@kya-os/create-mcpi-app 1.7.28 → 1.7.30

package/.turbo/turbo-test$colon$coverage.log

@@ -1,6 +1,6 @@
 
 
-> @kya-os/create-mcpi-app@1.7.26 test:coverage /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/create-mcpi-app
+> @kya-os/create-mcpi-app@1.7.29 test:coverage /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/create-mcpi-app
 > vitest --run --coverage
 
 [?25l▲ [WARNING] The condition "types" here will never be used as it comes after both "import" and "require" [package.json]
@@ -44,54 +44,37 @@
       Coverage enabled with v8
 
 [?2026h
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
+ ❯ src/__tests__/cloudflare-template.test.ts [queued]
 
  Test Files 0 passed (12)
       Tests 0 passed (0)
-   Start at 14:20:47
+   Start at 14:33:31
    Duration 201ms
-[?2026l[?2026h
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
- ❯ src/__tests__/helpers/generate-identity.test.ts [queued]
- ❯ test-cloudflare/tests/delegation.test.ts 0/12
-
- Test Files 0 passed (12)
-      Tests 0 passed (12)
-   Start at 14:20:47
-   Duration 509ms
-[?2026l[?2026h
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
- ❯ src/__tests__/helpers/generate-identity.test.ts [queued]
- ❯ test-cloudflare/tests/cors-security.test.ts [queued]
- ❯ test-cloudflare/tests/delegation.test.ts 0/12
+[?2026l[?2026hstdout | test-cloudflare/tests/session-management.test.ts > Session Management > Session Security > should not expose session data in logs
+[Session] Created session: secure-session
 
- Test Files 0 passed (12)
-      Tests 0 passed (12)
-   Start at 14:20:47
-   Duration 637ms
-[?2026l[?2026h ✓ test-cloudflare/tests/delegation.test.ts (12 tests) 8ms
- ✓ test-cloudflare/tests/cors-security.test.ts (29 tests) 5ms
- ✓ src/__tests__/helpers/generate-identity.test.ts (24 tests) 34ms
 
  ❯ src/__tests__/cloudflare-template.test.ts [queued]
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts [queued]
  ❯ src/__tests__/helpers/generate-config.test.ts [queued]
+ ❯ src/__tests__/helpers/generate-identity.test.ts [queued]
  ❯ src/__tests__/helpers/install.test.ts [queued]
  ❯ src/__tests__/helpers/validate-project-structure.test.ts [queued]
  ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/cache-invalidation.test.ts 1/18
+ ❯ test-cloudflare/tests/cache-invalidation.test.ts [queued]
+ ❯ test-cloudflare/tests/cors-security.test.ts 1/29
+ ❯ test-cloudflare/tests/delegation.test.ts [queued]
  ❯ test-cloudflare/tests/do-routing.test.ts 0/14
  ❯ test-cloudflare/tests/session-management.test.ts 0/17
 
- Test Files 3 passed (12)
-      Tests 66 passed (133)
-   Start at 14:20:47
-   Duration 739ms
-[?2026l[?2026h ✓ test-cloudflare/tests/cache-invalidation.test.ts (18 tests) 6ms
-stdout | test-cloudflare/tests/session-management.test.ts > Session Management > Session Security > should not expose session data in logs
-[Session] Created session: secure-session
-
- ✓ test-cloudflare/tests/session-management.test.ts (17 tests) 54ms
+ Test Files 0 passed (12)
+      Tests 1 passed (60)
+   Start at 14:33:31
+   Duration 301ms
+[?2026l[?2026h ✓ test-cloudflare/tests/cors-security.test.ts (29 tests) 10ms
+ ✓ test-cloudflare/tests/session-management.test.ts (17 tests) 17ms
+ ✓ test-cloudflare/tests/cache-invalidation.test.ts (18 tests) 7ms
+ ✓ test-cloudflare/tests/delegation.test.ts (12 tests) 5ms
 stdout | src/__tests__/helpers/install.test.ts > install > Dependency installation > should install dependencies with npm
 
 📦 Installing dependencies with npm...
@@ -113,35 +96,34 @@
 ✓ Lockfile created (package-lock.json) - remember to commit it
 
 
+
+
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
 [?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should report correct package manager in log
 ⚠️  Warning: No lockfile generated (pnpm-lock.yaml)
 
 
+
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should check for lockfile after installation
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Install progress reporting > should check for lockfile after installation
 
 📦 Installing dependencies with npm...
 ✓ Lockfile created (package-lock.json) - remember to commit it
@@ -152,1069 +134,172 @@
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should throw error when installation fails
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should throw error when installation fails
 Failed to install dependencies with npm.
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
 
 📦 Installing dependencies with npm...
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle network errors during installation
 Failed to install dependencies with npm.
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
 
 📦 Installing dependencies with npm...
 
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle permission errors during installation
 Failed to install dependencies with npm.
 
+stderr | src/helpers/__tests__/config-builder.spec.ts > buildConfigWithRemote > should fallback to local config when remote fetch fails
+[RemoteConfig] Neither projectId nor agentDid provided
+
 
  ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
  ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
  ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should log error message when installation fails
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should log error message when installation fails
 
 📦 Installing dependencies with npm...
 
-
- ❯ src/__tests__/cloudflare-template.test.ts 0/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
- ❯ src/__tests__/helpers/generate-config.test.ts 0/25
- ❯ src/__tests__/helpers/install.test.ts 0/20
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 1/14
-
- Test Files 5 passed (12)
-      Tests 105 passed (225)
-   Start at 14:20:47
-   Duration 840ms
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
+stdout | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
 
 📦 Installing dependencies with unknown...
 
 
- ❯ src/__tests__/cloudflare-template.test.ts 2/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
- ❯ src/__tests__/helpers/generate-config.test.ts 18/25
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 18/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 10/14
+ ❯ src/__tests__/cloudflare-template.test.ts 0/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/generate-config.test.ts 0/25
+ ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 6 passed (12)
-      Tests 172 passed (225)
-   Start at 14:20:47
-   Duration 1.00s
-[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstderr | src/__tests__/helpers/install.test.ts > install > Error handling > should handle invalid package manager gracefully
 ⚠️  Warning: Unknown package manager "unknown", cannot check lockfile
 
 
- ❯ src/__tests__/cloudflare-template.test.ts 2/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
- ❯ src/__tests__/helpers/generate-config.test.ts 18/25
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 18/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 10/14
+ ❯ src/__tests__/cloudflare-template.test.ts 0/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/generate-config.test.ts 0/25
+ ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
 
- Test Files 6 passed (12)
-      Tests 172 passed (225)
-   Start at 14:20:47
-   Duration 1.00s
-[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Lockfile validation > should warn when lockfile not created
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026hstdout | src/__tests__/helpers/install.test.ts > install > Lockfile validation > should warn when lockfile not created
 
 📦 Installing dependencies with npm...
 
- ✓ src/__tests__/helpers/install.test.ts (20 tests) 79ms
-
- ❯ src/__tests__/cloudflare-template.test.ts 2/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 4/19
- ❯ src/__tests__/helpers/generate-config.test.ts 18/25
- ❯ src/__tests__/helpers/validate-project-structure.test.ts 18/23
- ❯ src/helpers/__tests__/config-builder.spec.ts [queued]
- ❯ test-cloudflare/tests/do-routing.test.ts 10/14
-
- Test Files 6 passed (12)
-      Tests 172 passed (225)
-   Start at 14:20:47
-   Duration 1.00s
-[?2026l[?2026hstderr | src/helpers/__tests__/config-builder.spec.ts > buildConfigWithRemote > should fallback to local config when remote fetch fails
-[RemoteConfig] Neither projectId nor agentDid provided
-
-
-
+ ✓ src/__tests__/helpers/generate-identity.test.ts (24 tests) 49ms
+ ✓ src/helpers/__tests__/config-builder.spec.ts (12 tests) 4ms
+ ✓ src/__tests__/helpers/install.test.ts (20 tests) 40ms
 
- ❯ src/__tests__/cloudflare-template.test.ts 4/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 18/19
-
- Test Files 1 failed | 9 passed (12)
-      Tests 1 failed | 215 passed (237)
-   Start at 14:20:47
-   Duration 1.10s
-[?2026l[?2026h ✓ src/__tests__/helpers/validate-project-structure.test.ts (23 tests) 128ms
- ✓ src/__tests__/helpers/generate-config.test.ts (25 tests) 197ms
- ✓ src/helpers/__tests__/config-builder.spec.ts (12 tests) 6ms
- ❯ test-cloudflare/tests/do-routing.test.ts (14 tests | 1 failed) 320ms
-       ✓ should route to different instances for different sessions 15ms
-       ✓ should route to same instance for same session 0ms
-       ✓ should handle both mcp-session-id header casings 0ms
-       ✓ should generate random session if header missing 0ms
-       ✓ should distribute requests across shards 50ms
-       ✓ should consistently route same session to same shard 0ms
-       ✓ should respect custom shard count 2ms
-       ✓ should fall back to default when strategy unknown 0ms
-       ✓ should use session strategy when not configured 0ms
-       ✓ session routing should have O(1) complexity 85ms
-       × shard routing should have O(n) complexity for hash 164ms
-       ✓ should handle empty session ID 0ms
-       ✓ should handle non-numeric shard count 0ms
-       ✓ should handle special characters in session ID 1ms
-
- ❯ src/__tests__/cloudflare-template.test.ts 4/24
- ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 18/19
-
- Test Files 1 failed | 9 passed (12)
-      Tests 1 failed | 215 passed (237)
-   Start at 14:20:47
-   Duration 1.10s
-[?2026l ✓ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts (19 tests) 391ms
- ❯ src/__tests__/cloudflare-template.test.ts (24 tests | 1 failed) 381ms
-       ✓ should create all required files and directories 40ms
-       ✓ should create mcpi-runtime-config.ts with correct structure 30ms
-       ✓ should create index.ts with correct structure 95ms
-       ✓ should include MCP_SERVER_URL placeholder in wrangler.toml 26ms
-       × should log warning when MCP_SERVER_URL not configured 27ms
-       ✓ should store MCP_SERVER_URL in class property 22ms
-       ✓ should include all required KV namespace bindings in wrangler.toml 11ms
-       ✓ should create KV namespace creation scripts in package.json 9ms
-       ✓ should create KV namespace listing scripts 8ms
-       ✓ should include tool protection configuration in runtime config 9ms
-       ✓ should include CloudflareRuntime import for tool protection 7ms
-       ✓ should conditionally enable tool protection KV when API key provided 12ms
-       ✓ should comment out tool protection KV when no API key provided 9ms
-       ✓ should generate identity when skipIdentity is false 7ms
-       ✓ should skip identity generation when skipIdentity is true 4ms
-       ✓ should include identity variables in wrangler.toml 10ms
-       ✓ should create .dev.vars.example template 9ms
-       ✓ should handle file system errors gracefully 1ms
-       ✓ should handle invalid project names 6ms
-       ✓ should use correct package manager in scripts 8ms
-       ✓ should create correct package.json structure 11ms
-       ✓ should create greet tool with correct structure 8ms
-       ✓ should create test files with correct structure 6ms
-       ✓ should create README with project name 5ms
-
-⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯ Failed Tests 2 ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
-
- FAIL  src/__tests__/cloudflare-template.test.ts > Cloudflare Template Generation > MCP_SERVER_URL configuration > should log warning when MCP_SERVER_URL not configured
-AssertionError: expected 'import { McpAgent } from "agents/mcp"…' to contain 'Warning: MCP_SERVER_URL not configured'
-
-- Expected
-+ Received
-
-- Warning: MCP_SERVER_URL not configured
-+ import { McpAgent } from "agents/mcp";
-+ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-+ import { createCloudflareRuntime, type CloudflareEnv, KVProofArchive, type DetachedProof, createOAuthCallbackHandler, CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";
-+ import { DelegationRequiredError } from "@kya-os/mcp-i-core";
-+ import type { ToolProtectionService } from "@kya-os/mcp-i-core";
-+ import { Hono } from "hono";
-+ import { cors } from "hono/cors";
-+ import { greetTool } from "./tools/greet";
-+ import { getRuntimeConfig } from "./mcpi-runtime-config";
-+ import type { CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare/config";
-+
-+ /**
-+  * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
-+  * This allows multiple agents to share the same Cloudflare account without conflicts
-+  */
-+ interface PrefixedCloudflareEnv extends CloudflareEnv {
-+   // Prefixed KV bindings (e.g., MYAGENT_NONCE_CACHE, MYAGENT_PROOF_ARCHIVE)
-+   [key: string]: KVNamespace | string | DurableObjectState | undefined;
-+   // Optional routing configuration
-+   DO_ROUTING_STRATEGY?: string;
-+   DO_SHARD_COUNT?: string;
-+   // Prefixed KV namespaces (dynamically accessed)
-+   TESTPROJECT_NONCE_CACHE?: KVNamespace;
-+   TESTPROJECT_PROOF_ARCHIVE?: KVNamespace;
-+   TESTPROJECT_IDENTITY_STORAGE?: KVNamespace;
-+   TESTPROJECT_DELEGATION_STORAGE?: KVNamespace;
-+   TESTPROJECT_TOOL_PROTECTION_KV?: KVNamespace;
-+ }
-+
-+ export class TestprojectMCP extends McpAgent {
-+   server = new McpServer({
-+     name: "test-project",
-+     version: "1.0.0"
-+   });
-+
-+   private mcpiRuntime?: ReturnType<typeof createCloudflareRuntime>;
-+   private proofArchive?: KVProofArchive;
-+   private agentShieldConfig?: { apiUrl: string; apiKey: string };
-+   private env: PrefixedCloudflareEnv;
-+   private mcpServerUrl?: string;
-+
-+   constructor(state: DurableObjectState, env: PrefixedCloudflareEnv) {
-+     super(state, env);
-+     this.env = env;
-+
-+     // Create CloudflareEnv adapter to map prefixed KV bindings to expected names
-+     // This allows multiple agents to be deployed without KV namespace conflicts
-+     const mappedEnv: CloudflareEnv = {
-+       // Map prefixed bindings to standard names expected by createCloudflareRuntime
-+       NONCE_CACHE: env.TESTPROJECT_NONCE_CACHE,
-+       PROOF_ARCHIVE: env.TESTPROJECT_PROOF_ARCHIVE,
-+       IDENTITY_STORAGE: env.TESTPROJECT_IDENTITY_STORAGE,
-+       DELEGATION_STORAGE: env.TESTPROJECT_DELEGATION_STORAGE,
-+       TOOL_PROTECTION_KV: env.TESTPROJECT_TOOL_PROTECTION_KV,
-+       // Pass through environment variables unchanged
-+       MCP_IDENTITY_PRIVATE_KEY: env.MCP_IDENTITY_PRIVATE_KEY,
-+       MCP_IDENTITY_PUBLIC_KEY: env.MCP_IDENTITY_PUBLIC_KEY,
-+       MCP_IDENTITY_AGENT_DID: env.MCP_IDENTITY_AGENT_DID,
-+       // Pass through other env vars for runtime config
-+       AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
-+       AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
-+       AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
-+       MCPI_ENV: env.MCPI_ENV,
-+       MCP_SERVER_URL: env.MCP_SERVER_URL,
-+       // Pass Durable Object state for identity persistence
-+       // NOTE: Without this, identity will be ephemeral (new DID every call)!
-+       // Note: createCloudflareRuntime will automatically use KVIdentityProvider if IDENTITY_STORAGE KV is available
-+       _durableObjectState: state,
-+     };
-+
-+     // Store MCP server URL for proof submission context
-+     // Auto-detect from request URL if not explicitly set (will be set in fetch handler)
-+     this.mcpServerUrl = env.MCP_SERVER_URL;
-+     if (this.mcpServerUrl) {
-+       // Ensure URL includes /mcp path if not already present
-+       if (!this.mcpServerUrl.endsWith('/mcp')) {
-+         this.mcpServerUrl = this.mcpServerUrl.replace(//$/, '') + '/mcp';
-+       }
-+       console.log('[MCP-I] MCP Server URL configured:', this.mcpServerUrl);
-+     } else {
-+       // Will be auto-detected from request URL in fetch handler
-+       console.log('[MCP-I] MCP Server URL will be auto-detected from request');
-+     }
-+
-+     // Load runtime configuration for AgentShield integration
-+     // Pass mappedEnv so it can access KV bindings with standard names
-+     const runtimeConfig = getRuntimeConfig(mappedEnv);
-+
-+     // ✅ Create tool protection service helper function
-+     // Always import CloudflareRuntime but conditionally instantiate
-+     function createToolProtectionService(env: CloudflareEnv, runtimeConfig: CloudflareRuntimeConfig): ToolProtectionService | undefined {
-+       if (!runtimeConfig.toolProtection) {
-+         return undefined;
-+       }
-+
-+       if (!env.TOOL_PROTECTION_KV || !env.AGENTSHIELD_API_KEY) {
-+         console.log('[MCP-I] Tool protection disabled - configure TOOL_PROTECTION_KV and AGENTSHIELD_API_KEY to enable');
-+         return undefined;
-+       }
-+
-+       return CloudflareRuntime.createToolProtectionService(
-+         env.TOOL_PROTECTION_KV,
-+         {
-+           apiUrl: runtimeConfig.toolProtection.agentShield?.apiUrl || env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-+           apiKey: env.AGENTSHIELD_API_KEY,
-+           projectId: runtimeConfig.toolProtection.agentShield?.projectId || env.AGENTSHIELD_PROJECT_ID,
-+           cacheTtl: runtimeConfig.toolProtection.agentShield?.cacheTtl || 300000,
-+           debug: runtimeConfig.environment === 'development',
-+           fallbackConfig: runtimeConfig.toolProtection.fallback
-+         }
-+       );
-+     }
-+
-+     // Create tool protection service if configured
-+     // Note: createCloudflareRuntime will automatically use KVIdentityProvider if IDENTITY_STORAGE KV is available
-+     const toolProtectionService = createToolProtectionService(mappedEnv, runtimeConfig);
-+
-+     // Initialize MCP-I runtime for cryptographic proofs and identity
-+     this.mcpiRuntime = createCloudflareRuntime({
-+       env: mappedEnv,
-+       environment: runtimeConfig.environment,
-+       audit: {
-+         enabled: runtimeConfig.audit?.enabled ?? true,
-+         logFunction: runtimeConfig.audit?.logFunction || ((record) => console.log('[MCP-I Audit]', record))
-+       },
-+       toolProtectionService
-+     });
-+
-+     // Initialize proof archive if PROOF_ARCHIVE KV is available
-+     if (mappedEnv.PROOF_ARCHIVE) {
-+       this.proofArchive = new KVProofArchive(mappedEnv.PROOF_ARCHIVE);
-+       console.log('[MCP-I] Proof archive enabled');
-+     }
-+
-+     // Load AgentShield config for proof submission
-+     if (runtimeConfig.proofing?.enabled && runtimeConfig.proofing.batchQueue) {
-+       const agentShieldDest = runtimeConfig.proofing.batchQueue.destinations?.find(
-+         (dest) => dest.type === "agentshield" && dest.apiKey
-+       );
-+       if (agentShieldDest) {
-+         this.agentShieldConfig = {
-+           apiUrl: agentShieldDest.apiUrl,
-+           apiKey: agentShieldDest.apiKey!
-+         };
-+         console.log('[MCP-I] AgentShield enabled:', agentShieldDest.apiUrl);
-+       }
-+     }
-+   }
-+
-+   /**
-+    * Handle incoming requests
-+    * Auto-detects MCP Server URL from request if not explicitly configured
-+    */
-+   async fetch(request: Request): Promise<Response> {
-+     // Auto-detect MCP Server URL from request if not already set
-+     if (!this.mcpServerUrl && request.url) {
-+       try {
-+         const requestUrl = new URL(request.url);
-+         // Extract origin and ensure /mcp path is included
-+         this.mcpServerUrl = requestUrl.origin + '/mcp';
-+         console.log('[MCP-I] MCP Server URL auto-detected from request:', this.mcpServerUrl);
-+       } catch (error) {
-+         console.warn('[MCP-I] Failed to auto-detect MCP Server URL from request:', error);
-+       }
-+     }
-+
-+     // Delegate to McpAgent's fetch handler
-+     return super.fetch(request);
-+   }
-+
-+   /**
-+    * Override getInstanceId() to enable multi-instance Durable Object routing
-+    *
-+    * This method is called internally by McpAgent to determine which DO instance
-+    * should handle the request. By overriding it, we can implement custom routing
-+    * strategies (session-based, shard-based, etc.) while maintaining full
-+    * McpAgent compatibility and preserving PartyServer routing context.
-+    *
-+    * @returns Instance ID used by McpAgent for DO routing
-+    */
-+   getInstanceId(): string {
-+     try {
-+       // Get session ID from McpAgent's built-in extraction
-+       const sessionId = this.getSessionId();
-+
-+       // Get routing strategy from environment (default: session)
-+       const strategy = this.env.DO_ROUTING_STRATEGY || 'session';
-+
-+       if (strategy === 'session') {
-+         // One DO instance per MCP session (recommended for most use cases)
-+         // Sessions are isolated, ensuring data consistency per client
-+         return `session:${sessionId}`;
-+       } else if (strategy === 'shard') {
-+         // Hash-based sharding across N DO instances (for high load)
-+         // Distributes load evenly while maintaining session affinity
-+         const shardCount = parseInt(this.env.DO_SHARD_COUNT || '10');
-+         // Validate shard count - must be a valid positive number
-+         const validShardCount = (!isNaN(shardCount) && shardCount > 0) ? shardCount : 10;
-+
-+         // Simple hash function for session ID
-+         let hash = 0;
-+         for (let i = 0; i < sessionId.length; i++) {
-+           hash = ((hash << 5) - hash) + sessionId.charCodeAt(i);
-+           hash = hash & hash; // Convert to 32bit integer
-+         }
-+
-+         const shard = Math.abs(hash) % validShardCount;
-+         return `shard:${shard}`;
-+       }
-+
-+       // Fallback to single instance (legacy behavior)
-+       return 'default';
-+     } catch (error) {
-+       // If session extraction fails, fall back to default instance
-+       console.error('[DO Routing] Failed to extract session ID:', error);
-+       return 'default';
-+     }
-+   }
-+
-+   /**
-+    * Retrieve delegation token from KV storage
-+    * Uses two-tier lookup: session cache (fast) → agent DID (stable)
-+    *
-+    * @param sessionId - MCP session ID from Claude Desktop
-+    * @returns Delegation token if found, null otherwise
-+    */
-+   private async getDelegationToken(sessionId?: string): Promise<string | null> {
-+     const delegationStorage = this.env.TESTPROJECT_DELEGATION_STORAGE;
-+
-+     if (!delegationStorage) {
-+       console.log('[Delegation] No delegation storage configured');
-+       return null;
-+     }
-+
-+     try {
-+       // Fast path: Try session cache first
-+       if (sessionId) {
-+         const sessionKey = `session:${sessionId}`;
-+         const sessionToken = await delegationStorage.get(sessionKey);
-+
-+         if (sessionToken) {
-+           // Verify token is still valid before returning
-+           const isValid = await this.verifyDelegationWithAgentShield(sessionToken);
-+           if (isValid) {
-+             console.log('[Delegation] ✅ Token retrieved from session cache and verified');
-+             return sessionToken;
-+           } else {
-+             // Token invalid, remove from cache
-+             await this.invalidateDelegationCache(sessionId, sessionToken);
-+             console.log('[Delegation] ⚠️ Cached token was invalid, removed from cache');
-+           }
-+         }
-+       }
-+
-+       // Fallback: Try agent DID (stable across session changes)
-+       if (this.mcpiRuntime) {
-+         const identity = await this.mcpiRuntime.getIdentity();
-+         if (identity?.did) {
-+           const agentKey = `agent:${identity.did}:delegation`;
-+           const agentToken = await delegationStorage.get(agentKey);
-+
-+           if (agentToken) {
-+             // Verify token is still valid before returning
-+             const isValid = await this.verifyDelegationWithAgentShield(agentToken);
-+             if (isValid) {
-+               console.log('[Delegation] ✅ Token retrieved using agent DID and verified');
-+
-+               // Re-cache for current session (performance optimization)
-+               if (sessionId) {
-+                 const sessionCacheKey = `session:${sessionId}`;
-+                 await delegationStorage.put(sessionCacheKey, agentToken, {
-+                   expirationTtl: 300 // 5 minutes for security (reduced from 30)
-+                 });
-+                 console.log('[Delegation] Token cached for session with 5-minute TTL:', sessionId);
-+               }
-+
-+               return agentToken;
-+             } else {
-+               // Token invalid, remove from cache
-+               await this.invalidateDelegationCache(sessionId, agentToken, identity.did);
-+               console.log('[Delegation] ⚠️ Agent token was invalid, removed from cache');
-+             }
-+           }
-+         }
-+       }
-+
-+       console.log('[Delegation] No delegation token found');
-+       return null;
-+     } catch (error) {
-+       console.error('[Delegation] Failed to retrieve token:', error);
-+       return null;
-+     }
-+   }
-+
-+   /**
-+    * Verify delegation token with AgentShield API
-+    * @param token - Delegation token to verify
-+    * @returns True if token is valid, false otherwise
-+    */
-+   private async verifyDelegationWithAgentShield(token: string): Promise<boolean> {
-+     // Check verification cache first (1 minute TTL for verified tokens)
-+     const verificationCache = this.env.TOOL_PROTECTION_KV;
-+     if (verificationCache) {
-+       const cacheKey = `verified:${token.substring(0, 16)}`; // Use prefix to avoid key size issues
-+       const cached = await verificationCache.get(cacheKey);
-+       if (cached === '1') {
-+         console.log('[Delegation] Token verification cached as valid');
-+         return true;
-+       }
-+     }
-+
-+     try {
-+       const agentShieldUrl = this.env.AGENTSHIELD_API_URL || 'https://kya.vouched.id';
-+       const apiKey = this.env.AGENTSHIELD_API_KEY;
-+
-+       if (!apiKey) {
-+         console.warn('[Delegation] No AgentShield API key configured, skipping verification');
-+         return true; // Allow in development without API key
-+       }
-+
-+       // Verify with AgentShield API
-+       const response = await fetch(`${agentShieldUrl}/api/v1/bouncer/delegations/verify`, {
-+         method: 'POST',
-+         headers: {
-+           'Authorization': `Bearer ${apiKey}`,
-+           'Content-Type': 'application/json'
-+         },
-+         body: JSON.stringify({ token })
-+       });
-+
-+       if (response.ok) {
-+         // Cache successful verification for 1 minute
-+         if (verificationCache) {
-+           const cacheKey = `verified:${token.substring(0, 16)}`;
-+           await verificationCache.put(cacheKey, '1', {
-+             expirationTtl: 60 // 1 minute cache for verified tokens
-+           });
-+         }
-+         console.log('[Delegation] Token verified successfully with AgentShield');
-+         return true;
-+       }
-+
-+       if (response.status === 401 || response.status === 403) {
-+         console.log('[Delegation] Token verification failed: unauthorized');
-+         return false;
-+       }
-+
-+       console.warn('[Delegation] Token verification returned unexpected status:', response.status);
-+       return false; // Fail closed for security
-+
-+     } catch (error) {
-+       console.error('[Delegation] Error verifying token with AgentShield:', error);
-+       return false; // Fail closed on errors
-+     }
-+   }
-+
-+   /**
-+    * Invalidate delegation token in all caches
-+    * @param sessionId - Session ID to clear
-+    * @param token - Token to invalidate
-+    * @param agentDid - Agent DID to clear
-+    */
-+   private async invalidateDelegationCache(sessionId?: string, token?: string, agentDid?: string): Promise<void> {
-+     const delegationStorage = this.env.TESTPROJECT_DELEGATION_STORAGE;
-+     const verificationCache = this.env.TOOL_PROTECTION_KV;
-+
-+     if (!delegationStorage) return;
-+
-+     const deletions: Promise<void>[] = [];
-+
-+     // Clear session cache
-+     if (sessionId) {
-+       const sessionKey = `session:${sessionId}`;
-+       deletions.push(delegationStorage.delete(sessionKey));
-+     }
-+
-+     // Clear agent cache
-+     if (agentDid) {
-+       const agentKey = `agent:${agentDid}:delegation`;
-+       deletions.push(delegationStorage.delete(agentKey));
-+     }
-+
-+     // Clear verification cache
-+     if (token && verificationCache) {
-+       const cacheKey = `verified:${token.substring(0, 16)}`;
-+       deletions.push(verificationCache.delete(cacheKey));
-+     }
-+
-+     await Promise.all(deletions);
