[FEATURE] /sandbox needs mode switching and allowlist management
Summary
/sandbox today is a binary on/off toggle per project. Users who hit sandbox-caused failures (TLS proxy breaking gh, blocked network hosts, denied writes) can only disable the whole sandbox — losing the protection for every other tool in the session. We need a way to manage the sandbox's modes and allow lists interactively.
Problem
The sandbox exposes rich controls in settings (filesystem read/write allowlists, network allowedHosts, per-command overrides), but /sandbox only flips the whole thing. In practice this leads to:
- One TLS/proxy failure for a single tool (e.g.
gh) pushes the user to disable sandboxing entirely for the project. - No quick way to add a host to
allowedHostswithout editingsettings.jsonby hand and restarting. - No quick way to scope an exclusion to a single command (e.g. "let
ghbypass, keep everything else sandboxed"). - No visibility into which restriction caused a given failure — users are left guessing between filesystem, network, or cert interception.
Requested
/sandbox (interactive, like /permissions) with at least:
- Mode switch: enabled / disabled / a middle ground ("network-open", "fs-open", etc.)
- Allowlist management:
- Add/remove hosts in
allowedHosts - Add/remove paths in read/write allowlists
- View the current effective config (merged global + project + local)
- Per-command overrides: mark specific commands as sandbox-exempt (today this requires
dangerouslyDisableSandbox: trueon every individual call, which the model has to remember to set) - Diagnostic mode: when a command fails, surface which sandbox rule rejected it (filesystem / network / TLS-proxy) so users can make a targeted fix
Concrete repro that motivated this
Fresh session, default sandbox config, github.com already in allowedHosts:
- Run
gh api rate_limit→ fails withtls: failed to verify certificate: x509: OSStatus -26276 - Run
gh auth status→ reports the token as invalid (it isn't — the auth-validation call is also going through the proxy and failing the same way, andghinterprets that as an invalid token) - Only remediation was
/sandbox→ disable for the whole project
The sandbox's TLS MITM is working as designed (cert interception on an allowed host) — but there's no in-product way to say "trust the sandbox CA for gh" or "let gh bypass the proxy" without dropping sandbox across the board. Related existing bug: #45637.
Environment
- macOS 26.4.1 (Darwin 25.4.0)
- Claude Code CLI,
gh2.90.0
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