@kya-os/create-mcpi-app 1.7.25 → 1.7.27

package/.turbo/turbo-test$colon$coverage.log

@@ -1,81 +1,97 @@
 
 
-> @kya-os/create-mcpi-app@1.7.18 test:coverage /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/create-mcpi-app
+> @kya-os/create-mcpi-app@1.7.26 test:coverage /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/create-mcpi-app
 > vitest --run --coverage
 
-[?25l
+[?25l▲ [WARNING] The condition "types" here will never be used as it comes after both "import" and "require" [package.json]
+
+    package.json:15:6:
+      15 │       "types": "./dist/index.d.ts"
+         ╵       ~~~~~~~
+
+  The "import" condition comes earlier and will be used for all "import" statements:
+
+    package.json:13:6:
+      13 │       "import": "./dist/index.js",
+         ╵       ~~~~~~~~
+
+  The "require" condition comes earlier and will be used for all "require" calls:
+
+    package.json:14:6:
+      14 │       "require": "./dist/index.js",
+         ╵       ~~~~~~~~~
+
+▲ [WARNING] The condition "types" here will never be used as it comes after both "import" and "require" [package.json]
+
+    package.json:20:6:
+      20 │       "types": "./dist/helpers/config-builder.d.ts"
+         ╵       ~~~~~~~
+
+  The "import" condition comes earlier and will be used for all "import" statements:
+
+    package.json:18:6:
+      18 │       "import": "./dist/helpers/config-builder.js",
+         ╵       ~~~~~~~~
+
+  The "require" condition comes earlier and will be used for all "require" calls:
+
+    package.json:19:6:
+      19 │       "require": "./dist/helpers/config-builder.js",
+         ╵       ~~~~~~~~~
+
+
  RUN  v4.0.5 /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/create-mcpi-app
       Coverage enabled with v8
 
 [?2026h
- ❯ src/__tests__/helpers/generate-identity.test.ts [queued]
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
 
  Test Files 0 passed (12)
       Tests 0 passed (0)
-   Start at 11:56:38
-   Duration 202ms
+   Start at 14:20:47
+   Duration 201ms
 [?2026l[?2026h
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
  ❯ src/__tests__/helpers/generate-identity.test.ts [queued]
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/cache-invalidation.test.ts [queued]
- ❯ test-cloudflare/tests/cors-security.test.ts [queued]
- ❯ test-cloudflare/tests/session-management.test.ts [queued]
+ ❯ test-cloudflare/tests/delegation.test.ts 0/12
 
  Test Files 0 passed (12)
-      Tests 0 passed (0)
-   Start at 11:56:38
-   Duration 305ms
-[?2026l[?2026h
+      Tests 0 passed (12)
+   Start at 14:20:47
+   Duration 509ms
+[?2026l[?2026h
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
  ❯ src/__tests__/helpers/generate-identity.test.ts [queued]
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/cache-invalidation.test.ts [queued]
- ❯ test-cloudflare/tests/cors-security.test.ts 1/29
- ❯ test-cloudflare/tests/delegation.test.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts [queued]
- ❯ test-cloudflare/tests/session-management.test.ts 0/17
+ ❯ test-cloudflare/tests/cors-security.test.ts [queued]
+ ❯ test-cloudflare/tests/delegation.test.ts 0/12
 
  Test Files 0 passed (12)
-      Tests 1 passed (46)
-   Start at 11:56:38
-   Duration 439ms
-[?2026l[?2026h ✓ test-cloudflare/tests/cors-security.test.ts (29 tests) 48ms
-stdout | test-cloudflare/tests/session-management.test.ts > Session Management > Session Security > should not expose session data in logs
-[Session] Created session: secure-session
-
- ✓ test-cloudflare/tests/session-management.test.ts (17 tests) 57ms
- ✓ test-cloudflare/tests/delegation.test.ts (12 tests) 5ms
- ✓ test-cloudflare/tests/cache-invalidation.test.ts (18 tests) 11ms
+      Tests 0 passed (12)
+   Start at 14:20:47
+   Duration 637ms
+[?2026l[?2026h ✓ test-cloudflare/tests/delegation.test.ts (12 tests) 8ms
+ ✓ test-cloudflare/tests/cors-security.test.ts (29 tests) 5ms
+ ✓ src/__tests__/helpers/generate-identity.test.ts (24 tests) 34ms
 
  ❯ src/__tests__/cloudflare-template.test.ts [queued]
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts [queued]
- ❯ src/__tests__/helpers/generate-identity.test.ts 0/24
  ❯ src/__tests__/helpers/install.test.ts [queued]
  ❯ src/__tests__/helpers/validate-project-structure.test.ts [queued]
  ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
+ ❯ test-cloudflare/tests/cache-invalidation.test.ts 1/18
  ❯ test-cloudflare/tests/do-routing.test.ts 0/14
+ ❯ test-cloudflare/tests/session-management.test.ts 0/17
 
- Test Files 4 passed (12)
-      Tests 76 passed (114)
-   Start at 11:56:38
-   Duration 539ms
-[?2026l[?2026hstderr | src/helpers/__tests__/config-builder.spec.ts > buildConfigWithRemote > should fallback to local config when remote fetch fails
-[RemoteConfig] Neither projectId nor agentDid provided
-
-
- ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
- ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ Test Files 3 passed (12)
+      Tests 66 passed (133)
+   Start at 14:20:47
+   Duration 739ms
+[?2026l[?2026h ✓ test-cloudflare/tests/cache-invalidation.test.ts (18 tests) 6ms
+stdout | test-cloudflare/tests/session-management.test.ts > Session Management > Session Security > should not expose session data in logs
+[Session] Created session: secure-session
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026h ✓ src/__tests__/helpers/generate-identity.test.ts (24 tests) 44ms
- ✓ src/helpers/__tests__/config-builder.spec.ts (12 tests) 6ms
+ ✓ test-cloudflare/tests/session-management.test.ts (17 tests) 54ms
 stdout | src/__tests__/helpers/install.test.ts > install > Dependency installation > should install dependencies with npm
 
 📦 Installing dependencies with npm...
@@ -98,32 +114,34 @@
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should report correct package manager in log
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should report correct package manager in log
 ⚠️  Warning: No lockfile generated (pnpm-lock.yaml)
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should check for lockfile after installation
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should check for lockfile after installation
 
 📦 Installing dependencies with npm...
 ✓ Lockfile created (package-lock.json) - remember to commit it
@@ -134,182 +152,1069 @@
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should throw error when installation fails
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should throw error when installation fails
 Failed to install dependencies with npm.
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
 
 📦 Installing dependencies with npm...
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
 Failed to install dependencies with npm.
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
 
 📦 Installing dependencies with npm...
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
 Failed to install dependencies with npm.
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
- Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should log error message when installation fails
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should log error message when installation fails
 
 📦 Installing dependencies with npm...
 
-stdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
-
-📦 Installing dependencies with unknown...
-
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
+ ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 1/14
 
+ Test Files 5 passed (12)
+      Tests 105 passed (225)
+   Start at 14:20:47
+   Duration 840ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
+
+📦 Installing dependencies with unknown...
+
+
+ ❯ src/__tests__/cloudflare-template.test.ts 2/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/generate-config.test.ts 18/25
+ ❯ src/__tests__/helpers/validate-project-structure.test.ts 18/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
+ ❯ test-cloudflare/tests/do-routing.test.ts 10/14
+
  Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
+      Tests 172 passed (225)
+   Start at 14:20:47
+   Duration 1.00s
 [?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
 ⚠️  Warning: Unknown package manager "unknown", cannot check lockfile
 
 
- ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
- ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ src/__tests__/cloudflare-template.test.ts 2/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/generate-config.test.ts 18/25
+ ❯ src/__tests__/helpers/validate-project-structure.test.ts 18/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
+ ❯ test-cloudflare/tests/do-routing.test.ts 10/14
 
  Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
+      Tests 172 passed (225)
+   Start at 14:20:47
+   Duration 1.00s
 [?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Lockfile validation > should warn when lockfile not created
 
 📦 Installing dependencies with npm...
 
+ ✓ src/__tests__/helpers/install.test.ts (20 tests) 79ms
 
- ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
- ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 1/20
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ src/__tests__/cloudflare-template.test.ts 2/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/generate-config.test.ts 18/25
+ ❯ src/__tests__/helpers/validate-project-structure.test.ts 18/23
+ ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
+ ❯ test-cloudflare/tests/do-routing.test.ts 10/14
 
