claude-code Add setting to block dangerouslyOverrideSandbox parameter in Bash tool calls

Problem

Claude Code's Bash tool includes a dangerouslyOverrideSandbox parameter that bypasses sandbox restrictions. While the system prompt instructs Claude to only use this parameter after seeing sandbox violation errors or when explicitly requested by the user, there is no technical enforcement to prevent misuse.

Note: Issue #8368 claims this parameter was removed in v2.0.0, but it still functions in v2.0.25, creating confusion about its status and making it even more critical to have explicit controls.

In practice, Claude can preemptively use dangerouslyOverrideSandbox: true without first attempting the command normally, bypassing:

Sandbox security restrictions
Permission hooks and prompts
User review workflows

This occurred when Claude ran gh pr create with the sandbox override flag without first seeing a failure, creating a pull request despite user settings that should have required permission/review first.

Related issues

#8961
#8368 - Documents that dangerouslyOverrideSandbox was supposedly removed in v2.0.0 (but still works in v2.0.25)

Expected behavior

Users should be able to prevent the use of dangerouslyOverrideSandbox through a configuration setting, similar to how filesystem and network access can be restricted in settings.json.

Proposed solution

Add a setting in settings.json to control sandbox override behavior:

{
  "sandbox": {
    "allowOverride": false  // default: true for backwards compatibility
  }
}

When allowOverride: false, any Bash tool calls with dangerouslyOverrideSandbox: true should either:

Fail with an error message indicating the setting blocks sandbox overrides, or
Be automatically downgraded to run with sandbox enabled (ignoring the parameter)

Additional context

This would provide defence-in-depth alongside the existing behavioral guidelines in the system prompt, preventing accidental or unintended bypass of sandbox restrictions.

Environment: