@kya-os/create-mcpi-app 1.7.35 → 1.7.37

package/src/helpers/fetch-cloudflare-mcpi-template.ts

@@ -79,6 +79,7 @@ export async function fetchCloudflareMcpiTemplate(
         "test:coverage": "vitest run --coverage",
       },
       dependencies: {
+        "@kya-os/contracts": "^1.5.1",
         "@kya-os/mcp-i-cloudflare": "^1.3.2",
         "@modelcontextprotocol/sdk": "^1.19.1",
         agents: "^0.2.8",
@@ -1003,7 +1004,7 @@ export class ${pascalClassName}MCP extends McpAgent {
         return undefined;
       }
 
-      const toolProtectionConfig: any = {
+      const toolProtectionConfig: import('@kya-os/mcp-i-core').ToolProtectionServiceConfig = {
         apiUrl: runtimeConfig.toolProtection.agentShield?.apiUrl || env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
         apiKey: apiKey,
         projectId: runtimeConfig.toolProtection.agentShield?.projectId || env.AGENTSHIELD_PROJECT_ID,
@@ -1804,23 +1805,22 @@ XMCP_I_SESSION_TTL = "1800"
 
 # AgentShield Integration (https://kya.vouched.id)
 AGENTSHIELD_API_URL = "https://kya.vouched.id"
-# AGENTSHIELD_API_KEY - MUST be declared here for .dev.vars to work
-#   Development: Values in .dev.vars will override this empty string
-#   Production: Use wrangler secret put AGENTSHIELD_API_KEY
-AGENTSHIELD_API_KEY = ""
 # AGENTSHIELD_PROJECT_ID - Your project ID from AgentShield dashboard (e.g., "batman-txh0ae")
 #   Required for project-scoped tool protection configuration (recommended)
 #   Find it in your dashboard URL: https://kya.vouched.id/dashboard/projects/{PROJECT_ID}
 #   Or in your project settings
-#   This is not sensitive, so it's safe to keep a value here if provided
+#   This is not sensitive, so it's safe to keep a value here
 AGENTSHIELD_PROJECT_ID = "${projectId || ""}"
-# ADMIN_API_KEY - Used for protected admin endpoints (e.g., /admin/clear-cache)
-#   Set to same value as AGENTSHIELD_API_KEY by default
-#   Development: Values in .dev.vars will override this empty string
-#   Production: Use wrangler secret put ADMIN_API_KEY
-ADMIN_API_KEY = ""
 MCPI_ENV = "development"
 
+# Secrets (NOT declared here - see instructions below)
+# For local development: Add secrets to .dev.vars file
+# For production: Use wrangler secret put COMMAND_NAME
+#   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+#   $ wrangler secret put AGENTSHIELD_API_KEY
+#   $ wrangler secret put ADMIN_API_KEY
+# Note: .dev.vars is git-ignored and contains actual secret values for local dev
+
 # Optional: MCP Server URL for tool discovery
 # Uncomment to explicitly set your MCP server URL (auto-detected if not set)
 # MCP_SERVER_URL = "https://your-worker.workers.dev/mcp"
@@ -1847,11 +1847,12 @@ MCPI_ENV = "development"
 # Agent DID (public identifier - safe to commit)
 MCP_IDENTITY_AGENT_DID = "${identity.did}"
 
-# Identity keys - MUST be declared here for .dev.vars to work!
-# Development: Values in .dev.vars will override these empty strings
-# Production: Use wrangler secret put to set these
-MCP_IDENTITY_PRIVATE_KEY = ""
-MCP_IDENTITY_PUBLIC_KEY = ""
+# Public identity key (safe to commit - not sensitive)
+MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
+
+# Private identity key (SECRET - NOT declared here)
+# For local development: Add to .dev.vars file
+# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
 
 # ALLOWED_ORIGINS for CORS (update for production)
 ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
@@ -1862,36 +1863,26 @@ DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
 
 `;
 
-          // Update existing values in wrangler.toml if they already exist
-          // This handles the case where variables were added by the initial template
-          // IMPORTANT: Secrets are always kept as empty strings in wrangler.toml
-          // Actual values go in .dev.vars for local dev, wrangler secret put for production
+          // Remove any secret declarations from [vars] (they should not be here)
+          // Secrets go in .dev.vars for local dev, wrangler secret put for production
+          wranglerTomlContent = wranglerTomlContent.replace(
+            /^\s*MCP_IDENTITY_PRIVATE_KEY\s*=.*$/gm,
+            `# MCP_IDENTITY_PRIVATE_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`
+          );
+          wranglerTomlContent = wranglerTomlContent.replace(
+            /^\s*AGENTSHIELD_API_KEY\s*=.*$/gm,
+            `# AGENTSHIELD_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`
+          );
+          wranglerTomlContent = wranglerTomlContent.replace(
+            /^\s*ADMIN_API_KEY\s*=.*$/gm,
+            `# ADMIN_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`
+          );
 
-          // Ensure identity keys are empty strings (not actual values)
-          if (/MCP_IDENTITY_PRIVATE_KEY\s*=/.test(wranglerTomlContent)) {
-            wranglerTomlContent = wranglerTomlContent.replace(
-              /MCP_IDENTITY_PRIVATE_KEY\s*=\s*"[^"]*"/,
-              `MCP_IDENTITY_PRIVATE_KEY = ""`
-            );
-          }
+          // Update public key if it exists (safe to keep in [vars])
           if (/MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent)) {
             wranglerTomlContent = wranglerTomlContent.replace(
               /MCP_IDENTITY_PUBLIC_KEY\s*=\s*"[^"]*"/,
-              `MCP_IDENTITY_PUBLIC_KEY = ""`
-            );
-          }
-
-          // Ensure API keys are empty strings (not actual values)
-          if (/AGENTSHIELD_API_KEY\s*=/.test(wranglerTomlContent)) {
-            wranglerTomlContent = wranglerTomlContent.replace(
-              /AGENTSHIELD_API_KEY\s*=\s*"[^"]*"/,
-              `AGENTSHIELD_API_KEY = ""`
-            );
-          }
-          if (/ADMIN_API_KEY\s*=/.test(wranglerTomlContent)) {
-            wranglerTomlContent = wranglerTomlContent.replace(
-              /ADMIN_API_KEY\s*=\s*"[^"]*"/,
-              `ADMIN_API_KEY = ""`
+              `MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"`
             );
           }
 
@@ -1907,82 +1898,21 @@ DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
             );
           }
 
-          // Check if API key variables already exist in wrangler.toml
-          // (They may have been added by the initial template)
-          const hasAgentshieldApiKey = /AGENTSHIELD_API_KEY\s*=/.test(
-            wranglerTomlContent
-          );
-          const hasAgentshieldProjectId = /AGENTSHIELD_PROJECT_ID\s*=/.test(
-            wranglerTomlContent
-          );
-          const hasAdminApiKey = /ADMIN_API_KEY\s*=/.test(wranglerTomlContent);
+          // Check if non-secret variables already exist in wrangler.toml
           const hasIdentityDid = /MCP_IDENTITY_AGENT_DID\s*=/.test(
             wranglerTomlContent
           );
-          const hasIdentityPrivateKey = /MCP_IDENTITY_PRIVATE_KEY\s*=/.test(
-            wranglerTomlContent
-          );
           const hasIdentityPublicKey = /MCP_IDENTITY_PUBLIC_KEY\s*=/.test(
             wranglerTomlContent
           );
 
-          // Build API key declarations only for variables that don't already exist
-          // Cloudflare Workers REQUIRE variables to be declared in [vars] for .dev.vars to work
-          const apiKeyVarsParts: string[] = [];
-
-          if (
-            !hasAgentshieldApiKey ||
-            !hasAgentshieldProjectId ||
-            !hasAdminApiKey
-          ) {
-            apiKeyVarsParts.push(
-              `# API keys - MUST be declared here for .dev.vars to work!`
-            );
-            apiKeyVarsParts.push(
-              `# Development: Values in .dev.vars will override these empty strings`
-            );
-            apiKeyVarsParts.push(
-              `# Production: Use wrangler secret put to set these`
-            );
-          }
-
-          if (!hasAgentshieldApiKey) {
-            apiKeyVarsParts.push(`AGENTSHIELD_API_KEY = ""`);
-          }
-          if (!hasAdminApiKey) {
-            apiKeyVarsParts.push(`ADMIN_API_KEY = ""`);
-          }
-          // Only add AGENTSHIELD_PROJECT_ID if it doesn't exist
-          // If projectId is provided, it will be set above (lines 1897-1907)
-          // If not provided, we still need to declare it for .dev.vars to work
-          if (!hasAgentshieldProjectId) {
-            apiKeyVarsParts.push(
-              `AGENTSHIELD_PROJECT_ID = "${projectId || ""}"`
-            );
-          }
-
-          const apiKeyVars =
-            apiKeyVarsParts.length > 0
-              ? `\n${apiKeyVarsParts.join("\n")}\n`
-              : "";
-
-          // Only insert identity vars and API key vars if they don't already exist in [vars]
-          // If they already exist, we've already updated them above to ensure they're empty strings
-          // Note: API keys are already in initial template, so we mainly check for identity vars
-          // But we also check for API keys in case they were removed from template
-          const needsInsertion =
-            !hasIdentityDid ||
-            !hasIdentityPrivateKey ||
-            !hasIdentityPublicKey ||
-            (!hasAgentshieldApiKey && apiKeyVarsParts.length > 0) ||
-            (!hasAdminApiKey && apiKeyVarsParts.length > 0) ||
-            (!hasAgentshieldProjectId && apiKeyVarsParts.length > 0);
+          // Only insert identity vars if they don't already exist
+          const needsInsertion = !hasIdentityDid || !hasIdentityPublicKey;
 
           if (needsInsertion) {
             wranglerTomlContent =
               wranglerTomlContent.slice(0, insertPosition) +
               identityVars +
-              apiKeyVars +
               wranglerTomlContent.slice(insertPosition);
           }
 
@@ -1990,25 +1920,24 @@ DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
           fs.writeFileSync(wranglerPath, wranglerTomlContent);
 
           // Create .dev.vars file for local development (git-ignored)
+          // Only contains SECRETS (not public keys or project IDs)
           const devVarsPath = path.join(projectPath, ".dev.vars");
           const devVarsContent = `# Local development secrets (DO NOT COMMIT)
 # This file is git-ignored and contains sensitive data
 # 
 # HOW IT WORKS:
-# 1. Variables are declared in wrangler.toml [vars] as empty strings
-# 2. This file (.dev.vars) overrides them for local development
+# 1. Secrets are NOT declared in wrangler.toml [vars] (avoids conflicts)
+# 2. This file (.dev.vars) provides secrets for local development
 # 3. Production uses: wrangler secret put VARIABLE_NAME
+#
+# Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID) are in wrangler.toml
 
-# Identity keys (generated by create-mcpi-app)
+# Private identity key (generated by create-mcpi-app)
 MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
-MCP_IDENTITY_PUBLIC_KEY="${identity.publicKey}"
 
 # AgentShield API key (get from https://kya.vouched.id/dashboard)
 AGENTSHIELD_API_KEY="${apikey || ""}"${apikey ? "  # Provided via --apikey flag" : ""}
 
-# AgentShield Project ID (from dashboard URL: /dashboard/projects/{PROJECT_ID})
-AGENTSHIELD_PROJECT_ID="${projectId || ""}"${projectId ? "  # Provided via --project flag" : ""}
-
 # Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
 ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_API_KEY" : ""}
 `;
@@ -2021,15 +1950,17 @@ ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_
           );
           const devVarsExampleContent = `# Copy this file to .dev.vars and fill in your values
 # DO NOT commit .dev.vars to version control
+#
+# NOTE: Only secrets go here. Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID)
+# are in wrangler.toml [vars] and can be committed safely.
 
-# Identity keys (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
+# Private identity key (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
 MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
-MCP_IDENTITY_PUBLIC_KEY="your-public-key-here"
 
-# AgentShield API key (get from https://agentshield.ai)
+# AgentShield API key (get from https://kya.vouched.id/dashboard)
 AGENTSHIELD_API_KEY="your-api-key-here"
 
-# Admin API key for protected endpoints
+# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
 ADMIN_API_KEY="your-admin-key-here"
 `;
           fs.writeFileSync(devVarsExamplePath, devVarsExampleContent);
@@ -2047,18 +1978,22 @@ ADMIN_API_KEY="your-admin-key-here"
           console.log();
           console.log(chalk.yellow("🔒 Production Security:"));
           console.log(
-            chalk.dim("   Set secrets using wrangler (never commit them):")
+            chalk.dim("   Secrets are NOT in wrangler.toml (cleaner approach)")
           );
           console.log(
-            chalk.cyan("   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY")
+            chalk.dim("   For production, set secrets using wrangler:")
           );
           console.log(
-            chalk.cyan("   $ wrangler secret put MCP_IDENTITY_PUBLIC_KEY")
+            chalk.cyan("      $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY")
           );
           console.log(
-            chalk.cyan("   $ wrangler secret put AGENTSHIELD_API_KEY")
+            chalk.cyan("      $ wrangler secret put AGENTSHIELD_API_KEY")
+          );
+          console.log(chalk.cyan("      $ wrangler secret put ADMIN_API_KEY"));
+          console.log();
+          console.log(
+            chalk.dim("   Tip: Copy values from .dev.vars when prompted")
           );
-          console.log(chalk.cyan("   $ wrangler secret put ADMIN_API_KEY"));
           console.log();
         }
       } catch (error: any) {
@@ -2182,6 +2117,22 @@ ${packageManager === "npm" ? "npm run" : packageManager} dev
 
