NAME
observe - log every host without enforcing
SYNOPSIS
observe
DESCRIPTION
Dials https://www.iana.org via the proxy with ModeObserve. No allowlist is consulted: every CONNECT is forwarded and every CONNECT is recorded.
Examples:
egress-demo observe
# proxy listening on 127.0.0.1:<port>
# response: 200 200 OK
# egress rows:
# host=www.iana.org:443 decision=observe up=... down=... ms=...
When to reach for ModeObserve vs ModeEnforce: enforce when the set of legitimate hosts is small, stable, and explicitly enumerable (package registries). Observe when the set is too broad to pin (aws.amazon.com fans out into thousands of regional endpoints) but the after-the-fact record of "what did the agent talk to" is the actually load-bearing telemetry.
Operating model: a row with decision=observe is not an alert; it is expected. Anomaly detection on the observed-row stream is a downstream concern, not a coily-internal one. Tools that aggregate these rows belong in the telemetry repo, not in cli-guard.
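The difference between the two modes at the point where a CONNECT target is decided, as an added sketch that is not the project's own code. Only ModeObserve, ModeEnforce and decision=observe come from this page; the Mode and Row types, the Decide function, the "allow" and "deny" labels and the sample allowlist are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Mode mirrors the page's two modes; the type and everything below it are
// hypothetical names for this sketch, not the project's API.
type Mode int

const (
	ModeEnforce Mode = iota
	ModeObserve
)

// Row is one egress record. "observe" comes from the page's sample output;
// "allow" and "deny" are assumed labels for the enforce path.
type Row struct{ Host, Decision string }

// Decide handles the target of one CONNECT request (host:port). It returns
// whether to forward the tunnel and the row to record. Every request yields
// a row, so the log stays complete in both modes.
func Decide(mode Mode, allow map[string]bool, target string) (bool, Row) {
	host, _, err := net.SplitHostPort(target)
	if err != nil {
		host = target // no port given
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if mode == ModeObserve {
		return true, Row{target, "observe"} // allowlist is never consulted
	}
	if allow[host] {
		return true, Row{target, "allow"}
	}
	return false, Row{target, "deny"} // fail closed on anything not listed
}

func main() {
	allow := map[string]bool{"registry.npmjs.org": true} // constructed allowlist
	for _, t := range []string{"registry.npmjs.org:443", "www.iana.org:443"} {
		for _, m := range []Mode{ModeEnforce, ModeObserve} {
			ok, r := Decide(m, allow, t)
			fmt.Printf("mode=%d forward=%v host=%s decision=%s\n", m, ok, r.Host, r.Decision)
		}
	}
}
```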
Usage:
observe [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]