[DOCS] Sandboxing docs overstate auto-allow behavior for dangerous `rm`/`rmdir` paths

Open 💬 3 comments Opened Apr 20, 2026 by coygeek

Documentation Type

Incorrect/outdated documentation

Documentation Location

https://code.claude.com/docs/en/sandboxing

Section/Topic

Sandbox modesAuto-allow mode

Current Documentation

The docs currently say:

Auto-allow mode: Bash commands will attempt to run inside the sandbox and are automatically allowed without requiring permission. Commands that cannot be sandboxed (such as those needing network access to non-allowed hosts) fall back to the regular permission flow. Explicit deny rules are always respected. Ask rules apply only to commands that fall back to the regular permission flow. Auto-allow mode works independently of your permission mode setting. Even if you're not in "accept edits" mode, sandboxed bash commands will run automatically when auto-allow is enabled. This means bash commands that modify files within the sandbox boundaries will execute without prompting, even when file edit tools would normally require approval.

Related permission docs also say:

When sandboxing is enabled with autoAllowBashIfSandboxed: true, which is the default, sandboxed Bash commands run without prompting even if your permissions include ask: Bash(*). The sandbox boundary substitutes for the per-command prompt.

What's Wrong or Missing?

Changelog v2.1.116 documents a security change: sandbox auto-allow no longer bypasses the dangerous-path safety check for rm/rmdir targeting /, $HOME, or other critical system directories.

The current docs describe sandbox auto-allow as if sandboxed Bash commands always run without prompting, with no documented exception for destructive rm/rmdir targets. That is now outdated and can mislead users or administrators into thinking autoAllowBashIfSandboxed suppresses all prompts for sandboxed filesystem deletions.

The missing nuance is that dangerous-path safety checks still apply to destructive rm/rmdir commands even in sandbox auto-allow mode, so these commands are not silently auto-approved just because sandboxing is enabled.

Suggested Improvement

Update the sandboxing and related permission docs to explicitly document this exception.

Suggested addition near the Auto-allow mode description:

Even in auto-allow mode, Claude Code still applies dangerous-path safety checks to destructive rm and rmdir commands. Targets such as /, $HOME, and other critical system directories are not silently auto-approved just because the command is sandboxed.

Also add a short cross-reference from the autoAllowBashIfSandboxed setting/reference docs so readers do not interpret it as a blanket bypass for destructive filesystem commands.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/sandboxing | Auto-allow mode says sandboxed Bash commands are automatically allowed and run without prompting |
| https://code.claude.com/docs/en/permissions | Says sandboxed Bash commands run without prompting when autoAllowBashIfSandboxed: true |
| https://code.claude.com/docs/en/settings | autoAllowBashIfSandboxed setting description says "Auto-approve bash commands when sandboxed" |
| https://code.claude.com/docs/en/agent-sdk/typescript | SandboxSettings.autoAllowBashIfSandboxed description says "Auto-approve bash commands when sandbox is enabled" |
| https://code.claude.com/docs/en/agent-sdk/python | SandboxSettings.autoAllowBashIfSandboxed description says "Auto-approve bash commands when sandbox is enabled" |

Total scope: 5 pages affected

Source: Changelog v2.1.116

Exact changelog entry:

Security: sandbox auto-allow no longer bypasses the dangerous-path safety check for rm/rmdir targeting /, $HOME, or other critical system directories

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