Shrutam CCA-F Crash › Domain 3 › d3-l03-settings-permissions English Hinglish →

settings.json — Permissions, Hooks, MCP Servers

Domain 3 · 20% ~12 min English narration

Scenario anchor

Aap Aaranya IT BFSI ke ek 800-developer org mein lead architect hain. Ek junior dev ne accidentally production database ka connection string Claude Code ke through expose kar diya — kyunki kisi ne bhi enterprise-level permissions configure nahi ki thi settings.json mein. Aaj hum dekhenge ki settings.json ka config-cascade exactly kaise kaam karta hai — user-level se project-level tak — aur MCP servers ke trust boundaries kaise enforce karte hain taki aisa incident dobara na ho.

Key Takeaways

settings.json enforces a three-tier config cascade — enterprise → user → project — where higher tiers can lock directives that lower tiers cannot override, analogous to policy inheritance in a service mesh control plane.
Hooks are lifecycle-interception points (pre-tool, post-tool, pre-compact) declared in settings.json; they let teams inject audit logging, secret-scanning, or approval gates without modifying Claude's core behaviour.
Each MCP server entry in settings.json carries its own explicit permission grant; there is no implicit privilege inheritance from the invoking user — treat each server as a distinct OAuth client with its own scope declaration.
Memory anchor: settings.json is your config-cascade — enterprise locks at the top, MCP servers get scoped grants, hooks intercept the pipeline — same mental model as a service mesh with per-route policy and sidecar interception.

← Previous lesson Same lesson in Hinglish Next lesson → Back to overview