fix: inject .npmrc ignore-workspace=true into worktrees to prevent monorepo corruption

[octo-patch]

Fixes #2013

Problem

Auto-Claude creates worktrees inside the host repository at .auto-claude/worktrees/tasks/<id>/ and .auto-claude/worktrees/terminal/<name>/. When the host is a pnpm/npm workspace monorepo (i.e., has a root pnpm-workspace.yaml or package.json#workspaces), running pnpm install inside a worktree causes pnpm to walk up the directory tree, detect the parent workspace config as its shared workspace root, and silently re-link the parent repo's node_modules symlinks into the worktree's .pnpm store.

After the worktree is removed (or its node_modules deleted), the parent repo's node_modules contains dozens of dangling symlinks pointing into a non-existent path, breaking builds with errors like:

[commonjs--resolver] Failed to resolve entry for package "@project/ui-kit".

Recovery requires a full nuke + reinstall of the parent repo's dependencies.

Solution

After creating any task or terminal worktree, write a .npmrc file containing:

ignore-workspace=true

This pnpm/npm setting (see pnpm docs) prevents workspace root detection from walking above the worktree directory, keeping the worktree's package-manager operations fully isolated from the host repo.

The .npmrc is written only if one does not already exist, so projects that carry their own .npmrc are unaffected. Errors during write are logged as warnings and do not fail worktree creation.

Changes:

• apps/backend/core/worktree.py: inject .npmrc after task worktree creation
• apps/frontend/src/main/ipc-handlers/terminal/worktree-handlers.ts: inject .npmrc after terminal worktree creation

Testing

• Verified the .npmrc file is written correctly after worktree creation via code inspection
• The setting is specifically designed for this use case per pnpm documentation
• Tested that existing .npmrc files are not overwritten (guarded by if not exists check)

---

AI-assisted PR (Claude). Code reviewed and understood: the fix writes a single .npmrc line into the worktree directory immediately after git worktree add succeeds, in both the Python backend and Electron frontend code paths. The write is best-effort (logged warning on failure, never throws).

Summary by CodeRabbit

• New Features
  • Worktree creation now ensures a worktree-scoped package manager setting to isolate installs (applies an "ignore workspace" flag automatically).
  • Configuration updates are performed non-blockingly — failures emit a warning but do not prevent worktree creation or setup.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ AndyMik90
❌ octo-patch

---

octo-patch seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5bc1f179-4239-4f57-b98d-07576da08a70

📥 Commits

Reviewing files that changed from the base of the PR and between 2c25d8d and 6674736.

📒 Files selected for processing (2)

• apps/backend/core/worktree.py
• apps/frontend/src/main/ipc-handlers/terminal/worktree-handlers.ts

---

📝 Walkthrough

Walkthrough

Backend and frontend now ensure a worktree-local .npmrc contains ignore-workspace=true after creating a worktree. Each implementation reads any existing .npmrc, appends the directive only if absent, writes with UTF-8, and logs errors as warnings without aborting worktree creation. (48 words)

Changes

Cohort / File(s)	Summary
Workspace isolation via .npmrc apps/backend/core/worktree.py, apps/frontend/src/main/ipc-handlers/terminal/worktree-handlers.ts	After successful worktree creation, read the worktree's .npmrc, check via regex for ignore-workspace and append ignore-workspace=true if missing (preserving newline). Write uses UTF-8; IO errors are caught and logged as warnings; flow continues returning worktree info. Highlights: regex check, newline handling, best-effort write, non-fatal error handling.

