[BUG] Sandbox issue

Resolved 💬 5 comments Opened May 15, 2026 by vt-nb Closed May 16, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

I'm using Claude Desktop 1.7196.0 (2dbd78) on MacOS with 3 accounts: personal Max account, Team, Claude via Bedrock). All accounts keeps showing annoying sandbox error

This happens even in Developer => Configure third-party inference => Sandbox & workspace: all these directories are listed as allowed workspace folders

What Should Happen?

These sandbox issues do not happened when I used Claude previous versions (and also before using Claude via Bedrock)

Error Messages/Logs

I'm hitting a sandbox-level wall: every write attempt fails in this session, regardless of path. I tested writes to:

/Users/userid/project/ (the project) → blocked
/Users/userid/.claude/plans/ (where plan mode wanted to write) → blocked
$TMPDIR (/tmp/claude-501/) → blocked
/tmp, /private/tmp/claude → blocked

All return Operation not permitted from the kernel sandbox, not a Unix-perm error. The system-prompt sandbox descriptor includes "/" in denyWithinAllow, which looks like the over-reaching deny rule blanket-blocking everything inside the allow list.

I can't implement the change from this session — Write, Edit, and Bash redirections will all fail until the sandbox is reset."

Claude itself finds this: The sandbox descriptor for writes shipped to this session contains:

"write.denyWithinAllow: [
  "/Users/userid/.claude/settings.json",
  "/Users/userid/project/.claude/settings.json",
  "/Users/userid/project/.claude/settings.local.json",
  "/tmp/claude-settings-44136fa355b3678a.json",
  "/Library/Application Support/ClaudeCode/managed-settings.json",
  "/Library/Application Support/ClaudeCode/managed-settings.d",
  "/Users/userid/project/.claude/skills",
  "/"                                      ← this is the killer
]"

I read all three settings.json files via cat (the Read tool is itself blocked for them):
~/.claude/settings.json — no permissions.deny, no Edit(/) rule
<project>/.claude/settings.json — no permissions.deny
<project>/.claude/settings.local.json — no permissions.deny

None of them contain a deny rule that would translate into a / entry in denyWithinAllow. The managed-settings file (/Library/Application Support/ClaudeCode/managed-settings.json) doesn't exist either. So this isn't user-configurable — Claude Code is computing/injecting the / itself.

Steps to Reproduce

Write bash script, push, run git

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.132 (Claude Code)

Platform

Anthropic API

Operating System

macOS 26.5

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