revert SecAuditEngine to RelevantOnly to prevent log flooding

SecAuditEngine On logs every request through the WAF regardless of whether
any rules matched, causing massive disk I/O on busy hosts (e.g. during
Docker image pushes). RelevantOnly still captures DetectionOnly hits because
OWASP CRS rules include auditlog in their SecDefaultAction, so rule-matched
transactions are marked for audit logging. Only truly clean requests (no
rule match at all) are silently skipped.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fuomag9
2026-03-06 16:28:20 +01:00
parent 70e9375b3a
commit 5cd92fe669

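The commit message above argues that RelevantOnly keeps DetectionOnly hits because matched CRS rules carry the auditlog action. The following is an added example, not code from this commit or the project, that models ModSecurity's audit-log decision (a transaction is written under RelevantOnly when a matched rule carried auditlog, or when its response status matches SecAuditLogRelevantStatus) and compares the three engine settings over a small constructed batch of transactions. All type and function names (Transaction, shouldAuditLog, compareEngines) and the sample traffic are assumptions made for illustration.

```typescript
// Added example, not code from the commit or the project: models ModSecurity's
// audit-logging decision so the effect of SecAuditEngine On vs RelevantOnly
// can be compared on a constructed batch of transactions. Type and function
// names here are assumptions made for illustration.

type AuditEngine = 'On' | 'Off' | 'RelevantOnly';

interface RuleMatch {
  id: number;
  // Effective "auditlog" flag after SecDefaultAction inheritance. CRS rules
  // inherit auditlog from crs-setup.conf's SecDefaultAction unless the rule
  // itself says noauditlog (or nolog, which implies it).
  auditlog: boolean;
}

interface Transaction {
  uri: string;
  status: number;       // final HTTP response status
  matches: RuleMatch[]; // rules that fired; with the anomaly threshold raised, none block
}

interface AuditConfig {
  engine: AuditEngine;
  // SecAuditLogRelevantStatus: in RelevantOnly mode a transaction whose
  // status matches this pattern is logged even without any rule match.
  // ModSecurity's recommended modsecurity.conf uses ^(?:5|4(?!04)).
  relevantStatus: RegExp | null;
}

function shouldAuditLog(tx: Transaction, cfg: AuditConfig): boolean {
  if (cfg.engine === 'Off') return false;
  if (cfg.engine === 'On') return true; // every transaction, clean or not
  const flaggedByRule = tx.matches.some((m) => m.auditlog);
  const flaggedByStatus =
    cfg.relevantStatus !== null && cfg.relevantStatus.test(String(tx.status));
  return flaggedByRule || flaggedByStatus;
}

// Constructed sample traffic: three clean registry blob uploads, a probe that
// CRS rule 942100 (libinjection SQLi) would match, a clean 404, a clean 500,
// and a hit on a (hypothetical) custom rule that opted out of audit logging.
const SAMPLE: Transaction[] = [
  { uri: '/v2/app/blobs/uploads/', status: 201, matches: [] },
  { uri: '/v2/app/blobs/uploads/', status: 201, matches: [] },
  { uri: '/v2/app/blobs/uploads/', status: 201, matches: [] },
  { uri: "/login?user=' OR 1=1--", status: 200, matches: [{ id: 942100, auditlog: true }] },
  { uri: '/missing', status: 404, matches: [] },
  { uri: '/api', status: 500, matches: [] },
  { uri: '/admin', status: 200, matches: [{ id: 9000001, auditlog: false }] },
];

function countAudited(txs: Transaction[], cfg: AuditConfig): number {
  return txs.filter((tx) => shouldAuditLog(tx, cfg)).length;
}

// Number of audit-log entries each engine setting would produce for the batch.
function compareEngines(txs: Transaction[] = SAMPLE): Record<string, number> {
  return {
    on: countAudited(txs, { engine: 'On', relevantStatus: null }),
    relevantOnly: countAudited(txs, { engine: 'RelevantOnly', relevantStatus: null }),
    relevantOnlyWithStatus: countAudited(txs, {
      engine: 'RelevantOnly',
      relevantStatus: /^(?:5|4(?!04))/,
    }),
  };
}

console.log(compareEngines());
```

Two things the model makes visible that the commit message does not: a rule that fires with noauditlog (the 9000001 entry) never reaches the audit log under RelevantOnly, so a DetectionOnly hit is only captured if the rule kept the inherited auditlog action; and when SecAuditLogRelevantStatus is set to the recommended pattern, rule-clean 4xx/5xx responses are still written, so "only rule matches are logged" holds only if that directive is left unset or narrowed.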

@@ -852,9 +852,10 @@ function buildWafHandler(waf: WafSettings): Record<string, unknown> {
...(waf.mode === 'DetectionOnly' ? [
'SecAction "id:9998001,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=9999999,setvar:tx.outbound_anomaly_score_threshold=9999999"',
] : []),
// Log all transactions so DetectionOnly hits are captured and shown in WAF Events.
// Body parts are excluded (see SecAuditLogParts below) so large uploads don't bloat the log.
'SecAuditEngine On',
// RelevantOnly logs transactions where a rule fired with the auditlog action (which all OWASP
// CRS rules include via SecDefaultAction), covering both blocked and DetectionOnly hits.
// Clean requests with no rule matches are silently skipped, avoiding massive log growth.
'SecAuditEngine RelevantOnly',
'SecAuditLog /logs/waf-audit.log',
'SecAuditLogFormat JSON',
// Omit request/response bodies (parts I, J, E) and intermediate response headers (D)
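Review bot: the comment above the new `'SecAuditEngine RelevantOnly'` line asserts that all OWASP CRS rules mark transactions for audit via `SecDefaultAction`, but nothing in this hunk guarantees that: it holds only if crs-setup.conf's `SecDefaultAction` lines (which carry `auditlog`) are included ahead of the rule set and no later `SecDefaultAction` or per-rule `noauditlog`/`nolog` overrides them; if that assumption breaks, DetectionOnly hits silently disappear from WAF Events with no error. Also check whether `SecAuditLogRelevantStatus` is set anywhere in the generated config: with the recommended `^(?:5|4(?!04))` pattern in effect, RelevantOnly additionally writes every 4xx/5xx response from rule-clean requests, so "Clean requests with no rule matches are silently skipped" overstates the filtering. Suggest pinning `SecAuditLogRelevantStatus` explicitly next to `'SecAuditEngine RelevantOnly'` (or documenting the intended value) and rewording the comment to say that auditlog is inherited from `SecDefaultAction` rather than included by every rule.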