CyberMind-FR 18987a96dc docs: Mark AI Gateway integration complete in WIP.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-28 17:59:35 +01:00

65 KiB

Raw Blame History

Work In Progress (Claude)

Last updated: 2026-02-28 (AI Gateway Deployed)

Architecture Reference: SecuBox Fanzine v3 — Les 4 Couches

Couche 1 — Core Mesh

Recently Completed (2026-02-04/05)

MAC Guardian Feed Integration — DONE (2026-02-05)
- Both IPKs built and added to bonus feed
- Catalog updated with security category, wifi icon
Punk Exposure Emancipate — DONE (2026-02-05)
- CLI: emancipate and revoke commands for multi-channel exposure
- RPCD: 3 new methods in luci.exposure
- Dashboard: Mesh column toggle, Emancipate modal
Jellyfin Post-Install Wizard — DONE (2026-02-05)
- 4-step modal wizard (Welcome, Media, Network, Complete)
- RPCD methods for wizard status and media path management
Navigation Component Refactoring — DONE (2026-02-05)
- SecuNav.renderTabs() auto-inits theme and CSS
- renderCompactTabs() for nested modules
- Eliminated ~1000 lines of duplicate CSS
ksmbd Mesh Media Sharing — DONE (2026-02-05)
- ksmbdctl CLI with share management
- Pre-configured shares: Media, Jellyfin, Lyrion, Backup
SMB/CIFS Remote Mount Manager — DONE (2026-02-04)
- smbfsctl CLI, UCI config, init script
- Jellyfin and Lyrion media path integration
Domoticz IoT Integration — DONE (2026-02-04)
- LXC Debian container with native binary
- MQTT auto-bridge, Zigbee2MQTT integration
- domoticzctl configure-mqtt command

In Progress

Vortex DNS Firewall Phase 1 — DONE (2026-02-11)
- Created secubox-vortex-firewall package for DNS-level threat blocking
- Threat intel aggregator (URLhaus, OpenPhish, Malware Domains feeds)
- SQLite blocklist database with domain deduplication
- dnsmasq integration via sinkhole hosts file
- ×47 vitality multiplier concept
- CLI tool: vortex-firewall intel/stats/start/stop
- RPCD handler with 8 methods for LuCI integration
- Tested: 765 domains blocked from 3 feeds
- Next phases: Sinkhole server (Phase 2), DNS Guard integration (Phase 3), Mesh threat sharing (Phase 4), LuCI dashboard (Phase 5)
Vortex DNS - Meshed multi-dynamic subdomain delegation (DONE 2026-02-05)
- Created secubox-vortex-dns package with vortexctl CLI
- Master/slave hierarchical DNS delegation
- Wildcard domain management (*.domain.com)
- First Peek auto-registration of services
- Gossip-based exposure config sync via secubox-p2p
- Created luci-app-vortex-dns dashboard

Just Completed (2026-02-28)

Yggdrasil Extended Peer Discovery — DONE (2026-02-28)
- Created secubox-app-yggdrasil-discovery package for mesh peer discovery
- yggctl CLI with commands: status, self, peers, announce, discover, bootstrap
- Gossip protocol integration via mirrornet yggdrasil_peer message type
- Auto-peering with trust verification (master-link fingerprint)
- Daemon for periodic announcements (configurable interval)
- UCI config: enabled, auto_announce, announce_interval, auto_peer, require_trust, min_trust_score
- Bootstrap peers list for initial network connectivity
- Tested on C3BOX: yggctl showing correct IPv6 and peer stats
- Files: Makefile, init script, UCI config, core.sh, daemon.sh, gossip-handler.sh, yggctl CLI
- Completes v1.1+ Extended Mesh roadmap (all 3 items done)
tdahbdss Routing Fix — DONE (2026-02-28)
- AdGuard Home hijacked port 8989 (MetaBlogizer's port)
- Changed AdGuard config from port 8989 to 3000
- MetaBlogizer routes restored
Tor Shield opkg Bug Fix — DONE (2026-02-28)
- Root cause: DNS queries for package repos went through Tor DNS (slow/unreliable)
- Fix: Added dnsmasq bypass for excluded domains
- setup_dnsmasq_bypass() generates /tmp/dnsmasq.d/tor-shield-bypass.conf
- Excluded domains resolve directly via upstream DNS, bypassing Tor
- Default exclusions: openwrt.org, pool.ntp.org, letsencrypt.org, DNS provider APIs
- cleanup_dnsmasq_bypass() removes config on Tor Shield stop
HAProxy Portal 503 Fix — DONE (2026-02-28)
- Root cause: Vhost for 192.168.255.1 had malformed backend: backend='--backend'
- Container exit: unable to find required use_backend: '--backend'
- Fix: Corrected UCI to backend='luci_default', disabled ACME, regenerated config
- Portal now returns 200 and redirects to LuCI
AI Gateway (Sovereignty Engine) — DONE (2026-02-28)
- Created secubox-ai-gateway package for ANSSI CSPN compliance
- Data Classifier with 3 tiers: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
- Provider hierarchy: LocalAI > Mistral (EU) > Claude > GPT > Gemini > xAI
- PII Sanitizer: IPv4/IPv6, MAC, credentials, private keys scrubbing
- OpenAI-compatible proxy on port 4050
- aigatewayctl CLI: status, classify, sanitize, provider, audit, offline-mode
- RPCD backend: 11 ubus methods for LuCI integration
- Audit logging: JSONL format for compliance review
- Files: Makefile, UCI config, init.d, classifier.sh, sanitizer.sh, providers.sh, proxy.sh, audit.sh, 6 provider adapters
- Deployed and tested on C3BOX:
  - Classification working: IPs → LOCAL_ONLY, generic → CLOUD_DIRECT
  - Sanitization working: IPv4, MAC, credentials correctly redacted
  - Proxy running on port 4050 via socat
  - API endpoints responding: /health, /v1/models
- Integrated with MCP server and threat-analyst:
  - Both route through AI Gateway (preferred) with LocalAI fallback
  - Ensures threat data (IPs, MACs, logs) stays LOCAL_ONLY
Nextcloud Users List Fix — DONE (2026-02-28)
- RPC expect: { users: [] } extracted array, render expected object
- Fixed to expect: {} for full response

Just Completed (2026-02-27)

OpenClaw AI Assistant LuCI Package — DONE (2026-02-27)
- Created luci-app-openclaw with 3 views: Chat, Settings, Integrations
- RPCD backend with 9 ubus methods
- Multi-provider support: Claude, GPT, Ollama
- Chat interface with markdown rendering and history
- Integrations: Telegram, Discord, Slack, Email, Calendar

Just Completed (2026-02-26)

Yggdrasil IPv6 Overlay Network — DONE (2026-02-26)
- Deployed Yggdrasil on both master (aarch64) and clone (x86_64)
- Connected to 2 public peers (51.15.204.214, ygg.mkg20001.io)
- LAN multicast discovery: clone auto-peered with master via br-lan (1.73ms RTT)
- Bidirectional ping6 working:
  - Master → Clone: ~6.2ms avg
  - Clone → Master: ~2.2ms avg
- SSH over Yggdrasil working bidirectionally
- Fixed firewall zones: added device="ygg0" to nftables zones on both nodes
- IPv6 addresses:
  - Master: 201:e4d4:9d55:9a02:7427:7081:9cf9:9e46
  - Clone: 201:a9d8:5a5:e493:bd0b:2c2f:5e85:34fe
ZKP Cross-Node Verification Testing — DONE (2026-02-26)
- Full bidirectional ZKP authentication tested between master (aarch64) and clone (x86_64)
- Generated 50-node Hamiltonian graphs on both nodes
- Master → Clone: ACCEPT (clone verified master's proof)
- Clone → Master: ACCEPT (master verified clone's proof)
- Deployed x86_64 ZKP binaries (zkp_keygen, zkp_prover, zkp_verifier) to clone
- Proof sizes: ~40-80KB, verification time: <1 second
- Nodes can now cryptographically authenticate identity without sharing secrets
Mesh Blockchain Bidirectional Sync Testing — DONE (2026-02-26)
- Tested chain.json sync between master (192.168.255.1) and clone (192.168.255.156)
- Master → Clone: 112 blocks synced successfully
- Clone added block 113 (type: "clone_test", node: "clone1")
- Clone → Master: Block 113 merged back to master
- Both nodes at identical chain height with matching hash
- Validates threat intel propagation works bidirectionally
P2P Threat Intelligence Sharing — DONE (2026-02-26)
- Real CrowdSec/WAF threat IOCs propagate between mesh nodes
- Master threat (198.51.100.1) → synced to clone ✓
- Clone threat (203.0.113.99) → synced to master ✓
- 100+ real threat_ioc blocks shared (waf_bypass, jenkins_rce, sql_injection)
- Automatic sync every 5 minutes via SSH-based cron job
- Deployed p2p-mesh.sh to clone for block generation
Nextcloud nginx Static File Fix — DONE (2026-02-26)
- Talk app CSS/JS blocked with "incorrect MIME type (text/html)"
- Root cause: /apps/ location block with ^~ modifier catching static files
- Fix: Removed problematic location block, static files now served correctly
- Talk video calls now functional
Mail Server Webmail Detection Fix — DONE (2026-02-26)
- Webmail status showed "Stopped" despite Roundcube LXC running
- Root cause: RPCD only checked Docker, not LXC containers
- Fix: Added webmail.type UCI check, use lxc-info for LXC

