feat(watch): --watch observability mode and greywatch alias #94
Merged
--watch flag turns greywall into an observation layer instead of a deny-by-default sandbox: it skips profile loading, registers a single */* allow rule with greyproxy so every request is visible on the dashboard but reaches its destination, and relaxes local filesystem and command policies (mandatory denies like .ssh/authorized_keys and git hooks are preserved as a safety floor). Network containment is unchanged: --unshare-net + tun2socks on Linux, Seatbelt deny-default-with-proxy-allow on macOS still force all traffic through greyproxy. Invoking the binary as "greywatch" auto-injects --watch via argv[0] dispatch, so installing a "greywatch -> greywall" symlink gives users a dedicated entry point. The Makefile, install.sh, and Homebrew cask post-install hook now create the symlink. Also fix a pre-existing edge case where a session with network rules but no detected credentials would never register with greyproxy: the fallback registration was gated on credSessionID being empty, but the credential block always pre-generates a session id. Gate on credSubstitutionActive instead.
Reframe the README so the two modes are clear from the first paragraph: greywall as the deny-by-default sandbox, greywatch (alias for "greywall --watch") as the allow-by-default observability layer that surfaces every request on the greyproxy dashboard without denying anything. Adds:
- two-mode lead paragraph
- "Observability mode" key feature bullet
- greywatch example in the quickstart block
- install note that greywatch ships alongside greywall (Homebrew, install.sh, make build) plus the manual "ln -s greywall greywatch" step for "go install" and manual tarball downloads
- new "Watch mode (observability)" usage subsection covering the unchanged network containment, retained safety floor, and how it differs from normal mode
CI's gofumpt is newer than what most contributors have locally and now flags pre-existing multi-line call formatting across the profiles and sandbox packages. Run the formatter and shift one //nolint:gosec directive (monitor.go) onto the exec.CommandContext( line so it still attaches after the reformat. No behavior changes.
# Conflicts: # internal/sandbox/manager.go
Summary

Adds a `--watch` flag that turns greywall into an observability layer instead of a deny-by-default sandbox, plus a `greywatch` alias that auto-applies it.

In `--watch` mode:

- Registers a single `*/*` allow rule with greyproxy per session. Every request is logged on the dashboard but reaches its destination. Greyproxy's pattern matcher already treats `*` as match-all for both destination and port, so no greyproxy changes are needed.
- Mandatory denies (`.ssh/authorized_keys`, git hooks, etc.) are preserved as a safety floor.
- `--unshare-net` + tun2socks on Linux and Seatbelt (deny default) + proxy allow on macOS still force every connection through greyproxy.
- `-m` not implied — combine `--watch -m` if you want violation monitoring on top.
- `--blank` untouched.
- (`--no-credential-protection`).

greywatch alias

Same binary, dispatched via `argv[0]`. Running `greywatch <cmd>` is equivalent to `greywall --watch -- <cmd>`. The symlink is created by:

- Makefile (`build`, `build-linux`, `build-darwin`)
- install.sh (after binary extraction)

Manual tarball users can create the symlink themselves: `ln -s greywall greywatch`.

Drive-by bug fix

The existing fallback session-registration was gated on `credSessionID == ""`, but the credential block always pre-generates a session id even when no credentials are detected — so any session that needed network rules but had no credentials silently never registered. Now gated on `credSubstitutionActive`, the source of truth for whether registration actually happened. Without this fix, `--watch` (and `--learning --blank` in some setups) wouldn't push their rules to greyproxy.

Test plan

- `make build` produces both `greywall` and `greywatch` (symlink)
- `golangci-lint run` — 0 issues
- `go test ./...` — all packages pass
- `./greywall --watch -- echo hello` prints watch-mode banner and runs
- `./greywatch -- echo hello` (via symlink) dispatches identically
- `./greywall --watch -d -- echo test` confirms session registration is attempted against greyproxy (HTTP error when greyproxy is not running, as expected)
- `./greywall --help` lists the `--watch` flag with a clear description
- `*/*` allow rule appears in the dashboard and all traffic is logged but not denied
- `--unshare-net` is still applied and tun2socks routes traffic through greyproxy
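The mechanics the description relies on, as an added worked example that is not code from this PR or from the greywall project: `argv[0]` dispatch that injects `--watch` when the binary is reached through a `greywatch` symlink, a filesystem policy check in which the mandatory denies stay in force in both modes while watch mode allows everything else, the single `*/*` allow rule that watch mode registers with the proxy, and the fallback-registration gate from the drive-by fix keyed on whether credential substitution actually registered the session rather than on a session id existing. Every identifier (`effectiveArgs`, `fsDecision`, `proxyRules`, `needsFallbackRegistration`, `ProxyRule`, the `mandatoryDenies` list) is hypothetical and constructed for this illustration; the real greyproxy rule format and greywall's internal names are not shown on the page.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// All names in this file are illustrative, not greywall's own identifiers.

// Mode selects between the two behaviours the PR describes.
type Mode int

const (
	ModeSandbox Mode = iota // default: deny unless a profile rule allows
	ModeWatch               // --watch: allow and log, keep the safety floor
)

// mandatoryDenies is the safety floor that stays in force in both modes.
// Constructed list; the PR names .ssh/authorized_keys and git hooks.
var mandatoryDenies = []string{".ssh/authorized_keys", ".git/hooks/"}

// effectiveArgs performs argv[0] dispatch: when the binary is invoked through
// a "greywatch" symlink, --watch is injected ahead of the user's arguments
// (unless already present before the "--" separator), so the rest of the
// CLI sees the same argument list as "greywall --watch ...".
func effectiveArgs(argv []string) []string {
	if len(argv) == 0 {
		return nil
	}
	rest := append([]string(nil), argv[1:]...)
	if filepath.Base(argv[0]) != "greywatch" {
		return rest
	}
	for _, a := range rest {
		if a == "--" {
			break // everything after "--" belongs to the wrapped command
		}
		if a == "--watch" {
			return rest
		}
	}
	return append([]string{"--watch"}, rest...)
}

// Decision is the outcome of a local filesystem/command policy check.
type Decision struct {
	Allow  bool
	Reason string
}

// fsDecision applies the mode semantics: mandatory denies win in both modes;
// watch mode then allows (and would log) everything else; sandbox mode falls
// back to the profile and denies by default.
func fsDecision(mode Mode, profileAllows func(string) bool, path string) Decision {
	clean := filepath.ToSlash(filepath.Clean(path))
	for _, d := range mandatoryDenies {
		if strings.Contains(clean, d) {
			return Decision{false, "mandatory deny: " + d}
		}
	}
	if mode == ModeWatch {
		return Decision{true, "watch mode: allowed, logged on dashboard"}
	}
	if profileAllows(clean) {
		return Decision{true, "profile allow"}
	}
	return Decision{false, "deny by default"}
}

// ProxyRule is a hypothetical proxy rule; "*" stands for match-all.
type ProxyRule struct {
	Host, Port, Action string
}

// proxyRules returns what gets registered with the proxy: the profile's
// rules in sandbox mode, or the single "*/*" allow rule in watch mode.
func proxyRules(mode Mode, profile []ProxyRule) []ProxyRule {
	if mode == ModeWatch {
		return []ProxyRule{{Host: "*", Port: "*", Action: "allow"}}
	}
	return profile
}

// needsFallbackRegistration mirrors the drive-by fix: gate on whether
// credential substitution actually registered the session, not on whether
// a session id exists (one is always pre-generated).
func needsFallbackRegistration(credSubstitutionActive bool, rules []ProxyRule) bool {
	return !credSubstitutionActive && len(rules) > 0
}

func main() {
	// Constructed invocation standing in for os.Args via the symlink.
	argv := []string{"/usr/local/bin/greywatch", "--", "echo", "hello"}
	if len(os.Args) > 1 {
		argv = os.Args
	}
	args := effectiveArgs(argv)
	mode := ModeSandbox
	for _, a := range args {
		if a == "--" {
			break
		}
		if a == "--watch" {
			mode = ModeWatch
		}
	}
	rules := proxyRules(mode, nil)
	fmt.Println("args:", args, "rules:", rules, "fallback:", needsFallbackRegistration(false, rules))
	for _, p := range []string{"/home/u/.ssh/authorized_keys", "/home/u/project/main.go"} {
		fmt.Printf("%-35s %+v\n", p, fsDecision(mode, func(string) bool { return false }, p))
	}
}
```

Run it with no arguments to see the constructed `greywatch -- echo hello` invocation dispatched, or pass your own argument list; the point to notice is that the safety-floor path is denied even in watch mode, while the ordinary project file flips from deny to allow only because the mode changed.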