Wrap for loop with output redirection in subshell for
BusyBox ash compatibility when generating Packages index.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-repo and luci-app-repo to local feed
- Regenerate Packages index
- Update all embedded packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add usign dependency for package signing
- Sign Packages files after generation in repo-sync
- Generate signing keys automatically if not present
- Remove duplicate ACL file (now only in luci-app-repo)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Auto-create repo directories on install
- Detect device architecture and configure customfeeds.conf
- Add prerm script to cleanup on uninstall
- Points opkg to local repo at 192.168.255.1:8888
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove docker/bind-server from ARM (not available)
- Use simpler package set for ARM targets
- Fix rockchip profile name
- Keep x86-64 with full package set
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Download prebuilt packages from release artifacts
- Include 101+ SecuBox modules matching c3box.local production
- Preseed SecuBox core config (appstore, security, diagnostics)
- Configure network: 192.168.200.1 (LAN), DHCP (WAN)
- Include master-link mesh and P2P hub components
- Add fallback install script for post-boot installation
- Increase default disk to 8GB for full suite
- Update RAM recommendation to 2GB minimum
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 'version' input parameter (default: v1.0.0-beta)
- Use C3BOX_VERSION env var for consistent naming
- Artifacts now named: c3box-vm-{version}-{arch}.{format}
- Fix: manual triggers now use correct version in filenames
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- LAN IP changed to 192.168.200.1 (test subnet)
- WAN (br-wan) configured as DHCP client
- Updated banner, docs, and release notes with new IP
- Ready for SecuBox devel beta testing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename workflow to "Build C3Box VM Appliance"
- Update hostname to 'c3box'
- New ASCII banner with C3Box branding
- Update artifact names: c3box-vm-{version}-{arch}
- Update all documentation and release notes
- Config files now in /etc/c3box/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The luci-app-* packages are in package/secubox/, not at the repo root.
Updated the workflow to copy packages from the correct location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt firmware images contain trailing data that gunzip reports
as "trailing garbage" with exit code 2. This is normal and the
extracted image is valid. The fix ignores the warning while still
checking that extraction produced output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New build-secubox-vm.yml for ready-to-use SecuBox VM images
- Uses OpenWrt 24.10.5 (latest stable release)
- Builds VMDK, VDI, QCOW2 formats for all VM platforms
- Includes all SecuBox LuCI packages pre-installed
- Docker support enabled (dockerd, docker-compose)
- Virtio drivers and QEMU guest tools for KVM/Proxmox
- Configurable rootfs size (512MB-4GB)
- Manual dispatch + automatic on version tags
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- luci.mk auto-sets PKG_NAME from directory name
- Skip PKG_NAME check for packages using luci.mk
- PKG_VERSION/PKG_RELEASE are recommended for luci.mk packages
- PKG_LICENSE remains recommended for all packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- PKG_LICENSE is now recommended, not required
- Required: PKG_NAME, PKG_VERSION, PKG_RELEASE
- Warnings are reported but don't fail the build
- Also updated tracking docs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WAF blocked now counts mitmproxy scenario decisions (1031 blocks)
- Removed waf_threats field (redundant with waf_blocked)
- Fixed dashboard to show 3 WAF stats: Bans, Alerts, Blocked
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
UI:
- Clean card grid with colored stat values
- Services status bar (HAProxy, WAF, CrowdSec) with glowing dots
- Two-panel layout for WAF/Security and Connections
- Live clock with pulsing indicator
- Proper KissTheme.wrap() integration
Performance:
- Double-buffer cache at /tmp/secubox/metrics-cache.json
- 30s TTL with async background refresh
- Cron job for periodic cache updates
- Instant RPCD response (no computation on request)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added LuCI Metrics Dashboard to HISTORY.md
- Documented WAF hot-reload discovery
- Updated WIP.md with completed work
- Noted HAProxy health check fix and test site cleanup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy's haproxy_router.py addon already implements hot-reload:
- Checks routes file mtime on every request
- Auto-reloads when file changes
Removed unnecessary mitmproxy restart after adding routes.
Just ensure file permissions are correct (644) for hot-reload to work.
This makes publishing faster and avoids service disruption.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mitmproxy restart after _add_mitmproxy_route() to load new routes
- mitmproxy loads routes at startup only, so restart is required
- Run restart in background to avoid blocking publish command
Also fixed on router:
- Disabled health check for mitmproxy_inspector backend
- HAProxy health check fails because mitmproxy returns 404 for
requests without valid Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed vhost backend from direct metablog_* to mitmproxy_inspector
- Added original_backend tracking for mitmproxy route resolution
- Changed server address from 192.168.255.1 to 127.0.0.1
- Added _add_mitmproxy_route helper for route registration
- Fixed both cmd_publish() and _emancipate_haproxy() functions
This ensures all newly published sites go through WAF inspection
rather than bypassing security checks.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler returns immediately with job_id (~0.04s)
- Background script uses file output to avoid pipe inheritance issues
- LuCI JS polls job_status every 2s until completion
- Uses setsid for proper process detachment
- jsonfilter for reliable parameter parsing
Fixes "Failed to publish" error caused by ubus timeout during
40+ second publish operations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- dropletctl: Remove pipe to grep that blocked on background children
- metablogizerctl: Background HAProxy generate/reload (~90s with 95 certs)
- dpi-lan-collector: Pre-compute flow counts in single pass instead of
spawning grep per client (eliminates broken pipe errors)
Publish time reduced from ~2 min to ~35 seconds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add headless UCI option to use mitmdump instead of mitmweb
- Enable headless by default for WAF (mitmproxy-in) instance
- Increase default memory limit from 256MB to 2GB
- Fix LXC config generation to always recreate on service start
- Fix rootfs check path (/usr/local/bin not /usr/bin)
- Use exec in startup script for proper foreground execution
Headless mode runs mitmdump (CLI) instead of mitmweb (web UI),
saving ~3.3GB RAM while maintaining full WAF functionality.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New heatmap.js component with SVG world map and country centroids
- Colored dots show threat distribution: orange (local), cyan (CAPI), red (WAF)
- Dot size scales logarithmically with threat count (4-20px)
- Hover tooltips show country code and count
- Added geo_local_raw and geo_capi_raw fields to RPCD backend
- CAPI geo extraction from decisions with GeoIP metadata
- CSS styling for heatmap container, dots, and legend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed waf_bans_today to count all mitmproxy-* scenarios instead of
only mitmproxy-waf (which doesn't exist). Now correctly counts
mitmproxy-scanner, mitmproxy-botscan, etc.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Make refresh_cache async to prevent rpcd watchdog kills
- Fix JSON escaping for top_scenarios/countries arrays
- Show decisions as "Active Bans" when alerts_raw is empty
- Display ban expiry time instead of creation time
- Update cron to run cache refresh in background
Fixes LuCI crashes caused by 16s blocking refresh calls.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- alerts_24h now uses local_decisions count instead of empty file
- top_scenarios_raw now extracts from decisions JSON (was parsing CAPI metrics)
- top_countries_raw now correctly parses IsoCode from alerts GeoIP metadata
- Double-buffer caching via cron job already in place
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite smtp-relay/settings.js with proper KISS theme styling
- Rewrite secubox-users/overview.js with proper KISS theme styling
- Use KissTheme.wrap() for consistent dark theme rendering
- Add stat cards with colored values matching mailserver reference
- Add proper form styling with inline CSS variables
- Add NZB tools (SABnzbd, NZBHydra) to KISS menu Downloads
- Add webtorrent to portal tree Downloads category
- Fix portal tree webtorrent pattern
KISS = Keep It Simple Sexy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The updateUI function was incorrectly disabling the Rescan button when
Lyrion was running. Rescan should only be enabled when running.
- Split forEach into separate button handlers
- Start button: disabled when running (correct)
- Rescan button: disabled when NOT running (fixed)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Optimize exposure RPCD: O(n) single-pass awk parsing for vhost_list
and ssl_list (fixes XHR timeout on 200+ vhosts)
- Fix portal tree URLs: Use get_menu_path() to read actual LuCI menu
paths from JSON instead of hardcoded paths
- Add Downloads category to portal tree (torrent, droplet patterns)
- Add new apps to System category (config-vault, reporter, smtp-relay,
rtty, dpi-dual, metacatalog)
- Enhance KISS theme menu: Add Downloads, Monitoring categories
- Fix Lyrion URL: Use HTTPS vhost instead of dynamic port URL
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- QR codes for LuCI access (default, SecuBox router)
- QR codes for GitHub docs and release
- QR codes for Droplet and Streamlit Forge tools
- Default credentials display
- Dark theme matching SecuBox design
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- PROJECT-STATUS-AND-INNOVATION.md: Complete rewrite with current status
- Four-layer architecture documentation
- Punk Exposure three-channel model
- All implemented innovations (AI Gateway, MCP, DPI, etc.)
- Bug bounty scope and attack surface
- VM distribution details
- README.md: Added default VM credentials
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- BETA-RELEASE.md: Complete security testing guide
- Attack surface overview (HAProxy, WAF, LXC, P2P)
- High-value targets and secrets locations
- Known weak points (intentional disclosure)
- Bug bounty scope and reporting guidelines
- Test environment setup (VirtualBox, Docker)
- SECURITY.md: Updated with Hall of Fame and beta info
- README.md: Version bump to 1.0.0-beta
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move Web Interface section to top for visibility
- Always show Open Lyrion Web UI button with dynamic URL
- Display URL text next to button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
