cb59c58617
docs: Update tracking for Metrics Dashboard v2 + caching
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-17 12:43:48 +01:00
0a2b65b913
docs: Update tracking files for Metrics Dashboard + WAF hot-reload
- Added LuCI Metrics Dashboard to HISTORY.md
- Documented WAF hot-reload discovery
- Updated WIP.md with completed work
- Noted HAProxy health check fix and test site cleanup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-17 11:59:17 +01:00
3127986fbc
docs: Update tracking files for HAProxy/mitmproxy WAF routing fix
- Fixed 503 errors on published sites (testsite, santefr, etc.)
- Root cause: mitmproxy haproxy_router_enabled missing from UCI
- Root cause: mitmproxy routes not reloaded after file update
- Root cause: HAProxy config needed reload after changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-17 10:56:14 +01:00
f46e145927
feat(crowdsec): Add geo heatmap visualization for threat origins
- New heatmap.js component with SVG world map and country centroids
- Colored dots show threat distribution: orange (local), cyan (CAPI), red (WAF)
- Dot size scales logarithmically with threat count (4-20px)
- Hover tooltips show country code and count
- Added geo_local_raw and geo_capi_raw fields to RPCD backend
- CAPI geo extraction from decisions with GeoIP metadata
- CSS styling for heatmap container, dots, and legend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-16 09:28:48 +01:00
b08e71fa7f
docs: Document quick-access QR page and port conflict fix
- Added quick-access.secubox.in QR landing page to tracking
- Documented MetaBlogizer port allocation race condition
- Existing tools: check-ports, fix-ports commands
- Fixed srvi/quick-access port 9013 conflict
- Updated mitmproxy routes (127.0.0.1 → 192.168.255.1)
- Added recommended improvements to backlog
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 19:46:30 +01:00
b659c34d57
docs: Update HISTORY.md with v1.0.0 beta release
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 18:45:58 +01:00
0809bc69c2
chore: Bump version to 1.0.0
All major roadmap milestones achieved:
- v0.18 MirrorBox Core
- v0.19 AI Expansion + MirrorNet
- v1.0 Full Stack (VoIP, Matrix, Factory provisioning)
- v1.1+ Extended Mesh (Yggdrasil, Meshname DNS)
Updated version strings in:
- Makefile: PKG_VERSION 0.10.0 → 1.0.0, PKG_RELEASE reset to 1
- secubox CLI: SECUBOX_VERSION 0.9.0 → 1.0.0
- secubox-core daemon: SECUBOX_VERSION 0.8.2 → 1.0.0
- RPCD handlers: core.sh, dashboard.sh, luci.secubox
- common.sh: secubox_get_version()
- README.md header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 16:05:39 +01:00
a345c16425
feat(smtp-relay): Add unified SMTP relay configuration
- New secubox-app-smtp-relay package with centralized SMTP config
- Shared library with send_mail(), send_html_mail(), send_text_mail()
- CLI: smtp-relayctl with status/test/send/configure/admin commands
- RPCD: 5 methods for LuCI integration
- LuCI settings page with mode selection and test button
- Modes: external (SMTP server), local (auto-detect mailserver), direct
- Migrated reporter and bandwidth-manager to use shared library
- Backwards-compatible fallback to legacy per-app config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 16:01:12 +01:00
ccccd3d93b
feat(dpi-dual): Add WAF auto-ban tuning system
- UCI config: Add scoring section with event weights, sensitivity presets,
  whitelist, and decay options
- dpi-correlator: Load scoring weights from UCI, apply sensitivity
  multipliers, check whitelist before auto-ban, periodic reputation decay
- CLI: New 'tune', 'whitelist', 'decay' commands for runtime configuration
- RPCD: 6 new methods - get_tuning, set_tuning, whitelist_add/remove/list,
  reset_reputation
- ACL: Added permissions for new tuning methods
Sensitivity presets:
- low (0.7x) - fewer false positives
- medium (1.0x) - balanced (default)
