From 46c1ccb7b5bb2b8691ca2714bf5d05c341700ed5 Mon Sep 17 00:00:00 2001
From: Bryce <blewis@cycle.io>
Date: Wed, 18 Mar 2026 08:57:57 -0700
Subject: [PATCH] add sample and deny type to WAF

---
 .../loadbalancer/config/types/v1/WafConfig.yml    | 14 +++++++++++++-
 .../loadbalancer/types/v1/StackSpecWafConfig.yml  | 15 ++++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/components/schemas/environments/services/loadbalancer/config/types/v1/WafConfig.yml b/components/schemas/environments/services/loadbalancer/config/types/v1/WafConfig.yml
index 97e6acfe..c01470ae 100644
--- a/components/schemas/environments/services/loadbalancer/config/types/v1/WafConfig.yml
+++ b/components/schemas/environments/services/loadbalancer/config/types/v1/WafConfig.yml
@@ -22,11 +22,15 @@ properties:
           description: A boolean that indicates if the rule should be active or skipped.
           type: boolean
         type:
-          description: A string that describes if the role should allow or deny traffic based on the conditions.
+          description: |
+            A string that describes if the role should allow, deny, or block traffic based on the conditions.
+            - block = http 403
+            - deny = connection disconnect
           type: string
           enum:
             - allow
             - deny
+            - block
         expires:
           description: The expiration date of the WAF config, if present.
           oneOf:
@@ -40,6 +44,14 @@ properties:
             - all
             # legacy value TODO remove
             - ""
+        sample:
+          description: |
+            Percentage range from 0 to 100
+            Sample = 100 => the rule is applied to 100% of requests
+            Sample = 0 => the rule applies to 0% of requests
+          type:
+            - integer
+            - "null"
         conditions:
           description: An array of the specific conditions for the rule.
           type: array
diff --git a/stackspec/schema/services/loadbalancer/types/v1/StackSpecWafConfig.yml b/stackspec/schema/services/loadbalancer/types/v1/StackSpecWafConfig.yml
index e4e425b7..e76b0a3f 100644
--- a/stackspec/schema/services/loadbalancer/types/v1/StackSpecWafConfig.yml
+++ b/stackspec/schema/services/loadbalancer/types/v1/StackSpecWafConfig.yml
@@ -27,12 +27,16 @@ properties:
                     - type: boolean
                     - $ref: ../../../../StackVariable.yml
                 type:
-                  description: A string that describes if the role should allow or deny traffic based on the conditions.
+                  description: |
+                    A string that describes if the role should allow, deny, or block traffic based on the conditions.
+                    - block = http 403
+                    - deny = connection disconnect
                   oneOf:
                     - type: string
                       enum:
                         - allow
                         - deny
+                        - block
                     - $ref: ../../../../StackVariable.yml
                 expires:
                   description: The expiration date of the WAF config, if present.
@@ -51,6 +55,15 @@ properties:
                         - any
                         - all
                     - $ref: ../../../../StackVariable.yml
+                sample:
+                  description: |
+                    Percentage range from 0 to 100
+                    Sample = 100 => the rule is applied to 100% of requests
+                    Sample = 0 => the rule applies to 0% of requests
+                  oneOf:
+                    - type: integer
+                    - type: "null"
+                    - $ref: ../../../../StackVariable.yml
                 conditions:
                   description: An array of the specific conditions for the rule.
                   oneOf: