Tens of prompts for ls and grep when exploring

Detailed Analysis

A Claude Code user reports a persistent and disruptive UX friction: despite configuring a comprehensive global allowlist explicitly permitting commands such as `ls`, `grep`, `cat`, `pwd`, and several `git` operations, the tool continues to generate repeated permission prompts for every invocation of those commands during codebase exploration sessions. The user is operating with the `/sandbox` mode enabled and has attempted thorough remediation steps, including removing the `.claude` directory entirely and performing a clean reinstall, neither of which resolved the behavior. The post reflects a configuration that appears correctly formed per Claude Code's documented JSON schema, raising questions about whether the sandbox execution environment overrides or ignores global allowlist settings in ways that are not clearly documented.

The core tension exposed here involves the interaction between Claude Code's permission model and its sandbox mode. Claude Code enforces a layered security architecture in which shell commands are validated through a combination of regex pattern matching and LLM-based vetting before execution. The sandbox environment, designed to contain potentially unsafe operations, may operate under a stricter or separate permission evaluation pass that does not inherit or properly resolve entries from the global `settings.json` allowlist. If sandbox mode effectively re-evaluates all commands through its own trust pipeline regardless of pre-approved allowlists, users would experience exactly the behavior described — a flood of confirmation dialogs even for explicitly whitelisted, low-risk read-only commands like `grep` and `ls`.

This issue matters because it strikes directly at the usability of Claude Code for one of its most fundamental advertised use cases: agentic codebase exploration. Claude Code's own internal system prompts, as documented in published prompt repositories, explicitly position the tool as a "file search specialist" that excels at navigating codebases using precisely these Unix utilities. A workflow where the agent must interrupt to seek human approval for every `grep` invocation effectively negates the agentic benefit, transforming what should be a fluid, autonomous exploration session into a manual, click-through process. The user's frustration is therefore not merely cosmetic — it represents a breakdown of the core value proposition of the product for a significant class of users engaged in read-only reconnaissance tasks.

More broadly, this episode reflects an ongoing and unresolved tension in agentic AI tooling between security guarantees and operational fluency. Anthropic and other AI development companies have converged on permission-gating as the primary mechanism for building user trust in autonomous agents, but the granularity and consistency of that gating remains immature. When sandbox environments and allowlist configurations produce contradictory or unpredictable behavior, it erodes trust in the configuration system itself — users cannot be confident that their expressed preferences are being honored. The fact that a clean reinstall failed to resolve the issue suggests the problem may lie in how Claude Code's runtime resolves permission scope at execution time rather than in corrupted local state, a distinction with significant implications for how Anthropic would need to address it through either documentation clarification or a bug fix in the permission evaluation pipeline.