multicorn-shield 1.6.0 → 1.8.0

package/dist/multicorn-proxy.js

@@ -8,6 +8,7 @@ import { readFileSync, existsSync, statSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
 import { createInterface } from 'readline';
+import { parse, stringify } from 'yaml';
 import 'stream';
 
 var __defProp = Object.defineProperty;
@@ -924,6 +925,22 @@ require(${JSON.stringify(destPost)});
   await writeFile(preWrapper, preContent, { encoding: "utf8", mode: 493 });
   await writeFile(postWrapper, postContent, { encoding: "utf8", mode: 493 });
 }
+function getOpenCodeGlobalPluginsDir() {
+  return join(homedir(), ".config", "opencode", "plugins");
+}
+async function installOpenCodeNativePlugin() {
+  const root = multicornShieldPackageRoot();
+  const src = join(root, "plugins", "opencode", "multicorn-shield.ts");
+  if (!existsSync(src)) {
+    throw new Error(
+      `Could not find Shield OpenCode plugin at ${src}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const destDir = getOpenCodeGlobalPluginsDir();
+  await mkdir(destDir, { recursive: true });
+  const dest = join(destDir, "multicorn-shield.ts");
+  await copyFile(src, dest);
+}
 async function promptClineIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Cline integration") + "\n");
   process.stderr.write(
@@ -1283,6 +1300,23 @@ async function promptGeminiCliIntegrationMode(ask) {
   }
   return choice === 1 ? "native" : "hosted";
 }
+async function promptOpencodeIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("OpenCode integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin (recommended) - Shield checks primary-agent tool execution via OpenCode Hooks\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP server traffic via opencode.json (full subagent coverage when tools use MCP through Shield)\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
 function getClaudeDesktopConfigPath() {
   switch (process.platform) {
     case "win32":
@@ -1346,9 +1380,6 @@ function getClineMcpSettingsPath() {
       );
   }
 }
-function getContinueConfigJsonPath() {
-  return join(homedir(), ".continue", "config.json");
-}
 function platformMenuLabelForSelection(sel) {
   const slug = PLATFORM_BY_SELECTION[sel];
   if (slug === void 0) return "Unknown";
@@ -1650,13 +1681,56 @@ function writeMcpAddedLine(shortName, filePath) {
     style.green("\u2713") + ' MCP server "' + shortName + '" added to ' + style.cyan(filePath) + "\n"
   );
 }
-async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+function sanitiseYamlValue(value) {
+  if (value.length === 0) {
+    return "''";
+  }
+  const needsQuoting = /[:#\n{}]/.test(value) || value.includes("[") || value.includes("]") || value !== value.trim() || value.includes("'");
+  if (!needsQuoting) {
+    return value;
+  }
+  return `'${value.replace(/'/g, "''")}'`;
+}
+function gitignoreLikelyCoversPath(relPosixPath, gitignoreBody) {
+  const norm = relPosixPath.replace(/\\/g, "/").replace(/^\.\//, "");
+  const lines = gitignoreBody.split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#") || line.startsWith("!")) continue;
+    const pat = line.replace(/^\//, "");
+    if (pat === norm || pat === `./${norm}`) return true;
+    if (!pat.includes("*")) {
+      if (pat.endsWith("/")) {
+        const dir = pat.slice(0, -1);
+        if (norm === dir || norm.startsWith(`${dir}/`)) return true;
+      }
+    }
+  }
+  return false;
+}
+async function warnIfApiKeyFileNotGitignored(workspaceRoot, relativePosixPath) {
+  const gitignorePath = join(workspaceRoot, ".gitignore");
+  let content;
+  try {
+    content = await readFile(gitignorePath, "utf8");
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") return;
+    throw e;
+  }
+  const norm = relativePosixPath.replace(/\\/g, "/").replace(/^\.\//, "");
