gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4ce50821d5
secubox-openwrt/.claude/HISTORY.md
CyberMind-FR 4ce50821d5 docs: Update HISTORY.md with metrics dashboard features 
- Entry 30: SecuBox Metrics Dashboard (v0.19.14)
- Entry 31: CrowdSec Decision Count Fix (v0.19.15)
- Entry 32: Active Sessions Panel (v0.19.15)
- Entry 33: Live Real-Time Metrics Dashboard (v0.19.16)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 11:53:42 +01:00

1043 lines
67 KiB
Markdown
Raw Blame History

# SecuBox UI & Theme History
_Last updated: 2026-02-10_
1. **Unified Dashboard Refresh (2025-12-20)**
- Dashboard received the "sh-page-header" layout, hero stats, and SecuNav top tabs.
- Introduced shared `secubox/common.css` design tokens.
2. **Modules & Monitoring Modernization (2025-12-24)**
- Modules view adopted the same header/tabs plus live chip counters.
- Monitoring cards switched to SVG sparkline charts with auto-refresh.
3. **Alerts + Settings Overhaul (2025-12-27)**
- Alerts page now mirrors the dashboard style, dynamic header chips, and filtering controls.
- Settings view gained the SecuNav tabs, chips, and shared design language.
4. **Theme Synchronisation & Deployment (2025-12-28)**
- All SecuBox views call `Theme.init()` to respect dark/light/system preferences.
- Navigation bar now darkens automatically for dark/cyberpunk themes.
- Monitoring menu entry simplified (no `/overview` shim) to prevent LuCI tab duplication.
5. **Router Deployment Notes**
- Use `secubox-tools/deploy-secubox-dashboard.sh` for view-only pushes.
- Use `secubox-tools/deploy-secubox-v0.1.2.sh` for RPCD/config updates.
- Always clear `/tmp/luci-*` after copying UI assets.
6. **SecuBox v0.5.0-A Polish (2025-12-29)**
- Monitoring and Modules views drop legacy hero/filter UIs; all tabs now use SecuNav styling.
- Help/Bonus page adopts the shared header, navbar entry, and chips.
- Alerts buttons use `sh-btn` components; nav + title chips inherit theme colors.
7. **Multi-Instance Support (2026-01-20)**
- CrowdSec LAPI port configuration fix for multi-instance deployments.
- Streamlit and HexoJS gain multi-instance management support.
- HAProxy enhanced with instance-specific configuration.
8. **HexoJS Build & Publish Integration (2026-01-21)**
- Added LuCI interface for Gitea-based Hexo build and publish workflows.
- Automated Git operations for static site generation.
9. **ARM64 Toolchain Build Requirement (2026-01-27)**
- Discovered SIGILL crashes on ARM64 (MochaBin) due to LSE atomics in SDK-built Go binaries.
- Documented requirement: Go/CGO packages (crowdsec, netifyd) MUST use full OpenWrt toolchain.
- SDK produces binaries with LSE atomic instructions that crash on some Cortex-A72 CPUs.
- Updated CLAUDE.md, secubox-tools/README.md with toolchain build rules.
10. **Documentation Regeneration (2026-01-27)**
- README.md updated to v0.16.0 with all 38 modules categorized.
- Added build requirement table distinguishing SDK vs toolchain builds.
- secubox-tools/README.md updated to v1.1.0 with SDK vs toolchain guidance.
11. **Service Registry & HAProxy ACME v0.15.0 (2026-01-28)**
- `service-registry`: Unified service aggregation dashboard with dynamic health checks, URL readiness wizard, public IP detection, and external port checks.
- `haproxy`: Webroot ACME mode (no HAProxy restart), async cert workflow, auto-open firewall when publishing.
- Menu reorganization: CrowdSec, Threat Monitor, Network Diagnostics, WireGuard all moved to LuCI Services menu.
- `tor-shield`: Exit node hostname (reverse DNS), presets with immediate activation, excluded destinations for CDN/direct, master protection switch.
- `network-tweaks`: AdGuard Home DNS control, CDN cache and WPAD proxy controls, cumulative impact counters for HAProxy vhosts/LXC/firewall.
- `client-guardian`: Safe defaults, emergency clear, and safety limits.
- `metablogizer`: Improved site creation and HAProxy integration.
- Portal: HTTP health checks and speedtest integration.
- CrowdSec: Dynamic LAPI port detection.
- 30 commits, 15 feat / 12 fix / 3 refactor.
12. **App Store KISS Evolution & Dependency Cleanup (2026-01-29)**
- Renamed `luci-app-secubox-bonus` to `secubox-app-bonus` (feeds-based architecture).
- Implemented KISS Evolution for app store: feeds, profiles, skills, feedback system.
- Stripped all libc/libubox/libubus/libuci dependencies from SecuBox packages.
- Added `PKG_FLAGS:=nonshared` to prevent automatic libc dependency injection.
13. **P2P Hub & SecuBox Console (2026-01-30)**
- `secubox-p2p`: Full P2P Hub with globe peer visualization, Hub Registry, Services Registry, parallel component sources, auto-self mesh, master deployment, DNS bridge, WireGuard mirror, Gitea repository creation, mesh backup, test cloning, gigogne distribution mode, and mDNS service publishing.
- `secubox-console`: Linux host TUI frontend with CLI tools lexical reference.
- `cdn-cache`: Added MITM SSL bump support for HTTPS caching.
- `metablogizer`: Tor hidden service integration, DNS resolution fixes, permissions fixes.
- `streamlit`: ZIP upload with selective tree extraction.
- `crowdsec-dashboard`: Extensible theming system (later removed), UCI ubus permissions.
- `secubox-core`: P2P Hub API and wizard-first menu.
- `secubox-app-bonus`: Added `secubox-feed install all` command.
- 40+ commits — largest single-day effort in project history.
14. **P2P MirrorBox & Factory Dashboard (2026-01-31)**
- `secubox-p2p` v0.6.0: MirrorBox NetMesh Catalog with DNS federation, distributed mesh services panel, WAN IP and WireGuard tunnel redundancy, mDNS service publishing, REST API for mesh visibility.
- `secubox-factory`: Unified dashboard with signed Merkle snapshots and HMAC-style signing for OpenWrt compatibility.
- `portal`: KISS redesign with service categorization.
- `crowdsec-dashboard`: KISS rewrite, console enrollment, CrowdSec theme integration, dynamic port/path detection.
- `secubox-swiss`: Unified CLI tool for SecuBox operations.
- `jitsi`: Jitsi Meet video conferencing integration.
- `mitmproxy`: HAProxy backend inspection, token auth, enhanced threat detection analytics v2.0.
- `secubox-core`: P2P mesh API endpoints for console discovery.
15. **KISS UI Rewrites & DNS Guard (2026-02-01)**
- `streamlit`: KISS UI redesign with instances management, Gitea integration, and multiple upload bug fixes.
- `metablogizer`: KISS UI redesign with backend status display.
- `ollama`: KISS UI rewrite with model suggestions and thermal monitoring.
- `netdiag`: Thermal monitoring integration.
- `dnsguard`: New DNS Guard app with provider lookup methods.
- `haproxy`: AdGuard Home detection, improved service discovery, reserved ports with listening verification.
- `p2p`: Distributed catalog with Gitea sync and health probing.
- `mitmproxy`: Enhanced threat patterns; moved to Security menu.
- `network-tweaks`: Moved to Network menu.
- `crowdsec-dashboard`: Nav path fixes, alerts/countries display fixes.
- `wireguard-dashboard`: QR code generation fix.
- `exposure`: Reserved ports with listening verification.
16. **WAF Auto-Ban & Security Hardening (2026-02-02)**
- `waf`: Sensitivity-based auto-ban system with CrowdSec integration and comprehensive CVE detection patterns (including CVE-2025-15467).
- `mitmproxy`: WAN protection mode for incoming traffic inspection; LAN transparent proxy disabled by default.
- `simplex`: SimpleX Chat self-hosted messaging servers.
- `crowdsec`: KISS setup simplification, CAPI enrollment status, restored working setup page.
- `local-build`: Added missing toolchain package shorthands and feeds path fix.
- WAF auto-ban statistics added to dashboards.
17. **Mesh Security & MAC Guardian (2026-02-03)**
- `mac-guardian`: New WiFi MAC security monitor with DHCP lease protection for odhcpd.
- `master-link`: Secure mesh onboarding with dynamic join IPK generation.
- `security-threats`: KISS rewrite with mesh threat intelligence, LXC mitmproxy detection.
- `p2p`: Decentralized threat intelligence sharing via mesh.
- `tor-shield`: Server mode for split-routing with public IP preservation.
