diff --git a/cmd/cmd.go b/cmd/cmd.go
index 2c1a32caa5..b9603b740a 100644
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -18,6 +18,7 @@ import (
 	"github.com/databricks/cli/cmd/experimental"
 	"github.com/databricks/cli/cmd/fs"
 	"github.com/databricks/cli/cmd/labs"
+	"github.com/databricks/cli/cmd/lakebox"
 	"github.com/databricks/cli/cmd/pipelines"
 	"github.com/databricks/cli/cmd/root"
 	"github.com/databricks/cli/cmd/selftest"
@@ -121,6 +122,7 @@ func New(ctx context.Context) *cobra.Command {
 	cli.AddCommand(configure.New())
 	cli.AddCommand(fs.New())
 	cli.AddCommand(labs.New(ctx))
+	cli.AddCommand(lakebox.New())
 	cli.AddCommand(sync.New())
 	cli.AddCommand(version.New())
 	cli.AddCommand(selftest.New())
diff --git a/cmd/fuzz_panic_test.go b/cmd/fuzz_panic_test.go
index 4fb5d5b9d3..e4037b4ef8 100644
--- a/cmd/fuzz_panic_test.go
+++ b/cmd/fuzz_panic_test.go
@@ -208,6 +208,7 @@ func isAutoGenerated(leaf leafCommand) bool {
 		"configure":    true,
 		"experimental": true,
 		"labs":         true,
+		"lakebox":      true,
 		"pipelines":    true,
 		"psql":         true,
 		"selftest":     true,
diff --git a/cmd/lakebox/api.go b/cmd/lakebox/api.go
new file mode 100644
index 0000000000..3ae086c922
--- /dev/null
+++ b/cmd/lakebox/api.go
@@ -0,0 +1,339 @@
+package lakebox
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/databricks/cli/libs/auth"
+	"github.com/databricks/databricks-sdk-go"
+	"github.com/databricks/databricks-sdk-go/client"
+)
+
+// sandboxPath returns the URL path for a single sandbox resource. The ID is
+// path-escaped so a value like `foo;rm -rf /` lands on
+// `/sandboxes/foo%3Brm%20-rf%20%2F` and gets a clean 400 from the server,
+// rather than its unescaped `/` re-routing the request to the list endpoint
+// (which silently returns an empty result the CLI then renders as an
+// all-zero sandbox record).
+func sandboxPath(id string) string {
+	return lakeboxAPIPath + "/" + url.PathEscape(id)
+}
+
+// Sub-collections under the lakebox service namespace.
+const (
+	lakeboxAPIPath     = "/api/2.0/lakebox/sandboxes"
+	lakeboxKeysAPIPath = "/api/2.0/lakebox/ssh-keys"
+)
+
+// orgIDHeader scopes the credential to a workspace on multi-workspace
+// gateways. Without it, requests fail with "Credential was not sent or was
+// of an unsupported type for this API."
+const orgIDHeader = "X-Databricks-Org-Id"
+
+// maxNameBytes mirrors the server-side `Sandbox.name` cap. The server
+// measures bytes (not runes), so emoji hit the limit faster than expected;
+// mirroring it client-side lets us fail fast with the observed byte count.
+const maxNameBytes = 256
+
+// validateName rejects names that exceed the wire limit (counted in bytes).
+func validateName(name string) error {
+	if n := len(name); n > maxNameBytes {
+		return fmt.Errorf("--name is %d bytes; limit is %d (emoji and most non-ASCII characters count as 2-4 bytes each)", n, maxNameBytes)
+	}
+	return nil
+}
+
+// lakeboxAPI wraps the SDK ApiClient with workspace-id-aware request headers.
+type lakeboxAPI struct {
+	c *client.DatabricksClient
+}
+
+// sandboxCreateBody is the inner `Sandbox` message in the create payload.
+// Only `name` is caller-settable; the rest are server-chosen.
+type sandboxCreateBody struct {
+	Name string `json:"name,omitempty"`
+}
+
+// createRequest is the wrapped POST body for sandbox creation.
+type createRequest struct {
+	Sandbox sandboxCreateBody `json:"sandbox"`
+}
+
+// createResponse mirrors the Sandbox proto after JSON transcoding.
+// GatewayHost is `omitempty` so old and new server versions round-trip
+// cleanly.
+type createResponse struct {
+	SandboxID   string `json:"sandboxId"`
+	Status      string `json:"status"`
+	GatewayHost string `json:"gatewayHost,omitempty"`
+}
+
+// sandboxEntry mirrors the Sandbox proto after JSON transcoding.
+// IdleTimeout and NoAutostop are pointer-typed so we can distinguish
+// "field absent on the wire" (server uses its default) from "explicitly
+// set to 0 / false". IdleTimeout is a proto3-canonical Duration string
+// (see idleTimeoutSecs).
+type sandboxEntry struct {
+	SandboxID     string  `json:"sandboxId"`
+	Status        string  `json:"status"`
+	GatewayHost   string  `json:"gatewayHost,omitempty"`
+	Name          string  `json:"name,omitempty"`
+	CreateTime    string  `json:"createTime,omitempty"`
+	LastStartTime string  `json:"lastStartTime,omitempty"`
+	IdleTimeout   *string `json:"idleTimeout,omitempty"`
+	NoAutostop    *bool   `json:"noAutostop,omitempty"`
+}
+
+// idleTimeoutSecs parses the proto3-canonical Duration string off
+// `IdleTimeout` (e.g. `"900s"` → `900`). Returns 0 when unset or when
+// the string is not a recognizable Duration. Sub-second precision is
+// dropped — the watchdog only acts on whole seconds.
+func (e *sandboxEntry) idleTimeoutSecs() int64 {
+	if e.IdleTimeout == nil {
+		return 0
+	}
+	s := *e.IdleTimeout
+	if !strings.HasSuffix(s, "s") {
+		return 0
+	}
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0
+	}
+	return int64(d.Seconds())
+}
+
+// autoStopLabel renders the auto-stop policy for one sandbox:
+//   - `no_autostop == true` → never auto-stops
+//   - `idle_timeout` set and positive → that many seconds
+//   - otherwise → no enforcement today; render as "never"
+//
+// If the manager later enforces an idle-grace default, render it here.
+func (e *sandboxEntry) autoStopLabel() string {
+	if e.NoAutostop != nil && *e.NoAutostop {
+		return "never"
+	}
+	if secs := e.idleTimeoutSecs(); secs > 0 {
+		return formatDurationSecs(secs)
+	}
+	return "never"
+}
+
+// formatDurationSecs prints `secs` as a compact duration (e.g. `90s`,
+// `15m`, `2h`, `1h30m`). Falls back to seconds if it's not a clean
+// minute/hour multiple.
+func formatDurationSecs(secs int64) string {
+	if secs < 60 {
+		return fmt.Sprintf("%ds", secs)
+	}
+	if secs%3600 == 0 {
+		return fmt.Sprintf("%dh", secs/3600)
+	}
+	if secs >= 3600 {
+		return fmt.Sprintf("%dh%dm", secs/3600, (secs%3600)/60)
+	}
+	if secs%60 == 0 {
+		return fmt.Sprintf("%dm", secs/60)
+	}
+	return fmt.Sprintf("%ds", secs)
+}
+
+// listResponse is the JSON body returned by GET /api/2.0/lakebox/sandboxes.
+type listResponse struct {
+	Sandboxes     []sandboxEntry `json:"sandboxes"`
+	NextPageToken string         `json:"nextPageToken,omitempty"`
+}
+
+// listPageSize matches the manager-side default.
+const listPageSize = 100
+
+// updateBody is the PATCH body; the server takes the inner `Sandbox`
+// message directly with no `{"sandbox": ...}` wrapping. Pointer fields
+// encode proto3 optional semantics (see sandboxEntry).
+type updateBody struct {
+	SandboxID   string  `json:"sandbox_id"`
+	Name        *string `json:"name,omitempty"`
+	IdleTimeout *string `json:"idle_timeout,omitempty"`
+	NoAutostop  *bool   `json:"no_autostop,omitempty"`
+}
+
+// registerKeyRequest is the JSON body for POST /api/2.0/lakebox/ssh-keys.
+type registerKeyRequest struct {
+	PublicKey string `json:"public_key"`
+	Name      string `json:"name,omitempty"`
+}
+
+// newLakeboxAPI returns a lakeboxAPI bound to the workspace client's config.
+func newLakeboxAPI(w *databricks.WorkspaceClient) (*lakeboxAPI, error) {
+	c, err := client.New(w.Config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create lakebox API client: %w", err)
+	}
+	return &lakeboxAPI{c: c}, nil
+}
+
+// headers attaches the workspace routing identifier so multi-workspace
+// gateways (e.g. SPOG hosts) can scope the credential. The
+// auth.WorkspaceIDNone sentinel ("none") is treated as unset so the
+// literal string never goes on the wire.
+func (a *lakeboxAPI) headers() map[string]string {
+	wsID := a.c.Config.WorkspaceID
+	if wsID == "" || wsID == auth.WorkspaceIDNone {
+		return nil
+	}
+	return map[string]string{orgIDHeader: wsID}
+}
+
+// create calls POST /api/2.0/lakebox/sandboxes. An empty `name` is omitted
+// so the server treats it as "unset" rather than "explicit empty string".
+func (a *lakeboxAPI) create(ctx context.Context, name string) (*createResponse, error) {
+	body := createRequest{Sandbox: sandboxCreateBody{Name: name}}
+	var resp createResponse
+	err := a.c.Do(ctx, http.MethodPost, lakeboxAPIPath, a.headers(), nil, body, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// list calls GET /api/2.0/lakebox/sandboxes, following pagination until the
+// server stops sending `next_page_token`.
+func (a *lakeboxAPI) list(ctx context.Context) ([]sandboxEntry, error) {
+	var all []sandboxEntry
+	pageToken := ""
+	for {
+		page, err := a.listPage(ctx, pageToken)
+		if err != nil {
+			return nil, err
+		}
+		all = append(all, page.Sandboxes...)
+		if page.NextPageToken == "" {
+			return all, nil
+		}
+		pageToken = page.NextPageToken
+	}
+}
+
+// listPage fetches a single page of sandboxes.
+//
+// `query` is passed in slot 6 (`request`), not slot 5 (`queryParams`). On
+// GET, the SDK's makeRequestBody serializes `request` into the URL query
+// string and sends an empty body. Routing through `queryParams` instead
+// makes it write a literal `null` body, which the lakebox manager rejects
+// with `INVALID_PARAMETER_VALUE: Request body must be a JSON object`. See
+// databricks-sdk-go/httpclient/request.go:makeRequestBody.
+func (a *lakeboxAPI) listPage(ctx context.Context, pageToken string) (*listResponse, error) {
+	query := map[string]any{"page_size": listPageSize}
+	if pageToken != "" {
+		query["page_token"] = pageToken
+	}
+	var resp listResponse
+	err := a.c.Do(ctx, http.MethodGet, lakeboxAPIPath, a.headers(), nil, query, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// get calls GET /api/2.0/lakebox/sandboxes/{id}.
+func (a *lakeboxAPI) get(ctx context.Context, id string) (*sandboxEntry, error) {
+	var resp sandboxEntry
+	err := a.c.Do(ctx, http.MethodGet, sandboxPath(id), a.headers(), nil, nil, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// update calls PATCH /api/2.0/lakebox/sandboxes/{id} with whichever of
+// `idle_timeout` / `no_autostop` the caller chose to set. Fields left nil
+// are omitted from the wire payload, so the server preserves their current
+// values. Returns the refreshed `sandboxEntry`.
+func (a *lakeboxAPI) update(ctx context.Context, id string, name *string, idleTimeoutSecs *int64, noAutostop *bool) (*sandboxEntry, error) {
+	var idleTimeout *string
+	if idleTimeoutSecs != nil {
+		s := fmt.Sprintf("%ds", *idleTimeoutSecs)
+		idleTimeout = &s
+	}
+	body := updateBody{
+		SandboxID:   id,
+		Name:        name,
+		IdleTimeout: idleTimeout,
+		NoAutostop:  noAutostop,
+	}
+	var resp sandboxEntry
+	err := a.c.Do(ctx, http.MethodPatch, sandboxPath(id), a.headers(), nil, body, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// delete calls DELETE /api/2.0/lakebox/sandboxes/{id}.
+func (a *lakeboxAPI) delete(ctx context.Context, id string) error {
+	return a.c.Do(ctx, http.MethodDelete, sandboxPath(id), a.headers(), nil, nil, nil)
+}
+
+// stop calls POST /api/2.0/lakebox/sandboxes/{id}/stop and returns the
+// refreshed sandbox.
+func (a *lakeboxAPI) stop(ctx context.Context, id string) (*sandboxEntry, error) {
+	body := map[string]string{"sandbox_id": id}
+	var resp sandboxEntry
+	err := a.c.Do(ctx, http.MethodPost, sandboxPath(id)+"/stop", a.headers(), nil, body, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// start calls POST /api/2.0/lakebox/sandboxes/{id}/start and returns the
+// refreshed sandbox.
+func (a *lakeboxAPI) start(ctx context.Context, id string) (*sandboxEntry, error) {
+	body := map[string]string{"sandbox_id": id}
+	var resp sandboxEntry
+	err := a.c.Do(ctx, http.MethodPost, sandboxPath(id)+"/start", a.headers(), nil, body, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+// registerKey calls POST /api/2.0/lakebox/ssh-keys. An empty `name` is
+// omitted so the server records "unset" rather than an explicit empty string.
+func (a *lakeboxAPI) registerKey(ctx context.Context, publicKey, name string) error {
+	return a.c.Do(ctx, http.MethodPost, lakeboxKeysAPIPath, a.headers(), nil, registerKeyRequest{PublicKey: publicKey, Name: name}, nil)
+}
+
+// sshKeyEntry is a single item in the ssh-key list response.
+type sshKeyEntry struct {
+	KeyHash     string `json:"keyHash"`
+	Name        string `json:"name,omitempty"`
+	CreateTime  string `json:"createTime,omitempty"`
+	LastUseTime string `json:"lastUseTime,omitempty"`
+}
+
+// listKeysResponse is the JSON body returned by GET /api/2.0/lakebox/ssh-keys.
+// Per-user keys are hard-capped server-side, so the full set fits in one
+// response — no pagination.
+type listKeysResponse struct {
+	SshKeys []sshKeyEntry `json:"sshKeys"`
+}
+
+// listKeys calls GET /api/2.0/lakebox/ssh-keys.
+func (a *lakeboxAPI) listKeys(ctx context.Context) ([]sshKeyEntry, error) {
+	var resp listKeysResponse
+	err := a.c.Do(ctx, http.MethodGet, lakeboxKeysAPIPath, a.headers(), nil, nil, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return resp.SshKeys, nil
+}
+
+// deleteKey calls DELETE /api/2.0/lakebox/ssh-keys/{key_hash}.
