[DOCS] Critical Safety Warning Missing: Unrecoverable Data Loss Risk in Sandbox "Auto-allow" Mode
Documentation Type
Unclear/confusing documentation
Documentation Location
Section/Topic
The Sandbox modes section in sandboxing.md (specifically "Auto-allow mode") and the Limitations section in checkpointing.md.
Current Documentation
From Checkpointing:
"Bash command changes not tracked: Checkpointing does not track files modified by bash commands. For example, if Claude Code runs: rm file.txt ... These file modifications cannot be undone through rewind."
From Sandboxing:
"Auto-allow mode: Bash commands will attempt to run inside the sandbox and are automatically allowed without requiring permission. ... This means bash commands that modify files within the sandbox boundaries will execute without prompting."
What's Wrong or Missing?
There is a dangerous "blind spot" created by the interaction of these two features that is not explicitly called out.
When a user enables Sandbox Auto-allow mode, they are granting Claude the ability to execute Bash commands autonomously. If Claude decides to use a Bash command like rm or mv to delete or overwrite files, Checkpointing will not capture the state of those files.
Because the user is not prompted for permission in "Auto-allow" mode, they may not realize a destructive command has been run until after the data is gone, at which point /rewind will be unable to recover the lost files. The current documentation treats these as isolated limitations rather than a combined workflow risk.
Suggested Improvement
Add a high-visibility <Warning> block to the sandboxing.md file under the "Auto-allow mode" description.
Suggested Text for Sandboxing page:
<Warning> Risk of Unrecoverable Data Loss When using Auto-allow mode, Claude can autonomously execute Bash commands (such asrmormv) without prompting for approval. Crucially, Checkpointing does not track changes made via Bash commands. If Claude deletes or overwrites a file using a sandboxed Bash command, you will not be able to restore that file using the/rewindcommand. Always ensure you have an active version control system (e.g., Git) running alongside Claude Code when using Auto-allow mode. </Warning>
Additionally, add a cross-reference in the Limitations section of checkpointing.md:
"Bash command changes not tracked... Note: This is especially important if you have enabled Sandbox Auto-allow mode, as destructive Bash commands may be executed without a permission prompt and will not be recoverable via checkpoints."
Impact
High - Prevents users from using a feature
Additional Context
- Links to related documentation:
- Checkpointing Limitations
- Sandbox Modes
- Examples from other projects:
- Similar to how CLI tools like
rmwarn that they bypass the "Trash/Recycle Bin" on most OS documentations. Since Checkpointing acts as a "Local Undo/Trash," its inability to catch Bash-driven deletions is a major exception to the "safety net" mental model.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