CL proxy deploy blocked: COURTLISTENER_API_TOKEN unreachable from prod VM

[chitcommit]

Summary

Two downstream PRs are blocked from production deploy because the prod VM operator cannot reach a COURTLISTENER_API_TOKEN via the canonical 1Password → ChittyConnect path. The token is required for the CourtListener proxy route used by ChittyCounsel evidence/case enrichment.

Per the ChittyConnect credential layer hierarchy (operator-manifest.json → policy.secret_env_model), the operator is not a secrets store and we will not paste credentials through chat. Filing this as the durable unblock channel.

Downstream waiters

• CHITTYCORP/CHITTYCOUNSEL PR Configure CI/CD Pipelines #4 — https://github.com/chittycorp/CHITTYCOUNSEL/pull/4
• CHITTYOS/chittyconnect PR feat(courtlistener): add /api/proxy/courtlistener proxy for ChittyCounsel #234 (this repo) — CL proxy route

Both PRs are merge-ready on code/tests; deploy is deferred pending credential routing.

Evidence from credential probe (prod VM, op CLI as configured operator identity)

Vaults visible to the operator:

• ChittyOS
• ChittyOS-Core
• synthetic-prod
• synthetic-shared

Vaults NOT visible (expected but absent):

• ChittyOS-Integrations — this is where third-party API tokens like COURTLISTENER_API_TOKEN should live per convention.

Cloudflare Secrets Store state:

• Empty for the chittyconnect-prod worker — no COURTLISTENER_API_TOKEN binding.

synthetic-shared state:

• Contains a CHITTY_CONNECT_TOKEN entry, but it is stale (created prior to last rotation cycle, fails verification against connect.chitty.cc/.well-known/token-introspect).
• No COURTLISTENER_API_TOKEN present.

Net effect: no path from cold store → Secrets Store → worker env exists for the CL token, and the broker token (CHITTY_CONNECT_TOKEN) the worker would use to fetch it dynamically is itself stale.

Canonical fix paths (any one unblocks; doing all three closes the gap properly)

1. Grant the prod VM operator identity read access to the ChittyOS-Integrations 1Password vault. This is the cleanest fix — the token already exists there per integrations convention, and grant restores the normal op run --env-file injection path for the worker deploy.

2. Drop a COURTLISTENER_API_TOKEN item into synthetic-shared (the vault the operator can already read). Lower-friction interim; downside is it puts a third-party integration secret in a shared vault rather than the integrations-scoped vault.

3. Rotate CHITTY_CONNECT_TOKEN in synthetic-shared and push the fresh value to the prod Secrets Store binding for chittyconnect-prod. This restores the broker path so the worker can resolve COURTLISTENER_API_TOKEN at runtime via ChittyConnect rather than at deploy time. Should be done regardless — the stale broker token is its own latent failure.

Recommended: (1) for durability + (3) for hygiene. (2) only if (1) is gated on an admin who is unreachable.

Definition of done

• op item get COURTLISTENER_API_TOKEN succeeds from prod VM operator identity (whichever vault)
• wrangler secret list --env production for chittyconnect-prod shows COURTLISTENER_API_TOKEN (or it resolves via Secrets Store binding)
• CHITTY_CONNECT_TOKEN in synthetic-shared passes introspect against connect.chitty.cc
• CHITTYCOUNSEL PR Configure CI/CD Pipelines #4 and chittyconnect PR feat(courtlistener): add /api/proxy/courtlistener proxy for ChittyCounsel #234 redeployed and /health green
• This issue closed with a comment linking the deploy run

Non-asks

• Do not ask the operator to paste a token value in chat or in an issue comment.
• Do not commit the token to any repo.
• Do not extend KV TTL as a workaround — KV is hot cache only.

[chitcommit]

CloudflareMCP probe results — token does not exist anywhere on infra

With newly restored CloudflareMCP access to account 0bc21e3a5a9de1a4cc843be9c3e98121 (ChittyCorp LLC), I conducted an exhaustive search for COURTLISTENER_API_TOKEN across every credential surface available to the prod platform. No CourtListener token exists anywhere in the ChittyCorp Cloudflare account.

Surfaces probed (all negative for court|cl_|pacer|legal|opinion)

Surface	Path	Entries	CL matches
Secrets Store default_secrets_store (e914522471964c3c8cf1e601770edcc3)	/accounts/{acct}/secrets_store/stores/{id}/secrets	53	0
Worker chittyconnect plain secrets	/accounts/{acct}/workers/scripts/chittyconnect/secrets	39	0
Worker chittyconnect bindings (incl. Secrets Store)	/accounts/{acct}/workers/scripts/chittyconnect/settings	108 bindings	0
Worker chittyconnect-staging secrets	same	0	0
Worker chittycounsel secrets	same	6 (CF_AI_GATEWAY_TOKEN, CF_API_TOKEN, CHITTY_EVIDENCE_, NEON_)	0
Worker chittyresolution secrets	same	0	0
Worker chittyadvocate secrets	same	1 (ADVOCATE_WRITE_TOKEN)	0
KV CREDENTIAL_CACHE (7b71b58ad724477888b37d8beeb5d825)	/accounts/{acct}/storage/kv/namespaces/{ns}/keys	0	0
All 92 workers scanned by name	—	—	none matching court|legal|cl_|pacer|research aside from chittycounsel itself

Sample of what is in the Secrets Store (53 entries): chittygateway provider keys (anthropic/openai/deepseek/mistral/grok/perplexity/elevenlabs/parallel), 14 Mercury tokens, Cloudflare Access client pairs for chittyagent/chittycommand/chittyfinance, Mercury OIDC, USPS, ChittyFinance webhooks, multiple Neon DB URLs, GOVEE, ch1tty_mcp_token, chittyauth_issued_mint_api_key. Zero CourtListener-shaped entry under any naming convention (COURTLISTENER_*, CL_*, COURT_*, PACER_*).

Conclusion

The premise of fix paths (1) and (2) in this issue ("the token already exists in ChittyOS-Integrations per convention" / "drop a token into synthetic-shared") is not satisfiable — the token does not exist in any 1Password vault either, because if it did the integration sync would have placed it in either the Secrets Store or a worker binding by now, and neither shows it.

The only remaining action that actually moves the token into existence is a CourtListener API token mint at https://www.courtlistener.com/profile/api/, which requires a human-attested login to the CourtListener web UI. That is a genuinely human-only step — not a chat credential ask, not a workaround. It is the canonical out-of-band capability acquisition.

Action

Closing this issue as superseded by a narrower follow-up: #TBD (operator mints CL token at courtlistener.com, then standard op item create → Secrets Store sync runs and unblocks the deploy).

Fix path (3) — rotate CHITTY_CONNECT_TOKEN — remains independently valid hygiene work but is orthogonal to the CL deploy and will be tracked separately.

[chitcommit]

Closed as superseded by #238. CloudflareMCP probe established the token does not exist on any credential surface (not just unrouted), so the three fix paths in the original issue are not satisfiable. #238 captures the single genuinely human-required action: mint a CourtListener API key at courtlistener.com/profile/api/.