[BUG] Sandbox mode generates ~607k token system prompt with large permissions.deny list
Resolved 💬 5 comments Opened Feb 22, 2026 by jdoss Closed Apr 11, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Environment:
- Claude Code v2.1.50 (native ELF binary, not npm)
- Fedora 43, x86_64, kernel 6.18.9-200.fc43.x86_64
- bubblewrap 0.11.0
Steps to reproduce:
- Create settings.json with 33 permissions.deny rules (see below)
- Launch Claude Code
- Enable sandbox: /sandbox
- Send any message
Result: "prompt is too long: 607289 tokens > 200000 maximum"
Bisect result:
- 3 deny rules → sandbox works
- 33 deny rules → 607k tokens, sandbox broken
- Removing deny rules entirely → sandbox works
Minimal failing settings.json:
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"cleanupPeriodDays": 365,
"env": {
"DISABLE_TELEMETRY": "1",
"DISABLE_ERROR_REPORTING": "1",
"CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY": "1",
"CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1"
},
"permissions": {
"deny": [
"Bash(rm -rf *)",
"Bash(rm -fr *)",
"Bash(sudo *)",
"Bash(mkfs *)",
"Bash(dd *)",
"Bash(curl *|bash*)",
"Bash(wget *|bash*)",
"Bash(git push --force*)",
"Bash(git push *--force*)",
"Bash(git reset --hard*)",
"Edit(~/.bashrc)",
"Edit(~/.ssh/**)",
"Read(~/.ssh/**)",
"Read(~/.gnupg/**)",
"Read(~/.aws/**)",
"Read(~/.config/gh/**)",
"Read(~/.git-credentials)",
"Read(~/.docker/config.json)",
"Read(~/.kube/**)",
"Read(~/.pypirc)",
"Read(~/.config/google-chrome/**/Extensions/**)",
"Read(~/.config/chromium/**/Extensions/**)",
"Read(~/.config/BraveSoftware/**/Extensions/**)",
"Read(~/.mozilla/firefox/**/extensions/**)",
"Read(~/.electrum/**)",
"Read(~/.config/Exodus/**)",
"Read(~/.thunderbird/**)"
]
},
"enableAllProjectMcpServers": false,
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "CMD=$(jq -r '.tool_input.command'); if echo \"$CMD\" | grep -qE 'rm[[:space:]]+-[^[:space:]]*r[^[:space:]]*f'; then echo 'BLOCKED: Use trash instead of rm -rf' >&2; exit 2; fi"
},
{
"type": "command",
"command": "CMD=$(jq -r '.tool_input.command'); if echo \"$CMD\" | grep -qE 'git[[:space:]]+push.*(main|master)'; then echo 'BLOCKED: Use feature branches, not direct push to main' >&2; exit 2; fi"
}
]
}
]
},
"statusLine": {
"type": "command",
"command": "~/.claude/statusline.sh"
},
"alwaysThinkingEnabled": true,
"model": "sonnet"
}
Cutting the deny list down to this:
"permissions": {
"deny": [
"Bash(rm -rf *)",
"Bash(rm -fr *)",
"Bash(sudo *)",
"Bash(mkfs *)",
"Bash(dd *)",
"Bash(curl *|bash*)",
"Bash(wget *|bash*)",
"Bash(git push --force*)",
"Bash(git push *--force*)",
"Bash(git reset --hard*)",
"Edit(~/.bashrc)",
"Edit(~/.ssh/**)",
"Read(~/.ssh/**)",
"Read(~/.aws/**)"
]
},
lets /sandbox work.
What Should Happen?
Claude should work with /sandbox with a large deny list.
Error Messages/Logs
Steps to Reproduce
Steps to reproduce:
- Create settings.json with 33 permissions.deny rules (see below)
- Launch Claude Code
- Enable sandbox: /sandbox
- Send any message
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
v2.1.50
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
_No response_
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