gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a25e285573
secubox-openwrt/.claude/WIP.md
CyberMind-FR a25e285573 feat(wall): Add 15 colorsets to MAGIC·CHESS·360 
- Added colorset selector to wall.maegia.tv TAO_SPECTRUM
- 15 palettes: default, alchy, emojiz, punk, hollistique, tantrique,
  cosmique, solarix, oceanique, rainbow, fluo, phospho, vintage, tao, merkaba
- Minimal patch (~8KB added) preserving original functionality
- Keyboard shortcuts 1-9, localStorage persistence
- Deployed: https://wall.maegia.tv/

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 10:35:12 +01:00

30 KiB
Raw Blame History

Work In Progress (Claude)

Last updated: 2026-03-15 (Wall Colorsets)

Architecture Reference: SecuBox Fanzine v3 — Les 4 Couches

Recently Completed

2026-03-15

  • MAGIC·CHESS·360 Colorset Enhancement (Complete)
    • Added 15 color palettes to wall.maegia.tv TAO_SPECTRUM system
    • Colorsets: default, alchy, emojiz, punk, hollistique, tantrique, cosmique, solarix, oceanique, rainbow, fluo, phospho, vintage, tao, merkaba
    • Each colorset changes the animated prism colors cycling through the chess pieces
    • Minimal patch: only added colorset selector + COLORSETS object (~8KB added)
    • Original app preserved: canvas animation, audio sync, HUD controls unchanged
    • Colorset selector: 15 circular gradient buttons (top-left corner)
    • Keyboard shortcuts (1-9) for first 9, click for rest
    • LocalStorage persistence for user preference
    • Deployed to: https://wall.maegia.tv/

2026-03-14

  • Hub Generator v7 - NFO Integration Fix (Complete)

    • Fixed BusyBox awk compatibility issue with bracket parsing
    • Single-pass awk extraction for 7 NFO fields (category, desc, keywords, caps, audience, icon, version)
    • Replaced gsub(/[\[\]]/) with two sub() calls for reliable section parsing
    • 110 NFO entries now correctly extracted from 239 total items
    • Capability and audience filter clouds working with actual values
    • Dynamic preview modal with eye button for live site preview

  • Module Manifest (NFO) System Extension (Complete)

    • Flat-file UCI-style .nfo manifest format for Streamlit/MetaBlog apps
    • Sections: identity, description, tags, runtime, dependencies, exposure, launcher, settings, dynamics, mesh, media
    • [dynamics] section for AI/generative content integration with prompt_context, capabilities, input/output types
    • NFO parser library: /usr/share/streamlit-forge/lib/nfo-parser.sh
    • NFO validator library: /usr/share/streamlit-forge/lib/nfo-validator.sh (type-specific validation)
    • slforge nfo commands: init, init-all, info, edit, validate, json, install
    • metablogizerctl nfo commands: init, init-all, info, edit, validate, sync, json
    • Batch NFO generation for all installed apps/sites
    • RPCD methods: nfo_read, nfo_write, nfo_validate for LuCI integration
    • Reusable NFO viewer component (nfo-viewer.js) with collapsible sections
    • LuCI editor modal for NFO editing in Streamlit Forge
    • Hub generator reads full NFO metadata for category/description/capabilities
    • Metacatalog search enhanced with NFO indexing and filters
    • Full spec at /usr/share/streamlit-forge/NFO-SPEC.md

  • Streamlit On-Demand Launcher (Complete)

    • New secubox-app-streamlit-launcher package
    • On-demand startup: Apps start only when first accessed (lazy loading)
    • Idle shutdown: Stop apps after configurable timeout (default 30 min)
    • Memory management: Force-stop low-priority apps when memory < threshold
    • Priority system (1-100): Higher priority = keep running longer
    • Always-on mode for critical apps that should never auto-stop
    • CLI: streamlit-launcherctl daemon|status|list|start|stop|priority|check|check-memory
    • Procd daemon with respawn for background monitoring
    • Access tracking via touch files in /tmp/streamlit-access/
    • Loading page template for cold-start user feedback
    • Updated slforge with launcher integration:
      • slforge launcher status|priority|always-on commands
      • Access tracking on app start
    • UCI config: /etc/config/streamlit-launcher
    • Documentation: Full README with architecture diagram

