diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md index 725039b2..9ce12611 100644 --- a/.claude/HISTORY.md +++ b/.claude/HISTORY.md @@ -1,6 +1,6 @@ # SecuBox UI & Theme History -_Last updated: 2026-03-03 (Comprehensive Service Audit)_ +_Last updated: 2026-03-06 (AI Gateway Login)_ 1. **Unified Dashboard Refresh (2025-12-20)** - Dashboard received the "sh-page-header" layout, hero stats, and SecuNav top tabs. @@ -4404,3 +4404,69 @@ git checkout HEAD -- index.html - **Mailserver Recovery:** - Fixed webmail.gk2.secubox.in login error by starting mailserver container - Verified IMAP/SMTP connectivity (ports 143, 993, 25, 587, 465) + +74. **February 2026 Milestones (2026-02-01 to 2026-02-28)** + - **Mesh & P2P:** + - ZKP Hamiltonian cryptographic authentication between mesh nodes + - Mesh blockchain bidirectional sync (Master ↔ Clone) + - P2P threat intelligence sharing (100+ IOC blocks) + - Yggdrasil IPv6 overlay network with LAN multicast peering + - Yggdrasil Extended Peer Discovery with gossip protocol + - MirrorNet core package (identity, reputation, mirror, gossip, health) + - Factory auto-provisioning with zero-touch device onboarding + - **AI & Security:** + - AI Gateway (Sovereignty Engine) with ANSSI CSPN compliance + - 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT + - Provider hierarchy: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI + - DNS Guard AI migration with 5 detection modules + - Threat Analyst autonomous agent with rule generation + - MCP Server with 14 tools for Claude Desktop integration + - CVE Triage agent with NVD integration + - Network Anomaly agent with 5 detection modules + - LocalRecall memory system for AI agents + - Config Advisor for ANSSI CSPN compliance checking + - **Communication:** + - Matrix Homeserver (Conduit) with E2EE mesh messaging + - VoIP (Asterisk PBX) with OVH trunk auto-provisioning + - Jabber integration with Jingle VoIP and SMS relay + - Self-hosted Jitsi Meet video conferencing + - **Media & Content:** + - PeerTube video platform with yt-dlp import + - GoToSocial Fediverse server + - Nextcloud LXC with nginx, PHP-FPM, Talk app + - HexoJS multi-instance with GitHub/Gitea integration + - MetaBlogizer KISS ULTIME MODE with one-command emancipation + - WebRadio with CrowdSec integration + - **Infrastructure:** + - HAProxy path-based ACL routing with pattern length sorting + - Mitmproxy multi-instance support (out/in) + - Vortex Hub wildcard routing + - Gandi DNS secondary setup with zone transfers + - Custom mailserver (Postfix + Dovecot in LXC) + - IoT Guard with OUI-based classification + - IP Blocklist with nftables/iptables backends + - AbuseIPDB reporter integration + - Log denoising for System Hub + - **Cloning & Deployment:** + - Cloning Station with MOKATOOL integration + - Remote device management via SSH + - Clone history and image manager + - Pre-deploy lint script for syntax validation + - **LuCI Dashboards (KISS rewrites):** + - SecuBox Dashboard, System Hub, Modules, Monitoring, Alerts, Settings + - HAProxy (vhosts, backends, stats) + - CrowdSec, Wazuh SIEM, mitmproxy WAF + - VM Manager, Cookie Tracker, CDN Cache + - InterceptoR Services Registry + - **Bug Fixes:** + - Tor Shield opkg DNS bypass + - HAProxy Portal 503 fix + - Mailserver Dovecot permissions + - MirrorNet ash compatibility + - Various POSIX shell fixes for BusyBox + +75. **AI Gateway Login Command (2026-03-06)** + - CLI: `aigatewayctl login [provider]` with credential validation + - Rollback on authentication failure + - RPCD: `login` method for LuCI integration + - Format warnings for provider-specific API key patterns diff --git a/.claude/WIP.md b/.claude/WIP.md index 2b978286..f871ab56 100644 --- a/.claude/WIP.md +++ b/.claude/WIP.md @@ -1,1454 +1,99 @@ # Work In Progress (Claude) -_Last updated: 2026-03-04 (SBOM Pipeline + AI Gateway)_ +_Last updated: 2026-03-06 (AI Gateway Login)_ > **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches --- -## Couche 1 — Core Mesh +## Recently Completed -### Just Completed (2026-03-04) +### 2026-03-06 -- **SBOM Pipeline for CRA Annex I Compliance** — DONE (2026-03-04) - - `scripts/check-sbom-prereqs.sh` - Prerequisites validation (OpenWrt version, tools, Kconfig) - - `scripts/sbom-generate.sh` - Multi-source SBOM generation (OpenWrt, feed, rootfs, firmware) - - `scripts/sbom-audit-feed.sh` - PKG_HASH/PKG_LICENSE feed audit with MANIFEST.md output - - `Makefile` - SBOM targets (sbom, sbom-quick, sbom-validate, sbom-scan, sbom-audit, sbom-prereqs) - - `.github/workflows/sbom-release.yml` - GitHub Actions with CVE gating and auto-security issues - - `docs/sbom-pipeline.md` - Full documentation with CRA mapping and ANSSI CSPN guidance - - `SECURITY.md` - CRA Art. 13 §6 compliant vulnerability disclosure policy +- **AI Gateway `/login` Command** + - CLI: `aigatewayctl login [provider]` - Interactive or scripted provider authentication + - Validates credentials against provider API before saving + - Rollback on validation failure (preserves previous credentials) + - Format warnings: Claude keys should start with `sk-ant-`, OpenAI with `sk-` + - RPCD: `login` method for LuCI frontend integration + - ACL: Added write permission for `login` method -- **AI Gateway Full-Stack Implementation** — DONE (2026-03-04) - - **Backend** (`secubox-ai-gateway`): - - 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT - - PII sanitizer: IP anonymization, credential scrubbing - - Provider routing: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI - - `aigatewayctl` CLI with classify/sanitize/provider/audit commands - - RPCD backend with 11 ubus methods - - ANSSI CSPN compliant audit logging - - **Frontend** (`luci-app-ai-gateway`): - - 4 KISS-themed views: Overview, Providers, Classify, Audit - - Provider management with API key storage - - Interactive classification testing - - Audit log viewer with distribution charts - - Deployed and tested on router (classification + sanitization working) +### 2026-03-04 -### Recently Completed (2026-02-04/05) +- **SBOM Pipeline for CRA Annex I Compliance** + - `scripts/check-sbom-prereqs.sh` - Prerequisites validation + - `scripts/sbom-generate.sh` - Multi-source SBOM generation + - `scripts/sbom-audit-feed.sh` - PKG_HASH/PKG_LICENSE feed audit + - `.github/workflows/sbom-release.yml` - GitHub Actions with CVE gating + - `SECURITY.md` - CRA Art. 13 §6 compliant vulnerability disclosure -- **MAC Guardian Feed Integration** — DONE (2026-02-05) - - Both IPKs built and added to bonus feed - - Catalog updated with security category, wifi icon +- **AI Gateway Full-Stack Implementation** + - 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT + - Provider routing: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI + - `aigatewayctl` CLI with classify/sanitize/provider/audit commands + - `luci-app-ai-gateway` with 4 KISS-themed views -- **Punk Exposure Emancipate** — DONE (2026-02-05) - - CLI: `emancipate` and `revoke` commands for multi-channel exposure - - RPCD: 3 new methods in `luci.exposure` - - Dashboard: Mesh column toggle, Emancipate modal +### 2026-03-03 -- **Jellyfin Post-Install Wizard** — DONE (2026-02-05) - - 4-step modal wizard (Welcome, Media, Network, Complete) - - RPCD methods for wizard status and media path management +- **Comprehensive Service Audit** + - WAF Enforcement: Disabled `waf_bypass` on 21 vhosts + - Container Autostart: Enabled on 9 essential containers + - Glances Fix: Resolved cgroup mount issue + - 18 LXC Containers Running -- **Navigation Component Refactoring** — DONE (2026-02-05) - - `SecuNav.renderTabs()` auto-inits theme and CSS - - `renderCompactTabs()` for nested modules - - Eliminated ~1000 lines of duplicate CSS +- **Vortex DNS Firewall Phases 1-4** + - Threat intel aggregator, SQLite blocklist, dnsmasq integration + - HTTP/HTTPS sinkhole server for infected client detection + - DNS Guard AI detection integration + - Mesh threat sharing via secubox-p2p blockchain -- **ksmbd Mesh Media Sharing** — DONE (2026-02-05) - - `ksmbdctl` CLI with share management - - Pre-configured shares: Media, Jellyfin, Lyrion, Backup +- **Image Builder Validation** + - Validated `secubox-image.sh`, `secubox-sysupgrade.sh` + - Fixed curl redirect issue: Added `-L` flag -- **SMB/CIFS Remote Mount Manager** — DONE (2026-02-04) - - `smbfsctl` CLI, UCI config, init script - - Jellyfin and Lyrion media path integration +### 2026-03-02 -- **Domoticz IoT Integration** — DONE (2026-02-04) - - LXC Debian container with native binary - - MQTT auto-bridge, Zigbee2MQTT integration - - `domoticzctl configure-mqtt` command +- **Reverse MWAN WireGuard v2 - Phase 2** + - LuCI Dashboard for Mesh Uplinks + - 9 RPC methods for uplink management + - 10-second live polling -### In Progress +### 2026-03-01 -- **Vortex DNS Firewall Phases 1-4** — DONE (2026-03-03) - - Created `secubox-vortex-firewall` package for DNS-level threat blocking - - Threat intel aggregator (URLhaus, OpenPhish, Malware Domains feeds) - - SQLite blocklist database with domain deduplication - - dnsmasq integration via sinkhole hosts file - - ×47 vitality multiplier concept - - CLI tool: `vortex-firewall intel/stats/start/stop/sinkhole/dnsguard/mesh` - - RPCD handler with 21 methods for LuCI integration - - Phase 2: HTTP/HTTPS sinkhole server for infected client detection - - Phase 3: DNS Guard AI detection integration with metadata import - - Phase 4: Mesh threat sharing via secubox-p2p blockchain - - LuCI dashboard with Overview, Sinkhole, DNS Guard, and Mesh tabs +- **Reverse MWAN WireGuard v2 - Phase 1** + - WireGuard mesh peers as backup internet uplinks via mwan3 failover + - `wgctl` CLI: uplink list/add/remove/status/test/failover + - UCI config for global and per-uplink settings + +- **Nextcloud Integration Enhancements** + - WAF-safe SSL routing, scheduled backups, SMTP integration + - CalDAV/CardDAV/WebDAV connection info display + +--- + +## In Progress - **Vortex DNS** - Meshed multi-dynamic subdomain delegation (DONE 2026-02-05) - - Created `secubox-vortex-dns` package with `vortexctl` CLI + - `secubox-vortex-dns` package with `vortexctl` CLI - Master/slave hierarchical DNS delegation - - Wildcard domain management (*.domain.com) - - First Peek auto-registration of services - - Gossip-based exposure config sync via secubox-p2p - - Created `luci-app-vortex-dns` dashboard + - Wildcard domain management -### Just Completed (2026-03-03) +--- -- **Comprehensive Service Audit** — DONE (2026-03-03) - - **WAF Enforcement**: Disabled `waf_bypass` on 21 vhosts - all traffic now routes through mitmproxy WAF - - **Mitmproxy WAF**: Restarted service, verified port 8889 binding, HAProxy routing working - - **Container Autostart**: Enabled `lxc.start.auto=1` on 9 essential containers (haproxy, mitmproxy-in, streamlit, matrix, jabber, voip, gitea, domoticz, glances) - - **Glances Fix**: Resolved cgroup mount issue - simplified LXC config to `proc:mixed