[Bug] Sandbox write-deny on .claude/commands blocks git worktree/checkout for repos with tracked slash commands
Bug Description
Title: Sandbox /.claude/commands/ write-deny blocks git worktree add / git checkout for repos that track shared slash commands
Repro:
1. Repo with a tracked file under .claude/commands/ (any team that shares slash commands via git, e.g. .claude/commands/pr-tidy.md)
2. With sandbox enabled (default), run git worktree add ../foo -b foo from inside Claude Code
3. Fails: error: unable to create file .claude/commands/pr-tidy.md: Operation not permitted → fatal: Could not reset index file to revision 'HEAD'
Same failure on plain git checkout, git pull, git stash pop, git clone — anywhere git materializes a tracked file under .claude/commands/.
Verified:
- Probe writes to <any-dir>/.claude/commands/x.md are denied; sibling .claude/skills/x.md and .claude/docs/x.md are allowed
- sandbox.filesystem.allowWrite: ["~/git/rootdir“] does NOT override the deny (tested fresh session)
- Resolved sandbox denyWithinAllow shown at session start does not list .claude/commands — the rule appears hardcoded and invisible to user config
Why it matters:
The user instructions in our CLAUDE.md tell Claude to use git worktree for branch work. Sharing slash commands by checking them into the repo is a documented Claude Code pattern. These two interact badly — Claude can't even create a worktree of the project Claude is working in.
Suggested fix:
Scope the deny to the active session's slash command paths (~/.claude/commands/, current-project .claude/commands/), or expose an override mechanism. As-is, the rule conflates "model is editing a live slash command" with "git is checking out a tracked file" — only the former is the threat the rule appears designed to mitigate.
---
Also worth mentioning in the same report: writes to <repo>/.git/config are denied even for benign operations like git push -u setting upstream tracking and git branch -D cleaning local config — adds noise on every push but doesn't block them.
Environment Info
- Platform: darwin
- Terminal: tmux
- Version: 2.1.119
- Feedback ID: d54f4c94-bd97-43c6-a2e6-fdc00e690419
Errors
[{"error":"Error: NON-FATAL: Lock acquisition failed for /Users/johkjo/.local/share/claude/versions/2.1.119 (expected in multi-process scenarios)\n at mH6 (/$bunfs/root/src/entrypoints/cli.js:2736:2177)\n at E$8 (/$bunfs/root/src/entrypoints/cli.js:2736:1257)\n at processTicksAndRejections (native:7:39)","timestamp":"2026-04-27T11:51:01.708Z"}]This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