MCP read-only tools blocked in plan mode despite explicit configuration

Resolved 💬 3 comments Opened Nov 25, 2025 by castocolina Closed Jan 27, 2026

Description

MCP tools configured in .mcp.json are being auto-denied in plan mode with error: Permission to use mcp__<tool>__<method> has been auto-denied in dontAsk mode, even when they are:

  1. Explicitly configured by the user in .mcp.json
  2. Read-only tools that don't modify the codebase (e.g., sequential-thinking, fetch)

Expected Behavior

Plan mode should allow read-only MCP tools since they don't violate plan mode's purpose (preventing codebase modifications during planning phase).

Tools that should work in plan mode:

  • mcp__sequential-thinking__sequentialthinking (analysis/reasoning)
  • mcp__fetch__fetch (web content fetching)
  • mcp__filesystem__read_* (file reading)
  • ✅ Other read-only MCP operations

Tools that should be blocked in plan mode:

  • mcp__filesystem__write_file (modifies codebase)
  • mcp__filesystem__edit_file (modifies codebase)
  • ❌ Other write/modification operations

Actual Behavior

All MCP tools are blocked unless explicitly listed in .claude/settings.jsonpermissions.allow[], regardless of whether they modify the codebase or not.

Error Message

sequential-thinking - sequentialthinking (MCP)(thought: "Starting comprehensive analysis..."
Error: Permission to use mcp__sequential-thinking__sequentialthinking has been auto-denied in dontAsk mode.

Steps to Reproduce

  1. Create .mcp.json with MCP servers:
{
  "mcpServers": {
    "sequential-thinking": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
    },
    "fetch": {
      "type": "stdio",
      "command": "uvx",
      "args": ["mcp-server-fetch"]
    }
  }
}
  1. Enable MCP in .claude/settings.json:
{
  "enableAllProjectMcpServers": true
}
  1. Start Claude Code in plan mode
  2. Try to use sequential-thinking or fetch tools
  3. Observe auto-denial error

Workaround

Add MCP wildcard to permissions allow list in .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Bash(npx:*)",
      // ... other permissions
      "mcp__*"
    ]
  }
}

Issue Analysis

The problem appears to be a permission layer inconsistency:

Layer 1: Tool Execution Permissions (.claude/settings.json)

  • Requires explicit permission even for read-only tools
  • No distinction between read-only and write operations

Layer 2: Plan Mode Restrictions (internal behavior)

  • Intended to prevent codebase modifications
  • Should allow read-only operations

Root cause: Layer 1 blocks MCP tools before Layer 2 can evaluate if they're safe for plan mode.

Questions

  1. Is "dontAsk mode" configurable by users? (No configuration found in project or global settings)
  2. Should read-only MCP tools require explicit permissions?
  3. Is the current behavior intentional, or is this a design oversight?

Environment

  • Claude Code Version: 2.0.53 (from VSCode extension)
  • Platform: Linux (Ubuntu/Debian)
  • MCP Servers: @modelcontextprotocol/server-sequential-thinking, mcp-server-fetch, @modelcontextprotocol/server-filesystem, @modelcontextprotocol/server-memory, @pinkpixel/npm-helper-mcp

Impact

This forces users to:

  • Grant blanket MCP permissions (mcp__*) even if they only want read-only tools
  • Reduces security granularity (can't distinguish read-only vs write operations)
  • Creates confusion about plan mode's purpose (why block analysis tools?)

Suggested Solutions

Option 1: Auto-allow read-only MCP tools in all modes

  • Safe: They don't modify system state
  • User-friendly: Respects explicit .mcp.json configuration
  • Consistent: Aligns with plan mode's stated purpose

Option 2: Add read/write permission categories

{
  "permissions": {
    "allow": ["mcp__*:read"],  // Allow all read operations
    "deny": ["mcp__*:write"]   // Block all write operations
  }
}

Option 3: Make "dontAsk mode" configurable

  • Let users decide when to be prompted vs auto-denied

Thank you for considering this issue! Happy to provide more details or test fixes.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