multicorn-shield 1.2.0 → 1.3.0

package/dist/multicorn-shield.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
-import { existsSync, statSync } from 'fs';
+import { readFileSync, existsSync, statSync } from 'fs';
 import { readFile, mkdir, writeFile, copyFile, chmod, unlink } from 'fs/promises';
 import { join, dirname, resolve, basename, sep } from 'path';
 import { homedir } from 'os';
 import { fileURLToPath } from 'url';
+import { createRequire } from 'module';
 import { createInterface } from 'readline';
 import { spawn } from 'child_process';
 import { createHash } from 'crypto';
@@ -391,6 +392,32 @@ function isExistingDirectory(path) {
     return false;
   }
 }
+function jsonValueMentionsMulticornShield(value) {
+  if (typeof value === "string") {
+    return value.includes("multicorn-shield");
+  }
+  if (Array.isArray(value)) {
+    return value.some(jsonValueMentionsMulticornShield);
+  }
+  if (value !== null && typeof value === "object") {
+    for (const [k, v] of Object.entries(value)) {
+      if (k.includes("multicorn-shield")) return true;
+      if (jsonValueMentionsMulticornShield(v)) return true;
+    }
+  }
+  return false;
+}
+function claudeInstalledPluginsListsMulticornShield() {
+  const path = join(homedir(), ".claude", "plugins", "installed_plugins.json");
+  if (!existsSync(path)) return false;
+  try {
+    const raw = readFileSync(path, "utf8");
+    const parsed = JSON.parse(raw);
+    return jsonValueMentionsMulticornShield(parsed);
+  } catch {
+    return false;
+  }
+}
 function nativePluginSkippedSaveNote(wizardCommand, productName) {
   return "\n" + style.dim("Your agent config has been saved. Run ") + style.cyan(wizardCommand) + style.dim(` again after installing ${productName} to complete hook setup.`) + "\n";
 }
@@ -705,78 +732,48 @@ async function validateApiKey(apiKey, baseUrl) {
     };
   }
 }
-async function isOpenClawConnected() {
-  try {
-    const raw = await readFile(OPENCLAW_CONFIG_PATH, "utf8");
-    const obj = JSON.parse(raw);
-    const hooks = obj["hooks"];
-    const internal = hooks?.["internal"];
-    const entries = internal?.["entries"];
-    const shield = entries?.["multicorn-shield"];
-    const env = shield?.["env"];
-    const key = env?.["MULTICORN_API_KEY"];
-    return typeof key === "string" && key.length > 0;
-  } catch {
-    return false;
-  }
+function multicornShieldPackageRoot() {
+  return join(dirname(fileURLToPath(import.meta.url)), "..");
 }
-function isClaudeCodeConnected() {
+function multicornShieldInstallRoot() {
   try {
-    return existsSync(join(homedir(), ".claude", "plugins", "cache", "multicorn-shield"));
+    const req = createRequire(import.meta.url);
+    return dirname(req.resolve("multicorn-shield/package.json"));
   } catch {
-    return false;
+    return multicornShieldPackageRoot();
   }
 }
-function getCursorConfigPath() {
-  return join(homedir(), ".cursor", "mcp.json");
+function shieldInstalledVersionOlderThan(latest, installed) {
+  return latest.localeCompare(installed, void 0, { numeric: true }) > 0;
 }
-async function isCursorConnected() {
+async function warnIfInstalledShieldIsOutdated() {
   try {
-    const raw = await readFile(getCursorConfigPath(), "utf8");
-    const obj = JSON.parse(raw);
-    const mcpServers = obj["mcpServers"];
-    if (mcpServers === void 0 || typeof mcpServers !== "object") return false;
-    for (const entry of Object.values(mcpServers)) {
-      if (typeof entry !== "object" || entry === null) continue;
-      const rec = entry;
-      const url = rec["url"];
