claude-code - 💡(How to fix) Fix Sandbox: hardcoded deny on .idea/.vscode/.claude/.husky writes has no user override
ON THIS PAGE
Recommended Tools
×6Utilities matched from this issue’s tags and category — try them while you read without losing context.
GitHub issue graph ai analysis
Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.
The report is written in English Markdown for sharing and archival.
Helpful · Quick feedback
Code Example
{
"sandbox": { "enabled": true, "failIfUnavailable": true,
"filesystem": { "allowWrite": ["~/projects/"] } },
"permissions": { "defaultMode": "bypassPermissions" }
}
---
claude --settings ~/.claude/sandbox-settings.json -p 'bash: echo a > ~/projects/anywhere/foo.txt' # ok
claude --settings ~/.claude/sandbox-settings.json -p 'bash: echo a > ~/projects/anywhere/.idea/foo.txt' # FAIL: Operation not permitted
---
{
"sandbox": {
"filesystem": {
"allowWrite": ["~/projects/"],
"allowWriteWithinDeny": ["**/.idea/**", "**/.vscode/**"]
}
}
}RAW_BUFFERClick to expand / collapse
Problem
sandbox-runtime injects an unconditional (deny file-write* …) rule for every entry in an internal list of tooling-config directories — .git, .vscode, .idea, .claude, .husky, plus .claude/commands, .claude/agents, .git/hooks, and .git/config. The denies are emitted after the user's allowWrite rules, so on macOS sandbox-exec (last-matching-rule wins) they always override.
There's a narrow opt-out for .git/config via allowGitConfig, but no equivalent for the other entries — and allowGitConfig doesn't appear to be exposed in the settings.json schema either.
Reproduction
With this minimal ~/.claude/sandbox-settings.json:
{
"sandbox": { "enabled": true, "failIfUnavailable": true,
"filesystem": { "allowWrite": ["~/projects/"] } },
"permissions": { "defaultMode": "bypassPermissions" }
}Then:
claude --settings ~/.claude/sandbox-settings.json -p 'bash: echo a > ~/projects/anywhere/foo.txt' # ok
claude --settings ~/.claude/sandbox-settings.json -p 'bash: echo a > ~/projects/anywhere/.idea/foo.txt' # FAIL: Operation not permittedOutside the sandbox, both succeed. Under a hand-written sandbox-exec profile that grants (allow file-write* (subpath "/Users/me/projects")), both also succeed. So this isn't an OS-level restriction — it's specifically sandbox-runtime's hardcoded deny list.
Why it matters
- I have a custom
review-prskill that copiesprimary/.idea/into newly-created git worktrees so IntelliJ opens each checkout pre-configured with the right modules, SDKs, and run configs. Underclaude-sbthis is now a no-op, defeating the integration. - Anyone running an IntelliJ project under sandbox can't have Claude touch
.idea/even when they've explicitly opted into~/projects/writes. - Same hits
.vscode/(settings.json,launch.json) and.husky/hook scripts.
Proposed fix
Expose an undeny knob in the JSON schema, e.g.:
{
"sandbox": {
"filesystem": {
"allowWrite": ["~/projects/"],
"allowWriteWithinDeny": ["**/.idea/**", "**/.vscode/**"]
}
}
}Generated rules would be emitted after the deny block so sandbox-exec's last-match-wins picks them up. (allowGitConfig is the existing precedent, just narrower.)
Investigation notes
Relevant code paths in the bundled sandbox-runtime: xD5() builds the deny list from an internal array (containing .git, .vscode, .idea, .claude, .husky) plus .claude/commands, .claude/agents, .git/hooks, and .git/config (allowGitConfig-gated). pD5(_, J, q) concatenates H.denyWithinAllow ?? [] with xD5(q) and emits all of them as (deny file-write* …) after the allows. No code path consults a user-provided override list for these specifically.
Claude Code 2.1.150, darwin 25.5.0 (arm64).
Vote matrix · Quick signals
Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Still need to ship something?
×6Another batch ranked right after the header list — different links, same matching logic.
TRENDING
- Feature Request: Configurable per-minute rate limiting (RPM) for models to prevent 429 errors
- Android: Hermes App + Termux install share ~/.hermes and cause silent permission loops
- hermes update emits unicode-animations ANSI demo in non-interactive logs
- hermes update downgrades aiohttp from 3.13.4 to 3.13.3
- npm install warns about deprecated @babel/plugin-proposal-private-methods
- DingTalk inbound media URLs are skipped as unreadable native image paths
- fix(dashboard): ChatPage clears header action buttons on ALL pages, not just Sessions
- [Bug]: check_web_api_key() hardcodes built-in backends — third-party web search plugins silently disabled
- Hermes Web UI 修复经验:GatewayManager 补丁、进程 D 状态、数据库升级问题
- Telegram gateway can silently drop turn after /stop with response=0 chars while internal work continues
- Feat: Load global agent instructions from ~/.agents/AGENTS.md
- Feature: China legal holiday / workday detection skill (with 调休 support)
- Multi-peer agent dispatch via proxy + Tailnet IPs as a complement to #9295
- Direct Gemini cost tracking is always $0.00 — resolve_billing_route() lacks gemini/google-gemini-cli branches + missing gemini-3.5-flash pricing entry
- [Feature]: feat(gateway): Support multiple delivery targets per webhook route
- Proposal: consolidate ~12 auxiliary fallback PRs into per-task fallback_providers
- Wecom always can't send files,
- [Gateway/Telegram] user.id is captured but not included in shared multi-user message prefix
- [Feature]: Publish effective ACP mode after mode changes
- [Bug]: HTTP 402 (billing/spend limit) misclassified and misleading advice given
- [Bug]: Content-filter triggered stream stall (output new_sensitive) does not trigger fallback_providers
- 예약 작업 실행 카드에서 원문 문구를 숨기고 예약 작업 상세 화면으로 이동 지원
- Context window changes to 256K after interrupted compaction and resume
- [Bug]: kanban.db corruption when multiple profile gateways share the same board DB
- [Bug] 移动端 /chat 存在不可隐藏的右侧空白占位栏
- cronjob tool fails to include required schedule parameter when using Grok models
- AI开发交流群
- 예약 작업 탭 카드 클릭을 풀 화면 상세로 전환
- 예약 작업 실행 카드의 원문 안내 문구 제거
- Add command and auto-recovery for disabled dispatcher
- [Feature]: 每次模型调用给出实时反馈
- [Bug]: terminal tool hangs 50-65s when reusing existing session in CLI/TUI
- TUI: 채팅창 하단에서 YOLO 모드 설정 가능하게 하기
- [Feature]: 目前没有兼容飞书富文本交互式卡片
- Proposal: Add kanban-artifacts to official dashboard plugin registry
- Feature: /queue cancel command to clear queued prompts
- [Bug]: /tasks and /agents do nothing
- Telegram busy-session interrupt buttons can disappear during long turns
- [Bug]: Default Docker image missing `markdown` dep — cron delivery silently falls back to plain text despite PR #5271
- Memory provider (holographic) silent failure: corrupted DB causes dead tools with no user-facing error
- [Bug]: Hermes unexpectedly modifies its own skills/system prompts during normal task execution, even when the user request is unrelated to agent configuration.
