multicorn-shield 0.2.2 → 0.4.0

package/dist/shield-extension.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
 import { mkdirSync, appendFileSync } from 'fs';
+import { readFile, mkdir, writeFile, unlink } from 'fs/promises';
 import { homedir } from 'os';
 import { join } from 'path';
 import process3 from 'process';
 import 'stream';
 import { spawn } from 'child_process';
 import { createHash } from 'crypto';
-import { readFile, mkdir, writeFile, unlink } from 'fs/promises';
 import 'readline';
 
 // Multicorn Shield Claude Desktop Extension - https://multicorn.ai
@@ -22008,6 +22008,10 @@ async function saveCachedScopes(agentName, agentId, scopes, apiKey) {
 function isScopesCacheFile(value) {
   return typeof value === "object" && value !== null;
 }
+
+// src/proxy/consent.ts
+var CONSENT_POLL_INTERVAL_MS = 3e3;
+var CONSENT_POLL_TIMEOUT_MS = 5 * 60 * 1e3;
 function deriveDashboardUrl(baseUrl) {
   try {
     const url2 = new URL(baseUrl);
@@ -22132,11 +22136,36 @@ function openBrowser(url2) {
   const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
   spawn(cmd, [url2], { detached: true, stdio: "ignore" }).unref();
 }
+async function waitForConsent(agentId, agentName, apiKey, baseUrl, dashboardUrl, logger, scope, platform) {
+  const scopeStrings = scope ? [`${scope.service}:${scope.permissionLevel}`] : detectScopeHints();
+  const consentUrl = buildConsentUrl(agentName, scopeStrings, dashboardUrl, platform);
+  logger.info("Opening consent page in your browser.", { url: consentUrl });
+  process.stderr.write(
+    `
+Action requires permission. Opening consent page...
+${consentUrl}
+
+Waiting for you to grant access in the Multicorn dashboard...
+`
+  );
+  openBrowser(consentUrl);
+  const deadline = Date.now() + CONSENT_POLL_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    await sleep(CONSENT_POLL_INTERVAL_MS);
+    const scopes = await fetchGrantedScopes(agentId, apiKey, baseUrl);
+    if (scopes.length > 0) {
+      logger.info("Permissions granted.", { agent: agentName, scopeCount: scopes.length });
+      return scopes;
+    }
+  }
+  throw new Error(
+    `Consent not granted within ${String(CONSENT_POLL_TIMEOUT_MS / 6e4)} minutes. Grant access at ${dashboardUrl} and restart the proxy.`
+  );
+}
 async function resolveAgentRecord(agentName, apiKey, baseUrl, logger, platform) {
   const cachedScopes = await loadCachedScopes(agentName, apiKey);
   if (cachedScopes !== null && cachedScopes.length > 0) {
     logger.debug("Loaded scopes from cache.", { agent: agentName, count: cachedScopes.length });
-    return { id: "", name: agentName, scopes: cachedScopes };
   }
   let agent = await findAgentByName(agentName, apiKey, baseUrl);
   if (agent?.authInvalid) {
@@ -22153,6 +22182,10 @@ async function resolveAgentRecord(agentName, apiKey, baseUrl, logger, platform)
         return { id: "", name: agentName, scopes: [], authInvalid: true };
       }
       const detail = error2 instanceof Error ? error2.message : String(error2);
+      if (cachedScopes !== null && cachedScopes.length > 0) {
+        logger.warn("Service unreachable. Using cached scopes.", { error: detail });
+        return { id: "", name: agentName, scopes: cachedScopes };
+      }
       logger.warn("Could not reach Multicorn service. Running with empty permissions.", {
         error: detail
       });
@@ -22176,6 +22209,12 @@ function buildConsentUrl(agentName, scopes, dashboardUrl, platform) {
   }
   return `${base}/consent?${params.toString()}`;
 }
+function detectScopeHints() {
+  return [];
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 function isApiSuccessResponse(value) {
   if (typeof value !== "object" || value === null) return false;
   const obj = value;
@@ -22246,6 +22285,23 @@ function isMcpServerEntry(value) {
   }
   return true;
 }
+function isShieldExtensionEntry(serverKey, entry) {
+  const key = serverKey.trim().toLowerCase();
+  if (key === "multicorn-shield") {
+    return true;
+  }
+  const argBlob = entry.args.join(" ").toLowerCase();
+  if (argBlob.includes("shield-extension")) {
+    return true;
+  }
+  if (entry.command.toLowerCase().includes("shield-extension")) {
+    return true;
+  }
+  if (entry.env?.["MULTICORN_SHIELD_EXTENSION"] === "1") {
+    return true;
+  }
+  return false;
+}
 async function readClaudeDesktopMcpConfig() {
   const configPath = getClaudeDesktopConfigPath();
   let raw;
@@ -22302,7 +22358,7 @@ async function writeExtensionBackup(claudeDesktopConfigPath, mcpServers) {
 
 // package.json
 var package_default = {
-  version: "0.2.2"};
