multicorn-shield 1.6.0 → 1.7.0

package/CHANGELOG.md

@@ -9,7 +9,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Bump `version` in `package.json` before publishing to npm.
 
-## [1.5.0] - 2026-05-10
+## [1.7.0] - 2026-05-11
+
+### Fixed
+
+- Agent name now uses user-provided short name instead of auto-generated default
+- Goose config snippet uses `uri` instead of incorrect `url`
+- Replace flow deduplicates agent list loaded from config on startup
+
+### Changed
+
+- Add runtime dependency on [`yaml`](https://www.npmjs.com/package/yaml) (ISC) for safe Goose `config.yaml` read/write in the hosted-proxy CLI path
+- GitHub Copilot: CLI auto-writes config to `.vscode/mcp.json`
+- Kilo Code: CLI writes to `.kilo/kilo.jsonc` with correct format (`mcp` key, `type: remote`)
+- Continue: CLI writes YAML to `.continue/mcpServers/<name>.yaml` in workspace root
+- Goose: CLI auto-writes to `~/.config/goose/config.yaml`
+- All hosted proxy platforms: Next Steps includes where to verify connection and example prompt
+- Claude Desktop removed from hosted proxy platform list (consent URL not clickable)
+
+## [1.6.0] - 2026-05-10
 
 ### Added
 

package/dist/multicorn-proxy.js

@@ -8,6 +8,7 @@ import { readFileSync, existsSync, statSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
 import { createInterface } from 'readline';
+import { parse, stringify } from 'yaml';
 import 'stream';
 
 var __defProp = Object.defineProperty;
@@ -1346,9 +1347,6 @@ function getClineMcpSettingsPath() {
       );
   }
 }
-function getContinueConfigJsonPath() {
-  return join(homedir(), ".continue", "config.json");
-}
 function platformMenuLabelForSelection(sel) {
   const slug = PLATFORM_BY_SELECTION[sel];
   if (slug === void 0) return "Unknown";
@@ -1650,13 +1648,56 @@ function writeMcpAddedLine(shortName, filePath) {
     style.green("\u2713") + ' MCP server "' + shortName + '" added to ' + style.cyan(filePath) + "\n"
   );
 }
-async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+function sanitiseYamlValue(value) {
+  if (value.length === 0) {
+    return "''";
+  }
+  const needsQuoting = /[:#\n{}]/.test(value) || value.includes("[") || value.includes("]") || value !== value.trim() || value.includes("'");
+  if (!needsQuoting) {
+    return value;
+  }
+  return `'${value.replace(/'/g, "''")}'`;
+}
+function gitignoreLikelyCoversPath(relPosixPath, gitignoreBody) {
+  const norm = relPosixPath.replace(/\\/g, "/").replace(/^\.\//, "");
+  const lines = gitignoreBody.split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#") || line.startsWith("!")) continue;
+    const pat = line.replace(/^\//, "");
+    if (pat === norm || pat === `./${norm}`) return true;
+    if (!pat.includes("*")) {
+      if (pat.endsWith("/")) {
+        const dir = pat.slice(0, -1);
+        if (norm === dir || norm.startsWith(`${dir}/`)) return true;
+      }
+    }
+  }
+  return false;
+}
+async function warnIfApiKeyFileNotGitignored(workspaceRoot, relativePosixPath) {
+  const gitignorePath = join(workspaceRoot, ".gitignore");
+  let content;
+  try {
+    content = await readFile(gitignorePath, "utf8");
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") return;
+    throw e;
+  }
+  const norm = relativePosixPath.replace(/\\/g, "/").replace(/^\.\//, "");
+  if (gitignoreLikelyCoversPath(norm, content)) return;
+  process.stderr.write(
+    style.yellow("\u26A0") + " Config contains your API key. Add " + style.cyan(norm) + " to .gitignore to avoid committing credentials.\n"
+  );
+}
+async function mergeTopLevelKeyedJsonFile(filePath, topLevelKey, shortName, entry, options) {
   let root = {};
   try {
     const raw = await readFile(filePath, "utf8");
+    const toParse = options.stripJsonComments ? raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "") : raw;
     let parsed;
     try {
-      parsed = JSON.parse(raw);
+      parsed = JSON.parse(toParse);
     } catch {
       return "parse-error";
     }
@@ -1672,15 +1713,25 @@ async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
       throw e;
     }
   }
-  const mcpRaw = root["mcpServers"];
-  const mcpServers = typeof mcpRaw === "object" && mcpRaw !== null && !Array.isArray(mcpRaw) ? { ...mcpRaw } : {};
-  mcpServers[shortName] = entry;
-  root["mcpServers"] = mcpServers;
+  const bucketRaw = root[topLevelKey];
+  const bucket = typeof bucketRaw === "object" && bucketRaw !== null && !Array.isArray(bucketRaw) ? { ...bucketRaw } : {};
+  if (options.onExisting === "skip" && bucket[shortName] !== void 0) {
+    return "unchanged";
+  }
+  bucket[shortName] = entry;
+  root[topLevelKey] = bucket;
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
   writeMcpAddedLine(shortName, filePath);
   return "ok";
 }
+async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+  const result = await mergeTopLevelKeyedJsonFile(filePath, "mcpServers", shortName, entry, {
+    stripJsonComments: false,
+    onExisting: "overwrite"
+  });
+  return result === "parse-error" ? "parse-error" : "ok";
+}
 async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
   const entry = {
     command: "npx",
@@ -1688,8 +1739,30 @@ async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
   };
   return mergeMcpServersObjectStyle(getClaudeDesktopConfigPath(), shortName, entry);
 }
-async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
-  const filePath = getContinueConfigJsonPath();
+async function mergeContinueHostedMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const dir = join(workspacePath, ".continue", "mcpServers");
+  const filePath = join(dir, `${shortName}.yaml`);
+  const sn = sanitiseYamlValue(shortName);
+  const urlEsc = sanitiseYamlValue(proxyUrl);
+  const authEsc = sanitiseYamlValue(`Bearer ${apiKey}`);
+  const yaml = `name: ${sn}
+version: 0.0.1
+schema: v1
+mcpServers:
+  - name: ${sn}
+    type: streamable-http
+    url: ${urlEsc}
+    headers:
+      Authorization: ${authEsc}
+`;
+  await mkdir(dir, { recursive: true });
+  await writeFile(filePath, yaml, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  await warnIfApiKeyFileNotGitignored(workspacePath, `.continue/mcpServers/${shortName}.yaml`);
+  return "ok";
+}
+async function mergeCopilotVscodeMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, ".vscode", "mcp.json");
   let root = {};
   try {
     const raw = await readFile(filePath, "utf8");
@@ -1711,43 +1784,49 @@ async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
       throw e;
     }
   }
-  const rawServers = root["mcpServers"];
-  if (rawServers !== void 0) {
-    if (Array.isArray(rawServers)) ; else if (typeof rawServers === "object" && rawServers !== null) {
-      return "parse-error";
-    } else {
-      return "parse-error";
-    }
-  }
-  const servers = Array.isArray(rawServers) ? rawServers.map((s) => ({ ...s })) : [];
-  const entry = {
-    name: shortName,
-    type: "streamable-http",
+  const serversRaw = root["servers"];
+  const servers = typeof serversRaw === "object" && serversRaw !== null && !Array.isArray(serversRaw) ? { ...serversRaw } : {};
+  const existed = servers[shortName] !== void 0;
+  servers[shortName] = {
+    type: "http",
     url: proxyUrl,
-    headers: {
-      Authorization: `Bearer ${apiKey}`
-    }
+    headers: { Authorization: `Bearer ${apiKey}` }
   };
-  const idx = servers.findIndex((s) => s["name"] === shortName);
-  if (idx >= 0) {
-    servers[idx] = entry;
-  } else {
-    servers.push(entry);
-  }
-  root["mcpServers"] = servers;
+  root["servers"] = servers;
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
-  writeMcpAddedLine(shortName, filePath);
+  if (existed) {
+    process.stderr.write(
+      style.dim(`Updated existing server entry for ${shortName} in .vscode/mcp.json`) + "\n"
+    );
+  } else {
+    writeMcpAddedLine(shortName, filePath);
+  }
+  await warnIfApiKeyFileNotGitignored(workspacePath, ".vscode/mcp.json");
   return "ok";
 }
 async function mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
-  const filePath = join(workspacePath, ".kilocode", "mcp.json");
-  return mergeMcpServersObjectStyle(filePath, shortName, {
-    url: proxyUrl,
-    headers: {
-      Authorization: `Bearer ${apiKey}`
+  const filePath = join(workspacePath, ".kilo", "kilo.jsonc");
+  const result = await mergeTopLevelKeyedJsonFile(
+    filePath,
+    "mcp",
+    shortName,
+    {
+      type: "remote",
+      url: proxyUrl,
+      headers: { Authorization: `Bearer ${apiKey}` },
+      enabled: true
+    },
+    {
+      stripJsonComments: true,
+      onExisting: "skip"
     }
-  });
+  );
+  if (result === "parse-error") return "parse-error";
+  if (result === "ok") {
+    await warnIfApiKeyFileNotGitignored(workspacePath, ".kilo/kilo.jsonc");
+  }
+  return "ok";
 }
 function printHostedProxyJsonParseWarning(filePath) {
   process.stderr.write(
@@ -1788,7 +1867,7 @@ function printHostedProxyPostWriteHints(platform, shortName) {
   }
   if (platform === "kilo-code") {
     process.stderr.write(
-      style.dim("Restart Kilo Code or reload the window so it picks up .kilocode/mcp.json.") + "\n"
+      style.dim("Restart Kilo Code or reload the window so it picks up .kilo/kilo.jsonc.") + "\n"
     );
   }
 }
@@ -1805,15 +1884,40 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
     return;
   }
   if (platform === "github-copilot") {
-    process.stderr.write(
-      "\n" + style.dim(
-        "GitHub Copilot uses VS Code settings - paste the snippet below into your VS Code Settings (JSON)."
