@ory/claude-code 0.1.3 → 0.2.1

package/README.md

@@ -120,6 +120,8 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
 
 ### Enable enforcement
 
+After install the plugin runs in **observe mode**: every tool call is checked against Ory Permissions, but a deny is recorded as a `permission.observe_deny` audit span and the tool runs anyway. This lets you see what *would* be blocked before turning on hard blocking.
+
 1. **Turn on the user gate.** In your shell:
 
    ```bash
@@ -128,19 +130,29 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
 
    The next Claude session opens a browser for PKCE login. Subsequent sessions reuse the persisted token until it expires.
 
-2. **Grant yourself permission to use a tool.** Use the Ory MCP server from inside Claude (*"grant me invoke on the Bash tool"*) or the CLI directly:
+2. **Bootstrap tuples for the built-in tools.** One idempotent command grants the current user `use` on every tool Claude ships with (Read, Write, Bash, …):
+
+   ```bash
+   npx -y -p @ory/claude-code ory-claude permissions bootstrap
+   ```
+
+   If a user identity is already cached at install time, the installer runs this for you automatically — re-run after adding tools, switching subjects, or changing the namespace.
+
+3. **Check coverage.** `permissions status` probes every tool in the harness's catalog and prints allowed / denied per tool:
 
    ```bash
-   ory create relationship \
-     --namespace AgentTools \
-     --object Bash \
-     --relation invoke \
-     --subject-id <your-user-subject-id>
+   npx -y -p @ory/claude-code ory-claude permissions status
    ```
 
-   Your subject id is printed at the start of every Claude session when `ORY_AGENT_DEBUG=true`.
+   Add tuples for any MCP server tools or custom commands by hand, or via the Ory MCP server from inside Claude (*"grant me use on the Bash tool"*).
+
+4. **Promote to enforce.** Once the observe-mode logs look right, switch over:
+
+   ```bash
+   npx -y -p @ory/claude-code ory-claude permissions enforce
+   ```
 
-3. **See a denial.** Pick a tool you didn't grant (or remove the tuple) and ask Claude to use it. The hook blocks the call and Claude shows the denial reason. The decision is recorded as a `tool.block` trace span.
+   Denies now block the tool call; Claude shows the denial reason and the decision is recorded as a `tool.block` trace span with `blocked: true`. Switch back any time with `permissions observe`.
 
 ## CLI reference
 
@@ -148,6 +160,7 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
 npx -y -p @ory/claude-code ory-claude install | uninstall              [--global]
 npx -y -p @ory/claude-code ory-claude configure                         [--project-url <url>] [--api-key <key>] [--audit-only]
 npx -y -p @ory/claude-code ory-claude agent <status|unregister>         Manage the agent's OAuth2 identity
+npx -y -p @ory/claude-code ory-claude permissions <status|bootstrap|observe|enforce>
 npx -y -p @ory/claude-code ory-claude local <up|down|status|seed|logs|env|configure|reset>
 npx -y -p @ory/claude-code ory-claude status
 ```
@@ -155,7 +168,8 @@ npx -y -p @ory/claude-code ory-claude status
 Highlights:
 
 - `agent status` — show the current persisted DCR identity for the agent.
-- `configure --audit-only` — record decisions without blocking; useful for a phased rollout.
+- `permissions observe` / `permissions enforce` — switch between "log denies, allow through" (the install default) and "block denies." `permissions bootstrap` writes `use` tuples for the harness's built-in tools so the promotion path doesn't require hand-writing relationships.
+- `configure --audit-only` — kill switch that disables Ory entirely (no auth, no permission checks; only audit logging of tool invocations). For phased rollouts, prefer `permissions observe` over `--audit-only`.
 - `local seed` / `local env` — reseed the test user, or print env vars for pointing other tools at the local stack.
