- Add LED heartbeat to secubox-core daemon using MochaBin's RGB LEDs (led1)
- Green flash: system healthy
- Double red flash: warning state
- Long red flash: error state
- Blue flash: boot/startup
- LED pulses once per watchdog cycle (default 60s)
- New UCI options: led_heartbeat (default 1), watchdog_interval (default 60)
- Add "Node Services" section to Vortex DNS LuCI dashboard showing published sites
- Bump secubox-core version to 0.10.0-r12
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add -z/--zone option to dnsctl for zone override
- Detect correct DNS zone from domain suffix (secubox.in, maegia.tv, cybermind.fr)
- Register on both published domain zone AND vortex node subdomain
- Fix hyphenated site names (e.g., bazi-weekly) in UCI lookups
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Emancipate button to dashboard sites table
- Implement async RPC with job polling to avoid XHR timeout
- Add emancipate + emancipate_status RPCD methods
- Add ACL permissions for new RPC methods
- Change HAProxy reload to restart for clean state
- Document RPCD ACL requirements in CLAUDE.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `metablogizerctl emancipate <name>` command for one-command full
exposure workflow:
1. DNS A record via dnsctl (Gandi/OVH based on availability)
2. Vortex DNS mesh publication
3. HAProxy vhost with SSL/ACME enabled
4. SSL certificate request (webroot mode)
5. Zero-downtime HAProxy reload
Usage:
metablogizerctl create myblog blog.example.com
metablogizerctl emancipate myblog
Bump version to 1.1.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- BIND zone was returning internal IP (192.168.255.1) instead of public IP
- Added IPv6 AAAA records to BIND zone and Gandi DNS
- Fixed nftables forward_wan chain blocking DNAT'd mail traffic
- Added mail port forwarding rules for both IPv4 and IPv6
- Documented Free ISP inbound port 25 blocking issue
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- user_passwd now updates /etc/dovecot/users inside container
- user_add also syncs new users to Dovecot
- Fixes password reset not working (was only updating host file)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Reset Password button to user table
- Add showResetPasswordModal with password confirmation
- Add callUserPasswd RPC declaration
- Fix RPCD handler to read JSON from stdin or $3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace bash arrays with POSIX loops in scoring.sh
- Replace bc with shell arithmetic (bc not available on OpenWrt)
- Wrap RPCD handlers in functions for local keyword compatibility
- Fix process substitution < <() to use pipe instead
Tested on router: CLI and RPCD working, score calculation correct.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Network Anomaly Agent (secubox-network-anomaly):
- 5 detection modules: bandwidth, connection flood, port scan, DNS, protocol
- EMA-based baseline comparison
- LocalAI integration for threat assessment
- network-anomalyctl CLI
LocalRecall Memory System (secubox-localrecall):
- Persistent memory for AI agents
- Categories: threats, decisions, patterns, configs, conversations
- EMA-based importance scoring
- LocalAI integration for summarization
- localrecallctl CLI with 13 commands
AI Insights Dashboard (luci-app-ai-insights):
- Unified view across all AI agents
- Security posture scoring (0-100)
- Agent status grid with alert counts
- Aggregated alerts from all agents
- Run All Agents and AI Analysis actions
LuCI Dashboards:
- luci-app-network-anomaly with real-time stats
- luci-app-localrecall with memory management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- LocalAI inference takes 30-60s on ARM64 hardware
- Changed RPCD chat handler to async pattern:
- Returns poll_id immediately
- Background process runs AI query (120s timeout)
- Saves result to /var/lib/threat-analyst/chat_*.json
- Client polls with poll_id to get result
- Updated api.js with chatAsync() that polls automatically
- Changed default LocalAI port from 8081 to 8091
- Frontend shows "Thinking..." message with spinner during inference
- Uses curl instead of wget (BusyBox wget doesn't support --post-data=-)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add init.d script for daemon mode with procd integration
- Update Makefile to install init script
- Add packages to bonus feed (secubox-vortex-dns, luci-app-vortex-dns)
- Update tracking files with completion status
Features:
- Master/slave hierarchical DNS delegation
- Wildcard domain management (*.domain)
- First Peek auto-registration of services
- Gossip-based exposure config sync via secubox-p2p
- Submastering for nested hierarchies
- LuCI dashboard with mode detection and action buttons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New RPCD method: reset_password
- Resets Domoticz admin password via SQLite
- Accessible from LuCI dashboard
- MD5 hashes the password before storing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Firewall DNAT rules were redirecting ALL port 993/587/465 traffic
to local mailserver, blocking external mail server connections.
