diff --git a/coraza-spoa/overrides.conf b/coraza-spoa/overrides.conf
index 62aeca4..57bfcd0 100644
--- a/coraza-spoa/overrides.conf
+++ b/coraza-spoa/overrides.conf
@@ -94,3 +94,12 @@ SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
 # (`session_start` literal appearing in billing form data)
 # 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP)
 # ---------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# RESERVED RULE-ID RANGE: 990000000 – 990999999
+# WHP's coraza_rule_manager generates per-host-exception rules in this range
+# (rule ID = 990000000 + target_rule_id). Do NOT add new rules in this range
+# from any other source. When bumping the coraza-spoa pin, check the CRS
+# changelog for new rules with 9-digit IDs (rare but possible) and re-namespace
+# if collision risk emerges.
+# ---------------------------------------------------------------------------
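Review bot: The added comment gives both a range (990000000 – 990999999) and a formula (`990000000 + target_rule_id`), and the two agree only while target_rule_id is at most 999999. A target rule with a 7-digit ID (CRS plugin rules use such IDs, if any are loaded in this deployment) would map outside the documented range, so the block should state the assumption, e.g. `# Assumes target_rule_id <= 999999 (6-digit CRS IDs); larger IDs fall outside this range.` The reservation is also only a convention in this file: whether coraza_rule_manager or a CI check rejects a hand-written rule in that range is not visible in this hunk, so a collision would presumably surface only when the engine loads the configuration.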