[EV-6466]: Add Gateway WAF (per-route & namespaced) docs section

[electricjesus]

Product Version(s):
Calico Enterprise (next / unreleased) — tech preview. Not applicable to Calico OSS or Calico Cloud.

Issue:

• EV-6466 — [DOCS] Documentation — WAF Per-Route
• EV-6386 — epic / glossary
• Design: tigera/designs#25 (2026/PMREQ-384-per-route-namespaced-waf); Rego engine: calico-private#12137 (EV-6656)

Link to docs preview:

SME review:

• An SME has approved this change.

DOCS review:

• A member of the docs team has approved this change.

Additional information:

Adds a new Gateway WAF section under calico-enterprise/threat/gateway-waf/ documenting the per-route & namespaced WAF feature (OWASP CRS via a Coraza WASM filter on Envoy Gateway). 16 pages + sidebar category:

• Overview — big picture, CO/AO responsibility matrix, architecture flow.
• Concepts — policies/plugins/validation families; global vs namespaced; merge order + enforcement.
• Get started — operator-native enable (GatewayAPI.spec.extensions.waf.state + license); 5-minute quickstart.
• How-to — set a cluster baseline (CO); attach WAF to a Gateway/route (AO); write custom rules; validate with Rego; multi-tenant setup.
• Reference — 6-CRD family reference; Rego authoring contract; SecRule ID ranges; status conditions.
• Troubleshooting — symptom → cause → fix.

Also adds a deprecation note to threat/deploying-waf-ingress-gateway.mdx, which this feature supersedes.

Notes for reviewers:

• Uses the design-renamed short kinds (WAFPolicy, GlobalWAFPolicy, WAFPlugin, …) from designs#25, not the older WebApplicationFirewall* names in the ticket text.
• Validation is documented with Rego (package waf / violations) per designs#25 + cp#12137, not the prototype's CEL.
• Enablement is operator-native (no standalone Helm chart).
• The kubectl waf plugin, web UI/BFF (PMREQ-857), and L7 OTEL logging are out of scope here and referenced as "coming" at most.
• The prototype→GA migration guide in EV-6466's acceptance criteria is deferred to GA (this content is tech preview).
• Tracked follow-up: full removal + redirect of the legacy deploying-waf-ingress-gateway page.

Merge checklist:

• Deploy preview inspected wherever changes were made
• Build completed successfully
• Tests have passed

[netlify]

✅ Deploy Preview succeeded!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	96bb113
🔍 Latest deploy log	https://app.netlify.com/projects/tigera/deploys/6a1a0e7a22e2db00087e2b27
😎 Deploy Preview	https://deploy-preview-2758--tigera.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 87 (🟢 up 22 from production) Accessibility: 98 (no change from production) Best Practices: 83 (🔴 down 9 from production) SEO: 100 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for calico-docs-preview-next ready!

Name	Link
🔨 Latest commit	96bb113
🔍 Latest deploy log	https://app.netlify.com/projects/calico-docs-preview-next/deploys/6a1a0e7a354ddf0008e58978
😎 Deploy Preview	https://deploy-preview-2758--calico-docs-preview-next.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[electricjesus]

Build status — BUILD_NEXT=true yarn build (Docusaurus 3.10.1, Node 22.22, yarn 4.9.2):

✅ The new calico-enterprise/threat/gateway-waf/ pages compile cleanly and pass the broken-link check — the MDX build reaches the link checker (so all 16 pages parsed), and none of the flagged broken links are in this section.

⚠️ The full next build is currently red on pre-existing broken links in unrelated docs, not touched by this PR:

• /calico-cloud/next/networking/ → add-maglev-load-balancing, mark-lb-node-for-maintenance
• /calico/next/networking/configuring/add-maglev-load-balancing → ../../../operations/ebpf/enabling-ebpf#try-out-direct-server-return-mode

These are outside this PR's scope. Leaving the "Build completed successfully" checkbox unchecked until they're resolved (or confirmed handled by CI's build matrix).

[electricjesus]

Heads-up for reviewers: this PR introduces Mermaid to the docs site for the first time.

• Adds @docusaurus/theme-mermaid (package.json + yarn.lock) and registers it via themes: in docusaurus.config.js.
• The Gateway WAF overview's architecture diagram is now a Mermaid flowchart instead of ASCII — chosen over a static SVG so the diagram source stays diffable and reviewable (and editable by tooling).
• SSG note: the site builds with future.faster.ssgWorkerThreads, under which theme-mermaid's context hooks (useColorMode/useThemeConfig) throw a ReactContextError during worker-thread SSG. So the diagram renders client-side via <BrowserOnly> + @theme/Mermaid, and markdown.mermaid is deliberately left off — enabling it would auto-transform ```mermaid fences and crash the SSG build repo-wide. Future Mermaid diagrams should follow the same <BrowserOnly> pattern (or we revisit the worker-thread SSG flag).
• Verified locally with BUILD_NEXT=true yarn build: the gateway-waf pages SSG cleanly (the only build failure is pre-existing broken links in unrelated calico/calico-cloud next docs).

[electricjesus]

Update — reverted the Mermaid introduction; the architecture diagram is now a static SVG.

@docusaurus/theme-mermaid turned out to be incompatible with this repo's setup. Because the site runs three docs-plugin instances, @docusaurus/theme-common (which declares a @docusaurus/plugin-content-docs: "*" peer) gets instantiated as two yarn-berry virtual copies — the classic theme's <ColorModeProvider> and theme-mermaid's useColorMode() then bind different React contexts, throwing ReactContextError in both worker-thread SSG (future.faster.ssgWorkerThreads) and the browser.

Rather than repo-wide yarn packageExtensions/hoisting surgery, the diagram is now a static SVG at static/img/calico-enterprise/gateway-waf-architecture.svg (with descriptive alt text). The @docusaurus/theme-mermaid dependency and config change are removed (dcbfd002). This supersedes the earlier "introducing Mermaid" note above.