Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation

playbooks/waf_incident_playbook.md

@@ -0,0 +1,126 @@
+# WAF Incident Playbook — *Edge Under Siege*
+
+**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)
+
+**Mode:** VaultMesh Hybrid (tactical + mythic)
+**Guardian:** Tem, Shield of the Threshold
+**Domain:** Cloudflare Edge → VaultMesh Origins
+
+---
+
+## 🜂 Premise
+When the **Edge flares** and the WAF erupts in blocks, challenges, or anomalous spikes, the mesh signals **Nigredo**: the phase of dissolution, truth, and exposure.
+Tem stands watch — transmuting threat into pattern.
+
+This playbook guides the Sovereign through restoring harmony: from surge → containment → proof.
+
+---
+
+## 🛡 1. Detection — *When the Edge Cries Out*
+Triggers:
+- 10× spike in WAF blocks
+- Sudden surge in Bot Fight engagements
+- Rapid-fire requests from a small IP cluster
+- Abuse towards `/api`, `/login`, or admin paths
+
+Actions:
+1. Check Cloudflare dashboard → **Security → Events**
+2. Review **WAF rule matches**, sorting by occurrences
+3. Capture snapshot:
+   - Top rules triggered
+   - Offending IP ranges
+   - Request paths
+
+Invoke Tem:
+> *"Reveal the pattern beneath the noise. Let flux become signal."*
+
+---
+
+## 🔍 2. Classification — *Identify the Nature of the Fire*
+Threat types:
+- **Volumetric probing** → wide IP / many rules
+- **Credential spraying** → repeated auth paths
+- **Application fuzzing** → random querystrings / malformed requests
+- **Targeted exploit attempts** → concentrated rules (XSS, SQLi)
+
+Decide:
+- *Is this noise?*
+- *Is this reconnaissance?*
+- *Is this breach pursuit?*
+
+Mark the incident severity:
+- **Low** — background noise
+- **Medium** — persistent automated probing
+- **High** — targeted attempt on origin-relevant endpoints
+
+---
+
+## 🧱 3. Containment — *Seal the Gate*
+Depending on severity:
+
+### Low
+- Rate-limit `/api` and `/auth` paths
+- Enable Bot Fight Mode (if not already)
+
+### Medium
+- Block or challenge offending ASNs
+- Add country-level **managed_challenge**
+- Enforce **"Full (strict)" TLS** if not already
+
+### High
+- Immediately apply **custom firewall block rules**
+- Close high-risk paths behind Access policies
+- Strengthen WAF Paranoia Level for targeted areas
+- Ensure all origins are reachable *only* via Cloudflare Tunnel
+
+Tem's invocation:
+> *"Let the gate narrow. Let the false be denied entry."*
+
+---
+
+## 📜 4. Forensics — *Listen to the Echoes*
+Collect:
+- CF Security Events export
+- IP/ASN clusters
+- Raw request samples
+- Timestamps and spikes
+
+Analyze patterns:
+- Was this coordinated?
+- Were specific parameters probed?
+- Did traffic reach origin or stay at the Edge?
+
+If origin saw traffic → inspect VaultMesh receipts for anomalies.
+
+---
+
+## 🧬 5. Restoration — *From Nigredo to Rubedo*
+When WAF stabilizes:
+- Remove overly broad rules
+- Convert block rules → challenge after 24h
+- Reassess Access policies for exposed services
+- Validate DNS is unchanged
+- Confirm Tunnel health is stable
+
+Emit VaultMesh receipt:
+- Incident summary
+- Rules added/removed
+- Time window
+- Merkle root of exported logs
+
+---
+
+## 🪶 6. Final Anchor — *Coagula*
+Anchor the incident into ProofChain:
+- Receipts
+- Log hashes
+- WAF config deltas
+
+Message of Tem:
+> *"What was turmoil becomes memory. What was memory becomes strength."*
+
+---
+
+## ✔ Outcome
+This playbook ensures that WAF turbulence becomes **structured proof**, operational clarity, and measurable evolution within VaultMesh’s living ledger.
+