(airflow-steward) branch main updated: claude-iso: auto-allow main repo in sandbox for -w/--worktree sessions (#157)

Thu, 14 May 2026 14:32:58 -0700 

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git


The following commit(s) were added to refs/heads/main by this push:
     new ab66c57  claude-iso: auto-allow main repo in sandbox for -w/--worktree 
sessions (#157)
ab66c57 is described below

commit ab66c570d2cf1b46e178f755bc1b0d3c6e76c659
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 14 23:32:45 2026 +0200

    claude-iso: auto-allow main repo in sandbox for -w/--worktree sessions 
(#157)
    
    When `claude-iso -w` is launched from inside a git repo, prepend a
    one-shot `--settings` JSON to the claude argv that adds the main
    repo's path to sandbox.filesystem.allowRead. The main repo is
    resolved via `git rev-parse --git-common-dir` so it works from the
    main checkout as well as nested worktrees.
    
    This fixes the visibility gap that `-w` creates: the worktree is
    materialised mid-launch, and once Claude chdirs into it the
    sandbox's relative `"."` rule no longer covers the original main
    repo. The injection merges with the settings stack before sandbox
    init, so it takes effect for the same session without any on-disk
    edit (no settings.local.json bootstrap, no per-worktree cleanup).
    
    A short stderr banner reports the path added; no prompt.
    
    Generated-by: Claude Code (Claude Opus 4.7)
---
 tools/agent-isolation/claude-iso.sh | 51 +++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/tools/agent-isolation/claude-iso.sh 
b/tools/agent-isolation/claude-iso.sh
index f1dc198..a663237 100755
--- a/tools/agent-isolation/claude-iso.sh
+++ b/tools/agent-isolation/claude-iso.sh
@@ -39,6 +39,18 @@
 # To inject a single credential explicitly for one session:
 #   GH_TOKEN="$(gh auth token)" claude-iso
 #   AWS_PROFILE=read-only claude-iso
+#
+# Worktree mode (`claude-iso -w` / `claude-iso --worktree`):
+#   When `-w` / `--worktree` is present in the args AND the wrapper
+#   is invoked from inside a git repo, claude-iso automatically
+#   grants the new worktree session's sandbox read access to the
+#   *main* repo (resolved via `git rev-parse --git-common-dir`, so
+#   it works whether you launch from the main checkout or from a
+#   nested worktree). The wrapper prepends a one-shot
+#   `--settings '{"sandbox":{"filesystem":{"allowRead":["<main-repo>"]}}}'`
+#   to the `claude` argv — Claude merges this into the loaded
+#   settings stack at startup, before the sandbox is initialised.
+#   A stderr banner reports what was added. Nothing on disk changes.
 
 claude_iso_main() {
   # Resolve the claude binary on PATH before clobbering the env so
@@ -130,6 +142,45 @@ claude_iso_main() {
   # without a shadow. The conservative read: include these only when
   # the user named them in CLAUDE_ISO_ALLOW.)
 
+  # `-w` / `--worktree`: auto-add the main repo to the new worktree
+  # session's sandbox allowRead. See the "Worktree mode" section in
+  # the file header for the full rationale. The injection uses
+  # `claude --settings <json>`, which merges with the loaded settings
+  # stack at startup (i.e. before sandbox init), so the added path is
+  # in scope for the worktree session immediately — no on-disk
+  # settings.json edit is performed.
+  local has_worktree=0
+  local arg
+  for arg in "$@"; do
+    case "$arg" in
+      -w|--worktree|-w=*|--worktree=*) has_worktree=1; break ;;
+    esac
+  done
+
+  if [[ "$has_worktree" -eq 1 ]]; then
+    local common_dir main_repo
+    common_dir="$(git -C "$PWD" rev-parse --git-common-dir 2>/dev/null || 
true)"
+    if [[ -n "$common_dir" ]]; then
+      case "$common_dir" in
+        /*) ;;
+        *) common_dir="$PWD/$common_dir" ;;
+      esac
+      main_repo="$(cd "$(dirname "$common_dir")" 2>/dev/null && pwd)"
+      if [[ -n "$main_repo" ]]; then
+        # Escape backslashes and double quotes so a pathological
+        # repo path can't break out of the JSON string literal.
+        local escaped="${main_repo//\\/\\\\}"
+        escaped="${escaped//\"/\\\"}"
+        set -- --settings 
"{\"sandbox\":{\"filesystem\":{\"allowRead\":[\"${escaped}\"]}}}" "$@"
+        if [[ -t 2 ]]; then
+          printf '\033[2m[claude-iso] -w detected; added main repo "%s" to 
worktree sandbox allowRead\033[0m\n' "$main_repo" >&2
+        else
+          printf '[claude-iso] -w detected; added main repo "%s" to worktree 
sandbox allowRead\n' "$main_repo" >&2
+        fi
+      fi
+    fi
+  fi
+
   # When the user has aliased `claude=claude-iso`, an interactive
   # session looks indistinguishable from a normal `claude` launch.
   # Print a one-line banner on stderr (dim if a TTY) so it's obvious

Reply via email to