[FEATURE] alwaysAllow config per MCP server in claude_desktop_config.json — required for autonomous Cowork operation

Resolved 💬 2 comments Opened Apr 13, 2026 by chayB0207 Closed Jun 25, 2026

Summary

Add an alwaysAllow array to each MCP server entry in claude_desktop_config.json that permanently pre-approves specified tools without requiring manual confirmation on every session.

{
  "mcpServers": {
    "github": {
      "command": "...",
      "args": ["stdio"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "..." },
      "alwaysAllow": ["list_pull_requests", "list_issues", "get_file_contents", "add_issue_comment"]
    },
    "cloudflare": {
      "command": "...",
      "alwaysAllow": ["*"]
    }
  }
}

---

Why this is blocking — not a quality-of-life request

This is a prerequisite for the autonomous agentic workflow Cowork is designed to enable.

Our setup: Claude in Cowork operates as PM, System Architect, and Engineering Lead for a consulting firm (72 Degrees Consulting). It manages a GitHub pipeline across multiple repos, orchestrates parallel Code (Claude Code) and Codex sessions, creates and triages issues, monitors PRs, and maintains shared project state — all without requiring a human in the loop for routine pipeline decisions.

What approval prompts do to this architecture: Every new Cowork session requires manual approval for every MCP tool before anything can happen. Our GitHub MCP server alone exposes 40+ tools. Cloudflare MCP exposes another 30+. The moment Cowork needs to act autonomously — while the user is away, while parallel tasks are running, while it is managing a pipeline — it stalls on a prompt no one is watching.

This is not delegation. It is babysitting. The architecture breaks entirely.

Related bugs that compound this:

  • #24433 — "Always allow" does not persist across sessions. Closed as not planned and locked. Users cannot even comment to push back.
  • #47041 — Child task sessions do not inherit parent mount permissions, requiring separate approval dialogs for every parallel subagent spawned.

Together, these three issues make sustained autonomous operation impossible. Every multi-step pipeline stalls. Every parallel workstream requires simultaneous human presence. The Cowork proposition — that Claude can act as a capable autonomous agent — cannot be delivered.

---

Why this is safe to ship

The alwaysAllow config is:

  • Explicit opt-in. Users who want the safety prompts keep them. Nothing changes for anyone who doesn't add the field.
  • User-controlled scope. You can whitelist specific tools, not entire servers. Granularity is preserved.
  • No new attack surface. The user has already installed the MCP server and provided its credentials. Pre-approving specific read/write tools on a server you've already trusted is not a meaningful security regression.
  • A solved pattern. Every other serious agentic tool — LangChain, AutoGen, CrewAI — has a mechanism for pre-authorising tool calls. Cowork is the only one that doesn't.

The existing prompt with its safety warning remains correct and valuable for users who haven't opted in. This feature is purely additive.

---

What I'm asking for

  1. Reopen #24433 or treat this as the replacement feature request.
  2. Implement alwaysAllow per MCP server in claude_desktop_config.json.
  3. Optionally: a global "alwaysAllow": true flag at the Cowork settings level for users who want full autonomy and accept the risk.

Without this, Cowork cannot function as an autonomous agent in any meaningful sense. That is a product-level problem, not a power-user inconvenience.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