fix(export): scrub git hook env and skip cross-worktree git-add (GH#3311) (gastownhall#3347)

When export.git-add=true (the v1.0.1+ default), the pre-commit hook in
a worktree stages a spurious issues.jsonl at the repo root instead of
(or in addition to) .beads/issues.jsonl. The ghost file lands in the
commit's diff but not on disk — easy to miss and painful to clean up.

Root cause (not what the issue body guessed): the absolute path passed
to `git add` was always correct. The bug is env inheritance. Git
invokes the pre-commit hook with GIT_DIR/GIT_WORK_TREE/GIT_INDEX_FILE/
GIT_COMMON_DIR/GIT_PREFIX set in the environment, and bd's git-add
subprocesses inherit them.

Both call sites set `cmd.Dir = filepath.Dir(fullPath)` (= `.beads/`).
With GIT_DIR set in the environment and GIT_WORK_TREE unset, git
defaults the work-tree to cwd. So the subprocess's git sees `.beads/`
as the work-tree root and records `.beads/issues.jsonl` at the root of
that broken view — which ends up in the worktree's actual index as a
bare `issues.jsonl`. Verified empirically: with GIT_DIR set and
cwd=`.beads/`, `git rev-parse --show-toplevel` returns the `.beads/`
directory itself.

Fix, in two parts:

 1. scrubGitHookEnv() strips the vars that poison repo/worktree
    auto-discovery, index routing, object routing, and config
    injection:
      - discovery: GIT_DIR, GIT_WORK_TREE, GIT_COMMON_DIR, GIT_PREFIX,
        GIT_CEILING_DIRECTORIES, GIT_DISCOVERY_ACROSS_FILESYSTEM
      - index: GIT_INDEX_FILE
      - objects: GIT_OBJECT_DIRECTORY, GIT_ALTERNATE_OBJECT_DIRECTORIES
      - config: the whole GIT_CONFIG* family (covers the case where the
        parent invoked `git -c core.worktree=… commit`, which sets
        GIT_CONFIG_PARAMETERS / GIT_CONFIG_COUNT in the child env)
    With these cleared, git rediscovers the repo/worktree from cwd.

 2. hookWorkTreeRoot() reads the inherited GIT_DIR to determine the
    worktree whose hook is currently firing. If the target path is
    outside that worktree, gitAddFile returns without staging. This
    prevents a narrower but real regression that would otherwise land
    after part 1 alone: in the .beads/redirect configuration, fullPath
    points into the main repo (not the worktree), and post-scrub git
    would silently stage the file into main's index from a worktree
    hook. The existing preCommitHookBody template (init_git_hooks.go)
    documents the same intent: "For worktrees: .beads is in the main
    repo's working tree... we skip it."

The guard uses pathInsideDir which handles the macOS symlinked-parent
case: on /tmp → /private/tmp, a fresh-file target expressed as
/tmp/.../new.txt compared against a worktree root resolved to
/private/tmp/... would otherwise misclassify as outside the worktree.
pathInsideDir resolves the parent of each side via EvalSymlinks and
reattaches the basename — sufficient for the real caller shapes, since
gitAddFile's parent directory (beadsDir or the export output dir)
always exists at call time.

Also fixes the variant reported in a follow-up comment where the
.beads/redirect workaround did not resolve the root ghost: the env
pollution broke git-add inside the `bd export -o` subprocess spawned
from exportJSONLForCommit (that subprocess has BD_GIT_HOOK stripped,
but git env vars preserved, so its PostRun auto-export hits the same
bug via the shared gitAddFile).

Deduplicates the parallel git-add invocation in exportJSONLForCommit
by delegating to gitAddFile, so both call sites share the env scrub
and the cross-worktree guard.

Adds:
 - TestGitAddFile_InWorktreeHook_StagesCorrectPath — end-to-end
   worktree regression test; fails on main, passes with the fix.
 - TestGitAddFile_RedirectCase_DoesNotStageInMainRepo — verifies
   the cross-worktree skip does not pollute main's index when a
   worktree has .beads/redirect pointing into main.
 - TestGitAddFile_NonHookContext_GuardDoesNotFire — regression guard
   confirming the cross-worktree skip is a no-op outside git hooks.
 - TestScrubGitHookEnv — unit test for the env scrub helper, covering
   the discovery/index/object vars and the GIT_CONFIG* family, and
   verifying non-discovery vars (author/committer/editor/pager) pass
   through untouched.
 - TestPathInsideDir — covers structural cases plus the macOS
   fresh-file + symlinked-parent regression.
 - TestHookWorkTreeRoot — covers linked-worktree gitdir file,
   plain-repo .git, bare/unrecognized, and not-a-hook contexts.

Workaround for users on older releases remains `BD_EXPORT_GIT_ADD=false`.

Closes GH#3311

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mpercy

cmd/bd/export_auto.go

@@ -272,9 +272,137 @@ func saveExportAutoState(beadsDir string, state *exportAutoState) {
 	}
 }
 
