# Zero-Trust Architecture (Cloudflare → VaultMesh)

Below is the high-level Zero-Trust flow integrating Cloudflare Edge, Tunnels, Access, DNS, and VaultMesh origins.

---

## 🌐 Zero-Trust System Diagram (Mermaid.js)

```mermaid
graph TD
    %% User & DNS Resolution
    U[User Browser]
    DNS[Cloudflare DNS]
    U -->|Resolve Domain| DNS
    DNS --> EDGE[Cloudflare Edge]

    %% Edge & WAF
    EDGE --> WAF[WAF / Bot Filters / TLS Termination]

    %% Access Policies
    WAF --> ACCESS[Cloudflare Access Policies]
    ACCESS -->|IdP Auth + MFA + Device Posture| AUTH[Identity Provider]

    %% Tunnel Routing (label quoted: parentheses inside [] break Mermaid parsing)
    ACCESS --> TUNNEL["Cloudflare Tunnel (cloudflared)"]
    TUNNEL --> ORIGIN[VaultMesh / OffSec Internal Services]

    %% VaultMesh Integration
    ORIGIN --> RECEIPTS[VaultMesh Receipts Engine]
    ORIGIN --> CRDT[VaultMesh CRDT / State Engine]

    %% Anchoring & Proofs
    RECEIPTS --> PROOF[ProofChain Anchors]
    CRDT --> PROOF
```

---

## 🔐 Identity & Access Flow

1. User resolves the domain via Cloudflare DNS.
2. Edge enforces TLS, WAF, and bot checks.
3. Cloudflare Access challenges the user (SSO, MFA, posture).
4. If approved, Access forwards the request through a private Tunnel.
5. The origin service authenticates the request and emits VaultMesh receipts.
6. State and proof anchors propagate to ProofChain.

---

## 🚇 Cloudflare Tunnel Integration

- `cloudflared` is the *only* transport path to origins.
- Origins listen on localhost / private networks.
- Each service has its own Access policy and Tunnel route.
- Tunnel identity is tied to short-lived credentials.

---

## 🛡️ Security Controls at Each Layer

- **Edge**: TLS enforcement, WAF rules, Bot Mode.
- **Access**: Identity gating (email/group/MFA), device posture checks.
- **Tunnel**: Mutual authentication, non-public network exposure.
- **Origin**: Capability-scoped VaultMesh API.
- **VaultMesh**: Receipt generation + Merkle-root integrity.

---

## 🔗 VaultMesh Integration Points

- Each access event → creates a VaultMesh read-proof.
- Each configuration change → DNS/WAF/Tunnel snapshot receipt.
- Weekly proof anchors → ProofChain for immutability.

---

## 📦 Outputs

This architecture defines how

- DNS routing
- Edge security
- Zero-Trust Access
- Cloudflare Tunnels
- VaultMesh integrity

all cooperate to produce a tamper-evident, private-by-default web infrastructure.
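The receipt and Merkle-root integrity step from the Security Controls and VaultMesh Integration Points sections, as an added illustration that is not VaultMesh's own code: each access event is canonicalised into a receipt, a batch of receipts is folded into a Merkle tree whose root is what would be anchored to ProofChain, and any single receipt can later be checked against that root with an inclusion proof. The event field names, the sample events and the tree construction (RFC 6962-style domain-separated hashes, unpaired nodes promoted rather than duplicated) are assumptions made here.

```python
from __future__ import annotations
import hashlib
import json

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_receipt(event: dict) -> dict:
    """Canonicalise one access event (sorted keys, no whitespace) and bind it
    to a leaf hash. Field names are illustrative, not VaultMesh's real schema."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return {"event": event, "leaf": _h(b"\x00" + body).hex()}   # 0x00 = leaf prefix

def _next_level(level: list[bytes]) -> list[bytes]:
    # Pair adjacent nodes; an unpaired last node is promoted unchanged (no duplication).
    return [_h(b"\x01" + level[j] + level[j + 1]) if j + 1 < len(level) else level[j]
            for j in range(0, len(level), 2)]   # 0x01 = interior-node prefix

def merkle_root(leaves: list[bytes]) -> bytes:
    if not leaves:
        raise ValueError("cannot anchor an empty batch")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(leaves: list[bytes], index: int) -> list[tuple[str, bytes]]:
    """Sibling path from leaf `index` up to the root; 'R' = sibling is on the right."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if i ^ 1 < len(level):            # promoted nodes have no sibling at this level
            proof.append(("R" if i % 2 == 0 else "L", level[i ^ 1]))
        level, i = _next_level(level), i // 2
    return proof

def verify_inclusion(leaf: bytes, proof: list[tuple[str, bytes]], root: bytes) -> bool:
    """Recompute the root from a leaf and its proof; any edit to the event breaks it."""
    node = leaf
    for side, sibling in proof:
        node = _h(b"\x01" + node + sibling) if side == "R" else _h(b"\x01" + sibling + node)
    return node == root

# Constructed sample access events, as the origin would record them after Access/Tunnel.
SAMPLE_EVENTS = [
    {"ts": "2024-01-08T09:00:00Z", "user": "alice@example.com", "path": "/api/v1/keys", "decision": "allow"},
    {"ts": "2024-01-08T09:01:30Z", "user": "bob@example.com", "path": "/admin", "decision": "deny"},
    {"ts": "2024-01-08T09:02:10Z", "user": "alice@example.com", "path": "/api/v1/keys/7", "decision": "allow"},
]

def anchor_batch(events: list[dict]) -> dict:
    # Returns the receipts plus the root that a weekly anchor would commit to ProofChain.
    receipts = [make_receipt(e) for e in events]
    leaves = [bytes.fromhex(r["leaf"]) for r in receipts]
    return {"root": merkle_root(leaves).hex(), "count": len(leaves), "receipts": receipts}
```

A verifier holding only the anchored root and one receipt plus its proof can confirm that receipt was in the batch without seeing the other events.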