- Nextcloud upgraded from 30.0.17 to 31.0.14
- mailctl firewall_setup now persists UCI rules for mail ports
- All apps updated (mail, tasks, external, spreed/Talk)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add dovecot run directory permission setup
- Add dovenull to dovecot group (fixes login directory access)
- Update HISTORY.md with changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Autoconfig:
- Created config-v1.1.xml (Thunderbird), autodiscover.xml (Outlook),
email.mobileconfig (Apple) for automatic mail client configuration
- Added uhttpd instance on port 8025 to serve autoconfig files
- Added HAProxy backends with waf_bypass for autoconfig domains
- Added mailctl autoconfig-setup and autoconfig-status commands
LuCI Mailserver:
- Added user_repair method for mailbox repair (doveadm force-resync)
- Added repair button to user actions in overview
LuCI Nextcloud:
- Added list_users method to list Nextcloud users
- Added reset_password method for password reset via OCC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backup/restore commands to hexoctl (backup, restore, backup list/delete)
- Add GitHub clone support (hexoctl github clone <url> [instance] [branch])
- Add Gitea push support (hexoctl gitea push [instance] [message])
- Add quick-publish command (clean + build + publish in one step)
- Add 15 new RPCD methods for instance/backup/git management
- Rewrite LuCI dashboard with KISS theme:
- Multi-instance management with status cards
- Instance controls: start/stop, quick publish, backup, editor, preview
- GitHub/Gitea clone modals
- Backup table with restore/delete
- Stats grid: instances, posts, drafts, backups
- Update API with 12 new RPC declarations
- Update ACL with new permissions
Also includes DNS Master app created in previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete rewrite of overview.js with full KISS theme styling
- 4-column stats grid (Status, Users, Storage, SSL)
- Port status cards with visual indicators
- Two-column layout: Users + Aliases tables
- Webmail card with status badge and quick actions
- Connection info panel with server details
- Live polling with 10s refresh
- Added fix_ports, alias_del methods to ACL
- Added Mail Server + Nextcloud to KISS nav sidebar
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Nextcloud production deploy with HAProxy SSL
- WAF rules for Nextcloud & Roundcube CVEs
- Mail client autoconfig DNS and XML endpoint
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added mitmproxy WAF data path fix to WIP.md and HISTORY.md
- RPCD now reads from /srv/mitmproxy-in for correct threat stats
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/
mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler (luci.peertube) with 11 methods: status, start, stop,
install, uninstall, update, logs, emancipate, live_enable,
live_disable, configure_haproxy
- ACL permissions for read (status, logs) and write operations
- Dashboard features:
- Install wizard with features and requirements
- Service status display with access URL
- Live streaming toggle with enable/disable buttons
- HAProxy configuration status
- Emancipate form for public exposure
- Logs viewer with refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Regenerated Packages index with proper Filename fields for all ipk files.
Updated all package versions to latest builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support both "*.domain" and ".domain" wildcard formats in haproxy_router.py
- Sort wildcards by length (longest first) for correct specificity matching
- Add auto-reload: check routes file mtime every 10 requests
- Update metablogizerctl to use mitmproxyctl sync-routes
Also fix luci-app-wazuh api.js to use baseclass.extend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed sdlc.gk2.secubox.in showing GK2 Hub template instead of original
"Les Seigneurs de La Chambre" cinematic presentation
- Restored content via git checkout from preserved history
- Documented Streamlit WebSocket incompatibility with MITM proxy
- All 20 Streamlit apps require waf_bypass for WebSocket functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WAF enabled for Streamlit/MetaBlogizer
- WAF bypass for infrastructure services
- 38 path ACLs with waf_bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Migrated services from Docker to LXC:
- mailserver: Postfix/Dovecot on Alpine (192.168.255.30)
- roundcube: Webmail on Alpine with nginx/PHP (port 8027)
- jellyfin: Media server on Debian (192.168.255.31)
All Docker containers removed, auto-start via /etc/init.d/secubox-lxc
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.
- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
false positives from normal login flows
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- HISTORY.md: Entry #60 documenting GoToSocial v0.17.0 deployment
- WIP.md: Added to Just Completed section
- Includes HAProxy exposure, admin user setup, key fixes
Live at https://social.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: Use network.lan.ipaddr instead of 127.0.0.1 for server address
- service-registry: Same fix for emancipate function
- hexojs: Same fix for HAProxy backend creation
- gotosocial: Switch from LXC to direct execution mode
- v0.18.0 has cgroup bugs, using v0.17.0 instead
- Remove LXC container dependency
- Use /srv/gotosocial for binary and data
- Add proper PID file management
The HAProxy container cannot reach 127.0.0.1 on the host, so all HAProxy
backend servers must use the LAN IP (typically 192.168.255.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add remote device management: scan_network, list_remotes, add_remote,
remove_remote, remote_status, remote_upload, remote_flash RPCD methods
- Add secubox-asu-clone script for on-the-fly firmware generation via
OpenWrt ASU (Attended Sysupgrade) API
- Include full LuCI packages in ASU builds (luci-base, luci-mod-admin-full,
luci-mod-network, luci-mod-status, luci-mod-system, etc.)
- Add partition expansion script (10-expand-rootfs) to use full SD card/eMMC
with proper UUID and boot config handling for both MBR and GPT
- Add robust provisioning script (99-secubox-provision) with network retry,
firewall handling, and SecuBox package installation from local feed
- Use dropbear's dbclient for SSH operations (OpenWrt native)
- Support mochabin, espressobin-v7, espressobin-ultra, x86-64 devices
- Default to OpenWrt version 24.10.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove old secubox-theme and secubox-portal/header dependencies
- Remove external dashboard.css stylesheet
- Replace ndpid/api with direct RPC declarations
- Use KISS classes (kiss-card, kiss-stat, kiss-table, kiss-badge, kiss-btn)
- Add consistent navigation tabs
- Add poll toggle for auto-refresh control
- Use CSS variables (--kiss-blue, --kiss-green, --kiss-muted, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Convert packages string to proper JSON array format
- Add -dnsmasq to avoid conflict with dnsmasq-full
- Add rootfs_size_mb: 512 for larger package sets
- Trim default packages to fit in standard rootfs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support building images for: mochabin, espressobin-v7, espressobin-ultra, x86-64
- New CLI: secubox-cloner build --device espressobin-v7
- New CLI: secubox-cloner devices (list supported devices)
- RPCD: list_devices method, build_image accepts device_type param
- LuCI: Device selection dropdown in build modal
- LuCI: Device column in images table with badges
- Each device type has its own TFTP image file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Dashboard with status cards: device, TFTP, tokens, clones
- Quick actions: Build Image, Start/Stop TFTP, Token generation
- Clone images table with size and TFTP-ready status
- Token management with auto-approve option
- U-Boot flash commands display when TFTP is running
- RPCD handler with 10 methods for full cloner management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy multi-domain SSL certificate matching issue
- Document crt-list solution for SNI issues
- Minor updates to settings and streamlit readme
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New "🚀 Devel" tab with live GitHub commit activity (1-min cache)
- Metrics: Commits Today, This Week, Contributors, Stars
- Commit type distribution (feat/fix/docs/refactor/chore)
- Recent commits list with hash, message, author, relative time
- Repository stats: forks, watchers, open issues
- Cyberpunk-themed commit cards with color-coding
- Pulsing live indicator animation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed port conflict (console 8515, yijing360 8521)
- Deployed yijing-360.zip with generator.py
- Emancipated at yijing360.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All 4 phases implemented:
- Stats collectors with 17 JSON cache files
- Landing page JSON symlinks for gk2.secubox.in
- Widget Fabricator with live data
- Full integration verified
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Secondary domain for La Livrée d'Hermès gallery
- OVH DNS + Let's Encrypt SSL
- Same backend as lldh.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fabricator pages now use actual UCI/JSON data (bfd2ed7c)
- La Livrée d'Hermès gallery deployed with YouTube music
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add extract_zip_flatten() to Streamlit RPCD for nested ZIP handling
- Add bot whitelist to mitmproxy WAF (Facebook, Google, Bing crawlers)
- Skip threat detection for whitelisted legitimate crawlers
- Track Fabricator app and stats evolution in HISTORY.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create cyberpunk-style End of Internet page for unknown domains
- Add http-request UCI option support in haproxyctl generator
- Support path rewriting backends with http-request set-path
- Configure end_of_internet as default backend for both frontends
- Update docs with HAProxy enhancements (entry #59)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HISTORY.md entry #49: CrowdSec Dashboard Cache & Control Panel Fixes
- CrowdSec Overview Collector v4 with background JSON cache
- RPCD fast path reading from cache first
- mitmproxy Local IP "Green Known" patch
- Control Panel file compatibility symlinks
- Update WIP.md Just Completed section with today's changes
- Renumber entries 50-57 in HISTORY.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Milestone 54:
- Triple-pulse LED heartbeat with staggered cascade (BusyBox-compatible)
- Streamlit emancipate command for KISS ULTIME MODE exposure
- Evolution dashboard real-time upgrade with auto-refresh
- SecuBox Console app live at console.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add entry 52 to HISTORY.md for Postfix/Dovecot path alignment
- Update WIP.md with fix details under completed items
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `metablogizerctl emancipate <name>` command for one-command full
exposure workflow:
1. DNS A record via dnsctl (Gandi/OVH based on availability)
2. Vortex DNS mesh publication
3. HAProxy vhost with SSL/ACME enabled
4. SSL certificate request (webroot mode)
5. Zero-downtime HAProxy reload
Usage:
metablogizerctl create myblog blog.example.com
metablogizerctl emancipate myblog
Bump version to 1.1.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- BIND zone was returning internal IP (192.168.255.1) instead of public IP
- Added IPv6 AAAA records to BIND zone and Gandi DNS
- Fixed nftables forward_wan chain blocking DNAT'd mail traffic
- Added mail port forwarding rules for both IPv4 and IPv6
- Documented Free ISP inbound port 25 blocking issue
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add init.d script for daemon mode with procd integration
- Update Makefile to install init script
- Add packages to bonus feed (secubox-vortex-dns, luci-app-vortex-dns)
- Update tracking files with completion status
Features:
- Master/slave hierarchical DNS delegation
- Wildcard domain management (*.domain)
- First Peek auto-registration of services
- Gossip-based exposure config sync via secubox-p2p
- Submastering for nested hierarchies
- LuCI dashboard with mode detection and action buttons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Firewall DNAT rules were redirecting ALL port 993/587/465 traffic
to local mailserver, blocking external mail server connections.
Fix: Add -i $WAN_IF to only redirect inbound WAN traffic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine Linux's Postfix is compiled with LMDB support, not BerkeleyDB
hash support. This caused "Temporary lookup failure" errors on send.
Changes:
- Changed virtual_alias_maps and virtual_mailbox_maps to lmdb: prefix
- Copy resolv.conf to Postfix chroot for DNS resolution
- Added `mailctl fix-postfix` command to repair existing installations
Root cause: virtual_alias_maps was configured as hash:/etc/postfix/virtual
but the hash map type is not supported on Alpine, only lmdb.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-backup: Unified backup for LXC containers, UCI config, services
- luci-app-backup: KISS dashboard with container list and backup history
- secubox-app-mailserver: Custom Postfix+Dovecot in LXC with mesh backup
Enhanced dnsctl with:
- generate: Auto-create subdomain A records
- suggest: Name suggestions by category
- mail-setup: MX, SPF, DMARC record creation
- dkim-add: DKIM TXT record management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-threat-analyst: AI-powered threat analysis with CrowdSec integration
- luci-app-threat-analyst: LuCI dashboard for threat intelligence
- secubox-dns-guard: DNS security monitoring and blocking
- secubox-mcp-server: Model Context Protocol server for AI assistant integration
Enhancements:
- dns-provider: Add DynDNS support (dyndns, get, update, domains commands)
- gandi.sh: Full DynDNS with WAN IP detection and record updates
- luci-app-dnsguard: Upgrade to v1.1.0 with improved dashboard
Infrastructure:
- BIND9 DNS setup for secubox.in with CAA records
- Wildcard SSL certificates via DNS-01 challenge
- HAProxy config fixes for secubox.in subdomains
- Mail server setup with Roundcube webmail
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Build and add secubox-app-mac-guardian_0.5.0-r1_all.ipk
- Build and add luci-app-mac-guardian_0.5.0-r1_all.ipk
- Sync luci-app-mac-guardian to local-feed for SDK building
- Update apps-local.json catalog with proper metadata:
- Category: security, Icon: wifi
- Descriptions for frontend and backend packages
- Rebuild all bonus feed packages
Package features:
- WiFi MAC address spoofing detection
- OUI anomaly detection for device fingerprinting
- MAC flood protection via hotplug.d integration
- CrowdSec scenarios for automated threat response
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add animated "Collecting data..." overlay with pulsing dots during
5-second chart warmup period
- Chart legend transitions from "Waiting" to "Live" when data arrives
- Add formatBits() helper for network rate display (Kbps/Mbps/Gbps)
- Network rates now use SI units (bits) instead of bytes
- Cyberpunk theme support for empty state styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SecuNav.renderTabs() now automatically initializes theme and loads CSS,
eliminating boilerplate from views. Added renderCompactTabs() for nested
modules and renderBreadcrumb() for back-navigation.
Updated module navs: cdn-cache, client-guardian, crowdsec-dashboard,
media-flow, mqtt-bridge, system-hub. Removed ~1000 lines of duplicate CSS.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch from Docker to LXC with Debian bookworm rootfs and native
Domoticz binary from GitHub releases (latest/download pattern)
- Fix LXC cgroup2 terminal allocation: add lxc.tty.max, lxc.pty.max,
cgroup2 device permissions for standard char devices, disable seccomp
- Fix PID 1 issue: run domoticz as child process with signal forwarding
- Use quoted heredoc with sed placeholders for start script generation
- Update LuCI view: Docker → LXC references, add memory usage display
- Remove Docker image UCI option, update catalog runtime to "lxc"
- Fix streamlit LXC config: same cgroup2/terminal/seccomp fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-domoticz package with RPCD handler (12 methods), LuCI overview
(status, IoT integration, MQTT, HAProxy, mesh, logs), and full service lifecycle.
Enhanced domoticzctl with configure-mqtt (auto Mosquitto+Z2M bridge), configure-haproxy,
backup/restore, mesh-register, and uninstall commands. UCI extended with mqtt/network/mesh
sections. Catalog updated with LuCI package and IoT tags. MirrorNetworking strategic
document noted in planning files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The z2m 2.x breaking changes required three fixes discovered during
live deployment testing on the router:
- Adapter renamed from `ezsp` to `ember` in zigbee-herdsman 4.0.0
- Config format needs `version: 4` and nested `homeassistant.enabled`
- Start script needs `ZIGBEE2MQTT_DATA` env var for correct config path
- Add `mosquitto-nossl` as package dependency (MQTT broker required)
- Direct `/dev/ttyUSB0` passthrough works; socat TCP bridge does not
Also updates project planning files (HISTORY.md, TODO.md, WIP.md,
CLAUDE.md) and rebuilds bonus feed with latest IPKs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker-based Jellyfin media server with UCI config (port, image, media
paths, GPU transcoding), procd init, jellyfinctl CLI, and LuCI frontend
with status/config/logs view.
