gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f3f6eb4e4b
secubox-openwrt/.claude/WIP.md
CyberMind-FR f3f6eb4e4b fix(haproxy,mitmproxy): Fix config reload and preserve Host header 
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/

mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-15 07:40:20 +01:00

34 KiB
Raw Blame History

Work In Progress (Claude)

Last updated: 2026-02-15 (PeerTube + Generative LuCI Tree)

Architecture Reference: SecuBox Fanzine v3 — Les 4 Couches

Couche 1 — Core Mesh

Recently Completed (2026-02-04/05)

  • MAC Guardian Feed Integration — DONE (2026-02-05)

    • Both IPKs built and added to bonus feed
    • Catalog updated with security category, wifi icon

  • Punk Exposure Emancipate — DONE (2026-02-05)

    • CLI: emancipate and revoke commands for multi-channel exposure
    • RPCD: 3 new methods in luci.exposure
    • Dashboard: Mesh column toggle, Emancipate modal

  • Jellyfin Post-Install Wizard — DONE (2026-02-05)

    • 4-step modal wizard (Welcome, Media, Network, Complete)
    • RPCD methods for wizard status and media path management

  • Navigation Component Refactoring — DONE (2026-02-05)

    • SecuNav.renderTabs() auto-inits theme and CSS
    • renderCompactTabs() for nested modules
    • Eliminated ~1000 lines of duplicate CSS

  • ksmbd Mesh Media Sharing — DONE (2026-02-05)

    • ksmbdctl CLI with share management
    • Pre-configured shares: Media, Jellyfin, Lyrion, Backup

  • SMB/CIFS Remote Mount Manager — DONE (2026-02-04)

    • smbfsctl CLI, UCI config, init script
    • Jellyfin and Lyrion media path integration

  • Domoticz IoT Integration — DONE (2026-02-04)

    • LXC Debian container with native binary
    • MQTT auto-bridge, Zigbee2MQTT integration
    • domoticzctl configure-mqtt command

In Progress

  • Vortex DNS Firewall Phase 1 — DONE (2026-02-11)

    • Created secubox-vortex-firewall package for DNS-level threat blocking
    • Threat intel aggregator (URLhaus, OpenPhish, Malware Domains feeds)
    • SQLite blocklist database with domain deduplication
    • dnsmasq integration via sinkhole hosts file
    • ×47 vitality multiplier concept
    • CLI tool: vortex-firewall intel/stats/start/stop
    • RPCD handler with 8 methods for LuCI integration
    • Tested: 765 domains blocked from 3 feeds
    • Next phases: Sinkhole server (Phase 2), DNS Guard integration (Phase 3), Mesh threat sharing (Phase 4), LuCI dashboard (Phase 5)

  • Vortex DNS - Meshed multi-dynamic subdomain delegation (DONE 2026-02-05)

    • Created secubox-vortex-dns package with vortexctl CLI
    • Master/slave hierarchical DNS delegation
    • Wildcard domain management (*.domain.com)
    • First Peek auto-registration of services
    • Gossip-based exposure config sync via secubox-p2p
    • Created luci-app-vortex-dns dashboard

Just Completed (2026-02-15)

  • PeerTube Video Platform Package — DONE (2026-02-15)

    • Created secubox-app-peertube package for self-hosted video streaming
    • LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg
    • peertubectl CLI with 15+ commands: install/uninstall/update/start/stop/status
    • Live streaming support with RTMP port 1935
    • HAProxy integration with extended timeouts (3600s) for streaming
    • Emancipation workflow for public exposure
    • User management: create-user, reset-password, list-users
    • Backup/restore PostgreSQL database
    • UCI config: main, server, live, transcoding, storage, network, admin sections
    • Fixed: Redis ARM64-COW-BUG via ignore-warnings config
    • Fixed: Redis sentinel disabled (using standalone Redis)
    • Fixed: RTMPS disabled (no SSL keys needed)
    • Fixed: HAProxy waf_bypass=1 for proper OAuth routing

  • PeerTube LuCI Dashboard — DONE (2026-02-15)

    • Created luci-app-peertube package
    • RPRD handler with 11 methods: status, start, stop, install, uninstall, update, logs, emancipate, live_enable, live_disable, configure_haproxy
    • Dashboard with install wizard, status display, service controls
    • Live streaming toggle with firewall integration
    • HAProxy configuration button
    • Emancipate form for public exposure
    • Logs viewer with refresh

  • Generative LuCI Tree — DONE (2026-02-15)

    • Created luci.secubox-portal RPCD backend for dynamic component discovery
    • Three RPC methods: get_tree, get_containers, get_vhosts
    • Auto-discovers all installed luci-app-* packages and groups by category:
      • SecuBox Core, Security, Media & Streaming, Network & Proxy
      • Development & CMS, IoT & Home, AI & Communication, System & Management
    • Discovers LXC containers from /srv/lxc/ with running state
    • Discovers HAProxy vhosts from UCI with domain/backend/ssl info
    • Updated luci-tree.js with:
      • Three tabs: LuCI Apps, Containers, Vhosts
      • Refresh button for live updates
      • Stats showing packages, containers, vhosts counts
      • Search functionality for filtering
    • ACL permissions for unauthenticated portal access

