Add RequiredScopes, and remove unnecessary observability scope from container and bindings servers

Author: Maximo-Guk

apps/sandbox-container/server/index.ts

@@ -5,6 +5,7 @@ import {
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { MetricsTracker } from '@repo/mcp-observability'
 
 import { ContainerManager } from './containerManager'
@@ -32,12 +33,9 @@ export type Props = {
 }
 
 const ContainerScopes = {
-	'account:read': 'See your account info such as account details, analytics, and memberships.',
-	'user:read': 'See your user info such as name, email address, and account memberships.',
+	...RequiredScopes,
 	'workers:write':
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
-	'workers_observability:read': 'See observability logs for your account',
-	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
 export default {

apps/workers-bindings/src/index.ts

@@ -6,6 +6,7 @@ import {
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
 import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
 import { registerD1Tools } from '@repo/mcp-common/src/tools/d1'
@@ -91,13 +92,10 @@ export class WorkersBindingsMCP extends McpAgent<Env, WorkersBindingsMCPState, P
 }
 
 const BindingsScopes = {
-	'account:read': 'See your account info such as account details, analytics, and memberships.',
-	'user:read': 'See your user info such as name, email address, and account memberships.',
+	...RequiredScopes,
 	'workers:write':
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
-	'workers_observability:read': 'See observability logs for your account',
 	'd1:write': 'Create, read, and write to D1 databases',
-	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
 // Export the OAuth handler as the default

apps/workers-observability/src/index.ts

@@ -6,6 +6,7 @@ import {
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
 import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
 import { registerWorkersTools } from '@repo/mcp-common/src/tools/worker'
@@ -93,12 +94,10 @@ export class ObservabilityMCP extends McpAgent<Env, State, Props> {
 }
 
 const ObservabilityScopes = {
-	'account:read': 'See your account info such as account details, analytics, and memberships.',
-	'user:read': 'See your user info such as name, email address, and account memberships.',
+	...RequiredScopes,
 	'workers:write':
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 	'workers_observability:read': 'See observability logs for your account',
-	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
 export default new OAuthProvider({

packages/mcp-common/src/scopes.ts

@@ -0,0 +1,6 @@
+// These scopes are required for Cloudflare auth
+export const RequiredScopes = {
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'user:read': 'See your user info such as name, email address, and account memberships.',
+	offline_access: 'Grants refresh tokens for long-lived access.',
+} as const