Validated secubox-image.sh and secubox-sysupgrade.sh scripts:
- Fixed curl redirect issue: ASU API returns 301 redirects
- Added -L flag to 9 curl calls across both scripts
- Verified all device profiles valid (mochabin, espressobin, x86-64)
- Confirmed POSIX sh compatibility for sysupgrade script
- Validated first-boot script syntax
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Skip IPv6 addresses and use active_address when available
- Filter out local node from shared services query
- Increase curl max-time to 10s for slow CGI responses
- Skip null/empty peer addresses
- Reduces response time from 48s to ~5s
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change service endpoint from port 8080 to /cgi-bin/p2p-services
- Exclude local node from shared services query
- Extract .services array from response JSON
- Add peer address to each shared service for attribution
- Handle empty/null responses gracefully
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- 1 second delay between I2C writes to prevent bus lockup
- Error detection with backoff
- Max 3 consecutive errors then stops
- 10 second update interval
- Commands: start, stop, status, test
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Simple tool to sync LuCI resources, views, RPCD handlers, ACLs and
menus from master node to all mesh peers. No IPK rebuild required.
Usage: mesh-sync-packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash doesn't support 'local' keyword outside functions.
This was causing health_check RPC to hang with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Share CrowdSec bans and mitmproxy detections between mesh nodes using
the existing blockchain chain + gossip sync. Received IOCs from trusted
peers are auto-applied as CrowdSec decisions based on a three-tier trust
model (direct/transitive/unknown).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The factory_audit_log function's ubus call was only redirecting stderr,
allowing stdout JSON output to leak into CGI responses when Gitea backup
is enabled. This caused JSON parse errors in the Factory dashboard when
creating snapshots.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When an app has no description, return empty string instead of null
to prevent "null" text from being rendered in the instances table.
Also: secubox-p2p bumped to v0.6.0-r3 with catalog fix.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When HAProxy inspection mode routes all vhosts through mitmproxy_inspector,
the catalog now uses the original_backend UCI property to correctly map
domains to their actual services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use POST method for creating new files and PUT for updates.
Gitea requires this distinction - PUT with no SHA fails for new files.
Changes:
- Use POST for creating new files in catalog_push_gitea()
- Use PUT only when existing SHA is available (updates)
- Add explicit branch parameter for consistency
- Bump version to 0.6.0-r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Distributed Catalog:
- Implement catalog_push_gitea() to push node catalogs via Gitea REST API
- Add catalog_push_merged_gitea() for merged catalog sync
- Create /api/factory/catalog-sync POST endpoint for triggering sync
- Catalogs pushed to catalog/nodes/{hostname}.json in Gitea repo
Health Probing:
- Add get_service_health() with cached latency measurement
- HTTP probe with curl to measure response time
- Fallback to /proc/net/tcp port check
- 60-second cache TTL to keep catalog endpoint fast
Files:
- factory.sh: Gitea REST API integration for catalog push
- catalog: Health probing with latency measurement
- catalog-sync: New CGI endpoint for sync operations
- Makefile: Install catalog-sync endpoint
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Separate static files from CGI scripts in uhttpd configuration:
- Static files (index.html) served from /www
- CGI scripts executed from /www/api/*
- API base changed from /factory/ to /api/factory/
This fixes HAProxy routing where /factory/ serves the UI and
/api/factory/* routes to the P2P API backend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement distributed service catalog that discovers HAProxy vhosts
and provides multi-endpoint access URLs (haproxy/mesh/local). Add
dynamic DNS federation that auto-populates dnsmasq with mesh peer
hostnames (hostname.mesh.local).
New features:
- /factory/catalog API endpoint with service registry
- Catalog tab (📚) in Factory UI with endpoint filtering
- QR codes with URL type switching (haproxy/mesh/local)
- Linked mesh peers navigation panel
- DNS federation via /tmp/hosts/secubox-mesh
- CLI commands: dns-enable/disable/update, catalog sync/list/generate
Bumps secubox-p2p to v0.6.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mesh-services CGI endpoint for aggregated service discovery
across all mesh peers
- Update Factory UI with tabbed interface: Dashboard and Mesh Services
- Mesh Services panel features:
- Real-time service discovery from all nodes
- Filter by search, status, or node
- Direct access links for services with ports
- Status indicators (running/stopped/disabled)
- Summary stats (nodes online, running/total services)
- Bump version to 0.5.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change API base URL to use relative /factory/ path instead of
absolute URL with port 7331. HAProxy routes /factory/* API paths
to the factory backend while serving UI from luci backend.
