vm-cloudflare/IDE_OPERATOR_RULES.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00


description: CLOUDFLARE OPERATOR RULES: Load this file for ANY Cloudflare-related operations including DNS, WAF, Tunnels, Zero Trust, Terraform IaC, or security configurations. This provides operator doctrine for Cloudflare infrastructure management. MUST be read when user mentions: Cloudflare, WAF, DNS records, Tunnels, Zero Trust, Workers, or any Cloudflare-specific patterns.

IDE Operator Rules — Cloudflare Security Mesh

Control Surface: This file can be seeded into VS Code extension folders to provide policy-aware guidance for AI assistants and code generation.


Core Principles

  1. Security-First Infrastructure

    • All Cloudflare resources must be defined in Terraform
    • Never hardcode API tokens or secrets in code
    • WAF rules must have documented justification
  2. GitOps Workflow

    • No manual changes via Cloudflare dashboard
    • All changes flow through: PR → Review → Merge → Apply
    • Drift triggers automatic remediation PRs
  3. Zero Trust by Default

    • Assume all traffic is hostile until verified
    • Access policies must enforce MFA where possible
    • Tunnel configurations require explicit allow-lists

Terraform Guardrails

DNS Records

# ✅ ALWAYS include TTL and proxied status explicitly
resource "cloudflare_record" "example" {
  zone_id = var.zone_id
  name    = "api"
  type    = "A"
  value   = "192.0.2.1"
  ttl     = 1        # Explicit TTL; the provider requires 1 (automatic) when proxied = true
  proxied = true     # Explicit proxy status
}

# ❌ NEVER create unproxied A/AAAA records for sensitive services
# ❌ NEVER use TTL < 60 for production DNS (ttl = 1 means "automatic", not one second)

WAF Rules

# ✅ ALWAYS include description and tags
resource "cloudflare_ruleset" "waf_custom" {
  zone_id     = var.zone_id
  name        = "Custom WAF Rules"
  description = "Phase 7 WAF Intelligence generated rules"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    action      = "block"
    expression  = "(ip.src in $threat_intel_ips)"
    description = "Block threat intel IPs - auto-generated"
    enabled     = true
  }
}

# ❌ NEVER disable managed rulesets without documented exception
# ❌ NEVER use action = "allow" for external IPs without review
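
The DNS and WAF guardrails above can be checked mechanically on the JSON form of a plan (`terraform show -json`) before a PR is merged. The Python below is an added example, not code from this repository. Assumptions: the sample plan and its resource addresses are constructed, every unproxied A/AAAA record is flagged because the plan carries no notion of "sensitive", and `skip` is treated like `allow`.

```python
# Constructed sample shaped like `terraform show -json` output; addresses are hypothetical.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "cloudflare_record.api", "type": "cloudflare_record",
     "change": {"after": {"type": "A", "ttl": 1, "proxied": True}}},
    {"address": "cloudflare_record.legacy", "type": "cloudflare_record",
     "change": {"after": {"type": "A", "ttl": 30, "proxied": False}}},
    {"address": "cloudflare_ruleset.waf_custom", "type": "cloudflare_ruleset",
     "change": {"after": {"rules": [
         {"action": "block", "description": "Block threat intel IPs"},
         {"action": "allow", "description": ""}]}}},
    {"address": "cloudflare_record.old", "type": "cloudflare_record",
     "change": {"actions": ["delete"], "after": None}},
]}

def check_record(addr, after):
    out = []
    if after.get("type") in ("A", "AAAA") and after.get("proxied") is not True:
        out.append((addr, "unproxied A/AAAA record"))
    ttl = after.get("ttl")
    if ttl is None:
        out.append((addr, "TTL not set explicitly"))
    elif ttl != 1 and ttl < 60:  # ttl 1 is Cloudflare's "automatic" value
        out.append((addr, f"TTL {ttl} below 60"))
    return out

def check_ruleset(addr, after):
    out = []
    for i, rule in enumerate(after.get("rules") or []):
        where = f"{addr}.rules[{i}]"
        if not (rule.get("description") or "").strip():
            out.append((where, "rule has no description"))
        if rule.get("action") in ("allow", "skip"):  # "skip" treated as allow-type (assumption)
            out.append((where, f"action '{rule['action']}' needs review"))
    return out
CHECKS = {"cloudflare_record": check_record, "cloudflare_ruleset": check_ruleset}

def lint_plan(plan):
    """Return (address, message) findings for resources that exist after the plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        check = CHECKS.get(rc.get("type"))
        if check and after is not None:  # "after" is null when a resource is deleted
            findings.extend(check(rc["address"], after))
    return findings

if __name__ == "__main__":
    for where, msg in lint_plan(SAMPLE_PLAN):
        print(f"{where}: {msg}")
```

A non-empty result from `lint_plan` can fail the PR check, which keeps the guardrails enforced at review time rather than after apply.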

Tunnels

# ✅ ALWAYS rotate tunnel secrets on schedule
# ✅ ALWAYS use ingress rules with explicit hostnames

# ❌ NEVER expose internal services without Access policies
# ❌ NEVER use catch-all ingress rules in production

Access Policies

# ✅ ALWAYS require MFA for admin applications
# ✅ ALWAYS set session duration explicitly

# ❌ NEVER use "everyone" include without additional restrictions
# ❌ NEVER bypass Access for internal tools

WAF Intelligence Integration

Using the Analyzer

# Analyze WAF configuration
python -m mcp.waf_intelligence.orchestrator analyze terraform/waf.tf

# Full threat assessment
python -m mcp.waf_intelligence.orchestrator assess --include-threat-intel

# Generate rule proposals
python -m mcp.waf_intelligence.orchestrator propose --max-rules 5

Threat Classification

The ML classifier detects:

  • sqli — SQL injection patterns
  • xss — Cross-site scripting
  • rce — Remote code execution
  • path_traversal — Directory traversal
  • scanner — Automated scanning tools

Auto-Deploy Criteria

Rules may be auto-deployed when:

  • Confidence ≥ 85%
  • Severity is critical or high
  • Pattern matches known attack signature
  • No existing rule covers the threat

GitOps Workflow Rules

PR Requirements

Risk Level | Approvals | Auto-Merge
Low        | 1         | Allowed
Medium     | 1         | Manual
High       | 2         | Manual
Critical   | 2         | Never

Drift Remediation

  • DNS drift → Auto-PR with drift/remediation-* branch
  • WAF drift → Security team review required
  • Tunnel drift → Infra team review required

Compliance Flags

Changes affecting these frameworks trigger warnings:

  • SOC2 — SSL settings, WAF deletions
  • PCI-DSS — TLS version, WAF modifications
  • HIPAA — Access policy deletions, encryption settings

Agent Instructions

When working with this Cloudflare infrastructure:

  1. Always check WAF impact before proposing changes
  2. Prefer Terraform patterns over ad-hoc API calls
  3. Use WAF Intelligence CLI for security analysis before generating rules
  4. Propose GitOps-style patches, not manual edits
  5. Never assume external APIs; prefer local, deterministic tools
  6. Reference compliance frameworks when implementing security features

Tool Availability

  • filesystem — Explore project structure
  • git — Track and review changes
  • waf_intel — Analyze WAF configurations
  • terraform — Plan and validate infrastructure

Quick Reference

Risk Classification

High Risk:    DNS, WAF, Tunnels, Access, Certificates
Medium Risk:  Performance, Workers, Page Rules
Low Risk:     Logging, Notifications, API Tokens

Emergency Procedures

  • DNS Compromise: See playbooks/DNS-COMPROMISE-PLAYBOOK.md
  • WAF Incident: See playbooks/waf_incident_playbook.md
  • Tunnel Rotation: See playbooks/TUNNEL-ROTATION-PROTOCOL.md

Last Updated: 2025-12-09
Phase: 7 (WAF Intelligence)
Seeded By: scripts/seed_ide_rules.py