Skip to content

docs: waf.test dry-run section#65

Merged
acoshift merged 1 commit into
mainfrom
waf-test
Jul 11, 2026
Merged

docs: waf.test dry-run section#65
acoshift merged 1 commit into
mainfrom
waf-test

Conversation

@acoshift

Copy link
Copy Markdown
Member

Summary

Documents the waf.test dry-run RPC (design doc: PLAN-waf-test.md, §4 — PR 4 of 4).

  • New "Test rules (dry run)" section on the WAF page, between Patterns and Rate limiting: expression vs zone-draft modes, the sample-request fields, the result shape (outcome / rules[] / limits[] / valid), and the simulation caveats (user-supplied country/asn, empty body & zero content_length, HTTP/1.1 proto, unsimulated baseline + managed WAF layers, per-expression vs whole-walk eval budget, filterMatched vs counted vs "would be limited").
  • Console Test panel screenshot (light + dark), captured from the console waf-test branch via a new waf-test entry in scripts/screenshots/capture.mjs (the panel needs interaction — expand, fill sample, run — like the deploy-form capture).
  • waf.test row in the API function catalog (content/api/conventions.md), anchored to the new section.
  • Fixes pre-existing request.ip references: the engine's request map exposes request.remote_ip (parapet pkg/waf/request.go); request.ip compiles but always eval-errors and fails open, so the documented "allow your own egress IPs" pattern could never match. The dry-run section is exactly what surfaces this — pasting the old example into waf.test returns a per-rule error.

Screenshot

waf-test

Test evidence

  • make build (hugo --minify) passes clean.
  • Built HTML verified: #test-rules-dry-run anchor present (conventions.md link resolves), both fingerprinted waf-test*.png images referenced, no stray TODO comments, zero remaining request.ip occurrences on the WAF page.
  • Screenshots captured against the console branch's dev:mock with the real panel flow (GET /admin → blocked by block-admin, 403; per-ip limit "matches filter — not counted").

Merge gating / post-merge notes (from the plan's rollout order)

  • Do not merge before the apiserver binary (with waf.test) is deployed — until then the documented curl returns unknown-action. Order: api → apiserver (deploy) → console → docs.
  • At apiserver launch, seed the per-(project,action) API quota '*' row for waf.test (plan §6 — cheapest authenticated CPU-burn surface).
  • apiserver's parapet pin must stay in lockstep with the ingress controller's (v0.18.4) — noted here only for the rollout checklist; no docs impact.

Follow-ups (pre-existing, not blocking)

  • scripts/screenshots/mock-enrichment.patch still targets src/lib/server/mock.js, but the console migrated to mock.tsrefresh.sh fails at git apply before capturing anything. Needs a patch regeneration against mock.ts (separate change; affects all screenshots equally).
  • The console mock's dry-run evaluator only parses the visual builder's double-quoted CEL forms; the console seed zone fixture uses single-quoted expressions, so reproducing this screenshot via refresh.sh needs the fixture switched to builder form (noted in capture.mjs; suggest doing it in the console waf-test PR).
  • content/networking/transform.md also mentions request.ip — that's the edge-transform CEL surface (ingress controller, not pkg/waf), so it was left alone; worth a separate check.

Add 'Test rules (dry run)' to the WAF page: expression vs zone-draft
modes, sample-request fields, result shape, and the simulation caveats
(user-supplied country/asn, empty body / zero content_length, HTTP/1.1
proto, unsimulated baseline+managed layers, per-expression vs whole-walk
eval budget, filterMatched vs counted vs limited). Add waf.test to the
API function catalog.

Console Test-panel screenshot (light+dark) captured via a new waf-test
entry in scripts/screenshots/capture.mjs — the panel needs interaction
(expand, fill sample, run), like the deploy form.

Also fix the pre-existing request.ip references: the engine's request
map exposes request.remote_ip (parapet pkg/waf), and request.ip always
eval-errors and fail-opens, so the documented allow-your-egress-IP
pattern could never match. The dry-run section is what surfaces this —
waf.test reports the error per rule.
@deploys-app deploys-app Bot temporarily deployed to pr-65 July 10, 2026 17:16 Destroyed
@deploys-app

deploys-app Bot commented Jul 10, 2026

Copy link
Copy Markdown

Preview deleted (PR closed).

@acoshift acoshift merged commit 99647f7 into main Jul 11, 2026
1 check passed
@acoshift acoshift deleted the waf-test branch July 11, 2026 02:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant