secubox-openwrt/.claude/TODO.md

SecuBox TODOs (Claude Edition)

Last updated: 2026-02-04

Resolved

• Expose cyberpunk option inside SecuBox Settings — Done: THEME_CHOICES now includes cyberpunk in settings.js.
• Glances full system monitoring — Done: LXC host bind mounts, Docker socket, fs plugin patch, hostname/OS identity (2026-02-04).
• Zigbee2MQTT dongle connection — Done: adapter ezsp→ember, ZIGBEE2MQTT_DATA env var, direct /dev/ttyUSB0 passthrough (2026-02-04).

Open

1. Chip Header Layout Migration

   • Port sh-page-header + renderHeaderChip() pattern to client-guardian and auth-guardian.
   • Both still use legacy header layouts (cg-header, ag-hdr).

2. Navigation Component

   • Convert SecuNav.renderTabs() into a reusable LuCI widget (avoid duplicating Theme.init in each view).
   • Provide a compact variant for nested modules (e.g., CDN Cache, Network Modes).

3. Monitoring UX

   • Add empty-state copy while charts warm up.
   • Display bandwidth units dynamically (Kbps/Mbps/Gbps) based on rate.

4. MAC Guardian Feed Integration

   • Build and include mac-guardian IPK in bonus feed (new package from 2026-02-03, not yet in feed).

5. Mesh Onboarding Testing

   • master-link dynamic join IPK generation needs end-to-end testing on multi-node mesh.
   • P2P decentralized threat intelligence sharing needs validation with real CrowdSec alerts.

6. WAF Auto-Ban Tuning

   • Sensitivity thresholds may need adjustment based on real traffic patterns.
   • CVE detection patterns (including CVE-2025-15467) need false-positive analysis.

7. Image Builder Validation

   • secubox-tools/ image builder and sysupgrade scripts (added 2026-02-03) need testing on physical hardware.

8. Docs & Tooling

   • Document deployment scripts in README.md (what each script copies).
   • Add lint/upload pre-check (LuCI lua -l luci.dispatcher) to prevent syntax errors before SCP.

9. Testing

   • Capture screenshot baselines for dark/light/cyberpunk themes.
   • Automate browser cache busting (append ?v=<git sha> to view URLs).

10. SMB/CIFS Shared Remote Directories

    • Implement smbfs/cifs mount management for shared remote directories.
    • Media handling: backups, sources, Lyrion music library, Jellyfin media paths.
    • UCI config + LuCI UI for mount management (credentials, auto-mount, mount points).
    • Integration hooks for media apps (Jellyfin, Lyrion, backup scripts).

11. Metablogizer Upload Failures

    • Investigate and fix failed file uploads in Metablogizer.
    • May be related to uhttpd 64KB JSON limit (similar to Streamlit fix).

12. SecuBox v2 Roadmap & Objectives

    • EnigmaBox integration evaluation (community vote?).
    • VoIP integration (SIP/WebRTC).
    • Domoticz home automation integration.
    • SSMTP / mail host / MX record management.
    • Reverse MWAN WireGuard peers (multi-WAN failover over mesh).
    • Nextcloud self-hosted cloud storage.
    • Version v2 release planning and feature prioritization.

    AI Management Layer (ref: SecuBox_LocalAI_Strategic_Analysis.html):

    • Phase 1 (v0.18): Upgrade LocalAI → 3.9, MCP Server, Threat Analyst agent, DNS Guard migration.
    • Phase 2 (v0.19): CVE Triage + Network Anomaly agents, LocalRecall memory, AI Insights dashboard.
    • Phase 3 (v1.0): Config Advisor (ANSSI prep), P2P Mesh Intelligence, Factory auto-provisioning.
    • Hybrid approach: Ollama (inference) + LocalAI (orchestrator) + LocalAGI (agents) + LocalRecall (memory).
    • MCP tools: crowdsec.alerts, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.config.

    AI Gateway Hybrid Architecture (ref: SecuBox_AI_Gateway_Hybrid_Architecture.html):

    • secubox-ai-gateway package: LiteLLM Proxy (port 4000) + Data Classifier + MCP Server.
    • Data classification: LOCAL ONLY (raw network data) / SANITIZED (IPs scrubbed) / CLOUD DIRECT (generic).
    • Providers: Mistral (EU sovereign, priority 1) > Claude > GPT > Gemini > xAI (all opt-in).
    • Offline resilience: Local tier always active, cloud is bonus not dependency.
    • Budget cap: configurable monthly cloud spend limit via LiteLLM.
    • ANSSI CSPN: Data Classifier + Mistral EU + offline mode = triple sovereignty proof.

13. Punk Exposure Multi-Domain DNS

    • Multi-domain DNS with P2P exposure and Tor endpoints.
    • Classical HTTPS endpoint (DNS provider API: OVH, Gandi, Cloudflare).
    • Administrable DNS provider API integration via dnsctl.
    • Mapped to local services, mesh-federated, locally tweakable.
    • Follows Peek / Poke / Emancipate model (see PUNK-EXPOSURE.md).

14. Jellyfin Post-Install

    • Complete startup wizard (media library configuration).
    • README documentation — Done (2026-02-04).

15. Domoticz IoT Integration & SecuBox Peering

    • Create dedicated luci-app-domoticz (currently no LuCI app — only generic vhost-manager).
    • MQTT auto-bridge: auto-configure Domoticz ↔ zigbee2mqtt via Mosquitto broker.
    • Zigbee device discovery: expose z2m device list in Domoticz setup wizard.
    • SecuBox P2P mesh: register Domoticz as a mesh service (secubox-p2p register-service).
    • Tor/DNS exposure channels: add to exposure scanner and Punk Exposure model.
    • USB device passthrough: document /srv/devices for additional IoT dongles.
    • Backup integration: include /srv/domoticz/config in secubox-recovery.
    • Service registry: add Domoticz to secubox-p2p catalog and health checks.

16. App Store P2P Emancipation

    • Emancipate the app store WebUI as a remote P2P/torrent endpoint.
    • Generative remote IPK distribution (like master-link dynamic join IPK generation).
    • Decentralized package distribution across mesh nodes.
    • Compatible with existing bonus-feed and secubox-feed infrastructure.
    • Torrent-style swarming for large IPK downloads across mesh peers.