# SecuBox Development Roadmap _Generated: 2026-03-07 | Based on WIP.md and HISTORY.md analysis_ > **Reference Architecture**: SecuBox Fanzine v3 — Les 4 Couches --- ## Executive Summary SecuBox is progressing through 4 architectural layers toward v1.0 certification readiness: - **Couche 1 (Core Mesh)**: ~85% complete — 40+ modules, mesh networking, services - **Couche 2 (AI Gateway)**: ~60% complete — LocalAI, agents, MCP server - **Couche 3 (MirrorNetworking)**: ~40% complete — Vortex DNS, identity, gossip - **Couche 4 (Certification)**: ~20% complete — Config Advisor, ANSSI prep --- ## Version Milestones ### v0.19 — Core Stability (Target: 2026-03-15) **Status: IN PROGRESS** | Task | Status | Dependencies | Priority | |------|--------|--------------|----------| | PhotoPrism full indexing | In Progress | HFS+ mount fix | High | | Avatar-Tap session replay | Complete | Mitmproxy integration | — | | Vhosts-checker RPCD fix | Complete | — | — | | Nextcloud Talk HPB (LXC) | Complete | coturn, NATS | — | | All Docker→LXC migration | 95% | — | Medium | | HAProxy crt-list SNI | Complete | — | — | | Streamlit emancipate CLI | Complete | DNS, HAProxy, Vortex | — | **Blockers:** - PhotoPrism indexing 391k photos (~4k done, ~96h estimated) --- ### v0.20 — AI Gateway Expansion (Target: 2026-03-30) **Status: PLANNED** | Task | Dependencies | Combo Opportunities | |------|--------------|---------------------| | LocalAI v3.9.0 Agent Jobs | LocalAI running | + Threat Analyst | | Threat Analyst auto-rules | LocalAI, CrowdSec | + DNS Guard AI | | DNS Guard AI detection | LocalAI, Vortex Firewall | + Insider WAF | | Network Anomaly AI | LocalAI, netifyd | + LocalRecall | | LocalRecall memory persist | SQLite | + All AI agents | | MCP Server tool expansion | LocalAI | + Claude Desktop | **Requirements:** - LocalAI operational (port 8091) - Minimum 2GB RAM for AI models - CrowdSec LAPI running **Combos:** - **AI Security Suite**: Threat Analyst + DNS Guard + Network Anomaly = comprehensive AI-powered defense - **Memory-Enhanced Agents**: LocalRecall + any agent = contextual learning --- ### v0.21 — MirrorNet Phase 1 (Target: 2026-04-15) **Status: PLANNED** | Task | Dependencies | Combo Opportunities | |------|--------------|---------------------| | MirrorNet identity (DID) | secubox-identity | + P2P Intel | | MirrorNet reputation | Identity | + IOC sharing | | MirrorNet gossip protocol | WireGuard mesh | + Config sync | | P2P Intel signed IOCs | Identity, CrowdSec | + Vortex Firewall | | Service mirroring | HAProxy, Vortex DNS | + Load balancing | **Requirements:** - At least 2 SecuBox nodes for mesh testing - WireGuard tunnels established - Vortex DNS master configured **Combos:** - **Mesh Security**: P2P Intel + Reputation + IOC sharing = distributed threat defense - **Service HA**: Mirroring + Health checks = automatic failover --- ### v0.22 — Station Cloning (Target: 2026-04-30) **Status: PLANNED** | Task | Dependencies | Priority | |------|--------------|----------| | Clone image builder | OpenWrt imagebuilder | High | | TFTP boot server | uhttpd | Medium | | Remote device flash | Dropbear SSH | Medium | | Auto-mesh join | Master-link tokens | High | | First-boot provisioning | UCI defaults | High | **Requirements:** - USB serial adapter for MochaBin - Network connectivity between master/clone - ~2GB storage for clone images --- ### v1.0 — Certification Ready (Target: 2026-06-01) **Status: PLANNING** | Task | Dependencies | Certification | |------|--------------|---------------| | Config Advisor ANSSI full | All security modules | ANSSI CSPN | | SBOM pipeline complete | CVE gating | CRA Annex I | | Vulnerability disclosure | SECURITY.md | CRA Art. 13 | | Security documentation | All modules | ISO 27001 | | Penetration test fixes | External audit | NIS2 | **Requirements:** - All v0.19-v0.22 complete - External security audit - Documentation review - Test coverage >80% --- ## Critical Path Analysis ``` v0.19 ──┬──> v0.20 (AI) ──┬──> v0.21 (MirrorNet) ──> v1.0 │ │ │ └──> v0.22 (Cloning) ──────┘ │ └──> PhotoPrism (background, non-blocking) ``` **Parallel Tracks:** 1. **AI Track**: LocalAI → Agents → MCP → Memory (requires LocalAI operational) 2. **Mesh Track**: Identity → Gossip → P2P Intel → Mirroring (requires WireGuard mesh) 3. **Ops Track**: Cloning → Remote flash → Auto-provision (can start anytime) --- ## Dependency Graph ### Module Dependencies ``` ┌─────────────────┐ │ secubox-core │ └────────┬────────┘ ┌─────────────────┼─────────────────┐ │ │ │ ┌──────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐ │ HAProxy │ │ CrowdSec │ │ mitmproxy │ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ │ │ ┌──────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐ │ Vortex DNS │ │Threat Analyst│ │ Cookie Tracker│ └──────┬──────┘ └──────┬──────┘ └─────────────┘ │ │ ┌──────▼──────┐ ┌──────▼──────┐ │ MirrorNet │ │ LocalAI │ └─────────────┘ └──────┬──────┘ │ ┌──────▼──────┐ │ AI Agents │ └─────────────┘ ``` ### Service Dependencies | Service | Requires | Provides | |---------|----------|----------| | HAProxy | LXC, SSL certs | Vhost routing, WAF bypass | | CrowdSec | LAPI, scenarios | Threat decisions, bans | | mitmproxy | HAProxy routes | WAF inspection, analytics | | Vortex DNS | dnsmasq, DNS provider | DNS firewall, mesh domains | | LocalAI | 2GB+ RAM | Inference API | | Threat Analyst | LocalAI, CrowdSec | Auto-generated rules | | MirrorNet | WireGuard, Identity | Gossip, mirroring | | P2P Intel | Identity, CrowdSec | Signed IOC sharing | --- ## Resource Requirements ### Current Production (C3BOX gk2) | Resource | Usage | Notes | |----------|-------|-------| | RAM | 8GB total, ~4GB free | PhotoPrism uses 3.7GB during indexing | | Storage | 2TB NVMe, 1.6TB /mnt/MUSIC, 673GB /mnt/PHOTO | HFS+ read-only | | LXC Containers | 18 running | Auto-start enabled | | HAProxy Vhosts | 226 domains | 92 SSL certificates | | Services | 40+ running | Monitored by heartbeat | ### Minimum for v1.0 | Resource | Requirement | Purpose | |----------|-------------|---------| | RAM | 4GB | Core services + LocalAI | | Storage | 64GB + external | System + media | | Network | WAN + LAN | HAProxy + mitmproxy | | CPU | ARM64 4-core | Indexing, AI inference | --- ## Risk Register | Risk | Impact | Mitigation | Status | |------|--------|------------|--------| | PhotoPrism HFS+ writes | High | Sidecar to storage/, READONLY=true | Mitigated | | RPCD timeout large responses | Medium | Direct JSON output, no jshn for arrays | Mitigated | | LXC cgroup v2 compatibility | High | Remove cgroup:mixed, explicit device permissions | Mitigated | | BusyBox command limitations | Medium | Fallback methods (no timeout, read -t, etc.) | Documented | | Guacamole ARM64 binaries | Low | Manual build or alternative | Deferred | | No automated UI tests | Medium | Manual verification post-deploy | Accepted | --- ## Quick Reference: Current Task Priorities ### Immediate (This Week) 1. ~~Vhosts-checker RPCD fix~~ ✅ 2. ~~Nextcloud Talk HPB LXC~~ ✅ 3. Monitor PhotoPrism indexing completion 4. Test all new vhosts (photos, lyrion, streamlit) ### Short-term (2 Weeks) 1. LocalAI Agent Jobs integration 2. Threat Analyst daemon tuning 3. MirrorNet identity module testing 4. Clone station documentation ### Medium-term (1 Month) 1. v0.20 AI Gateway features 2. P2P Intel mesh sharing 3. Remote device management 4. ANSSI compliance gaps --- ## Changelog - 2026-03-07: Initial roadmap generated from WIP.md and HISTORY.md analysis - Based on 60+ completed features since 2026-02-01 - 4 major version milestones defined - Critical path and dependency graph established