Just Completed (2026-02-14)

  • mitmproxy WAF Wildcard Route Priority Fix — DONE (2026-02-14)

    • Fixed wildcard route matching in haproxy_router.py
    • Issue: .gk2.secubox.in wildcard (port 4000) matched before specific routes like apr.gk2.secubox.in (port 8928)
    • Fix: Support both *.domain and .domain wildcard formats
    • Fix: Sort wildcards by length (longest/most specific first)
    • Added auto-reload: Routes file checked every 10 requests, reloads if modified
    • Updated metablogizerctl to use mitmproxyctl sync-routes instead of direct file manipulation
    • MetaBlogizer sites now properly routed through WAF

  • Wazuh SIEM LuCI Dashboard — DONE (2026-02-14)

    • Created luci-app-wazuh package for unified Wazuh security monitoring
    • 4 views: Overview, Alerts, File Integrity, Agents
    • SysWarden-inspired 4-layer security visualization
    • RPCD handler (luci.wazuh) with 12 API methods
    • CrowdSec integration for threat correlation display
    • Full RPCD testing verified via ubus calls

  • MetaBlogizer SDLC Content Restoration — DONE (2026-02-14)

    • sdlc.gk2.secubox.in was showing GK2 Hub template instead of original content
    • GK2 Hub generator had overwritten local index.html
    • Original "Les Seigneurs de La Chambre - Présentation Cinématique" preserved in git
    • Restored via git checkout HEAD -- index.html
    • Site now correctly displaying cinematic presentation content

  • Streamlit WebSocket WAF Bypass — DONE (2026-02-14)

    • Streamlit apps use WebSockets which are incompatible with MITM proxy
    • Re-added waf_bypass=1 to all 20 Streamlit apps
    • Apps now route directly through HAProxy without mitmproxy filtering
    • Trade-off: Streamlit apps bypass WAF for WebSocket compatibility

  • WAF Architecture Configuration — DONE (2026-02-14)

    • WAF (mitmproxy) enabled for Streamlit apps and MetaBlogizer sites
    • WAF bypass for infrastructure: Jellyfin, Mail, Glances, GoToSocial, Webmail
    • Path ACLs (/gk2/*) bypass WAF - mitmproxy routes by host only
    • 38 path ACLs configured with waf_bypass=1
    • Architecture: HAProxy → mitmproxy (WAF) → Backend (filtered) or HAProxy → Backend (bypass)

  • C3BOX SDLC Full Service Verification — DONE (2026-02-14)

    • Verified all 70 services across 12 zones on C3BOX dashboard
    • Zones: *.cybermind.fr (2), *.cybermood.eu (2), *.ganimed.fr (2), *.maegia.tv (19), *.secubox.in (29), *.sb.local (4), *.secubox.local (2)
    • 20 Streamlit apps, 15 MetaBlog sites, infrastructure services
    • 77 vhosts configured, 52 SSL certificates, 5 LXC containers running
    • All public services returning HTTP 200

  • Mitmproxy Routes Duplicate Fix — DONE (2026-02-14)

    • Fixed duplicate entries in /srv/mitmproxy-in/haproxy-routes.json
    • console.gk2.secubox.in and control.gk2.secubox.in had duplicate routes
    • Second entry (port 8081) was overriding correct Streamlit ports (8501/8511)
    • Removed duplicates, verified correct routing

  • Service Backend Fixes — DONE (2026-02-14)

    • play.maegia.tv: Changed backend from mitmproxy_inspector to streamlit_yijing
    • client.gk2.secubox.in: Enabled pinafore_srv server with health check
    • Added uhttpd instance on port 4002 for Pinafore static landing page

  • Glances System Monitor — DONE (2026-02-14)

    • Installed python3-pip via opkg
    • Installed Glances 4.5.0.4 via pip3 with dependencies
    • Created dummy webbrowser.py module for headless operation
    • Started Glances web server on port 61208
    • https://glances.gk2.secubox.in now operational

  • GoToSocial Service Start — DONE (2026-02-14)

Just Completed (2026-02-13)

  • GoToSocial Fediverse Server — DONE (2026-02-13)

    • Deployed GoToSocial v0.17.0 ActivityPub server
    • Direct execution mode (v0.18.0 has cgroup panics)
    • Domain: social.gk2.secubox.in with wildcard SSL
    • HAProxy exposure with backend to 192.168.255.1:8484
    • Admin user created and promoted
    • SQLite database, web assets configured
    • Live at https://social.gk2.secubox.in

  • Cloning Station Remote Device Management — DONE (2026-02-13)

    • 6-tab tabbed interface: Overview, Remotes, Build, Console, History, Images
    • Remote device management via UCI and RPCD
    • SSH key authentication setup using dropbear
    • Network scan for discovering SecuBox devices
    • Remote status: hostname, model, version, uptime
    • Image upload and remote flash with token injection
    • sysupgrade with keep_settings option
    • 7 new RPCD methods: list_remotes, add_remote, remove_remote, remote_status, remote_upload, remote_flash, scan_network
    • Uses dropbear's dbclient for SSH (OpenWrt native)

