Skip to content

fix(security): allow linked worktrees below config roots#1301

Open
WangErgouaaaa wants to merge 2 commits into
colbymchenry:mainfrom
WangErgouaaaa:fix/linked-worktree-sensitive-path-v2-20260716
Open

fix(security): allow linked worktrees below config roots#1301
WangErgouaaaa wants to merge 2 commits into
colbymchenry:mainfrom
WangErgouaaaa:fix/linked-worktree-sensitive-path-v2-20260716

Conversation

@WangErgouaaaa

Copy link
Copy Markdown

Summary

  • allow a Git linked worktree below ~/.config when its primary checkout is
    also below ~/.config
  • keep the exception limited to a worktree root with a .git file and a
    distinct shared Git checkout
  • continue rejecting ordinary config directories and ordinary Git repositories

Root cause

The sensitive-path guard rejected every descendant of ~/.config. The first
linked-worktree exception still required the primary checkout to live outside
all protected home directories, but agent harnesses can place both the primary
checkout and its linked task worktree below ~/.config/superpowers/worktrees.

Verification

  • focused regression demonstrated RED with both checkouts below a temporary
    ~/.config sandbox, then GREEN after the fix
  • security.test.ts + worktree-detection.test.ts: 63 passed, 2 skipped
  • TypeScript build passed
  • actual affected worktree now returns validateProjectPath(...) === null
  • built CLI advances past the sensitive-directory gate to the expected
    uninitialized-index response
  • full suite on current upstream-compatible tree: 2401 passed, 4 skipped

Security boundary

  • ~/.ssh, ~/.gnupg, and ~/.aws remain unconditional denials
  • a normal repository under ~/.config remains denied because its .git is a
    directory, not a linked-worktree pointer file
  • no configurable trust roots or new dependencies were added

visible-agent-orchestrator bootstrap added 2 commits July 16, 2026 00:49
Agent harnesses place legitimate task worktrees below ~/.config, which the sensitive-path guard previously rejected wholesale. Permit only Git-linked worktrees whose standard main checkout is outside every protected home directory, while preserving the block for ordinary config paths and all other sensitive roots.

Constraint: ~/.ssh, ~/.gnupg, and ~/.aws must remain unconditional denials
Rejected: Allow every Git repository under ~/.config | ordinary repositories there are still configuration data and should remain protected
Confidence: high
Scope-risk: narrow
Directive: Do not widen this exception beyond verified linked worktrees without equivalent boundary tests
Tested: security and worktree suites; full build; full suite 2373 passed with 2 host EMFILE watcher failures unrelated to this change
Not-tested: Windows linked-worktree layout
A linked worktree under ~/.config can legitimately share its Git directory with a primary checkout that is also under ~/.config. Keep the exception limited to roots with a .git file and a distinct shared checkout, while ordinary config repositories remain blocked.

Tested: focused RED/GREEN regression; 63 security/worktree tests; TypeScript build; actual worktree validation; full suite 2375 passed, 4 skipped.
@WangErgouaaaa

Copy link
Copy Markdown
Author

Local runtime acceptance completed against the PR branch:

  • packaged and installed CodeGraph 1.4.1 into a clean global prefix
  • created a temporary primary checkout and linked worktree, both below
    ~/.config
  • initialized the linked worktree index: 1 file, 2 nodes, 1 edge
  • spawned a fresh stdio MCP process and called codegraph_explore with the
    linked worktree as projectPath
  • result returned the expected acceptanceHelper symbol and did not report a
    sensitive-directory rejection
  • an ordinary Git repository below the same config sandbox remained rejected
  • temporary fixture removed after the run

Full branch suite remains 2401 passed, 4 skipped.

@WangErgouaaaa

Copy link
Copy Markdown
Author

Post-closeout acceptance on the original affected worktree is complete:

project:
  /home/ergou-aa/.config/superpowers/worktrees/oh-my-openagent/
  call-omo-thinker-v2-runtime-clean

CodeGraph version: 1.4.1
initialized: true
files: 3260
nodes: 31512
edges: 141987
index state: complete
pending refs: 0
worktree mismatch: null

The patched CLI successfully executed:

codegraph explore --path <affected-worktree> "prompt resolver"

and returned resolveCallOmoPromptWithReceipt plus current source and blast
radius evidence.

The safety control also passed:

  • linked task worktree: accepted
  • ordinary primary repository below the same ~/.config hierarchy: rejected
    with Refusing to operate on sensitive directory

The two pre-existing source modifications in the affected worktree remained
unchanged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant