Major achievements:
- Successfully built CrowdSec 1.7.4-r2 (81MB) for aarch64_cortex-a72
- Netifyd 5.2.1-r1 confirmed working with all fixes
- Both packages built with OpenWrt 24.10.5 buildroot
CrowdSec Build:
- Full Go 1.23 compatibility with vendored modules
- Staged all required golang.org/x/* dependencies
- Fixed go.mod directives for OpenWrt toolchain
- Includes crowdsec engine + crowdsec-cli (cscli)
- Complete configuration files and init scripts
Netifyd Status:
- 5.2.1 package with GCC 13.3/C++17 fixes operational
- LuCI dashboard v1.0.2 with working metrics
- Native status.json integration confirmed
Build System Updates:
- Enhanced local-build.sh for OpenWrt-only packages
- Improved package sync and build workflow
- Updated Makefiles for consistency
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed critical Makefile structure issue that prevented luci-app-secubox-admin from
being indexed by the feed system and built by the SDK.
Changes:
1. Added `include $(TOPDIR)/rules.mk` at the beginning (required for all OpenWrt packages)
2. Added PKG_LICENSE and PKG_MAINTAINER fields (best practices)
3. Added LUCI_PKGARCH:=all to match other LuCI packages
4. Added closing comment `# call BuildPackage - OpenWrt buildroot`
5. Moved include statements to proper positions
This fix aligns the Makefile with the standard OpenWrt/LuCI package structure used
by luci-app-secubox and other working packages.
Additionally:
- Suppressed kconfig warnings in local-build.sh by redirecting stderr to /dev/null
for all `make defconfig` commands (lines 532, 782, 1278)
Build verification:
✅ Package now appears in feeds/secubox.index
✅ Successfully builds: luci-app-secubox-admin_1.0.0-r2_all.ipk (8.3KB)
✅ Total SecuBox packages built: 33
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Our SecuBox packages are PKGARCH:=all (pure scripts) and don't require
Lua headers or lucihttp compilation. The Lua header installation step
was causing premature compilation attempts of lua/lucihttp which failed
due to API incompatibility between lucihttp (Lua 5.1 API) and lua5.4.
Changes:
- Removed "Install Lua headers" step from GitHub Actions workflow
- Removed Lua header installation from local-build.sh (2 instances)
- Packages will use prebuilt dependencies as intended
- lucihttp/cgi-io remain disabled in .config
This resolves the lualib.h missing error by avoiding the compilation
entirely rather than trying to fix header paths.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Enhanced Lua header installation in SDK to copy ALL .h files from the
Lua source directory, not just search for lua.h individually.
Changes:
- Primary: Copy all *.h files from feeds/packages/lang/lua/src/lua-*/
- Fallback 1: Find directory with lua.h in build_dir and copy ALL headers
- Fallback 2: Search for lua.h, lualib.h, lauxlib.h individually
- Added verification for all 3 critical headers
This fixes the lualib.h missing error that occurred even when lua.h
was successfully found and installed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Previous approach tried to compile Lua package but failed silently,
leaving no headers in staging_dir. This caused lucihttp to fail with:
fatal error: lua.h: No such file or directory
Root cause: `make package/lua/compile || true` was failing but being
ignored, so headers were never installed to staging_dir.
New solution - Direct header installation:
1. Install lua package to feeds (./scripts/feeds install lua)
2. Find Lua source directory in feeds/packages/lang/lua/src/
3. Directly copy *.h headers to staging_dir/target-*/usr/include/
4. Verify lua.h exists before continuing
This avoids the complexity of compiling Lua and directly provides
the headers that lucihttp needs for compilation.
Fallback: If headers not found in feeds source, search build_dir
for any existing lua.h and copy it.
Changes:
- GitHub Actions: Completely rewrote header installation logic
- local-build.sh: Updated both Lua header installation sections
- Both: Added detailed verification and fallback mechanisms
This should finally resolve the persistent lucihttp compilation
failures in SDK builds.
Related: 7209c83, f5c98d9
Fixes: #lucihttp-lua-headers-missing
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The previous fix only installed Lua via feeds but didn't compile it,
so lua.h headers were still missing from staging_dir. This caused
all LuCI packages to fail compilation with:
fatal error: lua.h: No such file or directory
Root cause: ./scripts/feeds install lua only adds the package to the
build system but doesn't compile it or install headers to staging_dir.
