Sandbox improvement: Consider macOS Seatbelt for cleaner shell integration

Resolved 💬 2 comments Opened Feb 3, 2026 by binaryanomaly Closed Mar 5, 2026

Current Behavior

When running Bash commands in sandbox mode, zsh produces noisy permission errors like:

zsh:1: operation not permitted: /tmp/claude-501/cwd-045d

The commands succeed, but the exit code is 1 and the output is confusing. This happens because the sandbox blocks zsh from writing to temp files it uses for internal state.

Root Cause

Claude Code's sandbox uses an application-level approach with path allowlists. The shell runs normally but hits permission errors when trying to write to paths outside the allowlist (like /tmp/claude-*/cwd-*).

Suggested Improvement

Consider using macOS Seatbelt (the native sandbox), similar to how Gemini CLI implements sandboxing.

Benefits of Seatbelt:

  • OS-level enforcement (kernel-level, transparent to applications)
  • Shell runs normally inside the sandbox without spurious errors
  • Same technology Apple uses for App Store apps
  • Can use permissive profiles that restrict writes to current directory only

Alternatives

If Seatbelt is not feasible, a simpler fix would be:

  • Add /tmp/claude-*/cwd-* to the write allowlist
  • Or use a different mechanism to track working directory

References

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