Port secuboxd from Debian/Go to OpenWrt shell implementation:
- secuboxd daemon with Unix control socket at /var/run/secuboxd/topo.sock
- secuboxctl CLI compatible with Debian version interface
- Mesh libraries: topology, discovery, election, telemetry, control
- Mesh gate election with weighted scoring (uptime, peers, CPU, memory, role)
- mDNS service discovery (_secubox._udp.local) via umdns
- DID integration via mirrornet identity library
- RPCD handler with 11 ubus methods for LuCI integration
- procd init script with respawn and network triggers
- UCI config sections: mesh, node, telemetry, discovery
Fixes subprocess state access for socat handler by saving daemon state to file.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
grep -c returns exit code 1 when count is 0, which triggered
the `|| echo 0` fallback to also output "0", resulting in:
    "waf_threats_today":0
    0,
This broke JSON parsing and caused the dashboard to show
CrowdSec as "STOPPED" even when running.
Fix: Use `|| :` (no-op) and set defaults with `: "${var:=0}"`
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
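The failure mode described in the commit message above, reproduced as an added example (not code from the SecuBox repository). The function names and the sample log are constructed for illustration; the JSON key is the one quoted in the message.

```shell
#!/bin/sh
# Constructed sample log with no line containing "threat".
LOG=$(mktemp)
printf '%s\n' 'GET /index.html 200' 'GET /login 200' > "$LOG"

# Before: grep -c prints "0" itself and exits 1 on zero matches, so the
# fallback runs as well and a second "0" is appended.
count_buggy() {
    grep -c "$1" "$2" || echo 0
}

# After: ':' discards the exit status; the default is applied only when
# grep printed nothing at all (for example, the file does not exist).
count_fixed() {
    n=$(grep -c "$1" "$2" 2>/dev/null) || :
    : "${n:=0}"
    echo "$n"
}

# Accept only a plain non-negative integer before it goes into JSON.
is_count() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the JSON fragment the dashboard would parse.
json_field() {
    printf '{"waf_threats_today":%s}\n' "$1"
}

# Stand-alone demonstration: the first fragment is split over two lines.
json_field "$(count_buggy threat "$LOG")"
json_field "$(count_fixed threat "$LOG")"
```

Validating the value with a check like `is_count` before emitting it turns a silently malformed response into a detectable error.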
- Added wiki internationalization (French + Chinese) for all 17 pages
- Documented secubox-full meta-package with tiered bundles
- Documented CI updates for default secubox-core inclusion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace stat -c %Y with date -r for BusyBox compatibility (stat not available)
- Fix get_cache_age() to properly return early when cache file missing
- Fix grep -c || echo 0 pattern that caused "invalid number '0\n0'" errors
- Add proper numeric defaults using : "${var:=0}" pattern
- Add freshness metadata (_freshness) with age, timestamp, and fresh boolean
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add visible "Updated Xs ago" timestamps and freshness indicators to
make cached stats look more alive and help users know data currency.
Backend changes:
- luci.metrics: Add _freshness metadata (age, fresh, timestamp_epoch)
  to overview, waf_stats, and connections responses
- luci.crowdsec-dashboard: Add _freshness metadata to get_overview
  response using sed injection into cached JSON
Frontend changes:
- metrics/dashboard.js: Display freshness indicator (green/yellow/red)
  in header, animate value changes with flash effect
- crowdsec-dashboard/overview.js: Display freshness indicator next to
  running badge, update on poll
Shared utilities (kiss-theme.js):
- formatAge(seconds): Format "Xs ago", "Xm ago", "Xh ago"
- getFreshnessClass(age): Return fresh/recent/stale based on age
- getFreshnessColor(class): Return #00c853/#ff9800/#f44336
- freshnessIndicator(age, id): Create indicator DOM element
- updateFreshness(age, id): Update existing indicator
Freshness thresholds:
- Fresh (green): < 15s for metrics, < 30s for CrowdSec
- Recent (yellow): < 45s for metrics, < 90s for CrowdSec
- Stale (red): > threshold
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Wait for /var/lock/opkg.lock to be released before retrying
package installation to avoid "Resource temporarily unavailable" errors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Disable opkg signature checking for unsigned SecuBox feeds
- Add retry logic (3 attempts) for repository validation
- Add retry logic (3 attempts) for opkg update
- Add retry logic (3 attempts) for package installation
- Increase wget timeout from 10s to 15s
- Update slipstream firstboot to also disable signature checking
- Fix CORE_PACKAGES to use packages that actually exist
This fixes the "Unknown package" errors when installing from
repo.secubox.in caused by opkg discarding unsigned package lists.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
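A device-side audit for the state the change above leaves behind, as an added example that is not part of the SecuBox code. It assumes OpenWrt's stock layout, where an uncommented `option check_signature` line in /etc/opkg.conf turns verification on, and it lists every active feed that opkg would accept without a signature; the sample files, feed name and URL path are constructed.

```shell
#!/bin/sh
# Returns 0 when an uncommented "option check_signature" line is present.
sig_check_enabled() {
    grep -Eq '^[[:space:]]*option[[:space:]]+check_signature([[:space:]]|$)' "$1"
}

# Prints "name url" for every active feed line ("src" or "src/gz").
active_feeds() {
    awk '$1 == "src" || $1 == "src/gz" { print $2, $3 }' "$@"
}

# $1 = opkg.conf, remaining arguments = feed list files.
# Returns 1 and names each feed when packages would install unverified.
audit_opkg() {
    conf=$1; shift
    if sig_check_enabled "$conf"; then
        echo "OK: signature checking enabled"
        return 0
    fi
    active_feeds "$@" | while read -r name url; do
        echo "UNVERIFIED: $name $url"
    done
    return 1
}

# Constructed stand-ins for /etc/opkg.conf and /etc/opkg/customfeeds.conf.
WORK=$(mktemp -d)
cat > "$WORK/opkg.conf" <<'EOF'
dest root /
lists_dir ext /var/opkg-lists
# option check_signature
EOF
cat > "$WORK/customfeeds.conf" <<'EOF'
# constructed feed entry
src/gz secubox_local http://192.168.255.1:8888/example_arch
EOF
# Same configuration with verification switched back on.
sed 's/^# option check_signature/option check_signature/' \
    "$WORK/opkg.conf" > "$WORK/opkg.signed.conf"

audit_opkg "$WORK/opkg.conf" "$WORK/customfeeds.conf" || true
audit_opkg "$WORK/opkg.signed.conf" "$WORK/customfeeds.conf"
```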
The release contains individual ipk files, not architecture-specific
tarballs. Update the workflow to:
- Download all *.ipk files from the release
- Copy packages to all architecture directories (most SecuBox packages
  are architecture-independent LuCI/shell packages)
- Simplify the repository structure creation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Send log messages to stderr in find_working_repo() to avoid
  polluting the URL output captured by configure_repo()
- Actually download and validate Packages.gz file content instead
  of just checking if server responds (spider check)
- Handle find_working_repo() failure gracefully with || true
- Clean up old feed entries properly when reconfiguring
Fixes the issue where log messages were being written to
customfeeds.conf along with the URL.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add complete French (fr) and Chinese (zh) translations for all documentation:
- Root files: README, CHANGELOG, SECURITY, BETA-RELEASE
- docs/: All 16 core documentation files
- DOCS/: All 19 deep-dive documents including embedded/ and archive/
- package/secubox/: All 123+ package READMEs
- Misc: secubox-tools/, scripts/, EXAMPLES/, config-backups/, streamlit-apps/
Total: 346 translation files created
Each file includes language switcher links for easy navigation between
English, French, and Chinese versions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The all-architectures tar archive may change during creation due to
other files being written. This causes tar to exit with code 1 even
though the archive is created successfully.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The rockchip-armv8 toolchain build fails because u-boot requires
the Python3 elftools module. Adding python3-pyelftools to the
toolchain job dependencies.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add "Sync WAF Routes" button to HAProxy vhosts page in LuCI
- Add sync_mitmproxy_routes RPC method to HAProxy RPCD backend
- Fix mitmproxyctl and secubox-route to handle LuCI backends (luci, luci_default, luci_control)
- Remove outdated port 8081 skip filter in route sync that prevented LuCI routes
- These changes allow vhosts with original_backend='luci' to be properly
  routed through the WAF
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The buggy tr '[:upper:]' '[:lower:]' was also used for sanitizing
site names, causing 'ziptest' to become 'ziwtest'. Use awk tolower()
for all lowercase conversions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Allow selecting and uploading multiple files at once
- Each file gets its own name input field
- Files are processed sequentially with progress indicator
- Errors are collected and displayed at the end
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox tr '[:upper:]' '[:lower:]' has a bug that converts 'p' to 'w',
causing .zip to be detected as .ziw. Use awk tolower() instead.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Windows uploads may include carriage returns in filenames, causing
.zip to be detected as .ziw. Strip \r\n from extension string.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Wrap for loop with output redirection in subshell for
BusyBox ash compatibility when generating Packages index.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-repo and luci-app-repo to local feed
- Regenerate Packages index
- Update all embedded packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add usign dependency for package signing
- Sign Packages files after generation in repo-sync
- Generate signing keys automatically if not present
- Remove duplicate ACL file (now only in luci-app-repo)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Auto-create repo directories on install
- Detect device architecture and configure customfeeds.conf
- Add prerm script to clean up on uninstall
- Points opkg to local repo at 192.168.255.1:8888
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove docker/bind-server from ARM (not available)
- Use simpler package set for ARM targets
- Fix rockchip profile name
- Keep x86-64 with full package set
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Download prebuilt packages from release artifacts
- Include 101+ SecuBox modules matching c3box.local production
- Preseed SecuBox core config (appstore, security, diagnostics)
- Configure network: 192.168.200.1 (LAN), DHCP (WAN)
- Include master-link mesh and P2P hub components
- Add fallback install script for post-boot installation
- Increase default disk to 8GB for full suite
- Update RAM recommendation to 2GB minimum
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 'version' input parameter (default: v1.0.0-beta)
- Use C3BOX_VERSION env var for consistent naming
- Artifacts now named: c3box-vm-{version}-{arch}.{format}
- Fix: manual triggers now use correct version in filenames
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- LAN IP changed to 192.168.200.1 (test subnet)
- WAN (br-wan) configured as DHCP client
- Updated banner, docs, and release notes with new IP
- Ready for SecuBox devel beta testing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename workflow to "Build C3Box VM Appliance"
- Update hostname to 'c3box'
- New ASCII banner with C3Box branding
- Update artifact names: c3box-vm-{version}-{arch}
- Update all documentation and release notes
- Config files now in /etc/c3box/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The luci-app-* packages are in package/secubox/, not at the repo root.
Updated the workflow to copy packages from the correct location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt firmware images contain trailing data that gunzip reports
as "trailing garbage" with exit code 2. This is normal and the
extracted image is valid. The fix ignores the warning while still
checking that extraction produced output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New build-secubox-vm.yml for ready-to-use SecuBox VM images
- Uses OpenWrt 24.10.5 (latest stable release)
- Builds VMDK, VDI, QCOW2 formats for all VM platforms
- Includes all SecuBox LuCI packages pre-installed
- Docker support enabled (dockerd, docker-compose)
- Virtio drivers and QEMU guest tools for KVM/Proxmox
- Configurable rootfs size (512MB-4GB)
- Manual dispatch + automatic on version tags
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- luci.mk auto-sets PKG_NAME from directory name
- Skip PKG_NAME check for packages using luci.mk
- PKG_VERSION/PKG_RELEASE are recommended for luci.mk packages
- PKG_LICENSE remains recommended for all packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- PKG_LICENSE is now recommended, not required
- Required: PKG_NAME, PKG_VERSION, PKG_RELEASE
- Warnings are reported but don't fail the build
- Also updated tracking docs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WAF blocked now counts mitmproxy scenario decisions (1031 blocks)
- Removed waf_threats field (redundant with waf_blocked)
- Fixed dashboard to show 3 WAF stats: Bans, Alerts, Blocked
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>