[BUG] Sandbox mode generates ~607k token system prompt with large permissions.deny list

Resolved 💬 5 comments Opened Feb 22, 2026 by jdoss Closed Apr 11, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Environment:

  • Claude Code v2.1.50 (native ELF binary, not npm)
  • Fedora 43, x86_64, kernel 6.18.9-200.fc43.x86_64
  • bubblewrap 0.11.0

Steps to reproduce:

  1. Create settings.json with 33 permissions.deny rules (see below)
  2. Launch Claude Code
  3. Enable sandbox: /sandbox
  4. Send any message

Result: "prompt is too long: 607289 tokens > 200000 maximum"

Bisect result:

  • 3 deny rules → sandbox works
  • 33 deny rules → 607k tokens, sandbox broken
  • Removing deny rules entirely → sandbox works

Minimal failing settings.json:

{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  "cleanupPeriodDays": 365,
  "env": {
    "DISABLE_TELEMETRY": "1",
    "DISABLE_ERROR_REPORTING": "1",
    "CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY": "1",
    "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1"
  },
  "permissions": {
    "deny": [
      "Bash(rm -rf *)",
      "Bash(rm -fr *)",
      "Bash(sudo *)",
      "Bash(mkfs *)",
      "Bash(dd *)",
      "Bash(curl *|bash*)",
      "Bash(wget *|bash*)",
      "Bash(git push --force*)",
      "Bash(git push *--force*)",
      "Bash(git reset --hard*)",
      "Edit(~/.bashrc)",
      "Edit(~/.ssh/**)",
      "Read(~/.ssh/**)",
      "Read(~/.gnupg/**)",
      "Read(~/.aws/**)",
      "Read(~/.config/gh/**)",
      "Read(~/.git-credentials)",
      "Read(~/.docker/config.json)",
      "Read(~/.kube/**)",
      "Read(~/.pypirc)",
      "Read(~/.config/google-chrome/**/Extensions/**)",
      "Read(~/.config/chromium/**/Extensions/**)",
      "Read(~/.config/BraveSoftware/**/Extensions/**)",
      "Read(~/.mozilla/firefox/**/extensions/**)",
      "Read(~/.electrum/**)",
      "Read(~/.config/Exodus/**)",
      "Read(~/.thunderbird/**)"
    ]
  },
  "enableAllProjectMcpServers": false,
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "CMD=$(jq -r '.tool_input.command'); if echo \"$CMD\" | grep -qE 'rm[[:space:]]+-[^[:space:]]*r[^[:space:]]*f'; then echo 'BLOCKED: Use trash instead of rm -rf' >&2; exit 2; fi"
          },
          {
            "type": "command",
            "command": "CMD=$(jq -r '.tool_input.command'); if echo \"$CMD\" | grep -qE 'git[[:space:]]+push.*(main|master)'; then echo 'BLOCKED: Use feature branches, not direct push to main' >&2; exit 2; fi"
          }
        ]
      }
    ]
  },
  "statusLine": {
    "type": "command",
    "command": "~/.claude/statusline.sh"
  },
  "alwaysThinkingEnabled": true,
  "model": "sonnet"
}

Cutting the deny list down to this:

  "permissions": {
    "deny": [
      "Bash(rm -rf *)",
      "Bash(rm -fr *)",
      "Bash(sudo *)",
      "Bash(mkfs *)",
      "Bash(dd *)",
      "Bash(curl *|bash*)",
      "Bash(wget *|bash*)",
      "Bash(git push --force*)",
      "Bash(git push *--force*)",
      "Bash(git reset --hard*)",
      "Edit(~/.bashrc)",
      "Edit(~/.ssh/**)",
      "Read(~/.ssh/**)",
      "Read(~/.aws/**)"
    ]
  },

lets /sandbox work.

What Should Happen?

Claude should work with /sandbox with a large deny list.

Error Messages/Logs

Steps to Reproduce

Steps to reproduce:

  1. Create settings.json with 33 permissions.deny rules (see below)
  2. Launch Claude Code
  3. Enable sandbox: /sandbox
  4. Send any message

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

v2.1.50

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