Plugins should be able to ship default permission allowlists for their MCP tools (subagent flows broken otherwise)

Resolved 💬 1 comment Opened Jun 2, 2026 by federico-crespo-c Closed Jun 2, 2026

Problem

Claude Code plugins can ship MCP servers via plugin.json / .mcp.json, but the MCP tools they expose are subject to per-tool permission approval. The main session can approve interactively. Subagents spawned via the Agent tool cannot respond to permission prompts; the call fails silently and the subagent typically rationalises the failure as "the tool is not in my inventory" before falling back to whatever alternative path it can find.

Concrete reproduction

A plugin exposes three MCP render tools:

  • mcp__plugin_<plugin>_<plugin>__make_<format>_a
  • mcp__plugin_<plugin>_<plugin>__make_<format>_b
  • mcp__plugin_<plugin>_<plugin>__make_<format>_c

When the main session calls them, the user gets the standard permission prompt and can approve once. When the same session delegates to a general-purpose subagent and the subagent attempts the call, the call is silently denied. In our case the subagent wrote a Python fallback that imported the renderer module directly, claiming the MCP tool was not in its inventory. After we manually pre-allowed the three tools in \.claude/settings.local.json\ and re-ran the same prompt, the subagent went straight to the MCP tool and finished in roughly a third of the wall-clock time.

Tested with: Claude Code (current as of June 2026, Opus 4.7), plugin defined via \plugin.json\ + \.mcp.json\, tools using \FastMCP\ over stdio.

Current workaround

Document a one-time setup step in the plugin's README:

/permissions allow mcp__plugin_<plugin>_<plugin>__<tool>

for each MCP tool the plugin ships. Brittle, easy for new users to skip, scales badly as plugins add tools.

Proposed behaviour

Extend \plugin.json\ (or add a sibling \permissions.json\ referenced from it) so plugins can declare a default-allowed permission set:

{
  "name": "<plugin>",
  "defaultPermissions": {
    "allow": [
      "mcp__plugin_<plugin>_<plugin>__<tool>"
    ]
  }
}

On \/plugin install\, Claude Code shows a single consent dialog summarising what the plugin wants to be allowed without per-call approval. If the user accepts, the entries are merged into \settings.json\. Per-call prompts remain available for anything the user did not pre-allow.

Why this matters

Without it, plugin MCP tools are effectively unreliable for any flow that delegates to a subagent. Plugin authors either accept that delegated calls fail, ship awkward setup docs that users skip, or instruct users to manually edit \settings.local.json\ post-install.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