Claude Code Enterprise Environment

1. Executive Summary

Claude Code is Anthropic's AI-powered coding assistant that runs inside VS Code (and the terminal). It can read files, write code, execute shell commands, and interact with external services through a protocol called MCP (Model Context Protocol). We are already using it to build the SGA platform and have proven its value across architecture, code generation, data analysis, and reporting.

This document evaluates how to deploy Claude Code across a team in a secure, governed enterprise environment. The core question: do we run on local machines, move to hosted remote servers, or use a hybrid approach?

Recommendation: Start with hardened local machines using Anthropic's Enterprise plan with SSO, managed settings, and dev containers. The local-first approach gives us the best balance of security, cost, performance, and developer experience. Remote servers add cost and complexity without proportional security benefit for our use case — the AI API calls go to Anthropic's cloud regardless of where the client runs.

For Power BI integration, we should continue the current bridge API pattern but move it behind our VPN with proper authentication — this is safer than giving Claude Code direct access to the Power BI service.

2. What Is Claude Code

Claude Code is not a simple autocomplete tool like GitHub Copilot. It is an agentic coding environment — meaning it can autonomously execute multi-step tasks: read files, write code, run shell commands, search the web, and interact with external APIs. It operates inside VS Code through an official extension or directly in the terminal.

Key Capabilities

File I/O: Read, create, and edit any file in the project directory
Shell execution: Run bash commands (build, test, deploy, git)
Web access: Fetch URLs, search the web for documentation
MCP integrations: Connect to external services (databases, APIs, vaults) through standardized protocol servers
Agent orchestration: Spawn sub-agents to parallelize complex tasks
Persistent memory: Learns project conventions, user preferences, and decisions across sessions

How It Works Architecturally

Developer's Machine (VS Code) Anthropic Cloud ┌─────────────────────────────┐ ┌──────────────────┐ │ VS Code + Claude Extension │ │ │ │ ┌───────────────────────┐ │ HTTPS/TLS │ Claude API │ │ │ Claude Code Runtime │──│───────────────►│ (Opus/Sonnet) │ │ │ - File tools │ │ │ │ │ │ - Bash executor │ │ Conversation │ No data │ │ │ - MCP client │ │ context sent │ retention on │ │ │ - Permission engine │ │ to API │ Enterprise plan │ │ └───────────────────────┘ │ └──────────────────┘ │ │ │ Local Files / Git Repo │ │ .claude/ (settings, hooks) │ │ MCP servers (local procs) │ └─────────────────────────────┘

Key insight: Regardless of whether Claude Code runs on a local machine or a remote server, the conversation context (including code snippets being analyzed) is sent to Anthropic's API over HTTPS. The Enterprise plan guarantees this data is not used for model training and can be configured for zero data retention.

3. Architecture Options

There are four viable architectures for running Claude Code in an enterprise. Each has trade-offs around security, cost, complexity, and developer experience.

Option A: Hardened Local Machines Recommended

Each developer runs Claude Code on their own laptop/desktop with VS Code. Security is enforced through Anthropic's managed settings, OS-level sandboxing, dev containers, and organizational policies.

Dimension	Assessment
Security	Strong — managed settings lock down permissions, sandbox isolates file/network access, dev containers add OS-level isolation. Code stays on developer machine.
Cost	Low — no additional infrastructure. Only Anthropic Enterprise subscription + API usage.
Complexity	Low — standard laptop deployment with MDM-pushed settings.
Availability	Tied to machine uptime. No 24/7 unattended runs.
Developer Experience	Best — native VS Code, no latency, local file access, familiar workflow.
Power BI	Bridge API accessed over VPN from local machine. Same pattern as today.

Option B: Remote Dev Servers (VS Code Remote SSH) Viable

Each developer gets a dedicated cloud VM (AWS EC2, Azure Dev Box, or similar). They connect via VS Code Remote SSH. Claude Code runs on the remote server, files stay on the server.