2026-03-13

  • Configuration Vault System (Complete)

    • New secubox-app-config-vault + luci-app-config-vault packages
    • Git-based config versioning with auto-commit and auto-push
    • 9 configuration modules: users, network, services, security, system, containers, reporter, dns, mesh
    • CLI: configvaultctl init|backup|restore|push|pull|status|history|diff|modules|export-clone|import-clone
    • RPCD: status, modules, history, diff, backup, restore, push, pull, init, export_clone
    • Gitea integration: Private repo sync (gandalf/secubox-config-vault)
    • LuCI Dashboard: KISS-themed with status rings, module table, commit history, quick actions
    • Export/import clone tarballs for device provisioning and cloning
    • Menu: SecuBox → System → Config Vault

  • System Hardware Report (Complete)

    • Added new report type to secubox-app-reporter
    • CLI: secubox-reportctl generate system
    • CPU/Memory/Disk/Temperature gauges with animated rings
    • Environmental impact card: Power usage (W), daily kWh, CO₂ emissions
    • CPU load histogram (24-bar visualization)
    • Health recommendations based on system metrics
    • Top processes table and debug log viewer
    • Network interface stats (RX/TX per interface)
    • BusyBox-compatible collectors using /proc filesystem
    • KissTheme dark styling with responsive layout

  • SecuBox Report Generator (Complete)

    • New secubox-app-reporter + luci-app-reporter packages
    • Two report types:
      • Development Status: health score, HISTORY.md completions, WIP items, roadmap
      • Services Distribution: Tor services (5), DNS/SSL vhosts (243), mesh services (1)
    • CLI: secubox-reportctl generate|send|schedule|status|preview|list|clean
    • RPCD: status, list_reports, generate, send, schedule, delete_report, test_email
    • LuCI Dashboard: KISS-themed overview, quick actions, reports list, schedule config
    • Email delivery via msmtp/sendmail with MIME multipart HTML
    • KissTheme dark styling with responsive layout
    • UCI config for SMTP and cron scheduling
    • Deployed and tested on router: /www/reports/
    • Menu: SecuBox → System → Report Generator

2026-03-12

  • SecuBox Watchdog - Service Health Monitor (Complete)

    • New secubox-app-watchdog + luci-app-watchdog packages
    • Monitors: LXC containers (haproxy, mitmproxy-in/out, streamlit), host services (crowdsec, uhttpd, dnsmasq), HTTPS endpoints
    • CLI: watchdogctl status/check/check-recover/watch/restart-container/restart-service/logs
    • Auto-recovery: detects stopped containers/services and restarts them
    • RPCD: status, get_containers, get_services, get_endpoints, restart_*, check, get_logs
    • LuCI Dashboard: Real-time status with 10s polling, restart buttons, log viewer
    • Alert cooldown and log rotation
    • Procd service + cron fallback
    • Fixed HAProxy missing backends (luci_direct, fallback) and port mismatch

  • RTTY Remote Control Phase 4 - Session Replay (Complete)

    • Avatar-Tap integration: passive session capture via mitmproxy WAF
    • CLI: tap-sessions, tap-show, tap-replay, tap-export, tap-import
    • RPCD: 6 new methods (get_tap_status, get_tap_sessions, get_tap_session, replay_to_node, export_session, import_session)
    • LuCI: session-replay.js view with stats, filters, replay panel, import/export
    • Menu: System Hub → Session Replay
    • Tested: 10 captured sessions from multiple domains

2026-03-11

  • Streamlit Forge Phase 2 - Gitea Integration (Complete)

    • CLI: slforge edit/pull/push/preview commands
    • Gitea API integration with token auth
    • Auto-creates org/repo on first edit
    • RPCD: 5 new methods (gitea_status, edit, pull, push, preview)
    • LuCI: Gitea status card, Edit/Pull buttons, editor modal
    • Preview generation: HTML capture + SVG placeholder

