npm - @kya-os/create-mcpi-app - Versions diffs - 1.7.42-canary.34 → 1.7.42-canary.36 - Mend

@kya-os/create-mcpi-app 1.7.42-canary.34 → 1.7.42-canary.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.turbo/turbo-build.log +1 -1
package/dist/helpers/fetch-cloudflare-mcpi-template.d.ts +7 -6
package/dist/helpers/fetch-cloudflare-mcpi-template.d.ts.map +1 -1
package/dist/helpers/fetch-cloudflare-mcpi-template.js +143 -1193
package/dist/helpers/fetch-cloudflare-mcpi-template.js.map +1 -1
package/package.json +25 -67

package/dist/helpers/fetch-cloudflare-mcpi-template.js CHANGED Viewed

@@ -1,1222 +1,172 @@
 import fs from "fs-extra";
 import path from "path";
 import chalk from "chalk";
-import { generateIdentity } from "./generate-identity.js";
 /**
- * Scaffold Cloudflare Worker MCP server
- * Uses McpAgent from agents/mcp for MCP protocol support
+ * Fetches the Cloudflare MCP-I template
+ * Since this is inside the monorepo, we can copy from local packages
+ * But for the published package, we need to construct package.json with correct versions
  */
-export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
-    const { packageManager = "npm", projectName = path.basename(projectPath), apikey, projectId, skipIdentity = false, } = options;
-    // Sanitize project name for class names
-    let className = projectName
-        .replace(/[^a-zA-Z0-9]/g, "")
-        .replace(/^[0-9]/, "_$&");
-    // Fallback to prevent empty class names
-    if (!className || className.length === 0) {
-        className = "Project";
-    }
-    const pascalClassName = className.charAt(0).toUpperCase() + className.slice(1);
-    // Sanitize project name for wrangler.toml (alphanumeric, lowercase, dashes only)
-    let wranglerName = projectName
-        .toLowerCase()
-        .replace(/[^a-z0-9-]/g, "-") // Replace invalid chars with dashes
-        .replace(/-+/g, "-") // Replace multiple dashes with single dash
-        .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
-    // Fallback to prevent empty wrangler names
-    if (!wranglerName || wranglerName.length === 0) {
-        wranglerName = "worker";
-    }
-    try {
-        console.log(chalk.blue("📦 Setting up Cloudflare Worker MCP server..."));
-        // Create package.json
-        const packageJson = {
-            name: projectName,
-            version: "0.1.0",
-            private: true,
-            scripts: {
-                setup: "node scripts/setup.js",
-                postinstall: "npm run setup",
-                deploy: "wrangler deploy",
-                dev: "wrangler dev",
-                start: "wrangler dev",
-                "kv:create": "npm run kv:create-nonce && npm run kv:create-proof && npm run kv:create-identity && npm run kv:create-delegation && npm run kv:create-tool-protection",
-                "kv:create-nonce": `wrangler kv namespace create ${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:create-proof": `wrangler kv namespace create ${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:create-identity": `wrangler kv namespace create ${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:create-delegation": `wrangler kv namespace create ${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:create-tool-protection": `wrangler kv namespace create ${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:list": "wrangler kv namespace list | grep -E '(NONCE|PROOF|IDENTITY|DELEGATION|TOOL_PROTECTION|MCPI)' || wrangler kv namespace list",
-                "kv:keys-nonce": `wrangler kv key list --binding=${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:keys-proof": `wrangler kv key list --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:keys-identity": `wrangler kv key list --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:keys-delegation": `wrangler kv key list --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:keys-tool-protection": `wrangler kv key list --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:delete-nonce": `wrangler kv namespace delete --binding=${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:delete-proof": `wrangler kv namespace delete --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:delete-identity": `wrangler kv namespace delete --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:delete-delegation": `wrangler kv namespace delete --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:delete-tool-protection": `wrangler kv namespace delete --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:delete": "npm run kv:delete-nonce && npm run kv:delete-proof && npm run kv:delete-identity && npm run kv:delete-delegation && npm run kv:delete-tool-protection",
-                "kv:reset": "npm run kv:delete && npm run kv:create",
-                "kv:setup": "echo 'KV Commands: kv:create (create all), kv:list (list all), kv:keys-* (view keys), kv:delete (delete all), kv:reset (delete+recreate)'",
-                "cf-typegen": "wrangler types",
-                "type-check": "tsc --noEmit",
-                test: "vitest",
-                "test:watch": "vitest --watch",
-                "test:coverage": "vitest run --coverage",
-            },
-            dependencies: {
-                "@kya-os/contracts": "^1.5.3-canary.16",
-                "@kya-os/mcp-i-cloudflare": "1.5.8-canary.45",
-                "@kya-os/mcp-i-core": "1.2.2-canary.25",
-                "@kya-os/mcp-i": "^1.5.9-canary.18",
-                "@modelcontextprotocol/sdk": "^1.19.1",
-                agents: "^0.2.21", // Use latest version - constructor now only accepts 2 parameters
-                hono: "^4.9.10",
-                zod: "^3.25.76",
-            },
-            devDependencies: {
-                "@cloudflare/workers-types": "^4.20251109.0",
-                "@kya-os/create-mcpi-app": "^1.7.23",
-                "@vitest/coverage-v8": "^3.2.4",
-                miniflare: "^3.0.0",
-                typescript: "^5.6.2",
-                vitest: "^3.2.4",
-                wrangler: "^4.42.2",
-            },
-        };
-        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
-        fs.writeJsonSync(path.join(projectPath, "package.json"), packageJson, {
-            spaces: 2,
-        });
-        // Create src directory and tools
-        const srcDir = path.join(projectPath, "src");
-        const toolsDir = path.join(srcDir, "tools");
-        fs.ensureDirSync(toolsDir);
-        // Create scripts directory
-        const scriptsDir = path.join(projectPath, "scripts");
-        fs.ensureDirSync(scriptsDir);
-        // Create setup.js automation script
-        const setupScriptContent = `#!/usr/bin/env node
-/**
- * Automated Setup Script for ${projectName}
- *
- * This script automates the tedious process of:
- * 1. Checking/installing wrangler
- * 2. Creating KV namespaces
- * 3. Extracting namespace IDs
- * 4. Updating wrangler.toml automatically
- * 5. Setting up local development environment
- */
-const { execSync } = require('child_process');
-const fs = require('fs');
-const path = require('path');
-const readline = require('readline');
-const rl = readline.createInterface({
-  input: process.stdin,
-  output: process.stdout
-});
-// Colors for terminal output
-const colors = {
-  reset: '\\x1b[0m',
-  bright: '\\x1b[1m',
-  green: '\\x1b[32m',
-  yellow: '\\x1b[33m',
-  blue: '\\x1b[36m',
-  red: '\\x1b[31m'
-};
-function log(message, color = colors.reset) {
-  console.log(color + message + colors.reset);
-}
-function skipToPostKVSetup() {
-  // Skip KV creation but continue with other setup steps
-  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
-  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
-  // Create .dev.vars from example if it doesn't exist
-  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
-    log('\\n📋 Creating .dev.vars from example...', colors.blue);
-    fs.copyFileSync(devVarsExamplePath, devVarsPath);
-    log('✅ Created .dev.vars - Please update with your values', colors.green);
-  }
-  // Check if identity needs to be generated
-  if (fs.existsSync(devVarsPath)) {
-    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
-    if (devVarsContent.includes('your-private-key-here')) {
-      log('\\n🔑 Generating agent identity...', colors.blue);
-      try {
-        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
-        log('✅ Identity generated successfully', colors.green);
-      } catch {
-        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
-      }
-    }
-  }
-  // Show modified next steps
-  log('\\n✨ Setup partially complete! Next steps:\\n', colors.bright + colors.green);
-  log('1. Set your Cloudflare account ID (required for KV namespaces):', colors.blue);
-  log('   export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
-  log('   OR add to wrangler.toml: account_id = "your-account-id"\\n', colors.reset);
-  log('2. Create KV namespaces: npm run kv:create', colors.blue);
-  log('3. Review .dev.vars and add any missing values', colors.blue);
-  log('4. Start development server: npm run dev', colors.blue);
-  log('5. Deploy to production: npm run deploy', colors.blue);
-  log('\\nUseful commands:', colors.bright);
-  log('  npm run dev                    - Start local development server');
-  log('  npm run deploy                 - Deploy to Cloudflare Workers');
-  log('  npm run kv:list                - List all KV namespaces');
-  log('  wrangler secret put <KEY>      - Set production secrets');
-  log('\\nFor more information, see the README.md file.\\n');
-  rl.close();
-}
-async function setup() {
-  log('\\n🚀 Starting automated setup for ${projectName}...\\n', colors.bright + colors.blue);
-  // 1. Check wrangler installation
-  try {
-    const wranglerVersion = execSync('wrangler --version', { encoding: 'utf-8' });
-    log('✅ Wrangler CLI detected: ' + wranglerVersion.trim(), colors.green);
-  } catch {
-    log('📦 Wrangler CLI not found. Installing...', colors.yellow);
-    try {
-      execSync('npm install -g wrangler', { stdio: 'inherit' });
-      log('✅ Wrangler CLI installed successfully', colors.green);
-    } catch (error) {
-      log('❌ Failed to install Wrangler. Please install manually: npm install -g wrangler', colors.red);
-      process.exit(1);
-    }
-  }
-  // 2. Check if user is logged in to Cloudflare
-  try {
-    execSync('wrangler whoami', { encoding: 'utf-8' });
-    log('✅ Logged in to Cloudflare', colors.green);
-  } catch {
-    log('🔑 Please log in to Cloudflare:', colors.yellow);
-    try {
-      execSync('wrangler login', { stdio: 'inherit' });
-    } catch (error) {
-      log('❌ Login failed. Please run: wrangler login', colors.red);
-      process.exit(1);
-    }
-  }
-  // 2.5. Set up wrangler.toml path for later use
-  const wranglerTomlPath = path.join(__dirname, '..', 'wrangler.toml');
-  let wranglerContent = '';
-  try {
-    wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
-  } catch (error) {
-    log('⚠️  Could not read wrangler.toml', colors.yellow);
-  }
-  // 3. Create KV namespaces
-  log('\\n📚 Creating KV namespaces...\\n', colors.bright);
-  const namespaces = [
-    { binding: '${className.toUpperCase()}_NONCE_CACHE', name: 'Nonce Cache', purpose: 'Replay attack prevention' },
-    { binding: '${className.toUpperCase()}_PROOF_ARCHIVE', name: 'Proof Archive', purpose: 'Cryptographic proof storage' },
-    { binding: '${className.toUpperCase()}_IDENTITY_STORAGE', name: 'Identity Storage', purpose: 'Agent identity persistence' },
-    { binding: '${className.toUpperCase()}_DELEGATION_STORAGE', name: 'Delegation Storage', purpose: 'OAuth token storage' },
-    { binding: '${className.toUpperCase()}_TOOL_PROTECTION_KV', name: 'Tool Protection', purpose: 'Permission caching' }
-  ];
-  const kvIds = {};
-  let multipleAccountsDetected = false;
-  for (const ns of namespaces) {
-    // If we already detected multiple accounts, skip remaining namespaces
-    if (multipleAccountsDetected) {
-      break;
-    }
-    log(\`Creating \${ns.name} (\${ns.purpose})...\`, colors.blue);
-    // First, check if namespace already exists
-    let existingNamespace = null;
-    try {
-      const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-      try {
-        const allNamespaces = JSON.parse(listOutput);
-        existingNamespace = allNamespaces.find(n => n.title === ns.binding);
-      } catch (parseError) {
-        // Fallback to regex if JSON parsing fails
-        const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-        if (existingMatch && existingMatch[1]) {
-          existingNamespace = { id: existingMatch[1], title: ns.binding };
-        }
-      }
-    } catch (listError) {
-      // If we can't list namespaces, continue to try creating
-    }
-    if (existingNamespace && existingNamespace.id) {
-      kvIds[ns.binding] = existingNamespace.id;
-      log(\`  ✅ Using existing namespace with ID: \${existingNamespace.id}\`, colors.green);
-      continue;
-    }
-    // Namespace doesn't exist, try to create it
-    try {
-      // Suppress stderr to avoid noisy error messages
-      const output = execSync(\`wrangler kv namespace create "\${ns.binding}"\`, {
-        encoding: 'utf-8',
-        stdio: ['pipe', 'pipe', 'pipe']
-      });
-      // Extract the ID from output
-      const idMatch = output.match(/id = "([^"]+)"/);
-      if (idMatch && idMatch[1]) {
-        kvIds[ns.binding] = idMatch[1];
-        log(\`  ✅ Created with ID: \${idMatch[1]}\`, colors.green);
-      } else {
-        log(\`  ⚠️  Created but could not extract ID. Checking existing namespaces...\`, colors.yellow);
-        // Fallback: try to find it in the list
-        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-        try {
-          const allNamespaces = JSON.parse(listOutput);
-          const found = allNamespaces.find(n => n.title === ns.binding);
-          if (found && found.id) {
-            kvIds[ns.binding] = found.id;
-            log(\`  ✅ Found ID: \${found.id}\`, colors.green);
-          }
-        } catch {
-          // Ignore parse errors
-        }
-      }
-    } catch (error) {
-      const errorMessage = error.message || error.toString();
-      const errorOutput = error.stdout || error.stderr || '';
-      // Check if this is a multiple accounts error
-      if (errorMessage.includes('More than one account') || errorMessage.includes('multiple accounts') || errorOutput.includes('More than one account')) {
-        multipleAccountsDetected = true;
-        log('\\n⚠️  Multiple Cloudflare accounts detected!\\n', colors.yellow);
-        log('Wrangler cannot automatically select an account in non-interactive mode.\\n', colors.yellow);
-        log('To fix this, choose one of these options:\\n', colors.bright);
-        log('Option 1: Set environment variable (recommended):', colors.blue);
-        log('  export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
-        log('  npm run setup\\n', colors.reset);
-        log('Option 2: Add to wrangler.toml (permanent):', colors.blue);
-        log('  Edit wrangler.toml and add:', colors.reset);
