chore: pre-migration snapshot

Layer0, MCP servers, Terraform consolidation

CAPABILITY_REGISTRY_V2.md

@@ -0,0 +1,174 @@
+# Cloudflare Control Plane Capability Registry v2
+
+Generated: 2025-12-18T02:38:01.740122+00:00  
+Version: 1.0.1
+
+## MCP Servers
+
+### cloudflare_safe
+**Module**: `cloudflare.mcp.cloudflare_safe`  
+**Entrypoint**: `cloudflare.mcp.cloudflare_safe`  
+**Purpose**: Secure Cloudflare API operations  
+
+**Tools**:
+- cf_snapshot (read/write token required)
+- cf_refresh (write token required)
+- cf_config_diff (read; requires snapshot_id)
+- cf_export_config (read)
+- cf_tunnel_status (read)
+- cf_tunnel_ingress_summary (read)
+- cf_access_policy_list (read)
+
+**Auth/Env**: CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID
+**Side Effects**: read-only unless token present; cf_refresh/cf_snapshot are mutating
+**Outputs**: json, terraform_hcl
+
+**Capabilities**:
+- dns_record_management
+- waf_rule_configuration
+- tunnel_health_monitoring
+- zone_analytics_query
+- terraform_state_synchronization
+
+### waf_intelligence
+**Module**: `cloudflare.mcp.waf_intelligence`  
+**Entrypoint**: `cloudflare.mcp.waf_intelligence.mcp_server`  
+**Purpose**: WAF rule analysis and synthesis  
+
+**Tools**:
+- waf_capabilities (read)
+- waf_analyze (read)
+- waf_assess (read)
+- waf_generate_gitops_proposals (propose)
+
+**Auth/Env**: 
+**Side Effects**: propose-only; generates GitOps proposals
+**Outputs**: json, terraform_hcl, gitops_mr
+
+**Capabilities**:
+- waf_config_analysis
+- threat_intelligence_integration
+- compliance_mapping
+- rule_gap_identification
+- terraform_ready_rule_generation
+
+### oracle_answer
+**Module**: `cloudflare.mcp.oracle_answer`  
+**Entrypoint**: `cloudflare.mcp.oracle_answer`  
+**Purpose**: Security decision support  
+
+**Tools**:
+- oracle_answer (read)
+
+**Auth/Env**: 
+**Side Effects**: read-only; security classification only
+**Outputs**: json, security_classification
+
+**Capabilities**:
+- security_classification
+- routing_decision_support
+- threat_assessment
+- pre_execution_screening
+
+## Terraform Resources
+
+### dns_management
+**Files**: dns.tf  
+
+**Capabilities**:
+- automated_dns_provisioning
+- spf_dmarc_mx_configuration
+- tunnel_based_routing
+- proxied_record_management
+
+### waf_security
+**Files**: waf.tf  
+
+**Capabilities**:
+- custom_waf_rules
+- managed_ruleset_integration
+- bot_management
+- rate_limiting
+- country_blocking
+
+### tunnel_infrastructure
+**Files**: tunnels.tf  
+
+**Capabilities**:
+- multi_service_tunnel_routing
+- ingress_rule_management
+- health_monitoring
+- credential_rotation
+
+## GitOps Tools
+
+### waf_rule_proposer
+**File**: gitops/waf_rule_proposer.py  
+**Purpose**: Automated WAF rule generation  
+**Side Effects**: creates GitLab merge requests  
+**Outputs**: terraform_hcl, gitops_mr  
+
+**Capabilities**:
+- threat_intel_driven_rules
+- gitlab_ci_integration
+- automated_mr_creation
+- compliance_mapping
+
+### invariant_checker
+**File**: scripts/invariant_checker_py.py  
+**Purpose**: Real-time state validation  
+**Side Effects**: generates anomaly reports  
+**Outputs**: json, anomaly_report  
+
+**Capabilities**:
+- dns_integrity_checks
+- waf_compliance_validation
+- tunnel_health_monitoring
+- drift_detection
+
+### drift_guardian
+**File**: scripts/drift_guardian_py.py  
+**Purpose**: Automated remediation  
+**Side Effects**: applies Terraform changes  
+**Outputs**: terraform_apply, remediation_report  
+
+**Capabilities**:
+- state_reconciliation
+- auto_remediation
+- ops_notification
+
+## Security Framework
+
+### layer0
+**Components**: entrypoint.py, shadow_classifier.py, preboot_logger.py  
+
+**Capabilities**:
+- pre_execution_security_classification
+- threat_assessment
+- security_event_logging
+- routing_decision_support
+
+**Classification Levels**:
+- catastrophic
+- forbidden
+- ambiguous
+- blessed
+
+## Operational Tools
+
+### systemd_services
+**Services**: autonomous-remediator, drift-guardian, tunnel-rotation  
+
+**Capabilities**:
+- continuous_monitoring
+- automated_remediation
+- scheduled_operations
+
+### test_suites
+**Test Suites**: layer0_validation, mcp_integration, cloudflare_safe_ingress  
+
+**Capabilities**:
+- security_classification_testing
+- mcp_server_validation
+- api_integration_testing
+