sys:ro` without cgroup mount - - **Service Verification**: All 30 streamlit instances running, 95+ metablogizer sites configured - - **Health Checks**: HAProxy backend health checks verified (`check` option on all servers) - - **18 LXC Containers Running**: domoticz, gitea, glances, haproxy, jabber, jellyfin, lyrion, mailserver, matrix, mitmproxy-in, mitmproxy-out, nextcloud, peertube, roundcube, streamlit, voip, wazuh - - **Core Services Responding**: Nextcloud, Webmail, Jellyfin, Gitea, Matrix, PeerTube (all return HTTP 301 redirect to HTTPS) +## Next Up -- **Vortex DNS Firewall Phase 3 - DNS Guard Integration** — DONE (2026-03-03) - - Integrated DNS Guard AI detection engine with Vortex Firewall - - Enhanced import with metadata (type, confidence, reason) from alerts.json - - CLI: `dnsguard status/sync/export/alerts` - - RPCD: 3 new methods (dnsguard_status/alerts/sync) - - LuCI DNS Guard Dashboard: status, detection types, alerts table - - Bidirectional feed: Vortex imports DNS Guard, can export back +### v1.1+ Extended Mesh -- **Vortex DNS Firewall Phase 2 - Sinkhole Server** — DONE (2026-03-03) - - HTTP/HTTPS sinkhole captures blocked domain connections - - Warning page with threat type, client IP, domain, timestamp - - CLI: `sinkhole start/stop/status/logs/export/gencert/clear` - - RPCD: 5 new methods (sinkhole_status/events/stats/toggle/clear) - - LuCI Sinkhole Dashboard: infected clients table, event log, toggle - - Transforms Vortex from passive blocker to active threat analyzer - -- **AI Gateway LuCI Dashboard** — DONE (2026-03-03) - - Created `luci-app-ai-gateway` package with 4 KISS-themed views - - Overview: Status cards, provider grid, classification legend, audit stats - - Providers: API key management, enable/disable toggles, test buttons - - Classifier: Interactive testing tool with example inputs - - Audit Log: ANSSI CSPN compliance viewer with distribution chart - - Completes AI Gateway full-stack implementation - -- **Image Builder Validation** — DONE (2026-03-03) - - Validated `secubox-image.sh`, `secubox-sysupgrade.sh`, `resize-openwrt-image.sh` - - Confirmed all device profiles valid (mochabin, espressobin, x86-64) - - Fixed curl redirect issue: Added `-L` flag to 9 curl calls - - First-boot script validated for correct shell syntax - - ASU API connectivity tested successfully - -### Just Completed (2026-03-02) - -- **Reverse MWAN WireGuard v2 - Phase 2** — DONE (2026-03-02) - - LuCI Dashboard for Mesh Uplinks (`uplinks.js`) - - Status cards: Uplink Status, Active Uplinks, Mesh Offers, Provider Mode - - Active Uplinks table with test/priority/remove actions - - Peer Offers grid with "Use as Uplink" button - - API additions: 9 RPC methods for uplink management - - Menu entry: "Mesh Uplinks" tab in WireGuard Dashboard - - 10-second live polling for status updates - - Completes full Reverse MWAN WireGuard v2 feature - -### Just Completed (2026-03-01) - -- **Reverse MWAN WireGuard v2 - Phase 1** — DONE (2026-03-01) - - WireGuard mesh peers as backup internet uplinks via mwan3 failover - - `wgctl` CLI: uplink list/add/remove/status/test/failover/priority/offer/withdraw - - Uplink library (`/usr/lib/wireguard-dashboard/uplink.sh`) with gossip integration - - RPCD backend: 9 new methods for uplink management - - UCI config (`/etc/config/wireguard_uplink`) for global and per-uplink settings - -- **Nextcloud Integration Enhancements** — DONE (2026-03-01) - - WAF-safe SSL routing via mitmproxy_inspector - - Scheduled backups with cron (hourly/daily/weekly) - - SMTP email integration (Gmail, mailserver, Mailcow) - - CalDAV/CardDAV/WebDAV connection info display - - 3 new RPCD methods: get_connections, setup_mail, setup_backup_cron - -### Just Completed (2026-02-28) - -- **Pre-Deploy Lint Script** — DONE (2026-02-28) - - Created `secubox-tools/pre-deploy-lint.sh` for syntax validation before deployment - - JavaScript: Node.js syntax checking, LuCI-specific pattern validation - - JSON: Menu and ACL syntax validation - - Shell: bash -n syntax + shellcheck integration - - CSS: Brace matching, typo detection - - Integrated into `quick-deploy.sh` with `--lint` flag (default for LuCI apps) - - Prevents deployment if errors detected, warns on suspicious patterns - -- **Yggdrasil Extended Peer Discovery** — DONE (2026-02-28) - - Created `secubox-app-yggdrasil-discovery` package for mesh peer discovery - - **yggctl CLI** with commands: status, self, peers, announce, discover, bootstrap - - Gossip protocol integration via mirrornet `yggdrasil_peer` message type - - Auto-peering with trust verification (master-link fingerprint) - - Daemon for periodic announcements (configurable interval) - - UCI config: enabled, auto_announce, announce_interval, auto_peer, require_trust, min_trust_score - - Bootstrap peers list for initial network connectivity - - Tested on C3BOX: yggctl showing correct IPv6 and peer stats - - Files: Makefile, init script, UCI config, core.sh, daemon.sh, gossip-handler.sh, yggctl CLI - - Completes v1.1+ Extended Mesh roadmap (all 3 items done) - -- **tdahbdss Routing Fix** — DONE (2026-02-28) - - AdGuard Home hijacked port 8989 (MetaBlogizer's port) - - Changed AdGuard config from port 8989 to 3000 - - MetaBlogizer routes restored - -- **Tor Shield opkg Bug Fix** — DONE (2026-02-28) - - Root cause: DNS queries for package repos went through Tor DNS (slow/unreliable) - - Fix: Added dnsmasq bypass for excluded domains - - `setup_dnsmasq_bypass()` generates `/tmp/dnsmasq.d/tor-shield-bypass.conf` - - Excluded domains resolve directly via upstream DNS, bypassing Tor - - Default exclusions: openwrt.org, pool.ntp.org, letsencrypt.org, DNS provider APIs - - `cleanup_dnsmasq_bypass()` removes config on Tor Shield stop - -- **HAProxy Portal 503 Fix** — DONE (2026-02-28) - - Root cause: Vhost for 192.168.255.1 had malformed backend: `backend='--backend'` - - Container exit: `unable to find required use_backend: '--backend'` - - Fix: Corrected UCI to `backend='luci_default'`, disabled ACME, regenerated config - - Portal now returns 200 and redirects to LuCI - -- **AI Gateway (Sovereignty Engine)** — DONE (2026-02-28) - - Created `secubox-ai-gateway` package for ANSSI CSPN compliance - - **Data Classifier** with 3 tiers: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT - - **Provider hierarchy**: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI - - **PII Sanitizer**: IPv4/IPv6, MAC, credentials, private keys scrubbing - - **OpenAI-compatible proxy** on port 4050 - - **aigatewayctl CLI**: status, classify, sanitize, provider, audit, offline-mode - - **RPCD backend**: 11 ubus methods for LuCI integration - - **Audit logging**: JSONL format for compliance review - - Files: Makefile, UCI config, init.d, classifier.sh, sanitizer.sh, providers.sh, proxy.sh, audit.sh, 6 provider adapters - - **Deployed and tested** on C3BOX: - - Classification working: IPs → LOCAL_ONLY, generic → CLOUD_DIRECT - - Sanitization working: IPv4, MAC, credentials correctly redacted - - Proxy running on port 4050 via socat - - API endpoints responding: /health, /v1/models - - **Integrated** with MCP server and threat-analyst: - - Both route through AI Gateway (preferred) with LocalAI fallback - - Ensures threat data (IPs, MACs, logs) stays LOCAL_ONLY - -- **Nextcloud Users List Fix** — DONE (2026-02-28) - - RPC `expect: { users: [] }` extracted array, render expected object - - Fixed to `expect: {}` for full response - -### Just Completed (2026-02-27) - -- **OpenClaw AI Assistant LuCI Package** — DONE (2026-02-27) - - Created `luci-app-openclaw` with 3 views: Chat, Settings, Integrations - - RPCD backend with 9 ubus methods - - Multi-provider support: Claude, GPT, Ollama - - Chat interface with markdown rendering and history - - Integrations: Telegram, Discord, Slack, Email, Calendar - -### Just Completed (2026-02-26) - -- **Yggdrasil IPv6 Overlay Network** — DONE (2026-02-26) - - Deployed Yggdrasil on both master (aarch64) and clone (x86_64) - - Connected to 2 public peers (51.15.204.214, ygg.mkg20001.io) - - LAN multicast discovery: clone auto-peered with master via br-lan (1.73ms RTT) - - Bidirectional ping6 working: - - Master → Clone: ~6.2ms avg - - Clone → Master: ~2.2ms avg - - SSH over Yggdrasil working bidirectionally - - Fixed firewall zones: added `device="ygg0"` to nftables zones on both nodes - - IPv6 addresses: - - Master: `201:e4d4:9d55:9a02:7427:7081:9cf9:9e46` - - Clone: `201:a9d8:5a5:e493:bd0b:2c2f:5e85:34fe` - -- **ZKP Cross-Node Verification Testing** — DONE (2026-02-26) - - Full bidirectional ZKP authentication tested between master (aarch64) and clone (x86_64) - - Generated 50-node Hamiltonian graphs on both nodes - - Master → Clone: ACCEPT (clone verified master's proof) - - Clone → Master: ACCEPT (master verified clone's proof) - - Deployed x86_64 ZKP binaries (zkp_keygen, zkp_prover, zkp_verifier) to clone - - Proof sizes: ~40-80KB, verification time: <1 second - - Nodes can now cryptographically authenticate identity without sharing secrets - -- **Mesh Blockchain Bidirectional Sync Testing** — DONE (2026-02-26) - - Tested chain.json sync between master (192.168.255.1) and clone (192.168.255.156) - - Master → Clone: 112 blocks synced successfully - - Clone added block 113 (type: "clone_test", node: "clone1") - - Clone → Master: Block 113 merged back to master - - Both nodes at identical chain height with matching hash - - Validates threat intel propagation works bidirectionally - -- **P2P Threat Intelligence Sharing** — DONE (2026-02-26) - - Real CrowdSec/WAF threat IOCs propagate between mesh nodes - - Master threat (198.51.100.1) → synced to clone ✓ - - Clone threat (203.0.113.99) → synced to master ✓ - - 100+ real threat_ioc blocks shared (waf_bypass, jenkins_rce, sql_injection) - - Automatic sync every 5 minutes via SSH-based cron job - - Deployed p2p-mesh.sh to clone for block generation - -- **Nextcloud nginx Static File Fix** — DONE (2026-02-26) - - Talk app CSS/JS blocked with "incorrect MIME type (text/html)" - - Root cause: `/apps/` location block with `^~` modifier catching static files - - Fix: Removed problematic location block, static files now served correctly - - Talk video calls now functional - -- **Mail Server Webmail Detection Fix** — DONE (2026-02-26) - - Webmail status showed "Stopped" despite Roundcube LXC running - - Root cause: RPCD only checked Docker, not LXC containers - - Fix: Added `webmail.type` UCI check, use `lxc-info` for LXC - -### Just Completed (2026-02-25) - -- **MetaBlogizer HAProxy Stability** — DONE (2026-02-25) - - Fixed random 404 errors caused by multiple HAProxy instances - - Root cause: Both host and container HAProxy were listening on ports 80/443 - - Fix: Disabled host HAProxy service, container HAProxy is now sole handler - - Added auto-republish on upload for emancipated sites - - All sites (rfg, form, facb, plainte) now consistently return HTTP 200 - -- **Factory Dashboard LuCI** — DONE (2026-02-25) - - Added Factory tab to Cloning Station (`luci-app-cloner/overview.js`) - - Discovery Mode Toggle with visual status (🟢 ON / 🔴 OFF) - - Pending Devices list with approve/reject and profile assignment - - Bulk Token Generator with profile selection - - Hardware Inventory table (MAC, Model, CPU, RAM, Storage) - - 8 RPC declarations, 5 state properties, 5 render functions, 6 event handlers - - Polling: Factory data included in 5-second refresh when on tab - - UI Pattern: KISS theme components (stat boxes, cards, tables, buttons) - -- **Factory Auto-Provisioning Backend** — DONE (2026-02-24) - - Zero-touch provisioning for new mesh devices without pre-shared tokens - - Hardware inventory collection (MAC, serial, model, CPU, RAM, storage) - - Profile-based configuration (7 profiles: default, enterprise, home-*, media-server, smart-home) - - Discovery mode with pending queue and manual/auto approval - - Bulk token generation (up to 100 tokens per batch) - - Clone provision enhancements for discovery-based join - - 9 new RPCD methods in luci.cloner - - Files: `inventory.sh`, `profiles.sh`, `default.json` (new) - - Modified: `master-link.sh`, `50-secubox-clone-provision`, `luci.cloner`, `p2p-mesh.sh` - - Tested: All methods working via ubus - -- **ZKP Mesh Authentication** — DONE (2026-02-24) - - Zero-Knowledge Proof integration for cryptographic mesh authentication - - Each node has ZKP identity (public graph + secret Hamiltonian cycle) - - New API endpoints: `/api/master-link/zkp-challenge`, `/api/master-link/zkp-verify`, `/api/zkp/graph` - - Shell functions: `ml_zkp_init()`, `ml_zkp_challenge()`, `ml_zkp_verify()`, `ml_zkp_trust_peer()` - - Blockchain acknowledgment via `peer_zkp_verified` block type - - UCI config options: `zkp_enabled`, `zkp_fingerprint`, `zkp_require_on_join`, `zkp_challenge_ttl` - - Tested on master (fingerprint: `7c5ead2b4e4b0106`) - - Files: `master-link.sh` (ZKP functions), 3 new API endpoints - -- **ZKP Join Flow Integration** — DONE (2026-02-24) - - Enhanced `ml_join_request()` to accept and verify ZKP proofs during join - - Enhanced `ml_join_approve()` to auto-fetch and store peer's ZKP graph - - New peer-side `ml_join_with_zkp()` function for ZKP-authenticated joining - - `/api/master-link/join` now accepts `zkp_proof` and `zkp_graph` fields - - When ZKP proof provided: fingerprint = SHA256(graph)[0:16] (ZKP fingerprint) - - Option `zkp_require_on_join` to mandate ZKP for all new joins - - Join requests now store `zkp_verified` and `zkp_proof_hash` fields - - Tested: Clone joined with `zkp_verified: true`, graph auto-stored on approval - -- **LuCI ZKP Dashboard** — DONE (2026-02-24) - - Added ZKP Status section to `luci-app-master-link` Overview tab - - Cards: ZKP Identity (fingerprint), ZKP Tools status, Trusted Peers count - - Color theme: purple gradient for ZKP elements - - Added ZKP badge column to peer table (🔐ZKP vs TOKEN) - - Helper function `zkpBadge()` for visual auth type indicator - -- **MirrorNet Ash Compatibility Fix** — DONE (2026-02-24) - - Fixed process substitution `< <(cmd)` incompatibility with BusyBox ash - - Converted to pipe-based patterns with temp files for variable persistence - - Files fixed: mirror.sh (3), gossip.sh (3), health.sh (1), identity.sh (1) - - Tested: `mirrorctl` CLI fully functional on both routers - - Mirror features working: add service, add upstream, health check, HAProxy config generation - -- **Mesh Blockchain Sync** — DONE (2026-02-24) - - Fixed chain.json append logic for proper JSON structure preservation - - Fixed `/api/chain/since/` endpoint to return only new blocks as array - - `chain_add_block()`: Uses awk to safely insert before closing `] }` - - `chain_merge_block()`: Same awk-based approach for remote block merging - - `sync_with_peer()`: Properly merges blocks into local chain - - Handles JSON with/without trailing newlines and varying whitespace - - Tested bidirectional sync: Master ↔ Clone both at height 70, matching hash - - Files: `p2p-mesh.sh` (chain functions), `/www/api/chain` (endpoint) - -### Just Completed (2026-02-20) - -- **LuCI VM Manager** — DONE (2026-02-20) - - `luci-app-vm` package for LXC container management dashboard - - Status bar: total/running/stopped containers, disk usage - - Container cards with Start/Stop/Restart, Snapshot, Export controls - - RPCD handler with 10 methods: status, list, info, logs, start, stop, restart, snapshot, export - - Polling for live status updates - -- **Vortex Firewall Stats Fix** — DONE (2026-02-20) - - Enabled BIND RPZ logging for blocked queries - - Created `/usr/sbin/vortex-firewall-stats` script to parse logs - - Fixed RPCD handler to read hit_count from stats file - - Added cron job for automatic stats updates every 5 minutes - - Verified: 12,370 domains blocked, RPZ NXDOMAIN working - -- **SaaS Relay HAProxy Integration** — DONE (2026-02-20) - - Fixed relay.gk2.secubox.in routing to mitmproxy on port 8891 - - Created SaaS relay dashboard HTML at /srv/saas-relay/web/ - - HexoJS fallback via uhttpd on port 4000 - -- **Matrix Homeserver (Conduit)** — DONE (2026-02-20) - - E2EE mesh messaging server using Conduit Matrix homeserver - - LXC container with pre-built ARM64 Conduit binary (0.10.12) - - `matrixctl` CLI (1279 lines): install/uninstall/update, user management, rooms, federation - - `luci-app-matrix` dashboard with: - - Install wizard, status cards, feature badges - - Service controls (Start/Stop/Update/Uninstall) - - User management form - - Emancipate (public exposure) with HAProxy + SSL - - Identity (DID) integration section - - P2P mesh publication toggle - - Logs viewer - - RPCD backend with 17 methods - - UCI config: main, server, federation, admin, database, network, identity, mesh - - Tested and verified on router (all checks pass, API responding) - -- **SaaS Relay CDN Caching & Session Replay** — DONE (2026-02-20) - - CDN cache with configurable profiles: minimal, gandalf, aggressive - - Session replay modes: shared (default), per_user, master - - New CLI commands: `saasctl cache {status|clear|profile|enable|disable}` - - New CLI commands: `saasctl session {status|mode|master|enable|disable}` - - Enhanced mitmproxy addon (415 lines) with response caching - - UCI config sections: cache, cache_profile (3), session_replay - - Config JSON export: config.json + services.json - -- **Media Services Hub Dashboard** — DONE (2026-02-20) - - Unified dashboard for all SecuBox media services at `/admin/services/media-hub` - - Category-organized cards: streaming, conferencing, apps, display, social, monitoring - - Service cards with status indicators, start/stop/restart controls - - RPCD backend querying 8 media services (Jellyfin, Lyrion, Jitsi, PeerTube, etc.) - - Files: `luci-app-media-hub` package - -- **HexoJS KISS Static Upload** — DONE (2026-02-20) - - Multi-user/multi-instance authentication with HAProxy Basic Auth - - UCI config for users, auth, and instances - - `hexoctl user add/del/passwd/grant/revoke` commands - - `hexoctl auth enable/disable/status/haproxy` commands - - KISS static upload workflow (no Hexo build required): - - `hexoctl static create ` - Create static-only site - - `hexoctl static upload ` - Upload HTML/CSS/JS directly - - `hexoctl static publish` - Copy to /www/ for immediate serving - - `hexoctl static quick ` - One-command upload + publish - - Tested and verified on router - -- **HexoJS Content Upload Wizard** — DONE (2026-02-20) - - 3-step wizard UI at `/admin/services/hexojs/upload` - - File upload: HTML, PDF, Markdown (.md) support - - Metadata: Title, Category, Tags, Public/Private visibility - - Multi-target publishing: HexoJS Blog, Gitea, Streamlit, MetaBlogizer - - Base64 encoding for binary file transfer - - RPCD methods: upload_article, upload_pdf, upload_html, publish_draft, unpublish_post, get_uploads - - Gitea integration with repo/path selection - - SecuBox Welcome Guide deployed at /guide/, /connexion.html, /accueil.html - -### Just Completed (2026-02-19) - -- **WAF VoIP/XMPP Security Filters** — DONE (2026-02-19) - - Added 4 new WAF categories to mitmproxy: - - `voip`: 12 SIP/VoIP patterns (header injection, ARI/AMI abuse) - - `xmpp`: 10 XMPP patterns (XSS, XXE, BOSH hijack) - - `cve_voip`: 9 CVEs for Asterisk/FreePBX/Kamailio/OpenSIPS - - `cve_xmpp`: 8 CVEs for Prosody/ejabberd/Tigase - - Autoban options for voip/xmpp attacks - - Total: 40+ new detection patterns, 17+ CVEs - -- **Self-Hosted Jitsi Meet** — DONE (2026-02-19) - - Full LXC deployment: Prosody (5380), Jicofo, JVB, Nginx (9088) - - HAProxy vhost at `meet.gk2.secubox.in` with Let's Encrypt SSL - - WAF bypass for WebRTC compatibility - - Webchat integrated with self-hosted Jitsi - - Complete video conferencing without external dependencies - -- **VoIP (Asterisk PBX) + Jabber Integration** — DONE (2026-02-19) - - Created `secubox-app-voip` package with Asterisk PBX in LXC container - - OVH Telephony API integration for SIP trunk auto-provisioning - - `voipctl` CLI: install/uninstall, ext add/del, trunk add ovh, call, vm list - - Created `luci-app-voip` with 4 views: Overview, Extensions, Trunks, Click-to-Call - - RPCD backend with 15 methods for VoIP management - - Jabber VoIP integration: - - Jingle VoIP support (STUN/TURN via mod_external_services) - - SMS relay via OVH (messages to sms@domain) - - Voicemail notifications via Asterisk AMI → XMPP - - Updated jabberctl with `jingle enable/disable`, `sms config/send`, `voicemail-notify` - - Updated luci.jabber RPCD with 9 new VoIP methods - - UCI config sections: jingle, sms, voicemail - -- **Matrix Homeserver Integration** — DONE (2026-02-19) - - Created `secubox-app-matrix` package with Conduit Matrix server in LXC - - Pre-built ARM64/x86_64 binaries (~15MB), ~500MB RAM footprint - - `matrixctl` CLI: install/start/stop, user management, federation, emancipate - - HAProxy integration, identity linking (DID), P2P mesh publication - - Created `luci-app-matrix` dashboard with KISS theme - - Install wizard, status cards, user form, emancipate form, logs viewer - - RPCD backend with 18 methods - - Completes v1.0.0 roadmap: Matrix + VoIP + Jabber = full mesh communication stack - -### Just Completed (2026-02-17) - -- **PeerTube yt-dlp Video Import** — DONE (2026-02-17) - - Installed yt-dlp in PeerTube LXC container - - Added RPCD methods: import_video, import_status - - LuCI UI section with URL input and download button - - Supports YouTube, Vimeo, and 1000+ sites - - Downloads to import folder for PeerTube admin upload - -- **mitmproxy WAF Filters UI** — DONE (2026-02-17) - - Added new "WAF Filters" tab to mitmproxy LuCI interface - - Displays 10 filter categories: sqli, xss, lfi, rce, cve_2024, scanners, webmail, api_abuse, nextcloud, roundcube - - Toggle enable/disable per category with live updates - - Expandable rules tables showing patterns, descriptions, CVE links - - Summary stats: total categories, active filters, rule count - - RPCD methods: get_waf_rules, toggle_waf_category - -- **Security KISS Dashboard Enhancements** — DONE (2026-02-17) - - Added ndpid (nDPI daemon) to service status monitoring - - Added Wazuh SIEM to security services list (earlier today) - - 6 services now monitored: CrowdSec, Wazuh, netifyd, ndpid, mitmproxy, Threat Intel - -- **APPS Portal Extensions** — DONE (2026-02-17) - - Added Streamlit and MetaBlogizer to Services category in KISS portal - - Apps now accessible via Extended Apps view - -- **Jellyfin Container Restore** — DONE (2026-02-17) - - Started stopped jellyfin container - - Enabled auto-start (lxc.start.auto = 1) - - Verified port 8096 accessible - -- **Webmail PHP-FPM Fix** — DONE (2026-02-17) - - Fixed 504 timeout by restarting dead PHP-FPM process in roundcube container - - Login/authentication working again - -- **WebRadio LuCI App** — DONE (2026-02-17) - - Added `luci-app-webradio` package from webradio-openwrt project - - 7 LuCI JS views: overview, server, playlist, schedule, jingles, live, security - - RPCD backend with 15+ methods - - CrowdSec integration for Icecast abuse detection - - Programming grid scheduler with jingle support - - Live audio input via DarkIce (ALSA) - - Source: https://github.com/gkerma/webradio-openwrt - -- **Nextcloud LXC Enhancement** — DONE (2026-02-17) - - Updated version to 31.0.5, added auto-start and cgroup memory limit - - Fixed nginx /apps/ path for static assets - - Added Storage tab with disk usage visualization - - Added backup delete functionality - - Added RPCD: uninstall, get_storage, delete_backup (20 methods total) - - Rewrote README.md with LXC architecture docs - -- **SecuBox Cloner MochaBin LED Fix** — DONE (2026-02-17) - - Added i2c LED blacklist to clone provision scripts - - Prevents PCA955x I2C bus lockup on MochaBin devices - - Three-method fix: kernel bootarg, module removal, LED trigger disable - - Clone backup generator includes 00-disable-i2c-leds firstboot script - - Successfully cloned moka1 from c3box with sysupgrade method - -- **Mailserver Dovecot Permissions Fix** — DONE (2026-02-17) - - Fixed startup permissions: login/token-login directories owned by root:dovenull - - Remove stale auth-token-secret.dat on startup (prevents "compromised token" errors) - - Fixed users file permissions in user_add/user_passwd functions (644 root:dovecot) - - Password reset no longer breaks authentication - - Released in v0.20.6 - -- **Nextcloud 31.0.14 Upgrade & Fixes** — DONE (2026-02-17) - - Upgraded from 30.0.17 to 31.0.14 - - Fixed nginx 403 on /apps/* paths (removed overly aggressive location block) - - Added cron job setup for background tasks (every 5 minutes) - - All apps updated: mail, tasks, external, spreed/Talk - -- **DNS Master POSIX Fix** — DONE (2026-02-17) - - Fixed bump_serial() bash-specific syntax for busybox ash compatibility - - del_record now works via RPCD (was failing with "arithmetic syntax error") - - All DNS Master LuCI buttons tested and working - -- **LXC Container Auto-Start** — DONE (2026-02-17) - - Enabled lxc.start.auto for mailserver, roundcube, nextcloud - - Containers now survive reboots - -- **Mailctl Firewall Rules** — DONE (2026-02-17) - - Updated cmd_firewall_setup() with UCI firewall rules - - Input rules for WAN (ports 25, 143, 465, 587, 993) - - Forward rules for WAN-to-LAN mailserver - -### Just Completed (2026-02-16) - -- **HexoCMS Multi-Instance Enhancement** — DONE (2026-02-16) - - Added backup/restore commands to hexoctl - - Added GitHub clone support (`hexoctl github clone [instance] [branch]`) - - Added Gitea push support (`hexoctl gitea push [instance] [message]`) - - Added quick-publish command (clean + build + publish) - - Added status-json and instance-list-json for RPCD - - Enhanced RPCD handler with 15 new methods: - - Instance: list_instances, create_instance, delete_instance, start_instance, stop_instance - - Backup: list_backups, create_backup, restore_backup, delete_backup - - Git: github_clone, gitea_push, quick_publish - - Rewrote LuCI dashboard with KISS theme: - - Multi-instance management with cards - - Instance controls: start/stop, quick publish, backup, editor, preview - - GitHub/Gitea clone modals - - Backup table with restore/delete - - Stats grid: instances, posts, drafts, backups - - Quick actions: new instance, clone from GitHub/Gitea, new post, settings - - Updated API with 12 new RPC declarations - - Updated ACL with new permissions - -- **DNS Master LuCI App** — DONE (2026-02-16) - - Created `secubox-app-dns-master` with `dnsmaster` CLI - - Commands: status, zone-list, zone-add, records-json, record-add/del, reload, check, backup - - Created `luci-app-dns-master` with KISS dashboard - - Zones table with Edit/Check/Backup, Records editor with type badges - - Add Zone/Record modals, live polling, auto serial bump - - Added to KISS nav Network category - -- **Mailserver LuCI KISS Regeneration** — DONE (2026-02-16) - - Complete rewrite of overview.js with KISS theme - - Fixed IMAP hairpin NAT issue (hosts override in Nextcloud container) - - Fixed port 143 detection in RPCD script - - Stats grid, port cards, users/aliases tables, webmail card - - Added to KISS nav Apps category - -- **Nextcloud LXC Production Deploy** — DONE (2026-02-16) - - Installed on c3box with Debian 12 LXC - - Fixed nginx port conflict (80→8080) with HAProxy - - Fixed PHP-FPM socket path (php8.2-fpm.sock) - - Fixed nginx routing (rewrite to index.php for /apps/*) - - HAProxy SSL configured: https://cloud.gk2.secubox.in - - Mitmproxy routes updated for direct backend access - -- **WAF Rules for Nextcloud & Roundcube** — DONE (2026-02-16) - - Added 20 CVE-based rules to `/srv/mitmproxy/waf-rules.json` - - Nextcloud: CVE-2023-49791, CVE-2024-22403, CVE-2024-37315, etc. - - Roundcube: CVE-2024-37383, CVE-2023-5631, CVE-2020-35730, etc. - - Common attack patterns: path traversal, XSS, SQLi, RCE - -- **Mail Client Autoconfig** — DONE (2026-02-16) - - DNS records: autoconfig.*, autodiscover.*, SRV for _imaps/_submission - - Autoconfig XML at `/.well-known/autoconfig/mail/config-v1.1.xml` - - Mozilla/Thunderbird format with IMAP (993/143) and SMTP (587/465) - - HAProxy vhost and mitmproxy routes configured - -- **Nextcloud Upgrade 31.0.14** — DONE (2026-02-16) - - Upgraded from 30.0.17 → 31.0.14 via OCC updater - - All apps updated: mail, tasks, external, spreed/Talk - - Database schema migrations completed - -- **Mailctl Firewall Rules Persistence** — DONE (2026-02-16) - - Updated `cmd_firewall_setup()` with UCI firewall rules - - Input rules for WAN (ports 25, 143, 465, 587, 993) - - Forward rules for WAN-to-LAN mailserver - - Rules persist across firewall restarts - -### Recently Completed (2026-02-15) - -- **HAProxy & Mitmproxy WAF Fixes** — DONE (2026-02-15) - - Fixed HAProxy reload: copy config to `/etc/haproxy/` before signal - - Fixed mitmproxy Host header preservation for OAuth compatibility - - Reset WAF globally: removed `waf_bypass` from 70 vhosts/ACLs - - All traffic now routes through mitmproxy for inspection - - Committed: f3f6eb4e - -- **PeerTube Email Configuration** — DONE (2026-02-15) - - Configured SMTP with local mailserver (192.168.255.30:25) - - Fixed STARTTLS self-signed cert error (disable_starttls: true) - - Password resets and notifications working - -- **Wazuh Agent Watchdog** — DONE (2026-02-15) - - Added watchdog loop to check wazuh-agentd every 60 seconds - - Auto-restarts service if process dies - - Logs to `/var/log/wazuh-watchdog.log` - - Committed: 851910e1 - -- **Streamlit Gitea Integration** — DONE (2026-02-15) - - Auto-push on first upload confirmed working - - Pushed 4 missing apps to Gitea (cineposter_fixed, pdf_slideshow, pharmacopoeia_secubox, wuyun_liuqi) - - 18 apps now have Gitea repos - - Fixed `secubox-evolution` repo privacy (was public → now private) - - All Gitea repos now created with `private:true` by default - -- **Mailserver gk2 Account Restoration** — DONE (2026-02-15) - - Container was reinstalled on Feb 14, only admin@ was recreated - - Restored gk2@secubox.in from backup (config-20260206-171132.tar.gz) - - Same password hash preserved (no password change needed) - - Note: Maildir was already empty in backup (emails lost before Feb 6) - -- **Mitmproxy WAF Dashboard Data Path Fix** — DONE (2026-02-15) - - Dashboard was showing 0 threats because RPCD read from `/srv/mitmproxy` (out) - - Fixed to read from `/srv/mitmproxy-in` (WAF input instance) - - Now displays correct stats: 997 threats today, 29 pending autobans - - Updated: get_status, get_alerts, get_threat_stats, get_subdomain_metrics - - Committed: 42d85c4d - -- **PeerTube Transcoding Jobs Fix** — DONE (2026-02-15) - - Videos were stuck with `waitTranscoding=true` and not showing in public listing - - Root cause: Admin enabled "remote runners" for transcoding but no runners registered - - `runnerJob` table had 6 jobs stuck in pending state (state=1) - - Fix: Set `waitTranscoding=false` directly in database to make videos visible - - Alternative fix (for future uploads): Disable remote runners in admin panel, use local ffmpeg - -- **GK2 Hub Landing Page Subdomain URLs** — DONE (2026-02-15) - - Previous version used redirect paths (`secubox.in/gk2/service`) - - Updated `gk2hub-generate` to use direct subdomain URLs (`service.gk2.secubox.in`) - - Added HAProxy vhost lookup for automatic subdomain detection - - Added PeerTube, GoToSocial, Wazuh to Infrastructure section - - 67 services now display with proper subdomain URLs - -- **PeerTube Video Platform Package** — DONE (2026-02-15) - - Created `secubox-app-peertube` package for self-hosted video streaming - - LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg - - `peertubectl` CLI with 15+ commands: install/uninstall/update/start/stop/status - - Live streaming support with RTMP port 1935 - - HAProxy integration with extended timeouts (3600s) for streaming - - Emancipation workflow for public exposure - - User management: create-user, reset-password, list-users - - Backup/restore PostgreSQL database - - UCI config: main, server, live, transcoding, storage, network, admin sections - - Fixed: Redis ARM64-COW-BUG via `ignore-warnings` config - - Fixed: Redis sentinel disabled (using standalone Redis) - - Fixed: RTMPS disabled (no SSL keys needed) - - Fixed: HAProxy waf_bypass=1 for proper OAuth routing - -- **PeerTube LuCI Dashboard** — DONE (2026-02-15) - - Created `luci-app-peertube` package - - RPRD handler with 11 methods: status, start, stop, install, uninstall, update, logs, emancipate, live_enable, live_disable, configure_haproxy - - Dashboard with install wizard, status display, service controls - - Live streaming toggle with firewall integration - - HAProxy configuration button - - Emancipate form for public exposure - - Logs viewer with refresh - -- **Generative LuCI Tree** — DONE (2026-02-15) - - Created `luci.secubox-portal` RPCD backend for dynamic component discovery - - Three RPC methods: get_tree, get_containers, get_vhosts - - Auto-discovers all installed `luci-app-*` packages and groups by category: - - SecuBox Core, Security, Media & Streaming, Network & Proxy - - Development & CMS, IoT & Home, AI & Communication, System & Management - - Discovers LXC containers from `/srv/lxc/` with running state - - Discovers HAProxy vhosts from UCI with domain/backend/ssl info - - Updated `luci-tree.js` with: - - Three tabs: LuCI Apps, Containers, Vhosts - - Refresh button for live updates - - Stats showing packages, containers, vhosts counts - - Search functionality for filtering - - ACL permissions for unauthenticated portal access - -### Just Completed (2026-02-14) - -- **mitmproxy WAF Wildcard Route Priority Fix** — DONE (2026-02-14) - - Fixed wildcard route matching in `haproxy_router.py` - - Issue: `.gk2.secubox.in` wildcard (port 4000) matched before specific routes like `apr.gk2.secubox.in` (port 8928) - - Fix: Support both `*.domain` and `.domain` wildcard formats - - Fix: Sort wildcards by length (longest/most specific first) - - Added auto-reload: Routes file checked every 10 requests, reloads if modified - - Updated `metablogizerctl` to use `mitmproxyctl sync-routes` instead of direct file manipulation - - MetaBlogizer sites now properly routed through WAF - -- **Wazuh SIEM LuCI Dashboard** — DONE (2026-02-14) - - Created `luci-app-wazuh` package for unified Wazuh security monitoring - - 4 views: Overview, Alerts, File Integrity, Agents - - SysWarden-inspired 4-layer security visualization - - RPCD handler (luci.wazuh) with 12 API methods - - CrowdSec integration for threat correlation display - - Full RPCD testing verified via ubus calls - -- **MetaBlogizer SDLC Content Restoration** — DONE (2026-02-14) - - sdlc.gk2.secubox.in was showing GK2 Hub template instead of original content - - GK2 Hub generator had overwritten local index.html - - Original "Les Seigneurs de La Chambre - Présentation Cinématique" preserved in git - - Restored via `git checkout HEAD -- index.html` - - Site now correctly displaying cinematic presentation content - -- **Streamlit WebSocket WAF Bypass** — DONE (2026-02-14) - - Streamlit apps use WebSockets which are incompatible with MITM proxy - - Re-added `waf_bypass=1` to all 20 Streamlit apps - - Apps now route directly through HAProxy without mitmproxy filtering - - Trade-off: Streamlit apps bypass WAF for WebSocket compatibility - -- **WAF Architecture Configuration** — DONE (2026-02-14) - - WAF (mitmproxy) enabled for Streamlit apps and MetaBlogizer sites - - WAF bypass for infrastructure: Jellyfin, Mail, Glances, GoToSocial, Webmail - - Path ACLs (`/gk2/*`) bypass WAF - mitmproxy routes by host only - - 38 path ACLs configured with `waf_bypass=1` - - Architecture: HAProxy → mitmproxy (WAF) → Backend (filtered) or HAProxy → Backend (bypass) - -- **C3BOX SDLC Full Service Verification** — DONE (2026-02-14) - - Verified all 70 services across 12 zones on C3BOX dashboard - - Zones: *.cybermind.fr (2), *.cybermood.eu (2), *.ganimed.fr (2), *.maegia.tv (19), *.secubox.in (29), *.sb.local (4), *.secubox.local (2) - - 20 Streamlit apps, 15 MetaBlog sites, infrastructure services - - 77 vhosts configured, 52 SSL certificates, 5 LXC containers running - - All public services returning HTTP 200 - -- **Mitmproxy Routes Duplicate Fix** — DONE (2026-02-14) - - Fixed duplicate entries in `/srv/mitmproxy-in/haproxy-routes.json` - - `console.gk2.secubox.in` and `control.gk2.secubox.in` had duplicate routes - - Second entry (port 8081) was overriding correct Streamlit ports (8501/8511) - - Removed duplicates, verified correct routing - -- **Service Backend Fixes** — DONE (2026-02-14) - - `play.maegia.tv`: Changed backend from `mitmproxy_inspector` to `streamlit_yijing` - - `client.gk2.secubox.in`: Enabled `pinafore_srv` server with health check - - Added uhttpd instance on port 4002 for Pinafore static landing page - -- **Glances System Monitor** — DONE (2026-02-14) - - Installed `python3-pip` via opkg - - Installed Glances 4.5.0.4 via pip3 with dependencies - - Created dummy `webbrowser.py` module for headless operation - - Started Glances web server on port 61208 - - https://glances.gk2.secubox.in now operational - -- **GoToSocial Service Start** — DONE (2026-02-14) - - Enabled GoToSocial in UCI config - - Started LXC container via `gotosocialctl start` - - https://social.gk2.secubox.in operational - -### Just Completed (2026-02-13) - -- **GoToSocial Fediverse Server** — DONE (2026-02-13) - - Deployed GoToSocial v0.17.0 ActivityPub server - - Direct execution mode (v0.18.0 has cgroup panics) - - Domain: `social.gk2.secubox.in` with wildcard SSL - - HAProxy exposure with backend to 192.168.255.1:8484 - - Admin user created and promoted - - SQLite database, web assets configured - - Live at https://social.gk2.secubox.in - -- **Cloning Station Remote Device Management** — DONE (2026-02-13) - - 6-tab tabbed interface: Overview, Remotes, Build, Console, History, Images - - Remote device management via UCI and RPCD - - SSH key authentication setup using dropbear - - Network scan for discovering SecuBox devices - - Remote status: hostname, model, version, uptime - - Image upload and remote flash with token injection - - sysupgrade with keep_settings option - - 7 new RPCD methods: list_remotes, add_remote, remove_remote, remote_status, remote_upload, remote_flash, scan_network - - Uses dropbear's dbclient for SSH (OpenWrt native) - -- **Cloning Station Dashboard Enhancements** — DONE (2026-02-13) - - 5-tab tabbed interface: Overview, Build, Console, History, Images - - Build Progress UI: real-time log streaming, stage indicators, progress bar - - Serial Console: port selection, live output, command input (requires stty) - - Clone History: JSON-based tracking with timestamp/device/status - - Image Manager: storage info, image details modal, delete/rename - - 10 new RPCD methods added with ACL permissions - -### Just Completed (2026-02-08 PM) - -- **Vortex Hub Wildcard Routing** — DONE (2026-02-08) - - HAProxy wildcard domain support (`*.gk2.secubox.in`) - - Subdomain-to-path rewriting: `{sub}.gk2.secubox.in/x` → `/{sub}/x` - - New `match_type` option: exact, suffix, regex - - Vortex fallback backend with `X-Vortex-Node` headers - - Prepares infrastructure for distributed mesh node publishing - -- **Mitmproxy WAF Subdomain Metrics** — DONE (2026-02-08) - - Track requests/threats per subdomain in `secubox_analytics.py` - - New RPCD method: `subdomain_metrics` - - Metrics: requests, threats, protocols, methods, status codes, top URIs, countries - - LuCI dashboard shows subdomain metrics instead of alerts - -- **RPCD luci.secubox Modular Refactor** — DONE (2026-02-08) - - Split 2544-line monolithic handler into 14 modules - - Thin dispatcher + `/usr/lib/secubox/rpcd.d/*.sh` modules - - Modules: core, modules, profiles, snapshots, health, dashboard, appstore, state, network, feeds, skills, feedback, p2p - - Shared utilities in `_common.sh` - -- **HAProxy Backend IP Fixes** — DONE (2026-02-08) - - Fixed all `127.0.0.1` → `192.168.255.1` in backend configs - - Cleaned up duplicate vhosts and invalid IP:port backend formats - - Fixed `presse.cybermood.eu` routing - - Fixed `streamlit_evolution` stale config in container - -- **GK2 Node Service Mapping** — DONE (2026-02-08) - - Complete map of 10 published domains - - 9 active backends documented - - Wildcard certificate ready for mesh - -- **HAProxy Path-Based ACL Routing** — DONE (2026-02-08/09) - - Added `_add_path_acl()` function to haproxyctl for UCI `acl` sections - - Support for path_beg, path_end, path, path_reg, path_dir match types - - Path ACLs processed before vhost ACLs (higher priority) - - Fixed http_request list handling to avoid duplicate output - - **Pattern Length Sorting** (2026-02-09): ACLs now sorted by pattern length (longest first) - - Two-phase: `_collect_path_acl()` + `_emit_sorted_path_acls()` - - Ensures `/gk2/evolution` matches before `/gk2` - - Apex domain routing: `secubox.in/gk2/**` instead of `*.gk2.secubox.in` - - Tested: `/gk2`, `/gk2/evolution`, `/gk2/control` all routing correctly - -- **Gandi DNS Secondary Setup** — DONE (2026-02-08) - - Configured BIND master to allow zone transfers to Gandi (217.70.177.40) - - Added `also-notify` and `notify yes` for automatic zone updates - - Synced all BIND zone records to Gandi LiveDNS via API - - Updated registrar nameservers to Gandi LiveDNS (ns-*.gandi.net) - - DNS propagation verified: all A, MX, wildcard records resolving correctly - - Architecture: Registrar → Gandi LiveDNS ← synced from → BIND master - -### Just Completed (2026-02-06/08) - -- **Evolution Dashboard Real-Time Commits** — DONE (2026-02-08) - - New "🚀 Devel" tab with live GitHub commits (1-min cache) - - Commits Today / This Week / Contributors / Stars metrics - - Commit type distribution with color-coding (feat/fix/docs/refactor) - - Recent commits with hash, message, author, relative time - - Repository stats (forks, watchers, open issues) - - Cyberpunk-themed commit cards with pulsing live indicator - -- **Station Cloner/Deployer** — DONE (2026-02-08) - - Host-side `secubox-clone-station.sh` with MOKATOOL integration for dual USB serial control - - On-device `secubox-cloner` CLI for build/serve/token/export - - First-boot provisioning script with partition resize and mesh join - - Master-link clone tokens with auto-approve for seamless onboarding - - Added `secubox clone` and `secubox master-link` CLI command groups - - Full workflow: build image on master → TFTP serve → flash target → auto-join mesh - -- **Cloning Station LuCI Dashboard** — DONE (2026-02-11) - - Created `luci-app-cloner` package with KISS-style dashboard - - Status cards: device type, TFTP status, token count, clone count - - Quick actions: Build Image, Start/Stop TFTP, New/Auto-Approve Token - - Clone images table with size and TFTP-ready indicator - - Token management with delete functionality - - U-Boot flash commands display when TFTP active - - RPCD handler: 10 methods (status, list_images, list_tokens, list_clones, etc.) - -- **System Hub KISS Rewrite** — DONE (2026-02-11) - - Rewrote `luci-app-system-hub/overview.js` to KISS style - - Self-contained inline CSS, no external dependencies - - 6 status cards: Hostname/Model, Uptime, Services, CPU Load, Temperature, Health Score - - 3 resource bars: Memory, Storage, CPU Usage - - Quick Actions + Services table with running/stopped badges - - 5-second live polling with data-stat DOM updates - - Full dark mode support - -- **SecuBox Dashboard KISS Rewrite** — DONE (2026-02-11) - - Rewrote `luci-app-secubox/dashboard.js` to KISS style - - Removed all external deps (secubox/api, secubox-theme, secubox/nav, secubox-portal/header) - - Header chips, stats cards, health panel, public IPs, modules table, quick actions, alerts - - 15-second live polling - - Full