Managed settings (organization policy)

Managed settings allow IT administrators to enforce Cortex Code CLI behavior across an organization. Settings are deployed to a system-owned file that users can’t modify. These settings take precedence over all user-level configuration.

When managed settings are present, the CLI displays a banner at startup indicating that it’s running in managed mode.

How managed settings work

Managed settings are read from a JSON file placed in a platform-specific system directory, a location that requires administrator or root privileges to write to. Because users can’t modify files in these locations, managed settings can’t be overridden by user configuration files, environment variables, or command-line arguments (except where explicitly noted).

Administrators typically deploy the managed settings file using MDM tools (Jamf, Intune, SCCM), configuration management systems (Ansible, Chef, Puppet), or manual deployment during device provisioning.

File locations

Place the managed-settings.json file in the following system directory for your operating system:

PlatformPath
macOS/Library/Application Support/Cortex/managed-settings.json
Linux and WSL/etc/cortex/managed-settings.json
Windows%ProgramData%\Cortex\managed-settings.json

If the file doesn’t exist, the CLI runs in unmanaged mode and all user-level defaults apply.

Note

If the file exists but contains invalid JSON or fails schema validation, the CLI applies a restrictive fallback configuration and displays a banner reading “Enforcement config error - restricted mode”. This prevents a malformed policy file from silently granting unrestricted access.

Configuration schema

The managed-settings.json file must contain a version field. All top-level sections are optional.

{
  "version": "1.0",
  "permissions": { },
  "settings":    { },
  "required":    { },
  "defaults":    { },
  "files":       { },
  "ui":          { }
}

The version field must be "1.0".

permissions

Controls which tools, skills, MCP servers, and Snowflake accounts the CLI may use. For the full pattern syntax, see Permission patterns.

{
  "permissions": {
    "onlyAllow": ["read", "write", "bash(git:*)", "skill(bundled:*)"],
    "deny": ["bash(rm:*)", "skill(remote:*)"],
    "defaultMode": "allow",
    "dangerouslyAllowAll": false
  }
}
FieldTypeDefaultDescription
onlyAllowstring[]Allowlist of permission patterns. If set, only matching items are permitted. Items not matched by any pattern are blocked unless defaultMode is "allow".
denystring[]Denylist of permission patterns. Deny takes precedence over allow. A match here always blocks, regardless of onlyAllow.
defaultMode"allow" or "deny""allow"Behavior when no pattern matches. Use "deny" for a strict allowlist posture.
dangerouslyAllowAllbooleanfalseControls whether users can use the --dangerously-allow-all-tool-calls flag. In managed mode, defaults to false. Set to true only in explicitly trusted environments.

settings

Forces specific runtime behaviors that can’t be overridden by users.

{
  "settings": {
    "forceNoHistoryMode": true,
    "forceSandboxEnabled": true,
    "forceSandboxMode": "regular"
  }
}
FieldTypeDefaultDescription
forceNoHistoryModebooleanfalseWhen true, disables all conversation history persistence. Session files aren’t written to disk. Use in high-security or compliance environments where chat history must not be stored.
forceSandboxEnabledbooleanfalseWhen true, forces the sandbox to be enabled regardless of user settings. The sandbox restricts filesystem access during tool execution.
forceSandboxMode"regular" or "autoAllow"Forces a specific sandbox mode. "regular" prompts the user before allowing new filesystem paths. "autoAllow" silently permits all paths within the sandbox boundary. Only takes effect when the sandbox is enabled.

The sandbox limits which directories the CLI can read and write during a session. It adds a confirmation step before tools access paths outside the pre-approved set. "regular" mode requires user confirmation for each new directory; "autoAllow" mode trusts all directories within the working tree without prompting. Sandbox is an experimental feature. For details, see Sandbox.

required

Enforces a minimum CLI version. The CLI exits with an error if the installed version doesn’t meet the requirement.