- `wireguard-dashboard`: jshn bypass for QR code (argument size limit), peer private key persistence in UCI, server endpoint persistence.
- `localai`: gte-small preset, RPC expect unwrapping and chat JSON escaping fixes.
- `lyrion`: WAN access checkbox for firewall rules, networking fixes for device discovery.
- `tools`: SecuBox image builder and sysupgrade scripts.
- RPCD/LuCI frontend guidelines added to CLAUDE.md.
- KISS READMEs added for all 46 remaining packages.
18. **New Packages & Exposure Redesign (2026-02-04)**
- `jellyfin`: New media server package with LXC container, uninstall/update/backup, HAProxy integration, and LuCI actions.
- `zigbee2mqtt`: Complete rewrite from Docker to LXC Alpine container.
- `device-intel`: New device intelligence package with OUI emoji display (BusyBox compatibility fixes, SDK build pattern alignment).
- `dns-provider`: New DNS provider management package.
- `exposure`: KISS redesign with enriched service names, vhost integration, DNS domain sorting; toggle switch fix.
- `streamlit`: Chunked upload to bypass uhttpd 64KB JSON limit, UTF-8 `.py` file upload fix, auto-install requirements from ZIP, non-standard filename support.
- `crowdsec-dashboard`: Decisions list fix (wrong RPC expect key).
- RPCD: BusyBox ash `local` keyword compatibility fix (wrap call handlers in function).
- `glances`: Full host system visibility — LXC bind mounts for `/rom`, `/overlay`, `/boot`, `/srv`, Docker socket at `/run/docker.sock` (symlink loop fix), `@exit_after` fs plugin patch (multiprocessing fails in LXC), host hostname via `lxc.uts.name`, OpenWrt OS identity from `/etc/openwrt_release`, pre-generated `/etc/mtab` from host `/proc/mounts`.
- `zigbee2mqtt`: Direct `/dev/ttyUSB0` passthrough (socat TCP bridge fails ASH protocol), adapter `ezsp`→`ember` (z2m 2.x), `ZIGBEE2MQTT_DATA` env var, `mosquitto-nossl` dependency.
- `smbfs`: New SMB/CIFS remote mount manager package — UCI config, `smbfsctl` CLI (add/remove/mount/umount/test/status), auto-mount init script, credentials storage, Jellyfin+Lyrion integration, catalog entry.
- `jellyfin`: KISS READMEs for both backend and LuCI packages.
- `domoticz`: Rewrite from Docker to LXC Debian container with native binary from GitHub releases. LuCI dashboard with IoT integration status (Mosquitto, Zigbee2MQTT, MQTT bridge), service lifecycle, HAProxy, mesh P2P, logs. `domoticzctl` with `configure-mqtt` (auto Mosquitto+Z2M bridge), `configure-haproxy`, `backup/restore`, `mesh-register`, `uninstall`. UCI extended with mqtt/network/mesh sections. Catalog updated.
- LXC cgroup2 fix: Added `lxc.tty.max`, `lxc.pty.max`, `lxc.cgroup2.devices.allow` for standard character devices, and `lxc.seccomp.profile` disable to fix terminal allocation failures on cgroup v2 systems. Applied to `streamlit` and `domoticz`.
- `metablogizer`: Chunked upload to bypass uhttpd 64KB JSON limit (same pattern as Streamlit). Added `upload_chunk` and `upload_finalize` RPCD methods, binary file support via ArrayBuffer read.
- `p2p`: P2P App Store Emancipation — decentralized package distribution across mesh peers.
CGI API: `/api/factory/packages` (local catalog JSON), `/api/factory/packages-sync` (aggregated mesh catalog).
RPCD: 7 new methods for peer packages, fetch, sync, feed settings.
CLI: `secubox-feed peers/search/fetch-peer/fetch-any/sync-peers` commands.
LuCI: `packages.js` view under MirrorBox > App Store with LOCAL/PEER badges, unified catalog, one-click fetch/install.
UCI: `config p2p_feed` section with share_feed, auto_sync, sync_interval, prefer_local, cache_ttl.
- `rustdesk`: New self-hosted RustDesk relay server package — pre-built ARM64 binaries from GitHub releases (hbbs/hbbr), auto-key generation, `rustdeskctl` CLI with install/status/keygen/logs/configure-firewall/mesh-register.
- `guacamole`: New Apache Guacamole clientless remote desktop gateway — LXC Debian container with guacd + Tomcat, UCI-based connection management (SSH/VNC/RDP), `guacamolectl` CLI with install/add-ssh/add-vnc/add-rdp/list-connections/configure-haproxy.
- `services.js`: Fixed RPC expect unwrapping bug causing empty local services list.
- `content-pkg`: New content distribution system — `secubox-content-pkg` CLI packages Metablogizer sites and Streamlit apps as IPKs for P2P mesh distribution. Auto-publish hooks in metablogizerctl/streamlitctl. `secubox-feed sync-content` auto-installs content packages from peers. Sites get HAProxy vhosts, Streamlit apps run as service instances.
- `devstatus.js`: New Development Status widget under MirrorBox > Dev Status — generative/dynamic dashboard with real-time polling, Gitea commit activity (15 recent commits), repository stats, MirrorBox App Store package counts (local/peer/unique), v1.0 progress bar (0-100%) with 8 milestone categories, color-coded completion indicators.
19. **ksmbd & UI Consistency (2026-02-05)**
- `ksmbd`: New `secubox-app-ksmbd` mesh media server package — `ksmbdctl` CLI with enable/disable/status/add-share/remove-share/list-shares/add-user/mesh-register, UCI config with pre-configured shares (Media, Jellyfin, Lyrion, Backup), Avahi mDNS announcement, P2P mesh registration.
- `client-guardian`: Ported to `sh-page-header` chip layout with 6 status chips (Online, Approved, Quarantine, Banned, Threats, Zones).
- `auth-guardian`: Ported to `sh-page-header` chip layout with 4 status chips (Status, Sessions, Portal, Method), sessions table, quick actions card.
20. **Navigation Component Refactoring (2026-02-05)**
- `secubox/nav.js`: Unified navigation widget with auto-theme initialization.
- `renderTabs(active)`: Main SecuBox tabs with automatic Theme.init() and CSS loading.
- `renderCompactTabs(active, tabs, options)`: Compact variant for nested modules.
- `renderBreadcrumb(moduleName, icon)`: Back-navigation to SecuBox dashboard.
- Eliminated ~1000 lines of duplicate CSS from module nav files.
- Updated modules: `cdn-cache`, `client-guardian`, `crowdsec-dashboard`, `media-flow`, `mqtt-bridge`, `system-hub`.
- Views no longer need to require Theme separately or manually load CSS.
21. **Monitoring UX Improvements (2026-02-05)**
- Empty-state loading animation for charts during 5-second data collection warmup.
- Animated "Collecting data..." overlay with pulsing dots.
- Chart legend shows "Waiting" → "Live" transition.
- Cyberpunk theme support for empty state styling.
- Dynamic bandwidth units via new `formatBits()` helper.
- Network rates now display in bits (Kbps/Mbps/Gbps) instead of bytes.
- Uses SI units (1000 base) for industry-standard notation.
- Dash placeholder ("— ↓ · — ↑") before first data point.
22. **Punk Exposure Emancipate CLI (2026-02-05)**
- `secubox-exposure emancipate <service> <port> <domain> [--tor] [--dns] [--mesh] [--all]`
- Unified multi-channel exposure: Tor + DNS/SSL + Mesh in single command.
- Creates DNS A record via `dnsctl`, HAProxy vhost, requests certificate.
- Publishes to mesh via `secubox-p2p publish`.
- Stores emancipation state in UCI for status tracking.
- `secubox-exposure revoke <service> [--tor] [--dns] [--mesh] [--all]`
- Inverse of emancipate: removes exposure from selected channels.
- Cleans up DNS records, HAProxy vhosts, certificates, mesh publishing.
- Enhanced `status` command shows emancipated services with active channels.
23. **Punk Exposure LuCI Dashboard (2026-02-05)**
- RPCD handler extended with three new methods:
- `emancipate` - orchestrates multi-channel exposure via CLI
- `revoke` - removes exposure from selected channels
- `get_emancipated` - returns list of emancipated services with channel status
- API wrapper (`exposure/api.js`) exports `emancipate()`, `revoke()`, `getEmancipated()`.
- ACL updated in `luci-app-exposure.json` for new methods.
- Dashboard UI enhancements:
- New Mesh column with toggle switch (blue theme)
- Emancipate button in header with rocket emoji
- Multi-channel modal with Tor/DNS/Mesh checkboxes
- Mesh badge count in header stats
- CSS additions: `.exp-badge-mesh`, `.mesh-slider`, `.exp-btn-action`.
