diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9e7646da8..68253e515 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -394,6 +394,8 @@ jobs:
         uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           draft: true
+          name: v${{ github.ref_name }}
+          body_path: ${{ github.workspace }}/docs/changelog/CHANGELOG-latest.md
           files: |
             ./artifacts/**/*.tar.gz
             ./artifacts/**/*.sha256
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0fc547ac1..d49804e34 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -209,11 +209,9 @@ jobs:
           name: coverage_${{ matrix.suffix }}_${{ matrix.arch }}
           path: ${{ github.workspace }}/Debug/coverage-${{ matrix.suffix }}-${{ matrix.arch }}.json
 
-  upload-coverage:
+  generate-coverage:
     needs: [ coverage ]
     runs-on: ubuntu-24.04
-    environment:
-      name: dd-protected-coverage
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -223,10 +221,6 @@ jobs:
         with:
           path: artifacts
 
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
-        with:
-          node-version: 24
-
       - name: Install dependencies
         run: |
           sudo apt update
@@ -234,7 +228,7 @@ jobs:
           python3 -m venv .venv
           source .venv/bin/activate
           pip install gcovr==7.2
-          npm install -g @datadog/datadog-ci
+
       - name: Generate coverage
         run: |
           source .venv/bin/activate
@@ -243,10 +237,28 @@ jobs:
           mkdir -p coverage
           gcovr --merge-mode-functions merge-use-line-0 --json-add-tracefile "artifacts/*/coverage-*.json" --html-details coverage/coverage.html
 
-      - name: Submit coverage (DataDog)
-        run: datadog-ci coverage upload coverage.xml
-        env:
-          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: coverage
+          path: ${{ github.workspace }}/coverage/
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: coverage-xml
+          path: ${{ github.workspace }}/coverage.xml
+
+  upload-to-codecov:
+    needs: [ generate-coverage ]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          submodules: recursive
+
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: coverage-xml
+          path: .
 
       - name: Submit coverage (CodeCov)
         uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7
@@ -255,10 +267,34 @@ jobs:
           flags: waf_test
           verbose: true
           files: coverage.xml
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+
+  upload-to-datadog:
+    needs: [ generate-coverage ]
+    runs-on: ubuntu-24.04
+    if: github.ref == 'refs/heads/master'
+    environment:
+      name: dd-protected-coverage
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          name: coverage
-          path: ${{ github.workspace }}/coverage/
+          submodules: recursive
+
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: coverage-xml
+          path: .
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
+        with:
+          node-version: 24
+
+      - name: Install datadog-ci
+        run: npm install -g @datadog/datadog-ci
+
+      - name: Submit coverage (DataDog)
+        run: datadog-ci coverage upload coverage.xml
+        env:
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
 
   lint:
     runs-on: ubuntu-24.04
diff --git a/BINDING_IMPL_NOTES.md b/BINDING_IMPL_NOTES.md
deleted file mode 100644
index 49919f8e5..000000000
--- a/BINDING_IMPL_NOTES.md
+++ /dev/null
@@ -1,158 +0,0 @@
-# Implementation notes for bindings
-
-
-## `ddwaf_handle`
-
-`ddwaf_handle` represents a rule set, with associated rule data, exclusions,
-and so on. It is created through `ddwaf_init` and `ddwaf_update`.
-
-A tracer will want to keep only one live `ddwaf_handle`. The first one will be
-created through `ddwaf_init`, and then it will replace it through
-`ddwaf_update` as it gets new configurations through remote config.
-
-The two relevant operations on `ddwaf_handle` are `ddwaf_context_init` and
-`ddwaf_update`. Neither of these operations changes the `ddwaf_handle`. So, at
-this point, it is sufficient to ensure that threads calling
-`ddwaf_context_init` and `ddwaf_update` see a fully constructed `ddwaf_handle`
-— put in other words, it is sufficient that the write to the pointer/reference
-happens after `ddwaf_init/update` is called (as seen by other threads). For
-this, a release-acquire operation suffices:
-
-```c++
-std::atomic<ddwaf_handle> cur_ddwaf_handle; // global variable; the live handle
-
-// Initialization thread
-void initialize_handle(
-    const ddwaf_object *ruleset, const ddwaf_config *config, ddwaf_object *diagnostics)
-{
-    ddwaf_handle new_handle = ddwaf_init(ruleset, config, diagnostics);
-    if (new_handle == nullptr) { /* handle error */}
-    cur_ddwaf_handle.store(new_handle, std::memory_order_release);
-}
-
-// Request thread
-ddwaf_context create_context() {
-    ddwaf_handle handle = cur_ddwaf_handle.load(std::memory_order_acquire);
-    if (handle == nullptr) { /* handle error */ }
-    return ddwaf_context_init(handle);
-}
-```
-
-However, there is a potential problem when you update the live handle. While
-libddwaf refcounts the `ddwaf_handle` and ensures that its memory is not
-reclaimed until all associated `ddwaf_context`s have been destroyed, it cannot
-prevent a use-after-free in this situation:
-
-```c++
-// Remote config thread
-void update_handle(const ddwaf_object *ruleset, ddwaf_object *diagnostics)
-{
-    ddwaf_handle old_handle = cur_ddwaf_handle.load(std::memory_order_acquire);
-    ddwaf_handle new_handle = ddwaf_update(old_handle, ruleset, diagnostics);
-    cur_ddwaf_handle.store(new_handle, std::memory_order_release);
-
-    // will free the memory if no ddwaf_contexts are associated with it:
-    ddwaf_destroy(old_handle);
-}
-
-// Request thread
-ddwaf_context create_context() {
-    ddwaf_handle handle = cur_ddwaf_handle.load(std::memory_order_acquire);
-    if (handle == nullptr) { /* handle error */ }
-    // XXX: the handle fetched may have been destroyed in the interim
-    return ddwaf_context_init(handle);
-}
-```
-
-That is, the old `ddwaf_handle` can only be destroyed once we can be guaranteed
-that no other thread will try to create a new context from it (or update it
-through `ddwaf_update`, though that is less of a problem because generally the
-tracers will not want to update the global `ddwaf_handle` from several threads
-simultaneously).
-
-There are many possible strategies to deal with this memory reclamation
-problem, but the most straightforward are:
-
-* If the runtime uses garbage collection, we can delay the call to
-  `ddwaf_destroy` until the garbage collector determines the object wrapping
-  the native `ddwaf_handle` has no more references. This is relatively easy to
-  do and doesn't involve extra usage of locks, but the memory used by the
-  `ddwaf_handle` will not be available until the garbage collector decides
-  to reclaim the wrapped object. Because the garbage collector does not see
-  the memory being used by the `ddwaf_handle`, if garbage collection never
-  happens, there is a risk that memory consumption gets too high. This is a
-  rather unlikely scenario though.
-
-* You can use read-write locks:
-
-```c++
-// global variables
-std::shared_mutex mutex;
-ddwaf_handle cur_ddwaf_handle;
-
-// Initialization thread
-void initialize_handle(
-    const ddwaf_object *ruleset, const ddwaf_config *config, ddwaf_object *diagnostics)
-{
-    ddwaf_handle new_handle = ddwaf_init(ruleset, config, diagnostics);
-    if (new_handle == nullptr) { /* handle error */}
-
-    std::unique_lock lock{mutex}; // acquire write lock
-    cur_ddwaf_handle = new_handle;
-    // write lock released on return
-}
-
-// Remote config thread
-void update_handle(const ddwaf_object *ruleset, ddwaf_object *diagnostics)
-{
-    std::unique_lock lock{mutex}; // acquire write lock
-    ddwaf_handle old_handle = cur_ddwaf_handle.load(std::memory_order_acquire);
-    ddwaf_handle new_handle = ddwaf_update(old_handle, ruleset, diagnostics);
-    cur_ddwaf_handle = new_handle;
-    ddwaf_destroy(old_handle);
-    // write lock released on return
-}
-
-// Request thread
-ddwaf_context create_context() {
-    std::shared_lock lock{mutex}; // acquire read lock
-    if (cur_ddwaf_handle == nullptr) { /* handle error */ }
-    return ddwaf_context_init(cur_ddwaf_handle);
-    // read lock released on return
-}
-```
-
-## `ddwaf_context`
-
-On the other hand, `ddwaf_context` is not thread-safe. If a `ddwaf_context` is
-used by multiple threads (in web servers where the processing of the request
-can move between several threads, or happen in several threads simultaneously),
-you need to use locks so that calls to `ddwaf_context_eval/destroy` are not run
-concurrently, and that changes made to the `ddwaf_context` in one thread through
-`ddwaf_context_eval/destroy` are visible to the other threads subsequently run
-`ddwaf_context_eval/destroy` on the same context. You also need to ensure that no calls
-to `ddwaf_context_eval/destroy` happen after `ddwaf_destroy` is called.
-
-```c++
-// each request will have one of these associated with it
-struct ctx_wrapper {
-    std::mutex mutex;
-    ddwaf_context ctx;
-};
-
-DDWAF_RET_CODE run_waf(
-    ctx_wrapper &wrapper, ddwaf_object *data, ddwaf_object *result, uint64_t timeout)
-{
-    std::lock_guard<std::mutex> lock{wrapper.mutex}; // acquire exclusive lock
-    if (wrapper.ctx == nullptr) { /* context already destroyed */ }
-    return ddwaf_context_eval(wrapper.ctx, data, result, timeout);
-    // lock is released on return
-}
-
-void destroy_ctx(ctx_wrapper &wrapper) {
-    std::lock_guard<std::mutex> lock{wrapper.mutex};
-    if (wrapper.ctx == nullptr) { /* context already destroyed */ }
-    ddwaf_context_destroy(wrapper.ctx);
-    wrapper.ctx = nullptr;
-}
-```
diff --git a/README.md b/README.md
index 6a8617470..b7658106a 100644
--- a/README.md
+++ b/README.md
@@ -100,28 +100,47 @@ rules:
 
 int main()
 {
+    auto alloc = ddwaf_get_default_allocator();
+
     YAML::Node doc = YAML::Load(waf_rule.data());
 
-    auto rule = doc.as<ddwaf_object>();//= convert_yaml_to_args(doc);
-    ddwaf_handle handle = ddwaf_init(&rule, nullptr, nullptr);
-    ddwaf_object_free(&rule);
+    auto rule = doc.as<ddwaf_object>();
+
+    ddwaf_builder builder = ddwaf_builder_init();
+    ddwaf_object diagnostics;
+    bool success = ddwaf_builder_add_or_update_config(builder, "config", 6, &rule, &diagnostics);
+    ddwaf_object_destroy(&rule, alloc);
+    ddwaf_object_destroy(&diagnostics, alloc);
+
+    if (!success) {
+        ddwaf_builder_destroy(builder);
+        return EXIT_FAILURE;
+    }
+
+    ddwaf_handle handle = ddwaf_builder_build_instance(builder);
+    ddwaf_builder_destroy(builder);
+
     if (handle == nullptr) {
         return EXIT_FAILURE;
     }
 
-    ddwaf_context context = ddwaf_context_init(handle);
+    ddwaf_context context = ddwaf_context_init(handle, alloc);
     if (context == nullptr) {
         ddwaf_destroy(handle);
         return EXIT_FAILURE;
     }
 
-    ddwaf_object root, tmp;
-    ddwaf_object_map(&root);
-    ddwaf_object_map_add(&root, "arg1", ddwaf_object_string(&tmp, "string 1"));
-    ddwaf_object_map_add(&root, "arg2", ddwaf_object_string(&tmp, "string 2"));
+    ddwaf_object root;
+    ddwaf_object_set_map(&root, 2, alloc);
+
+    ddwaf_object *arg1 = ddwaf_object_insert_literal_key(&root, "arg1", 4, alloc);
+    ddwaf_object_set_string_literal(arg1, "string 1", 8);
+
+    ddwaf_object *arg2 = ddwaf_object_insert_literal_key(&root, "arg2", 4, alloc);
+    ddwaf_object_set_string_literal(arg2, "string 2", 8);
 
     ddwaf_object ret;
-    auto code = ddwaf_context_eval(context, &root, nullptr, &ret, 1000000 /* microseconds */);
+    auto code = ddwaf_context_eval(context, &root, alloc, &ret, 1000000 /* microseconds */);
     std::cout << "Output second run: " << code << '\n';
     if (code == DDWAF_MATCH) {
         YAML::Emitter out(std::cout);
@@ -131,7 +150,7 @@ int main()
         out << object_to_yaml(ret);
     }
 
-    ddwaf_object_free(&ret);
+    ddwaf_object_destroy(&ret, alloc);
 
     ddwaf_context_destroy(context);
     ddwaf_destroy(handle);
@@ -151,62 +170,71 @@ struct as_if<ddwaf_object, void>
 {
     explicit as_if(const Node& node_) : node(node_) {}
 
-    static ddwaf_object yaml_to_object_helper(const Node& node)
+    static ddwaf_object yaml_to_object_helper(const Node& node, ddwaf_allocator alloc)
     {
         ddwaf_object arg;
         switch (node.Type())
         {
             case NodeType::Sequence:
-                ddwaf_object_array(&arg);
+                ddwaf_object_set_array(&arg, 0, alloc);
                 break;
             case NodeType::Map:
-                ddwaf_object_map(&arg);
+                ddwaf_object_set_map(&arg, 0, alloc);
                 break;
             case NodeType::Scalar:
-                ddwaf_object_string(&arg, node.Scalar().c_str());
+            {
+                auto scalar = node.Scalar();
+                ddwaf_object_set_string(&arg, scalar.c_str(), scalar.length(), alloc);
                 break;
+            }
             case NodeType::Null:
-                ddwaf_object_null(&arg);
+                ddwaf_object_set_null(&arg);
                 break;
             case NodeType::Undefined:
             default:
-                ddwaf_object_invalid(&arg);
+                ddwaf_object_set_invalid(&arg);
                 break;
         }
         return arg;
     }
 
-    ddwaf_object operator()() const {
-        std::list<std::tuple<ddwaf_object&, YAML::Node, YAML::Node::const_iterator>> stack;
+    ddwaf_object operator()() const
+    {
+        auto alloc = ddwaf_get_default_allocator();
+        std::list<std::tuple<ddwaf_object *, YAML::Node, YAML::Node::const_iterator>> stack;
 
-        ddwaf_object root = yaml_to_object_helper(node);
+        ddwaf_object root = yaml_to_object_helper(node, alloc);
         if (root.type == DDWAF_OBJ_MAP || root.type == DDWAF_OBJ_ARRAY) {
-            stack.emplace_back(root, node, node.begin());
+            stack.emplace_back(&root, node, node.begin());
         }
 
         while (!stack.empty()) {
             auto current_depth = stack.size();
             auto &[parent_obj, parent_node, it] = stack.back();
 
-            for (;it != parent_node.end(); ++it) {
+            for (; it != parent_node.end(); ++it) {
                 YAML::Node child_node = parent_node.IsMap() ? it->second : *it;
-                auto child_obj = yaml_to_object_helper(child_node);
-                if (parent_obj.type == DDWAF_OBJ_MAP) {
+                auto child_obj = yaml_to_object_helper(child_node, alloc);
+                ddwaf_object *child_ptr = nullptr;
+                if (parent_obj->type == DDWAF_OBJ_MAP) {
                     auto key = it->first.as<std::string>();
-                    ddwaf_object_map_add(&parent_obj, key.c_str(), &child_obj);
-                } else if (parent_obj.type == DDWAF_OBJ_ARRAY) {
-                    ddwaf_object_array_add(&parent_obj, &child_obj);
+                    child_ptr = ddwaf_object_insert_key(parent_obj, key.c_str(), key.size(), alloc);
+                    *child_ptr = child_obj;
+                } else if (parent_obj->type == DDWAF_OBJ_ARRAY) {
+                    child_ptr = ddwaf_object_insert(parent_obj, alloc);
+                    *child_ptr = child_obj;
                 }
 
                 if (child_obj.type == DDWAF_OBJ_MAP || child_obj.type == DDWAF_OBJ_ARRAY) {
-                    auto &child_ptr = parent_obj.array[parent_obj.nbEntries - 1];
                     stack.emplace_back(child_ptr, child_node, child_node.begin());
                     ++it;
                     break;
                 }
             }
 
-            if (current_depth == stack.size()) { stack.pop_back(); }
+            if (current_depth == stack.size()) {
+                stack.pop_back();
+            }
         }
         return root;
     }
@@ -228,19 +256,25 @@ YAML::Node object_to_yaml_helper(const ddwaf_object &obj)
     YAML::Node output;
     switch (obj.type) {
     case DDWAF_OBJ_BOOL:
-        output = obj.boolean;
+        output = ddwaf_object_get_bool(&obj);
         break;
     case DDWAF_OBJ_SIGNED:
-        output = obj.intValue;
+        output = ddwaf_object_get_signed(&obj);
         break;
     case DDWAF_OBJ_UNSIGNED:
-        output = obj.uintValue;
+        output = ddwaf_object_get_unsigned(&obj);
         break;
     case DDWAF_OBJ_FLOAT:
-        output = obj.f64;
+        output = ddwaf_object_get_float(&obj);
         break;
     case DDWAF_OBJ_STRING:
-        output = std::string{obj.stringValue, obj.nbEntries};
+    case DDWAF_OBJ_LITERAL_STRING:
+    case DDWAF_OBJ_SMALL_STRING:
+        {
+            size_t length;
+            const char* str = ddwaf_object_get_string(&obj, &length);
+            output = std::string{str, length};
+        }
         break;
     case DDWAF_OBJ_MAP:
         output = YAML::Load("{}");
@@ -260,7 +294,7 @@ YAML::Node object_to_yaml_helper(const ddwaf_object &obj)
 
 YAML::Node object_to_yaml(const ddwaf_object &obj)
 {
-    std::list<std::tuple<const ddwaf_object&, YAML::Node, std::size_t>> stack;
+    std::list<std::tuple<const ddwaf_object &, YAML::Node, std::size_t>> stack;
 
     YAML::Node root = object_to_yaml_helper(obj);
     if (obj.type == DDWAF_OBJ_MAP || obj.type == DDWAF_OBJ_ARRAY) {
@@ -271,21 +305,34 @@ YAML::Node object_to_yaml(const ddwaf_object &obj)
         auto current_depth = stack.size();
         auto &[parent_obj, parent_node, index] = stack.back();
 
-        for (;index <parent_obj.nbEntries; ++index) {
-            auto &child_obj = parent_obj.array[index];
-            auto child_node = object_to_yaml_helper(child_obj);
-
+        size_t size = ddwaf_object_get_size(&parent_obj);
+        for (; index < size; ++index) {
+            const ddwaf_object *child_obj = nullptr;
             if (parent_obj.type == DDWAF_OBJ_MAP) {
-                std::string key{child_obj.parameterName, child_obj.parameterNameLength};
+                child_obj = ddwaf_object_at_value(&parent_obj, index);
+                auto *key_obj = ddwaf_object_at_key(&parent_obj, index);
+                size_t key_len;
+                const char* key_str = ddwaf_object_get_string(key_obj, &key_len);
+                std::string key{key_str, key_len};
+
+                auto child_node = object_to_yaml_helper(*child_obj);
                 parent_node[key] = child_node;
+
+                if (child_obj->type == DDWAF_OBJ_MAP || child_obj->type == DDWAF_OBJ_ARRAY) {
+                    stack.emplace_back(*child_obj, child_node, 0);
+                    ++index;
+                    break;
+                }
             } else if (parent_obj.type == DDWAF_OBJ_ARRAY) {
+                child_obj = ddwaf_object_at_value(&parent_obj, index);
+                auto child_node = object_to_yaml_helper(*child_obj);
                 parent_node.push_back(child_node);
-            }
 
-            if (child_obj.type == DDWAF_OBJ_MAP || child_obj.type == DDWAF_OBJ_ARRAY) {
-                stack.emplace_back(child_obj, child_node, 0);
-                ++index;
-                break;
+                if (child_obj->type == DDWAF_OBJ_MAP || child_obj->type == DDWAF_OBJ_ARRAY) {
+                    stack.emplace_back(*child_obj, child_node, 0);
+                    ++index;
+                    break;
+                }
             }
         }
 
@@ -317,39 +364,25 @@ rules:
 ```
 
 applied to the `http.server.query` value `http://localhost/?q=<script>alert() hello world` produces the following result:
-```json
-[
-  {
-    "rule": {
-      "id": "crs-042-001",
-      "name": "Detect a script tag",
-      "tags": {
-        "category": "attack_attempt",
-        "type": "xss"
-      }
-    },
-    "rule_matches": [
-      {
-        "operator": "match_regex",
-        "operator_value": "^<script>",
-        "parameters": [
-          {
-            "address": "http.server.query",
-            "key_path": [
-              "q"
-            ],
-            "value": "<script>alert() hello world",
-            "highlight": [
-              "<script>"
-            ]
-          }
-        ]
-      }
-    ]
-  }
-]
+```yaml
+- rule:
+    id: crs-042-001
+    name: Detect a script tag
+    tags:
+      category: attack_attempt
+      type: xss
+  rule_matches:
+    - operator: match_regex
+      operator_value: ^<script>
+      parameters:
+        - address: http.server.query
+          key_path:
+            - q
+          value: <script>alert() hello world
+          highlight:
+            - <script>
 ```
 
 ## Binding implementation notes
 
-See [`BINDING_IMPL_NOTES.md`](./BINDING_IMPL_NOTES.md).
+See [`docs/c-api/binding-integration-guide.md`](docs/c-api/binding-integration-guide.md).
diff --git a/UPGRADING.md b/UPGRADING.md
index d1f9b83d6..56bd7cbd5 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -1,991 +1 @@
-# Upgrading libddwaf
-
-## Upgrading from `1.29.x` to `1.30.0`
-This new version introduces no new features, however the recently introduced `block_id` action parameter has been renamed to `security_response_id` for consistency.
-
-## Upgrading from `1.27.x` to `1.28.0`
-
-This new version of `libddwaf` introduces no breaking changes to the API / ABI , however it does change the returned type of the following actions parameters:
-
-- Action type `block_request`:
-  - `grpc_status_code` and `status_code` are now provided as unsigned integers (`uint64_t`) rather than strings.
-- Action type `redirect_request`:
-  - `status_code` is now provided as an unsigned integer (`uint64_t`) rather than a string.
-
-The type changes specified above do not depend on the original parameter type provided in configuration, as these status codes are converted and validated internally.
-
-## Upgrading from `1.24.x` to `1.25.0`
-
-### Evaluation Result
-
-The main breaking change in this version of `libddwaf` is the removal of the `ddwaf_result` structure, which has been replaced by a `ddwaf_object`. Replacing C-structs with `ddwaf_object` furthers the objective of minimising the potential breaking changes that can be made, in this case to the ABI, as the dynamic nature of the `ddwaf_object` allows for adding or removing keys and values without the need for adjusting structure offsets or recompilation.
-
-With this change, the signature of `ddwaf_run` is as follows:
-```c
-DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *persistent_data, ddwaf_object *ephemeral_data, ddwaf_object *result,  uint64_t timeout);
-```
-The schema of the result object can be seen below:
-```
-{
-  "timeout": <boolean>,
-  "keep": <boolean>,
-  "duration": <unsigned>, 
-  "events": <array>,
-  "actions": <map>,
-  "attributes": <map>
-}
-```
-
-Where each of the fields has the following description:
-- `timeout`: formerly `ddwaf_result::timeout`, specifies whether there has been a timeout during the current call to `ddwaf_run`.
-- `keep`: a new field which specifies whether the data provided must override sampling.
-- `duration`: formerly `ddwaf_result::total_runtime`, provides the duration in nanoseconds of the current call to `ddwaf_run`.
-- `events`: formerly `ddwaf_result::events`, consists in an array of events generated as a result of the rule evaluation process.
-- `actions`: formerly `ddwaf_result::actions`, consists in a map of the actions, and their parameters, generated as a result of the rule evaluation process.
-- `attributes`: formerly `ddwaf_result::derivatives`, consists in a map of all generated attributes, such as schemas, fingerprints or rule attributes.
-
-In addition, the function `ddwaf_object_find` has been introduced to simplify the process of finding keys from an object of type map, although since maps are simple key-value arrays the operation has O(n) complexity. As a consequence it's only recommended for testing purposes.
-
-As an example, the following code using `ddwaf_result`
-
-```c
-ddwaf_result ret;
-auto code = ddwaf_run(context, &root, nullptr, &ret, LONG_TIME);
-if (code == DDWAF_MATCH) {
-    cout << object_to_yaml(&ret.events);
-}
-ddwaf_result_free(&ret);
-```
-
-
-Can be replaced as follows:
-
-```c
-ddwaf_object ret;
-auto code = ddwaf_run(context, &root, nullptr, &ret, LONG_TIME);
-if (code == DDWAF_MATCH) {
-    const ddwaf_object *events = ddwaf_object_find(&ret, "events", sizeof("events") - 1);
-    cout << object_to_yaml(events);
-}
-ddwaf_object_free(&ret);
-```
-
-Finally, extracting all relevant objects can be done efficiently through a loop as follows:
-
-```c
-const ddwaf_object *events = NULL, *actions = NULL, *attributes = NULL,
-             *keep = NULL, *duration = NULL, *timeout = NULL;
-for (size_t i = 0; i < ddwaf_object_size(&ret); ++i) {
-    const ddwaf_object *child = ddwaf_object_get_index(&ret, i);
-    if (child == NULL) { /* handle failure */ }
-
-    size_t length = 0;
-    const char *key = ddwaf_object_get_key(child, &length);
-    if (key == NULL) { /* handle failure */ }
-
-    if (length == (sizeof("events") - 1) && memcmp(key, "events", length) == 0) {
-        events = child;
-    } else if (length == (sizeof("actions") - 1) && memcmp(key, "actions", length) == 0) {
-        actions = child;
-    } else if (length == (sizeof("attributes") - 1) && memcmp(key, "attributes", length) == 0) {
-        attributes = child;
-    } else if (length == (sizeof("keep") - 1) && memcmp(key, "keep", length) == 0) {
-        keep = child;
-    } else if (length == (sizeof("duration") - 1) && memcmp(key, "duration", length) == 0) {
-        duration = child;
-    } else if (length == (sizeof("timeout") - 1) && memcmp(key, "timeout", length) == 0) {
-        timeout = child;
-    }
-}
-
-/* Perform any relevant operations with the extracted objects */
-
-ddwaf_object_free(&ret);
-```
-## Upgrading from `1.22.0` to `1.23.0`
-
-### WAF Builder
-The WAF builder is a new mechanism for generating WAF instances through the use of independent, partial and potentially overlapping configurations, effectively mirroring the process performed by the security libraries when consolidating configurations obtained through remote configuration. The outcome of the builder is equivalent to merging all available configurations into a single one, however the process is tailored towards continuous generation of instances based on the addition, update and removal of partial or complete configurations, while reusing internal objects as much as possible.
-
-> [!WARNING]
-> As a consequence of the introduction of this new interface, the `ddwaf_update` function has been deprecated and removed, as the semantics of the configurations expected by this function are incompatible with those used by the new builder API. ***
-
-In previous versions of `libddwaf`, configurations provided during `ddwaf_update` were required to be a map containing at least one of the supported top-level keys (e.g. `rules`, `exclusions`, `processors`, etc) and each of these represented the complete set of primitives of the given type. For example, a configuration containing `rules` was required to contain all rules, meaning that a future configuration update containing `rules` would result in the complete replacement of the old set with the new one. With this model, when generating a single WAF instance with multiple configurations, each of them was required to be non-overlapping.
-
-In this new version, configurations are still required to be a map, containing  at least one of the supported top-level keys, however they must also be provided with a "path", which represents a unique identifier for the given configuration and does not need to follow any particular schema; when the configuration is obtained through remote configuration, the path value must be the one obtained through it. In addition, configurations are now assumed to be overlapping, meaning that the top-level key need not represent the complete set of primitives for the given type as they will be treated as though the set is always partial and may be extended through other configurations. For example, two configurations may contribute new rules by providing the `rules` top-level key, trusting that the WAF builder will take care of the merging process.
-
-#### Builder Lifecycle
-
-The lifetime of the WAF builder should be linked to that of the remote configuration client, as its main purpose is to consume configuration additions, updates and removals as they are produced. Generally, a builder will have a consistent state throughout its lifetime, ensuring that memory use is always limited to objects contained within the loaded configurations. 
-
-Currently, the instantiation of the builder optionally requires `ddwaf_config`, a structure which allows the user to configure the evaluation limits, the obfuscator regexes and the object free function. The interaction with `ddwaf_config` follows the same principles as `ddwaf_init`, i.e. if provided it'll override existing values, if `NULL`, defaults will be used instead. 
-
-> [!NOTE]
-> `ddwaf_config` should not be confused with the configurations obtained through remote configuration, which are provided as a `ddwaf_object`. This structure may be removed in the future in favour of passing obfuscator regexes and evaluation limits through configuration. 
-
-The following snippet shows the instantiation of a builder:
-
-```cpp
-ddwaf_config config{/* limits, obfuscator regexes and free function */};
-
-// Instantiate a new builder using the previously defined ddwaf_config
-ddwaf_builder builder = ddwaf_builder_init(config);
-```
-
-At this stage, configurations may be added, updated and removed and, once ready, a WAF instance can be created as follows:
-
-```cpp
-// Build a new WAF instance, handle any potential failure by checking for NULL
-ddwaf_handle handle = ddwaf_builder_build_instance(&builder);
-if (handle == NULL) { /* handle failure */ }
-```
-
-The generated WAF instance is then available for use, and it's completely independent of the builder itself, meaning that freeing one should have no impact on the other and vice-versa. The builder can continue being used in the background and once all configuration changes have been performed, a new handle can be instantiated:
-
-```cpp
-ddwaf_handle new_handle = ddwaf_builder_build_instance(&builder)
-if (new_handle == NULL) {
-    // handle failure
-}
-ddwaf_destroy(&handle);  
-```
-Note that the two WAF instances can coexist if needed, albeit it's more likely that only one will be required. Finally, at the end of the builder's lifecycle, the memory associated with it must be released as follows:
-
-```cpp
-// At the end of application's lifetime, destroy the builder
-ddwaf_builder_destroy(&builder);
-```
-
-#### Adding, updating and removing configurations
-
-> [!CAUTION] 
-> Builder access and modification is not thread-safe, users must ensure that it's only used from one thread or they must synchronize uses from separate threads, e.g. using a mutex.
-
-The process of adding or updating configurations is a relatively simple one. Firstly, configurations must be provided as a `ddwaf_object` of type `map` and a separate `path` representing its unique identifier. For example: 
-```c
-// Generate the configuration as a map containing any of the expected top-level keys, such as `rules, exclusions, etc.
-ddwaf_object configuration;
-ddwaf_object_map(&configuration);
-...
-
-// Use a unique path for this configuration
-const char *path = "path/to/configuration/rules-c555e7ee647a3d72c2cb60a32767d586";
-uint32_t path_len = (uint32_t)strlen(path);
-```
-
-With that in hand, configurations can be added or updated with `ddwaf_builder_add_or_update_config`, letting the builder handle any update-specific logic. This function will also provide any diagnostics derived from the parsing and conversion process, this will include any errors and warnings as well as details regarding the IDs of the elements loaded, failed or skipped. Note that once the configuration is loaded, the memory associated with it must be freed by the caller:
-
-```c
-ddwaf_object diagnostics;
-ddwaf_object_invalid(&diagnostics);
-
-bool result = ddwaf_builder_add_or_update_config(&builder, path, path_len, &configuration, &diagnostics);
-ddwaf_object_free(&configuration);
-
-if (!result) { /* Failed to load configuration, check diagnostics */ }
-```
-The addition or update may fail in certain circumstances, as denoted by the returned boolean value. This may happen when invalid arguments are provided, when the configuration could not be parsed or when it doesn't yield any meaningful results, e.g. none of the primitives within are compatible.
-
-In contrast, the removal process only requires the path and it's performed through the `ddwaf_builder_remove_config` function, as can be seen on the example below:
-
-```c
-bool result = ddwaf_builder_remove_config(&builder, path, path_len);
-if (!result) { /* Non critical error, possibly indicating a bug in the user's implementation */}
-```
-
-The removal process returns a boolean value indicating success or failure, however failure in this instance only indicates that either the arguments provided were invalid or the configuration didn't actually exist.
-
-### Warning and Error Diagnostics
-In this new version, diagnostics have been split into two categories: warnings and errors. Warnings represent diagnostics which typically indicate an incompatibility between the provided configuration and the given version of `libddwaf`. On the other hand, errors indicate a more relevant failure, one which may indicate that the configuration is malformed or incomplete. In addition, a new top-level `error` field has been introduced to account for a potential global configuration parsing error.
-
-With that in mind, the schema of the diagnostics is roughly as follows:
-
-```json
-{
-  "error": "<string, when present, no other keys should be available>",
-  "ruleset_version": "<version string>",
-  "(exclusions|rules|processors|rules_override|rules_data|custom_rules|actions|scanners)" : {
-    "error": "<string, when present, no other keys should be available>",
-    "loaded": [ "<ids>" ],
-    "failed": [ "<ids>" ],
-    "skipped": [ "<ids>" ],
-    "errors": {
-      "<message>" : [ "<ids>" ],
-    },
-    "warnings": {
-      "<message>" : [ "<ids>" ],
-    }
-  }
-}
-```
-#### Rephrased diagnostics
-
-The following diagnostics have been slightly changed or rephrased, any monitors targeting them may need to be updated:
-- `unknown type '<name>'` is now `unknown type: '<name>'`.
-- `unknown matcher: <name>` is now `unknown operator: '<name>'` and has been demoted to a `warning`.
-- `invalid transformer <name>` is now `unknown transformer: '<name>'` and has been demoted to a `warning`.
-- `unknown generator '<name>'` is now `unknown generator: '<name>'`  and has been demoted to a `warning`.
-
-The following diagnostics have only been downgraded to warnings:
-- `unsupported schema version: <number>.x`
-- `unsupported operator version <operator name>@<version>, current <operator name>@<current version>`
-
-## Upgrading from `1.16.x` to `1.17.x`
-
-### Action semantics
-
-In order to support non-blocking actions, and specifically those with dynamic parameters, a number changes have been introduced in this version.
-
-The first change introduced is that users must now provide action definitions during the initialisation or update process. This information is used internally to understand the nature of an action and, more specifically, the nature of the side-effects of a rule. While this version doesn't yet take advantage of this information for rule scheduling, it does so in order to dynamically generate stack IDs when the `stack_trace` action is produced by a rule. As a reminder, action definitions have the following rough schema:
-
-```json
-{
-  "actions": [{
-    "id": "<id: string>",
-    "type": "<type: string>",
-    "parameters": { "<kv map of parameters>" }
-  }]
-}
-```
-
-Secondly, since the definition of each action is now available internally, the schema of `ddwaf_result.actions` has been updated from an array of IDs to a map of action types, each containing its own set of parameters in string format:
-
-```json
-{
-  "block_request": {
-   "status_code": "403",
-   "type":  "auto"
-  }
-}
-```
-
-This means the caller no longer has to translate action IDs to their relevant definition and any blocking action conflicts are resolved internally following a simple set of rules:
-- When multiple actions of the same type are present, the first one produced has precedence.
-- An action of type`redirect_request` has priority over an action of type `block_request`.
-
-In addition, specific action types can now have dynamic parameters, such as the `generate_stack` action type, which requires the inclusion of a stack trace UUID in both the action parameters and the relevant event:
-
-```json
-{
-  "generate_stack": {
-    "stack_id": "f96a33a2-f5c1-11ee-99aa-9bdcccee26aa"
-  }
-}
-```
-
-Finally the following set of default actions are included:
-- `block`: of type `block_request`, requires the caller to block the request and provides the following default parameters:
-    - `status_code`: `403`
-    - `type`: `auto`
-    - `grpc_status_code`: `10`
-- `stack_trace`: of type `generate_stack`, requires the user to generate a stack trace with the UUID provided in the `stack_id` parameter.
-- `extract_schema`: of type `generate_schema`, instructs the user to call the WAF again with the relevant parameters required for schema generation.
-- `monitor`: an internal reserved action.
-
-### Action type specification
-The following sections describe the action types supported and their required parameters.
-
-**Note:** If an action provided in the `actions` top-level key is of an unknown and/or unsupported type, it will still be provided to the caller without validation.
-
-#### `block_request` action type
-The `block_request` action type instructs the caller to block the current request by overriding the response. The parameters required by this action type are the following:
-- `status_code`: corresponding to the HTTP response status code which should be used by the caller when overriding the response. The default value is `403`.
-- `type`: this value provides the caller with an indication of the response format, e.g. `json` or `html`. The default value is `auto`, indicating that the caller should use the `Accept` header to determine an appropriate response format.
-- `grpc_status_code`: specifically meant for gRPC requests, this represents the status code which should be used by the caller when overriding the response. The default value is `10`.
-
-If any of these parameters is missing in an action definition, the default value is used, for example:
-
-```json
-
-{
-  "id": "block",
-  "parameters": {
-    "status_code": "404",
-    "type": "auto"
-  },
-  "type": "block_request"
-},
-```
-Is missing the `grpc_status_code`, so the default value of `10` is used instead.
-
-#### `redirect_request` action type
-The `redirect_request` action type instructs the caller to override the response with a redirect response. The parameters required by this action are the following:
-- `status_code`: corresponding to the HTTP status code which should be used by the caller to redirect, this must be a value in the `300-399` range. If the value is outside of range or missing, the default value `303` is used instead.
-- `location`: specifies the URL to redirect to. This value must always be present and there is no predefined default.
-
-**Note:** If the `location` parameter is missing, the action is converted into a `block_request` action with default parameters.
-
-#### `generate_stack` action type
-The `generate_stack` action type instructs the caller to generate a stack trace. This action type requires no parameters; however, when triggered, it provides the `stack_id` that should be included in the stack trace to properly associate it with the relevant event. For example:
-
-```json
-{
-  "generate_stack": {
-    "stack_id": "b4c7aff3-8fb0-4f6a-1bc7-582700c46abe"
-  }
-}
-```
-
-#### `generate_schema` action type
-The `generate_shema` action type instructs the caller to let `libddwaf` know that it should generate the schema for the current request whenever ready. In the future, once some of the current limitations have been resolved, this might result in the automatic generation of the schema. This action type currently requires no parameters.
-
-## Upgrading from `1.14.0` to `1.15.0`
-
-### Interface changes
-
-With the introduction of ephemeral addresses, `ddwaf_run` now allows the caller to provide data as both persistent or ephemeral. The new signature can be seen below:
-```c
-DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *persistent_data,
-    ddwaf_object *ephemeral_data, ddwaf_result *result, uint64_t timeout);
-```
-
-Both `persistent_data` and `ephemeral_data` are nullable, however at least one of them has to be non-null for the call to be valid. Otherwise the call to `ddwaf_run` will return the error `DDWAF_ERR_INVALID_ARGUMENT`.
-
-The other interface change is the renaming of `ddwaf_required_addresses` to `ddwaf_known_addresses`, aside from the name change, the signature hasn't changed, as can be seen below:
-
-```c
-const char* const* ddwaf_known_addresses(const ddwaf_handle handle, uint32_t *size);
-```
-
-The reason for the name change is to better reflect the nature of the addresses provided by this function, which will now provide a list of all addresses seen by the WAF, regardless of whether they are required for rule, filter or processor evaluation, or whether they are optionally used when available, such as part of an exclusion filter for inputs or a processor mapping. A more accurate distinction, as well as a breakdown of the addresses required by each of the supported high-level features, is now provided as part of the diagnostics returned by `ddwaf_init` and `ddwaf_update`.
-
-Finally, `testPowerWAF` has been renamed to `waf_test`, while this isn't an interface change it might affect those building and testing the WAF directly.
-
-### Ephemeral addresses
-
-Ephemeral addresses is a new feature aimed at providing better support for protocols composed of a single request with multiple subrequests, such as gRPC client / server streaming or GraphQL. As the name implies, ephemeral addresses are short-lived:
-- These addresses are only used for evaluation of rules and exclusion filters during the `ddwaf_run` call in which they are provided; subsequent calls will have no access to these addresses.
-- At the end of `ddwaf_run` the memory associated with the ephemeral addresses is freed.
-
-As an example, these addresses can be used to evaluate independent gRPC messages within the context of the whole HTTP request. A call with the whole HTTP context and the first gRPC message could look as follows:
-```json
-{
-  "persistent": {
-    "server.request.headers.no_cookies": [ "..." ],
-    "server.request.uri.raw": "...",
-    "http.client_ip": "..."
-  },
-  "ephemeral": {
-    "grpc.server.request.message": { "..." }
-  }
-}
-```
-
-Subsequent calls only need to provide the relevant gRPC message data:
-```json
-{
-  "ephemeral": {
-    "grpc.server.request.message": { "..." }
-  }
-}
-```
-
-When using ephemeral addresses in this manner, each call is somewhat equivalent to creating a new context and providing all of the data at once for each message, however:
-- The new approach doesn't need to reevaluate the already evaluated persistent addresses for each gRPC message.
-- Consequently the new approach does not provide duplicate events for the already evaluated persistent addresses.
-- The performance impact should be much smaller when using the new approach since less rules need to be evaluated and the context can be reused rather than created & destroyed for each message.
-
-Finally, aside from the addresses themselves being ephemeral, the outcome of any evaluation with an ephemeral address is also ephemeral. The evaluation of any condition, from either rules, filters or processors, with ephemeral addresses will always be uncached, meaning that subsequent calls to `ddwaf_run` will reevaluate said conditions if relevant addresses are provided. 
-
-Similarly, any address, object or rule excluded as a result of the evaluation of an ephemeral address, either due to the filter condition matching on an ephemeral address or the excluded address being ephemeral, will only have effect for the duration of the `ddwaf_run` call. As a result, subsequent calls to `ddwaf_run` will be able to evaluate those previously excluded rules or addresses, unless filtered again.
-
-### Address diagnostics
-In order to provide more visibility regarding the breakdown of addresses per feature and whether they are required or optional, the latest version of the WAF introduces address diagnostics. These diagnostics can typically be obtained through a call to `ddwaf_init` or `ddwaf_update` and are broken down per feature, for example:
-
-```json
-
-{
-  "rules": {
-    "loaded": [
-      "a45b55fc-5b57-4002-90bf-58cdf296124c"
-    ],
-    "failed": [],
-    "errors": {},
-    "addresses": {
-      "required": [
-        "http.client_ip",
-        "usr.id",
-        "server.request.headers.no_cookies",
-        "graphql.server.all_resolvers",
-        "grpc.server.request.message",
-        "server.request.path_params",
-        "server.request.body",
-        "server.request.query",
-        "server.request.uri.raw",
-        "server.response.status",
-        "grpc.server.request.metadata"
-      ],
-      "optional": []
-    }
-  }
-}
-```
-
-The distinction between required and optional addresses depends on the feature:
-- Rules only have required addresses.
-- Exclusion filters have both required and optional addresses:
-  - The required addresses correspond to those used within the filter conditions, i.e. those which are required for the filter to be evaluated altogether.
-  - Currently the only optional addresses are those of the excluded inputs, e.g. a filter could exclude `http.client_ip` for a specific endpoint, this address would be optional since it's only used when available.
-- Processors also have both required and optional addresses:
-  - The required addresses correspond to those used within the processor conditions.
-  - The optional addresses correspond to each of the processor mappings, for example if a processor uses `server.request.body.raw` to generate `server.request.body`, the former would be considered optional.
-
-Other diagnostics, such as `rules_data` or `rules_override`, do not provide the addresses key.
-
-## Upgrading from `1.12.0` to `1.13.0`
-
-### Interface changes
-
-For historical reasons, the integer object constructors (signed, unsigned) didn't generate an object of a numerical type, but rather a string. This has been a source of confusion and, with the changes required for schema extraction, these functions have now been adjusted to provide the same semantics as all other constructors, meaning that they now generate a numerical object type rather than a string.
-
-Similarly, the numerical object constructors suffixed with `_force` have now been renamed to more accurately express their meaning:
-```cpp
-ddwaf_object* ddwaf_object_string_from_unsigned(ddwaf_object *object, uint64_t value);
-ddwaf_object* ddwaf_object_string_from_signed(ddwaf_object *object, int64_t value);
-```
-
-To summarize:
-- `ddwaf_object_signed` has been renamed to `ddwaf_object_string_from_signed`
-- `ddwaf_object_unsigned` has been renamed to `ddwaf_object_string_from_unsigned`
-- `ddwaf_object_signed_force` has been renamed to `ddwaf_object_signed`
-- `ddwaf_object_unsigned_force` has been renamed to `ddwaf_object_unsigned`
-
-### New object types
-
-Alongside the schema extraction preprocessor, two new types have been introduced to ensure a more accurate and complete schema can be produced. These are `float` and `null`, the former for completeness of the numerical types and the latter for its semantical value which, in the context of schema extraction, differs from invalid in that it signifies a null value rather than an unknown type.
-
-Library bindings with a mirrored definition of `ddwaf_object` should now include the `f64` field, of type `double`, in the value union:
-
-```cpp
-...
-    union
-    {
-        const char* stringValue;
-        uint64_t uintValue;
-        int64_t intValue;
-        ddwaf_object* array;
-        bool boolean;
-        double f64;
-    };
-...
-```
-This new field breaks with the naming convention of the current `ddwaf_object` definition, however it matches the naming convention of the future `ddwaf_object` definition which will be included in version 2.0.
-
-Similarly, those bindings mirroring the enum types should also include the two new types:
-```cpp
-...
-    // 64-bit float (or double) type
-    DDWAF_OBJ_FLOAT    = 1 << 6,
-    // Null type, only used for its semantical value
-    DDWAF_OBJ_NULL    = 1 << 7,
-...
-```
-
-These new types can now be created with their corresponding `ddwaf_object` constructors:
-```cpp
-ddwaf_object* ddwaf_object_null(ddwaf_object *object);
-ddwaf_object* ddwaf_object_float(ddwaf_object *object, double value);
-```
-
-And finally, float values can also be accessed with the corresponding getter:
-```cpp
-double ddwaf_object_get_float(const ddwaf_object *object);
-```
-
-### Derivatives in `ddwaf_result`
-
-Preprocessors in general and, more specifically the schema extraction preprocessor, now generate objects which need to be provided to the caller of `ddwaf_run`. For this reason, a new field has been introduced to `ddwaf_result` called `derivatives`, containing generated objects:
-```cpp
-struct _ddwaf_result
-{
-    ...
-    /** Map containing all derived objects in the format (address, value) **/
-    ddwaf_object derivatives;
-    /** Total WAF runtime in nanoseconds **/
-    uint64_t total_runtime;
-};
-```
-This new field is an object which will always contain a map of generated addresses and their arbitrary-type value, for example:
-
-```json
-{
-    "server.request.body.schema": [[8],{"len":2}]
-}
-```
-
-This object is freed with `ddwaf_result_free`, so necessary conversions or copies should be performed before disposing of the result structure.
-
-### New Linux builds 
-
-The new linux builds are currently released alongside the legacy linux builds for `aarch64` and `x86_64` and will not replace them for the time being. In addition to the two aforementioned architectures, support for `i386` and `armv7` has also been included. The new archives follow a different, more standarised, naming convention which consists of `libddwaf-<version>-<arch><sub>-<sys>-<env>[-<hash>].tar.gz` with `sys` being always `linux` and `env` always `musl`, which results in the following package names:
-- `libddwaf-1.13.0-x86_64-linux-musl.tar.gz`
-- `libddwaf-1.13.0-aarch64-linux-musl.tar.gz`
-- `libddwaf-1.13.0-i386-linux-musl.tar.gz`
-- `libddwaf-1.13.0-armv7-linux-musl.tar.gz`
-
-Which are not to be confused with the legacy builds, with the following package names:
-- `libddwaf-1.13.0-linux-x86_64.tar.gz`
-- `libddwaf-1.13.0-linux-aarch64.tar.gz`
-  
-The contents of each package is essentially equivalent to the legacy builds, however the new static builds do not provide or require a separate static `libc++` package as all static libraries have been packaged together within `libddwaf.a`. Note that the directory contained within each archive still follows the old naming convention, this will also be changed once the legacy builds have been deprecated.
-
-The new builds use version 16 of `libc++` and friends, compiled against musl `1.2.4` using `clang-16`.
-
-## Upgrading from `1.10.0` to `1.11.0`
-
-Version `1.11.0` introduces a number of breaking changes to the API, notably:
-- The `ruleset_info` structure has been replaced with a `ddwaf_object`, providing many more parsing diagnostics.
-- The `ddwaf_result::data` field containing the resulting events in JSON format has been replaced with a `ddwaf_object` containing an array of events in `ddwaf_result::events`.
-- The actions array has also been replaced by a `ddwaf_object` containing an array of strings.
-
-Finally it also introduces support for per-input transformers which, while not a breaking change, will also be explained here.
-
-### Ruleset Parsing diagnostics
-
-Before `1.11.0`, basic diagnostics were provided through the `ddwaf_ruleset_info` structure, with the following definition:
-
-```c
-struct _ddwaf_ruleset_info
-{
-    /** Number of rules successfully loaded **/
-    uint16_t loaded;
-    /** Number of rules which failed to parse **/
-    uint16_t failed;
-    /** Map from an error string to an array of all the rule ids for which
-     *  that error was raised. {error: [rule_ids]} **/
-    ddwaf_object errors;
-    /** Ruleset version **/
-    const char *version;
-};
-```
-In this definition, `ddwaf_ruleset_info::errors` was always a map containing errors as keys and an array of rule IDs as values; this field was used as a compressed view of the rules which couldn't be parsed and the relevant parsing errors, e.g.:
-
-```json
-"errors": {
-  "missing key 'type'": [
-    "blk-001-002"
-  ]
-}
-```
-With the introduction of exclusion filters, rule overrides, custom rules and, to a lesser extent, rule data, the current set of diagnostics was not enough to provide an accurate understanding of the parsing result. For this reason, the `ddwaf_ruleset_info` structure has been deprecated in favour of `ddwaf_object`. This object is now provided as a parameter to both `ddwaf_init` and `ddwaf_update`, and it should be allocated by the caller (e.g. stack-allocated as a local variable):
-```c
-ddwaf_handle ddwaf_init(const ddwaf_object *ruleset, const ddwaf_config* config, ddwaf_object *diagnostics);
-ddwaf_handle ddwaf_update(ddwaf_handle handle, const ddwaf_object *ruleset, ddwaf_object *diagnostics);
-```
-The use of a `ddwaf_object` instead of a dedicated structure has a number of advantages and disadvantages, however it allows us to add more diagnostics in a backwards-compatible manner, without breaking the ABI. This translates in having the ability to automatically provide diagnostics for new high-level features without breaking existing libraries. 
-
-The new diagnostics object is always a map containing the following:
-- A map per high-level feature parsed (e.g. rules, custom rules, exclusions, etc), with the same key as said high-level feature.
-- Other metadata if present in the ruleset, such as the ruleset version.
-
-Providing the WAF with a complete ruleset typically results in a `ddwaf_object` with the following contents:
-```json
-{
-  "custom_rules": {...},
-  "exclusions": {...},
-  "rules": {...},
-  "rules_data": {...},
-  "rules_override": {...},
-  "ruleset_version": "1.7.0"
-}
-```
-The definition of the map provided for each high-level feature is generic, the complete schema can be found [here](schema/diagnostics.json). The expected keys when the high-level feature couldn't be parsed are the following:
-- `error`: this key contains a string indicating the error which prevented the relevant top-level key from being parsed and will only be present in this situation. Since this key represents a critical parsing error, no other keys are provided when this one is present.
-
-An example ruleset in which the `rules_data` key had the wrong type could result in the following diagnostics:
-```json
-{
-  "rules_data": {
-    "error": "bad cast, expected 'array', obtained 'map'"
-  }
-}
-```
-The expected keys when the high-level feature was parsed successfully are the following:
-- `loaded`: the value associated with this key is always an array of IDs and represents those elements that were loaded successfully. If the relevant feature definition does not have an ID (e.g. rule overrides), it'll contain the index within the parsed array in the form `index:x` with `x` representing the numerical index. 
-- `failed`: the value provided with this key is exactly the same as with the `loaded` key, but these are instead elements which couldn't be loaded. If the relevant element or feature definition lacks an ID, the `index:x` format is used instead.
-- `errors`: for backwards compatibility, this key contains a compressed map of errors, each containing the list of IDs which failed with said error.
-
-An example ruleset with all valid entries could look as follows:
-```json
-{
-  "custom_rules": {
-    "loaded": [
-      "a45b55fc-5b57-4002-90bf-58cdf296124c"
-    ],
-    "failed": [],
-    "errors": {}
-  },
-  "rules_override": {
-    "loaded": [
-      "index:0",
-      "index:1"
-    ],
-    "failed": [],
-    "errors": {}
-  }
-}
-```
-An example ruleset with some invalid entries could look as follows:
-```json
-{
-  "exclusions": {
-    "loaded": [
-      "1d058b7b-9b35-4a01-9b60-74c9a2a3bd78",
-    ],
-    "failed": [
-      "index:2"
-    ],
-    "errors": {
-      "missing key 'id'": [
-        "index:2"
-      ]
-    }
-  },
-  "rules": {
-    "loaded": [
-      "blk-001-001"
-    ],
-    "failed": [
-      "blk-001-002"
-    ],
-    "errors": {
-      "missing key 'conditions'": [
-        "blk-001-002"
-      ]
-    }
-  },
-  "rules_override": {
-    "loaded": [
-      "index:1"
-    ],
-    "failed": [
-      "index:0"
-    ],
-    "errors": {
-      "invalid type 'map' for key 'rules_target', expected 'array'": [
-        "index:0"
-      ]
-    }
-  },
-  "ruleset_version": "1.7.0"
-}
-```
-Note that in this example, an exclusion filter lacking a valid ID was also represented using the `index:x` notation.
-
-### Adding diagnostics to the root span
-
-In previous versions of the WAF, each field of the `ddwaf_ruleset_info` structure was added to the root span either as a meta tag or a metric as shown in the example below:
-```cpp
-ddwaf_ruleset_info info;
-auto handle = ddwaf_init(rule, &config, &info);
-
-root_span.metrics["_dd.appsec.event_rules.loaded"] = info.loaded;
-root_span.metrics["_dd.appsec.event_rules.error_count"] = info.failed;
-root_span.meta["_dd.appsec.event_rules.errors"] = object_to_json(info.errors);
-root_span.meta["_dd.appsec.event_rules.version"] = info.version;   
-
-ddwaf_ruleset_info_free(&info);
-```
-While the new diagnostics provide much more information, for backwards compatibility, rule metrics and errors still need to be reported through the root span, the following example shows a simple mechanism to traverse the diagnostics object:
-
-```cpp
-ddwaf_object diagnostics;
-ddwaf_handle handle = ddwaf_init(&rule, nullptr, &diagnostics);
-ddwaf_object_free(&rule);
-ddwaf_destroy(handle);
-
-const auto *rules = find_object(&diagnostics, "rules");
-if (rules != nullptr) {
-    size_t index = 0;
-    const ddwaf_object *node = nullptr;
-    while ((node = ddwaf_object_get_index(rules, index++)) != nullptr) {
-        std::string_view node_key = ddwaf_object_get_key(node, nullptr);
-
-        if (node_key == "loaded") {
-            root_span.metrics["_dd.appsec.event_rules.loaded"] = ddwaf_object_size(node);
-        } else if (node_key =="failed") {
-            root_span.metrics["_dd.appsec.event_rules.error_count"] = ddwaf_object_size(node);
-        }  else if (node_key == "errors") {
-            root_span.meta["_dd.appsec.event_rules.errors"] = object_to_yaml(*node);
-        } else if (node_key == "ruleset_version") {
-            root_span.meta["_dd.appsec.event_rules.version"] = ddwaf_object_get_string(node, nullptr);
-        }
-    }
-}
-ddwaf_object_free(&diagnostics);
-```
-Note that it might also be prudent to check for the `error` key before attempting to traverse the map, as the relevant keys won't be available in such case.
-
-A suitable definition of `find_object` could be the following:
-```cpp
-const ddwaf_object *find_object(const ddwaf_object *map, std::string_view key) {
-    size_t index = 0;
-    const ddwaf_object *node = nullptr;
-    while ((node = ddwaf_object_get_index(map, index++)) != nullptr) {
-        std::string_view node_key = ddwaf_object_get_key(node, nullptr);
-        if (key == node_key) {
-            return node;
-        }
-    }
-    return nullptr;
-}
-```
-#### Events & actions as `ddwaf_object`
-
-The outcome of a WAF run is provided as part of the `ddwaf_result` structure, which before `1.11.0` had the following definition:
-
-```c
-struct _ddwaf_result
-{
-    /** Whether there has been a timeout during the operation **/
-    bool timeout;
-    /** Run result in JSON format **/
-    const char* data;
-    /** Actions array and its size **/
-    struct _ddwaf_result_actions {
-        char **array;
-        uint32_t size;
-    } actions;
-    /** Total WAF runtime in nanoseconds **/
-    uint64_t total_runtime;
-};
-```
-In particular, the `data` field was a JSON-serialized string containing an array of events. Unfortunately, since WAF users typically call the WAF multiple times within the same context, extracting a meaningful result requires stitching multiple JSON strings together. Similarly, truncating the resulting JSON array to comply with trace limits also requires deserializing, performing changes and reserialising. 
-
-To work around these problems, the new version of the WAF doesn't report events as a JSON string, but rather as a `ddwaf_object` containing an array of events, with exactly the same definition as the previously provided JSON string. This new object resides in `ddwaf_result::events` rather than `ddwaf_result::data`, as it signifies more clearly the purpose of the field.
-```c
-struct _ddwaf_result
-{
-    /** Whether there has been a timeout during the operation **/
-    bool timeout;
-    /** Array of events generated, this is guaranteed to be an array **/
-    ddwaf_object events;
-    /** Array of actions generated, this is guaranteed to be an array **/
-    ddwaf_object actions;
-    /** Total WAF runtime in nanoseconds **/
-    uint64_t total_runtime;
-};
-```
-With this new definition, the caller now has the responsibility of serializing events into JSON.
-
-Similarly, actions are now also a `ddwaf_object` instead of a struct representing an array. Iterating through the old structure could be done as follows:
-
-```c
-ddwaf_result res;
-for (unsigned i = 0; i < res.actions.size; ++i) {
-    printf("%s", res.actions.array[i]);
-}
-```
-The same can now be done as follows:
-```c
-ddwaf_result res;
-for (unsigned i = 0; i < ddwaf_object_size(&res.actions); ++i) {
-    const ddwaf_object *node = ddwaf_object_get_index(&res.actions, i);
-    printf("%s", ddwaf_object_get_string(node, nullptr));
-}
-```
-Finally, the events schema can be found [here](schema/events.json) and the actions schema can be found [here](schema/actions.json).
-#### Per-input transformers
-
-Rules provide a `transformers` key which represents a list of transformers which should be applied (in order) to each scalar before evaluating the operator. An example of a rule with transformers could be the following:
-```json
-{
-  "id": "crs-933-111",
-  "name": "PHP Injection Attack: PHP Script File Upload Found",
-  "tags": {...},
-  "conditions": [...],
-  "transformers": [
-    "lowercase"
-  ]
-},
-```
-Since the transformers are rule-local, they are applied to all inputs, potentially resulting in a performance impact, as well as limiting the ability of the rule writer to use more fine-grained transformers. 
-
-In `1.11.0`, transformers can be defined per input, for example:
-```json
-"inputs": [
-  {
-    "address": "server.request.headers.no_cookies",
-    "transformers": [
-      "lowercase",
-      "removeNulls"
-    ]
-  }
-]
-```
-The existence of a `transformers` key on an input, even if empty, completely overrides any available rule transformers. Conversely, the lack of a `transformers` key on an input results in the specific input inheriting the rule transformers.
-
-### Upgrading from `1.7.x` to `1.8.0`
-
-Version `1.8.0` introduces the WAF builder, a new module with the ability to generate a new WAF instance from an existing one. This new module works transparently through the `ddwaf_update` function, which allows the user to update one, some or all of the following:
-- The complete ruleset through the `rules` key.
-- The `on_match` or `enabled` field of specific rules through the `rules_override` key.
-- Exclusion filters through the `exclusions` key.
-- Rule data through the `rules_data` key.
-
-The WAF builder has a number of objectives:
-- Provide a mechanism to generate and update the WAF as needed.
-- Remove all existing mutexes.
-- Remove all side-effects on running contexts.
-- __Potentially__ provide efficiency gains: 
-  - Avoiding the need to parse a whole ruleset on every update.
-  - Reusing internal structures, objects and containers whenever possible.
-
-With the introduction of `ddwaf_update`, the following functions have been deprecated and removed:
-- `ddwaf_toggle_rules`
-- `ddwaf_update_rule_data`
-- `ddwaf_required_rule_data_ids`
-
-The first two functions have been removed due to the added complexity of supporting multiple interfaces with a similar outcome but different inputs. On the other hand, the last function was simply removed in favour of letting the WAF handle unexpected rule data IDs more gracefully, however this function can be reintroduced later if deemed necessary.
-
-Typically, the new interface will be used as follows on all instances:
-
-```c
-    ddwaf_handle old_handle = ddwaf_init(&ruleset, &config, &info);
-    ddwaf_object_free(&ruleset);
-
-    ddwaf_handle new_handle = ddwaf_update(old_handle, &update, &new_info);
-    ddwaf_object_free(&update);
-    if (new_handle != NULL) {
-        ddwaf_destroy(old_handle);
-    }
-```
-
-The `ddwaf_update` function returns a new `ddwaf_handle` which will be a valid pointer if the update succeeded, or `NULL` if there was nothing to update or there was an error. Creating contexts while calling `ddwaf_update` is, in theory, perfectly legal as well as destroying a handle while associated contexts are still in use, for example:
-
-```c
-    ddwaf_handle old_handle = ddwaf_init(&ruleset, &config, &info);
-    ddwaf_object_free(&rule);
-
-    ddwaf_context context = ddwaf_context_init(old_handle);
-
-    ddwaf_handle new_handle = ddwaf_update(old_handle, &new_ruleset, &new_info);
-    ddwaf_object_free(&new_rule);
-    if (new_handle != NULL) {
-        // Destroying the handle should not invalidate the context
-        ddwaf_destroy(old_handle);
-    }
-    
-    // Both the context and the handle are destroyed here
-    ddwaf_context_destroy(context);
-```
-Note that the `ddwaf_update` function also has an optional input parameter for the `ruleset_info` structure, this will only provide useful diagnostics when the update provided contains new rules (within the `rules` key), also note that the `ruleset_info` should either be a fresh new structure or the previously used after calling `ddwaf_ruleset_info_free`.
-
-Finally, you can call `ddwaf_init` with all previously mentioned keys, or a combination of them, however the `rules` key is mandatory. This does not apply to `ddwaf_update.
-
-### Notes on thread-safety
-
-The thread-safety of any operations on the handle depends on whether they act on the ruleset or the builder itself, generally:
-- Calling `ddwaf_update` concurrently, regardless of the handle, is never thread-safe.
-- Calling `ddwaf_context_init` concurrently on the same handle is thread-safe.
-- Calling `ddwaf_context_init` and `ddwaf_update` concurrently on the same handle is also thread-safe.
-
-## Upgrading from `1.6.x` to `1.7.0`
-
-There are no API changes in 1.7.0, however `ddwaf_handle` is now reference-counted and shared between the user and each `ddwaf_context`. This means that it is now possible to call `ddwaf_destroy` on a `ddwaf_handle` without invalidating any `ddwaf_context` in use instantiated from said `ddwaf_handle`. For example, the following snippet is now perfectly legal and will work as expected (note that any checks have been omitted for brevity):
-
-```c
-    ddwaf_handle handle = ddwaf_init(&rule, &config, NULL);
-    ddwaf_object_free(&rule);
-
-    ddwaf_context context = ddwaf_context_init(handle);
-
-    // Destroying the handle should not invalidate the context
-    ddwaf_destroy(handle);
-
-    ...
-
-    ddwaf_run(context, &parameter, NULL, LONG_TIME);
-
-    // Both the context and the handle are destroyed here
-    ddwaf_context_destroy(context);
-```
-
-To expand on the example above:
-- `ddwaf_destroy` only destroys the `ddwaf_handle` if there are no more references to it, otherwise it relinquishes ownership to the rest of the contexts.
-- If there is more than one valid context after the user calls `ddwaf_destroy`, each context will reduce the reference count on `ddwaf_context_destroy` until it reaches zero, at which point the `ddwaf_handle` will be freed.
-- Once the user calls `ddwaf_destroy` on the `ddwaf_handle`, their reference becomes invalid and no more operations can be performed on it, including instantiating further contexts.
-
-Note that this doesn't make `ddwaf_handle` universally thread-safe, for example, replacing an existing `ddwaf_handle` shared by multiple threads still requires synchronisation.
-
-## Upgrading from `v1.4.0` to `1.5.0`
-
-### Actions
-
-The introduction of actions within the ruleset, through the `on_match` array, provides a generic mechanism to signal the user what the expected outcome of a match should be. This information is now provided to the user through `ddwaf_result`, which now has the following definition:
-
-```c
-struct _ddwaf_result
-{
-    /** Whether there has been a timeout during the operation **/
-    bool timeout;
-    /** Run result in JSON format **/
-    const char* data;
-    /** Actions array and its size **/
-    struct {
-        char **array;
-        uint32_t size;
-    } actions;
-    /** Total WAF runtime in nanoseconds **/
-    uint64_t total_runtime;
-};
-```
-
-Actions are provided as a `char *` array containing `actions.size` items. This array is currently not null-terminated. The contents of this array and the array itself are also freed by `ddwaf_result_free`.
-
-#### Return codes
-
-As a consequence of the introduction of actions, return codes such as `DDWAF_MONITOR` or `DDWAF_BLOCK` are no longer meaningful, to address this:
-- `DDWAF_MONITOR` has now been renamed to `DDWAF_MATCH`, this lets the user know that `ddwaf_result` contains meaningful data and possibly actions while making no statement regarding what the user should do with it.
-- `DDWAF_BLOCK` has been removed.
-- As a slightly unnecessary bonus, `DDWAF_GOOD` has been renamed to `DDWAF_OK` as it is more common to use `OK` than `GOOD` in return codes.
-
-### Free function
-
-In previous versions, the context is initialised with a free function in order to prevent objects provided through `ddwaf_run` from being freed by the WAF itself. In practice, this free function is always the same so it's not very useful to provide it over and over. For that reason it has now been moved to `ddwaf_config`.
-
-As an example, in version `1.4.0`, the following code would provide `ddwaf_object_free` to the context during initialisation:
-
-```c
-ddwaf_config config{{0, 0, 0}, {NULL, NULL}};
-ddwaf_handle handle = ddwaf_init(&rule, &config, &info);
-...
-ddwaf_context context = ddwaf_context_init(handle, ddwaf_object_free);
-```
-
-In version `1.5.0-alpha0`, the free function should be provided within `ddwaf_config`:
-```c
-ddwaf_config config{{0, 0, 0}, {NULL, NULL}, ddwaf_object_free};
-ddwaf_handle handle = ddwaf_init(&rule, &config, &info);
-...
-ddwaf_context context = ddwaf_context_init(handle);
-```
-
-Alternatively, to completely disable the free function, it can be set to `NULL`:
-```c
-ddwaf_config config{{0, 0, 0}, {NULL, NULL}, NULL};
-ddwaf_handle handle = ddwaf_init(&rule, &config, &info);
-```
-
-**Note that if the configuration pointer to the WAF is `NULL`, the default free function (`ddwaf_object_free`) will be used:**
-```c
-ddwaf_handle handle = ddwaf_init(&rule, NULL, &info);
-```
-
-### Version
-
-In order to support version suffixes, such as `-alpha`, `-beta` or `-rc`, the `ddwaf_version` structure has been deprecated altogether. As a result `ddwaf_get_version` now returns a const string which should not be freed by the caller.
-
-To summarize, the following code snippet:
-
-```c
-ddwaf_version version;
-ddwaf_get_version(&version);
-printf("ddwaf version: %d.%d.%d\n", version.major, version.minor, version.patch);
-```
-
-Can now be rewritten as follows:
-
-```c
-printf("ddwaf version: %s\n", ddwaf_get_version());
-```
+Moved to [docs/upgrading/](docs/upgrading/)
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 000000000..f4c901982
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,7 @@
+# Documentation Index
+
+- Overview (TBD) – Architectural summary and execution pipeline.
+- [C API Reference](c-api/api.md) – Comprehensive description of all exported functions, structs, and macros.
+- [Binding Integration Guide](c-api/binding-integration-guide.md) – Guidance for language bindings embedding libddwaf.
+- [Changelogs](changelog/) – Release notes for all versions, the CHANGELOG-latest.md symlink always points to the latest release changelog.
+- [Upgrading Guides](upgrading/) - Upgrading guides for all versions with relevant and / or breaking changes.
diff --git a/docs/allocators.md b/docs/allocators.md
new file mode 100644
index 000000000..5c3c17a38
--- /dev/null
+++ b/docs/allocators.md
@@ -0,0 +1,71 @@
+# Allocators
+
+As the name suggests, allocators are used for the purpose of memory management, providing functionality for allocating and deallocating memory as needed. Different allocators may follow specific memory management strategies to reduce the amount of memory that needs to be requested to the global allocators or to minimise the cost of allocation or deallocation. 
+
+The allocators provided by `libddwaf` are, under the hood, C++ memory resources, therefore the four different allocator options are provided:
+- **Default allocator**: obtained through `ddwaf_get_default_allocator`, this is the default allocator used by the standard library and it's typically relies directly on `new` / `delete`. When unsure, this is the recommended allocator. The underlying memory resource is [std::pmr::new_delete_resource](https://en.cppreference.com/w/cpp/memory/new_delete_resource.html).
+- **Unsynchronized pool allocator**: obtained through `ddwaf_unsynchronized_pool_allocator_init`, this is a thread-unsafe pool allocator. The underlying memory resource is [std::pmr::unsynchronized_pool_resource](https://en.cppreference.com/w/cpp/memory/unsynchronized_pool_resource.html).
+- **Synchronized pool allocator**: obtained through `ddwaf_synchronized_pool_allocator_init`, this is a thread-safe version of the previous pool allocator. The underlying memory resource is [std::pmr::synchronized_pool_resource](https://en.cppreference.com/w/cpp/memory/synchronized_pool_resource.html).
+- **Monotonic allocator**: obtained through `ddwaf_monotonic_allocator_init`, this is a special allocator which releases all of the allocated memory once destroyed. This allocator is not recommended as a general purpose allocator and should be used with care. The underlying memory resource is [std::pmr::monotonic_buffer_resource](https://en.cppreference.com/w/cpp/memory/monotonic_buffer_resource.html).
+
+Allocators are destroyed using `ddwaf_allocator_destroy`, note that for safety, this must only be done once all of the allocated memory has been freed. Additionally, the default allocator need not be destroyed, as destruction results in a no-op.
+
+## User Allocators
+
+In addition to the available allocators, custom memory management strategies are supported through the use of user allocators. A user allocator has four main components:
+- A function to allocate memory (alloc) based on the required size and an alignment.
+- A function to deallocate memory (dealloc) based on the allocated size and alignment.
+- Optional user data, which may typically correspond to the required structures used to store and manage the allocated memory.
+- An optional free function for user data.
+
+As an example, consider the case of a counting allocator, using the default allocator as its upstream allocator. This may be defined through the following structure, which corresponds to the aforementioned user data.
+
+```c
+struct counting_allocator {
+    unsigned alloc_count{0};
+    unsigned free_count{0};
+    ddwaf_allocator upstream{ddwaf_get_default_allocator()};
+};
+```
+
+The allocation function can then be the following:
+
+```c
+void *counting_allocator_alloc(void *udata, std::size_t bytes, std::size_t alignment)
+{
+    counting_allocator *alloc = (counting_allocator *)udata;
+    alloc->alloc_count++;
+    return ddwaf_allocator_alloc(alloc->upstream, bytes, alignment);
+}
+```
+
+Where the user data is provided as the first field, followed by the number of bytes (size) and their expected alignment. The function increases the allocation count and calls the upstream allocator.
+
+The deallocation function can then be the following:
+
+```c
+void counting_allocator_free(void *udata, void *p, std::size_t bytes, std::size_t alignment)
+{
+    counting_allocator *alloc = (counting_allocator *)udata;
+    alloc->free_count++;
+    ddwaf_allocator_free(alloc->upstream, p, bytes, alignment);
+}
+```
+
+Which requires the user data as the first field, followed by the pointer to deallocate and both the number of bytes and alignment.
+
+This particular allocator doesn't allocate memory for its own use, therefore a free function is not needed, however for illustration purposes, the following would be suitable:
+
+```c
+void counting_allocator_udata_free(void *udata)
+{
+  // noop
+}
+```
+
+Finally, the user allocator to provide to libddwaf can be instantiated as follows:
+
+```c
+counting_allocator udata;
+ddwaf_allocator alloc = ddwaf_user_allocator_init(&counting_allocator_alloc, &counting_allocator_free, &udata, &counting_allocator_udata_free);
+```
diff --git a/docs/c-api/api.md b/docs/c-api/api.md
new file mode 100644
index 000000000..b22d6f340
--- /dev/null
+++ b/docs/c-api/api.md
@@ -0,0 +1,1123 @@
+# libddwaf C API Reference
+
+This document describes the public C API of libddwaf.
+
+## Table of Contents
+
+- [Enumerations](#enumerations)
+  - [DDWAF_OBJ_TYPE](#ddwaf-obj-type)
+  - [DDWAF_RET_CODE](#ddwaf-ret-code)
+  - [DDWAF_LOG_LEVEL](#ddwaf-log-level)
+- [Type Definitions](#type-definitions)
+- [Functions](#functions)
+  - [Initialization/Destruction](#initializationdestruction)
+  - [Builder](#builder)
+  - [Context](#context)
+  - [Subcontext](#subcontext)
+  - [Allocator](#allocator)
+  - [Object Creation](#object-creation)
+  - [Object Inspection](#object-inspection)
+  - [Object Container Operations](#object-container-operations)
+  - [Object Type Checking](#object-type-checking)
+  - [Utility](#utility)
+
+---
+
+## Enumerations
+
+### DDWAF_OBJ_TYPE
+
+Specifies the type of a ddwaf::object.
+
+| Value | Code | Description |
+|-------|------|-------------|
+| `DDWAF_OBJ_INVALID` | `= 0` | Unkmown or uninitialised type |
+| `DDWAF_OBJ_NULL` | `= 0x01` | Null type, only used for its semantical value |
+| `DDWAF_OBJ_BOOL` | `= 0x02` | Boolean type |
+| `DDWAF_OBJ_SIGNED` | `= 0x04` | 64-bit signed integer type |
+| `DDWAF_OBJ_UNSIGNED` | `= 0x06` | 64-bit unsigned integer type |
+| `DDWAF_OBJ_FLOAT` | `= 0x08` | 64-bit float (or double) type |
+| `DDWAF_OBJ_STRING` | `= 0x10` | Dynamic UTF-8 string of up to max(uint32) length |
+| `DDWAF_OBJ_LITERAL_STRING` | `= 0x12` | Literal UTF-8 string of up to max(uint32) length, these are never freed |
+| `DDWAF_OBJ_SMALL_STRING` | `= 0x14` | UTF-8 string of up to 14 bytes in length |
+| `DDWAF_OBJ_ARRAY` | `= 0x20` | Array of ddwaf_object, up to max(uint16) capacity |
+| `DDWAF_OBJ_MAP` | `= 0x40` | Array of ddwaf_object_kv, up to max(uint16) capacity |
+
+### DDWAF_RET_CODE
+
+Codes returned by ddwaf_context_eval.
+
+| Value | Code | Description |
+|-------|------|-------------|
+| `DDWAF_ERR_INTERNAL` | `= -3` | Unknown error, typically due to an unexpected exception |
+| `DDWAF_ERR_INVALID_OBJECT` | `= -2` | The provided data object didn't match the expected schema |
+| `DDWAF_ERR_INVALID_ARGUMENT` | `= -1` | One or more of the provided arguments to a function is invalid |
+| `DDWAF_OK` | `= 0` | The data evaluation didn't yield any events, attributes, etc |
+| `DDWAF_MATCH` | `= 1` | The data evaluation resulted in an event, attribute, etc |
+
+### DDWAF_LOG_LEVEL
+
+Internal WAF log levels, to be used when setting the minimum log level and cb.
+
+| Value | Code | Description |
+|-------|------|-------------|
+| `DDWAF_LOG_TRACE` | `= 0` | Finest-grained logging for detailed tracing |
+| `DDWAF_LOG_DEBUG` | `= 1` | Debugging information for development |
+| `DDWAF_LOG_INFO` | `= 2` | General informational messages |
+| `DDWAF_LOG_WARN` | `= 3` | Warning messages for potential issues |
+| `DDWAF_LOG_ERROR` | `= 4` | Error messages for failures |
+| `DDWAF_LOG_OFF` | `= 5` | Disable all logging |
+
+---
+
+## Type Definitions
+
+### Handle Types
+
+| Type | Definition |
+|------|------------|
+| `ddwaf_handle` | `typedef struct _ddwaf_handle* ddwaf_handle` |
+| `ddwaf_context` | `typedef struct _ddwaf_context* ddwaf_context` |
+| `ddwaf_subcontext` | `typedef struct _ddwaf_subcontext* ddwaf_subcontext` |
+| `ddwaf_builder` | `typedef struct _ddwaf_builder* ddwaf_builder` |
+| `ddwaf_allocator` | `typedef struct _ddwaf_allocator* ddwaf_allocator` |
+| `ddwaf_alloc_fn_type` | `typedef void *() ddwaf_alloc_fn_type(void *, size_t, size_t)` |
+| `ddwaf_free_fn_type` | `typedef void() ddwaf_free_fn_type(void *, void *, size_t, size_t)` |
+| `ddwaf_udata_free_fn_type` | `typedef void() ddwaf_udata_free_fn_type(void *)` |
+| `ddwaf_object` | `typedef union _ddwaf_object ddwaf_object` |
+| `ddwaf_object_kv` | `typedef struct _ddwaf_object_kv ddwaf_object_kv` |
+
+### ddwaf_log_cb
+
+```c
+ddwaf_log_cb)(DDWAF_LOG_LEVEL level, const char *function, const char *file, unsigned line, const char *message, uint64_t message_len)
+```
+
+Callback that libddwaf will call to relay messages to the binding.
+
+**Parameters:**
+
+- `level`: The logging level.
+- `function`: The native function that emitted the message. (nonnull)
+- `file`: The file of the native function that emmitted the message. (nonnull)
+- `line`: The line where the message was emmitted.
+- `message`: The size of the logging message. NUL-terminated
+- `message_len`: The length of the logging message (excluding NUL terminator).
+
+---
+
+## Functions
+
+### Initialization/Destruction
+
+#### ddwaf_init
+
+```c
+ddwaf_handle ddwaf_init(const ddwaf_object * ruleset, ddwaf_object * diagnostics)
+```
+
+Initialize a ddwaf instance
+
+**Parameters:**
+
+- `ruleset`: ddwaf::object map containing rules, exclusions, rules_override and rules_data. (nonnull)
+- `diagnostics`: Optional ruleset parsing diagnostics. (nullable)
+
+**Returns:** Handle to the WAF instance or NULL on error.
+
+> **Note:** If ruleset is NULL, the diagnostics object will not be initialised.
+
+> **Note:** The deallocation of the diagnostics must be made with default allocator.
+
+#### ddwaf_destroy
+
+```c
+void ddwaf_destroy(ddwaf_handle handle)
+```
+
+Destroy a WAF instance.
+
+**Parameters:**
+
+- `handle`: Handle to the WAF instance.
+
+#### ddwaf_known_addresses
+
+```c
+const char *const * ddwaf_known_addresses(const ddwaf_handle handle, uint32_t * size)
+```
+
+Get an array of known (root) addresses used by rules, exclusion filters and processors. This array contains both required and optional addresses. A more accurate distinction between required and optional addresses is provided within the diagnostics.
+
+**Parameters:**
+
+- `handle`: Handle to the WAF instance.
+- `size`: Output parameter in which the size will be returned. The value of size will be 0 if the return value is NULL.
+
+**Returns:** NULL if empty, otherwise a pointer to an array with size elements.
+
+> **Note:** This function is not thread-safe
+
+> **Note:** The returned array should be considered invalid after calling ddwaf_destroy on the handle used to obtain it.
+
+#### ddwaf_known_actions
+
+```c
+const char *const * ddwaf_known_actions(const ddwaf_handle handle, uint32_t * size)
+```
+
+Get an array of all the action types which could be triggered as a result of the current set of rules and exclusion filters.
+
+**Parameters:**
+
+- `handle`: Handle to the WAF instance.
+- `size`: Output parameter in which the size will be returned. The value of size will be 0 if the return value is NULL.
+
+**Returns:** NULL if empty, otherwise a pointer to an array with size elements.
+
+> **Note:** This function is not thread-safe
+
+> **Note:** The returned array should be considered invalid after calling ddwaf_destroy on the handle used to obtain it.
+
+### Builder
+
+#### ddwaf_builder_init
+
+```c
+ddwaf_builder ddwaf_builder_init()
+```
+
+Initialize an instace of the waf builder.
+
+**Returns:** Handle to the builer instance or NULL on error.
+
+> **Note:** If config is NULL, default values will be used
+
+#### ddwaf_builder_add_or_update_config
+
+```c
+bool ddwaf_builder_add_or_update_config(ddwaf_builder builder, const char * path, uint32_t path_len, const ddwaf_object * config, ddwaf_object * diagnostics)
+```
+
+Adds or updates a configuration based on the given path, which must be a unique identifier for the provided configuration.
+
+**Parameters:**
+
+- `builder`: Builder to perform the operation on. (nonnull)
+- `path`: A string containing the path of the configuration, this must uniquely identify the configuration. (nonnull)
+- `path_len`: The length of the string contained within path.
+- `config`: ddwaf::object map containing rules, exclusions, rules_override and rules_data. (nonnull)
+- `diagnostics`: Optional ruleset parsing diagnostics. (nullable)
+
+**Returns:** Whether the operation succeeded (true) or failed (false).
+
+> **Note:** if any of the arguments are NULL, the diagnostics object will not be initialised.
+
+> **Note:** The memory associated with the path, config and diagnostics must be freed by the caller.
+
+> **Note:** The deallocation of the diagnostics must be made with default allocator.
+
+> **Note:** This function is not thread-safe.
+
+#### ddwaf_builder_remove_config
+
+```c
+bool ddwaf_builder_remove_config(ddwaf_builder builder, const char * path, uint32_t path_len)
+```
+
+Removes a configuration based on the provided path.
+
+**Parameters:**
+
+- `builder`: Builder to perform the operation on. (nonnull)
+- `path`: A string containing the path of the configuration to be removed. (nonnull)
+- `path_len`: The length of the string contained within path.
+
+**Returns:** Whether the operation succeeded (true) or failed (false).
+
+> **Note:** The memory associated with the path must be freed by the caller.
+
+> **Note:** This function is not thread-safe.
+
+#### ddwaf_builder_build_instance
+
+```c
+ddwaf_handle ddwaf_builder_build_instance(ddwaf_builder builder)
+```
+
+Builds a ddwaf instance based on the current set of configurations.
+
+**Parameters:**
+
+- `builder`: Builder to perform the operation on. (nonnull)
+
+**Returns:** Handle to the new WAF instance or NULL if there was an error.
+
+> **Note:** This function is not thread-safe.
+
+#### ddwaf_builder_get_config_paths
+
+```c
+uint32_t ddwaf_builder_get_config_paths(ddwaf_builder builder, ddwaf_object * paths, const char * filter, uint32_t filter_len)
+```
+
+Provides an array of the currently loaded paths, optionally matching the regex provided in filter. In addition, the count is provided as the return value, allowing paths to be nullptr.
+
+**Parameters:**
+
+- `builder`: Builder to perform the operation on. (nonnull)
+- `paths`: The object in which paths will be returned, as an array of strings. If NULL, only the count is provided. (nullable)
+- `filter`: An optional string regex to filter the provided paths. The provided regular expression is used unanchored so matches can be found at any point within the path, any necessary anchors must be explicitly added to the regex. (nullable).
+- `filter_len`: The length of the filter string (or 0 otherwise).
+
+**Returns:** The total number of configurations loaded or, if provided, the number of those matching the filter.
+
+> **Note:** This function is not thread-safe and the memory of the paths object must be freed by the caller using the default allocator.
+
+#### ddwaf_builder_destroy
+
+```c
+void ddwaf_builder_destroy(ddwaf_builder builder)
+```
+
+Destroy an instance of the builder.
+
+**Parameters:**
+
+- `builder`: Builder to perform the operation on. (nonnull)
+
+### Context
+
+#### ddwaf_context_init
+
+```c
+ddwaf_context ddwaf_context_init(const ddwaf_handle handle, ddwaf_allocator output_alloc)
+```
+
+Context object to perform matching using the provided WAF instance.
+
+**Parameters:**
+
+- `handle`: Handle of the WAF instance containing the ruleset definition. (nonnull)
+- `output_alloc`: Allocator used to serve output objects created during evaluation (nonnull)
+
+**Returns:** Handle to the context instance.
+
+> **Note:** The WAF instance needs to be valid for the lifetime of the context.
+
+#### ddwaf_context_eval
+
+```c
+DDWAF_RET_CODE ddwaf_context_eval(ddwaf_context context, ddwaf_object * data, ddwaf_allocator alloc, ddwaf_object * result, uint64_t timeout)
+```
+
+Perform a matching operation on the provided data
+
+**Parameters:**
+
+- `context`: WAF context to be used in this run, this will determine the ruleset which will be used and it will also ensure that parameters are taken into account across runs (nonnull)
+- `data`: (nonnull) Data on which to perform the pattern matching. This data will be stored by the context and used across multiple calls to this function or ddwaf_subcontext_eval. Once the context is destroyed, the user defined allocator will be used to free the data provided. Note that the data passed must be valid until the destruction of the context. The object must be a map of {string,
+- `alloc`: (nullable) Allocator used to free the data provided. If NULL, the data will not be freed.
+- `result`: (nullable) Object map containing the following items:
+	- `events`: an array of the generated events.
+	- `actions`: a map of the generated actions in the format: "{action type: { <parameter map> }, ...}"
+	- `duration`: an unsigned specifying the total runtime of the call in nanoseconds.
+	- `timeout`: whether there has been a timeout during the call.
+	- `attributes`: a map containing all derived objects in the format: {tag, value}
+	- `keep`: whether the data contained herein must override any transport sampling through the relevant mechanism. This structure must be freed by the caller using the output allocator provided through ddwaf_context_init. The object will contain all specified keys when the value returned by ddwaf_context_eval is either DDWAF_OK or DDWAF_MATCH and will be empty otherwise.
+	- **IMPORTANT**: This object is not allocated with the allocator passed in this call. It uses the allocator given to ddwaf_context_init instead.
+- `timeout`: Maximum time budget in microseconds.
+
+**Returns:** Return code of the operation.
+
+**Return Values:**
+
+- `DDWAF_ERR_INVALID_ARGUMENT`: The context is invalid, the data will not be freed.
+- `DDWAF_ERR_INVALID_OBJECT`: The data provided didn't match the desired structure or contained invalid objects, the data will be freed by this function.
+- `DDWAF_ERR_INTERNAL`: There was an unexpected error and the operation did not succeed. The state of the WAF is undefined if this error is produced and the ownership of the data is unknown. The result structure will not be filled if this error occurs.
+
+#### ddwaf_context_destroy
+
+```c
+void ddwaf_context_destroy(ddwaf_context context)
+```
+
+Performs the destruction of the context, freeing the data passed to it through ddwaf_context_eval using the provided allocator during evaluation.
+
+**Parameters:**
+
+- `context`: Context to destroy. (nonnull)
+
+### Subcontext
+
+#### ddwaf_subcontext_init
+
+```c
+ddwaf_subcontext ddwaf_subcontext_init(ddwaf_context context)
+```
+
+Subcontext object to perform matching using the provided WAF instance.
+
+**Parameters:**
+
+- `context`: Context from which to derive this subcontext. (nonnull)
+
+**Returns:** Handle to the subcontext instance.
+
+#### ddwaf_subcontext_eval
+
+```c
+DDWAF_RET_CODE ddwaf_subcontext_eval(ddwaf_subcontext subcontext, ddwaf_object * data, ddwaf_allocator alloc, ddwaf_object * result, uint64_t timeout)
+```
+
+Perform a matching operation on the provided data
+
+**Parameters:**
+
+- `subcontext`: WAF subcontext to be used in this run, this will determine the ruleset which will be used and it will also ensure that parameters are taken into account across runs (nonnull)
+- `data`: (nonnull) Data on which to perform the pattern matching. This data will be stored by the subcontext and used across multiple calls to this function. Once the subcontext is destroyed, the user defined allocator will be used to free the data provided. Note that the data passed must be valid until the destruction of the subcontext. The object must be a map of {string,
+- `alloc`: (nullable) Allocator used to free the data provided. If NULL, the data will not be freed.
+- `result`: (nullable) Object map containing the following items:
+	- `events`: an array of the generated events.
+	- `actions`: a map of the generated actions in the format: "{action type: { <parameter map> }, ...}"
+	- `duration`: an unsigned specifying the total runtime of the call in nanoseconds.
+	- `timeout`: whether there has been a timeout during the call.
+	- `attributes`: a map containing all derived objects in the format: {tag, value}
+	- `keep`: whether the data contained herein must override any transport sampling through the relevant mechanism. This structure must be freed by the caller and will contain all specified keys when the value returned by ddwaf_subcontext_eval is either DDWAF_OK or DDWAF_MATCH and will be empty otherwise.
+	- **IMPORTANT**: This object is not allocated with the allocator passed in this call. It uses the allocator given to ddwaf_context_init instead.
+- `timeout`: Maximum time budget in microseconds.
+
+**Returns:** Return code of the operation.
+
+**Return Values:**
+
+- `DDWAF_ERR_INVALID_ARGUMENT`: The subcontext is invalid, the data will not be freed.
+- `DDWAF_ERR_INVALID_OBJECT`: The data provided didn't match the desired structure or contained invalid objects, the data will be freed by this function.
+- `DDWAF_ERR_INTERNAL`: There was an unexpected error and the operation did not succeed. The state of the WAF is undefined if this error is produced and the ownership of the data is unknown. The result structure will not be filled if this error occurs.
+
+#### ddwaf_subcontext_destroy
+
+```c
+void ddwaf_subcontext_destroy(ddwaf_subcontext subcontext)
+```
+
+Performs the destruction of the subcontext, freeing the data passed to it through ddwaf_subcontext_eval using the used-defined allocator.
+
+**Parameters:**
+
+- `subcontext`: subcontext to destroy. (nonnull)
+
+### Allocator
+
+#### ddwaf_get_default_allocator
+
+```c
+ddwaf_allocator ddwaf_get_default_allocator()
+```
+
+Returns the default allocator used by the library.
+
+**Returns:** Allocator handle.
+
+#### ddwaf_synchronized_pool_allocator_init
+
+```c
+ddwaf_allocator ddwaf_synchronized_pool_allocator_init()
+```
+
+Creates a thread-safe pool allocator. Allocations are served from internal pools sized by block class to reduce fragmentation and allocator overhead; memory freed via the corresponding ddwaf APIs is returned to the pools for reuse. This allocator can be shared across threads safely.
+
+**Returns:** Allocator handle.
+
+#### ddwaf_unsynchronized_pool_allocator_init
+
+```c
+ddwaf_allocator ddwaf_unsynchronized_pool_allocator_init()
+```
+
+Creates a pool allocator without internal synchronization. It provides the same pooling characteristics as the synchronized variant but with lower overhead. This allocator must not be used concurrently from multiple threads unless externally synchronized.
+
+**Returns:** Allocator handle.
+
+#### ddwaf_monotonic_allocator_init
+
+```c
+ddwaf_allocator ddwaf_monotonic_allocator_init()
+```
+
+Creates a monotonic (growing) allocator. Allocations are fast and never freed individually; all memory is reclaimed only when the allocator is destroyed. This allocator must not be used concurrently from multiple threads unless externally synchronized.
+
+**Returns:** Allocator handle.
+
+#### ddwaf_user_allocator_init
+
+```c
+ddwaf_allocator ddwaf_user_allocator_init(ddwaf_alloc_fn_type alloc_fn, ddwaf_free_fn_type free_fn, void * udata, ddwaf_udata_free_fn_type udata_free_fn)
+```
+
+Creates an allocator that forwards allocation and deallocation to user provided callbacks.
+
+**Parameters:**
+
+- `alloc_fn`: Allocation callback. It receives the opaque `udata`, the requested `size` and `alignment`, and must return a pointer meeting the alignment requirements or NULL on failure. (nonnull)
+- `free_fn`: Deallocation callback. It receives the opaque `udata`, the pointer to free, and the original `size` and `alignment`. It must be able to free any pointer previously returned by `alloc_fn`. (nonnull)
+- `udata`: Opaque user pointer forwarded to both callbacks; can be used to carry custom state. (nullable)
+- `udata_free_fn`: User data destruction callback, used to perform any relevant destruction and reclamation operations on the provided user data.
+
+**Returns:** Allocator handle.
+
+#### ddwaf_allocator_alloc
+
+```c
+void * ddwaf_allocator_alloc(ddwaf_allocator alloc, size_t bytes, size_t alignment)
+```
+
+Allocates a block of memory from the given allocator with the requested alignment.
+
+**Parameters:**
+
+- `alloc`: Allocator to use for the allocation. (nonnull)
+- `bytes`: Number of bytes to allocate.
+- `alignment`: Required alignment in bytes; must be a power of two.
+
+**Returns:** Pointer to the allocated memory or NULL on failure.
+
+#### ddwaf_allocator_free
+
+```c
+void ddwaf_allocator_free(ddwaf_allocator alloc, void * p, size_t bytes, size_t alignment)
+```
+
+Releases a block of memory previously obtained via ddwaf_allocator_alloc from the same allocator.
+
+**Parameters:**
+
+- `alloc`: Allocator used for the original allocation. (nonnull)
+- `p`: Pointer to the memory to free. (nonnull)
+- `bytes`: Size in bytes of the original allocation.
+- `alignment`: Alignment in bytes of the original allocation.
+
+#### ddwaf_allocator_destroy
+
+```c
+void ddwaf_allocator_destroy(ddwaf_allocator alloc)
+```
+
+Destroys an allocator created by one of the ddwaf_*_allocator_init functions and releases any internal resources it holds.
+
+**Parameters:**
+
+- `alloc`: Allocator to destroy. (nonnull)
+
+### Object Creation
+
+#### ddwaf_object_set_invalid
+
+```c
+ddwaf_object * ddwaf_object_set_invalid(ddwaf_object * object)
+```
+
+Creates an invalid object.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_null
+
+```c
+ddwaf_object * ddwaf_object_set_null(ddwaf_object * object)
+```
+
+Creates an null object. Provides a different semantical value to invalid as it can be used to signify that a value is null rather than of an unknown type.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_string
+
+```c
+ddwaf_object * ddwaf_object_set_string(ddwaf_object * object, const char * string, uint32_t length, ddwaf_allocator alloc)
+```
+
+Creates an object from a string.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `string`: String to initialise the object with, this string will be copied. (nonnull)
+- `length`: Length of the string.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_string_literal
+
+```c
+ddwaf_object * ddwaf_object_set_string_literal(ddwaf_object * object, const char * string, uint32_t length)
+```
+
+Creates an object from a literal string and its length.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `string`: Literal string to initialise the object with, this string will not be copied and must remain valid for the lifetime of the object. (nonnull)
+- `length`: Length of the string.
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_string_nocopy
+
+```c
+ddwaf_object * ddwaf_object_set_string_nocopy(ddwaf_object * object, const char * string, uint32_t length)
+```
+
+Creates an object with the string pointer and length provided, without copying the string.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `string`: String pointer to initialise the object with, this string will not be copied and must remain valid for the lifetime of the object. (nonnull)
+- `length`: Length of the string.
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+> **Note:** The provided string must have been allocated with the same allocator used with ddwaf_object_destroy.
+
+#### ddwaf_object_set_unsigned
+
+```c
+ddwaf_object * ddwaf_object_set_unsigned(ddwaf_object * object, uint64_t value)
+```
+
+Creates an object using an unsigned integer (64-bit). The resulting object will contain an unsigned integer as opposed to a string.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `value`: Integer to initialise the object with.
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_signed
+
+```c
+ddwaf_object * ddwaf_object_set_signed(ddwaf_object * object, int64_t value)
+```
+
+Creates an object using a signed integer (64-bit). The resulting object will contain a signed integer as opposed to a string.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `value`: Integer to initialise the object with.
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_bool
+
+```c
+ddwaf_object * ddwaf_object_set_bool(ddwaf_object * object, bool value)
+```
+
+Creates an object using a boolean, the resulting object will contain a boolean as opposed to a string.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `value`: Boolean to initialise the object with.
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_float
+
+```c
+ddwaf_object * ddwaf_object_set_float(ddwaf_object * object, double value)
+```
+
+Creates an object using a double, the resulting object will contain a double as opposed to a string.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `value`: Double to initialise the object with.
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_array
+
+```c
+ddwaf_object * ddwaf_object_set_array(ddwaf_object * object, uint16_t capacity, ddwaf_allocator alloc)
+```
+
+Creates an array object, for sequential storage.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `capacity`: Initial capacity of the array.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_set_map
+
+```c
+ddwaf_object * ddwaf_object_set_map(ddwaf_object * object, uint16_t capacity, ddwaf_allocator alloc)
+```
+
+Creates a map object, for key-value storage.
+
+**Parameters:**
+
+- `object`: Object to perform the operation on. (nonnull)
+- `capacity`: Initial capacity of the map.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the passed object or NULL if the operation failed.
+
+#### ddwaf_object_from_json
+
+```c
+bool ddwaf_object_from_json(ddwaf_object * output, const char * json_str, uint32_t length, ddwaf_allocator alloc)
+```
+
+Creates a ddwaf_object from a JSON string. The JSON will be parsed and converted into the appropriate ddwaf_object structure, supporting all JSON types including objects, arrays, strings, numbers, booleans, and null values.
+
+**Parameters:**
+
+- `output`: Object to populate with the parsed JSON data. (nonnull)
+- `json_str`: The JSON string to parse. (nonnull)
+- `length`: Length of the JSON string.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** The success or failure of the operation.
+
+> **Note:** The output object must be freed by the caller using ddwaf_object_free.
+
+> **Note:** If parsing fails, the output object will be left in an undefined state.
+
+> **Note:** The provided JSON string is owned by the caller.
+
+### Object Inspection
+
+#### ddwaf_object_get_type
+
+```c
+DDWAF_OBJ_TYPE ddwaf_object_get_type(const ddwaf_object * object)
+```
+
+Returns the type of the object.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** The object type of DDWAF_OBJ_INVALID if NULL.
+
+#### ddwaf_object_get_size
+
+```c
+size_t ddwaf_object_get_size(const ddwaf_object * object)
+```
+
+Returns the size of the container object.
+
+**Parameters:**
+
+- `object`: The object from which to get the size.
+
+**Returns:** The object size or 0 if the object is not a container (array, map).
+
+#### ddwaf_object_get_length
+
+```c
+size_t ddwaf_object_get_length(const ddwaf_object * object)
+```
+
+Returns the length of the string object.
+
+**Parameters:**
+
+- `object`: The object from which to get the length.
+
+**Returns:** The string length or 0 if the object is not a string.
+
+#### ddwaf_object_get_string
+
+```c
+const char * ddwaf_object_get_string(const ddwaf_object * object, size_t * length)
+```
+
+Returns the string contained within the object.
+
+**Parameters:**
+
+- `object`: The object from which to get the string.
+- `length`: Output parameter on which to return the length of the string, this parameter is optional / nullable.
+
+**Returns:** The string of the object or NULL if the object is not a string.
+
+#### ddwaf_object_get_unsigned
+
+```c
+uint64_t ddwaf_object_get_unsigned(const ddwaf_object * object)
+```
+
+Returns the uint64 contained within the object.
+
+**Parameters:**
+
+- `object`: The object from which to get the integer.
+
+**Returns:** The integer or 0 if the object is not an unsigned.
+
+#### ddwaf_object_get_signed
+
+```c
+int64_t ddwaf_object_get_signed(const ddwaf_object * object)
+```
+
+Returns the int64 contained within the object.
+
+**Parameters:**
+
+- `object`: The object from which to get the integer.
+
+**Returns:** The integer or 0 if the object is not a signed.
+
+#### ddwaf_object_get_float
+
+```c
+double ddwaf_object_get_float(const ddwaf_object * object)
+```
+
+Returns the float64 (double) contained within the object.
+
+**Parameters:**
+
+- `object`: The object from which to get the float.
+
+**Returns:** The float or 0.0 if the object is not a float.
+
+#### ddwaf_object_get_bool
+
+```c
+bool ddwaf_object_get_bool(const ddwaf_object * object)
+```
+
+Returns the boolean contained within the object.
+
+**Parameters:**
+
+- `object`: The object from which to get the boolean.
+
+**Returns:** The boolean or false if the object is not a boolean.
+
+### Object Container Operations
+
+#### ddwaf_object_insert
+
+```c
+ddwaf_object * ddwaf_object_insert(ddwaf_object * array, ddwaf_allocator alloc)
+```
+
+Inserts a new object into an array object.
+
+**Parameters:**
+
+- `array`: Array in which to insert the object. (nonnull)
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the newly inserted object or NULL if the operation failed.
+
+#### ddwaf_object_insert_key
+
+```c
+ddwaf_object * ddwaf_object_insert_key(ddwaf_object * map, const char * key, uint32_t length, ddwaf_allocator alloc)
+```
+
+Inserts a new object into a map object, using a key.
+
+**Parameters:**
+
+- `map`: Map in which to insert the object. (nonnull)
+- `key`: The key for indexing purposes, this string will be copied. (nonnull)
+- `length`: Length of the key.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the newly inserted object or NULL if the operation failed.
+
+#### ddwaf_object_insert_literal_key
+
+```c
+ddwaf_object * ddwaf_object_insert_literal_key(ddwaf_object * map, const char * key, uint32_t length, ddwaf_allocator alloc)
+```
+
+Inserts a new object into a map object, using a literal key.
+
+**Parameters:**
+
+- `map`: Map in which to insert the object. (nonnull)
+- `key`: The key for indexing purposes, this string will not be copied. (nonnull)
+- `length`: Length of the key.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the newly inserted object or NULL if the operation failed.
+
+#### ddwaf_object_insert_key_nocopy
+
+```c
+ddwaf_object * ddwaf_object_insert_key_nocopy(ddwaf_object * map, const char * key, uint32_t length, ddwaf_allocator alloc)
+```
+
+Inserts a new object into a map object, using a key and its length, but without creating a copy of the key.
+
+**Parameters:**
+
+- `map`: Map in which to insert the object. (nonnull)
+- `key`: The key for indexing purposes, this string will not be copied. (nonnull)
+- `length`: Length of the key.
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the newly inserted object or NULL if the operation failed.
+
+> **Note:** The provided string must have been allocated with the same allocator used with ddwaf_object_destroy.
+
+#### ddwaf_object_at_key
+
+```c
+const ddwaf_object * ddwaf_object_at_key(const ddwaf_object * object, size_t index)
+```
+
+Returns the key contained in the container at the given index.
+
+**Parameters:**
+
+- `object`: The container from which to extract the object.
+- `index`: The position of the required object within the container.
+
+**Returns:** The requested object or NULL if the index is out of bounds or the object is not a container.
+
+#### ddwaf_object_at_value
+
+```c
+const ddwaf_object * ddwaf_object_at_value(const ddwaf_object * object, size_t index)
+```
+
+Returns the object contained in the container at the given index.
+
+**Parameters:**
+
+- `object`: The container from which to extract the object.
+- `index`: The position of the required object within the container.
+
+**Returns:** The requested object or NULL if the index is out of bounds or the object is not a container.
+
+#### ddwaf_object_find
+
+```c
+const ddwaf_object * ddwaf_object_find(const ddwaf_object * object, const char * key, size_t length)
+```
+
+Returns the object within the given map with a key matching the provided one.
+
+**Parameters:**
+
+- `object`: The container from which to extract the object.
+- `key`: A string representing the key to find.
+- `length`: Length of the key.
+
+**Returns:** The requested object or NULL if the key was not found or the object is not a container.
+
+#### ddwaf_object_clone
+
+```c
+ddwaf_object * ddwaf_object_clone(const ddwaf_object * source, ddwaf_object * destination, ddwaf_allocator alloc)
+```
+
+Creates a deep copy of the source object into the destination object.
+
+**Parameters:**
+
+- `source`: The source object to clone from. (nonnull)
+- `destination`: The destination object to clone into. (nonnull)
+- `alloc`: Allocator to use for memory allocation. (nonnull)
+
+**Returns:** A pointer to the destination object or NULL if the operation failed.
+
+#### ddwaf_object_destroy
+
+```c
+void ddwaf_object_destroy(ddwaf_object * object, ddwaf_allocator alloc)
+```
+
+Frees the memory contained within the object.
+
+**Parameters:**
+
+- `object`: Object to destroy. (nonnull)
+- `alloc`: Allocator to use for memory reclamation. (nonnull)
+
+### Object Type Checking
+
+#### ddwaf_object_is_invalid
+
+```c
+bool ddwaf_object_is_invalid(const ddwaf_object * object)
+```
+
+Returns true if the object is invalid.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is invalid, false otherwise.
+
+#### ddwaf_object_is_null
+
+```c
+bool ddwaf_object_is_null(const ddwaf_object * object)
+```
+
+Returns true if the object is null.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is null, false otherwise.
+
+#### ddwaf_object_is_bool
+
+```c
+bool ddwaf_object_is_bool(const ddwaf_object * object)
+```
+
+Returns true if the object is a boolean.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is a boolean, false otherwise.
+
+#### ddwaf_object_is_signed
+
+```c
+bool ddwaf_object_is_signed(const ddwaf_object * object)
+```
+
+Returns true if the object is a signed integer.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is a signed integer, false otherwise.
+
+#### ddwaf_object_is_unsigned
+
+```c
+bool ddwaf_object_is_unsigned(const ddwaf_object * object)
+```
+
+Returns true if the object is an unsigned integer.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is an unsigned integer, false otherwise.