-      if (typeof url === "string" && url.includes("multicorn")) return true;
-      const args = rec["args"];
-      if (Array.isArray(args) && (args.includes("multicorn-shield") || args.includes("multicorn-proxy")))
-        return true;
+    const res = await fetch("https://registry.npmjs.org/multicorn-shield/latest");
+    if (!res.ok) return;
+    const data = await res.json();
+    const latest = typeof data.version === "string" ? data.version : "";
+    if (latest.length === 0) return;
+    let installed = "";
+    try {
+      const req = createRequire(import.meta.url);
+      const pkgPath = req.resolve("multicorn-shield/package.json");
+      const raw = readFileSync(pkgPath, "utf8");
+      const pkg = JSON.parse(raw);
+      installed = typeof pkg.version === "string" ? pkg.version : "";
+    } catch {
+      return;
+    }
+    if (installed.length === 0 || !shieldInstalledVersionOlderThan(latest, installed)) {
+      return;
     }
-    return false;
-  } catch (err) {
     process.stderr.write(
-      `Warning: could not check Cursor connection status: ${err instanceof Error ? err.message : String(err)}
+      style.yellow("\u26A0") + ` multicorn-shield v${installed} is installed but v${latest} is available. Run npm update multicorn-shield to update.
+
 `
     );
-    return false;
-  }
-}
-function getWindsurfConfigPath() {
-  return join(homedir(), ".codeium", "windsurf", "mcp_config.json");
-}
-async function isWindsurfConnected() {
-  try {
-    const raw = await readFile(getWindsurfConfigPath(), "utf8");
-    const obj = JSON.parse(raw);
-    const mcpServers = obj["mcpServers"];
-    if (mcpServers === void 0 || typeof mcpServers !== "object") return false;
-    for (const entry of Object.values(mcpServers)) {
-      if (typeof entry !== "object" || entry === null) continue;
-      const rec = entry;
-      const url = rec["serverUrl"];
-      if (typeof url === "string" && url.includes("multicorn")) return true;
-    }
-    return false;
   } catch {
-    return false;
   }
 }
-function multicornShieldPackageRoot() {
-  return join(dirname(fileURLToPath(import.meta.url)), "..");
-}
 function getWindsurfHooksInstallDir() {
   return join(homedir(), ".multicorn", "windsurf-hooks");
 }
@@ -1006,6 +1003,140 @@ function geminiStripMulticornHookEntries(hooks) {
   out["AfterTool"] = geminiStripMatcherGroups(out["AfterTool"]);
   return out;
 }
+function getClaudeCodeUserSettingsPath() {
+  return join(homedir(), ".claude", "settings.json");
+}
+function commandLooksLikeMulticornClaudePre(cmd) {
+  return typeof cmd === "string" && cmd.includes("pre-tool-use.cjs") && cmd.includes("multicorn-shield");
+}
+function commandLooksLikeMulticornClaudePost(cmd) {
+  return typeof cmd === "string" && cmd.includes("post-tool-use.cjs") && cmd.includes("multicorn-shield");
+}
+function claudeSettingsMatcherGroupReferencesShield(group, kind) {
+  const inner = group["hooks"];
+  if (!Array.isArray(inner)) return false;
+  const pred = kind === "pre" ? commandLooksLikeMulticornClaudePre : commandLooksLikeMulticornClaudePost;
+  for (const h of inner) {
+    if (typeof h !== "object" || h === null) continue;
+    const rec = h;
+    if (pred(rec["command"])) return true;
+  }
+  return false;
+}
+function claudeHooksHaveShieldEntries(hooks) {
+  for (const key of ["PreToolUse", "PostToolUse"]) {
+    const arr = hooks[key];
+    if (!Array.isArray(arr)) continue;
+    const kind = key === "PreToolUse" ? "pre" : "post";
+    for (const g of arr) {
+      if (typeof g === "object" && g !== null) {
