VS Code/Cursor extension should pass --sandbox flag when sandbox is enabled in settings.json

Resolved 💬 3 comments Opened Mar 10, 2026 by morinmagnus Closed Mar 14, 2026

Summary

The sandbox configuration in ~/.claude/settings.json is not enforced when Claude Code runs inside the VS Code or Cursor extension. The extension spawns the native binary without the --sandbox flag, so the macOS Seatbelt profile is never applied — even when sandbox.enabled: true is set.

Current behavior

  1. User sets sandbox.enabled: true in ~/.claude/settings.json
  2. Extension spawns: .../native-binary/claude --output-format stream-json ... --setting-sources user,project,local
  3. No --sandbox flag → Seatbelt not applied → Bash can write anywhere (Desktop, Downloads, etc.)

Verified by writing a test file to ~/Desktop from inside a Cursor session with sandbox enabled — succeeded without restriction.

Expected behavior

When sandbox.enabled: true is present in settings.json (loaded via --setting-sources), the extension should either:

  • Pass --sandbox to the spawned process, or
  • The native binary should self-apply the Seatbelt profile when it reads sandbox.enabled: true from settings

Context

The SDK plumbing exists — extension.js destructures a sandbox option and passes it through to the process spawner via gs(z,v). But the VS Code/Cursor extension never sets this option from its side.

The claude-code-settings.schema.json shipped with the extension includes the full sandbox schema (filesystem, network, excludedCommands, etc.), confirming it's a supported config surface.

Environment

  • Claude Code extension: v2.1.71 / v2.1.72 (Cursor)
  • macOS Darwin 25.3.0 (arm64)
  • Settings file: ~/.claude/settings.json with sandbox.enabled: true

Workaround

Run claude --sandbox from CLI instead of using the extension. Inside the extension, rely on PreToolUse hooks (.claude/hooks/safety.sh) as a substitute guard.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