gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0cdbffda4c
secubox-openwrt/.claude/WIP.md
CyberMind-FR 0cdbffda4c feat(dev-status): Redesign widget v2.1 with dynamic architecture dashboard 
- 4-layer architecture visualization (Core, AI, MirrorNet, Certification)
- 22+ features with dependency tracking (dependsOn/usedBy)
- 80+ components with status indicators
- Interactive filters: layer, status, category with localStorage persistence
- Feature cards: click to expand and see full dependencies
- Live RPCD data refresh (60s auto-refresh)
- Standalone HTML page for public access (/dev-status.html)
- ES5 compatible for older browsers
- Milestone timeline to v1.0

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-09 13:02:28 +01:00

294 lines
12 KiB
Markdown
Raw Blame History

# Work In Progress (Claude)
_Last updated: 2026-03-09 (Dev Status Widget v2.1)_
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
---
## Recently Completed
### 2026-03-09
- **Dev Status Widget v2.1 (Dynamic Dashboard)**
- Complete redesign with 4-layer architecture visualization
- 22+ features with dependency tracking (dependsOn/usedBy)
- 80+ components with status indicators
- Interactive filters: layer, status, category with localStorage persistence
- Feature cards: click to expand, show full dependencies/components
- Layer cards: click to filter features by layer
- Interconnection graph showing feature dependencies
- Milestone timeline to v1.0 with progress tracking
- Production stats display (185 packages, 226 vhosts, etc.)
- Auto-refresh with live RPCD data (60s interval)
- ES5 compatible for older browsers
- Standalone HTML page: `/dev-status.html` (no auth required)
- Files: `dev-status-widget.js`, `dev-status.js`, `dev-status-standalone.html`
- **DNS Zone Configuration Sync**
- Fixed BIND zone path mismatch: `/srv/dns/zones/``/etc/bind/zones/`
- Added ganimed.fr zone declaration to `named.conf.zones`
- Synced zone files between LuCI-managed and BIND-loaded paths
- **Mitmproxy WAF Memory Optimization**
- Diagnosed memory leak (687MB RSS)
- Added flow limits: `--set flow_detail=0 --set hardlimit=500`
- Reduced memory to 77MB
- Fixed `/srv/mitmproxy-in/haproxy-routes.json` for git.maegia.tv
- **Config Backups Repository**
- Created `config-backups/` directory with BIND zones
- Created private `secubox-configs` repo on local Gitea
- Git remote: `git@git.maegia.tv:reepost/secubox-configs.git`
### 2026-03-08
- **RTTY Remote Control Module (Phase 3 - Web Terminal)**
- Web Terminal view: Embeds ttyd (port 7681) via iframe
- Node selector: Local/remote target selection
- Remote detection: Direct ttyd connection or SSH fallback
- RPCD method: start_terminal for remote node terminal info
- Menu: Remote Control → Remote Support → Web Terminal
- Fullscreen and refresh controls
- **RTTY Remote Control Module (Phase 2 - Token-Based Shared Access)**
- Token authentication: 6-character codes grant RPC/terminal access without LuCI login
- CLI commands: `rttyctl token generate/list/validate/revoke`, `rttyctl token-rpc`
- RPCD methods: token_generate, token_list, token_validate, token_revoke, token_rpc
- Support Panel: Generate code → Share → Support person connects without auth
- Configurable TTL (30m/1h/2h/4h), permission tracking, usage counter
- Local address detection: Direct ubus for local calls (bypasses HTTP auth limits)
- Deployed and tested: Token RPC works for all ubus methods
- **RTTY Remote Control Module (Phase 1 - RPCD Proxy)**
- Backend: `secubox-app-rtty-remote` with `rttyctl` CLI
- Frontend: `luci-app-rtty-remote` with KISS dashboard
- RPCD Proxy: Execute remote ubus calls to mesh nodes over HTTP
- CLI commands: `rttyctl nodes/rpc/rpc-list/rpc-batch/auth/sessions`
- RPCD methods: status, get_nodes, rpc_call, rpc_list, get_sessions, connect
- Session tracking with SQLite database
- Master-link integration for authentication
- Tested: `rttyctl rpc 127.0.0.1 system board` works
- **lldh360.maegia.tv BIND Zone Fix**
- DNS was returning NXDOMAIN despite zone file existing
- Root cause: BIND (named) is the authoritative DNS, not dnsmasq
- Zone file `/srv/dns/zones/maegia.tv.zone` existed but wasn't registered in BIND
- Added zone entry to `/etc/bind/named.conf.zones`
- Restarted BIND (named), domain now resolves correctly
- Site accessible via HTTPS (HTTP 200)
- **HAProxy mitmproxy Port Fix**