  • HERMÈS·360 Full I-Ching Translation

    • All 64 hexagrams translated in 5 languages (DE, ES, PT, ZH, JA):
      • Image texts (_i): 320 translations - symbolic imagery
      • Description texts (_d): 320 translations - hexagram meaning
      • Judgment texts (_j): 320 translations - oracle guidance
      • Total: 960 new translation fields added
    • Visual enhancements from wall.maegia.tv:
      • Canvas CSS filters: saturate(1.3) brightness(1.15) contrast(1.05)
      • Hover effect: saturate(1.4) brightness(1.25) contrast(1.08)
    • Added grid rendering during coin toss animation (drawGrid function)
    • File size: 1.7MB (up from 1.6MB)
    • Deployed to: https://lldh360.maegia.tv/

  • Meta Cataloger Phase 2 & 3 (Complete)

    • Phase 2: RPCD + LuCI
      • RPCD backend: luci.metacatalog with 10 methods (list_entries, list_books, get_entry, get_book, search, get_stats, sync, scan, assign, unassign)
      • LuCI dashboard: KISS-themed overview with stats chips, virtual books shelf
      • HAProxy vhost scanner: Auto-indexes all HAProxy domains
      • ACL permissions for read/write operations
    • Phase 3: Landing Page Enhancements
      • Search functionality: Real-time filter across all entries
      • Tab navigation: Collections view, All entries view, per-book filters
      • Scrollable book entries with max-height
      • Link to LuCI dashboard in footer
      • Responsive grid layout
    • Deployed at: https://catalog.gk2.secubox.in/metacatalog/
    • Total entries: 246 (127 MetaBlogs, 14 Streamlits, 105 HAProxy)

  • Meta Cataloger - Virtual Books (Phase 1 Complete)

    • New secubox-app-metacatalog package for unified content aggregation
    • Organizes MetaBlogizer sites, Streamlit apps into themed Virtual Books
    • CLI: /usr/sbin/metacatalogctl with sync/scan/index/books/search/status/landing
    • Scanners: MetaBlogizer (title, description, languages, colors, canvas/audio)
    • Scanners: Streamlit (from app.py and UCI config)
    • Auto-assignment: keyword + domain pattern matching to books
    • 6 default books: Divination, Visualization, Analytics, Publications, Security, Media
    • Landing page: Tao prism fluoro theme at /www/metacatalog/index.html
    • APIs: /metacatalog/api/index.json, /metacatalog/api/books.json
    • Initial sync: 120 entries (118 MetaBlogs, 2 Streamlits)
    • BusyBox-compatible: sed-based regex (no grep -P)
    • Cron: hourly auto-sync via /etc/cron.d/metacatalog

  • HAProxy Auto-Sync Mitmproxy Routes

    • Fixed: New vhosts missing mitmproxy route entries causing 404 WAF errors
    • haproxyctl vhost add/remove now triggers mitmproxyctl sync-routes
    • Commit: 7cbd6406

  • CrowdSec Dashboard Performance Optimization

    • Problem: get_overview RPC call was timing out (30s+), causing "TypeError: can't assign to property 'countries' on 5"
    • Root cause: Function made 12+ sequential cscli calls, each taking 2-5s with CAPI data
    • Solution: Pre-cached architecture with background refresh
      • Cache file: /tmp/secubox/crowdsec-overview.json (60s TTL)
      • get_overview() returns cached data instantly (0.08s)
      • refresh_overview_cache() runs via cron every minute
      • Background async refresh triggered when cache is stale
    • Technical fixes:
      • Reduced cscli calls from 12 to 4 (metrics, decisions, alerts, bouncers)
      • Extracted flat decisions array from nested alert structure using jsonfilter
      • Simplified alerts_raw to empty array (full alerts too large for ubus JSON)
      • Manual JSON building to avoid jshn argument size limits (BusyBox constraint)
      • Added /etc/cron.d/crowdsec-dashboard for periodic cache refresh
    • Files modified: luci.crowdsec-dashboard RPCD, Makefile
    • Result: Dashboard loads instantly, no more TypeError

  • Streamlit Control Dashboard Phase 3 (Complete)

