v1.3.3 — AppSec docs¶

Docs-only patch. No code changes since v1.3.2. Closes an explainer gap that the v1.3.2 hotfix left open: operators fixing the 500-cascade regression needed to understand what AppSec actually does, how it differs from the LAPI bouncer, and how to either enable or disable it cleanly.

What landed¶

New page: AppSec (CrowdSec WAF-inline)¶

The operator-facing entry point for the WAF-inline layer. Answers three questions in three sections:

1. Is this the same as the CrowdSec bouncer? A side-by-side table + analogy (doorman with banned-IP list vs bag check on what comes through the door) that distinguishes the two. Both run in the same CrowdSec container, both are controlled from the panel, but they are fully independent — AppSec can be off while the bouncer works, and vice versa.
2. The three scenarios an operator lands in post-v1.3.2:
3. A) AppSec unreachable, fail-open absorbs it (default out-of-the-box state, bouncer still works, notification warns).
4. B) Enable AppSec properly (/setup-appsec.sh + docker compose restart, verify with wget ... :7423 expecting 403 or 200).
5. C) Disable AppSec entirely on the panel (mode: disabled; Caddy stops emitting appsec_url, no WAF round-trip, appsec_unavailable notification silences, LAPI bouncer stays active).
6. Fail policy (appsec.fail_open) explained with a table and a decision guide for fail-open vs fail-closed.

Updated: Troubleshooting → AppSec¶

• Existing "every request 500s with connection refused on :7423" entry tightened to point at the new feature page for the full story, with the three scenarios summarised inline for operators who land here from a search.
• New entry: appsec_unavailable notification firing repeatedly — how to distinguish "sidecar is up with zero collections" (404 → unhealthy) from "sidecar is actually healthy" (405 → healthy), and how to silence the notification permanently via Scenario C.

Updated: cross-links¶

• docs/features/waf.md gains a banner at the top steering operators who need setup / fail-policy content to the new page. The WAF page stays focused on rules, exclusions, paranoia, and the metrics dashboard.
• docs/features/crowdsec.md rewrites the one-line AppSec reference to name AppSec as an independent layer, explain why "both in the same container" does not mean "one component", and link to the new page.

Navigation¶

mkdocs.yml adds Features → AppSec (WAF-inline) between WAF and CrowdSec — close enough for readers who scan sequentially, separate enough to find on its own.

Not changed¶

No backend, no frontend, no schema. Existing appsec.fail_open setting + appsec_unavailable notification + setup-appsec.sh script all unchanged from v1.3.2.

Upgrade¶

cd argos-edge
git pull

That's it. Running stack untouched.

Related¶

• AppSec (CrowdSec WAF-inline) — the new page.
• v1.3.2 release notes — the fail-open hotfix this docs patch explains.
• WAF — rule-level reference.
• CrowdSec — LAPI / bouncer reference.