multicorn-shield 0.1.9 → 0.1.13

package/README.md

@@ -10,6 +10,12 @@ The permissions and control layer for AI agents. Open source.
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 [![Bundle Size](https://img.shields.io/bundlephobia/minzip/multicorn-shield)](https://bundlephobia.com/package/multicorn-shield)
 
+## Demo
+
+<p align="center">
+  <img src="https://multicorn.ai/images/demo.gif" alt="Multicorn Shield demo: agent blocked, user approves in dashboard, agent proceeds" width="800" />
+</p>
+
 ## Why?
 
 AI agents are getting access to your email, calendar, bank accounts, and code repositories. Today, most agents operate with no permission boundaries: they can read, write, and spend with no oversight. Multicorn Shield gives developers a single SDK to enforce what agents can do, track what they did, and let users stay in control.
@@ -48,7 +54,79 @@ That's it. Every tool call now goes through Shield's permission layer, and activ
 
 See the [full MCP proxy guide](https://multicorn.ai/docs/mcp-proxy) for Claude Code, OpenClaw, and generic MCP client examples.
 
-### Option 2: Integrate the SDK
+### Option 2: OpenClaw Plugin (native integration)
+
+If you're running [OpenClaw](https://openclaw.ai), Shield integrates directly as a plugin. No proxy layer, no code changes. The plugin intercepts every tool call at the infrastructure level before it executes.
+
+**Step 1: Install and configure**
+
+```bash
+npm install -g multicorn-shield
+npx multicorn-proxy init
+```
+
+Enter your API key when prompted. This saves your key to `~/.multicorn/config.json` and configures the OpenClaw hook environment.
+
+**Step 2: Build the plugin**
+
+```bash
+cd $(npm root -g)/multicorn-shield
+npm run build
+```
+
+**Step 3: Register with OpenClaw**
+
+Add the plugin path to your `~/.openclaw/openclaw.json`:
+
+```json
+{
+  "plugins": {
+    "load": {
+      "paths": ["<npm-root>/multicorn-shield/dist/openclaw-plugin/index.js"]
+    },
+    "entries": {
+      "multicorn-shield": {
+        "enabled": true
+      }
+    }
+  }
+}
+```
+
+Replace `<npm-root>` with the output of `npm root -g`.
+
+**Step 4: Restart and verify**
+
+```bash
+openclaw gateway restart
+openclaw plugins list
+```
+
+You should see `multicorn-shield` in the loaded plugins list.
+
+**How it works**
+
+1. Agent tries to use a tool (read files, run commands, send emails)
+2. Shield intercepts via `before_tool_call` and checks permissions
+3. First time: A consent screen opens in your browser so you can authorize the agent
+4. Authorized actions: Proceed immediately
+5. New or elevated actions: Blocked with a link to the dashboard where you approve or reject
+6. Everything is logged to your Multicorn dashboard
+
+The plugin maps OpenClaw tools to Shield permission scopes automatically:
+
+| OpenClaw Tool       | Shield Scope     |
+| ------------------- | ---------------- |
+| read                | filesystem:read  |
+| write, edit         | filesystem:write |
+| exec                | terminal:execute |
+| exec (rm, mv, sudo) | terminal:write   |
+| browser             | browser:execute  |
+| message             | messaging:write  |
+
+Destructive commands (rm, mv, sudo, chmod) are detected automatically and require separate write-level approval.
+
+### Option 3: Integrate the SDK
 
 For full control over consent screens, spending limits, and action logging, use the SDK directly in your application code.
 

