@kya-os/create-mcpi-app 1.8.13 → 1.8.15-canary.0

package/dist/helpers/fetch-cloudflare-mcpi-template.js

@@ -1,140 +1,616 @@
 import fs from "fs-extra";
 import path from "path";
 import chalk from "chalk";
-import { spawn } from "child_process";
-import crypto from "crypto";
 import { generateIdentity } from "./generate-identity.js";
 /**
- * Fetches the Cloudflare MCP-I template
- *
- * Generates a complete project structure:
- * - package.json with all scripts
- * - wrangler.toml with all KV namespaces configured
- * - .dev.vars with all secrets
- * - src/index.ts
- * - src/agent.ts
- * - src/tools/greet.ts
- * - src/mcpi-runtime-config.ts
- * - scripts/setup.js for KV namespace creation and key regeneration
- * - Automatically runs setup to create KV namespaces
+ * Scaffold Cloudflare Worker MCP server
+ * Uses McpAgent from agents/mcp for MCP protocol support
  */
-export async function fetchCloudflareMcpiTemplate(targetDir, options) {
-    // Handle legacy string argument (projectName) for backward compatibility
-    const opts = typeof options === "string"
-        ? { packageManager: "npm", projectName: options }
-        : options;
-    // Extract project name from path if not provided
-    let projectName = opts.projectName;
-    if (!projectName) {
-        const pathParts = targetDir.split(path.sep);
-        projectName = pathParts[pathParts.length - 1] || "worker";
+export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
+    const { packageManager = "npm", projectName = path.basename(projectPath), apikey, projectId, skipIdentity = false, } = options;
+    // Sanitize project name for class names
+    let className = projectName
+        .replace(/[^a-zA-Z0-9]/g, "")
+        .replace(/^[0-9]/, "_$&");
+    // Fallback to prevent empty class names
+    if (!className || className.length === 0) {
+        className = "Project";
+    }
+    const pascalClassName = className.charAt(0).toUpperCase() + className.slice(1);
+    // Sanitize project name for wrangler.toml (alphanumeric, lowercase, dashes only)
+    let wranglerName = projectName
+        .toLowerCase()
+        .replace(/[^a-z0-9-]/g, "-") // Replace invalid chars with dashes
+        .replace(/-+/g, "-") // Replace multiple dashes with single dash
+        .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
+    // Fallback to prevent empty wrangler names
+    if (!wranglerName || wranglerName.length === 0) {
+        wranglerName = "worker";
     }
-    const { apikey, projectId, packageManager, skipCommands } = opts;
-    const projectNameUpper = projectName.toUpperCase().replace(/-/g, "_");
-    // Centralized KV binding names (matches env-mapper.ts for consistency)
-    const KV_BINDING_NAMES = [
-        "NONCE_CACHE",
-        "PROOF_ARCHIVE",
-        "IDENTITY_STORAGE",
-        "DELEGATION_STORAGE",
-        "TOOL_PROTECTION_KV",
-    ];
-    console.log(chalk.blue(`\n🏗️  Generating Cloudflare MCP-I project: ${projectName}...`));
-    // 1. Create directory structure
-    await fs.ensureDir(path.join(targetDir, "src"));
-    await fs.ensureDir(path.join(targetDir, "src/tools"));
-    await fs.ensureDir(path.join(targetDir, "scripts"));
-    // 2. Generate Identity (Keys & DID)
-    let identity;
-    if (opts.skipIdentity) {
-        // Use a mock identity when skipping generation
-        identity = {
-            did: "did:key:zTestMockIdentity",
-            kid: "did:key:zTestMockIdentity#key-1",
-            privateKey: "mock-private-key",
-            publicKey: "mock-public-key",
-            createdAt: new Date().toISOString(),
-            type: "development",
+    try {
+        console.log(chalk.blue("📦 Setting up Cloudflare Worker MCP server..."));
+        // Create package.json
+        const packageJson = {
+            name: projectName,
+            version: "0.1.0",
+            private: true,
+            scripts: {
+                setup: "node scripts/setup.js",
+                postinstall: "npm run setup",
+                deploy: "wrangler deploy",
+                dev: "wrangler dev",
+                start: "wrangler dev",
+                "kv:create": "npm run kv:create-nonce && npm run kv:create-proof && npm run kv:create-identity && npm run kv:create-delegation && npm run kv:create-tool-protection",
+                "kv:create-nonce": `wrangler kv namespace create ${className.toUpperCase()}_NONCE_CACHE`,
+                "kv:create-proof": `wrangler kv namespace create ${className.toUpperCase()}_PROOF_ARCHIVE`,
+                "kv:create-identity": `wrangler kv namespace create ${className.toUpperCase()}_IDENTITY_STORAGE`,
+                "kv:create-delegation": `wrangler kv namespace create ${className.toUpperCase()}_DELEGATION_STORAGE`,
+                "kv:create-tool-protection": `wrangler kv namespace create ${className.toUpperCase()}_TOOL_PROTECTION_KV`,
+                "kv:list": "wrangler kv namespace list | grep -E '(NONCE|PROOF|IDENTITY|DELEGATION|TOOL_PROTECTION|MCPI)' || wrangler kv namespace list",
+                "kv:keys-nonce": `wrangler kv key list --binding=${className.toUpperCase()}_NONCE_CACHE`,
+                "kv:keys-proof": `wrangler kv key list --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
+                "kv:keys-identity": `wrangler kv key list --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
+                "kv:keys-delegation": `wrangler kv key list --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
+                "kv:keys-tool-protection": `wrangler kv key list --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
+                "kv:delete-nonce": `wrangler kv namespace delete --binding=${className.toUpperCase()}_NONCE_CACHE`,
+                "kv:delete-proof": `wrangler kv namespace delete --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
+                "kv:delete-identity": `wrangler kv namespace delete --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
+                "kv:delete-delegation": `wrangler kv namespace delete --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
+                "kv:delete-tool-protection": `wrangler kv namespace delete --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
+                "kv:delete": "npm run kv:delete-nonce && npm run kv:delete-proof && npm run kv:delete-identity && npm run kv:delete-delegation && npm run kv:delete-tool-protection",
+                "kv:reset": "npm run kv:delete && npm run kv:create",
+                "kv:setup": "echo 'KV Commands: kv:create (create all), kv:list (list all), kv:keys-* (view keys), kv:delete (delete all), kv:reset (delete+recreate)'",
+                "cf-typegen": "wrangler types",
+                "type-check": "tsc --noEmit",
+                test: "vitest",
+                "test:watch": "vitest --watch",
+                "test:coverage": "vitest run --coverage",
+            },
+            dependencies: {
+                "@kya-os/contracts": "^1.5.2-canary.5",
+                "@kya-os/mcp-i-cloudflare": "1.5.1-canary.5",
+                "@modelcontextprotocol/sdk": "^1.19.1",
+                agents: "^0.2.21", // Use latest version - constructor now only accepts 2 parameters
+                hono: "^4.9.10",
+                zod: "^3.25.76",
+            },
+            devDependencies: {
+                "@cloudflare/workers-types": "^4.20251109.0",
+                "@kya-os/create-mcpi-app": "^1.7.23",
+                "@vitest/coverage-v8": "^3.2.4",
+                miniflare: "^3.0.0",
+                typescript: "^5.6.2",
+                vitest: "^3.2.4",
+                wrangler: "^4.42.2",
+            },
         };
+        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
+        fs.writeJsonSync(path.join(projectPath, "package.json"), packageJson, {
+            spaces: 2,
+        });
+        // Create src directory and tools
+        const srcDir = path.join(projectPath, "src");
+        const toolsDir = path.join(srcDir, "tools");
+        fs.ensureDirSync(toolsDir);
+        // Create scripts directory
+        const scriptsDir = path.join(projectPath, "scripts");
+        fs.ensureDirSync(scriptsDir);
+        // Create setup.js automation script
+        const setupScriptContent = `#!/usr/bin/env node
+
+/**
+ * Automated Setup Script for ${projectName}
+ *
+ * This script automates the tedious process of:
+ * 1. Checking/installing wrangler
+ * 2. Creating KV namespaces
+ * 3. Extracting namespace IDs
+ * 4. Updating wrangler.toml automatically
+ * 5. Setting up local development environment
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+
+const rl = readline.createInterface({
+  input: process.stdin,
+  output: process.stdout
+});
+
+// Colors for terminal output
+const colors = {
+  reset: '\\x1b[0m',
+  bright: '\\x1b[1m',
+  green: '\\x1b[32m',
+  yellow: '\\x1b[33m',
+  blue: '\\x1b[36m',
+  red: '\\x1b[31m'
+};
+
+function log(message, color = colors.reset) {
+  console.log(color + message + colors.reset);
+}
+
+function skipToPostKVSetup() {
+  // Skip KV creation but continue with other setup steps
+  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
+  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
+
+  // Create .dev.vars from example if it doesn't exist
+  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
+    log('\\n📋 Creating .dev.vars from example...', colors.blue);
+    fs.copyFileSync(devVarsExamplePath, devVarsPath);
+    log('✅ Created .dev.vars - Please update with your values', colors.green);
+  }
+
+  // Check if identity needs to be generated
+  if (fs.existsSync(devVarsPath)) {
+    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
+    if (devVarsContent.includes('your-private-key-here')) {
+      log('\\n🔑 Generating agent identity...', colors.blue);
+      try {
+        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
+        log('✅ Identity generated successfully', colors.green);
+      } catch {
+        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
+      }
+    }
+  }
+
+  // Show modified next steps
+  log('\\n✨ Setup partially complete! Next steps:\\n', colors.bright + colors.green);
+  log('1. Set your Cloudflare account ID (required for KV namespaces):', colors.blue);
+  log('   export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
+  log('   OR add to wrangler.toml: account_id = "your-account-id"\\n', colors.reset);
+  log('2. Create KV namespaces: npm run kv:create', colors.blue);
+  log('3. Review .dev.vars and add any missing values', colors.blue);
+  log('4. Start development server: npm run dev', colors.blue);
+  log('5. Deploy to production: npm run deploy', colors.blue);
+  log('\\nUseful commands:', colors.bright);
+  log('  npm run dev                    - Start local development server');
+  log('  npm run deploy                 - Deploy to Cloudflare Workers');
+  log('  npm run kv:list                - List all KV namespaces');
+  log('  wrangler secret put <KEY>      - Set production secrets');
+  log('\\nFor more information, see the README.md file.\\n');
+
+  rl.close();
+}
+
+async function setup() {
+  log('\\n🚀 Starting automated setup for ${projectName}...\\n', colors.bright + colors.blue);
+
+  // 1. Check wrangler installation
+  try {
+    const wranglerVersion = execSync('wrangler --version', { encoding: 'utf-8' });
+    log('✅ Wrangler CLI detected: ' + wranglerVersion.trim(), colors.green);
+  } catch {
+    log('📦 Wrangler CLI not found. Installing...', colors.yellow);
+    try {
+      execSync('npm install -g wrangler', { stdio: 'inherit' });
+      log('✅ Wrangler CLI installed successfully', colors.green);
+    } catch (error) {
+      log('❌ Failed to install Wrangler. Please install manually: npm install -g wrangler', colors.red);
+      process.exit(1);
+    }
+  }
+
+  // 2. Check if user is logged in to Cloudflare
+  try {
+    execSync('wrangler whoami', { encoding: 'utf-8' });
+    log('✅ Logged in to Cloudflare', colors.green);
+  } catch {
+    log('🔑 Please log in to Cloudflare:', colors.yellow);
+    try {
+      execSync('wrangler login', { stdio: 'inherit' });
+    } catch (error) {
+      log('❌ Login failed. Please run: wrangler login', colors.red);
+      process.exit(1);
     }
-    else {
-        console.log(chalk.blue("🔑 Generating cryptographic identity..."));
-        identity = await generateIdentity();
+  }
+
+  // 2.5. Set up wrangler.toml path for later use
+  const wranglerTomlPath = path.join(__dirname, '..', 'wrangler.toml');
+  let wranglerContent = '';
+
+  try {
+    wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
+  } catch (error) {
+    log('⚠️  Could not read wrangler.toml', colors.yellow);
+  }
+
+  // 3. Create KV namespaces
+  log('\\n📚 Creating KV namespaces...\\n', colors.bright);
+
+  const namespaces = [
+    { binding: '${className.toUpperCase()}_NONCE_CACHE', name: 'Nonce Cache', purpose: 'Replay attack prevention' },
+    { binding: '${className.toUpperCase()}_PROOF_ARCHIVE', name: 'Proof Archive', purpose: 'Cryptographic proof storage' },
+    { binding: '${className.toUpperCase()}_IDENTITY_STORAGE', name: 'Identity Storage', purpose: 'Agent identity persistence' },
+    { binding: '${className.toUpperCase()}_DELEGATION_STORAGE', name: 'Delegation Storage', purpose: 'OAuth token storage' },
+    { binding: '${className.toUpperCase()}_TOOL_PROTECTION_KV', name: 'Tool Protection', purpose: 'Permission caching' }
+  ];
+
+  const kvIds = {};
+  let multipleAccountsDetected = false;
+
+  for (const ns of namespaces) {
+    // If we already detected multiple accounts, skip remaining namespaces
+    if (multipleAccountsDetected) {
+      break;
     }
-    // 3. Create package.json with all scripts
-    const packageJson = {
-        name: projectName,
-        version: "0.1.0",
-        private: true,
-        scripts: {
-            deploy: "wrangler deploy",
-            dev: "wrangler dev",
-            start: "wrangler dev",
-            test: "vitest",
-            "cf-typegen": "wrangler types",
-            setup: "node scripts/setup.js",
-            "kv:create-nonce": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[0]}`,
-            "kv:create-proof": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[1]}`,
