Cloudflare Control Plane Capability Registry v2
Generated: 2025-12-18T02:38:01.740122+00:00
Version: 1.0.1
MCP Servers
cloudflare_safe
Module: cloudflare.mcp.cloudflare_safe
Entrypoint: cloudflare.mcp.cloudflare_safe
Purpose: Secure Cloudflare API operations
Tools:
- cf_snapshot (read/write token required)
- cf_refresh (write token required)
- cf_config_diff (read; requires snapshot_id)
- cf_export_config (read)
- cf_tunnel_status (read)
- cf_tunnel_ingress_summary (read)
- cf_access_policy_list (read)
Auth/Env: CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID
Side Effects: read-only unless token present; cf_refresh/cf_snapshot are mutating
Outputs: json, terraform_hcl
Capabilities:
- dns_record_management
- waf_rule_configuration
- tunnel_health_monitoring
- zone_analytics_query
- terraform_state_synchronization
waf_intelligence
Module: cloudflare.mcp.waf_intelligence
Entrypoint: cloudflare.mcp.waf_intelligence.mcp_server
Purpose: WAF rule analysis and synthesis
Tools:
- waf_capabilities (read)
- waf_analyze (read)
- waf_assess (read)
- waf_generate_gitops_proposals (propose)
Auth/Env:
Side Effects: propose-only; generates GitOps proposals
Outputs: json, terraform_hcl, gitops_mr
Capabilities:
- waf_config_analysis
- threat_intelligence_integration
- compliance_mapping
- rule_gap_identification
- terraform_ready_rule_generation
oracle_answer
Module: cloudflare.mcp.oracle_answer
Entrypoint: cloudflare.mcp.oracle_answer
Purpose: Security decision support
Tools:
- oracle_answer (read)
Auth/Env:
Side Effects: read-only; security classification only
Outputs: json, security_classification
Capabilities:
- security_classification
- routing_decision_support
- threat_assessment
- pre_execution_screening
Terraform Resources
dns_management
Files: dns.tf
Capabilities:
- automated_dns_provisioning
- spf_dmarc_mx_configuration
- tunnel_based_routing
- proxied_record_management
waf_security
Files: waf.tf
Capabilities:
- custom_waf_rules
- managed_ruleset_integration
- bot_management
- rate_limiting
- country_blocking
tunnel_infrastructure
Files: tunnels.tf
Capabilities:
- multi_service_tunnel_routing
- ingress_rule_management
- health_monitoring
- credential_rotation
GitOps Tools
waf_rule_proposer
File: gitops/waf_rule_proposer.py
Purpose: Automated WAF rule generation
Side Effects: creates GitLab merge requests
Outputs: terraform_hcl, gitops_mr
Capabilities:
- threat_intel_driven_rules
- gitlab_ci_integration
- automated_mr_creation
- compliance_mapping
invariant_checker
File: scripts/invariant_checker_py.py
Purpose: Real-time state validation
Side Effects: generates anomaly reports
Outputs: json, anomaly_report
Capabilities:
- dns_integrity_checks
- waf_compliance_validation
- tunnel_health_monitoring
- drift_detection
drift_guardian
File: scripts/drift_guardian_py.py
Purpose: Automated remediation
Side Effects: applies Terraform changes
Outputs: terraform_apply, remediation_report
Capabilities:
- state_reconciliation
- auto_remediation
- ops_notification
Security Framework
layer0
Components: entrypoint.py, shadow_classifier.py, preboot_logger.py
Capabilities:
- pre_execution_security_classification
- threat_assessment
- security_event_logging
- routing_decision_support
Classification Levels:
- catastrophic
- forbidden
- ambiguous
- blessed
Operational Tools
systemd_services
Services: autonomous-remediator, drift-guardian, tunnel-rotation
Capabilities:
- continuous_monitoring
- automated_remediation
- scheduled_operations
test_suites
Test Suites: layer0_validation, mcp_integration, cloudflare_safe_ingress
Capabilities:
- security_classification_testing
- mcp_server_validation
- api_integration_testing