multicorn-shield 0.11.0 → 0.13.0

package/dist/multicorn-proxy.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { existsSync } from 'fs';
-import { mkdir, writeFile, readFile, copyFile, unlink } from 'fs/promises';
+import { existsSync, statSync } from 'fs';
+import { mkdir, writeFile, readFile, copyFile, chmod, unlink } from 'fs/promises';
 import { join, dirname } from 'path';
 import { homedir } from 'os';
 import { fileURLToPath } from 'url';
@@ -43,6 +43,23 @@ function withSpinner(message) {
     }
   };
 }
+var NativePluginPrerequisiteMissingError = class extends Error {
+  constructor() {
+    super("Native plugin prerequisites not met");
+    this.name = "NativePluginPrerequisiteMissingError";
+  }
+};
+function isExistingDirectory(path) {
+  try {
+    if (!existsSync(path)) return false;
+    return statSync(path).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function nativePluginSkippedSaveNote(wizardCommand, productName) {
+  return "\n" + style.dim("Your agent config has been saved. Run ") + style.cyan(wizardCommand) + style.dim(` again after installing ${productName} to complete hook setup.`) + "\n";
+}
 var CONFIG_DIR = join(homedir(), ".multicorn");
 var CONFIG_PATH = join(CONFIG_DIR, "config.json");
 var OPENCLAW_CONFIG_PATH = join(homedir(), ".openclaw", "openclaw.json");
@@ -426,6 +443,18 @@ async function installWindsurfNativeHooks() {
       `Could not find Shield Windsurf hook scripts at ${srcPre}. If you use npm, install the latest multicorn-shield package.`
     );
   }
+  const windsurfConfigDir = join(homedir(), ".codeium", "windsurf");
+  if (!isExistingDirectory(windsurfConfigDir)) {
+    process.stderr.write(
+      style.yellow("\u26A0") + "  Windsurf does not appear to be installed (~/.codeium/windsurf/ not found).\n\n"
+    );
+    process.stderr.write(
+      "Open Windsurf at least once so this folder exists, or install from:\n  " + style.cyan("https://windsurf.com/download") + "\n\n"
+    );
+    process.stderr.write("Then run this wizard again:\n");
+    process.stderr.write("  " + style.cyan("npx multicorn-proxy init") + "\n");
+    throw new NativePluginPrerequisiteMissingError();
+  }
   const installDir = getWindsurfHooksInstallDir();
   await mkdir(installDir, { recursive: true });
   const destPre = join(installDir, "pre-action.cjs");
@@ -473,19 +502,302 @@ async function installWindsurfNativeHooks() {
   await mkdir(hooksDir, { recursive: true });
   await writeFile(hooksPath, JSON.stringify(base, null, 2) + "\n", { encoding: "utf8" });
 }
-var PLATFORM_LABELS = ["OpenClaw", "Claude Code", "Cursor", "Windsurf", "Local MCP / Other"];
+function getClineHooksInstallDir() {
+  return join(homedir(), ".multicorn", "cline-hooks");
+}
+function getClineGlobalHooksDir() {
+  return join(homedir(), "Documents", "Cline", "Hooks");
+}
+async function installClineNativeHooks() {
+  const root = multicornShieldPackageRoot();
+  const srcPre = join(root, "plugins", "cline", "hooks", "scripts", "pre-tool-use.cjs");
+  const srcPost = join(root, "plugins", "cline", "hooks", "scripts", "post-tool-use.cjs");
+  const srcShared = join(root, "plugins", "cline", "hooks", "scripts", "shared.cjs");
+  if (!existsSync(srcPre) || !existsSync(srcPost) || !existsSync(srcShared)) {
+    throw new Error(
+      `Could not find Shield Cline hook scripts at ${srcPre}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const clineDocsDir = join(homedir(), "Documents", "Cline");
