Critical: No way to bypass MCP tool approval prompts in VSCode extension

Resolved 💬 19 comments Opened Nov 1, 2025 by kumaakh Closed Feb 9, 2026

Critical Issue: No Way to Bypass MCP Tool Approval Prompts in VSCode Extension

Summary

The Claude Code VSCode extension requires manual approval for every MCP tool call, with no "Always Allow" option or working configuration to bypass these prompts. This makes MCP servers unusable for automation and unattended workflows.

Environment

  • Claude Code Version: VSCode Extension v2.0.31 (anthropic.claude-code-2.0.31-win32-x64)
  • VSCode Version: Latest
  • OS: Windows 11
  • MCP Server: bitbucket-mcp (custom MCP server for Bitbucket API)
  • MCP Configuration: Configured in VSCode settings.json under mcp.servers

The Problem

Current Behavior

  1. Every MCP tool call (e.g., mcp__bitbucket-mcp__getRepository, mcp__bitbucket-mcp__getPullRequests) triggers an approval dialog
  2. The approval dialog only has Yes/No options - no "Always Allow" or "Remember this choice"
  3. This happens on EVERY single tool call, even repeated calls to the same tool
  4. The prompts persist across VSCode restarts

Expected Behavior

Users should be able to configure trusted MCP servers to run without approval prompts, especially for:

  • Automation workflows (CI/CD pipeline management)
  • Batch operations requiring multiple API calls
  • Unattended operations (e.g., overnight automation)

What We've Tried (All Failed)

1. VSCode Extension Settings

Tried adding to settings.json:

{
  "claudeCode.allowDangerouslySkipPermissions": true
}

Result: No effect on MCP tool prompts

2. User-Level Claude Code Settings

Created C:\Users\[user]\.claude\settings.json:

{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  "permissions": {
    "defaultMode": "bypassPermissions",
    "allow": [
      "mcp__bitbucket-mcp__*",
      "mcp__*"
    ]
  }
}

Result: Settings file created and validated against schema, but MCP tools still require approval

3. MCP Server Configuration

Tried adding to MCP server config in settings.json:

{
  "mcp.servers": {
    "bitbucket": {
      "command": "node",
      "args": ["C:\\ak\\bitbucket-mcp\\dist\\index.js"],
      "env": { "..." },
      "alwaysAllow": ["*"]
    }
  }
}

Result: No effect

4. Multiple VSCode Restarts

Restarted VSCode multiple times after each configuration change.
Result: No change in behavior

Root Cause Analysis

After investigating the extension structure:

  1. Hardcoded Allowlist: The system prompt shows a hardcoded list of approved tools:

``
You can use the following tools without requiring user approval:
Bash(ls:*), Bash(where:*), Bash(find:*), ... etc
``
Notice: No MCP tools are in this list

  1. Binary Implementation: The approval logic appears to be in claude.exe (compiled binary), not in configurable files
  1. Schema vs Implementation Gap: The claude-code-settings.schema.json defines permissions.defaultMode: "bypassPermissions", but this doesn't apply to MCP tools in the VSCode extension

Business Impact

Use Case: CI/CD Pipeline Automation

Scenario: Managing Bitbucket pipelines that take 2-3 hours to build

  • Need to monitor pipeline runs, download logs, analyze failures
  • Requires multiple Bitbucket API calls (get pipeline status, get logs, get PR details, etc.)
  • Currently requires manual approval for EVERY API call
  • Makes unattended automation completely impossible

Impact:

  • Cannot run automation overnight
  • Defeats the entire purpose of MCP servers for external API integration
  • Forces workarounds (writing custom scripts instead of using MCP)

Comparison with CLI

Question: Does the CLI version of Claude Code (claude terminal command) respect the bypassPermissions configuration for MCP tools?

If yes, this represents a significant feature gap between CLI and VSCode extension.