+
+#### ddwaf_object_is_float
+
+```c
+bool ddwaf_object_is_float(const ddwaf_object * object)
+```
+
+Returns true if the object is a float.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is a float, false otherwise.
+
+#### ddwaf_object_is_string
+
+```c
+bool ddwaf_object_is_string(const ddwaf_object * object)
+```
+
+Returns true if the object is a string.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is a string, false otherwise.
+
+#### ddwaf_object_is_array
+
+```c
+bool ddwaf_object_is_array(const ddwaf_object * object)
+```
+
+Returns true if the object is an array.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is an array, false otherwise.
+
+#### ddwaf_object_is_map
+
+```c
+bool ddwaf_object_is_map(const ddwaf_object * object)
+```
+
+Returns true if the object is a map.
+
+**Parameters:**
+
+- `object`: The object from which to get the type.
+
+**Returns:** True if the object is a map, false otherwise.
+
+### Utility
+
+#### ddwaf_get_version
+
+```c
+const char * ddwaf_get_version()
+```
+
+Return the version of the library
+
+**Returns:** version Version string, note that this should not be freed
+
+#### ddwaf_set_log_cb
+
+```c
+bool ddwaf_set_log_cb(ddwaf_log_cb cb, DDWAF_LOG_LEVEL min_level)
+```
+
+Sets the callback to relay logging messages to the binding
+
+**Parameters:**
+
+- `cb`: The callback to call, or NULL to stop relaying messages
+- `min_level`: The minimum logging level for which to relay messages
+
+**Returns:** whether the operation succeeded or not
+
+> **Note:** This function is not thread-safe
diff --git a/docs/c-api/binding-integration-guide.md b/docs/c-api/binding-integration-guide.md
new file mode 100644
index 000000000..e88043eb7
--- /dev/null
+++ b/docs/c-api/binding-integration-guide.md
@@ -0,0 +1,219 @@
+# Implementation notes for bindings
+
+
+## `ddwaf_handle`
+
+`ddwaf_handle` represents a rule set, with associated rule data, exclusions,
+and so on. It is created through the `ddwaf_builder` API.
+
+A tracer will want to keep only one live `ddwaf_handle`. The first one will be
+created through `ddwaf_builder_build_instance`, and then it will replace it by
+updating the builder and building a new instance as it gets new configurations
+through remote config.
+
+The relevant read operations on `ddwaf_handle` are `ddwaf_context_init`,
+`ddwaf_known_addresses`, and `ddwaf_known_actions`. None of these operations
+modify the `ddwaf_handle`. So, at this point, it is sufficient to ensure that
+threads calling these functions see a fully constructed `ddwaf_handle` — or in
+other words, it is sufficient that the write to the pointer/reference happens
+after `ddwaf_builder_build_instance` is called (as seen by other threads). For
+this, a release-acquire operation suffices:
+
+```c++
+std::atomic<ddwaf_handle> cur_ddwaf_handle; // global variable; the live handle
+
+// Initialization thread
+void initialize_handle(const ddwaf_object *ruleset, ddwaf_object *diagnostics)
+{
+    ddwaf_builder builder = ddwaf_builder_init();
+    if (builder == nullptr) { /* handle error */ }
+
+    ddwaf_builder_add_or_update_config(builder, "main", 4, ruleset, diagnostics);
+    ddwaf_handle new_handle = ddwaf_builder_build_instance(builder);
+    ddwaf_builder_destroy(builder);
+
+    if (new_handle == nullptr) { /* handle error */ }
+    cur_ddwaf_handle.store(new_handle, std::memory_order_release);
+}
+
+// Request thread
+ddwaf_context create_context(ddwaf_allocator output_alloc) {
+    ddwaf_handle handle = cur_ddwaf_handle.load(std::memory_order_acquire);
+    if (handle == nullptr) { /* handle error */ }
+    return ddwaf_context_init(handle, output_alloc);
+}
+```
+
+However, there is a potential problem when you update the live handle. While
+libddwaf refcounts the `ddwaf_handle` and ensures that its memory is not
+reclaimed until all associated `ddwaf_context`s have been destroyed, it cannot
+prevent a use-after-free in this situation:
+
+```c++
+// Remote config thread
+void update_handle(ddwaf_builder builder, const ddwaf_object *ruleset, ddwaf_object *diagnostics)
+{
+    ddwaf_handle old_handle = cur_ddwaf_handle.load(std::memory_order_acquire);
+
+    // Update the builder with new configuration
+    ddwaf_builder_add_or_update_config(builder, "main", 4, ruleset, diagnostics);
+    ddwaf_handle new_handle = ddwaf_builder_build_instance(builder);
+
+    cur_ddwaf_handle.store(new_handle, std::memory_order_release);
+
+    // will free the memory if no ddwaf_contexts are associated with it:
+    ddwaf_destroy(old_handle);
+}
+
+// Request thread
+ddwaf_context create_context(ddwaf_allocator output_alloc) {
+    ddwaf_handle handle = cur_ddwaf_handle.load(std::memory_order_acquire);
+    if (handle == nullptr) { /* handle error */ }
+    // XXX: the handle fetched may have been destroyed in the interim
+    return ddwaf_context_init(handle, output_alloc);
+}
+```
+
+That is, the old `ddwaf_handle` can only be destroyed once we can be guaranteed
+that no other thread will try to create a new context from it (or build a new
+handle through the builder, though that is less of a problem because generally
+the tracers will not want to update the global `ddwaf_handle` from several
+threads simultaneously).
+
+There are many possible strategies to deal with this memory reclamation
+problem, but the most straightforward are:
+
+* If the runtime uses garbage collection, we can delay the call to
+  `ddwaf_destroy` until the garbage collector determines the object wrapping
+  the native `ddwaf_handle` has no more references. This is relatively easy to
+  do and doesn't involve extra usage of locks, but the memory used by the
+  `ddwaf_handle` will not be available until the garbage collector decides
+  to reclaim the wrapped object. Because the garbage collector does not see
+  the memory being used by the `ddwaf_handle`, if garbage collection never
+  happens, there is a risk that memory consumption gets too high. This is a
+  rather unlikely scenario though.
+
+* You can use read-write locks:
+
+```c++
+// global variables
+std::shared_mutex mutex;
+ddwaf_handle cur_ddwaf_handle;
+
+// Initialization thread
+void initialize_handle(const ddwaf_object *ruleset, ddwaf_object *diagnostics)
+{
+    ddwaf_builder builder = ddwaf_builder_init();
+    if (builder == nullptr) { /* handle error */ }
+
+    ddwaf_builder_add_or_update_config(builder, "main", 4, ruleset, diagnostics);
+    ddwaf_handle new_handle = ddwaf_builder_build_instance(builder);
+    ddwaf_builder_destroy(builder);
+
+    if (new_handle == nullptr) { /* handle error */ }
+
+    std::unique_lock lock{mutex}; // acquire write lock
+    cur_ddwaf_handle = new_handle;
+    // write lock released on return
+}
+
+// Remote config thread
+void update_handle(ddwaf_builder builder, const ddwaf_object *ruleset, ddwaf_object *diagnostics)
+{
+    std::unique_lock lock{mutex}; // acquire write lock
+    ddwaf_handle old_handle = cur_ddwaf_handle;
+
+    ddwaf_builder_add_or_update_config(builder, "main", 4, ruleset, diagnostics);
+    ddwaf_handle new_handle = ddwaf_builder_build_instance(builder);
+
+    cur_ddwaf_handle = new_handle;
+    ddwaf_destroy(old_handle);
+    // write lock released on return
+}
+
+// Request thread
+ddwaf_context create_context(ddwaf_allocator output_alloc) {
+    std::shared_lock lock{mutex}; // acquire read lock
+    if (cur_ddwaf_handle == nullptr) { /* handle error */ }
+    return ddwaf_context_init(cur_ddwaf_handle, output_alloc);
+    // read lock released on return
+}
+```
+
+## `ddwaf_context`
+
+On the other hand, `ddwaf_context` is not thread-safe. If a `ddwaf_context` is
+used by multiple threads (in web servers where the processing of the request
+can move between several threads, or happen in several threads simultaneously),
+you need to use locks so that calls to `ddwaf_context_eval` and `ddwaf_context_destroy`
+are not run concurrently, and that changes made to the `ddwaf_context` in one thread
+through `ddwaf_context_eval` are visible to the other threads subsequently running
+`ddwaf_context_eval` on the same context. You also need to ensure that no calls
+to `ddwaf_context_eval` or `ddwaf_context_destroy` happen after `ddwaf_context_destroy`
+is called.
+
+**Note**: The same thread-safety considerations apply to `ddwaf_subcontext`. Subcontexts
+are created from a parent context via `ddwaf_subcontext_init` and evaluated with
+`ddwaf_subcontext_eval`. Like contexts, they are not thread-safe and require external
+synchronization if accessed from multiple threads.
+
+```c++
+// each request will have one of these associated with it
+struct ctx_wrapper {
+    std::mutex mutex;
+    ddwaf_context ctx;
+};
+
+DDWAF_RET_CODE run_waf(
+    ctx_wrapper &wrapper, ddwaf_object *data, ddwaf_allocator alloc,
+    ddwaf_object *result, uint64_t timeout)
+{
+    std::lock_guard<std::mutex> lock{wrapper.mutex}; // acquire exclusive lock
+    if (wrapper.ctx == nullptr) { /* context already destroyed */ }
+    return ddwaf_context_eval(wrapper.ctx, data, alloc, result, timeout);
+    // lock is released on return
+}
+
+void destroy_ctx(ctx_wrapper &wrapper) {
+    std::lock_guard<std::mutex> lock{wrapper.mutex};
+    if (wrapper.ctx == nullptr) { /* context already destroyed */ }
+    ddwaf_context_destroy(wrapper.ctx);
+    wrapper.ctx = nullptr;
+}
+```
+
+## `ddwaf_builder`
+
+The `ddwaf_builder` API manages multiple configuration sources and enables
+configuration updates. This is the recommended way to create `ddwaf_handle`
+instances, especially when dealing with remote configuration updates.
+
+### Builder Lifecycle
+
+```c
+// 1. Initialize builder
+ddwaf_builder builder = ddwaf_builder_init();
+
+// 2. Add configurations with unique paths
+ddwaf_object diagnostics;
+ddwaf_builder_add_or_update_config(builder, "base", 4, base_config, &diagnostics);
+ddwaf_object_destroy(&diagnostics, ddwaf_get_default_allocator());
+
+// 3. Build instance
+ddwaf_handle handle = ddwaf_builder_build_instance(builder);
+
+// 4. Later, update configurations
+ddwaf_builder_add_or_update_config(builder, "remote/prod", 11, remote_config, &diagnostics);
+ddwaf_handle new_handle = ddwaf_builder_build_instance(builder);
+
+// 5. Remove configurations if needed
+ddwaf_builder_remove_config(builder, "remote/prod", 11);
+
+// 6. Destroy builder when no longer needed
+ddwaf_builder_destroy(builder);
+```
+
+### Thread Safety
+
+`ddwaf_builder` operations are not thread-safe. If you need to update configurations
+from multiple threads, use external synchronization (e.g., a mutex).
diff --git a/docs/changelog/CHANGELOG-latest.md b/docs/changelog/CHANGELOG-latest.md
new file mode 120000
index 000000000..d9113fc67
--- /dev/null
+++ b/docs/changelog/CHANGELOG-latest.md
@@ -0,0 +1 @@
+CHANGELOG-v2.0.0.md
\ No newline at end of file
diff --git a/CHANGELOG.md b/docs/changelog/CHANGELOG-v1.x.md
similarity index 100%
rename from CHANGELOG.md
rename to docs/changelog/CHANGELOG-v1.x.md
diff --git a/docs/changelog/CHANGELOG-v2.0.0.md b/docs/changelog/CHANGELOG-v2.0.0.md
new file mode 100644
index 000000000..76aff5d94
--- /dev/null
+++ b/docs/changelog/CHANGELOG-v2.0.0.md
@@ -0,0 +1,53 @@
+# v2.0.0-alpha0
+
+libddwaf v2.0.0 represents a significant redesign of the C API, focusing on explicit memory ownership, reduced memory footprint, and a more consistent interface. Beyond the public API, the internals have also been refactored to use safer and more C++-native abstractions. This is an alpha release intended for early adopters and binding library maintainers to begin integration work.
+
+As expected, this release is not backwards compatible; the upgrading guide at `docs/upgrading/UPGRADING-v2.0.md` provides detailed migration examples for each of the breaking changes.
+
+### Memory Ownership and Allocators
+
+The most fundamental change in v2 is the introduction of allocators throughout the API. In v1, memory ownership across the API boundary was often ambiguous, leading to potential issues in complex integration scenarios. The new allocator system makes memory ownership explicit: callers provide an allocator when creating objects and use the same allocator when destroying them. A default allocator is available via `ddwaf_get_default_allocator()` for simple use cases, while custom allocators enable advanced memory management strategies.
+
+### Object Model and Creation API
+
+The `ddwaf_object` structure has been completely redesigned to reduce memory overhead. A single object now requires only 16 bytes, down from a considerably larger footprint in v1. This was achieved through carefully redesigning each of the possible type variants and, more specifically, through the removal of map keys from the main `ddwaf_object` in favour of representing maps through a separate `ddwaf_object_kv` structure. Indirectly, this new version enables further reduction in the memory and allocations through the introduction of small strings, where strings of 14 bytes or fewer are stored directly within the object without additional heap allocation, and literal strings, which reference read-only memory that is never freed by the library.
+
+Object creation functions have been renamed to follow a consistent `ddwaf_object_set_*` pattern and now require an allocator parameter where allocation may occur. Container insertion returns a pointer to the newly inserted element, eliminating the need for intermediate objects. For example, where v1 required creating a value object separately and then adding it to a map, v2 allows direct initialisation: `ddwaf_object_set_string(ddwaf_object_insert_key(&map, "key", 3, alloc), "value", 5, alloc)`. This pattern reduces boilerplate and makes the ownership model clearer.
+
+### Context and Subcontext Lifecycle
+
+The function `ddwaf_run` has been renamed to `ddwaf_context_eval` for consistency with the rest of the API. More significantly, ephemeral data semantics have been replaced with a new subcontext mechanism. In v1, ephemeral data was passed as a separate parameter to each `ddwaf_run` call and was not retained. In v2, a subcontext is explicitly created from a parent context via `ddwaf_subcontext_init`, evaluated with `ddwaf_subcontext_eval`, and destroyed with `ddwaf_subcontext_destroy`. Subcontexts inherit all data from their parent context but maintain their own isolated evaluation state. Multiple concurrent subcontexts can be created from the same parent context, each defining its own data scope and lifetime.
+
+## Release Changelog
+### Changes
+
+- Object model overhaul: immutable `object_view`, owned/borrowed writable objects, raw configuration on `object_view`, container view types, and updated unit tests ([#341](https://github.com/DataDog/libddwaf/pull/341), [#378](https://github.com/DataDog/libddwaf/pull/378), [#382](https://github.com/DataDog/libddwaf/pull/382), [#387](https://github.com/DataDog/libddwaf/pull/387), [#390](https://github.com/DataDog/libddwaf/pull/390), [#391](https://github.com/DataDog/libddwaf/pull/391), [#394](https://github.com/DataDog/libddwaf/pull/394), [#408](https://github.com/DataDog/libddwaf/pull/408), [#413](https://github.com/DataDog/libddwaf/pull/413), [#476](https://github.com/DataDog/libddwaf/pull/476)).
+- Allocator API: propagate allocators through contexts/subcontexts, expose allocator-aware interfaces, and stop generating zero-terminated strings ([#418](https://github.com/DataDog/libddwaf/pull/418), [#420](https://github.com/DataDog/libddwaf/pull/420), [#427](https://github.com/DataDog/libddwaf/pull/427), [#452](https://github.com/DataDog/libddwaf/pull/452)).
+- Refactored evaluation lifecycle: separated data insertion from evaluation and lifted evaluation stages out of the context ([#407](https://github.com/DataDog/libddwaf/pull/407), [#442](https://github.com/DataDog/libddwaf/pull/442)).
+- Subcontexts with user-defined lifetimes and validator support for subcontexts/attributes ([#443](https://github.com/DataDog/libddwaf/pull/443), [#451](https://github.com/DataDog/libddwaf/pull/451), [#468](https://github.com/DataDog/libddwaf/pull/468)).
+- Array indexing on key paths ([#458](https://github.com/DataDog/libddwaf/pull/458)).
+- Instantiate obfuscator through configuration and remove `ddwaf_config` ([#464](https://github.com/DataDog/libddwaf/pull/464)).
+- Return `DDWAF_MATCH` when events, attributes, or actions are present ([#455](https://github.com/DataDog/libddwaf/pull/455)).
+- Remove legacy configuration schema (v1) support ([#482](https://github.com/DataDog/libddwaf/pull/482)).
+
+### Fixes
+
+- Report input attribute addresses on `ddwaf_known_addresses` ([#485](https://github.com/DataDog/libddwaf/pull/485)).
+- Remove default allocator arguments ([#486](https://github.com/DataDog/libddwaf/pull/486)).
+
+### Miscellaneous
+
+- Upgrade fmt dependency and use as header-only ([#478](https://github.com/DataDog/libddwaf/pull/478)).
+- Increase macOS target to 14.2.1 ([#477](https://github.com/DataDog/libddwaf/pull/477)).
+- Add option to build on valgrind to avoid RE2 UB noise ([#480](https://github.com/DataDog/libddwaf/pull/480)).
+- Lint all headers and add tests ([#474](https://github.com/DataDog/libddwaf/pull/474)).
+- Intertwine context and subcontext calls within benchmark ([#469](https://github.com/DataDog/libddwaf/pull/469)).
+- Disable unreliable GCC / Clang benchmarks ([#470](https://github.com/DataDog/libddwaf/pull/470)).
+- Upload coverage reports to Datadog ([#471](https://github.com/DataDog/libddwaf/pull/471)).
+- Remove mingw builds ([#381](https://github.com/DataDog/libddwaf/pull/381)).
+- Cleanup exclusion namespace and redundant references ([#456](https://github.com/DataDog/libddwaf/pull/456)).
+- Expanded fingerprint and object-view tests ([#414](https://github.com/DataDog/libddwaf/pull/414)).
+- Add fuzzer v2 ([#465](https://github.com/DataDog/libddwaf/pull/465)).
+- Update logger to avoid dependencies on `ddwaf.h` ([#453](https://github.com/DataDog/libddwaf/pull/453)).
+- Achieve 100% test coverage for src/utils.cpp ([#481](https://github.com/DataDog/libddwaf/pull/481)).
+- Documentation ([#487](https://github.com/DataDog/libddwaf/pull/487)).
diff --git a/docs/upgrading/UPGRADING-latest.md b/docs/upgrading/UPGRADING-latest.md
new file mode 120000
index 000000000..08b9e86c5
--- /dev/null
+++ b/docs/upgrading/UPGRADING-latest.md
@@ -0,0 +1 @@
+UPGRADING-v2.0.md
\ No newline at end of file
diff --git a/docs/upgrading/UPGRADING-v1.x.md b/docs/upgrading/UPGRADING-v1.x.md
new file mode 100644
index 000000000..d1f9b83d6
--- /dev/null
+++ b/docs/upgrading/UPGRADING-v1.x.md
@@ -0,0 +1,991 @@
+# Upgrading libddwaf
+
+## Upgrading from `1.29.x` to `1.30.0`
+This new version introduces no new features, however the recently introduced `block_id` action parameter has been renamed to `security_response_id` for consistency.
+
+## Upgrading from `1.27.x` to `1.28.0`
+
+This new version of `libddwaf` introduces no breaking changes to the API / ABI , however it does change the returned type of the following actions parameters:
+
+- Action type `block_request`:
+  - `grpc_status_code` and `status_code` are now provided as unsigned integers (`uint64_t`) rather than strings.
+- Action type `redirect_request`:
+  - `status_code` is now provided as an unsigned integer (`uint64_t`) rather than a string.
+
+The type changes specified above do not depend on the original parameter type provided in configuration, as these status codes are converted and validated internally.
+
+## Upgrading from `1.24.x` to `1.25.0`
+
+### Evaluation Result
+
+The main breaking change in this version of `libddwaf` is the removal of the `ddwaf_result` structure, which has been replaced by a `ddwaf_object`. Replacing C-structs with `ddwaf_object` furthers the objective of minimising the potential breaking changes that can be made, in this case to the ABI, as the dynamic nature of the `ddwaf_object` allows for adding or removing keys and values without the need for adjusting structure offsets or recompilation.
+
+With this change, the signature of `ddwaf_run` is as follows:
+```c
+DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *persistent_data, ddwaf_object *ephemeral_data, ddwaf_object *result,  uint64_t timeout);
+```
+The schema of the result object can be seen below:
+```
+{
+  "timeout": <boolean>,
+  "keep": <boolean>,
+  "duration": <unsigned>, 
+  "events": <array>,
+  "actions": <map>,
+  "attributes": <map>
+}
+```
+
+Where each of the fields has the following description:
+- `timeout`: formerly `ddwaf_result::timeout`, specifies whether there has been a timeout during the current call to `ddwaf_run`.
+- `keep`: a new field which specifies whether the data provided must override sampling.
+- `duration`: formerly `ddwaf_result::total_runtime`, provides the duration in nanoseconds of the current call to `ddwaf_run`.
+- `events`: formerly `ddwaf_result::events`, consists in an array of events generated as a result of the rule evaluation process.
+- `actions`: formerly `ddwaf_result::actions`, consists in a map of the actions, and their parameters, generated as a result of the rule evaluation process.
+- `attributes`: formerly `ddwaf_result::derivatives`, consists in a map of all generated attributes, such as schemas, fingerprints or rule attributes.
+
+In addition, the function `ddwaf_object_find` has been introduced to simplify the process of finding keys from an object of type map, although since maps are simple key-value arrays the operation has O(n) complexity. As a consequence it's only recommended for testing purposes.
+
+As an example, the following code using `ddwaf_result`
+
+```c
+ddwaf_result ret;
+auto code = ddwaf_run(context, &root, nullptr, &ret, LONG_TIME);
+if (code == DDWAF_MATCH) {
+    cout << object_to_yaml(&ret.events);
+}
+ddwaf_result_free(&ret);
+```
+
+
+Can be replaced as follows:
+
+```c
+ddwaf_object ret;
+auto code = ddwaf_run(context, &root, nullptr, &ret, LONG_TIME);
+if (code == DDWAF_MATCH) {
+    const ddwaf_object *events = ddwaf_object_find(&ret, "events", sizeof("events") - 1);
+    cout << object_to_yaml(events);
+}
+ddwaf_object_free(&ret);
+```
+
+Finally, extracting all relevant objects can be done efficiently through a loop as follows:
+
+```c
+const ddwaf_object *events = NULL, *actions = NULL, *attributes = NULL,
+             *keep = NULL, *duration = NULL, *timeout = NULL;
+for (size_t i = 0; i < ddwaf_object_size(&ret); ++i) {
+    const ddwaf_object *child = ddwaf_object_get_index(&ret, i);
+    if (child == NULL) { /* handle failure */ }
+
+    size_t length = 0;
+    const char *key = ddwaf_object_get_key(child, &length);
+    if (key == NULL) { /* handle failure */ }
+
+    if (length == (sizeof("events") - 1) && memcmp(key, "events", length) == 0) {
+        events = child;
+    } else if (length == (sizeof("actions") - 1) && memcmp(key, "actions", length) == 0) {
+        actions = child;
+    } else if (length == (sizeof("attributes") - 1) && memcmp(key, "attributes", length) == 0) {
+        attributes = child;
+    } else if (length == (sizeof("keep") - 1) && memcmp(key, "keep", length) == 0) {
+        keep = child;
+    } else if (length == (sizeof("duration") - 1) && memcmp(key, "duration", length) == 0) {
+        duration = child;
+    } else if (length == (sizeof("timeout") - 1) && memcmp(key, "timeout", length) == 0) {
+        timeout = child;
+    }
+}
+
+/* Perform any relevant operations with the extracted objects */
+
+ddwaf_object_free(&ret);
+```
+## Upgrading from `1.22.0` to `1.23.0`
+
+### WAF Builder
+The WAF builder is a new mechanism for generating WAF instances through the use of independent, partial and potentially overlapping configurations, effectively mirroring the process performed by the security libraries when consolidating configurations obtained through remote configuration. The outcome of the builder is equivalent to merging all available configurations into a single one, however the process is tailored towards continuous generation of instances based on the addition, update and removal of partial or complete configurations, while reusing internal objects as much as possible.
+
+> [!WARNING]
+> As a consequence of the introduction of this new interface, the `ddwaf_update` function has been deprecated and removed, as the semantics of the configurations expected by this function are incompatible with those used by the new builder API. ***
+
+In previous versions of `libddwaf`, configurations provided during `ddwaf_update` were required to be a map containing at least one of the supported top-level keys (e.g. `rules`, `exclusions`, `processors`, etc) and each of these represented the complete set of primitives of the given type. For example, a configuration containing `rules` was required to contain all rules, meaning that a future configuration update containing `rules` would result in the complete replacement of the old set with the new one. With this model, when generating a single WAF instance with multiple configurations, each of them was required to be non-overlapping.
+
+In this new version, configurations are still required to be a map, containing  at least one of the supported top-level keys, however they must also be provided with a "path", which represents a unique identifier for the given configuration and does not need to follow any particular schema; when the configuration is obtained through remote configuration, the path value must be the one obtained through it. In addition, configurations are now assumed to be overlapping, meaning that the top-level key need not represent the complete set of primitives for the given type as they will be treated as though the set is always partial and may be extended through other configurations. For example, two configurations may contribute new rules by providing the `rules` top-level key, trusting that the WAF builder will take care of the merging process.
+
+#### Builder Lifecycle
+
+The lifetime of the WAF builder should be linked to that of the remote configuration client, as its main purpose is to consume configuration additions, updates and removals as they are produced. Generally, a builder will have a consistent state throughout its lifetime, ensuring that memory use is always limited to objects contained within the loaded configurations. 
+
+Currently, the instantiation of the builder optionally requires `ddwaf_config`, a structure which allows the user to configure the evaluation limits, the obfuscator regexes and the object free function. The interaction with `ddwaf_config` follows the same principles as `ddwaf_init`, i.e. if provided it'll override existing values, if `NULL`, defaults will be used instead. 
+
+> [!NOTE]
+> `ddwaf_config` should not be confused with the configurations obtained through remote configuration, which are provided as a `ddwaf_object`. This structure may be removed in the future in favour of passing obfuscator regexes and evaluation limits through configuration. 
+
+The following snippet shows the instantiation of a builder:
+
+```cpp
+ddwaf_config config{/* limits, obfuscator regexes and free function */};
+
+// Instantiate a new builder using the previously defined ddwaf_config
+ddwaf_builder builder = ddwaf_builder_init(config);
+```
+
+At this stage, configurations may be added, updated and removed and, once ready, a WAF instance can be created as follows:
+
+```cpp
+// Build a new WAF instance, handle any potential failure by checking for NULL
+ddwaf_handle handle = ddwaf_builder_build_instance(&builder);
+if (handle == NULL) { /* handle failure */ }
+```
+
+The generated WAF instance is then available for use, and it's completely independent of the builder itself, meaning that freeing one should have no impact on the other and vice-versa. The builder can continue being used in the background and once all configuration changes have been performed, a new handle can be instantiated:
+
+```cpp
+ddwaf_handle new_handle = ddwaf_builder_build_instance(&builder)
+if (new_handle == NULL) {
+    // handle failure
+}
+ddwaf_destroy(&handle);  
+```
+Note that the two WAF instances can coexist if needed, albeit it's more likely that only one will be required. Finally, at the end of the builder's lifecycle, the memory associated with it must be released as follows:
+
+```cpp
+// At the end of application's lifetime, destroy the builder
+ddwaf_builder_destroy(&builder);
+```
+
+#### Adding, updating and removing configurations
+
+> [!CAUTION] 
+> Builder access and modification is not thread-safe, users must ensure that it's only used from one thread or they must synchronize uses from separate threads, e.g. using a mutex.
+
+The process of adding or updating configurations is a relatively simple one. Firstly, configurations must be provided as a `ddwaf_object` of type `map` and a separate `path` representing its unique identifier. For example: 
+```c
+// Generate the configuration as a map containing any of the expected top-level keys, such as `rules, exclusions, etc.
+ddwaf_object configuration;
+ddwaf_object_map(&configuration);
+...
+
+// Use a unique path for this configuration
+const char *path = "path/to/configuration/rules-c555e7ee647a3d72c2cb60a32767d586";
+uint32_t path_len = (uint32_t)strlen(path);
+```
+
+With that in hand, configurations can be added or updated with `ddwaf_builder_add_or_update_config`, letting the builder handle any update-specific logic. This function will also provide any diagnostics derived from the parsing and conversion process, this will include any errors and warnings as well as details regarding the IDs of the elements loaded, failed or skipped. Note that once the configuration is loaded, the memory associated with it must be freed by the caller:
+
+```c
+ddwaf_object diagnostics;
+ddwaf_object_invalid(&diagnostics);
+
+bool result = ddwaf_builder_add_or_update_config(&builder, path, path_len, &configuration, &diagnostics);
+ddwaf_object_free(&configuration);
+
+if (!result) { /* Failed to load configuration, check diagnostics */ }
+```
+The addition or update may fail in certain circumstances, as denoted by the returned boolean value. This may happen when invalid arguments are provided, when the configuration could not be parsed or when it doesn't yield any meaningful results, e.g. none of the primitives within are compatible.
+
+In contrast, the removal process only requires the path and it's performed through the `ddwaf_builder_remove_config` function, as can be seen on the example below:
+
+```c
+bool result = ddwaf_builder_remove_config(&builder, path, path_len);
+if (!result) { /* Non critical error, possibly indicating a bug in the user's implementation */}
+```
+
+The removal process returns a boolean value indicating success or failure, however failure in this instance only indicates that either the arguments provided were invalid or the configuration didn't actually exist.
+
+### Warning and Error Diagnostics
+In this new version, diagnostics have been split into two categories: warnings and errors. Warnings represent diagnostics which typically indicate an incompatibility between the provided configuration and the given version of `libddwaf`. On the other hand, errors indicate a more relevant failure, one which may indicate that the configuration is malformed or incomplete. In addition, a new top-level `error` field has been introduced to account for a potential global configuration parsing error.
+
+With that in mind, the schema of the diagnostics is roughly as follows:
+
+```json
+{
+  "error": "<string, when present, no other keys should be available>",
+  "ruleset_version": "<version string>",
+  "(exclusions|rules|processors|rules_override|rules_data|custom_rules|actions|scanners)" : {
+    "error": "<string, when present, no other keys should be available>",
+    "loaded": [ "<ids>" ],
+    "failed": [ "<ids>" ],
+    "skipped": [ "<ids>" ],
+    "errors": {
+      "<message>" : [ "<ids>" ],
+    },
+    "warnings": {
+      "<message>" : [ "<ids>" ],
+    }
+  }
+}
+```
+#### Rephrased diagnostics
+
+The following diagnostics have been slightly changed or rephrased, any monitors targeting them may need to be updated:
+- `unknown type '<name>'` is now `unknown type: '<name>'`.
+- `unknown matcher: <name>` is now `unknown operator: '<name>'` and has been demoted to a `warning`.
+- `invalid transformer <name>` is now `unknown transformer: '<name>'` and has been demoted to a `warning`.
+- `unknown generator '<name>'` is now `unknown generator: '<name>'`  and has been demoted to a `warning`.
+
+The following diagnostics have only been downgraded to warnings:
+- `unsupported schema version: <number>.x`
+- `unsupported operator version <operator name>@<version>, current <operator name>@<current version>`
+
+## Upgrading from `1.16.x` to `1.17.x`
+
+### Action semantics
+
+In order to support non-blocking actions, and specifically those with dynamic parameters, a number changes have been introduced in this version.
+
+The first change introduced is that users must now provide action definitions during the initialisation or update process. This information is used internally to understand the nature of an action and, more specifically, the nature of the side-effects of a rule. While this version doesn't yet take advantage of this information for rule scheduling, it does so in order to dynamically generate stack IDs when the `stack_trace` action is produced by a rule. As a reminder, action definitions have the following rough schema:
+
+```json
+{
+  "actions": [{
+    "id": "<id: string>",
+    "type": "<type: string>",
+    "parameters": { "<kv map of parameters>" }
+  }]
+}
+```
+
+Secondly, since the definition of each action is now available internally, the schema of `ddwaf_result.actions` has been updated from an array of IDs to a map of action types, each containing its own set of parameters in string format:
+
+```json
+{
+  "block_request": {
+   "status_code": "403",
+   "type":  "auto"
+  }
+}
+```
+
+This means the caller no longer has to translate action IDs to their relevant definition and any blocking action conflicts are resolved internally following a simple set of rules:
+- When multiple actions of the same type are present, the first one produced has precedence.
+- An action of type`redirect_request` has priority over an action of type `block_request`.
+
+In addition, specific action types can now have dynamic parameters, such as the `generate_stack` action type, which requires the inclusion of a stack trace UUID in both the action parameters and the relevant event:
+
+```json
+{
+  "generate_stack": {
+    "stack_id": "f96a33a2-f5c1-11ee-99aa-9bdcccee26aa"
+  }
+}
+```
+
+Finally the following set of default actions are included:
+- `block`: of type `block_request`, requires the caller to block the request and provides the following default parameters:
+    - `status_code`: `403`
+    - `type`: `auto`
+    - `grpc_status_code`: `10`
+- `stack_trace`: of type `generate_stack`, requires the user to generate a stack trace with the UUID provided in the `stack_id` parameter.
+- `extract_schema`: of type `generate_schema`, instructs the user to call the WAF again with the relevant parameters required for schema generation.
+- `monitor`: an internal reserved action.
+
+### Action type specification
+The following sections describe the action types supported and their required parameters.
+
+**Note:** If an action provided in the `actions` top-level key is of an unknown and/or unsupported type, it will still be provided to the caller without validation.
+
+#### `block_request` action type
+The `block_request` action type instructs the caller to block the current request by overriding the response. The parameters required by this action type are the following:
+- `status_code`: corresponding to the HTTP response status code which should be used by the caller when overriding the response. The default value is `403`.
+- `type`: this value provides the caller with an indication of the response format, e.g. `json` or `html`. The default value is `auto`, indicating that the caller should use the `Accept` header to determine an appropriate response format.
+- `grpc_status_code`: specifically meant for gRPC requests, this represents the status code which should be used by the caller when overriding the response. The default value is `10`.
+
+If any of these parameters is missing in an action definition, the default value is used, for example:
+
+```json
+
+{
+  "id": "block",
+  "parameters": {
+    "status_code": "404",
+    "type": "auto"
+  },
+  "type": "block_request"
+},
+```
+Is missing the `grpc_status_code`, so the default value of `10` is used instead.
+
+#### `redirect_request` action type
+The `redirect_request` action type instructs the caller to override the response with a redirect response. The parameters required by this action are the following:
+- `status_code`: corresponding to the HTTP status code which should be used by the caller to redirect, this must be a value in the `300-399` range. If the value is outside of range or missing, the default value `303` is used instead.
+- `location`: specifies the URL to redirect to. This value must always be present and there is no predefined default.
+
+**Note:** If the `location` parameter is missing, the action is converted into a `block_request` action with default parameters.
+
+#### `generate_stack` action type
+The `generate_stack` action type instructs the caller to generate a stack trace. This action type requires no parameters; however, when triggered, it provides the `stack_id` that should be included in the stack trace to properly associate it with the relevant event. For example:
+
+```json
+{
+  "generate_stack": {
+    "stack_id": "b4c7aff3-8fb0-4f6a-1bc7-582700c46abe"
+  }
+}
+```
+
+#### `generate_schema` action type
+The `generate_shema` action type instructs the caller to let `libddwaf` know that it should generate the schema for the current request whenever ready. In the future, once some of the current limitations have been resolved, this might result in the automatic generation of the schema. This action type currently requires no parameters.
+
+## Upgrading from `1.14.0` to `1.15.0`
+
+### Interface changes
+
+With the introduction of ephemeral addresses, `ddwaf_run` now allows the caller to provide data as both persistent or ephemeral. The new signature can be seen below:
+```c
+DDWAF_RET_CODE ddwaf_run(ddwaf_context context, ddwaf_object *persistent_data,
+    ddwaf_object *ephemeral_data, ddwaf_result *result, uint64_t timeout);
+```
+
+Both `persistent_data` and `ephemeral_data` are nullable, however at least one of them has to be non-null for the call to be valid. Otherwise the call to `ddwaf_run` will return the error `DDWAF_ERR_INVALID_ARGUMENT`.
+
+The other interface change is the renaming of `ddwaf_required_addresses` to `ddwaf_known_addresses`, aside from the name change, the signature hasn't changed, as can be seen below:
+
+```c
+const char* const* ddwaf_known_addresses(const ddwaf_handle handle, uint32_t *size);
+```
+
+The reason for the name change is to better reflect the nature of the addresses provided by this function, which will now provide a list of all addresses seen by the WAF, regardless of whether they are required for rule, filter or processor evaluation, or whether they are optionally used when available, such as part of an exclusion filter for inputs or a processor mapping. A more accurate distinction, as well as a breakdown of the addresses required by each of the supported high-level features, is now provided as part of the diagnostics returned by `ddwaf_init` and `ddwaf_update`.
+
+Finally, `testPowerWAF` has been renamed to `waf_test`, while this isn't an interface change it might affect those building and testing the WAF directly.
+
+### Ephemeral addresses
+
+Ephemeral addresses is a new feature aimed at providing better support for protocols composed of a single request with multiple subrequests, such as gRPC client / server streaming or GraphQL. As the name implies, ephemeral addresses are short-lived:
+- These addresses are only used for evaluation of rules and exclusion filters during the `ddwaf_run` call in which they are provided; subsequent calls will have no access to these addresses.
+- At the end of `ddwaf_run` the memory associated with the ephemeral addresses is freed.
+
+As an example, these addresses can be used to evaluate independent gRPC messages within the context of the whole HTTP request. A call with the whole HTTP context and the first gRPC message could look as follows:
+```json
+{
+  "persistent": {
+    "server.request.headers.no_cookies": [ "..." ],
+    "server.request.uri.raw": "...",
+    "http.client_ip": "..."
+  },
+  "ephemeral": {
+    "grpc.server.request.message": { "..." }
+  }
+}
+```
+
+Subsequent calls only need to provide the relevant gRPC message data:
+```json
+{
+  "ephemeral": {
+    "grpc.server.request.message": { "..." }
+  }
+}
+```
+
+When using ephemeral addresses in this manner, each call is somewhat equivalent to creating a new context and providing all of the data at once for each message, however:
+- The new approach doesn't need to reevaluate the already evaluated persistent addresses for each gRPC message.
+- Consequently the new approach does not provide duplicate events for the already evaluated persistent addresses.
+- The performance impact should be much smaller when using the new approach since less rules need to be evaluated and the context can be reused rather than created & destroyed for each message.
+
+Finally, aside from the addresses themselves being ephemeral, the outcome of any evaluation with an ephemeral address is also ephemeral. The evaluation of any condition, from either rules, filters or processors, with ephemeral addresses will always be uncached, meaning that subsequent calls to `ddwaf_run` will reevaluate said conditions if relevant addresses are provided. 
+
+Similarly, any address, object or rule excluded as a result of the evaluation of an ephemeral address, either due to the filter condition matching on an ephemeral address or the excluded address being ephemeral, will only have effect for the duration of the `ddwaf_run` call. As a result, subsequent calls to `ddwaf_run` will be able to evaluate those previously excluded rules or addresses, unless filtered again.
+
+### Address diagnostics
+In order to provide more visibility regarding the breakdown of addresses per feature and whether they are required or optional, the latest version of the WAF introduces address diagnostics. These diagnostics can typically be obtained through a call to `ddwaf_init` or `ddwaf_update` and are broken down per feature, for example:
+
+```json
+
+{
+  "rules": {
+    "loaded": [
+      "a45b55fc-5b57-4002-90bf-58cdf296124c"
+    ],
+    "failed": [],
+    "errors": {},
+    "addresses": {
+      "required": [
+        "http.client_ip",
+        "usr.id",
+        "server.request.headers.no_cookies",
+        "graphql.server.all_resolvers",
+        "grpc.server.request.message",
+        "server.request.path_params",
+        "server.request.body",
+        "server.request.query",
+        "server.request.uri.raw",
+        "server.response.status",
+        "grpc.server.request.metadata"
+      ],
+      "optional": []
+    }
+  }
+}
+```
+
+The distinction between required and optional addresses depends on the feature:
+- Rules only have required addresses.
+- Exclusion filters have both required and optional addresses:
+  - The required addresses correspond to those used within the filter conditions, i.e. those which are required for the filter to be evaluated altogether.
+  - Currently the only optional addresses are those of the excluded inputs, e.g. a filter could exclude `http.client_ip` for a specific endpoint, this address would be optional since it's only used when available.
+- Processors also have both required and optional addresses:
+  - The required addresses correspond to those used within the processor conditions.
+  - The optional addresses correspond to each of the processor mappings, for example if a processor uses `server.request.body.raw` to generate `server.request.body`, the former would be considered optional.
+
+Other diagnostics, such as `rules_data` or `rules_override`, do not provide the addresses key.
+
+## Upgrading from `1.12.0` to `1.13.0`
+
+### Interface changes
+
+For historical reasons, the integer object constructors (signed, unsigned) didn't generate an object of a numerical type, but rather a string. This has been a source of confusion and, with the changes required for schema extraction, these functions have now been adjusted to provide the same semantics as all other constructors, meaning that they now generate a numerical object type rather than a string.
+
+Similarly, the numerical object constructors suffixed with `_force` have now been renamed to more accurately express their meaning:
+```cpp
+ddwaf_object* ddwaf_object_string_from_unsigned(ddwaf_object *object, uint64_t value);
+ddwaf_object* ddwaf_object_string_from_signed(ddwaf_object *object, int64_t value);
+```
+
+To summarize:
+- `ddwaf_object_signed` has been renamed to `ddwaf_object_string_from_signed`
+- `ddwaf_object_unsigned` has been renamed to `ddwaf_object_string_from_unsigned`
+- `ddwaf_object_signed_force` has been renamed to `ddwaf_object_signed`
+- `ddwaf_object_unsigned_force` has been renamed to `ddwaf_object_unsigned`
+
+### New object types
+
+Alongside the schema extraction preprocessor, two new types have been introduced to ensure a more accurate and complete schema can be produced. These are `float` and `null`, the former for completeness of the numerical types and the latter for its semantical value which, in the context of schema extraction, differs from invalid in that it signifies a null value rather than an unknown type.
