claude-iso: auto-allow main repo in sandbox for -w worktree sessions#157
Merged
potiuk merged 1 commit on May 14, 2026
When `claude-iso -w` is launched from inside a git repo, prepend a one-shot `--settings` JSON to the claude argv that adds the main repo's path to sandbox.filesystem.allowRead. The main repo is resolved via `git rev-parse --git-common-dir` so it works from the main checkout as well as nested worktrees. This fixes the visibility gap that `-w` creates: the worktree is materialised mid-launch, and once Claude chdirs into it the sandbox's relative `"."` rule no longer covers the original main repo. The injection merges with the settings stack before sandbox init, so it takes effect for the same session without any on-disk edit (no settings.local.json bootstrap, no per-worktree cleanup). A short stderr banner reports the path added; no prompt.

Generated-by: Claude Code (Claude Opus 4.7)
Summary
`claude -w` (and `claude --worktree`) materialises a new worktree at `<main>/.claude/worktrees/<name>` and chdirs into it before sandbox init. The sandbox's relative `"."` allowRead rule then covers only the worktree subtree, not the main repo — so files outside the worktree's own working tree (siblings of `.claude/worktrees/`) aren't readable from the session.

When `-w`/`--worktree` is in the args, `claude-iso` now resolves the main repo via `git rev-parse --git-common-dir` (works from the main checkout and from nested worktrees) and prepends a one-shot `--settings '{"sandbox":{"filesystem":{"allowRead":["<main-repo>"]}}}'` to the `claude` argv. `claude` merges this into the loaded settings stack at startup, so the path is in scope before the sandbox initialises — same session, no on-disk edits, nothing to clean up when the worktree is abandoned.

`-w` isn't passed.
Test plan
- `bash -n` and `zsh -n` both accept the script
- `prek run --files tools/agent-isolation/claude-iso.sh` passes
- `-w` detection covers `-w`, `--worktree`, `-w <name>`, `--worktree=<name>`, and `-w` mixed with other flags
- `"` and `\` (validated with `python3 -c 'import json,sys; json.load(sys.stdin)'`)
- `claude-iso -w` from `/path/to/repo`, confirm the main-repo path is readable inside the worktree session
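The launcher logic the summary describes, written out as an added POSIX sh illustration that is not the PR's `claude-iso.sh`: it detects the worktree flags, derives the main checkout from the git common dir, JSON-escapes the path before placing it in the allowRead rule, and prepends the one-shot `--settings` document to the argv. The function names, the `claude` binary being on PATH, and the choice to reject paths containing control characters are assumptions of this example.

```shell
#!/bin/sh
# Added illustration (not claude-iso.sh itself): inject a one-shot
# sandbox.filesystem.allowRead rule for the main repo on -w sessions.
# True when the claude argv requests a worktree session.
wants_worktree() {
  for arg in "$@"; do
    case "$arg" in
      -w|--worktree|--worktree=*) return 0 ;;
    esac
  done
  return 1
}

# Escape a path for a JSON string literal: backslash and double quote would
# otherwise end the literal early; control characters are rejected outright.
json_escape() {
  case "$1" in
    *[[:cntrl:]]*) return 1 ;;
  esac
  printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Main checkout = parent of the git common dir; rev-parse prints a relative
# ".git" from the main checkout, absolute from a linked worktree, so canonicalise.
main_repo_from_common_dir() {
  common=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  dirname "$common"
}
main_repo_dir() {
  common=$(git rev-parse --git-common-dir 2>/dev/null) || return 1
  main_repo_from_common_dir "$common"
}

# Settings document that claude merges into the session's settings stack.
worktree_settings_json() {
  escaped=$(json_escape "$1") || return 1
  printf '{"sandbox":{"filesystem":{"allowRead":["%s"]}}}' "$escaped"
}

# Launcher: identical to `exec claude "$@"` unless a worktree session was
# requested from inside a git repo; the rule never touches settings on disk.
run_claude() {
  if wants_worktree "$@" && main=$(main_repo_dir); then
    settings=$(worktree_settings_json "$main") || return 1
    echo "claude-iso: sandbox allowRead += $main (main repo)" >&2
    set -- --settings "$settings" "$@"
  fi
  exec claude "$@"
}
```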