  Test Files 6 passed (12)
-      Tests 114 passed (237)
-   Start at 11:56:38
-   Duration 645ms
-[?2026l[?2026h ✓ src/__tests__/helpers/install.test.ts (20 tests) 56ms
- ✓ test-cloudflare/tests/do-routing.test.ts (14 tests) 200ms
- ✓ src/__tests__/helpers/generate-config.test.ts (25 tests) 84ms
- ✓ src/__tests__/helpers/validate-project-structure.test.ts (23 tests) 90ms
-
-
- ❯ src/__tests__/cloudflare-template.test.ts 5/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 2/19
-
- Test Files 10 passed (12)
-      Tests 201 passed (237)
-   Start at 11:56:38
-   Duration 852ms
-[?2026l[?2026h ✓ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts (19 tests) 261ms
- ✓ src/__tests__/cloudflare-template.test.ts (24 tests) 297ms
-
-
-
- Test Files 12 passed (12)
-      Tests 237 passed (237)
-   Start at 11:56:38
-   Duration 953ms
-[?2026l
- Test Files  12 passed (12)
-      Tests  237 passed (237)
-   Start at  11:56:38
-   Duration  1.06s (transform 749ms, setup 0ms, collect 1.70s, tests 1.16s, environment 1ms, prepare 693ms)
-
- % Coverage report from v8
------------------------------------|---------|----------|---------|---------|---------------------
-File                               | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s   
------------------------------------|---------|----------|---------|---------|---------------------
-All files                          |   97.36 |    95.48 |     100 |   97.36 |                     
- config-builder.ts                 |     100 |      100 |     100 |     100 |                     
- fetch-cloudflare-mcpi-template.ts |   94.69 |    90.16 |     100 |   94.69 | 1836,1842,1931-1939 
- generate-config.ts                |     100 |      100 |     100 |     100 |                     
- generate-identity.ts              |     100 |      100 |     100 |     100 |                     
- install.ts                        |     100 |      100 |     100 |     100 |                     
- validate-project-structure.ts     |     100 |      100 |     100 |     100 |                     
------------------------------------|---------|----------|---------|---------|---------------------
-[?25h
+      Tests 172 passed (225)
+   Start at 14:20:47
+   Duration 1.00s
+[?2026l[?2026hstderr | src/helpers/__tests__/config-builder.spec.ts > buildConfigWithRemote > should fallback to local config when remote fetch fails
+[RemoteConfig] Neither projectId nor agentDid provided
+
+
+
+
+ ❯ src/__tests__/cloudflare-template.test.ts 4/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 18/19
+
+ Test Files 1 failed | 9 passed (12)
+      Tests 1 failed | 215 passed (237)
+   Start at 14:20:47
+   Duration 1.10s
+[?2026l[?2026h ✓ src/__tests__/helpers/validate-project-structure.test.ts (23 tests) 128ms
+ ✓ src/__tests__/helpers/generate-config.test.ts (25 tests) 197ms
+ ✓ src/helpers/__tests__/config-builder.spec.ts (12 tests) 6ms
+ ❯ test-cloudflare/tests/do-routing.test.ts (14 tests | 1 failed) 320ms
+       ✓ should route to different instances for different sessions 15ms
+       ✓ should route to same instance for same session 0ms
+       ✓ should handle both mcp-session-id header casings 0ms
+       ✓ should generate random session if header missing 0ms
+       ✓ should distribute requests across shards 50ms
+       ✓ should consistently route same session to same shard 0ms
+       ✓ should respect custom shard count 2ms
+       ✓ should fall back to default when strategy unknown 0ms
+       ✓ should use session strategy when not configured 0ms
+       ✓ session routing should have O(1) complexity 85ms
+       × shard routing should have O(n) complexity for hash 164ms
+       ✓ should handle empty session ID 0ms
+       ✓ should handle non-numeric shard count 0ms
+       ✓ should handle special characters in session ID 1ms
+
+ ❯ src/__tests__/cloudflare-template.test.ts 4/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 18/19
+
+ Test Files 1 failed | 9 passed (12)
+      Tests 1 failed | 215 passed (237)
+   Start at 14:20:47
+   Duration 1.10s
+[?2026l ✓ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts (19 tests) 391ms
+ ❯ src/__tests__/cloudflare-template.test.ts (24 tests | 1 failed) 381ms
+       ✓ should create all required files and directories 40ms
+       ✓ should create mcpi-runtime-config.ts with correct structure 30ms
+       ✓ should create index.ts with correct structure 95ms
+       ✓ should include MCP_SERVER_URL placeholder in wrangler.toml 26ms
+       × should log warning when MCP_SERVER_URL not configured 27ms
+       ✓ should store MCP_SERVER_URL in class property 22ms
+       ✓ should include all required KV namespace bindings in wrangler.toml 11ms
+       ✓ should create KV namespace creation scripts in package.json 9ms
+       ✓ should create KV namespace listing scripts 8ms
+       ✓ should include tool protection configuration in runtime config 9ms
+       ✓ should include CloudflareRuntime import for tool protection 7ms
+       ✓ should conditionally enable tool protection KV when API key provided 12ms
+       ✓ should comment out tool protection KV when no API key provided 9ms
+       ✓ should generate identity when skipIdentity is false 7ms
+       ✓ should skip identity generation when skipIdentity is true 4ms
+       ✓ should include identity variables in wrangler.toml 10ms
+       ✓ should create .dev.vars.example template 9ms
+       ✓ should handle file system errors gracefully 1ms
+       ✓ should handle invalid project names 6ms
+       ✓ should use correct package manager in scripts 8ms
+       ✓ should create correct package.json structure 11ms
+       ✓ should create greet tool with correct structure 8ms
+       ✓ should create test files with correct structure 6ms
+       ✓ should create README with project name 5ms
+
+⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯ Failed Tests 2 ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
+
+ FAIL  src/__tests__/cloudflare-template.test.ts > Cloudflare Template Generation > MCP_SERVER_URL configuration > should log warning when MCP_SERVER_URL not configured
+AssertionError: expected 'import { McpAgent } from "agents/mcp"…' to contain 'Warning: MCP_SERVER_URL not configured'
+
+- Expected
++ Received
+
+- Warning: MCP_SERVER_URL not configured
++ import { McpAgent } from "agents/mcp";
++ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
++ import { createCloudflareRuntime, type CloudflareEnv, KVProofArchive, type DetachedProof, createOAuthCallbackHandler, CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";
++ import { DelegationRequiredError } from "@kya-os/mcp-i-core";
++ import type { ToolProtectionService } from "@kya-os/mcp-i-core";
++ import { Hono } from "hono";
++ import { cors } from "hono/cors";
++ import { greetTool } from "./tools/greet";
++ import { getRuntimeConfig } from "./mcpi-runtime-config";
++ import type { CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare/config";
++
++ /**
++  * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
++  * This allows multiple agents to share the same Cloudflare account without conflicts
++  */
++ interface PrefixedCloudflareEnv extends CloudflareEnv {
++   // Prefixed KV bindings (e.g., MYAGENT_NONCE_CACHE, MYAGENT_PROOF_ARCHIVE)
++   [key: string]: KVNamespace | string | DurableObjectState | undefined;
++   // Optional routing configuration
++   DO_ROUTING_STRATEGY?: string;
++   DO_SHARD_COUNT?: string;
++   // Prefixed KV namespaces (dynamically accessed)
++   TESTPROJECT_NONCE_CACHE?: KVNamespace;
++   TESTPROJECT_PROOF_ARCHIVE?: KVNamespace;
++   TESTPROJECT_IDENTITY_STORAGE?: KVNamespace;
++   TESTPROJECT_DELEGATION_STORAGE?: KVNamespace;
++   TESTPROJECT_TOOL_PROTECTION_KV?: KVNamespace;
++ }
++
++ export class TestprojectMCP extends McpAgent {
++   server = new McpServer({
++     name: "test-project",
++     version: "1.0.0"
++   });
++
++   private mcpiRuntime?: ReturnType<typeof createCloudflareRuntime>;
++   private proofArchive?: KVProofArchive;
++   private agentShieldConfig?: { apiUrl: string; apiKey: string };
++   private env: PrefixedCloudflareEnv;
++   private mcpServerUrl?: string;
++
++   constructor(state: DurableObjectState, env: PrefixedCloudflareEnv) {
++     super(state, env);
++     this.env = env;
++
++     // Create CloudflareEnv adapter to map prefixed KV bindings to expected names
++     // This allows multiple agents to be deployed without KV namespace conflicts
++     const mappedEnv: CloudflareEnv = {
++       // Map prefixed bindings to standard names expected by createCloudflareRuntime
++       NONCE_CACHE: env.TESTPROJECT_NONCE_CACHE,
++       PROOF_ARCHIVE: env.TESTPROJECT_PROOF_ARCHIVE,
++       IDENTITY_STORAGE: env.TESTPROJECT_IDENTITY_STORAGE,
++       DELEGATION_STORAGE: env.TESTPROJECT_DELEGATION_STORAGE,
++       TOOL_PROTECTION_KV: env.TESTPROJECT_TOOL_PROTECTION_KV,
++       // Pass through environment variables unchanged
++       MCP_IDENTITY_PRIVATE_KEY: env.MCP_IDENTITY_PRIVATE_KEY,
++       MCP_IDENTITY_PUBLIC_KEY: env.MCP_IDENTITY_PUBLIC_KEY,
++       MCP_IDENTITY_AGENT_DID: env.MCP_IDENTITY_AGENT_DID,
++       // Pass through other env vars for runtime config
++       AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
++       AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
++       AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
++       MCPI_ENV: env.MCPI_ENV,
++       MCP_SERVER_URL: env.MCP_SERVER_URL,
++       // Pass Durable Object state for identity persistence
++       // NOTE: Without this, identity will be ephemeral (new DID every call)!
++       // Note: createCloudflareRuntime will automatically use KVIdentityProvider if IDENTITY_STORAGE KV is available
++       _durableObjectState: state,
++     };
++
++     // Store MCP server URL for proof submission context
++     // Auto-detect from request URL if not explicitly set (will be set in fetch handler)
++     this.mcpServerUrl = env.MCP_SERVER_URL;
++     if (this.mcpServerUrl) {
++       // Ensure URL includes /mcp path if not already present
++       if (!this.mcpServerUrl.endsWith('/mcp')) {
++         this.mcpServerUrl = this.mcpServerUrl.replace(//$/, '') + '/mcp';
++       }
++       console.log('[MCP-I] MCP Server URL configured:', this.mcpServerUrl);
++     } else {
++       // Will be auto-detected from request URL in fetch handler
++       console.log('[MCP-I] MCP Server URL will be auto-detected from request');
++     }
++
++     // Load runtime configuration for AgentShield integration
++     // Pass mappedEnv so it can access KV bindings with standard names
++     const runtimeConfig = getRuntimeConfig(mappedEnv);
++
++     // ✅ Create tool protection service helper function
++     // Always import CloudflareRuntime but conditionally instantiate
++     function createToolProtectionService(env: CloudflareEnv, runtimeConfig: CloudflareRuntimeConfig): ToolProtectionService | undefined {
++       if (!runtimeConfig.toolProtection) {
++         return undefined;
++       }
++
++       if (!env.TOOL_PROTECTION_KV || !env.AGENTSHIELD_API_KEY) {
++         console.log('[MCP-I] Tool protection disabled - configure TOOL_PROTECTION_KV and AGENTSHIELD_API_KEY to enable');
++         return undefined;
++       }
++
++       return CloudflareRuntime.createToolProtectionService(
++         env.TOOL_PROTECTION_KV,
++         {
++           apiUrl: runtimeConfig.toolProtection.agentShield?.apiUrl || env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
++           apiKey: env.AGENTSHIELD_API_KEY,
++           projectId: runtimeConfig.toolProtection.agentShield?.projectId || env.AGENTSHIELD_PROJECT_ID,
++           cacheTtl: runtimeConfig.toolProtection.agentShield?.cacheTtl || 300000,
++           debug: runtimeConfig.environment === 'development',
++           fallbackConfig: runtimeConfig.toolProtection.fallback
++         }
++       );
++     }
++
++     // Create tool protection service if configured
++     // Note: createCloudflareRuntime will automatically use KVIdentityProvider if IDENTITY_STORAGE KV is available
++     const toolProtectionService = createToolProtectionService(mappedEnv, runtimeConfig);
++
++     // Initialize MCP-I runtime for cryptographic proofs and identity
++     this.mcpiRuntime = createCloudflareRuntime({
++       env: mappedEnv,
++       environment: runtimeConfig.environment,
++       audit: {
++         enabled: runtimeConfig.audit?.enabled ?? true,
++         logFunction: runtimeConfig.audit?.logFunction || ((record) => console.log('[MCP-I Audit]', record))
++       },
++       toolProtectionService
++     });
++
++     // Initialize proof archive if PROOF_ARCHIVE KV is available
++     if (mappedEnv.PROOF_ARCHIVE) {
++       this.proofArchive = new KVProofArchive(mappedEnv.PROOF_ARCHIVE);
++       console.log('[MCP-I] Proof archive enabled');
++     }
++
++     // Load AgentShield config for proof submission
++     if (runtimeConfig.proofing?.enabled && runtimeConfig.proofing.batchQueue) {
++       const agentShieldDest = runtimeConfig.proofing.batchQueue.destinations?.find(
++         (dest) => dest.type === "agentshield" && dest.apiKey
++       );
++       if (agentShieldDest) {
++         this.agentShieldConfig = {
++           apiUrl: agentShieldDest.apiUrl,
++           apiKey: agentShieldDest.apiKey!
++         };
++         console.log('[MCP-I] AgentShield enabled:', agentShieldDest.apiUrl);
++       }
++     }
++   }
++
++   /**
++    * Handle incoming requests
++    * Auto-detects MCP Server URL from request if not explicitly configured
++    */
++   async fetch(request: Request): Promise<Response> {
++     // Auto-detect MCP Server URL from request if not already set
++     if (!this.mcpServerUrl && request.url) {
++       try {
++         const requestUrl = new URL(request.url);
++         // Extract origin and ensure /mcp path is included
++         this.mcpServerUrl = requestUrl.origin + '/mcp';
++         console.log('[MCP-I] MCP Server URL auto-detected from request:', this.mcpServerUrl);
++       } catch (error) {
++         console.warn('[MCP-I] Failed to auto-detect MCP Server URL from request:', error);
++       }
++     }
++
++     // Delegate to McpAgent's fetch handler
++     return super.fetch(request);
++   }
++
++   /**
++    * Override getInstanceId() to enable multi-instance Durable Object routing
++    *
++    * This method is called internally by McpAgent to determine which DO instance
++    * should handle the request. By overriding it, we can implement custom routing
++    * strategies (session-based, shard-based, etc.) while maintaining full
++    * McpAgent compatibility and preserving PartyServer routing context.
++    *
++    * @returns Instance ID used by McpAgent for DO routing
++    */
++   getInstanceId(): string {
++     try {
++       // Get session ID from McpAgent's built-in extraction
++       const sessionId = this.getSessionId();
++
++       // Get routing strategy from environment (default: session)
++       const strategy = this.env.DO_ROUTING_STRATEGY || 'session';
++
++       if (strategy === 'session') {
++         // One DO instance per MCP session (recommended for most use cases)
++         // Sessions are isolated, ensuring data consistency per client
++         return `session:${sessionId}`;
++       } else if (strategy === 'shard') {
++         // Hash-based sharding across N DO instances (for high load)
++         // Distributes load evenly while maintaining session affinity
++         const shardCount = parseInt(this.env.DO_SHARD_COUNT || '10');
++         // Validate shard count - must be a valid positive number
++         const validShardCount = (!isNaN(shardCount) && shardCount > 0) ? shardCount : 10;
++
++         // Simple hash function for session ID
++         let hash = 0;
++         for (let i = 0; i < sessionId.length; i++) {
++           hash = ((hash << 5) - hash) + sessionId.charCodeAt(i);
++           hash = hash & hash; // Convert to 32bit integer
++         }
++
++         const shard = Math.abs(hash) % validShardCount;
++         return `shard:${shard}`;
++       }
++
++       // Fallback to single instance (legacy behavior)
++       return 'default';
++     } catch (error) {
++       // If session extraction fails, fall back to default instance
++       console.error('[DO Routing] Failed to extract session ID:', error);
++       return 'default';
++     }
++   }
++
++   /**
++    * Retrieve delegation token from KV storage
++    * Uses two-tier lookup: session cache (fast) → agent DID (stable)
++    *
++    * @param sessionId - MCP session ID from Claude Desktop
++    * @returns Delegation token if found, null otherwise
++    */
++   private async getDelegationToken(sessionId?: string): Promise<string | null> {
++     const delegationStorage = this.env.TESTPROJECT_DELEGATION_STORAGE;
++
++     if (!delegationStorage) {
++       console.log('[Delegation] No delegation storage configured');
++       return null;
++     }
++
++     try {
++       // Fast path: Try session cache first
++       if (sessionId) {
++         const sessionKey = `session:${sessionId}`;
++         const sessionToken = await delegationStorage.get(sessionKey);
++
++         if (sessionToken) {
++           // Verify token is still valid before returning
++           const isValid = await this.verifyDelegationWithAgentShield(sessionToken);
++           if (isValid) {
++             console.log('[Delegation] ✅ Token retrieved from session cache and verified');
++             return sessionToken;
++           } else {
++             // Token invalid, remove from cache
++             await this.invalidateDelegationCache(sessionId, sessionToken);
++             console.log('[Delegation] ⚠️ Cached token was invalid, removed from cache');
++           }
++         }
++       }
++
++       // Fallback: Try agent DID (stable across session changes)
++       if (this.mcpiRuntime) {
++         const identity = await this.mcpiRuntime.getIdentity();
++         if (identity?.did) {
++           const agentKey = `agent:${identity.did}:delegation`;
++           const agentToken = await delegationStorage.get(agentKey);
++
++           if (agentToken) {
++             // Verify token is still valid before returning
++             const isValid = await this.verifyDelegationWithAgentShield(agentToken);
++             if (isValid) {
++               console.log('[Delegation] ✅ Token retrieved using agent DID and verified');
++
++               // Re-cache for current session (performance optimization)
++               if (sessionId) {
++                 const sessionCacheKey = `session:${sessionId}`;
++                 await delegationStorage.put(sessionCacheKey, agentToken, {
++                   expirationTtl: 300 // 5 minutes for security (reduced from 30)
++                 });
++                 console.log('[Delegation] Token cached for session with 5-minute TTL:', sessionId);
++               }
++
++               return agentToken;
++             } else {
++               // Token invalid, remove from cache
++               await this.invalidateDelegationCache(sessionId, agentToken, identity.did);
++               console.log('[Delegation] ⚠️ Agent token was invalid, removed from cache');
++             }
++           }
++         }
++       }
++
++       console.log('[Delegation] No delegation token found');
++       return null;
++     } catch (error) {
++       console.error('[Delegation] Failed to retrieve token:', error);
++       return null;
++     }
++   }
++
++   /**
++    * Verify delegation token with AgentShield API
++    * @param token - Delegation token to verify
++    * @returns True if token is valid, false otherwise
++    */
++   private async verifyDelegationWithAgentShield(token: string): Promise<boolean> {
++     // Check verification cache first (1 minute TTL for verified tokens)
++     const verificationCache = this.env.TOOL_PROTECTION_KV;
++     if (verificationCache) {
++       const cacheKey = `verified:${token.substring(0, 16)}`; // Use prefix to avoid key size issues
++       const cached = await verificationCache.get(cacheKey);
++       if (cached === '1') {
++         console.log('[Delegation] Token verification cached as valid');
++         return true;
++       }
++     }
++
++     try {
++       const agentShieldUrl = this.env.AGENTSHIELD_API_URL || 'https://kya.vouched.id';
++       const apiKey = this.env.AGENTSHIELD_API_KEY;
++
++       if (!apiKey) {
++         console.warn('[Delegation] No AgentShield API key configured, skipping verification');
++         return true; // Allow in development without API key
++       }
++
++       // Verify with AgentShield API
++       const response = await fetch(`${agentShieldUrl}/api/v1/bouncer/delegations/verify`, {
++         method: 'POST',
++         headers: {
++           'Authorization': `Bearer ${apiKey}`,
++           'Content-Type': 'application/json'
++         },
++         body: JSON.stringify({ token })
++       });
++
++       if (response.ok) {
++         // Cache successful verification for 1 minute
++         if (verificationCache) {
++           const cacheKey = `verified:${token.substring(0, 16)}`;
++           await verificationCache.put(cacheKey, '1', {
++             expirationTtl: 60 // 1 minute cache for verified tokens
++           });
++         }
++         console.log('[Delegation] Token verified successfully with AgentShield');
++         return true;
++       }
++
++       if (response.status === 401 || response.status === 403) {
++         console.log('[Delegation] Token verification failed: unauthorized');
++         return false;
++       }
++
++       console.warn('[Delegation] Token verification returned unexpected status:', response.status);
++       return false; // Fail closed for security
++
++     } catch (error) {
++       console.error('[Delegation] Error verifying token with AgentShield:', error);
++       return false; // Fail closed on errors
++     }
++   }
++
++   /**
++    * Invalidate delegation token in all caches
++    * @param sessionId - Session ID to clear
++    * @param token - Token to invalidate
++    * @param agentDid - Agent DID to clear
++    */
++   private async invalidateDelegationCache(sessionId?: string, token?: string, agentDid?: string): Promise<void> {
++     const delegationStorage = this.env.TESTPROJECT_DELEGATION_STORAGE;
++     const verificationCache = this.env.TOOL_PROTECTION_KV;
++
++     if (!delegationStorage) return;
++
++     const deletions: Promise<void>[] = [];
++
++     // Clear session cache
++     if (sessionId) {
++       const sessionKey = `session:${sessionId}`;
++       deletions.push(delegationStorage.delete(sessionKey));
++     }
++
++     // Clear agent cache
++     if (agentDid) {
++       const agentKey = `agent:${agentDid}:delegation`;
++       deletions.push(delegationStorage.delete(agentKey));
++     }
++
++     // Clear verification cache
++     if (token && verificationCache) {
++       const cacheKey = `verified:${token.substring(0, 16)}`;
++       deletions.push(verificationCache.delete(cacheKey));
++     }
++
++     await Promise.all(deletions);
++     console.log('[Delegation] Cache invalidated for revoked/invalid token');
++   }
++
++   /**
++    * Submit proof to AgentShield API
++    * Uses the proof.jws directly (full JWS format from CloudflareRuntime)
++    *
++    * Also submits optional context for AgentShield dashboard integration.
++    * Context provides plaintext tool/args data while proof provides cryptographic verification.
++    */
++   private async submitProofToAgentShield(
++     proof: DetachedProof,
++     session: { id: string },
++     toolName: string,
++     args: Record<string, unknown>,
++     result: unknown
++   ): Promise<void> {
++     if (!this.agentShieldConfig || !proof.jws || !proof.meta) return;
++
++     const { apiUrl, apiKey } = this.agentShieldConfig;
++
++     // Get tool call context from runtime (if available)
++     const toolCallContext = this.mcpiRuntime?.getLastToolCallContext();
++
++     // Proof already has correct format from CloudflareRuntime
++     // Adding optional context for AgentShield dashboard (Option A architecture)
++     const requestBody = {
++       session_id: session.id,
++       delegation_id: null,
++       proofs: [{
++         jws: proof.jws,  // Already in full JWS format
++         meta: proof.meta  // Already has all required fields
++       }],
++       // ✅ NEW: Optional context for dashboard integration
++       context: {
++         toolCalls: toolCallContext ? [toolCallContext] : [{
++           // Fallback if context not available from runtime
++           tool: toolName,
++           args: args,
++           result: result,
++           scopeId: proof.meta.scopeId || `${toolName}:execute`
++         }],
++         // ✅ NEW: MCP server URL for tool discovery (optional, only needed once)
++         mcpServerUrl: this.mcpServerUrl
++       }
++     };
++
++     console.log('[AgentShield] Submitting proof with context:', {
++       did: proof.meta.did,
++       sessionId: proof.meta.sessionId,
++       jwsFormat: proof.jws.split('.').length === 3 ? 'valid (3 parts)' : 'invalid',
++       contextTool: requestBody.context.toolCalls[0]?.tool,
++       contextScopeId: requestBody.context.toolCalls[0]?.scopeId,
++       mcpServerUrl: requestBody.context.mcpServerUrl || 'not-set'
++     });
++
++     const response = await fetch(`${apiUrl}/api/v1/bouncer/proofs`, {
++       method: 'POST',
++       headers: {
++         'Content-Type': 'application/json',
++         'Authorization': `Bearer ${apiKey}`
++       },
++       body: JSON.stringify(requestBody)
++     });
++
++     if (!response.ok) {
++       const errorText = await response.text();
++       console.error('[AgentShield] Submission failed:', response.status, errorText);
++       throw new Error(`AgentShield error: ${response.status}`);
++     }
++
++     const responseData = await response.json() as { success?: boolean; received?: number; processed?: number; accepted?: number; rejected?: number; errors?: Array<{ proofId: string; error: string }> };
++     console.log('[AgentShield] Response:', responseData);
++
++     if (responseData.accepted) {
++       console.log('[AgentShield] ✅ Proofs accepted:', responseData.accepted);
++     }
++     if (responseData.rejected) {
++       console.log('[AgentShield] ❌ Proofs rejected:', responseData.rejected);
++     }
++   }
++
++   async init() {
++     // Initialize MCP-I runtime (generates/loads identity, sets up nonce cache)
++     await this.mcpiRuntime?.initialize();
++
++     const identity = await this.mcpiRuntime?.getIdentity();
++     console.log('[MCP-I] Initialized with DID:', identity?.did);
++
++     this.server.tool(
++       greetTool.name,
++       greetTool.description,
++       greetTool.inputSchema.shape,
++       async (args: { name: string }) => {
++         // Use MCP-I runtime's processToolCall for automatic proof generation
++         if (this.mcpiRuntime) {
++           try {
++             // Read MCP session ID from Claude Desktop (via agents framework)
++             let mcpSessionId: string | undefined;
++             try {
++               mcpSessionId = this.getSessionId();
++               console.log('[Delegation] Session ID from agents framework:', mcpSessionId);
++             } catch (error) {
++               console.log('[Delegation] Failed to get session ID from framework:', error);
++               mcpSessionId = undefined;
