HighPR-scope

Validate edge/CDN redirect and header rules against Cloudflare

If a PR changes redirect/header configuration (e.g., middleware redirects, CDN headers, security headers), validate it against the active edge rules to avoid conflicts. - If a Cloudflare MCP is available: fetch active rules and detect potential redirect loops, duplicate rules, or header conflicts. - Otherwise: require the author to link the relevant Cloudflare rules/screenshots in the PR description.

Add to Mesrai Open workspace

Why this matters

Edge misconfigurations can cause global outages (redirect loops) and security regressions.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

Adds app-level redirect that conflicts with an existing Cloudflare redirect rule.

Prefer

Checks active Cloudflare rules, avoids loops, and documents the intended precedence.

More snippets

Bad

redirect change; no edge-rule validation

Good

Cloudflare rule check + no loop + precedence documented

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret