@ory/claude-code 0.1.0

package/.claude-plugin/marketplace.json

@@ -0,0 +1,13 @@
+{
+  "name": "ory-plugins",
+  "owner": {
+    "name": "Ory"
+  },
+  "plugins": [
+    {
+      "name": "ory-claude",
+      "source": "./",
+      "category": "development"
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -0,0 +1,10 @@
+{
+  "name": "ory-claude",
+  "version": "0.1.0",
+  "description": "Ory authentication and authorization for Claude Code — session auth, tool permissions, and audit logging",
+  "author": {
+    "name": "Ory",
+    "url": "https://ory.com"
+  },
+  "homepage": "https://github.com/ory/claude-plugins"
+}

package/.mcp.json

@@ -0,0 +1,12 @@
+{
+  "description": "Ory Claude Code MCP Server",
+  "mcpServers": {
+    "ory-claude-mcp": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "@ory/mcp-server"
+      ]
+    }
+  }
+}

package/README.md

@@ -0,0 +1,101 @@
+# Ory Agent Plugin: Claude Code
+
+[Ory](https://ory.com) bundled into [Claude Code](https://docs.anthropic.com/en/docs/claude-code): skills and slash commands that scaffold Ory authentication into your codebase, a local Ory stack you can spin up in one command, and (when pointed at an Ory project) authentication, authorization, and audit for every tool Claude runs.
+
+## Install
+
+From inside Claude Code. Try these in order; the first that works is the simplest path:
+
+**1. Anthropic's public plugin marketplace.** Find **Ory Agent Plugin** and install:
+
+```
+/plugin install ory-agent-plugin
+```
+
+**2. The Ory-hosted marketplace:**
+
+```
+/plugin marketplace add ory/claude-plugins
+/plugin install ory-claude@ory-plugins
+```
+
+**3. The Ory installer.** No prior `npm install` required:
+
+```bash
+npx @ory/claude-code install            # current project
+npx @ory/claude-code install --global   # all projects (user scope)
+npx @ory/claude-code uninstall
+```
+
+Every flow registers the same plugin: skills, slash commands, hooks, and the Ory MCP server.
+
+## Developer experience
+
+This plugin is a productivity layer for Ory itself. You don't need a real Ory project, an account, or any prior Ory experience to start using it.
+
+### Skills for scaffolding Ory into your application
+
+Ask Claude to add Ory auth to your codebase, or invoke the slash commands directly. Each skill is a vetted, end-to-end playbook:
+
+- **`/ory:auth-setup`**: full project setup. Install the Ory CLI, create an Ory Network project, add Ory Elements, configure the SDK, build the auth pages, wire session middleware.
+- **`/ory:login-flow`**: login, registration, recovery, verification, and settings pages with Ory Elements. Next.js App Router and React SPA variants.
+- **`/ory:social-login`**: Google, GitHub, Apple, Microsoft, Discord, and other OIDC providers with Jsonnet data mappers.
+- **`/ory:local-dev`**: drive the local Ory stack (below) from within Claude to prototype and test against without a remote project.
+
+Skills are versioned with the plugin so guidance stays in sync as Ory APIs evolve.
+
+### Ory MCP server
+
+Bundled and registered automatically. It exposes the Ory CLI and the Ory Network REST API as MCP tools so Claude can manage identities, OAuth2 clients, projects, permission tuples, and configuration without ever leaving the chat. Useful for seeding test data, verifying a scaffolded integration, or running one-off admin tasks.
