Sandbox network proxy causes TLS failures for gh CLI (and other Go binaries)
Bug Description
gh CLI fails with TLS certificate verification errors when run inside Claude Code's sandbox, even when gh is in excludedCommands and api.github.com is in allowedHosts.
Error
Post "https://api.github.com/graphql": tls: failed to verify certificate: x509: OSStatus -26276
Environment
- OS: macOS (Darwin 23.6.0)
- Claude Code: Latest
- gh CLI: Latest
- Go: Uses native x509 certificate verification
Steps to Reproduce
- Add
ghtoexcludedCommandsin settings - Add
api.github.comandgithub.comtosandbox.allowedHosts - Run any
ghcommand from Claude Code (e.g.,gh api /zen) - Observe TLS verification failure
Expected Behavior
gh should be able to reach api.github.com without TLS errors, especially when:
- The host is in
allowedHosts - The binary is in
excludedCommands
Actual Behavior
The sandbox injects HTTPS_PROXY=http://localhost:<port> (and http_proxy, ALL_PROXY) into the shell environment for all commands, including those in excludedCommands. The proxy performs TLS MITM on outbound HTTPS connections. Go's x509 verifier rejects the proxy's injected certificate.
Root Cause Analysis
excludedCommandsonly bypasses filesystem sandboxing, not the network proxy. The proxy env vars are still injected.- The proxy does TLS MITM on all HTTPS traffic, even for hosts explicitly listed in
allowedHosts. - Go binaries are especially affected because Go's x509 verifier uses the OS certificate store and rejects the proxy's certificate (which isn't in the system trust store).
gitworks because it uses SSH (git@github.com:...), never hitting the HTTPS proxy.ghhas no SSH mode — it must use HTTPS.NO_PROXYis set by the sandbox but doesn't includeapi.github.com.- Managed settings
envcannot override proxy vars — the sandbox injects them after managed env vars.
Evidence
gh api /zenfails inside sandboxgh api /zenworks withdangerouslyDisableSandbox: true- Same
ghbinary, same auth token, same host — only difference is the proxy env vars
Suggested Fixes (any of these would resolve it)
excludedCommandsshould also exclude from the network proxy — don't injectHTTPS_PROXY/http_proxy/ALL_PROXYfor excluded binaries- Add a
sandbox.networkExcludedCommandssetting for binaries that should bypass the network proxy - Transparent passthrough for
allowedHosts— the proxy should not perform TLS MITM for hosts already in the allowlist; just pass the TLS connection through without intercepting
Current Workaround
Users must use dangerouslyDisableSandbox: true for every gh command, which defeats the purpose of the sandbox and requires manual approval each time.
Impact
This affects any Go binary (and potentially other languages with strict certificate verification) that needs to make HTTPS requests through the sandbox. gh is particularly impactful since it's a core developer tool for GitHub operations (creating PRs, checking CI status, managing issues).
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