Fix git worktree object database in VM snapshots

[jhrozek]

Summary

When a workspace is a git worktree, the object database lives in the main repository's .git/objects/ — outside the workspace and not included in the snapshot. This causes git inside the VM to show "No commits yet" with all files appearing untracked.

Fixes #49

Approach

Mount the main repo's .git/objects/ as a read-only virtiofs share and reconstruct a proper .git/ directory in the snapshot that references it via objects/info/alternates.

Domain layer

• Extend SnapshotPostProcessor to return PostProcessResult with optional mount requests and diff-exclude patterns
• Add ExtraMounts field to VMConfig

Infrastructure

• Add WorktreeProcessor that detects worktrees, reconstructs .git/ in the snapshot with objects/info/alternates pointing to the guest mount, and returns mount + exclude requests
• Add InjectMountConfig rootfs hook writing /etc/broodbox-mounts.json
• Wire extra virtiofs mounts in VM runner

Guest

• Add mountExtras in bbox-init reading the mount config and mounting additional virtiofs shares between boot and seccomp hardening

Application

• Collect post-processor results in sandbox orchestrator, wire mounts into VMConfig, compose diff matcher with extra excludes

Security hardening

• Path traversal prevention: Validates gitdir path contains /.git/worktrees/ before proceeding; rejects symlinks via os.Lstat in file copy
• Defense-in-depth: Verifies resolved git directory contains HEAD before treating it as a git repo
• Config sanitization: Credentials stripped from .git/config via existing SanitizeConfig()
• Host path not exposed: Guest mount config JSON excludes HostPath — guest only sees tag, mount point, and read-only flag

Trade-off

Agent file changes persist through normal flush+review but git commits do not persist (the reconstructed .git is excluded from diff). This avoids the complexity of mapping reconstructed git state back to the original worktree structure.

Known limitation: Host-side virtiofs mount has no read-only enforcement (go-microvm's VirtioFSMount lacks a ReadOnly field). Read-only is enforced guest-side via MS_RDONLY + seccomp blocking mount/umount syscalls.

Test plan

• TestWorktreeProcessor_ExternalWorktree — full reconstruction verified
• TestWorktreeProcessor_DetachedHEAD — raw SHA HEAD preserved
• TestWorktreeProcessor_CraftedGitdir — path traversal rejected
• TestWorktreeProcessor_SymlinkInGitdir — symlink not followed
• TestWorktreeProcessor_ConfigIsSanitized — credentials stripped
• TestWorktreeProcessor_NotAWorktree / NoGitEntry / MalformedGitFile / MissingObjects — graceful no-ops
• TestComposeMatcher — prefix matching verified, no false positives on .github/.gitignore
• task lint — 0 issues
• Manual: bbox claude-code in a git worktree → git log shows history

🤖 Generated with Claude Code

[jhrozek]

Draft,because I haven't had time to test this properly but this is what I used to run bbox in worktrees

[jhrozek]

no longe a draft