{
  "required": {
    "minimumVersion": "0.26.0"
  }
}
FieldTypeDescription
minimumVersionstringMinimum CLI version in semver format (for example, "0.26.0"). Users on older versions see an error and are prompted to update before they can continue.

Use this field to ensure all users are on a version that supports any security fix or feature your policy depends on.

defaults

Sets organization-recommended defaults that users can override in their own settings.json. Unlike the settings section, these are suggestions, not enforcement.

{
  "defaults": {
    "connectionName": "prod",
    "profileName": "data-analyst",
    "theme": "dark"
  }
}
FieldTypeDescription
connectionNamestringDefault Snowflake connection name from connections.toml. Users can override this with -c or by changing their own settings.
profileNamestringDefault profile to load at startup.
theme"dark", "light", or "pro"Default UI color theme.

files

Points the CLI to admin-provided configuration files. These are loaded in addition to, or instead of, the user’s own equivalents.

{
  "files": {
    "connectionsFile": "/etc/cortex/connections.toml",
    "mcpFile": "/etc/cortex/mcp.json"
  }
}
FieldTypeDescription
connectionsFilestringAbsolute path to an admin-provided connections.toml. Use this to pre-configure Snowflake connections for all users without requiring individual setup.
mcpFilestringAbsolute path to an admin-provided mcp.json. Use this to deploy organization-approved MCP servers to all users.

ui

Customizes UI elements to indicate managed state.

{
  "ui": {
    "showManagedBanner": true,
    "bannerText": "Managed by Acme IT - support: helpdesk@acme.com",
    "hideDangerousOptions": true
  }
}
FieldTypeDefaultDescription
showManagedBannerbooleanfalseWhen true, displays a banner in the welcome screen indicating this is a managed installation. Helps users understand why certain features may be restricted.
bannerTextstring"This device is managed by your organization"Custom text for the managed banner. Use this to include a support contact or policy reference.
hideDangerousOptionsbooleanfalseWhen true, suppresses dangerous options from help output and UI menus.

Permission patterns

The onlyAllow and deny arrays in the permissions section accept patterns in two forms:

  • Simple name: matches a named tool or feature category exactly. For example, "bash" or "read".
  • Filtered name: type(filter). This matches a specific tool invocation or resource within a category. For example, "bash(git:*)" or "account(myorg-prod)".

Both forms support * (any characters) and ? (single character) glob wildcards. Matching is case-insensitive.

Pattern reference

PatternWhat it controls
"read"The read (file reading) tool
"write"The write (file writing) tool
"edit"The edit (file editing) tool
"bash"All bash shell invocations
"bash(git:*)"Bash restricted to git commands
"bash(dbt:*)"Bash restricted to dbt commands
"bash(ls:*)"Bash restricted to ls commands
"bash(rm:*)"Bash rm commands (commonly denied)
"snowflake_sql_execute"SQL execution against Snowflake
"mcp(*)"All MCP servers
"mcp(https://*.company.com/*)"MCP servers matching a URL glob
"skill(bundled:*)"Built-in (bundled) skills
"skill(profile:*)"Skills from any loaded profile
"skill(profile:my-profile)"Skills from a specific named profile
"skill(user:*)"Skills installed to the user’s home directory
"skill(project:*)"Skills in the project’s .cortex/skills/ directory
"skill(remote:*)"Remotely installed skills (via git or tarball)
"plugin(*)"All plugins
"plugin(bundled:*)"Built-in plugins only
"account(myorg)"Exact Snowflake account name
"account(myorg-*)"Snowflake accounts matching a glob

bash(command:*) filtering

When using bash filtering patterns, the filter matches the first token of the shell command. For example, "bash(git:*)" permits git status, git commit, and any other git subcommand, but blocks curl, python, and any other command.

Note

If "bash" (without a filter) appears in onlyAllow, then any bash command is permitted for that rule. If "bash(git:*)" appears but plain "bash" doesn’t, then only git commands are allowed and all other bash commands are blocked.

