[BUG] MCP wildcard permissions not being honored.

Resolved 💬 2 comments Opened Jul 7, 2025 by bigboy1122 Closed Jul 7, 2025

---
Environment

  • Claude CLI version: 1.0.43 (Claude Code)
  • Operating System: macOS Darwin 24.4.0
  • Terminal: Terminal App

Bug Description

Wildcard permissions for MCP (Model Context Protocol) tools are not working as expected. Despite having mcp__atlassian__* in the permissions allow list, Claude Code still prompts for permission
when using specific MCP functions.

Steps to Reproduce

  1. Add wildcard permission to .claude/settings.local.json:

{
"permissions": {
"allow": [
"mcp__atlassian__*"
],
"deny": []
}
}

  1. Start a new Claude session and use an MCP function that hasn't been explicitly used before (e.g., mcp__atlassian__addCommentToJiraIssue)
  2. Observe that Claude Code prompts for permission with options including "Yes, and don't ask again for atlassian:addCommentToJiraIssue commands"
  3. After accepting, the specific permission is added to settings file alongside the wildcard

Expected Behavior

The wildcard pattern mcp__atlassian__* should match all MCP functions starting with that prefix, allowing them to execute without permission prompts. This should include:

  • mcp__atlassian__getJiraIssue
  • mcp__atlassian__addCommentToJiraIssue
  • mcp__atlassian__searchJiraIssuesUsingJql
  • Any other function matching the pattern

Actual Behavior

Despite the wildcard pattern, Claude Code still prompts for permission for each new MCP function. After granting permission, the specific function is added to the allow list, resulting in
redundant entries:
{
"permissions": {
"allow": [
"mcp__atlassian__*",
"mcp__atlassian__addCommentToJiraIssue"
],
"deny": []
}
}

Additional Context

  • This defeats the purpose of wildcard permissions for MCP tools
  • The wildcard pattern works for other tools (e.g., Bash(*)), but not for MCP namespaced functions
  • This may indicate that MCP tool permissions use a different matching mechanism than standard tools
  • The issue makes it difficult to pre-authorize all functions from an MCP server without knowing every function name in advance

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