feat: LLM conversation reassembly and viewer UI (#10)

* feat: MITM TLS interception for HTTP content inspection

Add TLS man-in-the-middle capability so greyproxy can decrypt and log
HTTPS request/response content flowing through the proxy.

- Add `greyproxy cert generate/install` CLI for CA certificate management
- Auto-inject MITM cert paths into HTTP/SOCKS5 handler metadata on startup
- Enable sniffing by default in greyproxy.yml for both proxy services
- Add OnHTTPRoundTrip callback to Sniffer for decrypted traffic hooks
- Wire [MITM] log output in both HTTP and SOCKS5 handlers
- Fix GenerateCertificate to auto-detect key type (ECDSA/Ed25519/RSA)
  instead of hardcoding SHA256WithRSA

* feat: Phase 1 observability — capture and display MITM HTTP transactions

Add end-to-end HTTP transaction recording for MITM-intercepted requests:

- DB: migration for http_transactions table with indexes
- Models: HttpTransaction, HttpTransactionJSON, HttpTransactionCreateInput
- CRUD: create, get, query with filtering (container, destination, method, date range)
- API: GET /api/transactions (list) and GET /api/transactions/:id (detail with body)
- UI: Traffic page with HTMX table, filters, pagination, expandable row details
- Hook: GlobalHTTPRoundTripHook in sniffer + bridge via gostx.SetGlobalMitmHook
- Wire: program.go connects MITM hook to DB storage and EventBus
- Fix: auther srcAddrKey type mismatch — use xctx.SrcAddrFromContext for correct
  client IP resolution (was causing unknown-unknown container names)
- Fix: remove custom lt/gt template funcs that shadowed Go builtins and broke
  int64 comparisons in traffic table (only first row rendered)
- Tests: API handler tests (9), HTMX route tests (10), CRUD tests (5), plugin tests

* docs: add vibedocs with MITM proposal as 001-mitm.md

* feat: Phase 2 MITM - pending HTTP request approval, URL pattern matching, and UI

* feat: auto-detect Linux distro for CA cert install

Detect whether the system uses update-ca-trust (Arch, Fedora, RHEL) or
update-ca-certificates (Debian, Ubuntu) and run the install automatically
with sudo, falling back to manual instructions on failure.

* fix: increase the body capture to 2MB

Most content was truncated. But i need to see what's the required size
to support the 1M context from opus

* feat: support content decompression

* feat: experiment accross reassembly of http

* feat: step-by-step turn rendering, tool result merging, subagent linking, and system prompt capture

Restructure conversation turns from flat concatenated fields into ordered
steps that preserve the actual back-and-forth flow (assistant -> tool calls
-> tool results -> assistant). Tool results are now attached directly to
their corresponding tool calls. Subagent conversations are linked from
parent Agent tool calls. Full system prompt is captured in output JSON.

* feat: track conversation viewer and auto-copy to output directory

Move viewer.html to cmd/assembleconv/ so it's version-controlled.
The assembler now copies it into the output dir as index.html on each run.

* feat: incremental conversation assembler with API server and viewer

assemble2.py reads directly from greyproxy.db (bypassing the export step),
tracks a watermark for incremental processing, stores results in
conversation.db, and serves a REST API with a live web viewer.

* feat: native conversation dissector with Anthropic support and dashboard UI

Port the Python conversation assembler (assemble2.py) into Go as a native
greyproxy feature. Introduces a Wireshark-inspired dissector framework for
provider-specific HTTP body parsing, with Anthropic as the first dissector.

- Dissector framework: interface + registry in internal/greyproxy/dissector/
- Anthropic dissector: parses Messages API requests, SSE responses, extracts
  session IDs, models, messages, system prompts, and tool calls
- SSE parser shared across providers
- Database: conversations, turns, processing_state tables (migration 7),
  conversation_id FK on http_transactions (migration 8)
- Assembly engine: subscribes to EventTransactionNew, debounces, groups by
  session, classifies threads, builds turns with tool result merging,
  recovers SSE responses, links subagents. Backfills on startup.
- REST API: /api/conversations, /api/conversations/:id, /api/conversations/:id/subagents
- Conversations page: split-pane layout with sidebar list and detail panel,
  collapsible system prompts, thinking blocks, tool calls, subagent navigation,
  live updates via WebSocket
- Test fixtures from real Anthropic API transactions

* feat: improve conversation UI with markdown rendering, tool I/O display, URL state, and subagent linking

* feat: subagent navigation, assembler versioning, and settings maintenance UI

- Add "View subagent →" button on Agent tool calls linking to subagent conversations
- Add "← Back to parent" navigation when viewing a subagent conversation
- Improve linked subagents section with first prompt preview and model info
- Auto-scroll to top when navigating between conversations
- Add assembler version tracking with auto-rebuild on version change
- Add Settings > Advanced > Maintenance section with manual rebuild button
- Add Cache-Control: no-store on conversation detail HTMX responses

* refactor: remove HTTP pending requests and HTTP-level rule fields

Rules are back to domain/IP-level only (container, destination, port).
Removes method_pattern, path_pattern, content_action from rules, the
pending_http_requests table, and all associated API/UI/CRUD code.
Migrations renumbered from 8 to 6.

* feat: unified Activity view replacing separate Logs and Traffic pages

Merge connection logs and HTTP transactions into a single time-ordered
Activity page with UNION ALL query. Connections are deduplicated when
HTTP transactions exist for the same destination, with rule info
recovered via correlated subquery. Adds Live/Paused toggle for
real-time updates, DevTools-style header display with Raw toggle,
and full URL in expandable detail panes.

* feat: replace CONN badge with lock/unlock icons for decoded vs undecoded traffic

Use closed padlock + "TCP" for undecoded connections and open padlock +
HTTP method for decoded traffic. Rename filter options to "Decoded (HTTP)"
and "Undecoded (TCP)" to clarify why some traffic is not inspected.

* feat: add Live/Paused toggle to conversations page and preserve scroll position

Replace the static Refresh button with the same Live/Paused toggle pattern
used in the Activity page. When paused, incoming events are buffered and shown
as a badge count. Also preserve the conversation list scroll position on refresh.

* chore: remove prototype scripts and planning documents

Remove assemble2.py, viewer2.html (superseded by native Go assembler),
and root-level planning/research markdown files that are dev artifacts.

* chore: add Python and conversation.db exclusions to .gitignore

Add __pycache__/, *.pyc, *.pyo patterns and /conversation.db to
prevent development artifacts from being committed.

* fix: escape SQL LIKE wildcards in session ID matching

Session IDs containing % or _ were treated as LIKE wildcards,
causing loadTransactionsForSessions to match unrelated rows.
Add escapeLikePattern helper and ESCAPE '\' clause to the query.

Tests demonstrate the vulnerability (unescaped % matches all rows)
and verify the fix (escaped % matches none).

* fix: add mutex to conversation assembler to prevent race conditions

RebuildAllConversations (called from HTTP API) and processNewTransactions
(called from event loop and debounce timer) could run concurrently,
causing TOCTOU races on the last_processed_id cursor.

Add sync.Mutex with a locked internal method to serialize all processing.

* fix: handle errors instead of silently swallowing them in assembler

- Log warnings for rows.Scan failures instead of silent continue
- Log debug for json.Unmarshal failures on request bodies
- Log warnings for invalid strconv parsing of assembler_version and
  last_processed_id
- Handle time.Parse failures gracefully in heuristic grouping
  (keep entries in same group instead of using zero time)
- Add truncateUTF8 helper to avoid splitting multi-byte characters
  when truncating thinking previews, system prompt summaries, and
  subagent first prompts

* fix: eliminate data race in assembler debounce timer

The pending boolean was read/written from both the main event loop
goroutine and the time.AfterFunc callback without synchronization.