+  if (gitignoreLikelyCoversPath(norm, content)) return;
+  process.stderr.write(
+    style.yellow("\u26A0") + " Config contains your API key. Add " + style.cyan(norm) + " to .gitignore to avoid committing credentials.\n"
+  );
+}
+async function mergeTopLevelKeyedJsonFile(filePath, topLevelKey, shortName, entry, options) {
   let root = {};
   try {
     const raw = await readFile(filePath, "utf8");
+    const toParse = options.stripJsonComments ? raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "") : raw;
     let parsed;
     try {
-      parsed = JSON.parse(raw);
+      parsed = JSON.parse(toParse);
     } catch {
       return "parse-error";
     }
@@ -1672,15 +1746,25 @@ async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
       throw e;
     }
   }
-  const mcpRaw = root["mcpServers"];
-  const mcpServers = typeof mcpRaw === "object" && mcpRaw !== null && !Array.isArray(mcpRaw) ? { ...mcpRaw } : {};
-  mcpServers[shortName] = entry;
-  root["mcpServers"] = mcpServers;
+  const bucketRaw = root[topLevelKey];
+  const bucket = typeof bucketRaw === "object" && bucketRaw !== null && !Array.isArray(bucketRaw) ? { ...bucketRaw } : {};
+  if (options.onExisting === "skip" && bucket[shortName] !== void 0) {
+    return "unchanged";
+  }
+  bucket[shortName] = entry;
+  root[topLevelKey] = bucket;
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
   writeMcpAddedLine(shortName, filePath);
   return "ok";
 }
+async function mergeMcpServersObjectStyle(filePath, shortName, entry) {
+  const result = await mergeTopLevelKeyedJsonFile(filePath, "mcpServers", shortName, entry, {
+    stripJsonComments: false,
+    onExisting: "overwrite"
+  });
+  return result === "parse-error" ? "parse-error" : "ok";
+}
 async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
   const entry = {
     command: "npx",
@@ -1688,8 +1772,30 @@ async function mergeClaudeDesktopHostedMcpRemote(shortName, proxyUrl, apiKey) {
   };
   return mergeMcpServersObjectStyle(getClaudeDesktopConfigPath(), shortName, entry);
 }
-async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
-  const filePath = getContinueConfigJsonPath();
+async function mergeContinueHostedMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const dir = join(workspacePath, ".continue", "mcpServers");
+  const filePath = join(dir, `${shortName}.yaml`);
+  const sn = sanitiseYamlValue(shortName);
+  const urlEsc = sanitiseYamlValue(proxyUrl);
+  const authEsc = sanitiseYamlValue(`Bearer ${apiKey}`);
+  const yaml = `name: ${sn}
+version: 0.0.1
+schema: v1
+mcpServers:
+  - name: ${sn}
+    type: streamable-http
+    url: ${urlEsc}
+    headers:
+      Authorization: ${authEsc}
+`;
+  await mkdir(dir, { recursive: true });
+  await writeFile(filePath, yaml, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  await warnIfApiKeyFileNotGitignored(workspacePath, `.continue/mcpServers/${shortName}.yaml`);
+  return "ok";
+}
+async function mergeCopilotVscodeMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, ".vscode", "mcp.json");
   let root = {};
   try {
     const raw = await readFile(filePath, "utf8");
@@ -1711,43 +1817,92 @@ async function mergeContinueHostedMcp(shortName, proxyUrl, apiKey) {
       throw e;
     }
   }
-  const rawServers = root["mcpServers"];
-  if (rawServers !== void 0) {
-    if (Array.isArray(rawServers)) ; else if (typeof rawServers === "object" && rawServers !== null) {
-      return "parse-error";
-    } else {
-      return "parse-error";
-    }
-  }
-  const servers = Array.isArray(rawServers) ? rawServers.map((s) => ({ ...s })) : [];
-  const entry = {
-    name: shortName,
-    type: "streamable-http",
+  const serversRaw = root["servers"];
