[FEATURE] Add sandbox.filesystem.allowRead
Resolved 💬 4 comments Opened Mar 6, 2026 by Voxar Closed May 12, 2026
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
The sandbox does not have protective enough read defaults so we need to configure that ourselves by setting sandbox.filesystem.denyRead: ["//"]. Now Claude can not read its own configuration dir on startup which means that the sandboxing seems to be working as expected. But we lack any means of giving selective read access to config and project folders.
Proposed Solution
Add sandbox.filesystem.allowRead to add overrides to denyRead
Alternative Solutions
_No response_
Priority
Critical - Blocking my work
Feature Category
Configuration and settings
Use Case Example
I want to feel confident that Claude does not have unbounded access to my private files. I want to deny all and only allow exactly what it needs.
Additional Context
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