+  if (!isExistingDirectory(clineDocsDir)) {
+    process.stderr.write(
+      style.yellow("\u26A0") + "  Cline does not appear to be installed (~/Documents/Cline/ not found).\n\n"
+    );
+    process.stderr.write("Install the Cline VS Code extension first. See:\n");
+    process.stderr.write(
+      "  " + style.cyan("https://docs.cline.bot/getting-started/installing-cline") + "\n\n"
+    );
+    process.stderr.write("Then run this wizard again:\n");
+    process.stderr.write("  " + style.cyan("npx multicorn-shield init") + "\n");
+    throw new NativePluginPrerequisiteMissingError();
+  }
+  const installDir = getClineHooksInstallDir();
+  await mkdir(installDir, { recursive: true });
+  const destPre = join(installDir, "pre-tool-use.cjs");
+  const destPost = join(installDir, "post-tool-use.cjs");
+  const destShared = join(installDir, "shared.cjs");
+  await copyFile(srcPre, destPre);
+  await copyFile(srcPost, destPost);
+  await copyFile(srcShared, destShared);
+  const hookScriptMode = 493;
+  await chmod(destPre, hookScriptMode);
+  await chmod(destPost, hookScriptMode);
+  await chmod(destShared, hookScriptMode);
+  const hooksDir = getClineGlobalHooksDir();
+  await mkdir(hooksDir, { recursive: true });
+  const preWrapper = join(hooksDir, "PreToolUse");
+  const postWrapper = join(hooksDir, "PostToolUse");
+  const preContent = `#!/usr/bin/env node
+require(${JSON.stringify(destPre)});
+`;
+  const postContent = `#!/usr/bin/env node
+require(${JSON.stringify(destPost)});
+`;
+  await writeFile(preWrapper, preContent, { encoding: "utf8", mode: 493 });
+  await writeFile(postWrapper, postContent, { encoding: "utf8", mode: 493 });
+}
+async function promptClineIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("Cline integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin (recommended) - Cline Hooks see every file, terminal, browser, and MCP action\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP traffic only (paste proxy URL into Cline MCP settings)\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
+function getGeminiCliHooksInstallDir() {
+  return join(homedir(), ".multicorn", "gemini-cli-hooks");
+}
+function getGeminiCliSettingsPath() {
+  return join(homedir(), ".gemini", "settings.json");
+}
+function geminiInnerHooksReferenceShield(inner, multicornName) {
+  if (!Array.isArray(inner)) return false;
+  for (const h of inner) {
+    if (typeof h !== "object" || h === null) continue;
+    const rec = h;
+    if (rec["name"] === multicornName) return true;
+    const cmd = rec["command"];
+    if (typeof cmd === "string" && cmd.includes("gemini-cli-hooks")) return true;
+  }
+  return false;
+}
+function geminiHookEventsReferenceShield(arr) {
+  if (!Array.isArray(arr)) return false;
+  for (const entry of arr) {
+    if (typeof entry !== "object" || entry === null) continue;
+    const hooks = entry["hooks"];
+    if (geminiInnerHooksReferenceShield(hooks, "multicorn-shield") || geminiInnerHooksReferenceShield(hooks, "multicorn-shield-log")) {
+      return true;
+    }
+  }
+  return false;
+}
+function geminiSettingsHasMulticornHooks(hooks) {
+  if (hooks === null || typeof hooks !== "object" || Array.isArray(hooks)) return false;
+  const h = hooks;
