@kya-os/create-mcpi-app 1.7.34 → 1.7.36

package/src/helpers/fetch-cloudflare-mcpi-template.ts

@@ -894,7 +894,7 @@ export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
     // Create main index.ts using McpAgent with MCP-I runtime
     const indexContent = `import { McpAgent } from "agents/mcp";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { createCloudflareRuntime, type CloudflareEnv, KVProofArchive, type DetachedProof, createOAuthCallbackHandler, CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";
+import { createCloudflareRuntime, type CloudflareEnv, KVProofArchive, type DetachedProof, createOAuthCallbackHandler, CloudflareRuntime, type HonoContext } from "@kya-os/mcp-i-cloudflare";
 import { DelegationRequiredError } from "@kya-os/mcp-i-core";
 import type { ToolProtectionService } from "@kya-os/mcp-i-core";
 import { Hono } from "hono";
@@ -1700,7 +1700,8 @@ app.get('/oauth/callback', async (c) => {
     autoClose: true,
     autoCloseDelay: 5000
   });
-  return await handler(c as any);
+  // Cast to HonoContext - Hono's context implements all required properties
+  return await handler(c as unknown as HonoContext);
 });
 
 // Multi-instance DO routing using McpAgent's getInstanceId() override
@@ -1803,23 +1804,22 @@ XMCP_I_SESSION_TTL = "1800"
 
 # AgentShield Integration (https://kya.vouched.id)
 AGENTSHIELD_API_URL = "https://kya.vouched.id"
-# AGENTSHIELD_API_KEY - MUST be declared here for .dev.vars to work
-#   Development: Values in .dev.vars will override this empty string
-#   Production: Use wrangler secret put AGENTSHIELD_API_KEY
-AGENTSHIELD_API_KEY = ""
 # AGENTSHIELD_PROJECT_ID - Your project ID from AgentShield dashboard (e.g., "batman-txh0ae")
 #   Required for project-scoped tool protection configuration (recommended)
 #   Find it in your dashboard URL: https://kya.vouched.id/dashboard/projects/{PROJECT_ID}
 #   Or in your project settings
-#   This is not sensitive, so it's safe to keep a value here if provided
+#   This is not sensitive, so it's safe to keep a value here
 AGENTSHIELD_PROJECT_ID = "${projectId || ""}"
-# ADMIN_API_KEY - Used for protected admin endpoints (e.g., /admin/clear-cache)
-#   Set to same value as AGENTSHIELD_API_KEY by default
-#   Development: Values in .dev.vars will override this empty string
-#   Production: Use wrangler secret put ADMIN_API_KEY
-ADMIN_API_KEY = ""
 MCPI_ENV = "development"
 
+# Secrets (NOT declared here - see instructions below)
+# For local development: Add secrets to .dev.vars file
+# For production: Use wrangler secret put COMMAND_NAME
+#   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+#   $ wrangler secret put AGENTSHIELD_API_KEY
+#   $ wrangler secret put ADMIN_API_KEY
+# Note: .dev.vars is git-ignored and contains actual secret values for local dev
+
 # Optional: MCP Server URL for tool discovery
 # Uncomment to explicitly set your MCP server URL (auto-detected if not set)
 # MCP_SERVER_URL = "https://your-worker.workers.dev/mcp"
@@ -1846,11 +1846,12 @@ MCPI_ENV = "development"
 # Agent DID (public identifier - safe to commit)
 MCP_IDENTITY_AGENT_DID = "${identity.did}"
 
-# Identity keys - MUST be declared here for .dev.vars to work!
-# Development: Values in .dev.vars will override these empty strings
-# Production: Use wrangler secret put to set these
-MCP_IDENTITY_PRIVATE_KEY = ""
-MCP_IDENTITY_PUBLIC_KEY = ""
+# Public identity key (safe to commit - not sensitive)
+MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
+
+# Private identity key (SECRET - NOT declared here)
+# For local development: Add to .dev.vars file
+# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
 
 # ALLOWED_ORIGINS for CORS (update for production)
 ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
@@ -1861,36 +1862,26 @@ DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
 
 `;
 
-          // Update existing values in wrangler.toml if they already exist
-          // This handles the case where variables were added by the initial template
-          // IMPORTANT: Secrets are always kept as empty strings in wrangler.toml
-          // Actual values go in .dev.vars for local dev, wrangler secret put for production
+          // Remove any secret declarations from [vars] (they should not be here)
+          // Secrets go in .dev.vars for local dev, wrangler secret put for production
+          wranglerTomlContent = wranglerTomlContent.replace(
+            /^\s*MCP_IDENTITY_PRIVATE_KEY\s*=.*$/gm,
+            `# MCP_IDENTITY_PRIVATE_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`
+          );
+          wranglerTomlContent = wranglerTomlContent.replace(
+            /^\s*AGENTSHIELD_API_KEY\s*=.*$/gm,
+            `# AGENTSHIELD_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`
+          );
+          wranglerTomlContent = wranglerTomlContent.replace(
+            /^\s*ADMIN_API_KEY\s*=.*$/gm,
+            `# ADMIN_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`
+          );
 
-          // Ensure identity keys are empty strings (not actual values)
-          if (/MCP_IDENTITY_PRIVATE_KEY\s*=/.test(wranglerTomlContent)) {
-            wranglerTomlContent = wranglerTomlContent.replace(
-              /MCP_IDENTITY_PRIVATE_KEY\s*=\s*"[^"]*"/,
-              `MCP_IDENTITY_PRIVATE_KEY = ""`
-            );
-          }
+          // Update public key if it exists (safe to keep in [vars])
           if (/MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent)) {
             wranglerTomlContent = wranglerTomlContent.replace(
               /MCP_IDENTITY_PUBLIC_KEY\s*=\s*"[^"]*"/,
-              `MCP_IDENTITY_PUBLIC_KEY = ""`
-            );
-          }
-
-          // Ensure API keys are empty strings (not actual values)
-          if (/AGENTSHIELD_API_KEY\s*=/.test(wranglerTomlContent)) {
-            wranglerTomlContent = wranglerTomlContent.replace(
-              /AGENTSHIELD_API_KEY\s*=\s*"[^"]*"/,
-              `AGENTSHIELD_API_KEY = ""`
-            );
-          }
-          if (/ADMIN_API_KEY\s*=/.test(wranglerTomlContent)) {
-            wranglerTomlContent = wranglerTomlContent.replace(
-              /ADMIN_API_KEY\s*=\s*"[^"]*"/,
-              `ADMIN_API_KEY = ""`
+              `MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"`
             );
           }
 
@@ -1906,82 +1897,21 @@ DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
             );
           }
 
-          // Check if API key variables already exist in wrangler.toml
-          // (They may have been added by the initial template)
-          const hasAgentshieldApiKey = /AGENTSHIELD_API_KEY\s*=/.test(
-            wranglerTomlContent
-          );
-          const hasAgentshieldProjectId = /AGENTSHIELD_PROJECT_ID\s*=/.test(
-            wranglerTomlContent
-          );
-          const hasAdminApiKey = /ADMIN_API_KEY\s*=/.test(wranglerTomlContent);
+          // Check if non-secret variables already exist in wrangler.toml
           const hasIdentityDid = /MCP_IDENTITY_AGENT_DID\s*=/.test(
             wranglerTomlContent
           );
-          const hasIdentityPrivateKey = /MCP_IDENTITY_PRIVATE_KEY\s*=/.test(
-            wranglerTomlContent
-          );
           const hasIdentityPublicKey = /MCP_IDENTITY_PUBLIC_KEY\s*=/.test(
             wranglerTomlContent
           );
 
-          // Build API key declarations only for variables that don't already exist
-          // Cloudflare Workers REQUIRE variables to be declared in [vars] for .dev.vars to work
-          const apiKeyVarsParts: string[] = [];
-
-          if (
-            !hasAgentshieldApiKey ||
-            !hasAgentshieldProjectId ||
-            !hasAdminApiKey
-          ) {
-            apiKeyVarsParts.push(
-              `# API keys - MUST be declared here for .dev.vars to work!`
-            );
-            apiKeyVarsParts.push(
-              `# Development: Values in .dev.vars will override these empty strings`
-            );
-            apiKeyVarsParts.push(
-              `# Production: Use wrangler secret put to set these`
-            );
-          }
-
-          if (!hasAgentshieldApiKey) {
-            apiKeyVarsParts.push(`AGENTSHIELD_API_KEY = ""`);
-          }
-          if (!hasAdminApiKey) {
-            apiKeyVarsParts.push(`ADMIN_API_KEY = ""`);
-          }
-          // Only add AGENTSHIELD_PROJECT_ID if it doesn't exist
-          // If projectId is provided, it will be set above (lines 1897-1907)
-          // If not provided, we still need to declare it for .dev.vars to work
-          if (!hasAgentshieldProjectId) {
-            apiKeyVarsParts.push(
-              `AGENTSHIELD_PROJECT_ID = "${projectId || ""}"`
-            );
-          }
-
-          const apiKeyVars =
-            apiKeyVarsParts.length > 0
-              ? `\n${apiKeyVarsParts.join("\n")}\n`
-              : "";
-
-          // Only insert identity vars and API key vars if they don't already exist in [vars]
-          // If they already exist, we've already updated them above to ensure they're empty strings
-          // Note: API keys are already in initial template, so we mainly check for identity vars
-          // But we also check for API keys in case they were removed from template
-          const needsInsertion =
-            !hasIdentityDid ||
-            !hasIdentityPrivateKey ||
-            !hasIdentityPublicKey ||
-            (!hasAgentshieldApiKey && apiKeyVarsParts.length > 0) ||
-            (!hasAdminApiKey && apiKeyVarsParts.length > 0) ||
-            (!hasAgentshieldProjectId && apiKeyVarsParts.length > 0);
+          // Only insert identity vars if they don't already exist
+          const needsInsertion = !hasIdentityDid || !hasIdentityPublicKey;
 
           if (needsInsertion) {
             wranglerTomlContent =
               wranglerTomlContent.slice(0, insertPosition) +
               identityVars +
-              apiKeyVars +
               wranglerTomlContent.slice(insertPosition);
           }
 
@@ -1989,25 +1919,24 @@ DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
           fs.writeFileSync(wranglerPath, wranglerTomlContent);
 
           // Create .dev.vars file for local development (git-ignored)
+          // Only contains SECRETS (not public keys or project IDs)
           const devVarsPath = path.join(projectPath, ".dev.vars");
           const devVarsContent = `# Local development secrets (DO NOT COMMIT)
 # This file is git-ignored and contains sensitive data
 # 
 # HOW IT WORKS:
-# 1. Variables are declared in wrangler.toml [vars] as empty strings
-# 2. This file (.dev.vars) overrides them for local development
+# 1. Secrets are NOT declared in wrangler.toml [vars] (avoids conflicts)
+# 2. This file (.dev.vars) provides secrets for local development
 # 3. Production uses: wrangler secret put VARIABLE_NAME
+#
+# Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID) are in wrangler.toml
 
-# Identity keys (generated by create-mcpi-app)
+# Private identity key (generated by create-mcpi-app)
 MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
-MCP_IDENTITY_PUBLIC_KEY="${identity.publicKey}"
 
 # AgentShield API key (get from https://kya.vouched.id/dashboard)
 AGENTSHIELD_API_KEY="${apikey || ""}"${apikey ? "  # Provided via --apikey flag" : ""}
 
-# AgentShield Project ID (from dashboard URL: /dashboard/projects/{PROJECT_ID})
-AGENTSHIELD_PROJECT_ID="${projectId || ""}"${projectId ? "  # Provided via --project flag" : ""}
-
 # Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
 ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_API_KEY" : ""}
 `;
@@ -2020,15 +1949,17 @@ ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_
           );
           const devVarsExampleContent = `# Copy this file to .dev.vars and fill in your values
 # DO NOT commit .dev.vars to version control
+#
+# NOTE: Only secrets go here. Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID)
+# are in wrangler.toml [vars] and can be committed safely.
 
-# Identity keys (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
+# Private identity key (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
 MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
-MCP_IDENTITY_PUBLIC_KEY="your-public-key-here"
 
-# AgentShield API key (get from https://agentshield.ai)
+# AgentShield API key (get from https://kya.vouched.id/dashboard)
 AGENTSHIELD_API_KEY="your-api-key-here"
 
-# Admin API key for protected endpoints
+# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
 ADMIN_API_KEY="your-admin-key-here"
 `;
           fs.writeFileSync(devVarsExamplePath, devVarsExampleContent);
@@ -2046,18 +1977,22 @@ ADMIN_API_KEY="your-admin-key-here"
           console.log();
           console.log(chalk.yellow("🔒 Production Security:"));
           console.log(
-            chalk.dim("   Set secrets using wrangler (never commit them):")
+            chalk.dim("   Secrets are NOT in wrangler.toml (cleaner approach)")
           );
           console.log(
-            chalk.cyan("   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY")
+            chalk.dim("   For production, set secrets using wrangler:")
           );
           console.log(
-            chalk.cyan("   $ wrangler secret put MCP_IDENTITY_PUBLIC_KEY")
+            chalk.cyan("      $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY")
           );
           console.log(
-            chalk.cyan("   $ wrangler secret put AGENTSHIELD_API_KEY")
+            chalk.cyan("      $ wrangler secret put AGENTSHIELD_API_KEY")
+          );
+          console.log(chalk.cyan("      $ wrangler secret put ADMIN_API_KEY"));
+          console.log();
+          console.log(
+            chalk.dim("   Tip: Copy values from .dev.vars when prompted")
           );
-          console.log(chalk.cyan("   $ wrangler secret put ADMIN_API_KEY"));
           console.log();
         }
       } catch (error: any) {
@@ -2181,6 +2116,22 @@ ${packageManager === "npm" ? "npm run" : packageManager} dev
 
 ### 4. Deploy
 
+#### Production Deployment
+
+Secrets are **not** declared in \`wrangler.toml\` to avoid conflicts. Set them using:
+
+\`\`\`bash
+wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+wrangler secret put AGENTSHIELD_API_KEY
+wrangler secret put ADMIN_API_KEY
+\`\`\`
+
+**Tip:** Copy values from your \`.dev.vars\` file when prompted.
+
+**Note:** \`MCP_IDENTITY_PUBLIC_KEY\` and \`AGENTSHIELD_PROJECT_ID\` are not secrets and are already in \`wrangler.toml\` with values.
+
+Now deploy:
+
 \`\`\`bash
 ${packageManager === "npm" ? "npm run" : packageManager} deploy
 \`\`\`
@@ -2438,3 +2389,4 @@ Or simply don't configure the \`AGENTSHIELD_API_KEY\` environment variable.
     throw error;
   }
 }
+

package/test-cloudflare/src/index.ts

@@ -1,3 +1,4 @@
+/// <reference types="@cloudflare/workers-types" />
 import { McpAgent } from "agents/mcp";
 import { Hono } from "hono";
 import { cors } from "hono/cors";

package/test-cloudflare/tsconfig.json

@@ -2,21 +2,15 @@
   "compilerOptions": {
     "target": "ES2022",
     "module": "ES2022",
-    "lib": [
-      "ES2022"
-    ],
-    "types": [
-      "@cloudflare/workers-types"
-    ],
+    "lib": ["ES2022"],
     "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "allowSyntheticDefaultImports": true,
     "esModuleInterop": true,
     "strict": true,
     "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true
+    "forceConsistentCasingInFileNames": true,
+    "noEmit": true
   },
-  "include": [
-    "src/**/*"
-  ]
+  "include": ["src/**/*", "tests/**/*"]
 }