    • Auto-refresh: Toggle + interval selector on all main pages (10s/30s/60s)
    • Permission-aware UI: Hide/disable action buttons for SecuBox users (limited access)
    • Containers page: Tabs (All/Running/Stopped), search filter, improved info panels
    • Security page: Better CrowdSec status parsing, threat table with columns, raw data expander
    • Streamlit apps page: Restart button, delete confirmation dialog
    • Network page: HAProxy filter, vhost count stats, WireGuard/DNS placeholders
    • Auth helpers: can_write(), is_admin() functions for permission checks

  • CrowdSec Dashboard Bugfix

    • Fixed: TypeError: can't assign to property "countries" on 5: not an object
    • Root cause: RPC error code 5 returned instead of object (transient service state)
    • Fix: Added type check in overview.js to treat non-objects as empty {}
    • Deployed fix to router, cleared LuCI caches

  • Streamlit Control Dashboard Phase 1 & 2 (Complete)

    • Package: secubox-app-streamlit-control with Python ubus client
    • KISS-themed UI inspired by metablogizer design
    • 7 pages: Home, Sites, Streamlit, Containers, Network, Security, System
    • Phase 2: RPCD Integration
      • HTTPS connection with self-signed cert support
      • Dual auth: root (full access) + SecuBox users (read-only dashboard)
      • Updated ACL: unauthenticated.json allows dashboard data without login
      • Fixed LXC via luci.secubox-portal.get_containers
      • Fixed CrowdSec via luci.crowdsec-dashboard.status
      • All service status methods working (HAProxy, WAF, containers)
    • Deployed on port 8531, exposed at control.gk2.secubox.in
    • Test user: testdash / Password123

  • RezApp Forge - Docker to SecuBox App Converter (Complete)

    • Package: secubox-app-rezapp with rezappctl CLI
    • UCI config: /etc/config/rezapp with catalog sources (Docker Hub, LinuxServer.io, GHCR)
    • Commands: catalog, search, info, import, convert, run, stop, package, publish, expose, list, cache
    • Docker to LXC workflow: pull → export → extract → generate LXC config
    • Offline mode: Convert from local tarball (--from-tar) or OCI directory (--from-oci)
    • Runtime fallback: Docker → Podman automatic fallback
    • Network modes: host (shared namespace), bridge (veth), none (isolated)
    • ENV extraction: Docker ENV vars → LXC environment + UCI config
    • HAProxy integration: expose command adds vhost + mitmproxy route
    • Templates: Makefile.tpl, init.d.tpl, ctl.tpl, config.tpl, start-lxc.tpl, lxc-config.tpl, manifest.tpl
    • Tested: Offline conversion from cached tarball, container runs successfully

  • Streamlit Forge Phase 1 (implemented)

    • Package: secubox-app-streamlit-forge with slforge CLI
    • UCI config for app management
    • 3 templates: basic, dashboard, data-viewer
    • Commands: create, start, stop, restart, status, list, info, delete, templates
    • Runs apps in Streamlit LXC container with proper mount paths
    • Port-based status detection (container PID namespaces)
    • HAProxy expose integration
    • Mesh catalog publish
    • LuCI dashboard: luci-app-streamlit-forge with create/start/stop/expose/publish

  • RezApp Forge LuCI

    • Package: luci-app-rezapp
    • Dashboard with Docker search, conversion dialog
    • Converted apps table with Package/Publish/Delete
    • Status cards for apps count, catalogs, Docker status

  • SecuBox KISS Apps Catalog Update

    • Added luci-app-streamlit-forge and luci-app-rezapp to catalog.json
    • Category: productivity (Streamlit), system (RezApp)
    • Featured in new_releases section
    • Total plugins: 37 → 39

  • HAProxy Vhost Rename Feature

    • Added haproxyctl vhost rename <old> <new> command
    • Renamed MC360_Streamlit_BPM_v2.gk2.secubox.in → mc360.gk2.secubox.in

  • Lyrion Music Server Upgrade (9.0.3 → 9.1.1)

    • Diagnosed library showing 0 tracks (Perl XS module version mismatches)
    • Root cause: Alpine 3.19 Perl 5.038 incompatible with bundled modules
    • Solution: Rebuilt LXC container from official Docker image
      • Pulled lmscommunity/lyrionmusicserver:stable (Debian Bookworm based)
      • Exported Docker to tarball, extracted to LXC rootfs
      • Created /start-lxc.sh wrapper for LXC execution
      • Updated LXC config: UID 499 (squeezeboxserver), new paths
      • Fixed /srv/lyrion ownership for new UID
    • Library scan working: 81,430 files discovered
    • Preserved config in /srv/lyrion (prefs, logs, cache)

  • Metablogizer Package Conflict

    • opkg install fails: /etc/config/metablogizer file conflict
    • Both secubox-app-metablogizer and luci-app-metablogizer provide same file
    • Workaround: Deploy scripts directly via SCP instead of package install
    • TODO: Fix package to use conffiles properly

2026-03-10

  • PeerTube Routing Fix

    • tube.gk2.secubox.in was serving Lyrion instead of PeerTube (port conflict)
    • Lyrion moved from port 9001 → 9000 (server.prefs)
    • PeerTube moved from port 9001 → 9002 (production.yaml)
    • Fixed PeerTube database hostname: 192.168.255.1 → 127.0.0.1 (internal PostgreSQL)
    • Updated mitmproxy routes for both services
    • Both services now accessible: tube.gk2.secubox.in, lyrion.gk2.secubox.in

  • Metablogizer Port Conflict Prevention

    • Fixed duplicate port detection in get_next_port() to check both uhttpd and metablogizer configs
    • Added check-ports command: Scans all sites for duplicate port assignments
    • Added fix-ports command: Auto-assigns new ports to duplicates
    • Fixed 4 duplicate port conflicts:
      • santefr.gk2.secubox.in: 8991 → 9010
      • ganimed.maegia.fr: 9004 → 9011
      • magic.maegia.tv: 8991 → 9012
      • cybaxe.gk2.secubox.in: 9000 → 9004 (earlier fix)
    • Fixed Makefile: Added empty Build/Compile rule for shell-only package

  • magic.maegia.tv Full Publication

    • DNS A record added via Gandi API (dnsctl -z maegia.tv add A magic)
    • Fixed ACME webroot path mismatch (/var/www/acme-challenge)
    • SSL certificate issued and installed
    • Fixed missing luci_direct HAProxy backend

  • HAProxy Container Recovery

    • Diagnosed container startup failure (missing backend reference)
    • Added luci_direct backend to generated config

2026-03-09

  • HAProxy Routes Health Check Panel

    • Backend: /usr/sbin/service-health-check script checks all routes in haproxy-routes.json
    • RPCD method: get_service_health with 5-min cache and force-refresh option
    • LuCI panel: Up/Down/Total stats, health %, down services list
    • Refresh button for manual health check trigger
    • CSS styling with KISS theme integration
    • ACL permission added for read access
    • Deployed and tested: 174 routes, 21 down (intentionally stopped LXC containers)

  • admin.gk2.secubox.in WAF Routing Fix

    • Added route through mitmproxy WAF (port 8081 for LuCI)
    • Fixed haproxy_router.py blocking 8081 routes
    • Domain now accessible through WAF with proper access control

  • Dev Status Widget v2.1 (Dynamic Dashboard)

    • Complete redesign with 4-layer architecture visualization
    • 22+ features with dependency tracking (dependsOn/usedBy)
    • 80+ components with status indicators
    • Interactive filters: layer, status, category with localStorage persistence
    • Feature cards: click to expand, show full dependencies/components
    • Layer cards: click to filter features by layer
    • Interconnection graph showing feature dependencies
    • Milestone timeline to v1.0 with progress tracking
    • Production stats display (185 packages, 226 vhosts, etc.)
    • Auto-refresh with live RPCD data (60s interval)
    • ES5 compatible for older browsers
    • Standalone HTML page: /dev-status.html (no auth required)
    • Files: dev-status-widget.js, dev-status.js, dev-status-standalone.html

  • DNS Zone Configuration Sync

    • Fixed BIND zone path mismatch: /srv/dns/zones//etc/bind/zones/
    • Added ganimed.fr zone declaration to named.conf.zones
    • Synced zone files between LuCI-managed and BIND-loaded paths