+
+Library bindings with a mirrored definition of `ddwaf_object` should now include the `f64` field, of type `double`, in the value union:
+
+```cpp
+...
+    union
+    {
+        const char* stringValue;
+        uint64_t uintValue;
+        int64_t intValue;
+        ddwaf_object* array;
+        bool boolean;
+        double f64;
+    };
+...
+```
+This new field breaks with the naming convention of the current `ddwaf_object` definition, however it matches the naming convention of the future `ddwaf_object` definition which will be included in version 2.0.
+
+Similarly, those bindings mirroring the enum types should also include the two new types:
+```cpp
+...
+    // 64-bit float (or double) type
+    DDWAF_OBJ_FLOAT    = 1 << 6,
+    // Null type, only used for its semantical value
+    DDWAF_OBJ_NULL    = 1 << 7,
+...
+```
+
+These new types can now be created with their corresponding `ddwaf_object` constructors:
+```cpp
+ddwaf_object* ddwaf_object_null(ddwaf_object *object);
+ddwaf_object* ddwaf_object_float(ddwaf_object *object, double value);
+```
+
+And finally, float values can also be accessed with the corresponding getter:
+```cpp
+double ddwaf_object_get_float(const ddwaf_object *object);
+```
+
+### Derivatives in `ddwaf_result`
+
+Preprocessors in general and, more specifically the schema extraction preprocessor, now generate objects which need to be provided to the caller of `ddwaf_run`. For this reason, a new field has been introduced to `ddwaf_result` called `derivatives`, containing generated objects:
+```cpp
+struct _ddwaf_result
+{
+    ...
+    /** Map containing all derived objects in the format (address, value) **/
+    ddwaf_object derivatives;
+    /** Total WAF runtime in nanoseconds **/
+    uint64_t total_runtime;
+};
+```
+This new field is an object which will always contain a map of generated addresses and their arbitrary-type value, for example:
+
+```json
+{
+    "server.request.body.schema": [[8],{"len":2}]
+}
+```
+
+This object is freed with `ddwaf_result_free`, so necessary conversions or copies should be performed before disposing of the result structure.
+
+### New Linux builds 
+
+The new linux builds are currently released alongside the legacy linux builds for `aarch64` and `x86_64` and will not replace them for the time being. In addition to the two aforementioned architectures, support for `i386` and `armv7` has also been included. The new archives follow a different, more standarised, naming convention which consists of `libddwaf-<version>-<arch><sub>-<sys>-<env>[-<hash>].tar.gz` with `sys` being always `linux` and `env` always `musl`, which results in the following package names:
+- `libddwaf-1.13.0-x86_64-linux-musl.tar.gz`
+- `libddwaf-1.13.0-aarch64-linux-musl.tar.gz`
+- `libddwaf-1.13.0-i386-linux-musl.tar.gz`
+- `libddwaf-1.13.0-armv7-linux-musl.tar.gz`
+
+Which are not to be confused with the legacy builds, with the following package names:
+- `libddwaf-1.13.0-linux-x86_64.tar.gz`
+- `libddwaf-1.13.0-linux-aarch64.tar.gz`
+  
+The contents of each package is essentially equivalent to the legacy builds, however the new static builds do not provide or require a separate static `libc++` package as all static libraries have been packaged together within `libddwaf.a`. Note that the directory contained within each archive still follows the old naming convention, this will also be changed once the legacy builds have been deprecated.
+
+The new builds use version 16 of `libc++` and friends, compiled against musl `1.2.4` using `clang-16`.
+
+## Upgrading from `1.10.0` to `1.11.0`
+
+Version `1.11.0` introduces a number of breaking changes to the API, notably:
+- The `ruleset_info` structure has been replaced with a `ddwaf_object`, providing many more parsing diagnostics.
+- The `ddwaf_result::data` field containing the resulting events in JSON format has been replaced with a `ddwaf_object` containing an array of events in `ddwaf_result::events`.
+- The actions array has also been replaced by a `ddwaf_object` containing an array of strings.
+
+Finally it also introduces support for per-input transformers which, while not a breaking change, will also be explained here.
+
+### Ruleset Parsing diagnostics
+
+Before `1.11.0`, basic diagnostics were provided through the `ddwaf_ruleset_info` structure, with the following definition:
+
+```c
+struct _ddwaf_ruleset_info
+{
+    /** Number of rules successfully loaded **/
+    uint16_t loaded;
+    /** Number of rules which failed to parse **/
+    uint16_t failed;
+    /** Map from an error string to an array of all the rule ids for which
+     *  that error was raised. {error: [rule_ids]} **/
+    ddwaf_object errors;
+    /** Ruleset version **/
+    const char *version;
+};
+```
+In this definition, `ddwaf_ruleset_info::errors` was always a map containing errors as keys and an array of rule IDs as values; this field was used as a compressed view of the rules which couldn't be parsed and the relevant parsing errors, e.g.:
+
+```json
+"errors": {
+  "missing key 'type'": [
+    "blk-001-002"
+  ]
+}
+```
+With the introduction of exclusion filters, rule overrides, custom rules and, to a lesser extent, rule data, the current set of diagnostics was not enough to provide an accurate understanding of the parsing result. For this reason, the `ddwaf_ruleset_info` structure has been deprecated in favour of `ddwaf_object`. This object is now provided as a parameter to both `ddwaf_init` and `ddwaf_update`, and it should be allocated by the caller (e.g. stack-allocated as a local variable):
+```c
+ddwaf_handle ddwaf_init(const ddwaf_object *ruleset, const ddwaf_config* config, ddwaf_object *diagnostics);
+ddwaf_handle ddwaf_update(ddwaf_handle handle, const ddwaf_object *ruleset, ddwaf_object *diagnostics);
+```
+The use of a `ddwaf_object` instead of a dedicated structure has a number of advantages and disadvantages, however it allows us to add more diagnostics in a backwards-compatible manner, without breaking the ABI. This translates in having the ability to automatically provide diagnostics for new high-level features without breaking existing libraries. 
+
+The new diagnostics object is always a map containing the following:
+- A map per high-level feature parsed (e.g. rules, custom rules, exclusions, etc), with the same key as said high-level feature.
+- Other metadata if present in the ruleset, such as the ruleset version.
+
+Providing the WAF with a complete ruleset typically results in a `ddwaf_object` with the following contents:
+```json
+{
+  "custom_rules": {...},
+  "exclusions": {...},
+  "rules": {...},
+  "rules_data": {...},
+  "rules_override": {...},
+  "ruleset_version": "1.7.0"
+}
+```
+The definition of the map provided for each high-level feature is generic, the complete schema can be found [here](schema/diagnostics.json). The expected keys when the high-level feature couldn't be parsed are the following:
+- `error`: this key contains a string indicating the error which prevented the relevant top-level key from being parsed and will only be present in this situation. Since this key represents a critical parsing error, no other keys are provided when this one is present.
+
+An example ruleset in which the `rules_data` key had the wrong type could result in the following diagnostics:
+```json
+{
+  "rules_data": {
+    "error": "bad cast, expected 'array', obtained 'map'"
+  }
+}
+```
+The expected keys when the high-level feature was parsed successfully are the following:
+- `loaded`: the value associated with this key is always an array of IDs and represents those elements that were loaded successfully. If the relevant feature definition does not have an ID (e.g. rule overrides), it'll contain the index within the parsed array in the form `index:x` with `x` representing the numerical index. 
+- `failed`: the value provided with this key is exactly the same as with the `loaded` key, but these are instead elements which couldn't be loaded. If the relevant element or feature definition lacks an ID, the `index:x` format is used instead.
+- `errors`: for backwards compatibility, this key contains a compressed map of errors, each containing the list of IDs which failed with said error.
+
+An example ruleset with all valid entries could look as follows:
+```json
+{
+  "custom_rules": {
+    "loaded": [
+      "a45b55fc-5b57-4002-90bf-58cdf296124c"
+    ],
+    "failed": [],
+    "errors": {}
+  },
+  "rules_override": {
+    "loaded": [
+      "index:0",
+      "index:1"
+    ],
+    "failed": [],
+    "errors": {}
+  }
+}
+```
+An example ruleset with some invalid entries could look as follows:
+```json
+{
+  "exclusions": {
+    "loaded": [
+      "1d058b7b-9b35-4a01-9b60-74c9a2a3bd78",
+    ],
+    "failed": [
+      "index:2"
+    ],
+    "errors": {
+      "missing key 'id'": [
+        "index:2"
+      ]
+    }
+  },
+  "rules": {
+    "loaded": [
+      "blk-001-001"
+    ],
+    "failed": [
+      "blk-001-002"
+    ],
+    "errors": {
+      "missing key 'conditions'": [
+        "blk-001-002"
+      ]
+    }
+  },
+  "rules_override": {
+    "loaded": [
+      "index:1"
+    ],
+    "failed": [
+      "index:0"
+    ],
+    "errors": {
+      "invalid type 'map' for key 'rules_target', expected 'array'": [
+        "index:0"
+      ]
+    }
+  },
+  "ruleset_version": "1.7.0"
+}
+```
+Note that in this example, an exclusion filter lacking a valid ID was also represented using the `index:x` notation.
+
+### Adding diagnostics to the root span
+
+In previous versions of the WAF, each field of the `ddwaf_ruleset_info` structure was added to the root span either as a meta tag or a metric as shown in the example below:
+```cpp
+ddwaf_ruleset_info info;
+auto handle = ddwaf_init(rule, &config, &info);
+
+root_span.metrics["_dd.appsec.event_rules.loaded"] = info.loaded;
+root_span.metrics["_dd.appsec.event_rules.error_count"] = info.failed;
+root_span.meta["_dd.appsec.event_rules.errors"] = object_to_json(info.errors);
+root_span.meta["_dd.appsec.event_rules.version"] = info.version;   
+
+ddwaf_ruleset_info_free(&info);
+```
+While the new diagnostics provide much more information, for backwards compatibility, rule metrics and errors still need to be reported through the root span, the following example shows a simple mechanism to traverse the diagnostics object:
+
+```cpp
+ddwaf_object diagnostics;
+ddwaf_handle handle = ddwaf_init(&rule, nullptr, &diagnostics);
+ddwaf_object_free(&rule);
+ddwaf_destroy(handle);
+
+const auto *rules = find_object(&diagnostics, "rules");
+if (rules != nullptr) {
+    size_t index = 0;
+    const ddwaf_object *node = nullptr;
+    while ((node = ddwaf_object_get_index(rules, index++)) != nullptr) {
+        std::string_view node_key = ddwaf_object_get_key(node, nullptr);
+
+        if (node_key == "loaded") {
+            root_span.metrics["_dd.appsec.event_rules.loaded"] = ddwaf_object_size(node);
+        } else if (node_key =="failed") {
+            root_span.metrics["_dd.appsec.event_rules.error_count"] = ddwaf_object_size(node);
+        }  else if (node_key == "errors") {
+            root_span.meta["_dd.appsec.event_rules.errors"] = object_to_yaml(*node);
+        } else if (node_key == "ruleset_version") {
+            root_span.meta["_dd.appsec.event_rules.version"] = ddwaf_object_get_string(node, nullptr);
+        }
+    }
+}
+ddwaf_object_free(&diagnostics);
+```
+Note that it might also be prudent to check for the `error` key before attempting to traverse the map, as the relevant keys won't be available in such case.
+
+A suitable definition of `find_object` could be the following:
+```cpp
+const ddwaf_object *find_object(const ddwaf_object *map, std::string_view key) {
+    size_t index = 0;
+    const ddwaf_object *node = nullptr;
+    while ((node = ddwaf_object_get_index(map, index++)) != nullptr) {
+        std::string_view node_key = ddwaf_object_get_key(node, nullptr);
+        if (key == node_key) {
+            return node;
+        }
+    }
+    return nullptr;
+}
+```
+#### Events & actions as `ddwaf_object`
+
+The outcome of a WAF run is provided as part of the `ddwaf_result` structure, which before `1.11.0` had the following definition:
+
+```c
+struct _ddwaf_result
+{
+    /** Whether there has been a timeout during the operation **/
+    bool timeout;
+    /** Run result in JSON format **/
+    const char* data;
+    /** Actions array and its size **/
+    struct _ddwaf_result_actions {
+        char **array;
+        uint32_t size;
+    } actions;
+    /** Total WAF runtime in nanoseconds **/
+    uint64_t total_runtime;
+};
+```
+In particular, the `data` field was a JSON-serialized string containing an array of events. Unfortunately, since WAF users typically call the WAF multiple times within the same context, extracting a meaningful result requires stitching multiple JSON strings together. Similarly, truncating the resulting JSON array to comply with trace limits also requires deserializing, performing changes and reserialising. 
+
+To work around these problems, the new version of the WAF doesn't report events as a JSON string, but rather as a `ddwaf_object` containing an array of events, with exactly the same definition as the previously provided JSON string. This new object resides in `ddwaf_result::events` rather than `ddwaf_result::data`, as it signifies more clearly the purpose of the field.
+```c
+struct _ddwaf_result
+{
+    /** Whether there has been a timeout during the operation **/
+    bool timeout;
+    /** Array of events generated, this is guaranteed to be an array **/
+    ddwaf_object events;
+    /** Array of actions generated, this is guaranteed to be an array **/
+    ddwaf_object actions;
+    /** Total WAF runtime in nanoseconds **/
+    uint64_t total_runtime;
+};
+```
+With this new definition, the caller now has the responsibility of serializing events into JSON.
+
+Similarly, actions are now also a `ddwaf_object` instead of a struct representing an array. Iterating through the old structure could be done as follows:
+
+```c
+ddwaf_result res;
+for (unsigned i = 0; i < res.actions.size; ++i) {
+    printf("%s", res.actions.array[i]);
+}
+```
+The same can now be done as follows:
+```c
+ddwaf_result res;
+for (unsigned i = 0; i < ddwaf_object_size(&res.actions); ++i) {
+    const ddwaf_object *node = ddwaf_object_get_index(&res.actions, i);
+    printf("%s", ddwaf_object_get_string(node, nullptr));
+}
+```
+Finally, the events schema can be found [here](schema/events.json) and the actions schema can be found [here](schema/actions.json).
+#### Per-input transformers
+
+Rules provide a `transformers` key which represents a list of transformers which should be applied (in order) to each scalar before evaluating the operator. An example of a rule with transformers could be the following:
+```json
+{
+  "id": "crs-933-111",
+  "name": "PHP Injection Attack: PHP Script File Upload Found",
+  "tags": {...},
+  "conditions": [...],
+  "transformers": [
+    "lowercase"
+  ]
+},
+```
+Since the transformers are rule-local, they are applied to all inputs, potentially resulting in a performance impact, as well as limiting the ability of the rule writer to use more fine-grained transformers. 
+
+In `1.11.0`, transformers can be defined per input, for example:
+```json
+"inputs": [
+  {
+    "address": "server.request.headers.no_cookies",
+    "transformers": [
+      "lowercase",
+      "removeNulls"
+    ]
+  }
+]
+```
+The existence of a `transformers` key on an input, even if empty, completely overrides any available rule transformers. Conversely, the lack of a `transformers` key on an input results in the specific input inheriting the rule transformers.
+
+### Upgrading from `1.7.x` to `1.8.0`
+
+Version `1.8.0` introduces the WAF builder, a new module with the ability to generate a new WAF instance from an existing one. This new module works transparently through the `ddwaf_update` function, which allows the user to update one, some or all of the following:
+- The complete ruleset through the `rules` key.
+- The `on_match` or `enabled` field of specific rules through the `rules_override` key.
+- Exclusion filters through the `exclusions` key.
+- Rule data through the `rules_data` key.
+
+The WAF builder has a number of objectives:
+- Provide a mechanism to generate and update the WAF as needed.
+- Remove all existing mutexes.
+- Remove all side-effects on running contexts.
+- __Potentially__ provide efficiency gains: 
+  - Avoiding the need to parse a whole ruleset on every update.
+  - Reusing internal structures, objects and containers whenever possible.
+
+With the introduction of `ddwaf_update`, the following functions have been deprecated and removed:
+- `ddwaf_toggle_rules`
+- `ddwaf_update_rule_data`
+- `ddwaf_required_rule_data_ids`
+
+The first two functions have been removed due to the added complexity of supporting multiple interfaces with a similar outcome but different inputs. On the other hand, the last function was simply removed in favour of letting the WAF handle unexpected rule data IDs more gracefully, however this function can be reintroduced later if deemed necessary.
+
+Typically, the new interface will be used as follows on all instances:
+
+```c
+    ddwaf_handle old_handle = ddwaf_init(&ruleset, &config, &info);
+    ddwaf_object_free(&ruleset);
+
+    ddwaf_handle new_handle = ddwaf_update(old_handle, &update, &new_info);
+    ddwaf_object_free(&update);
+    if (new_handle != NULL) {
+        ddwaf_destroy(old_handle);
+    }
+```
+
+The `ddwaf_update` function returns a new `ddwaf_handle` which will be a valid pointer if the update succeeded, or `NULL` if there was nothing to update or there was an error. Creating contexts while calling `ddwaf_update` is, in theory, perfectly legal as well as destroying a handle while associated contexts are still in use, for example:
+
+```c
+    ddwaf_handle old_handle = ddwaf_init(&ruleset, &config, &info);
+    ddwaf_object_free(&rule);
+
+    ddwaf_context context = ddwaf_context_init(old_handle);
+
+    ddwaf_handle new_handle = ddwaf_update(old_handle, &new_ruleset, &new_info);
+    ddwaf_object_free(&new_rule);
+    if (new_handle != NULL) {
+        // Destroying the handle should not invalidate the context
+        ddwaf_destroy(old_handle);
+    }
+    
+    // Both the context and the handle are destroyed here
+    ddwaf_context_destroy(context);
+```
+Note that the `ddwaf_update` function also has an optional input parameter for the `ruleset_info` structure, this will only provide useful diagnostics when the update provided contains new rules (within the `rules` key), also note that the `ruleset_info` should either be a fresh new structure or the previously used after calling `ddwaf_ruleset_info_free`.
+
+Finally, you can call `ddwaf_init` with all previously mentioned keys, or a combination of them, however the `rules` key is mandatory. This does not apply to `ddwaf_update.
+
+### Notes on thread-safety
+
+The thread-safety of any operations on the handle depends on whether they act on the ruleset or the builder itself, generally:
+- Calling `ddwaf_update` concurrently, regardless of the handle, is never thread-safe.
+- Calling `ddwaf_context_init` concurrently on the same handle is thread-safe.
+- Calling `ddwaf_context_init` and `ddwaf_update` concurrently on the same handle is also thread-safe.
+
+## Upgrading from `1.6.x` to `1.7.0`
+
+There are no API changes in 1.7.0, however `ddwaf_handle` is now reference-counted and shared between the user and each `ddwaf_context`. This means that it is now possible to call `ddwaf_destroy` on a `ddwaf_handle` without invalidating any `ddwaf_context` in use instantiated from said `ddwaf_handle`. For example, the following snippet is now perfectly legal and will work as expected (note that any checks have been omitted for brevity):
+
+```c
+    ddwaf_handle handle = ddwaf_init(&rule, &config, NULL);
+    ddwaf_object_free(&rule);
+
+    ddwaf_context context = ddwaf_context_init(handle);
+
+    // Destroying the handle should not invalidate the context
+    ddwaf_destroy(handle);
+
+    ...
+
+    ddwaf_run(context, &parameter, NULL, LONG_TIME);
+
+    // Both the context and the handle are destroyed here
+    ddwaf_context_destroy(context);
+```
+
+To expand on the example above:
+- `ddwaf_destroy` only destroys the `ddwaf_handle` if there are no more references to it, otherwise it relinquishes ownership to the rest of the contexts.
+- If there is more than one valid context after the user calls `ddwaf_destroy`, each context will reduce the reference count on `ddwaf_context_destroy` until it reaches zero, at which point the `ddwaf_handle` will be freed.
+- Once the user calls `ddwaf_destroy` on the `ddwaf_handle`, their reference becomes invalid and no more operations can be performed on it, including instantiating further contexts.
+
+Note that this doesn't make `ddwaf_handle` universally thread-safe, for example, replacing an existing `ddwaf_handle` shared by multiple threads still requires synchronisation.
+
+## Upgrading from `v1.4.0` to `1.5.0`
+
+### Actions
+
+The introduction of actions within the ruleset, through the `on_match` array, provides a generic mechanism to signal the user what the expected outcome of a match should be. This information is now provided to the user through `ddwaf_result`, which now has the following definition:
+
+```c
+struct _ddwaf_result
+{
+    /** Whether there has been a timeout during the operation **/
+    bool timeout;
+    /** Run result in JSON format **/
+    const char* data;
+    /** Actions array and its size **/
+    struct {
+        char **array;
+        uint32_t size;
+    } actions;
+    /** Total WAF runtime in nanoseconds **/
+    uint64_t total_runtime;
+};
+```
+
+Actions are provided as a `char *` array containing `actions.size` items. This array is currently not null-terminated. The contents of this array and the array itself are also freed by `ddwaf_result_free`.
+
+#### Return codes
+
+As a consequence of the introduction of actions, return codes such as `DDWAF_MONITOR` or `DDWAF_BLOCK` are no longer meaningful, to address this:
+- `DDWAF_MONITOR` has now been renamed to `DDWAF_MATCH`, this lets the user know that `ddwaf_result` contains meaningful data and possibly actions while making no statement regarding what the user should do with it.
+- `DDWAF_BLOCK` has been removed.
+- As a slightly unnecessary bonus, `DDWAF_GOOD` has been renamed to `DDWAF_OK` as it is more common to use `OK` than `GOOD` in return codes.
+
+### Free function
+
+In previous versions, the context is initialised with a free function in order to prevent objects provided through `ddwaf_run` from being freed by the WAF itself. In practice, this free function is always the same so it's not very useful to provide it over and over. For that reason it has now been moved to `ddwaf_config`.
+
+As an example, in version `1.4.0`, the following code would provide `ddwaf_object_free` to the context during initialisation:
+
+```c
+ddwaf_config config{{0, 0, 0}, {NULL, NULL}};
+ddwaf_handle handle = ddwaf_init(&rule, &config, &info);
+...
+ddwaf_context context = ddwaf_context_init(handle, ddwaf_object_free);
+```
+
+In version `1.5.0-alpha0`, the free function should be provided within `ddwaf_config`:
+```c
+ddwaf_config config{{0, 0, 0}, {NULL, NULL}, ddwaf_object_free};
+ddwaf_handle handle = ddwaf_init(&rule, &config, &info);
+...
+ddwaf_context context = ddwaf_context_init(handle);
+```
+
+Alternatively, to completely disable the free function, it can be set to `NULL`:
+```c
+ddwaf_config config{{0, 0, 0}, {NULL, NULL}, NULL};
+ddwaf_handle handle = ddwaf_init(&rule, &config, &info);
+```
+
+**Note that if the configuration pointer to the WAF is `NULL`, the default free function (`ddwaf_object_free`) will be used:**
+```c
+ddwaf_handle handle = ddwaf_init(&rule, NULL, &info);
+```
+
+### Version
+
+In order to support version suffixes, such as `-alpha`, `-beta` or `-rc`, the `ddwaf_version` structure has been deprecated altogether. As a result `ddwaf_get_version` now returns a const string which should not be freed by the caller.
+
+To summarize, the following code snippet:
+
+```c
+ddwaf_version version;
+ddwaf_get_version(&version);
+printf("ddwaf version: %d.%d.%d\n", version.major, version.minor, version.patch);
+```
+
+Can now be rewritten as follows:
+
+```c
+printf("ddwaf version: %s\n", ddwaf_get_version());
+```
diff --git a/docs/upgrading/UPGRADING-v2.0.md b/docs/upgrading/UPGRADING-v2.0.md
new file mode 100644
index 000000000..ce1377bad
--- /dev/null
+++ b/docs/upgrading/UPGRADING-v2.0.md
@@ -0,0 +1,593 @@
+# Upgrading libddwaf
+
+The C API in libddwaf v2 has experienced a large number of changes, primarily around the creation and use of ddwaf_object. This guide aims to provide an overview of the changes required to upgrade from v1.x to v2.x; however it is recommended that the reader carefully read the [C API Reference](c-api/api.md) and [ddwaf.h](../../include/ddwaf.h).
+
+## Summary
+- Allocators have been introduced to all relevant API functions.
+- The layout of `ddwaf_object` has dramatically changed to reduce the amount of memory required for a single object, which now only requires 16 bytes.
+- Two new string types have been introduced:
+  - Small string: a string of 14 bytes or less, stored within the object memory itself without extra allocations.
+  - Literal string: a C string which should be treated as read-only and never freed.
+- Object creation, access and destruction functions have been changed significantly, primarily to avoid the need for intermediate objects and due to the introduction of allocators.
+- For consistency, `ddwaf_run` has been renamed to `ddwaf_context_eval`.
+- Subcontexts have been introduced to replace ephemerals, their lifecycle and use are equivalent to that of the context.
+- `ddwaf_config` has been removed:
+  - Evaluation limits have been entirely removed, the caller must now enforce any relevant limits during serialisation.
+  - Obfuscator regexes must now be provided through configuration: `{obfuscator: {key_regex: <value>, value_regex: <value>}}`.
+  - The free function is no longer needed due to the introduction of allocators.
+
+## Note on Allocators
+The ownership of any allocated memory crossing the API boundary was one of the pain points of libddwaf v1. To fix this, v2 introduces allocators, which can be used to define the explicit ownership of the allocated memory.
+
+Since the use of allocators is now required on many of the API functions, the migration examples will use the default allocator and will also include allocator destruction for illustrative purposes, as the destruction of the default allocator is a no-op.
+
+However, note that other allocators are also available. See the [allocators document](../allocators.md) for more information on the different types of allocators available.
+
+## 1. WAF instantiation: Removal of `ddwaf_config`
+
+The main changes pertaining to WAF initialisation are the removal of `ddwaf_config`, as the evaluation limits have been entirely removed, in favour of user-controlled truncation, the free function is no longer required due to the explicit memory ownership defined through allocators and the obfuscator is now configured through a configuration. As a consequence, instantiation through `ddwaf_init` has changed as follows:
+
+**v1.x:**
+```c
+ddwaf_object ruleset = ...;
+ddwaf_config config = ...;
+
+ddwaf_object diagnostics;
+ddwaf_handle handle = ddwaf_init(&ruleset, &config, &diagnostics);
+```
+
+**v2.x:**
+```c
+ddwaf_object ruleset = ...;
+
+ddwaf_object diagnostics;
+ddwaf_handle handle = ddwaf_init(&ruleset, &diagnostics);
+```
+When instantiating through the builder, the deprecation of `ddwaf_config` only affects `ddwaf_builder_init`.
+
+**v1.x:**
+```c
+ddwaf_config config = ...;
+ddwaf_builder builder = ddwaf_builder_init(&config);
+```
+
+**v2.x:**
+```c
+ddwaf_builder builder = ddwaf_builder_init();
+```
+
+### Obfuscator Configuration
+
+In v1.x, the obfuscator regexes were provided through `ddwaf_config`. In v2.x, the obfuscator must be configured through the builder by providing a configuration containing the `obfuscator` key. The configuration format is:
+
+```yaml
+obfuscator:
+  key_regex: "<regex>"    # Optional, defaults to built-in key regex
+  value_regex: "<regex>"  # Optional, defaults to built-in value regex
+```
+
+Both `key_regex` and `value_regex` are optional; if not provided, the built-in defaults are used.
+
+**v1.x:**
+```c
+ddwaf_config config;
+memset(&config, 0, sizeof(config));
+config.obfuscator.key_regex = "^password$";
+config.obfuscator.value_regex = "^secret_.*";
+
+ddwaf_handle handle = ddwaf_init(&ruleset, &config, &diagnostics);
+// or
+ddwaf_builder builder = ddwaf_builder_init(&config);
+```
+
+**v2.x:**
+```c
+ddwaf_builder builder = ddwaf_builder_init();
+
+// Create an obfuscator configuration
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+ddwaf_object obfuscator_config;
+ddwaf_object_set_map(&obfuscator_config, 1, alloc);
+
+ddwaf_object *obfuscator = ddwaf_object_insert_literal_key(
+    &obfuscator_config, "obfuscator", 10, alloc);
+ddwaf_object_set_map(obfuscator, 2, alloc);
+
+ddwaf_object_set_string_literal(
+    ddwaf_object_insert_literal_key(obfuscator, "key_regex", 9, alloc),
+    "^password$", 10);
+
+ddwaf_object_set_string_literal(
+    ddwaf_object_insert_literal_key(obfuscator, "value_regex", 11, alloc),
+    "^secret_.*", 10);
+
+// Add the obfuscator configuration to the builder
+ddwaf_object diagnostics;
+ddwaf_builder_add_or_update_config(builder,
+    "obfuscator/config", 17, &obfuscator_config, &diagnostics);
+
+ddwaf_object_destroy(&obfuscator_config, alloc);
+ddwaf_object_destroy(&diagnostics, ddwaf_get_default_allocator());
+```
+
+The obfuscator configuration can be provided as a standalone configuration or combined with other configurations (e.g., rules) in a single `ddwaf_builder_add_or_update_config` call.
+
+Note that the `diagnostics` object is allocated with the default allocator and must be destroyed as follows:
+
+```c
+ddwaf_object_destroy(&diagnostics, ddwaf_get_default_allocator());
+```
+This applies to both `ddwaf_init` and to relevant `ddwaf_builder_*` functions.
+
+## 2. WAF Context: Input & Output Allocators and Removal of Ephemerals
+
+The WAF context lifecycle functions have changed significantly in v2 with the introduction of allocators and subcontexts as a replacement for ephemerals. In v1.x, `ddwaf_run` accepted separate persistent and ephemeral data parameters, while v2.x no longer provides ephemeral semantics, therefore only persistent data is provided.
+
+### Context Initialisation
+
+During context initialisation, the caller must provide the output allocator which is used by the WAF to allocate memory for the result object, provided as an output parameter to `ddwaf_context_eval`. This allocator must remain valid for the lifetime of the context.
+
+**v1.x:**
+```c
+ddwaf_handle handle = ...;
+
+// Create context without allocator
+ddwaf_context context = ddwaf_context_init(handle);
+```
+
+**v2.x:**
+```c
+ddwaf_handle handle = ...;
+
+// Get allocator for output objects (result, diagnostics, etc.)
+ddwaf_allocator output_alloc = ddwaf_get_default_allocator();
+
+// Create context with output allocator
+ddwaf_context context = ddwaf_context_init(handle, output_alloc);
+```
+
+### Context Evaluation
+
+As mentioned, context evaluation no longer supports ephemeral data, consequently the main difference between v1.x and v2.x is the removal of `ddwaf_run`, which has been renamed to `ddwaf_context_eval`. Additionally, the allocator used to generate the input data must also be provided. Note that this allocator may be the same as the output allocator provided through `ddwaf_context_init` and it must also remain valid for the lifetime of the context.
+
+**v1.x:**
+```c
+ddwaf_object persistent_data = ...;
+ddwaf_object ephemeral_data = ...;
+ddwaf_object result;
+
+// Separate persistent and ephemeral parameters
+DDWAF_RET_CODE code = ddwaf_run(context, &persistent_data, &ephemeral_data, &result, timeout);
+
+// Process result
+if (code == DDWAF_MATCH) {
+    // Handle match...
+}
+
+// Free result (v1 used internal memory management)
+ddwaf_object_free(&result);
+```
+
+**v2.x:**
+```c
+ddwaf_allocator input_alloc = ddwaf_get_default_allocator();
+
+ddwaf_object data = ...;  // All data in single parameter
+ddwaf_object result;
+
+// Single data parameter, with allocator for input data
+DDWAF_RET_CODE code = ddwaf_context_eval(context, &data, input_alloc, &result, timeout);
+
+// Process result
+if (code == DDWAF_MATCH) {
+    // Handle match...
+}
+
+// Destroy result using the output allocator from ddwaf_context_init
+ddwaf_object_destroy(&result, output_alloc);
+```
+### Multiple Evaluations Example
+
+**v1.x:**
+```c
+ddwaf_context context = ddwaf_context_init(handle);
+
+// First evaluation with persistent data
+ddwaf_object persistent = ...;
+ddwaf_object result1;
+ddwaf_run(context, &persistent, NULL, &result1, timeout);
+ddwaf_object_free(&result1);
+
+// Second evaluation - persistent data still available
+ddwaf_object more_data = ...;
+ddwaf_object result2;
+ddwaf_run(context, &more_data, NULL, &result2, timeout);
+ddwaf_object_free(&result2);
+```
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+ddwaf_context context = ddwaf_context_init(handle, alloc);
+
+// First evaluation
+ddwaf_object data1 = ...;
+ddwaf_object result1;
+ddwaf_context_eval(context, &data1, alloc, &result1, timeout);
+ddwaf_object_destroy(&result1, alloc);
+
+// Second evaluation - data1 persists automatically
+ddwaf_object data2 = ...;
+ddwaf_object result2;
+ddwaf_context_eval(context, &data2, alloc, &result2, timeout);
+ddwaf_object_destroy(&result2, alloc);
+
+// Both data1 and data2 are available for evaluation
+```
+
+## 3. WAF Subcontext: Replacement of Ephemerals
+
+Subcontexts are the v2 replacement for ephemeral data. In v1.x, ephemeral data was passed separately to `ddwaf_run()` and was not stored in the context. In v2.x, subcontexts inherit all persistent data from their parent context but can be evaluated with data that doesn't persist beyond the subcontext's lifetime.
+
+Note that in the current version, any context-related side-effects within the subcontext are not visible within the parent context.
+
+**v1.x:**
+```c
+ddwaf_context context = ddwaf_context_init(handle);
+
+// Store persistent data
+ddwaf_object persistent = ...;
+ddwaf_object result1;
+ddwaf_run(context, &persistent, NULL, &result1, timeout);
+ddwaf_object_free(&result1);
+
+// Evaluate with ephemeral data
+ddwaf_object ephemeral = ...;
+ddwaf_object result2;
+ddwaf_run(context, NULL, &ephemeral, &result2, timeout);
+ddwaf_object_free(&result2);
+
+// Ephemeral data is NOT stored, persistent data remains
+```
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+ddwaf_context context = ddwaf_context_init(handle, alloc);
+
+// Store persistent data in context
+ddwaf_object persistent = ...;
+ddwaf_object result1;
+ddwaf_context_eval(context, &persistent, alloc, &result1, timeout);
+ddwaf_object_destroy(&result1, alloc);
+
+// Create subcontext for ephemeral evaluation
+ddwaf_subcontext subctx = ddwaf_subcontext_init(context);
+
+// Evaluate with "ephemeral" data (inherits persistent data from parent)
+ddwaf_object ephemeral = ...;
+ddwaf_object result2;
+ddwaf_subcontext_eval(subctx, &ephemeral, alloc, &result2, timeout);
+ddwaf_object_destroy(&result2, alloc);
+
+// Clean up subcontext
+ddwaf_subcontext_destroy(subctx);
+
+// No side-effects are visible to the context
+```
+
+### Subcontext Lifecycle
+
+The subcontext follows the same lifecycle pattern as the context:
+
+1. **Initialize**: `ddwaf_subcontext_init(context)` - Creates a subcontext from parent.
+2. **Evaluate**: `ddwaf_subcontext_eval(subctx, data, alloc, result, timeout)` - Evaluates data which must be valid during the lifecycle of the subcontext.
+3. **Destroy**: `ddwaf_subcontext_destroy(subctx)` - Cleans up subcontext.
+
+Note that the subcontext inherits the output allocator of the parent context.
+
+### Multiple Subcontexts
+
+Multiple concurrent subcontexts may also be created from the same parent context, each of which defines the scope and lifecycle of the provided data:
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+ddwaf_context context = ddwaf_context_init(handle, alloc);
+
+// Store persistent data
+ddwaf_object persistent = ...;
+ddwaf_context_eval(context, &persistent, alloc, NULL, timeout);
+
+// First subcontext with ephemeral data
+ddwaf_subcontext subctx1 = ddwaf_subcontext_init(context);
+ddwaf_object ephemeral1 = ...;
+ddwaf_object result1;
+ddwaf_subcontext_eval(subctx1, &ephemeral1, alloc, &result1, timeout);
+ddwaf_object_destroy(&result1, alloc);
+ddwaf_subcontext_destroy(subctx1);
+
+// Second subcontext with different ephemeral data
+ddwaf_subcontext subctx2 = ddwaf_subcontext_init(context);
+ddwaf_object ephemeral2 = ...;
+ddwaf_object result2;
+ddwaf_subcontext_eval(subctx2, &ephemeral2, alloc, &result2, timeout);
+ddwaf_object_destroy(&result2, alloc);
+ddwaf_subcontext_destroy(subctx2);
+
+// Both subcontexts inherited persistent data, but had independent ephemeral data
+```
+
+## 4. Object Creation: New API & Allocator support
+
+The object creation API has changed extensively in v2 to support allocators and reduce memory overhead. All object creation functions now use the `ddwaf_object_set_*` naming pattern, and most require an allocator parameter.
+
+### String Creation
+
+The creation of a string object typically involves an allocation, therefore the allocator parameter is now required. Additionally, the string length is now always required to avoid potential issues with NUL characters.
+
+**v1.x:**
+```c
+// Create string object (library allocates and copies)
+ddwaf_object obj;
+ddwaf_object_stringl(&obj, "hello world", 11);
+
+// Free object
+ddwaf_object_free(&obj);
+```
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+
+// Create string object with allocator
+ddwaf_object obj;
+ddwaf_object_set_string(&obj, "hello world", 11, alloc);
+
+// Destroy object with allocator
+ddwaf_object_destroy(&obj, alloc);
+```
+
+**Note**: Small strings (14 bytes or less) are automatically stored inline within the object itself without additional allocation.
+
+#### Literal Strings
+
+To address some existing use cases, v2 introduces a new literal string type which, upon destruction, never frees the associated buffer. This makes it easier to provide literals or interned strings as part of an object. The associated memory must be managed by the caller:
+
+```c
+ddwaf_object obj;
+
+// String literal - no allocation, no copy
+ddwaf_object_set_string_literal(&obj, "constant string", 15);
+```
+
+#### No-Copy Strings
+
+It is still possible to create freeable strings by providing a pre-allocated/pre-initialised buffer, however note that the memory of the provided buffer must have been allocated with the same allocator used for object destruction, e.g. using `ddwaf_allocator_alloc`.
+
+```c
+ddwaf_object obj;
+
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+
+// Pre-allocated and pre-initialised
+char *str = (char*)ddwaf_allocator_alloc(alloc, 16, 1);
+memcpy(str, "constant string", sizeof("constant string"));
+
+// No-copy string - no allocation, no copy
+ddwaf_object_set_string_nocopy(&obj, str, strlen(str));
+
+// Destroy using the correct allocator
+ddwaf_object_destroy(&obj, alloc);
+```
+
+### Numeric Types
+
+**v1.x:**
+```c
+ddwaf_object obj;
+ddwaf_object_unsigned(&obj, 42);
+```
+
+**v2.x:**
+```c
+ddwaf_object obj;
+ddwaf_object_set_unsigned(&obj, 42);  // No allocator needed for numeric types
+```
+
+The same pattern applies to other numeric types:
+- `ddwaf_object_signed()` → `ddwaf_object_set_signed()`
+- `ddwaf_object_bool()` → `ddwaf_object_set_bool()`
+- `ddwaf_object_float()` → `ddwaf_object_set_float()`
+
+
+### Array Creation and Insertion
+
+The array creation now requires both the expected size of the array (which may be 0) and a suitable allocator. Note that if the size of the array is incorrect, the container will still grow dynamically.
+
+Additionally, the insertion API has changed to return a pointer to the inserted value, eliminating the need for intermediate objects.
+
+**v1.x:**
+```c
+ddwaf_object array;
+ddwaf_object_array(&array);
+
+// Create value objects and add to array
+ddwaf_object elem1;
+ddwaf_object_string(&elem1, "first");
+ddwaf_object_array_add(&array, &elem1);
+
+ddwaf_object elem2;
+ddwaf_object_string(&elem2, "second");
+ddwaf_object_array_add(&array, &elem2);
+
+ddwaf_object_free(&array);
+```
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+
+ddwaf_object array;
+ddwaf_object_set_array(&array, 2, alloc);  // Initialize with capacity
+
+// Insert and set value in one step
+ddwaf_object_set_string(
+    ddwaf_object_insert(&array, alloc),
+    "first", 5, alloc);
+
+ddwaf_object_set_string(
+    ddwaf_object_insert(&array, alloc),
+    "second", 6, alloc);
+
+ddwaf_object_destroy(&array, alloc);
+```
+
+
+### Map Creation and Insertion
+
+The map creation now requires both the expected size of the map (which may be 0) and a suitable allocator. Note that if the size of the map is incorrect, the container will still grow dynamically.
+
+Additionally, the insertion API has changed to return a pointer to the inserted value, eliminating the need for intermediate objects.
+
+**v1.x:**
+```c
+ddwaf_object map;
+ddwaf_object_map(&map);
+
+// Create value object, then add to map
+ddwaf_object value;
+ddwaf_object_string(&value, "username");
+ddwaf_object_map_addl(&map, "user", 4, &value);
+
+// Create another value and add
+ddwaf_object value2;
+ddwaf_object_unsigned(&value2, 12345);
+ddwaf_object_map_addl(&map, "user_id", 7, &value2);
+
+ddwaf_object_free(&map);
+```
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+
+ddwaf_object map;
+ddwaf_object_set_map(&map, 2, alloc);  // Initialize with capacity
+
+// Insert key and get pointer to value, then set value directly
+ddwaf_object_set_string(
+    ddwaf_object_insert_key(&map, "user", 4, alloc),
+    "username", 8, alloc);
+
+// Insert another key-value pair
+ddwaf_object_set_unsigned(
+    ddwaf_object_insert_key(&map, "user_id", 7, alloc),
+    12345);
+
+ddwaf_object_destroy(&map, alloc);
+```
+#### Insertion Variants
+
+To cover different allocation and/or string management strategies, v2 provides multiple insertion functions for different use cases:
+
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+ddwaf_object map;
+ddwaf_object_set_map(&map, 3, alloc);
+
+// Standard: copies the key string
+ddwaf_object *val1 = ddwaf_object_insert_key(&map, "key1", 4, alloc);
+ddwaf_object_set_string(val1, "value1", 6, alloc);
+
+// Literal: key is read-only, not copied
+ddwaf_object *val2 = ddwaf_object_insert_literal_key(&map, "key2", 4, alloc);
+ddwaf_object_set_string(val2, "value2", 6, alloc);
+
+// No-copy: key is externally managed (must be allocated with same allocator)
+char *external_key = (char*)ddwaf_allocator_alloc(alloc, 5, 1);
+memcpy(external_key, "key3", 5);
+ddwaf_object *val3 = ddwaf_object_insert_key_nocopy(&map, external_key, 4, alloc);
+ddwaf_object_set_string(val3, "value3", 6, alloc);
+
+ddwaf_object_destroy(&map, alloc);
+```
+
+### Getter Functions
+
+Object getter functions have been renamed for consistency:
+
+**v1.x:**
+```c
+DDWAF_OBJ_TYPE type = ddwaf_object_type(&obj);
+const char *str = ddwaf_object_get_string(&obj, &length);
+uint64_t num = ddwaf_object_get_unsigned(&obj);
+```
+
+**v2.x:**
+```c
+DDWAF_OBJ_TYPE type = ddwaf_object_get_type(&obj);  // Renamed from ddwaf_object_type
+const char *str = ddwaf_object_get_string(&obj, &length);  // Unchanged
+uint64_t num = ddwaf_object_get_unsigned(&obj);  // Unchanged
+```
+
+The same pattern applies to all other getters.
+
+### JSON Parsing
+
+If you use `ddwaf_object_from_json()`, it now takes an allocator and the resulting object must be destroyed with the same allocator:
+
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+ddwaf_object obj;
+
+if (ddwaf_object_from_json(&obj, json, json_len, alloc)) {
+    // use obj
+    ddwaf_object_destroy(&obj, alloc);
+}
+```
+
+### Complete Example: Building Request Data
+
+**v1.x:**
+```c
+// Build a request data structure
+ddwaf_object root;
+ddwaf_object_map(&root);
+
+ddwaf_object headers;
+ddwaf_object_map(&headers);
+ddwaf_object header_val;
+ddwaf_object_string(&header_val, "application/json");
+ddwaf_object_map_addl(&headers, "content-type", 12, &header_val);
+ddwaf_object_map_addl(&root, "headers", 7, &headers);
+
+ddwaf_object method;
+ddwaf_object_string(&method, "POST");
+ddwaf_object_map_addl(&root, "method", 6, &method);
+
+ddwaf_object_free(&root);
+```
+
+**v2.x:**
+```c
+ddwaf_allocator alloc = ddwaf_get_default_allocator();
+
+// Build a request data structure
+ddwaf_object root;
+ddwaf_object_set_map(&root, 2, alloc);
+
+// Create nested headers map
+ddwaf_object *headers = ddwaf_object_insert_key(&root, "headers", 7, alloc);
+ddwaf_object_set_map(headers, 1, alloc);
+ddwaf_object_set_string(
+    ddwaf_object_insert_key(headers, "content-type", 12, alloc),
+    "application/json", 16, alloc);
+
+// Add method
+ddwaf_object_set_string(
+    ddwaf_object_insert_key(&root, "method", 6, alloc),
+    "POST", 4, alloc);
+
+ddwaf_object_destroy(&root, alloc);
+```
diff --git a/examples/example.cpp b/examples/example.cpp
index 85492fcfa..59804065e 100644
--- a/examples/example.cpp
+++ b/examples/example.cpp
@@ -205,8 +205,21 @@ int main()
     YAML::Node doc = YAML::Load(waf_rule.data());
 
