[BUG] settings.json filesystem.write.additionalPaths does not apply to sandbox restrictions for bun install

Resolved 💬 3 comments Opened Jan 13, 2026 by nobita2041 Closed Mar 3, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report
  • [x] I am using the latest version of Claude Code

What's Wrong?

The filesystem.write.additionalPaths setting in ~/.claude/settings.json does not properly extend sandbox write permissions. Even after adding paths like /tmp, /var/folders, and ~/.bun to additionalPaths, commands like bun install still fail with PermissionDenied errors.

Key finding from investigation:

  • Bash commands like mkdir -p /tmp/claude/test work fine in sandbox
  • Bun's JavaScript runtime can write to /tmp/claude successfully
  • But bun install (Zig internal code) fails with "bun is unable to access tempdir: PermissionDenied"

This suggests the sandbox restrictions are not being properly applied from the settings.json configuration.

What Should Happen?

When filesystem.write.additionalPaths contains paths like /tmp, /var/folders, /Users/<user>/.bun, etc., the sandbox should allow write operations to these directories for all processes spawned by Claude Code, including native binaries like bun.

Error Messages/Logs

[0.97ms] ".env.local", ".env.production"
bun install v1.3.3 (274e01c7)

error: bun is unable to access tempdir: PermissionDenied

Steps to Reproduce

  1. Add the following to ~/.claude/settings.json:
{
  "filesystem": {
    "write": {
      "additionalPaths": [
        "/private/tmp",
        "/var/folders",
        "/private/var/folders",
        "/tmp",
        "/var/tmp",
        "/Users/<username>/.bun"
      ]
    }
  },
  "sandbox": {
    "enabled": true
  }
}
  1. Restart Claude Code to apply settings
  1. Run a command that requires bun install (e.g., in a git worktree under /tmp/claude/)
  1. Observe: bun install fails with "bun is unable to access tempdir: PermissionDenied"
  1. Run the same command with dangerouslyDisableSandbox: true - it works

Additional verification tests performed:

# This works in sandbox:
mkdir -p /tmp/claude/test-sandbox-write

# This works in sandbox (bun JS runtime):
echo 'require("fs").mkdirSync("/tmp/claude/test-" + Date.now())' | bun run -

# This fails in sandbox (bun native code):
bun install
# error: bun is unable to access tempdir: PermissionDenied

Claude Model

Opus

Is this a regression?

I don't know

Claude Code Version

2.1.6 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Environment:

  • macOS Darwin 25.1.0 (arm64)
  • bun v1.3.3
  • TMPDIR is correctly set to /tmp/claude in sandbox mode

Analysis:
The sandbox appears to use different enforcement mechanisms for:

  1. Bash commands (uses shell, works with additionalPaths)
  2. Node.js/Bun JS runtime (works with additionalPaths)
  3. Native binaries like bun's Zig code (does NOT respect additionalPaths)

This suggests the additionalPaths configuration is only being applied to certain types of operations but not to the underlying system call restrictions that affect native code.

Workaround:
Using dangerouslyDisableSandbox: true works, but this defeats the purpose of having configurable sandbox paths.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