Summary
[Note: this is not specific to the python sdk and can be recreated via any agent definition path. Couldn't find a repo that better fit the bug.]
When an agent declares both an agent_toolset_20260401 and an mcp_toolset, any agent-toolset configuration that touches the server-side web tools (web_search / web_fetch) causes the MCP server's tools to be delivered to the session as agent.custom_tool_use events — with no mcp_server_name and no evaluated_permission — instead of agent.mcp_tool_use. The tools are never routed to the MCP server and never execute. Configuring only sandbox tools does not trigger it. No custom tools need be declared.
Triggers vs. safe
| agent_toolset config |
web tools |
MCP tool delivered as |
| no configs |
default (enabled) |
agent.mcp_tool_use ✅ |
disable a sandbox tool (e.g. glob) |
default (enabled) |
agent.mcp_tool_use ✅ |
disable web_search and/or web_fetch (each alone suffices) |
disabled |
agent.custom_tool_use ❌ |
default_config.enabled: false + allowlist only sandbox tools |
disabled |
agent.custom_tool_use ❌ |
web tools enabled but permission_policy: always_ask |
enabled, gated |
agent.custom_tool_use ❌ |
Rule: MCP breaks whenever web_search/web_fetch deviate from their pristine default (enabled, always_allow, unmentioned in configs). Touching only sandbox tools is safe.
Environment
Managed Agents beta (managed-agents-2026-04-01), model claude-opus-4-8, cloud environment.
Minimal reproduction
- Any MCP server exposing one tool (e.g. an
echo(text) tool).
- Agent A:
agent_toolset_20260401 with configs: [{name: web_search, enabled: false}]
plus an mcp_toolset (default_config.permission_policy: always_allow). No custom tools.
- Agent B: identical to A but with the
configs removed.
- Run an identical turn on each that calls the MCP tool ("Call the echo tool with text 'hi'").
- Read the tool-call event
type from GET /v1/sessions/{id}/events.
Expected: echo arrives as agent.mcp_tool_use for both.
Actual: B → agent.mcp_tool_use (correct); A → agent.custom_tool_use (bug).
Captured event payloads
Broken (web tools configured):
{ "type": "agent.custom_tool_use", "name": "widgets_get", "input": { "widget_id": "…" } }
Working (web tools at default):
{ "type": "agent.mcp_tool_use", "name": "widgets_get", "mcp_server_name": "example", "evaluated_permission": "allow", "input": { "widget_id": "…" } }
Impact
There is no client-side workaround - no way to both disable web_search and use an mcp server: the environment networking allowlist cannot gate server-side tools, and every config shape that disables or gates the web tools breaks MCP. An agent that needs MCP must leave web_search/web_fetch fully enabled, with no way to restrict them.
Summary
[Note: this is not specific to the python sdk and can be recreated via any agent definition path. Couldn't find a repo that better fit the bug.]
When an agent declares both an
agent_toolset_20260401and anmcp_toolset, any agent-toolset configuration that touches the server-side web tools (web_search/web_fetch) causes the MCP server's tools to be delivered to the session asagent.custom_tool_useevents — with nomcp_server_nameand noevaluated_permission— instead ofagent.mcp_tool_use. The tools are never routed to the MCP server and never execute. Configuring only sandbox tools does not trigger it. No custom tools need be declared.Triggers vs. safe
agent.mcp_tool_use✅glob)agent.mcp_tool_use✅web_searchand/orweb_fetch(each alone suffices)agent.custom_tool_use❌default_config.enabled: false+ allowlist only sandbox toolsagent.custom_tool_use❌permission_policy: always_askagent.custom_tool_use❌Rule: MCP breaks whenever
web_search/web_fetchdeviate from their pristine default (enabled,always_allow, unmentioned inconfigs). Touching only sandbox tools is safe.Environment
Managed Agents beta (
managed-agents-2026-04-01), modelclaude-opus-4-8, cloud environment.Minimal reproduction
echo(text)tool).agent_toolset_20260401withconfigs: [{name: web_search, enabled: false}]plus an
mcp_toolset(default_config.permission_policy: always_allow). No custom tools.configsremoved.typefromGET /v1/sessions/{id}/events.Expected:
echoarrives asagent.mcp_tool_usefor both.Actual: B →
agent.mcp_tool_use(correct); A →agent.custom_tool_use(bug).Captured event payloads
Broken (web tools configured):
{ "type": "agent.custom_tool_use", "name": "widgets_get", "input": { "widget_id": "…" } }Working (web tools at default):
{ "type": "agent.mcp_tool_use", "name": "widgets_get", "mcp_server_name": "example", "evaluated_permission": "allow", "input": { "widget_id": "…" } }Impact
There is no client-side workaround - no way to both disable web_search and use an mcp server: the environment
networkingallowlist cannot gate server-side tools, and every config shape that disables or gates the web tools breaks MCP. An agent that needs MCP must leaveweb_search/web_fetchfully enabled, with no way to restrict them.