chore: pre-migration snapshot

Layer0, MCP servers, Terraform consolidation

tests/test_mcp_cloudflare_safe_ingress.py

@@ -0,0 +1,22 @@
+from mcp.cloudflare_safe.cloudflare_api import parse_cloudflared_config_ingress
+
+
+def test_parse_cloudflared_config_ingress_extracts_hostnames_and_services():
+    sample = """\
+tunnel: 00000000-0000-0000-0000-000000000000
+credentials-file: /etc/cloudflared/0000.json
+
+ingress:
+  - hostname: "api.example.com"
+    service: http://127.0.0.1:8080
+  - hostname: app.example.com
+    service: "http://127.0.0.1:3000"
+  - service: http_status:404
+"""
+
+    rules = parse_cloudflared_config_ingress(sample)
+
+    assert rules == [
+        {"hostname": "api.example.com", "service": "http://127.0.0.1:8080"},
+        {"hostname": "app.example.com", "service": "http://127.0.0.1:3000"},
+    ]

tests/test_waf_intelligence_analyzer.py

@@ -0,0 +1,43 @@
+from mcp.waf_intelligence.analyzer import WAFRuleAnalyzer
+
+
+def test_analyzer_detects_managed_waf_ruleset():
+    analyzer = WAFRuleAnalyzer()
+
+    tf = """
+resource "cloudflare_ruleset" "managed_waf" {
+  name  = "Managed WAF"
+  kind  = "zone"
+  phase = "http_request_firewall_managed"
+
+  rules {
+    action = "execute"
+    action_parameters {
+      id = "efb7b8c949ac4650a09736fc376e9aee"
+    }
+    expression  = "true"
+    description = "Execute Cloudflare Managed Ruleset"
+    enabled     = true
+  }
+}
+"""
+
+    result = analyzer.analyze_terraform_text("snippet.tf", tf, min_severity="warning")
+    assert result.violations == []
+
+
+def test_analyzer_warns_when_managed_waf_missing():
+    analyzer = WAFRuleAnalyzer()
+
+    tf = """
+resource "cloudflare_ruleset" "security_rules" {
+  name  = "Security Rules"
+  kind  = "zone"
+  phase = "http_request_firewall_custom"
+}
+"""
+
+    result = analyzer.analyze_terraform_text("snippet.tf", tf, min_severity="warning")
+    assert [v.message for v in result.violations] == [
+        "No managed WAF rules detected in this snippet."
+    ]