Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation

TEST_WORKFLOW.sh

@@ -0,0 +1,298 @@
+#!/bin/bash
+# TEST_WORKFLOW.sh
+# End-to-end test for GitLab + Cloudflare MCP integration
+# Usage: ./TEST_WORKFLOW.sh [full|quick]
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+WORKFLOW_MODE="${1:-quick}"
+
+# Color codes for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Logging functions
+log_info() {
+    echo -e "${BLUE}[INFO]${NC} $1"
+}
+
+log_success() {
+    echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+log_warning() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# ============================================================================
+# PHASE 1: Environment Validation
+# ============================================================================
+echo ""
+log_info "====== PHASE 1: Environment Validation ======"
+
+# Check required environment variables
+check_env_var() {
+    local var_name=$1
+    local var_value=${!var_name:-}
+    
+    if [[ -z "$var_value" ]]; then
+        log_warning "$var_name not set (optional)"
+        return 1
+    else
+        log_success "$var_name is set (${#var_value} chars)"
+        return 0
+    fi
+}
+
+# Essential vars
+log_info "Checking essential environment variables..."
+GITHUB_OKAY=$(check_env_var GITHUB_TOKEN || echo "false")
+GITLAB_OKAY=$(check_env_var GITLAB_TOKEN || echo "false")
+CLOUDFLARE_OKAY=$(check_env_var CLOUDFLARE_API_TOKEN || echo "false")
+ACCOUNT_OKAY=$(check_env_var CLOUDFLARE_ACCOUNT_ID || echo "false")
+
+# Verify opencode.jsonc exists and is valid JSON
+log_info "Validating opencode.jsonc..."
+if [[ ! -f "$SCRIPT_DIR/opencode.jsonc" ]]; then
+    log_error "opencode.jsonc not found in $SCRIPT_DIR"
+    exit 1
+fi
+
+# Try to parse as JSON (allowing comments via jq)
+if command -v jq &> /dev/null; then
+    if jq . "$SCRIPT_DIR/opencode.jsonc" > /dev/null 2>&1; then
+        log_success "opencode.jsonc is valid JSON"
+    else
+        log_warning "opencode.jsonc has comments (expected for .jsonc)"
+    fi
+else
+    log_warning "jq not available, skipping JSON validation"
+fi
+
+# Check Terraform files
+log_info "Validating Terraform files..."
+if [[ ! -d "$SCRIPT_DIR/terraform" ]]; then
+    log_error "terraform/ directory not found"
+    exit 1
+fi
+
+if command -v terraform &> /dev/null; then
+    cd "$SCRIPT_DIR/terraform"
+    if terraform validate > /dev/null 2>&1; then
+        log_success "Terraform files are valid"
+    else
+        log_warning "Terraform validation failed (may need init)"
+    fi
+    cd "$SCRIPT_DIR"
+else
+    log_warning "terraform CLI not installed, skipping validation"
+fi
+
+# ============================================================================
+# PHASE 2: Test Scenarios (by mode)
+# ============================================================================
+echo ""
+
+if [[ "$WORKFLOW_MODE" == "quick" ]]; then
+    log_info "====== PHASE 2: Quick Test (Environment Check Only) ======"
+    
+    echo ""
+    log_info "Summary of configured MCPs:"
+    echo "  ✓ Enabled globally: filesystem, git, github, gh_grep"
+    echo "  ⚠ Per-agent enabled: gitlab, cloudflare (requires tokens)"
+    echo "  ✓ Optional: postgres, sqlite, docker, aws, slack, memory, context7"
+    
+    echo ""
+    log_info "Token Status:"
+    [[ "$GITHUB_OKAY" != "false" ]] && echo "  ✓ GITHUB_TOKEN available" || echo "  ✗ GITHUB_TOKEN missing"
+    [[ "$GITLAB_OKAY" != "false" ]] && echo "  ✓ GITLAB_TOKEN available" || echo "  ✗ GITLAB_TOKEN missing (needed for gitlab MCP)"
+    [[ "$CLOUDFLARE_OKAY" != "false" ]] && echo "  ✓ CLOUDFLARE_API_TOKEN available" || echo "  ✗ CLOUDFLARE_API_TOKEN missing (needed for cloudflare MCP)"
+    [[ "$ACCOUNT_OKAY" != "false" ]] && echo "  ✓ CLOUDFLARE_ACCOUNT_ID available" || echo "  ✗ CLOUDFLARE_ACCOUNT_ID missing (needed for cloudflare MCP)"
+    
+    echo ""
+    log_success "Quick test complete!"
