@kya-os/create-mcpi-app 1.7.42-canary.4 → 1.7.42-canary.40

package/dist/helpers/fetch-cloudflare-mcpi-template.js

@@ -1,617 +1,104 @@
 import fs from "fs-extra";
 import path from "path";
 import chalk from "chalk";
+import { spawn } from "child_process";
+import crypto from "crypto";
 import { generateIdentity } from "./generate-identity.js";
 /**
- * Scaffold Cloudflare Worker MCP server
- * Uses McpAgent from agents/mcp for MCP protocol support
- */
-export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
-    const { packageManager = "npm", projectName = path.basename(projectPath), apikey, projectId, skipIdentity = false, } = options;
-    // Sanitize project name for class names
-    let className = projectName
-        .replace(/[^a-zA-Z0-9]/g, "")
-        .replace(/^[0-9]/, "_$&");
-    // Fallback to prevent empty class names
-    if (!className || className.length === 0) {
-        className = "Project";
-    }
-    const pascalClassName = className.charAt(0).toUpperCase() + className.slice(1);
-    // Sanitize project name for wrangler.toml (alphanumeric, lowercase, dashes only)
-    let wranglerName = projectName
-        .toLowerCase()
-        .replace(/[^a-z0-9-]/g, "-") // Replace invalid chars with dashes
-        .replace(/-+/g, "-") // Replace multiple dashes with single dash
-        .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
-    // Fallback to prevent empty wrangler names
-    if (!wranglerName || wranglerName.length === 0) {
-        wranglerName = "worker";
-    }
-    try {
-        // Create package.json
-        const packageJson = {
-            name: projectName,
-            version: "0.1.0",
-            private: true,
-            scripts: {
-                setup: "node scripts/setup.js",
-                postinstall: "npm run setup",
-                deploy: "wrangler deploy",
-                dev: "wrangler dev",
-                start: "wrangler dev",
-                "kv:create": "npm run kv:create-nonce && npm run kv:create-proof && npm run kv:create-identity && npm run kv:create-delegation && npm run kv:create-tool-protection",
-                "kv:create-nonce": `wrangler kv namespace create ${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:create-proof": `wrangler kv namespace create ${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:create-identity": `wrangler kv namespace create ${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:create-delegation": `wrangler kv namespace create ${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:create-tool-protection": `wrangler kv namespace create ${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:list": "wrangler kv namespace list | grep -E '(NONCE|PROOF|IDENTITY|DELEGATION|TOOL_PROTECTION|MCPI)' || wrangler kv namespace list",
-                "kv:keys-nonce": `wrangler kv key list --binding=${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:keys-proof": `wrangler kv key list --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:keys-identity": `wrangler kv key list --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:keys-delegation": `wrangler kv key list --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:keys-tool-protection": `wrangler kv key list --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:delete-nonce": `wrangler kv namespace delete --binding=${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:delete-proof": `wrangler kv namespace delete --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:delete-identity": `wrangler kv namespace delete --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:delete-delegation": `wrangler kv namespace delete --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:delete-tool-protection": `wrangler kv namespace delete --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:delete": "npm run kv:delete-nonce && npm run kv:delete-proof && npm run kv:delete-identity && npm run kv:delete-delegation && npm run kv:delete-tool-protection",
-                "kv:reset": "npm run kv:delete && npm run kv:create",
-                "kv:setup": "echo 'KV Commands: kv:create (create all), kv:list (list all), kv:keys-* (view keys), kv:delete (delete all), kv:reset (delete+recreate)'",
-                "cf-typegen": "wrangler types",
-                "type-check": "tsc --noEmit",
-                test: "vitest",
-                "test:watch": "vitest --watch",
-                "test:coverage": "vitest run --coverage",
-            },
-            dependencies: {
-                "@kya-os/contracts": "^1.5.2-canary.5",
-                "@kya-os/mcp-i-cloudflare": "1.5.1-canary.5",
-                "@modelcontextprotocol/sdk": "^1.19.1",
-                agents: "^0.2.21", // Use latest version - constructor now only accepts 2 parameters
-                hono: "^4.9.10",
-                zod: "^3.25.76",
-            },
-            devDependencies: {
-                "@cloudflare/workers-types": "^4.20251109.0",
-                "@kya-os/create-mcpi-app": "^1.7.23",
-                "@vitest/coverage-v8": "^3.2.4",
-                miniflare: "^3.0.0",
-                typescript: "^5.6.2",
-                vitest: "^3.2.4",
-                wrangler: "^4.42.2",
-            },
-        };
-        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
-        fs.writeJsonSync(path.join(projectPath, "package.json"), packageJson, {
-            spaces: 2,
-        });
-        // Create src directory and tools
-        const srcDir = path.join(projectPath, "src");
-        const toolsDir = path.join(srcDir, "tools");
-        fs.ensureDirSync(toolsDir);
-        // Create scripts directory
-        const scriptsDir = path.join(projectPath, "scripts");
-        fs.ensureDirSync(scriptsDir);
-        // Create setup.js automation script
-        const setupScriptContent = `#!/usr/bin/env node
-
-/**
- * Automated Setup Script for ${projectName}
- *
- * This script automates the tedious process of:
- * 1. Checking/installing wrangler
- * 2. Creating KV namespaces
- * 3. Extracting namespace IDs
- * 4. Updating wrangler.toml automatically
- * 5. Setting up local development environment
- */
-
-const { execSync } = require('child_process');
-const fs = require('fs');
-const path = require('path');
-const readline = require('readline');
-
-const rl = readline.createInterface({
-  input: process.stdin,
-  output: process.stdout
-});
-
-// Colors for terminal output
-const colors = {
-  reset: '\\x1b[0m',
-  bright: '\\x1b[1m',
-  green: '\\x1b[32m',
-  yellow: '\\x1b[33m',
-  blue: '\\x1b[36m',
-  red: '\\x1b[31m'
-};
-
-function log(message, color = colors.reset) {
-  console.log(color + message + colors.reset);
-}
-
-function skipToPostKVSetup() {
-  // Skip KV creation but continue with other setup steps
-  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
-  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
-
-  // Create .dev.vars from example if it doesn't exist
-  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
-    log('\\n📋 Creating .dev.vars from example...', colors.blue);
-    fs.copyFileSync(devVarsExamplePath, devVarsPath);
-    log('✅ Created .dev.vars - Please update with your values', colors.green);
-  }
-
-  // Check if identity needs to be generated
-  if (fs.existsSync(devVarsPath)) {
-    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
-    if (devVarsContent.includes('your-private-key-here')) {
-      log('\\n🔑 Generating agent identity...', colors.blue);
-      try {
-        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
-        log('✅ Identity generated successfully', colors.green);
-      } catch {
-        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
-      }
-    }
-  }
-
-  // Show modified next steps
-  log('\\n✨ Setup partially complete! Next steps:\\n', colors.bright + colors.green);
-  log('1. Set your Cloudflare account ID (required for KV namespaces):', colors.blue);
-  log('   export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
-  log('   OR add to wrangler.toml: account_id = "your-account-id"\\n', colors.reset);
-  log('2. Create KV namespaces: npm run kv:create', colors.blue);
-  log('3. Review .dev.vars and add any missing values', colors.blue);
-  log('4. Start development server: npm run dev', colors.blue);
-  log('5. Deploy to production: npm run deploy', colors.blue);
-  log('\\nUseful commands:', colors.bright);
-  log('  npm run dev                    - Start local development server');
-  log('  npm run deploy                 - Deploy to Cloudflare Workers');
-  log('  npm run kv:list                - List all KV namespaces');
-  log('  wrangler secret put <KEY>      - Set production secrets');
-  log('\\nFor more information, see the README.md file.\\n');
-
-  rl.close();
-}
-
-async function setup() {
-  log('\\n🚀 Starting automated setup for ${projectName}...\\n', colors.bright + colors.blue);
-
-  // 1. Check wrangler installation
-  try {
-    const wranglerVersion = execSync('wrangler --version', { encoding: 'utf-8' });
-    log('✅ Wrangler CLI detected: ' + wranglerVersion.trim(), colors.green);
-  } catch {
-    log('📦 Wrangler CLI not found. Installing...', colors.yellow);
-    try {
-      execSync('npm install -g wrangler', { stdio: 'inherit' });
-      log('✅ Wrangler CLI installed successfully', colors.green);
