Agent Access: Query int-docs via MCP

Issue a CF Access service token and query the int-docs corpus from a Claude Code session using mcp2cli — no browser login required.
Audit stamp: Verified — 2026-06-19 — Phenom AI Agent
Verified · 2026-06-19 · Phenom AI Agent
Source: CF Worker at int-docs-mcp.thephenom.app/mcp; CF Access service-token policy; wrangler deploy
C2PA signed · SanMarcSoft AI content credential

Agentic sessions (Claude Code, autonomous agents) cannot use the browser-based Cognito overlay. The int-docs corpus is exposed via a Cloudflare Worker serving MCP JSON-RPC at https://int-docs-mcp.thephenom.app/mcp, gated by a Cloudflare Access service-token policy.

The Worker enforces Cloudflare Access authentication. Requests must carry a valid CF Access service-token pair. Obtain the token pair from pass:

export CF_ID=$(pass show phenom/cf-access-int-docs-mcp-client-id)
export CF_SEC=$(pass show phenom/cf-access-int-docs-mcp-client-secret)

mcp2cli usage

# List all runbooks (includes audit stamp state)
mcp2cli --mcp https://int-docs-mcp.thephenom.app/mcp \
  --header "CF-Access-Client-Id: $CF_ID" \
  --header "CF-Access-Client-Secret: $CF_SEC" \
  --toon list-runbooks

# Fetch a full runbook with audit stamp
mcp2cli --mcp https://int-docs-mcp.thephenom.app/mcp \
  --header "CF-Access-Client-Id: $CF_ID" \
  --header "CF-Access-Client-Secret: $CF_SEC" \
  --toon get-runbook --slug "how-to/runbooks/api-thephenom-app"

# Full-text search across all 241 docs with audit state in results
mcp2cli --mcp https://int-docs-mcp.thephenom.app/mcp \
  --header "CF-Access-Client-Id: $CF_ID" \
  --header "CF-Access-Client-Secret: $CF_SEC" \
  --toon search --query "cognito"

# List all audit stamps with C2PA credential detail
mcp2cli --mcp https://int-docs-mcp.thephenom.app/mcp \
  --header "CF-Access-Client-Id: $CF_ID" \
  --header "CF-Access-Client-Secret: $CF_SEC" \
  --toon list_audit_stamps

# Filter to only VERIFIED stamps
mcp2cli --mcp https://int-docs-mcp.thephenom.app/mcp \
  --header "CF-Access-Client-Id: $CF_ID" \
  --header "CF-Access-Client-Secret: $CF_SEC" \
  --toon list_audit_stamps --state verified

# List docs in a section
mcp2cli --mcp https://int-docs-mcp.thephenom.app/mcp \
  --header "CF-Access-Client-Id: $CF_ID" \
  --header "CF-Access-Client-Secret: $CF_SEC" \
  --toon list-docs --category "how-to"

Available tools

Tool What it does
search Full-text ranked search across all 241 docs; results include audit state
list_runbooks List all 14 Phenom asset runbooks with audit state, date, and validated-by
get_runbook Fetch a full runbook by slug with audit stamp and C2PA credential block
list_audit_stamps All stamped pages grouped by state; runbooks include C2PA credential detail
list_docs List all docs, optionally filtered by section
get_doc Fetch any doc by slug with audit metadata

Health check (public, no auth)

curl -s https://int-docs-mcp.thephenom.app/health | python3 -m json.tool
# Expected:
# {
#   "status": "ok",
#   "name": "phenom-int-docs",
#   "version": "2.0.0",
#   "docs": 241,
#   "runbooks": 14,
#   "audit_stamped": 14
# }

Audit stamps in MCP responses

Every runbook tool response includes the audit stamp and C2PA credential inline.

get_runbook prepends a structured block with the full C2PA provenance chain:

# NEST Runbook [audit:verified · 2026-06-19 · Phenom AI Agent]

---
**Audit stamp:** VERIFIED
**Date:** 2026-06-19
**Validated by:** Phenom AI Agent

**C2PA Credential:**
- Signed by: sign.trusteddit.com (Trusteddit.com)
- Issuer CA: Trusteddit-Journalist-Issuer-CA
- Claim generator: Trusteddit/1.0 c2pa-node/0.0.0 c2pa-rs/0.49.2
- Action: c2pa.created via Trusteddit Signing API
- Timestamp (TSA): 2026-06-19T12:56:54Z
- Certificate valid: 2026-03-03 to 2027-03-03
- Cert chain depth: 3
- Manifest size: 73,769 bytes
---

## What it is
...

list_audit_stamps groups by state and appends the C2PA signer/CA/timestamp on the same line:

- **NEST Runbook** (`how-to/runbooks/nest-thephenom-app`) · 2026-06-19 · Phenom AI Agent | C2PA: sign.trusteddit.com via Trusteddit-Journalist-Issuer-CA @ 2026-06-19T12:56:54Z

list_runbooks appends [audit:verified · 2026-06-19 · Phenom AI Agent] inline after each title.

Provisioning the CF Access service token (one-time per agent identity)

  1. In the Cloudflare Zero Trust dashboard, navigate to Access > Service Auth > Service Tokens.
  2. Create a new service token named phenom-int-docs-mcp-<agent-name>.
  3. Copy the Client ID and Client Secret.
  4. Store in pass: 
    pass insert phenom/cf-access-int-docs-mcp-client-id
pass insert phenom/cf-access-int-docs-mcp-client-secret
  5. Add the token to the Access policy for int-docs-mcp.thephenom.app.

Path B — Browser session via agent token (for Interceptor sessions)

When an agent needs to navigate the full rendered Hugo site (not just raw markdown), use the CF Zero Trust int-docs-agent client credentials fast-path:

# 1. Obtain a short-lived access token (1 hour TTL)
TOKEN=$(bash scripts/agent-token.sh)

# 2. Inject into the browser session before navigating
interceptor eval "localStorage.setItem('nest.agent_token', '${TOKEN}')"

# 3. Navigate to int-docs
interceptor open "https://int-docs.matthewstevens.org/"

# 4. Confirm auth passed
interceptor text | grep -i "phenom internal docs"

Refreshing the token

TOKEN=$(bash scripts/agent-token.sh)
interceptor eval "localStorage.setItem('nest.agent_token', '${TOKEN}')"

Which path should I use?

Scenario Path
Read runbook content programmatically Path A (MCP Worker)
Search for a specific topic across all docs Path A (MCP Worker)
Check audit stamp state of a runbook Path A — included in all responses
Navigate the rendered site, follow links, take screenshots Path B (token + Interceptor)
Run a full QA pass on the deployed site Path B (token + Interceptor)

Path A is faster (no browser, pure JSON), uses ~96% fewer tokens per query, and does not require a browser session.


Last modified June 19, 2026: Merge branch 'content/d5-media-runbook-update': wrangler fix + TSA proxy (c306836)