MCP read-only tools blocked in plan mode despite explicit configuration
Description
MCP tools configured in .mcp.json are being auto-denied in plan mode with error: Permission to use mcp__<tool>__<method> has been auto-denied in dontAsk mode, even when they are:
- Explicitly configured by the user in
.mcp.json - Read-only tools that don't modify the codebase (e.g.,
sequential-thinking,fetch)
Expected Behavior
Plan mode should allow read-only MCP tools since they don't violate plan mode's purpose (preventing codebase modifications during planning phase).
Tools that should work in plan mode:
- ✅
mcp__sequential-thinking__sequentialthinking(analysis/reasoning) - ✅
mcp__fetch__fetch(web content fetching) - ✅
mcp__filesystem__read_*(file reading) - ✅ Other read-only MCP operations
Tools that should be blocked in plan mode:
- ❌
mcp__filesystem__write_file(modifies codebase) - ❌
mcp__filesystem__edit_file(modifies codebase) - ❌ Other write/modification operations
Actual Behavior
All MCP tools are blocked unless explicitly listed in .claude/settings.json → permissions.allow[], regardless of whether they modify the codebase or not.
Error Message
sequential-thinking - sequentialthinking (MCP)(thought: "Starting comprehensive analysis..."
Error: Permission to use mcp__sequential-thinking__sequentialthinking has been auto-denied in dontAsk mode.
Steps to Reproduce
- Create
.mcp.jsonwith MCP servers:
{
"mcpServers": {
"sequential-thinking": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
},
"fetch": {
"type": "stdio",
"command": "uvx",
"args": ["mcp-server-fetch"]
}
}
}
- Enable MCP in
.claude/settings.json:
{
"enableAllProjectMcpServers": true
}
- Start Claude Code in plan mode
- Try to use
sequential-thinkingorfetchtools - Observe auto-denial error
Workaround
Add MCP wildcard to permissions allow list in .claude/settings.json:
{
"permissions": {
"allow": [
"Bash(npx:*)",
// ... other permissions
"mcp__*"
]
}
}
Issue Analysis
The problem appears to be a permission layer inconsistency:
Layer 1: Tool Execution Permissions (.claude/settings.json)
- Requires explicit permission even for read-only tools
- No distinction between read-only and write operations
Layer 2: Plan Mode Restrictions (internal behavior)
- Intended to prevent codebase modifications
- Should allow read-only operations
Root cause: Layer 1 blocks MCP tools before Layer 2 can evaluate if they're safe for plan mode.
Questions
- Is "dontAsk mode" configurable by users? (No configuration found in project or global settings)
- Should read-only MCP tools require explicit permissions?
- Is the current behavior intentional, or is this a design oversight?
Environment
- Claude Code Version: 2.0.53 (from VSCode extension)
- Platform: Linux (Ubuntu/Debian)
- MCP Servers: @modelcontextprotocol/server-sequential-thinking, mcp-server-fetch, @modelcontextprotocol/server-filesystem, @modelcontextprotocol/server-memory, @pinkpixel/npm-helper-mcp
Impact
This forces users to:
- Grant blanket MCP permissions (
mcp__*) even if they only want read-only tools - Reduces security granularity (can't distinguish read-only vs write operations)
- Creates confusion about plan mode's purpose (why block analysis tools?)
Suggested Solutions
Option 1: Auto-allow read-only MCP tools in all modes
- Safe: They don't modify system state
- User-friendly: Respects explicit
.mcp.jsonconfiguration - Consistent: Aligns with plan mode's stated purpose
Option 2: Add read/write permission categories
{
"permissions": {
"allow": ["mcp__*:read"], // Allow all read operations
"deny": ["mcp__*:write"] // Block all write operations
}
}
Option 3: Make "dontAsk mode" configurable
- Let users decide when to be prompted vs auto-denied
Thank you for considering this issue! Happy to provide more details or test fixes.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