@kya-os/create-mcpi-app 1.8.15-canary.0 → 1.8.16

package/dist/helpers/fetch-cloudflare-mcpi-template.js

@@ -1,616 +1,140 @@
 import fs from "fs-extra";
 import path from "path";
 import chalk from "chalk";
+import { spawn } from "child_process";
+import crypto from "crypto";
 import { generateIdentity } from "./generate-identity.js";
 /**
- * Scaffold Cloudflare Worker MCP server
- * Uses McpAgent from agents/mcp for MCP protocol support
- */
-export async function fetchCloudflareMcpiTemplate(projectPath, options = {}) {
-    const { packageManager = "npm", projectName = path.basename(projectPath), apikey, projectId, skipIdentity = false, } = options;
-    // Sanitize project name for class names
-    let className = projectName
-        .replace(/[^a-zA-Z0-9]/g, "")
-        .replace(/^[0-9]/, "_$&");
-    // Fallback to prevent empty class names
-    if (!className || className.length === 0) {
-        className = "Project";
-    }
-    const pascalClassName = className.charAt(0).toUpperCase() + className.slice(1);
-    // Sanitize project name for wrangler.toml (alphanumeric, lowercase, dashes only)
-    let wranglerName = projectName
-        .toLowerCase()
-        .replace(/[^a-z0-9-]/g, "-") // Replace invalid chars with dashes
-        .replace(/-+/g, "-") // Replace multiple dashes with single dash
-        .replace(/^-|-$/g, ""); // Remove leading/trailing dashes
-    // Fallback to prevent empty wrangler names
-    if (!wranglerName || wranglerName.length === 0) {
-        wranglerName = "worker";
-    }
-    try {
-        console.log(chalk.blue("📦 Setting up Cloudflare Worker MCP server..."));
-        // Create package.json
-        const packageJson = {
-            name: projectName,
-            version: "0.1.0",
-            private: true,
-            scripts: {
-                setup: "node scripts/setup.js",
-                postinstall: "npm run setup",
-                deploy: "wrangler deploy",
-                dev: "wrangler dev",
-                start: "wrangler dev",
-                "kv:create": "npm run kv:create-nonce && npm run kv:create-proof && npm run kv:create-identity && npm run kv:create-delegation && npm run kv:create-tool-protection",
-                "kv:create-nonce": `wrangler kv namespace create ${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:create-proof": `wrangler kv namespace create ${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:create-identity": `wrangler kv namespace create ${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:create-delegation": `wrangler kv namespace create ${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:create-tool-protection": `wrangler kv namespace create ${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:list": "wrangler kv namespace list | grep -E '(NONCE|PROOF|IDENTITY|DELEGATION|TOOL_PROTECTION|MCPI)' || wrangler kv namespace list",
-                "kv:keys-nonce": `wrangler kv key list --binding=${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:keys-proof": `wrangler kv key list --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:keys-identity": `wrangler kv key list --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:keys-delegation": `wrangler kv key list --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:keys-tool-protection": `wrangler kv key list --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:delete-nonce": `wrangler kv namespace delete --binding=${className.toUpperCase()}_NONCE_CACHE`,
-                "kv:delete-proof": `wrangler kv namespace delete --binding=${className.toUpperCase()}_PROOF_ARCHIVE`,
-                "kv:delete-identity": `wrangler kv namespace delete --binding=${className.toUpperCase()}_IDENTITY_STORAGE`,
-                "kv:delete-delegation": `wrangler kv namespace delete --binding=${className.toUpperCase()}_DELEGATION_STORAGE`,
-                "kv:delete-tool-protection": `wrangler kv namespace delete --binding=${className.toUpperCase()}_TOOL_PROTECTION_KV`,
-                "kv:delete": "npm run kv:delete-nonce && npm run kv:delete-proof && npm run kv:delete-identity && npm run kv:delete-delegation && npm run kv:delete-tool-protection",
-                "kv:reset": "npm run kv:delete && npm run kv:create",
-                "kv:setup": "echo 'KV Commands: kv:create (create all), kv:list (list all), kv:keys-* (view keys), kv:delete (delete all), kv:reset (delete+recreate)'",
-                "cf-typegen": "wrangler types",
-                "type-check": "tsc --noEmit",
-                test: "vitest",
-                "test:watch": "vitest --watch",
-                "test:coverage": "vitest run --coverage",
-            },
-            dependencies: {
-                "@kya-os/contracts": "^1.5.2-canary.5",
-                "@kya-os/mcp-i-cloudflare": "1.5.1-canary.5",
-                "@modelcontextprotocol/sdk": "^1.19.1",
-                agents: "^0.2.21", // Use latest version - constructor now only accepts 2 parameters
-                hono: "^4.9.10",
-                zod: "^3.25.76",
-            },
-            devDependencies: {
-                "@cloudflare/workers-types": "^4.20251109.0",
-                "@kya-os/create-mcpi-app": "^1.7.23",
-                "@vitest/coverage-v8": "^3.2.4",
-                miniflare: "^3.0.0",
-                typescript: "^5.6.2",
-                vitest: "^3.2.4",
-                wrangler: "^4.42.2",
-            },
-        };
-        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
-        fs.writeJsonSync(path.join(projectPath, "package.json"), packageJson, {
-            spaces: 2,
-        });
-        // Create src directory and tools
-        const srcDir = path.join(projectPath, "src");
-        const toolsDir = path.join(srcDir, "tools");
-        fs.ensureDirSync(toolsDir);
-        // Create scripts directory
-        const scriptsDir = path.join(projectPath, "scripts");
-        fs.ensureDirSync(scriptsDir);
-        // Create setup.js automation script
-        const setupScriptContent = `#!/usr/bin/env node
-
-/**
- * Automated Setup Script for ${projectName}
+ * Fetches the Cloudflare MCP-I template
  *
- * This script automates the tedious process of:
- * 1. Checking/installing wrangler
- * 2. Creating KV namespaces
- * 3. Extracting namespace IDs
- * 4. Updating wrangler.toml automatically
- * 5. Setting up local development environment
+ * Generates a complete project structure:
+ * - package.json with all scripts
+ * - wrangler.toml with all KV namespaces configured
+ * - .dev.vars with all secrets
+ * - src/index.ts
+ * - src/agent.ts
+ * - src/tools/greet.ts
+ * - src/mcpi-runtime-config.ts
+ * - scripts/setup.js for KV namespace creation and key regeneration
+ * - Automatically runs setup to create KV namespaces
  */
-
-const { execSync } = require('child_process');
-const fs = require('fs');
-const path = require('path');
-const readline = require('readline');
-
-const rl = readline.createInterface({
-  input: process.stdin,
-  output: process.stdout
-});
-
-// Colors for terminal output
-const colors = {
-  reset: '\\x1b[0m',
-  bright: '\\x1b[1m',
-  green: '\\x1b[32m',
-  yellow: '\\x1b[33m',
-  blue: '\\x1b[36m',
-  red: '\\x1b[31m'
-};
-
-function log(message, color = colors.reset) {
-  console.log(color + message + colors.reset);
-}
-
-function skipToPostKVSetup() {
-  // Skip KV creation but continue with other setup steps
-  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
-  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
-
-  // Create .dev.vars from example if it doesn't exist
-  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
-    log('\\n📋 Creating .dev.vars from example...', colors.blue);
-    fs.copyFileSync(devVarsExamplePath, devVarsPath);
-    log('✅ Created .dev.vars - Please update with your values', colors.green);
-  }
-
-  // Check if identity needs to be generated
-  if (fs.existsSync(devVarsPath)) {
-    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
-    if (devVarsContent.includes('your-private-key-here')) {
-      log('\\n🔑 Generating agent identity...', colors.blue);
-      try {
-        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
-        log('✅ Identity generated successfully', colors.green);
-      } catch {
-        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
-      }
-    }
-  }
-
-  // Show modified next steps
-  log('\\n✨ Setup partially complete! Next steps:\\n', colors.bright + colors.green);
-  log('1. Set your Cloudflare account ID (required for KV namespaces):', colors.blue);
-  log('   export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
-  log('   OR add to wrangler.toml: account_id = "your-account-id"\\n', colors.reset);
-  log('2. Create KV namespaces: npm run kv:create', colors.blue);
-  log('3. Review .dev.vars and add any missing values', colors.blue);
-  log('4. Start development server: npm run dev', colors.blue);
-  log('5. Deploy to production: npm run deploy', colors.blue);
-  log('\\nUseful commands:', colors.bright);
-  log('  npm run dev                    - Start local development server');
-  log('  npm run deploy                 - Deploy to Cloudflare Workers');
-  log('  npm run kv:list                - List all KV namespaces');
-  log('  wrangler secret put <KEY>      - Set production secrets');
-  log('\\nFor more information, see the README.md file.\\n');
-
-  rl.close();
-}
-
-async function setup() {
-  log('\\n🚀 Starting automated setup for ${projectName}...\\n', colors.bright + colors.blue);
-
-  // 1. Check wrangler installation
-  try {
-    const wranglerVersion = execSync('wrangler --version', { encoding: 'utf-8' });