24. **Jellyfin Post-Install Setup Wizard (2026-02-05)**
- 4-step modal wizard for first-time Jellyfin configuration.
- RPCD methods added to `luci.jellyfin`:
- `get_wizard_status` - checks container state and wizard completion
- `set_wizard_complete` - marks wizard as finished in UCI
- `add_media_path` / `remove_media_path` - manage media library entries
- `get_media_paths` - returns configured media libraries
- Wizard auto-triggers when installed but `wizard_complete=0`.
- Steps: Welcome (Docker/container checks), Media (add paths), Network (domain/HAProxy), Complete.
- New CSS file `jellyfin/wizard.css` with step indicators and form styling.
- Makefile updated to install CSS resources.
25. **MAC Guardian Feed Integration (2026-02-05)**
- Built and added `secubox-app-mac-guardian` and `luci-app-mac-guardian` IPKs to bonus feed.
- Synced `luci-app-mac-guardian` to local-feed (backend was already synced).
- Updated `apps-local.json` catalog with proper metadata:
- `luci-app-mac-guardian`: category "security", icon "wifi", description "WiFi MAC address security monitor with spoofing detection"
- `secubox-app-mac-guardian`: icon "wifi", description "WiFi MAC security backend with CrowdSec integration"
- Package features: MAC spoofing detection, OUI anomaly detection, MAC floods, CrowdSec scenarios integration.
26. **Fanzine v3 Roadmap Alignment (2026-02-06)**
- Restructured TODO.md and WIP.md to align with SecuBox Fanzine v3 4-layer architecture:
- **Couche 1 — Core Mesh**: 35+ modules, v0.18 priorities, testing/validation, CVE Layer 7
- **Couche 2 — AI Gateway**: Data Classifier, 6 Autonomous Agents, MCP Server, provider hierarchy
- **Couche 3 — MirrorNetworking**: EnigmaBox → MirrorNet, dual transport, Services Mirrors, VoIP/Matrix
- **Couche 4 — Roadmap**: v0.18/v0.19/v1.0/v1.1+ milestones, certifications (ANSSI, ISO, NIS2)
- Added strategic reference to Fanzine v3 document.
- Consolidated completed items under "Resolved" section.
- Created version milestone checklists for tracking progress.
27. **LocalAI Upgrade to v3.9.0 (2026-02-06)**
- Upgraded `secubox-app-localai` from v2.25.0 to v3.9.0.
- New features in v3.9.0:
- **Agent Jobs Panel**: Schedule and manage background agentic tasks via web UI and API
- **Memory Reclaimer**: LRU eviction for loaded models, automatic VRAM cleanup
- **VibeVoice backend**: New voice synthesis support
- Updated README with complete CLI reference, model presets table, API endpoints.
- Part of v0.18 AI Gateway roadmap (Couche 2).
28. **MCP Server Implementation (2026-02-06)**
- Created `secubox-mcp-server` package — Model Context Protocol server for AI integration.
- **Protocol**: JSON-RPC 2.0 over stdio, MCP version 2024-11-05.
- **Core tools** (9 total):
- `crowdsec.alerts`, `crowdsec.decisions` — CrowdSec threat intelligence
- `waf.logs` — WAF/mitmproxy threat events
- `dns.queries` — DNS statistics from AdGuard Home/dnsmasq
- `network.flows` — Network traffic summary with interface stats
- `system.metrics` — CPU, memory, disk, temperature monitoring
- `wireguard.status` — VPN tunnel status with peer details
- `uci.get`, `uci.set` — OpenWrt configuration access (set disabled by default)
- **AI-powered tools** (5 total, require LocalAI):
- `ai.analyze_threats` — AI analysis of CrowdSec alerts with recommendations
- `ai.cve_lookup` — CVE vulnerability analysis with mitigation advice
- `ai.suggest_waf_rules` — AI-suggested mitmproxy/WAF filter patterns
- `ai.explain_ban` — Explain CrowdSec ban decisions in plain language
- `ai.security_posture` — Full security assessment with scoring
- **Security features**:
- UCI-based tool whitelist — only allowed tools can be invoked
- Sensitive data blocked in uci.get (password, secret, key, token)
- uci.set disabled by default, requires explicit enable
- Data classification support (local_only, sanitized, cloud_direct)
- **Claude Desktop integration** via SSH:
```json
{"mcpServers":{"secubox":{"command":"ssh","args":["root@192.168.255.1","/usr/bin/secubox-mcp"]}}}
```
- Files: `secubox-mcp` main server, `protocol.sh` JSON-RPC handler, 8 tool modules.
- Part of v0.18 AI Gateway roadmap (Couche 2).
29. **Threat Analyst Agent Implementation (2026-02-05)**
- Created `secubox-threat-analyst` — AI-powered autonomous threat analysis and filter generation agent.
- **Architecture**:
- Collector: Gathers threats from CrowdSec, mitmproxy, netifyd DPI
- Analyzer: LocalAI-powered intelligent analysis and pattern recognition
- Generators: Rule creation for three targets
- Appliers: Auto-apply or queue for approval
- **Generated rule types**:
- `mitmproxy`: Python filter class with IP blocklist, URL patterns, User-Agent detection
- `CrowdSec`: YAML scenarios for AI-detected attack patterns
- `WAF`: JSON rules for SQLi, XSS, path traversal, scanner detection
- **CLI commands**: status, run, daemon, analyze, generate, gen-mitmproxy, gen-crowdsec, gen-waf, list-pending, approve, reject
- **UCI configuration**: interval, LocalAI URL/model, auto-apply per target (mitmproxy auto, CrowdSec/WAF queued), min_confidence, max_rules_per_cycle
- Created `luci-app-threat-analyst` — LuCI dashboard with AI chatbot.
- **Dashboard features**:
- Status panel: daemon state, LocalAI connectivity, threat counts
- AI Chat: real-time conversation with threat analyst AI
- Pending rules: approve/reject queue for generated rules
- Threats table: recent security events with severity badges
- **RPCD methods**: status, get_threats, get_alerts, get_pending, chat, analyze, generate_rules, approve_rule, reject_rule, run_cycle
- Part of v0.18 AI Gateway roadmap (Couche 2).
30. **DNS Guard AI Migration (2026-02-06)**
- Created `secubox-dns-guard` — AI-powered DNS anomaly detection daemon.
- **Detection modules** (5 total):
- `dga`: Domain Generation Algorithm detection via Shannon entropy analysis (threshold 3.2)
- `tunneling`: DNS tunneling/exfiltration detection (subdomain length, base64/hex patterns, TXT rate)
- `rate_anomaly`: Unusual query rate detection (queries/min, unique domains/min thresholds)
- `known_bad`: Known malicious domain matching against external blocklists
- `tld_anomaly`: Suspicious TLD detection (xyz, top, club, etc.) and punycode/IDN homograph detection
- **LocalAI integration**:
- Intelligent threat analysis and domain classification (BLOCK/MONITOR/SAFE)
- Pattern analysis and malware family identification
- Single domain analysis via CLI
- **Approval workflow**:
- Auto-apply mode for trusted detections
- Queue mode for human approval (configurable per confidence threshold)
- Pending blocks approval via CLI or LuCI
- **CLI commands**: status, run, daemon, analyze, detect, check <domain>, stats, top-domains, top-clients, list-pending, approve/reject/approve-all
- **UCI configuration**: interval, LocalAI URL/model, auto_apply_blocks, min_confidence (80%), max_blocks_per_cycle, per-detector settings
- Updated `luci-app-dnsguard` to v1.1.0:
- New "AI Guard" tab with daemon toggle, alert/pending/blocked counts
- Pending blocks approval panel with approve/reject actions
- Real-time alerts panel with type-colored badges
- "Analyze" tab with domain checker and detection module status
- RPCD extended with 11 new methods: guard_status, get_alerts, get_pending, approve_block, reject_block, approve_all, ai_check, get_blocklist, unblock, get_stats, toggle_guard
- Part of v0.18 AI Gateway roadmap (Couche 2).
31. **LocalAI Multi-Channel Emancipation (2026-02-06)**
- Exposed LocalAI (port 8091) via Punk Exposure system with 3 channels:
- **Tor**: `b7lmlfs3b55jhgqdwbn6unhjhlfflq6ch235xa2gsdvxe7toxcf7qyad.onion`
- **DNS/SSL**: `localai.secubox.local` via HAProxy with ACME certificate
- **mDNS**: `_secubox._tcp.local` mesh advertisement via Avahi
- Command: `secubox-exposure emancipate localai 8091 localai.secubox.local --all`
- Documented MirrorNetworking vision for v0.19:
- Master/slave hierarchical domain delegation (*.sb → xxx.sb)
- Service mirroring via reverse proxy chaining
- Gossip-based exposure config sync
- Submastering/multimixslaving architecture
32. **Threat Analyst KISS Dashboard v0.1.0 (2026-02-05)**
- Regenerated `luci-app-threat-analyst` following CrowdSec dashboard KISS template pattern.
