pub fn content_rules_split(paranoia: u8) -> (RuleList, RuleList)Expand description
(rule_id, pattern) for every CONTENT-inspection rule active at paranoia,
split into two scope buckets (request_smuggling is excluded — it is
structural framing validation, not regex content inspection, and always runs in
the connection phase). Single source for the prefilter, so it cannot drift from
the per-module rules.
main: every rule whose pattern is safe to scan over a superset of the fields it inspects ({path, query, cookies, headers, body}) — the 6 content modules plus the non-host header-injection rules. Over-scanning is sound (it can only over-flag → run the full path), and these patterns are specific enough not to match benign paths/headers.host: the host-only header-injection rule(s) (Scope::HostHeaders), whose broad[/@]pattern MUST be scanned only against host header values — scanning it over the path (always/) is what made a global union useless.