A single detection rule: an id (used as rule_id in the emitted decision),
a regex pattern compiled into a RegexSet at module init time, a severity
class (mapped to points by the pipeline), and the minimum paranoia level at
which the rule becomes active.
Highest paranoia level any shipped rule currently declares. The config
contract allows up to waf_core::MAX_PARANOIA_LEVEL (4), but no rule uses 4
yet — so a higher paranoia_level activates no additional rules. The proxy
logs this at startup so PL4 is “empty but legal”, never silently == PL3.
Bump this when the first higher-paranoia rule is added.
(rule_id, pattern) for every CONTENT-inspection rule active at paranoia,
split into two scope buckets (request_smuggling is excluded — it is
structural framing validation, not regex content inspection, and always runs in
the connection phase). Single source for the prefilter, so it cannot drift from
the per-module rules.