* Delete bare-repo files planted at cwd during a sandboxed command, before * Claude's unsandboxed git calls can see them. See the SECURITY block above * bareGitRepoFiles. anthropics/claude-code#29316.
()
| 402 | * bareGitRepoFiles. anthropics/claude-code#29316. |
| 403 | */ |
| 404 | function scrubBareGitRepoFiles(): void { |
| 405 | for (const p of bareGitRepoScrubPaths) { |
| 406 | try { |
| 407 | // eslint-disable-next-line custom-rules/no-sync-fs -- cleanupAfterCommand must be sync (Shell.ts:367) |
| 408 | rmSync(p, { recursive: true }) |
| 409 | logForDebugging(`[Sandbox] scrubbed planted bare-repo file: ${p}`) |
| 410 | } catch { |
| 411 | // ENOENT is the expected common case — nothing was planted |
| 412 | } |
| 413 | } |
| 414 | } |
| 415 | |
| 416 | /** |
| 417 | * Detect if cwd is a git worktree and resolve the main repo path. |
no test coverage detected