+  const servers = typeof serversRaw === "object" && serversRaw !== null && !Array.isArray(serversRaw) ? { ...serversRaw } : {};
+  const existed = servers[shortName] !== void 0;
+  servers[shortName] = {
+    type: "http",
     url: proxyUrl,
-    headers: {
-      Authorization: `Bearer ${apiKey}`
-    }
+    headers: { Authorization: `Bearer ${apiKey}` }
   };
-  const idx = servers.findIndex((s) => s["name"] === shortName);
-  if (idx >= 0) {
-    servers[idx] = entry;
-  } else {
-    servers.push(entry);
-  }
-  root["mcpServers"] = servers;
+  root["servers"] = servers;
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
-  writeMcpAddedLine(shortName, filePath);
+  if (existed) {
+    process.stderr.write(
+      style.dim(`Updated existing server entry for ${shortName} in .vscode/mcp.json`) + "\n"
+    );
+  } else {
+    writeMcpAddedLine(shortName, filePath);
+  }
+  await warnIfApiKeyFileNotGitignored(workspacePath, ".vscode/mcp.json");
   return "ok";
 }
 async function mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
-  const filePath = join(workspacePath, ".kilocode", "mcp.json");
-  return mergeMcpServersObjectStyle(filePath, shortName, {
-    url: proxyUrl,
-    headers: {
-      Authorization: `Bearer ${apiKey}`
+  const filePath = join(workspacePath, ".kilo", "kilo.jsonc");
+  const result = await mergeTopLevelKeyedJsonFile(
+    filePath,
+    "mcp",
+    shortName,
+    {
+      type: "remote",
+      url: proxyUrl,
+      headers: { Authorization: `Bearer ${apiKey}` },
+      enabled: true
+    },
+    {
+      stripJsonComments: true,
+      onExisting: "skip"
     }
-  });
+  );
+  if (result === "parse-error") return "parse-error";
+  if (result === "ok") {
+    await warnIfApiKeyFileNotGitignored(workspacePath, ".kilo/kilo.jsonc");
+  }
+  return "ok";
+}
+async function injectOpencodeSchemaIntoConfigIfMissing(filePath) {
+  try {
+    const raw = await readFile(filePath, "utf8");
+    const stripped = raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+    let parsed;
+    try {
+      parsed = JSON.parse(stripped);
+    } catch {
+      return;
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return;
+    const root = parsed;
+    const existingSchema = root["$schema"];
+    if (typeof existingSchema === "string" && existingSchema.length > 0) return;
+    root["$schema"] = OPENCODE_CONFIG_SCHEMA_URL;
+    await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
+  } catch {
+  }
+}
+async function mergeOpenCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, "opencode.json");
+  const result = await mergeTopLevelKeyedJsonFile(
+    filePath,
+    "mcp",
+    shortName,
+    {
+      type: "remote",
+      url: proxyUrl,
+      headers: { Authorization: `Bearer ${apiKey}` },
+      enabled: true
+    },
+    {
+      stripJsonComments: true,
+      onExisting: "skip"
+    }
+  );
+  if (result === "parse-error") return "parse-error";
+  await injectOpencodeSchemaIntoConfigIfMissing(filePath);
+  if (result === "ok") {
+    await warnIfApiKeyFileNotGitignored(workspacePath, "opencode.json");
+  }
+  return "ok";
 }
 function printHostedProxyJsonParseWarning(filePath) {
   process.stderr.write(
@@ -1788,7 +1943,14 @@ function printHostedProxyPostWriteHints(platform, shortName) {
   }
   if (platform === "kilo-code") {
     process.stderr.write(
-      style.dim("Restart Kilo Code or reload the window so it picks up .kilocode/mcp.json.") + "\n"
+      style.dim("Restart Kilo Code or reload the window so it picks up .kilo/kilo.jsonc.") + "\n"
+    );
+  }
+  if (platform === "opencode") {
+    process.stderr.write(
+      style.dim(
+        "Restart OpenCode or start a new session so it picks up opencode.json. For global MCP, merge the same snippet into ~/.config/opencode/opencode.json."