-+     console.log('[Delegation] Cache invalidated for revoked/invalid token');
-+   }
-+
-+   /**
-+    * Submit proof to AgentShield API
-+    * Uses the proof.jws directly (full JWS format from CloudflareRuntime)
-+    *
-+    * Also submits optional context for AgentShield dashboard integration.
-+    * Context provides plaintext tool/args data while proof provides cryptographic verification.
-+    */
-+   private async submitProofToAgentShield(
-+     proof: DetachedProof,
-+     session: { id: string },
-+     toolName: string,
-+     args: Record<string, unknown>,
-+     result: unknown
-+   ): Promise<void> {
-+     if (!this.agentShieldConfig || !proof.jws || !proof.meta) return;
-+
-+     const { apiUrl, apiKey } = this.agentShieldConfig;
-+
-+     // Get tool call context from runtime (if available)
-+     const toolCallContext = this.mcpiRuntime?.getLastToolCallContext();
-+
-+     // Proof already has correct format from CloudflareRuntime
-+     // Adding optional context for AgentShield dashboard (Option A architecture)
-+     const requestBody = {
-+       session_id: session.id,
-+       delegation_id: null,
-+       proofs: [{
-+         jws: proof.jws,  // Already in full JWS format
-+         meta: proof.meta  // Already has all required fields
-+       }],
-+       // ✅ NEW: Optional context for dashboard integration
-+       context: {
-+         toolCalls: toolCallContext ? [toolCallContext] : [{
-+           // Fallback if context not available from runtime
-+           tool: toolName,
-+           args: args,
-+           result: result,
-+           scopeId: proof.meta.scopeId || `${toolName}:execute`
-+         }],
-+         // ✅ NEW: MCP server URL for tool discovery (optional, only needed once)
-+         mcpServerUrl: this.mcpServerUrl
-+       }
-+     };
-+
-+     console.log('[AgentShield] Submitting proof with context:', {
-+       did: proof.meta.did,
-+       sessionId: proof.meta.sessionId,
-+       jwsFormat: proof.jws.split('.').length === 3 ? 'valid (3 parts)' : 'invalid',
-+       contextTool: requestBody.context.toolCalls[0]?.tool,
-+       contextScopeId: requestBody.context.toolCalls[0]?.scopeId,
-+       mcpServerUrl: requestBody.context.mcpServerUrl || 'not-set'
-+     });
-+
-+     const response = await fetch(`${apiUrl}/api/v1/bouncer/proofs`, {
-+       method: 'POST',
-+       headers: {
-+         'Content-Type': 'application/json',
-+         'Authorization': `Bearer ${apiKey}`
-+       },
-+       body: JSON.stringify(requestBody)
-+     });
-+
-+     if (!response.ok) {
-+       const errorText = await response.text();
-+       console.error('[AgentShield] Submission failed:', response.status, errorText);
-+       throw new Error(`AgentShield error: ${response.status}`);
-+     }
-+
-+     const responseData = await response.json() as { success?: boolean; received?: number; processed?: number; accepted?: number; rejected?: number; errors?: Array<{ proofId: string; error: string }> };
-+     console.log('[AgentShield] Response:', responseData);
-+
-+     if (responseData.accepted) {
-+       console.log('[AgentShield] ✅ Proofs accepted:', responseData.accepted);
-+     }
-+     if (responseData.rejected) {
-+       console.log('[AgentShield] ❌ Proofs rejected:', responseData.rejected);
-+     }
-+   }
-+
-+   async init() {
-+     // Initialize MCP-I runtime (generates/loads identity, sets up nonce cache)
-+     await this.mcpiRuntime?.initialize();
-+
-+     const identity = await this.mcpiRuntime?.getIdentity();
-+     console.log('[MCP-I] Initialized with DID:', identity?.did);
-+
-+     this.server.tool(
-+       greetTool.name,
-+       greetTool.description,
-+       greetTool.inputSchema.shape,
-+       async (args: { name: string }) => {
-+         // Use MCP-I runtime's processToolCall for automatic proof generation
-+         if (this.mcpiRuntime) {
-+           try {
-+             // Read MCP session ID from Claude Desktop (via agents framework)
-+             let mcpSessionId: string | undefined;
-+             try {
-+               mcpSessionId = this.getSessionId();
-+               console.log('[Delegation] Session ID from agents framework:', mcpSessionId);
-+             } catch (error) {
-+               console.log('[Delegation] Failed to get session ID from framework:', error);
-+               mcpSessionId = undefined;
-+             }
-+
-+             // Retrieve delegation token if available
-+             const delegationToken = await this.getDelegationToken(mcpSessionId);
-+
-+             // Create session with proper ID (use actual session ID when available)
-+             const timestamp = Date.now();
-+             const sessionId = mcpSessionId || `ephemeral-${timestamp}-${Math.random().toString(36).substring(2, 10)}`;
-+
-+             const session = {
-+               id: sessionId,  // Use actual session ID from Claude Desktop
-+               audience: 'https://kya.vouched.id',  // CRITICAL: Must match AgentShield domain
-+               agentDid: (await this.mcpiRuntime.getIdentity()).did,
-+               createdAt: timestamp,
-+               expiresAt: timestamp + (30 * 60 * 1000), // 30 minutes
-+               delegationToken  // Include delegation token if available
-+             };
-+
-+             // Execute tool with automatic proof generation
-+             const result = await this.mcpiRuntime.processToolCall(
-+               greetTool.name,
-+               args,
-+               greetTool.handler,
-+               session
-+             );
-+
-+             // Get proof in DetachedProof format
-+             const proof = this.mcpiRuntime.getLastProof() as DetachedProof;
-+
-+             if (proof && proof.jws && proof.meta) {
-+               // Log proof details (using DetachedProof format)
-+               console.log('[MCP-I Proof]', {
-+                 tool: greetTool.name,
-+                 did: proof.meta.did,
-+                 timestamp: proof.meta.ts,
-+                 jws: proof.jws.substring(0, 50) + '...',
-+                 jwsValid: proof.jws.split('.').length === 3
-+               });
-+
-+               // Parallelize proof operations for better performance
-+               const proofOperations: Promise<void>[] = [];
-+
-+               // Add proof archive operation
-+               if (this.proofArchive) {
-+                 proofOperations.push(
-+                   this.proofArchive.store(proof, {
-+                     toolName: greetTool.name
-+                   }).then(() => {
-+                     console.log('[MCP-I] Proof stored in archive');
-+                   }).catch((archiveError: unknown) => {
-+                     console.error('[MCP-I] Archive error:', archiveError instanceof Error ? archiveError.message : String(archiveError));
-+                   })
-+                 );
-+               }
-+
-+               // Add AgentShield submission operation
-+               if (this.agentShieldConfig) {
-+                 proofOperations.push(
-+                   this.submitProofToAgentShield(proof, session, greetTool.name, args, result)
-+                     .catch((err: unknown) => {
-+                       console.error('[MCP-I] AgentShield failed:', err instanceof Error ? err.message : String(err));
-+                     })
-+                 );
-+               }
-+
-+               // Execute all proof operations in parallel for better performance
-+               if (proofOperations.length > 0) {
-+                 await Promise.allSettled(proofOperations);
-+               }
-+
-+               // Attach proof to result for MCP Inspector
-+               if (result && typeof result === 'object' && result !== null) {
-+                 (result as Record<string, unknown>)._meta = {
-+                   proof: {
-+                     jws: proof.jws,
-+                     did: proof.meta.did,
-+                     kid: proof.meta.kid,
-+                     timestamp: proof.meta.ts,
-+                     nonce: proof.meta.nonce,
-+                     sessionId: proof.meta.sessionId,
-+                     requestHash: proof.meta.requestHash,
-+                     responseHash: proof.meta.responseHash
-+                   }
-+                 };
-+               }
-+             }
-+
-+             return result;
-+           } catch (error: unknown) {
-+             // If this is a DelegationRequiredError, re-throw it so the MCP framework can handle it properly
-+             // The agents/mcp framework will format it as a proper error response to Claude Desktop
-+             if (error instanceof DelegationRequiredError) {
-+               console.warn('[MCP-I] Delegation required, propagating error:', {
-+                 tool: error.toolName,
-+                 requiredScopes: error.requiredScopes,
-+                 consentUrl: error.consentUrl
-+               });
-+               throw error;
-+             }
-+             // Check for DelegationRequiredError by name (for cases where error is not instanceof)
-+             if (error && typeof error === 'object' && 'name' in error && error.name === 'DelegationRequiredError') {
-+               const delegationError = error as DelegationRequiredError;
-+               console.warn('[MCP-I] Delegation required, propagating error:', {
-+                 tool: delegationError.toolName,
-+                 requiredScopes: delegationError.requiredScopes,
-+                 consentUrl: delegationError.consentUrl
-+               });
-+               throw error;
-+             }
-+             
-+             // For other errors, log and fallback to direct execution
-+             console.error('[MCP-I] Failed to process tool with runtime:', error);
-+             // Fallback to direct execution
-+             return await greetTool.handler(args);
-+           }
-+         }
-+
-+         // Fallback if runtime not available
-+         return await greetTool.handler(args);
-+       }
-+     );
-+   }
-+ }
-+
-+ const app = new Hono();
-+
-+ // Secure CORS configuration
-+ app.use("/*", (c, next) => {
-+   const allowedOrigins = c.env.ALLOWED_ORIGINS?.split(',').map((o: string) => o.trim()) || [
-+     'https://claude.ai',
-+     'https://app.anthropic.com'
-+   ];
-+
-+   // Add localhost for development if not in production
-+   if (c.env.MCPI_ENV !== 'production' && !allowedOrigins.includes('http://localhost:3000')) {
-+     allowedOrigins.push('http://localhost:3000');
-+   }
-+
-+   const origin = c.req.header('Origin') || '';
-+   const isAllowed = allowedOrigins.includes(origin);
-+
-+   return cors({
-+     origin: isAllowed ? origin : allowedOrigins[0], // Default to first allowed origin if not matched
-+     allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-+     allowHeaders: ["Content-Type", "Authorization", "mcp-session-id", "Mcp-Session-Id", "mcp-protocol-version"],
-+     exposeHeaders: ["mcp-session-id", "Mcp-Session-Id"],
-+     credentials: true,
-+   })(c, next);
-+ });
-+
-+ app.get("/health", (c) => c.json({
-+   status: 'healthy',
-+   timestamp: new Date().toISOString(),
-+   transport: { sse: '/sse', streamableHttp: '/mcp' }
-+ }));
-+
-+ /**
-+  * Admin endpoint to clear tool protection cache
-+  *
-+  * This allows AgentShield dashboard to invalidate cached tool protection
-+  * config immediately after changing delegation requirements.
-+  *
-+  * The API key is validated by making a test call to AgentShield API.
-+  *
-+  * Usage:
-+  *   POST /admin/clear-cache
-+  *   Headers: Authorization: Bearer <AGENTSHIELD_ADMIN_API_KEY>
-+  *   Body: { "agent_did": "did:key:z6Mk..." }
-+  *
-+  * Response:
-+  *   { "success": true, "message": "Cache cleared", "agent_did": "..." }
-+  */
-+ app.post("/admin/clear-cache", async (c) => {
-+   const env = c.env as PrefixedCloudflareEnv;
-+
-+   // Parse request body first to get agent_did
-+   const body = await c.req.json().catch(() => ({}));
-+   const agentDid = body.agent_did;
-+
-+   if (!agentDid || typeof agentDid !== 'string') {
-+     return c.json({
-+       success: false,
-+       error: "Bad Request - agent_did required in body"
-+     }, 400);
-+   }
-+
-+   // Extract API key from Authorization header
-+   const authHeader = c.req.header("Authorization");
-+   if (!authHeader || !authHeader.startsWith("Bearer ")) {
-+     return c.json({
-+       success: false,
-+       error: "Unauthorized - Missing or invalid Authorization header"
-+     }, 401);
-+   }
-+
-+   const apiKey = authHeader.slice(7); // Remove "Bearer " prefix
-+
-+   // Validate API key by making a test call to AgentShield
-+   // Use the bouncer config endpoint as the validation mechanism
-+   const agentShieldUrl = env.AGENTSHIELD_API_URL || "https://kya.vouched.id";
-+   const validationUrl = `${agentShieldUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
-+
-+   try {
-+     const validationResponse = await fetch(validationUrl, {
-+       method: 'GET',
-+       headers: {
-+         'Content-Type': 'application/json',
-+         'Authorization': `Bearer ${apiKey}`
-+       }
-+     });
-+
-+     if (!validationResponse.ok) {
-+       console.warn('[Admin] API key validation failed:', validationResponse.status);
-+       return c.json({
-+         success: false,
-+         error: "Unauthorized - Invalid API key"
-+       }, 401);
-+     }
-+
-+     // API key is valid, proceed to clear cache
-+     console.log('[Admin] API key validated successfully');
-+   } catch (error) {
-+     console.error('[Admin] API key validation error:', error);
-+     return c.json({
-+       success: false,
-+       error: "Failed to validate API key with AgentShield"
-+     }, 500);
-+   }
-+
-+   // Clear cache from KV
-+   // Cache key format: KVToolProtectionCache uses 'tool-protection:' prefix + agentDid