- high (1.3x) - aggressive detection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 15:37:55 +01:00
c80b10f18d
feat(luci): Add provisioning and ttyd deployment UI
Config Vault Dashboard (overview.js):
- "Device Provisioning" card with 3 action buttons
  - Provision Remote: Modal to push clone to remote node
  - Serve via HTTP: Generate clone for HTTP download
  - Restore All: Confirmation modal to restore all modules
- RPC calls: provision, serve_clone, restore_all
RTTY Remote Dashboard (dashboard.js):
- "Deploy ttyd to All" global button in controls
- Per-node "ttyd" button in Connected Nodes table
- Confirmation modal for bulk deployment
- Progress spinner and result display
- RPC calls: deploy_ttyd, install_remote
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 15:30:32 +01:00
e86545bd3a
feat(config-vault): Add device provisioning system
Implement full provisioning workflow for SecuBox device replication:
Auto-Restore:
- import-clone <file> --apply: Auto-restore all modules after import
- restore-all: Restore all modules from vault
Remote Provisioning:
- provision <node|all>: Push clone to remote nodes via RPC proxy
- Transfer clone as base64 to remote node
- Trigger import+apply on remote
First-Boot Pull:
- pull-config <master>: Pull config from master node
- HTTP download or RPC fallback
- Auto-reboot after apply, marks /etc/secubox-provisioned
HTTP Serve:
- serve-clone: Generate clone at /www/config-vault/
- Enables HTTP-based config distribution
RPCD Methods (6 new):
- restore_all, import_apply, provision
- pull_config, export_clone_b64, serve_clone
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 15:18:54 +01:00
ac7912e0a1
feat(rtty): Add remote package installation for mesh nodes
Add rttyctl commands for remote package deployment:
- rttyctl install <node|all> <app_id> - Install package on node(s)
- rttyctl install-status <node> [app] - Check package status
- rttyctl deploy-ttyd <node|all> - Deploy ttyd web terminal
RPCD methods added:
- install_remote, install_mesh, deploy_ttyd, install_status
Features:
- Node discovery from master-link, WireGuard, P2P mesh
- Auto-enables and starts ttyd after installation
- Batch install with summary stats (installed/skipped/failed)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 15:10:32 +01:00
e2723946d4
docs: Update tracking for DPI Phase 4 LAN Passive Analysis
- Added LAN passive flow analysis to HISTORY.md
- Updated WIP.md with completed DPI work
- Noted mitmproxy-out removal and detection fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 15:02:06 +01:00
7ff9ee3805
feat(dpi): Phase 3 - Correlation engine + timeline view
Correlation Library (correlation-lib.sh):
- IP reputation tracking with configurable decay
- Full context gathering from MITM, DPI, WAF streams
- CrowdSec decision checking and notification
- Correlation entry builder with rich context
Enhanced Correlator (dpi-correlator v2):
- Watches WAF alerts, CrowdSec decisions, DPI flows
- Auto-ban for high-reputation IPs (threshold: 80)
- Notification queue for high-severity threats
- CLI: correlate, reputation, context, search, stats
LuCI Timeline View:
- Correlation timeline with colored event cards
- IP context modal showing MITM requests + WAF alerts
- Quick ban button with CrowdSec integration
- Search by IP functionality
- Stats: total, high-threat, banned, unique IPs
RPCD Methods (8 new):
- get_correlation_stats, get_ip_context, get_ip_reputation
- get_timeline, search_correlations, ban_ip, set_auto_ban
UCI Config: auto_ban, auto_ban_threshold, notifications
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 12:27:20 +01:00
a24beaf316
feat(dpi): Phase 2 - MITM double buffer + LuCI dashboard
MITM Double Buffer (dpi_buffer.py):
- Compiled regex patterns for 6 threat categories
- Scanner detection (sqlmap, nikto, nmap, etc.)
