Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation

observatory/alertmanager/templates/slack.tmpl

@@ -0,0 +1,200 @@
+{{/* Slack notification templates for Cloudflare Mesh Observatory */}}
+
+{{/* Title template */}}
+{{ define "slack.cloudflare.title" -}}
+{{ if eq .Status "firing" }}{{ .Alerts.Firing | len }} FIRING{{ end }}{{ if and (eq .Status "resolved") (gt (.Alerts.Resolved | len) 0) }}{{ .Alerts.Resolved | len }} RESOLVED{{ end }} | {{ .CommonLabels.alertname }}
+{{- end }}
+
+{{/* Color template based on severity */}}
+{{ define "slack.cloudflare.color" -}}
+{{ if eq .Status "resolved" }}good{{ else if eq .CommonLabels.severity "critical" }}danger{{ else if eq .CommonLabels.severity "warning" }}warning{{ else }}#439FE0{{ end }}
+{{- end }}
+
+{{/* Main text body */}}
+{{ define "slack.cloudflare.text" -}}
+{{ range .Alerts }}
+*Alert:* {{ .Labels.alertname }}
+*Severity:* {{ .Labels.severity | toUpper }}
+*Component:* {{ .Labels.component }}
+*Status:* {{ .Status | toUpper }}
+
+*Summary:* {{ .Annotations.summary }}
+
+*Description:* {{ .Annotations.description }}
+
+{{ if .Annotations.runbook_url }}*Runbook:* <{{ .Annotations.runbook_url }}|View Playbook>{{ end }}
+
+*Labels:*
+{{ range .Labels.SortedPairs -}}
+  - {{ .Name }}: `{{ .Value }}`
+{{ end }}
+
+*Started:* {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
+{{ if eq .Status "resolved" }}*Resolved:* {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
+
+---
+{{ end }}
+{{- end }}
+
+{{/* Runbook URL template */}}
+{{ define "slack.cloudflare.runbook" -}}
+{{ if .CommonAnnotations.runbook_url }}{{ .CommonAnnotations.runbook_url }}{{ else }}https://wiki.internal/playbooks/cloudflare{{ end }}
+{{- end }}
+
+{{/* Compact alert list for summary */}}
+{{ define "slack.cloudflare.alertlist" -}}
+{{ range . }}
+- {{ .Labels.alertname }} ({{ .Labels.severity }})
+{{ end }}
+{{- end }}
+
+{{/* Tunnel-specific template */}}
+{{ define "slack.cloudflare.tunnel" -}}
+{{ range .Alerts }}
+*Tunnel Alert*
+
+*Tunnel ID:* {{ .Labels.tunnel_id }}
+*Tunnel Name:* {{ .Labels.tunnel_name }}
+*Status:* {{ .Status | toUpper }}
+
+{{ .Annotations.description }}
+
+*Action Required:*
+{{ if eq .Labels.alertname "TunnelDown" }}
+1. Check cloudflared service status
+2. Verify network connectivity
+3. Run tunnel rotation if unrecoverable
+{{ else if eq .Labels.alertname "TunnelRotationDue" }}
+1. Schedule maintenance window
+2. Execute tunnel rotation protocol
+3. Verify new tunnel connectivity
+{{ end }}
+
+---
+{{ end }}
+{{- end }}
+
+{{/* DNS-specific template */}}
+{{ define "slack.cloudflare.dns" -}}
+{{ range .Alerts }}
+*DNS Alert*
+
+*Record:* {{ .Labels.record_name }}
+*Type:* {{ .Labels.record_type }}
+*Zone:* {{ .Labels.zone }}
+*Status:* {{ .Status | toUpper }}
+
+{{ .Annotations.description }}
+
+*Immediate Actions:*
+{{ if eq .Labels.alertname "DNSHijackDetected" }}
+1. CRITICAL: Potential DNS hijack detected
+2. Immediately verify DNS resolution
+3. Check Cloudflare audit logs
+4. Engage incident response team
+{{ else if eq .Labels.alertname "DNSDriftDetected" }}
+1. Compare current vs expected records
+2. Check for unauthorized changes
+3. Run state reconciler if needed
+{{ end }}
+
+---
+{{ end }}
+{{- end }}
+
+{{/* WAF-specific template */}}
+{{ define "slack.cloudflare.waf" -}}
+{{ range .Alerts }}
+*WAF Alert*
+
+*Rule ID:* {{ .Labels.rule_id }}
+*Action:* {{ .Labels.action }}
+*Source:* {{ .Labels.source_ip }}
+*Status:* {{ .Status | toUpper }}
+
+{{ .Annotations.description }}
+
+*Threat Intelligence:*
+- Request Count: {{ .Labels.request_count }}
+- Block Rate: {{ .Labels.block_rate }}%
+- Attack Type: {{ .Labels.attack_type }}
+
+*Recommended Actions:*
+{{ if eq .Labels.alertname "WAFMassiveAttack" }}
+1. Verify attack is not false positive
+2. Consider enabling Under Attack Mode
+3. Review and adjust rate limiting
+4. Document attack patterns
+{{ else if eq .Labels.alertname "WAFRuleBypass" }}
+1. Analyze bypassed requests
+2. Tighten rule specificity
+3. Add supplementary rules
+{{ end }}
+
+---
+{{ end }}
+{{- end }}
+
+{{/* Security/Invariant template */}}
+{{ define "slack.cloudflare.security" -}}
+{{ range .Alerts }}
+*Security Invariant Violation*
+
+*Invariant:* {{ .Labels.invariant_name }}
+*Category:* {{ .Labels.category }}
+*Status:* {{ .Status | toUpper }}
+
+{{ .Annotations.description }}
+
+*Violation Details:*
+- Expected: {{ .Labels.expected_value }}
+- Actual: {{ .Labels.actual_value }}
+- First Seen: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
+
+*Compliance Impact:*
+This violation may affect:
+{{ range split .Labels.frameworks "," -}}
+- {{ . }}
+{{ end }}
+
+*Remediation Steps:*
+1. Review invariant definition
+2. Check for authorized changes
+3. Run autonomous remediator or manual fix
+4. Document change justification
+
+---
+{{ end }}
+{{- end }}
+
+{{/* Proofchain template */}}
+{{ define "slack.cloudflare.proofchain" -}}
+{{ range .Alerts }}
+*Proofchain Alert*
+
+*Chain:* {{ .Labels.chain_name }}
+*Receipt Type:* {{ .Labels.receipt_type }}
+*Status:* {{ .Status | toUpper }}
+
+{{ .Annotations.description }}
+
+*Integrity Details:*
+- Last Valid Hash: {{ .Labels.last_valid_hash }}
+- Expected Hash: {{ .Labels.expected_hash }}
+- Computed Hash: {{ .Labels.computed_hash }}
+
+*This indicates potential:*
+- Ledger tampering
+- Receipt corruption
+- Chain fork
+- Missing anchors
+
+*Immediate Actions:*
+1. DO NOT write new receipts until resolved
+2. Identify last known-good state
+3. Investigate discrepancy source
+4. Contact proofchain administrator
+
+---
+{{ end }}
+{{- end }}