Global permissions not being applied at session start - prompts for already-configured MCP tools
Resolved 💬 3 comments Opened Feb 19, 2026 by shahzaibyounis Closed Feb 22, 2026
Claude Code is prompting for permissions on MCP tools that are already configured in the global permissions.allow list in ~/.claude.json. This happens at every session start, even though the permissions were previously granted and saved.
Steps to Reproduce
- Grant permission for MCP tools (e.g.,
mcp__ado__work_list_team_iterations) - Verify the permission is saved in
~/.claude.jsonunderpermissions.allow - Exit Claude Code and start a new session
- Attempt to use the same MCP tool again
- Claude Code prompts for permission again despite it being in the config
Expected Behavior
- Global permissions in
~/.claude.json→permissions.allowshould be loaded at session start - Previously-approved tools should not prompt for permission again
- Project-level
allowedToolsshould inherit or respect global permissions
Actual Behavior
- Claude Code prompts for permissions on every session start
- Global permissions exist but are not being applied
- Project-level
allowedToolsarray remains empty even after global permission is granted
Evidence from ~/.claude.json
Global permissions show approved tools:
"permissions": {
"allow": [
"mcp__ado__work_list_team_iterations",
"mcp__ado__wit_get_work_items_for_iteration",
"mcp__ado__wit_get_work_items_batch_by_ids",
// ... other approved tools
]
}
But project-level config shows empty allowedTools:
"projects": {
"/path/to/project": {
"allowedTools": [],
// ... rest of project config
}
}
Environment
- Claude Code version: 2.1.47
- Platform: macOS (Darwin 25.3.0)
- Shell: zsh
- Install method: native
- MCP servers: ADO (Azure DevOps) MCP tools via official marketplace
Possible Root Cause
The permission system may not be:
- Reading global
permissions.allowat session initialization, OR - Properly syncing global permissions to project-level
allowedTools, OR - Checking both global and project-level permissions during tool execution
Related Question
Is there a difference between how permissions.allow (global) and allowedTools (project-level) should work? Should tools approved globally automatically be available at the project level, or do they require separate approval?
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