- Optional blocking mode for high-score threats
- Request replay queue for forensic analysis
- Rate limiting detection
- Stats: buffer entries, threat distribution, top hosts
LuCI Dashboard (luci-app-dpi-dual):
- RPCD handler with 10 methods
- KISS-themed overview with stream status cards
- LED indicators for MITM/TAP/Correlation
- Threats table with score and blocked status
- Protocol distribution from netifyd
- Manual IP correlation trigger
Streamlit Control Panel:
- Added DPI Dual card with flows/threats/blocked metrics
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 12:21:50 +01:00
58a51eb271
feat(dpi): Implement Phase 1 of Dual-Stream DPI architecture
- secubox-dpi-dual package with parallel MITM + Passive TAP analysis
- TAP stream: tc mirred port mirroring to dummy interface for netifyd
- Flow collector: Stats aggregation from netifyd, cleanup, JSON output
- Correlation engine: Matches MITM WAF events with TAP flow data
- Watches CrowdSec decisions and WAF alerts for threat enrichment
- CLI: dpi-dualctl with start/stop/status/flows/threats/mirror commands
- Procd service: manages flow-collector + correlator instances
- MITM double buffer: dpi_buffer.py mitmproxy addon (Phase 2 prep)
- UCI config: dual/mitm-only/tap-only mode selection
Architecture: package/secubox/DUAL-STREAM-DPI.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 12:15:17 +01:00
d6d286d615
feat(wall): Add 3D joystick and color cycle toggle to MAGIC·CHESS·360
- 2D joystick controls true CSS 3D perspective (rotateX/rotateY)
- Color cycle toggle: 🎨 button enables/disables spectrum animation
- Default colorset changed to RGB with cycling OFF
- Depth slider for zoom, pixel ring for cell size
- CSS perspective: 1200px for 3D depth effect
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 11:01:20 +01:00
a25e285573
feat(wall): Add 15 colorsets to MAGIC·CHESS·360
- Added colorset selector to wall.maegia.tv TAO_SPECTRUM
- 15 palettes: default, alchy, emojiz, punk, hollistique, tantrique,
  cosmique, solarix, oceanique, rainbow, fluo, phospho, vintage, tao, merkaba
- Minimal patch (~8KB added) preserving original functionality
- Keyboard shortcuts 1-9, localStorage persistence
- Deployed: https://wall.maegia.tv/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 10:35:12 +01:00
10b3d3a43c
feat(torrent): Add LuCI dashboard and fix WebTorrent ESM issue
- Add luci-app-torrent: unified dashboard for qBittorrent + WebTorrent
  - RPCD handler with status/list/start/stop/add methods
  - Dark-themed UI with real-time torrent queue display
  - Start/Stop controls and magnet link add functionality
  - 5-second auto-refresh polling
- Fix webtorrent v2.x ESM incompatibility
  - Pin to v1.9.7 (last CommonJS version)
  - Use npm install with --save-exact to prevent semver drift
- HAProxy exposure configured:
  - qBittorrent: torrent.gk2.secubox.in (192.168.255.42:8090)
  - WebTorrent: stream.gk2.secubox.in (192.168.255.43:8095)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 06:59:07 +01:00
d308b22070
fix(nzbhydra): Fix startup script for generic release
- Install python3 for wrapper script
- Use nzbhydra2wrapperPy3.py instead of native binary
- Download generic release (not linux-specific)
- Handle already-installed case
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-14 18:21:43 +01:00
1598ee9391
docs: Update HISTORY.md for Droplet Publisher
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-14 11:25:53 +01:00
296eac8562
docs: Update tracking files for Hub Generator v7 NFO fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-14 10:11:07 +01:00
e17c73e343
feat(nfo): Add Module Manifest system with batch generation
Introduce flat-file UCI-style NFO manifest format for Streamlit apps
and MetaBlog sites. Enables AI context integration, search indexing,
and mesh publishing metadata.