+        if (claudeSettingsMatcherGroupReferencesShield(g, kind)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+function stripClaudeShieldHookGroups(arr, kind) {
+  return arr.filter((g) => {
+    if (typeof g !== "object" || g === null) return true;
+    return !claudeSettingsMatcherGroupReferencesShield(g, kind);
+  });
+}
+async function installClaudeCodeUserSettingsHooks(ask) {
+  const root = multicornShieldInstallRoot();
+  const prePath = join(root, "plugins", "multicorn-shield", "hooks", "scripts", "pre-tool-use.cjs");
+  const postPath = join(
+    root,
+    "plugins",
+    "multicorn-shield",
+    "hooks",
+    "scripts",
+    "post-tool-use.cjs"
+  );
+  if (!existsSync(prePath) || !existsSync(postPath)) {
+    process.stderr.write(
+      style.red(
+        "Could not find Shield Claude Code hook scripts next to the multicorn-shield package.\n"
+      )
+    );
+    process.stderr.write(style.dim(`  Expected: ${prePath}`) + "\n");
+    return false;
+  }
+  const settingsPath = getClaudeCodeUserSettingsPath();
+  await mkdir(dirname(settingsPath), { recursive: true });
+  let existing = {};
+  try {
+    const rawText = await readFile(settingsPath, "utf8");
+    const parsed = JSON.parse(rawText);
+    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
+      existing = parsed;
+    }
+  } catch (err) {
+    if (isErrnoException(err) && err.code === "ENOENT") {
+      existing = {};
+    } else {
+      process.stderr.write(
+        style.yellow("\u26A0") + ` Could not parse ${settingsPath}. Fix or remove the file, then run init again.
+`
+      );
+      return false;
+    }
+  }
+  const hooksRaw = existing["hooks"];
+  const hooksObj = typeof hooksRaw === "object" && hooksRaw !== null && !Array.isArray(hooksRaw) ? { ...hooksRaw } : {};
+  if (claudeHooksHaveShieldEntries(hooksObj)) {
+    const answer = await ask(
+      "Existing Multicorn Shield hooks were found in ~/.claude/settings.json. Overwrite? (Y/n) "
+    );
+    if (answer.trim().toLowerCase() === "n") {
+      return false;
+    }
+  }
+  const preCmd = `node ${JSON.stringify(prePath)}`;
+  const postCmd = `node ${JSON.stringify(postPath)}`;
+  const preArr = stripClaudeShieldHookGroups(
+    Array.isArray(hooksObj["PreToolUse"]) ? [...hooksObj["PreToolUse"]] : [],
+    "pre"
+  );
+  const postArr = stripClaudeShieldHookGroups(
+    Array.isArray(hooksObj["PostToolUse"]) ? [...hooksObj["PostToolUse"]] : [],
+    "post"
+  );
+  preArr.push({
+    matcher: "*",
+    hooks: [
+      {
+        type: "command",
+        name: "multicorn-shield-pre",
+        command: preCmd,
+        timeout: 600
+      }
+    ]
+  });
+  postArr.push({
+    matcher: "*",
+    hooks: [
+      {
+        type: "command",
+        name: "multicorn-shield-post",
+        command: postCmd,
+        timeout: 120
+      }
+    ]
+  });
+  hooksObj["PreToolUse"] = preArr;
+  hooksObj["PostToolUse"] = postArr;
+  const out = { ...existing, hooks: hooksObj };
+  const serialized = JSON.stringify(out, null, 2) + "\n";
+  await writeFile(settingsPath, serialized, "utf8");
+  process.stderr.write(
+    "\n" + style.dim("Wrote ") + style.cyan(settingsPath) + style.dim(":") + "\n"
+  );
+  process.stderr.write(style.dim(JSON.stringify({ hooks: hooksObj }, null, 2)) + "\n");
+  return true;
+}
 async function installGeminiCliNativeHooks(ask) {
   const root = multicornShieldPackageRoot();
   const srcBefore = join(root, "plugins", "gemini-cli", "hooks", "scripts", "before-tool.cjs");
@@ -1141,54 +1272,48 @@ function getClaudeDesktopConfigPath() {
   }
 }
 var INIT_WIZARD_PLATFORM_REGISTRY = [
-  { slug: "openclaw", displayName: "OpenClaw", section: "native", detectable: true },