-      ) + "\n"
-    );
+    try {
+      const result = await mergeCopilotVscodeMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
+      if (result === "ok") {
+        printHostedProxyPostWriteHints(platform, shortName);
+        return;
+      }
+      printHostedProxyJsonParseWarning(join(workspacePath, ".vscode", "mcp.json"));
+    } catch (err) {
+      process.stderr.write(
+        `${style.yellow("!")} Could not auto-write config: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
     printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
     return;
   }
   if (platform === "goose") {
+    try {
+      const result = await mergeGooseConfig(shortName, proxyUrlWithKeyWhenNeeded, apiKey);
+      if (result === "ok") {
+        printHostedProxyPostWriteHints(platform, shortName);
+        return;
+      }
+    } catch (err) {
+      process.stderr.write(
+        `${style.yellow("!")} Could not auto-write config: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
     printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
     return;
   }
@@ -1860,12 +1964,19 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
         apiKey
       );
       if (result === "parse-error") {
-        printHostedProxyJsonParseWarning(join(workspacePath, ".kilocode", "mcp.json"));
+        printHostedProxyJsonParseWarning(join(workspacePath, ".kilo", "kilo.jsonc"));
       }
     } else if (platform === "continue-dev") {
-      result = await mergeContinueHostedMcp(shortName, proxyUrlWithKeyWhenNeeded, apiKey);
+      result = await mergeContinueHostedMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
       if (result === "parse-error") {
-        printHostedProxyJsonParseWarning(getContinueConfigJsonPath());
+        printHostedProxyJsonParseWarning(
+          join(workspacePath, ".continue", "mcpServers", `${shortName}.yaml`)
+        );
       }
     } else {
       result = await mergeMcpServersObjectStyle(getCursorMcpJsonPath(), shortName, {
@@ -1889,16 +2000,95 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
   }
   printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
 }
-function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
-  return `extensions:
-  ${shortName}:
+function printGooseConfigYamlParseErrorToStderr() {
+  process.stderr.write(
+    style.yellow("!") + " Could not parse ~/.config/goose/config.yaml - check for syntax errors or invalid YAML\n"
+  );
+}
+function gooseExtensionYaml(shortName, proxyUrl, bearerHeader) {
+  const sn = sanitiseYamlValue(shortName);
+  const urlEsc = sanitiseYamlValue(proxyUrl);
+  const authEsc = sanitiseYamlValue(bearerHeader);
+  return `  ${sn}:
+    enabled: true
     type: streamable_http
-    url: ${proxyUrl}
+    name: ${sn}
+    description: ''
+    uri: ${urlEsc}
+    envs: {}
+    env_keys: []
     headers:
-      Authorization: ${bearerHeader}
-    enabled: true
+      Authorization: ${authEsc}
     timeout: 300
+    socket: null
+    bundled: null
+    available_tools: []
+`;
+}
+function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
+  return `extensions:
+` + gooseExtensionYaml(shortName, proxyUrl, bearerHeader);
+}
+function isYamlPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+async function mergeGooseConfig(shortName, proxyUrl, apiKey) {
+  const filePath = join(homedir(), ".config", "goose", "config.yaml");
+  const bearerHeader = `Bearer ${apiKey}`;
+  let content = "";
+  try {
+    content = await readFile(filePath, "utf8");
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") {
+      content = "";
+    } else {
+      throw e;
+    }
+  }
+  let root;
+  try {
+    const data = content.trim().length === 0 ? {} : parse(content);
+    if (data === null || typeof data !== "object" || Array.isArray(data)) {
+      printGooseConfigYamlParseErrorToStderr();
+      return "parse-error";
+    }
+    root = data;
+  } catch {
+    printGooseConfigYamlParseErrorToStderr();
+    return "parse-error";
+  }
+  const extensionsRaw = root["extensions"];
+  let extensions;
+  if (isYamlPlainObject(extensionsRaw)) {
+    extensions = { ...extensionsRaw };
+  } else if (extensionsRaw === void 0) {
+    extensions = {};
+  } else {
+    printGooseConfigYamlParseErrorToStderr();
+    return "parse-error";
+  }
+  extensions[shortName] = {
+    enabled: true,
+    type: "streamable_http",
+    name: shortName,
+    description: "",
+    uri: proxyUrl,
+    envs: {},
+    env_keys: [],
+    headers: { Authorization: bearerHeader },
+    timeout: 300,
+    socket: null,
+    bundled: null,
+    available_tools: []
+  };
+  root["extensions"] = extensions;
+  const out = stringify(root, { indent: 2, lineWidth: 0 });
+  const body = out.endsWith("\n") ? out : `${out}
 `;
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, body, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  return "ok";
 }
