From f93f614768c992febb1672428b52901f2360aae8 Mon Sep 17 00:00:00 2001
From: Kurt Carpenter
Date: Fri, 30 Jan 2026 16:57:26 -0800
Subject: [PATCH 1/4] docs: example settings files
---
 examples/settings/README.md | 31 ++++++++++++++++++++
 examples/settings/settings-bash-sandbox.json | 16 ++++++++++
 examples/settings/settings-lax.json | 6 ++++
 examples/settings/settings-strict.json | 15 ++++++++++
 4 files changed, 68 insertions(+)
 create mode 100644 examples/settings/README.md
 create mode 100644 examples/settings/settings-bash-sandbox.json
 create mode 100644 examples/settings/settings-lax.json
 create mode 100644 examples/settings/settings-strict.json
diff --git a/examples/settings/README.md b/examples/settings/README.md
new file mode 100644
index 00000000..9bc4f381
--- /dev/null
+++ b/examples/settings/README.md
@@ -0,0 +1,31 @@
+# Settings Examples
+
+Example Claude Code settings files, primarily intended for organization-wide deployments. Use these are starting points — adjust them to fit your needs.
+
+These may be applied at any level of the [settings hierarchy](https://code.claude.com/docs/en/settings#settings-files), though certain properties only take effect if specified in enterprise settings (e.g. `strictKnownMarketplaces`, `allowManagedHooksOnly`, `allowManagedPermissionRulesOnly`).
+
+
+## Configuration Examples
+
+> [!WARNING]
+> These examples are community-maintained snippets which may be unsupported or incorrect. You are responsible for the correctness of your own settings configuration.
+
+| Setting | [`settings-lax.json`](./settings-lax.json) | [`settings-strict.json`](./settings-strict.json) | [`settings-bash-sandbox.json`](./settings-bash-sandbox.json) |
+|---------|:---:|:---:|:---:|
+| Disable `--dangerously-skip-permissions` | ✅ | ✅ | |
+| Block plugin marketplaces | ✅ | ✅ | |
+| Block user and project-defined permission `allow` / `ask` / `deny` | | ✅ | ✅ |
+| Block user and project-defined hooks | | ✅ | |
+| Deny web fetch and search tools | | ✅ | |
+| Bash tool requires approval | | ✅ | |
+| Bash tool must run inside of sandbox | | | ✅ |
+
+## Tips
+- Consider merging snippets of the above examples to reach your desired configuration
+- Settings files must be valid JSON
+- Before deploying configuration files to your organization, test them locally by applying to `managed-settings.json`, `settings.json` or `settings.local.json`
+- The `sandbox` property only applies to the `Bash` tool; it does not apply to other tools (like Read, Write, WebSearch, WebFetch, MCPs), hooks, or internal commands
+
+## Full Documentation
+
+See https://code.claude.com/docs/en/settings for complete documentation on all available managed settings.
diff --git a/examples/settings/settings-bash-sandbox.json b/examples/settings/settings-bash-sandbox.json
new file mode 100644
index 00000000..de646128
--- /dev/null
+++ b/examples/settings/settings-bash-sandbox.json
@@ -0,0 +1,16 @@
+{
+ "allowManagedPermissionRulesOnly": true,
+ "sandbox": {
+ "enabled": true,
+ "autoAllowBashIfSandboxed": false,
+ "allowUnsandboxedCommands": false,
+ "excludedCommands": [],
+ "network": {
+ "allowUnixSockets": [],
+ "allowLocalBinding": false,
+ "httpProxyPort": null,
+ "socksProxyPort": null
+ },
+ "enableWeakerNestedSandbox": false
+ }
+}
diff --git a/examples/settings/settings-lax.json b/examples/settings/settings-lax.json
new file mode 100644
index 00000000..b348560c
--- /dev/null
+++ b/examples/settings/settings-lax.json
@@ -0,0 +1,6 @@
+{
+ "permissions": {
+ "disableBypassPermissionsMode": "disable"
+ },
+ "strictKnownMarketplaces": []
+}
diff --git a/examples/settings/settings-strict.json b/examples/settings/settings-strict.json
new file mode 100644
index 00000000..faa1fb0f
--- /dev/null
+++ b/examples/settings/settings-strict.json
@@ -0,0 +1,15 @@
+{
+ "permissions": {
+ "disableBypassPermissionsMode": "disable",
+ "ask": [
+ "Bash"
+ ],
+ "deny": [
+ "WebSearch",
+ "WebFetch"
+ ]
+ },
+ "allowManagedPermissionRulesOnly": true,
+ "allowManagedHooksOnly": true,
+ "strictKnownMarketplaces": []
+}
From 90c07d1c7e501318d60c59c3c9047ea063ab46fc Mon Sep 17 00:00:00 2001
From: Kurt Carpenter
Date: Fri, 30 Jan 2026 16:59:39 -0800
Subject: [PATCH 2/4] Stricter sandbox config
---
 examples/settings/settings-strict.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/examples/settings/settings-strict.json b/examples/settings/settings-strict.json
index faa1fb0f..73ef2ecd 100644
--- a/examples/settings/settings-strict.json
+++ b/examples/settings/settings-strict.json
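Review bot: In examples/settings/settings-bash-sandbox.json (PATCH 1/4) the `network` block sets `"httpProxyPort": null` and `"socksProxyPort": null`, and nothing in this patch shows that the settings schema accepts `null` for a port. If a validator rejects the value, the file or its `sandbox` section may not be applied, which for a managed hardening file would mean the restrictions are silently absent; I have not confirmed how the loader behaves. Unless `null` is documented as meaning "unset", I would drop both keys and let the defaults apply. The same two lines are added to settings-strict.json in PATCH 2/4.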
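Review bot: `"strictKnownMarketplaces": []` in examples/settings/settings-lax.json is, per the README added in this same patch, honoured only in enterprise settings, and the same holds for `allowManagedPermissionRulesOnly` and `allowManagedHooksOnly` in settings-strict.json and settings-bash-sandbox.json. The README tip to test by applying a file to `settings.json` or `settings.local.json` will therefore not exercise those keys, so someone could deploy the file at user or project scope believing marketplaces and user-defined rules are blocked when they are not. JSON cannot carry a comment, so I would extend that README tip with `Enterprise-only keys are ignored outside managed-settings.json; verify them there.`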
@@ -11,5 +11,16 @@
 },
 "allowManagedPermissionRulesOnly": true,
 "allowManagedHooksOnly": true,
- "strictKnownMarketplaces": []
+ "strictKnownMarketplaces": [],
+ "sandbox": {
+ "autoAllowBashIfSandboxed": false,
+ "excludedCommands": [],
+ "network": {
+ "allowUnixSockets": [],
+ "allowLocalBinding": false,
+ "httpProxyPort": null,
+ "socksProxyPort": null
+ },
+ "enableWeakerNestedSandbox": false
+ }
 }
From 43d0eac708280d9270884e4d08c3e49df9cb65a5 Mon Sep 17 00:00:00 2001
From: ant-kurt
Date: Sun, 1 Feb 2026 22:44:11 -0800
Subject: [PATCH 3/4] Update settings-bash-sandbox.json
---
 examples/settings/settings-bash-sandbox.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/examples/settings/settings-bash-sandbox.json b/examples/settings/settings-bash-sandbox.json
index de646128..65d66dcf 100644
--- a/examples/settings/settings-bash-sandbox.json
+++ b/examples/settings/settings-bash-sandbox.json
@@ -7,7 +7,9 @@
 "excludedCommands": [],
 "network": {
 "allowUnixSockets": [],
+ "allowAllUnixSockets": false,
 "allowLocalBinding": false,
+ "allowedDomains": [],
 "httpProxyPort": null,
 "socksProxyPort": null
 },
From 493630229309e8dbc97044324792066529aa886b Mon Sep 17 00:00:00 2001
From: ant-kurt
Date: Sun, 1 Feb 2026 22:44:32 -0800
Subject: [PATCH 4/4] Update settings-strict.json
---
 examples/settings/settings-strict.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/examples/settings/settings-strict.json b/examples/settings/settings-strict.json
index 73ef2ecd..c0fcc79c 100644
--- a/examples/settings/settings-strict.json
+++ b/examples/settings/settings-strict.json
@@ -17,7 +17,9 @@
 "excludedCommands": [],
 "network": {
 "allowUnixSockets": [],
+ "allowAllUnixSockets": false,
 "allowLocalBinding": false,
+ "allowedDomains": [],
 "httpProxyPort": null,
 "socksProxyPort": null
 },
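Review bot: The `sandbox` object added to settings-strict.json in PATCH 2/4 has no `"enabled"` key and no `"allowUnsandboxedCommands"` key, both of which settings-bash-sandbox.json sets (to `true` and `false`). As written the block only shapes a sandbox that some other settings layer switches on, and it leaves unsandboxed execution at whatever the product default is, which a profile named "strict" under a commit titled "Stricter sandbox config" would be expected to pin. If enabling is deliberately left out (the README table does not claim strict forces sandboxing), I would still add `"allowUnsandboxedCommands": false,` after `"autoAllowBashIfSandboxed": false,` and state in the README that strict configures but does not enable the sandbox. PATCH 4/4 touches the same block and adds neither key.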