GFS Software Estate — everything that talks to gfs-platform
Single admin (Mike Levine) · HITL invariant: human-in-loop on every NS write-back · Cross-family multi-agent practice (Claude + Codex + Kimi)
PEOPLE & EXTERNAL SENDERS
Mike Levine (admin)
mikelevine@globalfoodsolutions.co
Single admin, HITL approver
Browser + macOS terminal
Founder mode · everything ends here
GFS Team
Admin, finance, sales, ops
~116 employees in NS
7 active pillars (R96)
K-12 / Bid Buyers
NYC DOE B5875, school districts, USDA commodity programs
View hub + bid PDFs
June 3 2026 due date (B5875)
Vendors
Bongards, Echo Lake, Driscoll, Cardinal, Ace Endico, others
Email vendor@ for cost updates
11 customer/vendor overlaps
Customers
Schools, distributors, food svc
$170.9M cumulative, $29M pace
Driscoll 36.4% (top concentration)
Pillar 1 pricing target
Email senders
bids@ · pricing@ · pricerequest@
customer@ · vendor@
DKIM enforced per mailbox
SURFACES — what users actually open
chat.ai-globalfoodsolutions.co
The main chat UI — council_v2 default
10 chat roles · HITL approval surface
/admin-dashboard.html (Mike)
/training.html (Mike)
/review.html (HITL queue)
Hosted: Pages project gfs-netsuite
gfs-hub.pages.dev
Corporate Hub v10.0 DNA
15-item backlog: CF Access, routing, live NS data integration
CF Pages project gfs-hub
gfs-nycdoe-hub.pages.dev
B5875 bid response platform
246 specs (Amend 13) · 6 PPI tabs
Sept 2026 menus, 34 recipes
GFS Price Quotes module
Backup: ~/Desktop/NYC-DOE-Hub-backups/
gfs-system-guide.pages.dev
System guide · 1,897 lines · 29 files
LLM context + JSON-LD · C-suite reviewed
6 process maps, security audit
Onboarding/orientation surface
gfs-netsuite-tools.pages.dev
60+ NS tools catalog
Chartstone, SuiteQL, SuiteAPI
Toolkit + MCP · SuiteAttach
Reference, not transactional
flows-diagrams/ (this repo)
25+ archify diagrams · 2 canvases (this)
User-facing system explainer
Static HTML, served from Pages
PLATFORM — gfs-platform (the Worker)
gfs-platform
src/index.ts (single file ~18.5K)
api.ai-globalfoodsolutions.co/*
Tools & pipelines:
• council_v2 (3-model parallel)
• HITL gates (preview → confirm)
• 175+ endpoints, 10 chat tools
• CHAT_ROLE_FILTERS (R85)
• Canonical pattern routing
• PDF vision (bids, price reqs)
• R201 morning digest, R347 Jarvis
Data layer it owns:
• D1 (109 tables, 311K+ rows)
• R2 gfs-files + gfs-hub-backups
• KV CACHE · Vectorize
• 3 queues (push retry/DLQ/failsafe)
See cloudflare-platform-canvas.html for the full CF surface
Cloudflare AI Gateway
AI_GATEWAY_URL → gateway.ai.cloudflare.com/v1/<acct>/<gw>/anthropic
Cache + cost + rate limit + telemetry
Falls back to direct api.anthropic.com
Dropbox (source-document repo)
~/Dropbox/Claude_*
• Food Safety Response Program
• Specification-Sheet/ (124+ products)
• Bids/ (B5875 canonical example)
Mirrored to D1 spec_items (136 rows)
Anthropic API
Claude Haiku (chat verifier, text-to-SuiteQL)
Claude Opus (heavy reasoning)
ANTHROPIC_API_KEY (Worker secret)
~$0.007 / council_v2 query
SYSTEMS OF RECORD & INTEGRATIONS
NetSuite (system of record)
Account 3818ecd5 production
Surfaces:
• Custom RESTlet: customscript_gfs_platform_query (R55)
• SuiteAttach RESTlet (uploads)
• SuiteQL (#2947) · SuiteAPI (#2948)
• Toolkit (#2949) · Chartstone · MCP
Auth:
TBA OAuth1 (account / consumer / token, all in Worker secrets)
Inventory: 313 fields, 231 records, 968 saved searches, 1,141 scripts
Cursor agent CLI
~/.claude/plugins/marketplaces/local-cursor/
Models routed:
• Composer 2.5 — structured generation
• Kimi K2.5 — FREE default reviewer
• Token economy: route review to Kimi, preserve Anthropic budget for build
Codex CLI (codex-rescue)
• OpenAI GPT-5 / 4 model family
• Independent adversarial auditor
• Different family = catches Claude blind spots
• Established R63 multi-skill audit pattern
Pairs with gfsmultiagent skill suite
gfsmultiagent skill suite
~/.claude/skills/gfsmultiagent-*
7 flows + foundation (Phase 0 done):
• architect (dossier 3+ rounds)
• auditor (every 10-15 rounds)
• composer, kimi, scout, surgeon
• cartographer, discipline, spotter
Cross-family audit: standard practice
AUTH & IDENTITY — what every line crossing this canvas means
NS TBA OAuth1
Worker ↔ NetSuite
consumer_key + token_id + HMAC-SHA256
Per-request signature
All NS reads + writes signed
Writes → NS_PUSH_QUEUE only
X-Edit-Token (Bearer)
Browser → Worker write endpoints
EDIT_TOKEN secret
?preview → ?confirm step
HITL invariant (ADR-031)
Every write needs Mike's confirm
Anthropic API key
Worker → AI Gateway / Anthropic
ANTHROPIC_API_KEY secret
Cached prompts (system, context)
Telemetry: AI Gateway cost dash
~$0.007/query council_v2
DKIM (inbound)
Sender domain → Email Routing
Per-mailbox require_dkim
Authentication-Results header captured
DKIM != pass → parse_status = manual_review_needed (urgent)
CF Access (planned)
gfs-hub · tools subdomain
Zero-Trust gating
Top-3 corporate-hub backlog item
Not yet enforced on all surfaces
Other secrets
• OPENAI_API_KEY (fallback)
• CF_AI_GATEWAY_URL (legacy)
• Dropbox app key (local)
• Cursor / Codex local CLIs
No live deploy creds, no AWS/GCP
FLOW SUMMARY (the 6 lines you see crossing this canvas):
HOT PATH
user prompt → chat surface → Worker → AI Gateway → Anthropic (sub-second, council_v2)
STANDARD
Worker → D1/R2/KV/Vectorize reads, Pages serving, schedule fires, Dropbox source pulls
AUTH
NS TBA OAuth1 to NetSuite · X-Edit-Token from browser · DKIM on inbound mail · CF Access where wired
ASYNC / VECTOR
Queue retry · Vectorize embeddings · nightly D1 backups to R2 · weekly llm-wiki rebuild
TYPICAL USER LIFECYCLE:
(1) Mike opens chat.ai-globalfoodsolutions.co → (2) Worker council_v2 + 10 tools answer → (3) Action proposed in HITL queue →
(4) Mike approves with X-Edit-Token → (5) Push enqueued to NS_PUSH_QUEUE → (6) Consumer signs TBA OAuth1, writes to NetSuite → (7) Mirror back on next */5 sync.
TYPICAL INBOUND BID:
(1) Buyer emails bids@ai-globalfoodsolutions.co → (2) Email Routing fires email() handler → (3) DKIM gate + persist raw to R2 →
(4) PDF vision via Claude → (5) Proposal lands in review_queue → (6) Admin reviews on /review.html → (7) Confirmed bid pushed back to NS.
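The DKIM gate in step (3), combined with the per-mailbox require_dkim rule from the DKIM (inbound) panel, sketched as an added example; it is not code from gfs-platform. Only require_dkim, parse_status and manual_review_needed come from the canvas; the authserv-id, the policy table, the pending_parse status and the From-domain alignment check (which goes beyond the "DKIM != pass" rule) are assumptions.

```javascript
// Added example. require_dkim, parse_status and manual_review_needed are the
// canvas's names; everything else below is an assumption for illustration.
const TRUSTED_AUTHSERV = "mx.receiver.example"; // placeholder authserv-id of our own MX
const MAILBOX_POLICY = {                        // constructed per-mailbox config
  "bids@ai-globalfoodsolutions.co": { require_dkim: true },
};

// Parse one Authentication-Results value (RFC 8601) into
// { authserv, dkim: [{ result, domain }] }.
function parseAuthResults(value) {
  const unfolded = value.replace(/\r?\n[ \t]+/g, " "); // undo header folding
  const [head, ...methods] = unfolded.split(";");
  const authserv = head.trim().split(/\s+/)[0].toLowerCase();
  const dkim = [];
  for (const part of methods) {
    const m = /^\s*dkim\s*=\s*([a-z]+)/i.exec(part);
    if (!m) continue; // spf=, dmarc=, arc= and others are not used by this gate
    const d = /\bheader\.d\s*=\s*([^\s;]+)/i.exec(part);
    dkim.push({ result: m[1].toLowerCase(), domain: d ? d[1].toLowerCase() : null });
  }
  return { authserv, dkim };
}

// Decide parse_status for one inbound message.
// headers: every Authentication-Results value on the message, as strings.
function dkimGate(mailbox, fromDomain, headers) {
  // Unknown mailboxes fail closed: treat them as require_dkim.
  const policy = MAILBOX_POLICY[mailbox.toLowerCase()] || { require_dkim: true };
  if (!policy.require_dkim) return { parse_status: "pending_parse", reason: "dkim not required" };
  // A sender can pre-insert its own Authentication-Results header, so only
  // values stamped with our receiver's authserv-id count.
  const results = headers.map(parseAuthResults)
    .filter((h) => h.authserv === TRUSTED_AUTHSERV)
    .flatMap((h) => h.dkim);
  // dkim=pass only proves the signing domain; require it to match the From domain.
  const ok = results.some((r) => r.result === "pass" && r.domain === fromDomain.toLowerCase());
  if (ok) return { parse_status: "pending_parse", reason: "dkim=pass, aligned" };
  const seen = results.map((r) => `${r.result}/${r.domain}`).join(",") || "none";
  return { parse_status: "manual_review_needed", reason: `dkim results: ${seen}` };
}
```

The reason string is meant to be stored next to parse_status so the reviewer on /review.html sees why a message was held.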
Counts at a glance: 5 people/groups · 6 user-facing surfaces (4 Pages + 2 sub-projects) · 1 Worker + 4 supporting CF services · 4 SaaS systems (NS, Dropbox, Cursor, Anthropic) · 1 auxiliary agent CLI (Codex) · 6 auth surfaces · 22 cron triggers driving the loops
Connector labels on the canvas: Email Routing → email() handler · /api/* · model call · TBA OAuth1 · RESTlet mirror sync */5 · local CLI (Mike's terminal) · audit reports
Legend: People / Senders · Surface (Pages) · Worker / Agent · System of record · SaaS / Gateway · Auth surface · Agent suite
• 5 people / sender groups (admin, team, K-12, vendors, customers)
• 6 user-facing surfaces (chat, hub, NYC DOE, guide, tools, diagrams)
• 1 platform Worker + AI Gateway + Dropbox
• 4 SaaS systems of record (NetSuite, Cursor, Codex, Anthropic)
• 6 auth surfaces (TBA OAuth1, Edit-Token, API key, DKIM, CF Access, misc)
• User chat: browser → Worker → AI Gateway → Anthropic (sub-sec)
• Inbound bid: email → Email Routing → Worker → HITL queue → NS
• Authoring loop: Mike's terminal → Cursor + Codex + Kimi cross-family audit → Worker codebase
• Cloudflare is the ONLY infra vendor — no AWS, no GCP
• NetSuite is the ONLY system of record — D1 mirrors it for reads
• Anthropic is the ONLY paid LLM (Codex/Kimi are token-economy plays)
• Dropbox is the ONLY out-of-CF document store (read-only mirror)
• HITL is non-negotiable on writes (ADR-031, Mike confirms each)