-        log('  account_id = "your-account-id"\\n', colors.reset);
-        log('Find your account IDs in the error above or run:', colors.blue);
-        log('  wrangler whoami\\n', colors.reset);
-        log('⏭️  Skipping remaining KV namespace creation.', colors.yellow);
-        log('After setting account_id, run: npm run setup\\n', colors.yellow);
-        break;
-      }
-      // Check if namespace already exists (common case - suppress noisy error)
-      if (errorMessage.includes('already exists') || errorOutput.includes('already exists') || errorOutput.includes('code: 10014')) {
-        // Try to get the existing namespace ID
-        try {
-          const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-          try {
-            const allNamespaces = JSON.parse(listOutput);
-            const found = allNamespaces.find(n => n.title === ns.binding);
-            if (found && found.id) {
-              kvIds[ns.binding] = found.id;
-              log(\`  ✅ Using existing namespace with ID: \${found.id}\`, colors.green);
-            } else {
-              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
-            }
-          } catch (parseError) {
-            // Fallback to regex
-            const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-            if (existingMatch && existingMatch[1]) {
-              kvIds[ns.binding] = existingMatch[1];
-              log(\`  ✅ Using existing namespace with ID: \${existingMatch[1]}\`, colors.green);
-            } else {
-              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
-            }
-          }
-        } catch (listError) {
-          log(\`  ⚠️  Namespace may already exist. Run 'wrangler kv namespace list' to verify.\`, colors.yellow);
-        }
-      } else {
-        // Some other error occurred
-        log(\`  ❌ Failed to create \${ns.binding}\`, colors.red);
-        log(\`     Error: \${errorMessage}\`, colors.red);
-      }
-    }
-  }
-  // If multiple accounts detected, skip to post-KV setup
-  if (multipleAccountsDetected) {
-    return skipToPostKVSetup();
-  }
-  // 4. Update wrangler.toml with KV IDs
-  if (Object.keys(kvIds).length > 0) {
-    log('\\n📝 Updating wrangler.toml with KV namespace IDs...\\n', colors.bright);
-    try {
-      wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
-      let updatedCount = 0;
-      for (const [binding, id] of Object.entries(kvIds)) {
-        // Match pattern: binding = "BINDING_NAME"\\nid = "anything" (including placeholders)
-        const pattern = new RegExp(\`(binding = "\${binding}")\\\\s*\\\\nid = "[^"]*"\`, 'g');
-        const replacement = \`$1\\nid = "\${id}"\`;
-        const newContent = wranglerContent.replace(pattern, replacement);
-        if (newContent !== wranglerContent) {
-          updatedCount++;
-          log(\`  ✅ Updated \${binding} with ID: \${id}\`, colors.green);
+export async function fetchCloudflareMcpiTemplate(targetDir, options) {
+    // Handle legacy string argument (projectName) for backward compatibility if needed
+    const projectName = typeof options === 'string' ? options : options.projectName;
+    // In a real implementation, this might download from a repo
+    // For now, we'll construct the template files
+    // 1. Create directory structure
+    await fs.ensureDir(path.join(targetDir, "src"));
+    // 2. Create package.json
+    const packageJson = {
+        name: projectName,
+        version: "0.1.0",
+        private: true,
+        scripts: {
+            deploy: "wrangler deploy",
+            dev: "wrangler dev",
+            start: "wrangler dev",
+            test: "vitest",
+            "cf-typegen": "wrangler types"
+        },
+        dependencies: {
+            "@kya-os/mcp-i-cloudflare": "^1.5.8-canary.47",
+            "@modelcontextprotocol/sdk": "^0.6.0",
+            "hono": "^4.6.3"
+        },
+        devDependencies: {
+            "@cloudflare/vitest-pool-workers": "^0.5.2",
+            "@cloudflare/workers-types": "^4.20240925.0",
+            "@types/node": "^20.8.3",
+            "typescript": "^5.5.2",
+            "vitest": "2.0.5",
+            "wrangler": "^3.78.12"
         }
-        wranglerContent = newContent;
-      }
-      fs.writeFileSync(wranglerTomlPath, wranglerContent);
-      log(\`\\n✅ Updated \${updatedCount} namespace ID(s) in wrangler.toml\`, colors.green);
-      // Show remaining placeholder IDs if any
-      const placeholderMatches = wranglerContent.match(/binding = "[^"]+"\\s*\\nid = "your_[^"]+"/g);
-      if (placeholderMatches) {
-        log('\\n⚠️  Some namespace IDs still have placeholders:', colors.yellow);
-        placeholderMatches.forEach(match => {
-          const bindingMatch = match.match(/binding = "([^"]+)"/);
-          if (bindingMatch) {
-            log(\`  - \${bindingMatch[1]}\`, colors.yellow);
-          }
-        });
-      }
-    } catch (error) {
-      log(\`❌ Failed to update wrangler.toml: \${error.message}\`, colors.red);
-    }
-  }
-  // 5. Create .dev.vars from example if it doesn't exist
-  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
-  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
-  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
-    log('\\n📋 Creating .dev.vars from example...', colors.blue);
-    fs.copyFileSync(devVarsExamplePath, devVarsPath);
-    log('✅ Created .dev.vars - Please update with your values', colors.green);
-  }
-  // 6. Check if identity needs to be generated
-  if (fs.existsSync(devVarsPath)) {
-    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
-    if (devVarsContent.includes('your-private-key-here')) {
-      log('\\n🔑 Generating agent identity...', colors.blue);
-      try {
-        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
-        log('✅ Identity generated successfully', colors.green);
-      } catch {
-        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
-      }
-    }
-  }
-  // 7. Show next steps
-  log('\\n✨ Setup complete! Next steps:\\n', colors.bright + colors.green);
-  log('1. Review .dev.vars and add any missing values (AgentShield API key, etc.)', colors.blue);
-  log('2. Start development server: npm run dev', colors.blue);
-  log('3. Deploy to production: npm run deploy', colors.blue);
-  log('\\nUseful commands:', colors.bright);
-  log('  npm run dev                    - Start local development server');
-  log('  npm run deploy                 - Deploy to Cloudflare Workers');
-  log('  npm run kv:list                - List all KV namespaces');
-  log('  wrangler secret put <KEY>      - Set production secrets');
-  log('\\nFor more information, see the README.md file.\\n');
-  rl.close();
-}
-// Handle errors gracefully
-process.on('unhandledRejection', (error) => {
-  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
-  process.exit(1);
-});
-// Run the setup
-setup().catch((error) => {
-  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
-  process.exit(1);
-});
-`;
-        fs.writeFileSync(path.join(scriptsDir, "setup.js"), setupScriptContent);
-        // Make setup script executable
-        if (process.platform !== "win32") {
-            fs.chmodSync(path.join(scriptsDir, "setup.js"), "755");
-        }
-        // Note: Tests directory is not created by default
-        // Users can add their own tests as needed
-        // Create greet tool
-        const greetToolContent = `import { z } from "zod";
-/**
- * Greet Tool - Example MCP tool with AgentShield integration
- *
- * This tool demonstrates proper scopeId configuration for tool auto-discovery.