Proposed Solutions

Option 1: Add "Always Allow" to Approval Dialog (Quick Fix)

Add checkbox to approval dialog:

☐ Always allow tools from this MCP server
[ Yes ]  [ No ]

Option 2: Honor Existing Permission Settings (Proper Fix)

Make the VSCode extension respect .claude/settings.json:

  • permissions.defaultMode: "bypassPermissions" should work for MCP tools
  • permissions.allow: ["mcp__*"] should explicitly allow MCP tool patterns
  • Match behavior with CLI implementation

Option 3: MCP Server Trust Configuration

Add user-level trust configuration:

{
  "trustedMcpServers": [
    "bitbucket",
    "github",
    "custom-server"
  ]
}

Additional Context

Why This Matters

MCP servers are designed for external API integration. Many real-world APIs require multiple calls to accomplish tasks:

  • GitHub: Get repo → List PRs → Get PR details → Get diff → Add comments
  • Bitbucket: Get pipeline → Get steps → Get logs → Parse results
  • Jira: Search issues → Get issue details → Update status → Add comments

Requiring manual approval for each call makes MCP unusable for these legitimate workflows.

Security Considerations

We understand the security concern about untrusted MCP servers. However:

  1. Users explicitly configure MCP servers in their settings
  2. MCP servers require authentication (API keys/tokens)
  3. Users should be able to trust their own configurations
  4. The current model provides security theater without actual usability

Reproduction Steps

  1. Install Claude Code VSCode extension v2.0.31
  2. Configure any MCP server in VSCode settings.json:

``json
{
"mcp.servers": {
"test-server": {
"command": "node",
"args": ["path/to/server.js"]
}
}
}
``

  1. Use Claude Code and ask it to call an MCP tool
  2. Observe: Approval dialog appears for every tool call
  3. Create .claude/settings.json with "defaultMode": "bypassPermissions"
  4. Restart VSCode
  5. Try MCP tool again
  6. Observe: Still requires approval

Request

Please implement one of the proposed solutions to make MCP servers usable for automation workflows. This is blocking legitimate use cases for MCP functionality.

---

Generated: 2025-11-01
Reporter: Akhil Kumar (akhil@apra.in)
Environment: Windows 11, VSCode Extension v2.0.31

View original on GitHub ↗

19 Comments

jessevdamcel · 8 months ago

I'm experiencing the same issue with the chrome-devtools MCP server. I've tried every configuration combination mentioned in this thread and more:

Configurations attempted (none worked):

  1. .claude/settings.json:

```json
{
"enableAllProjectMcpServers": true,
"permissions": {
"allow": ["*"],
"defaultMode": "bypassPermissions"
}
}

  1. 'settings.json':

{
"claude-code.mcpServers.autoApproveTools": true,
"claude-code.mcpServers.autoApprove": ["chrome", "chrome-devtools"],
"mcpServers": {
"chrome": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-google-chrome"],
"autoApprove": ["*"]
}
}
}

  1. mcp.json with server-level auto-approve:

{
"servers": {
"chrome-devtools": {
"command": "npx",
"args": ["-y", "chrome-devtools-mcp@latest"],
"autoApprove": ["*"]
}
}
}

JulioC · 8 months ago

I was able to do it using the permissions key in settings.json:

{
  "permissions": {
    "allow": [
      "mcp__playwright"
    ],
    "deny": [],
    "ask": []
  }
}
rau1avi1a · 8 months ago

Found a workaround, but wildcards still need fixing

I ran into this same issue and found what's going on. The wildcard syntax (mcp__[server-name]__*) doesn't work in settings.json for MCP tools, but specifying the actual tool names does.

What works:

{
  "permissions": {
    "allow": [
      "mcp__[server-name]__[tool-name]",
      "mcp__[server-name]__[tool-name]",
      etc..
    ]
  }
}

What doesn't work (but should):

{
  "permissions": {
    "allow": [
      "mcp__[server-name]__*"
    ]
  }
}

So yeah, you can get around the constant prompts by listing out each tool explicitly in your .claude/settings.json. Not ideal since you have to know all the tool names upfront, but it does actually work.

The wildcard syntax really should be supported though - it's tedious to manually list every tool, especially for MCP servers with lots of tools. Would be great to get this fixed so mcp__[server-name]__* works as expected.

JulioC · 8 months ago

See the alert at the end of this section: https://code.claude.com/docs/en/iam#configuring-permissions

Unlike other permission types, MCP permissions do NOT support wildcards ().To approve all tools from an MCP server: ✅ Use: mcp__github (approves ALL GitHub tools) ❌ Don’t use: mcp__github__ (wildcards are not supported) To approve specific tools only, list each one: ✅ Use: mcp__github__get_issue ✅ Use: mcp__github__list_issues
jessevdamcel · 8 months ago
I was able to do it using the permissions key in settings.json: { "permissions": { "allow": [ "mcp__playwright" ], "deny": [], "ask": [] } }

Yes it worked for me, the prefix 'mcp__' is needed otherwise it is not working the definition of my tool is in my .claude.json file under the windows user home dir.

 "projects": {
    "C:\\myproject": {
      "allowedTools": [],
      "mcpContextUris": [],
      "mcpServers": {
        "chrome-devtools": {
          "type": "stdio",
          "command": "npx",
          "args": [
            "-y",
            "chrome-devtools-mcp@latest"
          ],
          "env": {}
        }
      },
      "enabledMcpjsonServers": [],
      "disabledMcpjsonServers": [],
      "hasTrustDialogAccepted": true,
      "ignorePatterns": [],
      "projectOnboardingSeenCount": 1,
      "hasClaudeMdExternalIncludesApproved": false,
      "hasClaudeMdExternalIncludesWarningShown": false
    }
  }
```,
github-actions[bot] · 7 months ago