package/dist/multicorn-proxy.js

@@ -704,6 +704,9 @@ async function fetchGrantedScopes(agentId, apiKey, baseUrl) {
   return scopes;
 }
 function openBrowser(url) {
+  if (process.env["NODE_ENV"] === "test" || process.env["VITEST"] === "true") {
+    return;
+  }
   const platform = process.platform;
   const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
   spawn(cmd, [url], { detached: true, stdio: "ignore" }).unref();

package/dist/openclaw-hook/handler.js

@@ -273,6 +273,16 @@ var POLL_INTERVAL_MS2 = 3e3;
 var POLL_TIMEOUT_MS2 = 5 * 60 * 1e3;
 function deriveDashboardUrl(baseUrl) {
   try {
+    const envBase = process.env["MULTICORN_BASE_URL"];
+    if (typeof envBase === "string" && envBase.trim().length > 0) {
+      const trimmed = envBase.trim();
+      if (trimmed.includes("localhost") || trimmed.includes("127.0.0.1")) {
+        baseUrl = /^https?:\/\//i.test(trimmed) ? trimmed : `http://${trimmed}`;
+      }
+    }
+    if (!/^https?:\/\//i.test(baseUrl) && (baseUrl.includes("localhost") || baseUrl.includes("127.0.0.1"))) {
+      baseUrl = `http://${baseUrl}`;
+    }
     const url = new URL(baseUrl);
     if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
       url.port = "5173";
@@ -301,6 +311,9 @@ function buildConsentUrl(agentName, dashboardUrl, scope) {
   return `${base}/consent?${params.toString()}`;
 }
 function openBrowser(url) {
+  if (process.env["NODE_ENV"] === "test" || process.env["VITEST"] === "true") {
+    return;
+  }
   const platform = process.platform;
   const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
   try {
@@ -315,6 +328,7 @@ ${url}
 }
 async function waitForConsent(agentId, agentName, apiKey, baseUrl, scope, logger) {
   const dashboardUrl = deriveDashboardUrl(baseUrl);
+  console.error("[SHIELD] buildConsentUrl baseUrl:", baseUrl);
   const consentUrl = buildConsentUrl(agentName, dashboardUrl, scope);
   process.stderr.write(
     `[multicorn-shield] Opening consent page...

