- Added gemini provider with models: gemini-1.5-flash, gemini-1.5-pro, gemini-pro
- Updated RPCD handler with Gemini API endpoint
- Updated settings.js with Google AI Studio link
- Updated chat.js to parse Gemini response format
- Changed Ollama default URL to LocalAI (port 8091)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: reload_haproxy() now copies config to /etc/haproxy.cfg
- haproxyctl: generate_config() syncs to /etc/haproxy.cfg after generation
- Fixes issue where newly uploaded sites return 404 because HAProxy
reads config from /etc/haproxy.cfg but config was only generated to
/srv/haproxy/config/haproxy.cfg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add login.html with RPCD authentication via luci.secubox-users
- Add reset.html for token-based password recovery
- Both pages use SecuBox cyberpunk dark theme
- Default password: Secubox@2026
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The IP Blocklist backend package was missing from the feed.
Manually built and added the IPK since wget-ssl dependency
failed to build in the SDK.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace jsonfilter with grep for CrowdSec decision counting
- Add ipset existence check before listing blocked IPs
- Add safety fallbacks for empty/invalid counts
- Bump version to 0.5.2-r2
The jsonfilter -e '@[*]' approach failed with CrowdSec's
multi-line JSON output, causing exit code 251 errors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse HTML directory listing instead of non-existent index.json
- URL-encode colon in date path for LXC image server
- Add mount_chroot_fs/umount_chroot_fs helpers for proper chroot
- Mount /dev, /dev/pts, /proc, /sys before running apt
- Remove php-smbclient (not in base repos)
- Install gnupg/gpgv first for apt verification
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Regenerated Packages index with proper Filename fields for all ipk files.
Updated all package versions to latest builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite overview.js to use KissTheme wrapper
- Add health status cards for Agent, Manager, Indexer, CrowdSec
- Add alert statistics with color-coded counters
- Add security layers table (Firewall, IPS, SIEM, WAF)
- Add quick actions with restart agent button
- Include built IPK in secubox-feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
false positives from normal login flows
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Reset Password button to user table
- Add showResetPasswordModal with password confirmation
- Add callUserPasswd RPC declaration
- Fix RPCD handler to read JSON from stdin or $3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add init.d script for daemon mode with procd integration
- Update Makefile to install init script
- Add packages to bonus feed (secubox-vortex-dns, luci-app-vortex-dns)
- Update tracking files with completion status
Features:
- Master/slave hierarchical DNS delegation
- Wildcard domain management (*.domain)
- First Peek auto-registration of services
- Gossip-based exposure config sync via secubox-p2p
- Submastering for nested hierarchies
- LuCI dashboard with mode detection and action buttons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-threat-analyst: AI-powered threat analysis with CrowdSec integration
- luci-app-threat-analyst: LuCI dashboard for threat intelligence
- secubox-dns-guard: DNS security monitoring and blocking
- secubox-mcp-server: Model Context Protocol server for AI assistant integration
Enhancements:
- dns-provider: Add DynDNS support (dyndns, get, update, domains commands)
- gandi.sh: Full DynDNS with WAN IP detection and record updates
- luci-app-dnsguard: Upgrade to v1.1.0 with improved dashboard
Infrastructure:
- BIND9 DNS setup for secubox.in with CAA records
- Wildcard SSL certificates via DNS-01 challenge
- HAProxy config fixes for secubox.in subdomains
- Mail server setup with Roundcube webmail
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Build and add secubox-app-mac-guardian_0.5.0-r1_all.ipk
- Build and add luci-app-mac-guardian_0.5.0-r1_all.ipk
- Sync luci-app-mac-guardian to local-feed for SDK building
- Update apps-local.json catalog with proper metadata:
- Category: security, Icon: wifi
- Descriptions for frontend and backend packages
- Rebuild all bonus feed packages
Package features:
- WiFi MAC address spoofing detection
- OUI anomaly detection for device fingerprinting
- MAC flood protection via hotplug.d integration
- CrowdSec scenarios for automated threat response
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The z2m 2.x breaking changes required three fixes discovered during
live deployment testing on the router:
- Adapter renamed from `ezsp` to `ember` in zigbee-herdsman 4.0.0
- Config format needs `version: 4` and nested `homeassistant.enabled`
- Start script needs `ZIGBEE2MQTT_DATA` env var for correct config path
- Add `mosquitto-nossl` as package dependency (MQTT broker required)
- Direct `/dev/ttyUSB0` passthrough works; socat TCP bridge does not
Also updates project planning files (HISTORY.md, TODO.md, WIP.md,
CLAUDE.md) and rebuilds bonus feed with latest IPKs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Includes rebuilt packages with RPCD function wrapper fix, crowdsec
decisions fix, and new secubox-app-jellyfin package.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Includes device-intel, dns-provider, crowdsec-dashboard, and jellyfin
packages plus updated Packages index.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker-based Jellyfin media server with UCI config (port, image, media
paths, GPU transcoding), procd init, jellyfinctl CLI, and LuCI frontend
with status/config/logs view.
