Security Model
Isolation Layers
- Docker Container: Claude Code runs isolated from the host
- Network Policy: Control container network access
- Plugin Governance: Only approved plugins execute
- Git Protection: Safety net blocks destructive commands
Trust Boundaries
| Source | Trust Level | Can Override |
|---|---|---|
| Organization | Absolute | Nothing |
| Team | Delegated | Within org bounds |
| Project | Restricted | Within team bounds |
| User | None | Exceptions only |
Security Blocks
Patterns in `security.blocked_*` are absolute:
- Cannot be overridden by teams
- Cannot be overridden by projects
- Cannot be overridden by exceptions
Exceptions
Time-bounded overrides for governance controls. See Exceptions.
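The following is an added example, not the project's own code, showing how the trust boundaries, the absolute `security.blocked_*` rule and time-bounded exceptions described on this page can be enforced when layered policies are merged. The configuration shape (per-layer `settings` and `locked` keys, exception records with an ISO 8601 `expires` field) is assumed for illustration.

```python
from datetime import datetime, timezone
from fnmatch import fnmatch

BLOCK_PREFIX = "security.blocked_"  # absolute: patterns accumulate, never removed

def merge_policy(layers, exceptions=(), now=None):
    """layers: (source, policy) pairs from most to least trusted
    (organization, team, project); policy = {"settings": {...}, "locked": [...]}.
    exceptions: user-level records {"setting", "value", "expires"} (hypothetical shape).
    Returns (effective_settings, rejected) where rejected lists refused writes."""
    now = now or datetime.now(timezone.utc)
    effective, locked, rejected = {}, set(), []
    for source, policy in layers:
        for key, value in policy.get("settings", {}).items():
            if key.startswith(BLOCK_PREFIX):
                # Security blocks only grow: a lower layer may add, never drop, patterns.
                effective[key] = sorted(set(effective.get(key, [])) | set(value))
            elif key in locked:
                rejected.append((source, key, "locked by a higher trust level"))
            else:
                effective[key] = value
        # Whatever a layer locks stays fixed for every layer below it.
        locked.update(policy.get("locked", []))
    for exc in exceptions:
        key, expires = exc["setting"], datetime.fromisoformat(exc["expires"])
        if key.startswith(BLOCK_PREFIX):
            rejected.append(("exception", key, "security blocks cannot be excepted"))
        elif expires <= now:
            rejected.append(("exception", key, "expired"))
        else:
            effective[key] = exc["value"]  # time-bounded override of a governance control
    return effective, rejected

def is_blocked(effective, command):
    """True if the command matches any pattern in a security.blocked_* list."""
    return any(fnmatch(command, pat) for key, pats in effective.items()
               if key.startswith(BLOCK_PREFIX) for pat in pats)

# Constructed sample layers and exceptions (not a real configuration).
SAMPLE_LAYERS = [
    ("organization", {"settings": {"security.blocked_commands": ["git push --force*", "rm -rf /*"],
                                   "network.egress": "deny"}, "locked": ["network.egress"]}),
    ("team", {"settings": {"security.blocked_commands": ["git reset --hard*"],
                           "plugins.allowed": ["linter"]}, "locked": ["plugins.allowed"]}),
    ("project", {"settings": {"network.egress": "allow",            # refused: org locked it
                              "security.blocked_commands": []}}),   # cannot shrink the block list
]
SAMPLE_EXCEPTIONS = [
    {"setting": "plugins.allowed", "value": ["linter", "formatter"], "expires": "2099-01-01T00:00:00+00:00"},
    {"setting": "security.blocked_commands", "value": [], "expires": "2099-01-01T00:00:00+00:00"},
]
```

Running `merge_policy(SAMPLE_LAYERS, SAMPLE_EXCEPTIONS)` keeps `network.egress` at `deny`, unions all three block patterns, applies the plugin exception and records both refused writes in `rejected`.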