Managing Plugins

Plugins extend Claude Code with additional capabilities. As a team leader, you select which plugins your team uses.

Understanding Plugin Sources

Plugins come from marketplaces—repositories of approved plugins.

Official Marketplace

The official marketplace is maintained by SCC:

{
  "marketplaces": {
    "sandboxed-code-official": {
      "source": "github",
      "owner": "CCimen",
      "repo": "sandboxed-code-plugins"
    }
  }
}

Custom Marketplaces

Your organization may have internal marketplaces:

{
  "marketplaces": {
    "internal-tools": {
      "source": "github",
      "owner": "your-org",
      "repo": "scc-plugins"
    }
  }
}

Adding Plugins to Your Team

Plugin Reference Format

plugin-name@marketplace-name

Examples:

• scc-safety-net@sandboxed-code-official
• java-analyzer@internal-tools
• react-devtools@frontend-marketplace

In Your Team Config

{
  "additional_plugins": [
    "scc-safety-net@sandboxed-code-official",
    "java-analyzer@internal-tools",
    "spring-boot-helper@internal-tools"
  ]
}

Essential Plugins

scc-safety-net

The most important plugin. Blocks destructive git commands:

Blocked Command	Why
git push --force	Overwrites remote history
git reset --hard	Discards uncommitted changes
git branch -D	Force-deletes branches
git clean -fd	Deletes untracked files
git checkout/restore	Can overwrite local changes

Tip

Always enable scc-safety-net for all teams unless you have a specific reason not to.

Enable in your config:

"additional_plugins": [
  "scc-safety-net@sandboxed-code-official"
]

Plugin Governance

What Gets Blocked

Organization admins can block plugins by pattern:

{
  "security": {
    "blocked_plugins": [
      "*experimental*",
      "*beta*",
      "untrusted-*"
    ]
  }
}

Even if you add these to your team config, they will be filtered out.

What You Can Add

Your additions must:

1. Come from an approved marketplace
2. Not match any blocked_plugins pattern
3. Match allowed_plugins pattern (if org specifies one)

Caution

If you try to add a blocked plugin, it will be silently filtered. Use scc config explain to see what’s actually enabled.

Allowing Developer Additions

You can let developers add project-specific plugins:

{
  "delegation": {
    "allow_additional_plugins": ["team-*", "project-*"]
  }
}

This lets developers add plugins matching those patterns in their .scc.yaml.

Restrictive Approach

{
  "delegation": {
    "allow_additional_plugins": []
  }
}

Developers cannot add any plugins beyond team defaults.

Permissive Approach

{
  "delegation": {
    "allow_additional_plugins": ["*"]
  }
}

Developers can add any non-blocked plugin from approved marketplaces.

Auditing Plugins

See what plugins are currently installed:

scc audit plugins

Output:

Team: backend
Effective plugins:
  ✓ scc-safety-net@sandboxed-code-official (from: team)
  ✓ java-analyzer@internal (from: team)
  ✓ project-linter@internal (from: project/.scc.yaml)

Blocked plugins (attempted but filtered):
  ✗ experimental-tool@internal (matches: *experimental*)

Troubleshooting

Plugin not appearing

1. Check it’s in an approved marketplace

   scc config explain --field marketplaces

2. Check it’s not blocked

   scc config explain --field blocked_plugins

3. Check spelling of plugin and marketplace names

4. Force refresh config

   scc update --force

Plugin blocked unexpectedly

The plugin matches a blocked_plugins pattern. Contact your org admin if you believe this is incorrect.

Different plugins on different machines

Ensure everyone has the latest config:

scc update

Check effective config:

scc config explain --field plugins