-    log('✅ Wrangler CLI detected: ' + wranglerVersion.trim(), colors.green);
-  } catch {
-    log('📦 Wrangler CLI not found. Installing...', colors.yellow);
-    try {
-      execSync('npm install -g wrangler', { stdio: 'inherit' });
-      log('✅ Wrangler CLI installed successfully', colors.green);
-    } catch (error) {
-      log('❌ Failed to install Wrangler. Please install manually: npm install -g wrangler', colors.red);
-      process.exit(1);
-    }
-  }
-
-  // 2. Check if user is logged in to Cloudflare
-  try {
-    execSync('wrangler whoami', { encoding: 'utf-8' });
-    log('✅ Logged in to Cloudflare', colors.green);
-  } catch {
-    log('🔑 Please log in to Cloudflare:', colors.yellow);
-    try {
-      execSync('wrangler login', { stdio: 'inherit' });
-    } catch (error) {
-      log('❌ Login failed. Please run: wrangler login', colors.red);
-      process.exit(1);
+export async function fetchCloudflareMcpiTemplate(targetDir, options) {
+    // Handle legacy string argument (projectName) for backward compatibility
+    const opts = typeof options === "string"
+        ? { packageManager: "npm", projectName: options }
+        : options;
+    // Extract project name from path if not provided
+    let projectName = opts.projectName;
+    if (!projectName) {
+        const pathParts = targetDir.split(path.sep);
+        projectName = pathParts[pathParts.length - 1] || "worker";
     }
-  }
-
-  // 2.5. Set up wrangler.toml path for later use
-  const wranglerTomlPath = path.join(__dirname, '..', 'wrangler.toml');
-  let wranglerContent = '';
-
-  try {
-    wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
-  } catch (error) {
-    log('⚠️  Could not read wrangler.toml', colors.yellow);
-  }
-
-  // 3. Create KV namespaces
-  log('\\n📚 Creating KV namespaces...\\n', colors.bright);
-
-  const namespaces = [
-    { binding: '${className.toUpperCase()}_NONCE_CACHE', name: 'Nonce Cache', purpose: 'Replay attack prevention' },
-    { binding: '${className.toUpperCase()}_PROOF_ARCHIVE', name: 'Proof Archive', purpose: 'Cryptographic proof storage' },
-    { binding: '${className.toUpperCase()}_IDENTITY_STORAGE', name: 'Identity Storage', purpose: 'Agent identity persistence' },
-    { binding: '${className.toUpperCase()}_DELEGATION_STORAGE', name: 'Delegation Storage', purpose: 'OAuth token storage' },
-    { binding: '${className.toUpperCase()}_TOOL_PROTECTION_KV', name: 'Tool Protection', purpose: 'Permission caching' }
-  ];
-
-  const kvIds = {};
-  let multipleAccountsDetected = false;
-
-  for (const ns of namespaces) {
-    // If we already detected multiple accounts, skip remaining namespaces
-    if (multipleAccountsDetected) {
-      break;
-    }
-
-    log(\`Creating \${ns.name} (\${ns.purpose})...\`, colors.blue);
-
-    // First, check if namespace already exists
-    let existingNamespace = null;
-    try {
-      const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-      
-      try {
-        const allNamespaces = JSON.parse(listOutput);
-        existingNamespace = allNamespaces.find(n => n.title === ns.binding);
-      } catch (parseError) {
-        // Fallback to regex if JSON parsing fails
-        const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-        if (existingMatch && existingMatch[1]) {
-          existingNamespace = { id: existingMatch[1], title: ns.binding };
-        }
-      }
-    } catch (listError) {
-      // If we can't list namespaces, continue to try creating
-    }
-
-    if (existingNamespace && existingNamespace.id) {
-      kvIds[ns.binding] = existingNamespace.id;
-      log(\`  ✅ Using existing namespace with ID: \${existingNamespace.id}\`, colors.green);
-      continue;
-    }
-
-    // Namespace doesn't exist, try to create it
-    try {
-      // Suppress stderr to avoid noisy error messages
-      const output = execSync(\`wrangler kv namespace create "\${ns.binding}"\`, { 
-        encoding: 'utf-8', 
-        stdio: ['pipe', 'pipe', 'pipe'] 
-      });
-
-      // Extract the ID from output
-      const idMatch = output.match(/id = "([^"]+)"/);
-
-      if (idMatch && idMatch[1]) {
-        kvIds[ns.binding] = idMatch[1];
-        log(\`  ✅ Created with ID: \${idMatch[1]}\`, colors.green);
-      } else {
-        log(\`  ⚠️  Created but could not extract ID. Checking existing namespaces...\`, colors.yellow);
-        // Fallback: try to find it in the list
-        const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-        try {
-          const allNamespaces = JSON.parse(listOutput);
-          const found = allNamespaces.find(n => n.title === ns.binding);
-          if (found && found.id) {
-            kvIds[ns.binding] = found.id;
-            log(\`  ✅ Found ID: \${found.id}\`, colors.green);
-          }
-        } catch {
-          // Ignore parse errors
-        }
-      }
-    } catch (error) {
-      const errorMessage = error.message || error.toString();
-      const errorOutput = error.stdout || error.stderr || '';
-
-      // Check if this is a multiple accounts error
-      if (errorMessage.includes('More than one account') || errorMessage.includes('multiple accounts') || errorOutput.includes('More than one account')) {
-        multipleAccountsDetected = true;
-        log('\\n⚠️  Multiple Cloudflare accounts detected!\\n', colors.yellow);
-        log('Wrangler cannot automatically select an account in non-interactive mode.\\n', colors.yellow);
-        log('To fix this, choose one of these options:\\n', colors.bright);
-        log('Option 1: Set environment variable (recommended):', colors.blue);
-        log('  export CLOUDFLARE_ACCOUNT_ID=your-account-id', colors.reset);
-        log('  npm run setup\\n', colors.reset);
-        log('Option 2: Add to wrangler.toml (permanent):', colors.blue);
-        log('  Edit wrangler.toml and add:', colors.reset);
-        log('  account_id = "your-account-id"\\n', colors.reset);
-        log('Find your account IDs in the error above or run:', colors.blue);
-        log('  wrangler whoami\\n', colors.reset);
-        log('⏭️  Skipping remaining KV namespace creation.', colors.yellow);
-        log('After setting account_id, run: npm run setup\\n', colors.yellow);
-        break;
-      }
-
-      // Check if namespace already exists (common case - suppress noisy error)
-      if (errorMessage.includes('already exists') || errorOutput.includes('already exists') || errorOutput.includes('code: 10014')) {
-        // Try to get the existing namespace ID
-        try {
-          const listOutput = execSync('wrangler kv namespace list', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
-          
-          try {
-            const allNamespaces = JSON.parse(listOutput);
-            const found = allNamespaces.find(n => n.title === ns.binding);
-            
-            if (found && found.id) {
-              kvIds[ns.binding] = found.id;
-              log(\`  ✅ Using existing namespace with ID: \${found.id}\`, colors.green);
-            } else {
-              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
-            }
-          } catch (parseError) {
-            // Fallback to regex
-            const existingMatch = listOutput.match(new RegExp(\`"title":\\s*"\${ns.binding}"[^}]*"id":\\s*"([^"]+)"\`));
-            if (existingMatch && existingMatch[1]) {
-              kvIds[ns.binding] = existingMatch[1];
-              log(\`  ✅ Using existing namespace with ID: \${existingMatch[1]}\`, colors.green);
-            } else {
-              log(\`  ⚠️  Namespace exists but could not find ID. You may need to add it manually.\`, colors.yellow);
-            }
-          }
-        } catch (listError) {
-          log(\`  ⚠️  Namespace may already exist. Run 'wrangler kv namespace list' to verify.\`, colors.yellow);
-        }
-      } else {
-        // Some other error occurred
-        log(\`  ❌ Failed to create \${ns.binding}\`, colors.red);
-        log(\`     Error: \${errorMessage}\`, colors.red);
-      }
+    const { apikey, projectId, packageManager, skipCommands } = opts;
+    const projectNameUpper = projectName.toUpperCase().replace(/-/g, "_");
+    // Centralized KV binding names (matches env-mapper.ts for consistency)
+    const KV_BINDING_NAMES = [
+        "NONCE_CACHE",
+        "PROOF_ARCHIVE",
+        "IDENTITY_STORAGE",
+        "DELEGATION_STORAGE",
+        "TOOL_PROTECTION_KV",
+    ];
+    console.log(chalk.blue(`\n🏗️  Generating Cloudflare MCP-I project: ${projectName}...`));
+    // 1. Create directory structure
+    await fs.ensureDir(path.join(targetDir, "src"));
+    await fs.ensureDir(path.join(targetDir, "src/tools"));
+    await fs.ensureDir(path.join(targetDir, "scripts"));
+    // 2. Generate Identity (Keys & DID)
+    let identity;
+    if (opts.skipIdentity) {
+        // Use a mock identity when skipping generation
+        identity = {
+            did: "did:key:zTestMockIdentity",
+            kid: "did:key:zTestMockIdentity#key-1",
+            privateKey: "mock-private-key",
+            publicKey: "mock-public-key",
+            createdAt: new Date().toISOString(),
+            type: "development",
+        };
     }
-  }
-
-  // If multiple accounts detected, skip to post-KV setup
-  if (multipleAccountsDetected) {
-    return skipToPostKVSetup();
-  }
-
-  // 4. Update wrangler.toml with KV IDs
-  if (Object.keys(kvIds).length > 0) {
-    log('\\n📝 Updating wrangler.toml with KV namespace IDs...\\n', colors.bright);
-
-    try {
-      wranglerContent = fs.readFileSync(wranglerTomlPath, 'utf-8');
-      let updatedCount = 0;
-
-      for (const [binding, id] of Object.entries(kvIds)) {
-        // Match pattern: binding = "BINDING_NAME"\\nid = "anything" (including placeholders)
-        const pattern = new RegExp(\`(binding = "\${binding}")\\\\s*\\\\nid = "[^"]*"\`, 'g');
-        const replacement = \`$1\\nid = "\${id}"\`;
-
-        const newContent = wranglerContent.replace(pattern, replacement);
-        if (newContent !== wranglerContent) {
-          updatedCount++;
-          log(\`  ✅ Updated \${binding} with ID: \${id}\`, colors.green);
-        }
-        wranglerContent = newContent;
-      }
-
-      fs.writeFileSync(wranglerTomlPath, wranglerContent);
-      log(\`\\n✅ Updated \${updatedCount} namespace ID(s) in wrangler.toml\`, colors.green);
-
-      // Show remaining placeholder IDs if any
-      const placeholderMatches = wranglerContent.match(/binding = "[^"]+"\\s*\\nid = "your_[^"]+"/g);
-      if (placeholderMatches) {
-        log('\\n⚠️  Some namespace IDs still have placeholders:', colors.yellow);
-        placeholderMatches.forEach(match => {
-          const bindingMatch = match.match(/binding = "([^"]+)"/);
-          if (bindingMatch) {
-            log(\`  - \${bindingMatch[1]}\`, colors.yellow);
-          }
-        });
-      }
-    } catch (error) {
-      log(\`❌ Failed to update wrangler.toml: \${error.message}\`, colors.red);
+    else {
+        console.log(chalk.blue("🔑 Generating cryptographic identity..."));
+        identity = await generateIdentity();
     }
-  }
-
-  // 5. Create .dev.vars from example if it doesn't exist
-  const devVarsPath = path.join(__dirname, '..', '.dev.vars');
-  const devVarsExamplePath = path.join(__dirname, '..', '.dev.vars.example');
-
-  if (!fs.existsSync(devVarsPath) && fs.existsSync(devVarsExamplePath)) {
-    log('\\n📋 Creating .dev.vars from example...', colors.blue);
-    fs.copyFileSync(devVarsExamplePath, devVarsPath);
-    log('✅ Created .dev.vars - Please update with your values', colors.green);
-  }
-
-  // 6. Check if identity needs to be generated
-  if (fs.existsSync(devVarsPath)) {
-    const devVarsContent = fs.readFileSync(devVarsPath, 'utf-8');
-    if (devVarsContent.includes('your-private-key-here')) {
-      log('\\n🔑 Generating agent identity...', colors.blue);
-      try {
-        execSync('npx @kya-os/create-mcpi-app regenerate-identity', { stdio: 'inherit' });
-        log('✅ Identity generated successfully', colors.green);
-      } catch {
-        log('⚠️  Could not generate identity automatically. Run: npx @kya-os/create-mcpi-app regenerate-identity', colors.yellow);
-      }
-    }
-  }
-
-  // 7. Show next steps
-  log('\\n✨ Setup complete! Next steps:\\n', colors.bright + colors.green);
-  log('1. Review .dev.vars and add any missing values (AgentShield API key, etc.)', colors.blue);
-  log('2. Start development server: npm run dev', colors.blue);
-  log('3. Deploy to production: npm run deploy', colors.blue);
-  log('\\nUseful commands:', colors.bright);
-  log('  npm run dev                    - Start local development server');
-  log('  npm run deploy                 - Deploy to Cloudflare Workers');
-  log('  npm run kv:list                - List all KV namespaces');
-  log('  wrangler secret put <KEY>      - Set production secrets');
-  log('\\nFor more information, see the README.md file.\\n');
-
-  rl.close();
-}
-
-// Handle errors gracefully
-process.on('unhandledRejection', (error) => {
-  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
-  process.exit(1);
-});
-
-// Run the setup
-setup().catch((error) => {
-  log(\`\\n❌ Setup failed: \${error.message}\`, colors.red);
-  process.exit(1);
-});
-`;
-        fs.writeFileSync(path.join(scriptsDir, "setup.js"), setupScriptContent);
-        // Make setup script executable
-        if (process.platform !== "win32") {
-            fs.chmodSync(path.join(scriptsDir, "setup.js"), "755");
-        }
-        // Note: Tests directory is not created by default
-        // Users can add their own tests as needed
-        // Create greet tool
-        const greetToolContent = `import { z } from "zod";
-
-/**
- * Greet Tool - Example MCP tool with AgentShield integration
- *
- * This tool demonstrates proper scopeId configuration for tool auto-discovery.
- *
- * Configure the corresponding scope in mcpi-runtime-config.ts:
- * \`\`\`typescript
- * toolProtections: {
- *   greet: {
- *     requiresDelegation: false,
- *     requiredScopes: ["greet:execute"],  // ← This becomes the scopeId in proofs
- *   }
- * }
- * \`\`\`
- *
- * The scopeId format is "toolName:action":
- * - Tool name: "greet" (extracted before the ":")
- * - Action: "execute" (extracted after the ":")
- * - Risk level: Auto-determined from action keyword (execute = high)
- *
- * Other scopeId examples:
- * - "files:read" → Medium risk
- * - "files:write" → High risk
- * - "database:delete" → Critical risk
- */
-export const greetTool = {
-  name: "greet",
-  description: "Greet a user by name",
-  inputSchema: z.object({
-    name: z.string().describe("The name of the user to greet")
-  }),
-  handler: async ({ name }: { name: string }) => {
-    return {
-      content: [
-        {
-          type: "text" as const,
-          text: \`Hello, \${name}! Welcome to your Cloudflare MCP server.\`
-        }
-      ]
+    // 3. Create package.json with all scripts
+    const packageJson = {
+        name: projectName,
+        version: "0.1.0",
+        private: true,
+        scripts: {
+            deploy: "wrangler deploy",
+            dev: "wrangler dev",
+            start: "wrangler dev",
+            test: "vitest",
+            "cf-typegen": "wrangler types",
+            setup: "node scripts/setup.js",
+            "kv:create-nonce": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[0]}`,
+            "kv:create-proof": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[1]}`,
+            "kv:create-identity": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[2]}`,
+            "kv:create-delegation": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[3]}`,
+            "kv:create-tool-protection": `wrangler kv:namespace create ${projectNameUpper}_${KV_BINDING_NAMES[4]}`,
+        },
+        dependencies: {
+            "@kya-os/mcp-i-cloudflare": "1.6.16",
+            "@modelcontextprotocol/sdk": "1.19.1",
+            agents: "0.2.21",
+            hono: "4.6.3",
+        },
+        devDependencies: {
+            "@cloudflare/vitest-pool-workers": "0.5.2",
+            "@cloudflare/workers-types": "4.20240925.0",
+            "@types/node": "20.8.3",
+            typescript: "5.5.2",
+            vitest: "2.0.5",
+            wrangler: "3.78.12",
+        },
     };
-  }
-};
-`;
-        fs.writeFileSync(path.join(toolsDir, "greet.ts"), greetToolContent);
-        // Create mcpi-runtime-config.ts for AgentShield integration
-        const runtimeConfigContent = `import type { CloudflareRuntimeConfig } from '@kya-os/mcp-i-cloudflare/config';
-import type { CloudflareEnv } from '@kya-os/mcp-i-cloudflare';
-import { defineConfig } from '@kya-os/mcp-i-cloudflare';
-
-/**
- * Runtime configuration for MCP-I server
- *
- * This file configures runtime features like proof submission to AgentShield,
- * delegation verification, and audit logging.
- *
- * Environment variables are automatically injected from wrangler.toml (Cloudflare)
- * or .env (Node.js). Configure them there:
- * - AGENTSHIELD_API_URL: AgentShield API base URL
- * - AGENTSHIELD_API_KEY: Your AgentShield API key
- * - AGENTSHIELD_PROJECT_ID: Your AgentShield project ID (optional but recommended)
- * - MCPI_ENV: "development" or "production"
- *
- * Tool Protection:
- * - Automatically enabled if AGENTSHIELD_API_KEY and TOOL_PROTECTION_KV are set
- * - Fetches tool protection config from AgentShield API by project ID
- * - Caches config for 5 minutes to minimize API calls
- * - Falls back to local config if API is unavailable
- * - Configure delegation requirements in AgentShield dashboard
- */
-export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
-  return defineConfig({
-    // Only specify overrides - defaults are handled automatically
-    vars: {
-      ENVIRONMENT: env.ENVIRONMENT || env.MCPI_ENV || 'development',
-      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
-      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
-    },
-    // Tool protection is automatically enabled by defineConfig if AGENTSHIELD_API_KEY is present
-    // You can override by explicitly setting toolProtection here
-    // Optional: Enable admin endpoints
-    admin: {
-      enabled: false,  // Set to true and provide ADMIN_API_KEY to enable
-      apiKey: env.ADMIN_API_KEY,
-    },
-  });
-}
-`;
-        fs.writeFileSync(path.join(srcDir, "mcpi-runtime-config.ts"), runtimeConfigContent);
-        // Create main index.ts using MCPICloudflareServer
-        const indexContent = `import { MCPICloudflareAgent, createMCPIApp, type PrefixedCloudflareEnv } from "@kya-os/mcp-i-cloudflare";
-import { greetTool } from "./tools/greet";
-import { getRuntimeConfig } from "./mcpi-runtime-config";
+    await fs.writeJson(path.join(targetDir, "package.json"), packageJson, {
+        spaces: 2,
+    });
+    // 4. Create .dev.vars with ALL secrets
+    // Generate OAuth encryption secret (32+ characters)
+    const oauthEncryptionSecret = crypto.randomBytes(32).toString("hex");
+    const devVarsContent = `# Secrets for local development
+# Generated by create-mcpi-app
+
+# Agent Identity (DO NOT COMMIT THIS FILE)
+MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
 
-/**
- * Extended CloudflareEnv with prefixed KV bindings for multi-agent deployments
- */
-interface MyPrefixedCloudflareEnv extends PrefixedCloudflareEnv {
-  ${className.toUpperCase()}_NONCE_CACHE?: KVNamespace;
-  ${className.toUpperCase()}_PROOF_ARCHIVE?: KVNamespace;
-  ${className.toUpperCase()}_IDENTITY_STORAGE?: KVNamespace;
-  ${className.toUpperCase()}_DELEGATION_STORAGE?: KVNamespace;
-  ${className.toUpperCase()}_TOOL_PROTECTION_KV?: KVNamespace;
-}
+# OAuth Encryption Secret (required for OAuth/delegation flows)
+# Used to encrypt OAuth state parameters for secure token exchange
+OAUTH_ENCRYPTION_SECRET="${oauthEncryptionSecret}"
 
-/**
- * Your custom MCP agent - only define your tools here!
- * All framework complexity (runtime initialization, proof generation, etc.) is handled automatically.
- */
-export class ${pascalClassName}MCP extends MCPICloudflareAgent {
-  async registerTools() {
-    // Register your custom tools - proofs are generated automatically
-    this.server.tool(
-      greetTool.name,
-      greetTool.description,
-      greetTool.inputSchema.shape,
-      async (args: { name: string }) => {
-        return this.executeToolWithProof(
-          greetTool.name,
-          args,
-          greetTool.handler
-        );
-      }
-    );
-  }
-}
+# AgentShield Configuration
+${apikey ? `AGENTSHIELD_API_KEY="${apikey}"` : '# AGENTSHIELD_API_KEY="sk_YOUR_API_KEY_HERE"'}
 
-// Create and export the app - all routing is handled automatically
-export default createMCPIApp({
-  AgentClass: ${pascalClassName}MCP,
-  agentName: "${projectName}",
-  agentVersion: "1.0.0",
-  envPrefix: "${className.toUpperCase()}",
-  getRuntimeConfig,
-});
+# Admin API Key for cache management
+# Uses the same key as AGENTSHIELD_API_KEY for convenience
+# You can change this to a different key if you need separate admin access
+${apikey ? `ADMIN_API_KEY="${apikey}"` : '# ADMIN_API_KEY="sk_YOUR_ADMIN_KEY_HERE"'}
 `;
-        fs.writeFileSync(path.join(srcDir, "index.ts"), indexContent);
-        const wranglerContent = `#:schema node_modules/wrangler/config-schema.json
-name = "${wranglerName}"
+    await fs.outputFile(path.join(targetDir, ".dev.vars"), devVarsContent);
+    // 5. Create wrangler.toml with all KV namespaces (placeholders initially)
+    const wranglerToml = `#:schema node_modules/wrangler/config-schema.json
+name = "${projectName}"
 main = "src/index.ts"
-compatibility_date = "2025-06-18"
+compatibility_date = "2024-09-25"
 compatibility_flags = ["nodejs_compat"]
 
+# Durable Object binding for MCP Agent state
 [[durable_objects.bindings]]
 name = "MCP_OBJECT"
-class_name = "${pascalClassName}MCP"
+class_name = "${toPascalCase(projectName)}MCP"
 
 [[migrations]]
 tag = "v1"
-new_sqlite_classes = ["${pascalClassName}MCP"]
+# Use new_sqlite_classes instead of new_classes - required by agents package for SQL storage
+new_sqlite_classes = ["${toPascalCase(projectName)}MCP"]
 
 # Cron trigger for proof batch queue flushing (OPTIONAL - CURRENTLY DISABLED)
 # 
@@ -639,8 +163,8 @@ new_sqlite_classes = ["${pascalClassName}MCP"]
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-nonce
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_NONCE_CACHE"
-id = "your_nonce_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_${KV_BINDING_NAMES[0]}"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 # KV Namespace for proof archive (RECOMMENDED for auditability)
 #
@@ -651,8 +175,8 @@ id = "your_nonce_kv_namespace_id"  # Auto-filled by setup script
 #
 # Note: Comment out if you don't need proof archiving
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_PROOF_ARCHIVE"
-id = "your_proof_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_${KV_BINDING_NAMES[1]}"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 # KV Namespace for identity storage (RECOMMENDED for persistent agent identity)
 #
@@ -661,8 +185,8 @@ id = "your_proof_kv_namespace_id"  # Auto-filled by setup script
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-identity
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_IDENTITY_STORAGE"
-id = "your_identity_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_${KV_BINDING_NAMES[2]}"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 # KV Namespace for delegation storage (REQUIRED for OAuth/delegation flows)
 #
@@ -671,10 +195,10 @@ id = "your_identity_kv_namespace_id"  # Auto-filled by setup script
 # This namespace is automatically created by the setup script (npm run setup)
 # If you need to recreate it: npm run kv:create-delegation
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_DELEGATION_STORAGE"
-id = "your_delegation_kv_namespace_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_${KV_BINDING_NAMES[3]}"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
-# KV Namespace for tool protection config (${apikey ? "ENABLED" : "OPTIONAL"} for dashboard-controlled delegation)
+# KV Namespace for tool protection config (ENABLED for dashboard-controlled delegation)
 #
 # 🆕 Enables dynamic tool protection configuration from AgentShield dashboard
 # Caches which tools require user delegation based on dashboard toggle switches
@@ -692,532 +216,559 @@ id = "your_delegation_kv_namespace_id"  # Auto-filled by setup script
 # Note: This namespace is REQUIRED when using AgentShield API key (--apikey)
 #       It will be automatically created by the setup script (npm run setup)
 [[kv_namespaces]]
-binding = "${className.toUpperCase()}_TOOL_PROTECTION_KV"
-id = "your_tool_protection_kv_id"  # Auto-filled by setup script
+binding = "${projectNameUpper}_${KV_BINDING_NAMES[4]}"
+id = "TODO_REPLACE_WITH_ID"  # Auto-filled by setup script
 
 [vars]
+# Agent DID (public identifier - safe to commit)
+MCP_IDENTITY_AGENT_DID = "${identity.did}"
+
+# Public identity key (safe to commit - not sensitive)
+MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
+
+# Private identity key (SECRET - NOT declared here)
+# For local development: Add to .dev.vars file
+# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+
+# ALLOWED_ORIGINS for CORS (update for production)
+ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
+
+# DO routing strategy: "session" for dev, "shard" for production high-load
+DO_ROUTING_STRATEGY = "session"
+DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
+
 XMCP_I_TS_SKEW_SEC = "120"
 XMCP_I_SESSION_TTL = "1800"
 
 # AgentShield Integration (https://kya.vouched.id)
 AGENTSHIELD_API_URL = "https://kya.vouched.id"
+
 # AGENTSHIELD_PROJECT_ID - Your project ID from AgentShield dashboard (e.g., "batman-txh0ae")
 #   Required for project-scoped tool protection configuration (recommended)
 #   Find it in your dashboard URL: https://kya.vouched.id/dashboard/projects/{PROJECT_ID}
 #   Or in your project settings
 #   This is not sensitive, so it's safe to keep a value here
-AGENTSHIELD_PROJECT_ID = "${projectId || ""}"
+${projectId ? `AGENTSHIELD_PROJECT_ID = "${projectId}"` : '# AGENTSHIELD_PROJECT_ID = "your-project-id"'}
+
 MCPI_ENV = "development"
 
 # Secrets (NOT declared here - see instructions below)
 # For local development: Add secrets to .dev.vars file
 # For production: Use wrangler secret put COMMAND_NAME
+#
+# Required secrets:
 #   $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-#   $ wrangler secret put AGENTSHIELD_API_KEY
-#   $ wrangler secret put ADMIN_API_KEY
+#   $ wrangler secret put OAUTH_ENCRYPTION_SECRET  # Required for OAuth/delegation flows
+#
+# Optional secrets (recommended for production):
+#   $ wrangler secret put AGENTSHIELD_API_KEY  # For AgentShield integration
+#
+# Optional secrets (advanced):
+#   $ wrangler secret put ADMIN_API_KEY        # For cache management endpoints
+#                                              # Falls back to AGENTSHIELD_API_KEY if not set
+#
 # Note: .dev.vars is git-ignored and contains actual secret values for local dev
 