+      ) + "\n"
     );
   }
 }
@@ -1805,15 +1967,40 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
     return;
   }
   if (platform === "github-copilot") {
-    process.stderr.write(
-      "\n" + style.dim(
-        "GitHub Copilot uses VS Code settings - paste the snippet below into your VS Code Settings (JSON)."
-      ) + "\n"
-    );
+    try {
+      const result = await mergeCopilotVscodeMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
+      if (result === "ok") {
+        printHostedProxyPostWriteHints(platform, shortName);
+        return;
+      }
+      printHostedProxyJsonParseWarning(join(workspacePath, ".vscode", "mcp.json"));
+    } catch (err) {
+      process.stderr.write(
+        `${style.yellow("!")} Could not auto-write config: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
     printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
     return;
   }
   if (platform === "goose") {
+    try {
+      const result = await mergeGooseConfig(shortName, proxyUrlWithKeyWhenNeeded, apiKey);
+      if (result === "ok") {
+        printHostedProxyPostWriteHints(platform, shortName);
+        return;
+      }
+    } catch (err) {
+      process.stderr.write(
+        `${style.yellow("!")} Could not auto-write config: ${err instanceof Error ? err.message : String(err)}
+`
+      );
+    }
     printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
     return;
   }
@@ -1860,12 +2047,29 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
         apiKey
       );
       if (result === "parse-error") {
-        printHostedProxyJsonParseWarning(join(workspacePath, ".kilocode", "mcp.json"));
+        printHostedProxyJsonParseWarning(join(workspacePath, ".kilo", "kilo.jsonc"));
+      }
+    } else if (platform === "opencode") {
+      result = await mergeOpenCodeProjectMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(join(workspacePath, "opencode.json"));
       }
     } else if (platform === "continue-dev") {
-      result = await mergeContinueHostedMcp(shortName, proxyUrlWithKeyWhenNeeded, apiKey);
+      result = await mergeContinueHostedMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
       if (result === "parse-error") {
-        printHostedProxyJsonParseWarning(getContinueConfigJsonPath());
+        printHostedProxyJsonParseWarning(
+          join(workspacePath, ".continue", "mcpServers", `${shortName}.yaml`)
+        );
       }
     } else {
       result = await mergeMcpServersObjectStyle(getCursorMcpJsonPath(), shortName, {
@@ -1889,17 +2093,96 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
   }
   printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
 }
-function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
-  return `extensions:
-  ${shortName}:
+function printGooseConfigYamlParseErrorToStderr() {
+  process.stderr.write(
+    style.yellow("!") + " Could not parse ~/.config/goose/config.yaml - check for syntax errors or invalid YAML\n"
+  );
+}
+function gooseExtensionYaml(shortName, proxyUrl, bearerHeader) {
+  const sn = sanitiseYamlValue(shortName);
+  const urlEsc = sanitiseYamlValue(proxyUrl);
+  const authEsc = sanitiseYamlValue(bearerHeader);
+  return `  ${sn}:
+    enabled: true
     type: streamable_http
-    url: ${proxyUrl}
+    name: ${sn}
+    description: ''
+    uri: ${urlEsc}
+    envs: {}
+    env_keys: []
     headers:
-      Authorization: ${bearerHeader}
-    enabled: true
+      Authorization: ${authEsc}
     timeout: 300
+    socket: null
+    bundled: null
+    available_tools: []
 `;
 }
+function gooseHostedProxyYaml(shortName, proxyUrl, bearerHeader) {
+  return `extensions:
+` + gooseExtensionYaml(shortName, proxyUrl, bearerHeader);
+}
+function isYamlPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+async function mergeGooseConfig(shortName, proxyUrl, apiKey) {
+  const filePath = join(homedir(), ".config", "goose", "config.yaml");
+  const bearerHeader = `Bearer ${apiKey}`;
+  let content = "";
+  try {
+    content = await readFile(filePath, "utf8");
+  } catch (e) {
+    if (isErrnoException(e) && e.code === "ENOENT") {
+      content = "";
+    } else {
+      throw e;
+    }
+  }
+  let root;
+  try {
+    const data = content.trim().length === 0 ? {} : parse(content);
+    if (data === null || typeof data !== "object" || Array.isArray(data)) {
+      printGooseConfigYamlParseErrorToStderr();
+      return "parse-error";
+    }
+    root = data;
+  } catch {
+    printGooseConfigYamlParseErrorToStderr();
+    return "parse-error";
+  }
+  const extensionsRaw = root["extensions"];
+  let extensions;
+  if (isYamlPlainObject(extensionsRaw)) {
+    extensions = { ...extensionsRaw };
+  } else if (extensionsRaw === void 0) {
+    extensions = {};
+  } else {
+    printGooseConfigYamlParseErrorToStderr();
+    return "parse-error";
+  }
+  extensions[shortName] = {
+    enabled: true,
+    type: "streamable_http",
+    name: shortName,
+    description: "",
+    uri: proxyUrl,
+    envs: {},
+    env_keys: [],
+    headers: { Authorization: bearerHeader },
+    timeout: 300,
+    socket: null,
+    bundled: null,
+    available_tools: []
+  };
+  root["extensions"] = extensions;
+  const out = stringify(root, { indent: 2, lineWidth: 0 });
+  const body = out.endsWith("\n") ? out : `${out}
+`;
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, body, SECRET_JSON_FILE_OPTIONS);
+  writeMcpAddedLine(shortName, filePath);
+  return "ok";
+}
 function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   const hostedInlinePlatforms = /* @__PURE__ */ new Set([
     "cursor",
@@ -1910,7 +2193,8 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     "kilo-code",
     "github-copilot",
     "continue-dev",
-    "goose"
+    "goose",
+    "opencode"
   ]);
   const usesInlineKey = hostedInlinePlatforms.has(platform);
   const authHeader = usesInlineKey ? `Bearer ${apiKey}` : "Bearer YOUR_SHIELD_API_KEY";
@@ -1919,14 +2203,12 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   if (platform === "github-copilot") {
     snippetText = JSON.stringify(
       {
-        mcp: {
-          servers: {
-            [shortName]: {
-              type: "http",
-              url: urlInSnippet,
-              headers: {
-                Authorization: authHeader
-              }
+        servers: {
+          [shortName]: {
+            type: "http",
+            url: urlInSnippet,
+            headers: {
+              Authorization: authHeader
             }
           }
         }
@@ -1965,18 +2247,50 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
       2
     );
   } else if (platform === "continue-dev") {
+    const sn = sanitiseYamlValue(shortName);
+    const urlEsc = sanitiseYamlValue(urlInSnippet);
+    const authEsc = sanitiseYamlValue(authHeader);
+    snippetText = `name: ${sn}
+version: 0.0.1
+schema: v1
+mcpServers:
+  - name: ${sn}
+    type: streamable-http
+    url: ${urlEsc}
+    headers:
+      Authorization: ${authEsc}
+`;
+  } else if (platform === "kilo-code") {
     snippetText = JSON.stringify(
       {
-        mcpServers: [
-          {
-            name: shortName,
-            type: "streamable-http",
+        mcp: {
+          [shortName]: {
+            type: "remote",
             url: urlInSnippet,
             headers: {
               Authorization: authHeader
-            }
+            },
+            enabled: true
           }
-        ]
+        }
+      },
+      null,
+      2
+    );
+  } else if (platform === "opencode") {
+    snippetText = JSON.stringify(
+      {
+        $schema: OPENCODE_CONFIG_SCHEMA_URL,
+        mcp: {
+          [shortName]: {
+            type: "remote",
+            url: urlInSnippet,
+            headers: {
+              Authorization: authHeader
+            },
+            enabled: true
+          }
+        }
       },
       null,
       2
@@ -2016,16 +2330,24 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     );
   } else if (platform === "kilo-code") {
     process.stderr.write(
-      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilocode", "mcp.json")}:`) + "\n\n"
+      "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilo", "kilo.jsonc")}:`) + "\n\n"
+    );
+  } else if (platform === "opencode") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
+      ) + "\n\n"
     );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
-        "Merge this snippet under the mcp key in your VS Code Settings (JSON). If you do not have an mcp section yet, add one. Copilot picks up MCP servers when you use Agent mode."
+        "Create .vscode/mcp.json in your workspace root (create the .vscode folder if it does not exist). After saving, reload VS Code and confirm the server appears in Copilot Agent mode under Tools."
       ) + "\n\n"
     );
   } else if (platform === "continue-dev") {
-    process.stderr.write("\n" + style.dim(`Add this to ${getContinueConfigJsonPath()}:`) + "\n\n");
+    process.stderr.write(
+      "\n" + style.dim(`Save this as .continue/mcpServers/${shortName}.yaml in your workspace root.`) + "\n\n"
+    );
   } else if (platform === "goose") {
     process.stderr.write(
       "\n" + style.dim("Add this to ~/.config/goose/config.yaml under the extensions key.") + "\n\n"
@@ -2079,6 +2401,11 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
   if (platform === "goose") {
     process.stderr.write(style.dim("Start a new Goose session after updating config.") + "\n");
   }
+  if (platform === "opencode") {
+    process.stderr.write(
+      style.dim("Restart OpenCode or start a new session after saving opencode.json.") + "\n"
+    );
+  }
 }
 function agentDisplayNameDedupeKey(name) {
   return name.trim().normalize("NFKC").toLowerCase();
@@ -2201,7 +2528,7 @@ async function runInit(explicitBaseUrl, options) {
   }
   await warnIfInstalledShieldIsOutdated();
   const configuredAgents = [];
-  let currentAgents = collectAgentsFromConfig(existing);
+  let currentAgents = mergeAgentsForUniqueNames(collectAgentsFromConfig(existing));
   let lastConfig = {
     apiKey,
     baseUrl: resolvedBaseUrl,
@@ -2638,6 +2965,95 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           setupSucceeded = true;
         }
       }
+    } else if (selectedPlatform === "opencode") {
+      const opencodeMode = await promptOpencodeIntegrationMode(ask);
+      if (opencodeMode === "native") {
+        try {
+          await installOpenCodeNativePlugin();
+          process.stderr.write("\n" + style.bold("Shield OpenCode plugin installed") + "\n\n");
+          process.stderr.write(
+            style.dim("Plugin file: ") + style.cyan(getOpenCodeGlobalPluginsDir()) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Shield plugin saved under ~/.config/opencode/plugins/. Restart OpenCode. Every tool call from the primary agent will be checked by Shield."