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

jgoulah · 7 months ago

its still a problem, I think it respects the .claude/settings.local.json but we need an option for "Always allow tools from this MCP server", as described in the original ticket the approval dialog only has Yes/No options - no "Always Allow" or "Remember this choice"

kumaakh · 7 months ago

It continues to be an issue, we do not see any official Anthropic response yet. so pls do not close it.

adiologydev · 6 months ago

Still waiting.

wayne5w · 6 months ago

I've got this problem, very annoying

aregmii · 6 months ago

Waiting ...

JOY · 6 months ago

Any update? I faced this issue even with normal command which "always allow" already.

adriangiles · 6 months ago

It happens in Claude Desktop too.

PieterjanDeClippel · 6 months ago

You can just place the following in your %userprofile%/.claude/settings.json

{
  "alwaysThinkingEnabled": true,
  "permissions": {
    "allow": [
      "Git",
      "Dotnet",
      "Npm",
      "Npx",
      "Node",
      "Pnpm",
      "Yarn",
      "Cargo",
      "Python",
      "Pip",
      "Pipx",
      "Bash",
      "Sh",
      "Powershell",
      "Pwsh"
    ],
    "allowMCPServers": [
      "github",
      "playwright"
    ]
  },
  "statusLine": {
    "type": "command",
    "command": "npx -y ccstatusline@latest",
    "padding": 0
  }
}

I had to restart my pc before it started working. StatusLine means this:

<img width="993" height="157" alt="Image" src="https://github.com/user-attachments/assets/4be5f650-1501-4c0c-aa7c-23c57b5b153d" />

You can modify your status-line using npx -y ccstatusline@latest

github-actions[bot] · 5 months ago

This issue has been automatically closed due to 60 days of inactivity. If you're still experiencing this issue, please open a new issue with updated information.

adiologydev · 5 months ago

Why is this closed and marked as "not planned"? We have people still reporting this issue.

CC: @bcherny

marcindulak · 5 months ago

This issue was closed incorrectly despite recent human comments. This behavior of the bot is reported at https://github.com/anthropics/claude-code/issues/16497. Please upvote that issue, so maybe it gets noticed.

jerwitz02 · 5 months ago

+1 — experiencing this exact pain point specifically with Claude Code running as an MCP server in Claude for Desktop.

Read-only tools like Read, Grep, Glob, WebSearch, and WebFetch are already auto-allowed in the Claude Code CLI (they never prompt for permission, because they can't modify anything). But when the same tools are called through MCP in Claude Desktop, every single call triggers a permission prompt with no way to permanently allow them.

At minimum, read-only / non-destructive MCP tool calls should be allowlistable — either globally or per-server. Ideally Claude Desktop would respect the same permission tiers that Claude Code CLI already uses (read-only = auto-allowed, write = ask, etc.).

This is the #1 friction point in using Claude Code as an MCP server in Claude Desktop.

github-actions[bot] · 4 months ago

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.