From b2adcdbed9f6a93a7e9041d03348c8ddea09f748 Mon Sep 17 00:00:00 2001
From: Josh Knapp <jknapp85@gmail.com>
Date: Thu, 14 May 2026 06:53:37 -0700
Subject: [PATCH] coraza: reserve rule-ID range 990000000-990999999 for
 WHP-generated rules

---
 coraza-spoa/overrides.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/coraza-spoa/overrides.conf b/coraza-spoa/overrides.conf
index 62aeca4..57bfcd0 100644
--- a/coraza-spoa/overrides.conf
+++ b/coraza-spoa/overrides.conf
@@ -94,3 +94,12 @@ SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
 #                         (`session_start` literal appearing in billing form data)
 #   950xxx-953xxx       — Data leakage / backup-file disclosure (mixed FP)
 # ---------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# RESERVED RULE-ID RANGE: 990000000 – 990999999
+# WHP's coraza_rule_manager generates per-host-exception rules in this range
+# (rule ID = 990000000 + target_rule_id). Do NOT add new rules in this range
+# from any other source. When bumping the coraza-spoa pin, check the CRS
+# changelog for new rules with 9-digit IDs (rare but possible) and re-namespace
+# if collision risk emerges.
+# ---------------------------------------------------------------------------