Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation

IDE_OPERATOR_RULES.md

@@ -0,0 +1,182 @@
+---
+description: **CLOUDFLARE OPERATOR RULES**: Load this file for ANY Cloudflare-related operations including DNS, WAF, Tunnels, Zero Trust, Terraform IaC, or security configurations. This provides operator doctrine for Cloudflare infrastructure management. **MUST** be read when user mentions: Cloudflare, WAF, DNS records, Tunnels, Zero Trust, Workers, or any Cloudflare-specific patterns.
+---
+
+# IDE Operator Rules — Cloudflare Security Mesh
+
+> **Control Surface:** This file can be seeded into VS Code extension folders to provide
+> policy-aware guidance for AI assistants and code generation.
+
+---
+
+## Core Principles
+
+1. **Security-First Infrastructure**
+   - All Cloudflare resources must be defined in Terraform
+   - Never hardcode API tokens or secrets in code
+   - WAF rules must have documented justification
+
+2. **GitOps Workflow**
+   - No manual changes via Cloudflare dashboard
+   - All changes flow through: PR → Review → Merge → Apply
+   - Drift triggers automatic remediation PRs
+
+3. **Zero Trust by Default**
+   - Assume all traffic is hostile until verified
+   - Access policies must enforce MFA where possible
+   - Tunnel configurations require explicit allow-lists
+
+---
+
+## Terraform Guardrails
+
+### DNS Records
+```hcl
+# ✅ ALWAYS include TTL and proxied status explicitly
+resource "cloudflare_record" "example" {
+  zone_id = var.zone_id
+  name    = "api"
+  type    = "A"
+  value   = "192.0.2.1"
+  ttl     = 300      # Explicit TTL
+  proxied = true     # Explicit proxy status
+}
+
+# ❌ NEVER create unproxied A/AAAA records for sensitive services
+# ❌ NEVER use TTL < 60 for production DNS
+```
+
+### WAF Rules
+```hcl
+# ✅ ALWAYS include description and tags
+resource "cloudflare_ruleset" "waf_custom" {
+  zone_id     = var.zone_id
+  name        = "Custom WAF Rules"
+  description = "Phase 7 WAF Intelligence generated rules"
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    action      = "block"
+    expression  = "(ip.src in $threat_intel_ips)"
+    description = "Block threat intel IPs - auto-generated"
+    enabled     = true
+  }
+}
+
+# ❌ NEVER disable managed rulesets without documented exception
+# ❌ NEVER use action = "allow" for external IPs without review
+```
+
+### Tunnels
+```hcl
+# ✅ ALWAYS rotate tunnel secrets on schedule
+# ✅ ALWAYS use ingress rules with explicit hostnames
+
+# ❌ NEVER expose internal services without Access policies
+# ❌ NEVER use catch-all ingress rules in production
+```
+
+### Access Policies
+```hcl
+# ✅ ALWAYS require MFA for admin applications
+# ✅ ALWAYS set session duration explicitly
+
+# ❌ NEVER use "everyone" include without additional restrictions
+# ❌ NEVER bypass Access for internal tools
+```
+
+---
+
+## WAF Intelligence Integration
+
+### Using the Analyzer
+```bash
+# Analyze WAF configuration
+python -m mcp.waf_intelligence.orchestrator analyze terraform/waf.tf
+
+# Full threat assessment
+python -m mcp.waf_intelligence.orchestrator assess --include-threat-intel
+
+# Generate rule proposals
+python -m mcp.waf_intelligence.orchestrator propose --max-rules 5
+```
+
+### Threat Classification
+The ML classifier detects:
+- `sqli` — SQL injection patterns
+- `xss` — Cross-site scripting
+- `rce` — Remote code execution
+- `path_traversal` — Directory traversal
+- `scanner` — Automated scanning tools
+
+### Auto-Deploy Criteria
+Rules may be auto-deployed when:
+- Confidence ≥ 85%
+- Severity is `critical` or `high`
+- Pattern matches known attack signature
+- No existing rule covers the threat
+
+---
+
+## GitOps Workflow Rules
+
+### PR Requirements
+| Risk Level | Approvals | Auto-Merge |
+|------------|-----------|------------|
+| Low        | 1         | Allowed    |
+| Medium     | 1         | Manual     |
+| High       | 2         | Manual     |
+| Critical   | 2         | Never      |
+
+### Drift Remediation
+- DNS drift → Auto-PR with `drift/remediation-*` branch
+- WAF drift → Security team review required
+- Tunnel drift → Infra team review required
+
+### Compliance Flags
+Changes affecting these frameworks trigger warnings:
+- **SOC2** — SSL settings, WAF deletions
+- **PCI-DSS** — TLS version, WAF modifications
+- **HIPAA** — Access policy deletions, encryption settings
+
+---
+
+## Agent Instructions
+
+When working with this Cloudflare infrastructure:
+
+1. **Always check WAF impact** before proposing changes
+2. **Prefer Terraform patterns** over ad-hoc API calls
+3. **Use WAF Intelligence CLI** for security analysis before generating rules
+4. **Propose GitOps-style patches**, not manual edits
+5. **Never assume external APIs**; prefer local, deterministic tools
+6. **Reference compliance frameworks** when implementing security features
+
+### Tool Availability
+- `filesystem` — Explore project structure
+- `git` — Track and review changes
+- `waf_intel` — Analyze WAF configurations
+- `terraform` — Plan and validate infrastructure
+
+---
+
+## Quick Reference
+
+### Risk Classification
+```
+High Risk:    DNS, WAF, Tunnels, Access, Certificates
+Medium Risk:  Performance, Workers, Page Rules
+Low Risk:     Logging, Notifications, API Tokens
+```
+
+### Emergency Procedures
+- DNS Compromise: See `playbooks/DNS-COMPROMISE-PLAYBOOK.md`
+- WAF Incident: See `playbooks/waf_incident_playbook.md`
+- Tunnel Rotation: See `playbooks/TUNNEL-ROTATION-PROTOCOL.md`
+
+---
+
+**Last Updated:** 2025-12-09
+**Phase:** 7 (WAF Intelligence)
+**Seeded By:** `scripts/seed_ide_rules.py`