π°οΈ Platform Intel β π’ Implement Audit
Every release/change-log post labeled Implement since the reviewer started Β· through Wed Jul 8, 2026 07:00 PDT Β· Source: reviewer session transcripts (#platform-intel)
Bottom line: The reviewer has labeled 75 posts π’ Implement (59 unique tools/features after de-duping repeat reviews of the same thing). Of those unique items, ~5 are actually live in our stack, ~3 are partially/adjacently covered, and ~51 are recommended-but-never-implemented. The label is a recommendation; there's no closed loop turning it into action. This audit closes that loop with a tiered roadmap.
Full label distribution across all reviews: π Watch 208 Β· βοΈ Skip 81 Β· π’ Implement 75. Zero π¬ Investigate/Deny.
β
Implemented & in use β evidence-backed
| Item | Status | Evidence / where it lives |
| Claude Opus 4.8 | LIVE | Iva's primary model (claude-cli OAuth). Running now. |
| Claude Fable 5 promotional access | LIVE | Active trial on ACP coding spawns; promo extended to Jul 12. |
| Cloudflare Wrangler auth profiles | LIVE | Used for CF token/profile management (iva-full-access + ephemeral minted tokens). |
| Cloudflare Workers bulk secrets API | USED | Used for the ARS retired-worker secret scrub (12 bulk deletes, Jun 30). |
| Cloudflare Logpush β account-scoped events | LIVE | Logpush job ars-crm-workers-trace β R2 (job 1759256), forensic pipeline. |
π‘ Partial / adjacent β infra present, this specific upgrade not adopted
| Item | Status | Gap |
| CF Access β IdP federation / SAML encryption / self-managed OAuth | PARTIAL | CF Access / Zero Trust gating is live (5+ IL Pages sites) but on email OTP, not the newer CF-as-IdP / federation. |
| CF AI Gateway β spend limits & identity budgets | PARTIAL | We cap Gemini spend via a separate config file, not through CF AI Gateway's native spend controls. |
| CF Audit Logs v2 / account-scoped firewall events | PARTIAL | Logpush forensic job exists for ARS workers-trace; not extended org-wide or to firewall-events dataset. |
β¬ Recommended but not yet implemented β 51 items
Grouped by the roadmap tier below. This is the backlog.
πΊοΈ Roadmap β how we action these going forward
β οΈ Forced changes (deprecations/EOL) β act only if we depend on them: CF Sandbox SDK deprecation migration, CF AMP/SXG end-of-life, DO Serverless Inference prepaid-balance requirement, CF Workflows per-step billing (starts Aug 10). These aren't optional if in use β audit dependency first.
Tier 1 β High leverage, do now NEXT 2 WEEKS
Agent-infra, cost control, and security on our Cloudflare-heavy stack. Highest ROI.
| Item | Why / action |
| CF AI Gateway spend limits & identity-driven budgets | Route swarm model calls through AI Gateway with hard spend caps. Replaces ad-hoc Gemini caps with one control plane across all agents. |
| CF Agents SDK v0.17.0 | Upgrade agent workers to current SDK (schedules, rollback context). Foundation for the items below. |
| Temporary Cloudflare Accounts for AI agents | Isolate agent deployments into scoped/temp accounts β blast-radius containment. Directly relevant post-ARS cleanup. |
| CF Workers VPC β route egress through Gateway policies | Lock down swarm worker public egress. Security + auditability. |
| CF Access IdP federation + self-managed OAuth | Upgrade the Zero Trust gating from email OTP to CF-as-IdP for internal surfaces. Lower friction, stronger auth. |
| CF Audit Logs v2 + account-scoped Logpush | Extend the forensic Logpush pipeline org-wide, not just ARS workers-trace. |
| CF Workers bulk secrets API β rotation tooling | Already used ad-hoc; formalize into a repeatable secret-rotation script (ties to the god-token rotation still open). |
Tier 2 β Selective, when we touch the relevant system THIS QUARTER
| Item | Trigger / action |
| CF Workflows β saga rollbacks + binding schedules | Adopt on the next multi-step worker pipeline (Premium Lead Machine, enrichment). |
| CF MCP portals with service tokens + tool aliases | Expose internal IL tools to agents via a governed MCP portal. |
| CF Browser Run β multi-format snapshot output | Swap into browser-QA/scrape flows for cleaner structured captures. |
| CF Workers Cache + memory usage metrics | Observability + perf for swarm workers. |
| CF Gateway granular roles + Security Center scans + WAF threat-intel fields | One security-hardening pass across the account. |
| PostHog β AI observability / warehouse / Slack app | Wire PostHog into agent telemetry + bug flow. |
| Model adds: Sonnet 5 Β· GPT-5.6 Sol Β· Kimi K2.7 Code | Benchmark as sub-agent / fallback models vs current chain. |
| CF Agents sandbox preview tunnels Β· CF self-managed OAuth clients | Dev-loop + auth quality-of-life for agent tooling. |
Tier 3 β Evaluate, low urgency BACKLOG
| Item | Note |
| Google Colab CLI Β· DO Private Droplets Β· DO Serverless Inference prepaid | Only if a workload needs them. |
| Claude in MS Foundry Β· Claude Tag for Slack Β· Codex role plugins/Sites Β· OpenAI Daybreak | Ecosystem features; adopt if a workflow calls for it. |
| CF PQC ML-DSA origin certs Β· named recipient addresses Β· One Client updates Β· Gateway granular roles | Nice-to-have hardening / housekeeping. |
| CF "Flue" agent harness Β· Agent Quality Flywheel Β· Codex long-running whitepaper | Reference/architecture reading, not config changes. |
| PostHog Scout / autoresearch / DuckDB warehouse deep-dives | Informational unless we adopt PostHog deeper. |
Process fix (the real win): Add a status field to the reviewer so every π’ Implement post auto-opens a tracked task (Linear/ClickUp) and reports back when done β so "Implement" stops meaning "noted" and starts meaning "shipped." I can wire this into the Platform Intel Reviewer cron.