+    
+elif [[ "$WORKFLOW_MODE" == "full" ]]; then
+    log_info "====== PHASE 2: Full Integration Test ======"
+    
+    # ========================================================================
+    # Test 1: Git Operations
+    # ========================================================================
+    echo ""
+    log_info "Test 1: Git operations (local)"
+    
+    if [[ -d "$SCRIPT_DIR/.git" ]]; then
+        log_success "Git repository detected"
+        cd "$SCRIPT_DIR"
+        BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
+        COMMITS=$(git log --oneline -n 3 2>/dev/null || echo "none")
+        log_success "Current branch: $BRANCH"
+        log_success "Recent commits: (see below)"
+        echo "$COMMITS" | sed 's/^/  /'
+    else
+        log_warning "Not a git repository (use 'git init' if needed)"
+    fi
+    
+    # ========================================================================
+    # Test 2: Filesystem Operations
+    # ========================================================================
+    echo ""
+    log_info "Test 2: Filesystem operations (local)"
+    
+    FILES_FOUND=$(find "$SCRIPT_DIR" -maxdepth 2 -type f -name "*.tf" | wc -l)
+    log_success "Found $FILES_FOUND Terraform files"
+    
+    if [[ -f "$SCRIPT_DIR/terraform/main.tf" ]]; then
+        log_success "main.tf exists"
+        RESOURCE_COUNT=$(grep -c "^resource " "$SCRIPT_DIR/terraform/main.tf" || echo "0")
+        log_success "Contains $RESOURCE_COUNT resources"
+    fi
+    
+    # ========================================================================
+    # Test 3: GitHub Integration (if token available)
+    # ========================================================================
+    echo ""
+    log_info "Test 3: GitHub integration"
+    
+    if [[ "$GITHUB_OKAY" != "false" ]] && command -v gh &> /dev/null; then
+        log_success "GitHub CLI available with token"
+        if gh auth status > /dev/null 2>&1; then
+            USER=$(gh api user.login 2>/dev/null || echo "unknown")
+            log_success "Authenticated as: $USER"
+        else
+            log_warning "GitHub token validation failed"
+        fi
+    else
+        log_warning "GitHub token not available (optional for local work)"
+    fi
+    
+    # ========================================================================
+    # Test 4: GitLab Integration (if token available)
+    # ========================================================================
+    echo ""
+    log_info "Test 4: GitLab integration"
+    
+    if [[ "$GITLAB_OKAY" != "false" ]]; then
+        GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"
+        log_success "GITLAB_TOKEN available"
+        log_success "GITLAB_URL: $GITLAB_URL"
+        
+        # Test with curl
+        if command -v curl &> /dev/null; then
+            GITLAB_RESPONSE=$(curl -s -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$GITLAB_URL/api/v4/user" 2>/dev/null | jq '.name' 2>/dev/null || echo "error")
+            if [[ "$GITLAB_RESPONSE" != "error" ]]; then
+                log_success "GitLab API connection successful"
+            else
+                log_warning "GitLab API returned an error (check token/URL)"
+            fi
+        fi
+    else
+        log_warning "GITLAB_TOKEN not available (needed for gitlab MCP)"
+        echo "  To enable: export GITLAB_TOKEN='glpat_...'"
