Sandbox blocks Unix domain socket IPC with credential managers (rbw/Bitwarden CLI)
Problem
The macOS Seatbelt sandbox blocks Unix domain socket operations (connect(), bind(), listen()), preventing CLI tools that communicate with local daemon processes via Unix sockets from working inside Claude Code sessions.
Specific case: rbw (unofficial Bitwarden CLI) communicates with rbw-agent via a Unix domain socket at /var/folders/.../rbw-501/socket. Any rbw get call from inside a sandboxed Claude Code session fails with:
failed to listen on socket: Operation not permitted (os error 1)
This affects autonomous agent workflows where agents need runtime access to secrets (API keys, tokens) stored in a password manager.
Reproduction
- Install
rbw(brew install rbw) and configure with a Bitwarden vault - Unlock rbw from a terminal:
rbw unlock - Start a Claude Code session (sandbox enabled in settings.json)
- Ask Claude to run:
rbw get "any-entry" - Result:
Operation not permitted— socket connection blocked by Seatbelt
What doesn't work
excludedCommands: ["rbw"]— only bypasses filesystem restrictions, not Seatbelt IPC restrictions (#16076, #31551)allowUnixSockets— only coversconnect(), notbind()/listen()(#41817)allowUnsandboxedCommands: true— does not actually disable the built-in Seatbelt profile for Bash subprocesses- Starting
rbw-agentbefore Claude Code launch — agent runs fine, but Claude's process still can'tconnect()to its socket
Current workaround
Cache secrets to files at shell startup (before Claude launches), inject via $RBW_CACHE_DIR env var. Hooks and agents read cached files instead of calling rbw. This works but is a security downgrade — secrets sit as plaintext files instead of being vault-on-demand.
Impact
This blocks the recommended security pattern for autonomous agents: using a credential manager for runtime secret access with audit logging. The only alternative is pre-caching secrets to disk, which:
- Eliminates vault-on-demand security (secrets persist as files until reboot)
- Requires knowing upfront which secrets agents need
- Can't handle short-lived or rotated tokens
Proposed solutions (any of these would fix it)
- Path-scoped
allowUnixSocketsthat coversconnect()+bind()+listen()— let users allowlist specific socket paths - Fix
excludedCommandsto fully bypass Seatbelt for named binaries, including IPC restrictions (#31551) - Add
allowedSocketPathsas a new sandbox config option in settings.json - Native secret reference resolution in settings.json (similar to #23642 for 1Password
op://references)
Related issues
- #40209 — 1Password
opCLI blocked by sandbox (Mach IPC variant of same problem) - #41817 —
allowUnixSocketsdoesn't coverbind() - #50165 — Socket creation blocked in TMPDIR
- #31551 —
excludedCommandsshould bypass Mach port / IPC restrictions - #16076 —
excludedCommandsandallowUnixSocketssilently ignored - #29533 —
ghCLI TLS failures (Go Security.framework blocked by sandbox) - #44195 — Keychain access blocked (closed as not_planned)
- #23642 — Native 1Password secret references in settings.json
Environment
- macOS 15.x (Sequoia), Apple Silicon
- Claude Code 2.1.x
- rbw 1.15.0 (Rust Bitwarden CLI with background agent)
- sandbox.enabled: true, allowUnsandboxedCommands: true
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