-  { slug: "claude-code", displayName: "Claude Code", section: "native", detectable: true },
-  { slug: "windsurf", displayName: "Windsurf", section: "native", detectable: true },
-  { slug: "cline", displayName: "Cline", section: "native", detectable: false },
-  { slug: "gemini-cli", displayName: "Gemini CLI", section: "native", detectable: false },
+  { slug: "openclaw", displayName: "OpenClaw", section: "native" },
+  { slug: "claude-code", displayName: "Claude Code", section: "native" },
+  { slug: "windsurf", displayName: "Windsurf", section: "native" },
+  { slug: "cline", displayName: "Cline", section: "native" },
+  { slug: "gemini-cli", displayName: "Gemini CLI", section: "native" },
   {
     slug: "cursor",
     displayName: "Cursor",
     section: "hosted",
-    prereqUrl: "https://www.cursor.com/downloads",
-    detectable: true
+    prereqUrl: "https://www.cursor.com/downloads"
   },
   {
     slug: "claude-desktop",
     displayName: "Claude Desktop",
     section: "hosted",
-    prereqUrl: "https://claude.ai/download",
-    detectable: false
+    prereqUrl: "https://claude.ai/download"
   },
   {
     slug: "github-copilot",
     displayName: "GitHub Copilot",
     section: "hosted",
-    prereqUrl: "https://docs.github.com/en/copilot/get-started",
-    detectable: false
+    prereqUrl: "https://docs.github.com/en/copilot/get-started"
   },
   {
     slug: "kilo-code",
     displayName: "Kilo Code",
     section: "hosted",
-    prereqUrl: "https://kilocode.ai/docs/getting-started",
-    detectable: false
+    prereqUrl: "https://kilocode.ai/docs/getting-started"
   },
   {
     slug: "continue-dev",
     displayName: "Continue",
     section: "hosted",
-    prereqUrl: "https://docs.continue.dev/ide-extensions/install",
-    detectable: false
+    prereqUrl: "https://docs.continue.dev/ide-extensions/install"
   },
   {
     slug: "goose",
     displayName: "Goose",
     section: "hosted",
-    prereqUrl: "https://goose-docs.ai/docs/quickstart/",
-    detectable: false
+    prereqUrl: "https://goose-docs.ai/docs/quickstart/"
   },
-  { slug: "other-mcp", displayName: "Local MCP / Other", section: "hosted", detectable: false }
+  { slug: "other-mcp", displayName: "Local MCP / Other", section: "hosted" }
 ];
 var INIT_WIZARD_MENU_SECTIONS = (() => {
   const itemsFor = (section) => INIT_WIZARD_PLATFORM_REGISTRY.filter((e) => e.section === section).map((e) => ({
@@ -1219,45 +1344,17 @@ async function promptHostedProxyInstallPrereq(ask, platformLabel, prereqUrl) {
   const answer = await ask("Ready to continue? (Y/n) ");
   return answer.trim().toLowerCase() !== "n";
 }
-function isPlatformDetectedForMenu(slug) {
-  switch (slug) {
-    case "openclaw":
-      return isOpenClawConnected();
-    case "claude-code":
-      return Promise.resolve(isClaudeCodeConnected());
-    case "cursor":
-      return isCursorConnected();
-    case "windsurf":
-      return isWindsurfConnected();
-    default:
-      return Promise.resolve(false);
-  }
-}
 async function promptPlatformSelection(ask) {
   process.stderr.write(
     "\n" + style.bold(style.violet("Which platform are you connecting?")) + "\n\n"
   );
-  const detectionSlugs = INIT_WIZARD_PLATFORM_REGISTRY.filter((e) => e.detectable).map(
-    (e) => e.slug
-  );
-  const connectedFlags = await Promise.all(
-    detectionSlugs.map((slug) => isPlatformDetectedForMenu(slug))
-  );
-  function markerFor(platform) {
-    const idx = detectionSlugs.indexOf(platform);
-    if (idx === -1) return "";
-    if (!connectedFlags[idx]) return "";
-    return " " + style.dim("\u25CF detected locally");
