permissions.ask is ignored for MCP tools in default mode

Resolved 💬 3 comments Opened May 12, 2026 by tavoletta Closed May 15, 2026

Summary

permissions.ask entries for MCP tools in ~/.claude/settings.json do not trigger a confirmation prompt. The tool call executes immediately, the same as if the entry were in allow.

Environment

  • Claude Code: 2.1.139
  • OS: macOS (Darwin 25.4.0)
  • Provider: Bedrock (CLAUDE_CODE_USE_BEDROCK=1)
  • Model: us.anthropic.claude-opus-4-7
  • Permission mode: default (no --permission-mode, no --dangerously-skip-permissions)

Repro

~/.claude/settings.json (relevant extract):

{
  "permissions": {
    "allow": [
      "mcp__atlassian__confluence_get_page",
      "mcp__atlassian__confluence_search"
    ],
    "ask": [
      "mcp__atlassian__confluence_add_label",
      "mcp__atlassian__confluence_update_page",
      "mcp__atlassian__confluence_create_page",
      "mcp__atlassian__confluence_delete_page",
      "mcp__atlassian__confluence_move_page",
      "mcp__atlassian__confluence_add_comment",
      "mcp__atlassian__confluence_reply_to_comment",
      "mcp__atlassian__confluence_upload_attachment",
      "mcp__atlassian__confluence_upload_attachments",
      "mcp__atlassian__confluence_delete_attachment"
    ]
  }
}

Restarted Claude Code. In a new session, invoked:

mcp__atlassian__confluence_add_label(page_id="000000000", name="test-gate-check")

Expected

Confirmation prompt before the MCP call is dispatched.

Actual

Call dispatched immediately. Server returned:

Failed to add label 'test-gate-check' to page 000000000: There is no content with the given id, or the calling user does not have permission to view the content

The error came from the Atlassian server — proving the call reached Confluence without any user confirmation.

Confirmed

  • Tool is not in any allow list (checked ~/.claude/settings.json, <cwd>/.claude/settings.json, <cwd>/.claude/settings.local.json).
  • No wildcard like mcp__atlassian__* or mcp__atlassian__confluence_* present anywhere.
  • No --dangerously-skip-permissions / --permission-mode flags on the process.
  • Same MCP server (atlassian), tools in allow from the same server work; tools in ask from the same server silently skip the prompt.

Impact

permissions.ask is documented as a mechanism to guard destructive operations. If it silently no-ops for MCP tools, users have no safety net short of moving them to deny.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