GreyhavenHQ
diff --git a/‎README.md‎
Lines changed: 29 additions & 0 deletions b/‎README.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎cmd/greyproxy/cert.go‎
Lines changed: 34 additions & 5 deletions b/‎cmd/greyproxy/cert.go‎
Lines changed: 34 additions & 5 deletions
diff --git a/‎cmd/greyproxy/install.go‎
Lines changed: 8 additions & 1 deletion b/‎cmd/greyproxy/install.go‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎cmd/greyproxy/program.go‎
Lines changed: 120 additions & 26 deletions b/‎cmd/greyproxy/program.go‎
Lines changed: 120 additions & 26 deletions
@@ -45,6 +45,35 @@ cd greyproxy
 go build ./cmd/greyproxy
 ```
 
+**macOS only:** after building, codesign the binary to avoid Gatekeeper quarantine:
+
+```bash
+codesign --sign - --force ./greyproxy
+```
+
+Install the binary and register it as a service:
+
+```bash
+./greyproxy install
+```
+
+This copies the binary to `~/.local/bin/`, registers a launchd user agent (macOS) or systemd user service (Linux), and starts it automatically. The dashboard will be available at `http://localhost:43080`.
+
+Generate and install the CA certificate for HTTPS inspection:
+
+```bash
+greyproxy cert generate
+greyproxy cert install
+```
+
+`greyproxy install` generates the certificate automatically on first install if one does not exist. If you regenerate the certificate later, greyproxy detects the change and reloads automatically — no restart needed. You can also trigger a reload manually:
+
+```bash
+greyproxy cert reload
+```
+
+Alternatively, use [`greywall setup`](https://github.com/GreyhavenHQ/greywall) to handle the full build and install automatically.
+
 ### Install
 
 Install the binary to `~/.local/bin/` and register it as a systemd user service:
 
@@ -1,14 +1,18 @@
 package main
 
 import (
+	"bytes"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"io"
 	"math/big"
+	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -24,6 +28,7 @@ Commands:
   generate    Generate CA certificate and key pair
   install     Trust the CA certificate on the OS
   uninstall   Remove the CA certificate from the OS trust store
+  reload      Reload the CA certificate in the running greyproxy (no restart needed)
 
 Options:
   -f          Force overwrite existing files (generate, install)
@@ -40,6 +45,8 @@ Options:
 		handleCertInstall(force)
 	case "uninstall":
 		handleCertUninstall()
+	case "reload":
+		handleCertReload()
 	default:
 		fmt.Fprintf(os.Stderr, "unknown cert command: %s\n", args[0])
 		os.Exit(1)
@@ -62,14 +69,12 @@ func handleCertGenerate(force bool) {
 		}
 	}
 
-	// Generate ECDSA P-256 key
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to generate private key: %v\n", err)
 		os.Exit(1)
 	}
 
-	// Create self-signed CA certificate
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to generate serial number: %v\n", err)
@@ -96,13 +101,11 @@ func handleCertGenerate(force bool) {
 		os.Exit(1)
 	}
 
-	// Ensure data directory exists
 	if err := os.MkdirAll(dataDir, 0700); err != nil {
 		fmt.Fprintf(os.Stderr, "failed to create data directory: %v\n", err)
 		os.Exit(1)
 	}
 
-	// Write certificate
 	certOut, err := os.OpenFile(certFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to write certificate: %v\n", err)
@@ -115,7 +118,6 @@ func handleCertGenerate(force bool) {
 	}
 	certOut.Close()
 
-	// Write private key
 	keyBytes, err := x509.MarshalECPrivateKey(privateKey)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to marshal private key: %v\n", err)
@@ -290,3 +292,30 @@ func handleCertUninstall() {
 		fmt.Println("Please remove the Greyproxy CA certificate manually from your OS trust store.")
 	}
 }
+
+// handleCertReload sends a reload request to the running greyproxy instance.
+func handleCertReload() {
+	apiURL := "http://localhost:43080/api/cert/reload"
+	resp, err := http.Post(apiURL, "application/json", bytes.NewReader(nil)) //nolint:gosec,noctx // localhost only, no user input
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed to reach greyproxy at %s: %v\n", apiURL, err)
+		fmt.Fprintf(os.Stderr, "Is greyproxy running? Check with: greyproxy service status\n")
+		os.Exit(1)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode != http.StatusOK {
+		fmt.Fprintf(os.Stderr, "reload failed (HTTP %d): %s\n", resp.StatusCode, string(body))
+		os.Exit(1)
+	}
+
+	var result struct {
+		Message string `json:"message"`
+	}
+	if err := json.Unmarshal(body, &result); err == nil && result.Message != "" {
+		fmt.Println(result.Message)
+	} else {
+		fmt.Println("MITM cert reloaded successfully.")
