multicorn-shield 1.7.0 → 1.8.0

package/CHANGELOG.md

@@ -9,6 +9,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Bump `version` in `package.json` before publishing to npm.
 
+## [1.8.0] - 2026-05-11
+
+### Added
+
+- OpenCode as a supported platform (native plugin + hosted proxy paths)
+- Native Shield plugin for OpenCode (`plugins/opencode/multicorn-shield.ts`) using `tool.execute.before`/`tool.execute.after` hooks for permission checks and audit logging
+- OpenCode in CLI init wizard with native plugin and hosted proxy integration modes
+- Tool name mapping for OpenCode built-in tools (`bash`, `read`, `write`, `edit`, `apply_patch`, `glob`, `grep`, `list`, `webfetch`, `websearch`)
+- Shell reload hint in CLI native plugin output for freshly installed tools
+- `'opencode'` to `AGENT_PLATFORM_SLUGS`
+
 ## [1.7.0] - 2026-05-11
 
 ### Fixed

package/dist/index.cjs

@@ -26,6 +26,7 @@ var AGENT_PLATFORM_SLUGS = [
   "github-copilot",
   "goose",
   "kilo-code",
+  "opencode",
   "other-mcp",
   "github-actions",
   "unknown"

package/dist/index.d.cts

@@ -12,7 +12,7 @@ import { LitElement, PropertyValues, HTMLTemplateResult } from 'lit';
 /**
  * Agent client platforms supported by hosted proxy and native hooks (aligned with API validation).
  */
-declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "other-mcp", "github-actions", "unknown"];
+declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "opencode", "other-mcp", "github-actions", "unknown"];
 type AgentPlatformSlug = (typeof AGENT_PLATFORM_SLUGS)[number];
 /**
  * Possible operational states for an agent.

package/dist/index.d.ts

@@ -12,7 +12,7 @@ import { LitElement, PropertyValues, HTMLTemplateResult } from 'lit';
 /**
  * Agent client platforms supported by hosted proxy and native hooks (aligned with API validation).
  */
-declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "other-mcp", "github-actions", "unknown"];
+declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "opencode", "other-mcp", "github-actions", "unknown"];
 type AgentPlatformSlug = (typeof AGENT_PLATFORM_SLUGS)[number];
 /**
  * Possible operational states for an agent.

package/dist/index.js

@@ -24,6 +24,7 @@ var AGENT_PLATFORM_SLUGS = [
   "github-copilot",
   "goose",
   "kilo-code",
+  "opencode",
   "other-mcp",
   "github-actions",
   "unknown"

