Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements

docs/configs/cloudflare/README.md

@@ -0,0 +1,190 @@
+# Cloudflare Tunnel Configuration Guide
+
+## Overview
+This guide covers configuring the Cloudflare Tunnel VM for SMOM-DBIS-138 deployment to provide secure public access.
+
+## Prerequisites
+- Cloudflare Tunnel VM deployed and running
+- SSH access to the VM
+- Cloudflare account with Zero Trust enabled
+- Domain configured in Cloudflare
+
+## Quick Start
+
+### 1. Get VM IP Address
+```bash
+kubectl get proxmoxvm cloudflare-tunnel-vm -n default -o jsonpath='{.status.ipAddress}'
+```
+
+### 2. Create Tunnel in Cloudflare
+
+#### Option A: Via Cloudflare Dashboard
+1. Go to Zero Trust → Networks → Tunnels
+2. Click "Create a tunnel"
+3. Select "Cloudflared"
+4. Name it: `smom-dbis-138-tunnel`
+5. Copy the tunnel token
+
+#### Option B: Via API
+```bash
+./scripts/configure-cloudflare.sh
+```
+
+### 3. SSH into the VM
+```bash
+ssh admin@<vm-ip-address>
+```
+
+### 4. Configure Tunnel Credentials
+```bash
+# Create credentials file
+sudo mkdir -p /etc/cloudflared
+sudo nano /etc/cloudflared/tunnel-credentials.json
+```
+
+Paste the tunnel credentials JSON:
+```json
+{
+  "AccountTag": "your-account-tag",
+  "TunnelSecret": "your-tunnel-secret",
+  "TunnelID": "your-tunnel-id",
+  "TunnelName": "smom-dbis-138-tunnel"
+}
+```
+
+### 5. Configure Tunnel
+```bash
+# Copy configuration template
+sudo cp /path/to/tunnel-config.yaml /etc/cloudflared/config.yaml
+
+# Edit configuration
+sudo nano /etc/cloudflared/config.yaml
+```
+
+### 6. Start Tunnel Service
+```bash
+# Start service
+sudo systemctl start cloudflared
+
+# Enable auto-start
+sudo systemctl enable cloudflared
+
+# Check status
+sudo systemctl status cloudflared
+```
+
+## Configuration Details
+
+### Tunnel Credentials
+Location: `/etc/cloudflared/tunnel-credentials.json`
+
+Contains:
+- AccountTag: Your Cloudflare account ID
+- TunnelSecret: Secret key for the tunnel
+- TunnelID: Unique tunnel identifier
+- TunnelName: Human-readable tunnel name
+
+### Tunnel Configuration
+Location: `/etc/cloudflared/config.yaml`
+
+Key sections:
+- `tunnel`: Tunnel name (must match credentials)
+- `credentials-file`: Path to credentials JSON
+- `ingress`: Routing rules for services
+- `metrics`: Prometheus metrics endpoint
+- `health-probe`: Health check configuration
+
+## Ingress Rules
+
+### Pattern
+```yaml
+ingress:
+  - hostname: service.example.com
+    service: http://backend-service:port
+    originRequest:
+      connectTimeout: 30s
+      tcpKeepAlive: 30s
+```
+
+### Important Notes
+- Rules are evaluated in order (first match wins)
+- Catch-all rule (`http_status:404`) must be last
+- Use internal hostnames or IPs for backend services
+
+## DNS Configuration
+
+For each hostname in ingress rules, create a CNAME record:
+```
+Type: CNAME
+Name: smom-api
+Content: <tunnel-id>.cfargotunnel.com
+Proxy: Enabled (orange cloud)
+```
+
+Or use Cloudflare API:
+```bash
+curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
+  -H "Authorization: Bearer {api_token}" \
+  -H "Content-Type: application/json" \
+  --data '{
+    "type": "CNAME",
+    "name": "smom-api",
+    "content": "<tunnel-id>.cfargotunnel.com",
+    "proxied": true
+  }'
+```
+
+## Monitoring
+
+### Check Tunnel Status
+```bash
+sudo systemctl status cloudflared
+```
+
+### View Logs
+```bash
+sudo tail -f /var/log/cloudflared/tunnel.log
+```
+
+### Metrics Endpoint
+```bash
+curl http://localhost:9090/metrics
+```
+
+## Troubleshooting
+
+### Tunnel Not Connecting
+1. Verify credentials file is correct
+2. Check tunnel is created in Cloudflare dashboard
+3. Verify DNS records point to tunnel
+4. Check firewall allows outbound HTTPS (443)
+
+### Service Not Accessible
+1. Verify ingress rule matches hostname
+2. Check backend service is running
+3. Verify internal network connectivity
+4. Check tunnel logs for errors
+
+### Test Connection
+```bash
+# Test from Cloudflare Tunnel VM
+curl http://backend-service:port
+
+# Test from external
+curl https://your-domain.com
+```
+
+## Security Best Practices
+
+1. **Rotate Tunnel Secrets**: Regularly rotate tunnel credentials
+2. **Use Access Policies**: Configure Cloudflare Access for authentication
+3. **Monitor Logs**: Review tunnel logs for suspicious activity
+4. **Limit Ingress Rules**: Only expose necessary services
+5. **Use Private Networks**: Keep backend services on private networks
+
+## Next Steps
+1. Configure Cloudflare Access policies
+2. Set up monitoring and alerting
+3. Configure rate limiting
+4. Set up backup tunnel for redundancy
+

docs/configs/cloudflare/tunnel-config.yaml

@@ -0,0 +1,83 @@
+# Cloudflare Tunnel Configuration for SMOM-DBIS-138
+# Place this file at: /etc/cloudflared/config.yaml
+
+tunnel: smom-dbis-138-tunnel
+credentials-file: /etc/cloudflared/tunnel-credentials.json
+
+ingress:
+  # Nginx Proxy (main entry point)
+  - hostname: nginx-proxy.sankofa.nexus
+    service: http://nginx-proxy-vm:80
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+      tcpKeepAlive: 30s
+      keepAliveConnections: 100
+      keepAliveTimeout: 90s
+
+  # SMOM-DBIS-138 API Services
+  - hostname: smom-api.sankofa.nexus
+    service: http://smom-services:8080
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+      tcpKeepAlive: 30s
+
+  # Blockscout Explorer
+  - hostname: smom-blockscout.sankofa.nexus
+    service: http://smom-blockscout:4000
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+
+  # Monitoring Dashboard
+  - hostname: smom-monitoring.sankofa.nexus
+    service: http://smom-monitoring:3000
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+
+  # RPC Node 1
+  - hostname: smom-rpc-01.sankofa.nexus
+    service: http://smom-rpc-node-01:8545
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+
+  # RPC Node 2
+  - hostname: smom-rpc-02.sankofa.nexus
+    service: http://smom-rpc-node-02:8545
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+
+  # RPC Node 3
+  - hostname: smom-rpc-03.sankofa.nexus
+    service: http://smom-rpc-node-03:8545
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+
+  # RPC Node 4
+  - hostname: smom-rpc-04.sankofa.nexus
+    service: http://smom-rpc-node-04:8545
+    originRequest:
+      noHappyEyeballs: true
+      connectTimeout: 30s
+
+  # Catch-all rule (must be last)
+  - service: http_status:404
+
+# Logging
+loglevel: info
+logfile: /var/log/cloudflared/tunnel.log
+
+# Metrics
+metrics: 0.0.0.0:9090
+
+# Health check
+health-probe:
+  enabled: true
+  path: /health
+  port: 8080
+