@kya-os/create-mcpi-app 1.7.38-canary.1 → 1.7.38

package/dist/helpers/fetch-cloudflare-mcpi-template.js

@@ -61,7 +61,7 @@ export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
                 zod: "^3.25.76",
             },
             devDependencies: {
-                "@cloudflare/workers-types": "^4.20240925.0",
+                "@cloudflare/workers-types": "^4.20251109.0",
                 "@kya-os/create-mcpi-app": "^1.7.23",
                 "@vitest/coverage-v8": "^3.2.4",
                 miniflare: "^3.0.0",
@@ -659,39 +659,6 @@ describe('Security Configuration', () => {
 });
 `;
         fs.writeFileSync(path.join(testsDir, "security.test.ts"), securityTestContent);
-        // Create vitest config file
-        const vitestConfigContent = `import { defineConfig } from 'vitest/config';
-
-export default defineConfig({
-  test: {
-    environment: 'miniflare',
-    environmentOptions: {
-      kvNamespaces: [
-        '${className.toUpperCase()}_NONCE_CACHE',
-        '${className.toUpperCase()}_PROOF_ARCHIVE',
-        '${className.toUpperCase()}_IDENTITY_STORAGE',
-        '${className.toUpperCase()}_DELEGATION_STORAGE',
-        '${className.toUpperCase()}_TOOL_PROTECTION_KV'
-      ],
-      durableObjects: {
-        ${className.toUpperCase()}_OBJECT: '${pascalClassName}MCP'
-      }
-    },
-    coverage: {
-      provider: 'v8',
-      reporter: ['text', 'html'],
-      exclude: ['node_modules/', 'tests/', '*.config.ts'],
-      thresholds: {
-        statements: 80,
-        branches: 70,
-        functions: 80,
-        lines: 80
-      }
-    }
-  }
-});
-`;
-        fs.writeFileSync(path.join(projectPath, "vitest.config.ts"), vitestConfigContent);
         // Create greet tool
         const greetToolContent = `import { z } from "zod";
 
@@ -740,12 +707,9 @@ export const greetTool = {
 `;
         fs.writeFileSync(path.join(toolsDir, "greet.ts"), greetToolContent);
         // Create mcpi-runtime-config.ts for AgentShield integration
-        const runtimeConfigContent = `import type { MCPIConfig } from '@kya-os/contracts/config';
-import type { CloudflareRuntimeConfig } from '@kya-os/mcp-i-cloudflare/config';
+        const runtimeConfigContent = `import type { CloudflareRuntimeConfig } from '@kya-os/mcp-i-cloudflare/config';
 import type { CloudflareEnv } from '@kya-os/mcp-i-cloudflare';
-import { buildBaseConfig } from '@kya-os/create-mcpi-app/config-builder';
-// Always import CloudflareRuntime for tool protection service creation
-import { CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";
+import { defineConfig } from '@kya-os/mcp-i-cloudflare';
 
 /**
  * Runtime configuration for MCP-I server
@@ -761,106 +725,33 @@ import { CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";
  *
  * Note: The service fetches tool protection config by agent DID automatically.
  * No project ID configuration needed!
- *
- * This config uses the unified MCPIConfig architecture, ensuring the same
- * base configuration shape across all platforms (Cloudflare, Node.js, Vercel).
  */
 export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
-  // Build base config that works across all platforms
-  const baseConfig = buildBaseConfig(env);
-
-  // Extend with Cloudflare-specific properties
-  return {
-    ...baseConfig,
-    // Identity configuration
-    identity: {
-      ...baseConfig.identity,
-      enabled: true,
-      environment: (env.ENVIRONMENT || env.MCPI_ENV || 'development') as 'development' | 'production'
-    },
-    // Proofing configuration
-    proofing: {
-      enabled: true,
-      batchQueue: {
-        destinations: [
-          {
-            type: "agentshield" as const,
-            apiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-            apiKey: env.AGENTSHIELD_API_KEY || ''
-          }
-        ],
-        maxBatchSize: 10,
-        flushIntervalMs: 5000,
-        maxRetries: 3,
-        debug: (env.ENVIRONMENT || env.MCPI_ENV || 'development') === 'development'
-      }
-    },
-    // Delegation configuration
-    delegation: {
-      ...baseConfig.delegation
-    },
-    // Audit configuration
-    audit: {
-      ...baseConfig.audit
-    },
-    // Cloudflare Workers-specific configuration
-    workers: {
-      cpuMs: 50,
-      memoryMb: 128
-    },
-    // KV namespace bindings
-    kv: env.TOOL_PROTECTION_KV ? [{
-      name: 'TOOL_PROTECTION_KV',
-      purpose: 'cache' as const
-    }] : [],
-    // Environment variable bindings
+  return defineConfig({
+    // Only specify overrides - defaults are handled automatically
     vars: {
       ENVIRONMENT: env.ENVIRONMENT || env.MCPI_ENV || 'development',
-      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY
+      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
+      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
     },
-    // Tool protection service (Cloudflare-specific)
-    toolProtection: env.TOOL_PROTECTION_KV && env.AGENTSHIELD_API_KEY ? {
-      source: 'agentshield' as const,
-      agentShield: {
-        apiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-        apiKey: env.AGENTSHIELD_API_KEY,
-        projectId: env.AGENTSHIELD_PROJECT_ID,
-        cacheTtl: 300000 // 5 minutes
-      },
-      fallback: {
-        greet: {
-          requiresDelegation: false,
-          requiredScopes: ['greet:execute']
-        }
-      }
-    } : undefined
-  } as CloudflareRuntimeConfig;
+    // Optional: Enable admin endpoints
+    admin: {
+      enabled: false,  // Set to true and provide ADMIN_API_KEY to enable
+      apiKey: env.ADMIN_API_KEY,
+    },
+  });
 }
 `;
         fs.writeFileSync(path.join(srcDir, "mcpi-runtime-config.ts"), runtimeConfigContent);
-        // Create main index.ts using McpAgent with MCP-I runtime
-        const indexContent = `import { McpAgent } from "agents/mcp";
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { createCloudflareRuntime, type CloudflareEnv, KVProofArchive, type DetachedProof, createOAuthCallbackHandler, CloudflareRuntime, type HonoContext } from "@kya-os/mcp-i-cloudflare";
-import { DelegationRequiredError } from "@kya-os/mcp-i-core";
-import type { ToolProtectionService } from "@kya-os/mcp-i-core";
-import { Hono } from "hono";
-import { cors } from "hono/cors";
+        // Create main index.ts using MCPICloudflareServer
+        const indexContent = `import { MCPICloudflareAgent, createMCPIApp, type PrefixedCloudflareEnv } from "@kya-os/mcp-i-cloudflare";
 import { greetTool } from "./tools/greet";
 import { getRuntimeConfig } from "./mcpi-runtime-config";
-import type { CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare/config";
 
 /**
  * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
- * This allows multiple agents to share the same Cloudflare account without conflicts
  */
-interface PrefixedCloudflareEnv extends CloudflareEnv {
-  // Prefixed KV bindings (e.g., MYAGENT_NONCE_CACHE, MYAGENT_PROOF_ARCHIVE)
-  [key: string]: KVNamespace | string | DurableObjectState | undefined;
-  // Optional routing configuration
-  DO_ROUTING_STRATEGY?: string;
-  DO_SHARD_COUNT?: string;
-  // Prefixed KV namespaces (dynamically accessed)
+interface MyPrefixedCloudflareEnv extends PrefixedCloudflareEnv {
   ${className.toUpperCase()}_NONCE_CACHE?: KVNamespace;
   ${className.toUpperCase()}_PROOF_ARCHIVE?: KVNamespace;
   ${className.toUpperCase()}_IDENTITY_STORAGE?: KVNamespace;
@@ -868,806 +759,38 @@ interface PrefixedCloudflareEnv extends CloudflareEnv {
   ${className.toUpperCase()}_TOOL_PROTECTION_KV?: KVNamespace;
 }
 
-export class ${pascalClassName}MCP extends McpAgent {
-  server = new McpServer({
-    name: "${projectName}",
-    version: "1.0.0"
-  });
-
-  private mcpiRuntime?: ReturnType<typeof createCloudflareRuntime>;
-  private proofArchive?: KVProofArchive;
-  private agentShieldConfig?: { apiUrl: string; apiKey: string };
-  protected env: PrefixedCloudflareEnv;
-  private mcpServerUrl?: string;
-
-  constructor(state: DurableObjectState, env: PrefixedCloudflareEnv) {
-    super(state, env);
-    this.env = env;
-
-    // Create CloudflareEnv adapter to map prefixed KV bindings to expected names
-    // This allows multiple agents to be deployed without KV namespace conflicts
-    const mappedEnv: CloudflareEnv = {
-      // Map prefixed bindings to standard names expected by createCloudflareRuntime
-      // Use type assertions since these are guaranteed to exist at runtime
-      NONCE_CACHE: env.${className.toUpperCase()}_NONCE_CACHE as KVNamespace,
-      PROOF_ARCHIVE: env.${className.toUpperCase()}_PROOF_ARCHIVE as KVNamespace | undefined,
-      IDENTITY_STORAGE: env.${className.toUpperCase()}_IDENTITY_STORAGE as KVNamespace | undefined,
-      DELEGATION_STORAGE: env.${className.toUpperCase()}_DELEGATION_STORAGE as KVNamespace | undefined,
-      TOOL_PROTECTION_KV: env.${className.toUpperCase()}_TOOL_PROTECTION_KV as KVNamespace | undefined,
-      // Pass through environment variables unchanged
-      MCP_IDENTITY_PRIVATE_KEY: env.MCP_IDENTITY_PRIVATE_KEY,
-      MCP_IDENTITY_PUBLIC_KEY: env.MCP_IDENTITY_PUBLIC_KEY,
-      MCP_IDENTITY_AGENT_DID: env.MCP_IDENTITY_AGENT_DID,
-      // Pass through other env vars for runtime config
-      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
-      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
-      AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
-      MCPI_ENV: env.MCPI_ENV,
-      MCP_SERVER_URL: env.MCP_SERVER_URL,
-      // Pass Durable Object state for identity persistence
-      // NOTE: Without this, identity will be ephemeral (new DID every call)!
-      // Note: createCloudflareRuntime will automatically use KVIdentityProvider if IDENTITY_STORAGE KV is available
-      _durableObjectState: state,
-    };
-
-    // Store MCP server URL for proof submission context
-    // Auto-detect from request URL if not explicitly set (will be set in fetch handler)
-    this.mcpServerUrl = env.MCP_SERVER_URL;
-    if (this.mcpServerUrl) {
-      // Ensure URL includes /mcp path if not already present
-      if (!this.mcpServerUrl.endsWith('/mcp')) {
-        // Remove trailing slash if present, then append /mcp
-        const urlWithoutTrailingSlash = this.mcpServerUrl.endsWith('/') 
-          ? this.mcpServerUrl.slice(0, -1) 
-          : this.mcpServerUrl;
-        this.mcpServerUrl = urlWithoutTrailingSlash + '/mcp';
-      }
-      console.log('[MCP-I] MCP Server URL configured:', this.mcpServerUrl);
-    } else {
-      // Will be auto-detected from request URL in fetch handler
-      console.log('[MCP-I] MCP Server URL will be auto-detected from request');
-    }
-
-    // Load runtime configuration for AgentShield integration
-    // Pass mappedEnv so it can access KV bindings with standard names
-    const runtimeConfig = getRuntimeConfig(mappedEnv);
-
-    // ✅ Create tool protection service helper function
-    // Always import CloudflareRuntime but conditionally instantiate
-    function createToolProtectionService(env: CloudflareEnv, runtimeConfig: CloudflareRuntimeConfig): ToolProtectionService | undefined {
-      if (!runtimeConfig.toolProtection) {
-        return undefined;
-      }
-
-      if (!env.TOOL_PROTECTION_KV || !env.AGENTSHIELD_API_KEY) {
-        console.log('[MCP-I] Tool protection disabled - configure TOOL_PROTECTION_KV and AGENTSHIELD_API_KEY to enable');
-        return undefined;
-      }
-
-      const apiKey = env.AGENTSHIELD_API_KEY;
-      if (!apiKey) {
-        console.log('[MCP-I] Tool protection disabled - AGENTSHIELD_API_KEY not configured');
-        return undefined;
-      }
-
-      const toolProtectionConfig: import('@kya-os/mcp-i-core').ToolProtectionServiceConfig = {
-        apiUrl: runtimeConfig.toolProtection.agentShield?.apiUrl || env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-        apiKey: apiKey,
-        projectId: runtimeConfig.toolProtection.agentShield?.projectId || env.AGENTSHIELD_PROJECT_ID,
-        cacheTtl: runtimeConfig.toolProtection.agentShield?.cacheTtl || 300000,
-        debug: runtimeConfig.environment === 'development',
-      };
-
-      if (runtimeConfig.toolProtection.fallback) {
-        toolProtectionConfig.fallbackConfig = {
-          toolProtections: runtimeConfig.toolProtection.fallback
-        };
-      }
-
-      return CloudflareRuntime.createToolProtectionService(
-        env.TOOL_PROTECTION_KV!,
-        toolProtectionConfig
-      );
-    }
-
-    // Create tool protection service if configured
-    // Note: createCloudflareRuntime will automatically use KVIdentityProvider if IDENTITY_STORAGE KV is available
-    const toolProtectionService = createToolProtectionService(mappedEnv, runtimeConfig);
-
-    // Initialize MCP-I runtime for cryptographic proofs and identity
-    this.mcpiRuntime = createCloudflareRuntime({
-      env: mappedEnv as CloudflareEnv,
-      environment: runtimeConfig.environment,
-      audit: {
-        enabled: runtimeConfig.audit?.enabled ?? true,
-        logFunction: runtimeConfig.audit?.logFunction || ((record) => console.log('[MCP-I Audit]', record))
-      },
-      toolProtectionService
-    });
-
-    // Initialize proof archive if PROOF_ARCHIVE KV is available
-    if (mappedEnv.PROOF_ARCHIVE) {
-      this.proofArchive = new KVProofArchive(mappedEnv.PROOF_ARCHIVE);
-      console.log('[MCP-I] Proof archive enabled');
-    }
-
-    // Load AgentShield config for proof submission
-    if (runtimeConfig.proofing?.enabled && runtimeConfig.proofing.batchQueue) {
-      const agentShieldDest = runtimeConfig.proofing.batchQueue.destinations?.find(
-        (dest) => dest.type === "agentshield" && dest.apiKey
-      );
-      if (agentShieldDest && agentShieldDest.apiKey && agentShieldDest.apiUrl) {
-        this.agentShieldConfig = {
-          apiUrl: agentShieldDest.apiUrl,
-          apiKey: agentShieldDest.apiKey
-        };
-        console.log('[MCP-I] AgentShield enabled:', agentShieldDest.apiUrl);
-      }
-    }
-  }
-
-  /**
-   * Handle incoming requests
-   * Auto-detects MCP Server URL from request if not explicitly configured
-   */
-  async fetch(request: Request): Promise<Response> {
-    // Auto-detect MCP Server URL from request if not already set
-    if (!this.mcpServerUrl && request.url) {
-      try {
-        const requestUrl = new URL(request.url);
-        // Extract origin and ensure /mcp path is included
-        this.mcpServerUrl = requestUrl.origin + '/mcp';
-        console.log('[MCP-I] MCP Server URL auto-detected from request:', this.mcpServerUrl);
-      } catch (error) {
-        console.warn('[MCP-I] Failed to auto-detect MCP Server URL from request:', error);
-      }
-    }
-
-    // Delegate to McpAgent's fetch handler
-    return super.fetch(request);
-  }
-
-  /**
-   * Override getInstanceId() to enable multi-instance Durable Object routing
-   *
-   * This method is called internally by McpAgent to determine which DO instance
-   * should handle the request. By overriding it, we can implement custom routing
-   * strategies (session-based, shard-based, etc.) while maintaining full
-   * McpAgent compatibility and preserving PartyServer routing context.
-   *
-   * @returns Instance ID used by McpAgent for DO routing
-   */
-  getInstanceId(): string {
-    try {
-      // Get session ID from McpAgent's built-in extraction
-      const sessionId = this.getSessionId();
-
-      // Get routing strategy from environment (default: session)
-      const strategy = this.env.DO_ROUTING_STRATEGY || 'session';
-
-      if (strategy === 'session') {
-        // One DO instance per MCP session (recommended for most use cases)
-        // Sessions are isolated, ensuring data consistency per client
-        return \`session:\${sessionId}\`;
-      } else if (strategy === 'shard') {
-        // Hash-based sharding across N DO instances (for high load)
-        // Distributes load evenly while maintaining session affinity
-        const shardCount = parseInt(this.env.DO_SHARD_COUNT || '10');
-        // Validate shard count - must be a valid positive number
-        const validShardCount = (!isNaN(shardCount) && shardCount > 0) ? shardCount : 10;
-
-        // Simple hash function for session ID
-        let hash = 0;
-        for (let i = 0; i < sessionId.length; i++) {
-          hash = ((hash << 5) - hash) + sessionId.charCodeAt(i);
-          hash = hash & hash; // Convert to 32bit integer
-        }
-
-        const shard = Math.abs(hash) % validShardCount;
-        return \`shard:\${shard}\`;
-      }
-
-      // Fallback to single instance (legacy behavior)
-      return 'default';
-    } catch (error) {
-      // If session extraction fails, fall back to default instance
-      console.error('[DO Routing] Failed to extract session ID:', error);
-      return 'default';
-    }
-  }
-
-  /**
-   * Retrieve delegation token from KV storage
-   * Uses two-tier lookup: session cache (fast) → agent DID (stable)
-   *
-   * @param sessionId - MCP session ID from Claude Desktop
-   * @returns Delegation token if found, null otherwise
-   */
-  private async getDelegationToken(sessionId?: string): Promise<string | null> {
-    const delegationStorage = this.env.${className.toUpperCase()}_DELEGATION_STORAGE;
-
-    if (!delegationStorage) {
-      console.log('[Delegation] No delegation storage configured');
-      return null;
-    }
-
-    try {
-      // Fast path: Try session cache first
-      if (sessionId) {
-        const sessionKey = \`session:\${sessionId}\`;
-        const sessionToken = await delegationStorage.get(sessionKey);
-
-        if (sessionToken) {
-          // Verify token is still valid before returning
-          const isValid = await this.verifyDelegationWithAgentShield(sessionToken);
-          if (isValid) {
-            console.log('[Delegation] ✅ Token retrieved from session cache and verified');
-            return sessionToken;
-          } else {
-            // Token invalid, remove from cache
-            await this.invalidateDelegationCache(sessionId, sessionToken);
-            console.log('[Delegation] ⚠️ Cached token was invalid, removed from cache');
-          }
-        }
-      }
-
-      // Fallback: Try agent DID (stable across session changes)
-      if (this.mcpiRuntime) {
-        const identity = await this.mcpiRuntime.getIdentity();
-        if (identity?.did) {
-          const agentKey = \`agent:\${identity.did}:delegation\`;
-          const agentToken = await delegationStorage.get(agentKey);
-
-          if (agentToken) {
-            // Verify token is still valid before returning
-            const isValid = await this.verifyDelegationWithAgentShield(agentToken);
-            if (isValid) {
-              console.log('[Delegation] ✅ Token retrieved using agent DID and verified');
-
-              // Re-cache for current session (performance optimization)
-              if (sessionId) {
-                const sessionCacheKey = \`session:\${sessionId}\`;
-                await delegationStorage.put(sessionCacheKey, agentToken, {
-                  expirationTtl: 300 // 5 minutes for security (reduced from 30)
-                });
-                console.log('[Delegation] Token cached for session with 5-minute TTL:', sessionId);
-              }
-
-              return agentToken;
-            } else {
-              // Token invalid, remove from cache
-              await this.invalidateDelegationCache(sessionId, agentToken, identity.did);
-              console.log('[Delegation] ⚠️ Agent token was invalid, removed from cache');
-            }
-          }
-        }
-      }
-
-      console.log('[Delegation] No delegation token found');
-      return null;
-    } catch (error) {
-      console.error('[Delegation] Failed to retrieve token:', error);
-      return null;
-    }
-  }
-
-  /**
-   * Verify delegation token with AgentShield API
-   * @param token - Delegation token to verify
-   * @returns True if token is valid, false otherwise
-   */
-  private async verifyDelegationWithAgentShield(token: string): Promise<boolean> {
-    // Check verification cache first (1 minute TTL for verified tokens)
-    const verificationCache = this.env.TOOL_PROTECTION_KV;
-    if (verificationCache) {
-      const cacheKey = \`verified:\${token.substring(0, 16)}\`; // Use prefix to avoid key size issues
-      const cached = await verificationCache.get(cacheKey);
-      if (cached === '1') {
-        console.log('[Delegation] Token verification cached as valid');
-        return true;
-      }
-    }
-
-    try {
-      const agentShieldUrl = this.env.AGENTSHIELD_API_URL || 'https://kya.vouched.id';
-      const apiKey = this.env.AGENTSHIELD_API_KEY;
-
-      if (!apiKey) {
-        console.warn('[Delegation] No AgentShield API key configured, skipping verification');
-        return true; // Allow in development without API key
-      }
-
-      // Verify with AgentShield API
-      const response = await fetch(\`\${agentShieldUrl}/api/v1/bouncer/delegations/verify\`, {
-        method: 'POST',
-        headers: {
-          'Authorization': \`Bearer \${apiKey}\`,
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify({ token })
-      });
-
-      if (response.ok) {
-        // Cache successful verification for 1 minute
-        if (verificationCache) {
-          const cacheKey = \`verified:\${token.substring(0, 16)}\`;
-          await verificationCache.put(cacheKey, '1', {
-            expirationTtl: 60 // 1 minute cache for verified tokens
-          });
-        }
-        console.log('[Delegation] Token verified successfully with AgentShield');
-        return true;
-      }
-
-      if (response.status === 401 || response.status === 403) {
-        console.log('[Delegation] Token verification failed: unauthorized');
-        return false;
-      }
-
-      console.warn('[Delegation] Token verification returned unexpected status:', response.status);
-      return false; // Fail closed for security
-
-    } catch (error) {
-      console.error('[Delegation] Error verifying token with AgentShield:', error);
-      return false; // Fail closed on errors
-    }
-  }
-
-  /**
-   * Invalidate delegation token in all caches
-   * @param sessionId - Session ID to clear
-   * @param token - Token to invalidate
-   * @param agentDid - Agent DID to clear
-   */
-  private async invalidateDelegationCache(sessionId?: string, token?: string, agentDid?: string): Promise<void> {
-    const delegationStorage = this.env.${className.toUpperCase()}_DELEGATION_STORAGE;
-    const verificationCache = this.env.TOOL_PROTECTION_KV;
-
-    if (!delegationStorage) return;
-
-    const deletions: Promise<void>[] = [];
-
-    // Clear session cache
-    if (sessionId) {
-      const sessionKey = \`session:\${sessionId}\`;
-      deletions.push(delegationStorage.delete(sessionKey));
-    }
-
-    // Clear agent cache
-    if (agentDid) {
-      const agentKey = \`agent:\${agentDid}:delegation\`;
-      deletions.push(delegationStorage.delete(agentKey));
-    }
-
-    // Clear verification cache
-    if (token && verificationCache) {
-      const cacheKey = \`verified:\${token.substring(0, 16)}\`;
-      deletions.push(verificationCache.delete(cacheKey));
-    }
-
-    await Promise.all(deletions);
-    console.log('[Delegation] Cache invalidated for revoked/invalid token');
-  }
-
-  /**
-   * Submit proof to AgentShield API
-   * Uses the proof.jws directly (full JWS format from CloudflareRuntime)
-   *
-   * Also submits optional context for AgentShield dashboard integration.
-   * Context provides plaintext tool/args data while proof provides cryptographic verification.
