feat: log proxy-blocked connections to system log via logger

javabrett · claude · javabrett · commit a6e16efdf8fa · 2026-04-14T08:13:35.000+10:00
When a network connection is blocked because its domain is not in
allowedDomains, srt previously offered no visible signal under normal
operation. Users hitting a blocked domain saw only a 403 or a failed
tool call, with no indication of which domain was responsible. SRT_DEBUG=1
was required to see anything, which is not practical in normal use.

This change adds logProxyDeny(), called from all three proxy handlers
(HTTP CONNECT, HTTP request, SOCKS), which writes blocked-connection
events to the system log via logger(1) rather than stderr:

- Avoids stderr because the srt host process shares a terminal with
  the sandboxed child. stderr output interrupts TUI rendering in
  applications such as Claude Code CLI.

- On macOS the message is suffixed with _SBX - the same tag srt uses
  in its seatbelt deny rules - making proxy-blocks visible in the same
  log stream as filesystem and mach-lookup denials:

    log stream --predicate 'eventMessage ENDSWITH "_SBX"' --style compact

  Example:
    srt proxy-blocked: HTTPS-CONNECT api.example.com:443_SBX

- On Linux the message is written to syslog without the _SBX suffix
  (which is macOS seatbelt-specific). Monitor with journalctl -f or
  tail -f /var/log/syslog.

  Example:
    srt proxy-blocked: HTTPS-CONNECT api.example.com:443

The existing logForDebugging() call is retained alongside so SRT_DEBUG=1
users continue to see proxy-block events in the debug stream.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/sandbox/http-proxy.ts b/src/sandbox/http-proxy.ts
@@ -5,7 +5,7 @@ import { request as httpRequest } from 'node:http'
 import { request as httpsRequest } from 'node:https'
 import { connect } from 'node:net'
 import { URL } from 'node:url'
-import { logForDebugging } from '../utils/debug.js'
+import { logForDebugging, logProxyDeny } from '../utils/debug.js'
 import type { ResolvedParentProxy } from './parent-proxy.js'
 import {
   connectViaParentProxy,
@@ -69,6 +69,7 @@ export function createHttpProxyServer(options: HttpProxyServerOptions): Server {
 
       const allowed = await options.filter(port, hostname, socket)
       if (!allowed) {
+        logProxyDeny('HTTPS-CONNECT', hostname, port)
         logForDebugging(`Connection blocked to ${hostname}:${port}`, {
           level: 'error',
         })
@@ -156,6 +157,7 @@ export function createHttpProxyServer(options: HttpProxyServerOptions): Server {
 
       const allowed = await options.filter(port, hostname, req.socket)
       if (!allowed) {
+        logProxyDeny('HTTP', hostname, port)
         logForDebugging(`HTTP request blocked to ${hostname}:${port}`, {
           level: 'error',
         })
diff --git a/src/sandbox/socks-proxy.ts b/src/sandbox/socks-proxy.ts
@@ -1,7 +1,7 @@
 import type { Server as NetServer, Socket } from 'net'
 import type { Socks5Server } from '@pondwader/socks5-server'
 import { createServer } from '@pondwader/socks5-server'
-import { logForDebugging } from '../utils/debug.js'
+import { logForDebugging, logProxyDeny } from '../utils/debug.js'
 import type { ResolvedParentProxy } from './parent-proxy.js'
 import {
   connectViaParentProxy,
@@ -57,6 +57,7 @@ export function createSocksProxyServer(
       const allowed = await options.filter(port, hostname)
 