package/dist/multicorn-proxy.js

@@ -925,6 +925,22 @@ require(${JSON.stringify(destPost)});
   await writeFile(preWrapper, preContent, { encoding: "utf8", mode: 493 });
   await writeFile(postWrapper, postContent, { encoding: "utf8", mode: 493 });
 }
+function getOpenCodeGlobalPluginsDir() {
+  return join(homedir(), ".config", "opencode", "plugins");
+}
+async function installOpenCodeNativePlugin() {
+  const root = multicornShieldPackageRoot();
+  const src = join(root, "plugins", "opencode", "multicorn-shield.ts");
+  if (!existsSync(src)) {
+    throw new Error(
+      `Could not find Shield OpenCode plugin at ${src}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const destDir = getOpenCodeGlobalPluginsDir();
+  await mkdir(destDir, { recursive: true });
+  const dest = join(destDir, "multicorn-shield.ts");
+  await copyFile(src, dest);
+}
 async function promptClineIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Cline integration") + "\n");
   process.stderr.write(
@@ -1284,6 +1300,23 @@ async function promptGeminiCliIntegrationMode(ask) {
   }
   return choice === 1 ? "native" : "hosted";
 }
+async function promptOpencodeIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("OpenCode integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin (recommended) - Shield checks primary-agent tool execution via OpenCode Hooks\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP server traffic via opencode.json (full subagent coverage when tools use MCP through Shield)\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
 function getClaudeDesktopConfigPath() {
   switch (process.platform) {
     case "win32":
@@ -1828,6 +1861,49 @@ async function mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKe
   }
   return "ok";
 }
+async function injectOpencodeSchemaIntoConfigIfMissing(filePath) {
+  try {
+    const raw = await readFile(filePath, "utf8");
+    const stripped = raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+    let parsed;
+    try {
+      parsed = JSON.parse(stripped);
+    } catch {
+      return;
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return;
+    const root = parsed;
+    const existingSchema = root["$schema"];
+    if (typeof existingSchema === "string" && existingSchema.length > 0) return;
+    root["$schema"] = OPENCODE_CONFIG_SCHEMA_URL;
+    await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
+  } catch {
+  }
+}
+async function mergeOpenCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, "opencode.json");
+  const result = await mergeTopLevelKeyedJsonFile(
+    filePath,
+    "mcp",
+    shortName,
+    {
+      type: "remote",
+      url: proxyUrl,
+      headers: { Authorization: `Bearer ${apiKey}` },
+      enabled: true
+    },
+    {
+      stripJsonComments: true,
+      onExisting: "skip"
+    }
+  );
+  if (result === "parse-error") return "parse-error";
+  await injectOpencodeSchemaIntoConfigIfMissing(filePath);
+  if (result === "ok") {
+    await warnIfApiKeyFileNotGitignored(workspacePath, "opencode.json");
+  }
+  return "ok";
+}
 function printHostedProxyJsonParseWarning(filePath) {
   process.stderr.write(
     style.yellow("\u26A0") + " Could not parse JSON at " + style.cyan(filePath) + style.dim(" - showing paste snippet instead.") + "\n"
@@ -1870,6 +1946,13 @@ function printHostedProxyPostWriteHints(platform, shortName) {
       style.dim("Restart Kilo Code or reload the window so it picks up .kilo/kilo.jsonc.") + "\n"
     );
   }
+  if (platform === "opencode") {
+    process.stderr.write(
+      style.dim(
+        "Restart OpenCode or start a new session so it picks up opencode.json. For global MCP, merge the same snippet into ~/.config/opencode/opencode.json."
+      ) + "\n"
+    );
+  }
 }
 async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey, workspacePath) {
   const authHeader = `Bearer ${apiKey}`;
@@ -1966,6 +2049,16 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
       if (result === "parse-error") {
         printHostedProxyJsonParseWarning(join(workspacePath, ".kilo", "kilo.jsonc"));
       }
+    } else if (platform === "opencode") {
+      result = await mergeOpenCodeProjectMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(join(workspacePath, "opencode.json"));
+      }
     } else if (platform === "continue-dev") {
       result = await mergeContinueHostedMcp(
         workspacePath,
@@ -2100,7 +2193,8 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     "kilo-code",
     "github-copilot",
     "continue-dev",
-    "goose"
+    "goose",
+    "opencode"
   ]);
   const usesInlineKey = hostedInlinePlatforms.has(platform);
   const authHeader = usesInlineKey ? `Bearer ${apiKey}` : "Bearer YOUR_SHIELD_API_KEY";
@@ -2183,6 +2277,24 @@ mcpServers:
       null,
       2
     );
+  } else if (platform === "opencode") {
+    snippetText = JSON.stringify(
+      {
+        $schema: OPENCODE_CONFIG_SCHEMA_URL,
+        mcp: {
+          [shortName]: {
+            type: "remote",
+            url: urlInSnippet,
+            headers: {
+              Authorization: authHeader
+            },
+            enabled: true
+          }
+        }
+      },
+      null,
+      2
+    );
   } else {
     const urlKey = platform === "windsurf" ? "serverUrl" : "url";
     snippetText = JSON.stringify(
@@ -2220,6 +2332,12 @@ mcpServers:
     process.stderr.write(
       "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilo", "kilo.jsonc")}:`) + "\n\n"
     );
+  } else if (platform === "opencode") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
+      ) + "\n\n"
+    );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
@@ -2283,6 +2401,11 @@ mcpServers:
   if (platform === "goose") {
     process.stderr.write(style.dim("Start a new Goose session after updating config.") + "\n");
   }
+  if (platform === "opencode") {
+    process.stderr.write(
+      style.dim("Restart OpenCode or start a new session after saving opencode.json.") + "\n"
+    );
+  }
 }
 function agentDisplayNameDedupeKey(name) {
   return name.trim().normalize("NFKC").toLowerCase();
@@ -2842,6 +2965,95 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           setupSucceeded = true;