- *
- * Configure the corresponding scope in mcpi-runtime-config.ts:
- * \`\`\`typescript
- * toolProtections: {
- *   greet: {
- *     requiresDelegation: false,
- *     requiredScopes: ["greet:execute"],  // ← This becomes the scopeId in proofs
- *   }
- * }
- * \`\`\`
- *
- * The scopeId format is "toolName:action":
- * - Tool name: "greet" (extracted before the ":")
- * - Action: "execute" (extracted after the ":")
- * - Risk level: Auto-determined from action keyword (execute = high)
- *
- * Other scopeId examples:
- * - "files:read" → Medium risk
- * - "files:write" → High risk
- * - "database:delete" → Critical risk
- */
-export const greetTool = {
-  name: "greet",
-  description: "Greet a user by name",
-  inputSchema: z.object({
-    name: z.string().describe("The name of the user to greet")
-  }),
-  handler: async ({ name }: { name: string }) => {
-    return {
-      content: [
-        {
-          type: "text" as const,
-          text: \`Hello, \${name}! Welcome to your Cloudflare MCP server.\`
-        }
-      ]
     };
-  }
-};
-`;
-        fs.writeFileSync(path.join(toolsDir, "greet.ts"), greetToolContent);
-        // Create mcpi-runtime-config.ts for AgentShield integration
-        const runtimeConfigContent = `import type { CloudflareRuntimeConfig } from '@kya-os/mcp-i-cloudflare/config';
-import type { CloudflareEnv } from '@kya-os/mcp-i-cloudflare';
-import { defineConfig } from '@kya-os/mcp-i-cloudflare';
-/**
- * Runtime configuration for MCP-I server
- *
- * This file configures runtime features like proof submission to AgentShield,
- * delegation verification, and audit logging.
- *
- * Environment variables are automatically injected from wrangler.toml (Cloudflare)
- * or .env (Node.js). Configure them there:
- * - AGENTSHIELD_API_URL: AgentShield API base URL
- * - AGENTSHIELD_API_KEY: Your AgentShield API key
- * - AGENTSHIELD_PROJECT_ID: Your AgentShield project ID (optional but recommended)
- * - MCPI_ENV: "development" or "production"
- *
- * Tool Protection:
- * - Automatically enabled if AGENTSHIELD_API_KEY and TOOL_PROTECTION_KV are set
- * - Fetches tool protection config from AgentShield API by project ID
- * - Caches config for 5 minutes to minimize API calls
- * - Falls back to local config if API is unavailable
- * - Configure delegation requirements in AgentShield dashboard
- */
-export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
-  return defineConfig({
-    // Only specify overrides - defaults are handled automatically
-    vars: {
-      ENVIRONMENT: env.ENVIRONMENT || env.MCPI_ENV || 'development',
-      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
-      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
-    },
-    // Tool protection is automatically enabled by defineConfig if AGENTSHIELD_API_KEY is present
-    // You can override by explicitly setting toolProtection here
-    // Admin endpoints are automatically enabled when AGENTSHIELD_API_KEY is present
-    // They use ADMIN_API_KEY (or fallback to AGENTSHIELD_API_KEY) for authentication
-    // To override: admin: { enabled: true/false, apiKey: env.ADMIN_API_KEY }
-    // To disable: admin: { enabled: false }
-  });
-}
-`;
-        fs.writeFileSync(path.join(srcDir, "mcpi-runtime-config.ts"), runtimeConfigContent);
-        // Create main index.ts using MCPICloudflareServer
-        const indexContent = `import { MCPICloudflareAgent, createMCPIApp, type PrefixedCloudflareEnv } from "@kya-os/mcp-i-cloudflare";
-import { greetTool } from "./tools/greet";
-import { getRuntimeConfig } from "./mcpi-runtime-config";
-/**
- * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
- */
-interface MyPrefixedCloudflareEnv extends PrefixedCloudflareEnv {
-  ${className.toUpperCase()}_NONCE_CACHE?: KVNamespace;
-  ${className.toUpperCase()}_PROOF_ARCHIVE?: KVNamespace;
-  ${className.toUpperCase()}_IDENTITY_STORAGE?: KVNamespace;
-  ${className.toUpperCase()}_DELEGATION_STORAGE?: KVNamespace;
-  ${className.toUpperCase()}_TOOL_PROTECTION_KV?: KVNamespace;
-}
-/**
- * Your custom MCP agent - only define your tools here!
- * All framework complexity (runtime initialization, proof generation, etc.) is handled automatically.
- */
-export class ${pascalClassName}MCP extends MCPICloudflareAgent {
-  async registerTools() {
-    // Register your custom tools - proofs are generated automatically
-    // ✅ The registerToolWithProof helper automatically extracts sessionId from the request
-    //    and passes it to executeToolWithProof, ensuring delegation tokens stored with
-    //    the original session ID can be retrieved on subsequent tool calls
-    this.registerToolWithProof(
-      greetTool.name,
-      greetTool.description,
-      greetTool.inputSchema.shape,
-      greetTool.handler
-    );
-  }
-}
-// Create and export the app - all routing is handled automatically
-export default createMCPIApp({
-  AgentClass: ${pascalClassName}MCP,
-  agentName: "${projectName}",
-  agentVersion: "1.0.0",
-  envPrefix: "${className.toUpperCase()}",
-  getRuntimeConfig,
-});
-`;
-        fs.writeFileSync(path.join(srcDir, "index.ts"), indexContent);
-        const wranglerContent = `#:schema node_modules/wrangler/config-schema.json
-name = "${wranglerName}"
+    await fs.writeJson(path.join(targetDir, "package.json"), packageJson, {
+        spaces: 2,
+    });
+    // 3. Create wrangler.toml
+    const wranglerToml = `#:schema node_modules/wrangler/config-schema.json
+name = "${projectName}"
 main = "src/index.ts"
-compatibility_date = "2025-06-18"
+compatibility_date = "2024-09-25"
 compatibility_flags = ["nodejs_compat"]
+# Durable Object binding for MCP Agent state
 [[durable_objects.bindings]]
 name = "MCP_OBJECT"
-class_name = "${pascalClassName}MCP"
+class_name = "${toPascalCase(projectName)}MCP"
 [[migrations]]
 tag = "v1"
-new_sqlite_classes = ["${pascalClassName}MCP"]
-# Cron trigger for proof batch queue flushing (OPTIONAL - CURRENTLY DISABLED)
-#
-# NOTE: Cloudflare Workers cron triggers are currently experiencing API parsing issues
-# that prevent deployment. This section is commented out by default.
-#
-# Proofs will still work correctly without cron because:
-# 1. First proof submits immediately (for dashboard setup detection)
-# 2. Proofs auto-flush when batch size is reached (default: 10 proofs)
-#
-# If you want to enable cron-based flushing in the future:
-# 1. Uncomment the section below
-# 2. Adjust the schedule as needed (cron format: minute hour day month weekday)
-# 3. Try deploying - if it fails with "Could not parse request body", cron triggers
-#    may not be supported for your account/region yet
-#
-# [[triggers.crons]]
-# cron = "*/5 * * * *"  # Every 5 minutes
-#
-# Note: Proofs are also flushed immediately when batch size is reached (default: 10 proofs),
-# so cron is mainly for flushing small batches that haven't reached the size limit yet.
-# KV Namespace for nonce cache (REQUIRED for replay attack prevention)
-#
-# RECOMMENDED: Share a single NONCE_CACHE namespace across all MCP-I workers
-# This namespace is automatically created by the setup script (npm run setup)
-# If you need to recreate it: npm run kv:create-nonce
-[[kv_namespaces]]
-binding = "${className.toUpperCase()}_NONCE_CACHE"
-id = "your_nonce_kv_namespace_id"  # Auto-filled by setup script
+new_classes = ["${toPascalCase(projectName)}MCP"]
-# KV Namespace for proof archive (RECOMMENDED for auditability)
-#
-# Stores detached cryptographic proofs for all tool calls
-# Enables proof querying, session tracking, and audit trails
-# This namespace is automatically created by the setup script (npm run setup)
-# If you need to recreate it: npm run kv:create-proof
-#
-# Note: Comment out if you don't need proof archiving
-[[kv_namespaces]]
-binding = "${className.toUpperCase()}_PROOF_ARCHIVE"
-id = "your_proof_kv_namespace_id"  # Auto-filled by setup script
-# KV Namespace for identity storage (RECOMMENDED for persistent agent identity)
-#
-# Stores the agent's cryptographic identity (DID, keys) in KV
-# Ensures consistent identity across Worker restarts and deployments
-# This namespace is automatically created by the setup script (npm run setup)
-# If you need to recreate it: npm run kv:create-identity
-[[kv_namespaces]]
-binding = "${className.toUpperCase()}_IDENTITY_STORAGE"
-id = "your_identity_kv_namespace_id"  # Auto-filled by setup script
-# KV Namespace for delegation storage (REQUIRED for OAuth/delegation flows)
-#
-# Stores active delegations from users to agents
-# Enables OAuth consent flows and scope-based authorization
-# This namespace is automatically created by the setup script (npm run setup)
-# If you need to recreate it: npm run kv:create-delegation
-[[kv_namespaces]]
-binding = "${className.toUpperCase()}_DELEGATION_STORAGE"
-id = "your_delegation_kv_namespace_id"  # Auto-filled by setup script
-# KV Namespace for tool protection config (${apikey ? "ENABLED" : "OPTIONAL"} for dashboard-controlled delegation)
-#
-# 🆕 Enables dynamic tool protection configuration from AgentShield dashboard
-# Caches which tools require user delegation based on dashboard toggle switches
-#
-# Benefits:
-# - Control tool permissions from AgentShield dashboard without code changes
-# - Update delegation requirements in real-time (5-minute cache)
-# - No redeployments needed to change tool permissions
-#
-# Setup:
-# This namespace is automatically created by the setup script (npm run setup)
-# If you need to recreate it: npm run kv:create-tool-protection
-# After deployment, toggle delegation requirements in AgentShield dashboard
-#
-# Note: This namespace is REQUIRED when using AgentShield API key (--apikey)
-#       It will be automatically created by the setup script (npm run setup)
-[[kv_namespaces]]
-binding = "${className.toUpperCase()}_TOOL_PROTECTION_KV"
-id = "your_tool_protection_kv_id"  # Auto-filled by setup script
+# KV Namespace for nonce cache (replay protection)
+# Run 'npm run kv:create-nonce' to generate ID
+# [[kv_namespaces]]
+# binding = "NONCE_CACHE"
+# id = "TODO_REPLACE_WITH_ID"
 [vars]
-XMCP_I_TS_SKEW_SEC = "120"
-XMCP_I_SESSION_TTL = "1800"
-# AgentShield Integration (https://kya.vouched.id)
-AGENTSHIELD_API_URL = "https://kya.vouched.id"
-# AGENTSHIELD_PROJECT_ID - Your project ID from AgentShield dashboard (e.g., "batman-txh0ae")
-#   Required for project-scoped tool protection configuration (recommended)
-#   Find it in your dashboard URL: https://kya.vouched.id/dashboard/projects/{PROJECT_ID}
-#   Or in your project settings
-#   This is not sensitive, so it's safe to keep a value here
-AGENTSHIELD_PROJECT_ID = "${projectId || ""}"
-MCPI_ENV = "development"
-# Secrets (NOT declared here - see instructions below)
-# For local development: Add secrets to .dev.vars file
-# For production: Use wrangler secret put COMMAND_NAME
-#   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-#   $ wrangler secret put AGENTSHIELD_API_KEY
-#   $ wrangler secret put ADMIN_API_KEY
-# Note: .dev.vars is git-ignored and contains actual secret values for local dev
-# Optional: MCP Server URL for tool discovery and consent page generation
-# Uncomment to explicitly set your MCP server URL (auto-detected from request origin if not set)
-# IMPORTANT: Use base URL WITHOUT /mcp suffix (e.g., "https://your-worker.workers.dev")
-# The consent pages are at /consent, not /mcp/consent
-# MCP_SERVER_URL = "https://your-worker.workers.dev"
+# Environment variables
+# AGENTSHIELD_API_URL = "https://kya.vouched.id"
+# MCPI_ENV = "development"
 `;
-        fs.writeFileSync(path.join(projectPath, "wrangler.toml"), wranglerContent);
-        // Generate persistent identity for Cloudflare Worker
-        if (!skipIdentity) {
-            console.log(chalk.cyan("🔐 Generating persistent identity..."));
-            try {
-                const identity = await generateIdentity();
-                // Read existing wrangler.toml
-                const wranglerPath = path.join(projectPath, "wrangler.toml");
-                let wranglerTomlContent = fs.readFileSync(wranglerPath, "utf8");
-                // Find [vars] section and add identity environment variables
-                // Add ALL identity variables (empty values will be overridden by .dev.vars)
-                const varsMatch = wranglerTomlContent.match(/\[vars\]/);
-                if (varsMatch) {
-                    const insertPosition = varsMatch.index + varsMatch[0].length;
-                    const identityVars = `
-# Agent DID (public identifier - safe to commit)
-MCP_IDENTITY_AGENT_DID = "${identity.did}"
-# Public identity key (safe to commit - not sensitive)
-MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
-# Private identity key (SECRET - NOT declared here)
-# For local development: Add to .dev.vars file
-# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-# ALLOWED_ORIGINS for CORS (update for production)
-ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
-# DO routing strategy: "session" for dev, "shard" for production high-load
-DO_ROUTING_STRATEGY = "session"
-DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
-`;
-                    // Remove any secret declarations from [vars] (they should not be here)
-                    // Secrets go in .dev.vars for local dev, wrangler secret put for production
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*MCP_IDENTITY_PRIVATE_KEY\s*=.*$/gm, `# MCP_IDENTITY_PRIVATE_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*AGENTSHIELD_API_KEY\s*=.*$/gm, `# AGENTSHIELD_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*ADMIN_API_KEY\s*=.*$/gm, `# ADMIN_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    // Update public key if it exists (safe to keep in [vars])
-                    if (/MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent)) {
