sandbox.filesystem.allowWrite not enforced for Write/Edit tools in bypassPermissions mode
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (not multiple bugs)
Bug Description
When using the Agent SDK with permissionMode: "bypassPermissions" and sandbox enabled, sandbox.filesystem.allowWrite restrictions are only enforced for the Bash tool (via bubblewrap/sandbox-exec). The Write, Edit, and other file-pattern tools run in-process via fs.writeFileSync and are not subject to bwrap filesystem isolation. Their access control comes entirely from permission rules, which bypassPermissions disables.
This means an agent can use the Write tool to create or modify files anywhere on the filesystem regardless of sandbox.filesystem.allowWrite configuration.
Steps to Reproduce
- Configure Agent SDK with:
``typescript``
permissionMode: "bypassPermissions",
allowDangerouslySkipPermissions: true,
sandbox: {
enabled: true,
filesystem: {
allowWrite: ["/tmp", "/path/to/project/.git"]
}
}
- The agent's Bash commands are correctly sandboxed —
bwrap --ro-bind / / --bind /tmp /tmp ...restricts filesystem writes at the OS level. - However, when the agent uses the Write tool (or Edit tool) to write to a path outside
allowWrite(e.g.,~/somefile.md), it succeeds.
Expected Behavior
sandbox.filesystem.allowWrite should restrict all file-writing tools, not just Bash. When sandbox is enabled, Write/Edit tools should be constrained to the same paths that bwrap allows for Bash commands.
Actual Behavior
- Bash tool:
wrapWithSandbox()wraps commands in bwrap with--ro-bind / /+--bindforallowWritepaths → filesystem restrictions enforced at OS level ✅ - Write/Edit tools: Execute
fs.writeFileSync()in-process, no bwrap wrapping. Access controlled by permission rules only, whichbypassPermissionsdisables → no filesystem restrictions ❌
Root Cause
The SDK docs hint at this in the allowWrite schema description: "Additional paths to allow writing within the sandbox. Merged with paths from Edit(...) allow permission rules." — the sandbox allowWrite is merged into bwrap bind mounts for Bash, but for Write/Edit, enforcement depends on permission rules. bypassPermissions disables those rules entirely, leaving Write/Edit unrestricted.
Affected Scenario
This primarily affects Agent SDK users running headless/autonomous agents with bypassPermissions who rely on sandbox configuration to restrict filesystem access. The agent can write outside its working directory, project directory, or any intended boundary.
Discovered Via
A planning agent configured with sandbox.enabled: true and allowWrite: [".git", "/tmp"] used the Write tool to create a file in $HOME — completely outside the project directory. The Bash tool would have been blocked by bwrap for the same path.
Suggested Fix
When sandbox is enabled, the Write/Edit tool handlers should check the target path against sandbox.filesystem.allowWrite (and denyWrite) before performing the write — independent of permissionMode. This would make the sandbox config authoritative for all file-writing operations, not just Bash.
Related Issues
- #20260 — Addresses
bypassPermissions+allowUnsandboxedCommandsallowing Bash to escape bwrap. This issue is about Write/Edit never entering bwrap regardless of configuration. - #17907 — About
filesystem.write.additionalPathsnot applying to Bash sandbox restrictions.
Environment
- Claude Code CLI version: 2.1.56 (bundled in
@anthropic-ai/claude-agent-sdk) - Platform: Linux (WSL2)
- Sandbox: bubblewrap (bwrap)
🤖 Generated with Claude Code
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