Sandbox filesystem rules can't scope to git root, breaking worktree workflows
Resolved 💬 2 comments Opened Apr 10, 2026 by willfindlay Closed May 22, 2026
Problem
The sandbox's filesystem.allowWrite paths are static (set in settings.json), but git worktree operations require write access to the parent repo's .git/worktrees/<name>/ directory, which lives outside the worktree's CWD. There's no way to express "the git common dir of the current repo" as a static path, so worktree users face an impossible trade-off:
- Tight rules (CWD + specific dirs): git operations in worktrees fail because the parent repo's
.git/isn't writable. Claude learns to usedangerouslyDisableSandboxfor everything, defeating the sandbox. - Broad rules (
allowWrite: ["~"]): worktrees work, but a compromised agent has write access to the entire home directory, which defeats much of the sandbox's value.
This isn't a niche workflow. Claude Code has first-class worktree support via EnterWorktree, and worktrees are the recommended way to isolate concurrent work. The sandbox should work well with them out of the box.
Proposed solutions (any of these would help)
- Auto-detect git root: when the sandbox is enabled and CWD is inside a git repo, automatically add the git common dir (
git rev-parse --git-common-dir) toallowWrite. This covers both regular repos and worktrees.
- Dynamic path variables in
allowWrite: support tokens like${GIT_COMMON_DIR}or${GIT_WORK_TREE}that resolve at session start (or on CWD change) rather than at config parse time.
EnterWorktreesandbox integration: when Claude enters a worktree, automatically extend the sandbox's write permissions to include the parent repo's.git/worktrees/directory for the duration of that worktree session.
Environment
- Platform: Linux (WSL2, bubblewrap sandbox)
- Claude Code version: latest
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