Problem Statement
The egress proxy logs CONNECT and FORWARD deny decisions at info!() level (proxy.rs:399, proxy.rs:1814), but the sandbox defaults to WARN log level. This means all connection denials are completely silent at the default log level.
This directly caused a misdiagnosis in #681 — the reporter saw 403 Forbidden responses but had no log output indicating why the proxy denied the request. They attributed the problem to a procfs identity resolution bug when it was actually a policy misconfiguration. The issue was only resolved after manually setting RUST_LOG=openshell_sandbox=debug, which revealed that identity resolution was succeeding and the deny was purely policy-related.
Connection denials are operationally significant events that users need to see by default to diagnose policy issues.
Proposed Design
Change the log level for proxy deny decisions from info!() to warn!() at the following locations:
- CONNECT deny —
crates/openshell-sandbox/src/proxy.rs:399
- FORWARD deny —
crates/openshell-sandbox/src/proxy.rs:1814
- Inference interception deny —
crates/openshell-sandbox/src/proxy.rs:331
The allow log lines can remain at info!() — allowed connections are expected behavior and don't need warn-level visibility.
This is a one-line change per location (info! → warn!).
Alternatives Considered
- Change the default log level to
info: Would expose denials but also increase log volume significantly with allow decisions, relay events, etc. Not desirable.
- Add a separate deny-specific log at warn while keeping the structured log at info: Unnecessary duplication — the structured log line already contains all the needed fields.
Agent Investigation
Confirmed the log sites by reading proxy.rs. The deny log at line 399 uses info!() with structured fields including action = "deny", reason, binary, dst_host, etc. The forward-proxy deny at line 1814 follows the same pattern. Both are guarded by if matches!(decision.action, NetworkAction::Deny { .. }), so raising to warn!() only affects actual denials.
Context: #681, #684 (PR that can be closed once this lands — the original bug was policy misconfiguration, not procfs).
Problem Statement
The egress proxy logs CONNECT and FORWARD deny decisions at
info!()level (proxy.rs:399,proxy.rs:1814), but the sandbox defaults toWARNlog level. This means all connection denials are completely silent at the default log level.This directly caused a misdiagnosis in #681 — the reporter saw
403 Forbiddenresponses but had no log output indicating why the proxy denied the request. They attributed the problem to a procfs identity resolution bug when it was actually a policy misconfiguration. The issue was only resolved after manually settingRUST_LOG=openshell_sandbox=debug, which revealed that identity resolution was succeeding and the deny was purely policy-related.Connection denials are operationally significant events that users need to see by default to diagnose policy issues.
Proposed Design
Change the log level for proxy deny decisions from
info!()towarn!()at the following locations:crates/openshell-sandbox/src/proxy.rs:399crates/openshell-sandbox/src/proxy.rs:1814crates/openshell-sandbox/src/proxy.rs:331The
allowlog lines can remain atinfo!()— allowed connections are expected behavior and don't need warn-level visibility.This is a one-line change per location (
info!→warn!).Alternatives Considered
info: Would expose denials but also increase log volume significantly with allow decisions, relay events, etc. Not desirable.Agent Investigation
Confirmed the log sites by reading
proxy.rs. The deny log at line 399 usesinfo!()with structured fields includingaction = "deny",reason,binary,dst_host, etc. The forward-proxy deny at line 1814 follows the same pattern. Both are guarded byif matches!(decision.action, NetworkAction::Deny { .. }), so raising towarn!()only affects actual denials.Context: #681, #684 (PR that can be closed once this lands — the original bug was policy misconfiguration, not procfs).