dark mode support - -- **HAProxy "End of Internet" Default Page** — DONE (2026-02-07) - - Cyberpunk fallback page for unknown/unmatched domains - - Matrix rain animation, glitch text, ASCII art SecuBox logo - - Added `http-request` UCI option support in haproxyctl generator - - Path rewriting via `http-request set-path` for static content - - Backend validation rejects IP:port misconfiguration - -- **CrowdSec Threat Origins Fix** — DONE (2026-02-07) - - Fixed `[object Object]` display bug in Threat Origins widget - - `parseCountries()` now handles array format `[{country, count}]` - -- **CrowdSec Dashboard Cache System** — DONE (2026-02-06) - - Created `/usr/sbin/secubox-crowdsec-collector` v4 background stats collector - - Generates `/tmp/secubox/crowdsec-overview.json` every minute via cron - - RPCD fast path: reads cache first, falls back to slow cscli calls if stale - - Fixes dashboard loading times from 5-10s to <100ms - -- **mitmproxy Local IP "Green Known"** — DONE (2026-02-06) - - Patched secubox_analytics.py to skip threat logging for trusted local IPs - - Local network traffic (192.168.x, 10.x, 172.16-18.x) no longer pollutes threats.log - - Autoban still correctly targets only external IPs - -- **Control Panel File Compatibility** — DONE (2026-02-06) - - Fixed file naming mismatch (health.json vs health-status.json, etc.) - - Created symlinks for compatibility - - Created missing cache files (threat.json, netifyd.json) - - Updated stats collector to maintain symlinks on each run - -- **LED Fix & Double-Buffer Status Cache** — DONE (2026-02-07) - - Removed mmc0 LED (was blocking heartbeat loop) - - Added `status_collector_loop()` background daemon - - Cache files: `/tmp/secubox/{health,threat,capacity}.json` - - Fast readers for LED loop and dashboards (no subprocess calls) - -- **MetaBlogizer KISS ULTIME MODE** — DONE (2026-02-07) - - Added `metablogizerctl emancipate` command - - One-command workflow: DNS + Vortex + HAProxy + SSL + Reload - - DNS registration via dnsctl (Gandi/OVH based on availability) - - Vortex DNS mesh publication - - HAProxy vhost with SSL and ACME - - Zero-downtime reload via SIGUSR2 - -- **Streamlit LuCI Dashboard Edit & Emancipate** — DONE (2026-02-06) - - Added Edit button with modal code editor (base64 encoding) - - Added Emancipate button with KISS ULTIME MODE workflow - - RPCD: `get_source`, `save_source`, `emancipate`, `get_emancipation` - - API + ACL updated - -- **SecuBox Vhost Manager** — DONE (2026-02-06) - - Created `secubox-vhost` CLI for subdomain management - - External (*.gk2.secubox.in) and local (*.gk2.sb.local) domain support - - UCI config for vhosts: console, control, metrics, crowdsec, factory, glances, play - - Default landing page generation - - Integrated into secubox-core daemon and firstboot - -### Completed (2026-02-06) - -- **AI Insights Dashboard** — DONE - - Created `luci-app-ai-insights` - unified view across all AI agents - - Security posture scoring (0-100) with factor breakdown - - Agent status grid: Threat Analyst, DNS Guard, Network Anomaly, CVE Triage - - Aggregated alerts from all agents - - Actions: Run All Agents, AI Analysis, View Timeline - - Links to LocalRecall memory dashboard - -- **LocalRecall Memory System** — DONE - - Created `secubox-localrecall` - persistent memory for AI agents - - Categories: threats, decisions, patterns, configs, conversations - - LocalAI integration for semantic search and AI summarization - - Created `luci-app-localrecall` dashboard with add/search/summarize - -- **Network Anomaly Agent** — DONE - - Created `secubox-network-anomaly` with 5 detection modules - - Bandwidth spikes, connection floods, port scans, DNS anomalies, protocol anomalies - - LocalAI integration for AI-powered analysis - - Created `luci-app-network-anomaly` dashboard - -- **CVE Triage Agent** — DONE - - Created `secubox-cve-triage` - AI-powered CVE analysis and vulnerability management - - Architecture: Collector → Analyzer → Recommender → Applier - - NVD API integration for CVE data - - CrowdSec CVE alert correlation - - LocalAI-powered impact analysis - - Approval workflow for patch recommendations - - Multi-source monitoring: opkg, LXC, Docker - - Created `luci-app-cve-triage` dashboard with alerts, pending queue, risk score - -- **Webmail Login 401 Issue** — RESOLVED - - Root cause: `config.docker.inc.php` overrode IMAP host to `ssl://mail.secubox.in:993` - - Docker container couldn't resolve domain or connect via SSL - - Fix: Changed to use socat proxy at `172.17.0.1:10143` (plaintext, internal) - - Updated `mailctl webmail configure` to use proxy instead of direct SSL - -- **Mail Send 451 "Temporary lookup failure"** — RESOLVED (2026-02-06) - - Root cause: Alpine Postfix uses LMDB, not BerkeleyDB hash maps - - `virtual_alias_maps = hash:/etc/postfix/virtual` was invalid - - Postfix chroot `/var/spool/postfix/etc/resolv.conf` was missing - - Fix: Changed setup.sh to use `lmdb:` prefix and copy resolv.conf to chroot - - Added `mailctl fix-postfix` command to repair existing installations - -- **Mail Port Hijacking External Connections** — RESOLVED (2026-02-06) - - Root cause: firewall.user DNAT rules had no interface restriction - - ALL port 993/587/etc traffic was redirected to local mailserver - - This blocked Thunderbird from connecting to external mail (ssl0.ovh.net) - - Fix: Added `-i $WAN_IF` to only redirect inbound WAN traffic - -- **Mail Ports 587/465/995 Not Listening** — RESOLVED (2026-02-07) - - Root cause: Postfix master.cf missing submission/smtps entries - - Dovecot 10-master.conf had pop3s commented out - - `dovecot-pop3d` package not installed in container - - Fix: Added `mailctl fix-ports` command to enable all mail ports - - Also added password reset for mail users in LuCI dashboard - -- **BIND Zone Returning Internal IP** — RESOLVED (2026-02-07) - - Root cause: `/etc/bind/zones/secubox.in.zone` had 192.168.255.1 (internal) instead of public IP - - External DNS queries returned non-routable internal IP - - Fix: Updated zone file with public IP 82.67.100.75 for all records - -- **IPv6 DNS Support** — DONE (2026-02-07) - - Added AAAA records to BIND zone and Gandi DNS - - IPv6: `2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f` - - Records: @, mail, ns0, ns1, wildcard - -- **nftables Mail Forwarding Rules** — DONE (2026-02-07) - - Root cause: nftables `forward_wan` chain blocked DNAT'd mail traffic - - iptables DNAT worked but nftables dropped packets before forwarding - - Fix: Added explicit accept rules for mail ports (25,143,465,587,993,995) - - Added both IPv4 and IPv6 forwarding rules - - Persisted in `/etc/firewall.user` - -- **Postfix/Dovecot Maildir Path Alignment** — DONE (2026-02-07) - - Root cause: Postfix delivered to `/home/vmail/$domain/$user/new/` but Dovecot looks in `~/Maildir/new/` - - Emails were delivered but invisible in Roundcube - - Fix in `container.sh`: Mount to `home/vmail`, virtual_mailbox_base = `/home/vmail` - - Fix in `users.sh`: Create `$domain/$user/Maildir/{cur,new,tmp}` structure - - Updated vmailbox format to include `Maildir/` suffix - -- **Inbound Port 25 Blocked by Free ISP** — RESOLVED (2026-02-16) - - Free ISP blocks inbound port 25 on residential lines - - Outbound mail works, inbound from external fails - - Workaround options: VPS relay, Mailgun/SendGrid, or contact Free support - -### Just Completed - -- **Unified Backup Manager** — DONE (2026-02-05) - - Created `secubox-app-backup` CLI for LXC containers, UCI config, service data - - Created `luci-app-backup` dashboard with container list, backup history - - Gitea remote sync and mesh backup support - - RPCD handler with 8 methods - -- **Custom Mail Server** — DONE (2026-02-05) - - Created `secubox-app-mailserver` - Postfix + Dovecot in LXC container - - `mailctl` CLI: user management, aliases, SSL, mesh backup - - Webmail (Roundcube) integration - - Mesh P2P mail backup sync - -- **DNS Provider Enhanced** — DONE (2026-02-05) - - Added `dnsctl generate` - auto-generate subdomain A records - - Added `dnsctl suggest` - name suggestions by category - - Added `dnsctl mail-setup` - MX, SPF, DMARC records - - Added `dnsctl dkim-add` - DKIM TXT record - -- **Subdomain Generator Tool** — DONE (2026-02-05) - - `secubox-subdomain` CLI for generative subdomain management - - Automates: DNS A record + HAProxy vhost + UCI registration - - Uses wildcard certificate (*.zone) for instant SSL - - Quick-add shortcuts for common services (gitea, grafana, jellyfin, etc.) - - Part of Punk Exposure infrastructure - -### Recently Completed (2026-02-07) - -- **Mesh Onboarding Testing** — VALIDATED - - Token generation: POST `/api/master-link/token` with HMAC tokens + TTL - - IPK download: GET `/api/master-link/ipk?token=` serves pre-built 12KB IPK - - Dynamic IPK: `ml_ipk_generate` creates join packages on-the-fly - - Join flow: request → approval → peer added at depth+1 - - Blockchain: `peer_approved` blocks recorded correctly - - Threat Intel: 288 local IOCs, 67 threat_ioc blocks in chain - -### Just Completed (2026-02-12) - -- **HAProxy stats.js KISS Migration** — DONE (2026-02-12) - - Rewrote Statistics dashboard to use KissTheme - - Stats iframe, logs viewer with refresh - - Removed CSS import via style element - -- **HAProxy backends.js KISS Migration** — DONE (2026-02-12) - - Rewrote Backends dashboard to use KissTheme - - Backend cards with server lists, health check info - - Add/edit server modals with quick service selector - - Removed external dashboard.css dependency - -- **HAProxy vhosts.js KISS Migration** — DONE (2026-02-12) - - Rewrote Virtual Hosts dashboard to use KissTheme - - Self-contained inline CSS, removed external dashboard.css - - Add vhost form, vhosts table, edit modal, delete confirmation - -- **InterceptoR LXC Detection Fix** — DONE (2026-02-12) - - Changed from `lxc-ls --running` to `lxc-info -n mitmproxy -s` - - More reliable container state detection - - Fixed container name from `secbx-mitmproxy` to `mitmproxy` - -### Just Completed (2026-02-11) - -- **InterceptoR Services Dashboard** — DONE (2026-02-11) - - Created `luci.services-registry` RPCD handler with 4 methods - - Aggregates: HAProxy vhosts, Tor onions, mitmproxy instances, init.d services, LuCI apps, system metrics - - Dynamic KISS dashboard with 5 tabs: Published, Proxies, Services, Dashboards, Metrics - - Service emoji registry for visual identification - - CrowdSec stats integration (alerts, bans) - - 10-second live polling - - Fixed `kiss-theme.js` singleton pattern for LuCI module loading - -- **mitmproxy Multi-Instance Support** — DONE (2026-02-11) - - Updated init.d script with `config_foreach start_instance instance` - - Updated mitmproxyctl with `list-instances`, instance-aware `service-run/stop` - - UCI config for dual instances: out (LAN→Internet), in (WAF/services) - - Cloned containers: mitmproxy-out, mitmproxy-in - - Documented in README.md - -- **Cookie Tracker LuCI Dashboard** — DONE (2026-02-11) - - Created `luci-app-cookie-tracker` with KISS theme - - RPCD handler with 6 methods: status, list, report, block, unblock, classify - - Category breakdown visualization (essential, functional, analytics, advertising, tracking) - - Top trackers list with one-click blocking - - Blocked domains display - - 69 known tracker domains pre-loaded - - mitmproxy addon linked for cookie capture - -- **CDN Cache KISS Theme** — DONE (2026-02-11) - - Rewrote overview.js with full KISS styling - - Circular gauge for hit ratio - - Stats grid, top domains table, 10s polling - -- **IoT Guard Implementation** — DONE (2026-02-11) - - Created `secubox-iot-guard` package for IoT device isolation and security - - OUI-based classification with 100+ IoT manufacturer prefixes - - 10 device classes with risk scoring (0-100) - - Anomaly detection: bandwidth spikes, new destinations, port scans, time anomalies - - Integration: Client Guardian (zones), MAC Guardian (L2), Vortex Firewall (DNS), Bandwidth Manager (QoS) - - CLI: `iot-guardctl` with status/list/show/scan/isolate/trust/block/anomalies/cloud-map - - Created `luci-app-iot-guard` with KISS-style dashboard - - 4 views: Overview, Devices, Policies, Settings - - RPCD handler with 11 methods + public ACL for unauthenticated access - -### Just Completed (2026-02-24) - -- **LuCI ZKP Dashboard** — DONE (2026-02-24) - - Web UI for ZKP Hamiltonian cryptographic proofs - - Features: keygen, prove, verify, keys management - - KISS theme with dark mode - - Commit: b60d7fd0 - -- **MetaBlogizer Upload Workflow Fix** — DONE (2026-02-24) - - Sites now work immediately after upload without unpublish + expose cycle - - Root cause: mitmproxy never received reload signal after route creation - - Fix: `reload_haproxy()` now calls `mitmproxyctl sync-routes` - - Commit: ec8e96a7 - -- **ZKP Hamiltonian Library** — DONE (2026-02-24) - - Zero-Knowledge Proof implementation based on Hamiltonian Cycle (Blum 1986) - - NIZK via Fiat-Shamir heuristic, SHA3-256 commitments (OpenSSL) - - Complete library: prove/verify/serialize + CLI tools (keygen/prover/verifier) - - 41 tests passing: completeness, soundness, tamper detection, anti-replay - - C99 targeting OpenWrt ARM64, CMake build system - - Commit: 65539368 - -- **Service Stability & LED Pulse Fix** — DONE (2026-02-24) - - CrowdSec autostart: Fixed machine registration mismatch, downloaded GeoLite2-City.mmdb - - LED pulse: Fixed HAProxy check to run on host instead of non-existent LXC container - - Docker: Restored corrupted nextcloud-talk-hpb container - - HAProxy: Fixed cloud.gk2.secubox.in 503 (wrong backend) - - LXC: Enabled autostart for mailserver and roundcube containers - - Verified: All 13 LXC containers + 6 core services running after reboot - -### Just Completed (2026-02-21) - -- **SecuBox KISS UI Full Regeneration** — DONE (2026-02-21) - - Complete KISS pattern rewrite of 5 core LuCI views - - Removed legacy deps: SecuNav, Theme, Cascade, SbHeader - - All views now use inline CSS with dark mode support - - Files rewritten: - - `modules.js`: 565→280 lines — Module grid with filters - - `monitoring.js`: 442→245 lines — Live SVG charts - - `alerts.js`: 451→255 lines — Alert timeline with dismiss - - `settings.js`: 540→220 lines — UCI form with chips - - `services.js`: 1334→410 lines — Services registry - - Total reduction: 3,332→1,410 lines (~58% less code) - -### Just Completed (2026-02-20 PM) - -- **IP Blocklist - Evolution #1** — DONE (2026-02-20) - - Created `secubox-app-ipblocklist` backend package - - `ipblocklist-update.sh` CLI with ipset management - - Supports nftables (fw4) and iptables backends - - Default sources: Data-Shield (~100k IPs), Firehol Level 1 - - Created `luci-app-ipblocklist` KISS dashboard - - RPCD handler with 12 methods - - Layer 1 pre-emptive defense before CrowdSec Layer 2 - -- **AbuseIPDB Reporter - Evolution #2** — DONE (2026-02-20) - - Added to `luci-app-crowdsec-dashboard` (v0.8.0) - - New "AbuseIPDB" tab in CrowdSec Dashboard - - `crowdsec-reporter.sh` CLI for reporting blocked IPs - - RPCD handler `luci.crowdsec-abuseipdb` with 9 methods - - UCI config for API key, categories, cooldown settings - - Cron job for automatic reporting every 15 minutes - - IP reputation checker in dashboard - -- **Log Denoising - Evolution #3** — DONE (2026-02-20) - - Added smart log denoising to `luci-app-system-hub` (v0.5.2) - - Three modes: RAW (all logs), SMART (filter known IPs), SIGNAL_ONLY (new threats only) - - Integrates with IP Blocklist ipset + CrowdSec decisions - - RPCD methods: `get_denoised_logs`, `get_denoise_stats` - - LuCI dashboard additions: - - Denoise mode selector panel - - Noise ratio indicator with color coding - - Known threats counter - - Blocklist status warning - - Filters private IPs (10.*, 172.16-31.*, 192.168.*, 127.*) - - Supports both nftables and iptables backends - -### SysWarden Evolution Plan (2026-02-20) - -Implementing 3 evolutions inspired by SysWarden patterns: - -| # | Module | Priority | Status | -|---|--------|----------|--------| -| 1 | `luci-app-ipblocklist` | HIGH | DONE | -| 2 | AbuseIPDB Reporter | HIGH | DONE | -| 3 | Log Denoising (System Hub) | MEDIUM | DONE | - -### Next Up — Couche 1 - -**v1.1+ Extended Mesh — COMPLETE (2026-02-28)** - -1. ~~**Multi-Node Mesh Testing**~~ — DONE (2026-02-26) - - ZKP, blockchain sync, and threat intel propagation all validated - -2. ~~**Yggdrasil Extended Peer Discovery**~~ — DONE (2026-02-28) - - `secubox-app-yggdrasil-discovery` + `yggctl` CLI - - Gossip-based peer announcements, trust-verified auto-peering - -3. **WAF Auto-Ban Tuning** (optional, as-needed) +1. **WAF Auto-Ban Tuning** (optional, as-needed) - Sensitivity threshold adjustment based on production traffic -**Backlog / Deferred:** -- ~~Tor Shield / opkg bug~~ — FIXED (2026-02-28) - dnsmasq bypass for excluded domains -- ~~Nextcloud self-hosted cloud storage (v2)~~ — ENHANCED (2026-03-01) - WAF-safe SSL, scheduled backups, email, connections +### Backlog + - SSMTP / mail host / MX record management (v2) -- ~~Reverse MWAN WireGuard peers (v2)~~ — COMPLETE (2026-03-02) - CLI, library, RPCD, LuCI dashboard --- -## Couche 2 — AI Gateway - -### Recently Completed (2026-02-06) - -- **DNS Guard AI Migration** — DONE (2026-02-06) - - Created `secubox-dns-guard` daemon with 5 detection modules: - - DGA (Domain Generation Algorithm) detection via entropy analysis - - DNS tunneling/exfiltration detection - - Rate anomaly detection (queries/min, unique domains/min) - - Known bad domain matching against blocklists - - TLD anomaly detection (suspicious TLDs, punycode/IDN) - - LocalAI integration for intelligent threat analysis - - Approval workflow: auto-apply or queue for review - - Updated `luci-app-dnsguard` v1.1.0 with: - - AI Guard tab with pending blocks approval - - Real-time alerts panel - - Domain analysis with AI - - Detection module status display - -- **LocalAI Multi-Channel Emancipation** — DONE (2026-02-06) - - Exposed LocalAI via Punk Exposure: - - Tor: `b7lmlfs3b55jhgqdwbn6unhjhlfflq6ch235xa2gsdvxe7toxcf7qyad.onion` - - DNS/SSL: `localai.secubox.local` - - mDNS: `_secubox._tcp.local` (mesh advertised) - -- **Threat Analyst Agent** — DONE (2026-02-05) - - Created `secubox-threat-analyst` autonomous threat analysis daemon - - Rule generation for mitmproxy (Python), CrowdSec (YAML), WAF (JSON) - - Approval workflow: auto-apply mitmproxy, queue CrowdSec/WAF - - Created `luci-app-threat-analyst` with AI chatbot dashboard - - RPCD handler with 10 methods for status, chat, rules, approval - -- **Threat Analyst KISS Dashboard v0.1.0** — DONE (2026-02-05) - - Regenerated LuCI dashboard following CrowdSec KISS template pattern - - External CSS loading, baseclass.extend() API pattern - - CVE alerts in System Health section - - CVE column in threats table with NVD hyperlinks - - AI Security Assistant chat interface - -- **MCP Server Implementation** — DONE (2026-02-06) - - Created `secubox-mcp-server` package with JSON-RPC 2.0 over stdio - - 9 core tools: crowdsec.alerts/decisions, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.get/set - - 5 AI-powered tools (via LocalAI): ai.analyze_threats, ai.cve_lookup, ai.suggest_waf_rules, ai.explain_ban, ai.security_posture - - Claude Desktop integration via SSH - -### Next Up — v0.18 AI Components - -1. ~~**DNS Guard Migration**~~ — DONE (2026-02-06) - -2. ~~**LocalAI Upgrade → 3.9**~~ — DONE (2026-02-06) - - Upgraded to v3.9.0 with Agent Jobs Panel and Memory Reclaimer - - Updated README with complete CLI reference and model presets - ---- - -## Couche 3 — MirrorNetworking - -### Just Completed (2026-02-07) - -- **MirrorNet Core Package** — DONE - - Created `secubox-mirrornet` with 5 library modules: - - `identity.sh` - DID-based identity (did:plc:), keypair generation, signing - - `reputation.sh` - Peer trust scoring (0-100), event logging, decay, ban thresholds - - `mirror.sh` - Service mirroring, upstream management, HAProxy backend generation - - `gossip.sh` - Enhanced gossip protocol, priority routing, deduplication, TTL-based forwarding - - `health.sh` - Peer health monitoring, latency/packet loss, anomaly detection, alerts - - `mirrorctl` CLI with 30+ commands - - UCI config for roles (master/submaster/peer), reputation, gossip, mirror, health settings - -- **MirrorNet Dashboard** — DONE - - Created `luci-app-secubox-mirror` with RPCD handler (15 methods) - - Identity card with DID, hostname, role, version - - Peer reputation table with trust levels and reset action - - Gossip protocol stats (sent/received/forwarded/dropped) - - Health alerts panel with acknowledgment - - Mirrored services table - -- **SecuBox Identity Package** — DONE - - Created `secubox-identity` standalone identity management - - DID generation (did:plc:) compatible with AT Protocol - - Keypair management (HMAC-SHA256, Ed25519 fallback) - - Key rotation with backup - - Peer identity storage and resolution - - Trust scoring integration - - `identityctl` CLI with 25+ commands - -- **P2P Intel Package** — DONE - - Created `secubox-p2p-intel` for signed IOC sharing - - Collector: CrowdSec, mitmproxy, WAF, DNS Guard sources - - Signer: Cryptographic signing of IOC batches - - Validator: Source trust, age, format validation - - Applier: nftables/iptables/CrowdSec application - - Approval workflow for manual review - - `p2p-intelctl` CLI with 20+ commands - -### MirrorNet Packages Summary (v0.19) - -| Package | Status | Description | -|---------|--------|-------------| -| `secubox-mirrornet` | DONE | Core mesh orchestration, gossip, health | -| `secubox-identity` | DONE | DID-based identity, key management, trust | -| `secubox-p2p-intel` | DONE | IOC signed gossip, validation, application | -| `luci-app-secubox-mirror` | DONE | Dashboard for peers, trust, services | - -### Master/Slave CDN Architecture (User Vision) - -> "multipoint CDN for SSL dependencies, root/master with *.sb, xxx.sb slaved, first peek meshed, submastering/multimixslaving" - -Target architecture for service mirroring: -1. **Root Master** owns wildcard domain `*.secubox.io` (or similar) -2. **Slave Nodes** get delegated subdomains (`node1.secubox.io`) -3. **First Peek** = service discovery auto-registers in mesh -4. **Mirror Cascade** = master pushes exposure config to slaves -5. **Submastering** = hierarchical delegation (master → submaster → slaves) - -Required components: -- Dynamic DNS delegation with zone transfer -- Service mirroring via reverse proxy chaining -- Gossip-based exposure config sync -- Trust hierarchy with certificate delegation - -### Communication Layer (v1.0) - -- `secubox-voip` — Asterisk micro-PBX -- `secubox-matrix` — Conduit Matrix server - ---- - -## Couche 4 — Roadmap Tracking - -### v0.18.0 Progress - -| Item | Status | -|------|--------| -| Core Mesh modules | 35+ DONE | -| Guacamole | DEFERRED | -| MCP Server | DONE | -| Threat Analyst | DONE | -| DNS Guard AI Migration | DONE | -| LocalAI 3.9 | DONE | -| LocalAI Emancipation | DONE (Tor + DNS + mDNS) | - -### v1.0.0 Progress - -| Item | Status | -|------|--------| -| Config Advisor | DONE | -| ANSSI CSPN Compliance | DONE | -| Remediation Engine | DONE | -| LuCI Dashboard | DONE | - -### Just Completed (2026-02-07) - -- **Config Advisor Package** — DONE - - Created `secubox-config-advisor` - ANSSI CSPN compliance checking daemon - - 7 check categories, 25+ security rules - - Risk scoring (0-100) with grade (A-F) and risk level - - Auto-remediation for 7 checks with dry-run mode - - LocalAI integration for AI-powered suggestions - - `config-advisorctl` CLI with 20+ commands - -- **Config Advisor Dashboard** — DONE - - Created `luci-app-config-advisor` - LuCI dashboard - - Score display with grade circle and risk level - - Compliance view by category with pass/fail/warn badges - - Remediation view with apply/preview buttons - - Settings for framework, weights, categories, LocalAI - -### Certifications - -- ANSSI CSPN: Config Advisor compliance tool DONE -- GDPR: Currently compliant -- ISO 27001, NIS2, SOC2: Planned for v1.1+ - ---- - -## Strategic Documents Received +## Strategic Documents - `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap - `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture @@ -1457,14 +102,7 @@ Required components: --- -## Known Bugs (Deferred) - -- ~~**Tor Shield / opkg conflict**~~: FIXED (2026-02-28) - Added dnsmasq bypass for excluded domains - ---- - ## Blockers / Risks - No automated regression tests for LuCI views; manual verification required after SCP deploy. - Guacamole ARM64 pre-built binaries not readily available. -- MCP Server requires understanding of Model Context Protocol specification. diff --git a/package/secubox/secubox-ai-gateway/files/usr/libexec/rpcd/luci.ai-gateway b/package/secubox/secubox-ai-gateway/files/usr/libexec/rpcd/luci.ai-gateway index fdc7b213..fd2b86f6 100644 --- a/package/secubox/secubox-ai-gateway/files/usr/libexec/rpcd/luci.ai-gateway +++ b/package/secubox/secubox-ai-gateway/files/usr/libexec/rpcd/luci.ai-gateway @@ -169,6 +169,97 @@ method_test_provider() { json_dump } +# Method: login - validate credentials and save on success +method_login() { + local provider="$1" + local api_key="$2" + + # Validate provider name + case "$provider" in + localai|mistral|claude|openai|gemini|xai) + ;; + *) + json_init + json_add_boolean "success" "false" + json_add_string "error" "Unknown provider: $provider" + json_dump + return + ;; + esac + + # LocalAI doesn't need API key + if [ "$provider" = "localai" ]; then + uci set ${CONFIG}.localai.enabled='1' + uci commit ${CONFIG} + + json_init + json_add_boolean "success" "true" + json_add_string "provider" "localai" + json_add_string "message" "LocalAI enabled (on-device)" + json_dump + return + fi + + # API key required for cloud providers + if [ -z "$api_key" ]; then + json_init + json_add_boolean "success" "false" + json_add_string "error" "API key required" + json_dump + return + fi + + # Save old values for rollback on failure + local old_key=$(uci -q get ${CONFIG}.${provider}.api_key) + local old_enabled=$(uci -q get ${CONFIG}.${provider}.enabled) + + # Temporarily set credentials for testing + uci set ${CONFIG}.${provider}.api_key="$api_key" + uci set ${CONFIG}.${provider}.enabled='1' + + # Test the credentials + local adapter="$LIB_DIR/providers/${provider}.sh" + local test_failed="false" + + if [ -f "$adapter" ]; then + . "$adapter" + local result=$(provider_test 2>&1) + + if echo "$result" | grep -qi "error\|fail\|unauthorized\|invalid"; then + test_failed="true" + + # Rollback + if [ -n "$old_key" ]; then + uci set ${CONFIG}.${provider}.api_key="$old_key" + else + uci -q delete ${CONFIG}.${provider}.api_key + fi + uci set ${CONFIG}.${provider}.enabled="${old_enabled:-0}" + uci commit ${CONFIG} + + json_init + json_add_boolean "success" "false" + json_add_string "error" "Authentication failed" + json_add_string "details" "$result" + json_dump + return + fi + fi + + # Commit working credentials + uci commit ${CONFIG} + + local class=$(uci -q get ${CONFIG}.${provider}.classification) + local model=$(uci -q get ${CONFIG}.${provider}.model) + + json_init + json_add_boolean "success" "true" + json_add_string "provider" "$provider" + json_add_string "model" "$model" + json_add_string "classification" "$class" + json_dump +} + # Method: start method_start() { /etc/init.d/ai-gateway start >/dev/null 2>&1 @@ -205,6 +296,7 @@ case "$1" in "get_providers": {}, "get_audit_stats": {}, "classify": {"text": "string"}, + "login": {"provider": "string", "api_key": "string"}, "set_provider": {"provider": "string", "enabled": "string", "api_key": "string"}, "set_offline_mode": {"mode": "string"}, "test_provider": {"provider": "string"}, @@ -224,6 +316,12 @@ case "$1" in text=$(echo "$input" | jsonfilter -e '@.text' 2>/dev/null) method_classify "$text" ;; + login) + read -r input + provider=$(echo "$input" | jsonfilter -e '@.provider' 2>/dev/null) + api_key=$(echo "$input" | jsonfilter -e '@.api_key' 2>/dev/null) + method_login "$provider" "$api_key" + ;; set_provider) read -r input provider=$(echo "$input" | jsonfilter -e '@.provider' 2>/dev/null) diff --git a/package/secubox/secubox-ai-gateway/files/usr/sbin/aigatewayctl b/package/secubox/secubox-ai-gateway/files/usr/sbin/aigatewayctl index 2f81f700..fbedbc9c 100644 --- a/package/secubox/secubox-ai-gateway/files/usr/sbin/aigatewayctl +++ b/package/secubox/secubox-ai-gateway/files/usr/sbin/aigatewayctl @@ -28,6 +28,7 @@ Classification: sanitize Sanitize text and show result Provider Management: + login [provider] Authenticate with a provider (validates before saving) provider list List configured providers provider enable Enable a provider (prompts for API key) provider disable Disable a provider @@ -191,6 +192,136 @@ cmd_provider_test() { provider_test } +# Login command - validates credentials before saving +cmd_login() { + local provider="$1" + local api_key="$2" + + # Interactive provider selection if not provided + if [ -z "$provider" ]; then + echo "Available providers:" + echo " localai - On-device AI (no API key required)" + echo " mistral - Mistral AI (EU sovereign, GDPR compliant)" + echo " claude - Anthropic Claude" + echo " openai - OpenAI GPT" + echo " gemini - Google Gemini" + echo " xai - xAI Grok" + echo "" + printf "Provider: " + read provider + fi + + # Validate provider name + case "$provider" in + localai|mistral|claude|openai|gemini|xai) + ;; + *) + echo "Error: Unknown provider '$provider'" + echo "Valid providers: localai, mistral, claude, openai, gemini, xai" + return 1 + ;; + esac + + # LocalAI doesn't need API key + if [ "$provider" = "localai" ]; then + echo "LocalAI runs on-device - no API key required" + uci set ${CONFIG}.localai.enabled='1' + uci commit ${CONFIG} + echo "✓ LocalAI enabled" + return 0 + fi + + # Interactive API key input if not provided + if [ -z "$api_key" ]; then + printf "API key for $provider: " + stty -echo 2>/dev/null + read -r api_key + stty echo 2>/dev/null + echo "" + fi + + [ -z "$api_key" ] && { echo "Error: API key required"; return 1; } + + # Validate API key format based on provider + case "$provider" in + mistral) + # Mistral keys are alphanumeric, typically 32+ chars + if [ ${#api_key} -lt 20 ]; then + echo "Warning: Mistral API key seems too short" + fi + ;; + claude) + # Anthropic keys start with sk-ant- + if ! echo "$api_key" | grep -q "^sk-ant-"; then + echo "Warning: Claude API key should start with 'sk-ant-'" + fi + ;; + openai) + # OpenAI keys start with sk- + if ! echo "$api_key" | grep -q "^sk-"; then + echo "Warning: OpenAI API key should start with 'sk-'" + fi + ;; + esac + + # Test credentials before saving + echo "Validating credentials..." + + # Temporarily set credentials for testing + local old_key=$(uci -q get ${CONFIG}.${provider}.api_key) + local old_enabled=$(uci -q get ${CONFIG}.${provider}.enabled) + + uci set ${CONFIG}.${provider}.api_key="$api_key" + uci set ${CONFIG}.${provider}.enabled='1' + + local adapter="$LIB_DIR/providers/${provider}.sh" + if [ -f "$adapter" ]; then + . "$adapter" + local result=$(provider_test 2>&1) + + if echo "$result" | grep -qi "error\|fail\|unauthorized\|invalid"; then + # Restore old values on failure + if [ -n "$old_key" ]; then + uci set ${CONFIG}.${provider}.api_key="$old_key" + else + uci -q delete ${CONFIG}.${provider}.api_key + fi + uci set ${CONFIG}.${provider}.enabled="${old_enabled:-0}" + uci commit ${CONFIG} + + echo "✗ Authentication failed" + echo "$result" + return 1 + fi + fi + + # Commit the working credentials + uci commit ${CONFIG} + + local class=$(uci -q get ${CONFIG}.${provider}.classification) + local model=$(uci -q get ${CONFIG}.${provider}.model) + + echo "✓ Login successful" + echo " Provider: $provider" + echo " Model: $model" + echo " Classification: $class" + + # Show sovereignty info + case "$class" in + local_only) + echo " Data: Stays on device" + ;; + sanitized) + echo " Data: PII sanitized before sending to EU provider" + ;; + cloud_direct) + echo " Data: May be sent to cloud (non-sensitive queries only)" + ;; + esac + + return 0 +} + # Audit stats command cmd_audit_stats() { . "$LIB_DIR/audit.sh" @@ -308,6 +439,10 @@ case "${1:-}" in shift cmd_sanitize "$@" ;; + login) + shift + cmd_login "$@" + ;; provider) shift case "$1" in diff --git a/package/secubox/secubox-ai-gateway/files/usr/share/rpcd/acl.d/luci-ai-gateway.json b/package/secubox/secubox-ai-gateway/files/usr/share/rpcd/acl.d/luci-ai-gateway.json index 79a4bbc2..e785bb64 100644 --- a/package/secubox/secubox-ai-gateway/files/usr/share/rpcd/acl.d/luci-ai-gateway.json +++ b/package/secubox/secubox-ai-gateway/files/usr/share/rpcd/acl.d/luci-ai-gateway.json @@ -16,6 +16,7 @@ "write": { "ubus": { "luci.ai-gateway": [ + "login", "set_provider", "set_offline_mode", "test_provider",