vm-cloudflare/CAPABILITY_REGISTRY_V2.md
Vault Sovereign f0b8d962de
chore: pre-migration snapshot
Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00
# Cloudflare Control Plane Capability Registry v2

Generated: 2025-12-18T02:38:01.740122+00:00
Version: 1.0.1

## MCP Servers

### cloudflare_safe

**Module**: `cloudflare.mcp.cloudflare_safe`
**Entrypoint**: `cloudflare.mcp.cloudflare_safe`
**Purpose**: Secure Cloudflare API operations

**Tools**:

- cf_snapshot (read/write token required)
- cf_refresh (write token required)
- cf_config_diff (read; requires snapshot_id)
- cf_export_config (read)
- cf_tunnel_status (read)
- cf_tunnel_ingress_summary (read)
- cf_access_policy_list (read)

**Auth/Env**: CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID
**Side Effects**: read-only unless token present; cf_refresh/cf_snapshot are mutating
**Outputs**: json, terraform_hcl

**Capabilities**:

- dns_record_management
- waf_rule_configuration
- tunnel_health_monitoring
- zone_analytics_query
- terraform_state_synchronization

### waf_intelligence

**Module**: `cloudflare.mcp.waf_intelligence`
**Entrypoint**: `cloudflare.mcp.waf_intelligence.mcp_server`
**Purpose**: WAF rule analysis and synthesis

**Tools**:

- waf_capabilities (read)
- waf_analyze (read)
- waf_assess (read)
- waf_generate_gitops_proposals (propose)

**Auth/Env**:
**Side Effects**: propose-only; generates GitOps proposals
**Outputs**: json, terraform_hcl, gitops_mr

**Capabilities**:

- waf_config_analysis
- threat_intelligence_integration
- compliance_mapping
- rule_gap_identification
- terraform_ready_rule_generation

### oracle_answer

**Module**: `cloudflare.mcp.oracle_answer`
**Entrypoint**: `cloudflare.mcp.oracle_answer`
**Purpose**: Security decision support

**Tools**:

- oracle_answer (read)

**Auth/Env**:
**Side Effects**: read-only; security classification only
**Outputs**: json, security_classification

**Capabilities**:

- security_classification
- routing_decision_support
- threat_assessment
- pre_execution_screening

## Terraform Resources

### dns_management

**Files**: dns.tf

**Capabilities**:

- automated_dns_provisioning
- spf_dmarc_mx_configuration
- tunnel_based_routing
- proxied_record_management

### waf_security

**Files**: waf.tf

**Capabilities**:

- custom_waf_rules
- managed_ruleset_integration
- bot_management
- rate_limiting
- country_blocking

### tunnel_infrastructure

**Files**: tunnels.tf

**Capabilities**:

- multi_service_tunnel_routing
- ingress_rule_management
- health_monitoring
- credential_rotation

## GitOps Tools

### waf_rule_proposer

**File**: gitops/waf_rule_proposer.py
**Purpose**: Automated WAF rule generation
**Side Effects**: creates GitLab merge requests
**Outputs**: terraform_hcl, gitops_mr

**Capabilities**:

- threat_intel_driven_rules
- gitlab_ci_integration
- automated_mr_creation
- compliance_mapping

### invariant_checker

**File**: scripts/invariant_checker_py.py
**Purpose**: Real-time state validation
**Side Effects**: generates anomaly reports
**Outputs**: json, anomaly_report

**Capabilities**:

- dns_integrity_checks
- waf_compliance_validation
- tunnel_health_monitoring
- drift_detection

### drift_guardian

**File**: scripts/drift_guardian_py.py
**Purpose**: Automated remediation
**Side Effects**: applies Terraform changes
**Outputs**: terraform_apply, remediation_report

**Capabilities**:

- state_reconciliation
- auto_remediation
- ops_notification

## Security Framework

### layer0

**Components**: entrypoint.py, shadow_classifier.py, preboot_logger.py

**Capabilities**:

- pre_execution_security_classification
- threat_assessment
- security_event_logging
- routing_decision_support

**Classification Levels**:

- catastrophic
- forbidden
- ambiguous
- blessed

## Operational Tools

### systemd_services

**Services**: autonomous-remediator, drift-guardian, tunnel-rotation

**Capabilities**:

- continuous_monitoring
- automated_remediation
- scheduled_operations

### test_suites

**Test Suites**: layer0_validation, mcp_integration, cloudflare_safe_ingress

**Capabilities**:

- security_classification_testing
- mcp_server_validation
- api_integration_testing