@kya-os/create-mcpi-app 0.6.4-canary.1

package/dist/helpers/generate-cloudflare-files.js

@@ -0,0 +1,1541 @@
+/**
+ * Programmatic Cloudflare Project File Generation
+ *
+ * This module generates Cloudflare MCP-I project files in-memory,
+ * suitable for committing to GitHub via API (one-click deployment).
+ *
+ * Unlike fetchCloudflareMcpiTemplate (which writes to disk), this function
+ * returns file contents that can be committed programmatically.
+ *
+ * @module @kya-os/create-mcpi-app/helpers/generate-cloudflare-files
+ */
+import crypto from "crypto";
+import { generateIdentity, } from "./generate-identity.js";
+import { getPackageVersions } from "./get-package-versions.js";
+/**
+ * Unified KV binding name (matches env-mapper.ts UNIFIED_KV_BINDING_NAME)
+ *
+ * A single KV namespace per project instead of 5 individual ones.
+ * The mcp-i-cloudflare env-mapper expands this to all 5 expected bindings
+ * at runtime via fallback, so worker code sees familiar names.
+ */
+const UNIFIED_KV_BINDING = "MCPI_KV";
+/**
+ * Generate Cloudflare MCP-I project files in-memory
+ *
+ * This function generates all files needed for a Cloudflare Workers MCP-I project
+ * but returns them as strings instead of writing to disk. This enables
+ * programmatic deployment via GitHub API.
+ *
+ * @example
+ * ```typescript
+ * const result = await generateCloudflareProjectFiles({
+ *   projectName: "my-agent",
+ *   agentShieldProjectId: "my-project-abc123",
+ * });
+ *
+ * // Commit files to GitHub
+ * for (const file of result.files) {
+ *   await octokit.repos.createOrUpdateFileContents({
+ *     owner, repo,
+ *     path: file.path,
+ *     content: Buffer.from(file.content).toString("base64"),
+ *   });
+ * }
+ *
+ * // Add secrets to GitHub
+ * await octokit.actions.createOrUpdateRepoSecret({
+ *   owner, repo,
+ *   secret_name: "MCP_IDENTITY_PRIVATE_KEY",
+ *   encrypted_value: await encrypt(result.secrets.MCP_IDENTITY_PRIVATE_KEY),
+ * });
+ * ```
+ */
+export async function generateCloudflareProjectFiles(options) {
+    const { projectName, template = "blank", agentShieldProjectId, agentShieldApiUrl = "https://kya.vouched.id", agentShieldApiKey, skipIdentity = false, serverUrl, } = options;
+    // Standard DO class name for all templates (no more per-project PascalCase names)
+    const doClassName = "MCPIAgent";
+    // Get package versions from scaffolder's package.json (single source of truth)
+    // This ensures scaffolded projects use tested, consistent versions
+    const versions = await getPackageVersions();
+    // Extract exact version (without caret) for template dependencies
+    // Templates use exact versions to ensure users get the tested version
+    const mcpICloudflareVersion = versions["@kya-os/mcp-i-cloudflare"].replace(/^[\^~]/, "");
+    // Generate identity
+    let identity;
+    if (skipIdentity) {
+        identity = {
+            did: "did:key:zTestMockIdentity",
+            kid: "did:key:zTestMockIdentity#key-1",
+            privateKey: "mock-private-key",
+            publicKey: "mock-public-key",
+            createdAt: new Date().toISOString(),
+            type: "development",
+        };
+    }
+    else {
+        identity = await generateIdentity();
+    }
+    // Generate OAuth encryption secret
+    const oauthEncryptionSecret = crypto.randomBytes(32).toString("hex");
+    const files = [];
+    // 1. package.json
+    files.push({
+        path: "package.json",
+        content: JSON.stringify({
+            name: projectName,
+            version: "0.1.0",
+            private: true,
+            scripts: {
+                deploy: "wrangler deploy",
+                dev: "wrangler dev",
+                start: "wrangler dev",
+                test: "vitest",
+                "cf-typegen": "wrangler types",
+            },
+            dependencies: {
+                "@kya-os/mcp-i-cloudflare": mcpICloudflareVersion,
+                "@modelcontextprotocol/sdk": "1.25.2",
+                // agents@0.3.x removed 'ai' from direct deps, fixing Redis bundling issue
+                agents: "0.3.6",
+                hono: "4.11.7",
+            },
+            devDependencies: {
+                "@cloudflare/vitest-pool-workers": "^0.5.41",
+                "@cloudflare/workers-types": "^4.20251126.0",
+                "@types/node": "^20.8.3",
+                typescript: "^5.5.2",
+                vitest: "^2.0.5",
+                wrangler: "^4.53.0",
+            },
+        }, null, 2),
+        encoding: "utf-8",
+    });
+    // 2. wrangler.toml (NO private key - that goes to GitHub Secrets)
+    files.push({
+        path: "wrangler.toml",
+        content: generateWranglerToml({
+            projectName,
+            doClassName,
+            agentDid: identity.did,
+            publicKey: identity.publicKey,
+            agentShieldProjectId,
+            agentShieldApiUrl,
+            template,
+            serverUrl,
+        }),
+        encoding: "utf-8",
+    });
+    // 3. .dev.vars.example (template for local dev, not the actual secrets)
+    files.push({
+        path: ".dev.vars.example",
+        content: `# Copy this to .dev.vars for local development
+# For production, secrets are managed via GitHub Secrets + Cloudflare
+
+# Agent Identity (DO NOT COMMIT .dev.vars)
+MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
+
+# OAuth Encryption Secret (required for OAuth/delegation flows)
+OAUTH_ENCRYPTION_SECRET="your-oauth-secret-here"
+
+# AgentShield API Key
+AGENTSHIELD_API_KEY="sk_your_api_key_here"
+
+# Admin API Key (optional, falls back to AGENTSHIELD_API_KEY)
+# ADMIN_API_KEY="sk_your_admin_key_here"
+`,
+        encoding: "utf-8",
+    });
+    // 4. .gitignore
+    files.push({
+        path: ".gitignore",
+        content: `node_modules/
+dist/
+.wrangler/
+.dev.vars
+*.log
+.DS_Store
+`,
+        encoding: "utf-8",
+    });
+    // 5. tsconfig.json
+    files.push({
+        path: "tsconfig.json",
+        content: JSON.stringify({
+            compilerOptions: {
+                target: "esnext",
+                module: "esnext",
+                moduleResolution: "bundler",
+                types: ["@cloudflare/workers-types", "vitest/globals"],
+                strict: true,
+                skipLibCheck: true,
+                noEmit: true,
+            },
+            include: ["src/**/*"],
+            exclude: ["node_modules"],
+        }, null, 2),
+        encoding: "utf-8",
+    });
+    // 6. src/index.ts
+    files.push({
+        path: "src/index.ts",
+        content: generateIndexTs(doClassName),
+        encoding: "utf-8",
+    });
+    // 7. src/agent.ts
+    files.push({
+        path: "src/agent.ts",
+        content: generateAgentTs(projectName, doClassName),
+        encoding: "utf-8",
+    });
+    // 8. src/mcpi-runtime-config.ts
+    files.push({
+        path: "src/mcpi-runtime-config.ts",
+        content: generateRuntimeConfigTs(template),
+        encoding: "utf-8",
+    });
+    // 9. src/tools/greet.ts (always included)
+    files.push({
+        path: "src/tools/greet.ts",
+        content: generateGreetToolTs(projectName),
+        encoding: "utf-8",
+    });
+    // 10. Add template-specific tools
+    if (template === "ecommerce") {
+        files.push(...generateEcommerceTools());
+    }
+    else if (template === "hardware-world") {
+        files.push(...generateHardwareWorldTools());
+    }
+    // 11. GitHub Actions workflow
+    files.push({
+        path: ".github/workflows/deploy.yml",
+        content: generateDeployWorkflow(),
+        encoding: "utf-8",
+    });
+    // 12. README.md
+    files.push({
+        path: "README.md",
+        content: generateReadme(projectName, agentShieldProjectId),
+        encoding: "utf-8",
+    });
+    // Build secrets object - always include identity and OAuth secrets
+    const secrets = {
+        MCP_IDENTITY_PRIVATE_KEY: identity.privateKey,
+        OAUTH_ENCRYPTION_SECRET: oauthEncryptionSecret,
+    };
+    // Include AgentShield API key if provided
+    if (agentShieldApiKey) {
+        secrets.AGENTSHIELD_API_KEY = agentShieldApiKey;
+    }
+    return {
+        files,
+        identity: {
+            did: identity.did,
+            publicKey: identity.publicKey,
+            privateKey: identity.privateKey,
+        },
+        secrets,
+    };
+}
+// ============================================================================
+// Helper Functions
+// ============================================================================
+function generateWranglerToml(opts) {
+    const { projectName, doClassName, agentDid, publicKey, agentShieldProjectId, agentShieldApiUrl, template, serverUrl, } = opts;
+    // Template-specific environment variables
+    let templateVars = "";
+    if (template === "hardware-world") {
+        templateVars = `
+# Hardware World API Configuration
+HARDWARE_WORLD_API_BASE_URL = "https://hardwareworld.com"
+`;
+    }
+    return `#:schema node_modules/wrangler/config-schema.json
+name = "${projectName}"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+compatibility_flags = ["nodejs_compat"]
+
+# Durable Object binding for MCP Agent state
+[[durable_objects.bindings]]
+name = "MCP_OBJECT"
+class_name = "${doClassName}"
+
+[[migrations]]
+tag = "v1"
+new_sqlite_classes = ["${doClassName}"]
+
+# ═══════════════════════════════════════════════════════════════════════════════
+# KV NAMESPACE - Unified single namespace, auto-provisioned by Wrangler v4.45+
+# ═══════════════════════════════════════════════════════════════════════════════
+# One KV namespace handles all MCP-I storage (nonces, proofs, identity,
+# delegations, tool protection). Key prefixes are naturally unique across
+# all logical namespaces so there is zero collision risk.
+# Just run: npm run deploy (KV namespace is created automatically!)
+
+[[kv_namespaces]]
+binding = "${UNIFIED_KV_BINDING}"
+
+[vars]
+# Agent DID (public identifier - safe to commit)
+MCP_IDENTITY_AGENT_DID = "${agentDid}"
+
+# Public identity key (safe to commit)
+MCP_IDENTITY_PUBLIC_KEY = "${publicKey}"
+
+# CORS origins
+ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
+
+# Durable Object routing
+DO_ROUTING_STRATEGY = "singleton"
+# DO_SHARD_COUNT = "10"  # Only needed if using shard strategy
+
+XMCP_I_TS_SKEW_SEC = "120"
+XMCP_I_SESSION_TTL = "1800"
+
+# AgentShield Integration
+AGENTSHIELD_API_URL = "${agentShieldApiUrl}"
+${agentShieldProjectId ? `AGENTSHIELD_PROJECT_ID = "${agentShieldProjectId}"` : '# AGENTSHIELD_PROJECT_ID = "your-project-id"'}
+
+MCPI_ENV = "development"
+
+# MCP Server URL (OPTIONAL - auto-detected from request origin by default)
+# Only set this if you're using a custom domain or auto-detection isn't working
+# Use base URL WITHOUT /mcp suffix - consent pages are at /consent, not /mcp/consent
+${serverUrl ? `MCP_SERVER_URL = "${serverUrl}"` : `# MCP_SERVER_URL = "https://${projectName}.YOUR-SUBDOMAIN.workers.dev"`}
+${templateVars}
+# ═══════════════════════════════════════════════════════════════════════════════
+# SECRETS (managed via GitHub Secrets + wrangler secret)
+# ═══════════════════════════════════════════════════════════════════════════════
+# These are automatically deployed via GitHub Actions workflow.
+# For local development, copy .dev.vars.example to .dev.vars
+`;
+}
+function generateIndexTs(doClassName) {
+    return `import { createMCPIApp } from "@kya-os/mcp-i-cloudflare";
+import { ${doClassName} } from "./agent";
+import { getRuntimeConfig } from "./mcpi-runtime-config";
+
+export default createMCPIApp({
+  AgentClass: ${doClassName},
+  getRuntimeConfig,
+});
+
+// Export Durable Object class for Cloudflare Workers binding
+export { ${doClassName} };
+`;
+}
+function generateAgentTs(projectName, doClassName) {
+    return `import { MCPICloudflareAgent, type CloudflareEnv } from "@kya-os/mcp-i-cloudflare";
+import { getRuntimeConfig, getTools } from "./mcpi-runtime-config";
+import type { CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare";
+
+/**
+ * MCP-I Agent Implementation
+ */
+export class ${doClassName} extends MCPICloudflareAgent {
+  protected getAgentName(): string {
+    return (this.env as CloudflareEnv).MCP_SERVER_NAME || "${projectName}";
+  }
+
+  protected getAgentVersion(): string {
+    return "1.0.0";
+  }
+
+  protected getRuntimeConfigInternal(env: CloudflareEnv): CloudflareRuntimeConfig {
+    return getRuntimeConfig(env);
+  }
+
+  protected async registerTools(): Promise<void> {
+    const tools = getTools();
+    for (const toolDef of tools) {
+      this.registerToolWithProof(
+        toolDef.name,
+        toolDef.description,
+        toolDef.inputSchema,
+        toolDef.handler
+      );
+    }
+  }
+}
+`;
+}
+function generateRuntimeConfigTs(template) {
+    // Hardware World has different imports and tool protection
+    if (template === "hardware-world") {
+        return generateHardwareWorldRuntimeConfig();
+    }
+    const imports = [`import { greetTool } from "./tools/greet";`];
+    const tools = ["greetTool"];
+    if (template === "ecommerce") {
+        imports.push(`import { addToCartTool } from "./tools/add-to-cart";`);
+        imports.push(`import { getCartTool } from "./tools/get-cart";`);
+        imports.push(`import { checkoutTool } from "./tools/checkout";`);
+        tools.push("addToCartTool", "getCartTool", "checkoutTool");
+    }
+    return `import { defineConfig, type CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare";
+import type { CloudflareEnv } from "@kya-os/mcp-i-cloudflare";
+${imports.join("\n")}
+
+export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
+  const environment = (env.MCPI_ENV || env.ENVIRONMENT || "development") as "development" | "production";
+
+  const proofingConfig = env.AGENTSHIELD_API_KEY
+    ? {
+        enabled: true,
+        batchQueue: {
+          destinations: [
+            {
+              type: "agentshield" as const,
+              apiKey: env.AGENTSHIELD_API_KEY,
+              apiUrl: env.AGENTSHIELD_API_URL || "https://kya.vouched.id",
+            },
+          ],
+        },
+      }
+    : undefined;
+
+  return defineConfig({
+    environment,
+    proofing: proofingConfig,
+    vars: {
+      ENVIRONMENT: environment,
+      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
+      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
+      AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
+    },
+  });
+}
+
+export function getTools() {
+  return [
+    ${tools.join(",\n    ")},
+  ];
+}
+`;
+}
+function generateHardwareWorldRuntimeConfig() {
+    return `/**
+ * MCP-I Runtime Configuration
+ *
+ * Defines tool protection, proofing, and other runtime settings.
+ * Uses inline config with correct scopes (no hyphens) to avoid
+ * AgentShield's auto-generated scope validation issues.
+ */
+
+import {
+  defineConfig,
+  type CloudflareRuntimeConfig,
+  type CloudflareEnv,
+} from "@kya-os/mcp-i-cloudflare";
+
+// Import tools
+import { greetTool } from "./tools/greet";
+import { getProductsTool } from "./tools/get-products";
+import { getBrandsTool } from "./tools/get-brands";
+import { getBrandTool } from "./tools/get-brand";
+import { addToCartTool } from "./tools/add-to-cart";
+import { getCartTool } from "./tools/get-cart";
+import { getCustomerTool } from "./tools/get-customer";
+
+/**
+ * Tool Protection Configuration
+ *
+ * Using inline config because:
+ * 1. AgentShield auto-generates scopes like "ADD-TO-CART:EXECUTE" which fail validation
+ * 2. The scope regex /^[a-zA-Z0-9_]+:[a-zA-Z0-9_]+$/ doesn't allow hyphens
+ * 3. Inline config uses correct scopes like "cart:write"
+ */
+const toolProtections = {
+  // Public tools - no delegation required
+  greet: {
+    requiresDelegation: false,
+    requiredScopes: [] as string[],
+    riskLevel: "low" as const,
+  },
+  "get-products": {
+    requiresDelegation: false,
+    requiredScopes: [] as string[],
+    riskLevel: "low" as const,
+  },
+  "get-brands": {
+    requiresDelegation: false,
+    requiredScopes: [] as string[],
+    riskLevel: "low" as const,
+  },
+  "get-brand": {
+    requiresDelegation: false,
+    requiredScopes: [] as string[],
+    riskLevel: "low" as const,
+  },
+
+  // Protected tools - require user delegation
+  "get-customer": {
+    requiresDelegation: true,
+    requiredScopes: ["customer:read"],
+    riskLevel: "low" as const,
+  },
+  "get-cart": {
+    requiresDelegation: true,
+    requiredScopes: ["cart:read"],
+    riskLevel: "low" as const,
+  },
+  "add-to-cart": {
+    requiresDelegation: true,
+    requiredScopes: ["cart:write"],
+    riskLevel: "medium" as const,
+  },
+};
+
+/**
+ * Get runtime configuration for MCP-I
+ */
+export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
+  const environment = (env.MCPI_ENV || "development") as
+    | "development"
+    | "production";
+
+  // Proofing config - sends execution proofs to AgentShield
+  const proofingConfig = env.AGENTSHIELD_API_KEY
+    ? {
+        enabled: true,
+        batchQueue: {
+          destinations: [
+            {
+              type: "agentshield" as const,
+              apiKey: env.AGENTSHIELD_API_KEY,
+              apiUrl: env.AGENTSHIELD_API_URL || "https://kya.vouched.id",
+            },
+          ],
+        },
+      }
+    : undefined;
+
+  // Tool protection - using inline config with correct scopes
+  const toolProtectionConfig = {
+    source: "inline" as const,
+    toolProtections,
+  };
+
+  return defineConfig({
+    environment,
+    proofing: proofingConfig,
+    toolProtection: toolProtectionConfig,
+    vars: {
+      ENVIRONMENT: environment,
+      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
+      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
+      AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
+    },
+  });
+}
+
+/**
+ * Get all tools for this agent
+ *
+ * Note: No login tool - users authenticate via the MCP-I consent flow,
+ * not by passing credentials through the agent.
+ */
+export function getTools() {
+  return [
+    // Public tools
+    greetTool,
+    getProductsTool,
+    getBrandsTool,
+    getBrandTool,
+    // Protected tools (require delegation)
+    getCustomerTool,
+    getCartTool,
+    addToCartTool,
+  ];
+}
+`;
+}
+function generateGreetToolTs(projectName) {
+    return `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+
+export const greetTool: ToolDefinition = {
+  name: "greet",
+  description: "Greet the user",
+  inputSchema: {
+    type: "object",
+    properties: {
+      name: { type: "string", description: "Name of the person to greet" },
+    },
+    required: ["name"],
+  },
+  handler: async (args: { name: string }) => {
+    return {
+      content: [
+        {
+          type: "text",
+          text: \`Hello, \${args.name}! Welcome to ${projectName}.\`,
+        },
+      ],
+    };
+  },
+};
+`;
+}
+function generateEcommerceTools() {
+    return [
+        {
+            path: "src/tools/add-to-cart.ts",
+            content: `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+
+export const addToCartTool: ToolDefinition = {
+  name: "add_to_cart",
+  description: "Add an item to the shopping cart",
+  inputSchema: {
+    type: "object",
+    properties: {
+      productId: { type: "string", description: "Product ID to add" },
+      quantity: { type: "number", description: "Quantity to add", default: 1 },
+    },
+    required: ["productId"],
+  },
+  handler: async (args: { productId: string; quantity?: number }) => {
+    const quantity = args.quantity || 1;
+    return {
+      content: [
+        {
+          type: "text",
+          text: \`Added \${quantity}x product \${args.productId} to cart.\`,
+        },
+      ],
+    };
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        {
+            path: "src/tools/get-cart.ts",
+            content: `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+
+export const getCartTool: ToolDefinition = {
+  name: "get_cart",
+  description: "Get the current shopping cart contents",
+  inputSchema: {
+    type: "object",
+    properties: {},
+  },
+  handler: async () => {
+    return {
+      content: [
+        {
+          type: "text",
+          text: "Your cart is currently empty. Add some items!",
+        },
+      ],
+    };
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        {
+            path: "src/tools/checkout.ts",
+            content: `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+
+export const checkoutTool: ToolDefinition = {
+  name: "checkout",
+  description: "Proceed to checkout with the current cart",
+  inputSchema: {
+    type: "object",
+    properties: {
+      paymentMethod: {
+        type: "string",
+        description: "Payment method (credit_card, paypal, etc.)",
+      },
+    },
+    required: ["paymentMethod"],
+  },
+  handler: async (args: { paymentMethod: string }) => {
+    return {
+      content: [
+        {
+          type: "text",
+          text: \`Checkout initiated with \${args.paymentMethod}. Redirecting to payment...\`,
+        },
+      ],
+    };
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+    ];
+}
+function generateHardwareWorldTools() {
+    return [
+        // API Client - handles authentication and API calls
+        {
+            path: "src/lib/api-client.ts",
+            content: `/**
+ * Hardware World API Client
+ *
+ * Utility functions for calling the Hardware World API.
+ * Handles authentication via ToolContext (idpHeaders from delegation flow).
+ */
+
+import type { ToolExecutionContext } from "@kya-os/mcp-i-cloudflare";
+
+// Re-export for convenience
+export type ToolContext = ToolExecutionContext;
+
+export interface ApiResponse<T = unknown> {
+  status: number;
+  data: T;
+  ok: boolean;
+}
+
+export interface ApiOptions {
+  method?: "GET" | "POST" | "PUT" | "DELETE";
+  body?: Record<string, unknown> | null;
+  baseUrl?: string;
+  headers?: Record<string, string>;
+}
+
+// Default base URL - can be overridden via HARDWARE_WORLD_API_BASE_URL env var
+const DEFAULT_BASE_URL = "https://hardwareworld.com";
+
+// Get base URL from environment or use default
+function getBaseUrl(): string {
+  // Check for environment variable (available in Cloudflare Workers)
+  if (typeof globalThis !== "undefined" && (globalThis as any).HARDWARE_WORLD_API_BASE_URL) {
+    return (globalThis as any).HARDWARE_WORLD_API_BASE_URL;
+  }
+  return DEFAULT_BASE_URL;
+}
+
+/**
+ * Call the Hardware World API
+ *
+ * @param endpoint - API endpoint (e.g., "/products", "/cart/123")
+ * @param options - Request options
+ * @param context - Tool execution context with auth headers
+ */
+export async function callHardwareWorldAPI<T = unknown>(
+  endpoint: string,
+  options: ApiOptions = {},
+  context?: ToolContext
+): Promise<ApiResponse<T>> {
+  const baseUrl = options.baseUrl || getBaseUrl();
+  const url = \`\${baseUrl}/api\${endpoint}\`;
+
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    ...options.headers,
+  };
+
+  // Hardware World API uses ONLY Cookie authentication (not Authorization header)
+  // The idpToken from credential provider contains the customerCookie value
+  if (context?.idpToken) {
+    // Hardware World API expects BOTH CIX and customerCookie for compatibility
+    headers["Cookie"] =
+      \`CIX=\${context.idpToken}; customerCookie=\${context.idpToken}\`;
+    console.log("[API Client] Cookie auth set from idpToken");
+  } else if (context?.idpHeaders?.["Cookie"]) {
+    // Fallback: use Cookie from idpHeaders if present
+    headers["Cookie"] = context.idpHeaders["Cookie"];
+    console.log("[API Client] Cookie auth set from idpHeaders");
+  }
+
+  console.log("[API Client] Request:", {
+    url,
+    method: options.method || "GET",
+    hasAuth: !!headers["Cookie"],
+  });
+
+  const response = await fetch(url, {
+    method: options.method || "GET",
+    headers,
+    body: options.body ? JSON.stringify(options.body) : null,
+  });
+
+  const responseData = await response.text();
+  let parsedData: T;
+
+  try {
+    parsedData = JSON.parse(responseData) as T;
+  } catch {
+    parsedData = responseData as T;
+  }
+
+  console.log("[API Client] Response:", {
+    status: response.status,
+    ok: response.ok,
+  });
+
+  return {
+    status: response.status,
+    data: parsedData,
+    ok: response.ok,
+  };
+}
+
+/**
+ * Format error response for MCP tools
+ */
+export function formatError(error: unknown): {
+  content: Array<{ type: "text"; text: string }>;
+  isError: true;
+} {
+  const message = error instanceof Error ? error.message : String(error);
+  return {
+    content: [{ type: "text", text: \`Error: \${message}\` }],
+    isError: true,
+  };
+}
+
+/**
+ * Format success response for MCP tools
+ */
+export function formatSuccess(data: unknown): {
+  content: Array<{ type: "text"; text: string }>;
+} {
+  return {
+    content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+  };
+}
+`,
+            encoding: "utf-8",
+        },
+        // Get Products - Public tool
+        {
+            path: "src/tools/get-products.ts",
+            content: `/**
+ * Get Products Tool
+ *
+ * Retrieves products from the Hardware World catalog.
+ * Public tool - no authentication required.
+ */
+
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import {
+  callHardwareWorldAPI,
+  formatError,
+  formatSuccess,
+} from "../lib/api-client";
+
+interface Product {
+  productId: number;
+  name: string;
+  price: number;
+  description?: string;
+  [key: string]: unknown;
+}
+
+interface ProductsResponse {
+  products?: Product[];
+  [key: string]: unknown;
+}
+
+interface GetProductsArgs {
+  query?: string;
+  take?: number;
+  skip?: number;
+  baseUrl?: string;
+}
+
+export const getProductsTool: ToolDefinition = {
+  name: "get-products",
+  description:
+    "Search and browse Hardware World products. Supports filtering by search query and pagination.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      query: {
+        type: "string",
+        description: "Search query to filter products (optional)",
+      },
+      take: {
+        type: "number",
+        description: "Number of products to return (default: 10)",
+      },
+      skip: {
+        type: "number",
+        description: "Number of products to skip for pagination (default: 0)",
+      },
+      baseUrl: {
+        type: "string",
+        description: "Override upstream base URL (optional)",
+      },
+    },
+    required: [],
+  },
+  handler: async (args: GetProductsArgs) => {
+    try {
+      const { query, take = 10, skip = 0, baseUrl } = args;
+
+      const endpoint = query
+        ? \`/products/search?query=\${encodeURIComponent(query)}&skip=\${skip}&take=\${take}\`
+        : \`/products?take=\${take}&skip=\${skip}\`;
+
+      const result = await callHardwareWorldAPI<ProductsResponse>(endpoint, {
+        method: "GET",
+        baseUrl,
+      });
+
+      if (!result.ok) {
+        return {
+          content: [
+            {
+              type: "text" as const,
+              text: JSON.stringify(
+                { error: "Failed to get products", details: result.data },
+                null,
+                2
+              ),
+            },
+          ],
+          isError: true,
+        };
+      }
+
+      const products = result.data?.products || result.data || [];
+      return formatSuccess({
+        success: true,
+        products,
+        count: Array.isArray(products) ? products.length : 0,
+      });
+    } catch (error) {
+      return formatError(error);
+    }
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        // Get Brands - Public tool
+        {
+            path: "src/tools/get-brands.ts",
+            content: `/**
+ * Get Brands Tool
+ *
+ * Retrieves all brands from Hardware World.
+ * Public tool - no authentication required.
+ */
+
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import {
+  callHardwareWorldAPI,
+  formatError,
+  formatSuccess,
+} from "../lib/api-client";
+
+interface Brand {
+  brandId: number;
+  name: string;
+  [key: string]: unknown;
+}
+
+interface BrandsResponse {
+  brands?: Brand[];
+  [key: string]: unknown;
+}
+
+interface GetBrandsArgs {
+  baseUrl?: string;
+}
+
+export const getBrandsTool: ToolDefinition = {
+  name: "get-brands",
+  description: "Get all available brands from Hardware World catalog.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      baseUrl: {
+        type: "string",
+        description: "Override upstream base URL (optional)",
+      },
+    },
+    required: [],
+  },
+  handler: async (args: GetBrandsArgs) => {
+    try {
+      const { baseUrl } = args;
+
+      const result = await callHardwareWorldAPI<BrandsResponse>("/brands", {
+        method: "GET",
+        baseUrl,
+      });
+
+      if (!result.ok) {
+        return {
+          content: [
+            {
+              type: "text" as const,
+              text: JSON.stringify(
+                { error: "Failed to get brands", details: result.data },
+                null,
+                2
+              ),
+            },
+          ],
+          isError: true,
+        };
+      }
+
+      const brands = result.data?.brands || result.data || [];
+      return formatSuccess({
+        success: true,
+        brands,
+        count: Array.isArray(brands) ? brands.length : 0,
+      });
+    } catch (error) {
+      return formatError(error);
+    }
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        // Get Brand - Public tool
+        {
+            path: "src/tools/get-brand.ts",
+            content: `/**
+ * Get Brand Tool
+ *
+ * Retrieves a specific brand by ID from Hardware World.
+ * Public tool - no authentication required.
+ */
+
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import {
+  callHardwareWorldAPI,
+  formatError,
+  formatSuccess,
+} from "../lib/api-client";
+
+interface Brand {
+  brandId: number;
+  name: string;
+  description?: string;
+  [key: string]: unknown;
+}
+
+interface GetBrandArgs {
+  brandId: number;
+  baseUrl?: string;
+}
+
+export const getBrandTool: ToolDefinition = {
+  name: "get-brand",
+  description: "Get details for a specific brand by its ID.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      brandId: {
+        type: "number",
+        description: "The brand ID to look up",
+      },
+      baseUrl: {
+        type: "string",
+        description: "Override upstream base URL (optional)",
+      },
+    },
+    required: ["brandId"],
+  },
+  handler: async (args: GetBrandArgs) => {
+    try {
+      const { brandId, baseUrl } = args;
+
+      if (brandId === undefined || brandId === null) {
+        return formatError("Brand ID is required");
+      }
+
+      const result = await callHardwareWorldAPI<Brand>(\`/brands/\${brandId}\`, {
+        method: "GET",
+        baseUrl,
+      });
+
+      if (!result.ok) {
+        return {
+          content: [
+            {
+              type: "text" as const,
+              text: JSON.stringify(
+                { error: "Failed to get brand", details: result.data },
+                null,
+                2
+              ),
+            },
+          ],
+          isError: true,
+        };
+      }
+
+      return formatSuccess({
+        success: true,
+        brand: result.data,
+      });
+    } catch (error) {
+      return formatError(error);
+    }
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        // Get Customer - Protected tool (requires delegation)
+        {
+            path: "src/tools/get-customer.ts",
+            content: `/**
+ * Get Customer Tool
+ *
+ * Retrieves the authenticated customer's information from Hardware World.
+ *
+ * PROTECTED OPERATION - requires delegation with 'customer:read' scope.
+ * Authentication is handled via MCP-I delegation flow.
+ */
+
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import {
+  callHardwareWorldAPI,
+  formatError,
+  formatSuccess,
+  type ToolContext,
+} from "../lib/api-client";
+
+interface CustomerData {
+  customerId: number;
+  email?: string;
+  firstName?: string;
+  lastName?: string;
+  [key: string]: unknown;
+}
+
+interface GetCustomerArgs {
+  customerId?: number;
+  baseUrl?: string;
+}
+
+export const getCustomerTool: ToolDefinition = {
+  name: "get-customer",
+  description:
+    "Get the authenticated customer's information. Requires user authorization (handled automatically via consent flow).",
+  inputSchema: {
+    type: "object",
+    properties: {
+      customerId: {
+        type: "number",
+        description:
+          "Customer ID (optional - automatically provided via authorization)",
+      },
+      baseUrl: {
+        type: "string",
+        description: "Override upstream base URL (optional)",
+      },
+    },
+    required: [],
+  },
+  handler: async (args: GetCustomerArgs, context?: ToolContext) => {
+    try {
+      const { baseUrl } = args;
+
+      // Verify we have authentication
+      if (!context?.idpToken) {
+        return formatError(
+          "Authentication not available. Please ensure you have authorized this tool."
+        );
+      }
+
+      // Get customerId from context or args
+      const customerId = args.customerId || context?.userId;
+
+      if (customerId === undefined || customerId === null) {
+        return formatError(
+          "Customer ID not available. Please ensure you have authorized this tool."
+        );
+      }
+
+      const result = await callHardwareWorldAPI<CustomerData>(
+        \`/customers/\${customerId}\`,
+        {
+          method: "GET",
+          baseUrl,
+        },
+        context
+      );
+
+      if (!result.ok) {
+        return {
+          content: [
+            {
+              type: "text" as const,
+              text: JSON.stringify(
+                { error: "Failed to get customer", details: result.data },
+                null,
+                2
+              ),
+            },
+          ],
+          isError: true,
+        };
+      }
+
+      return formatSuccess({
+        success: true,
+        customer: result.data,
+      });
+    } catch (error) {
+      return formatError(error);
+    }
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        // Get Cart - Protected tool (requires delegation)
+        {
+            path: "src/tools/get-cart.ts",
+            content: `/**
+ * Get Cart Tool
+ *
+ * Retrieves the customer's shopping cart contents and totals.
+ *
+ * PROTECTED OPERATION - requires delegation with 'cart:read' scope.
+ * Authentication is handled via MCP-I delegation flow.
+ */
+
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import {
+  callHardwareWorldAPI,
+  formatError,
+  formatSuccess,
+  type ToolContext,
+} from "../lib/api-client";
+
+interface CartData {
+  items?: unknown[];
+  total?: number;
+  [key: string]: unknown;
+}
+
+interface GetCartArgs {
+  customerId?: number;
+  baseUrl?: string;
+}
+
+export const getCartTool: ToolDefinition = {
+  name: "get-cart",
+  description:
+    "Get the current shopping cart contents and totals. Requires user authorization (handled automatically via consent flow).",
+  inputSchema: {
+    type: "object",
+    properties: {
+      customerId: {
+        type: "number",
+        description:
+          "Customer ID (optional - automatically provided via authorization)",
+      },
+      baseUrl: {
+        type: "string",
+        description: "Override upstream base URL (optional)",
+      },
+    },
+    required: [],
+  },
+  handler: async (args: GetCartArgs, context?: ToolContext) => {
+    try {
+      const { baseUrl } = args;
+
+      // Verify we have authentication
+      if (!context?.idpToken) {
+        return formatError(
+          "Authentication not available. Please ensure you have authorized this tool."
+        );
+      }
+
+      const result = await callHardwareWorldAPI<CartData>(
+        "/cart",
+        {
+          method: "GET",
+          baseUrl,
+        },
+        context
+      );
+
+      if (!result.ok) {
+        return {
+          content: [
+            {
+              type: "text" as const,
+              text: JSON.stringify(
+                { error: "Failed to get cart", details: result.data },
+                null,
+                2
+              ),
+            },
+          ],
+          isError: true,
+        };
+      }
+
+      return formatSuccess({
+        success: true,
+        cart: result.data,
+      });
+    } catch (error) {
+      return formatError(error);
+    }
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+        // Add to Cart - Protected tool (requires delegation)
+        {
+            path: "src/tools/add-to-cart.ts",
+            content: `/**
+ * Add to Cart Tool
+ *
+ * Adds a product to the customer's shopping cart.
+ *
+ * PROTECTED OPERATION - requires delegation with 'cart:write' scope.
+ * Authentication is handled via MCP-I delegation flow.