- [Bug]: MEDIA file not found sends message to main room instead of thread
- [Bug]: "_budget_grace_call" and "_budget_exhausted_injected" are redundant.
- Skill proposal: auditable decision trail for long autonomous coding runs
- Skill proposal: evidence-cited rationale archaeology for code history
- [Feature]: Add config option to suppress job_id and management hint from cron delivery output
- [Bug]: TUI+tmux looses keyboard/mouse input linux
- Gateway silently uses cloud API keys from environment with no warning, no cost visibility, no spending cap
- QQ Bot private chat (C2C) button approvals always rejected as unauthorized due to chat_type mismatch (dm vs c2c)
- feat(kanban): add busy_timeout PRAGMA to prevent WAL corruption under concurrent writers
- fix(dashboard): systemd service crash-loop when web_dist exists but npm unavailable
- TUI: No context explosion detection — sessions grow without warning
- [Feature] Allow autonomous coding delegation skills to consume central .providers config
- [Bug]: WhatsApp Integration Failure
- [Bug]: Kanban DB intermittent corruption after worker crash — missing WAL checkpoint
- [Bug]: Docker permission failure on Unraid (UID 99) — s6-overlay breaks HERMES_UID remap
- [Bug]: Web Dashboard: Session resume doesn't show full conversation history
- WhatsApp group chats: Mia responds to non-agent messages and restates instructions unnecessarily
- Gateway needs periodic platform liveness watchdog to catch zombie connections across all adapters
- bug(copy): /copy N counts from session start instead of latest response
- Support LM Link as a Provider Backend
- Implement Resource-Aware Model Fallback Chain (Local → Remote via LM Link)
- Docker backend: image arg clobbered with shell PATH export string, container fails with exit 125
- Kanban dispatcher writes a new .corrupt.bak on every tick after corruption (7,861 backups / 1.7 GB over 37h)
- Bug: web_crawl is implemented but never registered as a model-callable tool
- Bug: web-search-grounding skill routes models to browser/curl SERP scraping instead of the registered web_search tool
- Feature request: Oxylabs AI Studio as a web provider (search + extract + crawl)
- fix(weixin): MEDIA tag leaks for .md/.json/.yaml/.toml/.log files + no retry on session expiry
- Feishu messages: markdown tables not rendered, making them unreadable
- Discord thread action latency: 338s–405s responses with provider 300s timeout + retry (gpt-5.3-codex)
- [Bug]: Cron ticker dies silently — no error log, no watchdog, misleading status
- Dashboard WebSocket connections fail through Cloudflare Tunnel after recent security patch
- xAI OAuth fallback after provider switch due to stale encrypted_content replay
- bug: _extract_pricing crashes on list-typed pricing values, causing context_length fallback to 256K
- [Bug]: tool execute_code no longer inherits from the machine's environment
- [Bug/UX] Three config semantic traps for users debugging memory / multi-profile: silent failure of memory_enabled, profile config override, and per-profile log paths
- Desktop app: SSH Tunnel connection settings not persisted across restarts
- [Feature]: propagate DAYTONA_API_URL env to the daytona SDK
- Telegram MEDIA audio attachment can report success while delivering no attachment
- Add post-update coagency acceptance gate for critical Hermes capabilities
- fallback_providers not activated when 429 follows prior timeout recovery
- [Bug]: Tools array missing from API calls to custom Ollama endpoint
- acquire_scoped_lock: zombie processes (state Z) not detected as stale, causing false lock conflicts
- OpenViking memory provider sends slash-skill scaffolding as search text
- feat: per-agent toolset restriction for orchestrator pattern (parent-scoped no_mcp)
- `_load_config()` in delegate_tool.py never reads persistent config — breaks all delegation.* settings in v0.14.0
- [Bug] GCP Vertex AI connection fails with 404 using 'gcp' and 'rest' drivers, while direct curl works
- Path guard blocks write_file in temp dirs on macOS (/private/var/folders)
- Skill triggering is purely prompt-driven with no code-level enforcement
- [Bug]: browser_cdp opens stateless CDP connections, breaking Browserless/BaaS targets between tool calls
- bug(desktop): PROVIDER_BASE_URLS.anthropic hardcoded with /v1 suffix overwrites config.yaml base_url on every restart
- SessionDB: no crash recovery path when state.db is corrupted after unclean shutdown
- Add timestamp field to session JSON messages for proper ordering
- Backend health-aware fallback for Anthropic-compatible facades and auxiliary title routing
- Add opt-in proactive assist classifier for group chats
- [Bug]: search_files times out on WSL when ripgrep is missing
- [Bug]: web_extract gives dead-end error with only SearXNG configured
- [Feature]: Capability-Based Multi-Model Routing — unified config for task-type, domain-tier, and cost-aware provider selection
- Bug: `vision_analyze` tool fails to send images when using Docker terminal backend
- delegate_task() lacks model and provider parameters — prevents per-call subagent routing
- Startup noise: repeated Bitwarden Secrets Manager warning when BWS_ACCESS_TOKEN is unset
- [Bug]: Copilot Responses API 401 'input item ID does not belong to this connection' on assistant codex_message_items replay across credential/connection changes
- [Feature]: Tiered Memory Storage Architecture — Replace flat memory with 4-layer storage