-                        wranglerTomlContent = wranglerTomlContent.replace(/MCP_IDENTITY_PUBLIC_KEY\s*=\s*"[^"]*"/, `MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"`);
-                    }
-                    // Update AGENTSHIELD_PROJECT_ID if it exists and projectId is provided
-                    // This is safe to keep a value since it's not sensitive
-                    if (projectId &&
-                        /AGENTSHIELD_PROJECT_ID\s*=/.test(wranglerTomlContent)) {
-                        wranglerTomlContent = wranglerTomlContent.replace(/AGENTSHIELD_PROJECT_ID\s*=\s*"[^"]*"/, `AGENTSHIELD_PROJECT_ID = "${projectId}"`);
-                    }
-                    // Check if non-secret variables already exist in wrangler.toml
-                    const hasIdentityDid = /MCP_IDENTITY_AGENT_DID\s*=/.test(wranglerTomlContent);
-                    const hasIdentityPublicKey = /MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent);
-                    // Only insert identity vars if they don't already exist
-                    const needsInsertion = !hasIdentityDid || !hasIdentityPublicKey;
-                    if (needsInsertion) {
-                        wranglerTomlContent =
-                            wranglerTomlContent.slice(0, insertPosition) +
-                                identityVars +
-                                wranglerTomlContent.slice(insertPosition);
-                    }
-                    // Write updated wrangler.toml (without secrets)
-                    fs.writeFileSync(wranglerPath, wranglerTomlContent);
-                    // Create .dev.vars file for local development (git-ignored)
-                    // Only contains SECRETS (not public keys or project IDs)
-                    const devVarsPath = path.join(projectPath, ".dev.vars");
-                    const devVarsContent = `# Local development secrets (DO NOT COMMIT)
-# This file is git-ignored and contains sensitive data
-#
-# HOW IT WORKS:
-# 1. Secrets are NOT declared in wrangler.toml [vars] (avoids conflicts)
-# 2. This file (.dev.vars) provides secrets for local development
-# 3. Production uses: wrangler secret put VARIABLE_NAME
-#
-# Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID) are in wrangler.toml
-# Private identity key (generated by create-mcpi-app)
-MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
-# AgentShield API key (get from https://kya.vouched.id/dashboard)
-AGENTSHIELD_API_KEY="${apikey || ""}"${apikey ? "  # Provided via --apikey flag" : ""}
-# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
-ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_API_KEY" : ""}
-`;
-                    fs.writeFileSync(devVarsPath, devVarsContent);
-                    // Create .dev.vars.example for reference
-                    const devVarsExamplePath = path.join(projectPath, ".dev.vars.example");
-                    const devVarsExampleContent = `# Copy this file to .dev.vars and fill in your values
-# DO NOT commit .dev.vars to version control
-#
-# NOTE: Only secrets go here. Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID)
-# are in wrangler.toml [vars] and can be committed safely.
-# Private identity key (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
-MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
-# AgentShield API key (get from https://kya.vouched.id/dashboard)
-AGENTSHIELD_API_KEY="your-api-key-here"
+    await fs.writeFile(path.join(targetDir, "wrangler.toml"), wranglerToml);
+    // 4. Create src/index.ts (entry point)
+    const indexTs = `import { createMCPICloudflareAdapter } from "@kya-os/mcp-i-cloudflare";
+import { ${toPascalCase(projectName)}Agent } from "./agent";
+// Create the adapter
+const adapter = createMCPICloudflareAdapter({
+  agent: ${toPascalCase(projectName)}Agent,
+  env: {} as any, // Will be injected by Cloudflare
+  serverInfo: {
+    name: "${projectName}",
+    version: "1.0.0",
+  },
+});
-# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
-ADMIN_API_KEY="your-admin-key-here"
+// Export the fetch handler and Durable Object
+export default adapter;
+export { ${toPascalCase(projectName)}MCP } from "./agent";
 `;
-                    fs.writeFileSync(devVarsExamplePath, devVarsExampleContent);
-                    console.log(chalk.green("✅ Generated persistent identity"));
-                    console.log(chalk.dim(`   DID: ${identity.did}`));
-                    console.log(chalk.green("✅ Created secure configuration:"));
-                    console.log(chalk.dim("   • Public DID in wrangler.toml (safe to commit)"));
-                    console.log(chalk.dim("   • Private keys in .dev.vars (git-ignored)"));
-                    console.log(chalk.dim("   • Example template in .dev.vars.example"));
-                    console.log();
-                    console.log(chalk.yellow("🔒 Production Security:"));
-                    console.log(chalk.dim("   Secrets are NOT in wrangler.toml (cleaner approach)"));
-                    console.log(chalk.dim("   For production, set secrets using wrangler:"));
-                    console.log(chalk.cyan("      $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY"));
-                    console.log(chalk.cyan("      $ wrangler secret put AGENTSHIELD_API_KEY"));
-                    console.log(chalk.cyan("      $ wrangler secret put ADMIN_API_KEY"));
-                    console.log();
-                    console.log(chalk.dim("   Tip: Copy values from .dev.vars when prompted"));
-                    console.log();
-                }
-            }
-            catch (error) {
-                console.log(chalk.yellow("⚠️  Failed to generate identity:"), error.message);
-                console.log(chalk.dim("   You can generate one later with:"));
-                console.log(chalk.cyan("   $ npx @kya-os/create-mcpi-app regenerate-identity"));
-                console.log();
-            }
-        }
-        // Create tsconfig.json
-        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
-        const tsconfigContent = {
-            compilerOptions: {
-                target: "ES2022",
-                module: "ES2022",
-                lib: ["ES2022"],
-                types: ["@cloudflare/workers-types"],
-                moduleResolution: "bundler",
-                resolveJsonModule: true,
-                allowSyntheticDefaultImports: true,
-                esModuleInterop: true,
-                strict: true,
-                skipLibCheck: true,
-                forceConsistentCasingInFileNames: true,
-            },
-            include: ["src/**/*"],
-        };
-        fs.writeJsonSync(path.join(projectPath, "tsconfig.json"), tsconfigContent, {
-            spaces: 2,
-        });
-        // Create .gitignore
-        const gitignoreContent = `node_modules/
-dist/
-.wrangler/
-.dev.vars
-.env
-.env.local
-*.log
-`;
-        fs.writeFileSync(path.join(projectPath, ".gitignore"), gitignoreContent);
-        // Create .npmrc to suppress harmless deprecation warnings
-        const npmrcContent = `# Suppress deprecation warnings from transitive dependencies
-# These warnings are harmless and don't affect functionality
-# They come from: inflight (glob@7), phin (jimp), rimraf (del), glob (rimraf), node-domexception (node-fetch)
-# Will be resolved when upstream packages update their dependencies
-loglevel=error
-`;
-        fs.writeFileSync(path.join(projectPath, ".npmrc"), npmrcContent);
-        // Create README.md
-        const readmeContent = `# ${projectName}
-MCP server running on Cloudflare Workers with MCP-I identity features, cryptographic proofs, and full SSE/HTTP streaming support.
