diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md index 040a4220..ee444a12 100644 --- a/.claude/HISTORY.md +++ b/.claude/HISTORY.md @@ -219,3 +219,13 @@ _Last updated: 2026-02-05_ - `luci-app-mac-guardian`: category "security", icon "wifi", description "WiFi MAC address security monitor with spoofing detection" - `secubox-app-mac-guardian`: icon "wifi", description "WiFi MAC security backend with CrowdSec integration" - Package features: MAC spoofing detection, OUI anomaly detection, MAC floods, CrowdSec scenarios integration. + +26. **Fanzine v3 Roadmap Alignment (2026-02-06)** + - Restructured TODO.md and WIP.md to align with SecuBox Fanzine v3 4-layer architecture: + - **Couche 1 — Core Mesh**: 35+ modules, v0.18 priorities, testing/validation, CVE Layer 7 + - **Couche 2 — AI Gateway**: Data Classifier, 6 Autonomous Agents, MCP Server, provider hierarchy + - **Couche 3 — MirrorNetworking**: EnigmaBox → MirrorNet, dual transport, Services Mirrors, VoIP/Matrix + - **Couche 4 — Roadmap**: v0.18/v0.19/v1.0/v1.1+ milestones, certifications (ANSSI, ISO, NIS2) + - Added strategic reference to Fanzine v3 document. + - Consolidated completed items under "Resolved" section. + - Created version milestone checklists for tracking progress. diff --git a/.claude/TODO.md b/.claude/TODO.md index f23ad35d..518f7b1f 100644 --- a/.claude/TODO.md +++ b/.claude/TODO.md @@ -1,6 +1,10 @@ # SecuBox TODOs (Claude Edition) -_Last updated: 2026-02-05_ +_Last updated: 2026-02-06_ + +> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches + +--- ## Resolved 
@@ -9,125 +13,214 @@ _Last updated: 2026-02-05_ - ~~Zigbee2MQTT dongle connection~~ — Done: adapter `ezsp`→`ember`, `ZIGBEE2MQTT_DATA` env var, direct `/dev/ttyUSB0` passthrough (2026-02-04). - ~~Metablogizer Upload Failures~~ — Done: Chunked upload to bypass uhttpd 64KB JSON limit (2026-02-04). - ~~Chip Header Layout Migration~~ — Done: client-guardian and auth-guardian ported to `sh-page-header` + `renderHeaderChip()` (2026-02-05). -- ~~SMB/CIFS Shared Remote Directories~~ — Done: `secubox-app-smbfs` (client mount manager) + `secubox-app-ksmbd` (server for mesh sharing) (2026-02-04/05). +- ~~SMB/CIFS Shared Remote Directories~~ — Done: `secubox-app-smbfs` + `secubox-app-ksmbd` (2026-02-04/05). - ~~P2P App Store Emancipation~~ — Done: P2P package distribution, packages.js view, devstatus.js widget (2026-02-04/05). -- ~~Navigation Component~~ — Done: `SecuNav.renderTabs()` now auto-inits theme+CSS, `renderCompactTabs()` for nested modules (2026-02-05). -- ~~Monitoring UX~~ — Done: Empty-state loading animation for charts, dynamic bandwidth units in bits (Kbps/Mbps/Gbps) via `formatBits()` (2026-02-05). -- ~~MAC Guardian Feed Integration~~ — Done: Both IPKs built and added to bonus feed with catalog entries (2026-02-05). +- ~~Navigation Component~~ — Done: `SecuNav.renderTabs()` auto-inits theme+CSS, `renderCompactTabs()` (2026-02-05). +- ~~Monitoring UX~~ — Done: Empty-state loading animation, dynamic bandwidth units via `formatBits()` (2026-02-05). +- ~~MAC Guardian Feed Integration~~ — Done: Both IPKs built and added to bonus feed (2026-02-05). +- ~~Punk Exposure Multi-Domain DNS~~ — Done: emancipate/revoke CLI, RPCD, Mesh column, Emancipate modal (2026-02-05). +- ~~Jellyfin Post-Install Wizard~~ — Done: 4-step modal wizard for media library configuration (2026-02-05). +- ~~Domoticz IoT Integration~~ — Done: LuCI dashboard, MQTT auto-bridge, Zigbee2MQTT integration (2026-02-04). -## Open +--- -1. 
~~**Chip Header Layout Migration**~~ — Done (2026-02-05) - - ~~Port `sh-page-header` + `renderHeaderChip()` pattern to client-guardian and auth-guardian.~~ - - ~~Both now use `sh-page-header` with chip stats.~~ +## Couche 1 — Core Mesh (35+ modules) -2. ~~**Navigation Component**~~ — Done (2026-02-05) - - ~~Convert `SecuNav.renderTabs()` into a reusable LuCI widget (avoid duplicating `Theme.init` in each view).~~ - - ~~Provide a compact variant for nested modules (e.g., CDN Cache, Network Modes).~~ +### v0.18 Module Priorities -3. ~~**Monitoring UX**~~ — Done (2026-02-05) - - ~~Add empty-state copy while charts warm up.~~ - - ~~Display bandwidth units dynamically (Kbps/Mbps/Gbps) based on rate.~~ +| Package | Status | Notes | +|---------|--------|-------| +| `secubox-app-guacamole` | DEFERRED | LXC build-from-source too slow; needs pre-built binaries | +| `secubox-app-rustdesk` | DONE | Native hbbs/hbbr binaries, auto-key generation | +| `secubox-app-ksmbd` | DONE | Mesh media server with pre-configured shares | +| `secubox-app-domoticz` | DONE | LXC Debian, MQTT bridge, Zigbee2MQTT | +| `secubox-app-smbfs` | DONE | Client-side SMB mount manager | -4. ~~**MAC Guardian Feed Integration**~~ — Done (2026-02-05) - - ~~Build and include mac-guardian IPK in bonus feed (new package from 2026-02-03, not yet in feed).~~ - - `secubox-app-mac-guardian` and `luci-app-mac-guardian` IPKs added to bonus feed with catalog entries. +### Testing & Validation -5. **Mesh Onboarding Testing** +1. **Mesh Onboarding Testing** - master-link dynamic join IPK generation needs end-to-end testing on multi-node mesh. - P2P decentralized threat intelligence sharing needs validation with real CrowdSec alerts. -6. **WAF Auto-Ban Tuning** +2. **WAF Auto-Ban Tuning** - Sensitivity thresholds may need adjustment based on real traffic patterns. - CVE detection patterns (including CVE-2025-15467) need false-positive analysis. -7. 
**Image Builder Validation** - - `secubox-tools/` image builder and sysupgrade scripts (added 2026-02-03) need testing on physical hardware. +3. **Image Builder Validation** + - `secubox-tools/` image builder and sysupgrade scripts need testing on physical hardware. -8. **Docs & Tooling** - - Document deployment scripts in `README.md` (what each script copies). - - Add lint/upload pre-check (LuCI `lua -l luci.dispatcher`) to prevent syntax errors before SCP. +### Innovation CVE Layer 7 -9. **Testing** - - Capture screenshot baselines for dark/light/cyberpunk themes. - - Automate browser cache busting (append `?v=` to view URLs). +- WAF analysis via Modsec IP + traffic analysis + CrowdSec CVE detection +- Combines: `secubox-app-waf` + `mitmproxy` threat patterns + CrowdSec scenarios -10. ~~**SMB/CIFS Shared Remote Directories**~~ — Done (2026-02-04/05) - - ~~`secubox-app-smbfs` for client-side mount management (`smbfsctl` CLI, UCI config, init script).~~ - - ~~`secubox-app-ksmbd` for server-side mesh sharing (`ksmbdctl` CLI, pre-configured shares).~~ - - ~~Integrates with Jellyfin, Lyrion media paths.~~ +### Docs & Tooling -11. ~~**Metablogizer Upload Failures**~~ — Done (2026-02-04) - - ~~Investigate and fix failed file uploads in Metablogizer.~~ - - ~~Fixed: Chunked upload to bypass uhttpd 64KB JSON limit (same pattern as Streamlit).~~ +- Document deployment scripts in `README.md` (what each script copies). +- Add lint/upload pre-check (LuCI `lua -l luci.dispatcher`) to prevent syntax errors before SCP. +- Capture screenshot baselines for dark/light/cyberpunk themes. +- Automate browser cache busting (append `?v=` to view URLs). -12. **SecuBox v2 Roadmap & Objectives** - - EnigmaBox integration evaluation (community vote?). - - VoIP integration (SIP/WebRTC). - - Domoticz home automation integration. - - SSMTP / mail host / MX record management. - - Reverse MWAN WireGuard peers (multi-WAN failover over mesh). - - Nextcloud self-hosted cloud storage. 
- - Version v2 release planning and feature prioritization. +--- - **AI Management Layer** (ref: `SecuBox_LocalAI_Strategic_Analysis.html`): - - Phase 1 (v0.18): Upgrade LocalAI → 3.9, MCP Server, Threat Analyst agent, DNS Guard migration. - - Phase 2 (v0.19): CVE Triage + Network Anomaly agents, LocalRecall memory, AI Insights dashboard. - - Phase 3 (v1.0): Config Advisor (ANSSI prep), P2P Mesh Intelligence, Factory auto-provisioning. - - Hybrid approach: Ollama (inference) + LocalAI (orchestrator) + LocalAGI (agents) + LocalRecall (memory). - - MCP tools: crowdsec.alerts, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.config. +## Couche 2 — AI Gateway - **AI Gateway Hybrid Architecture** (ref: `SecuBox_AI_Gateway_Hybrid_Architecture.html`): - - `secubox-ai-gateway` package: LiteLLM Proxy (port 4000) + Data Classifier + MCP Server. - - Data classification: LOCAL ONLY (raw network data) / SANITIZED (IPs scrubbed) / CLOUD DIRECT (generic). - - Providers: Mistral (EU sovereign, priority 1) > Claude > GPT > Gemini > xAI (all opt-in). - - Offline resilience: Local tier always active, cloud is bonus not dependency. - - Budget cap: configurable monthly cloud spend limit via LiteLLM. - - ANSSI CSPN: Data Classifier + Mistral EU + offline mode = triple sovereignty proof. +### Data Classifier (Sovereignty Engine) -13. ~~**Punk Exposure Multi-Domain DNS**~~ — DONE (2026-02-05) - - ~~Multi-domain DNS with P2P exposure and Tor endpoints.~~ - - ~~Classical HTTPS endpoint (DNS provider API: OVH, Gandi, Cloudflare).~~ - - ~~Administrable DNS provider API integration via `dnsctl`.~~ - - ~~Mapped to local services, mesh-federated, locally tweakable.~~ - - ~~Follows Peek / Poke / Emancipate model (see `PUNK-EXPOSURE.md`).~~ - - Phase 1: `emancipate` and `revoke` CLI commands added to secubox-exposure. - - Phase 2-4: RPCD methods, API wrapper, Mesh column, Emancipate modal, CSS styles. 
+| Classification | Description | Destination | +|----------------|-------------|-------------| +| LOCAL ONLY | Raw network data, IPs, MACs, logs | Never leaves device | +| SANITIZED | IPs scrubbed, anonymized patterns | Mistral EU (opt-in) | +| CLOUD DIRECT | Generic queries, no sensitive data | Claude/GPT (opt-in) | -14. ~~**Jellyfin Post-Install**~~ — DONE (2026-02-05) - - ~~Complete startup wizard (media library configuration)~~ — 4-step modal wizard added. - - ~~README documentation~~ — Done (2026-02-04). +**Package**: `secubox-ai-gateway` — LiteLLM Proxy (port 4000) + Data Classifier + MCP Server -15. ~~**Domoticz IoT Integration & SecuBox Peering**~~ — Done (2026-02-04) - - ~~`luci-app-domoticz` created with RPCD handler, LuCI overview.~~ - - ~~`domoticzctl configure-mqtt` auto-configures Mosquitto + Zigbee2MQTT bridge.~~ - - ~~P2P mesh registration, HAProxy integration, backup/restore.~~ - - ~~UCI config extended with mqtt/network/mesh sections.~~ +### 6 Autonomous Agents -16. ~~**App Store P2P Emancipation**~~ — Done (2026-02-04) - - ~~P2P package distribution via mesh peers (CGI API, RPCD, CLI).~~ - - ~~`packages.js` view with LOCAL/PEER badges, fetch/install actions.~~ - - ~~`devstatus.js` widget with v1.0 progress tracking.~~ - - ~~`secubox-content-pkg` for Metablogizer/Streamlit IPK distribution.~~ +| Agent | Phase | Description | +|-------|-------|-------------| +| Threat Analyst | v0.18 | CrowdSec alert analysis, threat correlation | +| DNS Guard | v0.18 | DNS anomaly detection, migration from current | +| CVE Triage | v0.19 | Vulnerability prioritization, patch recommendations | +| Network Anomaly | v0.19 | Traffic pattern analysis, baseline deviation | +| Log Analyzer | v0.19 | Cross-log correlation, incident timeline | +| Config Advisor | v1.0 | ANSSI compliance prep, configuration hardening | -17. 
**MirrorNetworking Stack** (ref: `SecuBox_MirrorNetworking_Paradigm_Reversal.html`) - - EnigmaBox paradigm reversal: zero central authority, each box is the network. - - Dual transport: WireGuard (tier 1, known peers) + Yggdrasil (tier 2, discovery/extended mesh, optional). - - New packages roadmap: - - `secubox-mirrornet` (v0.19): Core mesh orchestration, gossip protocol, peer management. - - `secubox-identity` (v0.19): did:plc generation, key rotation, trust scoring. - - `secubox-p2p-intel` (v0.19): IoC signed gossip, threat intelligence sharing. - - `luci-app-secubox-mirror` (v0.19): Dashboard for peers, trust, services, comms. - - `secubox-voip` (v1.0): Asterisk micro-PBX, SIP/SRTP direct over WireGuard mesh. - - `secubox-matrix` (v1.0): Conduit Matrix server (Rust, ~15MB RAM), federation on mesh. - - `secubox-factory` (v1.0): Auto-provisioning new box via mesh P2P. - - `yggdrasil-secubox` (v1.1+): Yggdrasil overlay + meshname DNS. - - Mirror concepts: Threat Intel sharing, AI Inference distribution, Reputation scoring, Config & Updates P2P. - - Communication: VoIP E2E (Asterisk/SRTP, no exit server), Matrix E2EE, optional mesh email. - - ANSSI CSPN: Zero central authority = verifiable sovereignty. - - Crowdfunding target: 2027. +### MCP Server — Le lien manquant -18. **Tor Shield / opkg Bug** (deferred) - - opkg downloads fail (`wget returned 4`) when Tor Shield is active. - - Direct `wget` to full URL works — likely DNS/routing interference. - - Investigate: opkg proxy settings, Tor split-routing exclusions for package repos. 
+SecuBox MCP Server exposes device context to AI agents via Model Context Protocol: + +**MCP Tools**: +- `crowdsec.alerts` — Active threats and decisions +- `waf.logs` — Web application firewall events +- `dns.queries` — DNS query logs and anomalies +- `network.flows` — Traffic flow summaries +- `system.metrics` — CPU, memory, disk, temperature +- `wireguard.status` — VPN tunnel status +- `uci.config` — OpenWrt configuration access + +**Integration targets**: Claude Desktop, Cursor, VS Code, custom agents + +### AI Provider Hierarchy + +1. **Mistral** (EU sovereign, GDPR compliant) — Priority 1 +2. **Claude** — Priority 2 +3. **GPT** — Priority 3 +4. **Gemini** — Priority 4 +5. **xAI** — Priority 5 + +All cloud providers are **opt-in**. Offline resilience: local tier always active. + +--- + +## Couche 3 — MirrorNetworking + +### EnigmaBox → MirrorNet Paradigm Reversal + +> Zero central authority: each box IS the network. + +### Dual Transport Architecture + +| Tier | Protocol | Purpose | +|------|----------|---------| +| Tier 1 | WireGuard | Known peers, trusted mesh | +| Tier 2 | Yggdrasil | Discovery, extended mesh (optional) | + +### Services Mirrors (P2P Gossip) + +- **Threat Intel**: IoC signed gossip, distributed threat intelligence +- **AI Inference**: Distributed model inference across mesh +- **Reputation**: Trust scoring, peer reputation +- **Config & Updates**: P2P configuration sync, firmware distribution + +### New Packages Roadmap + +| Package | Version | Description | +|---------|---------|-------------| +| `secubox-mirrornet` | v0.19 | Core mesh orchestration, gossip protocol | +| `secubox-identity` | v0.19 | did:plc generation, key rotation, trust scoring | +| `secubox-p2p-intel` | v0.19 | IoC signed gossip, threat intelligence | +| `luci-app-secubox-mirror` | v0.19 | Dashboard for peers, trust, services | +| `secubox-voip` | v1.0 | Asterisk micro-PBX, SIP/SRTP over mesh | +| `secubox-matrix` | v1.0 | Conduit Matrix server (~15MB RAM) | +| 
`secubox-factory` | v1.0 | Auto-provisioning via mesh P2P | +| `yggdrasil-secubox` | v1.1+ | Yggdrasil overlay + meshname DNS | + +### Communication Layer + +- **VoIP E2E**: Asterisk/SRTP direct over WireGuard mesh (no exit server) +- **Matrix E2EE**: Conduit federation on mesh +- **Mesh Email**: Optional, deferred + +--- + +## Couche 4 — Roadmap + +### v0.18.0 — MirrorBox Core v1.0 + +- [ ] LocalAI upgrade → 3.9 +- [ ] MCP Server implementation +- [ ] Threat Analyst agent +- [ ] DNS Guard migration +- [ ] Guacamole pre-built binaries + +### v0.19.0 — AI Expansion + +- [ ] CVE Triage agent +- [ ] Network Anomaly agent +- [ ] LocalRecall memory integration +- [ ] AI Insights dashboard +- [ ] MirrorNet core packages + +### v1.0.0 — Full Stack + +- [ ] Config Advisor (ANSSI prep) +- [ ] P2P Mesh Intelligence +- [ ] Factory auto-provisioning +- [ ] VoIP integration +- [ ] Matrix integration + +### v1.1+ — Extended Mesh + +- [ ] Yggdrasil overlay +- [ ] Meshname DNS +- [ ] Extended peer discovery + +### Certifications Ciblees + +| Certification | Status | Target | +|---------------|--------|--------| +| ANSSI CSPN | In Progress | v1.0 | +| ISO 27001 | Planned | v1.1 | +| NIS2 | Planned | v1.1 | +| CE | Planned | v1.0 | +| GDPR | Compliant | Current | +| SOC2 | Planned | v1.2 | + +**ANSSI CSPN Strategy**: Data Classifier + Mistral EU + offline mode = triple sovereignty proof + +--- + +## Deferred / Backlog + +### Tor Shield / opkg Bug + +- opkg downloads fail (`wget returned 4`) when Tor Shield is active. +- Direct `wget` to full URL works — likely DNS/routing interference. +- Investigate: opkg proxy settings, Tor split-routing exclusions for package repos. 
+ +### v2 Long-term + +- Nextcloud self-hosted cloud storage +- SSMTP / mail host / MX record management +- Reverse MWAN WireGuard peers (multi-WAN failover over mesh) + +--- + +## Veille Cyber — Février 2026 + +_Space for current threat intelligence and security news relevant to SecuBox development._ + +- CVE-2025-15467: WAF detection patterns added +- [ ] Monitor for new CrowdSec scenarios +- [ ] Track OpenWrt security advisories diff --git a/.claude/WIP.md b/.claude/WIP.md index e870c9cc..74f8f98f 100644 --- a/.claude/WIP.md +++ b/.claude/WIP.md 
@@ -1,141 +1,141 @@ # Work In Progress (Claude) -## Active Threads +_Last updated: 2026-02-06_ -- **SMB/CIFS Remote Mount Manager** - Status: DONE — package created (2026-02-04) - Notes: New `secubox-app-smbfs` package with `smbfsctl` CLI, UCI config, init script, catalog entry. - Integrates with Jellyfin and Lyrion media paths. +> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches -- **Jellyfin README** - Status: DONE (2026-02-04) - Notes: KISS READMEs created for both `secubox-app-jellyfin` and `luci-app-jellyfin`. +--- -- **Glances Full System Monitoring** - Status: COMPLETE (2026-02-04) - Notes: LXC host bind mounts, Docker socket, fs plugin patch, hostname/OS identity. +## Couche 1 — Core Mesh -- **Zigbee2mqtt LXC Rewrite** - Status: COMPLETE (2026-02-04) - Notes: Direct `/dev/ttyUSB0` passthrough, adapter `ezsp`→`ember`, `ZIGBEE2MQTT_DATA` env var. +### Recently Completed (2026-02-04/05) + +- **MAC Guardian Feed Integration** — DONE (2026-02-05) + - Both IPKs built and added to bonus feed + - Catalog updated with security category, wifi icon + +- **Punk Exposure Emancipate** — DONE (2026-02-05) + - CLI: `emancipate` and `revoke` commands for multi-channel exposure + - RPCD: 3 new methods in `luci.exposure` + - Dashboard: Mesh column toggle, Emancipate modal + +- **Jellyfin Post-Install Wizard** — DONE (2026-02-05) + - 4-step modal wizard (Welcome, Media, Network, Complete) + - RPCD methods for wizard status and media path management + +- **Navigation Component Refactoring** — DONE (2026-02-05) + - `SecuNav.renderTabs()` auto-inits theme and CSS + - `renderCompactTabs()` for nested modules + - Eliminated ~1000 lines of duplicate CSS + +- **ksmbd Mesh Media Sharing** — DONE (2026-02-05) + - `ksmbdctl` CLI with share management + - Pre-configured shares: Media, Jellyfin, Lyrion, Backup + +- **SMB/CIFS Remote Mount Manager** — DONE (2026-02-04) + - `smbfsctl` CLI, UCI config, init script + - Jellyfin and Lyrion media path integration + +- **Domoticz 
IoT Integration** — DONE (2026-02-04) + - LXC Debian container with native binary + - MQTT auto-bridge, Zigbee2MQTT integration + - `domoticzctl configure-mqtt` command + +### In Progress + +_None currently active_ + +### Next Up — Couche 1 + +1. **Guacamole Pre-built Binaries** + - Current LXC build-from-source approach is too slow + - Need to find/create pre-built ARM64 binaries for guacd + Tomcat + +2. **Mesh Onboarding Testing** + - End-to-end test of master-link dynamic join IPK generation + - Validate P2P threat intelligence with real CrowdSec alerts + +--- + +## Couche 2 — AI Gateway + +### Next Up — v0.18 AI Components + +1. **MCP Server Implementation** + - Create `secubox-mcp-server` package + - Implement MCP tools: crowdsec.alerts, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.config + - Integration with Claude Desktop, Cursor + +2. **Threat Analyst Agent** + - CrowdSec alert analysis and correlation + - Automated threat severity assessment + +3. **DNS Guard Migration** + - Migrate current `luci-app-dnsguard` to AI-powered agent + - DNS anomaly detection with ML patterns + +4. 
**LocalAI Upgrade → 3.9** + - Update `secubox-app-localai` to version 3.9 + - Add new model presets + +--- + +## Couche 3 — MirrorNetworking + +### Packages to Build (v0.19) + +| Package | Priority | Notes | +|---------|----------|-------| +| `secubox-mirrornet` | HIGH | Core mesh orchestration, gossip protocol | +| `secubox-identity` | HIGH | did:plc generation, key rotation | +| `secubox-p2p-intel` | MEDIUM | IoC signed gossip | +| `luci-app-secubox-mirror` | MEDIUM | Dashboard for peers, trust, services | + +### Communication Layer (v1.0) + +- `secubox-voip` — Asterisk micro-PBX +- `secubox-matrix` — Conduit Matrix server + +--- + +## Couche 4 — Roadmap Tracking + +### v0.18.0 Progress + +| Item | Status | +|------|--------| +| Core Mesh modules | 35+ DONE | +| Guacamole | DEFERRED | +| MCP Server | TODO | +| Threat Analyst | TODO | +| DNS Guard migration | TODO | +| LocalAI 3.9 | TODO | + +### Certifications + +- ANSSI CSPN: Data Classifier + Mistral EU + offline mode +- GDPR: Currently compliant +- ISO 27001, NIS2, SOC2: Planned for v1.1+ + +--- ## Strategic Documents Received -- `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap (LocalAI 3.9 + LocalAGI + MCP). -- `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture (LiteLLM + Data Classifier + multi-provider). -- `SecuBox_MirrorNetworking_Paradigm_Reversal.html` — EnigmaBox autopsy → MirrorNet zero-central-authority architecture. Dual transport (WireGuard + Yggdrasil), VoIP E2E (Asterisk), Matrix/Conduit messaging, did:plc identity, P2P gossip threat intel, Mirror concepts (Threat Intel, AI Inference, Reputation, Config & Updates). New packages: secubox-mirrornet (v0.19), secubox-identity (v0.19), secubox-voip (v1.0), secubox-matrix (v1.0), secubox-p2p-intel (v0.19), yggdrasil-secubox (v1.1+), luci-app-secubox-mirror (v0.19). Crowdfunding target: 2027. 
+- `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap +- `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture +- `SecuBox_MirrorNetworking_Paradigm_Reversal.html` — EnigmaBox autopsy → MirrorNet +- `SecuBox_Fanzine_v3_Feb2026.html` — 4-layer architecture overview -- **Domoticz IoT Integration** - Status: DONE (2026-02-04) - Notes: `luci-app-domoticz` created with RPCD handler, LuCI overview (status, MQTT, Z2M, HAProxy, mesh, logs). - `domoticzctl` enhanced with `configure-mqtt`, `configure-haproxy`, `backup/restore`, `mesh-register`, `uninstall`. - UCI config extended with mqtt, network, mesh sections. Catalog updated with LuCI package and IoT tags. - -- **P2P App Store Emancipation** - Status: DONE (2026-02-04) - Notes: HTTP P2P package distribution across mesh peers. - CGI endpoints: `/api/factory/packages`, `/api/factory/packages-sync`. - RPCD methods: get_feed_peers, get_peer_packages, get_all_packages, fetch_package, sync_package_catalog, get_feed_settings, set_feed_settings. - CLI commands: `secubox-feed peers/search/fetch-peer/fetch-any/sync-peers`. - LuCI view: `packages.js` under MirrorBox > App Store. - UCI config: `p2p_feed` section with share_feed, auto_sync, sync_interval, prefer_local. - -- **RustDesk & Guacamole Remote Access** - Status: PARTIAL (2026-02-04) - Notes: `secubox-app-rustdesk` — WORKING: native hbbs/hbbr binaries from GitHub releases, auto-key generation. - `secubox-app-guacamole` — DEFERRED: LXC build-from-source too slow; needs pre-built binaries or Docker approach. - RustDesk deployed and tested on router (ports 21116-21117). - -- **Development Status Widget** - Status: DONE (2026-02-04) - Notes: `devstatus.js` view under MirrorBox > Dev Status. 
- - Generative/dynamic dashboard with real-time polling - - Gitea commit activity and repository stats - - MirrorBox App Store package counts (local/peer/unique) - - Progress bar toward v1.0 (0-100%) with milestone tracking - - 8 milestone categories with dynamic progress indicators - Plan for later: cross-compile RustDesk binaries via toolchain. - -- **Content Distribution System** - Status: DONE (2026-02-04) - Notes: `secubox-content-pkg` — auto-package Metablogizer sites and Streamlit apps as IPKs. - Auto-publish hooks in metablogizerctl and streamlitctl. - `secubox-feed sync-content` — auto-install content packages from mesh peers. - P2P distribution: sites → HAProxy vhosts, Streamlit → service instances. - -- **ksmbd Mesh Media Sharing** - Status: DONE (2026-02-05) - Notes: `secubox-app-ksmbd` package with `ksmbdctl` CLI, UCI config, pre-configured media shares. - Commands: enable/disable/status/add-share/remove-share/list-shares/add-user/mesh-register. - Default shares: Media, Jellyfin, Lyrion, Backup. - -- **Chip Header Layout Port** - Status: DONE (2026-02-05) - Notes: `client-guardian` and `auth-guardian` overview.js updated to use `sh-page-header` chip layout. - Shared CSS from `secubox/common.css`. Consistent with SecuBox dashboard design. - -- **Navigation Component Refactoring** - Status: DONE (2026-02-05) - Notes: Unified navigation widget in `secubox/nav.js`. - - `SecuNav.renderTabs()` now auto-inits theme and loads CSS (no more boilerplate in views). - - `SecuNav.renderCompactTabs()` for nested modules (CDN Cache, CrowdSec, System Hub, etc.). - - `SecuNav.renderBreadcrumb()` for back-navigation to SecuBox. - - Updated module navs: cdn-cache, client-guardian, crowdsec-dashboard, media-flow, mqtt-bridge, system-hub. - - Removed ~1000 lines of duplicate CSS from module nav files. - -- **Monitoring UX Improvements** - Status: DONE (2026-02-05) - Notes: Empty-state loading and dynamic bandwidth units. 
- - Empty-state overlay with animated dots during 5-second warmup. - - Chart legend "Waiting" → "Live" transition. - - `formatBits()` helper for network rates (Kbps/Mbps/Gbps). - - Cyberpunk theme support for empty state. - -- **Punk Exposure Emancipate CLI** - Status: DONE (2026-02-05) - Notes: Phase 1 of multi-channel exposure system. - - `secubox-exposure emancipate [--tor] [--dns] [--mesh] [--all]` - - `secubox-exposure revoke [--tor] [--dns] [--mesh] [--all]` - - UCI tracking for emancipated services with channel status. - - Status command shows emancipated services. - - TODO: Fix mesh integration (secubox-p2p uses different commands). - -- **Punk Exposure LuCI Dashboard** - Status: DONE (2026-02-05) - Notes: Phases 2-4 of Punk Exposure. - - RPCD methods: `emancipate`, `revoke`, `get_emancipated` added to `luci.exposure`. - - API wrapper: `emancipate()`, `revoke()`, `getEmancipated()` exported. - - ACL updated with new methods. - - Dashboard: Mesh column with toggle, Emancipate button with multi-channel modal. - - CSS: Mesh badge (blue), mesh slider, action button styles. - -- **Jellyfin Post-Install Wizard** - Status: DONE (2026-02-05) - Notes: 4-step modal setup wizard for first-time Jellyfin configuration. - - RPCD methods: `get_wizard_status`, `set_wizard_complete`, `add_media_path`, `remove_media_path`, `get_media_paths`. - - Wizard auto-shows when Jellyfin is installed but wizard_complete=0. - - Step 1 (Welcome): Docker/container status checks, install/start buttons. - - Step 2 (Media): Add/remove media library paths with type presets. - - Step 3 (Network): Domain, HAProxy, ACME configuration. - - Step 4 (Complete): Success message with link to Jellyfin Web UI. - - CSS: `jellyfin/wizard.css` with step indicators, media list, form styles. - -- **MAC Guardian Feed Integration** - Status: DONE (2026-02-05) - Notes: Both IPKs built and added to bonus feed. Catalog updated with proper metadata. - -## Next Up - -1. 
Commit bonus feed rebuild (IPKs updated with MAC Guardian packages). - - All packages rebuilt including new mac-guardian IPKs - - apps-local.json catalog updated +--- ## Known Bugs (Deferred) -- **Tor Shield / opkg conflict**: opkg downloads fail (`wget returned 4`) when Tor Shield is active. Direct `wget` to full URL works. Likely DNS/routing interference from Tor split-routing. To be fixed later. +- **Tor Shield / opkg conflict**: opkg downloads fail (`wget returned 4`) when Tor Shield is active. Likely DNS/routing interference. + +--- ## Blockers / Risks -- No automated regression tests for LuCI views; manual verification required after each SCP deploy. -- Glances + Zigbee2MQTT + SMB/CIFS source changes uncommitted in working tree. -- Strategic AI + MirrorNetworking documents noted but not yet implemented (v0.18+ roadmap). +- No automated regression tests for LuCI views; manual verification required after SCP deploy. +- Guacamole ARM64 pre-built binaries not readily available. +- MCP Server requires understanding of Model Context Protocol specification.
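Review bot: the `_Last updated: 2026-02-05_` stamp in HISTORY.md (visible as this hunk's context header) is not bumped even though the new entry 26 is dated 2026-02-06; TODO.md and WIP.md in this same change both move their stamp to `_Last updated: 2026-02-06_`, so update HISTORY.md the same way so the three files agree.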
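Review bot: the new `> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches` blockquote at the top of TODO.md names the document but not the file; the WIP.md "Strategic Documents Received" list in this same change records it as `SecuBox_Fanzine_v3_Feb2026.html`, so quote that filename here, as the other strategic references do, so the pointer is resolvable from the repository.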
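Review bot: the TODO.md restructuring drops two open items without giving them a home. The removed AI Gateway line `- Budget cap: configurable monthly cloud spend limit via LiteLLM.` has no counterpart in the new "Couche 2 — AI Gateway" section, and the `Log Analyzer | v0.19` row of the "6 Autonomous Agents" table is absent from the `### v0.19.0 — AI Expansion` checklist, which lists only CVE Triage and Network Anomaly. Add a budget-cap bullet under the `secubox-ai-gateway` package line and a `- [ ] Log Analyzer agent` checkbox so the milestone checklists match the tables they summarize. Minor: `### Certifications Ciblees` should read `Ciblées`.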
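Review bot: in the WIP.md rewrite several open items are deleted rather than resolved: the `- TODO: Fix mesh integration (secubox-p2p uses different commands).` line under "Punk Exposure Emancipate CLI", the Next Up item `Commit bonus feed rebuild (IPKs updated with MAC Guardian packages)`, and the blocker `Glances + Zigbee2MQTT + SMB/CIFS source changes uncommitted in working tree` all disappear while the new file reports `_None currently active_` under "In Progress". If these were committed or fixed, record that in a completed entry; otherwise carry them into "Next Up" or "Blockers / Risks" so the WIP file remains an accurate record of outstanding work.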