 ### 4. Deploy
 
+#### Production Deployment
+
+Secrets are **not** declared in \`wrangler.toml\` to avoid conflicts. Set them using:
+
+\`\`\`bash
+wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+wrangler secret put AGENTSHIELD_API_KEY
+wrangler secret put ADMIN_API_KEY
+\`\`\`
+
+**Tip:** Copy values from your \`.dev.vars\` file when prompted.
+
+**Note:** \`MCP_IDENTITY_PUBLIC_KEY\` and \`AGENTSHIELD_PROJECT_ID\` are not secrets and are already in \`wrangler.toml\` with values.
+
+Now deploy:
+
 \`\`\`bash
 ${packageManager === "npm" ? "npm run" : packageManager} deploy
 \`\`\`
@@ -2439,3 +2390,4 @@ Or simply don't configure the \`AGENTSHIELD_API_KEY\` environment variable.
     throw error;
   }
 }
+

package/src/index.ts

@@ -15,8 +15,10 @@ import {
   validateProjectName,
   validateDirectoryAvailability,
 } from "./utils/validate-project-name.js";
-import { ScaffolderResult, ScaffolderOptions } from "@kya-os/contracts";
-import { resetIdentity, regenerateIdentity } from "./helpers/identity-manager.js";
+import {
+  resetIdentity,
+  regenerateIdentity,
+} from "./helpers/identity-manager.js";
 
 checkNodeVersion();
 
@@ -44,10 +46,7 @@ const program = new Command()
   .option("--use-pnpm", "Use pnpm as package manager")
   .option("--skip-install", "Skip installing dependencies", false)
   .option("--skip-identity", "Skip identity generation", false)
-  .option(
-    "--no-identity",
-    "Create plain MCP project without identity features"
-  )
+  .option("--no-identity", "Create plain MCP project without identity features")
   .option("--vercel", "Add Vercel support for deployment", false)
   .option("--http", "Enable HTTP transport", false)
   .option("--stdio", "Enable STDIO transport", false)
@@ -55,11 +54,18 @@ const program = new Command()
   .option("--mcpi-version <version>", "Specify MCP-I version (e.g., ^1.2.7)")
   .option("--no-animation", "Skip the black hole animation", false)
   .option("--fast", "Use shorter animation duration", false)
-  .option("--platform <name>", "Deployment platform: node (default), cloudflare", "node")
+  .option(
+    "--platform <name>",
+    "Deployment platform: node (default), cloudflare",
+    "node"
+  )
   .option("--mode <name>", "Server mode: mcp-i (default), verifier", "mcp-i")
   .option("--template <name>", "[DEPRECATED] Use --platform and --mode instead")
   .option("--apikey <key>", "AgentShield API key for Cloudflare deployment")
-  .option("--project <id>", "AgentShield Project ID for Cloudflare deployment (enables project-scoped tool protection)")
+  .option(
+    "--project <id>",
+    "AgentShield Project ID for Cloudflare deployment (enables project-scoped tool protection)"
+  )
   .action(async (projectDir, options) => {
     console.log(chalk.bold(`\ncreate-mcpi-app@${packageJson.version}`));
 
@@ -122,7 +128,11 @@ const program = new Command()
 
     // Backward compatibility: map --template to --platform/--mode
     if (options.template) {
-      console.log(chalk.yellow("⚠️  --template is deprecated. Use --platform and --mode instead."));
+      console.log(
+        chalk.yellow(
+          "⚠️  --template is deprecated. Use --platform and --mode instead."
+        )
+      );
       if (options.template === "cloudflare") {
         platform = "cloudflare";
         mode = "verifier";
@@ -144,7 +154,9 @@ const program = new Command()
     );
 
     if (!isValid) {
-      console.error(chalk.red(`\n❌ Invalid platform/mode combination: ${platform}/${mode}`));
+      console.error(
+        chalk.red(`\n❌ Invalid platform/mode combination: ${platform}/${mode}`)
+      );
       console.log(chalk.yellow("\nSupported combinations:"));
       console.log(chalk.cyan("  - node + mcp-i (default)"));
       console.log(chalk.cyan("  - cloudflare + mcp-i"));
@@ -212,7 +224,11 @@ const program = new Command()
       }
 
       // Vercel deployment option (only for Node.js platform)
-      if (!options.vercel && transports.includes("http") && platform === "node") {
+      if (
+        !options.vercel &&
+        transports.includes("http") &&
+        platform === "node"
+      ) {
         const vercelAnswers = await inquirer.prompt([
           {
             type: "confirm",
@@ -349,15 +365,27 @@ const program = new Command()
         }
         console.log();
         console.log("2. Create KV namespaces (creates both NONCE and PROOF):");
-        console.log(`  ${chalk.cyan(`${packageManager === "npm" ? "npm run" : packageManager} kv:create`)}`);
-        console.log(chalk.gray("   Copy both namespace IDs from output and update wrangler.toml"));
+        console.log(
+          `  ${chalk.cyan(`${packageManager === "npm" ? "npm run" : packageManager} kv:create`)}`
+        );
+        console.log(
+          chalk.gray(
+            "   Copy both namespace IDs from output and update wrangler.toml"
+          )
+        );
         console.log();
         console.log("3. Test locally:");
-        console.log(`  ${chalk.cyan(`${packageManager === "npm" ? "npm run" : packageManager} dev`)}`);
+        console.log(
+          `  ${chalk.cyan(`${packageManager === "npm" ? "npm run" : packageManager} dev`)}`
+        );
         console.log();
         console.log("4. Deploy to Cloudflare:");
-        console.log(`  ${chalk.cyan("npx wrangler login")} ${chalk.gray("(first time only)")}`);
-        console.log(`  ${chalk.cyan(`${packageManager === "npm" ? "npm run" : packageManager} deploy`)}`);
+        console.log(
+          `  ${chalk.cyan("npx wrangler login")} ${chalk.gray("(first time only)")}`
+        );
+        console.log(
+          `  ${chalk.cyan(`${packageManager === "npm" ? "npm run" : packageManager} deploy`)}`
+        );
       } else {
         // Default MCP-I server instructions
         // Show agent management with claim URL first
@@ -449,30 +477,42 @@ const program = new Command()
 
 // Add subcommand for resetting identity
 program
-  .command('reset-identity')
-  .description('Reset the current project\'s identity (removes identity files)')
-  .option('-d, --dir <directory>', 'Project directory (defaults to current directory)')
+  .command("reset-identity")
+  .description("Reset the current project's identity (removes identity files)")
+  .option(
+    "-d, --dir <directory>",
+    "Project directory (defaults to current directory)"
+  )
   .action(async (options) => {
     try {
-      const projectPath = options.dir ? path.resolve(process.cwd(), options.dir) : process.cwd();
+      const projectPath = options.dir
+        ? path.resolve(process.cwd(), options.dir)
+        : process.cwd();
       await resetIdentity(projectPath);
     } catch (error) {
-      console.error(chalk.red('Failed to reset identity:'), error);
+      console.error(chalk.red("Failed to reset identity:"), error);
       process.exit(1);
     }
   });
 
 // Add subcommand for regenerating identity
 program
-  .command('regenerate-identity')
-  .description('Regenerate the current project\'s identity (creates new DID and keys)')
-  .option('-d, --dir <directory>', 'Project directory (defaults to current directory)')
+  .command("regenerate-identity")
+  .description(
+    "Regenerate the current project's identity (creates new DID and keys)"
+  )
+  .option(
+    "-d, --dir <directory>",
+    "Project directory (defaults to current directory)"
+  )
   .action(async (options) => {
     try {
-      const projectPath = options.dir ? path.resolve(process.cwd(), options.dir) : process.cwd();
+      const projectPath = options.dir
+        ? path.resolve(process.cwd(), options.dir)
+        : process.cwd();
       await regenerateIdentity(projectPath);
     } catch (error) {
-      console.error(chalk.red('Failed to regenerate identity:'), error);
+      console.error(chalk.red("Failed to regenerate identity:"), error);
       process.exit(1);
     }
   });

package/test-cloudflare/src/index.ts

@@ -1,3 +1,4 @@
+/// <reference types="@cloudflare/workers-types" />
 import { McpAgent } from "agents/mcp";
 import { Hono } from "hono";
 import { cors } from "hono/cors";

package/test-cloudflare/tsconfig.json

@@ -2,21 +2,15 @@
   "compilerOptions": {
     "target": "ES2022",
     "module": "ES2022",
-    "lib": [
-      "ES2022"
-    ],
-    "types": [
-      "@cloudflare/workers-types"
-    ],
+    "lib": ["ES2022"],
     "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "allowSyntheticDefaultImports": true,
     "esModuleInterop": true,
     "strict": true,
     "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true
+    "forceConsistentCasingInFileNames": true,
+    "noEmit": true
   },
-  "include": [
-    "src/**/*"
-  ]
+  "include": ["src/**/*", "tests/**/*"]
 }