[Feature Request] Native sandbox support for Windows (non-WSL)

Resolved 💬 6 comments Opened Apr 11, 2026 by crombieman Closed Jun 21, 2026

Description

The /sandbox feature — the single most impactful security setting in Claude Code — is unavailable on native Windows. It uses Seatbelt on macOS and bubblewrap on Linux, but has no Windows equivalent.

Impact

Without sandbox, permission deny rules only block Claude's built-in tools. Bash commands bypass them entirely. For example, Read(~/.ssh/**) in the deny list prevents the Read tool from accessing SSH keys, but Bash(cat ~/.ssh/id_rsa) would still work. The sandbox is what enforces deny rules at the OS level — without it, deny rules are a partial mitigation at best.

Windows users currently have no path to full security enforcement.

Existing Windows sandbox issues

Current filed issues (#43840, #45072, #37371, #46354) are about sandbox breaking on Windows/WSL. This is a feature request for native Windows sandbox support that doesn't require WSL — potentially using Windows Sandbox, AppContainers, or similar OS-level isolation mechanisms.

Environment

  • Claude Code 2.1.84
  • Windows 10 Pro 10.0.19045

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