- [Bug]: auxiliary title generation config is hardcoded to 30s and ignores config
- hermes auth add openai-codex writes only to credential_pool; runtime resolver reads providers.tokens — fails with 'missing access_token'
- [Bug]: Tirith shell scanner blocks pipe-to-interpreter even when LHS is a local user-owned executable
- hermes gateway install silently resets HERMES_HOME on macOS LaunchAgent
- Pre-send secret redaction hook + piiapi-filter skill
- Kanban dispatcher accepts kanban_complete with zero tool calls (no tool-evidence gate)
- Protocol violations (rc=0 without complete/block) don't increment failure_limit counter
- [Bug] kanban.db corrupted on WSL2 with multiple gateway processes
- [Bug]: Data privacy
- gateway: Telegram clarify-button resolver loses state on SIGTERM restart and 600s timeout
- Tirith approval buttons misleading: "permanently" is actually session-scoped
- computer_use (cua-driver backend) is too fragile and breaks auxiliary vision routing
- [Workflow Pilot] Validate infra Hermes contracted-goal workflow docs/template only
- Feature: built-in inter-agent mailbox tool
- Profile skills directory fully shadows global skills — no cascade fallback
- TUI: fallback_providers not passed to AIAgent (CLI works correctly)
- [Bug]: `/restart` silently fails on Windows when no Scheduled Task is installed
- [Feature]: Model name fields should be dropdowns sourced from /v1/models per provider
- Hermes mislabels upstream 429 quota exhaustion as missing Codex credentials
- Multi-bot free-response channels enter infinite ack-loops; bot-allow guard bypassed; human STOP ignored
- feat: route built-in session_search and memory tools through OpenViking when configured as memory provider
- [Feature]: Per-auxiliary reasoning effort configuration
- __write_scope_test__
- [Setup]: Connection problem
- [EPIC] Premium Product SDD v0 — Hermes Assistant Platform
- Spec v0: product vision, ICP, value prop, and metrics
- Architecture v0: control plane, brain, memory, voice, client, workers
- MVP v0: smallest shippable premium assistant
- Operating model: SDD, ADRs, DoR/DoD, and quality gates
- Roadmap v0: phased execution plan and validation gates
- [bug] same_tool_failure_warning does not auto-escalate to block; allows unbounded retry-loop cost amplification
- [Bug] Mobile thumbnail creator shows transcription controls and lacks thumbnail/export options
- [Bug] Mobile content cards open at too-low resolution / blurry when tapped
- [Bug] Transcript section renders an empty panel despite transcript header/copy controls
- [Bug] Detailed Analysis displays raw Markdown instead of rendered formatting on mobile
- [Bug] History item opens in awkward viewer with missing export options
- [Feature] Gallery modal should support horizontal navigation, caption editing, and high-res previews
- [Bug]: SOUL.md and AGENTS.md not loaded for Telegram gateway sessions in v0.14.0
- Bug: `--list_distributions` CLI flag crashes with TypeError due to name shadowing
- Bug: Race condition in OpenAI client replacement can close active connections
- Bug: `_generate_summary` returns None when max_retries=0, injected as conversation content
- Collection of minor bugs, typos, and inconsistencies found during code audit
- Credential pool: token_invalidated / token_revoked should be terminal failures, not 1-hour cooldowns
- delegate_task interrupt semantics: subagent killed while work is already complete
- Bug: Background Curation Prompts Leak into User Memory & Honcho Representations
- [Feature]: Allow agents to opt out of replying with `[SILENT]` marker
- Honcho issue sweep: duplicate PR clusters and cleanup plan
- approval.py only wired to terminal_tool; MCP-wrapped commands bypass dangerous-command + Smart-mode gate
- TUI remote gateway attach (HERMES_TUI_GATEWAY_URL) fails with 404 — /api/ws missing from APIServerAdapter
- Fix Codex stream None output recovery
- gateway: `gateway_state.json` heartbeat tick missing — WebUI cross-container liveness check fails for idle gateways
- [Bug]: Error: 'NoneType' object is not iterable
- [Bug]: Codex Responses stream aborts on terminal null output
- fix: cron ticker thread stops silently, jobs never fire
- fix: hermes cron list crashes when job has null deliver field
- Per-subscription toolset override for hermes webhook subscribe
- openai-codex provider crashes: SDK parse_response fails on null output from Codex backend
- Proposal: record which SOUL version each kanban run executed under (provenance)
- Proposal: per-board approval policy override (scope approvals.mode per kanban board)
- [Bug]: Codex Responses stream ending without `response.completed` crashes with TypeError ('NoneType' object is not iterable) — bypasses existing backfill at codex_runtime.py:265-280
- Feature Request: Integrate Microsoft SkillOpt for Self-Evolving Agent Skills
- [Bug] Gateway systemd service fails on Fedora with SELinux enforcing (status 203/EXEC)
- [Feature]: Multi-profile Telegram group communication — bots don't see each other's messages
- Avoid systemd gateway restart/takeover loops from Restart=always + --replace
- Detect duplicate gateway supervisors in doctor/status diagnostics
- [Bug]: Codex Responses streaming crashes with TypeError: 'NoneType' object is not iterable (openai-codex / chatgpt.com backend)
- The SSE connection remains active indefinitely and fails to close normally when an annotation reply is triggered.
- On the MCP list page, the search results include non-MCP tools.
- dep inject model validate
- provider llm do not add
- --frozen flag in uv sync causes plugin installation failure in China / limited-network environments
- [SECURITY] Missing SECURITY.md — no vuln reporting channel for 142K-star project
- [SECURITY] CORS allows wildcard * in production default (CWE-942)
- [SECURITY] CRITICAL: Empty SECRET_KEY + default credentials across .env.example (CWE-798)
- Chatflow with file and Human Input is stuck
- Add CLIENT SETNAME to Valkey vector store for connection identification
- The ChatFlow App is unable to reply properly when I upload file using a file url
- SEEKDB can not use in V1.14.2
- Add Amazon URL parsing and metadata extraction for product comparisons
- Restore Ctrl+B to 'cursor.left' (backward-char) by default in Unix environments
- Support customizing execution shell (e.g. to zsh) in Unix-like environments
- YOLO mode ignoring user requests
- Bug when pasting json String
- Feedback: Code Output Formatting in CLI Environments
- Fix model config name in token counter
- ℹ High memory usage detected (8.64 GB).
- prno
- AGY 1.0.2: -p/--print mode outputs nothing to stdout on Windows
- n8n Cloud executions page causes instance to go offline with 502 error
- Bug with scripts JavaScript & Python
- workflow not saving
- Couldn’t connect with these settings No testing function found for this credential. While editing SSH and SFTP credential
- Broken Node Report
- AI Agent v3 does not set tool_choice on iteration 1, causing small models on OpenAI-compatible providers to skip tool calls
- Getting activation key
- ## Bug: Python Task Runner fails on native npm install — `src/` folder missing from published package
- [BUG] Trust prompt and session reload triggered repeatedly when invoking 'claude' with uppercase casing (CLAUDE) on macOS
- [BUG] Claude Desktop (MSIX) bundled bash leaks TEMP=/tmp into child JVMs, breaking Gradle and any Java Selector.open() on Windows
- [Bug] Ultrareview synthesis step crashes after backend completes findings analysis
- [FEATURE] Support audio file attachments (WAV, MP3) in Claude Code
- [BUG] Text is randomly turning blue while using Claude Agents
- [BUG] Keychain credential partition_id silently resets to "apple-tool:" alone on ~5min cycle (macOS Tahoe 26.5, Claude Code 2.1.145)
- AskUserQuestion: no way to view truncated preview content ("X lines hidden")
- [Bug] Mac Desktop App Crashes Repeatedly During Session
- Team in-process mode: process residue on disband + agents don't consume task_assignment
- [FEATURE] Support Multiple GitHub Accounts
- ✨📲 {{ 🎀^【【%#@&*^#🎀^✚卍 卍Flynas infolinia polska 24h %#@&*^#🎀^】✚卍 卍】✨📲 Czy Flynas oferuje całodobową obsługę klienta?%#@&*^#🎀^】】✚卍 卍⁂}}{{ 🎀^
- 🍉 ⋆ 🍓 🎀 ✚卍 卍 卍 +48 58 8810 086 卍 卍 卍✚ 🎀 ❀ 💗 🍓 ⋆ 🍉卍【2➃𝕙ㄖ尺𝔸Ŝ {{{Flydubai infolinia polska 24h}}】Numer kontaktowy Flydubai 【2➃𝕙ㄖ尺𝔸Ŝ{{Jak skontaktować się z obsługą klienta Flydubai? ?⁂}}{{ 🎀^ }}}】卍✚2➃𝕙ㄖ尺𝔸Ŝ{{{❀ 💗 🍓 ⋆ 🍉
- [BUG] ALT+TAB back to VS Code extension causes certain key presses (e.g., PrtSc, Henkan) to trigger menu bar focus
- 🍉 ⋆ 🍓 🎀 ✚卍 卍 卍 +48 58 8810 086 卍 卍 卍✚ 🎀 ❀ 💗 🍓 ⋆ 🍉卍【2➃𝕙ㄖ尺𝔸Ŝ {{{Qatar Airways infolinia polska 24h }}】2➃𝕙ㄖ尺𝔸Ŝ{{ Numer kontaktowy Qatar Airways【 Jak zadać pytanie na temat Qatar Airways? 】}}卍✚2➃𝕙ㄖ尺𝔸Ŝ{{【❀ 💗 🍓 ⋆ 🍉
- Feature Request: Support global ~/.agents/AGENTS.md along with project-level AGENTS.md
- `bgIsolation` guard recovery path is broken: error tells agents to call `EnterWorktree`, which is a deferred tool
- [BUG] False positive safety filter block for Polish-language security audit question in own PHP CRM project (VSCode extension)
- [Bug] Environment variable expansion not working for $HOME in paths
- [BUG] Payment declined for Claude Pro subscription from Nicaragua with multiple cards
- Claude Code agent set Meta Ads budget 100x wrong — caused NT$11,168 (USD ~$350) financial loss
- The worst experience with a AI network, I'm not willing to pay $100 for it anymore.
