@kya-os/create-mcpi-app 1.7.38-canary.2 → 1.7.38

package/CHANGELOG.md

@@ -1,372 +0,0 @@
-# Changelog - @kya-os/create-mcpi-app
-
-All notable changes to create-mcpi-app will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [1.7.12] - 2025-10-30
-
-### Fixed
-- **MCP Server URL**: Fixed server URL not being sent in proof submissions from Durable Objects
-  - Durable Objects don't have direct access to environment variables
-  - Store MCP_SERVER_URL as class property during construction
-  - Use stored property instead of this.env.MCP_SERVER_URL
-  - Added logging to verify URL configuration
-  - Ensures AgentShield can correctly associate proofs with the right server
-
-## [1.7.11] - 2025-10-30
-
-### Fixed
-- **CRITICAL**: Fixed identity persistence issue - generated identity now actually gets used!
-  - Added MCP_IDENTITY_PRIVATE_KEY and MCP_IDENTITY_PUBLIC_KEY declarations to wrangler.toml [vars]
-  - Without these declarations, .dev.vars values were not being passed to the Worker
-  - Identity generated during scaffolding is now properly used across all sessions
-  - Restores `_durableObjectState` to prevent ephemeral identity generation
-  - Fixes confusing behavior where DID was generated but not actually persistent
-
-### Technical Details
-- Cloudflare Workers require ALL environment variables to be declared in wrangler.toml [vars]
-- Even though private keys are stored in .dev.vars, they must be declared (as empty strings) in wrangler.toml
-- The WorkersIdentityProvider falls back to ephemeral generation without proper env vars
-- This fix ensures the identity generated during scaffolding is actually used consistently
-
-## [1.7.10] - 2025-10-30
-
-### Fixed
-- **CRITICAL**: Fixed multiple DID generation issue in Durable Objects
-  - Each DO instance was generating its own identity instead of sharing one
-  - Removed `_durableObjectState` from environment mapping
-  - Identity now properly stored in IDENTITY_STORAGE KV namespace
-  - All DO instances now share the same DID across all sessions
-  - Fixes delegation configuration not working (tools couldn't be associated with changing DIDs)
-
-### Technical Details
-- Multi-instance DO routing (session-based) was creating separate identities per instance
-- Identity was incorrectly stored in DO state instead of KV storage
-- This caused different DIDs for different MCP sessions (e.g., different Claude Desktop conversations)
-- AgentShield tool protection configurations couldn't be applied to constantly changing DIDs
-
-## [1.7.9] - 2025-10-30
-
-### Fixed
-- **CRITICAL DX Issue**: AGENTSHIELD_API_KEY now properly declared in wrangler.toml [vars]
-  - API key from .dev.vars was not being passed to Worker environment
-  - Caused all AgentShield API calls to fail with 401 Unauthorized
-  - Now declared as empty string in [vars], overridden by .dev.vars or secrets
-  - Also added ADMIN_API_KEY declaration for consistency
-
-### Improved
-- **Developer Experience**: Added warning logging when API keys are missing
-  - Clear console warnings when AGENTSHIELD_API_KEY is empty
-  - Instructions on how to set it for both dev and production
-  - Helps developers quickly identify configuration issues
-
-- **Documentation**: Clarified identity storage in Cloudflare
-  - Added comment explaining that devIdentityPath is ignored in Cloudflare
-  - Cloudflare stores identity in Durable Object state, not files
-  - Prevents confusion about .mcpi/identity.json references
-
-### Technical Details
-- Cloudflare Workers require environment variables to be declared in wrangler.toml [vars]
-- Without declaration, .dev.vars values are not passed to the Worker
-- This affected both local development and production deployments
-
-## [1.7.2] - 2025-10-29
-
-### Fixed
-- **Test Suite**: Fixed 22 failing template tests in test-cloudflare directory
-  - Fixed cache-invalidation.test.ts: Large token size reduced, argument count fixed
-  - Fixed cors-security.test.ts: Added env validation, empty origin handling
-  - Fixed delegation.test.ts: All 7 tests now properly invoke mocks
-  - Fixed do-routing.test.ts: Performance timing relaxed, NaN validation added
-- **Test Configuration**: Added vitest.config.ts to exclude backup tests and integration tests
-  - Excluded `__tests__.bak` directory (backup tests)
-  - Excluded integration.test.ts (requires wrangler dependency)
-- **Test Coverage**: All 90 template tests now passing
-
-### Technical Details
-- Cache invalidation tests now properly test TTL expiration and verification
-- CORS tests handle undefined env objects gracefully
-- Delegation tests actually call mocked functions before asserting
-- DO routing validates shard count to prevent NaN results
-- Performance tests account for CI environment variability
-
-## [1.7.1] - 2025-10-29
-
-### Fixed
-- **CRITICAL**: Added missing `{ replaceRequest: false }` option to `.mount()` calls
-  - Without this option, Hono doesn't properly forward requests to McpAgent
-  - Caused 404 errors when accessing `/mcp` and `/sse` endpoints on deployed Workers
-  - Now matches the working pattern from hardware-world example
-  - Both local dev and deployed Workers now work correctly
-
-### Technical Details
-- `app.mount(path, handler, { replaceRequest: false })` is required for Hono + McpAgent
-- Without `replaceRequest: false`, Hono creates a new Request object that breaks McpAgent routing
-- This is a Hono-specific requirement when mounting sub-applications
-
-## [1.7.0] - 2025-10-29
-
-### Fixed
-- **CRITICAL**: Fixed "Missing namespace or room headers" error with multi-instance DO routing
-  - Removed custom pre-routing code that broke PartyServer context
-  - Implemented `getInstanceId()` override in McpAgent class for proper multi-instance support
-  - Now uses McpAgent's `.serve()` mounting while maintaining multi-instance routing
-  - Both session-based and shard-based strategies work correctly
-  - Preserves full PartyServer/McpAgent compatibility
-
-### Changed
-- **Architecture**: Multi-instance DO routing now works internally via `getInstanceId()` override
-  - McpAgent extracts session ID and calls `getInstanceId()` to determine DO instance
-  - No more custom routing middleware that bypasses McpAgent
-  - Routing strategies controlled via `DO_ROUTING_STRATEGY` environment variable
-  - Default strategy is 'session' (one DO per MCP session)
-  - 'shard' strategy available for high-load scenarios (hash-based distribution)
-
-### Technical Details
-- `getInstanceId()` is called internally by McpAgent during request handling
-- Method returns instance ID like `session:abc123` or `shard:5`
-- McpAgent uses this ID with `idFromName()` to route to correct DO
-- Full routing context preserved - no PartyServer errors
-- Backward compatible - falls back to 'default' instance on errors
-
-## [1.6.9] - 2025-10-29
-
-### Fixed
-- **Critical**: Fixed TypeScript syntax error in generated setup.js
-  - Removed TypeScript type annotations `(n: any)` from JavaScript file
-  - Setup script now runs without syntax errors during postinstall
-  - Error was: `SyntaxError: Unexpected token ':'` at line 163/312
-
-## [1.6.8] - 2025-10-29
-
-### Fixed
-- **Critical**: Fixed "Missing namespace or room headers" error with Durable Object routing
-  - Removed incorrect custom headers (`X-Party-Name`, `X-Party-Id`) that broke McpAgent compatibility
-  - Now passes original request directly to DO stub without modification
-  - McpAgent handles internal routing automatically
-  - Both `/sse/*` and `/mcp/*` endpoints now work correctly
-  - Multi-instance DO routing now fully functional
-
-### Changed
-- Simplified DO routing by trusting McpAgent's internal request handling
-- Removed unnecessary Request object creation that stripped routing metadata
-
-## [1.6.7] - 2025-10-29
-
-### Fixed
-- **Existing Namespace Detection**: Setup script now properly finds and uses existing KV namespaces
-  - Properly parses JSON output from `wrangler kv namespace list`
-  - Matches namespaces by title (binding name) instead of fragile regex
-  - Falls back to regex matching if JSON parsing fails
-  - Extracts IDs correctly when namespaces already exist (error code 10014)
-  - No more "Failed to create or find" errors when re-running setup
-
-### Changed
-- Namespace lookup now uses JSON.parse() for reliable ID extraction
-- Better error messages when namespaces can't be found
-- Consistent behavior across both success and error paths
-
-## [1.6.6] - 2025-10-29
-
-### Fixed
-- **Critical**: Durable Object routing now works with PartyServer!
-  - Fixed "Missing namespace or room headers" error when accessing `/mcp` endpoint
-  - Custom DO routing now adds required PartyServer headers (`X-Party-Name`, `X-Party-Id`)
-  - Both `/sse/*` and `/mcp/*` routes now properly forward to Durable Objects
-  - Maintains scalability with multiple DO instances while working with PartyServer's McpAgent
-
-### Changed
-- DO routing creates new Request objects with proper headers instead of forwarding raw requests
-- Headers include `X-Party-Name: 'mcp'` and `X-Party-Id: <instance-id>` for PartyServer compatibility
-
-## [1.6.5] - 2025-10-29
-
-### Fixed
-- **Critical**: KV namespace IDs now actually get written to wrangler.toml!
-  - Previous versions couldn't match placeholder values like `id = "your_nonce_kv_namespace_id"`
-  - Regex now correctly matches and replaces ANY value in the id field
-  - Changed pattern from `id = ""` to `id = "[^"]*"` to match placeholders
-  - Setup now shows "Updated 5 namespace ID(s)" instead of "Updated 0"
-  - Fixes "Missing namespace or room headers" Durable Object error
-  - Bindings now show actual IDs instead of placeholders
-
-### Changed
-- Placeholder detection also updated to look for `your_*` pattern instead of empty strings
-- Better error reporting when IDs can't be updated
-
-## [1.6.4] - 2025-10-29
-
-### Fixed
-- **Multiple Cloudflare Accounts Detection**: Now actually works!
-  - Previous version (1.6.2-1.6.3) tried to detect before KV creation but failed
-  - Now catches the error on first KV namespace creation attempt
-  - Shows helpful instructions immediately when multiple accounts detected
-  - Skips remaining namespace creation to avoid spamming errors
-  - Continues with other setup steps (.dev.vars, identity)
-  - Clear guidance on how to set CLOUDFLARE_ACCOUNT_ID or add account_id to wrangler.toml
-
-### Changed
-- Removed ineffective pre-emptive multi-account detection via `wrangler whoami`
-- Detection now happens at first KV creation error (more reliable)
-- Better error messages that reference the actual wrangler error output
-
-## [1.6.3] - 2025-10-29
-
-### Fixed
-- **Critical**: Fixed duplicate variable declarations in setup.js
-  - Removed duplicate `wranglerTomlPath` declaration
-  - Fixed duplicate `wranglerContent` declaration
-  - Setup script now runs without syntax errors
-
-## [1.6.2] - 2025-10-29
-
-### Improved
-- **Multiple Cloudflare Accounts**: Setup script now gracefully handles users with multiple Cloudflare accounts
-  - Detects when multiple accounts are configured
-  - Provides clear instructions on how to specify which account to use
-  - Options: Set `CLOUDFLARE_ACCOUNT_ID` env var or add `account_id` to wrangler.toml
-  - Skips KV creation gracefully instead of failing with cryptic errors
-  - Can still be run later with `npm run kv:create` after account is configured
-
-### Changed
-- Installation no longer fails for users with multiple Cloudflare accounts
-- Setup script provides helpful guidance instead of obscure wrangler errors
-
-## [1.6.1] - 2025-10-29
-
-### Fixed
-- **Critical**: Fixed regex syntax error in setup.js that caused installation failure
-  - Properly escaped backslashes in regex pattern `/binding = "[^"]+"\s*\nid = ""/g`
-  - Script now runs successfully during npm postinstall
-
-## [1.6.0] - 2025-10-29
-
-### Added
-- **Automated Setup Script** (`scripts/setup.js`): Zero-configuration KV namespace setup
-  - Automatically creates all 5 required KV namespaces
-  - Extracts namespace IDs and updates wrangler.toml
-  - Creates .dev.vars from example template
-  - Generates identity if missing
-  - Reduces setup time from 15 minutes to 5 minutes
-- **Comprehensive Test Templates**: Projects now include test files by default
-  - `tests/delegation.test.ts` - Delegation verification and caching tests
-  - `tests/do-routing.test.ts` - Multi-instance routing tests
-  - `tests/security.test.ts` - CORS and API key security tests
-  - `vitest.config.ts` - Pre-configured test setup with Miniflare
-- **Parallel Proof Operations**: 2x performance improvement
-  - Proof archive storage and AgentShield submission run in parallel
-  - Uses Promise.allSettled for better error handling
-
-### Fixed
-- **Critical Security Bug**: API key no longer written to wrangler.toml
-  - When using `--apikey` flag, key is now only stored in .dev.vars
-  - Added instructions to use `wrangler secret put` for production
-
-### Changed
-- Package.json now includes setup and test scripts
-- Reduced manual setup steps from 12 to 1
-- KV namespace IDs automatically configured
-
-## [1.5.0] - 2025-10-28
-
-### Added
-- Delegation verification with AgentShield API
-- Multi-instance Durable Object routing (session and shard strategies)
-- Two-tier delegation storage (session + agent DID)
-- Cache invalidation methods
-- Secure CORS configuration with environment-based origins
-
-### Fixed
-- Plain-text secrets vulnerability (moved to .dev.vars)
-- Open CORS vulnerability (removed origin: "*")
-- Excessive cache TTL (reduced from 7 days to 5 minutes)
-
-### Security
-- Secrets moved from wrangler.toml to .dev.vars
-- Added .dev.vars.example template
-- Production secrets use wrangler secret put
-
-## [1.4.5] - 2025-10-27
-
-### Fixed
-- Session management issues with MCP protocol
-- Cache consistency problems across Durable Objects
-- Identity persistence in development mode
-
-### Changed
-- Improved session tracking with proper TTL management
-- Better error handling for failed delegations
-
-## [1.2.0] - 2025-10-06
-
-### Added
-- 🎉 **First public release!**
-- Interactive project scaffolding with beautiful CLI prompts
-- Multiple project templates:
-  - HTTP transport server
-  - STDIO transport server
-  - Next.js integration
-  - Express.js integration
-  - Authentication examples (JWT, API key)
-- Automatic identity setup integration with `@kya-os/cli`
-- Package manager detection and selection (npm, pnpm, yarn)
-- TypeScript configuration with best practices
-- Git initialization with proper `.gitignore`
-- Environment file setup with MCP-I identity variables
-
-### Features
-- **Non-interactive mode**: `create-mcpi-app my-app --yes --use-npm`
-- **Local development**: `--local` flag for testing unpublished packages
-- **Template selection**: `--template <name>` for specific templates
-- **Automatic dependency installation**: Installs based on selected package manager
-- **Platform-specific guidance**: Detects deployment platform and provides setup instructions
-
-### Templates Included
-- `http-transport`: HTTP-based MCP server
-- `stdio-transport`: STDIO-based MCP server
-- `with-nextjs`: Next.js App Router integration
-- `auth-nextjs`: Next.js with authentication
-- `vercel-deploy`: Vercel deployment ready
-- `middlewares-jwt`: JWT authentication example
-
-### Developer Experience
-- Beautiful progress indicators
-- Color-coded output
-- Helpful error messages
-- Post-install instructions
-- Platform-specific deployment guides
-
-### Technical
-- Built with TypeScript
-- ESM module support
-- Robust error handling
-- Automatic cleanup on failure
-- Cross-platform compatibility (Windows, macOS, Linux)
-
----
-
-## Usage
-
-```bash
-# Interactive mode
-npx create-mcpi-app
-
-# With project name
-npx create-mcpi-app my-mcp-server
-
-# Non-interactive
-npx create-mcpi-app my-app --yes --template http-transport --use-npm
-
-# Local development/testing
-npx create-mcpi-app my-app --local
-```
-
-## Requirements
-
-- Node.js 16.x or higher
-- npm, pnpm, or yarn
-- Git (optional, for version control)
-
-For complete documentation, visit https://docs.kya-os.com/getting-started

package/DEPRECATION_WARNINGS_ANALYSIS.md

@@ -1,192 +0,0 @@
-# Deprecation Warnings Analysis
-
-## Summary
-
-The deprecation warnings seen when running `npx @kya-os/create-mcpi-app` are **transitive dependencies** from upstream packages. They cannot be directly fixed in `create-mcpi-app` without fixing the root packages.
-
-## Warning Sources
-
-### 1. `inflight@1.0.6` (deprecated - leaks memory)
-
-**Source Chain:**
-
-```
-@kya-os/mcp-i
-  └─ clean-webpack-plugin@4.0.0
-      └─ del@4.1.1
-          └─ rimraf@2.7.1
-              └─ glob@7.2.3
-                  └─ inflight@1.0.6 ❌
-
-@kya-os/mcp-i
-  └─ del@7.1.0
-      └─ rimraf@3.0.2
-          └─ glob@7.2.3
-              └─ inflight@1.0.6 ❌
-```
-
-**Fix Required In:** `@kya-os/mcp-i` package
-
-- Update `clean-webpack-plugin` to latest version (may have fixed this)
-- Update `del` to latest version (may have fixed this)
-- Or replace `clean-webpack-plugin` with native Node.js alternatives
-
-### 2. `phin@2.9.3` and `phin@3.7.1` (deprecated - no longer supported)
-
-**Source Chain:**
-
-```
-@kya-os/cli
-  └─ terminal-image@3.1.1
-      └─ render-gif@2.0.4
-          └─ jimp@0.14.0
-              └─ @jimp/core@0.14.0
-                  └─ load-bmfont@1.4.2
-                      └─ phin@3.7.1 ❌
-```
-
-**Fix Required In:** `@kya-os/cli` package
-
-- Update `terminal-image` to latest version
-- Or replace `terminal-image` with alternative that doesn't use deprecated `jimp`
-- Or update `jimp` to latest version (if available)
-
-### 3. `rimraf@2.7.1` and `rimraf@3.0.2` (deprecated - use v4+)
-
-**Source Chain:**
-
-```
-@kya-os/mcp-i
-  └─ clean-webpack-plugin@4.0.0
-      └─ del@4.1.1
-          └─ rimraf@2.7.1 ❌
-
-@kya-os/mcp-i
-  └─ del@7.1.0
-      └─ rimraf@3.0.2 ❌
-```
-
-**Fix Required In:** `@kya-os/mcp-i` package
-
-- Update `clean-webpack-plugin` to latest (may use rimraf@4+)
-- Update `del` to latest version (may use rimraf@4+)
-- Or add `rimraf@^5.0.0` as direct dependency to force resolution
-
-### 4. `glob@7.2.3` (deprecated - use v9+)
-
-**Source Chain:**
-
-```
-@kya-os/mcp-i
-  └─ clean-webpack-plugin@4.0.0
-      └─ del@4.1.1
-          └─ rimraf@2.7.1
-              └─ glob@7.2.3 ❌
-
-@kya-os/mcp-i
-  └─ del@7.1.0
-      └─ rimraf@3.0.2
-          └─ glob@7.2.3 ❌
-```
-
-**Fix Required In:** `@kya-os/mcp-i` package
-
-- Same as rimraf - update `clean-webpack-plugin` and `del` to latest versions
-
-### 5. `node-domexception@1.0.0` (deprecated - use native DOMException)
-
-**Source Chain:**
-
-```
-@modelcontextprotocol/inspector (optional dependency)
-  └─ node-fetch@3.3.2
-      └─ fetch-blob@3.2.0
-          └─ node-domexception@1.0.0 ❌
-```
-
-**Fix Required In:** `@modelcontextprotocol/inspector` package
-
-- This is an external package we don't control
-- Node.js 20+ has native DOMException, so this could be updated upstream
-
-## Solutions
-
-### Option 1: Fix in Upstream Packages (Recommended)
-
-**For `@kya-os/mcp-i`:**
-
-1. Update `clean-webpack-plugin` to latest version
-2. Update `del` to latest version
-3. Consider replacing `clean-webpack-plugin` with native `fs.rmSync` (Node.js 14.14+)
-
-**For `@kya-os/cli`:**
-
-1. Update `terminal-image` to latest version
-2. Consider replacing with alternative image display library
-3. Or make `terminal-image` optional/feature-flag
-
-**For `@modelcontextprotocol/inspector`:**
-
-- This is external - file issue with upstream maintainers
-- Or consider making it truly optional (not installed unless needed)
-
-### Option 2: Use npm/pnpm Overrides (Quick Fix)
-
-Add to `package.json`:
-
-```json
-{
-  "pnpm": {
-    "overrides": {
-      "rimraf": "^5.0.0",
-      "glob": "^11.0.0"
-    }
-  }
-}
-```
-
-**Note:** This forces newer versions but may cause compatibility issues if upstream packages aren't compatible.
-
-### Option 3: Accept Warnings (Current State)
-
-These are **warnings, not errors**. The package works fine. The warnings are:
-
-- Informational only
-- Don't affect functionality
-- Will be resolved when upstream packages update
-
-## Impact Assessment
-
-**Risk Level:** ⚠️ **LOW**
-
-- Warnings don't affect functionality
-- All deprecated packages still work
-- No security vulnerabilities (just deprecation notices)
-
-**User Experience Impact:** ⚠️ **MINIMAL**
-
-- Users see warnings but package works
-- Warnings are common in npm ecosystem
-- Most users ignore deprecation warnings
-
-## Recommendation
-
-**Short-term:** Accept the warnings - they don't affect functionality.
-
-**Medium-term:** Fix in upstream packages (`@kya-os/mcp-i` and `@kya-os/cli`):
-
-1. Update `clean-webpack-plugin` and `del` in `@kya-os/mcp-i`
-2. Update `terminal-image` in `@kya-os/cli` or make it optional
-3. File issue with `@modelcontextprotocol/inspector` maintainers
-
-**Long-term:** Consider replacing deprecated dependencies:
-
-- Replace `clean-webpack-plugin` with native `fs.rmSync`
-- Replace `terminal-image` with modern alternative
-- Make `@modelcontextprotocol/inspector` truly optional
-
-## Quick Wins
-
-1. **Update `del` in `@kya-os/mcp-i`** - Latest version may use newer `rimraf`
-2. **Update `clean-webpack-plugin`** - Latest version may have fixed dependencies
-3. **Make `terminal-image` optional** - Only install if needed for avatar display

package/IMPLEMENTATION_SUMMARY.md

@@ -1,108 +0,0 @@
-# Scaffolder Remediation - Implementation Summary
-
-## ✅ COMPLETED: NPM Package Sourcing Implementation
-
-The scaffolder has been successfully refactored to meet all requirements:
-
-### 1. NPM Package Sourcing ✅
-
-- **Replaced local templates** with npm package fetching from `xmcp@^0.3.1`
-- **Added CLI options**: `--xmcp-version <semver>` and `--xmcp-channel next`
-- **Default caret versioning**: Uses `^0.3.1` as default
-- **Upstream dependency**: Fetches from https://www.npmjs.com/package/xmcp
