Feature request: Hard workspace boundary enforcement for project isolation
Problem
When Claude Code is used in a multi-project environment (e.g., multiple repos on the same machine), there is no hard enforcement preventing the agent from reading/writing files outside the current project's git root.
Observed behavior
An agent invoked in Project A attempted to modify source files in Project B (a sibling directory). The agent had knowledge of Project B's file paths and proceeded to edit them without any barrier.
Current state
- The working directory is set correctly based on the project context
- There is no filesystem-level sandbox preventing access to arbitrary paths
Read,Write,Edit, andBashtools can all access files outside the project root- The only protection is the agent's own judgment (soft isolation via system prompt)
Proposed solution
Add a hard workspace boundary option that restricts all file operations to the current project's git root (or a configured set of allowed directories):
- Permission-level enforcement: Add a setting like
"workspaceBoundary": "git-root"that causes all file tool calls targeting paths outside the boundary to be auto-denied (or require explicit user approval). - Bash sandboxing: For shell commands, restrict
cwdand validate that file arguments resolve within the boundary (similar to how MCP servers can enforceALLOWED_WORKSPACE_DIRS). - Explicit cross-project access: If cross-project access is needed, require the user to explicitly grant it (e.g., via a permission prompt or config).
Context
This is particularly important for:
- Multi-repo development environments
- Shared machines / CI environments
- Agent orchestration systems that manage multiple project contexts
- Preventing accidental cross-contamination between projects
Workaround
We are currently mitigating this via system prompt instructions in CLAUDE.md ("never access files outside the project git root"), but this is soft enforcement only and can be overridden by the model's judgment.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