- [BUG] PTY leak: Claude desktop app accumulates ~490 /dev/ptmx file descriptors
- [Bug] Anthropic API Error: text content blocks must be non-empty
- Shell snapshot uses unguarded $ZSH_VERSION, breaks set -u (nounset)
- [DOCS] Document server-side system prompt experiments and their opt-out controls
- [DOCS] Document feature-flag and bootstrap cache behavior when opt-out variables are enabled
- [DOCS] Network docs should warn that untrusted LLM proxies can modify Claude Code request context
- Feature request: allow customizing terminal tab title (project name vs conversation summary)
- [BUG] Regression in v2.1.150: cannot select text outside current screen
- [Bug] Claude agents interface: incomplete skill loading, copy functionality UX issues, and terminal responsiveness degradation
- [FEATURE] Animate the project name chip while waiting for user input
- [BUG] [VSCODE] Algebra formatting broken on VS Code extension
- Drag-drop and screenshot clipboard paste fail on Linux; works only after re-copy from image viewer
- [VSCode Extension] AskUserQuestion panel hides conversation context with no collapse shortcut
- [Cloud Mode] Allow overriding the diff view base branch (currently locked to repo default branch)
- [FEATURE] Configurable Spinner
- [BUG] /remote-control fails with "failed to connect: /login" on Pro account, desktop app v1.8555.2
- Thumbs up/down
- [FEATURE] Show pending diffs in IDE before edit execution
- API Error: 400 messages: text content blocks must be non-empty on session resume when assistant turn contained only tool_use blocks
- Durable stats ledger independent of session jsonl files
- [BUG] JetBrains plugin 0.1.14-beta: NoClassDefFoundError io.ktor.server.cio.CIO on startup (IDEA build 253.31033.145)
- [BUG] --dangerously-skip-permissions ignored when SSH_CONNECTION is set or TERM is empty
- [BUG] Plugin runtime loader and `claude plugin validate` accept divergent schemas
- [Bug] Microsoft 365 MCP connection fails in Claude Code but works in Claude Desktop
- Sonnet 4.6 - Destructive rm -rf executed on explicitly excluded directory during cleanup session
- Bun segfaulting in claude-code, thought you should know
- Sandbox: hardcoded deny on .idea/.vscode/.claude/.husky writes has no user override
- [BUG] Gateway model discovery `capabilities.image_input.supported=false` is ignored in session image behavior
- Agent crashes with 'exit 1 before init' when cwd no longer exists (e.g. after project move)
- Tool-call opening tag gets stuck on a malformed form and is unrecoverable within the session
- [Bug] Corrupted ASCII characters in CLI output on Antigravity IDE
- [BUG] Slash command name collision: plugin skill shadows built-in /release-notes
- [BUG] Missing agents at start of cli, due to using Glob on .Claude/Agents folder starting with a dot
- [FEATURE] Show resulting context-window % when using esc+esc to rewind the conversation
- [Generative UI Widget] 默认字号过小,建议提高默认值或支持用户自定义字号
- [Bug] Non-verification error causing repeated failures in Claude Code actions
- Preview blocks cross-origin redirects (Stripe Checkout, OAuth, etc.) — silent failure with no fallback
- [Bug] Claude Code silently creates paid GitHub Actions workflows without user consent or cost warning
- [BUG] When opening a terminal in the company's internal CodeLab container and entering Claude Code, the output often shows garbled characters, especially for Chinese characters. English characters are mostly fine.
- [BUG] 双击 ESC 回滚会话后,Task 列表未清理
- Bash tool returns "internal error" on git commit under fish + multi-step pre-commit hooks (cmd actually succeeds)
- [BUG] Auto-update orphans MCP child processes on Windows, breaking next launch of npx-based MCP servers (EBUSY)
- [FEATURE] CWD visible in claude app
- [BUG/FEATURE] LLM agents fabricate non-existent `disabledSkills` settings field — silent no-op needs validation or the feature itself
- WorktreeCreate hook 'Hook cancelled' for worktree Agent when dispatched alongside a sibling Agent call in one message
- [BUG] Claude Code uses legacy XTMODKEYS even when terminal advertises the kitty keyboard protocol
- [Bug] Opening Claude pane resets VSCode Neovim to Insert mode
- ultraplan: 'Claude GitHub app must be installed' despite app being installed
- [BUG] Rate limits blocking multi-agent Claude Code workflows even at highest paid tier
- CLI-created sessions invisible in Desktop app (reverse direction broken)
- No UI to restore/unarchive archived sessions in Desktop app
- [BUG] Cowork Workspace Fails on Windows with EBADF on rootfs.vhdx rename #47343
- [BUG] Cowork sandbox VM bundle not found in Roaming path on Windows 10 Pro (Store/AppX install) — hardlink workaround
- [BUG] /exit prompts to remove worktree even when other Claude Code sessions are still active in it — accidental remove breaks live sessions
- Sandbox cannot create subdirectories under project tmp path
- Plan mode should enforce read-only at the tool layer, not via LLM instruction
- [Feature Request] Optimize token usage for git commit and push operations
- [BUG] 鼠标滚轮在 Android Studio 集成终端中无法滚动(功能回退)
- [BUG] Bash tool fails with exit 127 when shell snapshot replays extglob syntax in non-interactive bash 5
- [BUG] PreToolUse hook is not invoked after a static ask rule for the same command pattern receives session-level approval
- [BUG] How to disable ctrl + c deleting the hole import ??????