-+   // Since we're accessing KV directly (not through cache service), we need the full key
-+   const cacheKey = `tool-protection:${agentDid}`;
-+   const kvNamespace = env.TESTPROJECT_TOOL_PROTECTION_KV;
-+
-+   if (!kvNamespace) {
-+     return c.json({
-+       success: false,
-+       error: "Tool protection KV namespace not configured"
-+     }, 500);
-+   }
-+
-+   try {
-+     // Log before and after for debugging
-+     const before = await kvNamespace.get(cacheKey);
-+     await kvNamespace.delete(cacheKey);
-+     const after = await kvNamespace.get(cacheKey);
-+     
-+     console.log('[Admin] Cache clear operation', {
-+       agentDid: agentDid.slice(0, 20) + '...',
-+       cacheKey,
-+       hadValue: !!before,
-+       cleared: !after,
-+     });
-+     
-+     return c.json({
-+       success: true,
-+       message: "Cache cleared successfully. Next tool call will fetch fresh config from AgentShield.",
-+       agent_did: agentDid,
-+       cache_key: cacheKey,
-+       had_value: !!before,
-+     });
-+   } catch (error) {
-+     console.error('[Admin] Failed to clear cache:', error);
-+     return c.json({
-+       success: false,
-+       error: "Internal error clearing cache",
-+       details: error instanceof Error ? error.message : String(error)
-+     }, 500);
-+   }
-+ });
-+
-+ /**
-+  * OAuth Authorization Code Flow callback handler
-+  *
-+  * Handles the redirect from AgentShield after user approves delegation.
-+  * Exchanges authorization code for delegation token and stores in KV.
-+  *
-+  * This endpoint is called by AgentShield after user approves delegation:
-+  * 1. Receives authorization code and state from query params
-+  * 2. Exchanges code for delegation token with AgentShield API
-+  * 3. Stores token in KV with session ID as key
-+  * 4. Returns success page to user
-+  */
-+ app.get('/oauth/callback', (c) => {
-+   const env = c.env as PrefixedCloudflareEnv;
-+   return createOAuthCallbackHandler({
-+     agentShieldApiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-+     delegationStorage: env.TESTPROJECT_DELEGATION_STORAGE,
-+     autoClose: true,
-+     autoCloseDelay: 5000
-+   })(c);
-+ });
-+
-+ // Multi-instance DO routing using McpAgent's getInstanceId() override
-+ // The TestprojectMCP class overrides getInstanceId() to enable session-based
-+ // or shard-based routing while preserving PartyServer compatibility.
-+ //
-+ // Routing strategies (configured via DO_ROUTING_STRATEGY env var):
-+ //   - 'session' (default): One DO per MCP session - ensures data isolation
-+ //   - 'shard': Hash-based distribution across N shards - for high load
-+ //
-+ // McpAgent automatically routes to the correct DO instance using the ID
-+ // returned by getInstanceId(), maintaining full routing context.
-+ app.mount("/sse", TestprojectMCP.serveSSE("/sse").fetch, { replaceRequest: false });
-+ app.mount("/mcp", TestprojectMCP.serve("/mcp").fetch, { replaceRequest: false });
-+
-+ export default app;
-+
-
- ❯ src/__tests__/cloudflare-template.test.ts:149:28
-    147| 
-    148|       // Check that warning is logged in index.ts
-    149|       expect(indexContent).toContain("Warning: MCP_SERVER_URL not configured");
-       |                            ^
-    150|     });
-    151| 
-
-⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[1/2]⎯
-
- FAIL  test-cloudflare/tests/do-routing.test.ts > Durable Object Multi-Instance Routing > Performance Characteristics > shard routing should have O(n) complexity for hash
-AssertionError: expected 145.8617079999999 to be less than 100
- ❯ test-cloudflare/tests/do-routing.test.ts:263:44
-    261|       expect(shortDuration).toBeGreaterThan(0);
-    262|       // Both operations should complete in reasonable time (< 100ms total for 1000 iterations)
-    263|       expect(longDuration + shortDuration).toBeLessThan(100);
-       |                                            ^
-    264|     });
-    265|   });
-
-⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[2/2]⎯
-
-
- Test Files  2 failed | 10 passed (12)
-      Tests  2 failed | 235 passed (237)
-   Start at  14:20:47
-   Duration  1.25s (transform 1.21s, setup 0ms, collect 2.23s, tests 1.61s, environment 1ms, prepare 1.06s)
-
-[?25h ELIFECYCLE  Command failed with exit code 1.
+ ❯ src/__tests__/cloudflare-template.test.ts 0/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 0/19
+ ❯ src/__tests__/helpers/generate-config.test.ts 0/25
+ ❯ src/__tests__/helpers/validate-project-structure.test.ts 0/23
+ ❯ test-cloudflare/tests/do-routing.test.ts 12/14
+
+ Test Files 7 passed (12)
+      Tests 144 passed (237)
+   Start at 14:33:31
+   Duration 401ms
+[?2026l[?2026h ✓ test-cloudflare/tests/do-routing.test.ts (14 tests) 111ms
+ ✓ src/__tests__/helpers/generate-config.test.ts (25 tests) 64ms
+ ✓ src/__tests__/helpers/validate-project-structure.test.ts (23 tests) 58ms
+
+
+
+ ❯ src/__tests__/cloudflare-template.test.ts 8/24
+ ❯ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts 6/19
+
+ Test Files 10 passed (12)
+      Tests 208 passed (237)
+   Start at 14:33:31
+   Duration 501ms
+[?2026l ✓ src/__tests__/helpers/fetch-cloudflare-mcpi-template.test.ts (19 tests) 176ms
+ ✓ src/__tests__/cloudflare-template.test.ts (24 tests) 193ms
+
+ Test Files  12 passed (12)
+      Tests  237 passed (237)
+   Start at  14:33:31
+   Duration  628ms (transform 543ms, setup 0ms, collect 1.03s, tests 732ms, environment 1ms, prepare 323ms)
+
+ % Coverage report from v8
+-----------------------------------|---------|----------|---------|---------|---------------------------------------------------
+File                               | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s                                 
+-----------------------------------|---------|----------|---------|---------|---------------------------------------------------
+All files                          |   94.67 |    91.07 |     100 |   94.67 |                                                   
+ config-builder.ts                 |     100 |      100 |     100 |     100 |                                                   
+ fetch-cloudflare-mcpi-template.ts |   89.84 |    84.37 |     100 |   89.84 | 1863,1869,1888,1930-1936,1942,1945,1948,2044-2052 
+ generate-config.ts                |     100 |      100 |     100 |     100 |                                                   
+ generate-identity.ts              |     100 |      100 |     100 |     100 |                                                   
+ install.ts                        |     100 |      100 |     100 |     100 |                                                   
+ validate-project-structure.ts     |     100 |      100 |     100 |     100 |                                                   
+-----------------------------------|---------|----------|---------|---------|---------------------------------------------------
+[?25h