 
 ## Troubleshooting

package/dist/cli/main.js

@@ -55,6 +55,10 @@ function main() {
     switch (command) {
         case "install":
             (0, setup_js_1.install)(args);
+            postInstallPermissions("ory-claude", "claude-code").then(() => process.exit(0), (err) => {
+                console.error(err.message ?? err);
+                process.exit(1);
+            });
             break;
         case "uninstall":
             (0, setup_js_1.uninstall)(args);
@@ -68,6 +72,12 @@ function main() {
                 process.exit(1);
             });
             break;
+        case "permissions":
+            (0, argus_1.runPermissionsCommand)("ory-claude", "claude-code", args).then((code) => process.exit(code), (err) => {
+                console.error(err.message ?? err);
+                process.exit(1);
+            });
+            break;
         case "status":
             status();
             break;
@@ -89,18 +99,30 @@ function main() {
             process.exit(1);
     }
 }
+async function postInstallPermissions(binName, harness) {
+    const bootstrapped = await (0, argus_1.maybeAutoBootstrap)(binName, harness);
+    (0, argus_1.printPermissionsOnboardingHelp)(binName, harness, {
+        bootstrappedAutomatically: bootstrapped,
+    });
+}
 function status() {
     console.log("Ory Agent Plugin Status (Claude Code)");
     console.log("======================================");
     console.log("");
     (0, argus_1.printOryConfig)();
     (0, argus_1.printEnvironment)();
-    // Plugin-specific status
+    // Plugin-specific status. The default install path delegates plugin
+    // assembly to the public `ory/claude-plugins` marketplace, so the persistent
+    // dir below is only populated for `--from-source` installs (the dev launcher
+    // and local iteration). Run `claude plugin list` for an authoritative view
+    // of what the `claude` CLI has registered.
     console.log("");
     console.log("Plugin:");
     const assembled = fs.existsSync(PERSISTENT_DIR);
-    console.log(`  Plugin directory: ${assembled ? PERSISTENT_DIR : "(not installed — run: npx ory-claude install)"}`);
-    console.log(`  Skills: ${assembled && fs.existsSync(path.join(PERSISTENT_DIR, "skills")) ? "installed" : "not installed"}`);
+    console.log(`  Local --from-source dir: ${assembled ? PERSISTENT_DIR : "(none — production installs use the ory/claude-plugins marketplace; run 'claude plugin list' to see registered plugins)"}`);
+    if (assembled) {
+        console.log(`  Skills: ${fs.existsSync(path.join(PERSISTENT_DIR, "skills")) ? "installed" : "not installed"}`);
+    }
     console.log(`  Hook script: ${fs.existsSync(path.join(PACKAGE_ROOT, "dist", "hook.js")) ? "built" : "NOT BUILT (run pnpm build)"}`);
     (0, argus_1.printLogTail)();
 }
@@ -116,6 +138,7 @@ Commands:
   install [--global]   Install Ory plugin via claude CLI marketplace
   uninstall [--global] Remove Ory plugin and marketplace
   configure            Set or view Ory project URL and API key
+  permissions <cmd>    Manage permission mode and tool permissions (status, bootstrap, observe, enforce)
   status               Show plugin status and configuration
   local <cmd>          Manage local Ory dev environment (up, down, status, seed, ...)
 

package/dist/cli/setup.d.ts

@@ -3,26 +3,35 @@
  * Setup CLI for the Ory Claude Code plugin.
  *
  * Uses the `claude` CLI to manage plugin installation via the marketplace:
- *   npx ory-claude-setup              # Install plugin (project scope)
- *   npx ory-claude-setup --global     # Install plugin (user scope)
- *   npx ory-claude-setup --uninstall  # Remove plugin
+ *   npx ory-claude-setup                  # Install plugin (project scope)
+ *   npx ory-claude-setup --global         # Install plugin (user scope)
+ *   npx ory-claude-setup --from-source    # Install from the local source tree (dev only)
+ *   npx ory-claude-setup --uninstall      # Remove plugin
  */
 /**
  * Install the Ory plugin via the `claude` CLI.
  *
- * 1. Assembles the plugin directory (manifest, skills, commands, hooks, MCP)
- * 2. Adds the Ory marketplace (pointing to that directory)
- * 3. Installs the plugin from that marketplace
+ * Two paths exist:
  *
- * Hooks, skills, commands, and the MCP server are picked up automatically
- * from the assembled directory by the Claude Code plugin system.
+ *   1. Default (production) — point the `claude` CLI at the public
+ *      `ory/claude-plugins` GitHub marketplace and install from there. The
+ *      release workflow keeps that repo's plugin subtree pinned to the latest
+ *      `@ory/claude-code` version, so the hook commands, skills, commands,
+ *      and MCP config all come from the published artifact. The install CLI
+ *      writes nothing to the persistent data dir on this path.
