Integrate SimpleX Chat SMP and XFTP servers for privacy-focused messaging:
- secubox-app-simplex: Backend with LXC container management
- SMP server for message relay (port 5223)
- XFTP server for encrypted file sharing (port 443)
- Auto-download of SimpleX binaries for aarch64/x86_64
- TLS certificate generation (self-signed or Let's Encrypt)
- Firewall and HAProxy integration
- luci-app-simplex: LuCI dashboard with:
- Service status monitoring
- Server address display with copy-to-clipboard
- Full configuration forms for SMP, XFTP, and TLS
- Install/certificate management actions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Restored the original settings.js functionality as setup.js with
updated nav references. The simplified version was broken.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The settings page was showing "CAPI: Error" because the status
method didn't return the capi_enrolled field. Added CAPI status
check to get_status() so the health display shows correct status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Content-Type based CVE detection must happen before SSRF patterns
to avoid false positives when routing through localhost.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LAN transparent mode now requires explicit opt-in via transparent.enabled
to prevent HTTPS certificate errors for LAN clients.
Changes:
- mitmproxyctl: Check transparent_enabled before setting up LAN firewall rules
- LuCI settings: Add warning about certificate requirements for LAN mode
- Default config already has transparent.enabled='0'
WAN protection mode remains active for incoming threat detection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add WAF-like functionality to mitmproxy for protecting services exposed
to the internet. Incoming WAN traffic is redirected through mitmproxy
for threat detection before reaching backend services.
Features:
- WAN protection mode with nftables rules for incoming traffic
- Enhanced bot scanner detection with 50+ scanner signatures
- Behavioral detection for config/admin/backup/shell hunting
- CrowdSec integration with new scenarios for bot scanners
- LuCI interface for WAN protection configuration
- DPI mirror mode support (secondary feature)
New CrowdSec scenarios:
- secubox/mitmproxy-botscan: Detect automated reconnaissance
- secubox/mitmproxy-shell-hunter: Detect shell/backdoor hunting
- secubox/mitmproxy-config-hunter: Detect credential file hunting
- secubox/mitmproxy-suspicious-ua: Detect suspicious user agents
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Instead of showing clickable model suggestions when Ollama is stopped,
display a helpful message prompting the user to start Ollama first.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace pipe-to-while loops with grep/cut to avoid subshell variable
scope issues in method_status, method_get_providers, and method_set_provider.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
DNS Guard (luci-secubox-dnsguard):
- Privacy-focused DNS manager with KISS UI
- DNS provider feed: FDN, Quad9, Cloudflare, Mullvad, AdGuard, etc.
- Smart Config auto-detects fastest DNS for location
- Category filtering (privacy, security, fast, family, adblock)
- One-click provider switching with dnsmasq integration
Ollama:
- Add suggested models grid when no models installed
- Clickable model cards to download directly
- Models: tinyllama, llama3.2, phi3, gemma2, qwen2.5, mistral, codellama
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change Gitea default port to 3001 (avoid AdGuard Home conflict)
- Add process_name and description to Gitea known service
- Use reserved port from config, verify if actually listening
- Add separate listening/running flags for better status reporting
- Reserved ports are tracked for dedup, dynamic detection fills gaps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change AdGuard Home default port to 3003 (avoid Gitea conflict)
- Update config file path to /var/lib/adguardhome/AdGuardHome.yaml
- Add netstat-based port detection for running processes
- Actual listening port overrides default when service is running
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add AdGuard Home to known services (port 3000, security category)
- Enhance _add_exposed_service to handle YAML config files
- Add process name detection and running status for known services
- Fix subshell issue in dynamic service detection (while loop)
- Add port deduplication between known and dynamic services
- Include description and process fields in service response
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Updated packages:
- luci-app-ollama: KISS UI rewrite
- luci-app-secubox-netdiag: Temperature monitoring and port mode controls
- secubox-core, secubox-p2p: Latest versions
- All other packages rebuilt with current SDK
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ollama:
- Complete KISS UI rewrite with simplified dashboard
- RPC declarations without expect clauses for reliability
- Service controls, model management, and chat interface
Network Diagnostics:
- Add temperature display with color-coded thresholds
- Add error collection and export functionality
- Add port mode switching (speed/duplex/EEE)
- Add collect_errors, get_port_modes, get_temperature RPC methods
- Add set_port_mode RPC method for port configuration
- Fix ACL permissions for new methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change nav paths from services/crowdsec to security/crowdsec in alerts,
bouncers, decisions, and settings views to match the new menu location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
getDecisions() was looking for result.alerts but RPC returns