+  return geminiHookEventsReferenceShield(h["BeforeTool"]) || geminiHookEventsReferenceShield(h["AfterTool"]);
+}
+function geminiFilterInnerHooks(inner) {
+  if (!Array.isArray(inner)) return [];
+  return inner.filter((h) => {
+    if (typeof h !== "object" || h === null) return true;
+    const rec = h;
+    if (rec["name"] === "multicorn-shield" || rec["name"] === "multicorn-shield-log") return false;
+    const cmd = rec["command"];
+    if (typeof cmd === "string" && cmd.includes("gemini-cli-hooks")) return false;
+    return true;
+  });
+}
+function geminiStripMatcherGroups(arr) {
+  if (!Array.isArray(arr)) return [];
+  const out = [];
+  for (const entry of arr) {
+    if (typeof entry !== "object" || entry === null) continue;
+    const e = entry;
+    const filtered = geminiFilterInnerHooks(e["hooks"]);
+    if (filtered.length > 0) {
+      out.push({ ...e, hooks: filtered });
+    }
+  }
+  return out;
+}
+function geminiStripMulticornHookEntries(hooks) {
+  const out = { ...hooks };
+  out["BeforeTool"] = geminiStripMatcherGroups(out["BeforeTool"]);
+  out["AfterTool"] = geminiStripMatcherGroups(out["AfterTool"]);
+  return out;
+}
+async function installGeminiCliNativeHooks(ask) {
+  const root = multicornShieldPackageRoot();
+  const srcBefore = join(root, "plugins", "gemini-cli", "hooks", "scripts", "before-tool.cjs");
+  const srcAfter = join(root, "plugins", "gemini-cli", "hooks", "scripts", "after-tool.cjs");
+  const srcShared = join(root, "plugins", "gemini-cli", "hooks", "scripts", "shared.cjs");
+  if (!existsSync(srcBefore) || !existsSync(srcAfter) || !existsSync(srcShared)) {
+    throw new Error(
+      `Could not find Shield Gemini CLI hook scripts at ${srcBefore}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const geminiConfigDir = join(homedir(), ".gemini");
+  if (!isExistingDirectory(geminiConfigDir)) {
+    process.stderr.write(
+      style.yellow("\u26A0") + "  Gemini CLI does not appear to be installed (~/.gemini/ not found).\n\n"
+    );
+    process.stderr.write("Install Gemini CLI first:\n");
+    process.stderr.write("  " + style.cyan("npm install -g @google/gemini-cli") + "\n\n");
+    process.stderr.write("Then run this wizard again:\n");
+    process.stderr.write("  " + style.cyan("npx multicorn-shield init") + "\n");
+    throw new NativePluginPrerequisiteMissingError();
+  }
+  const installDir = getGeminiCliHooksInstallDir();
+  await mkdir(installDir, { recursive: true });
+  const destBefore = join(installDir, "before-tool.cjs");
+  const destAfter = join(installDir, "after-tool.cjs");
+  const destShared = join(installDir, "shared.cjs");
+  await copyFile(srcBefore, destBefore);
+  await copyFile(srcAfter, destAfter);
+  await copyFile(srcShared, destShared);
+  const mode = 493;
+  await chmod(destBefore, mode);
+  await chmod(destAfter, mode);
+  await chmod(destShared, mode);
+  const settingsPath = getGeminiCliSettingsPath();
+  let existing = {};
+  try {
+    const rawText = await readFile(settingsPath, "utf8");
+    const parsed = JSON.parse(rawText);
+    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
+      existing = parsed;
+    }
+  } catch (err) {
+    if (isErrnoException(err) && err.code === "ENOENT") {
+      existing = {};
+    } else {
+      process.stderr.write(
+        style.yellow("\u26A0") + ` Could not parse ${settingsPath}. Create valid JSON or remove the file, then run init again.
+`
+      );
+      throw new Error(`Invalid Gemini CLI settings at ${settingsPath}`);
+    }
+  }
+  const hooksRaw = existing["hooks"];
+  const hooksObj = typeof hooksRaw === "object" && hooksRaw !== null && !Array.isArray(hooksRaw) ? hooksRaw : {};
+  if (geminiSettingsHasMulticornHooks(hooksObj)) {
+    const answer = await ask(
+      "Existing Multicorn Shield hooks were found in ~/.gemini/settings.json. Overwrite? (Y/n) "
+    );
+    if (answer.trim().toLowerCase() === "n") {
+      throw new Error("Installation cancelled: existing Shield hooks left unchanged.");
+    }
+  }
+  const cleaned = geminiStripMulticornHookEntries({ ...hooksObj });
+  const beforeArr = Array.isArray(cleaned["BeforeTool"]) ? [...cleaned["BeforeTool"]] : [];
+  const afterArr = Array.isArray(cleaned["AfterTool"]) ? [...cleaned["AfterTool"]] : [];
+  const beforeCmd = `node ${destBefore}`;
+  const afterCmd = `node ${destAfter}`;
+  beforeArr.push({
+    matcher: ".*",
+    hooks: [
+      {
+        type: "command",
+        name: "multicorn-shield",
+        command: beforeCmd,
+        timeout: 6e4
+      }
+    ]
+  });
+  afterArr.push({
+    matcher: ".*",
+    hooks: [
+      {
+        type: "command",
+        name: "multicorn-shield-log",
+        command: afterCmd,
+        timeout: 1e4
+      }
+    ]
+  });
+  existing["hooks"] = {
+    ...cleaned,
+    BeforeTool: beforeArr,
+    AfterTool: afterArr
+  };
+  await mkdir(dirname(settingsPath), { recursive: true });
+  await writeFile(settingsPath, JSON.stringify(existing, null, 2) + "\n", "utf8");
+}
+async function promptGeminiCliIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("Gemini CLI integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin (recommended) - Gemini CLI Hooks see every file, terminal, web, and MCP action\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP traffic only (paste proxy URL into Gemini CLI settings)\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
+function getClaudeDesktopConfigPath() {
+  switch (process.platform) {
+    case "win32":
+      return join(
+        process.env["APPDATA"] ?? join(homedir(), "AppData", "Roaming"),
+        "Claude",
+        "claude_desktop_config.json"
+      );
+    case "linux":
+      return join(homedir(), ".config", "Claude", "claude_desktop_config.json");
+    default:
+      return join(
+        homedir(),
+        "Library",
+        "Application Support",
+        "Claude",
+        "claude_desktop_config.json"
+      );
+  }
+}
+var PLATFORM_LABELS = [
+  "OpenClaw",
+  "Claude Code",
+  "Cursor",
+  "Windsurf",
+  "Cline",
+  "Claude Desktop",
+  "Gemini CLI",
+  "Local MCP / Other"
+];
 var PLATFORM_BY_SELECTION = {
   1: "openclaw",
   2: "claude-code",
   3: "cursor",
   4: "windsurf",
-  5: "other-mcp"
+  5: "cline",
+  6: "claude-desktop",
+  7: "gemini-cli",
+  8: "other-mcp"
 };
 var DEFAULT_AGENT_NAMES = {
   openclaw: "my-openclaw-agent",
   "claude-code": "my-claude-code-agent",
   cursor: "my-cursor-agent",
-  windsurf: "my-windsurf-agent"
+  windsurf: "my-windsurf-agent",
+  cline: "my-cline-agent",
+  "claude-desktop": "my-claude-desktop-agent",
+  "gemini-cli": "my-gemini-cli-agent"
 };
 async function promptPlatformSelection(ask) {
   process.stderr.write(
@@ -505,13 +817,13 @@ async function promptPlatformSelection(ask) {
     );
   }
   process.stderr.write(
-    style.dim("     Pick 5 if you want to wrap a local MCP server with multicorn-proxy --wrap.") + "\n"
+    style.dim("     Pick 8 if you want to wrap a local MCP server with multicorn-proxy --wrap.") + "\n"
   );
   let selection = 0;
   while (selection === 0) {
-    const input = await ask("Select (1-5): ");
+    const input = await ask("Select (1-8): ");
     const num = parseInt(input.trim(), 10);
-    if (num >= 1 && num <= 5) {
