[BUG] Cowork live artifact: connector tool calls on page load trigger one-shot Allow/Deny prompt with no "Always allow," even when connector permission is set to "Always Allow"

Resolved 💬 3 comments Opened May 8, 2026 by professionalsomething Closed Jun 10, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The artifact issues several execute_sql calls via window.cowork.callMcpTool on page load.
All queries are read-only SELECT statements.
The Supabase connector's execute_sql permission is set to "Always Allow."
On first open in a session, every distinct query produces its own Allow/Deny dialog (cascade of N popups for N distinct queries).
After the cascade is dismissed, subsequent calls within the same session do not re-prompt — including different query shapes.
Reopening the artifact in a fresh session reproduces the cascade.

Connector: Supabase MCP, execute_sql

The dialog appears to be a user-activation gate triggered by tool calls flagged as "can modify data" being invoked without a user click or keypress. The classification appears to be tool-level (execute_sql can write, therefore prompt) rather than call-level (this specific call is a read-only SELECT). This causes any artifact that fetches data from Postgres on load to hit the gate for every distinct query.

Impact:
Live artifacts that fan out into multiple Postgres queries — the canonical Cowork use case for connector-backed dashboards — become unusable on first open of each session.

What Should Happen?

Per the help docs ("What are artifacts and how do I use them?"): "When an artifact needs to access an MCP tool, you'll be prompted to approve access on first interaction. Your preferences persist for subsequent uses of that artifact." Connector settings also have execute_sql set to "Always Allow."

Concerns / asks:

Read-only SELECT queries should not be classified as "can modify data" calls; consider gating only on actual write/DDL.
The connector-level "Always Allow" setting does not appear to apply in the artifact context. If this is intentional (sound security argument), the dialog should say so; if not, the connector setting should suppress the gate for fetch-on-load.
Consider an artifact-manifest opt-in along the lines of "this artifact's mcp_tools calls are trusted to run on load," approved once at artifact creation.

Error Messages/Logs

The live artifact "[artifact name]" wants to call the connector tool "execute_sql", which can modify data. This happened without a click or keypress from you.

Steps to Reproduce

1) Build a live artifact issuing 3+ distinct read-only execute_sql calls via callMcpTool on page load.
2) Set Supabase execute_sql to Always Allow at the connector level.
3) Open the artifact in a fresh session.
4) Observe N Allow/Deny dialogs (no Always-allow option) before the artifact renders.

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.117 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