chore(ci): update golangci-lint and fix script paths

- bump golangci-lint-action to v7 and version to v2.1.6
- correct directory paths in `smoke_test.sh`
- update `test` and `test-ci` targets in Makefile

.gitea/workflows/main.yml

@@ -42,11 +42,14 @@ jobs:
       - name: Download dependencies
         run: go mod download
 
+      - name: Download tun2socks binaries
+        run: make download-tun2socks
+
+      - name: Install golangci-lint
+        run: GOTOOLCHAIN=local go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6
+
       - name: Lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          install-mode: goinstall
-          version: v1.64.8
+        run: golangci-lint run --allow-parallel-runners
 
   test-linux:
     name: Test (Linux)
@@ -112,4 +115,4 @@ jobs:
         run: make build-ci
 
       - name: Run smoke tests
-        run: GREYWALL_TEST_NETWORK=1 ./scripts/smoke_test.sh ./greywall
+        run: ./scripts/smoke_test.sh ./greywall

Makefile

@@ -38,11 +38,11 @@ build-ci: download-tun2socks
 	$(eval GIT_COMMIT := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown"))
 	$(GOBUILD) -ldflags "-s -w -X main.version=$(VERSION) -X main.buildTime=$(BUILD_TIME) -X main.gitCommit=$(GIT_COMMIT)" -o $(BINARY_NAME) -v ./cmd/greywall
 
-test:
+test: download-tun2socks
 	@echo "Running tests..."
 	$(GOTEST) -v ./...
 
-test-ci:
+test-ci: download-tun2socks
 	@echo "CI: Running tests with coverage..."
 	$(GOTEST) -v -race -coverprofile=coverage.out ./...
 

README.md

@@ -127,7 +127,7 @@ Greywall reads from `~/.config/greywall/greywall.json` by default (or `~/Library
 
 Use `greywall --settings ./custom.json` to specify a different config file.
 
-By default (when connected to GreyHaven), traffic routes through the GreyHaven SOCKS5 proxy at `localhost:42052` with DNS via `localhost:42053`.
+By default, traffic routes through the GreyProxy SOCKS5 proxy at `localhost:43052` with DNS via `localhost:43053`.
 
 ## Features
 

cmd/greywall/main.go

@@ -15,6 +15,7 @@ import (
 
 	"gitea.app.monadical.io/monadical/greywall/internal/config"
 	"gitea.app.monadical.io/monadical/greywall/internal/platform"
+	"gitea.app.monadical.io/monadical/greywall/internal/proxy"
 	"gitea.app.monadical.io/monadical/greywall/internal/sandbox"
 	"github.com/spf13/cobra"
 )
@@ -55,8 +56,8 @@ func main() {
 		Long: `greywall is a command-line tool that runs commands in a sandboxed environment
 with network and filesystem restrictions.
 
-By default, traffic is routed through the GreyHaven SOCKS5 proxy at localhost:42051
-with DNS via localhost:42053. Use --proxy and --dns to override, or configure in
+By default, traffic is routed through the GreyProxy SOCKS5 proxy at localhost:43052
+with DNS via localhost:43053. Use --proxy and --dns to override, or configure in
 your settings file at ~/.config/greywall/greywall.json (or ~/Library/Application Support/greywall/greywall.json on macOS).
 
 On Linux, greywall uses tun2socks for truly transparent proxying: all TCP/UDP traffic
@@ -98,8 +99,8 @@ Configuration file format:
 	rootCmd.Flags().BoolVarP(&debug, "debug", "d", false, "Enable debug logging")
 	rootCmd.Flags().BoolVarP(&monitor, "monitor", "m", false, "Monitor and log sandbox violations")
 	rootCmd.Flags().StringVarP(&settingsPath, "settings", "s", "", "Path to settings file (default: OS config directory)")
-	rootCmd.Flags().StringVar(&proxyURL, "proxy", "", "External SOCKS5 proxy URL (default: socks5://localhost:42052)")
-	rootCmd.Flags().StringVar(&dnsAddr, "dns", "", "DNS server address on host (default: localhost:42053)")
+	rootCmd.Flags().StringVar(&proxyURL, "proxy", "", "External SOCKS5 proxy URL (default: socks5://localhost:43052)")
+	rootCmd.Flags().StringVar(&dnsAddr, "dns", "", "DNS server address on host (default: localhost:43053)")
 	rootCmd.Flags().StringVarP(&cmdString, "c", "c", "", "Run command string directly (like sh -c)")
 	rootCmd.Flags().StringArrayVarP(&exposePorts, "port", "p", nil, "Expose port for inbound connections (can be used multiple times)")
 	rootCmd.Flags().BoolVarP(&showVersion, "version", "v", false, "Show version information")
@@ -111,6 +112,8 @@ Configuration file format:
 