package/dist/openclaw-plugin/index.js

@@ -128,9 +128,6 @@ function isScopesCacheFile(value) {
 // src/openclaw/shield-client.ts
 var REQUEST_TIMEOUT_MS = 5e3;
 var AUTH_HEADER = "X-Multicorn-Key";
-var POLL_INTERVAL_MS = 3e3;
-var MAX_POLLS = 100;
-var POLL_TIMEOUT_MS = POLL_INTERVAL_MS * MAX_POLLS;
 var authErrorLogged = false;
 function isApiSuccess(value) {
   if (typeof value !== "object" || value === null) return false;
@@ -152,11 +149,6 @@ function isPermissionEntry(value) {
   const obj = value;
   return typeof obj["service"] === "string" && typeof obj["read"] === "boolean" && typeof obj["write"] === "boolean" && typeof obj["execute"] === "boolean" && (obj["revoked_at"] === null || typeof obj["revoked_at"] === "string");
 }
-function isApprovalResponse(value) {
-  if (typeof value !== "object" || value === null) return false;
-  const obj = value;
-  return typeof obj["id"] === "string" && typeof obj["status"] === "string" && ["pending", "approved", "rejected", "expired"].includes(obj["status"]) && (obj["decided_at"] === null || typeof obj["decided_at"] === "string");
-}
 function handleHttpError(status, logger, retryDelaySeconds) {
   if (status === 401 || status === 403) {
     if (!authErrorLogged) {
@@ -169,12 +161,7 @@ function handleHttpError(status, logger, retryDelaySeconds) {
     return { shouldBlock: true };
   }
   if (status === 429) {
-    if (retryDelaySeconds !== void 0) {
-      const rateLimitMsg = `[multicorn-shield] Rate limited by Shield API. Retrying in ${String(retryDelaySeconds)}s.`;
-      logger?.warn(rateLimitMsg);
-      process.stderr.write(`${rateLimitMsg}
-`);
-    } else {
+    {
       const rateLimitMsg = "[multicorn-shield] Rate limited by Shield API. Action was not checked \u2014 proceeding with fail-open.";
       logger?.warn(rateLimitMsg);
       process.stderr.write(`${rateLimitMsg}
@@ -272,6 +259,14 @@ async function fetchGrantedScopes(agentId, apiKey, baseUrl, logger) {
 }
 async function checkActionPermission(payload, apiKey, baseUrl, logger) {
   try {
+    const requestBody = {
+      agent: payload.agent,
+      service: payload.service,
+      actionType: payload.actionType,
+      status: payload.status,
+      metadata: payload.metadata
+    };
+    console.error("[SHIELD-CLIENT] POST /api/v1/actions request: " + JSON.stringify(requestBody));
     const response = await fetch(`${baseUrl}/api/v1/actions`, {
       method: "POST",
       headers: {
@@ -282,15 +277,22 @@ async function checkActionPermission(payload, apiKey, baseUrl, logger) {
       signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
     });
     if (response.status === 201) {
+      console.error(
+        "[SHIELD-CLIENT] response status=201, returning approved (body not read - backend may have failed approval creation)"
+      );
       return { status: "approved" };
     }
     if (response.status === 202) {
       const body = await response.json();
-      if (!isApiSuccess(body)) {
+      const data = isApiSuccess(body) ? body.data : null;
+      console.error("[SHIELD-CLIENT] response status=202 body=" + JSON.stringify(data ?? body));
+      if (!isApiSuccess(body) || data === null) {
         return { status: "blocked" };
       }
-      const data = body.data;
-      const approvalId = typeof data["approvalId"] === "string" ? data["approvalId"] : void 0;
+      const approvalId = typeof data["approval_id"] === "string" ? data["approval_id"] : void 0;
+      console.error(
+        "[SHIELD-CLIENT] extracted: status=" + String(data["status"]) + " approval_id=" + (approvalId ?? "undefined")
+      );
       if (approvalId === void 0) {
         return { status: "blocked" };
       }
@@ -309,85 +311,6 @@ async function checkActionPermission(payload, apiKey, baseUrl, logger) {
     return { status: "blocked" };
   }
 }
-async function pollApprovalStatus(approvalId, apiKey, baseUrl, logger) {
-  const startTime = Date.now();
-  const logDebug = logger?.debug?.bind(logger);
-  for (let pollCount = 0; pollCount < MAX_POLLS; pollCount++) {