Replace with a channel-based trigger: the timer sends a signal on a
buffered channel, and the main select loop receives it to call
processNewTransactions. This keeps all state access on the main
goroutine.

* feat: MITM TLS visibility, cert management, global toggle, and skip reason tracking

Add end-to-end MITM interception visibility: skip reason tracking (no_cert,
mitm_disabled, mitm_error, non_http_after_tls, etc.), certificate management
API/UI, global MITM toggle in settings, and activity view dedup fixes.

Key fixes:
- RequestLog model was missing MitmSkipReason field (written but never read)
- Handlers now set mitm_error when HandleTLS returns an error
- UpdateLatestLogMitmSkipReason matches resolved_hostname (fixes IP vs SNI mismatch)
- Activity dedup handles IP-based connection logs vs hostname-based HTTP transactions
- Integration tests for HandleTLS covering 5 MITM scenarios

* feat: MITM TLS visibility, cert management, global toggle, skip reason tracking, and integration tests

Add end-to-end MITM interception visibility: skip reason tracking (no_cert,
mitm_disabled, mitm_error, non_http_after_tls, etc.), certificate management
API/UI, global MITM toggle in settings, and activity view fixes.

Key fixes:
- RequestLog model was missing MitmSkipReason field (written but never read)
- Handlers now set mitm_error when HandleTLS returns an error
- UpdateLatestLogMitmSkipReason matches resolved_hostname (fixes IP vs SNI mismatch)
- Activity dedup handles IP-based connection logs vs hostname-based HTTP transactions
- Integration tests for HandleTLS covering 5 MITM scenarios

* feat: compact collapsible tool call cards in conversation UI

- Tool calls now show as single-line cards with icon, name, and smart
  summary (file path, command description, pattern, etc.)
- Click to expand and see full input/result with truncation controls
- Add expand/collapse all tools button in conversation header
- Extract tool_summary at dissection time from full input before the
  300-char truncation, fixing broken previews for Edit/Write
- Unify Live button style between activity and conversations pages
- Fix activity Live button hover jump (overflow-hidden on ping dot)
- Flatten step layout: remove per-HTTP-request borders and padding

* fix: remove button hover translateY transform

* fix: handle new Anthropic metadata.user_id JSON object format for session extraction

The Anthropic API changed metadata.user_id from a plain string
("user_HASH_account_UUID_session_UUID") to a JSON object with a
session_id field. This broke session ID extraction, leaving all
new transactions unlinked to conversations.

* chore: remove vibedocs directory

* chore: remove exportlogs/assembleconv experiment

* feat: cert install improvements and cert uninstall command

- Print destination path on successful cert install
- Check if cert is already installed, require -f to overwrite
- Add `greyproxy cert uninstall` to remove CA from OS trust store
- `greyproxy uninstall` now also removes the CA certificate

* fix: remove environment variable hints section from settings UI

* chore: ignore local log/script

* fix: show all connections in activity log and eagerly report MITM skip reason

Remove activity dedup logic that hid connection rows when HTTP
transactions existed for the same destination. Old MITM-era transactions
were permanently suppressing connection rows even after MITM was disabled.

Fire OnMitmSkip callback immediately when MITM is skipped (before the
blocking pipe), so long-lived connections get their mitm_skip_reason
updated right away instead of waiting for connection close.

* feat: show notice that MITM toggle only affects new connections

* fix: redact real API key from testdata fixtures

Author: tito

.gitignore

@@ -31,6 +31,11 @@ _testmain.go
 
 *.bak
 
+# Python
+__pycache__/
+*.pyc
+*.pyo
+
 cmd/greyproxy/greyproxy
 snap
 
@@ -42,4 +47,9 @@ dist/
 /greyproxy.db
 /greyproxy.db-shm
 /greyproxy.db-wal
+/conversation.db
 /greyproxy
+exported_logs/
+/buildrun.sh
+/greyproxy.log
+/greyproxy.reload

