chore: pre-migration snapshot

Layer0, MCP servers, Terraform consolidation
Vault Sovereign
2025-12-27 01:52:27 +00:00
parent 7f2e60e1c5
commit f0b8d962de
67 changed files with 14887 additions and 650 deletions

ASSURANCE.md Normal file

@@ -0,0 +1,81 @@
# Assurance Run — 2025-12-18
- Commit: 7f2e60e1c514fbe2f459d6c2080841db7e167d85
- Tooling: `terraform v1.5.7`, `python3 3.14.2`
| Check | Status | Notes |
| --- | --- | --- |
| `terraform fmt -recursive` | ✅ | Ran from repo root; terraform rewrote any files that diverged from canonical formatting (see `git status` for changes, if any). |
| `terraform validate` | ⚠️ | After `terraform init`, validation succeeded but emitted deprecation warnings (`cloudflare_access_application` and `cloudflare_record.value` usage). No fixes applied. |
| `python3 -m py_compile layer0/security_classifier.py scripts/*.py` | ✅ | All Layer0 + scripts modules compiled. |
Additional context:
- `terraform init` was executed to download `cloudflare/cloudflare v4.52.5` so that validation could run; `.terraform/` and `.terraform.lock.hcl` were created/updated.
- No other files were modified manually during this pass.
---
## Canonical Gates (CI / Audit)
These are the *operator-safe, auditor-grade* checks expected to pass on every sweep.
### 1) WAF Intel regression + CLI sanity
From `cloudflare/`:
```bash
# Install dev deps (once)
python3 -m pip install -r requirements-dev.txt
# Full test suite
python3 -m pytest -q
# Analyzer regression only
python3 -m pytest -q tests/test_waf_intelligence_analyzer.py
# WAF Intel CLI (must not emit false "no managed WAF" warnings)
python3 -m mcp.waf_intelligence --file terraform/waf.tf --format json --limit 5 | python3 -m json.tool
```
Acceptance:
- Exit code 0
- JSON parses
- `insights` is `[]` (or informational-only; no false `"No managed WAF rules detected"` warning)
### 2) Terraform hardening correctness (empty-list safety + plan gates)
From `cloudflare/terraform/`:
```bash
terraform fmt -recursive
terraform init
terraform validate
# Free-plan path (managed WAF + bot mgmt must be gated off even if flags are true)
terraform plan -refresh=false -var-file=assurance_free.tfvars
# Paid-plan path (managed WAF + bot mgmt appear when flags are true)
terraform plan -refresh=false -var-file=assurance_pro.tfvars
```
Acceptance:
- Both plans succeed (no `{}` expression errors)
- Paid-plan run includes `cloudflare_ruleset.managed_waf` / `cloudflare_bot_management.domains`
- Free-plan run does not include those resources
One-shot (runs all gates + JSON-plan assertions):
```bash
bash scripts/waf-and-plan-invariants.sh
```
### Notes for sandboxed runs
Some sandboxed execution environments block Terraform provider plugins from binding unix sockets, which surfaces as:
```
Unrecognized remote plugin message
...
listen unix ...: bind: operation not permitted
```
Run Terraform with the necessary OS permissions (or outside the sandbox) in that case.
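Review bot: the acceptance list under "2) Terraform hardening correctness" does not say whether `terraform validate` passing with deprecation warnings counts as a pass, even though the run table above records exactly that outcome (⚠️ for `cloudflare_access_application` and `cloudflare_record.value`) with "No fixes applied". Either state explicitly that deprecation warnings are tolerated until the provider upgrade, or add a bullet such as "- `terraform validate` exits 0 (deprecation warnings tracked separately)" so a later sweep cannot silently treat warnings as a failure or, worse, as noise. Two smaller points: the "Additional context" bullet notes that `.terraform/` and `.terraform.lock.hcl` were created/updated, so it is worth confirming that `.terraform/` is ignored and only the lock file is committed; and the Markdown has no blank lines between the bullet list, the table and the `##`/`###` headings, which some renderers need to start a new block, so the `| Check | Status | Notes |` table in particular may not render as intended.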