+func (a *lakeboxAPI) deleteKey(ctx context.Context, keyHash string) error {
+	return a.c.Do(ctx, http.MethodDelete, lakeboxKeysAPIPath+"/"+url.PathEscape(keyHash), a.headers(), nil, nil, nil)
+}
diff --git a/cmd/lakebox/api_test.go b/cmd/lakebox/api_test.go
new file mode 100644
index 0000000000..9664f19f7d
--- /dev/null
+++ b/cmd/lakebox/api_test.go
@@ -0,0 +1,31 @@
+package lakebox
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateNameAcceptsAscii(t *testing.T) {
+	require.NoError(t, validateName(""))
+	require.NoError(t, validateName("my-project"))
+	require.NoError(t, validateName(strings.Repeat("a", 256))) // boundary: exactly the limit
+}
+
+func TestValidateNameRejectsOversize(t *testing.T) {
+	err := validateName(strings.Repeat("a", 257))
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "257 bytes")
+	assert.Contains(t, err.Error(), "256")
+}
+
+func TestValidateNameCountsBytesNotRunes(t *testing.T) {
+	// 64 panda emoji = 64 × 4 bytes = 256 bytes — at the limit, OK.
+	require.NoError(t, validateName(strings.Repeat("🐼", 64)))
+	// 65 = 260 bytes, rejected.
+	err := validateName(strings.Repeat("🐼", 65))
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "260 bytes")
+}
diff --git a/cmd/lakebox/completion.go b/cmd/lakebox/completion.go
new file mode 100644
index 0000000000..29e9c07420
--- /dev/null
+++ b/cmd/lakebox/completion.go
@@ -0,0 +1,72 @@
+package lakebox
+
+import (
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/spf13/cobra"
+)
+
+// completeSandboxIDs returns sandbox IDs and (distinct) display names
+// from the local cache for tab completion. Cache-only so an unrefreshed
+// token never hangs the shell; any failure yields no suggestions.
+func completeSandboxIDs(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	if len(args) > 0 {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	profile := completionProfile(cmd, args)
+	if profile == "" {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	sbs := getSandboxes(cmd.Context(), profile)
+	if len(sbs) == 0 {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	// Server defaults `name` to the ID, so only emit the name when it's distinct.
+	suggestions := make([]string, 0, len(sbs)*2)
+	for _, s := range sbs {
+		suggestions = append(suggestions, s.ID)
+		if s.Name != "" && s.Name != s.ID {
+			suggestions = append(suggestions, s.Name)
+		}
+	}
+	return suggestions, cobra.ShellCompDirectiveNoFileComp
+}
+
+// completeSSHKeyHashes returns registered key hashes for `ssh-key delete`.
+// Hashes aren't cached locally, so this path calls the API.
+func completeSSHKeyHashes(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	if len(args) > 0 {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	if err := root.MustWorkspaceClient(cmd, args); err != nil {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	ctx := cmd.Context()
+	api, err := newLakeboxAPI(cmdctx.WorkspaceClient(ctx))
+	if err != nil {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	keys, err := api.listKeys(ctx)
+	if err != nil {
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	}
+	hashes := make([]string, 0, len(keys))
+	for _, k := range keys {
+		hashes = append(hashes, k.KeyHash)
+	}
+	return hashes, cobra.ShellCompDirectiveNoFileComp
+}
+
+// completionProfile returns the profile name the cache is keyed under,
+// matching the resolution used by the runtime commands (Profile if set,
+// else Host). Returns "" if the workspace client can't be bootstrapped.
+func completionProfile(cmd *cobra.Command, args []string) string {
+	if err := root.MustWorkspaceClient(cmd, args); err != nil {
+		return ""
+	}
+	w := cmdctx.WorkspaceClient(cmd.Context())
+	if w.Config.Profile != "" {
+		return w.Config.Profile
+	}
+	return w.Config.Host
+}
diff --git a/cmd/lakebox/config.go b/cmd/lakebox/config.go
new file mode 100644
index 0000000000..efe0d51220
--- /dev/null
+++ b/cmd/lakebox/config.go
@@ -0,0 +1,169 @@
+package lakebox
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/spf13/cobra"
+)
+
+// minIdleTimeoutSecs / maxIdleTimeoutSecs mirror the server-side bounds
+// on `idle_timeout`. Pre-flighting client-side gives a clearer error
+// than waiting for the server's INVALID_ARGUMENT.
+const (
+	minIdleTimeoutSecs = 60
+	maxIdleTimeoutSecs = 86_400
+)
+
+func newConfigCommand() *cobra.Command {
+	var idleTimeoutFlag string
+	var noAutostopFlag bool
+	var nameFlag string
+
+	cmd := &cobra.Command{
+		Use:   "config <lakebox-id>",
+		Short: "Configure a Lakebox's name and auto-stop policy",
+		Long: `Configure a Lakebox's name and auto-stop policy.
+
+Three knobs are independent — pass any combination:
+
+  --name <label>              Display label for the lakebox (max 256 bytes).
+                              Pass an empty string to clear.
+
+  --idle-timeout <duration>   Per-sandbox idle timeout. The watchdog reaps
+                              the sandbox after this much idle time. Pass
+                              0 (or 0s) to clear and revert to the manager's
+                              global default (10m). Valid range when set:
+                              1m to 24h.
+
+  --no-autostop[=true|false]  When true, the sandbox is exempt from
+                              idle-driven auto-stop entirely. The
+                              --idle-timeout setting is ignored while
+                              this is on. Setting --idle-timeout to a
+                              non-zero value in a later call clears
+                              --no-autostop automatically. Sandbox still
+                              stops on explicit 'databricks lakebox delete'.
+
+Examples:
+  databricks lakebox config happy-panda-1234 --name my-project
+  databricks lakebox config happy-panda-1234 --idle-timeout 15m
+  databricks lakebox config happy-panda-1234 --idle-timeout 1h30m
+  databricks lakebox config happy-panda-1234 --idle-timeout 0           # clear, use default
+  databricks lakebox config happy-panda-1234 --no-autostop                  # never auto-stop
+  databricks lakebox config happy-panda-1234 --no-autostop=false            # back to timeout path
+  databricks lakebox config happy-panda-1234 --idle-timeout 30m --no-autostop=false`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+			out := cmd.OutOrStdout()
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			id, err := resolveLocalID(ctx, profile, args[0])
+			if err != nil {
+				return err
+			}
+
+			var idleSecs *int64
+			if cmd.Flags().Changed("idle-timeout") {
+				secs, err := parseIdleTimeoutFlag(idleTimeoutFlag)
+				if err != nil {
+					return err
+				}
+				idleSecs = &secs
+			}
+
+			var noAutostop *bool
+			if cmd.Flags().Changed("no-autostop") {
+				p := noAutostopFlag
+				noAutostop = &p
+			}
+
+			var name *string
+			if cmd.Flags().Changed("name") {
+				if err := validateName(nameFlag); err != nil {
+					return err
+				}
+				n := nameFlag
+				name = &n
+			}
+
+			if idleSecs == nil && noAutostop == nil && name == nil {
+				return errors.New("nothing to update — pass --name, --idle-timeout, and/or --no-autostop")
+			}
+
+			updated, err := api.update(ctx, id, name, idleSecs, noAutostop)
+			if err != nil {
+				return fmt.Errorf("failed to update lakebox %s: %w", id, err)
+			}
+			_ = setGatewayHost(ctx, profile, updated.GatewayHost)
+			_ = upsertSandbox(ctx, profile, updated.SandboxID, updated.Name)
+
+			blank(out)
+			field(ctx, out, "id", cmdio.Bold(ctx, updated.SandboxID))
+			if updated.Name != "" {
+				field(ctx, out, "name", updated.Name)
+			}
+			field(ctx, out, "autostop", cmdio.Faint(ctx, updated.autoStopLabel()))
+			blank(out)
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVar(&nameFlag, "name", "",
+		"Display label for the lakebox (max 256 bytes). Pass --name= to clear.")
+	cmd.Flags().StringVar(&idleTimeoutFlag, "idle-timeout", "",
+		"Idle timeout (e.g. 15m, 1h30m, 90s). Pass 0 to clear and revert to the manager's default.")
+	cmd.Flags().BoolVar(&noAutostopFlag, "no-autostop", false,
+		"When true, this sandbox never auto-stops on idle. Pass --no-autostop=false to revert.")
+
+	return cmd
+}
+
+// parseIdleTimeoutFlag accepts the same syntax as time.ParseDuration plus
+// the special-case "0" / "0s" → clear. Anything else outside the
+// [60s, 86400s] window is rejected client-side.
+func parseIdleTimeoutFlag(raw string) (int64, error) {
+	d, err := time.ParseDuration(raw)
+	if err != nil {
+		// Allow bare integer seconds as a convenience (`--idle-timeout 900`).
+		var secs int64
+		if _, e2 := fmt.Sscanf(raw, "%d", &secs); e2 == nil {
+			return checkIdleSecs(secs)
+		}
+		return 0, fmt.Errorf("invalid --idle-timeout %q: %w (use Go duration syntax, e.g. 15m, 1h30m)", raw, err)
+	}
+	return checkIdleSecs(int64(d.Seconds()))
+}
+
+func checkIdleSecs(secs int64) (int64, error) {
+	if secs == 0 {
+		return 0, nil // clear / revert to global default
+	}
+	if secs < minIdleTimeoutSecs || secs > maxIdleTimeoutSecs {
+		// Echo bounds in Go duration form so they match the input the
+		// user typed (raw seconds like `86400s` reads as a different
+		// unit).
+		return 0, fmt.Errorf(
+			"idle-timeout must be 0 (clear) or between %s and %s, got %s",
+			formatDurationSecs(minIdleTimeoutSecs),
+			formatDurationSecs(maxIdleTimeoutSecs),
+			formatDurationSecs(secs),
+		)
+	}
+	return secs, nil
+}
diff --git a/cmd/lakebox/create.go b/cmd/lakebox/create.go
new file mode 100644
index 0000000000..84034214e5
--- /dev/null
+++ b/cmd/lakebox/create.go
@@ -0,0 +1,107 @@
+package lakebox
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/spf13/cobra"
+)
+
+func newCreateCommand() *cobra.Command {
+	var name string
+	var outputJSON bool
+
+	cmd := &cobra.Command{
+		Use:   "create",
+		Short: "Create a new Lakebox environment",
+		Long: `Create a new Lakebox environment.
+
+Creates a new personal development environment backed by a microVM.
+Blocks until the lakebox is running and prints the lakebox ID.
+
+Examples:
+  databricks lakebox create
+  databricks lakebox create --name my-project
+  databricks lakebox create --json`,
+		PreRunE: root.MustWorkspaceClient,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := validateName(name); err != nil {
+				return err
+			}
+
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			wantJSON := jsonOutput(cmd, outputJSON)
+
+			// In JSON mode, suppress the spinner+ok lines so the only thing
+			// on stdout/stderr that a scripted caller has to parse is the
+			// JSON body itself.
+			var result *createResponse
+			if wantJSON {
+				result, err = api.create(ctx, name)
+				if err != nil {
+					return fmt.Errorf("failed to create lakebox: %w", err)
+				}
+			} else {
+				s := spin(ctx, "Provisioning your lakebox…")
+				defer s.Close()
+				result, err = api.create(ctx, name)
+				if err != nil {
+					s.fail("Failed to create lakebox")
+					return fmt.Errorf("failed to create lakebox: %w", err)
+				}
+				s.ok("Lakebox " + cmdio.Bold(ctx, result.SandboxID) + " is " + status(ctx, result.Status))
+			}
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+			_ = setGatewayHost(ctx, profile, result.GatewayHost)
+			_ = upsertSandbox(ctx, profile, result.SandboxID, name)
+
+			// Only clobber an existing default if it's actually gone
+			// (404). Transient errors (5xx, network blip, rate limit)
+			// must not silently overwrite the user's chosen default.
+			currentDefault := getDefault(ctx, profile)
+			shouldSetDefault := currentDefault == ""
+			if !shouldSetDefault {
+				if _, err := api.get(ctx, currentDefault); errors.Is(err, apierr.ErrNotFound) {
+					shouldSetDefault = true
+				}
+			}
+			if shouldSetDefault {
+				if err := setDefault(ctx, profile, result.SandboxID); err != nil {
+					warn(ctx, fmt.Sprintf("Could not save default: %v", err))
+				} else if !wantJSON {
+					field(ctx, cmd.ErrOrStderr(), "default", result.SandboxID)
+				}
+			}
+
+			if wantJSON {
+				enc := json.NewEncoder(cmd.OutOrStdout())
+				enc.SetIndent("", "  ")
+				return enc.Encode(result)
+			}
+
+			blank(cmd.ErrOrStderr())
+			fmt.Fprintln(cmd.OutOrStdout(), result.SandboxID)
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVar(&name, "name", "", "Display label for the lakebox (max 256 bytes)")
+	cmd.Flags().BoolVar(&outputJSON, "json", false, "Output as JSON")
+
+	return cmd
+}
diff --git a/cmd/lakebox/default.go b/cmd/lakebox/default.go
new file mode 100644
index 0000000000..42f58b466a
--- /dev/null
+++ b/cmd/lakebox/default.go
@@ -0,0 +1,63 @@
+package lakebox
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/spf13/cobra"
+)
+
+func newSetDefaultCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "default <lakebox-id>",
+		Aliases: []string{"set-default"},
+		Short:   "Set the default Lakebox for SSH",
+		Long: `Set the default Lakebox that 'databricks lakebox ssh' connects to.
+
+The default is stored locally in ~/.databricks/lakebox.json per profile.
+The ID is validated against the server before being written, so a typo
+or a sandbox that lives on a different workspace fails fast instead of
+silently corrupting local state.
+
+Example:
+  databricks lakebox default happy-panda-1234`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			lakeboxID, err := resolveLocalID(ctx, profile, args[0])
+			if err != nil {
+				return err
+			}
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+			entry, err := api.get(ctx, lakeboxID)
+			if err != nil {
+				if errors.Is(err, apierr.ErrNotFound) {
+					return fmt.Errorf("no lakebox named %q — `databricks lakebox list` shows available IDs", lakeboxID)
+				}
+				return fmt.Errorf("failed to validate lakebox %s: %w", lakeboxID, err)
+			}
+
+			if err := setDefault(ctx, profile, lakeboxID); err != nil {
+				return fmt.Errorf("failed to set default: %w", err)
+			}
+			_ = upsertSandbox(ctx, profile, entry.SandboxID, entry.Name)
+			fmt.Fprintf(cmd.OutOrStdout(), "Default lakebox set to: %s\n", lakeboxID)
+			return nil
+		},
+	}
+	return cmd
+}
diff --git a/cmd/lakebox/delete.go b/cmd/lakebox/delete.go
new file mode 100644
index 0000000000..91800700b7
--- /dev/null
+++ b/cmd/lakebox/delete.go
@@ -0,0 +1,106 @@
+package lakebox
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/spf13/cobra"
+)
+
+func newDeleteCommand() *cobra.Command {
+	var autoApprove bool
+
+	cmd := &cobra.Command{
+		Use:   "delete <lakebox-id>",
+		Short: "Delete a Lakebox environment",
+		Long: `Delete a Lakebox environment.
