Security Model
Isolation Layers
Section titled “Isolation Layers”- Docker Container: Claude Code runs isolated from host
- Network Policy: Control container network posture (partial enforcement in v1)
- Plugin Governance: Only approved plugins execute
- Git Protection: Safety net blocks destructive commands
Enforcement States
Section titled “Enforcement States”SCC uses these enforcement states in docs and CLI output:
- Enforced: SCC changes runtime behavior deterministically.
- Partially enforced: SCC enforces part of the intent and warns about the rest.
- Advisory: SCC validates and reports but does not enforce at runtime.
- Out of scope: SCC does not attempt to govern this surface.
Permissions Mode
Section titled “Permissions Mode”SCC launches Claude Code with permission prompts skipped by default inside the sandbox. This reduces friction but does not provide data loss prevention. You can re-enable prompts inside Claude if you want stricter confirmation.
Trust Boundaries
Section titled “Trust Boundaries”| Source | Trust Level | Can Override |
|---|---|---|
| Organization | Absolute | Nothing |
| Team | Delegated | Within org bounds |
| Project | Restricted | Within team bounds |
| User | Advisory | Profile apply enforces org blocks; manual overrides are advisory |
Security Blocks
Section titled “Security Blocks”Patterns in security.blocked_* are absolute:
- Cannot be overridden by teams
- Cannot be overridden by projects
- Cannot be overridden by exceptions
Exceptions
Section titled “Exceptions”Time-bounded overrides for governance controls. See Exceptions.