Federation
Federated teams store their configuration in external repositories, enabling team autonomy while maintaining organization security.
When to Use Federation
Section titled “When to Use Federation”- Teams need to update plugins without org admin involvement
- Large organizations with many teams
- Teams want PR-based review for config changes
- Different teams need different update cycles
Setting Up Federated Teams
Section titled “Setting Up Federated Teams”Basic Configuration
Section titled “Basic Configuration”{ "profiles": { "platform": { "description": "Platform team - externally managed", "config_source": { "source": "github", "owner": "myorg", "repo": "platform-team-config", "branch": "main" }, "trust": { "inherit_org_marketplaces": true, "allow_additional_marketplaces": false } } }}Config Source Types
Section titled “Config Source Types”"config_source": { "source": "github", "owner": "org-name", "repo": "team-config", "branch": "main", "path": "team-config.json"}For private repos, configure token auth at the organization level.
"config_source": { "source": "git", "url": "git@gitlab.example.com:team/config.git", "branch": "main"}Works with GitLab, Bitbucket, or any Git hosting.
"config_source": { "source": "url", "url": "https://config.example.com/team.json", "headers": { "Authorization": "Bearer ${CONFIG_TOKEN}" }}For config servers or internal endpoints.
Trust Grants
Section titled “Trust Grants”Control what federated teams can do:
{ "profiles": { "platform": { "config_source": { ... }, "trust": { "inherit_org_marketplaces": true, "allow_additional_marketplaces": true, "marketplace_source_patterns": [ "github.com/myorg/**" ] } } }}| Field | Default | Description |
|---|---|---|
inherit_org_marketplaces | true | Team can use org-defined marketplaces |
allow_additional_marketplaces | false | Team can define their own marketplaces |
marketplace_source_patterns | [] | URL patterns for team marketplace sources |
Trust Validation
Section titled “Trust Validation”Two-layer validation:
- Permission Check: Does
allow_additional_marketplacesallow team to define marketplaces? - Source Validation: Does each marketplace URL match
marketplace_source_patterns?
URL Pattern Matching
Section titled “URL Pattern Matching”Patterns support glob syntax with ** for path matching:
| Pattern | Matches |
|---|---|
github.com/myorg/** | Any repo under myorg organization |
*.internal.com/** | Any path on any internal subdomain |
github.com/myorg/approved-* | Only repos starting with “approved-” |
Federated Team Config File
Section titled “Federated Team Config File”The team’s config repository contains:
{ "schema_version": 1, "enabled_plugins": [ "platform-tools@team-internal", "monitoring@shared" ], "disabled_plugins": [ "legacy-tool" ], "marketplaces": { "team-internal": { "source": "github", "owner": "myorg", "repo": "platform-internal-plugins" } }}Marketplace Name Collisions
Section titled “Marketplace Name Collisions”Team-defined marketplaces cannot conflict with:
- Org marketplaces: Names in org config’s
marketplacessection - Implicit marketplaces:
claude-plugins-official
If a collision is detected, config is rejected with a clear error.
When inherit_org_marketplaces is false
Section titled “When inherit_org_marketplaces is false”If team sets inherit_org_marketplaces: false:
- Team won’t have access to org-defined marketplaces
- Org defaults referencing those marketplaces become invalid
SCC validates this and rejects configurations where:
- Team has
inherit_org_marketplaces: false - Org defaults reference plugins from org marketplaces
Fix: Set inherit_org_marketplaces: true or remove conflicting plugins from org defaults.
Example: Full Federation Setup
Section titled “Example: Full Federation Setup”Organization Config
Section titled “Organization Config”{ "marketplaces": { "shared": { "source": "github", "owner": "myorg", "repo": "shared-plugins" } }, "security": { "blocked_plugins": ["*malicious*"] }, "profiles": { "platform": { "description": "Platform team - config managed externally", "config_source": { "source": "github", "owner": "myorg", "repo": "platform-config", "branch": "main" }, "trust": { "inherit_org_marketplaces": true, "allow_additional_marketplaces": true, "marketplace_source_patterns": [ "github.com/myorg/**" ] } } }}Team Config (platform-config repo)
Section titled “Team Config (platform-config repo)”{ "schema_version": 1, "enabled_plugins": [ "platform-tools@team-internal", "monitoring@shared" ], "disabled_plugins": [ "legacy-tool" ], "marketplaces": { "team-internal": { "source": "github", "owner": "myorg", "repo": "platform-internal-plugins" } }}Result
Section titled “Result”- Team can use
sharedmarketplace (inherited from org) - Team can define
team-internalmarketplace (allowed by trust, matches pattern) - Team can reference plugins from both marketplaces
- Team can disable plugins from org defaults
- Org security rules still apply to all plugins
Trust Violation Example
Section titled “Trust Violation Example”Organization config:
{ "profiles": { "contractor": { "config_source": { "source": "url", "url": "https://contractor-configs.example.com/team.json" }, "trust": { "allow_additional_marketplaces": true, "marketplace_source_patterns": [ "github.com/approved-vendors/**" ] } } }}External team config tries unauthorized source:
{ "marketplaces": { "unauthorized": { "source": "github", "owner": "random-org", "repo": "plugins" } }}Result: Trust violation error. Source github.com/random-org/plugins doesn’t match github.com/approved-vendors/**.
Refreshing Federated Configs
Section titled “Refreshing Federated Configs”# Refresh all team configsscc org update
# Refresh specific teamscc org update --team platform
# Check cache statusscc org statusValidating Federation
Section titled “Validating Federation”# Validate team config locallyscc team validate
# Test before deploymentscc org validate org-config.json