  • Mitmproxy WAF Memory Optimization

    • Diagnosed memory leak (687MB RSS)
    • Added flow limits: --set flow_detail=0 --set hardlimit=500
    • Reduced memory to 77MB
    • Fixed /srv/mitmproxy-in/haproxy-routes.json for git.maegia.tv

  • Config Backups Repository

    • Created config-backups/ directory with BIND zones
    • Created private secubox-configs repo on local Gitea
    • Git remote: git@git.maegia.tv:reepost/secubox-configs.git

2026-03-08

  • RTTY Remote Control Module (Phase 3 - Web Terminal)

    • Web Terminal view: Embeds ttyd (port 7681) via iframe
    • Node selector: Local/remote target selection
    • Remote detection: Direct ttyd connection or SSH fallback
    • RPCD method: start_terminal for remote node terminal info
    • Menu: Remote Control → Remote Support → Web Terminal
    • Fullscreen and refresh controls

  • RTTY Remote Control Module (Phase 2 - Token-Based Shared Access)

    • Token authentication: 6-character codes grant RPC/terminal access without LuCI login
    • CLI commands: rttyctl token generate/list/validate/revoke, rttyctl token-rpc
    • RPCD methods: token_generate, token_list, token_validate, token_revoke, token_rpc
    • Support Panel: Generate code → Share → Support person connects without auth
    • Configurable TTL (30m/1h/2h/4h), permission tracking, usage counter
    • Local address detection: Direct ubus for local calls (bypasses HTTP auth limits)
    • Deployed and tested: Token RPC works for all ubus methods

  • RTTY Remote Control Module (Phase 1 - RPCD Proxy)

    • Backend: secubox-app-rtty-remote with rttyctl CLI
    • Frontend: luci-app-rtty-remote with KISS dashboard
    • RPCD Proxy: Execute remote ubus calls to mesh nodes over HTTP
    • CLI commands: rttyctl nodes/rpc/rpc-list/rpc-batch/auth/sessions
    • RPCD methods: status, get_nodes, rpc_call, rpc_list, get_sessions, connect
    • Session tracking with SQLite database
    • Master-link integration for authentication
    • Tested: rttyctl rpc 127.0.0.1 system board works

  • lldh360.maegia.tv BIND Zone Fix

    • DNS was returning NXDOMAIN despite zone file existing
    • Root cause: BIND (named) is the authoritative DNS, not dnsmasq
    • Zone file /srv/dns/zones/maegia.tv.zone existed but wasn't registered in BIND
    • Added zone entry to /etc/bind/named.conf.zones
    • Restarted BIND (named), domain now resolves correctly
    • Site accessible via HTTPS (HTTP 200)

  • HAProxy mitmproxy Port Fix

    • Changed mitmproxy-in WAF port from 8890 to 22222
    • Fixed UCI config regeneration issue (was overwriting manual edits)
    • All vhosts now routing correctly through WAF

  • Vortex DNS Zone Management & Secondary DNS

    • Added zone commands: vortexctl zone list/dump/import/export/reload
    • Added secondary DNS commands: vortexctl secondary list/add/remove
    • Zone dump generates BIND format zone files in /srv/dns/zones/
    • Supports OVH as secondary DNS with AXFR zone transfer
    • RPCD methods: zone_list, zone_dump, zone_import, zone_export, zone_reload, secondary_list, secondary_add, secondary_remove
    • ACL permissions updated for all new methods
    • Enables importing zones from Gandi and becoming authoritative DNS master

  • Maegia Domains Audit & Fix

    • Fixed 3 broken domains (503 errors): crt.maegia.tv, git.maegia.tv, glances.maegia.tv
    • Created missing vhost UCI configs for all 3 domains
    • Added mitmproxy routes: crt→8503, git→3001, glances→61208
    • Fixed ganimed.maegia.fr route IP: 127.0.0.1 → 192.168.255.1
    • Fixed lldh360.maegia.tv WAF bypass: metablog_lldh360 → mitmproxy_inspector
    • All 27 maegia domains now operational (4 have 404 content issues)

