Skip to content

feat(protect): opt-in route-level WAF (env) + protect --demo sample rules#77

Merged
patchstackdave merged 2 commits into
mainfrom
feat/protect-route-waf-and-demo
Jul 15, 2026
Merged

feat(protect): opt-in route-level WAF (env) + protect --demo sample rules#77
patchstackdave merged 2 commits into
mainfrom
feat/protect-route-waf-and-demo

Conversation

@patchstackdave

Copy link
Copy Markdown
Contributor

Two scaffolder features. Includes the #75 guard.ts type-safety fix (this branch was cut from it), so #75 can be closed in favor of this — or merge #75 first and I'll rebase.

1. Route-level WAF — PATCHSTACK_ROUTE_WAF=1 (opt-in, env-only)

By default the guard only runs request rules on the data path (Supabase tunnel + server-fn args), so a plain GET /?file=.. is never inspected. This adds an opt-in route WAF:

  • guard.ts exports guardRequest(request) — runs the request-phase rules via fetchGuard on a cloned request (so the app can still read the body), 403 on match, fail-open.
  • the scaffolded request middleware calls it only when PATCHSTACK_ROUTE_WAF=1.

Opt-in because it runs broad request rules on all traffic (classic-WAF false-positive surface). No CLI flag — env-gated per your call.

Verified: GET /?file=../../etc/passwd403, ?file=report.pdf → allowed.

2. protect --demo

  • Seeds a broad, many-class sample rule set (templates/demo-rules.json, generated from & kept in lockstep with examples/protect/demo-rules.json minus its _demo vectors) instead of the high-precision starter.
  • Skips baking a site UUID, so the local sample rules stay active (a baked UUID makes the guard fetch live Pulse rules and ignore the bundle — this was the earlier "nothing blocks" gotcha).
  • Default install now writes the starter only if absent — no longer clobbers a customized rules.json on re-run.
  • Disclosed in the CLI help + AGENT-INSTALL.md; PATCHSTACK_MODE / PATCHSTACK_ROUTE_WAF added to the env list.

Tests

+8 scaffolder tests (route-WAF wiring, --demo bundle + no-bake, starter+bake, no-clobber, and a template↔examples parity check). 416 pass, typecheck + build clean.

Note — existing installs

patchStart is idempotent and won't rewrite an already-wired start.ts, so an app installed before this ships won't get the route-WAF line on a plain re-run (same upgrade limitation as #70). Fresh installs get it; existing apps add the one gated block manually or re-scaffold.

🤖 Generated with Claude Code

@coderbuds

coderbuds Bot commented Jul 15, 2026

Copy link
Copy Markdown

Well-structured opt-in WAF feature with comprehensive scaffolding and tests.

🎯 Quality: 100% Elite · 📦 Size: Large — consider splitting if possible

📈 This month: Your 29th PR — above team average · Averaging Elite

See how your team is trending →

patchstackdave and others added 2 commits July 15, 2026 10:00
… rules

Two scaffolder features (both build on the #75 guard.ts type-safety fix, included here):

Route-level WAF (env-gated, off by default):
- guard.ts exports guardRequest(request) — runs the request-phase rules via fetchGuard
  on a cloned request and returns a 403 on a match (fail-open).
- the scaffolded request middleware calls it only when PATCHSTACK_ROUTE_WAF=1, so a plain
  `GET /?file=../../etc/passwd` gets a 403. Opt-in because it runs broad request rules on
  all traffic (classic-WAF false-positive surface); the default only screens the data path.

`protect --demo`:
- seeds a broad, many-class sample rule set (src/protect/templates/demo-rules.json, generated
  from + kept in lockstep with examples/protect/demo-rules.json minus its _demo vectors) instead
  of the high-precision starter, and SKIPS baking a site UUID so the local sample rules stay
  active (a baked UUID makes the guard fetch live Pulse rules instead).
- default install now writes the starter rules only if absent (no longer clobbers a
  customized rules.json on re-run).
- disclosed in the CLI help + AGENT-INSTALL.md; PATCHSTACK_MODE / PATCHSTACK_ROUTE_WAF added
  to the env list.

Verified: real CLI `protect --demo` seeds the 11-class bundle; route-WAF blocks a path-traversal
URL (403) and allows benign; +8 scaffolder tests incl. a template/examples parity check. 416 tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…nstalls)

patchStart previously skipped an already-wired start.ts, so a re-run after a
connect upgrade never refreshed the middleware (e.g. an existing app couldn't
pick up the new route-WAF hook). Make the generated blocks MANAGED:

- wrap each middleware block in `// #region patchstack-guard` … `// #endregion`
  markers; a re-run replaces the marked region in place (upgrade), and the guard
  import line is refreshed wholesale.
- migrate a legacy (pre-markers) block: bound it from its `const …` line (plus the
  comment header above) to its terminating `});`, and replace with the marked block.
- fresh installs insert as before. All paths stay idempotent (a second run is a no-op).

Verified end-to-end: re-running the CLI on a legacy-wired app adds the route-WAF
hook + markers + refreshed import with no duplication. +1 upgrade test (417 total).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@patchstackdave patchstackdave force-pushed the feat/protect-route-waf-and-demo branch from 1b1a3e5 to ca005de Compare July 15, 2026 08:04
@patchstackdave

Copy link
Copy Markdown
Contributor Author

/review

@patchstackdave patchstackdave merged commit d9044cf into main Jul 15, 2026
4 checks passed
@patchstackdave patchstackdave deleted the feat/protect-route-waf-and-demo branch July 15, 2026 08:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants