- JavaScript validation via Node.js --check (with pattern fallback)
- JSON validation for menu.d and acl.d files
- Shell script validation with shellcheck integration
- CSS validation for unclosed braces and typos
- LuCI-specific checks: require format, console.log, debugger
- Integrated into quick-deploy.sh as default for LuCI apps
- --lint/--no-lint flags for deployment control
- Documentation added to secubox-tools/README.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changes:
- Enable WAF auto-ban by default (sensitivity: moderate, min_severity: high)
- Add whitelist for common safe IPs (localhost, router)
- Add browser cache busting via version parameter in CSS loads
- Document deployment scripts in secubox-tools/README.md
- Create CVE Layer 7 architecture documentation
WAF auto-ban now active with:
- 3 threats within 5 minutes triggers ban
- 4-hour ban duration
- Critical CVEs (Log4Shell, SQLi, CMDi) ban immediately
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix LAPI status check to dynamically read port from config
- Previously hardcoded wrong port (8080 vs 8180)
- Add comprehensive SecuBox feed documentation to README
- Document opkg configuration, HAProxy publishing, troubleshooting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- README.md: Update to v0.16.0 with all 38 modules categorized
- CHANGELOG.md: Create comprehensive changelog (v0.12.0-v0.16.0)
- CLAUDE.md: Add toolchain build rules for Go/CGO packages
- secubox-tools/README.md: Add SDK vs toolchain build guidance
- TODO-ANALYSE.md: Mark completed tasks, update health score
- HISTORY.md: Document ARM64 toolchain discovery, multi-instance
- dev-status-widget.js: Update stats (38 modules, 1500 commits)
SDK builds produce LSE atomics that crash on some ARM64 CPUs.
Go/CGO packages (crowdsec, netifyd) must use full toolchain.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The previous fix only installed Lua via feeds but didn't compile it,
so lua.h headers were still missing from staging_dir. This caused
all LuCI packages to fail compilation with:
fatal error: lua.h: No such file or directory
Root cause: ./scripts/feeds install lua only adds the package to the
build system but doesn't compile it or install headers to staging_dir.
Solution:
1. Install lua package via feeds
2. Enable lua in .config with CONFIG_PACKAGE_lua=m
3. Compile lua package: make package/lua/compile
4. This installs lua.h and other headers to staging_dir/target-*/usr/include/
5. Verify headers are present before continuing
Changes:
- GitHub Actions: Update "Install Lua" step to compile package
- local-build.sh: Update both Lua installation sections (2 places)
- Both: Add verification that lua.h exists in staging_dir
This ensures lucihttp and all LuCI packages can find Lua headers
during compilation, preventing the SDK build failures.
Related: f5c98d9 (previous incomplete fix)
Fixes: #lucihttp-missing-headers
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add ninja-build to package build workflow (build-openwrt-packages.yml)
- Add ninja-build to image build workflow (build-secubox-images.yml)
- Update secubox-tools/README.md with ninja-build dependency
- Update secubox-tools/local-build.sh dependency check and install instructions
- Ninja is required by OpenWrt build system for some compilation tasks
This resolves missing ninja errors in GitHub Actions builds.
Updated GitHub Actions workflows and build scripts to support the
latest OpenWrt versions:
- Added 25.12.0-rc1 (latest release candidate) for testing
- Added 24.10.5 (latest stable release)
- Changed default version from 23.05.5 to 24.10.5
Changes:
- .github/workflows/build-secubox-images.yml: Added new versions, updated default
- .github/workflows/build-openwrt-packages.yml: Added new versions, updated default
- secubox-tools/local-build.sh: Updated default version and added comment
- CLAUDE.md: Updated documentation with supported versions
- README.md: Updated build instructions and compatibility table
- secubox-tools/README.md: Updated environment variables documentation
The 25.12.0-rc1 includes major changes:
- Switch from opkg to apk package manager
- Integration of attended Sysupgrade into default LuCI
- Wi-Fi scripts converted to ucode
- Support for 160+ new devices (2180+ total)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive firmware building functionality to local-build.sh,
replicating the GitHub Actions firmware build workflow. Users can now
build complete OpenWrt firmware images with SecuBox pre-installed
locally, in addition to building packages.
New Features:
- New 'build-firmware' command to build complete firmware images
- Support for GlobalScale devices (ESPRESSObin, Sheeva64, MOCHAbin)
- Device profile definitions with automatic target/subtarget configuration
- Automatic OpenWrt source download and caching
- Device-specific package configuration (10G for MOCHAbin, WiFi for Ultra)
- Firmware configuration with same settings as GitHub Actions workflow:
* CONFIG_TARGET_PER_DEVICE_ROOTFS=y for image generation
* Explicit PROFILE parameter in make commands
* Device profile verification before building
- Artifact collection with firmware images, packages, and checksums
- Build time tracking and verbose logging
- 'clean-all' command to remove OpenWrt source (saves ~20GB)
Device Profiles:
- espressobin-v7 (mvebu/cortexa53)
- espressobin-ultra (mvebu/cortexa53 with WiFi)
- sheeva64 (mvebu/cortexa53)
- mochabin (mvebu/cortexa72 with 10G networking)
- x86-64 (x86/64 generic PC)
Usage:
./secubox-tools/local-build.sh build-firmware mochabin
./secubox-tools/local-build.sh build-firmware espressobin-v7
Output:
Firmware images placed in build/firmware/<device>/
- *.img.gz, *sysupgrade.bin, *factory.bin files
- SHA256SUMS checksums
- BUILD_INFO.txt with build details
- packages/ directory with SecuBox .ipk files
Documentation:
- Updated README.md with firmware building examples
- Added device profiles and environment variables
- Added example workflows for firmware building
- Distinguished between package building (SDK) and firmware building (full source)
Technical Details:
- Uses full OpenWrt source (not SDK) for firmware builds
- Configures feeds identically to GitHub Actions workflow
- Includes same configuration fixes for image generation
- Verifies device profile selection before lengthy build
- Supports parallel and single-threaded builds with automatic retry
- Downloads and caches OpenWrt source for reuse
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add local-build.sh: comprehensive local build system
- Validates packages (Makefiles, JSON, JavaScript, shell scripts)
- Downloads and caches OpenWrt SDK
- Builds .ipk packages locally
- Supports multiple architectures (x86-64, ARM, MIPS)
- Collects artifacts with SHA256 checksums
- Update CLAUDE.md with local build documentation
- Add Local Build section with usage examples
- Update Development Workflow to include local testing
- List supported architectures and environment variables
- Update secubox-tools/README.md
- Add comprehensive local-build.sh documentation
- Update workflow examples to include local building
- Add dependencies and installation instructions
Benefits:
- Test builds locally before CI/CD
- Faster development iteration
- Reduced GitHub Actions usage
- Offline development support
Usage:
./secubox-tools/local-build.sh validate
./secubox-tools/local-build.sh build
./secubox-tools/local-build.sh build luci-app-<name>
./secubox-tools/local-build.sh build --arch <arch>
./secubox-tools/local-build.sh full
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add validate-modules.sh script that validates critical naming conventions
and module structure to prevent common RPC and HTTP 404 errors.
New validation checks:
- RPCD script names must match ubus object names (luci.* prefix)
- Menu paths must match view file locations
- View files must have corresponding menu entries
- RPCD scripts must be executable
- JSON files must have valid syntax
- ubus objects must follow naming convention
Updated CLAUDE.md documentation with:
- Critical naming conventions section with examples
- Common error patterns and solutions
- Updated development workflow to include validation
- Enhanced troubleshooting guide for RPC and 404 errors
- Updated package structure diagram with correct RPCD naming
Added secubox-tools/README.md:
- Detailed usage instructions for validation script
- Common fixes for naming issues
- CI/CD integration examples
- Quick reference for critical naming rules
This tooling prevents deployment of modules with naming mismatches that
cause runtime errors like:
- RPC call failed with error -32000: Object not found
- HTTP error 404 while loading view files
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
