CF Restructure Sprint

155

Workers indexed

Tenant hubs

Chatbot worker

Cron sync

12 MB

Backup

Secrets rotated

1 · What shipped

Eight phases delivered end-to-end

The new tenant hubs (5)

BT Internalbt.bosstorque.ai

Sperry Tree Caresperry.bosstorque.ai

GiftCuegiftcue.bosstorque.ai

Trnkatrnka.bosstorque.ai

Personalme.bosstorque.ai

Supporting infrastructure

D1 Registrybt-registry (UUID 36578b81-7532-4fac-bf4e-57c4423493f4)

155 artifacts indexed across 7 categories, FTS5 search, hourly auto-sync

AI Chatbotbt-chat (Sonnet 4.6 / Haiku 4.5)

Tenant-scoped RAG with FTS5 + recent artifacts as context

Cron Syncbt-registry-sync

Hourly :05 reconciles CF workers_list with registry; marks new, updated, broken

Plan Workerplan.bt.bosstorque.ai

Original 13-section restructure plan, pinned

Registry distribution

Tenant	Artifacts	Hub URL
Sperry	74	sperry.bosstorque.ai
BT Internal	51	bt.bosstorque.ai
GiftCue	13	giftcue.bosstorque.ai
Personal	7	me.bosstorque.ai
Trnka	6	trnka.bosstorque.ai
MDP (rolled into BT)	4	(via bt.)

2 · Backup state

Pre-sprint snapshot preserved

Before any changes, every Worker source file was pulled and saved to /Users/Jason/My Drive (jason@bosstorque.ai)/4_Strategy & IP/Internal Tech Stack/BT Hub/cf-baseline-may2026/ (syncs to Google Drive automatically).

144 worker JS source files (12 MB)
6 static-asset workers captured as live HTML
Workers list metadata (workers_list.json)
Custom domains list
Zones list

Rollback path: every change in this sprint is reversible. Workers at *.jason-8ce.workers.dev still serve their original content. Removing the new Custom Domain bindings restores DNS to clean state. The 8 new workers can be deleted in one API call each. Nothing was destroyed.

3 · Phase status

What's done, what's pending

Phase	Status	Notes
0a — Plan published	✅ Complete	Pinned card on BT hub. plan.bt.bosstorque.ai live.
0b — #bt-ops Slack channel	✅ Complete	bt-notify token rotated 2× (last value in KV). End-to-end ping confirmed.
0c — Full backup	✅ Complete	12 MB to Drive-synced folder. R2 mirror not needed since Drive sync is automatic off-machine copy.
0 — DNS prep	✅ Complete	Worker Custom Domains auto-create DNS records on attach. 6 hostnames now resolve.
1 — Cloudflare Access	⚠️ Pending	Needs Access scopes on withered-poetry-d166 token. See "What's left" below.
2 — Registry D1 + write API	✅ Complete	bt-registry D1, FTS5 search, /api/list, /api/search, /api/register on every tenant hub.
3 — BT Internal hub	✅ Complete	bt.bosstorque.ai → bt-tenant-hub. 51 BT artifacts.
4 — Sperry hub	✅ Complete	sperry.bosstorque.ai → sperry-tenant-hub. 74 Sperry artifacts.
5 — Global nav	✅ Complete	Built directly into tenant hub workers (sticky bar with brand, tenant badge, search, Ask AI).
6 — GiftCue / Trnka / Personal	✅ Complete	All 3 hubs deployed and bound.
7 — Search + AI chatbot	✅ Complete	FTS5 search per tenant. bt-chat with Sonnet 4.6 (BT) / Haiku 4.5 (clients). Tenant-scoped RAG.
8 — Auto-update + sync	✅ Complete	bt-registry-sync runs hourly at :05. POST /sync also exposed.
9 — Stale cleanup	🟡 Deferred	Excluded from sprint per the rollback plan. Stale flags now visible in registry status field.

4 · What's left

One thing, ~3 minutes of your time

The Cloudflare Access scopes weren't on withered-poetry-d166 when we started, so Phase 1 (tenant auth enforcement) didn't ship. Currently the tenant subdomains are URL-protected only — same security posture as before. To finish the security part of the restructure:

Open https://dash.cloudflare.com/profile/api-tokens (or Account API tokens if it's there).
Click withered-poetry-d166 → Edit.
Add two permissions: Access: Apps and Policies Edit, Access: Service Tokens Edit.
Save (no roll needed — token value stays the same).
Tell me "done" and I'll wire up Cloudflare Access on all 5 tenant subdomains in ~10 minutes.

Note on access policies (when we get there): bt./me. = jason@bosstorque.ai only. sperry. = jason + Rob + Michele (you give me the emails). giftcue. = jason + co-founders. trnka. = jason + Lukas. Email OTP for non-Google accounts, Google OAuth for yours.

5 · How to use the new setup

Day-to-day patterns

Browsing

Go to bt.bosstorque.ai (or any tenant subdomain). Hub renders all artifacts grouped by category, with pinned items at top. Press / to search. Click "Ask AI" to chat about anything in that tenant.

Adding a new deliverable

When you ship a new Worker, the hourly cron picks it up automatically within ~60 min. To get it into the registry instantly, the deploy step can POST to the tenant hub's /api/register:

curl -X POST https://bt.bosstorque.ai/api/register \
  -H "Authorization: Bearer <REGISTRY_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"id":"my-new-worker","tenant":"bt","category":"report","title":"My New Report","description":"...","url":"https://my-new-worker.jason-8ce.workers.dev"}'

Token is in KV under BOSSTORQUE_CONFIG.bt_notify_token (same value).

Searching

Each tenant hub's search box hits /api/search?q=... which runs FTS5 across title + description + tags. Tenant-scoped. Sub-50ms.

Chatbot

Click "💬 Ask AI" on any tenant hub. The chat panel slides up from bottom-right. Asks the right model (Sonnet for BT, Haiku for clients), pulls top 8 FTS-matched + 6 most-recent artifacts as RAG context, generates an answer with markdown citation links.

6 · Open follow-ups

Things to do in subsequent sprints (not blocking)

Cloudflare Access enforcement (waiting on token scope expansion — Phase 1).
Drive ingest worker for absorbing legacy IP from the Strategy & IP folder tree.
R2 bucket per tenant for raw asset storage (only sperry-assets and sperry-image-library exist today).
Naming convention enforcement at the deploy relay (reject deploys that don't match <tenant>-<cat>-<slug>-<mmm><yyyy>).
Activity feed per tenant ("what changed this week") from the deployments table.
Stale worker cleanup (Phase 9 — your approval needed per worker).
Bring sperry-hub legacy worker behind a redirect to sperry.bosstorque.ai.

Sprint shipped. 8 of 9 phases live.