Fix some blocked/allow laggards after migrating. Add DuckDB for outstanding analyitcs performance. Start adding an import for all bot networks

app/models/waf_policy.rb

@@ -9,7 +9,7 @@ class WafPolicy < ApplicationRecord
   POLICY_TYPES = %w[country asn company network_type path_pattern].freeze
 
   # Actions - what to do when traffic matches this policy
-  ACTIONS = %w[allow deny redirect challenge].freeze
+  ACTIONS = %w[allow deny redirect challenge add_header].freeze
 
   # Associations
   belongs_to :user
@@ -25,6 +25,7 @@ validate :targets_must_be_array
   validate :validate_targets_by_type
   validate :validate_redirect_configuration, if: :redirect_policy_action?
   validate :validate_challenge_configuration, if: :challenge_policy_action?
+  validate :validate_add_header_configuration, if: :add_header_policy_action?
 
   # Scopes
   scope :enabled, -> { where(enabled: true) }
@@ -95,6 +96,10 @@ validate :targets_must_be_array
     policy_action == 'challenge'
   end
 
+  def add_header_policy_action?
+    policy_action == 'add_header'
+  end
+
   # Lifecycle methods
   def active?
     enabled? && !expired?
@@ -163,7 +168,7 @@ validate :targets_must_be_array
       priority: network_range.prefix_length
     )
 
-    # Handle redirect/challenge specific data
+    # Handle redirect/challenge/add_header specific data
     if redirect_action? && additional_data['redirect_url']
       rule.update!(
         metadata: rule.metadata.merge(
@@ -178,6 +183,13 @@ validate :targets_must_be_array
           challenge_message: additional_data['challenge_message']
         )
       )
+    elsif add_header_action?
+      rule.update!(
+        metadata: rule.metadata.merge(
+          header_name: additional_data['header_name'],
+          header_value: additional_data['header_value']
+        )
+      )
     end
 
     rule
@@ -212,7 +224,7 @@ validate :targets_must_be_array
         priority: 50  # Default priority for path rules
       )
 
-      # Handle redirect/challenge specific data
+      # Handle redirect/challenge/add_header specific data
       if redirect_action? && additional_data['redirect_url']
         rule.update!(
           metadata: rule.metadata.merge(
@@ -227,6 +239,13 @@ validate :targets_must_be_array
             challenge_message: additional_data['challenge_message']
           )
         )
+      elsif add_header_action?
+        rule.update!(
+          metadata: rule.metadata.merge(
+            header_name: additional_data['header_name'],
+            header_value: additional_data['header_value']
+          )
+        )
       end
 
       rule
@@ -346,6 +365,12 @@ validate :targets_must_be_array
     self.targets ||= []
     self.additional_data ||= {}
     self.enabled = true if enabled.nil?
+
+    # Set default header values for add_header action
+    if add_header_policy_action?
+      self.additional_data['header_name'] ||= 'X-Bot-Agent'
+      self.additional_data['header_value'] ||= 'Unknown'
+    end
   end
 
   def targets_must_be_array
@@ -430,6 +455,15 @@ validate :targets_must_be_array
     end
   end
 
+  def validate_add_header_configuration
+    if additional_data['header_name'].blank?
+      errors.add(:additional_data, "must include 'header_name' for add_header action")
+    end
+    if additional_data['header_value'].blank?
+      errors.add(:additional_data, "must include 'header_value' for add_header action")
+    end
+  end
+
   # Matching logic for different policy types
   def matches_country?(network_range)
     country = network_range.country || network_range.inherited_intelligence[:country]