Role of MCP in Claude Code
MCP is the mechanism Claude Code uses to attach external tool and resource providers to the local agent runtime. In source, MCP support is not an add-on. It is wired into:- Session startup
- Tool registration
- Slash command registration
- Resource browsing
- Auth and re-auth flows
- Dynamic reconnect and toggle operations
src/services/mcp/.
Claude Code’s MCP model
Claude Code treats MCP servers as first-class runtime inputs. Each connected server can contribute:- Tools
- Prompt-like commands
- Skills
- Resources
Supported transport and config shapes
The schema insrc/services/mcp/types.ts includes these server forms:
stdiossehttpwssdk- Internal IDE-specific variants
- A Claude.ai proxy server type
Configuration scopes
The source distinguishes several scopes for MCP config:localuserprojectdynamicenterpriseclaudeaimanaged
Config file locations visible in source
The most explicit file locations visible in source are:- Project-local
.mcp.jsonin the current working directory - Managed enterprise file
managed-mcp.jsonunder the managed settings path - Global and project config objects that also carry
mcpServers
src/services/mcp/config.ts contains the writer for .mcp.json, and src/utils/config.ts shows both project and global config types carrying MCP server records.
The exact on-disk locations of global and managed settings depend on helper functions such as
getGlobalConfig(), getManagedFilePath(), and related environment utilities. The broad storage model is clear in source; some path details are indirect in this snapshot.Merge and dedup behavior
MCP config merging is not name-based only.src/services/mcp/config.ts computes content signatures so it can detect duplicates by:
- stdio command plus args
- remote URL, with special handling for CCR proxy rewrites
Connection state model
src/services/mcp/types.ts models servers as one of:
connectedfailedneeds-authpendingdisabled
/mcp and to runtime reconnection logic.
Tool and command normalization
MCP contributions are normalized into Claude Code naming conventions. Tools:- Are exposed with an
mcp__<server>__<tool>prefix model - Can be filtered or removed by server name
- May appear as
mcp__<server>__<prompt> - MCP skills may use
<server>:<skill>
src/services/mcp/utils.ts have to account for both naming schemes.
Auth flow
src/services/mcp/client.ts contains explicit auth error handling, including:
- OAuth-aware connection logic
- 401 refresh and retry support
- auth-needed server states
- dedicated reconnect and clear-auth flows
McpAuthTool, which means auth is not treated as purely out-of-band UI.
Runtime lifecycle
At a high level, the MCP lifecycle looks like this:Why this matters for security
An MCP server in Claude Code can do more than answer lookups. It can:- Expand the tool catalog the model can call
- Add commands and skills
- Return resources that become prompt context
- Trigger auth and reconnect flows
/mcp command behavior
The slash command entry in src/commands/mcp/index.ts is a local-jsx command used to manage servers.
Visible behaviors in source include:
- Open the MCP settings UI
- Reconnect a named server
- Enable or disable one server or all servers
Practical reading of the code
If you are exploring MCP internals, the highest-value files are:src/services/mcp/types.tssrc/services/mcp/config.tssrc/services/mcp/client.tssrc/services/mcp/utils.tssrc/commands/mcp/index.ts