 function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   const hostedInlinePlatforms = /* @__PURE__ */ new Set([
@@ -1919,14 +2109,12 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   if (platform === "github-copilot") {
     snippetText = JSON.stringify(
       {
-        mcp: {
-          servers: {
-            [shortName]: {
-              type: "http",
-              url: urlInSnippet,
-              headers: {
-                Authorization: authHeader
-              }
+        servers: {
+          [shortName]: {
+            type: "http",
+            url: urlInSnippet,
+            headers: {
+              Authorization: authHeader
             }
           }
         }
@@ -1965,18 +2153,32 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
       2
     );
   } else if (platform === "continue-dev") {
+    const sn = sanitiseYamlValue(shortName);
+    const urlEsc = sanitiseYamlValue(urlInSnippet);
+    const authEsc = sanitiseYamlValue(authHeader);
+    snippetText = `name: ${sn}
+version: 0.0.1
+schema: v1
+mcpServers:
+  - name: ${sn}
+    type: streamable-http
+    url: ${urlEsc}
+    headers:
+      Authorization: ${authEsc}
+`;
+  } else if (platform === "kilo-code") {
     snippetText = JSON.stringify(
       {
-        mcpServers: [
-          {
-            name: shortName,
-            type: "streamable-http",
+        mcp: {
+          [shortName]: {
+            type: "remote",
             url: urlInSnippet,
             headers: {
               Authorization: authHeader
-            }
+            },
+            enabled: true
           }
-        ]
+        }
       },
       null,
       2
@@ -2016,16 +2218,18 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     );
   } else if (platform === "kilo-code") {
     process.stderr.write(
-      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilocode", "mcp.json")}:`) + "\n\n"
+      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilo", "kilo.jsonc")}:`) + "\n\n"
     );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
-        "Merge this snippet under the mcp key in your VS Code Settings (JSON). If you do not have an mcp section yet, add one. Copilot picks up MCP servers when you use Agent mode."
+        "Create .vscode/mcp.json in your workspace root (create the .vscode folder if it does not exist). After saving, reload VS Code and confirm the server appears in Copilot Agent mode under Tools."
       ) + "\n\n"
     );
   } else if (platform === "continue-dev") {
-    process.stderr.write("\n" + style.dim(`Add this to ${getContinueConfigJsonPath()}:`) + "\n\n");
+    process.stderr.write(
+      "\n" + style.dim(`Save this as .continue/mcpServers/${shortName}.yaml in your workspace root.`) + "\n\n"
+    );
   } else if (platform === "goose") {
     process.stderr.write(
       "\n" + style.dim("Add this to ~/.config/goose/config.yaml under the extensions key.") + "\n\n"
@@ -2201,7 +2405,7 @@ async function runInit(explicitBaseUrl, options) {
   }
   await warnIfInstalledShieldIsOutdated();
   const configuredAgents = [];
-  let currentAgents = collectAgentsFromConfig(existing);
+  let currentAgents = mergeAgentsForUniqueNames(collectAgentsFromConfig(existing));
   let lastConfig = {
     apiKey,
     baseUrl: resolvedBaseUrl,
@@ -2862,23 +3066,27 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
       );
     }
     if (configuredPlatforms.has("kilo-code")) {
+      const kiloLabel = mcpPromptLabel2("kilo-code");
       blocks.push(
-        "\n" + style.bold("Kilo Code") + "\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Try it: make a request in Kilo Code - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Kilo Code") + '\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Confirm connection: Settings \u2192 Agent Behaviour \u2192 MCP Servers\n  \u2192 Try it: paste this into Kilo Code:\n    "Use the ' + kiloLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("github-copilot")) {
+      const copilotLabel = mcpPromptLabel2("github-copilot");
       blocks.push(
-        "\n" + style.bold("GitHub Copilot") + "\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Open Copilot Agent mode and confirm the MCP server connects\n  \u2192 Try it: make a request in GitHub Copilot - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("GitHub Copilot") + '\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Confirm connection: open Copilot chat in Agent mode and confirm the server appears under Tools\n  \u2192 Try it: paste this into GitHub Copilot:\n    "Use the ' + copilotLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("continue-dev")) {
+      const continueLabel = mcpPromptLabel2("continue-dev");
       blocks.push(