-  }
   let optionNum = 1;
   for (const section of INIT_WIZARD_MENU_SECTIONS) {
     process.stderr.write("  " + style.dim(section.title) + "\n");
     for (const item of section.items) {
       const indent = optionNum >= 10 ? "   " : "    ";
-      process.stderr.write(
-        `${indent}${style.violet(String(optionNum))}. ${item.label}${markerFor(item.platform)}
-`
-      );
+      process.stderr.write(`${indent}${style.violet(String(optionNum))}. ${item.label}
+`);
       optionNum++;
     }
   }
@@ -1720,6 +1817,7 @@ async function runInit(explicitBaseUrl) {
     spinner.stop(true, "Key validated");
     apiKey = key;
   }
+  await warnIfInstalledShieldIsOutdated();
   const configuredAgents = [];
   let currentAgents = collectAgentsFromConfig(existing);
   let lastConfig = {
@@ -1791,63 +1889,41 @@ async function runInit(explicitBaseUrl) {
       ) + "\n"
     );
     if (agentsForPlatform.length > 0) {
-      const exactForWorkspace = agentsForPlatform.find(
-        (a) => typeof a.workspacePath === "string" && a.workspacePath.length > 0 && resolve(a.workspacePath) === initWorkspacePath
-      );
-      if (exactForWorkspace !== void 0) {
-        process.stderr.write(
-          `
-This workspace already has a ${selectedLabel} agent registered (${style.cyan(
-            exactForWorkspace.name
-          )}).
-`
-        );
-        process.stderr.write(
-          style.dim(
-            "Replace updates this directory's saved agent. (n) returns to platform selection \u2014 the wizard keeps running."
-          ) + "\n"
-        );
-        const replace = await ask("Replace it? (Y/n) ");
-        if (replace.trim().toLowerCase() === "n") {
-          process.stderr.write(style.dim("Skipping. Returning to platform selection.") + "\n");
-          continue;
-        }
-        removeAgentNameBeforeSave = exactForWorkspace.name;
-      } else {
-        process.stderr.write(
-          `
+      process.stderr.write(
+        `
 You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLabel}:
 `
-        );
-        for (const a of agentsForPlatform) {
-          const wsHint = typeof a.workspacePath === "string" && a.workspacePath.length > 0 ? `  ${style.dim(a.workspacePath)}` : "";
-          process.stderr.write(`  ${style.dim("\u2022")} ${style.cyan(a.name)}${wsHint}
+      );
+      for (const a of agentsForPlatform) {
+        const isThisWorkspace = typeof a.workspacePath === "string" && a.workspacePath.length > 0 && resolve(a.workspacePath) === initWorkspacePath;
+        const wsHint = typeof a.workspacePath === "string" && a.workspacePath.length > 0 ? `  ${style.dim(a.workspacePath)}` : "";
+        const marker = isThisWorkspace ? `  ${style.yellow("(this workspace)")}` : "";
+        process.stderr.write(`  ${style.dim("\u2022")} ${style.cyan(a.name)}${wsHint}${marker}
 `);
-        }
-        process.stderr.write("\n" + style.bold("What would you like to do?") + "\n");
-        const actionIdx = await arrowSelect(
-          [
-            "Add a new agent alongside these",
-            "Replace an existing agent",
-            "Skip \u2014 choose a different platform"
-          ],
+      }
+      process.stderr.write("\n" + style.bold("What would you like to do?") + "\n");
+      const actionIdx = await arrowSelect(
+        [
+          "Add a new agent alongside these",
+          "Replace an existing agent",
+          "Skip - choose a different platform"
+        ],
+        ask,
+        "Action"
+      );
+      if (actionIdx === 2) {
+        continue;
+      }
+      if (actionIdx === 1) {
+        process.stderr.write("\n" + style.bold("Which agent to replace?") + "\n");
+        const replaceIdx = await arrowSelect(
+          agentsForPlatform.map((a) => a.name),
           ask,
-          "Action"
+          "Agent"
         );
-        if (actionIdx === 2) {
-          continue;
-        }
-        if (actionIdx === 1) {
-          process.stderr.write("\n" + style.bold("Which agent to replace?") + "\n");
-          const replaceIdx = await arrowSelect(
-            agentsForPlatform.map((a) => a.name),
-            ask,
-            "Agent"
-          );
-          const victim = agentsForPlatform[replaceIdx];
-          if (victim !== void 0) {
-            removeAgentNameBeforeSave = victim.name;
-          }
+        const victim = agentsForPlatform[replaceIdx];
+        if (victim !== void 0) {
+          removeAgentNameBeforeSave = victim.name;
         }
       }
     }
@@ -1949,16 +2025,24 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
       });
       setupSucceeded = true;
     } else if (selectedPlatform === "claude-code") {
-      process.stderr.write("\nTo connect Claude Code to Shield:\n\n");
-      process.stderr.write(
-        "  " + style.bold("Step 1") + " - Add the Multicorn marketplace:\n    " + style.cyan("claude plugin marketplace add Multicorn-AI/multicorn-shield") + "\n\n"
-      );
       process.stderr.write(
-        "  " + style.bold("Step 2") + " - Install the plugin:\n    " + style.cyan("claude plugin install multicorn-shield@multicorn-shield") + "\n\n"
+        "\n" + style.dim("Configuring Shield hooks in Claude Code user settings...") + "\n"
       );
+      const hooksOk = await installClaudeCodeUserSettingsHooks(ask);
+      if (!hooksOk) {
+        process.stderr.write(style.dim("Skipped Claude Code hook installation.\n"));
+        continue;
+      }
       process.stderr.write(
-        style.dim("Requires Claude Code to be installed. Get it at https://code.claude.com") + "\n"
+        style.green("\u2713") + " Shield hooks added to " + style.cyan("~/.claude/settings.json") + "\n"
       );
+      if (claudeInstalledPluginsListsMulticornShield()) {
+        process.stderr.write(
+          style.dim(
+            "Note: You have the multicorn-shield Claude Code plugin installed. The plugin is no longer needed - hooks are now written directly to settings.json. You can uninstall it with: "
+          ) + style.cyan("claude plugin uninstall multicorn-shield@multicorn-shield") + "\n"
+        );
+      }
       configuredAgents.push({
         selection,
         platform: selectedPlatform,
@@ -2313,42 +2397,42 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     const blocks = [];
     if (configuredPlatforms.has("openclaw")) {
       blocks.push(
-        "\n" + style.bold("To complete your OpenClaw setup:") + "\n  \u2192 Restart your gateway: " + style.cyan("openclaw gateway restart") + "\n  \u2192 Start a session: " + style.cyan("openclaw tui") + "\n"
+        "\n" + style.bold("OpenClaw") + "\n  \u2192 Restart your gateway: " + style.cyan("openclaw gateway restart") + "\n  \u2192 Start a session: " + style.cyan("openclaw tui") + "\n"
       );
     }
     if (configuredPlatforms.has("claude-code")) {
       blocks.push(
-        "\n" + style.bold("To complete your Claude Code setup:") + "\n  \u2192 Add marketplace: " + style.cyan("claude plugin marketplace add Multicorn-AI/multicorn-shield") + "\n  \u2192 Install plugin: " + style.cyan("claude plugin install multicorn-shield@multicorn-shield") + "\n"
