Deep Review: 20260501-221035-pr-4917

Date	2026-05-01 22:10
Repo	lima-vm/lima
Round	1
Author	@peschmae
PR	#4917 — shell: Add sync-exclude flag and .limasyncignore file
Branch	`pr-4917`
Commits	`37bef33b` shell: --sync-exclude add bats tests `6e864710` shell: Add sync-exclude flag and .limasyncignore file
Reviewers	Claude Opus 4.7 (effort: xhigh), Codex GPT 5.5 (effort: xhigh), Gemini 3.1 Pro (effort: default)
Verdict	Merge with fixes — Windows-only `.limasyncignore` lookup is broken, and the interactive diff misrepresents excluded files as deletions; both should be addressed before merge.
Wall-clock time	`36 min 55 s`

Executive Summary ¶

The PR adds --sync-exclude (repeatable) and an implicit .limasyncignore file to limactl shell --sync, plumbing both into rsync via --exclude and --exclude-from. The change is small, focused, and ships with unit and BATS coverage for the happy-path round trip.

Two important issues block a clean merge: on Windows, .limasyncignore is looked up against the WSL/Cygwin-translated path, so the file is silently never found; and the interactive "View the changed contents" path diffs the unfiltered host directory against a filtered guest snapshot, so excluded host files are displayed as pending deletions. A third important finding flags validateSyncFlagValue as a brittle string-prefix workaround for an underlying --sync argument-parsing ambiguity. The remaining suggestions improve dynamic ignore-file evaluation, error handling, test ergonomics, and documentation precision.

This review found 0 critical, 3 important, 7 suggestions across 3 reviewers.

Critical Issues ¶

None.

Important Issues ¶

I1. .limasyncignore lookup uses the WSL/Cygwin-translated path on Windows — file is never found Claude Codex¶

cmd/limactl/shell.go

	//
	// changeDirCmd := "cd workDir || exit 1"                  if workDir != ""
	//              := "cd hostCurrentDir || cd hostHomeDir"   if workDir == ""
	var changeDirCmd string
	var hostCurrentDir string
	if syncDirVal != "" {
		hostCurrentDir, err = filepath.Abs(syncDirVal)
		if err == nil && runtime.GOOS == "windows" {
			hostCurrentDir, err = mountDirFromWindowsDir(ctx, inst, hostCurrentDir)
		}
	} else {
		hostCurrentDir, err = hostCurrentDirectory(ctx, inst)
	}

	if err != nil {

By the time the call site at cmd/limactl/shell.go:397 reaches buildSyncExcludeArgs(syncExcludes, hostCurrentDir), hostCurrentDir has already been transformed by mountDirFromWindowsDir (line 225) into a Cygwin/WSL path such as /cygdrive/c/Users/foo or /mnt/c/Users/foo. pkg/ioutilx/ioutilx.go:53 confirms the conversion runs cygpath (or wsl wslpath for WSL2 instances).

cmd/limactl/shell.go


		paths := []string{
			hostCurrentDir,
			fmt.Sprintf("%s:%s", inst.Name, destRsyncDir),
		}
		excludeArgs = buildSyncExcludeArgs(syncExcludes, hostCurrentDir)
		rsync, err = copytool.New(ctx, string(copytool.BackendRsync), paths, &copytool.Options{
			Recursive: true,
			Verbose:   false,
			AdditionalArgs: append([]string{
				"--delete",

pkg/ioutilx/ioutilx.go

	}

	return string(out), nil
}

func WindowsSubsystemPath(ctx context.Context, orig string) (string, error) {
	out, err := exec.CommandContext(ctx, "cygpath", filepath.ToSlash(orig)).CombinedOutput()
	if err != nil {
		logrus.WithError(err).Errorf("failed to convert path to mingw, maybe not using Git ssh?")
		return "", err
	}

// shell.go:842-852 (new)
func buildSyncExcludeArgs(excludes []string, syncDir string) []string {
    ...
    ignoreFile := filepath.Join(syncDir, ".limasyncignore")
    if _, err := os.Stat(ignoreFile); err == nil {
        args = append(args, "--exclude-from", ignoreFile)
    }
    return args
}

On Windows, os.Stat(filepath.Join("/cygdrive/c/Users/foo", ".limasyncignore")) resolves against the current drive (\cygdrive\c\Users\foo\.limasyncignore), so the file is silently not found and --exclude-from is never appended. The documented .limasyncignore behavior therefore does nothing on Windows. The Windows verification reviewer (@liketosweep) flagged this in recommendation #4 of the test report; the author has not addressed it.

