Dev Environment Bridge
scc dev
Section titled “scc dev”Run host-owned dev environment bridge actions that are already approved by the effective org/team/project configuration.
scc dev run <name> [workspace] [options]scc dev logs <name> [workspace] [options]scc dev health <name> [workspace] [options]scc dev status [workspace] [options]scc dev run
Section titled “scc dev run”scc dev run <name> executes one accepted dev_environment.commands entry from
the effective config. SCC runs only the configured fixed argv list; it does not
accept shell strings or ad hoc command text.
scc config explain --field dev_environmentscc dev run test .scc dev run test . --jsonOptions:
| Option | Description |
|---|---|
--team TEAM | Team profile to use for effective config resolution |
--provider PROVIDER | Provider identity to include in audit metadata |
--json | Output the command result as a JSON envelope |
--pretty | Pretty-print JSON output |
--output-limit-bytes N | Maximum stdout/stderr tail bytes to retain per stream |
Execution rules:
- SCC resolves effective config for the selected team and workspace.
- Unknown command names are denied and audited.
- SCC writes a pre-execution audit event before starting the host process. If that audit write fails, the command does not run.
working_directorymust be relative and remain inside the workspace after symlink resolution.- stdout/stderr are returned as bounded stdout/stderr tails.
- Durable audit metadata stores status, duration, cwd, timeout, and byte counts; it does not store stdout/stderr content.
This command does not run inside the SCC agent container, does not mount the Docker socket into the agent container, and does not attach agent containers to project Compose or devcontainer networks.
scc dev logs
Section titled “scc dev logs”scc dev logs <name> executes one accepted dev_environment.logs entry from
the effective config. This section is intended for policy-approved, bounded
service log retrieval such as docker compose logs --tail 100 api; SCC enforces
the fixed argv, cwd, timeout, output bounds, and audit contract, not semantic
read-only behavior inside the tool you choose.
scc dev logs api .scc dev logs api . --json --output-limit-bytes 4096The same execution rules as scc dev run apply: fixed argv, no shell strings,
workspace-bounded cwd, pre-execution audit, timeout, and bounded stdout/stderr
tails. Durable audit events use dev_environment.log.* event names and store
byte counts, not log content.
scc dev health
Section titled “scc dev health”scc dev health <name> executes one accepted dev_environment.health_checks
entry from the effective config. This section is intended for policy-approved,
bounded health checks such as an HTTP health endpoint or container status check;
SCC enforces the fixed argv, cwd, timeout, output bounds, and audit contract,
not semantic read-only behavior inside the tool you choose.
scc dev health api .scc dev health api . --jsonHealth checks return the same JSON result shape as commands and logs. A non-zero
exit code or timeout marks the result as failed. Durable audit events use
dev_environment.health_check.* event names.
scc dev status
Section titled “scc dev status”scc dev status shows the effective dev-environment bridge contract for the
workspace and team. It does not execute any host process.
scc dev status .scc dev status . --jsonThe JSON envelope uses kind DevEnvironmentStatus and lists accepted
commands, logs, and health_checks with their fixed argv,
working_directory, timeout_seconds, and descriptions. This is the preferred
machine-readable surface for Claude and Codex sessions to inspect what the
project allows before requesting an action.