Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access) - WAF Intelligence MCP server with threat analysis and ML classification - GitOps automation with PR workflows and drift detection - Observatory monitoring stack with Prometheus/Grafana - IDE operator rules for governed development - Security playbooks and compliance frameworks - Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions
--- a/cloudflare_dns_manifest.md
+++ b/cloudflare_dns_manifest.md
@@ -0,0 +1,127 @@
+# Cloudflare DNS Manifest (Baseline)
+
+## Purpose
+A declarative, version-controlled DNS manifest for VaultMesh, OffSec, and related domains. This serves as the canonical source of truth for DNS state, to be captured in VaultMesh receipts and anchored regularly.
+
+---
+
+# 1. Manifest Structure
+Each domain contains:
+- SOA
+- NS
+- A / AAAA records
+- CNAME
+- TXT (SPF, DKIM, DMARC, verification)
+- MX
+- SRV (if any)
+- Proxied/Unproxied state
+- Expected TTL
+
+All manifests MUST be reproducible from Cloudflare's API and diffs anchored weekly.
+
+---
+
+# 2. Example Manifest: vaultmesh.org
+```yaml
+zone: vaultmesh.org
+records:
+  - type: A
+    name: @
+    content: 192.0.2.10
+    proxied: true
+    ttl: auto
+
+  - type: AAAA
+    name: @
+    content: 2001:db8::10
+    proxied: true
+    ttl: auto
+
+  - type: CNAME
+    name: www
+    content: vaultmesh.org
+    proxied: true
+
+  - type: TXT
+    name: @
+    content: "v=spf1 include:_spf.google.com -all"
+
+  - type: TXT
+    name: _dmarc
+    content: "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"
+
+  - type: MX
+    name: @
+    content: mx1.improvmx.com
+    priority: 10
+
+  - type: MX
+    name: @
+    content: mx2.improvmx.com
+    priority: 20
+```
+
+---
+
+# 3. OffSec Domain Template
+For: offsec.global, offsecglobal.com, offsecagent.com, offsecshield.com
+
+```yaml
+zone: offsec.example
+records:
+  - type: A
+    name: @
+    content: 192.0.2.44
+    proxied: true
+
+  - type: CNAME
+    name: www
+    content: offsec.example
+    proxied: true
+
+  - type: TXT
+    name: @
+    content: "v=spf1 include:_spf.mxroute.com -all"
+
+  - type: TXT
+    name: _dmarc
+    content: "v=DMARC1; p=reject; rua=mailto:guardian@offsec.example"
+
+  - type: MX
+    name: @
+    content: mxroute1.mxlogin.com
+    priority: 10
+
+  - type: MX
+    name: @
+    content: mxroute2.mxlogin.com
+    priority: 20
+```
+
+---
+
+# 4. Security Requirements
+- DNSSEC: **Enabled** for all zones
+- Registrar Lock: **Enabled**
+- No wildcards unless justified
+- All A/AAAA/CNAME must be **proxied** unless servicing internal/private infra
+- Remove stale records within 24h of deprecation
+
+---
+
+# 5. Change-Control Pipeline
+1. Proposed DNS change → Manifest PR
+2. CI validates structure + conflicts
+3. Merge → Apply via API/Terraform
+4. Emit DNS-change receipt in VaultMesh
+5. Anchor weekly DNS snapshots
+
+---
+
+# 6. Audit Signals
+- Unexpected unproxied records
+- Sudden IP changes
+- DMARC/ SPF drift
+- Added/removed MX without change-control
+- Hostname shadowing attempts
+