system message doesn't contain actual tools field
When I run claude with --output-format=stream-json:
claude -p "fetch http://www.example.com" --output-format=stream-json --verbose
I receive the following JSON:
{
"type": "system",
"subtype": "init",
"cwd": "/home/ubuntu/d/vvv",
"session_id": "01f271e3-b973-4c09-b518-b01a5feb030b",
"tools": [
"Task",
"Bash",
"Glob",
"Grep",
"LS",
"exit_plan_mode",
"Read",
"Edit",
"MultiEdit",
"Write",
"NotebookRead",
"NotebookEdit",
"WebFetch",
"TodoRead",
"TodoWrite",
"WebSearch",
"mcp__puppeteer__puppeteer_navigate",
"mcp__puppeteer__puppeteer_screenshot",
"mcp__puppeteer__puppeteer_click",
"mcp__puppeteer__puppeteer_fill",
"mcp__puppeteer__puppeteer_select",
"mcp__puppeteer__puppeteer_hover",
"mcp__puppeteer__puppeteer_evaluate",
"ListMcpResourcesTool",
"ReadMcpResourceTool"
],
"mcp_servers": [
{
"name": "puppeteer",
"status": "connected"
}
],
"model": "claude-opus-4-20250514",
"permissionMode": "default",
"apiKeySource": "none"
}
However, the tools field seems misleading because it doesn’t reflect the actual tool permissions.
(Thus, this prompt fails because it lacks the WebFetch permission.)
It should take into account the --allowedTools and --disallowedTools options.
I’m currently invoking claude code as a subprocess, and I’m considering the proper way to escalate permissions without user interaction. Since the assistant’s messages include tool_use content with the exact tool names the agent requests, if I retrieve the current permissions from the system message, the orchestrator can detect permission issues without using unreliable prompt engineering.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