fix: git worktree fallback in shared credential resolution

The MCP server and hooks resolve credentials via resolve_credentials(cwd)
which walks up from CWD. Codex worktrees (e.g., ~/.codex/worktrees/xyz/repo)
never reach the project's .cems/credentials. Added _resolve_main_worktree()
fallback to both shared/credentials.py and hooks/utils/credentials.py.

This is the same fix applied to the daemon's CredentialResolver in v0.11.4,
now applied to the shared module so ALL consumers benefit (MCP, hooks, CLI).

Author: Chocksy

hooks/utils/credentials.py

@@ -18,6 +18,7 @@
 from __future__ import annotations
 
 import os
+import subprocess
 from pathlib import Path
 
 _HOME = str(Path.home().resolve())  # Resolve symlinks for consistent walk-up comparison
@@ -72,10 +73,30 @@ def _find_project_credentials(cwd: str) -> str | None:
     return None
 
 
+def _resolve_main_worktree(cwd: str) -> str | None:
+    """If CWD is inside a git worktree, return the main worktree path."""
+    try:
+        result = subprocess.run(
+            ["git", "-C", cwd, "worktree", "list", "--porcelain"],
+            capture_output=True, text=True, timeout=3,
+        )
+        if result.returncode == 0:
+            for line in result.stdout.splitlines():
+                if line.startswith("worktree "):
+                    main_path = line[9:]
+                    if main_path != cwd:
+                        return main_path
+                    break
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+        pass
+    return None
+
+
 def resolve_credentials(cwd: str | None = None) -> dict[str, str]:
     """Resolve CEMS credentials with full precedence chain.
 
     1. Per-project .cems/credentials (walk up from CWD, stop before $HOME)
+    1b. If CWD is a git worktree, try the main worktree path
     2. Environment variables (both CEMS_API_URL and CEMS_API_KEY must be set)
     3. Global ~/.cems/credentials (fallback)
 
@@ -87,6 +108,13 @@ def resolve_credentials(cwd: str | None = None) -> dict[str, str]:
         if project_path:
             return _parse_credentials_file(project_path)
 
+        # 1b. Git worktree fallback (e.g., Codex worktrees)
+        main_wt = _resolve_main_worktree(cwd)
+        if main_wt:
+            project_path = _find_project_credentials(main_wt)
+            if project_path:
+                return _parse_credentials_file(project_path)
+
     # 2. Check env vars — require BOTH URL and key to be set.
     # Partial env (e.g., URL in env, key in file) is intentionally not supported
     # to avoid silently mixing credentials from different sources.

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "cems"
-version = "0.12.0"
+version = "0.12.1"
 description = "Continuous Evolving Memory System - Dual-layer memory with scheduled maintenance"
 readme = "README.md"
 requires-python = ">=3.11"

src/cems/shared/credentials.py

@@ -11,6 +11,7 @@
 from __future__ import annotations
 
 import os
+import subprocess
 from pathlib import Path
 
 _HOME = str(Path.home().resolve())  # Resolve symlinks for consistent walk-up comparison
@@ -59,10 +60,34 @@ def find_project_credentials(cwd: str) -> str | None:
     return None
 
 
+def _resolve_main_worktree(cwd: str) -> str | None:
+    """If CWD is inside a git worktree, return the main worktree path.
+
+    Handles Codex worktrees: CWD like ~/.codex/worktrees/e8c3/repo
+    maps back to the main clone (e.g., ~/Development/repo).
+    """
+    try:
+        result = subprocess.run(
+            ["git", "-C", cwd, "worktree", "list", "--porcelain"],
+            capture_output=True, text=True, timeout=3,
+        )
+        if result.returncode == 0:
+            for line in result.stdout.splitlines():
+                if line.startswith("worktree "):
+                    main_path = line[9:]
+                    if main_path != cwd:
+                        return main_path
+                    break
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+        pass
+    return None
+
+
 def resolve_credentials(cwd: str | None = None) -> dict[str, str]:
     """Resolve CEMS credentials with full precedence chain.
 
     1. Per-project .cems/credentials (walk up from CWD, stop before $HOME)
+    1b. If CWD is a git worktree, try the main worktree path
     2. Environment variables (both CEMS_API_URL and CEMS_API_KEY must be set)
     3. Global ~/.cems/credentials (fallback)
 
@@ -74,6 +99,13 @@ def resolve_credentials(cwd: str | None = None) -> dict[str, str]:
         if project_path:
             return parse_credentials_file(project_path)
 
+        # 1b. Git worktree fallback (e.g., Codex worktrees)
+        main_wt = _resolve_main_worktree(cwd)
+        if main_wt:
+            project_path = find_project_credentials(main_wt)
+            if project_path:
+                return parse_credentials_file(project_path)
+
     # 2. Check env vars — require BOTH URL and key
     env_url = os.environ.get("CEMS_API_URL", "")
     env_key = os.environ.get("CEMS_API_KEY", "")