Remote routines cannot bypass MCP tool approval gate (CreateSessionRequest has no permission_mode field)

Resolved 💬 3 comments Opened May 21, 2026 by vinguyen-arent Closed May 23, 2026

Summary

Remote scheduled routines (created via /schedule / RemoteTrigger API) cannot bypass the Claude Code MCP tool approval prompt. Every MCP tool call inside a routine hits a "needs your approval to proceed" gate, but headless remote runs have no UI to approve, so the routine fails. There appears to be no equivalent of --dangerously-skip-permissions exposed in the API schema.

Steps to reproduce

  1. Create a routine that calls any MCP connector (e.g., Google Drive search_files, Notion notion-create-pages).
  2. Run it (cron-scheduled or manual RemoteTrigger run).
  3. The routine logs:

``
Used Google-Drive: search files
The Google Drive tool needs your approval to proceed — please allow the MCP call when prompted. Re-attempting now.
``

  1. The agent loops on approval prompts and never completes the workflow. No Notion row / Drive interaction actually happens.

What I tried (all failed)

| Attempt | Where | Result |
|---|---|---|
| mcp_connections[].permitted_tools: ["search_files", "read_file_content", …] | mcp connection | HTTP 200 — but approval still required |
| mcp_connections[].permitted_tools: ["*"] | mcp connection | HTTP 200 — but approval still required |
| session_context.allowed_tools: ["mcp__Google-Drive", "mcp__Google-Drive__search_files", …] | session | HTTP 200 — but approval still required |
| session_context.permission_mode: "bypassPermissions" | session | HTTP 400 unknown field "permission_mode" |
| session_context.dangerously_skip_permissions: true | session | HTTP 400 unknown field |
| session_context.bypass_permissions: true | session | HTTP 400 unknown field |
| session_context.skip_permissions: true | session | HTTP 400 unknown field |
| session_context.auto_approve: true | session | HTTP 400 unknown field |
| session_context.settings: {permissions: {allow: [...]}} | session | HTTP 400 unknown field |
| session_context.permissions: {allow: [...]} | session | HTTP 400 unknown field |
| session_context.env: {CLAUDE_DANGEROUSLY_SKIP_PERMISSIONS: "1"} | session | HTTP 400 unknown field |
| job_config.ccr.permission_mode / bypass_permissions | ccr | HTTP 400 unknown field |

The server reports the proto type as CreateSessionRequest (error: translate job_config v1→v2: job_config is not a valid CreateSessionRequest: proto: ... unknown field).

Expected behavior

Routines should provide a way to either:

  1. Auto-approve all MCP tool calls (permission_mode: "bypassPermissions"), OR
  2. Auto-approve a specific allowlist of MCP tools via either:
  • permitted_tools on mcp_connections[] (the field exists but does not actually skip approval), or
  • allowed_tools on session_context (the field exists but does not actually skip approval for MCP tools)

Actual behavior

permitted_tools and allowed_tools are silently no-ops for MCP approval. The routine cannot run unattended. Any routine that depends on connectors other than the Claude GitHub App (which appears bypassed) is effectively broken.

Impact

  • Two of my production routines (daily meeting memo sync, weekly SQA bug batch) have been silently failing since the connectors were attached. There is no error surfaced to the cron scheduler — last_fired_at updates but no Notion/Drive writes happen.
  • Workaround: rewrite the routines to call Notion/Google REST APIs directly via Bash + curl + tokens stored in a private git source. This defeats the purpose of MCP connectors.

Workaround proposed (not great)

  • Skip MCP. Bake long-lived integration tokens into a private repo cloned as sources. Use Bash + curl for everything.

Ask

Please expose permission_mode (or equivalent) on CreateSessionRequest for routines, OR make permitted_tools/allowed_tools actually skip approval as their naming suggests.

Environment

  • Routine API used via Claude Code in-process auth (no curl).
  • Tested on env env_01WaEV5cppQjQegViV3rcxEM (Default, anthropic_cloud).
  • Model: claude-sonnet-4-6.
  • Connectors: Google Drive (a0cc30be-…), Notion (9456db5b-…).

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