[DOCS] Managed marketplace restrictions docs omit blockedMarketplaces pattern entries

Open 💬 4 comments Opened Apr 24, 2026 by coygeek

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/plugin-marketplaces

Section/Topic

"Managed marketplace restrictions" and the blockedMarketplaces managed setting

Current Documentation

The docs currently say:

For organizations requiring strict control over plugin sources, administrators can restrict which plugin marketplaces users are allowed to add using the strictKnownMarketplaces setting in managed settings. For hostPattern sources: the marketplace host is matched against the regex pattern For pathPattern sources: the marketplace's filesystem path is matched against the regex pattern

And the settings reference currently says:

blockedMarketplaces | (Managed settings only) Blocklist of marketplace sources. Blocked sources are checked before downloading, so they never touch the filesystem. See Managed marketplace restrictions | [{ "source": "github", "repo": "untrusted/plugins" }]

What's Wrong or Missing?

Changelog v2.1.119 includes: Security: blockedMarketplaces now correctly enforces hostPattern and pathPattern entries.

Current docs explain hostPattern and pathPattern matching only for strictKnownMarketplaces, but they do not document that blockedMarketplaces also accepts those entry types or how those matches are evaluated.

As written, the docs make blockedMarketplaces look like a simple exact-match blocklist with source objects such as { "source": "github", "repo": "untrusted/plugins" }. That leaves administrators without documentation for host-wide or filesystem-path-based marketplace blocking, even though v2.1.119 confirms those entries are intended and security-relevant.

Suggested Improvement

Add blockedMarketplaces documentation alongside the existing managed marketplace restrictions coverage.

At minimum, document:

  • that blockedMarketplaces supports hostPattern and pathPattern entries
  • the matching behavior for those regex-based entries
  • one example that blocks marketplaces from a specific host
  • one example that blocks filesystem-based marketplaces from a path prefix

Also add a short cross-reference from the blockedMarketplaces row in the settings and permissions references so admins can find the full schema quickly.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/plugin-marketplaces | Managed marketplace restrictions currently documents strictKnownMarketplaces pattern matching, but not the equivalent blockedMarketplaces behavior |
| https://code.claude.com/docs/en/settings | Settings reference lists blockedMarketplaces with only a GitHub example and no pattern-entry guidance |
| https://code.claude.com/docs/en/permissions | Managed-only settings table lists blockedMarketplaces but provides no schema or matching details |

Total scope: 3 pages affected

Source: Changelog v2.1.119

Changelog entry: Security: blockedMarketplaces now correctly enforces hostPattern and pathPattern entries

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