cmd/greyproxy/cert.go

@@ -0,0 +1,292 @@
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"time"
+)
+
+func handleCert(args []string) {
+	if len(args) == 0 {
+		fmt.Fprintf(os.Stderr, `Usage: greyproxy cert <command>
+
+Commands:
+  generate    Generate CA certificate and key pair
+  install     Trust the CA certificate on the OS
+  uninstall   Remove the CA certificate from the OS trust store
+
+Options:
+  -f          Force overwrite existing files (generate, install)
+`)
+		os.Exit(1)
+	}
+
+	switch args[0] {
+	case "generate":
+		force := len(args) > 1 && args[1] == "-f"
+		handleCertGenerate(force)
+	case "install":
+		force := len(args) > 1 && args[1] == "-f"
+		handleCertInstall(force)
+	case "uninstall":
+		handleCertUninstall()
+	default:
+		fmt.Fprintf(os.Stderr, "unknown cert command: %s\n", args[0])
+		os.Exit(1)
+	}
+}
+
+func handleCertGenerate(force bool) {
+	dataDir := greyproxyDataHome()
+	certFile := filepath.Join(dataDir, "ca-cert.pem")
+	keyFile := filepath.Join(dataDir, "ca-key.pem")
+
+	if !force {
+		if _, err := os.Stat(certFile); err == nil {
+			fmt.Fprintf(os.Stderr, "CA certificate already exists: %s\nUse -f to overwrite.\n", certFile)
+			os.Exit(1)
+		}
+		if _, err := os.Stat(keyFile); err == nil {
+			fmt.Fprintf(os.Stderr, "CA key already exists: %s\nUse -f to overwrite.\n", keyFile)
+			os.Exit(1)
+		}
+	}
+
+	// Generate ECDSA P-256 key
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to generate private key: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Create self-signed CA certificate
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to generate serial number: %v\n", err)
+		os.Exit(1)
+	}
+
+	template := &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: "Greyproxy CA",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		MaxPathLen:            0,
+		MaxPathLenZero:        true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to create certificate: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Ensure data directory exists
+	if err := os.MkdirAll(dataDir, 0700); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to create data directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Write certificate
+	certOut, err := os.OpenFile(certFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to write certificate: %v\n", err)
+		os.Exit(1)
+	}
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER}); err != nil {
+		certOut.Close()
+		fmt.Fprintf(os.Stderr, "failed to encode certificate: %v\n", err)
+		os.Exit(1)
+	}
+	certOut.Close()
+
+	// Write private key
+	keyBytes, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to marshal private key: %v\n", err)
+		os.Exit(1)
+	}
+
+	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to write key: %v\n", err)
+		os.Exit(1)
+	}
+	if err := pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}); err != nil {
+		keyOut.Close()
+		fmt.Fprintf(os.Stderr, "failed to encode key: %v\n", err)
+		os.Exit(1)
+	}
+	keyOut.Close()
+
+	fmt.Printf("CA certificate: %s\n", certFile)
+	fmt.Printf("CA private key: %s\n", keyFile)
+	fmt.Println("\nRun 'greyproxy cert install' to trust this CA on your system.")
+}
+
+// linuxCertInstallInfo returns the destination path and update command
+// appropriate for the current Linux distribution.
+func linuxCertInstallInfo() (destPath, updateCmd string) {
+	// Arch Linux, Fedora, RHEL, CentOS, openSUSE use update-ca-trust
+	if _, err := exec.LookPath("update-ca-trust"); err == nil {
+		return "/etc/ca-certificates/trust-source/anchors/greyproxy-ca.crt", "update-ca-trust"
+	}
+	// Debian, Ubuntu, and derivatives use update-ca-certificates
+	return "/usr/local/share/ca-certificates/greyproxy-ca.crt", "update-ca-certificates"
+}
+
+func isCertInstalled() bool {
+	switch runtime.GOOS {
+	case "darwin":
+		err := exec.Command("security", "find-certificate", "-c", "Greyproxy CA").Run()
+		return err == nil
+	case "linux":
+		destPath, _ := linuxCertInstallInfo()
+		_, err := os.Stat(destPath)
+		return err == nil
+	default:
+		return false
+	}
+}
+
+func certInstallLocation() string {
+	switch runtime.GOOS {
+	case "darwin":
+		return "/Library/Keychains/System.keychain"
+	case "linux":
+		destPath, _ := linuxCertInstallInfo()
+		return destPath
+	default:
+		return "(unknown)"
+	}
+}
+
