feat(vpn): add PIA split tunnel config watchdog (Stage 1.5)#63
Merged

smartwatermelon merged 3 commits into main, Feb 13, 2026

Conversation
PIA frequently "forgets" its split tunnel configuration. With the Stage 1 inversion architecture, this means all traffic goes through VPN — including Plex, which is unusable through a multi-hop overseas connection. This watchdog monitors PIA's settings.json every 60s, detects drift, and auto-restores from a saved reference using piactl -u applysettings with disconnect/reconnect cycle.

- Create pia-split-tunnel-monitor.sh template (follows vpn-monitor.sh patterns)
- Add deployment section to transmission-setup.sh (save reference + deploy + LaunchAgent)
- Update vpn-transmission.md with Stage 1.5 documentation

AI review: code-reviewer (2 iterations)
Adversarial review: code-critic:adversarial-reviewer (1 iteration) - fixed Python injection via shell variable interpolation, made reference save non-fatal

Issues fixed: Python code injection in configs_match() and extract_monitored_fields(), non-fatal reference save failure handling

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prefix Stage 1.5 subheadings to be unique (matching the Stage 4 convention), fixing CI markdown lint failures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Eliminate TOCTOU race in reference file reads by using atomic cat-or-fail pattern instead of separate -f check + cat. Both check_and_fix() and verify_fix() now return 1 on missing reference (consistent severity). Main loop tolerates check_and_fix() failures with || true to prevent crash loops under set -e.

Addresses Seer review on PR #63.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Feb 13, 2026

smartwatermelon pushed a commit that referenced this pull request, Feb 13, 2026
Individual template copies by filename silently omitted vpn-monitor.sh and pia-split-tunnel-monitor.sh (added in PRs #57 and #63). Replace with a glob loop matching the pattern already used for server scripts and app-setup scripts, so future templates are picked up automatically. Core templates (mount-nas-media.sh, start-rclone.sh) retain REQUIRED severity; app-specific templates are OPTIONAL since their setup scripts handle missing templates gracefully.

Closes #64

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
smartwatermelon added a commit that referenced this pull request, Feb 13, 2026
## Summary

- Replace individual template `copy_with_manifest` calls with a glob loop, matching the pattern already used for server scripts and app-setup scripts
- Fixes silent omission of `vpn-monitor.sh` and `pia-split-tunnel-monitor.sh` (added in PRs #57 and #63)
- Future templates are picked up automatically without code changes
- Core templates (`mount-nas-media.sh`, `start-rclone.sh`) retain REQUIRED severity; app-specific templates are OPTIONAL

## Test plan

- [x] `shellcheck prep-airdrop.sh` passes
- [x] Code-reviewer: PASS
- [x] Adversarial-reviewer: PASS
- [ ] Verify glob matches 6 deployable templates and skips `transmission-done-template.sh`

Closes #64

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Code Bot <claude-code@smartwatermelon.github>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Summary

- `app-setup/templates/pia-split-tunnel-monitor.sh` — monitors PIA's `settings.json` every 60s for split tunnel config drift and auto-restores from a saved reference using `piactl -u applysettings`
- `transmission-setup.sh` (save reference + deploy template + create LaunchAgent)
- `docs/vpn-transmission.md` with Stage 1.5 architecture

## Why

PIA frequently "forgets" its split tunnel rules. With the Stage 1 inversion (Bypass VPN for Plex/Backblaze/Safari), forgetting means all traffic goes through VPN — including Plex, which is unusable through a multi-hop overseas connection. This watchdog detects drift within 60 seconds and auto-restores.

## Design

- `python3 -` with heredoc for JSON parsing (no jq on stock macOS)
- `--save-reference` flag for initial setup or manual reference updates

## Test plan

- `transmission-setup.sh`
- `launchctl list | grep pia-monitor`
- `cat ~/.local/etc/pia-split-tunnel-reference.json`
- `tail -f ~/.local/state/tilsit-pia-monitor.log`

🤖 Generated with Claude Code
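The following is an added example, not the project's `pia-split-tunnel-monitor.sh`, written to show in runnable form the two review findings recorded in the commits above: the `python3 -` heredoc receives the JSON text through argv rather than by interpolating a shell variable into the Python source (so file contents can never become code), and the reference file is read with a single cat-or-fail rather than a `-f` test followed by `cat`, with the main loop tolerating a failed tick via `|| true`. The field names `splitTunnelEnabled`/`splitTunnelRules`, the file locations, and the `restore_from_reference` stand-in are assumptions made for this example; the real script restores with `piactl -u applysettings` and a disconnect/reconnect cycle.

```shell
#!/usr/bin/env bash
# Added example (not the project's monitor script): a minimal drift check.
# Assumed field names and a file-copy restore stand in for the real
# piactl -u applysettings restore so that this runs offline.
set -u

# Constructed: the settings keys treated as the split tunnel configuration.
MONITORED_FIELDS='["splitTunnelEnabled","splitTunnelRules"]'

# Print a canonical JSON object holding only the monitored fields.
# $1 is the JSON document text (not a path). Both it and the field list
# reach Python as sys.argv entries; the quoted 'PY' delimiter means the
# heredoc body is fixed program text that no input can alter.
extract_monitored_fields() {
  python3 - "$1" "$MONITORED_FIELDS" <<'PY'
import json, sys
data = json.loads(sys.argv[1])        # document text arrives as data, not code
fields = json.loads(sys.argv[2])
subset = {k: data.get(k) for k in fields}
print(json.dumps(subset, sort_keys=True, separators=(",", ":")))
PY
}

# 0 if the monitored fields in live ($1) and reference ($2) JSON text agree,
# 1 if they differ, 2 if either document failed to parse.
configs_match() {
  local live saved
  live=$(extract_monitored_fields "$1") || return 2
  saved=$(extract_monitored_fields "$2") || return 2
  [ "$live" = "$saved" ]
}

# Stand-in for the real restore: write the reference document back.
restore_from_reference() {
  local ref_json="$1" settings_path="$2"
  printf '%s\n' "$ref_json" > "$settings_path"
}

# One watchdog tick. $1 = live settings path, $2 = reference path.
# Prints ok | drift | reference-missing | settings-missing | parse-error.
# Returns 1 when a file could not be read or parsed, 0 otherwise.
check_and_fix() {
  local settings_path="$1" ref_path="$2" live_json ref_json rc=0
  # Atomic read: success of cat is the only existence check, so a file
  # removed between "test -f" and "cat" is no longer a possible window.
  ref_json=$(cat "$ref_path" 2>/dev/null) || { echo "reference-missing"; return 1; }
  live_json=$(cat "$settings_path" 2>/dev/null) || { echo "settings-missing"; return 1; }
  configs_match "$live_json" "$ref_json" || rc=$?
  case $rc in
    0) echo "ok"; return 0 ;;
    1) echo "drift"; restore_from_reference "$ref_json" "$settings_path"; return 0 ;;
    *) echo "parse-error"; return 1 ;;
  esac
}

# Loop shape used by the monitor: a failed tick must not kill the agent
# under set -e, hence || true. Not invoked here; a LaunchAgent would call it.
monitor_loop() {
  while :; do
    check_and_fix "$1" "$2" || true
    sleep 60
  done
}
```

Differences in fields outside `MONITORED_FIELDS` (a theme setting, for instance) are ignored by design, so a cosmetic change in `settings.json` does not trigger a disconnect/reconnect cycle.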