+    if (num >= 1 && num <= 8) {
       selection = num;
     }
   }
@@ -520,10 +832,10 @@ async function promptPlatformSelection(ask) {
 async function promptWindsurfIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Windsurf integration") + "\n");
   process.stderr.write(
-    "  " + style.violet("1") + ". Native plugin (recommended) \u2014 Cascade Hooks see every file, terminal, and MCP action\n"
+    "  " + style.violet("1") + ". Native plugin (recommended) - Cascade Hooks see every file, terminal, and MCP action\n"
   );
   process.stderr.write(
-    "  " + style.violet("2") + ". Hosted proxy \u2014 govern MCP traffic only (paste proxy URL into mcp_config)\n"
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP traffic only (paste proxy URL into mcp_config)\n"
   );
   let choice = 0;
   while (choice === 0) {
@@ -632,9 +944,9 @@ async function createProxyConfig(baseUrl, apiKey, agentName, targetUrl, serverNa
   return typeof data?.["proxy_url"] === "string" ? data["proxy_url"] : "";
 }
 function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
-  const usesInlineKey = platform === "cursor" || platform === "windsurf";
+  const usesInlineKey = platform === "cursor" || platform === "claude-desktop" || platform === "windsurf" || platform === "cline" || platform === "gemini-cli";
   const authHeader = usesInlineKey ? `Bearer ${apiKey}` : "Bearer YOUR_SHIELD_API_KEY";
-  const urlKey = platform === "windsurf" ? "serverUrl" : "url";
+  const urlKey = platform === "windsurf" ? "serverUrl" : platform === "gemini-cli" ? "httpUrl" : "url";
   const mcpSnippet = JSON.stringify(
     {
       mcpServers: {
@@ -653,10 +965,35 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     process.stderr.write("\n" + style.dim("Add this to your OpenClaw agent config:") + "\n\n");
   } else if (platform === "claude-code") {
     process.stderr.write("\n" + style.dim("Add this to your Claude Code MCP config:") + "\n\n");
+  } else if (platform === "claude-desktop") {
+    process.stderr.write("\n" + style.dim(`Add this to ${getClaudeDesktopConfigPath()}:`) + "\n\n");
   } else if (platform === "windsurf") {
     process.stderr.write(
       "\n" + style.dim("Add this to ~/.codeium/windsurf/mcp_config.json:") + "\n\n"
     );
+  } else if (platform === "cline") {
+    process.stderr.write("\n" + style.dim("Add this to your Cline MCP settings file:") + "\n");
+    process.stderr.write(
+      style.dim(
+        "  macOS: ~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json"
+      ) + "\n"
+    );
+    process.stderr.write(
+      style.dim(
+        "  Windows: %APPDATA%\\Code\\User\\globalStorage\\saoudrizwan.claude-dev\\settings\\cline_mcp_settings.json"
+      ) + "\n"
+    );
+    process.stderr.write(
+      style.dim(
+        "  Linux: ~/.config/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json"
+      ) + "\n\n"
+    );
+  } else if (platform === "gemini-cli") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "Add this to ~/.gemini/settings.json (create the file if it does not exist). For project-specific config, use .gemini/settings.json in your project root. Restart Gemini CLI after saving. Run /mcp to verify the server is connected."
+      ) + "\n\n"
+    );
   } else {
     process.stderr.write("\n" + style.dim("Add this to ~/.cursor/mcp.json:") + "\n\n");
   }
@@ -680,6 +1017,16 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
       ) + "\n"
     );
   }
+  if (platform === "claude-desktop") {
+    process.stderr.write(style.dim("Then restart Claude Desktop to load the MCP server.") + "\n");
+  }
+  if (platform === "cline") {
+    process.stderr.write(
+      style.dim(
+        "After pasting, restart Cline or reload the VS Code window. Cline will discover the Shield tools automatically."
