From 41d5fadf3f3494d6ba5697b9aaeac9a38f0f20df Mon Sep 17 00:00:00 2001
From: CyberMind-FR <gandalf@Gk2.net>
Date: Wed, 25 Feb 2026 11:31:21 +0100
Subject: [PATCH] fix(streamlit): CLI emancipate sets waf_enabled and uses
 container reload

- streamlitctl emancipate now sets waf_enabled="1" in instance UCI
- _emancipate_reload() uses haproxyctl reload (container) instead of
  deprecated /etc/init.d/haproxy restart (host init script)
- Properly verifies LXC container status after reload
- Tested: test2.gk2.secubox.in emancipation successful with WAF

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .claude/HISTORY.md                            | 12 ++++++++++++
 .../files/usr/sbin/streamlitctl               | 19 +++++++++----------
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md
index 478991b3..3f82e8e5 100644
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@@ -3592,3 +3592,15 @@ git checkout HEAD -- index.html
     - **Files Modified:**
       - `luci-app-streamlit/root/usr/libexec/rpcd/luci.streamlit`: emancipate_instance, rename_app, rename_instance, get_exposure_status
       - `luci-app-streamlit/htdocs/luci-static/resources/view/streamlit/dashboard.js`: WAF badge display
+
+33. **Streamlit CLI Emancipate Fix & Container Reload (2026-02-25)**
+    - **CLI Emancipate UCI Fix:**
+      - `streamlitctl emancipate` now sets `waf_enabled="1"` in instance UCI
+      - Previously only set `emancipated` and `domain`
+    - **Container-Aware Reload:**
+      - `_emancipate_reload()` now uses `haproxyctl reload` (container reload)
+      - Previously used deprecated `/etc/init.d/haproxy restart` (host init script)
+      - Properly verifies LXC container status after reload
+    - **Verified:** test2.gk2.secubox.in emancipation successful with WAF enabled
+    - **Files Modified:**
+      - `secubox-app-streamlit/files/usr/sbin/streamlitctl`: Added waf_enabled UCI field, use haproxyctl reload
diff --git a/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl b/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl
index aeee48c5..52e9f9f8 100644
--- a/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl
+++ b/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl
@@ -1372,17 +1372,15 @@ _emancipate_mitmproxy() {
 
 _emancipate_reload() {
 	log_info "[RELOAD] Applying HAProxy configuration"
-	# Generate fresh config
+	# Generate fresh config and reload container
 	haproxyctl generate 2>/dev/null
-	# Restart for clean state with new vhosts/certs
-	log_info "[RELOAD] Restarting HAProxy for clean state..."
-	/etc/init.d/haproxy restart 2>/dev/null
-	sleep 1
-	# Verify HAProxy is running
-	if pgrep haproxy >/dev/null 2>&1; then
-		log_info "[RELOAD] HAProxy restarted successfully"
+	log_info "[RELOAD] Reloading HAProxy container..."
+	haproxyctl reload 2>/dev/null
+	# Verify HAProxy container is running
+	if lxc-info -n haproxy -s 2>/dev/null | grep -q RUNNING; then
+		log_info "[RELOAD] HAProxy container reloaded successfully"
 	else
-		log_warn "[RELOAD] HAProxy may not have started properly"
+		log_warn "[RELOAD] HAProxy container may not be running properly"
 	fi
 
 	# Regenerate GK2 Hub landing page if generator exists
@@ -1594,10 +1592,11 @@ cmd_emancipate() {
 	# Step 8: Reload HAProxy
 	_emancipate_reload
 
-	# Mark app as emancipated
+	# Mark instance as emancipated with WAF enabled
 	uci set ${CONFIG}.${name}.emancipated="1"
 	uci set ${CONFIG}.${name}.emancipated_at="$(date -Iseconds)"
 	uci set ${CONFIG}.${name}.domain="$domain"
+	uci set ${CONFIG}.${name}.waf_enabled="1"
 	uci commit ${CONFIG}
 
 	echo ""