Fix CrowdSec review findings: observe metadata, idempotent Start, HasRestrictions, proto map alias

proxy/internal/restrict/restrict.go

@@ -174,7 +174,12 @@ func (v Verdict) String() string {
 
 // IsCrowdSec returns true when the verdict originates from a CrowdSec check.
 func (v Verdict) IsCrowdSec() bool {
-	return v >= DenyCrowdSecBan && v <= DenyCrowdSecUnavailable
+	switch v {
+	case DenyCrowdSecBan, DenyCrowdSecCaptcha, DenyCrowdSecThrottle, DenyCrowdSecUnavailable:
+		return true
+	default:
+		return false
+	}
 }
 
 // IsObserveOnly returns true when v is a CrowdSec verdict and the filter is in
@@ -306,5 +311,5 @@ func (f *Filter) HasRestrictions() bool {
 	}
 	return len(f.AllowedCIDRs) > 0 || len(f.BlockedCIDRs) > 0 ||
 		len(f.AllowedCountries) > 0 || len(f.BlockedCountries) > 0 ||
-		(f.CrowdSec != nil && f.CrowdSecMode != CrowdSecOff)
+		f.CrowdSecMode == CrowdSecEnforce || f.CrowdSecMode == CrowdSecObserve
 }

proxy/internal/restrict/restrict_test.go

@@ -403,4 +403,9 @@ func TestFilter_HasRestrictions_CrowdSec(t *testing.T) {
 	cs := &mockCrowdSec{ready: true}
 	f := ParseFilter(FilterConfig{CrowdSec: cs, CrowdSecMode: CrowdSecEnforce})
 	assert.True(t, f.HasRestrictions())
+
+	// Enforce mode without checker (LAPI not configured): still has restrictions
+	// because Check() will fail-closed with DenyCrowdSecUnavailable.
+	f2 := ParseFilter(FilterConfig{CrowdSec: nil, CrowdSecMode: CrowdSecEnforce})
+	assert.True(t, f2.HasRestrictions())
 }