 	rootCmd.AddCommand(newCompletionCmd(rootCmd))
 	rootCmd.AddCommand(newTemplatesCmd())
+	rootCmd.AddCommand(newCheckCmd())
+	rootCmd.AddCommand(newSetupCmd())
 
 	if err := rootCmd.Execute(); err != nil {
 		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
@@ -121,11 +124,7 @@ Configuration file format:
 
 func runCommand(cmd *cobra.Command, args []string) error {
 	if showVersion {
-		fmt.Printf("greywall - lightweight, container-free sandbox for running untrusted commands\n")
-		fmt.Printf("  Version: %s\n", version)
-		fmt.Printf("  Built:   %s\n", buildTime)
-		fmt.Printf("  Commit:  %s\n", gitCommit)
-		sandbox.PrintDependencyStatus()
+		fmt.Printf("greywall %s\n", version)
 		return nil
 	}
 
@@ -231,18 +230,18 @@ func runCommand(cmd *cobra.Command, args []string) error {
 		cfg.Network.DnsAddr = dnsAddr
 	}
 
-	// GreyHaven defaults: when no proxy or DNS is configured (neither via CLI
-	// nor config file), use the standard GreyHaven infrastructure ports.
+	// GreyProxy defaults: when no proxy or DNS is configured (neither via CLI
+	// nor config file), use the standard GreyProxy ports.
 	if cfg.Network.ProxyURL == "" {
-		cfg.Network.ProxyURL = "socks5://localhost:42052"
+		cfg.Network.ProxyURL = "socks5://localhost:43052"
 		if debug {
-			fmt.Fprintf(os.Stderr, "[greywall] Defaulting proxy to socks5://localhost:42052\n")
+			fmt.Fprintf(os.Stderr, "[greywall] Defaulting proxy to socks5://localhost:43052\n")
 		}
 	}
 	if cfg.Network.DnsAddr == "" {
-		cfg.Network.DnsAddr = "localhost:42053"
+		cfg.Network.DnsAddr = "localhost:43053"
 		if debug {
-			fmt.Fprintf(os.Stderr, "[greywall] Defaulting DNS to localhost:42053\n")
+			fmt.Fprintf(os.Stderr, "[greywall] Defaulting DNS to localhost:43053\n")
 		}
 	}
 
@@ -412,6 +411,89 @@ func extractCommandName(args []string, cmdStr string) string {
 	return filepath.Base(name)
 }
 
