Git-level worktree adoption bypasses cross-checkout guard and allows parallel collision

[halindrome]

Summary

Two related gaps exist in the worktree isolation layer that can cause workflows to operate in the wrong or shared directory:

1. Git-level adoption bypasses cross-checkout guard

WorktreeProvider.findExisting() (packages/isolation/src/providers/worktree.ts) checks the filesystem for an existing worktree at the computed path. Since two local clones of the same remote resolve to the same worktree base directory (~/.archon/workspaces/owner/repo/worktrees/), a worktree created from clone A is visible on disk when clone B checks. The DB-level guard added in #1186 prevents reuse via findActiveByWorkflow, but the git-level adoption in findExisting() runs independently during provider.create() and has no equivalent check.

2. Parallel workflows with the same identifier share a worktree without coordination

Two concurrent workflows with the same branch name (e.g., both using --branch fix/issue-123) compute identical worktree paths. The second workflow adopts the first's worktree via findExisting(). Both AI agents then operate in the same filesystem directory concurrently with no locking or coordination mechanism. This can cause:

• File write conflicts
• Partial/interleaved commits
• Unpredictable workflow outcomes

Steps to Reproduce

Cross-checkout adoption:

1. Clone the same repo to ~/project-a and ~/project-b
2. From ~/project-a: archon workflow run my-workflow --branch fix/shared "task"
3. From ~/project-b: archon workflow run my-workflow --branch fix/shared "task"
4. Step 3 bypasses the DB guard (fix: prevent worktree reuse across different local clones #1186) because provider.create() → findExisting() detects the worktree on disk and adopts it before the DB lookup path is reached

Parallel collision:

1. From the same directory, run two workflows simultaneously with the same --branch
2. Both resolve to the same worktree path; the second adopts the first's worktree
3. Both AI agents write to the same directory concurrently

Suggested Fix

For cross-checkout adoption: findExisting() should incorporate the source repo root into its path computation or existence check, similar to how #1186 guards the DB-level reuse path. One approach: include a hash of the source repo root in the worktree directory name.

For parallel collision: Consider advisory locking (e.g., a lockfile in the worktree directory) or refusing to adopt an environment that is currently in use by another active workflow run.

Related

• Worktree reuse matches environments from different local clones of the same remote #1183 — original worktree reuse bug report
• fix: prevent worktree reuse across different local clones #1186 — DB-level reuse guard (merged)
• Worktrees created from monorepos do not initialize git submodules #1187 — submodule initialization gap

🤖 Generated with Claude Code

[Wirasm]

Cross-reference: Combined investigation with #1193

I investigated this alongside #1193 (prompt-level branch bypass in archon-implement). The two bugs compound:

1. Git-level worktree adoption bypasses cross-checkout guard and allows parallel collision #1188 (this issue): findExisting() adopts worktrees across clones; createNewBranch() silently checks out stale branches
2. bug(implement): archon-implement reuses pre-existing branch from unrelated task, implementing wrong fix #1193: archon-implement prompt tells the AI "on feature branch → use it" with no guard

See the full investigation on #1193 for the combined root cause analysis and implementation plan.

Code fixes for this issue (Steps 2-3 of the plan):

• findExisting(): Read worktree .git file to verify parent repo matches request.canonicalRepoPath before adopting
• createNewBranch(): When branch already exists, git branch -f branchName startPoint before checkout to reset stale refs

Both are in packages/isolation/src/providers/worktree.ts.

[Wirasm]

Closing as fixed by #1198 (merged).

This issue nailed the exact code paths — WorktreeProvider.findExisting() at the git layer and the parallel-collision vector through createNewBranch()'s "already exists" fallback. Both are addressed in #1198.

What changed

1. findExisting() cross-checkout guard

Added a live ownership check: before adopting any existing worktree at the computed path, read the worktree's .git file and verify its parent repo matches request.canonicalRepoPath. On mismatch (or any unverifiable state — permission denied, EISDIR, malformed pointer, submodule pointer), throw instead of returning null. A permissive fallback would have re-introduced the exact bug being fixed.

Errors are classified (classifyIsolationError) so users see:

Error: A worktree at the target path was created by a different local clone. Remove it from that clone, or register this codebase from the same local path.

2. createNewBranch() stale branch reset

When git worktree add -b branchName startPoint fails with "already exists", the fallback now does git branch -f branchName startPoint before git worktree add — resetting orphaned branch refs to the intended base instead of inheriting stale commits.

On the parallel-collision vector

Your analysis was right that two concurrent workflows with the same branch name still compute the same worktree path. Under #1198 the second workflow now:

1. Hits findExisting() → sees the first workflow's worktree at the path
2. Reads .git → parent repo matches (same clone) → adopts

So adoption still happens for same-clone concurrent runs. We debated advisory locking and decided against it for now — the stale-branch-reset + hard cross-checkout throw prevents the worst outcomes (silent data corruption across clones, stale commits leaking in), while concurrent same-branch runs are a user-controllable scenario (use distinct --branch names).

If you hit real issues with concurrent same-branch runs in practice, happy to revisit with a lockfile approach in a follow-up.

Related

As you noted in #1192, a fix to the codebase identity model would eliminate this bug class entirely (distinct codebase_id per clone → distinct worktree namespaces → no collision possible). That architectural fix is tracked in #1192.

Thanks for the clean repro steps and the precise file:line references — made this a much easier fix to land correctly.