-    if (Date.now() - startTime >= POLL_TIMEOUT_MS) {
-      return "timeout";
-    }
-    let approval = null;
-    for (let retry = 0; retry < 3; retry++) {
-      try {
-        const response = await fetch(`${baseUrl}/api/v1/approvals/${approvalId}`, {
-          headers: { [AUTH_HEADER]: apiKey },
-          signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
-        });
-        if (!response.ok) {
-          if (response.status === 401 || response.status === 403) {
-            handleHttpError(response.status, logger);
-            return "timeout";
-          }
-          if (response.status === 429 || response.status >= 500 && response.status < 600) {
-            const retryDelay = retry < 2 ? Math.pow(2, retry) : void 0;
-            handleHttpError(response.status, logger, retryDelay);
-          }
-          logDebug?.(
-            `Poll ${String(pollCount + 1)} failed: HTTP ${String(response.status)}. Retrying...`
-          );
-          if (retry < 2) {
-            await new Promise((resolve) => setTimeout(resolve, 1e3 * Math.pow(2, retry)));
-          }
-          continue;
-        }
-        const body = await response.json();
-        if (!isApiSuccess(body)) {
-          logDebug?.(`Poll ${String(pollCount + 1)} failed: invalid response format. Retrying...`);
-          if (retry < 2) {
-            await new Promise((resolve) => setTimeout(resolve, 1e3 * Math.pow(2, retry)));
-          }
-          continue;
-        }
-        const approvalData = body.data;
-        if (!isApprovalResponse(approvalData)) {
-          logDebug?.(`Poll ${String(pollCount + 1)} failed: invalid approval data. Retrying...`);
-          if (retry < 2) {
-            await new Promise((resolve) => setTimeout(resolve, 1e3 * Math.pow(2, retry)));
-          }
-          continue;
-        }
-        approval = approvalData;
-        break;
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        logDebug?.(`Poll ${String(pollCount + 1)} failed: ${errorMessage}. Retrying...`);
-        if (retry < 2) {
-          await new Promise((resolve) => setTimeout(resolve, 1e3 * Math.pow(2, retry)));
-        }
-      }
-    }
-    if (approval !== null) {
-      if (approval.status === "approved") {
-        return "approved";
-      }
-      if (approval.status === "rejected") {
-        return "rejected";
-      }
-      if (approval.status === "expired") {
-        return "expired";
-      }
-      if (pollCount < MAX_POLLS - 1) {
-        await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
-      }
-    } else {
-      logDebug?.(`All retries failed for poll ${String(pollCount + 1)}. Continuing...`);
-      if (pollCount < MAX_POLLS - 1) {
-        await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
-      }
-    }
-  }
-  return "timeout";
-}
 async function logAction(payload, apiKey, baseUrl, logger) {
   try {
     const response = await fetch(`${baseUrl}/api/v1/actions`, {
@@ -412,6 +335,16 @@ var POLL_INTERVAL_MS2 = 3e3;
 var POLL_TIMEOUT_MS2 = 5 * 60 * 1e3;
 function deriveDashboardUrl(baseUrl) {
   try {
+    const envBase = process.env["MULTICORN_BASE_URL"];
+    if (typeof envBase === "string" && envBase.trim().length > 0) {
+      const trimmed = envBase.trim();
+      if (trimmed.includes("localhost") || trimmed.includes("127.0.0.1")) {
+        baseUrl = /^https?:\/\//i.test(trimmed) ? trimmed : `http://${trimmed}`;
+      }
+    }
+    if (!/^https?:\/\//i.test(baseUrl) && (baseUrl.includes("localhost") || baseUrl.includes("127.0.0.1"))) {
+      baseUrl = `http://${baseUrl}`;
+    }
     const url = new URL(baseUrl);
     if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
       url.port = "5173";
@@ -440,6 +373,9 @@ function buildConsentUrl(agentName, dashboardUrl, scope) {
   return `${base}/consent?${params.toString()}`;
 }
 function openBrowser(url) {
+  if (process.env["NODE_ENV"] === "test" || process.env["VITEST"] === "true") {
+    return;
+  }
   const platform = process.platform;
