multicorn-shield 1.3.2 → 1.3.4

package/dist/multicorn-shield.js

@@ -344,6 +344,7 @@ function isPermissionShape(value) {
 }
 
 // src/proxy/config.ts
+var SECRET_JSON_FILE_OPTIONS = { encoding: "utf8", mode: 384 };
 var style = {
   violet: (s) => `\x1B[38;2;124;58;237m${s}\x1B[0m`,
   violetLight: (s) => `\x1B[38;2;167;139;250m${s}\x1B[0m`,
@@ -703,9 +704,11 @@ async function updateOpenClawConfigIfPresent(apiKey, baseUrl, agentName) {
       }
     }
   }
-  await writeFile(OPENCLAW_CONFIG_PATH, JSON.stringify(obj, null, 2) + "\n", {
-    encoding: "utf8"
-  });
+  await writeFile(
+    OPENCLAW_CONFIG_PATH,
+    JSON.stringify(obj, null, 2) + "\n",
+    SECRET_JSON_FILE_OPTIONS
+  );
   return "updated";
 }
 async function validateApiKey(apiKey, baseUrl) {
@@ -867,7 +870,7 @@ async function installWindsurfNativeHooks() {
   base["hooks"] = nextHooks;
   const hooksDir = dirname(hooksPath);
   await mkdir(hooksDir, { recursive: true });
-  await writeFile(hooksPath, JSON.stringify(base, null, 2) + "\n", { encoding: "utf8" });
+  await writeFile(hooksPath, JSON.stringify(base, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
 }
 function getClineHooksInstallDir() {
   return join(homedir(), ".multicorn", "cline-hooks");
@@ -946,6 +949,37 @@ function getGeminiCliHooksInstallDir() {
 function getGeminiCliSettingsPath() {
   return join(homedir(), ".gemini", "settings.json");
 }
+async function mergeGeminiHostedMcpServersIntoSettings(shortName, proxyUrl, apiKey) {
+  const settingsPath = getGeminiCliSettingsPath();
+  let existing = {};
+  try {
+    const rawText = await readFile(settingsPath, "utf8");
+    const parsed = JSON.parse(rawText);
+    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
+      existing = parsed;
+    }
+  } catch (err) {
+    if (isErrnoException(err) && err.code === "ENOENT") {
+      existing = {};
+    } else {
+      const detail = err instanceof Error ? err.message : String(err);
+      throw new Error(`Could not read or parse Gemini CLI settings at ${settingsPath}: ${detail}`);
+    }
+  }
+  const mcpRaw = existing["mcpServers"];
+  const mcpServers = typeof mcpRaw === "object" && mcpRaw !== null && !Array.isArray(mcpRaw) ? { ...mcpRaw } : {};
+  mcpServers[shortName] = {
+    httpUrl: proxyUrl,
+    headers: {
+      Authorization: `Bearer ${apiKey}`
+    }
+  };
+  const out = { ...existing, mcpServers };
+  await mkdir(dirname(settingsPath), { recursive: true });
+  const serialized = JSON.stringify(out, null, 2) + "\n";
+  await writeFile(settingsPath, serialized, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, settingsPath);
+}
 function geminiInnerHooksReferenceShield(inner, multicornName) {
   if (!Array.isArray(inner)) return false;
   for (const h of inner) {
@@ -1130,7 +1164,7 @@ async function installClaudeCodeUserSettingsHooks(ask) {
   hooksObj["PostToolUse"] = postArr;
   const out = { ...existing, hooks: hooksObj };
   const serialized = JSON.stringify(out, null, 2) + "\n";
-  await writeFile(settingsPath, serialized, "utf8");
+  await writeFile(settingsPath, serialized, SECRET_JSON_FILE_OPTIONS);
   process.stderr.write(
     "\n" + style.dim("Wrote ") + style.cyan(settingsPath) + style.dim(":") + "\n"
   );
@@ -1232,7 +1266,7 @@ async function installGeminiCliNativeHooks(ask) {
     AfterTool: afterArr
   };
   await mkdir(dirname(settingsPath), { recursive: true });
-  await writeFile(settingsPath, JSON.stringify(existing, null, 2) + "\n", "utf8");
+  await writeFile(settingsPath, JSON.stringify(existing, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
 }
 async function promptGeminiCliIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Gemini CLI integration") + "\n");
@@ -1271,6 +1305,52 @@ function getClaudeDesktopConfigPath() {