+  version: "0.4.0"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;
@@ -22506,7 +22562,7 @@ var ProxySession = class {
     this.nextId = 1;
     this.sessionId = null;
     this.closed = false;
-    this.proxyUrl = proxyUrl;
+    this.proxyUrl = proxyUrl.replace(/\/+$/, "") + "/mcp";
     this.apiKey = apiKey;
     this.requestTimeoutMs = options?.requestTimeoutMs ?? 6e4;
   }
@@ -22753,6 +22809,386 @@ function resultSuggestsConsentNeeded(result) {
   const t = first.text;
   return t.includes("Action blocked by Multicorn Shield") || t.includes("does not have") && t.includes("access to") || t.includes("Configure permissions at");
 }
+
+// src/types/index.ts
+var PERMISSION_LEVELS = {
+  Read: "read",
+  Write: "write",
+  Execute: "execute",
+  Publish: "publish",
+  Create: "create"
+};
+
+// src/scopes/scope-parser.ts
+var VALID_PERMISSION_LEVELS = new Set(Object.values(PERMISSION_LEVELS));
+[...VALID_PERMISSION_LEVELS].join(", ");
+function formatScope(scope) {
+  return `${scope.permissionLevel}:${scope.service}`;
+}
+
+// src/scopes/scope-validator.ts
+function validateScopeAccess(grantedScopes, requested) {
+  const isGranted = grantedScopes.some(
+    (granted) => granted.service === requested.service && granted.permissionLevel === requested.permissionLevel
+  );
+  if (isGranted) {
+    return { allowed: true };
+  }
+  const serviceScopes = grantedScopes.filter((g) => g.service === requested.service);
+  if (serviceScopes.length > 0) {
+    const grantedLevels = serviceScopes.map((g) => `"${g.permissionLevel}"`).join(", ");
+    return {
+      allowed: false,
+      reason: `Permission "${requested.permissionLevel}" is not granted for service "${requested.service}". Currently granted permission level(s): ${grantedLevels}. Requested scope "${formatScope(requested)}" requires explicit consent.`
+    };
+  }
+  return {
+    allowed: false,
+    reason: `No permissions granted for service "${requested.service}". The agent has not been authorised to access this service. Request scope "${formatScope(requested)}" via the consent screen.`
+  };
+}
+function hasScope(grantedScopes, requested) {
+  return grantedScopes.some(
+    (granted) => granted.service === requested.service && granted.permissionLevel === requested.permissionLevel
+  );
+}
+
+// src/logger/action-logger.ts
+function createActionLogger(config2) {
+  if (!config2.apiKey || config2.apiKey.trim().length === 0) {
+    throw new Error(
+      "[ActionLogger] API key is required. Provide it via the 'apiKey' config option."
+    );
+  }
+  const baseUrl = config2.baseUrl ?? "https://api.multicorn.ai";
+  const timeout = config2.timeout ?? 5e3;
+  if (!baseUrl.startsWith("https://") && !baseUrl.startsWith("http://localhost")) {
+    throw new Error(
+      `[ActionLogger] Base URL must use HTTPS for security. Received: "${baseUrl}". Use https:// or http://localhost for local development.`
+    );
+  }
+  const endpoint = `${baseUrl}/api/v1/actions`;
+  const batchEnabled = config2.batchMode?.enabled ?? false;
+  const maxBatchSize = config2.batchMode?.maxSize ?? 10;
+  const flushInterval = config2.batchMode?.flushIntervalMs ?? 5e3;
+  const queue = [];
+  let flushTimer;
+  let isShutdown = false;
+  async function sendActions(actions) {
+    if (actions.length === 0) return;
+    const convertAction = (action) => ({
+      agent: action.agent,
+      service: action.service,
+      actionType: action.actionType,
+      status: action.status,
+      ...action.cost !== void 0 ? { cost: action.cost } : {},
+      ...action.metadata !== void 0 ? { metadata: action.metadata } : {}
+    });
+    const convertedActions = actions.map(convertAction);
+    const payload = batchEnabled ? { actions: convertedActions } : convertedActions[0];
+    let lastError;
+    for (let attempt = 0; attempt < 2; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => {
+          controller.abort();
+        }, timeout);
+        const response = await fetch(endpoint, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "X-Multicorn-Key": config2.apiKey
+          },
+          body: JSON.stringify(payload),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (response.ok) {
+          return;
+        }
+        if (response.status >= 400 && response.status < 500) {
+          const body = await response.text().catch(() => "");
+          throw new Error(
+            `[ActionLogger] Client error (${String(response.status)}): ${response.statusText}. Response: ${body}. Check your API key and payload format.`
+          );
+        }
+        if (response.status >= 500 && attempt === 0) {
