Glossary
Core Concepts
Section titled “Core Concepts”Provider
Section titled “Provider”An AI coding agent that SCC can run inside a governed sandbox. Currently supported: Claude Code (Anthropic) and Codex (OpenAI). The architecture is extensible to additional providers.
Session
Section titled “Session”A running agent environment inside a container. Sessions persist across restarts and can be resumed with scc start --resume. Each session is tied to a specific workspace, provider, and team profile.
Sandbox
Section titled “Sandbox”The OCI container that isolates the agent from the host system. Sandboxes provide filesystem and process isolation while allowing workspace access. Network access is controlled separately through network_policy. Works with Docker Engine, OrbStack, Colima, or Docker Desktop.
Profile (Team Profile)
Section titled “Profile (Team Profile)”A configuration set for a specific team. Profiles define plugins, MCP servers, session settings, and delegation rules.
Worktree
Section titled “Worktree”A git worktree created for parallel development. Each worktree has its own working directory and can run independent agent sessions.
Workspace
Section titled “Workspace”The directory mounted into the sandbox. Typically a git repository root where the agent operates.
Configuration
Section titled “Configuration”Organization Config (org-config.json)
Section titled “Organization Config (org-config.json)”The top-level configuration file hosted by an organization. Defines security policies, marketplaces, defaults, and team profiles.
Team Config
Section titled “Team Config”Configuration specific to a team. Can be inline (in org config) or federated (external repository).
Project Config (.scc.yaml)
Section titled “Project Config (.scc.yaml)”Optional per-repository configuration. Allows projects to add plugins and MCP servers within team-allowed boundaries.
Federation (Federated Teams)
Section titled “Federation (Federated Teams)”Teams that store their configuration in external repositories, enabling independent management while respecting organization security policies.
Config Source
Section titled “Config Source”The location of a federated team’s configuration (GitHub, GitLab, HTTPS URL).
Provider Preference
Section titled “Provider Preference”The global or per-workspace setting that determines which provider SCC uses by default. Values: ask (prompt), claude, or codex. When ask is active, SCC still prompts if multiple providers are viable and uses workspace context only to preselect a sensible default. Set the global preference with scc provider set.
Security & Governance
Section titled “Security & Governance”Safety Engine
Section titled “Safety Engine”SCC’s built-in fail-closed command interception system. Includes a shell tokenizer, git safety rules, and network tool rules. Runs inside every container via shell wrappers. Provider-neutral.
Safety Net
Section titled “Safety Net”The scc-safety-net plugin that provides additional protection via agent-native hooks. Currently supports Claude Code; Codex support is planned. Complementary to the built-in safety engine.
Security Block
Section titled “Security Block”Glob patterns that absolutely prevent usage of certain plugins, MCP servers, or Docker images. Cannot be overridden.
Network Policy
Section titled “Network Policy”Egress control for the agent container. Values: open (unrestricted), web-egress-enforced (topology-enforced proxy), locked-down-web (no network).
Delegation
Section titled “Delegation”The system controlling which teams can add resources and whether projects can extend team configurations.
Exception
Section titled “Exception”A time-bounded override for governance controls. Local overrides bypass delegation; policy exceptions bypass security blocks.
Trust Grant
Section titled “Trust Grant”Permissions given to federated teams, controlling marketplace inheritance and additional marketplace definitions.
Plugins & Tools
Section titled “Plugins & Tools”Plugin
Section titled “Plugin”An extension that adds capabilities to the agent. Installed from marketplaces. Claude Code and Codex have different native plugin surfaces — SCC unifies governance at the approval/bundle level.
Marketplace
Section titled “Marketplace”A repository containing plugins. Can be official, organization-internal, or team-specific.
MCP Server (Model Context Protocol)
Section titled “MCP Server (Model Context Protocol)”External services that provide context or tools to the agent. Types: HTTP, SSE (Server-Sent Events), or stdio (local process).
Stdio MCP
Section titled “Stdio MCP”An MCP server running as a local process. Disabled by default due to elevated privileges.
Container Runtime
Section titled “Container Runtime”Container Image
Section titled “Container Image”OCI images owned by SCC: scc-base (shared tooling), scc-agent-claude, scc-agent-codex, scc-egress-proxy (Squid proxy sidecar). Auto-built on first use.
Provider Runtime Spec
Section titled “Provider Runtime Spec”A frozen dataclass mapping each provider to its runtime constants: image ref, config directory, settings path, data volume. Stored in PROVIDER_REGISTRY.
Launch Readiness
Section titled “Launch Readiness”Three-tier status for each provider: launch-ready (auth + image), auth cache present (auth only), image available (image only), sign-in needed (neither).
Operations
Section titled “Operations”Dry Run
Section titled “Dry Run”Preview mode that shows what would happen without actually executing. Used with scc start --dry-run.
Config Explain
Section titled “Config Explain”Command that shows effective configuration with source tracking. Run with scc config explain.
Inspection of installed plugins and their status. Run with scc audit plugins.
Cleanup of stopped containers or stale worktree entries.
Support Bundle
Section titled “Support Bundle”Diagnostic package containing config state, launch audit, and safety audit for troubleshooting. Generated with scc support bundle.
Technical Terms
Section titled “Technical Terms”TTL (Time To Live)
Section titled “TTL (Time To Live)”Duration before an exception expires. Specified as 8h, 30m, 1d, etc.
Glob Pattern
Section titled “Glob Pattern”Wildcard pattern using * for matching. For example, *experimental* matches any string containing “experimental”.
Cache TTL
Section titled “Cache TTL”How long SCC caches remote configurations before re-fetching. Default: 24 hours.
Exit Code
Section titled “Exit Code”Numeric code returned by commands indicating success or failure type. See CLI Overview.