+// newCheckCmd creates the check subcommand for diagnostics.
+func newCheckCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "check",
+		Short: "Check greywall status, dependencies, and greyproxy connectivity",
+		Long: `Run diagnostics to check greywall readiness.
+
+Shows version information, platform dependencies, security features,
+and greyproxy installation/running status.`,
+		Args: cobra.NoArgs,
+		RunE: runCheck,
+	}
+}
+
+func runCheck(_ *cobra.Command, _ []string) error {
+	fmt.Printf("greywall - lightweight, container-free sandbox for running untrusted commands\n")
+	fmt.Printf("  Version: %s\n", version)
+	fmt.Printf("  Built:   %s\n", buildTime)
+	fmt.Printf("  Commit:  %s\n", gitCommit)
+
+	sandbox.PrintDependencyStatus()
+
+	fmt.Printf("\n  Greyproxy:\n")
+	status := proxy.Detect()
+	if status.Installed {
+		if status.Version != "" {
+			fmt.Printf("    ✓ installed (v%s) at %s\n", status.Version, status.Path)
+		} else {
+			fmt.Printf("    ✓ installed at %s\n", status.Path)
+		}
+		if status.Running {
+			fmt.Printf("    ✓ running (SOCKS5 :43052, DNS :43053, Dashboard :43080)\n")
+		} else {
+			fmt.Printf("    ✗ not running\n")
+			fmt.Printf("      Start with: greywall setup\n")
+		}
+	} else {
+		fmt.Printf("    ✗ not installed\n")
+		fmt.Printf("      Install with: greywall setup\n")
+	}
+
+	return nil
+}
+
+// newSetupCmd creates the setup subcommand for installing greyproxy.
+func newSetupCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "setup",
+		Short: "Install and start greyproxy (network proxy for sandboxed commands)",
+		Long: `Downloads and installs greyproxy from GitHub releases.
+
+greyproxy provides SOCKS5 proxying and DNS resolution for sandboxed commands.
+The installer will:
+  1. Download the latest greyproxy release for your platform
+  2. Install the binary to ~/.local/bin/greyproxy
+  3. Register and start a systemd user service`,
+		Args: cobra.NoArgs,
+		RunE: runSetup,
+	}
+}
+
+func runSetup(_ *cobra.Command, _ []string) error {
+	status := proxy.Detect()
+
+	if status.Installed && status.Running {
+		fmt.Printf("greyproxy is already installed (v%s) and running.\n", status.Version)
+		fmt.Printf("Run 'greywall check' for full status.\n")
+		return nil
+	}
+
+	if status.Installed && !status.Running {
+		if err := proxy.Start(os.Stderr); err != nil {
+			return err
+		}
+		fmt.Printf("greyproxy started.\n")
+		return nil
+	}
+
+	return proxy.Install(proxy.InstallOptions{
+		Output: os.Stderr,
+	})
+}
+
 // newCompletionCmd creates the completion subcommand for shell completions.
 func newCompletionCmd(rootCmd *cobra.Command) *cobra.Command {
 	cmd := &cobra.Command{

install.sh

@@ -47,12 +47,17 @@ if [ -n "$REQUESTED_VERSION" ]; then
     *)  VERSION_TAG="v$REQUESTED_VERSION" ;;
   esac
 else
-  # Try manifest first (fast, no rate limits)
-  VERSION_TAG=$(curl -sL "https://gitea.app.monadical.io/monadical/greywall/latest.txt" 2>/dev/null || echo "")
-  
-  # Fallback to GitHub API if manifest fails
+  # Try manifest first (fast, no rate limits) — only accept valid semver tags
+  VERSION_TAG=$(curl -sL "https://gitea.app.monadical.io/monadical/greywall/raw/branch/gh-pages/latest.txt" 2>/dev/null | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "")
+
+  # Fallback to Gitea API if manifest fails
   if [ -z "$VERSION_TAG" ]; then
     VERSION_TAG=$(curl -s "https://gitea.app.monadical.io/api/v1/repos/$REPO/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
+    # Validate it looks like a version tag
+    case "$VERSION_TAG" in
+      v[0-9]*) ;;
+      *) VERSION_TAG="" ;;
+    esac
   fi
 fi
 
@@ -69,7 +74,7 @@ case "$OS" in
   *)      OS_TITLE="$OS" ;;
 esac
 
-DOWNLOAD_URL="https://github.com/$REPO/releases/download/${VERSION_TAG}/${BINARY_NAME}_${VERSION_NUMBER}_${OS_TITLE}_${ARCH}.tar.gz"
+DOWNLOAD_URL="https://gitea.app.monadical.io/$REPO/releases/download/${VERSION_TAG}/${BINARY_NAME}_${VERSION_NUMBER}_${OS_TITLE}_${ARCH}.tar.gz"
 