Just Completed (2026-02-25)

MetaBlogizer HAProxy Stability — DONE (2026-02-25)
- Fixed random 404 errors caused by multiple HAProxy instances
- Root cause: Both host and container HAProxy were listening on ports 80/443
- Fix: Disabled host HAProxy service, container HAProxy is now sole handler
- Added auto-republish on upload for emancipated sites
- All sites (rfg, form, facb, plainte) now consistently return HTTP 200
Factory Dashboard LuCI — DONE (2026-02-25)
- Added Factory tab to Cloning Station (luci-app-cloner/overview.js)
- Discovery Mode Toggle with visual status (🟢 ON / 🔴 OFF)
- Pending Devices list with approve/reject and profile assignment
- Bulk Token Generator with profile selection
- Hardware Inventory table (MAC, Model, CPU, RAM, Storage)
- 8 RPC declarations, 5 state properties, 5 render functions, 6 event handlers
- Polling: Factory data included in 5-second refresh when on tab
- UI Pattern: KISS theme components (stat boxes, cards, tables, buttons)
Factory Auto-Provisioning Backend — DONE (2026-02-24)
- Zero-touch provisioning for new mesh devices without pre-shared tokens
- Hardware inventory collection (MAC, serial, model, CPU, RAM, storage)
- Profile-based configuration (7 profiles: default, enterprise, home-*, media-server, smart-home)
- Discovery mode with pending queue and manual/auto approval
- Bulk token generation (up to 100 tokens per batch)
- Clone provision enhancements for discovery-based join
- 9 new RPCD methods in luci.cloner
- Files: inventory.sh, profiles.sh, default.json (new)
- Modified: master-link.sh, 50-secubox-clone-provision, luci.cloner, p2p-mesh.sh
- Tested: All methods working via ubus
ZKP Mesh Authentication — DONE (2026-02-24)
- Zero-Knowledge Proof integration for cryptographic mesh authentication
- Each node has ZKP identity (public graph + secret Hamiltonian cycle)
- New API endpoints: /api/master-link/zkp-challenge, /api/master-link/zkp-verify, /api/zkp/graph
- Shell functions: ml_zkp_init(), ml_zkp_challenge(), ml_zkp_verify(), ml_zkp_trust_peer()
- Blockchain acknowledgment via peer_zkp_verified block type
- UCI config options: zkp_enabled, zkp_fingerprint, zkp_require_on_join, zkp_challenge_ttl
- Tested on master (fingerprint: 7c5ead2b4e4b0106)
- Files: master-link.sh (ZKP functions), 3 new API endpoints
ZKP Join Flow Integration — DONE (2026-02-24)
- Enhanced ml_join_request() to accept and verify ZKP proofs during join
- Enhanced ml_join_approve() to auto-fetch and store peer's ZKP graph
- New peer-side ml_join_with_zkp() function for ZKP-authenticated joining
- /api/master-link/join now accepts zkp_proof and zkp_graph fields
- When ZKP proof provided: fingerprint = SHA256(graph)[0:16] (ZKP fingerprint)
- Option zkp_require_on_join to mandate ZKP for all new joins
- Join requests now store zkp_verified and zkp_proof_hash fields
- Tested: Clone joined with zkp_verified: true, graph auto-stored on approval
LuCI ZKP Dashboard — DONE (2026-02-24)
- Added ZKP Status section to luci-app-master-link Overview tab
- Cards: ZKP Identity (fingerprint), ZKP Tools status, Trusted Peers count
- Color theme: purple gradient for ZKP elements
- Added ZKP badge column to peer table (🔐ZKP vs TOKEN)
- Helper function zkpBadge() for visual auth type indicator
MirrorNet Ash Compatibility Fix — DONE (2026-02-24)
- Fixed process substitution < <(cmd) incompatibility with BusyBox ash
- Converted to pipe-based patterns with temp files for variable persistence
- Files fixed: mirror.sh (3), gossip.sh (3), health.sh (1), identity.sh (1)
- Tested: mirrorctl CLI fully functional on both routers
- Mirror features working: add service, add upstream, health check, HAProxy config generation
Mesh Blockchain Sync — DONE (2026-02-24)
- Fixed chain.json append logic for proper JSON structure preservation
- Fixed /api/chain/since/<hash> endpoint to return only new blocks as array
- chain_add_block(): Uses awk to safely insert before closing ] }
- chain_merge_block(): Same awk-based approach for remote block merging
- sync_with_peer(): Properly merges blocks into local chain
- Handles JSON with/without trailing newlines and varying whitespace
- Tested bidirectional sync: Master ↔ Clone both at height 70, matching hash
- Files: p2p-mesh.sh (chain functions), /www/api/chain (endpoint)

Just Completed (2026-02-20)

LuCI VM Manager — DONE (2026-02-20)
- luci-app-vm package for LXC container management dashboard
- Status bar: total/running/stopped containers, disk usage
- Container cards with Start/Stop/Restart, Snapshot, Export controls
- RPCD handler with 10 methods: status, list, info, logs, start, stop, restart, snapshot, export
- Polling for live status updates
Vortex Firewall Stats Fix — DONE (2026-02-20)
- Enabled BIND RPZ logging for blocked queries
- Created /usr/sbin/vortex-firewall-stats script to parse logs
- Fixed RPCD handler to read hit_count from stats file
- Added cron job for automatic stats updates every 5 minutes
- Verified: 12,370 domains blocked, RPZ NXDOMAIN working
SaaS Relay HAProxy Integration — DONE (2026-02-20)
- Fixed relay.gk2.secubox.in routing to mitmproxy on port 8891
- Created SaaS relay dashboard HTML at /srv/saas-relay/web/
- HexoJS fallback via uhttpd on port 4000
Matrix Homeserver (Conduit) — DONE (2026-02-20)
- E2EE mesh messaging server using Conduit Matrix homeserver
- LXC container with pre-built ARM64 Conduit binary (0.10.12)
- matrixctl CLI (1279 lines): install/uninstall/update, user management, rooms, federation
- luci-app-matrix dashboard with:
  - Install wizard, status cards, feature badges
  - Service controls (Start/Stop/Update/Uninstall)
  - User management form
  - Emancipate (public exposure) with HAProxy + SSL
  - Identity (DID) integration section
  - P2P mesh publication toggle
  - Logs viewer
- RPCD backend with 17 methods
- UCI config: main, server, federation, admin, database, network, identity, mesh
- Tested and verified on router (all checks pass, API responding)
SaaS Relay CDN Caching & Session Replay — DONE (2026-02-20)
- CDN cache with configurable profiles: minimal, gandalf, aggressive
- Session replay modes: shared (default), per_user, master
- New CLI commands: saasctl cache {status|clear|profile|enable|disable}
- New CLI commands: saasctl session {status|mode|master|enable|disable}
- Enhanced mitmproxy addon (415 lines) with response caching
- UCI config sections: cache, cache_profile (3), session_replay
- Config JSON export: config.json + services.json
Media Services Hub Dashboard — DONE (2026-02-20)
- Unified dashboard for all SecuBox media services at /admin/services/media-hub
- Category-organized cards: streaming, conferencing, apps, display, social, monitoring
- Service cards with status indicators, start/stop/restart controls
- RPCD backend querying 8 media services (Jellyfin, Lyrion, Jitsi, PeerTube, etc.)
- Files: luci-app-media-hub package
HexoJS KISS Static Upload — DONE (2026-02-20)
- Multi-user/multi-instance authentication with HAProxy Basic Auth
- UCI config for users, auth, and instances
- hexoctl user add/del/passwd/grant/revoke commands
- hexoctl auth enable/disable/status/haproxy commands
- KISS static upload workflow (no Hexo build required):
  - hexoctl static create <name> - Create static-only site
  - hexoctl static upload <file> - Upload HTML/CSS/JS directly
  - hexoctl static publish - Copy to /www/ for immediate serving
  - hexoctl static quick <file> - One-command upload + publish
- Tested and verified on router
HexoJS Content Upload Wizard — DONE (2026-02-20)
- 3-step wizard UI at /admin/services/hexojs/upload
- File upload: HTML, PDF, Markdown (.md) support
- Metadata: Title, Category, Tags, Public/Private visibility
- Multi-target publishing: HexoJS Blog, Gitea, Streamlit, MetaBlogizer
- Base64 encoding for binary file transfer
- RPCD methods: upload_article, upload_pdf, upload_html, publish_draft, unpublish_post, get_uploads
- Gitea integration with repo/path selection
- SecuBox Welcome Guide deployed at /guide/, /connexion.html, /accueil.html