+      ) + "\n"
+    );
+  }
   if (platform === "windsurf") {
     process.stderr.write(style.dim("Then restart Windsurf (Cmd/Ctrl+Q, then reopen).") + "\n");
     process.stderr.write(
@@ -774,10 +1121,11 @@ async function runInit(explicitBaseUrl) {
   };
   let configuring = true;
   while (configuring) {
+    let postSaveNativeSkipNote = null;
     const selection = await promptPlatformSelection(ask);
     const selectedPlatform = PLATFORM_BY_SELECTION[selection] ?? "cursor";
     const selectedLabel = PLATFORM_LABELS[selection - 1] ?? "Cursor";
-    if (selection === 5) {
+    if (selection === 8) {
       const raw = existing !== null ? { ...existing } : {};
       raw["apiKey"] = apiKey;
       raw["baseUrl"] = resolvedBaseUrl;
@@ -956,8 +1304,22 @@ An agent for ${selectedLabel} already exists: ${style.cyan(existingForPlatform.n
           });
           setupSucceeded = true;
         } catch (error) {
-          const detail = error instanceof Error ? error.message : String(error);
-          process.stderr.write(style.red("\u2717 ") + detail + "\n");
+          if (error instanceof NativePluginPrerequisiteMissingError) {
+            postSaveNativeSkipNote = nativePluginSkippedSaveNote(
+              "npx multicorn-proxy init",
+              "Windsurf"
+            );
+            configuredAgents.push({
+              selection,
+              platform: selectedPlatform,
+              platformLabel: selectedLabel,
+              agentName
+            });
+            setupSucceeded = true;
+          } else {
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(style.red("\u2717 ") + detail + "\n");
+          }
         }
       } else {
         const { targetUrl, shortName } = await promptProxyConfig(ask, agentName);
@@ -1001,6 +1363,170 @@ An agent for ${selectedLabel} already exists: ${style.cyan(existingForPlatform.n
           setupSucceeded = true;
         }
       }
+    } else if (selection === 7) {
+      const geminiMode = await promptGeminiCliIntegrationMode(ask);
+      if (geminiMode === "native") {
+        try {
+          await installGeminiCliNativeHooks(ask);
+          process.stderr.write("\n" + style.bold("Shield Gemini CLI hooks installed") + "\n\n");
+          process.stderr.write(
+            style.dim("Hook scripts: ") + style.cyan(getGeminiCliHooksInstallDir()) + "\n"
+          );
+          process.stderr.write(
+            style.dim("Settings updated at ") + style.cyan("~/.gemini/settings.json") + "\n"
+          );
+          process.stderr.write(
+            style.dim(
+              "The Shield hook runs with your user permissions. It intercepts Gemini CLI tool calls to check permissions and log activity. Review the scripts if that is a concern."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            geminiCliIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          if (error instanceof NativePluginPrerequisiteMissingError) {
+            postSaveNativeSkipNote = nativePluginSkippedSaveNote(
+              "npx multicorn-shield init",
+              "Gemini CLI"
+            );
+            configuredAgents.push({
+              selection,
+              platform: selectedPlatform,
+              platformLabel: selectedLabel,
+              agentName
+            });
+            setupSucceeded = true;
+          } else {
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(style.red("\u2717 ") + detail + "\n");
+          }
+        }
+      } else {
+        const { targetUrl, shortName } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write("  " + style.cyan(proxyUrl) + "\n");
+          printPlatformSnippet(selectedPlatform, proxyUrl, shortName, apiKey);
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            geminiCliIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
+    } else if (selection === 5) {
+      const clineMode = await promptClineIntegrationMode(ask);
+      if (clineMode === "native") {
+        try {
+          await installClineNativeHooks();
+          process.stderr.write("\n" + style.bold("Shield Cline hooks installed") + "\n\n");
+          process.stderr.write(
+            style.dim(
+              "The Shield hook runs with your user permissions. It intercepts Cline tool calls to check permissions and log activity. Review the scripts under "