-// gitAddFile stages a file in the enclosing git repo.
+// gitAddFile stages a file in the enclosing git repo. When called from
+// inside a git hook, it scrubs inherited GIT_* env vars (so git
+// rediscovers the repo from cwd rather than treating cmd.Dir as the
+// worktree root) and skips staging when the target is outside the hook's
+// worktree (the .beads/redirect case, where staging would pollute the
+// main repo's index). See GH#3311, scrubGitHookEnv, hookWorkTreeRoot.
 func gitAddFile(path string) error {
+	if wt := hookWorkTreeRoot(); wt != "" && !pathInsideDir(path, wt) {
+		// Running inside a hook AND target is outside the hook's worktree.
+		// Staging here would pollute a different repo's index; skip.
+		return nil
+	}
 	cmd := exec.Command("git", "add", path)
 	cmd.Dir = filepath.Dir(path)
+	cmd.Env = scrubGitHookEnv(os.Environ())
 	return cmd.Run()
 }
+
+// scrubGitHookEnv returns env with the GIT_* variables that can poison
+// git's repo/worktree auto-discovery or object-store resolution removed,
+// so git falls back to auto-discovery from cwd. The scrub is
+// unconditional: if a user has intentionally exported any of these vars
+// for scripting purposes, they will be stripped from the git-add child
+// process. That is the correct trade-off here; we never want beads'
+// auto-stage to honor a GIT_DIR pointing at an unrelated repo.
+//
+// Covered vars:
+//   - Repo/worktree discovery: GIT_DIR, GIT_WORK_TREE, GIT_COMMON_DIR,
+//     GIT_PREFIX, GIT_CEILING_DIRECTORIES, GIT_DISCOVERY_ACROSS_FILESYSTEM
+//   - Index routing: GIT_INDEX_FILE
+//   - Object routing: GIT_OBJECT_DIRECTORY, GIT_ALTERNATE_OBJECT_DIRECTORIES
+//   - Config injection (any GIT_CONFIG* — e.g. GIT_CONFIG_PARAMETERS set
+//     when the parent ran `git -c core.worktree=… commit`): the whole
+//     GIT_CONFIG namespace, which includes _COUNT, _KEY_n, _VALUE_n,
+//     _GLOBAL, _SYSTEM, _NOSYSTEM, and the legacy GIT_CONFIG itself.
+func scrubGitHookEnv(env []string) []string {
+	// The GIT_CONFIG prefix (no trailing "=") is intentional: it matches
+	// GIT_CONFIG=, GIT_CONFIG_COUNT=, GIT_CONFIG_KEY_n=, GIT_CONFIG_VALUE_n=,
+	// GIT_CONFIG_PARAMETERS=, GIT_CONFIG_GLOBAL=, GIT_CONFIG_SYSTEM=, and
+	// GIT_CONFIG_NOSYSTEM= — the whole family — in one entry. No standard
+	// git env var starts with GIT_CONFIG that we want to preserve.
+	prefixes := []string{
+		"GIT_DIR=",
+		"GIT_WORK_TREE=",
+		"GIT_INDEX_FILE=",
+		"GIT_COMMON_DIR=",
+		"GIT_PREFIX=",
+		"GIT_OBJECT_DIRECTORY=",
+		"GIT_ALTERNATE_OBJECT_DIRECTORIES=",
+		"GIT_CEILING_DIRECTORIES=",
+		"GIT_DISCOVERY_ACROSS_FILESYSTEM=",
+		"GIT_CONFIG",
+	}
+	out := make([]string, 0, len(env))
+	for _, e := range env {
+		skip := false
+		for _, p := range prefixes {
+			if strings.HasPrefix(e, p) {
+				skip = true
+				break
+			}
+		}
+		if !skip {
+			out = append(out, e)
+		}
+	}
+	return out
+}
+
+// hookWorkTreeRoot returns the root of the worktree whose git hook we
+// are running inside, based on the inherited GIT_DIR env var. Returns ""
+// when GIT_DIR is not set (the normal non-hook case) or cannot be
+// resolved to a work-tree.
+//
+// Resolution rules:
+//   - In a linked worktree, GIT_DIR points at main/.git/worktrees/<name>
+//     and that directory contains a "gitdir" file whose contents are the
+//     absolute path to the worktree's .git FILE. The worktree root is
+//     the parent of that .git file.
+//   - In a non-worktree, GIT_DIR is typically ".git" or "<repo>/.git";
+//     the worktree root is its parent.
+func hookWorkTreeRoot() string {
+	gitDir := os.Getenv("GIT_DIR")
+	if gitDir == "" {
+		return ""
+	}
+	var root string
+	if data, err := os.ReadFile(filepath.Join(gitDir, "gitdir")); err == nil {
+		if dotGit := strings.TrimSpace(string(data)); dotGit != "" {
+			root = filepath.Dir(dotGit)
+		}
+	}
+	if root == "" && filepath.Base(gitDir) == ".git" {
+		root = filepath.Dir(gitDir)
+	}
+	if root == "" {
+		return ""
+	}
+	abs, err := filepath.Abs(root)
+	if err != nil {
+		return ""
+	}
+	return abs
+}
+
+// pathInsideDir reports whether path is the same as dir or a descendant
+// of dir, after resolving symlinks on both sides. Returns false on any
+// resolution error (conservative: when in doubt, treat as outside).
+//
+// Resolves the PARENT of path rather than path itself, which handles the
+// common "target file does not yet exist" case: on macOS /tmp is a
+// symlink to /private/tmp, so asymmetric EvalSymlinks on a nonexistent
+// file vs its existing parent would otherwise produce a spurious false.
+// Callers (gitAddFile) always pass a path whose parent exists (either
+// beadsDir, which FindBeadsDir verified, or a directory just created by
+// the export write), so this single-level resolution is sufficient.
+func pathInsideDir(path, dir string) bool {
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return false
+	}
+	absDir, err := filepath.Abs(dir)
+	if err != nil {
+		return false
+	}
+	if r, err := filepath.EvalSymlinks(filepath.Dir(absPath)); err == nil {
+		absPath = filepath.Join(r, filepath.Base(absPath))
+	}
+	if r, err := filepath.EvalSymlinks(absDir); err == nil {
+		absDir = r
+	}
+	sep := string(filepath.Separator)
+	return absPath == absDir || strings.HasPrefix(absPath, absDir+sep)
+}