-    } catch (error) {
-      log('❌ Failed to install Wrangler. Please install manually: npm install -g wrangler', colors.red);
-      process.exit(1);
-    }
-  }
-
-  // 2. Check if user is logged in to Cloudflare
-  try {
-    execSync('wrangler whoami', { encoding: 'utf-8' });
-    log('✅ Logged in to Cloudflare', colors.green);
-  } catch {
-    log('🔑 Please log in to Cloudflare:', colors.yellow);
-    try {
-      execSync('wrangler login', { stdio: 'inherit' });
-    } catch (error) {
-      log('❌ Login failed. Please run: wrangler login', colors.red);
-      process.exit(1);
-    }
-  }
-
-  // 2.5. Set up wrangler.toml path for later use
-  const wranglerTomlPath = path.join(__dirname, '..', 'wrangler.toml');
-  let wranglerContent = '';
-
-  try {
-    wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
-  } catch (error) {
-    log('⚠️  Could not read wrangler.toml', colors.yellow);
-  }
-
-  // 3. Create KV namespaces
-  log('\\n📚 Creating KV namespaces...\\n', colors.bright);
-
-  const namespaces = [
-    { binding: '${className.toUpperCase()}_NONCE_CACHE', name: 'Nonce Cache', purpose: 'Replay attack prevention' },
-    { binding: '${className.toUpperCase()}_PROOF_ARCHIVE', name: 'Proof Archive', purpose: 'Cryptographic proof storage' },
-    { binding: '${className.toUpperCase()}_IDENTITY_STORAGE', name: 'Identity Storage', purpose: 'Agent identity persistence' },
-    { binding: '${className.toUpperCase()}_DELEGATION_STORAGE', name: 'Delegation Storage', purpose: 'OAuth token storage' },
-    { binding: '${className.toUpperCase()}_TOOL_PROTECTION_KV', name: 'Tool Protection', purpose: 'Permission caching' }
-  ];
-
-  const kvIds = {};
-  let multipleAccountsDetected = false;
-
-  for (const ns of namespaces) {
-    // If we already detected multiple accounts, skip remaining namespaces
-    if (multipleAccountsDetected) {
-      break;
-    }
-
-    log(\`Creating \${ns.name} (\${ns.purpose})...\`, colors.blue);
-
-    // First, check if namespace already exists
-    let existingNamespace = null;
-    try {
-      const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-      
-      try {
-        const allNamespaces = JSON.parse(listOutput);
-        existingNamespace = allNamespaces.find(n => n.title === ns.binding);
-      } catch (parseError) {
-        // Fallback to regex if JSON parsing fails
-        const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-        if (existingMatch && existingMatch[1]) {
-          existingNamespace = { id: existingMatch[1], title: ns.binding };
-        }
-      }
-    } catch (listError) {
-      // If we can't list namespaces, continue to try creating
-    }
-
-    if (existingNamespace && existingNamespace.id) {
-      kvIds[ns.binding] = existingNamespace.id;
-      log(\`  ✅ Using existing namespace with ID: \${existingNamespace.id}\`, colors.green);
-      continue;
-    }
-
-    // Namespace doesn't exist, try to create it
-    try {
-      // Suppress stderr to avoid noisy error messages
-      const output = execSync(\`wrangler kv namespace create "\${ns.binding}"\`, { 
-        encoding: 'utf-8', 
-        stdio: ['pipe', 'pipe', 'pipe'] 
-      });
-
-      // Extract the ID from output
-      const idMatch = output.match(/id = "([^"]+)"/);
-
-      if (idMatch && idMatch[1]) {
-        kvIds[ns.binding] = idMatch[1];
-        log(\`  ✅ Created with ID: \${idMatch[1]}\`, colors.green);
-      } else {
-        log(\`  ⚠️  Created but could not extract ID. Checking existing namespaces...\`, colors.yellow);
-        // Fallback: try to find it in the list
-        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-        try {
-          const allNamespaces = JSON.parse(listOutput);
-          const found = allNamespaces.find(n => n.title === ns.binding);
-          if (found && found.id) {
-            kvIds[ns.binding] = found.id;
-            log(\`  ✅ Found ID: \${found.id}\`, colors.green);
-          }
-        } catch {
-          // Ignore parse errors
-        }
-      }
-    } catch (error) {
-      const errorMessage = error.message || error.toString();
-      const errorOutput = error.stdout || error.stderr || '';
-
-      // Check if this is a multiple accounts error
-      if (errorMessage.includes('More than one account') || errorMessage.includes('multiple accounts') || errorOutput.includes('More than one account')) {
-        multipleAccountsDetected = true;
-        log('\\n⚠️  Multiple Cloudflare accounts detected!\\n', colors.yellow);
-        log('Wrangler cannot automatically select an account in non-interactive mode.\\n', colors.yellow);
-        log('To fix this, choose one of these options:\\n', colors.bright);
-        log('Option 1: Set environment variable (recommended):', colors.blue);
-        log('  export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
-        log('  npm run setup\\n', colors.reset);
-        log('Option 2: Add to wrangler.toml (permanent):', colors.blue);
-        log('  Edit wrangler.toml and add:', colors.reset);
-        log('  account_id = "your-account-id"\\n', colors.reset);
-        log('Find your account IDs in the error above or run:', colors.blue);
-        log('  wrangler whoami\\n', colors.reset);
-        log('⏭️  Skipping remaining KV namespace creation.', colors.yellow);
-        log('After setting account_id, run: npm run setup\\n', colors.yellow);
-        break;
-      }
-
-      // Check if namespace already exists (common case - suppress noisy error)
-      if (errorMessage.includes('already exists') || errorOutput.includes('already exists') || errorOutput.includes('code: 10014')) {
-        // Try to get the existing namespace ID
-        try {
-          const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-          
-          try {
-            const allNamespaces = JSON.parse(listOutput);
-            const found = allNamespaces.find(n => n.title === ns.binding);
-            
-            if (found && found.id) {
-              kvIds[ns.binding] = found.id;
-              log(\`  ✅ Using existing namespace with ID: \${found.id}\`, colors.green);
-            } else {
-              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
-            }
-          } catch (parseError) {
-            // Fallback to regex
-            const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-            if (existingMatch && existingMatch[1]) {
-              kvIds[ns.binding] = existingMatch[1];
-              log(\`  ✅ Using existing namespace with ID: \${existingMatch[1]}\`, colors.green);
-            } else {
-              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
-            }
-          }
-        } catch (listError) {
-          log(\`  ⚠️  Namespace may already exist. Run 'wrangler kv namespace list' to verify.\`, colors.yellow);
-        }
-      } else {
-        // Some other error occurred
-        log(\`  ❌ Failed to create \${ns.binding}\`, colors.red);
-        log(\`     Error: \${errorMessage}\`, colors.red);
-      }
-    }
-  }
-
-  // If multiple accounts detected, skip to post-KV setup
-  if (multipleAccountsDetected) {
-    return skipToPostKVSetup();
-  }
-
-  // 4. Update wrangler.toml with KV IDs
-  if (Object.keys(kvIds).length > 0) {
-    log('\\n📝 Updating wrangler.toml with KV namespace IDs...\\n', colors.bright);
-
-    try {
-      wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
-      let updatedCount = 0;
-
-      for (const [binding, id] of Object.entries(kvIds)) {
-        // Match pattern: binding = "BINDING_NAME"\\nid = "anything" (including placeholders)
-        const pattern = new RegExp(\`(binding = "\${binding}")\\\\s*\\\\nid = "[^"]*"\`, 'g');
-        const replacement = \`$1\\nid = "\${id}"\`;
-
-        const newContent = wranglerContent.replace(pattern, replacement);
-        if (newContent !== wranglerContent) {
-          updatedCount++;
-          log(\`  ✅ Updated \${binding} with ID: \${id}\`, colors.green);
-        }
-        wranglerContent = newContent;
-      }
-
-      fs.writeFileSync(wranglerTomlPath, wranglerContent);
-      log(\`\\n✅ Updated \${updatedCount} namespace ID(s) in wrangler.toml\`, colors.green);
-
-      // Show remaining placeholder IDs if any
-      const placeholderMatches = wranglerContent.match(/binding = "[^"]+"\\s*\\nid = "your_[^"]+"/g);
-      if (placeholderMatches) {
-        log('\\n⚠️  Some namespace IDs still have placeholders:', colors.yellow);
-        placeholderMatches.forEach(match => {
-          const bindingMatch = match.match(/binding = "([^"]+)"/);
-          if (bindingMatch) {
-            log(\`  - \${bindingMatch[1]}\`, colors.yellow);
-          }
-        });
-      }
-    } catch (error) {
-      log(\`❌ Failed to update wrangler.toml: \${error.message}\`, colors.red);
-    }
-  }
-
-  // 5. Create .dev.vars from example if it doesn't exist
-  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
-  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
-
-  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
-    log('\\n📋 Creating .dev.vars from example...', colors.blue);
-    fs.copyFileSync(devVarsExamplePath, devVarsPath);
-    log('✅ Created .dev.vars - Please update with your values', colors.green);
-  }
-
-  // 6. Check if identity needs to be generated
-  if (fs.existsSync(devVarsPath)) {
