Sandbox blocks Unix domain socket IPC with credential managers (rbw/Bitwarden CLI)

Resolved 💬 3 comments Opened Apr 23, 2026 by pleasedodisturb Closed May 29, 2026

Problem

The macOS Seatbelt sandbox blocks Unix domain socket operations (connect(), bind(), listen()), preventing CLI tools that communicate with local daemon processes via Unix sockets from working inside Claude Code sessions.

Specific case: rbw (unofficial Bitwarden CLI) communicates with rbw-agent via a Unix domain socket at /var/folders/.../rbw-501/socket. Any rbw get call from inside a sandboxed Claude Code session fails with:

failed to listen on socket: Operation not permitted (os error 1)

This affects autonomous agent workflows where agents need runtime access to secrets (API keys, tokens) stored in a password manager.

Reproduction

  1. Install rbw (brew install rbw) and configure with a Bitwarden vault
  2. Unlock rbw from a terminal: rbw unlock
  3. Start a Claude Code session (sandbox enabled in settings.json)
  4. Ask Claude to run: rbw get "any-entry"
  5. Result: Operation not permitted — socket connection blocked by Seatbelt

What doesn't work

  • excludedCommands: ["rbw"] — only bypasses filesystem restrictions, not Seatbelt IPC restrictions (#16076, #31551)
  • allowUnixSockets — only covers connect(), not bind()/listen() (#41817)
  • allowUnsandboxedCommands: true — does not actually disable the built-in Seatbelt profile for Bash subprocesses
  • Starting rbw-agent before Claude Code launch — agent runs fine, but Claude's process still can't connect() to its socket

Current workaround

Cache secrets to files at shell startup (before Claude launches), inject via $RBW_CACHE_DIR env var. Hooks and agents read cached files instead of calling rbw. This works but is a security downgrade — secrets sit as plaintext files instead of being vault-on-demand.

Impact

This blocks the recommended security pattern for autonomous agents: using a credential manager for runtime secret access with audit logging. The only alternative is pre-caching secrets to disk, which:

  • Eliminates vault-on-demand security (secrets persist as files until reboot)
  • Requires knowing upfront which secrets agents need
  • Can't handle short-lived or rotated tokens

Proposed solutions (any of these would fix it)

  1. Path-scoped allowUnixSockets that covers connect() + bind() + listen() — let users allowlist specific socket paths
  2. Fix excludedCommands to fully bypass Seatbelt for named binaries, including IPC restrictions (#31551)
  3. Add allowedSocketPaths as a new sandbox config option in settings.json
  4. Native secret reference resolution in settings.json (similar to #23642 for 1Password op:// references)

Related issues

  • #40209 — 1Password op CLI blocked by sandbox (Mach IPC variant of same problem)
  • #41817 — allowUnixSockets doesn't cover bind()
  • #50165 — Socket creation blocked in TMPDIR
  • #31551 — excludedCommands should bypass Mach port / IPC restrictions
  • #16076 — excludedCommands and allowUnixSockets silently ignored
  • #29533 — gh CLI TLS failures (Go Security.framework blocked by sandbox)
  • #44195 — Keychain access blocked (closed as not_planned)
  • #23642 — Native 1Password secret references in settings.json

Environment

  • macOS 15.x (Sequoia), Apple Silicon
  • Claude Code 2.1.x
  • rbw 1.15.0 (Rust Bitwarden CLI with background agent)
  • sandbox.enabled: true, allowUnsandboxedCommands: true

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