Claude Code as an MCP client
In this snapshot, Claude Code is clearly an MCP client. It supports:- connecting to MCP servers from settings
- registering external tool surfaces
- listing resources
- reading resources
- surfacing MCP-specific auth and validation flows
ListMcpResourcesTool and ReadMcpResourceTool.
Why MCP is normalized into the tool system
Claude Code does not treat MCP as a separate execution universe. Instead it adapts MCP tools into the same broad contract used by built-ins:- normalized naming
- prompt injection
- permission routing
- tool result shaping
- progress reporting
Naming and rule matching
src/utils/permissions/permissions.ts and src/services/mcp/mcpStringUtils.js show that MCP tools are matched through fully qualified names such as mcp__server__tool.
The permission layer also supports server-wide rules by prefix, not just per-tool rules.
That is important operationally because admins can suppress or allow an entire MCP server from the same permission framework.
Resources versus tools
Claude Code distinguishes between:- MCP tools: action-oriented remote capabilities
- MCP resources: content-oriented data sources
Instruction budget
The prompt layer includes MCP-specific instruction handling and deltas. The code comments and helpers around MCP instruction deltas make it clear that Claude Code actively manages how much MCP description text reaches the model. That protects prompt budget and avoids flooding the context window with large external schemas.Security posture
MCP trust is not automatic. A connected server can expose executable tools or large content surfaces, so MCP still runs through:- settings and policy configuration
- permission rules
- server-prefix matching
- auth flows for remote servers
- resource and tool-specific validation