       );
   }
 }
+function getCursorMcpJsonPath() {
+  return join(homedir(), ".cursor", "mcp.json");
+}
+function getWindsurfMcpConfigPath() {
+  return join(homedir(), ".codeium", "windsurf", "mcp_config.json");
+}
+function getClineMcpSettingsPath() {
+  switch (process.platform) {
+    case "win32":
+      return join(
+        process.env["APPDATA"] ?? join(homedir(), "AppData", "Roaming"),
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      );
+    case "linux":
+      return join(
+        homedir(),
+        ".config",
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      );
+    default:
+      return join(
+        homedir(),
+        "Library",
+        "Application Support",
+        "Code",
+        "User",
+        "globalStorage",
+        "saoudrizwan.claude-dev",
+        "settings",
+        "cline_mcp_settings.json"
+      );
+  }
+}
+function getContinueConfigJsonPath() {
+  return join(homedir(), ".continue", "config.json");
+}
 var INIT_WIZARD_PLATFORM_REGISTRY = [
   { slug: "openclaw", displayName: "OpenClaw", section: "native" },
   { slug: "claude-code", displayName: "Claude Code", section: "native" },
@@ -1460,9 +1540,11 @@ async function arrowSelect(options, ask, fallbackLabel) {
     process.stdin.on("data", onData);
   });
 }
-async function promptAgentName(ask, platform) {
+async function promptAgentName(ask, platform, defaultNameOverride) {
   const dirPart = normalizeAgentName(basename(process.cwd()));
-  const defaultAgentName = dirPart.length > 0 ? normalizeAgentName(`${dirPart}-${platform}`) || platform : normalizeAgentName(platform) || platform;
+  const computedDefault = dirPart.length > 0 ? normalizeAgentName(`${dirPart}-${platform}`) || platform : normalizeAgentName(platform) || platform;
+  const fromOverride = defaultNameOverride !== void 0 && defaultNameOverride.trim().length > 0 ? normalizeAgentName(defaultNameOverride.trim()) : "";
+  const defaultAgentName = fromOverride.length > 0 ? fromOverride : computedDefault;
   let agentName = "";
   while (agentName.length === 0) {
     const input = await ask(
@@ -1553,6 +1635,240 @@ async function createProxyConfig(baseUrl, apiKey, agentName, targetUrl, serverNa
   const data = envelope["data"];
   return typeof data?.["proxy_url"] === "string" ? data["proxy_url"] : "";
 }
+function writeMcpAddedLine(shortName, filePath) {
+  process.stderr.write(
+    style.green("\u2713") + ' MCP server "' + shortName + '" added to ' + style.cyan(filePath) + "\n"
+  );
+}
+async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+  let root = {};
+  try {
+    const raw = await readFile(filePath, "utf8");
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return "parse-error";
+    }
+    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
+      root = parsed;
+    } else {
+      return "parse-error";
+    }
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") {
+      root = {};
+    } else {
+      throw e;
+    }
+  }
+  const mcpRaw = root["mcpServers"];
+  const mcpServers = typeof mcpRaw === "object" && mcpRaw !== null && !Array.isArray(mcpRaw) ? { ...mcpRaw } : {};
+  mcpServers[shortName] = entry;
+  root["mcpServers"] = mcpServers;
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  return "ok";
+}
+async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
+  const entry = {
+    command: "npx",
+    args: ["-y", "mcp-remote", proxyUrl, "--header", `Authorization: Bearer ${apiKey}`]
+  };
+  return mergeMcpServersObjectStyle(getClaudeDesktopConfigPath(), shortName, entry);
+}
+async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
+  const filePath = getContinueConfigJsonPath();
+  let root = {};
+  try {
+    const raw = await readFile(filePath, "utf8");
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return "parse-error";
+    }
+    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
+      root = parsed;
+    } else {
+      return "parse-error";
+    }
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") {
+      root = {};
+    } else {
+      throw e;
+    }
+  }
+  const rawServers = root["mcpServers"];
+  if (rawServers !== void 0) {
+    if (Array.isArray(rawServers)) ; else if (typeof rawServers === "object" && rawServers !== null) {
+      return "parse-error";
+    } else {
+      return "parse-error";
+    }
+  }
+  const servers = Array.isArray(rawServers) ? rawServers.map((s) => ({ ...s })) : [];
+  const entry = {
+    name: shortName,
+    type: "streamable-http",
+    url: proxyUrl,
+    headers: {
+      Authorization: `Bearer ${apiKey}`
+    }
+  };
+  const idx = servers.findIndex((s) => s["name"] === shortName);
+  if (idx >= 0) {
+    servers[idx] = entry;
+  } else {
+    servers.push(entry);
+  }
+  root["mcpServers"] = servers;
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  return "ok";
+}
+async function mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, ".kilocode", "mcp.json");
+  return mergeMcpServersObjectStyle(filePath, shortName, {
+    url: proxyUrl,
+    headers: {
+      Authorization: `Bearer ${apiKey}`
+    }
+  });
+}
+function printHostedProxyJsonParseWarning(filePath) {
+  process.stderr.write(
+    style.yellow("\u26A0") + " Could not parse JSON at " + style.cyan(filePath) + style.dim(" - showing paste snippet instead.") + "\n"
+  );
+}
+function printHostedProxyPostWriteHints(platform, shortName) {
+  if (platform === "cursor") {
+    process.stderr.write(
+      style.dim("Restart Cursor and check Settings > Tools & MCPs for a green status indicator. ") + style.dim(`Ask Cursor to use your MCP server by its short name (e.g. ${shortName}).`) + "\n"
+    );
+  }
+  if (platform === "claude-desktop") {
+    process.stderr.write(style.dim("Restart Claude Desktop to load the MCP server.") + "\n");
+  }
+  if (platform === "cline") {
+    process.stderr.write(
+      style.dim(
+        "Restart Cline or reload the VS Code window. Cline will discover the Shield tools automatically."
+      ) + "\n"
+    );
+  }
+  if (platform === "windsurf") {
+    process.stderr.write(style.dim("Restart Windsurf (Cmd/Ctrl+Q, then reopen).") + "\n");
+    process.stderr.write(
+      style.dim(
+        "Open the Cascade panel and verify the server appears with a green status indicator."
+      ) + "\n"
+    );
+  }
+  if (platform === "github-copilot" || platform === "continue-dev") {
+    process.stderr.write(
+      style.dim("Reload the editor window if the MCP server does not appear immediately.") + "\n"
+    );
+  }
+  if (platform === "goose") {
+    process.stderr.write(style.dim("Start a new Goose session after updating config.") + "\n");
+  }
+  if (platform === "kilo-code") {
+    process.stderr.write(
+      style.dim("Restart Kilo Code or reload the window so it picks up .kilocode/mcp.json.") + "\n"
+    );
+  }
+}
+async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey, workspacePath) {
+  const authHeader = `Bearer ${apiKey}`;
+  if (platform === "gemini-cli") {
+    await mergeGeminiHostedMcpServersIntoSettings(shortName, proxyUrl, apiKey);
+    process.stderr.write(
+      style.dim(
+        "For project-specific config, copy the mcpServers entry into .gemini/settings.json in your project root. Restart Gemini CLI if it is already running."
+      ) + "\n"
+    );
+    return;
+  }
+  if (platform === "github-copilot") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "GitHub Copilot uses VS Code settings - paste the snippet below into your VS Code Settings (JSON)."
+      ) + "\n"
+    );
+    printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
+    return;
+  }
+  if (platform === "goose") {
+    printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
+    return;
+  }
+  try {
+    let result = "parse-error";
+    if (platform === "cursor") {
+      result = await mergeMcpServersObjectStyle(getCursorMcpJsonPath(), shortName, {
+        url: proxyUrl,
+        headers: { Authorization: authHeader }
+      });
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(getCursorMcpJsonPath());
+      }
+    } else if (platform === "claude-desktop") {
+      result = await mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey);
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(getClaudeDesktopConfigPath());
+      }
+    } else if (platform === "windsurf") {
+      result = await mergeMcpServersObjectStyle(getWindsurfMcpConfigPath(), shortName, {
+        serverUrl: proxyUrl,
+        headers: { Authorization: authHeader }
+      });
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(getWindsurfMcpConfigPath());
+      }
+    } else if (platform === "cline") {
+      result = await mergeMcpServersObjectStyle(getClineMcpSettingsPath(), shortName, {
+        url: proxyUrl,
+        headers: { Authorization: authHeader }
+      });
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(getClineMcpSettingsPath());
+      }
+    } else if (platform === "kilo-code") {
+      result = await mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey);
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(join(workspacePath, ".kilocode", "mcp.json"));
+      }
+    } else if (platform === "continue-dev") {
+      result = await mergeContinueHostedMcp(shortName, proxyUrl, apiKey);
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(getContinueConfigJsonPath());
+      }
+    } else {
+      result = await mergeMcpServersObjectStyle(getCursorMcpJsonPath(), shortName, {
+        url: proxyUrl,
+        headers: { Authorization: authHeader }
+      });
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(getCursorMcpJsonPath());
+      }
+    }
+    if (result === "ok") {
+      printHostedProxyPostWriteHints(platform, shortName);
+      return;
+    }
+  } catch (e) {
+    const detail = e instanceof Error ? e.message : String(e);
+    process.stderr.write(
+      style.yellow("\u26A0") + ` Could not write MCP config automatically (${detail}).
+`
+    );
+  }
+  printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
+}
 function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
   return `extensions:
   ${shortName}:
@@ -1614,6 +1930,36 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
       null,
       2
     );
+  } else if (platform === "claude-desktop") {
+    snippetText = JSON.stringify(
+      {
+        mcpServers: {
+          [shortName]: {
+            command: "npx",
+            args: ["-y", "mcp-remote", routingToken, "--header", `Authorization: ${authHeader}`]
+          }
+        }
+      },
+      null,
+      2
+    );
+  } else if (platform === "continue-dev") {
+    snippetText = JSON.stringify(
+      {
+        mcpServers: [
+          {
+            name: shortName,
+            type: "streamable-http",
+            url: routingToken,
+            headers: {
+              Authorization: authHeader
+            }
+          }
+        ]
+      },
+      null,
+      2
+    );
   } else {
     const urlKey = platform === "windsurf" ? "serverUrl" : "url";
     snippetText = JSON.stringify(
@@ -1638,52 +1984,33 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   } else if (platform === "claude-desktop") {
     process.stderr.write("\n" + style.dim(`Add this to ${getClaudeDesktopConfigPath()}:`) + "\n\n");
   } else if (platform === "windsurf") {
-    process.stderr.write(
-      "\n" + style.dim("Add this to ~/.codeium/windsurf/mcp_config.json:") + "\n\n"
-    );
+    process.stderr.write("\n" + style.dim(`Add this to ${getWindsurfMcpConfigPath()}:`) + "\n\n");
   } else if (platform === "cline") {
-    process.stderr.write("\n" + style.dim("Add this to your Cline MCP settings file:") + "\n");
-    process.stderr.write(
-      style.dim(
-        "  macOS: ~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json"
-      ) + "\n"
-    );
-    process.stderr.write(
-      style.dim(
-        "  Windows: %APPDATA%\\Code\\User\\globalStorage\\saoudrizwan.claude-dev\\settings\\cline_mcp_settings.json"
-      ) + "\n"
-    );
-    process.stderr.write(
-      style.dim(
-        "  Linux: ~/.config/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json"
-      ) + "\n\n"
-    );
+    process.stderr.write("\n" + style.dim(`Add this to ${getClineMcpSettingsPath()}:`) + "\n\n");
   } else if (platform === "gemini-cli") {
     process.stderr.write(
       "\n" + style.dim(
-        "Add this to ~/.gemini/settings.json (create the file if it does not exist). For project-specific config, use .gemini/settings.json in your project root. Restart Gemini CLI after saving. Run /mcp to verify the server is connected."
+        `Merge the snippet below into ${getGeminiCliSettingsPath()} (keep existing hooks and other keys). Restart Gemini CLI if it is already running.`
       ) + "\n\n"
     );
   } else if (platform === "kilo-code") {
     process.stderr.write(
-      "\n" + style.dim("Add this to .kilocode/mcp.json in your project root.") + "\n\n"
+      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilocode", "mcp.json")}:`) + "\n\n"
     );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
-        "Open VS Code Settings (JSON) and merge this under the mcp key. If you do not have an mcp section yet, add one. Copilot picks up MCP servers when you use Agent mode."
