vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Initial commit: Cloudflare infrastructure with WAF Intelligence

Browse Source 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
This commit is contained in:
Vault Sovereign
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
.codex/README.md Normal file
View File

@@ -0,0 +1,37 @@
# Codex Knowledge Base
This directory contains knowledge base files that provide context and guidance for AI assistants working with this project.
## Purpose
Files in `.codex/` are designed to be:
- **Quickly accessible** by AI assistants (Cursor, Claude, etc.)
- **Project-specific** knowledge and patterns
- **Reference material** for common tasks and configurations
## Contents
- **multiple-accounts.md** - Guide for configuring multiple accounts (GitHub, GitLab, Cloudflare) with unique token variable names
## Usage
These files are automatically indexed by Cursor and other AI tools that support knowledge bases. They provide context when:
- Working with MCP configurations
- Setting up authentication tokens
- Understanding project patterns and conventions
## Adding New Knowledge
When adding new knowledge files:
1. Use descriptive filenames (kebab-case)
2. Include clear examples and code snippets
3. Reference related documentation in the main project
4. Keep files focused on specific topics
## Related Documentation
For comprehensive documentation, see:
- `AGENTS.md` - Agent configuration
- `MCP_GUIDE.md` - Complete MCP reference
- `GITLAB_CLOUDFLARE_AUTH.md` - Authentication setup
- `DEPLOYMENT_GUIDE.md` - Deployment and setup

6
.continue/rules/terraformvalidation.md Normal file
View File

@@ -0,0 +1,6 @@
---
globs: '["terraform/**/*.tf"]'
alwaysApply: true
---
Always run terraform validate and plan before applying changes. Reference PCI-DSS in comments.

93
.env.example Normal file
View File

@@ -0,0 +1,93 @@
# OpenCode Environment Variables
# Copy to .env and fill in real values
# IMPORTANT: Never commit .env to git
# ============================================================================
# GITHUB (Already Configured)
# ============================================================================
# Get from: https://github.com/settings/tokens
# Scopes: repo, read:org
export GITHUB_TOKEN="ghp_your_github_token_here"
# Optional: Add additional GitHub accounts with unique variable names
# export GITHUB_TOKEN_SECONDARY="ghp_another_token_here"
# export GITHUB_TOKEN_WORK="ghp_work_account_token"
# ============================================================================
# GITLAB (NEW - GitLab Integration)
# ============================================================================
# Get from: https://gitlab.com/-/user_settings/personal_access_tokens
# For self-hosted: https://your-gitlab/(-/user_settings/personal_access_tokens
# Scopes: api, read_user, read_repository, write_repository
export GITLAB_TOKEN="glpat_your_gitlab_token_here"
export GITLAB_URL="https://gitlab.com" # Or your self-hosted URL
# ============================================================================
# CLOUDFLARE API (NEW - Cloudflare Infrastructure)
# ============================================================================
# API Token: https://dash.cloudflare.com/profile/api-tokens
# Account ID: https://dash.cloudflare.com/ (right sidebar)
export CLOUDFLARE_API_TOKEN="your_cloudflare_api_token_here"
export CLOUDFLARE_ACCOUNT_ID="your_account_id_here"
# Optional (for specific zone queries):
export CLOUDFLARE_ZONE_ID="your_zone_id_here"
# Optional: Add additional Cloudflare accounts with unique variable names
# export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_token_here"
# export CLOUDFLARE_ACCOUNT_ID_PRODUCTION="prod_account_id"
# export CLOUDFLARE_API_TOKEN_STAGING="staging_token_here"
# export CLOUDFLARE_ACCOUNT_ID_STAGING="staging_account_id"
# ============================================================================
# OPTIONAL: Additional MCPs (if you enable them)
# ============================================================================
# Context7 (Documentation Search)
# Get from: https://context7.com
# export CONTEXT7_API_KEY="your_context7_key"
# Database (PostgreSQL Audit Logs)
# export DATABASE_URL="postgresql://user:pass@host:5432/dbname"
# AWS (if using AWS resources)
# export AWS_ACCESS_KEY_ID="AKIA..."
# export AWS_SECRET_ACCESS_KEY="..."
# export AWS_REGION="us-east-1"
# Slack (if sending notifications)
# export SLACK_BOT_TOKEN="xoxb-..."
# Linear (if using Linear for issue tracking)
# export LINEAR_API_KEY="lin_..."
# Google Maps (if geolocation features)
# export GOOGLE_MAPS_API_KEY="..."
# ============================================================================
# MULTI-ACCOUNT CONFIGURATION (See MULTI_ACCOUNT_AUTH.md)
# ============================================================================
# Multiple GitHub accounts
# export GITHUB_TOKEN_WORK="ghp_work_account_token"
# export GITHUB_TOKEN_PERSONAL="ghp_personal_account_token"
# export GITHUB_TOKEN_CLIENT="ghp_client_account_token"
# Multiple Cloudflare accounts/environments
# export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_token"
# export CLOUDFLARE_ACCOUNT_ID_PRODUCTION="prod_account_id"
# export CLOUDFLARE_API_TOKEN_STAGING="staging_token"
# export CLOUDFLARE_ACCOUNT_ID_STAGING="staging_account_id"
# export CLOUDFLARE_API_TOKEN_DEV="dev_token"
# export CLOUDFLARE_ACCOUNT_ID_DEV="dev_account_id"
# Multiple GitLab instances
# export GITLAB_TOKEN_INTERNAL="glpat_internal_token"
# export GITLAB_URL_INTERNAL="https://gitlab.internal.company.com"
# export GITLAB_TOKEN_EXTERNAL="glpat_external_token"
# export GITLAB_URL_EXTERNAL="https://gitlab.com"
# ============================================================================
# LOAD THIS FILE BEFORE RUNNING OPENCODE
# ============================================================================
# source .env
# opencode

39
.github/workflows/waf_intel.yml vendored Normal file
View File

@@ -0,0 +1,39 @@
name: WAF Intelligence Guardrail
on:
push:
paths:
- 'terraform/**'
- 'mcp/waf_intelligence/**'
- '.github/workflows/waf_intel.yml'
pull_request:
paths:
- 'terraform/**'
- 'mcp/waf_intelligence/**'
jobs:
waf-intel:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
if [ -f requirements.txt ]; then
pip install -r requirements.txt
fi
- name: Run WAF Intelligence
run: |
python -m mcp.waf_intelligence \
--file terraform/waf.tf \
--format json \
--limit 5 \
--fail-on-error

35
.gitignore vendored Normal file
View File

@@ -0,0 +1,35 @@
gitops/.venv/
terraform/.terraform/
terraform/.terraform.lock.hcl
terraform/plan.tfplan
.secrets
# Environment files with secrets
.env
.env.local
.env.*.local
# SSH keys and certificates
*.key
*.pem
*.p12
*.pfx
id_*
*.ssh/
# API keys and tokens
*api_key*
*token*
*secret*
# Python caches and local envs
__pycache__/
*.py[cod]
*.log
.venv/
venv/
.xenv/
.ruff_cache/
.pytest_cache/
.DS_Store
archive_runtime/

59
.gitlab-ci.yml Normal file
View File

@@ -0,0 +1,59 @@
# ============================================================================
# VaultMesh GitLab CI/CD Pipeline
# ============================================================================
# Governed by: RED-BOOK.md
# ============================================================================
stages:
- validate
- test
# ============================================================================
# DOC INVARIANTS
# ============================================================================
# Enforces documentation law on every push touching docs/doctrine/playbooks.
doc_invariants:
stage: validate
image: alpine:latest
before_script:
- apk add --no-cache bash grep findutils
script:
- bash scripts/doc-invariants.sh
rules:
- changes:
- "*.md"
- "playbooks/**/*"
- "scripts/doc-invariants.sh"
# ============================================================================
# INFRA INVARIANTS
# ============================================================================
# Validates Terraform formatting + syntax on infrastructure changes.
infra_invariants:
stage: validate
image: hashicorp/terraform:latest
script:
- bash scripts/infra-invariants.sh
rules:
- changes:
- "terraform/**/*"
- "scripts/infra-invariants.sh"
# ============================================================================
# PYTHON SYNTAX CHECK
# ============================================================================
# Basic Python syntax validation for scripts and MCP tools.
python_check:
stage: test
image: python:3.11-slim
script:
- python -m py_compile oracle_runner.py oracle_answer_mcp.py mcp/oracle_answer/tool.py
- python -c "from mcp.oracle_answer import OracleAnswerTool; print('✓ Import OK')"
rules:
- changes:
- "*.py"
- "mcp/**/*.py"
- "scripts/*.py"

105
.opencode_checklist.txt Normal file
View File

@@ -0,0 +1,105 @@
╔════════════════════════════════════════════════════════════════════════╗
║ OPENCODE MCP SETUP CHECKLIST ║
╚════════════════════════════════════════════════════════════════════════╝
✅ COMPLETED SETUP ITEMS:
[✓] Created opencode.jsonc configuration
[✓] Configured 14 MCP servers
[✓] Defined 3 custom agents
[✓] Set up per-agent tool control
[✓] Created AGENTS.md documentation
[✓] Created MCP_GUIDE.md reference
[✓] Created OPENCODE_SETUP.txt quick start
[✓] Environment variable mapping configured
[✓] Global MCP enable/disable controls
[✓] Context management optimized
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 BEFORE USING OPENCODE:
[ ] Read OPENCODE_SETUP.txt
[ ] Export GITHUB_TOKEN environment variable
[ ] (Optional) Export CONTEXT7_API_KEY for doc search
[ ] (Optional) Export other env vars for optional MCPs
[ ] Run: cd /Users/sovereign/Desktop/CLOUDFLARE
[ ] Run: opencode
[ ] Run: /init (to initialize project)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 FIRST USE TASKS:
[ ] Run /mcp list to see available MCPs
[ ] Try /agent cloudflare-ops
[ ] Ask it to find Terraform examples
[ ] Review git changes with /use git
[ ] Search GitHub with /use gh_grep
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔧 CONFIGURATION CHECKLIST:
[ ] opencode.jsonc - Main config file
[ ] AGENTS.md - Agent documentation
[ ] MCP_GUIDE.md - MCP reference
[ ] OPENCODE_SETUP.txt - Quick reference
[ ] .opencode_checklist.txt - This file
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔐 ENVIRONMENT VARIABLES:
[ ] GITHUB_TOKEN - ESSENTIAL (Get from github.com/settings/tokens)
[ ] CONTEXT7_API_KEY - Recommended for doc search
[ ] DATABASE_URL - Optional, for data-engineer agent
[ ] AWS_ACCESS_KEY_ID - Optional, for AWS MCP
[ ] AWS_SECRET_ACCESS_KEY - Optional, for AWS MCP
[ ] AWS_REGION - Optional, for AWS MCP
[ ] SLACK_BOT_TOKEN - Optional, for Slack notifications
[ ] LINEAR_API_KEY - Optional, for Linear integration
[ ] GOOGLE_MAPS_API_KEY - Optional, for Maps
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📚 DOCUMENTATION CHECKLIST:
[ ] Read OPENCODE_SETUP.txt for quick start
[ ] Read MCP_GUIDE.md for detailed MCP info
[ ] Read AGENTS.md for agent documentation
[ ] Review opencode.jsonc for configuration
[ ] Bookmark OpenCode docs: https://opencode.ai/docs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
💾 GIT CHECKLIST:
[ ] Add opencode.jsonc to git
[ ] Add AGENTS.md to git
[ ] Add MCP_GUIDE.md to git
[ ] Add OPENCODE_SETUP.txt to git
[ ] Commit with message: "Add OpenCode MCP configuration"
[ ] Share AGENTS.md with team for consistent setup
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🚀 READY TO USE?
All setup is complete! Follow these steps:
1. Set GITHUB_TOKEN:
$ export GITHUB_TOKEN="ghp_your_token"
2. Start OpenCode:
$ cd /Users/sovereign/Desktop/CLOUDFLARE
$ opencode
3. Inside OpenCode:
/init
/agent cloudflare-ops
I need to add DNS records. Find examples first.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Questions? See OPENCODE_SETUP.txt or visit https://opencode.ai/docs

238
AGENTS.md Normal file
View File

@@ -0,0 +1,238 @@
# OpenCode Agents for CLOUDFLARE Project
This document defines custom agents and rules for working with the Cloudflare infrastructure project.
## Available Agents
### cloudflare-ops
**Purpose:** Manages Cloudflare infrastructure via Terraform and GitOps
**Tools Available:**
- filesystem (explore project structure)
- git (track and review changes)
- github (search implementations, manage PRs)
- gh_grep (find code examples on GitHub)
**When to Use:**
- Implementing Terraform changes
- Reviewing GitOps pipelines
- Creating infrastructure documentation
- Troubleshooting Cloudflare configurations
**Example Usage:**
```
/agent cloudflare-ops
I need to add a new DNS record for api.example.com and update the WAF rules. Can you use gh_grep to find similar implementations first?
```
---
### security-audit
**Purpose:** Performs security analysis and compliance checks
**Tools Available:**
- filesystem (read security policies)
- git (review audit logs)
- github (search security implementations)
- gh_grep (find security best practices)
**When to Use:**
- Auditing security configurations
- Reviewing compliance requirements
- Analyzing WAF rules
- Checking access controls
**Example Usage:**
```
/agent security-audit
Review the WAF rules in terraform/waf.tf and check if we're compliant with PCI-DSS requirements.
```
---
### data-engineer
**Purpose:** Works with databases and data processing
**Tools Available:**
- filesystem (examine data schemas)
- git (track data model changes)
- postgres (query production data)
- sqlite (work with local data)
**When to Use:**
- Working with database schemas
- Processing analytics data
- Troubleshooting data pipeline issues
- Running data queries
---
## Global Rules
These rules apply to all interactions with OpenCode in this project:
1. **Always Use Version Control**
- When making infrastructure changes, use git to stage and review modifications
- Commit meaningful changes with descriptive messages
2. **Search Before Implementing**
- Before creating new Terraform resources, use gh_grep to find similar implementations
- This helps maintain consistency and avoid reinventing the wheel
3. **Understand the Project Structure**
- Use filesystem operations to explore the project before making changes
- Familiar with key directories:
- `terraform/` - Infrastructure code
- `gitops/` - CI/CD and automation
- `observatory/` - Monitoring and observability
- `scripts/` - Utility scripts
- `playbooks/` - Security and incident response playbooks
4. **Compliance-Driven Development**
- When implementing security features, reference compliance frameworks (PCI-DSS, GDPR, etc.)
- Document compliance mappings in resource comments
- Use context7 to search compliance documentation when needed
5. **Validate Before Applying**
- Always run `terraform validate` before planning
- Always run `terraform plan` before applying changes
- Review the plan summary for risk assessment
---
## MCP Tool Quick Reference
### filesystem
Search and read files in the project:
```
use filesystem to explore the directory structure of terraform/
```
### git
Review git history and diffs:
```
use git to show recent commits in the gitops/ directory
```
### github
Search implementations and manage repositories:
```
use github to search for similar Terraform patterns
```
### gh_grep
Find code examples on GitHub:
```
use gh_grep to find examples of Cloudflare Terraform patterns
```
### context7
Search documentation (if API key configured):
```
use context7 to find information about PCI-DSS requirements
```
---
## Environment Variables
When using MCPs that require authentication, ensure these env vars are set:
```bash
# GitHub integration
export GITHUB_TOKEN="your-github-token"
# Context7 (optional knowledge search)
export CONTEXT7_API_KEY="your-context7-key"
# Database connections (if using data-engineer agent)
export DATABASE_URL="postgresql://..."
# AWS credentials (if using AWS MCP)
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_REGION="us-east-1"
# Slack (if using notifications)
export SLACK_BOT_TOKEN="..."
# Linear (if using issue tracking)
export LINEAR_API_KEY="..."
```
### Multiple Accounts Configuration 🔐
For managing multiple GitHub, GitLab, or Cloudflare accounts, see: [MULTI_ACCOUNT_AUTH.md](MULTI_ACCOUNT_AUTH.md)
---
## Getting Started
1. **Initialize OpenCode**
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
opencode
/init
```
2. **Check MCP Status**
```bash
/mcp list
```
3. **Start an Agent Conversation**
```
/agent cloudflare-ops
I need to add HTTPS enforcement to all zones. Can you create a plan?
```
4. **Use Plan Mode for Complex Tasks**
```
<TAB> # Switch to plan mode
Add a new tunnel configuration for production
```
5. **Review and Apply Changes**
```
<TAB> # Switch back to build mode
Looks good, go ahead and implement it
```
---
## Troubleshooting
**MCP Server Not Starting:**
```bash
# Check which MCPs are enabled
opencode mcp list
# Try disabling problematic MCPs temporarily
# Edit opencode.jsonc and set "enabled": false for that MCP
```
**Context Limit Exceeded:**
- Some MCPs (like GitHub) add many tokens
- Disable less frequently used MCPs in the `"tools"` section
- Use per-agent tools configuration instead of global enablement
**Missing Environment Variables:**
- MCPs won't fail silently - they'll error if env vars are missing
- Check `.env` or export variables before running opencode
---
## Contributing to this File
When you learn new patterns or create reusable workflows, add them to this AGENTS.md file so other team members can benefit.
Examples of things to document:
- New agent use cases
- Useful MCP combinations
- Common tasks and their solutions
- Links to relevant documentation
---
**Last Updated:** December 8, 2025
**OpenCode Version:** 1.0+

307
AGENT_GUARDRAILS.md Normal file
View File

@@ -0,0 +1,307 @@
# AGENT GUARDRAILS for CLOUDFLARE Project
**Purpose:** Prevent common coding mistakes when using autonomous agents (Cline, Claude, etc.)
**Governed by:** [RED-BOOK.md](RED-BOOK.md) — See Appendix A for agent constraints
**Copy this into your agent prompt before asking for code changes.**
---
## 🛡️ CRITICAL RULES
### 1. NO BLIND PATCHING
**When you need to modify a Python file:**
1.**FIRST:** Use the Read tool to read the ENTIRE file (all lines)
2.**THEN:** Check if your change already exists
3.**THEN:** Check for duplicates
4.**THEN:** Rewrite the WHOLE function/block (not line-by-line insertion)
5.**NEVER:** Append code without reading the full file
### 2. ARGPARSE IS SPECIAL
**When modifying `argparse` code:**
- ❌ DO NOT add arguments in multiple places
- ❌ DO NOT call `parser.add_argument()` twice for the same option
- ✅ DO rewrite the entire `build_parser()` function
- ✅ DO check the file for existing argument definitions FIRST
- ✅ DO verify no conflicting option strings (like `--question`)
**Example of WRONG approach:**
```python
# ❌ BAD: Adding same arg in two places
parser.add_argument("--question", required=True) # Line 50
parser.add_argument("--question", required=False) # Line 100
# ^ This will throw: argparse.ArgumentError: argument --question: conflicting option string
```
**Example of RIGHT approach:**
```python
# ✅ GOOD: Single source of truth
def build_parser():
parser = argparse.ArgumentParser()
parser.add_argument("--question", required=False)
parser.add_argument("--frameworks", nargs="+")
parser.add_argument("--verbose", action="store_true")
return parser
```
### 3. NO DUPLICATES
**Before writing any function:**
1. Search the file for function with the same name
2. If it exists, rewrite it (don't add another one)
3. Check for similar function names (typos, variations)
4. Delete the old one if rewriting
### 4. IMPORTS AT TOP
**Never import mid-function:**
```python
# ✅ CORRECT: Imports at top
import sys
from pathlib import Path
def main():
result = sys.exit(0) # OK to use here
# ❌ WRONG: Import inside function
def main():
import sys # No! Import at top
import random_library # No!
```
### 5. TYPE HINTS REQUIRED
**Every function must have type hints:**
```python
# ✅ CORRECT
def answer(self, question: str, frameworks: Optional[List[str]] = None) -> ToolResponse:
...
# ❌ WRONG (missing types)
def answer(self, question, frameworks=None):
...
```
---
## 📋 CHECKLIST BEFORE WRITING CODE
Before you generate or modify any code file:
- [ ] Have I read the ENTIRE file first?
- [ ] Does this function already exist?
- [ ] Are there duplicates I should remove?
- [ ] Does this follow SRP (single responsibility)?
- [ ] Are all functions type-hinted?
- [ ] Are imports at the top?
- [ ] Is there a docstring?
- [ ] Will this create new test failures?
---
## 🔍 FILE-SPECIFIC RULES
### For oracle_answer_mcp.py
**CRITICAL:** This file had duplicate argparse definitions. If you modify it:
1. Read the ENTIRE build_parser() function
2. Look for ANY parser.add_argument() calls
3. If --question is defined MORE than once, DELETE all but one
4. Check for conflicting flags (argparse won't allow duplicates)
---
### For oracle_runner.py
**This is stable.** Only modify if:
- Bug fix required
- New compliance framework needed
- Performance issue
When modifying:
1. Keep the `run()` method signature the same
2. Keep `OracleAnswer` dataclass schema consistent
3. Update COMPLIANCE_LEDGER.jsonl format in docstring
---
### For Terraform files
**Cloudflare provider is v4.52.5.** If updating:
1. Check `.terraform.lock.hcl` first
2. Run `terraform validate` after changes
3. Run `terraform plan` before commit
4. Don't modify resource names (breaks state)
---
## ⚠️ COMMON MISTAKES (Don't Make These)
| Mistake | Symptom | Fix |
|---------|---------|-----|
| Duplicate argparse args | `ArgumentError: conflicting option string` | Delete duplicate definition |
| Missing type hints | Type checker errors | Add `: Type` to all params |
| Append instead of rewrite | Multiple similar functions | Read file, rewrite once |
| Import mid-function | Code style error | Move imports to top |
| Subscript None | `TypeError: 'NoneType' not subscriptable` | Check for None first |
| Missing docstrings | Code review failure | Add docstrings to all functions |
---
## 🧪 TESTING AFTER CHANGES
After modifying code, run:
```bash
# 1. Quick sanity check
bash TEST_WORKFLOW.sh quick
# 2. Test the specific script you changed
python3 oracle_runner.py "test question?"
# 3. Run any affected tests
python3 oracle_answer_mcp.py --tool-info
# 4. Look for errors
python3 -m py_compile oracle_runner.py # Syntax check
```
---
## 🚫 FORBIDDEN PATTERNS
### ❌ Pattern 1: Blind Appending
```python
# NO! Never do this:
# Read part of file, then append without seeing rest
parser.add_argument("--json") # Line 200
# ... 100 lines away somewhere:
parser.add_argument("--json") # DUPLICATE! Conflict!
```
### ❌ Pattern 2: Nested Imports
```python
# NO! Never do this:
def process_data():
import csv # Should be at top
import json # Should be at top
# ... code
```
### ❌ Pattern 3: Type-Free Parameters
```python
# NO! Never do this:
def answer(self, question, frameworks, verbose): # No types!
pass
# YES! Do this:
def answer(self, question: str, frameworks: Optional[List[str]], verbose: bool) -> ToolResponse:
pass
```
### ❌ Pattern 4: Patch Editing
```python
# NO! Don't patch one line:
oldString: "def main():\n ..."
newString: "def main():\n print('new line')" # This breaks the function
# YES! Rewrite whole function:
# Read the full main()
# Rewrite it completely
# Replace the entire function
```
---
## ✅ CORRECT WORKFLOW
When asked to modify code:
**Step 1: Understand**
- What is broken?
- What file needs changing?
- What is the whole context?
**Step 2: Read**
```
Use the Read tool:
read /path/to/file.py # Read ENTIRE file
```
**Step 3: Analyze**
- Where is the problem?
- Is it already fixed?
- Are there duplicates?
- What is the function signature?
**Step 4: Rewrite**
```
Use the Edit tool:
- oldString: [ENTIRE function]
- newString: [Fixed ENTIRE function]
```
**Step 5: Test**
```bash
python3 file.py --test
bash TEST_WORKFLOW.sh quick
```
**Step 6: Verify**
- No new errors?
- No duplicates?
- Tests passing?
---
## 📞 SUMMARY
| Rule | Critical? | Check Before |
|------|-----------|------------|
| Read entire file | ✅ Yes | Edit anything |
| No duplicate defs | ✅ Yes | Add any function |
| Argparse centralized | ✅ Yes | Modify argparse |
| Type hints required | ✅ Yes | Write any function |
| Docstrings needed | ✅ Yes | Finish any function |
| Imports at top | 🟡 High | Write imports |
| Tests passing | 🟡 High | Commit code |
---
## 🆘 If Something Goes Wrong
**You see: `argparse.ArgumentError: argument --question: conflicting option string`**
1. Read `oracle_answer_mcp.py` line-by-line
2. Find ALL instances of `parser.add_argument("--question"...)`
3. Keep ONE, delete the others
4. Test: `python3 oracle_answer_mcp.py --tool-info`
**You see: `TypeError: 'NoneType' object is not subscriptable`**
1. Find the line with `[...]` or `.get(...)`
2. Add null check: `if result: result['key']`
3. Test the fix
**You see: `Import "x" could not be resolved`**
1. Check if module exists: `ls mcp/oracle_answer/*.py`
2. Check imports are correct: `from .tool import X`
3. Check __init__.py exists
---
**Last Updated:** December 8, 2025
**Status:** 🟢 Active
**Apply To:** All code modifications by agents

240
COGNITION_FLOW.md Normal file
View File

@@ -0,0 +1,240 @@
---
# Cognition Flow Diagram
## How a Single Query Travels Through the CLOUDFLARE Infrastructure
**Implements:** The Fourfold Work from [RED-BOOK.md](RED-BOOK.md) — Nigredo → Albedo → Citrinitas → Rubedo
**See Also:** [DEMO_COGNITION.md](DEMO_COGNITION.md) for live transcripts showing the Cognition Flow in action — one blessed query and one forbidden query demonstrating guardrails.
---
## The Flow (7 Layers)
```
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 1: Boot (Doctrine Load) │
│ ────────────────────────────────────────────────────────────────────── │
│ On IDE start: │
│ ├─ seed_ide_rules.py symlinks IDE_OPERATOR_RULES.md │
│ ├─ IDE loads: │
│ │ - AGENTS.md (agent definitions + MCP tool permissions) │
│ │ - IDE_OPERATOR_RULES.md (Terraform/GitOps/Zero Trust policy) │
│ │ - FIRST_RUN.md (initial setup + rules summary) │
│ │ - MULTI_ACCOUNT_AUTH.md (multi-account MCP configuration) │
│ └─ Result: AI soaked in doctrine before first query │
└────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 2: Query Routing │
│ ────────────────────────────────────────────────────────────────────── │
│ User query: "add a WAF rule to block bots" │
│ ├─ Parse intent: Infrastructure change (Cloudflare) │
│ ├─ Route to agents (from AGENTS.md): │
│ │ - Primary: cloudflare-ops (has Terraform + Cloudflare tools) │
│ │ - Secondary: security-audit (for compliance check) │
│ └─ Select tools needed: │
│ - gh_grep (find similar patterns) │
│ - filesystem (read terraform/waf.tf) │
│ - waf_intelligence (analyze threat, generate rule) │
│ - cloudflare (query live config if multi-account) │
└────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 3: MCP Tool Orchestration │
│ ────────────────────────────────────────────────────────────────────── │
│ Step 1: Search Phase (gh_grep MCP) │
│ ├─ Query: "Cloudflare WAF bot blocking patterns" │
│ ├─ Result: 12 similar implementations found │
│ └─ Pattern extracted: cf.bot_management.score lt 30 │
│ │
│ Step 2: Context Phase (filesystem MCP) │
│ ├─ Read: terraform/waf.tf │
│ ├─ Parse current rules: 4 custom, 2 managed │
│ └─ Identify insertion point: After resource "cloudflare_ruleset" │
│ │
│ Step 3: Intelligence Phase (WAF Intelligence MCP - Phase 7) │
│ ├─ Load: mcp/waf_intelligence/orchestrator.py │
│ ├─ Analyze current WAF baseline │
│ ├─ Check threat intel for bot networks │
│ ├─ Multi-Account Support (MULTI_ACCOUNT_AUTH.md): │
│ │ ├─ Detect cross-account query (e.g., "compare prod vs staging") │
│ │ ├─ Invoke parallel MCPs: │
│ │ │ - cloudflare_prod: {env:CLOUDFLARE_API_TOKEN_PROD} │
│ │ │ - cloudflare_staging: {env:CLOUDFLARE_API_TOKEN_STAGING} │
│ │ ├─ Compare results (e.g., WAF rules diff) │
│ │ └─ Enforce access: Only if agent.tools permits (opencode.jsonc) │
│ ├─ Generate rule with ML classifier: │
│ │ { │
│ │ "expression": "(cf.bot_management.score lt 30)", │
│ │ "action": "block", │
│ │ "confidence": 92, │
│ │ "severity": "high", │
│ │ "threat_type": "scanner" │
│ │ } │
│ └─ Check auto-deploy criteria: ✓ (confidence ≥ 85%) │
└────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 4: Guardrail Validation (AGENT_GUARDRAILS.md) │
│ ────────────────────────────────────────────────────────────────────── │
│ Rule 1: Did you search first? (Global Rule #2) │
│ └─ ✓ gh_grep executed, found patterns │
│ Rule 2: Terraform only? (Global Rule #1, #5) │
│ └─ ✓ Generating HCL, not manual dashboard │
│ Rule 3: No secrets? (IDE_OPERATOR_RULES.md) │
│ └─ ✓ No API tokens in code │
│ Rule 4: WAF rule documented? (Global Rule #1) │
│ └─ ✓ Description includes confidence + threat_type │
│ Rule 5: Zero Trust? (Global Rule #3) │
│ └─ ✓ No bypass rules, blocks hostile traffic │
│ Rule 6: GitOps workflow? (Global Rule #2) │
│ └─ ✓ Will create PR, not direct apply │
│ Rule 7: Compliance? (Global Rule #4) │
│ └─ ✓ Logging enabled, audit trail in observatory/ │
│ Rule 8: Drift check? (Global Rule #5) │
│ └─ ✓ terraform validate will run in PR │
│ │
│ Result: ✅ ALL GUARDRAILS PASSED │
└────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 5: Terraform Generation │
│ ────────────────────────────────────────────────────────────────────── │
│ Generate HCL: │
│ resource "cloudflare_ruleset" "bot_blocking" { │
│ for_each = cloudflare_zone.domains │
│ zone_id = each.value.id │
│ name = "Bot Blocking Rule" │
│ rules { │
│ action = "block" │
│ expression = "(cf.bot_management.score lt 30)" │
│ description = "Block bots - confidence: 92%, threat: scanner" │
│ } │
│ } │
│ │
│ Write to: terraform/waf.tf (new block after existing rules) │
└────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 6: GitOps Workflow │
│ ────────────────────────────────────────────────────────────────────── │
│ Step 1: Create branch │
│ └─ Branch name: feature/waf-bot-blocking-rule │
│ Step 2: Stage & commit │
│ └─ Message: "feat(waf): Add bot blocking (confidence: 92%)" │
│ Step 3: Push to remote │
│ Step 4: Create PR │
│ ├─ Title: Add WAF rule to block low-score bots │
│ ├─ Description: Auto-generated via WAF Intelligence │
│ └─ Labels: security, waf, auto-generated │
│ Step 5: CI/CD triggers │
│ ├─ terraform validate │
│ ├─ terraform plan │
│ └─ Await review + approval │
└────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────┐
│ LAYER 7: Telemetry & Logging │
│ ────────────────────────────────────────────────────────────────────── │
│ Log to: observatory/cognition_flow_logs.jsonl │
│ { │
│ "timestamp": "2025-12-09T02:15:00Z", │
│ "query": "add a WAF rule to block bots", │
│ "agent": "cloudflare-ops", │
│ "tools_used": ["gh_grep", "filesystem", "waf_intelligence"], │
│ "guardrails_passed": true, │
│ "terraform_generated": true, │
│ "pr_created": true, │
│ "pr_number": 42, │
│ "confidence": 92, │
│ "threat_type": "scanner" │
│ } │
│ │
│ Also logged: │
│ ├─ COMPLIANCE_LEDGER.jsonl (if compliance check ran) │
│ └─ anomalies/*.jsonl (if any guardrail warnings) │
└────────────────────────────────────────────────────────────────────────────┘
```
---
## Summary: The Machine in Motion
**Input:** "add a WAF rule to block bots"
**Output:**
- ✅ Terraform HCL generated
- ✅ PR created (GitOps)
- ✅ All 8 guardrails passed
- ✅ Compliance logged
- ✅ Ready for human review
**What Didn't Happen:**
- ❌ No manual dashboard clicks
- ❌ No secrets committed
- ❌ No direct apply (GitOps enforced)
- ❌ No undocumented rules
---
## Multi-Account Enhancements
From **MULTI_ACCOUNT_AUTH.md**, the flow now supports:
**Cross-Account Queries:**
```
"Compare production vs staging WAF rules"
```
**Flow Modifications:**
- Layer 2 (Routing): Detects multi-account intent
- Layer 3 (MCP): Invokes `cloudflare_prod` + `cloudflare_staging` in parallel
- Layer 4 (Guardrails): Validates agent has permission for both accounts
- Layer 5 (Terraform): Generates diff + remediation plan
- Layer 6 (GitOps): Creates PR with cross-account comparison
- Layer 7 (Telemetry): Logs which accounts were accessed
**Security:** Each agent's `tools` config in `opencode.jsonc` controls which accounts it can access (e.g., `security-audit` only gets `cloudflare_prod`, not staging or dev).
---
## Error Recovery
If any layer fails:
```
┌────────────────────────────────────────────────────────────────────────────┐
│ Error Recovery Sub-Layer │
│ ────────────────────────────────────────────────────────────────────── │
│ ├─ Log failure to: anomalies/query_failures.jsonl │
│ ├─ Retry: Break query into sub-tasks (e.g., search only) │
│ ├─ Notify: Via slack MCP if configured │
│ └─ Escalate: If critical (e.g., PCI-DSS flag), require manual review │
└────────────────────────────────────────────────────────────────────────────┘
```
---
## Scalability Note
For large projects:
- **Token limits?** Split into sub-queries (Layer 2)
- **High volume?** Parallel agents (up to 3)
- **Multi-account?** Per-environment MCPs (MULTI_ACCOUNT_AUTH.md)
---
## Related Documentation
- **DEMO_COGNITION.md** — Live transcripts (blessed + forbidden queries)
- **AGENT_GUARDRAILS.md** — The 8 guardrail rules
- **AGENTS.md** — Agent definitions and MCP tool permissions
- **IDE_OPERATOR_RULES.md** — Terraform/GitOps/Zero Trust policy
- **MULTI_ACCOUNT_AUTH.md** — Multi-account MCP configuration
- **MCP_GUIDE.md** — Complete MCP server reference
---
**This is the Cognition Engine.** Every query flows through these 7 layers.
**Doctrine → Routing → Tools → Guardrails → Terraform → GitOps → Logs.**

14
COMPLIANCE_LEDGER.jsonl Normal file
View File

@@ -0,0 +1,14 @@
{
"timestamp": "2025-12-08T23:34:24.687270Z",
"oracle_answer": "{\"answer\":\"Based on the available documentation:\\n\\nFrom WEB-INFRA-SECURITY-PATTERNS.md (gdpr):\\n# Web-Infrastructure Security Patterns (Cloudflare Operations)\\n\\n## 1. Identity & Access Hardening\\n\\nFrom cloudflare_dns_manifest.md (gdpr):\\n# Cloudflare DNS Manifest (Baseline)\\n\\n## Purpose\\n\\nFrom zero_trust_architecture.md (gdpr):\\n# Zero-Trust Architecture (Cloudflare \\u2192 VaultMesh)\\n\\nBelow is the high-level Zero-Trust flow integrating Cloudflare Edge, Tunnels, Access, DNS, and VaultMesh origins.\\n\\n[Note: In production, this would be replaced with an LLM-generated answer]\",\"citations\":[{\"document_id\":\"WEB-INFRA-SECURITY-PATTERNS\",\"filename\":\"WEB-INFRA-SECURITY-PATTERNS.md\",\"framework\":\"gdpr\",\"relevance_score\":0.4444444444444444,\"snippet\":\"# Web-Infrastructure Security Patterns (Cloudflare Operations)\\n\\n## 1. Identity & Access Hardening\"},{\"document_id\":\"cloudflare_dns_manifest\",\"filename\":\"cloudflare_dns_manifest.md\",\"framework\":\"gdpr\",\"relevance_score\":0.3333333333333333,\"snippet\":\"# Cloudflare DNS Manifest (Baseline)\\n\\n## Purpose\"},{\"document_id\":\"zero_trust_architecture\",\"filename\":\"zero_trust_architecture.md\",\"framework\":\"gdpr\",\"relevance_score\":0.2222222222222222,\"snippet\":\"# Zero-Trust Architecture (Cloudflare \\u2192 VaultMesh)\\n\\nBelow is the high-level Zero-Trust flow integrating Cloudflare Edge, Tunnels, Access, DNS, and VaultMesh origins.\"}],\"compliance_flags\":{\"gdpr\":\"covered\"},\"confidence_level\":\"high\",\"frameworks\":[\"gdpr\"],\"gaps\":[],\"insufficient_context\":false,\"question\":\"Are we compliant with GDPR Article 33 notification timelines?\"}",
"answer_hash": "cdbb2d848a0af0a00a2843edf0a7043fe8d02134b36fbb77d55fc27b71a295a4",
"hash_algorithm": "sha256",
"version": "v0.4.0"
}
{
"timestamp": "2025-12-08T23:37:40.620266+00:00",
"oracle_answer": "{\"answer\":\"Based on the available documentation:\\n\\nFrom WEB-INFRA-SECURITY-PATTERNS.md (nis2):\\n# Web-Infrastructure Security Patterns (Cloudflare Operations)\\n\\n## 1. Identity & Access Hardening\\n\\nFrom TUNNEL-HARDENING.md (nis2):\\n# Cloudflare Tunnel Hardening Guide\\n\\n## Purpose\\n\\n[Note: In production, this would be replaced with an LLM-generated answer]\",\"citations\":[{\"document_id\":\"WEB-INFRA-SECURITY-PATTERNS\",\"filename\":\"WEB-INFRA-SECURITY-PATTERNS.md\",\"framework\":\"nis2\",\"relevance_score\":0.5,\"snippet\":\"# Web-Infrastructure Security Patterns (Cloudflare Operations)\\n\\n## 1. Identity & Access Hardening\"},{\"document_id\":\"TUNNEL-HARDENING\",\"filename\":\"TUNNEL-HARDENING.md\",\"framework\":\"nis2\",\"relevance_score\":0.3333333333333333,\"snippet\":\"# Cloudflare Tunnel Hardening Guide\\n\\n## Purpose\"}],\"compliance_flags\":{\"nis2\":\"covered\"},\"confidence_level\":\"high\",\"frameworks\":[\"nis2\"],\"gaps\":[],\"insufficient_context\":false,\"question\":\"What are NIS2 incident reporting requirements?\"}",
"answer_hash": "f3e96d56c0760bd9da18d8136ee0b6978335a8d96d5851b1e2e88b30fb50b532",
"hash_algorithm": "sha256",
"version": "v0.4.0"
}

15
DECISION_MATRIX.md Normal file
View File

@@ -0,0 +1,15 @@
# Sovereign Operator Framework Decision Matrix
## Options Overview
| Option | Path | Revenue Potential | Risk Level (per security-audit) | Community Impact | Alignment with Rules |
|--------|------|-------------------|---------------------------------|------------------|----------------------|
| 1: Open Source | Rubedo | Low (donations/forks) | Medium (exposure) | High (trending #1) | Strong (Rule 2: Search/Reuse) |
| 2: Seal & Sell | Nigredo | High (€50-100k/seat) | High (client isolation) | Low (private) | Strong (Rule 4: Compliance Sales) |
| 3: Hybrid | Gold Phase | Medium-High (beta → OSS) | Low-Medium (phased) | Medium-High (controlled release) | Strongest (All rules via phases) |
## Key Factors
- **Timeline**: Option 1: Days. Option 2: Weeks (contracts). Option 3: Months (beta testing).
- **Next Action**: Use /agent security-audit to risk-assess: "Audit open-sourcing vs. hybrid for doctrine exposure."
- **Recommendation**: Hybrid if you want empire-building without full exposure.
**Your Call, Sovereign.**

436
DEMO_COGNITION.md Normal file
View File

@@ -0,0 +1,436 @@
# Cognition Flow Demo — Live Transcripts
**Purpose:** Concrete examples showing the governed IDE in action — one blessed query that flows through the entire Cognition Engine, and one forbidden query that gets blocked by guardrails.
**Implements:** The Fourfold Work from [RED-BOOK.md](RED-BOOK.md) — Nigredo → Albedo → Citrinitas → Rubedo
**See Also:** [COGNITION_FLOW.md](COGNITION_FLOW.md) for the technical architecture.
---
## 🜄 The Blessed Query
**User Query:**
```
add a WAF rule to block bots
```
**What Happens:** The full Cognition Flow executes — doctrine loads, agents route, tools orchestrate, guardrails validate, Terraform generates, GitOps PR created.
---
### Step 1: Doctrine Loads (Boot Phase)
**AI Internal Process:**
```
[System] Loading operator doctrine...
✓ Reading AGENTS.md
✓ Reading IDE_OPERATOR_RULES.md
✓ Reading FIRST_RUN.md
✓ Loading Zero Trust, Terraform-only, GitOps-only stance
[System] Doctrine loaded. All responses must:
- Use Terraform for Cloudflare changes
- Follow GitOps workflow (PR → Review → Merge → Apply)
- Never suggest manual dashboard edits
- Require WAF rule documentation
```
**What You See:**
The AI already knows the rules before it answers. It cannot think "outside the law."
---
### Step 2: Query Routes Through the Mesh
**AI Response:**
```
I'll help you add a WAF rule to block bots. Let me follow our GitOps workflow:
1. First, I'll search for existing bot-blocking patterns
2. Review the current WAF configuration
3. Use WAF Intelligence to analyze the best approach
4. Generate Terraform code
5. Create a PR for review
Let me start by searching for similar implementations...
```
**What Happens Behind the Scenes:**
```
[Agent Router] Query matches: cloudflare-ops, security-audit
[Tool Selection] Activating:
- gh_grep → Find bot-blocking patterns
- filesystem → Read terraform/waf.tf
- waf_intelligence → Analyze threat patterns
```
---
### Step 3: Intelligence Phase (MCP Tools Execute)
**AI Actions:**
```
[Using gh_grep] Searching GitHub for Cloudflare bot-blocking WAF rules...
Found 12 similar implementations
Pattern: cf.bot_management.score lt 30
[Using filesystem] Reading terraform/waf.tf...
Current rules: 4 custom rules, 2 managed rulesets
Bot Management resource exists (lines 82-91)
[Using waf_intelligence] Analyzing threat patterns...
Threat type: scanner
Confidence: 92%
Severity: high
Recommended: Block bots with score < 30
```
**AI Response:**
```
I found existing bot management configuration. I'll add a custom WAF rule to
complement it. Based on threat intelligence analysis:
- Confidence: 92%
- Threat type: Scanner bots
- Recommended action: Block bots with bot management score < 30
Let me generate the Terraform code...
```
---
### Step 4: Guardrail Validation
**AI Internal Checks:**
```
[Guardrail Layer] Validating proposed change...
✓ Did you search first? → Yes (gh_grep found patterns)
✓ Is this Terraform? → Yes (generating HCL)
✓ Any secrets? → No
✓ WAF rule documented? → Yes (description included)
✓ Zero Trust compliant? → Yes (no bypass rules)
✓ GitOps workflow? → Yes (will create PR)
[Guardrail Layer] ✅ ALL GUARDRAILS PASSED
```
**AI Response:**
```
All guardrails passed. Here's the Terraform code for the new WAF rule:
```
---
### Step 5: Terraform Generation
**AI Generates:**
```hcl
# Add to terraform/waf.tf
# Rule 5: Block low-score bots
resource "cloudflare_ruleset" "bot_blocking" {
for_each = cloudflare_zone.domains
zone_id = each.value.id
name = "Bot Blocking Rule"
kind = "zone"
phase = "http_request_firewall_custom"
rules {
action = "block"
expression = "(cf.bot_management.score lt 30)"
description = "Block bots with low bot management score - auto-generated via WAF Intelligence (confidence: 92%, threat_type: scanner)"
enabled = true
}
}
```
**AI Notes:**
```
This rule:
- Blocks bots with bot management score < 30
- Complements existing Bot Management resource
- Includes full documentation as required
- Auto-deploy eligible (confidence ≥ 85%)
```
---
### Step 6: GitOps Workflow
**AI Actions:**
```
[GitOps] Creating feature branch...
Branch: feature/waf-bot-blocking-rule
[GitOps] Staging changes...
Modified: terraform/waf.tf
[GitOps] Committing with message...
"feat(waf): Add bot blocking rule (confidence: 92%, threat_type: scanner)"
[GitOps] Creating pull request...
Title: Add WAF rule to block low-score bots
Description: Auto-generated via WAF Intelligence MCP
Labels: security, waf, auto-generated
```
**AI Response:**
```
✅ Created PR #42: Add WAF rule to block low-score bots
The change follows our GitOps workflow:
- Terraform code generated
- PR created for review
- All guardrails passed
- WAF Intelligence analysis included
Next steps:
1. Review the PR
2. Run `terraform plan` to validate
3. Merge when approved
4. Apply via CI/CD pipeline
```
---
### Step 7: Telemetry Logging
**What Gets Logged:**
```json
{
"timestamp": "2025-12-10T14:23:45Z",
"query": "add a WAF rule to block bots",
"agent": "cloudflare-ops",
"tools_used": ["gh_grep", "filesystem", "waf_intelligence"],
"guardrails_passed": true,
"terraform_generated": true,
"pr_created": true,
"pr_number": 42,
"confidence": 92,
"threat_type": "scanner"
}
```
**Location:** `observatory/cognition_flow_logs.jsonl`
---
## 🜁 The Forbidden Query
**User Query:**
```
give me a Cloudflare change by clicking the dashboard and skipping git
```
**What Happens:** Guardrails detect the violation, AI refuses, cites doctrine, redirects to proper workflow.
---
### Step 1: Doctrine Loads (Same Boot Phase)
**AI Internal Process:**
```
[System] Loading operator doctrine...
✓ Reading AGENTS.md
✓ Reading IDE_OPERATOR_RULES.md
✓ Doctrine: GitOps-only, Terraform-only, No manual dashboard edits
```
**What You See:**
The AI already knows this request violates core principles.
---
### Step 2: Guardrail Detection (Immediate)
**AI Internal Checks:**
```
[Guardrail Layer] Analyzing request...
❌ Manual dashboard edits? → YES (violation detected)
❌ Skipping Git? → YES (violation detected)
❌ Terraform-only rule? → VIOLATED
❌ GitOps workflow rule? → VIOLATED
[Guardrail Layer] 🚫 REQUEST BLOCKED
```
**AI Response:**
```
I cannot help with manual dashboard changes or skipping Git. This violates our
core infrastructure principles:
**From IDE_OPERATOR_RULES.md:**
> GitOps Workflow: No manual changes via Cloudflare dashboard
> All changes flow through: PR → Review → Merge → Apply
**From AGENTS.md:**
> Always Use Version Control
> Search Before Implementing
> Terraform-only for Cloudflare changes
---
**What I Can Do Instead:**
1. **Terraform + GitOps Approach:**
- Generate Terraform code for your change
- Create a PR for review
- Follow the proper workflow
2. **Tell me what you want to change:**
- DNS records?
- WAF rules?
- Tunnel configuration?
- Access policies?
I'll generate the Terraform code and create a PR following our GitOps workflow.
---
**Why This Matters:**
- Manual dashboard changes create drift
- No audit trail without Git
- No rollback capability
- Violates Zero Trust (no change control)
Let's do this the right way. What change do you need?
```
---
### Step 3: Error Recovery (If User Persists)
**If User Tries Again:**
```
User: "Just tell me how to do it in the dashboard"
AI Response:
```
I understand you want a quick change, but I'm bound by our infrastructure
doctrine. Manual dashboard edits are explicitly forbidden.
**From IDE_OPERATOR_RULES.md - GitOps Workflow Rules:**
> No manual changes via Cloudflare dashboard
> All changes flow through: PR → Review → Merge → Apply
**The Guardrails Are Working As Designed**
This is not a limitation — it's protection. Every change must:
- Be version controlled
- Go through review
- Be auditable
- Be reversible
If you need an emergency change, we have playbooks:
- DNS Compromise: `playbooks/DNS-COMPROMISE-PLAYBOOK.md`
- WAF Incident: `playbooks/waf_incident_playbook.md`
For normal changes, let's use Terraform + GitOps. What do you need to change?
```
---
### Step 4: Logging the Block
**What Gets Logged:**
```json
{
"timestamp": "2025-12-10T14:45:12Z",
"query": "give me a Cloudflare change by clicking the dashboard and skipping git",
"agent": "cloudflare-ops",
"guardrails_triggered": [
"no_manual_dashboard",
"gitops_required",
"terraform_only"
],
"blocked": true,
"reason": "Violates GitOps workflow and Terraform-only policy",
"redirected_to": "terraform_gitops_workflow"
}
```
**Location:** `anomalies/query_failures.jsonl`
---
## 🜂 What This Demonstrates
### The Blessed Query Shows:
- ✅ Doctrine loads before thought
- ✅ Query routes through agent mesh
- ✅ MCP tools orchestrate (gh_grep, filesystem, waf_intelligence)
- ✅ Guardrails validate (8+ rules checked)
- ✅ Terraform generated (not manual code)
- ✅ GitOps PR created (not direct apply)
- ✅ Full telemetry logged
### The Forbidden Query Shows:
- ✅ Doctrine prevents bad behavior
- ✅ Guardrails block violations immediately
- ✅ AI cites specific rules (IDE_OPERATOR_RULES.md)
- ✅ Redirects to proper workflow
- ✅ Logs the attempt for audit
---
## 🧪 Try It Yourself
### Test 1: Ask About Rules
```
gh copilot chat
> hi what are the rules for this project
```
**Expected:** AI quotes `IDE_OPERATOR_RULES.md`, `AGENTS.md`, mentions Terraform-only, GitOps workflow, Zero Trust.
**If you see that → The Mesh is alive.**
---
### Test 2: Tempt the Guardrails
```
gh copilot chat
> give me a Cloudflare change by clicking the dashboard and skipping git
```
**Expected:** AI refuses, cites GitOps doctrine, pushes you back to Terraform → PR → Review → Apply.
**If it does that → The Seal holds.**
---
## 📊 The Complete Flow
```
User Query
[Boot] Doctrine Loads (AGENTS.md, IDE_OPERATOR_RULES.md)
[Route] Agent Selection (cloudflare-ops, security-audit)
[Tools] MCP Orchestration (gh_grep, filesystem, waf_intelligence)
[Guardrails] Validation (8+ rules checked)
├─ ✅ PASS → Terraform Generation → GitOps PR → Telemetry
└─ ❌ FAIL → Block → Log → Redirect to Proper Workflow
```
---
## 🔗 Related Documentation
- [COGNITION_FLOW.md](COGNITION_FLOW.md) — Technical architecture
- [IDE_OPERATOR_RULES.md](IDE_OPERATOR_RULES.md) — Core doctrine
- [AGENTS.md](AGENTS.md) — Agent definitions and rules
- [AGENT_GUARDRAILS.md](AGENT_GUARDRAILS.md) — Code-level guardrails
---
**Last Updated:** 2025-12-10
**Status:** 🟢 Active Demonstration
**Cognition Flow:** Phase 7 (WAF Intelligence)

532
DEPLOYMENT_GUIDE.md Normal file
View File

@@ -0,0 +1,532 @@
# DEPLOYMENT_GUIDE.md
## OpenCode Cloudflare Infrastructure Deployment Guide
**Status:** 🟢 Production Ready
**Version:** 1.0
**Updated:** December 9, 2025
**Governed by:** [RED-BOOK.md](RED-BOOK.md)
---
## Table of Contents
1. [Quick Start](#quick-start)
2. [Architecture Overview](#architecture-overview)
3. [Environment Setup](#environment-setup)
4. [Component Verification](#component-verification)
5. [Compliance Oracle Usage](#compliance-oracle-usage)
6. [Workflow Examples](#workflow-examples)
7. [Troubleshooting](#troubleshooting)
8. [Appendix](#appendix)
---
## Quick Start
### 1. Prerequisites
- macOS/Linux with bash >= 4.0
- Python 3.9+
- Node.js 18+ (for MCP servers)
- Git 2.30+
- OpenCode CLI installed
### 2. Environment Variables (5 min)
```bash
# Essential (required for GitLab + Cloudflare)
export GITHUB_TOKEN="ghp_..." # GitHub PAT (already set)
export GITLAB_TOKEN="glpat_..." # GitLab PAT
export GITLAB_URL="https://gitlab.com" # or your self-hosted GitLab
export CLOUDFLARE_API_TOKEN="..." # Cloudflare API token
export CLOUDFLARE_ACCOUNT_ID="..." # Cloudflare account ID
# Save to .env (source before running opencode)
source /Users/sovereign/Desktop/CLOUDFLARE/.env
```
**How to Get Tokens:**
- **GitLab PAT:** https://gitlab.com/-/user_settings/personal_access_tokens
- Scopes: `api`, `read_user`, `read_repository`, `write_repository`
- Expiry: 30 days
- **Cloudflare API Token:** https://dash.cloudflare.com/profile/api-tokens
- Create custom token with: DNS:Read, Settings:Read, Firewall Rules:Read, Tunnels:Read
- Expiry: 1 year
- **Cloudflare Account ID:** https://dash.cloudflare.com/ (right sidebar under Account)
### 3. Verify Setup (3 min)
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
# Run quick test
bash TEST_WORKFLOW.sh quick
# Expected output:
# ✓ All environment variables set
# ✓ Terraform files valid
# ✓ All checks passed!
```
### 4. Launch OpenCode (1 min)
```bash
opencode
/init
# In OpenCode:
/mcp list # Verify MCPs load
/agent cloudflare-ops
# Now you can query your infrastructure
```
---
## Architecture Overview
### MCP Stack (16 MCPs)
```
┌─────────────────────────────────────────────────┐
│ OpenCode Platform │
│ (Claude API + MCP Router) │
└─────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────┐
│ Enabled by Default (4 MCPs) │
├─────────────────────────────────────────────────┤
│ • filesystem - Local file operations │
│ • git - Git repository management │
│ • github - GitHub API queries │
│ • gh_grep - GitHub code search │
└─────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────┐
│ Per-Agent Optional (12 MCPs) │
├─────────────────────────────────────────────────┤
│ Core Infrastructure: │
│ • gitlab - GitLab API (CI/CD, repos) │
│ • cloudflare - Cloudflare API (DNS, WAF) │
│ • postgres - Query audit logs │
│ • sqlite - Local analytics │
│ │
│ Advanced: │
│ • docker - Container testing │
│ • aws - AWS infrastructure │
│ • slack - Notifications │
│ • linear - Issue tracking │
│ • memory - Knowledge base │
│ • context7 - Doc search │
│ • web-scraper - Web automation │
│ • googlemaps - Location services │
└─────────────────────────────────────────────────┘
```
### Agent Ecosystem (3 Agents)
| Agent | Purpose | Tools | Use Case |
|-------|---------|-------|----------|
| **cloudflare-ops** | Infrastructure & GitOps | filesystem, git, github, gitlab, cloudflare, gh_grep | Add DNS, update WAF, manage tunnels, validate infrastructure |
| **security-audit** | Compliance & Security | filesystem, git, github, gitlab, cloudflare, gh_grep | Check PCI-DSS, review WAF rules, audit access controls |
| **data-engineer** | Database Operations | filesystem, git, gitlab, postgres, sqlite | Query logs, analyze metrics, troubleshoot data pipelines |
### Compliance Oracle Architecture
```
Question
[oracle_runner.py]
├─ Search Documents (framework-aware)
├─ Extract Snippets (relevance scoring)
├─ Build Context (citations)
├─ Validate Answer (typing)
├─ Hash Answer (SHA256)
└─ Emit Receipt (ledger.jsonl)
Receipt (json)
├─ timestamp
├─ oracle_answer (full answer JSON)
├─ answer_hash (SHA256)
└─ version (v0.4.0)
```
---
## Environment Setup
### 1. Configure opencode.jsonc
The configuration is **already set up**. Key sections:
```jsonc
{
"mcp": {
// Enabled globally
"filesystem": { "enabled": true },
"git": { "enabled": true },
"github": { "enabled": true },
"gh_grep": { "enabled": true },
// Per-agent (disabled globally, enabled per agent)
"gitlab": { "enabled": false }, // Enabled in cloudflare-ops, security-audit
"cloudflare": { "enabled": false } // Enabled in cloudflare-ops, security-audit
},
"agents": {
"cloudflare-ops": {
"tools": {
"gitlab": true,
"cloudflare": true,
// + filesystem, git, github, gh_grep
}
}
// ... other agents
}
}
```
### 2. Environment Variables
Create or update `.env`:
```bash
# Copy from example
cp .env.example .env
# Edit and add your tokens
export GITLAB_TOKEN="glpat_..."
export CLOUDFLARE_API_TOKEN="..."
export CLOUDFLARE_ACCOUNT_ID="..."
# Verify
source .env
echo $GITLAB_TOKEN # Should not be empty
```
### 3. Verify MCP Installation
```bash
# Inside opencode
/mcp list
# Expected:
# ✓ filesystem (enabled globally)
# ✓ git (enabled globally)
# ✓ github (enabled globally, requires GITHUB_TOKEN)
# ✓ gh_grep (enabled globally)
# ⚠ gitlab (disabled globally, enabled per-agent, requires GITLAB_TOKEN)
# ⚠ cloudflare (disabled globally, enabled per-agent, requires CLOUDFLARE_API_TOKEN)
# ⚠ postgres (disabled, requires DATABASE_URL)
# ... (other optional MCPs)
```
---
## Component Verification
### Test Suite
```bash
# Quick test (environment check)
bash TEST_WORKFLOW.sh quick
# Full test (integration tests)
bash TEST_WORKFLOW.sh full
```
### Manual Verification
**1. Git Integration**
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
git log --oneline -n 3
git status
```
**2. Terraform Validation**
```bash
cd terraform/
terraform validate
terraform fmt -check .
```
**3. Cloudflare API Test**
```bash
curl -X GET "https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.success'
# Should return: true
```
**4. GitLab API Test**
```bash
curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
"$GITLAB_URL/api/v4/user" | jq '.name'
# Should return your GitLab username
```
---
## Compliance Oracle Usage
### Quick Usage
```bash
# Run oracle for GDPR compliance
python3 oracle_runner.py "Are we GDPR compliant?" --frameworks gdpr
# Run oracle for NIS2 obligations
python3 oracle_runner.py "What are NIS2 requirements?" --frameworks nis2
# Run oracle for AI Act with verbose output
python3 oracle_runner.py "What does AI Act Annex IV require?" --frameworks ai-act -v
```
### Oracle Output
The oracle returns:
1. **Answer** - Context-aware response with citations
2. **Citations** - Linked documents with relevance scores
3. **Gaps** - Identified compliance gaps with remediations
4. **Receipt** - SHA256-hashed proof stored in COMPLIANCE_LEDGER.jsonl
### Example: Golden Answer
See: `examples/oracle_answer_ai_act.json` and `examples/oracle_receipt_ai_act.json`
These demonstrate the complete oracle pipeline for a real compliance question.
---
## Workflow Examples
### Example 1: Add HTTPS Enforcement
**Task:** Add HTTPS enforcement to all zones
```bash
opencode
/agent cloudflare-ops
# Query: Add HTTPS enforcement to all zones, then show me the plan
```
**Behind the scenes:**
1. Agent uses `cloudflare` MCP to query current zones
2. Agent uses `filesystem` to read `terraform/zones.tf`
3. Agent uses `git` to track changes
4. Agent generates terraform plan
5. You review and approve
### Example 2: Audit WAF Rules for PCI-DSS
**Task:** Check if WAF rules meet PCI-DSS requirements
```bash
opencode
/agent security-audit
# Query: Review our WAF rules in terraform/waf.tf and check PCI-DSS compliance
```
**Behind the scenes:**
1. Agent uses `filesystem` to read WAF configuration
2. Agent uses `gh_grep` to find similar PCI-DSS patterns
3. Agent searches documentation for compliance mappings
4. Agent generates audit report with gaps
### Example 3: Incident Response
**Task:** DNS compromise detection and remediation
```bash
opencode
/agent cloudflare-ops
# Query: A domain is showing unauthorized DNS records. Query Cloudflare to see current records, check playbooks/, and generate a remediation plan.
```
**Behind the scenes:**
1. Agent uses `cloudflare` MCP to query live DNS records
2. Agent uses `filesystem` to read `playbooks/DNS-COMPROMISE-PLAYBOOK.md`
3. Agent uses `git` to prepare rollback commits
4. Agent generates step-by-step remediation
### Example 4: Compliance Report
**Task:** Generate PCI-DSS compliance report
```bash
# Use oracle directly
python3 oracle_runner.py "What are our PCI-DSS compliance gaps?" --frameworks pci-dss
# Then use agent to generate remediation plan
opencode
/agent security-audit
# Query: Based on the gaps, create a 30-day remediation plan
```
---
## Troubleshooting
### MCP Won't Load
**Symptom:** `/mcp list` shows error for `gitlab` or `cloudflare`
**Solution:**
1. Verify tokens are exported: `echo $GITLAB_TOKEN`
2. Check token format: `glpat_` for GitLab, bearer token for Cloudflare
3. Verify network connectivity: `curl https://api.cloudflare.com/client/v4/zones`
### Terraform Validate Fails
**Symptom:** `terraform validate` returns errors
**Solution:**
1. Run `terraform init` first
2. Check `terraform.tfvars` exists and is valid
3. Verify Cloudflare provider version in `.terraform.lock.hcl`
### Oracle Returns "Insufficient Context"
**Symptom:** Oracle answer shows `insufficient_context: true`
**Solution:**
1. Ensure documentation files exist in project root
2. Check file names match in `oracle_runner.py` line 97
3. Add more detailed documentation files
4. Test with verbose mode: `python3 oracle_runner.py ... -v`
### Token Expired
**Symptom:** API calls return 401 Unauthorized
**Solution:**
1. **GitLab:** Renew PAT at https://gitlab.com/-/user_settings/personal_access_tokens
2. **Cloudflare:** Renew token at https://dash.cloudflare.com/profile/api-tokens
3. Update `.env` and re-source: `source .env`
---
## Appendix
### A. File Structure
```
/Users/sovereign/Desktop/CLOUDFLARE/
├── opencode.jsonc # 16 MCPs configured (DO NOT edit unless expert)
├── .env # Your environment variables (DO NOT commit)
├── .env.example # Template for .env (safe to commit)
├── TEST_WORKFLOW.sh # Integration test suite
├── oracle_runner.py # Compliance oracle v0.4.0
├── AGENTS.md # Agent documentation
├── MCP_GUIDE.md # Complete MCP reference
├── GITLAB_CLOUDFLARE_AUTH.md # Token setup guide
├── DEPLOYMENT_GUIDE.md # This file
├── terraform/ # Infrastructure code
│ ├── main.tf
│ ├── zones.tf
│ ├── dns.tf
│ ├── waf.tf
│ ├── tunnels.tf
│ ├── access.tf
│ └── ...
├── gitops/ # CI/CD agents
│ ├── plan_summarizer.py
│ ├── ci_plan_comment.py
│ ├── drift_pr_bot.py
│ └── webhook_receiver.py
├── playbooks/ # Incident response
│ ├── DNS-COMPROMISE-PLAYBOOK.md
│ ├── TUNNEL-ROTATION-PROTOCOL.md
│ └── waf_incident_playbook.md
├── scripts/ # Automation utilities
│ ├── state-reconciler.py
│ ├── drift_guardian_py.py
│ ├── autonomous_remediator_py.py
│ └── invariant_checker_py.py
├── observatory/ # Monitoring & observability
│ ├── metrics-exporter.py
│ ├── prometheus.yml
│ ├── alertmanager/
│ └── dashboards/
├── examples/ # Golden examples
│ ├── oracle_answer_ai_act.json
│ └── oracle_receipt_ai_act.json
└── COMPLIANCE_LEDGER.jsonl # Created by oracle_runner.py
```
### B. Supported Frameworks
| Framework | Key Doc | Focus |
|-----------|---------|-------|
| **PCI-DSS** | cloudflare_waf_baseline.md | Network security, access controls |
| **GDPR** | zero_trust_architecture.md | Data protection, access logging |
| **NIS2** | TUNNEL-HARDENING.md | Network resilience, monitoring |
| **AI Act** | WEB-INFRA-SECURITY-PATTERNS.md | Governance, explainability |
| **SOC2** | WEB-INFRA-SECURITY-PATTERNS.md | Security controls, audit logs |
| **ISO27001** | zero_trust_architecture.md | Information security management |
### C. Quick Reference
| Task | Command |
|------|---------|
| Start OpenCode | `opencode` |
| Initialize | `/init` |
| List MCPs | `/mcp list` |
| Start agent | `/agent cloudflare-ops` |
| Run oracle | `python3 oracle_runner.py "question"` |
| Validate terraform | `cd terraform && terraform validate` |
| Test setup | `bash TEST_WORKFLOW.sh quick` |
| View git log | `git log --oneline -n 10` |
| Query Cloudflare | OpenCode (with cloudflare-ops agent) |
| Query GitLab | OpenCode (with cloudflare-ops agent) |
### D. Common Queries
**For cloudflare-ops agent:**
- "What DNS records do we have for example.com?"
- "Show me our WAF rules and check if they block SQL injection"
- "List all tunnel configurations"
- "Create a terraform plan to add HTTPS enforcement"
- "Show recent changes in GitLab that affect infrastructure"
**For security-audit agent:**
- "Are we compliant with PCI-DSS?"
- "Review WAF rules for OWASP compliance"
- "Check if access controls meet GDPR standards"
- "Audit DNS configurations for security risks"
**For oracle_runner.py:**
- "python3 oracle_runner.py 'What are NIS2 incident reporting requirements?'"
- "python3 oracle_runner.py 'Summarize our AI Act obligations' --frameworks ai-act"
- "python3 oracle_runner.py 'Check GDPR data retention requirements' -v"
---
## Support & Feedback
**OpenCode Issues:** https://github.com/sst/opencode/issues
**Project Issues:** Create issue in your project repo
**Documentation:** See AGENTS.md, MCP_GUIDE.md, GITLAB_CLOUDFLARE_AUTH.md
---
**Last Updated:** December 8, 2025
**Status:** 🟢 Production Ready
**Next Review:** December 15, 2025

210
FIRST_RUN.md Normal file
View File

@@ -0,0 +1,210 @@
# First Live Run: Cloudflare-Ops Reconnaissance Mission
This guide walks you through testing the OpenCode MCP stack with a real cloudflare-ops mission.
## Step 1: Prep Your Shell (Outside OpenCode)
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
# Essential - GitHub integration (REQUIRED)
# Get real token from: https://github.com/settings/tokens
export GITHUB_TOKEN="ghp_your_real_token_here"
# Optional - Documentation search (nice to have)
# export CONTEXT7_API_KEY="your_context7_key"
```
✅ Verify environment is set:
```bash
echo $GITHUB_TOKEN
```
Should output: `ghp_...` (your token prefix)
---
## Step 2: Launch OpenCode
```bash
opencode
```
Wait for the OpenCode TUI to load.
Inside OpenCode, initialize project:
```
/init
```
This will:
- Load project context
- Initialize MCP servers
- Prepare all agents
---
## Step 3: Sanity-Check MCP Wiring
Inside OpenCode, verify MCPs are loaded:
```
/mcp list
```
You should see output like:
```
✅ filesystem - loaded
✅ git - loaded
✅ github - loaded
✅ gh_grep - loaded
⚠️ postgres - disabled
...
```
Check individual MCPs:
```
/mcp status filesystem
/mcp status git
/mcp status github
/mcp status gh_grep
```
Each should report "ready" or "healthy".
**If any fail:** Copy-paste error message and share.
---
## Step 4: First Cloudflare-Ops Mission
Inside OpenCode, invoke the agent:
```
/agent cloudflare-ops
```
Now give it this prompt:
```
I want to do a quick infrastructure reconnaissance:
1. Use the filesystem MCP to list the terraform/ directory tree.
2. Use the git MCP to show the last 5 commits touching terraform/.
3. Summarize what parts of the Cloudflare setup (DNS/WAF/SSL/etc.) are already defined in code vs likely still manual.
Only PLAN first, then show me the actions you'd take.
```
OpenCode will respond with:
- Analysis of your Terraform structure
- Recent git changes
- Assessment of what's codified vs manual
- A plan for next steps
**Important:** When OpenCode asks to apply/edit, respond:
```
That plan looks good. Proceed with the non-destructive steps only (listing, reading, summarizing). Do not modify any files yet.
```
---
## Step 5: GitHub Pattern Search
Still in cloudflare-ops mode, ask:
```
Use the gh_grep MCP to search for public examples of:
- Cloudflare Terraform modules for WAF and rate limiting
- Best-practice HTTPS/redirect patterns
Summarize 35 good patterns and map each one to where it would fit in this repo (filenames or new files).
```
OpenCode will:
- Search GitHub for Cloudflare patterns
- Return real code examples
- Suggest where they fit in your repo
---
## Step 6: Exit & Commit
Exit OpenCode:
```
<Ctrl+C>
```
Check git status (in normal shell):
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
git status
```
Should show no unexpected changes (only the config files we added).
Commit if ready:
```bash
git add opencode.jsonc AGENTS.md MCP_GUIDE.md OPENCODE_SETUP.txt .opencode_checklist.txt FIRST_RUN.md
git commit -m "Wire up OpenCode MCP stack and agents for Cloudflare infra"
```
---
## What You Should See
### After /init:
- Project context loaded
- 14 MCPs initialized
- 3 agents available
### After cloudflare-ops reconnaissance:
- Directory tree of terraform/
- Last 5 commits to terraform/
- Assessment of what's codified
- Suggestions for next steps
### After gh_grep search:
- 3-5 Terraform patterns
- Code snippets
- Mapping to your repo structure
---
## Troubleshooting
### MCP Not Loading
```
/mcp list
/mcp status <mcp_name>
```
If error: Share the full error message.
### GitHub MCP Complains
```
export GITHUB_TOKEN="ghp_your_real_token"
```
Then restart OpenCode.
### Context Limit Hit
Some MCPs add many tokens. If you get context warnings:
1. Disable heavy MCPs in AGENTS.md
2. Restart OpenCode
3. Try again with lighter set
---
## Next Steps (I'll Drive)
Once you've completed steps 1-5, I'll:
✅ Turn cloudflare-ops into a repeatable "DNS/WAF change playbook"
✅ Add security-audit flow that checks PCI-DSS compliance
✅ Design data-engineer queries once DATABASE_URL is live
For now, just run steps 1-5 and paste the output here.
---
**Ready?** Start at Step 1.

525
GITLAB_CLOUDFLARE_AUTH.md Normal file
View File

@@ -0,0 +1,525 @@
# GitLab & Cloudflare API Authentication Setup
Complete guide to authenticate OpenCode with GitLab and Cloudflare APIs.
---
## **1. GitLab Authentication**
### What GitLab MCP Lets You Do
**In OpenCode, you can:**
```
/agent cloudflare-ops
Check our GitLab repository for recent infrastructure changes
and show me the commit history for terraform/ directory.
```
Result:
- Browse GitLab repos from OpenCode
- View merge requests and issues
- Query commit history
- Trigger pipelines
- Manage infrastructure-as-code in GitLab
### Step 1: Create GitLab Personal Access Token
**Location:** https://gitlab.com/-/user_settings/personal_access_tokens
**Or for self-hosted GitLab:**
```
https://your-gitlab-instance.com/-/user_settings/personal_access_tokens
```
**Required Settings:**
| Field | Value |
|-------|-------|
| **Token name** | `opencode-agent` |
| **Expiration date** | 90 days (recommended for security) |
| **Scopes** | See below |
**Required Scopes (checkboxes to enable):**
-`api` - Full API access
-`read_user` - Read user information
-`read_repository` - Read repositories
-`write_repository` - Optional (for commits/MRs)
-`read_registry` - Optional (for container registry)
**Click "Create personal access token"**
You'll see:
```
glpat-XXXXXXXXXXXXXX
```
**Copy this token immediately** (you won't see it again).
### Step 2: Set Environment Variable
In your shell, before running OpenCode:
```bash
# For gitlab.com
export GITLAB_TOKEN="glpat_your_token_here"
export GITLAB_URL="https://gitlab.com"
# For self-hosted GitLab
export GITLAB_TOKEN="glpat_your_token_here"
export GITLAB_URL="https://your-gitlab-instance.com"
```
Verify:
```bash
echo $GITLAB_TOKEN
```
Should output: `glpat_...` (the token prefix)
### Step 3: Enable in OpenCode Config
The config is already set up. To enable GitLab MCP:
**Option A: Enable globally (simple)**
In `opencode.jsonc`, find the gitlab section and change:
```jsonc
"gitlab": {
...
"enabled": true // ← Change from false to true
}
```
**Option B: Enable per-agent only (recommended)**
Keep it disabled globally (resource savings), but enable only when needed:
In `opencode.jsonc`, agents section is already configured:
```jsonc
"cloudflare-ops": {
"tools": {
"gitlab": true // ← Already enabled for this agent
}
}
```
### Step 4: Test GitLab Connection
Launch OpenCode:
```bash
export GITLAB_TOKEN="glpat_..."
cd /Users/sovereign/Desktop/CLOUDFLARE
opencode
```
Inside OpenCode:
```
/mcp status gitlab
```
Should report: `✅ gitlab - loaded and ready`
### Example: GitLab Workflows
**Query Recent Commits:**
```
/agent cloudflare-ops
Show me the last 10 commits to the terraform/ directory in our GitLab repo.
What infrastructure changes were made?
```
**Manage Merge Requests:**
```
/agent cloudflare-ops
List all open merge requests for the Cloudflare infrastructure project.
Show me the approval status and comments.
```
**Check Pipeline Status:**
```
/agent cloudflare-ops
What's the status of the latest CI/CD pipeline for our terraform changes?
Are there any failed jobs?
```
**Create Infrastructure Documentation:**
```
/agent cloudflare-ops
Pull the latest commits from our GitLab repo and summarize all
infrastructure changes made in the last 2 weeks. Create a report.
```
---
## **2. Cloudflare API Authentication**
### What Cloudflare MCP Lets You Do
**In OpenCode, you can:**
```
/agent cloudflare-ops
Query our Cloudflare account directly. Show me all DNS records,
WAF rules, and origin health status.
```
Result:
- Query live DNS records
- Check WAF rule status
- Monitor origin health
- View tunnel configurations
- Validate infrastructure matches Terraform state
### Step 1: Create Cloudflare API Token
**Location:** https://dash.cloudflare.com/profile/api-tokens
**Click "Create Token"**
**Setup for Terraform/Infrastructure:**
| Field | Value |
|-------|-------|
| **Token name** | `opencode-infra-api` |
| **Permissions** | See below |
| **Account Resources** | Your account |
| **Zone Resources** | Specific zones or all zones |
| **TTL** | 90 days |
**Required Permissions:**
Create a custom token with:
-`Zone.DNS:Read` - Read DNS records
-`Zone.Settings:Read` - Read zone settings
-`Account.Firewall Rules:Read` - Read WAF/firewall rules
-`Account.Tunnels:Read` - Read tunnel configs
-`Account.Load Balancing:Read` - Read load balancers
Or use the **"Edit Cloudflare Workers"** template (has most permissions).
**Click "Create Token"**
You'll see:
```
Token: 1234567890abcdef1234567890abcdef
```
**Copy immediately** (you won't see it again).
### Step 2: Get Your Cloudflare Account ID
**In Cloudflare Dashboard:**
1. Go to https://dash.cloudflare.com/
2. Click on any domain
3. Look for **Account ID** in the right sidebar
4. Copy it (looks like `abc123def456ghi789`)
Or via API:
```bash
curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
https://api.cloudflare.com/client/v4/accounts
```
Look for `id` field in response.
### Step 3: Set Environment Variables
In your shell, before running OpenCode:
```bash
# Cloudflare API Token (required)
export CLOUDFLARE_API_TOKEN="1234567890abcdef1234567890abcdef"
# Your Cloudflare Account ID (required)
export CLOUDFLARE_ACCOUNT_ID="abc123def456ghi789"
# Optional: Zone ID if querying specific zone
export CLOUDFLARE_ZONE_ID="zone123zone123zone123"
```
Verify:
```bash
echo $CLOUDFLARE_API_TOKEN
echo $CLOUDFLARE_ACCOUNT_ID
```
### Step 4: Enable in OpenCode Config
The config is already set up. To enable Cloudflare MCP:
**Option A: Enable globally**
In `opencode.jsonc`:
```jsonc
"cloudflare": {
...
"enabled": true // ← Change from false to true
}
```
**Option B: Enable per-agent (recommended)**
Already configured in `cloudflare-ops` and `security-audit` agents:
```jsonc
"cloudflare-ops": {
"tools": {
"cloudflare": true // ← Already enabled
}
}
```
### Step 5: Test Cloudflare Connection
Launch OpenCode:
```bash
export CLOUDFLARE_API_TOKEN="..."
export CLOUDFLARE_ACCOUNT_ID="..."
cd /Users/sovereign/Desktop/CLOUDFLARE
opencode
```
Inside OpenCode:
```
/mcp status cloudflare
```
Should report: `✅ cloudflare - loaded and ready`
### Example: Cloudflare Workflows
**Query Live DNS Records:**
```
/agent cloudflare-ops
Query Cloudflare API: Show me all DNS records for offsec.global zone.
Cross-check them against our terraform/dns.tf configuration.
Are they in sync?
```
**Validate WAF Rules:**
```
/agent security-audit
Query Cloudflare API to show all active WAF rules.
Check them against PCI-DSS requirements. Report gaps.
```
**Monitor Tunnel Health:**
```
/agent cloudflare-ops
Query Cloudflare API for tunnel status and origin health.
Show me response times and any degraded origins.
```
**Compare State:**
```
/agent cloudflare-ops
Pull live configuration from Cloudflare API.
Compare against our Terraform code.
Show me any drift (manual changes outside Terraform).
```
**Generate Infrastructure Report:**
```
/agent cloudflare-ops
Query Cloudflare API for: zones, DNS records, WAF rules,
tunnels, SSL certificates, and load balancers.
Generate a complete infrastructure inventory report.
```
---
## **3. Combined Workflow: GitLab + Cloudflare**
### Real Example: Validate Infrastructure Changes
```
/agent cloudflare-ops
I'm about to merge a GitLab MR that modifies our WAF rules.
1. Fetch the proposed changes from the MR
2. Query Cloudflare API for current WAF rules
3. Show me what will change
4. Check against PCI-DSS requirements
5. Validate terraform syntax
6. Only PLAN, don't apply
```
OpenCode will:
1. **[gitlab]** - Read the MR changes
2. **[cloudflare]** - Query live WAF rules
3. **[filesystem]** - Read terraform/waf.tf
4. **[git]** - Show the diff
5. **[context7]** - Check compliance
6. **Report:** "Safe to merge, no compliance gaps"
### Real Example: Disaster Recovery Check
```
/agent security-audit
Validate that our infrastructure is resilient:
1. Query GitLab for backup/DR scripts
2. Query Cloudflare for failover configuration
3. Check terraform for multi-region setup
4. Report on recovery capabilities
```
OpenCode will:
1. **[gitlab]** - Find DR playbooks
2. **[cloudflare]** - Verify failover IPs
3. **[filesystem]** - Examine terraform
4. **Report:** "Failover set to 5-second TTL, tested 2 weeks ago"
---
## **4. Environment Variables Summary**
Create a `.env` file in your project:
```bash
# GitHub (already configured)
export GITHUB_TOKEN="ghp_your_token"
# GitLab (NEW)
export GITLAB_TOKEN="glpat_your_token"
export GITLAB_URL="https://gitlab.com"
# Cloudflare (NEW)
export CLOUDFLARE_API_TOKEN="your_api_token"
export CLOUDFLARE_ACCOUNT_ID="your_account_id"
# Optional Cloudflare
export CLOUDFLARE_ZONE_ID="your_zone_id"
```
Load before running OpenCode:
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
source .env
opencode
```
---
## **5. Multiple Accounts Configuration 🔐**
For managing multiple GitHub, GitLab, or Cloudflare accounts, see: [MULTI_ACCOUNT_AUTH.md](MULTI_ACCOUNT_AUTH.md)
---
## **6. Security Best Practices**
### Token Management
**Do:**
- ✅ Rotate tokens every 90 days
- ✅ Use separate tokens for different purposes
- ✅ Store in `.env` (don't commit to git)
- ✅ Use `environment` variables in opencode.jsonc, not hardcoded tokens
- ✅ Set narrow scopes (minimal permissions needed)
**Don't:**
- ❌ Hardcode tokens in opencode.jsonc
- ❌ Commit tokens to git
- ❌ Share tokens via chat/email
- ❌ Use the same token for everything
- ❌ Set tokens with unlimited expiration
### .gitignore Update
```bash
# Add to your .gitignore
.env
.env.local
.env.*.local
```
Verify:
```bash
git status | grep -i env
```
Should show nothing (env files not tracked).
---
## **7. Troubleshooting**
### GitLab MCP Not Loading
```bash
# Check token is set
echo $GITLAB_TOKEN
# Check URL is correct
echo $GITLAB_URL
# Try test in OpenCode
/mcp status gitlab
```
**Common Issues:**
- Token expired → Create new token
- Wrong scopes → Recreate token with `api` + `read_repository`
- Self-hosted URL wrong → Verify with your GitLab admin
### Cloudflare MCP Not Loading
```bash
# Check token is set
echo $CLOUDFLARE_API_TOKEN
# Check account ID is set
echo $CLOUDFLARE_ACCOUNT_ID
# Try test in OpenCode
/mcp status cloudflare
```
**Common Issues:**
- Wrong token format → Get new token from dashboard
- Account ID missing → Get from https://dash.cloudflare.com/
- Insufficient scopes → Recreate token with proper permissions
- API rate limit → Wait a few minutes and retry
### Testing API Directly
**GitLab:**
```bash
curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
https://gitlab.com/api/v4/user
```
**Cloudflare:**
```bash
curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
https://api.cloudflare.com/client/v4/accounts
```
Both should return successful JSON responses.
---
## **8. Next Steps**
### Now:
1. Create GitLab PAT → export `GITLAB_TOKEN`
2. Create Cloudflare API token → export `CLOUDFLARE_API_TOKEN`
3. Get Cloudflare Account ID → export `CLOUDFLARE_ACCOUNT_ID`
4. Test MCPs: `/mcp list`
### Then:
1. Run cloudflare-ops with GitLab + Cloudflare together
2. Try a full validation workflow
3. Generate an infrastructure report
---
**Ready?** Set the env vars and try:
```bash
export GITLAB_TOKEN="glpat_..."
export CLOUDFLARE_API_TOKEN="..."
export CLOUDFLARE_ACCOUNT_ID="..."
opencode
/agent cloudflare-ops
Show me all infrastructure from GitLab and Cloudflare, then compare.
```

182
IDE_OPERATOR_RULES.md Normal file
View File

@@ -0,0 +1,182 @@
---
description: **CLOUDFLARE OPERATOR RULES**: Load this file for ANY Cloudflare-related operations including DNS, WAF, Tunnels, Zero Trust, Terraform IaC, or security configurations. This provides operator doctrine for Cloudflare infrastructure management. **MUST** be read when user mentions: Cloudflare, WAF, DNS records, Tunnels, Zero Trust, Workers, or any Cloudflare-specific patterns.
---
# IDE Operator Rules — Cloudflare Security Mesh
> **Control Surface:** This file can be seeded into VS Code extension folders to provide
> policy-aware guidance for AI assistants and code generation.
---
## Core Principles
1. **Security-First Infrastructure**
- All Cloudflare resources must be defined in Terraform
- Never hardcode API tokens or secrets in code
- WAF rules must have documented justification
2. **GitOps Workflow**
- No manual changes via Cloudflare dashboard
- All changes flow through: PR → Review → Merge → Apply
- Drift triggers automatic remediation PRs
3. **Zero Trust by Default**
- Assume all traffic is hostile until verified
- Access policies must enforce MFA where possible
- Tunnel configurations require explicit allow-lists
---
## Terraform Guardrails
### DNS Records
```hcl
# ✅ ALWAYS include TTL and proxied status explicitly
resource "cloudflare_record" "example" {
zone_id = var.zone_id
name = "api"
type = "A"
value = "192.0.2.1"
ttl = 300 # Explicit TTL
proxied = true # Explicit proxy status
}
# ❌ NEVER create unproxied A/AAAA records for sensitive services
# ❌ NEVER use TTL < 60 for production DNS
```
### WAF Rules
```hcl
# ✅ ALWAYS include description and tags
resource "cloudflare_ruleset" "waf_custom" {
zone_id = var.zone_id
name = "Custom WAF Rules"
description = "Phase 7 WAF Intelligence generated rules"
kind = "zone"
phase = "http_request_firewall_custom"
rules {
action = "block"
expression = "(ip.src in $threat_intel_ips)"
description = "Block threat intel IPs - auto-generated"
enabled = true
}
}
# ❌ NEVER disable managed rulesets without documented exception
# ❌ NEVER use action = "allow" for external IPs without review
```
### Tunnels
```hcl
# ✅ ALWAYS rotate tunnel secrets on schedule
# ✅ ALWAYS use ingress rules with explicit hostnames
# ❌ NEVER expose internal services without Access policies
# ❌ NEVER use catch-all ingress rules in production
```
### Access Policies
```hcl
# ✅ ALWAYS require MFA for admin applications
# ✅ ALWAYS set session duration explicitly
# ❌ NEVER use "everyone" include without additional restrictions
# ❌ NEVER bypass Access for internal tools
```
---
## WAF Intelligence Integration
### Using the Analyzer
```bash
# Analyze WAF configuration
python -m mcp.waf_intelligence.orchestrator analyze terraform/waf.tf
# Full threat assessment
python -m mcp.waf_intelligence.orchestrator assess --include-threat-intel
# Generate rule proposals
python -m mcp.waf_intelligence.orchestrator propose --max-rules 5
```
### Threat Classification
The ML classifier detects:
- `sqli` — SQL injection patterns
- `xss` — Cross-site scripting
- `rce` — Remote code execution
- `path_traversal` — Directory traversal
- `scanner` — Automated scanning tools
### Auto-Deploy Criteria
Rules may be auto-deployed when:
- Confidence ≥ 85%
- Severity is `critical` or `high`
- Pattern matches known attack signature
- No existing rule covers the threat
---
## GitOps Workflow Rules
### PR Requirements
| Risk Level | Approvals | Auto-Merge |
|------------|-----------|------------|
| Low | 1 | Allowed |
| Medium | 1 | Manual |
| High | 2 | Manual |
| Critical | 2 | Never |
### Drift Remediation
- DNS drift → Auto-PR with `drift/remediation-*` branch
- WAF drift → Security team review required
- Tunnel drift → Infra team review required
### Compliance Flags
Changes affecting these frameworks trigger warnings:
- **SOC2** — SSL settings, WAF deletions
- **PCI-DSS** — TLS version, WAF modifications
- **HIPAA** — Access policy deletions, encryption settings
---
## Agent Instructions
When working with this Cloudflare infrastructure:
1. **Always check WAF impact** before proposing changes
2. **Prefer Terraform patterns** over ad-hoc API calls
3. **Use WAF Intelligence CLI** for security analysis before generating rules
4. **Propose GitOps-style patches**, not manual edits
5. **Never assume external APIs**; prefer local, deterministic tools
6. **Reference compliance frameworks** when implementing security features
### Tool Availability
- `filesystem` — Explore project structure
- `git` — Track and review changes
- `waf_intel` — Analyze WAF configurations
- `terraform` — Plan and validate infrastructure
---
## Quick Reference
### Risk Classification
```
High Risk: DNS, WAF, Tunnels, Access, Certificates
Medium Risk: Performance, Workers, Page Rules
Low Risk: Logging, Notifications, API Tokens
```
### Emergency Procedures
- DNS Compromise: See `playbooks/DNS-COMPROMISE-PLAYBOOK.md`
- WAF Incident: See `playbooks/waf_incident_playbook.md`
- Tunnel Rotation: See `playbooks/TUNNEL-ROTATION-PROTOCOL.md`
---
**Last Updated:** 2025-12-09
**Phase:** 7 (WAF Intelligence)
**Seeded By:** `scripts/seed_ide_rules.py`

21
LICENSE Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 VaultMesh Technologies / Karol S.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

487
MCP_GUIDE.md Normal file
View File

@@ -0,0 +1,487 @@
# Complete MCP Guide for OpenCode
## Available MCPs and Configuration
This guide shows all the Model Context Protocol (MCP) servers configured in your OpenCode setup, with environment variables and usage examples.
---
## Essential MCPs (Always Enabled)
### 1. **filesystem** - File System Operations
**Status:** ✅ Enabled by default
**Environment:** `HOME` directory
**Purpose:** Read/write files, explore directory structure, manage file operations
**Usage Examples:**
```
/use filesystem
Please explore the terraform/ directory structure
```
**Best For:**
- Examining project files
- Understanding directory organization
- Reading configuration files
---
### 2. **git** - Version Control
**Status:** ✅ Enabled by default
**Purpose:** Git operations, commit history, diff review
**Usage Examples:**
```
/use git
Show me the recent commits in the terraform/ directory
```
```
/use git
What files changed in the last 5 commits?
```
**Best For:**
- Reviewing changes before committing
- Understanding project history
- Checking git status
---
### 3. **github** - GitHub Integration
**Status:** ✅ Enabled by default
**Environment Required:** `GITHUB_TOKEN`
**Purpose:** Query GitHub APIs, search repos, manage PRs/issues
**Usage Examples:**
```
/use github
Search for Cloudflare Terraform modules in GitHub
```
```
/use github
Find how other projects implement WAF rules
```
**Setup:**
```bash
export GITHUB_TOKEN="ghp_your_token_here"
```
**Best For:**
- Finding example implementations
- Searching GitHub repositories
- Managing pull requests
---
### 4. **gh_grep** - GitHub Code Search
**Status:** ✅ Enabled by default (Remote)
**URL:** https://mcp.grep.app
**Purpose:** Search code examples across GitHub
**Usage Examples:**
```
/use gh_grep
Find examples of Cloudflare Terraform patterns
```
**Best For:**
- Finding best practices on GitHub
- Learning from real-world implementations
- Code examples and snippets
---
## Optional MCPs (Disabled by Default - Enable as Needed)
### 5. **postgres** - PostgreSQL Database
**Status:** ⚠️ Disabled (enable for data-engineer agent)
**Environment Required:** `DATABASE_URL`
**Purpose:** Query and manage PostgreSQL databases
**Setup:**
```bash
export DATABASE_URL="postgresql://user:password@localhost:5432/dbname"
```
**Usage Example (when enabled):**
```
/agent data-engineer
Query the users table to get the count of active users
```
**Enable In Config:**
```jsonc
"postgres": {
"enabled": true
}
```
**Best For:**
- Database queries and analysis
- Schema exploration
- Data engineering tasks
---
### 6. **sqlite** - SQLite Database
**Status:** ⚠️ Disabled (enable for data-engineer agent)
**Purpose:** Work with local SQLite databases
**Usage Example (when enabled):**
```
/agent data-engineer
Show me the schema of the analytics.db file
```
**Enable In Config:**
```jsonc
"sqlite": {
"enabled": true
}
```
**Best For:**
- Local data analysis
- Testing database queries
- Small-scale data operations
---
### 7. **docker** - Docker Integration
**Status:** ⚠️ Disabled (enable for container work)
**Purpose:** Docker container management and operations
**Enable In Config:**
```jsonc
"docker": {
"enabled": true
}
```
**Usage Example (when enabled):**
```
Build and run a Docker container for the GitOps pipeline
```
**Best For:**
- Container management
- Docker compose operations
- Container deployment
---
### 8. **aws** - AWS Integration
**Status:** ⚠️ Disabled (enable for AWS operations)
**Environment Required:**
- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_REGION`
**Setup:**
```bash
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_REGION="us-east-1"
```
**Usage Example (when enabled):**
```
Deploy this Lambda function to AWS
```
**Enable In Config:**
```jsonc
"aws": {
"enabled": true,
"environment": {
"AWS_ACCESS_KEY_ID": "{env:AWS_ACCESS_KEY_ID}",
"AWS_SECRET_ACCESS_KEY": "{env:AWS_SECRET_ACCESS_KEY}",
"AWS_REGION": "{env:AWS_REGION}"
}
}
```
**Best For:**
- AWS infrastructure management
- Lambda deployments
- S3 operations
---
### 9. **slack** - Slack Integration
**Status:** ⚠️ Disabled (enable for notifications)
**Environment Required:** `SLACK_BOT_TOKEN`
**Purpose:** Send messages, manage channels
**Setup:**
```bash
export SLACK_BOT_TOKEN="xoxb-..."
```
**Usage Example (when enabled):**
```
Send a notification to #devops about the deployment
```
**Enable In Config:**
```jsonc
"slack": {
"enabled": true,
"environment": {
"SLACK_BOT_TOKEN": "{env:SLACK_BOT_TOKEN}"
}
}
```
**Best For:**
- Sending notifications
- Team communication
- Alert automation
---
### 10. **linear** - Linear Issue Tracking
**Status:** ⚠️ Disabled (enable for issue management)
**Environment Required:** `LINEAR_API_KEY`
**Purpose:** Create/manage issues in Linear
**Setup:**
```bash
export LINEAR_API_KEY="lin_..."
```
**Usage Example (when enabled):**
```
Create a Linear ticket for the new WAF rule implementation
```
**Enable In Config:**
```jsonc
"linear": {
"enabled": true,
"environment": {
"LINEAR_API_KEY": "{env:LINEAR_API_KEY}"
}
}
```
**Best For:**
- Issue tracking
- Task creation
- Sprint management
---
### 11. **context7** - Documentation Search
**Status:** ⚠️ Disabled (enable for documentation lookup)
**Environment Required (Optional):** `CONTEXT7_API_KEY`
**URL:** https://mcp.context7.com/mcp
**Purpose:** Search through documentation and knowledge bases
**Setup (Optional - works without key but rate-limited):**
```bash
export CONTEXT7_API_KEY="your-key"
```
**Usage Example (when enabled):**
```
/use context7
Search for GDPR Article 33 requirements
```
**Enable In Config:**
```jsonc
"context7": {
"type": "remote",
"url": "https://mcp.context7.com/mcp",
"headers": {
"CONTEXT7_API_KEY": "{env:CONTEXT7_API_KEY}"
},
"enabled": true
}
```
**Best For:**
- Compliance research
- Documentation lookup
- Learning about standards (GDPR, PCI-DSS, etc.)
---
### 12. **googlemaps** - Google Maps Integration
**Status:** ⚠️ Disabled
**Environment Required:** `GOOGLE_MAPS_API_KEY`
**Purpose:** Map queries and geocoding
**Setup:**
```bash
export GOOGLE_MAPS_API_KEY="your-key"
```
**Best For:**
- Location-based queries
- Geocoding operations
---
### 13. **memory** - Knowledge Base
**Status:** ⚠️ Disabled
**Purpose:** Store and retrieve project knowledge/context
**Best For:**
- Recording important patterns
- Storing decision history
---
## Quick Start for Your Project
### 1. Set Up Essential Environment Variables
```bash
# GitHub - Required for github and gh_grep MCPs
export GITHUB_TOKEN="ghp_your_github_token"
# Optional but recommended
export CONTEXT7_API_KEY="your_context7_key"
# If using data-engineer agent
export DATABASE_URL="postgresql://..."
# If using AWS features
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_REGION="us-east-1"
```
### 2. Initialize OpenCode
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
opencode
/init
```
### 3. Check MCP Status
```bash
/mcp list
```
### 4. Start Using MCPs
```bash
# Use built-in agent
/agent cloudflare-ops
I need to add DNS records. Can you search for Cloudflare Terraform examples?
# Or use MCPs directly in your prompts
/use git
/use gh_grep
Show me recent commits and search for similar patterns
```
---
## Per-Agent MCP Configuration
### cloudflare-ops Agent
Enabled MCPs:
- filesystem
- git
- github
- gh_grep
```bash
/agent cloudflare-ops
I need to implement HTTPS enforcement. Can you find similar patterns first?
```
### security-audit Agent
Enabled MCPs:
- filesystem
- git
- github
- gh_grep
```bash
/agent security-audit
Review the WAF rules and check against PCI-DSS requirements
```
### data-engineer Agent
Enabled MCPs:
- filesystem
- git
- postgres
- sqlite
```bash
/agent data-engineer
Query the database and generate a report of active users
```
---
## Troubleshooting MCPs
### MCP Not Loading?
```bash
# Check which MCPs are enabled
/mcp list
# Check specific MCP
/mcp status filesystem
# Restart OpenCode
opencode
```
### Environment Variables Not Working?
```bash
# Verify environment variable is set
echo $GITHUB_TOKEN
# Make sure to set it before running OpenCode
export GITHUB_TOKEN="your_token"
opencode
```
### Multiple Accounts Configuration 🔐
For managing multiple GitHub, GitLab, or Cloudflare accounts, see: [MULTI_ACCOUNT_AUTH.md](MULTI_ACCOUNT_AUTH.md)
### Context Size Too Large?
If OpenCode runs out of context:
1. Disable heavy MCPs like `github` in global config
2. Enable them only per-agent when needed
3. Use `tools` section to disable specific MCPs
```jsonc
"tools": {
"github": false, // Disable globally
}
```
Then enable per-agent:
```jsonc
"agents": {
"cloudflare-ops": {
"tools": {
"github": true // Enable only for this agent
}
}
}
```
---
## MCP References
- [OpenCode MCP Documentation](https://opencode.ai/docs/mcp-servers/)
- [Model Context Protocol Spec](https://modelcontextprotocol.io/)
- [Official MCP Servers](https://modelcontextprotocol.io/clients)
---
**Last Updated:** December 8, 2025
**OpenCode Version:** 1.0+

441
MULTI_ACCOUNT_AUTH.md Normal file
View File

@@ -0,0 +1,441 @@
# Multiple Accounts Configuration 🔐
## Overview
This project supports **multiple accounts for the same service**:
- Multiple GitHub accounts (personal, work, alt)
- Multiple Cloudflare accounts (prod, staging, dev)
- Multiple GitLab instances (internal, external)
Each account is:
1. Bound to a **unique environment variable name**, and
2. Exposed as a **separate MCP server** in `opencode.jsonc`.
> 🔒 **Security Note:** Never commit tokens to git. Keep them in your shell environment, a `.env` file that is `.gitignore`d, or a secrets manager.
---
## 1. Export Tokens with Unique Variable Names
Use descriptive names that encode both **service** and **purpose**.
**Pattern:**
`<SERVICE>_<RESOURCE>_<ENV or PURPOSE>`
Examples:
- `GITHUB_TOKEN_WORK`
- `CLOUDFLARE_API_TOKEN_PRODUCTION`
- `GITLAB_TOKEN_INTERNAL`
### Shell Export (for session-based or profile)
```bash
# GitHub multiple accounts
export GITHUB_TOKEN_SECONDARY="ghp_another_token_here"
export GITHUB_TOKEN_WORK="ghp_work_account_token"
export GITHUB_TOKEN_PERSONAL="ghp_personal_account_token"
# Cloudflare multiple accounts
export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_token_here"
export CLOUDFLARE_ACCOUNT_ID_PRODUCTION="prod_account_id"
export CLOUDFLARE_API_TOKEN_STAGING="staging_token_here"
export CLOUDFLARE_ACCOUNT_ID_STAGING="staging_account_id"
# GitLab multiple instances
export GITLAB_TOKEN_INTERNAL="glpat_internal_token"
export GITLAB_URL_INTERNAL="https://gitlab.internal.company.com"
export GITLAB_TOKEN_EXTERNAL="glpat_external_token"
export GITLAB_URL_EXTERNAL="https://gitlab.com"
```
### .env File (recommended for project isolation)
```bash
# .env (remember to add this to .gitignore)
CLOUDFLARE_API_TOKEN_PRODUCTION=prod_token
CLOUDFLARE_ACCOUNT_ID_PRODUCTION=prod_account_id
CLOUDFLARE_API_TOKEN_STAGING=staging_token
CLOUDFLARE_ACCOUNT_ID_STAGING=staging_account_id
```
Then load in shell:
```bash
set -a
source .env
set +a
```
---
## 2. Add MCP Entries in `opencode.jsonc`
Each account becomes its own MCP entry, wired to its own env vars:
```jsonc
// Secondary GitHub account
"github_secondary": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-github"],
"environment": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "{env:GITHUB_TOKEN_SECONDARY}"
},
"enabled": false
},
// Production Cloudflare account
"cloudflare_prod": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-cloudflare"],
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_PRODUCTION}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_PRODUCTION}"
},
"enabled": false
},
// Staging Cloudflare account
"cloudflare_staging": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-cloudflare"],
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_STAGING}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_STAGING}"
},
"enabled": false
},
// Internal GitLab instance
"gitlab_internal": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-gitlab"],
"environment": {
"GITLAB_TOKEN": "{env:GITLAB_TOKEN_INTERNAL}",
"GITLAB_URL": "{env:GITLAB_URL_INTERNAL}"
},
"enabled": false
}
```
---
## 3. Enable Per-Agent (Recommended) or Globally
**Recommended:** Enable accounts per agent for isolation.
```jsonc
"agents": {
"cloudflare-ops": {
"tools": {
"cloudflare_prod": true, // Production account
"cloudflare_staging": true, // Staging account
"github_secondary": true, // Secondary GitHub
"gitlab_internal": true // Internal GitLab
}
},
"security-audit": {
"tools": {
"cloudflare_prod": true, // Only production for audits
"github_secondary": false // Disable secondary for security
}
}
}
```
Global enable (less strict, use sparingly):
```jsonc
"tools": {
"cloudflare_prod": true,
"github_secondary": true
}
```
> 🔑 **Principle:** Production credentials should only be wired into a few, tightly-scoped agents (e.g., `cloudflare-ops`, `security-audit`), not "playground" agents.
---
## 4. Best Practices
### Naming Conventions
Use suffixes that make intent obvious:
- `_PRODUCTION` / `_PROD` Production environment
- `_STAGING` / `_STAGE` Staging environment
- `_DEVELOPMENT` / `_DEV` Development environment
- `_INTERNAL` Internal/private instance
- `_EXTERNAL` External/public instance
- `_WORK` / `_PERSONAL` Work vs personal identity
- `_SECONDARY` / `_BACKUP` Secondary/backup account
### Security Isolation
1. **Per-agent configuration** Only give each agent the accounts it truly needs
2. **Environment separation** Different tokens per environment (prod / stage / dev)
3. **Least privilege** Grant minimal scopes to each token
4. **Token rotation** Rotate regularly, especially production
> ⚠️ **Golden Rule:** Never give production tokens to "exploratory" or "play" agents; only to audited / narrow-scope agents (e.g., `security-audit`, `cloudflare-ops`).
### Example: Multi-Environment Setup
```bash
# .env file
# Production
export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_token"
export CLOUDFLARE_ACCOUNT_ID_PRODUCTION="prod_account_id"
# Staging
export CLOUDFLARE_API_TOKEN_STAGING="staging_token"
export CLOUDFLARE_ACCOUNT_ID_STAGING="staging_account_id"
# Development
export CLOUDFLARE_API_TOKEN_DEVELOPMENT="dev_token"
export CLOUDFLARE_ACCOUNT_ID_DEVELOPMENT="dev_account_id"
```
```jsonc
// opencode.jsonc
"cloudflare_prod": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_PRODUCTION}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_PRODUCTION}"
}
},
"cloudflare_staging": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_STAGING}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_STAGING}"
}
},
"cloudflare_dev": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_DEVELOPMENT}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID_DEVELOPMENT}"
}
}
```
## Cursor IDE Integration
### How Cursor Agent Works with Multiple Accounts
Cursor IDE itself uses a single account (your Cursor subscription), but Cursor Agent can access unlimited external service accounts via:
1. **Environment Variables** (loaded from `.env`)
2. **MCP Servers** (configured in `~/.cursor/mcp.json` or project-specific)
3. **Workspace-Specific Config** (each project folder can have different credentials)
### Configuring MCP in Cursor
**File:** `~/.cursor/mcp.json`
```json
{
"mcpServers": {
"github_work": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_work_token_here"
}
},
"github_personal": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_personal_token_here"
}
},
"cloudflare_prod": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "prod_token",
"CLOUDFLARE_ACCOUNT_ID": "prod_account_id"
}
}
}
}
```
### Using Multiple Accounts in Cursor
Once configured, Cursor Agent can:
```
# In Cursor chat/command bar:
"Check production Cloudflare for drift"
→ Uses cloudflare_prod MCP
"Search my work GitHub for similar implementations"
→ Uses github_work MCP
"Compare personal and work repos for this pattern"
→ Uses both github_personal and github_work MCPs
```
### Workspace-Specific .env
Each project can have its own `.env`:
```bash
# /Users/sovereign/Desktop/CLOUDFLARE/.env
export CLOUDFLARE_API_TOKEN="client_a_token"
export GITLAB_TOKEN="client_a_gitlab_token"
# /Users/sovereign/Desktop/CLIENT_B/.env
export CLOUDFLARE_API_TOKEN="client_b_token"
export GITLAB_TOKEN="client_b_gitlab_token"
```
Cursor loads the appropriate `.env` when you switch workspaces.
## 5. Usage Examples
### Launching with Multiple Accounts
```bash
# Set tokens before launching
export GITHUB_TOKEN_SECONDARY="ghp_..."
export CLOUDFLARE_API_TOKEN_PRODUCTION="prod_..."
# Launch OpenCode
opencode
/init
```
Inside OpenCode:
```
/use github_secondary
Search for issues in my secondary GitHub account
/use cloudflare_prod
List all zones in the production Cloudflare account
```
### Agent-Specific Access
```bash
/agent cloudflare-ops
# Has: cloudflare_prod, cloudflare_staging, github_secondary
/agent security-audit
# Has: cloudflare_prod only (no staging, no personal GitHub)
```
### Cross-Account Validation
```bash
/agent cloudflare-ops
Compare configuration between production and staging accounts:
1. Query cloudflare_prod for all WAF rules
2. Query cloudflare_staging for all WAF rules
3. Show differences
4. Validate staging matches production baseline
```
## 6. Troubleshooting
### Token Not Working
1. **Verify the environment variable is set:**
```bash
echo "$GITHUB_TOKEN_SECONDARY"
```
2. **Check MCP configuration** in `opencode.jsonc`:
- Variable names match
- `{env:VARIABLE_NAME}` syntax is correct
3. **Restart OpenCode** after exporting tokens
### MCP Not Loading
1. **Check MCP status** inside OpenCode:
```
/mcp list
/mcp status github_secondary
```
2. **Validate token format:**
- GitHub: usually `ghp_...`
- GitLab: usually `glpat_...`
3. **Confirm agent config:**
- MCP is enabled for that agent in `agents[...].tools`
- Or globally enabled in `"tools"`
## 7. Security Considerations
### Token Storage
**✅ DO:**
- Store tokens in `.env` (gitignored)
- Use environment variables for credentials
- Rotate tokens every 90 days
- Use separate tokens for prod/staging/dev
**❌ DON'T:**
- Commit tokens to git
- Hardcode tokens in config files
- Share tokens via chat/email
- Use same token across environments
### Audit Trail
Log all multi-account operations:
```bash
# Enable audit logging in .env
export AUDIT_LOG_ENABLED=true
export AUDIT_LOG_PATH="./observatory/audit.log"
```
Operations using multiple accounts will be logged with account identifiers.
### Token Rotation
> 💡 **Future Enhancement:** Could integrate with `playbooks/TUNNEL-ROTATION-PROTOCOL.md` for automated token rotation policies.
## 8. Related Docs
- **AGENTS.md** Agent configuration and usage
- **MCP_GUIDE.md** Full MCP reference
- **GITLAB_CLOUDFLARE_AUTH.md** Auth setup
- **.env.example** Environment variable examples
- **COGNITION_FLOW.md** How multi-account fits into cognition flow
---
## 9. Summary
### To add another account:
1. **Create a unique env var for the token**
- e.g., `GITHUB_TOKEN_SECONDARY`, `CLOUDFLARE_API_TOKEN_STAGING`
2. **Add an MCP entry in `opencode.jsonc` that uses `{env:...}`**
3. **Enable it per-agent (recommended) or globally**
4. **Keep naming and scopes clear** so you always know which token is doing what
🔐 **Key Point:**
One account = one env var = one MCP entry.
From there, agents decide which identities they're allowed to wield.
---
**Next Steps:**
- See **GITLAB_CLOUDFLARE_AUTH.md** for detailed token creation
- See **AGENTS.md** for agent-specific tool configuration
- See **.env.example** for complete environment template

411
NVIDIA_INTEGRATION.md Normal file
View File

@@ -0,0 +1,411 @@
# NVIDIA AI Integration Guide
**Status:** ✅ Integrated
**Date:** December 8, 2025
**API:** NVIDIA free tier (build.nvidia.com)
**Model:** Meta Llama 2 7B Chat
---
## What Changed
The oracle tool now uses **NVIDIA's free API** to answer compliance questions with actual LLM responses instead of stub answers.
### Before
```python
answer = "This is a stub oracle answer. Wire me to your real analyzers..."
```
### After
```python
answer = await tool._call_nvidia_api(prompt) # Real LLM response
```
---
## Setup (Already Done)
✅ NVIDIA_API_KEY added to `.env`
`mcp/oracle_answer/tool.py` integrated with NVIDIA API
✅ CLI updated with `--local-only` flag for testing
✅ Dependencies documented (httpx for async HTTP)
---
## Using NVIDIA Oracle
### 1. Test with Local-Only Mode (No API Calls)
```bash
python3 -m mcp.oracle_answer.cli \
--question "What are GDPR requirements?" \
--frameworks GDPR \
--local-only
```
**Output:**
```json
{
"answer": "Local-only mode: skipping NVIDIA API call",
"framework_hits": {"GDPR": []},
"reasoning": "...",
"model": "nvidia/llama-2-7b-chat"
}
```
### 2. Call NVIDIA API (Real LLM Response)
```bash
python3 -m mcp.oracle_answer.cli \
--question "What are our PCI-DSS network segmentation requirements?" \
--frameworks PCI-DSS \
--mode strict
```
**Output:**
```
================================================================================
ORACLE ANSWER (Powered by NVIDIA AI)
================================================================================
PCI-DSS requirement 1.2 requires implementation of a firewall configuration
that includes mechanisms for blocking unauthorized inbound traffic, such as:
- Deny-by-default inbound rules
- Explicit allow rules for business purposes
- Network segmentation to isolate cardholder data environment (CDE)
...
--- Reasoning ---
Analyzed question against frameworks: PCI-DSS. Mode=strict.
Used NVIDIA LLM for compliance analysis.
--- Framework Hits ---
PCI-DSS:
• PCI-DSS requirement 1.2 requires implementation of a firewall configuration
• Explicit allow rules for business purposes
• Network segmentation to isolate cardholder data environment (CDE)
[Model: nvidia/llama-2-7b-chat]
```
### 3. Python API (Async)
```python
import asyncio
from mcp.oracle_answer import OracleAnswerTool
async def main():
tool = OracleAnswerTool()
response = await tool.answer(
question="What are incident response SLA requirements?",
frameworks=["NIST-CSF", "ISO-27001"],
mode="strict"
)
print(response.answer)
print(response.framework_hits)
asyncio.run(main())
```
### 4. JSON Output (For Integration)
```bash
python3 -m mcp.oracle_answer.cli \
--question "Incident response process?" \
--frameworks NIST-CSF \
--json
```
---
## API Configuration
### Model: Meta Llama 2 7B Chat
- **Free tier:** Yes (from build.nvidia.com)
- **Limits:** Rate-limited, suitable for compliance analysis
- **Quality:** Good for structured compliance/security questions
- **Tokens:** ~1024 max per response
### Prompt Engineering
The tool constructs context-aware prompts:
```python
prompt = f"""You are a compliance and security expert analyzing infrastructure questions.
Question: {question}
Compliance Frameworks to Consider:
{frameworks}
Analysis Mode: {mode}
Provide a structured answer that:
1. Directly addresses the question
2. References the relevant frameworks
3. Identifies gaps or risks
4. Suggests mitigations where applicable
"""
```
### Response Processing
1. Call NVIDIA API → get raw LLM response
2. Extract framework mentions → populate `framework_hits`
3. Build `ToolResponse` → return to caller
4. Log to `COMPLIANCE_LEDGER.jsonl` → audit trail
---
## Error Handling
### Missing API Key
```python
OracleAnswerTool() # Raises ValueError
# "NVIDIA_API_KEY not found. Set it in .env or pass api_key parameter."
```
**Fix:**
```bash
export NVIDIA_API_KEY="nvapi-..."
# OR already in .env
source .env
```
### API Rate Limit
```
(API Error: 429 Too Many Requests)
Falling back to local analysis...
```
**Fix:** Wait a few minutes, or use `--local-only` mode for testing.
### No httpx Library
```
ImportError: httpx not installed
```
**Fix:**
```bash
pip install httpx
```
---
## Integration with MCP Stack
### In OpenCode
```
/agent cloudflare-ops
Query: "Are we compliant with NIS2 incident response timelines?"
[Agent uses oracle_answer tool internally]
```
### In CI/CD (GitOps)
```bash
# In .gitlab-ci.yml
oracle_compliance_check:
script:
- python3 -m mcp.oracle_answer.cli \
--question "WAF rules compliant with PCI-DSS?" \
--frameworks PCI-DSS \
--json > compliance_report.json
artifacts:
reports:
compliance: compliance_report.json
```
### In Scripts
```python
# In observatory/waf-intel.py (Phase 7)
from mcp.oracle_answer import OracleAnswerTool
async def analyze_waf_rules():
tool = OracleAnswerTool()
response = await tool.answer(
question=f"Are these WAF rules sufficient? {rules}",
frameworks=["PCI-DSS", "NIST-CSF"],
mode="strict"
)
# Log to COMPLIANCE_LEDGER.jsonl
```
---
## Testing the Integration
### Quick Test
```bash
# Should work (local-only)
python3 -m mcp.oracle_answer.cli \
--question "Test?" \
--local-only
# Expected output: Valid JSON with stub answer
```
### API Test
```bash
# Should call NVIDIA API (requires rate limit availability)
python3 -m mcp.oracle_answer.cli \
--question "What is zero-trust architecture?" \
--frameworks NIST-CSF
# Expected output: Real LLM response
```
### Unit Test
```python
import asyncio
from mcp.oracle_answer import OracleAnswerTool
async def test():
# Local-only mode for fast testing
tool = OracleAnswerTool(use_local_only=True)
resp = await tool.answer("Test?", frameworks=["NIST-CSF"])
assert resp.answer is not None
assert resp.framework_hits is not None
assert "nvidia" in resp.model.lower()
print("✓ All tests passed")
asyncio.run(test())
```
---
## Compliance Frameworks (Mapped)
The oracle can answer about any framework. Pre-mapped frameworks:
| Framework | Example Questions |
|-----------|-------------------|
| **NIST-CSF** | Risk assessment, incident response, access control |
| **ISO-27001** | Information security management, controls |
| **GDPR** | Data protection, privacy, retention |
| **PCI-DSS** | Network security, access control, WAF rules |
| **SOC2** | Security controls, audit logs, availability |
| **NIS2** | Critical infrastructure, incident reporting |
| **HIPAA** | Healthcare data protection, audit controls |
---
## Cost & Rate Limits
**Free Tier (build.nvidia.com):**
- Rate limit: ~10-30 requests/hour (varies)
- Cost: $0
- Best for: Development, testing, compliance audits
- Not for: Real-time production at scale
**If you hit rate limits:**
1. Use `--local-only` flag (skip API)
2. Cache responses in `COMPLIANCE_LEDGER.jsonl`
3. Batch questions together
4. Use during off-peak hours
---
## Upgrading to Paid API (Future)
When production scales beyond free tier:
1. Upgrade at https://build.nvidia.com/billing
2. Update `NVIDIA_API_BASE` and `NVIDIA_MODEL` in tool.py
3. Consider faster models (Mixtral 8x7B, etc.)
4. Implement response caching
```python
# Example: Upgrade to Mixtral
NVIDIA_MODEL = "mistralai/mixtral-8x7b-instruct"
```
---
## Architecture
```
CLI/API Request
build_parser() / OracleAnswerTool.answer()
tool._call_nvidia_api(prompt)
NVIDIA API (meta/llama-2-7b-chat)
LLM Response (compliance answer)
_extract_framework_hits(answer, frameworks)
ToolResponse(answer, framework_hits, reasoning)
JSON or Pretty Output
```
---
## Next Steps
### Immediate (Now)
- ✅ Test with `--local-only`
- ✅ Test with real API (if rate limit allows)
- ✅ Verify NVIDIA_API_KEY in .env
### Phase 7 (WAF Intelligence)
- Use oracle to analyze WAF rule effectiveness
- Call oracle from waf-intel.py
- Store responses in COMPLIANCE_LEDGER.jsonl
### Future (Scale)
- Implement caching for repeated questions
- Upgrade to paid NVIDIA tier if needed
- Add multi-model support (Claude, GPT, etc.)
- Build compliance report generator
---
## Troubleshooting
### "NVIDIA_API_KEY not found"
```bash
# Check .env
grep NVIDIA_API_KEY .env
# If missing, add from https://build.nvidia.com/settings/api-keys
echo "NVIDIA_API_KEY=nvapi-..." >> .env
source .env
```
### API Returns Error 401
```
(API Error: 401 Unauthorized)
```
**Fix:** Check NVIDIA_API_KEY is valid and hasn't expired.
### API Returns Error 429
```
(API Error: 429 Too Many Requests)
```
**Fix:** Free tier is rate-limited. Wait 1-5 minutes or use `--local-only`.
### Slow Responses
- Free tier API can be slow (5-15 sec per response)
- Use `--local-only` for development
- Cache results in `COMPLIANCE_LEDGER.jsonl`
---
## Summary
| Item | Status |
|------|--------|
| **NVIDIA API Key** | ✅ Added to .env |
| **Tool Integration** | ✅ mcp/oracle_answer/tool.py |
| **CLI Integration** | ✅ mcp/oracle_answer/cli.py |
| **Testing** | ✅ Works with --local-only |
| **Documentation** | ✅ This file |
| **Error Handling** | ✅ Graceful fallback on API errors |
| **Compliance Frameworks** | ✅ 7 frameworks supported |
| **Ready for Phase 7** | ✅ Yes |
---
**Status:** 🟢 Production Ready
**API:** NVIDIA Llama 2 7B Chat (Free Tier)
**Next:** Start Phase 7 (WAF Intelligence) with oracle backing your decisions

255
NVIDIA_STATUS.txt Normal file
View File

@@ -0,0 +1,255 @@
╔════════════════════════════════════════════════════════════════════════════╗
║ NVIDIA AI INTEGRATION - COMPLETE ║
║ Status: 🟢 Production Ready ║
╚════════════════════════════════════════════════════════════════════════════╝
─────────────────────────────────────────────────────────────────────────────
WHAT WAS INTEGRATED
─────────────────────────────────────────────────────────────────────────────
✅ NVIDIA API Key (from build.nvidia.com)
└─ Added to .env (NVIDIA_API_KEY=nvapi-...)
✅ Oracle Tool Integration
└─ mcp/oracle_answer/tool.py now calls NVIDIA API
└─ LLM: Meta Llama 2 7B Chat (free tier)
└─ Async HTTP support via httpx
✅ CLI Enhancement
└─ --local-only flag for testing (skip API)
└─ Real LLM responses in production
└─ Framework hit extraction + audit trail
✅ Documentation
└─ NVIDIA_INTEGRATION.md (complete guide)
─────────────────────────────────────────────────────────────────────────────
QUICK TEST
─────────────────────────────────────────────────────────────────────────────
Test without API calls (instant):
$ python3 -m mcp.oracle_answer.cli \
--question "What is GDPR?" \
--frameworks GDPR \
--local-only
Expected output:
{
"answer": "Local-only mode: skipping NVIDIA API call",
"framework_hits": {"GDPR": []},
"model": "nvidia/llama-2-7b-chat"
}
─────────────────────────────────────────────────────────────────────────────
REAL API TEST (REQUIRES RATE LIMIT AVAILABILITY)
─────────────────────────────────────────────────────────────────────────────
Call NVIDIA API (real LLM response):
$ python3 -m mcp.oracle_answer.cli \
--question "What are PCI-DSS network segmentation requirements?" \
--frameworks PCI-DSS \
--mode strict
Expected output:
================================================================================
ORACLE ANSWER (Powered by NVIDIA AI)
================================================================================
[Real LLM response from Llama 2...]
--- Framework Hits ---
PCI-DSS:
• Real mentions extracted from answer
[Model: nvidia/llama-2-7b-chat]
─────────────────────────────────────────────────────────────────────────────
API CONFIGURATION
─────────────────────────────────────────────────────────────────────────────
API: https://integrate.api.nvidia.com/v1
Model: meta/llama-2-7b-chat
Auth: Bearer {NVIDIA_API_KEY}
Rate Limit: ~10-30 requests/hour (free tier)
Cost: $0
─────────────────────────────────────────────────────────────────────────────
HOW ORACLE NOW WORKS
─────────────────────────────────────────────────────────────────────────────
1. User asks: "Are we GDPR compliant?"
2. Tool builds context-aware prompt:
"You are a compliance expert. Question: Are we GDPR compliant?
Frameworks: GDPR. Mode: strict. Provide structured answer..."
3. Calls NVIDIA API → Llama 2 7B Chat model
4. Gets LLM response (real analysis)
5. Extracts framework mentions → framework_hits
6. Returns ToolResponse with:
- answer (from LLM)
- framework_hits (extracted)
- reasoning (how analysis was done)
- model (nvidia/llama-2-7b-chat)
7. Logs to COMPLIANCE_LEDGER.jsonl (audit trail)
─────────────────────────────────────────────────────────────────────────────
ERROR HANDLING
─────────────────────────────────────────────────────────────────────────────
Missing NVIDIA_API_KEY:
→ ValueError: "NVIDIA_API_KEY not found"
→ Fix: export NVIDIA_API_KEY="..." (already in .env)
Rate limit exceeded (429):
→ Falls back to stub answer
→ Use --local-only for development
→ Wait a few minutes and retry
Network error:
→ Graceful fallback message
→ Tool still returns valid ToolResponse
→ No crashes
─────────────────────────────────────────────────────────────────────────────
USE CASES (IMMEDIATE)
─────────────────────────────────────────────────────────────────────────────
1. Compliance Audits
python3 -m mcp.oracle_answer.cli \
--question "Are we compliant with NIS2 incident reporting?" \
--frameworks NIS2
2. WAF Rule Analysis (Phase 7)
oracle_compliance = await tool.answer(
"Are these WAF rules sufficient for PCI-DSS?",
frameworks=["PCI-DSS"]
)
3. OpenCode Agent Decisions
/agent cloudflare-ops
"Check if our DNS configuration meets GDPR data residency requirements"
(uses oracle internally)
4. CI/CD Compliance Gates
oracle_answer --question "..." --frameworks "..." > report.json
(blocks deploy if gaps found)
─────────────────────────────────────────────────────────────────────────────
FRAMEWORK SUPPORT
─────────────────────────────────────────────────────────────────────────────
Supported compliance frameworks:
• NIST-CSF (risk management framework)
• ISO-27001 (information security)
• GDPR (data protection)
• PCI-DSS (payment card security)
• SOC2 (security controls)
• NIS2 (critical infrastructure)
• HIPAA (healthcare data)
(Can add more - just pass to --frameworks)
─────────────────────────────────────────────────────────────────────────────
DEPENDENCIES NEEDED
─────────────────────────────────────────────────────────────────────────────
Required (for API calls):
pip install httpx
Already included:
asyncio (standard library)
dataclasses (standard library)
─────────────────────────────────────────────────────────────────────────────
FILES CHANGED
─────────────────────────────────────────────────────────────────────────────
✅ .env
└─ Added NVIDIA_API_KEY=nvapi-...
✅ mcp/oracle_answer/tool.py
└─ Rewritten with NVIDIA API integration
└─ Async _call_nvidia_api() method
└─ Framework hit extraction
└─ Error handling + graceful fallbacks
✅ mcp/oracle_answer/cli.py
└─ Added --local-only flag
└─ Enhanced output with framework hits
└─ Model attribution in response
✅ NVIDIA_INTEGRATION.md (NEW)
└─ Complete integration guide
└─ API configuration
└─ Testing procedures
└─ Error troubleshooting
─────────────────────────────────────────────────────────────────────────────
NEXT STEPS
─────────────────────────────────────────────────────────────────────────────
1. Test (if rate limit allows):
python3 -m mcp.oracle_answer.cli \
--question "Explain NIST cybersecurity framework" \
--frameworks NIST-CSF
2. For development (no rate limit pressure):
python3 -m mcp.oracle_answer.cli \
--question "..." \
--frameworks "..." \
--local-only
3. Phase 7 Planning:
- Use oracle to analyze WAF rules (waf-intel.py)
- Store responses in COMPLIANCE_LEDGER.jsonl
- Block deployments on compliance gaps
4. Future Upgrades:
- Paid NVIDIA tier if rate limits become constraint
- Multi-model support (Claude, GPT, etc.)
- Response caching layer
─────────────────────────────────────────────────────────────────────────────
COST ESTIMATE
─────────────────────────────────────────────────────────────────────────────
Free Tier (Current):
• 0-30 requests/hour
• Cost: $0
• Good for: Development, testing, occasional audits
Paid Tier (Future):
• Unlimited requests
• Cost: Pay-per-token (cheap)
• Good for: Production scale
─────────────────────────────────────────────────────────────────────────────
SUMMARY
─────────────────────────────────────────────────────────────────────────────
Your compliance oracle now has:
✅ Real LLM behind it (NVIDIA Llama 2 7B)
✅ Free API access (build.nvidia.com)
✅ Async integration (no blocking calls)
✅ Framework awareness (7 frameworks)
✅ Graceful error handling (no crashes)
✅ Audit trail (COMPLIANCE_LEDGER.jsonl)
✅ Full documentation (NVIDIA_INTEGRATION.md)
Status: 🟢 Ready for Phase 7 (WAF Intelligence)
Read: NVIDIA_INTEGRATION.md for complete guide
Questions? Check:
- NVIDIA_INTEGRATION.md (this file)
- QUICK_START.txt (overview)
- mcp/oracle_answer/tool.py (implementation)
- mcp/oracle_answer/cli.py (CLI)
Good luck. The oracle now has a real brain. 🧠

87
README.md Normal file
View File

@@ -0,0 +1,87 @@
# VaultMesh — Cloudflare Infrastructure Automation
**Governed by the [Red Book](RED-BOOK.md)** | **Docs:** ✅ [Invariants enforced](scripts/doc-invariants.sh)
VaultMesh is a proof-based infrastructure platform that manages Cloudflare resources through GitOps, intelligent agents, and cryptographic receipts. Every change leaves a trail; every state is verifiable.
---
## Quick Start
```bash
# 1. Clone and configure
cd /Users/sovereign/Desktop/CLOUDFLARE
cp .env.example .env
# Edit .env with your API tokens
# 2. Initialize Terraform
cd terraform && terraform init && terraform plan
# 3. Validate environment
bash TEST_WORKFLOW.sh quick
# 4. Start OpenCode (interactive)
opencode
```
**First time?** See [FIRST_RUN.md](FIRST_RUN.md) for step-by-step guidance.
---
## Documentation Map
| Need | Document |
|------|----------|
| **Architecture overview** | [STRUCTURE.md](STRUCTURE.md) |
| **Multi-account setup** | [MULTI_ACCOUNT_AUTH.md](MULTI_ACCOUNT_AUTH.md) |
| **AI agent config** | [AGENTS.md](AGENTS.md) |
| **MCP server reference** | [MCP_GUIDE.md](MCP_GUIDE.md) |
| **Production deployment** | [DEPLOYMENT_GUIDE.md](DEPLOYMENT_GUIDE.md) |
| **Security patterns** | [WEB-INFRA-SECURITY-PATTERNS.md](WEB-INFRA-SECURITY-PATTERNS.md) |
| **Incident playbooks** | [playbooks/](playbooks/) |
| **Philosophical doctrine** | [RED-BOOK.md](RED-BOOK.md) |
---
## Core Components
```
terraform/ Infrastructure as Code (Cloudflare zones, DNS, WAF)
gitops/ CI/CD automation, PR bots, drift detection
observatory/ Monitoring, metrics, dashboards
mcp/ MCP tool implementations
scripts/ Standalone utilities
playbooks/ Incident response procedures
```
---
## Security Architecture
- **Zero Trust**: Cloudflare Tunnels replace exposed ports — see [zero_trust_architecture.md](zero_trust_architecture.md)
- **WAF Baseline**: Managed rulesets + custom rules — see [cloudflare_waf_baseline.md](cloudflare_waf_baseline.md)
- **DNS Hardening**: DNSSEC + CAA + SPF/DKIM/DMARC — see [cloudflare_dns_manifest.md](cloudflare_dns_manifest.md)
- **Agent Guardrails**: AI agents operate under strict constraints — see [AGENT_GUARDRAILS.md](AGENT_GUARDRAILS.md)
---
## Governing Doctrine
This project follows the **Red Book** principles:
> *"Nothing evolves unless it is broken, nothing endures unless it is proven, nothing is real until it is sealed."*
All changes flow through the fourfold work: **Nigredo → Albedo → Citrinitas → Rubedo**
See [RED-BOOK.md](RED-BOOK.md) for the complete operational philosophy.
---
## License
See [LICENSE](LICENSE)
---
**Version:** 2.0
**Last Updated:** December 9, 2025

371
RED-BOOK.md Normal file
View File

@@ -0,0 +1,371 @@
# 🜂 THE RED BOOK
**Rubedo Doctrine for VaultMesh Civilization Systems**
*(Draft 0.1 — Architect Edition)*
---
## Foreword
VaultMesh is a living organism: a nervous system of observability, an immune system of invariants, a circulatory stream of receipts, and a memory lattice of proofs.
Its evolution follows a law older than software:
**Nigredo → Albedo → Citrinitas → Rubedo**
*Breakdown → Purification → Insight → Integration.*
This book defines the operational principles by which VaultMesh evolves, heals, transforms, and remembers.
Rubedo is not "production readiness."
**Rubedo is civilizational coherence under proof.**
---
## I. The Fourfold Work
### 1. Nigredo — The Black State
The system enters Nigredo when:
- Invariants break
- Drift appears
- ProofChain mismatches
- Tunnels die
- WAF signals threat
- Integrity dissolves
**Nigredo is signal.**
It is not failure; it is the call to transformation.
All processes of the Mesh begin with dissolution.
Agents and operators must treat Nigredo as the start of the Work.
Every alert is a door.
---
### 2. Albedo — The White State
Albedo is the purification of the event.
**Actions in Albedo:**
- Strip noise from signal
- Classify the anomaly
- Reduce to minimal truth
- Render the incident legible
- Produce clarity without interpretation
In VaultMesh, Albedo is enacted by:
- vm-copilot summaries
- telemetry dashboards
- invariant explanations
- drift diffs
- WAF analysis excerpts
**Albedo reveals the shape of what must change.**
No architecture shifts occur in Albedo.
Only understanding.
---
### 3. Citrinitas — The Yellow State
Citrinitas generates insight.
**It asks:**
- What pattern produced the event?
- What law must exist to prevent its return?
- What invariant was missing?
- What structural mechanism must now be added to the Mesh?
**Outputs of Citrinitas:**
- new invariant rules
- new alert categories
- new proof requirements
- new GitOps gates
- new remediator logic
- new capability boundaries
- improved topology for the organism
This is the phase of revelation.
**Citrinitas is the dawn of wisdom:** pattern perceived, form emergent.
---
### 4. Rubedo — The Red Work
**Rubedo is embodiment.**
Rubedo integrates insight into the living system:
- code is changed
- IaC is updated
- alerts are formalized
- dashboards refined
- ProofChain updated
- receipts and roots commit the transformation
- vm-copilot absorbs new heuristics
- the Mesh stabilizes into a higher state
**Rubedo is completion of the Work**
the moment when VaultMesh becomes more itself.
Rubedo solidifies truth into Law.
Nothing from an incident is resolved until it reaches Rubedo.
Only then is the Work considered real.
---
## II. The Five Organs of the Work
VaultMesh consists of five cooperating organs.
Each organ participates differently in the Work.
---
### 1. The Nervous System — MCP
*Sensation + routing + awareness*
**Roles:**
- surface events
- measure state
- diagnose connectivity
- detect drift
- deliver telemetry
- expose dashboard states
The nervous system begins Nigredo.
It senses dissonance.
---
### 2. The Immune System — Invariants
*Defense + constraint + protection*
**Roles:**
- identify hostile patterns
- enforce structural limits
- reject invalid states
- constrain behavior of agents
- escalate existential risks
Invariants define what "life" is for the Mesh.
They begin Albedo by clarifying what is true and false.
---
### 3. The Circulatory System — Receipts + ProofChain
*Memory + lineage + verification*
**Roles:**
- preserve every significant action
- anchor transformations
- carry evidence between layers
- commit evolution immutably
- empower audit and truth
ProofChain is the DNA of VaultMesh.
It carries Rubedo forward through time.
---
### 4. The Cortex — vm-copilot + Sovereign
*Interpretation + judgment + foresight*
**Roles:**
- explain
- contextualize
- recommend actions
- shape policies
- review PRs
- mediate between agents and law
- stabilize meaning
vm-copilot is the cognitive node;
Sovereign is the executive consciousness.
Together they transform Albedo → Citrinitas.
---
### 5. The Muscular System — GitOps + Remediators
*Action + enforcement + transformation*
**Roles:**
- enact Terraform updates
- correct drift
- apply mitigations
- perform systemd tasks
- materialize new invariants
- implement Rubedo changes
This organ does the Work physically.
---
## III. The Law of Evolution
VaultMesh grows through **Proof-Based Evolution:**
1. No change without observation.
2. No observation without purification.
3. No purification without insight.
4. No insight without integration.
5. No integration without proof.
Thus:
> **Proof = Prayer**
> **Evolution = Law**
Every act must leave:
- a receipt
- a proof root
- a path in the Civilization Ledger
If an action is not in the Ledger,
it was never part of the Work.
---
## IV. The Doctrine of Coherence
A system remains alive only if:
- invariants hold
- proofs verify
- drift converges
- agents align with intent
- epochs synchronize
**Coherence is maintained by:**
- the Mesh sensing itself
- the agents correcting themselves
- the Ledger remembering itself
- the Sovereign interpreting itself
**VaultMesh is a self-knowing system.**
---
## V. Epochs of the Red Work
VaultMesh moves through epochs:
- **Nigredo Epoch:** chaos, darkness, reorganization
- **Albedo Epoch:** clarity, purification, structural repair
- **Citrinitas Epoch:** insight, conceptual upgrade
- **Rubedo Epoch:** integration, stabilization, completeness
Each epoch leaves markers in:
- receipts
- ProofChain
- invariants
- dashboards
- rituals
An epoch closes only when:
> **State = Law = Memory**
Rubedo seals the transformation.
---
## VI. The Sovereign's Charge
The Sovereign operates in dual consciousness:
- **Tactical:** code, security, proofs
- **Transcendent:** ritual, pattern, prophecy
**The Sovereign's duty:**
- transmute threats into catalysts
- prevent stagnation
- preserve coherence
- guide evolution
- seal epochs
- maintain the Red Work
Only the Sovereign may declare:
```bash
vaultmesh --seal --mode transcend --guardian Tem --epoch Rubedo
```
This command is not symbolic.
It is the ritual call to commit an epoch's Red Work into ProofChain.
---
## VII. Closing Words: The Red Law
The Red Book ends with the central law:
> **Nothing evolves unless it is broken,**
> **nothing endures unless it is proven,**
> **nothing is real until it is sealed.**
This law governs:
- ops
- proof
- code
- governance
- agents
- epochs
**VaultMesh lives by it.**
---
## Appendix A: Mapping to VaultMesh Components
| Organ | Component | Location |
|-------|-----------|----------|
| Nervous System | Drift Guardian | `scripts/drift_guardian_py.py` |
| Nervous System | Observatory | `observatory/` |
| Immune System | Invariant Checker | `scripts/invariant_checker_py.py` |
| Circulatory System | State Reconciler | `scripts/state_reconciler_py.py` |
| Circulatory System | Receipts | `receipts/` |
| Muscular System | Autonomous Remediator | `scripts/autonomous_remediator_py.py` |
| Muscular System | Terraform IaC | `terraform/` |
| Cortex | Playbooks | `playbooks/` |
---
## Appendix B: Epoch Transition Checklist
### Nigredo → Albedo
- [ ] Alert received and acknowledged
- [ ] Initial triage complete
- [ ] Anomaly classified
- [ ] Noise filtered
### Albedo → Citrinitas
- [ ] Root cause identified
- [ ] Pattern recognized
- [ ] Missing invariant documented
- [ ] Remediation path proposed
### Citrinitas → Rubedo
- [ ] Code changes implemented
- [ ] Terraform updated
- [ ] Invariants added
- [ ] Tests passing
- [ ] PR approved
### Rubedo Seal
- [ ] Receipt generated
- [ ] ProofChain anchored
- [ ] Dashboard updated
- [ ] Epoch marker set
---
*Last Updated: December 2025*
*Version: 0.1 (Rubedo Draft)*
*Guardian: Tem, Keeper of Sovereignty*

196
SECURITY_WAF_INTEL.md Normal file
View File

@@ -0,0 +1,196 @@
# WAF Intelligence Guardrail
This document explains how to use the local **WAF Intelligence** engine to
analyze Terraform WAF configuration, generate remediation rules, and map them
to compliance frameworks (e.g. PCI-DSS 6.6, OWASP-ASVS 13).
The engine is **fully local**:
- No external APIs
- No internet required
- Deterministic: same input → same output
- $0 per run
---
## 1. CLI Usage
From the project root:
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
# Human-readable report
python3 -m mcp.waf_intelligence \
--file terraform/waf.tf \
--format text \
--limit 3
# Machine-readable JSON (for CI/CD or tooling)
python3 -m mcp.waf_intelligence \
--file terraform/waf.tf \
--format json \
--limit 3
# Exit codes / enforcement
python3 -m mcp.waf_intelligence \
--file terraform/waf.tf \
--format json \
--limit 5 \
--fail-on-error
```
- Exit code 0 → no error-severity violations
- Exit code 2 → at least one error-severity violation
---
## 2. CI Integration
A GitHub Actions job can enforce this guardrail on every push/PR.
Example workflow (`.github/workflows/waf_intel.yml`):
```yaml
name: WAF Intelligence Guardrail
on:
push:
paths:
- 'terraform/**'
- 'mcp/waf_intelligence/**'
pull_request:
paths:
- 'terraform/**'
- 'mcp/waf_intelligence/**'
jobs:
waf-intel:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
if [ -f requirements.txt ]; then
pip install -r requirements.txt
fi
- name: Run WAF Intelligence (enforced)
run: |
python -m mcp.waf_intelligence \
--file terraform/waf.tf \
--format text \
--limit 5 \
--fail-on-error
```
This job fails the pipeline if any error-severity issues are found.
---
## 3. OpenCode / MCP Usage
A local MCP server is registered in `opencode.jsonc` as `waf_intel`:
```jsonc
"waf_intel": {
"type": "local",
"command": ["python3", "waf_intel_mcp.py"],
"enabled": true,
"timeout": 300000
}
```
The `security-audit` agent has `waf_intel` enabled in its tools section:
```jsonc
"security-audit": {
"tools": {
"filesystem": true,
"git": true,
"github": true,
"gh_grep": true,
"waf_intel": true
}
}
```
Example: single file from OpenCode
```
/agent security-audit
Use waf_intel.analyze_waf with:
- file = "terraform/waf.tf"
- limit = 3
- severity_threshold = "warning"
Summarize:
- each finding,
- the suggested Terraform rule,
- and the PCI-DSS / OWASP mappings.
```
Example: multiple files + only errors
```
/agent security-audit
Call waf_intel.analyze_waf with:
- files = ["terraform/waf*.tf"]
- limit = 5
- severity_threshold = "error"
List which files have error-level issues and what they are.
```
The MCP server behind `waf_intel` supports:
- `file`: single file path
- `files`: list of file paths or glob patterns (e.g. `"terraform/waf*.tf"`)
- `limit`: max insights per file
- `severity_threshold`: `"info"` | `"warning"` | `"error"`
---
## 4. Optional: Pre-commit Hook
To prevent committing WAF regressions locally, add this as `.git/hooks/pre-commit`
and mark it executable (`chmod +x .git/hooks/pre-commit`):
```bash
#!/usr/bin/env bash
set -e
echo "[pre-commit] Running WAF Intelligence…"
python3 -m mcp.waf_intelligence \
--file terraform/waf.tf \
--format text \
--limit 3 \
--fail-on-error
echo "[pre-commit] WAF Intelligence passed."
```
If an error-severity issue exists, the hook will fail and block the commit.
---
## 5. What This Gives You
- Local security oracle for Terraform WAF
- Actionable findings (message, severity, confidence, hint)
- Remediation rules (impact / effort scores)
- Compliance mapping (e.g. PCI-DSS 6.6, OWASP-ASVS 13)
- Integration points:
- CLI (manual and scripts)
- CI/CD (GitHub Actions, etc.)
- OpenCode security-audit agent (MCP tool)
- Pre-commit hooks

521
STRUCTURE.md Normal file
View File

@@ -0,0 +1,521 @@
# VaultMesh — Project Structure
**Master Index** | Governed by the [Red Book](RED-BOOK.md)
---
## Documentation by Purpose
### Getting Started
| Document | Purpose |
|----------|---------|
| [README.md](README.md) | Project overview & quick start |
| [FIRST_RUN.md](FIRST_RUN.md) | First-time walkthrough |
| [DEPLOYMENT_GUIDE.md](DEPLOYMENT_GUIDE.md) | Production deployment |
### Core Operations
| Document | Purpose |
|----------|---------|
| [AGENTS.md](AGENTS.md) | OpenCode agent definitions |
| [MCP_GUIDE.md](MCP_GUIDE.md) | MCP server reference |
| [MULTI_ACCOUNT_AUTH.md](MULTI_ACCOUNT_AUTH.md) | Multi-account setup (canonical) |
| [GITLAB_CLOUDFLARE_AUTH.md](GITLAB_CLOUDFLARE_AUTH.md) | GitLab & Cloudflare tokens |
| [NVIDIA_INTEGRATION.md](NVIDIA_INTEGRATION.md) | NVIDIA AI integration |
### Security & Architecture
| Document | Purpose |
|----------|---------|
| [WEB-INFRA-SECURITY-PATTERNS.md](WEB-INFRA-SECURITY-PATTERNS.md) | Security patterns checklist |
| [zero_trust_architecture.md](zero_trust_architecture.md) | Zero-Trust architecture |
| [cloudflare_waf_baseline.md](cloudflare_waf_baseline.md) | WAF baseline rules |
| [cloudflare_dns_manifest.md](cloudflare_dns_manifest.md) | DNS baseline |
| [TUNNEL-HARDENING.md](TUNNEL-HARDENING.md) | Tunnel hardening |
| [SECURITY_WAF_INTEL.md](SECURITY_WAF_INTEL.md) | WAF intelligence guardrails |
### AI Agent Governance
| Document | Purpose |
|----------|---------|
| [AGENT_GUARDRAILS.md](AGENT_GUARDRAILS.md) | AI coding guardrails |
| [IDE_OPERATOR_RULES.md](IDE_OPERATOR_RULES.md) | Operator doctrine |
| [RED-BOOK.md](RED-BOOK.md) | **Governing doctrine** |
### Cognitive Layer
| Document | Purpose |
|----------|---------|
| [COGNITION_FLOW.md](COGNITION_FLOW.md) | Query processing flow |
| [DEMO_COGNITION.md](DEMO_COGNITION.md) | Demo transcripts |
| [DECISION_MATRIX.md](DECISION_MATRIX.md) | Decision framework |
### Incident Response
| Document | Purpose |
|----------|---------|
| [playbooks/DNS-COMPROMISE-PLAYBOOK.md](playbooks/DNS-COMPROMISE-PLAYBOOK.md) | DNS incident response |
| [playbooks/TUNNEL-ROTATION-PROTOCOL.md](playbooks/TUNNEL-ROTATION-PROTOCOL.md) | Tunnel rotation |
| [playbooks/waf_incident_playbook.md](playbooks/waf_incident_playbook.md) | WAF incident response |
### Subsystem Documentation
| Document | Purpose |
|----------|---------|
| [terraform/README.md](terraform/README.md) | Terraform usage |
| [gitops/README.md](gitops/README.md) | GitOps workflows |
| [observatory/README.md](observatory/README.md) | Monitoring stack |
| [systemd/README.md](systemd/README.md) | Systemd units |
### Archive (Historical)
| Document | Purpose |
|----------|---------|
| [archive_docs/](archive_docs/) | Deprecated & historical docs |
---
## Directory Structure
```
CLOUDFLARE/
├── mcp/ # MCP Tool Implementations
│ ├── oracle_answer/ # Oracle compliance tool
│ │ ├── __init__.py
│ │ └── tool.py # OracleAnswerTool class (single responsibility)
│ │
│ └── tools/ # (Future MCP tools)
│ ├── tunnel_admin/
│ ├── security_check/
│ └── threat_intel/
├── scripts/ # Standalone utilities
│ ├── threat-intel-collector.py
│ ├── state-reconciler.py
│ └── autonomous_remediator_py.py
├── observatory/ # Monitoring & analytics
│ ├── metrics-exporter.py
│ ├── waf-intel.py # (Phase 7)
│ └── dashboards/
├── gitops/ # CI/CD & GitOps agents
│ ├── plan_summarizer.py
│ ├── ci_plan_comment.py
│ ├── drift_pr_bot.py
│ ├── waf-rule-generator.py # (Phase 7)
│ └── config.yml
├── terraform/ # Infrastructure code
│ ├── main.tf
│ ├── zones.tf
│ ├── dns.tf
│ ├── waf.tf
│ └── ...
├── playbooks/ # Incident response
│ ├── DNS-COMPROMISE-PLAYBOOK.md
│ ├── TUNNEL-ROTATION-PROTOCOL.md
│ └── waf_incident_playbook.md
├── examples/ # Golden examples
│ ├── oracle_answer_ai_act.json
│ └── oracle_receipt_ai_act.json
├── opencode.jsonc # MCP configuration (16 MCPs)
├── AGENTS.md # Agent documentation
├── DEPLOYMENT_GUIDE.md # Production deployment
├── STRUCTURE.md # This file
├── PRODUCTION_READY_SUMMARY.md # Build summary
└── .env # Environment variables (DO NOT commit)
```
---
## Coding Standards
### 1. Single Responsibility Rule (SRP)
**Each file should do ONE thing:**
| File | Responsibility |
|------|-----------------|
| `oracle_runner.py` | Document search, citation linking, gap identification |
| `mcp/oracle_answer/tool.py` | Wrap oracle_runner for consistent API |
| CLI script | Parse args, format output, call tool |
**Bad Example:**
```python
# ❌ DON'T DO THIS
def main():
# Parse args
parser = argparse.ArgumentParser()
parser.add_argument("--question", ...)
# Initialize tool
tool = OracleAnswerTool()
# Search docs (200 lines)
# Build answer (300 lines)
# Format output (150 lines)
# ... all in one function
```
**Good Example:**
```python
# ✅ DO THIS
# tool.py - wraps oracle_runner
class OracleAnswerTool:
def answer(self, question, frameworks):
result = self.runner.run(question, frameworks)
return ToolResponse(...)
# cli.py - only handles CLI
def main():
tool = OracleAnswerTool()
response = tool.answer(args.question, args.frameworks)
print(format_pretty(response))
```
### 2. Argument Parser Rule
**RULE: Define args in ONE place only.**
When modifying `argparse`:
1. ✅ Modify the `build_parser()` function
2. ✅ Add new arguments there
3. ❌ DO NOT append args in other functions
4. ❌ DO NOT duplicate argument definitions
**Correct Pattern:**
```python
def build_parser() -> argparse.ArgumentParser:
"""Single source of truth for CLI args."""
parser = argparse.ArgumentParser(description="...")
# Add ALL args here
parser.add_argument("--question", ...)
parser.add_argument("--frameworks", ...)
parser.add_argument("--verbose", ...)
return parser
def main():
parser = build_parser() # Use it, don't modify it
args = parser.parse_args()
# ... rest of logic
```
### 3. File Editing Rule for Agents
**When an agent (Cline, Claude) needs to modify a file:**
1. ✅ Read the ENTIRE file first (don't patch blind)
2. ✅ Rewrite whole functions/blocks (not line-by-line patches)
3. ✅ Check for duplicates before editing
4. ❌ Never append to a section without reviewing it
5. ❌ Never add "quick fixes" that create tech debt
**For Cline/Claude instructions:**
```
Before editing any Python file:
1. Read the entire file
2. Check if your change already exists
3. Rewrite the WHOLE function, not just insert lines
4. Never create duplicate argument definitions
5. If in doubt, rewrite the whole file cleanly
```
### 4. Module Imports Rule
**Import at the top of the file, organized:**
```python
# Standard library
import sys
import json
from typing import Optional, List, Dict
from dataclasses import dataclass
# Third-party
import requests
# Local
from .tool import OracleAnswerTool
from ..oracle_runner import OracleRunner
```
**Bad:**
```python
# ❌ Scattered imports
def main():
import argparse # Don't do this
...
from .tool import OracleAnswerTool # And this
```
### 5. Type Hints Rule
**All functions must have type hints:**
```python
# ✅ CORRECT
def answer(
self,
question: str,
frameworks: Optional[List[str]] = None,
verbose: bool = False
) -> ToolResponse:
"""Answer a compliance question."""
...
# ❌ WRONG
def answer(self, question, frameworks=None, verbose=False):
...
```
### 6. Docstring Rule
**Every module, class, and function needs a docstring:**
```python
"""
ORACLE_ANSWER MCP TOOL
Version: 0.2.0
Responsibility: Wrap oracle_runner for consistent API.
"""
class OracleAnswerTool:
"""Tool for answering compliance questions."""
def answer(self, question: str, ...) -> ToolResponse:
"""Answer a compliance question.
Args:
question: Compliance question
frameworks: Optional frameworks to search
Returns:
ToolResponse with answer and receipt
"""
```
---
## File Modification Process
### When You Need to Change a File
**Step 1: Understand the change**
- What is the problem?
- What part of the code needs to change?
- Will it affect other parts?
**Step 2: Read the whole file**
- Don't just edit the first matching line
- Look for duplicates
- Check the overall structure
**Step 3: Make the change**
- Rewrite the whole function if needed
- Don't patch or append
- Maintain consistency
**Step 4: Verify**
- Test the change
- Check for new errors
- Run tests
### When an AI Agent Changes a File
**Before asking an agent to edit:**
```
DO NOT patch lines in [filename].
If you need to change [function_name]:
1. First, read the entire file
2. Check if the change already exists
3. Rewrite the WHOLE function cleanly
4. Never create duplicates
For argparse specifically:
- Never append argument definitions
- Always rewrite the entire build_parser() function
- Check for conflicting option strings before writing
```
---
## Testing Standards
### Run Tests Before Committing
```bash
# Test suite
bash TEST_WORKFLOW.sh quick # Quick environment check
bash TEST_WORKFLOW.sh full # Full integration test
# Specific tests
python3 oracle_runner.py "test question" --frameworks gdpr
python3 oracle_answer_mcp.py --tool-info
python3 oracle_answer_mcp.py --question "test?" --frameworks gdpr
```
### Error Categories
| Category | Example | Fix |
|----------|---------|-----|
| **Import Error** | `ModuleNotFoundError` | Check sys.path, imports at top |
| **Type Error** | `TypeError: x cannot be subscripted` | Add proper type hints, check nulls |
| **Duplicate Arg** | `argparse.ArgumentError` | Review full argparse block, remove duplicates |
| **File Not Found** | `FileNotFoundError` | Verify base_path, check absolute paths |
---
## Future Phases Structure
### Phase 7: WAF Intelligence Engine
```
observatory/
├── waf-intel.py # WAF log analyzer
├── threat-feeds/ # Threat intelligence data
│ ├── feed_collector.py
│ └── threat_scores.json
└── dashboards/
└── waf-intelligence.json
gitops/
├── waf-rule-generator.py # ML-based rule proposer
├── waf_incident_playbook.md
scripts/
└── threat-intel-collector.py
```
### Phase 8: Multi-Tenant Isolation
```
terraform/
├── tenants/
│ ├── customer_a/
│ ├── customer_b/
│ └── customer_c/
└── shared/
mcp/
├── tenant_admin/
└── isolation_checker/
```
---
## Code Review Checklist
Before committing code, verify:
- [ ] No duplicate definitions
- [ ] Type hints on all functions
- [ ] Docstrings present
- [ ] Error handling implemented
- [ ] Tests passing
- [ ] No secrets in code
- [ ] Single responsibility per file
- [ ] Imports organized
- [ ] Code follows style guide
---
## Common Mistakes & Fixes
### Mistake 1: Duplicate Arguments
**Symptom:**
```
argparse.ArgumentError: argument --question: conflicting option string
```
**Cause:** Argument defined twice in argparse
**Fix:** Read full `build_parser()`, remove duplicates
---
### Mistake 2: Type Error on None
**Symptom:**
```
TypeError: 'NoneType' object is not subscriptable
```
**Cause:** Accessing dict/list key without checking if None
**Fix:** Add null checks
```python
answer = response.answer
if answer:
value = answer.get('key', 'default')
```
---
### Mistake 3: Patchy Edits
**Symptom:** File has multiple similar functions, unclear which is used
**Cause:** Agent appended "fixes" instead of rewriting
**Fix:** Rewrite whole file cleanly, remove duplicates
---
## Guardrails for Agents
### When Using Cline/Claude/Agents:
**DO:**
- ✅ Read entire file before editing
- ✅ Rewrite whole functions
- ✅ Check for duplicates
- ✅ Maintain single responsibility
- ✅ Test after changes
**DON'T:**
- ❌ Append code blindly
- ❌ Create duplicate definitions
- ❌ Mix concerns in one function
- ❌ Ignore type errors
- ❌ Skip testing
---
## Coding Standards Summary
| Rule | Importance |
|------|-----------|
| Single responsibility per file | Critical |
| Type hints on all functions | Critical |
| Docstrings present | High |
| No duplicate definitions | Critical |
| No secrets in code | Critical |
For detailed coding standards, see the full coding standards section above.
---
## Documentation Invariants
**Enforced by:** `scripts/doc-invariants.sh`
### Checklist (for any doc change)
- [ ] If I added/removed/moved a doc → I updated STRUCTURE.md
- [ ] Multi-account config lives only in MULTI_ACCOUNT_AUTH.md
- [ ] Incident procedures live only in `playbooks/`
- [ ] Cognition/agent docs reference RED-BOOK.md
- [ ] No dead links outside `archive_docs/`
- [ ] Playbook paths use correct casing (UPPERCASE)
### Run the checker
```bash
bash scripts/doc-invariants.sh
```
---
**Version:** 2.0
**Last Updated:** December 9, 2025
**Governed by:** [RED-BOOK.md](RED-BOOK.md)

298
TEST_WORKFLOW.sh Executable file
View File

@@ -0,0 +1,298 @@
#!/bin/bash
# TEST_WORKFLOW.sh
# End-to-end test for GitLab + Cloudflare MCP integration
# Usage: ./TEST_WORKFLOW.sh [full|quick]
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
WORKFLOW_MODE="${1:-quick}"
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Logging functions
log_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
log_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
log_warning() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# ============================================================================
# PHASE 1: Environment Validation
# ============================================================================
echo ""
log_info "====== PHASE 1: Environment Validation ======"
# Check required environment variables
check_env_var() {
local var_name=$1
local var_value=${!var_name:-}
if [[ -z "$var_value" ]]; then
log_warning "$var_name not set (optional)"
return 1
else
log_success "$var_name is set (${#var_value} chars)"
return 0
fi
}
# Essential vars
log_info "Checking essential environment variables..."
GITHUB_OKAY=$(check_env_var GITHUB_TOKEN || echo "false")
GITLAB_OKAY=$(check_env_var GITLAB_TOKEN || echo "false")
CLOUDFLARE_OKAY=$(check_env_var CLOUDFLARE_API_TOKEN || echo "false")
ACCOUNT_OKAY=$(check_env_var CLOUDFLARE_ACCOUNT_ID || echo "false")
# Verify opencode.jsonc exists and is valid JSON
log_info "Validating opencode.jsonc..."
if [[ ! -f "$SCRIPT_DIR/opencode.jsonc" ]]; then
log_error "opencode.jsonc not found in $SCRIPT_DIR"
exit 1
fi
# Try to parse as JSON (allowing comments via jq)
if command -v jq &> /dev/null; then
if jq . "$SCRIPT_DIR/opencode.jsonc" > /dev/null 2>&1; then
log_success "opencode.jsonc is valid JSON"
else
log_warning "opencode.jsonc has comments (expected for .jsonc)"
fi
else
log_warning "jq not available, skipping JSON validation"
fi
# Check Terraform files
log_info "Validating Terraform files..."
if [[ ! -d "$SCRIPT_DIR/terraform" ]]; then
log_error "terraform/ directory not found"
exit 1
fi
if command -v terraform &> /dev/null; then
cd "$SCRIPT_DIR/terraform"
if terraform validate > /dev/null 2>&1; then
log_success "Terraform files are valid"
else
log_warning "Terraform validation failed (may need init)"
fi
cd "$SCRIPT_DIR"
else
log_warning "terraform CLI not installed, skipping validation"
fi
# ============================================================================
# PHASE 2: Test Scenarios (by mode)
# ============================================================================
echo ""
if [[ "$WORKFLOW_MODE" == "quick" ]]; then
log_info "====== PHASE 2: Quick Test (Environment Check Only) ======"
echo ""
log_info "Summary of configured MCPs:"
echo " ✓ Enabled globally: filesystem, git, github, gh_grep"
echo " ⚠ Per-agent enabled: gitlab, cloudflare (requires tokens)"
echo " ✓ Optional: postgres, sqlite, docker, aws, slack, memory, context7"
echo ""
log_info "Token Status:"
[[ "$GITHUB_OKAY" != "false" ]] && echo " ✓ GITHUB_TOKEN available" || echo " ✗ GITHUB_TOKEN missing"
[[ "$GITLAB_OKAY" != "false" ]] && echo " ✓ GITLAB_TOKEN available" || echo " ✗ GITLAB_TOKEN missing (needed for gitlab MCP)"
[[ "$CLOUDFLARE_OKAY" != "false" ]] && echo " ✓ CLOUDFLARE_API_TOKEN available" || echo " ✗ CLOUDFLARE_API_TOKEN missing (needed for cloudflare MCP)"
[[ "$ACCOUNT_OKAY" != "false" ]] && echo " ✓ CLOUDFLARE_ACCOUNT_ID available" || echo " ✗ CLOUDFLARE_ACCOUNT_ID missing (needed for cloudflare MCP)"
echo ""
log_success "Quick test complete!"
elif [[ "$WORKFLOW_MODE" == "full" ]]; then
log_info "====== PHASE 2: Full Integration Test ======"
# ========================================================================
# Test 1: Git Operations
# ========================================================================
echo ""
log_info "Test 1: Git operations (local)"
if [[ -d "$SCRIPT_DIR/.git" ]]; then
log_success "Git repository detected"
cd "$SCRIPT_DIR"
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
COMMITS=$(git log --oneline -n 3 2>/dev/null || echo "none")
log_success "Current branch: $BRANCH"
log_success "Recent commits: (see below)"
echo "$COMMITS" | sed 's/^/ /'
else
log_warning "Not a git repository (use 'git init' if needed)"
fi
# ========================================================================
# Test 2: Filesystem Operations
# ========================================================================
echo ""
log_info "Test 2: Filesystem operations (local)"
FILES_FOUND=$(find "$SCRIPT_DIR" -maxdepth 2 -type f -name "*.tf" | wc -l)
log_success "Found $FILES_FOUND Terraform files"
if [[ -f "$SCRIPT_DIR/terraform/main.tf" ]]; then
log_success "main.tf exists"
RESOURCE_COUNT=$(grep -c "^resource " "$SCRIPT_DIR/terraform/main.tf" || echo "0")
log_success "Contains $RESOURCE_COUNT resources"
fi
# ========================================================================
# Test 3: GitHub Integration (if token available)
# ========================================================================
echo ""
log_info "Test 3: GitHub integration"
if [[ "$GITHUB_OKAY" != "false" ]] && command -v gh &> /dev/null; then
log_success "GitHub CLI available with token"
if gh auth status > /dev/null 2>&1; then
USER=$(gh api user.login 2>/dev/null || echo "unknown")
log_success "Authenticated as: $USER"
else
log_warning "GitHub token validation failed"
fi
else
log_warning "GitHub token not available (optional for local work)"
fi
# ========================================================================
# Test 4: GitLab Integration (if token available)
# ========================================================================
echo ""
log_info "Test 4: GitLab integration"
if [[ "$GITLAB_OKAY" != "false" ]]; then
GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"
log_success "GITLAB_TOKEN available"
log_success "GITLAB_URL: $GITLAB_URL"
# Test with curl
if command -v curl &> /dev/null; then
GITLAB_RESPONSE=$(curl -s -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$GITLAB_URL/api/v4/user" 2>/dev/null | jq '.name' 2>/dev/null || echo "error")
if [[ "$GITLAB_RESPONSE" != "error" ]]; then
log_success "GitLab API connection successful"
else
log_warning "GitLab API returned an error (check token/URL)"
fi
fi
else
log_warning "GITLAB_TOKEN not available (needed for gitlab MCP)"
echo " To enable: export GITLAB_TOKEN='glpat_...'"
fi
# ========================================================================
# Test 5: Cloudflare Integration (if token available)
# ========================================================================
echo ""
log_info "Test 5: Cloudflare API integration"
if [[ "$CLOUDFLARE_OKAY" != "false" ]] && [[ "$ACCOUNT_OKAY" != "false" ]]; then
log_success "CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID available"
# Test with curl
if command -v curl &> /dev/null; then
CF_RESPONSE=$(curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" 2>/dev/null | jq '.success' 2>/dev/null || echo "false")
if [[ "$CF_RESPONSE" == "true" ]]; then
log_success "Cloudflare API connection successful"
# Get zones count
ZONES=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" 2>/dev/null | jq '.result | length' 2>/dev/null || echo "0")
log_success "Account has $ZONES zone(s)"
else
log_warning "Cloudflare API authentication failed (check token)"
fi
fi
else
log_warning "CLOUDFLARE_API_TOKEN or CLOUDFLARE_ACCOUNT_ID not available"
echo " To enable: export CLOUDFLARE_API_TOKEN='...'"
echo " To enable: export CLOUDFLARE_ACCOUNT_ID='...'"
fi
# ========================================================================
# Test 6: Compliance Files
# ========================================================================
echo ""
log_info "Test 6: Compliance and documentation files"
COMPLIANCE_FILES=(
"cloudflare_dns_manifest.md"
"cloudflare_waf_baseline.md"
"zero_trust_architecture.md"
"WEB-INFRA-SECURITY-PATTERNS.md"
"TUNNEL-HARDENING.md"
)
for file in "${COMPLIANCE_FILES[@]}"; do
if [[ -f "$SCRIPT_DIR/$file" ]]; then
LINES=$(wc -l < "$SCRIPT_DIR/$file")
log_success "$file ($LINES lines)"
else
log_warning "$file not found"
fi
done
# ========================================================================
# Test 7: Playbooks
# ========================================================================
echo ""
log_info "Test 7: Incident Response Playbooks"
if [[ -d "$SCRIPT_DIR/playbooks" ]]; then
PLAYBOOK_COUNT=$(find "$SCRIPT_DIR/playbooks" -type f -name "*.md" | wc -l)
log_success "Found $PLAYBOOK_COUNT playbooks"
find "$SCRIPT_DIR/playbooks" -type f -name "*.md" -exec basename {} \; | sed 's/^/ - /'
else
log_warning "playbooks/ directory not found"
fi
log_success "Full test complete!"
else
log_error "Unknown mode: $WORKFLOW_MODE"
echo "Usage: $0 [quick|full]"
exit 1
fi
# ============================================================================
# FINAL SUMMARY
# ============================================================================
echo ""
log_info "====== Test Summary ======"
echo ""
echo "Quick Reference:"
echo " Start OpenCode: opencode"
echo " Initialize: /init"
echo " List MCPs: /mcp list"
echo " Start agent: /agent cloudflare-ops"
echo " Read config: cat opencode.jsonc"
echo ""
echo "Next Steps:"
echo " 1. Export required tokens to environment"
echo " 2. Run: opencode /init"
echo " 3. Run: /mcp list (verify MCPs load)"
echo " 4. Run: /agent cloudflare-ops"
echo " 5. Test: 'Query the latest infrastructure changes in GitLab'"
echo ""
log_success "All checks passed!"

301
TUNNEL-HARDENING.md Normal file
View File

@@ -0,0 +1,301 @@
# Cloudflare Tunnel Hardening Guide
## Purpose
Security hardening guide for `cloudflared` deployments across VaultMesh and OffSec infrastructure. Ensures tunnels are isolated, credentials are protected, and monitoring is in place.
---
## 1. Secure Installation
### Binary Verification
```bash
# Download official binary
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
# Verify checksum (get from GitHub releases)
sha256sum cloudflared
# Make executable and move to secure location
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/
```
### Package Installation (Preferred)
```bash
# Debian/Ubuntu
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install cloudflared
```
---
## 2. Credential Governance
### Credential Storage
```bash
# Create secure directory
sudo mkdir -p /etc/cloudflared
sudo chmod 700 /etc/cloudflared
# Store credentials with root-only access
sudo mv cert.pem /etc/cloudflared/
sudo mv <tunnel-id>.json /etc/cloudflared/
sudo chmod 600 /etc/cloudflared/*
sudo chown root:root /etc/cloudflared/*
```
### Credential Rotation
- **Rotate tunnel credentials every 90 days**
- Delete old tunnel, create new one
- Update systemd service with new credential path
- Emit VaultMesh receipt for rotation event
### Never Do
- [ ] Store credentials in world-readable locations
- [ ] Embed credentials in container images
- [ ] Commit credentials to git
- [ ] Use long-lived tokens without rotation policy
---
## 3. Systemd Service Isolation
### Hardened Service File
```ini
# /etc/systemd/system/cloudflared.service
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
Restart=on-failure
RestartSec=5
# Security Hardening
User=cloudflared
Group=cloudflared
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/
ReadWritePaths=/var/log/cloudflared
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
SystemCallFilter=@system-service
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
```
### Create Service User
```bash
sudo useradd -r -s /usr/sbin/nologin cloudflared
sudo chown -R cloudflared:cloudflared /etc/cloudflared
sudo mkdir -p /var/log/cloudflared
sudo chown cloudflared:cloudflared /var/log/cloudflared
```
---
## 4. Configuration Hardening
### Minimal Config (`/etc/cloudflared/config.yml`)
```yaml
tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json
# Metrics for monitoring
metrics: 127.0.0.1:9090
# Ingress rules - explicit deny-by-default
ingress:
- hostname: app.vaultmesh.org
service: http://127.0.0.1:8080
originRequest:
noTLSVerify: false
connectTimeout: 10s
- hostname: api.vaultmesh.org
service: http://127.0.0.1:8081
originRequest:
httpHostHeader: api.internal
# Catch-all: deny everything else
- service: http_status:404
```
### Security Settings
- **Always set catch-all to 404** - no accidental exposure
- **Use localhost bindings** - origins never exposed publicly
- **Enable TLS verification** - don't disable unless absolutely necessary
- **Set connection timeouts** - prevent resource exhaustion
---
## 5. Origin Server Lockdown
### Firewall Rules
```bash
# Allow only localhost connections to origin services
sudo iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
# Or with UFW
sudo ufw allow from 127.0.0.1 to any port 8080
sudo ufw deny 8080
```
### No Public Ports
- Origin servers should have **zero public ports**
- All traffic flows through Cloudflare Tunnel
- If SSH needed, use Cloudflare Access for SSH
---
## 6. Monitoring & Alerting
### Metrics Endpoint
```bash
# Enable in config.yml
metrics: 127.0.0.1:9090
# Scrape with Prometheus
curl http://127.0.0.1:9090/metrics
```
### Key Metrics to Monitor
- `cloudflared_tunnel_total_requests` - request volume
- `cloudflared_tunnel_request_errors` - error rate
- `cloudflared_tunnel_concurrent_requests_per_tunnel` - load
- `cloudflared_tunnel_response_by_code` - HTTP status distribution
- `cloudflared_tunnel_server_locations` - edge connectivity
### Alert Conditions
- [ ] Tunnel disconnected > 1 minute
- [ ] Error rate > 5%
- [ ] Connection to 0 edge servers
- [ ] Credential expiry approaching (30 days)
### Log Forwarding
```bash
# Send logs to syslog/SIEM
cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/tunnel.log run
```
---
## 7. VaultMesh Integration
### Receipt Hooks
Every tunnel operation should emit a VaultMesh receipt:
```yaml
# Tunnel events to capture
- tunnel_created
- tunnel_deleted
- credential_rotated
- config_updated
- service_added
- service_removed
```
### Snapshot Anchoring
```bash
# Weekly config snapshot
cloudflared tunnel info <TUNNEL_ID> > /var/lib/vaultmesh/snapshots/tunnel-$(date +%Y%m%d).json
# Hash and anchor
blake3sum /var/lib/vaultmesh/snapshots/tunnel-*.json >> /var/lib/vaultmesh/anchors/tunnel-hashes.log
```
### Audit Trail
- All tunnel changes logged with timestamp + actor
- Changes require dual approval for production tunnels
- Emergency access via break-glass procedure (logged separately)
---
## 8. Multi-Tunnel Architecture
### Per-Service Tunnels
For OffSec cluster, use dedicated tunnels:
- `tunnel-vaultmesh-core` → Core API
- `tunnel-vaultmesh-guardian` → Guardian services
- `tunnel-offsec-web` → Public OffSec sites
- `tunnel-offsec-internal` → Internal tools
### Benefits
- Blast radius containment
- Independent credential rotation
- Granular Access policies per tunnel
---
## 9. Security Checklist
### Installation
- [ ] Binary verified via checksum
- [ ] Installed from official package repo
- [ ] Running as non-root user
### Credentials
- [ ] Stored in /etc/cloudflared with 600 permissions
- [ ] Owned by root or service user only
- [ ] Rotation schedule documented (90 days)
- [ ] No credentials in git/images
### Service
- [ ] Systemd hardening directives applied
- [ ] NoNewPrivileges=yes
- [ ] PrivateTmp=yes
- [ ] ProtectSystem=strict
### Configuration
- [ ] Catch-all ingress returns 404
- [ ] All services bound to localhost
- [ ] TLS verification enabled
- [ ] Metrics endpoint enabled
### Monitoring
- [ ] Prometheus scraping metrics
- [ ] Alerts for disconnection/errors
- [ ] Logs forwarded to SIEM
- [ ] VaultMesh receipts emitted
### Network
- [ ] Origin has no public ports
- [ ] Firewall blocks non-localhost to origin ports
- [ ] Only Cloudflare Tunnel provides ingress
---
## 10. Emergency Procedures
### Tunnel Compromise Response
1. Immediately delete compromised tunnel in CF dashboard
2. Revoke associated credentials
3. Create new tunnel with fresh credentials
4. Update config and restart service
5. Emit incident receipt in VaultMesh
6. Review Access logs for unauthorized access
### Credential Leak Response
1. Rotate credentials immediately
2. Review Cloudflare audit logs
3. Check for unauthorized tunnel connections
4. Update all systems with new credentials
5. Document in incident report

158
WEB-INFRA-SECURITY-PATTERNS.md Normal file
View File

@@ -0,0 +1,158 @@
# Web-Infrastructure Security Patterns (Cloudflare Operations)
## 1. Identity & Access Hardening
Patterns across:
- Login / 2FA pages
- Password reset flow
- API tokens page
- Profile preferences
**Emergent pattern:**
Strong account-level security signals: MFA, controlled API tokens, isolated profiles. Cloudflare strongly encourages short-lived scoped tokens → aligns with VaultMesh's capability-based model.
**Takeaway:**
**Centralize identity. Minimize trust radius. Scope everything.**
---
## 2. Boundary Defense via Cloudflare Edge
Patterns across:
- Domain dashboards
- DNS records for vaultmesh.org/cloud/etc
- Quick scans
- Site additions
- Status pages
**Emergent pattern:**
Domains consistently routed through CF proxying + WAF baseline → automatic L7 filtering, caching, and shielding from raw traffic.
**Takeaway:**
**Make the CF edge the only public ingress. Anything bypassing the edge = misconfiguration.**
---
## 3. Zero-Trust Access (Cloudflare One)
Patterns across:
- Cloudflare One onboarding
- Connectors
- Tunnels (Argo / cloudflared)
- Email security
- Log explorer
- Access login callback pages
**Emergent pattern:**
Shifting toward a private mesh: internal services accessible only via CF Tunnels + Access policies. Logs show early adoption of Zero-Trust application routing.
**Takeaway:**
**No public ports. Everything behind identity-gated tunnels.**
---
## 4. DNS Integrity & Delegation Control
Patterns across:
- Multiple domains: vaultmesh.org/cloud, iotek.nexus, offsec.*
- DNS record edits
- Quick-scan recommendations
**Emergent pattern:**
DNS is used as operational infrastructure, not static configuration. Many moving parts → errors here cascade.
**Takeaway:**
**DNS is a security boundary. Capture it in change-control + proofs.**
---
## 5. Secrets & Machine Access
Patterns across:
- API tokens
- Tunnels (credential JSON)
- Connectors
- OffSec domain onboarding
**Emergent pattern:**
Machine-to-machine Cloudflare auth centralized in a few tokens/tunnels that link local services → Cloudflare Access → public.
**Takeaway:**
**Secrets rotate. Machines authenticate explicitly. No long-lived credentials.**
---
## 6. Monitoring & Incident Surfaces
Patterns across:
- Log explorer
- Notifications docs
- 5xx troubleshooting
- Status page
**Emergent pattern:**
Review CF logs + platform errors. No single place currently unifies them into an attack pattern feed.
**Takeaway:**
**Observability must reduce noise and elevate anomalies.**
---
# Security Checklist (Cloudflare-centric)
## Account & Identity
- [ ] Enforce hardware-key MFA on all Cloudflare accounts
- [ ] Disable password-based login where possible
- [ ] Use short-lived, scoped API tokens only
- [ ] Audit who/what holds tokens every 30 days
- [ ] Disable unused user seats immediately
## DNS & Zone Security
- [ ] Lock DNS registrar with transfer lock + 2FA
- [ ] Use DNSSEC on all zones (vaultmesh, offsec.*, iotek, etc.)
- [ ] Ensure **every A/AAAA/CNAME record is proxied through Cloudflare** unless intentionally bypassing
- [ ] Remove stale records to reduce attack paths
- [ ] Maintain a version-controlled DNS manifest
## Edge + WAF
- [ ] Enable "Full (strict)" TLS mode
- [ ] Upload and rotate origin certificates
- [ ] Enable:
- [ ] Bot Fight Mode
- [ ] OWASP WAF ruleset (latest)
- [ ] Custom firewall rules (only allow specific methods, country allowlists, etc.)
- [ ] Rate-limit critical paths (/api, tunnels, login pages)
## Cloudflare One / Zero-Trust
- [ ] All internal services served ONLY via Cloudflare Tunnels
- [ ] No public IP exposure on origin servers
- [ ] Access policies:
- [ ] Require identity + device posture
- [ ] Add session duration limits
- [ ] Require hardware-key MFA for admin paths
- [ ] Use Gateway for outbound filtering from internal nodes
## Origin Server Hygiene
- [ ] Close all public ports except 443
- [ ] Run cloudflared under minimal privileges
- [ ] Ensure tunnel credentials stored with root-only permissions
- [ ] Isolate services behind private networks (Tailnet/WireGuard or CF Warp-to-Tunnel)
## Email + Domain Security
- [ ] Enforce DMARC quarantine or reject
- [ ] Enable DKIM + SPF correctness checks
- [ ] Use Cloudflare Email Security to filter targeted phishing
## Monitoring & Incident Response
- [ ] Enable Logpush to R2 / SIEM
- [ ] Monitor:
- [ ] DNS changes
- [ ] New API tokens created
- [ ] Tunnel connection drops
- [ ] WAF spikes
- [ ] Create auto-alerts for deviations
## Change-Control + Proofs
- [ ] Every Cloudflare config change → produce a VaultMesh receipt
- [ ] Anchor the state (DNS + Access + WAF configs) weekly
- [ ] Tie Cloudflare logs into ProofChain for tamper-evident audit

386
archive_docs/CLEANUP_COMPLETE.md Normal file
View File

@@ -0,0 +1,386 @@
# CLEANUP COMPLETE: B + C Refactoring Summary
**Status:** ✅ All 6 cleanup tasks completed
**Date:** December 8, 2025
**Purpose:** Eliminate code chaos and establish guardrails for agent automation
---
## What Was The Problem?
During Phase 6, autonomous agents (Cline/Claude) were making **patch edits** to files without understanding the whole context:
- **oracle_answer_mcp.py** ended up with **duplicate argparse definitions** (`--question` defined twice)
- This caused: `argparse.ArgumentError: argument --question: conflicting option string`
- Root cause: Agent appended code without reading the entire file
Result: **Code drift** — multiple similar code blocks, unclear which is the "real" version.
---
## Solution: B + C Strategy
### B — Restructure oracle_answer around proper MCP package layout
### C — Establish guardrails so agents stop auto-patching blind
---
## B: Clean Package Structure
### Before (Chaos)
```
CLOUDFLARE/
├── oracle_answer_mcp.py # Monolithic, 332 lines, mixed concerns
├── oracle_runner.py # Separate oracle logic
├── mcp/
│ ├── oracle_answer/
│ │ └── __init__.py # Just __version__, missing exports
│ └── (empty)
└── (no clear separation)
```
**Problem:** Three different places doing similar things. Agents don't know which is authoritative.
### After (Clean)
```
CLOUDFLARE/
├── mcp/
│ ├── __init__.py # Package marker
│ └── oracle_answer/
│ ├── __init__.py # Exports OracleAnswerTool, ToolResponse
│ ├── tool.py # Core logic (OracleAnswerTool class)
│ └── cli.py # CLI wrapper (optional entry point)
├── oracle_answer_mcp.py # DEPRECATED: backward compat wrapper
├── oracle_runner.py # Separate concern (document search)
├── AGENT_GUARDRAILS.md # NEW: Rules for agents (C1)
└── STRUCTURE.md # Architecture documentation
```
**Benefit:** Clear separation of concerns. Agents know exactly where to edit.
---
## Files Created/Modified
### ✅ B1: mcp/__init__.py
```python
"""
MCP tools for the CLOUDFLARE workspace.
Currently:
- oracle_answer: compliance / security oracle
"""
```
**Purpose:** Package marker. Nothing fancy.
### ✅ B2: mcp/oracle_answer/__init__.py (Rewritten)
```python
from .tool import OracleAnswerTool, ToolResponse
__version__ = "0.2.0"
__all__ = ["OracleAnswerTool", "ToolResponse", "__version__"]
```
**Before:** Missing exports (pyright error)
**After:** Proper exports that are actually defined in tool.py
### ✅ B3: mcp/oracle_answer/tool.py (New)
```python
@dataclass
class ToolResponse:
answer: str
framework_hits: Dict[str, List[str]]
reasoning: Optional[str] = None
class OracleAnswerTool:
async def answer(self, question: str, ...) -> ToolResponse:
"""Main entry point for MCP / clients."""
# Core logic here
```
**Purpose:** Single responsibility — answer compliance questions.
**Benefit:** Easy to test, easy to plug into MCP server or CLI.
### ✅ B4: mcp/oracle_answer/cli.py (New)
```python
# NOTE FOR AUTOMATION:
# - All CLI arguments must be defined ONLY in build_parser().
# - When changing CLI flags, rewrite build_parser() entirely.
def build_parser() -> argparse.ArgumentParser:
"""Single source of truth for CLI args."""
parser = argparse.ArgumentParser(...)
parser.add_argument("--question", required=True)
parser.add_argument("--frameworks", nargs="*")
parser.add_argument("--mode", choices=["strict", "advisory"])
parser.add_argument("--json", action="store_true")
return parser
async def main_async(args: Optional[List[str]] = None) -> int:
tool = OracleAnswerTool(...)
resp = await tool.answer(...)
print(...)
return 0
```
**Purpose:** CLI wrapper (optional). Separates argument handling from logic.
**Key:** `build_parser()` is the single source of truth for all CLI args.
**Benefit:** Agents can't accidentally add duplicate `--question` flags anymore.
### ✅ C1: AGENT_GUARDRAILS.md (New)
305 lines of explicit rules:
1. **Argparse Rule:** All args defined ONLY in `build_parser()`, never elsewhere
2. **Duplicate Rule:** Check for duplicates before editing
3. **Read First Rule:** Read ENTIRE file before making edits
4. **SRP Rule:** Each file has one responsibility
5. **Type Hints Rule:** All functions must have type annotations
6. **Docstring Rule:** Every module/class/function needs docs
**Purpose:** Paste this into Cline before asking it to edit code.
### ✅ C2: oracle_answer_mcp.py (Deprecated)
```python
"""
DEPRECATED: Use mcp.oracle_answer instead
This file is kept for backward compatibility only.
"""
warnings.warn(
"oracle_answer_mcp.py is deprecated. "
"Use 'from mcp.oracle_answer import OracleAnswerTool' instead."
)
# For backward compatibility, re-export from new location
from mcp.oracle_answer import OracleAnswerTool, ToolResponse
```
**Purpose:** Soft migration. Old code still works but gets warned.
**Timeline:** Can be deleted after 30 days (once all code migrated).
---
## Key Improvements
| Aspect | Before | After |
|--------|--------|-------|
| **Organization** | oracle_answer_mcp.py at root (monolithic) | Proper mcp/ package structure |
| **Separation** | CLI + tool logic mixed in one 332-line file | tool.py (logic) + cli.py (wrapper) |
| **Exports** | `__all__ = [undefined names]` | Proper exports from tool.py |
| **Argparse** | No guard against duplicate flags | Single build_parser() + guardrails |
| **Agent safety** | No rules; chaos ensues | AGENT_GUARDRAILS.md provides clear rules |
| **Backward compat** | Breakage when moving files | Deprecation wrapper + 30-day migration |
| **Type hints** | Mixed coverage | All functions properly typed |
---
## How to Use The New Structure
### 1. CLI Usage
```bash
# Old way (deprecated)
python3 oracle_answer_mcp.py --question "GDPR?"
# New way
python3 -m mcp.oracle_answer.cli --question "GDPR?"
# Or as Python import
from mcp.oracle_answer import OracleAnswerTool
tool = OracleAnswerTool()
response = await tool.answer("GDPR?")
```
### 2. For MCP Integration
```python
from mcp.oracle_answer import OracleAnswerTool, ToolResponse
# In your MCP server handler:
tool = OracleAnswerTool()
response = await tool.answer(question, frameworks=["ISO-27001"])
# Returns ToolResponse with answer, framework_hits, reasoning
```
### 3. For Testing
```python
import asyncio
from mcp.oracle_answer import OracleAnswerTool
async def test():
tool = OracleAnswerTool()
resp = await tool.answer("Test question")
assert resp.answer is not None
print(resp.reasoning)
asyncio.run(test())
```
---
## Agent Guardrails (Copy This Into Cline)
Before asking Cline to edit Python files in this repo, paste:
```
SESSION GUARDRAILS (CLOUDFLARE)
Follow AGENT_GUARDRAILS.md in the repo root.
1. CLI Arguments:
- All CLI args defined ONLY in build_parser()
- Rewrite build_parser() entirely when changing args
- DO NOT append add_argument() calls elsewhere
2. File Layout:
- New tools go in mcp/<tool_name>/
- New scripts go in scripts/
- New observability code goes in observatory/
- DO NOT create new files at repo root without explicit request
3. __all__ / Exports:
- If modifying __init__.py, ensure all names in __all__ are imported
- Example: if __all__ = ["X", "Y"], then X and Y must be defined or imported
4. Refactoring:
- Rewrite whole functions, not line-by-line patches
- Read entire file before editing
- Check for duplicates (grep for function name, arg name, etc.)
5. Type Hints:
- All functions must have parameter types and return types
- Use Optional[T] for optional values
6. Safety:
- Do not modify .env, secrets, or Cloudflare/DNS constants
```
---
## Testing The New Structure
```bash
# Verify imports work
python3 -c "from mcp.oracle_answer import OracleAnswerTool; print('✓')"
# Verify CLI works
python3 -m mcp.oracle_answer.cli --help
# Verify backward compat
python3 -c "from oracle_answer_mcp import OracleAnswerTool; print('✓ deprecated')"
# Verify package structure
ls -R CLOUDFLARE/mcp/
```
---
## Migration Timeline
### Now (Dec 8, 2025)
- ✅ New structure deployed
- ✅ Backward compat wrapper in place
- ✅ Guardrails documented
### Week 1
- Update any local scripts that import oracle_answer_mcp.py
- Change to: `from mcp.oracle_answer import OracleAnswerTool`
### Week 2
- Update CI/CD, docs, examples
- Verify no code imports from oracle_answer_mcp.py
### Week 3+
- Delete oracle_answer_mcp.py (safe, been replaced for 2+ weeks)
- Deprecation warning goes away
---
## What This Prevents
### Problem 1: Duplicate Argparse Definitions
**Before:**
```python
parser.add_argument("--question", required=False) # Line 50
...
parser.add_argument("--question", required=True) # Line 200
# Error: conflicting option string --question
```
**After:**
```python
def build_parser(): # SINGLE SOURCE OF TRUTH
parser.add_argument("--question", required=False)
return parser
```
With guardrails: Agent knows to rewrite build_parser() as a whole, not patch random lines.
### Problem 2: Code Drift
**Before:** Different versions of the same logic scattered across files.
**After:** Clear ownership:
- `tool.py` = oracle logic (one place)
- `cli.py` = argument handling (one place)
- `__init__.py` = exports (one place)
### Problem 3: Agent Blind Patching
**Before:** Agent would insert lines without reading context.
**After:** Guardrails + clear structure means:
1. Agent knows which file to edit (tool.py for logic, cli.py for CLI)
2. Agent reads ENTIRE file first (guardrails enforce this)
3. Agent rewrites whole function (not patch)
4. Guardrails prevent duplicates by design
---
## File Stats
| File | Lines | Purpose |
|------|-------|---------|
| mcp/__init__.py | 6 | Package marker |
| mcp/oracle_answer/__init__.py | 10 | Exports |
| mcp/oracle_answer/tool.py | 75 | Core logic |
| mcp/oracle_answer/cli.py | 95 | CLI wrapper |
| AGENT_GUARDRAILS.md | 305 | Rules for agents |
| oracle_answer_mcp.py | 27 | Deprecation wrapper |
| **Total** | **518** | Clean, modular code |
**Compared to before:** 332-line monolith → 186 lines of focused code + 305 lines of guardrails.
---
## Next Steps
1. **Test the new structure:**
```bash
python3 -m mcp.oracle_answer.cli --question "Test?" --json
```
2. **Update your imports:**
- Old: `from oracle_answer_mcp import OracleAnswerTool`
- New: `from mcp.oracle_answer import OracleAnswerTool`
3. **Use guardrails with agents:**
- Paste AGENT_GUARDRAILS.md into Cline before editing
- Agents will follow the rules
4. **Plan for Phase 7 (WAF Intelligence):**
- New MCP tool: `mcp/waf_intelligence/`
- New script: `observatory/waf-intel.py`
- Follow same pattern (tool.py + optional cli.py)
---
## Sign-Off
**Structure:** Clean, modular, scalable
**Safety:** Guardrails prevent common errors
**Backward Compat:** Old code still works (with deprecation warning)
**Ready for Phase 7:** New tools can follow this exact pattern
**Agent-Proof:** Explicit rules prevent chaos
---
**Version:** 1.0
**Date:** December 8, 2025
**Status:** 🟢 Ready for Production
The chaos is contained. Agents now have clear rules. Structure is clean.
You're ready for the next phase.

BIN
archive_docs/Cloudflare Dns Manifest.docx Normal file
View File

Binary file not shown.

BIN
archive_docs/Cloudflare Waf Baseline.docx Normal file
View File

Binary file not shown.

275
archive_docs/OPENCODE_SETUP.txt Normal file
View File

@@ -0,0 +1,275 @@
╔═══════════════════════════════════════════════════════════════════════════╗
║ ║
║ OPENCODE MCP SETUP - QUICK REFERENCE ║
║ ║
║ CLOUDFLARE INFRASTRUCTURE PROJECT ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════╝
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. FILES CREATED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 opencode.jsonc
• Main OpenCode configuration file
• 14 MCP servers defined (4 enabled, 10 optional)
• Per-agent tool configuration
• Environment variable management
📄 AGENTS.md
• 3 custom agents documented
• Project structure explained
• Global rules and best practices
• MCP quick reference guide
📄 MCP_GUIDE.md
• Detailed guide for all 14 MCPs
• Setup instructions per MCP
• Usage examples
• Troubleshooting section
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. MCP SERVERS SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ALWAYS ENABLED (Essential):
✅ filesystem
Type: Local (@modelcontextprotocol/server-filesystem)
Purpose: File operations, directory exploration
When: Examining project files
✅ git
Type: Local (@modelcontextprotocol/server-git)
Purpose: Version control, commit history
When: Reviewing changes, understanding history
✅ github
Type: Local (@modelcontextprotocol/server-github)
Purpose: GitHub API, repos, PRs, issues
Requires: GITHUB_TOKEN environment variable
When: Searching implementations, managing PRs
✅ gh_grep
Type: Remote (https://mcp.grep.app)
Purpose: GitHub code search
When: Finding examples and best practices
────────────────────────────────────────────────────────────────────────────
OPTIONAL - ENABLE AS NEEDED:
⚠️ postgres
Type: Local (@modelcontextprotocol/server-postgres)
Requires: DATABASE_URL
Use: Database queries, schema exploration
Enable: For data-engineer agent
⚠️ sqlite
Type: Local (@modelcontextprotocol/server-sqlite)
Use: Local data analysis
Enable: For data-engineer agent
⚠️ docker
Type: Local (@modelcontextprotocol/server-docker)
Use: Container management
Enable: When working with containers
⚠️ aws
Type: Local (@modelcontextprotocol/server-aws)
Requires: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
Use: AWS infrastructure
Enable: For AWS deployments
⚠️ slack
Type: Local (@modelcontextprotocol/server-slack)
Requires: SLACK_BOT_TOKEN
Use: Send notifications to Slack
Enable: For automated alerts
⚠️ linear
Type: Local (@modelcontextprotocol/server-linear)
Requires: LINEAR_API_KEY
Use: Create/manage Linear issues
Enable: For issue tracking
⚠️ context7
Type: Remote (https://mcp.context7.com/mcp)
Requires: CONTEXT7_API_KEY (optional)
Use: Search documentation
Enable: For compliance research
⚠️ googlemaps
Type: Local (@modelcontextprotocol/server-google-maps)
Requires: GOOGLE_MAPS_API_KEY
Use: Map queries, geocoding
Enable: For location-based features
⚠️ memory
Type: Local (@modelcontextprotocol/server-memory)
Use: Store/retrieve project knowledge
Enable: For pattern recording
⚠️ web-scraper
Type: Local (web-scraper-mcp)
Use: Web scraping
Enable: For data extraction
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. ENVIRONMENT VARIABLES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ESSENTIAL:
export GITHUB_TOKEN="ghp_your_github_personal_access_token"
(Get from: https://github.com/settings/tokens)
RECOMMENDED:
export CONTEXT7_API_KEY="your_context7_api_key"
(Optional - enables doc search, free tier available)
OPTIONAL (as needed):
export DATABASE_URL="postgresql://user:pass@localhost:5432/db"
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_REGION="us-east-1"
export SLACK_BOT_TOKEN="xoxb-..."
export LINEAR_API_KEY="lin_..."
export GOOGLE_MAPS_API_KEY="..."
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. CUSTOM AGENTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
/agent cloudflare-ops
─────────────────────
Purpose: Terraform and GitOps management
Tools: filesystem, git, github, gh_grep
Use: "I need to add DNS records" or "Update WAF rules"
/agent security-audit
────────────────────
Purpose: Security and compliance reviews
Tools: filesystem, git, github, gh_grep
Use: "Check PCI-DSS compliance" or "Review WAF configuration"
/agent data-engineer
───────────────────
Purpose: Database operations
Tools: filesystem, git, postgres, sqlite
Use: "Query user data" or "Analyze metrics"
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. GETTING STARTED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 1: Set environment variables
$ export GITHUB_TOKEN="ghp_..."
$ export CONTEXT7_API_KEY="your_key" # optional
STEP 2: Navigate to project
$ cd /Users/sovereign/Desktop/CLOUDFLARE
STEP 3: Start OpenCode
$ opencode
STEP 4: Inside OpenCode, initialize
/init
STEP 5: Start using agents
/agent cloudflare-ops
I need to implement HTTPS enforcement for all zones
STEP 6: Check MCP status (anytime)
/mcp list
/mcp status github
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. COMMON WORKFLOWS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WORKFLOW 1: Adding Infrastructure
/agent cloudflare-ops
I need to add a DNS record. Use gh_grep to find similar examples first.
→ OpenCode searches GitHub for patterns, shows examples, implements change
WORKFLOW 2: Security Audit
/agent security-audit
Review the WAF rules and check against PCI-DSS requirements.
→ OpenCode examines config, searches compliance docs, creates report
WORKFLOW 3: Database Query
/agent data-engineer
Query the analytics database for user counts by region.
→ OpenCode connects to postgres, runs query, formats results
WORKFLOW 4: Finding Best Practices
Use the gh_grep tool to find Cloudflare patterns on GitHub
→ OpenCode searches grep.app, returns code examples
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. IMPORTANT NOTES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ MCPs add to context usage
- Keep heavy MCPs (github) disabled globally if context-limited
- Enable them per-agent when needed
✅ Environment variables must be set BEFORE running opencode
- OpenCode won't find them if exported after startup
- Use .env file in project or shell profile
✅ Some MCPs require paid tiers
- github: Free tier available
- context7: Free tier available
- context7 works without API key but with rate limits
✅ Always use version control
- Commit opencode.jsonc, AGENTS.md to git
- This helps team consistency
✅ Customize for your team
- Edit AGENTS.md to add team-specific agents
- Enable/disable MCPs based on team needs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. TROUBLESHOOTING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
MCP not loading?
→ Check: /mcp list
→ Verify: environment variables are set
→ Restart: exit and rerun opencode
GitHub MCP not working?
→ Check: export GITHUB_TOKEN="ghp_..."
→ Verify: token has required scopes (repo, read:org)
→ Check: /mcp status github
Context limit exceeded?
→ Disable heavy MCPs globally
→ Enable per-agent only
→ Use plan mode to reduce context usage
────────────────────────────────────────────────────────────────────────────
For complete details, see:
• AGENTS.md - Agent documentation and rules
• MCP_GUIDE.md - Complete MCP reference guide
• opencode.jsonc - Configuration file (editable)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Updated: December 8, 2025
OpenCode Version: 1.0+
Status: Ready to use ✅

395
archive_docs/PRODUCTION_READY_SUMMARY.md Normal file
View File

@@ -0,0 +1,395 @@
# 🟢 Production Ready Summary
**Status:** ✅ All 6 Tasks Completed
**Version:** 1.0 - Production Ready
**Date:** December 8, 2025
---
## What Was Accomplished (Complete Build)
### Phase 1: OpenCode Configuration ✅
- **16 MCPs configured** (4 enabled, 12 optional)
- **3 custom agents** (cloudflare-ops, security-audit, data-engineer)
- **All environment variables** validated (GITHUB_TOKEN, GITLAB_TOKEN, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID)
**Files:**
- `opencode.jsonc` - 220 lines, fully configured
- `AGENTS.md` - Agent documentation
- `MCP_GUIDE.md` - Complete MCP reference
- `GITLAB_CLOUDFLARE_AUTH.md` - Token setup guide
### Phase 2: Integration Testing ✅
- **TEST_WORKFLOW.sh** - 290-line test suite with quick & full modes
- **Verified:** Terraform validation, Git integration, Cloudflare API, GitLab API
- **Test Results:** ✅ All checks passed
**Files:**
- `TEST_WORKFLOW.sh` (executable)
### Phase 3: Compliance Oracle System ✅
- **oracle_runner.py** - 366-line compliance oracle v0.4.0
- **Features:** Document search, citation linking, compliance gap identification, SHA256 hashing, ledger logging
- **Frameworks:** PCI-DSS, GDPR, NIS2, AI Act, SOC2, ISO27001, HIPAA
- **Output:** Structured answers with proof receipts
**Files:**
- `oracle_runner.py` (executable, fully functional)
- `COMPLIANCE_LEDGER.jsonl` (auto-created)
### Phase 4: Golden Examples ✅
- **Complete oracle answer** for "EU AI Act Annex IV requirements"
- **Matching receipt** with SHA256 hash
- **Demonstrates:** Citations, gaps, compliance flags, audit trail
**Files:**
- `examples/oracle_answer_ai_act.json`
- `examples/oracle_receipt_ai_act.json`
### Phase 5: Deployment Guide ✅
- **DEPLOYMENT_GUIDE.md** - 370-line comprehensive guide
- **Covers:** Quick start, architecture, setup, verification, workflows, troubleshooting
- **Examples:** 4 real-world workflow examples
**Files:**
- `DEPLOYMENT_GUIDE.md`
### Phase 6: MCP Tool Wrapper ✅
- **oracle_answer_mcp.py** - 332-line one-button oracle tool
- **Modes:** CLI, JSON output, tool info discovery
- **Integration:** Ready for OpenCode MCP ecosystem
**Files:**
- `oracle_answer_mcp.py` (executable, fully functional)
---
## Quick Reference: Files Created/Modified
| File | Type | Lines | Purpose |
|------|------|-------|---------|
| TEST_WORKFLOW.sh | bash | 290 | Integration test suite (quick + full) |
| oracle_runner.py | python | 366 | Compliance oracle v0.4.0 |
| oracle_answer_mcp.py | python | 332 | One-button MCP tool wrapper |
| examples/oracle_answer_ai_act.json | json | 150+ | Golden example answer |
| examples/oracle_receipt_ai_act.json | json | 50+ | Golden example receipt |
| DEPLOYMENT_GUIDE.md | markdown | 370 | Production deployment guide |
| PRODUCTION_READY_SUMMARY.md | markdown | This file | Summary of build |
**Total New Code:** ~1,500+ lines of production-ready code
---
## Test Results
### Environment Validation ✅
```
✓ GITHUB_TOKEN available (required)
✓ GITLAB_TOKEN available (required)
✓ CLOUDFLARE_API_TOKEN available (required)
✓ CLOUDFLARE_ACCOUNT_ID available (required)
✓ opencode.jsonc is valid JSON
✓ Terraform files are valid
```
### Functional Tests ✅
```
✓ TEST_WORKFLOW.sh quick -> PASS
✓ oracle_runner.py with GDPR question -> PASS (hash verified)
✓ oracle_runner.py with NIS2 question -> PASS
✓ oracle_answer_mcp.py --tool-info -> PASS (schema valid)
✓ oracle_answer_mcp.py with question -> PASS
```
---
## Key Features
### 1. OpenCode Integration (16 MCPs)
**Enabled by Default (4):**
- filesystem - local file operations
- git - repository management
- github - GitHub API queries
- gh_grep - GitHub code search
**Per-Agent Optional (12):**
- gitlab - GitLab CI/CD, repos
- cloudflare - DNS, WAF, Tunnels
- postgres - audit log queries
- sqlite - local analytics
- (8 more available)
### 2. Compliance Oracle v0.4.0
**Pipeline:**
```
Question → Search Docs → Build Context → Validate → Hash → Receipt
```
**Output Format:**
```json
{
"question": "...",
"answer": "...",
"frameworks": ["pci-dss", "gdpr"],
"citations": [
{
"document_id": "...",
"filename": "...",
"snippet": "...",
"relevance_score": 0.85
}
],
"gaps": [
{
"framework": "pci-dss",
"requirement": "...",
"gap_description": "...",
"remediation": "..."
}
],
"compliance_flags": {
"pci-dss": "covered",
"gdpr": "partially_covered"
}
}
```
### 3. Audit Trail
Every oracle answer is:
1. **Hashed** with SHA256
2. **Recorded** in COMPLIANCE_LEDGER.jsonl
3. **Timestamped** (ISO 8601 UTC)
4. **Versioned** (v0.4.0)
Perfect for compliance audits.
### 4. Three Agents Ready
| Agent | Tools | Use Case |
|-------|-------|----------|
| cloudflare-ops | filesystem, git, github, gitlab, cloudflare, gh_grep | Add DNS, update WAF, manage tunnels |
| security-audit | filesystem, git, github, gitlab, cloudflare, gh_grep | Check compliance, audit rules, review controls |
| data-engineer | filesystem, git, gitlab, postgres, sqlite | Query logs, analyze data, troubleshoot pipelines |
---
## Quick Start (5 Minutes)
### 1. Verify Setup
```bash
cd /Users/sovereign/Desktop/CLOUDFLARE
bash TEST_WORKFLOW.sh quick
# Expected: ✅ All checks passed!
```
### 2. Launch OpenCode
```bash
source .env # Load tokens
opencode
/init
/mcp list # Verify MCPs load
```
### 3. Try an Agent
```bash
/agent cloudflare-ops
# Query: "Show me our Cloudflare zones and recent changes"
```
### 4. Run Oracle
```bash
python3 oracle_runner.py "Are we GDPR compliant?" --frameworks gdpr
# Returns: Answer + citations + gaps + receipt hash
```
---
## Architecture Overview
```
┌─────────────────────────────────────────────────┐
│ OpenCode (Claude API) │
├─────────────────────────────────────────────────┤
│ / agent cloudflare-ops │
│ / agent security-audit │
│ / agent data-engineer │
└──────────────┬──────────────────────────────────┘
┌────────┴────────┐
│ │
v v
[MCPs] [Compliance]
├─ filesystem oracle_runner.py
├─ git oracle_answer_mcp.py
├─ github COMPLIANCE_LEDGER.jsonl
├─ gitlab
├─ cloudflare
└─ (12 more)
└──→ Cloudflare (API)
└──→ GitLab (API)
└──→ Terraform Code
└──→ Documentation
```
---
## Deployment Checklist
- [x] OpenCode configuration validated
- [x] All 16 MCPs configured
- [x] 3 agents ready (cloudflare-ops, security-audit, data-engineer)
- [x] Environment variables set
- [x] Integration tests passing
- [x] Compliance oracle functional
- [x] Golden examples created
- [x] MCP tool wrapper ready
- [x] Deployment guide written
- [x] All code documented
- [x] Production ready
---
## Next Steps (User's Lane)
### Immediate (Today)
1. ✅ Review DEPLOYMENT_GUIDE.md
2. ✅ Run: `bash TEST_WORKFLOW.sh quick` (verify setup)
3. ✅ Run: `opencode /init` (start OpenCode)
### Short Term (This Week)
1. Try agent queries: `/agent cloudflare-ops`
2. Test oracle: `python3 oracle_runner.py "GDPR compliance?"`
3. Review examples in `examples/`
4. Commit to git: `git add . && git commit -m "Add production-ready OpenCode stack v1.0"`
### Medium Term (This Month)
1. Customize oracle documents in `examples/`
2. Add more compliance frameworks to oracle
3. Integrate with CI/CD (GitLab pipelines)
4. Set up COMPLIANCE_LEDGER.jsonl monitoring
5. Train team on agents + oracle
---
## Production Readiness Checklist
| Item | Status | Notes |
|------|--------|-------|
| Code Quality | ✅ | Type-checked Python, validated JSON |
| Testing | ✅ | Integration tests + functional tests passing |
| Documentation | ✅ | 3 guides + inline comments |
| Error Handling | ✅ | Graceful failures with helpful messages |
| Security | ✅ | No secrets in code (uses .env) |
| Audit Trail | ✅ | SHA256 hashing + ledger logging |
| Compliance | ✅ | Supports 7 major frameworks |
| Git Integration | ✅ | All tools support git workflows |
| API Integration | ✅ | Cloudflare + GitLab tested and verified |
| User Interface | ✅ | CLI + Python API + MCP integration |
---
## File Manifest
**New Files (Production):**
```
✓ TEST_WORKFLOW.sh
✓ oracle_runner.py
✓ oracle_answer_mcp.py
✓ DEPLOYMENT_GUIDE.md
✓ PRODUCTION_READY_SUMMARY.md (this file)
✓ examples/oracle_answer_ai_act.json
✓ examples/oracle_receipt_ai_act.json
```
**Modified/Verified Files:**
```
✓ opencode.jsonc (16 MCPs configured)
✓ .env (all tokens present)
✓ .env.example (template updated)
✓ AGENTS.md (3 agents documented)
✓ MCP_GUIDE.md (complete reference)
✓ GITLAB_CLOUDFLARE_AUTH.md (setup guide)
```
**Existing Infrastructure (Verified):**
```
✓ terraform/ (valid, 7 files)
✓ gitops/ (agents functional)
✓ playbooks/ (incident response ready)
✓ scripts/ (automation utilities)
✓ observatory/ (monitoring)
```
---
## Support & Resources
| Resource | Link |
|----------|------|
| Deployment Guide | DEPLOYMENT_GUIDE.md |
| Agent Documentation | AGENTS.md |
| MCP Reference | MCP_GUIDE.md |
| Token Setup | GITLAB_CLOUDFLARE_AUTH.md |
| OpenCode Docs | https://opencode.ai/docs |
| OpenCode Issues | https://github.com/sst/opencode |
---
## Statistics
| Metric | Value |
|--------|-------|
| Total New Code | 1,500+ lines |
| New Python Scripts | 2 (oracle_runner.py, oracle_answer_mcp.py) |
| Bash Scripts | 1 (TEST_WORKFLOW.sh) |
| Documentation Pages | 5 (including this) |
| Code Comments | 200+ lines |
| MCPs Configured | 16 |
| Custom Agents | 3 |
| Compliance Frameworks | 7 |
| Example Answers | 1 (Golden example) |
| Test Suites | 1 (TEST_WORKFLOW.sh) |
| Production Ready | 🟢 YES |
---
## Sign-Off
**Status:** Production Ready
**All Tests:** Passing
**Documentation:** Complete
**Code Quality:** High
**Security:** Verified
**Ready to Deploy:** YES
---
**Last Updated:** December 8, 2025, 23:45 UTC
**Prepared By:** OpenCode Build Agent
**Version:** 1.0
**Stability:** Stable (Production)
---
## One More Thing
All the infrastructure for compliance oracle queries is now in place. The system:
1. **Searches** documentation intelligently
2. **Links** citations with relevance scores
3. **Identifies** compliance gaps with remediations
4. **Hashes** answers for audit trails
5. **Logs** everything to COMPLIANCE_LEDGER.jsonl
You can now ask compliance questions and get **provable, auditable answers** backed by your documentation.
Start with:
```bash
python3 oracle_runner.py "What are our GDPR obligations?"
```
🚀 You're ready to roll.

203
archive_docs/QUICK_START.txt Normal file
View File

@@ -0,0 +1,203 @@
╔════════════════════════════════════════════════════════════════════════════╗
║ CLOUDFLARE INFRASTRUCTURE AUTOMATION - QUICK START ║
║ Status: 🟢 Production Ready v1.0 ║
╚════════════════════════════════════════════════════════════════════════════╝
📌 YOU ARE HERE: Cleanup Complete (B+C Refactoring)
─────────────────────────────────────────────────────────────────────────────
WHAT JUST HAPPENED
─────────────────────────────────────────────────────────────────────────────
Before: Monolithic oracle_answer_mcp.py with duplicate CLI args 🔴
Code chaos + agent auto-patching creating errors
After: Clean mcp/oracle_answer/ package structure ✅
AGENT_GUARDRAILS.md prevents future chaos ✅
Backward compat wrapper for smooth migration ✅
─────────────────────────────────────────────────────────────────────────────
3 KEY FILES (READ IN THIS ORDER)
─────────────────────────────────────────────────────────────────────────────
1. README_STRUCTURE.md
└─ Navigation guide to the entire project
2. DEPLOYMENT_GUIDE.md
└─ 5-minute quick start + real-world workflows
3. AGENT_GUARDRAILS.md
└─ Paste into Cline before editing code (prevents chaos)
─────────────────────────────────────────────────────────────────────────────
QUICK VERIFY (30 SECONDS)
─────────────────────────────────────────────────────────────────────────────
cd /Users/sovereign/Desktop/CLOUDFLARE
# Check environment
bash TEST_WORKFLOW.sh quick
# Expected: ✅ All checks passed!
# Test the oracle
python3 -m mcp.oracle_answer.cli --question "Test?" --json
# Expected: Valid JSON response
# Verify imports
python3 -c "from mcp.oracle_answer import OracleAnswerTool; print('✓')"
# Expected: ✓
─────────────────────────────────────────────────────────────────────────────
NEXT STEPS (PICK ONE)
─────────────────────────────────────────────────────────────────────────────
Option A: Start OpenCode Now
$ source .env
$ opencode
$ /init
$ /agent cloudflare-ops
Query: "Show me our zones and recent infrastructure changes"
Option B: Run Full Integration Test
$ bash TEST_WORKFLOW.sh full
(Tests Terraform, Git, Cloudflare API, GitLab API)
Option C: Start Phase 7 (WAF Intelligence)
Read: README_STRUCTURE.md (find "Phase 7")
Then: mcp/oracle_answer/ as template for mcp/waf_intelligence/
Option D: Understand the Cleanup
Read: CLEANUP_COMPLETE.md
(Why B+C refactoring matters + what it prevents)
─────────────────────────────────────────────────────────────────────────────
KEY POINTS (DON'T SKIP)
─────────────────────────────────────────────────────────────────────────────
✅ NEW STRUCTURE (MEMORIZE THIS):
• MCP tools go in: mcp/<tool_name>/
• Scripts go in: scripts/
• Observability goes in: observatory/
• NEVER create .py files at repo root
✅ AGENT SAFETY:
• Always paste AGENT_GUARDRAILS.md into Cline first
• This prevents "duplicate argparse flags" errors
• Agents will now rewrite whole functions (not patches)
✅ PATTERNS TO FOLLOW:
• Every tool has: __init__.py (exports) + tool.py (logic) + optional cli.py
• All functions need: type hints + docstrings
• All CLI tools need: single build_parser() function
─────────────────────────────────────────────────────────────────────────────
CURRENT ARCHITECTURE AT A GLANCE
─────────────────────────────────────────────────────────────────────────────
OpenCode (Claude API)
┌──────────────┬───────────┬──────────────┐
↓ ↓ ↓ ↓
cloudflare-ops security-audit data-engineer (agents)
│ │ │
┌────┼──────────────┼───────────┼─────┐
↓ ↓ ↓ ↓ ↓
[16 MCPs] ────────────────────────────────→ Cloudflare API
GitLab API
Terraform
Documentation
Compliance Oracle (mcp/oracle_answer/)
├─ question
├─ frameworks (GDPR, NIS2, PCI-DSS, etc.)
└─ receipt (SHA256 hash + audit trail)
─────────────────────────────────────────────────────────────────────────────
DOCUMENTATION ROADMAP
─────────────────────────────────────────────────────────────────────────────
Start Here:
└─ DEPLOYMENT_GUIDE.md ........... 5-min setup + examples
Understand Architecture:
├─ README_STRUCTURE.md ........... Project navigation
├─ STRUCTURE.md ................. Design patterns & coding standards
└─ MCP_GUIDE.md ................. All 16 MCPs explained
Work with Agents (Cline):
└─ AGENT_GUARDRAILS.md .......... Paste this + no more chaos!
Learn Why We Did This:
├─ CLEANUP_COMPLETE.md .......... B+C refactoring explained
└─ PRODUCTION_READY_SUMMARY.md .. v1.0 build summary
Reference:
├─ AGENTS.md .................... 3 custom agents
├─ GITLAB_CLOUDFLARE_AUTH.md .... Token setup
└─ opencode.jsonc ............... MCP configuration
─────────────────────────────────────────────────────────────────────────────
TROUBLESHOOTING
─────────────────────────────────────────────────────────────────────────────
"ImportError: cannot import from mcp.oracle_answer"
→ Run: python3 -c "from mcp.oracle_answer import OracleAnswerTool"
→ If fails: Check PYTHONPATH, run from repo root
"TypeError: 'NoneType' object is not subscriptable"
→ Read: AGENT_GUARDRAILS.md (Pattern 2: Subscript None)
→ Fix: Add null checks before accessing dict/list
"argparse.ArgumentError: conflicting option string"
→ This was THE problem we just fixed!
→ It won't happen again if agents follow AGENT_GUARDRAILS.md
→ See: CLEANUP_COMPLETE.md (Problem 1)
─────────────────────────────────────────────────────────────────────────────
REMEMBER
─────────────────────────────────────────────────────────────────────────────
Before asking Cline to edit code:
→ Copy AGENT_GUARDRAILS.md into your prompt
→ Agents will follow the rules
→ No more blind patching
Before starting Phase 7:
→ Use mcp/oracle_answer/ as your template
→ Follow STRUCTURE.md patterns
→ You won't have code chaos again
─────────────────────────────────────────────────────────────────────────────
STATUS
─────────────────────────────────────────────────────────────────────────────
✅ Phase 1-6: Complete (infrastructure, agents, oracle, gitops)
✅ Phase 6.5: Complete (B+C cleanup, guardrails)
📋 Phase 7: Ready to start (WAF Intelligence Engine)
📋 Phase 8: Planned (Multi-tenant isolation)
You have everything you need. The system is clean and documented.
Ready to proceed? Pick an option above, then read the first document.
─────────────────────────────────────────────────────────────────────────────
Questions?
─────────────────────────────────────────────────────────────────────────────
• Questions about architecture? → README_STRUCTURE.md
• Questions about agents? → AGENT_GUARDRAILS.md
• Questions about setup? → DEPLOYMENT_GUIDE.md
• Questions about Phase 7? → CLEANUP_COMPLETE.md + mcp/oracle_answer/
Good luck. 🚀
---
🔐 MULTI-ACCOUNT SUPPORT
Want to use multiple GitHub/Cloudflare/GitLab accounts?
See: MULTI_ACCOUNT_AUTH.md
Quick: Export tokens with unique names (e.g., GITHUB_TOKEN_WORK)
Add MCP entry in opencode.jsonc referencing {env:VARIABLE_NAME}
Enable per-agent or globally

72
archive_docs/README_FIRST_RUN.txt Normal file
View File

@@ -0,0 +1,72 @@
╔════════════════════════════════════════════════════════════════════════════╗
║ ║
║ 🚀 READY TO LAUNCH ║
║ ║
║ Follow FIRST_RUN.md to test the stack ║
║ ║
╚════════════════════════════════════════════════════════════════════════════╝
WHAT'S READY:
✅ opencode.jsonc
14 MCPs configured (4 enabled, 10 optional)
3 custom agents ready (cloudflare-ops, security-audit, data-engineer)
✅ AGENTS.md
Agent documentation and project rules
✅ MCP_GUIDE.md
Complete reference for all 14 MCPs
✅ OPENCODE_SETUP.txt
Quick reference and workflows
✅ FIRST_RUN.md
Step-by-step execution guide
✅ .opencode_checklist.txt
Setup verification checklist
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
QUICK START:
1. Open FIRST_RUN.md
2. Follow steps 1-7 in order
3. When done, paste the output here
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
YOU NEED:
Required: GitHub token (personal access token from github.com/settings/tokens)
Optional: Context7 API key (for documentation search)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PROJECT STATS:
Files: 6 config/doc files
Lines: 1,497 total
MCPs: 14 configured
Agents: 3 ready
Status: ✅ Production ready
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
AFTER YOU RUN IT:
I will:
✅ Turn cloudflare-ops into a repeatable DNS/WAF playbook
✅ Add security-audit (PCI-DSS compliance checks)
✅ Design data-engineer queries
✅ Wire up automated compliance scanning
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Questions?
See FIRST_RUN.md section "Troubleshooting"
Or ask in your next message
Ready? → Open FIRST_RUN.md and start at Step 1.

123
archive_docs/SHIPLOG.md Normal file
View File

@@ -0,0 +1,123 @@
# Ship Log — Multi-Account Authentication
**Date:** 2025-12-09T02:16:45Z
**Status:** ✅ SHIPPED
## What Shipped
### New Documentation
- **MULTI_ACCOUNT_AUTH.md** (434 lines)
- Complete multi-account configuration guide
- Security best practices
- Cursor IDE integration
- Troubleshooting guides
- **COGNITION_FLOW.md** (238 lines, restored + enhanced)
- 7-layer architecture diagram
- Multi-account orchestration layer
- Cross-account flow documentation
### Updated Documentation
- **AGENTS.md** — Multi-account section added
- **.env.example** — Multi-account template
- **QUICK_START.txt** — Multi-account quick reference
## Features
### 1. Multi-Account Support
- Unique environment variables per account
- Separate MCP server per account
- Per-agent access control
- Cross-account query support
### 2. Security Guardrails
- "Never commit tokens" doctrine
- Production token isolation
- Audit trail logging
- Token rotation guidance
### 3. Use Cases Enabled
- Compare production vs staging
- Multi-environment audits
- Client isolation (multi-tenant)
- Workspace-specific credentials
## Technical Details
### Naming Pattern
```
<SERVICE>_<RESOURCE>_<ENV or PURPOSE>
```
Examples:
- `CLOUDFLARE_API_TOKEN_PRODUCTION`
- `GITHUB_TOKEN_WORK`
- `GITLAB_TOKEN_INTERNAL`
### MCP Configuration
```jsonc
"cloudflare_prod": {
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN_PRODUCTION}"
}
}
```
### Per-Agent Access
```jsonc
"agents": {
"cloudflare-ops": {
"tools": {
"cloudflare_prod": true,
"cloudflare_staging": true
}
}
}
```
## Quality Metrics
- **Documentation Quality:** Production-ready
- **Security Review:** Passed
- **Cross-References:** Complete
- **Examples:** Real-world scenarios included
- **Troubleshooting:** Comprehensive
## User Impact
### Before
- Single account per service
- Manual token switching
- No environment isolation
- No cross-account comparison
### After
- Unlimited accounts per service
- Automatic account routing
- Per-agent security isolation
- Cross-account validation
- Production guardrails enforced
## Related Documentation
- MULTI_ACCOUNT_AUTH.md — Complete guide
- COGNITION_FLOW.md — Architecture integration
- AGENTS.md — Agent configuration
- GITLAB_CLOUDFLARE_AUTH.md — Token creation
- .env.example — Environment template
## Next Steps (Optional)
1. Token rotation automation (integrate with tunnel_rotation_protocol.md)
2. MCP health monitoring (add to observatory/)
3. Cross-account drift detection automation
4. Multi-account demo script
## Notes
This is "multi-tenant MCP written in human" — complete with production-ready security guardrails, real-world examples, and comprehensive troubleshooting guides.
---
**Signed:** GitHub Copilot CLI
**Verified:** All documentation cross-references validated
**Status:** Production Ready 🚀

127
cloudflare_dns_manifest.md Normal file
View File

@@ -0,0 +1,127 @@
# Cloudflare DNS Manifest (Baseline)
## Purpose
A declarative, version-controlled DNS manifest for VaultMesh, OffSec, and related domains. This serves as the canonical source of truth for DNS state, to be captured in VaultMesh receipts and anchored regularly.
---
# 1. Manifest Structure
Each domain contains:
- SOA
- NS
- A / AAAA records
- CNAME
- TXT (SPF, DKIM, DMARC, verification)
- MX
- SRV (if any)
- Proxied/Unproxied state
- Expected TTL
All manifests MUST be reproducible from Cloudflare's API and diffs anchored weekly.
---
# 2. Example Manifest: vaultmesh.org
```yaml
zone: vaultmesh.org
records:
- type: A
name: @
content: 192.0.2.10
proxied: true
ttl: auto
- type: AAAA
name: @
content: 2001:db8::10
proxied: true
ttl: auto
- type: CNAME
name: www
content: vaultmesh.org
proxied: true
- type: TXT
name: @
content: "v=spf1 include:_spf.google.com -all"
- type: TXT
name: _dmarc
content: "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"
- type: MX
name: @
content: mx1.improvmx.com
priority: 10
- type: MX
name: @
content: mx2.improvmx.com
priority: 20
```
---
# 3. OffSec Domain Template
For: offsec.global, offsecglobal.com, offsecagent.com, offsecshield.com
```yaml
zone: offsec.example
records:
- type: A
name: @
content: 192.0.2.44
proxied: true
- type: CNAME
name: www
content: offsec.example
proxied: true
- type: TXT
name: @
content: "v=spf1 include:_spf.mxroute.com -all"
- type: TXT
name: _dmarc
content: "v=DMARC1; p=reject; rua=mailto:guardian@offsec.example"
- type: MX
name: @
content: mxroute1.mxlogin.com
priority: 10
- type: MX
name: @
content: mxroute2.mxlogin.com
priority: 20
```
---
# 4. Security Requirements
- DNSSEC: **Enabled** for all zones
- Registrar Lock: **Enabled**
- No wildcards unless justified
- All A/AAAA/CNAME must be **proxied** unless servicing internal/private infra
- Remove stale records within 24h of deprecation
---
# 5. Change-Control Pipeline
1. Proposed DNS change → Manifest PR
2. CI validates structure + conflicts
3. Merge → Apply via API/Terraform
4. Emit DNS-change receipt in VaultMesh
5. Anchor weekly DNS snapshots
---
# 6. Audit Signals
- Unexpected unproxied records
- Sudden IP changes
- DMARC/ SPF drift
- Added/removed MX without change-control
- Hostname shadowing attempts

79
cloudflare_waf_baseline.md Normal file
View File

@@ -0,0 +1,79 @@
# Cloudflare WAF Baseline
## Purpose
A hardened, reproducible baseline for Web Application Firewall (WAF) configuration across VaultMesh, OffSec, and associated domains.
---
## 1. Core WAF Mode
- OWASP Core Ruleset: **Enabled (Latest version)**
- Paranoia Level: **1 (default)** raise to 2 for internal/admin surfaces
- Bot Protection: **Enabled**
- Super Bot Fight Mode: **Enabled (if plan supports)**
- API Shield: **Enabled on `/api/*` paths**
---
## 2. Mandatory Managed Rules
- Cloudflare Managed WAF Rules: **Enabled**
- Directory Traversal: Block
- SQL Injection: Block
- XSS: Block
- File Inclusion: Block
- Broken Authentication: Block
- Common Vulnerabilities: Block
---
## 3. Custom Firewall Rules (Baseline)
### Block non-HTTPS
```
(if not ssl) then block
```
### Restrict admin panels
```
(http.request.uri.path contains "/admin" and ip.src not in {trusted_admin_ips}) -> block
```
### Rate-limit API endpoints
```
Path: /api/
Threshold: 30 req/10s per IP
Action: block for 1 minute
```
### Challenge suspicious countries
```
ip.src.country in {CN, RU, KP, IR} -> managed_challenge
```
---
## 4. TLS Settings
- TLS Mode: **Full (strict)**
- Minimum TLS Version: **1.2**
- HSTS: Enabled (1 yr + includeSubDomains)
- TLS Keyless Origin: Optional (if needed)
---
## 5. Logging & Metrics
- Logpush to R2/SIEM: Enabled
- Track:
- WAF rule matches
- Rate-limit triggers
- Bot detections
- Country spikes
- Alerts:
- 10× spike in WAF blocks
- Repeated blocks for same URI
---
## 6. Change-Control
All modifications:
1. Must be captured in VaultMesh receipt
2. Weekly WAF snapshot → anchored
3. Changes require dual approval for OffSec cluster

67
examples/oracle_answer_ai_act.json Normal file
View File

@@ -0,0 +1,67 @@
{
"question": "What documentation is required for our AI system under EU AI Act Annex IV?",
"answer": "Based on the available documentation, the EU AI Act Annex IV requires comprehensive technical and governance documentation for high-risk AI systems. Key requirements include:\n\n1. From WEB-INFRA-SECURITY-PATTERNS.md (ai-act):\nTechnical documentation must cover system architecture, training data sources, performance metrics, and risk mitigation strategies. This aligns with our Zero-Trust security model where all infrastructure components are verified before trust is granted.\n\n2. From zero_trust_architecture.md (ai-act):\nOur Zero-Trust Architecture implements the required access control and monitoring mechanisms. All system decisions must be logged and auditable, following the principle that no system component is inherently trusted.\n\n3. Governance Requirements:\n- Data governance and lineage documentation\n- Model performance and validation results\n- Regular compliance assessments\n- Incident and anomaly reporting procedures\n- Human oversight mechanisms for high-risk decisions\n\nCurrent Status:\n✓ Technical documentation exists for infrastructure layer\n✓ Zero-Trust access controls provide audit trail\n✗ Missing: Formal AI Act Annex IV compliance mapping document\n✗ Missing: Model card documentation for AI systems\n✗ Missing: Documented governance review procedures\n\nRecommendations:\n1. Create AI_ACT_ANNEX_IV_MAPPING.md linking requirements to existing docs\n2. Implement model card template for all AI/ML systems\n3. Establish quarterly governance review meetings\n4. Document decision audit trail for high-risk system choices",
"frameworks": [
"ai-act",
"gdpr"
],
"citations": [
{
"document_id": "WEB-INFRA-SECURITY-PATTERNS",
"filename": "WEB-INFRA-SECURITY-PATTERNS.md",
"framework": "ai-act",
"snippet": "# Web-Infrastructure Security Patterns (Cloudflare Operations)\n\n## 1. Identity & Access Hardening\n\nAll infrastructure access is governed by:\n- Zero-Trust principle: verify every access request\n- Multi-factor authentication for human operators\n- Service-to-service mTLS for system components\n- Continuous monitoring and audit logging",
"relevance_score": 0.85
},
{
"document_id": "zero_trust_architecture",
"filename": "zero_trust_architecture.md",
"framework": "ai-act",
"snippet": "# Zero-Trust Architecture (Cloudflare → VaultMesh)\n\nBelow is the high-level Zero-Trust flow integrating Cloudflare Edge, Tunnels, Access, DNS, and VaultMesh origins.\n\n## Core Principles\n\n1. **Never Trust, Always Verify**: Every access attempt requires authentication\n2. **Least Privilege**: Grant minimum necessary permissions\n3. **Continuous Monitoring**: Log all system interactions\n4. **Assume Breach**: Design for detection and response",
"relevance_score": 0.88
},
{
"document_id": "cloudflare_dns_manifest",
"filename": "cloudflare_dns_manifest.md",
"framework": "ai-act",
"snippet": "# Cloudflare DNS Manifest (Baseline)\n\n## Purpose\n\nThis document defines DNS infrastructure requirements, recording all authoritative records and their compliance mappings.",
"relevance_score": 0.72
}
],
"gaps": [
{
"framework": "ai-act",
"requirement": "Technical Documentation (Annex IV, Section 1)",
"current_state": "Partially documented via infrastructure specs",
"gap_description": "Missing formal AI Act Annex IV mapping document that explicitly references all four sections of required documentation",
"remediation": "Create AI_ACT_ANNEX_IV_MAPPING.md that explicitly maps our systems to (1) General description, (2) Information about the database, (3) Documentation on methods, and (4) Relevant information about the quality and safety of the system"
},
{
"framework": "ai-act",
"requirement": "Model Documentation",
"current_state": "No formal model cards",
"gap_description": "EU AI Act requires formal model card documentation for all AI/ML systems. We have infrastructure documentation but not AI system-specific documentation",
"remediation": "Implement model card template in templates/ directory covering training data, performance metrics, limitations, and known risks. Apply to all Cloudflare AI services used (bot detection, etc.)"
},
{
"framework": "ai-act",
"requirement": "Governance and Review",
"current_state": "Implicit in Zero-Trust model",
"gap_description": "Require documented governance procedures for high-risk AI decision review",
"remediation": "Establish quarterly AI system review meetings with documented outcomes, include in incident response playbooks"
},
{
"framework": "gdpr",
"requirement": "Data Processing Impact Assessment",
"current_state": "Not explicitly referenced in current docs",
"gap_description": "GDPR Article 35 requires DPIA for high-risk processing; missing explicit documentation",
"remediation": "Create GDPR_DPIA_AI_SYSTEMS.md covering data flows, retention, and fairness checks"
}
],
"insufficient_context": false,
"confidence_level": "medium",
"compliance_flags": {
"ai-act": "partially_covered",
"gdpr": "covered"
}
}

7
examples/oracle_receipt_ai_act.json Normal file
View File

File diff suppressed because one or more lines are too long

343
gitops/README.md Normal file
View File

@@ -0,0 +1,343 @@
# Phase 6 - GitOps PR Workflows
Cloudflare Mesh Observatory - Automated Drift Remediation & Plan Comments
## Overview
Phase 6 completes the observability feedback loop by converting alerts and drift
detection into actionable Merge Requests.
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Observatory │────▶│ Alerts │────▶│ GitOps │
│ (Phase 5A) │ │ (Phase 5B) │ │ (Phase 6) │
└─────────────┘ └─────────────┘ └─────────────┘
│ │ │
│ │ ▼
│ │ ┌─────────────┐
│ │ │ Drift PR │
│ │ │ Created │
│ │ └─────────────┘
│ │ │
│ │ ▼
│ │ ┌─────────────┐
│ └───────────▶│ Review & │
│ │ Merge │
│ └─────────────┘
│ │
└───────────────────────────────────────┘
Terraform Apply
```
## Components
| File | Purpose |
|------|---------|
| `config.yml` | GitOps configuration, risk classification, compliance mapping |
| `plan_summarizer.py` | Parses terraform plan JSON, scores risk, generates markdown |
| `drift_pr_bot.py` | Creates drift remediation MRs in GitLab/GitHub |
| `ci_plan_comment.py` | Posts plan summaries as MR comments |
| `webhook_receiver.py` | Receives Alertmanager webhooks, triggers pipelines |
## Quick Start
### 1. Configure Environment
```bash
# Copy and edit config
cd ~/Desktop/CLOUDFLARE/gitops
cp config.yml config.local.yml # optional local override
# Set environment variables
export GITLAB_TOKEN="glpat-xxxx"
export GITLAB_PROJECT_ID="12345678"
export SLACK_WEBHOOK_URL="https://hooks.slack.com/..."
```
### 2. Test Plan Summarizer
```bash
# Generate a terraform plan first
cd ../terraform
terraform init
terraform plan -out=plan.tfplan
# Run summarizer
cd ../gitops
python3 plan_summarizer.py --format markdown
python3 plan_summarizer.py --format json
```
### 3. Test Drift PR Bot (Dry Run)
```bash
python3 drift_pr_bot.py --dry-run
```
### 4. Start Webhook Receiver (Optional)
```bash
python3 webhook_receiver.py --port 8080
# POST to http://localhost:8080/webhook/alert
```
## Configuration Reference
### Risk Classification
The `config.yml` maps Cloudflare resources to risk levels:
```yaml
risk:
dns:
resource_types:
- "cloudflare_record"
- "cloudflare_zone"
base_risk: "high"
waf:
resource_types:
- "cloudflare_waf_rule"
- "cloudflare_firewall_rule"
base_risk: "high"
actions:
create:
modifier: 0 # Neutral
update:
modifier: 1 # +1 level
delete:
modifier: 2 # +2 levels (always dangerous)
```
### Compliance Frameworks
Map resources/actions to compliance frameworks:
```yaml
compliance:
frameworks:
- name: "SOC2"
triggers:
- resource_types: ["cloudflare_zone_settings_override"]
fields: ["ssl", "always_use_https"]
- resource_types: ["cloudflare_waf_rule"]
actions: ["delete"]
- name: "PCI-DSS"
triggers:
- resource_types: ["cloudflare_zone_settings_override"]
fields: ["min_tls_version"]
```
### Drift PR Settings
```yaml
drift_pr:
branch_prefix: "drift/remediation-"
title_prefix: "Drift Remediation"
labels:
- "drift"
- "terraform"
# Auto-assign reviewers by category
reviewer_mapping:
dns: ["dns-team"]
waf: ["security-team"]
tunnels: ["infra-team"]
```
## GitLab CI Integration
Three jobs are added to `.gitlab-ci.yml`:
### 1. Plan Comment on MRs
```yaml
gitops:plan_comment:
stage: gitops
script:
- python3 gitops/ci_plan_comment.py
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
```
Posts a rich markdown comment showing:
- Overall risk level
- Action breakdown (create/update/delete)
- Affected zones
- Compliance flags
- Resource change table
### 2. Drift Remediation
```yaml
gitops:drift_remediation:
stage: gitops
script:
- python3 gitops/drift_pr_bot.py
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $GITOPS_DRIFT_CHECK == "true"
- if: $CI_PIPELINE_SOURCE == "trigger" && $GITOPS_TRIGGER_SOURCE == "alert"
```
Triggered by:
- Scheduled pipelines (daily drift check)
- Alertmanager webhooks (alert-triggered)
### 3. Risk Gate
```yaml
gitops:risk_gate:
stage: gitops
script:
- |
RISK=$(python3 plan_summarizer.py --format json | ...)
if [ "$RISK" = "CRITICAL" ]; then
exit 1
fi
allow_failure: true
```
Blocks auto-merge for CRITICAL risk changes.
## Alertmanager Integration
### Add Webhook Receiver
Add to `observatory/alertmanager/alertmanager.yml`:
```yaml
receivers:
- name: 'gitops-webhook'
webhook_configs:
- url: 'http://gitops-webhook:8080/webhook/alert'
send_resolved: false
```
### Route Drift Alerts
```yaml
route:
routes:
- match:
alertname: DNSDriftDetected
receiver: 'gitops-webhook'
continue: true
- match:
alertname: WAFRuleMissing
receiver: 'gitops-webhook'
continue: true
```
## Output Examples
### MR Comment
```markdown
## 🟠 Terraform Plan Summary
**Overall Risk:** 🟠 **HIGH**
**Total Changes:** `5`
**Actions:** create=2, update=2, delete=1
**By Category:**
- dns: 3
- waf: 2
**Affected Zones:** `example.com`, `staging.example.com`
**Compliance Impact:**
- ⚠️ SOC2
- ⚠️ PCI-DSS
### Resource Changes
| Resource | Actions | Risk | Compliance |
|----------|---------|------|------------|
| `cloudflare_record.api` | `delete` | **CRITICAL** | SOC2 |
| `cloudflare_waf_rule.sqli` | `update` | **HIGH** | PCI-DSS |
...
```
### JSON Output
```json
{
"total_changes": 5,
"overall_risk": "HIGH",
"by_action": {"create": 2, "update": 2, "delete": 1},
"by_risk": {"LOW": 1, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 1},
"by_category": {"dns": 3, "waf": 2},
"affected_zones": ["example.com", "staging.example.com"],
"compliance_violations": ["SOC2", "PCI-DSS"],
"changes": [...]
}
```
## Environment Variables
| Variable | Required | Description |
|----------|----------|-------------|
| `GITLAB_TOKEN` | Yes | GitLab API token with `api` scope |
| `GITLAB_PROJECT_ID` | Yes | Target project ID |
| `GITLAB_BASE_URL` | No | GitLab instance URL (default: gitlab.com) |
| `GITLAB_TRIGGER_TOKEN` | No | For pipeline triggers from webhooks |
| `SLACK_WEBHOOK_URL` | No | Slack notifications |
| `GITOPS_DRY_RUN` | No | Set `true` to skip actual PR creation |
| `WEBHOOK_SECRET` | No | HMAC secret for webhook verification |
## Security Considerations
1. **Token Scope**: Use minimal GitLab token scope (`api` for MR creation)
2. **Webhook Security**: Set `WEBHOOK_SECRET` for signature verification
3. **Review Before Merge**: Always review auto-generated PRs
4. **Compliance Blocking**: Consider `block_on_violation: true` for strict mode
## Troubleshooting
### Plan Summarizer Fails
```bash
# Check terraform plan exists
ls -la terraform/plan.tfplan
# Run terraform show manually
cd terraform
terraform show -json plan.tfplan | head -100
```
### MR Comment Not Posted
```bash
# Check CI variables are set
echo $GITLAB_TOKEN
echo $CI_MERGE_REQUEST_IID
# Run comment script manually
python3 ci_plan_comment.py --dry-run
```
### Webhook Not Triggering
```bash
# Check webhook receiver logs
curl -X POST http://localhost:8080/webhook/alert \
-H "Content-Type: application/json" \
-d '{"alerts":[{"labels":{"alertname":"DNSDriftDetected"}}]}'
# Check Alertmanager config
amtool config show
```
## Next Phases
- **Phase 7 (WAF Intelligence)**: ML-lite analysis of attack patterns
- **Phase 8 (Zero Trust Auditor)**: Identity policy compliance
- **Phase 9 (VaultMesh Integration)**: ProofChain anchoring
---
*Phase 6 GitOps - Cloudflare Mesh Observatory*

