Hey, thanks for the detailed report.
This is a known limitation. Right now, hooks can only deny actions. Returning allow from a hook does not override the MCP approval system. The two permission paths, hooks and the MCP allowlist and approval flow, are independent. So even if your hook correctly returns allow, the MCP permission check still runs and prompts you.
The same root cause has been reported for shell hooks too:
- Hook ASK output not stopping agent Hook ASK output not stopping agent
- beforeShellExecution hook permissions ignored beforeShellExecution hook permissions (allow/ask) ignored - allow-list takes precedence
As a workaround for now, to auto-approve specific MCP tools, add them to the MCP allowlist in Cursor Settings instead of relying on hooks to grant allow. Hooks are currently most useful for the deny case, blocking risky operations.
I also noticed your other report about beforeShellExecution plus sandbox beforeShellExecution returns permission: "ask" but sandboxed Agent shell still runs the command (sandbox: true). Same root cause. ask is also not enforced in the shell execution paths.
Let me know if the allowlist workaround helps.