πŸ›°οΈ Platform Intel β€” 🟒 Implement Audit

Every release/change-log post labeled Implement since the reviewer started Β· through Wed Jul 8, 2026 07:00 PDT Β· Source: reviewer session transcripts (#platform-intel)
Bottom line: The reviewer has labeled 75 posts 🟒 Implement (59 unique tools/features after de-duping repeat reviews of the same thing). Of those unique items, ~5 are actually live in our stack, ~3 are partially/adjacently covered, and ~51 are recommended-but-never-implemented. The label is a recommendation; there's no closed loop turning it into action. This audit closes that loop with a tiered roadmap.
75
Implement labels
59
Unique items
5
Live in use
51
Not yet done
Full label distribution across all reviews: πŸ‘€ Watch 208 Β· ⏭️ Skip 81 Β· 🟒 Implement 75. Zero πŸ”¬ Investigate/Deny.

βœ… Implemented & in use β€” evidence-backed

ItemStatusEvidence / where it lives
Claude Opus 4.8LIVEIva's primary model (claude-cli OAuth). Running now.
Claude Fable 5 promotional accessLIVEActive trial on ACP coding spawns; promo extended to Jul 12.
Cloudflare Wrangler auth profilesLIVEUsed for CF token/profile management (iva-full-access + ephemeral minted tokens).
Cloudflare Workers bulk secrets APIUSEDUsed for the ARS retired-worker secret scrub (12 bulk deletes, Jun 30).
Cloudflare Logpush β€” account-scoped eventsLIVELogpush job ars-crm-workers-trace β†’ R2 (job 1759256), forensic pipeline.

🟑 Partial / adjacent β€” infra present, this specific upgrade not adopted

ItemStatusGap
CF Access β€” IdP federation / SAML encryption / self-managed OAuthPARTIALCF Access / Zero Trust gating is live (5+ IL Pages sites) but on email OTP, not the newer CF-as-IdP / federation.
CF AI Gateway β€” spend limits & identity budgetsPARTIALWe cap Gemini spend via a separate config file, not through CF AI Gateway's native spend controls.
CF Audit Logs v2 / account-scoped firewall eventsPARTIALLogpush forensic job exists for ARS workers-trace; not extended org-wide or to firewall-events dataset.

⬜ Recommended but not yet implemented β€” 51 items

Grouped by the roadmap tier below. This is the backlog.

πŸ—ΊοΈ Roadmap β€” how we action these going forward

⚠️ Forced changes (deprecations/EOL) β€” act only if we depend on them: CF Sandbox SDK deprecation migration, CF AMP/SXG end-of-life, DO Serverless Inference prepaid-balance requirement, CF Workflows per-step billing (starts Aug 10). These aren't optional if in use β€” audit dependency first.

Tier 1 β€” High leverage, do now NEXT 2 WEEKS

Agent-infra, cost control, and security on our Cloudflare-heavy stack. Highest ROI.
ItemWhy / action
CF AI Gateway spend limits & identity-driven budgetsRoute swarm model calls through AI Gateway with hard spend caps. Replaces ad-hoc Gemini caps with one control plane across all agents.
CF Agents SDK v0.17.0Upgrade agent workers to current SDK (schedules, rollback context). Foundation for the items below.
Temporary Cloudflare Accounts for AI agentsIsolate agent deployments into scoped/temp accounts β†’ blast-radius containment. Directly relevant post-ARS cleanup.
CF Workers VPC β€” route egress through Gateway policiesLock down swarm worker public egress. Security + auditability.
CF Access IdP federation + self-managed OAuthUpgrade the Zero Trust gating from email OTP to CF-as-IdP for internal surfaces. Lower friction, stronger auth.
CF Audit Logs v2 + account-scoped LogpushExtend the forensic Logpush pipeline org-wide, not just ARS workers-trace.
CF Workers bulk secrets API β†’ rotation toolingAlready used ad-hoc; formalize into a repeatable secret-rotation script (ties to the god-token rotation still open).

Tier 2 β€” Selective, when we touch the relevant system THIS QUARTER

ItemTrigger / action
CF Workflows β€” saga rollbacks + binding schedulesAdopt on the next multi-step worker pipeline (Premium Lead Machine, enrichment).
CF MCP portals with service tokens + tool aliasesExpose internal IL tools to agents via a governed MCP portal.
CF Browser Run β€” multi-format snapshot outputSwap into browser-QA/scrape flows for cleaner structured captures.
CF Workers Cache + memory usage metricsObservability + perf for swarm workers.
CF Gateway granular roles + Security Center scans + WAF threat-intel fieldsOne security-hardening pass across the account.
PostHog β€” AI observability / warehouse / Slack appWire PostHog into agent telemetry + bug flow.
Model adds: Sonnet 5 Β· GPT-5.6 Sol Β· Kimi K2.7 CodeBenchmark as sub-agent / fallback models vs current chain.
CF Agents sandbox preview tunnels Β· CF self-managed OAuth clientsDev-loop + auth quality-of-life for agent tooling.

Tier 3 β€” Evaluate, low urgency BACKLOG

ItemNote
Google Colab CLI Β· DO Private Droplets Β· DO Serverless Inference prepaidOnly if a workload needs them.
Claude in MS Foundry Β· Claude Tag for Slack Β· Codex role plugins/Sites Β· OpenAI DaybreakEcosystem features; adopt if a workflow calls for it.
CF PQC ML-DSA origin certs Β· named recipient addresses Β· One Client updates Β· Gateway granular rolesNice-to-have hardening / housekeeping.
CF "Flue" agent harness Β· Agent Quality Flywheel Β· Codex long-running whitepaperReference/architecture reading, not config changes.
PostHog Scout / autoresearch / DuckDB warehouse deep-divesInformational unless we adopt PostHog deeper.
Process fix (the real win): Add a status field to the reviewer so every 🟒 Implement post auto-opens a tracked task (Linear/ClickUp) and reports back when done β€” so "Implement" stops meaning "noted" and starts meaning "shipped." I can wire this into the Platform Intel Reviewer cron.
Generated by Iva πŸ¦ΉπŸ»β€β™€οΈ Β· Intuitive Labs Β· 2026-07-08 Β· Status column reflects evidence in MEMORY.md + live config; items marked PARTIAL/NOT-DONE were not verified against live Cloudflare state in this pass and can be confirmed on request.