Solution:
1. Install lua package via feeds
2. Enable lua in .config with CONFIG_PACKAGE_lua=m
3. Compile lua package: make package/lua/compile
4. This installs lua.h and other headers to staging_dir/target-*/usr/include/
5. Verify headers are present before continuing
Changes:
- GitHub Actions: Update "Install Lua" step to compile package
- local-build.sh: Update both Lua installation sections (2 places)
- Both: Add verification that lua.h exists in staging_dir
This ensures lucihttp and all LuCI packages can find Lua headers
during compilation, preventing the SDK build failures.
Related: f5c98d9 (previous incomplete fix)
Fixes: #lucihttp-missing-headers
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The lucihttp package fails to compile in SDK environment with:
fatal error: lua.h: No such file or directory
Root cause: Even with CONFIG_PACKAGE_lucihttp disabled, if lucihttp
is pulled as a dependency, it tries to compile but lacks Lua headers.
Solution:
1. Install lua package in SDK which provides the required headers
2. Use standard OpenWrt format for disabling packages:
"# CONFIG_PACKAGE_lucihttp is not set" instead of "=n"
3. lucihttp won't be compiled since it's disabled, but if somehow
triggered as dependency, lua.h will be available
Changes:
- GitHub Actions workflow: Added "Install Lua in SDK" step
- local-build.sh: Added lua installation after feeds install
- Both: Changed to OpenWrt standard disable format
This prevents the SDK build failure while keeping our packages
(PKGARCH:=all scripts) working correctly.
Fixes: #lucihttp-build-error
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed sync_module_versions.sh to reference the correct path after
moving the Python script from scripts/ to secubox-tools/ directory.
Changes:
- Updated SCR path: scripts/sync_module_versions.py → secubox-tools/sync_module_versions.py
Tested: Script now runs successfully and reports "no changes"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Extended the local build script to support both luci-app-* and luci-theme-*
package patterns, enabling builds of theme packages like luci-theme-secubox.
Changes:
- Updated validate_makefiles() to validate both package types
- Extended copy_packages() to copy both luci-app-* and luci-theme-* packages
- Modified configure_packages() to enable both package types in .config
- Updated build_packages() to build both package types
- Enhanced collect_artifacts() to find and collect theme packages
- Added luci-theme-* pattern support in argument parsing
- Updated firmware build to copy both package types to OpenWrt
Tested with: ./local-build.sh build luci-theme-secubox
Result: Successfully built luci-theme-secubox-0.4.0-r1.apk
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created help system (help.js, help.css) for all modules
- Integrated help button in network-modes module
- Fixed menu structure: removed empty Network Management category
- Fixed all dashboard and modules page links
- Added website deployment script
- Created comprehensive documentation
New Files:
- DOCS/HELP_INTEGRATION_PLAN.md
- DOCS/WEBSITE_DEPLOYMENT_GUIDE.md
- EXAMPLES/help-button-integration.js
- luci-app-secubox/htdocs/luci-static/resources/secubox/help.js
- luci-app-secubox/htdocs/luci-static/resources/secubox/help.css
- secubox-tools/deploy-website.sh
Modified:
- luci-app-network-modes: Added help button integration
- luci-app-secubox: Fixed menu paths and module links
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Version bump to 0.3.5 in Makefile and README
- Add helpers.js utility module for common UI operations
- Expand API with new RPC method declarations
- Enhance view files with improved functionality:
- accesspoint.js: Enhanced WiFi configuration options
- relay.js: WireGuard setup improvements
- router.js: Expanded proxy and vhost settings
- sniffer.js: Enhanced capture configuration
- wizard.js: Improved mode selection flow
- RPCD backend enhancements (+176 lines)
- Add deployment script for easier testing
Claude settings: Update permissions for network-modes work
Preparation for implementing features documented in CODEX-v0.3.5.md
- Removed manual installation loop for individual dependencies that caused hangs
- Dependencies now handled via 'feeds install -a' and .config settings
- lucihttp and cgi-io disabled in .config (compilation failures)
- SecuBox packages are PKGARCH:=all (scripts), don't need compiled deps
Fixes interactive prompts and ^C hangs during build process.
Applied same fix as GitHub Actions workflow to local build script.