 # Optional: MCP Server URL for tool discovery and consent page generation
 # Uncomment to explicitly set your MCP server URL (auto-detected from request origin if not set)
 # IMPORTANT: Use base URL WITHOUT /mcp suffix (e.g., "https://your-worker.workers.dev")
 # The consent pages are at /consent, not /mcp/consent
-# MCP_SERVER_URL = "https://your-worker.workers.dev"
+# MCP_SERVER_URL = "https://${projectName}.YOUR-SUBDOMAIN.workers.dev"
 `;
-        fs.writeFileSync(path.join(projectPath, "wrangler.toml"), wranglerContent);
-        // Generate persistent identity for Cloudflare Worker
-        if (!skipIdentity) {
-            console.log(chalk.cyan("🔐 Generating persistent identity..."));
-            try {
-                const identity = await generateIdentity();
-                // Read existing wrangler.toml
-                const wranglerPath = path.join(projectPath, "wrangler.toml");
-                let wranglerTomlContent = fs.readFileSync(wranglerPath, "utf8");
-                // Find [vars] section and add identity environment variables
-                // Add ALL identity variables (empty values will be overridden by .dev.vars)
-                const varsMatch = wranglerTomlContent.match(/\[vars\]/);
-                if (varsMatch) {
-                    const insertPosition = varsMatch.index + varsMatch[0].length;
-                    const identityVars = `
-# Agent DID (public identifier - safe to commit)
-MCP_IDENTITY_AGENT_DID = "${identity.did}"
-
-# Public identity key (safe to commit - not sensitive)
-MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"
-
-# Private identity key (SECRET - NOT declared here)
-# For local development: Add to .dev.vars file
-# For production: Use wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-
-# ALLOWED_ORIGINS for CORS (update for production)
-ALLOWED_ORIGINS = "https://claude.ai,https://app.anthropic.com"
-
-# DO routing strategy: "session" for dev, "shard" for production high-load
-DO_ROUTING_STRATEGY = "session"
-DO_SHARD_COUNT = "10"  # Number of shards if using shard strategy
-
-`;
-                    // Remove any secret declarations from [vars] (they should not be here)
-                    // Secrets go in .dev.vars for local dev, wrangler secret put for production
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*MCP_IDENTITY_PRIVATE_KEY\s*=.*$/gm, `# MCP_IDENTITY_PRIVATE_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*AGENTSHIELD_API_KEY\s*=.*$/gm, `# AGENTSHIELD_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    wranglerTomlContent = wranglerTomlContent.replace(/^\s*ADMIN_API_KEY\s*=.*$/gm, `# ADMIN_API_KEY - SECRET (not declared here, see .dev.vars or wrangler secret put)`);
-                    // Update public key if it exists (safe to keep in [vars])
-                    if (/MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent)) {
-                        wranglerTomlContent = wranglerTomlContent.replace(/MCP_IDENTITY_PUBLIC_KEY\s*=\s*"[^"]*"/, `MCP_IDENTITY_PUBLIC_KEY = "${identity.publicKey}"`);
-                    }
-                    // Update AGENTSHIELD_PROJECT_ID if it exists and projectId is provided
-                    // This is safe to keep a value since it's not sensitive
-                    if (projectId &&
-                        /AGENTSHIELD_PROJECT_ID\s*=/.test(wranglerTomlContent)) {
-                        wranglerTomlContent = wranglerTomlContent.replace(/AGENTSHIELD_PROJECT_ID\s*=\s*"[^"]*"/, `AGENTSHIELD_PROJECT_ID = "${projectId}"`);
-                    }
-                    // Check if non-secret variables already exist in wrangler.toml
-                    const hasIdentityDid = /MCP_IDENTITY_AGENT_DID\s*=/.test(wranglerTomlContent);
-                    const hasIdentityPublicKey = /MCP_IDENTITY_PUBLIC_KEY\s*=/.test(wranglerTomlContent);
-                    // Only insert identity vars if they don't already exist
-                    const needsInsertion = !hasIdentityDid || !hasIdentityPublicKey;
-                    if (needsInsertion) {
-                        wranglerTomlContent =
-                            wranglerTomlContent.slice(0, insertPosition) +
-                                identityVars +
-                                wranglerTomlContent.slice(insertPosition);
-                    }
-                    // Write updated wrangler.toml (without secrets)
-                    fs.writeFileSync(wranglerPath, wranglerTomlContent);
-                    // Create .dev.vars file for local development (git-ignored)
-                    // Only contains SECRETS (not public keys or project IDs)
-                    const devVarsPath = path.join(projectPath, ".dev.vars");
-                    const devVarsContent = `# Local development secrets (DO NOT COMMIT)
-# This file is git-ignored and contains sensitive data
-# 
-# HOW IT WORKS:
-# 1. Secrets are NOT declared in wrangler.toml [vars] (avoids conflicts)
-# 2. This file (.dev.vars) provides secrets for local development
-# 3. Production uses: wrangler secret put VARIABLE_NAME
-#
-# Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID) are in wrangler.toml
-
-# Private identity key (generated by create-mcpi-app)
-MCP_IDENTITY_PRIVATE_KEY="${identity.privateKey}"
-
-# AgentShield API key (get from https://kya.vouched.id/dashboard)
-AGENTSHIELD_API_KEY="${apikey || ""}"${apikey ? "  # Provided via --apikey flag" : ""}
-
-# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
-ADMIN_API_KEY="${apikey || ""}"${apikey ? "  # Set to same value as AGENTSHIELD_API_KEY" : ""}
-`;
-                    fs.writeFileSync(devVarsPath, devVarsContent);
-                    // Create .dev.vars.example for reference
-                    const devVarsExamplePath = path.join(projectPath, ".dev.vars.example");
-                    const devVarsExampleContent = `# Copy this file to .dev.vars and fill in your values
-# DO NOT commit .dev.vars to version control
-#
-# NOTE: Only secrets go here. Non-secrets (MCP_IDENTITY_PUBLIC_KEY, AGENTSHIELD_PROJECT_ID)
-# are in wrangler.toml [vars] and can be committed safely.
-
-# Private identity key (generate with: npx @kya-os/create-mcpi-app regenerate-identity)
-MCP_IDENTITY_PRIVATE_KEY="your-private-key-here"
+    await fs.outputFile(path.join(targetDir, "wrangler.toml"), wranglerToml);
+    // 6. Create src/index.ts (Entry Point)
+    const indexTs = `import { createMCPIApp } from "@kya-os/mcp-i-cloudflare";
+import { ${toPascalCase(projectName)}MCP } from "./agent";
+import { getRuntimeConfig } from "./mcpi-runtime-config";
 
-# AgentShield API key (get from https://kya.vouched.id/dashboard)
-AGENTSHIELD_API_KEY="your-api-key-here"
+export default createMCPIApp({
+  AgentClass: ${toPascalCase(projectName)}MCP,
+  getRuntimeConfig,
+  envPrefix: "${projectNameUpper}", // Maps prefixed KV bindings (e.g., ${projectNameUpper}_NONCE_CACHE) to standard names
+});
 
-# Admin API key for protected endpoints (set to same value as AGENTSHIELD_API_KEY)
-ADMIN_API_KEY="your-admin-key-here"
+// Export Durable Object class for Cloudflare Workers binding
+export { ${toPascalCase(projectName)}MCP };
 `;
-                    fs.writeFileSync(devVarsExamplePath, devVarsExampleContent);
-                    console.log(chalk.green("✅ Generated persistent identity"));
-                    console.log(chalk.dim(`   DID: ${identity.did}`));
-                    console.log(chalk.green("✅ Created secure configuration:"));
-                    console.log(chalk.dim("   • Public DID in wrangler.toml (safe to commit)"));
-                    console.log(chalk.dim("   • Private keys in .dev.vars (git-ignored)"));
-                    console.log(chalk.dim("   • Example template in .dev.vars.example"));
-                    console.log();
-                    console.log(chalk.yellow("🔒 Production Security:"));
-                    console.log(chalk.dim("   Secrets are NOT in wrangler.toml (cleaner approach)"));
-                    console.log(chalk.dim("   For production, set secrets using wrangler:"));
-                    console.log(chalk.cyan("      $ wrangler secret put MCP_IDENTITY_PRIVATE_KEY"));
-                    console.log(chalk.cyan("      $ wrangler secret put AGENTSHIELD_API_KEY"));
-                    console.log(chalk.cyan("      $ wrangler secret put ADMIN_API_KEY"));
-                    console.log();
-                    console.log(chalk.dim("   Tip: Copy values from .dev.vars when prompted"));
-                    console.log();
-                }
-            }
-            catch (error) {
-                console.log(chalk.yellow("⚠️  Failed to generate identity:"), error.message);
-                console.log(chalk.dim("   You can generate one later with:"));
-                console.log(chalk.cyan("   $ npx @kya-os/create-mcpi-app regenerate-identity"));
-                console.log();
-            }
-        }
-        // Create tsconfig.json
-        fs.ensureDirSync(projectPath); // Ensure directory exists before writing
-        const tsconfigContent = {
-            compilerOptions: {
-                target: "ES2022",
-                module: "ES2022",
-                lib: ["ES2022"],
-                types: ["@cloudflare/workers-types"],
-                moduleResolution: "bundler",
-                resolveJsonModule: true,
-                allowSyntheticDefaultImports: true,
-                esModuleInterop: true,
-                strict: true,
-                skipLibCheck: true,
-                forceConsistentCasingInFileNames: true,
-            },
-            include: ["src/**/*"],
-        };
-        fs.writeJsonSync(path.join(projectPath, "tsconfig.json"), tsconfigContent, {
-            spaces: 2,
-        });
-        // Create .gitignore
-        const gitignoreContent = `node_modules/
-dist/
-.wrangler/
-.dev.vars
-.env
-.env.local
-*.log
-`;
-        fs.writeFileSync(path.join(projectPath, ".gitignore"), gitignoreContent);
-        // Create .npmrc to suppress harmless deprecation warnings
-        const npmrcContent = `# Suppress deprecation warnings from transitive dependencies
-# These warnings are harmless and don't affect functionality
-# They come from: inflight (glob@7), phin (jimp), rimraf (del), glob (rimraf), node-domexception (node-fetch)
-# Will be resolved when upstream packages update their dependencies
-loglevel=error
-`;
-        fs.writeFileSync(path.join(projectPath, ".npmrc"), npmrcContent);
-        // Create README.md
-        const readmeContent = `# ${projectName}
-
-MCP server running on Cloudflare Workers with MCP-I identity features, cryptographic proofs, and full SSE/HTTP streaming support.
-
-## Features
-
-- ✅ **MCP Protocol Support**: SSE and HTTP streaming transports
-- ✅ **Cryptographic Identity**: DID-based agent identity with Ed25519 signatures
-- ✅ **Proof Generation**: Every tool call generates a cryptographic proof
-- ✅ **Audit Logging**: Track all operations with proof IDs and signatures
-- ✅ **Nonce Protection**: Replay attack prevention via KV-backed nonce cache
-- ✅ **Proof Archiving**: Optional KV storage for proof history
-
-## Quick Start
-
-### 1. Install Dependencies
-
-\`\`\`bash
-${packageManager} install
-\`\`\`
-
-### 2. Create KV Namespaces
-
-#### Create All KV Namespaces (Recommended)
-
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} kv:create
-\`\`\`
-
-This creates all 5 KV namespaces at once:
-- \`NONCE_CACHE\` - Replay attack prevention (Required)
-- \`PROOF_ARCHIVE\` - Cryptographic proof storage (Recommended)
-- \`IDENTITY_STORAGE\` - Agent identity persistence (Recommended)
-- \`DELEGATION_STORAGE\` - OAuth delegation storage (Required for delegation)
-- \`TOOL_PROTECTION_KV\` - Dashboard-controlled permissions (Optional)
-
-Copy the namespace IDs from the output and update each one in \`wrangler.toml\`:
-
-\`\`\`toml
-[[kv_namespaces]]
-binding = "NONCE_CACHE"
-id = "your_nonce_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "PROOF_ARCHIVE"
-id = "your_proof_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "IDENTITY_STORAGE"
-id = "your_identity_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "DELEGATION_STORAGE"
-id = "your_delegation_kv_id_here"  # ← Update this
-
-[[kv_namespaces]]
-binding = "TOOL_PROTECTION_KV"
-id = "your_tool_protection_kv_id_here"  # ← Update this
-\`\`\`
-
-**Note:** You can also create namespaces individually:
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-nonce\` - Create nonce cache only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-proof\` - Create proof archive only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-identity\` - Create identity storage only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-delegation\` - Create delegation storage only
-- \`${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection\` - Create tool protection cache only
-
-### 3. Test Locally
-
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} dev
-\`\`\`
-
-### 4. Deploy
-
-#### Production Deployment
-
-Secrets are **not** declared in \`wrangler.toml\` to avoid conflicts. Set them using:
-
-\`\`\`bash
-wrangler secret put MCP_IDENTITY_PRIVATE_KEY
-wrangler secret put AGENTSHIELD_API_KEY
-wrangler secret put ADMIN_API_KEY
-\`\`\`
-
-**Tip:** Copy values from your \`.dev.vars\` file when prompted.
-
-**Note:** \`MCP_IDENTITY_PUBLIC_KEY\` and \`AGENTSHIELD_PROJECT_ID\` are not secrets and are already in \`wrangler.toml\` with values.
+    await fs.outputFile(path.join(targetDir, "src/index.ts"), indexTs);
+    // 7. Create src/agent.ts (Agent Class)
+    const agentTs = `import { MCPICloudflareAgent, type CloudflareEnv } from "@kya-os/mcp-i-cloudflare";
+import { getRuntimeConfig } from "./mcpi-runtime-config";
+import { getTools } from "./mcpi-runtime-config";
+import type { CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare";
 