+ *
+ *   2. `--from-source` (dev only) — assemble the plugin directory from this
+ *      checkout's `.claude-plugin/`, register it as a local-file marketplace,
+ *      and install from there. The dev launcher uses this so changes in the
+ *      monorepo are exercised end-to-end without going through the release
+ *      mirror. End users should never need this flag.
  */
 export declare function install(args: string[]): void;
 /**
- * Uninstall the Ory plugin via the `claude` CLI.
+ * Uninstall the Ory plugin via the `claude` CLI. Mirrors `install`:
  *
- * 1. Uninstalls the plugin
- * 2. Removes the Ory marketplace
- * 3. Cleans up the assembled plugin directory
+ *   - Default: uninstall `ory-agent-plugin`, remove the production marketplace.
+ *   - `--from-source`: uninstall the locally-assembled plugin, remove its
+ *     marketplace entry, and clean up the assembled directory.
  */
 export declare function uninstall(args: string[]): void;

package/dist/cli/setup.js

@@ -4,9 +4,10 @@
  * Setup CLI for the Ory Claude Code plugin.
  *
  * Uses the `claude` CLI to manage plugin installation via the marketplace:
- *   npx ory-claude-setup              # Install plugin (project scope)
- *   npx ory-claude-setup --global     # Install plugin (user scope)
- *   npx ory-claude-setup --uninstall  # Remove plugin
+ *   npx ory-claude-setup                  # Install plugin (project scope)
+ *   npx ory-claude-setup --global         # Install plugin (user scope)
+ *   npx ory-claude-setup --from-source    # Install from the local source tree (dev only)
+ *   npx ory-claude-setup --uninstall      # Remove plugin
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
@@ -50,25 +51,35 @@ const path = __importStar(require("node:path"));
 const argus_1 = require("@ory/argus");
 const PACKAGE_ROOT = path.resolve(__dirname, "..", "..");
 /**
- * Resolve the marketplace and plugin names from the local `.claude-plugin/`
- * JSON files instead of hardcoding them.
+ * Production marketplace published by the release workflow as the read-only
+ * mirror of this monorepo's Claude Code plugin. The `name` field below is the
+ * short identifier declared by that repo's top-level
+ * `.claude-plugin/marketplace.json` — that's what the `claude` CLI registers
+ * the marketplace under, and what `claude plugin install <plugin>@<name>`
+ * dereferences. The plugin name matches the local `.claude-plugin/plugin.json`
+ * because the sync script preserves it.
  *
- * Source of truth for both the dev launcher and any local `ory-claude install`
- * run is `packages/claude-code/.claude-plugin/marketplace.json` (marketplace
- * name) and `.claude-plugin/plugin.json` (plugin name). The local marketplace
- * uses intentionally dev-flavored names — e.g. `ory-plugins-local-development`
- * and `ory-agent-plugin` — so a developer can see at a glance the install
- * came from this monorepo, not the production `ory/claude-plugins` repo the
- * release workflow syncs to.
+ * Keep these in sync with whatever the production marketplace declares — if
+ * the repo's marketplace.json `name` changes, update `PROD_MARKETPLACE_NAME`
+ * here too.
+ */
+const PROD_MARKETPLACE_REPO = "ory/claude-plugins";
+const PROD_MARKETPLACE_NAME = "ory";
+const PROD_PLUGIN_NAME = "ory-agent-plugin";
+/**
+ * For `--from-source` installs, resolve the marketplace and plugin names from
+ * the local `.claude-plugin/` JSON files instead of hardcoding them.
  *
- * The previous hardcoded `ory-plugins` / `ory-claude` constants caused
- * `claude plugin install ory-claude@ory-plugins` to fail with "Plugin
- * 'ory-claude' not found in marketplace 'ory-plugins'" because the
- * assembled local marketplace announces different names. Reading the
- * names from disk keeps the install CLI in lockstep with whatever the
- * marketplace files actually declare.
+ * Source of truth is `packages/claude-code/.claude-plugin/marketplace.json`
+ * (marketplace name) and `.claude-plugin/plugin.json` (plugin name). The local
+ * marketplace uses intentionally dev-flavored names — e.g.
