Solutions

Industries

Partners

Resources

Book a Demo

Claude managed-settings.json · Codex requirements.toml

Complete Settings File Builder for Admins

Architect admin-enforced, enterprise-grade security policies for Claude Code and OpenAI Codex — covering permissions, sandboxing, MCP server allowlists, telemetry, plugin lockdown, network controls, and more.

One-click download + steps to deploy to your tenant.

Not sure which controls fit your environment?

PromptArmor will design a hardened Claude Code and Codex policy for your use case.

Claude Code

managed-settings.json

Only managed permission rules

(Managed settings only) Prevent user and project settings from defining allow, ask, or deny permission rules. Only rules in managed settings apply. See Managed-only settings

allowManagedPermissionRulesOnly

Only managed hooks

(Managed settings only) Only managed hooks, SDK hooks, and hooks from plugins force-enabled in managed settings enabledPlugins are loaded. User, project, and all other plugin hooks are blocked. See Hook configuration

allowManagedHooksOnly

Only managed MCP servers

(Managed settings only) Only allowedMcpServers from managed settings are respected. deniedMcpServers still merges from all sources. Users can still add MCP servers, but only the admin-defined allowlist applies. See Managed MCP configuration

allowManagedMcpServersOnly

Plugin-only customization (block user skills/agents/hooks/MCP)

(Managed settings only) Block skills, agents, hooks, and MCP servers from user and project sources, so they can only come from plugins or managed settings. true locks all four surfaces; an array locks only the named ones. See strictPluginOnlyCustomization

strictPluginOnlyCustomization

Disable all hooks

Disable all hooks and any custom status line

disableAllHooks

Block startup until managed settings refresh

(Managed settings only) Block CLI startup until remote managed settings are freshly fetched from the server. If the fetch fails, the CLI exits rather than continuing with cached or no settings. When not set, startup continues without waiting for remote settings. See fail-closed enforcement

forceRemoteSettingsRefresh

WSL inherits Windows managed settings

(Windows managed settings only) When true, Claude Code on WSL reads managed settings from the Windows policy chain in addition to /etc/claude-code, with Windows sources taking priority. Only honored when set in the HKLM registry key or C:\Program Files\ClaudeCode\managed-settings.json, both of which require Windows admin to write. For HKCU policy to also apply on WSL, the flag must additionally be set in HKCU itself. Has no effect on native Windows

wslInheritsWindowsSettings

Parent settings behavior

(Managed settings only) Controls whether managed settings supplied programmatically by an embedding host process, such as the Agent SDK or an IDE extension, apply when an admin-deployed managed tier is also present. "first-wins": the parent-supplied settings are dropped and only the admin tier applies. "merge": the parent-supplied settings apply under the admin tier, filtered so they can tighten policy but not loosen it. Has no effect when no admin tier is deployed. Default: "first-wins". Requires Claude Code v2.1.133 or later

parentSettingsBehavior

Allowed MCP servers

When set in managed-settings.json, allowlist of MCP servers users can configure. Undefined = no restrictions, empty array = lockdown. Applies to all scopes. Denylist takes precedence. See Managed MCP configuration

allowedMcpServers

Emit as empty list [] (allow none)

Denied MCP servers

When set in managed-settings.json, denylist of MCP servers that are explicitly blocked. Applies to all scopes including managed servers. Denylist takes precedence over allowlist. See Managed MCP configuration

deniedMcpServers

Emit as empty list [] (allow none)

Auto-approve project .mcp.json servers

Automatically approve all MCP servers defined in project .mcp.json files

enableAllProjectMcpServers

Allow claude.ai connectors alongside managed MCP

(Managed settings only) Load claude.ai connectors alongside a deployed managed-mcp.json, which otherwise takes exclusive control and suppresses them. See Managed MCP configuration

allowAllClaudeAiMcps

Allowed marketplaces (strict)

(Managed settings only) Allowlist of plugin marketplace sources. Undefined = no restrictions, empty array = lockdown. Enforced on marketplace add and on plugin install, update, refresh, and auto-update, so a marketplace added before the policy was set cannot be used to fetch plugins. See Managed marketplace restrictions

strictKnownMarketplaces

Emit as empty list [] (allow none)