+        "Merge this snippet under the mcp key in your VS Code Settings (JSON). If you do not have an mcp section yet, add one. Copilot picks up MCP servers when you use Agent mode."
       ) + "\n\n"
     );
   } else if (platform === "continue-dev") {
-    process.stderr.write(
-      "\n" + style.dim("Save this as .continue/mcpServers/shield.json in your workspace root.") + "\n\n"
-    );
+    process.stderr.write("\n" + style.dim(`Add this to ${getContinueConfigJsonPath()}:`) + "\n\n");
   } else if (platform === "goose") {
     process.stderr.write(
       "\n" + style.dim("Add this to ~/.config/goose/config.yaml under the extensions key.") + "\n\n"
     );
   } else {
-    process.stderr.write("\n" + style.dim("Add this to ~/.cursor/mcp.json:") + "\n\n");
+    process.stderr.write("\n" + style.dim(`Add this to ${getCursorMcpJsonPath()}:`) + "\n\n");
   }
   process.stderr.write(style.cyan(snippetText) + "\n\n");
   if (!usesInlineKey) {
@@ -1732,20 +2059,35 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     process.stderr.write(style.dim("Start a new Goose session after updating config.") + "\n");
   }
 }
+function dedupeAgentsByName(agents) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const a of agents) {
+    if (seen.has(a.name)) continue;
+    seen.add(a.name);
+    out.push(a);
+  }
+  return out;
+}
 function mergeAgentsForPlatform(localAgents, remoteAgents, selectedPlatform) {
-  const localMatches = localAgents.filter((a) => a.platform === selectedPlatform);
-  const seen = new Set(localMatches.map((a) => a.name));
-  const out = localMatches.map((a) => ({ ...a }));
+  const byName = /* @__PURE__ */ new Map();
+  for (const a of localAgents) {
+    if (a.platform !== selectedPlatform) continue;
+    if (!byName.has(a.name)) {
+      byName.set(a.name, { ...a });
+    }
+  }
   for (const r of remoteAgents) {
     if (r.platform !== selectedPlatform) continue;
-    if (seen.has(r.name)) continue;
-    seen.add(r.name);
-    out.push({ name: r.name, platform: selectedPlatform });
+    if (!byName.has(r.name)) {
+      byName.set(r.name, { name: r.name, platform: selectedPlatform });
+    }
   }
-  return out;
+  return [...byName.values()];
 }
 var DEFAULT_SHIELD_API_BASE_URL = "https://api.multicorn.ai";
-async function runInit(explicitBaseUrl) {
+async function runInit(explicitBaseUrl, options) {
+  const verbose = options?.verbose === true;
   if (!process.stdin.isTTY) {
     process.stderr.write(
       style.red("Error: interactive terminal required. Cannot run init with piped input.") + "\n"
@@ -1860,7 +2202,7 @@ async function runInit(explicitBaseUrl) {
 `
         );
         process.stderr.write(
-          "\n" + style.bold("Try it:") + " " + style.cyan(
+          "\n" + style.bold("Try it:") + " make a request in your coding agent - Shield will intercept the first tool call and ask for your consent.\n" + style.dim("Example wrap command: ") + style.cyan(
             "npx multicorn-shield --wrap npx @modelcontextprotocol/server-filesystem /tmp"
           ) + "\n"
         );
@@ -1881,10 +2223,8 @@ async function runInit(explicitBaseUrl) {
       continue;
     }
     const remoteAccountAgents = await fetchRemoteAgentsSummaries(apiKey, resolvedBaseUrl);
-    const agentsForPlatform = mergeAgentsForPlatform(
-      currentAgents,
-      remoteAccountAgents,
-      selectedPlatform
+    const agentsForPlatform = dedupeAgentsByName(
+      mergeAgentsForPlatform(currentAgents, remoteAccountAgents, selectedPlatform)
     );
     const localForPlatformCount = currentAgents.filter(
       (a) => a.platform === selectedPlatform
@@ -1893,11 +2233,13 @@ async function runInit(explicitBaseUrl) {
       (r) => r.platform === selectedPlatform
     ).length;
     const savedSummary = currentAgents.length === 0 ? "none on disk" : currentAgents.map((a) => `${a.name} (${a.platform})`).join(", ");
-    process.stderr.write(
-      style.dim(
-        `[shield init] Menu option ${String(selection)} -> platform slug "${selectedPlatform}". ${String(agentsForPlatform.length)} agent(s) for this platform (local file: ${String(localForPlatformCount)}, account API: ${String(accountForPlatformCount)}). On-disk entries: ${savedSummary}.`
-      ) + "\n"
-    );
+    if (verbose) {
+      process.stderr.write(
+        style.dim(
