# VaultMesh — Cloudflare Infrastructure Automation

**Governed by the [Red Book](RED-BOOK.md)** | **Docs:** ✅ [Invariants enforced](scripts/doc-invariants.sh)

VaultMesh is a proof-based infrastructure platform that manages Cloudflare resources through GitOps, intelligent agents, and cryptographic receipts. Every change leaves a trail; every state is verifiable.

---

## Quick Start

```bash
# 1. Clone and configure
cd /Users/sovereign/Desktop/CLOUDFLARE
cp .env.example .env
# Edit .env with your API tokens

# 2. Initialize Terraform (subshell so the later steps still run from the repo root)
(cd terraform && terraform init && terraform plan)

# 3. Validate environment
bash TEST_WORKFLOW.sh quick

# 4. Start OpenCode (interactive)
opencode
```

**First time?** See [FIRST_RUN.md](FIRST_RUN.md) for step-by-step guidance.

---

## Documentation Map

| Need | Document |
|------|----------|
| **Architecture overview** | [STRUCTURE.md](STRUCTURE.md) |
| **Multi-account setup** | [MULTI_ACCOUNT_AUTH.md](MULTI_ACCOUNT_AUTH.md) |
| **AI agent config** | [AGENTS.md](AGENTS.md) |
| **MCP server reference** | [MCP_GUIDE.md](MCP_GUIDE.md) |
| **Production deployment** | [DEPLOYMENT_GUIDE.md](DEPLOYMENT_GUIDE.md) |
| **Security patterns** | [WEB-INFRA-SECURITY-PATTERNS.md](WEB-INFRA-SECURITY-PATTERNS.md) |
| **Incident playbooks** | [playbooks/](playbooks/) |
| **Philosophical doctrine** | [RED-BOOK.md](RED-BOOK.md) |

---

## Core Components

```
terraform/      Infrastructure as Code (Cloudflare zones, DNS, WAF)
gitops/         CI/CD automation, PR bots, drift detection
observatory/    Monitoring, metrics, dashboards
mcp/            MCP tool implementations
scripts/        Standalone utilities
playbooks/      Incident response procedures
```

---

## Security Architecture

- **Zero Trust**: Cloudflare Tunnels replace exposed ports — see [zero_trust_architecture.md](zero_trust_architecture.md)
- **WAF Baseline**: Managed rulesets + custom rules — see [cloudflare_waf_baseline.md](cloudflare_waf_baseline.md)
- **DNS Hardening**: DNSSEC + CAA + SPF/DKIM/DMARC — see [cloudflare_dns_manifest.md](cloudflare_dns_manifest.md)
- **Agent Guardrails**: AI agents operate under strict constraints — see [AGENT_GUARDRAILS.md](AGENT_GUARDRAILS.md)

---

## Governing Doctrine

This project follows the **Red Book** principles:

> *"Nothing evolves unless it is broken, nothing endures unless it is proven, nothing is real until it is sealed."*

All changes flow through the fourfold work: **Nigredo → Albedo → Citrinitas → Rubedo**

See [RED-BOOK.md](RED-BOOK.md) for the complete operational philosophy.

---

## License

See [LICENSE](LICENSE)

---

**Version:** 2.0
**Last Updated:** December 9, 2025
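The DNS hardening baseline listed under Security Architecture (DNSSEC + CAA + SPF/DMARC), written out as an added Terraform example for one zone; this is not the repository's own `terraform/` code. It assumes Cloudflare provider v4 resource names, and `example.com`, `var.account_id` and the DMARC mailbox are constructed placeholders; DKIM is left out because its selector and public key come from the mail provider.

```hcl
# Added example, not the VaultMesh repository's own Terraform: the DNS hardening
# baseline named in the README (DNSSEC + CAA + SPF + DMARC) for one zone.
# "example.com", var.account_id and the DMARC mailbox are constructed placeholders;
# DKIM is omitted because its selector and public key come from the mail provider.
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.0" }
  }
}

variable "account_id" { type = string } # supply via TF_VAR_account_id from .env

resource "cloudflare_zone" "site" {
  account_id = var.account_id
  zone       = "example.com" # placeholder zone name
}

# DNSSEC: the zone is signed, so validating resolvers reject forged answers.
resource "cloudflare_zone_dnssec" "site" {
  zone_id = cloudflare_zone.site.id
}

# CAA: only the named CA may issue certificates for this zone and its subdomains.
resource "cloudflare_record" "caa_issue" {
  zone_id = cloudflare_zone.site.id
  name    = "@"
  type    = "CAA"
  data {
    flags = 0
    tag   = "issue"
    value = "letsencrypt.org" # placeholder CA; list every CA you actually use
  }
}

# SPF: "-all" with no mechanisms declares that this zone sends no mail; add
# "include:" mechanisms for real senders before applying this to a mail domain.
resource "cloudflare_record" "spf" {
  zone_id = cloudflare_zone.site.id
  name    = "@"
  type    = "TXT"
  value   = "v=spf1 -all"
}

# DMARC: reject unaligned mail and send aggregate reports to the placeholder mailbox.
resource "cloudflare_record" "dmarc" {
  zone_id = cloudflare_zone.site.id
  name    = "_dmarc"
  type    = "TXT"
  value   = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
}
```

After `terraform apply`, `dig +dnssec example.com SOA` should return an RRSIG and `dig example.com CAA` the single `issue` record; any extra CAA or TXT answer is drift worth a receipt.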