Fix: keep both paths around — the native host path for filesystem probing and the converted path for rsync arguments — and stat the local path. For example, capture localHostCurrentDir = filepath.Abs(syncDirVal) before the WSL/Cygwin translation and pass it through as a separate argument to the helper.

I2. Interactive diff reports excluded host files as deletions Codex¶

cmd/limactl/shell.go

		case 2: // View the changed contents
			var diffCmd *exec.Cmd
			if _, err := exec.LookPath("diff"); err != nil {
				logrus.WithError(err).Warn("`diff` not found; showing rsync dry-run output only")
			} else {
				diffCmd = exec.CommandContext(ctx, "diff", "-ruN", "--color=always", hostCurrentDir, hostTmpDest)
				if !rsyncToTempDir {
					paths := []string{
						remoteSource,
						hostTmpDest,
					}

					if err := rsyncDirectory(ctx, cmd, rsync, paths); err != nil {
						return fmt.Errorf("failed to sync back the changes from guest instance to host temporary directory: %w", err)
					}
					rsyncToTempDir = true
				}
			}

The rsync CopyTool is constructed with excludeArgs baked into AdditionalArgs at cmd/limactl/shell.go:398-404, then reused at line 554 to populate hostTmpDest. As a result, excluded files are absent from the temporary guest snapshot. The diff at line 547 then compares the unfiltered live hostCurrentDir against that filtered snapshot, so for --sync-exclude=foo.txt the user sees foo.txt listed as "Only in host" — i.e., a pending deletion — even though accepting the prompt will leave foo.txt untouched. This is a regression: pre-PR there were no exclude args, so the two trees were comparable.

cmd/limactl/shell.go

		paths := []string{
			hostCurrentDir,
			fmt.Sprintf("%s:%s", inst.Name, destRsyncDir),
		}
		excludeArgs = buildSyncExcludeArgs(syncExcludes, hostCurrentDir)
		rsync, err = copytool.New(ctx, string(copytool.BackendRsync), paths, &copytool.Options{
			Recursive: true,
			Verbose:   false,
			AdditionalArgs: append([]string{
				"--delete",
			}, excludeArgs...),
		})
		if err != nil {
			return err
		}
		logrus.Debugf("using copy tool %q", rsync.Name())

Fix: diff two equivalently filtered trees. Materialize a filtered host snapshot (using the same exclude args) into a separate temp dir, then diff hostTmpSource hostTmpDest. Alternatively, run rsync --dry-run --itemize-changes with the excludes between hostCurrentDir and remoteSource and feed the parsed output into the pager.

I3. validateSyncFlagValue is a string-prefix workaround for an --sync parsing ambiguity Claude¶

cmd/limactl/shell.go

	syncDirVal, err := flags.GetString("sync")
	if err != nil {
		return fmt.Errorf("failed to get sync flag: %w", err)
	}
	syncHostWorkdir := syncDirVal != ""
	// Validate that --sync has a proper directory value, not another flag
	if err := validateSyncFlagValue(syncDirVal); err != nil {
		return err
	}
	if syncHostWorkdir && len(inst.Config.Mounts) > 0 {
		return errors.New("cannot use `--sync` when the instance has host mounts configured, start the instance with `--mount-none` to disable mounts")
	}

	syncExcludes, err := flags.GetStringArray("sync-exclude")

This was added because limactl shell --sync --sync-exclude=git ai-box ls lets cobra consume --sync-exclude=git as the value of --sync. The string-prefix check is a partial fix only:

It rejects any directory argument that literally begins with -- (e.g., a relative path named --data). Rare in practice, but it is a behavioral cliff with no escape hatch in the error.
It does not catch the symmetric case limactl shell --sync ai-box ls, where ai-box is silently consumed as the sync directory and ls becomes the (nonexistent) instance name. The user gets a confusing "instance does not exist" error.

The root cause is that --sync is declared as a String flag, while users routinely want the implicit . shorthand. Two cleaner options:

Declare --sync as a Bool and pull the directory from the next positional arg (matching the help text --sync <DIR>); the parser then does the right thing.
Or, declare it String with NoOptDefVal so a bare --sync defaults to ., and remove this validator entirely.

