)]}'
{
  "commit": "bf30aecb675c58f5ab7c3c6e66880868c79ab760",
  "tree": "b151ed19dd56c8be58ac934cb0b88df5dba589b5",
  "parents": [
    "1b569a837831da11870aa77475aa94238a85a88a"
  ],
  "author": {
    "name": "Jarek Potiuk",
    "email": "jarek@potiuk.com",
    "time": "Wed Apr 29 15:49:12 2026 +0200"
  },
  "committer": {
    "name": "Jarek Potiuk",
    "email": "jarek@potiuk.com",
    "time": "Wed Apr 29 15:49:12 2026 +0200"
  },
  "message": "fix(secure-agent-setup): allow gpg-agent socket + key paths in sandbox\n\nThe .claude/settings.json this PR ships denies all of ~/ from the\nBash sandbox, with only a tiny allowRead allowlist. That set\ncovers git/gh/uv but not commit signing — git users on Linux who\nsign commits via gpg-agent (either gpg-format or ssh-format with\nSSH_AUTH_SOCK pointing at gpg-agent\u0027s ssh-compat socket) hit:\n\n    error: Couldn\u0027t get agent socket?\n    fatal: failed to write commit object\n\non the first commit attempt inside the sandboxed session, because\n~/.gnupg/ and /run/user/\u003cUID\u003e/gnupg/ are both behind the denyRead.\n\nAdds two entries to sandbox.filesystem.allowRead:\n\n  ~/.gnupg/             # gpg keyring + trustdb\n  /run/user/*/gnupg/    # gpg-agent socket dir (the * is the UID)\n\nBoth are needed: the keyring so gpg can read the signing key\nmaterial, the runtime socket so gpg-agent / its ssh-compat s\ncan be reached. The * glob in the runtime path lets the same\nallowRead work for any UID — Claude Code\u0027s sandbox allowRead\nsupports glob wildcards.\n\nThe matching documentation block in secure-agent-setup.md is\nupdated to mirror the new entries with inline comments.\n\nGenerated-by: Claude Code (Claude Opus 4.7)\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "f72773771001e04678caa01581634e419e4269e2",
      "old_mode": 33188,
      "old_path": ".claude/settings.json",
      "new_id": "20c6f96827bb27618a69dfd591e7c550c832d019",
      "new_mode": 33188,
      "new_path": ".claude/settings.json"
    },
    {
      "type": "modify",
      "old_id": "ca2740c147e528188bba98d2b7b0b7372bd5d216",
      "old_mode": 33188,
      "old_path": "secure-agent-setup.md",
      "new_id": "e6f8db753d643bf4de0020c70a5e47ce845467ee",
      "new_mode": 33188,
      "new_path": "secure-agent-setup.md"
    }
  ]
}