
feat(worktree): add worktree isolation plugin to marketplace #79

Merged
amondnet merged 3 commits into main from feat/add-worktree-plugin
Mar 6, 2026

Conversation

@amondnet (Contributor) commented Mar 6, 2026

Summary

  • Add worktree plugin (Type 5 manually-maintained) ported from chatbot-pf/engineering-standards
  • Provides git worktree isolation via two hooks:
    • SessionStart: detects worktree and injects context warning Claude not to access parent project path
    • PreToolUse: blocks Read/Grep/Glob/Edit/Write/MultiEdit tool calls targeting parent project paths
  • Add worktree entry to .claude-plugin/marketplace.json (category: tooling)

Plugin structure

plugins/worktree/
├── .claude-plugin/plugin.json       # hooks-only manifest
├── CHANGELOG.md
└── hooks/
    ├── worktree-context.ts          # SessionStart hook
    ├── worktree-context.test.ts     # 20 tests
    ├── deny-parent-access.ts        # PreToolUse hook
    └── deny-parent-access.test.ts   # 34 tests

Test plan

  • 54/54 tests pass (bun test in plugins/worktree/)
  • marketplace.json and plugin.json are valid JSON

Summary by cubic

Adds a new worktree isolation plugin to the marketplace to keep tool operations inside the active git worktree. Also hardens path checks to block relative-path bypasses and improves Windows support.

  • New Features

    • Adds plugins/worktree with hooks-only manifest; marketplace.json updated (tooling).
    • SessionStart: detects worktrees via /.claude/worktrees/ or git rev-parse and injects “use worktree, not parent” context.
    • PreToolUse: intercepts Read|Grep|Glob|Edit|Write|MultiEdit and denies parent paths with normalization.
    • README updated with Worktree section and install command; 54 tests added and passing.
  • Bug Fixes

    • Resolve relative paths against cwd before boundary checks to prevent ../../ bypass.
    • Use path.join for .git comparisons to support Windows separators.
    • Extract resolveCwd() for reuse across hooks; add coverage for relative-path bypass and make tests path-portable.

Written for commit b861a34. Summary will update on new commits.

Add manually-maintained (Type 5) plugin that provides git worktree
isolation via SessionStart context injection and PreToolUse path
blocking. Ported from chatbot-pf/engineering-standards.
@vercel (bot) commented Mar 6, 2026

The latest updates on your projects.

Project: claude-code-plugins
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Mar 6, 2026 4:49am

@amondnet amondnet self-assigned this Mar 6, 2026
@gemini-code-assist (bot) commented Mar 6, 2026

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates a new worktree plugin into the system, which aims to provide robust isolation for Git worktrees within the Claude Code environment. By leveraging both SessionStart and PreToolUse hooks, the plugin ensures that the AI is aware of worktree boundaries and is prevented from inadvertently interacting with the main project repository, thereby improving operational safety and clarity.

Highlights

  • New Worktree Plugin Added: A new worktree plugin has been introduced to the marketplace, designed to enhance safety and isolation within Git worktrees.
  • SessionStart Hook for Context Injection: A SessionStart hook was implemented to detect when Claude Code is operating within a Git worktree and injects context warning against accessing the parent project path.
  • PreToolUse Hook for Access Prevention: A PreToolUse hook was added to actively block specific tool calls (Read, Grep, Glob, Edit, Write, MultiEdit) from targeting and modifying files in the parent project outside the active worktree.

Changelog

  • .claude-plugin/marketplace.json
    • Added a new entry for the worktree plugin to the marketplace.
  • plugins/worktree/.claude-plugin/plugin.json
    • Created the plugin manifest for the worktree plugin, defining its SessionStart and PreToolUse hooks.
  • plugins/worktree/CHANGELOG.md
    • Initialized the changelog for the worktree plugin with version 1.0.0.
  • plugins/worktree/hooks/deny-parent-access.test.ts
    • Implemented comprehensive unit tests for the deny-parent-access hook, covering path extraction and validation logic.
  • plugins/worktree/hooks/deny-parent-access.ts
    • Developed the PreToolUse hook to prevent tools from accessing paths outside the current Git worktree.
  • plugins/worktree/hooks/worktree-context.test.ts
    • Implemented unit tests for the worktree-context hook, verifying worktree detection and context building.
  • plugins/worktree/hooks/worktree-context.ts
    • Developed the SessionStart hook to detect Git worktrees and inject informative context into the session.

Activity

  • The author confirmed that all 54 tests for the worktree plugin passed successfully.
  • The author verified the JSON validity of marketplace.json and plugin.json.

@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces a new worktree plugin to provide isolation for git worktrees. While the implementation is well-structured and includes a comprehensive test suite, a critical security vulnerability was identified in the PreToolUse hook. This vulnerability allows relative paths to bypass access restrictions because the hook only checks absolute paths; resolving all paths against the current working directory before the security check is suggested as a remediation. Additionally, there is a minor opportunity to improve maintainability by reducing code duplication.

@cubic-dev-ai (bot) left a comment

4 issues found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="plugins/worktree/hooks/deny-parent-access.ts">

<violation number="1" location="plugins/worktree/hooks/deny-parent-access.ts:147">
P1: Security bypass: relative paths are not resolved before the security check. A tool can pass a relative path like `../../parent/secret.ts` to bypass the parent path protection entirely, since `isParentPath()` returns `false` for non-absolute paths, immediately allowing the request.

The path should be resolved to absolute using `resolve(cwd, filePath)` before the security checks.</violation>
</file>

<file name="plugins/worktree/hooks/worktree-context.ts">

<violation number="1" location="plugins/worktree/hooks/worktree-context.ts:78">
P2: Linked-worktree detection compares paths using inconsistent separator normalization, which can misclassify the main repo as a worktree on Windows.</violation>

<violation number="2" location="plugins/worktree/hooks/worktree-context.ts:87">
P2: Parent project path extraction is POSIX-only and fails for Windows-style paths ending in `\\.git`.</violation>
</file>

<file name="plugins/worktree/hooks/worktree-context.test.ts">

<violation number="1" location="plugins/worktree/hooks/worktree-context.test.ts:86">
P2: This test is environment-dependent due to a hardcoded local path, so it may pass for the wrong reason and fail to validate the intended main-repo-root behavior.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@cubic-dev-ai (bot) left a comment

1 issue found across 8 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="plugins/worktree/hooks/deny-parent-access.ts">

<violation number="1" location="plugins/worktree/hooks/deny-parent-access.ts:140">
P1: Security bypass: relative paths are not resolved to absolute before checking, allowing access to parent project via paths like `../../../secret.ts`. The `cwd` should be used to resolve relative paths before calling `isParentPath`.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

- Security (P1): resolve relative paths against cwd before isParentPath
  check to prevent bypass via paths like ../../secret.ts
- Refactor: extract resolveCwd() helper from worktree-context.ts and
  reuse in deny-parent-access.ts to eliminate duplication
- Fix (P2): use path.join() for .git dir comparisons to support
  Windows path separators (endsWith(join('.git')))
- Test: replace hardcoded local path in worktree-context.test.ts with
  import.meta.dir-based path for portability
- Test: add relative-path-bypass coverage to deny-parent-access.test.ts
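The relative-path bypass flagged in the cubic review and the fix described in the commit message above, as an added example that is not the plugin's own code: `isParentPathUnfixed` mirrors the reviewed behaviour (non-absolute paths are never treated as parent paths), `isParentPathFixed` resolves the tool's path against the worktree cwd first, and `parentProjectFromGitDir` shows a separator-agnostic way to strip the `.git` suffix. The layout constants and all function names are assumptions constructed for this example.

```typescript
import { basename, dirname, isAbsolute, resolve, sep } from "node:path";

// True when `candidate` is `root` itself or lies below it. Both sides go through
// resolve(), so "a/../b" segments and trailing separators cannot fool the check,
// and the separator suffix stops "/proj-other" from matching root "/proj".
function isWithin(root: string, candidate: string): boolean {
  const r = resolve(root);
  const c = resolve(candidate);
  return c === r || c.startsWith(r + sep);
}

// Logic as the review describes the original hook: a non-absolute path is never
// considered a parent path, so a relative "../../../secret.ts" is let through.
function isParentPathUnfixed(parent: string, cwd: string, filePath: string): boolean {
  if (!isAbsolute(filePath)) return false;
  return isWithin(parent, filePath) && !isWithin(cwd, filePath);
}

// Fixed variant: resolve the tool's path against the worktree cwd first, then ask
// whether it lands inside the parent project but outside the worktree itself
// (the worktree lives under the parent's .claude/worktrees/, so both tests matter).
function isParentPathFixed(parent: string, cwd: string, filePath: string): boolean {
  const abs = resolve(cwd, filePath);
  return isWithin(parent, abs) && !isWithin(cwd, abs);
}

// Hook decision for one Read/Grep/Glob/Edit/Write/MultiEdit call.
function decide(parent: string, cwd: string, filePath: string, fixed = true): "allow" | "deny" {
  const check = fixed ? isParentPathFixed : isParentPathUnfixed;
  return check(parent, cwd, filePath) ? "deny" : "allow";
}

// Separator-agnostic extraction of the parent project root from a ".git" directory
// path (the Windows P2 item): basename/dirname instead of a hard-coded "/.git" suffix.
function parentProjectFromGitDir(gitDir: string): string | null {
  const abs = resolve(gitDir);
  return basename(abs) === ".git" ? dirname(abs) : null;
}

// Constructed sample layout (assumption): a worktree created under the parent
// project's .claude/worktrees/ directory, as the SessionStart hook expects.
const PARENT = "/home/dev/proj";
const WORKTREE = "/home/dev/proj/.claude/worktrees/feat-x";

console.log("unfixed:", decide(PARENT, WORKTREE, "../../../secret.ts", false)); // allow (bypass)
console.log("fixed:  ", decide(PARENT, WORKTREE, "../../../secret.ts"));        // deny
```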
@amondnet amondnet merged commit d546eba into main Mar 6, 2026
7 checks passed
@amondnet amondnet deleted the feat/add-worktree-plugin branch March 6, 2026 04:53