Owner: Anthony (human-gated lever L-IANVA-CLOUD). Surfaced once, never nagged, never auto-pulled. This issue is the lever's permanent, individually-closeable home in the graph — the registry his-hand-levers.json is its source of truth.
Stop the claude.ai connector prompts — the whole /doctor / claude mcp list 'needs authentication' class, not just Sentry. This is the ONE re-auth disease a local gateway physically cannot fix, because claude.ai runs that OAuth from Anthropic's cloud, not your machine. Cure = expose ianva as ONE public, bearer-enforced HTTPS connector that holds every upstream's creds behind it and never returns 401, then add a SINGLE custom connector in claude.ai pointing at it — replacing the dozen per-service connectors. Needs the local face (L-IANVA-LOCAL, #262) running first. The cost is real and honest: it is internet-reachable, so it goes up bearer-first and the tunnel script REFUSES to expose an endpoint that answers /mcp without auth.
The class this owns (as of 2026-06-25, claude mcp list)
Every connector below shows ! Needs authentication. One bearer'd ianva connector fronts all of them once this lever is pulled — and any future claude.ai connector that needs auth belongs here, never in a chat:
| Connector |
Upstream MCP URL |
| Sentry |
https://mcp.sentry.dev/mcp |
| Scholar Gateway |
https://connector.scholargateway.ai/mcp |
| Indeed |
https://mcp.indeed.com/claude/mcp |
| Candid |
https://mcp.candid.org/mcp |
| Cloudflare Developer Platform |
https://bindings.mcp.cloudflare.com/mcp |
| Jam |
https://mcp.jam.dev/mcp |
| Netlify |
https://netlify-mcp.netlify.app/mcp |
Machine-readable inventory (what ianva fronts): ianva/upstreams.example.json — one oauth:true entry per upstream.
What it unlocks
the claude.ai connector re-auth prompts stop — one bearer'd connector replaces the ~17 per-service ones
Cost
~15 min once + a security pass; durable — one connector that never expires from your side
Gate
HOLD — touches your claude.ai account and exposes a public endpoint; do L-IANVA-LOCAL (#262) first
Cheapest path
python3 -m ianva.cli bearer --newbash scripts/set-credential.sh IANVA_BEARER_TOKEN # silent prompt, lands in ~/.limen.envpython3 -m ianva.cli up # restart so the gateway ENFORCES the bearerbash ianva/scripts/ianva-tunnel.sh # refuses unless /mcp returns 401 unauth'd; prints the public URL- Set
gateway.public_url in ianva.toml to <url>/mcp, then in claude.ai add ONE custom connector at that URL with the bearer in its auth header — it replaces the per-service connectors
Source
ianva (session 6cdc53d9) — disease A · generalized to the full connector class 2026-06-25 (Scholar Gateway + 5 others added) · registry: his-hand-levers.json -> lever L-IANVA-CLOUD
Close this issue when the action is done — the lever is pulled then.
Owner: Anthony (human-gated lever
L-IANVA-CLOUD). Surfaced once, never nagged, never auto-pulled. This issue is the lever's permanent, individually-closeable home in the graph — the registryhis-hand-levers.jsonis its source of truth.Stop the claude.ai connector prompts — the whole
/doctor/claude mcp list'needs authentication' class, not just Sentry. This is the ONE re-auth disease a local gateway physically cannot fix, because claude.ai runs that OAuth from Anthropic's cloud, not your machine. Cure = expose ianva as ONE public, bearer-enforced HTTPS connector that holds every upstream's creds behind it and never returns 401, then add a SINGLE custom connector in claude.ai pointing at it — replacing the dozen per-service connectors. Needs the local face (L-IANVA-LOCAL, #262) running first. The cost is real and honest: it is internet-reachable, so it goes up bearer-first and the tunnel script REFUSES to expose an endpoint that answers /mcp without auth.The class this owns (as of 2026-06-25,
claude mcp list)Every connector below shows
! Needs authentication. One bearer'd ianva connector fronts all of them once this lever is pulled — and any future claude.ai connector that needs auth belongs here, never in a chat:https://mcp.sentry.dev/mcphttps://connector.scholargateway.ai/mcphttps://mcp.indeed.com/claude/mcphttps://mcp.candid.org/mcphttps://bindings.mcp.cloudflare.com/mcphttps://mcp.jam.dev/mcphttps://netlify-mcp.netlify.app/mcpMachine-readable inventory (what ianva fronts):
ianva/upstreams.example.json— oneoauth:trueentry per upstream.What it unlocks
the claude.ai connector re-auth prompts stop — one bearer'd connector replaces the ~17 per-service ones
Cost
~15 min once + a security pass; durable — one connector that never expires from your side
Gate
HOLD — touches your claude.ai account and exposes a public endpoint; do L-IANVA-LOCAL (#262) first
Cheapest path
python3 -m ianva.cli bearer --newbash scripts/set-credential.sh IANVA_BEARER_TOKEN# silent prompt, lands in ~/.limen.envpython3 -m ianva.cli up# restart so the gateway ENFORCES the bearerbash ianva/scripts/ianva-tunnel.sh# refuses unless /mcp returns 401 unauth'd; prints the public URLgateway.public_urlin ianva.toml to<url>/mcp, then in claude.ai add ONE custom connector at that URL with the bearer in its auth header — it replaces the per-service connectorsSource
ianva (session 6cdc53d9) — disease A· generalized to the full connector class 2026-06-25 (Scholar Gateway + 5 others added) · registry:his-hand-levers.json-> leverL-IANVA-CLOUDClose this issue when the action is done — the lever is pulled then.