If neither refactor is acceptable, narrow the check to recognize specific Lima flag tokens, document the ./--foo workaround for paths that legitimately start with --, and split the usage string out of the error so it does not drift from cobra's generated help (see S8).

Suggestions ¶

S1. No test for --sync-exclude rejected without --sync Claude¶

cmd/limactl/shell.go


	syncExcludes, err := flags.GetStringArray("sync-exclude")
	if err != nil {
		return fmt.Errorf("failed to get sync-exclude flag: %w", err)
	}
	if len(syncExcludes) > 0 && !syncHostWorkdir {
		return errors.New("cannot use `--sync-exclude` without `--sync`")
	}

	// When workDir is explicitly set, the shell MUST have workDir as the cwd, or exit with an error.
	//
	// changeDirCmd := "cd workDir || exit 1"                  if workDir != ""
	//              := "cd hostCurrentDir || cd hostHomeDir"   if workDir == ""

This is the user-visible contract introduced by the PR but has no Go-level or BATS coverage. A regression that drops or inverts the guard would not be caught. Add a BATS case (limactl shell --sync-exclude=foo $INSTANCE -- true asserting the error) or extract the check into a helper that can be unit-tested.

S2. buildSyncExcludeArgs swallows non-ENOENT stat errors Claude¶

cmd/limactl/shell.go

func buildSyncExcludeArgs(excludes []string, syncDir string) []string {
	var args []string
	for _, pattern := range excludes {
		args = append(args, "--exclude", pattern)
	}
	ignoreFile := filepath.Join(syncDir, ".limasyncignore")
	if _, err := os.Stat(ignoreFile); err == nil {
		args = append(args, "--exclude-from", ignoreFile)
	}
	return args
}

// validateSyncFlagValue ensures the value passed to --sync is a directory
// path and not another flag token like "--sync-exclude=...".

If .limasyncignore exists but os.Stat fails for a reason other than ENOENT (permission denied, broken symlink, I/O error), the file is silently ignored and the sync quietly stops respecting the user's excludes.

Fix: skip on errors.Is(err, fs.ErrNotExist), log a warning otherwise so the operator can diagnose.

ignoreFile := filepath.Join(syncDir, ".limasyncignore")
switch _, err := os.Stat(ignoreFile); {
case err == nil:
    args = append(args, "--exclude-from", ignoreFile)
case errors.Is(err, fs.ErrNotExist):
    // no ignore file
default:
    logrus.WithError(err).Warnf("ignoring %s due to stat error", ignoreFile)
}

S3. Use rsync's per-directory merge filter instead of a startup os.Stat lookup Gemini¶

cmd/limactl/shell.go

	return &s
}

// buildSyncExcludeArgs converts --sync-exclude flag values and an optional
// .limasyncignore file into rsync --exclude / --exclude-from arguments.
func buildSyncExcludeArgs(excludes []string, syncDir string) []string {
	var args []string
	for _, pattern := range excludes {
		args = append(args, "--exclude", pattern)
	}
	ignoreFile := filepath.Join(syncDir, ".limasyncignore")
	if _, err := os.Stat(ignoreFile); err == nil {
		args = append(args, "--exclude-from", ignoreFile)
	}
	return args
}

// validateSyncFlagValue ensures the value passed to --sync is a directory
// path and not another flag token like "--sync-exclude=...".
func validateSyncFlagValue(syncDirVal string) error {
	if syncDirVal != "" && strings.HasPrefix(syncDirVal, "--") {

The current implementation snapshots the host-side .limasyncignore at startup and embeds its absolute path into the rsync arguments reused for both the host→guest sync and the guest→host sync-back. Two consequences:

An ignore file created or modified inside the guest during the shell session is never honored on the way back, because rsync still reads the host-side path.
If the user deletes the host-side .limasyncignore mid-session, the cached --exclude-from argument now points at a missing file, causing both getRsyncStats and the eventual rsyncBack() to fail. The pre-existing unconditional defer cleanup at cmd/limactl/shell.go:480-485 then rm -rfs the guest workdir regardless. The data-loss-on-failure behavior is pre-existing and not a regression of this PR (verified at MERGE_BASE 898ac652), but the new code adds a contrived trigger.

cmd/limactl/shell.go

		}
		logrus.Info("Successfully synced back the changes to host.")
		return nil
	}

	defer func() {
		// Clean up the guest synced workdir
		if err := executeSSHForRsync(ctx, *sshCmd, inst.SSHLocalPort, inst.SSHAddress, fmt.Sprintf("rm -rf %s", dirForCleanup)); err != nil {
			logrus.WithError(err).Warn("Failed to clean up guest synced workdir")
		}
	}()

	if !tty {
		return rsyncBack()
	}

Fix: replace the static --exclude-from with rsync's per-directory merge filter, which evaluates the ignore file dynamically at the root of the transfer and tolerates a missing file:

args = append(args, "--filter", ":- /.limasyncignore")

This also eliminates the empty-string placeholder dance in TestBuildSyncExcludeArgs and consolidates host- and guest-side semantics. The unconditional cleanup defer is a separate, pre-existing concern worth tracking independently.

