The rockchip-armv8 toolchain build fails because u-boot requires
the Python3 elftools module. Adding python3-pyelftools to the
toolchain job dependencies.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add "Sync WAF Routes" button to HAProxy vhosts page in LuCI
- Add sync_mitmproxy_routes RPC method to HAProxy RPCD backend
- Fix mitmproxyctl and secubox-route to handle LuCI backends (luci, luci_default, luci_control)
- Remove outdated port 8081 skip filter in route sync that prevented LuCI routes
- These changes allow vhosts with original_backend='luci' to be properly
routed through the WAF
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The buggy tr '[:upper:]' '[:lower:]' was also used for sanitizing
site names, causing 'ziptest' to become 'ziwtest'. Use awk tolower()
for all lowercase conversions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Allow selecting and uploading multiple files at once
- Each file gets its own name input field
- Files are processed sequentially with progress indicator
- Errors are collected and displayed at the end
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox tr '[:upper:]' '[:lower:]' has a bug that converts 'p' to 'w',
causing .zip to be detected as .ziw. Use awk tolower() instead.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Windows uploads may include carriage returns in filenames, causing
.zip to be detected as .ziw. Strip \r\n from extension string.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
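An added example (not the project's own code) of the extension handling described in the two commits above: strip the CR/LF that Windows clients may send, then lowercase with awk tolower() instead of tr character classes, and allow only a known extension list. The function names and the allowed-extension list are assumptions for this illustration.

```shell
# file_ext: print the lowercased extension of an uploaded filename, or an
# empty string when it has none. Uses awk tolower() for the case conversion
# and drops \r / \n first so "Upload.ZIP\r" yields "zip", not "zip\r".
file_ext() {
    printf '%s' "$1" | awk '{
        gsub(/[\r\n]/, "")           # remove carriage returns and newlines
        n = split($0, parts, ".")    # the extension is the last dot-separated part
        if (n < 2) { print ""; exit }
        print tolower(parts[n])
    }'
}

# sanitize_name: lowercase a site name the same way (no tr involved), so
# "ZipTest\r\n" becomes "ziptest".
sanitize_name() {
    printf '%s' "$1" | awk '{ gsub(/[\r\n]/, ""); print tolower($0) }'
}

# is_allowed_ext: allow-list check on the normalized extension; returns 0
# when the upload should be processed, 1 otherwise. The list is illustrative.
is_allowed_ext() {
    case "$(file_ext "$1")" in
        zip|tar|gz) return 0 ;;
        *)          return 1 ;;
    esac
}
```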
Wrap for loop with output redirection in subshell for
BusyBox ash compatibility when generating Packages index.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-repo and luci-app-repo to local feed
- Regenerate Packages index
- Update all embedded packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add usign dependency for package signing
- Sign Packages files after generation in repo-sync
- Generate signing keys automatically if not present
- Remove duplicate ACL file (now only in luci-app-repo)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Auto-create repo directories on install
- Detect device architecture and configure customfeeds.conf
- Add prerm script to cleanup on uninstall
- Points opkg to local repo at 192.168.255.1:8888
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove docker/bind-server from ARM (not available)
- Use simpler package set for ARM targets
- Fix rockchip profile name
- Keep x86-64 with full package set
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Download prebuilt packages from release artifacts
- Include 101+ SecuBox modules matching c3box.local production
- Preseed SecuBox core config (appstore, security, diagnostics)
- Configure network: 192.168.200.1 (LAN), DHCP (WAN)
- Include master-link mesh and P2P hub components
- Add fallback install script for post-boot installation
- Increase default disk to 8GB for full suite
- Update RAM recommendation to 2GB minimum
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 'version' input parameter (default: v1.0.0-beta)
- Use C3BOX_VERSION env var for consistent naming
- Artifacts now named: c3box-vm-{version}-{arch}.{format}
- Fix: manual triggers now use correct version in filenames
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- LAN IP changed to 192.168.200.1 (test subnet)
- WAN (br-wan) configured as DHCP client
- Updated banner, docs, and release notes with new IP
- Ready for SecuBox devel beta testing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename workflow to "Build C3Box VM Appliance"
- Update hostname to 'c3box'
- New ASCII banner with C3Box branding
- Update artifact names: c3box-vm-{version}-{arch}
- Update all documentation and release notes
- Config files now in /etc/c3box/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The luci-app-* packages are in package/secubox/, not at the repo root.
Updated the workflow to copy packages from the correct location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt firmware images contain trailing data that gunzip reports
as "trailing garbage" with exit code 2. This is normal and the
extracted image is valid. The fix ignores the warning while still
checking that extraction produced output.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New build-secubox-vm.yml for ready-to-use SecuBox VM images
- Uses OpenWrt 24.10.5 (latest stable release)
- Builds VMDK, VDI, QCOW2 formats for all VM platforms
- Includes all SecuBox LuCI packages pre-installed
- Docker support enabled (dockerd, docker-compose)
- Virtio drivers and QEMU guest tools for KVM/Proxmox
- Configurable rootfs size (512MB-4GB)
- Manual dispatch + automatic on version tags
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- luci.mk auto-sets PKG_NAME from directory name
- Skip PKG_NAME check for packages using luci.mk
- PKG_VERSION/PKG_RELEASE are recommended for luci.mk packages
- PKG_LICENSE remains recommended for all packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- PKG_LICENSE is now recommended, not required
- Required: PKG_NAME, PKG_VERSION, PKG_RELEASE
- Warnings are reported but don't fail the build
- Also updated tracking docs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WAF blocked now counts mitmproxy scenario decisions (1031 blocks)
- Removed waf_threats field (redundant with waf_blocked)
- Fixed dashboard to show 3 WAF stats: Bans, Alerts, Blocked
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
UI:
- Clean card grid with colored stat values
- Services status bar (HAProxy, WAF, CrowdSec) with glowing dots
- Two-panel layout for WAF/Security and Connections
- Live clock with pulsing indicator
- Proper KissTheme.wrap() integration
Performance:
- Double-buffer cache at /tmp/secubox/metrics-cache.json
- 30s TTL with async background refresh
- Cron job for periodic cache updates
- Instant RPCD response (no computation on request)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added LuCI Metrics Dashboard to HISTORY.md
- Documented WAF hot-reload discovery
- Updated WIP.md with completed work
- Noted HAProxy health check fix and test site cleanup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy's haproxy_router.py addon already implements hot-reload:
- Checks routes file mtime on every request
- Auto-reloads when file changes
Removed unnecessary mitmproxy restart after adding routes.
Just ensure file permissions are correct (644) for hot-reload to work.
This makes publishing faster and avoids service disruption.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mitmproxy restart after _add_mitmproxy_route() to load new routes
- mitmproxy loads routes at startup only, so restart is required
- Run restart in background to avoid blocking publish command
Also fixed on router:
- Disabled health check for mitmproxy_inspector backend
- HAProxy health check fails because mitmproxy returns 404 for
requests without valid Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed vhost backend from direct metablog_* to mitmproxy_inspector
- Added original_backend tracking for mitmproxy route resolution
- Changed server address from 192.168.255.1 to 127.0.0.1
- Added _add_mitmproxy_route helper for route registration
- Fixed both cmd_publish() and _emancipate_haproxy() functions
This ensures all newly published sites go through WAF inspection
rather than bypassing security checks.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler returns immediately with job_id (~0.04s)
- Background script uses file output to avoid pipe inheritance issues
- LuCI JS polls job_status every 2s until completion
- Uses setsid for proper process detachment
- jsonfilter for reliable parameter parsing
Fixes "Failed to publish" error caused by ubus timeout during
40+ second publish operations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- dropletctl: Remove pipe to grep that blocked on background children
- metablogizerctl: Background HAProxy generate/reload (~90s with 95 certs)
- dpi-lan-collector: Pre-compute flow counts in single pass instead of
spawning grep per client (eliminates broken pipe errors)
Publish time reduced from ~2 min to ~35 seconds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add headless UCI option to use mitmdump instead of mitmweb
- Enable headless by default for WAF (mitmproxy-in) instance
- Increase default memory limit from 256MB to 2GB
- Fix LXC config generation to always recreate on service start
- Fix rootfs check path (/usr/local/bin not /usr/bin)
- Use exec in startup script for proper foreground execution
Headless mode runs mitmdump (CLI) instead of mitmweb (web UI),
saving ~3.3GB RAM while maintaining full WAF functionality.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New heatmap.js component with SVG world map and country centroids
- Colored dots show threat distribution: orange (local), cyan (CAPI), red (WAF)
- Dot size scales logarithmically with threat count (4-20px)
- Hover tooltips show country code and count
- Added geo_local_raw and geo_capi_raw fields to RPCD backend
- CAPI geo extraction from decisions with GeoIP metadata
- CSS styling for heatmap container, dots, and legend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed waf_bans_today to count all mitmproxy-* scenarios instead of
only mitmproxy-waf (which doesn't exist). Now correctly counts
mitmproxy-scanner, mitmproxy-botscan, etc.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Make refresh_cache async to prevent rpcd watchdog kills
- Fix JSON escaping for top_scenarios/countries arrays
- Show decisions as "Active Bans" when alerts_raw is empty
- Display ban expiry time instead of creation time
- Update cron to run cache refresh in background
Fixes LuCI crashes caused by 16s blocking refresh calls.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>