[BUG] deniedMcpServers serverName regex rejects plugin MCP server names
Preflight Checklist - [x] I have searched existing issues and this hasn't been reported yet - [x] This is a single bug report - [x] I am using the latest version of Claude Code
What's Wrong?
There's no way to globally disable a specific MCP server from a plugin while keeping the plugin's skills, agents, and commands active.
The deniedMcpServers setting in settings.json should be the mechanism for this, but its serverName field uses a regex that only allows [a-zA-Z0-9_-]. Plugin MCP server names use the format plugin:<pluginName>:<serverKey> which contains colons — so the validation rejects them.
Worse, adding a colon-containing serverName doesn't just reject that entry — it silently skips the entire settings.json file, breaking all other settings (statusLine, permissions, hooks, env vars, etc.) with no user-visible error.
The same issue affects allowedMcpServers.
What Should Happen?
- The
serverNameregex should allow colons (and dots) to match the plugin server name format - Users should be able to globally deny a plugin's MCP server without disabling the entire plugin
- A validation error on one setting entry should not cause the entire settings file to be skipped
Error Messages/Logs
/home/user/.claude/settings.json
└ deniedMcpServers
└ 0
└ serverName: Server name can only contain letters, numbers, hyphens, and underscores
Files with errors are skipped entirely, not just the invalid settings.
Steps to Reproduce
- Install a plugin that provides an MCP server (e.g. context7-plugin)
- Note that the plugin also provides skills you want to keep
- Add to
~/.claude/settings.json:
{
"deniedMcpServers": [
{ "serverName": "plugin:context7-plugin:context7" }
]
}
- Restart Claude Code
- Observe: entire settings.json is skipped — statusLine, hooks, permissions, env vars all stop working
- Remove the entry to restore settings
Is this a regression? No, this never worked
Claude Code Version: 2.1.34
Platform: Claude subscription (Anthropic API)
Operating System: Other Linux (WSL2)
Terminal/Shell: Warp (bash)
Additional Information
Use case: The context7 plugin's MCP server uses HTTP with OAuth which intermittently invalidates and causes connection failures. I also have the official context7 npm MCP server (@upstash/context7-mcp) configured separately in ~/.claude.json with my own API key, which is always reliable. I want to globally deny the plugin's duplicate HTTP server while keeping the plugin active for its skills — deniedMcpServers is the right mechanism but it can't match plugin server names due to the regex.
Current workarounds:
- Per-project only: Spacebar toggle in
/pluginsUI disables per-project, but must be repeated for every project - Nuclear option: Set plugin to
falseinenabledPlugins— but this removes skills, agents, and commands too
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