fix: include OWASP CRS files via @-prefixed embedded FS paths

load_owasp_crs: true only merges the embedded coraza-coreruleset
filesystem - it does NOT auto-include rule files. The correct way to
load CRS rules is to explicitly Include them using the @ prefix, which
references the embedded FS:

  Include @coraza.conf-recommended
  Include @crs-setup.conf.example
  Include @owasp_crs/*.conf

Without these includes, SecRuleEngine On had no rules to apply and
all requests passed through unblocked (rulesets: null in audit log).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-03-04 02:19:21 +01:00
parent 1c81e1a385
commit e9f61481eb
+8 -3
@@ -828,10 +828,15 @@ function resolveEffectiveWaf(
function buildWafHandler(waf: WafSettings): Record<string, unknown> {
// directives is a single string (Go struct type is string, not []string).
// load_owasp_crs: true makes the module load the embedded OWASP CRS automatically —
// no Include directives are needed for CRS itself (the Caddyfile adapter confirms this:
// `load_owasp_crs` with no directives is sufficient to load all rules).
// load_owasp_crs: true merges the embedded CRS filesystem so that @-prefixed paths resolve.
// We then explicitly Include the CRS files in the correct order via SecLang directives.
// The @ prefix references files from the embedded coraza-coreruleset filesystem.
const parts = [
'Include @coraza.conf-recommended',
...(waf.load_owasp_crs ? [
'Include @crs-setup.conf.example',
'Include @owasp_crs/*.conf',
] : []),
`SecRuleEngine ${waf.mode}`,
'SecAuditEngine On',
'SecAuditLog /logs/waf-audit.log',
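Review bot: `Include @coraza.conf-recommended` is emitted unconditionally while the two CRS includes are guarded by `waf.load_owasp_crs`; the new comment on the same hunk states that `load_owasp_crs: true` is what makes @-prefixed paths resolve, so when `load_owasp_crs` is false the unconditional include points at an embedded path that, by the comment's own account, is not mounted, and the handler would fail to start rather than simply run without CRS. Either move `'Include @coraza.conf-recommended'` inside the conditional block alongside `'Include @crs-setup.conf.example'` and `'Include @owasp_crs/*.conf'`, or extend the comment to say why that one path resolves without the embedded FS. The ordering itself is right: `SecRuleEngine ${waf.mode}` comes after the includes, so it overrides whatever engine mode the recommended config sets, which is the behaviour the commit message relies on to stop requests passing through with no rules applied.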