-        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Try it: make a request in Continue - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + '\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Confirm connection: Settings \u2192 Tools \u2192 MCP Servers\n  \u2192 Try it: paste this into Continue:\n    "Use the ' + continueLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("goose")) {
+      const gooseLabel = mcpPromptLabel2("goose");
       blocks.push(
-        "\n" + style.bold("Goose") + "\n  \u2192 Start a new Goose session after updating config\n  \u2192 Try it: make a request in Goose - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Goose") + '\n  \u2192 Start a new Goose session after updating config\n  \u2192 Confirm connection: check the Extensions page in the sidebar\n  \u2192 Try it: paste this into Goose:\n    "Use the ' + gooseLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     const windsurfNativeConfigured = configuredAgents.some(
@@ -3992,7 +4200,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "multicorn-shield",
-      version: "1.6.0",
+      version: "1.7.0",
       description: "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
       license: "MIT",
       author: "Multicorn AI Pty Ltd",
@@ -4083,6 +4291,7 @@ var init_package = __esm({
       dependencies: {
         "@modelcontextprotocol/sdk": "^1.27.1",
         lit: "^3.2.0",
+        yaml: "^2.8.2",
         zod: "^4.3.6"
       },
       devDependencies: {

package/dist/multicorn-shield.js

@@ -6,6 +6,7 @@ import { homedir } from 'os';
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
 import { createInterface } from 'readline';
+import { parse, stringify } from 'yaml';
 import { spawn } from 'child_process';
 import { createHash } from 'crypto';
 import 'stream';
@@ -1360,9 +1361,6 @@ function getClineMcpSettingsPath() {
       );
   }
 }
-function getContinueConfigJsonPath() {
-  return join(homedir(), ".continue", "config.json");
-}
 var INIT_WIZARD_PLATFORM_REGISTRY = [
   { slug: "openclaw", displayName: "OpenClaw", section: "native" },
   { slug: "claude-code", displayName: "Claude Code", section: "native" },
@@ -1730,13 +1728,56 @@ function writeMcpAddedLine(shortName, filePath) {
     style.green("\u2713") + ' MCP server "' + shortName + '" added to ' + style.cyan(filePath) + "\n"
   );
 }
-async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+function sanitiseYamlValue(value) {
+  if (value.length === 0) {
+    return "''";
+  }
+  const needsQuoting = /[:#\n{}]/.test(value) || value.includes("[") || value.includes("]") || value !== value.trim() || value.includes("'");
+  if (!needsQuoting) {
+    return value;
+  }
+  return `'${value.replace(/'/g, "''")}'`;
+}
+function gitignoreLikelyCoversPath(relPosixPath, gitignoreBody) {
+  const norm = relPosixPath.replace(/\\/g, "/").replace(/^\.\//, "");
+  const lines = gitignoreBody.split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#") || line.startsWith("!")) continue;
+    const pat = line.replace(/^\//, "");
+    if (pat === norm || pat === `./${norm}`) return true;
+    if (!pat.includes("*")) {
+      if (pat.endsWith("/")) {
+        const dir = pat.slice(0, -1);
+        if (norm === dir || norm.startsWith(`${dir}/`)) return true;
+      }
+    }
+  }
+  return false;
+}
+async function warnIfApiKeyFileNotGitignored(workspaceRoot, relativePosixPath) {
+  const gitignorePath = join(workspaceRoot, ".gitignore");
+  let content;
+  try {
+    content = await readFile(gitignorePath, "utf8");
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") return;
+    throw e;
+  }
+  const norm = relativePosixPath.replace(/\\/g, "/").replace(/^\.\//, "");
+  if (gitignoreLikelyCoversPath(norm, content)) return;
+  process.stderr.write(
+    style.yellow("\u26A0") + " Config contains your API key. Add " + style.cyan(norm) + " to .gitignore to avoid committing credentials.\n"
+  );
+}
+async function mergeTopLevelKeyedJsonFile(filePath, topLevelKey, shortName, entry, options) {
   let root = {};
   try {
     const raw = await readFile(filePath, "utf8");
+    const toParse = options.stripJsonComments ? raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "") : raw;
     let parsed;
     try {
-      parsed = JSON.parse(raw);
+      parsed = JSON.parse(toParse);
     } catch {
       return "parse-error";
     }
@@ -1752,15 +1793,25 @@ async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
       throw e;
     }
   }
-  const mcpRaw = root["mcpServers"];
-  const mcpServers = typeof mcpRaw === "object" && mcpRaw !== null && !Array.isArray(mcpRaw) ? { ...mcpRaw } : {};
-  mcpServers[shortName] = entry;
-  root["mcpServers"] = mcpServers;
+  const bucketRaw = root[topLevelKey];
+  const bucket = typeof bucketRaw === "object" && bucketRaw !== null && !Array.isArray(bucketRaw) ? { ...bucketRaw } : {};
+  if (options.onExisting === "skip" && bucket[shortName] !== void 0) {
+    return "unchanged";
+  }
+  bucket[shortName] = entry;
+  root[topLevelKey] = bucket;
