fix: only log WAF events where rules matched

- Change SecAuditEngine from On to RelevantOnly so Coraza only writes
  audit log entries for transactions that triggered at least one rule.
  Previously all requests were logged regardless of matches.
- Add a parser-side guard that skips entries with an empty messages array,
  as belt-and-suspenders against any pre-existing clean entries in the log.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fuomag9
2026-03-04 02:25:21 +01:00
parent e9f61481eb
commit a2c6991abd
2 changed files with 5 additions and 2 deletions


@@ -838,7 +838,7 @@ function buildWafHandler(waf: WafSettings): Record<string, unknown> {
'Include @owasp_crs/*.conf',
] : []),
`SecRuleEngine ${waf.mode}`,
'SecAuditEngine On',
'SecAuditEngine RelevantOnly',
'SecAuditLog /logs/waf-audit.log',
'SecAuditLogFormat JSON',
'SecAuditLogParts ABIJDEFHZ',
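Review bot: `SecAuditEngine RelevantOnly` on the new line does not by itself guarantee that every audit entry corresponds to a matched rule: in ModSecurity-compatible engines, which Coraza follows as far as I know, RelevantOnly also logs transactions whose response status matches `SecAuditLogRelevantStatus` when that directive is configured, so the "only rule matches" premise in the commit message holds only if no such directive appears elsewhere in the generated config. Because this is the one place that decides what reaches `/logs/waf-audit.log`, a short comment would record the intent and the caveat, e.g. `// RelevantOnly: audit only transactions that matched a rule (or SecAuditLogRelevantStatus, if set elsewhere)`. buildWafHandler's body starts before the hunk.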


@@ -107,7 +107,10 @@ function parseLine(line: string): typeof wafEvents.$inferInsert | null {
const hostArr = req.headers?.['host'] ?? req.headers?.['Host'];
const host = Array.isArray(hostArr) ? (hostArr[0] ?? '') : (hostArr ?? '');
const firstMsg = entry.messages?.[0];
// Only store events where at least one rule matched
if (!entry.messages?.length) return null;
const firstMsg = entry.messages[0];
const ruleId = firstMsg?.data?.id != null ? Number(firstMsg.data.id) : null;
const ruleMessage = firstMsg?.data?.msg ?? null;
const severity = firstMsg?.data?.severity ?? null;
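Review bot: The new guard `if (!entry.messages?.length) return null;` drops an entry without leaving any trace, so audit records Coraza may still write for reasons other than a rule match (a relevant-status match, if configured) silently vanish from the WAF event table, and a misconfigured audit engine becomes invisible to the operator; a debug-level log or a skipped-entry counter next to the `return null` would keep that observable. The comment above it could also state the contract it relies on rather than the effect, e.g. `// Coraza emits one entry per transaction; an empty messages array means no rule matched, so nothing to store`. Separately, the `Number(firstMsg.data.id)` on the following context line still yields NaN for a non-numeric id, which the guard does not cover and which would presumably fail or corrupt the insert; this is pre-existing but worth a follow-up check. parseLine's body begins before the hunk.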