+func handleCertInstall(force bool) {
+	certFile := filepath.Join(greyproxyDataHome(), "ca-cert.pem")
+
+	if _, err := os.Stat(certFile); os.IsNotExist(err) {
+		fmt.Fprintf(os.Stderr, "CA certificate not found: %s\nRun 'greyproxy cert generate' first.\n", certFile)
+		os.Exit(1)
+	}
+
+	if !force && isCertInstalled() {
+		fmt.Fprintf(os.Stderr, "CA certificate is already installed at %s\nUse -f to overwrite.\n", certInstallLocation())
+		os.Exit(1)
+	}
+
+	switch runtime.GOOS {
+	case "darwin":
+		// Remove any existing Greyproxy CA cert to avoid errSecDuplicateItem (-25294)
+		exec.Command("security", "delete-certificate", "-c", "Greyproxy CA").Run()
+
+		fmt.Println("Installing CA certificate into system trust store (requires sudo)...")
+		cmd := exec.Command("sudo", "security", "add-trusted-cert",
+			"-d", "-r", "trustRoot",
+			"-k", "/Library/Keychains/System.keychain",
+			certFile,
+		)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
+		if err := cmd.Run(); err != nil {
+			fmt.Fprintf(os.Stderr, "\nAutomatic install failed. Please run manually:\n\n")
+			fmt.Fprintf(os.Stderr, "  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain \"%s\"\n\n", certFile)
+			os.Exit(1)
+		}
+		fmt.Printf("CA certificate installed and trusted in %s\n", certInstallLocation())
+
+	case "linux":
+		destPath, updateCmd := linuxCertInstallInfo()
+		fmt.Println("Installing CA certificate into system trust store (requires sudo)...")
+		cpCmd := exec.Command("sudo", "cp", certFile, destPath)
+		cpCmd.Stdout = os.Stdout
+		cpCmd.Stderr = os.Stderr
+		cpCmd.Stdin = os.Stdin
+		if err := cpCmd.Run(); err != nil {
+			fmt.Fprintf(os.Stderr, "\nAutomatic install failed. Please run manually:\n\n")
+			fmt.Fprintf(os.Stderr, "  sudo cp %s %s\n", certFile, destPath)
+			fmt.Fprintf(os.Stderr, "  sudo %s\n\n", updateCmd)
+			os.Exit(1)
+		}
+		updCmd := exec.Command("sudo", updateCmd)
+		updCmd.Stdout = os.Stdout
+		updCmd.Stderr = os.Stderr
+		updCmd.Stdin = os.Stdin
+		if err := updCmd.Run(); err != nil {
+			fmt.Fprintf(os.Stderr, "\nCertificate copied but trust update failed. Please run manually:\n\n")
+			fmt.Fprintf(os.Stderr, "  sudo %s\n\n", updateCmd)
+			os.Exit(1)
+		}
+		fmt.Printf("CA certificate installed and trusted at %s\n", destPath)
+
+	default:
+		fmt.Printf("CA certificate is at: %s\n", certFile)
+		fmt.Printf("Please install it manually in your OS trust store.\n")
+	}
+}
+
+func handleCertUninstall() {
+	switch runtime.GOOS {
+	case "darwin":
+		if !isCertInstalled() {
+			fmt.Println("CA certificate is not installed in the system trust store.")
+			return
+		}
+		fmt.Println("Removing CA certificate from system trust store...")
+		cmd := exec.Command("security", "delete-certificate", "-c", "Greyproxy CA")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		if err := cmd.Run(); err != nil {
+			fmt.Fprintf(os.Stderr, "\nAutomatic removal failed. Please run manually:\n\n")
+			fmt.Fprintf(os.Stderr, "  security delete-certificate -c \"Greyproxy CA\"\n\n")
+			os.Exit(1)
+		}
+		fmt.Println("CA certificate removed from system trust store.")
+
+	case "linux":
+		destPath, updateCmd := linuxCertInstallInfo()
+		if _, err := os.Stat(destPath); os.IsNotExist(err) {
+			fmt.Println("CA certificate is not installed in the system trust store.")
+			return
+		}
+		fmt.Println("Removing CA certificate from system trust store (requires sudo)...")
+		rmCmd := exec.Command("sudo", "rm", destPath)
+		rmCmd.Stdout = os.Stdout
+		rmCmd.Stderr = os.Stderr
+		rmCmd.Stdin = os.Stdin
+		if err := rmCmd.Run(); err != nil {
+			fmt.Fprintf(os.Stderr, "\nAutomatic removal failed. Please run manually:\n\n")
+			fmt.Fprintf(os.Stderr, "  sudo rm %s\n", destPath)
+			fmt.Fprintf(os.Stderr, "  sudo %s\n\n", updateCmd)
+			os.Exit(1)
+		}
+		updCmd := exec.Command("sudo", updateCmd)
+		updCmd.Stdout = os.Stdout
+		updCmd.Stderr = os.Stderr
+		updCmd.Stdin = os.Stdin
+		if err := updCmd.Run(); err != nil {
+			fmt.Fprintf(os.Stderr, "\nCertificate removed but trust update failed. Please run manually:\n\n")
+			fmt.Fprintf(os.Stderr, "  sudo %s\n\n", updateCmd)
+			os.Exit(1)
+		}
+		fmt.Printf("CA certificate removed from %s\n", destPath)
+
+	default:
+		fmt.Println("Please remove the Greyproxy CA certificate manually from your OS trust store.")
+	}
+}