Blocked marketplaces

(Managed settings only) Blocklist of marketplace sources. Enforced on marketplace add and on plugin install, update, refresh, and auto-update, so a marketplace added before the policy was set cannot be used to fetch plugins. Blocked sources are checked before downloading, so they never touch the filesystem. See Managed marketplace restrictions

blockedMarketplaces

Suggestion marketplaces

(Managed settings only) Marketplace names whose plugins can appear as contextual install suggestions, in addition to the official marketplace. Suggestions come from each plugin's relevance declaration in its marketplace entry. A name only takes effect when the marketplace is registered on the machine and its registered source is also declared in managed settings, either as the extraKnownMarketplaces entry for that name or as an entry of strictKnownMarketplaces. A marketplace registered from a different source under an allowlisted name is ignored.

pluginSuggestionMarketplaces

Allowed channel plugins

(Managed settings only) Allowlist of channel plugins that may push messages. Replaces the default Anthropic allowlist when set. Undefined = fall back to the default, empty array = block all channel plugins. Requires channelsEnabled: true. See Restrict which channel plugins can run

allowedChannelPlugins

Channels for the org

(Managed settings only) Allow channels for the organization. On claude.ai Team and Enterprise plans, channels are blocked when this is unset or false. For Anthropic Console accounts using API key authentication, channels are allowed by default unless your organization deploys managed settings, in which case this key must be set to true

channelsEnabled

Plugin trust message

(Managed settings only) Custom message appended to the plugin trust warning shown before installation. Use this to add organization-specific context, for example to confirm that plugins from your internal marketplace are vetted.

pluginTrustMessage

Enable bash sandbox

Enable bash sandboxing (macOS, Linux, and WSL2). Default: false

sandbox.enabled

Fail startup if sandbox unavailable

Exit with an error at startup if sandbox.enabled is true but the sandbox cannot start (missing dependencies or unsupported platform). When false (default), a warning is shown and commands run unsandboxed. Intended for managed settings deployments that require sandboxing as a hard gate

sandbox.failIfUnavailable

Auto-approve bash when sandboxed

Auto-approve bash commands when sandboxed. Default: true

sandbox.autoAllowBashIfSandboxed

Allow unsandboxed commands

Allow commands to run outside the sandbox via the dangerouslyDisableSandbox parameter. When set to false, the dangerouslyDisableSandbox escape hatch is completely disabled and all commands must run sandboxed (or be in excludedCommands). Useful for enterprise policies that require strict sandboxing. Default: true

sandbox.allowUnsandboxedCommands

Weaker nested sandbox

Enable weaker sandbox for unprivileged Docker environments (Linux and WSL2 only). Reduces security. Default: false

sandbox.enableWeakerNestedSandbox

Weaker network isolation

(macOS only) Allow access to the system TLS trust service (com.apple.trustd.agent) in the sandbox. Required for Go-based tools like gh, gcloud, and terraform to verify TLS certificates when using httpProxyPort with a MITM proxy and custom CA. Reduces security by opening a potential data exfiltration path. Default: false

sandbox.enableWeakerNetworkIsolation

Allowed domains

Array of domains to allow for outbound network traffic. Supports wildcards (e.g., *.example.com).

sandbox.network.allowedDomains

Emit as empty list [] (allow none)

Denied domains

Array of domains to block for outbound network traffic. Supports the same wildcard syntax as allowedDomains. Takes precedence over allowedDomains when both match. Merged from all settings sources regardless of allowManagedDomainsOnly.

sandbox.network.deniedDomains

Only managed allowed-domains

(Managed settings only) Only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. Domains from user, project, and local settings are ignored. Non-allowed domains are blocked automatically without prompting the user. Denied domains are still respected from all sources. Default: false

sandbox.network.allowManagedDomainsOnly

Allow localhost binding

Allow binding to localhost ports (macOS only). Default: false

sandbox.network.allowLocalBinding

Filesystem deny-read

Paths where sandboxed commands cannot read. Arrays are merged across all settings scopes. Also merged with paths from Read(...) deny permission rules.

sandbox.filesystem.denyRead

~/.ssh✕~/.aws✕~/.gnupg✕~/.config/gh✕

Filesystem allow-read

Paths to re-allow reading within denyRead regions. Takes precedence over denyRead. Arrays are merged across all settings scopes. Use this to create workspace-only read access patterns.

sandbox.filesystem.allowRead

Emit as empty list [] (allow none)

Filesystem deny-write

Paths where sandboxed commands cannot write. Arrays are merged across all settings scopes. Also merged with paths from Edit(...) deny permission rules.

sandbox.filesystem.denyWrite

Filesystem allow-write

Additional paths where sandboxed commands can write. Arrays are merged across all settings scopes: user, project, and managed paths are combined, not replaced. Also merged with paths from Edit(...) allow permission rules. See path prefixes below.

sandbox.filesystem.allowWrite

Only managed read paths

(Managed settings only) Only filesystem.allowRead paths from managed settings are respected. denyRead still merges from all sources. Default: false

sandbox.filesystem.allowManagedReadPathsOnly

Default permission mode

Default permission mode when opening Claude Code. Valid values: default, acceptEdits, plan, auto, dontAsk, bypassPermissions. As of Claude Code v2.1.142, auto is ignored when set in project or local settings (.claude/settings.json, .claude/settings.local.json) so a repository cannot grant itself auto mode. Set it in ~/.claude/settings.json instead. The --permission-mode CLI flag overrides this setting for a single session

permissions.defaultMode

Disable bypassPermissions mode

Set to "disable" to prevent bypassPermissions mode from being activated. This disables the --dangerously-skip-permissions command-line flag. Typically placed in managed settings to enforce organizational policy, but works from any scope

permissions.disableBypassPermissionsMode

Disable auto mode

Set to "disable" to prevent auto mode from being activated. Removes auto from the Shift+Tab cycle and rejects --permission-mode auto at startup. Most useful in managed settings where users cannot override it

permissions.disableAutoMode

Skip dangerous-mode prompt

Skip the confirmation prompt shown before entering bypass permissions mode via --dangerously-skip-permissions or defaultMode: "bypassPermissions". Ignored when set in project settings (.claude/settings.json) to prevent untrusted repositories from auto-bypassing the prompt

skipDangerousModePermissionPrompt

Deny rules

Array of permission rules to deny tool use. Use this to exclude sensitive files from Claude Code access. See Permission rule syntax and Bash permission limitations

permissions.deny

Read(.env)✕Read(.env.*)✕Read(**/.env)✕Read(**/.env.*)✕Read(**/secrets/**)✕Read(~/.ssh/**)✕Read(~/.aws/credentials)✕Read(~/.gnupg/**)✕Read(~/.config/gh/hosts.yml)✕Read(~/.npmrc)✕Read(**/.npmrc)✕Read(~/.netrc)✕Read(~/.pgpass)✕Read(~/.docker/config.json)✕Read(~/.kube/config)✕Read(~/.git-credentials)✕Read(~/.config/gcloud/**)✕Read(**/*.pem)✕Read(**/*.key)✕Read(**/id_rsa)✕Read(**/id_ed25519)✕Read(**/id_ecdsa)✕Read(**/*.tfvars)✕Read(~/.vault-token)✕Bash(nc *)✕Bash(ncat *)✕Bash(netcat *)✕Bash(telnet *)✕

Ask-first rules

Array of permission rules to ask for confirmation upon tool use. See Permission rule syntax below

permissions.ask

Allow rules

Array of permission rules to allow tool use. See Permission rule syntax below for pattern matching details

permissions.allow

Additional working directories

Additional working directories for file access. Most .claude/ configuration is not discovered from these directories

permissions.additionalDirectories

Disable dynamic workflows

Disable dynamic workflows and the bundled workflow commands. Default: false. Equivalent to setting CLAUDE_CODE_DISABLE_WORKFLOWS to 1

disableWorkflows

Disable Remote Control

Disable Remote Control: blocks claude remote-control, the --remote-control flag, auto-start, and the in-session toggle. Typically placed in managed settings for per-device MDM enforcement, but works from any scope. Requires Claude Code v2.1.128 or later

disableRemoteControl

Disable background agents / agent view

Set to true to turn off background agents and agent view: claude agents, --bg, /background, and the on-demand supervisor. Typically set in managed settings. Equivalent to setting CLAUDE_CODE_DISABLE_AGENT_VIEW to 1

disableAgentView

Disable claude-cli:// deep links

Set to "disable" to prevent Claude Code from registering the claude-cli:// protocol handler with the operating system on startup. Deep links let external tools open a Claude Code session with a pre-filled prompt. Useful in environments where protocol handler registration is restricted or managed separately