Also adds Punk Exposure Engine architectural README documenting the
Peek/Poke/Emancipate service exposure model and DNS provider API
roadmap. CLAUDE.md updated with architectural directive.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use >/dev/null 2>&1 instead of just 2>/dev/null when sourcing
master-link.sh and calling chain_add_block, mesh_init, peer_add,
factory_trust_peer, and gossip_sync to prevent p2p-mesh.sh usage
text and block hashes from corrupting CGI JSON responses.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Read LXC path from /etc/lxc/lxc.conf instead of hardcoding /var/lib/lxc
(OpenWrt uses /srv/lxc by default)
- Skip Alpine rootfs download if file already exists in /tmp
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-mitmproxy: Sensitivity-based auto-ban system
- luci-app-mitmproxy: Updated frontend
- luci-app-crowdsec-dashboard: Ban button on alerts page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Integrate SimpleX Chat SMP and XFTP servers for privacy-focused messaging:
- secubox-app-simplex: Backend with LXC container management
- SMP server for message relay (port 5223)
- XFTP server for encrypted file sharing (port 443)
- Auto-download of SimpleX binaries for aarch64/x86_64
- TLS certificate generation (self-signed or Let's Encrypt)
- Firewall and HAProxy integration
- luci-app-simplex: LuCI dashboard with:
- Service status monitoring
- Server address display with copy-to-clipboard
- Full configuration forms for SMP, XFTP, and TLS
- Install/certificate management actions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace pipe-to-while loops with grep/cut to avoid subshell variable
scope issues in method_status, method_get_providers, and method_set_provider.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Updated packages:
- luci-app-ollama: KISS UI rewrite
- luci-app-secubox-netdiag: Temperature monitoring and port mode controls
- secubox-core, secubox-p2p: Latest versions
- All other packages rebuilt with current SDK
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change nav paths from services/crowdsec to security/crowdsec in alerts,
bouncers, decisions, and settings views to match the new menu location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPCD returns data directly without wrapping in a 'result' object,
but api.js was using expect: { result: {} } which caused empty data
in the UI (0 sites shown instead of 6).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace overview.js with dashboard.js using standard cbi-* classes
- Add api.js module for RPC declarations
- Show port, runtime, backend_running status in sites table
- Add sync_config, discover_vhosts, import_vhost RPC methods
- Update ACL with new method permissions
- Menu: Sites -> Dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Running Instances section with enable/disable/delete actions
- Add Instance form to create new instances on different ports
- Add Gitea clone functionality to pull apps from repositories
- Add Gitea configuration section in Settings page
- RPCD handler now supports:
- get_gitea_config, save_gitea_config
- gitea_clone, gitea_pull, gitea_list_repos
- API module exports all new Gitea methods
- Upload supports both .py files and .zip archives
- Instance status shown with colored indicators
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When an app has no description, return empty string instead of null
to prevent "null" text from being rendered in the instances table.
Also: secubox-p2p bumped to v0.6.0-r3 with catalog fix.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use POST method for creating new files and PUT for updates.
Gitea requires this distinction - PUT with no SHA fails for new files.
Changes:
- Use POST for creating new files in catalog_push_gitea()
- Use PUT only when existing SHA is available (updates)
- Add explicit branch parameter for consistency
- Bump version to 0.6.0-r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The sync-routes command was failing to generate routes for most vhosts due to:
- Subshell bug: pipe in while loop caused variable changes to be lost
- Only supported old-style backends (inline .server field)
- Did not support new-style backends with separate =server sections
Changes:
- Rewrite sync-routes to avoid subshell by using temp file
- Add support for both backend styles (inline and separate server sections)
- Use original_backend field when vhosts are in inspection mode
- Skip luci/fallback/mitmproxy_inspector backends in route generation
Now properly generates 13+ routes for HAProxy backend inspection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy → mitmproxy → Backend inspection chain for filtering
all vhost traffic through mitmproxy with threat detection
- Add haproxy_router.py addon for Host-based request routing
- Add mitmproxyctl commands: sync-routes, haproxy-enable, haproxy-disable
- Add auth token to status response for Web UI auto-authentication
- Add HAProxy Backend Inspection section to LuCI status page with
enable/disable/sync controls
- Add HAProxy Router settings section to LuCI settings page
- LXC container now supports dual-port mode (8888 + 8889 for HAProxy)
- Token displayed with copy button in dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Swiss Army knife for SecuBox with interactive menu and direct commands:
- status: System overview with services, docker, mesh
- mesh: P2P mesh operations (peers, discover, sync)
- security: CrowdSec status, threats, block/unblock
- docker: Container management
- haproxy: Vhosts and reload
- network: Diagnostics, ports, connections
- recover: Snapshot/restore operations
- feed: Package management
Also updates feed with Jitsi packages and core v0.10.0-r11.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
