[BUG] Claude Code Routines (CCR) with MCP connectors blocked by silent permission gate — regression since ~2026-05-20/21
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Since approximately 2026-05-21 (UTC morning), scheduled Claude Code Routines that use MCP connectors
silently fail to do any work.
The trigger fires correctly (last_fired_at updates on schedule), a session opens on claude.ai and is
visible in the Runs history with a "completed" green checkmark, but the routine cannot actually execute
MCP tool calls without a per-call permission prompt — even for MCP servers that are explicitly attached to
the trigger and that the same routine had used unattended for weeks.
Because the session "completes" cleanly (the model gives up and writes a post-mortem), no failure surfaces
in the UI. The only way to detect the broken state is an external watchdog noticing the missing
downstream effect.
What Should Happen?
MCP tools whose servers are explicitly attached to a Routine trigger should execute without per-call
permission prompts when the routine is invoked by its scheduled cron (or POST). This was the behavior in place for weeks before 2026-05-20.
/v1/code/triggers/{id}/run
If a new permission gate is intentional, it should be:
- documented in a changelog;
- exposed via the trigger API (e.g. a
permission_mode/bypassPermissionsfield onsession_context); - opt-in, not retroactively enforced on existing triggers.
Error Messages/Logs
Excerpt from the transcript of a session triggered manually at ~2026-05-21 10:00 UTC (after attempted
config workarounds):
Step 1-3: Execute Health Check Queries
Utilisé supabase-report: execute sql
I need to execute SQL queries against your Supabase database to complete the pipeline health check.
These are read-only queries that inspect the health of your signal ingestion pipeline,
agent sessions, and system invariants.
Shall I proceed with executing these queries to complete the health check routine?
The model is interrupting itself mid-routine to ask the user for approval — inside a scheduled job that
runs while no human is at the keyboard.
`RemoteTrigger get` shows no field that disables this prompt. `permitted_tools` on `mcp_connections`
exists but does not pre-approve tool calls (see Steps to Reproduce).
Steps to Reproduce
- Create a Routine with at least one MCP connector attached (e.g. a Supabase MCP) and a scheduled
trigger.
- Make the routine prompt instruct the model to use that MCP, e.g. "Use MCP supabase-report for
execute_sql queries".
- Wait for the scheduled run, or call
POST /v1/code/triggers/{id}/run. - Observe via the API that
last_fired_atupdates correctly. - Observe in the claude.ai UI that the session opens and quickly "completes" with a green checkmark.
- Observe that no MCP tool calls actually executed — the transcript shows the model asking the user for
approval mid-routine.
Workarounds attempted, all unsuccessful:
- Setting
mcp_connections[].permitted_tools = ["execute_sql"](bare tool names) → still blocked. - Adding
mcp__<server>__<tool>entries tojob_config.ccr.session_context.allowed_tools(SDK-style
namespaced names) → still blocked.
The exact same routine ran nominally every day for 14 days before 2026-05-20 with zero permitted_tools
and zero MCP entries in allowed_tools. No code or config change on our side between the last successful
run and the first broken run.
Claude Model
Other
Is this a regression?
Yes, this worked in a previous version
Last Working Version
Last successful run: 2026-05-20 06:26:44Z (wrote output to DB at 06:32 UTC). First broken run: 2026-05-21 06:27:29Z (trigger last_fired_at updated, but no session/output produced).
Claude Code Version
2.1.146 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Affected trigger IDs in our account:
trig_01AL4PZ6cHqNSDqS2gcTfkAy(pipeline-health-check, cron27 6 * * *, daily critical sentinel)trig_011Lc7hQKGgrdFviAgoG7ApU(email-harvester, cron45 6 * * *)
Account UUID: cd2c5c63-fd1a-44e5-bc1e-aec312eb9a11
Manual re-runs via POST /run on 2026-05-21 at 09:25 UTC and 10:00 UTC: same symptom, blocked on MCP
permission prompt after two config workaround attempts (both reverted).
Happy to share full transcripts or trigger configs privately if useful.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