feat(protect): opt-in route-level WAF (env) + protect --demo sample rules#77
Merged
Merged
Conversation
|
Well-structured opt-in WAF feature with comprehensive scaffolding and tests. 🎯 Quality: 100% Elite · 📦 Size: Large — consider splitting if possible 📈 This month: Your 29th PR — above team average · Averaging Elite |
… rules Two scaffolder features (both build on the #75 guard.ts type-safety fix, included here): Route-level WAF (env-gated, off by default): - guard.ts exports guardRequest(request) — runs the request-phase rules via fetchGuard on a cloned request and returns a 403 on a match (fail-open). - the scaffolded request middleware calls it only when PATCHSTACK_ROUTE_WAF=1, so a plain `GET /?file=../../etc/passwd` gets a 403. Opt-in because it runs broad request rules on all traffic (classic-WAF false-positive surface); the default only screens the data path. `protect --demo`: - seeds a broad, many-class sample rule set (src/protect/templates/demo-rules.json, generated from + kept in lockstep with examples/protect/demo-rules.json minus its _demo vectors) instead of the high-precision starter, and SKIPS baking a site UUID so the local sample rules stay active (a baked UUID makes the guard fetch live Pulse rules instead). - default install now writes the starter rules only if absent (no longer clobbers a customized rules.json on re-run). - disclosed in the CLI help + AGENT-INSTALL.md; PATCHSTACK_MODE / PATCHSTACK_ROUTE_WAF added to the env list. Verified: real CLI `protect --demo` seeds the 11-class bundle; route-WAF blocks a path-traversal URL (403) and allows benign; +8 scaffolder tests incl. a template/examples parity check. 416 tests. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…nstalls) patchStart previously skipped an already-wired start.ts, so a re-run after a connect upgrade never refreshed the middleware (e.g. an existing app couldn't pick up the new route-WAF hook). Make the generated blocks MANAGED: - wrap each middleware block in `// #region patchstack-guard` … `// #endregion` markers; a re-run replaces the marked region in place (upgrade), and the guard import line is refreshed wholesale. - migrate a legacy (pre-markers) block: bound it from its `const …` line (plus the comment header above) to its terminating `});`, and replace with the marked block. - fresh installs insert as before. All paths stay idempotent (a second run is a no-op). Verified end-to-end: re-running the CLI on a legacy-wired app adds the route-WAF hook + markers + refreshed import with no duplication. +1 upgrade test (417 total). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1b1a3e5 to
ca005de
Compare
Contributor
Author
|
/review |
ejntaylor
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two scaffolder features. Includes the #75 guard.ts type-safety fix (this branch was cut from it), so #75 can be closed in favor of this — or merge #75 first and I'll rebase.
1. Route-level WAF —
PATCHSTACK_ROUTE_WAF=1(opt-in, env-only)By default the guard only runs request rules on the data path (Supabase tunnel + server-fn args), so a plain
GET /?file=..is never inspected. This adds an opt-in route WAF:guard.tsexportsguardRequest(request)— runs the request-phase rules viafetchGuardon a cloned request (so the app can still read the body), 403 on match, fail-open.PATCHSTACK_ROUTE_WAF=1.Opt-in because it runs broad request rules on all traffic (classic-WAF false-positive surface). No CLI flag — env-gated per your call.
Verified:
GET /?file=../../etc/passwd→ 403,?file=report.pdf→ allowed.2.
protect --demotemplates/demo-rules.json, generated from & kept in lockstep withexamples/protect/demo-rules.jsonminus its_demovectors) instead of the high-precision starter.rules.jsonon re-run.AGENT-INSTALL.md;PATCHSTACK_MODE/PATCHSTACK_ROUTE_WAFadded to the env list.Tests
+8 scaffolder tests (route-WAF wiring,
--demobundle + no-bake, starter+bake, no-clobber, and a template↔examples parity check). 416 pass, typecheck + build clean.Note — existing installs
patchStartis idempotent and won't rewrite an already-wiredstart.ts, so an app installed before this ships won't get the route-WAF line on a plain re-run (same upgrade limitation as #70). Fresh installs get it; existing apps add the one gated block manually or re-scaffold.🤖 Generated with Claude Code