Collective Vision

Cloudflare Access

Restrict preview deployments on the admin and docs Pages projects while keeping production public.

This project ships two Cloudflare Pages projects. The org policy requires every Pages project to restrict its preview deployments — the auto-generated per-commit <hash>.<project>.pages.dev URLs — so they can't be crawled or leak un-hardened prototypes. The production aliases stay public.

Projects

Pages projectProduction URLContents
collective-vision-admin-devcollective-vision-admin-dev.pages.devPublic marketing landing + admin SPA (login-gated app routes)
collective-vision-docs-devcollective-vision-docs-dev.pages.devPublic product documentation (this site)

What to restrict (and what to leave public)

Both production aliases are intentionally public: this docs site is end-user documentation, and the admin project's production alias serves the public marketing landing. The admin app routes already self-gate via the worker's ADMIN_API_TOKEN login (src/middleware/auth.ts). So Access is applied to preview deployments only.

SurfaceAccess policy
*.collective-vision-admin-dev.pages.dev (preview hashes)Restrict to the owner
collective-vision-admin-dev.pages.dev (production)Public (app routes self-gate via admin login)
*.collective-vision-docs-dev.pages.dev (preview hashes)Restrict to the owner
collective-vision-docs-dev.pages.dev (production)Public (product docs)
feedback-dev.jfcreations.com (the Worker, not Pages)Public by design — the widget + API embed on third-party sites

Enable it (dashboard)

For each Pages project:

  1. Cloudflare Dashboard → Workers & Pages → select the project → SettingsGeneral.
  2. Under Access policy (in the Preview deployments section) click Enable. This creates a Zero Trust Access application scoped to the project's preview hostnames.
  3. Allow only the owner's identities (email allow-list or an Access Group).
  4. Identity provider: One-time PIN (email OTP) is sufficient.
  5. Save, then open a preview URL in an incognito window to confirm it prompts for auth while the production alias still loads publicly.

wrangler has no command for this — preview Access is a Zero Trust Access application, configured in the dashboard (or via the account-scoped Access Applications API in CI once a token is available).

DNS Setup

Connect a client's custom domain to their Collective Vision deployment.

MCP Integration

Let AI agents read and write feedback over a JSON-RPC 2.0 MCP surface.

On this page

ProjectsWhat to restrict (and what to leave public)Enable it (dashboard)