- Support both "*.domain" and ".domain" wildcard formats in haproxy_router.py
- Sort wildcards by length (longest first) for correct specificity matching
- Add auto-reload: check routes file mtime every 10 requests
- Update metablogizerctl to use mitmproxyctl sync-routes
Also fix luci-app-wazuh api.js to use baseclass.extend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed sdlc.gk2.secubox.in showing GK2 Hub template instead of original
"Les Seigneurs de La Chambre" cinematic presentation
- Restored content via git checkout from preserved history
- Documented Streamlit WebSocket incompatibility with MITM proxy
- All 20 Streamlit apps require waf_bypass for WebSocket functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WAF enabled for Streamlit/MetaBlogizer
- WAF bypass for infrastructure services
- 38 path ACLs with waf_bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Migrated services from Docker to LXC:
- mailserver: Postfix/Dovecot on Alpine (192.168.255.30)
- roundcube: Webmail on Alpine with nginx/PHP (port 8027)
- jellyfin: Media server on Debian (192.168.255.31)
All Docker containers removed, auto-start via /etc/init.d/secubox-lxc
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.
- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
false positives from normal login flows
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- HISTORY.md: Entry #60 documenting GoToSocial v0.17.0 deployment
- WIP.md: Added to Just Completed section
- Includes HAProxy exposure, admin user setup, key fixes
Live at https://social.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: Use network.lan.ipaddr instead of 127.0.0.1 for server address
- service-registry: Same fix for emancipate function
- hexojs: Same fix for HAProxy backend creation
- gotosocial: Switch from LXC to direct execution mode
- v0.18.0 has cgroup bugs, using v0.17.0 instead
- Remove LXC container dependency
- Use /srv/gotosocial for binary and data
- Add proper PID file management
The HAProxy container cannot reach 127.0.0.1 on the host, so all HAProxy
backend servers must use the LAN IP (typically 192.168.255.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add remote device management: scan_network, list_remotes, add_remote,
remove_remote, remote_status, remote_upload, remote_flash RPCD methods
- Add secubox-asu-clone script for on-the-fly firmware generation via
OpenWrt ASU (Attended Sysupgrade) API
- Include full LuCI packages in ASU builds (luci-base, luci-mod-admin-full,
luci-mod-network, luci-mod-status, luci-mod-system, etc.)
- Add partition expansion script (10-expand-rootfs) to use full SD card/eMMC
with proper UUID and boot config handling for both MBR and GPT
- Add robust provisioning script (99-secubox-provision) with network retry,
firewall handling, and SecuBox package installation from local feed
- Use dropbear's dbclient for SSH operations (OpenWrt native)
- Support mochabin, espressobin-v7, espressobin-ultra, x86-64 devices
- Default to OpenWrt version 24.10.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove old secubox-theme and secubox-portal/header dependencies
- Remove external dashboard.css stylesheet
- Replace ndpid/api with direct RPC declarations
- Use KISS classes (kiss-card, kiss-stat, kiss-table, kiss-badge, kiss-btn)
- Add consistent navigation tabs
- Add poll toggle for auto-refresh control
- Use CSS variables (--kiss-blue, --kiss-green, --kiss-muted, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Convert packages string to proper JSON array format
- Add -dnsmasq to avoid conflict with dnsmasq-full
- Add rootfs_size_mb: 512 for larger package sets
- Trim default packages to fit in standard rootfs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support building images for: mochabin, espressobin-v7, espressobin-ultra, x86-64
- New CLI: secubox-cloner build --device espressobin-v7
- New CLI: secubox-cloner devices (list supported devices)
- RPCD: list_devices method, build_image accepts device_type param
- LuCI: Device selection dropdown in build modal
- LuCI: Device column in images table with badges
- Each device type has its own TFTP image file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Dashboard with status cards: device, TFTP, tokens, clones
- Quick actions: Build Image, Start/Stop TFTP, Token generation
- Clone images table with size and TFTP-ready status
- Token management with auto-approve option
- U-Boot flash commands display when TFTP is running
- RPCD handler with 10 methods for full cloner management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy multi-domain SSL certificate matching issue
- Document crt-list solution for SNI issues
- Minor updates to settings and streamlit readme
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New "🚀 Devel" tab with live GitHub commit activity (1-min cache)
- Metrics: Commits Today, This Week, Contributors, Stars
- Commit type distribution (feat/fix/docs/refactor/chore)
- Recent commits list with hash, message, author, relative time
- Repository stats: forks, watchers, open issues
- Cyberpunk-themed commit cards with color-coding
- Pulsing live indicator animation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed port conflict (console 8515, yijing360 8521)
- Deployed yijing-360.zip with generator.py
- Emancipated at yijing360.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All 4 phases implemented:
- Stats collectors with 17 JSON cache files
- Landing page JSON symlinks for gk2.secubox.in
- Widget Fabricator with live data
- Full integration verified
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Secondary domain for La Livrée d'Hermès gallery
- OVH DNS + Let's Encrypt SSL
- Same backend as lldh.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fabricator pages now use actual UCI/JSON data (bfd2ed7c)
- La Livrée d'Hermès gallery deployed with YouTube music
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add extract_zip_flatten() to Streamlit RPCD for nested ZIP handling
- Add bot whitelist to mitmproxy WAF (Facebook, Google, Bing crawlers)
- Skip threat detection for whitelisted legitimate crawlers
- Track Fabricator app and stats evolution in HISTORY.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create cyberpunk-style End of Internet page for unknown domains
- Add http-request UCI option support in haproxyctl generator
- Support path rewriting backends with http-request set-path
- Configure end_of_internet as default backend for both frontends
- Update docs with HAProxy enhancements (entry #59)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HISTORY.md entry #49: CrowdSec Dashboard Cache & Control Panel Fixes
- CrowdSec Overview Collector v4 with background JSON cache
- RPCD fast path reading from cache first
- mitmproxy Local IP "Green Known" patch
- Control Panel file compatibility symlinks
- Update WIP.md Just Completed section with today's changes
- Renumber entries 50-57 in HISTORY.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Milestone 54:
- Triple-pulse LED heartbeat with staggered cascade (BusyBox-compatible)
- Streamlit emancipate command for KISS ULTIME MODE exposure
- Evolution dashboard real-time upgrade with auto-refresh
- SecuBox Console app live at console.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add entry 52 to HISTORY.md for Postfix/Dovecot path alignment
- Update WIP.md with fix details under completed items
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `metablogizerctl emancipate <name>` command for one-command full
exposure workflow:
1. DNS A record via dnsctl (Gandi/OVH based on availability)
2. Vortex DNS mesh publication
3. HAProxy vhost with SSL/ACME enabled
4. SSL certificate request (webroot mode)
5. Zero-downtime HAProxy reload
Usage:
metablogizerctl create myblog blog.example.com
metablogizerctl emancipate myblog
Bump version to 1.1.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- BIND zone was returning internal IP (192.168.255.1) instead of public IP
- Added IPv6 AAAA records to BIND zone and Gandi DNS
- Fixed nftables forward_wan chain blocking DNAT'd mail traffic
- Added mail port forwarding rules for both IPv4 and IPv6
- Documented Free ISP inbound port 25 blocking issue
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add init.d script for daemon mode with procd integration
- Update Makefile to install init script
- Add packages to bonus feed (secubox-vortex-dns, luci-app-vortex-dns)
- Update tracking files with completion status
Features:
- Master/slave hierarchical DNS delegation
- Wildcard domain management (*.domain)
- First Peek auto-registration of services
- Gossip-based exposure config sync via secubox-p2p
- Submastering for nested hierarchies
- LuCI dashboard with mode detection and action buttons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Firewall DNAT rules were redirecting ALL port 993/587/465 traffic
to local mailserver, blocking external mail server connections.
Fix: Add -i $WAN_IF to only redirect inbound WAN traffic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine Linux's Postfix is compiled with LMDB support, not BerkeleyDB
hash support. This caused "Temporary lookup failure" errors on send.
Changes:
- Changed virtual_alias_maps and virtual_mailbox_maps to lmdb: prefix
- Copy resolv.conf to Postfix chroot for DNS resolution
- Added `mailctl fix-postfix` command to repair existing installations
Root cause: virtual_alias_maps was configured as hash:/etc/postfix/virtual
but the hash map type is not supported on Alpine, only lmdb.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-backup: Unified backup for LXC containers, UCI config, services
- luci-app-backup: KISS dashboard with container list and backup history
- secubox-app-mailserver: Custom Postfix+Dovecot in LXC with mesh backup
Enhanced dnsctl with:
- generate: Auto-create subdomain A records
- suggest: Name suggestions by category
- mail-setup: MX, SPF, DMARC record creation
- dkim-add: DKIM TXT record management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-threat-analyst: AI-powered threat analysis with CrowdSec integration
- luci-app-threat-analyst: LuCI dashboard for threat intelligence
- secubox-dns-guard: DNS security monitoring and blocking
- secubox-mcp-server: Model Context Protocol server for AI assistant integration
Enhancements:
- dns-provider: Add DynDNS support (dyndns, get, update, domains commands)
- gandi.sh: Full DynDNS with WAN IP detection and record updates
- luci-app-dnsguard: Upgrade to v1.1.0 with improved dashboard
Infrastructure:
- BIND9 DNS setup for secubox.in with CAA records
- Wildcard SSL certificates via DNS-01 challenge
- HAProxy config fixes for secubox.in subdomains
- Mail server setup with Roundcube webmail
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Build and add secubox-app-mac-guardian_0.5.0-r1_all.ipk
- Build and add luci-app-mac-guardian_0.5.0-r1_all.ipk
- Sync luci-app-mac-guardian to local-feed for SDK building
- Update apps-local.json catalog with proper metadata:
- Category: security, Icon: wifi
- Descriptions for frontend and backend packages
- Rebuild all bonus feed packages
Package features:
- WiFi MAC address spoofing detection
- OUI anomaly detection for device fingerprinting
- MAC flood protection via hotplug.d integration
- CrowdSec scenarios for automated threat response
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add animated "Collecting data..." overlay with pulsing dots during
5-second chart warmup period
- Chart legend transitions from "Waiting" to "Live" when data arrives
- Add formatBits() helper for network rate display (Kbps/Mbps/Gbps)
- Network rates now use SI units (bits) instead of bytes
- Cyberpunk theme support for empty state styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SecuNav.renderTabs() now automatically initializes theme and loads CSS,
eliminating boilerplate from views. Added renderCompactTabs() for nested
modules and renderBreadcrumb() for back-navigation.
Updated module navs: cdn-cache, client-guardian, crowdsec-dashboard,
media-flow, mqtt-bridge, system-hub. Removed ~1000 lines of duplicate CSS.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch from Docker to LXC with Debian bookworm rootfs and native
Domoticz binary from GitHub releases (latest/download pattern)
- Fix LXC cgroup2 terminal allocation: add lxc.tty.max, lxc.pty.max,
cgroup2 device permissions for standard char devices, disable seccomp
- Fix PID 1 issue: run domoticz as child process with signal forwarding
- Use quoted heredoc with sed placeholders for start script generation
- Update LuCI view: Docker → LXC references, add memory usage display
- Remove Docker image UCI option, update catalog runtime to "lxc"
- Fix streamlit LXC config: same cgroup2/terminal/seccomp fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-domoticz package with RPCD handler (12 methods), LuCI overview
(status, IoT integration, MQTT, HAProxy, mesh, logs), and full service lifecycle.
Enhanced domoticzctl with configure-mqtt (auto Mosquitto+Z2M bridge), configure-haproxy,
backup/restore, mesh-register, and uninstall commands. UCI extended with mqtt/network/mesh
sections. Catalog updated with LuCI package and IoT tags. MirrorNetworking strategic
document noted in planning files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The z2m 2.x breaking changes required three fixes discovered during
live deployment testing on the router:
- Adapter renamed from `ezsp` to `ember` in zigbee-herdsman 4.0.0
- Config format needs `version: 4` and nested `homeassistant.enabled`
- Start script needs `ZIGBEE2MQTT_DATA` env var for correct config path
- Add `mosquitto-nossl` as package dependency (MQTT broker required)
- Direct `/dev/ttyUSB0` passthrough works; socat TCP bridge does not
Also updates project planning files (HISTORY.md, TODO.md, WIP.md,
CLAUDE.md) and rebuilds bonus feed with latest IPKs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker-based Jellyfin media server with UCI config (port, image, media
paths, GPU transcoding), procd init, jellyfinctl CLI, and LuCI frontend
with status/config/logs view.
Also adds Punk Exposure Engine architectural README documenting the
Peek/Poke/Emancipate service exposure model and DNS provider API
roadmap. CLAUDE.md updated with architectural directive.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix ZIP upload: install unzip dependency, fix empty array check
(jsonfilter returns "[ ]" not "[]"), redirect unzip stdout to
prevent JSON corruption, use readAsArrayBuffer instead of
deprecated readAsBinaryString, add .catch() error handler
- Fix list_apps to scan subdirectories for ZIP-uploaded apps,
skip Streamlit pages/ convention dir, prefer app.py as entry point
- Fix set_active_app: replace broken streamlitctl call with direct
UCI update
- Fix remove_app: replace broken streamlitctl call with direct
file removal and UCI cleanup
- Fix add_app: replace broken streamlitctl call with direct UCI
- Add rename_app and rename_instance RPCD methods with ACL entries
- Activate now auto-creates an instance with next available port
- Apps list shows UCI display name separate from filesystem ID
- Sanitize uploaded filenames for UCI compatibility
- Add rename buttons and modals for apps and instances
- Add error notifications for failed deletes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Share CrowdSec bans and mitmproxy detections between mesh nodes using
the existing blockchain chain + gossip sync. Received IOCs from trusted
peers are auto-applied as CrowdSec decisions based on a three-tier trust
model (direct/transitive/unknown).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use >/dev/null 2>&1 instead of just 2>/dev/null when sourcing
master-link.sh and calling chain_add_block, mesh_init, peer_add,
factory_trust_peer, and gossip_sync to prevent p2p-mesh.sh usage
text and block hashes from corrupting CGI JSON responses.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Read LXC path from /etc/lxc/lxc.conf instead of hardcoding /var/lib/lxc
(OpenWrt uses /srv/lxc by default)
- Skip Alpine rootfs download if file already exists in /tmp
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The settings page was showing "CAPI: Error" because the status
method didn't return the capi_enrolled field. Added CAPI status
check to get_status() so the health display shows correct status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace pipe-to-while loops with grep/cut to avoid subshell variable
scope issues in method_status, method_get_providers, and method_set_provider.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy → mitmproxy → Backend inspection chain for filtering
all vhost traffic through mitmproxy with threat detection
- Add haproxy_router.py addon for Host-based request routing
- Add mitmproxyctl commands: sync-routes, haproxy-enable, haproxy-disable
- Add auth token to status response for Web UI auto-authentication
- Add HAProxy Backend Inspection section to LuCI status page with
enable/disable/sync controls
- Add HAProxy Router settings section to LuCI settings page
- LXC container now supports dual-port mode (8888 + 8889 for HAProxy)
- Token displayed with copy button in dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Distributed service registry with HAProxy vhost discovery
- Multi-endpoint URLs (haproxy/mesh/local) per service
- DNS federation for mesh peers (*.sb.local via dnsmasq)
- Catalog tab with service filtering and QR codes
- Linked peers navigation panel
- Tools panel with DNS management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hardcoded port 8180 with dynamic detection from credentials file
- Extract LAPI port from local_api_credentials.yaml URL
- Convert port to hex for /proc/net/tcp lookup
- Fix GeoIP database path detection (check /srv/crowdsec/data and /var/lib)
- Update default API URL fallback to 8090 (actual CrowdSec default)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When a site's DNS doesn't point to our public IP, skip the external
HTTP check to avoid 5-second timeouts. This significantly speeds up
the get_hosting_status API call which was causing XHR timeouts in
the LuCI frontend.
Sites with DNS mismatch now show frontend_status: "dns_mismatch"
instead of timing out.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash does not support 'local' keyword outside of functions.
Removed 'local' from update_vhost case handler to fix "not in a function"
error that caused ubus calls to fail with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Migrate from nginx to Squid proxy for better caching
- Add aggressive caching rules for Windows Update, Linux repos, Steam, Apple
- Proper firewall integration via UCI (transparent proxy)
- Real-time stats from Squid access logs
Network Modes:
- Complete UI rework with MirrorBox dark theme
- 9 network modes with emojis and descriptions
- Dynamic CSS animations and modern styling
Fixes:
- Fix jshn boolean handling in secubox-recovery (1/0 vs true/false)
- Fix nDPId RPCD to use netifyd as fallback DPI provider
- Update media-flow and security-threats dashboards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Installs all packages from the local feed in dependency order:
1. secubox-core and secubox-app (base)
2. secubox-app-* backend packages
3. luci-app-* frontend packages
4. luci-theme-* themes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The OpenWrt SDK automatically adds libc as a dependency to all packages,
even pure shell/JavaScript packages that don't need it. This causes
opkg installation failures when the local feed version of libc doesn't
match the router's installed version.
Solution: Add PKG_FLAGS:=nonshared to Makefiles of arch-independent
packages (secubox-core, luci-app-secubox-admin, secubox-app-bonus).
This tells the build system these packages don't link against libc.
Changes:
- secubox-core: 0.10.0-r6 → r7 with PKG_FLAGS:=nonshared
- luci-app-secubox-admin: 1.0.0-r17 → r18 with PKG_FLAGS:=nonshared
- secubox-app-bonus: 0.3.0-r1 → r2 with PKG_FLAGS:=nonshared
- Regenerated Packages index without libc dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add four major features to enhance SecuBox AppStore:
1. Feed Source Management:
- Feed types: published, unpublished, development
- Share tokens for private feed access
- CLI: secubox feed list/add/share/import
- LuCI: Feed type badges and share URLs in catalog-sources
2. Profile Export/Import:
- Export configurations with feed sources embedded
- Import from URL or file with merge/replace modes
- CLI: secubox profile export/import/share
- LuCI: New profiles.js view with export/import dialogs
3. Skill System:
- Capability discovery from module catalogs
- Quality indicators based on provider count
- CLI: secubox skill list/providers/install/check
- LuCI: New skills.js view with provider browser
4. Feedback Loop:
- Issue reporting and resolution tracking
- Search existing resolutions
- CLI: secubox feedback report/resolve/search/list
- LuCI: New feedback.js view for knowledge base
Technical changes:
- RPCD backend with 17 new API methods
- POSIX shell compatibility fixes (ESC via printf, tr A-Z a-z)
- LuCI menu entries for new views
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove all LuCI dependencies (luci-base, rpcd, luci-lib-jsonc)
- Remove LuCI-specific files (RPCD backend, ACL, menu, JS views)
- Package now only provides local opkg feed and documentation
- Remove Packages.sig to avoid signature verification errors
- Update local-build.sh to skip signature generation for local feeds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move 9 service apps from admin/secubox/services/ to admin/services/:
- localai, lyrion, magicmirror2, mailinabox, mmpm
- nextcloud, ollama, vhost-manager, mitmproxy
Services now appear under standard LuCI Services menu for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove expect clause from RPC declarations to get raw response
- Add proper error handling with catch blocks for all RPC calls
- Fix landing page generator to chmod 644 after generation
- Fixes "No Services Found" issue in dashboard
- Fixes "Forbidden" error when accessing landing page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