+          `[shield init] Menu option ${String(selection)} -> platform slug "${selectedPlatform}". ${String(agentsForPlatform.length)} agent(s) for this platform (local file: ${String(localForPlatformCount)}, account API: ${String(accountForPlatformCount)}). On-disk entries: ${savedSummary}.`
+        ) + "\n"
+      );
+    }
     if (agentsForPlatform.length > 0) {
       process.stderr.write(
         `
@@ -1937,6 +2279,14 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         }
       }
     }
+    if (selectedPlatform === "cursor" || selectedPlatform === "github-copilot") {
+      const where = selectedPlatform === "cursor" ? "Cursor" : "GitHub Copilot";
+      process.stderr.write(
+        "\n" + style.dim(
+          `Using Claude models (Sonnet, Opus, Haiku) in ${where}? The Claude Code native plugin is recommended - it governs all tool calls, not just MCP traffic. Run init again and select Claude Code.`
+        ) + "\n\n"
+      );
+    }
     const prereqEntry = INIT_WIZARD_PLATFORM_REGISTRY.find((e) => e.slug === selectedPlatform);
     if (prereqEntry?.prereqUrl !== void 0) {
       const proceed = await promptHostedProxyInstallPrereq(
@@ -1952,7 +2302,7 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         continue;
       }
     }
-    const agentName = await promptAgentName(ask, selectedPlatform);
+    const agentName = await promptAgentName(ask, selectedPlatform, removeAgentNameBeforeSave);
     let setupSucceeded = false;
     if (selectedPlatform === "openclaw") {
       let detection;
@@ -2078,7 +2428,9 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
             ) + style.cyan("~/.multicorn/windsurf-hooks") + style.dim(" if that is a concern.") + "\n\n"
           );
           process.stderr.write(
-            style.dim("Restart Windsurf (quit fully, then reopen) so hooks load.") + "\n"
+            style.dim(
+              "Try it: make a request in Windsurf - Shield will intercept the first tool call and ask for your consent."
+            ) + "\n"
           );
           configuredAgents.push({
             selection,
@@ -2135,7 +2487,13 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         if (created && proxyUrl.length > 0) {
           process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
           process.stderr.write("  " + style.cyan(proxyUrl) + "\n");
-          printPlatformSnippet(selectedPlatform, proxyUrl, shortName, apiKey);
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
           configuredAgents.push({
             selection,
             platform: selectedPlatform,
@@ -2220,7 +2578,13 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         if (created && proxyUrl.length > 0) {
           process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
           process.stderr.write("  " + style.cyan(proxyUrl) + "\n");
-          printPlatformSnippet(selectedPlatform, proxyUrl, shortName, apiKey);
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
           configuredAgents.push({
             selection,
             platform: selectedPlatform,
@@ -2299,7 +2663,13 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         if (created && proxyUrl.length > 0) {
           process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
           process.stderr.write("  " + style.cyan(proxyUrl) + "\n");
-          printPlatformSnippet(selectedPlatform, proxyUrl, shortName, apiKey);
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
           configuredAgents.push({
             selection,
             platform: selectedPlatform,
@@ -2341,7 +2711,13 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
       if (created && proxyUrl.length > 0) {
         process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
         process.stderr.write("  " + style.cyan(proxyUrl) + "\n");
-        printPlatformSnippet(selectedPlatform, proxyUrl, shortName, apiKey);
+        await applyHostedProxyMcpConfig(
+          selectedPlatform,
+          proxyUrl,
+          shortName,
+          apiKey,
+          initWorkspacePath
+        );
         configuredAgents.push({
           selection,
           platform: selectedPlatform,
@@ -2407,42 +2783,42 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     const blocks = [];
     if (configuredPlatforms.has("openclaw")) {
       blocks.push(
-        "\n" + style.bold("OpenClaw") + "\n  \u2192 Restart your gateway: " + style.cyan("openclaw gateway restart") + "\n  \u2192 Start a session: " + style.cyan("openclaw tui") + "\n"
