[BUG] Claude Code Routines (CCR) with MCP connectors blocked by silent permission gate — regression since ~2026-05-20/21

Resolved 💬 4 comments Opened May 21, 2026 by ludobos Closed May 23, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Since approximately 2026-05-21 (UTC morning), scheduled Claude Code Routines that use MCP connectors
silently fail to do any work.

The trigger fires correctly (last_fired_at updates on schedule), a session opens on claude.ai and is
visible in the Runs history with a "completed" green checkmark, but the routine cannot actually execute
MCP tool calls without a per-call permission prompt — even for MCP servers that are explicitly attached to
the trigger and that the same routine had used unattended for weeks.

Because the session "completes" cleanly (the model gives up and writes a post-mortem), no failure surfaces
in the UI. The only way to detect the broken state is an external watchdog noticing the missing
downstream effect.

What Should Happen?

MCP tools whose servers are explicitly attached to a Routine trigger should execute without per-call
permission prompts when the routine is invoked by its scheduled cron (or POST
/v1/code/triggers/{id}/run
). This was the behavior in place for weeks before 2026-05-20.

If a new permission gate is intentional, it should be:

  • documented in a changelog;
  • exposed via the trigger API (e.g. a permission_mode / bypassPermissions field on session_context);
  • opt-in, not retroactively enforced on existing triggers.

Error Messages/Logs

Excerpt from the transcript of a session triggered manually at ~2026-05-21 10:00 UTC (after attempted
  config workarounds):
  
    Step 1-3: Execute Health Check Queries
    Utilisé supabase-report: execute sql
    I need to execute SQL queries against your Supabase database to complete the pipeline health check.
    These are read-only queries that inspect the health of your signal ingestion pipeline,
    agent sessions, and system invariants.
    Shall I proceed with executing these queries to complete the health check routine?
    
  The model is interrupting itself mid-routine to ask the user for approval — inside a scheduled job that
  runs while no human is at the keyboard.
  
  `RemoteTrigger get` shows no field that disables this prompt. `permitted_tools` on `mcp_connections`
  exists but does not pre-approve tool calls (see Steps to Reproduce).

Steps to Reproduce

  1. Create a Routine with at least one MCP connector attached (e.g. a Supabase MCP) and a scheduled

trigger.

  1. Make the routine prompt instruct the model to use that MCP, e.g. "Use MCP supabase-report for

execute_sql queries".

  1. Wait for the scheduled run, or call POST /v1/code/triggers/{id}/run.
  2. Observe via the API that last_fired_at updates correctly.
  3. Observe in the claude.ai UI that the session opens and quickly "completes" with a green checkmark.
  4. Observe that no MCP tool calls actually executed — the transcript shows the model asking the user for

approval mid-routine.

Workarounds attempted, all unsuccessful:

  • Setting mcp_connections[].permitted_tools = ["execute_sql"] (bare tool names) → still blocked.
  • Adding mcp__<server>__<tool> entries to job_config.ccr.session_context.allowed_tools (SDK-style

namespaced names) → still blocked.

The exact same routine ran nominally every day for 14 days before 2026-05-20 with zero permitted_tools
and zero MCP entries in allowed_tools. No code or config change on our side between the last successful
run and the first broken run.

Claude Model

Other

Is this a regression?

Yes, this worked in a previous version

Last Working Version

Last successful run: 2026-05-20 06:26:44Z (wrote output to DB at 06:32 UTC). First broken run: 2026-05-21 06:27:29Z (trigger last_fired_at updated, but no session/output produced).

Claude Code Version

2.1.146 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Affected trigger IDs in our account:

  • trig_01AL4PZ6cHqNSDqS2gcTfkAy (pipeline-health-check, cron 27 6 * * *, daily critical sentinel)
  • trig_011Lc7hQKGgrdFviAgoG7ApU (email-harvester, cron 45 6 * * *)

Account UUID: cd2c5c63-fd1a-44e5-bc1e-aec312eb9a11

Manual re-runs via POST /run on 2026-05-21 at 09:25 UTC and 10:00 UTC: same symptom, blocked on MCP
permission prompt after two config workaround attempts (both reverted).

Happy to share full transcripts or trigger configs privately if useful.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