Locked: 2026-07-16 22:55 UTC · Commissioned by: Marc CDAIO · Personas: EnRoute Systems Architect + Reliability/Ops + Security/Trust + Pinnacle-II Audit-Rigor
Problem. Wave 3 (30 unverified .cloud sending domains, T-15 days to 2026-07-31 delivery) is blocked by two operational failures tonight: no first-party batch DNS tooling, and even our best ad-hoc script hit CF Free-plan record-cap + insufficient API-token scope. Marc's mandate: scope an in-house tool that owns the full sending-domain lifecycle so we never hit these walls again.
Recommendation. Ship a one-day MVP tomorrow (Backend Architect's Section 12) that unblocks Wave 3 tonight+tomorrow. Formalize Phase-1 spec Friday with security + reliability + audit hardening layered in over the next 30 days. Total incremental infra cost: ~$5/mo (S3 Object Lock + Fly.io shared-cpu-1x).
Decision needed from Marc: greenlight the one-day MVP. That's the only immediate ask. Everything else is autonomous execution.
1) Backend Architect — SDLS system design. Single-binary Python 3.12 FastAPI on Fly.io (2 shared-cpu-1x, IAD+ORD) with SQLite + Litestream → R2 for durable state. Multi-provider adapter pattern (Mailgun today · Postmark/SES/SendGrid forward-compat). 8 core tables covering domains · records · providers · verify_attempts · warmup_phases · quota_ledger · audit_log. REST API with bearer auth · token-bucket rate limits per external cred (CF 4rps · Mailgun 300/hr). Idempotency via content-checksum on every record write · orphan sweeper hourly. Quota abstraction treats zones as fungible pools with pre-flight reservation. MVP effort: 1 senior backend × 5 days. Full report: tasks/af0ac22b5c72e6094.output.
2) SRE / Reliability — SLOs + Runbooks + Rollout. Commit SLOs: DNS batch 99% success within 5 min · verify convergence median ≤90s / p99 ≤8min · quota-exceeded events ≤ 2/month · tool control-plane 99.5% avail. 8 runbooks written pre-launch (quota near cap · verify fails N=5 · Mailgun rate-limit · CF token rotation · provider outage · reputation drop · complaint spike · bulk partial-failure recovery). Guardrails: dry-run default · bulk-delete cap 20 records · two-person rule > 50 records · global kill-switch flag with <5s halt. DR: 6h snapshot cadence · 15min zone restore SLO. Rollout: Phase-0 shadow-mode → canary 5 domains → 15 domains → full cutover. Ship gate at T-9d: canary 100% verify success + 72h clean + all 8 runbooks drilled → ELSE keep ad-hoc scripts for Wave 3, cutover Wave 4. Full report: tasks/ac1a36f32b577eef4.output.
3) Security / Trust — Threats + Secret hygiene + Blast radius. Top threats: compromised CF token → mass DNS wipe (catastrophic) · Mailgun key theft → spoofed spam · sub-agent goes off-script · supply-chain compromise. Secret hygiene: CF Workers Secrets in prod · direnv+.env local · zero Global API Keys ever · 90-day rotation with 60-second dual-token overlap · one token per (persona × zone-set × permission-set) via committed token-matrix.yaml. AuthN: Cloudflare Access SSO on ops UI · JWT service tokens 15-min TTL for sub-agent → tool. RBAC 5 roles. Audit trail: hash-chained append-only D1 dns_mutations table + R2 Object Lock mirror. Guardrails: canonical apexes (enroute.global · enrouteglobal.com · egp1.io) require Marc single-touch even in 4BT autonomous mode. Kill-switch worker flag halts writes org-wide in <5s. Wave 3 minimum control set = 10 items · all must be green before touching prod. Full report: tasks/a662ac0506cd7513f.output.
4) Pinnacle-II Audit Rigor — Attestation posture. Control framework mapping across SOC 2 (CC6.1, CC6.2, CC6.3, CC7.1, CC7.2, CC7.3, CC8.1, CC9.2) · ISO 27001 · NIST CSF. Attestation-ready evidence via WORM S3 Object Lock (Compliance mode · 7-year retention · cross-region · ~$2/mo). Ed25519 signature per log entry · hash-chained · RFC 3161 timestamp against FreeTSA every 15 min (free). Two-person rule tool-enforced (not policy prose) on 7 ops: bulk delete >25 · zone plan changes · apex mutations · DKIM rotation on active selector · warmup phase demotion · DMARC tightening · SPF include-list changes on apex. Segregation of duties matrix in-repo as YAML with CI test blocking violations. Regulatory footprint (CAN-SPAM · GDPR · CASL · PIPEDA) surfaced per-domain via compliance_profile.yaml; tool refuses to warm invalid profiles. Wave 3 gate: 8 of 10 attestation items must be true by 2026-07-31 · items 9-10 (full access-review generator + full compliance-profile enforcement) may slip to 2026-08-31 with documented risk acceptance. Full report: tasks/abb5668b5151575d6.output.
POST /domains/bulk, POST /records/bulk, POST /verify/bulkPUT /domains/{name}/verify with 5-min propagation waitsdls add-wave3 --file wave3_domains.csvfly launch + fly secrets set CF_TOKEN=... MG_KEY=...MVP intentionally SKIPS on Day 1 (added Days 2-30): - Warmup cadence engine (Willemena's current path stays authoritative for now) - Quota rebalancer (manual + registry-lookup fine for 179 domains) - Full audit posture (append-only log ships Day 1 · WORM/timestamp/SoD Days 2-30) - Ops UI (CLI-only Day 1)
Full plan lives at: 00148-EGP-CDAIO-Knowledge-Access/plans/WAVE-3-T-MINUS-15-REMEDIATION-PLAN-2026-07-16.md
Compact timeline:
| Date | Milestone |
|---|---|
| T-15 (2026-07-16 tonight) | ✅ Dashboard live · ✅ 4-persona scoping complete · 🟡 Wave 3 P0 escalated (CF Pro upgrade) |
| T-14 (2026-07-17) | Marc clicks CF Pro upgrade → autonomous auto-detects → Hakeem re-fires · PPMO-LH re-verify · Willemena adds to phase-0 · greenlight one-day MVP |
| T-13 (2026-07-18) | Convergence pass 2 · SDLS MVP Day 1 (if greenlit) |
| T-11 (2026-07-20) | Target: 30/30 verified · in warmup phase-0 · SDLS dogfood on 30 Wave 3 domains |
| T-10 to T-1 | Warmup cadence + reputation watch · SDLS Phase-2 (warmup engine + quota rebalancer) |
| T-0 (2026-07-31) | Wave 3 delivered · dashboard flips RED → GREEN |
| Risk | Prob | Impact | Mitigation |
|---|---|---|---|
| CF Pro upgrade delayed past T-14 | Low | High | Fallback: manual CF UI adds (~5 hrs ops toil) |
| Domains never verify (persistent DKIM mismatch) | Med | Med | 3-retry backoff · escalate to MDQ after 3 fails |
| MVP ships buggy · breaks live domain | Low | Very High | Canary on 5 Wave 3 domains only · not the 149 active |
| Warmup CSV rebuild corrupts existing data | Very Low | High | Archive stale CSV first · atomic write |
| Personas step outside scope (bulk delete etc) | Low | Very High | Guardrails per Security brief §5 · dry-run default |
https://dash.cloudflare.com/74acb3ee716eacc542b75ec312cb1227/enroutegrowthplatform.cloud/plans (30 sec · $25/mo)Everything else is autonomous. 4BT continuing.