disableDeepLinkRegistration

Disable inline shell in skills

Disable inline shell execution for !... and ! blocks in skills and custom commands from user, project, plugin, or additional-directory sources. Commands are replaced with [shell command execution disabled by policy] instead of being run. Bundled and managed skills are not affected. Most useful in managed settings where users cannot override it

disableSkillShellExecution

Skip WebFetch domain safety check

Skip the WebFetch domain safety check that sends each requested hostname to api.anthropic.com before fetching. Set to true in environments that block traffic to Anthropic, such as Bedrock, Vertex AI, or Foundry deployments with restrictive egress. When skipped, WebFetch attempts any URL without consulting the blocklist

skipWebFetchPreflight

Force login method

Use claudeai to restrict login to Claude.ai accounts, console to restrict login to Claude Console (API usage billing) accounts. When set in managed settings, sessions authenticated by API key, apiKeyHelper, or a third-party provider are blocked at startup, since neither value can be satisfied without first-party OAuth

forceLoginMethod

Required organization UUID

Require login to belong to a specific organization. Accepts a single UUID string, which also pre-selects that organization during login, or an array of UUIDs where any listed organization is accepted without pre-selection. When set in managed settings, login fails if the authenticated account does not belong to a listed organization, and sessions authenticated by API key, apiKeyHelper, or a third-party provider are blocked at startup since organization membership cannot be verified for them. An empty array fails closed and blocks login with a misconfiguration message

forceLoginOrgUUID

Managed CLAUDE.md instructions

(Managed settings only) CLAUDE.md-style instructions injected as organization-managed memory. Only honored when set in managed or policy settings and ignored in user, project, and local settings. See organization-wide CLAUDE.md

claudeMd

Startup announcement

Announcement to display to users at startup. If multiple announcements are provided, they will be cycled through at random.

companyAnnouncements

HTTP proxy

Specify HTTP proxy server for network connections

env.HTTP_PROXY

HTTPS proxy

Specify HTTPS proxy server for network connections

env.HTTPS_PROXY

Anthropic base URL

Override the API endpoint to route requests through a proxy or gateway. When set to a non-first-party host, MCP tool search is disabled by default. Set ENABLE_TOOL_SEARCH=true if your proxy forwards tool_reference blocks

env.ANTHROPIC_BASE_URL

Use Amazon Bedrock

Use Bedrock

env.CLAUDE_CODE_USE_BEDROCK

Use Google Vertex

Use Vertex

env.CLAUDE_CODE_USE_VERTEX

Default model

Name of the model setting to use (see Model Configuration)

env.ANTHROPIC_MODEL

Small/fast model

\[DEPRECATED] Name of Haiku-class model for background tasks

env.ANTHROPIC_SMALL_FAST_MODEL

Model override (setting)

Override the default model to use for Claude Code. --model and ANTHROPIC_MODEL override this for one session

model

Selectable models

Restrict which models users can select via /model, --model, or ANTHROPIC_MODEL. Does not affect the Default option. See Restrict model selection

availableModels

Disable all nonessential traffic

Equivalent of setting DISABLE_AUTOUPDATER, DISABLE_FEEDBACK_COMMAND, DISABLE_ERROR_REPORTING, and DISABLE_TELEMETRY

env.CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC

Disable telemetry (Statsig)

Set to 1 to opt out of telemetry. Telemetry events do not include user data like code, file paths, or bash commands. Also disables feature-flag fetching with the same effect as DISABLE_GROWTHBOOK, so some flagged features may be unavailable

env.DISABLE_TELEMETRY

Disable error reporting (Sentry)

Set to 1 to opt out of Sentry error reporting

env.DISABLE_ERROR_REPORTING

Disable the /feedback command

Set to 1 to disable the /feedback command. The older name DISABLE_BUG_COMMAND is also accepted

env.DISABLE_FEEDBACK_COMMAND

Disable the auto-updater

Set to 1 to disable automatic background updates. Manual claude update still works. Use DISABLE_UPDATES to block both

env.DISABLE_AUTOUPDATER

Disable session quality surveys

Set to 1 to disable the "How is Claude doing?" session quality surveys. Surveys are also disabled when DISABLE_TELEMETRY, DO_NOT_TRACK, or CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC is set, unless CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL opts back in. To set a sample rate instead of disabling outright, use the feedbackSurveyRate setting. See Session quality surveys

env.CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY

Disable cost warnings

Set to 1 to disable cost warning messages

env.DISABLE_COST_WARNINGS

Auto-updates channel

Release channel to follow for updates. Use "stable" for a version that is typically about one week old and skips versions with major regressions, or "latest" (default) for the most recent release. To disable auto-updates entirely, set DISABLE_AUTOUPDATER in env

autoUpdatesChannel

Minimum allowed version

Floor that prevents background auto-updates and claude update from installing a version below this one. Switching from the "latest" channel to "stable" via /config prompts you to stay on the current version or allow the downgrade. Choosing to stay sets this value. Also useful in managed settings to pin an organization-wide minimum

minimumVersion

Feedback survey rate (0–1)

Probability (0–1) that the session quality survey appears when eligible. Set to 0 to suppress entirely, or set CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY in env. Useful when using Bedrock, Vertex, or Foundry where the default sample rate does not apply

feedbackSurveyRate

Cleanup period (days)

Session files older than this period are deleted at startup (default: 30 days, minimum 1). Setting to 0 is rejected with a validation error. Also controls the age cutoff for automatic removal of orphaned subagent worktrees at startup. To disable transcript writes entirely, set the CLAUDE_CODE_SKIP_PROMPT_HISTORY environment variable, or in non-interactive mode (-p) use the --no-session-persistence flag or the persistSession: false SDK option.

cleanupPeriodDays

Include co-authored-by Claude

Deprecated: Use attribution instead. Whether to include the co-authored-by Claude byline in git commits and pull requests (default: true)

includeCoAuthoredBy

Commit attribution

Attribution for git commits, including any trailers. Empty string hides commit attribution

attribution.commit

PR attribution

Attribution for pull request descriptions. Empty string hides pull request attribution

attribution.pr

Include built-in git instructions

Include built-in commit and PR workflow instructions and the git status snapshot in Claude's system prompt (default: true). Set to false to remove both, for example when using your own git workflow skills. The CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS environment variable takes precedence over this setting when set

includeGitInstructions

Scrub env from subprocesses

Set to 1 to strip Anthropic and cloud provider credentials from subprocess environments (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these credentials for API calls, but child processes cannot read them, reducing exposure to prompt injection attacks that attempt to exfiltrate secrets via shell expansion. On Linux, this also runs Bash subprocesses in an isolated PID namespace so they cannot read host process environments via /proc; as a side effect, ps, pgrep, and kill cannot see or signal host processes. claude-code-action sets this automatically when allowed_non_write_users is configured

env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB

Disable background tasks

Set to 1 to disable all background task functionality, including the run_in_background parameter on Bash and subagent tools, auto-backgrounding, and the Ctrl+B shortcut

env.CLAUDE_CODE_DISABLE_BACKGROUND_TASKS

Disable scheduled (cron) tasks

Set to 1 to disable scheduled tasks. The /loop skill and cron tools become unavailable and any already-scheduled tasks stop firing, including tasks that are already running mid-session

env.CLAUDE_CODE_DISABLE_CRON

Disable experimental betas

Set to 1 to strip Anthropic-specific anthropic-beta request headers and beta tool-schema fields (such as defer_loading and eager_input_streaming) from API requests. Use this when a proxy gateway rejects requests with errors like "Unexpected value(s) for the anthropic-beta header" or "Extra inputs are not permitted". Standard fields (name, description, input_schema, cache_control) are preserved.

env.CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS

Disable official marketplace auto-install

Set to 1 to skip automatic addition of the official plugin marketplace on first run

env.CLAUDE_CODE_DISABLE_OFFICIAL_MARKETPLACE_AUTOINSTALL

Skip IDE extension auto-install

Skip auto-installation of IDE extensions. Equivalent to setting autoInstallIdeExtension to false

env.CLAUDE_CODE_IDE_SKIP_AUTO_INSTALL

Enforce MCP allowlist via env

Set to 1 to spawn stdio MCP servers with only a safe baseline environment plus the server's configured env, instead of inheriting your shell environment

