Add a rules controller

app/controllers/api/events_controller.rb

@@ -18,8 +18,42 @@ class Api::EventsController < ApplicationController
       headers: extract_serializable_headers(request)
     )
 
-    # Always return 200 OK to avoid agent retries
-    head :ok
+    # Include rule version in response for agent optimization
+    rule_version = Rule.latest_version
+    response.headers['X-Rule-Version'] = rule_version.to_s
+
+    # Get current sampling for back-pressure management
+    current_sampling = HubLoad.current_sampling
+    response.headers['X-Sample-Rate'] = current_sampling[:allowed_requests].to_s
+    response.headers['X-Sample-Until'] = current_sampling[:effective_until]
+
+    # Check if agent sent a rule version to compare against
+    client_version = request.headers['X-Rule-Version']&.to_i
+
+    response_data = {
+      success: true,
+      rule_version: rule_version,
+      sampling: current_sampling
+    }
+
+    # If agent has old rules or no version, include new rules in response
+    if client_version.blank? || client_version != rule_version
+      # Get rules updated since client version
+      if client_version.present?
+        since_time = Time.at(client_version / 1_000_000, client_version % 1_000_000)
+        rules = Rule.where("updated_at > ?", since_time).enabled.sync_order
+      else
+        # Full sync for new agents
+        rules = Rule.active.sync_order
+      end
+
+      response_data[:rules] = rules.map(&:to_agent_format)
+      response_data[:rules_changed] = true
+    else
+      response_data[:rules_changed] = false
+    end
+
+    render json: response_data
   rescue DsnAuthenticationService::AuthenticationError => e
     Rails.logger.warn "DSN authentication failed: #{e.message}"
     head :unauthorized

app/controllers/api/rules_controller.rb

@@ -9,15 +9,18 @@ module Api
     # GET /api/:public_key/rules/version
     # Quick version check - returns latest updated_at timestamp
     def version
+      current_sampling = HubLoad.current_sampling
+      response.headers['X-Sample-Rate'] = current_sampling[:allowed_requests].to_s
+
       render json: {
         version: Rule.latest_version,
         count: Rule.active.count,
-        sampling: HubLoad.current_sampling
+        sampling: current_sampling
       }
     end
 
-    # GET /api/:public_key/rules?since=2024-11-03T12:00:00.000Z
-    # Incremental sync - returns rules updated since timestamp
+    # GET /api/:public_key/rules?since=1730646186272060
+    # Incremental sync - returns rules updated since timestamp (microsecond Unix timestamp)
     # GET /api/:public_key/rules
     # Full sync - returns all active rules
     def index
@@ -30,9 +33,12 @@ module Api
         Rule.active.sync_order
       end
 
+      current_sampling = HubLoad.current_sampling
+      response.headers['X-Sample-Rate'] = current_sampling[:allowed_requests].to_s
+
       render json: {
         version: Rule.latest_version,
-        sampling: HubLoad.current_sampling,
+        sampling: current_sampling,
         rules: rules.map(&:to_agent_format)
       }
     rescue ArgumentError => e
@@ -59,9 +65,17 @@ module Api
     end
 
     def parse_timestamp(timestamp_str)
-      Time.parse(timestamp_str)
+      # Parse microsecond Unix timestamp
+      unless timestamp_str.match?(/^\d+$/)
+        raise ArgumentError, "Invalid timestamp format. Expected microsecond Unix timestamp (e.g., 1730646186272060)"
+      end
+
+      total_microseconds = timestamp_str.to_i
+      seconds = total_microseconds / 1_000_000
+      microseconds = total_microseconds % 1_000_000
+      Time.at(seconds, microseconds)
     rescue ArgumentError => e
-      raise ArgumentError, "Invalid timestamp format. Expected ISO8601 format (e.g., 2024-11-03T12:00:00.000Z)"
+      raise ArgumentError, "Invalid timestamp format: #{e.message}. Use microsecond Unix timestamp (e.g., 1730646186272060)"
     end
   end
 end

app/controllers/projects_controller.rb

@@ -44,7 +44,7 @@ class ProjectsController < ApplicationController
 
     # Apply filters
     @events = @events.by_ip(params[:ip]) if params[:ip].present?
-    @events = @events.by_action(params[:action]) if params[:action].present?
+    @events = @events.by_waf_action(params[:action]) if params[:action].present?
     @events = @events.where(country_code: params[:country]) if params[:country].present?
 
     # Debug info
@@ -81,8 +81,8 @@ class ProjectsController < ApplicationController
     # Action distribution
     @action_stats = @project.events
       .where(timestamp: @time_range.hours.ago..Time.current)
-      .group(:action)
-      .select('action, COUNT(*) as count')
+      .group(:waf_action)
+      .select('waf_action as action, COUNT(*) as count')
       .order('count DESC')
   end
 

app/controllers/rules_controller.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+class RulesController < ApplicationController
+  before_action :set_rule, only: [:show, :edit, :update, :disable, :enable]
+  before_action :authorize_rule
+
+  # GET /rules
+  def index
+    @rules = Rule.includes(:project).order(created_at: :desc)
+    @rule_types = Rule::RULE_TYPES
+    @actions = Rule::ACTIONS
+  end
+
+  # GET /rules/new
+  def new
+    @rule = Rule.new
+    @rule_types = Rule::RULE_TYPES
+    @actions = Rule::ACTIONS
+  end
+
+  # POST /rules
+  def create
+    @rule = Rule.new(rule_params)
+    @rule_types = Rule::RULE_TYPES
+    @actions = Rule::ACTIONS
+
+    if @rule.save
+      redirect_to @rule, notice: 'Rule was successfully created.'
+    else
+      render :new, status: :unprocessable_entity
+    end
+  end
+
+  # GET /rules/:id
+  def show
+  end
+
+  # GET /rules/:id/edit
+  def edit
+    @rule_types = Rule::RULE_TYPES
+    @actions = Rule::ACTIONS
+  end
+
+  # PATCH/PUT /rules/:id
+  def update
+    if @rule.update(rule_params)
+      redirect_to @rule, notice: 'Rule was successfully updated.'
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  # POST /rules/:id/disable
+  def disable
+    reason = params[:reason] || "Disabled manually"
+    @rule.disable!(reason: reason)
+    redirect_to @rule, notice: 'Rule was successfully disabled.'
+  end
+
+  # POST /rules/:id/enable
+  def enable
+    @rule.enable!
+    redirect_to @rule, notice: 'Rule was successfully enabled.'
+  end
+
+  private
+
+  def set_rule
+    @rule = Rule.find(params[:id])
+  end
+
+  def authorize_rule
+    # Add authorization logic here if needed
+    # For now, allow all authenticated users
+  end
+
+  def rule_params
+    params.require(:rule).permit(
+      :rule_type,
+      :action,
+      :conditions,
+      :metadata,
+      :expires_at,
+      :enabled,
+      :source
+    )
+  end
+end