waf: add events subcommand (SPEC-waf-events row 6)#59
Draft
acoshift wants to merge 2 commits into
Draft
Conversation
Renders waf.events (recent sampled firewall match events, newest first) via WAFEventsResult.Table(): TIME, ACTION, RULE, IP, COUNTRY, METHOD, HOST, PATH. Flags: -rule (short id filter), -action (log|allow|block), -limit (default 50, max 200), -before (keyset cursor from a previous response's next). Pins github.com/deploys-app/api to branch waf-events (380d9eb5c22f6de251183f2220fbd9ff089b8932); re-pin to the next api tag after the api PR merges.
Table mode drops WAFEventsResult.Next (no cursor column), leaving a table-mode user with no way to obtain the -before value. Print a one-line 'next: <cursor>' trailer when more pages exist; structured output modes already carry the field in the payload.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CLI leg (rollout row 6) of SPEC-waf-events (Firewall Events — sampled WAF match/block samples,
waf.events).deploys waf eventssubcommand: flags map 1:1 ontoapi.WAFEvents—-project,-location,-rule(short id fromwaf get),-action(log|allow|block),-before(keyset cursor),-limit(default 50, max 200). Rendered viaWAFEventsResult.Table()through the standardrn.printpath;-ojson/-oyaml/-otoonwork as usual.next: <cursor>trailer when more pages exist (the table has no cursor column, so without it a table-mode user could not obtain the-beforevalue; structured modes already carrynextin the payload).waf, marked as sampled events.WAF.Eventstypes.Example (illustrative values only):
Merge gate — DO NOT MERGE until api PR lands
go.modcurrently pinsgithub.com/deploys-app/api v0.0.0-20260711011307-380d9eb5c22f, the tip of the unmerged apiwaf-eventsbranch (api main has nowaf.eventsyet, and api squash-merges, so the merged commit will differ). Per SPEC-waf-events §J the api PR (row 2) merges first; re-pin this branch to the merged api main commit (usual "re-pin api" pattern) before merging.Expected merge conflicts
The open
waf-ip-listsbranch touches the same files:go.mod/go.sum— both branches re-pindeploys-app/apito different branch-tip pseudo-versions (definite conflict; whichever branch merges second re-pins to the api commit containing both features).internal/runner/help.go— this branch adds theeventssub inside thewafblock;waf-ip-listsadds awafListblock immediately after it (adjacent hunks, likely textual conflict; trivially resolvable).Test evidence
Repo has no PR CI; verified locally:
gofmt -l .clean;go build ./... && go vet ./...cleango test ./...— 78 tests pass in 3 packageswaf --helplistsevents;waf events -hshows all flags with the correct usage lineNo test added for the subcommand itself: the flag→request mapping is declarative and compile-checked against the api types, and no existing waf subcommand has one (runner tests cover pure helpers only) — matches the established pattern for thin subcommands.
Rollout notes (SPEC-waf-events §J)
Safe order — every step independently inert:
waf_eventsmigration before the binarycollector.setWAFEvents+waf.eventsmounted; table empty until fed)WAF_EVENTS_TOKENSecret + headless Service (endpoint off until both envs set; inert until polled) — engine side already implemented in feat(waf): sampled match-event ring + direct push to the deploys-app collector moonrhythm/parapet-ingress-controller#182waf_events_target+waf_events_tokenenvs (unset = loop never runs, so the binary can ship early)This CLI change ships on the next CLI build after merge, independent of the deploy steps above (rows 2–3 must be merged for the api pin, per the gate; against an older server
waf.eventssimply returns unknown action). No secrets involved; examples use placeholder values only.