+        "\n" + style.bold("Claude Code") + "\n  \u2192 Start Claude Code: " + style.cyan("claude") + "\n  \u2192 Shield will intercept tool calls automatically.\n"
       );
     }
     if (configuredPlatforms.has("claude-desktop")) {
       blocks.push(
-        "\n" + style.bold("To complete your Claude Desktop setup:") + "\n  \u2192 Restart Claude Desktop to pick up config changes\n"
+        "\n" + style.bold("Claude Desktop") + "\n  \u2192 Restart Claude Desktop to pick up config changes\n"
       );
     }
     if (configuredPlatforms.has("cursor")) {
       blocks.push(
-        "\n" + style.bold("To complete your Cursor setup:") + "\n  1. If you don't have Cursor yet, download it from " + style.cyan("https://cursor.com/downloads") + "\n  2. Open " + style.cyan("~/.cursor/mcp.json") + " and paste the config snippet shown above\n  3. Restart Cursor (or launch it for the first time) to load the new MCP server\n"
+        "\n" + style.bold("Cursor") + "\n  \u2192 If needed, download Cursor from " + style.cyan("https://cursor.com/downloads") + "\n  \u2192 Restart Cursor so it loads the MCP server\n  \u2192 Ask the agent to use your Shield MCP tools by short name\n"
       );
     }
     if (configuredPlatforms.has("kilo-code")) {
       blocks.push(
-        "\n" + style.bold("To complete your Kilo Code setup:") + "\n  1. Save the snippet to " + style.cyan(".kilocode/mcp.json") + " in your project root, or under the mcp key in " + style.cyan("kilo.jsonc") + "\n  2. Run your next task in Kilo Code so it picks up the MCP server\n"
+        "\n" + style.bold("Kilo Code") + "\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Run your next task in Kilo Code so it picks up Shield\n"
       );
     }
     if (configuredPlatforms.has("github-copilot")) {
       blocks.push(
-        "\n" + style.bold("GitHub Copilot MCP:") + "\n  1. Open VS Code Command Palette: Preferences: Open User Settings (JSON)\n  2. Merge the snippet under the " + style.cyan("mcp") + " key and save\n  3. Use Copilot Agent mode and verify the MCP server connects\n"
+        "\n" + style.bold("GitHub Copilot") + "\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Use Copilot Agent mode and verify the MCP server connects\n"
       );
     }
     if (configuredPlatforms.has("continue-dev")) {
       blocks.push(
-        "\n" + style.bold("Continue MCP:") + "\n  1. If you don't have Continue yet, install from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  2. Save JSON as " + style.cyan(".continue/mcpServers/shield.json") + " in your workspace, or add to " + style.cyan("~/.continue/config.yaml") + "\n  3. Reload VS Code and open Continue agent mode\n"
+        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  \u2192 Reload VS Code and open Continue agent mode\n"
       );
     }
     if (configuredPlatforms.has("goose")) {
       blocks.push(
-        "\n" + style.bold("Goose MCP extension:") + "\n  1. Edit " + style.cyan("~/.config/goose/config.yaml") + " (or use goose configure)\n  2. Restart Goose CLI or Desktop\n"
+        "\n" + style.bold("Goose") + "\n  \u2192 Start a new Goose session after updating config\n"
       );
     }
     const windsurfNativeConfigured = configuredAgents.some(
@@ -2359,12 +2443,12 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     );
     if (windsurfNativeConfigured) {
       blocks.push(
-        "\n" + style.bold("To complete native Windsurf (Shield) setup:") + "\n  1. Hook scripts: " + style.cyan(getWindsurfHooksInstallDir()) + "\n  2. Hooks config: " + style.cyan(getWindsurfCascadeHooksJsonPath()) + "\n  3. Restart Windsurf (quit fully, then reopen)\n"
