Shipped
Operating system · domains, Tools, and two new tools
Reorganized the intranet from an AI-tools test bed into a company operating system — a small set of top-level domains, an extensible Tools section, and strict 'don't show it until it works' gating.
-
Four domains + Dashboard
AI System (/ai), Tools (/tools), Workflows (/workflows), Company (/company), each with a hub landing page; Dashboard is the launcher. Pre-launch, so URLs were re-pathed fresh.
-
Tools registry
A `tools` content collection — add a tool by dropping one MDX file. The hub renders live tools only. Chat, UX Review, Telescope (external subdomain) and Kegerator are live today.
-
UX Review tool
Review the Luna iOS wireframes screen-by-screen with anchored, threaded, resolvable comments + a notifications bell. Cloudflare Pages Functions + D1.
-
Kegerator
Office keg reorder — vote the next cold brew + kombucha up/down; a one-click admin 'Make Order' opens the Kegjoy email and clears the queue. D1-backed.
-
Strict hide-until-live
One helper (src/lib/content.ts) gates every surface; non-live agents and drafting workflows never build.
-
Deploy CI
GitHub Actions — typecheck + build on every PR; on main, apply D1 migrations then wrangler pages deploy.
Shipped
Phase 1 · IA, copy, and the front door
Every page exists with reviewed copy. Welcome / onboarding is the front door; daily dashboard is one click. The site reads as the operating system for AI at Luna, not as marketing.
-
/ Welcome + 5-step onboarding flow
First-run experience plus a returning-user bypass to the dashboard. Linked to the role tracks below.
-
AI System home with your-agents grid
Your agents, today's briefing, fleet-at-a-glance, and recent activity — folded onto /ai (the standalone /dashboard was retired).
-
/company/vision · /ai/governance · /company/roadmap · /company/help
Fear-and-answer pattern; roles + permissions + kill-switch + audit + PHI scope documented; user-guide written.
-
/ai/agents with Yours + full catalog + scope/PHI badges
Five live Workforce agents (non-live agents stay hidden); 1:1 owner agents called out; /ai/agents/new flow with intake template.
-
/ai/fleet with By-team / By-owner / Flat groupings
Scales to 50+ agents without layout reflow. Empty departments render a 'request one' CTA.
-
Nav with hover dropdowns + active-bar fix
Domain-grouped nav; every sub-page reachable in two clicks.
Shipped
Phase 2 · Kill-switch + audit log (backend foundation)
Two foundational Workers — per-agent kill switch and granular per-invocation audit log. Every Basal chat now passes through both.
-
luna-killswitch Worker
DO-SQLite, per-agent state + append-only history. checkKillSwitch() runs on every /invoke. Fails closed for PHI agents when KV is unreachable. Sensor caught a same-ms PK-collision bug; fixed before deploy.
-
luna-audit-log Worker
DO-SQLite, one row per invocation. SHA-256 hashes only; never prompt/response bodies. Sensor caught 7 validation gaps; fixed before deploy.
-
AgentWorker.handle() wired
checkKillSwitch after bearer auth; writeAudit via ctx.waitUntil after the response (never blocks the user).
-
agent-basal redeployed
KILL_SWITCH + AUDIT_LOG service bindings live. Every DM through @Basal exercises the full chain.
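An added sketch of the Phase 2 request chain (not Luna's code): bearer auth, then the kill-switch check that fails closed for PHI agents, then an audit row queued after the response that holds SHA-256 digests only. All type and function names are hypothetical, as are three assumptions: non-PHI agents proceed when the switch is unreachable, refused invocations are audited, and unauthenticated requests are not.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical types; only the ordering and the policies come from the page.
type KillState = "enabled" | "killed" | "unreachable";
type PiiScope = "phi" | "none";
interface AuditRow { agent: string; status: number; promptSha256: string; responseSha256: string }
interface Deps {
  token: string;                            // expected bearer token
  killState: (agent: string) => KillState;  // stand-in for the kill-switch lookup
  run: (prompt: string) => string;          // stand-in for the agent itself
  waitUntil: (task: () => void) => void;    // stand-in for ctx.waitUntil
  audit: AuditRow[];                        // stand-in for the audit-log store
}

const sha256 = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");

// Compare digests so both inputs have equal length and the compare is constant-time.
const sameToken = (a: string, b: string): boolean =>
  timingSafeEqual(createHash("sha256").update(a).digest(), createHash("sha256").update(b).digest());

// Returns 0 to proceed, or the HTTP status to refuse with.
function gate(state: KillState, scope: PiiScope): number {
  if (state === "killed") return 503;
  // Fail closed for PHI agents when the switch cannot be read.
  // Assumption: non-PHI agents are allowed to proceed in that case.
  if (state === "unreachable" && scope === "phi") return 503;
  return 0;
}

function handle(agent: string, scope: PiiScope, bearer: string, prompt: string, d: Deps): { status: number; body: string } {
  if (!sameToken(bearer, d.token)) return { status: 401, body: "" }; // 1. bearer auth
  const refused = gate(d.killState(agent), scope);                   // 2. kill switch
  const body = refused ? "" : d.run(prompt);                         // 3. invoke if allowed
  const status = refused || 200;
  // 4. Audit is queued, never awaited; the row stores digests, not the text.
  d.waitUntil(() => d.audit.push({
    agent, status, promptSha256: sha256(prompt), responseSha256: sha256(body),
  }));
  return { status, body };
}
```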
Shipped
Phase 3 · Read-side aggregates + per-user writes
Fleet aggregates and per-user config persist for real. The 'Preview · not yet saving' pill on /ai/agents/me goes away.
-
luna-fleet-api at fleet-api.nightluna.com
GET /summary, /agent/:slug, /me/activity, POST /admin/kill. Non-admins see rows with user_email scrubbed at the query layer.
-
luna-config-api at config-api.nightluna.com
GET /me, PUT /me/agents/:slug (enabled, memory, custom instructions, notifications), DELETE memory wipe queue. One DO per user_email.
-
Intranet Pages Functions proxy with CF Access service tokens
/api/me/activity, /api/me/config, /api/me/memory, /api/fleet/*, /api/admin/kill. Same pattern /api/chat uses for ai-proxy.
-
/ai/agents/me client-side enhancement
Mock renders first (never empty); /api/me/activity replaces with real audit rows; toggles persist via PUT on change.
Up next
Up next · tools polish + deploy
Small, known follow-ups on the new tools and the deploy pipeline — none blocking, all worth closing.
-
Fix the CI deploy token
Set a valid CLOUDFLARE_API_TOKEN GitHub Actions secret (Pages: Edit, D1: Edit, Account: Read) so pushes to main self-deploy. Until then, deploys are run manually.
-
Telescope preview thumbnail
Drop public/tools/telescope.png and add `screenshot:` to the tool entry so the Tools hub shows a live preview card.
-
Kegerator flavor granularity
If we want per-flavor voting, scrape each Kegjoy brand's lineup and split catalog rows (e.g. 'GT's · Gingerade'). Brand-level voting works today.
Up next
Phase 4 · Demo polish + per-agent rollout
Today's chain (Basal → kill-switch → audit-log → fleet-api → Intranet) extended to every agent. Briefing comes off mock when there are enough real rows to summarize.
-
Wire KILL_SWITCH + AUDIT_LOG bindings into the other 5 agents
agent-pen, clara, data (with getPiiScope() = 'phi'), pump, sensor. One-line wrangler.toml addition each + secret set.
-
Real fleet metrics on /ai/fleet
Replace the per-tile mock numbers with /summary reads. Today the data is sparse; the wire is already there.
-
Live kill-switch button on /ai/fleet/[agent]
Admin can flip a switch from the Intranet UI; fleet-api forwards to luna-killswitch.
-
End-to-end test with the team
DM Basal; check /ai/agents/me activity; toggle memory; flip kill-switch and confirm 503 + auto-resume.
Later
Phase 5 · Briefing pipeline + workflows runtime
Daily and weekly fleet briefings generated from the audit data — written report and podcast feed. Cloudflare Workflows for long-running multi-step tasks.
-
BriefingWorkflow on Cloudflare Workflows
Cron-triggered. Fans out per-team summaries via Queues, composes the master briefing, writes Markdown + R2 audio.
-
Briefing TTS pipeline + RSS feed
Audio MP3s in R2; subscribable podcast feed at /ai/fleet/briefing/feed.xml.
-
Real /ai/fleet/briefing instead of hand-written placeholder
Reads from briefing_episodes; renders the latest.
Later
Phase 6 · Memory wipe runner + chat persistence
Close the loop on /ai/agents/me memory controls and persist chat threads across reloads.
-
Memory-wipe runner
A worker reads luna-config-api memory_wipes and clears the user's history in luna-facet-memory.
-
/tools/chat persisted threads + R2 attachments
Per-user DO threads + signed-URL upload to R2.
-
Vectorize index for cross-conversation memory
Save/recall round-trip; makes the 'show what this agent remembers about me' surface real.
Deferred
Deferred · California employment-law guardrails
Important, real, scoped — and parked until we're ready to ship them with counsel review rather than as filler.
-
CCPA employee data export endpoint
Self-serve 'export everything stored about me.' Hooks are in the schema; export endpoint awaits counsel pass.
-
AB 2930 automated-decision flag
Mandatory human-in-the-loop documentation for any agent that affects employment decisions. We don't run any such agents today.
-
Surveillance policy text
Explicit, written-down policy on what the Fleet view is and isn't. Drafted; needs counsel review.