@kya-os/create-molti 0.1.0-canary.1

package/src/templates/auth-module.ts

@@ -0,0 +1,68 @@
+/**
+ * Auth Module Template (src/auth.ts)
+ *
+ * Generates Cloudflare Access middleware for JWT verification.
+ */
+
+export function generateAuthModule(): string {
+  return `/**
+ * Cloudflare Access Authentication Middleware
+ *
+ * Verifies CF Access JWT tokens for protected routes.
+ * Skips auth in dev mode for local development.
+ */
+
+import type { Context, Next } from "hono";
+import type { AppEnv } from "./types";
+
+interface AccessMiddlewareOptions {
+  type: "api" | "admin";
+  redirectOnMissing?: boolean;
+}
+
+/**
+ * Create CF Access authentication middleware
+ */
+export function createAccessMiddleware(options: AccessMiddlewareOptions) {
+  return async (c: Context<AppEnv>, next: Next) => {
+    const env = c.env;
+
+    // Skip auth in dev mode
+    if (env.DEV_MODE === "true") {
+      c.set("accessUser", { email: "dev@localhost", name: "Dev User" });
+      return next();
+    }
+
+    // Skip auth if CF Access is not configured
+    if (!env.CF_ACCESS_TEAM_DOMAIN || !env.CF_ACCESS_AUD) {
+      c.set("accessUser", { email: "unconfigured@localhost" });
+      return next();
+    }
+
+    // Extract JWT from CF-Access-JWT-Assertion header or cookie
+    const jwt =
+      c.req.header("CF-Access-JWT-Assertion") ||
+      getCookie(c.req.header("cookie") || "", "CF_Authorization");
+
+    if (!jwt) {
+      if (options.redirectOnMissing) {
+        return c.redirect(
+          \`https://\${env.CF_ACCESS_TEAM_DOMAIN}/cdn-cgi/access/login\`
+        );
+      }
+      return c.json({ error: "Authentication required" }, 401);
+    }
+
+    // For production, verify JWT with CF Access JWKS
+    // Simplified: trust CF Access header in Workers environment
+    c.set("accessUser", { email: "authenticated@user" });
+    await next();
+  };
+}
+
+function getCookie(cookieHeader: string, name: string): string | undefined {
+  const match = cookieHeader.match(new RegExp(\`(?:^|;\\\\s*)\${name}=([^;]*)\`));
+  return match?.[1];
+}
+`;
+}

package/src/templates/dockerfile.ts

@@ -0,0 +1,40 @@
+/**
+ * Dockerfile Template
+ *
+ * Generates a Dockerfile for the Moltworker container.
+ * Based on the Cloudflare sandbox base image with Node.js and moltbot CLI.
+ */
+
+export function generateDockerfile(): string {
+  return `FROM docker.io/cloudflare/sandbox:0.7.0
+
+# Install Node.js 22 (required by moltbot)
+ENV NODE_VERSION=22.13.1
+RUN apt-get update && apt-get install -y xz-utils ca-certificates rsync \\
+ && curl -fsSLk https://nodejs.org/dist/v\${NODE_VERSION}/node-v\${NODE_VERSION}-linux-x64.tar.xz -o /tmp/node.tar.xz \\
+ && tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1 \\
+ && rm /tmp/node.tar.xz
+
+# Install pnpm
+RUN npm install -g pnpm
+
+# Install moltbot CLI
+RUN npm install -g clawdbot@2026.1.24-3
+
+# Create directories
+RUN mkdir -p /root/.clawdbot \\
+ && mkdir -p /root/.clawdbot-templates \\
+ && mkdir -p /root/clawd \\
+ && mkdir -p /root/clawd/skills
+
+# Copy startup script
+COPY start-moltbot.sh /usr/local/bin/start-moltbot.sh
+RUN chmod +x /usr/local/bin/start-moltbot.sh
+
+# Copy config template
+COPY moltbot.json.template /root/.clawdbot-templates/moltbot.json.template
+
+WORKDIR /root/clawd
+EXPOSE 18789
+`;
+}

package/src/templates/gateway.ts

@@ -0,0 +1,112 @@
+/**
+ * Gateway Module Template (src/gateway.ts)
+ *
+ * Generates the gateway management code that ensures the
+ * Moltbot process is running inside the container.
+ */
+
+export function generateGatewayModule(): string {
+  return `/**
+ * Moltbot Gateway Management
+ *
+ * Ensures the Moltbot process is running inside the container
+ * and waits for the gateway port to be ready.
+ */
+
+export const MOLTBOT_PORT = 18789;
+const STARTUP_TIMEOUT_MS = 180_000; // 3 minutes
+
+/**
+ * Ensure the Moltbot gateway is running and ready
+ */
+export async function ensureMoltbotGateway(
+  sandbox: any,
+  env: Record<string, unknown>
+): Promise<void> {
+  // Check for existing process
+  const processes = await sandbox.ps();
+  const existing = processes.find(
+    (p: { command: string; status: string }) =>
+      (p.command.includes("start-moltbot.sh") || p.command.includes("clawdbot gateway")) &&
+      p.status === "running"
+  );
+
+  if (existing) {
+    await waitForPort(sandbox, MOLTBOT_PORT, STARTUP_TIMEOUT_MS);
+    return;
+  }
+
+  // Build environment variables for the container process
+  const envVars = buildEnvVars(env);
+
+  // Start the moltbot process
+  await sandbox.start("/usr/local/bin/start-moltbot.sh", {
+    env: envVars,
+  });
+
+  await waitForPort(sandbox, MOLTBOT_PORT, STARTUP_TIMEOUT_MS);
+}
+
+/**
+ * Build environment variables to pass to the container
+ */
+function buildEnvVars(env: Record<string, unknown>): Record<string, string> {
+  const vars: Record<string, string> = {};
+
+  // AI Gateway priority
+  if (env.AI_GATEWAY_API_KEY) {
+    const baseUrl = String(env.AI_GATEWAY_BASE_URL || "");
+    if (baseUrl.includes("openai")) {
+      vars.OPENAI_API_KEY = String(env.AI_GATEWAY_API_KEY);
+      vars.OPENAI_BASE_URL = baseUrl.replace(/\\/$/, "");
+    } else {
+      vars.ANTHROPIC_API_KEY = String(env.AI_GATEWAY_API_KEY);
+      vars.ANTHROPIC_BASE_URL = baseUrl.replace(/\\/$/, "");
+    }
+  } else {
+    if (env.ANTHROPIC_API_KEY) vars.ANTHROPIC_API_KEY = String(env.ANTHROPIC_API_KEY);
+    if (env.OPENAI_API_KEY) vars.OPENAI_API_KEY = String(env.OPENAI_API_KEY);
+  }
+
+  // Gateway token
+  if (env.MOLTBOT_GATEWAY_TOKEN) {
+    vars.CLAWDBOT_GATEWAY_TOKEN = String(env.MOLTBOT_GATEWAY_TOKEN);
+  }
+
+  // Bot tokens
+  if (env.TELEGRAM_BOT_TOKEN) vars.TELEGRAM_BOT_TOKEN = String(env.TELEGRAM_BOT_TOKEN);
+  if (env.DISCORD_BOT_TOKEN) vars.DISCORD_BOT_TOKEN = String(env.DISCORD_BOT_TOKEN);
+  if (env.SLACK_BOT_TOKEN) vars.SLACK_BOT_TOKEN = String(env.SLACK_BOT_TOKEN);
+
+  if (env.DEV_MODE) vars.DEV_MODE = String(env.DEV_MODE);
+
+  return vars;
+}
+
+/**
+ * Wait for a port to become available
+ */
+async function waitForPort(
+  sandbox: any,
+  port: number,
+  timeoutMs: number
+): Promise<void> {
+  const start = Date.now();
+
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const response = await sandbox.containerFetch(
+        new Request(\`http://localhost:\${port}/\`),
+        port
+      );
+      if (response.status < 500) return;
+    } catch {
+      // Port not ready yet
+    }
+    await new Promise((resolve) => setTimeout(resolve, 1000));
+  }
+
+  throw new Error(\`Moltbot gateway did not start within \${timeoutMs / 1000}s\`);
+}
+`;
+}

package/src/templates/github-workflow.ts

@@ -0,0 +1,48 @@
+/**
+ * GitHub Actions Workflow Template
+ *
+ * Generates the deploy.yml for CI/CD to Cloudflare.
+ */
+
+export function generateDeployWorkflow(): string {
+  return `name: Deploy to Cloudflare
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for manual deployment'
+        required: false
+        default: 'Manual deployment'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy Moltworker
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Deploy to Cloudflare
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: \${{ secrets.CLOUDFLARE_API_TOKEN }}
+          secrets: |
+            MCP_IDENTITY_PRIVATE_KEY
+            AGENTSHIELD_API_KEY
+            ANTHROPIC_API_KEY
+        env:
+          MCP_IDENTITY_PRIVATE_KEY: \${{ secrets.MCP_IDENTITY_PRIVATE_KEY }}
+          AGENTSHIELD_API_KEY: \${{ secrets.AGENTSHIELD_API_KEY }}
+          ANTHROPIC_API_KEY: \${{ secrets.ANTHROPIC_API_KEY }}
+`;
+}

package/src/templates/health-module.ts

@@ -0,0 +1,62 @@
+/**
+ * Health Module Template (src/routes/public.ts)
+ *
+ * Generates public routes including health checks and status endpoints.
+ */
+
+export function generateHealthModule(projectName: string): string {
+  return `/**
+ * Public Routes
+ *
+ * Health checks and status endpoints — no authentication required.
+ */
+
+import { Hono } from "hono";
+import type { AppEnv } from "../types";
+
+export const publicRoutes = new Hono<AppEnv>();
+
+/**
+ * Basic health check
+ */
+publicRoutes.get("/sandbox-health", (c) => {
+  return c.json({
+    status: "ok",
+    service: "${projectName}",
+    timestamp: new Date().toISOString(),
+  });
+});
+
+/**
+ * Detailed status with gateway check
+ */
+publicRoutes.get("/api/status", async (c) => {
+  const sandbox = c.get("sandbox");
+
+  try {
+    const processes = await sandbox.ps();
+    const moltbot = processes.find(
+      (p: { command: string; status: string }) =>
+        (p.command.includes("start-moltbot.sh") || p.command.includes("clawdbot gateway")) &&
+        p.status === "running"
+    );
+
+    return c.json({
+      status: moltbot ? "running" : "starting",
+      service: "${projectName}",
+      identity: {
+        did: c.env.MCP_IDENTITY_AGENT_DID,
+      },
+      gateway: moltbot
+        ? { pid: moltbot.pid, status: moltbot.status }
+        : null,
+    });
+  } catch {
+    return c.json({
+      status: "unknown",
+      service: "${projectName}",
+    });
+  }
+});
+`;
+}

package/src/templates/identity-json.ts

@@ -0,0 +1,29 @@
+/**
+ * .mcpi/identity.json Template
+ *
+ * Generates the public identity file that is committed to the repo.
+ * Contains the agent DID and public key — private key is a secret.
+ */
+
+interface IdentityJsonOptions {
+  did: string;
+  publicKey: string;
+  agentName?: string;
+  agentDescription?: string;
+}
+
+export function generateIdentityJson(opts: IdentityJsonOptions): string {
+  return JSON.stringify(
+    {
+      version: '1.0',
+      type: 'molti-agent',
+      did: opts.did,
+      publicKey: opts.publicKey,
+      agentName: opts.agentName || undefined,
+      agentDescription: opts.agentDescription || undefined,
+      createdAt: new Date().toISOString(),
+    },
+    null,
+    2
+  );
+}

package/src/templates/identity-module.ts

@@ -0,0 +1,89 @@
+/**
+ * Identity Module Template (src/identity.ts)
+ *
+ * Generates the MCP-I identity provider initialization code.
+ * Uses @kya-os/mcp-i-cloudflare for Cloudflare-specific providers.
+ */
+
+export function generateIdentityModule(): string {
+  return `/**
+ * MCP-I Identity Provider
+ *
+ * Initializes cryptographic identity from environment variables.
+ * Uses @kya-os/mcp-i-cloudflare for Cloudflare Workers-compatible
+ * Ed25519 signing via Web Crypto API.
+ */
+
+import {
+  WebCryptoProvider,
+  KVNonceCacheProvider,
+  CloudflareProofGenerator,
+} from "@kya-os/mcp-i-cloudflare";
+
+interface IdentityConfig {
+  did: string;
+  publicKey: string;
+  privateKey: string;
+}
+
+interface IdentityProviderResult {
+  proofGenerator: InstanceType<typeof CloudflareProofGenerator>;
+  config: IdentityConfig;
+}
+
+/**
+ * Get the identity provider from environment
+ */
+export function getIdentityProvider(env: {
+  MCP_IDENTITY_AGENT_DID: string;
+  MCP_IDENTITY_PUBLIC_KEY: string;
+  MCP_IDENTITY_PRIVATE_KEY: string;
+  NONCE_CACHE: KVNamespace;
+  PROOF_ARCHIVE: KVNamespace;
+}): IdentityProviderResult {
+  const config: IdentityConfig = {
+    did: env.MCP_IDENTITY_AGENT_DID,
+    publicKey: env.MCP_IDENTITY_PUBLIC_KEY,
+    privateKey: env.MCP_IDENTITY_PRIVATE_KEY,
+  };
+
+  const cryptoProvider = new WebCryptoProvider();
+  const nonceCache = new KVNonceCacheProvider(env.NONCE_CACHE);
+
+  const proofGenerator = new CloudflareProofGenerator(
+    cryptoProvider,
+    nonceCache,
+    {
+      did: config.did,
+      privateKey: config.privateKey,
+      publicKey: config.publicKey,
+    }
+  );
+
+  return { proofGenerator, config };
+}
+
+/**
+ * Generate a proof for a tool execution
+ */
+export async function generateProof(
+  proofGenerator: InstanceType<typeof CloudflareProofGenerator>,
+  toolName: string,
+  input: unknown,
+  output: unknown
+): Promise<string | null> {
+  try {
+    const proof = await proofGenerator.generateProof({
+      toolName,
+      input: JSON.stringify(input),
+      output: JSON.stringify(output),
+      timestamp: new Date().toISOString(),
+    });
+    return proof;
+  } catch {
+    // Proof generation is non-critical — don't block tool execution
+    return null;
+  }
+}
+`;
+}