Permission evaluation

When the CLI decides whether a tool, skill, MCP server, or Snowflake account is permitted, it evaluates the following rules in order:

  1. Managed deny matches: block. If any pattern in the managed settings deny array matches, access is denied. This can’t be overridden by profiles or user settings.
  2. Profile deny matches: block. If any pattern in the active profile’s deny list matches, access is denied.
  3. Managed onlyAllow is set and no pattern matches: block. If onlyAllow is configured in managed settings and the item doesn’t match any listed pattern, access is denied.
  4. Profile onlyAllow is set for this type and no pattern matches: block. Profile onlyAllow is type-scoped: it only restricts types that are explicitly listed. If the profile lists skill(bundled:*) but says nothing about bash, bash access isn’t affected by the profile.
  5. defaultMode determines the outcome. If defaultMode is "deny", access is blocked. If "allow" (the default), access is permitted.

Key guarantees:

  • A profile can’t grant access that managed settings have explicitly denied.
  • A profile can’t expand the managed settings allowlist.
  • Profiles can only further restrict: they operate within the boundary that managed settings define.

Common policy examples

Basic corporate setup

Allow all default tools but block bypass mode and display a managed banner.

{
  "version": "1.0",
  "permissions": {
    "dangerouslyAllowAll": false,
    "defaultMode": "allow"
  },
  "required": {
    "minimumVersion": "0.26.0"
  },
  "ui": {
    "showManagedBanner": true,
    "bannerText": "Managed by Corporate IT - helpdesk@example.com"
  }
}

Restrict to approved Snowflake accounts

Only allow connections to specific accounts. Users who try to connect to any other account see an error.

{
  "version": "1.0",
  "permissions": {
    "onlyAllow": [
      "account(mycompany-prod)",
      "account(mycompany-staging)"
    ],
    "defaultMode": "allow"
  }
}

Lock down to approved tools only

Only allow file reading, SQL execution, and bundled skills. Block all bash, MCP, and user-installed skills.

{
  "version": "1.0",
  "permissions": {
    "onlyAllow": [
      "read",
      "write",
      "edit",
      "snowflake_sql_execute",
      "skill(bundled:*)",
      "skill(profile:*)"
    ],
    "defaultMode": "deny"
  }
}

Allow bash but block dangerous commands

Permit bash access but explicitly deny rm, curl, and wget.

{
  "version": "1.0",
  "permissions": {
    "deny": [
      "bash(rm:*)",
      "bash(curl:*)",
      "bash(wget:*)"
    ],
    "dangerouslyAllowAll": false,
    "defaultMode": "allow"
  }
}

High-security deployment

Force no history, force sandbox, block bypass mode, restrict to specific accounts and MCP servers, and block remote skill installation.

{
  "version": "1.0",
  "permissions": {
    "onlyAllow": [
      "read", "write", "edit", "bash", "snowflake_sql_execute",
      "skill(bundled:*)", "skill(profile:*)",
      "mcp(https://*.mycompany.com/*)",
      "account(mycompany-*)"
    ],
    "deny": [
      "bash(rm:*)",
      "bash(curl:*)",
      "skill(remote:*)"
    ],
    "defaultMode": "allow",
    "dangerouslyAllowAll": false
  },
  "settings": {
    "forceNoHistoryMode": true,
    "forceSandboxEnabled": true,
    "forceSandboxMode": "regular"
  },
  "required": {
    "minimumVersion": "0.26.0"
  },
  "files": {
    "connectionsFile": "/etc/cortex/connections.toml",
    "mcpFile": "/etc/cortex/mcp.json"
  },
  "ui": {
    "showManagedBanner": true,
    "bannerText": "Managed by IT Security - policy questions: security@mycompany.com",
    "hideDangerousOptions": true
  }
}

Verification

To confirm that managed settings are active and review what restrictions are applied, inspect the welcome banner on startup. When managed settings are present and showManagedBanner is true, a banner is shown at the top of the session output.

To check the enforcement config path for your platform, verify whether the file exists at the OS-specific path listed in File locations.