Working MCP Inspector CF1 CASB Toolchain

Author: Frank Meszaros

.cursor/mcp.json

@@ -0,0 +1,7 @@
+{
+  "mcpServers": {
+    "cloudflare-one-casb-local": {
+      "url": "http://localhost:8976/sse"
+    }
+  }
+}

apps/cloudflare-one-casb/.dev.vars.example

@@ -1,2 +1,2 @@
 CLOUDFLARE_CLIENT_ID=
-CLOUDFLARE_CLIENT_SECRET=
+CLOUDFLARE_CLIENT_SECRET=

apps/cloudflare-one-casb/package.json

@@ -14,7 +14,7 @@
 	"dependencies": {
 		"@cloudflare/workers-oauth-provider": "0.0.2",
 		"@hono/zod-validator": "0.4.3",
-		"@modelcontextprotocol/sdk": "1.8.0",
+		"@modelcontextprotocol/sdk": "1.9.0",
 		"@repo/mcp-common": "workspace:*",
 		"agents": "0.0.49",
 		"cloudflare": "4.2.0",

apps/cloudflare-one-casb/src/index.ts

@@ -4,13 +4,15 @@ import { McpAgent } from 'agents/mcp'
 import { env } from 'cloudflare:workers'
 
 import {
-	CloudflareAuthHandler,
+	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
 
 import { registerIntegrationsTools } from './tools/integrations'
 
+
+
 import type { AccountSchema, UserSchema } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 
 // Context from the auth process, encrypted & stored in the auth token
@@ -22,8 +24,8 @@ export type Props = {
 }
 
 export type State = { activeAccountId: string | null }
-
 export class MyMCP extends McpAgent<Env, State, Props> {
+	// @ts-ignore
 	server = new McpServer({
 		name: 'Remote MCP Server with Workers Observability',
 		version: '1.0.0',
@@ -34,11 +36,9 @@ export class MyMCP extends McpAgent<Env, State, Props> {
 	}
 
 	async init() {
+		// @ts-ignore
 		registerAccountTools(this)
-
-		registerIntegrationsTools(this, env.CLOUDFLARE_GLOBAL_API_KEY)
-
-		// TODO: registerFindingsTools @mleslie
+		registerIntegrationsTools(this)
 	}
 
 	getActiveAccountId() {
@@ -64,13 +64,22 @@ export class MyMCP extends McpAgent<Env, State, Props> {
 		}
 	}
 }
+const CloudflareOneCasbScopes = {
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'user:read': 'See your user info such as name, email address, and account memberships.',
+	'workers:write':
+		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
+	'workers_observability:read': 'See observability logs for your account',
+	'teams:read': 'See Cloudflare One Resources',
+	offline_access: 'Grants refresh tokens for long-lived access.',
+} as const
 
 export default new OAuthProvider({
 	apiRoute: '/sse',
 	// @ts-ignore
 	apiHandler: MyMCP.mount('/sse'),
 	// @ts-ignore
-	defaultHandler: CloudflareAuthHandler,
+	defaultHandler: createAuthHandlers({ scopes: CloudflareOneCasbScopes }),
 	authorizeEndpoint: '/oauth/authorize',
 	tokenEndpoint: '/token',
 	tokenExchangeCallback: (options) =>