Skip to content

Add git worktree management slash commands#120

Merged
igerber merged 3 commits intomainfrom
feature/worktree-commands
Feb 1, 2026
Merged

Add git worktree management slash commands#120
igerber merged 3 commits intomainfrom
feature/worktree-commands

Conversation

@igerber
Copy link
Copy Markdown
Owner

@igerber igerber commented Feb 1, 2026

Summary

  • Add /worktree-new <name> [base-branch] command to create isolated worktrees with full dev environment (venv, deps, Rust backend)
  • Add /worktree-rm <name> command to safely remove worktrees with uncommitted-change checks and branch cleanup
  • Add /worktree-ls command to list all active worktrees with status info

All commands resolve paths dynamically from the main worktree root, making them safe to run from any worktree. Input validation prevents shell metacharacters in names.

Methodology references (required if estimator / math changes)

  • N/A — no methodology changes

Validation

  • Tests added/updated: N/A — command definition files only (.claude/commands/*.md), no Python code changes
  • Backtest / simulation / notebook evidence: N/A

Security / privacy

  • Confirm no secrets/PII in this PR: Yes

Generated with Claude Code

@igerber @claude
Add git worktree management slash commands
6cb81bb 
Add /worktree-new, /worktree-rm, and /worktree-ls commands for managing
parallel development worktrees directly from Claude Code sessions. Each
command resolves paths dynamically from the main worktree root, validates
input, and handles edge cases (existing branches, uncommitted changes).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 1, 2026

Overall assessment: ⚠️ Needs changes

Executive summary

  • P1 Security: base-ref is unvalidated/unquoted before being used in a shell command; this enables option/shell injection in /worktree-new.
  • P2 Code Quality: /worktree-ls relies on non‑porcelain output and unquoted paths, which breaks on spaces and is brittle to parse.
  • P2 Maintainability: /worktree-rm deletes branches without -- while allowing names that can be parsed as options; this can fail or behave unexpectedly.
  • No estimator/methodology changes detected; Methodology Registry cross‑check not applicable.

Methodology

  • No findings — this PR only adds .claude/commands/*.md command definitions and does not change estimators, assumptions, or inference.

Code Quality

  • P2 — Worktree listing uses git worktree list (non‑porcelain) and git -C <path> without quoting, which breaks when worktree paths contain spaces and makes parsing ambiguous. Impact: /worktree-ls can misreport status or error in common directory layouts. Fix: switch to git worktree list --porcelain, parse worktree/branch/HEAD lines, and quote paths in status calls. Location: .claude/commands/worktree-ls.md:L12-L22.

Performance

  • No findings.

Maintainability

  • P2 — Branch deletion uses git branch -d "$BRANCH" while the allowed name pattern permits leading -, which can be interpreted as an option. Impact: deletion can fail or behave inconsistently when branch names begin with - (allowed by current validation). Fix: either disallow leading - in the name validation or use git branch -d -- "$BRANCH". Location: .claude/commands/worktree-rm.md:L20-L87.
  • P3 — The “branch already exists” path asks the user what to do but doesn’t specify the follow‑up command for the “use existing branch” choice. Impact: inconsistent behavior across runs or ad‑hoc decisions by the agent. Fix: explicitly document the command, e.g. git worktree add "$WORKTREE_PATH" <name>, and clarify how it differs from base-ref. Location: .claude/commands/worktree-new.md:L51-L63.

Tech Debt

  • No findings.

Security

  • P1 — base-ref is unvalidated and inserted into a shell command without quoting. Impact: a crafted base-ref can inject options or shell metacharacters, leading to unintended execution or command failure. Fix: validate base-ref (e.g., git rev-parse --verify --quiet -- "$base_ref"), and always pass with quotes and -- to end option parsing (e.g., git worktree add -- "$WORKTREE_PATH" "$base_ref"). Location: .claude/commands/worktree-new.md:L14-L63.

Documentation/Tests

  • No findings.

@igerber @claude
Address PR #120 review: harden worktree commands against injection an…
e72c7aa 
…d brittle parsing

- Validate base-ref input (character allowlist + git rev-parse --verify) before shell use
- Disallow leading-dash names in worktree-new and worktree-rm to prevent option injection
- Add -- separators to git worktree add and git branch -d commands
- Switch worktree-ls to --porcelain output for reliable parsing (handles spaces in paths)
- Specify exact git command for "use existing branch" path in worktree-new

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@igerber
Copy link
Copy Markdown
Owner Author

igerber commented Feb 1, 2026

/ai-review

@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 1, 2026

🔁 AI review rerun (requested by @igerber)

Head SHA: e72c7aa7f2ffbbcb30b2b2d4764514e675c7f6fc

Overall assessment

⚠️ Needs changes

Executive summary

  • P1: /worktree-new with a base-ref checks out that ref directly; this fails if it’s an already‑checked‑out branch (e.g., main) and leaves detached HEAD for remote refs/tags. Fix by creating a new branch off base-ref. (.claude/commands/worktree-new.md:L77-L83)
  • P2: “Use existing branch” path doesn’t guard against branches already checked out in another worktree; the command will error without a clear, user‑friendly message. (.claude/commands/worktree-new.md:L66-L73)
  • P3: No estimator/math/default‑behavior changes; methodology registry cross‑check not applicable.
  • P3: No tests/docs updates; acceptable for command‑definition files but note lack of validation.

Methodology

  • P3 (info) Impact: No estimator/identification/variance/default‑behavior changes in this diff; registry/docstring cross‑check not required. Fix: None.

Code Quality

  • P1 Impact: git worktree add -- "$WORKTREE_PATH" "$BASE_REF" checks out the base ref directly. If $BASE_REF is a local branch already checked out (e.g., main), the command fails; if it’s a remote branch/tag/commit, the new worktree is detached. This breaks common usage /worktree-new <name> main. Fix: create a new branch off the base ref instead, e.g. git worktree add -b "<name>" -- "$WORKTREE_PATH" "$BASE_REF" (or detect branch‑already‑checked‑out and prompt). (.claude/commands/worktree-new.md:L77-L83)
  • P2 Impact: The “existing branch” flow assumes git worktree add will succeed, but if that branch is already checked out in another worktree, it fails with a Git error and no guidance. Fix: detect this via git worktree list --porcelain and emit a clear error or prompt for a new branch name. (.claude/commands/worktree-new.md:L66-L73)

Performance

  • P3 (info) Impact: No performance‑sensitive changes; command docs only. Fix: None.

Maintainability

  • P3 (info) Impact: No maintainability issues found in these command docs. Fix: None.

Tech Debt

  • P3 (info) Impact: No new tech debt identified. Fix: None.

Security

  • P3 (info) Impact: Input validation appears to block shell metacharacters; no security issues found. Fix: None.

Documentation/Tests

  • P3 (info) Impact: No tests or docs updates; acceptable for .claude/commands additions but leaves behavior unverified. Fix: Optional—add a brief note on expected behavior for base-ref handling after fix.

@igerber @claude
Fix worktree-new: always create branch from base-ref and guard agains…
fdf44d0 
…t checked-out branches

- Step 4: Use `git worktree add -b` when base-ref is provided so the
  command creates a new branch instead of checking out the ref directly.
  This avoids detached HEAD for tags/remote refs and failures when the
  ref is already checked out elsewhere.
- Step 3: Before offering to reuse an existing branch, check
  `git worktree list --porcelain` to detect if the branch is already
  checked out in another worktree and abort with a clear message.
- Step 1: Update base-ref description to say "branch from" instead of
  "check out".

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@igerber
Copy link
Copy Markdown
Owner Author

igerber commented Feb 1, 2026

/ai-review

@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 1, 2026

🔁 AI review rerun (requested by @igerber)

Head SHA: fdf44d07989788bfd789ec86dafd1af073b3fe29

Overall assessment: ✅ Looks good

Executive summary:

  • No estimator/math/SE/identification changes; Methodology Registry impact is none.
  • Changes are limited to new .claude/commands docs for worktree management; no library code touched.
  • Input validation and path quoting are consistently emphasized, reducing shell‑injection risk.
  • Minor maintainability nit: duplicate validation rules across commands (see Maintainability).

Methodology

  • No findings. No estimator, weighting, variance/SE, or identification logic changes in the diff.

Code Quality

  • No findings.

Performance

  • No findings.

Maintainability

  • P3 — Duplicate validation rules in .claude/commands/worktree-new.md:L25-L33 and .claude/commands/worktree-rm.md:L20-L25. Impact: if allowed characters change, docs can drift and instruct inconsistent behavior. Concrete fix: factor the validation regex into a shared snippet/template or reference a single canonical pattern in both files.

Tech Debt

  • No findings.

Security

  • No findings.

Documentation/Tests

  • No findings (docs-only command definitions; no tests expected).

@igerber igerber merged commit 21ca9eb into main Feb 1, 2026
@igerber igerber deleted the feature/worktree-commands branch February 1, 2026 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@igerber