   const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
   try {
@@ -454,6 +390,7 @@ ${url}
 }
 async function waitForConsent(agentId, agentName, apiKey, baseUrl, scope, logger) {
   const dashboardUrl = deriveDashboardUrl(baseUrl);
+  console.error("[SHIELD] buildConsentUrl baseUrl:", baseUrl);
   const consentUrl = buildConsentUrl(agentName, dashboardUrl, scope);
   process.stderr.write(
     `[multicorn-shield] Opening consent page...
@@ -507,11 +444,10 @@ function loadMulticornConfig() {
 }
 function readConfig() {
   const pc = pluginConfig ?? {};
-  const resolvedApiKey = asString(process.env["MULTICORN_API_KEY"]) ?? asString(cachedMulticornConfig?.apiKey) ?? "";
-  const resolvedBaseUrl = asString(process.env["MULTICORN_BASE_URL"]) ?? asString(cachedMulticornConfig?.baseUrl) ?? "https://api.multicorn.ai";
+  const resolvedApiKey = asString(cachedMulticornConfig?.apiKey) ?? asString(process.env["MULTICORN_API_KEY"]) ?? "";
+  const resolvedBaseUrl = asString(cachedMulticornConfig?.baseUrl) ?? asString(process.env["MULTICORN_BASE_URL"]) ?? "https://api.multicorn.ai";
   const agentName = asString(pc["agentName"]) ?? process.env["MULTICORN_AGENT_NAME"] ?? null;
-  const failModeRaw = asString(pc["failMode"]) ?? process.env["MULTICORN_FAIL_MODE"] ?? "open";
-  const failMode = failModeRaw === "closed" ? "closed" : "open";
+  const failMode = "closed";
   return { apiKey: resolvedApiKey, baseUrl: resolvedBaseUrl, agentName, failMode };
 }
 function asString(value) {
@@ -683,110 +619,156 @@ function buildApprovalDescription(agentName, permissionLevel, service, toolName,
   return truncated;
 }
 async function beforeToolCall(event, ctx) {
-  const config = readConfig();
-  if (config.apiKey.length === 0) {
-    pluginLogger?.warn(
-      "Multicorn Shield: No API key found. Run 'npx multicorn-proxy init' or set MULTICORN_API_KEY."
+  try {
+    console.error("[SHIELD] beforeToolCall ENTRY: tool=" + event.toolName);
+    const config = readConfig();
+    console.error(
+      "[SHIELD] config loaded: baseUrl=" + config.baseUrl + " apiKey=" + (config.apiKey ? "present" : "MISSING") + " failMode=" + config.failMode
     );
-    return void 0;
-  }
-  const agentName = resolveAgentName(ctx.sessionKey ?? "", config.agentName);
-  const readiness = await ensureAgent(agentName, config.apiKey, config.baseUrl, config.failMode);
-  if (readiness === "block") {
-    return {
-      block: true,
-      blockReason: "Multicorn Shield could not verify permissions. The Shield API is unreachable and fail-closed mode is enabled."
-    };
-  }
-  if (readiness === "skip") {
-    return void 0;
-  }
-  const command = event.toolName === "exec" && typeof event.params["command"] === "string" ? event.params["command"] : void 0;
-  const mapping = mapToolToScope(event.toolName, command);
-  pluginLogger?.info(
-    `Multicorn Shield: tool=${event.toolName}, service=${mapping.service}, permissionLevel=${mapping.permissionLevel}`
-  );
-  const actionType = mapping.permissionLevel === "write" && event.toolName === "exec" ? "exec_write" : event.toolName;
-  const description = buildApprovalDescription(
-    agentName,
-    mapping.permissionLevel,
-    mapping.service,
-    event.toolName,
-    event.params
-  );
-  const permissionResult = await checkActionPermission(
-    {
-      agent: agentName,
-      service: mapping.service,
-      actionType,
-      status: "approved",
-      // Status doesn't matter for permission check
-      metadata: {
-        description
-      }
-    },
-    config.apiKey,
-    config.baseUrl,
-    pluginLogger ?? void 0
-  );
-  if (permissionResult.status === "approved") {
-    if (agentRecord !== null) {
-      const scopes = await fetchGrantedScopes(
-        agentRecord.id,
-        config.apiKey,
-        config.baseUrl,
-        pluginLogger ?? void 0
+    if (config.apiKey.length === 0) {
+      pluginLogger?.warn(
+        "Multicorn Shield: No API key found. Run 'npx multicorn-proxy init' or set MULTICORN_API_KEY."
       );
-      grantedScopes = scopes;