+    fi
+    
+    # ========================================================================
+    # Test 5: Cloudflare Integration (if token available)
+    # ========================================================================
+    echo ""
+    log_info "Test 5: Cloudflare API integration"
+    
+    if [[ "$CLOUDFLARE_OKAY" != "false" ]] && [[ "$ACCOUNT_OKAY" != "false" ]]; then
+        log_success "CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID available"
+        
+        # Test with curl
+        if command -v curl &> /dev/null; then
+            CF_RESPONSE=$(curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID" \
+                -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" 2>/dev/null | jq '.success' 2>/dev/null || echo "false")
+            
+            if [[ "$CF_RESPONSE" == "true" ]]; then
+                log_success "Cloudflare API connection successful"
+                
+                # Get zones count
+                ZONES=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones" \
+                    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" 2>/dev/null | jq '.result | length' 2>/dev/null || echo "0")
+                log_success "Account has $ZONES zone(s)"
+            else
+                log_warning "Cloudflare API authentication failed (check token)"
+            fi
+        fi
+    else
+        log_warning "CLOUDFLARE_API_TOKEN or CLOUDFLARE_ACCOUNT_ID not available"
+        echo "  To enable: export CLOUDFLARE_API_TOKEN='...'"
+        echo "  To enable: export CLOUDFLARE_ACCOUNT_ID='...'"
+    fi
+    
+    # ========================================================================
+    # Test 6: Compliance Files
+    # ========================================================================
+    echo ""
+    log_info "Test 6: Compliance and documentation files"
+    
+    COMPLIANCE_FILES=(
+        "cloudflare_dns_manifest.md"
+        "cloudflare_waf_baseline.md"
+        "zero_trust_architecture.md"
+        "WEB-INFRA-SECURITY-PATTERNS.md"
+        "TUNNEL-HARDENING.md"
+    )
+    
+    for file in "${COMPLIANCE_FILES[@]}"; do
+        if [[ -f "$SCRIPT_DIR/$file" ]]; then
+            LINES=$(wc -l < "$SCRIPT_DIR/$file")
+            log_success "$file ($LINES lines)"
+        else
+            log_warning "$file not found"
+        fi
+    done
+    
+    # ========================================================================
+    # Test 7: Playbooks
+    # ========================================================================
+    echo ""
+    log_info "Test 7: Incident Response Playbooks"
+    
+    if [[ -d "$SCRIPT_DIR/playbooks" ]]; then
+        PLAYBOOK_COUNT=$(find "$SCRIPT_DIR/playbooks" -type f -name "*.md" | wc -l)
+        log_success "Found $PLAYBOOK_COUNT playbooks"
+        find "$SCRIPT_DIR/playbooks" -type f -name "*.md" -exec basename {} \; | sed 's/^/  - /'
+    else
+        log_warning "playbooks/ directory not found"
+    fi
+    
+    log_success "Full test complete!"
+    
+else
+    log_error "Unknown mode: $WORKFLOW_MODE"
+    echo "Usage: $0 [quick|full]"
+    exit 1
+fi
+
+# ============================================================================
+# FINAL SUMMARY
+# ============================================================================
+echo ""
+log_info "====== Test Summary ======"
+echo ""
+echo "Quick Reference:"
+echo "  Start OpenCode:        opencode"
+echo "  Initialize:            /init"
+echo "  List MCPs:             /mcp list"
+echo "  Start agent:           /agent cloudflare-ops"
+echo "  Read config:           cat opencode.jsonc"
+echo ""
+echo "Next Steps:"
+echo "  1. Export required tokens to environment"
+echo "  2. Run: opencode /init"
+echo "  3. Run: /mcp list (verify MCPs load)"
+echo "  4. Run: /agent cloudflare-ops"
+echo "  5. Test: 'Query the latest infrastructure changes in GitLab'"
+echo ""
+log_success "All checks passed!"