@kya-os/create-mcpi-app 1.7.17 → 1.7.20

package/src/helpers/fetch-xmcp-template.ts

@@ -0,0 +1,153 @@
+import { execSync } from "child_process";
+import fs from "fs-extra";
+import path from "path";
+import os from "os";
+import chalk from "chalk";
+
+interface ScaffoldTemplateOptions {
+  xmcpVersion?: string;
+  xmcpChannel?: string;
+  packageManager?: string;
+}
+
+/**
+ * Scaffold XMCP project using the upstream xmcp npm package
+ * This follows the requirements specification to use the xmcp package
+ * with default caret ^0.3.1 and support for dist-tags
+ */
+export async function fetchXMCPTemplate(
+  projectPath: string,
+  options: ScaffoldTemplateOptions = {}
+): Promise<void> {
+  const { xmcpVersion, xmcpChannel = "latest", packageManager = "npm" } = options;
+
+  // Get XMCP package configuration from environment or use defaults
+  const xmcpPackageName = process.env.XMCP_PACKAGE_NAME || "xmcp";
+  const defaultCaret = process.env.XMCP_DEFAULT_CARET || "^0.3.1";
+
+  // Determine which version to use
+  let targetVersion = xmcpVersion || defaultCaret;
+
+  // If using a channel, check if the dist-tag exists
+  if (xmcpChannel === "next") {
+    try {
+      // Check if 'next' dist-tag exists
+      execSync(`npm view ${xmcpPackageName}@next version`, {
+        stdio: 'pipe'
+      });
+      targetVersion = "next";
+    } catch (error) {
+      console.warn(chalk.yellow(`⚠️  dist-tag 'next' not available for ${xmcpPackageName}, falling back to ${defaultCaret}`));
+      targetVersion = defaultCaret;
+    }
+  }
+
+  try {
+    console.log(
+      chalk.blue(`📦 Setting up XMCP project with ${xmcpPackageName}@${targetVersion}...`)
+    );
+
+    // Create package.json with xmcp dependency
+    // NOTE: Do NOT add "type": "module" as xmcp framework generates CommonJS code
+    const packageJson = {
+      name: path.basename(projectPath),
+      version: "0.1.0",
+      dependencies: {
+        [xmcpPackageName]: targetVersion,
+        // Other dependencies will be added by apply-identity-preset
+      },
+      scripts: {
+        // Basic scripts - will be enhanced by identity preset
+        dev: "xmcp dev",
+        build: "xmcp build",
+        start: "xmcp start"
+      }
+    };
+
+    // Write package.json
+    fs.ensureDirSync(projectPath);
+    fs.writeJsonSync(path.join(projectPath, "package.json"), packageJson, { spaces: 2 });
+
+    // Create basic XMCP project structure
+    const srcDir = path.join(projectPath, "src");
+    const toolsDir = path.join(srcDir, "tools");
+    const promptsDir = path.join(srcDir, "prompts");
+    const resourcesDir = path.join(srcDir, "resources");
+
+    fs.ensureDirSync(toolsDir);
+    fs.ensureDirSync(promptsDir);
+    fs.ensureDirSync(resourcesDir);
+
+    // Create a basic greet tool (XMCP default)
+    const greetToolContent = `import { z } from "zod";
+import { type InferSchema, type ToolMetadata } from "${xmcpPackageName}";
+
+// Define the schema for tool parameters
+export const schema = {
+  name: z.string().describe("The name of the user to greet"),
+};
+
+// Define tool metadata
+export const metadata: ToolMetadata = {
+  name: "greet",
+  description: "Greet the user",
+};
+
+// Tool implementation
+export default async function greet({ name }: InferSchema<typeof schema>) {
+  return {
+    content: [
+      {
+        type: "text" as const,
+        text: \`Hello, \${name}!\`,
+      },
+    ],
+  };
+}
+`;
+
+    fs.writeFileSync(path.join(toolsDir, "greet.ts"), greetToolContent);
+
+    // Create tools index (no .js extension needed for TypeScript imports)
+    const toolsIndexContent = `export * from "./greet";\n`;
+    fs.writeFileSync(path.join(toolsDir, "index.ts"), toolsIndexContent);
+
+    // Create prompts index (placeholder for xmcp)
+    const promptsIndexContent = `// Prompts can be defined here if needed\nexport {};\n`;
+    fs.writeFileSync(path.join(promptsDir, "index.ts"), promptsIndexContent);
+
+    // Create resources index with a comment
+    // Note: We don't export anything to avoid "Invalid file path format" warnings
+    // Users can add resources here when needed
+    const resourcesIndexContent = `// Resources can be defined here if needed
+// Example:
+// export const myResource = {
+//   name: "my-resource",
+//   description: "A sample resource",
+//   uri: "file:///path/to/resource"
+// };
+`;
+    fs.writeFileSync(path.join(resourcesDir, "index.ts"), resourcesIndexContent);
+
+    // Create basic xmcp.config.ts (will be enhanced by generate-config)
+    const configContent = `export default {
+  tools: "./src/tools",
+  transport: "stdio",
+};
+`;
+    fs.writeFileSync(path.join(projectPath, "xmcp.config.ts"), configContent);
+
+    // Create .gitignore
+    const gitignoreContent = `node_modules/
+dist/
+.env
+.env.local
+`;
+    fs.writeFileSync(path.join(projectPath, ".gitignore"), gitignoreContent);
+
+    console.log(chalk.green("✅ XMCP project structure created"));
+  } catch (error) {
+    console.error(chalk.red("Failed to set up XMCP project:"), error);
+    throw error;
+  }
+}

package/src/helpers/generate-config.ts

@@ -0,0 +1,117 @@
+import fs from "fs-extra";
+import path from "path";
+import type { NodeRuntimeConfig } from "@kya-os/mcp-i";
+
+export function generateConfig(
+  projectPath: string,
+  transports: string[],
+  skipIdentity = false
+): void {
+  const hasHttp = transports.includes("http");
+  const hasStdio = transports.includes("stdio");
+
+  let configContent = `import type { XmcpConfig } from "@kya-os/mcp-i";
+
+const config: XmcpConfig = {
+  // Point to the tools directory
+  paths: {
+    tools: "./src/tools",
+  },`;
+
+  // Only add identity config if not skipped
+  if (!skipIdentity) {
+    configContent += `
+
+  // Enable MCP-I identity features
+  identity: {
+    enabled: true,
+    environment: "development",
+  },`;
+  }
+
+  if (hasHttp) {
+    configContent += `
+
+  // Enable HTTP transport
+  http: true,`;
+  }
+
+  if (hasStdio) {
+    configContent += `
+
+  // Enable STDIO transport
+  stdio: true,`;
+  }
+
+  configContent += `
+};
+
+export default config;
+`;
+
+  const configPath = path.join(projectPath, "xmcp.config.ts");
+  fs.writeFileSync(configPath, configContent);
+
+  // Generate runtime config for proof submission and delegation
+  generateRuntimeConfig(projectPath, skipIdentity);
+}
+
+/**
+ * Generate runtime config file for ProofBatchQueue and delegation
+ */
+function generateRuntimeConfig(projectPath: string, skipIdentity: boolean): void {
+  const runtimeConfigContent = `import type { NodeRuntimeConfig } from "@kya-os/mcp-i";
+import { buildBaseConfig } from "@kya-os/create-mcpi-app/config-builder";
+
+/**
+ * Runtime configuration for MCP-I server
+ *
+ * This file configures runtime features like proof submission to AgentShield,
+ * delegation verification, and audit logging.
+ *
+ * Note: Environment variables are automatically injected by the MCP-I compiler
+ * from wrangler.toml (Cloudflare) or .env (Node.js). Configure them there:
+ * - AGENTSHIELD_API_URL: AgentShield API base URL
+ * - AGENTSHIELD_API_KEY: Your AgentShield API key
+ * - MCPI_ENV: "development" or "production"
+ *
+ * This config uses the unified MCPIConfig architecture, ensuring the same
+ * base configuration shape across all platforms (Cloudflare, Node.js, Vercel).
