npm - multicorn-shield - Versions diffs - 1.9.0 → 1.9.2 - Mend

multicorn-shield 1.9.0 → 1.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +12 -0
package/dist/multicorn-proxy.js +5 -4
package/dist/multicorn-shield.js +4 -4
package/dist/shield-extension.js +1 -1
package/package.json +2 -1
package/plugins/codex-cli/README.md +41 -0
package/plugins/codex-cli/hooks/scripts/codex-cli-hooks-shared.cjs +273 -0
package/plugins/codex-cli/hooks/scripts/codex-cli-tool-map.cjs +151 -0
package/plugins/codex-cli/hooks/scripts/post-tool-use.cjs +95 -0
package/plugins/codex-cli/hooks/scripts/pre-tool-use.cjs +392 -0

package/CHANGELOG.md CHANGED Viewed

@@ -9,6 +9,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump `version` in `package.json` before publishing to npm.
+## [1.9.2] - 2026-05-12
+### Fixed
+- Codex CLI hosted proxy next-steps now includes /mcp verification step
+## [1.9.1] - 2026-05-12
+### Fixed
+- Include `plugins/codex-cli` in published npm package (missing from `files` in package.json)
 ## [1.9.0] - 2026-05-12
 ### Added

package/dist/multicorn-proxy.js CHANGED Viewed

@@ -3241,8 +3241,8 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           );
           process.stderr.write(
             "\n" + style.dim(
-              "Add the TOML snippet above to ~/.codex/config.toml. Set the MULTICORN_API_KEY environment variable to your Shield API key. Restart Codex CLI after saving."
-            ) + "\n"
+              "Add the TOML snippet above to ~/.codex/config.toml. Then set the environment variable:"
+            ) + "\n\n  " + style.cyan(`export MULTICORN_API_KEY="${apiKey}"`) + "\n\n" + style.dim("Restart Codex CLI after saving config.toml.") + "\n"
           );
           configuredAgents.push({
             selection,
@@ -3581,7 +3581,7 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     }
     if (codexHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("Codex CLI (hosted)") + "\n  \u2192 Set the MULTICORN_API_KEY environment variable to your Shield API key\n  \u2192 Restart Codex CLI after saving config.toml\n  \u2192 Try it: make a request that uses an MCP tool through Shield\n"
+        "\n" + style.bold("Codex CLI (hosted)") + "\n  \u2192 Set the MULTICORN_API_KEY environment variable to your Shield API key\n  \u2192 Restart Codex CLI after saving config.toml\n  \u2192 Verify it's connected: run /mcp in Codex CLI to see your active MCP servers\n  \u2192 Try it: make a request that uses an MCP tool through Shield\n"
       );
     }
     if (configuredPlatforms.has("other-mcp")) {
@@ -4660,7 +4660,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "multicorn-shield",
-      version: "1.9.0",
+      version: "1.9.2",
       description: "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
       license: "MIT",
       author: "Multicorn AI Pty Ltd",
@@ -4701,6 +4701,7 @@ var init_package = __esm({
         "plugins/cline",
         "plugins/gemini-cli",
         "plugins/opencode",
+        "plugins/codex-cli",
         "LICENSE",
         "README.md",
         "CHANGELOG.md"

package/dist/multicorn-shield.js CHANGED Viewed

@@ -3335,8 +3335,8 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
           );
           process.stderr.write(
             "\n" + style.dim(
-              "Add the TOML snippet above to ~/.codex/config.toml. Set the MULTICORN_API_KEY environment variable to your Shield API key. Restart Codex CLI after saving."
-            ) + "\n"
+              "Add the TOML snippet above to ~/.codex/config.toml. Then set the environment variable:"
+            ) + "\n\n  " + style.cyan(`export MULTICORN_API_KEY="${apiKey}"`) + "\n\n" + style.dim("Restart Codex CLI after saving config.toml.") + "\n"
           );
           configuredAgents.push({
             selection,
@@ -3675,7 +3675,7 @@ You have ${String(agentsForPlatform.length)} agent(s) connected for ${selectedLa
     }
     if (codexHostedConfigured) {
       blocks.push(
-        "\n" + style.bold("Codex CLI (hosted)") + "\n  \u2192 Set the MULTICORN_API_KEY environment variable to your Shield API key\n  \u2192 Restart Codex CLI after saving config.toml\n  \u2192 Try it: make a request that uses an MCP tool through Shield\n"
+        "\n" + style.bold("Codex CLI (hosted)") + "\n  \u2192 Set the MULTICORN_API_KEY environment variable to your Shield API key\n  \u2192 Restart Codex CLI after saving config.toml\n  \u2192 Verify it's connected: run /mcp in Codex CLI to see your active MCP servers\n  \u2192 Try it: make a request that uses an MCP tool through Shield\n"
       );
     }
     if (configuredPlatforms.has("other-mcp")) {
@@ -4583,7 +4583,7 @@ async function restoreClaudeDesktopMcpFromBackup() {
 // package.json
 var package_default = {
-  version: "1.9.0"};
+  version: "1.9.2"};
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;

package/dist/shield-extension.js CHANGED Viewed

@@ -22517,7 +22517,7 @@ async function writeExtensionBackup(claudeDesktopConfigPath, mcpServers) {
 // package.json
 var package_default = {
-  version: "1.9.0"};
+  version: "1.9.2"};
 // src/package-meta.ts
 var PACKAGE_VERSION = package_default.version;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "multicorn-shield",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "The control layer for AI agents: permissions, consent, spending limits, and audit logging.",
   "license": "MIT",
   "author": "Multicorn AI Pty Ltd",
@@ -41,6 +41,7 @@
     "plugins/cline",
     "plugins/gemini-cli",
     "plugins/opencode",
+    "plugins/codex-cli",
     "LICENSE",
     "README.md",
     "CHANGELOG.md"

package/plugins/codex-cli/README.md ADDED Viewed

@@ -0,0 +1,41 @@
+# Codex CLI hook scripts for Multicorn Shield
+These files support **Codex CLI** native hooks (`PreToolUse` / `PostToolUse`): permission checks before tools run and logging afterward.
+## Generated outputs
+The runnable scripts under `hooks/scripts/` are **built from TypeScript** in `src/hooks/`:
+| Output (`hooks/scripts/`)    | Source                                 |
+| ---------------------------- | -------------------------------------- |
+| `pre-tool-use.cjs`           | `src/hooks/codex-cli-pre-tool-use.ts`  |
+| `post-tool-use.cjs`          | `src/hooks/codex-cli-post-tool-use.ts` |
+| `codex-cli-hooks-shared.cjs` | `src/hooks/codex-cli-hooks-shared.ts`  |
+| `codex-cli-tool-map.cjs`     | `src/hooks/codex-cli-tool-map.ts`      |
+Do **not** edit the `.cjs` files by hand. Change the `.ts` sources and rebuild.
+## Build
+From the **multicorn-shield** package root:
+```bash
+pnpm build
+```
+That runs `tsup`, which emits the Codex CLI hook bundle into `plugins/codex-cli/hooks/scripts/`.
+## Manual testing
+Hooks read **one JSON object from stdin** (Codex passes the hook payload). Examples:
+```bash
+echo '{"tool_name":"Bash","tool_input":{"command":"ls"}}' | node plugins/codex-cli/hooks/scripts/pre-tool-use.cjs
+echo '{"tool_name":"Bash","tool_input":{"command":"ls"},"tool_result":"ok"}' | node plugins/codex-cli/hooks/scripts/post-tool-use.cjs
+```
+Use a valid `~/.multicorn/config.json` with `apiKey`, `baseUrl`, and agent entries when exercising the Shield API paths.
+## Main documentation
+See the [multicorn-shield README](../../README.md) for installation, configuration, and Shield concepts.

package/plugins/codex-cli/hooks/scripts/codex-cli-hooks-shared.cjs ADDED Viewed

@@ -0,0 +1,273 @@
+"use strict";
+var fs = require("fs");
+var http = require("http");
+var https = require("https");
+var os = require("os");
+var path = require("path");
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== "default") {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(
+          n,
+          k,
+          d.get
+            ? d
+            : {
+                enumerable: true,
+                get: function () {
+                  return e[k];
+                },
+              },
+        );
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+var fs__namespace = /*#__PURE__*/ _interopNamespace(fs);
+var http__namespace = /*#__PURE__*/ _interopNamespace(http);
+var https__namespace = /*#__PURE__*/ _interopNamespace(https);
+var os__namespace = /*#__PURE__*/ _interopNamespace(os);
+var path__namespace = /*#__PURE__*/ _interopNamespace(path);
+// AUTO-GENERATED from src/hooks/codex-cli-*.ts — do not edit manually. Run pnpm build from the package root to regenerate.
+var AUTH_HEADER = "X-Multicorn-Key";
+var AUDIT_METADATA_MAX_CHARS = 1e4;
+function redactSecretsForAudit(serialized) {
+  let out = serialized;
+  out = out.replace(/\bsk-[a-zA-Z0-9]{20,}\b/g, "[REDACTED]");
+  out = out.replace(/\bAKIA[0-9A-Z]{16}\b/g, "[REDACTED]");
+  out = out.replace(/\bghp_[a-zA-Z0-9]{20,}\b/g, "[REDACTED]");
+  out = out.replace(/\bgho_[a-zA-Z0-9]{20,}\b/g, "[REDACTED]");
+  out = out.replace(/\bghu_[a-zA-Z0-9]{20,}\b/g, "[REDACTED]");
+  out = out.replace(/\bghs_[a-zA-Z0-9]{20,}\b/g, "[REDACTED]");
+  out = out.replace(
+    /-----BEGIN[A-Z0-9 \n\r-]+-----[\s\S]*?-----END[A-Z0-9 \n\r-]+-----/g,
+    "[REDACTED]",
+  );
+  out = out.replace(/token=[^\s"&]+/gi, "token=[REDACTED]");
+  out = out.replace(/\bBearer\s+[a-zA-Z0-9._\-+/=]+\b/gi, "Bearer [REDACTED]");
+  return out;
+}
+function truncateForAudit(serialized, maxChars = AUDIT_METADATA_MAX_CHARS) {
+  if (serialized.length <= maxChars) return serialized;
+  return `${serialized.slice(0, maxChars)}[truncated]`;
+}
+function serializeHookAuditFragment(value) {
+  try {
+    const raw = typeof value === "string" ? value : JSON.stringify(value === void 0 ? null : value);
+    return truncateForAudit(redactSecretsForAudit(raw));
+  } catch {
+    return "[unserializable]";
+  }
+}
+function isLocalHostname(hostname) {
+  const h = hostname.toLowerCase();
+  return h === "localhost" || h === "127.0.0.1" || h === "::1";
+}
+function assertHttpsOrLocalhostForApiKey(u) {
+  if (u.protocol === "http:" && !isLocalHostname(u.hostname)) {
+    throw new Error(`HTTP_API_KEY_REFUSED:${u.hostname}`);
+  }
+}
+function cwdUnderWorkspacePath(cwdResolved, workspacePath) {
+  const w = path__namespace.resolve(workspacePath);
+  if (cwdResolved === w) return true;
+  const prefix = w.endsWith(path__namespace.sep) ? w : w + path__namespace.sep;
+  return cwdResolved.startsWith(prefix);
+}
+function resolveCodexCliAgentName(obj) {
+  const pwd = process.env["PWD"];
+  const cwdRaw = pwd !== void 0 && pwd.length > 0 ? pwd : process.cwd();
+  const agents = obj["agents"];
+  const defaultAgentRaw = obj["defaultAgent"];
+  const defaultAgentName =
+    typeof defaultAgentRaw === "string" && defaultAgentRaw.length > 0 ? defaultAgentRaw : "";
+  if (!Array.isArray(agents)) {
+    return typeof obj["agentName"] === "string" ? obj["agentName"] : "";
+  }
+  const matches = [];
+  for (const entry of agents) {
+    if (entry === null || typeof entry !== "object") continue;
+    const e = entry;
+    if (e["platform"] !== "codex-cli") continue;
+    const n = e["name"];
+    if (typeof n !== "string") continue;
+    const wp = e["workspacePath"];
+    matches.push({
+      name: n,
+      ...(typeof wp === "string" && wp.length > 0 ? { workspacePath: wp } : {}),
+    });
+  }
+  if (matches.length === 0) {
+    return typeof obj["agentName"] === "string" ? obj["agentName"] : "";
+  }
+  const withWs = matches.filter(
+    (m) => typeof m.workspacePath === "string" && m.workspacePath.length > 0,
+  );
+  const resolvedCwd = path__namespace.resolve(cwdRaw);
+  let best = null;
+  let bestLen = -1;
+  for (const m of withWs) {
+    const wp = m.workspacePath;
+    if (!cwdUnderWorkspacePath(resolvedCwd, wp)) continue;
+    const len = path__namespace.resolve(wp).length;
+    if (len > bestLen) {
+      bestLen = len;
+      best = { name: m.name, workspacePath: wp };
+    }
+  }
+  if (best !== null) return best.name;
+  if (defaultAgentName.length > 0) {
+    const d = matches.find((m) => m.name === defaultAgentName);
+    if (d !== void 0) return d.name;
+  }
+  const first = matches[0];
+  return first !== void 0 ? first.name : "";
+}
+function warnIfConfigWorldReadable(configPath) {
+  try {
+    const st = fs__namespace.statSync(configPath);
+    const mode777 = st.mode & 511;
+    if ((st.mode & 63) !== 0) {
+      process.stderr.write(
+        `[Shield] Warning: ~/.multicorn/config.json is readable by other users (current: 0${mode777.toString(8)}). Run: chmod 600 ~/.multicorn/config.json
+`,
+      );
+    }
+  } catch {}
+}
+function loadCodexCliConfig() {
+  try {
+    const configPath = path__namespace.join(os__namespace.homedir(), ".multicorn", "config.json");
+    const raw = fs__namespace.readFileSync(configPath, "utf8");
+    warnIfConfigWorldReadable(configPath);
+    const obj = JSON.parse(raw);
+    const apiKey = typeof obj["apiKey"] === "string" ? obj["apiKey"] : "";
+    const baseUrl =
+      typeof obj["baseUrl"] === "string" && obj["baseUrl"].length > 0
+        ? obj["baseUrl"].replace(/\/+$/, "")
+        : "https://api.multicorn.ai";
+    const agentName = resolveCodexCliAgentName(obj);
+    return { apiKey, baseUrl, agentName };
+  } catch {
+    return null;
+  }
+}
+function formatShieldNetworkError(err) {
+  const debugEnv = process.env["MULTICORN_DEBUG"];
+  const debug = debugEnv === "1" || debugEnv === "true" || debugEnv === "yes";
+  let line =
+    "[Shield] Error: failed to connect to Shield API. Check your network and baseUrl configuration.\n";
+  if (debug && err instanceof Error && err.message.length > 0) {
+    line += `  Debug: ${err.message}
+`;
+  }
+  return line;
+}
+function formatHttpApiKeyRefusal(hostname) {
+  return `[Shield] Error: refusing to send API key over unencrypted HTTP to ${hostname}. Use HTTPS or localhost.
+`;
+}
+function readHttpApiKeyRefusalHostname(err) {
+  if (!(err instanceof Error) || !err.message.startsWith("HTTP_API_KEY_REFUSED:")) {
+    return null;
+  }
+  return err.message.slice("HTTP_API_KEY_REFUSED:".length);
+}
+async function shieldGetJson(baseUrl, apiKey, reqPath) {
+  const root = baseUrl.replace(/\/+$/, "");
+  const p = reqPath.startsWith("/") ? reqPath : `/${reqPath}`;
+  const u = new URL(`${root}${p}`);
+  assertHttpsOrLocalhostForApiKey(u);
+  const isHttps = u.protocol === "https:";
+  const lib = isHttps ? https__namespace : http__namespace;
+  const port = u.port !== "" ? Number(u.port) : isHttps ? 443 : 80;
+  return await new Promise((resolve2, reject) => {
+    const options = {
+      hostname: u.hostname,
+      port,
+      path: u.pathname + u.search,
+      method: "GET",
+      headers: {
+        [AUTH_HEADER]: apiKey,
+      },
+    };
+    const req = lib.request(options, (res) => {
+      const chunks = [];
+      res.on("data", (c) => chunks.push(c));
+      res.on("end", () => {
+        resolve2({
+          statusCode: res.statusCode ?? 0,
+          bodyText: Buffer.concat(chunks).toString("utf8"),
+        });
+      });
+    });
+    req.on("error", reject);
+    req.end();
+  });
+}
+async function shieldPostJson(baseUrl, apiKey, bodyObj) {
+  const root = baseUrl.replace(/\/+$/, "");
+  const u = new URL(`${root}/api/v1/actions`);
+  assertHttpsOrLocalhostForApiKey(u);
+  const payload = JSON.stringify(bodyObj);
+  const isHttps = u.protocol === "https:";
+  const lib = isHttps ? https__namespace : http__namespace;
+  const port = u.port !== "" ? Number(u.port) : isHttps ? 443 : 80;
+  return await new Promise((resolve2, reject) => {
+    const options = {
+      hostname: u.hostname,
+      port,
+      path: u.pathname + u.search,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload, "utf8"),
+        [AUTH_HEADER]: apiKey,
+      },
+    };
+    const req = lib.request(options, (res) => {
+      const chunks = [];
+      res.on("data", (c) => chunks.push(c));
+      res.on("end", () => {
+        resolve2({
+          statusCode: res.statusCode ?? 0,
+          bodyText: Buffer.concat(chunks).toString("utf8"),
+        });
+      });
+    });
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+  });
+}
+async function shieldPostJsonFireAndForget(baseUrl, apiKey, bodyObj) {
+  await shieldPostJson(baseUrl, apiKey, bodyObj);
+}
+exports.AUTH_HEADER = AUTH_HEADER;
+exports.assertHttpsOrLocalhostForApiKey = assertHttpsOrLocalhostForApiKey;
+exports.cwdUnderWorkspacePath = cwdUnderWorkspacePath;
+exports.formatHttpApiKeyRefusal = formatHttpApiKeyRefusal;
+exports.formatShieldNetworkError = formatShieldNetworkError;
+exports.isLocalHostname = isLocalHostname;
+exports.loadCodexCliConfig = loadCodexCliConfig;
+exports.readHttpApiKeyRefusalHostname = readHttpApiKeyRefusalHostname;
+exports.redactSecretsForAudit = redactSecretsForAudit;
+exports.resolveCodexCliAgentName = resolveCodexCliAgentName;
+exports.serializeHookAuditFragment = serializeHookAuditFragment;
+exports.shieldGetJson = shieldGetJson;
+exports.shieldPostJson = shieldPostJson;
+exports.shieldPostJsonFireAndForget = shieldPostJsonFireAndForget;
+exports.truncateForAudit = truncateForAudit;
+exports.warnIfConfigWorldReadable = warnIfConfigWorldReadable;

package/plugins/codex-cli/hooks/scripts/codex-cli-tool-map.cjs ADDED Viewed

@@ -0,0 +1,151 @@
+"use strict";
+// AUTO-GENERATED from src/hooks/codex-cli-*.ts — do not edit manually. Run pnpm build from the package root to regenerate.
+// src/openclaw/tool-mapper.ts
+var TOOL_MAP = {
+  // OpenClaw built-in tools
+  read: { service: "filesystem", permissionLevel: "read" },
+  write: { service: "filesystem", permissionLevel: "write" },
+  edit: { service: "filesystem", permissionLevel: "write" },
+  exec: { service: "terminal", permissionLevel: "execute" },
+  browser: { service: "browser", permissionLevel: "execute" },
+  message: { service: "messaging", permissionLevel: "write" },
+  process: { service: "terminal", permissionLevel: "execute" },
+  sessions_spawn: { service: "agents", permissionLevel: "execute" },
+  // Common integration tools (MCP servers, skills, etc.)
+  // Gmail
+  gmail: { service: "gmail", permissionLevel: "execute" },
+  gmail_send: { service: "gmail", permissionLevel: "write" },
+  gmail_read: { service: "gmail", permissionLevel: "read" },
+  // Google Calendar
+  google_calendar: { service: "google_calendar", permissionLevel: "execute" },
+  calendar: { service: "google_calendar", permissionLevel: "execute" },
+  calendar_create: { service: "google_calendar", permissionLevel: "write" },
+  calendar_read: { service: "google_calendar", permissionLevel: "read" },
+  // Google Drive
+  google_drive: { service: "google_drive", permissionLevel: "execute" },
+  drive: { service: "google_drive", permissionLevel: "execute" },
+  drive_read: { service: "google_drive", permissionLevel: "read" },
+  drive_write: { service: "google_drive", permissionLevel: "write" },
+  // Slack
+  slack: { service: "slack", permissionLevel: "execute" },
+  slack_send: { service: "slack", permissionLevel: "write" },
+  slack_read: { service: "slack", permissionLevel: "read" },
+  slack_message: { service: "slack", permissionLevel: "write" },
+  // Payments
+  payments: { service: "payments", permissionLevel: "write" },
+  payment: { service: "payments", permissionLevel: "write" },
+  stripe: { service: "payments", permissionLevel: "write" },
+};
+function mapToolToScope(toolName, command) {
+  const normalized = toolName.trim().toLowerCase();
+  if (normalized.length === 0) {
+    return { service: "unknown", permissionLevel: "execute" };
+  }
+  const known = TOOL_MAP[normalized];
+  if (known !== void 0) {
+    return known;
+  }
+  const integrationPrefixes = {
+    gmail: "gmail",
+    google_calendar: "google_calendar",
+    calendar: "google_calendar",
+    google_drive: "google_drive",
+    drive: "google_drive",
+    slack: "slack",
+    payments: "payments",
+    payment: "payments",
+    stripe: "payments",
+  };
+  for (const [prefix, service] of Object.entries(integrationPrefixes)) {
+    if (normalized.startsWith(prefix + "_") || normalized === prefix) {
+      let permissionLevel = "execute";
+      if (
+        normalized.includes("_read") ||
+        normalized.includes("_get") ||
+        normalized.includes("_list")
+      ) {
+        permissionLevel = "read";
+      } else if (
+        normalized.includes("_write") ||
+        normalized.includes("_send") ||
+        normalized.includes("_create") ||
+        normalized.includes("_update") ||
+        normalized.includes("_delete")
+      ) {
+        permissionLevel = "write";
+      }
+      return { service, permissionLevel };
+    }
+  }
+  return { service: normalized, permissionLevel: "execute" };
+}
+function isKnownTool(toolName) {
+  return Object.hasOwn(TOOL_MAP, toolName.trim().toLowerCase());
+}
+// src/hooks/codex-cli-tool-map.ts
+var CODEX_DESTRUCTIVE_KEYWORDS = ["rm", "mv", "sudo", "chmod", "chown", "dd", "truncate", "shred"];
+function escapeRegExp(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function destructiveTokenRegex(keyword) {
+  const e = escapeRegExp(keyword);
+  return new RegExp(`(^|[^a-zA-Z0-9_])${e}(?![a-zA-Z0-9_-])`, "i");
+}
+function codexIsDestructiveExecCommand(command) {
+  const trimmed = command.trim();
+  if (/^\s*echo\b/i.test(trimmed) && !/[;&|]/.test(trimmed)) {
+    return false;
+  }
+  const withoutQuotes = trimmed.replace(/'[^']*'/g, " ").replace(/"([^"\\]|\\.)*"/g, " ");
+  const normalized = withoutQuotes.toLowerCase();
+  return CODEX_DESTRUCTIVE_KEYWORDS.some((kw) => destructiveTokenRegex(kw).test(normalized));
+}
+function extractExecCommand(toolInput) {
+  if (toolInput === void 0 || toolInput === null) {
+    return void 0;
+  }
+  if (typeof toolInput === "object") {
+    const o = toolInput;
+    const c = o["command"];
+    if (typeof c === "string") {
+      return c;
+    }
+  }
+  if (typeof toolInput === "string") {
+    try {
+      return extractExecCommand(JSON.parse(toolInput));
+    } catch {
+      return toolInput;
+    }
+  }
+  return void 0;
+}
+function mapCodexCliToolToShield(toolName, toolInput) {
+  const n = toolName.trim().toLowerCase();
+  if (n.length === 0) {
+    return { service: "unknown", actionType: "execute" };
+  }
+  if (n === "bash") {
+    const cmd = extractExecCommand(toolInput);
+    if (cmd !== void 0 && codexIsDestructiveExecCommand(cmd)) {
+      return { service: "terminal", actionType: "write" };
+    }
+    return { service: "terminal", actionType: "execute" };
+  }
+  if (n === "apply_patch" || n === "edit" || n === "write") {
+    return { service: "filesystem", actionType: "write" };
+  }
+  const scope = mapToolToScope(n);
+  let actionType = scope.permissionLevel;
+  if (!isKnownTool(n) && actionType === "execute") {
+    actionType = "write";
+  }
+  return { service: scope.service, actionType };
+}
+exports.codexIsDestructiveExecCommand = codexIsDestructiveExecCommand;
+exports.extractExecCommand = extractExecCommand;
+exports.mapCodexCliToolToShield = mapCodexCliToolToShield;