- **Architectural changes**:
- `api.js`: Migrated from plain object to `baseclass.extend()` pattern
- `dashboard.css`: External CSS file (loaded dynamically in view)
- `dashboard.js`: View-only JS following CrowdSec pattern with `view.extend()`
- **CVE integration**:
- System Health: New "CVE Alerts" indicator with warning icon (yellow) when CVEs detected
- Threats table: New CVE column with hyperlinks to NVD (`https://nvd.nist.gov/vuln/detail/CVE-XXXX-XXXXX`)
- CVE extraction: `extractCVE()` function in API parses CVE-YYYY-NNNNN patterns from scenarios
- CVE row styling: Red-tinted background for CVE-related threats
- **RPCD updates**:
- Status method now returns `cve_alerts` count from CrowdSec alerts
- Fixed output bug (grep `|| echo 0` causing double output)
- **CSS additions**:
- `.ta-health-icon.warning` for CVE alerts in health section
- `.ta-cve-link` for NVD hyperlinks (red badge style)
- `.ta-cve-row` for highlighted CVE threat rows
- Following LuCI UI Generation Model Template v0.1.0 for future KISS modules.
33. **Unified Backup Manager & Custom Mail Server (2026-02-05)**
- Created `secubox-app-backup` — unified backup system for LXC containers, UCI config, service data.
- **CLI commands**: create (full/config/containers/services), list, restore, status, cleanup
- **Container ops**: container list/backup/restore/backups
- **Profile ops**: profile list/create/apply/share (delegates to secubox-profile)
- **Remote sync**: sync --push/--pull (Gitea integration)
- **Libraries**: containers.sh, config.sh, remote.sh
- **Storage structure**: /srv/backups/{config,containers,services,profiles}
- Created `luci-app-backup` — LuCI dashboard for backup management.
- **Status panel**: storage path, usage, last backup times
- **Quick actions**: Full/Config/Containers backup buttons
- **Container table**: name, state, size, backup count, backup button
- **Backup history**: file, type, size, date (sorted by timestamp)
- **RPCD methods**: status, list, container_list, create, restore, cleanup, container_backup, container_restore
- Created `secubox-app-mailserver` — custom Postfix + Dovecot mail server in LXC container.
- **mailctl CLI**: install, start/stop/restart, status
- **User management**: user add/del/list/passwd, alias add/list
- **SSL**: ssl-setup (ACME DNS-01), ssl-status
- **DNS integration**: dns-setup (creates MX, SPF, DMARC via dnsctl)
- **Mesh backup**: mesh backup/restore/sync/add-peer/peers/enable/disable
- **Webmail integration**: webmail status/configure (Roundcube container)
- **Libraries**: container.sh, users.sh, mesh.sh
- Enhanced `dnsctl` with subdomain generation and mail DNS:
- `generate <service> [prefix]` — auto-create subdomain A record with public IP
- `suggest [category]` — subdomain name suggestions (web, mail, dev, media, iot, security)
- `mail-setup [host] [priority]` — create MX, SPF, DMARC records
- `dkim-add [selector] <pubkey>` — add DKIM TXT record
- Renamed `secbx-webmail` Docker container to `secubox-webmail` for consistency.
34. **HAProxy/Mailserver LXC cgroup Fixes & Documentation (2026-02-06)**
- Fixed HAProxy LXC container cgroup mount failure:
- Removed `lxc.mount.auto = proc:mixed sys:ro cgroup:mixed` which fails on cgroup v2 hosts
- Simplified to explicit `lxc.mount.entry` bind mounts only
- Updated `haproxyctl` `lxc_create_config()` function with working config
- Fixed Docker-to-LXC mailserver connectivity:
- Added socat TCP proxies on ports 10143/10025 in mailserver init.d script
- Configured Dovecot with `disable_plaintext_auth = no` for local connections
- Roundcube can now reach LXC mailserver via host-bridged ports
- Documentation updates:
- Added "LXC container fails with cgroup:mixed" section to FAQ-TROUBLESHOOTING.md
- Updated CLAUDE.md Session Startup section to include FAQ-TROUBLESHOOTING.md consultation
- Key recommendation: avoid `lxc.mount.auto` entirely, use explicit bind mounts
35. **Vortex DNS - Meshed Subdomain Delegation (2026-02-05)**
- Created `secubox-vortex-dns` — meshed multi-dynamic subdomain delegation system.
- **Modes**:
- **Master**: Owns wildcard domain (*.secubox.io), delegates subzones to slaves
- **Slave**: Receives delegated subdomain from master (node1.secubox.io)
- **Submaster**: Hierarchical delegation (master → submaster → slaves)
- **Standalone**: Default mode, mesh-only participation
- **CLI commands** (`vortexctl`):
- Master: `master init <domain>`, `master delegate <node> <zone>`, `master revoke <zone>`, `master list-slaves`
- Slave: `slave join <master> <token>`, `slave leave`, `slave status`
- Mesh: `mesh sync`, `mesh publish <service> <domain>`, `mesh unpublish`, `mesh status`
- Submaster: `submaster promote`, `submaster demote`
- General: `status`, `daemon`
- **Mesh integration**:
- First Peek: Auto-registers new services in mesh DNS
- Gossip-based exposure config sync via `secubox-p2p`
- Published services tracked in `/var/lib/vortex-dns/published.json`
- **DNS provider integration**:
- Uses `dnsctl` from `secubox-app-dns-provider` for programmatic DNS record management
- Auto-creates wildcard A record on master init
- NS/A records for zone delegation
- Created `luci-app-vortex-dns` — LuCI dashboard.
- Status panel: mode badge, enabled state, sync interval, last sync time
- Master section: wildcard domain, DNS provider, delegated slave count, zones table
- Slave section: parent master, delegated zone
- Mesh section: gossip state, First Peek, peer count, published services
- Actions: Sync Mesh, Initialize as Master, Join as Slave, Delegate Zone
- **RPCD methods**: status, get_slaves, get_peers, get_published, master_init, delegate, revoke, slave_join, mesh_sync, mesh_publish
- Part of v0.19 MirrorNetworking roadmap (Couche 3).
36. **Network Anomaly Detection Agent (2026-02-06)**
- Created `secubox-network-anomaly` — AI-powered network traffic anomaly detection.
- **Detection modules** (5 total):
- `bandwidth_anomaly`: Traffic spike detection via EMA baseline comparison
- `connection_flood`: Connection count threshold monitoring
- `port_scan`: Unique destination port enumeration detection
- `dns_anomaly`: DNS query volume anomaly detection
- `protocol_anomaly`: TCP/UDP ratio deviation (flags >50% UDP as suspicious)
- **Data collection**:
- Interface bandwidth from `/sys/class/net/*/statistics/`
- Connection tracking from `/proc/net/nf_conntrack`
- DNS queries from dnsmasq/AdGuard logs
- **CLI commands** (`network-anomalyctl`):
- `status`, `run`, `daemon` — service control
- `analyze` — LocalAI-powered threat assessment
- `list-alerts`, `ack <id>`, `clear-alerts` — alert management
- `baseline [reset]` — EMA baseline control
- **UCI configuration**:
- Thresholds: bandwidth_spike_percent (200%), new_connections_per_min (50), unique_ports_per_host (20), dns_queries_per_min (100)
- Detection flags: per-detector enable/disable
- LocalAI integration: url, model, min_confidence (75%)
- Auto-block: optional CrowdSec integration
- Created `luci-app-network-anomaly` — LuCI dashboard.
- Status panel: daemon state, LocalAI, alert count, connection count
- Health checks: daemon, LocalAI, auto-block, interval, last run
- Network stats: real-time RX/TX, connections, unique ports
- Actions: Run Detection, AI Analysis, Reset Baseline, Clear Alerts
- Alerts table: time, type, severity, message, ack button
- **RPCD methods**: status, get_alerts, get_stats, run, ack_alert, clear_alerts, reset_baseline, analyze
- Part of v0.19 AI Gateway roadmap (Couche 2).
37. **LocalRecall AI Memory System (2026-02-06)**
- Created `secubox-localrecall` — persistent memory for AI agents.
