diff --git a/packaging/freebsd/agent-jail-bootstrap.sh b/packaging/freebsd/agent-jail-bootstrap.sh
index 236f2af..3bebd1e 100755
--- a/packaging/freebsd/agent-jail-bootstrap.sh
+++ b/packaging/freebsd/agent-jail-bootstrap.sh
@@ -10,6 +10,7 @@
 set -eu
 
 JAIL_NAME="${1:-}"
+PKG_CACHE_DIR="${PKG_CACHE_DIR:-/var/cache/pkg}"
 
 # The jail name becomes a path component, so reject anything that could escape
 # /usr/local/bastille/jails/<name>/root (empty, traversal, odd characters).
@@ -45,6 +46,12 @@ for p in ${PKGS}; do
         echo "       (versions are pinned to the host; the cache has nothing to serve otherwise)" >&2
         exit 1
     fi
+    if ! ls "${PKG_CACHE_DIR}/${p}-${ver}"*.pkg >/dev/null 2>&1; then
+        echo "error: host pkg cache is missing ${p}-${ver}" >&2
+        echo "       prime it first: pkg fetch -y ${p}-${ver}" >&2
+        echo "       (offline/exact-version bootstrap depends on ${PKG_CACHE_DIR})" >&2
+        exit 1
+    fi
     echo "  ${p}-${ver}"
     pkg -c "${JAIL_ROOT}" install -y "${p}-${ver}"
 done