Feature request: Hard workspace boundary enforcement for project isolation

Resolved 💬 3 comments Opened May 29, 2026 by xu75 Closed Jul 1, 2026

Problem

When Claude Code is used in a multi-project environment (e.g., multiple repos on the same machine), there is no hard enforcement preventing the agent from reading/writing files outside the current project's git root.

Observed behavior

An agent invoked in Project A attempted to modify source files in Project B (a sibling directory). The agent had knowledge of Project B's file paths and proceeded to edit them without any barrier.

Current state

  • The working directory is set correctly based on the project context
  • There is no filesystem-level sandbox preventing access to arbitrary paths
  • Read, Write, Edit, and Bash tools can all access files outside the project root
  • The only protection is the agent's own judgment (soft isolation via system prompt)

Proposed solution

Add a hard workspace boundary option that restricts all file operations to the current project's git root (or a configured set of allowed directories):

  1. Permission-level enforcement: Add a setting like "workspaceBoundary": "git-root" that causes all file tool calls targeting paths outside the boundary to be auto-denied (or require explicit user approval).
  2. Bash sandboxing: For shell commands, restrict cwd and validate that file arguments resolve within the boundary (similar to how MCP servers can enforce ALLOWED_WORKSPACE_DIRS).
  3. Explicit cross-project access: If cross-project access is needed, require the user to explicitly grant it (e.g., via a permission prompt or config).

Context

This is particularly important for:

  • Multi-repo development environments
  • Shared machines / CI environments
  • Agent orchestration systems that manage multiple project contexts
  • Preventing accidental cross-contamination between projects

Workaround

We are currently mitigating this via system prompt instructions in CLAUDE.md ("never access files outside the project git root"), but this is soft enforcement only and can be overridden by the model's judgment.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