CF Access cleanup pass — 3 apps + library prune (parked 2026-05-27)
DARE.CO.UK · PARKED SKETCH · 2026-05-30
Mirrored from ~/.claude/.../memory/parked_sketch_cf_access_cleanup_pass_2026-05-27.md. This is a design sketch parked for future build — read for context, not as a current deliverable.
Three Access apps (kb.gf.cx, ask-opus.gf.cx, claim.gf.cx) need a bypass + allow policy pass, but the CF Access dashboard UI is so deeply nested + repetitive that Dan hit hard fatigue (“way way way too complex and nested”). Parked until either (a) Dan wants to do them all in one batch sitting, or (b) we mint a real write-capable Access token. API can DELETE but not POST/PATCH on Access apps with current tokens.
Status as of 2026-05-27 stop-work
| App | Needs | Resume action |
|---|---|---|
| kb.gf.cx | Add Owner Only ALLOW policy (id 9fc9526b or 34405122). Currently has 2 bypass policies and ZERO allow — locked out from non-home networks. | Dashboard: Apps → kb.gf.cx → Policies → Add existing policy → “Owner Only (allow)” → Save the app (this is the step that got missed; the staged add didn’t persist) |
| ask-opus.gf.cx/api/ask (Portfolio AI connector) | Add Bypass home IP policy | Dashboard: same shape, attach Bypass home IP (bypass) from the dropdown |
| claim.gf.cx | Add Bypass home IP policy | Same shape |
| Library cleanup | After above, delete remaining orphans via API | Claude can do via ~/bin/cf-api DELETE accounts/{acct}/access/policies/{id} — see verify list below |
Resume conditions
Do this when ALL of:
1. Dan has fresh energy + 15 uninterrupted minutes
2. Dashboard work can be batched (do all 3 apps in one pass, not three separate visits)
3. Optionally: a new write-capable Access token is minted first (per feedback_cf_access_token_verify_with_post_create_test.md) so future work is fully programmatic
Pre-loaded API DELETE list (Claude runs after Dan’s dashboard pass)
Library policies safe to delete IF the dashboard pass completes correctly:
�STASH7�
Canonicals to standardize on:
- 72b6b0cf-0916-4526-8bc8-e5f153691f29 — Bypass home IP (decision=bypass, ip=108.52.141.41/32). Originated on pa.gf.cx.
- 9fc9526b-2bd5-41b6-8cbf-fd77e7e8acc9 — Owner Only (decision=allow, 4 emails). Most-used.
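An added example, not part of the original sketch or of ~/bin/cf-api: a pre-delete gate for the "safe to delete IF the dashboard pass completes correctly" condition, which names no library policy as deletable until each app carries the policy the status table says it needs. The record shape (domain, policies, id, decision) and every constructed-* id are assumptions; only the two canonical ids come from the sketch.

```python
BYPASS_HOME = "72b6b0cf-0916-4526-8bc8-e5f153691f29"  # canonical, from the sketch
OWNER_ONLY = "9fc9526b-2bd5-41b6-8cbf-fd77e7e8acc9"   # canonical, from the sketch
CANONICALS = {BYPASS_HOME: "bypass", OWNER_ONLY: "allow"}
REQUIRED = {  # policy each app still needs, per the status table
    "kb.gf.cx": OWNER_ONLY,
    "ask-opus.gf.cx/api/ask": BYPASS_HOME,
    "claim.gf.cx": BYPASS_HOME,
}

def missing_policies(apps):
    """Map each app to the required canonical policy it does not have attached."""
    return {a["domain"]: REQUIRED[a["domain"]] for a in apps
            if a["domain"] in REQUIRED
            and REQUIRED[a["domain"]] not in {p["id"] for p in a["policies"]}}

def bypass_only(apps):
    """Apps with no allow decision: reachable only from bypassed networks."""
    return [a["domain"] for a in apps
            if not any(p["decision"] == "allow" for p in a["policies"])]

def deletable(candidates, apps):
    """Gate on the dashboard pass, then keep canonicals and attached policies."""
    if missing_policies(apps):
        return []  # pass incomplete: delete nothing
    attached = {p["id"] for a in apps for p in a["policies"]}
    return [c for c in candidates if c not in CANONICALS and c not in attached]

def with_policy(apps, domain, pid):
    """Copy of apps with canonical policy pid attached to one app."""
    extra = [{"id": pid, "decision": CANONICALS[pid]}]
    return [dict(a, policies=a["policies"] + extra) if a["domain"] == domain else a
            for a in apps]

# Constructed state: kb.gf.cx has 2 bypass and zero allow as in the sketch; which
# policies those are, the other apps' policies and all "constructed-*" ids are made up.
BEFORE = [
    {"domain": "kb.gf.cx", "policies": [
        {"id": BYPASS_HOME, "decision": "bypass"},
        {"id": "constructed-dup-bypass", "decision": "bypass"}]},
    {"domain": "ask-opus.gf.cx/api/ask", "policies": [{"id": OWNER_ONLY, "decision": "allow"}]},
    {"domain": "claim.gf.cx", "policies": [{"id": OWNER_ONLY, "decision": "allow"}]},
]
AFTER = BEFORE
for domain, pid in REQUIRED.items():
    AFTER = with_policy(AFTER, domain, pid)
CANDIDATES = ["constructed-orphan-1", "constructed-dup-bypass", OWNER_ONLY]

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_policies(state), bypass_only(state), deletable(CANDIDATES, state))
```

In the constructed "after" state only constructed-orphan-1 is returned: the duplicate bypass is still attached to kb.gf.cx and Owner Only is a canonical, so both are held back.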
Why parked, specifically
Dan: “It’s way way way too complex and nested, within nested, with variances!”
The CF Access dashboard for policy management requires:
- Apps menu → click app row → Policies tab → either “Add existing” (multi-level dropdown with 6-10 lookalike options) or “Create new” (separate full form with rules, action, session settings)
- After adding: scroll to bottom, Save the app (easy to miss; staged adds don’t persist without this)
- Reusable policy library lives separately (Access → Policies); editing a reusable policy is a 5-click round-trip per change
- Multiple policies with identical names + different actions creates pick-the-right-one cognitive load
Doing this for 3 apps + library cleanup = ~30 dashboard interactions. Anyone would get exhausted. Park until energy returns OR token-write path is unblocked.
Cross-refs
- feedback_audit_cleanup_work_is_fatigue_inducing.md — DO NOT push more clicks today
- feedback_cf_access_token_verify_with_post_create_test.md — recipe to mint a real write-capable token next time
- feedback_cf_access_apps_edit_token_create_api_blocked_2026-05-27.md — the current token’s actual scope (GET+DELETE only)
- user_cf_access_session_30day_default.md — Dan’s preferred session duration