diff --git a/coraza-spoa/Dockerfile b/coraza-spoa/Dockerfile
index 3f5c401..e5cafd7 100644
--- a/coraza-spoa/Dockerfile
+++ b/coraza-spoa/Dockerfile
@@ -39,6 +39,8 @@ LABEL org.opencontainers.image.title="coraza-spoa-whp" \
 COPY --from=build /out/coraza-spoa /coraza-spoa
 COPY config.yaml /etc/coraza-spoa/config.yaml
 COPY overrides.conf /etc/coraza/overrides.conf
+COPY local-overrides.conf /etc/coraza/local-overrides.conf
+COPY host-exceptions/ /etc/coraza/host-exceptions/
 
 # Audit log directory — bind-mount /var/log/coraza:/var/log/coraza from host
 # so logs persist across container restarts and AI Monitor can tail them.
diff --git a/coraza-spoa/config.yaml b/coraza-spoa/config.yaml
index a4004e7..7d72e6d 100644
--- a/coraza-spoa/config.yaml
+++ b/coraza-spoa/config.yaml
@@ -34,6 +34,9 @@ applications:
 # to see exactly what blocks vs what's detect-only.
 Include /etc/coraza/overrides.conf
 
+# Runtime-managed overrides written by WHP UI. Empty by default.
+Include /etc/coraza/local-overrides.conf
+
 # Global mode: log all alerts, block only what overrides.conf
 # explicitly promotes via ctl:ruleEngine=On.
 SecRuleEngine DetectionOnly
diff --git a/coraza-spoa/host-exceptions/.gitkeep b/coraza-spoa/host-exceptions/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/coraza-spoa/local-overrides.conf b/coraza-spoa/local-overrides.conf
new file mode 100644
index 0000000..cdc803a
--- /dev/null
+++ b/coraza-spoa/local-overrides.conf
@@ -0,0 +1,3 @@
+# AUTOGENERATED by WHP — do not hand-edit.
+# Source of truth: whp.security_db coraza_rule_overrides table.
+# Empty file = no runtime overrides; baked-in overrides.conf governs.
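Review bot: The two added COPY lines bake local-overrides.conf and host-exceptions/ into the image, yet the config.yaml part of this same change describes local-overrides.conf as written at runtime by the WHP UI, and the only mount documented here is /var/log/coraza — so runtime writes would land on the container's writable layer, vanish on restart, and fail outright under a read-only root filesystem. I would extend the comment block right after the new COPYs: `# Runtime-managed rule overrides — bind-mount /etc/coraza/local-overrides.conf (and host-exceptions/) from the host;` / `# whatever can write that path can relax or disable WAF enforcement, so restrict it to the WHP writer.` Whether the UI writes into this container or to a shared host path is not visible in the hunk, so confirm the mount point against the writer. Separately, nothing in the visible config.yaml hunk Includes /etc/coraza/host-exceptions/, so either that include lives elsewhere in config.yaml or the directory is shipped but never loaded.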
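Review bot: The new `Include /etc/coraza/local-overrides.conf` is ordered after overrides.conf, so any directive written there at runtime (a `SecRuleRemoveById`, or a `ctl:ruleEngine=DetectionOnly` action) takes precedence over the baked-in promotions, which makes the WHP UI's write path the effective control point for WAF enforcement; the comment should state that rather than only "Empty by default". Suggested: `# Runtime-managed overrides written by WHP UI. Loaded after overrides.conf, so directives here` / `# take precedence over it — anything able to write this file can relax enforcement. Must exist (may be empty).` If the writer ever removes the file instead of truncating it, the Include presumably fails when the SPOA loads its config — confirm Coraza's behaviour for a missing Include target and make the writer always leave at least an empty file. The `applications:` entry this hunk sits in begins before the hunk.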