diff --git a/deploy/sync-to-vm.sh b/deploy/sync-to-vm.sh
index 5b862c5..4d9f337 100755
--- a/deploy/sync-to-vm.sh
+++ b/deploy/sync-to-vm.sh
@@ -113,9 +113,13 @@ for entry in "${MOUNT_PATTERNS[@]}"; do
     ssh_cmd "mkdir -p ${remote_path}"
 
     # Sync with rsync (fall back to scp if rsync unavailable)
-    # Exclude generated/cached content that gets recreated on the remote
+    # Exclude generated/cached content that gets recreated on the remote.
+    # Use -rlptD (archive minus -o -g) so ownership on the remote is set
+    # by the receiving user (devbox). Preserving host UID/GID with -a
+    # tagged files with the pusher's numeric GID, which leaked through
+    # whenever the VM happened to have a matching group (see #group-1001).
     if command -v rsync &>/dev/null; then
-      rsync -az --progress \
+      rsync -rlptDz --progress \
         --exclude='node_modules' \
         --exclude='__pycache__' \
         --exclude='.venv' \