fix: store expires_at in UTC format compatible with SQLite datetime() (#4)

expires_at was stored using Go's sql.NullTime which serializes time.Time
in Go's default format (local timezone + monotonic clock suffix). This
made all datetime comparisons with SQLite's datetime('now') fail in
non-UTC timezones, causing temporary rules to appear expired immediately.

This broke "Allow this time", "Allow for 1h", etc: the rule was created
but FindMatchingRule and GetRules both filtered it out, so waiting
connections were never released.

Also hides the "Allow this time" UI option when no connections are
actively waiting, since the 30s rule is only useful during the grace
period.

Author: tito

internal/greyproxy/crud.go

@@ -47,9 +47,10 @@ func CreateRule(db *DB, input RuleCreateInput) (*Rule, error) {
 		input.CreatedBy = "admin"
 	}
 
-	var expiresAt sql.NullTime
+	var expiresAt sql.NullString
 	if input.ExpiresInSeconds != nil && *input.ExpiresInSeconds > 0 {
-		expiresAt = sql.NullTime{Time: time.Now().Add(time.Duration(*input.ExpiresInSeconds) * time.Second), Valid: true}
+		t := time.Now().UTC().Add(time.Duration(*input.ExpiresInSeconds) * time.Second)
+		expiresAt = sql.NullString{String: t.Format("2006-01-02 15:04:05"), Valid: true}
 	}
 
 	var notes sql.NullString

internal/greyproxy/crud_test.go

@@ -112,6 +112,42 @@ func TestCreateRuleWithExpiration(t *testing.T) {
 	}
 }
 
+func TestTemporaryRuleVisibleInGetRules(t *testing.T) {
+	db := setupTestDB(t)
+
+	// Create a temporary rule with 1h expiry
+	expires := int64(3600)
+	_, err := CreateRule(db, RuleCreateInput{
+		ContainerPattern:   "myapp",
+		DestinationPattern: "example.com",
+		ExpiresInSeconds:   &expires,
+		Action:             "allow",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// The rule should be visible in GetRules (not filtered as expired)
+	rules, total, err := GetRules(db, RuleFilter{Limit: 10})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if total != 1 {
+		t.Errorf("expected 1 rule, got %d (temporary rule incorrectly filtered as expired)", total)
+	}
+	if len(rules) != 1 {
+		t.Errorf("expected 1 rule in list, got %d", len(rules))
+	}
+
+	// The rule should also be found by FindMatchingRule
+	found := FindMatchingRule(db, "myapp", "example.com", 443, "")
+	if found == nil {
+		t.Error("expected FindMatchingRule to find the temporary rule")
+	} else if found.Action != "allow" {
+		t.Errorf("expected allow action, got %s", found.Action)
+	}
+}
+
 func TestGetRules(t *testing.T) {
 	db := setupTestDB(t)
 

internal/greyproxy/ui/templates/partials/pending_list.html

@@ -106,11 +106,13 @@ <h4 class="text-sm font-medium text-destructive mb-3">Deny — block this destin
                         <!-- Dropdown menu -->
                         <div id="allow-menu-{{.ID}}" class="hidden absolute right-0 top-full mt-1 w-40 bg-card rounded-md shadow-lg border border-border z-50">
                             <div class="py-1">
+                                {{if gt .WaitingCount 0}}
                                 <button hx-post="{{$.Prefix}}/htmx/pending/{{.ID}}/allow" hx-vals='{"scope": "exact", "duration": "once"}'
                                     hx-target="#pending-list" hx-swap="innerHTML"
                                     class="btn-menu-item w-full text-left px-3 py-1.5 text-xs text-foreground hover:bg-muted transition-colors">
                                     Allow this time
                                 </button>
+                                {{end}}
                                 <button hx-post="{{$.Prefix}}/htmx/pending/{{.ID}}/allow" hx-vals='{"scope": "exact", "duration": "1h"}'
                                     hx-target="#pending-list" hx-swap="innerHTML"
                                     class="btn-menu-item w-full text-left px-3 py-1.5 text-xs text-foreground hover:bg-muted transition-colors">