diff --git a/README.md b/README.md index de283cb9..32f43924 100644 --- a/README.md +++ b/README.md @@ -197,6 +197,8 @@ Claude Code has a native sandbox that provides filesystem and network isolation Without `/sandbox`, deny rules only block Claude's built-in tools -- Bash commands bypass them. With `/sandbox` enabled, the same rules are enforced at the OS level (Seatbelt/bubblewrap), so Bash commands are also blocked. Use both. +**Hardening the escape hatch:** Under bypass-permissions mode, a Bash call blocked by the sandbox can be retried by the agent with `dangerouslyDisableSandbox: true`, and the harness honors that retry with no user prompt. The `sandbox.allowUnsandboxedCommands: false` setting (included in this `settings.json`) makes the harness refuse those retries -- the rejection surfaces back to the agent as "disabled by policy in this environment". The setting is dormant unless the sandbox is enabled (via `/sandbox` or `"enabled": true`), so it imposes no friction on devcontainer and droplet workflows that never run `/sandbox`. + For the design rationale behind sandboxing, see Anthropic's [engineering blog post](https://www.anthropic.com/engineering/claude-code-sandboxing). For the full configuration reference, see the [sandboxing docs](https://code.claude.com/docs/en/sandboxing). #### Devcontainer diff --git a/settings.json b/settings.json index 2aa8d9b9..36ab17cb 100644 --- a/settings.json +++ b/settings.json @@ -46,6 +46,9 @@ "Read(~/Library/Application Support/**/solflare*/**)" ] }, + "sandbox": { + "allowUnsandboxedCommands": false + }, "hooks": { "PreToolUse": [ {