anthropics
[BUG] Edit(.git/**) permission doesn't allow git to write .git/config in sandbox
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When Edit(.git/**) is added to permissions.allow in settings, git commands running in the sandbox still cannot write to .git/config. This occurs during git push --set-upstream when git tries to save the tracking branch configuration.
According to issue #10377, Edit() allow rules should extend filesystem write permissions for bash commands in the sandbox. However, this doesn't appear to work for .git/ directories.
Key finding: Running the same command with dangerouslyDisableSandbox: true works without error, confirming this is a sandbox permission issue.
What Should Happen?
With Edit(.git/**) in the permissions allow list, git commands should be able to write to .git/config without errors.
Error Messages/Logs
# Sandboxed (fails):
$ git push --set-upstream origin branch-name
branch 'branch-name' set up to track 'origin/branch-name'.
To https://github.com/user/repo.git
abc1234..def5678 branch-name -> branch-name
error: could not write config file .git/config: Operation not permitted
error: could not write config file .git/config: Operation not permitted
# Unsandboxed (works):
$ git push --set-upstream origin branch-name
branch 'branch-name' set up to track 'origin/branch-name'.
Everything up-to-date
Note: The push itself succeeds even when sandboxed, but the local config write fails.
Steps to Reproduce
- Enable sandbox in
~/.claude/settings.json:
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
},
"permissions": {
"allow": [
"Edit(.git/**)"
]
}
}
-
Restart Claude Code
-
Run
git push --set-upstream origin <branch>via Claude Code -
Observe the push succeeds but
.git/configwrite fails with "Operation not permitted" -
Run the same command with
dangerouslyDisableSandbox: true- it works without error
Configuration Used
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"network": {
"allowLocalBinding": true
}
},
"permissions": {
"allow": [
"Edit(.git/**)",
"Edit(.claude/**)"
]
}
}
Claude Model
Opus (claude-opus-4-5-20251101)
Is this a regression?
I don't know
Last Working Version
No response
Claude Code Version
Latest (as of 2025-12-06)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
- The push to remote succeeds; only the local
.git/configwrite fails - Workaround: Add
git:*toexcludedCommands(note: requires:*suffix per #10524), but this requires addingBash(git:*)to permissions.allow to avoid prompts on every git command - Related issues: #10377 (documents Edit() should work for bash writes), #11481 (mentions same error but focuses on network)
- The error is cosmetic but causes confusion and noise in the output
Possible causes:
-
Edit(.git/**)relative path not resolving correctly against the absolute path git uses -
.git/being treated specially by the sandbox - The permission check happening before path normalization
It probably works if Claude uses the Edit tool rather than executing git.
I think this is a very reasonable use case that should be supported. I should have the option to allow sandbox to write in the .git subfolder if I wanted to.
As far as I can tell this isn't exclusive to .git - at least on Linux. This can be really annoying for applications that rely on the ~/.cache directory, like bazel (similar to https://github.com/anthropics/claude-code/issues/10221).
My expectation would be that when we add Edit - we can get something that appears as a --bind mount in bwrap, but that doesn't seem to be the case. When I look at the bwrap invocation under the hood, it looks like we only get binds for /tmp/claude, a logs directory, and the current working directory. Using /add-dir also doesn't seem to influence the mounts on bwrap. This is such a great feature to make sure teams are interacting with claude securely, but it needs a few extra knobs.