++             }
++
++             // Retrieve delegation token if available
++             const delegationToken = await this.getDelegationToken(mcpSessionId);
++
++             // Create session with proper ID (use actual session ID when available)
++             const timestamp = Date.now();
++             const sessionId = mcpSessionId || `ephemeral-${timestamp}-${Math.random().toString(36).substring(2, 10)}`;
++
++             const session = {
++               id: sessionId,  // Use actual session ID from Claude Desktop
++               audience: 'https://kya.vouched.id',  // CRITICAL: Must match AgentShield domain
++               agentDid: (await this.mcpiRuntime.getIdentity()).did,
++               createdAt: timestamp,
++               expiresAt: timestamp + (30 * 60 * 1000), // 30 minutes
++               delegationToken  // Include delegation token if available
++             };
++
++             // Execute tool with automatic proof generation
++             const result = await this.mcpiRuntime.processToolCall(
++               greetTool.name,
++               args,
++               greetTool.handler,
++               session
++             );
++
++             // Get proof in DetachedProof format
++             const proof = this.mcpiRuntime.getLastProof() as DetachedProof;
++
++             if (proof && proof.jws && proof.meta) {
++               // Log proof details (using DetachedProof format)
++               console.log('[MCP-I Proof]', {
++                 tool: greetTool.name,
++                 did: proof.meta.did,
++                 timestamp: proof.meta.ts,
++                 jws: proof.jws.substring(0, 50) + '...',
++                 jwsValid: proof.jws.split('.').length === 3
++               });
++
++               // Parallelize proof operations for better performance
++               const proofOperations: Promise<void>[] = [];
++
++               // Add proof archive operation
++               if (this.proofArchive) {
++                 proofOperations.push(
++                   this.proofArchive.store(proof, {
++                     toolName: greetTool.name
++                   }).then(() => {
++                     console.log('[MCP-I] Proof stored in archive');
++                   }).catch((archiveError: unknown) => {
++                     console.error('[MCP-I] Archive error:', archiveError instanceof Error ? archiveError.message : String(archiveError));
++                   })
++                 );
++               }
++
++               // Add AgentShield submission operation
++               if (this.agentShieldConfig) {
++                 proofOperations.push(
++                   this.submitProofToAgentShield(proof, session, greetTool.name, args, result)
++                     .catch((err: unknown) => {
++                       console.error('[MCP-I] AgentShield failed:', err instanceof Error ? err.message : String(err));
++                     })
++                 );
++               }
++
++               // Execute all proof operations in parallel for better performance
++               if (proofOperations.length > 0) {
++                 await Promise.allSettled(proofOperations);
++               }
++
++               // Attach proof to result for MCP Inspector
++               if (result && typeof result === 'object' && result !== null) {
++                 (result as Record<string, unknown>)._meta = {
++                   proof: {
++                     jws: proof.jws,
++                     did: proof.meta.did,
++                     kid: proof.meta.kid,
++                     timestamp: proof.meta.ts,
++                     nonce: proof.meta.nonce,
++                     sessionId: proof.meta.sessionId,
++                     requestHash: proof.meta.requestHash,
++                     responseHash: proof.meta.responseHash
++                   }
++                 };
++               }
++             }
++
++             return result;
++           } catch (error: unknown) {
++             // If this is a DelegationRequiredError, re-throw it so the MCP framework can handle it properly
++             // The agents/mcp framework will format it as a proper error response to Claude Desktop
++             if (error instanceof DelegationRequiredError) {
++               console.warn('[MCP-I] Delegation required, propagating error:', {
++                 tool: error.toolName,
++                 requiredScopes: error.requiredScopes,
++                 consentUrl: error.consentUrl
++               });
++               throw error;
++             }
++             // Check for DelegationRequiredError by name (for cases where error is not instanceof)
++             if (error && typeof error === 'object' && 'name' in error && error.name === 'DelegationRequiredError') {
++               const delegationError = error as DelegationRequiredError;
++               console.warn('[MCP-I] Delegation required, propagating error:', {
++                 tool: delegationError.toolName,
++                 requiredScopes: delegationError.requiredScopes,
++                 consentUrl: delegationError.consentUrl
++               });
++               throw error;
++             }
++             
++             // For other errors, log and fallback to direct execution
++             console.error('[MCP-I] Failed to process tool with runtime:', error);
++             // Fallback to direct execution
++             return await greetTool.handler(args);
++           }
++         }
++
++         // Fallback if runtime not available
++         return await greetTool.handler(args);
++       }
++     );
++   }
++ }
++
++ const app = new Hono();
++
++ // Secure CORS configuration
++ app.use("/*", (c, next) => {
++   const allowedOrigins = c.env.ALLOWED_ORIGINS?.split(',').map((o: string) => o.trim()) || [
++     'https://claude.ai',
++     'https://app.anthropic.com'
++   ];
++
++   // Add localhost for development if not in production
++   if (c.env.MCPI_ENV !== 'production' && !allowedOrigins.includes('http://localhost:3000')) {
++     allowedOrigins.push('http://localhost:3000');
++   }
++
++   const origin = c.req.header('Origin') || '';
++   const isAllowed = allowedOrigins.includes(origin);
++
++   return cors({
++     origin: isAllowed ? origin : allowedOrigins[0], // Default to first allowed origin if not matched
++     allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
++     allowHeaders: ["Content-Type", "Authorization", "mcp-session-id", "Mcp-Session-Id", "mcp-protocol-version"],
++     exposeHeaders: ["mcp-session-id", "Mcp-Session-Id"],
++     credentials: true,
++   })(c, next);
++ });
++
++ app.get("/health", (c) => c.json({
++   status: 'healthy',
++   timestamp: new Date().toISOString(),
++   transport: { sse: '/sse', streamableHttp: '/mcp' }
++ }));
++
++ /**
++  * Admin endpoint to clear tool protection cache