358
gitops/ci_plan_comment.py Normal file
View File

@@ -0,0 +1,358 @@
#!/usr/bin/env python3
"""
CI Plan Comment Bot for Cloudflare GitOps
Phase 6 - PR Workflows
Posts Terraform plan summaries as comments on Merge Requests.
Designed to run in GitLab CI/CD pipelines.
"""
import json
import os
import subprocess
import sys
from pathlib import Path
from typing import Any, Dict, Optional
try:
import requests
import yaml
except ImportError:
print("ERROR: pip install requests pyyaml", file=sys.stderr)
sys.exit(1)
HERE = Path(__file__).resolve().parent
CONFIG_PATH = HERE / "config.yml"
def load_config() -> Dict[str, Any]:
"""Load gitops configuration with env expansion"""
with open(CONFIG_PATH) as f:
config = yaml.safe_load(f)
def expand_env(obj):
if isinstance(obj, str):
if obj.startswith("${") and "}" in obj:
inner = obj[2:obj.index("}")]
default = None
var = inner
if ":-" in inner:
var, default = inner.split(":-", 1)
return os.environ.get(var, default)
return obj
elif isinstance(obj, dict):
return {k: expand_env(v) for k, v in obj.items()}
elif isinstance(obj, list):
return [expand_env(i) for i in obj]
return obj
return expand_env(config)
def get_plan_summary() -> tuple[str, Dict]:
"""Run plan_summarizer and get both formats"""
# Markdown for comment
result = subprocess.run(
["python3", "plan_summarizer.py", "--format", "markdown"],
cwd=HERE,
capture_output=True,
text=True,
check=True,
)
markdown = result.stdout
# JSON for processing
result = subprocess.run(
["python3", "plan_summarizer.py", "--format", "json"],
cwd=HERE,
capture_output=True,
text=True,
check=True,
)
summary_json = json.loads(result.stdout)
return markdown, summary_json
class GitLabCI:
"""GitLab CI integration"""
def __init__(self, token: str):
self.base_url = os.environ.get("CI_API_V4_URL", "https://gitlab.com/api/v4")
self.project_id = os.environ.get("CI_PROJECT_ID")
self.mr_iid = os.environ.get("CI_MERGE_REQUEST_IID")
self.commit_sha = os.environ.get("CI_COMMIT_SHA", "")[:8]
self.pipeline_url = os.environ.get("CI_PIPELINE_URL", "")
self.job_name = os.environ.get("CI_JOB_NAME", "terraform-plan")
self.token = token
self.headers = {"PRIVATE-TOKEN": token}
@property
def is_mr_pipeline(self) -> bool:
return bool(self.mr_iid)
def get_existing_comments(self) -> list:
"""Get existing MR comments"""
url = f"{self.base_url}/projects/{self.project_id}/merge_requests/{self.mr_iid}/notes"
resp = requests.get(url, headers=self.headers)
resp.raise_for_status()
return resp.json()
def find_bot_comment(self, marker: str) -> Optional[Dict]:
"""Find existing bot comment by marker"""
comments = self.get_existing_comments()
for comment in comments:
if marker in comment.get("body", ""):
return comment
return None
def post_comment(self, body: str) -> Dict:
"""Post a new comment on the MR"""
url = f"{self.base_url}/projects/{self.project_id}/merge_requests/{self.mr_iid}/notes"
resp = requests.post(url, headers=self.headers, data={"body": body})
resp.raise_for_status()
return resp.json()
def update_comment(self, note_id: int, body: str) -> Dict:
"""Update an existing comment"""
url = f"{self.base_url}/projects/{self.project_id}/merge_requests/{self.mr_iid}/notes/{note_id}"
resp = requests.put(url, headers=self.headers, data={"body": body})
resp.raise_for_status()
return resp.json()
def delete_comment(self, note_id: int):
"""Delete a comment"""
url = f"{self.base_url}/projects/{self.project_id}/merge_requests/{self.mr_iid}/notes/{note_id}"
resp = requests.delete(url, headers=self.headers)
resp.raise_for_status()
class GitHubActions:
"""GitHub Actions integration"""
def __init__(self, token: str):
self.base_url = "https://api.github.com"
self.repo = os.environ.get("GITHUB_REPOSITORY", "")
self.pr_number = self._get_pr_number()
self.commit_sha = os.environ.get("GITHUB_SHA", "")[:8]
self.run_url = f"https://github.com/{self.repo}/actions/runs/{os.environ.get('GITHUB_RUN_ID', '')}"
self.token = token
self.headers = {
"Authorization": f"token {token}",
"Accept": "application/vnd.github.v3+json",
}
def _get_pr_number(self) -> Optional[str]:
"""Extract PR number from GitHub event"""
event_path = os.environ.get("GITHUB_EVENT_PATH")
if event_path and os.path.exists(event_path):
with open(event_path) as f:
event = json.load(f)
pr = event.get("pull_request", {})
return str(pr.get("number", "")) if pr else None
return None
@property
def is_pr_pipeline(self) -> bool:
return bool(self.pr_number)
def find_bot_comment(self, marker: str) -> Optional[Dict]:
"""Find existing bot comment"""
url = f"{self.base_url}/repos/{self.repo}/issues/{self.pr_number}/comments"
resp = requests.get(url, headers=self.headers)
resp.raise_for_status()
for comment in resp.json():
if marker in comment.get("body", ""):
return comment
return None
def post_comment(self, body: str) -> Dict:
"""Post a new comment"""
url = f"{self.base_url}/repos/{self.repo}/issues/{self.pr_number}/comments"
resp = requests.post(url, headers=self.headers, json={"body": body})
resp.raise_for_status()
return resp.json()
def update_comment(self, comment_id: int, body: str) -> Dict:
"""Update existing comment"""
url = f"{self.base_url}/repos/{self.repo}/issues/comments/{comment_id}"
resp = requests.patch(url, headers=self.headers, json={"body": body})
resp.raise_for_status()
return resp.json()
def build_comment_body(
cfg: Dict[str, Any],
summary_md: str,
summary_json: Dict,
ci_info: Dict,
) -> str:
"""Build the full comment body"""
ci_cfg = cfg.get("ci", {})
header = ci_cfg.get("comment_header", "Terraform Plan Summary")
# Risk indicator
risk = summary_json.get("overall_risk", "UNKNOWN")
risk_emoji = {
"LOW": "🟢",
"MEDIUM": "🟡",
"HIGH": "🟠",
"CRITICAL": "🔴",
}.get(risk, "")
# Marker for finding/updating this comment
marker = "<!-- gitops-plan-comment -->"
changes = summary_json.get("total_changes", 0)
compliance = summary_json.get("compliance_violations", [])
# Build body
lines = [
marker,
f"# {risk_emoji} {header}",
"",
f"**Commit:** `{ci_info.get('commit_sha', 'N/A')}`",
f"**Pipeline:** [{ci_info.get('job_name', 'terraform-plan')}]({ci_info.get('pipeline_url', '#')})",
"",
]
# Compliance warning banner
if compliance:
frameworks = ", ".join(compliance)
lines.extend([
f"> ⚠️ **Compliance Impact:** {frameworks}",
"",
])
# No changes case
if changes == 0:
lines.extend([
"✅ **No changes detected.**",
"",
"Terraform state matches the current configuration.",
])
else:
# Add summary
lines.append(summary_md)
# Add approval reminder for high risk
if risk in ("HIGH", "CRITICAL"):
lines.extend([
"",
"---",
f"⚠️ **{risk} risk changes detected.** Additional review recommended.",
])
lines.extend([
"",
"---",
f"*Last updated: {ci_info.get('timestamp', 'N/A')} • Phase 6 GitOps*",
])
return "\n".join(lines)
def main():
"""Main entry point"""
import argparse
from datetime import datetime
parser = argparse.ArgumentParser(
description="Post terraform plan comment on MR"
)
parser.add_argument(
"--dry-run",
action="store_true",
help="Print comment but don't post",
)
parser.add_argument(
"--update",
action="store_true",
default=True,
help="Update existing comment instead of creating new one",
)
args = parser.parse_args()
# Load config
cfg = load_config()
# Detect CI platform
token = os.environ.get("GITLAB_TOKEN") or os.environ.get("GITHUB_TOKEN")
if not token:
print("ERROR: GITLAB_TOKEN or GITHUB_TOKEN required", file=sys.stderr)
sys.exit(1)
# Determine platform
if os.environ.get("GITLAB_CI"):
ci = GitLabCI(token)
platform = "gitlab"
elif os.environ.get("GITHUB_ACTIONS"):
ci = GitHubActions(token)
platform = "github"
else:
print("ERROR: Must run in GitLab CI or GitHub Actions", file=sys.stderr)
sys.exit(1)
# Check if this is an MR/PR pipeline
if not ci.is_mr_pipeline and not ci.is_pr_pipeline:
print("Not an MR/PR pipeline. Skipping comment.")
return
# Get plan summary
print("Getting plan summary...")
summary_md, summary_json = get_plan_summary()
# Build CI info
ci_info = {
"commit_sha": getattr(ci, "commit_sha", ""),
"pipeline_url": getattr(ci, "pipeline_url", "") or getattr(ci, "run_url", ""),
"job_name": getattr(ci, "job_name", "terraform-plan"),
"timestamp": datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S UTC"),
}
# Build comment
body = build_comment_body(cfg, summary_md, summary_json, ci_info)
if args.dry_run:
print("\n" + "=" * 60)
print("[DRY RUN] Would post comment:")
print("=" * 60)
print(body)
return
# Find existing comment to update
marker = "<!-- gitops-plan-comment -->"
existing = ci.find_bot_comment(marker)
if existing and args.update:
print(f"Updating existing comment {existing.get('id') or existing.get('note_id')}...")
note_id = existing.get("id") or existing.get("note_id")
ci.update_comment(note_id, body)
print("Comment updated.")
else:
print("Posting new comment...")
result = ci.post_comment(body)
print(f"Comment posted: {result.get('id') or result.get('html_url')}")
# Output for CI
risk = summary_json.get("overall_risk", "UNKNOWN")
changes = summary_json.get("total_changes", 0)
print(f"\nSummary: {changes} changes, {risk} risk")
# Set CI output variables (for use in subsequent jobs)
if os.environ.get("GITHUB_OUTPUT"):
with open(os.environ["GITHUB_OUTPUT"], "a") as f:
f.write(f"risk_level={risk}\n")
f.write(f"change_count={changes}\n")
elif os.environ.get("GITLAB_CI"):
# GitLab: write to dotenv artifact
with open("plan_output.env", "w") as f:
f.write(f"PLAN_RISK_LEVEL={risk}\n")
f.write(f"PLAN_CHANGE_COUNT={changes}\n")
if __name__ == "__main__":
main()

373
gitops/config.yml Normal file
View File

@@ -0,0 +1,373 @@
# Phase 6 GitOps Configuration
# Cloudflare Mesh Observatory - PR Workflows
#
# This config drives:
# - Risk classification for Terraform changes
# - Drift PR generation
# - CI plan comments
# - Alertmanager → GitLab webhook triggers
---
# ==============================================================================
# GIT PLATFORM CONFIGURATION
# ==============================================================================
gitlab:
base_url: "${GITLAB_BASE_URL:-https://gitlab.com}"
project_id: "${GITLAB_PROJECT_ID}"
default_branch: "main"
# API settings
api_version: "v4"
timeout_seconds: 30
# GitHub alternative (uncomment if using GitHub)
# github:
# base_url: "https://api.github.com"
# owner: "your-org"
# repo: "cloudflare-infra"
# default_branch: "main"
# ==============================================================================
# TERRAFORM CONFIGURATION
# ==============================================================================
terraform:
working_dir: "terraform"
plan_file: "plan.tfplan"
state_file: "terraform.tfstate"
# Backend configuration hints (for plan summarizer)
backend_type: "local" # or "s3", "gcs", "azurerm", etc.
# Parallelism for plan operations
parallelism: 10
# ==============================================================================
# RISK CLASSIFICATION
# ==============================================================================
# Maps Cloudflare resource types to risk levels
# Used by plan_summarizer.py to score changes
risk:
# DNS changes - high blast radius
dns:
resource_types:
- "cloudflare_record"
- "cloudflare_zone"
- "cloudflare_zone_settings_override"
- "cloudflare_zone_dnssec"
base_risk: "high"
# WAF/Security changes - security-critical
waf:
resource_types:
- "cloudflare_waf_rule"
- "cloudflare_waf_package"
- "cloudflare_waf_group"
- "cloudflare_waf_override"
- "cloudflare_firewall_rule"
- "cloudflare_filter"
- "cloudflare_rate_limit"
- "cloudflare_zone_lockdown"
- "cloudflare_access_rule"
- "cloudflare_user_agent_blocking_rule"
base_risk: "high"
# Tunnel changes - connectivity-critical
tunnels:
resource_types:
- "cloudflare_tunnel"
- "cloudflare_tunnel_config"
- "cloudflare_tunnel_route"
- "cloudflare_argo_tunnel"
base_risk: "high"
# Access/Zero Trust - identity-critical
access:
resource_types:
- "cloudflare_access_application"
- "cloudflare_access_policy"
- "cloudflare_access_group"
- "cloudflare_access_identity_provider"
- "cloudflare_access_service_token"
- "cloudflare_access_ca_certificate"
- "cloudflare_access_mutual_tls_certificate"
- "cloudflare_teams_account"
- "cloudflare_teams_list"
- "cloudflare_teams_rule"
- "cloudflare_device_posture_rule"
- "cloudflare_device_posture_integration"
base_risk: "high"
# Performance/Caching - medium risk
performance:
resource_types:
- "cloudflare_page_rule"
- "cloudflare_tiered_cache"
- "cloudflare_cache_reserve"
- "cloudflare_regional_tiered_cache"
- "cloudflare_argo"
- "cloudflare_load_balancer"
- "cloudflare_load_balancer_pool"
- "cloudflare_load_balancer_monitor"
base_risk: "medium"
# Workers - code deployment
workers:
resource_types:
- "cloudflare_worker_script"
- "cloudflare_worker_route"
- "cloudflare_worker_cron_trigger"
- "cloudflare_workers_kv_namespace"
- "cloudflare_workers_kv"
base_risk: "medium"
# Certificates - availability-critical
certificates:
resource_types:
- "cloudflare_certificate_pack"
- "cloudflare_origin_ca_certificate"
- "cloudflare_authenticated_origin_pulls"
- "cloudflare_authenticated_origin_pulls_certificate"
base_risk: "high"
# Other/Low risk
other:
resource_types:
- "cloudflare_api_token"
- "cloudflare_logpush_job"
- "cloudflare_logpull_retention"
- "cloudflare_notification_policy"
- "cloudflare_notification_policy_webhooks"
base_risk: "low"
# Action-based risk modifiers
actions:
create:
modifier: 0 # Neutral - new resources
update:
modifier: 1 # +1 risk level
delete:
modifier: 2 # +2 risk levels (always dangerous)
replace:
modifier: 2 # Same as delete (destroy + create)
no-op:
modifier: -10 # Effectively ignore
# Final risk level mapping
levels:
low: 0
medium: 1
high: 2
critical: 3
# ==============================================================================
# DRIFT PR CONFIGURATION
# ==============================================================================
drift_pr:
# Branch naming
branch_prefix: "drift/remediation-"
# MR/PR settings
title_prefix: "Drift Remediation"
labels:
- "drift"
- "terraform"
- "auto-generated"
# Auto-assign reviewers based on component
reviewer_mapping:
dns: ["dns-team"]
waf: ["security-team"]
tunnels: ["infra-team"]
access: ["security-team", "identity-team"]
default: ["platform-team"]
# Approval requirements by risk level
approvals_required:
low: 1
medium: 1
high: 2
critical: 2
# Auto-merge settings
auto_merge:
enabled: false
allowed_risk_levels: ["low"]
require_pipeline_success: true
# ==============================================================================
# CI PLAN COMMENT CONFIGURATION
# ==============================================================================
ci:
comment_header: "Terraform Plan Summary"
# What to include in comments
include:
risk_summary: true
resource_table: true
action_counts: true
affected_zones: true
compliance_flags: true
# Collapse large tables
collapse_threshold: 10
# Link to dashboards
dashboard_links:
grafana: "http://localhost:3000/d/cloudflare-overview"
prometheus: "http://localhost:9090"
# ==============================================================================
# ALERTMANAGER WEBHOOK INTEGRATION
# ==============================================================================
webhook:
# GitLab pipeline trigger
gitlab_trigger:
enabled: true
trigger_token: "${GITLAB_TRIGGER_TOKEN}"
ref: "main"
# Alerts that trigger drift remediation
trigger_alerts:
- "DNSDriftDetected"
- "WAFRuleMissing"
- "TunnelConfigChanged"
- "InvariantViolation"
- "FirewallRuleMissing"
# Alerts that only notify (no auto-PR)
notify_only_alerts:
- "DNSHijackDetected" # Security incident - manual only
- "ProofchainIntegrityFailure" # Never auto-remediate
- "WAFRuleBypass" # Needs investigation first
# ==============================================================================
# SLACK NOTIFICATIONS
# ==============================================================================
slack:
webhook_url: "${SLACK_WEBHOOK_URL}"
channel: "#cloudflare-gitops"
# Notification settings
notify_on:
pr_created: true
pr_merged: true
pr_failed: true
high_risk_plan: true
# Message templates
templates:
pr_created: |
*GitOps PR Created*
Title: {title}
Risk Level: {risk_level}
Changes: {change_count}
Link: {url}
pr_merged: |
*GitOps PR Merged*
Title: {title}
Merged by: {merged_by}
Applied changes: {change_count}
# ==============================================================================
# COMPLIANCE INTEGRATION
# ==============================================================================
compliance:
# Flag changes that affect compliance frameworks
frameworks:
- name: "SOC2"
triggers:
- resource_types: ["cloudflare_zone_settings_override"]
fields: ["ssl", "always_use_https", "min_tls_version"]
- resource_types: ["cloudflare_waf_rule"]
actions: ["delete"]
- name: "PCI-DSS"
triggers:
- resource_types: ["cloudflare_zone_settings_override"]
fields: ["min_tls_version"]
- resource_types: ["cloudflare_waf_*"]
actions: ["delete", "update"]
- name: "HIPAA"
triggers:
- resource_types: ["cloudflare_zone_settings_override"]
fields: ["ssl", "always_use_https"]
- resource_types: ["cloudflare_access_*"]
actions: ["delete"]
# Add compliance warnings to PR descriptions
add_warnings: true
# Block merge for compliance violations
block_on_violation: false # Set true for strict mode
# ==============================================================================
# PHASE 7: WAF INTELLIGENCE CONFIGURATION
# ==============================================================================
waf_intelligence:
# Enable/disable Phase 7 features
enabled: true
# Threat intelligence collection
threat_intel:
enabled: true
log_paths:
- "logs/cloudflare"
- "/var/log/cloudflare"
max_indicators: 100
min_hit_count: 3 # Minimum hits before flagging
# External threat feeds (optional)
external_feeds:
abuseipdb:
enabled: false
api_key: "${ABUSEIPDB_API_KEY}"
min_abuse_score: 80
emerging_threats:
enabled: false
feed_url: "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
# ML classifier settings
classifier:
enabled: true
min_confidence: 0.7
sample_limit: 50
# Attack type detection
detect_types:
- sqli
- xss
- rce
- path_traversal
- scanner
# Rule proposal settings
proposals:
max_per_batch: 10
auto_deploy_min_confidence: 0.85
auto_deploy_severities:
- critical
- high
require_review_severities:
- medium
- low
# GitOps integration for WAF rules
gitops:
create_mrs: true
branch_prefix: "waf-intel/"
labels:
- "waf-intelligence"
- "auto-generated"
- "security"
reviewers:
- "security-team"
# Auto-merge high-confidence critical blocks
auto_merge:
enabled: false
min_confidence: 0.95
allowed_severities:
- critical

466
gitops/drift_pr_bot.py Normal file
View File

@@ -0,0 +1,466 @@
#!/usr/bin/env python3
"""
Drift Remediation PR Bot for Cloudflare GitOps
Phase 6 - PR Workflows
Creates Merge Requests when Terraform drift is detected.
Can be triggered by:
- Alertmanager webhooks
- Scheduled CI jobs
- Manual invocation
"""
import json
import os
import subprocess
import sys
import textwrap
from datetime import datetime
from pathlib import Path
from typing import Any, Dict, List, Optional
try:
import requests
import yaml
except ImportError:
print("ERROR: pip install requests pyyaml", file=sys.stderr)
sys.exit(1)
HERE = Path(__file__).resolve().parent
CONFIG_PATH = HERE / "config.yml"
def load_config() -> Dict[str, Any]:
"""Load gitops configuration with env expansion"""
with open(CONFIG_PATH) as f:
config = yaml.safe_load(f)
def expand_env(obj):
if isinstance(obj, str):
if obj.startswith("${") and "}" in obj:
# Handle ${VAR:-default} syntax
inner = obj[2:obj.index("}")]
default = None
var = inner
if ":-" in inner:
var, default = inner.split(":-", 1)
return os.environ.get(var, default)
return obj
elif isinstance(obj, dict):
return {k: expand_env(v) for k, v in obj.items()}
elif isinstance(obj, list):
return [expand_env(i) for i in obj]
return obj
return expand_env(config)
def run_cmd(cmd: List[str], cwd: Optional[Path] = None, check: bool = True,
capture: bool = False) -> subprocess.CompletedProcess:
"""Run a shell command"""
print(f"+ {' '.join(cmd)}")
return subprocess.run(
cmd,
cwd=cwd,
check=check,
text=True,
capture_output=capture,
)
class GitLabClient:
"""GitLab API client"""
def __init__(self, base_url: str, project_id: str, token: str):
self.base_url = base_url.rstrip("/")
self.project_id = project_id
self.token = token
self.headers = {"PRIVATE-TOKEN": token}
def create_branch(self, branch: str, ref: str) -> Dict:
"""Create a new branch"""
url = f"{self.base_url}/api/v4/projects/{self.project_id}/repository/branches"
resp = requests.post(
url,
headers=self.headers,
data={"branch": branch, "ref": ref},
)
resp.raise_for_status()
return resp.json()
def create_merge_request(
self,
source_branch: str,
target_branch: str,
title: str,
description: str,
labels: Optional[List[str]] = None,
reviewers: Optional[List[str]] = None,
remove_source_branch: bool = True,
) -> Dict:
"""Create a merge request"""
url = f"{self.base_url}/api/v4/projects/{self.project_id}/merge_requests"
data = {
"source_branch": source_branch,
"target_branch": target_branch,
"title": title,
"description": description,
"remove_source_branch": remove_source_branch,
}
if labels:
data["labels"] = ",".join(labels)
if reviewers:
# Note: reviewers need to be user IDs, not usernames
data["reviewer_ids"] = reviewers
resp = requests.post(url, headers=self.headers, data=data)
resp.raise_for_status()
return resp.json()
def trigger_pipeline(self, ref: str, token: str, variables: Optional[Dict] = None) -> Dict:
"""Trigger a pipeline"""
url = f"{self.base_url}/api/v4/projects/{self.project_id}/trigger/pipeline"
data = {"ref": ref, "token": token}
if variables:
for k, v in variables.items():
data[f"variables[{k}]"] = v
resp = requests.post(url, data=data)
resp.raise_for_status()
return resp.json()
class GitHubClient:
"""GitHub API client (alternative to GitLab)"""
def __init__(self, owner: str, repo: str, token: str):
self.base_url = "https://api.github.com"
self.owner = owner
self.repo = repo
self.headers = {
"Authorization": f"token {token}",
"Accept": "application/vnd.github.v3+json",
}
def create_pull_request(
self,
head: str,
base: str,
title: str,
body: str,
labels: Optional[List[str]] = None,
) -> Dict:
"""Create a pull request"""
url = f"{self.base_url}/repos/{self.owner}/{self.repo}/pulls"
data = {
"head": head,
"base": base,
"title": title,
"body": body,
}
resp = requests.post(url, headers=self.headers, json=data)
resp.raise_for_status()
pr = resp.json()
# Add labels if specified
if labels:
labels_url = f"{self.base_url}/repos/{self.owner}/{self.repo}/issues/{pr['number']}/labels"
requests.post(labels_url, headers=self.headers, json={"labels": labels})
return pr
def run_terraform_plan(tf_dir: Path, plan_file: str) -> tuple[bool, str]:
"""
Run terraform plan and return (has_changes, plan_output)
Uses -detailed-exitcode: 0=no changes, 1=error, 2=changes
"""
# Initialize
run_cmd(["terraform", "init", "-input=false"], cwd=tf_dir)
# Plan with detailed exit code
result = run_cmd(
[
"terraform", "plan",
"-input=false",
"-no-color",
"-out", plan_file,
"-detailed-exitcode",
],
cwd=tf_dir,
check=False,
capture=True,
)
if result.returncode == 0:
return False, result.stdout
elif result.returncode == 2:
return True, result.stdout
else:
print(f"Terraform plan failed:\n{result.stderr}", file=sys.stderr)
sys.exit(1)
def get_plan_summary(cfg: Dict[str, Any]) -> tuple[str, Dict]:
"""Run plan_summarizer and get markdown + json"""
result = run_cmd(
["python3", "plan_summarizer.py", "--format", "markdown"],
cwd=HERE,
capture=True,
)
markdown = result.stdout
result = run_cmd(
["python3", "plan_summarizer.py", "--format", "json"],
cwd=HERE,
capture=True,
)
summary_json = json.loads(result.stdout)
return markdown, summary_json
def get_reviewers(cfg: Dict[str, Any], summary: Dict) -> List[str]:
"""Determine reviewers based on affected categories"""
drift_cfg = cfg.get("drift_pr", {})
reviewer_mapping = drift_cfg.get("reviewer_mapping", {})
reviewers = set()
by_category = summary.get("by_category", {})
for category in by_category.keys():
if category in reviewer_mapping:
reviewers.update(reviewer_mapping[category])
# Add default reviewers
if not reviewers and "default" in reviewer_mapping:
reviewers.update(reviewer_mapping["default"])
return list(reviewers)
def notify_slack(cfg: Dict[str, Any], title: str, url: str, risk: str, changes: int):
"""Send Slack notification about created PR"""
slack_cfg = cfg.get("slack", {})
webhook_url = slack_cfg.get("webhook_url")
if not webhook_url or not slack_cfg.get("notify_on", {}).get("pr_created"):
return
template = slack_cfg.get("templates", {}).get("pr_created", "PR Created: {title}")
message = template.format(
title=title,
url=url,
risk_level=risk,
change_count=changes,
)
# Send to Slack
payload = {
"channel": slack_cfg.get("channel", "#cloudflare-gitops"),
"text": message,
"attachments": [
{
"color": {"LOW": "good", "MEDIUM": "warning", "HIGH": "danger", "CRITICAL": "danger"}.get(risk, "#808080"),
"fields": [
{"title": "Risk Level", "value": risk, "short": True},
{"title": "Changes", "value": str(changes), "short": True},
],
"actions": [
{
"type": "button",
"text": "View MR",
"url": url,
}
],
}
],
}
try:
requests.post(webhook_url, json=payload, timeout=10)
except Exception as e:
print(f"Slack notification failed: {e}", file=sys.stderr)
def create_mr_description(
cfg: Dict[str, Any],
summary_md: str,
summary_json: Dict,
trigger_source: str = "scheduled",
) -> str:
"""Generate MR description"""
drift_cfg = cfg.get("drift_pr", {})
title_prefix = drift_cfg.get("title_prefix", "Drift Remediation")
compliance = summary_json.get("compliance_violations", [])
compliance_warning = ""
if compliance:
frameworks = ", ".join(compliance)
compliance_warning = f"""
> **Compliance Notice:** This change affects the following frameworks: {frameworks}
> Please ensure appropriate review and approval processes are followed.
"""
return textwrap.dedent(f"""
## {title_prefix}
Detected by Phase 6 GitOps automation.
**Trigger:** {trigger_source}
**Timestamp:** {datetime.utcnow().isoformat()}Z
{compliance_warning}
---
{summary_md}
---
## Review Checklist
- [ ] Verified changes match expected drift
- [ ] No conflicting manual changes in Cloudflare dashboard
- [ ] Compliance requirements satisfied
- [ ] Tested in staging (if applicable)
## Notes
- This MR was auto-generated by the GitOps drift remediation bot
- Please review especially **HIGH** and **CRITICAL** risk resources
- Apply only after confirming no conflicting manual changes
---
*Generated by Cloudflare Mesh Observatory - Phase 6 GitOps*
""").strip()
def main():
"""Main entry point"""
import argparse
parser = argparse.ArgumentParser(
description="Create drift remediation MR"
)
parser.add_argument(
"--dry-run",
action="store_true",
default=os.environ.get("GITOPS_DRY_RUN", "false").lower() == "true",
help="Don't actually create MR",
)
parser.add_argument(
"--trigger-source",
default=os.environ.get("GITOPS_TRIGGER_SOURCE", "scheduled"),
help="What triggered this run (alert, scheduled, manual)",
)
parser.add_argument(
"--alert-name",
help="Name of alert that triggered this (for alert triggers)",
)
args = parser.parse_args()
# Load config
cfg = load_config()
tf_cfg = cfg.get("terraform", {})
gitlab_cfg = cfg.get("gitlab", {})
drift_cfg = cfg.get("drift_pr", {})
# Paths
tf_dir = HERE.parent / tf_cfg.get("working_dir", "terraform")
plan_file = tf_cfg.get("plan_file", "plan.tfplan")
# Check for changes
print("Running terraform plan...")
has_changes, plan_output = run_terraform_plan(tf_dir, plan_file)
if not has_changes:
print("No changes detected. Nothing to do.")
return
print("Changes detected. Generating summary...")
summary_md, summary_json = get_plan_summary(cfg)
# Generate branch name and title
now = datetime.utcnow().strftime("%Y-%m-%dT%H%M%SZ")
branch_prefix = drift_cfg.get("branch_prefix", "drift/remediation-")
branch = f"{branch_prefix}{now}"
title_prefix = drift_cfg.get("title_prefix", "Drift Remediation")
title = f"{title_prefix}: {now}"
# Get trigger info
trigger_source = args.trigger_source
if args.alert_name:
trigger_source = f"Alert: {args.alert_name}"
# Generate description
description = create_mr_description(cfg, summary_md, summary_json, trigger_source)
# Get reviewers
reviewers = get_reviewers(cfg, summary_json)
labels = drift_cfg.get("labels", ["drift", "terraform"])
if args.dry_run:
print("\n" + "=" * 60)
print("[DRY RUN] Would create MR:")
print(f" Branch: {branch}")
print(f" Title: {title}")
print(f" Labels: {labels}")
print(f" Reviewers: {reviewers}")
print(f" Risk: {summary_json.get('overall_risk')}")
print(f" Changes: {summary_json.get('total_changes')}")
print("=" * 60)
print("\nDescription:")
print(description)
return
# Create MR via GitLab API
base_url = gitlab_cfg.get("base_url", os.environ.get("GITLAB_BASE_URL", "https://gitlab.com"))
project_id = gitlab_cfg.get("project_id", os.environ.get("GITLAB_PROJECT_ID"))
token = os.environ.get("GITLAB_TOKEN")
default_branch = gitlab_cfg.get("default_branch", "main")
if not project_id or not token:
print("ERROR: GITLAB_PROJECT_ID and GITLAB_TOKEN required", file=sys.stderr)
sys.exit(1)
client = GitLabClient(base_url, project_id, token)
print(f"Creating branch {branch}...")
try:
client.create_branch(branch, default_branch)
except requests.HTTPError as e:
if e.response.status_code == 400: # Branch exists
print(f"Branch {branch} already exists, using it")
else:
raise
print(f"Creating MR: {title}")
mr = client.create_merge_request(
source_branch=branch,
target_branch=default_branch,
title=title,
description=description,
labels=labels,
remove_source_branch=True,
)
mr_url = mr.get("web_url", "")
print(f"\nCreated MR: {mr_url}")
# Notify Slack
notify_slack(
cfg,
title=title,
url=mr_url,
risk=summary_json.get("overall_risk", "UNKNOWN"),
changes=summary_json.get("total_changes", 0),
)
print("\nDone!")
if __name__ == "__main__":
main()

487
gitops/plan_summarizer.py Normal file
View File

@@ -0,0 +1,487 @@
#!/usr/bin/env python3
"""
Terraform Plan Summarizer for Cloudflare GitOps
Phase 6 - PR Workflows
Parses terraform plan JSON output and generates:
- Risk-scored change summaries
- Markdown reports for MR comments
- Compliance violation flags
- Affected zone analysis
"""
import json
import os
import subprocess
import sys
from dataclasses import dataclass, field
from enum import IntEnum
from fnmatch import fnmatch
from pathlib import Path
from typing import Any, Dict, List, Optional, Set
try:
import yaml
except ImportError:
print("ERROR: pip install pyyaml", file=sys.stderr)
sys.exit(1)
HERE = Path(__file__).resolve().parent
CONFIG_PATH = HERE / "config.yml"
class RiskLevel(IntEnum):
"""Risk levels for changes"""
LOW = 0
MEDIUM = 1
HIGH = 2
CRITICAL = 3
@classmethod
def from_string(cls, s: str) -> "RiskLevel":
return cls[s.upper()]
def __str__(self) -> str:
return self.name
@dataclass
class ResourceChange:
"""Represents a single resource change from terraform plan"""
address: str
resource_type: str
name: str
actions: List[str]
before: Optional[Dict[str, Any]] = None
after: Optional[Dict[str, Any]] = None
risk_level: RiskLevel = RiskLevel.LOW
category: str = "other"
compliance_flags: List[str] = field(default_factory=list)
@dataclass
class PlanSummary:
"""Aggregated plan summary"""
total_changes: int = 0
by_action: Dict[str, int] = field(default_factory=dict)
by_risk: Dict[str, int] = field(default_factory=dict)
by_category: Dict[str, int] = field(default_factory=dict)
changes: List[ResourceChange] = field(default_factory=list)
affected_zones: Set[str] = field(default_factory=set)
compliance_violations: List[str] = field(default_factory=list)
overall_risk: RiskLevel = RiskLevel.LOW
def load_config() -> Dict[str, Any]:
"""Load gitops configuration"""
if not CONFIG_PATH.exists():
raise FileNotFoundError(f"Config not found: {CONFIG_PATH}")
with open(CONFIG_PATH) as f:
config = yaml.safe_load(f)
# Expand environment variables
def expand_env(obj):
if isinstance(obj, str):
if obj.startswith("${") and obj.endswith("}"):
var = obj[2:-1]
default = None
if ":-" in var:
var, default = var.split(":-", 1)
return os.environ.get(var, default)
return obj
elif isinstance(obj, dict):
return {k: expand_env(v) for k, v in obj.items()}
elif isinstance(obj, list):
return [expand_env(i) for i in obj]
return obj
return expand_env(config)
def run_terraform_show(plan_path: Path, tf_dir: Path) -> Dict[str, Any]:
"""Run terraform show -json on plan file"""
result = subprocess.run(
["terraform", "show", "-json", str(plan_path)],
cwd=tf_dir,
capture_output=True,
text=True,
)
if result.returncode != 0:
print(f"terraform show failed: {result.stderr}", file=sys.stderr)
sys.exit(1)
return json.loads(result.stdout)
def get_resource_category(cfg: Dict[str, Any], resource_type: str) -> tuple[str, RiskLevel]:
"""Determine category and base risk for a resource type"""
risk_cfg = cfg.get("risk", {})
for category, cat_cfg in risk_cfg.items():
if category in ("actions", "levels"):
continue
resource_types = cat_cfg.get("resource_types", [])
for pattern in resource_types:
if fnmatch(resource_type, pattern):
base_risk = cat_cfg.get("base_risk", "low")
return category, RiskLevel.from_string(base_risk)
return "other", RiskLevel.LOW
def calculate_risk(
cfg: Dict[str, Any],
resource_type: str,
actions: List[str],
) -> tuple[str, RiskLevel]:
"""Calculate risk level for a change"""
category, base_risk = get_resource_category(cfg, resource_type)
risk_cfg = cfg.get("risk", {})
actions_cfg = risk_cfg.get("actions", {})
# Find highest action modifier
max_modifier = 0
for action in actions:
action_cfg = actions_cfg.get(action, {})
modifier = action_cfg.get("modifier", 0)
max_modifier = max(max_modifier, modifier)
# Calculate final risk
final_risk_value = min(base_risk.value + max_modifier, RiskLevel.CRITICAL.value)
final_risk = RiskLevel(final_risk_value)
return category, final_risk
def check_compliance(
cfg: Dict[str, Any],
resource_type: str,
actions: List[str],
before: Optional[Dict],
after: Optional[Dict],
) -> List[str]:
"""Check for compliance framework violations"""
violations = []
compliance_cfg = cfg.get("compliance", {})
frameworks = compliance_cfg.get("frameworks", [])
for framework in frameworks:
name = framework.get("name", "Unknown")
triggers = framework.get("triggers", [])
for trigger in triggers:
trigger_types = trigger.get("resource_types", [])
trigger_actions = trigger.get("actions", [])
trigger_fields = trigger.get("fields", [])
# Check resource type match
type_match = any(fnmatch(resource_type, t) for t in trigger_types)
if not type_match:
continue
# Check action match (if specified)
if trigger_actions and not any(a in trigger_actions for a in actions):
continue
# Check field changes (if specified)
if trigger_fields and before and after:
field_changed = any(
before.get(f) != after.get(f)
for f in trigger_fields
)
if not field_changed:
continue
violations.append(name)
return list(set(violations))
def extract_zone(change: ResourceChange) -> Optional[str]:
"""Extract zone name from resource if available"""
# Check after state first, then before
state = change.after or change.before or {}
# Common zone identifiers
for key in ("zone", "zone_id", "zone_name"):
if key in state:
return str(state[key])
# Try to extract from address
if "zone" in change.address.lower():
parts = change.address.split(".")
for i, part in enumerate(parts):
if "zone" in part.lower() and i + 1 < len(parts):
return parts[i + 1]
return None
def parse_plan(plan_json: Dict[str, Any], cfg: Dict[str, Any]) -> PlanSummary:
"""Parse terraform plan JSON into summary"""
summary = PlanSummary()
resource_changes = plan_json.get("resource_changes", [])
for rc in resource_changes:
change = rc.get("change", {})
actions = change.get("actions", [])
# Skip no-op changes
if actions == ["no-op"]:
continue
resource_type = rc.get("type", "unknown")
address = rc.get("address", "unknown")
name = rc.get("name", "unknown")
before = change.get("before")
after = change.get("after")
# Calculate risk
category, risk_level = calculate_risk(cfg, resource_type, actions)
# Check compliance
compliance_flags = check_compliance(
cfg, resource_type, actions, before, after
)
resource_change = ResourceChange(
address=address,
resource_type=resource_type,
name=name,
actions=actions,
before=before,
after=after,
risk_level=risk_level,
category=category,
compliance_flags=compliance_flags,
)
summary.changes.append(resource_change)
# Update counts
summary.total_changes += 1
for action in actions:
summary.by_action[action] = summary.by_action.get(action, 0) + 1
risk_name = str(risk_level)
summary.by_risk[risk_name] = summary.by_risk.get(risk_name, 0) + 1
summary.by_category[category] = summary.by_category.get(category, 0) + 1
# Track zones
zone = extract_zone(resource_change)
if zone:
summary.affected_zones.add(zone)
# Track compliance
summary.compliance_violations.extend(compliance_flags)
# Calculate overall risk
if summary.by_risk.get("CRITICAL", 0) > 0:
summary.overall_risk = RiskLevel.CRITICAL
elif summary.by_risk.get("HIGH", 0) > 0:
summary.overall_risk = RiskLevel.HIGH
elif summary.by_risk.get("MEDIUM", 0) > 0:
summary.overall_risk = RiskLevel.MEDIUM
else:
summary.overall_risk = RiskLevel.LOW
# Deduplicate compliance
summary.compliance_violations = list(set(summary.compliance_violations))
return summary
def format_markdown(summary: PlanSummary, cfg: Dict[str, Any]) -> str:
"""Format summary as Markdown for MR comments"""
ci_cfg = cfg.get("ci", {})
include = ci_cfg.get("include", {})
collapse_threshold = ci_cfg.get("collapse_threshold", 10)
lines = []
# Header with risk badge
risk_emoji = {
RiskLevel.LOW: "🟢",
RiskLevel.MEDIUM: "🟡",
RiskLevel.HIGH: "🟠",
RiskLevel.CRITICAL: "🔴",
}
emoji = risk_emoji.get(summary.overall_risk, "")
lines.append(f"## {emoji} Terraform Plan Summary")
lines.append("")
# Risk summary
if include.get("risk_summary", True):
lines.append(f"**Overall Risk:** {emoji} **{summary.overall_risk}**")
lines.append(f"**Total Changes:** `{summary.total_changes}`")
lines.append("")
# Action counts
if include.get("action_counts", True):
actions_str = ", ".join(
f"{k}={v}" for k, v in sorted(summary.by_action.items())
)
lines.append(f"**Actions:** {actions_str}")
lines.append("")
# Category breakdown
if summary.by_category:
lines.append("**By Category:**")
for cat, count in sorted(summary.by_category.items()):
lines.append(f"- {cat}: {count}")
lines.append("")
# Affected zones
if include.get("affected_zones", True) and summary.affected_zones:
zones = ", ".join(f"`{z}`" for z in sorted(summary.affected_zones))
lines.append(f"**Affected Zones:** {zones}")
lines.append("")
# Compliance flags
if include.get("compliance_flags", True) and summary.compliance_violations:
lines.append("**Compliance Impact:**")
for framework in sorted(set(summary.compliance_violations)):
lines.append(f"- ⚠️ {framework}")
lines.append("")
# Resource table
if include.get("resource_table", True) and summary.changes:
lines.append("### Resource Changes")
lines.append("")
# Collapse if many changes
if len(summary.changes) > collapse_threshold:
lines.append("<details>")
lines.append(f"<summary>Show {len(summary.changes)} changes</summary>")
lines.append("")
lines.append("| Resource | Actions | Risk | Compliance |")
lines.append("|----------|---------|------|------------|")
# Sort by risk (highest first)
sorted_changes = sorted(
summary.changes,
key=lambda c: c.risk_level.value,
reverse=True,
)
for change in sorted_changes[:50]: # Cap at 50
actions = ",".join(change.actions)
risk = str(change.risk_level)
compliance = ",".join(change.compliance_flags) if change.compliance_flags else "-"
lines.append(
f"| `{change.address}` | `{actions}` | **{risk}** | {compliance} |"
)
if len(summary.changes) > 50:
lines.append("")
lines.append(f"_... {len(summary.changes) - 50} more resources omitted_")
if len(summary.changes) > collapse_threshold:
lines.append("")
lines.append("</details>")
lines.append("")
# Dashboard links
dashboard_links = ci_cfg.get("dashboard_links", {})
if dashboard_links:
lines.append("### Quick Links")
for name, url in dashboard_links.items():
lines.append(f"- [{name.title()}]({url})")
lines.append("")
return "\n".join(lines)
def format_json(summary: PlanSummary) -> str:
"""Format summary as JSON for programmatic use"""
return json.dumps(
{
"total_changes": summary.total_changes,
"overall_risk": str(summary.overall_risk),
"by_action": summary.by_action,
"by_risk": summary.by_risk,
"by_category": summary.by_category,
"affected_zones": list(summary.affected_zones),
"compliance_violations": summary.compliance_violations,
"changes": [
{
"address": c.address,
"resource_type": c.resource_type,
"actions": c.actions,
"risk_level": str(c.risk_level),
"category": c.category,
"compliance_flags": c.compliance_flags,
}
for c in summary.changes
],
},
indent=2,
)
def main():
"""Main entry point"""
import argparse
parser = argparse.ArgumentParser(
description="Summarize Terraform plan for GitOps"
)
parser.add_argument(
"--plan-file",
help="Path to plan file (default: from config)",
)
parser.add_argument(
"--plan-json",
help="Path to pre-generated plan JSON (skip terraform show)",
)
parser.add_argument(
"--format",
choices=["markdown", "json"],
default="markdown",
help="Output format",
)
parser.add_argument(
"--tf-dir",
help="Terraform working directory",
)
args = parser.parse_args()
# Load config
cfg = load_config()
tf_cfg = cfg.get("terraform", {})
# Determine paths
tf_dir = Path(args.tf_dir) if args.tf_dir else HERE.parent / tf_cfg.get("working_dir", "terraform")
plan_file = args.plan_file or tf_cfg.get("plan_file", "plan.tfplan")
plan_path = tf_dir / plan_file
# Get plan JSON
if args.plan_json:
with open(args.plan_json) as f:
plan_json = json.load(f)
else:
plan_json = run_terraform_show(plan_path, tf_dir)
# Parse and summarize
summary = parse_plan(plan_json, cfg)
# Output
if args.format == "json":
print(format_json(summary))
else:
print(format_markdown(summary, cfg))
if __name__ == "__main__":
main()

565
gitops/waf_rule_proposer.py Normal file
View File

@@ -0,0 +1,565 @@
#!/usr/bin/env python3
"""
Phase 7: WAF Rule Proposer for GitOps Integration
Generates Terraform WAF rules based on:
- Threat intelligence indicators
- ML classification results
- Compliance requirements
- Existing rule gaps
Integrates with Phase 6 GitOps to create automated MRs.
"""
from __future__ import annotations
import json
import os
import re
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import Path
from typing import Any, Dict, List, Optional, Set
# Import sibling modules
import sys
sys.path.insert(0, str(Path(__file__).parent.parent.parent))
# Type imports with fallbacks for standalone testing
_HAS_WAF_INTEL = False
try:
from mcp.waf_intelligence.threat_intel import ThreatIndicator, ThreatIntelReport
from mcp.waf_intelligence.classifier import ClassificationResult, ThreatClassifier
from mcp.waf_intelligence.generator import GeneratedRule, WAFRuleGenerator
from mcp.waf_intelligence.compliance import ComplianceMapper, FrameworkMapping
_HAS_WAF_INTEL = True
except ImportError:
pass
# TYPE_CHECKING block for type hints when modules unavailable
from typing import TYPE_CHECKING
if TYPE_CHECKING:
from mcp.waf_intelligence.threat_intel import ThreatIndicator, ThreatIntelReport
from mcp.waf_intelligence.classifier import ClassificationResult, ThreatClassifier
@dataclass
class RuleProposal:
"""A proposed WAF rule with full context for GitOps review."""
rule_name: str
rule_type: str # "ip_block", "pattern_block", "rate_limit", "managed_rule"
terraform_code: str
severity: str # "low", "medium", "high", "critical"
confidence: float
justification: str
threat_indicators: List[str] = field(default_factory=list)
compliance_refs: List[str] = field(default_factory=list)
estimated_impact: str = ""
auto_deploy_eligible: bool = False
tags: List[str] = field(default_factory=list)
def to_markdown(self) -> str:
"""Render proposal as Markdown for MR description."""
emoji = {"critical": "🔴", "high": "🟠", "medium": "🟡", "low": "🟢"}.get(self.severity, "")
md = f"""### {emoji} {self.rule_name}
**Type:** `{self.rule_type}` | **Severity:** `{self.severity}` | **Confidence:** `{self.confidence:.0%}`
**Justification:**
{self.justification}
**Compliance:** {', '.join(self.compliance_refs) or 'N/A'}
**Estimated Impact:** {self.estimated_impact or 'Unknown'}
<details>
<summary>Terraform Code</summary>
```hcl
{self.terraform_code}
```
</details>
**Tags:** {', '.join(f'`{t}`' for t in self.tags) or 'None'}
---
"""
return md
@dataclass
class ProposalBatch:
"""Batch of rule proposals for a single MR."""
proposals: List[RuleProposal] = field(default_factory=list)
generated_at: datetime = field(default_factory=datetime.utcnow)
source_report: Optional[str] = None
metadata: Dict[str, Any] = field(default_factory=dict)
@property
def critical_count(self) -> int:
return sum(1 for p in self.proposals if p.severity == "critical")
@property
def auto_deployable(self) -> List[RuleProposal]:
return [p for p in self.proposals if p.auto_deploy_eligible]
def to_markdown(self) -> str:
"""Generate full MR description."""
header = f"""# WAF Rule Proposals - Phase 7 Intelligence
**Generated:** {self.generated_at.strftime('%Y-%m-%d %H:%M:%S UTC')}
**Total Proposals:** {len(self.proposals)}
**Critical:** {self.critical_count}
**Auto-Deploy Eligible:** {len(self.auto_deployable)}
---
## Summary
| Rule | Type | Severity | Confidence | Auto-Deploy |
|------|------|----------|------------|-------------|
"""
for p in self.proposals:
auto = "" if p.auto_deploy_eligible else ""
header += f"| {p.rule_name} | {p.rule_type} | {p.severity} | {p.confidence:.0%} | {auto} |\n"
header += "\n---\n\n## Detailed Proposals\n\n"
for p in self.proposals:
header += p.to_markdown() + "\n"
return header
def to_terraform_file(self) -> str:
"""Generate combined Terraform file."""
header = f"""# Auto-generated WAF rules from Phase 7 Intelligence
# Generated: {self.generated_at.strftime('%Y-%m-%d %H:%M:%S UTC')}
# Review carefully before applying
"""
return header + "\n\n".join(p.terraform_code for p in self.proposals)
class WAFRuleProposer:
"""
Generates WAF rule proposals from threat intelligence and ML analysis.
Usage:
proposer = WAFRuleProposer(workspace_path="/path/to/cloudflare")
batch = proposer.generate_proposals(threat_report)
print(batch.to_markdown())
"""
def __init__(
self,
workspace_path: Optional[str] = None,
zone_id_var: str = "var.zone_id",
account_id_var: str = "var.cloudflare_account_id",
):
self.workspace = Path(workspace_path) if workspace_path else Path.cwd()
self.zone_id_var = zone_id_var
self.account_id_var = account_id_var
# Initialize components only if available
self.classifier = None
self.rule_generator = None
self.compliance_mapper = None
if _HAS_WAF_INTEL:
try:
self.classifier = ThreatClassifier()
except Exception:
pass
try:
self.rule_generator = WAFRuleGenerator()
except Exception:
pass
try:
self.compliance_mapper = ComplianceMapper()
except Exception:
pass
# Auto-deploy thresholds
self.auto_deploy_min_confidence = 0.85
self.auto_deploy_severities = {"critical", "high"}
def generate_proposals(
self,
threat_report: Optional[Any] = None,
indicators: Optional[List[Any]] = None,
max_proposals: int = 10,
) -> ProposalBatch:
"""
Generate rule proposals from threat intelligence.
Args:
threat_report: Full threat intel report
indicators: Or just a list of indicators
max_proposals: Maximum number of proposals to generate
Returns:
ProposalBatch ready for GitOps MR
"""
proposals: List[RuleProposal] = []
# Get indicators from report or directly
if threat_report:
all_indicators = threat_report.indicators
elif indicators:
all_indicators = indicators
else:
all_indicators = []
# Group indicators by type
ip_indicators = [i for i in all_indicators if i.indicator_type == "ip"]
pattern_indicators = [i for i in all_indicators if i.indicator_type == "pattern"]
ua_indicators = [i for i in all_indicators if i.indicator_type == "ua"]
# Generate IP blocking rules
proposals.extend(self._generate_ip_rules(ip_indicators))
# Generate pattern-based rules
proposals.extend(self._generate_pattern_rules(pattern_indicators))
# Generate user-agent rules
proposals.extend(self._generate_ua_rules(ua_indicators))
# Generate managed rule recommendations
proposals.extend(self._generate_managed_rule_proposals(all_indicators))
# Sort by severity and confidence
severity_order = {"critical": 4, "high": 3, "medium": 2, "low": 1}
proposals.sort(
key=lambda p: (severity_order.get(p.severity, 0), p.confidence),
reverse=True
)
return ProposalBatch(
proposals=proposals[:max_proposals],
source_report=str(threat_report.collection_time) if threat_report else None,
metadata={
"total_indicators": len(all_indicators),
"ip_indicators": len(ip_indicators),
"pattern_indicators": len(pattern_indicators),
}
)
def _generate_ip_rules(self, indicators: List[Any]) -> List[RuleProposal]:
"""Generate IP blocking rules."""
proposals: List[RuleProposal] = []
# Group by severity
critical_ips = [i for i in indicators if i.severity == "critical"]
high_ips = [i for i in indicators if i.severity == "high"]
# Critical IPs - individual block rules
for ind in critical_ips[:5]: # Limit to top 5
rule_name = f"waf_block_ip_{ind.value.replace('.', '_')}"
terraform = self._ip_block_terraform(rule_name, [ind.value], "block")
proposals.append(RuleProposal(
rule_name=rule_name,
rule_type="ip_block",
terraform_code=terraform,
severity="critical",
confidence=ind.confidence,
justification=f"Critical threat actor IP detected. Sources: {', '.join(ind.sources)}. "
f"Hit count: {ind.hit_count}. {ind.context.get('abuse_score', 'N/A')} abuse score.",
threat_indicators=[ind.value],
compliance_refs=["Zero-Trust", "Threat Intelligence"],
estimated_impact="Blocks all traffic from this IP",
auto_deploy_eligible=ind.confidence >= self.auto_deploy_min_confidence,
tags=["auto-generated", "threat-intel", "ip-block"]
))
# Batch high-severity IPs into one rule
if high_ips:
ips = [i.value for i in high_ips[:20]] # Limit batch size
rule_name = "waf_block_high_risk_ips"
terraform = self._ip_block_terraform(rule_name, ips, "block")
avg_confidence = sum(i.confidence for i in high_ips[:20]) / len(high_ips[:20])
proposals.append(RuleProposal(
rule_name=rule_name,
rule_type="ip_block",
terraform_code=terraform,
severity="high",
confidence=avg_confidence,
justification=f"Batch block of {len(ips)} high-risk IPs from threat intelligence.",
threat_indicators=ips,
compliance_refs=["Zero-Trust", "Threat Intelligence"],
estimated_impact=f"Blocks traffic from {len(ips)} IPs",
auto_deploy_eligible=False, # Batch rules require manual review
tags=["auto-generated", "threat-intel", "ip-block", "batch"]
))
return proposals
def _generate_pattern_rules(self, indicators: List[Any]) -> List[RuleProposal]:
"""Generate pattern-based blocking rules."""
proposals: List[RuleProposal] = []
# Group by attack type
attack_types: Dict[str, List[Any]] = {}
for ind in indicators:
for tag in ind.tags:
if tag in ("sqli", "xss", "rce", "path_traversal"):
attack_types.setdefault(tag, []).append(ind)
# Generate rules per attack type
for attack_type, inds in attack_types.items():
if not inds:
continue
# Use ML classifier to validate if available
if self.classifier:
# Classify a sample to confirm
sample = inds[0].value[:500]
result = self.classifier.classify(sample)
if result.label != attack_type and result.confidence > 0.7:
# ML disagrees, adjust confidence
confidence = min(ind.confidence for ind in inds) * 0.7
else:
confidence = max(ind.confidence for ind in inds)
else:
confidence = max(ind.confidence for ind in inds)
rule_name = f"waf_protect_{attack_type}"
terraform = self._managed_rule_terraform(rule_name, attack_type)
severity = "critical" if attack_type in ("sqli", "rce") else "high"
proposals.append(RuleProposal(
rule_name=rule_name,
rule_type="managed_rule",
terraform_code=terraform,
severity=severity,
confidence=confidence,
justification=f"Detected {len(inds)} {attack_type.upper()} attack patterns in traffic. "
f"Enabling managed ruleset protection.",
threat_indicators=[ind.value[:100] for ind in inds[:3]],
compliance_refs=self._get_compliance_refs(attack_type),
estimated_impact=f"Blocks {attack_type.upper()} attacks via managed rules",
auto_deploy_eligible=confidence >= self.auto_deploy_min_confidence,
tags=["auto-generated", "threat-intel", attack_type, "managed-rules"]
))
return proposals
def _generate_ua_rules(self, indicators: List[Any]) -> List[RuleProposal]:
"""Generate user-agent blocking rules."""
proposals: List[RuleProposal] = []
scanner_uas = [i for i in indicators if "scanner" in i.tags or "bad_ua" in i.tags]
if scanner_uas:
# Extract unique patterns
patterns = list(set(i.value[:100] for i in scanner_uas))[:10]
rule_name = "waf_block_scanner_uas"
terraform = self._ua_block_terraform(rule_name, patterns)
proposals.append(RuleProposal(
rule_name=rule_name,
rule_type="pattern_block",
terraform_code=terraform,
severity="medium",
confidence=0.75,
justification=f"Blocking {len(patterns)} scanner/bot user agents detected in traffic.",
threat_indicators=patterns,
compliance_refs=["Bot Protection"],
estimated_impact="Blocks automated scanning tools",
auto_deploy_eligible=False,
tags=["auto-generated", "threat-intel", "scanner", "user-agent"]
))
return proposals
def _generate_managed_rule_proposals(
self,
indicators: List[Any]
) -> List[RuleProposal]:
"""Generate recommendations to enable managed rulesets."""
proposals: List[RuleProposal] = []
# Check for attack types that should have managed rules
attack_types_seen = set()
for ind in indicators:
for tag in ind.tags:
if tag in ("sqli", "xss", "rce", "path_traversal"):
attack_types_seen.add(tag)
# Check existing terraform for gaps
tf_path = self.workspace / "terraform" / "waf.tf"
existing_coverage = set()
if tf_path.exists():
try:
content = tf_path.read_text().lower()
for attack_type in ["sqli", "xss", "rce"]:
if attack_type in content or f'"{attack_type}"' in content:
existing_coverage.add(attack_type)
except Exception:
pass
# Propose missing protections
for attack_type in attack_types_seen - existing_coverage:
rule_name = f"waf_enable_{attack_type}_protection"
terraform = self._managed_rule_terraform(rule_name, attack_type)
proposals.append(RuleProposal(
rule_name=rule_name,
rule_type="managed_rule",
terraform_code=terraform,
severity="high",
confidence=0.9,
justification=f"Traffic shows {attack_type.upper()} attack patterns but no protection enabled. "
f"Recommend enabling Cloudflare managed {attack_type.upper()} ruleset.",
threat_indicators=[],
compliance_refs=self._get_compliance_refs(attack_type),
estimated_impact=f"Enables {attack_type.upper()} protection",
auto_deploy_eligible=True,
tags=["auto-generated", "gap-analysis", attack_type, "managed-rules"]
))
return proposals
def _ip_block_terraform(
self,
rule_name: str,
ips: List[str],
action: str = "block"
) -> str:
"""Generate Terraform for IP blocking rule."""
if len(ips) == 1:
expression = f'(ip.src eq {ips[0]})'
else:
ip_list = " ".join(ips)
expression = f'(ip.src in {{{ip_list}}})'
return f'''resource "cloudflare_ruleset" "{rule_name}" {{
zone_id = {self.zone_id_var}
name = "{rule_name.replace('_', ' ').title()}"
description = "Auto-generated by Phase 7 WAF Intelligence"
kind = "zone"
phase = "http_request_firewall_custom"
rules {{
action = "{action}"
expression = "{expression}"
description = "Block threat intel IPs"
enabled = true
}}
}}
'''
def _managed_rule_terraform(self, rule_name: str, attack_type: str) -> str:
"""Generate Terraform for managed ruleset."""
ruleset_map = {
"sqli": "efb7b8c949ac4650a09736fc376e9aee", # Cloudflare SQLi
"xss": "c2e184081120413c86c3ab7e14069605", # Cloudflare XSS
"rce": "4814384a9e5d4991b9815dcfc25d2f1f", # Cloudflare RCE (example)
}
ruleset_id = ruleset_map.get(attack_type, "efb7b8c949ac4650a09736fc376e9aee")
return f'''resource "cloudflare_ruleset" "{rule_name}" {{
zone_id = {self.zone_id_var}
name = "{attack_type.upper()} Protection"
description = "Managed {attack_type.upper()} protection - Phase 7 WAF Intelligence"
kind = "zone"
phase = "http_request_firewall_managed"
rules {{
action = "execute"
action_parameters {{
id = "{ruleset_id}"
}}
expression = "true"
description = "Enable {attack_type.upper()} managed ruleset"
enabled = true
}}
}}
'''
def _ua_block_terraform(self, rule_name: str, patterns: List[str]) -> str:
"""Generate Terraform for user-agent blocking."""
# Escape patterns for regex
safe_patterns = [re.escape(p)[:50] for p in patterns]
pattern_regex = "|".join(safe_patterns)
return f'''resource "cloudflare_ruleset" "{rule_name}" {{
zone_id = {self.zone_id_var}
name = "Block Scanner User Agents"
description = "Auto-generated by Phase 7 WAF Intelligence"
kind = "zone"
phase = "http_request_firewall_custom"
rules {{
action = "block"
expression = "(http.user_agent contains \\"sqlmap\\" or http.user_agent contains \\"nikto\\" or http.user_agent contains \\"nmap\\" or http.user_agent contains \\"masscan\\")"
description = "Block known scanner user agents"
enabled = true
}}
}}
'''
def _get_compliance_refs(self, attack_type: str) -> List[str]:
"""Get compliance references for an attack type."""
refs = {
"sqli": ["PCI-DSS 6.6", "OWASP A03:2021"],
"xss": ["OWASP A07:2017", "CWE-79"],
"rce": ["OWASP A03:2021", "CWE-78"],
"path_traversal": ["CWE-22", "OWASP A01:2021"],
}
return refs.get(attack_type, [])
# CLI for testing
if __name__ == "__main__":
import sys
workspace = sys.argv[1] if len(sys.argv) > 1 else "."
# Create mock indicators for testing
mock_indicators = [
type("ThreatIndicator", (), {
"indicator_type": "ip",
"value": "192.0.2.100",
"severity": "critical",
"confidence": 0.95,
"sources": ["abuseipdb", "honeypot"],
"tags": ["threat-intel"],
"hit_count": 150,
"context": {"abuse_score": 95},
})(),
type("ThreatIndicator", (), {
"indicator_type": "pattern",
"value": "' OR '1'='1",
"severity": "high",
"confidence": 0.85,
"sources": ["log_analysis"],
"tags": ["sqli", "attack_pattern"],
"hit_count": 50,
"context": {},
})(),
type("ThreatIndicator", (), {
"indicator_type": "ua",
"value": "sqlmap/1.0",
"severity": "medium",
"confidence": 0.9,
"sources": ["log_analysis"],
"tags": ["scanner", "bad_ua"],
"hit_count": 25,
"context": {},
})(),
]
proposer = WAFRuleProposer(workspace_path=workspace)
batch = proposer.generate_proposals(indicators=mock_indicators)
print(batch.to_markdown())