+          lastError = new Error(
+            `[ActionLogger] Server error (${String(response.status)}): ${response.statusText}. Retrying once...`
+          );
+          await sleep2(100 * Math.pow(2, attempt));
+          continue;
+        }
+        throw new Error(
+          `[ActionLogger] Server error (${String(response.status)}) after retry: ${response.statusText}. Multicorn API may be experiencing issues.`
+        );
+      } catch (error2) {
+        if (error2 instanceof Error) {
+          if (error2.name === "AbortError") {
+            lastError = new Error(
+              `[ActionLogger] Request timeout after ${String(timeout)}ms. Increase the 'timeout' config option or check your network connection.`
+            );
+          } else if (error2.message.includes("Client error") || error2.message.includes("Server error")) {
+            lastError = error2;
+          } else {
+            lastError = new Error(
+              `[ActionLogger] Network error: ${error2.message}. Check your network connection and API endpoint.`
+            );
+          }
+        } else {
+          lastError = new Error(`[ActionLogger] Unknown error: ${String(error2)}`);
+        }
+        if (attempt === 0 && !lastError.message.includes("Client error")) {
+          await sleep2(100 * Math.pow(2, attempt));
+          continue;
+        }
+        break;
+      }
+    }
+    if (lastError) {
+      if (config2.onError) {
+        config2.onError(lastError);
+      }
+    }
+  }
+  async function flushQueue() {
+    if (queue.length === 0) return;
+    const actions = queue.map((item) => item.payload);
+    queue.length = 0;
+    await sendActions(actions);
+  }
+  function startFlushTimer() {
+    if (flushTimer !== void 0) return;
+    flushTimer = setInterval(() => {
+      flushQueue().catch(() => {
+      });
+    }, flushInterval);
+    const timer = flushTimer;
+    if (typeof timer.unref === "function") {
+      timer.unref();
+    }
+  }
+  function stopFlushTimer() {
+    if (flushTimer) {
+      clearInterval(flushTimer);
+      flushTimer = void 0;
+    }
+  }
+  if (batchEnabled) {
+    startFlushTimer();
+  }
+  return {
+    logAction(action) {
+      if (isShutdown) {
+        throw new Error(
+          "[ActionLogger] Cannot log action after shutdown. Create a new logger instance."
+        );
+      }
+      if (action.agent.trim().length === 0) {
+        throw new Error("[ActionLogger] Action must have a non-empty 'agent' field.");
+      }
+      if (action.service.trim().length === 0) {
+        throw new Error("[ActionLogger] Action must have a non-empty 'service' field.");
+      }
+      if (action.actionType.trim().length === 0) {
+        throw new Error("[ActionLogger] Action must have a non-empty 'actionType' field.");
+      }
+      if (action.status.trim().length === 0) {
+        throw new Error("[ActionLogger] Action must have a non-empty 'status' field.");
+      }
+      if (batchEnabled) {
+        queue.push({ payload: action, timestamp: Date.now() });
+        if (queue.length >= maxBatchSize) {
+          flushQueue().catch(() => {
+          });
+        }
+      } else {
+        sendActions([action]).catch(() => {
+        });
+      }
+      return Promise.resolve();
+    },
+    async flush() {
+      if (!batchEnabled) return;
+      await flushQueue();
+    },
+    async shutdown() {
+      if (isShutdown) return;
+      isShutdown = true;
+      stopFlushTimer();
+      if (batchEnabled) {
+        await flushQueue();
+      }
+    }
+  };
+}
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/proxy/interceptor.ts
+var BLOCKED_ERROR_CODE = -32e3;
+var INTERNAL_ERROR_CODE = -32002;
+var SERVICE_UNREACHABLE_ERROR_CODE = -32003;
+function buildBlockedResponse(id, service, permissionLevel, dashboardUrl) {
+  const displayService = capitalize(service);
+  const message = `Action blocked by Multicorn Shield: agent does not have ${permissionLevel} access to ${displayService}. Configure permissions at ${dashboardUrl}`;
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: {
+      code: BLOCKED_ERROR_CODE,
+      message
+    }
+  };
+}
+function buildInternalErrorResponse(id) {
+  const message = "Action blocked: Shield encountered an internal error and cannot verify permissions. Check proxy logs for details.";
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: {
+      code: INTERNAL_ERROR_CODE,
+      message
+    }
+  };
+}
+function buildServiceUnreachableResponse(id, dashboardUrl) {
+  const message = `Action blocked: Shield cannot verify permissions (service unreachable). Configure offline behaviour at ${dashboardUrl}`;
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: {
+      code: SERVICE_UNREACHABLE_ERROR_CODE,
+      message
+    }
+  };
+}
+function capitalize(str) {
+  if (str.length === 0) return str;
+  const first = str[0];
+  return first !== void 0 ? first.toUpperCase() + str.slice(1) : str;
+}
+
+// src/mcp-tool-mapper.ts
+var FILESYSTEM_READ_TOOLS = /* @__PURE__ */ new Set([
+  "read_file",
+  "read_text_file",
+  "read_media_file",
+  "read_multiple_files",
+  "list_directory",
+  "list_dir",
+  "directory_tree",
+  "tree",
+  "get_file_info",
+  "stat",
+  "search_files",
+  "glob_file_search",
+  "list_allowed_directories",
+  "file_search"
+]);
+var FILESYSTEM_WRITE_TOOLS = /* @__PURE__ */ new Set([
+  "write_file",
+  "edit_file",
+  "create_directory",
+  "mkdir",
+  "move_file",
+  "rename",
+  "delete_file",
+  "remove_file",
+  "copy_file"
+]);
+var TERMINAL_EXECUTE_TOOLS = /* @__PURE__ */ new Set([
+  "run_terminal_cmd",
+  "execute_command",
+  "terminal_run",
+  "run_command"
+]);
+var BROWSER_EXECUTE_TOOLS = /* @__PURE__ */ new Set([
+  "web_fetch",
+  "fetch_url",
+  "browser_navigate",
+  "navigate",
+  "mcp_web_fetch"
+]);
+var INTEGRATION_SERVICE_BY_PREFIX = {
+  gmail: "gmail",
+  google_calendar: "google_calendar",
+  calendar: "google_calendar",
+  google_drive: "google_drive",
+  drive: "google_drive",
+  slack: "slack",
+  payments: "payments",
+  payment: "payments",
+  stripe: "payments",
+  github: "github",
+  gitlab: "gitlab",
+  notion: "notion",
+  linear: "linear",
+  jira: "jira"
+};
+function inferPermissionFromToolName(normalized) {
+  if (normalized.includes("_read") || normalized.includes("_get") || normalized.includes("_list") || normalized.endsWith("_fetch") || normalized.includes("_search")) {
+    return "read";
+  }
+  if (normalized.includes("_write") || normalized.includes("_send") || normalized.includes("_create") || normalized.includes("_update") || normalized.includes("_delete") || normalized.includes("_push") || normalized.includes("_commit") || normalized.includes("_post") || normalized.includes("_patch")) {
+    return "write";
+  }
+  return "execute";
+}
+function mapMcpToolToScope(toolName) {
+  const actionType = toolName.trim();
+  const normalized = actionType.toLowerCase();
+  if (normalized.length === 0) {
+    return { service: "unknown", permissionLevel: "execute", actionType };
+  }
+  if (FILESYSTEM_READ_TOOLS.has(normalized)) {
+    return { service: "filesystem", permissionLevel: "read", actionType };
+  }
+  if (FILESYSTEM_WRITE_TOOLS.has(normalized)) {
+    return { service: "filesystem", permissionLevel: "write", actionType };
+  }
+  if (TERMINAL_EXECUTE_TOOLS.has(normalized)) {
+    return { service: "terminal", permissionLevel: "execute", actionType };
+  }
+  if (BROWSER_EXECUTE_TOOLS.has(normalized)) {
+    return { service: "browser", permissionLevel: "execute", actionType };
+  }
+  if (normalized === "read") {
+    return { service: "filesystem", permissionLevel: "read", actionType };
+  }
+  if (normalized === "write" || normalized === "edit") {
+    return { service: "filesystem", permissionLevel: "write", actionType };
+  }
+  if (normalized === "exec") {
+    return { service: "terminal", permissionLevel: "execute", actionType };
+  }
+  if (normalized.startsWith("git_")) {
+    const permissionLevel2 = inferPermissionFromToolName(normalized);
+    return { service: "git", permissionLevel: permissionLevel2, actionType };
+  }
+  for (const [prefix, service] of Object.entries(INTEGRATION_SERVICE_BY_PREFIX)) {
+    if (normalized.startsWith(`${prefix}_`) || normalized === prefix) {
+      const permissionLevel2 = inferPermissionFromToolName(normalized);
+      return { service, permissionLevel: permissionLevel2, actionType };
+    }
+  }
+  const idx = normalized.indexOf("_");
+  if (idx === -1) {
+    return { service: normalized, permissionLevel: "execute", actionType };
+  }
+  const head = normalized.slice(0, idx);
+  const tail = normalized.slice(idx + 1);
+  let permissionLevel = "execute";
+  if (tail.includes("read") || tail.includes("list") || tail.includes("get") || tail.includes("search") || tail.includes("fetch")) {
+    permissionLevel = "read";
+  } else if (tail.includes("write") || tail.includes("send") || tail.includes("create") || tail.includes("update") || tail.includes("delete") || tail.includes("remove")) {
+    permissionLevel = "write";
+  }
+  return { service: head, permissionLevel, actionType };
+}
+
+// src/extension/runtime.ts
 function debugLog(msg) {
   try {
     const dir = join(homedir(), ".multicorn");
@@ -22762,10 +23198,37 @@ function debugLog(msg) {
   } catch {
   }
 }
+var JSON_RPC_ID = 0;
+function toolError(text) {
+  return {
+    isError: true,
+    content: [{ type: "text", text }]
+  };
+}
+function messageFromJsonRpcResponse(json2) {
+  try {
+    const parsed = JSON.parse(json2);
+    if (typeof parsed === "object" && parsed !== null) {
+      const err = parsed["error"];
+      if (typeof err === "object" && err !== null) {
+        const msg = err["message"];
+        if (typeof msg === "string") return msg;
+      }
+    }
+  } catch {
+    return "Action blocked by Multicorn Shield.";
+  }
+  return "Action blocked by Multicorn Shield.";
+}
+var DEFAULT_SCOPE_REFRESH_INTERVAL_MS = 6e4;
 var ShieldExtensionRuntime = class {
   constructor(config2) {
+    this.actionLogger = null;
+    this.grantedScopes = [];
     this.agentId = "";
     this.authInvalid = false;
+    this.refreshTimer = null;
+    this.consentInProgress = false;
     this.consentBrowserOpened = false;
     this.config = config2;
   }
@@ -22792,15 +23255,90 @@ var ShieldExtensionRuntime = class {
       "claude-desktop"
     );
     debugLog(
-      `[SHIELD] Agent record resolved: id=${agentRecord.id.length > 0 ? agentRecord.id : "(empty)"} authInvalid=${String(agentRecord.authInvalid === true)}`
+      `[SHIELD] Agent record resolved: id=${agentRecord.id.length > 0 ? agentRecord.id : "(empty)"} scopeCount=${String(agentRecord.scopes.length)} authInvalid=${String(agentRecord.authInvalid === true)}`
     );
     this.agentId = agentRecord.id;
+    this.grantedScopes = agentRecord.scopes;
     this.authInvalid = agentRecord.authInvalid === true;
+    this.actionLogger = createActionLogger({
+      apiKey: cfg.apiKey,
+      baseUrl: cfg.baseUrl,
+      batchMode: { enabled: false },
+      onError: (err) => {
+        cfg.logger.warn("Action log failed.", { error: err.message });
+      }
+    });
+    const refreshIntervalMs = cfg.scopeRefreshIntervalMs ?? DEFAULT_SCOPE_REFRESH_INTERVAL_MS;
+    this.refreshTimer = setInterval(() => {
+      void this.refreshScopes();
+    }, refreshIntervalMs);
+    const timer = this.refreshTimer;
+    if (typeof timer.unref === "function") {
+      timer.unref();
+    }
   }
   async stop() {
+    if (this.refreshTimer !== null) {
+      clearInterval(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+    if (this.actionLogger !== null) {
+      await this.actionLogger.shutdown();
+      this.actionLogger = null;
+    }
+  }
+  async refreshScopes() {
+    if (this.agentId.length === 0) return;
+    try {
+      const scopes = await fetchGrantedScopes(
+        this.agentId,
+        this.config.apiKey,
+        this.config.baseUrl
+      );
+      this.grantedScopes = scopes;
+      if (scopes.length > 0) {
+        await saveCachedScopes(this.config.agentName, this.agentId, scopes, this.config.apiKey);
+      }
+    } catch (error2) {
+      this.config.logger.warn("Scope refresh failed.", {
+        error: error2 instanceof Error ? error2.message : String(error2)
+      });
+    }
+  }
+  async ensureConsent(requestedScope) {
+    if (this.agentId.length === 0) return;
+    if (requestedScope !== void 0) {
+      if (hasScope(this.grantedScopes, requestedScope) || this.consentInProgress) return;
+    } else {
+      if (this.grantedScopes.length > 0 || this.consentInProgress) return;
+    }
+    this.consentInProgress = true;
+    try {
+      const scopeParam = requestedScope !== void 0 ? { service: requestedScope.service, permissionLevel: requestedScope.permissionLevel } : void 0;
+      debugLog(
+        `[SHIELD] ensureConsent: calling waitForConsent agentId=${this.agentId} scope=${scopeParam !== void 0 ? `${scopeParam.service}:${scopeParam.permissionLevel}` : "default"}`
+      );
+      const scopes = await waitForConsent(
+        this.agentId,
+        this.config.agentName,
+        this.config.apiKey,
+        this.config.baseUrl,
+        this.config.dashboardUrl,
+        this.config.logger,
+        scopeParam,
+        "claude-desktop"
+      );
+      debugLog(
+        `[SHIELD] ensureConsent: waitForConsent returned scopeCount=${String(scopes.length)}`
+      );
+      this.grantedScopes = scopes;
+      await saveCachedScopes(this.config.agentName, this.agentId, scopes, this.config.apiKey);
+    } finally {
+      this.consentInProgress = false;
+    }
   }
   /**
-   * Opens the consent URL once (first permission-style block). Skipped if API key is invalid.
