# Assurance Run — 2025-12-18

- Commit: 7f2e60e1c514fbe2f459d6c2080841db7e167d85
- Tooling: `terraform v1.5.7`, `python3 3.14.2`

| Check | Status | Notes |
| --- | --- | --- |
| `terraform fmt -recursive` | ✅ | Ran from repo root; terraform rewrote any files that diverged from canonical formatting (see `git status` for changes, if any). |
| `terraform validate` | ⚠️ | After `terraform init`, validation succeeded but emitted deprecation warnings (`cloudflare_access_application` and `cloudflare_record.value` usage). No fixes applied. |
| `python3 -m py_compile layer0/security_classifier.py scripts/*.py` | ✅ | All Layer0 + scripts modules compiled. |

Additional context:

- `terraform init` was executed to download `cloudflare/cloudflare v4.52.5` so that validation could run; `.terraform/` and `.terraform.lock.hcl` were created/updated.
- No other files were modified manually during this pass.

---

## Canonical Gates (CI / Audit)

These are the *operator-safe, auditor-grade* checks expected to pass on every sweep.

### 1) WAF Intel regression + CLI sanity

From `vm-cloudflare/`:

```bash
# Install dev deps (once)
python3 -m pip install -r requirements-dev.txt

# Full test suite
python3 -m pytest -q

# Analyzer regression only
python3 -m pytest -q tests/test_waf_intelligence_analyzer.py

# WAF Intel CLI (must not emit false "no managed WAF" warnings)
python3 -m mcp.waf_intelligence --file terraform/waf.tf --format json --limit 5 | python3 -m json.tool
```

Acceptance:

- Exit code 0
- JSON parses
- `insights` is `[]` (or informational-only; no false `"No managed WAF rules detected"` warning)

### 2) Terraform hardening correctness (empty-list safety + plan gates)

From `vm-cloudflare/terraform/`:

```bash
terraform fmt -recursive
terraform init
terraform validate

# Free-plan path (managed WAF + bot mgmt must be gated off even if flags are true)
terraform plan -refresh=false -var-file=assurance_free.tfvars

# Paid-plan path (managed WAF + bot mgmt appear when flags are true)
terraform plan -refresh=false -var-file=assurance_pro.tfvars
```

Acceptance:

- Both plans succeed (no `{}` expression errors)
- Paid-plan run includes `cloudflare_ruleset.managed_waf` / `cloudflare_bot_management.domains`
- Free-plan run does not include those resources

One-shot (runs all gates + JSON-plan assertions):

```bash
bash scripts/waf-and-plan-invariants.sh
```

### Notes for sandboxed runs

Some sandboxed execution environments block Terraform provider plugins from binding unix sockets, which surfaces as:

```
Unrecognized remote plugin message ... listen unix ...: bind: operation not permitted
```

Run Terraform with the necessary OS permissions (or outside the sandbox) in that case.
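A concrete form of the acceptance checks for gates 1 and 2, written here as an added example and not the repository's own `scripts/waf-and-plan-invariants.sh`: gate 1 requires the WAF Intel CLI output to parse and its `insights` to be empty or informational-only with no false "No managed WAF rules detected" warning; gate 2 requires the two gated resources to be present in the paid-plan run and absent from the free-plan run. It assumes plans are exported with `terraform show -json <planfile>` (whose `resource_changes[*].address` and `change.actions` fields are Terraform's documented JSON plan format) and that the CLI emits a top-level `insights` list whose items carry `severity` and `message` keys; the severity labels, the sample plan documents and the sample CLI output embedded below are constructed for illustration, not captured from the tools.

```python
import json
from typing import Any

# Resources the page says must appear only on the paid-plan path.
PLAN_GATED_RESOURCES = {
    "cloudflare_ruleset.managed_waf",
    "cloudflare_bot_management.domains",
}
# Warning text that gate 1 says must never appear for terraform/waf.tf.
FALSE_WARNING = "No managed WAF rules detected"
# Severity labels treated as informational-only (assumed; adjust to the CLI's real labels).
INFORMATIONAL = {"info", "informational"}


def planned_addresses(plan: dict[str, Any]) -> set[str]:
    """Addresses of resources the plan keeps, creates or updates.

    A resource whose only planned action is `delete`, or one absent from
    `resource_changes`, counts as not present in the plan.
    """
    present: set[str] = set()
    for change in plan.get("resource_changes", []):
        actions = set(change.get("change", {}).get("actions", []))
        if actions and actions != {"delete"}:
            present.add(change["address"])
    return present


def check_plan_gate(plan: dict[str, Any], paid_plan: bool) -> list[str]:
    """Gate 2: return violations for one plan (an empty list means pass)."""
    present = planned_addresses(plan)
    violations: list[str] = []
    for address in sorted(PLAN_GATED_RESOURCES):
        if paid_plan and address not in present:
            violations.append(f"paid plan is missing {address}")
        elif not paid_plan and address in present:
            violations.append(f"free plan must not contain {address}")
    return violations


def check_waf_intel_output(raw: str) -> list[str]:
    """Gate 1: output must parse and `insights` must be [] or informational-only."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"output is not valid JSON: {exc.msg}"]
    insights = doc.get("insights")
    if not isinstance(insights, list):
        return ["`insights` missing or not a list"]
    violations: list[str] = []
    for item in insights:
        severity = str(item.get("severity", "")).lower()
        message = str(item.get("message", ""))
        if FALSE_WARNING.lower() in message.lower():
            violations.append(f"false warning emitted: {message}")
        elif severity not in INFORMATIONAL:
            violations.append(f"non-informational insight [{severity}]: {message}")
    return violations


# --- constructed sample inputs (not real tool output) ---------------------
FREE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "cloudflare_zone_settings_override.main",
         "change": {"actions": ["update"]}},
    ],
})
PAID_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "cloudflare_zone_settings_override.main",
         "change": {"actions": ["no-op"]}},
        {"address": "cloudflare_ruleset.managed_waf",
         "change": {"actions": ["create"]}},
        {"address": "cloudflare_bot_management.domains",
         "change": {"actions": ["create"]}},
    ],
})
WAF_INTEL_OK = json.dumps({"insights": [
    {"severity": "info", "message": "3 managed rulesets referenced in waf.tf"},
]})
WAF_INTEL_BAD = json.dumps({"insights": [
    {"severity": "warning", "message": "No managed WAF rules detected"},
]})


def run_all_gates() -> dict[str, list[str]]:
    """Evaluate every gate on the sample inputs; a key mapped to [] passed."""
    return {
        "free_plan": check_plan_gate(json.loads(FREE_PLAN_JSON), paid_plan=False),
        "paid_plan": check_plan_gate(json.loads(PAID_PLAN_JSON), paid_plan=True),
        "waf_intel_ok": check_waf_intel_output(WAF_INTEL_OK),
        "waf_intel_bad": check_waf_intel_output(WAF_INTEL_BAD),
    }


if __name__ == "__main__":
    for gate, violations in run_all_gates().items():
        print(f"{gate}: {'PASS' if not violations else 'FAIL ' + '; '.join(violations)}")
```

For a real sweep, feed `check_plan_gate` the output of `terraform plan -refresh=false -var-file=assurance_pro.tfvars -out=pro.tfplan && terraform show -json pro.tfplan` (and the free-plan equivalent) and `check_waf_intel_output` the CLI's stdout; because each function returns a list of violations instead of printing, a CI wrapper can fail the job on any non-empty result and log the reason verbatim.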