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
   writeMcpAddedLine(shortName, filePath);
   return "ok";
 }
+async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+  const result = await mergeTopLevelKeyedJsonFile(filePath, "mcpServers", shortName, entry, {
+    stripJsonComments: false,
+    onExisting: "overwrite"
+  });
+  return result === "parse-error" ? "parse-error" : "ok";
+}
 async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
   const entry = {
     command: "npx",
@@ -1768,8 +1819,30 @@ async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
   };
   return mergeMcpServersObjectStyle(getClaudeDesktopConfigPath(), shortName, entry);
 }
-async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
-  const filePath = getContinueConfigJsonPath();
+async function mergeContinueHostedMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const dir = join(workspacePath, ".continue", "mcpServers");
+  const filePath = join(dir, `${shortName}.yaml`);
+  const sn = sanitiseYamlValue(shortName);
+  const urlEsc = sanitiseYamlValue(proxyUrl);
+  const authEsc = sanitiseYamlValue(`Bearer ${apiKey}`);
+  const yaml = `name: ${sn}
+version: 0.0.1
+schema: v1
+mcpServers:
+  - name: ${sn}
+    type: streamable-http
+    url: ${urlEsc}
+    headers:
+      Authorization: ${authEsc}
+`;
+  await mkdir(dir, { recursive: true });
+  await writeFile(filePath, yaml, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  await warnIfApiKeyFileNotGitignored(workspacePath, `.continue/mcpServers/${shortName}.yaml`);
+  return "ok";
+}
+async function mergeCopilotVscodeMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, ".vscode", "mcp.json");
   let root = {};
   try {
     const raw = await readFile(filePath, "utf8");
@@ -1791,43 +1864,49 @@ async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
       throw e;
     }
   }
-  const rawServers = root["mcpServers"];
-  if (rawServers !== void 0) {
-    if (Array.isArray(rawServers)) ; else if (typeof rawServers === "object" && rawServers !== null) {
-      return "parse-error";
-    } else {
-      return "parse-error";
-    }
-  }
-  const servers = Array.isArray(rawServers) ? rawServers.map((s) => ({ ...s })) : [];
-  const entry = {
-    name: shortName,
-    type: "streamable-http",
+  const serversRaw = root["servers"];
+  const servers = typeof serversRaw === "object" && serversRaw !== null && !Array.isArray(serversRaw) ? { ...serversRaw } : {};
+  const existed = servers[shortName] !== void 0;
+  servers[shortName] = {
+    type: "http",
     url: proxyUrl,
-    headers: {
-      Authorization: `Bearer ${apiKey}`
-    }
+    headers: { Authorization: `Bearer ${apiKey}` }
   };
-  const idx = servers.findIndex((s) => s["name"] === shortName);
-  if (idx >= 0) {
-    servers[idx] = entry;
-  } else {
-    servers.push(entry);
-  }
-  root["mcpServers"] = servers;
+  root["servers"] = servers;
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
-  writeMcpAddedLine(shortName, filePath);
+  if (existed) {
+    process.stderr.write(
+      style.dim(`Updated existing server entry for ${shortName} in .vscode/mcp.json`) + "\n"
+    );
+  } else {
+    writeMcpAddedLine(shortName, filePath);
+  }
+  await warnIfApiKeyFileNotGitignored(workspacePath, ".vscode/mcp.json");
   return "ok";
 }
 async function mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
-  const filePath = join(workspacePath, ".kilocode", "mcp.json");
-  return mergeMcpServersObjectStyle(filePath, shortName, {
-    url: proxyUrl,
-    headers: {
-      Authorization: `Bearer ${apiKey}`
+  const filePath = join(workspacePath, ".kilo", "kilo.jsonc");
+  const result = await mergeTopLevelKeyedJsonFile(
+    filePath,
+    "mcp",
+    shortName,
+    {
+      type: "remote",
+      url: proxyUrl,
+      headers: { Authorization: `Bearer ${apiKey}` },
+      enabled: true
+    },
+    {
+      stripJsonComments: true,
+      onExisting: "skip"
     }
-  });
+  );
+  if (result === "parse-error") return "parse-error";
+  if (result === "ok") {
+    await warnIfApiKeyFileNotGitignored(workspacePath, ".kilo/kilo.jsonc");
+  }
+  return "ok";
 }
 function printHostedProxyJsonParseWarning(filePath) {
   process.stderr.write(
@@ -1868,7 +1947,7 @@ function printHostedProxyPostWriteHints(platform, shortName) {
   }
   if (platform === "kilo-code") {
     process.stderr.write(
-      style.dim("Restart Kilo Code or reload the window so it picks up .kilocode/mcp.json.") + "\n"
+      style.dim("Restart Kilo Code or reload the window so it picks up .kilo/kilo.jsonc.") + "\n"
     );
   }
 }
@@ -1885,15 +1964,40 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
     return;
   }
   if (platform === "github-copilot") {
-    process.stderr.write(
-      "\n" + style.dim(
-        "GitHub Copilot uses VS Code settings - paste the snippet below into your VS Code Settings (JSON)."
