gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
secubox-openwrt/.claude/TODO.md
CyberMind-FR 0809bc69c2 chore: Bump version to 1.0.0 
All major roadmap milestones achieved:
- v0.18 MirrorBox Core
- v0.19 AI Expansion + MirrorNet
- v1.0 Full Stack (VoIP, Matrix, Factory provisioning)
- v1.1+ Extended Mesh (Yggdrasil, Meshname DNS)

Updated version strings in:
- Makefile: PKG_VERSION 0.10.0 → 1.0.0, PKG_RELEASE reset to 1
- secubox CLI: SECUBOX_VERSION 0.9.0 → 1.0.0
- secubox-core daemon: SECUBOX_VERSION 0.8.2 → 1.0.0
- RPCD handlers: core.sh, dashboard.sh, luci.secubox
- common.sh: secubox_get_version()
- README.md header

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 16:05:39 +01:00

11 KiB
Raw Permalink Blame History

SecuBox TODOs (Claude Edition)

Last updated: 2026-03-16 (v1.0.0)

Architecture Reference: SecuBox Fanzine v3 — Les 4 Couches

Resolved

  • Expose cyberpunk option inside SecuBox Settings — Done: THEME_CHOICES now includes cyberpunk in settings.js.
  • Glances full system monitoring — Done: LXC host bind mounts, Docker socket, fs plugin patch, hostname/OS identity (2026-02-04).
  • Zigbee2MQTT dongle connection — Done: adapter ezspember, ZIGBEE2MQTT_DATA env var, direct /dev/ttyUSB0 passthrough (2026-02-04).
  • Metablogizer Upload Failures — Done: Chunked upload to bypass uhttpd 64KB JSON limit (2026-02-04).
  • Chip Header Layout Migration — Done: client-guardian and auth-guardian ported to sh-page-header + renderHeaderChip() (2026-02-05).
  • SMB/CIFS Shared Remote Directories — Done: secubox-app-smbfs + secubox-app-ksmbd (2026-02-04/05).
  • P2P App Store Emancipation — Done: P2P package distribution, packages.js view, devstatus.js widget (2026-02-04/05).
  • Navigation Component — Done: SecuNav.renderTabs() auto-inits theme+CSS, renderCompactTabs() (2026-02-05).
  • Monitoring UX — Done: Empty-state loading animation, dynamic bandwidth units via formatBits() (2026-02-05).
  • MAC Guardian Feed Integration — Done: Both IPKs built and added to bonus feed (2026-02-05).
  • Punk Exposure Multi-Domain DNS — Done: emancipate/revoke CLI, RPCD, Mesh column, Emancipate modal (2026-02-05).
  • Jellyfin Post-Install Wizard — Done: 4-step modal wizard for media library configuration (2026-02-05).
  • Domoticz IoT Integration — Done: LuCI dashboard, MQTT auto-bridge, Zigbee2MQTT integration (2026-02-04).
  • MCP Server — Done: secubox-mcp-server with 9 core tools + 5 AI-powered tools (LocalAI integration), Claude Desktop via SSH (2026-02-06).

Couche 1 — Core Mesh (35+ modules)

v0.18 Module Priorities

Package Status Notes
secubox-app-rustdesk DONE Native hbbs/hbbr binaries, auto-key generation
secubox-app-ksmbd DONE Mesh media server with pre-configured shares
secubox-app-domoticz DONE LXC Debian, MQTT bridge, Zigbee2MQTT
secubox-app-smbfs DONE Client-side SMB mount manager

Testing & Validation

  1. Mesh Onboarding Testing — DONE (2026-02-26)

    • master-link dynamic join IPK generation needs end-to-end testing on multi-node mesh.
    • P2P decentralized threat intelligence sharing needs validation with real CrowdSec alerts.
    • ZKP cross-node verification tested (bidirectional ACCEPT)
    • Threat IOC propagation tested (116 blocks synced)
    • Automatic SSH-based mesh sync configured (5-min cron)

  2. WAF Auto-Ban Tuning — DONE (2026-03-03)

    • Sensitivity thresholds may need adjustment based on real traffic patterns.
    • CVE detection patterns (including CVE-2025-15467) need false-positive analysis.
    • Added Amazon/OpenAI/Meta to bot whitelist
    • Changed sensitivity from strict to moderate (5 attempts in 600s)
    • Updated waf_bypass scenario to skip known bots

  3. Image Builder Validation — DONE (2026-03-03)

    • secubox-tools/ image builder and sysupgrade scripts need testing on physical hardware.
    • Syntax validation passed for all scripts (bash/POSIX sh)
    • ASU API connectivity verified, all device profiles valid
    • Fixed curl redirect handling (added -L flag to 9 curl calls)
    • First-boot script validated for correct package installation

Innovation CVE Layer 7

  • WAF analysis via Modsec IP + traffic analysis + CrowdSec CVE detection
  • Combines: secubox-app-waf + mitmproxy threat patterns + CrowdSec scenarios

Docs & Tooling

  • Document deployment scripts in README.md (what each script copies). — Done (2026-02-28)
  • Add lint/upload pre-check to prevent syntax errors before SCP. — Done (2026-02-28): pre-deploy-lint.sh validates JS/JSON/Shell/CSS syntax
  • Capture screenshot baselines for dark/light/cyberpunk themes.
  • Automate browser cache busting (append ?v=<version> to CSS URLs). — Done (2026-02-28): nav.js cache bust parameter

Couche 2 — AI Gateway

Data Classifier (Sovereignty Engine) — DONE (2026-02-28)

Classification Description Destination
LOCAL ONLY Raw network data, IPs, MACs, logs Never leaves device
SANITIZED IPs scrubbed, anonymized patterns Mistral EU (opt-in)
CLOUD DIRECT Generic queries, no sensitive data Claude/GPT (opt-in)

Package: secubox-ai-gateway — OpenAI-compatible proxy (port 4050) + Data Classifier + Audit Logging

  • Data Classifier with 3 tiers (LOCAL_ONLY, SANITIZED, CLOUD_DIRECT)
  • Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
  • PII Sanitizer for SANITIZED tier
  • OpenAI-compatible API on port 4050
  • aigatewayctl CLI
  • RPCD backend (11 methods)
  • ANSSI CSPN audit logging

6 Autonomous Agents

Agent Phase Description
Threat Analyst v0.18 CrowdSec alert analysis, threat correlation
DNS Guard v0.18 DNS anomaly detection, migration from current
CVE Triage v0.19 Vulnerability prioritization, patch recommendations
Network Anomaly v0.19 Traffic pattern analysis, baseline deviation
Log Analyzer v0.19 Cross-log correlation, incident timeline
Config Advisor v1.0 ANSSI compliance prep, configuration hardening

MCP Server — Le lien manquant

SecuBox MCP Server exposes device context to AI agents via Model Context Protocol:

MCP Tools:

  • crowdsec.alerts — Active threats and decisions
  • waf.logs — Web application firewall events
  • dns.queries — DNS query logs and anomalies
  • network.flows — Traffic flow summaries
  • system.metrics — CPU, memory, disk, temperature
  • wireguard.status — VPN tunnel status
  • uci.config — OpenWrt configuration access

Integration targets: Claude Desktop, Cursor, VS Code, custom agents

AI Provider Hierarchy

  1. Mistral (EU sovereign, GDPR compliant) — Priority 1
  2. Claude — Priority 2
  3. GPT — Priority 3
  4. Gemini — Priority 4
  5. xAI — Priority 5

All cloud providers are opt-in. Offline resilience: local tier always active.

Couche 3 — MirrorNetworking

EnigmaBox → MirrorNet Paradigm Reversal

Zero central authority: each box IS the network.

Dual Transport Architecture

Tier Protocol Purpose
Tier 1 WireGuard Known peers, trusted mesh
Tier 2 Yggdrasil Discovery, extended mesh (optional)

Services Mirrors (P2P Gossip)

  • Threat Intel: IoC signed gossip, distributed threat intelligence
  • AI Inference: Distributed model inference across mesh
  • Reputation: Trust scoring, peer reputation
  • Config & Updates: P2P configuration sync, firmware distribution