-            "kv:create-identity": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[2]}`,
-            "kv:create-delegation": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[3]}`,
-            "kv:create-tool-protection": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[4]}`,
-        },
-        dependencies: {
-            "@kya-os/mcp-i-cloudflare": "1.6.13",
-            "@modelcontextprotocol/sdk": "1.22.0",
-            agents: "0.2.21",
-            hono: "4.6.3",
-        },
-        devDependencies: {
-            "@cloudflare/vitest-pool-workers": "0.5.2",
-            "@cloudflare/workers-types": "4.20240925.0",
-            "@types/node": "20.8.3",
-            typescript: "5.5.2",
-            vitest: "2.0.5",
-            wrangler: "3.78.12",
-        },
+
+    log(\`Creating \${ns.name} (\${ns.purpose})...\`, colors.blue);
+
+    // First, check if namespace already exists
+    let existingNamespace = null;
+    try {
+      const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+      
+      try {
+        const allNamespaces = JSON.parse(listOutput);
+        existingNamespace = allNamespaces.find(n => n.title === ns.binding);
+      } catch (parseError) {
+        // Fallback to regex if JSON parsing fails
+        const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
+        if (existingMatch && existingMatch[1]) {
+          existingNamespace = { id: existingMatch[1], title: ns.binding };
+        }
+      }
+    } catch (listError) {
+      // If we can't list namespaces, continue to try creating
+    }
+
+    if (existingNamespace && existingNamespace.id) {
+      kvIds[ns.binding] = existingNamespace.id;
+      log(\`  ✅ Using existing namespace with ID: \${existingNamespace.id}\`, colors.green);
+      continue;
+    }
+
+    // Namespace doesn't exist, try to create it
+    try {
+      // Suppress stderr to avoid noisy error messages
+      const output = execSync(\`wrangler kv namespace create "\${ns.binding}"\`, { 
+        encoding: 'utf-8', 
+        stdio: ['pipe', 'pipe', 'pipe'] 
+      });
+
+      // Extract the ID from output
+      const idMatch = output.match(/id = "([^"]+)"/);
+
+      if (idMatch && idMatch[1]) {
+        kvIds[ns.binding] = idMatch[1];
+        log(\`  ✅ Created with ID: \${idMatch[1]}\`, colors.green);
+      } else {
+        log(\`  ⚠️  Created but could not extract ID. Checking existing namespaces...\`, colors.yellow);
+        // Fallback: try to find it in the list
+        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+        try {
+          const allNamespaces = JSON.parse(listOutput);
+          const found = allNamespaces.find(n => n.title === ns.binding);
+          if (found && found.id) {
+            kvIds[ns.binding] = found.id;
+            log(\`  ✅ Found ID: \${found.id}\`, colors.green);
+          }
+        } catch {
+          // Ignore parse errors
+        }
+      }
+    } catch (error) {
+      const errorMessage = error.message || error.toString();
+      const errorOutput = error.stdout || error.stderr || '';
+
+      // Check if this is a multiple accounts error
+      if (errorMessage.includes('More than one account') || errorMessage.includes('multiple accounts') || errorOutput.includes('More than one account')) {
+        multipleAccountsDetected = true;
+        log('\\n⚠️  Multiple Cloudflare accounts detected!\\n', colors.yellow);
+        log('Wrangler cannot automatically select an account in non-interactive mode.\\n', colors.yellow);
+        log('To fix this, choose one of these options:\\n', colors.bright);
+        log('Option 1: Set environment variable (recommended):', colors.blue);
+        log('  export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
+        log('  npm run setup\\n', colors.reset);
+        log('Option 2: Add to wrangler.toml (permanent):', colors.blue);
+        log('  Edit wrangler.toml and add:', colors.reset);
+        log('  account_id = "your-account-id"\\n', colors.reset);
+        log('Find your account IDs in the error above or run:', colors.blue);
+        log('  wrangler whoami\\n', colors.reset);
+        log('⏭️  Skipping remaining KV namespace creation.', colors.yellow);
+        log('After setting account_id, run: npm run setup\\n', colors.yellow);
+        break;
+      }
+
+      // Check if namespace already exists (common case - suppress noisy error)
+      if (errorMessage.includes('already exists') || errorOutput.includes('already exists') || errorOutput.includes('code: 10014')) {
+        // Try to get the existing namespace ID
+        try {
+          const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+          
+          try {
+            const allNamespaces = JSON.parse(listOutput);
+            const found = allNamespaces.find(n => n.title === ns.binding);
+            
+            if (found && found.id) {
+              kvIds[ns.binding] = found.id;
+              log(\`  ✅ Using existing namespace with ID: \${found.id}\`, colors.green);
+            } else {
+              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
+            }
+          } catch (parseError) {
+            // Fallback to regex
+            const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
+            if (existingMatch && existingMatch[1]) {
+              kvIds[ns.binding] = existingMatch[1];
+              log(\`  ✅ Using existing namespace with ID: \${existingMatch[1]}\`, colors.green);
+            } else {
+              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
+            }
+          }
+        } catch (listError) {
+          log(\`  ⚠️  Namespace may already exist. Run 'wrangler kv namespace list' to verify.\`, colors.yellow);
+        }
+      } else {
+        // Some other error occurred
+        log(\`  ❌ Failed to create \${ns.binding}\`, colors.red);
+        log(\`     Error: \${errorMessage}\`, colors.red);
+      }
+    }
+  }
+
+  // If multiple accounts detected, skip to post-KV setup
+  if (multipleAccountsDetected) {
+    return skipToPostKVSetup();
+  }
+
+  // 4. Update wrangler.toml with KV IDs
+  if (Object.keys(kvIds).length > 0) {
+    log('\\n📝 Updating wrangler.toml with KV namespace IDs...\\n', colors.bright);
+
+    try {
+      wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
+      let updatedCount = 0;
+
+      for (const [binding, id] of Object.entries(kvIds)) {
+        // Match pattern: binding = "BINDING_NAME"\\nid = "anything" (including placeholders)
+        const pattern = new RegExp(\`(binding = "\${binding}")\\\\s*\\\\nid = "[^"]*"\`, 'g');
+        const replacement = \`$1\\nid = "\${id}"\`;
+
+        const newContent = wranglerContent.replace(pattern, replacement);
+        if (newContent !== wranglerContent) {
+          updatedCount++;
+          log(\`  ✅ Updated \${binding} with ID: \${id}\`, colors.green);
+        }
+        wranglerContent = newContent;
+      }
+
+      fs.writeFileSync(wranglerTomlPath, wranglerContent);
+      log(\`\\n✅ Updated \${updatedCount} namespace ID(s) in wrangler.toml\`, colors.green);
+
+      // Show remaining placeholder IDs if any
+      const placeholderMatches = wranglerContent.match(/binding = "[^"]+"\\s*\\nid = "your_[^"]+"/g);
+      if (placeholderMatches) {
+        log('\\n⚠️  Some namespace IDs still have placeholders:', colors.yellow);
+        placeholderMatches.forEach(match => {
+          const bindingMatch = match.match(/binding = "([^"]+)"/);
+          if (bindingMatch) {
+            log(\`  - \${bindingMatch[1]}\`, colors.yellow);
+          }
+        });
+      }
+    } catch (error) {
+      log(\`❌ Failed to update wrangler.toml: \${error.message}\`, colors.red);
+    }
+  }
+
+  // 5. Create .dev.vars from example if it doesn't exist
+  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
+  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
+
+  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
+    log('\\n📋 Creating .dev.vars from example...', colors.blue);
+    fs.copyFileSync(devVarsExamplePath, devVarsPath);
+    log('✅ Created .dev.vars - Please update with your values', colors.green);
+  }
+
+  // 6. Check if identity needs to be generated
+  if (fs.existsSync(devVarsPath)) {
+    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
+    if (devVarsContent.includes('your-private-key-here')) {
+      log('\\n🔑 Generating agent identity...', colors.blue);
+      try {
+        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
+        log('✅ Identity generated successfully', colors.green);
+      } catch {
+        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
+      }
+    }
+  }
+
+  // 7. Show next steps
+  log('\\n✨ Setup complete! Next steps:\\n', colors.bright + colors.green);
+  log('1. Review .dev.vars and add any missing values (AgentShield API key, etc.)', colors.blue);
+  log('2. Start development server: npm run dev', colors.blue);
+  log('3. Deploy to production: npm run deploy', colors.blue);
+  log('\\nUseful commands:', colors.bright);
+  log('  npm run dev                    - Start local development server');
+  log('  npm run deploy                 - Deploy to Cloudflare Workers');
+  log('  npm run kv:list                - List all KV namespaces');
+  log('  wrangler secret put <KEY>      - Set production secrets');
+  log('\\nFor more information, see the README.md file.\\n');
+
+  rl.close();
+}
+
+// Handle errors gracefully
+process.on('unhandledRejection', (error) => {
+  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
+  process.exit(1);
+});
+
+// Run the setup
+setup().catch((error) => {
+  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
+  process.exit(1);
+});
+`;
+        fs.writeFileSync(path.join(scriptsDir, "setup.js"), setupScriptContent);
+        // Make setup script executable
+        if (process.platform !== "win32") {
+            fs.chmodSync(path.join(scriptsDir, "setup.js"), "755");
+        }
+        // Note: Tests directory is not created by default
+        // Users can add their own tests as needed
+        // Create greet tool
+        const greetToolContent = `import { z } from "zod";
+
+/**
+ * Greet Tool - Example MCP tool with AgentShield integration
+ *
+ * This tool demonstrates proper scopeId configuration for tool auto-discovery.
+ *
+ * Configure the corresponding scope in mcpi-runtime-config.ts:
+ * \`\`\`typescript
+ * toolProtections: {
+ *   greet: {
+ *     requiresDelegation: false,
+ *     requiredScopes: ["greet:execute"],  // ← This becomes the scopeId in proofs
+ *   }
+ * }
+ * \`\`\`
+ *
+ * The scopeId format is "toolName:action":
+ * - Tool name: "greet" (extracted before the ":")
+ * - Action: "execute" (extracted after the ":")
+ * - Risk level: Auto-determined from action keyword (execute = high)
+ *
+ * Other scopeId examples:
+ * - "files:read" → Medium risk
+ * - "files:write" → High risk
+ * - "database:delete" → Critical risk
+ */
+export const greetTool = {
+  name: "greet",
+  description: "Greet a user by name",
+  inputSchema: z.object({
+    name: z.string().describe("The name of the user to greet")
+  }),
+  handler: async ({ name }: { name: string }) => {
+    return {
+      content: [
+        {
+          type: "text" as const,
+          text: \`Hello, \${name}! Welcome to your Cloudflare MCP server.\`
+        }
+      ]
     };
-    await fs.writeJson(path.join(targetDir, "package.json"), packageJson, {
-        spaces: 2,
-    });
-    // 4. Create .dev.vars with ALL secrets
-    // Generate OAuth encryption secret (32+ characters)
-    const oauthEncryptionSecret = crypto.randomBytes(32).toString("hex");
-    const devVarsContent = `# Secrets for local development
-# Generated by create-mcpi-app
-
-# Agent Identity (DO NOT COMMIT THIS FILE)
-MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
+  }
+};
+`;
+        fs.writeFileSync(path.join(toolsDir, "greet.ts"), greetToolContent);
+        // Create mcpi-runtime-config.ts for AgentShield integration
+        const runtimeConfigContent = `import type { CloudflareRuntimeConfig } from '@kya-os/mcp-i-cloudflare/config';
+import type { CloudflareEnv } from '@kya-os/mcp-i-cloudflare';
+import { defineConfig } from '@kya-os/mcp-i-cloudflare';
+
+/**
+ * Runtime configuration for MCP-I server
+ *
+ * This file configures runtime features like proof submission to AgentShield,
+ * delegation verification, and audit logging.
+ *
+ * Environment variables are automatically injected from wrangler.toml (Cloudflare)
+ * or .env (Node.js). Configure them there:
+ * - AGENTSHIELD_API_URL: AgentShield API base URL
+ * - AGENTSHIELD_API_KEY: Your AgentShield API key
+ * - AGENTSHIELD_PROJECT_ID: Your AgentShield project ID (optional but recommended)
+ * - MCPI_ENV: "development" or "production"
+ *
+ * Tool Protection:
+ * - Automatically enabled if AGENTSHIELD_API_KEY and TOOL_PROTECTION_KV are set
+ * - Fetches tool protection config from AgentShield API by project ID
+ * - Caches config for 5 minutes to minimize API calls
+ * - Falls back to local config if API is unavailable
+ * - Configure delegation requirements in AgentShield dashboard
+ */
+export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
+  return defineConfig({
+    // Only specify overrides - defaults are handled automatically
+    vars: {
+      ENVIRONMENT: env.ENVIRONMENT || env.MCPI_ENV || 'development',
+      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
+      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
+    },
+    // Tool protection is automatically enabled by defineConfig if AGENTSHIELD_API_KEY is present
+    // You can override by explicitly setting toolProtection here
+    // Optional: Enable admin endpoints
+    admin: {
+      enabled: false,  // Set to true and provide ADMIN_API_KEY to enable
+      apiKey: env.ADMIN_API_KEY,
+    },
+  });
+}
+`;
+        fs.writeFileSync(path.join(srcDir, "mcpi-runtime-config.ts"), runtimeConfigContent);
+        // Create main index.ts using MCPICloudflareServer
+        const indexContent = `import { MCPICloudflareAgent, createMCPIApp, type PrefixedCloudflareEnv } from "@kya-os/mcp-i-cloudflare";
+import { greetTool } from "./tools/greet";
+import { getRuntimeConfig } from "./mcpi-runtime-config";
 