- Changed mitmproxy-in WAF port from 8890 to 22222
- Fixed UCI config regeneration issue (was overwriting manual edits)
- All vhosts now routing correctly through WAF
- **Vortex DNS Zone Management & Secondary DNS**
- Added zone commands: `vortexctl zone list/dump/import/export/reload`
- Added secondary DNS commands: `vortexctl secondary list/add/remove`
- Zone dump generates BIND format zone files in `/srv/dns/zones/`
- Supports OVH as secondary DNS with AXFR zone transfer
- RPCD methods: zone_list, zone_dump, zone_import, zone_export, zone_reload, secondary_list, secondary_add, secondary_remove
- ACL permissions updated for all new methods
- Enables importing zones from Gandi and becoming authoritative DNS master
- **Maegia Domains Audit & Fix**
- Fixed 3 broken domains (503 errors): crt.maegia.tv, git.maegia.tv, glances.maegia.tv
- Created missing vhost UCI configs for all 3 domains
- Added mitmproxy routes: crt→8503, git→3001, glances→61208
- Fixed ganimed.maegia.fr route IP: 127.0.0.1 → 192.168.255.1
- Fixed lldh360.maegia.tv WAF bypass: metablog_lldh360 → mitmproxy_inspector
- All 27 maegia domains now operational (4 have 404 content issues)
### 2026-03-07
- **HAProxy mitmproxy_inspector Backend Fix**
- mitmproxy_inspector backend had NO server section (causing 503 for all WAF vhosts)
- Added UCI server section: `mitmproxy_inspector_srv` pointing to 192.168.255.1:8890
- Fixed haproxyctl duplicate userlist warning and _emit_sorted_path_acls indentation
- All vhosts now correctly routing through WAF
- **Lyrion Routing Fix**
- Changed lyrion vhost backend from `lyrion_web` to `mitmproxy_inspector`
- Was bypassing WAF, now properly routed through mitmproxy-in
- **Jellyfin Route IP Fix**
- Fixed mitmproxy route: 192.168.255.1 → 192.168.255.31 (container's actual IP)
- Jellyfin container has dedicated veth interface on br-lan
- **lldh360.maegia.tv Routing Fix + SSL**
- Fixed mitmproxy routes: 127.0.0.1 → 192.168.255.1 (all 187 routes updated)
- Restored HAProxy config from backup (haproxyctl generate was corrupted)
- Installed Let's Encrypt SSL certificate (valid until 2026-06-05)
- Enabled HTTP→HTTPS redirect
- Site now accessible via HTTPS
- Site now accessible via HTTP on port 9003
- **cybaxe.gk2.secubox.in Port Conflict Fix**
- Changed port from 9000 to 9004 (9000 reserved for Lyrion Music Server)
- Updated metablogizer, HAProxy backend, and mitmproxy routes
- Created placeholder index.html (site content needs gitea sync)
- Site now accessible via HTTPS
- **Mitmproxy-in Port Conflict Fix**
- Changed mitmproxy-in WAF port from 8889 to 8890
- Port 8889 conflicted with avatar-tap Streamlit service
- Updated HAProxy mitmproxy_inspector backend configuration
- Fixed HAProxy runtime state caching via socket command
- **Vhosts Recovery**
- Started stopped LXC containers: jellyfin, jitsi, peertube, gotosocial, glances
- Fixed glances container cgroup v2 config (cgroup.memory.limit_in_bytes → cgroup2.memory.max)
- Fixed mitmproxy route IPs: 127.0.0.1 → 192.168.255.1 (LXC can't reach host localhost)
- All 11 key vhosts now operational (jellyfin, social, glances, tube, meet, zoo, portal, cloud, photos, lyrion, streamlit)
- **Vhosts-Checker RPCD Fix**
- Fixed XHR timeout issue in LuCI dashboard
- Root cause: jshn overhead for 226 vhosts + subshell issues with pipes
- Solution: Direct JSON output with printf, temp file instead of pipes
- Deployed ACL file for authentication
- **ROADMAP.md Generation**
- Created comprehensive roadmap from WIP and HISTORY analysis
- Version milestones: v0.19 → v0.20 → v0.21 → v0.22 → v1.0
- Critical path analysis and dependency graph
- Resource requirements and risk register
- **Avatar-Tap Session Capture & Replay**
- Backend: `secubox-avatar-tap` - passive network tap via mitmproxy
- CLI: `avatar-tapctl` with start/stop/list/replay/label/delete commands
- LuCI: `luci-app-avatar-tap` KISS dashboard with session table
- Features: Cookie/auth header capture, session replay, SQLite storage
- Runs in Streamlit LXC container on port 8889 (mitmproxy-in moved to 8890)
- Future: Nitrokey/GPG integration for secure replay authorization
- **PhotoPrism Photo Gallery Deployment**
- Linked /mnt/PHOTO (673GB, 391k photos) to PhotoPrism originals
- Fixed HFS+ read-only mount issue (sidecar writes to storage/)
- Indexing in progress: HEIC conversion, thumbnail generation, AI labels