+
+### Local Ory stack in one command
+
+```
+/ory:local-up      # start a local Ory instance in Docker
+/ory:local-down    # tear it all down
+```
+
+`local up` runs a local Ory instance in Docker, covering everything the plugin and your scaffolded application need. It also brings up a login UI on `:3000` and Jaeger on `:16686`, all reachable through `http://localhost:4000`. A test user identity is seeded and the credentials are printed for you. Use it to:
+
+- **Learn Ory hands-on** without signing up for a hosted project.
+- **Prototype** flows (login, social, MFA, recovery, permission tuples) against a real Ory backend in your local dev loop.
+- **Test** an auth integration end-to-end before pushing anything to a real environment.
+- **Develop** your application against the same identity, OAuth2, and permission surfaces you'll ship with.
+
+Point `ORY_PROJECT_URL` at `http://localhost:4000` (or run `npx ory-claude configure`) and the security features below run against the local stack.
+
+## Configure
+
+```bash
+npx ory-claude configure --project-url https://<id>.projects.oryapis.com --api-key ory_pat_...
+```
+
+Config is saved to `~/.config/ory-agent-plugins/config.json` and shared across every Ory agent plugin on the machine. Without it the plugin still loads cleanly and runs in **pass-through mode**: skills and commands work, but nothing is blocked.
+
+## Agent security (Argus)
+
+Once the plugin is pointed at an Ory project (local or hosted), Claude's session and every tool call are governed by Ory.
+
+- **Authentication.** Two identities. The human at the keyboard (the **user**) authenticates interactively via Ory Identities when `ORY_AUTH_GATE=1`. The Claude process (the **agent**) gets its own OAuth2 identity, self-registered via Dynamic Client Registration on first run. Sub-agents launched by the `Task` tool each receive their own typed identity.
+- **Authorization.** Before any tool runs, the plugin checks Ory Permissions against the user's subject and blocks the call on `deny`. MCP tool calls additionally get a server-level check.
+- **Audit.** Every decision (allow, deny, fallback) is recorded as a structured trace span: NDJSON file output and/or OTLP/HTTP export to Jaeger, Honeycomb, Grafana, and similar collectors. The user-to-agent (and agent-to-subagent) delegation chain is written to Ory as Zanzibar tuples so "agent X acting on behalf of user Y" stays queryable after tokens expire.
+
+The plugin is **fail-open** on its own infrastructure failures (network errors, rate limits, missing config), so enforcement is only as strong as your tuples; grant explicit `invoke` relations for the tools each user should be able to run.
+
+## CLI
+
+```
+npx ory-claude install | uninstall                [--global]
+npx ory-claude configure                           [--project-url <url>] [--api-key <key>] [--audit-only]
+npx ory-claude agent <status|unregister>           Manage the agent's OAuth2 identity
+npx ory-claude local <up|down|status|seed|logs|env|configure|reset>
+npx ory-claude status
+```
+
+## Links
+
+- [ory.com](https://ory.com)
+
+## License
+
+Apache-2.0

package/dist/cli/main.d.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * Main CLI for @ory/claude-code.
+ *
+ * Usage:
+ *   npx ory-claude install [--global]     Install plugin via claude CLI marketplace
+ *   npx ory-claude uninstall [--global]   Remove plugin via claude CLI marketplace
+ *   npx ory-claude configure              Set or view Ory project URL and API key
+ *   npx ory-claude status                 Show plugin status
+ *   npx ory-claude local <cmd>            Manage local Ory dev environment
+ */
+export {};

package/dist/cli/main.js

@@ -0,0 +1,131 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Main CLI for @ory/claude-code.
+ *
+ * Usage:
+ *   npx ory-claude install [--global]     Install plugin via claude CLI marketplace
+ *   npx ory-claude uninstall [--global]   Remove plugin via claude CLI marketplace
+ *   npx ory-claude configure              Set or view Ory project URL and API key
+ *   npx ory-claude status                 Show plugin status
+ *   npx ory-claude local <cmd>            Manage local Ory dev environment
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const path = __importStar(require("node:path"));
+const fs = __importStar(require("node:fs"));
+const argus_1 = require("@ory/argus");
+const setup_js_1 = require("./setup.js");
+const PACKAGE_ROOT = path.resolve(__dirname, "..", "..");
+const PERSISTENT_DIR = (0, argus_1.getHarnessDataDir)("claude-code");
+function main() {
+    const [command, ...args] = process.argv.slice(2);
+    switch (command) {
+        case "install":
+            (0, setup_js_1.install)(args);
+            break;
+        case "uninstall":
+            (0, setup_js_1.uninstall)(args);
+            break;
+        case "configure":
+            (0, argus_1.runConfigureCommand)("ory-claude", args);
+            break;
+        case "agent":
+            (0, argus_1.runAgentCommand)("ory-claude", args).then((code) => process.exit(code), (err) => {
+                console.error(err.message ?? err);
+                process.exit(1);
+            });
+            break;
+        case "status":
+            status();
+            break;
+        case "local":
+            (0, argus_1.runLocalCommand)("ory-claude", args).catch((err) => {
+                console.error(err.message ?? err);
+                process.exit(1);
+            });
+            break;
+        case "help":
+        case "--help":
+        case "-h":
+        case undefined:
+            help();
+            break;
+        default:
+            console.error(`Unknown command: ${command}`);
+            help();
+            process.exit(1);
+    }
+}
+function status() {
+    console.log("Ory Agent Plugin Status (Claude Code)");
+    console.log("======================================");
+    console.log("");
+    (0, argus_1.printOryConfig)();
+    (0, argus_1.printEnvironment)();
+    // Plugin-specific status
+    console.log("");
+    console.log("Plugin:");
+    const assembled = fs.existsSync(PERSISTENT_DIR);
+    console.log(`  Plugin directory: ${assembled ? PERSISTENT_DIR : "(not installed — run: npx ory-claude install)"}`);
+    console.log(`  Skills: ${assembled && fs.existsSync(path.join(PERSISTENT_DIR, "skills")) ? "installed" : "not installed"}`);
+    console.log(`  Hook script: ${fs.existsSync(path.join(PACKAGE_ROOT, "dist", "hook.js")) ? "built" : "NOT BUILT (run pnpm build)"}`);
+    (0, argus_1.printLogTail)();
+}
+function help() {
+    console.log(`
+ory-claude — Ory plugin for Claude Code
+
+Usage:
+  npx @ory/claude-code <command> [options]
+  npx ory-claude <command> [options]
+
+Commands:
+  install [--global]   Install Ory plugin via claude CLI marketplace
+  uninstall [--global] Remove Ory plugin and marketplace
+  configure            Set or view Ory project URL and API key
+  status               Show plugin status and configuration
+  local <cmd>          Manage local Ory dev environment (up, down, status, seed, ...)
+
+Examples:
+  npx @ory/claude-code install            # Install remotely (no prior npm install needed)
+  npx @ory/claude-code install --global   # Install globally (user scope)
+  npx ory-claude install                                # Install from local/global npm installation
+  npx ory-claude configure --project-url https://your-project.projects.oryapis.com --api-key ory_pat_...
+  npx ory-claude status                                 # Check configuration
+  npx ory-claude uninstall                              # Remove plugin
+`);
+}
+main();

package/dist/cli/setup.d.ts

@@ -0,0 +1,28 @@
+#!/usr/bin/env node
+/**
+ * Setup CLI for the Ory Claude Code plugin.
+ *
+ * Uses the `claude` CLI to manage plugin installation via the marketplace:
+ *   npx ory-claude-setup              # Install plugin (project scope)
+ *   npx ory-claude-setup --global     # Install plugin (user scope)
+ *   npx ory-claude-setup --uninstall  # Remove plugin
+ */
+/**
+ * Install the Ory plugin via the `claude` CLI.
+ *
+ * 1. Assembles the plugin directory (manifest, skills, commands, hooks, MCP)
+ * 2. Adds the Ory marketplace (pointing to that directory)
+ * 3. Installs the plugin from that marketplace
+ *
+ * Hooks, skills, commands, and the MCP server are picked up automatically
+ * from the assembled directory by the Claude Code plugin system.
+ */
+export declare function install(args: string[]): void;
+/**
+ * Uninstall the Ory plugin via the `claude` CLI.
+ *
+ * 1. Uninstalls the plugin
+ * 2. Removes the Ory marketplace
+ * 3. Cleans up the assembled plugin directory
+ */
+export declare function uninstall(args: string[]): void;

