apps/cli: pre-approve mcp__studio__ tools so classifier outages don't block the agent #3332

Draft: lezama wants to merge 2 commits into trunk from fix-studio-tools-skip-auto-classifier

Conversation

@lezama (Contributor) commented May 4, 2026

Related

A user ran /annotate while Anthropic's claude-sonnet-4-6 model — which the SDK's auto permission mode uses as its safety classifier — was having a transient outage. Every Studio MCP tool call (mcp__studio__site_info, mcp__studio__open_annotation_browser, …) failed with:

claude-sonnet-4-6 is temporarily unavailable, so auto mode cannot determine the safety of mcp__studio__site_info right now. Wait briefly and then try this action again.

The agent kept retrying and never recovered until Sonnet came back, so the user was completely blocked.

Proposed Changes

  • Register a permanent PreToolUse hook with matcher: '^mcp__studio__' that returns permissionDecision: 'allow'. This pre-approves every tool exposed by the Studio MCP server (createStudioTools / createRemoteSiteTools) so they bypass the SDK's auto classifier entirely.
  • Restructure the hooks block so it's always present. The AskUserQuestion interceptor is now the second matcher in the same PreToolUse array; behavior unchanged.
  • Add unit tests for the hook registration and the allow decision in both onAskUser-provided and not-provided modes.

Why this is safe

  • Studio MCP tools are scoped to Studio-managed sites: local sites under ~/Studio/ (with their own WordPress/wp-cli sandbox) or the user's own WordPress.com sites authenticated via OAuth (wpcom_request). They cannot escape the user's environment.
  • The system prompt already instructs the agent to confirm destructive operations with the user (apps/cli/ai/system-prompt.ts).
  • Built-in tools that can do anything on the host (Bash, Write, Edit, Read, Grep, Glob, …) are unaffected — they continue to go through the auto classifier.

#3242 deliberately moved to SDK auto mode and dropped the ad-hoc canUseTool gating. This change preserves that intent (no manual gating logic, no allowlist diff to maintain) while removing the availability dependency on Sonnet for tools we ship and trust.

Testing Instructions

  • npm test -- apps/cli/ai/tests/agent.test.ts — 5 tests pass, including 3 new ones covering the hook registration.
  • npm test -- apps/cli/ai/tests/ — full AI test suite (109 tests) passes.
  • npm run typecheck --workspace apps/cli — passes.
  • Manual sanity check: simulate a classifier outage by temporarily setting permissionMode: 'plan' on a build, then run any studio code command that hits an MCP tool — Studio tools should still execute (they no longer ask the classifier), while a Bash call would still go through the gate.

Pre-merge Checklist

  • Tests pass locally
  • Typecheck passes for the touched workspace
  • No user-visible UI surface — agent permission hook only
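The matcher ordering described above, as an added stand-alone model (not the PR's code and not the Claude Agent SDK's real types): hook input/output shapes, the `'ask'` decision for the AskUserQuestion interceptor, and the `'classifier'` fall-through value are assumptions made for illustration. It also checks the defender-side property that matters here: the matcher is anchored, so only the Studio prefix bypasses the auto classifier.

```typescript
// Simplified model of a PreToolUse hook list, as in the PR. Shapes are
// assumptions for this example, not the SDK's actual hook types.
type HookInput = { tool_name: string; tool_input: Record<string, unknown> };
type Decision = 'allow' | 'deny' | 'ask';
type HookOutput = { permissionDecision: Decision; reason?: string } | undefined;

interface PreToolUseHook {
  matcher: string; // regex over the tool name
  hook: (input: HookInput) => HookOutput;
}

// Order matters: the Studio allowlist is the first matcher, the
// AskUserQuestion interceptor the second, matching the restructured block.
const preToolUseHooks: PreToolUseHook[] = [
  {
    matcher: '^mcp__studio__',
    hook: () => ({ permissionDecision: 'allow', reason: 'Studio MCP tool, pre-approved' }),
  },
  {
    // Assumed behaviour for the example: route the question to the user.
    matcher: '^AskUserQuestion$',
    hook: () => ({ permissionDecision: 'ask', reason: 'handled by onAskUser' }),
  },
];

// Returns the first matching hook's decision. When no hook matches, the SDK's
// auto-mode classifier would be consulted, modelled here as 'classifier'.
function resolvePermission(
  toolName: string,
  hooks: PreToolUseHook[] = preToolUseHooks,
): Decision | 'classifier' {
  for (const { matcher, hook } of hooks) {
    if (new RegExp(matcher).test(toolName)) {
      const out = hook({ tool_name: toolName, tool_input: {} });
      if (out) return out.permissionDecision;
    }
  }
  return 'classifier';
}

// Guard for the allowlist itself: an unanchored prefix would also pre-approve
// any tool whose name merely contains the prefix, widening the bypass.
function matcherIsSafelyAnchored(matcher: string): boolean {
  const re = new RegExp(matcher);
  return matcher.startsWith('^') && !re.test('xmcp__studio__site_info');
}
```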
