Multicorn Shield Changelog
Everything that shipped in each release of the Shield SDK. New features, fixes, and security updates. All in one place.
Changed
- CLI "Try it" prompt matches dashboard example: "Use the {agent} MCP server to list my GitHub repositories"
Fixed
- CLI "Try it" prompt now suggests a real tool call instead of metadata discovery
- Duplicate "Add a new agent alongside these" menu option removed
Changed
- Codex CLI hosted proxy next-steps updated: "Restart Codex CLI to load the new MCP server config"
- Added copy-pasteable "Try it out" prompt to Codex CLI hosted proxy next-steps
Fixed
- Double "Bearer" prefix in Codex CLI hosted proxy TOML snippet (was outputting `Bearer Bearer mcs_...`)
- Codex CLI hosted proxy now auto-writes MCP server config to `~/.codex/config.toml` instead of asking users to paste manually
- PreToolUse hook now prints the consent/approval URL to stderr so users know where to approve
Fixed
- Codex CLI hosted proxy snippet uses `http_headers` with inline API key instead of `bearer_token_env_var` (no env var setup needed)
- Removed "Set MULTICORN_API_KEY environment variable" instruction from hosted proxy next-steps
- Added `/mcp` verification step to Codex CLI hosted proxy next-steps
Fixed
- Include `plugins/codex-cli` in published npm package (missing from `files` in package.json)
Fixed
- Include `plugins/codex-cli` in published npm package (missing from `files` in package.json)
Added
- OpenAI Codex CLI as a supported platform (native hooks + hosted proxy)
- Codex CLI hook scripts (PreToolUse, PostToolUse) for terminal command interception
- Codex CLI agent resolution and tool name mapping
- CLI wizard support for Codex CLI: native plugin install and hosted proxy TOML snippet
- `plugins/codex-cli/README.md` documenting hook script build and test workflow
Changed
- Error message prefix shortened from `[multicorn-shield]` to `[Shield]`
- "Audit trail" terminology replaced with "record the action" in user-facing messages
Fixed
- Codex config.toml feature flag updated from deprecated `codex_hooks` to `hooks`
- Config.toml migration: init now detects and replaces deprecated `codex_hooks` flag automatically
- Hook scripts reject plaintext HTTP for non-localhost API calls
- Config file permission warning when `~/.multicorn/config.json` is readable by other users
- Destructive command detection uses word-boundary matching instead of substring includes
- Unknown tool names default to restrictive `write` permission level instead of `execute`
- Audit log payloads size-bounded and secret patterns redacted before transmission
- Error messages sanitised: internal details hidden unless `MULTICORN_DEBUG` is set
- Test-mode polling escape hatch removed from production hook scripts
- Shared utility module extracted to eliminate duplication between hook scripts
Added
- OpenCode as a supported platform (native plugin + hosted proxy paths)
- Native Shield plugin for OpenCode (`plugins/opencode/multicorn-shield.ts`) using `tool.execute.before`/`tool.execute.after` hooks for permission checks and audit logging
- OpenCode in CLI init wizard with native plugin and hosted proxy integration modes
- Tool name mapping for OpenCode built-in tools (`bash`, `read`, `write`, `edit`, `apply_patch`, `glob`, `grep`, `list`, `webfetch`, `websearch`)
- Shell reload hint in CLI native plugin output for freshly installed tools
- `'opencode'` to `AGENT_PLATFORM_SLUGS`
Changed
- Add runtime dependency on [`yaml`](https://www.npmjs.com/package/yaml) (ISC) for safe Goose `config.yaml` read/write in the hosted-proxy CLI path
- GitHub Copilot: CLI auto-writes config to `.vscode/mcp.json`
- Kilo Code: CLI writes to `.kilo/kilo.jsonc` with correct format (`mcp` key, `type: remote`)
- Continue: CLI writes YAML to `.continue/mcpServers/<name>.yaml` in workspace root
- Goose: CLI auto-writes to `~/.config/goose/config.yaml`
~/.config/goose/config.yaml - All hosted proxy platforms: Next Steps includes where to verify connection and example prompt
- Claude Desktop removed from hosted proxy platform list (consent URL not clickable)
Fixed
- Agent name now uses user-provided short name instead of auto-generated default
- Goose config snippet uses `uri` instead of incorrect `url`
- Replace flow deduplicates agent list loaded from config on startup
Added
- Claude Code promotion note when selecting Cursor in the CLI
- Example usage prompt in CLI "Next steps" output
- `--version` flag prints version number and exits
- Consent-required errors now display a clear multi-line message with the approval URL on its own line
Changed
- Auth prompt detects token pasted at the y/N confirmation and treats it as the token value directly
- Single-item arrow select skips the interactive picker and selects immediately
- Blocked response message reformatted for clarity
Fixed
- Hosted proxy blocks `.well-known` OAuth discovery probes to prevent `mcp-remote` entering OAuth mode
Changed
- Upstream auth prompt accepts a raw API token (`Bearer` added automatically) or a full Authorization-style value (`Bearer`, `Basic`, `Token`, `ApiKey` prefixes are passed through unchanged)
Fixed
- CLI replace flow no longer shows duplicate agent entries
Added
- Hosted proxy wizard now prompts for upstream MCP server authentication (header name and value) when the target server requires credentials
- Helpful examples shown during hosted proxy setup: common MCP server URLs (GitHub, Supabase, Atlassian, Stripe) with links to where to find tokens
- Upstream auth headers are stored encrypted and forwarded by the proxy to the target MCP server on every request
Changed
- Target MCP server URL prompt now shows common examples instead of a generic placeholder
- "govern" replaced with "control" in all user-facing copy
- "upstream auth" replaced with "server credentials" in all user-facing copy
Fixed
- Hosted proxy connections to MCP servers requiring authentication (e.g. GitHub, Supabase) now work end-to-end - previously the proxy forwarded requests without credentials
Fixed
- Hosted proxy URLs now embed the API key as a query parameter fallback for MCP clients that don't send static Authorization headers (fixes Cursor, Claude Desktop, and other clients that ignore the headers config during discovery)
Fixed
- Replace flow no longer shows duplicate agent names (deduplication fix from 1.3.4 was incomplete)
Added
- Claude model recommendation note shown when selecting Cursor or GitHub Copilot in the wizard
Fixed
- Hosted proxy wizard now auto-writes MCP server config to platform config files instead of showing paste-only snippets (Cursor, Claude Desktop, Windsurf, Cline, Gemini CLI)
- Claude Desktop config snippet now uses mcp-remote bridge format (url + headers format not supported by Claude Desktop)
- Replace flow no longer shows duplicate agent names when agent exists in both local config and account API
- Replace flow name prompt now defaults to the selected agent's name instead of the generic platform default
Added
- Print signup URL and API key instructions before the key prompt in the CLI wizard for new users who don't yet have an account.
- Print dashboard URL at the end of the CLI wizard setup summary.
- Log a one-time "First action recorded" message with dashboard link on the first approved action in both the MCP proxy and OpenClaw plugin.
Fixed
- Pass action cost (USD) to the backend when logging approved and spending-blocked actions via the MCP proxy. Previously cost was computed locally for spending-limit checks but never sent to the API, causing all agent spend totals to show $0.
- Add optional `cost` field to `ActionLogPayload` in `shield-client.ts` so OpenClaw plugin callers can include cost when it becomes available upstream.
- Sanitise cost values extracted from tool arguments before logging (reject negative, NaN, Infinity, and values exceeding $1M).
Fixed
- Consent screen not opening for re-created agents with the same name (stale consent marker now cleared on polling timeout)
- One-time approvals not working in Claude Code and Windsurf hooks (hook now polls approval status instead of immediately blocking when consent marker exists)
Added
- Agents now remember which project directory they were set up in - running `init` from different repos creates separate agents on the same platform (e.g. one Cursor agent per project)
- When a platform already has agents registered, the wizard offers to replace a specific one, add a new agent alongside them, or skip to another platform
- If the current directory already has an agent for the selected platform, the wizard detects it and offers a targeted replace prompt
- Default agent names now include the project folder (e.g. `multicorn-dashboard-cursor` instead of `cursor`)
- Extracted Claude Code tool-to-Shield mapping into dedicated module (`src/hooks/claude-code-tool-map.ts`), exported as CommonJS for hook scripts
- Updated plugin hook scripts to v1.2.0
- After API key validation, `init` may warn when the installed `multicorn-shield` is older than the version published on npm (fetch errors are ignored)
Changed
- Claude Code path in `init` writes PreToolUse and PostToolUse command hooks to `~/.claude/settings.json` (script paths resolve via the installed `multicorn-shield` package). Marketplace and `claude plugin install` steps were removed from the wizard
- "Next steps" after setup complete only lists how to start or restart each platform (no repeated paste-into-file instructions)
- Agent resolution now picks the most specific workspace match when multiple agents share a platform - falls back to the original behaviour for existing setups
- Native hook scripts (Cline, Claude Code, Windsurf, Gemini CLI) use workspace-aware agent resolution. Claude Code hooks use `PWD` when set, then longest matching `workspacePath`, then `defaultAgent`, then the first `claude-code` agent
- Replacing an agent no longer removes all agents for that platform - only the specific one being replaced
Fixed
- Stripe/payment tools incorrectly classified as `execute` instead of `write` in tool mapper
- If the old Claude Code plugin is still installed, `init` prints a note that hooks now live in `settings.json` and suggests `claude plugin uninstall multicorn-shield@multicorn-shield`
Added
- Kilo Code as a hosted proxy platform
- GitHub Copilot as a hosted proxy platform
- Continue as a hosted proxy platform
- Goose as a hosted proxy platform
- Claude Desktop as a hosted proxy platform
- Prereq check step in CLI wizard for all hosted proxy platforms
- Platform filter and search in dashboard platform select
Changed
- GitHub Copilot moved from native plugin to hosted proxy section in CLI wizard
- Kilo Code config snippet now includes `"type": "streamable-http"`
- Goose config snippet uses `"type": "streamable_http"` and `"url"` (SSE deprecated)
- ProxySetup is now a stepped wizard (prereq check, OS selection, proxy form, snippet, completion)
- Short name prompt removed from CLI wizard (uses agent name automatically)
Fixed
- Proxy ALLOW_PRIVATE_TARGETS env var not bypassing localhost validation
- Goose prereq URL updated (moved from Block to the Agentic AI Foundation (AAIF))
- Continue prereq URL updated
- ProxySetup form input contrast (WCAG AA fix)
- Governance disclosure now lists all four native plugin platforms
Added
- Gemini CLI native plugin: BeforeTool/AfterTool hook scripts for full governance
- Gemini CLI hosted proxy support with httpUrl config field
- CLI wizard: Gemini CLI platform with native plugin and hosted proxy integration modes
- CLI wizard: platform prerequisite detection (warns if target platform is not installed)
## [X.Y.Z] - YYYY-MM-DD
- Cline native plugin support via PreToolUse/PostToolUse hooks
- Hook scripts for Cline: pre-tool-use.cjs, post-tool-use.cjs, shared.cjs
- Cline plugin README with setup instructions and troubleshooting
- Browser auto-open for consent screen when Shield blocks an action
- Licence headers on all plugin scripts
Changed
- CLI binary renamed from `multicorn-proxy` to `multicorn-shield`. The `multicorn-proxy` command still works but prints a deprecation warning. All user-facing documentation and dashboard references use `npx multicorn-shield`.
- CLI wizard installs Cline hooks to ~/Documents/Cline/Hooks/ (previously ~/Documents/Cline/Rules/Hooks/)
- Cline hook reads toolName field from hook input (Cline v3.81+ sends toolName, not tool)
- Consent flow no longer polls for approval (blocks immediately with consent URL to avoid Cline's 30-second hook timeout)
- Extracted shared utilities (config loading, HTTP, tool mapping) into shared.cjs to eliminate duplication between hooks
- Parameter metadata scrubbed before sending to Shield API (file contents redacted, commands truncated)
- HTTPS enforced for non-local Shield API connections
Security
- Fixed Windows shell injection in openBrowser (replaced execSync with execFileSync)
- Added HTTPS enforcement for non-localhost baseUrl in hook config
- Added parameter and result scrubbing to prevent sensitive data leakage in audit metadata
Added
- `<multicorn-badge>` trust badge web component for embedding in third-party products. Shadow DOM encapsulation, dark/light themes, compact/standard sizes, optional action count display.
- CDN entrypoint (`dist/badge.js`) for single-script-tag embedding: `<script src="https://cdn.multicorn.ai/badge.js" data-agent-id="..."></script>`. Self-contained, no Lit runtime dependency.
- `MulticornBadge` class exported from the main SDK barrel for programmatic usage.
- Shared `shield-tokens.ts` module (`src/shared/`) extracting `SHIELD_COLORS` design tokens for reuse across consent and badge components.
- `size-limit` budget enforcement for `dist/badge.js` at 5 kB gzip (actual ~1.75 kB).
Added
- `requestContentReview()` and supporting types (`ContentReviewResult`, `ContentReviewRequestPayload`, `ContentReviewStatusResponse`) for submitting public-content actions to the Content Review queue and awaiting the human decision.
- `waitForReviewDecision` opt-in flag on `McpAdapterConfig`. When true, the MCP adapter blocks until a human approves or blocks the action (5 minute ceiling) and forwards the call if approved. Default false preserves existing block-fast behaviour.
- Public exports of `requiresContentReview` and `isPublicContentAction` from `src/scopes/content-review-detector.ts`.
- SDK-side mapping of backend `PLAN_TIER_INSUFFICIENT` responses to a distinct `plan_tier_insufficient` reason code with the "Content review requires an Enterprise plan" user message.
Changed
- `pollContentReviewStatus` fast-fails on 404 (maps to `review_not_found`) instead of retrying, diverging from `pollApprovalStatus` which treats 404 as transient. Content reviews can be hard-deleted by admin action in a way approvals cannot.
Added
- Windsurf native integration via Cascade Hooks (`pre_*`/`post_*` for reads, writes, terminal, and MCP). Hook scripts install to `~/.multicorn/windsurf-hooks/` and add entries to `~/.codeium/windsurf/hooks.json`.
- `npx multicorn-shield init`: when you pick Windsurf, choose Native plugin (recommended) or Hosted proxy. Native path registers Shield hooks and reminds you to restart Windsurf.
Added
- Windsurf IDE as a supported platform in `npx multicorn-shield init`. Generates a proxy config and prints an `~/.codeium/windsurf/mcp_config.json` snippet using the Windsurf `mcpServers`/`serverUrl` schema.
- Auto-detection of existing Windsurf proxy entries (shows "● detected locally" in the platform selection list).
Changed
- Next Steps block for Cursor and Windsurf rewritten as clear three-step numbered actions: download the IDE if needed, paste the config snippet, restart. Previous copy ("Config file: ...", "Restart Cursor to pick up MCP config changes") gave no guidance to first-time users.
Added
- New `--api-key <key>` CLI flag on `multicorn-shield --wrap`. Lets users run the proxy without first creating a config file.
- New `MULTICORN_API_KEY` environment variable support. Resolves with priority `--api-key` flag > `MULTICORN_API_KEY` env var > `~/.multicorn/config.json`.
- New "Local MCP / Other" option in the `multicorn-shield init` wizard. Skips the platform-specific setup steps and writes a minimal config suitable for wrapping any local MCP server with `--wrap`.
- SDK constructor now validates the API key format and rejects invalid keys (empty, wrong prefix, too short, or the literal placeholder `mcs_your_key_here`) with a clear error pointing at the settings page.
Changed
- `multicorn-shield init` platform menu now labels detected platforms as "detected locally" instead of "connected", with a dimmed dot icon instead of a green checkmark. The previous label implied account-level connection state, but the underlying detection only checks for local config files.
- Error message when no API key is configured now mentions all three sources: the `--api-key` flag, the `MULTICORN_API_KEY` environment variable, and the `npx multicorn-shield init` config file path.
- All references to the API keys settings page now use the fragment URL `https://app.multicorn.ai/settings#api-keys` instead of the previous `/settings/api-keys` path which did not exist.
Fixed
- `multicorn-shield --wrap` now fails immediately at startup with a clear error if the configured API key is rejected by the Multicorn service. Previously the proxy logged "Agent resolved" and "Proxy ready" with empty agent state and only blocked tool calls at runtime, leaving users confused about why their setup was not working.
- `multicorn-shield --wrap` now correctly accepts proxy flags (`--api-key`, `--base-url`, `--log-level`, `--dashboard-url`, `--agent-name`) when they appear between `--wrap` and the wrap command. Previously the parser bailed with "requires a command to run" because the early-exit guard rejected any flag-shaped token in that position before the stripping logic ran.
- `multicorn-shield init` exit summary no longer renders a trailing dash for the "Local MCP / Other" option (which has no agent name). The summary line now reads `✓ Local MCP / Other` instead of `✓ Local MCP / Other -`.
- `multicorn-shield init` no longer prints a misleading "Next steps" block referencing "Other MCP Agent" and `--agent-name` after the "Local MCP / Other" option. The "Try it" example printed inside the option 4 branch is sufficient guidance.
Added
- `readBaseUrlFromConfig()` helper for reading base URL from partial config files.
- `parseConfigFile()` shared helper eliminating duplicated file read/parse logic between `loadConfig` and `readBaseUrlFromConfig`.
- `isAllowedShieldApiBaseUrl()` exported validator for HTTPS/localhost scheme checks.
- `DEFAULT_SHIELD_API_BASE_URL` named constant replacing hardcoded fallback string.
- HTTPS scheme validation in `runInit()` init flow (previously only enforced in wrap flow).
Changed
- `runInit` parameter changed from `baseUrl = "https://api.multicorn.ai"` to `explicitBaseUrl?: string` to distinguish "no flag" from "explicitly passed default."
- Base URL resolution priority: explicit flag > full config > partial config > env var > default.
- HTTPS validation error messages no longer include the actual URL value.
- Wrap flow validates `--base-url` before loading config when the flag is present.
Fixed
- Proxy CLI `init` command now reads `baseUrl` from `~/.multicorn/config.json` on the new-key path, not just the reuse-key path. Previously required `--base-url` flag as a workaround.
- `--base-url` CLI flag correctly overrides config file value (previously indistinguishable from the default).
Fixed
- Updated README badges and npm package metadata to reflect current branding.
Added
- Multi-agent config support: `~/.multicorn/config.json` now stores an `agents` array with per-platform entries instead of a single `agentName`
- New CLI commands: `npx multicorn-shield agents` (list configured agents) and `npx multicorn-shield delete-agent <name>` (remove an agent)
- New exported helpers: `getAgentByPlatform()`, `getDefaultAgent()`, `collectAgentsFromConfig()`, `deleteAgentByName()`
- `AgentEntry` interface exported from the SDK
- Automatic migration: legacy single-agent configs are upgraded to the new format on first read and written back to disk
- Platform-based agent lookup in Claude Code hooks (`pre-tool-use.cjs`, `post-tool-use.cjs`), OpenClaw plugin, and Claude Desktop extension
- CLI agent name sanitisation: `delete-agent` strips non-printable characters before echoing to terminal
Changed
- `ProxyConfig` interface now includes optional `agents` (readonly `AgentEntry[]`) and `defaultAgent` fields
- `agentName` and `platform` fields on `ProxyConfig` are deprecated (kept for backward compatibility during migration)
- `runInit()` appends to the agents array instead of overwriting; detects duplicate platforms and prompts to replace
- Restored inline OpenClaw setup flow with version detection, auto-config of `~/.openclaw/openclaw.json`, and "Next steps" instructions (`openclaw gateway restart`, `openclaw tui`)
- Restored inline Claude Code setup instructions (marketplace add, plugin install, start claude, `/plugin` verification)
- "Next steps" summary restored at end of init wizard with per-platform instructions
- Help text clarified for non-technical users ("List configured agents and show which is the default", "Remove a saved agent")
- CJS hook duplication comment updated to explain why shared modules are not possible
Fixed
- Running `npx multicorn-shield init` for a second platform no longer overwrites the first agent's config
- `delete-agent` clears `defaultAgent` when deleting the default agent instead of leaving a dangling reference
Security
- Agent names from CLI input are sanitised before echoing to stdout/stderr to prevent terminal escape sequence injection
Changed
- CLI rewrite: extracted platform selection, agent naming, and proxy config prompts into separate helper functions
- Reduced platform options from 4 (OpenClaw, Claude Code, Claude Desktop, Other MCP Agent) to 3 (OpenClaw, Claude Code, Cursor)
- Cursor connection detection via `~/.cursor/mcp.json`
- Claude Code connection detection via `~/.claude/plugins/cache/multicorn-shield`
- Cursor (selection 3) now prompts for target MCP server URL and creates a hosted proxy config via the Shield API
- Platform-specific MCP config snippets shown after proxy config creation
- "Connect another agent?" prompt changed from `(y/N)` default-no to `(Y/n)` default-yes
- Setup complete summary now shows agent names and proxy URLs alongside platform labels
Added
- Claude Desktop Extension (.mcpb) for one-click install. Packages Shield as a Desktop Extension that wraps existing MCP servers, enforces permissions via the Shield API, and logs all tool calls.
- `npx multicorn-shield restore` command to recover original MCP server config after disabling the extension.
- `multicorn-shield/proxy` subpath export with interceptor helpers, consent utilities, logger, scope validator, and tool mapper for hosted proxy consumers.
- HTTP client for hosted proxy URLs (`proxy-client`) supporting Streamable HTTP transport, session management, and JSON-RPC error handling.
- Optional extension setting `base_url` (env `MULTICORN_BASE_URL`) for enterprise or self-hosted Shield API endpoints. Defaults to `https://api.multicorn.ai` when empty.
Changed
- Desktop Extension routes tool calls to hosted proxy URLs over Streamable HTTP instead of spawning child MCP processes locally. Permission enforcement and audit logging now run server-side, avoiding sandbox limits in Claude Desktop.
- `runInit` base URL resolution checks config file and `MULTICORN_BASE_URL` env var before falling back to the default API endpoint.
- `platform` field threaded through proxy config and CLI init flow for connection method tracking in the dashboard.
Security
- Claude Code PreToolUse hook now fails closed when the Shield API is unreachable or returns an error. Previously, all error paths exited with code 0 (allow). Now, any error after config is successfully loaded exits with code 2 (block). This matches the fail-closed behaviour of the OpenClaw plugin and MCP proxy since v0.1.15.
Added
- Claude Code plugin: PreToolUse hook intercepts tool calls and checks permissions via Shield API before allowing execution
- Claude Code plugin: PostToolUse hook logs completed tool calls to Shield audit trail
- Claude Code plugin: consent screen opens in browser on first tool call for new agents, polls for approval
- Claude Code plugin: consent marker file prevents repeated browser opens after initial consent
- Claude Desktop: CLI wizard auto-writes `claude_desktop_config.json` with MCP proxy config (macOS, Linux, Windows paths)
- Claude Desktop: wizard prompts for MCP server command and merges config without clobbering existing entries
- MCP proxy: comprehensive tool name mapper with explicit mappings for filesystem, git, web, terminal, email, and calendar MCP servers
- CLI wizard: "connected" checkmark for Claude Code and Claude Desktop in platform selection menu
- CLI wizard: Step 3 added to Claude Code output ("Start Claude Code: claude")
- Agent name validation: must match /^[a-zA-Z0-9_-]+$/ before use in config files
- `shell` tool name mapping to terminal:execute in Claude Code hook (covers Claude Code's Shell tool variant)
Changed
- Claude Desktop wizard path now auto-writes config instead of showing manual JSON snippet (falls back to manual on invalid JSON or user skip)
- MCP proxy tool mapping replaced: `extractServiceFromToolName`/`extractActionFromToolName` underscore-split replaced with explicit `mapMcpToolToScope` lookup table
- `isClaudeDesktopConnected` uses proper args array inspection instead of substring match on serialized JSON
Fixed
- Claude Code plugin install: removed `skills` array from plugin.json that caused validation error on `claude plugin install`
- Claude Code consent flow: consent screen only opens once per agent (not per scope), subsequent permission requests block with approvals link
- Claude Code hook: localhost:8080 API base URL correctly maps to localhost:5173 dashboard URL for consent and approvals links
- MCP proxy: filesystem server tools (read_file, write_file, list_directory, etc.) now correctly map to filesystem:read/write instead of garbage service names
Added
- Claude Code marketplace manifest at `.claude-plugin/marketplace.json`
- Claude Code plugin structure at `plugins/multicorn-shield/` with plugin.json and shield-governance skill
- Repository field added to marketplace.json linking to GitHub source
Added
- `ShieldAuthError` class for clean 401/403 error propagation through `resolveAgentRecord`
- `buildInternalErrorResponse`, `buildServiceUnreachableResponse`, and `buildAuthErrorResponse` in interceptor module
- Early auth-invalid and offline-mode guards at the top of `handleToolCall` (before scope validation)
- `authInvalid` flag on `AgentRecord` for propagating auth failures from consent module to proxy
- `proxy.fail-closed.test.ts` covering service-down, timeout, 500, malformed JSON, 401, 403, and internal error scenarios
- `plugin.fail-closed.test.ts` covering exception handling, 5xx responses, and malformed response blocking
Changed
- All proxy and plugin failure modes now fail closed (block action when Shield cannot verify permissions)
- `handleHttpError` returns `shouldBlock: true` for 429 (rate limit) and 5xx (server error), matching the existing `checkActionPermission` behavior and fixing misleading comments
- Service-unreachable, auth-error, and internal-error responses use distinct JSON-RPC error codes: -32000 (permission denied), -32002 (internal error), -32003 (service unreachable), -32004 (auth error)
- Plugin output filename changed from `index.js` to `multicorn-shield.js` to fix OpenClaw plugin ID mismatch warning
Fixed
- Proxy `handleToolCall` no longer hangs or returns wrong error code when service is unreachable at startup
- `findAgentByName` wraps `response.json()` in try/catch so malformed responses flow through the offline path instead of throwing unhandled rejections
- Existing test assertions updated to match new error codes (-32003 for service unreachable, -32004 for auth errors)
Fixed
- Audit log payload column uses `text` instead of `jsonb` to preserve SHA-256 hash chain integrity (PostgreSQL `jsonb` normalizes key ordering and whitespace)
- `Instant.toString()` timestamp precision preserved using `DateTimeFormatter` with `SSSSSS` pattern in `AuditHasher.formatTimestamp()`
- All 40 integration tests passing after audit log migration (V030)
Fixed
- Consent screen now pre-selects the permission level the agent actually requested (e.g. terminal:execute pre-selects the Execute button)
- Scope param parsing supports both formats: service:permission (terminal:execute) and permission:service (execute:terminal)
- deriveDashboardUrl respects MULTICORN_BASE_URL env var for local development instead of always resolving to production
- Plugin re-checks permission after consent completes in the blocked path, so the user doesn't have to trigger a second tool call
Fixed
- Approval flow: plugin correctly handles consent-then-permission-check sequence
- Flaky tests stabilised across handler, plugin, proxy blocking, and edge-case suites
Fixed
- Plugin fail mode now defaults to closed (block on API error, never fail open)
- approval_id field name corrected from camelCase to snake_case to match backend API
- Plugin beforeToolCall wrapped in try/catch so errors block instead of crashing silently
- Config cascade documented: ~/.multicorn/config.json takes priority over openclaw.json plugin env
Fixed
- API key resolution from config.json when openclaw.json env block is not available
Fixed
- Plugin correctly maps destructive exec commands (rm, mv, sudo, chmod) to terminal:write instead of terminal:execute
- Approval descriptions now show human-readable summaries instead of raw shell commands
- Agent polling removed in favour of immediate block with dashboard redirect (OpenClaw hook timeout was shorter than human approval time)
Added
- README header SVG banner
Changed
- Consent flow updated for OpenClaw Plugin API (replaces deprecated gateway hook approach)
Fixed
- Handler and plugin consent test alignment with new Plugin API structure
Added
- Comprehensive plugin test suite for beforeToolCall and afterToolCall hooks
Fixed
- Plugin registration and lifecycle handling with OpenClaw Plugin API
Changed
- Package metadata updates for npm listing
Fixed
- Test stability improvements across the full suite
Changed
- MCP proxy improved for edge cases in tool call interception
Fixed
- Proxy test reliability
Added
- Shield API client (shield-client.ts) for permission checks and action logging from the plugin
- Consent flow module with browser-open and polling for user authorization
- OpenClaw Plugin API integration (beforeToolCall/afterToolCall hooks)
- Tool name mapper: OpenClaw tools (exec, read, write, browser, message) mapped to Shield service scopes
- Hook documentation (HOOK.md)
Fixed
- OpenClaw integration issues discovered during end-to-end testing
Changed
- Publish workflow switched to OIDC trusted publishing via GitHub Actions
Fixed
- Plugin loading path resolution for OpenClaw
Added
- Consent screen web component with Shadow DOM isolation, focus trapping, and keyboard navigation
- Scope system with hierarchical definitions, parsing, and validation
- Action logger for audit-trail recording of agent activity
- Spending controls with per-agent and per-scope limit checking
- MCP protocol adapter for Model Context Protocol integration
- TypeScript strict mode with full type safety across all modules
- ESM and CJS dual-format builds via tsup
- Full test suite with >85% coverage thresholds