-## Features
-- ✅ **MCP Protocol Support**: SSE and HTTP streaming transports
-- ✅ **Cryptographic Identity**: DID-based agent identity with Ed25519 signatures
-- ✅ **Proof Generation**: Every tool call generates a cryptographic proof
-- ✅ **Audit Logging**: Track all operations with proof IDs and signatures
-- ✅ **Nonce Protection**: Replay attack prevention via KV-backed nonce cache
-- ✅ **Proof Archiving**: Optional KV storage for proof history
-## Quick Start
-### 1. Install Dependencies
-\`\`\`bash
-${packageManager} install
-\`\`\`
-### 2. Create KV Namespaces
-#### Create All KV Namespaces (Recommended)
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} kv:create
-\`\`\`
-This creates all 5 KV namespaces at once:
-- \`NONCE_CACHE\` - Replay attack prevention (Required)
-- \`PROOF_ARCHIVE\` - Cryptographic proof storage (Recommended)
-- \`IDENTITY_STORAGE\` - Agent identity persistence (Recommended)
-- \`DELEGATION_STORAGE\` - OAuth delegation storage (Required for delegation)
-- \`TOOL_PROTECTION_KV\` - Dashboard-controlled permissions (Optional)
-Copy the namespace IDs from the output and update each one in \`wrangler.toml\`:
-\`\`\`toml
-[[kv_namespaces]]
-binding = "NONCE_CACHE"
-id = "your_nonce_kv_id_here"  # ← Update this
-[[kv_namespaces]]
-binding = "PROOF_ARCHIVE"
-id = "your_proof_kv_id_here"  # ← Update this
-[[kv_namespaces]]
-binding = "IDENTITY_STORAGE"
-id = "your_identity_kv_id_here"  # ← Update this
-[[kv_namespaces]]
-binding = "DELEGATION_STORAGE"
-id = "your_delegation_kv_id_here"  # ← Update this
-[[kv_namespaces]]
-binding = "TOOL_PROTECTION_KV"
-id = "your_tool_protection_kv_id_here"  # ← Update this
-\`\`\`
-**Note:** You can also create namespaces individually:
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-nonce\` - Create nonce cache only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-proof\` - Create proof archive only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-identity\` - Create identity storage only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-delegation\` - Create delegation storage only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection\` - Create tool protection cache only
-### 3. Test Locally
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} dev
-\`\`\`
-### 4. Deploy
-#### Production Deployment
-Secrets are **not** declared in \`wrangler.toml\` to avoid conflicts. Set them using:
-\`\`\`bash
-wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-wrangler secret put AGENTSHIELD_API_KEY
-wrangler secret put ADMIN_API_KEY
-\`\`\`
-**Tip:** Copy values from your \`.dev.vars\` file when prompted.
-**Note:** \`MCP_IDENTITY_PUBLIC_KEY\` and \`AGENTSHIELD_PROJECT_ID\` are not secrets and are already in \`wrangler.toml\` with values.
-Now deploy:
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} deploy
-\`\`\`
-## Connect with Claude Desktop
-Add to \`~/Library/Application Support/Claude/claude_desktop_config.json\`:
+    await fs.writeFile(path.join(targetDir, "src/index.ts"), indexTs);
+    // 5. Create src/agent.ts (Agent implementation)
+    const agentTs = `import { MCPICloudflareAgent } from "@kya-os/mcp-i-cloudflare";
+import type { Tool } from "@modelcontextprotocol/sdk/types.js";
+export class ${toPascalCase(projectName)}Agent extends MCPICloudflareAgent {
+  /**
+   * Define tools available to this agent
+   */
+  protected getTools(): Tool[] {
+    return [
+      {
+        name: "greet",
+        description: "Greet the user",
+        inputSchema: {
+          type: "object",
+          properties: {
+            name: { type: "string" },
+          },
+          required: ["name"],
+        },
+      },
+    ];
+  }
-\`\`\`json
-{
-  "mcpServers": {
-    "${projectName}": {
-      "command": "npx",
-      "args": ["mcp-remote", "https://your-worker.workers.dev/sse"]
+  /**
+   * Handle tool execution
+   */
+  protected async executeTool(name: string, args: any): Promise<any> {
+    if (name === "greet") {
+      return {
+        content: [
+          {
+            type: "text",
+            text: \`Hello, \${args.name}!\`,
+          },
+        ],
+      };
     }
+    throw new Error(\`Unknown tool: \${name}\`);
   }
 }
-\`\`\`
-**Note:** Use the \`/sse\` endpoint for Claude Desktop compatibility.
-Restart Claude Desktop and test: "Use the greet tool to say hello to Alice"
-## Adding Tools
-Create tools in \`src/tools/\`:
-\`\`\`typescript
-import { z } from "zod";
-export const myTool = {
-  name: "my_tool",
-  description: "Tool description",
-  inputSchema: z.object({
-    input: z.string().describe("Input parameter")
-  }),
-  handler: async ({ input }: { input: string }) => ({
-    content: [{ type: "text" as const, text: \`Result: \${input}\` }]
-  })
-};
-\`\`\`
-Register in \`src/index.ts\` init method:
-\`\`\`typescript
-this.server.tool(
-  myTool.name,
-  myTool.description,
-  myTool.inputSchema.shape,
-  myTool.handler
-);
-\`\`\`
-## Endpoints
-- \`/health\` - Health check
-- \`/sse\` - SSE transport for MCP
-- \`/mcp\` - Streamable HTTP transport for MCP
-- \`/oauth/callback\` - OAuth callback for delegation flows
-- \`/admin/clear-cache\` - Clear tool protection cache (requires API key)
-## Viewing Cryptographic Proofs
-Every tool call generates a cryptographic proof that's logged to the console:
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} dev
-\`\`\`
-When you call a tool, you'll see logs like:
-\`\`\`
-[MCP-I] Initialized with DID: did:web:localhost:agents:key-abc123
-[MCP-I Proof] {
-  tool: 'greet',
-  did: 'did:web:localhost:agents:key-abc123',
-  proofId: 'proof_1234567890_abcd',
-  signature: 'mNYP8x2k9FqV3...'