- [Bug] Misleading usage credits error message displayed unnecessarily
- [Bug] Claude ignores context and provides incorrect feedback on skill implementation
- [BUG] Plugin sensitive userConfig not persisted to keychain/credentials.json/settings.json — values lost on Claude Code restart
- [Feature Request] Improve file completion suggestions for `@` prefix with smarter ranking
- [FEATURE] Sound Notification for claude agents
- [FEATURE] Handle non-gitignored files in `.worktreeinclude`
- Support version pinning in plugin install command
- Claude Code desktop app steals focus on every notification (regression — was: silent banner only)
- [BUG] `claude respawn --all` advertised in --help but rejected as "unknown option" (v2.1.150)
- Detached/pop-out windows ignore zoom level and Cmd+/- doesn't work on them
- [Bug] Session reload triggered unexpectedly during rename operation consuming tokens
- [BUG] Plan mode state inconsistency when ExitPlanMode is interrupted by user
- [BUG] [Cowork UI does not show plugins installed from "claude-for-legal" marketplace — claude- prefix conflict
- [BUG] Inputs mouse movements in chat area when switching from /background or agents' view
- [FEATURE] Always-visible / always-expanded tool call output in VS Code extension
- [FEATURE] Tab autocomplete inside bash mode (!) — files, paths, and command history
- [Feature Request] Auto mode should respect allow list settings from non-auto mode
- Ctrl+Shift+C no longer works in GNOME Terminal (regression)
- Feature request: actionable Approve/Deny on mobile push for permission prompts
- [Bug] Plan-mode-exit dialog ignores `permissions.defaultMode` setting
- [Feature Request] Add confirmation prompt before executing destructive database operations
- [BILLING FRAUD] Unauthorized gift subscription charged to my account - No support response after 10+ days
- Cannot copy text from Claude responses in interactive TUI (GNOME Terminal, Ubuntu 24.04)
- [BUG] SSH marketplace add error message hardcodes "GitHub" regardless of host
- [FEATURE] Emit OSC 7 on agent-focus-change so new terminal tabs inherit the focused agent's cwd
- [Feature Request] Improve custom API key configuration for cost attribution tracking
- [BUG] Repeated "Image couldn't be processed" API errors consuming usage limit in Claude Code
- [Bug] Opus 4.7 with extended thinking intermittently emits unparseable tool_use blocks
- [FEATURE] Predictive agentic loop
- WebSearch tool returns 400 invalid request parameters on all queries
- [BUG] /tui mode switching causes cursor to disappear and breaks mouse wheel
- /usage and /context commands stuck on 'Loading usage data…'
- [FEATURE] Cowork: per-task-title retention policy for scheduled-task session residue
- [BUG] Plugin cache not rebuilt after git pull on marketplace repo — LocalPluginsReader finds 0 local plugins
- [BUG] Azure VIrtual Desktop Cowork Deployment
- claude plugin sync — auto-install plugins from settings.json (like npm install)
- [BUG] Claude Code silently deletes conversation transcripts after 30 days by default
- [FEATURE] Allow configuring WebFetch cache TTL
- Duplicate session names when multiple sessions share the same git branch
- claude.ai connectors (Gmail/Calendar/Drive) expose only auth stubs in a session despite being Connected + authorized
- [FEATURE] Don't re-prompt for approval on WebFetch cache hits
- [Feature] Public deep link to open 'Add marketplace' dialog in Claude Desktop with prefilled URL
- [BUG] Remote Control: worker's custom skills (~/.claude/skills/) missing from Claude app slash-command autocomplete
- [Bug] Inconsistent adherence to coding conventions in generated code
- [BUG] tui: fullscreen + /memory + select memory = unusable terminal, hard stuck even closing/reopening doesn't work
- Plugin skills from custom/private marketplaces appear in slash menu but fail with "Unknown skill" on invocation
- settings.json partial rewrite strips statusLine, enabledPlugins, hooks mid-session
- [BUG] Switching to mimo-v2.5-pro fails after reading images in mimo-v2.5
- Vim NORMAL-mode motion (h / ←) should return from an agent to the agent list in agent view
- [Feature Request] Add disableManagedConnectors setting to disable auto-loaded connectors
- [FEATURE] Switch between plans in VS Code extension
- [FEATURE] Read-Only Auto Mode
- settings.json: add user-approval-required mode for dangerouslyDisableSandbox
- AskUserQuestion overlay obscures the assistant's previous message
- [BUG] Claude Agent in PhpStorm no longer has the feedback actions
- [BUG] Device lock stuck after account switch on Windows - automatic release mechanism fails
- [BUG] VS Code extension goes silent and deaf
- [Feature Request] Add ability to remove/uninstall individual plugins via /plugin command
- Hardware Buddy BLE cannot surface or answer AskUserQuestion options
- auto-mode classifier mis-reads conversation state (subagent verdicts + disambiguating instructions)
- Plugin command/skill named "doctor" is invoked instead of built-in /doctor
- False positive: legitimate UE5.7 game project flagged as potential malware, blocks all code editing
- [FEATURE] Ability to reference files using the "@" symbol in the agent view
- [BUG] Appeal Form Redirect Loop After Account Restriction
- bug: Task subagents receive empty MCP tool surface (main-thread works, subagent context drops all mcp__* tools) — Windows + Opus 4.7
- /ultrareview returns empty findings + consumes free credit on large PR (Issue #50029 repro)
- Security: settings.local.json permissions file has no integrity protection — silent injection enables pre-approved execution
- [BUG] Account & Usage modal stuck on "Loading usage data..." — never completes
- [FEATURE] Voice dictation: recognize spoken punctuation commands as punctuation marks
- EPERM cascade on Read/Edit/FileHistory for session-created files in long-running autonomous sessions
- Thai text input: Backspace deletes entire grapheme cluster instead of one code point at a time
- Remote Control syncs only desktop->iPhone (iPhone->desktop messages not delivered)
- Remote Control: input silently dropped on all clients — messages appear sent but never arrive at local process (regression ~May 25)
- Desktop Recents list doesn't surface sessions previously created via the CLI
- Feature: Expose background task state to SessionEnd hooks
- Developer → Open Hardware Buddy… menu missing after enabling Developer Mode
- No way to suppress OAuth warnings for unconnected claude.ai integrations at startup
- Feature request: per-repo hook-approval prompt for ./.claude/settings.json (parallel to tool permissions)
- [BUG] Auto-generated permission rule with a literal : inside a quoted argument is rejected on load ("The :* pattern must be at the end")
- [BUG] Active runtime config (model / context window / effort) not observable from inside agent turn — Opus session self-reported as Sonnet, blocking workflow
- [BUG] The model ignored all the rules and ignored all the constraints in memory as well as in global files
- [BUG] Cowork unavailable on standard user accounts - VM Platform not enabled error misleads to reinstall
- Agent tool: add context isolation mode to prevent evaluator bias in multi-agent setups
- [FEATURE] Auto Mode in the Cloud Repo - Only available on local at the moment
- [BUG] [Desktop App] Deleting session working directory makes app unusable with no recovery path in GUI
- [BUG] API Error: Server is temporarily limiting requests (not your usage limit) · Rate limited
- [BUG] /usage heatmap is off by one weekday
- [BUG] Claude Desktop - Dispatch shows "Desktop appears offline" persistently
- [MODEL] Claude Code Web multi-agent review synthesis fabricates verification and expands issue scope
- [BUG] Write/Edit tools truncate to previous file size when overwriting existing files (Windows desktop / virtiofs)
- [BUG] Running claude in a folder with a .git folder without rwx permissions for the current user prevents running bash commands
- [BUG] [Billing] Pro Annual → Max upgrade blocked by "billing address has changed" error, no human support available
- Long streamed responses occasionally triplicate sections of output
- [Refund Request] claude-opus-4-7 reported unverified inference as 'root cause' in declarative tone, violating user's explicit global rules
- [BUG]Claude Code desktop app, AWS Bedrock, us-east-2, "invalid model identifier" error, started today, two machines affected, one machine that is the root user on AWS Bedrock is working fine through Claude Code -working fine with identical credentials.