Just Completed (2026-02-19)

WAF VoIP/XMPP Security Filters — DONE (2026-02-19)
- Added 4 new WAF categories to mitmproxy:
  - voip: 12 SIP/VoIP patterns (header injection, ARI/AMI abuse)
  - xmpp: 10 XMPP patterns (XSS, XXE, BOSH hijack)
  - cve_voip: 9 CVEs for Asterisk/FreePBX/Kamailio/OpenSIPS
  - cve_xmpp: 8 CVEs for Prosody/ejabberd/Tigase
- Autoban options for voip/xmpp attacks
- Total: 40+ new detection patterns, 17+ CVEs
Self-Hosted Jitsi Meet — DONE (2026-02-19)
- Full LXC deployment: Prosody (5380), Jicofo, JVB, Nginx (9088)
- HAProxy vhost at meet.gk2.secubox.in with Let's Encrypt SSL
- WAF bypass for WebRTC compatibility
- Webchat integrated with self-hosted Jitsi
- Complete video conferencing without external dependencies
VoIP (Asterisk PBX) + Jabber Integration — DONE (2026-02-19)
- Created secubox-app-voip package with Asterisk PBX in LXC container
- OVH Telephony API integration for SIP trunk auto-provisioning
- voipctl CLI: install/uninstall, ext add/del, trunk add ovh, call, vm list
- Created luci-app-voip with 4 views: Overview, Extensions, Trunks, Click-to-Call
- RPCD backend with 15 methods for VoIP management
- Jabber VoIP integration:
  - Jingle VoIP support (STUN/TURN via mod_external_services)
  - SMS relay via OVH (messages to sms@domain)
  - Voicemail notifications via Asterisk AMI → XMPP
- Updated jabberctl with jingle enable/disable, sms config/send, voicemail-notify
- Updated luci.jabber RPCD with 9 new VoIP methods
- UCI config sections: jingle, sms, voicemail
Matrix Homeserver Integration — DONE (2026-02-19)
- Created secubox-app-matrix package with Conduit Matrix server in LXC
- Pre-built ARM64/x86_64 binaries (~15MB), ~500MB RAM footprint
- matrixctl CLI: install/start/stop, user management, federation, emancipate
- HAProxy integration, identity linking (DID), P2P mesh publication
- Created luci-app-matrix dashboard with KISS theme
- Install wizard, status cards, user form, emancipate form, logs viewer
- RPCD backend with 18 methods
- Completes v1.0.0 roadmap: Matrix + VoIP + Jabber = full mesh communication stack

Just Completed (2026-02-17)

PeerTube yt-dlp Video Import — DONE (2026-02-17)
- Installed yt-dlp in PeerTube LXC container
- Added RPCD methods: import_video, import_status
- LuCI UI section with URL input and download button
- Supports YouTube, Vimeo, and 1000+ sites
- Downloads to import folder for PeerTube admin upload
mitmproxy WAF Filters UI — DONE (2026-02-17)
- Added new "WAF Filters" tab to mitmproxy LuCI interface
- Displays 10 filter categories: sqli, xss, lfi, rce, cve_2024, scanners, webmail, api_abuse, nextcloud, roundcube
- Toggle enable/disable per category with live updates
- Expandable rules tables showing patterns, descriptions, CVE links
- Summary stats: total categories, active filters, rule count
- RPCD methods: get_waf_rules, toggle_waf_category
Security KISS Dashboard Enhancements — DONE (2026-02-17)
- Added ndpid (nDPI daemon) to service status monitoring
- Added Wazuh SIEM to security services list (earlier today)
- 6 services now monitored: CrowdSec, Wazuh, netifyd, ndpid, mitmproxy, Threat Intel
APPS Portal Extensions — DONE (2026-02-17)
- Added Streamlit and MetaBlogizer to Services category in KISS portal
- Apps now accessible via Extended Apps view
Jellyfin Container Restore — DONE (2026-02-17)
- Started stopped jellyfin container
- Enabled auto-start (lxc.start.auto = 1)
- Verified port 8096 accessible
Webmail PHP-FPM Fix — DONE (2026-02-17)
- Fixed 504 timeout by restarting dead PHP-FPM process in roundcube container
- Login/authentication working again
WebRadio LuCI App — DONE (2026-02-17)
- Added luci-app-webradio package from webradio-openwrt project
- 7 LuCI JS views: overview, server, playlist, schedule, jingles, live, security
- RPCD backend with 15+ methods
- CrowdSec integration for Icecast abuse detection
- Programming grid scheduler with jingle support
- Live audio input via DarkIce (ALSA)
- Source: https://github.com/gkerma/webradio-openwrt
Nextcloud LXC Enhancement — DONE (2026-02-17)
- Updated version to 31.0.5, added auto-start and cgroup memory limit
- Fixed nginx /apps/ path for static assets
- Added Storage tab with disk usage visualization
- Added backup delete functionality
- Added RPCD: uninstall, get_storage, delete_backup (20 methods total)
- Rewrote README.md with LXC architecture docs
SecuBox Cloner MochaBin LED Fix — DONE (2026-02-17)
- Added i2c LED blacklist to clone provision scripts
- Prevents PCA955x I2C bus lockup on MochaBin devices
- Three-method fix: kernel bootarg, module removal, LED trigger disable
- Clone backup generator includes 00-disable-i2c-leds firstboot script
- Successfully cloned moka1 from c3box with sysupgrade method
Mailserver Dovecot Permissions Fix — DONE (2026-02-17)
- Fixed startup permissions: login/token-login directories owned by root:dovenull
- Remove stale auth-token-secret.dat on startup (prevents "compromised token" errors)
- Fixed users file permissions in user_add/user_passwd functions (644 root:dovecot)
- Password reset no longer breaks authentication
- Released in v0.20.6
Nextcloud 31.0.14 Upgrade & Fixes — DONE (2026-02-17)
- Upgraded from 30.0.17 to 31.0.14
- Fixed nginx 403 on /apps/* paths (removed overly aggressive location block)
- Added cron job setup for background tasks (every 5 minutes)
- All apps updated: mail, tasks, external, spreed/Talk
DNS Master POSIX Fix — DONE (2026-02-17)
- Fixed bump_serial() bash-specific syntax for busybox ash compatibility
- del_record now works via RPCD (was failing with "arithmetic syntax error")
- All DNS Master LuCI buttons tested and working
LXC Container Auto-Start — DONE (2026-02-17)
- Enabled lxc.start.auto for mailserver, roundcube, nextcloud
- Containers now survive reboots
Mailctl Firewall Rules — DONE (2026-02-17)
- Updated cmd_firewall_setup() with UCI firewall rules
- Input rules for WAN (ports 25, 143, 465, 587, 993)
- Forward rules for WAN-to-LAN mailserver

Just Completed (2026-02-16)

