# [BUG][security] Cowork default working directory forces Documents-level (parent-folder) macOS permission grant — least-privilege violation
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Component
Claude Desktop — Cowork (research preview)
Environment
- App: Claude Desktop for macOS
- Version / build: 1.12603.1 (3df4fd)
- macOS version: Sequoia 15.7.4
- Hardware: Apple Silicon M2
- Plan:
<FILL IN — Pro / Max / Team / Enterprise>
Severity
High — security/privacy. Affects the permission boundary, not a cosmetic or capability issue.
Summary
On first Cowork use, the app requests access to the entire ~/Documents folder rather than to a dedicated, sandboxed working directory. Because macOS TCC scopes the Documents folder as a single all-or-nothing unit, granting Cowork its working directory necessarily grants read/write/delete over every file already in ~/Documents. The default working location places an agent with delete authority inside a primary user data store. This is a least-privilege violation in the default configuration.
Impact
- Blast-radius amplification. Cowork executes model-driven, multi-step file operations including permanent deletion (per Anthropic's own safety docs). Defaulting the working directory into
~/Documentssets the maximum blast radius of any erroneous or adversarial action to the user's entire Documents store rather than to an isolated sandbox. The harness permission scope is the control that bounds the cost of every downstream model error; an over-broad default multiplies that cost. - Over-provisioning by default. The defect exists independent of whether any given user grants the request. A default that requests more than the function requires is the precondition for abuse, regardless of whether exposure has yet occurred.
- Documented-but-unenforced guidance. Anthropic's own safety documentation instructs users to "create a dedicated working folder rather than granting broad access." The product default contradicts this published guidance and offloads the mitigation onto the user.
Related / compounding defects
- #57177 — no configurable workspace base path; default location not user-overridable.
- #54138 — artifacts folder hardcoded; ignores user-selected folder.
- #27162 — revoking Documents access via macOS System Settings → Privacy & Security → Files and Folders does not prevent a subsequent session from accessing a previously mounted subfolder. This defeats user-initiated revocation and means the over-broad grant cannot be reliably withdrawn.
- #46205 — "Always allow" permission prompts not persisting within a session.
The combination of an over-broad default grant (#57177/#54138) and unreliable revocation (#27162) means the permission boundary is neither minimal at grant time nor reliably retractable afterward.
What Should Happen?
Requested resolution
- Change the default working directory to an isolated location outside all TCC-protected user folders.
- Never request
~/Documents,~/Desktop, or home-directory access as part of default setup. - Make the working directory user-configurable before first grant (resolves #57177).
- Ensure macOS-level permission revocation fully tears down all session mounts (resolves #27162).
Error Messages/Logs
Steps to Reproduce
Steps to reproduce
- Install Claude Desktop (macOS) and enable Cowork.
- Start a first Cowork session.
- Observe the macOS folder-access permission prompt presented during setup/first file operation.
Expected behavior
The default working directory is a dedicated, isolated folder created outside any TCC-protected user location (e.g. ~/Cowork or an app-scoped container). The permission prompt is scoped to that folder alone. Access to ~/Documents, ~/Desktop, or other pre-existing user data stores is never requested by default and only occurs if the user explicitly connects such a folder.
Actual behavior
The default working directory resolves inside ~/Documents (reported as hardcoded to ~/Documents/Claude in #57177 / #54138). To function, Cowork must satisfy the macOS Documents-folder TCC permission, which is all-or-nothing: the grant covers the entire ~/Documents tree, not a subfolder. The user is therefore presented with a binary choice between (a) granting an agent with delete capability access to their full Documents store, or (b) denying and being unable to use the default configuration.
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
Cowork App
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_