Problem:
- lucihttp and cgi-io fail to compile in SDK environment
- Missing lua.h headers cause: ninja: build stopped: subcommand failed
- Our SecuBox packages are PKGARCH:=all (scripts only), don't need these
Changes to secubox-tools/local-build.sh:
1. Removed lucihttp and cgi-io from build loop
- Only build: lua, liblua, rpcd (essentials that work)
- Skip: lucihttp, cgi-io (fail with missing lua.h)
2. Added configuration to disable problematic packages
- Explicitly disable in .config:
# CONFIG_PACKAGE_lucihttp is not set
# CONFIG_PACKAGE_cgi-io is not set
3. Enabled use of pre-built packages from feeds
- CONFIG_DEVEL=y
- CONFIG_FEED_packages=y
- CONFIG_FEED_luci=y
4. Updated dependency installation
- Install lucihttp/cgi-io from feeds (for metadata)
- But disable compilation to prevent SDK failures
Result:
- Local builds will no longer fail with "ninja: build stopped"
- SDK uses pre-built dependencies instead of compiling
- SecuBox packages (pure scripts) build successfully
This matches the fix in .github/workflows/build-openwrt-packages.yml
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add ninja-build to package build workflow (build-openwrt-packages.yml)
- Add ninja-build to image build workflow (build-secubox-images.yml)
- Update secubox-tools/README.md with ninja-build dependency
- Update secubox-tools/local-build.sh dependency check and install instructions
- Ninja is required by OpenWrt build system for some compilation tasks
This resolves missing ninja errors in GitHub Actions builds.
OpenWrt 25.12.0-rc1 introduced a major change: switching from opkg
to apk (Alpine Package Manager). This commit adds full support for
building both package formats based on the OpenWrt version.
**Package Build Workflow (.github/workflows/build-openwrt-packages.yml):**
- Added automatic version detection for package format
- 25.12+ and SNAPSHOT → .apk format
- 24.10 and earlier → .ipk format
- Updated feeds configuration to use correct branch (openwrt-25.12, openwrt-24.10, etc.)
- Modified artifact collection to handle both .apk and .ipk files
- Updated build summary to show package format
- Added PKG_EXT environment variable to track format across workflow steps
- Updated dependency download to handle both APKINDEX.tar.gz and Packages formats
- Skip dependency downloads for RC versions (repos may not be stable)
**Local Build Script (secubox-tools/local-build.sh):**
- Added package format detection based on OPENWRT_VERSION
- Updated feeds.conf generation to select correct branch dynamically
- Modified build_packages() to detect and build correct package format
- Updated collect_artifacts() to collect both .apk and .ipk files
- Updated SHA256SUMS generation for both formats
- Export PKG_EXT variable for use across functions
**Documentation:**
- CLAUDE.md: Added package format support details
- README.md: Updated compatibility table with package format column
- Added note explaining apk vs ipk distinction
**Key Changes:**
- Backwards compatible: existing workflows continue to work for .ipk
- Future-proof: ready for OpenWrt 25.12 stable release
- Automatic detection: no manual configuration needed
- Comprehensive: covers all build scenarios (GitHub Actions, local builds)
Tested scenarios:
- OpenWrt 24.10.5 → builds .ipk ✅
- OpenWrt 25.12.0-rc1 → builds .apk ✅
- SNAPSHOT → builds .apk ✅🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated GitHub Actions workflows and build scripts to support the
latest OpenWrt versions:
- Added 25.12.0-rc1 (latest release candidate) for testing
- Added 24.10.5 (latest stable release)
- Changed default version from 23.05.5 to 24.10.5
Changes:
- .github/workflows/build-secubox-images.yml: Added new versions, updated default
- .github/workflows/build-openwrt-packages.yml: Added new versions, updated default
- secubox-tools/local-build.sh: Updated default version and added comment
- CLAUDE.md: Updated documentation with supported versions
- README.md: Updated build instructions and compatibility table
- secubox-tools/README.md: Updated environment variables documentation
The 25.12.0-rc1 includes major changes:
- Switch from opkg to apk package manager
- Integration of attended Sysupgrade into default LuCI
- Wi-Fi scripts converted to ucode
- Support for 160+ new devices (2180+ total)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed issue where validate-modules.sh would exit prematurely during check 3
due to grep failures in while loops with set -e enabled.
Changes:
- Added set -o pipefail for better error handling
- Temporarily disable set -e during grep checks in view file validation loop
- Script now completes all 6 validation checks successfully
- Exit code 0 when only warnings present (debug files without menu entries)
Validation results:
✓ Check 1: RPCD naming vs ubus objects (15 modules)
✓ Check 2: Menu paths vs view files (15 modules, 100+ views)
✓ Check 3: View files have menu entries (2 warnings for debug files)
✓ Check 4: RPCD permissions (15 scripts executable)
✓ Check 5: JSON syntax validation (30 files)
✓ Check 6: ubus naming convention (17 objects)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
During firmware image creation, opkg tries to create a lock file in the
staging root filesystem's /tmp directory, but this directory doesn't
always exist, causing the build to fail at the final packaging stage.
