@kya-os/create-mcpi-app 1.7.39-canary.1 → 1.7.39-canary.10

package/README.md

@@ -76,22 +76,20 @@ npx create-mcpi-app my-quick-agent --yes
 ```
 my-agent/
 ├── src/
-│   ├── server.ts                   # Main agent server with identity
-│   └── tools/
-│       ├── index.ts               # Tool exports
-│       └── hello.ts               # Example tool with identity integration
-│       ├── identity-info.ts       # Display agent identity information
-│       ├── sign-message.ts        # Sign messages with agent's key
-│       └── verify-signature.ts    # Verify ownership and signatures
-├── package.json                    # Dependencies including xmcp-i
-├── tsconfig.json                   # TypeScript configuration
-├── .env.example                    # Environment variables for identity
-├── .gitignore                      # Includes identity security rules
-├── .eslintrc.json                  # Code quality configuration
-└── README.md                       # Agent-specific documentation
-```
-
-**Security Note**: Identity management is now handled by the `mcpi` CLI. Development identities are stored in `.mcpi/identity.json` (gitignored) and production identities use environment variables.
+│   ├── index.ts                   # Main agent server (~40 lines - super clean!)
+│   ├── mcpi-runtime-config.ts      # Runtime configuration (~50 lines)
+│   └── tools/                      # Your business logic only
+│       └── greet.ts                # Example tool
+├── wrangler.toml                   # Cloudflare Workers config
+├── package.json                    # Dependencies
+└── README.md                       # Quick start guide
+```
+
+**Key Features:**
+- **Next.js-Style Architecture**: All framework complexity hidden in `@kya-os/mcp-i-cloudflare`
+- **Consent Pages**: Server-hosted consent flow with XSS prevention
+- **Auto-Detection**: Server URL automatically detected from requests
+- **Clean Code**: Only your business logic visible - no implementation details
 
 ## Platform-Specific Features
 
@@ -102,7 +100,48 @@ my-agent/
 - **Durable Objects**: Built-in state management for MCP sessions
 - **Zero Cold Starts**: Instant response times with Durable Objects
 - **KV Storage**: Efficient nonce caching for security
-- **WebSockets**: Real-time bidirectional communication support
+- **Consent Pages**: Server-hosted consent flow with auto-detection
+- **XSS Prevention**: Secure consent page rendering with CSP headers
+- **Proof Batching**: Automatic proof submission with cron-based flushing
+
+#### Proof Batching & Cron Jobs
+
+MCP-I automatically batches proofs for efficient submission to AgentShield. Proofs are:
+
+1. **Batched within requests**: When multiple tools are called, proofs are collected and submitted together
+2. **Flushed via cron**: A cron job flushes pending proofs every minute (configurable)
+
+**Cron Configuration:**
+
+The scaffolder automatically adds a cron trigger to `wrangler.toml`:
+
+```toml
+[[triggers.crons]]
+cron = "* * * * *"  # Every minute (default)
+```
+
+To adjust the flush frequency, edit `wrangler.toml`:
+
+```toml
+[[triggers.crons]]
+cron = "*/5 * * * *"  # Every 5 minutes (recommended for production)
+```
+
+**Verifying Proof Submission:**
+
+1. Check Cloudflare Worker logs for `[ProofService]` messages:
+   - `[ProofService] Initialized:` - Service started successfully
+   - `[ProofService] Enqueuing proof` - Proof added to batch queue
+   - `[ProofService] ✅ Proofs accepted` - Proofs submitted successfully
+
+2. View proofs in AgentShield dashboard:
+   - Navigate to `/proofs` page for your project
+   - Proofs appear within 5 minutes of tool execution
+
+3. Verify tool discovery:
+   - Navigate to `/tools` page
+   - Tools are automatically discovered from proof submissions
+   - Ensure `MCP_SERVER_URL` is set correctly (without `/mcp` suffix)
 
 ### Vercel - Edge Identity
 

package/dist/helpers/config-builder.d.ts

@@ -9,7 +9,8 @@
  * NOTE: buildBaseConfig has been moved to @kya-os/contracts/config for shared use.
  * This module re-exports it for backward compatibility and adds remote fetching support.
  */
-export { buildBaseConfig } from '@kya-os/contracts/config';
+import { buildBaseConfig } from '@kya-os/contracts/config';
+export { buildBaseConfig };
 import type { MCPIConfig } from '@kya-os/contracts/config';
 import { type RemoteConfigCache } from '../utils/fetch-remote-config.js';
 /**

package/dist/helpers/config-builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-builder.d.ts","sourceRoot":"","sources":["../../src/helpers/config-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAG3D,OAAO,KAAK,EACV,UAAU,EAQX,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEzB;;;;OAIG;IACH,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEzE;;;OAGG;IACH,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAE1B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,UAAU,CAAC,CAwBrB"}
+{"version":3,"file":"config-builder.d.ts","sourceRoot":"","sources":["../../src/helpers/config-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAG3D,OAAO,EAAE,eAAe,EAAE,CAAC;AAE3B,OAAO,KAAK,EACV,UAAU,EAQX,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEzB;;;;OAIG;IACH,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEzE;;;OAGG;IACH,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAE1B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,UAAU,CAAC,CAwBrB"}

package/dist/helpers/config-builder.js

@@ -9,9 +9,10 @@
  * NOTE: buildBaseConfig has been moved to @kya-os/contracts/config for shared use.
  * This module re-exports it for backward compatibility and adds remote fetching support.
  */
-// Re-export buildBaseConfig from contracts (single source of truth)
-export { buildBaseConfig } from '@kya-os/contracts/config';
+// Import buildBaseConfig from contracts for local use and re-export
 import { buildBaseConfig } from '@kya-os/contracts/config';
+// Re-export buildBaseConfig for backward compatibility
+export { buildBaseConfig };
 import { fetchRemoteConfig } from '../utils/fetch-remote-config.js';
 /**
  * Build config with remote fetching support

package/dist/helpers/config-builder.js.map

@@ -1 +1 @@
-{"version":3,"file":"config-builder.js","sourceRoot":"","sources":["../../src/helpers/config-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,oEAAoE;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAa3D,OAAO,EACL,iBAAiB,EAGlB,MAAM,iCAAiC,CAAC;AAgCzC;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,OAA6B;IAE7B,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAExD,sEAAsE;IACtE,IAAI,GAAG,CAAC,mBAAmB,IAAI,aAAa,EAAE,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CACpC;YACE,MAAM,EAAE,GAAG,CAAC,mBAAmB,IAAI,wBAAwB;YAC3D,MAAM,EAAE,GAAG,CAAC,mBAAmB;YAC/B,SAAS,EAAE,GAAG,CAAC,sBAAsB;YACrC,QAAQ;YACR,QAAQ,EAAE,MAAM,EAAE,YAAY;YAC9B,aAAa;SACd,EACD,KAAK,CACN,CAAC;QAEF,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC"}
+{"version":3,"file":"config-builder.js","sourceRoot":"","sources":["../../src/helpers/config-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,oEAAoE;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,uDAAuD;AACvD,OAAO,EAAE,eAAe,EAAE,CAAC;AAa3B,OAAO,EACL,iBAAiB,EAGlB,MAAM,iCAAiC,CAAC;AAgCzC;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,OAA6B;IAE7B,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAExD,sEAAsE;IACtE,IAAI,GAAG,CAAC,mBAAmB,IAAI,aAAa,EAAE,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CACpC;YACE,MAAM,EAAE,GAAG,CAAC,mBAAmB,IAAI,wBAAwB;YAC3D,MAAM,EAAE,GAAG,CAAC,mBAAmB;YAC/B,SAAS,EAAE,GAAG,CAAC,sBAAsB;YACrC,QAAQ;YACR,QAAQ,EAAE,MAAM,EAAE,YAAY;YAC9B,aAAa;SACd,EACD,KAAK,CACN,CAAC;QAEF,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC"}