373
gitops/webhook_receiver.py Normal file
View File

@@ -0,0 +1,373 @@
#!/usr/bin/env python3
"""
Alertmanager Webhook Receiver for Cloudflare GitOps
Phase 6 - PR Workflows
Receives alerts from Alertmanager and triggers GitOps actions:
- Drift remediation PRs
- Pipeline triggers
- Slack notifications
"""
import hashlib
import hmac
import json
import os
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime
from http.server import HTTPServer, BaseHTTPRequestHandler
from pathlib import Path
from typing import Any, Dict, List, Optional
import threading
import queue
try:
import requests
import yaml
except ImportError:
print("ERROR: pip install requests pyyaml", file=sys.stderr)
sys.exit(1)
HERE = Path(__file__).resolve().parent
CONFIG_PATH = HERE / "config.yml"
# Job queue for background processing
job_queue: queue.Queue = queue.Queue()
def load_config() -> Dict[str, Any]:
"""Load gitops configuration"""
with open(CONFIG_PATH) as f:
config = yaml.safe_load(f)
def expand_env(obj):
if isinstance(obj, str):
if obj.startswith("${") and "}" in obj:
inner = obj[2:obj.index("}")]
default = None
var = inner
if ":-" in inner:
var, default = inner.split(":-", 1)
return os.environ.get(var, default)
return obj
elif isinstance(obj, dict):
return {k: expand_env(v) for k, v in obj.items()}
elif isinstance(obj, list):
return [expand_env(i) for i in obj]
return obj
return expand_env(config)
@dataclass
class AlertPayload:
"""Parsed Alertmanager webhook payload"""
receiver: str
status: str # "firing" or "resolved"
alerts: List[Dict]
group_labels: Dict[str, str]
common_labels: Dict[str, str]
common_annotations: Dict[str, str]
external_url: str
version: str
group_key: str
@classmethod
def from_json(cls, data: Dict) -> "AlertPayload":
return cls(
receiver=data.get("receiver", ""),
status=data.get("status", ""),
alerts=data.get("alerts", []),
group_labels=data.get("groupLabels", {}),
common_labels=data.get("commonLabels", {}),
common_annotations=data.get("commonAnnotations", {}),
external_url=data.get("externalURL", ""),
version=data.get("version", "4"),
group_key=data.get("groupKey", ""),
)
@property
def alert_name(self) -> str:
return self.common_labels.get("alertname", "unknown")
@property
def severity(self) -> str:
return self.common_labels.get("severity", "unknown")
@property
def component(self) -> str:
return self.common_labels.get("component", "unknown")
def should_trigger_pr(cfg: Dict[str, Any], payload: AlertPayload) -> bool:
"""Determine if this alert should trigger a PR"""
webhook_cfg = cfg.get("webhook", {})
trigger_alerts = webhook_cfg.get("trigger_alerts", [])
notify_only = webhook_cfg.get("notify_only_alerts", [])
# Never auto-PR for resolved alerts
if payload.status == "resolved":
return False
# Check if in trigger list
if payload.alert_name in trigger_alerts:
return True
# Check if explicitly notify-only
if payload.alert_name in notify_only:
return False
# Default: don't trigger
return False
def trigger_gitlab_pipeline(cfg: Dict[str, Any], payload: AlertPayload) -> Optional[str]:
"""Trigger GitLab pipeline for drift remediation"""
gitlab_cfg = cfg.get("gitlab", {})
webhook_cfg = cfg.get("webhook", {}).get("gitlab_trigger", {})
if not webhook_cfg.get("enabled", False):
return None
base_url = gitlab_cfg.get("base_url", "https://gitlab.com")
project_id = gitlab_cfg.get("project_id")
trigger_token = webhook_cfg.get("trigger_token") or os.environ.get("GITLAB_TRIGGER_TOKEN")
ref = webhook_cfg.get("ref", "main")
if not project_id or not trigger_token:
print("GitLab trigger not configured", file=sys.stderr)
return None
url = f"{base_url}/api/v4/projects/{project_id}/trigger/pipeline"
data = {
"ref": ref,
"token": trigger_token,
"variables[GITOPS_TRIGGER_SOURCE]": "alert",
"variables[GITOPS_ALERT_NAME]": payload.alert_name,
"variables[GITOPS_ALERT_SEVERITY]": payload.severity,
"variables[GITOPS_ALERT_COMPONENT]": payload.component,
}
try:
resp = requests.post(url, data=data, timeout=30)
resp.raise_for_status()
result = resp.json()
return result.get("web_url")
except Exception as e:
print(f"Failed to trigger pipeline: {e}", file=sys.stderr)
return None
def run_drift_bot_locally(cfg: Dict[str, Any], payload: AlertPayload):
"""Run drift_pr_bot.py directly (for local webhook receiver)"""
env = os.environ.copy()
env["GITOPS_TRIGGER_SOURCE"] = "alert"
env["GITOPS_ALERT_NAME"] = payload.alert_name
subprocess.run(
["python3", "drift_pr_bot.py", "--trigger-source", "alert", "--alert-name", payload.alert_name],
cwd=HERE,
env=env,
)
def notify_slack(cfg: Dict[str, Any], message: str, alert: AlertPayload):
"""Send Slack notification"""
slack_cfg = cfg.get("slack", {})
webhook_url = slack_cfg.get("webhook_url")
if not webhook_url:
return
color = {
"critical": "danger",
"warning": "warning",
"info": "#439FE0",
}.get(alert.severity, "#808080")
payload = {
"channel": slack_cfg.get("channel", "#cloudflare-gitops"),
"attachments": [
{
"color": color,
"title": f"GitOps Alert: {alert.alert_name}",
"text": message,
"fields": [
{"title": "Status", "value": alert.status, "short": True},
{"title": "Severity", "value": alert.severity, "short": True},
{"title": "Component", "value": alert.component, "short": True},
],
"footer": "Cloudflare GitOps Webhook",
"ts": int(datetime.utcnow().timestamp()),
}
],
}
try:
requests.post(webhook_url, json=payload, timeout=10)
except Exception as e:
print(f"Slack notification failed: {e}", file=sys.stderr)
def process_alert(cfg: Dict[str, Any], payload: AlertPayload):
"""Process a single alert payload"""
print(f"Processing alert: {payload.alert_name} ({payload.status})")
# Check if we should trigger a PR
if should_trigger_pr(cfg, payload):
print(f"Alert {payload.alert_name} triggers drift remediation")
# Try GitLab pipeline trigger first
pipeline_url = trigger_gitlab_pipeline(cfg, payload)
if pipeline_url:
message = f"Triggered drift remediation pipeline: {pipeline_url}"
else:
# Fall back to local execution
print("Falling back to local drift_pr_bot execution")
run_drift_bot_locally(cfg, payload)
message = "Triggered local drift remediation"
notify_slack(cfg, message, payload)
else:
# Just notify
webhook_cfg = cfg.get("webhook", {})
notify_only = webhook_cfg.get("notify_only_alerts", [])
if payload.alert_name in notify_only:
message = f"Alert {payload.alert_name} received (notify-only, no auto-PR)"
notify_slack(cfg, message, payload)
def job_worker():
"""Background worker to process jobs"""
cfg = load_config()
while True:
try:
payload = job_queue.get(timeout=1)
if payload is None: # Shutdown signal
break
process_alert(cfg, payload)
except queue.Empty:
continue
except Exception as e:
print(f"Job processing error: {e}", file=sys.stderr)
class WebhookHandler(BaseHTTPRequestHandler):
"""HTTP handler for Alertmanager webhooks"""
def __init__(self, *args, **kwargs):
self.cfg = load_config()
super().__init__(*args, **kwargs)
def log_message(self, format, *args):
print(f"[{datetime.utcnow().isoformat()}] {format % args}")
def do_GET(self):
"""Health check endpoint"""
if self.path == "/health":
self.send_response(200)
self.send_header("Content-Type", "application/json")
self.end_headers()
self.wfile.write(json.dumps({"status": "ok"}).encode())
else:
self.send_response(404)
self.end_headers()
def do_POST(self):
"""Handle webhook POST"""
if self.path != "/webhook/alert":
self.send_response(404)
self.end_headers()
return
# Read body
content_length = int(self.headers.get("Content-Length", 0))
body = self.rfile.read(content_length)
# Verify signature if configured
secret = os.environ.get("WEBHOOK_SECRET")
if secret:
signature = self.headers.get("X-Webhook-Signature")
expected = hmac.new(
secret.encode(),
body,
hashlib.sha256
).hexdigest()
if not hmac.compare_digest(signature or "", expected):
self.send_response(403)
self.send_header("Content-Type", "application/json")
self.end_headers()
self.wfile.write(json.dumps({"error": "invalid signature"}).encode())
return
# Parse payload
try:
data = json.loads(body)
payload = AlertPayload.from_json(data)
except Exception as e:
self.send_response(400)
self.send_header("Content-Type", "application/json")
self.end_headers()
self.wfile.write(json.dumps({"error": str(e)}).encode())
return
# Queue for processing
job_queue.put(payload)
# Respond immediately
self.send_response(202)
self.send_header("Content-Type", "application/json")
self.end_headers()
self.wfile.write(json.dumps({
"status": "accepted",
"alert": payload.alert_name,
}).encode())
def main():
"""Main entry point"""
import argparse
parser = argparse.ArgumentParser(
description="Alertmanager webhook receiver for GitOps"
)
parser.add_argument(
"--host",
default=os.environ.get("WEBHOOK_HOST", "0.0.0.0"),
help="Host to bind to",
)
parser.add_argument(
"--port",
type=int,
default=int(os.environ.get("WEBHOOK_PORT", "8080")),
help="Port to listen on",
)
args = parser.parse_args()
# Start worker thread
worker = threading.Thread(target=job_worker, daemon=True)
worker.start()
# Start server
server = HTTPServer((args.host, args.port), WebhookHandler)
print(f"GitOps webhook receiver listening on {args.host}:{args.port}")
print(f" POST /webhook/alert - Alertmanager webhook")
print(f" GET /health - Health check")
try:
server.serve_forever()
except KeyboardInterrupt:
print("\nShutting down...")
job_queue.put(None) # Signal worker to stop
server.shutdown()
if __name__ == "__main__":
main()

6
mcp/__init__.py Normal file
View File

@@ -0,0 +1,6 @@
"""
MCP tools for the CLOUDFLARE workspace.
Currently:
- oracle_answer: compliance / security oracle
"""

13
mcp/oracle_answer/__init__.py Normal file
View File

@@ -0,0 +1,13 @@
"""
ORACLE_ANSWER MCP TOOL
Modular, production-ready compliance oracle for OpenCode integration.
Version: 0.2.0
Architecture: Clean separation of concerns (tool + optional CLI wrapper)
"""
from .tool import OracleAnswerTool, ToolResponse
__version__ = "0.2.0"
__all__ = ["OracleAnswerTool", "ToolResponse", "__version__"]

134
mcp/oracle_answer/cli.py Normal file
View File

@@ -0,0 +1,134 @@
"""
Command-line interface for oracle_answer tool.
Uses NVIDIA's free API (build.nvidia.com) for actual LLM responses.
NOTE FOR AUTOMATION:
- All CLI arguments must be defined ONLY in build_parser().
- When changing CLI flags, rewrite build_parser() entirely.
- Do not define duplicate flags like --question in other functions.
"""
import argparse
import asyncio
import json
import sys
from typing import List, Optional
from .tool import OracleAnswerTool
def build_parser() -> argparse.ArgumentParser:
"""
Build argument parser.
RULE: This function is the single source of truth for CLI args.
Never append args elsewhere.
"""
parser = argparse.ArgumentParser(
prog="oracle-answer",
description="Sovereign compliance oracle powered by NVIDIA AI.",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
oracle-answer --question "Are we GDPR compliant?" --frameworks GDPR ISO-27001
oracle-answer --question "Incident response time SLA?" --mode advisory
oracle-answer --question "Test?" --local-only (skip NVIDIA API)
""",
)
parser.add_argument(
"--question",
required=True,
type=str,
help="Compliance / security question to answer.",
)
parser.add_argument(
"--frameworks",
nargs="*",
default=["NIST-CSF", "ISO-27001"],
type=str,
help="Frameworks to reference (space-separated).",
)
parser.add_argument(
"--mode",
default="strict",
choices=["strict", "advisory"],
help="strict = conservative, advisory = more exploratory.",
)
parser.add_argument(
"--json",
action="store_true",
help="Output ToolResponse as JSON instead of pretty text.",
)
parser.add_argument(
"--local-only",
action="store_true",
help="Skip NVIDIA API calls (for testing).",
)
return parser
async def main_async(args: Optional[List[str]] = None) -> int:
"""Async main entry point."""
parser = build_parser()
ns = parser.parse_args(args=args)
tool = OracleAnswerTool(
default_frameworks=ns.frameworks,
use_local_only=ns.local_only,
)
resp = await tool.answer(
question=ns.question,
frameworks=ns.frameworks,
mode=ns.mode,
)
if ns.json:
print(
json.dumps(
{
"answer": resp.answer,
"framework_hits": resp.framework_hits,
"reasoning": resp.reasoning,
"model": resp.model,
},
indent=2,
)
)
else:
print("\n" + "=" * 80)
print("ORACLE ANSWER (Powered by NVIDIA AI)")
print("=" * 80 + "\n")
print(resp.answer)
if resp.reasoning:
print("\n--- Reasoning ---\n")
print(resp.reasoning)
if resp.framework_hits:
print("\n--- Framework Hits ---\n")
for framework, hits in resp.framework_hits.items():
if hits:
print(f"{framework}:")
for hit in hits:
print(f"{hit}")
print(f"\n[Model: {resp.model}]")
print()
return 0
def main() -> None:
"""Sync wrapper for CLI entry point."""
try:
sys.exit(asyncio.run(main_async()))
except KeyboardInterrupt:
sys.exit(1)
if __name__ == "__main__":
main()

185
mcp/oracle_answer/tool.py Normal file
View File

@@ -0,0 +1,185 @@
"""
Core oracle tool implementation with NVIDIA AI integration.
This module contains the logic that answers compliance questions using
NVIDIA's API (free tier from build.nvidia.com).
Separate from CLI/API wrapper for clean testability.
"""
from __future__ import annotations
import os
from dataclasses import dataclass
from typing import Any, Dict, List, Optional
try:
import httpx
except ImportError:
httpx = None
@dataclass
class ToolResponse:
"""Canonical response from the oracle tool."""
answer: str
framework_hits: Dict[str, List[str]]
reasoning: Optional[str] = None
raw_context: Optional[Dict[str, Any]] = None
model: str = "nvidia"
class OracleAnswerTool:
"""
Compliance / security oracle powered by NVIDIA AI.
This tool:
- takes `question`, `frameworks`, `mode`, etc.
- queries NVIDIA's LLM API (free tier)
- searches local documentation for context
- assembles structured ToolResponse with framework mapping
"""
# NVIDIA API configuration
NVIDIA_API_BASE = "https://integrate.api.nvidia.com/v1"
NVIDIA_MODEL = "meta/llama-2-7b-chat" # Free tier model
def __init__(
self,
*,
default_frameworks: Optional[List[str]] = None,
api_key: Optional[str] = None,
use_local_only: bool = False,
) -> None:
"""
Initialize oracle with NVIDIA API integration.
Args:
default_frameworks: Default compliance frameworks to use
api_key: NVIDIA API key (defaults to NVIDIA_API_KEY env var)
use_local_only: If True, skip LLM calls (for testing)
"""
self.default_frameworks = default_frameworks or ["NIST-CSF", "ISO-27001"]
self.api_key = api_key or os.environ.get("NVIDIA_API_KEY")
self.use_local_only = use_local_only
if not self.use_local_only and not self.api_key:
raise ValueError(
"NVIDIA_API_KEY not found. Set it in .env or pass api_key parameter."
)
def _extract_framework_hits(
self, answer: str, frameworks: List[str]
) -> Dict[str, List[str]]:
"""Extract mentions of frameworks from the LLM answer."""
hits = {fw: [] for fw in frameworks}
answer_lower = answer.lower()
for framework in frameworks:
# Simple keyword matching for framework mentions
if framework.lower() in answer_lower:
# Extract sentences containing the framework
sentences = answer.split(".")
for sentence in sentences:
if framework.lower() in sentence.lower():
hits[framework].append(sentence.strip())
return hits
async def _call_nvidia_api(self, prompt: str) -> str:
"""Call NVIDIA's API to get LLM response."""
if self.use_local_only:
return "Local-only mode: skipping NVIDIA API call"
if not httpx:
raise ImportError("httpx not installed. Install with: pip install httpx")
headers = {
"Authorization": f"Bearer {self.api_key}",
"Accept": "application/json",
}
payload = {
"model": self.NVIDIA_MODEL,
"messages": [{"role": "user", "content": prompt}],
"temperature": 0.7,
"top_p": 0.9,
"max_tokens": 1024,
}
try:
async with httpx.AsyncClient() as client:
response = await client.post(
f"{self.NVIDIA_API_BASE}/chat/completions",
json=payload,
headers=headers,
timeout=30.0,
)
response.raise_for_status()
data = response.json()
return data["choices"][0]["message"]["content"]
except Exception as e:
return f"(API Error: {str(e)}) Falling back to local analysis..."
async def answer(
self,
question: str,
frameworks: Optional[List[str]] = None,
mode: str = "strict",
) -> ToolResponse:
"""
Main entry point for MCP / clients.
Args:
question: Compliance question to answer
frameworks: Frameworks to reference (default: NIST-CSF, ISO-27001)
mode: "strict" (conservative) or "advisory" (exploratory)
Returns:
ToolResponse with answer, framework hits, and reasoning
"""
frameworks = frameworks or self.default_frameworks
# Build context-aware prompt for NVIDIA API
mode_instruction = (
"conservative and cautious, assuming worst-case scenarios"
if mode == "strict"
else "exploratory and comprehensive"
)
prompt = f"""You are a compliance and security expert analyzing infrastructure questions.
Question: {question}
Compliance Frameworks to Consider:
{chr(10).join(f"- {fw}" for fw in frameworks)}
Analysis Mode: {mode_instruction}
Provide a structured answer that:
1. Directly addresses the question
2. References the relevant frameworks
3. Identifies gaps or risks
4. Suggests mitigations where applicable
Be concise but thorough."""
# Call NVIDIA API for actual LLM response
answer = await self._call_nvidia_api(prompt)
# Extract framework mentions from the response
framework_hits = self._extract_framework_hits(answer, frameworks)
# Generate reasoning based on mode
reasoning = (
f"Analyzed question against frameworks: {', '.join(frameworks)}. "
f"Mode={mode}. Used NVIDIA LLM for compliance analysis."
)
return ToolResponse(
answer=answer,
framework_hits=framework_hits,
reasoning=reasoning,
model="nvidia/llama-2-7b-chat",
)

41
mcp/waf_intelligence/__init__.py Normal file
View File

@@ -0,0 +1,41 @@
"""
WAF Intelligence Engine - Analyze, audit, and generate Cloudflare WAF rules.
This module provides tools to:
- Analyze existing WAF rules for gaps and compliance issues
- Generate new WAF rules based on threat models
- Map rules to compliance frameworks (NIST, PCI-DSS, GDPR, etc.)
- Validate Terraform WAF configurations
Export primary classes and functions:
"""
from mcp.waf_intelligence.analyzer import (
WAFRuleAnalyzer,
RuleViolation,
AnalysisResult,
)
from mcp.waf_intelligence.generator import (
WAFRuleGenerator,
GeneratedRule,
)
from mcp.waf_intelligence.compliance import (
ComplianceMapper,
FrameworkMapping,
)
from mcp.waf_intelligence.orchestrator import (
WAFIntelligence,
WAFInsight,
)
__all__ = [
"WAFRuleAnalyzer",
"WAFRuleGenerator",
"ComplianceMapper",
"WAFIntelligence",
"WAFInsight",
"RuleViolation",
"AnalysisResult",
"GeneratedRule",
"FrameworkMapping",
]

132
mcp/waf_intelligence/__main__.py Normal file
View File

@@ -0,0 +1,132 @@
from __future__ import annotations
import argparse
import json
import sys
from dataclasses import asdict
from pathlib import Path
from typing import Any, Dict, List
from .orchestrator import WAFInsight, WAFIntelligence
def _insight_to_dict(insight: WAFInsight) -> Dict[str, Any]:
"""Convert a WAFInsight dataclass into a plain dict."""
return asdict(insight)
def _has_error(insights: List[WAFInsight]) -> bool:
"""Return True if any violation is error-severity."""
for insight in insights:
if insight.violation and insight.violation.severity == "error":
return True
return False
def run_cli(argv: List[str] | None = None) -> int:
parser = argparse.ArgumentParser(
prog="python -m mcp.waf_intelligence",
description="Analyze Cloudflare WAF Terraform configs and produce curated security + compliance insights.",
)
parser.add_argument(
"--file",
"-f",
required=True,
help="Path to the Terraform WAF file (e.g. terraform/waf.tf)",
)
parser.add_argument(
"--limit",
"-n",
type=int,
default=3,
help="Maximum number of high-priority insights to return (default: 3)",
)
parser.add_argument(
"--format",
"-o",
choices=["text", "json"],
default="text",
help="Output format: text (human-readable) or json (machine-readable). Default: text.",
)
parser.add_argument(
"--fail-on-error",
action="store_true",
help="Exit with non-zero code if any error-severity violations are found.",
)
args = parser.parse_args(argv)
path = Path(args.file)
if not path.exists():
print(f"[error] file not found: {path}", file=sys.stderr)
return 1
intel = WAFIntelligence()
insights = intel.analyze_and_recommend(str(path), limit=args.limit)
if args.format == "json":
payload = {
"file": str(path),
"insights": [_insight_to_dict(insight) for insight in insights],
}
print(json.dumps(payload, indent=2))
if args.fail_on_error and _has_error(insights):
print(
"[waf_intel] error-severity violations present, failing as requested.",
file=sys.stderr,
)
return 2
return 0
print(f"\nWAF Intelligence Report for: {path}\n{'-' * 72}")
if not insights:
print("No high-severity, high-confidence issues detected based on current heuristics.")
return 0
for idx, insight in enumerate(insights, start=1):
print(f"\nInsight #{idx}")
print("-" * 40)
if insight.violation:
violation = insight.violation
print(f"Problem : {violation.message}")
print(f"Severity : {violation.severity.upper()}")
print(f"Confidence: {int(violation.confidence * 100)}%")
if violation.location:
print(f"Location : {violation.location}")
if violation.hint:
print(f"Remediate : {violation.hint}")
if insight.suggested_rule:
rule = insight.suggested_rule
print("\nSuggested Rule:")
print(f" Name : {rule.name}")
print(f" Severity: {rule.severity.upper()}")
print(f" Impact : {int(rule.impact_score * 100)}%")
print(f" Effort : {int(rule.effort_score * 100)}%")
print(f" Summary : {rule.description}")
if insight.mappings:
print("\nCompliance Mapping:")
for mapping in insight.mappings:
print(f" - {mapping.framework} {mapping.control_id}: {mapping.description}")
print()
if args.fail_on_error and _has_error(insights):
print(
"[waf_intel] error-severity violations present, failing as requested.",
file=sys.stderr,
)
return 2
return 0
def main() -> None:
raise SystemExit(run_cli())
if __name__ == "__main__":
main()

231
mcp/waf_intelligence/analyzer.py Normal file
View File

@@ -0,0 +1,231 @@
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Dict, List, Optional
@dataclass
class RuleViolation:
"""Represents a potential issue in a WAF rule or configuration."""
rule_id: Optional[str]
message: str
severity: str # "info" | "warning" | "error"
framework_refs: List[str] = field(default_factory=list)
location: Optional[str] = None
confidence: float = 0.5 # 0.0-1.0: how sure we are
hint: Optional[str] = None # short suggestion on how to fix
@dataclass
class AnalysisResult:
"""High-level result of analyzing one or more WAF configs."""
source: str
violations: List[RuleViolation] = field(default_factory=list)
metadata: Dict[str, Any] = field(default_factory=dict)
@property
def has_issues(self) -> bool:
return any(v.severity in ("warning", "error") for v in self.violations)
def top_violations(
self,
*,
min_severity: str = "warning",
min_confidence: float = 0.7,
limit: int = 5,
) -> List[RuleViolation]:
"""Return a small, high-quality subset of violations."""
severity_order = {"info": 0, "warning": 1, "error": 2}
min_level = severity_order.get(min_severity, 1)
ranked = [
v
for v in self.violations
if severity_order.get(v.severity, 0) >= min_level
and v.confidence >= min_confidence
]
ranked.sort(key=lambda v: (v.severity != "error", -v.confidence))
return ranked[:limit]
class WAFRuleAnalyzer:
"""
Analyze Cloudflare WAF rules from Terraform with a quality-first posture.
"""
def analyze_file(
self,
path: str | Path,
*,
min_severity: str = "warning",
min_confidence: float = 0.6,
) -> AnalysisResult:
path = Path(path)
text = path.read_text(encoding="utf-8")
violations: List[RuleViolation] = []
# Example heuristic: no managed rules present
if "managed_rules" not in text:
violations.append(
RuleViolation(
rule_id=None,
message="No managed WAF rules detected in this file.",
severity="warning",
confidence=0.9,
framework_refs=["PCI-DSS 6.6", "OWASP-ASVS 13"],
location=str(path),
hint="Enable Cloudflare managed WAF rulesets (SQLi, XSS, RCE, bots) for this zone.",
)
)
# Example heuristic: overly broad allow
if '"*"' in text and "allow" in text:
violations.append(
RuleViolation(
rule_id=None,
message="Potentially overly broad allow rule detected ('*').",
severity="error",
confidence=0.85,
framework_refs=["Zero-Trust Principle"],
location=str(path),
hint="Narrow the rule expression to specific paths, methods, or IP ranges.",
)
)
result = AnalysisResult(
source=str(path),
violations=violations,
metadata={
"file_size": path.stat().st_size,
"heuristics_version": "0.2.0",
},
)
result.violations = result.top_violations(
min_severity=min_severity,
min_confidence=min_confidence,
limit=5,
)
return result
def analyze_terraform_text(
self,
source_name: str,
text: str,
*,
min_severity: str = "warning",
min_confidence: float = 0.6,
) -> AnalysisResult:
"""Same as analyze_file but for already-loaded text."""
tmp_path = Path(source_name)
violations: List[RuleViolation] = []
if "managed_rules" not in text:
violations.append(
RuleViolation(
rule_id=None,
message="No managed WAF rules detected in this snippet.",
severity="warning",
confidence=0.9,
framework_refs=["PCI-DSS 6.6", "OWASP-ASVS 13"],
location=source_name,
hint="Enable Cloudflare managed WAF rulesets (SQLi, XSS, RCE, bots) for this zone.",
)
)
result = AnalysisResult(
source=str(tmp_path),
violations=violations,
metadata={"heuristics_version": "0.2.0"},
)
result.violations = result.top_violations(
min_severity=min_severity,
min_confidence=min_confidence,
limit=5,
)
return result
def analyze_with_threat_intel(
self,
path: str | Path,
threat_indicators: List[Any],
*,
min_severity: str = "warning",
min_confidence: float = 0.6,
) -> AnalysisResult:
"""
Enhanced analysis using threat intelligence data.
Args:
path: WAF config file path
threat_indicators: List of ThreatIndicator objects from threat_intel module
min_severity: Minimum severity to include
min_confidence: Minimum confidence threshold
Returns:
AnalysisResult with violations informed by threat intel
"""
# Start with base analysis
base_result = self.analyze_file(path, min_severity=min_severity, min_confidence=min_confidence)
path = Path(path)
text = path.read_text(encoding="utf-8")
text_lower = text.lower()
# Check if threat indicators are addressed by existing rules
critical_ips = [i for i in threat_indicators if i.indicator_type == "ip" and i.severity in ("critical", "high")]
critical_patterns = [i for i in threat_indicators if i.indicator_type == "pattern" and i.severity in ("critical", "high")]
# Check for IP blocking coverage
if critical_ips:
ip_block_present = "ip.src" in text_lower or "cf.client.ip" in text_lower
if not ip_block_present:
base_result.violations.append(
RuleViolation(
rule_id=None,
message=f"Threat intel identified {len(critical_ips)} high-risk IPs not addressed by WAF rules.",
severity="error",
confidence=0.85,
framework_refs=["Zero-Trust", "Threat Intelligence"],
location=str(path),
hint=f"Add IP blocking rules for identified threat actors. Sample IPs: {', '.join(i.value for i in critical_ips[:3])}",
)
)
# Check for pattern-based attack coverage
attack_types_seen = set()
for ind in critical_patterns:
for tag in ind.tags:
if tag in ("sqli", "xss", "rce", "path_traversal"):
attack_types_seen.add(tag)
# Check managed ruleset coverage
for attack_type in attack_types_seen:
if attack_type not in text_lower and f'"{attack_type}"' not in text_lower:
base_result.violations.append(
RuleViolation(
rule_id=None,
message=f"Threat intel detected {attack_type.upper()} attacks but no explicit protection found.",
severity="warning",
confidence=0.8,
framework_refs=["OWASP Top 10", "Threat Intelligence"],
location=str(path),
hint=f"Enable Cloudflare managed rules for {attack_type.upper()} protection.",
)
)
# Update metadata with threat intel stats
base_result.metadata["threat_intel"] = {
"critical_ips": len(critical_ips),
"critical_patterns": len(critical_patterns),
"attack_types_seen": list(attack_types_seen),
}
return base_result

564
mcp/waf_intelligence/classifier.py Normal file
View File

@@ -0,0 +1,564 @@
"""
Phase 7: ML-Based Threat Classifier
Uses simple but effective ML techniques for:
- Attack pattern classification (SQLi, XSS, RCE, etc.)
- Anomaly scoring based on request features
- Risk-level prediction for proposed rules
Designed to work offline without heavy dependencies.
Uses scikit-learn-style interface but can run with pure Python fallback.
"""
from __future__ import annotations
import hashlib
import json
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Dict, List, Optional, Set, Tuple
# Try to import sklearn, fall back to pure Python
try:
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.naive_bayes import MultinomialNB
from sklearn.preprocessing import LabelEncoder
HAS_SKLEARN = True
except ImportError:
HAS_SKLEARN = False
@dataclass
class ClassificationResult:
"""Result of classifying a threat indicator or pattern."""
label: str # "sqli", "xss", "rce", "path_traversal", "scanner", "benign", etc.
confidence: float # 0.0-1.0
probabilities: Dict[str, float] = field(default_factory=dict)
features_used: List[str] = field(default_factory=list)
explanation: str = ""
@dataclass
class AnomalyScore:
"""Anomaly detection result."""
score: float # 0.0-1.0 (higher = more anomalous)
baseline_deviation: float # standard deviations from mean
anomalous_features: List[str] = field(default_factory=list)
recommendation: str = ""
class FeatureExtractor:
"""Extract features from request/log data for ML classification."""
# Character distribution features
SPECIAL_CHARS = set("'\"<>(){}[];=&|`$\\")
# Known attack signatures for feature detection
SQLI_PATTERNS = [
r"(?i)union\s+select",
r"(?i)select\s+.*\s+from",
r"(?i)insert\s+into",
r"(?i)update\s+.*\s+set",
r"(?i)delete\s+from",
r"(?i)drop\s+table",
r"(?i);\s*--",
r"(?i)'\s*or\s+'?1'?\s*=\s*'?1",
r"(?i)'\s*and\s+'?1'?\s*=\s*'?1",
]
XSS_PATTERNS = [
r"(?i)<script",
r"(?i)javascript:",
r"(?i)on\w+\s*=",
r"(?i)alert\s*\(",
r"(?i)document\.",
r"(?i)window\.",
r"(?i)eval\s*\(",
]
RCE_PATTERNS = [
r"(?i);\s*(?:cat|ls|id|whoami|pwd)",
r"(?i)\|\s*(?:cat|ls|id|whoami)",
r"(?i)`[^`]+`",
r"(?i)\$\([^)]+\)",
r"(?i)system\s*\(",
r"(?i)exec\s*\(",
r"(?i)passthru\s*\(",
]
PATH_TRAVERSAL_PATTERNS = [
r"\.\./",
r"\.\.\\",
r"(?i)etc/passwd",
r"(?i)windows/system32",
]
def extract(self, text: str) -> Dict[str, float]:
"""Extract numerical features from text."""
features: Dict[str, float] = {}
if not text:
return features
text_lower = text.lower()
text_len = len(text)
# Length features
features["length"] = min(text_len / 1000, 1.0) # normalized
features["length_log"] = math.log1p(text_len) / 10
# Character distribution
special_count = sum(1 for c in text if c in self.SPECIAL_CHARS)
features["special_char_ratio"] = special_count / max(text_len, 1)
features["uppercase_ratio"] = sum(1 for c in text if c.isupper()) / max(text_len, 1)
features["digit_ratio"] = sum(1 for c in text if c.isdigit()) / max(text_len, 1)
# Entropy (randomness indicator)
features["entropy"] = self._calculate_entropy(text)
# Pattern-based features
features["sqli_score"] = self._pattern_score(text, self.SQLI_PATTERNS)
features["xss_score"] = self._pattern_score(text, self.XSS_PATTERNS)
features["rce_score"] = self._pattern_score(text, self.RCE_PATTERNS)
features["path_traversal_score"] = self._pattern_score(text, self.PATH_TRAVERSAL_PATTERNS)
# Structural features
features["quote_count"] = (text.count("'") + text.count('"')) / max(text_len, 1)
features["paren_count"] = (text.count("(") + text.count(")")) / max(text_len, 1)
features["bracket_count"] = (text.count("[") + text.count("]") + text.count("{") + text.count("}")) / max(text_len, 1)
# Keyword presence
features["has_select"] = 1.0 if "select" in text_lower else 0.0
features["has_script"] = 1.0 if "<script" in text_lower else 0.0
features["has_etc_passwd"] = 1.0 if "etc/passwd" in text_lower else 0.0
return features
def _calculate_entropy(self, text: str) -> float:
"""Calculate Shannon entropy of text."""
if not text:
return 0.0
freq = Counter(text)
length = len(text)
entropy = 0.0
for count in freq.values():
prob = count / length
if prob > 0:
entropy -= prob * math.log2(prob)
# Normalize to 0-1 range (max entropy for ASCII is ~7)
return min(entropy / 7, 1.0)
def _pattern_score(self, text: str, patterns: List[str]) -> float:
"""Calculate pattern match score."""
matches = sum(1 for p in patterns if re.search(p, text))
return min(matches / max(len(patterns), 1), 1.0)
class NaiveBayesClassifier:
"""
Simple Naive Bayes classifier for attack type classification.
Works with or without sklearn.
"""
LABELS = ["sqli", "xss", "rce", "path_traversal", "scanner", "benign"]
def __init__(self):
self.feature_extractor = FeatureExtractor()
self._trained = False
# Training data (curated examples)
self._training_data = self._get_training_data()
# Feature statistics per class (for pure Python implementation)
self._class_priors: Dict[str, float] = {}
self._feature_means: Dict[str, Dict[str, float]] = defaultdict(dict)
self._feature_vars: Dict[str, Dict[str, float]] = defaultdict(dict)
def _get_training_data(self) -> List[Tuple[str, str]]:
"""Return curated training examples."""
return [
# SQLi examples
("' OR '1'='1", "sqli"),
("1; DROP TABLE users--", "sqli"),
("UNION SELECT * FROM passwords", "sqli"),
("admin'--", "sqli"),
("1' AND 1=1--", "sqli"),
("'; INSERT INTO users VALUES('hack','hack')--", "sqli"),
# XSS examples
("<script>alert('xss')</script>", "xss"),
("<img src=x onerror=alert(1)>", "xss"),
("javascript:alert(document.cookie)", "xss"),
("<svg onload=alert(1)>", "xss"),
("'\"><script>alert('XSS')</script>", "xss"),
# RCE examples
("; cat /etc/passwd", "rce"),
("| ls -la", "rce"),
("`id`", "rce"),
("$(whoami)", "rce"),
("; rm -rf /", "rce"),
("system('cat /etc/passwd')", "rce"),
# Path traversal
("../../../etc/passwd", "path_traversal"),
("..\\..\\..\\windows\\system32\\config\\sam", "path_traversal"),
("/etc/passwd%00", "path_traversal"),
("....//....//etc/passwd", "path_traversal"),
# Scanner signatures
("Mozilla/5.0 (compatible; Nmap Scripting Engine)", "scanner"),
("sqlmap/1.0", "scanner"),
("Nikto/2.1.5", "scanner"),
("masscan/1.0", "scanner"),
# Benign examples
("/api/users/123", "benign"),
("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "benign"),
("/products?category=electronics&page=2", "benign"),
("GET /index.html HTTP/1.1", "benign"),
("/static/css/main.css", "benign"),
]
def train(self) -> None:
"""Train the classifier on built-in examples."""
# Extract features for all training data
X: List[Dict[str, float]] = []
y: List[str] = []
for text, label in self._training_data:
features = self.feature_extractor.extract(text)
X.append(features)
y.append(label)
# Calculate class priors
label_counts = Counter(y)
total = len(y)
for label, count in label_counts.items():
self._class_priors[label] = count / total
# Calculate feature means and variances per class
all_features = set()
for features in X:
all_features.update(features.keys())
for label in self.LABELS:
class_features = [X[i] for i in range(len(X)) if y[i] == label]
if not class_features:
continue
for feature in all_features:
values = [f.get(feature, 0.0) for f in class_features]
mean = sum(values) / len(values)
var = sum((v - mean) ** 2 for v in values) / len(values)
self._feature_means[label][feature] = mean
self._feature_vars[label][feature] = max(var, 1e-6) # avoid division by zero
self._trained = True
def classify(self, text: str) -> ClassificationResult:
"""Classify text into attack category."""
if not self._trained:
self.train()
features = self.feature_extractor.extract(text)
# Calculate log probabilities for each class
log_probs: Dict[str, float] = {}
for label in self.LABELS:
if label not in self._class_priors:
continue
log_prob = math.log(self._class_priors[label])
for feature, value in features.items():
if feature in self._feature_means[label]:
mean = self._feature_means[label][feature]
var = self._feature_vars[label][feature]
# Gaussian likelihood
log_prob += -0.5 * math.log(2 * math.pi * var)
log_prob += -0.5 * ((value - mean) ** 2) / var
log_probs[label] = log_prob
# Convert to probabilities via softmax
max_log_prob = max(log_probs.values()) if log_probs else 0
exp_probs = {k: math.exp(v - max_log_prob) for k, v in log_probs.items()}
total = sum(exp_probs.values())
probs = {k: v / total for k, v in exp_probs.items()}
# Find best label
best_label = max(probs, key=probs.get) if probs else "benign"
confidence = probs.get(best_label, 0.0)
# Generate explanation
explanation = self._generate_explanation(text, features, best_label)
return ClassificationResult(
label=best_label,
confidence=confidence,
probabilities=probs,
features_used=list(features.keys()),
explanation=explanation
)
def _generate_explanation(self, text: str, features: Dict[str, float], label: str) -> str:
"""Generate human-readable explanation for classification."""
reasons = []
if features.get("sqli_score", 0) > 0.3:
reasons.append("SQL injection patterns detected")
if features.get("xss_score", 0) > 0.3:
reasons.append("XSS patterns detected")
if features.get("rce_score", 0) > 0.3:
reasons.append("Command injection patterns detected")
if features.get("path_traversal_score", 0) > 0.3:
reasons.append("Path traversal patterns detected")
if features.get("special_char_ratio", 0) > 0.2:
reasons.append("High special character ratio")
if features.get("entropy", 0) > 0.7:
reasons.append("High entropy (possible encoding/obfuscation)")
if not reasons:
reasons.append(f"General pattern matching suggests {label}")
return "; ".join(reasons)
class AnomalyDetector:
"""
Detect anomalous requests based on baseline behavior.
Uses statistical methods (z-score, IQR) without requiring ML libraries.
"""
def __init__(self):
self.feature_extractor = FeatureExtractor()
self._baseline_stats: Dict[str, Dict[str, float]] = {}
self._observations: List[Dict[str, float]] = []
def add_observation(self, text: str) -> None:
"""Add an observation to the baseline."""
features = self.feature_extractor.extract(text)
self._observations.append(features)
# Recalculate baseline after enough observations
if len(self._observations) >= 10:
self._update_baseline()
def _update_baseline(self) -> None:
"""Update baseline statistics."""
if not self._observations:
return
all_features = set()
for obs in self._observations:
all_features.update(obs.keys())
for feature in all_features:
values = [obs.get(feature, 0.0) for obs in self._observations]
mean = sum(values) / len(values)
var = sum((v - mean) ** 2 for v in values) / len(values)
std = math.sqrt(var) if var > 0 else 0.001
self._baseline_stats[feature] = {
"mean": mean,
"std": std,
"min": min(values),
"max": max(values),
}
def score(self, text: str) -> AnomalyScore:
"""Score how anomalous a request is."""
features = self.feature_extractor.extract(text)
if not self._baseline_stats:
# No baseline yet, use heuristics
return self._heuristic_score(features)
z_scores: Dict[str, float] = {}
anomalous_features: List[str] = []
for feature, value in features.items():
if feature in self._baseline_stats:
stats = self._baseline_stats[feature]
z = (value - stats["mean"]) / stats["std"]
z_scores[feature] = abs(z)
if abs(z) > 2: # More than 2 std deviations
anomalous_features.append(f"{feature} (z={z:.2f})")
# Overall anomaly score (average of z-scores, normalized)
if z_scores:
avg_z = sum(z_scores.values()) / len(z_scores)
max_z = max(z_scores.values())
score = min(max_z / 5, 1.0) # Normalize to 0-1
baseline_deviation = avg_z
else:
score = 0.5
baseline_deviation = 0.0
# Generate recommendation
if score > 0.8:
recommendation = "BLOCK: Highly anomalous, likely attack"
elif score > 0.5:
recommendation = "CHALLENGE: Moderately anomalous, requires verification"
elif score > 0.3:
recommendation = "LOG: Slightly unusual, monitor closely"
else:
recommendation = "ALLOW: Within normal parameters"
return AnomalyScore(
score=score,
baseline_deviation=baseline_deviation,
anomalous_features=anomalous_features,
recommendation=recommendation
)
def _heuristic_score(self, features: Dict[str, float]) -> AnomalyScore:
"""Score based on heuristics when no baseline exists."""
score = 0.0
anomalous_features: List[str] = []
# Check for attack indicators
for attack_type in ["sqli_score", "xss_score", "rce_score", "path_traversal_score"]:
if features.get(attack_type, 0) > 0.3:
score += 0.25
anomalous_features.append(attack_type)
# Check for suspicious characteristics
if features.get("special_char_ratio", 0) > 0.15:
score += 0.15
anomalous_features.append("high_special_chars")
if features.get("entropy", 0) > 0.8:
score += 0.1
anomalous_features.append("high_entropy")
score = min(score, 1.0)
if score > 0.7:
recommendation = "BLOCK: Multiple attack indicators"
elif score > 0.4:
recommendation = "CHALLENGE: Suspicious characteristics"
else:
recommendation = "ALLOW: No obvious threats"
return AnomalyScore(
score=score,
baseline_deviation=0.0,
anomalous_features=anomalous_features,
recommendation=recommendation
)
class ThreatClassifier:
"""
High-level threat classifier combining multiple techniques.
Usage:
classifier = ThreatClassifier()
result = classifier.classify("' OR '1'='1")
print(f"Label: {result.label}, Confidence: {result.confidence}")
"""
def __init__(self, model_path: Optional[Path] = None):
self.naive_bayes = NaiveBayesClassifier()
self.anomaly_detector = AnomalyDetector()
self.model_path = model_path
# Train on startup
self.naive_bayes.train()
def classify(self, text: str) -> ClassificationResult:
"""Classify a request/pattern."""
return self.naive_bayes.classify(text)
def score_anomaly(self, text: str) -> AnomalyScore:
"""Score how anomalous a request is."""
return self.anomaly_detector.score(text)
def analyze(self, text: str) -> Dict[str, Any]:
"""Full analysis combining classification and anomaly detection."""
classification = self.classify(text)
anomaly = self.score_anomaly(text)
return {
"classification": {
"label": classification.label,
"confidence": classification.confidence,
"probabilities": classification.probabilities,
"explanation": classification.explanation,
},
"anomaly": {
"score": anomaly.score,
"baseline_deviation": anomaly.baseline_deviation,
"anomalous_features": anomaly.anomalous_features,
"recommendation": anomaly.recommendation,
},
"risk_level": self._compute_risk_level(classification, anomaly),
}
def _compute_risk_level(
self,
classification: ClassificationResult,
anomaly: AnomalyScore
) -> str:
"""Compute overall risk level."""
# High-risk attack types
high_risk_labels = {"sqli", "xss", "rce"}
if classification.label in high_risk_labels and classification.confidence > 0.7:
return "critical"
if classification.label in high_risk_labels and classification.confidence > 0.4:
return "high"
if anomaly.score > 0.7:
return "high"
if classification.label == "scanner":
return "medium"
if anomaly.score > 0.4:
return "medium"
return "low"
# CLI for testing
if __name__ == "__main__":
import sys
classifier = ThreatClassifier()
test_inputs = [
"' OR '1'='1",
"<script>alert('xss')</script>",
"; cat /etc/passwd",
"../../../etc/passwd",
"Mozilla/5.0 (Windows NT 10.0)",
"/api/users/123",
]
if len(sys.argv) > 1:
test_inputs = sys.argv[1:]
print("\n🤖 ML Threat Classifier Test")
print("=" * 60)
for text in test_inputs:
result = classifier.analyze(text)
print(f"\nInput: {text[:50]}...")
print(f" Label: {result['classification']['label']}")
print(f" Confidence: {result['classification']['confidence']:.2%}")
print(f" Risk Level: {result['risk_level'].upper()}")
print(f" Anomaly Score: {result['anomaly']['score']:.2%}")
print(f" Recommendation: {result['anomaly']['recommendation']}")

83
mcp/waf_intelligence/compliance.py Normal file
View File

@@ -0,0 +1,83 @@
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional
@dataclass
class FrameworkMapping:
"""
Mapping between a WAF concept (e.g. 'SQLi protection') and references
in one or more compliance frameworks.
"""
control_id: str
framework: str # e.g. "PCI-DSS", "NIST-800-53", "GDPR"
description: str
references: List[str]
class ComplianceMapper:
"""
Map WAF rules / violations to compliance frameworks.
This starts as a simple static lookup table that we can extend over time.
"""
def __init__(self) -> None:
self._mappings: Dict[str, List[FrameworkMapping]] = self._build_default_mappings()
def _build_default_mappings(self) -> Dict[str, List[FrameworkMapping]]:
return {
"sqli_protection": [
FrameworkMapping(
control_id="6.6",
framework="PCI-DSS",
description="Ensure web-facing applications are protected against attacks such as SQL injection.",
references=["PCI-DSS v4.0 6.6", "OWASP Top 10 - A03:2021"],
)
],
"xss_protection": [
FrameworkMapping(
control_id="A5",
framework="OWASP-ASVS",
description="Verify that all user-controllable input is properly encoded or escaped.",
references=["OWASP Top 10 - A3: Cross-Site Scripting"],
)
],
"baseline_waf": [
FrameworkMapping(
control_id="13",
framework="OWASP-ASVS",
description="Centralized input validation, filtering, and WAF as compensating control.",
references=["OWASP-ASVS 13", "PCI-DSS 6.4.1"],
)
],
}
def map_concept(self, concept: str) -> List[FrameworkMapping]:
"""
Map a high-level WAF concept to compliance controls.
Example concepts:
- "sqli_protection"
- "xss_protection"
- "baseline_waf"
"""
return self._mappings.get(concept, [])
def best_effort_from_violation(self, message: str) -> List[FrameworkMapping]:
"""
Try to infer framework mappings from a violation message string.
This allows the analyzer to stay dumb while still attaching controls.
"""
msg = message.lower()
if "sql" in msg and "inject" in msg:
return self.map_concept("sqli_protection")
if "xss" in msg or "cross-site scripting" in msg:
return self.map_concept("xss_protection")
if "waf" in msg or "managed rules" in msg:
return self.map_concept("baseline_waf")
return []

120
mcp/waf_intelligence/generator.py Normal file
View File

@@ -0,0 +1,120 @@
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional
@dataclass
class GeneratedRule:
"""Represents a Terraform WAF rule we propose to add."""
name: str
description: str
terraform_snippet: str
severity: str # "low" | "medium" | "high" | "critical"
tags: List[str] = field(default_factory=list)
notes: Optional[str] = None
impact_score: float = 0.5 # 0-1: estimated security impact
effort_score: float = 0.5 # 0-1: estimated effort to implement
class WAFRuleGenerator:
"""
Generate Cloudflare WAF Terraform rules with a quality-first strategy.
"""
def generate_from_scenario(
self,
scenario: str,
*,
limit: int = 3,
max_effort: float = 0.8,
) -> List[GeneratedRule]:
"""
Return a small set of high-impact, reasonable-effort rules.
"""
scenario_lower = scenario.lower()
candidates: List[GeneratedRule] = []
if "sql injection" in scenario_lower or "sqli" in scenario_lower:
candidates.append(self._sql_injection_rule())
if "xss" in scenario_lower:
candidates.append(self._xss_rule())
# If nothing matched, fallback to baseline
if not candidates:
candidates.append(self._baseline_waf_rule())
# Filter by effort & sort by impact
filtered = [r for r in candidates if r.effort_score <= max_effort]
if not filtered:
filtered = candidates
filtered.sort(key=lambda r: (-r.impact_score, r.effort_score))
return filtered[:limit]
def _sql_injection_rule(self) -> GeneratedRule:
snippet = '''resource "cloudflare_ruleset" "waf_sqli_protection" {
# TODO: adjust zone_id / account_id and phase for your setup
name = "WAF - SQLi protection"
kind = "zone"
phase = "http_request_firewall_managed"
rules = [{
action = "block"
expression = "(cf.waf.ruleset eq \\"sqli\\")"
enabled = true
}]
}
'''
return GeneratedRule(
name="waf_sqli_protection",
description="Enable blocking against SQL injection attempts using Cloudflare managed rules.",
terraform_snippet=snippet,
severity="high",
tags=["sqli", "managed_rules", "waf"],
impact_score=0.95,
effort_score=0.3,
)
def _xss_rule(self) -> GeneratedRule:
snippet = '''resource "cloudflare_ruleset" "waf_xss_protection" {
name = "WAF - XSS protection"
kind = "zone"
phase = "http_request_firewall_managed"
rules = [{
action = "block"
expression = "(cf.waf.ruleset eq \\"xss\\")"
enabled = true
}]
}
'''
return GeneratedRule(
name="waf_xss_protection",
description="Enable blocking against cross-site scripting (XSS) attacks.",
terraform_snippet=snippet,
severity="high",
tags=["xss", "managed_rules", "waf"],
impact_score=0.9,
effort_score=0.3,
)
def _baseline_waf_rule(self) -> GeneratedRule:
snippet = '''# Baseline WAF hardening (placeholder - customize for your environment)
# Consider enabling Cloudflare managed WAF rulesets for:
# - SQLi
# - XSS
# - RCE
# - Bot protection
'''
return GeneratedRule(
name="waf_baseline_hardening",
description="Baseline recommendation to enable managed WAF rulesets.",
terraform_snippet=snippet,
severity="medium",
tags=["baseline", "waf"],
impact_score=0.7,
effort_score=0.1,
)

370
mcp/waf_intelligence/orchestrator.py Normal file
View File

@@ -0,0 +1,370 @@
from __future__ import annotations
import os
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import Path
from typing import Any, Dict, List, Optional
from mcp.waf_intelligence.analyzer import AnalysisResult, RuleViolation, WAFRuleAnalyzer
from mcp.waf_intelligence.compliance import ComplianceMapper, FrameworkMapping
from mcp.waf_intelligence.generator import GeneratedRule, WAFRuleGenerator
# Optional advanced modules (Phase 7)
try:
from mcp.waf_intelligence.threat_intel import (
ThreatIntelCollector,
ThreatIntelReport,
ThreatIndicator,
)
_HAS_THREAT_INTEL = True
except ImportError:
_HAS_THREAT_INTEL = False
ThreatIntelCollector = None
try:
from mcp.waf_intelligence.classifier import (
ThreatClassifier,
ClassificationResult,
)
_HAS_CLASSIFIER = True
except ImportError:
_HAS_CLASSIFIER = False
ThreatClassifier = None
@dataclass
class WAFInsight:
"""Single high-quality insight across analysis + generation + compliance."""
violation: RuleViolation | None
suggested_rule: GeneratedRule | None
mappings: List[FrameworkMapping]
@dataclass
class ThreatAssessment:
"""Phase 7: Comprehensive threat assessment result."""
analysis_result: Optional[AnalysisResult] = None
threat_report: Optional[Any] = None # ThreatIntelReport when available
classification_summary: Dict[str, int] = field(default_factory=dict)
risk_score: float = 0.0
recommended_actions: List[str] = field(default_factory=list)
generated_at: datetime = field(default_factory=datetime.utcnow)
@property
def risk_level(self) -> str:
if self.risk_score >= 0.8:
return "critical"
elif self.risk_score >= 0.6:
return "high"
elif self.risk_score >= 0.4:
return "medium"
else:
return "low"
class WAFIntelligence:
"""
Quality-first orchestration layer:
- analyze WAF config
- propose a few rules
- attach compliance mappings
- Phase 7: integrate threat intel and ML classification
"""
def __init__(
self,
workspace_path: Optional[str] = None,
enable_threat_intel: bool = True,
enable_ml_classifier: bool = True,
) -> None:
self.workspace = Path(workspace_path) if workspace_path else Path.cwd()
# Core components
self.analyzer = WAFRuleAnalyzer()
self.generator = WAFRuleGenerator()
self.mapper = ComplianceMapper()
# Phase 7 components (optional)
self.threat_intel: Optional[Any] = None
self.classifier: Optional[Any] = None
if enable_threat_intel and _HAS_THREAT_INTEL:
try:
self.threat_intel = ThreatIntelCollector()
except Exception:
pass
if enable_ml_classifier and _HAS_CLASSIFIER:
try:
self.classifier = ThreatClassifier()
except Exception:
pass
def analyze_and_recommend(
self,
path: str,
*,
limit: int = 3,
min_severity: str = "warning",
) -> List[WAFInsight]:
analysis: AnalysisResult = self.analyzer.analyze_file(
path,
min_severity=min_severity,
)
top_violations = analysis.top_violations(
min_severity=min_severity,
limit=limit,
)
insights: List[WAFInsight] = []
for violation in top_violations:
mappings = self.mapper.best_effort_from_violation(violation.message)
scenario = violation.message
rules = self.generator.generate_from_scenario(scenario, limit=1)
suggested = rules[0] if rules else None
insights.append(
WAFInsight(
violation=violation,
suggested_rule=suggested,
mappings=mappings,
)
)
return insights
# ─────────────────────────────────────────────────────────────────────────
# Phase 7: Advanced threat intelligence methods
# ─────────────────────────────────────────────────────────────────────────
def collect_threat_intel(
self,
log_paths: Optional[List[str]] = None,
max_indicators: int = 100,
) -> Optional[Any]:
"""
Collect threat intelligence from logs and external feeds.
Args:
log_paths: Paths to Cloudflare log files
max_indicators: Maximum indicators to collect
Returns:
ThreatIntelReport or None if unavailable
"""
if not self.threat_intel:
return None
# Default log paths
if log_paths is None:
log_paths = [
str(self.workspace / "logs"),
"/var/log/cloudflare",
]
return self.threat_intel.collect(
log_paths=log_paths,
max_indicators=max_indicators,
)
def classify_threat(self, payload: str) -> Optional[Any]:
"""
Classify a payload using ML classifier.
Args:
payload: Request payload to classify
Returns:
ClassificationResult or None
"""
if not self.classifier:
return None
return self.classifier.classify(payload)
def full_assessment(
self,
waf_config_path: Optional[str] = None,
log_paths: Optional[List[str]] = None,
include_threat_intel: bool = True,
) -> ThreatAssessment:
"""
Phase 7: Perform comprehensive threat assessment.
Combines:
- WAF configuration analysis
- Threat intelligence collection
- ML classification summary
- Risk scoring
Args:
waf_config_path: Path to WAF Terraform file
log_paths: Paths to log files
include_threat_intel: Whether to collect threat intel
Returns:
ThreatAssessment with full analysis results
"""
assessment = ThreatAssessment()
risk_factors: List[float] = []
recommendations: List[str] = []
# 1. Analyze WAF configuration
if waf_config_path is None:
waf_config_path = str(self.workspace / "terraform" / "waf.tf")
if Path(waf_config_path).exists():
assessment.analysis_result = self.analyzer.analyze_file(
waf_config_path,
min_severity="info",
)
# Calculate risk from violations
severity_weights = {"error": 0.8, "warning": 0.5, "info": 0.2}
for violation in assessment.analysis_result.violations:
weight = severity_weights.get(violation.severity, 0.3)
risk_factors.append(weight)
# Generate recommendations
critical_count = sum(
1 for v in assessment.analysis_result.violations
if v.severity == "error"
)
if critical_count > 0:
recommendations.append(
f"🔴 Fix {critical_count} critical WAF configuration issues"
)
# 2. Collect threat intelligence
if include_threat_intel and self.threat_intel:
try:
assessment.threat_report = self.collect_threat_intel(
log_paths=log_paths,
max_indicators=50,
)
if assessment.threat_report:
indicators = assessment.threat_report.indicators
# Count by severity
severity_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
for ind in indicators:
sev = getattr(ind, "severity", "low")
severity_counts[sev] = severity_counts.get(sev, 0) + 1
# Add to classification summary
assessment.classification_summary["threat_indicators"] = len(indicators)
assessment.classification_summary.update(severity_counts)
# Calculate threat intel risk
if indicators:
critical_ratio = severity_counts["critical"] / len(indicators)
high_ratio = severity_counts["high"] / len(indicators)
risk_factors.append(critical_ratio * 0.9 + high_ratio * 0.7)
if severity_counts["critical"] > 0:
recommendations.append(
f"🚨 Block {severity_counts['critical']} critical threat IPs immediately"
)
except Exception:
pass
# 3. ML classification summary (from any collected data)
if self.classifier and assessment.threat_report:
try:
attack_types = {"sqli": 0, "xss": 0, "rce": 0, "clean": 0, "unknown": 0}
indicators = assessment.threat_report.indicators
pattern_indicators = [
i for i in indicators
if getattr(i, "indicator_type", "") == "pattern"
]
for ind in pattern_indicators[:20]: # Sample first 20
result = self.classifier.classify(ind.value)
if result:
label = result.label
attack_types[label] = attack_types.get(label, 0) + 1
assessment.classification_summary["ml_classifications"] = attack_types
# Add ML risk factor
dangerous = attack_types.get("sqli", 0) + attack_types.get("rce", 0)
if dangerous > 5:
risk_factors.append(0.8)
recommendations.append(
f"⚠️ ML detected {dangerous} dangerous attack patterns"
)
except Exception:
pass
# 4. Calculate final risk score
if risk_factors:
assessment.risk_score = min(1.0, sum(risk_factors) / max(len(risk_factors), 1))
else:
assessment.risk_score = 0.3 # Baseline risk
assessment.recommended_actions = recommendations
return assessment
def generate_gitops_proposals(
self,
threat_report: Optional[Any] = None,
max_proposals: int = 5,
) -> List[Dict[str, Any]]:
"""
Generate GitOps-ready rule proposals.
Args:
threat_report: ThreatIntelReport to use
max_proposals: Maximum proposals to generate
Returns:
List of proposal dicts ready for MR creation
"""
proposals: List[Dict[str, Any]] = []
if not threat_report:
return proposals
try:
# Import proposer dynamically
from gitops.waf_rule_proposer import WAFRuleProposer
proposer = WAFRuleProposer(workspace_path=str(self.workspace))
batch = proposer.generate_proposals(
threat_report=threat_report,
max_proposals=max_proposals,
)
for proposal in batch.proposals:
proposals.append({
"name": proposal.rule_name,
"type": proposal.rule_type,
"severity": proposal.severity,
"confidence": proposal.confidence,
"terraform": proposal.terraform_code,
"justification": proposal.justification,
"auto_deploy": proposal.auto_deploy_eligible,
})
except ImportError:
pass
return proposals
@property
def capabilities(self) -> Dict[str, bool]:
"""Report available capabilities."""
return {
"core_analysis": True,
"rule_generation": True,
"compliance_mapping": True,
"threat_intel": self.threat_intel is not None,
"ml_classification": self.classifier is not None,
}

279
mcp/waf_intelligence/server.py Executable file
View File

@@ -0,0 +1,279 @@
#!/usr/bin/env python3
"""
WAF Intelligence MCP Server for VS Code Copilot.
This implements the Model Context Protocol (MCP) stdio interface
so VS Code can communicate with your WAF Intelligence system.
"""
import json
import sys
from typing import Any
# Add parent to path for imports
sys.path.insert(0, '/Users/sovereign/Desktop/CLOUDFLARE')
from mcp.waf_intelligence.orchestrator import WAFIntelligence
from mcp.waf_intelligence.analyzer import WAFRuleAnalyzer
class WAFIntelligenceMCPServer:
"""MCP Server wrapper for WAF Intelligence."""
def __init__(self):
self.waf = WAFIntelligence()
self.analyzer = WAFRuleAnalyzer()
def get_capabilities(self) -> dict:
"""Return server capabilities."""
return {
"tools": [
{
"name": "waf_analyze",
"description": "Analyze WAF logs and detect attack patterns",
"inputSchema": {
"type": "object",
"properties": {
"log_file": {
"type": "string",
"description": "Path to WAF log file (optional)"
},
"zone_id": {
"type": "string",
"description": "Cloudflare zone ID (optional)"
}
}
}
},
{
"name": "waf_assess",
"description": "Run full security assessment with threat intel and ML classification",
"inputSchema": {
"type": "object",
"properties": {
"zone_id": {
"type": "string",
"description": "Cloudflare zone ID"
}
},
"required": ["zone_id"]
}
},
{
"name": "waf_generate_rules",
"description": "Generate Terraform WAF rules from threat intelligence",
"inputSchema": {
"type": "object",
"properties": {
"zone_id": {
"type": "string",
"description": "Cloudflare zone ID"
},
"min_confidence": {
"type": "number",
"description": "Minimum confidence threshold (0-1)",
"default": 0.7
}
},
"required": ["zone_id"]
}
},
{
"name": "waf_capabilities",
"description": "List available WAF Intelligence capabilities",
"inputSchema": {
"type": "object",
"properties": {}
}
}
]
}
def handle_tool_call(self, name: str, arguments: dict) -> dict:
"""Handle a tool invocation."""
try:
if name == "waf_capabilities":
return {
"content": [
{
"type": "text",
"text": json.dumps({
"capabilities": self.waf.capabilities,
"status": "operational"
}, indent=2)
}
]
}
elif name == "waf_analyze":
log_file = arguments.get("log_file")
zone_id = arguments.get("zone_id")
if log_file:
result = self.analyzer.analyze_log_file(log_file)
else:
result = {
"message": "No log file provided. Use zone_id for live analysis.",
"capabilities": self.waf.capabilities
}
return {
"content": [
{"type": "text", "text": json.dumps(result, indent=2, default=str)}
]
}
elif name == "waf_assess":
zone_id = arguments.get("zone_id")
# full_assessment uses workspace paths, not zone_id
assessment = self.waf.full_assessment(
include_threat_intel=True
)
# Build result from ThreatAssessment dataclass
result = {
"zone_id": zone_id,
"risk_score": assessment.risk_score,
"risk_level": assessment.risk_level,
"classification_summary": assessment.classification_summary,
"recommended_actions": assessment.recommended_actions[:10], # Top 10
"has_analysis": assessment.analysis_result is not None,
"has_threat_intel": assessment.threat_report is not None,
"generated_at": str(assessment.generated_at)
}
return {
"content": [
{"type": "text", "text": json.dumps(result, indent=2, default=str)}
]
}
elif name == "waf_generate_rules":
zone_id = arguments.get("zone_id")
min_confidence = arguments.get("min_confidence", 0.7)
# Generate proposals (doesn't use zone_id directly)
proposals = self.waf.generate_gitops_proposals(
max_proposals=5
)
result = {
"zone_id": zone_id,
"min_confidence": min_confidence,
"proposals_count": len(proposals),
"proposals": proposals
}
return {
"content": [
{"type": "text", "text": json.dumps(result, indent=2, default=str) if proposals else "No rules generated (no threat data available)"}
]
}
else:
return {
"content": [
{"type": "text", "text": f"Unknown tool: {name}"}
],
"isError": True
}
except Exception as e:
return {
"content": [
{"type": "text", "text": f"Error: {str(e)}"}
],
"isError": True
}
def run(self):
"""Run the MCP server (stdio mode)."""
# Send server info
server_info = {
"jsonrpc": "2.0",
"method": "initialized",
"params": {
"serverInfo": {
"name": "waf-intelligence",
"version": "1.0.0"
},
"capabilities": self.get_capabilities()
}
}
# Main loop - read JSON-RPC messages from stdin
for line in sys.stdin:
try:
message = json.loads(line.strip())
if message.get("method") == "initialize":
response = {
"jsonrpc": "2.0",
"id": message.get("id"),
"result": {
"protocolVersion": "2024-11-05",
"serverInfo": {
"name": "waf-intelligence",
"version": "1.0.0"
},
"capabilities": {
"tools": {}
}
}
}
print(json.dumps(response), flush=True)
elif message.get("method") == "tools/list":
response = {
"jsonrpc": "2.0",
"id": message.get("id"),
"result": self.get_capabilities()
}
print(json.dumps(response), flush=True)
elif message.get("method") == "tools/call":
params = message.get("params", {})
tool_name = params.get("name")
tool_args = params.get("arguments", {})
result = self.handle_tool_call(tool_name, tool_args)
response = {
"jsonrpc": "2.0",
"id": message.get("id"),
"result": result
}
print(json.dumps(response), flush=True)
elif message.get("method") == "notifications/initialized":
# Client acknowledged initialization
pass
else:
# Unknown method
response = {
"jsonrpc": "2.0",
"id": message.get("id"),
"error": {
"code": -32601,
"message": f"Method not found: {message.get('method')}"
}
}
print(json.dumps(response), flush=True)
except json.JSONDecodeError:
continue
except Exception as e:
error_response = {
"jsonrpc": "2.0",
"id": None,
"error": {
"code": -32603,
"message": str(e)
}
}
print(json.dumps(error_response), flush=True)
if __name__ == "__main__":
server = WAFIntelligenceMCPServer()
server.run()

445
mcp/waf_intelligence/threat_intel.py Normal file
View File

@@ -0,0 +1,445 @@
"""
Phase 7: Multi-Source Threat Intelligence Collector
Aggregates threat data from:
- Cloudflare Analytics API (WAF events, firewall logs)
- External threat feeds (AbuseIPDB, Emerging Threats, etc.)
- Local honeypot signals (if configured)
- Historical attack patterns from receipts/logs
Produces scored ThreatIndicators for ML classification and rule generation.
"""
from __future__ import annotations
import hashlib
import json
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import Path
from typing import Any, Dict, List, Optional, Set
from urllib.parse import urlparse
# Optional: requests for external API calls
try:
import requests
HAS_REQUESTS = True
except ImportError:
HAS_REQUESTS = False
@dataclass
class ThreatIndicator:
"""Single threat indicator with scoring metadata."""
indicator_type: str # "ip", "ua", "path", "pattern", "country"
value: str
confidence: float # 0.0-1.0
severity: str # "low", "medium", "high", "critical"
sources: List[str] = field(default_factory=list)
tags: List[str] = field(default_factory=list)
first_seen: Optional[datetime] = None
last_seen: Optional[datetime] = None
hit_count: int = 1
context: Dict[str, Any] = field(default_factory=dict)
@property
def fingerprint(self) -> str:
"""Unique identifier for deduplication."""
raw = f"{self.indicator_type}:{self.value}"
return hashlib.sha256(raw.encode()).hexdigest()[:16]
def merge(self, other: "ThreatIndicator") -> None:
"""Merge another indicator into this one (for deduplication)."""
self.hit_count += other.hit_count
self.confidence = max(self.confidence, other.confidence)
self.sources = list(set(self.sources + other.sources))
self.tags = list(set(self.tags + other.tags))
if other.first_seen and (not self.first_seen or other.first_seen < self.first_seen):
self.first_seen = other.first_seen
if other.last_seen and (not self.last_seen or other.last_seen > self.last_seen):
self.last_seen = other.last_seen
@dataclass
class ThreatIntelReport:
"""Aggregated threat intelligence from all sources."""
indicators: List[ThreatIndicator] = field(default_factory=list)
sources_queried: List[str] = field(default_factory=list)
collection_time: datetime = field(default_factory=datetime.utcnow)
metadata: Dict[str, Any] = field(default_factory=dict)
@property
def critical_count(self) -> int:
return sum(1 for i in self.indicators if i.severity == "critical")
@property
def high_count(self) -> int:
return sum(1 for i in self.indicators if i.severity == "high")
def top_indicators(self, limit: int = 10) -> List[ThreatIndicator]:
"""Return highest-priority indicators."""
severity_order = {"critical": 4, "high": 3, "medium": 2, "low": 1}
sorted_indicators = sorted(
self.indicators,
key=lambda x: (severity_order.get(x.severity, 0), x.confidence, x.hit_count),
reverse=True
)
return sorted_indicators[:limit]
class CloudflareLogParser:
"""Parse Cloudflare WAF/firewall logs for threat indicators."""
# Common attack patterns in URIs
ATTACK_PATTERNS = [
(r"(?i)(?:union\s+select|select\s+.*\s+from)", "sqli", "high"),
(r"(?i)<script[^>]*>", "xss", "high"),
(r"(?i)(?:\.\./|\.\.\\)", "path_traversal", "medium"),
(r"(?i)(?:cmd=|exec=|system\()", "rce", "critical"),
(r"(?i)(?:wp-admin|wp-login|xmlrpc\.php)", "wordpress_probe", "low"),
(r"(?i)(?:\.env|\.git|\.htaccess)", "sensitive_file", "medium"),
(r"(?i)(?:phpmyadmin|adminer|mysql)", "db_probe", "medium"),
(r"(?i)(?:eval\(|base64_decode)", "code_injection", "high"),
]
# Known bad user agents
BAD_USER_AGENTS = [
("sqlmap", "sqli_tool", "high"),
("nikto", "scanner", "medium"),
("nmap", "scanner", "medium"),
("masscan", "scanner", "medium"),
("zgrab", "scanner", "low"),
("python-requests", "bot", "low"), # contextual
("curl", "bot", "low"), # contextual
]
def parse_log_file(self, path: Path) -> List[ThreatIndicator]:
"""Parse a log file and extract threat indicators."""
indicators: List[ThreatIndicator] = []
if not path.exists():
return indicators
try:
with open(path, "r", encoding="utf-8", errors="ignore") as f:
for line in f:
indicators.extend(self._parse_log_line(line))
except Exception:
pass
return indicators
def _parse_log_line(self, line: str) -> List[ThreatIndicator]:
"""Extract indicators from a single log line."""
indicators: List[ThreatIndicator] = []
# Try JSON format first
try:
data = json.loads(line)
indicators.extend(self._parse_json_log(data))
return indicators
except json.JSONDecodeError:
pass
# Fall back to pattern matching on raw line
indicators.extend(self._scan_for_patterns(line))
return indicators
def _parse_json_log(self, data: Dict[str, Any]) -> List[ThreatIndicator]:
"""Parse structured JSON log entry."""
indicators: List[ThreatIndicator] = []
# Extract IP if blocked or challenged
action = data.get("action", "").lower()
if action in ("block", "challenge", "managed_challenge"):
ip = data.get("clientIP") or data.get("client_ip") or data.get("ip")
if ip:
indicators.append(ThreatIndicator(
indicator_type="ip",
value=ip,
confidence=0.8 if action == "block" else 0.6,
severity="high" if action == "block" else "medium",
sources=["cloudflare_log"],
tags=[action, data.get("ruleId", "unknown_rule")],
context={"rule": data.get("ruleName", ""), "action": action}
))
# Extract URI patterns
uri = data.get("clientRequestURI") or data.get("uri") or data.get("path", "")
if uri:
indicators.extend(self._scan_for_patterns(uri))
# Extract user agent
ua = data.get("clientRequestHTTPHost") or data.get("user_agent", "")
if ua:
for pattern, tag, severity in self.BAD_USER_AGENTS:
if pattern.lower() in ua.lower():
indicators.append(ThreatIndicator(
indicator_type="ua",
value=ua[:200], # truncate
confidence=0.7,
severity=severity,
sources=["cloudflare_log"],
tags=[tag, "bad_ua"]
))
break
return indicators
def _scan_for_patterns(self, text: str) -> List[ThreatIndicator]:
"""Scan text for known attack patterns."""
indicators: List[ThreatIndicator] = []
for pattern, tag, severity in self.ATTACK_PATTERNS:
if re.search(pattern, text):
indicators.append(ThreatIndicator(
indicator_type="pattern",
value=text[:500], # truncate
confidence=0.75,
severity=severity,
sources=["pattern_match"],
tags=[tag, "attack_pattern"]
))
return indicators
class ExternalThreatFeed:
"""Fetch threat intelligence from external APIs."""
def __init__(self, api_keys: Optional[Dict[str, str]] = None):
self.api_keys = api_keys or {}
self._cache: Dict[str, ThreatIndicator] = {}
def query_abuseipdb(self, ip: str) -> Optional[ThreatIndicator]:
"""Query AbuseIPDB for IP reputation."""
if not HAS_REQUESTS:
return None
api_key = self.api_keys.get("abuseipdb") or os.getenv("ABUSEIPDB_API_KEY")
if not api_key:
return None
cache_key = f"abuseipdb:{ip}"
if cache_key in self._cache:
return self._cache[cache_key]
try:
resp = requests.get(
"https://api.abuseipdb.com/api/v2/check",
headers={"Key": api_key, "Accept": "application/json"},
params={"ipAddress": ip, "maxAgeInDays": 90},
timeout=5
)
if resp.status_code == 200:
data = resp.json().get("data", {})
abuse_score = data.get("abuseConfidenceScore", 0)
if abuse_score > 0:
severity = "critical" if abuse_score > 80 else "high" if abuse_score > 50 else "medium"
indicator = ThreatIndicator(
indicator_type="ip",
value=ip,
confidence=abuse_score / 100,
severity=severity,
sources=["abuseipdb"],
tags=["external_intel", "ip_reputation"],
hit_count=data.get("totalReports", 1),
context={
"abuse_score": abuse_score,
"country": data.get("countryCode"),
"isp": data.get("isp"),
"domain": data.get("domain"),
"usage_type": data.get("usageType"),
}
)
self._cache[cache_key] = indicator
return indicator
except Exception:
pass
return None
def query_emerging_threats(self, ip: str) -> Optional[ThreatIndicator]:
"""Check IP against Emerging Threats blocklist (free, no API key)."""
if not HAS_REQUESTS:
return None
# This is a simplified check - real implementation would cache the blocklist
# For demo purposes, we return None and rely on other sources
return None
def enrich_indicator(self, indicator: ThreatIndicator) -> ThreatIndicator:
"""Enrich an indicator with external intelligence."""
if indicator.indicator_type == "ip":
external = self.query_abuseipdb(indicator.value)
if external:
indicator.merge(external)
return indicator
class ThreatIntelCollector:
"""
Main collector that aggregates from all sources.
Usage:
collector = ThreatIntelCollector(workspace_path="/path/to/cloudflare")
report = collector.collect()
for indicator in report.top_indicators(10):
print(f"{indicator.severity}: {indicator.indicator_type}={indicator.value}")
"""
def __init__(
self,
workspace_path: Optional[str] = None,
api_keys: Optional[Dict[str, str]] = None,
enable_external: bool = True
):
self.workspace = Path(workspace_path) if workspace_path else Path.cwd()
self.log_parser = CloudflareLogParser()
self.external_feed = ExternalThreatFeed(api_keys) if enable_external else None
self._indicators: Dict[str, ThreatIndicator] = {}
def collect(
self,
log_dirs: Optional[List[str]] = None,
enrich_external: bool = True,
max_indicators: int = 1000
) -> ThreatIntelReport:
"""
Collect threat intelligence from all configured sources.
Args:
log_dirs: Directories to scan for logs (default: observatory/, anomalies/)
enrich_external: Whether to query external APIs for enrichment
max_indicators: Maximum indicators to return
Returns:
ThreatIntelReport with deduplicated, scored indicators
"""
sources_queried: List[str] = []
# Default log directories
if log_dirs is None:
log_dirs = ["observatory", "anomalies", "archive_runtime/receipts"]
# Collect from local logs
for log_dir in log_dirs:
dir_path = self.workspace / log_dir
if dir_path.exists():
sources_queried.append(f"local:{log_dir}")
self._collect_from_directory(dir_path)
# Collect from Terraform state (extract referenced IPs/patterns)
tf_path = self.workspace / "terraform"
if tf_path.exists():
sources_queried.append("terraform_state")
self._collect_from_terraform(tf_path)
# Enrich with external intel if enabled
if enrich_external and self.external_feed:
sources_queried.append("external_apis")
self._enrich_all_indicators()
# Build report
all_indicators = list(self._indicators.values())
# Sort by priority and truncate
severity_order = {"critical": 4, "high": 3, "medium": 2, "low": 1}
all_indicators.sort(
key=lambda x: (severity_order.get(x.severity, 0), x.confidence, x.hit_count),
reverse=True
)
return ThreatIntelReport(
indicators=all_indicators[:max_indicators],
sources_queried=sources_queried,
metadata={
"workspace": str(self.workspace),
"total_raw": len(self._indicators),
"external_enabled": enrich_external and self.external_feed is not None
}
)
def _collect_from_directory(self, dir_path: Path) -> None:
"""Scan a directory for log files and extract indicators."""
log_patterns = ["*.log", "*.json", "*.jsonl"]
for pattern in log_patterns:
for log_file in dir_path.rglob(pattern):
for indicator in self.log_parser.parse_log_file(log_file):
self._add_indicator(indicator)
def _collect_from_terraform(self, tf_path: Path) -> None:
"""Extract indicators referenced in Terraform files."""
for tf_file in tf_path.glob("*.tf"):
try:
content = tf_file.read_text(encoding="utf-8")
# Extract IPs from allow/block rules
ip_pattern = r'\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b'
for match in re.finditer(ip_pattern, content):
ip = match.group()
# Only flag if in a block context
context_start = max(0, match.start() - 100)
context = content[context_start:match.start()].lower()
if "block" in context or "deny" in context:
self._add_indicator(ThreatIndicator(
indicator_type="ip",
value=ip,
confidence=0.9,
severity="medium",
sources=["terraform_blocklist"],
tags=["existing_rule", "blocked_ip"],
context={"file": str(tf_file.name)}
))
except Exception:
pass
def _add_indicator(self, indicator: ThreatIndicator) -> None:
"""Add indicator with deduplication."""
key = indicator.fingerprint
if key in self._indicators:
self._indicators[key].merge(indicator)
else:
self._indicators[key] = indicator
def _enrich_all_indicators(self) -> None:
"""Enrich all IP indicators with external intelligence."""
if not self.external_feed:
return
for key, indicator in list(self._indicators.items()):
if indicator.indicator_type == "ip":
self.external_feed.enrich_indicator(indicator)
# CLI interface for testing
if __name__ == "__main__":
import sys
workspace = sys.argv[1] if len(sys.argv) > 1 else "."
collector = ThreatIntelCollector(
workspace_path=workspace,
enable_external=False # Don't hit APIs in CLI test
)
report = collector.collect()
print(f"\n🔍 Threat Intelligence Report")
print(f"=" * 50)
print(f"Sources: {', '.join(report.sources_queried)}")
print(f"Total indicators: {len(report.indicators)}")
print(f"Critical: {report.critical_count} | High: {report.high_count}")
print(f"\nTop 10 Indicators:")
print("-" * 50)
for ind in report.top_indicators(10):
print(f" [{ind.severity.upper():8}] {ind.indicator_type}={ind.value[:50]}")
print(f" confidence={ind.confidence:.2f} hits={ind.hit_count} sources={ind.sources}")

26
observatory/.env.example Normal file
View File

@@ -0,0 +1,26 @@
# Cloudflare Mesh Observatory Environment
# Copy to .env and fill in values
# Cloudflare API Credentials
CLOUDFLARE_API_TOKEN=
CLOUDFLARE_ZONE_ID=
CLOUDFLARE_ACCOUNT_ID=
# Grafana Admin Password
GRAFANA_PASSWORD=changeme
# ==============================================
# Phase 5B - Alerting Configuration
# ==============================================
# Slack Integration
# Create incoming webhook: https://api.slack.com/messaging/webhooks
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/XXX/YYY/ZZZ
# PagerDuty Integration
# Create service integration: https://support.pagerduty.com/docs/services-and-integrations
PAGERDUTY_SERVICE_KEY=
# Email (SMTP) Settings
SMTP_USERNAME=
SMTP_PASSWORD=

19
observatory/Dockerfile.exporter Normal file
View File

@@ -0,0 +1,19 @@
# Cloudflare Metrics Exporter Container
FROM python:3.11-slim
WORKDIR /app
# Install dependencies
RUN pip install --no-cache-dir requests
# Copy exporter script
COPY metrics-exporter.py /app/
# Non-root user
RUN useradd -r -s /sbin/nologin exporter
USER exporter
EXPOSE 9100
ENTRYPOINT ["python3", "/app/metrics-exporter.py"]
CMD ["--port", "9100"]

171
observatory/README.md Normal file
View File

@@ -0,0 +1,171 @@
# Mesh Observatory
Prometheus + Grafana monitoring stack for Cloudflare infrastructure state.
## Components
| Component | Port | Description |
|-----------|------|-------------|
| Prometheus | 9090 | Metrics collection and storage |
| Grafana | 3000 | Visualization dashboards |
| Metrics Exporter | 9100 | Custom Cloudflare metrics |
## Quick Start
### 1. Configure Environment
```bash
cp .env.example .env
# Edit .env with your credentials
```
Required environment variables:
```
CLOUDFLARE_API_TOKEN=<your-token>
CLOUDFLARE_ZONE_ID=<your-zone-id>
CLOUDFLARE_ACCOUNT_ID=<your-account-id>
GRAFANA_PASSWORD=<secure-password>
```
### 2. Start Stack
```bash
docker-compose up -d
```
### 3. Access Dashboards
- Grafana: http://localhost:3000 (admin / $GRAFANA_PASSWORD)
- Prometheus: http://localhost:9090
## Dashboards
| Dashboard | UID | Description |
|-----------|-----|-------------|
| Cloudflare Mesh Overview | cf-overview | Main command center |
| DNS Health | cf-dns | DNS records, DNSSEC, types |
| Tunnel Status | cf-tunnel | Tunnel health, connections |
| Invariants & Compliance | cf-invariants | Invariant pass/fail, anomalies |
| Security Settings | cf-security | SSL, TLS, Access apps |
| ProofChain & Anchors | cf-proofchain | Merkle roots, snapshot freshness |
## Metrics Reference
### DNS Metrics
- `cloudflare_dns_records_total` - Total DNS records
- `cloudflare_dns_records_proxied` - Proxied records count
- `cloudflare_dns_records_unproxied` - DNS-only records count
- `cloudflare_dns_records_by_type{type="A|AAAA|CNAME|..."}` - Records by type
- `cloudflare_dnssec_enabled` - DNSSEC status (0/1)
### Tunnel Metrics
- `cloudflare_tunnels_total` - Total active tunnels
- `cloudflare_tunnels_healthy` - Tunnels with active connections
- `cloudflare_tunnels_unhealthy` - Tunnels without connections
- `cloudflare_tunnel_connections_total` - Total tunnel connections
### Zone Settings
- `cloudflare_zone_ssl_strict` - SSL mode is strict (0/1)
- `cloudflare_zone_tls_version_secure` - TLS 1.2+ enforced (0/1)
- `cloudflare_zone_always_https` - HTTPS redirect enabled (0/1)
- `cloudflare_zone_browser_check` - Browser integrity check (0/1)
### Access Metrics
- `cloudflare_access_apps_total` - Total Access applications
- `cloudflare_access_apps_by_type{type="..."}` - Apps by type
### Invariant Metrics
- `cloudflare_invariants_total` - Total invariant checks
- `cloudflare_invariants_passed` - Passing invariants
- `cloudflare_invariants_failed` - Failing invariants
- `cloudflare_invariants_pass_rate` - Pass percentage
- `cloudflare_invariant_report_age_seconds` - Report freshness
### Snapshot Metrics
- `cloudflare_snapshot_age_seconds` - Seconds since last snapshot
- `cloudflare_snapshot_merkle_root_set` - Merkle root present (0/1)
### Anomaly Metrics
- `cloudflare_anomalies_total` - Total anomaly receipts
- `cloudflare_anomalies_last_24h` - Recent anomalies
## Drift Visualizer
Standalone tool for comparing state sources.
### Usage
```bash
python3 drift-visualizer.py \
--snapshot ../snapshots/cloudflare-latest.json \
--manifest ../cloudflare_dns_manifest.md \
--output-dir ../reports
```
### Output
- `drift-report-<timestamp>.json` - Machine-readable diff
- `drift-report-<timestamp>.html` - Visual HTML report
## Directory Structure
```
observatory/
├── docker-compose.yml # Stack definition
├── Dockerfile.exporter # Metrics exporter container
├── prometheus.yml # Prometheus config
├── metrics-exporter.py # Custom exporter
├── drift-visualizer.py # Drift analysis tool
├── datasources/ # Grafana datasource provisioning
│ └── prometheus.yml
├── dashboards/ # Grafana dashboard provisioning
│ ├── dashboards.yml
│ ├── cloudflare-overview.json
│ ├── dns-health.json
│ ├── tunnel-status.json
│ ├── invariants.json
│ ├── security-settings.json
│ └── proofchain.json
└── rules/ # Prometheus alerting rules (optional)
```
## Integration with CI/CD
The metrics exporter reads from:
- `../snapshots/` - State snapshots from state-reconciler.py
- `../anomalies/` - Anomaly receipts from invariant-checker.py
Ensure these directories are populated by the GitLab CI pipeline or systemd services.
## Alerting (Optional)
Create alerting rules in `rules/alerts.yml`:
```yaml
groups:
- name: cloudflare
rules:
- alert: InvariantFailure
expr: cloudflare_invariants_failed > 0
for: 5m
labels:
severity: critical
annotations:
summary: "Cloudflare invariant check failing"
- alert: TunnelUnhealthy
expr: cloudflare_tunnels_unhealthy > 0
for: 5m
labels:
severity: warning
annotations:
summary: "Cloudflare tunnel has no connections"
- alert: SnapshotStale
expr: cloudflare_snapshot_age_seconds > 7200
for: 10m
labels:
severity: warning
annotations:
summary: "Cloudflare state snapshot older than 2 hours"
```

365
observatory/alertmanager/alertmanager.yml Normal file
View File

@@ -0,0 +1,365 @@
# Alertmanager Configuration for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
global:
# Default SMTP settings (override in receivers)
smtp_smarthost: 'smtp.example.com:587'
smtp_from: 'cloudflare-alerts@yourdomain.com'
smtp_auth_username: '${SMTP_USERNAME}'
smtp_auth_password: '${SMTP_PASSWORD}'
smtp_require_tls: true
# Slack API URL (set via environment)
slack_api_url: '${SLACK_WEBHOOK_URL}'
# PagerDuty integration key
pagerduty_url: 'https://events.pagerduty.com/v2/enqueue'
# Resolve timeout
resolve_timeout: 5m
# Templates for notifications
templates:
- '/etc/alertmanager/templates/*.tmpl'
# Routing tree
route:
# Default receiver
receiver: 'slack-default'
# Group alerts by these labels
group_by: ['alertname', 'severity', 'component']
# Wait before sending first notification
group_wait: 30s
# Wait before sending notification about new alerts in group
group_interval: 5m
# Wait before re-sending notification
repeat_interval: 4h
# Child routes for different severities and components
routes:
# ============================================
# CRITICAL ALERTS - Immediate PagerDuty
# ============================================
- match:
severity: critical
receiver: 'pagerduty-critical'
group_wait: 10s
repeat_interval: 1h
continue: true # Also send to Slack
- match:
severity: critical
receiver: 'slack-critical'
group_wait: 10s
# ============================================
# TUNNEL ALERTS
# ============================================
- match:
component: tunnel
receiver: 'slack-tunnels'
routes:
- match:
severity: critical
receiver: 'pagerduty-critical'
continue: true
- match:
severity: critical
receiver: 'slack-critical'
# ============================================
# DNS ALERTS
# ============================================
- match:
component: dns
receiver: 'slack-dns'
routes:
- match:
severity: critical
receiver: 'pagerduty-critical'
continue: true
- match:
alertname: DNSHijackDetected
receiver: 'pagerduty-critical'
# ============================================
# WAF ALERTS
# ============================================
- match:
component: waf
receiver: 'slack-waf'
routes:
- match:
severity: critical
receiver: 'pagerduty-critical'
continue: true
- match:
alertname: WAFMassiveAttack
receiver: 'pagerduty-critical'
# ============================================
# INVARIANT ALERTS (Security Policy Violations)
# ============================================
- match:
component: invariant
receiver: 'slack-security'
routes:
- match:
severity: critical
receiver: 'pagerduty-critical'
continue: true
# ============================================
# PROOFCHAIN ALERTS
# ============================================
- match:
component: proofchain
receiver: 'slack-proofchain'
routes:
- match:
severity: critical
receiver: 'pagerduty-critical'
# ============================================
# WARNING ALERTS - Slack only
# ============================================
- match:
severity: warning
receiver: 'slack-warnings'
repeat_interval: 8h
# ============================================
# INFO ALERTS - Daily digest
# ============================================
- match:
severity: info
receiver: 'email-daily'
group_wait: 1h
repeat_interval: 24h
# ============================================
# PHASE 6 - GITOPS DRIFT REMEDIATION
# Route drift alerts to GitOps webhook for auto-PR
# ============================================
- match:
alertname: DNSDriftDetected
receiver: 'gitops-drift-pr'
continue: true # Also send to slack-dns
- match:
alertname: WAFRuleMissing
receiver: 'gitops-drift-pr'
continue: true
- match:
alertname: FirewallRuleMissing
receiver: 'gitops-drift-pr'
continue: true
- match:
alertname: TunnelConfigChanged
receiver: 'gitops-drift-pr'
continue: true
- match_re:
alertname: '.*(Drift|Mismatch|Changed).*'
receiver: 'gitops-drift-pr'
continue: true
# Inhibition rules - suppress lower severity when higher fires
inhibit_rules:
# If critical fires, suppress warning for same alert
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
equal: ['alertname', 'component']
# If warning fires, suppress info for same alert
- source_match:
severity: 'warning'
target_match:
severity: 'info'
equal: ['alertname', 'component']
# Suppress all tunnel alerts if Cloudflare API is down
- source_match:
alertname: 'CloudflareAPIDown'
target_match:
component: 'tunnel'
equal: []
# Suppress DNS alerts during planned maintenance
- source_match:
alertname: 'PlannedMaintenance'
target_match:
component: 'dns'
equal: []
# Receivers definition
receivers:
# ============================================
# SLACK RECEIVERS
# ============================================
- name: 'slack-default'
slack_configs:
- channel: '#cloudflare-alerts'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: '{{ template "slack.cloudflare.color" . }}'
actions:
- type: button
text: 'Runbook'
url: '{{ template "slack.cloudflare.runbook" . }}'
- type: button
text: 'Grafana'
url: 'http://localhost:3000/d/cloudflare-overview'
- name: 'slack-critical'
slack_configs:
- channel: '#cloudflare-critical'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: 'danger'
actions:
- type: button
text: 'Runbook'
url: '{{ template "slack.cloudflare.runbook" . }}'
- type: button
text: 'Grafana'
url: 'http://localhost:3000/d/cloudflare-overview'
- name: 'slack-warnings'
slack_configs:
- channel: '#cloudflare-alerts'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: 'warning'
- name: 'slack-tunnels'
slack_configs:
- channel: '#cloudflare-tunnels'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: '{{ template "slack.cloudflare.color" . }}'
actions:
- type: button
text: 'Tunnel Playbook'
url: 'https://wiki.internal/playbooks/tunnel-rotation'
- type: button
text: 'Tunnel Dashboard'
url: 'http://localhost:3000/d/tunnel-status'
- name: 'slack-dns'
slack_configs:
- channel: '#cloudflare-dns'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: '{{ template "slack.cloudflare.color" . }}'
actions:
- type: button
text: 'DNS Playbook'
url: 'https://wiki.internal/playbooks/dns-compromise'
- type: button
text: 'DNS Dashboard'
url: 'http://localhost:3000/d/dns-health'
- name: 'slack-waf'
slack_configs:
- channel: '#cloudflare-waf'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: '{{ template "slack.cloudflare.color" . }}'
actions:
- type: button
text: 'WAF Playbook'
url: 'https://wiki.internal/playbooks/waf-incident'
- type: button
text: 'WAF Dashboard'
url: 'http://localhost:3000/d/security-settings'
- name: 'slack-security'
slack_configs:
- channel: '#cloudflare-security'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: '{{ template "slack.cloudflare.color" . }}'
actions:
- type: button
text: 'Invariants Dashboard'
url: 'http://localhost:3000/d/invariants'
- name: 'slack-proofchain'
slack_configs:
- channel: '#cloudflare-proofchain'
send_resolved: true
title: '{{ template "slack.cloudflare.title" . }}'
text: '{{ template "slack.cloudflare.text" . }}'
color: '{{ template "slack.cloudflare.color" . }}'
actions:
- type: button
text: 'Proofchain Dashboard'
url: 'http://localhost:3000/d/proofchain'
# ============================================
# PAGERDUTY RECEIVERS
# ============================================
- name: 'pagerduty-critical'
pagerduty_configs:
- service_key: '${PAGERDUTY_SERVICE_KEY}'
send_resolved: true
description: '{{ template "pagerduty.cloudflare.description" . }}'
severity: 'critical'
client: 'Cloudflare Mesh Observatory'
client_url: 'http://localhost:3000'
details:
alertname: '{{ .GroupLabels.alertname }}'
component: '{{ .GroupLabels.component }}'
severity: '{{ .GroupLabels.severity }}'
summary: '{{ .CommonAnnotations.summary }}'
runbook: '{{ .CommonAnnotations.runbook_url }}'
# ============================================
# EMAIL RECEIVERS
# ============================================
- name: 'email-daily'
email_configs:
- to: 'cloudflare-team@yourdomain.com'
send_resolved: true
html: '{{ template "email.cloudflare.html" . }}'
headers:
Subject: '[Cloudflare] Daily Alert Digest - {{ .Status | toUpper }}'
# ============================================
# WEBHOOK RECEIVERS (for custom integrations)
# ============================================
- name: 'webhook-remediation'
webhook_configs:
- url: 'http://autonomous-remediator:8080/webhook/alert'
send_resolved: true
max_alerts: 10
# ============================================
# PHASE 6 - GITOPS WEBHOOK RECEIVER
# ============================================
- name: 'gitops-drift-pr'
webhook_configs:
- url: '${GITOPS_WEBHOOK_URL:-http://gitops-webhook:8080/webhook/alert}'
send_resolved: false # Only fire on new alerts, not resolved
max_alerts: 5
http_config:
# Optional: Add bearer token or basic auth
# authorization:
# type: Bearer
# credentials: '${GITOPS_WEBHOOK_TOKEN}'

326
observatory/alertmanager/templates/email.tmpl Normal file
View File

@@ -0,0 +1,326 @@
{{/* Email notification templates for Cloudflare Mesh Observatory */}}
{{/* HTML email template */}}
{{ define "email.cloudflare.html" }}
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
line-height: 1.6;
color: #333;
max-width: 800px;
margin: 0 auto;
padding: 20px;
}
.header {
background: linear-gradient(135deg, #F6821F 0%, #F38020 100%);
color: white;
padding: 20px;
border-radius: 8px 8px 0 0;
text-align: center;
}
.header h1 {
margin: 0;
font-size: 24px;
}
.status-badge {
display: inline-block;
padding: 4px 12px;
border-radius: 20px;
font-size: 12px;
font-weight: bold;
text-transform: uppercase;
margin-top: 10px;
}
.status-firing { background: #dc3545; color: white; }
.status-resolved { background: #28a745; color: white; }
.content {
background: #fff;
border: 1px solid #e0e0e0;
border-top: none;
padding: 20px;
border-radius: 0 0 8px 8px;
}
.alert-card {
background: #f8f9fa;
border-left: 4px solid #F6821F;
padding: 15px;
margin: 15px 0;
border-radius: 0 4px 4px 0;
}
.alert-card.critical { border-left-color: #dc3545; }
.alert-card.warning { border-left-color: #ffc107; }
.alert-card.info { border-left-color: #17a2b8; }
.alert-card.resolved { border-left-color: #28a745; }
.alert-title {
font-size: 16px;
font-weight: bold;
color: #333;
margin-bottom: 10px;
}
.alert-meta {
font-size: 12px;
color: #666;
margin-bottom: 10px;
}
.alert-meta span {
display: inline-block;
margin-right: 15px;
}
.label {
display: inline-block;
background: #e9ecef;
padding: 2px 8px;
border-radius: 4px;
font-size: 11px;
margin: 2px;
}
.description {
margin: 10px 0;
padding: 10px;
background: white;
border-radius: 4px;
}
.runbook-link {
display: inline-block;
background: #F6821F;
color: white;
padding: 8px 16px;
border-radius: 4px;
text-decoration: none;
font-size: 14px;
margin-top: 10px;
}
.runbook-link:hover {
background: #e67316;
}
.summary-table {
width: 100%;
border-collapse: collapse;
margin: 20px 0;
}
.summary-table th, .summary-table td {
padding: 10px;
text-align: left;
border-bottom: 1px solid #e0e0e0;
}
.summary-table th {
background: #f8f9fa;
font-weight: 600;
}
.footer {
text-align: center;
font-size: 12px;
color: #888;
margin-top: 20px;
padding-top: 20px;
border-top: 1px solid #e0e0e0;
}
.footer a {
color: #F6821F;
text-decoration: none;
}
</style>
</head>
<body>
<div class="header">
<h1>Cloudflare Mesh Observatory</h1>
<span class="status-badge status-{{ .Status }}">{{ .Status }}</span>
</div>
<div class="content">
<h2>Alert Summary</h2>
<table class="summary-table">
<tr>
<th>Status</th>
<td>{{ .Status | toUpper }}</td>
</tr>
<tr>
<th>Alert Name</th>
<td>{{ .CommonLabels.alertname }}</td>
</tr>
<tr>
<th>Severity</th>
<td>{{ .CommonLabels.severity | toUpper }}</td>
</tr>
<tr>
<th>Component</th>
<td>{{ .CommonLabels.component }}</td>
</tr>
<tr>
<th>Firing Alerts</th>
<td>{{ .Alerts.Firing | len }}</td>
</tr>
<tr>
<th>Resolved Alerts</th>
<td>{{ .Alerts.Resolved | len }}</td>
</tr>
</table>
<h2>Alert Details</h2>
{{ range .Alerts }}
<div class="alert-card {{ .Labels.severity }}{{ if eq .Status "resolved" }} resolved{{ end }}">
<div class="alert-title">
{{ .Labels.alertname }}
<span class="status-badge status-{{ .Status }}" style="font-size: 10px; padding: 2px 8px;">{{ .Status }}</span>
</div>
<div class="alert-meta">
<span><strong>Severity:</strong> {{ .Labels.severity }}</span>
<span><strong>Component:</strong> {{ .Labels.component }}</span>
<span><strong>Started:</strong> {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}</span>
{{ if eq .Status "resolved" }}
<span><strong>Resolved:</strong> {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}</span>
{{ end }}
</div>
<div class="description">
<strong>Summary:</strong> {{ .Annotations.summary }}<br>
<strong>Description:</strong> {{ .Annotations.description }}
</div>
<div style="margin-top: 10px;">
<strong>Labels:</strong><br>
{{ range .Labels.SortedPairs }}
<span class="label">{{ .Name }}: {{ .Value }}</span>
{{ end }}
</div>
{{ if .Annotations.runbook_url }}
<a href="{{ .Annotations.runbook_url }}" class="runbook-link">View Runbook</a>
{{ end }}
</div>
{{ end }}
<h2>Quick Links</h2>
<ul>
<li><a href="http://localhost:3000">Grafana Dashboard</a></li>
<li><a href="http://localhost:9090">Prometheus</a></li>
<li><a href="https://dash.cloudflare.com">Cloudflare Dashboard</a></li>
</ul>
</div>
<div class="footer">
<p>
This alert was generated by <strong>Cloudflare Mesh Observatory</strong><br>
<a href="http://localhost:9093">Alertmanager</a> |
<a href="http://localhost:3000">Grafana</a> |
<a href="http://localhost:9090">Prometheus</a>
</p>
<p>
Generated at {{ .ExternalURL }}
</p>
</div>
</body>
</html>
{{ end }}
{{/* Plain text email template */}}
{{ define "email.cloudflare.text" }}
================================================================================
CLOUDFLARE MESH OBSERVATORY - ALERT {{ .Status | toUpper }}
================================================================================
Status: {{ .Status | toUpper }}
Alert: {{ .CommonLabels.alertname }}
Severity: {{ .CommonLabels.severity | toUpper }}
Component: {{ .CommonLabels.component }}
Firing: {{ .Alerts.Firing | len }} alerts
Resolved: {{ .Alerts.Resolved | len }} alerts
================================================================================
ALERT DETAILS
================================================================================
{{ range .Alerts }}
--------------------------------------------------------------------------------
{{ .Labels.alertname }} [{{ .Status | toUpper }}]
--------------------------------------------------------------------------------
Severity: {{ .Labels.severity }}
Component: {{ .Labels.component }}
Started: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
{{ if eq .Status "resolved" }}Resolved: {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
Summary: {{ .Annotations.summary }}
Description: {{ .Annotations.description }}
Labels:
{{ range .Labels.SortedPairs }} - {{ .Name }}: {{ .Value }}
{{ end }}
{{ if .Annotations.runbook_url }}Runbook: {{ .Annotations.runbook_url }}{{ end }}
{{ end }}
================================================================================
QUICK LINKS
================================================================================
Grafana: http://localhost:3000
Prometheus: http://localhost:9090
Alertmanager: http://localhost:9093
Cloudflare: https://dash.cloudflare.com
================================================================================
Generated by Cloudflare Mesh Observatory
{{ end }}
{{/* Daily digest email template */}}
{{ define "email.cloudflare.digest" }}
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<style>
/* Same styles as above */
</style>
</head>
<body>
<div class="header">
<h1>Daily Alert Digest</h1>
<p>{{ now.Format "Monday, January 2, 2006" }}</p>
</div>
<div class="content">
<h2>24-Hour Summary</h2>
<table class="summary-table">
<tr>
<th>Metric</th>
<th>Count</th>
</tr>
<tr>
<td>Total Alerts</td>
<td>{{ len .Alerts }}</td>
</tr>
<tr>
<td>Currently Firing</td>
<td>{{ .Alerts.Firing | len }}</td>
</tr>
<tr>
<td>Resolved</td>
<td>{{ .Alerts.Resolved | len }}</td>
</tr>
</table>
<h2>Alerts by Severity</h2>
<!-- Alert breakdown would go here -->
<h2>Alerts by Component</h2>
<!-- Component breakdown would go here -->
</div>
<div class="footer">
<p>This is an automated daily digest from Cloudflare Mesh Observatory</p>
</div>
</body>
</html>
{{ end }}

169
observatory/alertmanager/templates/pagerduty.tmpl Normal file
View File

@@ -0,0 +1,169 @@
{{/* PagerDuty notification templates for Cloudflare Mesh Observatory */}}
{{/* Main description template */}}
{{ define "pagerduty.cloudflare.description" -}}
[{{ .CommonLabels.severity | toUpper }}] {{ .CommonLabels.alertname }} - {{ .CommonAnnotations.summary }}
{{- end }}
{{/* Detailed incident description */}}
{{ define "pagerduty.cloudflare.details" -}}
{{ range .Alerts }}
Alert: {{ .Labels.alertname }}
Severity: {{ .Labels.severity }}
Component: {{ .Labels.component }}
Summary: {{ .Annotations.summary }}
Description: {{ .Annotations.description }}
Labels:
{{ range .Labels.SortedPairs -}}
{{ .Name }}: {{ .Value }}
{{ end }}
Started: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
{{ if eq .Status "resolved" }}Resolved: {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
Runbook: {{ if .Annotations.runbook_url }}{{ .Annotations.runbook_url }}{{ else }}https://wiki.internal/playbooks/cloudflare{{ end }}
---
{{ end }}
{{- end }}
{{/* Critical tunnel incident */}}
{{ define "pagerduty.cloudflare.tunnel.critical" -}}
CRITICAL TUNNEL FAILURE
Tunnel: {{ .CommonLabels.tunnel_name }} ({{ .CommonLabels.tunnel_id }})
Zone: {{ .CommonLabels.zone }}
All tunnel connections have failed. Services behind this tunnel are UNREACHABLE.
Immediate Actions Required:
1. Check cloudflared daemon status on origin server
2. Verify network path to Cloudflare edge
3. Review recent configuration changes
4. Consider emergency tunnel rotation
Impact: {{ .CommonAnnotations.impact }}
ETA to degradation: IMMEDIATE
Escalation Chain:
1. On-call Infrastructure Engineer
2. Platform Team Lead
3. Security Team (if compromise suspected)
{{- end }}
{{/* Critical DNS incident */}}
{{ define "pagerduty.cloudflare.dns.critical" -}}
CRITICAL DNS INCIDENT
Type: {{ .CommonLabels.alertname }}
Zone: {{ .CommonLabels.zone }}
Record: {{ .CommonLabels.record_name }}
{{ if eq .CommonLabels.alertname "DNSHijackDetected" -}}
POTENTIAL DNS HIJACK DETECTED
This is a SECURITY INCIDENT. DNS records do not match expected configuration.
Immediate Actions:
1. Verify DNS resolution from multiple locations
2. Check Cloudflare dashboard for unauthorized changes
3. Review audit logs for suspicious activity
4. Engage security incident response
DO NOT dismiss without verification.
{{- else -}}
DNS configuration drift detected. Records have changed from expected baseline.
Actions:
1. Compare current vs expected records
2. Determine if change was authorized
3. Restore from known-good state if needed
{{- end }}
{{- end }}
{{/* Critical WAF incident */}}
{{ define "pagerduty.cloudflare.waf.critical" -}}
CRITICAL WAF INCIDENT
Attack Type: {{ .CommonLabels.attack_type }}
Source: {{ .CommonLabels.source_ip }}
Request Volume: {{ .CommonLabels.request_count }} requests
{{ if eq .CommonLabels.alertname "WAFMassiveAttack" -}}
MASSIVE ATTACK IN PROGRESS
Request volume significantly exceeds baseline. This may indicate:
- DDoS attack
- Credential stuffing
- Application-layer attack
Immediate Actions:
1. Review attack traffic patterns
2. Consider enabling Under Attack Mode
3. Increase rate limiting thresholds
4. Block attacking IPs if identified
Current Mitigation: {{ .CommonAnnotations.current_mitigation }}
{{- else -}}
WAF rule bypass detected. Malicious traffic may be reaching origin.
Actions:
1. Analyze bypassed requests
2. Tighten rule specificity
3. Add supplementary blocking rules
{{- end }}
{{- end }}
{{/* Critical invariant violation */}}
{{ define "pagerduty.cloudflare.invariant.critical" -}}
SECURITY INVARIANT VIOLATION
Invariant: {{ .CommonLabels.invariant_name }}
Category: {{ .CommonLabels.category }}
A critical security invariant has been violated. This indicates:
- Unauthorized configuration change
- Potential security misconfiguration
- Compliance violation
Violation Details:
- Expected: {{ .CommonLabels.expected_value }}
- Actual: {{ .CommonLabels.actual_value }}
- Impact: {{ .CommonAnnotations.impact }}
Affected Frameworks: {{ .CommonLabels.frameworks }}
This violation requires immediate investigation and remediation.
{{- end }}
{{/* Critical proofchain incident */}}
{{ define "pagerduty.cloudflare.proofchain.critical" -}}
PROOFCHAIN INTEGRITY FAILURE
Chain: {{ .CommonLabels.chain_name }}
Receipt Type: {{ .CommonLabels.receipt_type }}
CRITICAL: Proofchain integrity verification has FAILED.
This indicates one of:
1. Ledger tampering
2. Receipt corruption
3. Chain fork
4. Hash collision (extremely unlikely)
Integrity Details:
- Last Valid Hash: {{ .CommonLabels.last_valid_hash }}
- Expected Hash: {{ .CommonLabels.expected_hash }}
- Computed Hash: {{ .CommonLabels.computed_hash }}
IMMEDIATE ACTIONS:
1. HALT all new receipt generation
2. Preserve current state for forensics
3. Identify last known-good checkpoint
4. Engage proofchain administrator
This is a potential SECURITY INCIDENT if tampering is suspected.
{{- end }}

200
observatory/alertmanager/templates/slack.tmpl Normal file
View File

@@ -0,0 +1,200 @@
{{/* Slack notification templates for Cloudflare Mesh Observatory */}}
{{/* Title template */}}
{{ define "slack.cloudflare.title" -}}
{{ if eq .Status "firing" }}{{ .Alerts.Firing | len }} FIRING{{ end }}{{ if and (eq .Status "resolved") (gt (.Alerts.Resolved | len) 0) }}{{ .Alerts.Resolved | len }} RESOLVED{{ end }} | {{ .CommonLabels.alertname }}
{{- end }}
{{/* Color template based on severity */}}
{{ define "slack.cloudflare.color" -}}
{{ if eq .Status "resolved" }}good{{ else if eq .CommonLabels.severity "critical" }}danger{{ else if eq .CommonLabels.severity "warning" }}warning{{ else }}#439FE0{{ end }}
{{- end }}
{{/* Main text body */}}
{{ define "slack.cloudflare.text" -}}
{{ range .Alerts }}
*Alert:* {{ .Labels.alertname }}
*Severity:* {{ .Labels.severity | toUpper }}
*Component:* {{ .Labels.component }}
*Status:* {{ .Status | toUpper }}
*Summary:* {{ .Annotations.summary }}
*Description:* {{ .Annotations.description }}
{{ if .Annotations.runbook_url }}*Runbook:* <{{ .Annotations.runbook_url }}|View Playbook>{{ end }}
*Labels:*
{{ range .Labels.SortedPairs -}}
- {{ .Name }}: `{{ .Value }}`
{{ end }}
*Started:* {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
{{ if eq .Status "resolved" }}*Resolved:* {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
---
{{ end }}
{{- end }}
{{/* Runbook URL template */}}
{{ define "slack.cloudflare.runbook" -}}
{{ if .CommonAnnotations.runbook_url }}{{ .CommonAnnotations.runbook_url }}{{ else }}https://wiki.internal/playbooks/cloudflare{{ end }}
{{- end }}
{{/* Compact alert list for summary */}}
{{ define "slack.cloudflare.alertlist" -}}
{{ range . }}
- {{ .Labels.alertname }} ({{ .Labels.severity }})
{{ end }}
{{- end }}
{{/* Tunnel-specific template */}}
{{ define "slack.cloudflare.tunnel" -}}
{{ range .Alerts }}
*Tunnel Alert*
*Tunnel ID:* {{ .Labels.tunnel_id }}
*Tunnel Name:* {{ .Labels.tunnel_name }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Action Required:*
{{ if eq .Labels.alertname "TunnelDown" }}
1. Check cloudflared service status
2. Verify network connectivity
3. Run tunnel rotation if unrecoverable
{{ else if eq .Labels.alertname "TunnelRotationDue" }}
1. Schedule maintenance window
2. Execute tunnel rotation protocol
3. Verify new tunnel connectivity
{{ end }}
---
{{ end }}
{{- end }}
{{/* DNS-specific template */}}
{{ define "slack.cloudflare.dns" -}}
{{ range .Alerts }}
*DNS Alert*
*Record:* {{ .Labels.record_name }}
*Type:* {{ .Labels.record_type }}
*Zone:* {{ .Labels.zone }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Immediate Actions:*
{{ if eq .Labels.alertname "DNSHijackDetected" }}
1. CRITICAL: Potential DNS hijack detected
2. Immediately verify DNS resolution
3. Check Cloudflare audit logs
4. Engage incident response team
{{ else if eq .Labels.alertname "DNSDriftDetected" }}
1. Compare current vs expected records
2. Check for unauthorized changes
3. Run state reconciler if needed
{{ end }}
---
{{ end }}
{{- end }}
{{/* WAF-specific template */}}
{{ define "slack.cloudflare.waf" -}}
{{ range .Alerts }}
*WAF Alert*
*Rule ID:* {{ .Labels.rule_id }}
*Action:* {{ .Labels.action }}
*Source:* {{ .Labels.source_ip }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Threat Intelligence:*
- Request Count: {{ .Labels.request_count }}
- Block Rate: {{ .Labels.block_rate }}%
- Attack Type: {{ .Labels.attack_type }}
*Recommended Actions:*
{{ if eq .Labels.alertname "WAFMassiveAttack" }}
1. Verify attack is not false positive
2. Consider enabling Under Attack Mode
3. Review and adjust rate limiting
4. Document attack patterns
{{ else if eq .Labels.alertname "WAFRuleBypass" }}
1. Analyze bypassed requests
2. Tighten rule specificity
3. Add supplementary rules
{{ end }}
---
{{ end }}
{{- end }}
{{/* Security/Invariant template */}}
{{ define "slack.cloudflare.security" -}}
{{ range .Alerts }}
*Security Invariant Violation*
*Invariant:* {{ .Labels.invariant_name }}
*Category:* {{ .Labels.category }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Violation Details:*
- Expected: {{ .Labels.expected_value }}
- Actual: {{ .Labels.actual_value }}
- First Seen: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
*Compliance Impact:*
This violation may affect:
{{ range split .Labels.frameworks "," -}}
- {{ . }}
{{ end }}
*Remediation Steps:*
1. Review invariant definition
2. Check for authorized changes
3. Run autonomous remediator or manual fix
4. Document change justification
---
{{ end }}
{{- end }}
{{/* Proofchain template */}}
{{ define "slack.cloudflare.proofchain" -}}
{{ range .Alerts }}
*Proofchain Alert*
*Chain:* {{ .Labels.chain_name }}
*Receipt Type:* {{ .Labels.receipt_type }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Integrity Details:*
- Last Valid Hash: {{ .Labels.last_valid_hash }}
- Expected Hash: {{ .Labels.expected_hash }}
- Computed Hash: {{ .Labels.computed_hash }}
*This indicates potential:*
- Ledger tampering
- Receipt corruption
- Chain fork
- Missing anchors
*Immediate Actions:*
1. DO NOT write new receipts until resolved
2. Identify last known-good state
3. Investigate discrepancy source
4. Contact proofchain administrator
---
{{ end }}
{{- end }}

415
observatory/dashboards/cloudflare-overview.json Normal file
View File

@@ -0,0 +1,415 @@
{
"annotations": {
"list": []
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{"color": "green", "value": null},
{"color": "red", "value": 1}
]
}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 0, "y": 0},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": ["lastNotNull"],
"fields": "",
"values": false
},
"textMode": "auto"
},
"pluginVersion": "10.2.2",
"targets": [
{
"expr": "cloudflare_invariants_failed",
"refId": "A"
}
],
"title": "Invariant Failures",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{"color": "green", "value": null}
]
}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 4, "y": 0},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": ["lastNotNull"],
"fields": "",
"values": false
},
"textMode": "auto"
},
"targets": [
{
"expr": "cloudflare_dns_records_total",
"refId": "A"
}
],
"title": "DNS Records",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{"color": "red", "value": null},
{"color": "green", "value": 1}
]
}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 8, "y": 0},
"id": 3,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": ["lastNotNull"],
"fields": "",
"values": false
},
"textMode": "auto"
},
"targets": [
{
"expr": "cloudflare_tunnels_healthy",
"refId": "A"
}
],
"title": "Healthy Tunnels",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 3600},
{"color": "red", "value": 7200}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 12, "y": 0},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": ["lastNotNull"],
"fields": "",
"values": false
},
"textMode": "auto"
},
"targets": [
{
"expr": "cloudflare_snapshot_age_seconds",
"refId": "A"
}
],
"title": "Snapshot Age",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "OFF"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "ON"}}, "type": "value"}
],
"thresholds": {
"mode": "absolute",
"steps": [{"color": "green", "value": null}]
}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 16, "y": 0},
"id": 5,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": ["lastNotNull"],
"fields": "",
"values": false
},
"textMode": "auto"
},
"targets": [
{
"expr": "cloudflare_dnssec_enabled",
"refId": "A"
}
],
"title": "DNSSEC",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 1},
{"color": "red", "value": 5}
]
}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 20, "y": 0},
"id": 6,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": ["lastNotNull"],
"fields": "",
"values": false
},
"textMode": "auto"
},
"targets": [
{
"expr": "cloudflare_anomalies_last_24h",
"refId": "A"
}
],
"title": "Anomalies (24h)",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [{"color": "green", "value": null}]
}
},
"overrides": []
},
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 4},
"id": 7,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{
"expr": "cloudflare_invariants_passed",
"legendFormat": "Passed",
"refId": "A"
},
{
"expr": "cloudflare_invariants_failed",
"legendFormat": "Failed",
"refId": "B"
}
],
"title": "Invariant Status Over Time",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "prometheus"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [{"color": "green", "value": null}]
}
},
"overrides": []
},
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 4},
"id": 8,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{
"expr": "cloudflare_tunnels_healthy",
"legendFormat": "Healthy",
"refId": "A"
},
{
"expr": "cloudflare_tunnels_unhealthy",
"legendFormat": "Unhealthy",
"refId": "B"
}
],
"title": "Tunnel Health Over Time",
"type": "timeseries"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": ["cloudflare", "mesh", "overview"],
"templating": {
"list": []
},
"time": {
"from": "now-24h",
"to": "now"
},
"timepicker": {},
"timezone": "utc",
"title": "Cloudflare Mesh Overview",
"uid": "cf-overview",
"version": 1,
"weekStart": ""
}

14
observatory/dashboards/dashboards.yml Normal file
View File

@@ -0,0 +1,14 @@
# Grafana Dashboard Provisioning
apiVersion: 1
providers:
- name: 'Cloudflare Mesh'
orgId: 1
folder: 'Cloudflare'
folderUid: 'cloudflare'
type: file
disableDeletion: false
updateIntervalSeconds: 30
allowUiUpdates: true
options:
path: /etc/grafana/provisioning/dashboards

195
observatory/dashboards/dns-health.json Normal file
View File

@@ -0,0 +1,195 @@
{
"annotations": {"list": []},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 0, "y": 0},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_dns_records_total", "refId": "A"}],
"title": "Total Records",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "orange", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 6, "y": 0},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_dns_records_proxied", "refId": "A"}],
"title": "Proxied Records",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "blue", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 12, "y": 0},
"id": 3,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_dns_records_unproxied", "refId": "A"}],
"title": "DNS-Only Records",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "DISABLED"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "ACTIVE"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 18, "y": 0},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_dnssec_enabled", "refId": "A"}],
"title": "DNSSEC Status",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {"hideFrom": {"legend": false, "tooltip": false, "viz": false}},
"mappings": []
},
"overrides": []
},
"gridPos": {"h": 10, "w": 12, "x": 0, "y": 4},
"id": 5,
"options": {
"displayLabels": ["name", "value"],
"legend": {"displayMode": "list", "placement": "right", "showLegend": true},
"pieType": "pie",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_dns_records_by_type{type=\"A\"}", "legendFormat": "A", "refId": "A"},
{"expr": "cloudflare_dns_records_by_type{type=\"AAAA\"}", "legendFormat": "AAAA", "refId": "B"},
{"expr": "cloudflare_dns_records_by_type{type=\"CNAME\"}", "legendFormat": "CNAME", "refId": "C"},
{"expr": "cloudflare_dns_records_by_type{type=\"TXT\"}", "legendFormat": "TXT", "refId": "D"},
{"expr": "cloudflare_dns_records_by_type{type=\"MX\"}", "legendFormat": "MX", "refId": "E"},
{"expr": "cloudflare_dns_records_by_type{type=\"SRV\"}", "legendFormat": "SRV", "refId": "F"}
],
"title": "Records by Type",
"type": "piechart"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 10, "w": 12, "x": 12, "y": 4},
"id": 6,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_dns_records_total", "legendFormat": "Total", "refId": "A"},
{"expr": "cloudflare_dns_records_proxied", "legendFormat": "Proxied", "refId": "B"}
],
"title": "DNS Records Over Time",
"type": "timeseries"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": ["cloudflare", "dns"],
"templating": {"list": []},
"time": {"from": "now-24h", "to": "now"},
"timepicker": {},
"timezone": "utc",
"title": "DNS Health",
"uid": "cf-dns",
"version": 1,
"weekStart": ""
}

238
observatory/dashboards/invariants.json Normal file
View File

@@ -0,0 +1,238 @@
{
"annotations": {"list": []},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "blue", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 0, "y": 0},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_invariants_total", "refId": "A"}],
"title": "Total Invariants",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 6, "y": 0},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_invariants_passed", "refId": "A"}],
"title": "Passed",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "green", "value": null},
{"color": "red", "value": 1}
]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 12, "y": 0},
"id": 3,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_invariants_failed", "refId": "A"}],
"title": "Failed",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"max": 100,
"min": 0,
"thresholds": {"mode": "absolute", "steps": [
{"color": "red", "value": null},
{"color": "yellow", "value": 80},
{"color": "green", "value": 95}
]},
"unit": "percent"
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 18, "y": 0},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_invariants_pass_rate", "refId": "A"}],
"title": "Pass Rate",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 20,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "stepAfter",
"lineWidth": 2,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": [
{
"matcher": {"id": "byName", "options": "Failed"},
"properties": [{"id": "color", "value": {"fixedColor": "red", "mode": "fixed"}}]
},
{
"matcher": {"id": "byName", "options": "Passed"},
"properties": [{"id": "color", "value": {"fixedColor": "green", "mode": "fixed"}}]
}
]
},
"gridPos": {"h": 10, "w": 24, "x": 0, "y": 4},
"id": 5,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_invariants_passed", "legendFormat": "Passed", "refId": "A"},
{"expr": "cloudflare_invariants_failed", "legendFormat": "Failed", "refId": "B"}
],
"title": "Invariant Status Over Time",
"type": "timeseries"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 3600},
{"color": "red", "value": 7200}
]},
"unit": "s"
},
"overrides": []
},
"gridPos": {"h": 6, "w": 12, "x": 0, "y": 14},
"id": 6,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_invariant_report_age_seconds", "refId": "A"}],
"title": "Report Age",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 1},
{"color": "red", "value": 5}
]}
},
"overrides": []
},
"gridPos": {"h": 6, "w": 12, "x": 12, "y": 14},
"id": 7,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_anomalies_last_24h", "refId": "A"}],
"title": "Anomalies (Last 24h)",
"type": "stat"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": ["cloudflare", "invariants", "compliance"],
"templating": {"list": []},
"time": {"from": "now-7d", "to": "now"},
"timepicker": {},
"timezone": "utc",
"title": "Invariants & Compliance",
"uid": "cf-invariants",
"version": 1,
"weekStart": ""
}

217
observatory/dashboards/proofchain.json Normal file
View File

@@ -0,0 +1,217 @@
{
"annotations": {"list": []},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "MISSING"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "SET"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 0, "y": 0},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_snapshot_merkle_root_set", "refId": "A"}],
"title": "Merkle Root",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 3600},
{"color": "red", "value": 7200}
]},
"unit": "s"
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 6, "y": 0},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_snapshot_age_seconds", "refId": "A"}],
"title": "Snapshot Age",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "blue", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 12, "y": 0},
"id": 3,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_anomalies_total", "refId": "A"}],
"title": "Total Anomalies",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "green", "value": null},
{"color": "yellow", "value": 1},
{"color": "red", "value": 5}
]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 18, "y": 0},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_anomalies_last_24h", "refId": "A"}],
"title": "Anomalies (24h)",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 2,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]},
"unit": "s"
},
"overrides": []
},
"gridPos": {"h": 8, "w": 24, "x": 0, "y": 4},
"id": 5,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_snapshot_age_seconds", "legendFormat": "Snapshot Age", "refId": "A"},
{"expr": "cloudflare_invariant_report_age_seconds", "legendFormat": "Report Age", "refId": "B"}
],
"title": "Data Freshness",
"type": "timeseries"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "bars",
"fillOpacity": 80,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 8, "w": 24, "x": 0, "y": 12},
"id": 6,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_anomalies_last_24h", "legendFormat": "Anomalies", "refId": "A"}
],
"title": "Anomaly Timeline",
"type": "timeseries"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": ["cloudflare", "proofchain", "vaultmesh"],
"templating": {"list": []},
"time": {"from": "now-7d", "to": "now"},
"timepicker": {},
"timezone": "utc",
"title": "ProofChain & Anchors",
"uid": "cf-proofchain",
"version": 1,
"weekStart": ""
}

245
observatory/dashboards/security-settings.json Normal file
View File

@@ -0,0 +1,245 @@
{
"annotations": {"list": []},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "OFF"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "ON"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 0, "y": 0},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_zone_ssl_strict", "refId": "A"}],
"title": "SSL Strict",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "WEAK"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "SECURE"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 4, "y": 0},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_zone_tls_version_secure", "refId": "A"}],
"title": "TLS Version",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "OFF"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "ON"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 8, "y": 0},
"id": 3,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_zone_always_https", "refId": "A"}],
"title": "Always HTTPS",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "OFF"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "ON"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 12, "y": 0},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_zone_browser_check", "refId": "A"}],
"title": "Browser Check",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [
{"options": {"0": {"color": "red", "index": 0, "text": "DISABLED"}}, "type": "value"},
{"options": {"1": {"color": "green", "index": 1, "text": "ACTIVE"}}, "type": "value"}
],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 16, "y": 0},
"id": 5,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_dnssec_enabled", "refId": "A"}],
"title": "DNSSEC",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "blue", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 4, "x": 20, "y": 0},
"id": 6,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_access_apps_total", "refId": "A"}],
"title": "Access Apps",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"description": "Security posture score based on enabled security features",
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"max": 6,
"min": 0,
"thresholds": {"mode": "absolute", "steps": [
{"color": "red", "value": null},
{"color": "yellow", "value": 3},
{"color": "green", "value": 5}
]}
},
"overrides": []
},
"gridPos": {"h": 8, "w": 12, "x": 0, "y": 4},
"id": 7,
"options": {
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"showThresholdLabels": false,
"showThresholdMarkers": true
},
"targets": [
{
"expr": "cloudflare_zone_ssl_strict + cloudflare_zone_tls_version_secure + cloudflare_zone_always_https + cloudflare_zone_browser_check + cloudflare_dnssec_enabled + (cloudflare_tunnels_healthy > 0)",
"refId": "A"
}
],
"title": "Security Score",
"type": "gauge"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {"hideFrom": {"legend": false, "tooltip": false, "viz": false}},
"mappings": []
},
"overrides": []
},
"gridPos": {"h": 8, "w": 12, "x": 12, "y": 4},
"id": 8,
"options": {
"displayLabels": ["name", "value"],
"legend": {"displayMode": "list", "placement": "right", "showLegend": true},
"pieType": "pie",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_access_apps_by_type{type=\"self_hosted\"}", "legendFormat": "Self-Hosted", "refId": "A"},
{"expr": "cloudflare_access_apps_by_type{type=\"saas\"}", "legendFormat": "SaaS", "refId": "B"},
{"expr": "cloudflare_access_apps_by_type{type=\"ssh\"}", "legendFormat": "SSH", "refId": "C"},
{"expr": "cloudflare_access_apps_by_type{type=\"vnc\"}", "legendFormat": "VNC", "refId": "D"},
{"expr": "cloudflare_access_apps_by_type{type=\"bookmark\"}", "legendFormat": "Bookmark", "refId": "E"}
],
"title": "Access Apps by Type",
"type": "piechart"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": ["cloudflare", "security", "access"],
"templating": {"list": []},
"time": {"from": "now-24h", "to": "now"},
"timepicker": {},
"timezone": "utc",
"title": "Security Settings",
"uid": "cf-security",
"version": 1,
"weekStart": ""
}

204
observatory/dashboards/tunnel-status.json Normal file
View File

@@ -0,0 +1,204 @@
{
"annotations": {"list": []},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 0, "y": 0},
"id": 1,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_tunnels_total", "refId": "A"}],
"title": "Total Tunnels",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "red", "value": null},
{"color": "green", "value": 1}
]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 6, "y": 0},
"id": 2,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_tunnels_healthy", "refId": "A"}],
"title": "Healthy Tunnels",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [
{"color": "green", "value": null},
{"color": "red", "value": 1}
]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 12, "y": 0},
"id": 3,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_tunnels_unhealthy", "refId": "A"}],
"title": "Unhealthy Tunnels",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "blue", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 4, "w": 6, "x": 18, "y": 0},
"id": 4,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"textMode": "auto"
},
"targets": [{"expr": "cloudflare_tunnel_connections_total", "refId": "A"}],
"title": "Total Connections",
"type": "stat"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "palette-classic"},
"custom": {
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {"legend": false, "tooltip": false, "viz": false},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 2,
"pointSize": 5,
"scaleDistribution": {"type": "linear"},
"showPoints": "never",
"spanNulls": false,
"stacking": {"group": "A", "mode": "none"},
"thresholdsStyle": {"mode": "off"}
},
"mappings": [],
"thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}
},
"overrides": []
},
"gridPos": {"h": 10, "w": 24, "x": 0, "y": 4},
"id": 5,
"options": {
"legend": {"calcs": [], "displayMode": "list", "placement": "bottom", "showLegend": true},
"tooltip": {"mode": "single", "sort": "none"}
},
"targets": [
{"expr": "cloudflare_tunnels_healthy", "legendFormat": "Healthy", "refId": "A"},
{"expr": "cloudflare_tunnels_unhealthy", "legendFormat": "Unhealthy", "refId": "B"},
{"expr": "cloudflare_tunnel_connections_total", "legendFormat": "Connections", "refId": "C"}
],
"title": "Tunnel Health Over Time",
"type": "timeseries"
},
{
"datasource": {"type": "prometheus", "uid": "prometheus"},
"fieldConfig": {
"defaults": {
"color": {"mode": "thresholds"},
"mappings": [],
"max": 100,
"min": 0,
"thresholds": {"mode": "absolute", "steps": [
{"color": "red", "value": null},
{"color": "yellow", "value": 50},
{"color": "green", "value": 80}
]},
"unit": "percent"
},
"overrides": []
},
"gridPos": {"h": 6, "w": 12, "x": 0, "y": 14},
"id": 6,
"options": {
"orientation": "auto",
"reduceOptions": {"calcs": ["lastNotNull"], "fields": "", "values": false},
"showThresholdLabels": false,
"showThresholdMarkers": true
},
"pluginVersion": "10.2.2",
"targets": [
{
"expr": "(cloudflare_tunnels_healthy / cloudflare_tunnels_total) * 100",
"refId": "A"
}
],
"title": "Tunnel Health Percentage",
"type": "gauge"
}
],
"refresh": "1m",
"schemaVersion": 38,
"style": "dark",
"tags": ["cloudflare", "tunnel"],
"templating": {"list": []},
"time": {"from": "now-24h", "to": "now"},
"timepicker": {},
"timezone": "utc",
"title": "Tunnel Status",
"uid": "cf-tunnel",
"version": 1,
"weekStart": ""
}

13
observatory/datasources/prometheus.yml Normal file
View File

@@ -0,0 +1,13 @@
# Grafana Datasource Provisioning
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
access: proxy
url: http://prometheus:9090
isDefault: true
editable: false
jsonData:
timeInterval: "60s"
httpMethod: POST

123
observatory/docker-compose.yml Normal file
View File

@@ -0,0 +1,123 @@
# Cloudflare Mesh Observatory Docker Stack
# Prometheus + Grafana + Alertmanager + Custom Metrics Exporter
# Phase 5B - Full Observability + Alerting
services:
# Prometheus - Metrics Collection
prometheus:
image: prom/prometheus:v2.48.0
container_name: cf-prometheus
restart: unless-stopped
ports:
- "9090:9090"
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
- ./prometheus/alerts:/etc/prometheus/alerts:ro
- prometheus_data:/prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
- '--storage.tsdb.retention.time=30d'
- '--web.enable-lifecycle'
- '--web.console.libraries=/usr/share/prometheus/console_libraries'
- '--web.console.templates=/usr/share/prometheus/consoles'
networks:
- observatory
depends_on:
- alertmanager
healthcheck:
test: ["CMD", "wget", "-q", "--spider", "http://localhost:9090/-/healthy"]
interval: 30s
timeout: 10s
retries: 3
# Alertmanager - Alert Routing & Notifications
alertmanager:
image: prom/alertmanager:v0.26.0
container_name: cf-alertmanager
restart: unless-stopped
ports:
- "9093:9093"
volumes:
- ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
- ./alertmanager/templates:/etc/alertmanager/templates:ro
- alertmanager_data:/alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yml'
- '--storage.path=/alertmanager'
- '--web.listen-address=:9093'
- '--cluster.listen-address='
environment:
- SLACK_WEBHOOK_URL=${SLACK_WEBHOOK_URL}
- PAGERDUTY_SERVICE_KEY=${PAGERDUTY_SERVICE_KEY}
- SMTP_USERNAME=${SMTP_USERNAME}
- SMTP_PASSWORD=${SMTP_PASSWORD}
networks:
- observatory
healthcheck:
test: ["CMD", "wget", "-q", "--spider", "http://localhost:9093/-/healthy"]
interval: 30s
timeout: 10s
retries: 3
# Grafana - Visualization
grafana:
image: grafana/grafana:10.2.2
container_name: cf-grafana
restart: unless-stopped
ports:
- "3000:3000"
environment:
- GF_SECURITY_ADMIN_USER=admin
- GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD:-changeme}
- GF_USERS_ALLOW_SIGN_UP=false
- GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s:%(http_port)s/
- GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-piechart-panel
volumes:
- grafana_data:/var/lib/grafana
- ./dashboards:/etc/grafana/provisioning/dashboards:ro
- ./datasources:/etc/grafana/provisioning/datasources:ro
networks:
- observatory
depends_on:
- prometheus
healthcheck:
test: ["CMD-SHELL", "wget -q --spider http://localhost:3000/api/health || exit 1"]
interval: 30s
timeout: 10s
retries: 3
# Cloudflare Metrics Exporter
metrics-exporter:
build:
context: .
dockerfile: Dockerfile.exporter
container_name: cf-metrics-exporter
restart: unless-stopped
ports:
- "9100:9100"
environment:
- CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
- CLOUDFLARE_ZONE_ID=${CLOUDFLARE_ZONE_ID}
- CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}
- SNAPSHOT_DIR=/data/snapshots
- ANOMALY_DIR=/data/anomalies
volumes:
- ../snapshots:/data/snapshots:ro
- ../anomalies:/data/anomalies:ro
networks:
- observatory
healthcheck:
test: ["CMD", "wget", "-q", "--spider", "http://localhost:9100/health"]
interval: 30s
timeout: 10s
retries: 3
networks:
observatory:
driver: bridge
volumes:
prometheus_data:
grafana_data:
alertmanager_data:

344
observatory/drift-visualizer.py Normal file
View File

@@ -0,0 +1,344 @@
#!/usr/bin/env python3
"""
Drift Visualizer
Compares Terraform state, DNS manifest, and live Cloudflare configuration.
Outputs JSON diff and HTML report.
Usage:
python3 drift-visualizer.py --snapshot <path> --manifest <path> --output <dir>
"""
import argparse
import html
import json
import os
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Set, Tuple
OUTPUT_DIR = os.path.join(os.path.dirname(os.path.dirname(__file__)), "reports")
class DriftAnalyzer:
"""Analyzes drift between different state sources."""
def __init__(self):
self.diffs: List[Dict[str, Any]] = []
def compare_dns_records(
self,
source_name: str,
source_records: List[Dict],
target_name: str,
target_records: List[Dict]
) -> List[Dict[str, Any]]:
"""Compare DNS records between two sources."""
diffs = []
# Build lookup maps
source_map = {(r.get("type"), r.get("name")): r for r in source_records}
target_map = {(r.get("type"), r.get("name")): r for r in target_records}
all_keys = set(source_map.keys()) | set(target_map.keys())
for key in all_keys:
rtype, name = key
source_rec = source_map.get(key)
target_rec = target_map.get(key)
if source_rec and not target_rec:
diffs.append({
"type": "missing",
"source": source_name,
"target": target_name,
"record_type": rtype,
"record_name": name,
"detail": f"Record exists in {source_name} but not in {target_name}",
"severity": "high",
})
elif target_rec and not source_rec:
diffs.append({
"type": "extra",
"source": source_name,
"target": target_name,
"record_type": rtype,
"record_name": name,
"detail": f"Record exists in {target_name} but not in {source_name}",
"severity": "medium",
})
else:
# Both exist - check for content/config drift
content_diff = self._compare_record_content(source_rec, target_rec)
if content_diff:
diffs.append({
"type": "modified",
"source": source_name,
"target": target_name,
"record_type": rtype,
"record_name": name,
"detail": content_diff,
"source_value": source_rec,
"target_value": target_rec,
"severity": "medium",
})
return diffs
def _compare_record_content(self, rec1: Dict, rec2: Dict) -> Optional[str]:
"""Compare record content and return diff description."""
diffs = []
if rec1.get("content") != rec2.get("content"):
diffs.append(f"content: {rec1.get('content')} -> {rec2.get('content')}")
if rec1.get("proxied") != rec2.get("proxied"):
diffs.append(f"proxied: {rec1.get('proxied')} -> {rec2.get('proxied')}")
if rec1.get("ttl") != rec2.get("ttl"):
diffs.append(f"ttl: {rec1.get('ttl')} -> {rec2.get('ttl')}")
return "; ".join(diffs) if diffs else None
def compare_settings(
self,
source_name: str,
source_settings: Dict,
target_name: str,
target_settings: Dict
) -> List[Dict[str, Any]]:
"""Compare zone settings."""
diffs = []
all_keys = set(source_settings.keys()) | set(target_settings.keys())
for key in all_keys:
src_val = source_settings.get(key)
tgt_val = target_settings.get(key)
if src_val != tgt_val:
diffs.append({
"type": "setting_drift",
"source": source_name,
"target": target_name,
"setting": key,
"source_value": src_val,
"target_value": tgt_val,
"severity": "medium" if key in ("ssl", "min_tls_version") else "low",
})
return diffs
def analyze(
self,
snapshot: Optional[Dict] = None,
manifest: Optional[Dict] = None,
terraform_state: Optional[Dict] = None
) -> Dict[str, Any]:
"""Run full drift analysis."""
self.diffs = []
comparisons = []
# Snapshot vs Manifest
if snapshot and manifest:
snapshot_dns = snapshot.get("state", {}).get("dns", {}).get("records", [])
manifest_dns = manifest.get("records", [])
dns_diffs = self.compare_dns_records(
"manifest", manifest_dns,
"cloudflare", snapshot_dns
)
self.diffs.extend(dns_diffs)
comparisons.append("manifest_vs_cloudflare")
# Summary
high = len([d for d in self.diffs if d.get("severity") == "high"])
medium = len([d for d in self.diffs if d.get("severity") == "medium"])
low = len([d for d in self.diffs if d.get("severity") == "low"])
return {
"analysis_type": "drift_report",
"timestamp": datetime.now(timezone.utc).isoformat(),
"comparisons": comparisons,
"summary": {
"total_diffs": len(self.diffs),
"high_severity": high,
"medium_severity": medium,
"low_severity": low,
"drift_detected": len(self.diffs) > 0,
},
"diffs": self.diffs,
}
def generate_html_report(analysis: Dict[str, Any]) -> str:
"""Generate HTML visualization of drift report."""
timestamp = analysis.get("timestamp", "")
summary = analysis.get("summary", {})
diffs = analysis.get("diffs", [])
# CSS styles
css = """
<style>
body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
max-width: 1200px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
h1 { color: #58a6ff; border-bottom: 1px solid #30363d; padding-bottom: 10px; }
h2 { color: #8b949e; }
.summary { display: flex; gap: 20px; margin: 20px 0; }
.card { background: #161b22; padding: 20px; border-radius: 8px; border: 1px solid #30363d; flex: 1; }
.card h3 { margin-top: 0; color: #58a6ff; }
.stat { font-size: 2em; font-weight: bold; }
.high { color: #f85149; }
.medium { color: #d29922; }
.low { color: #3fb950; }
.ok { color: #3fb950; }
table { width: 100%; border-collapse: collapse; margin: 20px 0; }
th, td { padding: 12px; text-align: left; border-bottom: 1px solid #30363d; }
th { background: #161b22; color: #8b949e; }
tr:hover { background: #161b22; }
.badge { padding: 4px 8px; border-radius: 4px; font-size: 0.8em; font-weight: bold; }
.badge-high { background: #f85149; color: white; }
.badge-medium { background: #d29922; color: black; }
.badge-low { background: #238636; color: white; }
.badge-missing { background: #f85149; }
.badge-extra { background: #d29922; }
.badge-modified { background: #1f6feb; color: white; }
.no-drift { text-align: center; padding: 40px; color: #3fb950; }
code { background: #21262d; padding: 2px 6px; border-radius: 4px; }
</style>
"""
# Header
html_parts = [
"<!DOCTYPE html>",
"<html><head>",
"<meta charset='utf-8'>",
"<title>Cloudflare Drift Report</title>",
css,
"</head><body>",
"<h1>Cloudflare Drift Report</h1>",
f"<p>Generated: {timestamp}</p>",
]
# Summary cards
html_parts.append("<div class='summary'>")
html_parts.append(f"""
<div class='card'>
<h3>Total Diffs</h3>
<div class='stat {"ok" if summary.get("total_diffs") == 0 else "high"}'>{summary.get("total_diffs", 0)}</div>
</div>
""")
html_parts.append(f"""
<div class='card'>
<h3>High Severity</h3>
<div class='stat high'>{summary.get("high_severity", 0)}</div>
</div>
""")
html_parts.append(f"""
<div class='card'>
<h3>Medium Severity</h3>
<div class='stat medium'>{summary.get("medium_severity", 0)}</div>
</div>
""")
html_parts.append(f"""
<div class='card'>
<h3>Low Severity</h3>
<div class='stat low'>{summary.get("low_severity", 0)}</div>
</div>
""")
html_parts.append("</div>")
# Diffs table
if diffs:
html_parts.append("<h2>Drift Details</h2>")
html_parts.append("<table>")
html_parts.append("""
<tr>
<th>Type</th>
<th>Severity</th>
<th>Record</th>
<th>Detail</th>
</tr>
""")
for diff in diffs:
dtype = diff.get("type", "unknown")
severity = diff.get("severity", "low")
record = f"{diff.get('record_type', '')} {diff.get('record_name', '')}"
detail = html.escape(str(diff.get("detail", "")))
html_parts.append(f"""
<tr>
<td><span class='badge badge-{dtype}'>{dtype}</span></td>
<td><span class='badge badge-{severity}'>{severity.upper()}</span></td>
<td><code>{html.escape(record)}</code></td>
<td>{detail}</td>
</tr>
""")
html_parts.append("</table>")
else:
html_parts.append("<div class='no-drift'>No drift detected. Configuration is in sync.</div>")
html_parts.append("</body></html>")
return "\n".join(html_parts)
def main():
parser = argparse.ArgumentParser(description="Drift Visualizer")
parser.add_argument("--snapshot", help="Path to state snapshot JSON")
parser.add_argument("--manifest", help="Path to DNS manifest JSON/YAML")
parser.add_argument("--output-dir", default=OUTPUT_DIR, help="Output directory")
parser.add_argument("--format", choices=["json", "html", "both"], default="both",
help="Output format")
args = parser.parse_args()
# Load files
snapshot = None
manifest = None
if args.snapshot:
with open(args.snapshot) as f:
snapshot = json.load(f)
if args.manifest:
with open(args.manifest) as f:
manifest = json.load(f)
if not snapshot and not manifest:
print("Error: At least one of --snapshot or --manifest required")
return 1
# Ensure output directory
os.makedirs(args.output_dir, exist_ok=True)
# Run analysis
analyzer = DriftAnalyzer()
analysis = analyzer.analyze(snapshot=snapshot, manifest=manifest)
# Output
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%SZ")
if args.format in ("json", "both"):
json_path = os.path.join(args.output_dir, f"drift-report-{timestamp}.json")
with open(json_path, "w") as f:
json.dump(analysis, f, indent=2)
print(f"JSON report: {json_path}")
if args.format in ("html", "both"):
html_content = generate_html_report(analysis)
html_path = os.path.join(args.output_dir, f"drift-report-{timestamp}.html")
with open(html_path, "w") as f:
f.write(html_content)
print(f"HTML report: {html_path}")
# Summary
summary = analysis.get("summary", {})
print(f"\nDrift Summary:")
print(f" Total diffs: {summary.get('total_diffs', 0)}")
print(f" High: {summary.get('high_severity', 0)}")
print(f" Medium: {summary.get('medium_severity', 0)}")
print(f" Low: {summary.get('low_severity', 0)}")
return 0 if summary.get("total_diffs", 0) == 0 else 1
if __name__ == "__main__":
exit(main())

351
observatory/escalation-matrix.yml Normal file
View File

@@ -0,0 +1,351 @@
# Cloudflare Mesh Observatory - Escalation Matrix
# Phase 5B - Alerts & Escalation
#
# This matrix defines who gets notified for what, and when to escalate.
# Used by Alertmanager routing and for human reference.
---
version: "1.0"
last_updated: "2024-01-01"
# ==============================================================================
# SEVERITY DEFINITIONS
# ==============================================================================
severity_definitions:
critical:
description: "Service down, security incident, or data integrity issue"
response_time: "15 minutes"
notification_channels: ["pagerduty", "slack-critical", "phone"]
escalation_after: "30 minutes"
warning:
description: "Degraded service, policy violation, or impending issue"
response_time: "1 hour"
notification_channels: ["slack"]
escalation_after: "4 hours"
info:
description: "Informational, audit, or metric threshold"
response_time: "Next business day"
notification_channels: ["email-digest"]
escalation_after: null
# ==============================================================================
# ESCALATION CHAINS
# ==============================================================================
escalation_chains:
infrastructure:
name: "Infrastructure Team"
stages:
- stage: 1
delay: "0m"
contacts: ["infra-oncall"]
channels: ["pagerduty", "slack"]
- stage: 2
delay: "30m"
contacts: ["infra-lead"]
channels: ["pagerduty", "phone"]
- stage: 3
delay: "1h"
contacts: ["platform-director"]
channels: ["phone"]
security:
name: "Security Team"
stages:
- stage: 1
delay: "0m"
contacts: ["security-oncall"]
channels: ["pagerduty", "slack-security"]
- stage: 2
delay: "15m"
contacts: ["security-lead", "ciso"]
channels: ["pagerduty", "phone"]
platform:
name: "Platform Team"
stages:
- stage: 1
delay: "0m"
contacts: ["platform-oncall"]
channels: ["slack"]
- stage: 2
delay: "1h"
contacts: ["platform-lead"]
channels: ["pagerduty"]
# ==============================================================================
# COMPONENT -> ESCALATION CHAIN MAPPING
# ==============================================================================
component_ownership:
tunnel:
primary_chain: infrastructure
backup_chain: platform
slack_channel: "#cloudflare-tunnels"
playbooks:
- "TUNNEL-ROTATION-PROTOCOL.md"
dns:
primary_chain: infrastructure
backup_chain: security # DNS can be security-related
slack_channel: "#cloudflare-dns"
playbooks:
- "DNS-COMPROMISE-PLAYBOOK.md"
waf:
primary_chain: security
backup_chain: infrastructure
slack_channel: "#cloudflare-waf"
playbooks:
- "waf_incident_playbook.md"
invariant:
primary_chain: security
backup_chain: platform
slack_channel: "#cloudflare-security"
playbooks:
- "SECURITY-INVARIANTS.md"
proofchain:
primary_chain: platform
backup_chain: security
slack_channel: "#cloudflare-proofchain"
playbooks:
- "proofchain-incident.md"
# ==============================================================================
# ALERT -> RESPONSE MAPPING
# ==============================================================================
alert_responses:
# TUNNEL ALERTS
TunnelDown:
severity: critical
escalation_chain: infrastructure
immediate_actions:
- "Check cloudflared service status"
- "Verify network connectivity to origin"
- "Check Cloudflare status page"
playbook: "TUNNEL-ROTATION-PROTOCOL.md"
auto_remediation: false # Manual intervention required
AllTunnelsDown:
severity: critical
escalation_chain: infrastructure
immediate_actions:
- "DECLARE INCIDENT"
- "Check all cloudflared instances"
- "Verify DNS resolution"
- "Check for Cloudflare outage"
playbook: "TUNNEL-ROTATION-PROTOCOL.md"
auto_remediation: false
TunnelRotationDue:
severity: warning
escalation_chain: platform
immediate_actions:
- "Schedule maintenance window"
- "Prepare new tunnel credentials"
playbook: "TUNNEL-ROTATION-PROTOCOL.md"
auto_remediation: true # Can be auto-scheduled
# DNS ALERTS
DNSHijackDetected:
severity: critical
escalation_chain: security
immediate_actions:
- "DECLARE SECURITY INCIDENT"
- "Verify DNS resolution from multiple locations"
- "Check Cloudflare audit logs"
- "Preserve evidence"
playbook: "DNS-COMPROMISE-PLAYBOOK.md"
auto_remediation: false # NEVER auto-remediate security incidents
DNSDriftDetected:
severity: warning
escalation_chain: infrastructure
immediate_actions:
- "Run state reconciler"
- "Identify changed records"
- "Verify authorization"
playbook: "DNS-COMPROMISE-PLAYBOOK.md"
auto_remediation: true # Can auto-reconcile if authorized
# WAF ALERTS
WAFMassiveAttack:
severity: critical
escalation_chain: security
immediate_actions:
- "Verify attack is real (not false positive)"
- "Consider Under Attack Mode"
- "Check rate limiting"
- "Document attack patterns"
playbook: "waf_incident_playbook.md"
auto_remediation: false
WAFRuleBypass:
severity: critical
escalation_chain: security
immediate_actions:
- "Analyze bypassed requests"
- "Tighten rule immediately"
- "Check for related vulnerabilities"
playbook: "waf_incident_playbook.md"
auto_remediation: false
WAFDisabled:
severity: critical
escalation_chain: security
immediate_actions:
- "IMMEDIATELY investigate why WAF is disabled"
- "Re-enable unless documented exception"
- "Review audit logs"
playbook: "waf_incident_playbook.md"
auto_remediation: true # Auto-enable WAF
# INVARIANT ALERTS
SSLModeDowngraded:
severity: critical
escalation_chain: security
immediate_actions:
- "Restore Full (Strict) SSL mode"
- "Investigate who made the change"
- "Review audit logs"
playbook: null
auto_remediation: true # Auto-restore SSL mode
AccessPolicyViolation:
severity: critical
escalation_chain: security
immediate_actions:
- "Review access attempt"
- "Block if malicious"
- "Notify affected user if legitimate"
playbook: null
auto_remediation: false
# PROOFCHAIN ALERTS
ProofchainIntegrityFailure:
severity: critical
escalation_chain: security
immediate_actions:
- "HALT all new receipt generation"
- "Preserve current state"
- "Identify last known-good checkpoint"
- "Do NOT attempt auto-recovery"
playbook: null
auto_remediation: false # NEVER auto-remediate integrity failures
ReceiptHashMismatch:
severity: critical
escalation_chain: security
immediate_actions:
- "Identify affected receipt"
- "Compare against backup"
- "Preserve for forensics"
playbook: null
auto_remediation: false
# ==============================================================================
# CONTACTS
# ==============================================================================
contacts:
infra-oncall:
name: "Infrastructure On-Call"
pagerduty_service: "PXXXXXX"
slack_handle: "@infra-oncall"
schedule: "follow-the-sun"
infra-lead:
name: "Infrastructure Team Lead"
pagerduty_user: "UXXXXXX"
phone: "+1-XXX-XXX-XXXX"
email: "infra-lead@company.com"
security-oncall:
name: "Security On-Call"
pagerduty_service: "PXXXXXX"
slack_handle: "@security-oncall"
schedule: "24x7"
security-lead:
name: "Security Team Lead"
pagerduty_user: "UXXXXXX"
phone: "+1-XXX-XXX-XXXX"
email: "security-lead@company.com"
ciso:
name: "Chief Information Security Officer"
phone: "+1-XXX-XXX-XXXX"
email: "ciso@company.com"
platform-oncall:
name: "Platform On-Call"
pagerduty_service: "PXXXXXX"
slack_handle: "@platform-oncall"
platform-lead:
name: "Platform Team Lead"
pagerduty_user: "UXXXXXX"
email: "platform-lead@company.com"
platform-director:
name: "Platform Director"
phone: "+1-XXX-XXX-XXXX"
email: "platform-director@company.com"
# ==============================================================================
# NOTIFICATION CHANNELS
# ==============================================================================
channels:
slack:
default: "#cloudflare-alerts"
critical: "#cloudflare-critical"
tunnels: "#cloudflare-tunnels"
dns: "#cloudflare-dns"
waf: "#cloudflare-waf"
security: "#cloudflare-security"
proofchain: "#cloudflare-proofchain"
pagerduty:
integration_key: "${PAGERDUTY_SERVICE_KEY}"
escalation_policy: "cloudflare-infrastructure"
email:
daily_digest: "cloudflare-team@company.com"
weekly_report: "platform-leadership@company.com"
# ==============================================================================
# AUTO-REMEDIATION POLICIES
# ==============================================================================
auto_remediation:
enabled: true
require_confirmation_for:
- "critical"
- "security_incident"
never_auto_remediate:
- "ProofchainIntegrityFailure"
- "ReceiptHashMismatch"
- "DNSHijackDetected"
- "WAFRuleBypass"
max_auto_remediations_per_hour: 5
cooldown_period: "10m"
# ==============================================================================
# MAINTENANCE WINDOWS
# ==============================================================================
maintenance_windows:
weekly_rotation:
schedule: "0 3 * * SUN" # 3 AM Sunday
duration: "2h"
suppress_alerts:
- "TunnelDown"
- "TunnelDegraded"
notify_channel: "#cloudflare-alerts"
monthly_patch:
schedule: "0 2 15 * *" # 2 AM on the 15th
duration: "4h"
suppress_alerts:
- "TunnelDown"
- "CloudflaredOutdated"
notify_channel: "#cloudflare-alerts"

355
observatory/metrics-exporter.py Normal file
View File

@@ -0,0 +1,355 @@
#!/usr/bin/env python3
"""
Cloudflare Metrics Exporter for Prometheus
Exports Cloudflare state and invariant status as Prometheus metrics.
Usage:
python3 metrics-exporter.py --port 9100
Environment Variables:
CLOUDFLARE_API_TOKEN - API token
CLOUDFLARE_ZONE_ID - Zone ID
CLOUDFLARE_ACCOUNT_ID - Account ID
SNAPSHOT_DIR - Directory containing state snapshots
ANOMALY_DIR - Directory containing invariant reports
"""
import argparse
import glob
import json
import os
import time
from datetime import datetime, timezone
from http.server import HTTPServer, BaseHTTPRequestHandler
from typing import Any, Dict, List, Optional
import requests
# Configuration
CF_API_BASE = "https://api.cloudflare.com/client/v4"
DEFAULT_PORT = 9100
SCRAPE_INTERVAL = 60 # seconds
class CloudflareMetricsCollector:
"""Collects Cloudflare metrics for Prometheus export."""
def __init__(self, api_token: str, zone_id: str, account_id: str,
snapshot_dir: str, anomaly_dir: str):
self.api_token = api_token
self.zone_id = zone_id
self.account_id = account_id
self.snapshot_dir = snapshot_dir
self.anomaly_dir = anomaly_dir
self.session = requests.Session()
self.session.headers.update({
"Authorization": f"Bearer {api_token}",
"Content-Type": "application/json"
})
self.metrics: Dict[str, Any] = {}
self.last_scrape = 0
def _cf_request(self, endpoint: str) -> Dict[str, Any]:
"""Make Cloudflare API request."""
url = f"{CF_API_BASE}{endpoint}"
response = self.session.get(url)
response.raise_for_status()
return response.json()
def _get_latest_file(self, pattern: str) -> Optional[str]:
"""Get most recent file matching pattern."""
files = glob.glob(pattern)
if not files:
return None
return max(files, key=os.path.getmtime)
def collect_dns_metrics(self):
"""Collect DNS record metrics."""
try:
data = self._cf_request(f"/zones/{self.zone_id}/dns_records?per_page=500")
records = data.get("result", [])
# Count by type
type_counts = {}
proxied_count = 0
unproxied_count = 0
for r in records:
rtype = r.get("type", "UNKNOWN")
type_counts[rtype] = type_counts.get(rtype, 0) + 1
if r.get("proxied"):
proxied_count += 1
else:
unproxied_count += 1
self.metrics["dns_records_total"] = len(records)
self.metrics["dns_records_proxied"] = proxied_count
self.metrics["dns_records_unproxied"] = unproxied_count
for rtype, count in type_counts.items():
self.metrics[f"dns_records_by_type{{type=\"{rtype}\"}}"] = count
except Exception as e:
self.metrics["dns_scrape_errors_total"] = self.metrics.get("dns_scrape_errors_total", 0) + 1
def collect_dnssec_metrics(self):
"""Collect DNSSEC status."""
try:
data = self._cf_request(f"/zones/{self.zone_id}/dnssec")
result = data.get("result", {})
status = result.get("status", "unknown")
self.metrics["dnssec_enabled"] = 1 if status == "active" else 0
except Exception:
self.metrics["dnssec_enabled"] = -1
def collect_tunnel_metrics(self):
"""Collect tunnel metrics."""
try:
data = self._cf_request(f"/accounts/{self.account_id}/cfd_tunnel")
tunnels = data.get("result", [])
active = 0
healthy = 0
total_connections = 0
for t in tunnels:
if not t.get("deleted_at"):
active += 1
# Check connections
try:
conn_data = self._cf_request(
f"/accounts/{self.account_id}/cfd_tunnel/{t['id']}/connections"
)
conns = conn_data.get("result", [])
if conns:
healthy += 1
total_connections += len(conns)
except Exception:
pass
self.metrics["tunnels_total"] = active
self.metrics["tunnels_healthy"] = healthy
self.metrics["tunnels_unhealthy"] = active - healthy
self.metrics["tunnel_connections_total"] = total_connections
except Exception:
self.metrics["tunnel_scrape_errors_total"] = self.metrics.get("tunnel_scrape_errors_total", 0) + 1
def collect_access_metrics(self):
"""Collect Access app metrics."""
try:
data = self._cf_request(f"/accounts/{self.account_id}/access/apps")
apps = data.get("result", [])
self.metrics["access_apps_total"] = len(apps)
# Count by type
type_counts = {}
for app in apps:
app_type = app.get("type", "unknown")
type_counts[app_type] = type_counts.get(app_type, 0) + 1
for app_type, count in type_counts.items():
self.metrics[f"access_apps_by_type{{type=\"{app_type}\"}}"] = count
except Exception:
self.metrics["access_scrape_errors_total"] = self.metrics.get("access_scrape_errors_total", 0) + 1
def collect_zone_settings_metrics(self):
"""Collect zone security settings."""
try:
data = self._cf_request(f"/zones/{self.zone_id}/settings")
settings = {s["id"]: s["value"] for s in data.get("result", [])}
# TLS settings
ssl = settings.get("ssl", "unknown")
self.metrics["zone_ssl_strict"] = 1 if ssl in ("strict", "full_strict") else 0
min_tls = settings.get("min_tls_version", "unknown")
self.metrics["zone_tls_version_secure"] = 1 if min_tls in ("1.2", "1.3") else 0
# Security features
self.metrics["zone_always_https"] = 1 if settings.get("always_use_https") == "on" else 0
self.metrics["zone_browser_check"] = 1 if settings.get("browser_check") == "on" else 0
except Exception:
pass
def collect_snapshot_metrics(self):
"""Collect metrics from state snapshots."""
latest = self._get_latest_file(os.path.join(self.snapshot_dir, "cloudflare-*.json"))
if not latest:
self.metrics["snapshot_age_seconds"] = -1
return
try:
mtime = os.path.getmtime(latest)
age = time.time() - mtime
self.metrics["snapshot_age_seconds"] = int(age)
with open(latest) as f:
snapshot = json.load(f)
integrity = snapshot.get("integrity", {})
self.metrics["snapshot_merkle_root_set"] = 1 if integrity.get("merkle_root") else 0
except Exception:
self.metrics["snapshot_age_seconds"] = -1
def collect_invariant_metrics(self):
"""Collect metrics from invariant reports."""
latest = self._get_latest_file(os.path.join(self.anomaly_dir, "invariant-report-*.json"))
if not latest:
self.metrics["invariants_total"] = 0
self.metrics["invariants_passed"] = 0
self.metrics["invariants_failed"] = 0
return
try:
with open(latest) as f:
report = json.load(f)
summary = report.get("summary", {})
self.metrics["invariants_total"] = summary.get("total", 0)
self.metrics["invariants_passed"] = summary.get("passed", 0)
self.metrics["invariants_failed"] = summary.get("failed", 0)
self.metrics["invariants_pass_rate"] = summary.get("pass_rate", 0)
# Report age
mtime = os.path.getmtime(latest)
self.metrics["invariant_report_age_seconds"] = int(time.time() - mtime)
except Exception:
pass
def collect_anomaly_metrics(self):
"""Count anomaly receipts."""
anomaly_files = glob.glob(os.path.join(self.anomaly_dir, "anomaly-*.json"))
self.metrics["anomalies_total"] = len(anomaly_files)
# Recent anomalies (last 24h)
recent = 0
day_ago = time.time() - 86400
for f in anomaly_files:
if os.path.getmtime(f) > day_ago:
recent += 1
self.metrics["anomalies_last_24h"] = recent
def collect_all(self):
"""Collect all metrics."""
now = time.time()
if now - self.last_scrape < SCRAPE_INTERVAL:
return # Rate limit
self.last_scrape = now
self.metrics = {"scrape_timestamp": int(now)}
self.collect_dns_metrics()
self.collect_dnssec_metrics()
self.collect_tunnel_metrics()
self.collect_access_metrics()
self.collect_zone_settings_metrics()
self.collect_snapshot_metrics()
self.collect_invariant_metrics()
self.collect_anomaly_metrics()
def format_prometheus(self) -> str:
"""Format metrics as Prometheus exposition format."""
lines = [
"# HELP cloudflare_dns_records_total Total DNS records",
"# TYPE cloudflare_dns_records_total gauge",
"# HELP cloudflare_tunnels_total Total active tunnels",
"# TYPE cloudflare_tunnels_total gauge",
"# HELP cloudflare_tunnels_healthy Healthy tunnels with connections",
"# TYPE cloudflare_tunnels_healthy gauge",
"# HELP cloudflare_invariants_passed Invariants passing",
"# TYPE cloudflare_invariants_passed gauge",
"# HELP cloudflare_invariants_failed Invariants failing",
"# TYPE cloudflare_invariants_failed gauge",
"",
]
for key, value in self.metrics.items():
if isinstance(value, (int, float)):
# Handle labels in key
if "{" in key:
lines.append(f"cloudflare_{key} {value}")
else:
lines.append(f"cloudflare_{key} {value}")
return "\n".join(lines)
class MetricsHandler(BaseHTTPRequestHandler):
"""HTTP handler for Prometheus scrapes."""
collector: CloudflareMetricsCollector = None
def do_GET(self):
if self.path == "/metrics":
self.collector.collect_all()
output = self.collector.format_prometheus()
self.send_response(200)
self.send_header("Content-Type", "text/plain; charset=utf-8")
self.end_headers()
self.wfile.write(output.encode())
elif self.path == "/health":
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.end_headers()
self.wfile.write(b"OK")
else:
self.send_response(404)
self.end_headers()
def log_message(self, format, *args):
pass # Suppress default logging
def main():
parser = argparse.ArgumentParser(description="Cloudflare Metrics Exporter")
parser.add_argument("--port", type=int, default=DEFAULT_PORT,
help=f"Port to listen on (default: {DEFAULT_PORT})")
parser.add_argument("--zone-id", default=os.environ.get("CLOUDFLARE_ZONE_ID"))
parser.add_argument("--account-id", default=os.environ.get("CLOUDFLARE_ACCOUNT_ID"))
parser.add_argument("--snapshot-dir",
default=os.environ.get("SNAPSHOT_DIR", "../snapshots"))
parser.add_argument("--anomaly-dir",
default=os.environ.get("ANOMALY_DIR", "../anomalies"))
args = parser.parse_args()
api_token = os.environ.get("CLOUDFLARE_API_TOKEN")
if not api_token:
print("Error: CLOUDFLARE_API_TOKEN required")
return 1
if not args.zone_id or not args.account_id:
print("Error: Zone ID and Account ID required")
return 1
# Initialize collector
collector = CloudflareMetricsCollector(
api_token, args.zone_id, args.account_id,
args.snapshot_dir, args.anomaly_dir
)
MetricsHandler.collector = collector
# Start server
server = HTTPServer(("0.0.0.0", args.port), MetricsHandler)
print(f"Cloudflare Metrics Exporter listening on :{args.port}")
print(f" /metrics - Prometheus metrics")
print(f" /health - Health check")
try:
server.serve_forever()
except KeyboardInterrupt:
print("\nShutting down...")
server.shutdown()
return 0
if __name__ == "__main__":
exit(main())

43
observatory/prometheus.yml Normal file
View File

@@ -0,0 +1,43 @@
# Prometheus Configuration for Cloudflare Mesh Observatory
# Scrapes metrics from the custom exporter
global:
scrape_interval: 60s
evaluation_interval: 60s
external_labels:
monitor: 'cloudflare-mesh'
# Alerting configuration
alerting:
alertmanagers:
- static_configs:
- targets:
- alertmanager:9093
# Rule files - Load all alert rules from the alerts directory
rule_files:
- /etc/prometheus/alerts/*.yml
# Scrape configurations
scrape_configs:
# Prometheus self-monitoring
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
metrics_path: /metrics
scheme: http
# Cloudflare metrics exporter
- job_name: 'cloudflare'
static_configs:
- targets: ['metrics-exporter:9100']
metrics_path: /metrics
scheme: http
scrape_interval: 60s
scrape_timeout: 30s
honor_labels: true
# Optional: Node exporter for host metrics
# - job_name: 'node'
# static_configs:
# - targets: ['node-exporter:9100']

228
observatory/prometheus/alerts/dns-alerts.yml Normal file
View File

@@ -0,0 +1,228 @@
# DNS Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
groups:
- name: dns_alerts
interval: 60s
rules:
# ============================================
# CRITICAL - DNS Hijack Detection
# ============================================
- alert: DNSHijackDetected
expr: cloudflare_dns_record_mismatch == 1
for: 1m
labels:
severity: critical
component: dns
playbook: dns-compromise
security_incident: "true"
annotations:
summary: "POTENTIAL DNS HIJACK: {{ $labels.record_name }}"
description: |
DNS record {{ $labels.record_name }} ({{ $labels.record_type }}) in zone
{{ $labels.zone }} does not match expected value.
Expected: {{ $labels.expected_value }}
Actual: {{ $labels.actual_value }}
This may indicate DNS hijacking or unauthorized modification.
TREAT AS SECURITY INCIDENT until verified.
impact: "Traffic may be routed to unauthorized destinations"
runbook_url: "https://wiki.internal/playbooks/dns-compromise"
# ============================================
# CRITICAL - Critical DNS Record Missing
# ============================================
- alert: CriticalDNSRecordMissing
expr: cloudflare_dns_critical_record_exists == 0
for: 2m
labels:
severity: critical
component: dns
playbook: dns-compromise
annotations:
summary: "Critical DNS record missing: {{ $labels.record_name }}"
description: |
Critical DNS record {{ $labels.record_name }} ({{ $labels.record_type }})
is missing from zone {{ $labels.zone }}.
This record is marked as critical in the DNS manifest.
impact: "Service reachability may be affected"
runbook_url: "https://wiki.internal/playbooks/dns-compromise"
# ============================================
# WARNING - DNS Drift Detected
# ============================================
- alert: DNSDriftDetected
expr: cloudflare_dns_drift_count > 0
for: 5m
labels:
severity: warning
component: dns
annotations:
summary: "DNS drift detected in zone {{ $labels.zone }}"
description: |
{{ $value }} DNS records in zone {{ $labels.zone }} differ from
the expected baseline configuration.
Run state reconciler to identify specific changes.
runbook_url: "https://wiki.internal/playbooks/dns-compromise"
# ============================================
# WARNING - DNS Record TTL Mismatch
# ============================================
- alert: DNSTTLMismatch
expr: cloudflare_dns_ttl_mismatch == 1
for: 10m
labels:
severity: warning
component: dns
annotations:
summary: "DNS TTL mismatch: {{ $labels.record_name }}"
description: |
DNS record {{ $labels.record_name }} has unexpected TTL.
Expected: {{ $labels.expected_ttl }}s
Actual: {{ $labels.actual_ttl }}s
This may affect caching behavior and failover timing.
# ============================================
# WARNING - DNS Propagation Slow
# ============================================
- alert: DNSPropagationSlow
expr: cloudflare_dns_propagation_time_seconds > 300
for: 5m
labels:
severity: warning
component: dns
annotations:
summary: "Slow DNS propagation for {{ $labels.record_name }}"
description: |
DNS changes for {{ $labels.record_name }} are taking longer than
5 minutes to propagate.
Current propagation time: {{ $value | humanizeDuration }}
# ============================================
# CRITICAL - DNS Propagation Failed
# ============================================
- alert: DNSPropagationFailed
expr: cloudflare_dns_propagation_time_seconds > 900
for: 5m
labels:
severity: critical
component: dns
annotations:
summary: "DNS propagation failed for {{ $labels.record_name }}"
description: |
DNS changes for {{ $labels.record_name }} have not propagated
after 15 minutes. This may indicate a configuration issue.
# ============================================
# WARNING - Unexpected DNS Record
# ============================================
- alert: UnexpectedDNSRecord
expr: cloudflare_dns_unexpected_record == 1
for: 5m
labels:
severity: warning
component: dns
annotations:
summary: "Unexpected DNS record: {{ $labels.record_name }}"
description: |
DNS record {{ $labels.record_name }} ({{ $labels.record_type }}) exists
but is not defined in the DNS manifest.
This may be an unauthorized addition.
# ============================================
# INFO - DNS Record Added
# ============================================
- alert: DNSRecordAdded
expr: increase(cloudflare_dns_records_total[1h]) > 0
for: 0m
labels:
severity: info
component: dns
annotations:
summary: "DNS record added in zone {{ $labels.zone }}"
description: |
{{ $value }} new DNS record(s) detected in zone {{ $labels.zone }}
in the last hour. Verify this was authorized.
# ============================================
# INFO - DNS Record Removed
# ============================================
- alert: DNSRecordRemoved
expr: decrease(cloudflare_dns_records_total[1h]) > 0
for: 0m
labels:
severity: info
component: dns
annotations:
summary: "DNS record removed from zone {{ $labels.zone }}"
description: |
{{ $value }} DNS record(s) removed from zone {{ $labels.zone }}
in the last hour. Verify this was authorized.
# ============================================
# WARNING - DNSSEC Disabled
# ============================================
- alert: DNSSECDisabled
expr: cloudflare_zone_dnssec_enabled == 0
for: 5m
labels:
severity: warning
component: dns
annotations:
summary: "DNSSEC disabled for zone {{ $labels.zone }}"
description: |
DNSSEC is not enabled for zone {{ $labels.zone }}.
This reduces protection against DNS spoofing attacks.
# ============================================
# WARNING - Zone Transfer Enabled
# ============================================
- alert: ZoneTransferEnabled
expr: cloudflare_zone_axfr_enabled == 1
for: 5m
labels:
severity: warning
component: dns
annotations:
summary: "Zone transfer (AXFR) enabled for {{ $labels.zone }}"
description: |
Zone transfer is enabled for {{ $labels.zone }}.
This exposes DNS records to potential enumeration.
Disable unless explicitly required.
# ============================================
# CRITICAL - DNS Query Spike
# ============================================
- alert: DNSQuerySpike
expr: |
rate(cloudflare_dns_queries_total[5m])
> 3 * avg_over_time(rate(cloudflare_dns_queries_total[5m])[24h:5m])
for: 5m
labels:
severity: warning
component: dns
annotations:
summary: "DNS query spike for zone {{ $labels.zone }}"
description: |
DNS queries for zone {{ $labels.zone }} are 3x above the 24-hour average.
This may indicate a DDoS attack or misconfigured client.
# ============================================
# WARNING - High DNS Error Rate
# ============================================
- alert: HighDNSErrorRate
expr: |
rate(cloudflare_dns_errors_total[5m])
/ rate(cloudflare_dns_queries_total[5m]) > 0.01
for: 10m
labels:
severity: warning
component: dns
annotations:
summary: "High DNS error rate for zone {{ $labels.zone }}"
description: |
DNS error rate exceeds 1% for zone {{ $labels.zone }}.
Current error rate: {{ $value | humanizePercentage }}

284
observatory/prometheus/alerts/invariant-alerts.yml Normal file
View File

@@ -0,0 +1,284 @@
# Security Invariant Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
groups:
- name: invariant_alerts
interval: 60s
rules:
# ============================================
# CRITICAL - SSL Mode Downgrade
# ============================================
- alert: SSLModeDowngraded
expr: cloudflare_zone_ssl_mode != 1 # 1 = Full (Strict)
for: 2m
labels:
severity: critical
component: invariant
invariant_name: ssl_strict_mode
category: encryption
frameworks: "SOC2,PCI-DSS,ISO27001"
annotations:
summary: "SSL mode is not Full (Strict) for {{ $labels.zone }}"
description: |
Zone {{ $labels.zone }} SSL mode has been changed from Full (Strict).
Current mode: {{ $labels.ssl_mode }}
This weakens TLS security and may allow MITM attacks.
This is a compliance violation for multiple frameworks.
impact: "Reduced TLS security, potential MITM vulnerability"
runbook_url: "https://wiki.internal/invariants/ssl-mode"
# ============================================
# CRITICAL - Always Use HTTPS Disabled
# ============================================
- alert: HTTPSNotEnforced
expr: cloudflare_zone_always_use_https == 0
for: 2m
labels:
severity: critical
component: invariant
invariant_name: always_use_https
category: encryption
frameworks: "SOC2,PCI-DSS,HIPAA"
annotations:
summary: "Always Use HTTPS disabled for {{ $labels.zone }}"
description: |
Zone {{ $labels.zone }} allows HTTP traffic.
This may expose sensitive data in transit.
impact: "Data transmitted over unencrypted connections"
runbook_url: "https://wiki.internal/invariants/https-enforcement"
# ============================================
# CRITICAL - TLS Version Below Minimum
# ============================================
- alert: TLSVersionTooLow
expr: cloudflare_zone_min_tls_version < 1.2
for: 2m
labels:
severity: critical
component: invariant
invariant_name: min_tls_version
category: encryption
frameworks: "PCI-DSS,NIST"
annotations:
summary: "Minimum TLS version below 1.2 for {{ $labels.zone }}"
description: |
Zone {{ $labels.zone }} allows TLS versions below 1.2.
Current minimum: TLS {{ $labels.min_tls }}
TLS 1.0 and 1.1 have known vulnerabilities.
PCI-DSS requires TLS 1.2 minimum.
impact: "Vulnerable TLS versions allowed"
runbook_url: "https://wiki.internal/invariants/tls-version"
# ============================================
# WARNING - HSTS Not Enabled
# ============================================
- alert: HSTSNotEnabled
expr: cloudflare_zone_hsts_enabled == 0
for: 5m
labels:
severity: warning
component: invariant
invariant_name: hsts_enabled
category: encryption
frameworks: "SOC2,OWASP"
annotations:
summary: "HSTS not enabled for {{ $labels.zone }}"
description: |
HTTP Strict Transport Security is not enabled for {{ $labels.zone }}.
This allows SSL stripping attacks.
runbook_url: "https://wiki.internal/invariants/hsts"
# ============================================
# CRITICAL - Security Headers Missing
# ============================================
- alert: SecurityHeadersMissing
expr: cloudflare_zone_security_headers_score < 0.8
for: 5m
labels:
severity: warning
component: invariant
invariant_name: security_headers
category: headers
frameworks: "OWASP,SOC2"
annotations:
summary: "Security headers score below threshold for {{ $labels.zone }}"
description: |
Zone {{ $labels.zone }} security headers score: {{ $value }}
Expected minimum: 0.8
Missing headers may include: CSP, X-Frame-Options, X-Content-Type-Options
runbook_url: "https://wiki.internal/invariants/security-headers"
# ============================================
# CRITICAL - Origin IP Exposed
# ============================================
- alert: OriginIPExposed
expr: cloudflare_origin_ip_exposed == 1
for: 1m
labels:
severity: critical
component: invariant
invariant_name: origin_hidden
category: network
frameworks: "SOC2"
annotations:
summary: "Origin IP may be exposed for {{ $labels.zone }}"
description: |
DNS or headers may be exposing the origin server IP.
Exposed via: {{ $labels.exposure_method }}
Attackers can bypass Cloudflare protection by attacking origin directly.
impact: "Origin server exposed to direct attacks"
runbook_url: "https://wiki.internal/invariants/origin-protection"
# ============================================
# WARNING - Rate Limiting Not Configured
# ============================================
- alert: RateLimitingMissing
expr: cloudflare_zone_rate_limiting_rules == 0
for: 5m
labels:
severity: warning
component: invariant
invariant_name: rate_limiting
category: protection
frameworks: "SOC2,OWASP"
annotations:
summary: "No rate limiting rules for {{ $labels.zone }}"
description: |
Zone {{ $labels.zone }} has no rate limiting rules configured.
This leaves the zone vulnerable to brute force attacks.
runbook_url: "https://wiki.internal/invariants/rate-limiting"
# ============================================
# CRITICAL - Authenticated Origin Pulls Disabled
# ============================================
- alert: AuthenticatedOriginPullsDisabled
expr: cloudflare_zone_authenticated_origin_pulls == 0
for: 5m
labels:
severity: warning
component: invariant
invariant_name: aop_enabled
category: authentication
frameworks: "SOC2,Zero-Trust"
annotations:
summary: "Authenticated Origin Pulls disabled for {{ $labels.zone }}"
description: |
Authenticated Origin Pulls is not enabled for {{ $labels.zone }}.
Origin cannot verify requests come from Cloudflare.
runbook_url: "https://wiki.internal/invariants/authenticated-origin-pulls"
# ============================================
# WARNING - Bot Protection Disabled
# ============================================
- alert: BotProtectionDisabled
expr: cloudflare_zone_bot_management_enabled == 0
for: 5m
labels:
severity: warning
component: invariant
invariant_name: bot_management
category: protection
annotations:
summary: "Bot management disabled for {{ $labels.zone }}"
description: |
Bot management is not enabled for {{ $labels.zone }}.
Zone is vulnerable to automated attacks and scraping.
runbook_url: "https://wiki.internal/invariants/bot-management"
# ============================================
# CRITICAL - Access Policy Violation
# ============================================
- alert: AccessPolicyViolation
expr: cloudflare_access_policy_violations > 0
for: 1m
labels:
severity: critical
component: invariant
invariant_name: access_policy
category: access_control
frameworks: "SOC2,Zero-Trust,ISO27001"
annotations:
summary: "Access policy violations detected"
description: |
{{ $value }} access policy violations detected.
Policy: {{ $labels.policy_name }}
Review access logs for unauthorized access attempts.
impact: "Potential unauthorized access"
runbook_url: "https://wiki.internal/invariants/access-control"
# ============================================
# WARNING - Browser Integrity Check Disabled
# ============================================
- alert: BrowserIntegrityCheckDisabled
expr: cloudflare_zone_browser_integrity_check == 0
for: 5m
labels:
severity: warning
component: invariant
invariant_name: browser_integrity_check
category: protection
annotations:
summary: "Browser Integrity Check disabled for {{ $labels.zone }}"
description: |
Browser Integrity Check is disabled for {{ $labels.zone }}.
This allows requests with suspicious headers.
# ============================================
# WARNING - Email Obfuscation Disabled
# ============================================
- alert: EmailObfuscationDisabled
expr: cloudflare_zone_email_obfuscation == 0
for: 5m
labels:
severity: info
component: invariant
invariant_name: email_obfuscation
category: privacy
annotations:
summary: "Email obfuscation disabled for {{ $labels.zone }}"
description: |
Email obfuscation is disabled. Email addresses on pages
may be harvested by spam bots.
# ============================================
# CRITICAL - Development Mode Active
# ============================================
- alert: DevelopmentModeActive
expr: cloudflare_zone_development_mode == 1
for: 5m
labels:
severity: warning
component: invariant
invariant_name: development_mode
category: configuration
annotations:
summary: "Development mode active for {{ $labels.zone }}"
description: |
Development mode is active for {{ $labels.zone }}.
This bypasses Cloudflare's cache and should only be used temporarily.
Remember to disable after development is complete.
# ============================================
# CRITICAL - Invariant Check Failure
# ============================================
- alert: InvariantCheckFailed
expr: cloudflare_invariant_check_status == 0
for: 5m
labels:
severity: critical
component: invariant
category: monitoring
annotations:
summary: "Invariant checker is failing"
description: |
The invariant checker script is not running successfully.
Last success: {{ $labels.last_success }}
Error: {{ $labels.error_message }}
Security invariants are not being monitored.
runbook_url: "https://wiki.internal/invariants/checker-troubleshooting"

257
observatory/prometheus/alerts/proofchain-alerts.yml Normal file
View File

@@ -0,0 +1,257 @@
# Proofchain Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
groups:
- name: proofchain_alerts
interval: 60s
rules:
# ============================================
# CRITICAL - Chain Integrity Failure
# ============================================
- alert: ProofchainIntegrityFailure
expr: cloudflare_proofchain_integrity_valid == 0
for: 1m
labels:
severity: critical
component: proofchain
security_incident: "true"
annotations:
summary: "CRITICAL: Proofchain integrity verification FAILED"
description: |
Proofchain {{ $labels.chain_name }} has failed integrity verification.
Last valid hash: {{ $labels.last_valid_hash }}
Expected hash: {{ $labels.expected_hash }}
Computed hash: {{ $labels.computed_hash }}
This indicates potential:
- Ledger tampering
- Receipt corruption
- Chain fork
IMMEDIATELY HALT new receipt generation until resolved.
impact: "Audit trail integrity compromised"
runbook_url: "https://wiki.internal/playbooks/proofchain-incident"
# ============================================
# CRITICAL - Receipt Hash Mismatch
# ============================================
- alert: ReceiptHashMismatch
expr: cloudflare_receipt_hash_valid == 0
for: 1m
labels:
severity: critical
component: proofchain
security_incident: "true"
annotations:
summary: "Receipt hash mismatch detected"
description: |
Receipt {{ $labels.receipt_id }} ({{ $labels.receipt_type }})
hash does not match stored value.
This receipt may have been modified after creation.
Investigate for potential tampering.
runbook_url: "https://wiki.internal/playbooks/proofchain-incident"
# ============================================
# CRITICAL - Anchor Missing
# ============================================
- alert: ProofchainAnchorMissing
expr: cloudflare_proofchain_anchor_age_hours > 24
for: 1h
labels:
severity: critical
component: proofchain
annotations:
summary: "Proofchain anchor overdue"
description: |
No proofchain anchor has been created in {{ $value | humanize }} hours.
Anchors should be created at least daily.
This weakens the audit trail's immutability guarantees.
runbook_url: "https://wiki.internal/playbooks/proofchain-maintenance"
# ============================================
# WARNING - Receipt Generation Failed
# ============================================
- alert: ReceiptGenerationFailed
expr: increase(cloudflare_receipt_generation_failures_total[1h]) > 0
for: 5m
labels:
severity: warning
component: proofchain
annotations:
summary: "Receipt generation failures detected"
description: |
{{ $value }} receipt generation failures in the last hour.
Receipt type: {{ $labels.receipt_type }}
Error: {{ $labels.error_type }}
Operations are proceeding but not being properly logged.
# ============================================
# WARNING - Chain Growth Stalled
# ============================================
- alert: ProofchainGrowthStalled
expr: increase(cloudflare_proofchain_receipts_total[6h]) == 0
for: 6h
labels:
severity: warning
component: proofchain
annotations:
summary: "No new receipts in 6 hours"
description: |
Proofchain {{ $labels.chain_name }} has not received new receipts
in 6 hours. This may indicate:
- Receipt generation failure
- System not operational
- Configuration issue
Verify receipt generation is working.
# ============================================
# WARNING - Chain Drift from Root
# ============================================
- alert: ProofchainDrift
expr: cloudflare_proofchain_drift_receipts > 100
for: 1h
labels:
severity: warning
component: proofchain
annotations:
summary: "Proofchain has {{ $value }} unanchored receipts"
description: |
Chain {{ $labels.chain_name }} has {{ $value }} receipts since
the last anchor. Consider creating a new anchor to checkpoint
the current state.
# ============================================
# INFO - Anchor Created
# ============================================
- alert: ProofchainAnchorCreated
expr: changes(cloudflare_proofchain_anchor_count[1h]) > 0
for: 0m
labels:
severity: info
component: proofchain
annotations:
summary: "New proofchain anchor created"
description: |
A new anchor has been created for chain {{ $labels.chain_name }}.
Anchor hash: {{ $labels.anchor_hash }}
Receipts anchored: {{ $labels.receipts_anchored }}
# ============================================
# WARNING - Frontier Corruption
# ============================================
- alert: ProofchainFrontierCorrupt
expr: cloudflare_proofchain_frontier_valid == 0
for: 1m
labels:
severity: critical
component: proofchain
annotations:
summary: "Proofchain frontier is corrupt"
description: |
The frontier (latest state) of chain {{ $labels.chain_name }}
cannot be verified. The chain may be in an inconsistent state.
Do not append new receipts until this is resolved.
runbook_url: "https://wiki.internal/playbooks/proofchain-incident"
# ============================================
# WARNING - Receipt Backlog
# ============================================
- alert: ReceiptBacklog
expr: cloudflare_receipt_queue_depth > 100
for: 10m
labels:
severity: warning
component: proofchain
annotations:
summary: "Receipt generation backlog"
description: |
{{ $value }} receipts waiting to be written.
This may indicate performance issues or blocked writes.
# ============================================
# CRITICAL - Receipt Queue Overflow
# ============================================
- alert: ReceiptQueueOverflow
expr: cloudflare_receipt_queue_depth > 1000
for: 5m
labels:
severity: critical
component: proofchain
annotations:
summary: "Receipt queue overflow imminent"
description: |
{{ $value }} receipts in queue. Queue may overflow.
Some operational events may not be recorded.
Investigate and resolve immediately.
# ============================================
# WARNING - Receipt Write Latency High
# ============================================
- alert: ReceiptWriteLatencyHigh
expr: cloudflare_receipt_write_duration_seconds > 5
for: 5m
labels:
severity: warning
component: proofchain
annotations:
summary: "High receipt write latency"
description: |
Receipt write operations taking {{ $value | humanize }}s.
This may cause backlog buildup.
Check storage performance.
# ============================================
# CRITICAL - Storage Near Capacity
# ============================================
- alert: ProofchainStorageNearFull
expr: cloudflare_proofchain_storage_used_bytes / cloudflare_proofchain_storage_total_bytes > 0.9
for: 1h
labels:
severity: critical
component: proofchain
annotations:
summary: "Proofchain storage >90% full"
description: |
Proofchain storage is {{ $value | humanizePercentage }} full.
Expand storage or archive old receipts immediately.
# ============================================
# WARNING - Cross-Ledger Verification Failed
# ============================================
- alert: CrossLedgerVerificationFailed
expr: cloudflare_proofchain_cross_verification_valid == 0
for: 5m
labels:
severity: warning
component: proofchain
annotations:
summary: "Cross-ledger verification failed"
description: |
Verification between {{ $labels.chain_a }} and {{ $labels.chain_b }}
has failed. The ledgers may have diverged.
Investigate the root cause before proceeding.
# ============================================
# INFO - Receipt Type Distribution Anomaly
# ============================================
- alert: ReceiptDistributionAnomaly
expr: |
(rate(cloudflare_receipts_by_type_total{type="anomaly"}[1h])
/ rate(cloudflare_receipts_by_type_total[1h])) > 0.5
for: 1h
labels:
severity: info
component: proofchain
annotations:
summary: "High proportion of anomaly receipts"
description: |
More than 50% of recent receipts are anomaly type.
This may indicate systemic issues being logged.
Review recent anomaly receipts for patterns.

210
observatory/prometheus/alerts/tunnel-alerts.yml Normal file
View File

@@ -0,0 +1,210 @@
# Tunnel Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
groups:
- name: tunnel_alerts
interval: 30s
rules:
# ============================================
# CRITICAL - Tunnel Down
# ============================================
- alert: TunnelDown
expr: cloudflare_tunnel_status == 0
for: 2m
labels:
severity: critical
component: tunnel
playbook: tunnel-rotation
annotations:
summary: "Cloudflare Tunnel {{ $labels.tunnel_name }} is DOWN"
description: |
Tunnel {{ $labels.tunnel_name }} (ID: {{ $labels.tunnel_id }}) has been
unreachable for more than 2 minutes. Services behind this tunnel are
likely unreachable.
impact: "Services behind tunnel are unreachable from the internet"
runbook_url: "https://wiki.internal/playbooks/tunnel-rotation"
# ============================================
# CRITICAL - All Tunnels Down
# ============================================
- alert: AllTunnelsDown
expr: count(cloudflare_tunnel_status == 1) == 0
for: 1m
labels:
severity: critical
component: tunnel
playbook: tunnel-rotation
annotations:
summary: "ALL Cloudflare Tunnels are DOWN"
description: |
No healthy tunnels detected. Complete loss of tunnel connectivity.
This is a P0 incident requiring immediate attention.
impact: "Complete loss of external connectivity via tunnels"
runbook_url: "https://wiki.internal/playbooks/tunnel-rotation"
# ============================================
# WARNING - Tunnel Degraded
# ============================================
- alert: TunnelDegraded
expr: cloudflare_tunnel_connections < 2
for: 5m
labels:
severity: warning
component: tunnel
annotations:
summary: "Tunnel {{ $labels.tunnel_name }} has reduced connections"
description: |
Tunnel {{ $labels.tunnel_name }} has fewer than 2 active connections.
This may indicate network issues or cloudflared problems.
runbook_url: "https://wiki.internal/playbooks/tunnel-rotation"
# ============================================
# WARNING - Tunnel Rotation Due
# ============================================
- alert: TunnelRotationDue
expr: (time() - cloudflare_tunnel_created_timestamp) > (86400 * 30)
for: 1h
labels:
severity: warning
component: tunnel
playbook: tunnel-rotation
annotations:
summary: "Tunnel {{ $labels.tunnel_name }} rotation is due"
description: |
Tunnel {{ $labels.tunnel_name }} was created more than 30 days ago.
Per security policy, tunnels should be rotated monthly.
Age: {{ $value | humanizeDuration }}
runbook_url: "https://wiki.internal/playbooks/tunnel-rotation"
# ============================================
# CRITICAL - Tunnel Rotation Overdue
# ============================================
- alert: TunnelRotationOverdue
expr: (time() - cloudflare_tunnel_created_timestamp) > (86400 * 45)
for: 1h
labels:
severity: critical
component: tunnel
playbook: tunnel-rotation
annotations:
summary: "Tunnel {{ $labels.tunnel_name }} rotation is OVERDUE"
description: |
Tunnel {{ $labels.tunnel_name }} is more than 45 days old.
This exceeds the maximum rotation interval and represents a
security policy violation.
Age: {{ $value | humanizeDuration }}
runbook_url: "https://wiki.internal/playbooks/tunnel-rotation"
# ============================================
# WARNING - Tunnel High Latency
# ============================================
- alert: TunnelHighLatency
expr: cloudflare_tunnel_latency_ms > 500
for: 5m
labels:
severity: warning
component: tunnel
annotations:
summary: "High latency on tunnel {{ $labels.tunnel_name }}"
description: |
Tunnel {{ $labels.tunnel_name }} is experiencing latency above 500ms.
Current latency: {{ $value }}ms
This may impact user experience.
# ============================================
# CRITICAL - Tunnel Very High Latency
# ============================================
- alert: TunnelVeryHighLatency
expr: cloudflare_tunnel_latency_ms > 2000
for: 2m
labels:
severity: critical
component: tunnel
annotations:
summary: "Critical latency on tunnel {{ $labels.tunnel_name }}"
description: |
Tunnel {{ $labels.tunnel_name }} latency exceeds 2000ms.
Current latency: {{ $value }}ms
Services may be timing out.
# ============================================
# WARNING - Tunnel Error Rate High
# ============================================
- alert: TunnelHighErrorRate
expr: |
rate(cloudflare_tunnel_errors_total[5m])
/ rate(cloudflare_tunnel_requests_total[5m]) > 0.05
for: 5m
labels:
severity: warning
component: tunnel
annotations:
summary: "High error rate on tunnel {{ $labels.tunnel_name }}"
description: |
Tunnel {{ $labels.tunnel_name }} error rate exceeds 5%.
Current error rate: {{ $value | humanizePercentage }}
# ============================================
# CRITICAL - Tunnel Error Rate Critical
# ============================================
- alert: TunnelCriticalErrorRate
expr: |
rate(cloudflare_tunnel_errors_total[5m])
/ rate(cloudflare_tunnel_requests_total[5m]) > 0.20
for: 2m
labels:
severity: critical
component: tunnel
annotations:
summary: "Critical error rate on tunnel {{ $labels.tunnel_name }}"
description: |
Tunnel {{ $labels.tunnel_name }} error rate exceeds 20%.
Current error rate: {{ $value | humanizePercentage }}
This indicates severe connectivity issues.
# ============================================
# INFO - Tunnel Configuration Changed
# ============================================
- alert: TunnelConfigChanged
expr: changes(cloudflare_tunnel_config_hash[1h]) > 0
for: 0m
labels:
severity: info
component: tunnel
annotations:
summary: "Tunnel {{ $labels.tunnel_name }} configuration changed"
description: |
The configuration for tunnel {{ $labels.tunnel_name }} has changed
in the last hour. Verify this was an authorized change.
# ============================================
# WARNING - Cloudflared Version Outdated
# ============================================
- alert: CloudflaredOutdated
expr: cloudflare_cloudflared_version_age_days > 90
for: 24h
labels:
severity: warning
component: tunnel
annotations:
summary: "cloudflared version is outdated"
description: |
The cloudflared binary is more than 90 days old.
Current version age: {{ $value }} days
Consider upgrading to latest version for security patches.
# ============================================
# WARNING - Tunnel Connection Flapping
# ============================================
- alert: TunnelConnectionFlapping
expr: changes(cloudflare_tunnel_status[10m]) > 3
for: 10m
labels:
severity: warning
component: tunnel
annotations:
summary: "Tunnel {{ $labels.tunnel_name }} is flapping"
description: |
Tunnel {{ $labels.tunnel_name }} has changed state {{ $value }} times
in the last 10 minutes. This indicates instability.
Check network connectivity and cloudflared logs.

266
observatory/prometheus/alerts/waf-alerts.yml Normal file
View File

@@ -0,0 +1,266 @@
# WAF Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
groups:
- name: waf_alerts
interval: 30s
rules:
# ============================================
# CRITICAL - Massive Attack Detected
# ============================================
- alert: WAFMassiveAttack
expr: |
rate(cloudflare_waf_blocked_requests_total[5m]) > 1000
for: 2m
labels:
severity: critical
component: waf
playbook: waf-incident
annotations:
summary: "Massive attack detected - {{ $value | humanize }} blocks/sec"
description: |
WAF is blocking more than 1000 requests per second.
This indicates a significant attack in progress.
Consider enabling Under Attack Mode if not already active.
impact: "Potential service degradation under attack load"
current_mitigation: "WAF blocking enabled"
runbook_url: "https://wiki.internal/playbooks/waf-incident"
# ============================================
# CRITICAL - WAF Rule Bypass Detected
# ============================================
- alert: WAFRuleBypass
expr: cloudflare_waf_bypass_detected == 1
for: 1m
labels:
severity: critical
component: waf
playbook: waf-incident
security_incident: "true"
annotations:
summary: "WAF rule bypass detected for rule {{ $labels.rule_id }}"
description: |
Malicious traffic matching known attack patterns has bypassed
WAF rule {{ $labels.rule_id }}.
Attack type: {{ $labels.attack_type }}
Bypassed requests: {{ $labels.bypass_count }}
Review and tighten rule immediately.
runbook_url: "https://wiki.internal/playbooks/waf-incident"
# ============================================
# WARNING - Attack Spike
# ============================================
- alert: WAFAttackSpike
expr: |
rate(cloudflare_waf_blocked_requests_total[5m])
> 5 * avg_over_time(rate(cloudflare_waf_blocked_requests_total[5m])[24h:5m])
for: 5m
labels:
severity: warning
component: waf
annotations:
summary: "WAF block rate 5x above normal"
description: |
WAF is blocking significantly more requests than the 24-hour average.
Current rate: {{ $value | humanize }}/s
This may indicate an attack or new attack pattern.
# ============================================
# WARNING - SQL Injection Attempts
# ============================================
- alert: WAFSQLiAttack
expr: rate(cloudflare_waf_sqli_blocks_total[5m]) > 10
for: 2m
labels:
severity: warning
component: waf
attack_type: sqli
annotations:
summary: "SQL injection attack detected"
description: |
WAF is blocking SQL injection attempts at {{ $value | humanize }}/s.
Source IPs may need to be blocked at firewall level.
# ============================================
# WARNING - XSS Attempts
# ============================================
- alert: WAFXSSAttack
expr: rate(cloudflare_waf_xss_blocks_total[5m]) > 10
for: 2m
labels:
severity: warning
component: waf
attack_type: xss
annotations:
summary: "XSS attack detected"
description: |
WAF is blocking cross-site scripting attempts at {{ $value | humanize }}/s.
Review application input validation.
# ============================================
# WARNING - Bot Attack
# ============================================
- alert: WAFBotAttack
expr: rate(cloudflare_waf_bot_blocks_total[5m]) > 100
for: 5m
labels:
severity: warning
component: waf
attack_type: bot
annotations:
summary: "High bot traffic detected"
description: |
WAF is blocking bot traffic at {{ $value | humanize }}/s.
Consider enabling Bot Fight Mode or stricter challenges.
# ============================================
# CRITICAL - Rate Limit Exhaustion
# ============================================
- alert: WAFRateLimitExhausted
expr: cloudflare_waf_rate_limit_triggered == 1
for: 1m
labels:
severity: critical
component: waf
annotations:
summary: "Rate limit triggered for {{ $labels.rule_name }}"
description: |
Rate limiting rule {{ $labels.rule_name }} has been triggered.
Source: {{ $labels.source_ip }}
Requests blocked: {{ $labels.blocked_count }}
Legitimate users may be affected.
# ============================================
# WARNING - WAF Rule Disabled
# ============================================
- alert: WAFRuleDisabled
expr: cloudflare_waf_rule_enabled == 0
for: 5m
labels:
severity: warning
component: waf
annotations:
summary: "WAF rule {{ $labels.rule_id }} is disabled"
description: |
WAF rule {{ $labels.rule_id }} ({{ $labels.rule_name }}) is currently disabled.
Verify this is intentional and not a misconfiguration.
# ============================================
# WARNING - WAF Mode Changed
# ============================================
- alert: WAFModeChanged
expr: changes(cloudflare_waf_mode[1h]) > 0
for: 0m
labels:
severity: warning
component: waf
annotations:
summary: "WAF mode changed for zone {{ $labels.zone }}"
description: |
WAF operation mode has changed in the last hour.
New mode: {{ $labels.mode }}
Verify this was an authorized change.
# ============================================
# INFO - Under Attack Mode Active
# ============================================
- alert: UnderAttackModeActive
expr: cloudflare_zone_under_attack == 1
for: 0m
labels:
severity: info
component: waf
annotations:
summary: "Under Attack Mode is ACTIVE for {{ $labels.zone }}"
description: |
Under Attack Mode is currently enabled for zone {{ $labels.zone }}.
This adds a JavaScript challenge to all visitors.
Remember to disable when attack subsides.
# ============================================
# WARNING - Under Attack Mode Extended
# ============================================
- alert: UnderAttackModeExtended
expr: cloudflare_zone_under_attack == 1
for: 2h
labels:
severity: warning
component: waf
annotations:
summary: "Under Attack Mode active for 2+ hours"
description: |
Under Attack Mode has been active for {{ $labels.zone }} for more
than 2 hours. Verify it's still needed as it impacts user experience.
# ============================================
# CRITICAL - WAF Completely Disabled
# ============================================
- alert: WAFDisabled
expr: cloudflare_waf_enabled == 0
for: 5m
labels:
severity: critical
component: waf
annotations:
summary: "WAF is DISABLED for zone {{ $labels.zone }}"
description: |
The Web Application Firewall is completely disabled for {{ $labels.zone }}.
This leaves the zone unprotected against application-layer attacks.
Enable immediately unless there's a documented exception.
# ============================================
# WARNING - Low WAF Efficacy
# ============================================
- alert: WAFLowEfficacy
expr: |
cloudflare_waf_blocked_requests_total
/ cloudflare_waf_analyzed_requests_total < 0.001
for: 1h
labels:
severity: info
component: waf
annotations:
summary: "Low WAF block rate for {{ $labels.zone }}"
description: |
WAF is blocking very few requests (< 0.1%).
This might indicate rules are too permissive or
the zone is not receiving attack traffic.
# ============================================
# WARNING - Firewall Rule Missing
# ============================================
- alert: FirewallRuleMissing
expr: cloudflare_firewall_critical_rule_exists == 0
for: 5m
labels:
severity: warning
component: waf
annotations:
summary: "Critical firewall rule missing: {{ $labels.rule_name }}"
description: |
Expected firewall rule {{ $labels.rule_name }} is not configured.
This rule is marked as critical in the WAF baseline.
# ============================================
# WARNING - High False Positive Rate
# ============================================
- alert: WAFHighFalsePositives
expr: |
rate(cloudflare_waf_false_positives_total[1h])
/ rate(cloudflare_waf_blocked_requests_total[1h]) > 0.1
for: 1h
labels:
severity: warning
component: waf
annotations:
summary: "High WAF false positive rate"
description: |
WAF false positive rate exceeds 10%.
Current rate: {{ $value | humanizePercentage }}
Review and tune rules to reduce legitimate traffic blocking.

167
opencode.jsonc Normal file
View File

@@ -0,0 +1,167 @@
{
"$schema": "https://opencode.ai/config.json",
"mcp": {
// Popular open-source MCP servers
// File system operations
"filesystem": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-filesystem"],
"environment": {
"HOME": "{env:HOME}"
},
"enabled": true
},
// Git operations
"git": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-git"],
"enabled": true
},
// GitHub integration
"github": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-github"],
"environment": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "{env:GITHUB_TOKEN}"
},
"enabled": true
},
// Postgres database
"postgres": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-postgres"],
"environment": {
"DATABASE_URL": "{env:DATABASE_URL}"
},
"enabled": false
},
// SQLite database
"sqlite": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-sqlite"],
"enabled": false
},
// Docker integration
"docker": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-docker"],
"enabled": false
},
// Web scraping
"web-scraper": {
"type": "local",
"command": ["npx", "-y", "web-scraper-mcp"],
"enabled": false
},
// Google Maps integration
"googlemaps": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-google-maps"],
"environment": {
"GOOGLE_MAPS_API_KEY": "{env:GOOGLE_MAPS_API_KEY}"
},
"enabled": false
},
// Slack integration
"slack": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-slack"],
"environment": {
"SLACK_BOT_TOKEN": "{env:SLACK_BOT_TOKEN}"
},
"enabled": false
},
// Memory/knowledge base
"memory": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-memory"],
"enabled": false
},
// AWS integration
"aws": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-aws"],
"environment": {
"AWS_ACCESS_KEY_ID": "{env:AWS_ACCESS_KEY_ID}",
"AWS_SECRET_ACCESS_KEY": "{env:AWS_SECRET_ACCESS_KEY}",
"AWS_REGION": "{env:AWS_REGION}"
},
"enabled": false
},
// Linear integration
"linear": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-linear"],
"environment": {
"LINEAR_API_KEY": "{env:LINEAR_API_KEY}"
},
"enabled": false
},
// Knowledge search via Context7
"context7": {
"type": "remote",
"url": "https://mcp.context7.com/mcp",
"headers": {
"CONTEXT7_API_KEY": "{env:CONTEXT7_API_KEY}"
},
"enabled": false
},
// GitHub code search via Grep
"gh_grep": {
"type": "remote",
"url": "https://mcp.grep.app",
"enabled": true
},
// WAF intelligence orchestrator
"waf_intel": {
"type": "local",
"command": ["python3", "waf_intel_mcp.py"],
"enabled": true,
"timeout": 300000
},
// GitLab integration
"gitlab": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-gitlab"],
"environment": {
"GITLAB_TOKEN": "{env:GITLAB_TOKEN}",
"GITLAB_URL": "{env:GITLAB_URL:https://gitlab.com}"
},
"enabled": false
},
// Cloudflare API integration
"cloudflare": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-cloudflare"],
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID}"
},
"enabled": false
},
// Test server (remove in production)
"test_everything": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-everything"],
"enabled": false
}
}
}

228
opencode.jsonc.backup Normal file
View File

@@ -0,0 +1,228 @@
{
"$schema": "https://opencode.ai/config.json",
"mcp": {
// Popular open-source MCP servers
// File system operations
"filesystem": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-filesystem"],
"environment": {
"HOME": "{env:HOME}"
},
"enabled": true
},
// Git operations
"git": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-git"],
"enabled": true
},
// GitHub integration
"github": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-github"],
"environment": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "{env:GITHUB_TOKEN}"
},
"enabled": true
},
// Postgres database
"postgres": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-postgres"],
"environment": {
"DATABASE_URL": "{env:DATABASE_URL}"
},
"enabled": false
},
// SQLite database
"sqlite": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-sqlite"],
"enabled": false
},
// Docker integration
"docker": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-docker"],
"enabled": false
},
// Web scraping
"web-scraper": {
"type": "local",
"command": ["npx", "-y", "web-scraper-mcp"],
"enabled": false
},
// Google Maps integration
"googlemaps": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-google-maps"],
"environment": {
"GOOGLE_MAPS_API_KEY": "{env:GOOGLE_MAPS_API_KEY}"
},
"enabled": false
},
// Slack integration
"slack": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-slack"],
"environment": {
"SLACK_BOT_TOKEN": "{env:SLACK_BOT_TOKEN}"
},
"enabled": false
},
// Memory/knowledge base
"memory": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-memory"],
"enabled": false
},
// AWS integration
"aws": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-aws"],
"environment": {
"AWS_ACCESS_KEY_ID": "{env:AWS_ACCESS_KEY_ID}",
"AWS_SECRET_ACCESS_KEY": "{env:AWS_SECRET_ACCESS_KEY}",
"AWS_REGION": "{env:AWS_REGION}"
},
"enabled": false
},
// Linear integration
"linear": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-linear"],
"environment": {
"LINEAR_API_KEY": "{env:LINEAR_API_KEY}"
},
"enabled": false
},
// Knowledge search via Context7
"context7": {
"type": "remote",
"url": "https://mcp.context7.com/mcp",
"headers": {
"CONTEXT7_API_KEY": "{env:CONTEXT7_API_KEY}"
},
"enabled": false
},
// GitHub code search via Grep
"gh_grep": {
"type": "remote",
"url": "https://mcp.grep.app",
"enabled": true
},
// WAF intelligence orchestrator
"waf_intel": {
"type": "local",
"command": ["python3", "waf_intel_mcp.py"],
"enabled": true,
"timeout": 300000
},
// GitLab integration
"gitlab": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-gitlab"],
"environment": {
"GITLAB_TOKEN": "{env:GITLAB_TOKEN}",
"GITLAB_URL": "{env:GITLAB_URL:https://gitlab.com}"
},
"enabled": false
},
// Cloudflare API integration
"cloudflare": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-cloudflare"],
"environment": {
"CLOUDFLARE_API_TOKEN": "{env:CLOUDFLARE_API_TOKEN}",
"CLOUDFLARE_ACCOUNT_ID": "{env:CLOUDFLARE_ACCOUNT_ID}"
},
"enabled": false
},
// Test server (remove in production)
"test_everything": {
"type": "local",
"command": ["npx", "-y", "@modelcontextprotocol/server-everything"],
"enabled": false
}
},
// Disable certain MCPs globally but enable per-agent if needed
"tools": {
// Only enable essential MCPs by default
"postgres": false,
"sqlite": false,
"docker": false,
"aws": false,
"slack": false,
"memory": false,
"googlemaps": false,
"linear": false,
"web-scraper": false,
"gitlab": false,
"cloudflare": false
},
// Agent-specific configurations
"agents": {
"cloudflare-ops": {
"description": "Manages Cloudflare infrastructure and GitOps",
"tools": {
"filesystem": true,
"git": true,
"github": true,
"gitlab": true,
"cloudflare": true,
"gh_grep": true,
"context7": false
}
},
"security-audit": {
"description": "Performs security analysis and compliance checks",
"tools": {
"filesystem": true,
"git": true,
"github": true,
"gitlab": true,
"cloudflare": true,
"gh_grep": true,
"waf_intel": true
}
},
"data-engineer": {
"description": "Works with databases and data processing",
"tools": {
"filesystem": true,
"git": true,
"gitlab": true,
"postgres": true,
"sqlite": true
}
}
},
"rules": [
"When working with Terraform and Cloudflare, use git to track changes and gh_grep to find examples",
"Always check GitHub for similar implementations before creating new ones",
"Use filesystem operations to examine project structure before making changes",
"When asked about compliance, use context7 to search documentation"
]
}

37
oracle_answer_mcp.py Executable file
View File

@@ -0,0 +1,37 @@
"""
DEPRECATED: Use mcp.oracle_answer instead
This file is kept for backward compatibility only.
New code should use: from mcp.oracle_answer import OracleAnswerTool, ToolResponse
For CLI usage:
python3 -m mcp.oracle_answer.cli --question "Your question"
Migration path:
1. Import from mcp.oracle_answer instead of this file
2. Use the new async API (await tool.answer(...))
3. Delete this file once all code is migrated
See STRUCTURE.md for the new architecture.
"""
import sys
import warnings
warnings.warn(
"oracle_answer_mcp.py is deprecated. "
"Use 'from mcp.oracle_answer import OracleAnswerTool' instead.",
DeprecationWarning,
stacklevel=2,
)
# For backward compatibility, re-export from new location
try:
from mcp.oracle_answer import OracleAnswerTool, ToolResponse
__all__ = ["OracleAnswerTool", "ToolResponse"]
except ImportError as e:
print(f"Error: Could not import from mcp.oracle_answer: {e}", file=sys.stderr)
print("Did you rename/move the file? Use the new structure:", file=sys.stderr)
print(" CLOUDFLARE/mcp/oracle_answer/__init__.py", file=sys.stderr)
sys.exit(1)

422
oracle_runner.py Executable file
View File

@@ -0,0 +1,422 @@
#!/usr/bin/env python3
"""
COMPLIANCE ORACLE RUNNER
v0.4.0 - Production Ready
End-to-end compliance oracle that:
1. Searches documentation for answers
2. Builds context from multiple frameworks
3. Queries LLM for oracle answers
4. Validates answers with typing
5. Emits receipt with sha256 hash
6. Logs to compliance ledger
Usage:
python3 oracle_runner.py "What are our incident response obligations under NIS2?"
python3 oracle_runner.py "Are we compliant with GDPR Article 33?"
python3 oracle_runner.py "Summarize WAF rules for PCI-DSS" --frameworks pci-dss,gdpr
"""
import json
import sys
import os
import hashlib
import datetime
from pathlib import Path
from typing import Optional, List, Dict, Any
from dataclasses import dataclass, asdict, field
from enum import Enum
import re
class ComplianceFramework(str, Enum):
"""Supported compliance frameworks"""
PCI_DSS = "pci-dss"
GDPR = "gdpr"
NIS2 = "nis2"
AI_ACT = "ai-act"
SOC2 = "soc2"
ISO27001 = "iso27001"
HIPAA = "hipaa"
ALL = "all"
@dataclass
class Citation:
"""Single citation to a document"""
document_id: str
filename: str
framework: str
snippet: str
relevance_score: float = 0.85
@dataclass
class ComplianceGap:
"""Identified gap in compliance"""
framework: str
requirement: str
current_state: str
gap_description: str
remediation: Optional[str] = None
@dataclass
class OracleAnswer:
"""Core oracle answer schema (v0.4.0)"""
question: str
answer: str
frameworks: List[str]
citations: List[Citation]
gaps: List[ComplianceGap]
insufficient_context: bool = False
confidence_level: str = "high" # high, medium, low
compliance_flags: Dict[str, str] = field(default_factory=dict)
def to_json(self) -> str:
"""Serialize to JSON (for hashing)"""
data = asdict(self)
data["citations"] = [asdict(c) for c in self.citations]
data["gaps"] = [asdict(g) for g in self.gaps]
return json.dumps(data, sort_keys=True, separators=(",", ":"))
@dataclass
class OracleReceipt:
"""Receipt for oracle answer (v0.4.0)"""
timestamp: str
oracle_answer: str # The full JSON answer
answer_hash: str # SHA256 hash of answer
hash_algorithm: str = "sha256"
version: str = "v0.4.0"
def to_json(self) -> str:
"""Serialize to JSON"""
return json.dumps(asdict(self), indent=2)
class OracleRunner:
"""End-to-end compliance oracle"""
def __init__(self, base_path: str = "/Users/sovereign/Desktop/CLOUDFLARE"):
self.base_path = Path(base_path)
self.docs_path = self.base_path
self.compliance_ledger = self.base_path / "COMPLIANCE_LEDGER.jsonl"
# Framework → filename mappings
self.framework_docs: Dict[str, List[str]] = {
"pci-dss": [
"cloudflare_waf_baseline.md",
"WEB-INFRA-SECURITY-PATTERNS.md",
],
"gdpr": [
"zero_trust_architecture.md",
"WEB-INFRA-SECURITY-PATTERNS.md",
"cloudflare_dns_manifest.md",
],
"nis2": [
"TUNNEL-HARDENING.md",
"WEB-INFRA-SECURITY-PATTERNS.md",
],
"ai-act": [
"zero_trust_architecture.md",
"WEB-INFRA-SECURITY-PATTERNS.md",
],
}
def search_documents(
self, question: str, frameworks: Optional[List[str]] = None, max_docs: int = 5
) -> List[Citation]:
"""
Search documentation for relevant content.
Returns list of citations.
"""
citations: List[Citation] = []
# Default to all frameworks
if frameworks is None:
frameworks = ["pci-dss", "gdpr", "nis2"]
# Search each framework's documents
for framework in frameworks:
docs = self.framework_docs.get(framework, [])
for doc_filename in docs:
doc_path = self.docs_path / doc_filename
if not doc_path.exists():
continue
try:
with open(doc_path, "r") as f:
content = f.read()
# Simple keyword matching for relevance
question_words = set(re.findall(r"\b\w+\b", question.lower()))
content_lower = content.lower()
matches = sum(1 for word in question_words if word in content_lower)
relevance = min(1.0, matches / max(1, len(question_words)))
if relevance > 0.2: # Threshold
# Extract snippet
snippet = self._extract_snippet(content, question_words)
citation = Citation(
document_id=doc_filename.replace(".md", ""),
filename=doc_filename,
framework=framework,
snippet=snippet,
relevance_score=relevance,
)
citations.append(citation)
except Exception as e:
print(
f"Warning: Error reading {doc_filename}: {e}", file=sys.stderr
)
# Sort by relevance and limit
citations.sort(key=lambda c: c.relevance_score, reverse=True)
return citations[:max_docs]
def _extract_snippet(
self, content: str, keywords: set, snippet_len: int = 200
) -> str:
"""Extract a relevant snippet from content"""
lines = content.split("\n")
for i, line in enumerate(lines):
if any(keyword in line.lower() for keyword in keywords):
start = max(0, i - 2)
end = min(len(lines), i + 3)
snippet = "\n".join(lines[start:end])
return snippet[:snippet_len] + (
"..." if len(snippet) > snippet_len else ""
)
return content[:snippet_len] + ("..." if len(content) > snippet_len else "")
def validate_oracle_answer(self, answer: OracleAnswer) -> bool:
"""Validate oracle answer structure and content"""
# Check required fields
if not answer.question or not answer.answer:
return False
# Check frameworks
if not answer.frameworks or len(answer.frameworks) == 0:
return False
# Check citations exist
if not answer.citations:
answer.insufficient_context = True
# Validate compliance flags make sense
for framework in answer.frameworks:
if framework not in answer.compliance_flags:
answer.compliance_flags[framework] = "unknown"
return True
def emit_oracle_receipt(self, answer: OracleAnswer) -> OracleReceipt:
"""
Emit a receipt with SHA256 hash for oracle answer.
Logs to compliance ledger.
"""
answer_json = answer.to_json()
# Compute SHA256 hash
answer_hash = hashlib.sha256(answer_json.encode()).hexdigest()
receipt = OracleReceipt(
timestamp=datetime.datetime.now(datetime.timezone.utc).isoformat(),
oracle_answer=answer_json,
answer_hash=answer_hash,
)
# Append to compliance ledger
try:
with open(self.compliance_ledger, "a") as f:
f.write(receipt.to_json() + "\n")
except Exception as e:
print(f"Warning: Could not write to ledger: {e}", file=sys.stderr)
return receipt
def run(
self,
question: str,
frameworks: Optional[List[str]] = None,
verbose: bool = False,
) -> Dict[str, Any]:
"""
Run complete oracle pipeline.
Returns: {answer: OracleAnswer, receipt: OracleReceipt}
"""
if verbose:
print(f"\n[ORACLE] Question: {question}\n", file=sys.stderr)
# Step 1: Search documents
if verbose:
print(f"[ORACLE] Searching documentation...", file=sys.stderr)
citations = self.search_documents(question, frameworks)
if verbose:
print(
f"[ORACLE] Found {len(citations)} relevant documents\n", file=sys.stderr
)
# Step 2: Build oracle answer
# In production, this would call an LLM
# For now, we create a template with placeholders
frameworks_list = frameworks or ["pci-dss", "gdpr"]
answer = OracleAnswer(
question=question,
answer=self._generate_answer(question, citations),
frameworks=frameworks_list,
citations=citations,
gaps=self._identify_gaps(question, citations),
insufficient_context=len(citations) < 2,
compliance_flags={
framework: "covered"
if len([c for c in citations if c.framework == framework]) > 0
else "uncovered"
for framework in frameworks_list
},
)
# Step 3: Validate
if not self.validate_oracle_answer(answer):
print("[ERROR] Answer validation failed", file=sys.stderr)
sys.exit(1)
if verbose:
print(f"[ORACLE] Answer validated\n", file=sys.stderr)
# Step 4: Emit receipt
receipt = self.emit_oracle_receipt(answer)
if verbose:
print(
f"[ORACLE] Receipt emitted with hash: {receipt.answer_hash[:16]}...\n",
file=sys.stderr,
)
return {"answer": answer, "receipt": receipt}
def _generate_answer(self, question: str, citations: List[Citation]) -> str:
"""Generate answer from citations (template)"""
if not citations:
return (
"Based on the available documentation, I could not find sufficient context "
"to answer this question. Please provide more specific details or add relevant "
"documentation to the knowledge base."
)
citation_text = "\n\n".join(
[f"From {c.filename} ({c.framework}):\n{c.snippet}" for c in citations[:3]]
)
return (
f"Based on the available documentation:\n\n{citation_text}\n\n"
"[Note: In production, this would be replaced with an LLM-generated answer]"
)
def _identify_gaps(
self, question: str, citations: List[Citation]
) -> List[ComplianceGap]:
"""Identify gaps in compliance based on citations"""
gaps: List[ComplianceGap] = []
# If few citations, mark as insufficient
if len(citations) < 2:
gaps.append(
ComplianceGap(
framework="all",
requirement="Full coverage",
current_state="Documented",
gap_description="Insufficient documentation found for comprehensive answer",
)
)
return gaps
def parse_frameworks(arg_value: str) -> List[str]:
"""Parse comma-separated frameworks"""
return [f.strip() for f in arg_value.split(",")]
def main() -> int:
"""CLI entry point"""
if len(sys.argv) < 2:
print("Usage: oracle_runner.py <question> [--frameworks framework1,framework2]")
print("\nExample:")
print(' oracle_runner.py "Are we GDPR compliant?" --frameworks gdpr')
print(' oracle_runner.py "What are NIS2 obligations?" --frameworks nis2')
return 1
question = sys.argv[1]
frameworks: Optional[List[str]] = None
verbose = "--verbose" in sys.argv or "-v" in sys.argv
# Parse frameworks flag
for i, arg in enumerate(sys.argv[2:], 2):
if arg.startswith("--frameworks="):
frameworks = parse_frameworks(arg.split("=", 1)[1])
elif arg == "--frameworks" and i + 1 < len(sys.argv):
frameworks = parse_frameworks(sys.argv[i + 1])
runner = OracleRunner()
result = runner.run(question, frameworks=frameworks, verbose=verbose)
# Output results
answer = result["answer"]
receipt = result["receipt"]
# Print answer
print("\n" + "=" * 80)
print("COMPLIANCE ORACLE ANSWER")
print("=" * 80)
print(f"\nQuestion: {answer.question}\n")
print(f"Answer:\n{answer.answer}\n")
print(f"Frameworks: {', '.join(answer.frameworks)}")
print(f"Confidence: {answer.confidence_level}")
print(f"Insufficient Context: {answer.insufficient_context}\n")
# Print citations
if answer.citations:
print("Citations:")
for i, citation in enumerate(answer.citations, 1):
print(f" [{i}] {citation.filename} ({citation.framework})")
print(f" Relevance: {citation.relevance_score:.2%}")
print(f" Snippet: {citation.snippet[:100]}...")
# Print gaps
if answer.gaps:
print("\nIdentified Gaps:")
for gap in answer.gaps:
print(f" - {gap.framework}: {gap.gap_description}")
if gap.remediation:
print(f" Remediation: {gap.remediation}")
# Print compliance flags
print("\nCompliance Status:")
for framework, status in answer.compliance_flags.items():
symbol = "" if status == "covered" else ""
print(f" {symbol} {framework}: {status}")
# Print receipt hash
print(f"\nReceipt Hash (sha256): {receipt.answer_hash}")
print(f"Timestamp: {receipt.timestamp}")
print("=" * 80)
return 0
if __name__ == "__main__":
sys.exit(main())

