode: shallow_overlay, full_copy, metadata_only")
 	cmd.Flags().BoolVar(&readOnly, "readonly", false, "make the prepared workspace read-only")
+	cmd.Flags().BoolVar(&includeUntracked, "include-untracked", false, "also copy untracked non-ignored files into the guest workspace (default: tracked files only)")
+	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "list the files that would be copied and exit without touching the guest")
 	return cmd
 }