+ * `ory-plugins-local-development` — so a developer can see at a glance the
+ * install came from this monorepo and not the production
+ * `ory/claude-plugins` repo. The default install path (no `--from-source`)
+ * bypasses these entirely and points the `claude` CLI at the production
+ * GitHub marketplace.
  */
-function readMarketplaceName() {
+function readLocalMarketplaceName() {
     const mfPath = path.join(PACKAGE_ROOT, ".claude-plugin", "marketplace.json");
     const data = JSON.parse(fs.readFileSync(mfPath, "utf-8"));
     if (!data.name) {
@@ -76,7 +87,7 @@ function readMarketplaceName() {
     }
     return data.name;
 }
-function readPluginName() {
+function readLocalPluginName() {
     const pjPath = path.join(PACKAGE_ROOT, ".claude-plugin", "plugin.json");
     const data = JSON.parse(fs.readFileSync(pjPath, "utf-8"));
     if (!data.name) {
@@ -89,18 +100,19 @@ const RENDER_OPTS = {
     packageName: "@ory/claude-code",
 };
 /**
- * Persistent install location used as the marketplace root. Lives under the
- * shared OS-agnostic data dir so all plugin state — config, DCR creds, harness
- * assets — sits in one place per platform. The plugin directory is assembled
- * here for both local and remote installs so the marketplace never points at
- * (or writes into) the package source tree.
+ * Persistent install location used as the marketplace root for `--from-source`
+ * installs. Lives under the shared OS-agnostic data dir so all plugin state —
+ * config, DCR creds, harness assets — sits in one place per platform. The
+ * production install path never touches this directory: the `claude` CLI
+ * fetches everything directly from the GitHub marketplace.
  */
 const PERSISTENT_DIR = (0, argus_1.getHarnessDataDir)("claude-code");
 /** Hook command that resolves the binary via the npm registry. */
 const HOOK_CMD_REMOTE = "npx -y -p @ory/claude-code ory-claude-hook";
 /**
  * Detect if we're running from a temporary npx/pnpm-dlx cache directory
- * rather than a proper local or global npm installation.
+ * rather than a proper local or global npm installation. Only consulted on
+ * the `--from-source` path to pick the right hook command.
  */
 function isRemoteContext() {
     const normalized = PACKAGE_ROOT.replace(/\\/g, "/");
@@ -112,7 +124,7 @@ function localHookCommand() {
 }
 /**
  * Assemble the Claude Code plugin directory in the persistent location and
- * return its path (used as the marketplace root).
+ * return its path (used as the marketplace root for `--from-source`).
  *
  * The plugin manifest (`.claude-plugin/`) and MCP config (`.mcp.json`) are
  * copied from the package; the skills, commands, and hooks are generated:
@@ -196,30 +208,100 @@ function checkClaudeCli() {
 /**
  * Install the Ory plugin via the `claude` CLI.
  *
- * 1. Assembles the plugin directory (manifest, skills, commands, hooks, MCP)
- * 2. Adds the Ory marketplace (pointing to that directory)
- * 3. Installs the plugin from that marketplace
+ * Two paths exist:
+ *
+ *   1. Default (production) — point the `claude` CLI at the public
+ *      `ory/claude-plugins` GitHub marketplace and install from there. The
+ *      release workflow keeps that repo's plugin subtree pinned to the latest
+ *      `@ory/claude-code` version, so the hook commands, skills, commands,
+ *      and MCP config all come from the published artifact. The install CLI
+ *      writes nothing to the persistent data dir on this path.
  *
- * Hooks, skills, commands, and the MCP server are picked up automatically
- * from the assembled directory by the Claude Code plugin system.
+ *   2. `--from-source` (dev only) — assemble the plugin directory from this
+ *      checkout's `.claude-plugin/`, register it as a local-file marketplace,
+ *      and install from there. The dev launcher uses this so changes in the
+ *      monorepo are exercised end-to-end without going through the release
+ *      mirror. End users should never need this flag.