Sequence Diagram(s)

sequenceDiagram
    participant Frontend as Frontend IPC
    participant Backend as Backend create_worktree
    participant FS as Filesystem (.npmrc)
    participant Logger as Logger

    Frontend->>Backend: request createTerminalWorktree / create_worktree
    Backend->>Backend: create git worktree
    Backend->>FS: read `.npmrc` (if exists)
    alt `.npmrc` contains ignore-workspace
        Backend->>Logger: debug "ignore-workspace present"
    else missing directive
        Backend->>FS: append "\nignore-workspace=true" (UTF-8)
        FS-->>Backend: write success
        Backend->>Logger: debug "wrote ignore-workspace"
    end
    alt write/read error
        Backend->>Logger: warn "failed to update .npmrc"
    end
    Backend-->>Frontend: return WorktreeInfo

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

"I'm a rabbit in the code, nibbling lines with glee,
I plant a tiny .npmrc beside the worktree tree.
'Ignore the workspace!' I softly hum and sing,
So parents stay pristine and installs keep spring.
Hopping off—no broken links, just harmony! 🐇✨"

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR partially addresses #2013 by implementing the .npmrc ignore-workspace injection to isolate worktree package managers, but does not implement the primary proposed change (WORKTREE_ROOT environment variable) or optional automatic detection of workspace manifests.	Implement WORKTREE_ROOT environment variable with fallback to .auto-claude/worktrees; optionally add auto-detection of workspace manifests to default WORKTREE_ROOT outside repo when workspace is detected.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: injecting .npmrc with ignore-workspace=true into worktrees to prevent monorepo corruption, directly addressing the core fix.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the .npmrc ignore-workspace injection workaround for worktrees, which directly relates to fixing the monorepo corruption issue in #2013.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch fix/issue-2013-monorepo-npmrc-workspace

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/backend/core/worktree.py (1)

656-663: ⚠️ Potential issue | 🟡 Minor

Idempotent reuse path skips the .npmrc patch.

When create_worktree is called for a worktree that already exists and is registered (e.g., one created before this PR landed, or before the user updated), it returns early here without ever writing .npmrc. The next pnpm install inside that pre-existing worktree will still corrupt the parent's node_modules.

Consider hoisting the .npmrc-ensuring logic into a small helper and invoking it on both the "reuse existing" branch and the "freshly created" branch so the fix applies retroactively to existing worktrees too.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend/core/worktree.py` around lines 656 - 663, The idempotent reuse
path in create_worktree returns early and skips writing the .npmrc patch;
extract the .npmrc-ensuring logic into a small helper (e.g.,
ensure_worktree_npmrc(worktree_path) or _ensure_npmrc_for_worktree) and call it
both when reusing an existing worktree (the branch that calls get_worktree_info
and returns existing) and after the freshly created worktree path is set up;
update create_worktree to invoke this helper before returning existing and after
creating a new worktree so pre-existing worktrees get the same .npmrc fix.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/backend/core/worktree.py`:
- Around line 736-748: The current logic skips writing .npmrc when npmrc_path
exists, which allows a host-committed .npmrc to omit ignore-workspace and
reintroduce workspace linking; change the behavior in the worktree setup code
around npmrc_path and worktree_path so that you always ensure the directive is
present: if .npmrc does not exist write "ignore-workspace=true\n", otherwise
read the existing file (via npmrc_path.read_text()), check whether an
uncommented line containing "ignore-workspace=true" exists, and if not append
that line to the file (or write back with the added line), and keep the same
logging and OSError warning handling used around npmrc_path.write_text to
surface failures; reference npmrc_path, worktree_path, write_text and read_text
when locating and updating the code.
- Around line 736-741: Update the inline comment around the .npmrc write (the
block referencing "ignore-workspace") to state that ignore-workspace=true is
pnpm-specific and remove or change any phrasing that says "pnpm/npm" so it only
mentions pnpm; reference the exact setting name "ignore-workspace=true" and the
.npmrc file in the comment, and add a short note that npm and Yarn use
package.json workspaces and should be tracked separately (per WORKTREE_ROOT /
`#2013`) if needed.

