
Add allowGitCommonDir support for linked Git worktrees#218

Open
goncalossilva wants to merge 2 commits into
anthropic-experimental:mainfrom
goncalossilva:allowGitCommonDir

Conversation

@goncalossilva

Contributor

Improves linked worktree support in the sandbox.

In common sandbox configurations, filesystem write access is limited to the current directory. In a linked Git worktree, some Git state lives in the shared common dir outside that directory, so normal Git operations can fail. This is especially relevant for agentic development workflows, where linked worktrees and multiple parallel worktrees are common.

Support is added via filesystem.allowGitCommonDir so sandboxed commands can write to Git’s common dir from linked worktrees.

General behavior:

  • only applies to linked worktrees, with no effect in the main worktree
  • explicit deny rules still take precedence
  • hooks remain blocked, and config writes still require allowGitConfig
  • linked-worktree config.worktree is also blocked unless allowGitConfig is enabled

The implementation also hardens commondir handling so extra write access is only granted for verified linked-worktree layouts and adds tests for config validation, linked-worktree behavior, custom-config overrides, and main-worktree behavior.

Copilot AI review requested due to automatic review settings April 16, 2026 00:44

Copilot AI left a comment


Pull request overview

Adds a new sandbox option to better support Git linked worktrees by optionally allowing writes to the worktree’s resolved Git common dir while keeping sensitive Git paths (hooks and config) protected.

Changes:

  • Introduces filesystem.allowGitCommonDir and wires it through the sandbox manager and both Linux (bwrap) and macOS (sandbox-exec) implementations.
  • Adds hardened Git directory resolution (getGitDirs) to only grant extra access for verified linked-worktree layouts.
  • Expands test coverage with linked/main worktree fixtures and new integration/unit tests for common-dir behavior and config validation.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Reviewed files:

  • test/sandbox/wrap-with-sandbox.test.ts: Adds an integration test ensuring customConfig.filesystem.allowGitCommonDir enables writing to the Git common dir.
  • test/sandbox/mandatory-deny-paths.test.ts: Adds integration coverage for allow/deny semantics around Git common dir, config, config.worktree, hooks, and explicit denies.
  • test/sandbox/git-dirs.test.ts: New unit tests for getGitDirs main vs linked worktree resolution and hardening cases.
  • test/helpers/git-fixtures.ts: Adds reusable fixtures for main and linked worktree layouts used across tests.
  • test/config-validation.test.ts: Extends config validation fixture to include the new filesystem booleans.
  • src/sandbox/sandbox-utils.ts: Implements Git dir/common dir discovery, verification, and helper APIs to adjust allow/deny write paths.
  • src/sandbox/sandbox-manager.ts: Threads allowGitCommonDir through wrap flow and integrates common-dir allow-path resolution.
  • src/sandbox/sandbox-config.ts: Extends FilesystemConfigSchema with allowGitCommonDir.
  • src/sandbox/macos-sandbox-utils.ts: Adds allowGitCommonDir handling and injects common-dir deny paths into the seatbelt profile.
  • src/sandbox/linux-sandbox-utils.ts: Adds allowGitCommonDir handling and injects common-dir deny paths into mandatory deny resolution/bwrap binds.
  • README.md: Documents filesystem.allowGitConfig and filesystem.allowGitCommonDir.


Comment thread src/sandbox/sandbox-manager.ts