package/dist/helpers/fetch-cloudflare-mcpi-template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fetch-cloudflare-mcpi-template.d.ts","sourceRoot":"","sources":["../../src/helpers/fetch-cloudflare-mcpi-template.ts"],"names":[],"mappings":"AAKA,UAAU,6BAA6B;IACrC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,6BAAkC,GAC1C,OAAO,CAAC,IAAI,CAAC,CA09Cf"}
+{"version":3,"file":"fetch-cloudflare-mcpi-template.d.ts","sourceRoot":"","sources":["../../src/helpers/fetch-cloudflare-mcpi-template.ts"],"names":[],"mappings":"AAKA,UAAU,6BAA6B;IACrC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,6BAAkC,GAC1C,OAAO,CAAC,IAAI,CAAC,CAgyCf"}

package/dist/helpers/fetch-cloudflare-mcpi-template.js

@@ -9,10 +9,24 @@ import { generateIdentity } from "./generate-identity.js";
 export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
     const { packageManager = "npm", projectName = path.basename(projectPath), apikey, projectId, skipIdentity = false, } = options;
     // Sanitize project name for class names
-    const className = projectName
+    let className = projectName
         .replace(/[^a-zA-Z0-9]/g, "")
         .replace(/^[0-9]/, "_$&");
+    // Fallback to prevent empty class names
+    if (!className || className.length === 0) {
+        className = "Project";
+    }
     const pascalClassName = className.charAt(0).toUpperCase() + className.slice(1);
+    // Sanitize project name for wrangler.toml (alphanumeric, lowercase, dashes only)
+    let wranglerName = projectName
+        .toLowerCase()
+        .replace(/[^a-z0-9-]/g, "-") // Replace invalid chars with dashes
+        .replace(/-+/g, "-") // Replace multiple dashes with single dash
+        .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
+    // Fallback to prevent empty wrangler names
+    if (!wranglerName || wranglerName.length === 0) {
+        wranglerName = "worker";
+    }
     try {
         console.log(chalk.blue("📦 Setting up Cloudflare Worker MCP server..."));
         // Create package.json
@@ -53,8 +67,8 @@ export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
                 "test:coverage": "vitest run --coverage",
             },
             dependencies: {
-                "@kya-os/contracts": "^1.5.1",
-                "@kya-os/mcp-i-cloudflare": "^1.3.2",
+                "@kya-os/contracts": "^1.5.2-canary.0",
+                "@kya-os/mcp-i-cloudflare": "^1.4.1-canary.1",
                 "@modelcontextprotocol/sdk": "^1.19.1",
                 agents: "^0.2.8",
                 hono: "^4.9.10",
@@ -228,9 +242,38 @@ async function setup() {
 
     log(\`Creating \${ns.name} (\${ns.purpose})...\`, colors.blue);
 
+    // First, check if namespace already exists
+    let existingNamespace = null;
+    try {
+      const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+      
+      try {
+        const allNamespaces = JSON.parse(listOutput);
+        existingNamespace = allNamespaces.find(n => n.title === ns.binding);
+      } catch (parseError) {
+        // Fallback to regex if JSON parsing fails
+        const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
+        if (existingMatch && existingMatch[1]) {
+          existingNamespace = { id: existingMatch[1], title: ns.binding };
+        }
+      }
+    } catch (listError) {
+      // If we can't list namespaces, continue to try creating
+    }
+
+    if (existingNamespace && existingNamespace.id) {
+      kvIds[ns.binding] = existingNamespace.id;
+      log(\`  ✅ Using existing namespace with ID: \${existingNamespace.id}\`, colors.green);
+      continue;
+    }
+
+    // Namespace doesn't exist, try to create it
     try {
-      // Create the namespace
-      const output = execSync(\`wrangler kv namespace create "\${ns.binding}"\`, { encoding: 'utf-8', stderr: 'pipe' });
+      // Suppress stderr to avoid noisy error messages
+      const output = execSync(\`wrangler kv namespace create "\${ns.binding}"\`, { 