HexoCMS Multi-Instance Enhancement — DONE (2026-02-16)
- Added backup/restore commands to hexoctl
- Added GitHub clone support (hexoctl github clone <url> [instance] [branch])
- Added Gitea push support (hexoctl gitea push [instance] [message])
- Added quick-publish command (clean + build + publish)
- Added status-json and instance-list-json for RPCD
- Enhanced RPCD handler with 15 new methods:
  - Instance: list_instances, create_instance, delete_instance, start_instance, stop_instance
  - Backup: list_backups, create_backup, restore_backup, delete_backup
  - Git: github_clone, gitea_push, quick_publish
- Rewrote LuCI dashboard with KISS theme:
  - Multi-instance management with cards
  - Instance controls: start/stop, quick publish, backup, editor, preview
  - GitHub/Gitea clone modals
  - Backup table with restore/delete
  - Stats grid: instances, posts, drafts, backups
  - Quick actions: new instance, clone from GitHub/Gitea, new post, settings
- Updated API with 12 new RPC declarations
- Updated ACL with new permissions
DNS Master LuCI App — DONE (2026-02-16)
- Created secubox-app-dns-master with dnsmaster CLI
- Commands: status, zone-list, zone-add, records-json, record-add/del, reload, check, backup
- Created luci-app-dns-master with KISS dashboard
- Zones table with Edit/Check/Backup, Records editor with type badges
- Add Zone/Record modals, live polling, auto serial bump
- Added to KISS nav Network category
Mailserver LuCI KISS Regeneration — DONE (2026-02-16)
- Complete rewrite of overview.js with KISS theme
- Fixed IMAP hairpin NAT issue (hosts override in Nextcloud container)
- Fixed port 143 detection in RPCD script
- Stats grid, port cards, users/aliases tables, webmail card
- Added to KISS nav Apps category
Nextcloud LXC Production Deploy — DONE (2026-02-16)
- Installed on c3box with Debian 12 LXC
- Fixed nginx port conflict (80→8080) with HAProxy
- Fixed PHP-FPM socket path (php8.2-fpm.sock)
- Fixed nginx routing (rewrite to index.php for /apps/*)
- HAProxy SSL configured: https://cloud.gk2.secubox.in
- Mitmproxy routes updated for direct backend access
WAF Rules for Nextcloud & Roundcube — DONE (2026-02-16)
- Added 20 CVE-based rules to /srv/mitmproxy/waf-rules.json
- Nextcloud: CVE-2023-49791, CVE-2024-22403, CVE-2024-37315, etc.
- Roundcube: CVE-2024-37383, CVE-2023-5631, CVE-2020-35730, etc.
- Common attack patterns: path traversal, XSS, SQLi, RCE
Mail Client Autoconfig — DONE (2026-02-16)
- DNS records: autoconfig., autodiscover., SRV for _imaps/_submission
- Autoconfig XML at /.well-known/autoconfig/mail/config-v1.1.xml
- Mozilla/Thunderbird format with IMAP (993/143) and SMTP (587/465)
- HAProxy vhost and mitmproxy routes configured
Nextcloud Upgrade 31.0.14 — DONE (2026-02-16)
- Upgraded from 30.0.17 → 31.0.14 via OCC updater
- All apps updated: mail, tasks, external, spreed/Talk
- Database schema migrations completed
Mailctl Firewall Rules Persistence — DONE (2026-02-16)
- Updated cmd_firewall_setup() with UCI firewall rules
- Input rules for WAN (ports 25, 143, 465, 587, 993)
- Forward rules for WAN-to-LAN mailserver
- Rules persist across firewall restarts

Recently Completed (2026-02-15)

HAProxy & Mitmproxy WAF Fixes — DONE (2026-02-15)
- Fixed HAProxy reload: copy config to /etc/haproxy/ before signal
- Fixed mitmproxy Host header preservation for OAuth compatibility
- Reset WAF globally: removed waf_bypass from 70 vhosts/ACLs
- All traffic now routes through mitmproxy for inspection
- Committed: f3f6eb4e
PeerTube Email Configuration — DONE (2026-02-15)
- Configured SMTP with local mailserver (192.168.255.30:25)
- Fixed STARTTLS self-signed cert error (disable_starttls: true)
- Password resets and notifications working
Wazuh Agent Watchdog — DONE (2026-02-15)
- Added watchdog loop to check wazuh-agentd every 60 seconds
- Auto-restarts service if process dies
- Logs to /var/log/wazuh-watchdog.log
- Committed: 851910e1
Streamlit Gitea Integration — DONE (2026-02-15)
- Auto-push on first upload confirmed working
- Pushed 4 missing apps to Gitea (cineposter_fixed, pdf_slideshow, pharmacopoeia_secubox, wuyun_liuqi)
- 18 apps now have Gitea repos
- Fixed secubox-evolution repo privacy (was public → now private)
- All Gitea repos now created with private:true by default
Mailserver gk2 Account Restoration — DONE (2026-02-15)
- Container was reinstalled on Feb 14, only admin@ was recreated
- Restored gk2@secubox.in from backup (config-20260206-171132.tar.gz)
- Same password hash preserved (no password change needed)
- Note: Maildir was already empty in backup (emails lost before Feb 6)
Mitmproxy WAF Dashboard Data Path Fix — DONE (2026-02-15)
- Dashboard was showing 0 threats because RPCD read from /srv/mitmproxy (out)
- Fixed to read from /srv/mitmproxy-in (WAF input instance)
- Now displays correct stats: 997 threats today, 29 pending autobans
- Updated: get_status, get_alerts, get_threat_stats, get_subdomain_metrics
- Committed: 42d85c4d
PeerTube Transcoding Jobs Fix — DONE (2026-02-15)
- Videos were stuck with waitTranscoding=true and not showing in public listing
- Root cause: Admin enabled "remote runners" for transcoding but no runners registered
- runnerJob table had 6 jobs stuck in pending state (state=1)
- Fix: Set waitTranscoding=false directly in database to make videos visible
- Alternative fix (for future uploads): Disable remote runners in admin panel, use local ffmpeg
GK2 Hub Landing Page Subdomain URLs — DONE (2026-02-15)
- Previous version used redirect paths (secubox.in/gk2/service)
- Updated gk2hub-generate to use direct subdomain URLs (service.gk2.secubox.in)
- Added HAProxy vhost lookup for automatic subdomain detection
- Added PeerTube, GoToSocial, Wazuh to Infrastructure section
- 67 services now display with proper subdomain URLs
PeerTube Video Platform Package — DONE (2026-02-15)
- Created secubox-app-peertube package for self-hosted video streaming
- LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg
- peertubectl CLI with 15+ commands: install/uninstall/update/start/stop/status
- Live streaming support with RTMP port 1935
- HAProxy integration with extended timeouts (3600s) for streaming
- Emancipation workflow for public exposure
- User management: create-user, reset-password, list-users
- Backup/restore PostgreSQL database
- UCI config: main, server, live, transcoding, storage, network, admin sections
- Fixed: Redis ARM64-COW-BUG via ignore-warnings config
- Fixed: Redis sentinel disabled (using standalone Redis)
- Fixed: RTMPS disabled (no SSL keys needed)
- Fixed: HAProxy waf_bypass=1 for proper OAuth routing
PeerTube LuCI Dashboard — DONE (2026-02-15)
- Created luci-app-peertube package
- RPRD handler with 11 methods: status, start, stop, install, uninstall, update, logs, emancipate, live_enable, live_disable, configure_haproxy
- Dashboard with install wizard, status display, service controls
- Live streaming toggle with firewall integration
- HAProxy configuration button
- Emancipate form for public exposure
- Logs viewer with refresh
Generative LuCI Tree — DONE (2026-02-15)
- Created luci.secubox-portal RPCD backend for dynamic component discovery
- Three RPC methods: get_tree, get_containers, get_vhosts
- Auto-discovers all installed luci-app-* packages and groups by category:
  - SecuBox Core, Security, Media & Streaming, Network & Proxy
  - Development & CMS, IoT & Home, AI & Communication, System & Management
- Discovers LXC containers from /srv/lxc/ with running state
- Discovers HAProxy vhosts from UCI with domain/backend/ssl info
- Updated luci-tree.js with:
  - Three tabs: LuCI Apps, Containers, Vhosts
  - Refresh button for live updates
  - Stats showing packages, containers, vhosts counts
  - Search functionality for filtering
- ACL permissions for unauthenticated portal access

Just Completed (2026-02-14)

mitmproxy WAF Wildcard Route Priority Fix — DONE (2026-02-14)
- Fixed wildcard route matching in haproxy_router.py
- Issue: .gk2.secubox.in wildcard (port 4000) matched before specific routes like apr.gk2.secubox.in (port 8928)
- Fix: Support both *.domain and .domain wildcard formats
- Fix: Sort wildcards by length (longest/most specific first)
- Added auto-reload: Routes file checked every 10 requests, reloads if modified
- Updated metablogizerctl to use mitmproxyctl sync-routes instead of direct file manipulation
- MetaBlogizer sites now properly routed through WAF
Wazuh SIEM LuCI Dashboard — DONE (2026-02-14)
- Created luci-app-wazuh package for unified Wazuh security monitoring
- 4 views: Overview, Alerts, File Integrity, Agents
- SysWarden-inspired 4-layer security visualization
- RPCD handler (luci.wazuh) with 12 API methods
- CrowdSec integration for threat correlation display
- Full RPCD testing verified via ubus calls
MetaBlogizer SDLC Content Restoration — DONE (2026-02-14)
- sdlc.gk2.secubox.in was showing GK2 Hub template instead of original content
- GK2 Hub generator had overwritten local index.html
- Original "Les Seigneurs de La Chambre - Présentation Cinématique" preserved in git
- Restored via git checkout HEAD -- index.html
- Site now correctly displaying cinematic presentation content
Streamlit WebSocket WAF Bypass — DONE (2026-02-14)
- Streamlit apps use WebSockets which are incompatible with MITM proxy
- Re-added waf_bypass=1 to all 20 Streamlit apps
- Apps now route directly through HAProxy without mitmproxy filtering
- Trade-off: Streamlit apps bypass WAF for WebSocket compatibility
WAF Architecture Configuration — DONE (2026-02-14)
- WAF (mitmproxy) enabled for Streamlit apps and MetaBlogizer sites
- WAF bypass for infrastructure: Jellyfin, Mail, Glances, GoToSocial, Webmail
- Path ACLs (/gk2/*) bypass WAF - mitmproxy routes by host only
- 38 path ACLs configured with waf_bypass=1
- Architecture: HAProxy → mitmproxy (WAF) → Backend (filtered) or HAProxy → Backend (bypass)
C3BOX SDLC Full Service Verification — DONE (2026-02-14)
- Verified all 70 services across 12 zones on C3BOX dashboard
- Zones: *.cybermind.fr (2), *.cybermood.eu (2), *.ganimed.fr (2), *.maegia.tv (19), *.secubox.in (29), *.sb.local (4), *.secubox.local (2)
- 20 Streamlit apps, 15 MetaBlog sites, infrastructure services
- 77 vhosts configured, 52 SSL certificates, 5 LXC containers running
- All public services returning HTTP 200
Mitmproxy Routes Duplicate Fix — DONE (2026-02-14)
- Fixed duplicate entries in /srv/mitmproxy-in/haproxy-routes.json
- console.gk2.secubox.in and control.gk2.secubox.in had duplicate routes
- Second entry (port 8081) was overriding correct Streamlit ports (8501/8511)
- Removed duplicates, verified correct routing
Service Backend Fixes — DONE (2026-02-14)
- play.maegia.tv: Changed backend from mitmproxy_inspector to streamlit_yijing
- client.gk2.secubox.in: Enabled pinafore_srv server with health check
- Added uhttpd instance on port 4002 for Pinafore static landing page
Glances System Monitor — DONE (2026-02-14)
- Installed python3-pip via opkg
- Installed Glances 4.5.0.4 via pip3 with dependencies
- Created dummy webbrowser.py module for headless operation
- Started Glances web server on port 61208
- https://glances.gk2.secubox.in now operational
GoToSocial Service Start — DONE (2026-02-14)
- Enabled GoToSocial in UCI config
- Started LXC container via gotosocialctl start
- https://social.gk2.secubox.in operational

Just Completed (2026-02-13)

GoToSocial Fediverse Server — DONE (2026-02-13)
- Deployed GoToSocial v0.17.0 ActivityPub server
- Direct execution mode (v0.18.0 has cgroup panics)
- Domain: social.gk2.secubox.in with wildcard SSL
- HAProxy exposure with backend to 192.168.255.1:8484
- Admin user created and promoted
- SQLite database, web assets configured
- Live at https://social.gk2.secubox.in
Cloning Station Remote Device Management — DONE (2026-02-13)
- 6-tab tabbed interface: Overview, Remotes, Build, Console, History, Images
- Remote device management via UCI and RPCD
- SSH key authentication setup using dropbear
- Network scan for discovering SecuBox devices
- Remote status: hostname, model, version, uptime
- Image upload and remote flash with token injection
- sysupgrade with keep_settings option
- 7 new RPCD methods: list_remotes, add_remote, remove_remote, remote_status, remote_upload, remote_flash, scan_network
- Uses dropbear's dbclient for SSH (OpenWrt native)
Cloning Station Dashboard Enhancements — DONE (2026-02-13)
- 5-tab tabbed interface: Overview, Build, Console, History, Images
- Build Progress UI: real-time log streaming, stage indicators, progress bar
- Serial Console: port selection, live output, command input (requires stty)
- Clone History: JSON-based tracking with timestamp/device/status
- Image Manager: storage info, image details modal, delete/rename
- 10 new RPCD methods added with ACL permissions

Just Completed (2026-02-08 PM)

Vortex Hub Wildcard Routing — DONE (2026-02-08)
- HAProxy wildcard domain support (*.gk2.secubox.in)
- Subdomain-to-path rewriting: {sub}.gk2.secubox.in/x → /{sub}/x
- New match_type option: exact, suffix, regex
- Vortex fallback backend with X-Vortex-Node headers
- Prepares infrastructure for distributed mesh node publishing
Mitmproxy WAF Subdomain Metrics — DONE (2026-02-08)
- Track requests/threats per subdomain in secubox_analytics.py
- New RPCD method: subdomain_metrics
- Metrics: requests, threats, protocols, methods, status codes, top URIs, countries
- LuCI dashboard shows subdomain metrics instead of alerts
RPCD luci.secubox Modular Refactor — DONE (2026-02-08)
- Split 2544-line monolithic handler into 14 modules
- Thin dispatcher + /usr/lib/secubox/rpcd.d/*.sh modules
- Modules: core, modules, profiles, snapshots, health, dashboard, appstore, state, network, feeds, skills, feedback, p2p
- Shared utilities in _common.sh
HAProxy Backend IP Fixes — DONE (2026-02-08)
- Fixed all 127.0.0.1 → 192.168.255.1 in backend configs
- Cleaned up duplicate vhosts and invalid IP:port backend formats
- Fixed presse.cybermood.eu routing
- Fixed streamlit_evolution stale config in container
GK2 Node Service Mapping — DONE (2026-02-08)
- Complete map of 10 published domains
- 9 active backends documented
- Wildcard certificate ready for mesh
HAProxy Path-Based ACL Routing — DONE (2026-02-08/09)
- Added _add_path_acl() function to haproxyctl for UCI acl sections
- Support for path_beg, path_end, path, path_reg, path_dir match types
- Path ACLs processed before vhost ACLs (higher priority)
- Fixed http_request list handling to avoid duplicate output
- Pattern Length Sorting (2026-02-09): ACLs now sorted by pattern length (longest first)
  - Two-phase: _collect_path_acl() + _emit_sorted_path_acls()
  - Ensures /gk2/evolution matches before /gk2
- Apex domain routing: secubox.in/gk2/** instead of *.gk2.secubox.in
- Tested: /gk2, /gk2/evolution, /gk2/control all routing correctly
Gandi DNS Secondary Setup — DONE (2026-02-08)
- Configured BIND master to allow zone transfers to Gandi (217.70.177.40)
- Added also-notify and notify yes for automatic zone updates
- Synced all BIND zone records to Gandi LiveDNS via API
- Updated registrar nameservers to Gandi LiveDNS (ns-*.gandi.net)
- DNS propagation verified: all A, MX, wildcard records resolving correctly
- Architecture: Registrar → Gandi LiveDNS ← synced from → BIND master

Just Completed (2026-02-06/08)

Evolution Dashboard Real-Time Commits — DONE (2026-02-08)
- New "🚀 Devel" tab with live GitHub commits (1-min cache)
- Commits Today / This Week / Contributors / Stars metrics
- Commit type distribution with color-coding (feat/fix/docs/refactor)
- Recent commits with hash, message, author, relative time
- Repository stats (forks, watchers, open issues)
- Cyberpunk-themed commit cards with pulsing live indicator
Station Cloner/Deployer — DONE (2026-02-08)
- Host-side secubox-clone-station.sh with MOKATOOL integration for dual USB serial control
- On-device secubox-cloner CLI for build/serve/token/export
- First-boot provisioning script with partition resize and mesh join
- Master-link clone tokens with auto-approve for seamless onboarding
- Added secubox clone and secubox master-link CLI command groups
- Full workflow: build image on master → TFTP serve → flash target → auto-join mesh
Cloning Station LuCI Dashboard — DONE (2026-02-11)
- Created luci-app-cloner package with KISS-style dashboard
- Status cards: device type, TFTP status, token count, clone count
- Quick actions: Build Image, Start/Stop TFTP, New/Auto-Approve Token
- Clone images table with size and TFTP-ready indicator
- Token management with delete functionality
- U-Boot flash commands display when TFTP active
- RPCD handler: 10 methods (status, list_images, list_tokens, list_clones, etc.)
System Hub KISS Rewrite — DONE (2026-02-11)
- Rewrote luci-app-system-hub/overview.js to KISS style
- Self-contained inline CSS, no external dependencies
- 6 status cards: Hostname/Model, Uptime, Services, CPU Load, Temperature, Health Score
- 3 resource bars: Memory, Storage, CPU Usage
- Quick Actions + Services table with running/stopped badges
- 5-second live polling with data-stat DOM updates
- Full dark mode support
SecuBox Dashboard KISS Rewrite — DONE (2026-02-11)
- Rewrote luci-app-secubox/dashboard.js to KISS style
- Removed all external deps (secubox/api, secubox-theme, secubox/nav, secubox-portal/header)
- Header chips, stats cards, health panel, public IPs, modules table, quick actions, alerts
- 15-second live polling
- Full dark mode support
HAProxy "End of Internet" Default Page — DONE (2026-02-07)
- Cyberpunk fallback page for unknown/unmatched domains
- Matrix rain animation, glitch text, ASCII art SecuBox logo
- Added http-request UCI option support in haproxyctl generator
- Path rewriting via http-request set-path for static content
- Backend validation rejects IP:port misconfiguration
CrowdSec Threat Origins Fix — DONE (2026-02-07)
- Fixed [object Object] display bug in Threat Origins widget
- parseCountries() now handles array format [{country, count}]
CrowdSec Dashboard Cache System — DONE (2026-02-06)
- Created /usr/sbin/secubox-crowdsec-collector v4 background stats collector
- Generates /tmp/secubox/crowdsec-overview.json every minute via cron
- RPCD fast path: reads cache first, falls back to slow cscli calls if stale
- Fixes dashboard loading times from 5-10s to <100ms
mitmproxy Local IP "Green Known" — DONE (2026-02-06)
- Patched secubox_analytics.py to skip threat logging for trusted local IPs
- Local network traffic (192.168.x, 10.x, 172.16-18.x) no longer pollutes threats.log
- Autoban still correctly targets only external IPs
Control Panel File Compatibility — DONE (2026-02-06)
- Fixed file naming mismatch (health.json vs health-status.json, etc.)
- Created symlinks for compatibility
- Created missing cache files (threat.json, netifyd.json)
- Updated stats collector to maintain symlinks on each run
LED Fix & Double-Buffer Status Cache — DONE (2026-02-07)
- Removed mmc0 LED (was blocking heartbeat loop)
- Added status_collector_loop() background daemon
- Cache files: /tmp/secubox/{health,threat,capacity}.json
- Fast readers for LED loop and dashboards (no subprocess calls)
MetaBlogizer KISS ULTIME MODE — DONE (2026-02-07)
- Added metablogizerctl emancipate command
- One-command workflow: DNS + Vortex + HAProxy + SSL + Reload
- DNS registration via dnsctl (Gandi/OVH based on availability)
- Vortex DNS mesh publication
- HAProxy vhost with SSL and ACME
- Zero-downtime reload via SIGUSR2
Streamlit LuCI Dashboard Edit & Emancipate — DONE (2026-02-06)
- Added Edit button with modal code editor (base64 encoding)
- Added Emancipate button with KISS ULTIME MODE workflow
- RPCD: get_source, save_source, emancipate, get_emancipation
- API + ACL updated
SecuBox Vhost Manager — DONE (2026-02-06)
- Created secubox-vhost CLI for subdomain management
- External (.gk2.secubox.in) and local (.gk2.sb.local) domain support
- UCI config for vhosts: console, control, metrics, crowdsec, factory, glances, play
- Default landing page generation
- Integrated into secubox-core daemon and firstboot

Completed (2026-02-06)

AI Insights Dashboard — DONE
- Created luci-app-ai-insights - unified view across all AI agents
- Security posture scoring (0-100) with factor breakdown
- Agent status grid: Threat Analyst, DNS Guard, Network Anomaly, CVE Triage
- Aggregated alerts from all agents
- Actions: Run All Agents, AI Analysis, View Timeline
- Links to LocalRecall memory dashboard
LocalRecall Memory System — DONE
- Created secubox-localrecall - persistent memory for AI agents
- Categories: threats, decisions, patterns, configs, conversations
- LocalAI integration for semantic search and AI summarization
- Created luci-app-localrecall dashboard with add/search/summarize
Network Anomaly Agent — DONE
- Created secubox-network-anomaly with 5 detection modules
- Bandwidth spikes, connection floods, port scans, DNS anomalies, protocol anomalies
- LocalAI integration for AI-powered analysis
- Created luci-app-network-anomaly dashboard
CVE Triage Agent — DONE
- Created secubox-cve-triage - AI-powered CVE analysis and vulnerability management
- Architecture: Collector → Analyzer → Recommender → Applier
- NVD API integration for CVE data
- CrowdSec CVE alert correlation
- LocalAI-powered impact analysis
- Approval workflow for patch recommendations
- Multi-source monitoring: opkg, LXC, Docker
- Created luci-app-cve-triage dashboard with alerts, pending queue, risk score
Webmail Login 401 Issue — RESOLVED
- Root cause: config.docker.inc.php overrode IMAP host to ssl://mail.secubox.in:993
- Docker container couldn't resolve domain or connect via SSL
- Fix: Changed to use socat proxy at 172.17.0.1:10143 (plaintext, internal)
- Updated mailctl webmail configure to use proxy instead of direct SSL
Mail Send 451 "Temporary lookup failure" — RESOLVED (2026-02-06)
- Root cause: Alpine Postfix uses LMDB, not BerkeleyDB hash maps
- virtual_alias_maps = hash:/etc/postfix/virtual was invalid
- Postfix chroot /var/spool/postfix/etc/resolv.conf was missing
- Fix: Changed setup.sh to use lmdb: prefix and copy resolv.conf to chroot
- Added mailctl fix-postfix command to repair existing installations
Mail Port Hijacking External Connections — RESOLVED (2026-02-06)
- Root cause: firewall.user DNAT rules had no interface restriction
- ALL port 993/587/etc traffic was redirected to local mailserver
- This blocked Thunderbird from connecting to external mail (ssl0.ovh.net)
- Fix: Added -i $WAN_IF to only redirect inbound WAN traffic
Mail Ports 587/465/995 Not Listening — RESOLVED (2026-02-07)
- Root cause: Postfix master.cf missing submission/smtps entries
- Dovecot 10-master.conf had pop3s commented out
- dovecot-pop3d package not installed in container
- Fix: Added mailctl fix-ports command to enable all mail ports
- Also added password reset for mail users in LuCI dashboard
BIND Zone Returning Internal IP — RESOLVED (2026-02-07)
- Root cause: /etc/bind/zones/secubox.in.zone had 192.168.255.1 (internal) instead of public IP
- External DNS queries returned non-routable internal IP
- Fix: Updated zone file with public IP 82.67.100.75 for all records
IPv6 DNS Support — DONE (2026-02-07)
- Added AAAA records to BIND zone and Gandi DNS
- IPv6: 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
- Records: @, mail, ns0, ns1, wildcard
nftables Mail Forwarding Rules — DONE (2026-02-07)
- Root cause: nftables forward_wan chain blocked DNAT'd mail traffic
- iptables DNAT worked but nftables dropped packets before forwarding
- Fix: Added explicit accept rules for mail ports (25,143,465,587,993,995)
- Added both IPv4 and IPv6 forwarding rules
- Persisted in /etc/firewall.user
Postfix/Dovecot Maildir Path Alignment — DONE (2026-02-07)
- Root cause: Postfix delivered to /home/vmail/$domain/$user/new/ but Dovecot looks in ~/Maildir/new/
- Emails were delivered but invisible in Roundcube
- Fix in container.sh: Mount to home/vmail, virtual_mailbox_base = /home/vmail
- Fix in users.sh: Create $domain/$user/Maildir/{cur,new,tmp} structure
- Updated vmailbox format to include Maildir/ suffix
Inbound Port 25 Blocked by Free ISP — RESOLVED (2026-02-16)
- Free ISP blocks inbound port 25 on residential lines
- Outbound mail works, inbound from external fails
- Workaround options: VPS relay, Mailgun/SendGrid, or contact Free support

Just Completed

Unified Backup Manager — DONE (2026-02-05)
- Created secubox-app-backup CLI for LXC containers, UCI config, service data
- Created luci-app-backup dashboard with container list, backup history
- Gitea remote sync and mesh backup support
- RPCD handler with 8 methods
Custom Mail Server — DONE (2026-02-05)
- Created secubox-app-mailserver - Postfix + Dovecot in LXC container
- mailctl CLI: user management, aliases, SSL, mesh backup
- Webmail (Roundcube) integration
- Mesh P2P mail backup sync
DNS Provider Enhanced — DONE (2026-02-05)
- Added dnsctl generate - auto-generate subdomain A records
- Added dnsctl suggest - name suggestions by category
- Added dnsctl mail-setup - MX, SPF, DMARC records
- Added dnsctl dkim-add - DKIM TXT record
Subdomain Generator Tool — DONE (2026-02-05)
- secubox-subdomain CLI for generative subdomain management
- Automates: DNS A record + HAProxy vhost + UCI registration
- Uses wildcard certificate (*.zone) for instant SSL
- Quick-add shortcuts for common services (gitea, grafana, jellyfin, etc.)
- Part of Punk Exposure infrastructure

Recently Completed (2026-02-07)

Mesh Onboarding Testing — VALIDATED
- Token generation: POST /api/master-link/token with HMAC tokens + TTL
- IPK download: GET /api/master-link/ipk?token= serves pre-built 12KB IPK
- Dynamic IPK: ml_ipk_generate creates join packages on-the-fly
- Join flow: request → approval → peer added at depth+1
- Blockchain: peer_approved blocks recorded correctly
- Threat Intel: 288 local IOCs, 67 threat_ioc blocks in chain

Just Completed (2026-02-12)

HAProxy stats.js KISS Migration — DONE (2026-02-12)
- Rewrote Statistics dashboard to use KissTheme
- Stats iframe, logs viewer with refresh
- Removed CSS import via style element
HAProxy backends.js KISS Migration — DONE (2026-02-12)
- Rewrote Backends dashboard to use KissTheme
- Backend cards with server lists, health check info
- Add/edit server modals with quick service selector
- Removed external dashboard.css dependency
HAProxy vhosts.js KISS Migration — DONE (2026-02-12)
- Rewrote Virtual Hosts dashboard to use KissTheme
- Self-contained inline CSS, removed external dashboard.css
- Add vhost form, vhosts table, edit modal, delete confirmation
InterceptoR LXC Detection Fix — DONE (2026-02-12)
- Changed from lxc-ls --running to lxc-info -n mitmproxy -s
- More reliable container state detection
- Fixed container name from secbx-mitmproxy to mitmproxy

Just Completed (2026-02-11)

InterceptoR Services Dashboard — DONE (2026-02-11)
- Created luci.services-registry RPCD handler with 4 methods
- Aggregates: HAProxy vhosts, Tor onions, mitmproxy instances, init.d services, LuCI apps, system metrics
- Dynamic KISS dashboard with 5 tabs: Published, Proxies, Services, Dashboards, Metrics
- Service emoji registry for visual identification
- CrowdSec stats integration (alerts, bans)
- 10-second live polling
- Fixed kiss-theme.js singleton pattern for LuCI module loading
mitmproxy Multi-Instance Support — DONE (2026-02-11)
- Updated init.d script with config_foreach start_instance instance
- Updated mitmproxyctl with list-instances, instance-aware service-run/stop
- UCI config for dual instances: out (LAN→Internet), in (WAF/services)
- Cloned containers: mitmproxy-out, mitmproxy-in
- Documented in README.md
Cookie Tracker LuCI Dashboard — DONE (2026-02-11)
- Created luci-app-cookie-tracker with KISS theme
- RPCD handler with 6 methods: status, list, report, block, unblock, classify
- Category breakdown visualization (essential, functional, analytics, advertising, tracking)
- Top trackers list with one-click blocking
- Blocked domains display
- 69 known tracker domains pre-loaded
- mitmproxy addon linked for cookie capture
CDN Cache KISS Theme — DONE (2026-02-11)
- Rewrote overview.js with full KISS styling
- Circular gauge for hit ratio
- Stats grid, top domains table, 10s polling
IoT Guard Implementation — DONE (2026-02-11)
- Created secubox-iot-guard package for IoT device isolation and security
- OUI-based classification with 100+ IoT manufacturer prefixes
- 10 device classes with risk scoring (0-100)
- Anomaly detection: bandwidth spikes, new destinations, port scans, time anomalies
- Integration: Client Guardian (zones), MAC Guardian (L2), Vortex Firewall (DNS), Bandwidth Manager (QoS)
- CLI: iot-guardctl with status/list/show/scan/isolate/trust/block/anomalies/cloud-map
- Created luci-app-iot-guard with KISS-style dashboard
- 4 views: Overview, Devices, Policies, Settings
- RPCD handler with 11 methods + public ACL for unauthenticated access

Just Completed (2026-02-24)

LuCI ZKP Dashboard — DONE (2026-02-24)
- Web UI for ZKP Hamiltonian cryptographic proofs
- Features: keygen, prove, verify, keys management
- KISS theme with dark mode
- Commit: b60d7fd0
MetaBlogizer Upload Workflow Fix — DONE (2026-02-24)
- Sites now work immediately after upload without unpublish + expose cycle
- Root cause: mitmproxy never received reload signal after route creation
- Fix: reload_haproxy() now calls mitmproxyctl sync-routes
- Commit: ec8e96a7
ZKP Hamiltonian Library — DONE (2026-02-24)
- Zero-Knowledge Proof implementation based on Hamiltonian Cycle (Blum 1986)
- NIZK via Fiat-Shamir heuristic, SHA3-256 commitments (OpenSSL)
- Complete library: prove/verify/serialize + CLI tools (keygen/prover/verifier)
- 41 tests passing: completeness, soundness, tamper detection, anti-replay
- C99 targeting OpenWrt ARM64, CMake build system
- Commit: 65539368
Service Stability & LED Pulse Fix — DONE (2026-02-24)
- CrowdSec autostart: Fixed machine registration mismatch, downloaded GeoLite2-City.mmdb
- LED pulse: Fixed HAProxy check to run on host instead of non-existent LXC container
- Docker: Restored corrupted nextcloud-talk-hpb container
- HAProxy: Fixed cloud.gk2.secubox.in 503 (wrong backend)
- LXC: Enabled autostart for mailserver and roundcube containers
- Verified: All 13 LXC containers + 6 core services running after reboot

Just Completed (2026-02-21)

SecuBox KISS UI Full Regeneration — DONE (2026-02-21)
- Complete KISS pattern rewrite of 5 core LuCI views
- Removed legacy deps: SecuNav, Theme, Cascade, SbHeader
- All views now use inline CSS with dark mode support
- Files rewritten:
  - modules.js: 565→280 lines — Module grid with filters
  - monitoring.js: 442→245 lines — Live SVG charts
  - alerts.js: 451→255 lines — Alert timeline with dismiss
  - settings.js: 540→220 lines — UCI form with chips
  - services.js: 1334→410 lines — Services registry
- Total reduction: 3,332→1,410 lines (~58% less code)

Just Completed (2026-02-20 PM)

IP Blocklist - Evolution #1 — DONE (2026-02-20)
- Created secubox-app-ipblocklist backend package
- ipblocklist-update.sh CLI with ipset management
- Supports nftables (fw4) and iptables backends
- Default sources: Data-Shield (~100k IPs), Firehol Level 1
- Created luci-app-ipblocklist KISS dashboard
- RPCD handler with 12 methods
- Layer 1 pre-emptive defense before CrowdSec Layer 2
AbuseIPDB Reporter - Evolution #2 — DONE (2026-02-20)
- Added to luci-app-crowdsec-dashboard (v0.8.0)
- New "AbuseIPDB" tab in CrowdSec Dashboard
- crowdsec-reporter.sh CLI for reporting blocked IPs
- RPCD handler luci.crowdsec-abuseipdb with 9 methods
- UCI config for API key, categories, cooldown settings
- Cron job for automatic reporting every 15 minutes
- IP reputation checker in dashboard
Log Denoising - Evolution #3 — DONE (2026-02-20)
- Added smart log denoising to luci-app-system-hub (v0.5.2)
- Three modes: RAW (all logs), SMART (filter known IPs), SIGNAL_ONLY (new threats only)
- Integrates with IP Blocklist ipset + CrowdSec decisions
- RPCD methods: get_denoised_logs, get_denoise_stats
- LuCI dashboard additions:
  - Denoise mode selector panel
  - Noise ratio indicator with color coding
  - Known threats counter
  - Blocklist status warning
- Filters private IPs (10., 172.16-31., 192.168., 127.)
- Supports both nftables and iptables backends

SysWarden Evolution Plan (2026-02-20)

Implementing 3 evolutions inspired by SysWarden patterns:

#	Module	Priority	Status
1	`luci-app-ipblocklist`	HIGH	DONE
2	AbuseIPDB Reporter	HIGH	DONE
3	Log Denoising (System Hub)	MEDIUM	DONE

Next Up — Couche 1

v1.1+ Extended Mesh — COMPLETE (2026-02-28)

~~Multi-Node Mesh Testing~~ — DONE (2026-02-26)
- ZKP, blockchain sync, and threat intel propagation all validated
~~Yggdrasil Extended Peer Discovery~~ — DONE (2026-02-28)
- secubox-app-yggdrasil-discovery + yggctl CLI
- Gossip-based peer announcements, trust-verified auto-peering
WAF Auto-Ban Tuning (optional, as-needed)
- Sensitivity threshold adjustment based on production traffic

Backlog / Deferred:

~~Tor Shield / opkg bug~~ — FIXED (2026-02-28) - dnsmasq bypass for excluded domains
Nextcloud self-hosted cloud storage (v2)
SSMTP / mail host / MX record management (v2)
Reverse MWAN WireGuard peers (v2)

Couche 2 — AI Gateway

Recently Completed (2026-02-06)

DNS Guard AI Migration — DONE (2026-02-06)
- Created secubox-dns-guard daemon with 5 detection modules:
  - DGA (Domain Generation Algorithm) detection via entropy analysis
  - DNS tunneling/exfiltration detection
  - Rate anomaly detection (queries/min, unique domains/min)
  - Known bad domain matching against blocklists
  - TLD anomaly detection (suspicious TLDs, punycode/IDN)
- LocalAI integration for intelligent threat analysis
- Approval workflow: auto-apply or queue for review
- Updated luci-app-dnsguard v1.1.0 with:
  - AI Guard tab with pending blocks approval
  - Real-time alerts panel
  - Domain analysis with AI
  - Detection module status display
LocalAI Multi-Channel Emancipation — DONE (2026-02-06)
- Exposed LocalAI via Punk Exposure:
  - Tor: b7lmlfs3b55jhgqdwbn6unhjhlfflq6ch235xa2gsdvxe7toxcf7qyad.onion
  - DNS/SSL: localai.secubox.local
  - mDNS: _secubox._tcp.local (mesh advertised)
Threat Analyst Agent — DONE (2026-02-05)
- Created secubox-threat-analyst autonomous threat analysis daemon
- Rule generation for mitmproxy (Python), CrowdSec (YAML), WAF (JSON)
- Approval workflow: auto-apply mitmproxy, queue CrowdSec/WAF
- Created luci-app-threat-analyst with AI chatbot dashboard
- RPCD handler with 10 methods for status, chat, rules, approval
Threat Analyst KISS Dashboard v0.1.0 — DONE (2026-02-05)
- Regenerated LuCI dashboard following CrowdSec KISS template pattern
- External CSS loading, baseclass.extend() API pattern
- CVE alerts in System Health section
- CVE column in threats table with NVD hyperlinks
- AI Security Assistant chat interface
MCP Server Implementation — DONE (2026-02-06)
- Created secubox-mcp-server package with JSON-RPC 2.0 over stdio
- 9 core tools: crowdsec.alerts/decisions, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.get/set
- 5 AI-powered tools (via LocalAI): ai.analyze_threats, ai.cve_lookup, ai.suggest_waf_rules, ai.explain_ban, ai.security_posture
- Claude Desktop integration via SSH

Next Up — v0.18 AI Components

~~DNS Guard Migration~~ — DONE (2026-02-06)
~~LocalAI Upgrade → 3.9~~ — DONE (2026-02-06)
- Upgraded to v3.9.0 with Agent Jobs Panel and Memory Reclaimer
- Updated README with complete CLI reference and model presets

Couche 3 — MirrorNetworking

Just Completed (2026-02-07)

MirrorNet Core Package — DONE
- Created secubox-mirrornet with 5 library modules:
  - identity.sh - DID-based identity (did:plc:), keypair generation, signing
  - reputation.sh - Peer trust scoring (0-100), event logging, decay, ban thresholds
  - mirror.sh - Service mirroring, upstream management, HAProxy backend generation
  - gossip.sh - Enhanced gossip protocol, priority routing, deduplication, TTL-based forwarding
  - health.sh - Peer health monitoring, latency/packet loss, anomaly detection, alerts
- mirrorctl CLI with 30+ commands
- UCI config for roles (master/submaster/peer), reputation, gossip, mirror, health settings
MirrorNet Dashboard — DONE
- Created luci-app-secubox-mirror with RPCD handler (15 methods)
- Identity card with DID, hostname, role, version
- Peer reputation table with trust levels and reset action
- Gossip protocol stats (sent/received/forwarded/dropped)
- Health alerts panel with acknowledgment
- Mirrored services table
SecuBox Identity Package — DONE
- Created secubox-identity standalone identity management
- DID generation (did:plc:) compatible with AT Protocol
- Keypair management (HMAC-SHA256, Ed25519 fallback)
- Key rotation with backup
- Peer identity storage and resolution
- Trust scoring integration
- identityctl CLI with 25+ commands
P2P Intel Package — DONE
- Created secubox-p2p-intel for signed IOC sharing
- Collector: CrowdSec, mitmproxy, WAF, DNS Guard sources
- Signer: Cryptographic signing of IOC batches
- Validator: Source trust, age, format validation
- Applier: nftables/iptables/CrowdSec application
- Approval workflow for manual review
- p2p-intelctl CLI with 20+ commands

MirrorNet Packages Summary (v0.19)

Package	Status	Description
`secubox-mirrornet`	DONE	Core mesh orchestration, gossip, health
`secubox-identity`	DONE	DID-based identity, key management, trust
`secubox-p2p-intel`	DONE	IOC signed gossip, validation, application
`luci-app-secubox-mirror`	DONE	Dashboard for peers, trust, services

Master/Slave CDN Architecture (User Vision)

"multipoint CDN for SSL dependencies, root/master with *.sb, xxx.sb slaved, first peek meshed, submastering/multimixslaving"

Target architecture for service mirroring:

Root Master owns wildcard domain *.secubox.io (or similar)
Slave Nodes get delegated subdomains (node1.secubox.io)
First Peek = service discovery auto-registers in mesh
Mirror Cascade = master pushes exposure config to slaves
Submastering = hierarchical delegation (master → submaster → slaves)

Required components:

Dynamic DNS delegation with zone transfer
Service mirroring via reverse proxy chaining
Gossip-based exposure config sync
Trust hierarchy with certificate delegation

Communication Layer (v1.0)

secubox-voip — Asterisk micro-PBX
secubox-matrix — Conduit Matrix server

Couche 4 — Roadmap Tracking

v0.18.0 Progress

Item	Status
Core Mesh modules	35+ DONE
Guacamole	DEFERRED
MCP Server	DONE
Threat Analyst	DONE
DNS Guard AI Migration	DONE
LocalAI 3.9	DONE
LocalAI Emancipation	DONE (Tor + DNS + mDNS)

v1.0.0 Progress

Item	Status
Config Advisor	DONE
ANSSI CSPN Compliance	DONE
Remediation Engine	DONE
LuCI Dashboard	DONE

Just Completed (2026-02-07)

Config Advisor Package — DONE
- Created secubox-config-advisor - ANSSI CSPN compliance checking daemon
- 7 check categories, 25+ security rules
- Risk scoring (0-100) with grade (A-F) and risk level
- Auto-remediation for 7 checks with dry-run mode
- LocalAI integration for AI-powered suggestions
- config-advisorctl CLI with 20+ commands
Config Advisor Dashboard — DONE
- Created luci-app-config-advisor - LuCI dashboard
- Score display with grade circle and risk level
- Compliance view by category with pass/fail/warn badges
- Remediation view with apply/preview buttons
- Settings for framework, weights, categories, LocalAI

Certifications

ANSSI CSPN: Config Advisor compliance tool DONE
GDPR: Currently compliant
ISO 27001, NIS2, SOC2: Planned for v1.1+

Strategic Documents Received

SecuBox_LocalAI_Strategic_Analysis.html — AI Management Layer roadmap
SecuBox_AI_Gateway_Hybrid_Architecture.html — Hybrid Local/Cloud architecture
SecuBox_MirrorNetworking_Paradigm_Reversal.html — EnigmaBox autopsy → MirrorNet
SecuBox_Fanzine_v3_Feb2026.html — 4-layer architecture overview

Known Bugs (Deferred)

~~Tor Shield / opkg conflict~~: FIXED (2026-02-28) - Added dnsmasq bypass for excluded domains

Blockers / Risks

No automated regression tests for LuCI views; manual verification required after SCP deploy.
Guacamole ARM64 pre-built binaries not readily available.
MCP Server requires understanding of Model Context Protocol specification.

65 KiB Raw Blame History Unescape Escape

Work In Progress (Claude)

Couche 1 — Core Mesh

Recently Completed (2026-02-04/05)

In Progress

Just Completed (2026-02-28)

Just Completed (2026-02-27)

Just Completed (2026-02-26)

Just Completed (2026-02-25)

Just Completed (2026-02-20)

Just Completed (2026-02-19)

Just Completed (2026-02-17)

Just Completed (2026-02-16)

Recently Completed (2026-02-15)

Just Completed (2026-02-14)

Just Completed (2026-02-13)

Just Completed (2026-02-08 PM)

Just Completed (2026-02-06/08)

Completed (2026-02-06)

Just Completed

Recently Completed (2026-02-07)

Just Completed (2026-02-12)

Just Completed (2026-02-11)

Just Completed (2026-02-24)

Just Completed (2026-02-21)

Just Completed (2026-02-20 PM)

SysWarden Evolution Plan (2026-02-20)

Next Up — Couche 1

Couche 2 — AI Gateway

Recently Completed (2026-02-06)

Next Up — v0.18 AI Components

Couche 3 — MirrorNetworking

Just Completed (2026-02-07)

MirrorNet Packages Summary (v0.19)

Master/Slave CDN Architecture (User Vision)

Communication Layer (v1.0)

Couche 4 — Roadmap Tracking

v0.18.0 Progress

v1.0.0 Progress

Just Completed (2026-02-07)

Certifications

Strategic Documents Received

Known Bugs (Deferred)

Blockers / Risks

65 KiB

Raw Blame History