+
+Permanently terminates and removes the specified lakebox. Prompts for
+confirmation interactively; pass --auto-approve to skip the prompt
+(required in non-interactive contexts).
+
+Examples:
+  databricks lakebox delete happy-panda-1234
+  databricks lakebox delete happy-panda-1234 --auto-approve`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			lakeboxID, err := resolveLocalID(ctx, profile, args[0])
+			if err != nil {
+				return err
+			}
+
+			// DELETE returns success on 404, so pre-check existence to
+			// surface typos clearly.
+			entry, err := api.get(ctx, lakeboxID)
+			if err != nil {
+				if errors.Is(err, apierr.ErrNotFound) {
+					return fmt.Errorf("no lakebox named %q — `databricks lakebox list` shows available IDs", lakeboxID)
+				}
+				return fmt.Errorf("failed to look up lakebox %s: %w", lakeboxID, err)
+			}
+
+			if !autoApprove {
+				// Non-interactive contexts can't prompt; fail fast with
+				// a pointer to the bypass flag instead of hanging on a
+				// read from a closed/redirected stdin.
+				if !cmdio.IsPromptSupported(ctx) {
+					return errors.New("`databricks lakebox delete` permanently destroys the sandbox; pass --auto-approve to confirm in non-interactive contexts")
+				}
+				question := "Delete lakebox " + cmdio.Bold(ctx, entry.SandboxID)
+				if entry.Name != "" && entry.Name != entry.SandboxID {
+					question += " (name: " + entry.Name + ", status: " + entry.Status + ")"
+				} else {
+					question += " (status: " + entry.Status + ")"
+				}
+				question += "?"
+				confirmed, err := cmdio.AskYesOrNo(ctx, question)
+				if err != nil {
+					return err
+				}
+				if !confirmed {
+					cmdio.LogString(ctx, "Cancelled.")
+					return nil
+				}
+			}
+
+			s := spin(ctx, "Removing "+lakeboxID+"…")
+			defer s.Close()
+
+			if err := api.delete(ctx, lakeboxID); err != nil {
+				s.fail("Failed to delete " + lakeboxID)
+				return fmt.Errorf("failed to delete lakebox %s: %w", lakeboxID, err)
+			}
+
+			_ = removeSandbox(ctx, profile, lakeboxID)
+			if getDefault(ctx, profile) == lakeboxID {
+				_ = clearDefault(ctx, profile)
+				s.ok("Removed " + cmdio.Bold(ctx, lakeboxID) + " " + cmdio.Faint(ctx, "(default cleared)"))
+			} else {
+				s.ok("Removed " + cmdio.Bold(ctx, lakeboxID))
+			}
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVar(&autoApprove, "auto-approve", false, "Skip the interactive confirmation prompt")
+
+	return cmd
+}
diff --git a/cmd/lakebox/keyhash.go b/cmd/lakebox/keyhash.go
new file mode 100644
index 0000000000..238847fe44
--- /dev/null
+++ b/cmd/lakebox/keyhash.go
@@ -0,0 +1,31 @@
+package lakebox
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"strings"
+)
+
+// keyHash returns the identifier the lakebox SSH-keys API assigns to a
+// public key. The algorithm is sha256("<type> <base64-blob>") truncated to
+// the first 16 bytes and hex-encoded; the OpenSSH comment (anything after
+// the second whitespace-separated token) is stripped before hashing, so
+// registering the same key under different comments yields the same hash.
+// Leading and trailing whitespace are trimmed first — `.pub` files end
+// with a newline that would otherwise be hashed in for comment-less keys.
+func keyHash(publicKey string) string {
+	publicKey = strings.TrimSpace(publicKey)
+	end := len(publicKey)
+	spaces := 0
+	for i, c := range publicKey {
+		if c == ' ' {
+			spaces++
+			if spaces == 2 {
+				end = i
+				break
+			}
+		}
+	}
+	sum := sha256.Sum256([]byte(publicKey[:end]))
+	return hex.EncodeToString(sum[:16])
+}
diff --git a/cmd/lakebox/keyhash_test.go b/cmd/lakebox/keyhash_test.go
new file mode 100644
index 0000000000..32d98b310b
--- /dev/null
+++ b/cmd/lakebox/keyhash_test.go
@@ -0,0 +1,68 @@
+package lakebox
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Inputs are synthetic; expected values are sha256(canonical input)[:16]
+// in hex. The algorithm was verified against the live
+// /api/2.0/lakebox/ssh-keys endpoint during exploration, so this test
+// pins the algorithm — not a known set of real registered keys.
+func TestKeyHash(t *testing.T) {
+	tests := []struct {
+		name  string
+		input string
+		want  string
+	}{
+		{
+			name:  "single-token input hashed verbatim",
+			input: "a",
+			want:  "ca978112ca1bbdcafac231b39a23dc4d",
+		},
+		{
+			name:  "type and blob with no comment",
+			input: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMY",
+			want:  "2b366430eb9743668b652921d3b22d54",
+		},
+		{
+			name:  "comment is stripped before hashing",
+			input: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMY comment-one",
+			want:  "2b366430eb9743668b652921d3b22d54",
+		},
+		{
+			name:  "different comment same key still matches",
+			input: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMY entirely-different-comment",
+			want:  "2b366430eb9743668b652921d3b22d54",
+		},
+		{
+			name:  "longer key with multi-word comment",
+			input: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITESTKEY1234 test-from-cli-exploration",
+			want:  "52c927705154e2d98a1b7036cc3e06dc",
+		},
+		{
+			name:  "empty input still produces a hash",
+			input: "",
+			want:  "e3b0c44298fc1c149afbf4c8996fb924",
+		},
+		{
+			// `.pub` files end with a newline. Without trimming, a
+			// comment-less key would hash with `\n` mixed in and
+			// stop matching the server's value.
+			name:  "trailing newline does not change hash",
+			input: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMY\n",
+			want:  "2b366430eb9743668b652921d3b22d54",
+		},
+		{
+			name:  "leading and trailing whitespace stripped",
+			input: "  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMY  \n",
+			want:  "2b366430eb9743668b652921d3b22d54",
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.want, keyHash(tc.input))
+		})
+	}
+}
diff --git a/cmd/lakebox/lakebox.go b/cmd/lakebox/lakebox.go
new file mode 100644
index 0000000000..382d6865d4
--- /dev/null
+++ b/cmd/lakebox/lakebox.go
@@ -0,0 +1,49 @@
+package lakebox
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// New returns the root command for the lakebox subcommand.
+func New() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "lakebox",
+		Short:   "Manage Databricks Lakebox environments",
+		GroupID: "development",
+		Hidden:  true,
+		Long: `Manage Databricks Lakebox environments.
+
+Lakebox provides SSH-accessible development environments backed by
+microVM isolation. Each lakebox is a personal sandbox with pre-installed
+tooling (Python, Node.js, Rust, Databricks CLI) and persistent storage.
+
+Getting started:
+  databricks auth login --host https://...   # authenticate to a Databricks workspace
+  databricks lakebox register                # generate and register an SSH key
+  databricks lakebox create                  # provision a lakebox (becomes your default)
+  databricks lakebox ssh                     # SSH to your default lakebox
+
+Common workflows:
+  databricks lakebox ssh                     # SSH to your default lakebox
+  databricks lakebox ssh my-project          # SSH to a named lakebox
+  databricks lakebox list                    # list your lakeboxes
+  databricks lakebox create                  # create a new lakebox
+  databricks lakebox delete my-project       # delete a lakebox
+  databricks lakebox status my-project       # show lakebox status
+`,
+	}
+
+	cmd.AddCommand(newRegisterCommand())
+	cmd.AddCommand(newSSHKeyCommand())
+	cmd.AddCommand(newSetDefaultCommand())
+	cmd.AddCommand(newSSHCommand())
+	cmd.AddCommand(newListCommand())
+	cmd.AddCommand(newCreateCommand())
+	cmd.AddCommand(newDeleteCommand())
+	cmd.AddCommand(newStopCommand())
+	cmd.AddCommand(newStartCommand())
+	cmd.AddCommand(newStatusCommand())
+	cmd.AddCommand(newConfigCommand())
+
+	return cmd
+}
diff --git a/cmd/lakebox/list.go b/cmd/lakebox/list.go
new file mode 100644
index 0000000000..6e415241e9
--- /dev/null
+++ b/cmd/lakebox/list.go
@@ -0,0 +1,167 @@
+package lakebox
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/spf13/cobra"
+)
+
+func newListCommand() *cobra.Command {
+	var outputJSON bool
+
+	cmd := &cobra.Command{
+		Use:   "list",
+		Short: "List your Lakebox environments",
+		Long: `List your Lakebox environments.
+
+Shows all lakeboxes associated with your account, including their
+current status and ID.
+
+Example:
+  databricks lakebox list
+  databricks lakebox list --json`,
+		PreRunE: root.MustWorkspaceClient,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			entries, err := api.list(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to list lakeboxes: %w", err)
+			}
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			// `list` returns the full set (the API client loops through every
+			// page), so it's the cheapest place to keep local state coherent:
+			//
+			//   - If our saved default isn't in the result, the lakebox was
+			//     deleted elsewhere — clear so the next `ssh` provisions fresh
+			//     instead of erroring against a missing ID.
+			//   - Cache the gateway hostname stamped on any returned entry so
+			//     subsequent `ssh <id>` invocations don't need their own `get`.
+			defaultID := getDefault(ctx, profile)
+			if defaultID != "" {
+				found := false
+				for _, e := range entries {
+					if e.SandboxID == defaultID {
+						found = true
+						break
+					}
+				}
+				if !found {
+					warn(ctx, fmt.Sprintf("Saved default %s no longer exists; clearing", defaultID))
+					_ = clearDefault(ctx, profile)
+					defaultID = ""
+				}
+			}
+			for _, e := range entries {
+				if e.GatewayHost != "" {
+					_ = setGatewayHost(ctx, profile, e.GatewayHost)
+					break
+				}
+			}
+
+			// Replace the local (id, name) cache from this fresh list,
+			// so subsequent name-based commands (`lakebox ssh my-project`,
+			// etc.) resolve locally without another API call.
+			refs := make([]cachedSandbox, 0, len(entries))
+			for _, e := range entries {
+				refs = append(refs, cachedSandbox{ID: e.SandboxID, Name: e.Name})
+			}
+			_ = setSandboxes(ctx, profile, refs)
+
+			if jsonOutput(cmd, outputJSON) {
+				enc := json.NewEncoder(cmd.OutOrStdout())
+				enc.SetIndent("", "  ")
+				return enc.Encode(entries)
+			}
+
+			if len(entries) == 0 {
+				fmt.Fprintf(cmd.ErrOrStderr(), "  %s\n", cmdio.Faint(ctx, "No lakeboxes found."))
+				return nil
+			}
+
+			out := cmd.OutOrStdout()
+
+			// NAME is always rendered (even with no --name set on any
+			// row) so the table shape stays stable across calls;
+			// unnamed sandboxes render as `-`. Widths are measured in
+			// terminal cells via cmdio.Width so emoji / CJK names line
+			// up correctly.
+			idCol := 10
+			autostopCol := 8
+			nameCol := 4
+			for _, e := range entries {
+				if l := cmdio.Width(e.SandboxID); l > idCol {
+					idCol = l
+				}
+				if l := cmdio.Width(e.autoStopLabel()); l > autostopCol {
+					autostopCol = l
+				}
+				// A name equal to the id renders as `-`, so don't let
+				// it expand the column.
+				if e.Name != "" && e.Name != e.SandboxID {
+					if l := cmdio.Width(e.Name); l > nameCol {
+						nameCol = l
+					}
+				}
+			}
+			idCol += 2
+			autostopCol += 2
+			nameCol += 2
+			const statusCol = 10
+			const defaultCol = 7
+
+			blank(out)
+			header := fmt.Sprintf("%-*s  %-*s  %-*s  %-*s  %s",
+				idCol, "ID", nameCol, "NAME", statusCol, "STATUS", autostopCol, "AUTOSTOP", "DEFAULT")
+			fmt.Fprintf(out, "  %s\n", cmdio.Faint(ctx, header))
+
+			ruleLen := idCol + nameCol + statusCol + autostopCol + defaultCol + 8
+			fmt.Fprintf(out, "  %s\n", cmdio.Faint(ctx, strings.Repeat("─", ruleLen)))
+
+			for _, e := range entries {
+				id := e.SandboxID
+				def := ""
+				if id == defaultID {
+					def = cmdio.Cyan(ctx, "*")
+				}
+				idStr := cmdio.Bold(ctx, id)
+				if strings.EqualFold(e.Status, "running") {
+					idStr = cmdio.Bold(ctx, cmdio.Cyan(ctx, id))
+				}
+				nm := cmdio.Faint(ctx, "-")
+				if e.Name != "" && e.Name != id {
+					nm = e.Name
+				}
+				// cmdio.PadRight measures visible width, so the ANSI escapes
+				// the color helpers wrap each cell in don't break alignment.
+				fmt.Fprintf(out, "  %s  %s  %s  %s  %s\n",
+					cmdio.PadRight(idStr, idCol),
+					cmdio.PadRight(nm, nameCol),
+					cmdio.PadRight(status(ctx, e.Status), statusCol),
+					cmdio.PadRight(cmdio.Faint(ctx, e.autoStopLabel()), autostopCol),
+					def)
+			}
+			blank(out)
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVar(&outputJSON, "json", false, "Output as JSON")
+
+	return cmd
+}
diff --git a/cmd/lakebox/register.go b/cmd/lakebox/register.go
new file mode 100644
index 0000000000..9c7538f47d
--- /dev/null
+++ b/cmd/lakebox/register.go
@@ -0,0 +1,148 @@
+package lakebox
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/env"
+	"github.com/spf13/cobra"
+)
+
+const lakeboxKeyName = "lakebox_ed25519"
+
+func newRegisterCommand() *cobra.Command {
+	var name string
+
+	cmd := &cobra.Command{
+		Use:   "register",
+		Short: "Register this machine for lakebox SSH access",
+		Long: `Generate a dedicated SSH key for lakebox and register it with the service.
+
+This command:
+1. Generates an Ed25519 SSH key at ~/.ssh/lakebox_ed25519 (if it doesn't exist)
+2. Registers the public key with the lakebox service, labeled with --name
+   (defaults to this machine's hostname so 'ssh-key list' is meaningful
+   across multiple machines)
+3. Optionally adds a 'Host lakebox-gw' alias to ~/.ssh/config (prompted
+   the first time) so editor Remote-SSH ("Open in VS Code / Cursor"
+   from the workspace UI) and plain 'ssh <id>@lakebox-gw' both work
+
+After registration, 'databricks lakebox ssh' will use this key automatically.
+Run this once per machine.
+
+Examples:
+  databricks lakebox register
+  databricks lakebox register --name my-laptop`,
+		PreRunE: root.MustWorkspaceClient,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			keyPath, generated, err := ensureLakeboxKey(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to ensure lakebox SSH key: %w", err)
+			}
+
+			stderr := cmd.ErrOrStderr()
+			if generated {
+				ok(ctx, "Generated SSH key at "+cmdio.Faint(ctx, keyPath))
+			} else {
+				field(ctx, stderr, "key", keyPath)
+			}
+
+			pubKeyData, err := os.ReadFile(keyPath + ".pub")
+			if err != nil {
+				return fmt.Errorf("failed to read public key %s.pub: %w", keyPath, err)
+			}
+
+			// Default to hostname so `ssh-key list` is meaningful across machines.