         }
       }
+    } else if (selectedPlatform === "opencode") {
+      const opencodeMode = await promptOpencodeIntegrationMode(ask);
+      if (opencodeMode === "native") {
+        try {
+          await installOpenCodeNativePlugin();
+          process.stderr.write("\n" + style.bold("Shield OpenCode plugin installed") + "\n\n");
+          process.stderr.write(
+            style.dim("Plugin file: ") + style.cyan(getOpenCodeGlobalPluginsDir()) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Shield plugin saved under ~/.config/opencode/plugins/. Restart OpenCode. Every tool call from the primary agent will be checked by Shield."
+            ) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Note: Tool calls delegated to subagents via the task tool are not intercepted by this plugin (OpenCode limitation). Use the hosted proxy path for MCP traffic you route through Shield for broader coverage."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            opencodeCliIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          const detail = error instanceof Error ? error.message : String(error);
+          process.stderr.write(style.red("\u2717 ") + detail + "\n");
+        }
+      } else {
+        const { targetUrl, shortName, upstreamHeaders } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform,
+              upstreamHeaders
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write(
+            "  " + style.cyan(formatHostedProxyUrlForStderr(selectedPlatform, proxyUrl, apiKey)) + "\n"
+          );
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
+          process.stderr.write(
+            "\n" + style.dim(
+              "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            opencodeCliIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
     } else if (selectedPlatform === "cline") {
       const clineMode = await promptClineIntegrationMode(ask);
       if (clineMode === "native") {
@@ -3137,6 +3349,23 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         "\n" + style.bold("Gemini CLI (hosted)") + "\n  \u2192 Try it: make a request in Gemini CLI - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
+    const opencodeNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "opencode" && a.opencodeCliIntegration === "native"
+    );
+    const opencodeHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "opencode" && a.opencodeCliIntegration === "hosted"
+    );
+    if (opencodeNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("OpenCode (native)") + "\n  \u2192 If you just installed OpenCode, open a new terminal tab (or run: source ~/.zshrc)\n  \u2192 Restart OpenCode so it loads ~/.config/opencode/plugins/multicorn-shield.ts\n  \u2192 Try it: trigger a primary-agent tool call - Shield will intercept the first actionable tool and ask for your consent\n"
+      );
+    }
+    if (opencodeHostedConfigured) {
+      const ocLabel = mcpPromptLabel2("opencode");
+      blocks.push(
+        "\n" + style.bold("OpenCode (hosted)") + '\n  \u2192 Restart OpenCode or start a new session after saving opencode.json\n  \u2192 Try it: paste this into OpenCode:\n    "Use the ' + ocLabel + ' MCP server to list allowed directories"\n'
+      );
+    }
     if (configuredPlatforms.has("other-mcp")) {
       blocks.push(
         "\n" + style.bold("Local MCP / Other") + "\n  \u2192 Run your configured wrap command (for example " + style.cyan("npx multicorn-shield --wrap ...") + ")\n  \u2192 Try it: make a request in your coding agent - Shield will intercept the first tool call and ask for your consent\n"
@@ -3156,7 +3385,7 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
   }
   return lastConfig;
 }
-var SECRET_JSON_FILE_OPTIONS, style, BANNER, NativePluginPrerequisiteMissingError, CONFIG_DIR, CONFIG_PATH, OPENCLAW_CONFIG_PATH, ANSI_PATTERN, UPSTREAM_AUTH_KNOWN_SCHEME_WITH_PAYLOAD, OPENCLAW_MIN_VERSION, INIT_WIZARD_PLATFORM_REGISTRY, INIT_WIZARD_MENU_SECTIONS, INIT_WIZARD_SELECTION_MAX, PLATFORM_BY_SELECTION, HOSTED_PROXY_PLATFORMS_WITH_URL_KEY, DEFAULT_SHIELD_API_BASE_URL;
+var SECRET_JSON_FILE_OPTIONS, style, BANNER, NativePluginPrerequisiteMissingError, CONFIG_DIR, CONFIG_PATH, OPENCLAW_CONFIG_PATH, ANSI_PATTERN, UPSTREAM_AUTH_KNOWN_SCHEME_WITH_PAYLOAD, OPENCLAW_MIN_VERSION, INIT_WIZARD_PLATFORM_REGISTRY, INIT_WIZARD_MENU_SECTIONS, INIT_WIZARD_SELECTION_MAX, PLATFORM_BY_SELECTION, HOSTED_PROXY_PLATFORMS_WITH_URL_KEY, OPENCODE_CONFIG_SCHEMA_URL, DEFAULT_SHIELD_API_BASE_URL;
 var init_config = __esm({
   "src/proxy/config.ts"() {
     init_consent();
@@ -3196,6 +3425,12 @@ var init_config = __esm({
       { slug: "windsurf", displayName: "Windsurf", section: "native" },
       { slug: "cline", displayName: "Cline", section: "native" },
       { slug: "gemini-cli", displayName: "Gemini CLI", section: "native" },
+      {
+        slug: "opencode",
+        displayName: "OpenCode",
+        section: "native",
+        prereqUrl: "https://opencode.ai"
+      },
       {
         slug: "cursor",
         displayName: "Cursor",
@@ -3256,6 +3491,7 @@ var init_config = __esm({
       "continue-dev",
       "goose"
     ]);
+    OPENCODE_CONFIG_SCHEMA_URL = "https://opencode.ai/config.json";
     DEFAULT_SHIELD_API_BASE_URL = "https://api.multicorn.ai";
   }
 });
@@ -4200,7 +4436,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "multicorn-shield",
-      version: "1.7.0",
+      version: "1.8.0",
       description: "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
       license: "MIT",
       author: "Multicorn AI Pty Ltd",
@@ -4240,6 +4476,7 @@ var init_package = __esm({
         "plugins/windsurf",
         "plugins/cline",
         "plugins/gemini-cli",
+        "plugins/opencode",
         "LICENSE",
         "README.md",
         "CHANGELOG.md"
@@ -4298,6 +4535,7 @@ var init_package = __esm({
         "@anthropic-ai/mcpb": "^2.1.2",
         "@eslint/js": "^9.19.0",
         "@open-wc/testing-helpers": "^3.0.1",
+        "@opencode-ai/plugin": "^1.14.48",
         "@size-limit/file": "^11.1.6",
         "@types/node": "^22.0.0",
         "@vitest/coverage-v8": "^3.0.5",

package/dist/multicorn-shield.js

@@ -939,6 +939,22 @@ require(${JSON.stringify(destPost)});
   await writeFile(preWrapper, preContent, { encoding: "utf8", mode: 493 });
   await writeFile(postWrapper, postContent, { encoding: "utf8", mode: 493 });
 }
+function getOpenCodeGlobalPluginsDir() {
+  return join(homedir(), ".config", "opencode", "plugins");
+}
+async function installOpenCodeNativePlugin() {
+  const root = multicornShieldPackageRoot();
+  const src = join(root, "plugins", "opencode", "multicorn-shield.ts");
+  if (!existsSync(src)) {
+    throw new Error(
+      `Could not find Shield OpenCode plugin at ${src}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const destDir = getOpenCodeGlobalPluginsDir();
+  await mkdir(destDir, { recursive: true });
+  const dest = join(destDir, "multicorn-shield.ts");
+  await copyFile(src, dest);
+}
 async function promptClineIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Cline integration") + "\n");
   process.stderr.write(
@@ -1298,6 +1314,23 @@ async function promptGeminiCliIntegrationMode(ask) {
   }
   return choice === 1 ? "native" : "hosted";
 }
+async function promptOpencodeIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("OpenCode integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin (recommended) - Shield checks primary-agent tool execution via OpenCode Hooks\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP server traffic via opencode.json (full subagent coverage when tools use MCP through Shield)\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
 function getClaudeDesktopConfigPath() {
   switch (process.platform) {
     case "win32":
@@ -1367,6 +1400,12 @@ var INIT_WIZARD_PLATFORM_REGISTRY = [
   { slug: "windsurf", displayName: "Windsurf", section: "native" },
   { slug: "cline", displayName: "Cline", section: "native" },
   { slug: "gemini-cli", displayName: "Gemini CLI", section: "native" },
+  {
+    slug: "opencode",
+    displayName: "OpenCode",
+    section: "native",
+    prereqUrl: "https://opencode.ai"
+  },
   {
     slug: "cursor",
     displayName: "Cursor",
@@ -1908,6 +1947,50 @@ async function mergeKiloCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKe
   }
   return "ok";
 }
+var OPENCODE_CONFIG_SCHEMA_URL = "https://opencode.ai/config.json";
+async function injectOpencodeSchemaIntoConfigIfMissing(filePath) {
+  try {
+    const raw = await readFile(filePath, "utf8");
+    const stripped = raw.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+    let parsed;
+    try {
+      parsed = JSON.parse(stripped);
+    } catch {
+      return;
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return;
+    const root = parsed;
+    const existingSchema = root["$schema"];
+    if (typeof existingSchema === "string" && existingSchema.length > 0) return;
+    root["$schema"] = OPENCODE_CONFIG_SCHEMA_URL;
+    await writeFile(filePath, JSON.stringify(root, null, 2) + "\n", SECRET_JSON_FILE_OPTIONS);
+  } catch {
+  }
+}
+async function mergeOpenCodeProjectMcp(workspacePath, shortName, proxyUrl, apiKey) {
+  const filePath = join(workspacePath, "opencode.json");
+  const result = await mergeTopLevelKeyedJsonFile(
+    filePath,
+    "mcp",
+    shortName,
+    {
+      type: "remote",
+      url: proxyUrl,
+      headers: { Authorization: `Bearer ${apiKey}` },
+      enabled: true
+    },
+    {
+      stripJsonComments: true,
+      onExisting: "skip"
+    }
+  );
+  if (result === "parse-error") return "parse-error";
+  await injectOpencodeSchemaIntoConfigIfMissing(filePath);
+  if (result === "ok") {
+    await warnIfApiKeyFileNotGitignored(workspacePath, "opencode.json");
+  }
+  return "ok";
+}
 function printHostedProxyJsonParseWarning(filePath) {
   process.stderr.write(
     style.yellow("\u26A0") + " Could not parse JSON at " + style.cyan(filePath) + style.dim(" - showing paste snippet instead.") + "\n"
@@ -1950,6 +2033,13 @@ function printHostedProxyPostWriteHints(platform, shortName) {
       style.dim("Restart Kilo Code or reload the window so it picks up .kilo/kilo.jsonc.") + "\n"
     );
   }
+  if (platform === "opencode") {
+    process.stderr.write(
+      style.dim(
+        "Restart OpenCode or start a new session so it picks up opencode.json. For global MCP, merge the same snippet into ~/.config/opencode/opencode.json."
+      ) + "\n"
+    );
+  }
 }
 async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey, workspacePath) {
   const authHeader = `Bearer ${apiKey}`;
@@ -2046,6 +2136,16 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
       if (result === "parse-error") {
         printHostedProxyJsonParseWarning(join(workspacePath, ".kilo", "kilo.jsonc"));
       }
+    } else if (platform === "opencode") {
+      result = await mergeOpenCodeProjectMcp(
+        workspacePath,
+        shortName,
+        proxyUrlWithKeyWhenNeeded,
+        apiKey
+      );
+      if (result === "parse-error") {
+        printHostedProxyJsonParseWarning(join(workspacePath, "opencode.json"));
+      }
     } else if (platform === "continue-dev") {
       result = await mergeContinueHostedMcp(
         workspacePath,
@@ -2180,7 +2280,8 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     "kilo-code",
     "github-copilot",
     "continue-dev",
-    "goose"
+    "goose",
+    "opencode"
   ]);
   const usesInlineKey = hostedInlinePlatforms.has(platform);
   const authHeader = usesInlineKey ? `Bearer ${apiKey}` : "Bearer YOUR_SHIELD_API_KEY";
@@ -2263,6 +2364,24 @@ mcpServers:
       null,
       2
     );
+  } else if (platform === "opencode") {
+    snippetText = JSON.stringify(
+      {
+        $schema: OPENCODE_CONFIG_SCHEMA_URL,
+        mcp: {
+          [shortName]: {
+            type: "remote",
+            url: urlInSnippet,
+            headers: {
+              Authorization: authHeader
+            },
+            enabled: true
+          }
+        }
+      },
+      null,
+      2
+    );
   } else {
     const urlKey = platform === "windsurf" ? "serverUrl" : "url";
     snippetText = JSON.stringify(
@@ -2300,6 +2419,12 @@ mcpServers:
     process.stderr.write(
       "\n" + style.dim(`Add this to ${join(resolve(process.cwd()), ".kilo", "kilo.jsonc")}:`) + "\n\n"
     );
+  } else if (platform === "opencode") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
+      ) + "\n\n"
+    );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
@@ -2363,6 +2488,11 @@ mcpServers:
   if (platform === "goose") {
     process.stderr.write(style.dim("Start a new Goose session after updating config.") + "\n");
   }
+  if (platform === "opencode") {
+    process.stderr.write(
+      style.dim("Restart OpenCode or start a new session after saving opencode.json.") + "\n"
+    );
+  }
 }
 function agentDisplayNameDedupeKey(name) {
   return name.trim().normalize("NFKC").toLowerCase();
@@ -2923,6 +3053,95 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           setupSucceeded = true;
         }
       }
+    } else if (selectedPlatform === "opencode") {
+      const opencodeMode = await promptOpencodeIntegrationMode(ask);
+      if (opencodeMode === "native") {
+        try {
+          await installOpenCodeNativePlugin();
+          process.stderr.write("\n" + style.bold("Shield OpenCode plugin installed") + "\n\n");
+          process.stderr.write(
+            style.dim("Plugin file: ") + style.cyan(getOpenCodeGlobalPluginsDir()) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Shield plugin saved under ~/.config/opencode/plugins/. Restart OpenCode. Every tool call from the primary agent will be checked by Shield."
+            ) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Note: Tool calls delegated to subagents via the task tool are not intercepted by this plugin (OpenCode limitation). Use the hosted proxy path for MCP traffic you route through Shield for broader coverage."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            opencodeCliIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          const detail = error instanceof Error ? error.message : String(error);
+          process.stderr.write(style.red("\u2717 ") + detail + "\n");
+        }
+      } else {
+        const { targetUrl, shortName, upstreamHeaders } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform,
+              upstreamHeaders
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write(
+            "  " + style.cyan(formatHostedProxyUrlForStderr(selectedPlatform, proxyUrl, apiKey)) + "\n"
+          );
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
+          process.stderr.write(
+            "\n" + style.dim(
+              "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            opencodeCliIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
     } else if (selectedPlatform === "cline") {
       const clineMode = await promptClineIntegrationMode(ask);
       if (clineMode === "native") {
@@ -3218,6 +3437,23 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         "\n" + style.bold("Gemini CLI (hosted)") + "\n  \u2192 Try it: make a request in Gemini CLI - Shield will intercept the first tool call and ask for your consent\n"
       );
     }
+    const opencodeNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "opencode" && a.opencodeCliIntegration === "native"
+    );
+    const opencodeHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "opencode" && a.opencodeCliIntegration === "hosted"
+    );
+    if (opencodeNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("OpenCode (native)") + "\n  \u2192 If you just installed OpenCode, open a new terminal tab (or run: source ~/.zshrc)\n  \u2192 Restart OpenCode so it loads ~/.config/opencode/plugins/multicorn-shield.ts\n  \u2192 Try it: trigger a primary-agent tool call - Shield will intercept the first actionable tool and ask for your consent\n"
+      );
+    }
+    if (opencodeHostedConfigured) {
+      const ocLabel = mcpPromptLabel2("opencode");
+      blocks.push(
+        "\n" + style.bold("OpenCode (hosted)") + '\n  \u2192 Restart OpenCode or start a new session after saving opencode.json\n  \u2192 Try it: paste this into OpenCode:\n    "Use the ' + ocLabel + ' MCP server to list allowed directories"\n'
+      );
+    }
     if (configuredPlatforms.has("other-mcp")) {
       blocks.push(
         "\n" + style.bold("Local MCP / Other") + "\n  \u2192 Run your configured wrap command (for example " + style.cyan("npx multicorn-shield --wrap ...") + ")\n  \u2192 Try it: make a request in your coding agent - Shield will intercept the first tool call and ask for your consent\n"
@@ -4123,7 +4359,7 @@ async function restoreClaudeDesktopMcpFromBackup() {
 
 // package.json
 var package_default = {
-  version: "1.7.0"};
+  version: "1.8.0"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;

package/dist/shield-extension.js

@@ -22354,6 +22354,12 @@ var INIT_WIZARD_PLATFORM_REGISTRY = [
   { slug: "windsurf", displayName: "Windsurf", section: "native" },
   { slug: "cline", displayName: "Cline", section: "native" },
   { slug: "gemini-cli", displayName: "Gemini CLI", section: "native" },
+  {
+    slug: "opencode",
+    displayName: "OpenCode",
+    section: "native",
+    prereqUrl: "https://opencode.ai"
+  },
   {
     slug: "cursor",
     displayName: "Cursor",
@@ -22505,7 +22511,7 @@ async function writeExtensionBackup(claudeDesktopConfigPath, mcpServers) {
 
 // package.json
 var package_default = {
-  version: "1.7.0"};
+  version: "1.8.0"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "multicorn-shield",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
   "license": "MIT",
   "author": "Multicorn AI Pty Ltd",
@@ -40,6 +40,7 @@
     "plugins/windsurf",
     "plugins/cline",
     "plugins/gemini-cli",
+    "plugins/opencode",
     "LICENSE",
     "README.md",
     "CHANGELOG.md"
@@ -76,6 +77,7 @@
     "@anthropic-ai/mcpb": "^2.1.2",
     "@eslint/js": "^9.19.0",
     "@open-wc/testing-helpers": "^3.0.1",
+    "@opencode-ai/plugin": "^1.14.48",
     "@size-limit/file": "^11.1.6",
     "@types/node": "^22.0.0",
     "@vitest/coverage-v8": "^3.0.5",

package/plugins/opencode/multicorn-shield.ts

@@ -0,0 +1,485 @@
+// Copyright (c) Multicorn AI Pty Ltd. MIT License. See LICENSE file.
+
+/**
+ * Shield native plugin for OpenCode: permission checks via tool.execute.before,
+ * audit logging via tool.execute.after.
+ */
+
+import type { Hooks, Plugin, PluginInput } from "@opencode-ai/plugin";
+import { execFileSync } from "node:child_process";
+import * as fs from "node:fs";
+import { homedir } from "node:os";
+import * as path from "node:path";
+
+const MULTICORN_CONFIG = path.join(homedir(), ".multicorn", "config.json");
+const HTTP_MS = 10_000;
+const PLATFORM = "opencode";
+
+interface ShieldConfigLoaded {
+  readonly apiKey: string;
+  readonly baseUrl: string;
+  readonly agentName: string;
+}
+
+function cwdUnderWorkspacePath(cwdResolved: string, workspacePath: string): boolean {
+  const w = path.resolve(workspacePath);
+  if (cwdResolved === w) return true;
+  const prefix = w.endsWith(path.sep) ? w : w + path.sep;
+  return cwdResolved.startsWith(prefix);
+}
+
+function pickAgentName(obj: Record<string, unknown>, cwd: string): string {
+  const agents = obj["agents"];
+  if (!Array.isArray(agents)) {
+    return typeof obj["agentName"] === "string" ? obj["agentName"] : "";
+  }
+  const matches = agents.filter((e) => {
+    if (!e || typeof e !== "object") return false;
+    const row = e as Record<string, unknown>;
+    return row["platform"] === PLATFORM && typeof row["name"] === "string";
+  }) as readonly { name: string; workspacePath?: string }[];
+  if (matches.length === 0) {
+    return typeof obj["agentName"] === "string" ? obj["agentName"] : "";
+  }
+  const withWs = matches.filter(
+    (m) => typeof m.workspacePath === "string" && m.workspacePath.length > 0,
+  );
+  if (withWs.length === 0) {
+    const fb = matches[0];
+    return fb !== undefined ? fb.name : "";
+  }
+  const resolvedCwd = path.resolve(cwd);
+  let best: { name: string; workspacePath: string } | null = null;
+  let bestLen = -1;
+  for (const m of withWs) {
+    const wp = m.workspacePath;
+    if (typeof wp !== "string" || !cwdUnderWorkspacePath(resolvedCwd, wp)) continue;
+    const len = path.resolve(wp).length;
+    if (len > bestLen) {
+      bestLen = len;
+      best = { name: m.name, workspacePath: wp };
+    }
+  }
+  if (best !== null) {
+    return best.name;
+  }
+  const fb2 = matches[0];
+  return fb2 !== undefined ? fb2.name : "";
+}
+
+function loadShieldConfig(cwd: string): ShieldConfigLoaded | null {
+  try {
+    const raw = fs.readFileSync(MULTICORN_CONFIG, "utf8");
+    const parsed: unknown = JSON.parse(raw);
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+    const obj = parsed as Record<string, unknown>;
+    const apiKey = typeof obj["apiKey"] === "string" ? obj["apiKey"] : "";
+    const baseUrl =
+      typeof obj["baseUrl"] === "string" && obj["baseUrl"].length > 0
+        ? obj["baseUrl"].replace(/\/+$/, "")
+        : "https://api.multicorn.ai";
+    const baseLower = baseUrl.toLowerCase();
+    const isHttps = baseLower.startsWith("https://");
+    const isLocal = baseLower.includes("localhost") || baseLower.includes("127.0.0.1");
+    if (!isHttps && !isLocal) {
+      return null;
+    }
+    const agentName = pickAgentName(obj, cwd);
+    return { apiKey, baseUrl, agentName };
+  } catch {
+    return null;
+  }
+}
+
+type ToolTriple = readonly [service: string, actionType: string, skipShieldCheck: boolean];
+
+/** Maps OpenCode tool names to Shield service/actionType. Third element skips pre-tool Shield check only. */
+function mapTool(toolName: string): ToolTriple {
+  const name = toolName.trim();
+  if (name === "task") {
+    return ["agent", "delegate", true] as const;
+  }
+  if (name.startsWith("mcp_") || name.includes(":")) {
+    if (name.startsWith("mcp_")) {
+      const rest = name.slice(4);
+      const sanitized = rest.replace(/[^a-zA-Z0-9._-]+/g, "_");
+      return [`mcp:${sanitized}`, "execute", false] as const;
+    }
+    const idx = name.indexOf(":");
+    if (idx > 0) {
+      const server = name.slice(0, idx).replace(/[^a-zA-Z0-9._-]+/g, "_");
+      const tool = name.slice(idx + 1).replace(/[^a-zA-Z0-9._-]+/g, "_");
+      return [`mcp:${server}.${tool}`, "execute", false] as const;
+    }
+  }
+  const builtin: Record<string, readonly [string, string]> = {
+    bash: ["terminal", "execute"],
+    read: ["filesystem", "read"],
+    write: ["filesystem", "write"],
+    edit: ["filesystem", "write"],
+    apply_patch: ["filesystem", "write"],
+    glob: ["filesystem", "read"],
+    grep: ["filesystem", "read"],
+    list: ["filesystem", "read"],
+    webfetch: ["network", "request"],
+    websearch: ["network", "request"],
+  };
+  const hit = builtin[name];
+  if (hit !== undefined) {
+    return [hit[0], hit[1], false] as const;
+  }
+  return ["other", "execute", false] as const;
+}
+
+function unwrapData(body: unknown): unknown {
+  if (typeof body !== "object" || body === null) return null;
+  const o = body as Record<string, unknown>;
+  return o["success"] === true ? o["data"] : null;
+}
+
+function safeParseJson(text: string): unknown {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+
