Skip to content

Settings, policy, and integrations

This page reverse-engineers settings, managed policy, helper scripts, and local integration paths in the Claude Code runtime.

Use Settings schema reference for the canonical settings roots/key groups and Environment variables reference for env-var-only controls. This page owns the settings/policy/integration behavior narrative.

Source anchors

Semantic aliasString or symbolMeaning
ProjectUserSettingsSchema.claude/settings.jsonProject/user settings overlay schema text.
TranscriptRetentionSettingcleanupPeriodDaysTranscript retention setting.
ManagedUiPolicySettingsdisableAllHooks, statusLine, disableAgentViewManaged settings/policy surfaces for hooks/status/agent view.
RemoteControlPolicySettingdisableRemoteControlManaged policy surface for Remote Control.
SkillShellPolicySettingdisableSkillShellExecutionManaged policy surface for shell execution in skills/custom slash commands.
ApiKeyHelperSettingapiKeyHelperSettings helper script that outputs authentication values.
OtelHeadersHelperOriginisOtelHeadersHelperFromProjectOrLocalSettings, checkHasTrustDialogAcceptedProject/local OTEL header helpers are suppressed until workspace trust is accepted.
StatusLineSettingsMutation~/.claude/settings.jsonStatus-line setup instructions mutate user settings.
SettingsInjectionFlag--settings <file-or-json>Adds settings JSON file or inline JSON for a session.
IdeIntegrationFlag--ideAuto-connect IDE integration flag.
ChromeIntegrationFlag--chromeChrome integration flag.
StartupFileResourceFlag--file <specs...>Startup file-resource download integration.

Bundle modules in cli.renamed.js

Semantic aliasLoader lineRepresentative renamed exportsAtlas entry
TrustedPathGlobalConfig169401isPathTrusted, setPathTrusted, checkHasTrustDialogAccepted, resetTrustDialogAcceptedCache, isGlobalConfigKey, saveGlobalConfig, saveCurrentProjectConfig, isProjectConfigKey, getRemoteControlAtStartup, getDaemonColdStart, isAutoUpdaterDisabled, shouldSkipPluginAutoupdate, recordFirstStartTimeBundle module map — permission, trust, hooks, and policy
ProxyClientFactory91577shouldBypassProxy, prefetchProxyAuthFromHelperIfSafe, getWebSocketProxyUrl, getProxyUrl, getProxyFetchOptions, getProxyAuthFromHelperCached, getProxyAuthFromHelper, getProxyAgentBundle module map — remote control, feature flags, networking
LspIdeClient428870createLSPClientBundle module map — integrations (MCP, plugins, MCPB, LSP)

Settings layers

flowchart TD
User[~/.claude/settings.json] --> Merge[Settings merge]
Project[.claude/settings.json] --> Merge
Local[.claude/settings.local.json] --> Merge
Managed[managed settings / policy] --> Merge
Flags[--settings / --managed-settings / --setting-sources] --> Merge
Merge --> Runtime[Runtime config]
Runtime --> Tools[Tools and permissions]
Runtime --> Context[Prompt/context]
Runtime --> Integrations[IDE / Chrome / MCP / plugins]

Confirmed settings and policy groups

GroupExamplesRuntime implication
Settings roots~/.claude/settings.json, .claude/settings.json, .claude/settings.local.jsonUser, project, and local overlays participate in runtime config.
RetentioncleanupPeriodDaysControls chat transcript retention period.
Hooks/status linedisableAllHooks, statusLine, subagentStatusLineEnables/disables hook and status-line execution.
Remote/agent policydisableRemoteControl, disableAgentViewManaged policy can disable Remote Control and agent UI paths.
Skills/slash safetydisableSkillShellExecutionReplaces inline shell execution in skills/custom slash commands with placeholders.
Authentication and telemetry helpersapiKeyHelper, proxyAuthHelper, otelHeadersHelperLets settings point to helper scripts for credentials/proxy auth and telemetry headers.
Plugin/MCP configmcpServers, plugin marketplaces, output styles, hooksIntegrations can be contributed through settings and plugins.
IDE/Chrome/file resources--ide, --chrome, --fileAdds editor/browser/file startup integration surfaces.

Security interpretation

The settings schema exposes both capability-enabling and capability-disabling controls. This matters because the runtime accepts rich extension points—hooks, plugins, MCP, custom slash commands, status lines, helper scripts—but also exposes managed-policy switches that can disable or constrain those extension points.

Helper-script trust origin

Helper scripts are sensitive because they execute local commands to obtain credentials or headers. The decoded auth/settings chunk shows otelHeadersHelper is considered project/local-owned only when the merged helper command exactly matches the value from projectSettings or localSettings. In that case getOtelHeadersFromHelper returns an empty header object until the workspace trust dialog has been accepted, instead of executing the helper early.

This mirrors the broader trust-boundary pattern: helper script settings can extend runtime behavior, but project/local helper execution is gated by workspace trust.

Created and maintained by Yingting Huang.