Also adds Punk Exposure Engine architectural README documenting the
Peek/Poke/Emancipate service exposure model and DNS provider API
roadmap. CLAUDE.md updated with architectural directive.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix ZIP upload: install unzip dependency, fix empty array check
(jsonfilter returns "[ ]" not "[]"), redirect unzip stdout to
prevent JSON corruption, use readAsArrayBuffer instead of
deprecated readAsBinaryString, add .catch() error handler
- Fix list_apps to scan subdirectories for ZIP-uploaded apps,
skip Streamlit pages/ convention dir, prefer app.py as entry point
- Fix set_active_app: replace broken streamlitctl call with direct
UCI update
- Fix remove_app: replace broken streamlitctl call with direct
file removal and UCI cleanup
- Fix add_app: replace broken streamlitctl call with direct UCI
- Add rename_app and rename_instance RPCD methods with ACL entries
- Activate now auto-creates an instance with next available port
- Apps list shows UCI display name separate from filesystem ID
- Sanitize uploaded filenames for UCI compatibility
- Add rename buttons and modals for apps and instances
- Add error notifications for failed deletes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Share CrowdSec bans and mitmproxy detections between mesh nodes using
the existing blockchain chain + gossip sync. Received IOCs from trusted
peers are auto-applied as CrowdSec decisions based on a three-tier trust
model (direct/transitive/unknown).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use >/dev/null 2>&1 instead of just 2>/dev/null when sourcing
master-link.sh and calling chain_add_block, mesh_init, peer_add,
factory_trust_peer, and gossip_sync to prevent p2p-mesh.sh usage
text and block hashes from corrupting CGI JSON responses.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Read LXC path from /etc/lxc/lxc.conf instead of hardcoding /var/lib/lxc
(OpenWrt uses /srv/lxc by default)
- Skip Alpine rootfs download if file already exists in /tmp
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The settings page was showing "CAPI: Error" because the status
method didn't return the capi_enrolled field. Added CAPI status
check to get_status() so the health display shows correct status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace pipe-to-while loops with grep/cut to avoid subshell variable
scope issues in method_status, method_get_providers, and method_set_provider.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy → mitmproxy → Backend inspection chain for filtering
all vhost traffic through mitmproxy with threat detection
- Add haproxy_router.py addon for Host-based request routing
- Add mitmproxyctl commands: sync-routes, haproxy-enable, haproxy-disable
- Add auth token to status response for Web UI auto-authentication
- Add HAProxy Backend Inspection section to LuCI status page with
enable/disable/sync controls
- Add HAProxy Router settings section to LuCI settings page
- LXC container now supports dual-port mode (8888 + 8889 for HAProxy)
- Token displayed with copy button in dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Distributed service registry with HAProxy vhost discovery
- Multi-endpoint URLs (haproxy/mesh/local) per service
- DNS federation for mesh peers (*.sb.local via dnsmasq)
- Catalog tab with service filtering and QR codes
- Linked peers navigation panel
- Tools panel with DNS management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hardcoded port 8180 with dynamic detection from credentials file
- Extract LAPI port from local_api_credentials.yaml URL
- Convert port to hex for /proc/net/tcp lookup
- Fix GeoIP database path detection (check /srv/crowdsec/data and /var/lib)
- Update default API URL fallback to 8090 (actual CrowdSec default)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When a site's DNS doesn't point to our public IP, skip the external
HTTP check to avoid 5-second timeouts. This significantly speeds up
the get_hosting_status API call which was causing XHR timeouts in
the LuCI frontend.
Sites with DNS mismatch now show frontend_status: "dns_mismatch"
instead of timing out.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash does not support 'local' keyword outside of functions.
Removed 'local' from update_vhost case handler to fix "not in a function"
error that caused ubus calls to fail with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Migrate from nginx to Squid proxy for better caching
- Add aggressive caching rules for Windows Update, Linux repos, Steam, Apple
- Proper firewall integration via UCI (transparent proxy)
- Real-time stats from Squid access logs
Network Modes:
- Complete UI rework with MirrorBox dark theme
- 9 network modes with emojis and descriptions
- Dynamic CSS animations and modern styling
Fixes:
- Fix jshn boolean handling in secubox-recovery (1/0 vs true/false)
- Fix nDPId RPCD to use netifyd as fallback DPI provider
- Update media-flow and security-threats dashboards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Installs all packages from the local feed in dependency order:
1. secubox-core and secubox-app (base)
2. secubox-app-* backend packages
3. luci-app-* frontend packages
4. luci-theme-* themes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The OpenWrt SDK automatically adds libc as a dependency to all packages,
even pure shell/JavaScript packages that don't need it. This causes
opkg installation failures when the local feed version of libc doesn't
match the router's installed version.
Solution: Add PKG_FLAGS:=nonshared to Makefiles of arch-independent
packages (secubox-core, luci-app-secubox-admin, secubox-app-bonus).
This tells the build system these packages don't link against libc.
Changes:
- secubox-core: 0.10.0-r6 → r7 with PKG_FLAGS:=nonshared
- luci-app-secubox-admin: 1.0.0-r17 → r18 with PKG_FLAGS:=nonshared
- secubox-app-bonus: 0.3.0-r1 → r2 with PKG_FLAGS:=nonshared
- Regenerated Packages index without libc dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add four major features to enhance SecuBox AppStore:
1. Feed Source Management:
- Feed types: published, unpublished, development
- Share tokens for private feed access
- CLI: secubox feed list/add/share/import
- LuCI: Feed type badges and share URLs in catalog-sources
2. Profile Export/Import:
- Export configurations with feed sources embedded
- Import from URL or file with merge/replace modes
- CLI: secubox profile export/import/share
- LuCI: New profiles.js view with export/import dialogs
3. Skill System:
- Capability discovery from module catalogs
- Quality indicators based on provider count
- CLI: secubox skill list/providers/install/check
- LuCI: New skills.js view with provider browser
4. Feedback Loop:
- Issue reporting and resolution tracking
- Search existing resolutions
- CLI: secubox feedback report/resolve/search/list
- LuCI: New feedback.js view for knowledge base
Technical changes:
- RPCD backend with 17 new API methods
- POSIX shell compatibility fixes (ESC via printf, tr A-Z a-z)
- LuCI menu entries for new views
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove all LuCI dependencies (luci-base, rpcd, luci-lib-jsonc)
- Remove LuCI-specific files (RPCD backend, ACL, menu, JS views)
- Package now only provides local opkg feed and documentation
- Remove Packages.sig to avoid signature verification errors
- Update local-build.sh to skip signature generation for local feeds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move 9 service apps from admin/secubox/services/ to admin/services/:
- localai, lyrion, magicmirror2, mailinabox, mmpm
- nextcloud, ollama, vhost-manager, mitmproxy
Services now appear under standard LuCI Services menu for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove expect clause from RPC declarations to get raw response
- Add proper error handling with catch blocks for all RPC calls
- Fix landing page generator to chmod 644 after generation
- Fixes "No Services Found" issue in dashboard
- Fixes "Forbidden" error when accessing landing page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- README.md: Update to v0.16.0 with all 38 modules categorized
- CHANGELOG.md: Create comprehensive changelog (v0.12.0-v0.16.0)
- CLAUDE.md: Add toolchain build rules for Go/CGO packages
- secubox-tools/README.md: Add SDK vs toolchain build guidance
- TODO-ANALYSE.md: Mark completed tasks, update health score
- HISTORY.md: Document ARM64 toolchain discovery, multi-instance
- dev-status-widget.js: Update stats (38 modules, 1500 commits)
SDK builds produce LSE atomics that crash on some ARM64 CPUs.
Go/CGO packages (crowdsec, netifyd) must use full toolchain.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Instances tab to LuCI Streamlit dashboard
- RPCD backend: list/add/remove/enable/disable instances
- API module: instance management methods
- UI: Instance table with status, port, enable/disable/remove actions
- Add Instance form with app selector and auto port assignment
- Apply & Restart button to apply instance changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The -x flag requires exact process name match which doesn't work
reliably on OpenWrt/BusyBox. Removed -x from all pgrep calls in:
- luci-app-bandwidth-manager
- luci-app-secubox-security-threats
- luci-app-auth-guardian
- luci-app-media-flow
- luci-app-vhost-manager
- luci-app-network-modes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New LuCI application for Ollama management:
- Dashboard with service status and controls
- Model management (pull, remove, list)
- Chat interface with model selection
- Settings page for configuration
Files:
- RPCD backend (luci.ollama)
- Dashboard, Models, Chat, Settings views
- ACL and menu definitions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add runtime_is_working() to verify daemon connectivity
- Falls back to standalone binary with helpful message if daemon not running
- Provides hint: /etc/init.d/dockerd start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
werkzeug 3.0+ removed url_quote from werkzeug.urls which breaks
Flask imports in mitmproxy 8.1.1.
Bump release to r5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt all luci-app-* and secubox-app-* packages for aarch64-cortex-a72
- Updated local-build.sh with FORCE=1 to bypass rsync prereq check
- Removed packages that failed SDK build (require full buildroot)
- Updated Packages index and apps-local.json manifest
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add embed_local_feed() to local-build.sh that copies built packages
into bonus app as /www/secubox-feed/ for offline installation
- Generate Packages index and apps-local.json manifest for opkg
- Add RPCD backend (luci.secubox-store) for package install/remove
- Add LuCI view for browsing and managing local packages
- Fix OPENWRT_ONLY_PACKAGES to allow secubox-app-* wrappers in SDK build
- Remove experimental python3-* packages (unfinished mitmproxy native plan)
- Set rootfs partition size to 16GB for larger overlay
- Bump luci-app-secubox-bonus to v0.2.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OpenWrt .config for mvebu/cortexa72 target
- Update .gitignore
- Update Claude settings
- Minor portal.js update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix Client Guardian JS files: replace invalid 'require X as Y' syntax
with direct RPC declarations (LuCI doesn't support as alias)
- Add factory default profile to Client Guardian profiles.json
- Redesign Netifyd devices page with modern card-based UI:
- Device type detection with emoji icons
- Gradient summary cards for stats
- Responsive grid layout
- Traffic distribution bars
- Real-time refresh with pulse animation
- Fix Netifyd RPC calls: use correct luci.secubox-netifyd object name
- Add WAN access control feature to secubox-admin
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed form sections from type 'secubox' to match actual UCI config
- General/Dashboard/Module/Notification sections now use type 'core'
- Alert Thresholds section now uses type 'diagnostics'
- Security Settings section now uses type 'security'
- Advanced Settings section uses type 'core'
- Fixes "This section contains no values yet" errors
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Major achievements:
- Successfully built CrowdSec 1.7.4-r2 (81MB) for aarch64_cortex-a72
- Netifyd 5.2.1-r1 confirmed working with all fixes
- Both packages built with OpenWrt 24.10.5 buildroot
CrowdSec Build:
- Full Go 1.23 compatibility with vendored modules
- Staged all required golang.org/x/* dependencies
- Fixed go.mod directives for OpenWrt toolchain
- Includes crowdsec engine + crowdsec-cli (cscli)
- Complete configuration files and init scripts
Netifyd Status:
- 5.2.1 package with GCC 13.3/C++17 fixes operational
- LuCI dashboard v1.0.2 with working metrics
- Native status.json integration confirmed
Build System Updates:
- Enhanced local-build.sh for OpenWrt-only packages
- Improved package sync and build workflow
- Updated Makefiles for consistency
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Our SecuBox packages are PKGARCH:=all (pure scripts) and don't require
Lua headers or lucihttp compilation. The Lua header installation step
was causing premature compilation attempts of lua/lucihttp which failed
due to API incompatibility between lucihttp (Lua 5.1 API) and lua5.4.
Changes:
- Removed "Install Lua headers" step from GitHub Actions workflow
- Removed Lua header installation from local-build.sh (2 instances)
- Packages will use prebuilt dependencies as intended
- lucihttp/cgi-io remain disabled in .config
This resolves the lualib.h missing error by avoiding the compilation
entirely rather than trying to fix header paths.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The previous fix only installed Lua via feeds but didn't compile it,
so lua.h headers were still missing from staging_dir. This caused
all LuCI packages to fail compilation with:
fatal error: lua.h: No such file or directory
Root cause: ./scripts/feeds install lua only adds the package to the
build system but doesn't compile it or install headers to staging_dir.
Solution:
1. Install lua package via feeds
2. Enable lua in .config with CONFIG_PACKAGE_lua=m
3. Compile lua package: make package/lua/compile
4. This installs lua.h and other headers to staging_dir/target-*/usr/include/
5. Verify headers are present before continuing
Changes:
- GitHub Actions: Update "Install Lua" step to compile package
- local-build.sh: Update both Lua installation sections (2 places)
- Both: Add verification that lua.h exists in staging_dir
This ensures lucihttp and all LuCI packages can find Lua headers
during compilation, preventing the SDK build failures.
Related: f5c98d9 (previous incomplete fix)
Fixes: #lucihttp-missing-headers
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
