`--allowedTools` wildcard pattern doesn't work for MCP tools
When using the --allowedTools flag with a wildcard pattern for MCP tools (e.g., mcp__myserver__*), the pattern silently fails to match and tool calls are denied with a permission error.
Steps to Reproduce
- Configure an MCP server (e.g., HTTP type)
- Run Claude Code with a wildcard pattern for allowed tools:
``bash``
claude --mcp-config '{"mcpServers":{"myserver":{"type":"http","url":"http://localhost:8000/mcp"}}}' \
--allowedTools "mcp__myserver__*" \
--print "Use mcp__myserver__some_tool to do something"
- The agent attempts to use the MCP tool but gets denied
Expected Behavior
The wildcard pattern mcp__myserver__* should match all tools from the myserver MCP server (e.g., mcp__myserver__tool_a, mcp__myserver__tool_b).
Actual Behavior
The wildcard pattern doesn't expand for MCP tools. The tool call is denied with:
"tool_use_result": "Error: Claude requested permissions to use mcp__myserver__some_tool, but you haven't granted it yet."
And in the result:
"permission_denials": [{"tool_name": "mcp__myserver__some_tool", ...}]
Workaround
Explicitly list each MCP tool name instead of using wildcards:
--allowedTools "mcp__myserver__tool_a,mcp__myserver__tool_b,mcp__myserver__tool_c"
Additional Context
- Wildcards work for built-in tools (e.g.,
Bash(git:*)) - The MCP server connects successfully and tools are listed in the init message
- No error or warning is shown when the wildcard pattern fails to match
- Tested with Claude Code CLI version 2.0.53
- Also affects the Python Agent SDK which passes
allowed_toolsto--allowedTools
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