{
  "metadata": {
    "generated_at": "2025-12-18T02:38:01.740122+00:00",
    "version": "1.0.1",
    "scope": "Cloudflare Control Plane"
  },
  "mcp_servers": {
    "cloudflare_safe": {
      "module": "cloudflare.mcp.cloudflare_safe",
      "entrypoint": "cloudflare.mcp.cloudflare_safe",
      "purpose": "Secure Cloudflare API operations",
      "tools": [
        "cf_snapshot (read/write token required)",
        "cf_refresh (write token required)",
        "cf_config_diff (read; requires snapshot_id)",
        "cf_export_config (read)",
        "cf_tunnel_status (read)",
        "cf_tunnel_ingress_summary (read)",
        "cf_access_policy_list (read)"
      ],
      "auth_env": [
        "CLOUDFLARE_API_TOKEN",
        "CLOUDFLARE_ACCOUNT_ID"
      ],
      "side_effects": "read-only unless token present; cf_refresh/cf_snapshot are mutating",
      "outputs": [
        "json",
        "terraform_hcl"
      ],
      "capabilities": [
        "dns_record_management",
        "waf_rule_configuration",
        "tunnel_health_monitoring",
        "zone_analytics_query",
        "terraform_state_synchronization"
      ],
      "security": {
        "token_redaction": true,
        "error_handling": true,
        "rate_limiting": true
      }
    },
    "waf_intelligence": {
      "module": "cloudflare.mcp.waf_intelligence",
      "entrypoint": "cloudflare.mcp.waf_intelligence.mcp_server",
      "purpose": "WAF rule analysis and synthesis",
      "tools": [
        "waf_capabilities (read)",
        "waf_analyze (read)",
        "waf_assess (read)",
        "waf_generate_gitops_proposals (propose)"
      ],
      "auth_env": [],
      "side_effects": "propose-only; generates GitOps proposals",
      "outputs": [
        "json",
        "terraform_hcl",
        "gitops_mr"
      ],
      "capabilities": [
        "waf_config_analysis",
        "threat_intelligence_integration",
        "compliance_mapping",
        "rule_gap_identification",
        "terraform_ready_rule_generation"
      ],
      "intelligence": {
        "ml_classification": true,
        "threat_intel": true,
        "compliance_frameworks": [
          "PCI-DSS 6.6",
          "OWASP-ASVS 13"
        ]
      }
    },
    "oracle_answer": {
      "module": "cloudflare.mcp.oracle_answer",
      "entrypoint": "cloudflare.mcp.oracle_answer",
      "purpose": "Security decision support",
      "tools": [
        "oracle_answer (read)"
      ],
      "auth_env": [],
      "side_effects": "read-only; security classification only",
      "outputs": [
        "json",
        "security_classification"
      ],
      "capabilities": [
        "security_classification",
        "routing_decision_support",
        "threat_assessment",
        "pre_execution_screening"
      ],
      "integration": {
        "layer0_framework": true,
        "shadow_classifier": true,
        "preboot_logging": true
      }
    }
  },
  "terraform_resources": {
    "dns_management": {
      "files": [
        "dns.tf"
      ],
      "resources": [
        "cloudflare_record",
        "cloudflare_zone"
      ],
      "capabilities": [
        "automated_dns_provisioning",
        "spf_dmarc_mx_configuration",
        "tunnel_based_routing",
        "proxied_record_management"
      ]
    },
    "waf_security": {
      "files": [
        "waf.tf"
      ],
      "resources": [
        "cloudflare_ruleset",
        "cloudflare_bot_management"
      ],
      "capabilities": [
        "custom_waf_rules",
        "managed_ruleset_integration",
        "bot_management",
        "rate_limiting",
        "country_blocking"
      ]
    },
    "tunnel_infrastructure": {
      "files": [
        "tunnels.tf"
      ],
      "resources": [
        "cloudflare_tunnel",
        "cloudflare_tunnel_config"
      ],
      "capabilities": [
        "multi_service_tunnel_routing",
        "ingress_rule_management",
        "health_monitoring",
        "credential_rotation"
      ]
    }
  },
  "gitops_tools": {
    "waf_rule_proposer": {
      "file": "gitops/waf_rule_proposer.py",
      "purpose": "Automated WAF rule generation",
      "side_effects": "creates GitLab merge requests",
      "outputs": [
        "terraform_hcl",
        "gitops_mr"
      ],
      "capabilities": [
        "threat_intel_driven_rules",
        "gitlab_ci_integration",
        "automated_mr_creation",
        "compliance_mapping"
      ]
    },
    "invariant_checker": {
      "file": "scripts/invariant_checker_py.py",
      "purpose": "Real-time state validation",
      "side_effects": "generates anomaly reports",
      "outputs": [
        "json",
        "anomaly_report"
      ],
      "capabilities": [
        "dns_integrity_checks",
        "waf_compliance_validation",
        "tunnel_health_monitoring",
        "drift_detection"
      ]
    },
    "drift_guardian": {
      "file": "scripts/drift_guardian_py.py",
      "purpose": "Automated remediation",
      "side_effects": "applies Terraform changes",
      "outputs": [
        "terraform_apply",
        "remediation_report"
      ],
      "capabilities": [
        "state_reconciliation",
        "auto_remediation",
        "ops_notification"
      ]
    }
  },
  "security_framework": {
    "layer0": {
      "components": [
        "entrypoint.py",
        "shadow_classifier.py",
        "preboot_logger.py"
      ],
      "capabilities": [
        "pre_execution_security_classification",
        "threat_assessment",
        "security_event_logging",
        "routing_decision_support"
      ],
      "classification_levels": [
        "catastrophic",
        "forbidden",
        "ambiguous",
        "blessed"
      ]
    }
  },
  "operational_tools": {
    "systemd_services": {
      "services": [
        "autonomous-remediator",
        "drift-guardian",
        "tunnel-rotation"
      ],
      "capabilities": [
        "continuous_monitoring",
        "automated_remediation",
        "scheduled_operations"
      ]
    },
    "test_suites": {
      "suites": [
        "layer0_validation",
        "mcp_integration",
        "cloudflare_safe_ingress"
      ],
      "capabilities": [
        "security_classification_testing",
        "mcp_server_validation",
        "api_integration_testing"
      ]
    }
  }
}