Two-report system for SecuBox status reporting:
- Development Status Report: health score, HISTORY.md completions, WIP items, roadmap progress
- Services Distribution Report: Tor hidden services, DNS/SSL vhosts, mesh services
Features:
- CLI: secubox-reportctl generate|send|schedule|status|preview|list|clean
- HTML output with KissTheme dark styling
- Email delivery via msmtp/sendmail with MIME multipart
- UCI configuration for SMTP and scheduling
- Cron integration for automated reports
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hardcoded #fff backgrounds with var(--kiss-bg) dark theme
- Convert all text colors to var(--kiss-text) and var(--kiss-muted)
- Update borders to var(--kiss-line) for consistent styling
- Use color-mix() for transparent accent backgrounds
- Map --sb-* variables to --kiss-* for unified theming
Fixes white background issue on admin dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hardcoded rgba() colors with var(--kiss-purple), var(--kiss-text), var(--kiss-muted)
- Use color-mix() for transparent purple backgrounds and borders in service links
- Consistent styling with KissTheme design system
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --httpaddr 0.0.0.0 to squeezeboxserver startup args
- Set httpaddr in default server.prefs
- Improve DNS config with multiple nameservers and search domain
Fixes Squeezebox devices on WAN network (192.168.1.x) getting
"connection reset by peer" when trying to stream from Lyrion
bound only to LAN IP (192.168.255.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace hardcoded RGBA colors with kiss-badge-green/kiss-badge-red
classes for consistent theming of port status indicators.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Edit, pull, and push Streamlit apps via Gitea:
CLI (slforge):
- edit: Open app source in Gitea web editor
- pull: Pull latest changes from Gitea repo
- push: Commit and push local changes to Gitea
- preview: Generate HTML preview of app
- Auto-creates org/repo on first edit
RPCD (5 new methods):
- gitea_status: Check Gitea connectivity and app repo status
- edit: Get Gitea editor URL for app
- pull: Pull from Gitea to local
- push: Push local changes to Gitea
- preview: Generate preview capture
LuCI (overview.js):
- Gitea status card with connection indicator
- Edit button opens Gitea web editor
- Pull button syncs from remote
- Editor modal for inline editing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- generate_landing() now uses /usr/share/metacatalog/templates/landing.html.tpl
- Fallback to basic inline HTML if template missing
- Enables easier landing page customization
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New scan_haproxy() function indexes HAProxy vhosts as catalog entries
- Skips entries already indexed from MetaBlogizer/Streamlit sources
- Extracts backend, port, SSL/WAF status from UCI config
- Auto-detects content type from backend name (streamlit, metablog, media, cloud)
- Updated cmd_scan to include haproxy source
- Total entries: 120 -> 246
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-metacatalog package:
- RPCD backend with 10 methods (list_entries, list_books, search, etc.)
- ACL permissions for read/write access
- Menu entry under SecuBox
- KISS-themed dashboard with:
  - Stats chips (entries, metablogs, streamlits, books)
  - Virtual books shelf with color-coded cards
  - Entry links to published content
  - Sync button for manual refresh
  - Landing page link
Deployed and tested on router.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic mitmproxy route sync after vhost operations
- Route through WAF by default: sets original_backend for route resolution
- Add --nowaf option to bypass WAF routing if needed
- Prevents missing routes when creating new vhosts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Problem: get_overview RPC was timing out (30s+) due to 12+ sequential
cscli calls with CAPI data, causing "TypeError: can't assign to property
'countries' on 5" in LuCI.
Solution:
- Pre-cached architecture with /tmp/secubox/crowdsec-overview.json
- get_overview() returns cached data instantly (0.08s)
- refresh_overview_cache() runs via cron every minute
- Reduced cscli calls from 12 to 4 (metrics, decisions, alerts, bouncers)
- Extract flat decisions array using jsonfilter
- Manual JSON building to avoid jshn argument size limits
- Add /etc/cron.d/crowdsec-dashboard for periodic refresh
Also includes:
- Streamlit Control: Deploy functionality like metablogizer
- Streamlit Control: Enhanced Security page with WAF/CrowdSec data
- mitmproxy LuCI: Add timeout race to prevent page hang
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- get_installed_apps: Returns installed apps with menu paths and status
- get_kiss_menu: Returns dynamic menu by category (security, system, productivity, media)
- Enables KISS UI to dynamically show installed apps
- Updated ACL to include new methods
Also on router:
- Created rpcd-watchdog service that monitors rpcd every 60s
- Automatically restarts rpcd if luci module fails
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use printf to generate actual escape sequences instead of literal strings
- Fixes colors not rendering in 'secubox help' output
- POSIX sh heredoc doesn't interpret \033 escapes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Custom ASCII art banner with SecuBox branding
- Shows helpful info: CLI help, dashboard URL
- Installed to /etc/banner on device
- Added to conffiles for upgrade preservation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- PeerTube port conflict resolved (9001 → 9002)
- Lyrion moved to port 9000
- Fixed PeerTube database hostname config
- Updated mitmproxy routes for both services
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Without this rule, the build system attempts to run 'make' in the
build directory, which fails because there's no Makefile there.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix get_next_port() to check both uhttpd and metablogizer configs
- Add check-ports command to scan for duplicate port assignments
- Add fix-ports command to auto-assign new ports to duplicates
- Update WIP.md with 2026-03-10 changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WIP.md: Add health check panel and admin routing entries
- HISTORY.md: Add entries #79-80 for health check and WAF routing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_service_health RPCD method to check all HAProxy routes
- Integrate /usr/sbin/service-health-check for backend HTTP probing
- Add health panel in services.js with up/down stats and health %
- Display down services list with tooltips showing IP:port
- Add refresh button for manual health check trigger
- Update ACL with get_service_health read permission
- 5-minute cache for health data with force-refresh option
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- 4-layer architecture visualization (Core, AI, MirrorNet, Certification)
- 22+ features with dependency tracking (dependsOn/usedBy)
- 80+ components with status indicators
- Interactive filters: layer, status, category with localStorage persistence
- Feature cards: click to expand and see full dependencies
- Live RPCD data refresh (60s auto-refresh)
- Standalone HTML page for public access (/dev-status.html)
- ES5 compatible for older browsers
- Milestone timeline to v1.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete module inventory (185 packages across 10 domains)
- 4-layer architecture documentation (Core, AI, MirrorNet, Certification)
- All backend packages and LuCI apps with status indicators
- Production deployment statistics (C3BOX gk2)
- Roadmap to v1.0 with milestones
- CLI quick reference and directory structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add named.conf and named.conf.zones from router
- Add all zone files (maegia.tv, ganimed.fr, secubox.in, etc.)
- Include README with sync instructions
- Fixed zone path in named.conf.zones for LuCI DNS Master compatibility
- Added ganimed.fr zone declaration to BIND config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added Web Terminal (Phase 3) to completed items
- Updated In Progress to Phase 4 (Session Replay)
- Updated Next Up priorities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Integrates ttyd WebSocket terminal into RTTY Remote module:
- New "Web Terminal" menu item in System Hub
- Iframe-based terminal embedding ttyd on port 7681
- Node selector for local/remote terminal access
- Remote node detection (direct ttyd or SSH fallback)
- Fullscreen and refresh controls
- RPCD method: start_terminal for remote node terminal info
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added token-based shared access feature to completed items
- Updated In Progress with Phase 3 (RTTY Terminal)
- Updated Next Up with release prep tasks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements token-based authentication that grants RPC and terminal access
without requiring LuCI credentials. Support technicians can connect using
a short 6-character code.
CLI commands:
- rttyctl token generate [ttl] [permissions]
- rttyctl token list
- rttyctl token validate <code>
- rttyctl token revoke <code>
- rttyctl token-rpc <code> <object> <method> [params]
RPCD methods:
- token_generate: Create support token with TTL
- token_list: List active tokens
- token_validate: Check token validity
- token_revoke: Revoke a token
- token_rpc: Execute RPC with token auth (no LuCI session needed)
LuCI Support Panel:
- Generate code with selectable validity (30m/1h/2h/4h)
- Enter code to connect to remote node
- Token-authenticated RPC execution
- Live token list with copy/revoke actions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
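The token lifecycle listed in the commit above (generate with a TTL, validate, revoke), as an added example that is not SecuBox's rttyctl code: a minimal file-backed store in POSIX sh. TOKEN_DIR, ALPHABET and normalize_code are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: a hypothetical token store, not the rttyctl implementation.
# One file per code under TOKEN_DIR; the file holds the expiry as a Unix timestamp.
TOKEN_DIR="${TOKEN_DIR:-$(mktemp -d)}"      # assumed location, created for the demo
chmod 700 "$TOKEN_DIR"
# 31 symbols without look-alikes (0/O, 1/I/L). 31^6 is about 8.9e8 codes, so the
# caller still has to rate-limit validation attempts.
ALPHABET='ABCDEFGHJKMNPQRSTUVWXYZ23456789'

# token_generate [ttl_seconds]: print a new 6-character code
token_generate() {
    ttl="${1:-3600}"
    case "$ttl" in ''|*[!0-9]*) return 2 ;; esac    # TTL must be digits only
    # tr discards every byte outside ALPHABET, so each symbol is uniformly drawn
    code=$(LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c 6)
    # umask keeps the file private; noclobber (set -C) refuses to reuse a live code
    ( umask 077; set -C; echo $(( $(date +%s) + $ttl )) > "$TOKEN_DIR/$code" ) || return 1
    echo "$code"
}

# Hypothetical helper: upper-case the input, accept exactly six of [A-Z0-9]
normalize_code() {
    c=$(printf '%s' "$1" | LC_ALL=C tr 'a-z' 'A-Z')
    case "$c" in ??????) ;; *) return 1 ;; esac
    case "$c" in *[!A-Z0-9]*) return 1 ;; esac     # also blocks "../" path tricks
    printf '%s' "$c"
}

# token_validate <code>: 0 if the code exists and has not expired
token_validate() {
    code=$(normalize_code "$1") || return 1
    f="$TOKEN_DIR/$code"
    [ -f "$f" ] || return 1
    read -r expiry < "$f"
    if [ "$(date +%s)" -ge "$expiry" ]; then
        rm -f "$f"                                  # purge expired codes on sight
        return 1
    fi
}

# token_revoke <code>: delete a live code so it can no longer be used
token_revoke() {
    code=$(normalize_code "$1") || return 1
    [ -f "$TOKEN_DIR/$code" ] || return 1
    rm -f "$TOKEN_DIR/$code"
}
```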
Local addresses (127.0.0.1, localhost, 192.168.255.1, lan IP) now use
direct ubus call instead of HTTP JSON-RPC, providing full access to
all ubus methods without authentication restrictions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- jshn cannot embed raw JSON in objects, use printf instead
- Return proper {"success":true,"result":{...}} format
- Handle error cases with escaped error messages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix TypeError in support.js: add null checks for DOM elements
- Move menu entries from Services to System Hub (KISS UI)
- Menu paths: admin/secubox/system/system-hub/rtty-remote
- Menu paths: admin/secubox/system/system-hub/support
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Dashboard now includes:
- Authoritative Zones table with View/Dump/Reload actions
- Import Zone modal with domain input
- Zone content viewer with download option
- Secondary DNS providers section
- Add Secondary modal (OVH/Gandi/Cloudflare support)
New RPC calls for zone_list, zone_dump, zone_import, zone_export,
zone_reload, secondary_list, secondary_add, secondary_remove.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove 2>/dev/null from for-loop glob pattern which causes syntax
error in BusyBox ash shell. The [ -f "$zf" ] check handles the
case when no zone files exist.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive zone management for DNS master functionality:
- vortexctl zone list/dump/import/export/reload commands
- Secondary DNS provider configuration (OVH support)
- RPCD methods for LuCI integration
- ACL permissions for new methods
This enables importing zones from external providers (Gandi) and
configuring OVH as secondary DNS with SecuBox as authoritative master.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed 503 errors on crt/git/glances.maegia.tv (missing vhost configs)
- Added mitmproxy routes for 3 domains
- Fixed ganimed.maegia.fr and lldh360.maegia.tv routing
- All 27 maegia domains now operational
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed missing server section in mitmproxy_inspector backend
- Fixed lyrion vhost routing through WAF instead of direct backend
- Fixed jellyfin route IP to container's veth address
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Skip UCI userlists already defined in AUTH_USERLIST_FILE to avoid
  duplicate 'secubox_users' userlist warning
- Fix indentation of nocache http-request rules in _emit_sorted_path_acls
- Use correct ACL names for path-based nocache rules
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- lldh360.maegia.tv: Fixed mitmproxy routes (127.0.0.1 → 192.168.255.1)
- cybaxe.gk2.secubox.in: Changed port from 9000 to 9004 (Lyrion conflict)
- Restored HAProxy config from backup after haproxyctl generate corruption
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>