Cloudflare Access setup for fv-dochub.pages.dev
- Estimated time: 5 minutes
- Operator task (cannot be done from Mavis sandbox — needs the Cloudflare dashboard)
- Auth model: email allowlist
- Paths to protect: `/dev/*` and `/mavis/*`
Why this is needed
docHub has three faces with different audiences:
| Face | URL path | Audience | Auth needed |
|---|---|---|---|
| User | /user/* | End users, FVS apps | None (public) |
| Dev | /dev/* | Operator + AI agents | Cloudflare Access |
| Mavis | /mavis/* | Operator + Helper + lane Mavises | Cloudflare Access |
Without Cloudflare Access, the dev and mavis faces are world-readable. That's the operator's private workspace (decisions, prompts, lane coordination) — it should not be on the open internet.
The user face stays public because that's the embeddable web-component API surface for FVS apps.
Step-by-step (5 min, browser required)
Step 1: Open Cloudflare Zero Trust dashboard
Go to: https://one.dash.cloudflare.com/
Make sure you're on the avidtech6@gmail.com account (top-right account picker if needed).
Step 2: Navigate to Access → Applications
Left sidebar → Access → Applications → Add an application → Self-hosted
Step 3: Configure the application
Application name: fv-dochub-gates (or anything memorable — this is a single app covering both /dev and /mavis paths)
Application domain:
- Choose: `fv-dochub.pages.dev`
- Subdomain: leave blank (we use path-based rules, not subdomain)
Session duration: 30 days (per D-060 spec)
Step 4: Add path-scoped policies
Under Policies, click Add a policy and create TWO policies (one per face):
Policy 1: dev-face
- Policy name: `dev-face`
- Action: Allow
- Session duration: 30 days
- Apply to: `*dev*` (path selector, matches `/dev/` and anything under it)
- Policy criteria:
  - Email → `avidtech6@gmail.com` (operator's email)
Policy 2: mavis-face
- Policy name: `mavis-face`
- Action: Allow
- Session duration: 30 days
- Apply to: `*mavis*` (path selector, matches `/mavis/` and anything under it)
- Policy criteria:
  - Email → `avidtech6@gmail.com`
(If you want lane Mavises to access, add their session-emails to the allowlist too. Currently lane Mavises authenticate via their own sandbox, so this isn't strictly needed — but you can add a broader pattern like *@minimaxi.com if desired.)
Step 5: Save and test
Hit Save in the top-right. Wait ~30 seconds for the policy to propagate.
Test 1: Anonymous access to /user/ should work
Open an incognito window. Visit:
https://fv-dochub.pages.dev/user/
Expected: 200 OK, page renders. ✅
Test 2: Anonymous access to /dev/ should bounce to login
In the same incognito window:
https://fv-dochub.pages.dev/dev/
Expected: Cloudflare Access login page (email OTP). After entering the allowlisted email, you get a 6-digit code → access granted. ✅
Test 3: Authenticated access to /mavis/prompts/ should work
After logging in via Test 2:
https://fv-dochub.pages.dev/mavis/prompts/_viewer/
Expected: 200 OK, prompt archive viewer renders. ✅
What this protects
- ✅ `/dev/` — all FVS doctrine (decisions, plans, reports, dangerous lessons, lanes)
- ✅ `/mavis/` — all Mavis coordination (prompts, decisions, bootstrap, lane profiles)
- ✅ `/mavis/prompts/_viewer/` — the prompt archive (technically behind Access, but the manifest itself doesn't contain secrets)
What this does NOT protect
- ❌ `/user/` — public by design (the web-component surface for FVS apps)
- ❌ `/embed.js` — the web component bundle (public, loaded by FVS apps)
- ❌ `/_meta.json` — top-level face index (public, used by the SPA shell)
- ❌ `/user/_meta/manifest.json` etc. — public manifests
If you want finer-grained access (e.g., protect specific decisions), add more specific path rules. The current two-policy setup protects /dev/* and /mavis/* wholesale.
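The Step 5 smoke tests and the two lists above can be checked mechanically instead of by eye. The script below is an added example, not part of this runbook and not Cloudflare tooling: it models the two policies as the path prefixes `/dev/` and `/mavis/`, judges an anonymous response the way Step 5 describes (a public path must render with 200; a gated path must redirect to the Access login on a `*.cloudflareaccess.com` team domain), and confirms the model agrees with the protected/public lists. The `example-team` host in the comments and tests and the sample `Response` values are constructed; only the `__main__` block touches the network.

```python
# Added example: verifier for the Step 5 smoke tests. Not part of the original
# runbook and not Cloudflare tooling. Policies are modelled as path prefixes
# ("/dev/*", "/mavis/*"); a redirect to "<team>.cloudflareaccess.com" counts as
# "gate is working". Sample responses used in tests are constructed.
from __future__ import annotations

from dataclasses import dataclass
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SITE = "https://fv-dochub.pages.dev"

# Path prefixes gated by each Access policy (from the runbook's policy steps).
GATED_PREFIXES = {"dev-face": "/dev/", "mavis-face": "/mavis/"}

# Paths the runbook lists as protected / deliberately public.
EXPECTED_PROTECTED = ["/dev/", "/mavis/", "/mavis/prompts/_viewer/"]
EXPECTED_PUBLIC = ["/user/", "/embed.js", "/_meta.json", "/user/_meta/manifest.json"]


def gating_policy(path: str) -> str | None:
    """Name of the policy that should gate `path`, or None when it is public."""
    for name, prefix in GATED_PREFIXES.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return name
    return None


@dataclass
class Response:
    status: int
    location: str = ""  # Location header when the response is a redirect


def classify(resp: Response) -> str:
    """'rendered' (200), 'access-login' (redirect to the Access login), or 'other'."""
    if resp.status == 200:
        return "rendered"
    host = urlsplit(resp.location).netloc.lower()
    if resp.status in (301, 302, 303, 307, 308) and host.endswith(".cloudflareaccess.com"):
        return "access-login"
    return "other"


def check_anonymous(path: str, resp: Response) -> tuple[bool, str]:
    """Judge one anonymous (logged-out) request against what Step 5 expects."""
    policy = gating_policy(path)
    seen = classify(resp)
    if policy is None:
        ok, want = seen == "rendered", "public page (200)"
    else:
        # A 200 here means the gate is NOT in force: the face is world-readable.
        ok, want = seen == "access-login", f"Access login redirect ({policy})"
    return ok, f"{path}: expected {want}, got {seen} ({resp.status})"


def coverage_report() -> dict[str, bool]:
    """True for every listed path whose gating matches the runbook's intent."""
    report = {p: gating_policy(p) is not None for p in EXPECTED_PROTECTED}
    report.update({p: gating_policy(p) is None for p in EXPECTED_PUBLIC})
    return report


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Access hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled -> urllib raises HTTPError with the 3xx


def fetch(path: str, timeout: float = 10.0) -> Response:
    """Real anonymous GET (no cookies) capturing status and Location."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(SITE + path, timeout=timeout) as r:
            return Response(r.status)
    except urllib.error.HTTPError as e:  # raised for 3xx and 4xx
        return Response(e.code, e.headers.get("Location", ""))


if __name__ == "__main__":
    # Live anonymous run of Test 1 and Test 2 (plus the mavis face, which
    # must also bounce when logged out). Test 3 needs a browser session.
    for p in ["/user/", "/dev/", "/mavis/prompts/_viewer/"]:
        ok, msg = check_anonymous(p, fetch(p))
        print(("PASS " if ok else "FAIL ") + msg)
```

Run it right after the ~30 second propagation wait in Step 5; a `FAIL /dev/: expected Access login redirect (dev-face), got rendered (200)` line is the signal that the policy has not taken effect and the dev face is still world-readable.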
Lane-Mavis access
Lane Mavises (🟠 cards, 🟣 chrome, 🟢 fvre, 🟪 doctrine) currently operate inside the Mavis sandbox with their own authentication. They don't need Cloudflare Access because they access docHub via the GitHub API (not the browser). If you want them to access docHub directly via the web component, add their session IDs to the allowlist — but this isn't needed for the current architecture.
Rollback
If something goes wrong, delete the application in Access → Applications. Within ~30 seconds, the /dev/ and /mavis/ paths become world-readable again (back to the unprotected state).
Decision trace
- D-060 established the three-flag model and explicitly called for `dev` and `mavis` faces to be deployable but auth-gated. This doc is the implementation.
- D-064 migrated the Cloudflare project from `docshub-1pit` to `fv-dochub`, so the path-protected domain is now `fv-dochub.pages.dev`.
- Operator directive 2026-06-23 15:21 ("NEVER embed mavis face in FVS apps; NEVER redistribute mavis content") is enforced by this Access policy.
Time saved for next time
After you've done this once, you can clone the policy for fv-vibehub.pages.dev (Q2) in ~2 minutes. The same auth-gating pattern applies.