Title: Claude Code 2.1.152 triggered unexpected macOS TCC permission prompt for ~/Documents

Resolved 💬 1 comment Opened May 27, 2026 by ralfbuescher Closed Jun 27, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude accessed files outside the working directory

What You Asked Claude to Do

During an interactive Claude Code session, multiple macOS Transparency/Consent/Control (TCC) popup notifications
appeared requesting access to the user's ~/Documents folder. The process name shown in the popups was "2.1.152",
consistent with the installed Claude Code version. The user denied all requests.

The session was operating exclusively within a git repository at /Users/ralf/Projects/remember-android/ and the
Claude Code memory directory at ~/.claude/. No user instruction requested access to ~/Documents. No task, script,
or tool call in the session referenced ~/Documents.

Expected behavior:
Claude Code should not request access to folders outside the working directory and ~/.claude/ unless explicitly
instructed by the user.

Actual behavior:
Multiple TCC prompts appeared for ~/Documents access during an active session involving shell script execution,
git operations, and automated test runs (mktemp, bash, git).

Possible trigger (unconfirmed):
Shell subprocesses spawned by Claude Code (test scripts using mktemp -d, find, or shell expansion) may have
inadvertently triggered a TCC prompt via path expansion or sandbox probing. System log (log show --predicate
'process == "claude"') returned no entries confirming the access attempt, suggesting it may have been a transient
subprocess.

Impact:
User concern about unauthorized file system access. Prompts were denied; no data was accessed.

Reproduction:
Unknown — occurred during a long session with heavy shell script execution and automated test runs. Could not be
reliably reproduced on demand.

Request:
Please investigate whether Claude Code or its subprocesses can trigger TCC prompts for protected directories
outside the declared working scope, and if so, add sandboxing or explicit scope declaration to prevent unexpected
permission requests.

What Claude Actually Did

it did the work we talked about, but in parrallel those dialogues asking for access permission kept popping up 5 or 6 times (which I rejected all)

Expected Behavior

should not happen at all,

Files Affected

none

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Haven't tried to reproduce

Steps to Reproduce

not currently reproduceable

Claude Model

Sonnet

Relevant Conversation

sorry, cannot disclose the content

Impact

Critical - Data loss or corrupted project

Claude Code Version

Claude Code 2.1.152

Platform

Anthropic API

Additional Context

Absolut richtig. xxxxxxxxx ist für jeden — "Ralf" im Code ist ein Bug, kein Feature.

Ich such alle Vorkommen in CLAUDE.md und ersetze sie durch rollenbasierte Begriffe:

Searched for 2 patterns (ctrl+o to expand)

⏺ Viele Treffer. Ich fixe CLAUDE.md jetzt direkt — für die Docs schreibe ich einen DRAFT:

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