2026-03-07

  • HAProxy mitmproxy_inspector Backend Fix

    • mitmproxy_inspector backend had NO server section (causing 503 for all WAF vhosts)
    • Added UCI server section: mitmproxy_inspector_srv pointing to 192.168.255.1:8890
    • Fixed haproxyctl duplicate userlist warning and _emit_sorted_path_acls indentation
    • All vhosts now correctly routing through WAF

  • Lyrion Routing Fix

    • Changed lyrion vhost backend from lyrion_web to mitmproxy_inspector
    • Was bypassing WAF, now properly routed through mitmproxy-in

  • Jellyfin Route IP Fix

    • Fixed mitmproxy route: 192.168.255.1 → 192.168.255.31 (container's actual IP)
    • Jellyfin container has dedicated veth interface on br-lan

  • lldh360.maegia.tv Routing Fix + SSL

    • Fixed mitmproxy routes: 127.0.0.1 → 192.168.255.1 (all 187 routes updated)
    • Restored HAProxy config from backup (haproxyctl generate was corrupted)
    • Installed Let's Encrypt SSL certificate (valid until 2026-06-05)
    • Enabled HTTP→HTTPS redirect
    • Site now accessible via HTTPS
    • Site now accessible via HTTP on port 9003

  • cybaxe.gk2.secubox.in Port Conflict Fix

    • Changed port from 9000 to 9004 (9000 reserved for Lyrion Music Server)
    • Updated metablogizer, HAProxy backend, and mitmproxy routes
    • Created placeholder index.html (site content needs gitea sync)
    • Site now accessible via HTTPS

  • Mitmproxy-in Port Conflict Fix

    • Changed mitmproxy-in WAF port from 8889 to 8890
    • Port 8889 conflicted with avatar-tap Streamlit service
    • Updated HAProxy mitmproxy_inspector backend configuration
    • Fixed HAProxy runtime state caching via socket command

  • Vhosts Recovery

    • Started stopped LXC containers: jellyfin, jitsi, peertube, gotosocial, glances
    • Fixed glances container cgroup v2 config (cgroup.memory.limit_in_bytes → cgroup2.memory.max)
    • Fixed mitmproxy route IPs: 127.0.0.1 → 192.168.255.1 (LXC can't reach host localhost)
    • All 11 key vhosts now operational (jellyfin, social, glances, tube, meet, zoo, portal, cloud, photos, lyrion, streamlit)

  • Vhosts-Checker RPCD Fix

    • Fixed XHR timeout issue in LuCI dashboard
    • Root cause: jshn overhead for 226 vhosts + subshell issues with pipes
    • Solution: Direct JSON output with printf, temp file instead of pipes
    • Deployed ACL file for authentication

  • ROADMAP.md Generation

    • Created comprehensive roadmap from WIP and HISTORY analysis
    • Version milestones: v0.19 → v0.20 → v0.21 → v0.22 → v1.0
    • Critical path analysis and dependency graph
    • Resource requirements and risk register

  • Avatar-Tap Session Capture & Replay

    • Backend: secubox-avatar-tap - passive network tap via mitmproxy
    • CLI: avatar-tapctl with start/stop/list/replay/label/delete commands
    • LuCI: luci-app-avatar-tap KISS dashboard with session table
    • Features: Cookie/auth header capture, session replay, SQLite storage
    • Runs in Streamlit LXC container on port 8889 (mitmproxy-in moved to 8890)
    • Future: Nitrokey/GPG integration for secure replay authorization

  • PhotoPrism Photo Gallery Deployment

    • Linked /mnt/PHOTO (673GB, 391k photos) to PhotoPrism originals
    • Fixed HFS+ read-only mount issue (sidecar writes to storage/)
    • Indexing in progress: HEIC conversion, thumbnail generation, AI labels
    • HAProxy vhost + SSL cert for photos.gk2.secubox.in

  • Service Fixes & HAProxy Vhosts

    • Fixed Lyrion music mount: /mnt/MUSIC (1.6TB) now accessible
    • Fixed Portal routing (was 503, now working)
    • Added missing vhosts: lyrion.gk2.secubox.in, streamlit.gk2.secubox.in
    • Requested and installed SSL certs for all 3 new domains
    • Fixed ACME webroot configuration (uhttpd home path)

