- Add gte-small embedding model preset to localaictl with proper YAML
config (embeddings: true, context_size: 512)
- Fix RPC expect declarations across api.js, dashboard.js, models.js to
use empty expect objects, preserving full response including error fields
- Replace fragile sed/awk JSON escaping in RPCD chat and completion
handlers with file I/O streaming through awk for robust handling of
special characters in LLM responses
- Switch RPCD chat handler from curl to wget to avoid missing output
file on timeout (curl doesn't create -o file on exit code 28)
- Bypass RPCD 30s script timeout for chat by calling LocalAI API
directly from the browser via fetch()
- Add embeddings flag to models RPC and filter embedding models from
chat view model selector
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Health check grep was case-sensitive ("ok") but LocalAI returns "OK".
Uptime detection fell into the lxc-info branch (command exists on router)
even though no localai container runs, causing uptime to always be 0.
Simplified to always use /proc/PID which works for both native and
containerized processes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Server endpoints were stored only in browser sessionStorage, lost on tab
close/refresh. Now endpoints are saved in a dedicated UCI config file
(wireguard_dashboard) with RPCD methods to manage them. The wizard
auto-saves the endpoint after tunnel creation, and peers/QR views use a
dropdown of saved endpoints instead of requiring manual re-entry.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change generateConfig/generateQR RPC declarations to use empty expect
so error responses are not silently discarded by LuCI's RPC unwrapper
- Simplify handleShowQR to always check backend for stored key first
- Auto-detect next available interface name in wizard (wg1 if wg0 exists)
- Pass private key to addPeer in wizard's createPeers for QR persistence
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The base64-encoded SVG QR code exceeded jshn's argument list limit,
causing "Argument list too long" errors. Build the JSON response
manually via file I/O so the large string is never passed as a
command argument.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Store the client private key in UCI config (_client_private_key) when a
peer is created, so QR codes and config files can be generated after
page refresh without prompting the user to manually re-enter the key.
Old peers without stored keys still get the manual entry fallback.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prevent odhcpd crashes from MAC randomization causing hostname conflicts,
stale lease pile-up, and lease flooding. Adds hostname dedup, stale lease
cleanup, flood detection, CLI commands, RPC methods, and LuCI dashboard card.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename package folder to follow secubox-app-* convention and add
luci-app-mac-guardian with KISS dashboard: status cards, client table
with trust/block actions, recent alerts, and configuration form.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pure-shell WiFi MAC address security monitor detecting randomized MACs,
OUI anomalies, MAC floods, and spoofing. Integrates with CrowdSec via
JSON log parsing and provides real-time hostapd hotplug detection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Server mode routes all outbound traffic through Tor while preserving
inbound connections (HAProxy, etc) on the public IP. Fixes kill switch
blocking response packets by adding ESTABLISHED,RELATED conntrack rule,
and adds PREROUTING chain for LAN client Tor routing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LuCI's E() renders null array children as literal "null" text.
Use concat with empty arrays instead of ternary-to-null for
conditional peer/IOC table sections and top-level sections.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The process name is mitmweb (not mitmdump) when running inside the
mitmproxy LXC container. Use pgrep -f mitmweb for correct detection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Share CrowdSec bans and mitmproxy detections between mesh nodes using
the existing blockchain chain + gossip sync. Received IOCs from trusted
peers are auto-applied as CrowdSec decisions based on a three-tier trust
model (direct/transitive/unknown).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Generate a minimal IPK on-the-fly when a client visits the master-link
landing page, so the "Download Package" step always works even without
a pre-built IPK bundle. The IPK configures the peer via postinst uci
commands (avoiding file conflicts with secubox-master-link), and can be
installed directly via opkg install URL from SSH.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
secubox-image.sh: Dev-side image builder via OpenWrt ASU API with
build, download, firmware-selector commands. Includes first-boot
script that resizes root, adds SecuBox feed, and installs all
packages. Supports --resize flag for full eMMC utilization.
secubox-sysupgrade.sh: On-device upgrade script that detects current
device/packages, builds custom image via ASU, and applies sysupgrade.
Uses jsonfilter (OpenWrt native) for JSON parsing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add wan_access UCI option and LuCI checkbox to optionally open Lyrion
ports (9000, 9090, 3483 TCP+UDP) on the WAN interface. WAN rules are
automatically removed when the option is disabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Open LAN firewall ports (TCP 9000/9090/3483, UDP 3483) on install and
service start so Squeezebox devices can discover and connect to Lyrion.
Fix LXC config to use host networking properly and add missing Docker
TCP 9090 CLI port mapping.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Read timestamp, approved_at, and other fields into variables before
`cat > "$request_file"` truncates the file. Fixes invalid JSON output
(`"timestamp": ,`) in ml_join_approve, ml_join_reject, and
ml_promote_to_submaster.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Hyphens in RPCD filenames break ubus CLI argument parsing. Rename
luci.master-link to luci.master_link and update all references in
the JS view, ACL, and Makefile. Also pipe RPCD method output through
tr -d '\n\t' so ubus receives single-line JSON it can parse.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use >/dev/null 2>&1 instead of just 2>/dev/null when sourcing
master-link.sh and calling chain_add_block, mesh_init, peer_add,
factory_trust_peer, and gossip_sync to prevent p2p-mesh.sh usage
text and block hashes from corrupting CGI JSON responses.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement secubox-master-link (backend) and luci-app-master-link (LuCI
frontend) for secure node onboarding into the SecuBox mesh via
HMAC-SHA256 join tokens, blockchain-backed peer trust, and gigogne
(nested) hierarchy with depth limiting.
Backend provides: token management, join/approve/reject protocol, IPK
bundle serving, CGI API endpoints, and a dark-themed landing page for
new nodes. Frontend provides a 3-tab LuCI view (overview, join requests,
mesh tree) with RPCD integration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
grep -c returns exit code 1 when no matches found (even though it
outputs 0), causing `|| echo 0` to append an extra 0 and corrupt
the JSON response. This broke ubus calls and LuCI status display.
Use `: ${var:=0}` pattern instead to provide defaults.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Read LXC path from /etc/lxc/lxc.conf instead of hardcoding /var/lib/lxc
(OpenWrt uses /srv/lxc by default)
- Skip Alpine rootfs download if file already exists in /tmp
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The factory_audit_log function's ubus call was only redirecting stderr,
allowing stdout JSON output to leak into CGI responses when Gitea backup
is enabled. This caused JSON parse errors in the Factory dashboard when
creating snapshots.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-mitmproxy: Sensitivity-based auto-ban system
- luci-app-mitmproxy: Updated frontend
- luci-app-crowdsec-dashboard: Ban button on alerts page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
WAF Auto-ban Features:
- Three sensitivity levels: aggressive, moderate, permissive
- Aggressive: Immediate ban on first critical threat
- Moderate: Ban after 3 attempts in 5 minutes (default)
- Permissive: Ban after 5 attempts in 1 hour
- Attempt tracking with configurable thresholds
Critical threats (immediate in aggressive/moderate):
- CVE exploits, SQL injection, Command injection
- XXE, Log4Shell, SSTI attacks
CrowdSec Integration:
- Auto-ban requests written to /srv/mitmproxy/autoban-requests.log
- Cron job processes bans every minute via mitmproxyctl
- Bans sent to CrowdSec for network-wide enforcement
New Commands:
- mitmproxyctl process-autoban: Process pending bans
- mitmproxyctl reload-autoban: Reload config after UCI changes
CrowdSec Dashboard:
- Added ban button to alerts page
- Modal confirmation with 24h ban duration
- Real-time banned IP tracking
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Integrate SimpleX Chat SMP and XFTP servers for privacy-focused messaging:
- secubox-app-simplex: Backend with LXC container management
- SMP server for message relay (port 5223)
- XFTP server for encrypted file sharing (port 443)
- Auto-download of SimpleX binaries for aarch64/x86_64
- TLS certificate generation (self-signed or Let's Encrypt)
- Firewall and HAProxy integration
- luci-app-simplex: LuCI dashboard with:
- Service status monitoring
- Server address display with copy-to-clipboard
- Full configuration forms for SMP, XFTP, and TLS
- Install/certificate management actions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Restored the original settings.js functionality as setup.js with
updated nav references. The simplified version was broken.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The settings page was showing "CAPI: Error" because the status
method didn't return the capi_enrolled field. Added CAPI status
check to get_status() so the health display shows correct status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Content-Type based CVE detection must happen before SSRF patterns
to avoid false positives when routing through localhost.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LAN transparent mode now requires explicit opt-in via transparent.enabled
to prevent HTTPS certificate errors for LAN clients.
Changes:
- mitmproxyctl: Check transparent_enabled before setting up LAN firewall rules
- LuCI settings: Add warning about certificate requirements for LAN mode
- Default config already has transparent.enabled='0'
WAN protection mode remains active for incoming threat detection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add WAF-like functionality to mitmproxy for protecting services exposed
to the internet. Incoming WAN traffic is redirected through mitmproxy
for threat detection before reaching backend services.
Features:
- WAN protection mode with nftables rules for incoming traffic
- Enhanced bot scanner detection with 50+ scanner signatures
- Behavioral detection for config/admin/backup/shell hunting
- CrowdSec integration with new scenarios for bot scanners
- LuCI interface for WAN protection configuration
- DPI mirror mode support (secondary feature)
New CrowdSec scenarios:
- secubox/mitmproxy-botscan: Detect automated reconnaissance
- secubox/mitmproxy-shell-hunter: Detect shell/backdoor hunting
- secubox/mitmproxy-config-hunter: Detect credential file hunting
- secubox/mitmproxy-suspicious-ua: Detect suspicious user agents
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change build path from package/secubox/ to package/feeds/secubox/
- Add -f flag to force install from secubox feed
- Add verification that package exists after feed install
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add shorthand names for all toolchain packages so they can be used
directly with the build command without requiring full directory names.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Instead of showing clickable model suggestions when Ollama is stopped,
display a helpful message prompting the user to start Ollama first.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace pipe-to-while loops with grep/cut to avoid subshell variable
scope issues in method_status, method_get_providers, and method_set_provider.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
