system message doesn't contain actual tools field

Resolved 💬 4 comments Opened Jul 6, 2025 by hirochachacha Closed Jan 7, 2026

When I run claude with --output-format=stream-json:

claude -p "fetch http://www.example.com" --output-format=stream-json --verbose

I receive the following JSON:

{
  "type": "system",
  "subtype": "init",
  "cwd": "/home/ubuntu/d/vvv",
  "session_id": "01f271e3-b973-4c09-b518-b01a5feb030b",
  "tools": [
    "Task",
    "Bash",
    "Glob",
    "Grep",
    "LS",
    "exit_plan_mode",
    "Read",
    "Edit",
    "MultiEdit",
    "Write",
    "NotebookRead",
    "NotebookEdit",
    "WebFetch",
    "TodoRead",
    "TodoWrite",
    "WebSearch",
    "mcp__puppeteer__puppeteer_navigate",
    "mcp__puppeteer__puppeteer_screenshot",
    "mcp__puppeteer__puppeteer_click",
    "mcp__puppeteer__puppeteer_fill",
    "mcp__puppeteer__puppeteer_select",
    "mcp__puppeteer__puppeteer_hover",
    "mcp__puppeteer__puppeteer_evaluate",
    "ListMcpResourcesTool",
    "ReadMcpResourceTool"
  ],
  "mcp_servers": [
    {
      "name": "puppeteer",
      "status": "connected"
    }
  ],
  "model": "claude-opus-4-20250514",
  "permissionMode": "default",
  "apiKeySource": "none"
}

However, the tools field seems misleading because it doesn’t reflect the actual tool permissions.
(Thus, this prompt fails because it lacks the WebFetch permission.)

It should take into account the --allowedTools and --disallowedTools options.

I’m currently invoking claude code as a subprocess, and I’m considering the proper way to escalate permissions without user interaction. Since the assistant’s messages include tool_use content with the exact tool names the agent requests, if I retrieve the current permissions from the system message, the orchestrator can detect permission issues without using unreliable prompt engineering.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