result.decisions - fixed to use correct property name.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change RPCD to return alerts_raw and decisions_raw as JSON strings
- Add parseAlerts() to parse alerts_raw in JavaScript
- Fix countries and alerts now display correctly in overview
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix nav links to use correct path (security instead of services)
- Add parseCountries() to convert top_countries_raw JSON to object
- Fix geo data display in overview
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move mitmproxy from Services to SecuBox → Security & Access menu
alongside CrowdSec for better organization.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use SVG output instead of PNG (PNG disabled in OpenWrt qrencode)
- Fix endpoint port duplication when port already in endpoint string
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix qrcode require path (slash to dot notation)
- Load hosting status asynchronously to prevent XHR timeout
- Dashboard now loads instantly with sites, HAProxy/IP populate after
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPCD returns data directly without wrapping in a 'result' object,
but api.js was using expect: { result: {} } which caused empty data
in the UI (0 sites shown instead of 6).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace overview.js with dashboard.js using standard cbi-* classes
- Add api.js module for RPC declarations
- Show port, runtime, backend_running status in sites table
- Add sync_config, discover_vhosts, import_vhost RPC methods
- Update ACL with new method permissions
- Menu: Sites -> Dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Running Instances section with enable/disable/delete actions
- Add Instance form to create new instances on different ports
- Add Gitea clone functionality to pull apps from repositories
- Add Gitea configuration section in Settings page
- RPCD handler now supports:
- get_gitea_config, save_gitea_config
- gitea_clone, gitea_pull, gitea_list_repos
- API module exports all new Gitea methods
- Upload supports both .py files and .zip archives
- Instance status shown with colored indicators
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When an app has no description, return empty string instead of null
to prevent "null" text from being rendered in the instances table.
Also: secubox-p2p bumped to v0.6.0-r3 with catalog fix.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When HAProxy inspection mode routes all vhosts through mitmproxy_inspector,
the catalog now uses the original_backend UCI property to correctly map
domains to their actual services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use POST method for creating new files and PUT for updates.
Gitea requires this distinction - PUT with no SHA fails for new files.
Changes:
- Use POST for creating new files in catalog_push_gitea()
- Use PUT only when existing SHA is available (updates)
- Add explicit branch parameter for consistency
- Bump version to 0.6.0-r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add file exec permissions for:
- /usr/bin/secubox-services-status
- /bin/sh
Required for fs.exec() to work in LuCI frontend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /usr/bin/secubox-services-status helper script
- Update portal scanInitServices to use helper script
- Fallback to inline script if helper not available
- Fixes 0/0 services display caused by fs.exec output buffering
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use pgrep without -f flag (OpenWrt compatibility)
- Use printf instead of echo for reliable output
- Add explicit /bin/sh path
- Add error logging for debugging
Fixes 0/0 services display on dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Distributed Catalog:
- Implement catalog_push_gitea() to push node catalogs via Gitea REST API
- Add catalog_push_merged_gitea() for merged catalog sync
- Create /api/factory/catalog-sync POST endpoint for triggering sync
- Catalogs pushed to catalog/nodes/{hostname}.json in Gitea repo
Health Probing:
- Add get_service_health() with cached latency measurement
- HTTP probe with curl to measure response time
- Fallback to /proc/net/tcp port check
- 60-second cache TTL to keep catalog endpoint fast
Files:
- factory.sh: Gitea REST API integration for catalog push
- catalog: Health probing with latency measurement
- catalog-sync: New CGI endpoint for sync operations
- Makefile: Install catalog-sync endpoint
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The bouncer creates multiple sets: crowdsec-blacklists (empty base),
crowdsec-blacklists-CAPI (community blocklists ~19k IPs), and
crowdsec-blacklists-crowdsec (local decisions). Now counts IPs from
all sets in the table instead of just the base set.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move CrowdSec from Services to Security & Access menu
- Fix get_decisions() to return {"decisions":[]} not {"alerts":[]}
- Fix active_bans to use local_decisions count instead of parsing
unreliable metrics output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The mitmproxy container mounts /srv/mitmproxy as /data, so the GeoIP
database path must use /data/GeoLite2-Country.mmdb for the addon to
find it. This enables proper country detection for external IPs in
threat logs, allowing CrowdSec SSRF scenarios to correctly identify
and ban foreign attackers.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The threat monitor now checks netifyd_running and dpi_available fields
in addition to ndpid running status. This fixes the "nDPId not running"
warning when only netifyd is installed.
