#!/usr/bin/env python3
"""
|
|
Cloudflare Control Plane Capability Registry Generator v2
|
|
|
|
Enhanced with exact MCP tool names, entrypoints, and operational details
|
|
for audit-grade documentation and drift prevention.
|
|
"""
import json
from pathlib import Path
from datetime import datetime, timezone
# Registry structure
# Top-level skeleton. The empty section values are placeholders that
# generate_registry() overwrites with the MCP_CAPABILITIES, TERRAFORM_RESOURCES,
# GITOPS_TOOLS, SECURITY_FRAMEWORK and OPERATIONAL_TOOLS dicts defined below.
CAPABILITY_REGISTRY = {
    "metadata": {
        # NOTE: this literal is evaluated once, at import time, so it records
        # when the module was loaded rather than when a registry was generated.
        # Callers that need the real generation time must set it themselves.
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "version": "1.0.1",
        "scope": "Cloudflare Control Plane",
    },
    "mcp_servers": {},
    "terraform_resources": {},
    "gitops_tools": {},
    "security_framework": {},
    "operational_tools": {},
}
# MCP Server capabilities with exact tool names
# One entry per MCP server. Common fields:
#   module / entrypoint  - dotted module paths; the entrypoint can differ from
#                          the module (see waf_intelligence)
#   tools                - MCP tool names; the parenthesised suffix records
#                          whether the tool is read-only, mutating,
#                          proposal-only, or needs a token
#   auth_env             - names of the environment variables the server reads;
#                          only the variable names belong here, never values
#   side_effects         - free-text summary of what the server may change
#   outputs              - output formats the server can produce
#   capabilities         - descriptive tags rendered by generate_markdown_doc
# The per-server "security" / "intelligence" / "integration" sub-dicts are
# descriptive metadata only; nothing in this file enforces them, so they can
# drift from the actual server implementation.
MCP_CAPABILITIES = {
    "cloudflare_safe": {
        "module": "cloudflare.mcp.cloudflare_safe",
        "entrypoint": "cloudflare.mcp.cloudflare_safe",
        "purpose": "Secure Cloudflare API operations",
        "tools": [
            # cf_snapshot and cf_refresh are the only mutating tools listed;
            # everything else is marked read.
            "cf_snapshot (read/write token required)",
            "cf_refresh (write token required)",
            "cf_config_diff (read; requires snapshot_id)",
            "cf_export_config (read)",
            "cf_tunnel_status (read)",
            "cf_tunnel_ingress_summary (read)",
            "cf_access_policy_list (read)",
        ],
        # Variable names only: the token itself must never appear in the registry.
        "auth_env": ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"],
        "side_effects": "read-only unless token present; cf_refresh/cf_snapshot are mutating",
        "outputs": ["json", "terraform_hcl"],
        "capabilities": [
            "dns_record_management",
            "waf_rule_configuration",
            "tunnel_health_monitoring",
            "zone_analytics_query",
            "terraform_state_synchronization",
        ],
        # Declared controls, not verified here.
        "security": {
            "token_redaction": True,
            "error_handling": True,
            "rate_limiting": True,
        },
    },
    "waf_intelligence": {
        "module": "cloudflare.mcp.waf_intelligence",
        "entrypoint": "cloudflare.mcp.waf_intelligence.mcp_server",
        "purpose": "WAF rule analysis and synthesis",
        "tools": [
            "waf_capabilities (read)",
            "waf_analyze (read)",
            "waf_assess (read)",
            # "propose" = generates a GitOps proposal; it does not apply changes.
            "waf_generate_gitops_proposals (propose)",
        ],
        "auth_env": [],
        "side_effects": "propose-only; generates GitOps proposals",
        "outputs": ["json", "terraform_hcl", "gitops_mr"],
        "capabilities": [
            "waf_config_analysis",
            "threat_intelligence_integration",
            "compliance_mapping",
            "rule_gap_identification",
            "terraform_ready_rule_generation",
        ],
        "intelligence": {
            "ml_classification": True,
            "threat_intel": True,
            "compliance_frameworks": ["PCI-DSS 6.6", "OWASP-ASVS 13"],
        },
    },
    "oracle_answer": {
        "module": "cloudflare.mcp.oracle_answer",
        "entrypoint": "cloudflare.mcp.oracle_answer",
        "purpose": "Security decision support",
        "tools": ["oracle_answer (read)"],
        "auth_env": [],
        "side_effects": "read-only; security classification only",
        "outputs": ["json", "security_classification"],
        "capabilities": [
            "security_classification",
            "routing_decision_support",
            "threat_assessment",
            "pre_execution_screening",
        ],
        # Integration points with the layer0 framework described in
        # SECURITY_FRAMEWORK below.
        "integration": {
            "layer0_framework": True,
            "shadow_classifier": True,
            "preboot_logging": True,
        },
    },
}
# Terraform resources (from analysis)
# Each entry groups the .tf files and Cloudflare provider resource types that
# implement one area of the control plane, plus descriptive capability tags.
# Only "files" and "capabilities" are rendered by generate_markdown_doc; the
# "resources" list is kept for machine consumers of the JSON output.
TERRAFORM_RESOURCES = {
    "dns_management": {
        "files": ["dns.tf"],
        "resources": ["cloudflare_record", "cloudflare_zone"],
        "capabilities": [
            "automated_dns_provisioning",
            "spf_dmarc_mx_configuration",
            "tunnel_based_routing",
            "proxied_record_management",
        ],
    },
    "waf_security": {
        "files": ["waf.tf"],
        "resources": ["cloudflare_ruleset", "cloudflare_bot_management"],
        "capabilities": [
            "custom_waf_rules",
            "managed_ruleset_integration",
            "bot_management",
            "rate_limiting",
            "country_blocking",
        ],
    },
    "tunnel_infrastructure": {
        "files": ["tunnels.tf"],
        "resources": ["cloudflare_tunnel", "cloudflare_tunnel_config"],
        "capabilities": [
            "multi_service_tunnel_routing",
            "ingress_rule_management",
            "health_monitoring",
            "credential_rotation",
        ],
    },
}
# GitOps tools with operational details
# One entry per script, keyed by tool name. "side_effects" is the field a
# reviewer should read first: drift_guardian is the only tool here recorded as
# applying changes directly, the other two propose (merge request) or report.
GITOPS_TOOLS = {
    "waf_rule_proposer": {
        "file": "gitops/waf_rule_proposer.py",
        "purpose": "Automated WAF rule generation",
        # Proposal path: changes land via review, not direct apply.
        "side_effects": "creates GitLab merge requests",
        "outputs": ["terraform_hcl", "gitops_mr"],
        "capabilities": [
            "threat_intel_driven_rules",
            "gitlab_ci_integration",
            "automated_mr_creation",
            "compliance_mapping",
        ],
    },
    "invariant_checker": {
        "file": "scripts/invariant_checker_py.py",
        "purpose": "Real-time state validation",
        "side_effects": "generates anomaly reports",
        "outputs": ["json", "anomaly_report"],
        "capabilities": [
            "dns_integrity_checks",
            "waf_compliance_validation",
            "tunnel_health_monitoring",
            "drift_detection",
        ],
    },
    "drift_guardian": {
        "file": "scripts/drift_guardian_py.py",
        "purpose": "Automated remediation",
        # Mutating: this tool applies Terraform rather than proposing it.
        "side_effects": "applies Terraform changes",
        "outputs": ["terraform_apply", "remediation_report"],
        "capabilities": [
            "state_reconciliation",
            "auto_remediation",
            "ops_notification",
        ],
    },
}
# Security framework
# Components of the layer0 pre-execution screening framework and the
# classification levels recorded for it. Descriptive only: nothing in this
# file performs any classification.
SECURITY_FRAMEWORK = {
    "layer0": {
        "components": ["entrypoint.py", "shadow_classifier.py", "preboot_logger.py"],
        "capabilities": [
            "pre_execution_security_classification",
            "threat_assessment",
            "security_event_logging",
            "routing_decision_support",
        ],
        # Rendered as a bullet list in the given order by generate_markdown_doc;
        # no ordering semantics are asserted here.
        "classification_levels": ["catastrophic", "forbidden", "ambiguous", "blessed"],
    }
}
# Operational tools
# Two categories with different identifying keys: "services" (systemd units)
# and "suites" (test suites). generate_markdown_doc keys its rendering off
# whichever of those two keys is present, so a new category needs one of them.
OPERATIONAL_TOOLS = {
    "systemd_services": {
        "services": ["autonomous-remediator", "drift-guardian", "tunnel-rotation"],
        "capabilities": [
            "continuous_monitoring",
            "automated_remediation",
            "scheduled_operations",
        ],
    },
    "test_suites": {
        "suites": ["layer0_validation", "mcp_integration", "cloudflare_safe_ingress"],
        "capabilities": [
            "security_classification_testing",
            "mcp_server_validation",
            "api_integration_testing",
        ],
    },
}
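def generate_registry():
    """Assemble and return the complete capability registry.

    The module-level ``CAPABILITY_REGISTRY`` is populated in place with the
    section dicts defined above and then returned, so repeated calls return
    the same object. ``metadata.generated_at`` is refreshed on every call so
    that it records when the registry was produced rather than when this
    module was imported.

    Returns:
        The populated ``CAPABILITY_REGISTRY`` dict.
    """
    # The literal in CAPABILITY_REGISTRY is evaluated at import time; re-stamp
    # here so a long-lived process that regenerates does not emit a stale time.
    CAPABILITY_REGISTRY["metadata"]["generated_at"] = datetime.now(timezone.utc).isoformat()

    CAPABILITY_REGISTRY["mcp_servers"] = MCP_CAPABILITIES
    CAPABILITY_REGISTRY["terraform_resources"] = TERRAFORM_RESOURCES
    CAPABILITY_REGISTRY["gitops_tools"] = GITOPS_TOOLS
    CAPABILITY_REGISTRY["security_framework"] = SECURITY_FRAMEWORK
    CAPABILITY_REGISTRY["operational_tools"] = OPERATIONAL_TOOLS

    return CAPABILITY_REGISTRY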
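def save_registry_formats(output_dir="."):
    """Write the registry to disk as JSON and as Markdown.

    Args:
        output_dir: Directory the two files are written into. Defaults to the
            current working directory, matching the original behaviour; it is
            created if missing.

    Side effects:
        Creates or overwrites ``capability_registry_v2.json`` and
        ``CAPABILITY_REGISTRY_V2.md`` under *output_dir* and prints a summary.
        The registry holds environment-variable names only (see the
        ``auth_env`` lists above), so the files contain no credentials.
    """
    registry = generate_registry()
    out_dir = Path(output_dir)
    out_dir.mkdir(parents=True, exist_ok=True)

    # JSON format (machine-readable). Encoding is pinned so the output does
    # not depend on the platform's default codec.
    json_path = out_dir / "capability_registry_v2.json"
    with json_path.open("w", encoding="utf-8") as f:
        json.dump(registry, f, indent=2)

    # Markdown format (documentation)
    markdown_content = generate_markdown_doc(registry)
    (out_dir / "CAPABILITY_REGISTRY_V2.md").write_text(markdown_content, encoding="utf-8")

    print("✅ Enhanced capability registry generated:")
    print(" - capability_registry_v2.json (machine-readable)")
    print(" - CAPABILITY_REGISTRY_V2.md (documentation)")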
def generate_markdown_doc(registry: dict) -> str:
    """Render the registry as a Markdown document.

    Args:
        registry: A registry dict carrying the ``metadata``, ``mcp_servers``,
            ``terraform_resources``, ``gitops_tools``, ``security_framework``
            and ``operational_tools`` sections (the shape ``generate_registry``
            returns).

    Returns:
        The Markdown text. Every section key above must be present and each
        entry must carry the fields its section reads; a missing key raises
        ``KeyError``.
    """
    parts = []
    emit = parts.append

    def bullet_list(heading: str, items) -> None:
        # A bold heading, one "- item" line per entry, then a blank line.
        emit(f"{heading}:\n")
        emit("".join(f"- {item}\n" for item in items))
        emit("\n")

    meta = registry["metadata"]
    emit(
        "# Cloudflare Control Plane Capability Registry v2\n\n"
        f"Generated: {meta['generated_at']}\n"
        f"Version: {meta['version']}\n\n"
        "## MCP Servers\n\n"
    )

    for name, server in registry["mcp_servers"].items():
        emit(f"### {name}\n")
        emit(f"**Module**: `{server['module']}` \n")
        emit(f"**Entrypoint**: `{server['entrypoint']}` \n")
        emit(f"**Purpose**: {server['purpose']} \n\n")
        emit("**Tools**:\n")
        emit("".join(f"- {tool}\n" for tool in server["tools"]))
        # The tool list is separated from the auth line by a blank line.
        emit(f"\n**Auth/Env**: {', '.join(server['auth_env'])}\n")
        emit(f"**Side Effects**: {server['side_effects']}\n")
        emit(f"**Outputs**: {', '.join(server['outputs'])}\n\n")
        bullet_list("**Capabilities**", server["capabilities"])

    emit("## Terraform Resources\n\n")
    for name, resource in registry["terraform_resources"].items():
        emit(f"### {name}\n")
        emit(f"**Files**: {', '.join(resource['files'])} \n\n")
        bullet_list("**Capabilities**", resource["capabilities"])

    emit("## GitOps Tools\n\n")
    for name, tool in registry["gitops_tools"].items():
        emit(f"### {name}\n")
        emit(f"**File**: {tool['file']} \n")
        emit(f"**Purpose**: {tool['purpose']} \n")
        emit(f"**Side Effects**: {tool['side_effects']} \n")
        emit(f"**Outputs**: {', '.join(tool['outputs'])} \n\n")
        bullet_list("**Capabilities**", tool["capabilities"])

    emit("## Security Framework\n\n")
    for name, framework in registry["security_framework"].items():
        emit(f"### {name}\n")
        emit(f"**Components**: {', '.join(framework['components'])} \n\n")
        bullet_list("**Capabilities**", framework["capabilities"])
        bullet_list("**Classification Levels**", framework["classification_levels"])

    emit("## Operational Tools\n\n")
    for category, tool in registry["operational_tools"].items():
        emit(f"### {category}\n")
        # A category is identified by whichever of these two keys it carries.
        if "services" in tool:
            emit(f"**Services**: {', '.join(tool['services'])} \n\n")
        elif "suites" in tool:
            emit(f"**Test Suites**: {', '.join(tool['suites'])} \n\n")
        bullet_list("**Capabilities**", tool["capabilities"])

    return "".join(parts)
if __name__ == "__main__":
|
|
save_registry_formats()