-   */
-  private async submitProofToAgentShield(
-    proof: DetachedProof,
-    session: { id: string },
-    toolName: string,
-    args: Record<string, unknown>,
-    result: unknown
-  ): Promise<void> {
-    if (!this.agentShieldConfig || !proof.jws || !proof.meta) return;
-
-    const { apiUrl, apiKey } = this.agentShieldConfig;
-
-    // Get tool call context from runtime (if available)
-    const toolCallContext = this.mcpiRuntime?.getLastToolCallContext();
-
-    // Proof already has correct format from CloudflareRuntime
-    // Adding optional context for AgentShield dashboard (Option A architecture)
-    const requestBody = {
-      session_id: session.id,
-      delegation_id: null,
-      proofs: [{
-        jws: proof.jws,  // Already in full JWS format
-        meta: proof.meta  // Already has all required fields
-      }],
-      // ✅ NEW: Optional context for dashboard integration
-      context: {
-        toolCalls: toolCallContext ? [toolCallContext] : [{
-          // Fallback if context not available from runtime
-          tool: toolName,
-          args: args,
-          result: result,
-          scopeId: proof.meta.scopeId || \`\${toolName}:execute\`
-        }],
-        // ✅ NEW: MCP server URL for tool discovery (optional, only needed once)
-        mcpServerUrl: this.mcpServerUrl
-      }
-    };
-
-    console.log('[AgentShield] Submitting proof with context:', {
-      did: proof.meta.did,
-      sessionId: proof.meta.sessionId,
-      jwsFormat: proof.jws.split('.').length === 3 ? 'valid (3 parts)' : 'invalid',
-      contextTool: requestBody.context.toolCalls[0]?.tool,
-      contextScopeId: requestBody.context.toolCalls[0]?.scopeId,
-      mcpServerUrl: requestBody.context.mcpServerUrl || 'not-set'
-    });
-
-    const response = await fetch(\`\${apiUrl}/api/v1/bouncer/proofs\`, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': \`Bearer \${apiKey}\`
-      },
-      body: JSON.stringify(requestBody)
-    });
-
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error('[AgentShield] Submission failed:', response.status, errorText);
-      throw new Error(\`AgentShield error: \${response.status}\`);
-    }
-
-    const responseData = await response.json() as { success?: boolean; received?: number; processed?: number; accepted?: number; rejected?: number; errors?: Array<{ proofId: string; error: string }> };
-    console.log('[AgentShield] Response:', responseData);
-
-    if (responseData.accepted) {
-      console.log('[AgentShield] ✅ Proofs accepted:', responseData.accepted);
-    }
-    if (responseData.rejected) {
-      console.log('[AgentShield] ❌ Proofs rejected:', responseData.rejected);
-    }
-  }
-
-  async init() {
-    // Initialize MCP-I runtime (generates/loads identity, sets up nonce cache)
-    await this.mcpiRuntime?.initialize();
-
-    const identity = await this.mcpiRuntime?.getIdentity();
-    console.log('[MCP-I] Initialized with DID:', identity?.did);
-
+/**
+ * Your custom MCP agent - only define your tools here!
+ * All framework complexity (runtime initialization, proof generation, etc.) is handled automatically.
+ */
+export class ${pascalClassName}MCP extends MCPICloudflareAgent {
+  async registerTools() {
+    // Register your custom tools - proofs are generated automatically
     this.server.tool(
       greetTool.name,
       greetTool.description,
       greetTool.inputSchema.shape,
       async (args: { name: string }) => {
-        // Use MCP-I runtime's processToolCall for automatic proof generation
-        if (this.mcpiRuntime) {
-          try {
-            // Read MCP session ID from Claude Desktop (via agents framework)
-            let mcpSessionId: string | undefined;
-            try {
-              mcpSessionId = this.getSessionId();
-              console.log('[Delegation] Session ID from agents framework:', mcpSessionId);
-            } catch (error) {
-              console.log('[Delegation] Failed to get session ID from framework:', error);
-              mcpSessionId = undefined;
-            }
-
-            // Retrieve delegation token if available
-            const delegationToken = await this.getDelegationToken(mcpSessionId);
-
-            // Create session with proper ID (use actual session ID when available)
-            const timestamp = Date.now();
-            const sessionId = mcpSessionId || \`ephemeral-\${timestamp}-\${Math.random().toString(36).substring(2, 10)}\`;
-
-            const session = {
-              id: sessionId,  // Use actual session ID from Claude Desktop
-              audience: 'https://kya.vouched.id',  // CRITICAL: Must match AgentShield domain
-              agentDid: (await this.mcpiRuntime.getIdentity()).did,
-              createdAt: timestamp,
-              expiresAt: timestamp + (30 * 60 * 1000), // 30 minutes
-              delegationToken  // Include delegation token if available
-            };
-
-            // Execute tool with automatic proof generation
-            const result = await this.mcpiRuntime.processToolCall(
-              greetTool.name,
-              args,
-              greetTool.handler,
-              session
-            );
-
-            // Get proof in DetachedProof format
-            const proof = this.mcpiRuntime.getLastProof() as DetachedProof;
-
-            if (proof && proof.jws && proof.meta) {
-              // Log proof details (using DetachedProof format)
-              console.log('[MCP-I Proof]', {
-                tool: greetTool.name,
-                did: proof.meta.did,
-                timestamp: proof.meta.ts,
-                jws: proof.jws.substring(0, 50) + '...',
-                jwsValid: proof.jws.split('.').length === 3
-              });
-
-              // Parallelize proof operations for better performance
-              const proofOperations: Promise<void>[] = [];
-
-              // Add proof archive operation
-              if (this.proofArchive) {
-                proofOperations.push(
-                  this.proofArchive.store(proof, {
-                    toolName: greetTool.name
-                  }).then(() => {
-                    console.log('[MCP-I] Proof stored in archive');
-                  }).catch((archiveError: unknown) => {
-                    console.error('[MCP-I] Archive error:', archiveError instanceof Error ? archiveError.message : String(archiveError));
-                  })
-                );
-              }
-
-              // Add AgentShield submission operation
-              if (this.agentShieldConfig) {
-                proofOperations.push(
-                  this.submitProofToAgentShield(proof, session, greetTool.name, args, result)
-                    .catch((err: unknown) => {
-                      console.error('[MCP-I] AgentShield failed:', err instanceof Error ? err.message : String(err));
-                    })
-                );
-              }
-
-              // Execute all proof operations in parallel for better performance
-              if (proofOperations.length > 0) {
-                await Promise.allSettled(proofOperations);
-              }
-
-              // Attach proof to result for MCP Inspector
-              if (result && typeof result === 'object' && result !== null) {
-                (result as Record<string, unknown>)._meta = {
-                  proof: {
-                    jws: proof.jws,
-                    did: proof.meta.did,
-                    kid: proof.meta.kid,
-                    timestamp: proof.meta.ts,
-                    nonce: proof.meta.nonce,
-                    sessionId: proof.meta.sessionId,
-                    requestHash: proof.meta.requestHash,
-                    responseHash: proof.meta.responseHash
-                  }
-                };
-              }
-            }
-
-            return result;
-          } catch (error: unknown) {
-            // If this is a DelegationRequiredError, re-throw it so the MCP framework can handle it properly
-            // The agents/mcp framework will format it as a proper error response to Claude Desktop
-            if (error instanceof DelegationRequiredError) {
-              console.warn('[MCP-I] Delegation required, propagating error:', {
-                tool: error.toolName,
-                requiredScopes: error.requiredScopes,
-                consentUrl: error.consentUrl
-              });
-              throw error;
-            }
-            // Check for DelegationRequiredError by name (for cases where error is not instanceof)
-            if (error && typeof error === 'object' && 'name' in error && error.name === 'DelegationRequiredError') {
-              const delegationError = error as DelegationRequiredError;
-              console.warn('[MCP-I] Delegation required, propagating error:', {
-                tool: delegationError.toolName,
-                requiredScopes: delegationError.requiredScopes,
-                consentUrl: delegationError.consentUrl
-              });
-              throw error;
-            }
-            
-            // For other errors, log and fallback to direct execution
-            console.error('[MCP-I] Failed to process tool with runtime:', error);
-            // Fallback to direct execution
-            return await greetTool.handler(args);
-          }
-        }
-
-        // Fallback if runtime not available
-        return await greetTool.handler(args);
+        return this.executeToolWithProof(
+          greetTool.name,
+          args,
+          greetTool.handler
+        );
       }
     );
   }
 }
 
-const app = new Hono();
-
-// Secure CORS configuration
-app.use("/*", (c, next) => {
-  const env = c.env as PrefixedCloudflareEnv;
-  // Ensure ALLOWED_ORIGINS is a string, not a KVNamespace or DurableObjectState
-  const allowedOriginsStr = typeof env.ALLOWED_ORIGINS === 'string' ? env.ALLOWED_ORIGINS : undefined;
-  const allowedOrigins = allowedOriginsStr?.split(',').map((o: string) => o.trim()) || [
-    'https://claude.ai',
-    'https://app.anthropic.com'
-  ];
-
-  // Add localhost for development if not in production
-  const mcpiEnv = typeof env.MCPI_ENV === 'string' ? env.MCPI_ENV : undefined;
-  if (mcpiEnv !== 'production' && !allowedOrigins.includes('http://localhost:3000')) {
-    allowedOrigins.push('http://localhost:3000');
-  }
-
-  const origin = c.req.header('Origin') || '';
-  const isAllowed = allowedOrigins.includes(origin);
-
-  return cors({
-    origin: isAllowed ? origin : allowedOrigins[0], // Default to first allowed origin if not matched
-    allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-    allowHeaders: ["Content-Type", "Authorization", "mcp-session-id", "Mcp-Session-Id", "mcp-protocol-version"],
-    exposeHeaders: ["mcp-session-id", "Mcp-Session-Id"],
-    credentials: true,
-  })(c, next);
+// Create and export the app - all routing is handled automatically
+export default createMCPIApp({
+  AgentClass: ${pascalClassName}MCP,
+  agentName: "${projectName}",
+  agentVersion: "1.0.0",
+  envPrefix: "${className.toUpperCase()}",
+  getRuntimeConfig,
 });
-
-app.get("/health", (c) => c.json({
-  status: 'healthy',
-  timestamp: new Date().toISOString(),
-  transport: { sse: '/sse', streamableHttp: '/mcp' }
-}));
-
-/**
- * Admin endpoint to clear tool protection cache
- *
- * This allows AgentShield dashboard to invalidate cached tool protection
- * config immediately after changing delegation requirements.
- *
- * The API key is validated by making a test call to AgentShield API.
- *
- * Usage:
- *   POST /admin/clear-cache
- *   Headers: Authorization: Bearer <AGENTSHIELD_ADMIN_API_KEY>
- *   Body: { "agent_did": "did:key:z6Mk..." }
- *
- * Response:
- *   { "success": true, "message": "Cache cleared", "agent_did": "..." }
- */
-app.post("/admin/clear-cache", async (c) => {
-  const env = c.env as PrefixedCloudflareEnv;
-
-  // Parse request body first to get agent_did
-  const body = await c.req.json().catch(() => ({}));
-  const agentDid = body.agent_did;
-
-  if (!agentDid || typeof agentDid !== 'string') {
-    return c.json({
-      success: false,
-      error: "Bad Request - agent_did required in body"
-    }, 400);
-  }
-
-  // Extract API key from Authorization header
-  const authHeader = c.req.header("Authorization");
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    return c.json({
-      success: false,
-      error: "Unauthorized - Missing or invalid Authorization header"
-    }, 401);
-  }
-
-  const apiKey = authHeader.slice(7); // Remove "Bearer " prefix
-
-  // Validate API key by making a test call to AgentShield
-  // Use the bouncer config endpoint as the validation mechanism
-  const agentShieldUrl = env.AGENTSHIELD_API_URL || "https://kya.vouched.id";
-  const validationUrl = \`\${agentShieldUrl}/api/v1/bouncer/config?agent_did=\${encodeURIComponent(agentDid)}\`;
-
-  try {
-    const validationResponse = await fetch(validationUrl, {
-      method: 'GET',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': \`Bearer \${apiKey}\`
-      }
-    });
-
-    if (!validationResponse.ok) {
-      console.warn('[Admin] API key validation failed:', validationResponse.status);
-      return c.json({
-        success: false,
-        error: "Unauthorized - Invalid API key"
-      }, 401);
-    }
-
-    // API key is valid, proceed to clear cache
-    console.log('[Admin] API key validated successfully');
-  } catch (error) {
-    console.error('[Admin] API key validation error:', error);
-    return c.json({
-      success: false,
-      error: "Failed to validate API key with AgentShield"
-    }, 500);
-  }
-
-  // Clear cache from KV
-  // Cache key format: KVToolProtectionCache uses 'tool-protection:' prefix + agentDid
-  // Since we're accessing KV directly (not through cache service), we need the full key
-  const cacheKey = \`tool-protection:\${agentDid}\`;
-  const kvNamespace = env.${className.toUpperCase()}_TOOL_PROTECTION_KV;
-
-  if (!kvNamespace) {
-    return c.json({
-      success: false,
-      error: "Tool protection KV namespace not configured"
-    }, 500);
-  }
-
-  try {
-    // Log before and after for debugging
-    const before = await kvNamespace.get(cacheKey);
-    await kvNamespace.delete(cacheKey);
-    const after = await kvNamespace.get(cacheKey);
-    
-    console.log('[Admin] Cache clear operation', {
-      agentDid: agentDid.slice(0, 20) + '...',
-      cacheKey,
-      hadValue: !!before,
-      cleared: !after,
-    });
-    
-    return c.json({
-      success: true,
-      message: "Cache cleared successfully. Next tool call will fetch fresh config from AgentShield.",
-      agent_did: agentDid,
-      cache_key: cacheKey,
-      had_value: !!before,
-    });
-  } catch (error) {
-    console.error('[Admin] Failed to clear cache:', error);
-    return c.json({
-      success: false,
-      error: "Internal error clearing cache",
-      details: error instanceof Error ? error.message : String(error)
-    }, 500);
-  }
-});
-
-/**
- * OAuth Authorization Code Flow callback handler
- *
- * Handles the redirect from AgentShield after user approves delegation.
- * Exchanges authorization code for delegation token and stores in KV.
- *
- * This endpoint is called by AgentShield after user approves delegation:
- * 1. Receives authorization code and state from query params
- * 2. Exchanges code for delegation token with AgentShield API
- * 3. Stores token in KV with session ID as key
- * 4. Returns success page to user
- */
-app.get('/oauth/callback', async (c) => {
-  const env = c.env as PrefixedCloudflareEnv;
-  const handler = createOAuthCallbackHandler({
-    agentShieldApiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-    delegationStorage: env.${className.toUpperCase()}_DELEGATION_STORAGE,
-    autoClose: true,
-    autoCloseDelay: 5000
-  });
-  // Cast to HonoContext - Hono's context implements all required properties
-  return await handler(c as unknown as HonoContext);
-});
-
-// Multi-instance DO routing using McpAgent's getInstanceId() override
-// The ${pascalClassName}MCP class overrides getInstanceId() to enable session-based
-// or shard-based routing while preserving PartyServer compatibility.
-//
-// Routing strategies (configured via DO_ROUTING_STRATEGY env var):
-//   - 'session' (default): One DO per MCP session - ensures data isolation
-//   - 'shard': Hash-based distribution across N shards - for high load
-//
-// McpAgent automatically routes to the correct DO instance using the ID
-// returned by getInstanceId(), maintaining full routing context.
-app.mount("/sse", ${pascalClassName}MCP.serveSSE("/sse").fetch, { replaceRequest: false });
-app.mount("/mcp", ${pascalClassName}MCP.serve("/mcp").fetch, { replaceRequest: false });
-
-export default app;
 `;
         fs.writeFileSync(path.join(srcDir, "index.ts"), indexContent);
-        // Create wrangler.toml with optional API key
         const wranglerContent = `#:schema node_modules/wrangler/config-schema.json
 name = "${projectName}"
 main = "src/index.ts"
@@ -1927,6 +1050,14 @@ dist/
 *.log
 `;
         fs.writeFileSync(path.join(projectPath, ".gitignore"), gitignoreContent);
+        // Create .npmrc to suppress harmless deprecation warnings
+        const npmrcContent = `# Suppress deprecation warnings from transitive dependencies
+# These warnings are harmless and don't affect functionality
+# They come from: inflight (glob@7), phin (jimp), rimraf (del), glob (rimraf), node-domexception (node-fetch)
+# Will be resolved when upstream packages update their dependencies
+loglevel=error
+`;
+        fs.writeFileSync(path.join(projectPath, ".npmrc"), npmrcContent);
         // Create README.md
         const readmeContent = `# ${projectName}