Error:
opkg_conf_load: Could not create lock file
.../root.orig-mvebu//tmp/opkg.lock: No such file or directory
ERROR: target/linux failed to build
Solution:
- Create tmp directories in all staging root filesystems before build
- Apply fix in both parallel and single-threaded build paths
- Use wildcard patterns to catch all target architectures
Changes:
- local-build.sh: Create tmp dirs before and during retry
- build-secubox-images.yml: Create tmp dirs in workflow
- .gitignore: Ignore build artifacts (openwrt/, local-feed/, .vscode/)
This ensures the build can complete the final image packaging step
successfully, generating the firmware images.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The firmware builds were failing during toolchain compilation due to
GDB (GNU debugger) missing testsuite/Makefile. This is a known issue
with OpenWrt's GDB toolchain component.
Error:
Missing testsuite/Makefile
make[7]: *** [Makefile:1992: subdir_do] Error 1
ERROR: toolchain/gdb failed to build
Solution:
- Disable GDB in toolchain with '# CONFIG_GDB is not set'
- GDB is not needed for building firmware images
- Only useful for on-device debugging (can be installed separately)
- Enable BUILD_LOG for better debugging
This fix applies to both:
- Local firmware builds (local-build.sh)
- GitHub Actions firmware builds (build-secubox-images.yml)
Impact:
- Toolchain will compile successfully
- Firmware images will be generated
- Build time remains the same (1-2 hours for full build)
- No impact on firmware functionality
Tested with:
- OpenWrt 23.05.5
- Target: mvebu/cortexa72 (MOCHAbin)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive diagnostics when firmware images aren't generated and
a new debug-firmware command to troubleshoot build configuration without
running the full build process.
New Features:
- debug-firmware command to check configuration and available profiles
- Enhanced diagnostic output when no firmware images are found:
* Shows all files in target directory
* Lists available targets that were built
* Scans build log for errors
* Analyzes file types in target directory
* Provides actionable troubleshooting steps
The debug-firmware command shows:
- Device configuration (target, subtarget, profile)
- Current .config settings
- Whether device profile is properly configured
- Available device profiles for the target
- Build output directory contents
- Suggestions for next steps
Usage:
./secubox-tools/local-build.sh debug-firmware mochabin
This helps identify configuration issues before running the lengthy
build process again.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive firmware building functionality to local-build.sh,
replicating the GitHub Actions firmware build workflow. Users can now
build complete OpenWrt firmware images with SecuBox pre-installed
locally, in addition to building packages.
New Features:
- New 'build-firmware' command to build complete firmware images
- Support for GlobalScale devices (ESPRESSObin, Sheeva64, MOCHAbin)
- Device profile definitions with automatic target/subtarget configuration
- Automatic OpenWrt source download and caching
- Device-specific package configuration (10G for MOCHAbin, WiFi for Ultra)
- Firmware configuration with same settings as GitHub Actions workflow:
* CONFIG_TARGET_PER_DEVICE_ROOTFS=y for image generation
* Explicit PROFILE parameter in make commands
* Device profile verification before building
- Artifact collection with firmware images, packages, and checksums
- Build time tracking and verbose logging
- 'clean-all' command to remove OpenWrt source (saves ~20GB)
Device Profiles:
- espressobin-v7 (mvebu/cortexa53)
- espressobin-ultra (mvebu/cortexa53 with WiFi)
- sheeva64 (mvebu/cortexa53)
- mochabin (mvebu/cortexa72 with 10G networking)
- x86-64 (x86/64 generic PC)
Usage:
./secubox-tools/local-build.sh build-firmware mochabin
./secubox-tools/local-build.sh build-firmware espressobin-v7
Output:
Firmware images placed in build/firmware/<device>/
- *.img.gz, *sysupgrade.bin, *factory.bin files
- SHA256SUMS checksums
- BUILD_INFO.txt with build details
- packages/ directory with SecuBox .ipk files
Documentation:
- Updated README.md with firmware building examples
- Added device profiles and environment variables
- Added example workflows for firmware building
- Distinguished between package building (SDK) and firmware building (full source)
Technical Details:
- Uses full OpenWrt source (not SDK) for firmware builds
- Configures feeds identically to GitHub Actions workflow
- Includes same configuration fixes for image generation
- Verifies device profile selection before lengthy build
- Supports parallel and single-threaded builds with automatic retry
- Downloads and caches OpenWrt source for reuse
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