cmd/greyproxy/install.go

@@ -249,10 +249,15 @@ func handleUninstall(args []string) {
 	binDst := installBinPath()
 	label := serviceLabel()
 
+	certInstalled := isCertInstalled()
+
 	fmt.Printf("Ready to uninstall greyproxy. This will:\n")
 	fmt.Printf("  1. Stop the greyproxy service\n")
 	fmt.Printf("  2. Remove the %s\n", label)
 	fmt.Printf("  3. Remove %s\n", binDst)
+	if certInstalled {
+		fmt.Printf("  4. Remove CA certificate from system trust store\n")
+	}
 
 	if !force {
 		fmt.Printf("\nProceed? [Y/n] ")
@@ -284,6 +289,11 @@ func handleUninstall(args []string) {
 		os.Exit(1)
 	}
 	fmt.Printf("Removed %s\n", binDst)
+
+	// 4. Remove CA certificate from trust store
+	if certInstalled {
+		handleCertUninstall()
+	}
 }
 
 func copyBinary(src, dst string) error {

cmd/greyproxy/main.go

@@ -142,6 +142,9 @@ func main() {
 	case "uninstall":
 		handleUninstall(os.Args[2:])
 
+	case "cert":
+		handleCert(os.Args[2:])
+
 	case "-V", "--version":
 		fmt.Fprintf(os.Stdout, "greyproxy %s (%s %s/%s)\n  built:  %s\n  commit: %s\n",
 			version, runtime.Version(), runtime.GOOS, runtime.GOARCH, buildTime, gitCommit)
@@ -159,6 +162,7 @@ Usage: greyproxy <command>
 
 Commands:
   serve       Run the proxy server in foreground
+  cert        Manage MITM CA certificate (generate/install/uninstall)
   install     Install binary and register as a background service [-f]
   uninstall   Stop service, remove registration and binary [-f]
   service     Manage the OS service (start/stop/restart/status/...)