feat(cloner): Add OpenWrt version selection and package profiles to image builder

- Add --version and --profile CLI options to secubox-cloner build command
- Add versions command to list available OpenWrt releases (24.10.5, 24.10.0, 23.05.5, 23.05.4)
- Add package profiles: slim (minimal), core (mesh essentials), full (clone current device)
- Add list_versions and list_build_profiles RPCD methods for LuCI
- Update build_image RPCD to accept version and profile parameters
- Update ACL permissions for new read methods

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/HISTORY.md

@@ -3522,3 +3522,23 @@ git checkout HEAD -- index.html
       - `handleGenerateBulkTokens()`, `handleCopyAllTokens()`, `refreshFactory()`
     - **Polling:** Factory data included in 5-second refresh when on Factory tab
     - **UI Pattern:** KISS theme components (stat boxes, cards, tables, buttons)
+
+29. **Cloner Image Builder Version/Profile Support (2026-02-25)**
+    - Enhanced `secubox-cloner` CLI with OpenWrt version selection and package profiles
+    - **New CLI Options:**
+      - `--version VER`: Select OpenWrt version (24.10.5, 24.10.0, 23.05.5, 23.05.4)
+      - `--profile PROFILE`: Select package profile (slim, core, full)
+      - `secubox-cloner versions`: List available versions and profiles
+    - **Package Profiles:**
+      - `slim`: Minimal OpenWrt (LuCI + network essentials only)
+      - `core`: Slim + SecuBox mesh (master-link, p2p, secubox-core)
+      - `full`: Clone all installed SecuBox packages from current device
+    - **New RPCD Methods:**
+      - `list_versions`: Returns available OpenWrt versions with latest flag
+      - `list_build_profiles`: Returns available package profiles with descriptions
+      - `build_image`: Now accepts `version` and `profile` parameters
+    - **Files Modified:**
+      - `secubox-core/root/usr/sbin/secubox-cloner`: Added version/profile parsing and build_via_asu profile logic
+      - `luci-app-cloner/root/usr/libexec/rpcd/luci.cloner`: Added list_versions, list_build_profiles, updated build_image
+      - `luci-app-cloner/root/usr/share/rpcd/acl.d/luci-app-cloner.json`: Added permissions for new methods
+    - **Tested:** CLI help, versions command, RPCD methods via ubus all working

package/secubox/luci-app-cloner/root/usr/libexec/rpcd/luci.cloner

@@ -234,23 +234,30 @@ EOF
 }
 
 do_build_image() {
-	local input device_type
+	local input device_type version profile
 
 	read input
 	device_type=$(echo "$input" | jsonfilter -e '@.device_type' 2>/dev/null)
+	version=$(echo "$input" | jsonfilter -e '@.version' 2>/dev/null)
+	profile=$(echo "$input" | jsonfilter -e '@.profile' 2>/dev/null)
+
+	# Defaults
+	[ -z "$version" ] && version="24.10.5"
+	[ -z "$profile" ] && profile="slim"
 
 	json_init
 
 	if [ -x /usr/sbin/secubox-cloner ]; then
-		if [ -n "$device_type" ]; then
-			(/usr/sbin/secubox-cloner build "$device_type" 2>&1 > /tmp/cloner-build.log) &
-			json_add_boolean "success" 1
-			json_add_string "message" "Build started for $device_type"
-		else
-			(/usr/sbin/secubox-cloner build 2>&1 > /tmp/cloner-build.log) &
-			json_add_boolean "success" 1
-			json_add_string "message" "Build started for current device"
-		fi
+		local cmd_args=""
+		[ -n "$device_type" ] && cmd_args="$cmd_args --device $device_type"
+		cmd_args="$cmd_args --version $version --profile $profile"
+
+		(/usr/sbin/secubox-cloner build $cmd_args 2>&1 > /tmp/cloner-build.log) &
+		json_add_boolean "success" 1
+		json_add_string "message" "Build started: ${device_type:-auto} / $version / $profile"
+		json_add_string "device" "${device_type:-auto}"
+		json_add_string "version" "$version"
+		json_add_string "profile" "$profile"
 	else
 		json_add_boolean "success" 0
 		json_add_string "message" "secubox-cloner not installed"
@@ -291,6 +298,68 @@ do_list_devices() {
 	json_dump
 }
 
+do_list_versions() {
+	json_init
+	json_add_array "versions"
+
+	json_add_object ""
+	json_add_string "id" "24.10.5"
+	json_add_string "name" "OpenWrt 24.10.5"
+	json_add_boolean "latest" 1
+	json_close_object
+
+	json_add_object ""
+	json_add_string "id" "24.10.0"
+	json_add_string "name" "OpenWrt 24.10.0"
+	json_add_boolean "latest" 0
+	json_close_object
+
+	json_add_object ""
+	json_add_string "id" "23.05.5"
+	json_add_string "name" "OpenWrt 23.05.5 (LTS)"
+	json_add_boolean "latest" 0
+	json_close_object
+
+	json_add_object ""
+	json_add_string "id" "23.05.4"
+	json_add_string "name" "OpenWrt 23.05.4 (LTS)"
+	json_add_boolean "latest" 0
+	json_close_object
+
+	json_close_array
+	json_add_string "default" "24.10.5"
+	json_dump
+}
+
+do_list_build_profiles() {
+	json_init
+	json_add_array "profiles"
+
+	json_add_object ""
+	json_add_string "id" "slim"
+	json_add_string "name" "Slim"
+	json_add_string "description" "Minimal OpenWrt (LuCI + network essentials)"
+	json_add_boolean "default" 1
+	json_close_object
+
+	json_add_object ""
+	json_add_string "id" "core"
+	json_add_string "name" "Core"
+	json_add_string "description" "Slim + SecuBox mesh (master-link, p2p)"
+	json_add_boolean "default" 0
+	json_close_object
+
+	json_add_object ""
+	json_add_string "id" "full"
+	json_add_string "name" "Full"
+	json_add_string "description" "All SecuBox packages from current device"
+	json_add_boolean "default" 0
+	json_close_object
+
+	json_close_array
+	json_dump
+}
+
 do_tftp_start() {
 	json_init
 
@@ -1502,6 +1571,8 @@ case "$1" in
 		echo '"list_tokens":{},'
 		echo '"list_clones":{},'
 		echo '"list_devices":{},'
+		echo '"list_versions":{},'
+		echo '"list_build_profiles":{},'
 		echo '"build_progress":{},'
 		echo '"build_log":{"lines":"Number","offset":"Number"},'
 		echo '"serial_ports":{},'
@@ -1516,7 +1587,7 @@ case "$1" in
 		echo '"image_details":{"name":"String"},'
 		echo '"image_rename":{"old_name":"String","new_name":"String"},'
 		echo '"generate_token":{"auto_approve":"Boolean"},'
-		echo '"build_image":{"device_type":"String"},'
+		echo '"build_image":{"device_type":"String","version":"String","profile":"String"},'
 		echo '"tftp_start":{},'
 		echo '"tftp_stop":{},'
 		echo '"delete_token":{"token":"String"},'
@@ -1550,6 +1621,8 @@ case "$1" in
 			list_tokens) do_list_tokens ;;
 			list_clones) do_list_clones ;;
 			list_devices) do_list_devices ;;
+			list_versions) do_list_versions ;;
+			list_build_profiles) do_list_build_profiles ;;
 			build_progress) do_build_progress ;;
 			build_log) do_build_log ;;
 			serial_ports) do_serial_ports ;;

package/secubox/luci-app-cloner/root/usr/share/rpcd/acl.d/luci-app-cloner.json

@@ -5,6 +5,7 @@
 			"ubus": {
 				"luci.cloner": [
 					"status", "list_images", "list_tokens", "list_clones", "list_devices",
+					"list_versions", "list_build_profiles",
 					"build_progress", "build_log", "serial_ports", "serial_read",
 					"history_list", "storage_info", "image_details",
 					"list_remotes", "remote_status", "scan_network",

package/secubox/secubox-core/root/usr/sbin/secubox-cloner

@@ -6,7 +6,11 @@
 # Cloned devices auto-resize root and join mesh as peers.
 #
 # Usage:
-#   secubox-cloner build [--device TYPE] [--resize SIZE]  Build clone image
+#   secubox-cloner build [OPTIONS]          Build clone image via ASU API
+#     --device TYPE                         Device type (mochabin, x86-64, etc.)
+#     --version VER                         OpenWrt version (24.10.5, 24.10.0, snapshot)
+#     --profile PROFILE                     Package profile (slim, core, full)
+#   secubox-cloner versions                 List available OpenWrt versions
 #   secubox-cloner serve [--start|--stop]   Manage TFTP clone server
 #   secubox-cloner devices                  List supported device types
 #   secubox-cloner token [--auto-approve]   Generate clone join token
@@ -14,8 +18,17 @@
 #   secubox-cloner list                     List pending/joined clones
 #   secubox-cloner export [FILE]            Export clone image to file
 #
+# Package Profiles:
+#   slim  - Minimal OpenWrt (LuCI + network essentials only)
+#   core  - Slim + SecuBox core (mesh, master-link, p2p)
+#   full  - Current device's installed SecuBox packages
+#
 
-VERSION="1.0.0"
+VERSION="1.1.0"
+
+# Available OpenWrt versions (latest first)
+OPENWRT_VERSIONS="24.10.5 24.10.0 23.05.5 23.05.4"
+DEFAULT_VERSION="24.10.5"
 
 # Directories
 CLONE_DIR="/srv/secubox/clone"
@@ -99,6 +112,8 @@ get_device_id() {
 build_image() {
 	local device_type="${1:-}"
 	local resize_target="${2:-}"
+	local openwrt_version="${3:-$DEFAULT_VERSION}"
+	local pkg_profile="${4:-slim}"
 
 	log "Building clone image..."
 