-# OAuth Encryption Secret (required for OAuth/delegation flows)
-# Used to encrypt OAuth state parameters for secure token exchange
-OAUTH_ENCRYPTION_SECRET="${oauthEncryptionSecret}"
+/**
+ * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
+ */
+interface MyPrefixedCloudflareEnv extends PrefixedCloudflareEnv {
+  ${className.toUpperCase()}_NONCE_CACHE?: KVNamespace;
+  ${className.toUpperCase()}_PROOF_ARCHIVE?: KVNamespace;
+  ${className.toUpperCase()}_IDENTITY_STORAGE?: KVNamespace;
+  ${className.toUpperCase()}_DELEGATION_STORAGE?: KVNamespace;
+  ${className.toUpperCase()}_TOOL_PROTECTION_KV?: KVNamespace;
+}
 
-# AgentShield Configuration
-${apikey ? `AGENTSHIELD_API_KEY="${apikey}"` : '# AGENTSHIELD_API_KEY="sk_YOUR_API_KEY_HERE"'}
+/**
+ * Your custom MCP agent - only define your tools here!
+ * All framework complexity (runtime initialization, proof generation, etc.) is handled automatically.
+ */
+export class ${pascalClassName}MCP extends MCPICloudflareAgent {
+  async registerTools() {
+    // Register your custom tools - proofs are generated automatically
+    this.server.tool(
+      greetTool.name,
+      greetTool.description,
+      greetTool.inputSchema.shape,
+      async (args: { name: string }) => {
+        return this.executeToolWithProof(
+          greetTool.name,
+          args,
+          greetTool.handler
+        );
+      }
+    );
+  }
+}
 
-# Admin API Key for cache management
-# Uses the same key as AGENTSHIELD_API_KEY for convenience
-# You can change this to a different key if you need separate admin access
-${apikey ? `ADMIN_API_KEY="${apikey}"` : '# ADMIN_API_KEY="sk_YOUR_ADMIN_KEY_HERE"'}
+// Create and export the app - all routing is handled automatically
+export default createMCPIApp({
+  AgentClass: ${pascalClassName}MCP,
+  agentName: "${projectName}",
+  agentVersion: "1.0.0",
+  envPrefix: "${className.toUpperCase()}",
+  getRuntimeConfig,
+});
 `;
-    await fs.writeFile(path.join(targetDir, ".dev.vars"), devVarsContent);
-    // 5. Create wrangler.toml with all KV namespaces (placeholders initially)
-    const wranglerToml = `#:schema node_modules/wrangler/config-schema.json
-name = "${projectName}"
+        fs.writeFileSync(path.join(srcDir, "index.ts"), indexContent);
+        const wranglerContent = `#:schema node_modules/wrangler/config-schema.json
+name = "${wranglerName}"
 main = "src/index.ts"
-compatibility_date = "2024-09-25"
+compatibility_date = "2025-06-18"
 compatibility_flags = ["nodejs_compat"]
 
-# Durable Object binding for MCP Agent state
 [[durable_objects.bindings]]
 name = "MCP_OBJECT"
-class_name = "${toPascalCase(projectName)}MCP"
+class_name = "${pascalClassName}MCP"
 
 [[migrations]]
 tag = "v1"
-# Use new_sqlite_classes instead of new_classes - required by agents package for SQL storage
-new_sqlite_classes = ["${toPascalCase(projectName)}MCP"]
+new_sqlite_classes = ["${pascalClassName}MCP"]
 
 # Cron trigger for proof batch queue flushing (OPTIONAL - CURRENTLY DISABLED)
 # 
@@ -163,8 +639,8 @@ new_sqlite_classes = ["${toPascalCase(projectName)}MCP"]
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-nonce
 [[kv_namespaces]]
-binding = "${projectNameUpper}_${KV_BINDING_NAMES[0]}"
-id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
+binding = "${className.toUpperCase()}_NONCE_CACHE"
+id = "your_nonce_kv_namespace_id"  # Auto-filled by setup script
 
 # KV Namespace for proof archive (RECOMMENDED for auditability)
 #
@@ -175,8 +651,8 @@ id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 #
 # Note: Comment out if you don't need proof archiving
 [[kv_namespaces]]
-binding = "${projectNameUpper}_${KV_BINDING_NAMES[1]}"
-id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
+binding = "${className.toUpperCase()}_PROOF_ARCHIVE"
+id = "your_proof_kv_namespace_id"  # Auto-filled by setup script
 
 # KV Namespace for identity storage (RECOMMENDED for persistent agent identity)
 #
@@ -185,8 +661,8 @@ id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-identity
 [[kv_namespaces]]
-binding = "${projectNameUpper}_${KV_BINDING_NAMES[2]}"
-id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
+binding = "${className.toUpperCase()}_IDENTITY_STORAGE"
+id = "your_identity_kv_namespace_id"  # Auto-filled by setup script
 
 # KV Namespace for delegation storage (REQUIRED for OAuth/delegation flows)
 #
@@ -195,10 +671,10 @@ id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-delegation
 [[kv_namespaces]]
-binding = "${projectNameUpper}_${KV_BINDING_NAMES[3]}"
-id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
+binding = "${className.toUpperCase()}_DELEGATION_STORAGE"
+id = "your_delegation_kv_namespace_id"  # Auto-filled by setup script
 
-# KV Namespace for tool protection config (ENABLED for dashboard-controlled delegation)
+# KV Namespace for tool protection config (${apikey ? "ENABLED" : "OPTIONAL"} for dashboard-controlled delegation)
 #
 # 🆕 Enables dynamic tool protection configuration from AgentShield dashboard
 # Caches which tools require user delegation based on dashboard toggle switches
@@ -216,559 +692,532 @@ id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 # Note: This namespace is REQUIRED when using AgentShield API key (--apikey)
 #       It will be automatically created by the setup script (npm run setup)
 [[kv_namespaces]]
-binding = "${projectNameUpper}_${KV_BINDING_NAMES[4]}"
-id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
+binding = "${className.toUpperCase()}_TOOL_PROTECTION_KV"
+id = "your_tool_protection_kv_id"  # Auto-filled by setup script
 
 [vars]
-# Agent DID (public identifier - safe to commit)
-MCP_IDENTITY_AGENT_DID = "${identity.did}"
-
-# Public identity key (safe to commit - not sensitive)
-MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
-
-# Private identity key (SECRET - NOT declared here)
-# For local development: Add to .dev.vars file
-# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-
-# ALLOWED_ORIGINS for CORS (update for production)
-ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
-
-# DO routing strategy: "session" for dev, "shard" for production high-load
-DO_ROUTING_STRATEGY = "session"
-DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
-
 XMCP_I_TS_SKEW_SEC = "120"
 XMCP_I_SESSION_TTL = "1800"
 
 # AgentShield Integration (https://kya.vouched.id)
 AGENTSHIELD_API_URL = "https://kya.vouched.id"
-
 # AGENTSHIELD_PROJECT_ID - Your project ID from AgentShield dashboard (e.g., "batman-txh0ae")
 #   Required for project-scoped tool protection configuration (recommended)
 #   Find it in your dashboard URL: https://kya.vouched.id/dashboard/projects/{PROJECT_ID}
 #   Or in your project settings
 #   This is not sensitive, so it's safe to keep a value here
-${projectId ? `AGENTSHIELD_PROJECT_ID = "${projectId}"` : '# AGENTSHIELD_PROJECT_ID = "your-project-id"'}
-
+AGENTSHIELD_PROJECT_ID = "${projectId || ""}"
 MCPI_ENV = "development"
 
 # Secrets (NOT declared here - see instructions below)
 # For local development: Add secrets to .dev.vars file
 # For production: Use wrangler secret put COMMAND_NAME
-#
-# Required secrets:
 #   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-#   $ wrangler secret put OAUTH_ENCRYPTION_SECRET  # Required for OAuth/delegation flows
-#
-# Optional secrets (recommended for production):
-#   $ wrangler secret put AGENTSHIELD_API_KEY  # For AgentShield integration
-#
-# Optional secrets (advanced):
-#   $ wrangler secret put ADMIN_API_KEY        # For cache management endpoints
-#                                              # Falls back to AGENTSHIELD_API_KEY if not set
-#
+#   $ wrangler secret put AGENTSHIELD_API_KEY
+#   $ wrangler secret put ADMIN_API_KEY
 # Note: .dev.vars is git-ignored and contains actual secret values for local dev
 
 # Optional: MCP Server URL for tool discovery and consent page generation
 # Uncomment to explicitly set your MCP server URL (auto-detected from request origin if not set)
 # IMPORTANT: Use base URL WITHOUT /mcp suffix (e.g., "https://your-worker.workers.dev")
 # The consent pages are at /consent, not /mcp/consent
-# MCP_SERVER_URL = "https://${projectName}.YOUR-SUBDOMAIN.workers.dev"
+# MCP_SERVER_URL = "https://your-worker.workers.dev"
 `;
-    await fs.writeFile(path.join(targetDir, "wrangler.toml"), wranglerToml);
-    // 6. Create src/index.ts (Entry Point)
-    const indexTs = `import { createMCPIApp } from "@kya-os/mcp-i-cloudflare";
-import { ${toPascalCase(projectName)}MCP } from "./agent";
-import { getRuntimeConfig } from "./mcpi-runtime-config";
+        fs.writeFileSync(path.join(projectPath, "wrangler.toml"), wranglerContent);
+        // Generate persistent identity for Cloudflare Worker
+        if (!skipIdentity) {
+            console.log(chalk.cyan("🔐 Generating persistent identity..."));
+            try {
+                const identity = await generateIdentity();
+                // Read existing wrangler.toml
+                const wranglerPath = path.join(projectPath, "wrangler.toml");
+                let wranglerTomlContent = fs.readFileSync(wranglerPath, "utf8");
+                // Find [vars] section and add identity environment variables
+                // Add ALL identity variables (empty values will be overridden by .dev.vars)
+                const varsMatch = wranglerTomlContent.match(/\[vars\]/);
+                if (varsMatch) {
+                    const insertPosition = varsMatch.index + varsMatch[0].length;
+                    const identityVars = `
+# Agent DID (public identifier - safe to commit)
+MCP_IDENTITY_AGENT_DID = "${identity.did}"
 
-export default createMCPIApp({
-  AgentClass: ${toPascalCase(projectName)}MCP,
-  getRuntimeConfig,
-  envPrefix: "${projectNameUpper}", // Maps prefixed KV bindings (e.g., ${projectNameUpper}_NONCE_CACHE) to standard names
-});
+# Public identity key (safe to commit - not sensitive)
+MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
 
