permissions.ask is ignored for MCP tools in default mode
Resolved 💬 3 comments Opened May 12, 2026 by tavoletta Closed May 15, 2026
Summary
permissions.ask entries for MCP tools in ~/.claude/settings.json do not trigger a confirmation prompt. The tool call executes immediately, the same as if the entry were in allow.
Environment
- Claude Code: 2.1.139
- OS: macOS (Darwin 25.4.0)
- Provider: Bedrock (
CLAUDE_CODE_USE_BEDROCK=1) - Model:
us.anthropic.claude-opus-4-7 - Permission mode:
default(no--permission-mode, no--dangerously-skip-permissions)
Repro
~/.claude/settings.json (relevant extract):
{
"permissions": {
"allow": [
"mcp__atlassian__confluence_get_page",
"mcp__atlassian__confluence_search"
],
"ask": [
"mcp__atlassian__confluence_add_label",
"mcp__atlassian__confluence_update_page",
"mcp__atlassian__confluence_create_page",
"mcp__atlassian__confluence_delete_page",
"mcp__atlassian__confluence_move_page",
"mcp__atlassian__confluence_add_comment",
"mcp__atlassian__confluence_reply_to_comment",
"mcp__atlassian__confluence_upload_attachment",
"mcp__atlassian__confluence_upload_attachments",
"mcp__atlassian__confluence_delete_attachment"
]
}
}
Restarted Claude Code. In a new session, invoked:
mcp__atlassian__confluence_add_label(page_id="000000000", name="test-gate-check")
Expected
Confirmation prompt before the MCP call is dispatched.
Actual
Call dispatched immediately. Server returned:
Failed to add label 'test-gate-check' to page 000000000: There is no content with the given id, or the calling user does not have permission to view the content
The error came from the Atlassian server — proving the call reached Confluence without any user confirmation.
Confirmed
- Tool is not in any
allowlist (checked~/.claude/settings.json,<cwd>/.claude/settings.json,<cwd>/.claude/settings.local.json). - No wildcard like
mcp__atlassian__*ormcp__atlassian__confluence_*present anywhere. - No
--dangerously-skip-permissions/--permission-modeflags on the process. - Same MCP server (
atlassian), tools inallowfrom the same server work; tools inaskfrom the same server silently skip the prompt.
Impact
permissions.ask is documented as a mechanism to guard destructive operations. If it silently no-ops for MCP tools, users have no safety net short of moving them to deny.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