New Packages Roadmap

Package Version Description
secubox-mirrornet v0.19 Core mesh orchestration, gossip protocol
secubox-identity v0.19 did:plc generation, key rotation, trust scoring
secubox-p2p-intel v0.19 IoC signed gossip, threat intelligence
luci-app-secubox-mirror v0.19 Dashboard for peers, trust, services
secubox-voip v1.0 Asterisk micro-PBX, SIP/SRTP over mesh
secubox-matrix v1.0 Conduit Matrix server (~15MB RAM)
secubox-factory v1.0 Auto-provisioning via mesh P2P
yggdrasil-secubox v1.1+ Yggdrasil overlay + meshname DNS

Communication Layer

  • VoIP E2E: Asterisk/SRTP direct over WireGuard mesh (no exit server)
  • Matrix E2EE: Conduit federation on mesh
  • Mesh Email: Optional, deferred

Couche 4 — Roadmap

v0.18.0 — MirrorBox Core v1.0

  • LocalAI upgrade → 3.9 (Done 2026-02-06)
  • MCP Server implementation (Done 2026-02-06)
  • Threat Analyst agent (Done 2026-02-05)
  • DNS Guard AI migration (Done 2026-02-06)
  • LocalAI multi-channel emancipation (Done 2026-02-06)

v0.19.0 — AI Expansion + MirrorNet

  • CVE Triage agent (Done 2026-02-06)
  • Network Anomaly agent (Done 2026-02-06)
  • LocalRecall memory integration (Done 2026-02-06)
  • AI Insights dashboard (Done 2026-02-06)
  • MirrorNet core packages: (Done 2026-02-07)
    • secubox-mirrornet — Mesh orchestration, gossip protocol
    • secubox-identity — did:plc generation, trust scoring
    • secubox-p2p-intel — IoC signed gossip
    • luci-app-secubox-mirror — Dashboard for peers, trust, services
  • Master/Slave CDN Architecture:
    • Wildcard domain delegation (*.secubox.io concept) — secubox-vortex-dns (2026-02-05)
    • Service mirroring via reverse proxy chaining — mirrorctl (2026-02-07)
    • Gossip-based exposure config sync — vortexctl mesh sync (2026-02-05)
    • Hierarchical submastering/multimixslaving — vortexctl submaster (2026-02-05)

v1.0.0 — Full Stack

  • Config Advisor (ANSSI prep) — Done 2026-02-07
  • P2P Mesh Intelligence — Done 2026-02-26
  • Factory auto-provisioning — Done 2026-02-24
  • VoIP integration — Done 2026-02-19
  • Matrix integration — Done 2026-02-19

v1.1+ — Extended Mesh

  • Yggdrasil overlay — Done 2026-02-26 (bidirectional IPv6, SSH, LAN multicast discovery)
  • Meshname DNS — Done 2026-02-28 (decentralized .ygg resolution via gossip + dnsmasq)
  • Extended peer discovery — Done 2026-02-28 (yggctl CLI, gossip-based peer announcements, trust-verified auto-peering)

Certifications Ciblees

Certification Status Target
ANSSI CSPN In Progress v1.0
ISO 27001 Planned v1.1
NIS2 Planned v1.1
CE Planned v1.0
GDPR Compliant Current
SOC2 Planned v1.2

ANSSI CSPN Strategy: Data Classifier + Mistral EU + offline mode = triple sovereignty proof

Deferred / Backlog

Tor Shield / opkg Bug — RESOLVED (2026-02-28)

  • opkg downloads fail (wget returned 4) when Tor Shield is active.
  • Root cause: DNS queries for package repos went through Tor DNS, which is slow/unreliable
  • Fix: Added dnsmasq bypass for excluded domains (/tmp/dnsmasq.d/tor-shield-bypass.conf)
  • Excluded domains now resolve directly via upstream DNS, bypassing Tor
  • Default exclusions include: openwrt.org, pool.ntp.org, letsencrypt.org, DNS provider APIs

v2 Long-term

  • Nextcloud self-hosted cloud storage
  • SSMTP / mail host / MX record management
  • Reverse MWAN WireGuard peers (multi-WAN failover over mesh)

Veille Cyber — Février 2026

Space for current threat intelligence and security news relevant to SecuBox development.

  • CVE-2025-15467: WAF detection patterns added
  • Monitor for new CrowdSec scenarios
  • Track OpenWrt security advisories