  • Source Code Updates

    • Updated default paths: Lyrion→/mnt/MUSIC, PhotoPrism→/mnt/PHOTO
    • Committed and pushed to master

2026-03-06

  • PhotoPrism Private Photo Gallery

    • Backend: secubox-app-photoprism with LXC container (Debian Bookworm)
    • CLI: photoprismctl with install/start/stop/index/import/emancipate commands
    • LuCI: luci-app-photoprism KISS dashboard with stats and actions
    • Features: AI face recognition, object detection, places/maps
    • HAProxy integration via mitmproxy (WAF-safe, no bypass)
    • SQLite database (simpler, no external DB), FFmpeg transcoding, HEIC support
    • Dependencies: libvips42 for image processing

  • AI Gateway /login Command

    • CLI: aigatewayctl login [provider] - Interactive or scripted provider authentication
    • Validates credentials against provider API before saving
    • Rollback on validation failure (preserves previous credentials)
    • Format warnings: Claude keys should start with sk-ant-, OpenAI with sk-
    • RPCD: login method for LuCI frontend integration
    • ACL: Added write permission for login method

2026-03-04

  • SBOM Pipeline for CRA Annex I Compliance

    • scripts/check-sbom-prereqs.sh - Prerequisites validation
    • scripts/sbom-generate.sh - Multi-source SBOM generation
    • scripts/sbom-audit-feed.sh - PKG_HASH/PKG_LICENSE feed audit
    • .github/workflows/sbom-release.yml - GitHub Actions with CVE gating
    • SECURITY.md - CRA Art. 13 §6 compliant vulnerability disclosure

  • AI Gateway Full-Stack Implementation

    • 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
    • Provider routing: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI
    • aigatewayctl CLI with classify/sanitize/provider/audit commands
    • luci-app-ai-gateway with 4 KISS-themed views

2026-03-03

  • Comprehensive Service Audit

    • WAF Enforcement: Disabled waf_bypass on 21 vhosts
    • Container Autostart: Enabled on 9 essential containers
    • Glances Fix: Resolved cgroup mount issue
    • 18 LXC Containers Running

  • Vortex DNS Firewall Phases 1-4

    • Threat intel aggregator, SQLite blocklist, dnsmasq integration
    • HTTP/HTTPS sinkhole server for infected client detection
    • DNS Guard AI detection integration
    • Mesh threat sharing via secubox-p2p blockchain

  • Image Builder Validation

    • Validated secubox-image.sh, secubox-sysupgrade.sh
    • Fixed curl redirect issue: Added -L flag

2026-03-02

  • Reverse MWAN WireGuard v2 - Phase 2
    • LuCI Dashboard for Mesh Uplinks
    • 9 RPC methods for uplink management
    • 10-second live polling

2026-03-01

  • Reverse MWAN WireGuard v2 - Phase 1

    • WireGuard mesh peers as backup internet uplinks via mwan3 failover
    • wgctl CLI: uplink list/add/remove/status/test/failover
    • UCI config for global and per-uplink settings

  • Nextcloud Integration Enhancements

    • WAF-safe SSL routing, scheduled backups, SMTP integration
    • CalDAV/CardDAV/WebDAV connection info display

In Progress

(No active tasks)

Next Up

v1.0 Release Prep

  1. Remote ttyd Deployment - Auto-install ttyd on mesh nodes
  2. Device Provisioning - Use Config Vault export-clone for SecuBox replication

v1.1+ Extended Mesh

  1. WAF Auto-Ban Tuning (optional, as-needed)
    • Sensitivity threshold adjustment based on production traffic

Backlog

  • SSMTP / mail host / MX record management (v2)

Strategic Documents

  • SecuBox_LocalAI_Strategic_Analysis.html — AI Management Layer roadmap
  • SecuBox_AI_Gateway_Hybrid_Architecture.html — Hybrid Local/Cloud architecture
  • SecuBox_MirrorNetworking_Paradigm_Reversal.html — EnigmaBox autopsy → MirrorNet
  • SecuBox_Fanzine_v3_Feb2026.html — 4-layer architecture overview

Blockers / Risks

  • No automated regression tests for LuCI views; manual verification required after SCP deploy.
  • Guacamole ARM64 pre-built binaries not readily available.