-      ) + "\n"
-    );
+    try {
+      const result = await mergeCopilotVscodeMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
+      if (result === "ok") {
+        printHostedProxyPostWriteHints(platform, shortName);
+        return;
+      }
+      printHostedProxyJsonParseWarning(join(workspacePath, ".vscode", "mcp.json"));
+    } catch (err) {
+      process.stderr.write(
+        `${style.yellow("!")} Could not auto-write config: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
     printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
     return;
   }
   if (platform === "goose") {
+    try {
+      const result = await mergeGooseConfig(shortName, proxyUrlWithKeyWhenNeeded, apiKey);
+      if (result === "ok") {
+        printHostedProxyPostWriteHints(platform, shortName);
+        return;
+      }
+    } catch (err) {
+      process.stderr.write(
+        `${style.yellow("!")} Could not auto-write config: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
     printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
     return;
   }
@@ -1940,12 +2044,19 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
         apiKey
       );
       if (result === "parse-error") {
-        printHostedProxyJsonParseWarning(join(workspacePath, ".kilocode", "mcp.json"));
+        printHostedProxyJsonParseWarning(join(workspacePath, ".kilo", "kilo.jsonc"));
       }
     } else if (platform === "continue-dev") {
-      result = await mergeContinueHostedMcp(shortName, proxyUrlWithKeyWhenNeeded, apiKey);
+      result = await mergeContinueHostedMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
       if (result === "parse-error") {
-        printHostedProxyJsonParseWarning(getContinueConfigJsonPath());
+        printHostedProxyJsonParseWarning(
+          join(workspacePath, ".continue", "mcpServers", `${shortName}.yaml`)
+        );
       }
     } else {
       result = await mergeMcpServersObjectStyle(getCursorMcpJsonPath(), shortName, {
@@ -1969,17 +2080,96 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
   }
   printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
 }
-function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
-  return `extensions:
-  ${shortName}:
+function printGooseConfigYamlParseErrorToStderr() {
+  process.stderr.write(
+    style.yellow("!") + " Could not parse ~/.config/goose/config.yaml - check for syntax errors or invalid YAML\n"
+  );
+}
+function gooseExtensionYaml(shortName, proxyUrl, bearerHeader) {
+  const sn = sanitiseYamlValue(shortName);
+  const urlEsc = sanitiseYamlValue(proxyUrl);
+  const authEsc = sanitiseYamlValue(bearerHeader);
+  return `  ${sn}:
+    enabled: true
     type: streamable_http
-    url: ${proxyUrl}
+    name: ${sn}
+    description: ''
+    uri: ${urlEsc}
+    envs: {}
+    env_keys: []
     headers:
-      Authorization: ${bearerHeader}
-    enabled: true
+      Authorization: ${authEsc}
     timeout: 300
+    socket: null
+    bundled: null
+    available_tools: []
 `;
 }
+function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
+  return `extensions:
+` + gooseExtensionYaml(shortName, proxyUrl, bearerHeader);
+}
+function isYamlPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+async function mergeGooseConfig(shortName, proxyUrl, apiKey) {
+  const filePath = join(homedir(), ".config", "goose", "config.yaml");
+  const bearerHeader = `Bearer ${apiKey}`;
+  let content = "";
+  try {
+    content = await readFile(filePath, "utf8");
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") {
+      content = "";
+    } else {
+      throw e;
+    }
+  }
+  let root;
+  try {
+    const data = content.trim().length === 0 ? {} : parse(content);
+    if (data === null || typeof data !== "object" || Array.isArray(data)) {
+      printGooseConfigYamlParseErrorToStderr();
+      return "parse-error";
+    }
+    root = data;
+  } catch {
+    printGooseConfigYamlParseErrorToStderr();
+    return "parse-error";
+  }
+  const extensionsRaw = root["extensions"];
+  let extensions;
+  if (isYamlPlainObject(extensionsRaw)) {
+    extensions = { ...extensionsRaw };
+  } else if (extensionsRaw === void 0) {
+    extensions = {};
+  } else {
+    printGooseConfigYamlParseErrorToStderr();
+    return "parse-error";
+  }
+  extensions[shortName] = {
+    enabled: true,
+    type: "streamable_http",
+    name: shortName,
+    description: "",
+    uri: proxyUrl,
+    envs: {},
+    env_keys: [],
+    headers: { Authorization: bearerHeader },
+    timeout: 300,
+    socket: null,
+    bundled: null,
+    available_tools: []
+  };
+  root["extensions"] = extensions;
+  const out = stringify(root, { indent: 2, lineWidth: 0 });
+  const body = out.endsWith("\n") ? out : `${out}
+`;
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, body, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  return "ok";
+}
 function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   const hostedInlinePlatforms = /* @__PURE__ */ new Set([
     "cursor",
@@ -1999,14 +2189,12 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   if (platform === "github-copilot") {
     snippetText = JSON.stringify(
       {
-        mcp: {
-          servers: {
-            [shortName]: {
-              type: "http",
-              url: urlInSnippet,
-              headers: {
-                Authorization: authHeader
-              }
+        servers: {
+          [shortName]: {
+            type: "http",
+            url: urlInSnippet,
+            headers: {
+              Authorization: authHeader
             }
           }
         }
@@ -2045,18 +2233,32 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
       2
     );
   } else if (platform === "continue-dev") {
+    const sn = sanitiseYamlValue(shortName);
+    const urlEsc = sanitiseYamlValue(urlInSnippet);
+    const authEsc = sanitiseYamlValue(authHeader);
+    snippetText = `name: ${sn}
+version: 0.0.1
+schema: v1
+mcpServers:
+  - name: ${sn}
+    type: streamable-http
+    url: ${urlEsc}
+    headers:
+      Authorization: ${authEsc}
+`;
+  } else if (platform === "kilo-code") {
     snippetText = JSON.stringify(
       {
-        mcpServers: [
-          {
-            name: shortName,
-            type: "streamable-http",
+        mcp: {
+          [shortName]: {
+            type: "remote",
             url: urlInSnippet,
             headers: {
               Authorization: authHeader
-            }
+            },
+            enabled: true
           }
-        ]
+        }
       },
       null,
       2
@@ -2096,16 +2298,18 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     );
   } else if (platform === "kilo-code") {
     process.stderr.write(
-      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilocode", "mcp.json")}:`) + "\n\n"
+      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilo", "kilo.jsonc")}:`) + "\n\n"
     );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
-        "Merge this snippet under the mcp key in your VS Code Settings (JSON). If you do not have an mcp section yet, add one. Copilot picks up MCP servers when you use Agent mode."
