vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f0b8d962de8f3d8a98b33d43419fa3bcb53eee58
vm-cloudflare/IDE_OPERATOR_RULES.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

183 lines
5.3 KiB
Markdown
Raw Blame History

---
description: **CLOUDFLARE OPERATOR RULES**: Load this file for ANY Cloudflare-related operations including DNS, WAF, Tunnels, Zero Trust, Terraform IaC, or security configurations. This provides operator doctrine for Cloudflare infrastructure management. **MUST** be read when user mentions: Cloudflare, WAF, DNS records, Tunnels, Zero Trust, Workers, or any Cloudflare-specific patterns.
---
# IDE Operator Rules — Cloudflare Security Mesh
> **Control Surface:** This file can be seeded into VS Code extension folders to provide
> policy-aware guidance for AI assistants and code generation.
---
## Core Principles
1. **Security-First Infrastructure**
- All Cloudflare resources must be defined in Terraform
- Never hardcode API tokens or secrets in code
- WAF rules must have documented justification
2. **GitOps Workflow**
- No manual changes via Cloudflare dashboard
- All changes flow through: PR → Review → Merge → Apply
- Drift triggers automatic remediation PRs
3. **Zero Trust by Default**
- Assume all traffic is hostile until verified
- Access policies must enforce MFA where possible
- Tunnel configurations require explicit allow-lists
---
## Terraform Guardrails
### DNS Records
```hcl
# ✅ ALWAYS include TTL and proxied status explicitly
resource "cloudflare_record" "example" {
zone_id = var.zone_id
name = "api"
type = "A"
value = "192.0.2.1"
ttl = 300 # Explicit TTL
proxied = true # Explicit proxy status
}
# ❌ NEVER create unproxied A/AAAA records for sensitive services
# ❌ NEVER use TTL < 60 for production DNS
```
### WAF Rules
```hcl
# ✅ ALWAYS include description and tags
resource "cloudflare_ruleset" "waf_custom" {
zone_id = var.zone_id
name = "Custom WAF Rules"
description = "Phase 7 WAF Intelligence generated rules"
kind = "zone"
phase = "http_request_firewall_custom"
rules {
action = "block"
expression = "(ip.src in $threat_intel_ips)"
description = "Block threat intel IPs - auto-generated"
enabled = true
}
}
# ❌ NEVER disable managed rulesets without documented exception
# ❌ NEVER use action = "allow" for external IPs without review
```
### Tunnels
```hcl
# ✅ ALWAYS rotate tunnel secrets on schedule
# ✅ ALWAYS use ingress rules with explicit hostnames
# ❌ NEVER expose internal services without Access policies
# ❌ NEVER use catch-all ingress rules in production
```
### Access Policies
```hcl
# ✅ ALWAYS require MFA for admin applications
# ✅ ALWAYS set session duration explicitly
# ❌ NEVER use "everyone" include without additional restrictions
# ❌ NEVER bypass Access for internal tools
```
---
## WAF Intelligence Integration
### Using the Analyzer
```bash
# Analyze WAF configuration
python -m mcp.waf_intelligence.orchestrator analyze terraform/waf.tf
# Full threat assessment
python -m mcp.waf_intelligence.orchestrator assess --include-threat-intel
# Generate rule proposals
python -m mcp.waf_intelligence.orchestrator propose --max-rules 5
```
### Threat Classification
The ML classifier detects:
- `sqli` — SQL injection patterns
- `xss` — Cross-site scripting
- `rce` — Remote code execution
- `path_traversal` — Directory traversal
- `scanner` — Automated scanning tools
### Auto-Deploy Criteria
Rules may be auto-deployed when:
- Confidence ≥ 85%
- Severity is `critical` or `high`
- Pattern matches known attack signature
- No existing rule covers the threat
---
## GitOps Workflow Rules
### PR Requirements
| Risk Level | Approvals | Auto-Merge |
|------------|-----------|------------|
| Low | 1 | Allowed |
| Medium | 1 | Manual |
| High | 2 | Manual |
| Critical | 2 | Never |
### Drift Remediation
- DNS drift → Auto-PR with `drift/remediation-*` branch
- WAF drift → Security team review required
- Tunnel drift → Infra team review required
### Compliance Flags
Changes affecting these frameworks trigger warnings:
- **SOC2** — SSL settings, WAF deletions
- **PCI-DSS** — TLS version, WAF modifications
- **HIPAA** — Access policy deletions, encryption settings
---
## Agent Instructions
When working with this Cloudflare infrastructure:
1. **Always check WAF impact** before proposing changes
2. **Prefer Terraform patterns** over ad-hoc API calls
3. **Use WAF Intelligence CLI** for security analysis before generating rules
4. **Propose GitOps-style patches**, not manual edits
5. **Never assume external APIs**; prefer local, deterministic tools
6. **Reference compliance frameworks** when implementing security features
### Tool Availability
- `filesystem` — Explore project structure
- `git` — Track and review changes
- `waf_intel` — Analyze WAF configurations
- `terraform` — Plan and validate infrastructure
---
## Quick Reference
### Risk Classification
```
High Risk: DNS, WAF, Tunnels, Access, Certificates
Medium Risk: Performance, Workers, Page Rules
Low Risk: Logging, Notifications, API Tokens
```
### Emergency Procedures
- DNS Compromise: See `playbooks/DNS-COMPROMISE-PLAYBOOK.md`
- WAF Incident: See `playbooks/waf_incident_playbook.md`
- Tunnel Rotation: See `playbooks/TUNNEL-ROTATION-PROTOCOL.md`
---
**Last Updated:** 2025-12-09
**Phase:** 7 (WAF Intelligence)
**Seeded By:** `scripts/seed_ide_rules.py`
Reference in New Issue View Git Blame Copy Permalink