Issue Station
Sign In
Tools hereToolbox

claude-code - 💡(How to fix) Fix [FEATURE] /sandbox needs mode switching and allowlist management

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

/sandbox today is a binary on/off toggle per project. Users who hit sandbox-caused failures (TLS proxy breaking gh, blocked network hosts, denied writes) can only disable the whole sandbox — losing the protection for every other tool in the session. We need a way to manage the sandbox's modes and allow lists interactively.

Root Cause

/sandbox today is a binary on/off toggle per project. Users who hit sandbox-caused failures (TLS proxy breaking gh, blocked network hosts, denied writes) can only disable the whole sandbox — losing the protection for every other tool in the session. We need a way to manage the sandbox's modes and allow lists interactively.

RAW_BUFFERClick to expand / collapse

Summary

/sandbox today is a binary on/off toggle per project. Users who hit sandbox-caused failures (TLS proxy breaking gh, blocked network hosts, denied writes) can only disable the whole sandbox — losing the protection for every other tool in the session. We need a way to manage the sandbox's modes and allow lists interactively.

Problem

The sandbox exposes rich controls in settings (filesystem read/write allowlists, network allowedHosts, per-command overrides), but /sandbox only flips the whole thing. In practice this leads to:

  • One TLS/proxy failure for a single tool (e.g. gh) pushes the user to disable sandboxing entirely for the project.
  • No quick way to add a host to allowedHosts without editing settings.json by hand and restarting.
  • No quick way to scope an exclusion to a single command (e.g. "let gh bypass, keep everything else sandboxed").
  • No visibility into which restriction caused a given failure — users are left guessing between filesystem, network, or cert interception.

Requested

/sandbox (interactive, like /permissions) with at least:

  • Mode switch: enabled / disabled / a middle ground ("network-open", "fs-open", etc.)
  • Allowlist management:
    • Add/remove hosts in allowedHosts
    • Add/remove paths in read/write allowlists
    • View the current effective config (merged global + project + local)
  • Per-command overrides: mark specific commands as sandbox-exempt (today this requires dangerouslyDisableSandbox: true on every individual call, which the model has to remember to set)
  • Diagnostic mode: when a command fails, surface which sandbox rule rejected it (filesystem / network / TLS-proxy) so users can make a targeted fix

Concrete repro that motivated this

Fresh session, default sandbox config, github.com already in allowedHosts:

  1. Run gh api rate_limit → fails with tls: failed to verify certificate: x509: OSStatus -26276
  2. Run gh auth status → reports the token as invalid (it isn't — the auth-validation call is also going through the proxy and failing the same way, and gh interprets that as an invalid token)
  3. Only remediation was /sandbox → disable for the whole project

The sandbox's TLS MITM is working as designed (cert interception on an allowed host) — but there's no in-product way to say "trust the sandbox CA for gh" or "let gh bypass the proxy" without dropping sandbox across the board. Related existing bug: #45637.

Environment

  • macOS 26.4.1 (Darwin 25.4.0)
  • Claude Code CLI, gh 2.90.0

extent analysis

TL;DR

Implement an interactive /sandbox command with mode switching, allowlist management, per-command overrides, and diagnostic mode to provide more granular control over sandboxing.

Guidance

  • Introduce a mode switch for the sandbox, allowing users to choose between enabled, disabled, or a middle ground (e.g., "network-open", "fs-open") to balance security and usability.
  • Develop an allowlist management system, enabling users to add or remove hosts from allowedHosts and paths from read/write allowlists interactively, without requiring manual edits to settings.json.
  • Implement per-command overrides, allowing users to mark specific commands as sandbox-exempt, reducing the need for dangerouslyDisableSandbox: true on individual calls.
  • Create a diagnostic mode to provide visibility into which sandbox rule caused a command failure, helping users make targeted fixes.

Example

/sandbox mode network-open
/sandbox allowlist add host github.com
/sandbox override add command gh

These commands illustrate potential interactive sandbox management, but the actual implementation may vary based on the specific requirements and existing codebase.

Notes

The proposed solution aims to address the limitations of the current binary sandbox toggle. However, the exact implementation details, such as the user interface and command syntax, will depend on the existing codebase and design preferences.

Recommendation

Apply a workaround by implementing an interactive /sandbox command with the proposed features, as this will provide more granular control over sandboxing and address the current usability issues.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#retrieval issue#search optimization#API routing#API middleware

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING