Add CLAUDE.md with project conventions and quick reference

2026-02-10 16:06:22 -06:00
parent da3a2ac3a4
commit dc5487c965
1 changed files with 79 additions and 0 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,79 @@
+# Greywall
+
+Sandboxing layer for GreyHaven that wraps commands in restrictive sandbox environments. Blocks network access by default (allowlist-based), restricts filesystem operations, and controls command execution. Supports macOS (sandbox-exec/Seatbelt) and Linux (bubblewrap + seccomp/Landlock/eBPF).
+
+## Build & Run
+
+```bash
+make setup          # install deps + lint tools (first time)
+make build          # compile binary (downloads tun2socks)
+make run            # build and run
+./greywall --help   # CLI usage
+```
+
+## Test
+
+```bash
+make test           # all unit + integration tests
+make test-ci        # with coverage and race detection (-race -coverprofile)
+GREYWALL_TEST_NETWORK=1 ./scripts/smoke_test.sh ./greywall  # smoke tests
+```
+
+## Lint & Format
+
+```bash
+make fmt            # format with gofumpt
+make lint           # golangci-lint (staticcheck, errcheck, gosec, govet, revive, gofumpt, misspell, etc.)
+```
+
+Always run `make fmt && make lint` before committing.
+
+## Project Structure
+
+```
+cmd/greywall/          CLI entry point
+internal/
+  config/              Configuration loading & validation
+  platform/            OS detection
+  sandbox/             Platform-specific sandboxing (~7k lines)
+    manager.go         Sandbox lifecycle orchestration
+    command.go         Command blocking/allow lists
+    linux.go           bubblewrap + bridges (ProxyBridge, DnsBridge)
+    macos.go           sandbox-exec Seatbelt profiles
+    linux_seccomp.go   Seccomp BPF syscall filtering
+    linux_landlock.go  Landlock filesystem control
+    linux_ebpf.go      eBPF violation monitoring
+    sanitize.go        Environment variable hardening
+    dangerous.go       Protected files/dirs lists
+pkg/greywall/          Public Go API
+docs/                  Full documentation
+scripts/               Smoke tests, benchmarks, release
+```
+
+## Code Conventions
+
+- **Language:** Go 1.25+
+- **Formatter:** `gofumpt` (enforced in CI)
+- **Linter:** `golangci-lint` v1.64.8 (config in `.golangci.yml`)
+- **Import order:** stdlib, third-party, local (`gitea.app.monadical.io/monadical/greywall`)
+- **Platform code:** build tags (`//go:build linux`, `//go:build darwin`) with `*_stub.go` for unsupported platforms
+- **Error handling:** custom error types (e.g., `CommandBlockedError`)
+- **Logging:** stderr with `[greywall:component]` prefixes
+- **Config:** JSON with comments (via `tidwall/jsonc`), optional pointer fields for three-state booleans
+
+## Dependencies
+
+4 direct deps: `doublestar` (glob matching), `cobra` (CLI), `jsonc` (config parsing), `golang.org/x/sys`.
+
+Runtime (Linux): `bubblewrap`, `socat`, embedded `tun2socks` v2.5.2.
+
+## CI
+
+GitHub Actions workflows: `main.yml` (build/lint/test on Linux+macOS), `release.yml` (GoReleaser + SLSA provenance), `benchmark.yml`.
+
+## Release
+
+```bash
+make release          # patch (v0.0.X)
+make release-minor    # minor (v0.X.0)
+```