+ */
+export function getRuntimeConfig(): NodeRuntimeConfig {
+  // Access environment variables (works in both Node.js and Cloudflare Workers)
+  // The compiler injects these from wrangler.toml or .env
+  const env = process.env;
+
+  // Build base config that works across all platforms
+  const baseConfig = buildBaseConfig(env);
+
+  // Extend with Node.js-specific properties
+  return {
+    ...baseConfig,
+    // Node.js-specific server configuration
+    server: {
+      port: parseInt(env.PORT || "3000", 10),
+      host: env.HOST || "0.0.0.0",
+      cors: true,
+      timeout: 30000
+    },
+    // Node.js-specific storage configuration
+    storage: {
+      type: "memory" as const
+    },
+    // Node.js-specific environment configuration
+    nodeEnv: {
+      environment: (env.NODE_ENV as "development" | "production" | "test") || "development",
+      debug: env.MCPI_ENV === "development"
+    }
+  } as NodeRuntimeConfig;
+}
+
+export default getRuntimeConfig();
+`;
+
+  const runtimeConfigPath = path.join(projectPath, "src", "mcpi-runtime-config.ts");
+  fs.ensureDirSync(path.join(projectPath, "src"));
+  fs.writeFileSync(runtimeConfigPath, runtimeConfigContent);
+}

package/src/helpers/generate-identity.ts

@@ -0,0 +1,163 @@
+/**
+ * Identity Generation for MCP-I Applications
+ *
+ * Generates Ed25519 keypairs and DID:key identifiers
+ * for persistent agent identity across deployments.
+ */
+
+import { webcrypto } from 'crypto';
+import baseX from 'base-x';
+
+/**
+ * Type for Web Crypto API key pair
+ */
+interface WebCryptoKeyPair {
+  privateKey: webcrypto.CryptoKey;
+  publicKey: webcrypto.CryptoKey;
+}
+
+/**
+ * Generated identity structure
+ */
+export interface GeneratedIdentity {
+  did: string;
+  kid: string;
+  privateKey: string;
+  publicKey: string;
+  createdAt: string;
+  type: 'development' | 'production';
+}
+
+/**
+ * Generate a new Ed25519 identity with DID:key
+ *
+ * @returns Promise<GeneratedIdentity> - Complete identity with keys and DID
+ */
+export async function generateIdentity(): Promise<GeneratedIdentity> {
+  // 1. Generate Ed25519 keypair using Web Crypto API
+  const keyPair = (await webcrypto.subtle.generateKey(
+    {
+      name: 'Ed25519',
+    },
+    true, // extractable
+    ['sign', 'verify']
+  )) as WebCryptoKeyPair;
+
+  // 2. Export keys in PKCS#8 (private) and SPKI (public) formats
+  const privateKeyPKCS8 = await webcrypto.subtle.exportKey('pkcs8', keyPair.privateKey);
+  const publicKeySPKI = await webcrypto.subtle.exportKey('spki', keyPair.publicKey);
+
+  // 3. Extract RAW keys from PKCS#8/SPKI wrappers
+  // This matches WebCryptoProvider.generateKeyPair() behavior
+  const privateKeyRaw = extractEd25519PrivateKey(new Uint8Array(privateKeyPKCS8 as ArrayBuffer));
+  const publicKeyRaw = extractEd25519PublicKey(Buffer.from(publicKeySPKI as ArrayBuffer).toString('base64'));
+
+  // 4. Convert to base64 strings for storage
+  const privateKey = Buffer.from(privateKeyRaw).toString('base64');
+  const publicKey = Buffer.from(publicKeyRaw).toString('base64');
+
+  // 5. Generate DID:key from raw public key bytes
+  const did = generateDIDFromPublicKeyBytes(publicKeyRaw);
+
+  // 5. Return complete identity
+  return {
+    did,
+    kid: `${did}#key-1`,
+    privateKey,
+    publicKey,
+    createdAt: new Date().toISOString(),
+    type: 'development'
+  };
+}
+
+/**
+ * Generate a DID:key identifier from raw Ed25519 public key bytes
+ *
+ * Following the DID:key specification:
+ * https://w3c-ccg.github.io/did-method-key/
+ *
+ * Format: did:key:z<multibase-base58btc(<multicodec-ed25519-pub><publicKey>)>
+ *
+ * @param publicKeyBytes - Raw 32-byte Ed25519 public key
+ * @returns DID:key string (e.g., "did:key:z6Mk...")
+ */
+function generateDIDFromPublicKeyBytes(publicKeyBytes: Uint8Array): string {
+  // 1. Ed25519 multicodec prefix (0xed 0x01)
+  const multicodecPrefix = new Uint8Array([0xed, 0x01]);
+
+  // 2. Combine multicodec prefix + public key
+  const multicodecKey = new Uint8Array(multicodecPrefix.length + publicKeyBytes.length);
+  multicodecKey.set(multicodecPrefix);
+  multicodecKey.set(publicKeyBytes, multicodecPrefix.length);
+
+  // 3. Encode with base58-btc (Bitcoin alphabet)
+  const base58 = baseX('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
+  const base58Encoded = base58.encode(multicodecKey);
+
+  // 4. Add multibase prefix 'z' for base58-btc
+  const multibaseEncoded = 'z' + base58Encoded;
+
+  return `did:key:${multibaseEncoded}`;
+}
+
+/**
+ * Extract the raw 32-byte Ed25519 private key from PKCS#8 format
+ *
+ * PKCS#8 format for Ed25519 (48 bytes total):
+ * - 16-byte header (algorithm identifier, version, etc.)
+ * - 32-byte raw Ed25519 private key
+ *
+ * @param pkcs8 - PKCS#8 private key as Uint8Array
+ * @returns Uint8Array - Raw 32-byte Ed25519 private key
+ */
+function extractEd25519PrivateKey(pkcs8: Uint8Array): Uint8Array {
+  // Extract bytes 16-48 (the raw 32-byte key)
+  // This matches WebCryptoProvider.extractRawPrivateKey()
+  return pkcs8.slice(16, 48);
+}
+
+/**
+ * Extract the raw 32-byte Ed25519 public key from SPKI format
+ *
+ * SPKI (SubjectPublicKeyInfo) format:
+ * - 12-byte header (algorithm identifier)
+ * - 32-byte raw Ed25519 public key
+ *
+ * @param publicKey - Base64-encoded SPKI public key
+ * @returns Uint8Array - Raw 32-byte Ed25519 public key
+ */
+function extractEd25519PublicKey(publicKey: string): Uint8Array {
+  const spkiBytes = Buffer.from(publicKey, 'base64');
+
+  // SPKI format: 12-byte header + 32-byte public key
+  // We extract the last 32 bytes
+  // This matches WebCryptoProvider.extractRawPublicKey()
+  return spkiBytes.slice(-32);
+}
+
+/**
+ * Validate that a string is a valid DID:key identifier
+ *
+ * @param did - String to validate
+ * @returns boolean - True if valid DID:key format
+ */
+export function isValidDIDKey(did: string): boolean {
+  // DID:key format: did:key:z<base58-encoded-multicodec-key>
+  const didKeyRegex = /^did:key:z[1-9A-HJ-NP-Za-km-z]{47,}$/;
+  return didKeyRegex.test(did);
+}
+
+/**
+ * Extract the base58-encoded multicodec key from a DID:key
+ *
+ * @param did - DID:key identifier
+ * @returns string - Base58-encoded multicodec key (without 'z' prefix)
+ */
+export function extractMultibaseFromDID(did: string): string | null {
+  if (!isValidDIDKey(did)) {
+    return null;
+  }
+
+  // Remove "did:key:z" prefix
+  return did.slice('did:key:z'.length);
+}

package/src/helpers/identity-manager.ts

@@ -0,0 +1,186 @@
+/**
+ * Identity Management Utilities
+ *
+ * Provides functions for resetting and regenerating MCP-I identities
+ * for both Node.js (.mcpi/identity.json) and Cloudflare Workers (wrangler.toml).
+ */
+
+import fs from 'fs-extra';
+import path from 'path';
+import chalk from 'chalk';
+import { generateIdentity } from './generate-identity.js';
+
+/**
+ * Check if a directory is a Node.js MCP-I project
+ */
+export function isNodeMcpiProject(projectPath: string): boolean {
+  const identityPath = path.join(projectPath, '.mcpi', 'identity.json');
+  const configPath = path.join(projectPath, 'xmcp.config.ts');
+  return fs.existsSync(identityPath) || fs.existsSync(configPath);
+}
+
+/**
+ * Check if a directory is a Cloudflare Worker MCP-I project
+ */
+export function isCloudflareProject(projectPath: string): boolean {
+  const wranglerPath = path.join(projectPath, 'wrangler.toml');
+  if (!fs.existsSync(wranglerPath)) {
+    return false;
+  }
+  // Check if wrangler.toml contains MCP-I or MCP-related content
+  const content = fs.readFileSync(wranglerPath, 'utf8');
+  return (
+    content.includes('MCP_IDENTITY_AGENT_DID') ||
+    content.includes('[[durable_objects.bindings]]') ||
+    content.includes('AGENTSHIELD_API_KEY')
+  );
+}
+
+/**
+ * Reset identity by deleting existing identity files
+ */
+export async function resetIdentity(projectPath: string = process.cwd()): Promise<void> {
+  console.log(chalk.cyan('\n🔄 Resetting identity...'));
+
+  let identityFound = false;
+
+  // Check for Node.js project
+  const mcpiDir = path.join(projectPath, '.mcpi');
+  const identityPath = path.join(mcpiDir, 'identity.json');
+
+  if (fs.existsSync(identityPath)) {
+    fs.removeSync(identityPath);
+    console.log(chalk.green('✅ Removed Node.js identity file'));
+    console.log(chalk.dim(`   Deleted: ${identityPath}`));
+    identityFound = true;
+  }
+
+  // Check for Cloudflare project
+  const wranglerPath = path.join(projectPath, 'wrangler.toml');
+  const devVarsPath = path.join(projectPath, '.dev.vars');
+
+  if (fs.existsSync(wranglerPath)) {
+    let content = fs.readFileSync(wranglerPath, 'utf8');
+
+    if (content.includes('MCP_IDENTITY_AGENT_DID')) {
+      // Remove identity variables from wrangler.toml (handles both old and new formats)
+      content = content.replace(
+        /# Persistent Identity.*?\nMCP_IDENTITY_AGENT_DID = ".*?"\nMCP_IDENTITY_PRIVATE_KEY = ".*?"\nMCP_IDENTITY_PUBLIC_KEY = ".*?"\n/gs,
+        ''
+      );
+      content = content.replace(
+        /# Persistent Identity.*?\nMCP_IDENTITY_AGENT_DID = ".*?"\n/gs,
+        ''
+      );
+
+      fs.writeFileSync(wranglerPath, content);
+      console.log(chalk.green('✅ Removed Cloudflare Worker identity variables'));
+      console.log(chalk.dim(`   Updated: ${wranglerPath}`));
+      identityFound = true;
+    }
+
+    // Remove .dev.vars if it exists
+    if (fs.existsSync(devVarsPath)) {
+      fs.removeSync(devVarsPath);
+      console.log(chalk.green('✅ Removed .dev.vars file'));
+      console.log(chalk.dim(`   Deleted: ${devVarsPath}`));
+      identityFound = true;
+    }
+  }
+
+  // Check if any identity was found
+  if (!identityFound) {
+    console.log(chalk.yellow('⚠️  No identity found to reset'));
+    return;
+  }
+
+  console.log(chalk.green('\n✨ Identity reset complete'));
+  console.log(chalk.dim('   Run regenerate command to create a new identity'));
+}
+
+/**
+ * Regenerate identity by creating a new one
+ */
+export async function regenerateIdentity(projectPath: string = process.cwd()): Promise<void> {
+  console.log(chalk.cyan('\n🔄 Regenerating identity...'));
+
+  const isNode = isNodeMcpiProject(projectPath);
+  const isCloudflare = isCloudflareProject(projectPath);
+
+  if (!isNode && !isCloudflare) {
+    console.log(chalk.red('❌ Not an MCP-I project'));
+    console.log(chalk.dim('   Could not detect .mcpi/identity.json or wrangler.toml with MCP_IDENTITY variables'));
+    process.exit(1);
+  }
+
+  // Generate new identity
+  const identity = await generateIdentity();
+
+  // Node.js project
+  if (isNode) {
+    const mcpiDir = path.join(projectPath, '.mcpi');
+    fs.ensureDirSync(mcpiDir);
+
+    const identityPath = path.join(mcpiDir, 'identity.json');
+    fs.writeJsonSync(identityPath, identity, { spaces: 2 });
+
+    console.log(chalk.green('✅ Generated new Node.js identity'));
+    console.log(chalk.dim(`   DID: ${identity.did}`));
+    console.log(chalk.dim(`   Saved to: ${identityPath}`));