-
-### 2. Clean Template Structure ✅
-
-- **Removed identity utilities** from template (moved to CLI)
-- **Minimal template**: Only `src/server.ts`, `src/tools/index.ts`, `src/tools/hello.ts`
-- **Identity preset**: Applied on top of fetched XMCP template
-
-### 3. Exactly 8 Scripts ✅
-
-Generated apps now have exactly 8 scripts:
-
-```json
-{
-  "scripts": {
-    "dev": "xmcpi dev",
-    "build": "xmcpi build",
-    "start": "xmcpi start",
-    "init": "xmcpi init",
-    "register": "xmcpi register",
-    "keys:rotate": "xmcpi keys rotate",
-    "identity:clean": "xmcpi identity clean",
-    "status": "xmcpi status"
-  }
-}
-```
-
-### 4. Correct Dependencies ✅
-
-- **Removed**: `xmcp-i` (deprecated)
-- **Added**: `xmcpi` (new runtime) and `@kya-os/cli`
-- **Clean dependencies**: Only essential packages included
-
-### 5. Lockfile Management ✅
-
-- **Automatic detection**: Checks for appropriate lockfile after install
-- **User guidance**: Reminds to commit lockfile
-- **Warning system**: Alerts if lockfile not generated
-
-## Architecture
-
-```
-┌─────────────────────────────────────────────────────────────┐
-│ create-xmcpi-app (Scaffolder)                               │
-├─────────────────────────────────────────────────────────────┤
-│ 1. Fetch XMCP template from npm (xmcp@^0.3.1)              │
-│ 2. Apply identity preset on top                            │
-│ 3. Generate minimal XMCP-I project                         │
-└─────────────────────────────────────────────────────────────┘
-                              │
-                              ▼
-┌─────────────────────────────────────────────────────────────┐
-│ Generated XMCP-I App                                        │
-├─────────────────────────────────────────────────────────────┤
-│ src/                                                        │
-│ ├── server.ts      (XMCP + identity plugin composition)    │
-│ └── tools/                                                  │
-│     ├── index.ts   (tool exports)                          │
-│     └── hello.ts   (example tool)                          │
-│                                                             │
-│ Dependencies:                                               │
-│ ├── xmcpi          (identity-aware runtime)                │
-│ └── @kya-os/cli    (CLI for xmcpi binary)                  │
-└─────────────────────────────────────────────────────────────┘
-```
-
-## Usage Examples
-
-```bash
-# Default (uses xmcp@^0.3.1)
-npx @kya-os/create-xmcpi-app my-agent
-
-# Specific version
-npx @kya-os/create-xmcpi-app my-agent --xmcp-version 0.3.0
-
-# Next channel
-npx @kya-os/create-xmcpi-app my-agent --xmcp-channel next
-
-# Skip prompts
-npx @kya-os/create-xmcpi-app my-agent --yes
-```
-
-## Key Benefits
-
-1. **Upstream dependency**: Always uses latest XMCP template from npm
-2. **Version flexibility**: Supports specific versions and channels
-3. **Minimal footprint**: Generated apps are as small as possible
-4. **Identity integration**: Seamless identity features on top of XMCP
-5. **Proper tooling**: Uses official xmcpi CLI instead of custom scripts
-
-## Testing Needed
-
-- [ ] End-to-end scaffolding test
-- [ ] Version override testing (`--xmcp-version`)
-- [ ] Channel testing (`--xmcp-channel next`)
-- [ ] Generated app functionality
-- [ ] Identity features integration