- secubox-p2p upgraded to v0.3.0 with multi-address mesh support
- WAN IP detection via ipify/ifconfig.me for NAT traversal
- WireGuard tunnel IP enumeration for secure redundancy
- Failover priority: WireGuard → WAN → LAN
- luci-app-secubox-portal KISS redesign (~1000 → ~500 lines)
- Service categorization: Web/Proxy, Security, AI/ML, Containers, Media, Apps
- Dynamic init.d service scanning with 60s caching
- Rebuilt all packages in feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_wan_ip() to detect real WAN/public IP address
- Add get_wg_ips() to enumerate WireGuard tunnel addresses
- Add get_node_addresses() returning JSON array of all addresses
- Update register_self() to include WAN and WireGuard addresses
- Update get_node_status() API to expose all addresses
- Update add_peer() to support multi-address peers
- Update daemon connectivity check to try:
1. WireGuard tunnel (secure redundancy)
2. WAN address (external reach)
3. LAN address (local fallback)
- Add UCI options: advertise_wan, advertise_wireguard, prefer_wireguard
- Version bump to 0.3.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Simplify portal to ~500 lines (from ~1000)
- Add service categories: Web/Proxy, Security, AI/ML, Containers, Media, Apps
- Dynamic init.d service scanning with status detection
- Clean dark theme with inline CSS (no external dependencies)
- Quick stats: Services, Memory, Uptime, Network
- Active ports section for external services
- Responsive grid layouts for all screen sizes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Services tab to TUI displaying services from all mesh peers
- Implement get_peer_services() fetching via P2P API (port 7331/services)
- Add 60-second caching to avoid slow repeated API calls
- Group services into categories: Web/Proxy, Security, AI/ML, Containers, Apps
- Fix service endpoint URL: /services not /api/services
- Increase API timeout to 15s for comprehensive service scans
- Version bump to 1.2.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite all views with KISS CSS (1200+ lines removed)
- Use unified cs-* CSS prefix with SecuBox theme variables
- Move CrowdSec from Security to Services menu
- Update navigation paths in all views and nav.js
- Add CSS loading in each view's load() function
- Fix Services menu as proper firstchild submenu
- Simplify dashboard.css from 950+ to 112 lines
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Console v1.1.0 with mesh participation as first-class peer
- Add announce command to register console on mesh devices
- Add mesh command to query P2P network status and peers
- Improve discovery with 3-phase approach (mesh peers, network scan, probe)
- Implement working update mechanism with SSH-based downloads
- Add proper Add Device modal dialog in Textual TUI
- Add Discover dialog with async progress display
- Show console identity in Mesh tab (node ID, name, IP, port)
- Auto-announce during discover and sync operations
- Add announce button and keybinding (m) in TUI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC `expect: { peers: [] }` extracts the array directly, so result
IS the peers array, not result.peers. Added Array.isArray() defensive
check for consistent handling.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix register_self() to handle JSON whitespace with awk
- Update get_peers() to auto-register local node if peers list is empty
- Ensure node identity is initialized before querying peers
This ensures C3BOX always shows itself in the P2P Hub peers view.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add get_settings to read permissions and save_settings to write permissions
to fix RPC access denied error (-32002) on the settings page.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /chain/tip endpoint for blockchain tip query
- Add /catalog/console endpoint for version info
- Add symlinks for /api/ prefix compatibility
- Fix chain.json malformed JSON structure
Enables console to discover C3BOX device via mesh API
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Console Enrollment section to settings with persistent key storage
- Integrate CrowdSec CSS with SecuBox global theme variables (--cyber-*)
- Fix modules.js install button and add installModule function
- Map cs-*, soc-*, sh-* CSS variables to SecuBox theme for consistency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CAPI status now shows "Connected" when either enrolled or LAPI is available,
fixing misleading "Disconnected" display when CAPI is actually working.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove theme.js and themes/ directory (classic, cards, cyberpunk)
- Remove theme selector from settings page
- Use fixed 'cs-theme-classic' class in overview and settings views
- Simplify load() functions by removing theme.init() calls
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hardcoded port 8180 with dynamic detection from credentials file
- Extract LAPI port from local_api_credentials.yaml URL
- Convert port to hex for /proc/net/tcp lookup
- Fix GeoIP database path detection (check /srv/crowdsec/data and /var/lib)
- Update default API URL fallback to 8090 (actual CrowdSec default)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When a site's DNS doesn't point to our public IP, skip the external
HTTP check to avoid 5-second timeouts. This significantly speeds up
the get_hosting_status API call which was causing XHR timeouts in
the LuCI frontend.