  */
 function install(args) {
     const isGlobal = args.includes("--global");
+    const fromSource = args.includes("--from-source");
     const scope = claudeScope(isGlobal);
     if (!checkClaudeCli()) {
         console.error("Error: 'claude' CLI not found in PATH.");
         console.error("Install Claude Code first: https://docs.anthropic.com/en/docs/claude-code");
         process.exit(1);
     }
+    if (fromSource) {
+        installFromSource(scope);
+    }
+    else {
+        installFromProductionMarketplace(scope);
+    }
+    (0, argus_1.printNextSteps)("Claude Code", fromSource
+        ? "npx ory-claude uninstall --from-source"
+        : isRemoteContext()
+            ? "npx @ory/claude-code uninstall"
+            : "npx ory-claude uninstall");
+}
+/**
+ * Default production install path: register the `ory/claude-plugins` GitHub
+ * marketplace and install `ory-agent-plugin` from it. Nothing is assembled
+ * locally — the marketplace and the plugin tree both live in the GitHub repo,
+ * and the `claude` CLI fetches them on demand.
+ */
+function installFromProductionMarketplace(scope) {
+    console.log(`Registering Ory plugin marketplace from ${PROD_MARKETPLACE_REPO}...`);
+    const addResult = runClaude([
+        "plugin",
+        "marketplace",
+        "add",
+        PROD_MARKETPLACE_REPO,
+        "--scope",
+        scope,
+    ]);
+    if (!addResult.ok) {
+        if (addResult.output.toLowerCase().includes("already")) {
+            console.log("  Marketplace already registered, updating...");
+            runClaude(["plugin", "marketplace", "update", PROD_MARKETPLACE_NAME]);
+        }
+        else {
+            console.error(`Failed to add marketplace: ${addResult.output}`);
+            process.exit(1);
+        }
+    }
+    else {
+        console.log("  Marketplace added.");
+    }
+    console.log(`Installing ${PROD_PLUGIN_NAME}@${PROD_MARKETPLACE_NAME} plugin...`);
+    const installResult = runClaude([
+        "plugin",
+        "install",
+        `${PROD_PLUGIN_NAME}@${PROD_MARKETPLACE_NAME}`,
+        "--scope",
+        scope,
+    ]);
+    if (!installResult.ok) {
+        console.error(`Failed to install plugin: ${installResult.output}`);
+        process.exit(1);
+    }
+    console.log("  Plugin installed.");
+}
+/**
+ * Dev-only install path: assemble the plugin from this checkout and register
+ * it as a local-file marketplace. Used by the dev launcher (which publishes
+ * the monorepo packages to a local Verdaccio registry and then calls this CLI
+ * with `--from-source`) and by anyone hand-iterating on plugin code locally.
+ */
+function installFromSource(scope) {
     const remote = isRemoteContext();
     console.log("Assembling Ory plugin (skills, commands, hooks, MCP) at:");
     console.log(`  ${PERSISTENT_DIR}`);
     const pluginRoot = assemblePluginDir(remote ? HOOK_CMD_REMOTE : localHookCommand());
-    const marketplaceName = readMarketplaceName();
-    const pluginName = readPluginName();
+    const marketplaceName = readLocalMarketplaceName();
+    const pluginName = readLocalPluginName();
     console.log(`Source: ${pluginName}@${marketplaceName} (from ${pluginRoot})`);
-    // Step 1: Add the Ory marketplace
-    console.log("Adding Ory plugin marketplace...");
+    console.log("Adding local Ory plugin marketplace...");
     const addResult = runClaude([
         "plugin",
         "marketplace",
@@ -241,7 +323,6 @@ function install(args) {
     else {
         console.log("  Marketplace added.");
     }
-    // Step 2: Install the plugin from the marketplace
     console.log(`Installing ${pluginName} plugin...`);
     const installResult = runClaude([
         "plugin",
@@ -255,25 +336,26 @@ function install(args) {
         process.exit(1);
     }
     console.log("  Plugin installed.");
-    (0, argus_1.printNextSteps)("Claude Code", remote ? "npx @ory/claude-code uninstall" : "npx ory-claude uninstall");
 }
 /**
- * Uninstall the Ory plugin via the `claude` CLI.
+ * Uninstall the Ory plugin via the `claude` CLI. Mirrors `install`:
  *
- * 1. Uninstalls the plugin
- * 2. Removes the Ory marketplace
- * 3. Cleans up the assembled plugin directory
+ *   - Default: uninstall `ory-agent-plugin`, remove the production marketplace.
+ *   - `--from-source`: uninstall the locally-assembled plugin, remove its
+ *     marketplace entry, and clean up the assembled directory.
