Claude Code CLI does not honor claude.ai MCP connector "approval required" settings

Open 💬 4 comments Opened Jun 1, 2026 by robinfritze

Summary

When you log into Claude Code with a claude.ai account, MCP connectors (e.g. Asana,
tool prefix mcp__claude_ai_<server>__...) are imported automatically — but their
per-tool "approval required" toggles from the claude.ai connector UI are not
applied in the CLI. The CLI only honors its own allow/ask/deny rules + permission mode.
There is no documented sync, so the connector approval settings silently have no effect
in CLI sessions.

This is the opposite failure direction from the routine/remote issues below: not
over-gating (blocked despite "always allow"), but under-gating — a toggle set to
"approval required" produces no prompt and the write runs silently.

Observed behavior

  • Connector UI has per-tool "approval required" switches set ON for write tools

(e.g. add_comment, update_tasks).

  • In a local CLI session in auto mode, those write tools ran with no permission prompt.
  • No allow rule existed in .claude/settings.local.json. Read tools (get_task) also

ran without a prompt.

  • Only an explicit permissions.ask rule in settings.local.json reliably produced prompts.

Expected behavior

Either:

  • (a) the CLI respects the connector's per-tool approval settings imported from claude.ai, or
  • (b) the docs explicitly state that connector approval toggles do not apply to the CLI

and point users to the ask/deny mechanism.

Right now it's an undocumented gap that's easy to misread as "writes are gated" when they aren't.

Impact / risk

Users who configured "approval required" in the connector reasonably assume writes are gated
in the CLI too. In auto mode the classifier can auto-approve MCP write tools without a prompt,
so destructive/external writes (posting comments, updating/deleting tasks) can happen silently
against the user's stated intent.

Suggested fix

Import and honor the connector's per-tool approval settings as implicit ask rules in the CLI —
or, at minimum, document the separation clearly in the MCP / permissions docs.

Workaround (works today)

Add an explicit ask rule per write tool in .claude/settings.local.json:

{
  "permissions": {
    "ask": [
      "mcp__claude_ai_Asana__add_comment",
      "mcp__claude_ai_Asana__update_tasks"
    ]
  }
}

ask/deny override the permission mode and hot-reload mid-session.

Environment

  • Claude Code CLI, logged in via claude.ai account
  • MCP connectors imported from claude.ai (Asana)

Related issues

  • #60385 — Remote Control web UI: MCP approval prompts never surface (different surface; prompt exists but doesn't render).
  • #61097 / #61143 (closed) — Routines: connector calls blocked despite "always allow" (opposite, over-gating direction).

These are adjacent but distinct; this report is about the local CLI silently skipping an approval the connector UI says is required.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