     auto rule = doc.as<ddwaf_object>();
-    ddwaf_handle handle = ddwaf_init(&rule, nullptr);
+
+    ddwaf_builder builder = ddwaf_builder_init();
+    ddwaf_object diagnostics;
+    bool success = ddwaf_builder_add_or_update_config(builder, "config", 6, &rule, &diagnostics);
     ddwaf_object_destroy(&rule, alloc);
+    ddwaf_object_destroy(&diagnostics, alloc);
+
+    if (!success) {
+        ddwaf_builder_destroy(builder);
+        return EXIT_FAILURE;
+    }
+
+    ddwaf_handle handle = ddwaf_builder_build_instance(builder);
+    ddwaf_builder_destroy(builder);
+
     if (handle == nullptr) {
         return EXIT_FAILURE;
     }
diff --git a/include/ddwaf.h b/include/ddwaf.h
index 9c124640e..043d21d29 100644
--- a/include/ddwaf.h
+++ b/include/ddwaf.h
@@ -41,26 +41,27 @@ extern "C"
  **/
 typedef enum
 {
+    /** Unkmown or uninitialised type **/
     DDWAF_OBJ_INVALID  = 0,
-    // Null type, only used for its semantical value
+    /** Null type, only used for its semantical value **/
     DDWAF_OBJ_NULL     = 0x01,
-    // Boolean type
+    /** Boolean type **/
     DDWAF_OBJ_BOOL     = 0x02,
-    // 64-bit signed integer type
+    /** 64-bit signed integer type **/
     DDWAF_OBJ_SIGNED   = 0x04,
-    // 64-bit unsigned integer type
+    /** 64-bit unsigned integer type **/
     DDWAF_OBJ_UNSIGNED = 0x06,
-    // 64-bit float (or double) type
+    /** 64-bit float (or double) type **/
     DDWAF_OBJ_FLOAT    = 0x08,
-    // Dynamic UTF-8 string of up to max(uint16) length
+    /** Dynamic UTF-8 string of up to max(uint32) length **/
     DDWAF_OBJ_STRING   = 0x10,
-    // Literal UTF-8 string of up to max(uint32) length, these are never freed
+    /** Literal UTF-8 string of up to max(uint32) length, these are never freed **/
     DDWAF_OBJ_LITERAL_STRING   = 0x12,
-    // UTF-8 string of up to 14 bytes in length
+    /** UTF-8 string of up to 14 bytes in length **/
     DDWAF_OBJ_SMALL_STRING   = 0x14,
-    // Array of ddwaf_object of length nbEntries, each item having no parameterName
+    /** Array of ddwaf_object, up to max(uint16) capacity **/
     DDWAF_OBJ_ARRAY    = 0x20,
-    // Array of ddwaf_object of length nbEntries, each item having a parameterName
+    /** Array of ddwaf_object_kv, up to max(uint16) capacity **/
     DDWAF_OBJ_MAP      = 0x40,
 } DDWAF_OBJ_TYPE;
 
@@ -71,10 +72,15 @@ typedef enum
  **/
 typedef enum
 {
+    /** Unknown error, typically due to an unexpected exception **/
     DDWAF_ERR_INTERNAL          = -3,
+    /** The provided data object didn't match the expected schema **/
     DDWAF_ERR_INVALID_OBJECT    = -2,
+    /** One or more of the provided arguments to a function is invalid **/
     DDWAF_ERR_INVALID_ARGUMENT  = -1,
+    /** The data evaluation didn't yield any events, attributes, etc **/
     DDWAF_OK                    = 0,
+    /** The data evaluation resulted in an event, attribute, etc **/
     DDWAF_MATCH                 = 1,
 } DDWAF_RET_CODE;
 
@@ -85,12 +91,18 @@ typedef enum
  **/
 typedef enum
 {
-    DDWAF_LOG_TRACE,
-    DDWAF_LOG_DEBUG,
-    DDWAF_LOG_INFO,
-    DDWAF_LOG_WARN,
-    DDWAF_LOG_ERROR,
-    DDWAF_LOG_OFF,
+    /** Finest-grained logging for detailed tracing */
+    DDWAF_LOG_TRACE = 0,
+    /** Debugging information for development */
+    DDWAF_LOG_DEBUG = 1,
+    /** General informational messages */
+    DDWAF_LOG_INFO = 2,
+    /** Warning messages for potential issues */
+    DDWAF_LOG_WARN = 3,
+    /** Error messages for failures */
+    DDWAF_LOG_ERROR = 4,
+    /** Disable all logging */
+    DDWAF_LOG_OFF = 5,
 } DDWAF_LOG_LEVEL;
 
 #ifndef __cplusplus
@@ -106,8 +118,7 @@ typedef void (ddwaf_udata_free_fn_type)(void *);
 #endif
 
 typedef union _ddwaf_object ddwaf_object;
-
-struct _ddwaf_object_kv;
+typedef struct _ddwaf_object_kv ddwaf_object_kv;
 
 struct _ddwaf_object_bool {
     uint8_t type;
@@ -196,7 +207,7 @@ static_assert(sizeof(struct _ddwaf_object_kv) == 32);
 /**
  * @typedef ddwaf_log_cb
  *
- * Callback that powerwaf will call to relay messages to the binding.
+ * Callback that libddwaf will call to relay messages to the binding.
  *
  * @param level The logging level.
  * @param function The native function that emitted the message. (nonnull)
@@ -210,8 +221,6 @@ typedef void (*ddwaf_log_cb)(
     const char* message, uint64_t message_len);
 
 /**
- * ddwaf_init
- *
  * Initialize a ddwaf instance
  *
  * @param ruleset ddwaf::object map containing rules, exclusions, rules_override and rules_data. (nonnull)
@@ -226,8 +235,6 @@ typedef void (*ddwaf_log_cb)(
 ddwaf_handle ddwaf_init(const ddwaf_object *ruleset,  ddwaf_object *diagnostics);
 
 /**
- * ddwaf_destroy
- *
  * Destroy a WAF instance.
  *
  * @param handle Handle to the WAF instance.
@@ -235,8 +242,6 @@ ddwaf_handle ddwaf_init(const ddwaf_object *ruleset,  ddwaf_object *diagnostics)
 void ddwaf_destroy(ddwaf_handle handle);
 
 /**
- * ddwaf_known_addresses
- *
  * Get an array of known (root) addresses used by rules, exclusion filters and
  * processors. This array contains both required and optional addresses. A more
  * accurate distinction between required and optional addresses is provided
@@ -255,8 +260,6 @@ void ddwaf_destroy(ddwaf_handle handle);
  **/
 const char* const* ddwaf_known_addresses(const ddwaf_handle handle, uint32_t *size);
 /**
- * ddwaf_known_actions
- *
  * Get an array of all the action types which could be triggered as a result of
  * the current set of rules and exclusion filters.
  *
@@ -273,12 +276,10 @@ const char* const* ddwaf_known_addresses(const ddwaf_handle handle, uint32_t *si
  **/
 const char *const *ddwaf_known_actions(const ddwaf_handle handle, uint32_t *size);
 /**
- * ddwaf_context_init
- *
  * Context object to perform matching using the provided WAF instance.
  *
  * @param handle Handle of the WAF instance containing the ruleset definition. (nonnull)
- * @param output Allocator used to serve output objects created during evaluation (nonnull)
+ * @param output_alloc Allocator used to serve output objects created during evaluation (nonnull)
 
  * @return Handle to the context instance.
  *
@@ -287,8 +288,6 @@ const char *const *ddwaf_known_actions(const ddwaf_handle handle, uint32_t *size
 ddwaf_context ddwaf_context_init(const ddwaf_handle handle, ddwaf_allocator output_alloc);
 
 /**
- * ddwaf_context_eval
- *
  * Perform a matching operation on the provided data
  *
  * @param context WAF context to be used in this run, this will determine the
@@ -310,7 +309,7 @@ ddwaf_context ddwaf_context_init(const ddwaf_handle handle, ddwaf_allocator outp
  * @param result (nullable) Object map containing the following items:
  *               - events: an array of the generated events.
  *               - actions: a map of the generated actions in the format:
- *                          {action type: { <parameter map> }, ...}
+ *                          "{action type: { <parameter map> }, ...}"
  *               - duration: an unsigned specifying the total runtime of the
  *                           call in nanoseconds.
  *               - timeout: whether there has been a timeout during the call.
@@ -318,21 +317,23 @@ ddwaf_context ddwaf_context_init(const ddwaf_handle handle, ddwaf_allocator outp
  *                             format: {tag, value}
  *               - keep: whether the data contained herein must override any
  *                       transport sampling through the relevant mechanism.
- *               This structure must be freed by the caller and will contain all
- *               specified keys when the value returned by ddwaf_context_eval is either
- *               DDWAF_OK or DDWAF_MATCH and will be empty otherwise.
+ *               This structure must be freed by the caller using the output
+ *               allocator provided through ddwaf_context_init. The object will
+ *               contain all specified keys when the value returned by
+ *               ddwaf_context_eval is either DDWAF_OK or DDWAF_MATCH and will
+ *               be empty otherwise.
  *               IMPORTANT: This object is not allocated with the allocator
  *               passed in this call. It uses the allocator given to
  *               ddwaf_context_init instead.
  * @param timeout Maximum time budget in microseconds.
  *
  * @return Return code of the operation.
- * @error DDWAF_ERR_INVALID_ARGUMENT The context is invalid, the data will not
+ * @retval DDWAF_ERR_INVALID_ARGUMENT The context is invalid, the data will not
  *                                   be freed.
- * @error DDWAF_ERR_INVALID_OBJECT The data provided didn't match the desired
+ * @retval DDWAF_ERR_INVALID_OBJECT The data provided didn't match the desired
  *                                 structure or contained invalid objects, the
  *                                 data will be freed by this function.
- * @error DDWAF_ERR_INTERNAL There was an unexpected error and the operation did
+ * @retval DDWAF_ERR_INTERNAL There was an unexpected error and the operation did
  *                           not succeed. The state of the WAF is undefined if
  *                           this error is produced and the ownership of the
  *                           data is unknown. The result structure will not be
@@ -349,29 +350,23 @@ DDWAF_RET_CODE ddwaf_context_eval(ddwaf_context context, ddwaf_object *data,
     ddwaf_allocator alloc, ddwaf_object *result,  uint64_t timeout);
 
 /**
- * ddwaf_context_destroy
- *
  * Performs the destruction of the context, freeing the data passed to it through
- * ddwaf_context_eval using the used-defined free function.
+ * ddwaf_context_eval using the provided allocator during evaluation.
  *
  * @param context Context to destroy. (nonnull)
  **/
 void ddwaf_context_destroy(ddwaf_context context);
 
 /**
- * ddwaf_subcontext_init
- *
  * Subcontext object to perform matching using the provided WAF instance.
  *
- * @param conext Context from which to derive this subcontext. (nonnull)
+ * @param context Context from which to derive this subcontext. (nonnull)
 
  * @return Handle to the subcontext instance.
  **/
 ddwaf_subcontext ddwaf_subcontext_init(ddwaf_context context);
 
 /**
- * ddwaf_subcontext_eval
- *
  * Perform a matching operation on the provided data
  *
  * @param subcontext WAF subcontext to be used in this run, this will determine
@@ -392,7 +387,7 @@ ddwaf_subcontext ddwaf_subcontext_init(ddwaf_context context);
  * @param result (nullable) Object map containing the following items:
  *               - events: an array of the generated events.
  *               - actions: a map of the generated actions in the format:
- *                          {action type: { <parameter map> }, ...}
+ *                          "{action type: { <parameter map> }, ...}"
  *               - duration: an unsigned specifying the total runtime of the
  *                           call in nanoseconds.
  *               - timeout: whether there has been a timeout during the call.
@@ -401,20 +396,20 @@ ddwaf_subcontext ddwaf_subcontext_init(ddwaf_context context);
  *               - keep: whether the data contained herein must override any
  *                       transport sampling through the relevant mechanism.
  *               This structure must be freed by the caller and will contain all
- *               specified keys when the value returned by ddwaf_subcontext_eval is either
- *               DDWAF_OK or DDWAF_MATCH and will be empty otherwise.
+ *               specified keys when the value returned by ddwaf_subcontext_eval
+ *               is either DDWAF_OK or DDWAF_MATCH and will be empty otherwise.
  *               IMPORTANT: This object is not allocated with the allocator
  *               passed in this call. It uses the allocator given to
  *               ddwaf_context_init instead.
  * @param timeout Maximum time budget in microseconds.
  *
  * @return Return code of the operation.
- * @error DDWAF_ERR_INVALID_ARGUMENT The subcontext is invalid, the data will not
+ * @retval DDWAF_ERR_INVALID_ARGUMENT The subcontext is invalid, the data will not
  *                                   be freed.
- * @error DDWAF_ERR_INVALID_OBJECT The data provided didn't match the desired
+ * @retval DDWAF_ERR_INVALID_OBJECT The data provided didn't match the desired
  *                                 structure or contained invalid objects, the
  *                                 data will be freed by this function.
- * @error DDWAF_ERR_INTERNAL There was an unexpected error and the operation did
+ * @retval DDWAF_ERR_INTERNAL There was an unexpected error and the operation did
  *                           not succeed. The state of the WAF is undefined if
  *                           this error is produced and the ownership of the
  *                           data is unknown. The result structure will not be
@@ -431,8 +426,6 @@ DDWAF_RET_CODE ddwaf_subcontext_eval(ddwaf_subcontext subcontext, ddwaf_object *
     ddwaf_allocator alloc, ddwaf_object *result,  uint64_t timeout);
 
 /**
- * ddwaf_subcontext_destroy
- *
  * Performs the destruction of the subcontext, freeing the data passed to it through
  * ddwaf_subcontext_eval using the used-defined allocator.
  *
@@ -442,8 +435,6 @@ void ddwaf_subcontext_destroy(ddwaf_subcontext subcontext);
 
 
 /**
- * ddwaf_builder_init
- *
  * Initialize an instace of the waf builder.
  *
  * @return Handle to the builer instance or NULL on error.
@@ -453,8 +444,6 @@ void ddwaf_subcontext_destroy(ddwaf_subcontext subcontext);
 ddwaf_builder ddwaf_builder_init();
 
 /**
- * ddwaf_builder_add_or_update_config
- *
  * Adds or updates a configuration based on the given path, which must be a unique
  * identifier for the provided configuration.
  *
@@ -468,13 +457,12 @@ ddwaf_builder ddwaf_builder_init();
  *
  * @note if any of the arguments are NULL, the diagnostics object will not be initialised.
  * @note The memory associated with the path, config and diagnostics must be freed by the caller.
+ * @note The deallocation of the diagnostics must be made with default allocator.
  * @note This function is not thread-safe.
  **/
 bool ddwaf_builder_add_or_update_config(ddwaf_builder builder, const char *path, uint32_t path_len, const ddwaf_object *config, ddwaf_object *diagnostics);
 
 /**
- * ddwaf_builder_remove_config
- *
  * Removes a configuration based on the provided path.
  *
  * @param builder Builder to perform the operation on. (nonnull)
@@ -489,8 +477,6 @@ bool ddwaf_builder_add_or_update_config(ddwaf_builder builder, const char *path,
 bool ddwaf_builder_remove_config(ddwaf_builder builder, const char *path, uint32_t path_len);
 
 /**
- * ddwaf_builder_build_instance
- *
  * Builds a ddwaf instance based on the current set of configurations.
  *
  * @param builder Builder to perform the operation on. (nonnull)
@@ -502,8 +488,6 @@ bool ddwaf_builder_remove_config(ddwaf_builder builder, const char *path, uint32
 ddwaf_handle ddwaf_builder_build_instance(ddwaf_builder builder);
 
 /**
- * ddwaf_builder_get_config_paths
- *
  * Provides an array of the currently loaded paths, optionally matching the
  * regex provided in filter. In addition, the count is provided as the return
  * value, allowing paths to be nullptr.
@@ -526,8 +510,6 @@ ddwaf_handle ddwaf_builder_build_instance(ddwaf_builder builder);
 uint32_t ddwaf_builder_get_config_paths(ddwaf_builder builder, ddwaf_object *paths, const char *filter, uint32_t filter_len);
 
 /**
- * ddwaf_builder_destroy
- *
  * Destroy an instance of the builder.
  *
  * @param builder Builder to perform the operation on. (nonnull)
@@ -535,8 +517,6 @@ uint32_t ddwaf_builder_get_config_paths(ddwaf_builder builder, ddwaf_object *pat
 void ddwaf_builder_destroy(ddwaf_builder builder);
 
 /**
- * ddwaf_get_default_allocator
- *
  * Returns the default allocator used by the library.
  *
  * @return Allocator handle.
@@ -544,8 +524,6 @@ void ddwaf_builder_destroy(ddwaf_builder builder);
 ddwaf_allocator ddwaf_get_default_allocator();
 
 /**
- * ddwaf_synchronized_pool_allocator_init
- *
  * Creates a thread-safe pool allocator. Allocations are served from internal
  * pools sized by block class to reduce fragmentation and allocator overhead;
  * memory freed via the corresponding ddwaf APIs is returned to the pools for
@@ -560,8 +538,6 @@ ddwaf_allocator ddwaf_get_default_allocator();
 ddwaf_allocator ddwaf_synchronized_pool_allocator_init();
 
 /**
- * ddwaf_unsynchronized_pool_allocator_init
- *
  * Creates a pool allocator without internal synchronization. It provides the
  * same pooling characteristics as the synchronized variant but with lower
  * overhead. This allocator must not be used concurrently from multiple threads
@@ -576,8 +552,6 @@ ddwaf_allocator ddwaf_synchronized_pool_allocator_init();
 ddwaf_allocator ddwaf_unsynchronized_pool_allocator_init();
 
 /**
- * ddwaf_monotonic_allocator_init
- *
  * Creates a monotonic (growing) allocator. Allocations are fast and never freed
  * individually; all memory is reclaimed only when the allocator is destroyed.
  * This allocator must not be used concurrently from multiple threads unless
@@ -594,8 +568,6 @@ ddwaf_allocator ddwaf_unsynchronized_pool_allocator_init();
 ddwaf_allocator ddwaf_monotonic_allocator_init();
 
 /**
- * ddwaf_user_allocator_init
- *
  * Creates an allocator that forwards allocation and deallocation to user
  * provided callbacks.
  *
@@ -607,14 +579,15 @@ ddwaf_allocator ddwaf_monotonic_allocator_init();
  *        able to free any pointer previously returned by `alloc_fn`. (nonnull)
  * @param udata Opaque user pointer forwarded to both callbacks; can be used to
  *        carry custom state. (nullable)
+ * @param udata_free_fn User data destruction callback, used to perform any
+ *        relevant destruction and reclamation operations on the provided user
+ *        data.
  *
  * @return Allocator handle.
  **/
 ddwaf_allocator ddwaf_user_allocator_init(ddwaf_alloc_fn_type alloc_fn, ddwaf_free_fn_type free_fn, void *udata, ddwaf_udata_free_fn_type udata_free_fn);
 
 /**
- * ddwaf_allocator_alloc
- *
  * Allocates a block of memory from the given allocator with the requested
  * alignment.
  *
@@ -636,8 +609,6 @@ ddwaf_allocator ddwaf_user_allocator_init(ddwaf_alloc_fn_type alloc_fn, ddwaf_fr
 void *ddwaf_allocator_alloc(ddwaf_allocator alloc, size_t bytes, size_t alignment);
 
 /**
- * ddwaf_allocator_free
- *
  * Releases a block of memory previously obtained via ddwaf_allocator_alloc
  * from the same allocator.
  *
@@ -658,8 +629,6 @@ void ddwaf_allocator_free(ddwaf_allocator alloc, void *p, size_t bytes, size_t a
 
 
 /**
- * ddwaf_allocator_destroy
- *
  * Destroys an allocator created by one of the ddwaf_*_allocator_init functions
  * and releases any internal resources it holds.
  *
@@ -674,8 +643,6 @@ void ddwaf_allocator_free(ddwaf_allocator alloc, void *p, size_t bytes, size_t a
 void ddwaf_allocator_destroy(ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_set_invalid
- *
  * Creates an invalid object.
  *
  * @param object Object to perform the operation on. (nonnull)
@@ -685,8 +652,6 @@ void ddwaf_allocator_destroy(ddwaf_allocator alloc);
 ddwaf_object* ddwaf_object_set_invalid(ddwaf_object *object);
 
 /**
- * ddwaf_object_set_null
- *
  * Creates an null object. Provides a different semantical value to invalid as
  * it can be used to signify that a value is null rather than of an unknown type.
  *
@@ -697,8 +662,6 @@ ddwaf_object* ddwaf_object_set_invalid(ddwaf_object *object);
 ddwaf_object* ddwaf_object_set_null(ddwaf_object *object);
 
 /**
- * ddwaf_object_set_string
- *
  * Creates an object from a string.
  *
  * @param object Object to perform the operation on. (nonnull)
@@ -711,8 +674,6 @@ ddwaf_object* ddwaf_object_set_null(ddwaf_object *object);
 ddwaf_object* ddwaf_object_set_string(ddwaf_object *object, const char *string, uint32_t length, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_set_string_literal
- *
  * Creates an object from a literal string and its length.
  *
  * @param object Object to perform the operation on. (nonnull)
@@ -725,8 +686,6 @@ ddwaf_object* ddwaf_object_set_string(ddwaf_object *object, const char *string,
 ddwaf_object* ddwaf_object_set_string_literal(ddwaf_object *object, const char *string, uint32_t length);
 
 /**
- * ddwaf_object_set_string_nocopy
- *
  * Creates an object with the string pointer and length provided, without copying the string.
  *
  * @param object Object to perform the operation on. (nonnull)
@@ -741,8 +700,6 @@ ddwaf_object* ddwaf_object_set_string_literal(ddwaf_object *object, const char *
  **/
 ddwaf_object* ddwaf_object_set_string_nocopy(ddwaf_object *object, const char *string, uint32_t length);
 /**
- * ddwaf_object_set_unsigned
- *
  * Creates an object using an unsigned integer (64-bit). The resulting object
  * will contain an unsigned integer as opposed to a string.
  *
@@ -754,8 +711,6 @@ ddwaf_object* ddwaf_object_set_string_nocopy(ddwaf_object *object, const char *s
 ddwaf_object* ddwaf_object_set_unsigned(ddwaf_object *object, uint64_t value);
 
 /**
- * ddwaf_object_set_signed
- *
  * Creates an object using a signed integer (64-bit). The resulting object
  * will contain a signed integer as opposed to a string.
  *
@@ -767,8 +722,6 @@ ddwaf_object* ddwaf_object_set_unsigned(ddwaf_object *object, uint64_t value);
 ddwaf_object* ddwaf_object_set_signed(ddwaf_object *object, int64_t value);
 
 /**
- * ddwaf_object_set_bool
- *
  * Creates an object using a boolean, the resulting object will contain a
  * boolean as opposed to a string.
  *
@@ -780,8 +733,6 @@ ddwaf_object* ddwaf_object_set_signed(ddwaf_object *object, int64_t value);
 ddwaf_object* ddwaf_object_set_bool(ddwaf_object *object, bool value);
 
 /**
- * ddwaf_object_set_float
- *
  * Creates an object using a double, the resulting object will contain a
  * double as opposed to a string.
  *
@@ -793,8 +744,6 @@ ddwaf_object* ddwaf_object_set_bool(ddwaf_object *object, bool value);
 ddwaf_object* ddwaf_object_set_float(ddwaf_object *object, double value);
 
