[FEATURE] /sandbox needs mode switching and allowlist management

Resolved 💬 3 comments Opened Apr 20, 2026 by arechste Closed Apr 24, 2026

Summary

/sandbox today is a binary on/off toggle per project. Users who hit sandbox-caused failures (TLS proxy breaking gh, blocked network hosts, denied writes) can only disable the whole sandbox — losing the protection for every other tool in the session. We need a way to manage the sandbox's modes and allow lists interactively.

Problem

The sandbox exposes rich controls in settings (filesystem read/write allowlists, network allowedHosts, per-command overrides), but /sandbox only flips the whole thing. In practice this leads to:

  • One TLS/proxy failure for a single tool (e.g. gh) pushes the user to disable sandboxing entirely for the project.
  • No quick way to add a host to allowedHosts without editing settings.json by hand and restarting.
  • No quick way to scope an exclusion to a single command (e.g. "let gh bypass, keep everything else sandboxed").
  • No visibility into which restriction caused a given failure — users are left guessing between filesystem, network, or cert interception.

Requested

/sandbox (interactive, like /permissions) with at least:

  • Mode switch: enabled / disabled / a middle ground ("network-open", "fs-open", etc.)
  • Allowlist management:
  • Add/remove hosts in allowedHosts
  • Add/remove paths in read/write allowlists
  • View the current effective config (merged global + project + local)
  • Per-command overrides: mark specific commands as sandbox-exempt (today this requires dangerouslyDisableSandbox: true on every individual call, which the model has to remember to set)
  • Diagnostic mode: when a command fails, surface which sandbox rule rejected it (filesystem / network / TLS-proxy) so users can make a targeted fix

Concrete repro that motivated this

Fresh session, default sandbox config, github.com already in allowedHosts:

  1. Run gh api rate_limit → fails with tls: failed to verify certificate: x509: OSStatus -26276
  2. Run gh auth status → reports the token as invalid (it isn't — the auth-validation call is also going through the proxy and failing the same way, and gh interprets that as an invalid token)
  3. Only remediation was /sandbox → disable for the whole project

The sandbox's TLS MITM is working as designed (cert interception on an allowed host) — but there's no in-product way to say "trust the sandbox CA for gh" or "let gh bypass the proxy" without dropping sandbox across the board. Related existing bug: #45637.

Environment

  • macOS 26.4.1 (Darwin 25.4.0)
  • Claude Code CLI, gh 2.90.0

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