@@ -138,7 +153,7 @@ build_image() {
 		# Try to build via ASU API if curl is available
 		if command -v curl >/dev/null 2>&1; then
 			log "Building image via ASU API..."
-			build_via_asu "$device_type" "$image_path" || {
+			build_via_asu "$device_type" "$image_path" "$openwrt_version" "$pkg_profile" || {
 				warn "ASU build failed, trying local export..."
 				build_local_export "$image_path"
 			}
@@ -197,9 +212,34 @@ list_devices() {
 	echo ""
 }
 
+# List available OpenWrt versions
+list_versions() {
+	echo ""
+	echo -e "${BOLD}Available OpenWrt Versions${NC}"
+	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+	local first=1
+	for ver in $OPENWRT_VERSIONS; do
+		if [ "$first" = "1" ]; then
+			echo "  $ver  ← latest (default)"
+			first=0
+		else
+			echo "  $ver"
+		fi
+	done
+	echo ""
+	echo -e "${BOLD}Package Profiles${NC}"
+	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+	echo "  slim   Minimal OpenWrt (LuCI + network essentials)"
+	echo "  core   Slim + SecuBox mesh (master-link, p2p)"
+	echo "  full   Current device's SecuBox packages"
+	echo ""
+}
+
 build_via_asu() {
 	local device_type="$1"
 	local output="$2"
+	local openwrt_version="${3:-$DEFAULT_VERSION}"
+	local pkg_profile="${4:-slim}"
 
 	# Map device type to ASU profile
 	local target=""
@@ -228,14 +268,47 @@ build_via_asu() {
 			;;
 	esac
 
-	# Get installed packages (for cloning same config)
-	local packages=$(opkg list-installed 2>/dev/null | awk '{print $1}' | grep -v "^kernel" | tr '\n' ' ')
+	# Build package list based on profile
+	local clone_packages=""
 
-	# Minimal clone packages (core system + SecuBox essentials)
-	# Use -dnsmasq to remove default and replace with dnsmasq-full
-	local clone_packages="-dnsmasq dnsmasq-full luci luci-ssl curl wget-ssl ca-certificates"
-	clone_packages="$clone_packages wireguard-tools luci-proto-wireguard"
-	clone_packages="$clone_packages block-mount e2fsprogs"
+	case "$pkg_profile" in
+		slim)
+			# Minimal: just LuCI + network essentials
+			clone_packages="-dnsmasq dnsmasq-full luci luci-ssl"
+			clone_packages="$clone_packages curl wget-ssl ca-certificates"
+			clone_packages="$clone_packages wireguard-tools luci-proto-wireguard"
+			clone_packages="$clone_packages block-mount e2fsprogs"
+			log "Profile: slim (minimal OpenWrt)"
+			;;
+		core)
+			# Slim + SecuBox core packages
+			clone_packages="-dnsmasq dnsmasq-full luci luci-ssl"
+			clone_packages="$clone_packages curl wget-ssl ca-certificates"
+			clone_packages="$clone_packages wireguard-tools luci-proto-wireguard"
+			clone_packages="$clone_packages block-mount e2fsprogs"
+			clone_packages="$clone_packages luci-app-secubox luci-theme-secubox"
+			clone_packages="$clone_packages secubox-core secubox-master-link secubox-p2p"
+			log "Profile: core (SecuBox mesh essentials)"
+			;;
+		full)
+			# Clone all installed SecuBox packages
+			clone_packages="-dnsmasq dnsmasq-full luci luci-ssl"
+			clone_packages="$clone_packages curl wget-ssl ca-certificates"
+			clone_packages="$clone_packages wireguard-tools luci-proto-wireguard"
+			clone_packages="$clone_packages block-mount e2fsprogs"
+			# Add all installed SecuBox and LuCI packages
+			local secubox_pkgs=$(opkg list-installed 2>/dev/null | awk '{print $1}' | grep -E "^secubox-|^luci-app-secubox|^luci-theme-secubox" | tr '\n' ' ')
+			clone_packages="$clone_packages $secubox_pkgs"
+			log "Profile: full (all SecuBox from current device)"
+			;;
+		*)
+			warn "Unknown profile: $pkg_profile, using slim"
+			clone_packages="-dnsmasq dnsmasq-full luci luci-ssl curl wget-ssl ca-certificates wireguard-tools"
+			;;
+	esac
+
+	log "OpenWrt version: $openwrt_version"
+	log "Target: $target / $profile"
 
 	# Convert packages string to JSON array
 	local packages_json=$(echo "$clone_packages" | tr ' ' '\n' | grep -v '^$' | sed 's/.*/"&"/' | tr '\n' ',' | sed 's/,$//')
@@ -246,10 +319,10 @@ build_via_asu() {
 {
   "profile": "$profile",
   "target": "$target",
-  "version": "24.10.0",
+  "version": "$openwrt_version",
   "packages": [$packages_json],
   "rootfs_size_mb": 512,
-  "client": "secubox-cloner/1.0"
+  "client": "secubox-cloner/$VERSION"
 }
 EOF
 
@@ -859,13 +932,26 @@ SecuBox Cloner - On-device clone image builder and server
 Usage: secubox-cloner <command> [options]
 
 Commands:
-  build [--resize SIZE]     Build clone image for current device type
+  build [OPTIONS]           Build clone image via ASU API
+  versions                  List available OpenWrt versions and profiles
+  devices                   List supported device types
   serve [--start|--stop]    Manage TFTP clone server
   token [--auto-approve]    Generate clone join token (24h TTL)
   status                    Show cloner status (images, tokens, clones)
   list                      List pending and joined clones
   export [FILE]             Export clone image to file
 
+Build Options:
+  --device TYPE             Device type (mochabin, x86-64, etc.)
+  --version VER             OpenWrt version (default: 24.10.5)
+  --profile PROFILE         Package profile: slim, core, full (default: slim)
+  --resize SIZE             Pre-resize image (e.g., 16G for eMMC)
+
+Package Profiles:
+  slim   Minimal OpenWrt (LuCI + network essentials only)
+  core   Slim + SecuBox mesh (master-link, p2p, core)
+  full   All SecuBox packages from current device
+
 Serial Flash Commands:
   flash detect              Detect available serial ports
   flash break [PORT]        Send break to enter U-Boot
@@ -874,34 +960,32 @@ Serial Flash Commands:
   flash run [PORT] [IMAGE]  Send U-Boot flash commands
   flash uboot               Print manual U-Boot commands
 
-Options:
-  --resize SIZE             Pre-resize image (e.g., 16G for eMMC)
-  --auto-approve            Token auto-approves clone join (no manual step)
-
 Examples:
-  # Build and serve clone image
-  secubox-cloner build
+  # Build slim image with latest OpenWrt
+  secubox-cloner build --profile slim
+
+  # Build core image with specific version
+  secubox-cloner build --version 24.10.0 --profile core
+
+  # Build full clone (all SecuBox packages)
+  secubox-cloner build --device x86-64 --profile full
+
+  # List available versions
+  secubox-cloner versions
+
+  # Start TFTP server
   secubox-cloner serve --start
 
-  # Flash a clone device via serial
+  # Flash via serial
   secubox-cloner flash break        # Enter U-Boot on target
   secubox-cloner flash run          # Send TFTP flash commands
-  secubox-cloner flash console      # Monitor progress
-
-  # Generate auto-approve token
-  secubox-cloner token --auto-approve
-
-  # Check status
-  secubox-cloner status
-
-  # Export for USB transfer
-  secubox-cloner export /mnt/usb/clone.img.gz
 
 Clone Workflow:
-  1. Master: secubox-cloner build && secubox-cloner serve --start
-  2. Target: Boot via TFTP (U-Boot commands shown after serve)
-  3. Target auto-resizes root and joins mesh
-  4. Master: secubox-cloner list (shows new clone)
+  1. Master: secubox-cloner build --profile core
+  2. Master: secubox-cloner serve --start
+  3. Target: Boot via TFTP (U-Boot commands shown after serve)
+  4. Target auto-resizes root and joins mesh
+  5. Master: secubox-cloner list (shows new clone)
 EOF
 }
 
@@ -914,21 +998,30 @@ case "${1:-}" in
 		shift
 		device_type=""
 		resize=""
+		version="$DEFAULT_VERSION"
+		profile="slim"
 		while [ $# -gt 0 ]; do
 			case "$1" in
 				--device|-d) device_type="$2"; shift 2 ;;
 				--resize) resize="$2"; shift 2 ;;
+				--version|-v) version="$2"; shift 2 ;;
+				--profile|-p) profile="$2"; shift 2 ;;
 				mochabin|espressobin-v7|espressobin-ultra|x86-64) device_type="$1"; shift ;;
+				slim|core|full) profile="$1"; shift ;;
 				*) shift ;;
 			esac
 		done
-		build_image "$device_type" "$resize"
+		build_image "$device_type" "$resize" "$version" "$profile"
 		;;
 
 	devices)
 		list_devices
 		;;
 
+	versions)
+		list_versions
+		;;
+
 	serve)
 		case "${2:-start}" in
 			--start|start) serve_start ;;