docs: Align tracking files with Fanzine v3 4-layer architecture

Restructure TODO.md and WIP.md to follow SecuBox Fanzine v3 structure:

- Couche 1 — Core Mesh: 35+ modules, v0.18 priorities, CVE Layer 7
- Couche 2 — AI Gateway: Data Classifier, 6 Agents, MCP Server
- Couche 3 — MirrorNetworking: EnigmaBox → MirrorNet, VoIP, Matrix
- Couche 4 — Roadmap: v0.18/v0.19/v1.0/v1.1+ milestones, certifications

Key additions:
- Data classification table (LOCAL ONLY / SANITIZED / CLOUD DIRECT)
- 6 Autonomous Agents with phase assignments
- MCP Server tools specification
- AI provider hierarchy (Mistral > Claude > GPT > Gemini > xAI)
- Certification targets (ANSSI CSPN, ISO 27001, NIS2, CE, GDPR, SOC2)
- Version milestone checklists

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-02-05 04:59:59 +01:00
parent a0d0bb24ca
commit 8cf4039fbb
3 changed files with 325 additions and 222 deletions

View File

@ -219,3 +219,13 @@ _Last updated: 2026-02-05_
- `luci-app-mac-guardian`: category "security", icon "wifi", description "WiFi MAC address security monitor with spoofing detection"
- `secubox-app-mac-guardian`: icon "wifi", description "WiFi MAC security backend with CrowdSec integration"
- Package features: MAC spoofing detection, OUI anomaly detection, MAC floods, CrowdSec scenarios integration.
26. **Fanzine v3 Roadmap Alignment (2026-02-06)**
- Restructured TODO.md and WIP.md to align with SecuBox Fanzine v3 4-layer architecture:
- **Couche 1 — Core Mesh**: 35+ modules, v0.18 priorities, testing/validation, CVE Layer 7
- **Couche 2 — AI Gateway**: Data Classifier, 6 Autonomous Agents, MCP Server, provider hierarchy
- **Couche 3 — MirrorNetworking**: EnigmaBox → MirrorNet, dual transport, Services Mirrors, VoIP/Matrix
- **Couche 4 — Roadmap**: v0.18/v0.19/v1.0/v1.1+ milestones, certifications (ANSSI, ISO, NIS2)
- Added strategic reference to Fanzine v3 document.
- Consolidated completed items under "Resolved" section.
- Created version milestone checklists for tracking progress.
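Review bot: item 26 is dated 2026-02-06, but the commit timestamp is 2026-02-05 04:59:59 +01:00 and this file's own `_Last updated: 2026-02-05_` line (visible in the hunk header context) was not bumped, so the new entry and the file header disagree; pick one date and update the header in the same change. The sub-item "Added strategic reference to Fanzine v3 document." would also be more useful with the document's filename, which WIP.md in this commit records as `SecuBox_Fanzine_v3_Feb2026.html`.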

View File

@ -1,6 +1,10 @@
# SecuBox TODOs (Claude Edition)
_Last updated: 2026-02-05_
_Last updated: 2026-02-06_
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
---
## Resolved
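Review bot: the added `> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches` blockquote names the source document but not where it lives; WIP.md in this same commit lists it as `SecuBox_Fanzine_v3_Feb2026.html`, so cite that filename (or a relative link) here as well so a reader of TODO.md can find the origin of the four-layer structure. The `_Last updated_` bump to 2026-02-06 is also ahead of the commit's own 2026-02-05 timestamp; confirm that is intended.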
@ -9,125 +13,214 @@ _Last updated: 2026-02-05_
- ~~Zigbee2MQTT dongle connection~~ — Done: adapter `ezsp`→`ember`, `ZIGBEE2MQTT_DATA` env var, direct `/dev/ttyUSB0` passthrough (2026-02-04).
- ~~Metablogizer Upload Failures~~ — Done: Chunked upload to bypass uhttpd 64KB JSON limit (2026-02-04).
- ~~Chip Header Layout Migration~~ — Done: client-guardian and auth-guardian ported to `sh-page-header` + `renderHeaderChip()` (2026-02-05).
- ~~SMB/CIFS Shared Remote Directories~~ — Done: `secubox-app-smbfs` (client mount manager) + `secubox-app-ksmbd` (server for mesh sharing) (2026-02-04/05).
- ~~SMB/CIFS Shared Remote Directories~~ — Done: `secubox-app-smbfs` + `secubox-app-ksmbd` (2026-02-04/05).
- ~~P2P App Store Emancipation~~ — Done: P2P package distribution, packages.js view, devstatus.js widget (2026-02-04/05).
- ~~Navigation Component~~ — Done: `SecuNav.renderTabs()` now auto-inits theme+CSS, `renderCompactTabs()` for nested modules (2026-02-05).
- ~~Monitoring UX~~ — Done: Empty-state loading animation for charts, dynamic bandwidth units in bits (Kbps/Mbps/Gbps) via `formatBits()` (2026-02-05).
- ~~MAC Guardian Feed Integration~~ — Done: Both IPKs built and added to bonus feed with catalog entries (2026-02-05).
- ~~Navigation Component~~ — Done: `SecuNav.renderTabs()` auto-inits theme+CSS, `renderCompactTabs()` (2026-02-05).
- ~~Monitoring UX~~ — Done: Empty-state loading animation, dynamic bandwidth units via `formatBits()` (2026-02-05).
- ~~MAC Guardian Feed Integration~~ — Done: Both IPKs built and added to bonus feed (2026-02-05).
- ~~Punk Exposure Multi-Domain DNS~~ — Done: emancipate/revoke CLI, RPCD, Mesh column, Emancipate modal (2026-02-05).
- ~~Jellyfin Post-Install Wizard~~ — Done: 4-step modal wizard for media library configuration (2026-02-05).
- ~~Domoticz IoT Integration~~ — Done: LuCI dashboard, MQTT auto-bridge, Zigbee2MQTT integration (2026-02-04).
## Open
---
1. ~~**Chip Header Layout Migration**~~ — Done (2026-02-05)
- ~~Port `sh-page-header` + `renderHeaderChip()` pattern to client-guardian and auth-guardian.~~
- ~~Both now use `sh-page-header` with chip stats.~~
## Couche 1 — Core Mesh (35+ modules)
2. ~~**Navigation Component**~~ — Done (2026-02-05)
- ~~Convert `SecuNav.renderTabs()` into a reusable LuCI widget (avoid duplicating `Theme.init` in each view).~~
- ~~Provide a compact variant for nested modules (e.g., CDN Cache, Network Modes).~~
### v0.18 Module Priorities
3. ~~**Monitoring UX**~~ — Done (2026-02-05)
- ~~Add empty-state copy while charts warm up.~~
- ~~Display bandwidth units dynamically (Kbps/Mbps/Gbps) based on rate.~~
| Package | Status | Notes |
|---------|--------|-------|
| `secubox-app-guacamole` | DEFERRED | LXC build-from-source too slow; needs pre-built binaries |
| `secubox-app-rustdesk` | DONE | Native hbbs/hbbr binaries, auto-key generation |
| `secubox-app-ksmbd` | DONE | Mesh media server with pre-configured shares |
| `secubox-app-domoticz` | DONE | LXC Debian, MQTT bridge, Zigbee2MQTT |
| `secubox-app-smbfs` | DONE | Client-side SMB mount manager |
4. ~~**MAC Guardian Feed Integration**~~ — Done (2026-02-05)
- ~~Build and include mac-guardian IPK in bonus feed (new package from 2026-02-03, not yet in feed).~~
- `secubox-app-mac-guardian` and `luci-app-mac-guardian` IPKs added to bonus feed with catalog entries.
### Testing & Validation
5. **Mesh Onboarding Testing**
1. **Mesh Onboarding Testing**
- master-link dynamic join IPK generation needs end-to-end testing on multi-node mesh.
- P2P decentralized threat intelligence sharing needs validation with real CrowdSec alerts.
6. **WAF Auto-Ban Tuning**
2. **WAF Auto-Ban Tuning**
- Sensitivity thresholds may need adjustment based on real traffic patterns.
- CVE detection patterns (including CVE-2025-15467) need false-positive analysis.
7. **Image Builder Validation**
- `secubox-tools/` image builder and sysupgrade scripts (added 2026-02-03) need testing on physical hardware.
3. **Image Builder Validation**
- `secubox-tools/` image builder and sysupgrade scripts need testing on physical hardware.
8. **Docs & Tooling**
- Document deployment scripts in `README.md` (what each script copies).
- Add lint/upload pre-check (LuCI `lua -l luci.dispatcher`) to prevent syntax errors before SCP.
### Innovation CVE Layer 7
9. **Testing**
- Capture screenshot baselines for dark/light/cyberpunk themes.
- Automate browser cache busting (append `?v=<git sha>` to view URLs).
- WAF analysis via Modsec IP + traffic analysis + CrowdSec CVE detection
- Combines: `secubox-app-waf` + `mitmproxy` threat patterns + CrowdSec scenarios
10. ~~**SMB/CIFS Shared Remote Directories**~~ — Done (2026-02-04/05)
- ~~`secubox-app-smbfs` for client-side mount management (`smbfsctl` CLI, UCI config, init script).~~
- ~~`secubox-app-ksmbd` for server-side mesh sharing (`ksmbdctl` CLI, pre-configured shares).~~
- ~~Integrates with Jellyfin, Lyrion media paths.~~
### Docs & Tooling
11. ~~**Metablogizer Upload Failures**~~ — Done (2026-02-04)
- ~~Investigate and fix failed file uploads in Metablogizer.~~
- ~~Fixed: Chunked upload to bypass uhttpd 64KB JSON limit (same pattern as Streamlit).~~
- Document deployment scripts in `README.md` (what each script copies).
- Add lint/upload pre-check (LuCI `lua -l luci.dispatcher`) to prevent syntax errors before SCP.
- Capture screenshot baselines for dark/light/cyberpunk themes.
- Automate browser cache busting (append `?v=<git sha>` to view URLs).
12. **SecuBox v2 Roadmap & Objectives**
- EnigmaBox integration evaluation (community vote?).
- VoIP integration (SIP/WebRTC).
- Domoticz home automation integration.
- SSMTP / mail host / MX record management.
- Reverse MWAN WireGuard peers (multi-WAN failover over mesh).
- Nextcloud self-hosted cloud storage.
- Version v2 release planning and feature prioritization.
---
**AI Management Layer** (ref: `SecuBox_LocalAI_Strategic_Analysis.html`):
- Phase 1 (v0.18): Upgrade LocalAI → 3.9, MCP Server, Threat Analyst agent, DNS Guard migration.
- Phase 2 (v0.19): CVE Triage + Network Anomaly agents, LocalRecall memory, AI Insights dashboard.
- Phase 3 (v1.0): Config Advisor (ANSSI prep), P2P Mesh Intelligence, Factory auto-provisioning.
- Hybrid approach: Ollama (inference) + LocalAI (orchestrator) + LocalAGI (agents) + LocalRecall (memory).
- MCP tools: crowdsec.alerts, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.config.
## Couche 2 — AI Gateway
**AI Gateway Hybrid Architecture** (ref: `SecuBox_AI_Gateway_Hybrid_Architecture.html`):
- `secubox-ai-gateway` package: LiteLLM Proxy (port 4000) + Data Classifier + MCP Server.
- Data classification: LOCAL ONLY (raw network data) / SANITIZED (IPs scrubbed) / CLOUD DIRECT (generic).
- Providers: Mistral (EU sovereign, priority 1) > Claude > GPT > Gemini > xAI (all opt-in).
- Offline resilience: Local tier always active, cloud is bonus not dependency.
- Budget cap: configurable monthly cloud spend limit via LiteLLM.
- ANSSI CSPN: Data Classifier + Mistral EU + offline mode = triple sovereignty proof.
### Data Classifier (Sovereignty Engine)
13. ~~**Punk Exposure Multi-Domain DNS**~~ — DONE (2026-02-05)
- ~~Multi-domain DNS with P2P exposure and Tor endpoints.~~
- ~~Classical HTTPS endpoint (DNS provider API: OVH, Gandi, Cloudflare).~~
- ~~Administrable DNS provider API integration via `dnsctl`.~~
- ~~Mapped to local services, mesh-federated, locally tweakable.~~
- ~~Follows Peek / Poke / Emancipate model (see `PUNK-EXPOSURE.md`).~~
- Phase 1: `emancipate` and `revoke` CLI commands added to secubox-exposure.
- Phase 2-4: RPCD methods, API wrapper, Mesh column, Emancipate modal, CSS styles.
| Classification | Description | Destination |
|----------------|-------------|-------------|
| LOCAL ONLY | Raw network data, IPs, MACs, logs | Never leaves device |
| SANITIZED | IPs scrubbed, anonymized patterns | Mistral EU (opt-in) |
| CLOUD DIRECT | Generic queries, no sensitive data | Claude/GPT (opt-in) |
14. ~~**Jellyfin Post-Install**~~ — DONE (2026-02-05)
- ~~Complete startup wizard (media library configuration)~~ — 4-step modal wizard added.
- ~~README documentation~~ — Done (2026-02-04).
**Package**: `secubox-ai-gateway` — LiteLLM Proxy (port 4000) + Data Classifier + MCP Server
15. ~~**Domoticz IoT Integration & SecuBox Peering**~~ — Done (2026-02-04)
- ~~`luci-app-domoticz` created with RPCD handler, LuCI overview.~~
- ~~`domoticzctl configure-mqtt` auto-configures Mosquitto + Zigbee2MQTT bridge.~~
- ~~P2P mesh registration, HAProxy integration, backup/restore.~~
- ~~UCI config extended with mqtt/network/mesh sections.~~
### 6 Autonomous Agents
16. ~~**App Store P2P Emancipation**~~ — Done (2026-02-04)
- ~~P2P package distribution via mesh peers (CGI API, RPCD, CLI).~~
- ~~`packages.js` view with LOCAL/PEER badges, fetch/install actions.~~
- ~~`devstatus.js` widget with v1.0 progress tracking.~~
- ~~`secubox-content-pkg` for Metablogizer/Streamlit IPK distribution.~~
| Agent | Phase | Description |
|-------|-------|-------------|
| Threat Analyst | v0.18 | CrowdSec alert analysis, threat correlation |
| DNS Guard | v0.18 | DNS anomaly detection, migration from current |
| CVE Triage | v0.19 | Vulnerability prioritization, patch recommendations |
| Network Anomaly | v0.19 | Traffic pattern analysis, baseline deviation |
| Log Analyzer | v0.19 | Cross-log correlation, incident timeline |
| Config Advisor | v1.0 | ANSSI compliance prep, configuration hardening |
17. **MirrorNetworking Stack** (ref: `SecuBox_MirrorNetworking_Paradigm_Reversal.html`)
- EnigmaBox paradigm reversal: zero central authority, each box is the network.
- Dual transport: WireGuard (tier 1, known peers) + Yggdrasil (tier 2, discovery/extended mesh, optional).
- New packages roadmap:
- `secubox-mirrornet` (v0.19): Core mesh orchestration, gossip protocol, peer management.
- `secubox-identity` (v0.19): did:plc generation, key rotation, trust scoring.
- `secubox-p2p-intel` (v0.19): IoC signed gossip, threat intelligence sharing.
- `luci-app-secubox-mirror` (v0.19): Dashboard for peers, trust, services, comms.
- `secubox-voip` (v1.0): Asterisk micro-PBX, SIP/SRTP direct over WireGuard mesh.
- `secubox-matrix` (v1.0): Conduit Matrix server (Rust, ~15MB RAM), federation on mesh.
- `secubox-factory` (v1.0): Auto-provisioning new box via mesh P2P.
- `yggdrasil-secubox` (v1.1+): Yggdrasil overlay + meshname DNS.
- Mirror concepts: Threat Intel sharing, AI Inference distribution, Reputation scoring, Config & Updates P2P.
- Communication: VoIP E2E (Asterisk/SRTP, no exit server), Matrix E2EE, optional mesh email.
- ANSSI CSPN: Zero central authority = verifiable sovereignty.
- Crowdfunding target: 2027.
### MCP Server — Le lien manquant
18. **Tor Shield / opkg Bug** (deferred)
- opkg downloads fail (`wget returned 4`) when Tor Shield is active.
- Direct `wget` to full URL works — likely DNS/routing interference.
- Investigate: opkg proxy settings, Tor split-routing exclusions for package repos.
SecuBox MCP Server exposes device context to AI agents via Model Context Protocol:
**MCP Tools**:
- `crowdsec.alerts` — Active threats and decisions
- `waf.logs` — Web application firewall events
- `dns.queries` — DNS query logs and anomalies
- `network.flows` — Traffic flow summaries
- `system.metrics` — CPU, memory, disk, temperature
- `wireguard.status` — VPN tunnel status
- `uci.config` — OpenWrt configuration access
**Integration targets**: Claude Desktop, Cursor, VS Code, custom agents
### AI Provider Hierarchy
1. **Mistral** (EU sovereign, GDPR compliant) — Priority 1
2. **Claude** — Priority 2
3. **GPT** — Priority 3
4. **Gemini** — Priority 4
5. **xAI** — Priority 5
All cloud providers are **opt-in**. Offline resilience: local tier always active.
---
## Couche 3 — MirrorNetworking
### EnigmaBox → MirrorNet Paradigm Reversal
> Zero central authority: each box IS the network.
### Dual Transport Architecture
| Tier | Protocol | Purpose |
|------|----------|---------|
| Tier 1 | WireGuard | Known peers, trusted mesh |
| Tier 2 | Yggdrasil | Discovery, extended mesh (optional) |
### Services Mirrors (P2P Gossip)
- **Threat Intel**: IoC signed gossip, distributed threat intelligence
- **AI Inference**: Distributed model inference across mesh
- **Reputation**: Trust scoring, peer reputation
- **Config & Updates**: P2P configuration sync, firmware distribution
### New Packages Roadmap
| Package | Version | Description |
|---------|---------|-------------|
| `secubox-mirrornet` | v0.19 | Core mesh orchestration, gossip protocol |
| `secubox-identity` | v0.19 | did:plc generation, key rotation, trust scoring |
| `secubox-p2p-intel` | v0.19 | IoC signed gossip, threat intelligence |
| `luci-app-secubox-mirror` | v0.19 | Dashboard for peers, trust, services |
| `secubox-voip` | v1.0 | Asterisk micro-PBX, SIP/SRTP over mesh |
| `secubox-matrix` | v1.0 | Conduit Matrix server (~15MB RAM) |
| `secubox-factory` | v1.0 | Auto-provisioning via mesh P2P |
| `yggdrasil-secubox` | v1.1+ | Yggdrasil overlay + meshname DNS |
### Communication Layer
- **VoIP E2E**: Asterisk/SRTP direct over WireGuard mesh (no exit server)
- **Matrix E2EE**: Conduit federation on mesh
- **Mesh Email**: Optional, deferred
---
## Couche 4 — Roadmap
### v0.18.0 — MirrorBox Core v1.0
- [ ] LocalAI upgrade → 3.9
- [ ] MCP Server implementation
- [ ] Threat Analyst agent
- [ ] DNS Guard migration
- [ ] Guacamole pre-built binaries
### v0.19.0 — AI Expansion
- [ ] CVE Triage agent
- [ ] Network Anomaly agent
- [ ] LocalRecall memory integration
- [ ] AI Insights dashboard
- [ ] MirrorNet core packages
### v1.0.0 — Full Stack
- [ ] Config Advisor (ANSSI prep)
- [ ] P2P Mesh Intelligence
- [ ] Factory auto-provisioning
- [ ] VoIP integration
- [ ] Matrix integration
### v1.1+ — Extended Mesh
- [ ] Yggdrasil overlay
- [ ] Meshname DNS
- [ ] Extended peer discovery
### Certifications Ciblees
| Certification | Status | Target |
|---------------|--------|--------|
| ANSSI CSPN | In Progress | v1.0 |
| ISO 27001 | Planned | v1.1 |
| NIS2 | Planned | v1.1 |
| CE | Planned | v1.0 |
| GDPR | Compliant | Current |
| SOC2 | Planned | v1.2 |
**ANSSI CSPN Strategy**: Data Classifier + Mistral EU + offline mode = triple sovereignty proof
---
## Deferred / Backlog
### Tor Shield / opkg Bug
- opkg downloads fail (`wget returned 4`) when Tor Shield is active.
- Direct `wget` to full URL works — likely DNS/routing interference.
- Investigate: opkg proxy settings, Tor split-routing exclusions for package repos.
### v2 Long-term
- Nextcloud self-hosted cloud storage
- SSMTP / mail host / MX record management
- Reverse MWAN WireGuard peers (multi-WAN failover over mesh)
---
## Veille Cyber — Février 2026
_Space for current threat intelligence and security news relevant to SecuBox development._
- CVE-2025-15467: WAF detection patterns added
- [ ] Monitor for new CrowdSec scenarios
- [ ] Track OpenWrt security advisories
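Review bot: the "6 Autonomous Agents" table assigns Log Analyzer to v0.19, but the "### v0.19.0 — AI Expansion" checklist tracks only CVE Triage, Network Anomaly, LocalRecall, AI Insights and MirrorNet core; add a `- [ ] Log Analyzer agent` line (or drop the agent from the table) so the milestone checklists cover all six agents. Two smaller points: under "### Innovation CVE Layer 7", "WAF analysis via Modsec IP + traffic analysis" is ambiguous (ModSecurity rules, an IP reputation source, or both?), so spell out what is being combined; and the Data Classifier table says what each class may send off-device but not what happens to a query the classifier cannot classify, which is exactly what the "triple sovereignty proof" argument rests on, so document that default (treating unclassified input as LOCAL ONLY is the safe choice). Minor: "Certifications Ciblees" should read "Certifications Ciblées".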

View File

@ -1,141 +1,141 @@
# Work In Progress (Claude)
## Active Threads
_Last updated: 2026-02-06_
- **SMB/CIFS Remote Mount Manager**
Status: DONE — package created (2026-02-04)
Notes: New `secubox-app-smbfs` package with `smbfsctl` CLI, UCI config, init script, catalog entry.
Integrates with Jellyfin and Lyrion media paths.
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
- **Jellyfin README**
Status: DONE (2026-02-04)
Notes: KISS READMEs created for both `secubox-app-jellyfin` and `luci-app-jellyfin`.
---
- **Glances Full System Monitoring**
Status: COMPLETE (2026-02-04)
Notes: LXC host bind mounts, Docker socket, fs plugin patch, hostname/OS identity.
## Couche 1 — Core Mesh
- **Zigbee2mqtt LXC Rewrite**
Status: COMPLETE (2026-02-04)
Notes: Direct `/dev/ttyUSB0` passthrough, adapter `ezsp`→`ember`, `ZIGBEE2MQTT_DATA` env var.
### Recently Completed (2026-02-04/05)
- **MAC Guardian Feed Integration** — DONE (2026-02-05)
- Both IPKs built and added to bonus feed
- Catalog updated with security category, wifi icon
- **Punk Exposure Emancipate** — DONE (2026-02-05)
- CLI: `emancipate` and `revoke` commands for multi-channel exposure
- RPCD: 3 new methods in `luci.exposure`
- Dashboard: Mesh column toggle, Emancipate modal
- **Jellyfin Post-Install Wizard** — DONE (2026-02-05)
- 4-step modal wizard (Welcome, Media, Network, Complete)
- RPCD methods for wizard status and media path management
- **Navigation Component Refactoring** — DONE (2026-02-05)
- `SecuNav.renderTabs()` auto-inits theme and CSS
- `renderCompactTabs()` for nested modules
- Eliminated ~1000 lines of duplicate CSS
- **ksmbd Mesh Media Sharing** — DONE (2026-02-05)
- `ksmbdctl` CLI with share management
- Pre-configured shares: Media, Jellyfin, Lyrion, Backup
- **SMB/CIFS Remote Mount Manager** — DONE (2026-02-04)
- `smbfsctl` CLI, UCI config, init script
- Jellyfin and Lyrion media path integration
- **Domoticz IoT Integration** — DONE (2026-02-04)
- LXC Debian container with native binary
- MQTT auto-bridge, Zigbee2MQTT integration
- `domoticzctl configure-mqtt` command
### In Progress
_None currently active_
### Next Up — Couche 1
1. **Guacamole Pre-built Binaries**
- Current LXC build-from-source approach is too slow
- Need to find/create pre-built ARM64 binaries for guacd + Tomcat
2. **Mesh Onboarding Testing**
- End-to-end test of master-link dynamic join IPK generation
- Validate P2P threat intelligence with real CrowdSec alerts
---
## Couche 2 — AI Gateway
### Next Up — v0.18 AI Components
1. **MCP Server Implementation**
- Create `secubox-mcp-server` package
- Implement MCP tools: crowdsec.alerts, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.config
- Integration with Claude Desktop, Cursor
2. **Threat Analyst Agent**
- CrowdSec alert analysis and correlation
- Automated threat severity assessment
3. **DNS Guard Migration**
- Migrate current `luci-app-dnsguard` to AI-powered agent
- DNS anomaly detection with ML patterns
4. **LocalAI Upgrade → 3.9**
- Update `secubox-app-localai` to version 3.9
- Add new model presets
---
## Couche 3 — MirrorNetworking
### Packages to Build (v0.19)
| Package | Priority | Notes |
|---------|----------|-------|
| `secubox-mirrornet` | HIGH | Core mesh orchestration, gossip protocol |
| `secubox-identity` | HIGH | did:plc generation, key rotation |
| `secubox-p2p-intel` | MEDIUM | IoC signed gossip |
| `luci-app-secubox-mirror` | MEDIUM | Dashboard for peers, trust, services |
### Communication Layer (v1.0)
- `secubox-voip` — Asterisk micro-PBX
- `secubox-matrix` — Conduit Matrix server
---
## Couche 4 — Roadmap Tracking
### v0.18.0 Progress
| Item | Status |
|------|--------|
| Core Mesh modules | 35+ DONE |
| Guacamole | DEFERRED |
| MCP Server | TODO |
| Threat Analyst | TODO |
| DNS Guard migration | TODO |
| LocalAI 3.9 | TODO |
### Certifications
- ANSSI CSPN: Data Classifier + Mistral EU + offline mode
- GDPR: Currently compliant
- ISO 27001, NIS2, SOC2: Planned for v1.1+
---
## Strategic Documents Received
- `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap (LocalAI 3.9 + LocalAGI + MCP).
- `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture (LiteLLM + Data Classifier + multi-provider).
- `SecuBox_MirrorNetworking_Paradigm_Reversal.html` — EnigmaBox autopsy → MirrorNet zero-central-authority architecture. Dual transport (WireGuard + Yggdrasil), VoIP E2E (Asterisk), Matrix/Conduit messaging, did:plc identity, P2P gossip threat intel, Mirror concepts (Threat Intel, AI Inference, Reputation, Config & Updates). New packages: secubox-mirrornet (v0.19), secubox-identity (v0.19), secubox-voip (v1.0), secubox-matrix (v1.0), secubox-p2p-intel (v0.19), yggdrasil-secubox (v1.1+), luci-app-secubox-mirror (v0.19). Crowdfunding target: 2027.
- `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap
- `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture
- `SecuBox_MirrorNetworking_Paradigm_Reversal.html` — EnigmaBox autopsy → MirrorNet
- `SecuBox_Fanzine_v3_Feb2026.html` — 4-layer architecture overview
- **Domoticz IoT Integration**
Status: DONE (2026-02-04)
Notes: `luci-app-domoticz` created with RPCD handler, LuCI overview (status, MQTT, Z2M, HAProxy, mesh, logs).
`domoticzctl` enhanced with `configure-mqtt`, `configure-haproxy`, `backup/restore`, `mesh-register`, `uninstall`.
UCI config extended with mqtt, network, mesh sections. Catalog updated with LuCI package and IoT tags.
- **P2P App Store Emancipation**
Status: DONE (2026-02-04)
Notes: HTTP P2P package distribution across mesh peers.
CGI endpoints: `/api/factory/packages`, `/api/factory/packages-sync`.
RPCD methods: get_feed_peers, get_peer_packages, get_all_packages, fetch_package, sync_package_catalog, get_feed_settings, set_feed_settings.
CLI commands: `secubox-feed peers/search/fetch-peer/fetch-any/sync-peers`.
LuCI view: `packages.js` under MirrorBox > App Store.
UCI config: `p2p_feed` section with share_feed, auto_sync, sync_interval, prefer_local.
- **RustDesk & Guacamole Remote Access**
Status: PARTIAL (2026-02-04)
Notes: `secubox-app-rustdesk` — WORKING: native hbbs/hbbr binaries from GitHub releases, auto-key generation.
`secubox-app-guacamole` — DEFERRED: LXC build-from-source too slow; needs pre-built binaries or Docker approach.
RustDesk deployed and tested on router (ports 21116-21117).
- **Development Status Widget**
Status: DONE (2026-02-04)
Notes: `devstatus.js` view under MirrorBox > Dev Status.
- Generative/dynamic dashboard with real-time polling
- Gitea commit activity and repository stats
- MirrorBox App Store package counts (local/peer/unique)
- Progress bar toward v1.0 (0-100%) with milestone tracking
- 8 milestone categories with dynamic progress indicators
Plan for later: cross-compile RustDesk binaries via toolchain.
- **Content Distribution System**
Status: DONE (2026-02-04)
Notes: `secubox-content-pkg` — auto-package Metablogizer sites and Streamlit apps as IPKs.
Auto-publish hooks in metablogizerctl and streamlitctl.
`secubox-feed sync-content` — auto-install content packages from mesh peers.
P2P distribution: sites → HAProxy vhosts, Streamlit → service instances.
- **ksmbd Mesh Media Sharing**
Status: DONE (2026-02-05)
Notes: `secubox-app-ksmbd` package with `ksmbdctl` CLI, UCI config, pre-configured media shares.
Commands: enable/disable/status/add-share/remove-share/list-shares/add-user/mesh-register.
Default shares: Media, Jellyfin, Lyrion, Backup.
- **Chip Header Layout Port**
Status: DONE (2026-02-05)
Notes: `client-guardian` and `auth-guardian` overview.js updated to use `sh-page-header` chip layout.
Shared CSS from `secubox/common.css`. Consistent with SecuBox dashboard design.
- **Navigation Component Refactoring**
Status: DONE (2026-02-05)
Notes: Unified navigation widget in `secubox/nav.js`.
- `SecuNav.renderTabs()` now auto-inits theme and loads CSS (no more boilerplate in views).
- `SecuNav.renderCompactTabs()` for nested modules (CDN Cache, CrowdSec, System Hub, etc.).
- `SecuNav.renderBreadcrumb()` for back-navigation to SecuBox.
- Updated module navs: cdn-cache, client-guardian, crowdsec-dashboard, media-flow, mqtt-bridge, system-hub.
- Removed ~1000 lines of duplicate CSS from module nav files.
- **Monitoring UX Improvements**
Status: DONE (2026-02-05)
Notes: Empty-state loading and dynamic bandwidth units.
- Empty-state overlay with animated dots during 5-second warmup.
- Chart legend "Waiting" → "Live" transition.
- `formatBits()` helper for network rates (Kbps/Mbps/Gbps).
- Cyberpunk theme support for empty state.
- **Punk Exposure Emancipate CLI**
Status: DONE (2026-02-05)
Notes: Phase 1 of multi-channel exposure system.
- `secubox-exposure emancipate <svc> <port> <domain> [--tor] [--dns] [--mesh] [--all]`
- `secubox-exposure revoke <svc> [--tor] [--dns] [--mesh] [--all]`
- UCI tracking for emancipated services with channel status.
- Status command shows emancipated services.
- TODO: Fix mesh integration (secubox-p2p uses different commands).
- **Punk Exposure LuCI Dashboard**
Status: DONE (2026-02-05)
Notes: Phases 2-4 of Punk Exposure.
- RPCD methods: `emancipate`, `revoke`, `get_emancipated` added to `luci.exposure`.
- API wrapper: `emancipate()`, `revoke()`, `getEmancipated()` exported.
- ACL updated with new methods.
- Dashboard: Mesh column with toggle, Emancipate button with multi-channel modal.
- CSS: Mesh badge (blue), mesh slider, action button styles.
- **Jellyfin Post-Install Wizard**
Status: DONE (2026-02-05)
Notes: 4-step modal setup wizard for first-time Jellyfin configuration.
- RPCD methods: `get_wizard_status`, `set_wizard_complete`, `add_media_path`, `remove_media_path`, `get_media_paths`.
- Wizard auto-shows when Jellyfin is installed but wizard_complete=0.
- Step 1 (Welcome): Docker/container status checks, install/start buttons.
- Step 2 (Media): Add/remove media library paths with type presets.
- Step 3 (Network): Domain, HAProxy, ACME configuration.
- Step 4 (Complete): Success message with link to Jellyfin Web UI.
- CSS: `jellyfin/wizard.css` with step indicators, media list, form styles.
- **MAC Guardian Feed Integration**
Status: DONE (2026-02-05)
Notes: Both IPKs built and added to bonus feed. Catalog updated with proper metadata.
## Next Up
1. Commit bonus feed rebuild (IPKs updated with MAC Guardian packages).
- All packages rebuilt including new mac-guardian IPKs
- apps-local.json catalog updated
---
## Known Bugs (Deferred)
- **Tor Shield / opkg conflict**: opkg downloads fail (`wget returned 4`) when Tor Shield is active. Direct `wget` to full URL works. Likely DNS/routing interference from Tor split-routing. To be fixed later.
- **Tor Shield / opkg conflict**: opkg downloads fail (`wget returned 4`) when Tor Shield is active. Likely DNS/routing interference.
---
## Blockers / Risks
- No automated regression tests for LuCI views; manual verification required after each SCP deploy.
- Glances + Zigbee2MQTT + SMB/CIFS source changes uncommitted in working tree.
- Strategic AI + MirrorNetworking documents noted but not yet implemented (v0.18+ roadmap).
- No automated regression tests for LuCI views; manual verification required after SCP deploy.
- Guacamole ARM64 pre-built binaries not readily available.
- MCP Server requires understanding of Model Context Protocol specification.
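Review bot: "1. **MCP Server Implementation** — Create `secubox-mcp-server` package" conflicts with TODO.md in this same commit, which places the MCP Server inside `secubox-ai-gateway` (LiteLLM Proxy + Data Classifier + MCP Server); settle on one packaging and use the same package name in both files. The detailed "Punk Exposure Emancipate CLI" entry carries an open item ("TODO: Fix mesh integration (secubox-p2p uses different commands)") that does not reappear in the condensed "Recently Completed" bullets nor in TODO.md's "Deferred / Backlog"; if that entry is the removed side of this rewrite, move the open item into the backlog before dropping it. Finally, the Tor Shield / opkg bug is recorded here under "Known Bugs (Deferred)" and twice more in the TODO.md hunk (item 18 and "### Tor Shield / opkg Bug" under "Deferred / Backlog"); if both TODO.md copies survive, keep one canonical entry and cross-reference it from the other files.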