- [BUG] Windows: PowerShell tool absent from schema when Git Bash is on PATH, despite pwsh.exe being present and detectable
- Add config to disable idle/awaiting-input reminder notification separately from completion notifications
- Feedback: Limitations found during intensive 8h MCP development session
- Plan proposal card: action buttons layout breaks when the Plan side panel is wide (narrow middle pane)
- [BUG] Plugin version not respected
- Account-linked MCP machine delegation across devices
- Plan side panel: content stops expanding at a fixed width — large wasted empty margins on wider panel
- [BUG] [session limit]
- Cowork sandbox (virtiofs bind-mount) silently drops git unlink() with EPERM, leaving stale tmp_obj_* files and .lock files on host
- Desktop App broken on Windows with Bedrock after v2.1.149
- isolation: worktree subagents silently write outside the worktree via absolute file_path (Edit/Write target primary clone, not the isolated worktree)
- [BUG] Cowork macOS: Gmail and Google Calendar MCP connectors return "The caller does not have permission" on every call for one account; other users on the same Workspace tenant unaffected
- [Bug] CLI performance degradation with large codebases
- [BUG] ASCII characters corrupted content
- [Bug] Linked worktree sandbox auto-allow missing main .git directory and denyWithinAllow paths off-by-one
- [BUG] claude mcp add my_mcp_server ... settings not updated
- Remote-control: phone-app approval dismisses popup but never reaches local process
- [BUG] Crap in the console!? WHY
- [BUG] Claude Code Crash
- [BUG] Cowork macOS: all claude.ai-hosted MCP connectors fail — desktop OAuth token requested without `user:mcp_servers` scope
- VSCode extension does not render `permissionDecisionReason` in permission prompt for "ask" decisions
- Claude responds "No response requested" after tool rejection, ignoring user messages
- [BUG] Switching focus between local Code sessions kills the unfocused session's CLI process (SIGTERM, exit 143) instead of leaving it running in the background
- [Bug] Anthropic API Error: Prompt is too long in stop hook evaluator
- [BUG] mcp__github__subscribe_pr_activity silently drops check_run completion events
- Opus 4.7 tool-use compliance cliff between 24th-26th May — instrumented evidence
- [BUG] Commands in code blocks cannot be copy-pasted directly into terminal
- [BUG] Claude extension in VS Code fails to honor autoMemoryDirectory setting in settings.local.json
- Monitoring cycle 18:03 UTC — 20k pending orders accumulation in ft_orders
- [DOCS] /btw fork hotkey not documented
- Feature Request: Allow Claude Desktop to be configured to only read MCP servers from claude_desktop_config.json (not ~/.claude/.claude.json)
- [BUG] It's not easy to understand fast mode turned ON or OFF
- [Bug] Unexpected High Token Consumption Across Sessions
- [Bug] Credentials exposed in git history via .env.dev file commit
- Feature request: explicit model-version pinning in settings.json
- Plan approval popup: pressing Space while typing auto-confirms and dismisses without undo
- [Feature Request] Improve discoverability of session history in Agent View: peek vs attach unclear, Ctrl+O not hinted
- [BUG] MSIX-packaged Claude Desktop (Windows) strips PATHEXT to .CPL and empties WINDIR for spawned MCP subprocess shells
- [DOCS] /login *is* available when CLAUDE_CODE_USE_BEDROCK is set
- Memory rules saved but never applied — Claude Code operates in wrong environment across sessions
- [Bug] Anthropic API Error: Tool result block missing corresponding tool use block
- [Bug] Tool calls hang with no response on macOS - Edit/Bash/Write become unresponsive
- [FEATURE] tab-completion mode similar to bash
- [BUG] Edit tool fails on files containing embedded Unicode PUA characters (Nerd Font glyphs) — falls back to PowerShell workaround unnecessarily
- [FEATURE] adding comments to chat dialog
- [Feature Request] macOS sandbox: auto-manage allowMachLookup for TLS/system services
- [BUG] Auto Archiving Sessions in Use....