New features:
- NFO parser library with parse/validate/update/export functions
- NFO validator with type-specific schema validation (streamlit/metablog)
- Batch generation: slforge nfo init-all, metablogizerctl nfo init-all
- RPCD methods: nfo_read, nfo_write, nfo_validate
- Reusable LuCI NFO viewer component with collapsible sections
- LuCI editor modal in Streamlit Forge overview
- Hub generator enhanced with NFO metadata (descriptions, capabilities)
- Metacatalog search with --category and --capability filters
New files:
- nfo-parser.sh, nfo-validator.sh (shell libraries)
- nfo-viewer.js (LuCI component)
- NFO-SPEC.md (specification)
- install.sh (universal NFO-based installer)
- nfo-template.nfo (templates for streamlit/metablog)
Deployed and tested: 136 NFO files generated (107 MetaBlogs, 29 Streamlit)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-14 08:51:09 +01:00
e96aeb4f17
docs: Update tracking files for Streamlit Launcher
- WIP.md: Added Streamlit Launcher to completed items (2026-03-14)
- HISTORY.md: Added entry 103 for Streamlit Launcher
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-14 07:57:35 +01:00
7bd1810d54
docs: Update tracking files for Config Vault and System Hardware Report
- WIP.md: Added Config Vault and System Hardware Report to completed items
- WIP.md: Updated Next Up section (removed completed Session Replay)
- HISTORY.md: Added entry 102 for System Hardware Report
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-13 13:15:55 +01:00
ec4aadbaa3
feat(config-vault): Add Configuration Vault system with Gitea sync
New packages:
- secubox-app-config-vault: Git-based config versioning CLI (configvaultctl)
- luci-app-config-vault: KISS-themed dashboard with status rings
Features:
- 9 configuration modules (users, network, services, security, etc.)
- Auto-commit and auto-push to private Gitea repository
- Export/import clone tarballs for device provisioning
- Commit history browser with restore capability
Also adds System Hardware Report to secubox-app-reporter:
- CPU/Memory/Disk/Temperature gauges with animations
- Environmental impact card (power/kWh/CO₂ estimates)
- Health recommendations based on system metrics
- Debug log viewer with severity highlighting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-13 12:49:33 +01:00
c20f55e5e4
docs: Update tracking files for luci-app-reporter
- HISTORY.md: Added LuCI dashboard and RPCD methods to entry #100
- WIP.md: Updated with LuCI frontend details
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-13 09:38:29 +01:00
5d316e7d72
docs: Update tracking files for secubox-app-reporter
- HISTORY.md: Added entry #100 for Report Generator
- WIP.md: Added 2026-03-13 section with reporter completion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-13 09:20:21 +01:00
66d9fbc6c0
feat(watchdog): Add service health monitor with auto-recovery
New packages for monitoring and auto-restarting critical services:
secubox-app-watchdog:
- watchdogctl CLI: status, check, check-recover, watch, restart-*
- Monitors LXC containers: haproxy, mitmproxy-in/out, streamlit
- Monitors host services: crowdsec, uhttpd, dnsmasq
- Checks HTTPS endpoints: gk2.secubox.in, admin.gk2, lldh360.maegia.tv
- Auto-recovery with alert cooldown and log rotation
- Procd service + cron fallback for redundancy
luci-app-watchdog:
- Real-time dashboard with 10s polling
- Container/service tables with restart buttons
- Endpoint health indicators
- Alert log viewer with refresh/clear
- RPCD backend: status, restart_*, check, get_logs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-12 06:46:53 +01:00
eed289850b
feat(metacatalog): Phase 2 & 3 complete - RPCD, LuCI, search
Phase 2:
- RPCD backend with 10 methods
- LuCI KISS dashboard with stats chips and book shelf
- HAProxy vhost scanner for domain indexing
- ACL permissions
Phase 3:
- Landing page search functionality
- Tab navigation (Collections, All, per-book)
- Scrollable entries with type badges
- Template file for landing generation
Total: 246 entries (127 MetaBlogs, 14 Streamlits, 105 HAProxy)
Deployed: https://catalog.gk2.secubox.in/metacatalog/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-11 17:32:13 +01:00
bde9c41563
feat(metacatalog): Add Virtual Books content aggregator
New secubox-app-metacatalog package:
- CLI tool (metacatalogctl) with sync/scan/index/books/search commands
- Scanners for MetaBlogizer sites and Streamlit apps
- Auto-assignment engine with keyword + domain pattern matching
- 6 default virtual books (Divination, Visualization, Analytics, etc.)
- Tao prism fluoro theme landing page
- JSON APIs for catalog and books data
- Hourly cron sync
- BusyBox-compatible (sed-based extraction)
Initial test: 120 entries indexed (118 MetaBlogs, 2 Streamlits)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-11 16:42:42 +01:00
9081444c7a
feat(streamlit-control): Phase 3 - auto-refresh, permissions, UI improvements
Streamlit Control Dashboard Phase 3:
- Add auto-refresh toggle to all main pages (10s/30s/60s intervals)
- Add permission-aware UI with can_write() and is_admin() helpers
- Containers page: tabs (All/Running/Stopped), search filter, info panels
- Security page: better CrowdSec parsing, threat table, raw data viewer
- Streamlit apps page: restart button, delete confirmation dialog
- Network page: HAProxy filter, WireGuard/DNS placeholders
fix(crowdsec-dashboard): Handle RPC error codes in overview.js
Fix TypeError when CrowdSec RPC returns error code instead of object.
Added type check to treat non-objects as empty {} in render/pollData.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-11 14:54:30 +01:00
66b58c74d6
feat(catalog): Add Streamlit Forge and RezApp Forge to KISS Apps
- luci-app-streamlit-forge: Streamlit app publishing platform
  - Category: productivity, runtime: lxc
  - Templates, SSL exposure, mesh publishing
- luci-app-rezapp: Docker to LXC app converter
  - Category: system, runtime: native
  - Catalog browsing, package generation
- Updated new_releases section
- Total plugins: 37 → 39
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-11 09:44:08 +01:00
da3b8171a5
docs: Update tracking files for HAProxy health check
- WIP.md: Add health check panel and admin routing entries
- HISTORY.md: Add entries #79-80 for health check and WAF routing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-09 13:30:01 +01:00
d7524d6300
docs: Sync HISTORY.md and dev-status with RTTY Remote
- Added entry #78 for RTTY Remote Control Module (Phases 1-3)
- Updated dev-status Phase 4 progress: 55% → 65%
- Updated stats: modules 38→40, commits 1500→1650, LOC 45k→52k
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-08 18:02:18 +01:00
ac4227a5f3
docs: Update tracking files for vortex-dns zone management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-08 08:43:43 +01:00
ee49126530
fix(routes-status): RPCD handler timeout for large vhost lists
- Root cause: jshn overhead + subshell issues with piped while loops
- Solution: Direct JSON output with printf, temp file for vhosts
- Deployed ACL file for LuCI authentication
- Handler now returns 226 vhosts in <10 seconds
Also:
- Added ROADMAP.md with version milestones and dependency graph
- Updated WIP.md with today's completed tasks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-07 08:11:28 +01:00
461535e468
docs: Add PhotoPrism gallery to HISTORY.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-06 12:08:38 +01:00
70056e02ed
feat(ai-gateway): Add /login command with credential validation
- CLI: aigatewayctl login [provider] - validates credentials before saving
- Rollback on auth failure (preserves previous credentials)
- Format warnings for provider-specific API key patterns
- RPCD: login method for LuCI frontend integration
- ACL: Added write permission for login method
docs: Refactor WIP.md and update HISTORY.md
- WIP.md: 1470 → 108 lines (keep only March 2026 items)
- HISTORY.md: Add entries #74-75 (Feb 2026 milestones)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-06 09:49:46 +01:00
eb9adfd06a
feat(routes-status): Add LuCI dashboard for HAProxy vhosts and mitmproxy routes
New package luci-app-routes-status providing:
- HAProxy vhosts status overview (218+ vhosts supported)
- mitmproxy route configuration status (OUT/IN routes)
- SSL certificate status indicators
- WAF bypass detection (vhosts not using mitmproxy_inspector)
- Sync routes and add missing route actions
- RPCD backend with batch processing for large vhost counts
Accessible at Status → Routes Status in LuCI.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-04 10:50:27 +01:00
8769a60275
feat(sbom): Add CRA Annex I compliant SBOM pipeline
Implements comprehensive Software Bill of Materials generation for
EU Cyber Resilience Act compliance with ANSSI CSPN certification path.
SBOM Pipeline:
- scripts/check-sbom-prereqs.sh: Prerequisites validation (OpenWrt, tools, Kconfig)
- scripts/sbom-generate.sh: Multi-source SBOM generation (native, feed, rootfs, firmware)
- scripts/sbom-audit-feed.sh: PKG_HASH/PKG_LICENSE feed audit with MANIFEST.md
- Makefile: SBOM targets (sbom, sbom-quick, sbom-validate, sbom-scan, sbom-audit)
- .github/workflows/sbom-release.yml: CI with CVE gating and auto-security issues
Documentation:
- SECURITY.md: CRA Art. 13 §6 compliant vulnerability disclosure policy
- docs/sbom-pipeline.md: Architecture, CRA mapping, ANSSI CSPN guidance
AI Gateway (bonus feed):
- secubox-ai-gateway: 3-tier data classification (LOCAL_ONLY/SANITIZED/CLOUD_DIRECT)
- luci-app-ai-gateway: LuCI dashboard with provider management and audit logging
Output formats: CycloneDX 1.6 (primary) + SPDX 2.3 (secondary)
Tools: syft, grype, cyclonedx-cli (auto-installed if missing)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-04 08:01:00 +01:00
02d16752d1
docs: Add comprehensive service audit to tracking files
- Disabled WAF bypass on 21 vhosts for full traffic inspection
- Fixed mitmproxy service startup and port 8889 binding
- Enabled autostart on 9 essential LXC containers
- Fixed glances container cgroup mount issue
- Verified 18 containers running, 30 streamlit instances, 95+ metablogizer sites
- All core services responding (Nextcloud, Webmail, Jellyfin, Gitea, Matrix, PeerTube)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-03 10:26:40 +01:00
59dbd714a5
fix(tools): Add curl redirect handling to image builder scripts
Validated secubox-image.sh and secubox-sysupgrade.sh scripts:
- Fixed curl redirect issue: ASU API returns 301 redirects
- Added -L flag to 9 curl calls across both scripts
- Verified all device profiles valid (mochabin, espressobin, x86-64)
- Confirmed POSIX sh compatibility for sysupgrade script
- Validated first-boot script syntax
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-03 09:44:04 +01:00
29d309649e
feat(wireguard): Implement Reverse MWAN WireGuard v2 Phase 1
WireGuard mesh peers as backup internet uplinks via mwan3 failover.
CLI (wgctl) uplink commands:
- uplink list/add/remove/status/test - Manage peer uplinks
- uplink failover enable/disable - Toggle automatic failover
- uplink priority/offer/withdraw - Priority and mesh advertising
Uplink Library (/usr/lib/wireguard-dashboard/uplink.sh):
- Gossip protocol integration via secubox-p2p
- WireGuard interface creation with IP allocation (172.31.x.x/16)
- mwan3 failover integration
- Connectivity testing and latency measurement
RPCD Backend (9 new methods):
- Read: uplink_status, uplinks
- Write: add_uplink, remove_uplink, test_uplink, offer_uplink,
  withdraw_uplink, set_uplink_priority, set_uplink_failover
UCI Config (/etc/config/wireguard_uplink):
- Global settings: auto_failover, failover_threshold, ping_interval
- Provider settings: offering state, bandwidth/latency advertisement
- Per-uplink config: interface, peer_pubkey, endpoint, priority
Phase 2 pending: LuCI dashboard integration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-01 15:43:17 +01:00
0c55ef6ec1
feat(nextcloud): Enhance integration with WAF, backups, mail, sync URLs
- WAF-safe SSL: Route through mitmproxy_inspector, auto-add routes
- Scheduled backups: setup-backup-cron with hourly/daily/weekly support
- Email/SMTP: setup-mail command for outbound notifications
- CalDAV/CardDAV: connections command shows sync URLs for all clients
- New RPCD methods: get_connections, setup_mail, setup_backup_cron
- ACL updated with new method permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-01 09:07:19 +01:00
00d92037b9
feat(tools): Add pre-deploy-lint.sh for syntax validation
- JavaScript validation via Node.js --check (with pattern fallback)
- JSON validation for menu.d and acl.d files
- Shell script validation with shellcheck integration
- CSS validation for unclosed braces and typos
- LuCI-specific checks: require format, console.log, debugger
- Integrated into quick-deploy.sh as default for LuCI apps
- --lint/--no-lint flags for deployment control
- Documentation added to secubox-tools/README.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 18:29:51 +01:00
f3cea01792
feat(ai-gateway): Add Data Classifier (Sovereignty Engine) for ANSSI CSPN
Implement secubox-ai-gateway package with intelligent AI request routing
based on data sensitivity classification for GDPR/ANSSI compliance.
Features:
- 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- PII sanitizer: IPv4/IPv6, MAC, credentials, private keys scrubbing
- OpenAI-compatible API proxy on port 4050
- aigatewayctl CLI: status, classify, sanitize, provider, audit commands
- RPCD backend with 11 ubus methods for LuCI integration
- ANSSI CSPN audit logging in JSONL format
Classification patterns detect:
- IP addresses, MAC addresses, private keys
- Credentials (password, secret, token, api_key)
- System paths, security tool references
- WireGuard configuration data
All cloud providers are opt-in. Default LOCAL_ONLY ensures data
sovereignty - sensitive data never leaves the device.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 17:55:22 +01:00
4a0ab9530f
feat(mesh): Yggdrasil extended peer discovery + bugfixes
## New Features
- secubox-app-yggdrasil-discovery: Mesh peer discovery via gossip protocol
  - yggctl CLI: status, self, peers, announce, discover, bootstrap
  - Auto-peering with trust verification (master-link fingerprint)
  - Daemon for periodic announcements
## Bug Fixes
- tor-shield: Fix opkg downloads failing when Tor active
  - DNS over Tor disabled by default
  - Auto-exclude public DNS servers from iptables rules
  - Excluded domains bypass list (openwrt.org, pool.ntp.org, etc.)
- haproxy: Fix portal 503 "End of Internet" error
  - Corrected malformed vhost backend configuration
  - Regenerated HAProxy config from UCI
- luci-app-nextcloud: Fix users list showing empty
  - RPC expect clause was extracting array, render expected object
## Updated
- Bonus feed: All IPKs rebuilt
- Documentation: HISTORY.md, WIP.md, TODO.md updated
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 17:32:41 +01:00
80f2d2daa7
docs: Add Matrix/Element self-hosted chat to HISTORY.md
- Conduit Matrix homeserver in LXC container
- Element Web client via uhttpd on port 8088
- HAProxy integration with SSL certificates
- Routes added to central secubox-route registry
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 11:27:25 +01:00
55ce42cd6b
docs: Add centralized routing to HISTORY.md
Document the new secubox-route centralized WAF route management system
added in the previous commit.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 08:57:29 +01:00