package/plugins/codex-cli/hooks/scripts/post-tool-use.cjs ADDED Viewed

@@ -0,0 +1,95 @@
+"use strict";
+var codexCliHooksShared_js = require("./codex-cli-hooks-shared.cjs");
+var codexCliToolMap_js = require("./codex-cli-tool-map.cjs");
+// AUTO-GENERATED from src/hooks/codex-cli-*.ts — do not edit manually. Run pnpm build from the package root to regenerate.
+function readStdin() {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    process.stdin.setEncoding("utf8");
+    process.stdin.on("data", (c) => chunks.push(c));
+    process.stdin.on("end", () => {
+      resolve(chunks.join(""));
+    });
+    process.stdin.on("error", reject);
+  });
+}
+async function main() {
+  let raw;
+  try {
+    raw = await readStdin();
+  } catch {
+    process.exit(0);
+  }
+  const config = codexCliHooksShared_js.loadCodexCliConfig();
+  if (config === null || config.apiKey.length === 0 || config.agentName.length === 0) {
+    process.exit(0);
+  }
+  let hookPayload;
+  try {
+    hookPayload = JSON.parse(raw.length > 0 ? raw : "{}");
+  } catch {
+    process.exit(0);
+  }
+  const toolNameRaw =
+    (typeof hookPayload["tool_name"] === "string" && hookPayload["tool_name"]) || "";
+  const toolInput = hookPayload["tool_input"] !== void 0 ? hookPayload["tool_input"] : void 0;
+  const toolResult =
+    hookPayload["tool_response"] !== void 0
+      ? hookPayload["tool_response"]
+      : hookPayload["tool_result"] !== void 0
+        ? hookPayload["tool_result"]
+        : void 0;
+  try {
+    void (typeof toolInput === "string"
+      ? toolInput
+      : JSON.stringify(toolInput === void 0 ? null : toolInput));
+    void (typeof toolResult === "string"
+      ? toolResult
+      : JSON.stringify(toolResult === void 0 ? null : toolResult));
+  } catch {
+    process.exit(0);
+  }
+  const { service, actionType } = codexCliToolMap_js.mapCodexCliToolToShield(
+    toolNameRaw,
+    toolInput,
+  );
+  const metadata = {
+    tool_name: toolNameRaw,
+    tool_input: codexCliHooksShared_js.serializeHookAuditFragment(toolInput),
+    tool_result: codexCliHooksShared_js.serializeHookAuditFragment(toolResult),
+    source: "codex-cli",
+  };
+  const payload = {
+    agent: config.agentName,
+    service,
+    actionType,
+    status: "approved",
+    metadata,
+    platform: "codex-cli",
+  };
+  try {
+    await codexCliHooksShared_js.shieldPostJson(config.baseUrl, config.apiKey, payload);
+  } catch (e) {
+    const refusedHost = codexCliHooksShared_js.readHttpApiKeyRefusalHostname(e);
+    if (refusedHost !== null) {
+      process.stderr.write(codexCliHooksShared_js.formatHttpApiKeyRefusal(refusedHost));
+      process.exit(0);
+    }
+    process.stderr.write("[Shield] Warning: failed to send logs to Shield.\n");
+    process.stderr.write(codexCliHooksShared_js.formatShieldNetworkError(e));
+  }
+  process.exit(0);
+}
+main().catch((e) => {
+  const refusedHost = codexCliHooksShared_js.readHttpApiKeyRefusalHostname(e);
+  if (refusedHost !== null) {
+    process.stderr.write(codexCliHooksShared_js.formatHttpApiKeyRefusal(refusedHost));
+    process.exit(0);
+  }
+  process.stderr.write("[Shield] Warning: failed to send logs to Shield.\n");
+  process.stderr.write(codexCliHooksShared_js.formatShieldNetworkError(e));
+  process.exit(0);
+});

