Title: Claude Code 2.1.152 triggered unexpected macOS TCC permission prompt for ~/Documents
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude accessed files outside the working directory
What You Asked Claude to Do
During an interactive Claude Code session, multiple macOS Transparency/Consent/Control (TCC) popup notifications
appeared requesting access to the user's ~/Documents folder. The process name shown in the popups was "2.1.152",
consistent with the installed Claude Code version. The user denied all requests.
The session was operating exclusively within a git repository at /Users/ralf/Projects/remember-android/ and the
Claude Code memory directory at ~/.claude/. No user instruction requested access to ~/Documents. No task, script,
or tool call in the session referenced ~/Documents.
Expected behavior:
Claude Code should not request access to folders outside the working directory and ~/.claude/ unless explicitly
instructed by the user.
Actual behavior:
Multiple TCC prompts appeared for ~/Documents access during an active session involving shell script execution,
git operations, and automated test runs (mktemp, bash, git).
Possible trigger (unconfirmed):
Shell subprocesses spawned by Claude Code (test scripts using mktemp -d, find, or shell expansion) may have
inadvertently triggered a TCC prompt via path expansion or sandbox probing. System log (log show --predicate
'process == "claude"') returned no entries confirming the access attempt, suggesting it may have been a transient
subprocess.
Impact:
User concern about unauthorized file system access. Prompts were denied; no data was accessed.
Reproduction:
Unknown — occurred during a long session with heavy shell script execution and automated test runs. Could not be
reliably reproduced on demand.
Request:
Please investigate whether Claude Code or its subprocesses can trigger TCC prompts for protected directories
outside the declared working scope, and if so, add sandboxing or explicit scope declaration to prevent unexpected
permission requests.
What Claude Actually Did
it did the work we talked about, but in parrallel those dialogues asking for access permission kept popping up 5 or 6 times (which I rejected all)
Expected Behavior
should not happen at all,
Files Affected
none
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
not currently reproduceable
Claude Model
Sonnet
Relevant Conversation
sorry, cannot disclose the content
Impact
Critical - Data loss or corrupted project
Claude Code Version
Claude Code 2.1.152
Platform
Anthropic API
Additional Context
Absolut richtig. xxxxxxxxx ist für jeden — "Ralf" im Code ist ein Bug, kein Feature.
Ich such alle Vorkommen in CLAUDE.md und ersetze sie durch rollenbasierte Begriffe:
Searched for 2 patterns (ctrl+o to expand)
⏺ Viele Treffer. Ich fixe CLAUDE.md jetzt direkt — für die Docs schreibe ich einen DRAFT:
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