From 98f9cbf256151cf576f2b307d5fe4d8f4b35bf43 Mon Sep 17 00:00:00 2001
From: DanConwayDev <DanConwayDev@protonmail.com>
Date: Wed, 25 Feb 2026 14:35:14 +0000
Subject: make read-only the default probe mode; add --create-repo to opt into
 write path

---
 grasp-audit/src/bin/grasp-audit.rs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/grasp-audit/src/bin/grasp-audit.rs b/grasp-audit/src/bin/grasp-audit.rs
index 9bd7826..becc4b2 100644
--- a/grasp-audit/src/bin/grasp-audit.rs
+++ b/grasp-audit/src/bin/grasp-audit.rs
@@ -37,9 +37,11 @@ enum Commands {
         #[arg(long)]
         nsec: Option<String>,
 
-        /// Read-only mode: skip write steps, only check existing repos
+        /// Create a test repo on the relay to verify the full write path
+        /// (publish events, git push, verify refs match state).
+        /// Requires write access; use --nsec for whitelisted relays.
         #[arg(long, default_value_t = false)]
-        read_only: bool,
+        create_repo: bool,
     },
 
     /// Run audit tests against a server
@@ -90,7 +92,7 @@ async fn main() -> Result<()> {
             timeout,
             watch,
             nsec,
-            read_only,
+            create_repo,
         } => {
             // Parse nsec if provided
             let keys = if let Some(nsec_str) = nsec {
@@ -102,6 +104,9 @@ async fn main() -> Result<()> {
                 None
             };
 
+            // read_only is the default; --create-repo opts into the write path
+            let read_only = !create_repo;
+
             // Overall probe timeout: min(20s, watch_interval) to prevent
             // overlapping runs under --watch or cron scheduling.
             let overall_secs = match watch {
-- 
cgit v1.2.3