+        encoding: 'utf-8', 
+        stdio: ['pipe', 'pipe', 'pipe'] 
+      });
 
       // Extract the ID from output
       const idMatch = output.match(/id = "([^"]+)"/);
@@ -239,36 +282,26 @@ async function setup() {
         kvIds[ns.binding] = idMatch[1];
         log(\`  ✅ Created with ID: \${idMatch[1]}\`, colors.green);
       } else {
-        // Try to get existing namespace
-        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8' });
-
+        log(\`  ⚠️  Created but could not extract ID. Checking existing namespaces...\`, colors.yellow);
+        // Fallback: try to find it in the list
+        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
         try {
-          const namespaces = JSON.parse(listOutput);
-          const existingNamespace = namespaces.find(n => n.title === ns.binding);
-
-          if (existingNamespace && existingNamespace.id) {
-            kvIds[ns.binding] = existingNamespace.id;
-            log(\`  ⚠️  Namespace already exists with ID: \${existingNamespace.id}\`, colors.yellow);
-          } else {
-            log(\`  ⚠️  Could not extract ID for \${ns.binding}. You may need to add it manually.\`, colors.yellow);
-          }
-        } catch (parseError) {
-          // Fallback to regex if JSON parsing fails
-          const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-
-          if (existingMatch && existingMatch[1]) {
-            kvIds[ns.binding] = existingMatch[1];
-            log(\`  ⚠️  Namespace already exists with ID: \${existingMatch[1]}\`, colors.yellow);
-          } else {
-            log(\`  ⚠️  Could not extract ID for \${ns.binding}. You may need to add it manually.\`, colors.yellow);
+          const allNamespaces = JSON.parse(listOutput);
+          const found = allNamespaces.find(n => n.title === ns.binding);
+          if (found && found.id) {
+            kvIds[ns.binding] = found.id;
+            log(\`  ✅ Found ID: \${found.id}\`, colors.green);
           }
+        } catch {
+          // Ignore parse errors
         }
       }
     } catch (error) {
       const errorMessage = error.message || error.toString();
+      const errorOutput = error.stdout || error.stderr || '';
 
       // Check if this is a multiple accounts error
-      if (errorMessage.includes('More than one account') || errorMessage.includes('multiple accounts')) {
+      if (errorMessage.includes('More than one account') || errorMessage.includes('multiple accounts') || errorOutput.includes('More than one account')) {
         multipleAccountsDetected = true;
         log('\\n⚠️  Multiple Cloudflare accounts detected!\\n', colors.yellow);
         log('Wrangler cannot automatically select an account in non-interactive mode.\\n', colors.yellow);
@@ -286,37 +319,39 @@ async function setup() {
         break;
       }
 
-      // Check if namespace already exists
-      try {
-        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8' });
-
-        // Parse JSON output
+      // Check if namespace already exists (common case - suppress noisy error)
+      if (errorMessage.includes('already exists') || errorOutput.includes('already exists') || errorOutput.includes('code: 10014')) {
+        // Try to get the existing namespace ID
         try {
-          const namespaces = JSON.parse(listOutput);
-
-          // Look for namespace by title (which matches the binding name)
-          const existingNamespace = namespaces.find(n => n.title === ns.binding);
-
-          if (existingNamespace && existingNamespace.id) {
-            kvIds[ns.binding] = existingNamespace.id;
-            log(\`  ⚠️  Found existing namespace with ID: \${existingNamespace.id}\`, colors.yellow);
-          } else {
