diff --git a/tasks/pi/_docker_flags b/tasks/pi/_docker_flags
index 78055a3..cdbbdf3 100644
--- a/tasks/pi/_docker_flags
+++ b/tasks/pi/_docker_flags
@@ -135,3 +135,28 @@ if [[ -n "${PI_SSH_AGENT:-}" ]]; then
     echo "warning: PI_SSH_AGENT=1 but SSH_AUTH_SOCK is not set or is not a socket — SSH agent forwarding disabled" >&2
   fi
 fi
+
+# PI_PARENT_GIT_MOUNT=1: mount the repo's common .git dir when pi is launched
+# from a subdirectory or a separate worktree. Sets GIT_DIR and GIT_WORK_TREE
+# inside the container so git commands work correctly. The .git dir is always
+# mounted read-only. If you need the agent to commit, it should do so through
+# the working-tree path.
+if [[ -n "${PI_PARENT_GIT_MOUNT:-}" ]]; then
+  _pi_git_common_dir="$(git rev-parse --path-format=absolute --git-common-dir 2>/dev/null || true)"
+  _pi_git_work_tree="$(git rev-parse --show-toplevel 2>/dev/null || true)"
+  if [[ -n "${_pi_git_common_dir}" ]]; then
+    DOCKER_FLAGS+=(
+      "--volume" "${_pi_git_common_dir}:/git-data${_PI_WORKDIR_RO:+:ro}"  # :ro set by pi:readonly
+      "--env" "GIT_DIR=/git-data"
+    )
+    # Mount the worktree root read-only only when it isn't already covered by
+    # the primary $(pwd):$(pwd) mount — i.e. launching from a subdirectory or
+    # a linked worktree whose root differs from the working directory.
+    if [[ "$(pwd -P)" != "${_pi_git_work_tree}" ]]; then
+      DOCKER_FLAGS+=(
+        "--volume" "${_pi_git_work_tree}:${_pi_git_work_tree}:ro"
+        "--env" "GIT_WORK_TREE=${_pi_git_work_tree}"
+      )
+    fi
+  fi
+fi