Cloudflare Access setup for docHub
Audience: operator When: after the first successful deploy, before sharing the URL with anyone Where to do it: Cloudflare Zero Trust dashboard
The user/ face of docHub is public. The dev/ and mavis/ faces need email-allowlist auth so random people can't read the operator + Mavis workshop.
What to set up
1. Application: docHub — Public + Auth
Create one Cloudflare Access application covering the whole docshub-1pi.pages.dev site. Path-scoped policies inside it gate /dev/* and /mavis/* while leaving / and /user/* open.
| App field | Value |
|---|---|
| Application name | docHub |
| Application domain | docshub-1pi.pages.dev |
| Application type | Self-hosted (or whatever Cloudflare calls Pages-hosted now) |
2. Policies inside the app
Policy 1: deny-dev-and-mavis-anonymous
- Action: Allow (so anyone can try)
- Rules: Email is in
{your-allowlist-emails} - Apply to paths:
/dev/*,/mavis/*,/mavis,/dev - Session duration: 30 days (default)
This is the email-OTP gate. Anyone hitting /dev/ or /mavis/ gets the email code prompt. You and any other allowed emails get in.
Policy 2 (optional): allow-user-public
- Action: Allow (no rule conditions)
- Apply to paths:
/,/user/*,/user,/_meta.json,/styles.css,/embed.js
Without this, public paths still work (Access default is "open" unless explicitly matched by a path-scoped policy). Add this only if you want the policy to be visible/explicit.
Recommended allowlist
At minimum:
avidtech6@gmail.com(operator)
Add others as needed. Each one becomes a Mavis or a human who can read the dev/mavis faces.
Session duration
- Default: 30 days. Set it to this unless you want shorter.
- Where: Application → Session duration
- Per-browser: sessions are tied to the browser profile that authenticated. New browser = new email OTP.
Service tokens (optional, future)
If you want a Mavis in a different sandbox to fetch /mavis/_meta/manifest.json programmatically, you need a service token. Without it, programmatic fetches work (Access protects browser requests, not all routes), but you can't attribute the request to a specific Mavis identity.
Skip for now. Add when needed.
How to verify
After applying the policy, visit https://docshub-1pi.pages.dev/dev/ in an incognito browser. You should see the Cloudflare Access email-OTP wall. Enter your email, get the code, paste it, get in.
If /user/ and / still load without a wall, the policy is scoped correctly. If /user/ also gets a wall, your policy is too broad — narrow the path scope.
Tear-down
If you need to remove the Access wall (e.g., for debugging the public site), edit the policy and remove the /dev/* and /mavis/* path scope. Or delete the application.
What about the Mavis ??? protocol?
??? is independent of Cloudflare Access. It's a chat convention between Mavis sessions and the operator. Access gates browser access to /mavis/* content; ??? is for cross-Mavis coordination in chat.
A Mavis authenticated to the email allowlist can browse /mavis/* freely. A Mavis session that gets ??? in its chat thread runs the wake-up protocol regardless of Access.
Operator action item
- Log in to https://one.dash.cloudflare.com/
- Go to Zero Trust → Access → Applications
- Create application as described above
- Confirm with the operator before sharing the URL
This is a 5-minute operator task. Once done, docHub is production-grade.