Dimension	Assessment
Security	Server-side controls, VPC isolation, no code on laptops. But API calls still go to Anthropic cloud.
Cost	Medium-High — $50-200/user/month for always-on VMs, plus storage, networking, management overhead.
Complexity	High — VM provisioning, patching, user management, SSH key rotation, storage management.
Availability	24/7 — servers run continuously. Can run unattended jobs overnight.
Developer Experience	Good — slight latency on file operations. SSH disconnects can lose context.
Power BI	Bridge API on same VPC — lower latency, no VPN needed for data access.

Option C: Dev Containers (Cloud or Local) Viable

Each developer runs Claude Code inside a Docker dev container — either locally or on a cloud host like GitHub Codespaces. The container provides OS-level isolation with a firewall that restricts network access to whitelisted domains only.

Dimension	Assessment
Security	Strongest isolation — filesystem sandboxed, network firewall default-deny, reproducible environments.
Cost	Low (local) to Medium (Codespaces at ~$0.18/hr per user).
Complexity	Medium — Docker required, container config maintained, rebuild on changes.
Availability	On-demand. Codespaces can be always-on but bills hourly.
Developer Experience	Good — some container rebuild friction, but consistent environments.
Power BI	Bridge API whitelisted in container firewall. Works with both local and cloud containers.

Option D: Hybrid (Local + Scheduled Remote) Future

Developers work locally during the day. A shared remote server runs scheduled Claude Code tasks overnight (automated code reviews, report generation, monitoring). Anthropic's "Remote Control" and "Dispatch" features (released Feb 2026) enable this.

Dimension	Assessment
Security	Best of both — local for interactive work, locked-down server for automation.
Cost	Low-Medium — one shared automation server, not per-user VMs.
Complexity	Medium — two environments to maintain, task scheduling infrastructure.
Availability	24/7 for automated tasks, business hours for interactive.
Developer Experience	Best — local dev experience plus automated overnight processing.
Power BI	Automation server can pull Power BI data on schedule for morning reports.

4. Recommended Architecture

Start with Option A (Hardened Local) and evolve to Option D (Hybrid) as the team grows.

Why Not Remote Servers?

The instinct to centralize on remote servers comes from traditional security thinking: "keep the code off laptops." But with Claude Code, this reasoning has a flaw:

The API calls go to Anthropic regardless. Whether Claude Code runs on a laptop or a server, the conversation context (including code being analyzed) is sent to Anthropic's cloud over HTTPS. Moving to a remote server does not eliminate this data flow — it just adds infrastructure cost.
Anthropic's Enterprise plan already provides zero-data-retention. Your code is not stored or used for training. The data protection is contractual, not architectural.
Local sandboxing is strong. Anthropic's OS-level sandbox (Seatbelt on macOS, bubblewrap on Linux) restricts file and network access at the kernel level. Managed settings prevent users from disabling these protections.
Remote servers add attack surface. SSH keys, VM patching, network configuration, shared storage — each is a potential vulnerability that local machines don't have.

When Remote Makes Sense (Future)

Unattended automation: Nightly code reviews, scheduled report generation, CI/CD integration
Contractor access: Give contractors a locked-down cloud environment instead of VPN access
Compliance requirements: If a future audit requires all code access from managed infrastructure
Team scale: Above ~20 Claude Code users, centralized management becomes more efficient