Fix: Add -i $WAN_IF to only redirect inbound WAN traffic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mydestination included $mydomain which caused "User unknown in local
recipient table" errors because Postfix treated the domain as local
instead of virtual.
Changes:
- Remove $mydomain from mydestination in setup.sh
- Update fix-postfix command to also fix this issue
- Ensure vdomains file is properly created
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine Linux's Postfix is compiled with LMDB support, not BerkeleyDB
hash support. This caused "Temporary lookup failure" errors on send.
Changes:
- Changed virtual_alias_maps and virtual_mailbox_maps to lmdb: prefix
- Copy resolv.conf to Postfix chroot for DNS resolution
- Added `mailctl fix-postfix` command to repair existing installations
Root cause: virtual_alias_maps was configured as hash:/etc/postfix/virtual
but the hash map type is not supported on Alpine, only lmdb.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Port status now checks inside container (not localhost)
- Added report command: generate, send, enable, disable
- Daily report includes server status, mail queue, logs, storage
- Cron job setup for automated daily reports at 7 AM
- Report sent to admin_email configured in UCI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All-in-one LuCI interface for:
- Mail server status and control
- User/alias management with modals
- Port status monitoring
- DNS/SSL setup actions
- Webmail configuration
- Mesh backup integration
RPCD handler with 17 methods for full mail management.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-backup: Unified backup for LXC containers, UCI config, services
- luci-app-backup: KISS dashboard with container list and backup history
- secubox-app-mailserver: Custom Postfix+Dovecot in LXC with mesh backup
Enhanced dnsctl with:
- generate: Auto-create subdomain A records
- suggest: Name suggestions by category
- mail-setup: MX, SPF, DMARC record creation
- dkim-add: DKIM TXT record management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-threat-analyst: AI-powered threat analysis with CrowdSec integration
- luci-app-threat-analyst: LuCI dashboard for threat intelligence
- secubox-dns-guard: DNS security monitoring and blocking
- secubox-mcp-server: Model Context Protocol server for AI assistant integration
Enhancements:
- dns-provider: Add DynDNS support (dyndns, get, update, domains commands)
- gandi.sh: Full DynDNS with WAN IP detection and record updates
- luci-app-dnsguard: Upgrade to v1.1.0 with improved dashboard
Infrastructure:
- BIND9 DNS setup for secubox.in with CAA records
- Wildcard SSL certificates via DNS-01 challenge
- HAProxy config fixes for secubox.in subdomains
- Mail server setup with Roundcube webmail
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upgrade LocalAI from v2.25.0 to v3.9.0 with new features:
- **Agent Jobs Panel**: Schedule and manage background agentic tasks
- **Memory Reclaimer**: LRU eviction for loaded models, automatic VRAM cleanup
- **VibeVoice backend**: New voice synthesis support
Update README with:
- v3.9 feature highlights
- Complete CLI command reference
- Model presets table (tinyllama, phi2, mistral, gte-small)
- API endpoints documentation
- SecuBox Couche 2 integration notes
This is part of the v0.18 AI Gateway roadmap.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Build and add secubox-app-mac-guardian_0.5.0-r1_all.ipk
- Build and add luci-app-mac-guardian_0.5.0-r1_all.ipk
- Sync luci-app-mac-guardian to local-feed for SDK building
- Update apps-local.json catalog with proper metadata:
- Category: security, Icon: wifi
- Descriptions for frontend and backend packages
- Rebuild all bonus feed packages
Package features:
- WiFi MAC address spoofing detection
- OUI anomaly detection for device fingerprinting
- MAC flood protection via hotplug.d integration
- CrowdSec scenarios for automated threat response
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 4-step modal wizard for first-time configuration
- Step 1: Welcome with Docker/container status checks
- Step 2: Add/remove media library paths with type presets
- Step 3: Network configuration (domain, HAProxy, ACME)
- Step 4: Complete with link to Jellyfin Web UI
- Add RPCD methods: get_wizard_status, set_wizard_complete,
add_media_path, remove_media_path, get_media_paths
- Auto-trigger wizard when installed but not configured
- Add wizard.css with step indicators and form styling
- Update Makefile to install CSS resources
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add emancipate/revoke/get_emancipated RPCD methods
- Add Mesh toggle column with blue theme styling
- Add Emancipate button in header with multi-channel modal
- Modal allows selecting Tor/DNS/Mesh channels
- Add mesh badge to header stats
- Update ACL and API wrapper for new methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add animated "Collecting data..." overlay with pulsing dots during
5-second chart warmup period
- Chart legend transitions from "Waiting" to "Live" when data arrives
- Add formatBits() helper for network rate display (Kbps/Mbps/Gbps)
- Network rates now use SI units (bits) instead of bytes
- Cyberpunk theme support for empty state styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SecuNav.renderTabs() now automatically initializes theme and loads CSS,
eliminating boilerplate from views. Added renderCompactTabs() for nested
modules and renderBreadcrumb() for back-navigation.
Updated module navs: cdn-cache, client-guardian, crowdsec-dashboard,
media-flow, mqtt-bridge, system-hub. Removed ~1000 lines of duplicate CSS.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch from Docker to LXC with Debian bookworm rootfs and native
Domoticz binary from GitHub releases (latest/download pattern)
- Fix LXC cgroup2 terminal allocation: add lxc.tty.max, lxc.pty.max,
cgroup2 device permissions for standard char devices, disable seccomp
- Fix PID 1 issue: run domoticz as child process with signal forwarding
- Use quoted heredoc with sed placeholders for start script generation
- Update LuCI view: Docker → LXC references, add memory usage display
- Remove Docker image UCI option, update catalog runtime to "lxc"
- Fix streamlit LXC config: same cgroup2/terminal/seccomp fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-domoticz package with RPCD handler (12 methods), LuCI overview
(status, IoT integration, MQTT, HAProxy, mesh, logs), and full service lifecycle.
Enhanced domoticzctl with configure-mqtt (auto Mosquitto+Z2M bridge), configure-haproxy,
backup/restore, mesh-register, and uninstall commands. UCI extended with mqtt/network/mesh
sections. Catalog updated with LuCI package and IoT tags. MirrorNetworking strategic
document noted in planning files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The z2m 2.x breaking changes required three fixes discovered during
live deployment testing on the router:
- Adapter renamed from `ezsp` to `ember` in zigbee-herdsman 4.0.0
- Config format needs `version: 4` and nested `homeassistant.enabled`
- Start script needs `ZIGBEE2MQTT_DATA` env var for correct config path
- Add `mosquitto-nossl` as package dependency (MQTT broker required)
- Direct `/dev/ttyUSB0` passthrough works; socat TCP bridge does not
Also updates project planning files (HISTORY.md, TODO.md, WIP.md,
CLAUDE.md) and rebuilds bonus feed with latest IPKs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace Docker-based zigbee2mqtt with a KISS LXC approach using Alpine
Linux container with Node.js + zigbee2mqtt, matching the HAProxy LXC
pattern. Adds USB serial passthrough for Sonoff Dongle Lite MG21.
- zigbee2mqttctl: Full LXC lifecycle (install, update, check, shell)
- RPCD: LXC diagnostics (lxc, cp210x, serial, container, service)
- api.js: Fix callApply missing params (payload was silently dropped)
- overview.js: Match new LXC diagnostics, fix applyConfig call
- Makefiles: Replace +dockerd +docker +containerd with +lxc +kmod-usb-serial-cp210x
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Includes rebuilt packages with RPCD function wrapper fix, crowdsec
decisions fix, and new secubox-app-jellyfin package.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