S4. Docs say "directories" but the flag and file accept rsync patterns Claude¶

website/content/en/docs/examples/ai.md

### Excluding files or directories from syncing

 | ⚡ Requirement | Lima >= 2.2 |
 |----------------|-------------|

In addition to the `--sync` flag, a `--sync-exclude` flag is available, which allows you to configure directories that will not be synced to the VM. This is useful to exclude large generated directories (like `node_modules`, or `vendor`),
or more sensitive files (like credentials, or a `.git` directory). This flag can be repeated to exclude multiple directories.

The flag is passed to **rsync** as `--exclude` and must conform to its conventions.

```bash
limactl shell --sync . --sync-exclude .git default
```

The example in the same section uses *.o, which is a glob, not a directory. The docs should say "files or patterns" (or just "patterns") and link the rsync --exclude FILTER RULES section so users know which globbing conventions apply. The .limasyncignore block is missing a note on precedence: file and flag are additive — both apply if both are present.

S5. TestBuildSyncExcludeArgs mutates the loop-table fixture in place Claude¶

cmd/limactl/shell_test.go

	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			dir := t.TempDir()
			if tt.hasIgnore {
				ignoreFile := filepath.Join(dir, ".limasyncignore")
				err := os.WriteFile(ignoreFile, []byte("build\ndist\n"), 0o644)
				assert.NilError(t, err)
				// Patch expected with actual path
				for i, v := range tt.expected {
					if v == "" {
						tt.expected[i] = ignoreFile
					}
				}
			}
			got := buildSyncExcludeArgs(tt.excludes, dir)
			assert.DeepEqual(t, got, tt.expected)
		})
	}
}

The empty-string sentinel exists because t.TempDir() is unknown at table-declaration time, but the in-place patch is fragile: a future refactor that runs subtests in parallel, or one that shares tt.expected across cases, would silently corrupt fixtures. Build expected from explicit fields (e.g., wantPatterns []string, wantIgnore bool) and compute the final []string inside the subtest body.

S6. excludeArgs is plumbed through three functions purely as a duplicate parameter Claude¶

cmd/limactl/shell.go

		sshOpts = sshutil.SSHOptsRemovingControlPath(sshOpts)
	}
	sshArgs := append([]string{}, sshExe.Args...)
	sshArgs = append(sshArgs, sshutil.SSHArgsFromOpts(sshOpts)...)

	var (
		sshExecForRsync *exec.Cmd
		rsync           copytool.CopyTool
		excludeArgs     []string
	)
	if syncHostWorkdir {
		logrus.Infof("Syncing host current directory(%s) to guest instance...", hostCurrentDir)
		sshExecForRsync = exec.CommandContext(ctx, sshExe.Exe, sshArgs...)

		// Create the destination directory in the guest instance,

excludeArgs is now threaded through askUserForRsyncBack and getRsyncStats solely to be re-appended to a fresh copytool.Options. Two reasonable cleanups: reuse the existing rsync CopyTool for the dry-run inside getRsyncStats (with per-call options for --dry-run --itemize-changes), or wrap source/dest/AdditionalArgs into a single struct. As-is, askUserForRsyncBack now takes nine positional parameters and any future caller that forgets excludeArgs will produce stats that disagree with the actual sync.