+            ) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Note: Tool calls delegated to subagents via the task tool are not intercepted by this plugin (OpenCode limitation). Use the hosted proxy path for MCP traffic you route through Shield for broader coverage."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            opencodeCliIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          const detail = error instanceof Error ? error.message : String(error);
+          process.stderr.write(style.red("\u2717 ") + detail + "\n");
+        }
+      } else {
+        const { targetUrl, shortName, upstreamHeaders } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform,
+              upstreamHeaders
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write(
+            "  " + style.cyan(formatHostedProxyUrlForStderr(selectedPlatform, proxyUrl, apiKey)) + "\n"
+          );
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
+          process.stderr.write(
+            "\n" + style.dim(
+              "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            opencodeCliIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
     } else if (selectedPlatform === "cline") {
       const clineMode = await promptClineIntegrationMode(ask);
       if (clineMode === "native") {
@@ -2862,23 +3278,27 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
       );
     }
     if (configuredPlatforms.has("kilo-code")) {
+      const kiloLabel = mcpPromptLabel2("kilo-code");
       blocks.push(
-        "\n" + style.bold("Kilo Code") + "\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Try it: make a request in Kilo Code - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Kilo Code") + '\n  \u2192 Restart the editor or reload the window if the MCP server does not appear\n  \u2192 Confirm connection: Settings \u2192 Agent Behaviour \u2192 MCP Servers\n  \u2192 Try it: paste this into Kilo Code:\n    "Use the ' + kiloLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("github-copilot")) {
+      const copilotLabel = mcpPromptLabel2("github-copilot");
       blocks.push(
-        "\n" + style.bold("GitHub Copilot") + "\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Open Copilot Agent mode and confirm the MCP server connects\n  \u2192 Try it: make a request in GitHub Copilot - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("GitHub Copilot") + '\n  \u2192 Reload the editor window if the MCP server does not appear\n  \u2192 Confirm connection: open Copilot chat in Agent mode and confirm the server appears under Tools\n  \u2192 Try it: paste this into GitHub Copilot:\n    "Use the ' + copilotLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("continue-dev")) {
+      const continueLabel = mcpPromptLabel2("continue-dev");
       blocks.push(
-        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + "\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Try it: make a request in Continue - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Continue") + "\n  \u2192 If needed, install Continue from " + style.cyan("https://docs.continue.dev/ide-extensions/install") + '\n  \u2192 Reload VS Code and open Continue agent mode\n  \u2192 Confirm connection: Settings \u2192 Tools \u2192 MCP Servers\n  \u2192 Try it: paste this into Continue:\n    "Use the ' + continueLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     if (configuredPlatforms.has("goose")) {
+      const gooseLabel = mcpPromptLabel2("goose");
       blocks.push(
-        "\n" + style.bold("Goose") + "\n  \u2192 Start a new Goose session after updating config\n  \u2192 Try it: make a request in Goose - Shield will intercept the first tool call and ask for your consent\n"
+        "\n" + style.bold("Goose") + '\n  \u2192 Start a new Goose session after updating config\n  \u2192 Confirm connection: check the Extensions page in the sidebar\n  \u2192 Try it: paste this into Goose:\n    "Use the ' + gooseLabel + ' MCP server to list my GitHub repositories"\n'
       );
     }
     const windsurfNativeConfigured = configuredAgents.some(
@@ -2929,6 +3349,23 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         "\n" + style.bold("Gemini CLI (hosted)") + "\n  \u2192 Try it: make a request in Gemini CLI - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