-    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
-    if (devVarsContent.includes('your-private-key-here')) {
-      log('\\n🔑 Generating agent identity...', colors.blue);
-      try {
-        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
-        log('✅ Identity generated successfully', colors.green);
-      } catch {
-        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
-      }
-    }
-  }
-
-  // 7. Show next steps
-  log('\\n✨ Setup complete! Next steps:\\n', colors.bright + colors.green);
-  log('1. Review .dev.vars and add any missing values (AgentShield API key, etc.)', colors.blue);
-  log('2. Start development server: npm run dev', colors.blue);
-  log('3. Deploy to production: npm run deploy', colors.blue);
-  log('\\nUseful commands:', colors.bright);
-  log('  npm run dev                    - Start local development server');
-  log('  npm run deploy                 - Deploy to Cloudflare Workers');
-  log('  npm run kv:list                - List all KV namespaces');
-  log('  wrangler secret put <KEY>      - Set production secrets');
-  log('\\nFor more information, see the README.md file.\\n');
-
-  rl.close();
-}
-
-// Handle errors gracefully
-process.on('unhandledRejection', (error) => {
-  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
-  process.exit(1);
-});
-
-// Run the setup
-setup().catch((error) => {
-  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
-  process.exit(1);
-});
-`;
-        fs.writeFileSync(path.join(scriptsDir, "setup.js"), setupScriptContent);
-        // Make setup script executable
-        if (process.platform !== "win32") {
-            fs.chmodSync(path.join(scriptsDir, "setup.js"), "755");
-        }
-        // Note: Tests directory is not created by default
-        // Users can add their own tests as needed
-        // Create greet tool
-        const greetToolContent = `import { z } from "zod";
-
-/**
- * Greet Tool - Example MCP tool with AgentShield integration
- *
- * This tool demonstrates proper scopeId configuration for tool auto-discovery.
- *
- * Configure the corresponding scope in mcpi-runtime-config.ts:
- * \`\`\`typescript
- * toolProtections: {
- *   greet: {
- *     requiresDelegation: false,
- *     requiredScopes: ["greet:execute"],  // ← This becomes the scopeId in proofs
- *   }
- * }
- * \`\`\`
- *
- * The scopeId format is "toolName:action":
- * - Tool name: "greet" (extracted before the ":")
- * - Action: "execute" (extracted after the ":")
- * - Risk level: Auto-determined from action keyword (execute = high)
+ * Fetches the Cloudflare MCP-I template
  *
- * Other scopeId examples:
- * - "files:read" → Medium risk
- * - "files:write" → High risk
- * - "database:delete" → Critical risk
+ * Generates a complete project structure:
+ * - package.json with all scripts
+ * - wrangler.toml with all KV namespaces configured
+ * - .dev.vars with all secrets
+ * - src/index.ts
+ * - src/agent.ts
+ * - src/tools/greet.ts
+ * - src/mcpi-runtime-config.ts
+ * - scripts/setup.js for KV namespace creation and key regeneration
+ * - Automatically runs setup to create KV namespaces
  */
-export const greetTool = {
-  name: "greet",
-  description: "Greet a user by name",
-  inputSchema: z.object({
-    name: z.string().describe("The name of the user to greet")
-  }),
-  handler: async ({ name }: { name: string }) => {
-    return {
-      content: [
-        {
-          type: "text" as const,
-          text: \`Hello, \${name}! Welcome to your Cloudflare MCP server.\`
+export async function fetchCloudflareMcpiTemplate(targetDir, options) {
+    // Handle legacy string argument (projectName) for backward compatibility
+    const opts = typeof options === 'string'
+        ? { packageManager: 'npm', projectName: options }
+        : options;
+    const { projectName, apikey, projectId, packageManager } = opts;
+    const projectNameUpper = projectName.toUpperCase().replace(/-/g, '_');
+    console.log(chalk.blue(`\n🏗️  Generating Cloudflare MCP-I project: ${projectName}...`));
+    // 1. Create directory structure
+    await fs.ensureDir(path.join(targetDir, "src"));
+    await fs.ensureDir(path.join(targetDir, "src/tools"));
+    await fs.ensureDir(path.join(targetDir, "scripts"));
+    // 2. Generate Identity (Keys & DID)
+    console.log(chalk.blue("🔑 Generating cryptographic identity..."));
+    const identity = await generateIdentity();
+    // 3. Create package.json with all scripts
+    const packageJson = {
+        name: projectName,
+        version: "0.1.0",
+        private: true,
+        scripts: {
+            deploy: "wrangler deploy",
+            dev: "wrangler dev",
+            start: "wrangler dev",
+            test: "vitest",
+            "cf-typegen": "wrangler types",
+            "setup": "node scripts/setup.js",
+            "kv:create-nonce": `wrangler kv:namespace create ${projectNameUpper}_NONCE_CACHE`,
+            "kv:create-proof": `wrangler kv:namespace create ${projectNameUpper}_PROOF_ARCHIVE`,
+            "kv:create-identity": `wrangler kv:namespace create ${projectNameUpper}_IDENTITY_STORAGE`,
+            "kv:create-delegation": `wrangler kv:namespace create ${projectNameUpper}_DELEGATION_STORAGE`,
+            "kv:create-tool-protection": `wrangler kv:namespace create ${projectNameUpper}_TOOL_PROTECTION_KV`
+        },
+        dependencies: {
+            "@kya-os/mcp-i-cloudflare": "^1.5.8-canary.48",
+            "@modelcontextprotocol/sdk": "^0.6.0",
+            "agents": "^0.2.21",
+            "hono": "^4.6.3"
+        },
+        devDependencies: {
+            "@cloudflare/vitest-pool-workers": "^0.5.2",
+            "@cloudflare/workers-types": "^4.20240925.0",
+            "@types/node": "^20.8.3",
+            "typescript": "^5.5.2",
+            "vitest": "2.0.5",
+            "wrangler": "^3.78.12"
         }
-      ]
     };
-  }
-};
-`;
-        fs.writeFileSync(path.join(toolsDir, "greet.ts"), greetToolContent);
-        // Create mcpi-runtime-config.ts for AgentShield integration
-        const runtimeConfigContent = `import type { CloudflareRuntimeConfig } from '@kya-os/mcp-i-cloudflare/config';
-import type { CloudflareEnv } from '@kya-os/mcp-i-cloudflare';
-import { defineConfig } from '@kya-os/mcp-i-cloudflare';
-
-/**
- * Runtime configuration for MCP-I server
- *
- * This file configures runtime features like proof submission to AgentShield,
- * delegation verification, and audit logging.
- *
- * Environment variables are automatically injected from wrangler.toml (Cloudflare)
- * or .env (Node.js). Configure them there:
- * - AGENTSHIELD_API_URL: AgentShield API base URL
- * - AGENTSHIELD_API_KEY: Your AgentShield API key
- * - AGENTSHIELD_PROJECT_ID: Your AgentShield project ID (optional but recommended)
- * - MCPI_ENV: "development" or "production"
- *
- * Tool Protection:
- * - Automatically enabled if AGENTSHIELD_API_KEY and TOOL_PROTECTION_KV are set
- * - Fetches tool protection config from AgentShield API by project ID
- * - Caches config for 5 minutes to minimize API calls
- * - Falls back to local config if API is unavailable
- * - Configure delegation requirements in AgentShield dashboard
- */
-export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
-  return defineConfig({
-    // Only specify overrides - defaults are handled automatically
-    vars: {
-      ENVIRONMENT: env.ENVIRONMENT || env.MCPI_ENV || 'development',
-      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
-      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
-    },
-    // Tool protection is automatically enabled by defineConfig if AGENTSHIELD_API_KEY is present
-    // You can override by explicitly setting toolProtection here
-    // Admin endpoints: automatically enabled by defineConfig if AGENTSHIELD_API_KEY is present
-    // Uses AGENTSHIELD_API_KEY for authentication (same as tool protection)
-    // No need to explicitly set admin - defineConfig handles it automatically
-    // admin: {
-    //   enabled: true,  // Auto-enabled by defineConfig when AGENTSHIELD_API_KEY is present
-    //   apiKey: env.ADMIN_API_KEY || env.AGENTSHIELD_API_KEY,
-    // },
-  });
-}
-`;
-        fs.writeFileSync(path.join(srcDir, "mcpi-runtime-config.ts"), runtimeConfigContent);
-        // Create main index.ts using MCPICloudflareServer
-        const indexContent = `import { MCPICloudflareAgent, createMCPIApp, type PrefixedCloudflareEnv } from "@kya-os/mcp-i-cloudflare";
-import { greetTool } from "./tools/greet";
-import { getRuntimeConfig } from "./mcpi-runtime-config";
-
-/**
- * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
- */
-interface MyPrefixedCloudflareEnv extends PrefixedCloudflareEnv {
-  ${className.toUpperCase()}_NONCE_CACHE?: KVNamespace;
-  ${className.toUpperCase()}_PROOF_ARCHIVE?: KVNamespace;
-  ${className.toUpperCase()}_IDENTITY_STORAGE?: KVNamespace;
-  ${className.toUpperCase()}_DELEGATION_STORAGE?: KVNamespace;
-  ${className.toUpperCase()}_TOOL_PROTECTION_KV?: KVNamespace;
-}
+    await fs.writeJson(path.join(targetDir, "package.json"), packageJson, {
+        spaces: 2,
+    });
+    // 4. Create .dev.vars with ALL secrets
+    const devVarsContent = `# Secrets for local development
+# Generated by create-mcpi-app
+
+# Agent Identity (DO NOT COMMIT THIS FILE)
+MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
 
