sandbox: enableWeakerNetworkIsolation not wired from settings to sandbox-runtime config
Bug Description
sandbox.enableWeakerNetworkIsolation: true in project .claude/settings.json has no effect. The setting is defined in the sandbox-runtime library schema and correctly adds (allow mach-lookup (global-name "com.apple.trustd.agent")) to the Seatbelt profile, but Claude Code's settings-to-sandbox-config translator omits it.
This causes all Go-based CLI tools (gh, terraform, kubectl, etc.) to fail TLS verification inside the sandbox on macOS.
Root Cause (binary analysis of v2.1.59)
1. Settings validator strips the key. The allowed keys for the sandbox section do not include enableWeakerNetworkIsolation:
// From minified source in v2.1.59 binary
sandbox: new Set([
"network", "ignoreViolations", "excludedCommands",
"autoAllowBashIfSandboxed", "enableWeakerNestedSandbox"
// ← enableWeakerNetworkIsolation is MISSING
])
2. Config translator does not pass it. The function that builds SandboxRuntimeConfig from user settings maps enableWeakerNestedSandbox but not enableWeakerNetworkIsolation:
return {
network: { allowedDomains: A, deniedDomains: _, ... },
filesystem: { denyRead: $, allowWrite: B, denyWrite: D },
ignoreViolations: T.sandbox?.ignoreViolations,
enableWeakerNestedSandbox: T.sandbox?.enableWeakerNestedSandbox,
// enableWeakerNetworkIsolation: T.sandbox?.enableWeakerNetworkIsolation ← MISSING
ripgrep: W
}
3. The sandbox-runtime library handles it correctly. In @anthropic-ai/sandbox-runtime (open source), the SandboxRuntimeConfig schema accepts enableWeakerNetworkIsolation, and generateSandboxProfile() correctly adds the trustd mach-lookup rule when it's true. The code path works end-to-end — only the Claude Code application layer fails to wire it through.
Steps to Reproduce
- Add to
.claude/settings.json:
``json``
{ "sandbox": { "enableWeakerNetworkIsolation": true } }
- Restart Claude Code
- Run
gh api /zenfrom a Bash tool call - Observe:
tls: failed to verify certificate: x509: OSStatus -26276 - Run the same command with
dangerouslyDisableSandbox: true - Observe: succeeds (trustd accessible, real cert verified through tunnel)
Proof the sandbox-runtime library works
When run outside sandbox-exec (dangerouslyDisableSandbox: true), the proxy correctly tunnels CONNECT requests (no MITM), and Go verifies GitHub's real certificate via the Security framework → trustd. The macOS system log confirms trustd is accessed successfully:
gh: [com.apple.xpc:connection] activating connection: name=com.apple.trustd.agent
trustd: [com.apple.xpc:connection] activating connection: name=com.apple.trustd.agent.peer[7742]
Fix
Two lines in the Claude Code source:
- Add
"enableWeakerNetworkIsolation"to the sandbox settings validator's allowed keys set - Add
enableWeakerNetworkIsolation: T.sandbox?.enableWeakerNetworkIsolationto the config translator return object
Related
- #26466 (Go TLS tools fail — same root cause)
@anthropic-ai/sandbox-runtimesandbox-config.ts L192-200 — library schema is correct@anthropic-ai/sandbox-runtimemacos-sandbox-utils.ts L383-388 — profile generation is correct
Environment
- Claude Code: 2.1.59
- macOS: Darwin 25.2.0 (arm64)
- gh: linked to Security.framework (cgo)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