+			if name == "" {
+				if host, err := os.Hostname(); err == nil {
+					name = host
+				}
+			}
+
+			s := spin(ctx, "Registering key…")
+			defer s.Close()
+			if err := api.registerKey(ctx, string(pubKeyData), name); err != nil {
+				s.fail("Failed to register key")
+				return fmt.Errorf("failed to register key: %w", err)
+			}
+			s.ok("SSH key registered")
+
+			// Write the shared `lakebox-gw` ~/.ssh/config alias so editor
+			// Remote-SSH and plain `ssh <id>@lakebox-gw` both work without
+			// the user pasting any config block (see maybeWriteSSHConfig).
+			if err := maybeWriteSSHConfig(ctx, keyPath, w.Config.Host); err != nil {
+				warn(ctx, fmt.Sprintf("Registered key, but failed to update ~/.ssh/config: %v", err))
+			}
+
+			blank(stderr)
+			fmt.Fprintf(stderr, "  Run %s to connect.\n\n", cmdio.Bold(ctx, "databricks lakebox ssh"))
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVar(&name, "name", "",
+		"Label for the registered key (defaults to this machine's hostname). "+
+			"Pass --name= to register without a label.")
+
+	return cmd
+}
+
+// lakeboxKeyPath returns the path to the dedicated lakebox SSH key.
+func lakeboxKeyPath(ctx context.Context) (string, error) {
+	homeDir, err := env.UserHomeDir(ctx)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(homeDir, ".ssh", lakeboxKeyName), nil
+}
+
+// ensureLakeboxKey returns the path to the lakebox SSH key, generating it if
+// it doesn't exist.
+func ensureLakeboxKey(ctx context.Context) (string, bool, error) {
+	keyPath, err := lakeboxKeyPath(ctx)
+	if err != nil {
+		return "", false, err
+	}
+
+	if _, err := os.Stat(keyPath); err == nil {
+		return keyPath, false, nil
+	}
+
+	if _, err := exec.LookPath("ssh-keygen"); err != nil {
+		return "", false, errors.New(
+			"ssh-keygen not found in PATH.\n" +
+				"Please install OpenSSH and run 'databricks lakebox register' again.\n" +
+				"  macOS:   brew install openssh\n" +
+				"  Ubuntu:  sudo apt install openssh-client\n" +
+				"  Windows: install Git for Windows (includes ssh-keygen)")
+	}
+
+	sshDir := filepath.Dir(keyPath)
+	if err := os.MkdirAll(sshDir, 0o700); err != nil {
+		return "", false, fmt.Errorf("failed to create %s: %w", sshDir, err)
+	}
+
+	genCmd := exec.Command("ssh-keygen", "-t", "ed25519", "-f", keyPath, "-N", "", "-q", "-C", "lakebox")
+	genCmd.Stdin = os.Stdin
+	genCmd.Stdout = os.Stderr
+	genCmd.Stderr = os.Stderr
+	if err := genCmd.Run(); err != nil {
+		return "", false, fmt.Errorf("ssh-keygen failed: %w", err)
+	}
+
+	return keyPath, true, nil
+}
diff --git a/cmd/lakebox/resolve.go b/cmd/lakebox/resolve.go
new file mode 100644
index 0000000000..d2e6afbd7a
--- /dev/null
+++ b/cmd/lakebox/resolve.go
@@ -0,0 +1,63 @@
+package lakebox
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+)
+
+// resolveLocalID maps a user-typed argument to a sandbox ID using only
+// the local state cache — no API calls. Resolution order:
+//
+//  1. Exact ID match → return arg unchanged. Anyone scripting against
+//     IDs (or pasting an ID they already know) gets the fast path.
+//  2. Exact name match in the cache:
+//     - One match → return that sandbox's ID.
+//     - Several matches → error with the candidate IDs, since the
+//     server allows multiple sandboxes to share a `--name` and the
+//     CLI must not silently guess which one was meant.
+//  3. No match → pass the arg through. It's either an ID the cache
+//     hasn't seen yet (fresh sandbox created elsewhere; the user just
+//     hasn't run `lakebox list` since) or a typo. Either way the next
+//     API call surfaces a clean 404 instead of us refusing locally.
+//
+// This is intentionally an offline shortcut: a stale cache only fails
+// to find a name; it never causes the CLI to act on the wrong sandbox.
+// Run `lakebox list` to refresh.
+func resolveLocalID(ctx context.Context, profile, arg string) (string, error) {
+	if arg == "" {
+		return "", errors.New("empty lakebox identifier")
+	}
+
+	sbs := getSandboxes(ctx, profile)
+
+	for _, s := range sbs {
+		if s.ID == arg {
+			return arg, nil
+		}
+	}
+
+	var matches []cachedSandbox
+	for _, s := range sbs {
+		if s.Name != "" && s.Name == arg {
+			matches = append(matches, s)
+		}
+	}
+
+	switch len(matches) {
+	case 0:
+		return arg, nil
+	case 1:
+		return matches[0].ID, nil
+	default:
+		ids := make([]string, len(matches))
+		for i, m := range matches {
+			ids[i] = m.ID
+		}
+		return "", fmt.Errorf(
+			"name %q is ambiguous in local cache; sandboxes with this name: %s — pass the ID directly",
+			arg, strings.Join(ids, ", "),
+		)
+	}
+}
diff --git a/cmd/lakebox/resolve_test.go b/cmd/lakebox/resolve_test.go
new file mode 100644
index 0000000000..9a8595191d
--- /dev/null
+++ b/cmd/lakebox/resolve_test.go
@@ -0,0 +1,152 @@
+package lakebox
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestResolveLocalIDEmptyArgIsError(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	_, err := resolveLocalID(ctx, "p", "")
+	require.Error(t, err)
+}
+
+func TestResolveLocalIDPassThroughWhenCacheEmpty(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	id, err := resolveLocalID(ctx, "p", "anything-goes")
+	require.NoError(t, err)
+	assert.Equal(t, "anything-goes", id)
+}
+
+func TestResolveLocalIDIDFirstPrecedence(t *testing.T) {
+	// A sandbox whose --name happens to collide with another sandbox's ID
+	// must NOT resolve the typed ID via the name path.
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{
+		{ID: "happy-panda-1234", Name: "real-panda"},
+		{ID: "other-id-5678", Name: "happy-panda-1234"},
+	}))
+	id, err := resolveLocalID(ctx, "p", "happy-panda-1234")
+	require.NoError(t, err)
+	assert.Equal(t, "happy-panda-1234", id, "must resolve to the ID, not the entry that has this string as its --name")
+}
+
+func TestResolveLocalIDNameMatch(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{
+		{ID: "happy-panda-1234", Name: "my-project"},
+	}))
+	id, err := resolveLocalID(ctx, "p", "my-project")
+	require.NoError(t, err)
+	assert.Equal(t, "happy-panda-1234", id)
+}
+
+func TestResolveLocalIDAmbiguousNameErrors(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{
+		{ID: "happy-panda-1234", Name: "foo"},
+		{ID: "sad-otter-5678", Name: "foo"},
+	}))
+	_, err := resolveLocalID(ctx, "p", "foo")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "ambiguous")
+	assert.Contains(t, err.Error(), "happy-panda-1234")
+	assert.Contains(t, err.Error(), "sad-otter-5678")
+}
+
+func TestResolveLocalIDEmptyNamesIgnored(t *testing.T) {
+	// Sandboxes without a --name should not match an empty-string arg or
+	// any other arg by virtue of their name being empty.
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{
+		{ID: "happy-panda-1234", Name: ""},
+	}))
+	_, err := resolveLocalID(ctx, "p", "")
+	require.Error(t, err, "empty arg always errors")
+
+	id, err := resolveLocalID(ctx, "p", "happy-panda-1234")
+	require.NoError(t, err)
+	assert.Equal(t, "happy-panda-1234", id)
+}
+
+func TestSandboxesPerProfileIsolated(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p-a", []cachedSandbox{{ID: "a-1", Name: "shared-name"}}))
+	require.NoError(t, setSandboxes(ctx, "p-b", []cachedSandbox{{ID: "b-1", Name: "shared-name"}}))
+
+	id, err := resolveLocalID(ctx, "p-a", "shared-name")
+	require.NoError(t, err)
+	assert.Equal(t, "a-1", id)
+
+	id, err = resolveLocalID(ctx, "p-b", "shared-name")
+	require.NoError(t, err)
+	assert.Equal(t, "b-1", id)
+}
+
+func TestUpsertSandboxAddsNewEntry(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, upsertSandbox(ctx, "p", "id-1", "name-1"))
+	assert.Equal(t, []cachedSandbox{{ID: "id-1", Name: "name-1"}}, getSandboxes(ctx, "p"))
+}
+
+func TestUpsertSandboxUpdatesExistingEntry(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, upsertSandbox(ctx, "p", "id-1", "old"))
+	require.NoError(t, upsertSandbox(ctx, "p", "id-1", "new"))
+	assert.Equal(t, []cachedSandbox{{ID: "id-1", Name: "new"}}, getSandboxes(ctx, "p"))
+}
+
+func TestUpsertSandboxSameValueIsNoop(t *testing.T) {
+	ctx, path := stateCtx(t)
+	require.NoError(t, upsertSandbox(ctx, "p", "id-1", "name-1"))
+	before, err := os.Stat(path)
+	require.NoError(t, err)
+	require.NoError(t, upsertSandbox(ctx, "p", "id-1", "name-1"))
+	after, err := os.Stat(path)
+	require.NoError(t, err)
+	assert.Equal(t, before.ModTime(), after.ModTime(), "no-op upsert must not rewrite the file")
+}
+
+func TestRemoveSandboxDropsEntry(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{
+		{ID: "keep-me", Name: ""},
+		{ID: "drop-me", Name: "doomed"},
+	}))
+	require.NoError(t, removeSandbox(ctx, "p", "drop-me"))
+	assert.Equal(t, []cachedSandbox{{ID: "keep-me", Name: ""}}, getSandboxes(ctx, "p"))
+}
+
+func TestRemoveSandboxMissingIsNoop(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{{ID: "keep-me"}}))
+	require.NoError(t, removeSandbox(ctx, "p", "nope"))
+	assert.Equal(t, []cachedSandbox{{ID: "keep-me"}}, getSandboxes(ctx, "p"))
+}
+
+// Removing the last sandbox for a profile must also drop the profile's
+// cached gateway host — otherwise lakebox.json accumulates orphan
+// gatewayHosts entries that no longer correspond to any sandbox.
+func TestRemoveSandboxClearsOrphanGatewayHost(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{{ID: "only-one"}}))
+	require.NoError(t, setGatewayHost(ctx, "p", "gw.example.test"))
+	require.Equal(t, "gw.example.test", getGatewayHost(ctx, "p"))
+
+	require.NoError(t, removeSandbox(ctx, "p", "only-one"))
+	assert.Empty(t, getSandboxes(ctx, "p"))
+	assert.Empty(t, getGatewayHost(ctx, "p"), "gateway host must be cleared when the last sandbox is removed")
+}
+
+// Removing one of many sandboxes must NOT touch the gateway host — it
+// still applies to the remaining sandboxes on the profile.
+func TestRemoveSandboxKeepsGatewayHostWhileSandboxesRemain(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	require.NoError(t, setSandboxes(ctx, "p", []cachedSandbox{{ID: "keep"}, {ID: "drop"}}))
+	require.NoError(t, setGatewayHost(ctx, "p", "gw.example.test"))
+	require.NoError(t, removeSandbox(ctx, "p", "drop"))
+	assert.Equal(t, "gw.example.test", getGatewayHost(ctx, "p"))
+}
diff --git a/cmd/lakebox/ssh.go b/cmd/lakebox/ssh.go
new file mode 100644
index 0000000000..d5768004ac
--- /dev/null
+++ b/cmd/lakebox/ssh.go
@@ -0,0 +1,315 @@
+package lakebox
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"strings"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/execv"
+	"github.com/databricks/cli/libs/shellquote"
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/spf13/cobra"
+)
+
+const (
+	defaultGatewayHost        = "uw2.dbrx.dev"
+	stagingDefaultGatewayHost = "ue1.s.dbrx.dev"
+	defaultGatewayPort        = "2222"
+)
+
+// resolveGatewayHost picks the SSH gateway hostname based on the workspace host.
+// Staging workspaces (*.staging.cloud.databricks.com etc.) route through
+// ue1.s.dbrx.dev; everything else uses uw2.dbrx.dev.
+func resolveGatewayHost(workspaceHost string) string {
+	if strings.Contains(workspaceHost, ".staging.") {
+		return stagingDefaultGatewayHost
+	}
+	return defaultGatewayHost
+}
+
+func newSSHCommand() *cobra.Command {
+	var gatewayHost string
+	var gatewayPort string
+
+	cmd := &cobra.Command{
+		Use:   "ssh [lakebox-id] [-- <ssh-args-or-command>...]",
+		Short: "SSH into a Lakebox environment",
+		Long: `SSH into a Lakebox environment.
+
+Connect to your default or a named lakebox via SSH. Extra arguments
+after -- are passed directly to the ssh process. This lets you run
+remote commands, set up port forwarding, or pass any other ssh flags.
+
+Examples:
+  databricks lakebox ssh                                  # interactive shell on default lakebox
+  databricks lakebox ssh happy-panda-1234                 # interactive shell on specific lakebox
+  databricks lakebox ssh -- ls -la /home                  # run command on default lakebox
+  databricks lakebox ssh happy-panda-1234 -- cat /etc/os-release  # run command on specific lakebox
+  databricks lakebox ssh -- -L 8080:localhost:8080        # port forwarding on default lakebox`,
+		Args:              cobra.ArbitraryArgs,
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			keyPath, err := lakeboxKeyPath(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to determine lakebox key path: %w", err)
+			}
+			if _, err := os.Stat(keyPath); errors.Is(err, fs.ErrNotExist) {
+				return fmt.Errorf("lakebox SSH key not found at %s — run 'databricks lakebox register' first", keyPath)
+			}
+
+			var lakeboxID string
+			var extraArgs []string
+
+			switch dashAt := cmd.ArgsLenAtDash(); dashAt {
+			case -1:
+				if len(args) > 0 {
+					lakeboxID = args[0]
+				}
+			case 0:
+				extraArgs = args[dashAt:]
+			default:
+				lakeboxID = args[0]
+				extraArgs = args[dashAt:]
+			}
+
+			if lakeboxID != "" {
+				resolved, err := resolveLocalID(ctx, profile, lakeboxID)
+				if err != nil {
+					return err
+				}
+				lakeboxID = resolved
+			}
+
+			// Captured from any Sandbox response we touch below; "" when
+			// we never hit the API in this invocation.