 TMP_DIR=$(mktemp -d)
 cd "$TMP_DIR"

internal/proxy/detect.go

@@ -0,0 +1,126 @@
+// Package proxy provides greyproxy detection, installation, and lifecycle management.
+package proxy
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os/exec"
+	"regexp"
+	"strings"
+	"time"
+)
+
+const (
+	healthURL     = "http://localhost:43080/api/health"
+	healthTimeout = 2 * time.Second
+	cmdTimeout    = 5 * time.Second
+)
+
+// GreyproxyStatus holds the detected state of greyproxy.
+type GreyproxyStatus struct {
+	Installed  bool   // found via exec.LookPath
+	Path       string // full path from LookPath
+	Version    string // parsed version (e.g. "0.1.1")
+	Running    bool   // health endpoint responded with valid greyproxy response
+	RunningErr error  // error from the running check (for diagnostics)
+}
+
+// healthResponse is the expected JSON from GET /api/health.
+type healthResponse struct {
+	Service string         `json:"service"`
+	Version string         `json:"version"`
+	Status  string         `json:"status"`
+	Ports   map[string]int `json:"ports"`
+}
+
+var versionRegex = regexp.MustCompile(`^greyproxy\s+(\S+)`)
+
+// Detect checks greyproxy installation status, version, and whether it's running.
+// This function never returns an error; all detection failures are captured
+// in the GreyproxyStatus fields so the caller can present them diagnostically.
+func Detect() *GreyproxyStatus {
+	s := &GreyproxyStatus{}
+
+	// 1. Check if installed
+	s.Path, s.Installed = checkInstalled()
+
+	// 2. Check if running (via health endpoint)
+	running, ver, err := checkRunning()
+	s.Running = running
+	s.RunningErr = err
+	if running && ver != "" {
+		s.Version = ver
+	}
+
+	// 3. Version fallback: if installed but version not yet known, parse from CLI
+	if s.Installed && s.Version == "" {
+		s.Version, _ = checkVersion(s.Path)
+	}
+
+	return s
+}
+
+// checkInstalled uses exec.LookPath to find greyproxy on PATH.
+func checkInstalled() (path string, found bool) {
+	p, err := exec.LookPath("greyproxy")
+	if err != nil {
+		return "", false
+	}
+	return p, true
+}
+
+// checkVersion runs "greyproxy -V" and parses the output.
+// Expected format: "greyproxy 0.1.1 (go1.x linux/amd64)"
+func checkVersion(binaryPath string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), cmdTimeout)
+	defer cancel()
+
+	out, err := exec.CommandContext(ctx, binaryPath, "-V").Output() //nolint:gosec // binaryPath comes from exec.LookPath
+	if err != nil {
+		return "", fmt.Errorf("failed to run greyproxy -V: %w", err)
+	}
+
+	matches := versionRegex.FindStringSubmatch(strings.TrimSpace(string(out)))
+	if len(matches) < 2 {
+		return "", fmt.Errorf("unexpected version output: %s", strings.TrimSpace(string(out)))
+	}
+	return matches[1], nil
+}
+
+// checkRunning hits GET http://localhost:43080/api/health and verifies
+// the response is from greyproxy (not some other service on that port).
+// Returns running status, version string from health response, and any error.
+func checkRunning() (bool, string, error) {
+	client := &http.Client{Timeout: healthTimeout}
+
+	ctx, cancel := context.WithTimeout(context.Background(), healthTimeout)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, healthURL, nil)
+	if err != nil {
+		return false, "", fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := client.Do(req) //nolint:gosec // healthURL is a hardcoded localhost constant
+	if err != nil {
+		return false, "", fmt.Errorf("health check failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		return false, "", fmt.Errorf("health check returned status %d", resp.StatusCode)
+	}
+
+	var health healthResponse
+	if err := json.NewDecoder(resp.Body).Decode(&health); err != nil {
+		return false, "", fmt.Errorf("failed to parse health response: %w", err)
+	}
+
+	if health.Service != "greyproxy" {
+		return false, "", fmt.Errorf("unexpected service: %q (expected greyproxy)", health.Service)
+	}
+
+	return true, health.Version, nil
+}

