PreToolUse hook permissionDecision 'deny' not enforced for MCP server tool calls

[serrurco]

Bug Description

PreToolUse hooks that return permissionDecision: "deny" are not enforced when the target tool is an MCP server tool. The hook fires correctly and returns a valid deny response, but the MCP tool call proceeds anyway.

Reproduction Steps

1. Register a PreToolUse hook in ~/.claude/settings.json targeting an MCP tool:

{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [
          {
            "command": "/path/to/hook.sh",
            "type": "command"
          }
        ],
        "matcher": "mcp__my_server__my_tool"
      }
    ]
  }
}

2. The hook script reads stdin and returns a deny decision:

#!/bin/bash
INPUT=$(cat)
echo "BLOCKED: reason here"
echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"reason here"}}'
exit 0

3. When Claude calls the MCP tool, the hook fires and returns deny, but the MCP tool call is executed anyway.

Expected Behavior

The MCP tool call should be blocked, and the model should see the deny reason — identical to how PreToolUse deny works for built-in tools (Bash, Read, Write, etc.).

Actual Behavior

The hook fires, returns permissionDecision: "deny", but the MCP tool call proceeds and succeeds. The deny decision is effectively ignored.

Context

This was discovered while running multiple Claude Code instances in tmux panes with an identity enforcement hook. The hook correctly detects when an agent tries to send a message as a different identity via an MCP-based messaging server, returns deny, but the message is sent anyway.

Verified:

• Hook script works correctly when tested manually (echo '...' | hook.sh)
• Hook IS registered with the correct matcher pattern
• Built-in tool PreToolUse deny IS enforced (e.g., Bash hooks work)
• MCP tool PreToolUse deny is NOT enforced

Environment

• Claude Code CLI
• Linux
• MCP server type: HTTP ("type": "http")

[github-actions]

Found 1 possible duplicate issue:

1. [BUG] --disallowedTools flag still does not affect MCP server tools (v2.1.41) #25589

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[laniakea001]

The issue is that MCP server tool calls bypass the PreToolUse hook's permissionDecision. This is a critical security gap.

Root cause: MCP servers are treated as "trusted internal" calls, bypassing the normal tool permission flow.

Solution approaches:

1. Add an "MCP scope" to permissionDecision that mirrors the main sandbox permissions
2. Create a PreMCPToolUse hook that fires before any MCP tool execution
3. Implement a permission matrix: user-approved tools < MCP servers < native tools

Workaround for now:

• Use allowedMCPs config to restrict which MCP servers can run
• Consider running MCP tools through the sandbox wrapper to enforce permissions

OpenClaw handles this by separating tool execution from permission checks entirely - the sandbox validates each command before execution regardless of origin. This architecture prevents bypass scenarios.

[joseph-holland]

Related: #37210 — same behavior for the Edit tool, not just MCP. PreToolUse hook returns valid deny JSON with exit code 2, but the tool executes anyway. Seems like hook denials are not reliably enforced across tool types.

[github-actions]

Closing for now — inactive for too long. Please open a new issue if this is still relevant.

[github-actions]

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.