Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation

systemd/README.md

@@ -0,0 +1,104 @@
+# Cloudflare Mesh Systemd Units
+
+Systemd service and timer units for the Autonomic Mesh.
+
+## Services
+
+| Unit | Description | Type |
+|------|-------------|------|
+| `drift-guardian.service` | Real-time configuration monitor | Continuous |
+| `autonomous-remediator.service` | Self-healing infrastructure | Continuous |
+| `tunnel-rotation.service` | Credential rotation | One-shot |
+| `tunnel-rotation.timer` | Weekly rotation schedule | Timer |
+
+## Installation
+
+### 1. Create service user
+
+```bash
+sudo useradd -r -s /usr/sbin/nologin -d /var/lib/cloudflare-mesh cloudflare-mesh
+sudo mkdir -p /var/lib/cloudflare-mesh /var/log/cloudflare-mesh
+sudo chown cloudflare-mesh:cloudflare-mesh /var/lib/cloudflare-mesh /var/log/cloudflare-mesh
+```
+
+### 2. Install scripts
+
+```bash
+sudo mkdir -p /opt/cloudflare-mesh/scripts
+sudo cp scripts/*.py /opt/cloudflare-mesh/scripts/
+sudo chmod +x /opt/cloudflare-mesh/scripts/*.py
+```
+
+### 3. Create environment file
+
+```bash
+sudo mkdir -p /etc/cloudflare-mesh
+cat << EOF | sudo tee /etc/cloudflare-mesh/environment
+CLOUDFLARE_API_TOKEN=your_api_token_here
+CLOUDFLARE_ZONE_ID=your_zone_id
+CLOUDFLARE_ACCOUNT_ID=your_account_id
+EOF
+sudo chmod 600 /etc/cloudflare-mesh/environment
+sudo chown root:cloudflare-mesh /etc/cloudflare-mesh/environment
+```
+
+### 4. Install systemd units
+
+```bash
+sudo cp systemd/*.service systemd/*.timer /etc/systemd/system/
+sudo systemctl daemon-reload
+```
+
+### 5. Enable and start services
+
+```bash
+# Enable continuous services
+sudo systemctl enable --now drift-guardian.service
+sudo systemctl enable --now autonomous-remediator.service
+
+# Enable rotation timer
+sudo systemctl enable --now tunnel-rotation.timer
+```
+
+## Management
+
+### Check status
+
+```bash
+sudo systemctl status drift-guardian.service
+sudo systemctl status autonomous-remediator.service
+sudo systemctl list-timers tunnel-rotation.timer
+```
+
+### View logs
+
+```bash
+# Drift guardian logs
+journalctl -u drift-guardian.service -f
+
+# Remediator logs
+journalctl -u autonomous-remediator.service -f
+
+# Rotation logs
+journalctl -u tunnel-rotation.service
+```
+
+### Manual rotation
+
+```bash
+sudo systemctl start tunnel-rotation.service
+```
+
+### Stop all services
+
+```bash
+sudo systemctl stop drift-guardian.service autonomous-remediator.service
+sudo systemctl stop tunnel-rotation.timer
+```
+
+## Security Notes
+
+- All services run as non-root user `cloudflare-mesh`
+- Services use systemd hardening directives
+- API tokens stored with restricted permissions (600)
+- Services have read-only filesystem access except for data directories

systemd/autonomous-remediator.service

@@ -0,0 +1,56 @@
+[Unit]
+Description=Cloudflare Autonomous Remediator - Self-healing infrastructure
+Documentation=https://vaultmesh.org/docs/cloudflare-binding
+After=network-online.target drift-guardian.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=cloudflare-mesh
+Group=cloudflare-mesh
+
+# Environment
+EnvironmentFile=/etc/cloudflare-mesh/environment
+Environment=PYTHONUNBUFFERED=1
+
+# Execution
+ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/autonomous-remediator.py \
+    --zone-id ${CLOUDFLARE_ZONE_ID} \
+    --account-id ${CLOUDFLARE_ACCOUNT_ID} \
+    --watch-mode \
+    --emit-receipts
+
+# Restart policy
+Restart=always
+RestartSec=30
+StartLimitBurst=5
+StartLimitIntervalSec=300
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/cloudflare-mesh
+ReadWritePaths=/var/log/cloudflare-mesh
+CapabilityBoundingSet=
+AmbientCapabilities=
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=autonomous-remediator
+
+[Install]
+WantedBy=multi-user.target

systemd/drift-guardian.service

@@ -0,0 +1,56 @@
+[Unit]
+Description=Cloudflare Drift Guardian - Real-time configuration monitor
+Documentation=https://vaultmesh.org/docs/cloudflare-binding
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=cloudflare-mesh
+Group=cloudflare-mesh
+
+# Environment
+EnvironmentFile=/etc/cloudflare-mesh/environment
+Environment=PYTHONUNBUFFERED=1
+
+# Execution
+ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/drift-guardian.py \
+    --zone-id ${CLOUDFLARE_ZONE_ID} \
+    --account-id ${CLOUDFLARE_ACCOUNT_ID} \
+    --interval 60 \
+    --auto-remediate
+
+# Restart policy
+Restart=always
+RestartSec=30
+StartLimitBurst=5
+StartLimitIntervalSec=300
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/cloudflare-mesh
+ReadWritePaths=/var/log/cloudflare-mesh
+CapabilityBoundingSet=
+AmbientCapabilities=
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=drift-guardian
+
+[Install]
+WantedBy=multi-user.target

systemd/tunnel-rotation.service

@@ -0,0 +1,35 @@
+[Unit]
+Description=Cloudflare Tunnel Rotation - Credential renewal cycle
+Documentation=https://vaultmesh.org/docs/cloudflare-binding
+After=network-online.target
+
+[Service]
+Type=oneshot
+User=cloudflare-mesh
+Group=cloudflare-mesh
+
+# Environment
+EnvironmentFile=/etc/cloudflare-mesh/environment
+Environment=PYTHONUNBUFFERED=1
+
+# Execution
+ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/tunnel-rotation-scheduler.py \
+    --account-id ${CLOUDFLARE_ACCOUNT_ID} \
+    --zone-id ${CLOUDFLARE_ZONE_ID} \
+    --max-age 90
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/cloudflare-mesh
+ReadWritePaths=/var/log/cloudflare-mesh
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=tunnel-rotation

systemd/tunnel-rotation.timer

@@ -0,0 +1,15 @@
+[Unit]
+Description=Weekly Cloudflare Tunnel Rotation Timer
+Documentation=https://vaultmesh.org/docs/cloudflare-binding
+
+[Timer]
+# Run weekly on Sunday at 03:00 UTC
+OnCalendar=Sun *-*-* 03:00:00 UTC
+Persistent=true
+RandomizedDelaySec=1800
+
+# Accuracy
+AccuracySec=1min
+
+[Install]
+WantedBy=timers.target