npm - @ory/claude-code - Versions diffs - 0.1.3 → 0.2.0 - Mend

@ory/claude-code 0.1.3 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -120,6 +120,8 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
 ### Enable enforcement
+After install the plugin runs in **observe mode**: every tool call is checked against Ory Permissions, but a deny is recorded as a `permission.observe_deny` audit span and the tool runs anyway. This lets you see what *would* be blocked before turning on hard blocking.
 1. **Turn on the user gate.** In your shell:
    ```bash
@@ -128,19 +130,29 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
    The next Claude session opens a browser for PKCE login. Subsequent sessions reuse the persisted token until it expires.
-2. **Grant yourself permission to use a tool.** Use the Ory MCP server from inside Claude (*"grant me invoke on the Bash tool"*) or the CLI directly:
+2. **Bootstrap tuples for the built-in tools.** One idempotent command grants the current user `use` on every tool Claude ships with (Read, Write, Bash, …):
+   ```bash
+   npx -y -p @ory/claude-code ory-claude permissions bootstrap
+   ```
+   If a user identity is already cached at install time, the installer runs this for you automatically — re-run after adding tools, switching subjects, or changing the namespace.
+3. **Check coverage.** `permissions status` probes every tool in the harness's catalog and prints allowed / denied per tool:
    ```bash
-   ory create relationship \
-     --namespace AgentTools \
-     --object Bash \
-     --relation invoke \
-     --subject-id <your-user-subject-id>
+   npx -y -p @ory/claude-code ory-claude permissions status
    ```
-   Your subject id is printed at the start of every Claude session when `ORY_AGENT_DEBUG=true`.
+   Add tuples for any MCP server tools or custom commands by hand, or via the Ory MCP server from inside Claude (*"grant me use on the Bash tool"*).
+4. **Promote to enforce.** Once the observe-mode logs look right, switch over:
+   ```bash
+   npx -y -p @ory/claude-code ory-claude permissions enforce
+   ```
-3. **See a denial.** Pick a tool you didn't grant (or remove the tuple) and ask Claude to use it. The hook blocks the call and Claude shows the denial reason. The decision is recorded as a `tool.block` trace span.
+   Denies now block the tool call; Claude shows the denial reason and the decision is recorded as a `tool.block` trace span with `blocked: true`. Switch back any time with `permissions observe`.
 ## CLI reference
@@ -148,6 +160,7 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
 npx -y -p @ory/claude-code ory-claude install | uninstall              [--global]
 npx -y -p @ory/claude-code ory-claude configure                         [--project-url <url>] [--api-key <key>] [--audit-only]
 npx -y -p @ory/claude-code ory-claude agent <status|unregister>         Manage the agent's OAuth2 identity
+npx -y -p @ory/claude-code ory-claude permissions <status|bootstrap|observe|enforce>
 npx -y -p @ory/claude-code ory-claude local <up|down|status|seed|logs|env|configure|reset>
 npx -y -p @ory/claude-code ory-claude status
 ```
@@ -155,7 +168,8 @@ npx -y -p @ory/claude-code ory-claude status
 Highlights:
 - `agent status` — show the current persisted DCR identity for the agent.
-- `configure --audit-only` — record decisions without blocking; useful for a phased rollout.
+- `permissions observe` / `permissions enforce` — switch between "log denies, allow through" (the install default) and "block denies." `permissions bootstrap` writes `use` tuples for the harness's built-in tools so the promotion path doesn't require hand-writing relationships.
+- `configure --audit-only` — kill switch that disables Ory entirely (no auth, no permission checks; only audit logging of tool invocations). For phased rollouts, prefer `permissions observe` over `--audit-only`.
 - `local seed` / `local env` — reseed the test user, or print env vars for pointing other tools at the local stack.
 ## Troubleshooting

package/dist/cli/main.js CHANGED Viewed

@@ -55,6 +55,10 @@ function main() {
     switch (command) {
         case "install":
             (0, setup_js_1.install)(args);
+            postInstallPermissions("ory-claude", "claude-code").then(() => process.exit(0), (err) => {
+                console.error(err.message ?? err);
+                process.exit(1);
+            });
             break;
         case "uninstall":
             (0, setup_js_1.uninstall)(args);
@@ -68,6 +72,12 @@ function main() {
                 process.exit(1);
             });
             break;
+        case "permissions":
+            (0, argus_1.runPermissionsCommand)("ory-claude", "claude-code", args).then((code) => process.exit(code), (err) => {
+                console.error(err.message ?? err);
+                process.exit(1);
+            });
+            break;
         case "status":
             status();
             break;
@@ -89,6 +99,12 @@ function main() {
             process.exit(1);
     }
 }
+async function postInstallPermissions(binName, harness) {
+    const bootstrapped = await (0, argus_1.maybeAutoBootstrap)(binName, harness);
+    (0, argus_1.printPermissionsOnboardingHelp)(binName, harness, {
+        bootstrappedAutomatically: bootstrapped,
+    });
+}
 function status() {
     console.log("Ory Agent Plugin Status (Claude Code)");
     console.log("======================================");
@@ -116,6 +132,7 @@ Commands:
   install [--global]   Install Ory plugin via claude CLI marketplace
   uninstall [--global] Remove Ory plugin and marketplace
   configure            Set or view Ory project URL and API key
+  permissions <cmd>    Manage permission mode and tool tuples (status, bootstrap, observe, enforce)
   status               Show plugin status and configuration
   local <cmd>          Manage local Ory dev environment (up, down, status, seed, ...)

package/dist/handlers.js CHANGED Viewed

@@ -188,40 +188,65 @@ async function handlePreToolUse(input, client, deps = {}) {
                 subject,
                 spanAttributes: { toolName },
             });
-            if (!mcpResult.allowed) {
+            const mcpAttrs = {
+                toolName,
+                mcpServer: mcpTool.serverName,
+                mcpTool: mcpTool.toolName,
+                ...inputSummary,
+            };
+            const decision = (0, argus_1.applyPermissionMode)(client, mcpResult.allowed, {
+                object: mcpTool.serverName,
+                relation: "use",
+                subjectId,
+                spanAttributes: mcpAttrs,
+            });
+            if (decision.kind === "allow") {
+                client.tracer.record("tool.invoke", "ok", { attributes: mcpAttrs });
+                return {};
+            }
+            if (decision.kind === "observe") {
                 client.tracer.record("tool.block", "denied", {
-                    attributes: { toolName, mcpServer: mcpTool.serverName, mcpTool: mcpTool.toolName, ...inputSummary, ...(0, argus_1.alertAttributes)(true) },
+                    attributes: { ...mcpAttrs, allowed: false, ...(0, argus_1.alertAttributes)(false) },
+                });
+                client.tracer.record("tool.invoke", "ok", {
+                    attributes: { ...mcpAttrs, allowed: false, observed: true },
                 });
-                return {
-                    decision: "block",
-                    reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }),
-                };
+                return {};
             }
-            client.tracer.record("tool.invoke", "ok", {
-                attributes: { toolName, mcpServer: mcpTool.serverName, mcpTool: mcpTool.toolName, ...inputSummary },
-            });
-            return {};
-        }
-        const namespace = resolveNamespace();
-        const result = await client.checkPermission({
-            namespace,
-            object: toolName,
-            relation: "use",
-            ...subject,
-        }, { spanAttributes: { toolName } });
-        if (!result.allowed) {
             client.tracer.record("tool.block", "denied", {
-                attributes: { toolName, ...inputSummary, allowed: result.allowed, ...(0, argus_1.alertAttributes)(true) },
+                attributes: { ...mcpAttrs, allowed: false, ...(0, argus_1.alertAttributes)(true) },
             });
             return {
                 decision: "block",
-                reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }),
+                reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }),
             };
         }
-        client.tracer.record("tool.invoke", "ok", {
-            attributes: { toolName, ...inputSummary, allowed: result.allowed },
+        const namespace = resolveNamespace();
+        const decision = await (0, argus_1.checkAndDecide)(client, { namespace, object: toolName, relation: "use", ...subject }, { spanAttributes: { toolName } });
+        if (decision.kind === "fail_open") {
+            return handlePermissionError(decision.error, toolName, client);
+        }
+        const attrs = { toolName, ...inputSummary };
+        if (decision.kind === "allow") {
+            client.tracer.record("tool.invoke", "ok", { attributes: { ...attrs, allowed: true } });
+            return {};
+        }
+        if (decision.kind === "observe") {
+            client.tracer.record("tool.block", "denied", {
+                attributes: { ...attrs, allowed: false, ...(0, argus_1.alertAttributes)(false) },
+            });
+            client.tracer.record("tool.invoke", "ok", {
+                attributes: { ...attrs, allowed: false, observed: true },
+            });
+            return {};
+        }
+        client.tracer.record("tool.block", "denied", {
+            attributes: { ...attrs, allowed: false, ...(0, argus_1.alertAttributes)(true) },
         });
-        return {};
+        return {
+            decision: "block",
+            reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }),
+        };
     }
     catch (err) {
         return handlePermissionError(err, toolName, client);
@@ -354,20 +379,34 @@ async function handlePermissionRequest(input, client) {
                 subject,
                 spanAttributes: { toolName },
             });
-            return permissionRequestDecision(mcpResult.allowed ? "allow" : "deny", mcpResult.allowed
-                ? "Ory MCP server permission granted"
-                : (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }));
+            const decision = (0, argus_1.applyPermissionMode)(client, mcpResult.allowed, {
+                object: mcpTool.serverName,
+                relation: "use",
+                subjectId,
+                spanAttributes: { toolName, mcpServer: mcpTool.serverName, mcpTool: mcpTool.toolName },
+            });
+            if (decision.kind === "deny") {
+                return permissionRequestDecision("deny", (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }));
+            }
+            return permissionRequestDecision("allow", decision.kind === "observe"
+                ? "Ory observe mode — denied by policy but allowed through"
+                : "Ory MCP server permission granted");
         }
         const namespace = resolveNamespace();
-        const result = await client.checkPermission({
-            namespace,
-            object: toolName,
-            relation: "use",
-            ...subject,
-        }, { spanAttributes: { toolName } });
-        return permissionRequestDecision(result.allowed ? "allow" : "deny", result.allowed
-            ? "Ory permission granted"
-            : (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }));
+        const decision = await (0, argus_1.checkAndDecide)(client, { namespace, object: toolName, relation: "use", ...subject }, { spanAttributes: { toolName } });
+        if (decision.kind === "fail_open") {
+            const code = decision.error.code;
+            const fallbackReason = code === "network_error" || code === "rate_limited"
+                ? `Ory unavailable (${code}), falling back to user prompt`
+                : `Ory permission check failed: ${decision.error.message}`;
+            return permissionRequestFallback(fallbackReason);
+        }
+        if (decision.kind === "deny") {
+            return permissionRequestDecision("deny", (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }));
+        }
+        return permissionRequestDecision("allow", decision.kind === "observe"
+            ? "Ory observe mode — denied by policy but allowed through"
+            : "Ory permission granted");
     }
     catch (err) {
         const oryErr = err;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ory/claude-code",
-  "version": "0.1.3",
+  "version": "0.2.0",
   "description": "Ory plugin for Claude Code: scaffolding skills, a local Ory instance, and authentication, authorization, and audit for every tool call",
   "license": "Apache-2.0",
   "homepage": "https://ory.com",
@@ -72,7 +72,7 @@
     "!dist/**/*.tsbuildinfo"
   ],
   "dependencies": {
-    "@ory/argus": "0.1.3"
+    "@ory/argus": "0.2.0"
   },
   "engines": {
     "node": ">=24"