
MCP read-only tools blocked in plan mode despite explicit configuration

Open castocolina opened this issue 2 months ago • 1 comments

Description

MCP tools configured in .mcp.json are being auto-denied in plan mode with error: Permission to use mcp__<tool>__<method> has been auto-denied in dontAsk mode, even when they are:

  1. Explicitly configured by the user in .mcp.json
  2. Read-only tools that don't modify the codebase (e.g., sequential-thinking, fetch)

Expected Behavior

Plan mode should allow read-only MCP tools since they don't violate plan mode's purpose (preventing codebase modifications during planning phase).

Tools that should work in plan mode:

  • mcp__sequential-thinking__sequentialthinking (analysis/reasoning)
  • mcp__fetch__fetch (web content fetching)
  • mcp__filesystem__read_* (file reading)
  • ✅ Other read-only MCP operations

Tools that should be blocked in plan mode:

  • mcp__filesystem__write_file (modifies codebase)
  • mcp__filesystem__edit_file (modifies codebase)
  • ❌ Other write/modification operations

Actual Behavior

All MCP tools are blocked unless explicitly listed in .claude/settings.json permissions.allow[], regardless of whether they modify the codebase or not.

Error Message

sequential-thinking - sequentialthinking (MCP)(thought: "Starting comprehensive analysis..."
Error: Permission to use mcp__sequential-thinking__sequentialthinking has been auto-denied in dontAsk mode.

Steps to Reproduce

  1. Create .mcp.json with MCP servers:
{
  "mcpServers": {
    "sequential-thinking": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
    },
    "fetch": {
      "type": "stdio",
      "command": "uvx",
      "args": ["mcp-server-fetch"]
    }
  }
}
  2. Enable MCP in .claude/settings.json:
{
  "enableAllProjectMcpServers": true
}
  3. Start Claude Code in plan mode
  4. Try to use sequential-thinking or fetch tools
  5. Observe auto-denial error

Workaround

Add MCP wildcard to permissions allow list in .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Bash(npx:*)",
      // ... other permissions
      "mcp__*"
    ]
  }
}

Issue Analysis

The problem appears to be a permission layer inconsistency:

Layer 1: Tool Execution Permissions (.claude/settings.json)

  • Requires explicit permission even for read-only tools
  • No distinction between read-only and write operations

Layer 2: Plan Mode Restrictions (internal behavior)

  • Intended to prevent codebase modifications
  • Should allow read-only operations

Root cause: Layer 1 blocks MCP tools before Layer 2 can evaluate if they're safe for plan mode.

Questions

  1. Is "dontAsk mode" configurable by users? (No configuration found in project or global settings)
  2. Should read-only MCP tools require explicit permissions?
  3. Is the current behavior intentional, or is this a design oversight?

Environment

  • Claude Code Version: 2.0.53 (from VSCode extension)
  • Platform: Linux (Ubuntu/Debian)
  • MCP Servers: @modelcontextprotocol/server-sequential-thinking, mcp-server-fetch, @modelcontextprotocol/server-filesystem, @modelcontextprotocol/server-memory, @pinkpixel/npm-helper-mcp

Impact

This forces users to:

  • Grant blanket MCP permissions (mcp__*) even if they only want read-only tools
  • Reduces security granularity (can't distinguish read-only vs write operations)
  • Creates confusion about plan mode's purpose (why block analysis tools?)

Suggested Solutions

Option 1: Auto-allow read-only MCP tools in all modes

  • Safe: They don't modify system state
  • User-friendly: Respects explicit .mcp.json configuration
  • Consistent: Aligns with plan mode's stated purpose

Option 2: Add read/write permission categories

{
  "permissions": {
    "allow": ["mcp__*:read"],  // Allow all read operations
    "deny": ["mcp__*:write"]   // Block all write operations
  }
}

Option 3: Make "dontAsk mode" configurable

  • Let users decide when to be prompted vs auto-denied

Thank you for considering this issue! Happy to provide more details or test fixes.

castocolina, Nov 25 '25 15:11
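Added example, not part of the original issue and not Claude Code's own code: a small audit that flags MCP rules in permissions.allow broad enough to admit the write tools named above, and rewrites the list with explicit tool names instead. The function names and the sample settings are constructed, the read/write split is the reporter's, and treating `*` as a glob is an assumption about how the wildcard is matched.

```python
import copy
import json
from fnmatch import fnmatchcase

# Constructed sample of .claude/settings.json using the workaround from the issue.
SETTINGS = {"permissions": {"allow": ["Bash(npx:*)", "mcp__*"]}}

# Tool names taken from the issue; the read/write classification is the reporter's.
READ_ONLY = [
    "mcp__sequential-thinking__sequentialthinking",
    "mcp__fetch__fetch",
]
WRITE = [
    "mcp__filesystem__write_file",
    "mcp__filesystem__edit_file",
]


def overbroad_rules(settings, write_tools):
    """Map each MCP allow rule to the write tools it would admit.

    Assumption: '*' inside a rule is matched as a glob.
    """
    findings = {}
    for rule in settings.get("permissions", {}).get("allow", []):
        if not rule.startswith("mcp__"):
            continue  # Bash(...) and other non-MCP rules are out of scope here
        hits = [tool for tool in write_tools if fnmatchcase(tool, rule)]
        if hits:
            findings[rule] = hits
    return findings


def narrowed(settings, write_tools, wanted):
    """Return a copy of settings with over-broad MCP rules replaced by explicit names."""
    bad = overbroad_rules(settings, write_tools)
    out = copy.deepcopy(settings)  # leave the caller's settings untouched
    allow = out.setdefault("permissions", {}).get("allow", [])
    kept = [rule for rule in allow if rule not in bad]
    kept += [tool for tool in wanted if tool not in kept]
    out["permissions"]["allow"] = kept
    return out


if __name__ == "__main__":
    print(json.dumps(overbroad_rules(SETTINGS, WRITE), indent=2))
    print(json.dumps(narrowed(SETTINGS, WRITE, READ_ONLY), indent=2))
```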

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

github-actions[bot], Dec 26 '25 10:12