[FEATURE] Allow configuration of custom sandbox profiles

Resolved 💬 3 comments Opened Mar 4, 2026 by fmarl Closed Apr 1, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Hello everyone,

During a test of the sandbox, I've discovered that with the current sandbox policy, it is possible to enumerate and read the arguments and environment variables of most processes running on the system under macOS.
Even though storing secrets in environment variables is considered an anti-pattern, many tools require it, and these can leak into the Claude sandbox.

I understand that it may not be practical for all users to adjust the policy. However, it would be useful to be able to pass completely separate sandbox policies to the Claude config, so that our security team has more control over the sandbox.

Example: we want to set (deny sysctl-read (sysctl-name-prefix "kern.proc"))) or something similar, and it gets merged with your seatbelt profile.

Thank you.

Proposed Solution

I want to be able to set something like that in the settings.json:

{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  ...
  "sandbox": {
      "enabled": true,
      "extraProfiles": {
  	  "darwin": [
  	      "./company-seatbelt-policy.sb"
  	  ]
      }
  }
}

Alternative Solutions

_No response_

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

_No response_

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