@ory/claude-code 0.6.2 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +6 -6
  2. package/dist/handlers.d.ts +2 -2
  3. package/dist/handlers.js +3 -3
  4. package/package.json +2 -2
package/README.md CHANGED
@@ -57,13 +57,13 @@ From any project where you'd like Ory authentication, inside Claude Code:
57
57
 
58
58
  3. **Sign in.** Start your app, visit the login page Claude added, and sign in with the seeded credentials. You now have a real Ory session backed by a real Ory stack — locally, offline, with zero configuration.
59
59
 
60
- 4. **Turn on Ory login for the Claude session itself.** *(Optional but recommended.)* Out of the box the plugin only governs your *app*. To also attach an Ory identity to *Claude's* session — so every tool call is attributed to you, not a fallback `session:<id>` subject — set:
60
+ 4. **Turn on Ory login for the Claude session itself.** *(Optional but recommended.)* Out of the box the plugin only governs your *app*. To also attach an Ory identity to *Claude's* session — so every tool call is attributed to you, not a fallback `session:<id>` subject — opt in to the user-login flow:
61
61
 
62
62
  ```bash
63
- export ORY_AUTH_GATE=1
63
+ export ORY_USER_LOGIN=1
64
64
  ```
65
65
 
66
- Then restart Claude. On next session start, Claude opens an Ory login in your browser; sign in with the same seeded credentials from step 1. This is what makes `permissions enforce` (see [Agent security](#agent-security)) deny on the right identity later.
66
+ User login is off by default. With it on, the next Claude session opens an Ory login in your browser; sign in with the same seeded credentials from step 1, and the token is reused on subsequent sessions until it expires. This is what makes `permissions enforce` (see [Agent security](#agent-security)) deny on the right identity later.
67
67
 
68
68
  That's the full Ory DX path. Stop here if you're just evaluating the plugin. Continue to [Agent security](#agent-security) when you're ready to enforce.
69
69
 
@@ -119,7 +119,7 @@ Without any configuration the plugin still loads cleanly and runs in **pass-thro
119
119
 
120
120
  Once the plugin is pointed at an Ory project (local or hosted), Claude's session and every tool call can be governed by Ory.
121
121
 
122
- - **Authentication.** Two identities. The human at the keyboard (the **user**) authenticates interactively via Ory Identities when `ORY_AUTH_GATE=1` is set. The Claude process (the **agent**) gets its own OAuth2 identity, self-registered via [Dynamic Client Registration (RFC 7591)](https://datatracker.ietf.org/doc/html/rfc7591) on first run. Sub-agents launched by the `Task` tool each receive their own typed identity.
122
+ - **Authentication.** Two identities. The human at the keyboard (the **user**) authenticates interactively via Ory Identities when user login is enabled (`ORY_USER_LOGIN=1`, off by default — browser PKCE flow on first session, persisted token thereafter). The Claude process (the **agent**) gets its own OAuth2 identity, self-registered via [Dynamic Client Registration (RFC 7591)](https://datatracker.ietf.org/doc/html/rfc7591) on first run. Sub-agents launched by the `Task` tool each receive their own typed identity.
123
123
  - **Authorization.** Before any tool runs, the plugin checks [Ory Permissions](https://www.ory.sh/docs/keto) (Zanzibar-style relations) against the user's subject and blocks the call on `deny`. MCP tool calls additionally get a server-level check.
124
124
  - **Audit.** Every decision (allow, deny, fallback) is recorded as a structured trace span: NDJSON file output and/or OTLP/HTTP export to Jaeger, Honeycomb, Grafana, and similar collectors. The user → agent (and agent → subagent) delegation chain is written to Ory as relations so *"agent X acting on behalf of user Y"* stays queryable after tokens expire.
125
125
 
@@ -129,10 +129,10 @@ The plugin is **fail-open** on its own infrastructure failures (network errors,
129
129
 
130
130
  With an Ory project configured, the plugin runs in **observe mode** by default: every tool call is checked against Ory Permissions, a deny is recorded as a `permission.observe_deny` audit span, and the tool runs anyway. This lets you see what *would* be blocked before turning on hard blocking. (Without a project configured, the plugin is in pass-through mode — no checks run at all.)
131
131
 
132
- 1. **Turn on the user gate.** In your shell:
132
+ 1. **Turn on user login.** It's off by default. In your shell:
133
133
 
134
134
  ```bash
135
- export ORY_AUTH_GATE=1
135
+ export ORY_USER_LOGIN=1
136
136
  ```
137
137
 
138
138
  The next Claude session opens a browser for PKCE login. Subsequent sessions reuse the persisted token until it expires.
package/dist/handlers.d.ts CHANGED
@@ -1,8 +1,8 @@
1
1
  import { OryAgentClient, ensureUserAuthenticated, ensureAgentIdentity, ensureSubAgentIdentity } from "@ory/argus";
2
2
  import type { ClaudeCodeHookInput, ClaudeCodeHookOutput } from "./types.js";
3
3
  export interface HandleHookEventDeps {
4
- /** Test injection point for the user auth gate. */
5
- authGate?: typeof ensureUserAuthenticated;
4
+ /** Test injection point for the user login flow. */
5
+ userLogin?: typeof ensureUserAuthenticated;
6
6
  /** Test injection point for the agent identity gate. */
7
7
  agentGate?: typeof ensureAgentIdentity;
8
8
  /** Test injection point for the sub-agent identity resolver. */
package/dist/handlers.js CHANGED
@@ -60,10 +60,10 @@ async function handleSessionStart(input, client, deps) {
60
60
  client.tracer.record("session.start", "ok", {
61
61
  attributes: { model: input.model, source: input.source },
62
62
  });
63
- // Run the user auth gate (interactive PKCE on first session, refresh
64
- // when needed). When ORY_AUTH_GATE is unset this is a no-op and we
63
+ // Run the user login (interactive PKCE on first session, refresh
64
+ // when needed). When ORY_USER_LOGIN is unset this is a no-op and we
65
65
  // fall through to the legacy verify path below.
66
- const userGate = deps.authGate ?? argus_1.ensureUserAuthenticated;
66
+ const userGate = deps.userLogin ?? argus_1.ensureUserAuthenticated;
67
67
  const decision = await userGate(client, {
68
68
  binName: "ory-claude",
69
69
  harness: "claude-code",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ory/claude-code",
3
- "version": "0.6.2",
3
+ "version": "0.7.0",
4
4
  "description": "Ory plugin for Claude Code: scaffolding skills, a local Ory instance, and authentication, authorization, and audit for every tool call",
5
5
  "license": "Apache-2.0",
6
6
  "homepage": "https://github.com/ory/claude-plugins/tree/master/plugins/ory-agent-plugin",
@@ -75,7 +75,7 @@
75
75
  "!dist/**/*.tsbuildinfo"
76
76
  ],
77
77
  "dependencies": {
78
- "@ory/argus": "0.6.2"
78
+ "@ory/argus": "0.7.0"
79
79
  },
80
80
  "engines": {
81
81
  "node": ">=22"