env.CLAUDE_CODE_MCP_ALLOWLIST_ENV

Enable OpenTelemetry export

Set to 1 to enable OpenTelemetry data collection for metrics and logging. Required before configuring OTel exporters. See Monitoring

env.CLAUDE_CODE_ENABLE_TELEMETRY

OTEL metrics exporter

Metrics exporter types, comma-separated. Use none to disable

env.OTEL_METRICS_EXPORTER

OTEL logs exporter

Logs/events exporter types, comma-separated. Use none to disable

env.OTEL_LOGS_EXPORTER

OTEL protocol

Protocol for OTLP exporter, applies to all signals

env.OTEL_EXPORTER_OTLP_PROTOCOL

OTEL collector endpoint

OTLP collector endpoint for all signals

env.OTEL_EXPORTER_OTLP_ENDPOINT

OTEL auth headers

Authentication headers for OTLP

env.OTEL_EXPORTER_OTLP_HEADERS

Authorization=Bearer YOUR_OTEL_AUTH_TOKEN

Please populate after downloading

Log user prompts

Set to 1 to include user prompt text in OpenTelemetry traces and logs. Disabled by default (prompts are redacted). See Monitoring

env.OTEL_LOG_USER_PROMPTS

Log tool details

Set to 1 to include tool input arguments, MCP server names, raw error strings on tool failures, and other tool details in OpenTelemetry traces and logs. Disabled by default to protect PII. See Monitoring

env.OTEL_LOG_TOOL_DETAILS

Log tool content

Set to 1 to include tool input and output content in OpenTelemetry span events. Disabled by default to protect sensitive data. See Monitoring

env.OTEL_LOG_TOOL_CONTENT

Log raw API bodies

Emit Anthropic Messages API request and response JSON as api_request_body / api_response_body log events. Set to 1 for inline bodies truncated at 60 KB, or file:<dir> to write untruncated bodies to disk and emit a body_ref path instead. Disabled by default; bodies include the entire conversation history. See Monitoring

env.OTEL_LOG_RAW_API_BODIES

Include session ID in metrics

Set to false to exclude session ID from metrics attributes (default: included). See Monitoring

env.OTEL_METRICS_INCLUDE_SESSION_ID

Include account UUID in metrics

Set to false to exclude account UUID from metrics attributes (default: included). See Monitoring

