chore: pre-migration snapshot

Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00
parent 7f2e60e1c5
commit f0b8d962de
67 changed files with 14887 additions and 650 deletions
--- a/OPERATIONAL_FLOWS.md
+++ b/OPERATIONAL_FLOWS.md
@@ -0,0 +1,153 @@
+# Cloudflare Control Plane Operational Flows
+
+## 🔄 Threat Intelligence → WAF Enforcement Flow
+
+```
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│  Threat Intel   │───►│ WAF Intel MCP   │───►│   GitOps MR    │
+│   Collector     │    │  (Analysis)     │    │  (Proposal)     │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│  Classification │◄──►│  Rule Synthesis │◄──►│  MR Automation  │
+│   (ML/Intel)    │    │   (Generator)   │    │   (CI/CD)       │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│ Compliance Map  │───►│ Terraform Apply │───►│ Invariant Check │
+│   (Mapper)      │    │   (Safe MCP)    │    │   (Validator)   │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│  Audit Trail   │◄───│  Live State     │◄───│  Remediation    │
+│   (Logger)      │    │   (Cloudflare)  │    │   (Guardian)    │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+```
+
+### Flow Steps:
+1. **Threat Intel Collection**: Gather indicators from external sources
+2. **WAF Intelligence Analysis**: ML classification + rule gap analysis
+3. **Rule Proposal**: Generate Terraform-ready WAF rules
+4. **GitOps MR**: Automated merge request creation
+5. **Compliance Mapping**: Attach PCI-DSS/OWASP compliance data
+6. **Terraform Apply**: Safe MCP server applies changes
+7. **Invariant Validation**: Real-time state verification
+8. **Remediation**: Automated fix if invariants violated
+
+## 🌐 DNS/Tunnel Management Flow
+
+```
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│ Service Def     │───►│ Tunnel Config   │───►│ DNS Routing     │
+│  (Manifest)     │    │   (Terraform)   │    │   (Records)     │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│ Health Monitor  │◄──►│ Safe MCP Apply  │◄──►│ Invariant Check │
+│   (Checker)     │    │   (Mutation)     │    │   (DNS/Tunnel)  │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│ Rotation Sched  │───►│ Credential Rot  │───►│ Audit Logging   │
+│   (Timer)       │    │   (Automation)   │    │   (Compliance)   │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+```
+
+### Flow Steps:
+1. **Service Definition**: Define service endpoints and requirements
+2. **Tunnel Configuration**: Create Cloudflare Tunnel ingress rules
+3. **DNS Routing**: Point domains/subdomains to tunnel endpoints
+4. **Health Monitoring**: Continuous tunnel connectivity checks
+5. **Safe MCP Operations**: Programmatic DNS/tunnel management
+6. **Invariant Validation**: DNS integrity + tunnel health checks
+7. **Credential Rotation**: Automated tunnel secret rotation
+8. **Audit Logging**: Comprehensive operational tracking
+
+## 🛡️ Security Classification Flow
+
+```
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│   User Query    │───►│ Layer0 Classify │───►│ Routing Decision │
+│   (Input)       │    │   (Pre-exec)    │    │   (Action)      │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│ Shadow Eval     │◄──►│ Oracle Answer   │◄──►│ Security Context │
+│   (Classifier)   │    │   (MCP Server)  │    │   (Environment)  │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│ Preboot Log     │───►│ Execute/Block   │───►│ Audit Trail     │
+│   (Security)    │    │   (Decision)     │    │   (Compliance)   │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+```
+
+### Flow Steps:
+1. **User Query Input**: Receive command/query from user/agent
+2. **Layer0 Classification**: Pre-execution security assessment
+3. **Routing Decision**: Determine allow/block/redirect action
+4. **Shadow Evaluation**: ML-based threat assessment
+5. **Oracle Answer**: Security decision support via MCP
+6. **Preboot Logging**: Security event recording
+7. **Execution/Block**: Allow safe operations, block dangerous ones
+8. **Audit Trail**: Comprehensive security event tracking
+
+## 🔄 Continuous Verification Loop
+
+```
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│   Live State    │───►│ Invariant Check │───►│   Anomalies     │
+│  (Cloudflare)   │    │   (Validator)    │    │   (Detection)    │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│  Drift Detect   │◄──►│ Auto Remediate  │◄──►│  Notify Ops     │
+│   (Guardian)    │    │   (Fixer)       │    │   (Alerting)     │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│  State Update   │───►│  Re-check Inv   │───►│  Close Loop     │
+│   (Terraform)   │    │   (Validation)   │    │   (Complete)     │
+└─────────────────┘    └─────────────────┘    └─────────────────┘
+```
+
+### Flow Steps:
+1. **Live State Monitoring**: Continuous Cloudflare API polling
+2. **Invariant Validation**: Check against desired state + security policies
+3. **Anomaly Detection**: Identify configuration drift or violations
+4. **Drift Analysis**: Determine root cause and severity
+5. **Auto Remediation**: Apply fixes via Safe MCP server
+6. **Ops Notification**: Alert human operators if needed
+7. **State Update**: Apply Terraform changes if remediation successful
+8. **Re-validation**: Confirm invariants are restored
+
+## 🎯 Key Operational Principles
+
+### Separation of Concerns
+- **MCP = Intent**: What should happen
+- **Terraform = State**: What the desired state is
+- **GitOps = Change**: How changes propagate
+- **Layer0 = Security**: Whether actions are safe
+
+### Deterministic Operations
+- Same inputs → same outputs
+- No ambient dependencies
+- Explicit environment configuration
+- Version-controlled everything
+
+### Continuous Verification
+- Real-time state validation
+- Automated remediation
+- Comprehensive audit trails
+- Security classification at every step
+
+These flows represent a **production-grade operational model** where each component has clear responsibilities and the system self-corrects when deviations occur.