This fixes mixed content blocking when accessing via HTTPS.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace signify-openbsd calls with HMAC-based signatures
(OpenWrt's signify lacks -n flag for no-passphrase)
- Fix API paths in UI: use /factory/ not /api/factory/
- Support cross-port API calls (UI on 8081, API on 7331)
- Update LuCI view to use relative /factory/ path
- Update feed with secubox-p2p 0.4.0 packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement mesh-distributed, cryptographically-validated control center:
- Add factory.sh library with Ed25519 signing via signify-openbsd
- Add Merkle tree calculation for /etc/config validation
- Add CGI endpoints: dashboard, tools, run, snapshot, pubkey
- Add KISS Web UI (~280 lines vanilla JS, inline CSS, zero deps)
- Add gossip-based 3-peer fanout for snapshot synchronization
- Add offline operations queue with replay on reconnect
- Add LuCI iframe integration under MirrorBox > Factory tab
- Configure uhttpd alias for /factory/ on port 7331
- Bump secubox-p2p version to 0.4.0
Factory UI accessible at http://<device>:7331/factory/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_wan_ip() to detect real WAN/public IP address
- Add get_wg_ips() to enumerate WireGuard tunnel addresses
- Add get_node_addresses() returning JSON array of all addresses
- Update register_self() to include WAN and WireGuard addresses
- Update get_node_status() API to expose all addresses
- Update add_peer() to support multi-address peers
- Update daemon connectivity check to try:
1. WireGuard tunnel (secure redundancy)
2. WAN address (external reach)
3. LAN address (local fallback)
- Add UCI options: advertise_wan, advertise_wireguard, prefer_wireguard
- Version bump to 0.3.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix register_self() to handle JSON whitespace with awk
- Update get_peers() to auto-register local node if peers list is empty
- Ensure node identity is initialized before querying peers
This ensures C3BOX always shows itself in the P2P Hub peers view.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mDNS service announcement via avahi-publish for _secubox._tcp
- Add REST API endpoints on port 7331 (/api/peers, /api/status, /api/services)
- Add node self-registration to ensure local node visible in mesh view
- Add UCI defaults for uhttpd P2P API instance and firewall rules
- Bump secubox-p2p version to 0.2.0
fix(vhost-manager): Fix uninitialized variable syntax errors
- Add 'local' keyword to variable declarations on lines 606, 621, 693
fix(metablogizer,service-registry): Add HAProxy availability fallback
- Add haproxy_available() helper to check if HAProxy is running
- Gracefully skip HAProxy operations when service unavailable
- Store pending HAProxy config for later when service becomes available
- Prevent crashes when HAProxy container is stopped
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Migrate from nginx to Squid proxy for better caching
- Add aggressive caching rules for Windows Update, Linux repos, Steam, Apple
- Proper firewall integration via UCI (transparent proxy)
- Real-time stats from Squid access logs
Network Modes:
- Complete UI rework with MirrorBox dark theme
- 9 network modes with emojis and descriptions
- Dynamic CSS animations and modern styling
Fixes:
- Fix jshn boolean handling in secubox-recovery (1/0 vs true/false)
- Fix nDPId RPCD to use netifyd as fallback DPI provider
- Update media-flow and security-threats dashboards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add complete backend implementation for Gitea integration and local backups
with admin permissions:
RPCD Methods (luci.secubox-p2p):
- get_gitea_config / set_gitea_config - Gitea server configuration
- create_gitea_repo - Create new Gitea repository via API
- list_gitea_repos - List user's Gitea repositories
- get_gitea_commits - Fetch commit history
- push_gitea_backup - Push config/packages/scripts to Gitea
- pull_gitea_backup - Restore from Gitea commit
- create_local_backup - Create local backup snapshot
- list_local_backups - List available local backups
- restore_local_backup - Restore from local backup
UCI Config (secubox-p2p):
- gitea section: server_url, repo_name, access_token, auto_backup options
- backup section: backup_dir, max_backups, auto_cleanup
Frontend (hub.js):
- Updated createGiteaRepo() to use backend API
- Updated backup functions to use backend storage
- Added refreshGiteaCommits() for real API calls
- Load function now fetches Gitea config and backup list
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
