[BUG] sandbox.autoAllowBashIfSandboxed: true from server-managed settings is not applied — all non-allowlisted commands prompt
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
- Every Bash command not matching a
permissions.allowrule triggers the generic permission dialog:
```
Bash command
java -version
This command requires approval
Do you want to proceed?
❯ 1. Yes
- Yes, and don't ask again for: java *
- No
```
ctrl+e("explain") on the dialog shows "Explanation unavailable".- Auto-allow is effectively never engaged: across many sessions, the only commands that ran without prompting were ones matching explicit allow rules (or bare variable assignments).
What Should Happen?
Per the sandboxing documentation, with auto-allow mode enabled, sandboxed Bash commands should run without permission prompts:
Auto-allow mode: Bash commands will attempt to run inside the sandbox and are automatically allowed without requiring permission.
A simple literal command such as java -version or uname -a (no shell expansions — i.e. not issue #43713) should auto-run inside the sandbox.
Error Messages/Logs
Steps to Reproduce
- In a Claude.ai org with server-managed Claude Code settings, deliver a
sandboxblock withenabled: true,autoAllowBashIfSandboxed: true,allowUnsandboxedCommands: false, plus apermissions.allowlist of read-only commands. - Start a fresh
claudesession in any project on macOS. - Ask Claude to run a simple literal command not on the allowlist, e.g.
java -versionoruname -a. - Observe the "This command requires approval" prompt instead of auto-allowed sandboxed execution.
- Run
/sandbox— observe the panel is locked with the higher-priority-configuration error, making the resolved mode uninspectable.
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.175
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
Configuration (relevant excerpts from the effective server-managed settings)
{
"allowManagedPermissionRulesOnly": false,
"permissions": {
"allow": ["Bash(ls:*)", "Bash(cat:*)", "Bash(grep:*)", "Bash(echo:*)", "..."],
"ask": [],
"defaultMode": "default",
"deny": ["Bash(sudo:*)", "Bash(curl:*)", "..."]
},
"sandbox": {
"enabled": true,
"failIfUnavailable": false,
"autoAllowBashIfSandboxed": true,
"allowUnsandboxedCommands": false,
"excludedCommands": ["docker *"],
"filesystem": { "allowManagedReadPathsOnly": true, "denyWrite": ["..."] },
"network": { "allowManagedDomainsOnly": false, "allowedDomains": [] }
}
}
User settings (~/.claude/settings.json) also contain sandbox.autoAllowBashIfSandboxed: true. No project-level .claude/ settings exist. ~/.claude/settings.local.json is empty.
Verified facts (things ruled out)
- The sandbox itself is active and enforcing. A probe (
echo test > /tmp/probe) executed and was blocked at the OS level withoperation not permitted(/tmpis outside the allowed write paths) — so this is not a sandbox-failed-to-initialize fallback (failIfUnavailable: false). - The setting key is valid.
sandbox.autoAllowBashIfSandboxedexists in the published settings JSON schema (defaulttrue). - Not a managed-permissions lockdown.
allowManagedPermissionRulesOnlyisfalse(it wastrueearlier; changing it tofalsemade no difference to this behavior). - Not shell-expansion related (#43713). Plain literal commands (
java -version,javac -version,uname -a) prompt. - Not the IDE extension (#64061). Reproduced in plain iTerm and Terminal.app.
- No lower-scope override. No project
.claude/directory; user-levelsettings.local.jsonempty; both user and managed scope sayautoAllowBashIfSandboxed: true. /sandboxpanel cannot be opened: it errors with
Error: Sandbox settings are overridden by a higher-priority configuration and cannot be changed locally.
so there is no way to inspect the resolved mode or confirm which tier wins.
Suspected cause
Auto-allow mode appears to be suppressed whenever the sandbox configuration is delivered through the managed/server tier. The /sandbox panel lock message suggests the managed tier takes over sandbox configuration entirely, but the autoAllowBashIfSandboxed: true value inside that same managed config is then not honored — the session behaves as "regular permissions" mode.
Impact
Organizations that centrally enforce sandboxing (enabled: true, allowUnsandboxedCommands: false) — the exact deployment pattern recommended in the "Configure the sandbox for your organization" docs — cannot get auto-allow, resulting in a permission prompt for every command outside the managed allowlist. This combines the friction of regular-permissions mode with none of the autonomy the sandbox is meant to enable.