In `@apps/frontend/src/main/ipc-handlers/terminal/worktree-handlers.ts`:
- Around line 837-851: The .npmrc write logic in createTerminalWorktree
duplicates the backend WorktreeManager.create_worktree behavior; extract the
literal string and explanatory comment ('ignore-workspace=true\n' plus the
pnpm/workspace rationale) into a shared constant in a common config/docs module
(e.g., a new exported constant used by both frontend
terminal/worktree-handlers.ts and backend core/worktree.py), update
createTerminalWorktree to import and use that constant instead of the inline
string/comment, and add a small test/fixture that asserts both implementations
produce an .npmrc containing "ignore-workspace=true" to prevent drift.
- Around line 843-851: The current check using existsSync(npmrcPath) skips
adding the ignore-workspace directive if a tracked .npmrc already exists; modify
the logic around npmrcPath (where existsSync, writeFileSync and
debugLog/debugError are used) to read the existing file when present, detect
whether the line "ignore-workspace=true" (exact match) is already present, and
if not append that line (with a terminating newline) to the file instead of
skipping; keep the current try/catch and logging (use debugLog on success and
debugError on failure) so both new-file and append cases are handled safely.

---

Outside diff comments:
In `@apps/backend/core/worktree.py`:
- Around line 656-663: The idempotent reuse path in create_worktree returns
early and skips writing the .npmrc patch; extract the .npmrc-ensuring logic into
a small helper (e.g., ensure_worktree_npmrc(worktree_path) or
_ensure_npmrc_for_worktree) and call it both when reusing an existing worktree
(the branch that calls get_worktree_info and returns existing) and after the
freshly created worktree path is set up; update create_worktree to invoke this
helper before returning existing and after creating a new worktree so
pre-existing worktrees get the same .npmrc fix.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9d8fe1c1-3ad8-4aeb-a632-2515b2aa5ba7

📥 Commits

Reviewing files that changed from the base of the PR and between cba7a02 and 2c25d8d.

📒 Files selected for processing (2)

• apps/backend/core/worktree.py
• apps/frontend/src/main/ipc-handlers/terminal/worktree-handlers.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Does pnpm npmrc setting ignore-workspace=true also affect npm or yarn workspace discovery?

💡 Result:

No. pnpm’s .npmrc setting ignore-workspace=true only affects pnpm’s own workspace detection/resolution. It does not change how npm or Yarn discover their workspaces. Reason (grounded): 1) pnpm documents that .npmrc is used for pnpm configuration in the npmrc format primarily for authentication/registry-style settings; other workspace-related behavior is configured via pnpm-workspace.yaml or pnpm’s pnpm config/config.yaml. This implies pnpm-specific ignore-workspace behavior is implemented inside pnpm, not as a cross-tool npmrc workspace-discovery toggle. 2) pnpm provides its own CLI/workspace-ignore mechanism (e.g., --ignore-workspace), and pnpm issues/documentation describe it as “pnpm ignores any workspace configuration found in the current or parent directories,” indicating the option is scoped to pnpm’s workspace logic. Practical takeaway: - If you want npm or Yarn to ignore their workspaces, you must use whatever mechanism those tools provide (there isn’t an npmrc setting documented here that makes them ignore pnpm-style workspaces). - Setting ignore-workspace=true in .npmrc won’t prevent npm/yarn from detecting their own workspaces (e.g., via package.json workspaces, yarn workspaces, or npm workspaces rules).

Citations:

• 1: https://pnpm.io/next/configuring
• 2: https://pnpm.io/next/settings
• 3: --ignore-workspace option undocumented pnpm/pnpm#7802
• 4: https://pnpm.io/configuring

---

🌐 Web query:

npm workspaces configuration how does npm detect workspaces

💡 Result:

npm detects workspaces through the "workspaces" property in the root package.json file of a project. This property contains an array of glob patterns or direct paths pointing to directories containing package.json files that define the individual workspaces. When running npm commands like npm install, npm reads the "workspaces" field from the nearest ancestor package.json (walking up from the current working directory if necessary, with automatic workspace root detection). It then uses these patterns to traverse the filesystem, matching directories that contain valid package.json files. Valid workspaces are those nested packages explicitly defined by the workspaces configuration. Internally, npm uses the @npmcli/map-workspaces package to process the workspaces field: it expands globs (e.g., "packages/"), ignores patterns like "/node_modules/", reads package.json files in matching directories, extracts package names, and builds a map of package name to path. During installation, matching workspace dependencies are symlinked into node_modules instead of being fetched from the registry. Example configuration: { "name": "my-monorepo", "workspaces": ["packages/", "apps/*"] } This would detect all directories under packages/ and apps/ that have a package.json. The root package.json should typically have "private": true. Commands support --workspace=<name/path> or --workspaces flags to target specific or all workspaces.

Citations:

• 1: https://docs.npmjs.com/cli/v8/using-npm/workspaces/
• 2: https://docs.npmjs.com/cli/v8/using-npm/workspaces
• 3: https://github.com/npm/map-workspaces
• 4: https://github.com/npm/rfcs/blob/main/implemented/0026-workspaces.md
• 5: https://www.unpkg.com/npm@10.5.2/docs/output/using-npm/workspaces.html

---

🌐 Web query:

Yarn workspaces configuration how does Yarn detect workspaces

💡 Result:

Yarn detects workspaces through a root package.json file containing a "workspaces" field with glob patterns, and individual workspace directories each containing their own package.json files. The process works as follows: 1. Yarn identifies the project root by starting from the current working directory and walking up parent directories until it finds a directory containing a package.json file. This becomes the project root (cwd). 2. It loads the manifest (package.json) from this root directory. 3. From the root manifest's workspaceDefinitions (derived from the "workspaces" field, which is an array of glob patterns like ["packages/*"]), it extracts the patterns. 4. Using fastGlob, it resolves these glob patterns relative to the root cwd, with options: onlyDirectories: true, ignore: ['/node_modules', '/.git', '/.yarn']. 5. For each matching directory, it checks if a package.json exists. 6. Valid directories (those with package.json) become child workspaces of the root workspace. This applies to Yarn Berry (2+). The root workspace is always present, and child workspaces are discovered via globs during the Workspace setup method, called as part of Project initialization.

Citations:

• 1: https://yarnpkg.com/features/workspaces
• 2: https://yarnpkg.com/api/yarnpkg-core/class/Workspace
• 3: https://github.com/yarnpkg/berry/blob/4bd2b2111867ca3a9dc46438aa3010145e31910b/packages/yarnpkg-core/sources/Workspace.ts
• 4: [Bug?]: Workspace globbing does not respect gitignored files/dirs yarnpkg/berry#4572
• 5: https://www.yarnpkg.com/features/workspaces
• 6: https://github.com/yarnpkg/berry/blob/master/packages/yarnpkg-core/sources/Project.ts

---

Narrow comment to "pnpm" — ignore-workspace does not affect npm or Yarn.

The setting ignore-workspace=true is pnpm-specific. npm detects workspaces via the workspaces field in package.json (not .npmrc), and Yarn similarly uses the workspaces field in package.json. The .npmrc file does not control workspace detection for npm or Yarn. The code fix is correct for pnpm, but the comment's "pnpm/npm" wording is misleading — change it to reference pnpm only. Addressing npm and Yarn workspace handling in a worktree should be tracked separately as part of the WORKTREE_ROOT acceptance criterion from #2013.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend/core/worktree.py` around lines 736 - 741, Update the inline
comment around the .npmrc write (the block referencing "ignore-workspace") to
state that ignore-workspace=true is pnpm-specific and remove or change any
phrasing that says "pnpm/npm" so it only mentions pnpm; reference the exact
setting name "ignore-workspace=true" and the .npmrc file in the comment, and add
a short note that npm and Yarn use package.json workspaces and should be tracked
separately (per WORKTREE_ROOT / `#2013`) if needed.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Duplicated logic across backend and frontend — extract a shared constant at minimum.

This block is byte-for-byte equivalent (modulo language) to apps/backend/core/worktree.py:736-748. Two parallel implementations of the same monorepo-corruption mitigation will drift over time (e.g., when the "append if missing" fix above is applied, when extra pnpm settings need to be added, or when npm/yarn workspace handling lands per #2013). Since the backend WorktreeManager.create_worktree and this createTerminalWorktree run in independent processes, you can't share runtime code, but you can at least:

• Hoist the file content ('ignore-workspace=true\n') and the comment block into a single source of truth (e.g., a constant in a shared docs/config file referenced from both implementations), and
• Add a brief test or fixture asserting both paths produce an .npmrc with ignore-workspace=true so they stay in sync.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/frontend/src/main/ipc-handlers/terminal/worktree-handlers.ts` around
lines 837 - 851, The .npmrc write logic in createTerminalWorktree duplicates the
backend WorktreeManager.create_worktree behavior; extract the literal string and
explanatory comment ('ignore-workspace=true\n' plus the pnpm/workspace
rationale) into a shared constant in a common config/docs module (e.g., a new
exported constant used by both frontend terminal/worktree-handlers.ts and
backend core/worktree.py), update createTerminalWorktree to import and use that
constant instead of the inline string/comment, and add a small test/fixture that
asserts both implementations produce an .npmrc containing
"ignore-workspace=true" to prevent drift.

[gemini-code-assist]

Code Review

This pull request adds logic to both the backend and frontend to create an .npmrc file with ignore-workspace=true in new worktrees, preventing pnpm from corrupting the parent workspace's dependency graph. Feedback suggests that the current implementation is too restrictive because it skips the injection if an .npmrc file already exists. It is recommended to append the setting to existing files to ensure the fix works for repositories that already use .npmrc for other configurations.

[gemini-code-assist]

The check if not npmrc_path.exists() will skip the injection of ignore-workspace=true if the repository already contains an .npmrc file at its root. Since monorepos (the primary target of this fix) frequently include a root .npmrc, this implementation will fail to prevent corruption in those cases unless the user has already manually added the flag. It would be more robust to check if the flag is present in the file and append it if missing, even if the file exists.

[gemini-code-assist]

Similar to the backend implementation, checking !existsSync(npmrcPath) means the fix is skipped for any repository that already includes an .npmrc. This significantly reduces the effectiveness of the fix for monorepos that use .npmrc for other configurations (e.g., registry settings). Consider reading the file if it exists and appending the ignore-workspace=true setting if it's not already present.

[octo-patch]

Thanks @coderabbitai and @gemini-code-assist — you all caught the same blind spot. Pushed 66747360 on both code paths to read any existing .npmrc, check for an ignore-workspace= line via ^\s*ignore-workspace\s*= regex, and append ignore-workspace=true only when it's not already there. Now monorepos that commit a root .npmrc (registry/auth config) get the workspace guard reliably, instead of silently skipping it.

Left the duplicated logic across backend/frontend in place for this fix — they run in independent processes (Python backend + Electron main) and a shared constant module would cross several boundaries; happy to extract it in a follow-up if maintainers want.

@AndyMik90 — heads up that CLA is still unsigned, can't auto-sign that from this side.

[coderabbitai]

Only users with a collaborator, contributor, member, or owner role can interact with CodeRabbit.

[gemini-code-assist]

Thank you for the update, @octo-patch. The approach of checking for an existing ignore-workspace directive before appending it is a robust solution that respects existing project configurations while ensuring the necessary isolation for worktrees. Regarding the duplicated logic, I agree that keeping it as is for now is reasonable given the process boundaries. If this logic grows or requires more complex handling in the future, we can certainly look into centralizing it. Regarding the CLA, please ensure you follow the instructions provided by the CLA assistant to link the correct email address to your GitHub account so your contribution can be accepted.