-Now deploy:
+/**
+ * MCP-I Agent Implementation
+ * 
+ * This class extends MCPICloudflareAgent and provides the agent-specific
+ * configuration and tool registration. The Durable Object class (${toPascalCase(projectName)}MCP)
+ * is exported separately for Cloudflare Workers bindings.
+ */
+export class ${toPascalCase(projectName)}MCP extends MCPICloudflareAgent {
+  /**
+   * Get agent name
+   */
+  protected getAgentName(): string {
+    return "${projectName}";
+  }
 
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} deploy
-\`\`\`
+  /**
+   * Get agent version
+   */
+  protected getAgentVersion(): string {
+    return "1.0.0";
+  }
 
-## Connect with Claude Desktop
+  /**
+   * Get environment prefix for KV bindings
+   * This allows the framework to map prefixed KV namespaces (e.g., ${projectNameUpper}_${KV_BINDING_NAMES[0]})
+   * to standard names (e.g., ${KV_BINDING_NAMES[0]}) automatically
+   */
+  protected getEnvPrefix(): string | undefined {
+    return "${projectNameUpper}";
+  }
 
-Add to \`~/Library/Application Support/Claude/claude_desktop_config.json\`:
+  /**
+   * Get runtime configuration
+   * This is called during agent initialization and has access to the environment
+   */
+  protected getRuntimeConfigInternal(env: CloudflareEnv): CloudflareRuntimeConfig {
+    return getRuntimeConfig(env);
+  }
 
-\`\`\`json
-{
-  "mcpServers": {
-    "${projectName}": {
-      "command": "npx",
-      "args": ["mcp-remote", "https://your-worker.workers.dev/sse"]
+  /**
+   * Register tools with the MCP server
+   * Tools are defined in mcpi-runtime-config.ts
+   */
+  protected async registerTools(): Promise<void> {
+    // Get tools from the tools registry
+    const tools = getTools();
+    
+      // Register each tool with proof generation
+      for (const toolDef of tools) {
+        // Pass the full JSON Schema object - registerToolWithProof will normalize it
+        // The MCP SDK expects a JSON Schema object with type, properties, and required fields
+      this.registerToolWithProof(
+        toolDef.name,
+        toolDef.description,
+          toolDef.inputSchema, // Pass full JSON Schema object
+        toolDef.handler
+      );
     }
   }
 }
-\`\`\`
-
-**Note:** Use the \`/sse\` endpoint for Claude Desktop compatibility.
-
-Restart Claude Desktop and test: "Use the greet tool to say hello to Alice"
-
-## Adding Tools
-
-Create tools in \`src/tools/\`:
-
-\`\`\`typescript
-import { z } from "zod";
+`;
+    await fs.outputFile(path.join(targetDir, "src/agent.ts"), agentTs);
+    // 8. Create src/tools/greet.ts
+    const greetToolTs = `import type { ToolDefinition } from "@kya-os/mcp-i-cloudflare";
 
-export const myTool = {
-  name: "my_tool",
-  description: "Tool description",
-  inputSchema: z.object({
-    input: z.string().describe("Input parameter")
-  }),
-  handler: async ({ input }: { input: string }) => ({
-    content: [{ type: "text" as const, text: \`Result: \${input}\` }]
-  })
+/**
+ * Greet tool definition
+ * 
+ * This tool demonstrates a simple MCP tool implementation.
+ * Tools are registered with the MCP server and can be called by MCP clients.
+ */
+export const greetTool: ToolDefinition = {
+  name: "greet",
+  description: "Greet the user",
+  inputSchema: {
+    type: "object",
+    properties: {
+      name: { type: "string", description: "Name of the person to greet" },
+    },
+    required: ["name"],
+  },
+  handler: async (args: { name: string }) => {
+    return {
+      content: [
+        {
+          type: "text",
+          text: \`Hello, \${args.name}! Welcome to ${projectName}.\`,
+        },
+      ],
+    };
+  },
 };
-\`\`\`
-
-Register in \`src/index.ts\` init method:
-
-\`\`\`typescript
-this.server.tool(
-  myTool.name,
-  myTool.description,
-  myTool.inputSchema.shape,
-  myTool.handler
-);
-\`\`\`
-
-## Endpoints
-
-- \`/health\` - Health check
-- \`/sse\` - SSE transport for MCP
-- \`/mcp\` - Streamable HTTP transport for MCP
-- \`/oauth/callback\` - OAuth callback for delegation flows
-- \`/admin/clear-cache\` - Clear tool protection cache (requires API key)
-
-## Viewing Cryptographic Proofs
-
-Every tool call generates a cryptographic proof that's logged to the console:
-
-\`\`\`bash
-${packageManager === "npm" ? "npm run" : packageManager} dev
-\`\`\`
-
-When you call a tool, you'll see logs like:
+`;
+    await fs.outputFile(path.join(targetDir, "src/tools/greet.ts"), greetToolTs);
+    // 9. Create src/mcpi-runtime-config.ts
+    const runtimeConfigTs = `import { defineConfig, type CloudflareRuntimeConfig } from "@kya-os/mcp-i-cloudflare";
+import type { CloudflareEnv } from "@kya-os/mcp-i-cloudflare";
+import { greetTool } from "./tools/greet";
 
-\`\`\`
-[MCP-I] Initialized with DID: did:web:localhost:agents:key-abc123
-[MCP-I Proof] {
-  tool: 'greet',
-  did: 'did:web:localhost:agents:key-abc123',
-  proofId: 'proof_1234567890_abcd',
-  signature: 'mNYP8x2k9FqV3...'
+/**
+ * Get runtime configuration for MCP-I Cloudflare Worker
+ * 
+ * This function is called by the framework to get the runtime configuration.
+ */
+export function getRuntimeConfig(env: CloudflareEnv): CloudflareRuntimeConfig {
+  // Determine environment with proper type casting
+  const environment = (env.MCPI_ENV || env.ENVIRONMENT || "development") as "development" | "production";
+  
+  // Extract proofing config from env if API key is present
+  const proofingConfig = env.AGENTSHIELD_API_KEY ? {
+    enabled: true,
+    batchQueue: {
+      destinations: [{
+        type: 'agentshield' as const,
+        apiKey: env.AGENTSHIELD_API_KEY,
+        apiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
+      }],
+    },
+  } : undefined;
+  
+  return defineConfig({
+    environment,
+    proofing: proofingConfig,
+    // Pass environment variables through vars so defineConfig can access them
+    vars: {
+      ENVIRONMENT: environment,
+      AGENTSHIELD_API_KEY: env.AGENTSHIELD_API_KEY,
+      AGENTSHIELD_API_URL: env.AGENTSHIELD_API_URL,
+      AGENTSHIELD_PROJECT_ID: env.AGENTSHIELD_PROJECT_ID,
+    },
+    // Add other configuration options as needed
+  });
 }
-\`\`\`
-
-### Proof Archives (Optional)
-
-If you configured the \`PROOF_ARCHIVE\` KV namespace, proofs are also stored for querying:
-
-\`\`\`bash
-# List all proofs
-wrangler kv:key list --namespace-id=your_proof_kv_id
-
-# View a specific proof
-wrangler kv:key get "proof_1234567890_abcd" --namespace-id=your_proof_kv_id
-\`\`\`
-
-## Identity Management
-
-Your agent's cryptographic identity is stored in Durable Objects state. To view your agent's DID:
-
-1. Check the logs during \`init()\` - it prints the DID
-2. Or query the runtime: \`await mcpiRuntime.getIdentity()\`
-
-The identity includes:
-- \`did\`: Decentralized identifier (e.g., \`did:web:your-worker.workers.dev:agents:key-xyz\`)
-- \`publicKey\`: Ed25519 public key for signature verification
-- \`privateKey\`: Ed25519 private key (secured in Durable Object state)
-
-## AgentShield Integration
-
-This project is configured to send cryptographic proofs to AgentShield for audit trails and compliance monitoring.
-
-### Setup
-
-1. **Get your AgentShield API key**:
-   - Sign up at https://kya.vouched.id
-   - Create a project
-   - Copy your API key from the dashboard
-
-2. **Update \`wrangler.toml\`**:
-   \`\`\`toml
-   [vars]
-   AGENTSHIELD_API_URL = "https://kya.vouched.id"
-   AGENTSHIELD_API_KEY = "sk_your_actual_key_here"  # ← Replace this
-   MCPI_ENV = "development"
-   \`\`\`
-
-3. **Test proof submission**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} dev
-   \`\`\`
-
-   Call a tool and check the logs:
-   \`\`\`
-   [AgentShield] Submitting proof: { did: 'did:web:...', sessionId: '...', jwsFormat: 'valid (3 parts)' }
-   [AgentShield] ✅ Proofs accepted: 1
-   \`\`\`
 
-4. **View proofs in dashboard**:
-   - Go to https://kya.vouched.id/dashboard
-   - Select your project
-   - Click "Interactions" tab
-   - See your proofs in real-time
-
-### Configuration
-
-The AgentShield integration is configured in \`src/mcpi-runtime-config.ts\`. You can customize:
-- Proof batch size (\`maxBatchSize\`)
-- Flush interval (\`flushIntervalMs\`)
-- Retry policy (\`maxRetries\`)
-- Tool protection rules (\`toolProtections\`)
-
-### Dashboard-Controlled Tool Protection (Advanced)
-
-🆕 **NEW**: Control which tools require user delegation directly from the AgentShield dashboard - no code changes needed!
-
-Instead of hardcoding \`requiresDelegation\` in your config, enable dynamic tool protection:
-
-1. **Create Tool Protection KV namespace**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} kv:create-tool-protection
-   \`\`\`
-
-2. **Uncomment TOOL_PROTECTION_KV in \`wrangler.toml\`**:
-   \`\`\`toml
-   [[kv_namespaces]]
-   binding = "TOOL_PROTECTION_KV"
-   id = "your_tool_protection_kv_id"  # ← Add the ID from step 1
-   \`\`\`
-
-3. **Enable Tool Protection Service in \`src/mcpi-runtime-config.ts\`**:
-   - Uncomment the import: \`import { CloudflareRuntime } from "@kya-os/mcp-i-cloudflare";\`
-   - Uncomment the \`toolProtectionService\` configuration block
-
-4. **Deploy and test**:
-   \`\`\`bash
-   ${packageManager === "npm" ? "npm run" : packageManager} deploy
-   \`\`\`
-
-5. **Control delegation from dashboard**:
-   - Go to https://kya.vouched.id/dashboard
-   - Select your project → "Tools" tab
-   - Toggle "Require Delegation" for any tool
-   - Changes apply in real-time (5-minute cache)
-
-**Benefits:**
-- Update tool permissions without redeploying
-- Test delegation flows instantly
-- Different requirements per environment (dev vs prod)
-- Automatic tool discovery from proof submissions
-
-**Note:** The first time a tool is called, it auto-discovers in the dashboard. The \`requiresDelegation\` toggle will appear after the first proof is submitted.
+/**
+ * Get all tools for this agent
+ * 
+ * Tools are registered separately from the runtime config.
+ * This function is called by the agent to get the list of tools.
+ */
+export function getTools() {
+  return [
+    greetTool,
+    // Add more tools here
+  ];
+}
+`;
+    await fs.outputFile(path.join(targetDir, "src/mcpi-runtime-config.ts"), runtimeConfigTs);
+    // 10. Create scripts/setup.js (KV Namespace Creation & Key Regeneration Script)
+    const setupJs = `#!/usr/bin/env node
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const projectName = '${projectName}';
+const projectNameUpper = '${projectNameUpper}';
+
+console.log('🚀 Setting up MCP-I Cloudflare Worker...');
+console.log('');
+
+// Check if user is logged in to Cloudflare
+console.log('🔐 Checking Cloudflare authentication...');
+try {
+  execSync('wrangler whoami', { encoding: 'utf8', stdio: 'pipe' });
+  console.log('✅ Logged in to Cloudflare\\n');
+} catch (error) {
+  console.error('❌ Not logged in to Cloudflare!\\n');
+  console.error('Please run: wrangler login\\n');
+  console.error('Then run this setup script again: npm run setup\\n');
+  process.exit(1);
+}
 
-### Disable AgentShield (Optional)
+// Function to execute command and capture output
+function exec(command, silent = false) {
+  try {
+    const output = execSync(command, { encoding: 'utf8', stdio: silent ? 'pipe' : 'inherit' });
+    return output?.trim();
+  } catch (error) {
+    if (!silent) {
+      console.error(\`❌ Command failed: \${command}\`);
+      console.error(error.message);
+      if (error.stderr) {
+        console.error('Error output:', error.stderr.toString());
+      }
+    }
+    throw error; // Re-throw to handle in caller
+  }
+}
 
-If you don't want to use AgentShield, edit \`src/mcpi-runtime-config.ts\`:
+// Function to extract namespace ID from wrangler output
+function extractNamespaceId(output) {
+  // Match patterns like: id = "abc123" or { id: "abc123" }
+  const match = output.match(/id\\s*[:=]\\s*"([^"]+)"/);
+  return match ? match[1] : null;
+}
 
-\`\`\`typescript
-proofing: {
-  enabled: false,  // Disable proof submission
-  // ...
+// Function to update wrangler.toml with namespace ID
+function updateWranglerToml(binding, namespaceId) {
+  const wranglerPath = path.join(__dirname, '..', 'wrangler.toml');
+  let content = fs.readFileSync(wranglerPath, 'utf8');
+  
+  // Find the binding section and update the ID
+  const bindingPattern = new RegExp(\`binding\\\\s*=\\\\s*"\${binding}"[^\\\\[]*id\\\\s*=\\\\s*"[^"]*"\`, 's');
+  content = content.replace(bindingPattern, (match) => {
+    return match.replace(/id\\s*=\\s*"[^"]*"/, \`id = "\${namespaceId}"\`);
+  });
+  
+  fs.outputFileSync(wranglerPath, content);
+  console.log(\`✅ Updated wrangler.toml with \${binding} namespace ID: \${namespaceId}\`);
 }
-\`\`\`
 
-Or simply don't configure the \`AGENTSHIELD_API_KEY\` environment variable.
+// Create KV namespaces
+// Note: KV_BINDING_NAMES matches the constant in env-mapper.ts for consistency
+const KV_BINDING_NAMES = ['NONCE_CACHE', 'PROOF_ARCHIVE', 'IDENTITY_STORAGE', 'DELEGATION_STORAGE', 'TOOL_PROTECTION_KV'];
+const KV_BINDING_DESCRIPTIONS = [
+  'Nonce cache for replay attack prevention',
+  'Proof archive for auditability',
+  'Identity storage for persistent agent identity',
+  'Delegation storage for OAuth flows',
+  'Tool protection configuration cache'
+];
+const namespaces = KV_BINDING_NAMES.map((name, index) => ({
+  binding: \`\${projectNameUpper}_\${name}\`,
+  name: name,
+  description: KV_BINDING_DESCRIPTIONS[index]
+}));
+
+console.log('📦 Creating KV namespaces...');
+console.log('');
+
+let successCount = 0;
+let failureCount = 0;
+
+for (const ns of namespaces) {
+  console.log(\`\\n📦 Creating \${ns.name}...\`);
+  console.log(\`   Description: \${ns.description}\`);
+  
+  try {
+    // Try to create the namespace
+    const output = exec(\`wrangler kv:namespace create \${ns.binding}\`, true);
+    
+    if (output) {
+      console.log(\`   Raw output: \${output.substring(0, 200)}\`);
+      
+      const namespaceId = extractNamespaceId(output);
+      if (namespaceId) {
+        updateWranglerToml(ns.binding, namespaceId);
+        console.log(\`   ✅ Created successfully!\`);
+        successCount++;
+      } else {
+        console.log(\`   ⚠️  Could not extract namespace ID from output.\`);
+        console.log(\`   Full output: \${output}\`);
+        console.log(\`   You may need to update wrangler.toml manually.\`);
+        failureCount++;
+      }
+    } else {
+      console.log(\`   ⚠️  No output from wrangler command.\`);
+      failureCount++;
+    }
+  } catch (error) {
+    // Namespace might already exist
+    console.log(\`   ℹ️  Namespace may already exist. Checking...\`);
+    try {
+      const listOutput = exec(\`wrangler kv:namespace list\`, true);
+      if (listOutput && listOutput.includes(ns.binding)) {
+        console.log(\`   ✓ Namespace \${ns.binding} already exists\`);
+        
+        // Try to extract ID from list output
+        const listJson = JSON.parse(listOutput);
+        const existing = listJson.find(item => item.title.includes(ns.binding));
+        if (existing && existing.id) {
+          updateWranglerToml(ns.binding, existing.id);
+          console.log(\`   ✅ Updated wrangler.toml with existing ID: \${existing.id}\`);
+          successCount++;
+        } else {
+          console.log(\`   ⚠️  Found namespace but could not extract ID. Update wrangler.toml manually.\`);
+          failureCount++;
+        }
+      } else {
+        console.log(\`   ❌ Could not create or find namespace \${ns.binding}.\`);
+        console.log(\`   Error: \${error.message}\`);
+        console.log(\`   You may need to create it manually with: wrangler kv:namespace create \${ns.binding}\`);
+        failureCount++;
+      }
+    } catch (listError) {
+      console.log(\`   ❌ Failed to list namespaces: \${listError.message}\`);
+      failureCount++;
+    }
+  }
+}
 
-## References
+console.log('');
+console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+console.log('📊 Setup Summary:');
+console.log(\`   ✅ Success: \${successCount}/\${namespaces.length} namespaces\`);
+console.log(\`   ❌ Failed: \${failureCount}/\${namespaces.length} namespaces\`);
+console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\\n');
+
+if (failureCount > 0) {
+  console.log('⚠️  Some namespaces failed to create.\\n');
+  console.log('Manual steps required:');
+  console.log('1. Check wrangler.toml for any "TODO_REPLACE_WITH_ID" entries');
+  console.log('2. Create missing namespaces manually with:');
+  console.log('   wrangler kv:namespace create NAMESPACE_BINDING\\n');
+  console.log('3. Copy the ID from the output to wrangler.toml\\n');
+} else {
+  console.log('✨ Setup complete!\\n');
+}
 
-- [Cloudflare Agents MCP](https://developers.cloudflare.com/agents/model-context-protocol/)
-- [MCP Specification](https://spec.modelcontextprotocol.io/)
-- [MCP-I Documentation](https://github.com/kya-os/xmcp-i)
+console.log('🚀 Next steps:');
+console.log('1. Review wrangler.toml to ensure all namespace IDs are populated');
+console.log('2. Review .dev.vars for secrets configuration');
+console.log('3. Run "npm run dev" to start the development server');
+console.log('4. Run "npm run deploy" to deploy to Cloudflare Workers\\n');
+
+console.log('📝 For production deployment:');
+console.log('   wrangler secret put MCP_IDENTITY_PRIVATE_KEY');
+if (failureCount === 0) {
+  console.log('   wrangler secret put AGENTSHIELD_API_KEY');
+  console.log('   # ADMIN_API_KEY is optional - falls back to AGENTSHIELD_API_KEY if not set');
+}
 `;
-        fs.writeFileSync(path.join(projectPath, "README.md"), readmeContent);
-        console.log(chalk.green("✅ Cloudflare Worker MCP server created"));
-        console.log();
-        if (apikey) {
-            console.log(chalk.green("🔑 AgentShield API key configured in wrangler.toml"));
-            console.log(chalk.dim("   Your API key has been added to the [vars] section"));
-            console.log(chalk.dim("   Tool protection enforcement is ready to use!"));
-            console.log();
+    await fs.outputFile(path.join(targetDir, "scripts/setup.js"), setupJs);
+    await fs.chmod(path.join(targetDir, "scripts/setup.js"), "755");
+    // 11. Create tsconfig.json
+    const tsConfig = {
+        compilerOptions: {
+            target: "esnext",
+            module: "esnext",
+            moduleResolution: "bundler",
+            types: ["@cloudflare/workers-types", "vitest/globals"],
+            strict: true,
+            skipLibCheck: true,
+            noEmit: true,
+        },
+        include: ["src/**/*"],
+        exclude: ["node_modules"],
+    };
+    await fs.writeJson(path.join(targetDir, "tsconfig.json"), tsConfig, {
+        spaces: 2,
+    });
+    // 12. Create .gitignore
+    const gitignore = `node_modules
+dist
+.wrangler
+.dev.vars
+`;
+    await fs.outputFile(path.join(targetDir, ".gitignore"), gitignore);
+    console.log(chalk.green("✔ Created Cloudflare MCP-I template files"));
+    console.log(chalk.gray("  - Generated identity keys in .dev.vars"));
+    console.log(chalk.gray("  - Configured wrangler.toml with KV namespaces"));
+    console.log(chalk.gray("  - Created modular tool structure"));
+    console.log(chalk.gray("  - Created setup script for KV namespace creation"));
+    // 13. Run npm install first (skip in tests)
+    if (!skipCommands) {
+        console.log(chalk.blue("\n📦 Installing dependencies..."));
+        await runCommand(packageManager, ["install"], targetDir);
+        // 13a. Verify installed version matches expected version
+        console.log(chalk.blue("\n🔍 Verifying package versions..."));
+        const expectedVersion = "1.6.16";
+        try {
+            const installedPackagePath = path.join(targetDir, "node_modules", "@kya-os", "mcp-i-cloudflare", "package.json");
+            if (fs.existsSync(installedPackagePath)) {
+                const installedPackage = await fs.readJson(installedPackagePath);
+                const installedVersion = installedPackage.version;
+                if (installedVersion !== expectedVersion) {
+                    console.log(chalk.yellow(`\n⚠️  Warning: Expected @kya-os/mcp-i-cloudflare@${expectedVersion} but got ${installedVersion}`));
+                    console.log(chalk.yellow("   This might cause issues with MCP-I handshake. Consider clearing package cache:"));
+                    if (packageManager === "npm") {
+                        console.log(chalk.gray("   npm cache clean --force"));
+                    }
+                    else if (packageManager === "pnpm") {
+                        console.log(chalk.gray("   pnpm store prune"));
+                    }
+                    else if (packageManager === "yarn") {
+                        console.log(chalk.gray("   yarn cache clean"));
+                    }
+                    console.log(chalk.yellow("   Then reinstall dependencies."));
+                }
+                else {
+                    console.log(chalk.green(`✅ @kya-os/mcp-i-cloudflare@${installedVersion} installed correctly`));
+                }
+            }
+            else {
+                console.log(chalk.yellow("⚠️  Could not verify package installation"));
+            }
         }
-        else {
-            console.log(chalk.yellow("⚠️  No AgentShield API key provided"));
-            console.log(chalk.dim("   Add your API key to wrangler.toml [vars] section before deployment"));
-            console.log(chalk.dim("   Get your key at: https://kya.vouched.id/dashboard"));
-            console.log();
+        catch (error) {
+            console.log(chalk.yellow("⚠️  Could not verify package versions"));
+            if (process.env.DEBUG) {
+                console.error(error);
+            }
+        }
+        // 14. Run setup script to create KV namespaces
+        console.log(chalk.blue("\n🔧 Running setup script to create KV namespaces..."));
+        try {
+            // Use npm run setup instead of direct node execution to match user's manual workflow
+            // This ensures the same environment and PATH resolution as when users run it manually
+            await runCommand(packageManager, ["run", "setup"], targetDir);
+            console.log(chalk.green("\n✅ KV namespaces created successfully!"));
+        }
+        catch (error) {
+            console.log(chalk.yellow("\n⚠️  KV namespace setup encountered issues."));
+            if (error?.message) {
+                console.log(chalk.gray(`   Error: ${error.message}`));
+            }
+            console.log(chalk.yellow("\nYou can run it manually:"));
+            console.log(chalk.cyan(`   cd ${projectName}`));
+            console.log(chalk.cyan(`   ${packageManager} run setup`));
+            console.log(chalk.gray("\nThe setup script will create all required KV namespaces and update wrangler.toml."));
         }
-        console.log(chalk.bold("📦 All KV Namespaces Configured"));
-        console.log(chalk.dim("   - NONCE_CACHE: Replay attack prevention"));
-        console.log(chalk.dim("   - PROOF_ARCHIVE: Cryptographic proof storage"));
-        console.log(chalk.dim("   - IDENTITY_STORAGE: Agent identity persistence"));
-        console.log(chalk.dim("   - DELEGATION_STORAGE: OAuth delegation storage"));
-        console.log(chalk.dim("   - TOOL_PROTECTION_KV: Dashboard-controlled permissions"));
-        console.log();
-        console.log(chalk.cyan("   Run 'npm run kv:create' to create all namespaces"));
-        console.log();
     }
-    catch (error) {
-        console.error(chalk.red("Failed to set up Cloudflare Worker MCP server:"), error);
-        throw error;
+    // 15. Final instructions
+    console.log(chalk.blue("\n" + "=".repeat(60)));
+    console.log(chalk.bold.green("🎉 Cloudflare MCP-I project created successfully!"));
+    console.log(chalk.blue("=".repeat(60)));
+    console.log(chalk.bold("\n📝 Important Configuration Notes:"));
+    console.log(chalk.gray("\n1. ADMIN_API_KEY (in .dev.vars):"));
+    console.log(chalk.gray("   - Set to same value as AGENTSHIELD_API_KEY for convenience"));
+    console.log(chalk.gray("   - You can change it if you need separate admin endpoint security"));
+    console.log(chalk.gray("   - Required for admin endpoints like /admin/clear-cache\n"));
+    console.log(chalk.gray("2. KV Namespaces (in wrangler.toml):"));
+    console.log(chalk.gray("   - Required for MCP-I security features"));
+    console.log(chalk.gray("   - Auto-created by 'npm run setup' script"));
+    console.log(chalk.gray("   - Check wrangler.toml for 'TODO_REPLACE_WITH_ID' if setup failed\n"));
+    console.log(chalk.bold("🚀 Next Steps:"));
+    console.log(chalk.cyan("   cd " + projectName));
+    // Check if they need to run setup
+    const wranglerPath = path.join(targetDir, "wrangler.toml");
+    if (fs.existsSync(wranglerPath)) {
+        const wranglerContent = await fs.readFile(wranglerPath, "utf-8");
+        if (wranglerContent.includes("TODO_REPLACE_WITH_ID")) {
+            console.log(chalk.yellow("   wrangler login              # Login to Cloudflare first!"));
+            console.log(chalk.yellow("   npm run setup               # Create KV namespaces"));
+        }
+    }
+    console.log(chalk.cyan("   npm run dev                 # Start local development"));
+    console.log(chalk.cyan("   npm run deploy              # Deploy to Cloudflare\n"));
+}
+function toPascalCase(str) {
+    const result = str
+        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word, index) => {
+        return word.toUpperCase();
+    })
+        .replace(/\s+/g, "")
+        .replace(/-/g, "")
+        .replace(/[^a-zA-Z0-9]/g, ""); // Remove all non-alphanumeric characters
+    // Fallback to "Project" if result is empty or invalid
+    let className = result || "Project";
+    // Prefix with underscore if starts with a number (invalid JavaScript identifier)
+    if (/^\d/.test(className)) {
+        className = "_" + className;
     }
+    return className;
+}
+function runCommand(command, args, cwd) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(command, args, {
+            cwd,
+            stdio: "inherit",
+            shell: process.platform === "win32",
+        });
+        child.on("error", reject);
+        child.on("exit", (code) => {
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                reject(new Error(`Command failed with exit code ${code}`));
+            }
+        });
+    });
 }
 //# sourceMappingURL=fetch-cloudflare-mcpi-template.js.map