-            log(\`  ⚠️  Could not find existing namespace: \${ns.binding}\`, colors.yellow);
-            log(\`     Error: \${errorMessage}\`, colors.yellow);
-          }
-        } catch (parseError) {
-          // If JSON parse fails, try regex as fallback
-          const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-
-          if (existingMatch && existingMatch[1]) {
-            kvIds[ns.binding] = existingMatch[1];
-            log(\`  ⚠️  Found existing namespace with ID: \${existingMatch[1]}\`, colors.yellow);
-          } else {
-            log(\`  ❌ Failed to create \${ns.binding}: \${errorMessage}\`, colors.red);
+          const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+          
+          try {
+            const allNamespaces = JSON.parse(listOutput);
+            const found = allNamespaces.find(n => n.title === ns.binding);
+            
+            if (found && found.id) {
+              kvIds[ns.binding] = found.id;
+              log(\`  ✅ Using existing namespace with ID: \${found.id}\`, colors.green);
+            } else {
+              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
+            }
+          } catch (parseError) {
+            // Fallback to regex
+            const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
+            if (existingMatch && existingMatch[1]) {
+              kvIds[ns.binding] = existingMatch[1];
+              log(\`  ✅ Using existing namespace with ID: \${existingMatch[1]}\`, colors.green);
+            } else {
+              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
+            }
           }
+        } catch (listError) {
+          log(\`  ⚠️  Namespace may already exist. Run 'wrangler kv namespace list' to verify.\`, colors.yellow);
         }
-      } catch (listError) {
-        log(\`  ❌ Failed to create or find \${ns.binding}\`, colors.red);
+      } else {
+        // Some other error occurred
+        log(\`  ❌ Failed to create \${ns.binding}\`, colors.red);
+        log(\`     Error: \${errorMessage}\`, colors.red);
       }
     }
   }
@@ -422,243 +457,8 @@ setup().catch((error) => {
         if (process.platform !== "win32") {
             fs.chmodSync(path.join(scriptsDir, "setup.js"), "755");
         }
-        // Create tests directory
-        const testsDir = path.join(projectPath, "tests");
-        fs.ensureDirSync(testsDir);
-        // Create delegation test file
-        const delegationTestContent = `import { describe, test, expect, vi, beforeEach } from 'vitest';
-
-/**
- * Delegation Management Tests
- * Tests delegation verification, caching, and invalidation
- */
-describe('Delegation Management', () => {
-  const mockDelegationStorage = {
-    get: vi.fn(),
-    put: vi.fn(),
-    delete: vi.fn()
-  };
-
-  const mockVerificationCache = {
-    get: vi.fn(),
-    put: vi.fn(),
-    delete: vi.fn()
-  };
-
-  const mockEnv = {
-    ${className.toUpperCase()}_DELEGATION_STORAGE: mockDelegationStorage,
-    TOOL_PROTECTION_KV: mockVerificationCache,
-    AGENTSHIELD_API_KEY: 'test-key',
-    AGENTSHIELD_API_URL: 'https://test.agentshield.ai'
-  };
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    global.fetch = vi.fn();
-  });
-
-  test('should verify delegation token with AgentShield API', async () => {
-    const token = 'test-delegation-token';
-
-    // Mock verification cache miss
-    mockVerificationCache.get.mockResolvedValueOnce(null);
-
-    // Mock API success
-    global.fetch = vi.fn().mockResolvedValueOnce({
-      ok: true
-    });
-
-    // Test verification would happen here
-    expect(global.fetch).toHaveBeenCalledWith(
-      expect.stringContaining('/api/v1/bouncer/delegations/verify'),
-      expect.objectContaining({
-        method: 'POST',
-        body: JSON.stringify({ token })
-      })
-    );
-  });
-
-  test('should use 5-minute cache TTL for delegations', async () => {
-    const token = 'test-token';
-    const sessionId = 'test-session';
-
-    await mockDelegationStorage.put(
-      \`session:\${sessionId}\`,
-      token,
-      { expirationTtl: 300 } // 5 minutes
-    );
-
-    expect(mockDelegationStorage.put).toHaveBeenCalledWith(
-      expect.any(String),
-      token,
-      { expirationTtl: 300 }
-    );
-  });
-
-  test('should invalidate cache on revocation', async () => {
-    const sessionId = 'revoked-session';
-    const token = 'revoked-token';
-
-    // Test invalidation
-    await Promise.all([
-      mockDelegationStorage.delete(\`session:\${sessionId}\`),
-      mockVerificationCache.delete(\`verified:\${token.substring(0, 16)}\`)
-    ]);
-
-    expect(mockDelegationStorage.delete).toHaveBeenCalled();
-    expect(mockVerificationCache.delete).toHaveBeenCalled();
-  });
-});
-`;
-        fs.writeFileSync(path.join(testsDir, "delegation.test.ts"), delegationTestContent);
-        // Create DO routing test file
-        const doRoutingTestContent = `import { describe, test, expect } from 'vitest';
-
-/**
- * Durable Object Routing Tests
- * Tests multi-instance DO routing for horizontal scaling
- */
-describe('DO Multi-Instance Routing', () => {
-
-  function getDoInstanceId(request: Request, env: { DO_ROUTING_STRATEGY?: string; DO_SHARD_COUNT?: string }): string {
-    const strategy = env.DO_ROUTING_STRATEGY || 'session';
-    const headers = request.headers;
-
-    switch (strategy) {
-      case 'session': {
-        const sessionId = headers.get('mcp-session-id') ||
-                         headers.get('Mcp-Session-Id') ||
-                         crypto.randomUUID();
-        return \`session:\${sessionId}\`;
-      }
-
-      case 'shard': {
-        const identifier = headers.get('mcp-session-id') || Math.random().toString();
-        let hash = 0;
-        for (let i = 0; i < identifier.length; i++) {
-          hash = ((hash << 5) - hash) + identifier.charCodeAt(i);
-          hash = hash & hash;
-        }
-        const shardCount = parseInt(env.DO_SHARD_COUNT || '10');
-        // Validate shard count - must be a valid positive number
-        const validShardCount = (!isNaN(shardCount) && shardCount > 0) ? shardCount : 10;
-        const shard = Math.abs(hash) % validShardCount;
-        return \`shard:\${shard}\`;
-      }
-
-      default:
-        return 'default';
-    }
-  }
-
-  test('should route to different instances for different sessions', () => {
-    const env = { DO_ROUTING_STRATEGY: 'session' };
-
-    const req1 = new Request('http://test/mcp', {
-      headers: { 'mcp-session-id': 'session-123' }
-    });
-    const req2 = new Request('http://test/mcp', {
-      headers: { 'mcp-session-id': 'session-456' }
-    });
-
-    const id1 = getDoInstanceId(req1, env);
-    const id2 = getDoInstanceId(req2, env);
-
-    expect(id1).toBe('session:session-123');
-    expect(id2).toBe('session:session-456');
-    expect(id1).not.toBe(id2);
-  });
-
-  test('should distribute load across shards', () => {
-    const env = {
-      DO_ROUTING_STRATEGY: 'shard',
-      DO_SHARD_COUNT: '10'
-    };
-
-    const distribution = new Map<string, number>();
-
-    // Generate 100 requests
-    for (let i = 0; i < 100; i++) {
-      const req = new Request('http://test/mcp', {
-        headers: { 'mcp-session-id': \`session-\${i}\` }
-      });
-
-      const instanceId = getDoInstanceId(req, env);
-      const shard = instanceId.split(':')[1];
-
-      distribution.set(shard, (distribution.get(shard) || 0) + 1);
-    }
-
-    // Should use multiple shards
-    expect(distribution.size).toBeGreaterThan(5);
-  });
-});
-`;