+        "Create .vscode/mcp.json in your workspace root (create the .vscode folder if it does not exist). After saving, reload VS Code and confirm the server appears in Copilot Agent mode under Tools."
       ) + "\n\n"
     );
   } else if (platform === "continue-dev") {
-    process.stderr.write("\n" + style.dim(`Add this to ${getContinueConfigJsonPath()}:`) + "\n\n");
+    process.stderr.write(
+      "\n" + style.dim(`Save this as .continue/mcpServers/${shortName}.yaml in your workspace root.`) + "\n\n"
+    );
   } else if (platform === "goose") {
     process.stderr.write(
       "\n" + style.dim("Add this to ~/.config/goose/config.yaml under the extensions key.") + "\n\n"
@@ -2282,7 +2486,7 @@ async function runInit(explicitBaseUrl, options) {
   }
   await warnIfInstalledShieldIsOutdated();
   const configuredAgents = [];
-  let currentAgents = collectAgentsFromConfig(existing);
+  let currentAgents = mergeAgentsForUniqueNames(collectAgentsFromConfig(existing));
   let lastConfig = {
     apiKey,
     baseUrl: resolvedBaseUrl,
@@ -2943,23 +3147,27 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
       );
     }
     if (configuredPlatforms.has("kilo-code")) {
+      const kiloLabel = mcpPromptLabel2("kilo-code");
       blocks.push(
-        "\n" + style.bold("Kilo Code") + "\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Try it: make a request in Kilo Code - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Kilo Code") + '\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Confirm connection: Settings \u2192 Agent Behaviour \u2192 MCP Servers\n  \u2192 Try it: paste this into Kilo Code:\n    "Use the ' + kiloLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("github-copilot")) {
+      const copilotLabel = mcpPromptLabel2("github-copilot");
       blocks.push(
-        "\n" + style.bold("GitHub Copilot") + "\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Open Copilot Agent mode and confirm the MCP server connects\n  \u2192 Try it: make a request in GitHub Copilot - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("GitHub Copilot") + '\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Confirm connection: open Copilot chat in Agent mode and confirm the server appears under Tools\n  \u2192 Try it: paste this into GitHub Copilot:\n    "Use the ' + copilotLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("continue-dev")) {
+      const continueLabel = mcpPromptLabel2("continue-dev");
       blocks.push(
-        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Try it: make a request in Continue - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + '\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Confirm connection: Settings \u2192 Tools \u2192 MCP Servers\n  \u2192 Try it: paste this into Continue:\n    "Use the ' + continueLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("goose")) {
+      const gooseLabel = mcpPromptLabel2("goose");
       blocks.push(
-        "\n" + style.bold("Goose") + "\n  \u2192 Start a new Goose session after updating config\n  \u2192 Try it: make a request in Goose - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Goose") + '\n  \u2192 Start a new Goose session after updating config\n  \u2192 Confirm connection: check the Extensions page in the sidebar\n  \u2192 Try it: paste this into Goose:\n    "Use the ' + gooseLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     const windsurfNativeConfigured = configuredAgents.some(
@@ -3915,7 +4123,7 @@ async function restoreClaudeDesktopMcpFromBackup() {
 
 // package.json
 var package_default = {
-  version: "1.6.0"};
+  version: "1.7.0"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;

package/dist/shield-extension.js

@@ -10,6 +10,7 @@ import { createHash } from 'crypto';
 import 'url';
 import 'module';
 import 'readline';
+import 'yaml';
 
 // Multicorn Shield Claude Desktop Extension - https://multicorn.ai
 var __create = Object.create;
@@ -22504,7 +22505,7 @@ async function writeExtensionBackup(claudeDesktopConfigPath, mcpServers) {
 
 // package.json
 var package_default = {
-  version: "1.6.0"};
+  version: "1.7.0"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "multicorn-shield",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
   "license": "MIT",
   "author": "Multicorn AI Pty Ltd",
@@ -69,6 +69,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
     "lit": "^3.2.0",
+    "yaml": "^2.8.2",
     "zod": "^4.3.6"
   },
   "devDependencies": {