[BUG] --allowed-tools flag doesn't filter tools in initialization message, causing unauthorized tool access attempts

Resolved 💬 3 comments Opened May 30, 2025 by jdsalomon Closed Dec 7, 2025

When running Claude Code in headless mode with the --allowed-tools flag, the initialization message incorrectly displays all available tools instead of only the
allowed ones. This causes Claude to attempt using tools that aren't authorized, resulting in failures.

Steps to Reproduce

  1. Run Claude Code with limited tools:

claude -p "Hello!" --allowed-tools Bash(*),WebSearch

  1. Observe the initialization message that's displayed

Expected Behavior

The initialization message should only list the tools specified in --allowed-tools:
{
"type": "system",
"subtype": "init",
"session_id": "...",
"tools": [
"Bash",
"WebSearch"
],
"mcp_servers": [...]
}

Actual Behavior

The initialization message lists ALL available tools:
{
"type": "system",
"subtype": "init",
"session_id": "017d8f79-da3b-41d3-aa6d-3fbc49413ee0",
"tools": [
"Task",
"Bash",
"Glob",
"Grep",
"LS",
"Read",
"Edit",
"MultiEdit",
"Write",
"NotebookRead",
"NotebookEdit",
"WebFetch",
"TodoRead",
"TodoWrite",
"WebSearch",
"mcp__example__tool1",
"mcp__example__tool2",
"mcp__example__tool3"
],
"mcp_servers": [
{
"name": "example",
"status": "connected"
}
]
}

Impact

  • Claude attempts to use tools that aren't in the allowed list
  • These attempts fail when the tool is called
  • This wastes tokens and causes confusion as Claude doesn't know which tools are actually available

Environment

  • Claude Code CLI (headless mode)
  • Platform: macOS Darwin 24.5.0
  • Using MCP server integration

Additional Notes

The tool filtering works correctly at execution time (unauthorized tools fail when called), but the initialization message doesn't respect the --allowed-tools filter, causing Claude to believe all tools are available.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