1. The access collection black hole

You need Figma access, Google Analytics, WordPress admin, GitHub, and the client's Slack. You ask. They forward a password email from two years ago. You ask again. Their developer says they'll get back to you. Three days pass.

The fix: Send a single, complete access list on Day 1 — not "we'll need some access" but the exact list, with specifics for each tool,

The problem: too many clients, too few discovery hooks

We expose Supabase Edge Functions as MCP (Model Context Protocol) servers. The clients that hit them are heterogeneous — Claude Desktop, Codex CLI, Cursor, VS Code Continue, a couple of in-house browser extensions. None of them ship with a hard-coded "use WorkOS AuthKit, scope is tool:ai_chat, audience must contain urn:jibun:tool:<tool>" rec