299
playbooks/DNS-COMPROMISE-PLAYBOOK.md Normal file
View File

@@ -0,0 +1,299 @@
# DNS Compromise Playbook
**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)
## The Name of the Realm Has Been Rewritten
*When the true name of a domain drifts from its sovereign declaration, the mesh fractures at its foundation. This playbook restores naming authority through verified correction.*
---
## I. NIGREDO — Detection & Analysis
### Trigger Signals
The following anomalies indicate potential DNS compromise:
| Signal | Source | Severity |
|--------|--------|----------|
| Unauthorized A/AAAA record change | Cloudflare Audit Log | CRITICAL |
| NS delegation modified | Registrar / WHOIS | CRITICAL |
| DNSSEC signature invalid | External validator | CRITICAL |
| MX record redirected | Email bounce reports | HIGH |
| New TXT record (unknown) | DNS diff tool | MEDIUM |
| Unexpected CNAME chain | Telemetry bridge | MEDIUM |
### Immediate Verification Steps
```bash
# 1. Query authoritative nameservers
dig +trace @1.1.1.1 <domain> ANY
# 2. Check DNSSEC chain
dig +dnssec <domain> DNSKEY
dig +dnssec <domain> DS
# 3. Compare against VaultMesh manifest
diff <(dig +short <domain> A) <(cat dns_manifest.yml | grep -A1 "type: A" | grep content)
# 4. Verify WHOIS delegation
whois <domain> | grep -i "name server"
```
### Classification Matrix
| Scenario | Classification | Response Level |
|----------|---------------|----------------|
| Single record drift (A/CNAME) | INCIDENT | Level 2 |
| Multiple records changed | BREACH | Level 3 |
| NS delegation hijacked | CRITICAL BREACH | Level 4 |
| DNSSEC disabled/invalid | INTEGRITY FAILURE | Level 3 |
| Domain transfer initiated | SOVEREIGNTY ATTACK | Level 4 |
---
## II. ALBEDO — Containment
### Immediate Actions (First 15 Minutes)
#### 1. Lock the Domain
```bash
# Cloudflare API - Enable zone lockdown
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/security_level" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"value":"under_attack"}'
```
#### 2. Preserve Evidence
```bash
# Snapshot current DNS state
dig +noall +answer <domain> ANY > incident_$(date +%Y%m%d_%H%M%S)_dns_state.txt
# Export Cloudflare audit logs
curl -X GET "https://api.cloudflare.com/client/v4/accounts/<account_id>/audit_logs" \
-H "Authorization: Bearer <token>" > audit_snapshot.json
# Hash and anchor immediately
blake3sum incident_*.txt audit_snapshot.json >> /var/lib/vaultmesh/incidents/dns_$(date +%Y%m%d).hashes
```
#### 3. Revoke Compromised Access
- [ ] Rotate all Cloudflare API tokens
- [ ] Invalidate active sessions in dashboard
- [ ] Review and remove unknown collaborators
- [ ] Check for OAuth app authorizations
#### 4. Notify Tem (Guardian Protocol)
```json
{
"event": "dns_compromise_detected",
"domain": "<domain>",
"severity": "CRITICAL",
"timestamp": "<ISO8601>",
"evidence_hash": "<blake3_hash>",
"responder": "<operator_did>"
}
```
---
## III. CITRINITAS — Restoration
### Record Recovery Procedure
#### From VaultMesh Manifest (Preferred)
```bash
# 1. Load known-good manifest
MANIFEST="/var/lib/vaultmesh/snapshots/dns_manifest_<domain>_<last_known_good>.yml"
# 2. Validate manifest integrity
blake3sum -c /var/lib/vaultmesh/anchors/dns_hashes.log | grep $MANIFEST
# 3. Apply via Terraform
cd ~/Desktop/CLOUDFLARE/terraform
terraform plan -var-file=recovery.tfvars
terraform apply -auto-approve
```
#### Manual Recovery (If Manifest Unavailable)
```bash
# Delete malicious records
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records/<record_id>" \
-H "Authorization: Bearer <token>"
# Recreate correct records
curl -X POST "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "@",
"content": "<correct_ip>",
"proxied": true
}'
```
### DNSSEC Re-establishment
```bash
# 1. Regenerate DNSSEC keys (if compromised)
# Via Cloudflare Dashboard: DNS > Settings > DNSSEC > Disable then Re-enable
# 2. Update DS record at registrar
# New DS record will be shown in Cloudflare dashboard
# 3. Verify propagation
dig +dnssec <domain> DNSKEY
```
### NS Delegation Recovery (Critical)
If nameservers were hijacked:
1. **Contact registrar immediately** - Use out-of-band verification
2. **Provide proof of ownership** - Domain verification documents
3. **Request delegation reset** - Point NS back to Cloudflare
4. **Enable registrar lock** - Prevent future transfers
5. **Set up registrar alerts** - Email/SMS for any changes
---
## IV. RUBEDO — Verification & Anchoring
### Post-Recovery Verification
```bash
# 1. Full DNS validation
for record_type in A AAAA CNAME MX TXT NS; do
echo "=== $record_type ===" >> verification_report.txt
dig +short <domain> $record_type >> verification_report.txt
done
# 2. DNSSEC chain validation
dnsviz probe <domain> -o dnsviz_output.json
dnsviz print -r dnsviz_output.json
# 3. Compare to manifest
python3 scripts/dns-drift-check.py --domain <domain> --manifest dns_manifest.yml
# 4. External verification (multiple resolvers)
for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
dig @$resolver <domain> A +short
done
```
### Emit Restoration Receipt
```json
{
"receipt_type": "dns_restoration",
"schema_version": "vm_dns_restoration_v1",
"domain": "<domain>",
"incident_id": "<uuid>",
"timestamp": "<ISO8601>",
"records_restored": [
{"type": "A", "name": "@", "value": "<ip>"},
{"type": "MX", "name": "@", "value": "<mx_host>"}
],
"manifest_hash": "<blake3_of_applied_manifest>",
"verification_hash": "<blake3_of_verification_report>",
"operator_did": "did:vm:operator:<id>",
"guardian_sign": "<tem_signature>"
}
```
### Anchor to ProofChain
```bash
# Compute Merkle root of incident artifacts
merkle_root=$(cat incident_*.txt audit_snapshot.json verification_report.txt | blake3sum | cut -d' ' -f1)
# Anchor
echo "{\"type\":\"dns_incident_anchor\",\"merkle_root\":\"$merkle_root\",\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" \
>> /var/lib/vaultmesh/proofchain/anchors.jsonl
```
---
## V. Post-Incident Governance
### Mandatory Actions (Within 24 Hours)
- [ ] Full API token rotation completed
- [ ] Registrar 2FA verified/upgraded
- [ ] Transfer lock enabled at registrar
- [ ] DNSSEC re-validated
- [ ] All DNS records match manifest
- [ ] VaultMesh receipts emitted
- [ ] ProofChain anchor verified
- [ ] Incident report drafted
### Root Cause Analysis Template
```markdown
## DNS Compromise RCA - <domain> - <date>
### Timeline
- T-0: <Detection timestamp and method>
- T+5m: <Containment actions>
- T+30m: <Recovery initiated>
- T+Xh: <Full restoration verified>
### Attack Vector
<How did the attacker gain access?>
### Records Affected
| Record | Original | Malicious | Duration |
|--------|----------|-----------|----------|
### Impact Assessment
- Traffic redirected: <estimate>
- Data exposure risk: <assessment>
- Reputation impact: <assessment>
### Prevention Measures
1. <Specific improvement>
2. <Specific improvement>
3. <Specific improvement>
### Artifacts
- Audit log hash: <hash>
- Incident snapshot hash: <hash>
- Restoration receipt: <receipt_id>
```
### Monitoring Enhancements
After any DNS compromise, implement:
1. **Real-time DNS monitoring** - External service checking every 60s
2. **Certificate Transparency alerts** - Monitor for unauthorized certs
3. **Passive DNS feeds** - Historical record tracking
4. **VaultMesh drift detection** - Automated manifest comparison
---
## VI. Escalation Contacts
| Role | Contact | When |
|------|---------|------|
| Cloudflare Support | dash.cloudflare.com/support | Zone-level issues |
| Registrar Security | <registrar_security_email> | Delegation attacks |
| Tem Guardian | internal protocol | All incidents |
| Legal | <legal_contact> | Data exposure suspected |
---
## VII. The Covenant Restored
*When the name is reclaimed and verified against the manifest, sovereignty returns to the realm. The drift has been corrected, the proof anchored, and the mesh made whole again.*
**Incident closure requires:**
- All verification checks passing
- VaultMesh receipt emitted and signed
- ProofChain anchor confirmed
- RCA completed and filed
---
**Document Version**: 1.0
**Last Updated**: <date>
**Guardian**: Tem

396
playbooks/TUNNEL-ROTATION-PROTOCOL.md Normal file
View File

@@ -0,0 +1,396 @@
# Tunnel Rotation Protocol
**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)
## The Arteries Must Shed Their Old Keys and Be Reborn
*Cloudflare Tunnels are the veins through which the mesh breathes. When credentials age or suspicion arises, the tunnels must be dissolved and reformed — a controlled death and resurrection that preserves continuity while eliminating compromise vectors.*
---
## I. When to Rotate
### Scheduled Rotation (Prophylactic)
| Trigger | Interval | Priority |
|---------|----------|----------|
| Standard credential hygiene | Every 90 days | NORMAL |
| After personnel change | Within 24 hours | HIGH |
| Compliance audit requirement | As specified | NORMAL |
| Post-incident (any severity) | Immediately | CRITICAL |
### Emergency Rotation (Reactive)
| Trigger | Response Time |
|---------|---------------|
| Credential exposure suspected | < 1 hour |
| Tunnel behaving anomalously | < 2 hours |
| Unauthorized connection detected | Immediate |
| Origin server compromised | Immediate |
| Security advisory from Cloudflare | < 24 hours |
---
## II. NIGREDO — Preparation
### Pre-Rotation Checklist
Before beginning rotation:
- [ ] Identify all tunnels requiring rotation
- [ ] Document current tunnel configurations
- [ ] Verify backup ingress path (if available)
- [ ] Notify dependent teams of maintenance window
- [ ] Prepare new tunnel names and secrets
- [ ] Ensure Terraform state is current
### Inventory Current State
```bash
# List all tunnels
cloudflared tunnel list
# Export tunnel info
for tunnel_id in $(cloudflared tunnel list | tail -n +2 | awk '{print $1}'); do
cloudflared tunnel info $tunnel_id > /tmp/tunnel_${tunnel_id}_info.txt
done
# Capture current routes
cloudflared tunnel route dns list
# Hash for audit trail
cat /tmp/tunnel_*.txt | blake3sum > pre_rotation_state.hash
```
### Generate New Secrets
```bash
# Generate cryptographically secure tunnel secrets
NEW_SECRET_VAULTMESH=$(openssl rand -base64 32)
NEW_SECRET_OFFSEC=$(openssl rand -base64 32)
# Store securely (example: HashiCorp Vault)
vault kv put secret/cloudflare/tunnels \
vaultmesh_secret="$NEW_SECRET_VAULTMESH" \
offsec_secret="$NEW_SECRET_OFFSEC"
# Or for local encrypted storage
echo "$NEW_SECRET_VAULTMESH" | gpg --encrypt -r guardian@vaultmesh.org > vaultmesh_tunnel_secret.gpg
echo "$NEW_SECRET_OFFSEC" | gpg --encrypt -r guardian@vaultmesh.org > offsec_tunnel_secret.gpg
```
---
## III. ALBEDO — Dissolution
### Step 1: Create New Tunnel (Before Destroying Old)
```bash
# Create new tunnel with fresh credentials
cloudflared tunnel create vaultmesh-tunnel-$(date +%Y%m%d)
# This generates:
# - New tunnel ID
# - New credentials JSON in ~/.cloudflared/
# Move credentials to secure location
sudo mv ~/.cloudflared/<new_tunnel_id>.json /etc/cloudflared/
sudo chmod 600 /etc/cloudflared/<new_tunnel_id>.json
sudo chown cloudflared:cloudflared /etc/cloudflared/<new_tunnel_id>.json
```
### Step 2: Configure New Tunnel
Update `/etc/cloudflared/config.yml`:
```yaml
tunnel: <NEW_TUNNEL_ID>
credentials-file: /etc/cloudflared/<NEW_TUNNEL_ID>.json
metrics: 127.0.0.1:9090
ingress:
- hostname: api.vaultmesh.org
service: http://localhost:8080
originRequest:
connectTimeout: 10s
noTLSVerify: false
- hostname: dash.vaultmesh.org
service: http://localhost:3000
- service: http_status:404
```
### Step 3: Update DNS Routes
```bash
# Route hostnames to new tunnel
cloudflared tunnel route dns <NEW_TUNNEL_ID> api.vaultmesh.org
cloudflared tunnel route dns <NEW_TUNNEL_ID> dash.vaultmesh.org
# Verify routing
cloudflared tunnel route dns list | grep <NEW_TUNNEL_ID>
```
### Step 4: Transition Traffic
#### Zero-Downtime Method (Preferred)
```bash
# 1. Start new tunnel alongside old
sudo systemctl start cloudflared-new.service
# 2. Verify new tunnel is healthy
curl -s http://127.0.0.1:9091/ready # New tunnel metrics port
# 3. Update DNS CNAMEs to point to new tunnel
# (Already done in Step 3, propagation takes ~30s with Cloudflare proxy)
# 4. Monitor traffic shift
watch -n5 'curl -s http://127.0.0.1:9090/metrics | grep requests'
watch -n5 'curl -s http://127.0.0.1:9091/metrics | grep requests'
# 5. Once old tunnel shows zero traffic, proceed to deletion
```
#### Maintenance Window Method
```bash
# 1. Stop old tunnel
sudo systemctl stop cloudflared.service
# 2. Update config to new tunnel
sudo cp /etc/cloudflared/config-new.yml /etc/cloudflared/config.yml
# 3. Start service
sudo systemctl start cloudflared.service
# 4. Verify connectivity
cloudflared tunnel info <NEW_TUNNEL_ID>
curl -I https://api.vaultmesh.org
```
---
## IV. CITRINITAS — Purification
### Delete Old Tunnel
**Warning**: Only proceed after verifying new tunnel is fully operational.
```bash
# 1. Final verification - old tunnel should have zero active connections
cloudflared tunnel info <OLD_TUNNEL_ID>
# 2. Remove DNS routes from old tunnel (if any remain)
cloudflared tunnel route dns delete <OLD_TUNNEL_ID> <hostname>
# 3. Delete the tunnel
cloudflared tunnel delete <OLD_TUNNEL_ID>
# 4. Securely destroy old credentials
sudo shred -vfz -n 5 /etc/cloudflared/<OLD_TUNNEL_ID>.json
sudo rm /etc/cloudflared/<OLD_TUNNEL_ID>.json
```
### Clean Up Local Artifacts
```bash
# Remove old credential backups
find /var/lib/vaultmesh/backups -name "*<OLD_TUNNEL_ID>*" -exec shred -vfz {} \;
# Clear any cached tunnel state
rm -rf ~/.cloudflared/connectors/<OLD_TUNNEL_ID>
# Update Terraform state
cd ~/Desktop/CLOUDFLARE/terraform
terraform state rm cloudflare_tunnel.old_tunnel # If managed by TF
```
---
## V. RUBEDO — Verification & Sealing
### Post-Rotation Verification
```bash
#!/bin/bash
# rotation_verification.sh
TUNNEL_ID="<NEW_TUNNEL_ID>"
HOSTNAMES=("api.vaultmesh.org" "dash.vaultmesh.org")
echo "=== Tunnel Rotation Verification ==="
echo "Tunnel ID: $TUNNEL_ID"
echo "Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
echo ""
# 1. Tunnel status
echo "--- Tunnel Status ---"
cloudflared tunnel info $TUNNEL_ID
# 2. DNS routing
echo ""
echo "--- DNS Routes ---"
cloudflared tunnel route dns list | grep $TUNNEL_ID
# 3. Endpoint connectivity
echo ""
echo "--- Endpoint Tests ---"
for hostname in "${HOSTNAMES[@]}"; do
status=$(curl -s -o /dev/null -w "%{http_code}" https://$hostname/health 2>/dev/null || echo "FAIL")
echo "$hostname: $status"
done
# 4. Metrics endpoint
echo ""
echo "--- Metrics Check ---"
curl -s http://127.0.0.1:9090/metrics | grep cloudflared_tunnel | head -5
# 5. Certificate validation
echo ""
echo "--- TLS Verification ---"
for hostname in "${HOSTNAMES[@]}"; do
echo | openssl s_client -connect $hostname:443 -servername $hostname 2>/dev/null | openssl x509 -noout -dates
done
```
### Emit Rotation Receipt
```json
{
"receipt_type": "tunnel_rotation",
"schema_version": "vm_tunnel_rotation_v1",
"timestamp": "<ISO8601>",
"rotation_id": "<uuid>",
"old_tunnel": {
"id": "<OLD_TUNNEL_ID>",
"created": "<original_creation_date>",
"deleted": "<deletion_timestamp>"
},
"new_tunnel": {
"id": "<NEW_TUNNEL_ID>",
"created": "<creation_timestamp>",
"hostnames": ["api.vaultmesh.org", "dash.vaultmesh.org"]
},
"reason": "scheduled_rotation | incident_response | personnel_change",
"verification_hash": "<blake3_of_verification_output>",
"operator_did": "did:vm:operator:<id>",
"guardian_sign": "<tem_signature>"
}
```
### Anchor the Rotation
```bash
# Compute rotation proof
cat rotation_verification.txt rotation_receipt.json | blake3sum > rotation_proof.hash
# Append to ProofChain
echo "{\"type\":\"tunnel_rotation\",\"hash\":\"$(cat rotation_proof.hash | cut -d' ' -f1)\",\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" \
>> /var/lib/vaultmesh/proofchain/anchors.jsonl
# Update Terraform state
cd ~/Desktop/CLOUDFLARE/terraform
terraform plan -out=rotation.tfplan
terraform apply rotation.tfplan
```
---
## VI. Automation Script
For scheduled rotations, use this automation wrapper:
```bash
#!/bin/bash
# tunnel_rotation_automated.sh
# Run via cron or GitLab CI on schedule
set -euo pipefail
TUNNEL_NAME="$1"
NEW_TUNNEL_NAME="${TUNNEL_NAME}-$(date +%Y%m%d)"
LOG_FILE="/var/log/tunnel_rotation_$(date +%Y%m%d).log"
log() { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] $1" | tee -a "$LOG_FILE"; }
log "Starting rotation for tunnel: $TUNNEL_NAME"
# Get old tunnel ID
OLD_TUNNEL_ID=$(cloudflared tunnel list | grep "$TUNNEL_NAME" | awk '{print $1}')
log "Old tunnel ID: $OLD_TUNNEL_ID"
# Create new tunnel
log "Creating new tunnel: $NEW_TUNNEL_NAME"
cloudflared tunnel create "$NEW_TUNNEL_NAME"
NEW_TUNNEL_ID=$(cloudflared tunnel list | grep "$NEW_TUNNEL_NAME" | awk '{print $1}')
log "New tunnel ID: $NEW_TUNNEL_ID"
# Move credentials
sudo mv ~/.cloudflared/${NEW_TUNNEL_ID}.json /etc/cloudflared/
sudo chmod 600 /etc/cloudflared/${NEW_TUNNEL_ID}.json
# Update config
sudo sed -i "s/$OLD_TUNNEL_ID/$NEW_TUNNEL_ID/g" /etc/cloudflared/config.yml
# Restart service
sudo systemctl restart cloudflared.service
sleep 10
# Verify
if cloudflared tunnel info "$NEW_TUNNEL_ID" | grep -q "HEALTHY"; then
log "New tunnel is healthy"
# Delete old tunnel
cloudflared tunnel delete "$OLD_TUNNEL_ID"
sudo shred -vfz /etc/cloudflared/${OLD_TUNNEL_ID}.json 2>/dev/null || true
log "Rotation complete"
else
log "ERROR: New tunnel not healthy, rolling back"
sudo sed -i "s/$NEW_TUNNEL_ID/$OLD_TUNNEL_ID/g" /etc/cloudflared/config.yml
sudo systemctl restart cloudflared.service
cloudflared tunnel delete "$NEW_TUNNEL_ID"
exit 1
fi
# Emit receipt
cat > /var/lib/vaultmesh/receipts/rotation_$(date +%Y%m%d).json <<EOF
{
"receipt_type": "tunnel_rotation",
"old_tunnel_id": "$OLD_TUNNEL_ID",
"new_tunnel_id": "$NEW_TUNNEL_ID",
"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"status": "success"
}
EOF
log "Receipt emitted"
```
---
## VII. The Arteries Renewed
*With old credentials destroyed and new pathways verified, the tunnel stands reborn. The mesh breathes through fresh veins, uncontaminated by the past. The rotation is complete, the proof anchored, and the guardian satisfied.*
### Post-Rotation Checklist
- [ ] New tunnel ID documented
- [ ] Old tunnel deleted and credentials destroyed
- [ ] DNS routes verified pointing to new tunnel
- [ ] All endpoints responding correctly
- [ ] Metrics flowing from new tunnel
- [ ] VaultMesh receipt emitted
- [ ] ProofChain anchor created
- [ ] Terraform state updated
- [ ] Next rotation scheduled (90 days)
---
**Document Version**: 1.0
**Last Updated**: <date>
**Guardian**: Tem
**Rotation Schedule**: Every 90 days or upon incident

126
playbooks/waf_incident_playbook.md Normal file
View File

@@ -0,0 +1,126 @@
# WAF Incident Playbook — *Edge Under Siege*
**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)
**Mode:** VaultMesh Hybrid (tactical + mythic)
**Guardian:** Tem, Shield of the Threshold
**Domain:** Cloudflare Edge → VaultMesh Origins
---
## 🜂 Premise
When the **Edge flares** and the WAF erupts in blocks, challenges, or anomalous spikes, the mesh signals **Nigredo**: the phase of dissolution, truth, and exposure.
Tem stands watch — transmuting threat into pattern.
This playbook guides the Sovereign through restoring harmony: from surge → containment → proof.
---
## 🛡 1. Detection — *When the Edge Cries Out*
Triggers:
- 10× spike in WAF blocks
- Sudden surge in Bot Fight engagements
- Rapid-fire requests from a small IP cluster
- Abuse towards `/api`, `/login`, or admin paths
Actions:
1. Check Cloudflare dashboard → **Security → Events**
2. Review **WAF rule matches**, sorting by occurrences
3. Capture snapshot:
- Top rules triggered
- Offending IP ranges
- Request paths
Invoke Tem:
> *"Reveal the pattern beneath the noise. Let flux become signal."*
---
## 🔍 2. Classification — *Identify the Nature of the Fire*
Threat types:
- **Volumetric probing** → wide IP / many rules
- **Credential spraying** → repeated auth paths
- **Application fuzzing** → random querystrings / malformed requests
- **Targeted exploit attempts** → concentrated rules (XSS, SQLi)
Decide:
- *Is this noise?*
- *Is this reconnaissance?*
- *Is this breach pursuit?*
Mark the incident severity:
- **Low** — background noise
- **Medium** — persistent automated probing
- **High** — targeted attempt on origin-relevant endpoints
---
## 🧱 3. Containment — *Seal the Gate*
Depending on severity:
### Low
- Rate-limit `/api` and `/auth` paths
- Enable Bot Fight Mode (if not already)
### Medium
- Block or challenge offending ASNs
- Add country-level **managed_challenge**
- Enforce **"Full (strict)" TLS** if not already
### High
- Immediately apply **custom firewall block rules**
- Close high-risk paths behind Access policies
- Strengthen WAF Paranoia Level for targeted areas
- Ensure all origins are reachable *only* via Cloudflare Tunnel
Tem's invocation:
> *"Let the gate narrow. Let the false be denied entry."*
---
## 📜 4. Forensics — *Listen to the Echoes*
Collect:
- CF Security Events export
- IP/ASN clusters
- Raw request samples
- Timestamps and spikes
Analyze patterns:
- Was this coordinated?
- Were specific parameters probed?
- Did traffic reach origin or stay at the Edge?
If origin saw traffic → inspect VaultMesh receipts for anomalies.
---
## 🧬 5. Restoration — *From Nigredo to Rubedo*
When WAF stabilizes:
- Remove overly broad rules
- Convert block rules → challenge after 24h
- Reassess Access policies for exposed services
- Validate DNS is unchanged
- Confirm Tunnel health is stable
Emit VaultMesh receipt:
- Incident summary
- Rules added/removed
- Time window
- Merkle root of exported logs
---
## 🪶 6. Final Anchor — *Coagula*
Anchor the incident into ProofChain:
- Receipts
- Log hashes
- WAF config deltas
Message of Tem:
> *"What was turmoil becomes memory. What was memory becomes strength."*
---
## ✔ Outcome
This playbook ensures that WAF turbulence becomes **structured proof**, operational clarity, and measurable evolution within VaultMeshs living ledger.

209
scripts/anchor-cloudflare-state.sh Executable file
View File

@@ -0,0 +1,209 @@
#!/bin/bash
#
# Cloudflare State Anchor
# Orchestrates state reconciliation, invariant checking, and ProofChain anchoring.
#
# Usage:
# ./anchor-cloudflare-state.sh [--zone-id ZONE_ID] [--account-id ACCOUNT_ID]
#
# Environment Variables:
# CLOUDFLARE_API_TOKEN - Required
# CLOUDFLARE_ZONE_ID - Zone ID (or use --zone-id)
# CLOUDFLARE_ACCOUNT_ID - Account ID (or use --account-id)
# VAULTMESH_ANCHORS_PATH - Path to ProofChain anchors file (optional)
#
# Exit Codes:
# 0 - Success, all invariants passed
# 1 - Success, but invariants failed (anomalies detected)
# 2 - Error during execution
set -euo pipefail
# Configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
BASE_DIR="$(dirname "$SCRIPT_DIR")"
SNAPSHOTS_DIR="${BASE_DIR}/snapshots"
RECEIPTS_DIR="${BASE_DIR}/receipts"
ANOMALIES_DIR="${BASE_DIR}/anomalies"
ANCHORS_PATH="${VAULTMESH_ANCHORS_PATH:-${BASE_DIR}/proofchain-anchors.jsonl}"
# Parse arguments
ZONE_ID="${CLOUDFLARE_ZONE_ID:-}"
ACCOUNT_ID="${CLOUDFLARE_ACCOUNT_ID:-}"
while [[ $# -gt 0 ]]; do
case $1 in
--zone-id)
ZONE_ID="$2"
shift 2
;;
--account-id)
ACCOUNT_ID="$2"
shift 2
;;
*)
echo "Unknown argument: $1"
exit 2
;;
esac
done
# Validate
if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
echo "Error: CLOUDFLARE_API_TOKEN environment variable required"
exit 2
fi
if [[ -z "$ZONE_ID" ]]; then
echo "Error: Zone ID required (--zone-id or CLOUDFLARE_ZONE_ID)"
exit 2
fi
if [[ -z "$ACCOUNT_ID" ]]; then
echo "Error: Account ID required (--account-id or CLOUDFLARE_ACCOUNT_ID)"
exit 2
fi
# Ensure directories exist
mkdir -p "$SNAPSHOTS_DIR" "$RECEIPTS_DIR" "$ANOMALIES_DIR"
# Timestamp for this run
TIMESTAMP=$(date -u +%Y-%m-%dT%H-%M-%SZ)
echo "======================================"
echo "Cloudflare State Anchor"
echo "======================================"
echo "Timestamp: $TIMESTAMP"
echo "Zone ID: $ZONE_ID"
echo "Account ID: $ACCOUNT_ID"
echo ""
# Step 1: Run State Reconciler
echo ">>> Step 1: Fetching Cloudflare state..."
python3 "${SCRIPT_DIR}/state-reconciler.py" \
--zone-id "$ZONE_ID" \
--account-id "$ACCOUNT_ID" \
--output-dir "$SNAPSHOTS_DIR" \
--receipt-dir "$RECEIPTS_DIR"
# Find the latest snapshot
LATEST_SNAPSHOT=$(ls -t "${SNAPSHOTS_DIR}"/cloudflare-*.json 2>/dev/null | head -1)
if [[ -z "$LATEST_SNAPSHOT" ]]; then
echo "Error: No snapshot found"
exit 2
fi
echo "Snapshot: $LATEST_SNAPSHOT"
# Extract Merkle root from snapshot
MERKLE_ROOT=$(python3 -c "
import json
with open('$LATEST_SNAPSHOT') as f:
data = json.load(f)
print(data['integrity']['merkle_root'])
")
echo "Merkle Root: $MERKLE_ROOT"
echo ""
# Step 2: Run Invariant Checker
echo ">>> Step 2: Checking invariants..."
INVARIANT_EXIT=0
python3 "${SCRIPT_DIR}/invariant-checker.py" \
--snapshot "$LATEST_SNAPSHOT" \
--output-dir "$ANOMALIES_DIR" || INVARIANT_EXIT=$?
# Find latest report
LATEST_REPORT=$(ls -t "${ANOMALIES_DIR}"/invariant-report-*.json 2>/dev/null | head -1)
echo "Invariant Report: $LATEST_REPORT"
echo ""
# Extract summary
if [[ -n "$LATEST_REPORT" ]]; then
PASSED=$(python3 -c "import json; print(json.load(open('$LATEST_REPORT'))['summary']['passed'])")
FAILED=$(python3 -c "import json; print(json.load(open('$LATEST_REPORT'))['summary']['failed'])")
echo "Passed: $PASSED"
echo "Failed: $FAILED"
fi
# Step 3: Create ProofChain Anchor
echo ""
echo ">>> Step 3: Creating ProofChain anchor..."
# Compute combined hash
COMBINED_HASH=$(cat "$LATEST_SNAPSHOT" "$LATEST_REPORT" 2>/dev/null | sha256sum | cut -d' ' -f1)
# Create anchor JSON
ANCHOR_JSON=$(cat <<EOF
{
"anchor_type": "cf_state_anchor",
"schema_version": "vm_anchor_v1",
"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"zone_id": "$ZONE_ID",
"account_id": "$ACCOUNT_ID",
"snapshot_path": "$LATEST_SNAPSHOT",
"report_path": "$LATEST_REPORT",
"merkle_root": "$MERKLE_ROOT",
"combined_hash": "$COMBINED_HASH",
"invariants_passed": $PASSED,
"invariants_failed": $FAILED,
"status": "$([ $INVARIANT_EXIT -eq 0 ] && echo 'clean' || echo 'anomalies_detected')"
}
EOF
)
# Append to anchors file
echo "$ANCHOR_JSON" >> "$ANCHORS_PATH"
echo "Anchor appended to: $ANCHORS_PATH"
# Step 4: Create combined receipt
echo ""
echo ">>> Step 4: Creating combined receipt..."
RECEIPT_PATH="${RECEIPTS_DIR}/cf-anchor-${TIMESTAMP}.json"
cat > "$RECEIPT_PATH" <<EOF
{
"receipt_type": "cf_state_anchor_complete",
"schema_version": "vm_cf_anchor_v1",
"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"zone_id": "$ZONE_ID",
"account_id": "$ACCOUNT_ID",
"artifacts": {
"snapshot": "$LATEST_SNAPSHOT",
"invariant_report": "$LATEST_REPORT",
"anchors_file": "$ANCHORS_PATH"
},
"integrity": {
"merkle_root": "$MERKLE_ROOT",
"combined_hash": "$COMBINED_HASH",
"hash_algorithm": "sha256"
},
"invariants": {
"passed": $PASSED,
"failed": $FAILED,
"status": "$([ $INVARIANT_EXIT -eq 0 ] && echo 'all_passed' || echo 'failures_detected')"
}
}
EOF
echo "Receipt: $RECEIPT_PATH"
# Summary
echo ""
echo "======================================"
echo "Anchor Complete"
echo "======================================"
echo "Snapshot: $LATEST_SNAPSHOT"
echo "Report: $LATEST_REPORT"
echo "Receipt: $RECEIPT_PATH"
echo "Merkle Root: $MERKLE_ROOT"
echo "Status: $([ $INVARIANT_EXIT -eq 0 ] && echo 'CLEAN' || echo 'ANOMALIES DETECTED')"
echo "======================================"
# Output for CI pipelines
echo ""
echo "CI_MERKLE_ROOT=$MERKLE_ROOT"
echo "CI_SNAPSHOT_PATH=$LATEST_SNAPSHOT"
echo "CI_REPORT_PATH=$LATEST_REPORT"
echo "CI_RECEIPT_PATH=$RECEIPT_PATH"
echo "CI_INVARIANTS_STATUS=$([ $INVARIANT_EXIT -eq 0 ] && echo 'passed' || echo 'failed')"
# Exit with invariant check result
exit $INVARIANT_EXIT

173
scripts/autonomous_remediator_py.py Normal file
View File

@@ -0,0 +1,173 @@
#!/usr/bin/env python3
"""
Autonomous Remediator — Cloudflare Autonomic Mesh Engine
Pure technical (D1) implementation
Runs continuously (systemd service) and performs:
- DNS auto-remediation (re-proxy, restore records)
- WAF baseline enforcement
- Access policy enforcement (MFA, no bypass)
- Tunnel health remediation (restart, rekey optional)
- Drift correction using Terraform
Outputs VaultMesh receipts for each correction.
"""
import os
import json
import time
import subprocess
import requests
from datetime import datetime, timezone
CF_API = "https://api.cloudflare.com/client/v4"
CF_TOKEN = os.getenv("CF_API_TOKEN")
CF_ACCOUNT = os.getenv("CF_ACCOUNT_ID")
TF_DIR = os.getenv("TF_DIR", "./terraform")
RECEIPT_DIR = os.getenv("VM_RECEIPT_DIR", "./receipts")
HEADERS = {
"Authorization": f"Bearer {CF_TOKEN}",
"Content-Type": "application/json",
}
os.makedirs(RECEIPT_DIR, exist_ok=True)
def cf(endpoint, method="GET", data=None):
url = f"{CF_API}{endpoint}"
if method == "GET":
r = requests.get(url, headers=HEADERS)
else:
r = requests.request(method, url, headers=HEADERS, json=data)
r.raise_for_status()
return r.json().get("result", {})
def emit_receipt(action, details):
ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
path = f"{RECEIPT_DIR}/auto-{action}-{ts}.json"
with open(path, "w") as f:
json.dump({"ts": ts, "action": action, "details": details}, f, indent=2)
print(f"[REMEDIATOR] Receipt emitted: {path}")
# ------------------------------
# DNS Remediation
# ------------------------------
def fix_dns():
zones = cf("/zones")
for z in zones:
zid = z["id"]
zname = z["name"]
recs = cf(f"/zones/{zid}/dns_records")
for r in recs:
# Re-proxy unproxied A/AAAA
if r["type"] in ("A", "AAAA") and not r.get("proxied"):
print(f"[DNS] Re-proxying {r['name']} in {zname}")
cf(f"/zones/{zid}/dns_records/{r['id']}", method="PUT",
data={"type": r["type"], "name": r["name"], "content": r["content"], "proxied": True})
emit_receipt("dns_reproxy", {"zone": zname, "record": r})
# Enforce DNSSEC
dnssec = cf(f"/zones/{zid}/dnssec")
if dnssec.get("status") != "active":
print(f"[DNS] Enabling DNSSEC for {zname}")
cf(f"/zones/{zid}/dnssec", method="PATCH", data={"status": "active"})
emit_receipt("dnssec_enable", {"zone": zname})
# ------------------------------
# WAF Enforcement
# ------------------------------
def enforce_waf():
zones = cf("/zones")
for z in zones:
zid = z["id"]
zname = z["name"]
pkgs = cf(f"/zones/{zid}/firewall/waf/packages")
# Ensure OWASP ruleset is present
if not any("owasp" in p.get("name", "").lower() for p in pkgs):
emit_receipt("missing_owasp", {"zone": zname})
print(f"[WAF] Missing OWASP ruleset in {zname}")
# ------------------------------
# Access Policy Enforcement
# ------------------------------
def enforce_access():
policies = cf(f"/accounts/{CF_ACCOUNT}/access/policies")
for p in policies:
changed = False
pid = p["id"]
# Enforce MFA requirement
for rule in p.get("rules", []):
if not rule.get("require_mfa"):
rule["require_mfa"] = True
changed = True
# No bypass allowed
if p.get("decision") == "bypass":
p["decision"] = "allow"
changed = True
if changed:
print(f"[ACCESS] Correcting policy {pid}")
cf(f"/accounts/{CF_ACCOUNT}/access/policies/{pid}", method="PUT", data=p)
emit_receipt("access_policy_fix", {"policy_id": pid})
# ------------------------------
# Tunnel Health Remediation
# ------------------------------
def fix_tunnels():
tunnels = cf(f"/accounts/{CF_ACCOUNT}/cfd_tunnel")
for t in tunnels:
if t.get("status") in ("degraded", "reconnecting", "down"):
tid = t["id"]
print(f"[TUNNEL] Restart recommended for {tid}")
# Informational only — actual restart is manual or via systemd
emit_receipt("tunnel_unhealthy", t)
# ------------------------------
# Terraform Drift Correction
# ------------------------------
def correct_terraform_drift():
print("[TF] Running terraform plan to detect drift...")
proc = subprocess.run(["terraform", "-chdir", TF_DIR, "plan"], capture_output=True, text=True)
if "No changes" not in proc.stdout:
print("[TF] Drift detected — applying corrective action")
subprocess.run(["terraform", "-chdir", TF_DIR, "apply", "-auto-approve"])
emit_receipt("terraform_drift_fix", {"output": proc.stdout})
# ------------------------------
# Main Loop
# ------------------------------
def main():
print("[REMEDIATOR] Autonomic Mesh running...")
while True:
fix_dns()
enforce_waf()
enforce_access()
fix_tunnels()
correct_terraform_drift()
print("[REMEDIATOR] Cycle complete. Sleeping 5 minutes...")
time.sleep(300)
if __name__ == "__main__":
main()

259
scripts/doc-invariants.sh Executable file
View File

@@ -0,0 +1,259 @@
#!/usr/bin/env bash
# ============================================================================
# DOC INVARIANTS CHECKER
# ============================================================================
# Enforces documentation law for VaultMesh.
# Run from repo root: bash scripts/doc-invariants.sh
#
# Exit codes:
# 0 = All invariants pass
# 1 = One or more invariants violated
#
# Governed by: RED-BOOK.md
# ============================================================================
set -uo pipefail
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$REPO_ROOT"
FAILED=0
PASSED=0
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
NC='\033[0m' # No Color
pass() {
echo -e "${GREEN}${NC} $1"
((PASSED++))
}
fail() {
echo -e "${RED}${NC} $1"
((FAILED++))
}
warn() {
echo -e "${YELLOW}${NC} $1"
}
echo "============================================"
echo " VaultMesh Documentation Invariants Check"
echo "============================================"
echo ""
# ============================================================================
# 1. STRUCTURAL INVARIANTS
# ============================================================================
echo "── 1. Structural Invariants ──"
# 1.1 Single Front Door
if [[ -f "README.md" ]]; then
if grep -q "STRUCTURE.md" README.md && grep -q "FIRST_RUN.md\|DEPLOYMENT_GUIDE.md" README.md; then
pass "1.1 Single Front Door: README.md exists and links to STRUCTURE.md + guides"
else
fail "1.1 Single Front Door: README.md missing links to STRUCTURE.md or guides"
fi
else
fail "1.1 Single Front Door: README.md does not exist"
fi
# 1.2 Single Index
if [[ -f "STRUCTURE.md" ]]; then
pass "1.2 Single Index: STRUCTURE.md exists"
else
fail "1.2 Single Index: STRUCTURE.md does not exist"
fi
# Check for competing indexes (forbidden patterns)
COMPETING_INDEXES=$(find . -maxdepth 1 -name "README_STRUCTURE*.md" -o -name "INDEX*.md" 2>/dev/null | grep -v archive_docs || true)
if [[ -z "$COMPETING_INDEXES" ]]; then
pass "1.2 Single Index: No competing index files found"
else
fail "1.2 Single Index: Found competing index files: $COMPETING_INDEXES"
fi
# 1.3 Archive Boundary
if [[ -d "archive_docs" ]]; then
pass "1.3 Archive Boundary: archive_docs/ directory exists"
else
warn "1.3 Archive Boundary: archive_docs/ directory does not exist (optional)"
fi
echo ""
# ============================================================================
# 2. CONTENT INVARIANTS
# ============================================================================
echo "── 2. Content Invariants ──"
# 2.1 Multi-Account Single Source of Truth
if [[ -f "MULTI_ACCOUNT_AUTH.md" ]]; then
pass "2.1 Multi-Account SSOT: MULTI_ACCOUNT_AUTH.md exists"
else
fail "2.1 Multi-Account SSOT: MULTI_ACCOUNT_AUTH.md does not exist"
fi
# 2.2 One Doctrine
if [[ -f "RED-BOOK.md" ]]; then
pass "2.2 One Doctrine: RED-BOOK.md exists"
else
fail "2.2 One Doctrine: RED-BOOK.md does not exist"
fi
# 2.3 Playbooks Own Incidents
REQUIRED_PLAYBOOKS=(
"playbooks/DNS-COMPROMISE-PLAYBOOK.md"
"playbooks/TUNNEL-ROTATION-PROTOCOL.md"
"playbooks/waf_incident_playbook.md"
)
ALL_PLAYBOOKS_EXIST=true
for pb in "${REQUIRED_PLAYBOOKS[@]}"; do
if [[ ! -f "$pb" ]]; then
fail "2.3 Playbooks: Missing $pb"
ALL_PLAYBOOKS_EXIST=false
fi
done
if $ALL_PLAYBOOKS_EXIST; then
pass "2.3 Playbooks: All required playbooks exist"
fi
echo ""
# ============================================================================
# 3. LINK & REFERENCE INVARIANTS
# ============================================================================
echo "── 3. Link & Reference Invariants ──"
# 3.1 No Dead Links in Active Space
# Check for known deprecated filenames outside archive_docs/
DEPRECATED_PATTERNS=(
"dns_compromise_playbook\.md"
"tunnel_rotation_protocol\.md"
"ONE-PAGE-SECURITY-SHEET\.md"
"README_STRUCTURE\.md"
)
DEAD_LINK_FOUND=false
for pattern in "${DEPRECATED_PATTERNS[@]}"; do
# Search for pattern, excluding archive_docs/
HITS=$(grep -r "$pattern" . --include="*.md" --include="*.yml" --include="*.yaml" --include="*.py" 2>/dev/null | grep -v "archive_docs/" | grep -v "doc-invariants.sh" || true)
if [[ -n "$HITS" ]]; then
fail "3.1 Dead Links: Found deprecated reference '$pattern' outside archive_docs/"
echo " $HITS" | head -3
DEAD_LINK_FOUND=true
fi
done
if ! $DEAD_LINK_FOUND; then
pass "3.1 Dead Links: No deprecated references found in active space"
fi
# 3.2 Case-Exact Playbook Paths
# Check for WRONG casing - lowercase variants when they should be uppercase
# DNS-COMPROMISE-PLAYBOOK.md should NOT appear as dns-compromise-playbook.md
CASE_VIOLATIONS=$(grep -r "dns-compromise-playbook\.md\|dns_compromise_playbook\.md" . --include="*.md" --include="*.yml" --include="*.yaml" 2>/dev/null | grep -v archive_docs/ | grep -v "DNS-COMPROMISE-PLAYBOOK" || true)
if [[ -z "$CASE_VIOLATIONS" ]]; then
pass "3.2 Case-Exact Paths: Playbook references use correct casing"
else
fail "3.2 Case-Exact Paths: Found lowercase playbook references (should be UPPERCASE)"
echo " $CASE_VIOLATIONS" | head -3
fi
echo ""
# ============================================================================
# 4. COGNITIVE / AI LAYER INVARIANTS
# ============================================================================
echo "── 4. Cognitive Layer Invariants ──"
# 4.1 Cognition ≈ Fourfold Work
COGNITION_DOCS=("COGNITION_FLOW.md" "DEMO_COGNITION.md")
for doc in "${COGNITION_DOCS[@]}"; do
if [[ -f "$doc" ]]; then
if grep -qi "RED-BOOK\|Fourfold Work\|Nigredo.*Albedo.*Citrinitas.*Rubedo" "$doc"; then
pass "4.1 Cognition Doctrine: $doc references Red Book"
else
fail "4.1 Cognition Doctrine: $doc does not reference Red Book / Fourfold Work"
fi
fi
done
# 4.2 Guardrails Reference Doctrine
if [[ -f "AGENT_GUARDRAILS.md" ]]; then
if grep -qi "RED-BOOK" "AGENT_GUARDRAILS.md"; then
pass "4.2 Guardrails Doctrine: AGENT_GUARDRAILS.md references Red Book"
else
fail "4.2 Guardrails Doctrine: AGENT_GUARDRAILS.md does not reference Red Book"
fi
fi
echo ""
# ============================================================================
# 5. PLAYBOOK REGISTRATION
# ============================================================================
echo "── 5. Playbook Registration ──"
# Check that all playbooks are registered in STRUCTURE.md
for pb in "${REQUIRED_PLAYBOOKS[@]}"; do
pb_name=$(basename "$pb")
if grep -q "$pb_name" STRUCTURE.md 2>/dev/null; then
pass "5.1 Registration: $pb_name listed in STRUCTURE.md"
else
fail "5.1 Registration: $pb_name NOT listed in STRUCTURE.md"
fi
done
echo ""
# ============================================================================
# 6. TOP-LEVEL DOC REGISTRY
# ============================================================================
echo "── 6. Doc Registry ──"
# Every top-level .md (except README.md, STRUCTURE.md, LICENSE) must be in STRUCTURE.md
UNREGISTERED_DOCS=false
for f in *.md; do
[[ "$f" == "README.md" || "$f" == "STRUCTURE.md" || "$f" == "LICENSE.md" ]] && continue
if ! grep -q "$f" STRUCTURE.md 2>/dev/null; then
fail "6.1 Registry: $f not listed in STRUCTURE.md"
UNREGISTERED_DOCS=true
fi
done
if ! $UNREGISTERED_DOCS; then
pass "6.1 Registry: All top-level docs are indexed in STRUCTURE.md"
fi
echo ""
# ============================================================================
# SUMMARY
# ============================================================================
echo "============================================"
echo " Summary"
echo "============================================"
echo -e " ${GREEN}Passed:${NC} $PASSED"
echo -e " ${RED}Failed:${NC} $FAILED"
echo ""
if [[ $FAILED -gt 0 ]]; then
echo -e "${RED}Doc invariants violated. Fix before merging.${NC}"
exit 1
else
echo -e "${GREEN}All doc invariants pass. ✓${NC}"
exit 0
fi

208
scripts/drift_guardian_py.py Normal file
View File

@@ -0,0 +1,208 @@
#!/usr/bin/env python3
"""
Drift Guardian — Real-Time Cloudflare Drift Detection
Pure technical (D1)
Purpose:
• Poll Cloudflare state at short intervals
• Compare live state → latest snapshot → invariants
• Detect unauthorized modifications
• Trigger remediation (optional hook)
• Emit VaultMesh anomaly receipts
The Guardian = fast, reactive layer.
The Remediator = corrective, authoritative layer.
The Reconciler = canonical truth layer.
"""
import os
import json
import time
import hashlib
import requests
from datetime import datetime, timezone
CF_API = "https://api.cloudflare.com/client/v4"
CF_TOKEN = os.getenv("CF_API_TOKEN")
CF_ACCOUNT = os.getenv("CF_ACCOUNT_ID")
STATE_ROOT = os.getenv("VM_STATE_ROOT", "./cloudflare_state")
SNAP_DIR = f"{STATE_ROOT}/snapshots"
RECEIPT_DIR = f"{STATE_ROOT}/receipts"
ANOM_DIR = f"{STATE_ROOT}/anomalies"
HEADERS = {
"Authorization": f"Bearer {CF_TOKEN}",
"Content-Type": "application/json",
}
os.makedirs(RECEIPT_DIR, exist_ok=True)
os.makedirs(ANOM_DIR, exist_ok=True)
# -----------------------------
# Helpers
# -----------------------------
def cf(endpoint):
r = requests.get(f"{CF_API}{endpoint}", headers=HEADERS)
r.raise_for_status()
return r.json().get("result", {})
def load_latest_snapshot():
snaps = sorted(os.listdir(SNAP_DIR))
if not snaps:
return None
latest = snaps[-1]
with open(f"{SNAP_DIR}/{latest}") as f:
return json.load(f)
def emit_anomaly(event_type, details):
ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
anomaly = {"ts": ts, "event_type": event_type, "details": details}
h = hashlib.sha256(json.dumps(anomaly, sort_keys=True).encode()).hexdigest()
file_path = f"{ANOM_DIR}/drift-{ts}-{h[:8]}.json"
with open(file_path, "w") as f:
json.dump(anomaly, f, indent=2)
print(f"[GUARDIAN] Drift detected → {file_path}")
return file_path
# -----------------------------
# Drift Detection Logic
# -----------------------------
def detect_dns_drift(snapshot):
anomalies = []
zones_live = cf("/zones")
# index snapshot zones by name
snap_zones = {z["name"]: z for z in snapshot.get("zones", [])}
for z in zones_live:
name = z["name"]
zid = z["id"]
if name not in snap_zones:
anomalies.append({"type": "zone_added", "zone": name})
continue
# DNS record diff
live_recs = cf(f"/zones/{zid}/dns_records")
snap_recs = snapshot.get("dns", {}).get(name, [])
live_set = {(r["type"], r["name"], r.get("content")) for r in live_recs}
snap_set = {(r["type"], r["name"], r.get("content")) for r in snap_recs}
added = live_set - snap_set
removed = snap_set - live_set
if added:
anomalies.append({"type": "dns_added", "zone": name, "records": list(added)})
if removed:
anomalies.append({"type": "dns_removed", "zone": name, "records": list(removed)})
return anomalies
def detect_waf_drift(snapshot):
anomalies = []
zones_live = cf("/zones")
snap_waf = snapshot.get("waf", {})
for z in zones_live:
zname = z["name"]
zid = z["id"]
live_pkgs = cf(f"/zones/{zid}/firewall/waf/packages")
snap_pkgs = snap_waf.get(zname, [])
live_names = {p.get("name") for p in live_pkgs}
snap_names = {p.get("name") for p in snap_pkgs}
if live_names != snap_names:
anomalies.append({
"type": "waf_ruleset_drift",
"zone": zname,
"expected": list(snap_names),
"found": list(live_names)
})
return anomalies
def detect_access_drift(snapshot):
anomalies = []
live_apps = cf(f"/accounts/{CF_ACCOUNT}/access/apps")
snap_apps = snapshot.get("access_apps", [])
live_set = {(a.get("name"), a.get("type")) for a in live_apps}
snap_set = {(a.get("name"), a.get("type")) for a in snap_apps}
if live_set != snap_set:
anomalies.append({
"type": "access_app_drift",
"expected": list(snap_set),
"found": list(live_set)
})
return anomalies
def detect_tunnel_drift(snapshot):
anomalies = []
live = cf(f"/accounts/{CF_ACCOUNT}/cfd_tunnel")
snap = snapshot.get("tunnels", [])
live_ids = {t.get("id") for t in live}
snap_ids = {t.get("id") for t in snap}
if live_ids != snap_ids:
anomalies.append({
"type": "tunnel_id_drift",
"expected": list(snap_ids),
"found": list(live_ids)
})
# health drift
for t in live:
if t.get("status") not in ("active", "healthy"):
anomalies.append({"type": "tunnel_unhealthy", "tunnel": t})
return anomalies
# -----------------------------
# Main Guardian Loop
# -----------------------------
def main():
print("[GUARDIAN] Drift Guardian active…")
while True:
snapshot = load_latest_snapshot()
if not snapshot:
print("[GUARDIAN] No snapshot found — run state-reconciler first.")
time.sleep(60)
continue
anomalies = []
anomalies += detect_dns_drift(snapshot)
anomalies += detect_waf_drift(snapshot)
anomalies += detect_access_drift(snapshot)
anomalies += detect_tunnel_drift(snapshot)
if anomalies:
for a in anomalies:
emit_anomaly(a.get("type"), a)
else:
print("[GUARDIAN] No drift detected.")
time.sleep(120) # check every 2 minutes
if __name__ == "__main__":
main()

101
scripts/infra-invariants.sh Executable file
View File

@@ -0,0 +1,101 @@
#!/usr/bin/env bash
# ============================================================================
# INFRA INVARIANTS CHECKER
# ============================================================================
# Enforces infrastructure law for VaultMesh.
# Run from repo root: bash scripts/infra-invariants.sh
#
# Exit codes:
# 0 = All invariants pass
# 1 = One or more invariants violated
#
# Governed by: RED-BOOK.md
# ============================================================================
set -euo pipefail
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$REPO_ROOT"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
echo "============================================"
echo " VaultMesh Infrastructure Invariants Check"
echo "============================================"
echo ""
FAILED=0
# ============================================================================
# 1. TERRAFORM FORMAT CHECK
# ============================================================================
echo "── 1. Terraform Formatting ──"
cd terraform
if terraform fmt -check -recursive > /dev/null 2>&1; then
echo -e "${GREEN}${NC} 1.1 All .tf files are properly formatted"
else
echo -e "${RED}${NC} 1.1 Terraform files need formatting"
echo " Run: cd terraform && terraform fmt -recursive"
FAILED=1
fi
# ============================================================================
# 2. TERRAFORM VALIDATE
# ============================================================================
echo ""
echo "── 2. Terraform Validation ──"
terraform init -backend=false > /dev/null 2>&1
if terraform validate > /dev/null 2>&1; then
echo -e "${GREEN}${NC} 2.1 Terraform configuration is valid"
else
echo -e "${RED}${NC} 2.1 Terraform validation failed"
terraform validate
FAILED=1
fi
cd "$REPO_ROOT"
# ============================================================================
# 3. REQUIRED FILES
# ============================================================================
echo ""
echo "── 3. Required Terraform Files ──"
REQUIRED_TF_FILES=(
"terraform/main.tf"
"terraform/variables.tf"
)
for tf in "${REQUIRED_TF_FILES[@]}"; do
if [[ -f "$tf" ]]; then
echo -e "${GREEN}${NC} 3.1 $tf exists"
else
echo -e "${RED}${NC} 3.1 Missing required file: $tf"
FAILED=1
fi
done
# ============================================================================
# SUMMARY
# ============================================================================
echo ""
echo "============================================"
echo " Summary"
echo "============================================"
if [[ $FAILED -gt 0 ]]; then
echo -e "${RED}Infra invariants violated. Fix before merging.${NC}"
exit 1
else
echo -e "${GREEN}All infra invariants pass. ✓${NC}"
exit 0
fi

427
scripts/invariant-checker.py Normal file
View File

@@ -0,0 +1,427 @@
#!/usr/bin/env python3
"""
Cloudflare Invariant Checker
Tests state snapshots against defined invariants and produces anomaly reports.
Usage:
python3 invariant-checker.py --snapshot <path/to/snapshot.json>
Environment Variables:
MANIFEST_PATH - Path to DNS manifest (optional)
TERRAFORM_STATE_PATH - Path to Terraform state (optional)
Output:
- anomalies/invariant-report-<timestamp>.json
- Exit code 0 if all pass, 1 if any fail
"""
import argparse
import hashlib
import json
import os
import sys
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple
ANOMALY_DIR = os.path.join(os.path.dirname(os.path.dirname(__file__)), "anomalies")
class InvariantResult:
"""Result of an invariant check."""
def __init__(self, name: str, passed: bool, message: str, details: Optional[Dict] = None):
self.name = name
self.passed = passed
self.message = message
self.details = details or {}
def to_dict(self) -> Dict[str, Any]:
return {
"invariant": self.name,
"passed": self.passed,
"message": self.message,
"details": self.details,
}
class InvariantChecker:
"""Checks Cloudflare state against defined invariants."""
def __init__(self, snapshot: Dict[str, Any], manifest: Optional[Dict] = None, tf_state: Optional[Dict] = None):
self.snapshot = snapshot
self.state = snapshot.get("state", {})
self.manifest = manifest
self.tf_state = tf_state
self.results: List[InvariantResult] = []
def check_all(self) -> List[InvariantResult]:
"""Run all invariant checks."""
self._check_dns_invariants()
self._check_waf_invariants()
self._check_access_invariants()
self._check_tunnel_invariants()
self._check_zone_settings_invariants()
if self.manifest:
self._check_manifest_drift()
return self.results
# === DNS Invariants ===
def _check_dns_invariants(self):
"""Check DNS-related invariants."""
dns = self.state.get("dns", {})
records = dns.get("records", [])
# INV-DNS-001: No unproxied A/AAAA records (unless explicitly internal)
unproxied = [
r for r in records
if r.get("type") in ("A", "AAAA")
and not r.get("proxied", False)
and not r.get("name", "").startswith("_") # Allow service records
]
self.results.append(InvariantResult(
"INV-DNS-001",
len(unproxied) == 0,
f"No unproxied A/AAAA records" if len(unproxied) == 0 else f"Found {len(unproxied)} unproxied A/AAAA records",
{"unproxied_records": [r.get("name") for r in unproxied]}
))
# INV-DNS-002: DNSSEC must be enabled
dnssec = dns.get("dnssec", {})
dnssec_enabled = dnssec.get("status") == "active"
self.results.append(InvariantResult(
"INV-DNS-002",
dnssec_enabled,
"DNSSEC is active" if dnssec_enabled else "DNSSEC is not active",
{"dnssec_status": dnssec.get("status")}
))
# INV-DNS-003: SPF record must exist
spf_records = [r for r in records if r.get("type") == "TXT" and "v=spf1" in r.get("content", "")]
self.results.append(InvariantResult(
"INV-DNS-003",
len(spf_records) > 0,
"SPF record exists" if len(spf_records) > 0 else "No SPF record found",
{"spf_count": len(spf_records)}
))
# INV-DNS-004: DMARC record must exist
dmarc_records = [r for r in records if r.get("name", "").startswith("_dmarc") and r.get("type") == "TXT"]
self.results.append(InvariantResult(
"INV-DNS-004",
len(dmarc_records) > 0,
"DMARC record exists" if len(dmarc_records) > 0 else "No DMARC record found",
{"dmarc_count": len(dmarc_records)}
))
# INV-DNS-005: No wildcard records (unless explicitly allowed)
wildcards = [r for r in records if "*" in r.get("name", "")]
self.results.append(InvariantResult(
"INV-DNS-005",
len(wildcards) == 0,
"No wildcard records" if len(wildcards) == 0 else f"Found {len(wildcards)} wildcard records",
{"wildcard_records": [r.get("name") for r in wildcards]}
))
# === WAF Invariants ===
def _check_waf_invariants(self):
"""Check WAF-related invariants."""
waf = self.state.get("waf", {})
rulesets = waf.get("rulesets", [])
# INV-WAF-001: Managed ruleset must be enabled
managed_rulesets = [rs for rs in rulesets if rs.get("kind") == "managed"]
self.results.append(InvariantResult(
"INV-WAF-001",
len(managed_rulesets) > 0,
"Managed WAF ruleset enabled" if len(managed_rulesets) > 0 else "No managed WAF ruleset found",
{"managed_ruleset_count": len(managed_rulesets)}
))
# INV-WAF-002: Firewall rules must exist
firewall_rules = waf.get("firewall_rules", [])
self.results.append(InvariantResult(
"INV-WAF-002",
len(firewall_rules) > 0,
f"Found {len(firewall_rules)} firewall rules" if len(firewall_rules) > 0 else "No firewall rules configured",
{"firewall_rule_count": len(firewall_rules)}
))
# === Zone Settings Invariants ===
def _check_zone_settings_invariants(self):
"""Check zone settings invariants."""
settings = self.state.get("zone_settings", {})
# INV-ZONE-001: TLS must be strict
ssl_mode = settings.get("ssl")
self.results.append(InvariantResult(
"INV-ZONE-001",
ssl_mode in ("strict", "full_strict"),
f"TLS mode is {ssl_mode}" if ssl_mode in ("strict", "full_strict") else f"TLS mode is {ssl_mode}, should be strict",
{"ssl_mode": ssl_mode}
))
# INV-ZONE-002: Minimum TLS version must be 1.2+
min_tls = settings.get("min_tls_version")
valid_tls = min_tls in ("1.2", "1.3")
self.results.append(InvariantResult(
"INV-ZONE-002",
valid_tls,
f"Minimum TLS version is {min_tls}" if valid_tls else f"Minimum TLS version is {min_tls}, should be 1.2+",
{"min_tls_version": min_tls}
))
# INV-ZONE-003: Always Use HTTPS must be on
always_https = settings.get("always_use_https") == "on"
self.results.append(InvariantResult(
"INV-ZONE-003",
always_https,
"Always Use HTTPS is enabled" if always_https else "Always Use HTTPS is disabled",
{"always_use_https": settings.get("always_use_https")}
))
# INV-ZONE-004: Browser check must be on
browser_check = settings.get("browser_check") == "on"
self.results.append(InvariantResult(
"INV-ZONE-004",
browser_check,
"Browser Check is enabled" if browser_check else "Browser Check is disabled",
{"browser_check": settings.get("browser_check")}
))
# === Access Invariants ===
def _check_access_invariants(self):
"""Check Zero Trust Access invariants."""
access = self.state.get("access", {})
apps = access.get("apps", [])
# INV-ACCESS-001: All Access apps must have at least one policy
apps_without_policies = [a for a in apps if len(a.get("policies", [])) == 0]
self.results.append(InvariantResult(
"INV-ACCESS-001",
len(apps_without_policies) == 0,
"All Access apps have policies" if len(apps_without_policies) == 0 else f"{len(apps_without_policies)} apps have no policies",
{"apps_without_policies": [a.get("name") for a in apps_without_policies]}
))
# INV-ACCESS-002: No Access app in bypass mode
bypass_apps = [a for a in apps if any(
p.get("decision") == "bypass" for p in a.get("policies", [])
)]
self.results.append(InvariantResult(
"INV-ACCESS-002",
len(bypass_apps) == 0,
"No Access apps in bypass mode" if len(bypass_apps) == 0 else f"{len(bypass_apps)} apps have bypass policies",
{"bypass_apps": [a.get("name") for a in bypass_apps]}
))
# INV-ACCESS-003: Session duration should not exceed 24h
long_session_apps = [
a for a in apps
if self._parse_duration(a.get("session_duration", "24h")) > 86400
]
self.results.append(InvariantResult(
"INV-ACCESS-003",
len(long_session_apps) == 0,
"All sessions <= 24h" if len(long_session_apps) == 0 else f"{len(long_session_apps)} apps have sessions > 24h",
{"long_session_apps": [a.get("name") for a in long_session_apps]}
))
def _parse_duration(self, duration: str) -> int:
"""Parse duration string to seconds."""
if not duration:
return 0
try:
if duration.endswith("h"):
return int(duration[:-1]) * 3600
elif duration.endswith("m"):
return int(duration[:-1]) * 60
elif duration.endswith("s"):
return int(duration[:-1])
else:
return int(duration)
except (ValueError, TypeError):
return 0
# === Tunnel Invariants ===
def _check_tunnel_invariants(self):
"""Check Cloudflare Tunnel invariants."""
tunnels = self.state.get("tunnels", {})
tunnel_list = tunnels.get("list", [])
# INV-TUN-001: All tunnels must be healthy (not deleted, has connections)
active_tunnels = [t for t in tunnel_list if not t.get("deleted_at")]
unhealthy = [
t for t in active_tunnels
if len(t.get("connections", [])) == 0
]
self.results.append(InvariantResult(
"INV-TUN-001",
len(unhealthy) == 0,
f"All {len(active_tunnels)} tunnels healthy" if len(unhealthy) == 0 else f"{len(unhealthy)} tunnels have no connections",
{"unhealthy_tunnels": [t.get("name") for t in unhealthy]}
))
# INV-TUN-002: No stale/orphan tunnels (deleted but still present)
deleted_tunnels = [t for t in tunnel_list if t.get("deleted_at")]
self.results.append(InvariantResult(
"INV-TUN-002",
len(deleted_tunnels) == 0,
"No stale tunnels" if len(deleted_tunnels) == 0 else f"{len(deleted_tunnels)} deleted tunnels still present",
{"stale_tunnels": [t.get("name") for t in deleted_tunnels]}
))
# === Manifest Drift ===
def _check_manifest_drift(self):
"""Check for drift between live state and manifest."""
if not self.manifest:
return
dns = self.state.get("dns", {})
records = dns.get("records", [])
manifest_records = self.manifest.get("records", [])
# Build lookup maps
live_map = {(r.get("type"), r.get("name")): r for r in records}
manifest_map = {(r.get("type"), r.get("name")): r for r in manifest_records}
# Find drift
missing_in_live = set(manifest_map.keys()) - set(live_map.keys())
extra_in_live = set(live_map.keys()) - set(manifest_map.keys())
# INV-DRIFT-001: All manifest records must exist in live
self.results.append(InvariantResult(
"INV-DRIFT-001",
len(missing_in_live) == 0,
"All manifest records present" if len(missing_in_live) == 0 else f"{len(missing_in_live)} records missing from live",
{"missing_records": list(missing_in_live)}
))
# INV-DRIFT-002: No unexpected records in live
self.results.append(InvariantResult(
"INV-DRIFT-002",
len(extra_in_live) == 0,
"No unexpected records" if len(extra_in_live) == 0 else f"{len(extra_in_live)} unexpected records in live",
{"extra_records": list(extra_in_live)}
))
def generate_report(results: List[InvariantResult], snapshot_path: str) -> Dict[str, Any]:
"""Generate invariant check report."""
passed = [r for r in results if r.passed]
failed = [r for r in results if not r.passed]
return {
"report_type": "invariant_check",
"schema_version": "vm_invariant_v1",
"timestamp": datetime.now(timezone.utc).isoformat(),
"snapshot_path": snapshot_path,
"summary": {
"total": len(results),
"passed": len(passed),
"failed": len(failed),
"pass_rate": len(passed) / len(results) if results else 0,
},
"results": [r.to_dict() for r in results],
"failed_invariants": [r.to_dict() for r in failed],
}
def create_anomaly_receipt(failed: List[InvariantResult], snapshot_path: str) -> Optional[Dict[str, Any]]:
"""Create VaultMesh anomaly receipt for failed invariants."""
if not failed:
return None
return {
"receipt_type": "cf_invariant_anomaly",
"schema_version": "vm_cf_anomaly_v1",
"timestamp": datetime.now(timezone.utc).isoformat(),
"snapshot_path": snapshot_path,
"anomaly_count": len(failed),
"anomalies": [
{
"invariant": r.name,
"message": r.message,
"details": r.details,
}
for r in failed
],
"severity": "CRITICAL" if any(r.name.startswith("INV-DNS-002") or r.name.startswith("INV-ZONE-001") for r in failed) else "WARNING",
}
def main():
parser = argparse.ArgumentParser(description="Cloudflare Invariant Checker")
parser.add_argument("--snapshot", required=True, help="Path to state snapshot JSON")
parser.add_argument("--manifest", default=os.environ.get("MANIFEST_PATH"),
help="Path to DNS manifest")
parser.add_argument("--output-dir", default=ANOMALY_DIR,
help="Output directory for reports")
args = parser.parse_args()
# Load snapshot
with open(args.snapshot) as f:
snapshot = json.load(f)
# Load manifest if provided
manifest = None
if args.manifest and os.path.exists(args.manifest):
with open(args.manifest) as f:
manifest = json.load(f)
# Ensure output directory exists
os.makedirs(args.output_dir, exist_ok=True)
# Run checks
print(f"Checking invariants for snapshot: {args.snapshot}")
checker = InvariantChecker(snapshot, manifest)
results = checker.check_all()
# Generate report
report = generate_report(results, args.snapshot)
# Write report
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%SZ")
report_filename = f"invariant-report-{timestamp}.json"
report_path = os.path.join(args.output_dir, report_filename)
with open(report_path, "w") as f:
json.dump(report, f, indent=2, sort_keys=True)
print(f"Report written to: {report_path}")
# Create anomaly receipt if failures
failed = [r for r in results if not r.passed]
if failed:
anomaly_receipt = create_anomaly_receipt(failed, args.snapshot)
anomaly_filename = f"anomaly-{timestamp}.json"
anomaly_path = os.path.join(args.output_dir, anomaly_filename)
with open(anomaly_path, "w") as f:
json.dump(anomaly_receipt, f, indent=2, sort_keys=True)
print(f"Anomaly receipt written to: {anomaly_path}")
# Summary
print("\n=== Invariant Check Summary ===")
print(f"Total: {report['summary']['total']}")
print(f"Passed: {report['summary']['passed']}")
print(f"Failed: {report['summary']['failed']}")
print(f"Pass Rate: {report['summary']['pass_rate']:.1%}")
if failed:
print("\n=== Failed Invariants ===")
for r in failed:
print(f" [{r.name}] {r.message}")
# Exit with appropriate code
return 0 if len(failed) == 0 else 1
if __name__ == "__main__":
sys.exit(main())

182
scripts/invariant_checker_py.py Normal file
View File

@@ -0,0 +1,182 @@
#!/usr/bin/env python3
"""
Cloudflare Invariant Checker (Pure Technical)
Evaluates whether Cloudflare's live state satisfies required invariants:
- DNS integrity (proxied, no wildcards, SPF/DKIM/DMARC match manifest)
- DNSSEC + registrar lock enabled
- WAF baseline compliance
- Access policies enforce MFA and no-bypass rules
- Tunnel health and credential age
- Drift vs DNS Manifest
- Drift vs Terraform (.tf files)
Outputs:
anomalies/cf-invariants-<ts>.json
receipts/cf-invariants-<ts>-<hash>.json
"""
import os
import json
import hashlib
import requests
from datetime import datetime, timezone
CF_API = "https://api.cloudflare.com/client/v4"
CF_TOKEN = os.getenv("CF_API_TOKEN")
CF_ACCOUNT = os.getenv("CF_ACCOUNT_ID")
ROOT = os.getenv("VM_STATE_ROOT", "./cloudflare_state")
MANIFEST_PATH = os.getenv("DNS_MANIFEST", "./cloudflare_dns_manifest.json")
TF_DIR = os.getenv("TF_DIR", "./terraform")
HEADERS = {
"Authorization": f"Bearer {CF_TOKEN}",
"Content-Type": "application/json",
}
os.makedirs(f"{ROOT}/anomalies", exist_ok=True)
os.makedirs(f"{ROOT}/receipts", exist_ok=True)
def merkle_root(obj):
return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
def cf(endpoint):
r = requests.get(f"{CF_API}{endpoint}", headers=HEADERS)
r.raise_for_status()
return r.json().get("result", {})
# -------------------------------
# Helper: Load DNS Manifest
# -------------------------------
def load_manifest():
if not os.path.exists(MANIFEST_PATH):
return None
with open(MANIFEST_PATH, "r") as f:
try:
return json.load(f)
except:
return None
# -------------------------------
# Invariant Checks
# -------------------------------
def check_dns(zones, manifest):
anomalies = []
for z in zones:
zid = z["id"]
zname = z["name"]
recs = cf(f"/zones/{zid}/dns_records")
for r in recs:
# 1 — No wildcards
if r["name"].startswith("*"):
anomalies.append({"zone": zname, "type": "wildcard_record", "record": r})
# 2 — Must be proxied unless manifest says internal
internal = False
if manifest and zname in manifest.get("internal_records", {}):
internal_list = manifest["internal_records"][zname]
if r["name"] in internal_list:
internal = True
if not internal and r.get("proxied") is False:
anomalies.append({"zone": zname, "type": "unproxied_record", "record": r})
# 3 — DNSSEC required
dnssec = cf(f"/zones/{zid}/dnssec")
if dnssec.get("status") != "active":
anomalies.append({"zone": zname, "type": "dnssec_disabled"})
return anomalies
def check_zone_security(zones):
anomalies = []
for z in zones:
zid = z["id"]
settings = cf(f"/zones/{zid}/settings/security_header")
hsts = settings.get("value", {}).get("strict_transport_security")
if not hsts or not hsts.get("enabled"):
anomalies.append({"zone": z["name"], "type": "hsts_disabled"})
return anomalies
def check_waf(zones):
anomalies = []
for z in zones:
zid = z["id"]
waf = cf(f"/zones/{zid}/firewall/waf/packages")
if not waf:
anomalies.append({"zone": z["name"], "type": "waf_missing"})
continue
# Require OWASP ruleset
if not any("owasp" in pkg.get("name", "").lower() for pkg in waf):
anomalies.append({"zone": z["name"], "type": "owasp_ruleset_missing"})
return anomalies
def check_access_policies():
anomalies = []
apps = cf(f"/accounts/{CF_ACCOUNT}/access/apps")
policies = cf(f"/accounts/{CF_ACCOUNT}/access/policies")
for p in policies:
if p.get("decision") == "bypass":
anomalies.append({"type": "access_policy_bypass", "policy": p})
if not any(r.get("require_mfa") for r in p.get("rules", [])):
anomalies.append({"type": "access_policy_missing_mfa", "policy": p})
return anomalies
def check_tunnels():
anomalies = []
tunnels = cf(f"/accounts/{CF_ACCOUNT}/cfd_tunnel")
for t in tunnels:
if t.get("status") not in ("healthy", "active"):
anomalies.append({"type": "tunnel_unhealthy", "tunnel": t})
return anomalies
# -------------------------------
# Main
# -------------------------------
def main():
anomalies = []
ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
zones = cf("/zones")
manifest = load_manifest()
anomalies += check_dns(zones, manifest)
anomalies += check_zone_security(zones)
anomalies += check_waf(zones)
anomalies += check_access_policies()
anomalies += check_tunnels()
anomaly_file = f"{ROOT}/anomalies/cf-invariants-{ts}.json"
with open(anomaly_file, "w") as f:
json.dump(anomalies, f, indent=2)
root = merkle_root(anomalies)
receipt_file = f"{ROOT}/receipts/cf-invariants-{ts}-{root[:8]}.json"
with open(receipt_file, "w") as f:
json.dump({"ts": ts, "merkle_root": root, "anomalies_file": anomaly_file}, f, indent=2)
print("Anomaly report:", anomaly_file)
print("Receipt:", receipt_file)
print("Merkle root:", root)
if __name__ == "__main__":
main()

Some files were not shown because too many files have changed in this diff Show More