-      lastScopeRefresh = Date.now();
-      if (scopes.length > 0) {
-        await saveCachedScopes(agentName, agentRecord.id, scopes).catch(() => {
-        });
-      }
+      console.error("[SHIELD] DECISION: allow (no API key)");
+      return void 0;
     }
-    return void 0;
-  }
-  if (permissionResult.status === "pending" && permissionResult.approvalId !== void 0) {
+    const agentName = resolveAgentName(ctx.sessionKey ?? "", config.agentName);
+    const readiness = await ensureAgent(agentName, config.apiKey, config.baseUrl, config.failMode);
+    console.error("[SHIELD] ensureAgent result: " + JSON.stringify(readiness));
+    if (readiness === "block") {
+      const returnValue2 = {
+        block: true,
+        blockReason: "Multicorn Shield could not verify permissions. The Shield API is unreachable and fail-closed mode is enabled."
+      };
+      console.error("[SHIELD] DECISION: " + JSON.stringify(returnValue2));
+      return returnValue2;
+    }
+    if (readiness === "skip") {
+      console.error("[SHIELD] DECISION: allow (skip mode)");
+      return void 0;
+    }
+    const command = event.toolName === "exec" && typeof event.params["command"] === "string" ? event.params["command"] : void 0;
+    const mapping = mapToolToScope(event.toolName, command);
     pluginLogger?.info(
-      `Multicorn Shield: action pending approval (ID: ${permissionResult.approvalId}). Polling for status...`
+      `Multicorn Shield: tool=${event.toolName}, service=${mapping.service}, permissionLevel=${mapping.permissionLevel}`
     );
-    const pollResult = await pollApprovalStatus(
-      permissionResult.approvalId,
+    const actionType = mapping.permissionLevel === "write" && event.toolName === "exec" ? "exec_write" : event.toolName;
+    const description = buildApprovalDescription(
+      agentName,
+      mapping.permissionLevel,
+      mapping.service,
+      event.toolName,
+      event.params
+    );
+    if (grantedScopes.length === 0 && agentRecord !== null) {
+      await ensureConsent(agentName, config.apiKey, config.baseUrl, mapping);
+      console.error("[SHIELD] ensureConsent result: completed (zero-scopes path)");
+    }
+    console.error(
+      "[SHIELD] calling checkActionPermission: service=" + mapping.service + " actionType=" + actionType
+    );
+    const permissionResult = await checkActionPermission(
+      {
+        agent: agentName,
+        service: mapping.service,
+        actionType,
+        status: "approved",
+        // Status doesn't matter for permission check
+        metadata: {
+          description
+        }
+      },
       config.apiKey,
       config.baseUrl,
       pluginLogger ?? void 0
     );
-    if (pollResult === "approved") {
+    console.error("[SHIELD] permission result: " + JSON.stringify(permissionResult));
+    if (permissionResult.status === "approved") {
+      if (agentRecord !== null) {
+        const scopes = await fetchGrantedScopes(
+          agentRecord.id,
+          config.apiKey,
+          config.baseUrl,
+          pluginLogger ?? void 0
+        );
+        grantedScopes = scopes;
+        lastScopeRefresh = Date.now();
+        if (Array.isArray(scopes) && scopes.length > 0) {
+          await saveCachedScopes(agentName, agentRecord.id, scopes).catch(() => {
+          });
+        }
+      }
+      console.error("[SHIELD] DECISION: allow (approved)");
       return void 0;
     }
-    if (pollResult === "rejected") {
-      return {
-        block: true,
-        blockReason: "Action was reviewed and rejected."
-      };
-    }
-    if (pollResult === "expired") {
-      return {
+    if (permissionResult.status === "pending" && permissionResult.approvalId !== void 0) {
+      const dashboardUrl2 = deriveDashboardUrl(config.baseUrl);
+      const returnValue2 = {
         block: true,
-        blockReason: "Approval request expired before a decision was made."
+        blockReason: `Action pending approval. Visit ${dashboardUrl2}approvals to approve or reject, then try again.`
