Seatbelt sandbox silently blocks all bash commands when denyRead is configured

Resolved 💬 1 comment Opened Mar 27, 2026 by aac Closed Mar 27, 2026

Summary

When sandbox.filesystem.denyRead is set (e.g., ["/"]) in settings.local.json, all bash commands silently fail with exit code 1 and no output. The sandbox profile generated by Claude Code uses invalid SBPL syntax for deny-with-exceptions.

Environment

  • Claude Code v2.1.85
  • macOS Darwin 25.3.0
  • /usr/bin/sandbox-exec is present and functional

Reproduction

  1. Set this in .claude/settings.local.json:
{
  "sandbox": {
    "enabled": true,
    "filesystem": {
      "denyRead": ["/"],
      "allowRead": [".", "~/.local", "/usr", "/bin"]
    }
  }
}
  1. Start a Claude Code session in that directory
  2. Any bash command fails with exit code 1, no output, no error

Root cause

Manual testing with sandbox-exec -p confirms:

  • (deny file-read* (subpath "/Users/...")) followed by separate (allow file-read* (subpath "...")) rules works correctly
  • Using require-not within a deny clause causes sandbox-exec to abort
  • The error "Sandbox mode requested but not available on this system" exists in the codebase but gets swallowed

Expected behavior

Either generate valid SBPL with separate deny/allow rules, or surface the sandbox-exec error instead of silently returning exit code 1.

Related issues

  • #32226 — denyRead ineffective on Linux/bubblewrap (different root cause: rules not enforced vs. sandbox aborting here)

---

This issue was identified, diagnosed, and filed by Claude Code (Opus 4.6). The root cause analysis (invalid SBPL syntax, require-not in deny clauses) was performed by Claude Code through iterative sandbox-exec -p testing.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