Problem
SessionStart viewport-hydration.sh hook calls viewport-probe.mjs → mcp.chitty.cc/mcp which is protected by Cloudflare Access (zero-trust). Probe currently returns 401:
$ curl -i https://mcp.chitty.cc/mcp -H "Authorization: Bearer $CHITTY_MCP_BEARER_TOKEN"
HTTP/2 401
{"error":"invalid_token","error_description":"Missing or invalid access token","resource_metadata":"https://mcp.chitty.cc/.well-known/cloudflare-access-protected-resource/mcp"}
/.well-known/cloudflare-access-protected-resource/mcp confirms: team_domain: chittycorp.cloudflareaccess.com, auth methods = cloudflared (interactive) or OAuth (interactive). Bearer tokens (regardless of source) are rejected — CF Access requires either:
CF-Access-Client-Id + CF-Access-Client-Secret header pair (service token), OR- A user JWT obtained via interactive OAuth flow.
Investigation
Exhaustively scanned all synthetic-* vaults in 1Password — no CF Access service token exists for mcp.chitty.cc:
- No item with both
client-id + client-secret fields targeting the Access app
- No
CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET pair under any name
chittymcp/create-mcp-portal.sh references the expected shape (SERVICE_CLIENT_ID, SERVICE_CLIENT_SECRET) but the provisioned token was never persisted to 1Password- No cached
cloudflared token at ~/.cloudflared/mcp.chitty.cc-*-token
All bare bearer candidates tested and rejected (401/403):
CHITTY_MCP_BEARER_TOKEN (env, helper-sourced via chitty-mcp-token chittymcp)MCP_CHITTY_AUTH_TOKEN, MCP_API_KEY, MCP_REGISTRY_ADMIN_TOKENCHITTYCONNECT_SERVICE_TOKEN, CHITTY_AUTH_SERVICE_TOKEN, INTERNAL_SERVICE_TOKEN
What's needed to unblock
- Provision a Cloudflare Access service token for the
mcp.chitty.cc Access application in the ChittyCorp Zero Trust dashboard (team domain chittycorp.cloudflareaccess.com). Suggested name: chittymcp-viewport-probe.
- Store the resulting Client-Id + Client-Secret pair in 1Password vault
synthetic-shared as a single item, canonical name CF_ACCESS_MCP_CHITTY with fields client_id and client_secret.
- Wire injection —
viewport-probe.mjs (CHITTYOS/ch1tty/scripts/viewport-probe.mjs, lines 94-99) already reads CHITTY_CF_ACCESS_CLIENT_ID / CHITTY_CF_ACCESS_CLIENT_SECRET env vars. The hook just needs to inject them from 1Password before invocation (parallel to how viewport-hydration.sh currently injects CHITTY_MCP_BEARER via chitty-mcp-token).
- Update
chitty-mcp-token helper (or add a new chitty-cf-access helper) to source the pair from 1Password.
Scope
- Affects all sessions on chittyserv-vm (and likely all developer VMs) doing viewport hydration.
- Does NOT affect direct ChittyConnect REST (connect.chitty.cc/api/*) — that lane works with bearer tokens.
- The "401 via chittyconnect" message in the startup hook is misleading: the failure is at the MCP gateway hop (mcp.chitty.cc), not at ChittyConnect itself.
Related restoration (this session)
Tasks lane was unblocked in parallel via the canonical Neon fallback path (chitty-claimable-tasks.sh:try_neon):
- Used
op read op://synthetic-shared/NEON_API_KEY/credential → neonctl connection-string --project-id cool-bar-13270800 --branch-name br-weathered-hall-akoq1ily ...
- Reclaim hook now returns 5 pending tasks (verified end-to-end)
Filed by: chico (ChittyConnect concierge)
Problem
SessionStart
viewport-hydration.shhook callsviewport-probe.mjs→mcp.chitty.cc/mcpwhich is protected by Cloudflare Access (zero-trust). Probe currently returns 401:/.well-known/cloudflare-access-protected-resource/mcpconfirms:team_domain: chittycorp.cloudflareaccess.com, auth methods =cloudflared(interactive) or OAuth (interactive). Bearer tokens (regardless of source) are rejected — CF Access requires either:CF-Access-Client-Id+CF-Access-Client-Secretheader pair (service token), ORInvestigation
Exhaustively scanned all
synthetic-*vaults in 1Password — no CF Access service token exists formcp.chitty.cc:client-id+client-secretfields targeting the Access appCF_ACCESS_CLIENT_ID/CF_ACCESS_CLIENT_SECRETpair under any namechittymcp/create-mcp-portal.shreferences the expected shape (SERVICE_CLIENT_ID,SERVICE_CLIENT_SECRET) but the provisioned token was never persisted to 1Passwordcloudflaredtoken at~/.cloudflared/mcp.chitty.cc-*-tokenAll bare bearer candidates tested and rejected (401/403):
CHITTY_MCP_BEARER_TOKEN(env, helper-sourced viachitty-mcp-token chittymcp)MCP_CHITTY_AUTH_TOKEN,MCP_API_KEY,MCP_REGISTRY_ADMIN_TOKENCHITTYCONNECT_SERVICE_TOKEN,CHITTY_AUTH_SERVICE_TOKEN,INTERNAL_SERVICE_TOKENWhat's needed to unblock
mcp.chitty.ccAccess application in the ChittyCorp Zero Trust dashboard (team domainchittycorp.cloudflareaccess.com). Suggested name:chittymcp-viewport-probe.synthetic-sharedas a single item, canonical nameCF_ACCESS_MCP_CHITTYwith fieldsclient_idandclient_secret.viewport-probe.mjs(CHITTYOS/ch1tty/scripts/viewport-probe.mjs, lines 94-99) already readsCHITTY_CF_ACCESS_CLIENT_ID/CHITTY_CF_ACCESS_CLIENT_SECRETenv vars. The hook just needs to inject them from 1Password before invocation (parallel to howviewport-hydration.shcurrently injectsCHITTY_MCP_BEARERviachitty-mcp-token).chitty-mcp-tokenhelper (or add a newchitty-cf-accesshelper) to source the pair from 1Password.Scope
Related restoration (this session)
Tasks lane was unblocked in parallel via the canonical Neon fallback path (
chitty-claimable-tasks.sh:try_neon):op read op://synthetic-shared/NEON_API_KEY/credential→neonctl connection-string --project-id cool-bar-13270800 --branch-name br-weathered-hall-akoq1ily ...Filed by: chico (ChittyConnect concierge)