`--allowedTools` wildcard pattern doesn't work for MCP tools

Resolved 💬 2 comments Opened Dec 4, 2025 by olehpalianytsiagr Closed Dec 4, 2025

When using the --allowedTools flag with a wildcard pattern for MCP tools (e.g., mcp__myserver__*), the pattern silently fails to match and tool calls are denied with a permission error.

Steps to Reproduce

  1. Configure an MCP server (e.g., HTTP type)
  2. Run Claude Code with a wildcard pattern for allowed tools:

``bash
claude --mcp-config '{"mcpServers":{"myserver":{"type":"http","url":"http://localhost:8000/mcp"}}}' \
--allowedTools "mcp__myserver__*" \
--print "Use mcp__myserver__some_tool to do something"
``

  1. The agent attempts to use the MCP tool but gets denied

Expected Behavior

The wildcard pattern mcp__myserver__* should match all tools from the myserver MCP server (e.g., mcp__myserver__tool_a, mcp__myserver__tool_b).

Actual Behavior

The wildcard pattern doesn't expand for MCP tools. The tool call is denied with:

"tool_use_result": "Error: Claude requested permissions to use mcp__myserver__some_tool, but you haven't granted it yet."

And in the result:

"permission_denials": [{"tool_name": "mcp__myserver__some_tool", ...}]

Workaround

Explicitly list each MCP tool name instead of using wildcards:

--allowedTools "mcp__myserver__tool_a,mcp__myserver__tool_b,mcp__myserver__tool_c"

Additional Context

  • Wildcards work for built-in tools (e.g., Bash(git:*))
  • The MCP server connects successfully and tools are listed in the init message
  • No error or warning is shown when the wildcard pattern fails to match
  • Tested with Claude Code CLI version 2.0.53
  • Also affects the Python Agent SDK which passes allowed_tools to --allowedTools

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