+	}
+}
@@ -109,7 +109,8 @@ func handleInstall(args []string) {
 	fmt.Printf("Ready to install greyproxy. This will:\n")
 	fmt.Printf("  1. Copy %s -> %s\n", binSrc, binDst)
 	fmt.Printf("  2. Register greyproxy as a %s\n", label)
-	fmt.Printf("  3. Start the service\n")
+	fmt.Printf("  3. Generate CA certificate (if not already present)\n")
+	fmt.Printf("  4. Start the service\n")
 
 	if !force {
 		fmt.Printf("\nProceed? [Y/n] ")
@@ -226,6 +227,12 @@ func freshInstall(binSrc, binDst string) {
 	}
 	fmt.Printf("Registered %s\n", label)
 
+	// Generate CA certificate if not already present
+	certFile := filepath.Join(greyproxyDataHome(), "ca-cert.pem")
+	if _, err := os.Stat(certFile); os.IsNotExist(err) {
+		handleCertGenerate(false)
+	}
+
 	// Start service
 	if err := service.Control(s, "start"); err != nil {
 		fmt.Fprintf(os.Stderr, "error: starting service: %v\n", err)
 
@@ -15,10 +15,12 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"time"
+	"sync"
 	"syscall"
+	"time"
 
 	"github.com/andybalholm/brotli"
+	"github.com/fsnotify/fsnotify"
 	"github.com/klauspost/compress/zstd"
 	defaults "github.com/greyhavenhq/greyproxy"
 	"github.com/greyhavenhq/greyproxy/internal/gostcore/logger"
@@ -47,6 +49,9 @@ type program struct {
 	cancel           context.CancelFunc
 	assemblerCancel  context.CancelFunc
 	credStoreCancel  context.CancelFunc
+
+	certMtimeMu sync.Mutex
+	certMtime   time.Time // mtime of ca-cert.pem at last successful reload
 }
 
 func (p *program) initParser() {
@@ -75,27 +80,7 @@ func (p *program) Start(s service.Service) error {
 	}
 
 	// Auto-inject MITM cert paths if CA files exist
-	certFile := filepath.Join(greyproxyDataHome(), "ca-cert.pem")
-	keyFile := filepath.Join(greyproxyDataHome(), "ca-key.pem")
-	if _, err := os.Stat(certFile); err == nil {
-		if _, err := os.Stat(keyFile); err == nil {
-			for _, svc := range cfg.Services {
-				if svc.Handler == nil {
-					continue
-				}
-				if svc.Handler.Type != "http" && svc.Handler.Type != "socks5" {
-					continue
-				}
-				if svc.Handler.Metadata == nil {
-					svc.Handler.Metadata = make(map[string]any)
-				}
-				if _, ok := svc.Handler.Metadata["mitm.certFile"]; !ok {
-					svc.Handler.Metadata["mitm.certFile"] = certFile
-					svc.Handler.Metadata["mitm.keyFile"] = keyFile
-				}
-			}
-		}
-	}
+	injectCertPaths(cfg, greyproxyDataHome())
 
 	config.Set(cfg)
 
@@ -114,10 +99,104 @@ func (p *program) Start(s service.Service) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	p.cancel = cancel
 	go p.reload(ctx)
+	go p.watchCertFiles(ctx, greyproxyDataHome())
 
 	return nil
 }
 
+// injectCertPaths injects the CA cert/key paths into HTTP and SOCKS5 handler configs if the files exist.
+func injectCertPaths(cfg *config.Config, dataDir string) {
+	certFile := filepath.Join(dataDir, "ca-cert.pem")
+	keyFile := filepath.Join(dataDir, "ca-key.pem")
+	if _, err := os.Stat(certFile); err != nil {
+		return
+	}
+	if _, err := os.Stat(keyFile); err != nil {
+		return
+	}
+	for _, svc := range cfg.Services {
+		if svc.Handler == nil {
+			continue
+		}
+		if svc.Handler.Type != "http" && svc.Handler.Type != "socks5" {
+			continue
+		}
+		if svc.Handler.Metadata == nil {
+			svc.Handler.Metadata = make(map[string]any)
+		}
+		if _, ok := svc.Handler.Metadata["mitm.certFile"]; !ok {
+			svc.Handler.Metadata["mitm.certFile"] = certFile
+			svc.Handler.Metadata["mitm.keyFile"] = keyFile
+		}
+	}
+}
+
+// watchCertFiles watches ca-cert.pem and ca-key.pem using inotify (fsnotify) and
+// triggers a config reload when either file is written or created.