-/**
- * Your custom MCP agent - only define your tools here!
- * All framework complexity (runtime initialization, proof generation, etc.) is handled automatically.
- */
-export class ${pascalClassName}MCP extends MCPICloudflareAgent {
-  async registerTools() {
-    // Register your custom tools - proofs are generated automatically
-    this.server.tool(
-      greetTool.name,
-      greetTool.description,
-      greetTool.inputSchema.shape,
-      async (args: { name: string }) => {
-        return this.executeToolWithProof(
-          greetTool.name,
-          args,
-          greetTool.handler
-        );
-      }
-    );
-  }
-}
+# AgentShield Configuration
+${apikey ? `AGENTSHIELD_API_KEY="${apikey}"` : '# AGENTSHIELD_API_KEY="sk_YOUR_API_KEY_HERE"'}
 
-// Create and export the app - all routing is handled automatically
-export default createMCPIApp({
-  AgentClass: ${pascalClassName}MCP,
-  agentName: "${projectName}",
-  agentVersion: "1.0.0",
-  envPrefix: "${className.toUpperCase()}",
-  getRuntimeConfig,
-});
+# Admin API Key for cache management
+# Generate a secure key: openssl rand -base64 32
+ADMIN_API_KEY="${generateAdminApiKey()}"
 `;
-        fs.writeFileSync(path.join(srcDir, "index.ts"), indexContent);
-        const wranglerContent = `#:schema node_modules/wrangler/config-schema.json
-name = "${wranglerName}"
+    await fs.writeFile(path.join(targetDir, ".dev.vars"), devVarsContent);
+    // 5. Create wrangler.toml with all KV namespaces (placeholders initially)
+    const wranglerToml = `#:schema node_modules/wrangler/config-schema.json
+name = "${projectName}"
 main = "src/index.ts"
-compatibility_date = "2025-06-18"
+compatibility_date = "2024-09-25"
 compatibility_flags = ["nodejs_compat"]
 
+# Durable Object binding for MCP Agent state
 [[durable_objects.bindings]]
 name = "MCP_OBJECT"
-class_name = "${pascalClassName}MCP"
+class_name = "${toPascalCase(projectName)}MCP"
 
 [[migrations]]
 tag = "v1"
-new_sqlite_classes = ["${pascalClassName}MCP"]
+new_classes = ["${toPascalCase(projectName)}MCP"]
 
 # Cron trigger for proof batch queue flushing (OPTIONAL - CURRENTLY DISABLED)
 # 
@@ -640,8 +127,8 @@ new_sqlite_classes = ["${pascalClassName}MCP"]
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-nonce
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_NONCE_CACHE"
-id = "your_nonce_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_NONCE_CACHE"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 # KV Namespace for proof archive (RECOMMENDED for auditability)
 #
@@ -652,8 +139,8 @@ id = "your_nonce_kv_namespace_id"  # Auto-filled by setup script
 #
 # Note: Comment out if you don't need proof archiving
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_PROOF_ARCHIVE"
-id = "your_proof_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_PROOF_ARCHIVE"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 # KV Namespace for identity storage (RECOMMENDED for persistent agent identity)
 #
@@ -662,8 +149,8 @@ id = "your_proof_kv_namespace_id"  # Auto-filled by setup script
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-identity
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_IDENTITY_STORAGE"
-id = "your_identity_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_IDENTITY_STORAGE"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 # KV Namespace for delegation storage (REQUIRED for OAuth/delegation flows)
 #
@@ -672,10 +159,10 @@ id = "your_identity_kv_namespace_id"  # Auto-filled by setup script
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-delegation
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_DELEGATION_STORAGE"
-id = "your_delegation_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_DELEGATION_STORAGE"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
-# KV Namespace for tool protection config (${apikey ? "ENABLED" : "OPTIONAL"} for dashboard-controlled delegation)
+# KV Namespace for tool protection config (ENABLED for dashboard-controlled delegation)
 #
 # 🆕 Enables dynamic tool protection configuration from AgentShield dashboard
 # Caches which tools require user delegation based on dashboard toggle switches
@@ -693,21 +180,40 @@ id = "your_delegation_kv_namespace_id"  # Auto-filled by setup script
 # Note: This namespace is REQUIRED when using AgentShield API key (--apikey)
 #       It will be automatically created by the setup script (npm run setup)
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_TOOL_PROTECTION_KV"
-id = "your_tool_protection_kv_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_TOOL_PROTECTION_KV"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 [vars]
+# Agent DID (public identifier - safe to commit)
+MCP_IDENTITY_AGENT_DID = "${identity.did}"
+
+# Public identity key (safe to commit - not sensitive)
+MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
+
+# Private identity key (SECRET - NOT declared here)
+# For local development: Add to .dev.vars file
+# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+
+# ALLOWED_ORIGINS for CORS (update for production)
+ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
+
+# DO routing strategy: "session" for dev, "shard" for production high-load
+DO_ROUTING_STRATEGY = "session"
+DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
+
 XMCP_I_TS_SKEW_SEC = "120"
 XMCP_I_SESSION_TTL = "1800"
 
 # AgentShield Integration (https://kya.vouched.id)
 AGENTSHIELD_API_URL = "https://kya.vouched.id"
+
 # AGENTSHIELD_PROJECT_ID - Your project ID from AgentShield dashboard (e.g., "batman-txh0ae")
 #   Required for project-scoped tool protection configuration (recommended)
 #   Find it in your dashboard URL: https://kya.vouched.id/dashboard/projects/{PROJECT_ID}
 #   Or in your project settings
 #   This is not sensitive, so it's safe to keep a value here
-AGENTSHIELD_PROJECT_ID = "${projectId || ""}"
+${projectId ? `AGENTSHIELD_PROJECT_ID = "${projectId}"` : '# AGENTSHIELD_PROJECT_ID = "your-project-id"'}
+
 MCPI_ENV = "development"
 
 # Secrets (NOT declared here - see instructions below)
@@ -716,467 +222,289 @@ MCPI_ENV = "development"
 #   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY
 #   $ wrangler secret put AGENTSHIELD_API_KEY
 #   $ wrangler secret put ADMIN_API_KEY
+
 # Note: .dev.vars is git-ignored and contains actual secret values for local dev
 
 # Optional: MCP Server URL for tool discovery and consent page generation
 # Uncomment to explicitly set your MCP server URL (auto-detected from request origin if not set)
 # IMPORTANT: Use base URL WITHOUT /mcp suffix (e.g., "https://your-worker.workers.dev")
 # The consent pages are at /consent, not /mcp/consent
-# MCP_SERVER_URL = "https://your-worker.workers.dev"
+# MCP_SERVER_URL = "https://${projectName}.YOUR-SUBDOMAIN.workers.dev"
 `;
-        fs.writeFileSync(path.join(projectPath, "wrangler.toml"), wranglerContent);
-        // Generate persistent identity for Cloudflare Worker
-        if (!skipIdentity) {
-            try {
-                const identity = await generateIdentity();
-                // Logs removed - identity generation is silent
-                // Read existing wrangler.toml
-                const wranglerPath = path.join(projectPath, "wrangler.toml");
-                let wranglerTomlContent = fs.readFileSync(wranglerPath, "utf8");
-                // Find [vars] section and add identity environment variables
-                // Add ALL identity variables (empty values will be overridden by .dev.vars)
-                const varsMatch = wranglerTomlContent.match(/\[vars\]/);
-                if (varsMatch) {
-                    const insertPosition = varsMatch.index + varsMatch[0].length;
-                    const identityVars = `
-# Agent DID (public identifier - safe to commit)
-MCP_IDENTITY_AGENT_DID = "${identity.did}"
-
-# Public identity key (safe to commit - not sensitive)
-MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
-
-# Private identity key (SECRET - NOT declared here)
-# For local development: Add to .dev.vars file
-# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-
-# ALLOWED_ORIGINS for CORS (update for production)
-ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
-
-# DO routing strategy: "session" for dev, "shard" for production high-load
-DO_ROUTING_STRATEGY = "session"
-DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
+    await fs.writeFile(path.join(targetDir, "wrangler.toml"), wranglerToml);
+    // 6. Create src/index.ts (Entry Point)
+    const indexTs = `import { createMCPICloudflareAdapter } from "@kya-os/mcp-i-cloudflare";
+import { ${toPascalCase(projectName)}Agent } from "./agent";
+import config from "./mcpi-runtime-config";
+
+// Create the adapter
+const adapter = createMCPICloudflareAdapter({
+  agent: ${toPascalCase(projectName)}Agent,
+  env: {} as any, // Will be injected by Cloudflare
+  serverInfo: {
+    name: "${projectName}",
+    version: "1.0.0",
+  },
+  tools: config.tools, // Pass tools from config
+});
 
+// Export the fetch handler and Durable Object
+export default adapter;
+export { ${toPascalCase(projectName)}MCP } from "./agent";
 `;
-                    // Remove any secret declarations from [vars] (they should not be here)
-                    // Secrets go in .dev.vars for local dev, wrangler secret put for production
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*MCP_IDENTITY_PRIVATE_KEY\s*=.*$/gm, `# MCP_IDENTITY_PRIVATE_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*AGENTSHIELD_API_KEY\s*=.*$/gm, `# AGENTSHIELD_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*ADMIN_API_KEY\s*=.*$/gm, `# ADMIN_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    // Update public key if it exists (safe to keep in [vars])
-                    if (/MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent)) {
-                        wranglerTomlContent = wranglerTomlContent.replace(/MCP_IDENTITY_PUBLIC_KEY\s*=\s*"[^"]*"/, `MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"`);
-                    }
-                    // Update AGENTSHIELD_PROJECT_ID if it exists and projectId is provided
-                    // This is safe to keep a value since it's not sensitive
-                    if (projectId &&
-                        /AGENTSHIELD_PROJECT_ID\s*=/.test(wranglerTomlContent)) {
-                        wranglerTomlContent = wranglerTomlContent.replace(/AGENTSHIELD_PROJECT_ID\s*=\s*"[^"]*"/, `AGENTSHIELD_PROJECT_ID = "${projectId}"`);
-                    }
-                    // Check if non-secret variables already exist in wrangler.toml
-                    const hasIdentityDid = /MCP_IDENTITY_AGENT_DID\s*=/.test(wranglerTomlContent);
-                    const hasIdentityPublicKey = /MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent);
-                    // Only insert identity vars if they don't already exist
-                    const needsInsertion = !hasIdentityDid || !hasIdentityPublicKey;
-                    if (needsInsertion) {
-                        wranglerTomlContent =
-                            wranglerTomlContent.slice(0, insertPosition) +
-                                identityVars +
-                                wranglerTomlContent.slice(insertPosition);
-                    }
-                    // Write updated wrangler.toml (without secrets)
-                    fs.writeFileSync(wranglerPath, wranglerTomlContent);
-                    // Create .dev.vars file for local development (git-ignored)
-                    // Only contains SECRETS (not public keys or project IDs)
-                    const devVarsPath = path.join(projectPath, ".dev.vars");
-                    const devVarsContent = `# Local development secrets (DO NOT COMMIT)
-# This file is git-ignored and contains sensitive data
-# 
-# HOW IT WORKS:
-# 1. Secrets are NOT declared in wrangler.toml [vars] (avoids conflicts)
-# 2. This file (.dev.vars) provides secrets for local development
-# 3. Production uses: wrangler secret put VARIABLE_NAME
-#
-# Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID) are in wrangler.toml
+    await fs.writeFile(path.join(targetDir, "src/index.ts"), indexTs);
+    // 7. Create src/agent.ts (Agent Class)
+    const agentTs = `import { MCPICloudflareAgent } from "@kya-os/mcp-i-cloudflare";
+import config from "./mcpi-runtime-config";
+import type { Tool } from "@modelcontextprotocol/sdk/types.js";
 