Sites with DNS mismatch now show frontend_status: "dns_mismatch"
instead of timing out.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash does not support 'local' keyword outside of functions.
Removed 'local' from update_vhost case handler to fix "not in a function"
error that caused ubus calls to fail with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mDNS service announcement via avahi-publish for _secubox._tcp
- Add REST API endpoints on port 7331 (/api/peers, /api/status, /api/services)
- Add node self-registration to ensure local node visible in mesh view
- Add UCI defaults for uhttpd P2P API instance and firewall rules
- Bump secubox-p2p version to 0.2.0
fix(vhost-manager): Fix uninitialized variable syntax errors
- Add 'local' keyword to variable declarations on lines 606, 621, 693
fix(metablogizer,service-registry): Add HAProxy availability fallback
- Add haproxy_available() helper to check if HAProxy is running
- Gracefully skip HAProxy operations when service unavailable
- Store pending HAProxy config for later when service becomes available
- Prevent crashes when HAProxy container is stopped
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Set umask 022 before file operations
- chmod 644 immediately after base64 decode
- chmod 755 on site_path after each upload
- Prevents 403 Forbidden from restrictive permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Dynamic .onion address generation for hosted sites:
- enable_tor: Create Tor hidden service for a site
- disable_tor: Remove Tor hidden service
- get_tor_status: Get Tor status for all sites
- Sites now include onion_address and onion_url in listings
When enabled, sites are accessible via both:
- Public domain (https://domain.com)
- Tor hidden service (http://xxx.onion)
Also includes DNS resolution fix using Google DNS API.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
KISS approach to DNS resolution:
1. Primary: Use Google DNS API (https://dns.google/resolve)
- Most reliable, bypasses local resolver issues
2. Fallback: nslookup with tail -1 to skip DNS server line
3. Fallback: host command
The bug was parsing nslookup output which includes DNS server
address (127.0.0.1) before the actual resolved IP.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- apps.js: ZIP file upload with tree view file selection
- Client-side ZIP parsing for file list preview
- Interactive tree with checkboxes for file selection
- Select All / Deselect All / Python Only buttons
- Supports both .py and .zip file uploads
- api.js: Added previewZip() and uploadZip() RPC methods
- luci.streamlit RPCD:
- preview_zip: List ZIP contents with file sizes
- upload_zip: Extract selected files to app directory
- Automatic main .py file detection and registration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Add file read permissions for cache, logs, and SSL dirs
- Add new RPCD methods to ACL (get_ca_cert, set_ssl_bump)
Tor Shield:
- Create tor-ip-update.sh for caching exit/real IPs
- Use --socks5-hostname for DNS through Tor
- Add cron job for periodic IP updates
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CDN Cache:
- Migrate from nginx to Squid proxy for better caching
- Add aggressive caching rules for Windows Update, Linux repos, Steam, Apple
- Proper firewall integration via UCI (transparent proxy)
- Real-time stats from Squid access logs
Network Modes:
- Complete UI rework with MirrorBox dark theme
- 9 network modes with emojis and descriptions
- Dynamic CSS animations and modern styling
Fixes:
- Fix jshn boolean handling in secubox-recovery (1/0 vs true/false)
- Fix nDPId RPCD to use netifyd as fallback DPI provider
- Update media-flow and security-threats dashboards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Overview Page (SOC Admin Landing):
- Architecture diagram with layer visualization
- Modular component cards with status indicators
- Network topology with animated orbital nodes
- System status grid with health indicators
- Development roadmap timeline
Profiles Page (Dynamic Cloning):
- Component readiness tracking with progress bars
- Quick presets for common configurations
- Package feeds management with toggles
- Saved profiles list with load/delete
- Clone & deploy actions (export, import, sync, push)
Menu Structure:
- Renamed P2P Hub to MirrorBox
- Added Overview as landing page
- Added Profiles for cloning management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add new RPCD methods to luci.gitea for P2P mesh auto-setup:
- create_user: Create regular Gitea user via CLI
- generate_token: Generate access token with configurable scopes
- create_repo: Create repository for a user via admin API
These methods enable automated P2P mesh repository setup without
requiring manual token generation in Gitea web UI.