-// Export Durable Object class for Cloudflare Workers binding
-export { ${toPascalCase(projectName)}MCP };
-`;
-    await fs.writeFile(path.join(targetDir, "src/index.ts"), indexTs);
-    // 7. Create src/agent.ts (Agent Class)
-    const agentTs = `import { MCPICloudflareAgent, type CloudflareEnv } from "@kya-os/mcp-i-cloudflare";
-import { getRuntimeConfig } from "./mcpi-runtime-config";
-import { getTools } from "./mcpi-runtime-config";
-import type { CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare";
+# Private identity key (SECRET - NOT declared here)
+# For local development: Add to .dev.vars file
+# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
 
-/**
- * MCP-I Agent Implementation
- * 
- * This class extends MCPICloudflareAgent and provides the agent-specific
- * configuration and tool registration. The Durable Object class (${toPascalCase(projectName)}MCP)
- * is exported separately for Cloudflare Workers bindings.
- */
-export class ${toPascalCase(projectName)}MCP extends MCPICloudflareAgent {
-  /**
-   * Get agent name
-   */
-  protected getAgentName(): string {
-    return "${projectName}";
-  }
+# ALLOWED_ORIGINS for CORS (update for production)
+ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
 
-  /**
-   * Get agent version
-   */
-  protected getAgentVersion(): string {
-    return "1.0.0";
-  }
+# DO routing strategy: "session" for dev, "shard" for production high-load
+DO_ROUTING_STRATEGY = "session"
+DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
 
-  /**
-   * Get environment prefix for KV bindings
-   * This allows the framework to map prefixed KV namespaces (e.g., ${projectNameUpper}_${KV_BINDING_NAMES[0]})
-   * to standard names (e.g., ${KV_BINDING_NAMES[0]}) automatically
-   */
-  protected getEnvPrefix(): string | undefined {
-    return "${projectNameUpper}";
-  }
+`;
+                    // Remove any secret declarations from [vars] (they should not be here)
+                    // Secrets go in .dev.vars for local dev, wrangler secret put for production
+                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*MCP_IDENTITY_PRIVATE_KEY\s*=.*$/gm, `# MCP_IDENTITY_PRIVATE_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
+                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*AGENTSHIELD_API_KEY\s*=.*$/gm, `# AGENTSHIELD_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
+                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*ADMIN_API_KEY\s*=.*$/gm, `# ADMIN_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
+                    // Update public key if it exists (safe to keep in [vars])
+                    if (/MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent)) {
+                        wranglerTomlContent = wranglerTomlContent.replace(/MCP_IDENTITY_PUBLIC_KEY\s*=\s*"[^"]*"/, `MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"`);
+                    }
+                    // Update AGENTSHIELD_PROJECT_ID if it exists and projectId is provided
+                    // This is safe to keep a value since it's not sensitive
+                    if (projectId &&
+                        /AGENTSHIELD_PROJECT_ID\s*=/.test(wranglerTomlContent)) {
+                        wranglerTomlContent = wranglerTomlContent.replace(/AGENTSHIELD_PROJECT_ID\s*=\s*"[^"]*"/, `AGENTSHIELD_PROJECT_ID = "${projectId}"`);
+                    }
+                    // Check if non-secret variables already exist in wrangler.toml
+                    const hasIdentityDid = /MCP_IDENTITY_AGENT_DID\s*=/.test(wranglerTomlContent);
+                    const hasIdentityPublicKey = /MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent);
+                    // Only insert identity vars if they don't already exist
+                    const needsInsertion = !hasIdentityDid || !hasIdentityPublicKey;
+                    if (needsInsertion) {
+                        wranglerTomlContent =
+                            wranglerTomlContent.slice(0, insertPosition) +
+                                identityVars +
+                                wranglerTomlContent.slice(insertPosition);
+                    }
+                    // Write updated wrangler.toml (without secrets)
+                    fs.writeFileSync(wranglerPath, wranglerTomlContent);
+                    // Create .dev.vars file for local development (git-ignored)
+                    // Only contains SECRETS (not public keys or project IDs)
+                    const devVarsPath = path.join(projectPath, ".dev.vars");
+                    const devVarsContent = `# Local development secrets (DO NOT COMMIT)
+# This file is git-ignored and contains sensitive data
+# 
+# HOW IT WORKS:
+# 1. Secrets are NOT declared in wrangler.toml [vars] (avoids conflicts)
+# 2. This file (.dev.vars) provides secrets for local development
+# 3. Production uses: wrangler secret put VARIABLE_NAME
+#
+# Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID) are in wrangler.toml
 
-  /**
-   * Get runtime configuration
-   * This is called during agent initialization and has access to the environment
-   */
-  protected getRuntimeConfigInternal(env: CloudflareEnv): CloudflareRuntimeConfig {
-    return getRuntimeConfig(env);
-  }
+# Private identity key (generated by create-mcpi-app)
+MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
 
-  /**
-   * Register tools with the MCP server
-   * Tools are defined in mcpi-runtime-config.ts
-   */
-  protected async registerTools(): Promise<void> {
-    // Get tools from the tools registry
-    const tools = getTools();
-    
-      // Register each tool with proof generation
-      for (const toolDef of tools) {
-        // Pass the full JSON Schema object - registerToolWithProof will normalize it
-        // The MCP SDK expects a JSON Schema object with type, properties, and required fields
-      this.registerToolWithProof(
-        toolDef.name,
-        toolDef.description,
-          toolDef.inputSchema, // Pass full JSON Schema object
-        toolDef.handler
-      );
-    }
-  }
-}
-`;
-    await fs.writeFile(path.join(targetDir, "src/agent.ts"), agentTs);
-    // 8. Create src/tools/greet.ts
-    const greetToolTs = `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
+# AgentShield API key (get from https://kya.vouched.id/dashboard)
+AGENTSHIELD_API_KEY="${apikey || ""}"${apikey ? "  # Provided via --apikey flag" : ""}
 
-/**
- * Greet tool definition
- * 
- * This tool demonstrates a simple MCP tool implementation.
- * Tools are registered with the MCP server and can be called by MCP clients.
- */
-export const greetTool: ToolDefinition = {
-  name: "greet",
-  description: "Greet the user",
-  inputSchema: {
-    type: "object",
-    properties: {
-      name: { type: "string", description: "Name of the person to greet" },
-    },
-    required: ["name"],
-  },
-  handler: async (args: { name: string }) => {
-    return {
-      content: [
-        {
-          type: "text",
-          text: \`Hello, \${args.name}! Welcome to ${projectName}.\`,
-        },
-      ],
-    };
-  },
-};
+# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
+ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_API_KEY" : ""}
 `;
-    await fs.writeFile(path.join(targetDir, "src/tools/greet.ts"), greetToolTs);
-    // 9. Create src/mcpi-runtime-config.ts
-    const runtimeConfigTs = `import { defineConfig, type CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare";
-import type { CloudflareEnv } from "@kya-os/mcp-i-cloudflare";
-import { greetTool } from "./tools/greet";
+                    fs.writeFileSync(devVarsPath, devVarsContent);
+                    // Create .dev.vars.example for reference
+                    const devVarsExamplePath = path.join(projectPath, ".dev.vars.example");
+                    const devVarsExampleContent = `# Copy this file to .dev.vars and fill in your values
+# DO NOT commit .dev.vars to version control
+#
+# NOTE: Only secrets go here. Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID)
+# are in wrangler.toml [vars] and can be committed safely.
 
-/**
- * Get runtime configuration for MCP-I Cloudflare Worker
- * 
- * This function is called by the framework to get the runtime configuration.
- */
-export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
-  // Determine environment with proper type casting
-  const environment = (env.MCPI_ENV || env.ENVIRONMENT || "development") as "development" | "production";
-  
-  // Extract proofing config from env if API key is present
-  const proofingConfig = env.AGENTSHIELD_API_KEY ? {
-    enabled: true,
-    batchQueue: {
-      destinations: [{
-        type: 'agentshield' as const,
-        apiKey: env.AGENTSHIELD_API_KEY,
-        apiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
-      }],
-    },
-  } : undefined;
-  
-  return defineConfig({
-    environment,
-    proofing: proofingConfig,
-    // Pass environment variables through vars so defineConfig can access them
-    vars: {
-      ENVIRONMENT: environment,
-      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
-      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
-      AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
-    },
-    // Add other configuration options as needed
-  });
-}
+# Private identity key (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
+MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
 
