[FEATURE] Support wildcard/regex for `sandbox.network.allowUnixSockets` on macOS

Resolved 💬 5 comments Opened Mar 18, 2026 by cflee Closed May 21, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

I would like Claude Code to be able to run git commit using the Bash tool inside the sandbox, when git is configured to sign commits using SSH keys.

For ssh keys that have a passphrase, the git/ssh processes involved running inside the sandbox need to have access to the SSH agent over the unix socket listed in the SSH_AUTH_SOCK env var. On macOS, the system provided ssh-agent socket is at a path that looks like /private/tmp/com.apple.launchd.AAAAAAAAAA/Listeners, where the directory name is different for each user session, it changes every time.

Proposed Solution

Have sandbox.network.allowUnixSockets support wildcards, so that I can set it to ["/private/tmp/com.apple.launchd.*/Listeners"] to allow access to those launchd-managed ssh-agent unix sockets. For macOS sandbox this would be switching from subpath to regex predicate.

Alternatively, have a specific sandbox setting that has the effect of allowing access to whatever socket the environment's SSH_AUTH_SOCK env var points to.

Alternative Solutions

If I set sandbox.network.allowAllUnixSockets to true, then all the unix sockets on the filesystem become accessible, which is not my intended behaviour. I would like to avoid exposing other unix sockets.

Possible workaround: we may be able to exclude git (or just git commit) from the sandbox, but I would prefer to run as many commands inside the sandbox as possible.

Workaround: we can manually approve the retry of Bash tool command outside the sandbox. This works but we have to wait for the fail and thinking and then the prompt to dangerously retry outside of sandbox.

Priority

Medium - Would be very helpful

Feature Category

Configuration and settings

Use Case Example

Scenario:

  1. My machine is set up to perform Git commit signing using SSH keys. This lives in my ~/.gitconfig file, which all git operations running inside the sandbox already follow.

``
[user]
signingkey = /Users/redacted/.ssh/id_ed25519.pub
[gpg]
format = ssh
[commit]
gpgsign = true
`
The private key for the signing key is already loaded into an ssh-agent on macOS, i.e.
ssh-add ...`

  1. Claude Code works on some changes
  2. Claude Code decides or is told to git commit
  3. Claude Code uses the Bash tool to run various git commands including git commit

Additional Context

Previous feature request that was closed due to age: #19932

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