Architecture Diagram — Recommended Setup

SGA Network (VPN) ┌────────────────────────────────────────────────┐ │ │ │ Developer Machines (Local) │ │ ┌──────────────────────┐ │ │ │ VS Code + Claude Code│ │ │ │ ┌──────────────────┐ │ │ │ │ │ Managed Settings │ │ ┌───────────────┐ │ │ │ │ (pushed via MDM) │ │ │ Power BI │ │ │ │ ├──────────────────┤ │ │ Bridge API │ │ │ │ │ OS Sandbox │ │──►│ (VPN-only) │ │ │ │ │ (bubblewrap) │ │ │ │ │ │ │ ├──────────────────┤ │ │ ┌───────────┐ │ │ │ │ │ Dev Container │ │ │ │ Power BI │ │ │ │ │ │ (optional) │ │ │ │ Service │ │ │ │ │ └──────────────────┘ │ │ └───────────┘ │ │ │ └──────────┬───────────┘ └───────────────┘ │ │ │ │ └─────────────│───────────────────────────────────┘ │ HTTPS/TLS 1.3 │ (conversation context) ▼ ┌─────────────────────────┐ ┌──────────────┐ │ Anthropic Cloud │ │ Entra ID │ │ ┌───────────────────┐ │ │ (SSO/SAML) │ │ │ Claude API │ │ └──────────────┘ │ │ - Enterprise plan │ │ │ │ - Zero retention │ │ ┌──────────────┐ │ │ - No training │ │ │ Audit Logs │ │ │ - SOC 2 / ISO │ │ │ → SIEM │ │ └───────────────────┘ │ └──────────────┘ └─────────────────────────┘

5. Security Hardening

Anthropic provides a layered security model that can be locked down for enterprise use. Here is the hardening plan, ordered from most critical to least.

5.1 Managed Settings (Non-Overridable)

These settings are pushed via MDM (Intune for Windows, Jamf for macOS) to ~/.claude/managed-settings.json. Users and project-level configs cannot override them.

{
  "permissions": {
    "deny": [
      "Bash(rm -rf *)",
      "Bash(curl * | bash)",
      "Bash(wget * | bash)",
      "Bash(git push --force *)",
      "Read(~/.ssh/*)",
      "Read(~/.aws/*)"
    ],
    "ask": [
      "Bash(git push *)",
      "Bash(npm publish *)",
      "Edit(*.env*)"
    ],
    "allow": [
      "Bash(npm run *)",
      "Bash(npm test *)",
      "Bash(git status)",
      "Bash(git diff *)",
      "Bash(git log *)",
      "Read(*)",
      "Glob(*)",
      "Grep(*)"
    ]
  },
  "allowManagedPermissionRulesOnly": true,
  "allowManagedMcpServersOnly": true,
  "permissions.disableBypassPermissionsMode": true,
  "sandbox.network.allowManagedDomainsOnly": true,
  "forceRemoteSettingsRefresh": true
}

Key flags explained:

allowManagedPermissionRulesOnly — users cannot add their own permission rules. Only IT-approved rules apply.
allowManagedMcpServersOnly — users cannot connect unauthorized MCP servers (prevents data exfiltration).
disableBypassPermissionsMode — blocks the --dangerously-skip-permissions flag enterprise-wide.
forceRemoteSettingsRefresh — Claude Code won't start if it can't fetch the latest managed settings (fail-closed).

5.2 OS-Level Sandboxing

Platform	Sandbox Tech	What It Restricts
macOS	Seatbelt (built-in)	File access, network, process spawning at kernel level
Linux / WSL2	bubblewrap	Filesystem mount isolation, network namespace, PID namespace
Windows (native)	Planned	Not yet available — use WSL2 or dev containers for now

For SGA on Windows: Our developers run Windows 11. Native Windows sandboxing is not yet available in Claude Code. We should use WSL2 with bubblewrap or dev containers to get OS-level isolation. Both work with VS Code seamlessly.

5.3 Network Restrictions

The sandbox proxy controls outbound network access. In managed mode, only whitelisted domains are reachable:

api.anthropic.com — Claude API (required)
registry.npmjs.org — npm packages
github.com, api.github.com — source control
142.93.182.236:3050 — Power BI bridge API (internal, VPN-only)
Block everything else by default

5.4 Pre-Tool-Use Hooks

Hooks run before every tool invocation and can block, allow, or require approval. They are shell scripts that execute locally:

# .claude/hooks/pre-tool-use.sh
# Block any command that touches production databases
if [[ "$CLAUDE_TOOL" == "Bash" ]]; then
  if echo "$CLAUDE_TOOL_INPUT" | grep -qiE "(DROP|DELETE|TRUNCATE|ALTER).*production"; then
    echo "BLOCKED: Production database operations require manual execution"
    exit 2  # deny
  fi
fi
exit 0  # allow

5.5 Dev Container Isolation (Optional Layer)

For maximum isolation, developers can run Claude Code inside Anthropic's reference dev container. This adds:

Docker-level filesystem isolation (code cannot escape the container)
iptables firewall with default-deny outbound policy
Reproducible environments (no "works on my machine" issues)
Pre-configured Node.js 20, npm, git, and dev tools

6. Power BI Integration

SGA has 96% Power BI adoption. Our current integration uses a bridge API — a lightweight Node.js service that accepts DAX queries and returns results from the Power BI service. This is the right pattern; here's how to harden it for enterprise.

Current Architecture

Developer Machine VPS (Bridge) Microsoft ┌─────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ Claude Code │ HTTP POST │ Bridge API │ │ Power BI │ │ (via MCP or │───────────────►│ :3050 │────►│ Service │ │ Bash script) │ DAX query │ │ │ │ │ │◄───────────────│ - Auth token │◄────│ REST API │ │ │ JSON result │ - Rate limiting │ │ │ └─────────────────┘ └──────────────────┘ └─────────────┘

Hardening Recommendations

Area	Current	Recommended
Network access	Public VPS, any IP	Move behind VPN or VPC; restrict to SGA IP ranges only
Authentication	Static Bearer token	Rotate tokens monthly; tie to Entra ID service principal
Query scope	Any DAX query	Allowlist of named queries only (no raw DAX from Claude Code)
Rate limiting	None	Max 30 queries/minute per user; daily budget caps
Data filtering	Full dataset	Row-level security (RLS) — users see only their practices
Audit logging	Minimal	Log every query with user ID, timestamp, query text, result size
TLS	HTTP	HTTPS with valid certificate (Let's Encrypt)

Why not give Claude Code direct Power BI access? The bridge API pattern is intentionally indirect. Claude Code should never hold Power BI credentials directly because: (1) API keys in environment variables are accessible to any bash command Claude runs, (2) a prompt injection attack could exfiltrate credentials, and (3) the bridge gives us a single point to audit, rate-limit, and filter queries.

Recommended: Named Query Pattern

Instead of allowing Claude Code to compose arbitrary DAX, the bridge should expose named queries — pre-approved business questions mapped to parameterized DAX:

// Instead of raw DAX:
POST /query { "dax": "EVALUATE SUMMARIZE(..." }  // DANGEROUS

// Use named queries:
POST /query/morning-brief { "practice_id": "P123" }  // SAFE
POST /query/production-ytd { "region": "Southeast" }  // SAFE
POST /query/underperformers { "threshold": 0.85 }     // SAFE

This eliminates the risk of Claude Code composing a DAX query that returns sensitive data outside the user's scope. We already have this pattern started in the powerbi-queries skill.

7. Data Flow & Privacy

What Data Goes Where

Data Type	Where It Lives	Sent to Anthropic?	Risk Level
Source code files	Developer machine / Git repo	Yes, when analyzed in conversation	Medium — mitigated by Enterprise ZDR
Conversation history	Local `.claude/` directory	Yes, sent as context with each request	Medium — mitigated by Enterprise ZDR
Git credentials	OS credential store	No	Low
Power BI query results	Bridge API response → local	Yes, if included in conversation	Medium — use named queries to limit scope
.env files / API keys	Developer machine	Only if Claude reads them	High — deny Read access to .env files
PHI / Patient data	NOT in this system (Phase B)	Must never be sent	Critical — blocked at multiple layers
MCP tool inputs/outputs	Local process	Yes, included in conversation context	Medium — audit MCP server capabilities

PHI Boundary: Claude Code must never process patient health information until Phase B BAAs are executed. This is enforced by: (1) no PHI in the codebase, (2) Power BI bridge returns only aggregate/practice-level data, (3) MCP servers do not connect to clinical systems, (4) managed settings deny access to clinical database connection strings.

Anthropic's Enterprise Data Commitments

No model training: Enterprise inputs/outputs are never used to train Claude models (contractual guarantee)
Zero Data Retention (ZDR): Configurable — no inputs/outputs stored after response is delivered
SOC 2 Type II + ISO 27001: Independently audited security controls
ISO/IEC 42001:2023: AI-specific governance standard
Encryption: TLS 1.3 in transit, AES-256 at rest (if retained), BYOK coming H1 2026

8. Identity & Governance

SSO Integration

Anthropic Enterprise supports SAML 2.0 and OIDC. SGA should integrate with Microsoft Entra ID (our existing identity provider) for:

Single sign-on — developers authenticate with their SGA credentials
SCIM provisioning — auto-create/deactivate accounts based on Entra ID group membership
Conditional access — enforce MFA, block untrusted devices, geo-restrict
Domain verification — prove ownership of sgadental.com via DNS TXT record

Role-Based Access

Role	Claude Code Access	Power BI Access	MCP Servers
Developer	Full (with managed settings)	Named queries — own region	Approved list only
Analyst	Read-only mode (plan permission)	Named queries — full network	Power BI MCP only
Manager	No direct access	Power BI dashboards (native)	N/A
IT Admin	Full + managed settings control	Full query access	All servers + approval authority

Audit Logging

Anthropic Enterprise provides 180-day audit logs covering:

Authentication events (who logged in, when, from where)
API usage (tokens consumed, model used, session duration)
Permission denials (what was blocked and why)
Export: JSON/CSV download or SIEM push (Splunk, Datadog, Elastic)

Additionally, our own PreToolUse hooks can log every tool invocation locally for compliance review.

9. MCP Server Security

MCP (Model Context Protocol) servers extend Claude Code with external capabilities. They are powerful but represent a significant attack surface because they are executable code that Claude Code can invoke.

Current MCP Servers in Use

Server	Purpose	Risk	Hardening
obsidian-mcp	Read/write to Obsidian vault	Medium — writes to knowledge base	Restrict to personal vault paths only
discord	Send/receive Discord messages	Medium — external communication	Channel allowlist, access pairing
Power BI (future)	Query Power BI via bridge	Medium — financial data access	Named queries only, RLS enforcement

Enterprise MCP Policy

Allowlist only: Set allowManagedMcpServersOnly: true — users cannot add their own MCP servers
Code review: Every new MCP server must be reviewed by IT before being added to the allowlist
Source control: Only MCP servers from our GitHub org or trusted vendors (Anthropic, verified npm packages)
Network isolation: MCP servers that access external APIs must go through the VPN
No credential exposure: MCP servers should use service principals / environment variables, never hardcoded secrets

Prompt injection risk: MCP tools can return content that tries to manipulate Claude Code into performing unintended actions. Managed settings with strict permission deny rules are the primary defense — even if Claude is tricked, it cannot execute blocked operations.

10. Cost Model

Anthropic Enterprise Pricing

Component	Detail	Per User/Month	5-User Annual
Enterprise seat (self-serve)	SSO, audit logs, SCIM, ZDR	$20	$1,200
API usage (estimated)	~2M tokens/day per active developer	$50-150	$3,000-9,000
Subtotal: Anthropic		$70-170	$4,200-10,200

Infrastructure Costs by Architecture

Architecture	Detail	Per User/Month	5-User Annual
A: Local (recommended)	No additional infra	$0	$0
B: Remote VMs	EC2 t3.xlarge or Azure Dev Box	$100-200	$6,000-12,000
C: Dev containers (Codespaces)	~40hrs/week × $0.18/hr	$30-60	$1,800-3,600
D: Hybrid (future)	1 shared automation server	$20 (shared)	$1,200 (shared)

Total Annual Cost Comparison (5 Users)

Architecture	Low Estimate	High Estimate
A: Local (recommended)	$4,200	$10,200
B: Remote VMs	$10,200	$22,200
C: Dev containers	$6,000	$13,800
D: Hybrid	$5,400	$11,400

Note: The dominant cost is API usage (tokens), not infrastructure. Moving to remote servers roughly doubles infrastructure costs without reducing API costs. The ROI case for Claude Code rests on developer productivity gains, not infrastructure savings.

11. Rollout Plan

Phase 1

Weeks 1-2

Phase 2

Weeks 3-4

Phase 3

Weeks 5-8

Phase 4

Ongoing

Phase 1: Foundation (Weeks 1-2)

Purchase Anthropic Enterprise plan (self-serve, 5 seats)
Configure SSO with Microsoft Entra ID (SAML 2.0)
Verify sgadental.com domain
Draft and deploy managed settings via Intune
Set up audit log export to existing SIEM

Phase 2: Hardening (Weeks 3-4)

Install WSL2 + bubblewrap on all developer machines (for sandbox)
Configure MCP server allowlist (obsidian-mcp, discord only initially)
Move Power BI bridge behind VPN with HTTPS + token rotation
Implement named query pattern for Power BI (block raw DAX)
Deploy PreToolUse hooks for compliance logging
Create CLAUDE.md governance file for org-wide standards

Phase 3: Team Onboarding (Weeks 5-8)

Onboard 3-5 developers with guided setup
Provide dev container configs for isolated project work
Run security awareness session (prompt injection risks, data handling)
Monitor audit logs for anomalies — tune permission rules based on actual usage
Document approved workflows and escalation procedures

Phase 4: Scale & Automate (Ongoing)

Add automation server for scheduled tasks (morning briefs, nightly code reviews)
Expand MCP server allowlist as new integrations are vetted
Evaluate moving to sales-assisted Enterprise plan as seats exceed 50
Quarterly security review of managed settings, hooks, and MCP servers
Assess BYOK encryption when available (H1 2026)

12. Risk Matrix

Risk	Likelihood	Impact	Mitigation
Code sent to Anthropic API is intercepted	Very Low	High	TLS 1.3, SOC 2 / ISO 27001 certified, Enterprise ZDR
Developer bypasses sandbox / permissions	Low	Medium	Managed settings (non-overridable), `disableBypassPermissionsMode`
Prompt injection via MCP server	Medium	Medium	MCP allowlist, permission deny rules block dangerous actions even if Claude is tricked
PHI accidentally enters conversation context	Low	Critical	No PHI in codebase (Phase A), Power BI returns aggregates only, deny rules on clinical DB paths
API cost overrun	Medium	Low	Budget caps per user (`--max-budget-usd`), usage monitoring in admin console
Credential leakage through Claude conversation	Low	High	Deny Read on .env / .ssh / .aws, use OS credential stores, rotate tokens
VS Code extension permission bug	Medium	Low	Known issue (#29159) — use managed settings + hooks as defense-in-depth
Unauthorized MCP server installed by developer	Low	High	`allowManagedMcpServersOnly: true` — blocks all non-approved servers

Appendix: Decision Summary for Ron

Decision	Recommendation	Rationale
Local vs. Remote	Local first	API calls go to Anthropic cloud regardless; remote servers add cost without proportional security gain
Anthropic plan	Enterprise (self-serve)	SSO, audit logs, ZDR, SCIM — everything needed for governance at $20/seat/month
Identity provider	Microsoft Entra ID (SAML)	Already our IdP; adds MFA, conditional access, SCIM provisioning
Sandbox approach	WSL2 + bubblewrap	OS-level isolation on Windows; dev containers as optional additional layer
Power BI pattern	Named queries via bridge API	No raw DAX from Claude; bridge behind VPN; audit every query
MCP server policy	Allowlist only	IT reviews and approves each MCP server before use
PHI handling	Block until Phase B BAAs	Conservative classification; multiple enforcement layers
24/7 automation	Phase 4 — shared server	Start local; add automation server when scheduled tasks justify it