📋 Pre-flight Checks
🔍 Problem Description
Engram cloud sync only supports ENGRAM_CLOUD_TOKEN (Authorization: Bearer).
Deployments behind Cloudflare Access, reverse proxies, or zero-trust networks require additional service headers on every outgoing request.
For example:
CF-Access-Client-Id and CF-Access-Client-Secret. Currently there is no way to inject these without patching the binary, making programmatic sync impossible when the server sits behind an Access policy (results in a 302 redirect to login).
💡 Proposed Solution
Add ENGRAM_CLOUD_EXTRA_HEADERS env var accepting comma-separated Key: Value pairs injected into all outgoing cloud sync HTTP requests:
ENGRAM_CLOUD_EXTRA_HEADERS="CF-Access-Client-Id: abc.access, CF-Access-Client-Secret: secret"
- Parsed once at construction, zero allocation per request
- Authorization override rejected (security guardrail)
- Malformed pairs skipped with a warning; values never logged
- Fully backward-compatible, no change when unset
📦 Affected Area
MCP Server (tools, transport)
🔄 Alternatives Considered
- Wrapping engram in a proxy that injects headers but adds infrastructure complexity
- Using ENGRAM_CLOUD_TOKEN but only covers Authorization, not service headers
- Patching the binary per deployment
📎 Additional Context
Verified working against a self-hosted engram instance behind Cloudflare Tunnel + Access policy. Without the headers, every sync request gets a 302 to the CF Access login page.
With ENGRAM_CLOUD_EXTRA_HEADERS set, sync completes successfully.
📋 Pre-flight Checks
status:approvedbefore a PR can be opened🔍 Problem Description
Engram cloud sync only supports ENGRAM_CLOUD_TOKEN (Authorization: Bearer).
Deployments behind Cloudflare Access, reverse proxies, or zero-trust networks require additional service headers on every outgoing request.
For example:
CF-Access-Client-Id and CF-Access-Client-Secret. Currently there is no way to inject these without patching the binary, making programmatic sync impossible when the server sits behind an Access policy (results in a 302 redirect to login).
💡 Proposed Solution
Add ENGRAM_CLOUD_EXTRA_HEADERS env var accepting comma-separated Key: Value pairs injected into all outgoing cloud sync HTTP requests:
ENGRAM_CLOUD_EXTRA_HEADERS="CF-Access-Client-Id: abc.access, CF-Access-Client-Secret: secret"
📦 Affected Area
MCP Server (tools, transport)
🔄 Alternatives Considered
📎 Additional Context
Verified working against a self-hosted engram instance behind Cloudflare Tunnel + Access policy. Without the headers, every sync request gets a 302 to the CF Access login page.
With ENGRAM_CLOUD_EXTRA_HEADERS set, sync completes successfully.