package/src/templates/moltbot-config.ts

@@ -0,0 +1,23 @@
+/**
+ * Moltbot Config Template (moltbot.json.template)
+ *
+ * Default configuration for the Moltbot gateway.
+ */
+
+export function generateMoltbotConfig(): string {
+  return JSON.stringify(
+    {
+      agents: {
+        defaults: {
+          workspace: '/root/clawd',
+        },
+      },
+      gateway: {
+        port: 18789,
+        mode: 'local',
+      },
+    },
+    null,
+    2
+  );
+}

package/src/templates/package-json.ts

@@ -0,0 +1,46 @@
+/**
+ * package.json Template
+ *
+ * Generates the package.json for the scaffolded Moltworker project.
+ */
+
+import type { MoltiPackageVersions } from '../helpers/get-package-versions.js';
+
+interface PackageJsonOptions {
+  projectName: string;
+  versions: MoltiPackageVersions;
+}
+
+export function generatePackageJson(opts: PackageJsonOptions): string {
+  const { projectName, versions } = opts;
+
+  return JSON.stringify(
+    {
+      name: projectName,
+      version: '0.1.0',
+      private: true,
+      scripts: {
+        deploy: 'wrangler deploy',
+        dev: 'wrangler dev',
+        start: 'wrangler dev',
+        'type-check': 'tsc --noEmit',
+        'cf-typegen': 'wrangler types',
+      },
+      dependencies: {
+        '@cloudflare/sandbox': 'latest',
+        '@kya-os/mcp-i-core': versions['@kya-os/mcp-i-core'],
+        '@kya-os/mcp-i-cloudflare': versions['@kya-os/mcp-i-cloudflare'],
+        '@kya-os/contracts': versions['@kya-os/contracts'],
+        hono: '^4.11.6',
+        jose: '^6.0.0',
+      },
+      devDependencies: {
+        '@cloudflare/workers-types': '^4.20251126.0',
+        typescript: '^5.6.2',
+        wrangler: '^4.61.1',
+      },
+    },
+    null,
+    2
+  );
+}