- Check ndpid.running OR netifyd_running OR dpi_available
- Show flow count in DPI service badge
- Rename badge from "nDPId" to "DPI" for clarity
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change analytics addon to write threats to /data/threats.log (bind-mounted to host)
- Add CrowdSec acquisition config to read from /srv/mitmproxy/threats.log
- Add parser for mitmproxy JSON threat logs with source_ip in Meta
- Add scenarios for web attacks, scanners, SSRF, and CVE exploits
- Update RPCD to read alerts from host-visible path without lxc-attach
This enables automatic IP banning when mitmproxy detects:
- SQL injection, XSS, command injection (capacity: 3, ban: 15m)
- Path traversal, XXE, LDAP injection, Log4Shell
- Aggressive web scanning (capacity: 10, ban: 10m)
- SSRF attempts from external IPs (capacity: 5, ban: 10m)
- Known CVE exploits (immediate trigger, ban: 30m)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The alerts, threat_stats, clear_alerts, haproxy_enable, haproxy_disable,
and sync_routes methods were not in the ACL file, causing permission
denied errors when calling them from LuCI.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPCD was looking for alerts in /tmp/secubox-mitm-alerts.json but
the analytics addon writes to /var/log/crowdsec/secubox-mitm.log in
JSONL format (one JSON object per line).
Changes:
- RPCD: Read from container's /var/log/crowdsec/secubox-mitm.log
- RPCD: Convert JSONL to JSON array using awk
- JS: Handle new field names (source_ip, timestamp, request)
Alerts now display correctly in LuCI dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The sync-routes command was failing to generate routes for most vhosts due to:
- Subshell bug: pipe in while loop caused variable changes to be lost
- Only supported old-style backends (inline .server field)
- Did not support new-style backends with separate =server sections
Changes:
- Rewrite sync-routes to avoid subshell by using temp file
- Add support for both backend styles (inline and separate server sections)
- Use original_backend field when vhosts are in inspection mode
- Skip luci/fallback/mitmproxy_inspector backends in route generation
Now properly generates 13+ routes for HAProxy backend inspection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy → mitmproxy → Backend inspection chain for filtering
all vhost traffic through mitmproxy with threat detection
- Add haproxy_router.py addon for Host-based request routing
- Add mitmproxyctl commands: sync-routes, haproxy-enable, haproxy-disable
- Add auth token to status response for Web UI auto-authentication
- Add HAProxy Backend Inspection section to LuCI status page with
enable/disable/sync controls
- Add HAProxy Router settings section to LuCI settings page
- LXC container now supports dual-port mode (8888 + 8889 for HAProxy)
- Token displayed with copy button in dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Swiss Army knife for SecuBox with interactive menu and direct commands:
- status: System overview with services, docker, mesh
- mesh: P2P mesh operations (peers, discover, sync)
- security: CrowdSec status, threats, block/unblock
- docker: Container management
- haproxy: Vhosts and reload
- network: Diagnostics, ports, connections
- recover: Snapshot/restore operations
- feed: Package management
Also updates feed with Jitsi packages and core v0.10.0-r11.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-jitsi: Docker-based Jitsi stack with jitsctl control CLI
- luci-app-jitsi: LuCI web configuration interface
- Catalog entry for SecuBox AppStore
Features:
- End-to-end encrypted video conferencing
- HAProxy integration with WebSocket/SSL support
- Mesh federation for SecuBox P2P network
- User authentication management
- Backup/restore functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Distributed service registry with HAProxy vhost discovery
- Multi-endpoint URLs (haproxy/mesh/local) per service
- DNS federation for mesh peers (*.sb.local via dnsmasq)
- Catalog tab with service filtering and QR codes
- Linked peers navigation panel
- Tools panel with DNS management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Separate static files from CGI scripts in uhttpd configuration:
- Static files (index.html) served from /www
- CGI scripts executed from /www/api/*
- API base changed from /factory/ to /api/factory/
This fixes HAProxy routing where /factory/ serves the UI and
/api/factory/* routes to the P2P API backend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement distributed service catalog that discovers HAProxy vhosts
and provides multi-endpoint access URLs (haproxy/mesh/local). Add
dynamic DNS federation that auto-populates dnsmasq with mesh peer
hostnames (hostname.mesh.local).
New features:
- /factory/catalog API endpoint with service registry
- Catalog tab (📚) in Factory UI with endpoint filtering
- QR codes with URL type switching (haproxy/mesh/local)
- Linked mesh peers navigation panel
- DNS federation via /tmp/hosts/secubox-mesh
- CLI commands: dns-enable/disable/update, catalog sync/list/generate
Bumps secubox-p2p to v0.6.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mesh-services CGI endpoint for aggregated service discovery
across all mesh peers
- Update Factory UI with tabbed interface: Dashboard and Mesh Services
- Mesh Services panel features:
- Real-time service discovery from all nodes
- Filter by search, status, or node
- Direct access links for services with ports
- Status indicators (running/stopped/disabled)
- Summary stats (nodes online, running/total services)
- Bump version to 0.5.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change API base URL to use relative /factory/ path instead of
absolute URL with port 7331. HAProxy routes /factory/* API paths
to the factory backend while serving UI from luci backend.
This fixes mixed content blocking when accessing via HTTPS.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace signify-openbsd calls with HMAC-based signatures
(OpenWrt's signify lacks -n flag for no-passphrase)
- Fix API paths in UI: use /factory/ not /api/factory/
- Support cross-port API calls (UI on 8081, API on 7331)
- Update LuCI view to use relative /factory/ path
- Update feed with secubox-p2p 0.4.0 packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement mesh-distributed, cryptographically-validated control center:
- Add factory.sh library with Ed25519 signing via signify-openbsd
- Add Merkle tree calculation for /etc/config validation
- Add CGI endpoints: dashboard, tools, run, snapshot, pubkey
- Add KISS Web UI (~280 lines vanilla JS, inline CSS, zero deps)
- Add gossip-based 3-peer fanout for snapshot synchronization
- Add offline operations queue with replay on reconnect
- Add LuCI iframe integration under MirrorBox > Factory tab
- Configure uhttpd alias for /factory/ on port 7331
- Bump secubox-p2p version to 0.4.0
Factory UI accessible at http://<device>:7331/factory/
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-p2p upgraded to v0.3.0 with multi-address mesh support
- WAN IP detection via ipify/ifconfig.me for NAT traversal
- WireGuard tunnel IP enumeration for secure redundancy
- Failover priority: WireGuard → WAN → LAN
- luci-app-secubox-portal KISS redesign (~1000 → ~500 lines)
- Service categorization: Web/Proxy, Security, AI/ML, Containers, Media, Apps
- Dynamic init.d service scanning with 60s caching
- Rebuilt all packages in feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_wan_ip() to detect real WAN/public IP address
- Add get_wg_ips() to enumerate WireGuard tunnel addresses
- Add get_node_addresses() returning JSON array of all addresses
- Update register_self() to include WAN and WireGuard addresses
- Update get_node_status() API to expose all addresses
- Update add_peer() to support multi-address peers
- Update daemon connectivity check to try:
1. WireGuard tunnel (secure redundancy)
2. WAN address (external reach)
3. LAN address (local fallback)
- Add UCI options: advertise_wan, advertise_wireguard, prefer_wireguard
- Version bump to 0.3.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Simplify portal to ~500 lines (from ~1000)
- Add service categories: Web/Proxy, Security, AI/ML, Containers, Media, Apps
- Dynamic init.d service scanning with status detection
- Clean dark theme with inline CSS (no external dependencies)
- Quick stats: Services, Memory, Uptime, Network
- Active ports section for external services
- Responsive grid layouts for all screen sizes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Services tab to TUI displaying services from all mesh peers
- Implement get_peer_services() fetching via P2P API (port 7331/services)
- Add 60-second caching to avoid slow repeated API calls
- Group services into categories: Web/Proxy, Security, AI/ML, Containers, Apps
- Fix service endpoint URL: /services not /api/services
- Increase API timeout to 15s for comprehensive service scans
- Version bump to 1.2.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite all views with KISS CSS (1200+ lines removed)
- Use unified cs-* CSS prefix with SecuBox theme variables
- Move CrowdSec from Security to Services menu
- Update navigation paths in all views and nav.js
- Add CSS loading in each view's load() function
- Fix Services menu as proper firstchild submenu
- Simplify dashboard.css from 950+ to 112 lines
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Console v1.1.0 with mesh participation as first-class peer
- Add announce command to register console on mesh devices
- Add mesh command to query P2P network status and peers
- Improve discovery with 3-phase approach (mesh peers, network scan, probe)
- Implement working update mechanism with SSH-based downloads
- Add proper Add Device modal dialog in Textual TUI
- Add Discover dialog with async progress display
- Show console identity in Mesh tab (node ID, name, IP, port)
- Auto-announce during discover and sync operations
- Add announce button and keybinding (m) in TUI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC `expect: { peers: [] }` extracts the array directly, so result
IS the peers array, not result.peers. Added Array.isArray() defensive
check for consistent handling.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix register_self() to handle JSON whitespace with awk
- Update get_peers() to auto-register local node if peers list is empty
- Ensure node identity is initialized before querying peers
This ensures C3BOX always shows itself in the P2P Hub peers view.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add get_settings to read permissions and save_settings to write permissions
to fix RPC access denied error (-32002) on the settings page.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /chain/tip endpoint for blockchain tip query
- Add /catalog/console endpoint for version info
- Add symlinks for /api/ prefix compatibility
- Fix chain.json malformed JSON structure
Enables console to discover C3BOX device via mesh API
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Console Enrollment section to settings with persistent key storage
- Integrate CrowdSec CSS with SecuBox global theme variables (--cyber-*)
- Fix modules.js install button and add installModule function
- Map cs-*, soc-*, sh-* CSS variables to SecuBox theme for consistency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CAPI status now shows "Connected" when either enrolled or LAPI is available,
fixing misleading "Disconnected" display when CAPI is actually working.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove theme.js and themes/ directory (classic, cards, cyberpunk)
- Remove theme selector from settings page
- Use fixed 'cs-theme-classic' class in overview and settings views
- Simplify load() functions by removing theme.init() calls
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hardcoded port 8180 with dynamic detection from credentials file
- Extract LAPI port from local_api_credentials.yaml URL
- Convert port to hex for /proc/net/tcp lookup
- Fix GeoIP database path detection (check /srv/crowdsec/data and /var/lib)
- Update default API URL fallback to 8090 (actual CrowdSec default)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When a site's DNS doesn't point to our public IP, skip the external
HTTP check to avoid 5-second timeouts. This significantly speeds up
the get_hosting_status API call which was causing XHR timeouts in
the LuCI frontend.
Sites with DNS mismatch now show frontend_status: "dns_mismatch"
instead of timing out.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash does not support 'local' keyword outside of functions.
Removed 'local' from update_vhost case handler to fix "not in a function"
error that caused ubus calls to fail with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mDNS service announcement via avahi-publish for _secubox._tcp
- Add REST API endpoints on port 7331 (/api/peers, /api/status, /api/services)
- Add node self-registration to ensure local node visible in mesh view
- Add UCI defaults for uhttpd P2P API instance and firewall rules
- Bump secubox-p2p version to 0.2.0
fix(vhost-manager): Fix uninitialized variable syntax errors
- Add 'local' keyword to variable declarations on lines 606, 621, 693
fix(metablogizer,service-registry): Add HAProxy availability fallback
- Add haproxy_available() helper to check if HAProxy is running
- Gracefully skip HAProxy operations when service unavailable
- Store pending HAProxy config for later when service becomes available
- Prevent crashes when HAProxy container is stopped
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Set umask 022 before file operations
- chmod 644 immediately after base64 decode
- chmod 755 on site_path after each upload
- Prevents 403 Forbidden from restrictive permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Dynamic .onion address generation for hosted sites:
- enable_tor: Create Tor hidden service for a site
- disable_tor: Remove Tor hidden service
- get_tor_status: Get Tor status for all sites
- Sites now include onion_address and onion_url in listings
When enabled, sites are accessible via both:
- Public domain (https://domain.com)
- Tor hidden service (http://xxx.onion)
Also includes DNS resolution fix using Google DNS API.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
KISS approach to DNS resolution:
1. Primary: Use Google DNS API (https://dns.google/resolve)
- Most reliable, bypasses local resolver issues
2. Fallback: nslookup with tail -1 to skip DNS server line
3. Fallback: host command
The bug was parsing nslookup output which includes DNS server
address (127.0.0.1) before the actual resolved IP.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- apps.js: ZIP file upload with tree view file selection
- Client-side ZIP parsing for file list preview
- Interactive tree with checkboxes for file selection
- Select All / Deselect All / Python Only buttons
- Supports both .py and .zip file uploads
- api.js: Added previewZip() and uploadZip() RPC methods
- luci.streamlit RPCD:
- preview_zip: List ZIP contents with file sizes
- upload_zip: Extract selected files to app directory
- Automatic main .py file detection and registration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Add file read permissions for cache, logs, and SSL dirs
- Add new RPCD methods to ACL (get_ca_cert, set_ssl_bump)
Tor Shield:
- Create tor-ip-update.sh for caching exit/real IPs
- Use --socks5-hostname for DNS through Tor
- Add cron job for periodic IP updates
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Migrate from nginx to Squid proxy for better caching
- Add aggressive caching rules for Windows Update, Linux repos, Steam, Apple
- Proper firewall integration via UCI (transparent proxy)
- Real-time stats from Squid access logs
Network Modes:
- Complete UI rework with MirrorBox dark theme
- 9 network modes with emojis and descriptions
- Dynamic CSS animations and modern styling
Fixes:
- Fix jshn boolean handling in secubox-recovery (1/0 vs true/false)
- Fix nDPId RPCD to use netifyd as fallback DPI provider
- Update media-flow and security-threats dashboards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Overview Page (SOC Admin Landing):
- Architecture diagram with layer visualization
- Modular component cards with status indicators
- Network topology with animated orbital nodes
- System status grid with health indicators
- Development roadmap timeline
Profiles Page (Dynamic Cloning):
- Component readiness tracking with progress bars
- Quick presets for common configurations
- Package feeds management with toggles
- Saved profiles list with load/delete
- Clone & deploy actions (export, import, sync, push)
Menu Structure:
- Renamed P2P Hub to MirrorBox
- Added Overview as landing page
- Added Profiles for cloning management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add new RPCD methods to luci.gitea for P2P mesh auto-setup:
- create_user: Create regular Gitea user via CLI
- generate_token: Generate access token with configurable scopes
- create_repo: Create repository for a user via admin API
These methods enable automated P2P mesh repository setup without
requiring manual token generation in Gitea web UI.
Requires lxc-attach package for container access.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add autoCreateMeshRepo() function that automatically:
- Generates repo name from hostname: secubox-mesh-{hostname}
- Detects local Gitea server (gitea.local, git.local, etc.)
- Only prompts for access token on first use (one-time setup)
- Creates private repository with README
- Pushes initial mesh state immediately
Replace manual "➕ Create" button with "🚀 Auto Setup" for seamless
mesh repository initialization.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add complete backend implementation for Gitea integration and local backups
with admin permissions:
RPCD Methods (luci.secubox-p2p):
- get_gitea_config / set_gitea_config - Gitea server configuration
- create_gitea_repo - Create new Gitea repository via API
- list_gitea_repos - List user's Gitea repositories
- get_gitea_commits - Fetch commit history
- push_gitea_backup - Push config/packages/scripts to Gitea
- pull_gitea_backup - Restore from Gitea commit
- create_local_backup - Create local backup snapshot
- list_local_backups - List available local backups
- restore_local_backup - Restore from local backup
UCI Config (secubox-p2p):
- gitea section: server_url, repo_name, access_token, auto_backup options
- backup section: backup_dir, max_backups, auto_cleanup
Frontend (hub.js):
- Updated createGiteaRepo() to use backend API
- Updated backup functions to use backend storage
- Added refreshGiteaCommits() for real API calls
- Load function now fetches Gitea config and backup list
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add createGiteaRepo() function with modal interface for creating new Gitea
repositories directly from the P2P Hub. Users can configure server URL,
repo name, description, access token, and options (private, init README,
push current state).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