+            ) + style.cyan("~/.multicorn/cline-hooks") + style.dim(" if that is a concern.") + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            clineIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          if (error instanceof NativePluginPrerequisiteMissingError) {
+            postSaveNativeSkipNote = nativePluginSkippedSaveNote(
+              "npx multicorn-shield init",
+              "Cline"
+            );
+            configuredAgents.push({
+              selection,
+              platform: selectedPlatform,
+              platformLabel: selectedLabel,
+              agentName
+            });
+            setupSucceeded = true;
+          } else {
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(style.red("\u2717 ") + detail + "\n");
+          }
+        }
+      } else {
+        const { targetUrl, shortName } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write("  " + style.cyan(proxyUrl) + "\n");
+          printPlatformSnippet(selectedPlatform, proxyUrl, shortName, apiKey);
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            clineIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
     } else {
       const { targetUrl, shortName } = await promptProxyConfig(ask, agentName);
       let proxyUrl = "";
@@ -1059,9 +1585,14 @@ An agent for ${selectedLabel} already exists: ${style.cyan(existingForPlatform.n
           style.green("\u2713") + ` Config saved to ${style.cyan(CONFIG_PATH)}
 `
         );
+        if (postSaveNativeSkipNote != null) {
+          process.stderr.write(postSaveNativeSkipNote);
+          postSaveNativeSkipNote = null;
+        }
       } catch (error) {
         const detail = error instanceof Error ? error.message : String(error);
         process.stderr.write(style.red(`Failed to save config: ${detail}`) + "\n");
+        postSaveNativeSkipNote = null;
       }
     }
     const another = await ask("\nConnect another agent? (Y/n) ");
@@ -1119,6 +1650,38 @@ An agent for ${selectedLabel} already exists: ${style.cyan(existingForPlatform.n
         "\n" + style.bold("To complete your Windsurf hosted-proxy setup:") + "\n  1. If you don't have Windsurf yet, download it from " + style.cyan("https://windsurf.com/download") + "\n  2. Open " + style.cyan("~/.codeium/windsurf/mcp_config.json") + " and paste the config snippet shown above\n  3. Restart Windsurf (or launch it for the first time) to load the new MCP server\n"
       );
     }
+    const clineNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "cline" && a.clineIntegration === "native"
+    );
+    const clineHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "cline" && a.clineIntegration === "hosted"
+    );
+    if (clineNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("To complete native Cline (Shield) setup:") + "\n  1. Enable Hooks in Cline: open VS Code, click the Cline sidebar icon, click the gear icon,\n     scroll down to the Advanced section, and toggle Hooks on.\n  2. Reload the VS Code window (Cmd+Shift+P > Reload Window)\n  3. Trigger any tool call to verify Shield is intercepting\n"
+      );
+    }
+    if (clineHostedConfigured) {
+      blocks.push(
+        "\n" + style.bold("To complete your Cline hosted-proxy setup:") + "\n  1. If you don't have Cline yet, install it from the VS Code marketplace\n  2. Open your Cline MCP settings file and paste the config snippet shown above\n  3. Restart Cline or reload the VS Code window\n"
+      );
+    }
+    const geminiCliNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "gemini-cli" && a.geminiCliIntegration === "native"
+    );
+    const geminiCliHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "gemini-cli" && a.geminiCliIntegration === "hosted"
+    );
+    if (geminiCliNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("Gemini CLI native hooks:") + "\n  Your Gemini CLI hooks are installed. Restart Gemini CLI to activate Shield governance.\n"
+      );
+    }
+    if (geminiCliHostedConfigured) {
+      blocks.push(
+        "\n" + style.bold("To complete your Gemini CLI setup:") + "\n  1. Open " + style.cyan("~/.gemini/settings.json") + "\n  2. Paste the config snippet shown above\n  3. Restart Gemini CLI, then run /mcp to verify\n"
+      );
+    }
     if (blocks.length > 0) {
       process.stderr.write("\n" + style.bold(style.violet("Next steps")) + "\n");
       process.stderr.write(blocks.join("") + "\n");