Future Modules
Some modules are planned or experimental. Keep them separate from production basics until they are stable.
WAF
The WAF track is for rule-based request filtering, logging, and challenge/block responses. It should become its own clear page when it is production-ready.
| Planned area | Expected use |
|---|---|
| Rules | Block or challenge suspicious requests before they reach an app. |
| Signals | Record bounded security events without storing sensitive payloads. |
| Exceptions | Allow controlled bypasses for known safe application paths. |
WASM extensions
WASM extensions are planned for bounded operator logic. They must stay sandboxed, explicit, and disabled in default builds until the boundary is proven.
| Rule | Reason |
|---|---|
| Disabled by default | Production builds should not run operator code unless explicitly enabled. |
| Bounded inputs | Extensions should receive only the request data they need. |
| No secret access by default | Extension code should not become a shortcut around the secret boundary. |
Not production defaults
Future modules are documented so operators can see the direction, but they should not be treated like stable features until release notes say they are ready.