docs: sync KB — backlog-triage-sandbox-fix.md

Cal Corum 2026-04-07 12:00:02 -05:00
parent 92c5ce0ebb
commit d3b9e43016


@ -0,0 +1,46 @@
---
title: "Backlog triage sandbox fix — repos.json outside working directory"
description: "Fix for backlog-triage scheduled task failing to read repos.json because the file was outside the claude -p sandbox (working_dir). Resolved by symlinking into the working directory."
type: troubleshooting
domain: scheduled-tasks
tags: [claude-code, backlog-triage, sandbox, runner, troubleshooting]
---
# Backlog Triage — repos.json Outside Sandbox
**Date**: 2026-04-07
## Problem
The `backlog-triage` scheduled task reported:
> `~/.config/claude-scheduled/repos.json` is outside the allowed session directories and couldn't be read.
The task fell back to querying all discoverable repos via Gitea instead of using the curated repo list.
## Root Cause
`claude -p` sandboxes file access to the **working directory** (`/mnt/NV2/Development/claude-home`). The `repos.json` file lives at `~/.config/claude-scheduled/repos.json` (`/home/cal/`), which is outside the sandbox.
The `--allowedTools "Read(~/.config/claude-scheduled/repos.json)"` flag controls **tool permissions** (which tools the session can call), not **filesystem access**. The sandbox boundary is set by the working directory, and `allowedTools` cannot override it.
## Fix
1. **Symlinked** `repos.json` into the working directory:
```bash
ln -sf /home/cal/.config/claude-scheduled/repos.json \
/mnt/NV2/Development/claude-home/.claude/repos.json
```
2. **Updated** `tasks/backlog-triage/prompt.md` to reference `.claude/repos.json` instead of the absolute home-dir path.
3. **Updated** `tasks/backlog-triage/settings.json` allowed_tools to `Read(.claude/repos.json)`.
## Key Lesson
For `runner.sh` template tasks, any file the task needs to read **must be inside the working directory** or reachable via a symlink within it. The `--allowedTools` flag is a permissions layer on top of the sandbox — it cannot grant access to paths outside the sandbox.
## Also Changed (same session)
- Removed `cognitive-memory` MCP from backlog-triage; replaced with `kb-search` (HTTP MCP at `10.10.0.226:8001/mcp`) for cross-referencing issue context against the knowledge base.
- Removed all `mcp__cognitive-memory__*` tools from allowed_tools; added `mcp__kb-search__search` and `mcp__kb-search__get_document`.
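Review bot: The Key Lesson's "or reachable via a symlink within it" needs a caveat. The symlink in the Fix section targets `/home/cal/.config/claude-scheduled/repos.json`, which the Root Cause section says is outside the sandbox, so the fix working implies the boundary is applied to the path under the working directory and not to the resolved target. Any symlink placed in `claude-home` therefore widens what a task can read. Suggest the doc say that only non-secret files should be linked this way and that the narrow `Read(.claude/repos.json)` entry in `settings.json` is what keeps the grant scoped to this one file. It should also state whether the symlink is tracked, git-ignored, or recreated by `runner.sh`, because `ln -sf` with an absolute `/home/cal` path will dangle on any other host or user. Minor point on "Also Changed": the `kb-search` endpoint is recorded as a hardcoded internal address with no note on transport or authentication; a reference to where that is configured would age better than the literal IP and port.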