package/plugins/codex-cli/hooks/scripts/pre-tool-use.cjs ADDED Viewed

@@ -0,0 +1,392 @@
+"use strict";
+var child_process = require("child_process");
+var fs = require("fs");
+var os = require("os");
+var path = require("path");
+var codexCliHooksShared_js = require("./codex-cli-hooks-shared.cjs");
+var codexCliToolMap_js = require("./codex-cli-tool-map.cjs");
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== "default") {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(
+          n,
+          k,
+          d.get
+            ? d
+            : {
+                enumerable: true,
+                get: function () {
+                  return e[k];
+                },
+              },
+        );
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+var fs__namespace = /*#__PURE__*/ _interopNamespace(fs);
+var os__namespace = /*#__PURE__*/ _interopNamespace(os);
+var path__namespace = /*#__PURE__*/ _interopNamespace(path);
+// AUTO-GENERATED from src/hooks/codex-cli-*.ts — do not edit manually. Run pnpm build from the package root to regenerate.
+var FAST_POLL =
+  process.env["NODE_ENV"] === "test" &&
+  process.env["MULTICORN_SHIELD_PRE_HOOK_TEST_FAST_POLL"] === "1";
+var POLL_INTERVAL_MS = FAST_POLL ? 1 : 3e3;
+var MAX_APPROVAL_POLLS = FAST_POLL ? 3 : 100;
+function readStdin() {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    process.stdin.setEncoding("utf8");
+    process.stdin.on("data", (c) => chunks.push(c));
+    process.stdin.on("end", () => {
+      resolve(chunks.join(""));
+    });
+    process.stdin.on("error", reject);
+  });
+}
+function dashboardOrigin(apiBaseUrl) {
+  try {
+    const raw = apiBaseUrl.replace(/\/+$/, "");
+    const lower = raw.toLowerCase();
+    if (lower.includes("localhost:8080") || lower.includes("127.0.0.1:8080")) {
+      return "http://localhost:5173";
+    }
+    const u = new URL(raw);
+    if (u.hostname.startsWith("api.")) {
+      u.hostname = "app." + u.hostname.slice(4);
+    }
+    return u.origin;
+  } catch {
+    return "https://app.multicorn.ai";
+  }
+}
+function dashboardHintUrl(apiBaseUrl) {
+  return `${dashboardOrigin(apiBaseUrl)}/approvals`;
+}
+function consentUrl(apiBaseUrl, agentName, service, actionType) {
+  const origin = dashboardOrigin(apiBaseUrl);
+  const params = new URLSearchParams();
+  params.set("agent", agentName);
+  params.set("scopes", `${service}:${actionType}`);
+  params.set("platform", "codex-cli");
+  return `${origin}/consent?${params.toString()}`;
+}
+function safeJsonParse(text) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+function unwrapData(body) {
+  if (typeof body !== "object" || body === null) return null;
+  const o = body;
+  return o["success"] === true ? o["data"] : null;
+}
+function denyViaStdout(reason) {
+  const response = JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: "PreToolUse",
+      permissionDecision: "deny",
+      permissionDecisionReason: reason,
+    },
+  });
+  process.stdout.write(response + "\n");
+}
+function blockedReason(data, service, actionType, approvalsUrl) {
+  if (data !== null && typeof data === "object") {
+    const d = data;
+    const meta = d["metadata"];
+    if (typeof meta === "string" && meta.length > 0) {
+      try {
+        const parsed = JSON.parse(meta);
+        if (parsed !== null && typeof parsed === "object" && "block_reason" in parsed) {
+          const br = parsed["block_reason"];
+          if (typeof br === "string" && br.length > 0) {
+            return `Shield blocked: ${br}. Grant access at ${approvalsUrl}`;
+          }
+        }
+      } catch {}
+    }
+  }
+  return `Shield blocked this tool call. Required permission: ${service} (${actionType}). Grant access at ${approvalsUrl}`;
+}
+function consentMarkerPath(agentName) {
+  const safe = agentName.replace(/[^a-zA-Z0-9_-]/g, "_");
+  return path__namespace.join(os__namespace.homedir(), ".multicorn", `.consent-${safe}`);
+}
+function hasConsentMarker(agentName) {
+  try {
+    fs__namespace.accessSync(consentMarkerPath(agentName));
+    return true;
+  } catch {
+    return false;
+  }
+}
+function writeConsentMarker(agentName) {
+  try {
+    const marker = consentMarkerPath(agentName);
+    fs__namespace.mkdirSync(path__namespace.dirname(marker), { recursive: true });
+    fs__namespace.writeFileSync(marker, String(Date.now()), "utf8");
+  } catch {}
+}
+function removeConsentMarker(agentName) {
+  try {
+    fs__namespace.unlinkSync(consentMarkerPath(agentName));
+  } catch {}
+}
+function openBrowser(url) {
+  try {
+    if (process.platform === "win32") {
+      child_process.execSync(`start "" ${JSON.stringify(url)}`, {
+        shell: process.env["ComSpec"] ?? "cmd.exe",
+        stdio: "ignore",
+        windowsHide: true,
+      });
+    } else if (process.platform === "darwin") {
+      child_process.execFileSync("open", [url], { stdio: "ignore" });
+    } else {
+      child_process.execFileSync("xdg-open", [url], { stdio: "ignore" });
+    }
+  } catch {}
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function pollApprovalStatus(config, approvalId) {
+  let lastProgressWrite = Date.now();
+  for (let i = 0; i < MAX_APPROVAL_POLLS; i++) {
+    if (i > 0) {
+      await sleep(POLL_INTERVAL_MS);
+    }
+    const now = Date.now();
+    if (now - lastProgressWrite >= 3e4) {
+      process.stderr.write(
+        "[Shield] Waiting for approval... (open the consent screen in your browser)\n",
+      );
+      lastProgressWrite = now;
+    }
+    let statusCode;
+    let bodyText;
+    try {
+      const res = await codexCliHooksShared_js.shieldGetJson(
+        config.baseUrl,
+        config.apiKey,
+        `/api/v1/approvals/${approvalId}`,
+      );
+      statusCode = res.statusCode;
+      bodyText = res.bodyText;
+    } catch (e) {
+      const refusedHost = codexCliHooksShared_js.readHttpApiKeyRefusalHostname(e);
+      if (refusedHost !== null) {
+        process.stderr.write(codexCliHooksShared_js.formatHttpApiKeyRefusal(refusedHost));
+        process.exit(2);
+      }
+      continue;
+    }
+    if (statusCode < 200 || statusCode >= 300) {
+      continue;
+    }
+    const parsed = safeJsonParse(bodyText);
+    const data = unwrapData(parsed);
+    if (data === null || typeof data !== "object") {
+      continue;
+    }