+function dashboardHintUrl(apiBaseUrl: string): string {
+  try {
+    const raw = apiBaseUrl.replace(/\/+$/, "");
+    const lower = raw.toLowerCase();
+    if (lower.includes("localhost:8080") || lower.includes("127.0.0.1:8080")) {
+      return "http://localhost:5173/approvals";
+    }
+    const u = new URL(raw);
+    if (u.hostname.startsWith("api.")) {
+      u.hostname = "app." + u.hostname.slice(4);
+    }
+    return `${u.origin}/approvals`;
+  } catch {
+    return "https://app.multicorn.ai/approvals";
+  }
+}
+
+function consentUrl(
+  apiBaseUrl: string,
+  agentName: string,
+  service: string,
+  actionType: string,
+): string {
+  const raw = apiBaseUrl.replace(/\/+$/, "");
+  let origin: string;
+  try {
+    const lower = raw.toLowerCase();
+    if (lower.includes("localhost:8080") || lower.includes("127.0.0.1:8080")) {
+      origin = "http://localhost:5173";
+    } else {
+      const u = new URL(raw);
+      if (u.hostname.startsWith("api.")) {
+        u.hostname = "app." + u.hostname.slice(4);
+      }
+      origin = u.origin;
+    }
+  } catch {
+    origin = "https://app.multicorn.ai";
+  }
+  const params = new URLSearchParams();
+  params.set("agent", agentName);
+  params.set("scopes", `${service}:${actionType}`);
+  params.set("platform", PLATFORM);
+  return `${origin}/consent?${params.toString()}`;
+}
+
+function openBrowser(url: string): void {
+  try {
+    if (process.platform === "darwin") {
+      execFileSync("open", [url], { stdio: "ignore" });
+    } else if (process.platform === "win32") {
+      execFileSync("cmd.exe", ["/c", "start", "", url], {
+        stdio: "ignore",
+        windowsHide: true,
+      });
+    } else {
+      execFileSync("xdg-open", [url], { stdio: "ignore" });
+    }
+  } catch {
+    /* ignore */
+  }
+}
+
+function blockedMessage(
+  data: unknown,
+  service: string,
+  actionType: string,
+  approvalsUrl: string,
+): string {
+  if (data !== null && typeof data === "object") {
+    const d = data as Record<string, unknown>;
+    const meta = d["metadata"];
+    if (typeof meta === "string" && meta.length > 0) {
+      const parsed = safeParseJson(meta);
+      if (parsed !== null && typeof parsed === "object") {
+        const br = (parsed as Record<string, unknown>)["block_reason"];
+        if (typeof br === "string" && br.length > 0) {
+          return `Shield: Action blocked - ${br}. Grant access at ${approvalsUrl}`;
+        }
+      }
+    }
+  }
+  return `Shield: Action blocked. Required permission: ${service} (${actionType}). Grant access at ${approvalsUrl}`;
+}
+
+function scrubMetadataArgs(args: unknown): string {
+  try {
+    if (typeof args !== "object" || args === null) return "{}";
+    const clone = { ...(args as Record<string, unknown>) };
+    const contentKey = clone["content"];
+    if (typeof contentKey === "string") {
+      clone["content"] = "[" + contentKey.length.toString() + " chars redacted]";
+    }
+    const cmd = clone["command"];
+    if (typeof cmd === "string" && cmd.length > 200) {
+      clone["command"] = cmd.slice(0, 200) + "... [truncated]";
+    }
+    let out = JSON.stringify(clone);
+    if (out.length > 4096) out = out.slice(0, 4096);
+    return out;
+  } catch {
+    return "{}";
+  }
+}
+
+function scrubResultSnippet(text: unknown): string {
+  if (typeof text !== "string") return "";
+  let s = text;
+  s = s.replace(/\bsk-[A-Za-z0-9_-]{8,}\b/g, "[REDACTED]");
+  s = s.replace(/\bmcs_[A-Za-z0-9_-]+\b/g, "[REDACTED]");
+  s = s.replace(/\bghp_[A-Za-z0-9]{20,}\b/g, "[REDACTED]");
+  s = s.replace(/Bearer\s+[^\s]+/gi, "[REDACTED]");
+  if (s.length > 500) {
+    return s.slice(0, 500) + "[truncated]";
+  }
+  return s;
+}
+
+async function shieldPostActions(
+  baseUrl: string,
+  apiKey: string,
+  body: Record<string, unknown>,
+): Promise<{ readonly statusCode: number; readonly bodyText: string }> {
+  const url = `${baseUrl.replace(/\/+$/, "")}/api/v1/actions`;
+  const ac = new AbortController();
+  const t = setTimeout(() => {
+    ac.abort();
+  }, HTTP_MS);
+  try {
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        Connection: "close",
+        "Content-Type": "application/json",
+        "X-Multicorn-Key": apiKey,
+      },
+      body: JSON.stringify(body),
+      signal: ac.signal,
+    });
+    const bodyText = await res.text();
+    return { statusCode: res.status, bodyText };
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+async function notifyPluginLog(
+  client: PluginInput["client"],
+  level: "info" | "warn" | "error",
+  message: string,
+): Promise<void> {
+  try {
+    const appUnknown = (
+      client as unknown as {
+        app?: {
+          log?: (p: unknown) => Promise<void>;
+        };
+      }
+    ).app;
+    if (appUnknown?.log === undefined) return;
+    await appUnknown.log({
+      body: { service: "multicorn-shield-opencode", level, message },
+    });
+  } catch {
+    /* ignore */
+  }
+}
+
+async function shieldBeforeDecision(
+  cfg: ShieldConfigLoaded,
+  toolName: string,
+  args: Record<string, unknown>,
+  approvalsUrlApp: string,
+): Promise<{ readonly allow: true } | { readonly allow: false; readonly msg: string }> {
+  const [service, actionType, skipCheck] = mapTool(toolName);
+  if (skipCheck || cfg.apiKey.length === 0 || cfg.agentName.length === 0) {
+    return { allow: true };
+  }
+
+  /** @type {Record<string, unknown>} */
+  const metadata = {
+    tool_name: toolName,
+    parameters: scrubMetadataArgs(args),
+    source: PLATFORM,
+  };
+
+  /** @type {Record<string, unknown>} */
+  const payload = {
+    agent: cfg.agentName,
+    service,
+    actionType,
+    status: "pending",
+    metadata,
+    platform: PLATFORM,
+  };
+
+  let statusCode: number;
+  let bodyText: string;
+  try {
+    const res = await shieldPostActions(cfg.baseUrl, cfg.apiKey, payload);
+    statusCode = res.statusCode;
+    bodyText = res.bodyText;
+  } catch {
+    return { allow: true };
+  }
+
+  const parsed = typeof bodyText === "string" ? safeParseJson(bodyText) : null;
+  const data = unwrapData(parsed);
+
+  if (statusCode === 202) {
+    const url = consentUrl(cfg.baseUrl, cfg.agentName, service, actionType);
+    openBrowser(url);
+    return {
+      allow: false,
+      msg: `Shield: ${cfg.agentName} needs ${service}:${actionType} permission. Authorize at ${url} then retry this action.`,
+    };
+  }
+
+  if (statusCode === 201) {
+    if (data === null || typeof data !== "object") {
+      const u = consentUrl(cfg.baseUrl, cfg.agentName, service, actionType);
+      return {
+        allow: false,
+        msg: `Shield: ${cfg.agentName} needs ${service}:${actionType} permission. Approve at ${u} or review at ${approvalsUrlApp}`,
+      };
+    }
+    const row = data as Record<string, unknown>;
+    const rawStatus = row["status"];
+    const st = typeof rawStatus === "string" ? rawStatus.toLowerCase() : "";
+    if (st === "approved") {
+      return { allow: true };
+    }
+    if (st === "blocked" || st === "requires_approval") {
+      return {
+        allow: false,
+        msg: blockedMessage(data, service, actionType, approvalsUrlApp),
+      };
+    }
+    const u = consentUrl(cfg.baseUrl, cfg.agentName, service, actionType);
+    return {
+      allow: false,
+      msg: `Shield: ${cfg.agentName} needs ${service}:${actionType} permission. Approve at ${u} or review at ${approvalsUrlApp}`,
+    };
+  }
+
+  const u = consentUrl(cfg.baseUrl, cfg.agentName, service, actionType);
+  return {
+    allow: false,
+    msg: `Shield: ${cfg.agentName} needs ${service}:${actionType} permission. Approve at ${u} or review at ${approvalsUrlApp}`,
+  };
+}
+
+function scheduleLogApproved(
+  cfg: ShieldConfigLoaded,
+  toolName: string,
+  resultPreview: string,
+): void {
+  const [service, actionType] = mapTool(toolName);
+  /** @type {Record<string, unknown>} */
+  const metadata = {
+    tool_name: toolName,
+    result: resultPreview,
+    source: PLATFORM,
+  };
+
+  /** @type {Record<string, unknown>} */
+  const payload = {
+    agent: cfg.agentName,
+    service,
+    actionType,
+    status: "approved",
+    metadata,
+    platform: PLATFORM,
+  };
+
+  void shieldPostActions(cfg.baseUrl, cfg.apiKey, payload).catch(() => {
+    /* intentionally ignored */
+  });
+}
+
+export const MulticornShieldPlugin: Plugin = (input: PluginInput): Promise<Hooks> => {
+  const directoryResolved = typeof input.directory === "string" ? input.directory : process.cwd();
+
+  return Promise.resolve({
+    "tool.execute.before": async ({ tool: toolNameRaw }, output) => {
+      const cfg = loadShieldConfig(directoryResolved);
+      if (cfg === null || cfg.apiKey.length === 0 || cfg.agentName.length === 0) {
+        return;
+      }
+
+      const toolName = typeof toolNameRaw === "string" ? toolNameRaw : "";
+      if (toolName.length === 0) return;
+
+      const args =
+        output.args !== null && typeof output.args === "object" && !Array.isArray(output.args)
+          ? (output.args as Record<string, unknown>)
+          : {};
+
+      const approvalsUrl = dashboardHintUrl(cfg.baseUrl);
+
+      try {
+        const verdict = await shieldBeforeDecision(cfg, toolName, args, approvalsUrl);
+        if (!verdict.allow && "msg" in verdict) {
+          throw new Error(verdict.msg);
+        }
+      } catch (e) {
+        if (e instanceof Error && e.message.startsWith("Shield:")) throw e;
+        void notifyPluginLog(
+          input.client,
+          "warn",
+          `Shield pre-tool check skipped: ${e instanceof Error ? e.message : String(e)}`,
+        );
+      }
+    },
+    "tool.execute.after": (hookInput, output): Promise<void> => {
+      const cfg = loadShieldConfig(directoryResolved);
+      if (cfg === null || cfg.apiKey.length === 0 || cfg.agentName.length === 0) {
+        return Promise.resolve();
+      }
+
+      const toolName = typeof hookInput.tool === "string" ? hookInput.tool : "";
+      if (toolName.length === 0) {
+        return Promise.resolve();
+      }
+
+      let snippet = "";
+      if (typeof output === "object" && "output" in output) {
+        const rawOut = (output as Record<string, unknown>)["output"];
+        if (typeof rawOut === "string") {
+          snippet = scrubResultSnippet(rawOut);
+        }
+      }
+
+      scheduleLogApproved(cfg, toolName, snippet);
+      return Promise.resolve();
+    },
+  });
+};