internal/proxy/install.go

@@ -0,0 +1,258 @@
+package proxy
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+)
+
+const (
+	githubOwner = "greyhavenhq"
+	githubRepo  = "greyproxy"
+	apiTimeout  = 15 * time.Second
+)
+
+// release represents a GitHub release.
+type release struct {
+	TagName string  `json:"tag_name"`
+	Assets  []asset `json:"assets"`
+}
+
+// asset represents a release asset.
+type asset struct {
+	Name               string `json:"name"`
+	BrowserDownloadURL string `json:"browser_download_url"`
+}
+
+// InstallOptions controls the greyproxy installation behavior.
+type InstallOptions struct {
+	Output io.Writer // progress output (typically os.Stderr)
+}
+
+// Install downloads the latest greyproxy release and runs "greyproxy install".
+func Install(opts InstallOptions) error {
+	if opts.Output == nil {
+		opts.Output = os.Stderr
+	}
+
+	// 1. Fetch latest release
+	_, _ = fmt.Fprintf(opts.Output, "Fetching latest greyproxy release...\n")
+	rel, err := fetchLatestRelease()
+	if err != nil {
+		return fmt.Errorf("failed to fetch latest release: %w", err)
+	}
+	ver := strings.TrimPrefix(rel.TagName, "v")
+	_, _ = fmt.Fprintf(opts.Output, "Latest version: %s\n", ver)
+
+	// 2. Find the correct asset for this platform
+	assetURL, assetName, err := resolveAssetURL(rel)
+	if err != nil {
+		return err
+	}
+	_, _ = fmt.Fprintf(opts.Output, "Downloading %s...\n", assetName)
+
+	// 3. Download to temp file
+	archivePath, err := downloadAsset(assetURL)
+	if err != nil {
+		return fmt.Errorf("download failed: %w", err)
+	}
+	defer func() { _ = os.Remove(archivePath) }()
+
+	// 4. Extract
+	_, _ = fmt.Fprintf(opts.Output, "Extracting...\n")
+	extractDir, err := extractTarGz(archivePath)
+	if err != nil {
+		return fmt.Errorf("extraction failed: %w", err)
+	}
+	defer func() { _ = os.RemoveAll(extractDir) }()
+
+	// 5. Find the greyproxy binary in extracted content
+	binaryPath := filepath.Join(extractDir, "greyproxy")
+	if _, err := os.Stat(binaryPath); err != nil {
+		return fmt.Errorf("greyproxy binary not found in archive")
+	}
+
+	// 6. Shell out to "greyproxy install"
+	_, _ = fmt.Fprintf(opts.Output, "\n")
+	if err := runGreyproxyInstall(binaryPath); err != nil {
+		return fmt.Errorf("greyproxy install failed: %w", err)
+	}
+
+	// 7. Verify
+	_, _ = fmt.Fprintf(opts.Output, "\nVerifying installation...\n")
+	status := Detect()
+	if status.Installed {
+		_, _ = fmt.Fprintf(opts.Output, "greyproxy %s installed at %s\n", status.Version, status.Path)
+		if status.Running {
+			_, _ = fmt.Fprintf(opts.Output, "greyproxy is running.\n")
+		}
+	} else {
+		_, _ = fmt.Fprintf(opts.Output, "Warning: greyproxy not found on PATH after install.\n")
+		_, _ = fmt.Fprintf(opts.Output, "Ensure ~/.local/bin is in your PATH.\n")
+	}
+
+	return nil
+}
+
+// fetchLatestRelease queries the GitHub API for the latest greyproxy release.
+func fetchLatestRelease() (*release, error) {
+	apiURL := fmt.Sprintf("https://api.github.com/repos/%s/%s/releases/latest", githubOwner, githubRepo)
+
+	client := &http.Client{Timeout: apiTimeout}
+
+	ctx, cancel := context.WithTimeout(context.Background(), apiTimeout)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("User-Agent", "greywall-setup")
+
+	resp, err := client.Do(req) //nolint:gosec // apiURL is built from hardcoded constants
+	if err != nil {
+		return nil, fmt.Errorf("GitHub API request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitHub API returned status %d", resp.StatusCode)
+	}
+
+	var rel release