 /**
- * ddwaf_object_set_array
- *
  * Creates an array object, for sequential storage.
  *
  * @param object Object to perform the operation on. (nonnull)
@@ -806,8 +755,6 @@ ddwaf_object* ddwaf_object_set_float(ddwaf_object *object, double value);
 ddwaf_object* ddwaf_object_set_array(ddwaf_object *object, uint16_t capacity, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_set_map
- *
  * Creates a map object, for key-value storage.
  *
  * @param object Object to perform the operation on. (nonnull)
@@ -819,8 +766,6 @@ ddwaf_object* ddwaf_object_set_array(ddwaf_object *object, uint16_t capacity, dd
 ddwaf_object* ddwaf_object_set_map(ddwaf_object *object, uint16_t capacity, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_insert
- *
  * Inserts a new object into an array object.
  *
  * @param array Array in which to insert the object. (nonnull)
@@ -832,8 +777,6 @@ ddwaf_object* ddwaf_object_set_map(ddwaf_object *object, uint16_t capacity, ddwa
 ddwaf_object *ddwaf_object_insert(ddwaf_object *array, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_insert_key
- *
  * Inserts a new object into a map object, using a key.
  *
  * @param map Map in which to insert the object. (nonnull)
@@ -846,8 +789,6 @@ ddwaf_object *ddwaf_object_insert(ddwaf_object *array, ddwaf_allocator alloc);
 ddwaf_object *ddwaf_object_insert_key(ddwaf_object *map, const char *key, uint32_t length, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_insert_literal_key
- *
  * Inserts a new object into a map object, using a literal key.
  *
  * @param map Map in which to insert the object. (nonnull)
@@ -861,8 +802,6 @@ ddwaf_object *ddwaf_object_insert_literal_key(ddwaf_object *map, const char *key
 
 
 /**
- * ddwaf_object_insert_key_nocopy
- *
  * Inserts a new object into a map object, using a key and its length, but without
  * creating a copy of the key.
  *
@@ -879,8 +818,6 @@ ddwaf_object *ddwaf_object_insert_literal_key(ddwaf_object *map, const char *key
 ddwaf_object *ddwaf_object_insert_key_nocopy(ddwaf_object *map, const char *key, uint32_t length, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_from_json
- *
  * Creates a ddwaf_object from a JSON string. The JSON will be parsed and converted
  * into the appropriate ddwaf_object structure, supporting all JSON types including
  * objects, arrays, strings, numbers, booleans, and null values.
@@ -888,6 +825,7 @@ ddwaf_object *ddwaf_object_insert_key_nocopy(ddwaf_object *map, const char *key,
  * @param output Object to populate with the parsed JSON data. (nonnull)
  * @param json_str The JSON string to parse. (nonnull)
  * @param length Length of the JSON string.
+ * @param alloc Allocator to use for memory allocation. (nonnull)
  *
  * @return The success or failure of the operation.
  *
@@ -898,8 +836,6 @@ ddwaf_object *ddwaf_object_insert_key_nocopy(ddwaf_object *map, const char *key,
 bool ddwaf_object_from_json(ddwaf_object *output, const char *json_str, uint32_t length, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_type
- *
  * Returns the type of the object.
  *
  * @param object The object from which to get the type.
@@ -909,8 +845,6 @@ bool ddwaf_object_from_json(ddwaf_object *output, const char *json_str, uint32_t
 DDWAF_OBJ_TYPE ddwaf_object_get_type(const ddwaf_object *object);
 
 /**
- * ddwaf_object_get_size
- *
  * Returns the size of the container object.
  *
  * @param object The object from which to get the size.
@@ -920,8 +854,6 @@ DDWAF_OBJ_TYPE ddwaf_object_get_type(const ddwaf_object *object);
 size_t ddwaf_object_get_size(const ddwaf_object *object);
 
 /**
- * ddwaf_object_get_length
- *
  * Returns the length of the string object.
  *
  * @param object The object from which to get the length.
@@ -931,8 +863,6 @@ size_t ddwaf_object_get_size(const ddwaf_object *object);
 size_t ddwaf_object_get_length(const ddwaf_object *object);
 
 /**
- * ddwaf_object_get_string
- *
  * Returns the string contained within the object.
  *
  * @param object The object from which to get the string.
@@ -944,8 +874,6 @@ size_t ddwaf_object_get_length(const ddwaf_object *object);
 const char* ddwaf_object_get_string(const ddwaf_object *object, size_t *length);
 
 /**
- * ddwaf_object_get_unsigned
- *
  * Returns the uint64 contained within the object.
  *
  * @param object The object from which to get the integer.
@@ -955,8 +883,6 @@ const char* ddwaf_object_get_string(const ddwaf_object *object, size_t *length);
 uint64_t ddwaf_object_get_unsigned(const ddwaf_object *object);
 
 /**
- * ddwaf_object_get_signed
- *
  * Returns the int64 contained within the object.
  *
  * @param object The object from which to get the integer.
@@ -966,8 +892,6 @@ uint64_t ddwaf_object_get_unsigned(const ddwaf_object *object);
 int64_t ddwaf_object_get_signed(const ddwaf_object *object);
 
 /**
- * ddwaf_object_get_float
- *
  * Returns the float64 (double) contained within the object.
  *
  * @param object The object from which to get the float.
@@ -977,8 +901,6 @@ int64_t ddwaf_object_get_signed(const ddwaf_object *object);
 double ddwaf_object_get_float(const ddwaf_object *object);
 
 /**
- * ddwaf_object_get_bool
- *
  * Returns the boolean contained within the object.
  *
  * @param object The object from which to get the boolean.
@@ -988,8 +910,6 @@ double ddwaf_object_get_float(const ddwaf_object *object);
 bool ddwaf_object_get_bool(const ddwaf_object *object);
 
 /**
- * ddwaf_object_at_key
- *
  * Returns the key contained in the container at the given index.
  *
  * @param object The container from which to extract the object.
@@ -1002,8 +922,6 @@ const ddwaf_object* ddwaf_object_at_key(const ddwaf_object *object, size_t index
 
 
 /**
- * ddwaf_object_at_value
- *
  * Returns the object contained in the container at the given index.
  *
  * @param object The container from which to extract the object.
@@ -1015,8 +933,6 @@ const ddwaf_object* ddwaf_object_at_key(const ddwaf_object *object, size_t index
 const ddwaf_object* ddwaf_object_at_value(const ddwaf_object *object, size_t index);
 
 /**
- * ddwaf_object_find
- *
  * Returns the object within the given map with a key matching the provided one.
  *
  * @param object The container from which to extract the object.
@@ -1029,8 +945,6 @@ const ddwaf_object* ddwaf_object_at_value(const ddwaf_object *object, size_t ind
 const ddwaf_object* ddwaf_object_find(const ddwaf_object *object, const char *key, size_t length);
 
 /**
- * ddwaf_object_clone
- *
  * Creates a deep copy of the source object into the destination object.
  *
  * @param source The source object to clone from. (nonnull)
@@ -1042,8 +956,6 @@ const ddwaf_object* ddwaf_object_find(const ddwaf_object *object, const char *ke
 ddwaf_object* ddwaf_object_clone(const ddwaf_object *source, ddwaf_object *destination, ddwaf_allocator alloc);
 
 /**
- * ddwaf_object_is_invalid
- *
  * Returns true if the object is invalid.
  *
  * @param object The object from which to get the type.
@@ -1053,8 +965,6 @@ ddwaf_object* ddwaf_object_clone(const ddwaf_object *source, ddwaf_object *desti
 bool ddwaf_object_is_invalid(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_null
- *
  * Returns true if the object is null.
  *
  * @param object The object from which to get the type.
@@ -1064,8 +974,6 @@ bool ddwaf_object_is_invalid(const ddwaf_object *object);
 bool ddwaf_object_is_null(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_bool
- *
  * Returns true if the object is a boolean.
  *
  * @param object The object from which to get the type.
@@ -1075,8 +983,6 @@ bool ddwaf_object_is_null(const ddwaf_object *object);
 bool ddwaf_object_is_bool(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_signed
- *
  * Returns true if the object is a signed integer.
  *
  * @param object The object from which to get the type.
@@ -1086,8 +992,6 @@ bool ddwaf_object_is_bool(const ddwaf_object *object);
 bool ddwaf_object_is_signed(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_unsigned
- *
  * Returns true if the object is an unsigned integer.
  *
  * @param object The object from which to get the type.
@@ -1097,8 +1001,6 @@ bool ddwaf_object_is_signed(const ddwaf_object *object);
 bool ddwaf_object_is_unsigned(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_float
- *
  * Returns true if the object is a float.
  *
  * @param object The object from which to get the type.
@@ -1108,8 +1010,6 @@ bool ddwaf_object_is_unsigned(const ddwaf_object *object);
 bool ddwaf_object_is_float(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_string
- *
  * Returns true if the object is a string.
  *
  * @param object The object from which to get the type.
@@ -1119,8 +1019,6 @@ bool ddwaf_object_is_float(const ddwaf_object *object);
 bool ddwaf_object_is_string(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_array
- *
  * Returns true if the object is an array.
  *
  * @param object The object from which to get the type.
@@ -1130,8 +1028,6 @@ bool ddwaf_object_is_string(const ddwaf_object *object);
 bool ddwaf_object_is_array(const ddwaf_object *object);
 
 /**
- * ddwaf_object_is_map
- *
  * Returns true if the object is a map.
  *
  * @param object The object from which to get the type.
@@ -1141,8 +1037,6 @@ bool ddwaf_object_is_array(const ddwaf_object *object);
 bool ddwaf_object_is_map(const ddwaf_object *object);
 
 /**
- * ddwaf_object_destroy
- *
  * Frees the memory contained within the object.
  *
  * @param object Object to destroy. (nonnull)
@@ -1151,8 +1045,6 @@ bool ddwaf_object_is_map(const ddwaf_object *object);
 void ddwaf_object_destroy(ddwaf_object *object, ddwaf_allocator alloc);
 
 /**
- * ddwaf_get_version
- *
  * Return the version of the library
  *
  * @return version Version string, note that this should not be freed
@@ -1160,8 +1052,6 @@ void ddwaf_object_destroy(ddwaf_object *object, ddwaf_allocator alloc);
 const char *ddwaf_get_version();
 
 /**
- * ddwaf_set_log_cb
- *
  * Sets the callback to relay logging messages to the binding
  *
  * @param cb The callback to call, or NULL to stop relaying messages
diff --git a/tools/common/utils.cpp b/tools/common/utils.cpp
index 86c4be608..e7457f4ff 100644
--- a/tools/common/utils.cpp
+++ b/tools/common/utils.cpp
@@ -275,9 +275,11 @@ void object_to_json_helper(
     case DDWAF_OBJ_FLOAT:
         output.SetDouble(ddwaf_object_get_float(&obj));
         break;
-    case DDWAF_OBJ_STRING: {
-        auto sv = std::string_view(obj.via.str.ptr, obj.via.str.size);
-        output.SetString(sv.data(), sv.size(), alloc);
+    case DDWAF_OBJ_STRING:
+    case DDWAF_OBJ_SMALL_STRING:
+    case DDWAF_OBJ_LITERAL_STRING: {
+        output.SetString(
+            ddwaf_object_get_string(&obj, nullptr), ddwaf_object_get_length(&obj), alloc);
     } break;
     case DDWAF_OBJ_MAP:
         output.SetObject();
@@ -287,8 +289,10 @@ void object_to_json_helper(
 
             auto child = obj.via.map.ptr[i];
             object_to_json_helper(child.val, value, alloc);
+            const auto *child_key = ddwaf_object_at_key(&obj, i);
+            key.SetString(ddwaf_object_get_string(child_key, nullptr),
+                ddwaf_object_get_length(child_key), alloc);
 
-            key.SetString(child.key.via.str.ptr, child.key.via.str.size, alloc);
             output.AddMember(key, value, alloc);
         }
         break;
diff --git a/tools/generate_documentation.py b/tools/generate_documentation.py
new file mode 100755
index 000000000..6903d352b
--- /dev/null
+++ b/tools/generate_documentation.py
@@ -0,0 +1,547 @@
+#!/usr/bin/env python3
+"""
+Generate C API documentation for libddwaf.
+
+This script:
+1. Runs Doxygen to generate XML from include/ddwaf.h
+2. Converts the XML to a single Markdown file
+3. Cleans up the intermediate Doxygen files
+
+Usage:
+    ./tools/generate_documentation.py [--keep-xml]
+
+Options:
+    --keep-xml    Keep the intermediate Doxygen XML files
+"""
+
+import xml.etree.ElementTree as ET
+import subprocess
+import shutil
+import sys
+import re
+import tempfile
+from pathlib import Path
+
+
+def get_text(element):
+    """Extract all text content from an element, handling nested elements."""
+    if element is None:
+        return ""
+
+    result = []
+    if element.text:
+        result.append(element.text)
+
+    for child in element:
+        if child.tag == "para":
+            result.append(get_text(child))
+            result.append("\n\n")
+        elif child.tag == "parameterlist":
+            pass  # Handle separately
+        elif child.tag == "simplesect":
+            pass  # Handle separately
+        elif child.tag == "ref":
+            result.append(child.text or "")
+        elif child.tag == "computeroutput":
+            result.append(f"`{child.text or ''}`")
+        elif child.tag == "emphasis":
+            result.append(f"*{child.text or ''}*")
+        elif child.tag == "bold":
+            result.append(f"**{child.text or ''}**")
+        elif child.tag == "itemizedlist":
+            for item in child.findall("listitem"):
+                result.append(f"\n- {get_text(item).strip()}")
+            result.append("\n")
+        elif child.tag == "orderedlist":
+            for i, item in enumerate(child.findall("listitem"), 1):
+                result.append(f"\n{i}. {get_text(item).strip()}")
+            result.append("\n")
+        else:
+            result.append(get_text(child))
+
+        if child.tail:
+            result.append(child.tail)
+
+    return "".join(result).strip()
+
+
+def extract_description(memberdef):
+    """Extract brief and detailed description from a memberdef."""
+    brief = memberdef.find("briefdescription")
+    detailed = memberdef.find("detaileddescription")
+
+    brief_text = get_text(brief) if brief is not None else ""
+    detailed_text = get_text(detailed) if detailed is not None else ""
+
+    if detailed_text:
+        return detailed_text
+    return brief_text
+
+
+def extract_params(memberdef):
+    """Extract parameter documentation from a memberdef."""
+    params = []
+    detailed = memberdef.find("detaileddescription")
+    if detailed is None:
+        return params
+
+    for paramlist in detailed.iter("parameterlist"):
+        if paramlist.get("kind") == "param":
+            for item in paramlist.findall("parameteritem"):
+                name_elem = item.find(".//parametername")
+                desc_elem = item.find("parameterdescription")
+                if name_elem is not None:
+                    name = name_elem.text or ""
+                    desc = get_text(desc_elem) if desc_elem is not None else ""
+                    params.append((name, desc))
+
+    return params
+
+
+def extract_return(memberdef):
+    """Extract return value documentation."""
+    detailed = memberdef.find("detaileddescription")
+    if detailed is None:
+        return ""
+
+    for simplesect in detailed.iter("simplesect"):
+        if simplesect.get("kind") == "return":
+            return get_text(simplesect)
+
+    return ""
+
+
+def extract_retvals(memberdef):
+    """Extract return value codes documentation."""
+    retvals = []
+    detailed = memberdef.find("detaileddescription")
+    if detailed is None:
+        return retvals
+
+    for paramlist in detailed.iter("parameterlist"):
+        if paramlist.get("kind") == "retval":
+            for item in paramlist.findall("parameteritem"):
+                name_elem = item.find(".//parametername")
+                desc_elem = item.find("parameterdescription")
+                if name_elem is not None:
+                    name = name_elem.text or ""
+                    desc = get_text(desc_elem) if desc_elem is not None else ""
+                    retvals.append((name, desc))
+
+    return retvals
+
+
+def extract_notes(memberdef):
+    """Extract notes from documentation."""
+    notes = []
+    detailed = memberdef.find("detaileddescription")
+    if detailed is None:
+        return notes
+
+    for simplesect in detailed.iter("simplesect"):
+        if simplesect.get("kind") == "note":
+            notes.append(get_text(simplesect))
+
+    return notes
+
+
+def format_function_signature(memberdef):
+    """Format a function signature."""
+    return_type = memberdef.find("type")
+    name = memberdef.find("name")
+
+    ret_text = ""
+    if return_type is not None:
+        ret_text = get_text(return_type)
+        for ref in return_type.findall(".//ref"):
+            if ref.text:
+                ret_text = ret_text.replace(ref.text, ref.text)
+
+    func_name = name.text if name is not None else ""
+
+    params = []
+    for param in memberdef.findall("param"):
+        param_type = param.find("type")
+        param_name = param.find("declname")
+
+        type_text = get_text(param_type) if param_type is not None else ""
+        name_text = param_name.text if param_name is not None else ""
+
+        if type_text or name_text:
+            params.append(f"{type_text} {name_text}".strip())
+
+    return f"{ret_text} {func_name}({', '.join(params)})"
+
+
+def format_typedef_signature(memberdef):
+    """Format a typedef signature."""
+    definition = memberdef.find("definition")
+    argsstring = memberdef.find("argsstring")
+
+    def_text = definition.text if definition is not None else ""
+    args_text = argsstring.text if argsstring is not None and argsstring.text else ""
+
+    if args_text and args_text in def_text:
+        return def_text
+
+    return f"{def_text}{args_text}"
+
+
+def parse_header_xml(xml_path):
+    """Parse the main header XML file."""
+    tree = ET.parse(xml_path)
+    root = tree.getroot()
+
+    data = {
+        "enums": [],
+        "typedefs": [],
+        "functions": [],
+    }
+
+    compounddef = root.find("compounddef")
+    if compounddef is None:
+        return data
+
+    for sectiondef in compounddef.findall("sectiondef"):
+        for memberdef in sectiondef.findall("memberdef"):
+            member_kind = memberdef.get("kind")
+            name_elem = memberdef.find("name")
+            name = name_elem.text if name_elem is not None else ""
+
+            # Skip internal/compiler-specific stuff
+            if name.startswith("__") or name.startswith("_ddwaf_object_"):
+                continue
+
+            if member_kind == "enum":
+                enum_data = {
+                    "name": name,
+                    "description": extract_description(memberdef),
+                    "values": []
+                }
+
+                for enumvalue in memberdef.findall("enumvalue"):
+                    val_name = enumvalue.find("name")
+                    val_init = enumvalue.find("initializer")
+                    val_desc = enumvalue.find("detaileddescription")
+
+                    enum_data["values"].append({
+                        "name": val_name.text if val_name is not None else "",
+                        "value": val_init.text if val_init is not None else "",
+                        "description": get_text(val_desc) if val_desc is not None else ""
+                    })
+
+                data["enums"].append(enum_data)
+
+            elif member_kind == "typedef":
+                typedef_data = {
+                    "name": name,
+                    "signature": format_typedef_signature(memberdef),
+                    "description": extract_description(memberdef),
+                    "params": extract_params(memberdef),
+                }
+                data["typedefs"].append(typedef_data)
+
+            elif member_kind == "function":
+                func_data = {
+                    "name": name,
+                    "signature": format_function_signature(memberdef),
+                    "description": extract_description(memberdef),
+                    "params": extract_params(memberdef),
+                    "return": extract_return(memberdef),
+                    "retvals": extract_retvals(memberdef),
+                    "notes": extract_notes(memberdef),
+                }
+                data["functions"].append(func_data)
+
+    return data
+
+
+def categorize_functions(functions):
+    """Categorize functions by their purpose."""
+    categories = {
+        "Initialization/Destruction": [],
+        "Builder": [],
+        "Context": [],
+        "Subcontext": [],
+        "Allocator": [],
+        "Object Creation": [],
+        "Object Inspection": [],
+        "Object Container Operations": [],
+        "Object Type Checking": [],
+        "Utility": [],
+    }
+
+    for func in functions:
+        name = func["name"]
+
+        if name in ("ddwaf_init", "ddwaf_destroy"):
+            categories["Initialization/Destruction"].append(func)
+        elif "builder" in name:
+            categories["Builder"].append(func)
+        elif "subcontext" in name:
+            categories["Subcontext"].append(func)
+        elif "context" in name:
+            categories["Context"].append(func)
+        elif "allocator" in name or name.endswith("_allocator_init"):
+            categories["Allocator"].append(func)
+        elif name.startswith("ddwaf_object_set_") or name == "ddwaf_object_from_json":
+            categories["Object Creation"].append(func)
+        elif name.startswith("ddwaf_object_get_"):
+            categories["Object Inspection"].append(func)
+        elif name.startswith("ddwaf_object_is_"):
+            categories["Object Type Checking"].append(func)
+        elif name.startswith("ddwaf_object_"):
+            categories["Object Container Operations"].append(func)
+        elif name.startswith("ddwaf_known_"):
+            categories["Initialization/Destruction"].append(func)
+        else:
+            categories["Utility"].append(func)
+
+    order = [
+        "Initialization/Destruction",
+        "Builder",
+        "Context",
+        "Subcontext",
+        "Allocator",
+        "Object Creation",
+        "Object Inspection",
+        "Object Container Operations",
+        "Object Type Checking",
+        "Utility",
+    ]
+
+    return [(cat, categories[cat]) for cat in order if categories[cat]]
+
+
+def generate_markdown(data):
+    """Generate markdown from parsed data."""
+    lines = []
+
+    # Header
+    lines.append("# libddwaf C API Reference")
+    lines.append("")
+    lines.append("This document describes the public C API of libddwaf.")
+    lines.append("")
+
+    # Table of Contents
+    lines.append("## Table of Contents")
+    lines.append("")
+    lines.append("- [Enumerations](#enumerations)")
+    for enum in data["enums"]:
+        lines.append(f"  - [{enum['name']}](#{enum['name'].lower().replace('_', '-')})")
+    lines.append("- [Type Definitions](#type-definitions)")
+    lines.append("- [Functions](#functions)")
+
+    func_categories = categorize_functions(data["functions"])
+    for category, _ in func_categories:
+        anchor = category.lower().replace(" ", "-").replace("/", "")
+        lines.append(f"  - [{category}](#{anchor})")
+
+    lines.append("")
+
+    # Enumerations
+    lines.append("---")
+    lines.append("")
+    lines.append("## Enumerations")
+    lines.append("")
+
+    for enum in data["enums"]:
+        lines.append(f"### {enum['name']}")
+        lines.append("")
+        if enum["description"]:
+            lines.append(enum["description"])
+            lines.append("")
+
+        lines.append("| Value | Code | Description |")
+        lines.append("|-------|------|-------------|")
+        for val in enum["values"]:
+            desc = val["description"].replace("\n", " ").strip()
+            lines.append(f"| `{val['name']}` | `{val['value']}` | {desc} |")
+        lines.append("")
+
+    # Type Definitions
+    lines.append("---")
+    lines.append("")
+    lines.append("## Type Definitions")
+    lines.append("")
+
+    notable_typedefs = [t for t in data["typedefs"] if t["description"] or t["params"]]
+    simple_typedefs = [t for t in data["typedefs"] if not t["description"] and not t["params"]]
+
+    if simple_typedefs:
+        lines.append("### Handle Types")
+        lines.append("")
+        lines.append("| Type | Definition |")
+        lines.append("|------|------------|")
+        for typedef in simple_typedefs:
+            sig = typedef["signature"].replace("|", "\\|")
+            lines.append(f"| `{typedef['name']}` | `{sig}` |")
+        lines.append("")
+
+    for typedef in notable_typedefs:
+        lines.append(f"### {typedef['name']}")
+        lines.append("")
+        lines.append("```c")
+        lines.append(typedef["signature"])
+        lines.append("```")
+        lines.append("")
+
+        if typedef["description"]:
+            lines.append(typedef["description"])
+            lines.append("")
+
+        if typedef["params"]:
+            lines.append("**Parameters:**")
+            lines.append("")
+            for pname, pdesc in typedef["params"]:
+                lines.append(f"- `{pname}`: {pdesc}")
+            lines.append("")
+
+    # Functions
+    lines.append("---")
+    lines.append("")
+    lines.append("## Functions")
+    lines.append("")
+
+    for category, funcs in func_categories:
+        lines.append(f"### {category}")
+        lines.append("")
+
+        for func in funcs:
+            lines.append(f"#### {func['name']}")
+            lines.append("")
+            lines.append("```c")
+            lines.append(func["signature"])
+            lines.append("```")
+            lines.append("")
+
+            desc = func["description"]
+            desc_clean = re.split(r'\n\n', desc)[0] if desc else ""
+            if desc_clean:
+                lines.append(desc_clean)
+                lines.append("")
+
+            if func["params"]:
+                lines.append("**Parameters:**")
+                lines.append("")
+                for pname, pdesc in func["params"]:
+                    lines.append(f"- `{pname}`: {pdesc}")
+                lines.append("")
+
+            if func["return"]:
+                lines.append(f"**Returns:** {func['return']}")
+                lines.append("")
+
+            if func["retvals"]:
+                lines.append("**Return Values:**")
+                lines.append("")
+                for rname, rdesc in func["retvals"]:
+                    lines.append(f"- `{rname}`: {rdesc}")
+                lines.append("")
+
+            if func["notes"]:
+                for note in func["notes"]:
+                    lines.append(f"> **Note:** {note}")
+                    lines.append("")
+
+    return "\n".join(lines)
+
+
+def run_doxygen(root_dir, output_dir):
+    """Run Doxygen to generate XML output."""
+    # Create a temporary Doxyfile
+    doxyfile_content = f"""
+PROJECT_NAME = libddwaf
+OUTPUT_DIRECTORY = {output_dir}
+INPUT = {root_dir / 'include' / 'ddwaf.h'}
+FILE_PATTERNS = *.h
+RECURSIVE = NO
+EXTRACT_ALL = YES
+EXTRACT_STATIC = YES
+EXTRACT_PRIVATE = NO
+GENERATE_HTML = NO
+GENERATE_LATEX = NO
+GENERATE_MAN = NO
+GENERATE_RTF = NO
+GENERATE_DOCBOOK = NO
+GENERATE_XML = YES
+XML_OUTPUT = xml
+QUIET = YES
+WARNINGS = NO
+"""
+
+    doxyfile_path = output_dir / "Doxyfile"
+    doxyfile_path.write_text(doxyfile_content)
+
+    # Run doxygen
+    result = subprocess.run(
+        ["doxygen", str(doxyfile_path)],
+        cwd=root_dir,
+        capture_output=True,
+        text=True
+    )
+
+    if result.returncode != 0:
+        print(f"Doxygen error: {result.stderr}")
+        return False
+
+    return True
+
+
+def main():
+    # Parse arguments
+    keep_xml = "--keep-xml" in sys.argv
+
+    # Determine paths
+    script_path = Path(__file__).resolve()
+    root_dir = script_path.parent.parent
+    output_file = root_dir / "docs" / "c-api" / "api.md"
+
+    # Check for doxygen
+    if shutil.which("doxygen") is None:
+        print("Error: doxygen not found in PATH")
+        print("Please install doxygen: apt install doxygen / brew install doxygen")
+        sys.exit(1)
+
+    # Create temporary directory for doxygen output
+    with tempfile.TemporaryDirectory() as temp_dir:
+        temp_path = Path(temp_dir)
+
+        print("Running Doxygen...")
+        if not run_doxygen(root_dir, temp_path):
+            print("Error: Doxygen failed")
+            sys.exit(1)
+
+        # Find the XML file
+        xml_file = temp_path / "xml" / "ddwaf_8h.xml"
+        if not xml_file.exists():
+            print(f"Error: Expected XML file not found: {xml_file}")
+            sys.exit(1)
+
+        print("Parsing XML...")
+        data = parse_header_xml(xml_file)
+
+        print(f"Found {len(data['enums'])} enums, {len(data['typedefs'])} typedefs, {len(data['functions'])} functions")
+
+        print("Generating Markdown...")
+        markdown = generate_markdown(data)
+
+        # Ensure output directory exists
+        output_file.parent.mkdir(parents=True, exist_ok=True)
+
+        print(f"Writing {output_file}...")
+        output_file.write_text(markdown)
+
+        # Optionally keep XML files
+        if keep_xml:
+            xml_dest = root_dir / "docs" / "c-api" / "doxygen"
+            if xml_dest.exists():
+                shutil.rmtree(xml_dest)
+            shutil.copytree(temp_path, xml_dest)
+            print(f"XML files saved to {xml_dest}")
+
+    print("Done!")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/tools/infer_schema.cpp b/tools/infer_schema.cpp
index 2a04692ad..b37a8d721 100644
--- a/tools/infer_schema.cpp
+++ b/tools/infer_schema.cpp
@@ -4,14 +4,9 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
 #include "common/utils.hpp"
-#include "generator/extract_schema.hpp"
 #include "ddwaf.h"
 
-#include <algorithm>
-#include <stdexcept>
-#include <type_traits>
-#include <unordered_set>
-#include <variant>
+#include <limits>
 
 
 int main(int argc, char *argv[])
@@ -22,11 +17,12 @@ int main(int argc, char *argv[])
         return EXIT_FAILURE;
     }
 
+    auto *alloc = ddwaf_get_default_allocator();
+
     std::string rule_str = read_file(argv[1]);
     auto rule = YAML::Load(rule_str).as<ddwaf_object>();
 
-    ddwaf_config config{{nullptr, nullptr}, nullptr};
-    ddwaf_handle handle = ddwaf_init(&rule, &config, nullptr);
+    ddwaf_handle handle = ddwaf_init(&rule, nullptr);
     ddwaf_object_destroy(&rule, alloc);
     if (handle == nullptr) {
         std::cout << "Failed to load " << argv[1] << '\n';
@@ -36,32 +32,40 @@ int main(int argc, char *argv[])
     std::string body_str = read_file(argv[2]);
     auto body = json_to_object(body_str);
 
-    ddwaf_object tmp;
     ddwaf_object settings;
     ddwaf_object input;
 
-    ddwaf_object_map(&input);
-    ddwaf_object_map(&settings);
-    ddwaf_object_map_add(&settings, "extract-schema", ddwaf_object_set_bool(&tmp, true));
-    ddwaf_object_map_add(&input, "waf.context.processor", &settings);
-    ddwaf_object_map_add(&input, "server.request.body", &body);
+    ddwaf_object_set_map(&input, 2, alloc);
+    ddwaf_object_set_map(&settings, 1, alloc);
+
+    ddwaf_object *extract_schema = ddwaf_object_insert_literal_key(&settings, STRL("extract-schema"), alloc);
+    ddwaf_object_set_bool(extract_schema, true);
+
+    ddwaf_object *processor = ddwaf_object_insert_literal_key(&input, STRL("waf.context.processor"), alloc);
+    *processor = settings;
+
+    ddwaf_object *request_body = ddwaf_object_insert_literal_key(&input, STRL("server.request.body"), alloc);
+    *request_body = body;
 
-    ddwaf_context context = ddwaf_context_init(handle);
+    ddwaf_context context = ddwaf_context_init(handle, alloc);
     if (context == nullptr) {
+        ddwaf_object_destroy(&input, alloc);
         ddwaf_destroy(handle);
         return EXIT_FAILURE;
     }
 
-    ddwaf_result ret;
-    ddwaf_context_eval(context, &input, nullptr, &ret, std::numeric_limits<uint32_t>::max());
-    if (ddwaf_object_get_size(&ret.derivatives) > 0) {
-        std::cout << object_to_json(ret.derivatives) << '\n';
+    ddwaf_object result;
+    auto code = ddwaf_context_eval(context, &input, alloc, &result, std::numeric_limits<uint64_t>::max());
+    if (code == DDWAF_MATCH) {
+        const ddwaf_object *attributes = ddwaf_object_find(&result, STRL("attributes"));
+        if (attributes != nullptr && ddwaf_object_get_size(attributes) > 0) {
+            std::cout << object_to_json(*attributes) << '\n';
+        }
     }
 
-    ddwaf_result_free(&ret);
+    ddwaf_object_destroy(&result, alloc);
     ddwaf_context_destroy(context);
 
-    ddwaf_object_destroy(&input, alloc);
     ddwaf_destroy(handle);
 
     return EXIT_SUCCESS;