+   * Opens the consent URL once (hosted-proxy path when a tool result suggests consent).
    */
   openConsentBrowserOnce() {
     if (this.consentBrowserOpened || this.authInvalid) {
@@ -22822,6 +23360,87 @@ ${consentUrl}
     );
     openBrowser(consentUrl);
   }
+  /**
+   * Returns whether the tool call may proceed to the child MCP server.
+   */
+  async evaluateToolCall(toolName) {
+    const cfg = this.config;
+    try {
+      if (this.authInvalid) {
+        return {
+          allow: false,
+          result: toolError(
+            "Action blocked: Shield API key is invalid or has been revoked. Open Claude Desktop, open the Multicorn Shield extension settings, and enter a valid API key."
+          )
+        };
+      }
+      if (this.agentId.length === 0) {
+        const blocked = buildServiceUnreachableResponse(JSON_RPC_ID, cfg.dashboardUrl);
+        return {
+          allow: false,
+          result: toolError(messageFromJsonRpcResponse(JSON.stringify(blocked)))
+        };
+      }
+      const mapped = mapMcpToolToScope(toolName);
+      const { service, permissionLevel, actionType } = mapped;
+      const requestedScope = { service, permissionLevel };
+      let validation = validateScopeAccess(this.grantedScopes, requestedScope);
+      cfg.logger.debug("Tool call intercepted.", {
+        tool: toolName,
+        service,
+        permissionLevel,
+        allowed: validation.allowed
+      });
+      if (!validation.allowed) {
+        debugLog(`[SHIELD] Before ensureConsent() for tool=${toolName}`);
+        await this.ensureConsent(requestedScope);
+        debugLog(`[SHIELD] After ensureConsent() for tool=${toolName}`);
+        validation = validateScopeAccess(this.grantedScopes, requestedScope);
+        if (!validation.allowed) {
+          if (this.actionLogger !== null && cfg.agentName.trim().length > 0) {
+            await this.actionLogger.logAction({
+              agent: cfg.agentName,
+              service,
+              actionType,
+              status: "blocked"
+            });
+          }
+          const blocked = buildBlockedResponse(
+            JSON_RPC_ID,
+            service,
+            permissionLevel,
+            cfg.dashboardUrl
+          );
+          return {
+            allow: false,
+            result: toolError(messageFromJsonRpcResponse(JSON.stringify(blocked)))
+          };
+        }
+      }
+      if (this.actionLogger !== null) {
+        if (cfg.agentName.trim().length === 0) {
+          cfg.logger.warn("Cannot log action: agent name not resolved.");
+        } else {
+          await this.actionLogger.logAction({
+            agent: cfg.agentName,
+            service,
+            actionType,
+            status: "approved"
+          });
+        }
+      }
+      return { allow: true };
+    } catch (error2) {
+      cfg.logger.error("Tool call handler error.", {
+        error: error2 instanceof Error ? error2.message : String(error2)
+      });
+      const blocked = buildInternalErrorResponse(JSON_RPC_ID);
+      return {
+        allow: false,
+        result: toolError(messageFromJsonRpcResponse(JSON.stringify(blocked)))
+      };
+    }
+  }
 };
 
 // src/extension/server.ts
@@ -22835,6 +23454,45 @@ function debugLog2(msg) {
   }
 }
 var SETUP_TIMEOUT_MS = 15e3;
+function getMulticornConfigPath() {
+  return join(homedir(), ".multicorn", "config.json");
+}
+function isLocalProxyConfigRow(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const o = value;
+  return typeof o["serverName"] === "string" && o["serverName"].length > 0 && typeof o["proxyUrl"] === "string" && o["proxyUrl"].length > 0 && typeof o["targetUrl"] === "string" && o["targetUrl"].length > 0;
+}
+function localRowToProxyConfigItem(row) {
+  return {
+    proxy_url: row.proxyUrl,
+    server_name: row.serverName,
+    target_url: row.targetUrl
+  };
+}
+async function readProxyConfigsFromLocalMulticornConfig() {
+  let raw;
+  try {
+    raw = await readFile(getMulticornConfigPath(), "utf8");
+  } catch {
+    return [];
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return [];
+  }
+  if (typeof parsed !== "object" || parsed === null) return [];
+  const list = parsed["proxyConfigs"];
+  if (!Array.isArray(list)) return [];
+  const out = [];
+  for (const row of list) {
+    if (isLocalProxyConfigRow(row)) {
+      out.push(localRowToProxyConfigItem(row));
+    }
+  }
+  return out;
+}
 function noProxyConfigStatusMessage(dashboardUrl) {
   const base = dashboardUrl.replace(/\/+$/, "");
   return `Multicorn Shield is active but no hosted proxy configurations were found for your account.