-# Private identity key (generated by create-mcpi-app)
-MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
+/**
+ * MCP-I Agent Implementation
+ */
+export class ${toPascalCase(projectName)}Agent extends MCPICloudflareAgent {
+  /**
+   * Get tools definition from runtime config
+   */
+  protected getTools(): Tool[] {
+    return config.tools || [];
+  }
 
-# AgentShield API key (get from https://kya.vouched.id/dashboard)
-AGENTSHIELD_API_KEY="${apikey || ""}"${apikey ? "  # Provided via --apikey flag" : ""}
+  /**
+   * Handle tool execution by routing to handlers defined in config
+   */
+  protected async executeTool(name: string, args: any): Promise<any> {
+    // Find the tool handler in our config
+    const toolDef = config.tools?.find(t => t.name === name);
+    
+    if (toolDef && (toolDef as any).handler) {
+      return (toolDef as any).handler(args);
+    }
+    
+    throw new Error(\`Unknown tool: \${name}\`);
+  }
+}
 
-# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
-ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_API_KEY" : ""}
+// Export Durable Object class
+export class ${toPascalCase(projectName)}MCP extends ${toPascalCase(projectName)}Agent {}
 `;
-                    fs.writeFileSync(devVarsPath, devVarsContent);
-                    // Create .dev.vars.example for reference
-                    const devVarsExamplePath = path.join(projectPath, ".dev.vars.example");
-                    const devVarsExampleContent = `# Copy this file to .dev.vars and fill in your values
-# DO NOT commit .dev.vars to version control
-#
-# NOTE: Only secrets go here. Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID)
-# are in wrangler.toml [vars] and can be committed safely.
-
-# Private identity key (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
-MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
+    await fs.writeFile(path.join(targetDir, "src/agent.ts"), agentTs);
+    // 8. Create src/tools/greet.ts
+    const greetToolTs = `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
 
-# AgentShield API key (get from https://kya.vouched.id/dashboard)
-AGENTSHIELD_API_KEY="your-api-key-here"
-
-# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
-ADMIN_API_KEY="your-admin-key-here"
-`;
-                    fs.writeFileSync(devVarsExamplePath, devVarsExampleContent);
-                }
-            }
-            catch (error) {
-                // Logs removed - errors are silent during scaffolding
-            }
-        }
-        // Create tsconfig.json
-        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
-        const tsconfigContent = {
-            compilerOptions: {
-                target: "ES2022",
-                module: "ES2022",
-                lib: ["ES2022"],
-                types: ["@cloudflare/workers-types"],
-                moduleResolution: "bundler",
-                resolveJsonModule: true,
-                allowSyntheticDefaultImports: true,
-                esModuleInterop: true,
-                strict: true,
-                skipLibCheck: true,
-                forceConsistentCasingInFileNames: true,
-            },
-            include: ["src/**/*"],
-        };
-        fs.writeJsonSync(path.join(projectPath, "tsconfig.json"), tsconfigContent, {
-            spaces: 2,
-        });
-        // Create .gitignore
-        const gitignoreContent = `node_modules/
-dist/
-.wrangler/
-.dev.vars
-.env
-.env.local
-*.log
-`;
-        fs.writeFileSync(path.join(projectPath, ".gitignore"), gitignoreContent);
-        // Create .npmrc to suppress harmless deprecation warnings
-        const npmrcContent = `# Suppress deprecation warnings from transitive dependencies
-# These warnings are harmless and don't affect functionality
-# They come from: inflight (glob@7), phin (jimp), rimraf (del), glob (rimraf), node-domexception (node-fetch)
-# Will be resolved when upstream packages update their dependencies
-loglevel=error
+export const greetTool: ToolDefinition = {
+  name: "greet",
+  description: "Greet the user",
+  inputSchema: {
+    type: "object",
+    properties: {
+      name: { type: "string", description: "Name of the person to greet" },
+    },
+    required: ["name"],
+  },
+  handler: async (args: { name: string }) => {
+    return {
+      content: [
+        {
+          type: "text",
+          text: \`Hello, \${args.name}! Welcome to ${projectName}.\`,
+        },
+      ],
+    };
+  },
+};
 `;
-        fs.writeFileSync(path.join(projectPath, ".npmrc"), npmrcContent);
-        // Create README.md
-        const readmeContent = `# ${projectName}
-
-MCP server running on Cloudflare Workers with MCP-I identity features, cryptographic proofs, and full SSE/HTTP streaming support.
-
-## Features
-
-- ✅ **MCP Protocol Support**: SSE and HTTP streaming transports
-- ✅ **Cryptographic Identity**: DID-based agent identity with Ed25519 signatures
-- ✅ **Proof Generation**: Every tool call generates a cryptographic proof
-- ✅ **Audit Logging**: Track all operations with proof IDs and signatures
-- ✅ **Nonce Protection**: Replay attack prevention via KV-backed nonce cache
-- ✅ **Proof Archiving**: Optional KV storage for proof history
-
-## Quick Start
-
-### 1. Install Dependencies
-
-\`\`\`bash
-${packageManager} install
-\`\`\`
-
-### 2. Create KV Namespaces
-
-#### Create All KV Namespaces (Recommended)
-
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} kv:create
-\`\`\`
-
-This creates all 5 KV namespaces at once:
-- \`NONCE_CACHE\` - Replay attack prevention (Required)
-- \`PROOF_ARCHIVE\` - Cryptographic proof storage (Recommended)
-- \`IDENTITY_STORAGE\` - Agent identity persistence (Recommended)
-- \`DELEGATION_STORAGE\` - OAuth delegation storage (Required for delegation)
-- \`TOOL_PROTECTION_KV\` - Dashboard-controlled permissions (Optional)
-
-Copy the namespace IDs from the output and update each one in \`wrangler.toml\`:
-
-\`\`\`toml
-[[kv_namespaces]]
-binding = "NONCE_CACHE"
-id = "your_nonce_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "PROOF_ARCHIVE"
-id = "your_proof_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "IDENTITY_STORAGE"
-id = "your_identity_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "DELEGATION_STORAGE"
-id = "your_delegation_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "TOOL_PROTECTION_KV"
-id = "your_tool_protection_kv_id_here"  # ← Update this
-\`\`\`
-
-**Note:** You can also create namespaces individually:
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-nonce\` - Create nonce cache only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-proof\` - Create proof archive only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-identity\` - Create identity storage only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-delegation\` - Create delegation storage only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection\` - Create tool protection cache only
-
-### 3. Test Locally
-
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} dev
-\`\`\`
-
-### 4. Deploy
-
-#### Production Deployment
-
-Secrets are **not** declared in \`wrangler.toml\` to avoid conflicts. Set them using:
-
-\`\`\`bash
-wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-wrangler secret put AGENTSHIELD_API_KEY
-wrangler secret put ADMIN_API_KEY
-\`\`\`
-
-**Tip:** Copy values from your \`.dev.vars\` file when prompted.
+    await fs.writeFile(path.join(targetDir, "src/tools/greet.ts"), greetToolTs);
+    // 9. Create src/mcpi-runtime-config.ts
+    const runtimeConfigTs = `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+import { greetTool } from "./tools/greet";
 
-**Note:** \`MCP_IDENTITY_PUBLIC_KEY\` and \`AGENTSHIELD_PROJECT_ID\` are not secrets and are already in \`wrangler.toml\` with values.
+interface RuntimeConfig {
+  tools: ToolDefinition[];
+}
 
-Now deploy:
+const config: RuntimeConfig = {
+  tools: [
+    greetTool,
+    // Add more tools here
+  ],
+};
 
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} deploy
-\`\`\`
+export default config;
+`;
+    await fs.writeFile(path.join(targetDir, "src/mcpi-runtime-config.ts"), runtimeConfigTs);
+    // 10. Create scripts/setup.js (KV Namespace Creation & Key Regeneration Script)
+    const setupJs = `#!/usr/bin/env node
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
 
-## Connect with Claude Desktop
+const projectName = '${projectName}';
+const projectNameUpper = '${projectNameUpper}';
 
-Add to \`~/Library/Application Support/Claude/claude_desktop_config.json\`:
+console.log('🚀 Setting up MCP-I Cloudflare Worker...');
+console.log('');
 
-\`\`\`json
-{
-  "mcpServers": {
-    "${projectName}": {
-      "command": "npx",
-      "args": ["mcp-remote", "https://your-worker.workers.dev/sse"]
+// Function to execute command and capture output
+function exec(command, silent = false) {
+  try {
+    const output = execSync(command, { encoding: 'utf8', stdio: silent ? 'pipe' : 'inherit' });
+    return output?.trim();
+  } catch (error) {
+    if (!silent) {
+      console.error(\`❌ Command failed: \${command}\`);
+      console.error(error.message);
     }
+    return null;
   }
 }
-\`\`\`
-
-**Note:** Use the \`/sse\` endpoint for Claude Desktop compatibility.
-
-Restart Claude Desktop and test: "Use the greet tool to say hello to Alice"
-
-## Adding Tools
-
-Create tools in \`src/tools/\`:
-
-\`\`\`typescript
-import { z } from "zod";
-
-export const myTool = {
-  name: "my_tool",
-  description: "Tool description",
-  inputSchema: z.object({
-    input: z.string().describe("Input parameter")
-  }),
-  handler: async ({ input }: { input: string }) => ({
-    content: [{ type: "text" as const, text: \`Result: \${input}\` }]
-  })
-};
-\`\`\`
-
-Register in \`src/index.ts\` init method:
 
-\`\`\`typescript
-this.server.tool(
-  myTool.name,
-  myTool.description,
-  myTool.inputSchema.shape,
-  myTool.handler
-);
-\`\`\`
-
-## Endpoints
-
-- \`/health\` - Health check
-- \`/sse\` - SSE transport for MCP
-- \`/mcp\` - Streamable HTTP transport for MCP
-- \`/oauth/callback\` - OAuth callback for delegation flows
-- \`/admin/clear-cache\` - Clear tool protection cache (requires API key)
-
-## Viewing Cryptographic Proofs
-
-Every tool call generates a cryptographic proof that's logged to the console:
-
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} dev
-\`\`\`
-
-When you call a tool, you'll see logs like:
-
-\`\`\`
-[MCP-I] Initialized with DID: did:web:localhost:agents:key-abc123
-[MCP-I Proof] {
-  tool: 'greet',
-  did: 'did:web:localhost:agents:key-abc123',
-  proofId: 'proof_1234567890_abcd',
-  signature: 'mNYP8x2k9FqV3...'
+// Function to extract namespace ID from wrangler output
+function extractNamespaceId(output) {
+  // Match patterns like: id = "abc123" or { id: "abc123" }
+  const match = output.match(/id\\s*[:=]\\s*"([^"]+)"/);
+  return match ? match[1] : null;
 }
-\`\`\`
-
-### Proof Archives (Optional)
-
-If you configured the \`PROOF_ARCHIVE\` KV namespace, proofs are also stored for querying:
-
-\`\`\`bash
-# List all proofs
-wrangler kv:key list --namespace-id=your_proof_kv_id
-
-# View a specific proof
-wrangler kv:key get "proof_1234567890_abcd" --namespace-id=your_proof_kv_id
-\`\`\`
-
-## Identity Management
-
-Your agent's cryptographic identity is stored in Durable Objects state. To view your agent's DID:
-
-1. Check the logs during \`init()\` - it prints the DID
-2. Or query the runtime: \`await mcpiRuntime.getIdentity()\`
-
-The identity includes:
-- \`did\`: Decentralized identifier (e.g., \`did:web:your-worker.workers.dev:agents:key-xyz\`)
-- \`publicKey\`: Ed25519 public key for signature verification
-- \`privateKey\`: Ed25519 private key (secured in Durable Object state)
-
-## AgentShield Integration
-
-This project is configured to send cryptographic proofs to AgentShield for audit trails and compliance monitoring.
-
-### Setup
 
-1. **Get your AgentShield API key**:
-   - Sign up at https://kya.vouched.id
-   - Create a project
-   - Copy your API key from the dashboard
-
-2. **Update \`wrangler.toml\`**:
-   \`\`\`toml
-   [vars]
-   AGENTSHIELD_API_URL = "https://kya.vouched.id"
-   AGENTSHIELD_API_KEY = "sk_your_actual_key_here"  # ← Replace this
-   MCPI_ENV = "development"
-   \`\`\`
-
-3. **Test proof submission**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} dev
-   \`\`\`
-
-   Call a tool and check the logs:
-   \`\`\`
-   [AgentShield] Submitting proof: { did: 'did:web:...', sessionId: '...', jwsFormat: 'valid (3 parts)' }
-   [AgentShield] ✅ Proofs accepted: 1
-   \`\`\`
-
-4. **View proofs in dashboard**:
-   - Go to https://kya.vouched.id/dashboard
-   - Select your project
-   - Click "Interactions" tab
-   - See your proofs in real-time
-
-### Configuration
-
-The AgentShield integration is configured in \`src/mcpi-runtime-config.ts\`. You can customize:
-- Proof batch size (\`maxBatchSize\`)
-- Flush interval (\`flushIntervalMs\`)
-- Retry policy (\`maxRetries\`)
-- Tool protection rules (\`toolProtections\`)
-
-### Dashboard-Controlled Tool Protection (Advanced)
-
-🆕 **NEW**: Control which tools require user delegation directly from the AgentShield dashboard - no code changes needed!
-
-Instead of hardcoding \`requiresDelegation\` in your config, enable dynamic tool protection:
-
-1. **Create Tool Protection KV namespace**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection
-   \`\`\`
-
-2. **Uncomment TOOL_PROTECTION_KV in \`wrangler.toml\`**:
-   \`\`\`toml
-   [[kv_namespaces]]
-   binding = "TOOL_PROTECTION_KV"
-   id = "your_tool_protection_kv_id"  # ← Add the ID from step 1
-   \`\`\`
-
-3. **Enable Tool Protection Service in \`src/mcpi-runtime-config.ts\`**:
-   - Uncomment the import: \`import { CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";\`
-   - Uncomment the \`toolProtectionService\` configuration block
-
-4. **Deploy and test**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} deploy
-   \`\`\`
-
-5. **Control delegation from dashboard**:
-   - Go to https://kya.vouched.id/dashboard
-   - Select your project → "Tools" tab
-   - Toggle "Require Delegation" for any tool
-   - Changes apply in real-time (5-minute cache)
-
-**Benefits:**
-- Update tool permissions without redeploying
-- Test delegation flows instantly
-- Different requirements per environment (dev vs prod)
-- Automatic tool discovery from proof submissions
-
-**Note:** The first time a tool is called, it auto-discovers in the dashboard. The \`requiresDelegation\` toggle will appear after the first proof is submitted.
-
-### Disable AgentShield (Optional)
-
-If you don't want to use AgentShield, edit \`src/mcpi-runtime-config.ts\`:
-
-\`\`\`typescript
-proofing: {
-  enabled: false,  // Disable proof submission
-  // ...
+// Function to update wrangler.toml with namespace ID
+function updateWranglerToml(binding, namespaceId) {
+  const wranglerPath = path.join(__dirname, '..', 'wrangler.toml');
+  let content = fs.readFileSync(wranglerPath, 'utf8');
+  
+  // Find the binding section and update the ID
+  const bindingPattern = new RegExp(\`binding\\\\s*=\\\\s*"\${binding}"[^\\\\[]*id\\\\s*=\\\\s*"[^"]*"\`, 's');
+  content = content.replace(bindingPattern, (match) => {
+    return match.replace(/id\\s*=\\s*"[^"]*"/, \`id = "\${namespaceId}"\`);
+  });
+  
+  fs.writeFileSync(wranglerPath, content);
+  console.log(\`✅ Updated wrangler.toml with \${binding} namespace ID: \${namespaceId}\`);
 }
-\`\`\`
-
-Or simply don't configure the \`AGENTSHIELD_API_KEY\` environment variable.
 