- **Memory categories**:
- `threats`: Security threat patterns and detections
- `decisions`: Agent decisions with outcomes (approved/rejected/auto)
- `patterns`: Learned behavioral patterns
- `configs`: Configuration snapshots and changes
- `conversations`: AI conversation context
- **Memory storage**:
- JSON-based storage in `/var/lib/localrecall/memories.json`
- EMA-based importance scoring (1-10)
- Access tracking with timestamps and counts
- Category-based indexing
- **CLI commands** (`localrecallctl`):
- `status`, `add`, `get`, `search`, `list`, `recent`, `important`
- `delete`, `cleanup`, `export`, `import`
- `summarize`, `context`, `stats`
- **LocalAI integration**:
- `summarize_memories()` — AI-powered memory summarization
- `auto_memorize()` — Extract key facts from text
- `get_agent_context()` — Build context for agent tasks
- `record_decision()`, `record_threat()` — Structured memory helpers
- **UCI configuration**:
- Retention: max_memories (1000), retention_days (90)
- Categories: enable/disable per category
- Agents: enable/disable per agent
- Cleanup: auto_cleanup, cleanup_hour, keep_important
- Created `luci-app-localrecall` — LuCI dashboard.
- Stats: total/threats/decisions/patterns counts
- Categories panel with icons and counts
- Agent breakdown panel
- Actions: AI Summary, Search, Cleanup, Export
- Add memory form with category, importance, content
- Recent memories table with delete
- **RPCD methods**: status, get_memories, search, stats, add, delete, cleanup, summarize, export, import
- Part of v0.19 AI Gateway roadmap (Couche 2).
38. **AI Insights Dashboard (2026-02-06)**
- Created `luci-app-ai-insights` — unified AI security insights dashboard.
- **Security Posture Score**:
- 0-100 score with color-coded display (Excellent/Good/Fair/Poor/Critical)
- Dynamic factor calculation: LocalAI status, agent online counts, CrowdSec alerts, CVE severity
- Real-time score updates via polling
- **Agent Status Grid**:
- Visual cards for 4 agents: Threat Analyst, DNS Guard, Network Anomaly, CVE Triage
- Online/offline status with color indicators
- Alert count badges per agent
- **Aggregated Alerts**:
- Unified view of alerts from all agents
- Source-colored badges (rule/alert/cve)
- Relative timestamps
- **Actions**:
- Run All Agents — triggers detection cycles on all agents
- AI Analysis — LocalAI-powered security assessment with recommendations
- View Timeline — security events from system log (24h)
- Link to LocalRecall memory dashboard
- **RPCD methods**: status, get_alerts, get_posture, get_timeline, run_all, analyze
- Part of v0.19 AI Gateway roadmap (Couche 2).
39. **MirrorNet Core Packages (2026-02-07)**
- Created `secubox-mirrornet` — mesh orchestration core with 5 library modules.
- **Identity module** (`identity.sh`):
- DID generation: `did:plc:<16-char-fingerprint>` (AT Protocol compatible)
- HMAC-SHA256 keypair management with Ed25519 fallback
- Key rotation with backup, identity document export/import
- Peer identity storage and resolution
- **Reputation module** (`reputation.sh`):
- Trust scoring (0-100) with decay and ban thresholds
- Event logging: sync_success/failed, valid/invalid_ioc, fast/slow_response, offline/online
- Trust levels: excellent (80+), good (60+), moderate (40+), low (20+), untrusted
- Ban threshold (default 10), min_trust threshold (default 20)
- **Mirror module** (`mirror.sh`):
- Service mirroring via reverse proxy chaining
- Upstream management with priority-based failover
- HAProxy backend configuration generation
- Health check integration with automatic failover
- **Gossip module** (`gossip.sh`):
- Enhanced gossip protocol with priority routing (critical > high > normal > low > background)
- TTL-based message forwarding with configurable max_hops (default 5)
- Deduplication with 5-minute window
- Message types: ioc, peer_status, config_sync, service_announce, mirror_update, reputation_update
- **Health module** (`health.sh`):
- Per-peer latency and packet loss monitoring
- HTTP health checks with configurable endpoints
- Anomaly detection against EMA baselines
- Alert generation with acknowledgment workflow
- **CLI** (`mirrorctl`): 30+ commands for identity, reputation, mirror, gossip, health, daemon
- **UCI configuration**: roles (master/submaster/peer), gossip interval, health thresholds, mirror settings
- Created `luci-app-secubox-mirror` — LuCI dashboard.
- Identity card: DID, hostname, role, version
- Status grid: peers, messages, services, alerts
- Peer reputation table with trust levels and reset action
- Gossip stats: sent/received/forwarded/dropped
- Health alerts with acknowledgment
- Mirrored services table
- **RPCD methods**: status, get_identity, get_peers, get_reputation, get_health, get_mirrors, get_gossip_stats, get_alerts, reset_reputation, ack_alert, add_mirror, trigger_failover, broadcast
- Part of v0.19 MirrorNetworking roadmap (Couche 3).
40. **SecuBox Identity Package (2026-02-07)**
- Created `secubox-identity` — standalone DID identity management.
- **Core module** (`core.sh`):
- DID generation: `did:plc:<fingerprint>` from machine-id + MAC
- Identity document creation (DID Document format with @context)
- Peer identity import/export
- Identity backup and restore
- **Keys module** (`keys.sh`):
- HMAC-SHA256 keypair generation (Ed25519 fallback if available)
- Key rotation with configurable backup
- Sign/verify operations
- Key rotation check (configurable rotation_days: default 90)
- **Trust module** (`trust.sh`):
- Peer trust scoring (0-100)
- Trust events: valid/invalid_signature, successful/failed_exchange, verified_identity, referred_by_trusted
- Trust levels: verified, trusted, neutral, suspicious, untrusted
- Ban functionality
- **CLI** (`identityctl`): 25+ commands for DID, keys, peers, trust, backup
- **UCI configuration**: did_method, key algorithm, rotation settings, trust thresholds
41. **P2P Intel Package (2026-02-07)**
- Created `secubox-p2p-intel` — signed IOC sharing for mesh.
- **Collector module** (`collector.sh`):
- Source integrations: CrowdSec, mitmproxy, WAF, DNS Guard
- Severity classification: critical, high, medium, low
- Scenario-based severity mapping
- **Signer module** (`signer.sh`):
- Cryptographic signing of individual IOCs and batches
- Batch hash verification (SHA256)
- Identity integration for signer DID
- **Validator module** (`validator.sh`):
- Source trust verification (min_source_trust threshold)
- Age validation (max_age_hours: default 168)
- Format validation (IP, domain, URL, hash)
- Local IP whitelist protection
- **Applier module** (`applier.sh`):
- Application methods: nftables (ipset), iptables, CrowdSec
- Ban duration configuration (default 24h)
- Approval workflow: auto-apply or queue for manual review
- Pending queue management (approve/reject)
- **CLI** (`p2p-intelctl`): 20+ commands for collect, sign, share, validate, apply, approve
- **UCI configuration**: sources enable/disable, signing, validation settings, application method, auto-apply
- **Daemon**: Configurable collect_interval (default 300s), auto_collect, auto_share, auto_apply
- Part of v0.19 MirrorNetworking roadmap (Couche 3).
42. **Config Advisor - ANSSI CSPN Compliance (2026-02-07)**
- Created `secubox-config-advisor` — security configuration analysis and hardening tool.
- **ANSSI CSPN compliance framework**:
- 7 check categories: network, firewall, authentication, encryption, services, logging, updates
- 25+ security check rules with severity levels (critical, high, medium, low, info)
- JSON rules database in `/usr/share/config-advisor/anssi-rules.json`
- **Security check modules** (`checks.sh`):
- Network: IPv6, management access restriction, SYN flood protection
- Firewall: default deny policy, drop invalid packets, WAN port exposure
- Authentication: root password, SSH key auth, SSH password auth
- Encryption: HTTPS enabled, WireGuard configured, DNS encryption
- Services: CrowdSec running, services bound to localhost
- Logging: syslog enabled, log rotation configured
- **Risk scoring module** (`scoring.sh`):
- 0-100 score with severity weights (critical=40, high=25, medium=20, low=10, info=5)
- Grade calculation (A-F) based on thresholds (90/80/70/60)
- Risk level classification: critical, high, medium, low, minimal
- Score history tracking and trend analysis
- **ANSSI compliance module** (`anssi.sh`):
- Compliance rate calculation (percentage of passing rules)
- Report generation in text, JSON, and Markdown formats
- Category filtering and strict mode
- **Remediation module** (`remediate.sh`):
- Auto-remediation for 7 checks: NET-002, NET-004, FW-001, FW-002, AUTH-003, CRYPT-001, LOG-002
- Safe vs manual remediation separation
- Dry-run mode for preview
- LocalAI integration for AI-powered suggestions
- Pending approvals queue
- **CLI** (`config-advisorctl`):
- Check commands: `check`, `check-category`, `results`
- Compliance commands: `compliance`, `compliance-status`, `compliance-report`, `is-compliant`
- Scoring commands: `score`, `score-history`, `score-trend`, `risk-summary`
- Remediation commands: `remediate`, `remediate-dry`, `remediate-safe`, `remediate-pending`, `suggest`
- Daemon mode with configurable check interval
- Created `luci-app-config-advisor` — LuCI dashboard.
- Dashboard: score circle, grade, risk level, compliance rate, last check time
- Check results table with status icons
- Score history table
- Compliance view: summary cards, progress bar, results by category
- Remediation view: quick actions, failed checks with apply buttons, pending approvals
- Settings: framework selection, scoring weights, category toggles, LocalAI config
- **RPCD methods**: status, results, score, compliance, check, pending, history, suggest, remediate, remediate_safe, set_config
- **UCI configuration**: main (enabled, check_interval, auto_remediate), compliance (framework, strict_mode), scoring (passing_score, weights), categories (enable/disable), localai (url, model)
- Part of v1.0.0 certification roadmap (ANSSI CSPN compliance tooling).
43. **Mail Server Port Fixes & Password Reset (2026-02-07)**
- Fixed mail ports 587 (Submission), 465 (SMTPS), and 995 (POP3S) not listening.
- **Root causes identified**:
- Postfix master.cf missing submission and smtps service entries
- Dovecot 10-master.conf had pop3s listener commented out
- `dovecot-pop3d` package not installed in Alpine LXC container
- **mailctl fix-ports command**:
- Adds submission (587) service to Postfix master.cf with SASL auth
- Adds smtps (465) service with TLS wrapper mode
- Installs `dovecot-pop3d` if missing
- Uncomments pop3/pop3s listeners in Dovecot 10-master.conf
- Enables SSL on pop3s (995) and imaps (993) listeners
- Restarts Postfix and Dovecot to apply changes
- **LuCI password reset feature**:
- Added "Reset Password" button in mail users table
- Modal dialog with password and confirmation fields
- RPCD `user_passwd` method with stdin JSON fallback
- `callUserPasswd` RPC declaration in overview.js
- **LuCI Fix Ports button**:
- Added to Quick Actions section
- RPCD `fix_ports` method wrapping CLI command
- Visual feedback with modal spinner
- Updated container.sh to include `dovecot-pop3d` in initial package list.
44. **MetaBlogizer KISS ULTIME MODE (2026-02-07)**
- Added `metablogizerctl emancipate <name>` — one-command full exposure workflow.
- **Workflow steps** (automated in sequence):
- DNS Registration: Creates A record via `dnsctl` (Gandi/OVH based on availability)
- Vortex Mesh: Publishes to mesh via `vortexctl mesh publish`
- HAProxy: Creates backend, server, and vhost with SSL/ACME enabled
- SSL Certificate: Requests ACME cert via `haproxyctl cert add` (webroot mode)
- Zero-downtime Reload: Applies HAProxy config via SIGUSR2
- **Helper functions**:
- `_emancipate_dns()`: Public IP detection, subdomain extraction, dnsctl integration
- `_emancipate_vortex()`: Mesh publication if vortex-dns enabled
- `_emancipate_haproxy()`: UCI backend/server/vhost creation, haproxyctl generate
- `_emancipate_ssl()`: ACME certificate request with status feedback
- `_emancipate_reload()`: Graceful HAProxy reload with restart fallback
- **Usage**: `metablogizerctl create myblog blog.example.com && metablogizerctl emancipate myblog`
- **Tracking**: Stores `emancipated=1` and `emancipated_at` timestamp in UCI
- Part of Punk Exposure architecture (multi-channel emancipation).
45. **LED Heartbeat & Vortex Dashboard Services (2026-02-06)**
- Added LED heartbeat to `secubox-core` daemon for MochaBin RGB LEDs (led1).
- **LED status indicators**:
- Green flash: System healthy
- Double red flash: Warning state (services down, high resource usage)
- Long red flash: Error state
- Blue flash: Boot/startup
- **Configuration**:
- `uci set secubox.main.led_heartbeat='1'` (enabled by default)
- `uci set secubox.main.watchdog_interval='60'` (pulse every 60s)
- **LED auto-detection**: Only activates if `/sys/class/leds/green:led1` exists.
- **Vortex DNS dashboard enhancement**:
- Added "Node Services" section showing published services
- Displays domain links and vortex node URLs
- Deduplicated service list with clickable links
- Bumped `secubox-core` version to 0.10.0-r12.
46. **4-LED Status Dashboard (2026-02-06)**
- Enhanced `secubox-core` with dedicated 4-LED status dashboard for MochaBin.
- **LED assignments**:
- `led1` (RGB): Global health status — green (healthy), yellow (warning), red (critical)
- `led2` (RGB): Security threat level — green (safe), blue (activity), red (threats)
- `led3` (RGB): Global capacity meter — color varies by CPU + network combined load
- `mmc0`: Classic heartbeat — steady when stable, rapid blink on state changes
- **Fast reactive loop**: 1.5-second heartbeat interval (down from 60s)
- **Health scoring**: Combines services status, memory, disk usage
- **Threat detection**: CrowdSec alerts + mitmproxy threat events
- **Capacity monitoring**: Real-time CPU load + network throughput from `/proc`
- Bumped `secubox-core` version to 0.10.0-r14.
47. **File Integrity Monitoring (2026-02-06)**
- Created `secubox-integrity` — SHA256-based file integrity monitor.
- **Monitored files**:
- `/srv/haproxy/config/haproxy.cfg`
- `/etc/config/haproxy`, `/etc/config/firewall`, `/etc/config/network`
- `/etc/config/wireless`, `/etc/config/dropbear`
- `/etc/passwd`, `/etc/shadow`
- **CLI commands**: init, check, status, clear
- **Cron integration**: Runs every 5 minutes via `/etc/cron.d/secubox-integrity`
- **LED alert**: Triggers LED event pulse on file changes
- **Logging**: System log and `/var/log/secubox/integrity.log`
- Added to `secubox-core` Makefile with install rules.
48. **Custom Error Pages (2026-02-06)**
- Created "End of the Internet" custom error page for HAProxy backend failures.
- **Error pages generated**: 502, 503, 504 HTTP responses
- **Design**: Full-page artistic "End of the Internet" message
- **Location**: `/srv/haproxy/errors/{502,503,504}.http`
- **Integration**: HAProxy serves custom pages for backend errors
49. **CrowdSec Dashboard Cache & Control Panel Fixes (2026-02-06)**
- **CrowdSec Overview Collector v4**: Created `/usr/sbin/secubox-crowdsec-collector` for background stats collection.
- Generates comprehensive JSON cache at `/tmp/secubox/crowdsec-overview.json`
- Collects: service status, decisions (local + CAPI), alerts, bouncers, scenarios, GeoIP, LAPI/CAPI status
- WAF stats: autoban status, sensitivity, bans today, threats today
- Countries breakdown from alerts (top 10)
- Uses jshn for valid JSON generation with subshell-safe array collection
- Atomic writes with temp file + mv pattern
- Cron entry: runs every minute
- **RPCD Fast Path**: Patched `luci.crowdsec-dashboard` to read from cache first.
- Cache freshness check (5 minute TTL)
- Falls back to original slow cscli calls if cache stale/missing
- **mitmproxy Local IP "Green Known"**: Patched `/data/addons/secubox_analytics.py` in mitmproxy container.
- Skip threat logging for trusted local IPs (192.168.x.x, 10.x.x.x, 172.16-18.x.x, 127.x.x.x)
- Local network traffic no longer pollutes threats.log
- Autoban still correctly targets only external IPs
- **Control Panel File Compatibility**: Fixed file naming mismatch.
- Control Panel expected: health.json, crowdsec.json, mitmproxy.json
- Collectors created: health-status.json, crowdsec-stats.json, mitmproxy-stats.json
- Created symlinks for compatibility
- Created missing files: threat.json, netifyd.json with proper structure
- Updated stats collector to maintain symlinks on each run
50. **Local Mesh Domain Configuration (2026-02-07)**
- Configured `.sblocal` as local mesh domain suffix for internal service discovery.
