multicorn-shield 1.8.0 → 1.9.1

package/CHANGELOG.md

@@ -9,6 +9,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Bump `version` in `package.json` before publishing to npm.
 
+## [1.9.1] - 2026-05-12
+
+### Fixed
+
+- Include `plugins/codex-cli` in published npm package (missing from `files` in package.json)
+
+## [1.9.0] - 2026-05-12
+
+### Added
+
+- OpenAI Codex CLI as a supported platform (native hooks + hosted proxy)
+- Codex CLI hook scripts (PreToolUse, PostToolUse) for terminal command interception
+- Codex CLI agent resolution and tool name mapping
+- CLI wizard support for Codex CLI: native plugin install and hosted proxy TOML snippet
+- `plugins/codex-cli/README.md` documenting hook script build and test workflow
+
+### Fixed
+
+- Codex config.toml feature flag updated from deprecated `codex_hooks` to `hooks`
+- Config.toml migration: init now detects and replaces deprecated `codex_hooks` flag automatically
+- Hook scripts reject plaintext HTTP for non-localhost API calls
+- Config file permission warning when `~/.multicorn/config.json` is readable by other users
+- Destructive command detection uses word-boundary matching instead of substring includes
+- Unknown tool names default to restrictive `write` permission level instead of `execute`
+- Audit log payloads size-bounded and secret patterns redacted before transmission
+- Error messages sanitised: internal details hidden unless `MULTICORN_DEBUG` is set
+- Test-mode polling escape hatch removed from production hook scripts
+- Shared utility module extracted to eliminate duplication between hook scripts
+
+### Changed
+
+- Error message prefix shortened from `[multicorn-shield]` to `[Shield]`
+- "Audit trail" terminology replaced with "record the action" in user-facing messages
+
 ## [1.8.0] - 2026-05-11
 
 ### Added

package/dist/index.cjs

@@ -27,6 +27,7 @@ var AGENT_PLATFORM_SLUGS = [
   "goose",
   "kilo-code",
   "opencode",
+  "codex-cli",
   "other-mcp",
   "github-actions",
   "unknown"

package/dist/index.d.cts

@@ -12,7 +12,7 @@ import { LitElement, PropertyValues, HTMLTemplateResult } from 'lit';
 /**
  * Agent client platforms supported by hosted proxy and native hooks (aligned with API validation).
  */
-declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "opencode", "other-mcp", "github-actions", "unknown"];
+declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "opencode", "codex-cli", "other-mcp", "github-actions", "unknown"];
 type AgentPlatformSlug = (typeof AGENT_PLATFORM_SLUGS)[number];
 /**
  * Possible operational states for an agent.

package/dist/index.d.ts

@@ -12,7 +12,7 @@ import { LitElement, PropertyValues, HTMLTemplateResult } from 'lit';
 /**
  * Agent client platforms supported by hosted proxy and native hooks (aligned with API validation).
  */
-declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "opencode", "other-mcp", "github-actions", "unknown"];
+declare const AGENT_PLATFORM_SLUGS: readonly ["openclaw", "claude-code", "claude-desktop", "cursor", "windsurf", "cline", "gemini-cli", "continue-dev", "github-copilot", "goose", "kilo-code", "opencode", "codex-cli", "other-mcp", "github-actions", "unknown"];
 type AgentPlatformSlug = (typeof AGENT_PLATFORM_SLUGS)[number];
 /**
  * Possible operational states for an agent.

package/dist/index.js

@@ -25,6 +25,7 @@ var AGENT_PLATFORM_SLUGS = [
   "goose",
   "kilo-code",
   "opencode",
+  "codex-cli",
   "other-mcp",
   "github-actions",
   "unknown"

package/dist/multicorn-proxy.js

@@ -941,6 +941,99 @@ async function installOpenCodeNativePlugin() {
   const dest = join(destDir, "multicorn-shield.ts");
   await copyFile(src, dest);
 }
+function getCodexCliHooksInstallDir() {
+  return join(homedir(), ".multicorn", "codex-cli-hooks");
+}
+function getCodexConfigTomlPath() {
+  return join(homedir(), ".codex", "config.toml");
+}
+function getCodexHooksJsonPath() {
+  return join(homedir(), ".codex", "hooks.json");
+}
+async function installCodexCliNativeHooks() {
+  const root = multicornShieldPackageRoot();
+  const scriptsDir = join(root, "plugins", "codex-cli", "hooks", "scripts");
+  const preHook = join(scriptsDir, "pre-tool-use.cjs");
+  const postHook = join(scriptsDir, "post-tool-use.cjs");
+  const toolMap = join(scriptsDir, "codex-cli-tool-map.cjs");
+  const sharedHook = join(scriptsDir, "codex-cli-hooks-shared.cjs");
+  if (!existsSync(preHook) || !existsSync(postHook) || !existsSync(toolMap) || !existsSync(sharedHook)) {
+    throw new Error(
+      `Could not find Shield Codex CLI hook scripts at ${scriptsDir}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const destDir = getCodexCliHooksInstallDir();
+  await mkdir(destDir, { recursive: true });
+  await copyFile(preHook, join(destDir, "pre-tool-use.cjs"));
+  await copyFile(postHook, join(destDir, "post-tool-use.cjs"));
+  await copyFile(toolMap, join(destDir, "codex-cli-tool-map.cjs"));
+  await copyFile(sharedHook, join(destDir, "codex-cli-hooks-shared.cjs"));
+  const configTomlPath = getCodexConfigTomlPath();
+  await mkdir(join(homedir(), ".codex"), { recursive: true });
+  let tomlContent = "";
+  try {
+    tomlContent = await readFile(configTomlPath, "utf8");
+  } catch (err) {
+    if (!isErrnoException(err) || err.code !== "ENOENT") {
+      throw err;
+    }
+  }
+  if (tomlContent.includes("codex_hooks")) {
+    tomlContent = tomlContent.replace(/codex_hooks/g, "hooks");
+    await writeFile(configTomlPath, tomlContent, "utf8");
+  }
+  if (!/\bhooks\s*=\s*true/.test(tomlContent)) {
+    tomlContent = tomlContent.includes("[features]") ? tomlContent.replace("[features]", "[features]\nhooks = true") : tomlContent.trimEnd() + (tomlContent.length > 0 ? "\n\n" : "") + "[features]\nhooks = true\n";
+    await writeFile(configTomlPath, tomlContent, "utf8");
+  }
+  const hooksConfig = {
+    hooks: {
+      PreToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            {
+              type: "command",
+              command: `node ${join(destDir, "pre-tool-use.cjs")}`,
+              statusMessage: "Checking Shield permissions"
+            }
+          ]
+        }
+      ],
+      PostToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            {
+              type: "command",
+              command: `node ${join(destDir, "post-tool-use.cjs")}`,
+              timeout: 30,
+              statusMessage: "Logging to Shield"
+            }
+          ]
+        }
+      ]
+    }
+  };
+  await writeFile(getCodexHooksJsonPath(), JSON.stringify(hooksConfig, null, 2) + "\n", "utf8");
+}
+async function promptCodexCliIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("Codex CLI integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin - Shield checks terminal (Bash) commands via Codex Hooks\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP server traffic via config.toml\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
 async function promptClineIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Cline integration") + "\n");
   process.stderr.write(
@@ -2059,6 +2152,9 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
       if (result === "parse-error") {
         printHostedProxyJsonParseWarning(join(workspacePath, "opencode.json"));
       }
+    } else if (platform === "codex-cli") {
+      printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
+      return;
     } else if (platform === "continue-dev") {
       result = await mergeContinueHostedMcp(
         workspacePath,
@@ -2194,7 +2290,8 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     "github-copilot",
     "continue-dev",
     "goose",
-    "opencode"
+    "opencode",
+    "codex-cli"
   ]);
   const usesInlineKey = hostedInlinePlatforms.has(platform);
   const authHeader = usesInlineKey ? `Bearer ${apiKey}` : "Bearer YOUR_SHIELD_API_KEY";
@@ -2295,6 +2392,11 @@ mcpServers:
       null,
       2
     );
+  } else if (platform === "codex-cli") {
+    snippetText = `[mcp_servers.${shortName}]
+url = "${urlInSnippet}"
+bearer_token_env_var = "MULTICORN_API_KEY"
+`;
   } else {
     const urlKey = platform === "windsurf" ? "serverUrl" : "url";
     snippetText = JSON.stringify(
@@ -2338,6 +2440,12 @@ mcpServers:
         "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
       ) + "\n\n"
     );
+  } else if (platform === "codex-cli") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "Add this to ~/.codex/config.toml (create the file if it does not exist). Set the MULTICORN_API_KEY environment variable to your Shield API key. Restart Codex CLI after saving."
+      ) + "\n\n"
+    );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
@@ -3054,6 +3162,100 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           setupSucceeded = true;
         }
       }
+    } else if (selectedPlatform === "codex-cli") {
+      const codexMode = await promptCodexCliIntegrationMode(ask);
+      if (codexMode === "native") {
+        try {
+          await installCodexCliNativeHooks();
+          process.stderr.write("\n" + style.bold("Shield Codex CLI hooks installed") + "\n\n");
+          process.stderr.write(
+            style.dim("Hook scripts: ") + style.cyan(getCodexCliHooksInstallDir()) + "\n"
+          );
+          process.stderr.write(
+            style.dim("Hooks config: ") + style.cyan(getCodexHooksJsonPath()) + "\n"
+          );
+          process.stderr.write(
+            style.dim("Feature flag: ") + style.cyan(getCodexConfigTomlPath()) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Codex hooks currently intercept terminal (Bash) commands only. File edits and MCP tool calls are not yet covered by hooks."
+            ) + "\n\n"
+          );
+          process.stderr.write(
+            style.dim(
+              "Start Codex CLI, then type /hooks to review the Shield hooks. Press 't' to trust each one before they can run."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            codexCliIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          const detail = error instanceof Error ? error.message : String(error);
+          process.stderr.write(style.red("\u2717 ") + detail + "\n");
+        }
+      } else {
+        const { targetUrl, shortName, upstreamHeaders } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform,
+              upstreamHeaders
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write(
+            "  " + style.cyan(formatHostedProxyUrlForStderr(selectedPlatform, proxyUrl, apiKey)) + "\n"
+          );
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
+          process.stderr.write(
+            "\n" + style.dim(
+              "Add the TOML snippet above to ~/.codex/config.toml. Set the MULTICORN_API_KEY environment variable to your Shield API key. Restart Codex CLI after saving."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            codexCliIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
     } else if (selectedPlatform === "cline") {
       const clineMode = await promptClineIntegrationMode(ask);
       if (clineMode === "native") {
@@ -3366,6 +3568,22 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         "\n" + style.bold("OpenCode (hosted)") + '\n  \u2192 Restart OpenCode or start a new session after saving opencode.json\n  \u2192 Try it: paste this into OpenCode:\n    "Use the ' + ocLabel + ' MCP server to list allowed directories"\n'
       );
     }
+    const codexNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "codex-cli" && a.codexCliIntegration === "native"
+    );
+    const codexHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "codex-cli" && a.codexCliIntegration === "hosted"
+    );
+    if (codexNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("Codex CLI (native)") + "\n  \u2192 Start Codex CLI (run 'codex' in your terminal)\n  \u2192 Type /hooks to review the Shield hooks - press 't' to trust each one\n  \u2192 Once both hooks are trusted, try a Bash command - Shield will intercept and check permissions\n  \u2192 Note: hooks currently cover terminal (Bash) commands only\n"
+      );
+    }
+    if (codexHostedConfigured) {
+      blocks.push(
+        "\n" + style.bold("Codex CLI (hosted)") + "\n  \u2192 Set the MULTICORN_API_KEY environment variable to your Shield API key\n  \u2192 Restart Codex CLI after saving config.toml\n  \u2192 Try it: make a request that uses an MCP tool through Shield\n"
+      );
+    }
     if (configuredPlatforms.has("other-mcp")) {
       blocks.push(
         "\n" + style.bold("Local MCP / Other") + "\n  \u2192 Run your configured wrap command (for example " + style.cyan("npx multicorn-shield --wrap ...") + ")\n  \u2192 Try it: make a request in your coding agent - Shield will intercept the first tool call and ask for your consent\n"
@@ -3431,6 +3649,12 @@ var init_config = __esm({
         section: "native",
         prereqUrl: "https://opencode.ai"
       },
+      {
+        slug: "codex-cli",
+        displayName: "Codex CLI",
+        section: "native",
+        prereqUrl: "https://github.com/openai/codex"
+      },
       {
         slug: "cursor",
         displayName: "Cursor",
@@ -4436,7 +4660,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "multicorn-shield",
-      version: "1.8.0",
+      version: "1.9.1",
       description: "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
       license: "MIT",
       author: "Multicorn AI Pty Ltd",
@@ -4477,6 +4701,7 @@ var init_package = __esm({
         "plugins/cline",
         "plugins/gemini-cli",
         "plugins/opencode",
+        "plugins/codex-cli",
         "LICENSE",
         "README.md",
         "CHANGELOG.md"

package/dist/multicorn-shield.js

@@ -955,6 +955,99 @@ async function installOpenCodeNativePlugin() {
   const dest = join(destDir, "multicorn-shield.ts");
   await copyFile(src, dest);
 }
+function getCodexCliHooksInstallDir() {
+  return join(homedir(), ".multicorn", "codex-cli-hooks");
+}
+function getCodexConfigTomlPath() {
+  return join(homedir(), ".codex", "config.toml");
+}
+function getCodexHooksJsonPath() {
+  return join(homedir(), ".codex", "hooks.json");
+}
+async function installCodexCliNativeHooks() {
+  const root = multicornShieldPackageRoot();
+  const scriptsDir = join(root, "plugins", "codex-cli", "hooks", "scripts");
+  const preHook = join(scriptsDir, "pre-tool-use.cjs");
+  const postHook = join(scriptsDir, "post-tool-use.cjs");
+  const toolMap = join(scriptsDir, "codex-cli-tool-map.cjs");
+  const sharedHook = join(scriptsDir, "codex-cli-hooks-shared.cjs");
+  if (!existsSync(preHook) || !existsSync(postHook) || !existsSync(toolMap) || !existsSync(sharedHook)) {
+    throw new Error(
+      `Could not find Shield Codex CLI hook scripts at ${scriptsDir}. If you use npm, install the latest multicorn-shield package.`
+    );
+  }
+  const destDir = getCodexCliHooksInstallDir();
+  await mkdir(destDir, { recursive: true });
+  await copyFile(preHook, join(destDir, "pre-tool-use.cjs"));
+  await copyFile(postHook, join(destDir, "post-tool-use.cjs"));
+  await copyFile(toolMap, join(destDir, "codex-cli-tool-map.cjs"));
+  await copyFile(sharedHook, join(destDir, "codex-cli-hooks-shared.cjs"));
+  const configTomlPath = getCodexConfigTomlPath();
+  await mkdir(join(homedir(), ".codex"), { recursive: true });
+  let tomlContent = "";
+  try {
+    tomlContent = await readFile(configTomlPath, "utf8");
+  } catch (err) {
+    if (!isErrnoException(err) || err.code !== "ENOENT") {
+      throw err;
+    }
+  }
+  if (tomlContent.includes("codex_hooks")) {
+    tomlContent = tomlContent.replace(/codex_hooks/g, "hooks");
+    await writeFile(configTomlPath, tomlContent, "utf8");
+  }
+  if (!/\bhooks\s*=\s*true/.test(tomlContent)) {
+    tomlContent = tomlContent.includes("[features]") ? tomlContent.replace("[features]", "[features]\nhooks = true") : tomlContent.trimEnd() + (tomlContent.length > 0 ? "\n\n" : "") + "[features]\nhooks = true\n";
+    await writeFile(configTomlPath, tomlContent, "utf8");
+  }
+  const hooksConfig = {
+    hooks: {
+      PreToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            {
+              type: "command",
+              command: `node ${join(destDir, "pre-tool-use.cjs")}`,
+              statusMessage: "Checking Shield permissions"
+            }
+          ]
+        }
+      ],
+      PostToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            {
+              type: "command",
+              command: `node ${join(destDir, "post-tool-use.cjs")}`,
+              timeout: 30,
+              statusMessage: "Logging to Shield"
+            }
+          ]
+        }
+      ]
+    }
+  };
+  await writeFile(getCodexHooksJsonPath(), JSON.stringify(hooksConfig, null, 2) + "\n", "utf8");
+}
+async function promptCodexCliIntegrationMode(ask) {
+  process.stderr.write("\n" + style.bold("Codex CLI integration") + "\n");
+  process.stderr.write(
+    "  " + style.violet("1") + ". Native plugin - Shield checks terminal (Bash) commands via Codex Hooks\n"
+  );
+  process.stderr.write(
+    "  " + style.violet("2") + ". Hosted proxy - govern MCP server traffic via config.toml\n"
+  );
+  let choice = 0;
+  while (choice === 0) {
+    const input = await ask("Choose integration (1-2): ");
+    const num = parseInt(input.trim(), 10);
+    if (num === 1) choice = 1;
+    if (num === 2) choice = 2;
+  }
+  return choice === 1 ? "native" : "hosted";
+}
 async function promptClineIntegrationMode(ask) {
   process.stderr.write("\n" + style.bold("Cline integration") + "\n");
   process.stderr.write(
@@ -1406,6 +1499,12 @@ var INIT_WIZARD_PLATFORM_REGISTRY = [
     section: "native",
     prereqUrl: "https://opencode.ai"
   },
+  {
+    slug: "codex-cli",
+    displayName: "Codex CLI",
+    section: "native",
+    prereqUrl: "https://github.com/openai/codex"
+  },
   {
     slug: "cursor",
     displayName: "Cursor",
@@ -2146,6 +2245,9 @@ async function applyHostedProxyMcpConfig(platform, proxyUrl, shortName, apiKey,
       if (result === "parse-error") {
         printHostedProxyJsonParseWarning(join(workspacePath, "opencode.json"));
       }
+    } else if (platform === "codex-cli") {
+      printPlatformSnippet(platform, proxyUrl, shortName, apiKey);
+      return;
     } else if (platform === "continue-dev") {
       result = await mergeContinueHostedMcp(
         workspacePath,
@@ -2281,7 +2383,8 @@ function printPlatformSnippet(platform, routingToken, shortName, apiKey) {
     "github-copilot",
     "continue-dev",
     "goose",
-    "opencode"
+    "opencode",
+    "codex-cli"
   ]);
   const usesInlineKey = hostedInlinePlatforms.has(platform);
   const authHeader = usesInlineKey ? `Bearer ${apiKey}` : "Bearer YOUR_SHIELD_API_KEY";
@@ -2382,6 +2485,11 @@ mcpServers:
       null,
       2
     );
+  } else if (platform === "codex-cli") {
+    snippetText = `[mcp_servers.${shortName}]
+url = "${urlInSnippet}"
+bearer_token_env_var = "MULTICORN_API_KEY"
+`;
   } else {
     const urlKey = platform === "windsurf" ? "serverUrl" : "url";
     snippetText = JSON.stringify(
@@ -2425,6 +2533,12 @@ mcpServers:
         "Add this to opencode.json in your project root (or ~/.config/opencode/opencode.json for global config). OpenCode detects configured MCP servers on the next session start."
       ) + "\n\n"
     );
+  } else if (platform === "codex-cli") {
+    process.stderr.write(
+      "\n" + style.dim(
+        "Add this to ~/.codex/config.toml (create the file if it does not exist). Set the MULTICORN_API_KEY environment variable to your Shield API key. Restart Codex CLI after saving."
+      ) + "\n\n"
+    );
   } else if (platform === "github-copilot") {
     process.stderr.write(
       "\n" + style.dim(
@@ -3142,6 +3256,100 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           setupSucceeded = true;
         }
       }
+    } else if (selectedPlatform === "codex-cli") {
+      const codexMode = await promptCodexCliIntegrationMode(ask);
+      if (codexMode === "native") {
+        try {
+          await installCodexCliNativeHooks();
+          process.stderr.write("\n" + style.bold("Shield Codex CLI hooks installed") + "\n\n");
+          process.stderr.write(
+            style.dim("Hook scripts: ") + style.cyan(getCodexCliHooksInstallDir()) + "\n"
+          );
+          process.stderr.write(
+            style.dim("Hooks config: ") + style.cyan(getCodexHooksJsonPath()) + "\n"
+          );
+          process.stderr.write(
+            style.dim("Feature flag: ") + style.cyan(getCodexConfigTomlPath()) + "\n"
+          );
+          process.stderr.write("\n");
+          process.stderr.write(
+            style.dim(
+              "Codex hooks currently intercept terminal (Bash) commands only. File edits and MCP tool calls are not yet covered by hooks."
+            ) + "\n\n"
+          );
+          process.stderr.write(
+            style.dim(
+              "Start Codex CLI, then type /hooks to review the Shield hooks. Press 't' to trust each one before they can run."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            codexCliIntegration: "native"
+          });
+          setupSucceeded = true;
+        } catch (error) {
+          const detail = error instanceof Error ? error.message : String(error);
+          process.stderr.write(style.red("\u2717 ") + detail + "\n");
+        }
+      } else {
+        const { targetUrl, shortName, upstreamHeaders } = await promptProxyConfig(ask, agentName);
+        let proxyUrl = "";
+        let created = false;