+        "\n" + style.bold("Windsurf (native)") + "\n  \u2192 Restart Windsurf (quit fully, then reopen)\n"
       );
     }
     if (windsurfHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("To complete your Windsurf hosted-proxy setup:") + "\n  1. If you don't have Windsurf yet, download it from " + style.cyan("https://windsurf.com/download") + "\n  2. Open " + style.cyan("~/.codeium/windsurf/mcp_config.json") + " and paste the config snippet shown above\n  3. Restart Windsurf (or launch it for the first time) to load the new MCP server\n"
+        "\n" + style.bold("Windsurf (hosted)") + "\n  \u2192 If needed, install from " + style.cyan("https://windsurf.com/download") + "\n  \u2192 Restart Windsurf so it loads the MCP server\n"
       );
     }
     const clineNativeConfigured = configuredAgents.some(
@@ -2375,12 +2459,12 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     );
     if (clineNativeConfigured) {
       blocks.push(
-        "\n" + style.bold("To complete native Cline (Shield) setup:") + "\n  1. Enable Hooks in Cline: open VS Code, click the Cline sidebar icon, click the gear icon,\n     scroll down to the Advanced section, and toggle Hooks on.\n  2. Reload the VS Code window (Cmd+Shift+P > Reload Window)\n  3. Trigger any tool call to verify Shield is intercepting\n"
+        "\n" + style.bold("Cline (native)") + "\n  \u2192 Enable Hooks in Cline settings (Advanced), then reload the VS Code window\n  \u2192 Trigger a tool call to verify Shield is intercepting\n"
       );
     }
     if (clineHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("To complete your Cline hosted-proxy setup:") + "\n  1. If you don't have Cline yet, install it from the VS Code marketplace\n  2. Open your Cline MCP settings file and paste the config snippet shown above\n  3. Restart Cline or reload the VS Code window\n"
+        "\n" + style.bold("Cline (hosted)") + "\n  \u2192 Restart Cline or reload the VS Code window\n"
       );
     }
     const geminiCliNativeConfigured = configuredAgents.some(
@@ -2391,12 +2475,12 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     );
     if (geminiCliNativeConfigured) {
       blocks.push(
-        "\n" + style.bold("Gemini CLI native hooks:") + "\n  Your Gemini CLI hooks are installed. Restart Gemini CLI to activate Shield governance.\n"
+        "\n" + style.bold("Gemini CLI (native)") + "\n  \u2192 Restart Gemini CLI to activate Shield governance\n"
       );
     }
     if (geminiCliHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("To complete your Gemini CLI setup:") + "\n  1. Open " + style.cyan("~/.gemini/settings.json") + "\n  2. Paste the config snippet shown above\n  3. Restart Gemini CLI, then run /mcp to verify\n"
+        "\n" + style.bold("Gemini CLI (hosted)") + "\n  \u2192 Restart Gemini CLI, then run " + style.cyan("/mcp") + " to verify the server\n"
       );
     }
     if (blocks.length > 0) {

package/dist/openclaw-hook/handler.js

@@ -45,9 +45,9 @@ var TOOL_MAP = {
   slack_read: { service: "slack", permissionLevel: "read" },
   slack_message: { service: "slack", permissionLevel: "write" },
   // Payments
-  payments: { service: "payments", permissionLevel: "execute" },
-  payment: { service: "payments", permissionLevel: "execute" },
-  stripe: { service: "payments", permissionLevel: "execute" }
+  payments: { service: "payments", permissionLevel: "write" },
+  payment: { service: "payments", permissionLevel: "write" },
+  stripe: { service: "payments", permissionLevel: "write" }
 };
 function mapToolToScope(toolName, command) {
   const normalized = toolName.trim().toLowerCase();