+	if err := json.NewDecoder(resp.Body).Decode(&rel); err != nil {
+		return nil, fmt.Errorf("failed to parse release response: %w", err)
+	}
+	return &rel, nil
+}
+
+// resolveAssetURL finds the correct asset download URL for the current OS/arch.
+func resolveAssetURL(rel *release) (downloadURL, name string, err error) {
+	ver := strings.TrimPrefix(rel.TagName, "v")
+	osName := runtime.GOOS
+	archName := runtime.GOARCH
+
+	expected := fmt.Sprintf("greyproxy_%s_%s_%s.tar.gz", ver, osName, archName)
+
+	for _, a := range rel.Assets {
+		if a.Name == expected {
+			return a.BrowserDownloadURL, a.Name, nil
+		}
+	}
+	return "", "", fmt.Errorf("no release asset found for %s/%s (expected: %s)", osName, archName, expected)
+}
+
+// downloadAsset downloads a URL to a temp file, returning its path.
+func downloadAsset(downloadURL string) (string, error) {
+	client := &http.Client{Timeout: 5 * time.Minute}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, downloadURL, nil)
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := client.Do(req) //nolint:gosec // downloadURL comes from GitHub API response
+	if err != nil {
+		return "", err
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("download returned status %d", resp.StatusCode)
+	}
+
+	tmpFile, err := os.CreateTemp("", "greyproxy-*.tar.gz")
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := io.Copy(tmpFile, resp.Body); err != nil {
+		_ = tmpFile.Close()
+		_ = os.Remove(tmpFile.Name()) //nolint:gosec // tmpFile.Name() is from os.CreateTemp, not user input
+		return "", err
+	}
+	_ = tmpFile.Close()
+
+	return tmpFile.Name(), nil
+}
+
+// extractTarGz extracts a .tar.gz archive to a temp directory, returning the dir path.
+func extractTarGz(archivePath string) (string, error) {
+	f, err := os.Open(archivePath) //nolint:gosec // archivePath is a temp file we created
+	if err != nil {
+		return "", err
+	}
+	defer func() { _ = f.Close() }()
+
+	gz, err := gzip.NewReader(f)
+	if err != nil {
+		return "", fmt.Errorf("failed to create gzip reader: %w", err)
+	}
+	defer func() { _ = gz.Close() }()
+
+	tmpDir, err := os.MkdirTemp("", "greyproxy-extract-*")
+	if err != nil {
+		return "", err
+	}
+
+	tr := tar.NewReader(gz)
+	for {
+		header, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			_ = os.RemoveAll(tmpDir)
+			return "", fmt.Errorf("tar read error: %w", err)
+		}
+
+		// Sanitize: only extract regular files with safe names
+		name := filepath.Base(header.Name)
+		if name == "." || name == ".." || strings.Contains(header.Name, "..") {
+			continue
+		}
+
+		target := filepath.Join(tmpDir, name) //nolint:gosec // name is sanitized via filepath.Base and path traversal check above
+
+		switch header.Typeflag {
+		case tar.TypeReg:
+			out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(header.Mode)) //nolint:gosec // mode from tar header of trusted archive
+			if err != nil {
+				_ = os.RemoveAll(tmpDir)
+				return "", err
+			}
+			if _, err := io.Copy(out, io.LimitReader(tr, 256<<20)); err != nil { // 256 MB limit per file
+				_ = out.Close()
+				_ = os.RemoveAll(tmpDir)
+				return "", err
+			}
+			_ = out.Close()
+		}
+	}
+
+	return tmpDir, nil
+}
+
+// runGreyproxyInstall shells out to the extracted greyproxy binary with "install" arg.
+// Stdin/stdout/stderr are passed through so the interactive [y/N] prompt works.
+func runGreyproxyInstall(binaryPath string) error {
+	cmd := exec.Command(binaryPath, "install") //nolint:gosec // binaryPath is from our extracted archive
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}

