Problem
Go's go build VCS stamping fails with error obtaining VCS status: exit status 128 inside clawker containers when using worktrees. The root cause is Git's ownership protection (safe.directory) — the worktree path is owned by claude but lives under /Users/<host-user>/..., and Go's internal git subprocess doesn't inherit any safe.directory config.
Interactive git commands work fine (clawker's shell setup handles it), but go build spawns git fresh and hits the ownership check.
Reproduction
clawker run with a Go project
go build ./... → error obtaining VCS status: exit status 128
go build -buildvcs=false ./... → works (but loses VCS stamping)
Current workaround
git config --global --add safe.directory <worktree-path>
git config --global --add safe.directory <parent-repo-path>
The problem with the workaround
Worktrees are ephemeral. Each clawker run or worktree creation adds a new path. Since safe.directory entries persist in ~/.gitconfig (which lives on a named volume), they accumulate as stale entries over time.
Suggested fix
Clawker should manage safe.directory lifecycle for worktrees:
- On worktree creation: add the worktree path + parent repo path to safe.directory in the container's git config
- On worktree cleanup: remove the corresponding safe.directory entries
- Consider using safe.directory = * inside containers as a simpler alternative, since the container is already an isolation boundary and all paths within it are trusted
Option 3 is the simplest — a single wildcard entry avoids the accumulation problem entirely, and the container sandbox already provides the security boundary that safe.directory is meant to enforce.
Environment
- Go 1.26.2
- Git (with safe.directory enforcement, 2.35.2+)
- Clawker worktree at .clawkerlocal/.local/share/clawker/worktrees/
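
The add-on-create / remove-on-cleanup lifecycle from the suggested fix, sketched as shell helpers with a prune step for entries that are already stale. This is an added example, not clawker's code; the function names and the SAFE_DIR_CONFIG override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: safe.directory lifecycle helpers (hypothetical names).
# SAFE_DIR_CONFIG is an assumed override so the helpers can be tried on a
# scratch file; it defaults to the global config the issue describes.
safe_dir_cfg() { printf '%s\n' "${SAFE_DIR_CONFIG:-$HOME/.gitconfig}"; }

# List current entries, one per line (empty output if none are set).
safe_dir_list() {
    git config --file "$(safe_dir_cfg)" --get-all safe.directory 2>/dev/null || true
}

# Add a path only if it is not already listed, so repeated runs stay idempotent.
safe_dir_add() {
    if safe_dir_list | grep -Fxq -- "$1"; then
        return 0
    fi
    git config --file "$(safe_dir_cfg)" --add safe.directory "$1"
}

# Remove exactly this path. --fixed-value (Git 2.30+) stops characters such as
# "." or "+" in the path from being read as a regular expression.
safe_dir_remove() {
    git config --file "$(safe_dir_cfg)" --fixed-value \
        --unset-all safe.directory "$1" 2>/dev/null || true
}

# Drop entries whose directory no longer exists; leave a "*" wildcard alone.
# Prints each removed path so the caller can log it.
safe_dir_prune() {
    entries=$(safe_dir_list)
    printf '%s\n' "$entries" | while IFS= read -r entry; do
        if [ -z "$entry" ] || [ "$entry" = "*" ] || [ -d "$entry" ]; then
            continue
        fi
        safe_dir_remove "$entry"
        printf '%s\n' "$entry"
    done
}
```

Calling safe_dir_add for the worktree and parent repo on creation, safe_dir_remove on cleanup, and safe_dir_prune at container start covers worktrees that were deleted without a cleanup hook running.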