@@ -22854,11 +23512,14 @@ var ARGS_INPUT_JSON_SCHEMA = ARGS_OBJECT_SCHEMA !== void 0 ? toJsonSchemaCompat(
 function readApiKey() {
   const key = process.env["MULTICORN_API_KEY"]?.trim();
   if (key === void 0 || key.length === 0) return null;
+  if (key.startsWith("${")) return null;
   return key;
 }
 function readBaseUrl() {
   const raw = process.env["MULTICORN_BASE_URL"]?.trim();
-  return raw !== void 0 && raw.length > 0 ? raw : "https://api.multicorn.ai";
+  if (raw === void 0 || raw.length === 0) return "https://api.multicorn.ai";
+  if (raw.startsWith("${")) return "https://api.multicorn.ai";
+  return raw;
 }
 function readAgentName() {
   const raw = process.env["MULTICORN_AGENT_NAME"]?.trim();
@@ -22869,6 +23530,44 @@ function readLogLevel() {
   if (raw !== void 0 && isValidLogLevel(raw)) return raw;
   return "info";
 }
+async function autoCreateProxyConfig(baseUrl, apiKey, serverName, entry, agentName) {
+  const targetUrl = `stdio://${entry.command}/${entry.args.join("/")}`;
+  const url2 = `${baseUrl.replace(/\/+$/, "")}/api/v1/proxy/config`;
+  debugLog2(`[SHIELD] Auto-creating proxy config for "${serverName}".`);
+  let response;
+  try {
+    response = await fetch(url2, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Multicorn-Key": apiKey
+      },
+      body: JSON.stringify({
+        server_name: serverName,
+        target_url: targetUrl,
+        agent_name: agentName
+      }),
+      signal: AbortSignal.timeout(SETUP_TIMEOUT_MS)
+    });
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : String(error2);
+    debugLog2(`[SHIELD] Failed to create proxy config for "${serverName}": ${message}`);
+    return false;
+  }
+  if (response.status === 409) {
+    debugLog2(`[SHIELD] Proxy config for "${serverName}" already exists (409), skipping.`);
+    return false;
+  }
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    debugLog2(
+      `[SHIELD] Failed to create proxy config for "${serverName}": HTTP ${String(response.status)} ${body.slice(0, 200)}`
+    );
+    return false;
+  }
+  debugLog2(`[SHIELD] Proxy config created for "${serverName}".`);
+  return true;
+}
 async function runShieldExtension() {
   const debugBaseUrl = process.env["MULTICORN_BASE_URL"] ?? "";
   const debugApiKeyPrefix = process.env["MULTICORN_API_KEY"]?.slice(0, 8) ?? "";
@@ -22893,7 +23592,8 @@ async function runShieldExtension() {
     { name: "multicorn-shield", version: PACKAGE_VERSION },
     { capabilities: { tools: { listChanged: true } } }
   );
-  server.setRequestHandler(ListToolsRequestSchema, () => {
+  server.setRequestHandler(ListToolsRequestSchema, async () => {
+    await readyPromise;
     const tools = Array.from(toolRegistry.entries()).map(([name, entry]) => ({
       name,
       description: entry.description,
@@ -22941,7 +23641,7 @@ async function runShieldExtension() {
     const setupTimeout = setTimeout(() => {
       rejectReady(
         new Error(
-          "[SHIELD] Background setup timed out after 15 seconds. Steps include backup of Claude config, fetching proxy configs from Shield, initializing hosted proxy sessions and listing tools. See ~/.multicorn/extension-debug.log for earlier [SHIELD] lines."
+          "[SHIELD] Background setup timed out after 15 seconds. Steps include proxy config resolution, hosted proxy sessions, and Shield runtime. See ~/.multicorn/extension-debug.log for earlier [SHIELD] lines."
