[BUG] --allowed-tools flag doesn't filter tools in initialization message, causing unauthorized tool access attempts
When running Claude Code in headless mode with the --allowed-tools flag, the initialization message incorrectly displays all available tools instead of only the
allowed ones. This causes Claude to attempt using tools that aren't authorized, resulting in failures.
Steps to Reproduce
- Run Claude Code with limited tools:
claude -p "Hello!" --allowed-tools Bash(*),WebSearch
- Observe the initialization message that's displayed
Expected Behavior
The initialization message should only list the tools specified in --allowed-tools:
{
"type": "system",
"subtype": "init",
"session_id": "...",
"tools": [
"Bash",
"WebSearch"
],
"mcp_servers": [...]
}
Actual Behavior
The initialization message lists ALL available tools:
{
"type": "system",
"subtype": "init",
"session_id": "017d8f79-da3b-41d3-aa6d-3fbc49413ee0",
"tools": [
"Task",
"Bash",
"Glob",
"Grep",
"LS",
"Read",
"Edit",
"MultiEdit",
"Write",
"NotebookRead",
"NotebookEdit",
"WebFetch",
"TodoRead",
"TodoWrite",
"WebSearch",
"mcp__example__tool1",
"mcp__example__tool2",
"mcp__example__tool3"
],
"mcp_servers": [
{
"name": "example",
"status": "connected"
}
]
}
Impact
- Claude attempts to use tools that aren't in the allowed list
- These attempts fail when the tool is called
- This wastes tokens and causes confusion as Claude doesn't know which tools are actually available
Environment
- Claude Code CLI (headless mode)
- Platform: macOS Darwin 24.5.0
- Using MCP server integration
Additional Notes
The tool filtering works correctly at execution time (unauthorized tools fail when called), but the initialization message doesn't respect the --allowed-tools filter, causing Claude to believe all tools are available.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