This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new ecb05ac fix(secure-agent-setup): allow tool-cache writes in sandbox (#86)
ecb05ac is described below
commit ecb05ac6848127a0349fe68546ad089aa1348104
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 7 03:52:42 2026 +0200
fix(secure-agent-setup): allow tool-cache writes in sandbox (#86)
Add `sandbox.filesystem.allowWrite` with `~/.cache/` and
`~/.local/share/uv/`, and broaden `allowRead` from `~/.cache/uv/` to
`~/.cache/`. Without write access to these paths, common dev-loop tools
fail under the sandbox: `uv` cannot open `~/.cache/uv/sdists-v9/.git`,
`prek` cannot write `~/.cache/prek/prek.log`, and `ruff`/`mypy` cannot
maintain their on-disk caches. The narrower `~/.cache/uv/` previously
in `allowRead` only covered the HTTP cache.
Also document the agent-worktree case in the adopter setup section:
sibling agent worktrees and the main repo's `.git/` need read access
to the parent path that contains them, which is project-specific.
---
.claude/settings.json | 6 +++++-
docs/setup/secure-agent-setup.md | 15 +++++++++++++--
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/.claude/settings.json b/.claude/settings.json
index ec2e50a..10b1af4 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -9,12 +9,16 @@
"~/.gitconfig",
"~/.config/git/",
"~/.config/gh/",
- "~/.cache/uv/",
+ "~/.cache/",
"~/.local/share/uv/",
"~/.local/bin/",
"~/.config/apache-steward/",
"~/.gnupg/",
"/run/user/*/gnupg/"
+ ],
+ "allowWrite": [
+ "~/.cache/",
+ "~/.local/share/uv/"
]
},
"network": {
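Review bot: the `allowRead` change from `~/.cache/uv/` to `~/.cache/` and the new `allowWrite` entries for `~/.cache/` and `~/.local/share/uv/` grant more than the four tools named in the commit message need; `~/.cache/` is shared by every tool on the host, so consider listing the specific subdirectories instead (`~/.cache/uv/`, `~/.cache/prek/`, plus whichever directories ruff and mypy are configured to use in this repo). Write access to `~/.local/share/uv/` deserves a second look on its own: it holds the tool venvs that the `~/.local/bin/` entry points in the same `allowRead` list resolve to, and those run outside the sandbox with the user's full privileges, so a compromised agent session could plant code there that executes later in an unsandboxed shell. If the broad paths are kept deliberately, the trade-off should be recorded somewhere the adopter will see it (the docs copy of this list is the natural place, since JSON cannot carry the comment).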
diff --git a/docs/setup/secure-agent-setup.md b/docs/setup/secure-agent-setup.md
index 82373f5..bd9f43d 100644
--- a/docs/setup/secure-agent-setup.md
+++ b/docs/setup/secure-agent-setup.md
@@ -340,12 +340,16 @@ below, annotated.
"~/.gitconfig", // git's user.name / user.email
"~/.config/git/", // git's per-host config
"~/.config/gh/", // gh CLI auth (token in hosts.yml)
- "~/.cache/uv/", // uv's HTTP cache
+ "~/.cache/", // dev tool caches (uv HTTP cache, prek
logs, ruff/mypy caches)
"~/.local/share/uv/", // uv's tool venvs (prek, etc.)
"~/.local/bin/", // uv-installed tool entry points
"~/.config/apache-steward/", // Gmail OAuth refresh token
(oauth-draft tool)
"~/.gnupg/", // gpg keys (commit signing)
"/run/user/*/gnupg/" // gpg-agent socket dir
(ssh-via-gpg-agent commit signing)
+ ],
+ "allowWrite": [
+ "~/.cache/", // uv lock files, prek log + state,
ruff/mypy caches
+ "~/.local/share/uv/" // uv's tool venvs (prek installs new
hook envs here)
]
},
"network": {
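Review bot: the new `allowWrite` annotations describe what each tool stores there but not the consequence for the sandbox boundary, which is the point an adopter needs when deciding whether to keep these entries: `~/.cache/` and `~/.local/share/uv/` are the same directories the user's unsandboxed `uv`/`prek` runs read from, so a modified cached artifact or hook env written by the agent is executed later outside the sandbox. Suggest adding one sentence after the `allowWrite` block saying that these paths are shared with non-sandboxed tool runs and that adopters who want a hard boundary should point the sandboxed tools at a separate cache directory instead. The `allowRead` comment for `~/.cache/` should likewise say that the directory can contain other tools' data, not only the caches listed, since the previous `~/.cache/uv/` entry did not have that property.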
@@ -848,7 +852,14 @@ sub-section that follows.
domains you don't actually use, add any project-specific hosts.
- The `sandbox.filesystem.allowRead` list — same: drop the
dotfiles your project doesn't need, add any project-specific
- paths the host requires.
+ paths the host requires. If you use Claude Code's `--worktree`
+ agent isolation, sibling agent worktrees live next to the active
+ one (e.g. `~/code/<project>/.claude/worktrees/agent-*/`), and
+ `git` operations on a worktree follow its `.git` file up to the
+ main repo's `.git/` directory. Both require read access to the
+ parent path that contains all worktrees and the main repo —
+ adopters who keep their checkout at, say, `~/code/<project>/`
+ should add that directory to `allowRead`.
- The `permissions.ask` list — add any project-specific
write-side commands you want to confirm explicitly (e.g. a
custom release-publishing CLI).
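Review bot: the new worktree paragraph says only read access to the parent path is required, but `git` operations run from a linked worktree also write into the main repo's `.git/` (new objects and refs on commit, and the worktree's own `HEAD` and `index` under `.git/worktrees/<name>/`), so commits and checkouts from the agent worktree will fail if the main repo's `.git/` is outside whatever the sandbox allows writes to. The paragraph should state whether that directory must also be added to `allowWrite` or is already covered, otherwise adopters will follow the `allowRead` advice and still hit write failures. It is also worth one sentence noting that putting `~/code/<project>/` in `allowRead` lets each agent read every sibling worktree, including other agents' uncommitted changes, which weakens the isolation `--worktree` is meant to provide; adopters who care about that can list the main repo's `.git/` and the worktrees directory separately rather than the whole parent.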