       if (!allowed) {
+        logProxyDeny('SOCKS', hostname, port)
         logForDebugging(`Connection blocked to ${hostname}:${port}`, {
           level: 'error',
         })
diff --git a/src/utils/debug.ts b/src/utils/debug.ts
@@ -1,3 +1,55 @@
+import { spawn } from 'node:child_process'
+
+/**
+ * Log a proxy deny via the system logger so it is visible in system logs
+ * without writing to stderr.
+ *
+ * Writing to stderr is avoided because the srt host process shares a terminal
+ * with the sandboxed child, and stderr output interrupts TUI rendering in
+ * applications such as Claude Code CLI.
+ *
+ * On macOS the message is written via `logger`, which emits to the unified
+ * log. The message is suffixed with `_SBX` - the same tag srt uses in its
+ * seatbelt deny rules - so it can be captured alongside other srt violations:
+ *
+ *   log stream --predicate 'eventMessage ENDSWITH "_SBX"' --style compact
+ *
+ * Example output:
+ *   srt proxy-blocked: HTTPS-CONNECT api.example.com:443_SBX
+ *
+ * On Linux the message is written via `logger` to syslog, without the _SBX
+ * suffix (which is macOS seatbelt-specific). Monitor with:
+ *
+ *   journalctl -f    (systemd systems)
+ *   tail -f /var/log/syslog    (syslog-ng / rsyslog systems)
+ *
+ * Example output:
+ *   srt proxy-blocked: HTTPS-CONNECT api.example.com:443
+ */
+export function logProxyDeny(
+  protocol: 'HTTPS-CONNECT' | 'HTTP' | 'SOCKS',
+  hostname: string,
+  port: number,
+): void {
+  if (process.platform === 'darwin') {
+    // Suffix _SBX matches the seatbelt deny tag used throughout the srt
+    // profile, making proxy-blocks visible in the same log stream as
+    // filesystem and mach-lookup denials:
+    //   log stream --predicate 'eventMessage ENDSWITH "_SBX"'
+    const message = `srt proxy-blocked: ${protocol} ${hostname}:${port}_SBX`
+    spawn('logger', [message], { detached: true, stdio: 'ignore' }).unref()
+  } else if (process.platform === 'linux') {
+    // No _SBX suffix on Linux - that convention is macOS seatbelt-specific.
+    const message = `srt proxy-blocked: ${protocol} ${hostname}:${port}`
+    spawn('logger', [message], { detached: true, stdio: 'ignore' }).unref()
+  }
+  // Also surface in SRT_DEBUG stream for users with verbose logging enabled
+  logForDebugging(
+    `proxy-blocked: ${protocol} ${hostname}:${port} - not in allowedDomains`,
+    { level: 'error' },
+  )
+}
+
 /**
  * Simple debug logging for standalone sandbox
  */
diff --git a/test/utils/debug.test.ts b/test/utils/debug.test.ts
@@ -0,0 +1,110 @@
+import { describe, test, expect, spyOn } from 'bun:test'
+import { logProxyDeny, logForDebugging } from '../../src/utils/debug.js'
+
+describe('logProxyDeny', () => {
+  // The key contract: proxy-deny messages must NOT go to stderr.
+  // Writing to stderr from the srt host process corrupts TUI rendering
+  // in the sandboxed child (e.g. Claude Code CLI).
+  // Instead, on macOS the message is sent to the unified log via logger.
+  test('does not write to stderr for HTTPS-CONNECT', () => {
+    const saved = process.env.SRT_DEBUG
+    delete process.env.SRT_DEBUG
+
+    const writes: string[] = []
+    const spy = spyOn(process.stderr, 'write').mockImplementation(
+      (chunk: string | Uint8Array) => {
+        writes.push(typeof chunk === 'string' ? chunk : chunk.toString())
+        return true
+      },
+    )
+
+    logProxyDeny('HTTPS-CONNECT', 'api.example.com', 443)
+
+    expect(writes).toHaveLength(0)
+    spy.mockRestore()
+    if (saved !== undefined) process.env.SRT_DEBUG = saved
+  })
+
+  test('does not write to stderr for HTTP', () => {
+    const writes: string[] = []
+    const spy = spyOn(process.stderr, 'write').mockImplementation(
+      (chunk: string | Uint8Array) => {
+        writes.push(typeof chunk === 'string' ? chunk : chunk.toString())
+        return true
+      },
+    )
+
+    logProxyDeny('HTTP', 'example.com', 80)
+
+    expect(writes).toHaveLength(0)
+    spy.mockRestore()
+  })
+
+  test('does not write to stderr for SOCKS', () => {
+    const writes: string[] = []
+    const spy = spyOn(process.stderr, 'write').mockImplementation(
+      (chunk: string | Uint8Array) => {
+        writes.push(typeof chunk === 'string' ? chunk : chunk.toString())
+        return true
+      },
+    )
+
+    logProxyDeny('SOCKS', 'internal.corp', 1080)
+
+    expect(writes).toHaveLength(0)
+    spy.mockRestore()
+  })
+
+  test('does not write to stderr even when SRT_DEBUG is set', () => {
+    const saved = process.env.SRT_DEBUG
+    process.env.SRT_DEBUG = '1'
+
+    const writes: string[] = []
+    const spy = spyOn(process.stderr, 'write').mockImplementation(
+      (chunk: string | Uint8Array) => {
+        writes.push(typeof chunk === 'string' ? chunk : chunk.toString())
+        return true
+      },
+    )
+
+    logProxyDeny('HTTPS-CONNECT', 'blocked.example.com', 443)
+
+    expect(writes).toHaveLength(0)
+    spy.mockRestore()
+
+    process.env.SRT_DEBUG = saved ?? ''
+    if (saved === undefined) delete process.env.SRT_DEBUG
+  })
+})
+
+describe('logForDebugging', () => {
+  test('is silent when SRT_DEBUG is not set', () => {
+    const saved = process.env.SRT_DEBUG
+    delete process.env.SRT_DEBUG
+
+    const spy = spyOn(console, 'error').mockImplementation(() => {})
+    logForDebugging('should not appear', { level: 'error' })
+    expect(spy).not.toHaveBeenCalled()
+    spy.mockRestore()
+
+    if (saved !== undefined) process.env.SRT_DEBUG = saved
+  })
+
+  test('logs when SRT_DEBUG is set', () => {
+    const saved = process.env.SRT_DEBUG
+    process.env.SRT_DEBUG = '1'
+
+    const messages: string[] = []
+    const spy = spyOn(console, 'error').mockImplementation(
+      (...args: unknown[]) => {
+        messages.push(String(args[0]))
+      },
+    )
+    logForDebugging('test message', { level: 'error' })
+    expect(messages.some(m => m.includes('test message'))).toBe(true)
+    spy.mockRestore()
+
+    process.env.SRT_DEBUG = saved ?? ''
+    if (saved === undefined) delete process.env.SRT_DEBUG
+  })
+})