+ */
+
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import {
+  callHardwareWorldAPI,
+  formatError,
+  formatSuccess,
+  type ToolContext,
+} from "../lib/api-client";
+
+interface CartResponse {
+  message?: string;
+  customerId?: number;
+  [key: string]: unknown;
+}
+
+interface AddToCartArgs {
+  productId: number;
+  quantity?: number;
+  customerId?: number;
+  baseUrl?: string;
+}
+
+export const addToCartTool: ToolDefinition = {
+  name: "add-to-cart",
+  description:
+    "Add a product to the shopping cart. Requires user authorization (handled automatically via consent flow).",
+  inputSchema: {
+    type: "object",
+    properties: {
+      productId: {
+        type: "number",
+        description: "Product ID to add to cart",
+      },
+      quantity: {
+        type: "number",
+        description: "Quantity to add (default: 1)",
+      },
+      customerId: {
+        type: "number",
+        description:
+          "Customer ID (optional - automatically provided via authorization)",
+      },
+      baseUrl: {
+        type: "string",
+        description: "Override upstream base URL (optional)",
+      },
+    },
+    required: ["productId"],
+  },
+  handler: async (args: AddToCartArgs, context?: ToolContext) => {
+    try {
+      const { productId, quantity = 1, baseUrl } = args;
+
+      if (productId === undefined || productId === null) {
+        return formatError("Product ID is required");
+      }
+
+      // Verify we have authentication
+      if (!context?.idpToken) {
+        return formatError(
+          "Authentication not available. Please ensure you have authorized this tool."
+        );
+      }
+
+      const result = await callHardwareWorldAPI<CartResponse>(
+        "/cart/add",
+        {
+          method: "POST",
+          body: { productId, quantity },
+          baseUrl,
+        },
+        context
+      );
+
+      if (!result.ok) {
+        return {
+          content: [
+            {
+              type: "text" as const,
+              text: JSON.stringify(
+                { error: "Failed to add to cart", details: result.data },
+                null,
+                2
+              ),
+            },
+          ],
+          isError: true,
+        };
+      }
+
+      return formatSuccess({
+        success: true,
+        message: "Product added to cart",
+        data: result.data,
+      });
+    } catch (error) {
+      return formatError(error);
+    }
+  },
+};
+`,
+            encoding: "utf-8",
+        },
+    ];
+}
+function generateDeployWorkflow() {
+    // Note: YAML values containing ${{ }} must be quoted to avoid parsing issues
+    return `name: Deploy to Cloudflare
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual deployment'
+        required: false
+        default: 'Manual deployment'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log deployment reason
+        if: \${{ github.event_name == 'workflow_dispatch' }}
+        run: |
+          echo "Deployment triggered - Reason: \${{ github.event.inputs.reason }}"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Deploy to Cloudflare
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          secrets: |
+            MCP_IDENTITY_PRIVATE_KEY
+            OAUTH_ENCRYPTION_SECRET
+            AGENTSHIELD_API_KEY
+        env:
+          MCP_IDENTITY_PRIVATE_KEY: \${{ secrets.MCP_IDENTITY_PRIVATE_KEY }}
+          OAUTH_ENCRYPTION_SECRET: \${{ secrets.OAUTH_ENCRYPTION_SECRET }}
+          AGENTSHIELD_API_KEY: \${{ secrets.AGENTSHIELD_API_KEY }}
+`;
+}
+function generateReadme(projectName, projectId) {
+    const dashboardUrl = projectId
+        ? `https://kya.vouched.id/dashboard/bouncer/${projectId}`
+        : "https://kya.vouched.id/dashboard/bouncer";
+    return `# ${projectName}
+
+MCP-I Agent deployed on Cloudflare Workers with AgentShield integration.
+
+## Quick Start
+
+1. **Clone this repository**
+   \`\`\`bash
+   git clone https://github.com/YOUR_USERNAME/${projectName}.git
+   cd ${projectName}
+   \`\`\`
+
+2. **Install dependencies**
+   \`\`\`bash
+   npm install
+   \`\`\`
+
+3. **Local Development**
+   \`\`\`bash
+   # Copy secrets template
+   cp .dev.vars.example .dev.vars
+
+   # Add your secrets to .dev.vars
+
+   # Start dev server
+   npm run dev
+   \`\`\`
+
+4. **Deploy**
+   \`\`\`bash
+   npm run deploy
+   \`\`\`
+
+## AgentShield Dashboard
+
+Configure your agent at: ${dashboardUrl}
+
+- Add tool protections
+- Configure OAuth providers
+- View delegations and proofs
+
+## Environment Variables
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| \`MCP_IDENTITY_PRIVATE_KEY\` | Agent's private key | Yes |
+| \`OAUTH_ENCRYPTION_SECRET\` | OAuth state encryption | Yes |
+| \`AGENTSHIELD_API_KEY\` | AgentShield API key | Yes |
+| \`CLOUDFLARE_API_TOKEN\` | Wrangler deployment token | For CI/CD |
+
+## Adding Tools
+
+Add new tools in \`src/tools/\`:
+
+\`\`\`typescript
+// src/tools/my-tool.ts
+import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+
+export const myTool: ToolDefinition = {
+  name: "my_tool",
+  description: "Description of my tool",
+  inputSchema: {
+    type: "object",
+    properties: {
+      param1: { type: "string" },
+    },
+    required: ["param1"],
+  },
+  handler: async (args) => {
+    return {
+      content: [{ type: "text", text: \`Result: \${args.param1}\` }],
+    };
+  },
+};
+\`\`\`
+
+Then register in \`src/mcpi-runtime-config.ts\`.
+
+## License
+
+MIT
+`;
+}
+//# sourceMappingURL=generate-cloudflare-files.js.map