internal/proxy/start.go

@@ -0,0 +1,30 @@
+package proxy
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+)
+
+// Start runs "greyproxy service start" to start the greyproxy service.
+func Start(output io.Writer) error {
+	if output == nil {
+		output = os.Stderr
+	}
+
+	path, found := checkInstalled()
+	if !found {
+		return fmt.Errorf("greyproxy not found on PATH")
+	}
+
+	_, _ = fmt.Fprintf(output, "Starting greyproxy service...\n")
+	cmd := exec.Command(path, "service", "start") //nolint:gosec // path comes from exec.LookPath
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to start greyproxy service: %w", err)
+	}
+
+	return nil
+}

scripts/smoke_test.sh

@@ -25,11 +25,11 @@ GREYWALL_BIN="${1:-}"
 if [[ -z "$GREYWALL_BIN" ]]; then
     if [[ -x "./greywall" ]]; then
         GREYWALL_BIN="./greywall"
-    elif [[ -x "./dis./greywall" ]]; then
-        GREYWALL_BIN="./dis./greywall"
+    elif [[ -x "./dist/greywall" ]]; then
+        GREYWALL_BIN="./dist/greywall"
     else
         echo "Building greywall..."
-        go build -o ./greywall ./cm./greywall
+        go build -o ./greywall ./cmd/greywall
         GREYWALL_BIN="./greywall"
     fi
 fi
@@ -121,7 +121,7 @@ run_test "read file in workspace" "pass" "$GREYWALL_BIN" -c "cat $WORKSPACE/test
 
 # Test: Write outside workspace blocked
 # Create a settings file that only allows write to current workspace
-SETTINGS_FILE="$WORKSPAC./greywall.json"
+SETTINGS_FILE="$WORKSPACE/greywall.json"
 cat > "$SETTINGS_FILE" << EOF
 {
   "filesystem": {