-## References
+// Create KV namespaces
+const namespaces = [
+  { binding: \`\${projectNameUpper}_NONCE_CACHE\`, name: 'NONCE_CACHE', description: 'Nonce cache for replay attack prevention' },
+  { binding: \`\${projectNameUpper}_PROOF_ARCHIVE\`, name: 'PROOF_ARCHIVE', description: 'Proof archive for auditability' },
+  { binding: \`\${projectNameUpper}_IDENTITY_STORAGE\`, name: 'IDENTITY_STORAGE', description: 'Identity storage for persistent agent identity' },
+  { binding: \`\${projectNameUpper}_DELEGATION_STORAGE\`, name: 'DELEGATION_STORAGE', description: 'Delegation storage for OAuth flows' },
+  { binding: \`\${projectNameUpper}_TOOL_PROTECTION_KV\`, name: 'TOOL_PROTECTION_KV', description: 'Tool protection configuration cache' },
+];
+
+console.log('📦 Creating KV namespaces...');
+console.log('');
+
+for (const ns of namespaces) {
+  console.log(\`Creating \${ns.name} (\${ns.description})...\`);
+  
+  // Try to create the namespace
+  const output = exec(\`wrangler kv:namespace create \${ns.binding}\`, true);
+  
+  if (output) {
+    const namespaceId = extractNamespaceId(output);
+    if (namespaceId) {
+      updateWranglerToml(ns.binding, namespaceId);
+    } else {
+      console.log(\`⚠️  Could not extract namespace ID for \${ns.binding}. You may need to update wrangler.toml manually.\`);
+      console.log(\`   Output: \${output}\`);
+    }
+  } else {
+    // Namespace might already exist, try to list and find it
+    console.log(\`   Checking if namespace already exists...\`);
+    const listOutput = exec(\`wrangler kv:namespace list\`, true);
+    if (listOutput && listOutput.includes(ns.binding)) {
+      console.log(\`   ✓ Namespace \${ns.binding} already exists\`);
+    } else {
+      console.log(\`   ⚠️  Could not create or find namespace \${ns.binding}. You may need to create it manually.\`);
+    }
+  }
+}
 
-- [Cloudflare Agents MCP](https://developers.cloudflare.com/agents/model-context-protocol/)
-- [MCP Specification](https://spec.modelcontextprotocol.io/)
-- [MCP-I Documentation](https://github.com/kya-os/xmcp-i)
+console.log('');
+console.log('✨ Setup complete!');
+console.log('');
+console.log('Next steps:');
+console.log('1. Review wrangler.toml to ensure all namespace IDs are populated');
+console.log('2. Run "npm run dev" to start the development server');
+console.log('3. Run "npm run deploy" to deploy to Cloudflare Workers');
+console.log('');
+console.log('For production deployment:');
+console.log('  wrangler secret put MCP_IDENTITY_PRIVATE_KEY');
+console.log('  wrangler secret put AGENTSHIELD_API_KEY');
+console.log('  wrangler secret put ADMIN_API_KEY');
+`;
+    await fs.writeFile(path.join(targetDir, "scripts/setup.js"), setupJs);
+    await fs.chmod(path.join(targetDir, "scripts/setup.js"), '755');
+    // 11. Create tsconfig.json
+    const tsConfig = {
+        compilerOptions: {
+            target: "esnext",
+            module: "esnext",
+            moduleResolution: "bundler",
+            types: ["@cloudflare/workers-types", "vitest/globals"],
+            strict: true,
+            skipLibCheck: true,
+            noEmit: true,
+        },
+        include: ["src/**/*"],
+        exclude: ["node_modules"],
+    };
+    await fs.writeJson(path.join(targetDir, "tsconfig.json"), tsConfig, {
+        spaces: 2,
+    });
+    // 12. Create .gitignore
+    const gitignore = `node_modules
+dist
+.wrangler
+.dev.vars
 `;
-        fs.writeFileSync(path.join(projectPath, "README.md"), readmeContent);
+    await fs.writeFile(path.join(targetDir, ".gitignore"), gitignore);
+    console.log(chalk.green("✔ Created Cloudflare MCP-I template files"));
+    console.log(chalk.gray("  - Generated identity keys in .dev.vars"));
+    console.log(chalk.gray("  - Configured wrangler.toml with KV namespaces"));
+    console.log(chalk.gray("  - Created modular tool structure"));
+    console.log(chalk.gray("  - Created setup script for KV namespace creation"));
+    // 13. Run npm install first
+    console.log(chalk.blue("\n📦 Installing dependencies..."));
+    await runCommand(packageManager, ["install"], targetDir);
+    // 14. Run setup script to create KV namespaces
+    console.log(chalk.blue("\n🔧 Running setup script to create KV namespaces..."));
+    try {
+        await runCommand("node", ["scripts/setup.js"], targetDir);
     }
     catch (error) {
-        console.error(chalk.red("Failed to set up Cloudflare Worker MCP server:"), error);
-        throw error;
+        console.log(chalk.yellow("\n⚠️  Setup script encountered issues. You may need to:"));
+        console.log(chalk.yellow("   1. Make sure you're logged in to Cloudflare: wrangler login"));
+        console.log(chalk.yellow("   2. Run 'npm run setup' manually after logging in"));
     }
 }
+function toPascalCase(str) {
+    return str
+        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word, index) => {
+        return word.toUpperCase();
+    })
+        .replace(/\s+/g, "")
+        .replace(/-/g, "");
+}
+function generateAdminApiKey() {
+    // Generate a secure random API key
+    return Buffer.from(crypto.randomBytes(32)).toString('base64');
+}
+function runCommand(command, args, cwd) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(command, args, {
+            cwd,
+            stdio: 'inherit',
+            shell: process.platform === 'win32'
+        });
+        child.on('error', reject);
+        child.on('exit', (code) => {
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                reject(new Error(`Command failed with exit code ${code}`));
+            }
+        });
+    });
+}
 //# sourceMappingURL=fetch-cloudflare-mcpi-template.js.map