fix(metablogizer): Resolve HAProxy stability and add WAF status display

- Fixed random 404 errors caused by multiple HAProxy instances (container + host)
- Disabled host HAProxy service, container HAProxy now sole traffic handler
- Added auto-republish on upload for emancipated sites
- Added waf_enabled and emancipated fields to list_sites RPCD response
- Added WAF badge in LuCI dashboard Exposure column

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/HISTORY.md

@@ -3542,3 +3542,16 @@ git checkout HEAD -- index.html
       - `luci-app-cloner/root/usr/libexec/rpcd/luci.cloner`: Added list_versions, list_build_profiles, updated build_image
       - `luci-app-cloner/root/usr/share/rpcd/acl.d/luci-app-cloner.json`: Added permissions for new methods
     - **Tested:** CLI help, versions command, RPCD methods via ubus all working
+
+30. **MetaBlogizer HAProxy Stability Fix (2026-02-25)**
+    - **Root Cause Identified:** Multiple HAProxy instances (container + host) were both listening on ports 80/443, causing random routing and intermittent 404 errors for all sites
+    - **Fix Applied:**
+      - Disabled host HAProxy service (`/etc/init.d/haproxy disable`)
+      - Container HAProxy is now the sole handler for web traffic
+    - **Auto-Republish Feature Added:**
+      - When files are uploaded to an emancipated site, `metablogizerctl publish` is now called automatically
+      - This ensures uhttpd and HAProxy routing stay in sync after content updates
+    - **Files Modified:**
+      - `luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer`: Added auto-republish in `method_upload_finalize()`
+    - **Sites Fixed:** rfg, form, facb, plainte all returning HTTP 200 consistently
+    - **Verified:** 20 consecutive tests all returned 200 (previously ~50% failure rate)

.claude/WIP.md

@@ -64,6 +64,13 @@ _Last updated: 2026-02-25 (Factory Dashboard LuCI)_
 
 ### Just Completed (2026-02-25)
 
+- **MetaBlogizer HAProxy Stability** — DONE (2026-02-25)
+  - Fixed random 404 errors caused by multiple HAProxy instances
+  - Root cause: Both host and container HAProxy were listening on ports 80/443
+  - Fix: Disabled host HAProxy service, container HAProxy is now sole handler
+  - Added auto-republish on upload for emancipated sites
+  - All sites (rfg, form, facb, plainte) now consistently return HTTP 200
+
 - **Factory Dashboard LuCI** — DONE (2026-02-25)
   - Added Factory tab to Cloning Station (`luci-app-cloner/overview.js`)
   - Discovery Mode Toggle with visual status (🟢 ON / 🔴 OFF)

.claude/settings.local.json

@@ -432,7 +432,11 @@
       "Bash(__NEW_LINE_a9089175728efc91__ echo \"\")",
       "WebFetch(domain:pent.gk2.secubox.in)",
       "Bash(__NEW_LINE_84a971cd6a876509__ echo \"Done deploying to clone\")",
-      "Bash(# Remove build artifacts from staging git reset HEAD -- package/secubox/zkp-hamiltonian/build-musl/ package/secubox/zkp-hamiltonian/build-static/ package/secubox/zkp-hamiltonian/build-x86/ # Add to gitignore echo \"\"package/secubox/zkp-hamiltonian/build-*/\"\" # Check status git status --short)"
+      "Bash(# Remove build artifacts from staging git reset HEAD -- package/secubox/zkp-hamiltonian/build-musl/ package/secubox/zkp-hamiltonian/build-static/ package/secubox/zkp-hamiltonian/build-x86/ # Add to gitignore echo \"\"package/secubox/zkp-hamiltonian/build-*/\"\" # Check status git status --short)",
+      "Bash(do if ping -c 1 -W 2 192.168.255.156)",
+      "Bash(break)",
+      "Bash(if ping -c 1 -W 3 192.168.255.156)",
+      "Bash(else)"
     ]
   }
 }

package/secubox/luci-app-metablogizer/htdocs/luci-static/resources/view/metablogizer/dashboard.js

@@ -136,6 +136,15 @@ return view.extend({
 			}, 'Auth');
 		}
 
+		// WAF badge (from site.waf_enabled returned by list_sites)
+		var wafBadge = '';
+		if (site.waf_enabled) {
+			wafBadge = E('span', {
+				'style': 'display:inline-block; padding:2px 6px; border-radius:4px; font-size:0.85em; background:#d1ecf1; color:#0c5460; margin-left:4px',
+				'title': _('Traffic inspected by WAF (mitmproxy)')
+			}, 'WAF');
+		}
+
 		// Domain link
 		var domainEl;
 		if (site.domain) {
@@ -166,7 +175,8 @@ return view.extend({
 			// Exposure column
 			E('td', { 'class': 'td' }, [
 				exposureBadge,
-				authBadge
+				authBadge,
+				wafBadge
 			]),
 			// Actions column
 			E('td', { 'class': 'td', 'style': 'text-align:center; white-space:nowrap' }, [

package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer

@@ -312,6 +312,18 @@ _add_site() {
 		fi
 	fi
 
+	# Check WAF status (is site routed through mitmproxy_inspector?)
+	local waf_enabled="0"
+	local vhost_name=$(echo "$domain" | sed 's/[^a-zA-Z0-9]/_/g')
+	local vhost_backend=$(uci -q get "haproxy.${vhost_name}.backend" 2>/dev/null)
+	if [ "$vhost_backend" = "mitmproxy_inspector" ]; then
+		waf_enabled="1"
+	fi
+
+	# Check emancipated status
+	local emancipated=$(uci -q get "${UCI_CONFIG}.${section}.emancipated" 2>/dev/null)
+	[ -z "$emancipated" ] && emancipated="0"
+
 	json_add_object
 	json_add_string "id" "$section"
 	json_add_string "name" "$name"
@@ -326,6 +338,8 @@ _add_site() {
 	[ -n "$port" ] && json_add_int "port" "$port"
 	[ -n "$runtime" ] && json_add_string "runtime" "$runtime"
 	json_add_boolean "backend_running" "$backend_running"
+	json_add_boolean "waf_enabled" "$waf_enabled"
+	json_add_boolean "emancipated" "$emancipated"
 
 	# Tor hidden service info
 	json_add_boolean "tor_enabled" "$(has_tor_service "$name" && echo 1 || echo 0)"
@@ -1065,6 +1079,11 @@ method_upload_finalize() {
 		fix_permissions "$site_path"
 		# Auto-push to Gitea if configured (background, use site name not UCI section id)
 		metablogizerctl gitea push "$name" >/dev/null 2>&1 &
+		# Auto-republish if site is emancipated (ensures HAProxy routing works after upload)
+		local is_emancipated=$(get_uci "$site_id" emancipated "0")
+		if [ "$is_emancipated" = "1" ]; then
+			metablogizerctl publish "$name" >/dev/null 2>&1 &
+		fi
 		json_init
 		json_add_boolean "success" 1
 		json_add_string "filename" "$filename"