DISABLE_TOOL_VALIDATION doesn't affect SDK-level allowed_tools, blocking MCP tools

[alexgorbatchev]

Problem

When using MCP servers (e.g., Home Assistant MCP), all mcp__* tool calls are blocked because:

1. DISABLE_TOOL_VALIDATION=true only skips the bot-side ToolMonitor checks in monitor.py
2. The hardcoded default claude_allowed_tools list (17 tools) is still passed to ClaudeAgentOptions(allowed_tools=...) in sdk_integration.py:177
3. The Claude Code CLI enforces this list independently, blocking any tool not in the default list

This means MCP tools like mcp__home-assistant__ha_get_overview are always blocked, regardless of DISABLE_TOOL_VALIDATION.

Why CLAUDE_ALLOWED_TOOLS doesn't help

The env var uses exact string matching (tool_name not in list), so prefix patterns like mcp__home-assistant don't match mcp__home-assistant__ha_get_overview. Users would need to list every individual MCP tool name, which is impractical since MCP servers can expose dozens of tools and the list changes when the server is updated.

Expected behavior

When DISABLE_TOOL_VALIDATION=true, the SDK should receive allowed_tools=None (allow all) instead of the hardcoded default list. This would let the Claude Code CLI allow all tools, including MCP tools.

Suggested fix

In sdk_integration.py, check disable_tool_validation before passing the list:

options = ClaudeAgentOptions(
    allowed_tools=None if self.config.disable_tool_validation else self.config.claude_allowed_tools,
    disallowed_tools=None if self.config.disable_tool_validation else self.config.claude_disallowed_tools,
    ...
)

Alternatively, support wildcard/prefix matching in CLAUDE_ALLOWED_TOOLS (e.g., mcp__home-assistant matching all tools from that server).

Workaround

We're currently patching sdk_integration.py in our container entrypoint to replace allowed_tools=self.config.claude_allowed_tools with allowed_tools=None when DISABLE_TOOL_VALIDATION=true.

[alexgorbatchev]

Update: Found working solution

The workaround in the original report (patching allowed_tools=None) doesn't actually work — None doesn't mean "allow all" in the SDK, it falls through to the default permission mode which still blocks MCP tools.

What works

The Claude Agent SDK supports wildcard patterns in allowed_tools:

allowed_tools=["mcp__home-assistant__*", "Read", "Write", "Edit", "Bash", ...]

The mcp__<server-name>__* pattern pre-approves all tools from that MCP server without needing bypassPermissions (which is blocked when running as root in containers).

Updated workaround

We patch sdk_integration.py in our entrypoint to replace the hardcoded default list with one that includes MCP wildcards:

allowed_tools=["mcp__home-assistant__*", "Read", "Write", "Edit", "Bash", "Glob", "Grep", "LS", "Task", "TaskOutput", "MultiEdit", "NotebookRead", "NotebookEdit", "WebFetch", "WebSearch", "TodoRead", "TodoWrite", "Skill"],

Suggested improvement

CLAUDE_ALLOWED_TOOLS should support wildcard patterns (e.g., mcp__home-assistant__*) instead of requiring exact matches. This would let users configure MCP tool access via env var without patching source code.

[RichardAtCT]

I am in the process of migrating how tool calls are controlled - let's revisit once I pull that into main?