Configuration
Environment variables, plugin settings, authentication, and managing the plugin
Authentication
ArmorClaude works in local-only mode without any authentication. To enable backend features (audit logs, signed tokens, dashboard), you need an ArmorIQ API key.
Via Installer (recommended)
The installer prompts "Connect your ArmorIQ account now?" and runs armoriq login. This opens your browser; once you authorize, the key is saved automatically.
Via CLI (anytime after install)
armoriq login # browser-based SSO, saves key
armoriq whoami # check current auth
armoriq logout # clear credentials
Manual
export ARMORIQ_API_KEY=ak_live_...
Or via Claude Code: /plugin then armorclaude then Configure then set api_key.
Key Resolution Order
ArmorClaude checks in this order:
- Plugin userConfig (from /plugin Configure)
- ARMORIQ_API_KEY environment variable
- ~/.armoriq/credentials.json (saved by armoriq login)
- No key found: local-only mode
Environment Variables
| Variable | Default | Description |
|---|---|---|
| ARMORIQ_API_KEY | (none) | ArmorIQ API key |
| ARMORCOWORK_MODE | enforce | enforce blocks on failure, monitor logs only |
| ARMORCOWORK_INTENT_REQUIRED | true | Require intent plan for all tool calls |
| ARMORCOWORK_VALIDITY_SECONDS | 300 | Intent token TTL in seconds |
| ARMORCOWORK_PLANNING_ENABLED | true | Inject plan directive into Claude's context |
| ARMORCOWORK_AUDIT_ENABLED | true | Send audit logs to backend (when key set) |
| ARMORCOWORK_POLICY_UPDATE_ENABLED | true | Allow runtime policy updates |
| ARMORCOWORK_DEBUG | false | Show debug logs in stderr |
| CSRG_VERIFY_ENABLED | false | Enable backend CSRG step verification |
| REQUIRE_CSRG_PROOFS | false | Require cryptographic proofs |
Plugin Settings
Configure via Claude Code: /plugin then armorclaude then Configure
| Setting | Type | Description |
|---|---|---|
| api_key | string (sensitive) | ArmorIQ API key |
| mode | string | enforce or monitor |
| intent_required | boolean | Require intent plan for all calls |
| crypto_policy_enabled | boolean | Enable Merkle tree policy binding |
| use_production | boolean | Use production endpoints |
Managing the Plugin
claude plugin list # verify installed + enabled
claude plugin disable armorclaude # turn off temporarily
claude plugin enable armorclaude # turn back on
claude plugin update armorclaude # update to latest version
claude plugin uninstall armorclaude # remove completely
Full Uninstall
To remove everything including cached data:
claude plugin uninstall armorclaude
claude plugin marketplace remove armoriq
rm -rf ~/.claude/plugins/cache/armoriq
rm -rf ~/.claude/plugins/data/armorclaude-armoriq
rm -rf ~/.armoriq
Monitor Mode
To observe without blocking (useful for testing):
export ARMORCOWORK_MODE=monitor
claude
Or set mode to monitor in plugin config. All enforcement events are logged but tool calls proceed normally.
Monitor mode should only be used for testing. In production, use enforce mode to actually block unauthorized tool calls.
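A preflight check for the environment variables table and the monitor-mode warning above, as an added example that is not part of ArmorClaude or the ArmorIQ CLI. The function names are hypothetical, the defaults are copied from the table, and treating a deviation from them as a finding (and reading booleans as the literal strings true/false) is this example's assumption.

```shell
#!/bin/sh
# Added example (not ArmorIQ code). Defaults come from the table above;
# treating a deviation as a "finding" is this example's assumption.

finding() { printf 'FINDING: %s\n' "$1"; }

# Print one line per environment setting that weakens the documented defaults.
armor_env_audit() {
    mode="${ARMORCOWORK_MODE:-enforce}"
    intent="${ARMORCOWORK_INTENT_REQUIRED:-true}"
    audit="${ARMORCOWORK_AUDIT_ENABLED:-true}"
    ttl="${ARMORCOWORK_VALIDITY_SECONDS:-300}"

    case "$mode" in
        enforce) ;;
        monitor) finding "ARMORCOWORK_MODE=monitor: events are logged, tool calls are not blocked" ;;
        *)       finding "ARMORCOWORK_MODE='$mode' is neither enforce nor monitor" ;;
    esac
    # Assumption: the plugin reads these booleans as the literal strings true/false.
    if [ "$intent" != "true" ]; then
        finding "ARMORCOWORK_INTENT_REQUIRED='$intent': intent plan is not required for all tool calls"
    fi
    if [ "$audit" != "true" ]; then
        finding "ARMORCOWORK_AUDIT_ENABLED='$audit': audit logs are not sent to the backend"
    fi
    case "$ttl" in
        ''|*[!0-9]*) finding "ARMORCOWORK_VALIDITY_SECONDS='$ttl' is not a whole number of seconds" ;;
        *) if [ "$ttl" -gt 300 ]; then
               finding "ARMORCOWORK_VALIDITY_SECONDS=$ttl: intent token TTL is longer than the 300 s default"
           fi ;;
    esac
    return 0
}

# Return 0 only when the audit is clean; otherwise print the findings to stderr.
armor_preflight() {
    report="$(armor_env_audit)"
    if [ -n "$report" ]; then
        printf '%s\n' "$report" >&2
        return 1
    fi
    return 0
}

# Typical use in a launch wrapper:  armor_preflight && exec claude
```

This only inspects environment variables. Values set through /plugin Configure (mode, intent_required) are not visible to it, and the page does not say which source wins for those settings, so check the plugin configuration separately.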