CLAIM 13 / Claude Code
"Managed settings: cannot be overridden by any other level, including command line arguments"
partial
Observed
True as currently shipped per release review, but the guarantee has failed twice: before v2.1.74, a user-level allow rule or a committed skill's allowed-tools frontmatter silently won over enterprise managed ask policies — a privilege escalation path in managed deployments — and v2.1.80 fixed managed settings (enabledPlugins, permissions.defaultMode, policy-set env vars) not being applied at startup when remote-settings.json was cached from a prior session. Both fixes are release-reviewed; TD has not re-executed the managed-policy precedence matrix.
- UPDATE 2026-06-28: a new active regression — an HTTP 304 response zeroes out the local managed-settings.json, silently dropping all deny/allow rules (#70181, open 2026-06-23).