WAF Rules

The shared rule registry stores reusable WAF/block and rate-limit rules. uplink.yaml syncs inline firewall_rules: into the same registry the desktop app reads.

Enforced WAF/block rules reject matching requests before proxying. Monitor mode records the match without blocking, which is useful before turning on enforcement.

Unknown rule ids are not attached to a service from config; referenced service rules must be defined in the same uplink.yaml.