+			var (
+				sandboxGatewayHost string
+				sandboxStatus      string
+			)
+
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			// Surface deleted-key errors before ssh's opaque "Permission denied".
+			if err := verifyKeyRegistered(ctx, api, keyPath); err != nil {
+				return err
+			}
+
+			if lakeboxID == "" {
+				def := getDefault(ctx, profile)
+				if def == "" {
+					return errors.New("no default lakebox configured — run `databricks lakebox create` to provision one, or `databricks lakebox default <id>` to point at an existing sandbox")
+				}
+				// Confirm the saved default still exists. A stale entry is
+				// almost always user-correctable (deleted from another
+				// machine, reaped by an admin); fail fast with an actionable
+				// message rather than silently provisioning a fresh sandbox
+				// and surprising the user with a bill.
+				sb, err := api.get(ctx, def)
+				switch {
+				case err == nil:
+					lakeboxID = def
+					sandboxGatewayHost = sb.GatewayHost
+					sandboxStatus = sb.Status
+				case errors.Is(err, apierr.ErrNotFound):
+					_ = clearDefault(ctx, profile)
+					return fmt.Errorf("saved default %q no longer exists (cleared) — run `databricks lakebox create` to provision a new one, or `databricks lakebox default <id>` to point at an existing sandbox", def)
+				default:
+					warn(ctx, fmt.Sprintf("Could not validate default %s: %v", def, err))
+					lakeboxID = def
+				}
+			} else {
+				// Validate the explicit ID against the server. Two reasons:
+				//   1. Surface `lakebox ssh fake-id` as a clear 404 instead of
+				//      letting the user wade through `Permission denied` from
+				//      ssh when the gateway can't route an unknown sandbox.
+				//   2. Capture `gateway_host` to drive the resolution below.
+				// Non-NotFound errors fall through so transient API hiccups
+				// don't block a connection the gateway can still route.
+				sb, err := api.get(ctx, lakeboxID)
+				switch {
+				case err == nil:
+					sandboxGatewayHost = sb.GatewayHost
+					sandboxStatus = sb.Status
+				case errors.Is(err, apierr.ErrNotFound):
+					return fmt.Errorf("no lakebox named %q — `databricks lakebox list` shows available IDs", lakeboxID)
+				default:
+					warn(ctx, fmt.Sprintf("Could not validate lakebox %s: %v", lakeboxID, err))
+				}
+			}
+
+			// Drive start ourselves so the user sees a spinner instead
+			// of an opaque multi-minute hang inside ssh's connect path.
+			if sandboxStatus != "" && !strings.EqualFold(sandboxStatus, "running") {
+				final, err := ensureRunning(ctx, api, lakeboxID, sandboxStatus)
+				if err != nil {
+					return err
+				}
+				if final.GatewayHost != "" {
+					sandboxGatewayHost = final.GatewayHost
+				}
+			}
+
+			// Resolution precedence: --gateway flag → fresh API response →
+			// cached value for this profile → workspace-host heuristic.
+			host := gatewayHost
+			if host == "" {
+				host = sandboxGatewayHost
+			}
+			if host == "" {
+				host = getGatewayHost(ctx, profile)
+			}
+			if host == "" {
+				host = resolveGatewayHost(w.Config.Host)
+			}
+
+			// Persist whatever the server just told us, so the next invocation
+			// can short-circuit the explicit-id `get` above.
+			if sandboxGatewayHost != "" {
+				_ = setGatewayHost(ctx, profile, sandboxGatewayHost)
+			}
+
+			// Don't print "Connected" here — ssh hasn't completed the
+			// handshake yet, so any success message would race ssh's
+			// own error output on the failure path.
+			s := spin(ctx, "Connecting to "+cmdio.Bold(ctx, lakeboxID)+"…")
+			defer s.Close()
+			return execSSHDirect(lakeboxID, host, gatewayPort, keyPath, extraArgs)
+		},
+	}
+
+	cmd.Flags().StringVar(&gatewayHost, "gateway", "", "Lakebox gateway hostname (auto-detected from profile if empty)")
+	cmd.Flags().StringVar(&gatewayPort, "port", defaultGatewayPort, "Lakebox gateway SSH port")
+
+	return cmd
+}
+
+// verifyKeyRegistered confirms the local lakebox public key is still
+// registered with the workspace before we open the SSH socket. The
+// gateway itself already does this check during userauth, but the
+// SSH protocol's reply surface (USERAUTH_FAILURE has no free-form
+// reason; USERAUTH_BANNER is widely swallowed) flattens "unknown
+// key", "key registered but not authorized for this sandbox", and
+// "upstream service is down" into the same "Permission denied
+// (publickey)". This out-of-band HTTP check surfaces the specific
+// case in language the user can act on. listKeys errors fall
+// through with a warning so a transient API hiccup doesn't block a
+// connection the gateway could still route.
+func verifyKeyRegistered(ctx context.Context, api *lakeboxAPI, keyPath string) error {
+	pub, err := os.ReadFile(keyPath + ".pub")
+	if err != nil {
+		return fmt.Errorf("reading public key %s.pub: %w", keyPath, err)
+	}
+	want := keyHash(string(pub))
+
+	keys, err := api.listKeys(ctx)
+	if err != nil {
+		warn(ctx, fmt.Sprintf("Could not verify SSH key registration: %v", err))
+		return nil
+	}
+	for _, k := range keys {
+		if k.KeyHash == want {
+			return nil
+		}
+	}
+	return fmt.Errorf("your lakebox SSH key (%s) is not registered with this workspace — run `databricks lakebox register` to re-register it", want)
+}
+
+// ensureRunning brings the named sandbox to Running with its own
+// spinner — caller must not have one open.
+func ensureRunning(ctx context.Context, api *lakeboxAPI, id, currentStatus string) (*sandboxEntry, error) {
+	s := spin(ctx, "Starting "+cmdio.Bold(ctx, id)+"…")
+	defer s.Close()
+
+	var sb *sandboxEntry
+	if strings.EqualFold(currentStatus, "stopped") {
+		updated, err := api.start(ctx, id)
+		if err != nil {
+			s.fail("Failed to start " + id)
+			return nil, fmt.Errorf("failed to start lakebox %s: %w", id, err)
+		}
+		sb = updated
+	}
+
+	if sb == nil || !strings.EqualFold(sb.Status, "running") {
+		final, err := waitForRunning(ctx, api, s, id)
+		if err != nil {
+			s.fail("Failed to start " + id)
+			return nil, err
+		}
+		sb = final
+	}
+
+	s.ok("Started " + cmdio.Bold(ctx, id))
+	return sb, nil
+}
+
+// execSSHDirect replaces the CLI process with ssh (or simulates that on
+// Windows via execv). All options are passed on the command line, so no
+// ~/.ssh/config entry is required.
+func execSSHDirect(lakeboxID, host, port, keyPath string, extraArgs []string) error {
+	return execv.Execv(execv.Options{
+		Args: buildSSHArgs(lakeboxID, host, port, keyPath, extraArgs),
+		Env:  os.Environ(),
+	})
+}
+
+// buildSSHArgs assembles the argv we hand to the `ssh` binary.
+//
+// `ssh` concatenates remote-command words with spaces and the remote
+// shell re-parses them. That makes the two natural user shapes
+// incompatible by default:
+//
+//   - Single arg that's already a complete shell command:
+//     `lakebox ssh <id> -- 'echo hi | head -3'`
+//     The user expects the remote shell to split and execute this
+//     string. ssh's "concat with spaces" is a no-op here, so we hand
+//     the arg through untouched.
+//
+//   - Multi-arg exec-style invocation:
+//     `lakebox ssh <id> -- bash -c 'echo hi'`
+//     Cobra splits this into `["bash", "-c", "echo hi"]`. ssh's join
+//     produces `bash -c echo hi` on the wire, which bash re-splits into
+//     `-c=echo` and `$0=hi` — losing the second word. We fix that by shell-quoting
+//     each arg before append, so the remote sees `bash -c 'echo hi'`.
+//
+// The heuristic: if there's exactly one extra arg, pass it untouched;
+// otherwise quote every arg. shellquote.BashArg leaves safe args alone,
+// so `ls -la /tmp` round-trips unchanged in the multi-arg path.
+func buildSSHArgs(lakeboxID, host, port, keyPath string, extraArgs []string) []string {
+	args := []string{
+		"ssh",
+		"-i", keyPath,
+		"-p", port,
+		"-o", "IdentitiesOnly=yes",
+		"-o", "PreferredAuthentications=publickey",
+		"-o", "StrictHostKeyChecking=no",
+		"-o", "UserKnownHostsFile=/dev/null",
+		"-o", "LogLevel=ERROR",
+		fmt.Sprintf("%s@%s", lakeboxID, host),
+	}
+	if len(extraArgs) == 1 {
+		return append(args, extraArgs[0])
+	}
+	for _, a := range extraArgs {
+		args = append(args, shellquote.BashArg(a))
+	}
+	return args
+}
diff --git a/cmd/lakebox/ssh_test.go b/cmd/lakebox/ssh_test.go
new file mode 100644
index 0000000000..a2558794a2
--- /dev/null
+++ b/cmd/lakebox/ssh_test.go
@@ -0,0 +1,101 @@
+package lakebox
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBuildSSHArgsBaseFlags(t *testing.T) {
+	got := buildSSHArgs("happy-panda-1234", "gw.example.test", "2222", "/keys/id", nil)
+	// Sanity: the destination is the last arg when no extras.
+	assert.Equal(t, "happy-panda-1234@gw.example.test", got[len(got)-1])
+	// The base flag set is fixed; spot-check a couple.
+	assert.Contains(t, got, "-i")
+	assert.Contains(t, got, "/keys/id")
+	assert.Contains(t, got, "-p")
+	assert.Contains(t, got, "2222")
+}
+
+func TestBuildSSHArgsQuoting(t *testing.T) {
+	for _, tc := range []struct {
+		name      string
+		extraArgs []string
+		// expected is what we expect at the end of args, after the destination.
+		expected []string
+	}{
+		{
+			name:      "no extras",
+			extraArgs: nil,
+			expected:  nil,
+		},
+		{
+			name:      "single safe word — passed through",
+			extraArgs: []string{"uname"},
+			expected:  []string{"uname"},
+		},
+		{
+			name:      "single string with spaces — passed through so the remote shell can split it",
+			extraArgs: []string{"echo hello-from-string"},
+			expected:  []string{"echo hello-from-string"},
+		},
+		{
+			name:      "single string with a pipe — passed through to the remote shell",
+			extraArgs: []string{"cat /etc/os-release | head -3"},
+			expected:  []string{"cat /etc/os-release | head -3"},
+		},
+		{
+			name:      "multi safe words — no quoting",
+			extraArgs: []string{"ls", "-la", "/tmp"},
+			expected:  []string{"ls", "-la", "/tmp"},
+		},
+		{
+			name: "bash -c '<cmd>' — third arg gets quoted",
+			// The whole point: without the quoting, the remote shell
+			// re-splits "bash -c echo hi" and bash's -c eats just "echo".
+			extraArgs: []string{"bash", "-c", "echo hi"},
+			expected:  []string{"bash", "-c", "'echo hi'"},
+		},
+		{
+			name:      "arg with single quote — escaped, not lost",
+			extraArgs: []string{"echo", "it's fine"},
+			expected:  []string{"echo", `'it'\''s fine'`},
+		},
+		{
+			name:      "glob pattern — quoted so the remote (not the local) shell expands it",
+			extraArgs: []string{"find", ".", "-name", "*.txt"},
+			expected:  []string{"find", ".", "-name", "'*.txt'"},
+		},
+		{
+			name:      "ssh -o key=val style — gets quoted because of '='; harmless given current arg ordering",
+			extraArgs: []string{"-o", "StrictHostKeyChecking=no"},
+			expected:  []string{"-o", "'StrictHostKeyChecking=no'"},
+		},
+		{
+			name:      "empty arg gets explicit empty quotes (not lost)",
+			extraArgs: []string{"sh", "-c", ""},
+			expected:  []string{"sh", "-c", "''"},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			got := buildSSHArgs("id", "host", "2222", "/k", tc.extraArgs)
+			// Trim everything up to and including the destination so we
+			// can assert just on the appended extras.
+			dest := "id@host"
+			cut := -1
+			for i, a := range got {
+				if a == dest {
+					cut = i + 1
+					break
+				}
+			}
+			assert.GreaterOrEqual(t, cut, 0, "destination not found in args")
+			tail := got[cut:]
+			if tc.expected == nil {
+				assert.Empty(t, tail)
+			} else {
+				assert.Equal(t, tc.expected, tail)
+			}
+		})
+	}
+}
diff --git a/cmd/lakebox/sshconfig.go b/cmd/lakebox/sshconfig.go
new file mode 100644
index 0000000000..18d94709c9
--- /dev/null
+++ b/cmd/lakebox/sshconfig.go
@@ -0,0 +1,224 @@
+package lakebox
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/env"
+)
+
+const (
+	// sshConfigAlias is the SSH-config Host that all lakebox sandboxes
+	// route through. Shared with the workspace UI's "First time setup?"
+	// disclosure, so IDE Remote-SSH deep links resolve identically
+	// whether the user set up via the CLI or pasted the UI snippet.
+	sshConfigAlias = "lakebox-gw"
+
+	// sshIncludeFileName is the lakebox-managed file referenced by the
+	// user's ~/.ssh/config. The file is fully owned: we rewrite it on
+	// every `lakebox register`, so manual edits to it will not survive.
+	sshIncludeFileName = "databricks-lakebox"
+
+	// sshConfigBeginMarker / sshConfigEndMarker bracket the single line we
+	// add to the user's ~/.ssh/config (the Include directive). Markers make
+	// the line greppable and removable without re-parsing the file.
+	sshConfigBeginMarker = "# >>> databricks lakebox >>>"
+	sshConfigEndMarker   = "# <<< databricks lakebox <<<"
+)
+
+// sshConfigPaths returns (managedFile, mainConfig) under the user's
+// ~/.ssh directory.
+func sshConfigPaths(ctx context.Context) (string, string, error) {
+	home, err := env.UserHomeDir(ctx)
+	if err != nil {
+		return "", "", err
+	}
+	sshDir := filepath.Join(home, ".ssh")
+	return filepath.Join(sshDir, sshIncludeFileName), filepath.Join(sshDir, "config"), nil
+}
+
+// sshConfigAlreadyManaged reports whether ~/.ssh/config already
+// contains the lakebox-managed Include block.
+func sshConfigAlreadyManaged(ctx context.Context) (bool, error) {
+	_, mainPath, err := sshConfigPaths(ctx)
+	if err != nil {
+		return false, err
+	}
+	data, err := os.ReadFile(mainPath)
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return false, nil
+		}
+		return false, fmt.Errorf("reading %s: %w", mainPath, err)
+	}
+	return hasOurMarkedBlock(string(data)), nil
+}
+
+// writeSSHConfig writes the lakebox-managed SSH config block to a
+// managed file and, if not already present, adds an Include directive
+// to the user's ~/.ssh/config pointing at that file.
+func writeSSHConfig(ctx context.Context, keyPath, gatewayHost, gatewayPort string) (string, string, error) {
+	home, err := env.UserHomeDir(ctx)
+	if err != nil {
+		return "", "", err
+	}
+	sshDir := filepath.Join(home, ".ssh")
+	if err := os.MkdirAll(sshDir, 0o700); err != nil {
+		return "", "", fmt.Errorf("creating %s: %w", sshDir, err)
+	}
+
+	managedPath := filepath.Join(sshDir, sshIncludeFileName)
+	mainPath := filepath.Join(sshDir, "config")
+
+	block := buildSSHConfigBlock(keyPath, gatewayHost, gatewayPort)
+	if err := writeManagedConfig(managedPath, block); err != nil {
+		return managedPath, mainPath, err
+	}
+	if err := ensureMainIncludesManaged(mainPath, managedPath); err != nil {
+		return managedPath, mainPath, err
+	}
+	return managedPath, mainPath, nil
+}
+
+// buildSSHConfigBlock renders the Host stanza we write to the
+// lakebox-managed include file. The -o flags here mirror buildSSHArgs
+// in ssh.go so connections that resolve through this alias (IDE
+// Remote-SSH, raw `ssh <id>@lakebox-gw`) behave identically to
+// `databricks lakebox ssh`.
+//
+// No User directive is set, so the per-sandbox identifier travels in
+// the destination (`ssh <sandbox-id>@lakebox-gw`); a single alias
+// serves every sandbox on this profile's workspace.
+func buildSSHConfigBlock(keyPath, gatewayHost, gatewayPort string) string {
+	return fmt.Sprintf(`# Managed by `+"`databricks lakebox register`"+`.
+# Manual edits will be overwritten on the next run.
+Host %s
+    HostName %s
+    Port %s
+    IdentityFile %s
+    IdentitiesOnly yes
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+    LogLevel ERROR
+`, sshConfigAlias, gatewayHost, gatewayPort, keyPath)
+}
+
+// writeManagedConfig writes content to path atomically with 0600
+// perms. No-op when the file already matches, to avoid churning mtime.
+func writeManagedConfig(path, content string) error {
+	if existing, err := os.ReadFile(path); err == nil && bytes.Equal(existing, []byte(content)) {
+		return nil
+	}
+	tmp := path + ".tmp"
+	if err := os.WriteFile(tmp, []byte(content), 0o600); err != nil {
+		return fmt.Errorf("writing %s: %w", tmp, err)
+	}
+	if err := os.Rename(tmp, path); err != nil {
+		_ = os.Remove(tmp)
+		return fmt.Errorf("renaming %s to %s: %w", tmp, path, err)
+	}
+	return nil
+}
+
+// ensureMainIncludesManaged makes sure ~/.ssh/config begins with an
+// `Include <managedPath>` directive bracketed by our begin/end markers.
+// If our block is already present, the file is left alone; if absent,
+// we prepend the block so it takes precedence over any later Host
+// blocks the user has defined (SSH applies the first match per option).
+func ensureMainIncludesManaged(mainPath, managedPath string) error {
+	managedBlock := fmt.Sprintf("%s\nInclude %s\n%s\n", sshConfigBeginMarker, managedPath, sshConfigEndMarker)
+
+	existing, err := os.ReadFile(mainPath)
+	switch {
+	case err == nil:
+		if hasOurMarkedBlock(string(existing)) {
+			return nil
+		}
+	case errors.Is(err, fs.ErrNotExist):
+		existing = nil
+	default:
+		return fmt.Errorf("reading %s: %w", mainPath, err)
+	}
+
+	// Prepend so our Include wins SSH's first-match-per-option
+	// semantics over any wildcard `Host *` block later in the file.
+	var buf bytes.Buffer
+	buf.WriteString(managedBlock)
+	if len(existing) > 0 {
+		// Avoid double blank lines if the file already starts with one.
+		if !strings.HasPrefix(string(existing), "\n") {
+			buf.WriteString("\n")
+		}
+		buf.Write(existing)
+	}
+
+	tmp := mainPath + ".tmp"
+	if err := os.WriteFile(tmp, buf.Bytes(), 0o600); err != nil {
+		return fmt.Errorf("writing %s: %w", tmp, err)
+	}
+	if err := os.Rename(tmp, mainPath); err != nil {
+		_ = os.Remove(tmp)
+		return fmt.Errorf("renaming %s to %s: %w", tmp, mainPath, err)
+	}
+	return nil
+}
+
+// hasOurMarkedBlock reports whether the given config text already has
+// a lakebox-managed Include block (delimited by our markers).
+func hasOurMarkedBlock(text string) bool {
+	scanner := bufio.NewScanner(strings.NewReader(text))
+	for scanner.Scan() {
+		if strings.TrimSpace(scanner.Text()) == sshConfigBeginMarker {
+			return true
+		}
+	}
+	return false
+}
+
+// maybeWriteSSHConfig writes the lakebox-managed SSH config, prompting
+// for consent the first time on this machine. Re-runs silently refresh
+// the managed file. Non-interactive contexts skip the write entirely.
+func maybeWriteSSHConfig(ctx context.Context, keyPath, workspaceHost string) error {
+	already, err := sshConfigAlreadyManaged(ctx)
+	if err != nil {
+		return err
+	}
+	if !already {
+		_, mainPath, err := sshConfigPaths(ctx)
+		if err != nil {
+			return err
+		}
+		if !cmdio.IsPromptSupported(ctx) {
+			cmdio.LogString(ctx, "  "+cmdio.Faint(ctx, "skipped SSH config update (non-interactive); re-run `databricks lakebox register` from a terminal to add the `"+sshConfigAlias+"` alias"))
+			return nil
+		}
+		question := fmt.Sprintf(
+			"Add a `Host %s` alias to %s? This lets editor Remote-SSH (VS Code / Cursor) and `ssh <id>@%s` connect without further setup.",
+			sshConfigAlias, mainPath, sshConfigAlias,
+		)
+		confirmed, err := cmdio.AskYesOrNo(ctx, question)
+		if err != nil {
+			return err
+		}
+		if !confirmed {
+			cmdio.LogString(ctx, "  "+cmdio.Faint(ctx, "skipped SSH config update; re-run `databricks lakebox register` to revisit"))
+			return nil
+		}
+	}
+
+	gateway := resolveGatewayHost(workspaceHost)
+	managedPath, _, err := writeSSHConfig(ctx, keyPath, gateway, defaultGatewayPort)
+	if err != nil {
+		return err
+	}
+	ok(ctx, "Updated SSH config (managed: "+cmdio.Faint(ctx, managedPath)+")")
+	return nil
+}
diff --git a/cmd/lakebox/sshconfig_test.go b/cmd/lakebox/sshconfig_test.go
new file mode 100644
index 0000000000..eaf01ff284
--- /dev/null
+++ b/cmd/lakebox/sshconfig_test.go
@@ -0,0 +1,150 @@
+package lakebox
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildSSHConfigBlockShape(t *testing.T) {
+	block := buildSSHConfigBlock("/home/u/.ssh/lakebox_ed25519", "uw2.dbrx.dev", "2222")
+
+	// Header marker so users know not to hand-edit, and the alias name
+	// that the UI's "First time setup?" disclosure documents.
+	assert.Contains(t, block, "# Managed by")
+	assert.Contains(t, block, "Host "+sshConfigAlias+"\n")
+	assert.Contains(t, block, "HostName uw2.dbrx.dev")
+	assert.Contains(t, block, "Port 2222")
+	assert.Contains(t, block, "IdentityFile /home/u/.ssh/lakebox_ed25519")
+
+	// Mirrors buildSSHArgs in ssh.go so connections through this alias
+	// behave identically to `databricks lakebox ssh`. If those change,
+	// this list should change too.
+	for _, expect := range []string{
+		"IdentitiesOnly yes",
+		"StrictHostKeyChecking no",
+		"UserKnownHostsFile /dev/null",
+		"LogLevel ERROR",
+	} {
+		assert.Contains(t, block, expect, "missing required SSH option %q", expect)
+	}
+
+	// No User directive — the sandbox id travels in the destination
+	// (`ssh <id>@lakebox-gw`), so one alias serves every sandbox.
+	assert.NotContains(t, block, "\n    User ", "User directive must not be set")
+}
+
+func TestWriteManagedConfigCreatesWithRightPerms(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, sshIncludeFileName)
+	require.NoError(t, writeManagedConfig(path, "Host foo\n    HostName bar\n"))
+
+	info, err := os.Stat(path)
+	require.NoError(t, err)
+	assert.Equal(t, os.FileMode(0o600), info.Mode().Perm(), "SSH config files must be 0600")
+}
+
+func TestWriteManagedConfigIdempotentDoesNotRewriteFile(t *testing.T) {
+	// A no-op re-write must not bump the file's mtime — otherwise
+	// `lakebox register` looks like it's churning files on every call.
+	dir := t.TempDir()
+	path := filepath.Join(dir, sshIncludeFileName)
+	content := "Host foo\n    HostName bar\n"
+	require.NoError(t, writeManagedConfig(path, content))
+	before, err := os.Stat(path)
+	require.NoError(t, err)
+
+	require.NoError(t, writeManagedConfig(path, content))
+	after, err := os.Stat(path)
+	require.NoError(t, err)
+	assert.Equal(t, before.ModTime(), after.ModTime(), "matching content must short-circuit before rename")
+}
+
+func TestWriteManagedConfigReplacesDifferentContent(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, sshIncludeFileName)
+	require.NoError(t, writeManagedConfig(path, "v1\n"))
+	require.NoError(t, writeManagedConfig(path, "v2\n"))
+	data, err := os.ReadFile(path)
+	require.NoError(t, err)
+	assert.Equal(t, "v2\n", string(data))
+}
+
+func TestEnsureMainIncludesManagedCreatesFileFromScratch(t *testing.T) {
+	dir := t.TempDir()
+	mainPath := filepath.Join(dir, "config")
+	managedPath := filepath.Join(dir, sshIncludeFileName)
+
+	require.NoError(t, ensureMainIncludesManaged(mainPath, managedPath))
+
+	data, err := os.ReadFile(mainPath)
+	require.NoError(t, err)
+	text := string(data)
+	assert.Contains(t, text, sshConfigBeginMarker)
+	assert.Contains(t, text, "Include "+managedPath)
+	assert.Contains(t, text, sshConfigEndMarker)
+}
+
+func TestEnsureMainIncludesManagedIsIdempotent(t *testing.T) {
+	// Second call must be a no-op — the existing block is detected by
+	// marker presence and we leave the file alone.
+	dir := t.TempDir()
+	mainPath := filepath.Join(dir, "config")
+	managedPath := filepath.Join(dir, sshIncludeFileName)
+	require.NoError(t, ensureMainIncludesManaged(mainPath, managedPath))
+	first, err := os.ReadFile(mainPath)
+	require.NoError(t, err)
+
+	require.NoError(t, ensureMainIncludesManaged(mainPath, managedPath))
+	second, err := os.ReadFile(mainPath)
+	require.NoError(t, err)
+	assert.Equal(t, string(first), string(second))
+}
+
+func TestEnsureMainIncludesManagedPreservesUserConfigBelow(t *testing.T) {
+	// Existing user config must survive verbatim, and our block must
+	// land *above* it so SSH's first-match-wins behaviour picks our
+	// values for the alias.
+	dir := t.TempDir()
+	mainPath := filepath.Join(dir, "config")
+	managedPath := filepath.Join(dir, sshIncludeFileName)
+	userContent := "Host myserver\n    HostName example.test\n    User alice\n"
+	require.NoError(t, os.WriteFile(mainPath, []byte(userContent), 0o600))
+
+	require.NoError(t, ensureMainIncludesManaged(mainPath, managedPath))
+	data, err := os.ReadFile(mainPath)
+	require.NoError(t, err)
+	text := string(data)
+	assert.Contains(t, text, userContent, "user's existing config must be preserved")
+
+	beginIdx := strings.Index(text, sshConfigBeginMarker)
+	userIdx := strings.Index(text, "Host myserver")
+	require.GreaterOrEqual(t, beginIdx, 0)
+	require.GreaterOrEqual(t, userIdx, 0)
+	assert.Less(t, beginIdx, userIdx, "managed block must precede the user's existing config")
+}
+
+func TestHasOurMarkedBlock(t *testing.T) {
+	cases := []struct {
+		name  string
+		input string
+		want  bool
+	}{
+		{"empty", "", false},
+		{"only user content", "Host foo\n    HostName bar\n", false},
+		{"with our marker", sshConfigBeginMarker + "\nInclude /tmp/x\n" + sshConfigEndMarker + "\n", true},
+		{"marker with surrounding whitespace", "   " + sshConfigBeginMarker + "   \n", true},
+		// A user could conceivably write a comment containing the
+		// literal marker text — accepted; it's their own footgun.
+		{"marker mid-line (rejected)", "## " + sshConfigBeginMarker + " inline\n", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.want, hasOurMarkedBlock(tc.input))
+		})
+	}
+}
diff --git a/cmd/lakebox/sshkey.go b/cmd/lakebox/sshkey.go
new file mode 100644
index 0000000000..3ad634f282
--- /dev/null
+++ b/cmd/lakebox/sshkey.go
@@ -0,0 +1,190 @@
+package lakebox
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/spf13/cobra"
+)
+
+func newSSHKeyCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "ssh-key",
+		Short: "Manage SSH keys registered with the lakebox service",
+	}
+	cmd.AddCommand(newSSHKeyListCommand())
+	cmd.AddCommand(newSSHKeyDeleteCommand())
+	return cmd
+}
+
+func newSSHKeyDeleteCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "delete <key-hash>",
+		Short: "Delete an SSH key registered with the lakebox service",
+		Long: `Delete an SSH key registered with the lakebox service.
+
+The key hash is the identifier shown by 'databricks lakebox ssh-key list'.
+Once deleted, future SSH attempts authenticated by the corresponding
+private key will fail until the key is re-registered.
+
+Example:
+  databricks lakebox ssh-key delete a1b2c3d4e5f6...`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSSHKeyHashes,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			hash := args[0]
+			s := spin(ctx, "Deleting key "+hash+"…")
+			defer s.Close()
+			if err := api.deleteKey(ctx, hash); err != nil {
+				s.fail("Failed to delete key")
+				return fmt.Errorf("failed to delete ssh key %s: %w", hash, err)
+			}
+			s.ok("SSH key " + cmdio.Bold(ctx, hash) + " deleted")
+			return nil
+		},
+	}
+	return cmd
+}
+
+func newSSHKeyListCommand() *cobra.Command {
+	var outputJSON bool
+
+	cmd := &cobra.Command{
+		Use:   "list",
+		Short: "List SSH keys registered with the lakebox service",
+		Long: `List SSH keys registered with the lakebox service.
+
+Each row shows the server-assigned key hash (the identifier used to
+delete the key), the user-supplied name, and create / last-use
+timestamps. The locally-registered key (from 'databricks lakebox
+register') is marked when its hash matches one of the listed entries.
