[BUG] Sandbox read deny paths incorrectly prefixed with `~/.claude/` directory

Resolved 💬 3 comments Opened Feb 3, 2026 by cloud-j-luna Closed Mar 5, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When configuring read deny rules in ~/.claude/settings.json, the sandbox configuration appears to
incorrectly prepend the .claude directory path to user-specified paths, rendering the deny rules
ineffective.

What Should Happen?

Expected Behavior:

The sandbox should deny reads from /Users/username/src/** as specified, and the runtime sandbox
configuration should show:

  "read": {
    "denyOnly": [
      "/Users/username/src"
    ]
  }

Actual Behavior:

The runtime sandbox configuration shows the path incorrectly prefixed:

  "read": {
    "denyOnly": [
      "/Users/username/.claude/Users/username/src"
    ]
  }

This malformed path doesn't exist, so the deny rule has no effect and Claude can read files that should
be restricted.

Error Messages/Logs

Steps to Reproduce

  1. Configure ~/.claude/settings.json with deny rules:

```json
{
"permissions": {
"deny": [
"Read(/Users/username/src/)",
"Write(/Users/username/src/
)"
]
}
}


  2. Start Claude Code in a directory under /Users/username/src/
  3. Ask Claude to read a file in that directory

### Claude Model

Opus

### Is this a regression?

I don't know

### Last Working Version

_No response_

### Claude Code Version

2.1.29 (Claude Code)

### Platform

Anthropic API

### Operating System

macOS

### Terminal/Shell

iTerm2

### Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