-/**
- * Get all tools for this agent
- * 
- * Tools are registered separately from the runtime config.
- * This function is called by the agent to get the list of tools.
- */
-export function getTools() {
-  return [
-    greetTool,
-    // Add more tools here
-  ];
-}
+# AgentShield API key (get from https://kya.vouched.id/dashboard)
+AGENTSHIELD_API_KEY="your-api-key-here"
+
+# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
+ADMIN_API_KEY="your-admin-key-here"
 `;
-    await fs.writeFile(path.join(targetDir, "src/mcpi-runtime-config.ts"), runtimeConfigTs);
-    // 10. Create scripts/setup.js (KV Namespace Creation & Key Regeneration Script)
-    const setupJs = `#!/usr/bin/env node
-const { execSync } = require('child_process');
-const fs = require('fs');
-const path = require('path');
-const crypto = require('crypto');
-
-const projectName = '${projectName}';
-const projectNameUpper = '${projectNameUpper}';
-
-console.log('🚀 Setting up MCP-I Cloudflare Worker...');
-console.log('');
-
-// Check if user is logged in to Cloudflare
-console.log('🔐 Checking Cloudflare authentication...');
-try {
-  execSync('wrangler whoami', { encoding: 'utf8', stdio: 'pipe' });
-  console.log('✅ Logged in to Cloudflare\\n');
-} catch (error) {
-  console.error('❌ Not logged in to Cloudflare!\\n');
-  console.error('Please run: wrangler login\\n');
-  console.error('Then run this setup script again: npm run setup\\n');
-  process.exit(1);
-}
+                    fs.writeFileSync(devVarsExamplePath, devVarsExampleContent);
+                    console.log(chalk.green("✅ Generated persistent identity"));
+                    console.log(chalk.dim(`   DID: ${identity.did}`));
+                    console.log(chalk.green("✅ Created secure configuration:"));
+                    console.log(chalk.dim("   • Public DID in wrangler.toml (safe to commit)"));
+                    console.log(chalk.dim("   • Private keys in .dev.vars (git-ignored)"));
+                    console.log(chalk.dim("   • Example template in .dev.vars.example"));
+                    console.log();
+                    console.log(chalk.yellow("🔒 Production Security:"));
+                    console.log(chalk.dim("   Secrets are NOT in wrangler.toml (cleaner approach)"));
+                    console.log(chalk.dim("   For production, set secrets using wrangler:"));
+                    console.log(chalk.cyan("      $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY"));
+                    console.log(chalk.cyan("      $ wrangler secret put AGENTSHIELD_API_KEY"));
+                    console.log(chalk.cyan("      $ wrangler secret put ADMIN_API_KEY"));
+                    console.log();
+                    console.log(chalk.dim("   Tip: Copy values from .dev.vars when prompted"));
+                    console.log();
+                }
+            }
+            catch (error) {
+                console.log(chalk.yellow("⚠️  Failed to generate identity:"), error.message);
+                console.log(chalk.dim("   You can generate one later with:"));
+                console.log(chalk.cyan("   $ npx @kya-os/create-mcpi-app regenerate-identity"));
+                console.log();
+            }
+        }
+        // Create tsconfig.json
+        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
+        const tsconfigContent = {
+            compilerOptions: {
+                target: "ES2022",
+                module: "ES2022",
+                lib: ["ES2022"],
+                types: ["@cloudflare/workers-types"],
+                moduleResolution: "bundler",
+                resolveJsonModule: true,
+                allowSyntheticDefaultImports: true,
+                esModuleInterop: true,
+                strict: true,
+                skipLibCheck: true,
+                forceConsistentCasingInFileNames: true,
+            },
+            include: ["src/**/*"],
+        };
+        fs.writeJsonSync(path.join(projectPath, "tsconfig.json"), tsconfigContent, {
+            spaces: 2,
+        });
+        // Create .gitignore
+        const gitignoreContent = `node_modules/
+dist/
+.wrangler/
+.dev.vars
+.env
+.env.local
+*.log
+`;
+        fs.writeFileSync(path.join(projectPath, ".gitignore"), gitignoreContent);
+        // Create .npmrc to suppress harmless deprecation warnings
+        const npmrcContent = `# Suppress deprecation warnings from transitive dependencies
+# These warnings are harmless and don't affect functionality
+# They come from: inflight (glob@7), phin (jimp), rimraf (del), glob (rimraf), node-domexception (node-fetch)
+# Will be resolved when upstream packages update their dependencies
+loglevel=error
+`;
+        fs.writeFileSync(path.join(projectPath, ".npmrc"), npmrcContent);
+        // Create README.md
+        const readmeContent = `# ${projectName}
 
-// Function to execute command and capture output
-function exec(command, silent = false) {
-  try {
-    const output = execSync(command, { encoding: 'utf8', stdio: silent ? 'pipe' : 'inherit' });
-    return output?.trim();
-  } catch (error) {
-    if (!silent) {
-      console.error(\`❌ Command failed: \${command}\`);
-      console.error(error.message);
-      if (error.stderr) {
-        console.error('Error output:', error.stderr.toString());
-      }
-    }
-    throw error; // Re-throw to handle in caller
-  }
-}
+MCP server running on Cloudflare Workers with MCP-I identity features, cryptographic proofs, and full SSE/HTTP streaming support.
 
-// Function to extract namespace ID from wrangler output
-function extractNamespaceId(output) {
-  // Match patterns like: id = "abc123" or { id: "abc123" }
-  const match = output.match(/id\\s*[:=]\\s*"([^"]+)"/);
-  return match ? match[1] : null;
-}
+## Features
 
-// Function to update wrangler.toml with namespace ID
-function updateWranglerToml(binding, namespaceId) {
-  const wranglerPath = path.join(__dirname, '..', 'wrangler.toml');
-  let content = fs.readFileSync(wranglerPath, 'utf8');
-  
-  // Find the binding section and update the ID
-  const bindingPattern = new RegExp(\`binding\\\\s*=\\\\s*"\${binding}"[^\\\\[]*id\\\\s*=\\\\s*"[^"]*"\`, 's');
-  content = content.replace(bindingPattern, (match) => {
-    return match.replace(/id\\s*=\\s*"[^"]*"/, \`id = "\${namespaceId}"\`);
-  });
-  
-  fs.writeFileSync(wranglerPath, content);
-  console.log(\`✅ Updated wrangler.toml with \${binding} namespace ID: \${namespaceId}\`);
-}
+- ✅ **MCP Protocol Support**: SSE and HTTP streaming transports
+- ✅ **Cryptographic Identity**: DID-based agent identity with Ed25519 signatures
+- ✅ **Proof Generation**: Every tool call generates a cryptographic proof
+- ✅ **Audit Logging**: Track all operations with proof IDs and signatures
+- ✅ **Nonce Protection**: Replay attack prevention via KV-backed nonce cache
+- ✅ **Proof Archiving**: Optional KV storage for proof history
 
-// Create KV namespaces
-// Note: KV_BINDING_NAMES matches the constant in env-mapper.ts for consistency
-const KV_BINDING_NAMES = ['NONCE_CACHE', 'PROOF_ARCHIVE', 'IDENTITY_STORAGE', 'DELEGATION_STORAGE', 'TOOL_PROTECTION_KV'];
-const KV_BINDING_DESCRIPTIONS = [
-  'Nonce cache for replay attack prevention',
-  'Proof archive for auditability',
-  'Identity storage for persistent agent identity',
-  'Delegation storage for OAuth flows',
-  'Tool protection configuration cache'
-];
-const namespaces = KV_BINDING_NAMES.map((name, index) => ({
-  binding: \`\${projectNameUpper}_\${name}\`,
-  name: name,
-  description: KV_BINDING_DESCRIPTIONS[index]
-}));
-
-console.log('📦 Creating KV namespaces...');
-console.log('');
-
-let successCount = 0;
-let failureCount = 0;
-
-for (const ns of namespaces) {
-  console.log(\`\\n📦 Creating \${ns.name}...\`);
-  console.log(\`   Description: \${ns.description}\`);
-  
-  try {
-    // Try to create the namespace
-    const output = exec(\`wrangler kv:namespace create \${ns.binding}\`, true);
-    
-    if (output) {
-      console.log(\`   Raw output: \${output.substring(0, 200)}\`);
-      
-      const namespaceId = extractNamespaceId(output);
-      if (namespaceId) {
-        updateWranglerToml(ns.binding, namespaceId);
-        console.log(\`   ✅ Created successfully!\`);
-        successCount++;
-      } else {
-        console.log(\`   ⚠️  Could not extract namespace ID from output.\`);
-        console.log(\`   Full output: \${output}\`);
-        console.log(\`   You may need to update wrangler.toml manually.\`);
-        failureCount++;
-      }
-    } else {
-      console.log(\`   ⚠️  No output from wrangler command.\`);
-      failureCount++;
-    }
-  } catch (error) {
-    // Namespace might already exist
-    console.log(\`   ℹ️  Namespace may already exist. Checking...\`);
-    try {
-      const listOutput = exec(\`wrangler kv:namespace list\`, true);
-      if (listOutput && listOutput.includes(ns.binding)) {
-        console.log(\`   ✓ Namespace \${ns.binding} already exists\`);
-        
-        // Try to extract ID from list output
-        const listJson = JSON.parse(listOutput);
-        const existing = listJson.find(item => item.title.includes(ns.binding));
-        if (existing && existing.id) {
-          updateWranglerToml(ns.binding, existing.id);
-          console.log(\`   ✅ Updated wrangler.toml with existing ID: \${existing.id}\`);
-          successCount++;
-        } else {
-          console.log(\`   ⚠️  Found namespace but could not extract ID. Update wrangler.toml manually.\`);
-          failureCount++;
-        }
-      } else {
-        console.log(\`   ❌ Could not create or find namespace \${ns.binding}.\`);
-        console.log(\`   Error: \${error.message}\`);
-        console.log(\`   You may need to create it manually with: wrangler kv:namespace create \${ns.binding}\`);
-        failureCount++;
-      }
-    } catch (listError) {
-      console.log(\`   ❌ Failed to list namespaces: \${listError.message}\`);
-      failureCount++;
+## Quick Start
+
+### 1. Install Dependencies
+
+\`\`\`bash
+${packageManager} install
+\`\`\`
+
+### 2. Create KV Namespaces
+
+#### Create All KV Namespaces (Recommended)
+
+\`\`\`bash
+${packageManager === "npm" ? "npm run" : packageManager} kv:create
+\`\`\`
+
+This creates all 5 KV namespaces at once:
+- \`NONCE_CACHE\` - Replay attack prevention (Required)
+- \`PROOF_ARCHIVE\` - Cryptographic proof storage (Recommended)
+- \`IDENTITY_STORAGE\` - Agent identity persistence (Recommended)
+- \`DELEGATION_STORAGE\` - OAuth delegation storage (Required for delegation)
+- \`TOOL_PROTECTION_KV\` - Dashboard-controlled permissions (Optional)
+
+Copy the namespace IDs from the output and update each one in \`wrangler.toml\`:
+
+\`\`\`toml
+[[kv_namespaces]]
+binding = "NONCE_CACHE"
+id = "your_nonce_kv_id_here"  # ← Update this
+
+[[kv_namespaces]]
+binding = "PROOF_ARCHIVE"
+id = "your_proof_kv_id_here"  # ← Update this
+
+[[kv_namespaces]]
+binding = "IDENTITY_STORAGE"
+id = "your_identity_kv_id_here"  # ← Update this
+
+[[kv_namespaces]]
+binding = "DELEGATION_STORAGE"
+id = "your_delegation_kv_id_here"  # ← Update this
+
+[[kv_namespaces]]
+binding = "TOOL_PROTECTION_KV"
+id = "your_tool_protection_kv_id_here"  # ← Update this
+\`\`\`
+
+**Note:** You can also create namespaces individually:
+- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-nonce\` - Create nonce cache only
+- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-proof\` - Create proof archive only
+- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-identity\` - Create identity storage only
+- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-delegation\` - Create delegation storage only
+- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection\` - Create tool protection cache only
+
+### 3. Test Locally
+
+\`\`\`bash
+${packageManager === "npm" ? "npm run" : packageManager} dev
+\`\`\`
+
+### 4. Deploy
+
+#### Production Deployment
+
+Secrets are **not** declared in \`wrangler.toml\` to avoid conflicts. Set them using:
+
+\`\`\`bash
+wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+wrangler secret put AGENTSHIELD_API_KEY
+wrangler secret put ADMIN_API_KEY
+\`\`\`
+
+**Tip:** Copy values from your \`.dev.vars\` file when prompted.
+
+**Note:** \`MCP_IDENTITY_PUBLIC_KEY\` and \`AGENTSHIELD_PROJECT_ID\` are not secrets and are already in \`wrangler.toml\` with values.
+
+Now deploy:
+
+\`\`\`bash
+${packageManager === "npm" ? "npm run" : packageManager} deploy
+\`\`\`
+
+## Connect with Claude Desktop
+
+Add to \`~/Library/Application Support/Claude/claude_desktop_config.json\`:
+
+\`\`\`json
+{
+  "mcpServers": {
+    "${projectName}": {
+      "command": "npx",
+      "args": ["mcp-remote", "https://your-worker.workers.dev/sse"]
     }
   }
 }
+\`\`\`
+
+**Note:** Use the \`/sse\` endpoint for Claude Desktop compatibility.
+
+Restart Claude Desktop and test: "Use the greet tool to say hello to Alice"
 
-console.log('');
-console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
-console.log('📊 Setup Summary:');
-console.log(\`   ✅ Success: \${successCount}/\${namespaces.length} namespaces\`);
-console.log(\`   ❌ Failed: \${failureCount}/\${namespaces.length} namespaces\`);
-console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\\n');
-
-if (failureCount > 0) {
-  console.log('⚠️  Some namespaces failed to create.\\n');
-  console.log('Manual steps required:');
-  console.log('1. Check wrangler.toml for any "TODO_REPLACE_WITH_ID" entries');
-  console.log('2. Create missing namespaces manually with:');
-  console.log('   wrangler kv:namespace create NAMESPACE_BINDING\\n');
-  console.log('3. Copy the ID from the output to wrangler.toml\\n');
-} else {
-  console.log('✨ Setup complete!\\n');
+## Adding Tools
+
+Create tools in \`src/tools/\`:
+
+\`\`\`typescript
+import { z } from "zod";
+
+export const myTool = {
+  name: "my_tool",
+  description: "Tool description",
+  inputSchema: z.object({
+    input: z.string().describe("Input parameter")
+  }),
+  handler: async ({ input }: { input: string }) => ({
+    content: [{ type: "text" as const, text: \`Result: \${input}\` }]
+  })
+};
+\`\`\`
+
+Register in \`src/index.ts\` init method:
+
+\`\`\`typescript
+this.server.tool(
+  myTool.name,
+  myTool.description,
+  myTool.inputSchema.shape,
+  myTool.handler
+);
+\`\`\`
+
+## Endpoints
+
+- \`/health\` - Health check
+- \`/sse\` - SSE transport for MCP
+- \`/mcp\` - Streamable HTTP transport for MCP
+- \`/oauth/callback\` - OAuth callback for delegation flows
+- \`/admin/clear-cache\` - Clear tool protection cache (requires API key)
+
+## Viewing Cryptographic Proofs
+
+Every tool call generates a cryptographic proof that's logged to the console:
+
+\`\`\`bash
+${packageManager === "npm" ? "npm run" : packageManager} dev
+\`\`\`
+
+When you call a tool, you'll see logs like:
+
+\`\`\`
+[MCP-I] Initialized with DID: did:web:localhost:agents:key-abc123
+[MCP-I Proof] {
+  tool: 'greet',
+  did: 'did:web:localhost:agents:key-abc123',
+  proofId: 'proof_1234567890_abcd',
+  signature: 'mNYP8x2k9FqV3...'
 }
+\`\`\`
+
+### Proof Archives (Optional)
+
+If you configured the \`PROOF_ARCHIVE\` KV namespace, proofs are also stored for querying:
+
+\`\`\`bash
+# List all proofs
+wrangler kv:key list --namespace-id=your_proof_kv_id
+
+# View a specific proof
+wrangler kv:key get "proof_1234567890_abcd" --namespace-id=your_proof_kv_id
+\`\`\`
+
+## Identity Management
+
+Your agent's cryptographic identity is stored in Durable Objects state. To view your agent's DID:
+
+1. Check the logs during \`init()\` - it prints the DID
+2. Or query the runtime: \`await mcpiRuntime.getIdentity()\`
+
+The identity includes:
+- \`did\`: Decentralized identifier (e.g., \`did:web:your-worker.workers.dev:agents:key-xyz\`)
+- \`publicKey\`: Ed25519 public key for signature verification
+- \`privateKey\`: Ed25519 private key (secured in Durable Object state)
+
+## AgentShield Integration
+
+This project is configured to send cryptographic proofs to AgentShield for audit trails and compliance monitoring.
 
