WAF onboarding flow

WAF onboarding flow

1. App created — Heroku add-on provision callback creates an App row.
2. Domain selection — customer picks the domain(s) to protect; Waf row created per apex.
3. Sucuri provisioning — SucuriSetupWorker calls Sucuri.add_site, sets origin, defaults.
4. Cert issuance — ProcessCertWorker requests a bridge cert from SSLStore, completes DCV, downloads cert.
5. SSL install — bridge cert pushed to Sucuri via Sucuri.add_certificate.
6. DNS pointing — customer updates their DNS to CNAME at the Sucuri edge.
7. Health checks — DNS resolves correctly → apps.dns_set_correctly = true; traffic flows.
8. Long-term cert handoff — Sucuri issues its own long-lived cert; bridge cert is retired. Customers still on bridge cert after this point are stalled — see bridge certs.

Each step writes a metric row; failure-state rows fire Honeybadger alerts.