Cloudflare Adapter
What it does
Govern DNS, Workers, and firewall intent paths through one policy/evidence workflow.
How it works
1. Validate intent
The adapter checks structure only (required fields, types, unknown fields). It does not run policy logic.
2. Normalize action
The intent is mapped to a generic NormalizedAction with action type DEPLOY / CONFIG_CHANGE.
3. Evaluate policy
The Governor evaluates policy centrally with fail-closed semantics. Any uncertainty returns deny.
4. Build plan + execute
The execution plan is descriptive. The default path is a dry run that returns the planned external calls.
5. Emit evidence
The decision output includes a deterministic evidence packet and a stable evidence hash.
Why this is useful
Use it for
Edge and DNS change control
cloudflare
DEPLOY / CONFIG_CHANGE
Example intent
{
  "action": "dns_change",
  "zone": "example.com",
  "record_type": "A",
  "name": "api",
  "value": "203.0.113.10",
  "requested_by": "netops-bot"
}
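The five steps under "How it works", applied to the example intent, as an added sketch that is not the product's own code. The field types, the allowlist policy, the dns_change to CONFIG_CHANGE mapping, the planned-call label and the SHA-256 canonical-JSON hash are all assumptions made for illustration.

```python
import hashlib
import json

# Field names come from the page's example intent; the types are an assumption.
FIELDS = {k: str for k in ("action", "zone", "record_type", "name", "value", "requested_by")}
# Hypothetical allowlist policy standing in for the central Governor's rules.
POLICY = {"allowed_zones": {"example.com"}, "allowed_requesters": {"netops-bot"}}

def validate(intent):
    """Step 1: structure only (required fields, types, unknown fields)."""
    if not isinstance(intent, dict):
        return ["intent must be an object"]
    errors = [f"missing:{k}" for k in FIELDS if k not in intent]
    errors += [f"type:{k}" for k, t in FIELDS.items() if k in intent and not isinstance(intent[k], t)]
    errors += [f"unknown:{k}" for k in intent if k not in FIELDS]
    return sorted(errors)

def normalize(intent):
    """Step 2: map to a generic action (dns_change -> CONFIG_CHANGE is assumed)."""
    return {"adapter": "cloudflare", "action_type": "CONFIG_CHANGE",
            "target": f'{intent["name"]}.{intent["zone"]}', "params": dict(intent)}

def evaluate(action, policy):
    """Step 3: fail closed. Any error while evaluating is treated as deny."""
    try:
        p = action["params"]
        ok = p["zone"] in policy["allowed_zones"] and p["requested_by"] in policy["allowed_requesters"]
        return ("allow", "allowlist_match") if ok else ("deny", "not_allowlisted")
    except Exception as exc:
        return ("deny", f"uncertain:{type(exc).__name__}")

def govern(intent, policy=POLICY):
    """Steps 1-5: returns the decision, a dry-run plan and an evidence hash."""
    errors = validate(intent)
    decision, reason, plan = "deny", "invalid_intent", []
    if not errors:
        action = normalize(intent)
        decision, reason = evaluate(action, policy)
        if decision == "allow":
            # Step 4: descriptive plan only; "dns_record_upsert" is a made-up label.
            plan = [{"dry_run": True, "call": "dns_record_upsert", "target": action["target"]}]
    # Step 5: no timestamps or random ids, sorted keys, so equal inputs hash equally.
    packet = {"intent": intent, "errors": errors, "decision": decision, "reason": reason, "plan": plan}
    canonical = json.dumps(packet, sort_keys=True, separators=(",", ":"), default=str)
    return {**packet, "evidence_hash": hashlib.sha256(canonical.encode()).hexdigest()}
```

Because the packet is serialized canonically, an auditor can recompute the hash from an exported packet and compare it with the recorded value.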
Where to monitor
Integration Runtime View
Adapter health, evaluation outcomes, and dry-run execution traces.
Incidents + Deny Analysis
Investigate denied actions and policy matches with evidence references.
Evidence Docs
Validate evidence hashes and export packets for audits.
Policy Docs
Define allowlists, thresholds, manual gates, and environment controls.
