diff --git a/claude/Dockerfile b/claude/Dockerfile
index 1a70a05..3025650 100644
--- a/claude/Dockerfile
+++ b/claude/Dockerfile
@@ -11,6 +11,10 @@ RUN apk add --no-cache \
 # Entrypoint used by the webui service (ttyd wrapping claude)
 COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh
+# System-level Claude Code policy — owned by root, not writable by the node user.
+# Restricts available models; cannot be bypassed via CLI flags or env vars.
+COPY managed-settings.json /etc/claude-code/managed-settings.json
+
 # Install Claude Code globally
 RUN npm install -g @anthropic-ai/claude-code
diff --git a/claude/managed-settings.json b/claude/managed-settings.json
new file mode 100644
index 0000000..f43cb85
--- /dev/null
+++ b/claude/managed-settings.json
@@ -0,0 +1,3 @@
+{
+ "availableModels": ["sonnet", "opus", "haiku"]
+}
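Review bot: The added `COPY managed-settings.json …` line relies on defaults for the guarantee its comment states: ownership defaults to root, but the file mode is carried over from the build context, so a group- or world-writable checkout would end up in the image as-is. Stating it explicitly, as the `--chmod=755` COPY just above already does, pins the claim: `COPY --chown=root:root --chmod=644 managed-settings.json /etc/claude-code/managed-settings.json`. "Not writable by the node user" also assumes the image drops to `USER node` before the entrypoint runs, which is not visible in this hunk. Because the `npm install -g @anthropic-ai/claude-code` below is unpinned, whether this path and the `availableModels` key are honoured depends on whichever release the build pulls; pinning the package version would keep the policy from silently lapsing after an upstream change.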