+  }
+
+  // Cloudflare Worker project
+  if (isCloudflare) {
+    const wranglerPath = path.join(projectPath, 'wrangler.toml');
+    const devVarsPath = path.join(projectPath, '.dev.vars');
+    let wranglerContent = fs.readFileSync(wranglerPath, 'utf8');
+
+    // Remove old identity if exists from wrangler.toml
+    wranglerContent = wranglerContent.replace(
+      /# Persistent Identity.*?\nMCP_IDENTITY_AGENT_DID = ".*?"\nMCP_IDENTITY_PRIVATE_KEY = ".*?"\nMCP_IDENTITY_PUBLIC_KEY = ".*?"\n/gs,
+      ''
+    );
+
+    // Remove old DID-only format if exists
+    wranglerContent = wranglerContent.replace(
+      /# Persistent Identity.*?\nMCP_IDENTITY_AGENT_DID = ".*?"\n/gs,
+      ''
+    );
+
+    // Write private keys to .dev.vars (git-ignored)
+    const devVarsContent = `# MCP-I Identity Private Keys (NEVER COMMIT THIS FILE)
+# Generated by create-mcpi-app
+MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
+MCP_IDENTITY_PUBLIC_KEY="${identity.publicKey}"
+`;
+    fs.writeFileSync(devVarsPath, devVarsContent);
+
+    // Add only public DID to wrangler.toml
+    const varsMatch = wranglerContent.match(/\[vars\]/);
+    if (varsMatch) {
+      const insertPosition = varsMatch.index! + varsMatch[0].length;
+      const identityVars = `
+# Persistent Identity (generated by create-mcpi-app)
+# Public DID - safe to commit
+MCP_IDENTITY_AGENT_DID = "${identity.did}"
+`;
+
+      wranglerContent =
+        wranglerContent.slice(0, insertPosition) +
+        identityVars +
+        wranglerContent.slice(insertPosition);
+
+      fs.writeFileSync(wranglerPath, wranglerContent);
+
+      console.log(chalk.green('✅ Generated new Cloudflare Worker identity'));
+      console.log(chalk.dim(`   DID: ${identity.did}`));
+      console.log(chalk.dim(`   Public DID saved to: ${wranglerPath}`));
+      console.log(chalk.dim(`   Private keys saved to: ${devVarsPath}`));
+      console.log(chalk.yellow('   ⚠️  NEVER commit .dev.vars to version control!'));
+    } else {
+      console.log(chalk.yellow('⚠️  Could not find [vars] section in wrangler.toml'));
+    }
+  }
+
+  console.log(chalk.green('\n✨ Identity regeneration complete'));
+}

package/src/helpers/install.ts

@@ -0,0 +1,79 @@
+import { execSync } from "child_process";
+import fs from "fs-extra";
+import path from "path";
+import chalk from "chalk";
+
+export function detectPackageManager(
+  projectPath: string
+): "npm" | "yarn" | "pnpm" | null {
+  if (fs.existsSync(path.join(projectPath, "pnpm-lock.yaml"))) {
+    return "pnpm";
+  }
+  if (fs.existsSync(path.join(projectPath, "yarn.lock"))) {
+    return "yarn";
+  }
+  if (fs.existsSync(path.join(projectPath, "package-lock.json"))) {
+    return "npm";
+  }
+  return null;
+}
+
+export function install(
+  projectPath: string,
+  packageManager: string,
+  packageVersion: string
+): void {
+  console.log(`\n📦 Installing dependencies with ${packageManager}...`);
+
+  const command =
+    packageManager === "yarn"
+      ? "yarn install"
+      : packageManager === "pnpm"
+        ? "pnpm install"
+        : "npm install";
+
+  try {
+    execSync(command, {
+      cwd: projectPath,
+      stdio: "inherit",
+    });
+
+    // Check for lockfile and provide guidance
+    checkLockfile(projectPath, packageManager);
+  } catch (error) {
+    console.error(`Failed to install dependencies with ${packageManager}.`);
+    throw error;
+  }
+}
+
+function checkLockfile(projectPath: string, packageManager: string): void {
+  const lockfiles = {
+    npm: "package-lock.json",
+    yarn: "yarn.lock",
+    pnpm: "pnpm-lock.yaml",
+  };
+
+  const expectedLockfile = lockfiles[packageManager as keyof typeof lockfiles];
+  
+  // Handle unknown package managers gracefully
+  if (!expectedLockfile) {
+    console.warn(
+      chalk.yellow(`⚠️  Warning: Unknown package manager "${packageManager}", cannot check lockfile`)
+    );
+    return;
+  }
+  
+  const lockfilePath = path.join(projectPath, expectedLockfile);
+
+  if (fs.existsSync(lockfilePath)) {
+    console.log(
+      chalk.gray(
+        `✓ Lockfile created (${expectedLockfile}) - remember to commit it`
+      )
+    );
+  } else {
+    console.warn(
+      chalk.yellow(`⚠️  Warning: No lockfile generated (${expectedLockfile})`)
+    );
+  }
+}