From 98913642cfff6f6720ce92e9a9370ac71814f7b0 Mon Sep 17 00:00:00 2001
From: mkorwel
Date: Thu, 19 Mar 2026 01:16:22 -0700
Subject: [PATCH] feat(workspaces): use GIT_CONFIG env vars to bypass safe.directory on read-only FS
---
 .../skills/workspaces/scripts/orchestrator.ts | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/.gemini/skills/workspaces/scripts/orchestrator.ts b/.gemini/skills/workspaces/scripts/orchestrator.ts
index cd7f54a804..85aa055c44 100644
--- a/.gemini/skills/workspaces/scripts/orchestrator.ts
+++ b/.gemini/skills/workspaces/scripts/orchestrator.ts
@@ -73,24 +73,26 @@ export async function runOrchestrator(args: string[], env: NodeJS.ProcessEnv = p
 // FIX: Ensure container user (node) owns the workspaces directories
 console.log(' - Synchronizing container permissions...');
 await provider.exec(`sudo chown -R 1000:1000 /home/node/.workspaces`);
+if (check.status !== 0) {
+ console.log(` - Provisioning isolated git worktree for ${prNumber}...`);

- if (check.status !== 0) {
- console.log(` - Provisioning isolated git worktree for ${prNumber}...`);
-
- // We run these on the host. Since setup might have left the repo root-owned, we use sudo.
- const gitFetch = isShellMode
- ? `sudo git -C ${hostWorkDir} fetch --quiet origin`
- : `sudo git -C ${hostWorkDir} fetch --quiet upstream pull/${prNumber}/head`;
-
- const gitTarget = isShellMode ? 'FETCH_HEAD' : 'FETCH_HEAD';
+ // We run these on the host. Since setup might have left the repo root-owned, we use sudo.
+ // We use environment variables to bypass safe.directory checks on a read-only filesystem.
+ const gitEnv = `GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0=safe.directory GIT_CONFIG_VALUE_0=${hostWorkDir}`;

- const setupCmd = `
- sudo git config --global --add safe.directory ${hostWorkDir} && \
- sudo mkdir -p ${hostWorkspaceRoot}/worktrees && \
- ${gitFetch} && \
- sudo git -C ${hostWorkDir} worktree add --quiet -f ${hostWorktreeDir} ${gitTarget} 2>&1 && \
- sudo chown -R 1000:1000 ${hostWorkspaceRoot}
- `;
+ const gitFetch = isShellMode
+ ? `sudo ${gitEnv} git -C ${hostWorkDir} fetch --quiet origin`
+ : `sudo ${gitEnv} git -C ${hostWorkDir} fetch --quiet upstream pull/${prNumber}/head`;
+
+ const gitTarget = isShellMode ? 'FETCH_HEAD' : 'FETCH_HEAD';
+
+ const setupCmd = `
+ sudo mkdir -p ${hostWorkspaceRoot}/worktrees && \
+ sudo chown chronos:chronos ${hostWorkspaceRoot}/worktrees && \
+ ${gitFetch} && \
+ sudo ${gitEnv} git -C ${hostWorkDir} worktree add --quiet -f ${hostWorktreeDir} ${gitTarget} 2>&1 && \
+ sudo chown -R 1000:1000 ${hostWorkspaceRoot}
+ `;
 const setupRes = await provider.getExecOutput(setupCmd);
 if (setupRes.status !== 0) {
 console.error(' ❌ Failed to provision remote worktree.');
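Review bot: The `gitEnv` prefix switches off git's repository-ownership check for the root-run `git fetch` and `git worktree add`, so git executing as root will honour whatever config and hooks live in `${hostWorkDir}`; if a non-root account (the flow chowns paths to `1000:1000` and `chronos`) can write that repository's `.git`, this becomes a route to root on the host. Running both git commands as the repository owner instead of root would avoid needing the override at all, for example `sudo -u chronos git -C ${hostWorkDir} fetch --quiet origin`, assuming chronos is the intended owner; failing that, pass `-c core.hooksPath=/dev/null` on the root invocations. Separately, `${hostWorkDir}` and `${prNumber}` are interpolated unquoted into a shell string executed under sudo, so `prNumber` should be validated as digits before use and the path quoted, as in `GIT_CONFIG_VALUE_0='${hostWorkDir}'`. The body of `runOrchestrator` starts and ends outside this hunk, so where these values originate and who owns `hostWorkDir` is inferred rather than visible here.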