+func (p *program) watchCertFiles(ctx context.Context, dataDir string) {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		logger.Default().Errorf("cert watcher: failed to create watcher: %v", err)
+		return
+	}
+	defer watcher.Close()
+
+	if err := watcher.Add(dataDir); err != nil {
+		logger.Default().Errorf("cert watcher: failed to watch %s: %v", dataDir, err)
+		return
+	}
+
+	certFile := filepath.Join(dataDir, "ca-cert.pem")
+	keyFile := filepath.Join(dataDir, "ca-key.pem")
+
+	var debounce *time.Timer
+	sawCert, sawKey := false, false
+	for {
+		select {
+		case <-ctx.Done():
+			if debounce != nil {
+				debounce.Stop()
+			}
+			return
+		case event, ok := <-watcher.Events:
+			if !ok {
+				return
+			}
+			if !event.Has(fsnotify.Write) && !event.Has(fsnotify.Create) {
+				continue
+			}
+			if event.Name == certFile {
+				sawCert = true
+			} else if event.Name == keyFile {
+				sawKey = true
+			} else {
+				continue
+			}
+
+			if !sawCert || !sawKey {
+				continue
+			}
+			sawCert, sawKey = false, false
+			if debounce != nil {
+				debounce.Stop()
+			}
+			debounce = time.AfterFunc(100*time.Millisecond, func() {
+				logger.Default().Info("cert files changed, reloading MITM cert...")
+				if err := p.reloadConfig(); err != nil {
+					logger.Default().Errorf("cert reload failed: %v", err)
+				} else {
+					logger.Default().Info("MITM cert reloaded")
+				}
+			})
+		case err, ok := <-watcher.Errors:
+			if !ok {
+				return
+			}
+			logger.Default().Errorf("cert watcher error: %v", err)
+		}
+	}
+}
+
 func (p *program) run(cfg *config.Config) error {
 	for _, svc := range registry.ServiceRegistry().GetAll() {
 		svc := svc
@@ -244,6 +323,7 @@ func (p *program) reloadConfig() error {
 	if err != nil {
 		return err
 	}
+	injectCertPaths(cfg, greyproxyDataHome())
 	config.Set(cfg)
 
 	if err := loader.Load(cfg); err != nil {
@@ -254,6 +334,14 @@ func (p *program) reloadConfig() error {
 		return err
 	}
 
+	// Record mtime of ca-cert.pem so CertReloadHandler can detect no-op calls.
+	certFile := filepath.Join(greyproxyDataHome(), "ca-cert.pem")
+	if info, err := os.Stat(certFile); err == nil {
+		p.certMtimeMu.Lock()
+		p.certMtime = info.ModTime()
+		p.certMtimeMu.Unlock()
+	}
+
 	return nil
 }
 
@@ -365,20 +453,26 @@ func (p *program) buildGreyproxyService() error {
 		}
 	}
 
+	shared.ReloadCertFn = p.reloadConfig
+	shared.CertMtimeFn = func() time.Time {
+		p.certMtimeMu.Lock()
+		defer p.certMtimeMu.Unlock()
+		return p.certMtime
+	}
 	shared.Version = version
 
 	// Collect listening ports for the health endpoint
 	ports := make(map[string]int)
 	if _, portStr, err := net.SplitHostPort(gaCfg.Addr); err == nil {
-		if p, err := strconv.Atoi(portStr); err == nil {
-			ports["api"] = p
+		if portNum, err := strconv.Atoi(portStr); err == nil {
+			ports["api"] = portNum
 		}
 	}
 	for name, svc := range registry.ServiceRegistry().GetAll() {
 		if addr := svc.Addr(); addr != nil {
 			if _, portStr, err := net.SplitHostPort(addr.String()); err == nil {
-				if p, err := strconv.Atoi(portStr); err == nil {
-					ports[name] = p
+				if portNum, err := strconv.Atoi(portStr); err == nil {
+					ports[name] = portNum
 				}
 			}
 		}