- **DNS setup**: Added to dnsmasq local zones
- **Host entries**: c3box.sblocal, evolution.sblocal, gk2.sblocal, gitea.sblocal, bazi.sblocal
- **HAProxy vhosts**: HTTP vhosts for sblocal domains (no SSL, internal only)
- **Purpose**: Local network service discovery without external DNS dependency
- Enables LAN clients to access services via `<service>.sblocal`
51. **Evolution Streamlit Local Mirror (2026-02-07)**
- Migrated Evolution dashboard from GitHub to local Gitea mirror.
- **Source change**: `raw.githubusercontent.com``localhost:3001/gandalf/secubox-openwrt`
- **Benefits**: Instant loading, no external dependency, works offline
- **Cache TTL**: Reduced from 5 minutes to 1 minute for faster updates
- **Gitea raw URL format**: `/raw/branch/master/<path>`
52. **LXC Container Stability & HAProxy Recovery (2026-02-07)**
- **Root cause identified**: cgroup v2 incompatibility with `lxc.mount.auto = cgroup:mixed`
- **Fix applied to ALL containers**: Removed `cgroup:mixed`, added cgroup v2 device permissions
- **HAProxy fix**: Added `lxc.mount.auto = proc:mixed sys:ro` for /proc mount
- **Containers fixed**: haproxy, streamlit, gitea, domoticz, glances, hexojs, lyrion, magicmirror2, mailserver, mitmproxy, picobrew, zigbee2mqtt
- **HAProxy config regeneration**: Config was truncated to global/defaults only — regenerated full config with frontends/backends
- **Streamlit apps restored**: Added `secubox_control:8511` to instances.conf, all 9 apps running
- **Services confirmed operational**:
- HAProxy: RUNNING with full SSL termination
- Streamlit: 9 apps on ports 8501-8511
- Gitea: RUNNING
- CrowdSec: RUNNING
- DNS (named): RUNNING
- **External URLs verified**: gk2.secubox.in, evolution.gk2.secubox.in, control.gk2.secubox.in all returning HTTP 200
53. **Mailserver Postfix/Dovecot Maildir Path Alignment (2026-02-07)**
- Fixed emails delivered but invisible in Roundcube webmail.
- **Root cause**: Path mismatch between Postfix delivery and Dovecot mail_location.
- Postfix delivered to: `/home/vmail/$domain/$user/new/`
- Dovecot expected: `/home/vmail/$domain/$user/Maildir/new/`
- **container.sh fixes**:
- Changed mount point from `var/mail` to `home/vmail`
- Changed `virtual_mailbox_base` from `/var/mail` to `/home/vmail`
- Changed vmail user home from `/var/mail` to `/home/vmail`
- **users.sh fixes**:
- Create `$domain/$user/Maildir/{cur,new,tmp}` structure (was `$domain/$user/{cur,new,tmp}`)
- Updated vmailbox entries to use `$domain/$user/Maildir/` suffix
- Bumped `secubox-app-mailserver` version to 1.0.0-r2.
- New mail verified delivering correctly to Maildir location.
54. **LED Fix & Double-Buffer Status Cache (2026-02-07)**
- **LED mmc0 removed**: The 4th LED (mmc0) was causing the heartbeat loop to hang.
- Removed `LED_MMC0` variable, `led_mmc0_heartbeat()` function, and mmc0 calls from loop
- Now only 3 RGB LEDs controlled: led1 (health), led2 (threat), led3 (capacity)
- **Double-buffer status caching**: Prevents blocking when multiple dashboards/APIs call status functions.
- New `status_collector_loop()` runs in background, updates cache files atomically
- Cache files: `/tmp/secubox/{health,threat,capacity}.json` with staggered intervals (15s/9s/3s)
- Fast readers `get_health_score()`, `get_threat_level()`, `get_capacity()` — no subprocess calls
- LED loop and dashboards/APIs now read from cache instantly
- Uses atomic `mv` pattern for consistent reads during writes
- Daemon starts status collector before LED loop for cache warmup.
55. **Triple-Pulse LED Heartbeat & Streamlit Emancipate (2026-02-06)**
- **Triple-pulse LED heartbeat**: Organic "bump-bump-bump (pause)" pattern across RGB LEDs.
- LED1 (health) leads, LED2 (threat) follows décalé, LED3 (capacity) trails
- BusyBox-compatible: no fractional sleep, uses rapid burst + 3s rest
- Intensity transitions (30-100%) create smooth cascade effect
- **Avahi-publish fix**: Prevent duplicate processes via PID file tracking.
- **Streamlit emancipate command**: KISS ULTIME MODE for full exposure workflow.
- DNS A record (Gandi/OVH via dnsctl)
- Vortex DNS mesh publication
- HAProxy vhost with SSL + backend creation
- ACME certificate request
- Zero-downtime reload
- Usage: `streamlitctl emancipate <app> [domain]`
- **Evolution dashboard real-time upgrade**:
- Auto-refresh with configurable intervals (30s/1m/2m/5m)
- Real-time system metrics from double-buffer cache
- Live console with debug level emojis (🔴🟠🟢🔵🟣)
- Multiple log sources: SecuBox, Kernel, CrowdSec, System
- **SecuBox Console app** (`secubox_console.py`):
- Dedicated real-time console with 5s auto-refresh
- Cyberpunk theme with metric cards
- Live at: https://console.gk2.secubox.in/
- **Commits**: 301dccec, a47ae965, 22caf0c9, aab58a2b, 7b77f839
56. **Streamlit LuCI Dashboard Edit & Emancipate (2026-02-06)**
- Added **Edit button** to Streamlit Apps table for editing app source code:
- RPCD methods: `get_source`, `save_source` with base64 encoding
- Modal code editor with syntax highlighting (monospace textarea)
- Backup creation before save
- Added **Emancipate button** for KISS ULTIME MODE exposure:
- RPCD methods: `emancipate`, `get_emancipation`
- Multi-channel modal showing DNS + Vortex + HAProxy + SSL workflow
- Pre-check for existing instance (requires port for exposure)
- Tracks emancipation status in UCI
- Updated `streamlit/api.js` with 4 new API methods
- Updated ACL permissions in `luci-app-streamlit.json`
57. **Fabricator Embedder & Service Profile Watchdog (2026-02-06)**
- **Fabricator Embedder Tab**: Added 7th tab "🪟 Embedder" for creating unified portal pages.
