Exceptions let you temporarily bypass governance blocks for specific plugins, MCP servers, or base images.
```bash
# List active exceptions
scc exceptions list

# Create a temporary exception
scc unblock <target> --reason "Testing feature X" --ttl 8h

# Clean up expired exceptions
scc exceptions cleanup
```

Symptom: Created an exception but plugin/server still blocked.

Causes:

- **Security Block vs Delegation Denial**: Local exceptions can only override delegation denials, not security blocks.
- **Wrong Target Name**: The target name must match exactly what's shown in `scc config explain`.

Diagnose:

```bash
# Check what's blocked vs denied
scc config explain --field blocked_items
scc config explain --field denied_additions
```

Understanding the difference:

| Type | Source | Can Override Locally? |
|---|---|---|
| Security Block | Org blocked_plugins pattern | No — requires policy PR |
| Delegation Denial | Team doesn’t allow additions | Yes — use scc unblock |

Fix for security blocks:

```bash
# Generate YAML for policy PR (cannot override locally)
scc exceptions create --policy --id my-exception \
  --allow-plugin "blocked-plugin@marketplace" \
  --reason "Approved by security team"
```

Symptom: `scc exceptions list` shows exception but it's not working.

Check expiration:

```bash
scc exceptions list --all
```

Look for the "Expires In" column: if it is negative or says "expired", the exception is no longer active.

Fix:

```bash
# Create a new exception with longer TTL
scc unblock <target> --reason "Extended testing" --ttl 24h
```

Symptom: Commands fail with JSON errors or exceptions behave strangely.

Location of exception files:
| Scope | File Path |
|---|---|
| User (local) | ~/.config/scc/exceptions.json |
| Repo (shared) | .scc/exceptions.json |

Fix:

1. Back up the corrupt file

   ```bash
   cp ~/.config/scc/exceptions.json ~/.config/scc/exceptions.json.bak
   ```

2. Reset the exception store

   ```bash
   # Reset user exceptions
   scc exceptions reset --user --yes

   # Reset repo exceptions
   scc exceptions reset --repo --yes
   ```

3. Recreate needed exceptions

   ```bash
   scc unblock <target> --reason "Recreated after reset" --ttl 8h
   ```

Symptom: Team member created `--shared` exception but you can't see it.

Causes:

- `.scc/exceptions.json` needs to be in git
- `.scc/` is in `.gitignore`
- `git pull` to get latest

Check:

```bash
# See if shared exceptions exist
cat .scc/exceptions.json

# Check if git-ignored
git check-ignore .scc/exceptions.json
```

Fix for git-ignored:

```bash
# Add exception to .gitignore exclusion
# Git cannot re-include a file whose parent directory is excluded, so the
# negation only takes effect when the ignore rule is ".scc/*" rather than ".scc/"
echo "!.scc/exceptions.json" >> .gitignore
git add .scc/exceptions.json
git commit -m "Add shared SCC exceptions"
```

```bash
scc exceptions list [OPTIONS]
```

| Option | Description |
|---|---|
| --active | Show only active (non-expired) exceptions |
| --expired | Show only expired exceptions |
| --all | Show all exceptions |
| --json | Output as JSON |

```bash
scc exceptions create [OPTIONS]
```

| Option | Description |
|---|---|
| --allow-mcp NAME | Allow MCP server (repeatable) |
| --allow-plugin NAME | Allow plugin (repeatable) |
| --allow-image REF | Allow base image (repeatable) |
| --reason TEXT | Reason for exception (required) |
| --ttl DURATION | Time-to-live (e.g., 8h, 30m, 1d) |
| --expires-at RFC3339 | Exact expiration time |
| --until HH:MM | Expire at time of day |
| --shared | Save to repo store (.scc/exceptions.json) |
| --policy | Generate YAML for policy PR |

```bash
scc exceptions delete <EXCEPTION_ID> [OPTIONS]
```

| Option | Description |
|---|---|
| -y, --yes | Skip confirmation |

Remove all expired exceptions from both stores.

```bash
scc exceptions cleanup
```

Remove all exceptions (destructive).

```bash
scc exceptions reset --user --yes  # Reset user store
scc exceptions reset --repo --yes  # Reset repo store
```

Quick way to create an exception for a denied target.

```bash
scc unblock <TARGET> [OPTIONS]
```

| Option | Description |
|---|---|
| --reason TEXT | Reason (required with --yes) |
| --ticket ID | Related ticket ID for audit trail |
| --ttl DURATION | Time-to-live |
| --shared | Save to repo store |
| -y, --yes | Skip confirmation (requires --reason) |

Examples:

```bash
# Interactive - prompts for reason
scc unblock my-plugin@marketplace

# Non-interactive with ticket reference
scc unblock my-plugin@marketplace \
  --reason "Testing JIRA-123" \
  --ticket JIRA-123 \
  --ttl 4h \
  --yes

# Create shared exception for team
scc unblock context7-server \
  --reason "Team needs this MCP server" \
  --ttl 7d \
  --shared
```

```json
{
  "schema_version": 1,
  "exceptions": [
    {
      "id": "local-20250106-a3f2",
      "created_at": "2025-01-06T10:00:00Z",
      "expires_at": "2025-01-06T18:00:00Z",
      "reason": "Testing new feature",
      "scope": "local",
      "allow": {
        "plugins": ["my-plugin@marketplace"],
        "mcp_servers": [],
        "base_images": []
      }
    }
  ]
}
```
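
An added example, not part of scc or its documentation: a Python check over the text of one exception store that separates active, expired and malformed entries, useful before deciding whether a corrupt or stale `exceptions.json` needs a reset. It relies only on the field names in the sample file above; `audit_store`, `parse_ts`, the list of required fields and the two constructed entries are assumptions made for this example.

```python
import json
from datetime import datetime
REQUIRED = ("id", "created_at", "expires_at", "reason", "allow")  # assumed from the sample file
ALLOW_KEYS = ("plugins", "mcp_servers", "base_images")

def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-01-06T18:00:00Z (offset required)."""
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return dt

def audit_store(text, now):
    """Return (active_ids, expired_ids, problems) for one exceptions.json document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        return [], [], [f"corrupt store: {err.msg} (line {err.lineno})"]
    if not isinstance(doc, dict) or not isinstance(doc.get("exceptions"), list):
        return [], [], ["store has no 'exceptions' list"]
    active, expired, problems = [], [], []
    for n, entry in enumerate(doc["exceptions"]):
        label = entry.get("id", f"entry {n}") if isinstance(entry, dict) else f"entry {n}"
        missing = [k for k in REQUIRED if not isinstance(entry, dict) or k not in entry]
        if missing:  # an entry without an expiry or reason cannot be audited
            problems.append(f"{label}: missing {', '.join(missing)}")
            continue
        try:
            _, expires = parse_ts(entry["created_at"]), parse_ts(entry["expires_at"])
        except ValueError as err:
            problems.append(f"{label}: bad timestamp ({err})")
            continue
        if not str(entry["reason"]).strip():
            problems.append(f"{label}: empty reason")
        allow = entry["allow"] if isinstance(entry["allow"], dict) else {}
        if not any(allow.get(k) for k in ALLOW_KEYS):
            problems.append(f"{label}: allows nothing")
        (active if expires > now else expired).append(label)
    return active, expired, problems

# Constructed sample: the page's entry plus two made-up entries (ids ending c001/c002).
SAMPLE = json.dumps({"schema_version": 1, "exceptions": [
    {"id": "local-20250106-a3f2", "created_at": "2025-01-06T10:00:00Z",
     "expires_at": "2025-01-06T18:00:00Z", "reason": "Testing new feature",
     "scope": "local", "allow": {"plugins": ["my-plugin@marketplace"]}},
    {"id": "local-20250105-c001", "created_at": "2025-01-05T10:00:00Z", "reason": " ",
     "expires_at": "2025-01-05T18:00:00Z", "allow": {"mcp_servers": ["context7-server"]}},
    {"id": "local-20250106-c002", "created_at": "2025-01-06T09:00:00Z",
     "reason": "no expiry set", "allow": {"plugins": []}}]})
```

Pass the contents of `~/.config/scc/exceptions.json` or `.scc/exceptions.json` as `text` and a timezone-aware current time as `now`.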