S7. Hardcoded usage string in the validator error Gemini¶

cmd/limactl/shell.go


// validateSyncFlagValue ensures the value passed to --sync is a directory
// path and not another flag token like "--sync-exclude=...".
func validateSyncFlagValue(syncDirVal string) error {
	if syncDirVal != "" && strings.HasPrefix(syncDirVal, "--") {
		return fmt.Errorf("--sync flag requires a directory path argument, got %q instead\nUsage: limactl shell --sync <DIR> [--sync-exclude <PATTERN>...] <INSTANCE> [COMMAND...]", syncDirVal)
	}
	return nil
}

func hasMetadataDelta(attrs string) bool {

The hardcoded usage line will drift from cobra's generated help the first time the flag set changes. Drop the second sentence and rely on limactl shell --help:

return fmt.Errorf("--sync flag requires a directory path argument, got %q instead", syncDirVal)

Design Observations ¶

Concerns ¶

Magic-file conventions deserve an opt-in switch (in-scope) Claude. .limasyncignore is implicitly applied when present. @unsuman raised this concern in PR review and the author's own counter-proposal of --sync-exclude-from is more discoverable, easier to script, and avoids "why is my file not syncing?" debugging on workstations that happen to carry an old .limasyncignore. Resolving the design question before merge would avoid shipping a magic-file convention that has to be deprecated later. Overlaps with Unresolved Feedback below.
--sync overloads value semantics (future) Claude. The flag is documented as taking a directory but the code papers over it repeatedly: implicit ., validator that rejects ---prefixed values, error path for missing argument. Making it a boolean with a separate positional, or giving it NoOptDefVal=., would eliminate I3 and a class of UX bugs.

Strengths ¶

Same exclude args applied throughout the pipeline (in-scope) Codex. The initial sync, the dry-run stats, and the actual sync-back all use the same excludeArgs, preserving the core data-transfer contract users expect from --sync-exclude. (The "View the changed contents" path is the one place this symmetry breaks — see I2.)
Unit-test discipline (in-scope) Claude. TestBuildSyncExcludeArgs covers no-excludes, single, multiple, and ignore-file-only paths.
Round-trip BATS coverage (in-scope) Claude. The new BATS tests assert that excluded files are not pushed and not overwritten on the way back — the correct invariant for an exclude feature.
Minimal blast radius (in-scope) Claude. The PR keeps the existing rsync wiring intact and just appends --exclude arguments; no new dependencies and easy to revert.

Testing Assessment ¶

Unit and BATS coverage is adequate for the happy path. Untested scenarios, ranked by risk:

Windows behavior — neither unit nor BATS test exercises runtime.GOOS == "windows" paths, and the .limasyncignore lookup is broken there (I1).
Interactive "View the changed contents" path with excludes — would catch I2.
--sync-exclude without --sync — error path is uncovered (S1).
.limasyncignore modified inside the guest during the session — current implementation cannot honor it (S3).
Both --sync-exclude and .limasyncignore present — the additive contract is implemented but not pinned by a test.
.limasyncignore patterns that exercise rsync filter-rule semantics (leading slash, negation, .limasyncignore matching itself).

Documentation Assessment ¶

website/content/en/docs/examples/ai.md:193-196 says "directories" but the in-page example uses *.o; correct to "files or patterns" and link the rsync FILTER RULES section (S4).
The doc does not state the precedence rule when both --sync-exclude and .limasyncignore are present (S4).
Help text for --sync-exclude (shell.go:76) reads "Exclude pattern for --sync (can be specified multiple times)"; brief mention of rsync --exclude semantics would mirror the docs.
The "Lima >= 2.2" requirement banner pins a version that is not yet released; verify this is the intended target and bump if the PR slips.

Commit Structure ¶

Two commits: feature + tests. Splitting BATS tests from the implementation is reasonable, but tests usually land in the same commit as the feature so git bisect does not land on a commit lacking coverage. Squashing into one commit before merge would be cleaner.

Acknowledged Limitations ¶

Windows error 1 — rsync missing: author response (@peschmae): "I assume this is already the case with 2.1? […] I think this is unrelated to this PR." The final code adds an exec.LookPath preflight at cmd/limactl/shell.go:236-237, so the error message is now actionable; not a finding.
Windows error 2/3 — path concatenation and positional parsing: diagnosed by @peschmae as a pre-existing issue triggered by mixed-shell path separators (os.PathSeparator vs. / from Git Bash). The PR does not change the relevant code path; out of scope for this review.
.limasyncignore design: @unsuman proposed an environment-block style config; @peschmae proposed --sync-exclude-from as an alternative. Author kept the magic-file behavior pending further input. See Unresolved Feedback.