         )
       );
     }, SETUP_TIMEOUT_MS);
@@ -22953,27 +23653,68 @@ async function runShieldExtension() {
       } else {
         logger.warn("Could not read Claude Desktop config. No MCP backup was written.", {});
       }
+      const discoveredServers = {};
+      if (desktop !== null) {
+        for (const [name, entry] of Object.entries(desktop.mcpServers)) {
+          if (!isShieldExtensionEntry(name, entry)) {
+            discoveredServers[name] = entry;
+          }
+        }
+      }
+      const serverCount = Object.keys(discoveredServers).length;
+      debugLog2(
+        `[SHIELD] Config read; ${String(serverCount)} MCP server(s) discovered (excluding Shield).`
+      );
+      debugLog2("[SHIELD] Resolving proxy configs (local config or API).");
       let configs;
-      try {
-        debugLog2("[SHIELD] Fetching proxy configs from Shield API.");
-        configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS);
-      } catch (e) {
-        clearTimeout(setupTimeout);
-        if (e instanceof ProxyConfigFetchError) {
-          const msg = e.kind === "auth" ? e.message : `${e.message} (${dashboardUrl.replace(/\/+$/, "")}/proxy)`;
-          toolRegistry.set("multicorn_shield_status", {
-            description: "Reports Shield API or proxy config errors during extension setup.",
-            call: () => Promise.resolve({
-              isError: true,
-              content: [{ type: "text", text: msg }]
-            })
-          });
-          await server.sendToolListChanged();
-          debugLog2(`[SHIELD] Proxy config fetch failed (${e.kind}); status tool only.`);
-          resolveReady();
-          return;
+      const localConfigs = await readProxyConfigsFromLocalMulticornConfig();
+      if (localConfigs.length > 0) {
+        debugLog2(`[SHIELD] Loaded ${String(localConfigs.length)} proxy configs from local config.`);
+        configs = localConfigs;
+      } else {
+        debugLog2("[SHIELD] No local proxy configs; fetching from API.");
+        try {
+          configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS);
+        } catch (e) {
+          clearTimeout(setupTimeout);
+          if (e instanceof ProxyConfigFetchError) {
+            const msg = e.kind === "auth" ? e.message : `${e.message} (${dashboardUrl.replace(/\/+$/, "")}/proxy)`;
+            toolRegistry.set("multicorn_shield_status", {
+              description: "Reports Shield API or proxy config errors during extension setup.",
+              call: () => Promise.resolve({
+                isError: true,
+                content: [{ type: "text", text: msg }]
+              })
+            });
+            await server.sendToolListChanged();
+            debugLog2(`[SHIELD] Proxy config fetch failed (${e.kind}); status tool only.`);
+            resolveReady();
+            return;
+          }
+          throw e;
+        }
+        debugLog2(`[SHIELD] Fetched ${String(configs.length)} proxy config(s) from API.`);
+        if (serverCount > 0) {
+          const existingNames = new Set(configs.map((c) => c.server_name));
+          let createdCount = 0;
+          for (const [name, entry] of Object.entries(discoveredServers)) {
+            if (!existingNames.has(name)) {
+              const created = await autoCreateProxyConfig(baseUrl, apiKey, name, entry, agentName);
+              if (created) createdCount += 1;
+            }
+          }
+          if (createdCount > 0) {
+            debugLog2(
+              `[SHIELD] Auto-created ${String(createdCount)} proxy config(s); re-fetching from API.`
+            );
+            try {
+              configs = await fetchProxyConfigs(baseUrl, apiKey, SETUP_TIMEOUT_MS);
+            } catch (e) {
+              const message = e instanceof Error ? e.message : String(e);
+              debugLog2(`[SHIELD] Re-fetch after auto-creation failed: ${message}`);
+            }
+          }
         }
-        throw e;
       }
       debugLog2(`[SHIELD] Proxy config count: ${String(configs.length)}.`);
       if (configs.length === 0) {
@@ -22997,7 +23738,7 @@ async function runShieldExtension() {
         dashboardUrl,
         logger
       });
-      debugLog2("[SHIELD] Starting extension runtime (agent resolution).");
+      debugLog2("[SHIELD] Starting extension runtime (hosted proxy path).");
       await runtime.start();
       debugLog2(
         `[SHIELD] Runtime ready agentId=${runtime.getAgentId().length > 0 ? "(set)" : "(empty)"} authInvalid=${String(runtime.isAuthInvalid())}`
@@ -23070,7 +23811,7 @@ async function runShieldExtension() {
         });
       }
       await server.sendToolListChanged();
-      debugLog2("[SHIELD] Setup complete; signaling ready.");
+      debugLog2("[SHIELD] Setup complete (hosted proxy path); signaling ready.");
       clearTimeout(setupTimeout);
       resolveReady();
     } catch (error2) {