[FEATURE] Support wildcard/regex for `sandbox.network.allowUnixSockets` on macOS

Open 💬 1 comment Opened Jun 25, 2026 by cflee

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

I would like Claude Code to be able to run git commit using the Bash tool inside the sandbox, when git is configured to sign commits using SSH keys, and the SSH keys need to be loaded from a SSH agent (due to being encrypted with a passphrase).

For ssh keys that have a passphrase, the git/ssh processes involved running inside the sandbox need to have access to the SSH agent over the unix socket listed in the SSH_AUTH_SOCK env var.

On macOS, the system provided ssh-agent socket is at a path that looks like /private/tmp/com.apple.launchd.AAAAAAAAAA/Listeners, where the directory name is different for each user session, so there is no fixed value that can be set.

Proposed Solution

Have sandbox.network.allowUnixSockets support wildcards, so that I can set it to ["/private/tmp/com.apple.launchd.*/Listeners"] to allow access to those launchd-managed ssh-agent unix sockets. For macOS sandbox this would be switching from subpath to regex predicate.

Alternatively, have a specific sandbox setting that has the effect of allowing access to whatever socket the environment's SSH_AUTH_SOCK env var points to.

Alternative Solutions

If I set sandbox.network.allowAllUnixSockets to true, then all the unix sockets on the filesystem become accessible, which is not my intended behaviour. I would like to avoid exposing other unix sockets.

Possible workaround: we may be able to exclude git * (or just git commit *) from the sandbox, but I would prefer to run as many commands inside the sandbox as possible.

Workaround: we can manually approve the retry of Bash tool command outside the sandbox. This works but we have to wait for the fail and thinking and then the prompt to dangerously retry outside of sandbox.

Priority

Medium - Would be very helpful

Feature Category

File operations

Use Case Example

Scenario:

  1. My machine is set up to perform Git commit signing using SSH keys. This lives in my ~/.gitconfig file, which all git operations running inside the sandbox already follow.

``
[user]
signingkey = /Users/redacted/.ssh/id_ed25519.pub
[gpg]
format = ssh
[commit]
gpgsign = true
`
The private key for the signing key is already loaded into an ssh-agent on macOS, i.e.
ssh-add ...`

  1. Claude Code works on some changes
  2. Claude Code decides or is told to git commit
  3. Claude Code uses the Bash tool to run various git commands including git commit

Additional Context

This is a duplicate of #35686 #19932 which were closed for inactivity.

Other commenters have confirmed that this also affects other use cases, whether GPG agents or ruby libraries using sockets

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