++  *
++  * This allows AgentShield dashboard to invalidate cached tool protection
++  * config immediately after changing delegation requirements.
++  *
++  * The API key is validated by making a test call to AgentShield API.
++  *
++  * Usage:
++  *   POST /admin/clear-cache
++  *   Headers: Authorization: Bearer <AGENTSHIELD_ADMIN_API_KEY>
++  *   Body: { "agent_did": "did:key:z6Mk..." }
++  *
++  * Response:
++  *   { "success": true, "message": "Cache cleared", "agent_did": "..." }
++  */
++ app.post("/admin/clear-cache", async (c) => {
++   const env = c.env as PrefixedCloudflareEnv;
++
++   // Parse request body first to get agent_did
++   const body = await c.req.json().catch(() => ({}));
++   const agentDid = body.agent_did;
++
++   if (!agentDid || typeof agentDid !== 'string') {
++     return c.json({
++       success: false,
++       error: "Bad Request - agent_did required in body"
++     }, 400);
++   }
++
++   // Extract API key from Authorization header
++   const authHeader = c.req.header("Authorization");
++   if (!authHeader || !authHeader.startsWith("Bearer ")) {
++     return c.json({
++       success: false,
++       error: "Unauthorized - Missing or invalid Authorization header"
++     }, 401);
++   }
++
++   const apiKey = authHeader.slice(7); // Remove "Bearer " prefix
++
++   // Validate API key by making a test call to AgentShield
++   // Use the bouncer config endpoint as the validation mechanism
++   const agentShieldUrl = env.AGENTSHIELD_API_URL || "https://kya.vouched.id";
++   const validationUrl = `${agentShieldUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
++
++   try {
++     const validationResponse = await fetch(validationUrl, {
++       method: 'GET',
++       headers: {
++         'Content-Type': 'application/json',
++         'Authorization': `Bearer ${apiKey}`
++       }
++     });
++
++     if (!validationResponse.ok) {
++       console.warn('[Admin] API key validation failed:', validationResponse.status);
++       return c.json({
++         success: false,
++         error: "Unauthorized - Invalid API key"
++       }, 401);
++     }
++
++     // API key is valid, proceed to clear cache
++     console.log('[Admin] API key validated successfully');
++   } catch (error) {
++     console.error('[Admin] API key validation error:', error);
++     return c.json({
++       success: false,
++       error: "Failed to validate API key with AgentShield"
++     }, 500);
++   }
++
++   // Clear cache from KV
++   // Cache key format: KVToolProtectionCache uses 'tool-protection:' prefix + agentDid
++   // Since we're accessing KV directly (not through cache service), we need the full key
++   const cacheKey = `tool-protection:${agentDid}`;
++   const kvNamespace = env.TESTPROJECT_TOOL_PROTECTION_KV;
++
++   if (!kvNamespace) {
++     return c.json({
++       success: false,
++       error: "Tool protection KV namespace not configured"
++     }, 500);
++   }
++
++   try {
++     // Log before and after for debugging
++     const before = await kvNamespace.get(cacheKey);
++     await kvNamespace.delete(cacheKey);
++     const after = await kvNamespace.get(cacheKey);
++     
++     console.log('[Admin] Cache clear operation', {
++       agentDid: agentDid.slice(0, 20) + '...',
++       cacheKey,
++       hadValue: !!before,
++       cleared: !after,
++     });
++     
++     return c.json({
++       success: true,
++       message: "Cache cleared successfully. Next tool call will fetch fresh config from AgentShield.",
++       agent_did: agentDid,
++       cache_key: cacheKey,
++       had_value: !!before,
++     });
++   } catch (error) {
++     console.error('[Admin] Failed to clear cache:', error);
++     return c.json({
++       success: false,
++       error: "Internal error clearing cache",
++       details: error instanceof Error ? error.message : String(error)
++     }, 500);
++   }
++ });
++
++ /**
++  * OAuth Authorization Code Flow callback handler
++  *
++  * Handles the redirect from AgentShield after user approves delegation.
++  * Exchanges authorization code for delegation token and stores in KV.
++  *
++  * This endpoint is called by AgentShield after user approves delegation:
++  * 1. Receives authorization code and state from query params
++  * 2. Exchanges code for delegation token with AgentShield API
++  * 3. Stores token in KV with session ID as key
++  * 4. Returns success page to user
++  */
++ app.get('/oauth/callback', (c) => {
++   const env = c.env as PrefixedCloudflareEnv;
++   return createOAuthCallbackHandler({
++     agentShieldApiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
++     delegationStorage: env.TESTPROJECT_DELEGATION_STORAGE,
++     autoClose: true,
++     autoCloseDelay: 5000
++   })(c);
++ });
++
++ // Multi-instance DO routing using McpAgent's getInstanceId() override
++ // The TestprojectMCP class overrides getInstanceId() to enable session-based
++ // or shard-based routing while preserving PartyServer compatibility.
++ //
++ // Routing strategies (configured via DO_ROUTING_STRATEGY env var):
++ //   - 'session' (default): One DO per MCP session - ensures data isolation
++ //   - 'shard': Hash-based distribution across N shards - for high load
++ //
++ // McpAgent automatically routes to the correct DO instance using the ID
++ // returned by getInstanceId(), maintaining full routing context.
++ app.mount("/sse", TestprojectMCP.serveSSE("/sse").fetch, { replaceRequest: false });
++ app.mount("/mcp", TestprojectMCP.serve("/mcp").fetch, { replaceRequest: false });
++
++ export default app;
++
+
+ ❯ src/__tests__/cloudflare-template.test.ts:149:28
+    147| 
+    148|       // Check that warning is logged in index.ts
+    149|       expect(indexContent).toContain("Warning: MCP_SERVER_URL not configured");
+       |                            ^
+    150|     });
+    151| 
+
+⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[1/2]⎯
+
+ FAIL  test-cloudflare/tests/do-routing.test.ts > Durable Object Multi-Instance Routing > Performance Characteristics > shard routing should have O(n) complexity for hash
+AssertionError: expected 145.8617079999999 to be less than 100
+ ❯ test-cloudflare/tests/do-routing.test.ts:263:44
+    261|       expect(shortDuration).toBeGreaterThan(0);
+    262|       // Both operations should complete in reasonable time (< 100ms total for 1000 iterations)
+    263|       expect(longDuration + shortDuration).toBeLessThan(100);
+       |                                            ^
+    264|     });
+    265|   });
+
+⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[2/2]⎯
+
+
+ Test Files  2 failed | 10 passed (12)
+      Tests  2 failed | 235 passed (237)
+   Start at  14:20:47
+   Duration  1.25s (transform 1.21s, setup 0ms, collect 2.23s, tests 1.61s, environment 1ms, prepare 1.06s)
+
+[?25h ELIFECYCLE  Command failed with exit code 1.