diff --git a/.claude/WIP.md b/.claude/WIP.md
index a17a6b1d..54bbb51e 100644
--- a/.claude/WIP.md
+++ b/.claude/WIP.md
@@ -1,6 +1,6 @@
 # Work In Progress (Claude)
 
-_Last updated: 2026-02-14 (C3BOX 70 services verified)_
+_Last updated: 2026-02-14 (WAF architecture configured)_
 
 > **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
 
@@ -64,6 +64,13 @@ _Last updated: 2026-02-14 (C3BOX 70 services verified)_
 
 ### Just Completed (2026-02-14)
 
+- **WAF Architecture Configuration** — DONE (2026-02-14)
+  - WAF (mitmproxy) enabled for Streamlit apps and MetaBlogizer sites
+  - WAF bypass for infrastructure: Jellyfin, Mail, Glances, GoToSocial, Webmail
+  - Path ACLs (`/gk2/*`) bypass WAF - mitmproxy routes by host only
+  - 38 path ACLs configured with `waf_bypass=1`
+  - Architecture: HAProxy → mitmproxy (WAF) → Backend (filtered) or HAProxy → Backend (bypass)
+
 - **C3BOX SDLC Full Service Verification** — DONE (2026-02-14)
   - Verified all 70 services across 12 zones on C3BOX dashboard
   - Zones: *.cybermind.fr (2), *.cybermood.eu (2), *.ganimed.fr (2), *.maegia.tv (19), *.secubox.in (29), *.sb.local (4), *.secubox.local (2)