Cloudflare

AI in Your Environment

The Art of the Possible with Cloudflare OpenCode

MCP Protocol · AI Gateway · AI Security · DLP

How It's Built

OpenCode architecture & the MCP protocol

The OpenCode Stack

Every model call routes through Cloudflare's own infrastructure — not directly to external providers. WARP, CF Access, and AI Gateway are already in the path.

AI MODEL PATH

OpenCode (your laptop) → WARP (device tunnel) → CF Access (identity auth) → opencode.cf.dev (internal proxy) → AI Gateway (DLP · logs · cache) → LLMs (Anthropic · OpenAI)

No provider keys on device

Auth is a Cloudflare Access JWT — all credentials managed centrally

MCP tools alongside

CF Portal, Google Workspace, Excalidraw — called in parallel with model requests

Every prompt logged

AI Gateway records all traffic — visible in the Cloudflare dashboard today

Model Context Protocol (MCP)

What is MCP?

An open standard that lets AI models call real-world tools — think of it as the USB-C for AI agents. Any tool that exposes an MCP server becomes instantly accessible to any AI model.

Active MCP Servers

CF Portal · Demo Portal · Google Workspace · Excalidraw

What the AI can do with MCP tools:

Search all Cloudflare docs & internal wiki

Accurate answers grounded in real documentation

Read calendar, write Google Docs & slides

Meeting prep, follow-ups, reports — automated

Deploy to Cloudflare Workers & Pages

Code → deployed globally in seconds

Create architecture diagrams with Excalidraw

AI-generated visuals directly from a conversation

Cloudflare Components

The building blocks powering this AI environment

Cloudflare MCP Portal

portal.mcp.cfdata.org

Internal Cloudflare portal exposed as an MCP server

The AI's single connection to all Cloudflare institutional knowledge.

Available tools via this MCP:

Cloudflare Docs Search

Full semantic search across all CF product documentation

Confluence Wiki (wiki.cfdata.org)

Internal team pages, runbooks, architecture decisions

Backstage / TechDocs

Service catalogue, API references, technical deep-dives

Google Drive Search

Slides, proposals, and documents from across the org

Your AI Demo Portal

Hosted on Cloudflare Workers

mcp.cfclarke.dpdns.org

A personal demo MCP server deployed to Cloudflare's global network. Fully customizable tool set for customer demonstrations — runs at the edge, zero cold starts.

Code Mode

?codemode=search_and_execute

Enables AI-powered code search and execution — demonstrate live coding workflows to customers

Why Cloudflare Workers for MCP?

Global edge deployment

300+ locations, <50ms response worldwide

Cloudflare Access protected

Zero Trust auth — only authorised users connect

Instant deploys via Wrangler

Add new tools in minutes, live globally in seconds

AI Gateway

Universal AI Proxy

One endpoint. Every provider. Full visibility & control.

Already active in your OpenCode path

Every prompt routes through AI Gateway at opencode.cloudflare.dev

OpenAI · Anthropic · Workers AI · Gemini · 20+ providers

Observability

Every prompt, response, token count and cost logged in real time

Rate Limiting

Prevent runaway costs and abuse — per user, per app, per model

Semantic Cache

Cache similar questions — cut LLM spend by up to 60%

Security Rules

Block, allow, or transform requests before they reach the LLM

AI Security for Applications

Cloudflare sits between your users and your AI — inspecting every prompt and response in real time.

Prompt Injection Detection

Identify and block attempts by users to hijack AI behaviour with malicious instructions embedded in input

PII & Data Redaction

Automatically redact names, emails, phone numbers, and sensitive identifiers from prompts and AI responses

DLP — Financial Data

Detect and block credit card numbers, bank account details, and financial identifiers before they reach the LLM

Jailbreak & Abuse Prevention

Detect attempts to circumvent AI safety guidelines or extract system prompts from your applications

The Business Case

Why this matters for your organisation

Business Benefits

10× Developer Speed

Routine tasks automated — docs, reports, boilerplate code

60% LLM Cost Reduction

Semantic caching in AI Gateway eliminates duplicate API calls

1 Unified Platform

All AI providers, all tools, one dashboard — no vendor lock-in

Democratise company knowledge

Any employee can query docs, wikis, and systems through natural language

Faster time-to-production

AI-assisted code review, deployment, and documentation in one workflow

Custom AI tooling on day one

Deploy your own MCP server on Workers — tailored to your internal systems

Global reach, local compliance

Edge-deployed tools meet regional data residency requirements

Security Benefits

Full Visibility & Audit Trail

Every AI interaction logged — who asked what, which model responded, what data was included. Queryable via Cloudflare Logpush to your SIEM.

Zero Trust for AI Tools

MCP servers protected by Cloudflare Access — identity-verified, device-posture-checked before any AI tool call is made

Data Never Leaves Your Perimeter

AI Gateway enforces which models can be used. DLP rules ensure sensitive data is stripped before it reaches any external LLM provider

Compliance-Ready

PCI DSS, GDPR, and HIPAA aligned — credit card and PII detection built-in, audit logs retained, access policies enforced centrally

DLP in Action

Demonstrating credit card and sensitive data protection

AI Data Loss Prevention

AI Gateway inspects every prompt and response in-flight. DLP rules can detect, redact, or block sensitive content before it reaches — or leaves — the LLM.

What can be protected:

Credit Card Numbers [BLOCK]

Visa, Mastercard, Amex, Discover — all BIN formats

Personally Identifiable Info [REDACT]

Name, email, phone, NI / SSN, passport numbers

API Keys & Secrets [LOG]

AWS keys, GitHub tokens, private key patterns

Custom Business Data [CUSTOM]

Regex or exact-match patterns for your sensitive data types

How It Works

1. User sends prompt to AI app
2. Request hits AI Gateway first
3. DLP scanner analyses content
4a. Clean: forwarded to LLM
4b. Match: blocked or redacted
5. Event logged in dashboard

Demo: Credit Card Number Protection

Your traffic already goes through AI Gateway. These prompts were inspected — DLP may be in log mode. To block credit cards, enable the rule below.

To enable credit card blocking:

1. Check AI Gateway logs now
   dash.cloudflare.com → AI Gateway → Logs — this session is already recorded

2. Add a DLP rule
   AI Gateway → Settings → Security → DLP → Add profile: "Credit Cards"

3. Set action: Block (not Log)
   Card patterns in prompts return an error before reaching the LLM

4. Test live in OpenCode
   Type a prompt with a test card number — show the block response to the customer

When DLP is in Block mode:

User prompt in OpenCode:

"Process payment for card 4111 1111 1111 1111, exp 12/26"

AI Gateway response:

Error 1020: Request blocked — sensitive financial data detected

In the Gateway dashboard:

Blocked event logged with timestamp, user identity (your Access email), matched rule, and sanitised prompt — full audit trail, card number never reaches the LLM
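
The inspection flow above (scan, then forward, redact or block, then log), as an added example rather than Cloudflare's implementation: a minimal JavaScript model that runs the page's test prompt through BLOCK, REDACT and LOG rules. The rule names, regexes and event fields are assumptions; the Luhn check is added so that digit strings which are not card numbers do not trigger a block.

```javascript
// Added example: a simplified model of the gateway DLP step, not Cloudflare's code.
// Rule names, regexes and the event shape are assumptions made for illustration.

// Luhn checksum separates real card numbers from arbitrary 13-19 digit strings.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

const RULES = [
  { name: "credit-card", action: "BLOCK",
    re: /\b\d(?:[ -]?\d){12,18}\b/g,            // 13-19 digits, optional separators
    confirm: (m) => luhnValid(m.replace(/[ -]/g, "")) },
  { name: "email", action: "REDACT",
    re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { name: "aws-access-key", action: "LOG",
    re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Steps 3-5 of the flow: scan, decide, emit audit events.
// `forwarded` is the text that would reach the LLM, or null when blocked.
function inspectPrompt(prompt, user) {
  const events = [];
  let forwarded = prompt;
  for (const rule of RULES) {
    const hits = (prompt.match(rule.re) || [])
      .filter((m) => !rule.confirm || rule.confirm(m));
    if (hits.length === 0) continue;
    // Audit events carry the rule and hit count, never the matched value.
    events.push({ user, rule: rule.name, action: rule.action, matches: hits.length });
    if (rule.action === "REDACT") {
      for (const h of hits) forwarded = forwarded.split(h).join(`[REDACTED:${rule.name}]`);
    }
  }
  if (events.some((e) => e.action === "BLOCK")) {
    return { verdict: "blocked", forwarded: null, events };
  }
  const redacted = events.some((e) => e.action === "REDACT");
  return { verdict: redacted ? "redacted" : "forwarded", forwarded, events };
}

// Constructed sample: the page's test card number, plus a near miss that fails Luhn.
console.log(inspectPrompt("Process payment for card 4111 1111 1111 1111, exp 12/26", "user@example.com"));
console.log(inspectPrompt("Order ref 4111 1111 1111 1112 is delayed", "user@example.com").verdict);
```

This sketch treats each run of digits as a single candidate, so a card number directly preceded by other digit groups can be missed; a log-only rule forwards the prompt unchanged and only emits an event.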

What's Next

Deploy this in your environment

1. Enable AI Gateway
   Single endpoint in front of all your AI providers — 15 min setup

2. Deploy your MCP server on Workers
   Expose your internal tools and APIs to AI agents

3. Add DLP + Access policies
   Protect sensitive data and control who can use which AI tools

4. Run OpenCode (or your AI agent)
   Point it at your MCPs — and hand it to your team

Start with a PoC

We can run a focused proof-of-concept in your environment — AI Gateway + DLP + one custom MCP server — scoped to 2–4 weeks

Talk to your SE today

"The question is no longer whether to adopt AI — it's whether your organisation can govern, secure, and scale it responsibly."