From 73ec93961a5dcf9964329b76affbe15b48628cfc Mon Sep 17 00:00:00 2001 From: Jacob Sussmilch Date: Tue, 12 May 2026 14:24:39 +1000 Subject: [PATCH] chore: remove Cloudflare Access section from public docs Drop the "Gated Environments (Cloudflare Access)" block from docs/concepts.md. The CF Access env vars (CF_ACCESS_CLIENT_ID/SECRET, CF_AUTHORIZATION) and per-host hosts.yml headers map continue to work unchanged; this is a documentation-only removal so the public-facing guide does not advertise the Cloudflare gating mechanism. --- docs/concepts.md | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/docs/concepts.md b/docs/concepts.md index b54200a..b5fabef 100644 --- a/docs/concepts.md +++ b/docs/concepts.md @@ -26,26 +26,6 @@ Run `kh auth login` to authenticate via browser OAuth. For headless environments Run `kh auth status` to see which method is active and whether your token is valid. -## Gated Environments (Cloudflare Access) - -Hosts behind Cloudflare Access (PR previews, staging) require additional credentials on every request. The CLI sends them as headers from two sources: - -1. **Environment variables** (precedence: env > hosts.yml): - - `CF_ACCESS_CLIENT_ID` + `CF_ACCESS_CLIENT_SECRET` -- service-token pair, sent as `CF-Access-Client-Id` / `CF-Access-Client-Secret`. Both must be set; partial values are ignored. - - `CF_AUTHORIZATION` -- the `cf_authorization` JWT minted by `cloudflared access login`, sent as `Cookie: CF_Authorization=`. -2. **Per-host `headers:` map in `hosts.yml`** -- arbitrary headers attached to every request to that host: - - ```yaml - hosts: - app-pr-1234.keeperhub.com: - token: kh_prte_... - headers: - CF-Access-Client-Id: - CF-Access-Client-Secret: - ``` - -Use env vars in CI; use `hosts.yml` for stable per-environment config that follows your machine. - ## Output Formats By default, most commands render a human-readable table. Use these flags for machine-readable output:
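Review bot: The removed `## Gated Environments (Cloudflare Access)` section in docs/concepts.md is where the hunk states the credential precedence (`env > hosts.yml`) and the rule that a partial `CF_ACCESS_CLIENT_ID` / `CF_ACCESS_CLIENT_SECRET` pair is ignored. The commit message says that behaviour continues to work unchanged. After this change the CLI still attaches credential headers from the environment and from the per-host `headers:` map, but nothing in the visible file tells a user or an auditor that it does so or which source wins. Suggest relocating the section to an internal doc rather than deleting it, and naming that location in the commit message so the behaviour stays reviewable. If the text is moved, it would also be worth adding a line on protecting `hosts.yml`, since the deleted example stores both `token:` and `CF-Access-Client-Secret:` in that file. The commit message could also say what the removal is meant to achieve, since the feature itself stays reachable through the same env vars and config keys.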