-        fs.writeFileSync(path.join(testsDir, "do-routing.test.ts"), doRoutingTestContent);
-        // Create security test file
-        const securityTestContent = `import { describe, test, expect } from 'vitest';
-
-/**
- * Security Tests
- * Tests CORS configuration and API key handling
- */
-describe('Security Configuration', () => {
-
-  function getCorsOrigin(requestOrigin: string | null, env: { ALLOWED_ORIGINS?: string; MCPI_ENV?: string }): string | null {
-    const allowedOrigins = env.ALLOWED_ORIGINS?.split(',').map((o: string) => o.trim()) || [
-      'https://claude.ai',
-      'https://app.anthropic.com'
-    ];
-
-    if (env.MCPI_ENV !== 'production' && !allowedOrigins.includes('http://localhost:3000')) {
-      allowedOrigins.push('http://localhost:3000');
-    }
-
-    const origin = requestOrigin || '';
-    const isAllowed = allowedOrigins.includes(origin);
-
-    return isAllowed ? origin : allowedOrigins[0];
-  }
-
-  test('should allow Claude.ai by default', () => {
-    const env = {};
-    const origin = 'https://claude.ai';
-    const result = getCorsOrigin(origin, env);
-
-    expect(result).toBe(origin);
-  });
-
-  test('should reject unauthorized origins', () => {
-    const env = { MCPI_ENV: 'production' };
-    const origin = 'https://evil.com';
-    const result = getCorsOrigin(origin, env);
-
-    expect(result).toBe('https://claude.ai');
-    expect(result).not.toBe(origin);
-  });
-
-  test('should not expose API keys in wrangler.toml', () => {
-    // This test validates that API keys are only in .dev.vars
-    const wranglerContent = \`
-      [vars]
-      AGENTSHIELD_API_URL = "https://kya.vouched.id"
-      # AGENTSHIELD_API_KEY - Set securely
-    \`;
-
-    expect(wranglerContent).not.toContain('sk_');
-    expect(wranglerContent).toContain('Set securely');
-  });
-
-  test('should use short TTLs for security', () => {
-    const DELEGATION_TTL = 300; // 5 minutes
-    const VERIFICATION_TTL = 60; // 1 minute
-
-    expect(DELEGATION_TTL).toBeLessThanOrEqual(300);
-    expect(VERIFICATION_TTL).toBeLessThanOrEqual(60);
-  });
-});
-`;
-        fs.writeFileSync(path.join(testsDir, "security.test.ts"), securityTestContent);
+        // Note: Tests directory is not created by default
+        // Users can add their own tests as needed
         // Create greet tool
         const greetToolContent = `import { z } from "zod";
 
@@ -792,11 +592,26 @@ export default createMCPIApp({
 `;
         fs.writeFileSync(path.join(srcDir, "index.ts"), indexContent);
         const wranglerContent = `#:schema node_modules/wrangler/config-schema.json
-name = "${projectName}"
+name = "${wranglerName}"
 main = "src/index.ts"
 compatibility_date = "2025-06-18"
 compatibility_flags = ["nodejs_compat"]
 
+# Build configuration
+# Exclude native Node.js modules that can't be bundled by esbuild
+[build]
+external = [
+  "@swc/core-darwin-arm64",
+  "@swc/core-darwin-x64",
+  "@swc/core-linux-arm64-gnu",
+  "@swc/core-linux-arm64-musl",
+  "@swc/core-linux-x64-gnu",
+  "@swc/core-linux-x64-musl",
+  "@swc/core-win32-arm64-msvc",
+  "@swc/core-win32-x64-msvc",
+  "@swc/wasm"
+]
+
 [[durable_objects.bindings]]
 name = "MCP_OBJECT"
 class_name = "${pascalClassName}MCP"
@@ -805,6 +620,13 @@ class_name = "${pascalClassName}MCP"
 tag = "v1"
 new_sqlite_classes = ["${pascalClassName}MCP"]
 
+# Cron trigger for proof batch queue flushing
+# Flushes pending proofs every minute to ensure timely submission
+# Adjust schedule as needed (cron format: minute hour day month weekday)
+# Recommended: "*/5 * * * *" for production (every 5 minutes)
+[[triggers.crons]]
+cron = "* * * * *"  # Every minute
+
 # KV Namespace for nonce cache (REQUIRED for replay attack prevention)
 #
 # RECOMMENDED: Share a single NONCE_CACHE namespace across all MCP-I workers