Context
Worktree containers mask the main repo's `.git/hooks/` and `.git/config` with read-only binds. This is a security measure: a planted hook or config key (`core.hooksPath`, `core.fsmonitor`, `filter.*`) written from inside the container would execute on the host the next time the host user runs git in the main checkout — silently promoting worktree mode to bind-equivalent access. The masks make unattended worktree sessions meaningfully safer.
The lockdown is currently unconditional. Known in-container casualties (commands that fail loudly): `git config --local`, `git remote add`, `git push -u` (the upstream-tracking config write fails; the push itself succeeds).
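For teams weighing the opt-out, here is a host-side audit of the two surfaces the masks protect: config keys that make git run external programs (`core.hooksPath`, `core.fsmonitor`, and the `clean`/`smudge`/`process` entries of any `filter.*` driver) and executable, non-`.sample` files in `.git/hooks/`. This is an added example, not code from the issue or the project; the `audit_git_dir` function name and its output format are my own, and it parses the config file directly rather than calling git so it can run before git is ever invoked in the checkout.

```sh
#!/bin/sh
# audit_git_dir GITDIR
# Prints one line per finding; returns 0 when clean, 1 when anything was found.
# Assumed helper for this issue, not part of the project.
audit_git_dir() {
    gitdir=$1
    findings=0
    section=""
    if [ -f "$gitdir/config" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
            case "$line" in
                ''|\#*|\;*) continue ;;                     # blank or comment
                \[*\]) section=${line#\[}; section=${section%\]} ;;
                *=*)
                    key=${line%%=*}; key=${key%"${key##*[![:space:]]}"}
                    val=${line#*=};  val=${val#"${val%%[![:space:]]*}"}
                    # git config names are case-insensitive; match on a lowercased copy
                    lc=$(printf '%s %s' "$section" "$key" | tr '[:upper:]' '[:lower:]')
                    case "$lc" in
                        'core hookspath'|'core fsmonitor'|\
                        'filter "'*'" clean'|'filter "'*'" smudge'|'filter "'*'" process')
                            printf 'CONFIG %s.%s = %s\n' "$section" "$key" "$val"
                            findings=$((findings + 1)) ;;
                    esac ;;
            esac
        done < "$gitdir/config"
    fi
    if [ -d "$gitdir/hooks" ]; then
        for hook in "$gitdir"/hooks/*; do
            [ -f "$hook" ] || continue                      # also skips the unexpanded glob
            case "$hook" in *.sample) continue ;; esac      # git's shipped templates are inert
            if [ -x "$hook" ]; then
                printf 'HOOK %s\n' "$hook"
                findings=$((findings + 1))
            fi
        done
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_git_dir /path/to/repo/.git` (or against a worktree's `gitdir`); a non-zero exit means something in the shared `.git` would execute code on the next host-side git command and deserves a look before proceeding.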
Feature
Add a policy gate so projects can opt out of the lockdown:
- New setting under `security` (e.g. `security.worktree_git_protection`, default `true` — secure by default)
- Disabling removes the RO masks, restoring `git config --local` / `git remote add` / `git push -u` inside worktree containers
- Docs must carry a loud warning: disabling restores the host code-execution vector via shared `.git`
- Consider granular gating (hooks vs config) vs a single switch
Notes
- Caveats are documented at docs/worktrees.mdx (Worktree Caveats section)
- Upstream-tracking gap for new branches created in worktrees is part of the same caveat surface; a gate would let teams trade isolation for full git ergonomics
🤖 Generated with Claude Code