Spicedb-dev. Claude Code plugin that adds authorization as you build

We built a Claude Code plugin that adds fine-grained authorization to apps. Works for creating new apps, adding features to existing apps, and migrating legacy authorization layers. The plugin helps design the permission model, write a SpiceDB schema, identify authorization points in the code base, generate SpiceDB client code, and test the authorization model.

We designed the plugin around different modes of working with Claude Code:

1. Guided workflow. /spicedb-dev:plan is the single entry point for anyone unsure where to start. It scans your data model, produces an authorization plan, and takes you through model design, schema generation, implementation, coverage auditing, and testing in sequence.

2. Single-purpose commands. Nine commands, each doing one thing. If you already know what you need, use a command directly.

3. Shared skills. Schema design patterns, client best practices, and testing strategies, exposed as skills that Claude and plugins like Superpowers can draw on for authorization related planning and work.

4. Ambient authorization. Add a snippet to your project's CLAUDE.md. From then on, Claude adds permission checks and relationship writes to every handler it generates or modifies. Authorization becomes part of code generation.

A live coding session where we used the plugin while generating a bookmark sharing app and adding a sharing feature to Immich (an open source photo sharing app) is here: https://www.youtube.com/watch?v=td3q9ZWLI5Y

We went through a number of iterations while developing and using the plugin internally. An early version assumed too much authorization knowledge so it wasn’t clear how to sequence the commands. Another was too prescriptive and became cumbersome when we just needed one specific thing done. We arrived at the current design by feel honestly and has worked well for our recent use. Would love feedback on how well or not well it works under other scenarios so we can continue to improve it