[BUG] Sandbox read deny paths incorrectly prefixed with `~/.claude/` directory
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When configuring read deny rules in ~/.claude/settings.json, the sandbox configuration appears to
incorrectly prepend the .claude directory path to user-specified paths, rendering the deny rules
ineffective.
What Should Happen?
Expected Behavior:
The sandbox should deny reads from /Users/username/src/** as specified, and the runtime sandbox
configuration should show:
"read": {
"denyOnly": [
"/Users/username/src"
]
}
Actual Behavior:
The runtime sandbox configuration shows the path incorrectly prefixed:
"read": {
"denyOnly": [
"/Users/username/.claude/Users/username/src"
]
}
This malformed path doesn't exist, so the deny rule has no effect and Claude can read files that should
be restricted.
Error Messages/Logs
Steps to Reproduce
- Configure ~/.claude/settings.json with deny rules:
```json
{
"permissions": {
"deny": [
"Read(/Users/username/src/)",
"Write(/Users/username/src/)"
]
}
}
2. Start Claude Code in a directory under /Users/username/src/
3. Ask Claude to read a file in that directory
### Claude Model
Opus
### Is this a regression?
I don't know
### Last Working Version
_No response_
### Claude Code Version
2.1.29 (Claude Code)
### Platform
Anthropic API
### Operating System
macOS
### Terminal/Shell
iTerm2
### Additional Information
_No response_This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