
Firewall rules sync drops updated path_rules for same domain #236

@schmitthub

Description


Summary

When syncing rules from clawker.yaml to egress-rules.yaml, the additive merge deduplicates by dst:proto:port. If a rule for the same domain/proto/port already exists in the store, the new rule is silently dropped — even if it has different or additional path_rules.

This means updating path_rules in clawker.yaml has no effect until the old rule is manually removed with clawker firewall remove.

Two related issues

1. path_rules not updated on sync

```yaml
# clawker.yaml — updated to add new path prefixes
- dst: raw.githubusercontent.com
  proto: tls
  port: 443
  path_default: deny
  path_rules:
    - path: /anchore/syft/main/
      action: allow
    - path: /schmitthub/clawker/    # NEW
      action: allow
    - path: /envoyproxy/             # NEW
      action: allow
```

After clawker firewall reload, egress-rules.yaml still only has /anchore/syft/main/. The new path prefixes are silently dropped because the dst:proto:port key already exists.

2. Multiple rules for same domain produce unreachable filter chains

Before the user merged into one rule, three separate rules for raw.githubusercontent.com:tls:443 each generated a separate Envoy filter chain with the same SNI. Envoy matches the first filter chain and stops — making the 2nd and 3rd rules' path_rules unreachable (always 403).

Fix: GenerateEnvoyConfig should merge path_rules from same-domain TLS rules before generating filter chains. Defense-in-depth against users who define multiple rules for the same domain.

Expected Behavior

  • Sync should merge path_rules when dst:proto:port matches an existing rule
  • Multiple rules for the same dst:proto:port in clawker.yaml should be merged into one before writing to the store
  • GenerateEnvoyConfig should also merge same-domain rules as defense-in-depth
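A sketch of the merge the Expected Behavior bullets describe, added here as an illustration and not clawker's own code: the dropping merge reported in issue 1 beside an additive one keyed on dst:proto:port, which also collapses the three same-domain rules from issue 2 into a single rule (and so a single filter chain). The dict rule shape and the fail-closed checks on conflicting path_default or per-path action are assumptions of this example.

```python
# Constructed sample data mirroring the issue: one stored rule, two incoming rules
# for the same dst:proto:port (the three-rule shape from issue 2).
STORE = [
    {"dst": "raw.githubusercontent.com", "proto": "tls", "port": 443,
     "path_default": "deny",
     "path_rules": [{"path": "/anchore/syft/main/", "action": "allow"}]},
]
INCOMING = [
    {"dst": "raw.githubusercontent.com", "proto": "tls", "port": 443,
     "path_default": "deny",
     "path_rules": [{"path": "/anchore/syft/main/", "action": "allow"},
                    {"path": "/schmitthub/clawker/", "action": "allow"}]},
    {"dst": "raw.githubusercontent.com", "proto": "tls", "port": 443,
     "path_default": "deny",
     "path_rules": [{"path": "/envoyproxy/", "action": "allow"}]},
]

def rule_key(rule):
    """Dedup key used by the sync: dst:proto:port."""
    return f"{rule['dst']}:{rule['proto']}:{rule['port']}"

def merge_dropping(store, incoming):
    """Behaviour reported in the issue: a key already in the store wins,
    so the incoming rule's path_rules are silently lost."""
    merged = {rule_key(r): r for r in store}
    for r in incoming:
        merged.setdefault(rule_key(r), r)
    return list(merged.values())

def merge_additive(store, incoming):
    """Proposed behaviour: rules with the same key are unioned; path_rules are
    de-duplicated by path with order preserved. merge_additive([], rules) is the
    same-domain collapse suggested for GenerateEnvoyConfig. Inputs are not mutated."""
    merged = {}
    for r in list(store) + list(incoming):
        k = rule_key(r)
        target = merged.setdefault(k, {**r, "path_rules": []})
        # Assumption of this example: a differing path_default, or one path mapped
        # to two different actions, is a config error; fail closed rather than guess.
        if target["path_default"] != r["path_default"]:
            raise ValueError(f"conflicting path_default for {k}")
        actions = {p["path"]: p["action"] for p in target["path_rules"]}
        for p in r.get("path_rules", []):
            if actions.get(p["path"], p["action"]) != p["action"]:
                raise ValueError(f"conflicting action for {k} {p['path']}")
            if p["path"] not in actions:
                target["path_rules"].append(dict(p))
                actions[p["path"]] = p["action"]
    return list(merged.values())
```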

Workaround

  1. clawker firewall remove <domain>
  2. Edit clawker.yaml to combine path_rules into a single rule
  3. clawker firewall reload

Labels: bug (Something isn't working)