  */
 function uninstall(args) {
     const isGlobal = args.includes("--global");
+    const fromSource = args.includes("--from-source");
     const scope = claudeScope(isGlobal);
     if (!checkClaudeCli()) {
         console.error("Error: 'claude' CLI not found in PATH.");
         process.exit(1);
     }
-    const marketplaceName = readMarketplaceName();
-    const pluginName = readPluginName();
-    // Step 1: Uninstall the plugin
+    const pluginName = fromSource ? readLocalPluginName() : PROD_PLUGIN_NAME;
+    const marketplaceName = fromSource
+        ? readLocalMarketplaceName()
+        : PROD_MARKETPLACE_NAME;
     console.log(`Uninstalling ${pluginName} plugin...`);
     const uninstallResult = runClaude([
         "plugin",
@@ -288,7 +370,6 @@ function uninstall(args) {
     else {
         console.log("  Plugin uninstalled.");
     }
-    // Step 2: Remove the marketplace
     console.log("Removing Ory plugin marketplace...");
     const removeResult = runClaude([
         "plugin",
@@ -302,8 +383,9 @@ function uninstall(args) {
     else {
         console.log("  Marketplace removed.");
     }
-    // Step 3: Clean up the assembled plugin directory.
-    cleanPersistentDir();
+    if (fromSource) {
+        cleanPersistentDir();
+    }
 }
 // --- Standalone binary entry point (ory-claude-setup) ---
 if (require.main === module) {
@@ -315,13 +397,14 @@ Usage:
   npx ory-claude-setup [options]
 
 Options:
-  --global     Install to user scope (default: project scope)
-  --uninstall  Remove the Ory plugin and marketplace
-  -h, --help   Show this help
+  --global       Install to user scope (default: project scope)
+  --from-source  Install from this checkout's local marketplace (dev only)
+  --uninstall    Remove the Ory plugin and marketplace
+  -h, --help     Show this help
 
-Uses the 'claude' CLI to manage plugins via the marketplace system.
-The plugin's skills, commands, hooks, and MCP server are configured
-automatically.
+By default, points the 'claude' CLI at the public ory/claude-plugins
+marketplace and installs ory-agent-plugin from it. Pass --from-source to
+install from the local monorepo checkout instead (used by the dev launcher).
 `);
         process.exit(0);
     }

package/dist/handlers.js

@@ -188,40 +188,65 @@ async function handlePreToolUse(input, client, deps = {}) {
                 subject,
                 spanAttributes: { toolName },
             });
-            if (!mcpResult.allowed) {
+            const mcpAttrs = {
+                toolName,
+                mcpServer: mcpTool.serverName,
+                mcpTool: mcpTool.toolName,
+                ...inputSummary,
+            };
+            const decision = (0, argus_1.applyPermissionMode)(client, mcpResult.allowed, {
+                object: mcpTool.serverName,
+                relation: "use",
+                subjectId,
+                spanAttributes: mcpAttrs,
+            });
+            if (decision.kind === "allow") {
+                client.tracer.record("tool.invoke", "ok", { attributes: mcpAttrs });
+                return {};
+            }
+            if (decision.kind === "observe") {
                 client.tracer.record("tool.block", "denied", {
-                    attributes: { toolName, mcpServer: mcpTool.serverName, mcpTool: mcpTool.toolName, ...inputSummary, ...(0, argus_1.alertAttributes)(true) },
+                    attributes: { ...mcpAttrs, allowed: false, ...(0, argus_1.alertAttributes)(false) },
+                });
+                client.tracer.record("tool.invoke", "ok", {
+                    attributes: { ...mcpAttrs, allowed: false, observed: true },
                 });
-                return {
-                    decision: "block",
-                    reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }),
-                };
+                return {};
             }
-            client.tracer.record("tool.invoke", "ok", {
-                attributes: { toolName, mcpServer: mcpTool.serverName, mcpTool: mcpTool.toolName, ...inputSummary },
-            });
-            return {};
-        }
-        const namespace = resolveNamespace();
-        const result = await client.checkPermission({
-            namespace,
-            object: toolName,
-            relation: "use",
-            ...subject,
-        }, { spanAttributes: { toolName } });
-        if (!result.allowed) {
             client.tracer.record("tool.block", "denied", {
-                attributes: { toolName, ...inputSummary, allowed: result.allowed, ...(0, argus_1.alertAttributes)(true) },
+                attributes: { ...mcpAttrs, allowed: false, ...(0, argus_1.alertAttributes)(true) },
             });
             return {
                 decision: "block",
-                reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }),
+                reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }),
             };
         }
-        client.tracer.record("tool.invoke", "ok", {
-            attributes: { toolName, ...inputSummary, allowed: result.allowed },
+        const namespace = resolveNamespace();
+        const decision = await (0, argus_1.checkAndDecide)(client, { namespace, object: toolName, relation: "use", ...subject }, { spanAttributes: { toolName } });
+        if (decision.kind === "fail_open") {
+            return handlePermissionError(decision.error, toolName, client);
+        }
+        const attrs = { toolName, ...inputSummary };
+        if (decision.kind === "allow") {
+            client.tracer.record("tool.invoke", "ok", { attributes: { ...attrs, allowed: true } });
+            return {};
+        }
+        if (decision.kind === "observe") {
+            client.tracer.record("tool.block", "denied", {
+                attributes: { ...attrs, allowed: false, ...(0, argus_1.alertAttributes)(false) },
+            });
+            client.tracer.record("tool.invoke", "ok", {
+                attributes: { ...attrs, allowed: false, observed: true },
+            });
+            return {};
+        }
+        client.tracer.record("tool.block", "denied", {
+            attributes: { ...attrs, allowed: false, ...(0, argus_1.alertAttributes)(true) },
         });
-        return {};
+        return {
+            decision: "block",
+            reason: (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }),
+        };
     }
     catch (err) {
         return handlePermissionError(err, toolName, client);
@@ -354,20 +379,34 @@ async function handlePermissionRequest(input, client) {
                 subject,
                 spanAttributes: { toolName },
             });
-            return permissionRequestDecision(mcpResult.allowed ? "allow" : "deny", mcpResult.allowed
-                ? "Ory MCP server permission granted"
-                : (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }));
+            const decision = (0, argus_1.applyPermissionMode)(client, mcpResult.allowed, {
+                object: mcpTool.serverName,
+                relation: "use",
+                subjectId,
+                spanAttributes: { toolName, mcpServer: mcpTool.serverName, mcpTool: mcpTool.toolName },
+            });
+            if (decision.kind === "deny") {
+                return permissionRequestDecision("deny", (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, mcp: mcpTool }));
+            }
+            return permissionRequestDecision("allow", decision.kind === "observe"
+                ? "Ory observe mode — denied by policy but allowed through"
+                : "Ory MCP server permission granted");
         }
         const namespace = resolveNamespace();
-        const result = await client.checkPermission({
-            namespace,
-            object: toolName,
-            relation: "use",
-            ...subject,
-        }, { spanAttributes: { toolName } });
-        return permissionRequestDecision(result.allowed ? "allow" : "deny", result.allowed
-            ? "Ory permission granted"
-            : (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }));
+        const decision = await (0, argus_1.checkAndDecide)(client, { namespace, object: toolName, relation: "use", ...subject }, { spanAttributes: { toolName } });
+        if (decision.kind === "fail_open") {
+            const code = decision.error.code;
+            const fallbackReason = code === "network_error" || code === "rate_limited"
+                ? `Ory unavailable (${code}), falling back to user prompt`
+                : `Ory permission check failed: ${decision.error.message}`;
+            return permissionRequestFallback(fallbackReason);
+        }
+        if (decision.kind === "deny") {
+            return permissionRequestDecision("deny", (0, argus_1.formatDenialMessage)({ tool: toolName, subjectId, namespace }));
+        }
+        return permissionRequestDecision("allow", decision.kind === "observe"
+            ? "Ory observe mode — denied by policy but allowed through"
+            : "Ory permission granted");
     }
     catch (err) {
         const oryErr = err;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ory/claude-code",
-  "version": "0.1.3",
+  "version": "0.2.1",
   "description": "Ory plugin for Claude Code: scaffolding skills, a local Ory instance, and authentication, authorization, and audit for every tool call",
   "license": "Apache-2.0",
   "homepage": "https://ory.com",
@@ -72,7 +72,7 @@
     "!dist/**/*.tsbuildinfo"
   ],
   "dependencies": {
-    "@ory/argus": "0.1.3"
+    "@ory/argus": "0.2.1"
   },
   "engines": {
     "node": ">=24"