+    const opencodeNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "opencode" && a.opencodeCliIntegration === "native"
+    );
+    const opencodeHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "opencode" && a.opencodeCliIntegration === "hosted"
+    );
+    if (opencodeNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("OpenCode (native)") + "\n  \u2192 If you just installed OpenCode, open a new terminal tab (or run: source ~/.zshrc)\n  \u2192 Restart OpenCode so it loads ~/.config/opencode/plugins/multicorn-shield.ts\n  \u2192 Try it: trigger a primary-agent tool call - Shield will intercept the first actionable tool and ask for your consent\n"
+      );
+    }
+    if (opencodeHostedConfigured) {
+      const ocLabel = mcpPromptLabel2("opencode");
+      blocks.push(
+        "\n" + style.bold("OpenCode (hosted)") + '\n  \u2192 Restart OpenCode or start a new session after saving opencode.json\n  \u2192 Try it: paste this into OpenCode:\n    "Use the ' + ocLabel + ' MCP server to list allowed directories"\n'
+      );
+    }
     if (configuredPlatforms.has("other-mcp")) {
       blocks.push(
         "\n" + style.bold("Local MCP / Other") + "\n  \u2192 Run your configured wrap command (for example " + style.cyan("npx multicorn-shield --wrap ...") + ")\n  \u2192 Try it: make a request in your coding agent - Shield will intercept the first tool call and ask for your consent\n"
@@ -2948,7 +3385,7 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
   }
   return lastConfig;
 }
-var SECRET_JSON_FILE_OPTIONS, style, BANNER, NativePluginPrerequisiteMissingError, CONFIG_DIR, CONFIG_PATH, OPENCLAW_CONFIG_PATH, ANSI_PATTERN, UPSTREAM_AUTH_KNOWN_SCHEME_WITH_PAYLOAD, OPENCLAW_MIN_VERSION, INIT_WIZARD_PLATFORM_REGISTRY, INIT_WIZARD_MENU_SECTIONS, INIT_WIZARD_SELECTION_MAX, PLATFORM_BY_SELECTION, HOSTED_PROXY_PLATFORMS_WITH_URL_KEY, DEFAULT_SHIELD_API_BASE_URL;
+var SECRET_JSON_FILE_OPTIONS, style, BANNER, NativePluginPrerequisiteMissingError, CONFIG_DIR, CONFIG_PATH, OPENCLAW_CONFIG_PATH, ANSI_PATTERN, UPSTREAM_AUTH_KNOWN_SCHEME_WITH_PAYLOAD, OPENCLAW_MIN_VERSION, INIT_WIZARD_PLATFORM_REGISTRY, INIT_WIZARD_MENU_SECTIONS, INIT_WIZARD_SELECTION_MAX, PLATFORM_BY_SELECTION, HOSTED_PROXY_PLATFORMS_WITH_URL_KEY, OPENCODE_CONFIG_SCHEMA_URL, DEFAULT_SHIELD_API_BASE_URL;
 var init_config = __esm({
   "src/proxy/config.ts"() {
     init_consent();
@@ -2988,6 +3425,12 @@ var init_config = __esm({
       { slug: "windsurf", displayName: "Windsurf", section: "native" },
       { slug: "cline", displayName: "Cline", section: "native" },
       { slug: "gemini-cli", displayName: "Gemini CLI", section: "native" },
+      {
+        slug: "opencode",
+        displayName: "OpenCode",
+        section: "native",
+        prereqUrl: "https://opencode.ai"
+      },
       {
         slug: "cursor",
         displayName: "Cursor",
@@ -3048,6 +3491,7 @@ var init_config = __esm({
       "continue-dev",
       "goose"
     ]);
+    OPENCODE_CONFIG_SCHEMA_URL = "https://opencode.ai/config.json";
     DEFAULT_SHIELD_API_BASE_URL = "https://api.multicorn.ai";
   }
 });
@@ -3992,7 +4436,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "multicorn-shield",
-      version: "1.6.0",
+      version: "1.8.0",
       description: "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
       license: "MIT",
       author: "Multicorn AI Pty Ltd",
@@ -4032,6 +4476,7 @@ var init_package = __esm({
         "plugins/windsurf",
         "plugins/cline",
         "plugins/gemini-cli",
+        "plugins/opencode",
         "LICENSE",
         "README.md",
         "CHANGELOG.md"
@@ -4083,12 +4528,14 @@ var init_package = __esm({
       dependencies: {
         "@modelcontextprotocol/sdk": "^1.27.1",
         lit: "^3.2.0",
+        yaml: "^2.8.2",
         zod: "^4.3.6"
       },
       devDependencies: {
         "@anthropic-ai/mcpb": "^2.1.2",
         "@eslint/js": "^9.19.0",
         "@open-wc/testing-helpers": "^3.0.1",
+        "@opencode-ai/plugin": "^1.14.48",
         "@size-limit/file": "^11.1.6",
         "@types/node": "^22.0.0",
         "@vitest/coverage-v8": "^3.0.5",