Requires lxc-attach package for container access.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add autoCreateMeshRepo() function that automatically:
- Generates repo name from hostname: secubox-mesh-{hostname}
- Detects local Gitea server (gitea.local, git.local, etc.)
- Only prompts for access token on first use (one-time setup)
- Creates private repository with README
- Pushes initial mesh state immediately
Replace manual "➕ Create" button with "🚀 Auto Setup" for seamless
mesh repository initialization.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add complete backend implementation for Gitea integration and local backups
with admin permissions:
RPCD Methods (luci.secubox-p2p):
- get_gitea_config / set_gitea_config - Gitea server configuration
- create_gitea_repo - Create new Gitea repository via API
- list_gitea_repos - List user's Gitea repositories
- get_gitea_commits - Fetch commit history
- push_gitea_backup - Push config/packages/scripts to Gitea
- pull_gitea_backup - Restore from Gitea commit
- create_local_backup - Create local backup snapshot
- list_local_backups - List available local backups
- restore_local_backup - Restore from local backup
UCI Config (secubox-p2p):
- gitea section: server_url, repo_name, access_token, auto_backup options
- backup section: backup_dir, max_backups, auto_cleanup
Frontend (hub.js):
- Updated createGiteaRepo() to use backend API
- Updated backup functions to use backend storage
- Added refreshGiteaCommits() for real API calls
- Load function now fetches Gitea config and backup list
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add createGiteaRepo() function with modal interface for creating new Gitea
repositories directly from the P2P Hub. Users can configure server URL,
repo name, description, access token, and options (private, init README,
push current state).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Backup & Versioning panel with three cards:
- Mesh Auto-Backup: scheduled snapshots with configurable targets
- Test Cloning: clone config from any peer with auto-sync option
- Gitea History: connect to Gitea for version control and commit feed
- Add backup history modal with restore/delete actions
- Add Gitea configuration modal with server/repo/token settings
- Add formatTime helper for relative timestamps
- Add comprehensive CSS for backup panel, gitea commits, history modal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add self-peer for local mesh testing without remote nodes
- Add gigogne (nested matryoshka) distribution mode with configurable depth
- Add distribution mode selector: gigogne, mono, ring, full-mesh
- Add visual indicators for self/gigogne peers on globe and peers panel
- Add test mode badge and clear test button
- Add rebuildGigogneStructure for dynamic mode switching
- Update CSS with gigogne/self peer styles and animations
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Animated 3D globe with CSS transformations
- Peer nodes positioned around globe with depth sorting
- Master node at center with pulse animation
- Connection lines between master and peers
- Stars background with twinkle animation
- Health indicators with emoji status (💚💛❤️)
- Quick stats (Peers, Online, Services, Registry)
- Quick actions (Discover, Sync All, Add Peer)
- Responsive layout for mobile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix "not a constructor" error by using baseclass.singleton()
pattern instead of baseclass.extend() with manual instantiation.
Theme module now exports a singleton directly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Make Setup Wizard the first menu item in SecuBox (order 5)
- Add P2P Hub collaborative catalog API methods:
- Peer discovery and management
- Catalog sharing between SecuBox instances
- Settings for P2P sharing preferences
- Fix crowdsec-dashboard theme.js to return class instead of instance
- Update views to properly instantiate theme class
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add theme manager with selectable themes and profiles:
- classic: Professional SOC-style dark theme (default)
- cards: Modern card-based UI with gradients
- cyberpunk: Neon glow effects with terminal aesthetics
Profiles extend themes with custom options:
- default, soc, modern, hacker
Theme selection available in Settings > Appearance with live preview.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move CrowdSec dashboard from admin/services/crowdsec to
admin/secubox/security/crowdsec to integrate with SecuBox menu structure.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Installs all packages from the local feed in dependency order:
1. secubox-core and secubox-app (base)
2. secubox-app-* backend packages
3. luci-app-* frontend packages
4. luci-theme-* themes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix recursive inclusion bug where secubox-app-bonus was including itself
causing 1GB package size (now 7.5MB with 73 packages)
- Fix Packages index generation to strip Source/SourceName/SourceDateEpoch/URL
fields that caused opkg parsing issues
- Add rebuild_bonus_package() to local-build.sh for proper feed embedding
- Update secubox-feed install command to handle local dependencies from files
(workaround for opkg signature bug with file:// URLs)
- Clean up libc dependency stripping in Packages generation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Even rpcd, bash, jsonfilter, jq depend on libc themselves. Since these
packages are always present on a working OpenWrt/SecuBox system, we should
not declare any dependencies at all.
- secubox-core 0.10.0-r9: DEPENDS:= (empty)
- luci-app-secubox-admin 1.0.0-r19: LUCI_DEPENDS:= (empty)
This prevents opkg from trying to resolve any feed packages and their
cascading libc dependencies.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The OpenWrt SDK automatically adds libc as a dependency to all packages,
even pure shell/JavaScript packages that don't need it. This causes
opkg installation failures when the local feed version of libc doesn't
match the router's installed version.
Solution: Add PKG_FLAGS:=nonshared to Makefiles of arch-independent
packages (secubox-core, luci-app-secubox-admin, secubox-app-bonus).
This tells the build system these packages don't link against libc.
Changes:
- secubox-core: 0.10.0-r6 → r7 with PKG_FLAGS:=nonshared
- luci-app-secubox-admin: 1.0.0-r17 → r18 with PKG_FLAGS:=nonshared
- secubox-app-bonus: 0.3.0-r1 → r2 with PKG_FLAGS:=nonshared
- Regenerated Packages index without libc dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add four major features to enhance SecuBox AppStore:
1. Feed Source Management:
- Feed types: published, unpublished, development
- Share tokens for private feed access
- CLI: secubox feed list/add/share/import
- LuCI: Feed type badges and share URLs in catalog-sources
2. Profile Export/Import:
- Export configurations with feed sources embedded
- Import from URL or file with merge/replace modes
- CLI: secubox profile export/import/share
- LuCI: New profiles.js view with export/import dialogs
3. Skill System:
- Capability discovery from module catalogs
- Quality indicators based on provider count
- CLI: secubox skill list/providers/install/check
- LuCI: New skills.js view with provider browser
4. Feedback Loop:
- Issue reporting and resolution tracking
- Search existing resolutions
- CLI: secubox feedback report/resolve/search/list
- LuCI: New feedback.js view for knowledge base
Technical changes:
- RPCD backend with 17 new API methods
- POSIX shell compatibility fixes (ESC via printf, tr A-Z a-z)
- LuCI menu entries for new views
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove all LuCI dependencies (luci-base, rpcd, luci-lib-jsonc)
- Remove LuCI-specific files (RPCD backend, ACL, menu, JS views)
- Package now only provides local opkg feed and documentation
- Remove Packages.sig to avoid signature verification errors
- Update local-build.sh to skip signature generation for local feeds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update local-build.sh to remove libc from Packages index
- Prevents opkg architecture mismatch errors on install
- Regenerate secubox-feed with 74 packages
- Update RPCD scripts for lyrion, mailinabox, metablogizer, nextcloud
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add RPCD methods to mitmproxy: settings, save_settings, set_mode,
setup_firewall, clear_firewall
- Add apply_now parameter to tor-shield save_settings to restart
service and apply iptables rules immediately
- Update ACL files with new permissions
- Add Save & Apply button to tor-shield settings page
- Update api.js files to use correct RPCD method signatures
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The direct services provider was calling jsonfilter in a loop for each
listening port (~40 ports), causing XHR timeouts in the UI.
Changes:
- Disable direct provider by default (set enabled=0)
- Add limit of 20 services if enabled
- Skip common system ports (22, 53, 67, 68, 123, 547, 953)
- Add note about enabling via UCI if needed
The real services come from HAProxy vhosts and UCI published services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Run Lyrion as nobody (uid 65534) via LXC init.uid/gid settings
- Use cgroup2 memory limit format (lxc.cgroup2.memory.max)
- Convert memory limit string (1G, 256M) to bytes for cgroup2
- Skip opkg install if LXC binaries already exist
- Set proper file ownership during rootfs creation
- Remove su command from start.sh (handled by LXC config)
Fixes the container crash loop caused by Lyrion refusing to run as root.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Tor Shield:
- Store current_preset in UCI when enabling with preset
- Return current_preset in status response
- Initialize currentPreset from stored UCI value on page load
Security Threats:
- Fix get_security_stats() firewall packet counting
- Use correct nftables chain names (input_wan, handle_reject)
- Fix grep -c exit code issue (returns 1 when no matches)
- Improve numeric validation (use tr -cd to strip non-digits)
- Add fallbacks for HAProxy socket paths
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- refresh_ips now fetches reverse DNS for exit IP
- Status includes exit_hostname from cache
- Dashboard displays hostname below exit IP
- get_exit_ip also returns hostname
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The expect: { success: false } was causing LuCI RPC to return false
instead of the actual response. Changed all expect declarations to
empty objects to get raw API responses.
Also improved error messages to show actual response for debugging.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Clicking a preset card now enables/restarts Tor with that preset
- Previously it only selected the preset for next toggle
- Added better error handling for toggle and preset changes
- Page reloads after successful preset change
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The toggle handler was receiving status captured at render time which
could be stale due to polling. Now fetches fresh status before deciding
to enable or disable, and does a full page reload after action.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The cumulative impact summary was showing zeros because it only checked
the plugins catalog. Now also counts:
- HAProxy vhosts directly from UCI
- Running LXC containers
- Running Docker containers
- Firewall WAN ACCEPT rules with ports
- DNSmasq entries
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix disabled buttons in Network Tweaks using conditional rendering
- Change AdGuard Home ports to avoid conflicts (web: 3003, dns: 5353)
- Add DNS & Proxy link from Tor Shield to Network Tweaks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add always-visible toggle switch at top of dashboard
- Clear visual indication: green when protected, red when exposed
- Shows protection status text and toggle switch
- Easier one-click enable/disable of Tor protection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add AdGuard Home status card with enable/disable and Open UI button
- Add setAdGuardEnabled RPCD method for Docker container control
- Rename section to "DNS & Proxy Services"
- Responsive grid layout for 3 service cards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CDN cache status card with enable/disable and restart buttons
- Add WPAD auto-proxy card with enable/disable toggle
- Add getProxyStatus, getWpadStatus, setWpadEnabled RPCD methods
- Move menu to Services section
- Update ACL for CDN cache and WPAD control
Also fixes:
- security-threats: Fix HAProxy socket path for connection stats
- tor-shield: Add missing ACL methods for excluded destinations
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_excluded_destinations() method to list bypassed destinations
- Add add_excluded_destination() to exclude IPs/CIDRs/domains from Tor
- Add remove_excluded_destination() to remove exclusions
- Add apply_exclusions() to restart tor-shield with new rules
- Domain resolution attempts to get IP for iptables compatibility
- Existing private network CIDRs (192.168/10/172.16/127) are default excluded
Also includes metablogizer fixes:
- reload_haproxy() helper function
- Server address uses 127.0.0.1 for uhttpd backends
- fix_permissions() on file uploads
PKG_RELEASE: tor-shield=3, metablogizer=3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add reload_haproxy() helper function for consistent reloads
- Use 127.0.0.1 for uhttpd backend address instead of 192.168.255.1
- Call fix_permissions() on upload_file to ensure correct file access
- Update delete_site to use reload_haproxy helper
- Bump PKG_RELEASE to 3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BREAKING: Default policy changed from quarantine to open
- Disabled by default (was enabled)
- Default policy: open (was quarantine - blocked new devices!)
- Auto-zoning: disabled by default
- Auto-parking zone: lan_private (was guest)
- Night block schedule: disabled by default
- Threat auto-ban: disabled by default
Safety mechanisms added:
- MAX_BLOCKED_DEVICES limit (10) prevents mass blocking
- check_safety_limit() function validates before blocking
- clear_all_cg_rules() emergency function via RPCD
- safety_status RPCD method to check current state
UI improvements:
- Added warnings for restrictive policies
- Reordered options (safe options first)
- Clearer descriptions of consequences
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move 9 service apps from admin/secubox/services/ to admin/services/:
- localai, lyrion, magicmirror2, mailinabox, mmpm
- nextcloud, ollama, vhost-manager, mitmproxy
Services now appear under standard LuCI Services menu for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix LAPI status check to dynamically read port from config
- Previously hardcoded wrong port (8080 vs 8180)
- Add comprehensive SecuBox feed documentation to README
- Document opkg configuration, HAProxy publishing, troubleshooting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_network_info RPCD method:
- Public IPv4/IPv6 detection via external services
- Reverse DNS hostname lookup
- External port accessibility test (upstream router/ISP check)
- Enhance check_service_health:
- Compare DNS resolution against actual public IP
- Detect private IP misconfiguration (192.168.x.x pointing)
- Test external port reachability
- Add Network Connectivity panel to dashboard:
- Shows public IPs with hostnames
- External port 80/443 accessibility status
- Local firewall and HAProxy status
- Improve URL Readiness Checker:
- Display public IP info
- Show specific recommendations with IP addresses
- Detect and explain DNS pointing to private IP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document all features including:
- Health monitoring and URL readiness checker
- Service publishing workflow
- Health check API usage
- Troubleshooting guide for common issues
- UCI configuration reference
- RPCD methods reference
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add health check RPCD methods:
- check_service_health: Check DNS, cert, firewall for single domain
- check_all_health: Batch check all published services
- Add URL Readiness Checker wizard card to dashboard:
- Check if domain DNS resolves correctly
- Verify firewall ports 80/443 are open
- Check SSL certificate status
- Show actionable recommendations
- Display inline health status badges on service rows:
- DNS resolution status (ok/failed)
- Certificate expiry (ok/warning/critical/expired)
- Add health summary bar showing overall system status
- Add per-service health check button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Automatically creates firewall rules for HAProxy when:
- Requesting a certificate (haproxyctl cert add)
- Publishing a service with a domain (service-registry)
Added firewall rules:
- HAProxy-HTTP: Allow port 80 from WAN (ACME challenges)
- HAProxy-HTTPS: Allow port 443 from WAN (HTTPS traffic)
Rules are only created if they don't exist, preventing duplicates.
Firewall reloads automatically after rule creation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Certificate issuance now uses webroot mode instead of standalone:
- HAProxy routes /.well-known/acme-challenge/ to local ACME webserver
- Added acme_challenge backend on port 8402
- Uses busybox httpd to serve challenge files
- No HAProxy restart required during certificate requests
- Config auto-regenerates before cert request to ensure ACME backend
This eliminates downtime during certificate issuance and allows
multiple concurrent certificate requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy Certificates:
- Add async certificate request API (start_cert_request, get_cert_task)
- Non-blocking ACME requests with background processing
- Real-time progress tracking with phases (starting → validating → requesting → verifying → complete)
- Add staging vs production mode toggle for ACME
- New modern UI with visual progress indicators
- Task persistence and polling support
Service Registry:
- Fix QR codes using api.qrserver.com (Google Charts deprecated)
- Fix form prefill with proper _new section selectors
- Add change event dispatch for LuCI form bindings
- Update landing page generator with working QR API
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove expect clause from RPC declarations to get raw response
- Add proper error handling with catch blocks for all RPC calls
- Fix landing page generator to chmod 644 after generation
- Fixes "No Services Found" issue in dashboard
- Fixes "Forbidden" error when accessing landing page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement Service Registry LuCI app for unified service management:
- RPCD backend aggregating services from HAProxy, Tor, netstat, LXC
- One-click publish to clearnet (HAProxy+ACME) and/or Tor hidden service
- Static landing page generator with QR codes for all URLs
- LuCI dashboard with service grid, quick publish form
- CLI tool (secubox-registry) for command-line management
- Share buttons for X, Telegram, WhatsApp
RPCD methods: list_services, publish_service, unpublish_service,
generate_landing_page, get_qr_data, list_categories
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix tor-shield/api.js: Use baseclass.extend() pattern correctly
- Fix tor-shield ACL: Add missing 'restart' write permission
- Fix secubox-app-tor: Disable conflicting default tor init in postinst
- Move metablogizer menu from secubox/services to admin/services
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC declaration with `expect: { sites: [] }` extracts the array
directly, so data[1] IS the sites array, not an object with .sites property.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
