That's not what tool use permissions are. The LLM doesn't just magically spawn processes or run code. The Claude Code program itself does those things when the LLM indicates that it wants to. The program has checks and permissions on whether those things will be done or not.
Claude Code has a sandboxing functionality that works the way you're describing when you opt into it, but my understanding is that the Claude Code program in the default configuration does not second-guess the LLM's decisions on what it'd like to run. Has Anthropic said something to the contrary?