gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dd18e5c4aa
secubox-openwrt/.claude/TODO.md
CyberMind-FR 0809bc69c2 chore: Bump version to 1.0.0 
All major roadmap milestones achieved:
- v0.18 MirrorBox Core
- v0.19 AI Expansion + MirrorNet
- v1.0 Full Stack (VoIP, Matrix, Factory provisioning)
- v1.1+ Extended Mesh (Yggdrasil, Meshname DNS)

Updated version strings in:
- Makefile: PKG_VERSION 0.10.0 → 1.0.0, PKG_RELEASE reset to 1
- secubox CLI: SECUBOX_VERSION 0.9.0 → 1.0.0
- secubox-core daemon: SECUBOX_VERSION 0.8.2 → 1.0.0
- RPCD handlers: core.sh, dashboard.sh, luci.secubox
- common.sh: secubox_get_version()
- README.md header

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 16:05:39 +01:00

256 lines
11 KiB
Markdown
Raw Blame History

# SecuBox TODOs (Claude Edition)
_Last updated: 2026-03-16 (v1.0.0)_
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
---
## Resolved
- ~~Expose cyberpunk option inside SecuBox Settings~~ — Done: `THEME_CHOICES` now includes `cyberpunk` in `settings.js`.
- ~~Glances full system monitoring~~ — Done: LXC host bind mounts, Docker socket, fs plugin patch, hostname/OS identity (2026-02-04).
- ~~Zigbee2MQTT dongle connection~~ — Done: adapter `ezsp`→`ember`, `ZIGBEE2MQTT_DATA` env var, direct `/dev/ttyUSB0` passthrough (2026-02-04).
- ~~Metablogizer Upload Failures~~ — Done: Chunked upload to bypass uhttpd 64KB JSON limit (2026-02-04).
- ~~Chip Header Layout Migration~~ — Done: client-guardian and auth-guardian ported to `sh-page-header` + `renderHeaderChip()` (2026-02-05).
- ~~SMB/CIFS Shared Remote Directories~~ — Done: `secubox-app-smbfs` + `secubox-app-ksmbd` (2026-02-04/05).
- ~~P2P App Store Emancipation~~ — Done: P2P package distribution, packages.js view, devstatus.js widget (2026-02-04/05).
- ~~Navigation Component~~ — Done: `SecuNav.renderTabs()` auto-inits theme+CSS, `renderCompactTabs()` (2026-02-05).
- ~~Monitoring UX~~ — Done: Empty-state loading animation, dynamic bandwidth units via `formatBits()` (2026-02-05).
- ~~MAC Guardian Feed Integration~~ — Done: Both IPKs built and added to bonus feed (2026-02-05).
- ~~Punk Exposure Multi-Domain DNS~~ — Done: emancipate/revoke CLI, RPCD, Mesh column, Emancipate modal (2026-02-05).
- ~~Jellyfin Post-Install Wizard~~ — Done: 4-step modal wizard for media library configuration (2026-02-05).
- ~~Domoticz IoT Integration~~ — Done: LuCI dashboard, MQTT auto-bridge, Zigbee2MQTT integration (2026-02-04).
- ~~MCP Server~~ — Done: `secubox-mcp-server` with 9 core tools + 5 AI-powered tools (LocalAI integration), Claude Desktop via SSH (2026-02-06).
---
## Couche 1 — Core Mesh (35+ modules)
### v0.18 Module Priorities
| Package | Status | Notes |
|---------|--------|-------|
| `secubox-app-rustdesk` | DONE | Native hbbs/hbbr binaries, auto-key generation |
| `secubox-app-ksmbd` | DONE | Mesh media server with pre-configured shares |
| `secubox-app-domoticz` | DONE | LXC Debian, MQTT bridge, Zigbee2MQTT |
| `secubox-app-smbfs` | DONE | Client-side SMB mount manager |
### Testing & Validation
1. **Mesh Onboarding Testing** — DONE (2026-02-26)
- ~~master-link dynamic join IPK generation needs end-to-end testing on multi-node mesh.~~
- ~~P2P decentralized threat intelligence sharing needs validation with real CrowdSec alerts.~~
- ZKP cross-node verification tested (bidirectional ACCEPT)
- Threat IOC propagation tested (116 blocks synced)
- Automatic SSH-based mesh sync configured (5-min cron)
2. **WAF Auto-Ban Tuning** — DONE (2026-03-03)
- ~~Sensitivity thresholds may need adjustment based on real traffic patterns.~~
- ~~CVE detection patterns (including CVE-2025-15467) need false-positive analysis.~~
- Added Amazon/OpenAI/Meta to bot whitelist
- Changed sensitivity from strict to moderate (5 attempts in 600s)
- Updated waf_bypass scenario to skip known bots
3. **Image Builder Validation** — DONE (2026-03-03)
- ~~`secubox-tools/` image builder and sysupgrade scripts need testing on physical hardware.~~
- Syntax validation passed for all scripts (bash/POSIX sh)
- ASU API connectivity verified, all device profiles valid
- Fixed curl redirect handling (added `-L` flag to 9 curl calls)
- First-boot script validated for correct package installation
### Innovation CVE Layer 7
- WAF analysis via Modsec IP + traffic analysis + CrowdSec CVE detection
- Combines: `secubox-app-waf` + `mitmproxy` threat patterns + CrowdSec scenarios
### Docs & Tooling
- ~~Document deployment scripts in `README.md` (what each script copies).~~ — Done (2026-02-28)
- ~~Add lint/upload pre-check to prevent syntax errors before SCP.~~ — Done (2026-02-28): `pre-deploy-lint.sh` validates JS/JSON/Shell/CSS syntax
- Capture screenshot baselines for dark/light/cyberpunk themes.
- ~~Automate browser cache busting (append `?v=<version>` to CSS URLs).~~ — Done (2026-02-28): nav.js cache bust parameter
---
## Couche 2 — AI Gateway
### Data Classifier (Sovereignty Engine) — DONE (2026-02-28)
| Classification | Description | Destination |
|----------------|-------------|-------------|
| LOCAL ONLY | Raw network data, IPs, MACs, logs | Never leaves device |
| SANITIZED | IPs scrubbed, anonymized patterns | Mistral EU (opt-in) |
| CLOUD DIRECT | Generic queries, no sensitive data | Claude/GPT (opt-in) |
**Package**: `secubox-ai-gateway` — OpenAI-compatible proxy (port 4050) + Data Classifier + Audit Logging
- [x] Data Classifier with 3 tiers (LOCAL_ONLY, SANITIZED, CLOUD_DIRECT)
- [x] Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- [x] PII Sanitizer for SANITIZED tier
- [x] OpenAI-compatible API on port 4050
- [x] aigatewayctl CLI
- [x] RPCD backend (11 methods)
- [x] ANSSI CSPN audit logging
### 6 Autonomous Agents
| Agent | Phase | Description |
|-------|-------|-------------|
| Threat Analyst | v0.18 | CrowdSec alert analysis, threat correlation |
| DNS Guard | v0.18 | DNS anomaly detection, migration from current |
| CVE Triage | v0.19 | Vulnerability prioritization, patch recommendations |
| Network Anomaly | v0.19 | Traffic pattern analysis, baseline deviation |
| Log Analyzer | v0.19 | Cross-log correlation, incident timeline |
| Config Advisor | v1.0 | ANSSI compliance prep, configuration hardening |
### MCP Server — Le lien manquant
SecuBox MCP Server exposes device context to AI agents via Model Context Protocol:
**MCP Tools**:
- `crowdsec.alerts` — Active threats and decisions
- `waf.logs` — Web application firewall events
- `dns.queries` — DNS query logs and anomalies
- `network.flows` — Traffic flow summaries
- `system.metrics` — CPU, memory, disk, temperature
- `wireguard.status` — VPN tunnel status
- `uci.config` — OpenWrt configuration access
**Integration targets**: Claude Desktop, Cursor, VS Code, custom agents
### AI Provider Hierarchy
1. **Mistral** (EU sovereign, GDPR compliant) — Priority 1
2. **Claude** — Priority 2
3. **GPT** — Priority 3
4. **Gemini** — Priority 4
5. **xAI** — Priority 5
All cloud providers are **opt-in**. Offline resilience: local tier always active.
---
## Couche 3 — MirrorNetworking
### EnigmaBox → MirrorNet Paradigm Reversal
> Zero central authority: each box IS the network.
### Dual Transport Architecture
| Tier | Protocol | Purpose |
|------|----------|---------|
| Tier 1 | WireGuard | Known peers, trusted mesh |
| Tier 2 | Yggdrasil | Discovery, extended mesh (optional) |
### Services Mirrors (P2P Gossip)
- **Threat Intel**: IoC signed gossip, distributed threat intelligence
- **AI Inference**: Distributed model inference across mesh
- **Reputation**: Trust scoring, peer reputation
- **Config & Updates**: P2P configuration sync, firmware distribution
### New Packages Roadmap
| Package | Version | Description |
|---------|---------|-------------|
| `secubox-mirrornet` | v0.19 | Core mesh orchestration, gossip protocol |
| `secubox-identity` | v0.19 | did:plc generation, key rotation, trust scoring |
| `secubox-p2p-intel` | v0.19 | IoC signed gossip, threat intelligence |
| `luci-app-secubox-mirror` | v0.19 | Dashboard for peers, trust, services |
| `secubox-voip` | v1.0 | Asterisk micro-PBX, SIP/SRTP over mesh |
| `secubox-matrix` | v1.0 | Conduit Matrix server (~15MB RAM) |
| `secubox-factory` | v1.0 | Auto-provisioning via mesh P2P |
| `yggdrasil-secubox` | v1.1+ | Yggdrasil overlay + meshname DNS |
### Communication Layer
- **VoIP E2E**: Asterisk/SRTP direct over WireGuard mesh (no exit server)
- **Matrix E2EE**: Conduit federation on mesh
- **Mesh Email**: Optional, deferred
---
## Couche 4 — Roadmap
### v0.18.0 — MirrorBox Core v1.0
- [x] LocalAI upgrade → 3.9 (Done 2026-02-06)
- [x] MCP Server implementation (Done 2026-02-06)
- [x] Threat Analyst agent (Done 2026-02-05)
- [x] DNS Guard AI migration (Done 2026-02-06)
- [x] LocalAI multi-channel emancipation (Done 2026-02-06)
### v0.19.0 — AI Expansion + MirrorNet
- [x] CVE Triage agent (Done 2026-02-06)
- [x] Network Anomaly agent (Done 2026-02-06)
- [x] LocalRecall memory integration (Done 2026-02-06)
- [x] AI Insights dashboard (Done 2026-02-06)
- [x] MirrorNet core packages: (Done 2026-02-07)
- [x] `secubox-mirrornet` — Mesh orchestration, gossip protocol
- [x] `secubox-identity` — did:plc generation, trust scoring
- [x] `secubox-p2p-intel` — IoC signed gossip
- [x] `luci-app-secubox-mirror` — Dashboard for peers, trust, services
- [x] Master/Slave CDN Architecture:
- [x] Wildcard domain delegation (*.secubox.io concept) — `secubox-vortex-dns` (2026-02-05)
- [x] Service mirroring via reverse proxy chaining — `mirrorctl` (2026-02-07)
- [x] Gossip-based exposure config sync — `vortexctl mesh sync` (2026-02-05)
- [x] Hierarchical submastering/multimixslaving — `vortexctl submaster` (2026-02-05)
### v1.0.0 — Full Stack
- [x] Config Advisor (ANSSI prep) — Done 2026-02-07
- [x] P2P Mesh Intelligence — Done 2026-02-26
- [x] Factory auto-provisioning — Done 2026-02-24
- [x] VoIP integration — Done 2026-02-19
- [x] Matrix integration — Done 2026-02-19
### v1.1+ — Extended Mesh
- [x] Yggdrasil overlay — Done 2026-02-26 (bidirectional IPv6, SSH, LAN multicast discovery)
- [x] Meshname DNS — Done 2026-02-28 (decentralized .ygg resolution via gossip + dnsmasq)
- [x] Extended peer discovery — Done 2026-02-28 (yggctl CLI, gossip-based peer announcements, trust-verified auto-peering)
### Certifications Ciblees
| Certification | Status | Target |
|---------------|--------|--------|
| ANSSI CSPN | In Progress | v1.0 |
| ISO 27001 | Planned | v1.1 |
| NIS2 | Planned | v1.1 |
| CE | Planned | v1.0 |
| GDPR | Compliant | Current |
| SOC2 | Planned | v1.2 |
**ANSSI CSPN Strategy**: Data Classifier + Mistral EU + offline mode = triple sovereignty proof
---
## Deferred / Backlog
### ~~Tor Shield / opkg Bug~~ — RESOLVED (2026-02-28)
- ~~opkg downloads fail (`wget returned 4`) when Tor Shield is active.~~
- **Root cause**: DNS queries for package repos went through Tor DNS, which is slow/unreliable
- **Fix**: Added dnsmasq bypass for excluded domains (`/tmp/dnsmasq.d/tor-shield-bypass.conf`)
- Excluded domains now resolve directly via upstream DNS, bypassing Tor
- Default exclusions include: openwrt.org, pool.ntp.org, letsencrypt.org, DNS provider APIs
### v2 Long-term
- Nextcloud self-hosted cloud storage
- SSMTP / mail host / MX record management
- Reverse MWAN WireGuard peers (multi-WAN failover over mesh)
---
## Veille Cyber — Février 2026
_Space for current threat intelligence and security news relevant to SecuBox development._
- CVE-2025-15467: WAF detection patterns added
- [ ] Monitor for new CrowdSec scenarios
- [ ] Track OpenWrt security advisories
Reference in New Issue View Git Blame Copy Permalink