scripts/test_install.sh

@@ -0,0 +1,185 @@
+#!/bin/bash
+# test_install.sh - Test the install.sh script logic
+#
+# Tests version detection, URL construction, and error handling
+# without requiring a published release.
+#
+# Usage:
+#   ./scripts/test_install.sh
+#
+# Set GREYWALL_TEST_INSTALL_LIVE=1 to also test against a real release
+# (requires a published release on Gitea).
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+INSTALL_SCRIPT="$SCRIPT_DIR/../install.sh"
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+PASSED=0
+FAILED=0
+SKIPPED=0
+
+pass() { echo -e "Testing: $1... ${GREEN}PASS${NC}"; PASSED=$((PASSED + 1)); }
+fail() { echo -e "Testing: $1... ${RED}FAIL${NC} ($2)"; FAILED=$((FAILED + 1)); }
+skip() { echo -e "Testing: $1... ${YELLOW}SKIPPED${NC} ($2)"; SKIPPED=$((SKIPPED + 1)); }
+
+echo "Install script: $INSTALL_SCRIPT"
+echo "=============================================="
+
+# ============================================================
+echo ""
+echo "=== Script Sanity ==="
+echo ""
+
+# Script exists and is executable
+if [[ -f "$INSTALL_SCRIPT" ]]; then
+    pass "install.sh exists"
+else
+    fail "install.sh exists" "file not found at $INSTALL_SCRIPT"
+fi
+
+if sh -n "$INSTALL_SCRIPT" 2>/dev/null; then
+    pass "install.sh has valid shell syntax"
+else
+    fail "install.sh has valid shell syntax" "syntax error reported by sh -n"
+fi
+
+# ============================================================
+echo ""
+echo "=== Version Detection ==="
+echo ""
+
+# No releases → must fail with clean error (not malformed URL garbage)
+output=$(sh "$INSTALL_SCRIPT" 2>&1) || true
+if echo "$output" | grep -q "Error: Unable to determine version to install"; then
+    pass "no releases → clean error message"
+elif echo "$output" | grep -q "Not found\|null\|undefined"; then
+    fail "no releases → clean error message" "leaked raw API/HTTP response: $output"
+else
+    # Could be passing if a real release now exists — check if it downloaded correctly
+    if echo "$output" | grep -q "installed successfully"; then
+        pass "no releases → clean error message (release exists, install succeeded)"
+    else
+        fail "no releases → clean error message" "unexpected output: $output"
+    fi
+fi
+
+# Explicit version arg (v-prefixed) → used as-is
+output=$(sh "$INSTALL_SCRIPT" v99.0.0 2>&1) || true
+if echo "$output" | grep -q "v99.0.0"; then
+    pass "explicit version (v-prefixed) passed through"
+else
+    fail "explicit version (v-prefixed) passed through" "version not found in output: $output"
+fi
+
+# Explicit version arg (no v prefix) → v added automatically
+output=$(sh "$INSTALL_SCRIPT" 99.0.0 2>&1) || true
+if echo "$output" | grep -q "v99.0.0"; then
+    pass "explicit version (no v-prefix) gets v added"
+else
+    fail "explicit version (no v-prefix) gets v added" "output: $output"
+fi
+
+# GREYWALL_VERSION env var respected
+output=$(GREYWALL_VERSION=99.1.0 sh "$INSTALL_SCRIPT" 2>&1) || true
+if echo "$output" | grep -q "v99.1.0"; then
+    pass "GREYWALL_VERSION env var respected"
+else
+    fail "GREYWALL_VERSION env var respected" "output: $output"
+fi
+
+# ============================================================
+echo ""
+echo "=== URL Construction ==="
+echo ""
+
+# Download URL must point to Gitea, not GitHub
+output=$(sh "$INSTALL_SCRIPT" v1.2.3 2>&1) || true
+if echo "$output" | grep -q "gitea.app.monadical.io"; then
+    pass "download URL uses Gitea host"
+else
+    fail "download URL uses Gitea host" "output: $output"
+fi
+
+if echo "$output" | grep -q "github.com"; then
+    fail "download URL does not use GitHub" "found github.com in output: $output"
+else
+    pass "download URL does not use GitHub"
+fi
+
+# URL contains the version, binary name, OS, and arch
+OS_TITLE="Linux"
+if [[ "$(uname -s)" == "Darwin" ]]; then OS_TITLE="Darwin"; fi
+ARCH="x86_64"
+if [[ "$(uname -m)" == "aarch64" || "$(uname -m)" == "arm64" ]]; then ARCH="arm64"; fi
+
+if echo "$output" | grep -q "greywall_1.2.3_${OS_TITLE}_${ARCH}.tar.gz"; then
+    pass "download URL has correct filename format"
+else
+    fail "download URL has correct filename format" "expected greywall_1.2.3_${OS_TITLE}_${ARCH}.tar.gz in: $output"
+fi
+
+# ============================================================
+echo ""
+echo "=== Error Handling ==="
+echo ""
+
+# Non-existent version → curl 404 → clean error, no crash
+output=$(sh "$INSTALL_SCRIPT" v0.0.0-nonexistent 2>&1) || true
+if echo "$output" | grep -q "Error: Failed to download release"; then
+    pass "non-existent version → clean download error"
+else
+    fail "non-existent version → clean download error" "output: $output"
+fi
+
+# ============================================================
+echo ""
+echo "=== Live Install (optional) ==="
+echo ""
+
+if [[ "${GREYWALL_TEST_INSTALL_LIVE:-}" == "1" ]]; then
+    # Check a release actually exists before attempting live install
+    LATEST_TAG=$(curl -s "https://gitea.app.monadical.io/api/v1/repos/monadical/greywall/releases/latest" \
+        2>/dev/null | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' || echo "")
+    case "$LATEST_TAG" in
+        v[0-9]*)
+            TMP_BIN=$(mktemp -d)
+            trap 'rm -rf "$TMP_BIN"' EXIT
+            install_out=$(HOME="$TMP_BIN" sh "$INSTALL_SCRIPT" 2>&1) || true
+            if echo "$install_out" | grep -q "installed successfully"; then
+                if [[ -x "$TMP_BIN/.local/bin/greywall" ]]; then
+                    pass "live install: binary downloaded and executable"
+                    version_out=$("$TMP_BIN/.local/bin/greywall" --version 2>&1)
+                    if echo "$version_out" | grep -qE '^greywall v?[0-9]'; then
+                        pass "live install: binary runs and reports version"
+                    else
+                        fail "live install: binary runs and reports version" "output: $version_out"
+                    fi
+                else
+                    fail "live install: binary downloaded and executable" "binary not found at $TMP_BIN/.local/bin/greywall"
+                fi
+            else
+                fail "live install: install succeeded" "output: $install_out"
+            fi
+            ;;
+        *)
+            skip "live install (download + run binary)" "no releases published on Gitea yet"
+            ;;
+    esac
+else
+    skip "live install (download + run binary)" "set GREYWALL_TEST_INSTALL_LIVE=1 to enable"
+fi
+
+# ============================================================
+echo ""
+echo "=============================================="
+echo ""
+echo -e "Results: ${GREEN}$PASSED passed${NC}, ${RED}$FAILED failed${NC}, ${YELLOW}$SKIPPED skipped${NC}"
+echo ""
+
+[[ $FAILED -eq 0 ]]