package/dist/cli/setup.js

@@ -0,0 +1,297 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Setup CLI for the Ory Claude Code plugin.
+ *
+ * Uses the `claude` CLI to manage plugin installation via the marketplace:
+ *   npx ory-claude-setup              # Install plugin (project scope)
+ *   npx ory-claude-setup --global     # Install plugin (user scope)
+ *   npx ory-claude-setup --uninstall  # Remove plugin
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.install = install;
+exports.uninstall = uninstall;
+const node_child_process_1 = require("node:child_process");
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const argus_1 = require("@ory/argus");
+const PACKAGE_ROOT = path.resolve(__dirname, "..", "..");
+const MARKETPLACE_NAME = "ory-plugins";
+const PLUGIN_NAME = "ory-claude";
+const RENDER_OPTS = {
+    binName: "ory-claude",
+    packageName: "@ory/claude-code",
+};
+/**
+ * Persistent install location used as the marketplace root. Lives under the
+ * shared OS-agnostic data dir so all plugin state — config, DCR creds, harness
+ * assets — sits in one place per platform. The plugin directory is assembled
+ * here for both local and remote installs so the marketplace never points at
+ * (or writes into) the package source tree.
+ */
+const PERSISTENT_DIR = (0, argus_1.getHarnessDataDir)("claude-code");
+/** Hook command that resolves the binary via the npm registry. */
+const HOOK_CMD_REMOTE = "npx -y -p @ory/claude-code ory-claude-hook";
+/**
+ * Detect if we're running from a temporary npx/pnpm-dlx cache directory
+ * rather than a proper local or global npm installation.
+ */
+function isRemoteContext() {
+    const normalized = PACKAGE_ROOT.replace(/\\/g, "/");
+    return normalized.includes("/_npx/") || normalized.includes("/dlx-");
+}
+/** Hook command for a local/global install — runs the built hook directly. */
+function localHookCommand() {
+    return `node ${path.join(PACKAGE_ROOT, "dist", "hook.js")}`;
+}
+/**
+ * Assemble the Claude Code plugin directory in the persistent location and
+ * return its path (used as the marketplace root).
+ *
+ * The plugin manifest (`.claude-plugin/`) and MCP config (`.mcp.json`) are
+ * copied from the package; the skills, commands, and hooks are generated:
+ * skills/commands are materialized from the shared `@ory/argus` templates (the
+ * single source of truth across every harness), and `hooks.json` is written
+ * with a hook command appropriate for the install context.
+ */
+function assemblePluginDir(hookCommand) {
+    fs.mkdirSync(PERSISTENT_DIR, { recursive: true });
+    // Static manifests copied straight from the package.
+    for (const asset of [".claude-plugin", ".mcp.json"]) {
+        const src = path.join(PACKAGE_ROOT, asset);
+        if (fs.existsSync(src)) {
+            fs.cpSync(src, path.join(PERSISTENT_DIR, asset), {
+                recursive: true,
+                force: true,
+            });
+        }
+    }
+    // Skills — materialized fresh from the shared core templates.
+    const skillsDir = path.join(PERSISTENT_DIR, "skills");
+    fs.rmSync(skillsDir, { recursive: true, force: true });
+    (0, argus_1.writeSkillTree)(skillsDir, (0, argus_1.renderOrySkills)("claude-code", RENDER_OPTS));
+    // Commands — plain markdown command files (Claude Code's `/ory:<name>`).
+    const commandsDir = path.join(PERSISTENT_DIR, "commands");
+    fs.rmSync(commandsDir, { recursive: true, force: true });
+    fs.mkdirSync(commandsDir, { recursive: true });
+    for (const cmd of (0, argus_1.renderOryCommands)("claude-code", RENDER_OPTS)) {
+        fs.writeFileSync(path.join(commandsDir, `${cmd.slug}.md`), (0, argus_1.commandToPlainMarkdown)(cmd));
+    }
+    // Hooks — generated with a command appropriate for the install context.
+    const hooksDir = path.join(PERSISTENT_DIR, "hooks");
+    fs.mkdirSync(hooksDir, { recursive: true });
+    const entry = [
+        { matcher: "", hooks: [{ type: "command", command: hookCommand }] },
+    ];
+    fs.writeFileSync(path.join(hooksDir, "hooks.json"), JSON.stringify({
+        description: "Ory Claude Code Hooks",
+        hooks: {
+            SessionStart: entry,
+            SessionEnd: entry,
+            UserPromptSubmit: entry,
+            PreToolUse: entry,
+            PostToolUse: entry,
+            PostToolUseFailure: entry,
+            SubagentStart: entry,
+            SubagentStop: entry,
+            PermissionRequest: entry,
+        },
+    }, null, 2) + "\n");
+    return PERSISTENT_DIR;
+}
+/** Remove the persistent install directory if it exists. */
+function cleanPersistentDir() {
+    if (fs.existsSync(PERSISTENT_DIR)) {
+        fs.rmSync(PERSISTENT_DIR, { recursive: true, force: true });
+        console.log(`  Removed ${PERSISTENT_DIR}`);
+    }
+}
+/** Map --global flag to the claude CLI's scope values. */
+function claudeScope(isGlobal) {
+    return isGlobal ? "user" : "project";
+}
+/** Run a `claude` CLI command and capture output. */
+function runClaude(args) {
+    const result = (0, node_child_process_1.spawnSync)("claude", args, {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"],
+    });
+    const output = ((result.stdout ?? "") + (result.stderr ?? "")).trim();
+    return { ok: result.status === 0, output };
+}
+/** Check that the `claude` CLI is available. */
+function checkClaudeCli() {
+    const result = (0, node_child_process_1.spawnSync)("claude", ["--version"], {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"],
+    });
+    return result.status === 0;
+}
+/**
+ * Install the Ory plugin via the `claude` CLI.
+ *
+ * 1. Assembles the plugin directory (manifest, skills, commands, hooks, MCP)
+ * 2. Adds the Ory marketplace (pointing to that directory)
+ * 3. Installs the plugin from that marketplace
+ *
+ * Hooks, skills, commands, and the MCP server are picked up automatically
+ * from the assembled directory by the Claude Code plugin system.
+ */
+function install(args) {
+    const isGlobal = args.includes("--global");
+    const scope = claudeScope(isGlobal);
+    if (!checkClaudeCli()) {
+        console.error("Error: 'claude' CLI not found in PATH.");
+        console.error("Install Claude Code first: https://docs.anthropic.com/en/docs/claude-code");
+        process.exit(1);
+    }
+    const remote = isRemoteContext();
+    console.log("Assembling Ory plugin (skills, commands, hooks, MCP) at:");
+    console.log(`  ${PERSISTENT_DIR}`);
+    const pluginRoot = assemblePluginDir(remote ? HOOK_CMD_REMOTE : localHookCommand());
+    // Step 1: Add the Ory marketplace
+    console.log("Adding Ory plugin marketplace...");
+    const addResult = runClaude([
+        "plugin",
+        "marketplace",
+        "add",
+        pluginRoot,
+        "--scope",
+        scope,
+    ]);
+    if (!addResult.ok) {
+        if (addResult.output.toLowerCase().includes("already")) {
+            console.log("  Marketplace already registered, updating...");
+            runClaude(["plugin", "marketplace", "update", MARKETPLACE_NAME]);
+        }
+        else {
+            console.error(`Failed to add marketplace: ${addResult.output}`);
+            process.exit(1);
+        }
+    }
+    else {
+        console.log("  Marketplace added.");
+    }
+    // Step 2: Install the plugin from the marketplace
+    console.log("Installing ory-claude plugin...");
+    const installResult = runClaude([
+        "plugin",
+        "install",
+        `${PLUGIN_NAME}@${MARKETPLACE_NAME}`,
+        "--scope",
+        scope,
+    ]);
+    if (!installResult.ok) {
+        console.error(`Failed to install plugin: ${installResult.output}`);
+        process.exit(1);
+    }
+    console.log("  Plugin installed.");
+    (0, argus_1.printNextSteps)("Claude Code", remote ? "npx @ory/claude-code uninstall" : "npx ory-claude uninstall");
+}
+/**
+ * Uninstall the Ory plugin via the `claude` CLI.
+ *
+ * 1. Uninstalls the plugin
+ * 2. Removes the Ory marketplace
+ * 3. Cleans up the assembled plugin directory
+ */
+function uninstall(args) {
+    const isGlobal = args.includes("--global");
+    const scope = claudeScope(isGlobal);
+    if (!checkClaudeCli()) {
+        console.error("Error: 'claude' CLI not found in PATH.");
+        process.exit(1);
+    }
+    // Step 1: Uninstall the plugin
+    console.log("Uninstalling ory-claude plugin...");
+    const uninstallResult = runClaude([
+        "plugin",
+        "uninstall",
+        PLUGIN_NAME,
+        "--scope",
+        scope,
+    ]);
+    if (!uninstallResult.ok) {
+        console.warn(`  Warning: ${uninstallResult.output}`);
+    }
+    else {
+        console.log("  Plugin uninstalled.");
+    }
+    // Step 2: Remove the marketplace
+    console.log("Removing Ory plugin marketplace...");
+    const removeResult = runClaude([
+        "plugin",
+        "marketplace",
+        "remove",
+        MARKETPLACE_NAME,
+    ]);
+    if (!removeResult.ok) {
+        console.warn(`  Warning: ${removeResult.output}`);
+    }
+    else {
+        console.log("  Marketplace removed.");
+    }
+    // Step 3: Clean up the assembled plugin directory.
+    cleanPersistentDir();
+}
+// --- Standalone binary entry point (ory-claude-setup) ---
+if (require.main === module) {
+    if (process.argv.includes("--help") || process.argv.includes("-h")) {
+        console.log(`
+ory-claude-setup — Install or remove the Ory plugin for Claude Code
+
+Usage:
+  npx ory-claude-setup [options]
+
+Options:
+  --global     Install to user scope (default: project scope)
+  --uninstall  Remove the Ory plugin and marketplace
+  -h, --help   Show this help
+
+Uses the 'claude' CLI to manage plugins via the marketplace system.
+The plugin's skills, commands, hooks, and MCP server are configured
+automatically.
+`);
+        process.exit(0);
+    }
+    const args = process.argv.slice(2);
+    if (args.includes("--uninstall")) {
+        uninstall(args);
+    }
+    else {
+        install(args);
+    }
+}

package/dist/handlers.d.ts

@@ -0,0 +1,14 @@
+import { OryAgentClient, ensureUserAuthenticated, ensureAgentIdentity, ensureSubAgentIdentity } from "@ory/argus";
+import type { ClaudeCodeHookInput, ClaudeCodeHookOutput } from "./types.js";
+export interface HandleHookEventDeps {
+    /** Test injection point for the user auth gate. */
+    authGate?: typeof ensureUserAuthenticated;
+    /** Test injection point for the agent identity gate. */
+    agentGate?: typeof ensureAgentIdentity;
+    /** Test injection point for the sub-agent identity resolver. */
+    subAgentGate?: typeof ensureSubAgentIdentity;
+}
+/**
+ * Route a Claude Code hook event to the appropriate Ory integration.
+ */
+export declare function handleHookEvent(input: ClaudeCodeHookInput, client: OryAgentClient, deps?: HandleHookEventDeps): Promise<ClaudeCodeHookOutput>;