+
+Examples:
+  databricks lakebox ssh-key list
+  databricks lakebox ssh-key list --json`,
+		PreRunE: root.MustWorkspaceClient,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			keys, err := api.listKeys(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to list ssh keys: %w", err)
+			}
+
+			if jsonOutput(cmd, outputJSON) {
+				enc := json.NewEncoder(cmd.OutOrStdout())
+				enc.SetIndent("", "  ")
+				return enc.Encode(keys)
+			}
+
+			if len(keys) == 0 {
+				fmt.Fprintf(cmd.ErrOrStderr(), "  %s\n",
+					cmdio.Faint(ctx, "No SSH keys registered. Run 'databricks lakebox register' to add one."))
+				return nil
+			}
+
+			// Best-effort: compute the hash of the locally-registered key so
+			// we can highlight which row belongs to this machine. Missing key
+			// file or read errors are non-fatal — just skip the marker.
+			localHash := ""
+			if path, err := lakeboxKeyPath(ctx); err == nil {
+				if data, err := os.ReadFile(path + ".pub"); err == nil {
+					localHash = keyHash(string(data))
+				}
+			}
+
+			out := cmd.OutOrStdout()
+			blank(out)
+
+			// Measure in terminal cells (cmdio.Width) so wide / emoji
+			// glyphs in `--name` don't misalign the row.
+			nameCol := 4
+			for _, k := range keys {
+				if l := cmdio.Width(k.Name); l > nameCol {
+					nameCol = l
+				}
+			}
+			nameCol += 2
+			const hashCol = 32
+			const timeCol = 20
+
+			// 4-char gutter holds a per-row `*` for the local key (blank in header).
+			header := fmt.Sprintf("%-*s  %-*s  %-*s  %s",
+				nameCol, "NAME", hashCol, "KEY HASH", timeCol, "CREATED", "LAST USED")
+			fmt.Fprintf(out, "    %s\n", cmdio.Faint(ctx, header))
+			fmt.Fprintf(out, "    %s\n", cmdio.Faint(ctx, strings.Repeat("─", nameCol+hashCol+timeCol+timeCol+6)))
+
+			localFound := false
+			for _, k := range keys {
+				// cmdio.PadRight measures visible width, so the ANSI escapes
+				// cmdio.Faint wraps the NAME cell in don't break alignment.
+				displayName := k.Name
+				if displayName == "" {
+					displayName = cmdio.Faint(ctx, "(unset)")
+				}
+				gutter := "    "
+				if localHash != "" && k.KeyHash == localHash {
+					gutter = "  " + cmdio.Cyan(ctx, "*") + " "
+					localFound = true
+				}
+				fmt.Fprintf(out, "%s%s  %-*s  %-*s  %s\n",
+					gutter,
+					cmdio.PadRight(displayName, nameCol),
+					hashCol, k.KeyHash,
+					timeCol, formatTimeShort(k.CreateTime),
+					formatTimeShort(k.LastUseTime))
+			}
+			// Without a legend the `*` (or its absence) is opaque. Print the
+			// meaning either way so users can tell "no `*` on any row" apart
+			// from "this terminal doesn't print the marker".
+			blank(out)
+			switch {
+			case localFound:
+				fmt.Fprintf(out, "  %s\n", cmdio.Faint(ctx, cmdio.Cyan(ctx, "*")+" key matches the one on this machine"))
+			case localHash != "":
+				fmt.Fprintf(out, "  %s\n", cmdio.Faint(ctx, "(no registered key matches this machine's local key — run `databricks lakebox register` to register it)"))
+			default:
+				fmt.Fprintf(out, "  %s\n", cmdio.Faint(ctx, "(no local lakebox key on this machine — run `databricks lakebox register` to create and register one)"))
+			}
+			blank(out)
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVar(&outputJSON, "json", false, "Output as JSON")
+	return cmd
+}
+
+// formatTimeShort renders an RFC 3339 timestamp as a short, compact date
+// for table display. Returns "-" for empty input; passes through the raw
+// value if it doesn't parse (so server-side schema changes don't silently
+// hide data).
+func formatTimeShort(rfc3339 string) string {
+	if rfc3339 == "" {
+		return "-"
+	}
+	t, err := time.Parse(time.RFC3339, rfc3339)
+	if err != nil {
+		return rfc3339
+	}
+	return t.Format("2006-01-02 15:04")
+}
diff --git a/cmd/lakebox/start.go b/cmd/lakebox/start.go
new file mode 100644
index 0000000000..1e1d230516
--- /dev/null
+++ b/cmd/lakebox/start.go
@@ -0,0 +1,126 @@
+package lakebox
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/spf13/cobra"
+)
+
+// Bounds for `start`'s "wait until Running" poll. StartSandbox returns
+// immediately with status="Creating", so we poll until it actually
+// reaches Running. 10 min covers the observed cold-start range
+// (5–13 min); stuck sandboxes surface as a timeout, not a hang.
+const (
+	startPollInterval = 2 * time.Second
+	startWaitTimeout  = 10 * time.Minute
+)
+
+func newStartCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "start <lakebox-id>",
+		Short: "Start a stopped Lakebox environment",
+		Long: `Start a stopped Lakebox environment.
+
+Boots the backing microVM and blocks until the sandbox reaches
+Running (or up to 10 minutes). 'databricks lakebox ssh' already
+auto-starts a stopped sandbox on connection, so this command is
+mostly useful for pre-warming an environment without immediately
+connecting, or when a script needs to be sure the sandbox is up
+before continuing.
+
+Starting an already-running sandbox is a no-op.
+
+Example:
+  databricks lakebox start happy-panda-1234`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			lakeboxID, err := resolveLocalID(ctx, profile, args[0])
+			if err != nil {
+				return err
+			}
+
+			s := spin(ctx, "Starting "+lakeboxID+"…")
+			defer s.Close()
+
+			updated, err := api.start(ctx, lakeboxID)
+			if err != nil {
+				s.fail("Failed to start " + lakeboxID)
+				return fmt.Errorf("failed to start lakebox %s: %w", lakeboxID, err)
+			}
+
+			_ = setGatewayHost(ctx, profile, updated.GatewayHost)
+			_ = upsertSandbox(ctx, profile, updated.SandboxID, updated.Name)
+
+			// Already up — short-circuit so we don't pretend to wait
+			// when there's nothing to wait for.
+			if strings.EqualFold(updated.Status, "running") {
+				s.ok("Already running " + cmdio.Bold(ctx, updated.SandboxID))
+				return nil
+			}
+
+			final, err := waitForRunning(ctx, api, s, updated.SandboxID)
+			if err != nil {
+				s.fail("Failed to start " + lakeboxID)
+				return err
+			}
+			_ = upsertSandbox(ctx, profile, final.SandboxID, final.Name)
+
+			s.ok("Started " + cmdio.Bold(ctx, final.SandboxID))
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+// waitForRunning polls the sandbox until it reaches Running or the timeout
+// elapses. The spinner is updated with the elapsed seconds each poll so the
+// user can tell progress is happening, and a transition to an unexpected
+// terminal state (Stopped / Terminated / Failed) short-circuits with a
+// useful error rather than waiting out the full timeout.
+func waitForRunning(ctx context.Context, api *lakeboxAPI, s *spinner, id string) (*sandboxEntry, error) {
+	start := time.Now()
+	deadline := start.Add(startWaitTimeout)
+	for {
+		sb, err := api.get(ctx, id)
+		if err != nil {
+			return nil, fmt.Errorf("polling status of %s: %w", id, err)
+		}
+		switch strings.ToLower(sb.Status) {
+		case "running":
+			return sb, nil
+		case "stopped", "terminated", "failed":
+			return nil, fmt.Errorf("sandbox %s reached unexpected state %q while starting", id, sb.Status)
+		}
+		elapsed := time.Since(start).Round(time.Second)
+		s.Update(fmt.Sprintf("Starting %s… (%s)", id, elapsed))
+		if time.Now().After(deadline) {
+			return nil, fmt.Errorf("sandbox %s did not reach Running within %s (last seen %s)", id, startWaitTimeout, sb.Status)
+		}
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(startPollInterval):
+		}
+	}
+}
diff --git a/cmd/lakebox/state.go b/cmd/lakebox/state.go
new file mode 100644
index 0000000000..e0a2d2505f
--- /dev/null
+++ b/cmd/lakebox/state.go
@@ -0,0 +1,263 @@
+package lakebox
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+
+	"github.com/databricks/cli/libs/env"
+)
+
+// stateFile stores per-profile lakebox state on the local filesystem.
+// Located at ~/.databricks/lakebox.json.
+type stateFile struct {
+	// Profile name → default lakebox ID.
+	Defaults map[string]string `json:"defaults"`
+	// Profile name → SSH gateway hostname returned by the manager for any
+	// sandbox in that workspace. Cached so `ssh <id>` does not need to fetch
+	// the sandbox just to learn where to connect. Empty until the first
+	// command that reads a sandbox response populates it.
+	GatewayHosts map[string]string `json:"gatewayHosts,omitempty"`
+	// Profile name → cached (id, name) pairs, used purely for local
+	// name-based resolution (`lakebox ssh my-project` finds the matching
+	// sandbox ID without an extra API call). Refreshed in full by
+	// `lakebox list`; mutated in-place by `create`, `config --name`,
+	// `delete`, and `status`. Cache misses fall through to treating the
+	// argument as an ID, so this never *blocks* an operation — it only
+	// adds the name-to-ID shortcut.
+	Sandboxes map[string][]cachedSandbox `json:"sandboxes,omitempty"`
+}
+
+// cachedSandbox is the minimal (id, name) pair we need to resolve a
+// user-typed name to a wire ID without calling the server.
+type cachedSandbox struct {
+	ID   string `json:"id"`
+	Name string `json:"name,omitempty"`
+}
+
+// stateFilePath returns the on-disk location of the lakebox state file.
+func stateFilePath(ctx context.Context) (string, error) {
+	home, err := env.UserHomeDir(ctx)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(home, ".databricks", "lakebox.json"), nil
+}
+
+// loadState reads the lakebox state file, returning an empty state when
+// the file doesn't exist yet.
+func loadState(ctx context.Context) (*stateFile, error) {
+	path, err := stateFilePath(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := os.ReadFile(path)
+	if errors.Is(err, fs.ErrNotExist) {
+		return &stateFile{Defaults: make(map[string]string)}, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to read %s: %w", path, err)
+	}
+
+	var state stateFile
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("failed to parse %s: %w", path, err)
+	}
+	if state.Defaults == nil {
+		state.Defaults = make(map[string]string)
+	}
+	return &state, nil
+}
+
+// saveState writes the lakebox state file atomically.
+func saveState(ctx context.Context, state *stateFile) error {
+	path, err := stateFilePath(ctx)
+	if err != nil {
+		return err
+	}
+
+	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return err
+	}
+
+	data, err := json.MarshalIndent(state, "", "  ")
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(path, data, 0o600)
+}
+
+func getDefault(ctx context.Context, profile string) string {
+	state, err := loadState(ctx)
+	if err != nil {
+		return ""
+	}
+	return state.Defaults[profile]
+}
+
+func setDefault(ctx context.Context, profile, lakeboxID string) error {
+	state, err := loadState(ctx)
+	if err != nil {
+		return err
+	}
+	if state.Defaults[profile] == lakeboxID {
+		return nil
+	}
+	state.Defaults[profile] = lakeboxID
+	return saveState(ctx, state)
+}
+
+func clearDefault(ctx context.Context, profile string) error {
+	state, err := loadState(ctx)
+	if err != nil {
+		return err
+	}
+	if _, ok := state.Defaults[profile]; !ok {
+		return nil
+	}
+	delete(state.Defaults, profile)
+	return saveState(ctx, state)
+}
+
+// getGatewayHost returns the cached SSH gateway hostname for the workspace
+// behind `profile`, or "" if nothing has been cached yet.
+func getGatewayHost(ctx context.Context, profile string) string {
+	state, err := loadState(ctx)
+	if err != nil {
+		return ""
+	}
+	return state.GatewayHosts[profile]
+}
+
+// setGatewayHost caches the SSH gateway hostname for `profile`. No-op when
+// `host` is empty or already equal to the cached value, so callers can pipe
+// every Sandbox response through here without churning the state file.
+func setGatewayHost(ctx context.Context, profile, host string) error {
+	if host == "" {
+		return nil
+	}
+	state, err := loadState(ctx)
+	if err != nil {
+		return err
+	}
+	if state.GatewayHosts[profile] == host {
+		return nil
+	}
+	if state.GatewayHosts == nil {
+		state.GatewayHosts = make(map[string]string)
+	}
+	state.GatewayHosts[profile] = host
+	return saveState(ctx, state)
+}
+
+// getSandboxes returns the locally-cached (id, name) pairs for `profile`,
+// or nil if nothing has been cached yet.
+func getSandboxes(ctx context.Context, profile string) []cachedSandbox {
+	state, err := loadState(ctx)
+	if err != nil {
+		return nil
+	}
+	return state.Sandboxes[profile]
+}
+
+// setSandboxes replaces the cached sandbox list for `profile`. Used by
+// `lakebox list` to keep the cache in sync with the server's view.
+// No-op when the new list is byte-for-byte identical to the cached one,
+// to avoid rewriting the state file on every `list` call.
+func setSandboxes(ctx context.Context, profile string, sbs []cachedSandbox) error {
+	state, err := loadState(ctx)
+	if err != nil {
+		return err
+	}
+	if sandboxesEqual(state.Sandboxes[profile], sbs) {
+		return nil
+	}
+	if state.Sandboxes == nil {
+		state.Sandboxes = make(map[string][]cachedSandbox)
+	}
+	if sbs == nil {
+		sbs = []cachedSandbox{}
+	}
+	state.Sandboxes[profile] = sbs
+	return saveState(ctx, state)
+}
+
+// upsertSandbox adds or updates a single cached (id, name) entry for
+// `profile`. Use this when a single command observes one sandbox's
+// state (create, status, config), so the cache stays warm without
+// requiring a full `list`.
+func upsertSandbox(ctx context.Context, profile, id, name string) error {
+	if id == "" {
+		return nil
+	}
+	state, err := loadState(ctx)
+	if err != nil {
+		return err
+	}
+	existing := state.Sandboxes[profile]
+	for i, s := range existing {
+		if s.ID == id {
+			if s.Name == name {
+				return nil // no change
+			}
+			existing[i].Name = name
+			if state.Sandboxes == nil {
+				state.Sandboxes = make(map[string][]cachedSandbox)
+			}
+			state.Sandboxes[profile] = existing
+			return saveState(ctx, state)
+		}
+	}
+	if state.Sandboxes == nil {
+		state.Sandboxes = make(map[string][]cachedSandbox)
+	}
+	state.Sandboxes[profile] = append(existing, cachedSandbox{ID: id, Name: name})
+	return saveState(ctx, state)
+}
+
+// removeSandbox drops a single cached entry for `profile`. Called from
+// `delete` so the cache doesn't keep referencing sandboxes that no
+// longer exist server-side.
+//
+// When the removal empties the sandbox list for a profile, also drop
+// the profile's `GatewayHosts` entry — there is nothing for the
+// gateway hostname to apply to until the user creates a new sandbox,
+// and leaving the entry behind accumulates orphan state across the
+// lifecycle of a profile.
