Organization Schema

Complete schema reference for organization configuration files.

Top-Level Structure

{
  "schema_version": "1.0.0",
  "organization": { },
  "marketplaces": { },
  "security": { },
  "stats": { },
  "defaults": { },
  "delegation": { },
  "profiles": { }
}

organization

Organization identification.

{
  "organization": {
    "name": "Acme Corp",
    "id": "acme"
  }
}

Field	Type	Required	Description
name	string	Yes	Human-readable organization name
id	string	Yes	Unique identifier (lowercase, no spaces)

marketplaces

Plugin marketplace sources.

{
  "marketplaces": {
    "sandboxed-code-official": {
      "source": "github",
      "owner": "CCimen",
      "repo": "sandboxed-code-plugins"
    },
    "internal": {
      "source": "github",
      "owner": "your-org",
      "repo": "scc-plugins"
    }
  }
}

Marketplace Entry

Field	Type	Required	Description
source	string	Yes	github, git, or url
owner	string	For GitHub	Repository owner/organization
repo	string	For GitHub	Repository name
branch	string	No	Branch name (default: main)
url	string	For git/url	Full URL to marketplace

security

Security policies that cannot be overridden.

{
  "security": {
    "blocked_plugins": ["*experimental*", "*beta*"],
    "blocked_mcp_servers": ["*.untrusted.com"],
    "blocked_base_images": ["*:latest"],
    "allow_stdio_mcp": false,
    "allowed_stdio_prefixes": ["/usr/local/bin/"]
  }
}

Field	Type	Default	Description
blocked_plugins	string[]	[]	Glob patterns for blocked plugins
blocked_mcp_servers	string[]	[]	Glob patterns for blocked servers
blocked_base_images	string[]	[]	Glob patterns for blocked images
allow_stdio_mcp	boolean	false	Allow stdio MCP servers
allowed_stdio_prefixes	string[]	[]	Allowed paths for stdio commands

Note

Patterns use glob syntax (fnmatch) with case-insensitive matching.

safety_net

Safety net configuration for the scc-safety-net plugin. Controls which destructive git commands are blocked.

{
  "security": {
    "safety_net": {
      "action": "block",
      "block_force_push": true,
      "block_reset_hard": true,
      "block_branch_force_delete": true,
      "block_checkout_restore": true,
      "block_clean": true,
      "block_stash_destructive": true
    }
  }
}

Field	Type	Default	Description
action	string	"block"	Action mode: block, warn, or allow
block_force_push	boolean	true	Block git push --force and +refspec force pushes
block_reset_hard	boolean	true	Block git reset --hard (destroys uncommitted changes)
block_branch_force_delete	boolean	true	Block git branch -D (force delete without merge check)
block_checkout_restore	boolean	true	Block git checkout -- <file> and git restore <file>
block_clean	boolean	true	Block git clean -f (deletes untracked files)
block_stash_destructive	boolean	true	Block git stash drop and git stash clear

Tip

The action field controls the plugin behavior:

• block — Stop execution and show error (default, most secure)
• warn — Show warning but allow the command
• allow — No checks (disables safety net)

stats

Usage statistics and telemetry configuration.

{
  "stats": {
    "enabled": true,
    "user_identity_mode": "hashed",
    "retention_days": 90
  }
}

Field	Type	Default	Description
enabled	boolean	true	Enable usage statistics collection
user_identity_mode	string	"hashed"	User identity tracking mode (anonymous, hashed, identified)
retention_days	number	90	Number of days to retain stats data

Note

• anonymous: No user identification
• hashed: User IDs are hashed for privacy
• identified: Full user identification (requires user consent)

defaults

Organization-wide defaults applied to all teams.

{
  "defaults": {
    "enabled_plugins": ["scc-safety-net@sandboxed-code-official"],
    "allowed_plugins": ["*@internal", "*@sandboxed-code-official"],
    "disabled_plugins": [],
    "allowed_mcp_servers": ["*"],
    "network_policy": "allow",
    "session": {
      "timeout_hours": 12,
      "auto_resume": true
    }
  }
}

Field	Type	Description
enabled_plugins	string[]	Plugins enabled for all teams
allowed_plugins	string[]	Governance whitelist for plugins
disabled_plugins	string[]	Plugins disabled by default
allowed_mcp_servers	string[]	MCP server patterns allowed by default
network_policy	string	Network access policy (allow or deny)
session	object	Default session settings
session.timeout_hours	number	Session timeout in hours
session.auto_resume	boolean	Auto-resume sessions

allowed_plugins Semantics

Value	Meaning
Missing/undefined	Unrestricted (all allowed)
[] (empty)	Deny all (lockdown mode)
["*"]	Explicit unrestricted
Patterns	Only matching plugins allowed

delegation

Controls what teams can add.

{
  "delegation": {
    "teams": {
      "allow_additional_plugins": ["*"],
      "allow_additional_mcp_servers": ["platform", "data"]
    }
  }
}

Field	Type	Description
teams.allow_additional_plugins	string[]	Teams that can add plugins
teams.allow_additional_mcp_servers	string[]	Teams that can add MCP servers

Values:

• ["*"] - All teams
• ["team1", "team2"] - Only listed teams
• [] or missing - No teams

profiles

Team profile definitions.

Inline Profile

{
  "profiles": {
    "backend": {
      "description": "Backend development team",
      "additional_plugins": ["java-analyzer@internal"],
      "additional_mcp_servers": [
        {
          "name": "context7",
          "type": "http",
          "url": "https://context7.example.com"
        }
      ],
      "delegation": {
        "allow_project_overrides": true,
        "allow_additional_plugins": ["project-*"]
      },
      "session": {
        "timeout_hours": 12
      }
    }
  }
}

Federated Profile

{
  "profiles": {
    "platform": {
      "description": "Platform team - externally managed",
      "config_source": {
        "source": "github",
        "owner": "myorg",
        "repo": "platform-config",
        "branch": "main"
      },
      "trust": {
        "inherit_org_marketplaces": true,
        "allow_additional_marketplaces": true,
        "marketplace_source_patterns": ["github.com/myorg/**"]
      }
    }
  }
}

Profile Fields

Field	Type	Description
description	string	Human-readable description
additional_plugins	string[]	Plugins for this team
additional_mcp_servers	array	MCP servers for this team
delegation	object	Project override settings
session	object	Session settings
config_source	object	External config (federated)
trust	object	Trust grants (federated)

Trust Grants

Field	Type	Default	Description
inherit_org_marketplaces	boolean	true	Use org marketplaces
allow_additional_marketplaces	boolean	false	Team can add marketplaces
marketplace_source_patterns	string[]	[]	Allowed marketplace URLs