Sandbox improvement: Consider macOS Seatbelt for cleaner shell integration
Resolved 💬 2 comments Opened Feb 3, 2026 by binaryanomaly Closed Mar 5, 2026
Current Behavior
When running Bash commands in sandbox mode, zsh produces noisy permission errors like:
zsh:1: operation not permitted: /tmp/claude-501/cwd-045d
The commands succeed, but the exit code is 1 and the output is confusing. This happens because the sandbox blocks zsh from writing to temp files it uses for internal state.
Root Cause
Claude Code's sandbox uses an application-level approach with path allowlists. The shell runs normally but hits permission errors when trying to write to paths outside the allowlist (like /tmp/claude-*/cwd-*).
Suggested Improvement
Consider using macOS Seatbelt (the native sandbox), similar to how Gemini CLI implements sandboxing.
Benefits of Seatbelt:
- OS-level enforcement (kernel-level, transparent to applications)
- Shell runs normally inside the sandbox without spurious errors
- Same technology Apple uses for App Store apps
- Can use permissive profiles that restrict writes to current directory only
Alternatives
If Seatbelt is not feasible, a simpler fix would be:
- Add
/tmp/claude-*/cwd-*to the write allowlist - Or use a different mechanism to track working directory
References
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