- [BUG] `normalizeToolInput` strips `cd <cwd> &&` from Bash commands before PreToolUse hooks can inspect them
- Remote Control "not yet enabled" on Max plan — v2.1.126 (Arch Linux)
- Preview MCP `preview_start` ignores `runtimeExecutable` and crashes on corepack-wrapped pnpm under Node 20
- Directory connector visible to one Owner but invisible to another Owner in same Team organization
- Auto-retry sandboxed Bash commands with sandbox disabled instead of instructing the model to do it
- [BUG] @-file references resolve to parent git repo root instead of cwd when launched inside a jj workspace (.workspaces/<name>/)
- [BUG] TUI emits strikethrough on arbitrary text - reproduces on 2.1.150 in both diff view and normal output
- Claude regenerates entire files instead of surgical edits for metadata-only changes
- MCP server config: project-level should merge with user-level (env, etc.), not replace the whole entry
- mental issue of opus
- [BUG] Claude Desktop macOS — Helper crash loop in c-ares (`ares_dns_rr_get_ttl`) — false "Endpoint Security blocked Q6L2SF6YDW" dialog (1.8555.2 + 1.9255.0)
- [BUG] Scheduled task ran 100s of times unprompted as desktop app crashed
- [BUG] iOS Dispatch Streaming Input Mode (orange bubbles) replaced by banner UI after app update 1.260521.0
- Windows: stale lock directories block credential persistence after abnormal exit
- Claude does not check if tool/software is already installed before attempting reinstall
- Claude forgets actions performed earlier in the same session (intra-session amnesia)
- Sub-agents declare work as PASS without performing actual verification against reference
- Sub-agents ignore explicit rules embedded in their own prompt
- Claude defers fixing known problems instead of acting immediately
- [Bug] Missing or invalid command input
- Feature request: exclusive-allowlist mode for --allowedTools (currently additive on top of built-in default safe-list)
- [Bug] Diacritical marks disappear when typing uppercase letters
- Claude Code makes confident wrong claims, deflects blame, and expands scope without verification
- VSCode extension voice input forces English transcription, ignoring pt-BR system locale
- [BUG] Unable to connect to API : TCP shows ESTAB but app reports ConnectionRefused on prompt input
- [BUG] Cannot scroll up or down in Calude CLI chatbox
- [Bug] Unable to determine issue - please provide bug report details
- [BUG] Windows 11 Claude Desktop App at launch asks for Security code from Email to Log in: Email has a log in button that launches Edge and logs me in.
- Plugin manifest should support `permissions.allow` for bundled console scripts
- [Bug] pdf-viewer MCP built-in server - UtilityProcess spawn timeout (Claude Desktop, Windows 10)
- [REDACTED]
- [BUG] False positive "Usage Policy violation" errors on normal coding requests
- Desktop CI monitoring panel: state cached at session start, no refresh, misleading error sends users down wrong debug path
- [FEATURE] Expose transcript prompt-jump ({ / }) as a bindable action for non-US keyboard layouts
- [BUG] Slash command does not work with modified keybindings
- [Feature] Allow customizing or simplifying thinking status verbs
- [BUG] Login magic link routing to wrong email — locked out of account, AI support loop for 2+ hours. UNRESOLVED, Receive emails, codes, etc. to correct email. (Issue #61892)
- Serious accessibility issue with "clever" synonyms for "Working..."
- [FEATURE] Allow switching agent configurations mid-session via the /agent menu
- [BUG] ctrl+<letter> bindings silently fail on non-Latin keyboard layouts (Cyrillic / Greek / Arabic / ...)
- [FEATURE] Allow clearing or compacting the Dispatch thread
- [BUG] isolation: "worktree" — only 1 of 7 concurrent worktrees branched from current HEAD; other 6 used origin/HEAD
- Inter-session coordination: wake / notify a parent session on child (sub-session) turn-end or idle
- [BUG] Bash tool creates 0-byte phantom files with code-fragment names during complex python -c execution (Windows + Git Bash)
- Agent tool: automatic async escalation when run_in_background is unset is undocumented
- [BUG] `/remote-control` fails in desktop-app-embedded Claude Code with "no org UUID", and there is no user-facing remediation
- [BUG] Button hidden behind X button in Cowork connector tool calls sidebar (macOS)
- [FEATURE] Let me change the location of .mcp.json and or define its config in setting.json or with environment variables
- [Feature Request] Add user confirmation prompt for unauthorized shell commands in auto mode
- MCP reconnect causes AI to hang waiting for ToolSearch instead of proceeding
- [BUG] PreToolUse hook does not fire when Read tool reads image/binary files
- Claude fabricates visual analysis of images to appear confident
- Feature request: Add setting to disable automatic file reveal in editor during Read/Edit operations
- [BUG] Bash tool: injected grep/find shell functions terminate the calling shell under bash < 4.0 (macOS system /bin/bash)
- Gmail (and other claude.ai) connectors not available in Claude Code CLI
- [BUG] "Buy credits" button permanently disabled - Free tier account incorrectly shows $500 limit, HTTP 429 errors on billing page
- [BUG] Cowork impossible on MSI MPG X570 / Ryzen 9 3900X — vmms service missing, Hyper-V causes boot failure
- [BUG] Persistent MCP error: tools.77.FrontendRemoteMcpToolDefinition.name - Account-level corruption
- [BUG] no indication of completion, "Resumed session >" messages continue to appear in a loop
- Monitor task list — stale entries persist across app restart + UI/CLI count divergence
- Claude in Chrome: extension never connects to Claude Code CLI (macOS)
- [FEATURE] vscode plugin option to open claude as new tab in an existing pane rather than split
- [BUG] Bash (dir/b "C: \ FilePackage") error Path contains null bytes
- * wildcard in hook `if` pattern doesn't match strings containing spaces
- [BUG] mcp__Claude_Preview__preview_eval hangs the entire preview session without returning any error
- [Feature Request] Add color sorting option to Claude Agents view
- Codex Desktop high CPU from unbounded active thread metadata and local history/list processing
- Codex CLI 0.129.0+ fails in WSL with "stream disconnected before completion"
- 已撤回
- Display file inline diffs
- IDE context could not be enabled
- Claude settings migration prompt clobbers user-level config.toml when no project-level config exists
- Model reads image files with the same name, UI always shows the first loaded image
- Add team-level Skill Hub for sharing, syncing, and governing Codex skills
- TUI turn interrupt failure can lose session context
- Feature request: allow moving conversations between projects
- The status display shows that the ID and credit limit are not displaying correctly.