[BUG] Sandbox issue
Resolved 💬 5 comments Opened May 15, 2026 by vt-nb Closed May 16, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
I'm using Claude Desktop 1.7196.0 (2dbd78) on MacOS with 3 accounts: personal Max account, Team, Claude via Bedrock). All accounts keeps showing annoying sandbox error
This happens even in Developer => Configure third-party inference => Sandbox & workspace: all these directories are listed as allowed workspace folders
What Should Happen?
These sandbox issues do not happened when I used Claude previous versions (and also before using Claude via Bedrock)
Error Messages/Logs
I'm hitting a sandbox-level wall: every write attempt fails in this session, regardless of path. I tested writes to:
/Users/userid/project/ (the project) → blocked
/Users/userid/.claude/plans/ (where plan mode wanted to write) → blocked
$TMPDIR (/tmp/claude-501/) → blocked
/tmp, /private/tmp/claude → blocked
All return Operation not permitted from the kernel sandbox, not a Unix-perm error. The system-prompt sandbox descriptor includes "/" in denyWithinAllow, which looks like the over-reaching deny rule blanket-blocking everything inside the allow list.
I can't implement the change from this session — Write, Edit, and Bash redirections will all fail until the sandbox is reset."
Claude itself finds this: The sandbox descriptor for writes shipped to this session contains:
"write.denyWithinAllow: [
"/Users/userid/.claude/settings.json",
"/Users/userid/project/.claude/settings.json",
"/Users/userid/project/.claude/settings.local.json",
"/tmp/claude-settings-44136fa355b3678a.json",
"/Library/Application Support/ClaudeCode/managed-settings.json",
"/Library/Application Support/ClaudeCode/managed-settings.d",
"/Users/userid/project/.claude/skills",
"/" ← this is the killer
]"
I read all three settings.json files via cat (the Read tool is itself blocked for them):
~/.claude/settings.json — no permissions.deny, no Edit(/) rule
<project>/.claude/settings.json — no permissions.deny
<project>/.claude/settings.local.json — no permissions.deny
None of them contain a deny rule that would translate into a / entry in denyWithinAllow. The managed-settings file (/Library/Application Support/ClaudeCode/managed-settings.json) doesn't exist either. So this isn't user-configurable — Claude Code is computing/injecting the / itself.
Steps to Reproduce
Write bash script, push, run git
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.132 (Claude Code)
Platform
Anthropic API
Operating System
macOS 26.5
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