+        "\n" + style.bold("OpenClaw") + "\n  \u2192 Restart your gateway: " + style.cyan("openclaw gateway restart") + "\n  \u2192 Start a session: " + style.cyan("openclaw tui") + "\n  \u2192 Try it: make a request in OpenClaw - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("claude-code")) {
       blocks.push(
-        "\n" + style.bold("Claude Code") + "\n  \u2192 Start Claude Code: " + style.cyan("claude") + "\n  \u2192 Shield will intercept tool calls automatically.\n"
+        "\n" + style.bold("Claude Code") + "\n  \u2192 Start coding: run " + style.cyan("claude") + " in the terminal, or use Cursor with a Claude model - Shield hooks apply to both\n  \u2192 Try it: make a request in Claude Code - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("claude-desktop")) {
       blocks.push(
-        "\n" + style.bold("Claude Desktop") + "\n  \u2192 Restart Claude Desktop to pick up config changes\n"
+        "\n" + style.bold("Claude Desktop") + "\n  \u2192 Restart Claude Desktop to pick up config changes\n  \u2192 Try it: make a request in Claude Desktop - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("cursor")) {
       blocks.push(
-        "\n" + style.bold("Cursor") + "\n  \u2192 If needed, download Cursor from " + style.cyan("https://cursor.com/downloads") + "\n  \u2192 Restart Cursor so it loads the MCP server\n  \u2192 Ask the agent to use your Shield MCP tools by short name\n"
+        "\n" + style.bold("Cursor") + "\n  \u2192 If needed, download Cursor from " + style.cyan("https://www.cursor.com/downloads") + "\n  \u2192 Restart Cursor so it loads the MCP server\n  \u2192 Try it: make a request in Cursor - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("kilo-code")) {
       blocks.push(
-        "\n" + style.bold("Kilo Code") + "\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Run your next task in Kilo Code so it picks up Shield\n"
+        "\n" + style.bold("Kilo Code") + "\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Try it: make a request in Kilo Code - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("github-copilot")) {
       blocks.push(
-        "\n" + style.bold("GitHub Copilot") + "\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Use Copilot Agent mode and verify the MCP server connects\n"
+        "\n" + style.bold("GitHub Copilot") + "\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Open Copilot Agent mode and confirm the MCP server connects\n  \u2192 Try it: make a request in GitHub Copilot - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("continue-dev")) {
       blocks.push(
-        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  \u2192 Reload VS Code and open Continue agent mode\n"
+        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Try it: make a request in Continue - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (configuredPlatforms.has("goose")) {
       blocks.push(
-        "\n" + style.bold("Goose") + "\n  \u2192 Start a new Goose session after updating config\n"
+        "\n" + style.bold("Goose") + "\n  \u2192 Start a new Goose session after updating config\n  \u2192 Try it: make a request in Goose - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     const windsurfNativeConfigured = configuredAgents.some(
@@ -2453,12 +2829,12 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     );
     if (windsurfNativeConfigured) {
       blocks.push(
-        "\n" + style.bold("Windsurf (native)") + "\n  \u2192 Restart Windsurf (quit fully, then reopen)\n"
+        "\n" + style.bold("Windsurf (native)") + "\n  \u2192 Open Windsurf (or restart if it is already running)\n  \u2192 Try it: make a request in Windsurf - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (windsurfHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("Windsurf (hosted)") + "\n  \u2192 If needed, install from " + style.cyan("https://windsurf.com/download") + "\n  \u2192 Restart Windsurf so it loads the MCP server\n"
+        "\n" + style.bold("Windsurf (hosted)") + "\n  \u2192 If needed, install from " + style.cyan("https://windsurf.com/download") + "\n  \u2192 Restart Windsurf so it loads the MCP server\n  \u2192 In Windsurf, open the three-dot menu (top-right of Cascade panel), find your Shield server at the bottom of the list, and toggle it on\n  \u2192 Try it: make a request in Windsurf - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     const clineNativeConfigured = configuredAgents.some(