-}
-\`\`\`
-### Proof Archives (Optional)
-If you configured the \`PROOF_ARCHIVE\` KV namespace, proofs are also stored for querying:
-\`\`\`bash
-# List all proofs
-wrangler kv:key list --namespace-id=your_proof_kv_id
-# View a specific proof
-wrangler kv:key get "proof_1234567890_abcd" --namespace-id=your_proof_kv_id
-\`\`\`
-## Identity Management
-Your agent's cryptographic identity is stored in Durable Objects state. To view your agent's DID:
-1. Check the logs during \`init()\` - it prints the DID
-2. Or query the runtime: \`await mcpiRuntime.getIdentity()\`
-The identity includes:
-- \`did\`: Decentralized identifier (e.g., \`did:web:your-worker.workers.dev:agents:key-xyz\`)
-- \`publicKey\`: Ed25519 public key for signature verification
-- \`privateKey\`: Ed25519 private key (secured in Durable Object state)
-## AgentShield Integration
-This project is configured to send cryptographic proofs to AgentShield for audit trails and compliance monitoring.
-### Setup
-1. **Get your AgentShield API key**:
-   - Sign up at https://kya.vouched.id
-   - Create a project
-   - Copy your API key from the dashboard
-2. **Update \`wrangler.toml\`**:
-   \`\`\`toml
-   [vars]
-   AGENTSHIELD_API_URL = "https://kya.vouched.id"
-   AGENTSHIELD_API_KEY = "sk_your_actual_key_here"  # ← Replace this
-   MCPI_ENV = "development"
-   \`\`\`
-3. **Test proof submission**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} dev
-   \`\`\`
-   Call a tool and check the logs:
-   \`\`\`
-   [AgentShield] Submitting proof: { did: 'did:web:...', sessionId: '...', jwsFormat: 'valid (3 parts)' }
-   [AgentShield] ✅ Proofs accepted: 1
-   \`\`\`
-4. **View proofs in dashboard**:
-   - Go to https://kya.vouched.id/dashboard
-   - Select your project
-   - Click "Interactions" tab
-   - See your proofs in real-time
-### Configuration
-The AgentShield integration is configured in \`src/mcpi-runtime-config.ts\`. You can customize:
-- Proof batch size (\`maxBatchSize\`)
-- Flush interval (\`flushIntervalMs\`)
-- Retry policy (\`maxRetries\`)
-- Tool protection rules (\`toolProtections\`)
-### Dashboard-Controlled Tool Protection (Advanced)
-🆕 **NEW**: Control which tools require user delegation directly from the AgentShield dashboard - no code changes needed!
-Instead of hardcoding \`requiresDelegation\` in your config, enable dynamic tool protection:
-1. **Create Tool Protection KV namespace**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection
-   \`\`\`
-2. **Uncomment TOOL_PROTECTION_KV in \`wrangler.toml\`**:
-   \`\`\`toml
-   [[kv_namespaces]]
-   binding = "TOOL_PROTECTION_KV"
-   id = "your_tool_protection_kv_id"  # ← Add the ID from step 1
-   \`\`\`
-3. **Enable Tool Protection Service in \`src/mcpi-runtime-config.ts\`**:
-   - Uncomment the import: \`import { CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";\`
-   - Uncomment the \`toolProtectionService\` configuration block
-4. **Deploy and test**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} deploy
-   \`\`\`
-5. **Control delegation from dashboard**:
-   - Go to https://kya.vouched.id/dashboard
-   - Select your project → "Tools" tab
-   - Toggle "Require Delegation" for any tool
-   - Changes apply in real-time (5-minute cache)
-**Benefits:**
-- Update tool permissions without redeploying
-- Test delegation flows instantly
-- Different requirements per environment (dev vs prod)
-- Automatic tool discovery from proof submissions
-**Note:** The first time a tool is called, it auto-discovers in the dashboard. The \`requiresDelegation\` toggle will appear after the first proof is submitted.
-### Disable AgentShield (Optional)
-If you don't want to use AgentShield, edit \`src/mcpi-runtime-config.ts\`:
-\`\`\`typescript
-proofing: {
-  enabled: false,  // Disable proof submission
-  // ...
-}
-\`\`\`
-Or simply don't configure the \`AGENTSHIELD_API_KEY\` environment variable.
-## References
-- [Cloudflare Agents MCP](https://developers.cloudflare.com/agents/model-context-protocol/)
-- [MCP Specification](https://spec.modelcontextprotocol.io/)
-- [MCP-I Documentation](https://github.com/kya-os/xmcp-i)
+// Export Durable Object class
+export class ${toPascalCase(projectName)}MCP extends ${toPascalCase(projectName)}Agent {}
 `;
-        fs.writeFileSync(path.join(projectPath, "README.md"), readmeContent);
-        console.log(chalk.green("✅ Cloudflare Worker MCP server created"));
-        console.log();
-        if (apikey) {
-            console.log(chalk.green("🔑 AgentShield API key configured in wrangler.toml"));
-            console.log(chalk.dim("   Your API key has been added to the [vars] section"));
-            console.log(chalk.dim("   Tool protection enforcement is ready to use!"));
-            console.log();
-        }
-        else {
-            console.log(chalk.yellow("⚠️  No AgentShield API key provided"));
-            console.log(chalk.dim("   Add your API key to wrangler.toml [vars] section before deployment"));
-            console.log(chalk.dim("   Get your key at: https://kya.vouched.id/dashboard"));
-            console.log();
-        }
-        console.log(chalk.bold("📦 All KV Namespaces Configured"));
-        console.log(chalk.dim("   - NONCE_CACHE: Replay attack prevention"));
-        console.log(chalk.dim("   - PROOF_ARCHIVE: Cryptographic proof storage"));
-        console.log(chalk.dim("   - IDENTITY_STORAGE: Agent identity persistence"));
-        console.log(chalk.dim("   - DELEGATION_STORAGE: OAuth delegation storage"));
-        console.log(chalk.dim("   - TOOL_PROTECTION_KV: Dashboard-controlled permissions"));
-        console.log();
-        console.log(chalk.cyan("   Run 'npm run kv:create' to create all namespaces"));
-        console.log();
-    }
-    catch (error) {
-        console.error(chalk.red("Failed to set up Cloudflare Worker MCP server:"), error);
-        throw error;
-    }
+    await fs.writeFile(path.join(targetDir, "src/agent.ts"), agentTs);
+    // 6. Create tsconfig.json
+    const tsConfig = {
+        compilerOptions: {
+            target: "esnext",
+            module: "esnext",
+            moduleResolution: "bundler",
+            types: ["@cloudflare/workers-types", "vitest/globals"],
+            strict: true,
+            skipLibCheck: true,
+            noEmit: true,
+        },
+        include: ["src/**/*"],
+        exclude: ["node_modules"],
+    };
+    await fs.writeJson(path.join(targetDir, "tsconfig.json"), tsConfig, {
+        spaces: 2,
+    });
+    // 7. Create .gitignore
+    const gitignore = `node_modules
+dist
+.wrangler
+.dev.vars
+`;
+    await fs.writeFile(path.join(targetDir, ".gitignore"), gitignore);
+    console.log(chalk.green("✔ Created Cloudflare MCP-I template files"));
+}
+function toPascalCase(str) {
+    return str
+        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word, index) => {
+        return word.toUpperCase();
+    })
+        .replace(/\s+/g, "")
+        .replace(/-/g, "");
 }
 //# sourceMappingURL=fetch-cloudflare-mcpi-template.js.map