vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Initial commit: Cloudflare infrastructure with WAF Intelligence

Browse Source 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
This commit is contained in:
Vault Sovereign
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

411
NVIDIA_INTEGRATION.md Normal file
View File

@@ -0,0 +1,411 @@
# NVIDIA AI Integration Guide
**Status:** ✅ Integrated
**Date:** December 8, 2025
**API:** NVIDIA free tier (build.nvidia.com)
**Model:** Meta Llama 2 7B Chat
---
## What Changed
The oracle tool now uses **NVIDIA's free API** to answer compliance questions with actual LLM responses instead of stub answers.
### Before
```python
answer = "This is a stub oracle answer. Wire me to your real analyzers..."
```
### After
```python
answer = await tool._call_nvidia_api(prompt) # Real LLM response
```
---
## Setup (Already Done)
✅ NVIDIA_API_KEY added to `.env`
`mcp/oracle_answer/tool.py` integrated with NVIDIA API
✅ CLI updated with `--local-only` flag for testing
✅ Dependencies documented (httpx for async HTTP)
---
## Using NVIDIA Oracle
### 1. Test with Local-Only Mode (No API Calls)
```bash
python3 -m mcp.oracle_answer.cli \
--question "What are GDPR requirements?" \
--frameworks GDPR \
--local-only
```
**Output:**
```json
{
"answer": "Local-only mode: skipping NVIDIA API call",
"framework_hits": {"GDPR": []},
"reasoning": "...",
"model": "nvidia/llama-2-7b-chat"
}
```
### 2. Call NVIDIA API (Real LLM Response)
```bash
python3 -m mcp.oracle_answer.cli \
--question "What are our PCI-DSS network segmentation requirements?" \
--frameworks PCI-DSS \
--mode strict
```
**Output:**
```
================================================================================
ORACLE ANSWER (Powered by NVIDIA AI)
================================================================================
PCI-DSS requirement 1.2 requires implementation of a firewall configuration
that includes mechanisms for blocking unauthorized inbound traffic, such as:
- Deny-by-default inbound rules
- Explicit allow rules for business purposes
- Network segmentation to isolate cardholder data environment (CDE)
...
--- Reasoning ---
Analyzed question against frameworks: PCI-DSS. Mode=strict.
Used NVIDIA LLM for compliance analysis.
--- Framework Hits ---
PCI-DSS:
• PCI-DSS requirement 1.2 requires implementation of a firewall configuration
• Explicit allow rules for business purposes
• Network segmentation to isolate cardholder data environment (CDE)
[Model: nvidia/llama-2-7b-chat]
```
### 3. Python API (Async)
```python
import asyncio
from mcp.oracle_answer import OracleAnswerTool
async def main():
tool = OracleAnswerTool()
response = await tool.answer(
question="What are incident response SLA requirements?",
frameworks=["NIST-CSF", "ISO-27001"],
mode="strict"
)
print(response.answer)
print(response.framework_hits)
asyncio.run(main())
```
### 4. JSON Output (For Integration)
```bash
python3 -m mcp.oracle_answer.cli \
--question "Incident response process?" \
--frameworks NIST-CSF \
--json
```
---
## API Configuration
### Model: Meta Llama 2 7B Chat
- **Free tier:** Yes (from build.nvidia.com)
- **Limits:** Rate-limited, suitable for compliance analysis
- **Quality:** Good for structured compliance/security questions
- **Tokens:** ~1024 max per response
### Prompt Engineering
The tool constructs context-aware prompts:
```python
prompt = f"""You are a compliance and security expert analyzing infrastructure questions.
Question: {question}
Compliance Frameworks to Consider:
{frameworks}
Analysis Mode: {mode}
Provide a structured answer that:
1. Directly addresses the question
2. References the relevant frameworks
3. Identifies gaps or risks
4. Suggests mitigations where applicable
"""
```
### Response Processing
1. Call NVIDIA API → get raw LLM response
2. Extract framework mentions → populate `framework_hits`
3. Build `ToolResponse` → return to caller
4. Log to `COMPLIANCE_LEDGER.jsonl` → audit trail
---
## Error Handling
### Missing API Key
```python
OracleAnswerTool() # Raises ValueError
# "NVIDIA_API_KEY not found. Set it in .env or pass api_key parameter."
```
**Fix:**
```bash
export NVIDIA_API_KEY="nvapi-..."
# OR already in .env
source .env
```
### API Rate Limit
```
(API Error: 429 Too Many Requests)
Falling back to local analysis...
```
**Fix:** Wait a few minutes, or use `--local-only` mode for testing.
### No httpx Library
```
ImportError: httpx not installed
```
**Fix:**
```bash
pip install httpx
```
---
## Integration with MCP Stack
### In OpenCode
```
/agent cloudflare-ops
Query: "Are we compliant with NIS2 incident response timelines?"
[Agent uses oracle_answer tool internally]
```
### In CI/CD (GitOps)
```bash
# In .gitlab-ci.yml
oracle_compliance_check:
script:
- python3 -m mcp.oracle_answer.cli \
--question "WAF rules compliant with PCI-DSS?" \
--frameworks PCI-DSS \
--json > compliance_report.json
artifacts:
reports:
compliance: compliance_report.json
```
### In Scripts
```python
# In observatory/waf-intel.py (Phase 7)
from mcp.oracle_answer import OracleAnswerTool
async def analyze_waf_rules():
tool = OracleAnswerTool()
response = await tool.answer(
question=f"Are these WAF rules sufficient? {rules}",
frameworks=["PCI-DSS", "NIST-CSF"],
mode="strict"
)
# Log to COMPLIANCE_LEDGER.jsonl
```
---
## Testing the Integration
### Quick Test
```bash
# Should work (local-only)
python3 -m mcp.oracle_answer.cli \
--question "Test?" \
--local-only
# Expected output: Valid JSON with stub answer
```
### API Test
```bash
# Should call NVIDIA API (requires rate limit availability)
python3 -m mcp.oracle_answer.cli \
--question "What is zero-trust architecture?" \
--frameworks NIST-CSF
# Expected output: Real LLM response
```
### Unit Test
```python
import asyncio
from mcp.oracle_answer import OracleAnswerTool
async def test():
# Local-only mode for fast testing
tool = OracleAnswerTool(use_local_only=True)
resp = await tool.answer("Test?", frameworks=["NIST-CSF"])
assert resp.answer is not None
assert resp.framework_hits is not None
assert "nvidia" in resp.model.lower()
print("✓ All tests passed")
asyncio.run(test())
```
---
## Compliance Frameworks (Mapped)
The oracle can answer about any framework. Pre-mapped frameworks:
| Framework | Example Questions |
|-----------|-------------------|
| **NIST-CSF** | Risk assessment, incident response, access control |
| **ISO-27001** | Information security management, controls |
| **GDPR** | Data protection, privacy, retention |
| **PCI-DSS** | Network security, access control, WAF rules |
| **SOC2** | Security controls, audit logs, availability |
| **NIS2** | Critical infrastructure, incident reporting |
| **HIPAA** | Healthcare data protection, audit controls |
---
## Cost & Rate Limits
**Free Tier (build.nvidia.com):**
- Rate limit: ~10-30 requests/hour (varies)
- Cost: $0
- Best for: Development, testing, compliance audits
- Not for: Real-time production at scale
**If you hit rate limits:**
1. Use `--local-only` flag (skip API)
2. Cache responses in `COMPLIANCE_LEDGER.jsonl`
3. Batch questions together
4. Use during off-peak hours
---
## Upgrading to Paid API (Future)
When production scales beyond free tier:
1. Upgrade at https://build.nvidia.com/billing
2. Update `NVIDIA_API_BASE` and `NVIDIA_MODEL` in tool.py
3. Consider faster models (Mixtral 8x7B, etc.)
4. Implement response caching
```python
# Example: Upgrade to Mixtral
NVIDIA_MODEL = "mistralai/mixtral-8x7b-instruct"
```
---
## Architecture
```
CLI/API Request
build_parser() / OracleAnswerTool.answer()
tool._call_nvidia_api(prompt)
NVIDIA API (meta/llama-2-7b-chat)
LLM Response (compliance answer)
_extract_framework_hits(answer, frameworks)
ToolResponse(answer, framework_hits, reasoning)
JSON or Pretty Output
```
---
## Next Steps
### Immediate (Now)
- ✅ Test with `--local-only`
- ✅ Test with real API (if rate limit allows)
- ✅ Verify NVIDIA_API_KEY in .env
### Phase 7 (WAF Intelligence)
- Use oracle to analyze WAF rule effectiveness
- Call oracle from waf-intel.py
- Store responses in COMPLIANCE_LEDGER.jsonl
### Future (Scale)
- Implement caching for repeated questions
- Upgrade to paid NVIDIA tier if needed
- Add multi-model support (Claude, GPT, etc.)
- Build compliance report generator
---
## Troubleshooting
### "NVIDIA_API_KEY not found"
```bash
# Check .env
grep NVIDIA_API_KEY .env
# If missing, add from https://build.nvidia.com/settings/api-keys
echo "NVIDIA_API_KEY=nvapi-..." >> .env
source .env
```
### API Returns Error 401
```
(API Error: 401 Unauthorized)
```
**Fix:** Check NVIDIA_API_KEY is valid and hasn't expired.
### API Returns Error 429
```
(API Error: 429 Too Many Requests)
```
**Fix:** Free tier is rate-limited. Wait 1-5 minutes or use `--local-only`.
### Slow Responses
- Free tier API can be slow (5-15 sec per response)
- Use `--local-only` for development
- Cache results in `COMPLIANCE_LEDGER.jsonl`
---
## Summary
| Item | Status |
|------|--------|
| **NVIDIA API Key** | ✅ Added to .env |
| **Tool Integration** | ✅ mcp/oracle_answer/tool.py |
| **CLI Integration** | ✅ mcp/oracle_answer/cli.py |
| **Testing** | ✅ Works with --local-only |
| **Documentation** | ✅ This file |
| **Error Handling** | ✅ Graceful fallback on API errors |
| **Compliance Frameworks** | ✅ 7 frameworks supported |
| **Ready for Phase 7** | ✅ Yes |
---
**Status:** 🟢 Production Ready
**API:** NVIDIA Llama 2 7B Chat (Free Tier)
**Next:** Start Phase 7 (WAF Intelligence) with oracle backing your decisions