@@ -2469,12 +2845,12 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     );
     if (clineNativeConfigured) {
       blocks.push(
-        "\n" + style.bold("Cline (native)") + "\n  \u2192 Enable Hooks in Cline settings (Advanced), then reload the VS Code window\n  \u2192 Trigger a tool call to verify Shield is intercepting\n"
+        "\n" + style.bold("Cline (native)") + "\n  \u2192 In Cline, click the settings icon \u2192 Feature Settings \u2192 scroll down to Advanced \u2192 enable Hooks, then reload the VS Code window\n  \u2192 Try it: make a request in Cline - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (clineHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("Cline (hosted)") + "\n  \u2192 Restart Cline or reload the VS Code window\n"
+        "\n" + style.bold("Cline (hosted)") + "\n  \u2192 Restart Cline or reload the VS Code window\n  \u2192 In Cline, open server settings using the plug icon, open the Configure tab, and confirm your Shield server is listed and toggled on\n  \u2192 Try it: make a request in Cline - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     const geminiCliNativeConfigured = configuredAgents.some(
@@ -2485,12 +2861,17 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     );
     if (geminiCliNativeConfigured) {
       blocks.push(
-        "\n" + style.bold("Gemini CLI (native)") + "\n  \u2192 Restart Gemini CLI to activate Shield governance\n"
+        "\n" + style.bold("Gemini CLI (native)") + "\n  \u2192 Start Gemini CLI: run " + style.cyan("gemini") + " in your terminal (exit any existing session first)\n  \u2192 Try it: make a request in Gemini CLI - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (geminiCliHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("Gemini CLI (hosted)") + "\n  \u2192 Restart Gemini CLI, then run " + style.cyan("/mcp") + " to verify the server\n"
+        "\n" + style.bold("Gemini CLI (hosted)") + "\n  \u2192 Try it: make a request in Gemini CLI - Shield will intercept the first tool call and ask for your consent\n"
+      );
+    }
+    if (configuredPlatforms.has("other-mcp")) {
+      blocks.push(
+        "\n" + style.bold("Local MCP / Other") + "\n  \u2192 Run your configured wrap command (for example " + style.cyan("npx multicorn-shield --wrap ...") + ")\n  \u2192 Try it: make a request in your coding agent - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
     if (blocks.length > 0) {
@@ -3381,7 +3762,10 @@ async function restoreClaudeDesktopMcpFromBackup() {
   }
   root["mcpServers"] = backup.mcpServers;
   await mkdir(dirname(configPath), { recursive: true });
-  await writeFile(configPath, JSON.stringify(root, null, 2) + "\n", { encoding: "utf8" });
+  await writeFile(configPath, JSON.stringify(root, null, 2) + "\n", {
+    encoding: "utf8",
+    mode: 384
+  });
 }
 
 // bin/multicorn-shield.ts
@@ -3396,6 +3780,7 @@ function parseArgs(argv) {
   let agentName = "";
   let deleteAgentName = "";
   let apiKey = void 0;
+  let verbose = false;
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
     if (arg === "init") {
@@ -3495,6 +3880,8 @@ function parseArgs(argv) {
         apiKey = next;
         i++;
       }
+    } else if (arg === "--verbose" || arg === "--debug") {
+      verbose = true;
     }
   }
   return {
@@ -3506,7 +3893,8 @@ function parseArgs(argv) {
     dashboardUrl,
     agentName,
     deleteAgentName,
-    apiKey
+    apiKey,
+    verbose
   };
 }
 function printHelp() {
@@ -3532,6 +3920,7 @@ function printHelp() {
       "      Shield's permission layer.",
       "",
       "Options:",
+      "  --verbose, --debug   Print extra diagnostics during init (menu selection, agent counts)",
       "  --api-key <key>       Multicorn API key (overrides MULTICORN_API_KEY env var and config file)",
       "  --log-level <level>   Log level: debug | info | warn | error  (default: info)",
       "  --base-url <url>      Multicorn API base URL  (default: https://api.multicorn.ai)",
@@ -3562,7 +3951,7 @@ async function runCli() {
     process.exit(0);
   }
   if (cli.subcommand === "init") {
-    await runInit(cli.baseUrl);
+    await runInit(cli.baseUrl, { verbose: cli.verbose });
     return;
   }
   if (cli.subcommand === "agents") {