Sessions ignore CLAUDE.md worktree isolation rules, causing cross-session contamination

Resolved 💬 4 comments Opened Apr 9, 2026 by nordscope-fi Closed May 23, 2026

Problem

CLAUDE.md contains explicit, unambiguous rules about parallel session isolation:

Never run two Claude Code sessions on the same working directory. Every parallel session MUST use a dedicated git worktree.

Despite this, a session launched in the main worktree (on branch content/audit-tools-pricing-refresh with 30 dirty files) proceeded to work on an unrelated fix task. It tried to stash unrelated files, got blocked by a PreToolUse hook (branch-guard.sh), then scrambled to recover — causing force-pushes, CI failures, and merge conflicts.

Expected behavior

The session should have:

  1. Checked git branch --show-current
  2. Recognized it was in the wrong place for the requested task
  3. Created a worktree before doing anything
  4. Never touched, referenced, or attempted to stash the unrelated content files

These steps are clearly documented in the project's CLAUDE.md. The AI had the rules but didn't follow them.

What we've tried

We've built 4 layers of defense (permission tightening, PreToolUse hooks, canary files, application security). The branch-guard.sh hook did catch and block the destructive stash — preventing data loss. But the session was already confused by that point, operating in the wrong directory.

We could add more hooks (e.g., a PreToolUse hook that validates pwd against expected worktree paths), but this is compensating for the model not reading and following its own instructions. The rules are there. They're clear. They should be followed.

Root cause

The model doesn't reliably check its working context (current branch, dirty files, which worktree it's in) before starting work. It jumps straight to the task without situational awareness, even when CLAUDE.md explicitly requires it.

Feature request

Consider a built-in mechanism for session-directory binding — e.g., if a session is launched in a directory, enforce or strongly warn when tools target files outside that git rev-parse --show-toplevel. This would make CLAUDE.md rules about worktree isolation enforceable at the platform level rather than relying on model compliance.

Environment

  • Claude Code CLI
  • macOS
  • Git worktrees for parallel session isolation
  • Multiple PreToolUse hooks for safety (branch-guard, credential-guard, write-guard, etc.)

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