+func removeSandbox(ctx context.Context, profile, id string) error {
+	state, err := loadState(ctx)
+	if err != nil {
+		return err
+	}
+	existing := state.Sandboxes[profile]
+	for i, s := range existing {
+		if s.ID == id {
+			state.Sandboxes[profile] = append(existing[:i], existing[i+1:]...)
+			if len(state.Sandboxes[profile]) == 0 {
+				delete(state.Sandboxes, profile)
+				delete(state.GatewayHosts, profile)
+			}
+			return saveState(ctx, state)
+		}
+	}
+	return nil
+}
+
+// sandboxesEqual reports whether two slices contain the same entries in
+// the same order. Used by setSandboxes to short-circuit no-op writes.
+func sandboxesEqual(a, b []cachedSandbox) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/cmd/lakebox/state_test.go b/cmd/lakebox/state_test.go
new file mode 100644
index 0000000000..bf38b9c9c3
--- /dev/null
+++ b/cmd/lakebox/state_test.go
@@ -0,0 +1,171 @@
+package lakebox
+
+import (
+	"context"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/databricks/cli/libs/env"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// stateCtx returns a context whose $HOME is a temp directory, so state file
+// operations are isolated from the developer's real ~/.databricks/lakebox.json.
+func stateCtx(t *testing.T) (context.Context, string) {
+	t.Helper()
+	home := t.TempDir()
+	ctx := env.WithUserHomeDir(t.Context(), home)
+	return ctx, filepath.Join(home, ".databricks", "lakebox.json")
+}
+
+func TestStateLoadMissingFileReturnsEmpty(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	state, err := loadState(ctx)
+	require.NoError(t, err)
+	assert.Equal(t, &stateFile{Defaults: map[string]string{}}, state)
+}
+
+func TestStateGetDefaultMissingProfileReturnsEmpty(t *testing.T) {
+	ctx, _ := stateCtx(t)
+	assert.Empty(t, getDefault(ctx, "any-profile"))
+}
+
+func TestStateSetGetDefaultRoundTrip(t *testing.T) {
+	ctx, _ := stateCtx(t)
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	assert.Equal(t, "lakebox-a", getDefault(ctx, "profile-a"))
+	assert.Empty(t, getDefault(ctx, "profile-b"))
+}
+
+func TestStateMultipleProfilesIndependent(t *testing.T) {
+	ctx, _ := stateCtx(t)
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	require.NoError(t, setDefault(ctx, "profile-b", "lakebox-b"))
+
+	assert.Equal(t, "lakebox-a", getDefault(ctx, "profile-a"))
+	assert.Equal(t, "lakebox-b", getDefault(ctx, "profile-b"))
+}
+
+func TestStateSetDefaultOverwrites(t *testing.T) {
+	ctx, _ := stateCtx(t)
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a-prime"))
+	assert.Equal(t, "lakebox-a-prime", getDefault(ctx, "profile-a"))
+}
+
+func TestStateClearDefault(t *testing.T) {
+	ctx, _ := stateCtx(t)
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	require.NoError(t, setDefault(ctx, "profile-b", "lakebox-b"))
+
+	require.NoError(t, clearDefault(ctx, "profile-a"))
+	assert.Empty(t, getDefault(ctx, "profile-a"))
+	assert.Equal(t, "lakebox-b", getDefault(ctx, "profile-b"))
+}
+
+func TestStateClearDefaultMissingProfileDoesNotCreateFile(t *testing.T) {
+	ctx, path := stateCtx(t)
+
+	require.NoError(t, clearDefault(ctx, "no-such-profile"))
+
+	_, err := os.Stat(path)
+	assert.ErrorIs(t, err, fs.ErrNotExist, "clearDefault must not create the state file when there's nothing to remove")
+}
+
+func TestStateSetDefaultSameValueDoesNotRewriteFile(t *testing.T) {
+	ctx, path := stateCtx(t)
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	before, err := os.Stat(path)
+	require.NoError(t, err)
+
+	// Re-set with the same value should be a no-op.
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	after, err := os.Stat(path)
+	require.NoError(t, err)
+	assert.Equal(t, before.ModTime(), after.ModTime(), "no-op setDefault must not rewrite the file")
+}
+
+func TestStateSetDefaultMissingNoFileBeforeWrite(t *testing.T) {
+	ctx, path := stateCtx(t)
+
+	// Loading state on a fresh tempdir must not create the file.
+	assert.Empty(t, getDefault(ctx, "profile-a"))
+	_, err := os.Stat(path)
+	assert.ErrorIs(t, err, fs.ErrNotExist, "getDefault must not create the state file")
+}
+
+// Pre-existing files from earlier CLI versions carry a `last_profile` field
+// the current schema doesn't know about. loadState must accept the file
+// (silently dropping the unknown field) and saveState must rewrite without
+// it, so the field naturally falls off on the next mutation.
+func TestStateLoadIgnoresUnknownFields(t *testing.T) {
+	ctx, path := stateCtx(t)
+	require.NoError(t, os.MkdirAll(filepath.Dir(path), 0o700))
+	require.NoError(t, os.WriteFile(path, []byte(`{
+        "defaults": {"profile-a": "lakebox-a"},
+        "last_profile": "profile-a"
+    }`), 0o600))
+
+	assert.Equal(t, "lakebox-a", getDefault(ctx, "profile-a"))
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a-prime"))
+	rewritten, err := os.ReadFile(path)
+	require.NoError(t, err)
+	assert.NotContains(t, string(rewritten), "last_profile")
+}
+
+func TestStateLoadReturnsErrorOnCorruptJSON(t *testing.T) {
+	ctx, path := stateCtx(t)
+	require.NoError(t, os.MkdirAll(filepath.Dir(path), 0o700))
+	require.NoError(t, os.WriteFile(path, []byte("{not valid json"), 0o600))
+
+	_, err := loadState(ctx)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to parse")
+}
+
+// Files written by saveState must round-trip through loadState even if the
+// caller starts from an empty Defaults map.
+func TestStateSaveCreatesParentDirs(t *testing.T) {
+	ctx, path := stateCtx(t)
+
+	// Confirm parent dir does not exist yet.
+	_, err := os.Stat(filepath.Dir(path))
+	assert.ErrorIs(t, err, fs.ErrNotExist)
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+
+	// File and parent dir now exist with sensible perms.
+	info, err := os.Stat(path)
+	require.NoError(t, err)
+
+	dirInfo, err := os.Stat(filepath.Dir(path))
+	require.NoError(t, err)
+
+	// Windows does not honor Unix permission bits; os.Stat reports 0o666/0o777
+	// regardless of what was passed to OpenFile/MkdirAll.
+	if runtime.GOOS != "windows" {
+		assert.Equal(t, os.FileMode(0o600), info.Mode().Perm())
+		assert.Equal(t, os.FileMode(0o700), dirInfo.Mode().Perm())
+	}
+}
+
+// Defaults of nil on disk (legal but not what saveState produces) must still
+// load to a usable empty map so callers can setDefault without nil-deref.
+func TestStateLoadNilDefaultsMap(t *testing.T) {
+	ctx, path := stateCtx(t)
+	require.NoError(t, os.MkdirAll(filepath.Dir(path), 0o700))
+	require.NoError(t, os.WriteFile(path, []byte(`{}`), 0o600))
+
+	require.NoError(t, setDefault(ctx, "profile-a", "lakebox-a"))
+	assert.Equal(t, "lakebox-a", getDefault(ctx, "profile-a"))
+}
diff --git a/cmd/lakebox/status.go b/cmd/lakebox/status.go
new file mode 100644
index 0000000000..0eb78821d3
--- /dev/null
+++ b/cmd/lakebox/status.go
@@ -0,0 +1,83 @@
+package lakebox
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/spf13/cobra"
+)
+
+func newStatusCommand() *cobra.Command {
+	var outputJSON bool
+
+	cmd := &cobra.Command{
+		Use:   "status <lakebox-id>",
+		Short: "Show Lakebox environment status",
+		Long: `Show detailed status of a Lakebox environment.
+
+Example:
+  databricks lakebox status happy-panda-1234
+  databricks lakebox status happy-panda-1234 --json`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			lakeboxID, err := resolveLocalID(ctx, profile, args[0])
+			if err != nil {
+				return err
+			}
+
+			entry, err := api.get(ctx, lakeboxID)
+			if err != nil {
+				if errors.Is(err, apierr.ErrNotFound) {
+					return fmt.Errorf("no lakebox named %q — `databricks lakebox list` shows available IDs", lakeboxID)
+				}
+				return fmt.Errorf("failed to get lakebox %s: %w", lakeboxID, err)
+			}
+
+			_ = setGatewayHost(ctx, profile, entry.GatewayHost)
+			_ = upsertSandbox(ctx, profile, entry.SandboxID, entry.Name)
+
+			if jsonOutput(cmd, outputJSON) {
+				enc := json.NewEncoder(cmd.OutOrStdout())
+				enc.SetIndent("", "  ")
+				return enc.Encode(entry)
+			}
+
+			out := cmd.OutOrStdout()
+			blank(out)
+			field(ctx, out, "id", cmdio.Bold(ctx, entry.SandboxID))
+			if entry.Name != "" {
+				field(ctx, out, "name", entry.Name)
+			}
+			field(ctx, out, "status", status(ctx, entry.Status))
+			if entry.GatewayHost != "" {
+				field(ctx, out, "gateway", cmdio.Faint(ctx, entry.GatewayHost))
+			}
+			field(ctx, out, "autostop", cmdio.Faint(ctx, entry.autoStopLabel()))
+			blank(out)
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVar(&outputJSON, "json", false, "Output as JSON")
+
+	return cmd
+}
diff --git a/cmd/lakebox/stop.go b/cmd/lakebox/stop.go
new file mode 100644
index 0000000000..c83212166b
--- /dev/null
+++ b/cmd/lakebox/stop.go
@@ -0,0 +1,65 @@
+package lakebox
+
+import (
+	"fmt"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/spf13/cobra"
+)
+
+func newStopCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "stop <lakebox-id>",
+		Short: "Stop a running Lakebox environment",
+		Long: `Stop a running Lakebox environment.
+
+Terminates the backing microVM but preserves the sandbox record and its
+persistent storage. To restart, run 'databricks lakebox ssh' — the
+gateway auto-starts a stopped sandbox on connection.
+
+Stopping an already-stopped sandbox is a no-op.
+
+Example:
+  databricks lakebox stop happy-panda-1234`,
+		Args:              cobra.ExactArgs(1),
+		PreRunE:           root.MustWorkspaceClient,
+		ValidArgsFunction: completeSandboxIDs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			w := cmdctx.WorkspaceClient(ctx)
+			api, err := newLakeboxAPI(w)
+			if err != nil {
+				return err
+			}
+
+			profile := w.Config.Profile
+			if profile == "" {
+				profile = w.Config.Host
+			}
+
+			lakeboxID, err := resolveLocalID(ctx, profile, args[0])
+			if err != nil {
+				return err
+			}
+
+			s := spin(ctx, "Stopping "+lakeboxID+"…")
+			defer s.Close()
+
+			updated, err := api.stop(ctx, lakeboxID)
+			if err != nil {
+				s.fail("Failed to stop " + lakeboxID)
+				return fmt.Errorf("failed to stop lakebox %s: %w", lakeboxID, err)
+			}
+
+			_ = setGatewayHost(ctx, profile, updated.GatewayHost)
+			_ = upsertSandbox(ctx, profile, updated.SandboxID, updated.Name)
+
+			s.ok("Stopped " + cmdio.Bold(ctx, updated.SandboxID))
+			return nil
+		},
+	}
+
+	return cmd
+}
diff --git a/cmd/lakebox/ui.go b/cmd/lakebox/ui.go
new file mode 100644
index 0000000000..2a2e9e924e
--- /dev/null
+++ b/cmd/lakebox/ui.go
@@ -0,0 +1,90 @@
+package lakebox
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/spf13/cobra"
+)
+
+// jsonOutput reports whether the user asked for JSON output, via either
+// the local `--json` flag or the framework-global `-o json`.
+func jsonOutput(cmd *cobra.Command, jsonFlag bool) bool {
+	if jsonFlag {
+		return true
+	}
+	if f := cmd.Flag("output"); f != nil && f.Value.String() == "json" {
+		return true
+	}
+	return false
+}
+
+// cmdioSpinner is the subset of *cmdio.spinner's method set we need,
+// defined locally so we can hold the unexported type as a field.
+type cmdioSpinner interface {
+	Update(msg string)
+	Close()
+}
+
+// spinner wraps cmdio.NewSpinner with ok/fail markers. Close (idempotent
+// in cmdio) is safe alongside ok/fail, so callers can `defer s.Close()`.
+type spinner struct {
+	cmdioSpinner
+	ctx context.Context
+}
+
+func spin(ctx context.Context, msg string) *spinner {
+	sp := cmdio.NewSpinner(ctx)
+	sp.Update(msg)
+	return &spinner{cmdioSpinner: sp, ctx: ctx}
+}
+
+func (s *spinner) ok(msg string)   { s.mark("✓", msg) }
+func (s *spinner) fail(msg string) { s.mark("✗", msg) }
+
+func (s *spinner) mark(mark, msg string) {
+	s.Close()
+	cmdio.LogString(s.ctx, "  "+cmdio.Cyan(s.ctx, mark)+" "+msg)
+}
+
+// status formats a lakebox lifecycle status with a color hint.
+func status(ctx context.Context, s string) string {
+	switch strings.ToLower(s) {
+	case "running":
+		return cmdio.Cyan(ctx, "running")
+	case "stopped":
+		return cmdio.Faint(ctx, "stopped")
+	case "creating":
+		return cmdio.Bold(ctx, cmdio.Cyan(ctx, "creating…"))
+	case "stopping":
+		return cmdio.Yellow(ctx, "stopping…")
+	default:
+		return cmdio.Faint(ctx, strings.ToLower(s))
+	}
+}
+
+// field prints "  label  value" to w, where label is dimmed and padded to a
+// fixed visible width. Padding has to happen before Dim so the SGR escapes
+// don't inflate the byte count and break column alignment.
+func field(ctx context.Context, w io.Writer, label, value string) {
+	fmt.Fprintf(w, "  %s %s\n", cmdio.Faint(ctx, fmt.Sprintf("%-10s", label)), value)
+}
+
+// ok prints "  ✓ message" to stderr via the cmdio context.
+func ok(ctx context.Context, msg string) {
+	cmdio.LogString(ctx, "  "+cmdio.Cyan(ctx, "✓")+" "+msg)
+}
+
+// warn prints "  ! message" to stderr via the cmdio context. Yellow so
+// it visually differs from `ok`'s cyan ✓ and `spinner` cyan markers.
+func warn(ctx context.Context, msg string) {
+	cmdio.LogString(ctx, "  "+cmdio.Yellow(ctx, "!")+" "+msg)
+}
+
+// blank prints an empty line to w.
+func blank(w io.Writer) {
+	fmt.Fprintln(w)
+}