package/src/templates/readme.ts

@@ -0,0 +1,101 @@
+/**
+ * README.md Template
+ *
+ * Generates documentation for the scaffolded project.
+ */
+
+interface ReadmeOptions {
+  projectName: string;
+  agentName?: string;
+  agentDescription?: string;
+  agentShieldProjectId?: string;
+}
+
+export function generateReadme(opts: ReadmeOptions): string {
+  const { projectName, agentName, agentDescription, agentShieldProjectId } = opts;
+  const displayName = agentName || projectName;
+  const description = agentDescription || 'AI agent running on Cloudflare Workers with MCP-I identity';
+
+  const dashboardUrl = agentShieldProjectId
+    ? `https://kya.vouched.id/dashboard/bouncer/${agentShieldProjectId}`
+    : 'https://kya.vouched.id/dashboard/bouncer';
+
+  return `# ${displayName}
+
+${description}
+
+Built with [Moltworker](https://github.com/cloudflare/moltworker) + [MCP-I Identity](https://github.com/modelcontextprotocol-identity/xmcp-i).
+
+## Quick Start
+
+1. **Install dependencies**
+   \`\`\`bash
+   npm install
+   \`\`\`
+
+2. **Configure secrets**
+   \`\`\`bash
+   # Add your AI provider key
+   wrangler secret put ANTHROPIC_API_KEY
+   # or
+   wrangler secret put OPENAI_API_KEY
+
+   # Identity private key (already set if deployed via AgentShield)
+   wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+
+   # AgentShield API key (for proof reporting)
+   wrangler secret put AGENTSHIELD_API_KEY
+   \`\`\`
+
+3. **Deploy**
+   \`\`\`bash
+   npm run deploy
+   \`\`\`
+
+## Architecture
+
+\`\`\`
+Cloudflare Worker (Hono)
+\u251c\u2500\u2500 /sandbox-health     \u2192 Health check (public)
+\u251c\u2500\u2500 /api/status          \u2192 Detailed status (public)
+\u251c\u2500\u2500 /api/*               \u2192 Protected API (CF Access)
+\u251c\u2500\u2500 /_admin/*            \u2192 Admin UI (CF Access)
+\u2514\u2500\u2500 /*                   \u2192 Proxy to Moltbot container (port 18789)
+
+Container (Cloudflare Sandbox)
+\u251c\u2500\u2500 OpenClaw runtime (clawdbot)
+\u251c\u2500\u2500 Node.js 22
+\u2514\u2500\u2500 R2-backed persistent storage
+\`\`\`
+
+## MCP-I Identity
+
+This agent has a cryptographic identity:
+- **DID**: See \`.mcpi/identity.json\`
+- **Proof Generation**: Tool executions are signed with Ed25519
+- **Nonce Replay Prevention**: Via KV-backed nonce cache
+- **Proof Archive**: Historical proofs stored in KV
+
+## AgentShield Dashboard
+
+Monitor and configure your agent: ${dashboardUrl}
+
+## Environment Variables
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| \`MCP_IDENTITY_PRIVATE_KEY\` | Agent's Ed25519 private key | Yes |
+| \`ANTHROPIC_API_KEY\` | Anthropic API key | Yes* |
+| \`OPENAI_API_KEY\` | OpenAI API key | Yes* |
+| \`AGENTSHIELD_API_KEY\` | AgentShield API key | Recommended |
+| \`CLOUDFLARE_API_TOKEN\` | Wrangler deployment token | For CI/CD |
+| \`CF_ACCESS_TEAM_DOMAIN\` | CF Access team domain | For auth |
+| \`CF_ACCESS_AUD\` | CF Access audience tag | For auth |
+
+*At least one AI provider key is required.
+
+## License
+
+MIT
+`;
+}

package/src/templates/startup-script.ts

@@ -0,0 +1,54 @@
+/**
+ * Startup Script Template (start-moltbot.sh)
+ *
+ * Generates the bash script that runs inside the container
+ * to initialize config and start the Moltbot gateway.
+ */
+
+export function generateStartupScript(): string {
+  return `#!/bin/bash
+set -e
+
+CONFIG_DIR="/root/.clawdbot"
+CONFIG_FILE="\${CONFIG_DIR}/moltbot.json"
+TEMPLATE_FILE="/root/.clawdbot-templates/moltbot.json.template"
+BACKUP_DIR="/data/moltbot/.clawdbot"
+
+# Exit early if already running
+if pgrep -f 'clawdbot gateway' > /dev/null 2>&1; then
+  echo "Moltbot gateway is already running, exiting."
+  exit 0
+fi
+
+# Restore from R2 backup if newer
+if [ -d "\${BACKUP_DIR}" ] && [ -f "\${BACKUP_DIR}/moltbot.json" ]; then
+  BACKUP_MTIME=\$(stat -c %Y "\${BACKUP_DIR}/moltbot.json" 2>/dev/null || echo 0)
+  CONFIG_MTIME=\$(stat -c %Y "\${CONFIG_FILE}" 2>/dev/null || echo 0)
+
+  if [ "\${BACKUP_MTIME}" -gt "\${CONFIG_MTIME}" ]; then
+    echo "Restoring config from R2 backup..."
+    rsync -a "\${BACKUP_DIR}/" "\${CONFIG_DIR}/"
+  fi
+fi
+
+# Initialize config from template if needed
+if [ ! -f "\${CONFIG_FILE}" ]; then
+  if [ -f "\${TEMPLATE_FILE}" ]; then
+    cp "\${TEMPLATE_FILE}" "\${CONFIG_FILE}"
+    echo "Initialized config from template"
+  else
+    echo '{"agents":{"defaults":{"workspace":"/root/clawd"}},"gateway":{"port":18789,"mode":"local"}}' > "\${CONFIG_FILE}"
+    echo "Initialized config with defaults"
+  fi
+fi
+
+echo "Starting Moltbot gateway on port 18789..."
+
+# Start gateway with or without token
+if [ -n "\${CLAWDBOT_GATEWAY_TOKEN}" ]; then
+  exec clawdbot gateway --port 18789 --verbose --bind 0.0.0.0 --token "\${CLAWDBOT_GATEWAY_TOKEN}"
+else
+  exec clawdbot gateway --port 18789 --verbose --bind 0.0.0.0 --allow-unconfigured
+fi
+`;
+}