env.OTEL_METRICS_INCLUDE_ACCOUNT_UUID

managed-settings.json22 keys

{
  "allowManagedHooksOnly": true,
  "allowManagedMcpServersOnly": true,
  "allowManagedPermissionRulesOnly": true,
  "allowedMcpServers": [],
  "autoUpdatesChannel": "stable",
  "channelsEnabled": false,
  "cleanupPeriodDays": 30,
  "deniedMcpServers": [],
  "disableAllHooks": true,
  "disableDeepLinkRegistration": "disable",
  "disableSkillShellExecution": true,
  "enableAllProjectMcpServers": false,
  "env": {
    "CLAUDE_CODE_DISABLE_BACKGROUND_TASKS": "1",
    "CLAUDE_CODE_DISABLE_CRON": "1",
    "CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS": "1",
    "CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY": "1",
    "CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC": "1",
    "CLAUDE_CODE_DISABLE_OFFICIAL_MARKETPLACE_AUTOINSTALL": "1",
    "CLAUDE_CODE_ENABLE_TELEMETRY": "1",
    "CLAUDE_CODE_IDE_SKIP_AUTO_INSTALL": "1",
    "CLAUDE_CODE_MCP_ALLOWLIST_ENV": "1",
    "CLAUDE_CODE_SUBPROCESS_ENV_SCRUB": "1",
    "DISABLE_AUTOUPDATER": "1",
    "DISABLE_ERROR_REPORTING": "1",
    "DISABLE_TELEMETRY": "1",
    "OTEL_EXPORTER_OTLP_ENDPOINT": "http://collector.example.com:4317",
    "OTEL_EXPORTER_OTLP_HEADERS": "Authorization=Bearer YOUR_OTEL_AUTH_TOKEN",
    "OTEL_EXPORTER_OTLP_PROTOCOL": "grpc",
    "OTEL_LOGS_EXPORTER": "otlp",
    "OTEL_LOG_RAW_API_BODIES": "1",
    "OTEL_LOG_TOOL_CONTENT": "1",
    "OTEL_LOG_TOOL_DETAILS": "1",
    "OTEL_LOG_USER_PROMPTS": "1",
    "OTEL_METRICS_EXPORTER": "otlp",
    "OTEL_METRICS_INCLUDE_ACCOUNT_UUID": "true",
    "OTEL_METRICS_INCLUDE_SESSION_ID": "true"
  },
  "feedbackSurveyRate": 0,
  "forceLoginMethod": "claudeai",
  "forceLoginOrgUUID": "YOUR_ORG_UUID_HERE",
  "forceRemoteSettingsRefresh": true,
  "permissions": {
    "deny": [
      "Read(.env)",
      "Read(.env.*)",
      "Read(**/.env)",
      "Read(**/.env.*)",
      "Read(**/secrets/**)",
      "Read(~/.ssh/**)",
      "Read(~/.aws/credentials)",
      "Read(~/.gnupg/**)",
      "Read(~/.config/gh/hosts.yml)",
      "Read(~/.npmrc)",
      "Read(**/.npmrc)",
      "Read(~/.netrc)",
      "Read(~/.pgpass)",
      "Read(~/.docker/config.json)",
      "Read(~/.kube/config)",
      "Read(~/.git-credentials)",
      "Read(~/.config/gcloud/**)",
      "Read(**/*.pem)",
      "Read(**/*.key)",
      "Read(**/id_rsa)",
      "Read(**/id_ed25519)",
      "Read(**/id_ecdsa)",
      "Read(**/*.tfvars)",
      "Read(~/.vault-token)",
      "Bash(nc *)",
      "Bash(ncat *)",
      "Bash(netcat *)",
      "Bash(telnet *)"
    ],
    "disableAutoMode": "disable",
    "disableBypassPermissionsMode": "disable"
  },
  "pluginTrustMessage": "Plugins must be approved by your organization before use.",
  "sandbox": {
    "allowUnsandboxedCommands": false,
    "autoAllowBashIfSandboxed": false,
    "enableWeakerNestedSandbox": false,
    "enableWeakerNetworkIsolation": false,
    "enabled": true,
    "failIfUnavailable": true,
    "filesystem": {
      "allowManagedReadPathsOnly": true,
      "allowRead": [],
      "denyRead": [
        "~/.ssh",
        "~/.aws",
        "~/.gnupg",
        "~/.config/gh"
      ]
    },
    "network": {
      "allowLocalBinding": false,
      "allowManagedDomainsOnly": true,
      "allowedDomains": []
    }
  },
  "skipWebFetchPreflight": false,
  "strictKnownMarketplaces": []
}

Jump to setting in Claude Code

Codex

requirements.toml

Allowed approval policies

Allowed values for approval_policy (for example untrusted, on-request, never, and granular).

allowed_approval_policies

Allowed reviewers

Allowed values for approvals_reviewer, such as user and auto_review.

allowed_approvals_reviewers

Allowed sandbox modes

Allowed values for sandbox_mode.

allowed_sandbox_modes

Allowed web-search modes

Allowed values for web_search (disabled, cached, live). disabled is always allowed; an empty list effectively allows only disabled.

allowed_web_search_modes

Allowed MCP servers

Allowlist of MCP servers that may be enabled. Both the server name (<id>) and its identity must match for the MCP server to be enabled. Any configured MCP server not in the allowlist (or with a mismatched identity) is disabled.

mcp_servers

Browser Use / Browser Agent

Set to false in requirements.toml to disable Browser Use and Browser Agent availability.

features.browser_use

Computer Use

Set to false in requirements.toml to disable Computer Use availability and related install or enablement flows.

features.computer_use

In-app browser pane

Set to false in requirements.toml to disable the in-app browser pane.

features.in_app_browser

ChatGPT Apps / connectors

Enable ChatGPT Apps/connectors support (experimental).

features.apps

Sandboxed networking

Enable sandboxed networking. Use a table form when setting network policy options such as domains (experimental; off by default).

features.network_proxy

Multi-agent collaboration

Enable multi-agent collaboration tools (spawn_agent, send_input, resume_agent, wait_agent, and close_agent) (stable; on by default).

features.multi_agent

Lifecycle hooks

Enable lifecycle hooks loaded from hooks.json or inline [hooks] config. features.codex_hooks is a deprecated alias.