       };
+      console.error("[SHIELD] DECISION: " + JSON.stringify(returnValue2));
+      return returnValue2;
     }
-    return {
-      block: true,
-      blockReason: "Approval request timed out after 5 minutes."
+    const requestedScope = {
+      service: mapping.service,
+      permissionLevel: mapping.permissionLevel
     };
+    if (!hasScope(grantedScopes, requestedScope) && agentRecord !== null) {
+      await ensureConsent(agentName, config.apiKey, config.baseUrl, mapping);
+      console.error("[SHIELD] ensureConsent result: completed (blocked path)");
+      const scopes = await fetchGrantedScopes(
+        agentRecord.id,
+        config.apiKey,
+        config.baseUrl,
+        pluginLogger ?? void 0
+      );
+      grantedScopes = scopes;
+      lastScopeRefresh = Date.now();
+      if (Array.isArray(scopes) && scopes.length > 0) {
+        await saveCachedScopes(agentName, agentRecord.id, scopes).catch(() => {
+        });
+      }
+      const recheckResult = await checkActionPermission(
+        {
+          agent: agentName,
+          service: mapping.service,
+          actionType,
+          status: "approved",
+          metadata: { description }
+        },
+        config.apiKey,
+        config.baseUrl,
+        pluginLogger ?? void 0
+      );
+      if (recheckResult.status === "approved") {
+        const refreshedScopes = await fetchGrantedScopes(
+          agentRecord.id,
+          config.apiKey,
+          config.baseUrl,
+          pluginLogger ?? void 0
+        );
+        grantedScopes = refreshedScopes;
+        lastScopeRefresh = Date.now();
+        if (Array.isArray(refreshedScopes) && refreshedScopes.length > 0) {
+          await saveCachedScopes(agentName, agentRecord.id, refreshedScopes).catch(() => {
+          });
+        }
+        console.error("[SHIELD] DECISION: allow (re-check after consent)");
+        return void 0;
+      }
+    }
+    const capitalizedService = mapping.service.charAt(0).toUpperCase() + mapping.service.slice(1);
+    const dashboardUrl = deriveDashboardUrl(config.baseUrl);
+    const reason = `${capitalizedService} ${mapping.permissionLevel} access is not allowed. Check pending approvals at ${dashboardUrl}/approvals `;
+    const returnValue = { block: true, blockReason: reason };
+    console.error("[SHIELD] DECISION: " + JSON.stringify(returnValue));
+    return returnValue;
+  } catch (e) {
+    console.error("[SHIELD] CRASH in beforeToolCall: " + String(e));
+    console.error("[SHIELD] Stack: " + ((e instanceof Error ? e.stack : void 0) ?? "no stack"));
+    return { block: true, blockReason: "Shield internal error: " + String(e) };
   }
-  const requestedScope = {
-    service: mapping.service,
-    permissionLevel: mapping.permissionLevel
-  };
-  if (!hasScope(grantedScopes, requestedScope) && agentRecord !== null) {
-    await ensureConsent(agentName, config.apiKey, config.baseUrl, mapping);
-  }
-  const capitalizedService = mapping.service.charAt(0).toUpperCase() + mapping.service.slice(1);
-  const dashboardUrl = deriveDashboardUrl(config.baseUrl);
-  const reason = `${capitalizedService} ${mapping.permissionLevel} access is not allowed. Check pending approvals at ${dashboardUrl}/approvals `;
-  return { block: true, blockReason: reason };
 }
 function afterToolCall(event, ctx) {
   const config = readConfig();
@@ -819,6 +801,7 @@ var plugin = {
     pluginLogger = api.logger;
     pluginConfig = api.pluginConfig;
     cachedMulticornConfig = loadMulticornConfig();
+    console.error("[SHIELD-DIAG] cachedMulticornConfig: " + JSON.stringify(cachedMulticornConfig));
     api.on("before_tool_call", beforeToolCall, { priority: 10 });
     api.on("after_tool_call", afterToolCall);
     api.logger.info("Multicorn Shield plugin registered.");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "multicorn-shield",
-  "version": "0.1.9",
+  "version": "0.1.13",
   "description": "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
   "license": "MIT",
   "type": "module",