docs: Add Request Logging page with BigQuery example

- Document --request-log flag and log format
- Show example output with allowed/blocked indicators
- Add BigQuery streaming integration example using Line Processor
- Demonstrate combining local logging with cloud analytics

Author: ammario

docs/guide/configuration.md

@@ -8,7 +8,6 @@ httpjail follows a simple configuration hierarchy:
 
 1. **Command-line options** - Highest priority, override everything
 2. **Environment variables** - Set by httpjail for the jailed process
-3. **Default behavior** - Deny all requests unless explicitly allowed
 
 ## Key Configuration Areas
 
@@ -76,22 +75,22 @@ httpjail --proc ./rate-limiter.py \
 
 These are automatically set in the jailed process:
 
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `HTTP_PROXY` | HTTP proxy address | `http://127.0.0.1:34567` |
-| `HTTPS_PROXY` | HTTPS proxy address | `http://127.0.0.1:34567` |
-| `SSL_CERT_FILE` | CA certificate path | `/tmp/httpjail-ca.pem` |
-| `SSL_CERT_DIR` | CA certificate directory | `/tmp/httpjail-certs/` |
-| `NO_PROXY` | Bypass proxy for these hosts | `localhost,127.0.0.1` |
+| Variable        | Description                  | Example                  |
+| --------------- | ---------------------------- | ------------------------ |
+| `HTTP_PROXY`    | HTTP proxy address           | `http://127.0.0.1:34567` |
+| `HTTPS_PROXY`   | HTTPS proxy address          | `http://127.0.0.1:34567` |
+| `SSL_CERT_FILE` | CA certificate path          | `/tmp/httpjail-ca.pem`   |
+| `SSL_CERT_DIR`  | CA certificate directory     | `/tmp/httpjail-certs/`   |
+| `NO_PROXY`      | Bypass proxy for these hosts | `localhost,127.0.0.1`    |
 
 ### Controlling httpjail
 
 These affect httpjail's behavior:
 
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `RUST_LOG` | Logging level | `debug`, `info`, `warn`, `error` |
-| `HTTPJAIL_CA_CERT` | Custom CA certificate path | `/etc/pki/custom-ca.pem` |
+| Variable           | Description                | Example                          |
+| ------------------ | -------------------------- | -------------------------------- |
+| `RUST_LOG`         | Logging level              | `debug`, `info`, `warn`, `error` |
+| `HTTPJAIL_CA_CERT` | Custom CA certificate path | `/etc/pki/custom-ca.pem`         |
 
 ## Platform-Specific Configuration
 
@@ -111,14 +110,6 @@ These affect httpjail's behavior:
 
 See [Platform Support](./platform-support.md) for detailed information.
 
-## Configuration Best Practices
-
-1. **Start simple**: Begin with basic JavaScript rules
-2. **Log everything in dev**: Use `--request-log /dev/stdout` during development
-3. **Test isolation**: Verify no requests leak through
-4. **Monitor performance**: Watch for slow rule evaluation
-5. **Document rules**: Keep rule logic clear and maintainable
-
 ## Troubleshooting Configuration
 
 ### Rules not matching
@@ -155,4 +146,4 @@ openssl x509 -in ~/.config/httpjail/ca-cert.pem -text -noout
 
 - [Rule Engines](./rule-engines/index.md) - Choose the right evaluation method
 - [Request Logging](./request-logging.md) - Monitor and audit requests
-- [Platform Support](./platform-support.md) - Platform-specific details
+- [Platform Support](./platform-support.md) - Platform-specific details

docs/guide/installation.md

@@ -2,11 +2,23 @@
 
 httpjail can be installed in several ways depending on your needs and platform.
 
+## Cargo
+
+If you have Rust installed, you can install httpjail using Cargo:
+
+```bash
+# optional: brew install rust
+cargo install httpjail
+```
+
+This will compile httpjail from source and install it to your Cargo bin directory (usually `~/.cargo/bin/`).
+
 ## Pre-built Binaries
 
 The easiest way to install httpjail is to download a pre-built binary from the [releases page](https://github.com/coder/httpjail/releases).
 
 ### Linux
+
 ```bash
 # Download the latest release (example for Linux x86_64)
 curl -L https://github.com/coder/httpjail/releases/latest/download/httpjail-linux-amd64 -o httpjail
@@ -15,23 +27,14 @@ sudo mv httpjail /usr/local/bin/
 ```
 
 ### macOS
+
 ```bash
 # Download the latest release (example for macOS arm64)
 curl -L https://github.com/coder/httpjail/releases/latest/download/httpjail-darwin-arm64 -o httpjail
 chmod +x httpjail
 sudo mv httpjail /usr/local/bin/
 ```
 
-## Install via Cargo
-
-If you have Rust installed, you can install httpjail using Cargo:
-
-```bash
-cargo install httpjail
-```
-
-This will compile httpjail from source and install it to your Cargo bin directory (usually `~/.cargo/bin/`).
-
 ## Build from Source
 
 For development or to get the latest unreleased features:
@@ -61,11 +64,13 @@ This profile provides reasonable performance with significantly faster build tim
 ## System Requirements
 
 ### Linux
+
 - Linux kernel 3.8+ (for network namespaces)
 - Root privileges (for network namespace creation)
 - iptables (for traffic redirection)
 
-### macOS  
+### macOS
+
 - macOS 10.15+ (Catalina or later)
 - No special privileges required (uses weak mode)
 
@@ -98,4 +103,4 @@ This is especially important on macOS for applications that use the system keych
 
 ## Next Steps
 
-Now that you have httpjail installed, check out the [Quick Start](./quick-start.md) guide to learn how to use it.
+Now that you have httpjail installed, check out the [Quick Start](./quick-start.md) guide to learn how to use it.

docs/guide/platform-support.md

@@ -29,6 +29,7 @@ Full network isolation using namespaces and nftables.
 ┌─────────────────────────────────────────────────┐
 │              Target Process                     │
 │  • Isolated in network namespace                │
+│  • User dropped to $SUDO_USER                   │
 │  • All HTTP/HTTPS → local proxy                 │
 │  • All DNS queries → dummy resolver (6.6.6.6)   │
 │  • CA cert trusted via env vars                 │

docs/guide/request-logging.md

@@ -1 +1,71 @@
 # Request Logging
+
+Log all HTTP/HTTPS requests to a file for auditing, debugging, or analysis.
+
+## Basic Usage
+
+```bash
+httpjail --request-log requests.log --js "true" -- npm install
+```
+
+## Log Format
+
+Each request is logged on a single line:
+```
+<timestamp> <+/-> <METHOD> <URL>
+```
+
+- `+` indicates allowed requests
+- `-` indicates blocked requests
+
+## Example Output
+
+```
+2025-09-22T14:23:45.123Z + GET https://registry.npmjs.org/react
+2025-09-22T14:23:45.234Z + GET https://registry.npmjs.org/react-dom
+2025-09-22T14:23:45.345Z - POST https://analytics.example.com/track
+```
+
+## BigQuery Integration
+
+Stream request logs to BigQuery using Line Processor mode:
+
+```bash
+#!/bin/bash
+# log-to-bigquery.sh
+
+# Configure BigQuery
+PROJECT="my-project"
+DATASET="httpjail_logs"
+TABLE="requests"
+
+# Process requests and log to BigQuery
+while read -r line; do
+    # Parse the request JSON
+    request=$(echo "$line" | jq -c '{
+        timestamp: now | todate,
+        url: .url,
+        method: .method,
+        host: .host,
+        path: .path
+    }')
+    
+    # Log to BigQuery (streaming insert)
+    echo "$request" | bq insert --project_id="$PROJECT" \
+        "$DATASET.$TABLE"
+    
+    # Allow all requests
+    echo "true"
+done
+```
+
+Usage:
+```bash
+httpjail --proc ./log-to-bigquery.sh --request-log local-backup.log -- your-app
+```
+
+This approach:
+- Streams requests to BigQuery in real-time
+- Maintains a local backup in `local-backup.log`
+- Allows custom processing and enrichment
+- Scales to high-volume applications