features.hooks

Memories

Enable Memories (off by default).

features.memories

Codex-generated git commits

Enable Codex-generated git commits. When enabled, Codex uses commit_attribution to append a Co-authored-by: trailer to generated commit messages.

features.codex_git_commit

Undo support

Enable undo support (stable; off by default).

features.undo

Unified exec tool

Use the unified PTY-backed exec tool (stable; enabled by default except on Windows).

features.unified_exec

Default shell tool

Enable the default shell tool for running commands (stable; on by default).

features.shell_tool

Shell environment snapshot

Snapshot shell environment to speed up repeated commands (stable; on by default).

features.shell_snapshot

Personality controls

Enable personality selection controls (stable; on by default).

features.personality

Fast-tier model selection

Enable model-catalog service tier selection in the TUI, including Fast-tier commands when the active model advertises them (stable; on by default).

features.fast_mode

Skill MCP dependency install

Allow prompting and installing missing MCP dependencies for skills (stable; on by default).

features.skill_mcp_dependency_install

Request compression

Compress streaming request bodies with zstd when supported (stable; on by default).

features.enable_request_compression

Prevent idle sleep

Prevent the machine from sleeping while a turn is actively running (experimental; off by default).

features.prevent_idle_sleep

Web search (legacy toggle)

Deprecated legacy toggle; prefer the top-level web_search setting.

features.web_search

Enable network requirements

Enable sandboxed networking requirements. This does not grant network access when the active sandbox keeps command networking off.

experimental_network.enabled

Allowed domains

List-shaped administrator allow rules for sandboxed networking. Do not combine this with experimental_network.domains.

experimental_network.allowed_domains

Emit as empty list [] (allow none)

Denied domains

List-shaped administrator deny rules for sandboxed networking. Do not combine this with experimental_network.domains.

experimental_network.denied_domains

Only managed allow rules

When true, only administrator-managed allow rules remain effective while sandboxed networking requirements are active; user allowlist additions are ignored. Without managed allow rules, user-added domain allow rules do not remain effective.

experimental_network.managed_allowed_domains_only

Allow local/private binding

Permit broader local/private-network access for sandboxed networking. Exact local IP literal or localhost allow rules can still permit specific local targets when this stays false.

experimental_network.allow_local_binding

Allow upstream proxy chaining

Allow sandboxed networking to chain through an upstream proxy from the environment.

experimental_network.allow_upstream_proxy

HTTP listener port

Loopback HTTP listener port to use for [experimental_network] requirements.

experimental_network.http_port

SOCKS5 listener port

Loopback SOCKS5 listener port to use for [experimental_network] requirements.

experimental_network.socks_port

Filesystem deny-read

Admin-enforced filesystem read denials. Entries can be paths or glob patterns, and users cannot weaken them with local config.

permissions.filesystem.deny_read

.env✕**/.env✕**.env.*✕

Command prefix rules

List of enforced prefix rules. Each rule must include pattern and decision.

rules.prefix_rules

Only managed hooks

When true, Codex skips user, project, session, and plugin hooks while still allowing managed hooks from requirements.toml and other managed config layers.

allow_managed_hooks_only

Managed hook directory (macOS/Linux)

Directory containing managed hook scripts on macOS and Linux. Codex validates that it is absolute and exists before loading managed hooks.

hooks.managed_dir

Managed hook directory (Windows)

Directory containing managed hook scripts on Windows. Codex validates that it is absolute and exists before loading managed hooks.

hooks.windows_managed_dir

Guardian review policy (Markdown)

Managed Markdown policy instructions for automatic review. This takes precedence over local [auto_review].policy. Blank values are ignored.

guardian_policy_config

Plugin workspace sharing

Set to false in cloud-managed requirements.toml to disable workspace sharing for locally built plugins.

plugin_sharing

requirements.toml13 keys

allowed_approval_policies = ["never"]
allowed_approvals_reviewers = ["user"]
allowed_sandbox_modes = ["read-only"]
allowed_web_search_modes = ["disabled"]

[features]
browser_use = false
computer_use = false
in_app_browser = false
apps = false
memories = false
skill_mcp_dependency_install = false

[permissions.filesystem]
deny_read = [".env", "**/.env", "**.env.*"]

Jump to setting in Codex