Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation

terraform/tunnels.tf

@@ -0,0 +1,121 @@
+# Cloudflare Tunnels
+
+# Tunnel for VaultMesh services
+resource "cloudflare_tunnel" "vaultmesh" {
+  account_id = local.account_id
+  name       = "vaultmesh-tunnel"
+  secret     = var.tunnel_secret_vaultmesh
+}
+
+# Tunnel for OffSec services
+resource "cloudflare_tunnel" "offsec" {
+  account_id = local.account_id
+  name       = "offsec-tunnel"
+  secret     = var.tunnel_secret_offsec
+}
+
+# Tunnel configuration for VaultMesh
+resource "cloudflare_tunnel_config" "vaultmesh" {
+  account_id = local.account_id
+  tunnel_id  = cloudflare_tunnel.vaultmesh.id
+
+  config {
+    # VaultMesh Core API
+    ingress_rule {
+      hostname = "api.vaultmesh.org"
+      service  = "http://localhost:8080"
+      origin_request {
+        connect_timeout = "10s"
+        no_tls_verify   = false
+      }
+    }
+
+    # VaultMesh Dashboard
+    ingress_rule {
+      hostname = "dash.vaultmesh.org"
+      service  = "http://localhost:3000"
+    }
+
+    # VaultMesh Guardian
+    ingress_rule {
+      hostname = "guardian.vaultmesh.org"
+      service  = "http://localhost:8081"
+    }
+
+    # Catch-all
+    ingress_rule {
+      service = "http_status:404"
+    }
+  }
+}
+
+# Tunnel configuration for OffSec
+resource "cloudflare_tunnel_config" "offsec" {
+  account_id = local.account_id
+  tunnel_id  = cloudflare_tunnel.offsec.id
+
+  config {
+    # OffSec main site
+    ingress_rule {
+      hostname = "offsec.global"
+      service  = "http://localhost:8090"
+    }
+
+    # OffSec Agent portal
+    ingress_rule {
+      hostname = "offsecagent.com"
+      service  = "http://localhost:8091"
+    }
+
+    # OffSec Shield dashboard
+    ingress_rule {
+      hostname = "offsecshield.com"
+      service  = "http://localhost:8092"
+    }
+
+    # Catch-all
+    ingress_rule {
+      service = "http_status:404"
+    }
+  }
+}
+
+# DNS records pointing to tunnels
+resource "cloudflare_record" "tunnel_vaultmesh_api" {
+  zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+  name    = "api"
+  value   = "${cloudflare_tunnel.vaultmesh.id}.cfargotunnel.com"
+  type    = "CNAME"
+  proxied = true
+}
+
+resource "cloudflare_record" "tunnel_vaultmesh_dash" {
+  zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+  name    = "dash"
+  value   = "${cloudflare_tunnel.vaultmesh.id}.cfargotunnel.com"
+  type    = "CNAME"
+  proxied = true
+}
+
+resource "cloudflare_record" "tunnel_vaultmesh_guardian" {
+  zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+  name    = "guardian"
+  value   = "${cloudflare_tunnel.vaultmesh.id}.cfargotunnel.com"
+  type    = "CNAME"
+  proxied = true
+}
+
+# Variables for tunnel secrets
+variable "tunnel_secret_vaultmesh" {
+  description = "Secret for VaultMesh tunnel (base64 encoded 32+ bytes)"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "tunnel_secret_offsec" {
+  description = "Secret for OffSec tunnel (base64 encoded 32+ bytes)"
+  type        = string
+  sensitive   = true
+  default     = ""
+}