-console.log('🚀 Next steps:');
-console.log('1. Review wrangler.toml to ensure all namespace IDs are populated');
-console.log('2. Review .dev.vars for secrets configuration');
-console.log('3. Run "npm run dev" to start the development server');
-console.log('4. Run "npm run deploy" to deploy to Cloudflare Workers\\n');
-
-console.log('📝 For production deployment:');
-console.log('   wrangler secret put MCP_IDENTITY_PRIVATE_KEY');
-if (failureCount === 0) {
-  console.log('   wrangler secret put AGENTSHIELD_API_KEY');
-  console.log('   # ADMIN_API_KEY is optional - falls back to AGENTSHIELD_API_KEY if not set');
+### Setup
+
+1. **Get your AgentShield API key**:
+   - Sign up at https://kya.vouched.id
+   - Create a project
+   - Copy your API key from the dashboard
+
+2. **Update \`wrangler.toml\`**:
+   \`\`\`toml
+   [vars]
+   AGENTSHIELD_API_URL = "https://kya.vouched.id"
+   AGENTSHIELD_API_KEY = "sk_your_actual_key_here"  # ← Replace this
+   MCPI_ENV = "development"
+   \`\`\`
+
+3. **Test proof submission**:
+   \`\`\`bash
+   ${packageManager === "npm" ? "npm run" : packageManager} dev
+   \`\`\`
+
+   Call a tool and check the logs:
+   \`\`\`
+   [AgentShield] Submitting proof: { did: 'did:web:...', sessionId: '...', jwsFormat: 'valid (3 parts)' }
+   [AgentShield] ✅ Proofs accepted: 1
+   \`\`\`
+
+4. **View proofs in dashboard**:
+   - Go to https://kya.vouched.id/dashboard
+   - Select your project
+   - Click "Interactions" tab
+   - See your proofs in real-time
+
+### Configuration
+
+The AgentShield integration is configured in \`src/mcpi-runtime-config.ts\`. You can customize:
+- Proof batch size (\`maxBatchSize\`)
+- Flush interval (\`flushIntervalMs\`)
+- Retry policy (\`maxRetries\`)
+- Tool protection rules (\`toolProtections\`)
+
+### Dashboard-Controlled Tool Protection (Advanced)
+
+🆕 **NEW**: Control which tools require user delegation directly from the AgentShield dashboard - no code changes needed!
+
+Instead of hardcoding \`requiresDelegation\` in your config, enable dynamic tool protection:
+
+1. **Create Tool Protection KV namespace**:
+   \`\`\`bash
+   ${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection
+   \`\`\`
+
+2. **Uncomment TOOL_PROTECTION_KV in \`wrangler.toml\`**:
+   \`\`\`toml
+   [[kv_namespaces]]
+   binding = "TOOL_PROTECTION_KV"
+   id = "your_tool_protection_kv_id"  # ← Add the ID from step 1
+   \`\`\`
+
+3. **Enable Tool Protection Service in \`src/mcpi-runtime-config.ts\`**:
+   - Uncomment the import: \`import { CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";\`
+   - Uncomment the \`toolProtectionService\` configuration block
+
+4. **Deploy and test**:
+   \`\`\`bash
+   ${packageManager === "npm" ? "npm run" : packageManager} deploy
+   \`\`\`
+
+5. **Control delegation from dashboard**:
+   - Go to https://kya.vouched.id/dashboard
+   - Select your project → "Tools" tab
+   - Toggle "Require Delegation" for any tool
+   - Changes apply in real-time (5-minute cache)
+
+**Benefits:**
+- Update tool permissions without redeploying
+- Test delegation flows instantly
+- Different requirements per environment (dev vs prod)
+- Automatic tool discovery from proof submissions
+
+**Note:** The first time a tool is called, it auto-discovers in the dashboard. The \`requiresDelegation\` toggle will appear after the first proof is submitted.
+
+### Disable AgentShield (Optional)
+
+If you don't want to use AgentShield, edit \`src/mcpi-runtime-config.ts\`:
+
+\`\`\`typescript
+proofing: {
+  enabled: false,  // Disable proof submission
+  // ...
 }
+\`\`\`
+
+Or simply don't configure the \`AGENTSHIELD_API_KEY\` environment variable.
+
+## References
+
+- [Cloudflare Agents MCP](https://developers.cloudflare.com/agents/model-context-protocol/)
+- [MCP Specification](https://spec.modelcontextprotocol.io/)
+- [MCP-I Documentation](https://github.com/kya-os/xmcp-i)
 `;
-    await fs.writeFile(path.join(targetDir, "scripts/setup.js"), setupJs);
-    await fs.chmod(path.join(targetDir, "scripts/setup.js"), "755");
-    // 11. Create tsconfig.json
-    const tsConfig = {
-        compilerOptions: {
-            target: "esnext",
-            module: "esnext",
-            moduleResolution: "bundler",
-            types: ["@cloudflare/workers-types", "vitest/globals"],
-            strict: true,
-            skipLibCheck: true,
-            noEmit: true,
-        },
-        include: ["src/**/*"],
-        exclude: ["node_modules"],
-    };
-    await fs.writeJson(path.join(targetDir, "tsconfig.json"), tsConfig, {
-        spaces: 2,
-    });
-    // 12. Create .gitignore
-    const gitignore = `node_modules
-dist
-.wrangler
-.dev.vars
-`;
-    await fs.writeFile(path.join(targetDir, ".gitignore"), gitignore);
-    console.log(chalk.green("✔ Created Cloudflare MCP-I template files"));
-    console.log(chalk.gray("  - Generated identity keys in .dev.vars"));
-    console.log(chalk.gray("  - Configured wrangler.toml with KV namespaces"));
-    console.log(chalk.gray("  - Created modular tool structure"));
-    console.log(chalk.gray("  - Created setup script for KV namespace creation"));
-    // 13. Run npm install first (skip in tests)
-    if (!skipCommands) {
-        console.log(chalk.blue("\n📦 Installing dependencies..."));
-        await runCommand(packageManager, ["install"], targetDir);
-        // 13a. Verify installed version matches expected version
-        console.log(chalk.blue("\n🔍 Verifying package versions..."));
-        const expectedVersion = "1.6.13";
-        try {
-            const installedPackagePath = path.join(targetDir, "node_modules", "@kya-os", "mcp-i-cloudflare", "package.json");
-            if (fs.existsSync(installedPackagePath)) {
-                const installedPackage = await fs.readJson(installedPackagePath);
-                const installedVersion = installedPackage.version;
-                if (installedVersion !== expectedVersion) {
-                    console.log(chalk.yellow(`\n⚠️  Warning: Expected @kya-os/mcp-i-cloudflare@${expectedVersion} but got ${installedVersion}`));
-                    console.log(chalk.yellow("   This might cause issues with MCP-I handshake. Consider clearing package cache:"));
-                    if (packageManager === "npm") {
-                        console.log(chalk.gray("   npm cache clean --force"));
-                    }
-                    else if (packageManager === "pnpm") {
-                        console.log(chalk.gray("   pnpm store prune"));
-                    }
-                    else if (packageManager === "yarn") {
-                        console.log(chalk.gray("   yarn cache clean"));
-                    }
-                    console.log(chalk.yellow("   Then reinstall dependencies."));
-                }
-                else {
-                    console.log(chalk.green(`✅ @kya-os/mcp-i-cloudflare@${installedVersion} installed correctly`));
-                }
-            }
-            else {
-                console.log(chalk.yellow("⚠️  Could not verify package installation"));
-            }
+        fs.writeFileSync(path.join(projectPath, "README.md"), readmeContent);
+        console.log(chalk.green("✅ Cloudflare Worker MCP server created"));
+        console.log();
+        if (apikey) {
+            console.log(chalk.green("🔑 AgentShield API key configured in wrangler.toml"));
+            console.log(chalk.dim("   Your API key has been added to the [vars] section"));
+            console.log(chalk.dim("   Tool protection enforcement is ready to use!"));
+            console.log();
         }
-        catch (error) {
-            console.log(chalk.yellow("⚠️  Could not verify package versions"));
-            if (process.env.DEBUG) {
-                console.error(error);
-            }
-        }
-        // 14. Run setup script to create KV namespaces
-        console.log(chalk.blue("\n🔧 Running setup script to create KV namespaces..."));
-        try {
-            // Use npm run setup instead of direct node execution to match user's manual workflow
-            // This ensures the same environment and PATH resolution as when users run it manually
-            await runCommand(packageManager, ["run", "setup"], targetDir);
-            console.log(chalk.green("\n✅ KV namespaces created successfully!"));
-        }
-        catch (error) {
-            console.log(chalk.yellow("\n⚠️  KV namespace setup encountered issues."));
-            if (error?.message) {
-                console.log(chalk.gray(`   Error: ${error.message}`));
-            }
-            console.log(chalk.yellow("\nYou can run it manually:"));
-            console.log(chalk.cyan(`   cd ${projectName}`));
-            console.log(chalk.cyan(`   ${packageManager} run setup`));
-            console.log(chalk.gray("\nThe setup script will create all required KV namespaces and update wrangler.toml."));
+        else {
+            console.log(chalk.yellow("⚠️  No AgentShield API key provided"));
+            console.log(chalk.dim("   Add your API key to wrangler.toml [vars] section before deployment"));
+            console.log(chalk.dim("   Get your key at: https://kya.vouched.id/dashboard"));
+            console.log();
         }
+        console.log(chalk.bold("📦 All KV Namespaces Configured"));
+        console.log(chalk.dim("   - NONCE_CACHE: Replay attack prevention"));
+        console.log(chalk.dim("   - PROOF_ARCHIVE: Cryptographic proof storage"));
+        console.log(chalk.dim("   - IDENTITY_STORAGE: Agent identity persistence"));
+        console.log(chalk.dim("   - DELEGATION_STORAGE: OAuth delegation storage"));
+        console.log(chalk.dim("   - TOOL_PROTECTION_KV: Dashboard-controlled permissions"));
+        console.log();
+        console.log(chalk.cyan("   Run 'npm run kv:create' to create all namespaces"));
+        console.log();
     }
-    // 15. Final instructions
-    console.log(chalk.blue("\n" + "=".repeat(60)));
-    console.log(chalk.bold.green("🎉 Cloudflare MCP-I project created successfully!"));
-    console.log(chalk.blue("=".repeat(60)));
-    console.log(chalk.bold("\n📝 Important Configuration Notes:"));
-    console.log(chalk.gray("\n1. ADMIN_API_KEY (in .dev.vars):"));
-    console.log(chalk.gray("   - Set to same value as AGENTSHIELD_API_KEY for convenience"));
-    console.log(chalk.gray("   - You can change it if you need separate admin endpoint security"));
-    console.log(chalk.gray("   - Required for admin endpoints like /admin/clear-cache\n"));
-    console.log(chalk.gray("2. KV Namespaces (in wrangler.toml):"));
-    console.log(chalk.gray("   - Required for MCP-I security features"));
-    console.log(chalk.gray("   - Auto-created by 'npm run setup' script"));
-    console.log(chalk.gray("   - Check wrangler.toml for 'TODO_REPLACE_WITH_ID' if setup failed\n"));
-    console.log(chalk.bold("🚀 Next Steps:"));
-    console.log(chalk.cyan("   cd " + projectName));
-    // Check if they need to run setup
-    const wranglerPath = path.join(targetDir, "wrangler.toml");
-    if (fs.existsSync(wranglerPath)) {
-        const wranglerContent = await fs.readFile(wranglerPath, "utf-8");
-        if (wranglerContent.includes("TODO_REPLACE_WITH_ID")) {
-            console.log(chalk.yellow("   wrangler login              # Login to Cloudflare first!"));
-            console.log(chalk.yellow("   npm run setup               # Create KV namespaces"));
-        }
-    }
-    console.log(chalk.cyan("   npm run dev                 # Start local development"));
-    console.log(chalk.cyan("   npm run deploy              # Deploy to Cloudflare\n"));
-}
-function toPascalCase(str) {
-    const result = str
-        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word, index) => {
-        return word.toUpperCase();
-    })
-        .replace(/\s+/g, "")
-        .replace(/-/g, "")
-        .replace(/[^a-zA-Z0-9]/g, ""); // Remove all non-alphanumeric characters
-    // Fallback to "Project" if result is empty or invalid
-    let className = result || "Project";
-    // Prefix with underscore if starts with a number (invalid JavaScript identifier)
-    if (/^\d/.test(className)) {
-        className = "_" + className;
+    catch (error) {
+        console.error(chalk.red("Failed to set up Cloudflare Worker MCP server:"), error);
+        throw error;
     }
-    return className;
-}
-function runCommand(command, args, cwd) {
-    return new Promise((resolve, reject) => {
-        const child = spawn(command, args, {
-            cwd,
-            stdio: "inherit",
-            shell: process.platform === "win32",
-        });
-        child.on("error", reject);
-        child.on("exit", (code) => {
-            if (code === 0) {
-                resolve();
-            }
-            else {
-                reject(new Error(`Command failed with exit code ${code}`));
-            }
-        });
-    });
 }
 //# sourceMappingURL=fetch-cloudflare-mcpi-template.js.map