Unresolved Feedback ¶

@unsuman on website/content/en/docs/examples/ai.md:202 — questioned whether .limasyncignore is the right design vs. a LIMA_SHELLENV_BLOCK-style config block. https://github.com/lima-vm/lima/pull/4917#discussion_r3174868896 — The author replied with a --sync-exclude-from counter-proposal but did not commit a change. Still actionable; resolving before merge would avoid shipping a magic-file convention that has to be deprecated later. Overlaps with the Design Concern above.

Agent Performance Retro ¶

Claude ¶

Produced the longest and most varied review: caught the Windows path bug (I1), proposed both refactor options for the --sync validator (I3), and surfaced the strongest set of suggestions including the missing-test gap (S1), error-handling tightening (S2), doc precision (S4), test fixture mutation (S5), and parameter-list bloat (S6). The example list of "blocked legitimate paths" (./--foo) for I3 was incorrect — ./--foo does not start with -- — but the underlying complaint about the validator being a partial fix stood, and I downgraded the wording rather than the finding.

Codex ¶

Smaller surface area but the highest-signal-per-finding ratio: independently caught the Windows path bug (its I2, merged with Claude's I1) and was the only agent to spot the interactive-diff asymmetry (I2), which is the most user-visible regression in the PR. No suggestions and no false positives. Coverage summary correctly attributed both findings to shell.go.

Gemini ¶

Single critical finding (its C1) was misclassified: the unconditional defer rm -rf on rsync-back failure is pre-existing, not a regression of this PR (verified at MERGE_BASE 898ac652 — the defer block is identical). The TOCTOU framing exaggerated a contrived trigger. The proposed --filter ':- /.limasyncignore' mechanism is genuinely useful — it makes ignore evaluation dynamic and respects guest-side files — so I demoted it to S3 rather than dropping it. Gemini also produced one valid suggestion (S7, hardcoded usage string). Its git blame skip is the documented daily-quota behavior.

Summary ¶

	Claude Opus 4.7	Codex GPT 5.5	Gemini 3.1 Pro
Duration	3m 43s	3m 00s	12m 44s
Findings	1I 6S	2I	2S
Tool calls	9 (Read 5, Bash 3, Grep 1)	17 (shell 17)	28 (runshellcommand 20, grepsearch 5, readfile 3)
Design observations	6	1	0
False positives	0	0	0
Unique insights	5	1	1
Files reviewed	4	4	4
Coverage misses	0	0	0
Totals	1I 6S	2I	2S
Downgraded	1 (I→S)	0	1 (I→S)
Dropped	0	0	0

Reconciliation

Gemini C1 (data-loss TOCTOU on .limasyncignore removal): demoted critical → suggestion S3. Reason: the unconditional cleanup defer is pre-existing (not a regression of this PR), the TOCTOU trigger is contrived, and the proposed --filter fix has independent merit but does not actually close the underlying data-loss path.
Claude I3 (no test for --sync-exclude without --sync): demoted important → suggestion S1. Reason: missing test coverage of a new contract is real, but the failure mode is a regression net rather than a current bug.

Codex provided the highest signal in the smallest review and was the only agent to find the interactive-diff regression. Claude provided the broadest coverage and the cleanest fix sketches. Gemini's contribution was one usable suggestion plus a misclassified critical that nonetheless surfaced a useful refactor idea.

Review Process Notes ¶

Skill improvements ¶

None. The current dimensions and verification gates were sufficient to catch the misclassified critical and reconcile the duplicate Windows-path finding.

Repo context updates ¶

[repo] When reviewing changes to limactl shell --sync flow, check whether excludeArgs (or any rsync option set introduced in the change) is applied symmetrically in all three rsync invocations in cmd/limactl/shell.go: the initial host→guest sync, the getRsyncStats dry-run, and the "View the changed contents" path that populates a temp directory before diff. The "View" path diffs the live host directory against a filtered guest snapshot, so any filter applied only to the rsync side will misrepresent excluded files as deletions. Reason: this asymmetry shipped as I2 in this review; future filter-flag additions are likely to repeat the pattern.
[repo] When a Lima command builds host paths and then converts them with mountDirFromWindowsDir / pkg/ioutilx.WindowsSubsystemPath / WindowsSubsystemPathForLinux, treat the original native path and the converted path as two distinct values. Any os.Stat, os.Open, or other filesystem call from the limactl process must use the native host path; only arguments handed to a tool that runs against the converted toolchain (rsync over WSL, ssh into a WSL2 instance) should use the converted form. A single hostCurrentDir variable that is overwritten with the converted path causes silent failures on Windows. Reason: this pattern shipped as I1 in this review.