+    const d = data;
+    const statusRaw = d["status"];
+    const st = (typeof statusRaw === "string" ? statusRaw : "").toLowerCase();
+    if (st === "approved") {
+      return true;
+    }
+    if (st === "blocked" || st === "denied" || st === "rejected") {
+      const reasonRaw = d["reason"];
+      const reason =
+        typeof reasonRaw === "string" && reasonRaw.length > 0 ? reasonRaw : "Approval denied.";
+      denyViaStdout(`Shield denied this approval request: ${reason}`);
+      process.exit(0);
+    }
+    if (st === "expired") {
+      denyViaStdout(
+        "Shield approval request expired. Retry the tool call and complete approval when prompted.",
+      );
+      process.exit(0);
+    }
+    if (st === "pending") {
+      continue;
+    }
+  }
+  return false;
+}
+async function handlePendingWithConsentAndPoll(
+  config,
+  approvalId,
+  service,
+  actionType,
+  approvalsUrl,
+) {
+  if (hasConsentMarker(config.agentName)) {
+    process.stderr.write(
+      `[Shield] Waiting for approval (up to 5 min)...
+  Approve in the Shield dashboard: ${approvalsUrl}
+`,
+    );
+    const approved2 = await pollApprovalStatus(config, approvalId);
+    if (approved2) {
+      process.exit(0);
+    }
+    removeConsentMarker(config.agentName);
+    denyViaStdout(
+      `Shield approval timed out after 5 minutes. Approve at ${approvalsUrl} and retry.`,
+    );
+    process.exit(0);
+  }
+  const url = consentUrl(config.baseUrl, config.agentName, service, actionType);
+  writeConsentMarker(config.agentName);
+  openBrowser(url);
+  process.stderr.write(
+    "[Shield] Opening Shield consent screen... Waiting for approval (up to 5 min).\n",
+  );
+  const approved = await pollApprovalStatus(config, approvalId);
+  if (approved) {
+    process.exit(0);
+  }
+  denyViaStdout(`Shield approval timed out after 5 minutes. Approve at ${approvalsUrl} and retry.`);
+  process.exit(0);
+}
+async function main() {
+  let raw;
+  try {
+    raw = await readStdin();
+  } catch {
+    process.stderr.write("[Shield] Warning: could not read stdin. Allowing tool.\n");
+    process.exit(0);
+  }
+  const config = codexCliHooksShared_js.loadCodexCliConfig();
+  if (config === null) {
+    process.exit(0);
+  }
+  if (config.apiKey.length === 0 || config.agentName.length === 0) {
+    process.exit(0);
+  }
+  let hookPayload;
+  try {
+    hookPayload = JSON.parse(raw.length > 0 ? raw : "{}");
+  } catch {
+    process.stderr.write("[Shield] Warning: invalid hook JSON. Allowing tool.\n");
+    process.exit(0);
+  }
+  const toolNameRaw =
+    (typeof hookPayload["tool_name"] === "string" && hookPayload["tool_name"]) || "";
+  const toolInput = hookPayload["tool_input"] !== void 0 ? hookPayload["tool_input"] : void 0;
+  try {
+    void (typeof toolInput === "string"
+      ? toolInput
+      : JSON.stringify(toolInput === void 0 ? null : toolInput));
+  } catch {
+    process.stderr.write("[Shield] Warning: could not serialize tool input. Allowing tool.\n");
+    process.exit(0);
+  }
+  const { service, actionType } = codexCliToolMap_js.mapCodexCliToolToShield(
+    toolNameRaw,
+    toolInput,
+  );
+  const approvalsUrl = dashboardHintUrl(config.baseUrl);
+  const metadata = {
+    tool_name: toolNameRaw,
+    tool_input: codexCliHooksShared_js.serializeHookAuditFragment(toolInput),
+    source: "codex-cli",
+  };
+  const payload = {
+    agent: config.agentName,
+    service,
+    actionType,
+    status: "pending",
+    metadata,
+    platform: "codex-cli",
+  };
+  let statusCode;
+  let bodyText;
+  try {
+    const res = await codexCliHooksShared_js.shieldPostJson(config.baseUrl, config.apiKey, payload);
+    statusCode = res.statusCode;
+    bodyText = res.bodyText;
+  } catch (e) {
+    const refusedHost = codexCliHooksShared_js.readHttpApiKeyRefusalHostname(e);
+    if (refusedHost !== null) {
+      process.stderr.write(codexCliHooksShared_js.formatHttpApiKeyRefusal(refusedHost));
+      process.exit(2);
+    }
+    process.stderr.write(codexCliHooksShared_js.formatShieldNetworkError(e));
+    process.exit(2);
+  }
+  const parsed = safeJsonParse(bodyText);
+  const data = unwrapData(parsed);
+  if (statusCode === 202) {
+    if (data === null || typeof data !== "object") {
+      denyViaStdout("This action needs approval in the Shield dashboard before it can run.");
+      process.exit(0);
+    }
+    const approvalIdRaw = data["approval_id"];
+    const approvalId = typeof approvalIdRaw === "string" ? approvalIdRaw : "";
+    if (approvalId.length === 0) {
+      denyViaStdout("This action needs approval in the Shield dashboard before it can run.");
+      process.exit(0);
+    }
+    await handlePendingWithConsentAndPoll(config, approvalId, service, actionType, approvalsUrl);
+    return;
+  }
+  if (statusCode === 201) {
+    if (data === null || typeof data !== "object") {
+      const detail = bodyText.length > 500 ? `${bodyText.slice(0, 500)}...` : bodyText;
+      process.stderr.write(
+        `[Shield] Error: unexpected Shield response, cannot verify permissions.
+  Detail: ${detail}
+`,
+      );
+      process.exit(2);
+    }
+    const dataObj = data;
+    const statusRaw = dataObj["status"];
+    const st = (typeof statusRaw === "string" ? statusRaw : "").toLowerCase();
+    if (st === "approved") {
+      process.exit(0);
+    }
+    if (st === "blocked") {
+      denyViaStdout(blockedReason(data, service, actionType, approvalsUrl));
+      process.exit(0);
+    }
+    process.stderr.write(
+      `[Shield] Error: ambiguous Shield status, cannot verify permissions.
+  Detail: status=${JSON.stringify(dataObj["status"])}
+`,
+    );
+    process.exit(2);
+  }
+  const httpDetail = bodyText.length > 300 ? `${bodyText.slice(0, 300)}...` : bodyText;
+  process.stderr.write(
+    `[Shield] Error: Shield returned HTTP ${String(statusCode)}, cannot verify permissions.
+  Detail: HTTP ${String(statusCode)} body=${httpDetail}
+`,
+  );
+  process.exit(2);
+}
+main().catch((e) => {
+  const refusedHost = codexCliHooksShared_js.readHttpApiKeyRefusalHostname(e);
+  if (refusedHost !== null) {
+    process.stderr.write(codexCliHooksShared_js.formatHttpApiKeyRefusal(refusedHost));
+    process.exit(2);
+  }
+  process.stderr.write(codexCliHooksShared_js.formatShieldNetworkError(e));
+  process.exit(2);
+});