{
  "//": "──────────────────────────────────────────────────────────────────────",
  "//desc": "Enterprise policy plane  ·  managed-settings.json  ·  QRefAI Field Guide Part 2 (Q2.6)",
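  "//override": "This file CANNOT be overridden by the developer from user, project, or local settings. That guarantee holds only while the managed location itself is writable by administrators alone; a developer with local admin/root rights can edit it. Distribute it via MDM: macOS plist com.anthropic.claudecode | Windows registry HKLM\\SOFTWARE\\Policies\\ClaudeCode | Linux /etc/claude-code/managed-settings.json. Use the managed-settings.d/ drop-in dir so Security, Platform, and FinOps can each own a fragment.",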
  "//audit": "In practice this deployed file is the artifact a SOC 2 / ISO 27001 auditor wants as your AI access-control evidence.",

  "//MERGE-RULE": "★ The one subtle rule that makes layered governance work ★",
  "//merge1": "For ordinary SCALAR fields, it's first-source-wins: the highest-precedence layer that sets the field decides its value.",
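  "//merge2": "But ARRAY fields — permissions.allow[], permissions.deny[], hooks, enabledMcpjsonServers — are CONCATENATED and DE-DUPLICATED across all layers (enterprise + team fragments + project). That's why Security's deny rules and a team's allow rules COMBINE rather than overwrite each other. Within the combined set, a matching deny rule still takes precedence over an allow rule. Because this file sets allowManagedPermissionRulesOnly to true, only permission rules delivered through managed settings are applied, so project-level allow/deny entries do not take part in the merge.",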
  "//note": "JSON has no comments; the \"//\"-prefixed keys are inert documentation — delete them in production.",
  "//────": "──────────────────────────────────────────────────────────────────────",

  "permissions": {
    "deny": [
      "Read(**/.env)",
      "Read(**/secrets/**)",
      "Bash(sudo:*)",
      "Bash(curl:*)"
    ]
  },

  "disableBypassPermissionsMode": "disable",

  "allowManagedMcpServersOnly": true,
  "allowManagedPermissionRulesOnly": true,
  "allowedMcpServers": ["acme-code-intel", "jira", "datadog"],

  "strictKnownMarketplaces": [
    { "hostPattern": "^github\\.acme\\.com$" }
  ],

  "//models": "Pin every model ID. Unpinned, Bedrock/Vertex may silently fall back on updates; Foundry may hard-error. Use specific inference-profile ARNs / version names / deployment names.",
  "env": {
    "ANTHROPIC_DEFAULT_OPUS_MODEL": "<pinned-bedrock-inference-profile-arn>",
    "ANTHROPIC_DEFAULT_SONNET_MODEL": "<pinned-bedrock-inference-profile-arn>",
    "ANTHROPIC_DEFAULT_HAIKU_MODEL": "<pinned-bedrock-inference-profile-arn>"
  }
}