+        while (!created) {
+          const spinner = withSpinner("Creating proxy config...");
+          try {
+            proxyUrl = await createProxyConfig(
+              resolvedBaseUrl,
+              apiKey,
+              agentName,
+              targetUrl,
+              shortName,
+              selectedPlatform,
+              upstreamHeaders
+            );
+            spinner.stop(true, "Proxy config created!");
+            created = true;
+          } catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            spinner.stop(false, detail);
+            const retry = await ask("Try again? (Y/n) ");
+            if (retry.trim().toLowerCase() === "n") {
+              break;
+            }
+          }
+        }
+        if (created && proxyUrl.length > 0) {
+          process.stderr.write("\n" + style.bold("Your Shield proxy URL:") + "\n");
+          process.stderr.write(
+            "  " + style.cyan(formatHostedProxyUrlForStderr(selectedPlatform, proxyUrl, apiKey)) + "\n"
+          );
+          await applyHostedProxyMcpConfig(
+            selectedPlatform,
+            proxyUrl,
+            shortName,
+            apiKey,
+            initWorkspacePath
+          );
+          process.stderr.write(
+            "\n" + style.dim(
+              "Add the TOML snippet above to ~/.codex/config.toml. Set the MULTICORN_API_KEY environment variable to your Shield API key. Restart Codex CLI after saving."
+            ) + "\n"
+          );
+          configuredAgents.push({
+            selection,
+            platform: selectedPlatform,
+            platformLabel: selectedLabel,
+            agentName,
+            shortName,
+            proxyUrl,
+            codexCliIntegration: "hosted"
+          });
+          setupSucceeded = true;
+        }
+      }
     } else if (selectedPlatform === "cline") {
       const clineMode = await promptClineIntegrationMode(ask);
       if (clineMode === "native") {
@@ -3454,6 +3662,22 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
         "\n" + style.bold("OpenCode (hosted)") + '\n  \u2192 Restart OpenCode or start a new session after saving opencode.json\n  \u2192 Try it: paste this into OpenCode:\n    "Use the ' + ocLabel + ' MCP server to list allowed directories"\n'
       );
     }
+    const codexNativeConfigured = configuredAgents.some(
+      (a) => a.platform === "codex-cli" && a.codexCliIntegration === "native"
+    );
+    const codexHostedConfigured = configuredAgents.some(
+      (a) => a.platform === "codex-cli" && a.codexCliIntegration === "hosted"
+    );
+    if (codexNativeConfigured) {
+      blocks.push(
+        "\n" + style.bold("Codex CLI (native)") + "\n  \u2192 Start Codex CLI (run 'codex' in your terminal)\n  \u2192 Type /hooks to review the Shield hooks - press 't' to trust each one\n  \u2192 Once both hooks are trusted, try a Bash command - Shield will intercept and check permissions\n  \u2192 Note: hooks currently cover terminal (Bash) commands only\n"
+      );
+    }
+    if (codexHostedConfigured) {
+      blocks.push(
+        "\n" + style.bold("Codex CLI (hosted)") + "\n  \u2192 Set the MULTICORN_API_KEY environment variable to your Shield API key\n  \u2192 Restart Codex CLI after saving config.toml\n  \u2192 Try it: make a request that uses an MCP tool through Shield\n"
+      );
+    }
     if (configuredPlatforms.has("other-mcp")) {
       blocks.push(
         "\n" + style.bold("Local MCP / Other") + "\n  \u2192 Run your configured wrap command (for example " + style.cyan("npx multicorn-shield --wrap ...") + ")\n  \u2192 Try it: make a request in your coding agent - Shield will intercept the first tool call and ask for your consent\n"
@@ -4359,7 +4583,7 @@ async function restoreClaudeDesktopMcpFromBackup() {
 
 // package.json
 var package_default = {
-  version: "1.8.0"};
+  version: "1.9.1"};
 
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;