[Bug] Sandbox write-deny on .claude/commands blocks git worktree/checkout for repos with tracked slash commands

Resolved 💬 4 comments Opened Apr 27, 2026 by johan-kjolhede-kivra Closed May 29, 2026

Bug Description
Title: Sandbox /.claude/commands/ write-deny blocks git worktree add / git checkout for repos that track shared slash commands Repro: 1. Repo with a tracked file under .claude/commands/ (any team that shares slash commands via git, e.g. .claude/commands/pr-tidy.md) 2. With sandbox enabled (default), run git worktree add ../foo -b foo from inside Claude Code 3. Fails: error: unable to create file .claude/commands/pr-tidy.md: Operation not permitted → fatal: Could not reset index file to revision 'HEAD' Same failure on plain git checkout, git pull, git stash pop, git clone — anywhere git materializes a tracked file under .claude/commands/. Verified: - Probe writes to <any-dir>/.claude/commands/x.md are denied; sibling .claude/skills/x.md and .claude/docs/x.md are allowed - sandbox.filesystem.allowWrite: ["~/git/rootdir“] does NOT override the deny (tested fresh session) - Resolved sandbox denyWithinAllow shown at session start does not list .claude/commands — the rule appears hardcoded and invisible to user config Why it matters: The user instructions in our CLAUDE.md tell Claude to use git worktree for branch work. Sharing slash commands by checking them into the repo is a documented Claude Code pattern. These two interact badly — Claude can't even create a worktree of the project Claude is working in. Suggested fix: Scope the deny to the active session's slash command paths (~/.claude/commands/, current-project .claude/commands/), or expose an override mechanism. As-is, the rule conflates "model is editing a live slash command" with "git is checking out a tracked file" — only the former is the threat the rule appears designed to mitigate. --- Also worth mentioning in the same report: writes to <repo>/.git/config are denied even for benign operations like git push -u setting upstream tracking and git branch -D cleaning local config — adds noise on every push but doesn't block them.

Environment Info

  • Platform: darwin
  • Terminal: tmux
  • Version: 2.1.119
  • Feedback ID: d54f4c94-bd97-43c6-a2e6-fdc00e690419

Errors

[{"error":"Error: NON-FATAL: Lock acquisition failed for /Users/johkjo/.local/share/claude/versions/2.1.119 (expected in multi-process scenarios)\n    at mH6 (/$bunfs/root/src/entrypoints/cli.js:2736:2177)\n    at E$8 (/$bunfs/root/src/entrypoints/cli.js:2736:1257)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-04-27T11:51:01.708Z"}]

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