- Embeds Streamlit apps, MetaBlogizer sites, and custom URLs in single page
- Three layouts: Grid (iframe grid), Tabs (tab-switching), Sidebar (navigation panel)
- Auto-fetches available services from JSON endpoints
- Deploys HTML portal to /www
- **Service Profile Snapshot** (`/usr/sbin/secubox-profile-snapshot`):
- `snapshot`: Captures current enabled/running services to UCI config
- `check`: Returns JSON status comparing current vs expected
- `watchdog`: Attempts to restart failed services
- `list`: Displays profile with current status
- Monitors: Core services (5), LXC containers (3), Streamlit apps (11), MetaBlogizer sites (14)
- **Heartbeat Status** (`/usr/sbin/secubox-heartbeat-status`):
- Returns JSON health score (0-100) with level (healthy/warning/critical)
- Resource metrics: CPU load, memory %, disk %
- Service counts: up/down
- Exported to `/tmp/secubox/heartbeat.json` and `/www/heartbeat.json`
- **Cron Integration**:
- Watchdog runs every 5 minutes to auto-restart failed services
- Heartbeat updates every minute for LED/dashboard status
- **Fabricator Emancipation**: Published at https://fabric.gk2.secubox.in
58. **SecuBox Vhost Manager (2026-02-06)**
- Created `secubox-vhost` CLI for subdomain management in secubox-core:
- Manages external (`*.gk2.secubox.in`) and local (`*.gk2.sb.local`) domains
- Commands: init, set-domain, list, enable, disable, add, sync, landing, dnsmasq
- Generates dnsmasq config for local wildcard resolution
- Creates HAProxy vhosts for both external and local domains
- Generates default landing page at `/www/secubox-landing.html`
- Added UCI config section for domain and vhost management:
- `config domain 'external'` - base domain, wildcard settings
- `config domain 'local'` - local domain suffix (default: sb.local)
- `config vhost` sections for: console, control, metrics, crowdsec, factory, glances, play
- Integrated into secubox-core daemon startup (vhost init after 5s delay)
- Added to uci-defaults for firstboot initialization
- Updated Makefile to install `secubox-vhost` script
59. **HAProxy "End of Internet" Default Page & http-request Support (2026-02-07)**
- **End of Internet Page** (`/www/end-of-internet.html`):
- Cyberpunk-style fallback page for unknown/unmatched domains
- Animated matrix rain effect, glitch text, ASCII art logo
- Real-time packet counter animation
- Displays "REALITY NOT FOUND" error for unregistered domains
- Fetches live stats from `/secubox-status.json` if available
- **HAProxy Generator Enhancements** (`haproxyctl`):
- Added `http-request` UCI option support for backends
- Supports both single value and list of http-request directives
- Static backends (http-request return) skip server config
- Path-rewriting backends (http-request set-path) include servers
- Backend validation: rejects IP:port format in backend names
- **Default Backend Configuration**:
- Set `end_of_internet` as default_backend for both HTTP and HTTPS frontends
- Uses http-request set-path to serve /end-of-internet.html via uhttpd
- Deployed page to /srv/haproxy for container access
- **Commits**: e25509cb (backend validation), this session (http-request support)
60. **CrowdSec Dashboard Threat Origins Fix (2026-02-07)**
- Fixed `[object Object]` display bug in Threat Origins widget
- `parseCountries()` now correctly handles countries as array of objects
- Data format: `[{country: "US", count: 67}, ...]` vs plain `{US: 67}`
- Commit: 58b6dc1d
22. **Stats Evolution & Fabricator (2026-02-07)**
- Silenced CrowdSec kernel log spam (deny_log=0 in bouncer config)
- Added metablogizer-json to cron for blog site status updates
- Created Widget Fabricator Streamlit app (port 8520): Collectors, Apps, Blogs, Services, Widgets
- Added bot whitelist to mitmproxy WAF (Facebook, Google, Bing, etc.) to prevent false positive SSRF alerts
- Fixed Streamlit ZIP upload with extract_zip_flatten() for nested root directories
- Emancipated yijing-360 and fabricator apps with DNS + SSL
- **Fabricator Live Data Update**: All pages now use actual UCI configs and JSON cache files
- Collectors: shows real scripts, JSON cache with run/view buttons
- Apps: live UCI streamlit instances with test/restart/open
- Blogs: reads metablogizer sites from UCI with test/rebuild/expose
- Services: real HAProxy vhosts/backends from UCI
- Widgets: reads /tmp/secubox/*.json with live stats display
- Commit: bfd2ed7c
23. **La Livrée d'Hermès Gallery (2026-02-07)**
- Deployed lldh.gk2.secubox.in with full 82-image gallery
- Added YouTube background music embed with autoplay/loop
- Toggle button (🎵) for mute/unmute control
- Multi-domain SSL: added lldh.ganimed.fr (OVH DNS) as secondary domain
- Both domains share same backend (metablog_lldh on port 8914)
24. **Stats Evolution Plan Complete (2026-02-07)**
- **Phase 1**: Stats infrastructure with 17 JSON cache files, cron collectors
- **Phase 2**: Landing page JSON symlinks for gk2.secubox.in access
- **Phase 3**: Widget Fabricator with live UCI/JSON data on all pages
- **Phase 4**: Full integration - Fabricator in landing page instances
- All JSON endpoints verified: streamlit-instances, metablogizer-sites, secubox-status, heartbeat
25. **yijing360 Deployment (2026-02-07)**
- Fixed port conflict: console (8515), yijing360 (8521)
- Deployed yijing-360.zip with generator.py
- Emancipated: yijing360.gk2.secubox.in with SSL
26. **HAProxy Multi-Certificate SNI Fix (2026-02-07)**
- Fixed multi-domain SSL certificate handling using `crt-list` instead of directory mode
- Added `generate_certs_list()` function in haproxyctl to create certs.list from .pem files
- Updated `haproxy-sync-certs` to regenerate certs.list after syncing ACME certs
- HTTPS frontend now uses `crt-list /opt/haproxy/certs/certs.list` for reliable SNI matching
- Each certificate's SANs and CN are extracted to create explicit domain-to-cert mappings
- Fallback to directory mode if certs.list doesn't exist (backwards compatible)
27. **HAProxy Backend IP Fix (2026-02-07)**
- Fixed localhost (127.0.0.1) usage in HAProxy backends - must use 192.168.255.1 (host bridge IP)
- HAProxy runs in LXC container, cannot reach host services via 127.0.0.1
- Added auto-conversion in RPCD handler: 127.0.0.1/localhost → 192.168.255.1
- Fixed CLI tools: secubox-exposure, jellyfinctl, jitsctl, simplexctl, secubox-subdomain
- Fixed Fabricator Streamlit Services page backend creation
- Fixed HAProxy config templates for jitsi
28. **Station Cloner/Deployer Implementation (2026-02-08)**
- Created `secubox-tools/secubox-clone-station.sh` — host-side cloning orchestrator for dual USB serial.
- Commands: detect, pull, flash, verify, clone (full workflow), console, uboot, env-backup
- Integrates with MOKATOOL (`mochabin_tool.py`) for serial console automation
- Uses ASU API (firmware-selector.openwrt.org) for building clone images
- TFTP serving for network boot with auto-generated U-Boot commands
- Created `secubox-core/root/usr/sbin/secubox-cloner` — on-device clone manager CLI.
- Commands: build, serve, token, status, list, export
- Builds ext4 images for same device type (required for partition resize)
- Generates clone provision scripts for TFTP download
- Integrates with master-link for mesh join tokens
- Created `secubox-core/root/etc/uci-defaults/50-secubox-clone-provision` — first-boot provisioning.
- Step 1: Resize root partition to full disk (parted + resize2fs)
- Step 2: Discover master via mDNS or network scan
- Step 3: Configure as mesh peer (master-link UCI)
- Step 4: Join mesh with token or request approval
- Enhanced `secubox-master-link`:
- Added `ml_clone_token_generate()` for auto-approve clone tokens (24h TTL)
- Added `ml_token_is_auto_approve()` for token type detection
- Updated `ml_join_request()` to auto-approve clone tokens
- New CLI commands: clone-token, register-token
- Updated `secubox` CLI:
- Added `secubox clone` command group (build, serve, token, status, list, export)
- Added `secubox master-link` command group (status, peers, token, clone-token, join, approve, pending)
- **Clone workflow**:
1. Master: `secubox clone build && secubox clone serve --start`
2. Host: `./secubox-clone-station.sh clone` (detects, pulls, flashes target)
3. Target boots, resizes root, auto-joins mesh with pre-approved token
- Part of v0.19 mesh deployment automation.
29. **Evolution Dashboard Real-Time Commits (2026-02-08)**
- Enhanced `secubox-app-streamlit-evolution` with live GitHub commits display.
- New "🚀 Devel" tab (first tab) showing real-time development activity:
- Commits Today / This Week / Contributors / Stars metrics
- Commit type distribution (feat/fix/docs/refactor/chore)
- Recent commits list with:
- Short hash (7 chars) with link to GitHub
- Commit message (80 char truncated)
- Author name
- Relative time (e.g., "2h ago", "just now")
- Commit type color-coding (green=feat, red=fix, orange=docs, purple=refactor)
- Repository stats (forks, watchers, open issues)
- GitHub API integration:
- `fetch_commits(limit=30)` with 1-minute cache TTL for near real-time updates
- `fetch_repo_info()` for repository statistics
- `parse_commit_type()` for conventional commit parsing
- `format_time_ago()` for human-readable timestamps
- `get_commit_stats()` for daily/weekly aggregation
- Cyberpunk theme styling for commits (matching existing dashboard theme)
- Live indicator animation (pulsing green dot)
30. **SecuBox Metrics Dashboard (2026-02-09)**
- Added new SecuBox Metrics view under Status menu.
- Features web traffic country statistics panel.
- Integrated with `luci.secubox-security-threats` RPCD backend.
- Visit stats include: requests by country, by host, by type, bots vs humans.
- Tag: v0.19.14
31. **CrowdSec Dashboard Decision Count Fix (2026-02-09)**
- Fixed Active Bans showing 0 when 100+ decisions existed.
- Root cause: `--no-api` flag returned empty, jsonfilter couldn't count arrays.
- Fix: Use `cscli decisions list -o json | jq 'length'` with grep fallback.
- Tag: v0.19.15
32. **Active Sessions Panel (2026-02-10)**
- Added active sessions panel to SecuBox Metrics.
- Tracks: Tor circuits, HTTPS visitors, Streamlit sessions, Mitmproxy connections, SSH sessions.
- New RPCD method `get_active_sessions` in dashboard.sh.
- Uses netstat/who for session counting.
- Tag: v0.19.15
33. **Live Real-Time Metrics Dashboard (2026-02-10)**
- Rewrote secubox-metrics.js for continuous live updates.
- 3-second polling interval with poll.add().
- Data-attributes for efficient DOM targeting (no page rebuilds).
- CSS pulse animation on value changes.
- Live indicator with timestamp display.
- Efficient updateValue/updateBar/updateList methods.
- Tag: v0.19.16
Reference in New Issue View Git Blame Copy Permalink