- HAProxy vhost + SSL cert for photos.gk2.secubox.in
- **Service Fixes & HAProxy Vhosts**
- Fixed Lyrion music mount: /mnt/MUSIC (1.6TB) now accessible
- Fixed Portal routing (was 503, now working)
- Added missing vhosts: lyrion.gk2.secubox.in, streamlit.gk2.secubox.in
- Requested and installed SSL certs for all 3 new domains
- Fixed ACME webroot configuration (uhttpd home path)
- **Source Code Updates**
- Updated default paths: Lyrion→/mnt/MUSIC, PhotoPrism→/mnt/PHOTO
- Committed and pushed to master
### 2026-03-06
- **PhotoPrism Private Photo Gallery**
- Backend: `secubox-app-photoprism` with LXC container (Debian Bookworm)
- CLI: `photoprismctl` with install/start/stop/index/import/emancipate commands
- LuCI: `luci-app-photoprism` KISS dashboard with stats and actions
- Features: AI face recognition, object detection, places/maps
- HAProxy integration via mitmproxy (WAF-safe, no bypass)
- SQLite database (simpler, no external DB), FFmpeg transcoding, HEIC support
- Dependencies: libvips42 for image processing
- **AI Gateway `/login` Command**
- CLI: `aigatewayctl login [provider]` - Interactive or scripted provider authentication
- Validates credentials against provider API before saving
- Rollback on validation failure (preserves previous credentials)
- Format warnings: Claude keys should start with `sk-ant-`, OpenAI with `sk-`
- RPCD: `login` method for LuCI frontend integration
- ACL: Added write permission for `login` method
### 2026-03-04
- **SBOM Pipeline for CRA Annex I Compliance**
- `scripts/check-sbom-prereqs.sh` - Prerequisites validation
- `scripts/sbom-generate.sh` - Multi-source SBOM generation
- `scripts/sbom-audit-feed.sh` - PKG_HASH/PKG_LICENSE feed audit
- `.github/workflows/sbom-release.yml` - GitHub Actions with CVE gating
- `SECURITY.md` - CRA Art. 13 §6 compliant vulnerability disclosure
- **AI Gateway Full-Stack Implementation**
- 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Provider routing: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI
- `aigatewayctl` CLI with classify/sanitize/provider/audit commands
- `luci-app-ai-gateway` with 4 KISS-themed views
### 2026-03-03
- **Comprehensive Service Audit**
- WAF Enforcement: Disabled `waf_bypass` on 21 vhosts
- Container Autostart: Enabled on 9 essential containers
- Glances Fix: Resolved cgroup mount issue
- 18 LXC Containers Running
- **Vortex DNS Firewall Phases 1-4**
- Threat intel aggregator, SQLite blocklist, dnsmasq integration
- HTTP/HTTPS sinkhole server for infected client detection
- DNS Guard AI detection integration
- Mesh threat sharing via secubox-p2p blockchain
- **Image Builder Validation**
- Validated `secubox-image.sh`, `secubox-sysupgrade.sh`
- Fixed curl redirect issue: Added `-L` flag
### 2026-03-02
- **Reverse MWAN WireGuard v2 - Phase 2**
- LuCI Dashboard for Mesh Uplinks
- 9 RPC methods for uplink management
- 10-second live polling
### 2026-03-01
- **Reverse MWAN WireGuard v2 - Phase 1**
- WireGuard mesh peers as backup internet uplinks via mwan3 failover
- `wgctl` CLI: uplink list/add/remove/status/test/failover
- UCI config for global and per-uplink settings
- **Nextcloud Integration Enhancements**
- WAF-safe SSL routing, scheduled backups, SMTP integration
- CalDAV/CardDAV/WebDAV connection info display
---
## In Progress
- **RTTY Remote Control Module (Phase 4 - Session Replay)**
- Avatar-tap integration for session capture
- Replay captured sessions to target nodes
- Session export/import functionality
---
## Next Up
### v1.0 Release Prep
1. **Session Replay** - Avatar-tap integration for session capture/replay
2. **Remote ttyd Deployment** - Auto-install ttyd on mesh nodes
### v1.1+ Extended Mesh
1. **WAF Auto-Ban Tuning** (optional, as-needed)
- Sensitivity threshold adjustment based on production traffic
### Backlog
- SSMTP / mail host / MX record management (v2)
---
## Strategic Documents
- `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap
- `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture
- `SecuBox_MirrorNetworking_Paradigm_Reversal.html` — EnigmaBox autopsy → MirrorNet
- `SecuBox_Fanzine_v3_Feb2026.html` — 4-layer architecture overview
---
## Blockers / Risks
- No automated regression tests for LuCI views; manual verification required after SCP deploy.
- Guacamole ARM64 pre-built binaries not readily available.
Reference in New Issue View Git Blame Copy Permalink