  • Cloning Station Dashboard Enhancements — DONE (2026-02-13)

    • 5-tab tabbed interface: Overview, Build, Console, History, Images
    • Build Progress UI: real-time log streaming, stage indicators, progress bar
    • Serial Console: port selection, live output, command input (requires stty)
    • Clone History: JSON-based tracking with timestamp/device/status
    • Image Manager: storage info, image details modal, delete/rename
    • 10 new RPCD methods added with ACL permissions

Just Completed (2026-02-08 PM)

  • Vortex Hub Wildcard Routing — DONE (2026-02-08)

    • HAProxy wildcard domain support (*.gk2.secubox.in)
    • Subdomain-to-path rewriting: {sub}.gk2.secubox.in/x/{sub}/x
    • New match_type option: exact, suffix, regex
    • Vortex fallback backend with X-Vortex-Node headers
    • Prepares infrastructure for distributed mesh node publishing

  • Mitmproxy WAF Subdomain Metrics — DONE (2026-02-08)

    • Track requests/threats per subdomain in secubox_analytics.py
    • New RPCD method: subdomain_metrics
    • Metrics: requests, threats, protocols, methods, status codes, top URIs, countries
    • LuCI dashboard shows subdomain metrics instead of alerts

  • RPCD luci.secubox Modular Refactor — DONE (2026-02-08)

    • Split 2544-line monolithic handler into 14 modules
    • Thin dispatcher + /usr/lib/secubox/rpcd.d/*.sh modules
    • Modules: core, modules, profiles, snapshots, health, dashboard, appstore, state, network, feeds, skills, feedback, p2p
    • Shared utilities in _common.sh

  • HAProxy Backend IP Fixes — DONE (2026-02-08)

    • Fixed all 127.0.0.1192.168.255.1 in backend configs
    • Cleaned up duplicate vhosts and invalid IP:port backend formats
    • Fixed presse.cybermood.eu routing
    • Fixed streamlit_evolution stale config in container

  • GK2 Node Service Mapping — DONE (2026-02-08)

    • Complete map of 10 published domains
    • 9 active backends documented
    • Wildcard certificate ready for mesh

  • HAProxy Path-Based ACL Routing — DONE (2026-02-08/09)

    • Added _add_path_acl() function to haproxyctl for UCI acl sections
    • Support for path_beg, path_end, path, path_reg, path_dir match types
    • Path ACLs processed before vhost ACLs (higher priority)
    • Fixed http_request list handling to avoid duplicate output
    • Pattern Length Sorting (2026-02-09): ACLs now sorted by pattern length (longest first)
      • Two-phase: _collect_path_acl() + _emit_sorted_path_acls()
      • Ensures /gk2/evolution matches before /gk2
    • Apex domain routing: secubox.in/gk2/** instead of *.gk2.secubox.in
    • Tested: /gk2, /gk2/evolution, /gk2/control all routing correctly

  • Gandi DNS Secondary Setup — DONE (2026-02-08)

    • Configured BIND master to allow zone transfers to Gandi (217.70.177.40)
    • Added also-notify and notify yes for automatic zone updates
    • Synced all BIND zone records to Gandi LiveDNS via API
    • Updated registrar nameservers to Gandi LiveDNS (ns-*.gandi.net)
    • DNS propagation verified: all A, MX, wildcard records resolving correctly
    • Architecture: Registrar → Gandi LiveDNS ← synced from → BIND master

Just Completed (2026-02-06/08)

  • Evolution Dashboard Real-Time Commits — DONE (2026-02-08)

    • New "🚀 Devel" tab with live GitHub commits (1-min cache)
    • Commits Today / This Week / Contributors / Stars metrics
    • Commit type distribution with color-coding (feat/fix/docs/refactor)
    • Recent commits with hash, message, author, relative time
    • Repository stats (forks, watchers, open issues)
    • Cyberpunk-themed commit cards with pulsing live indicator

  • Station Cloner/Deployer — DONE (2026-02-08)

    • Host-side secubox-clone-station.sh with MOKATOOL integration for dual USB serial control
    • On-device secubox-cloner CLI for build/serve/token/export
    • First-boot provisioning script with partition resize and mesh join
    • Master-link clone tokens with auto-approve for seamless onboarding
    • Added secubox clone and secubox master-link CLI command groups
    • Full workflow: build image on master → TFTP serve → flash target → auto-join mesh

  • Cloning Station LuCI Dashboard — DONE (2026-02-11)

    • Created luci-app-cloner package with KISS-style dashboard
    • Status cards: device type, TFTP status, token count, clone count
    • Quick actions: Build Image, Start/Stop TFTP, New/Auto-Approve Token
    • Clone images table with size and TFTP-ready indicator
    • Token management with delete functionality
    • U-Boot flash commands display when TFTP active
    • RPCD handler: 10 methods (status, list_images, list_tokens, list_clones, etc.)

  • System Hub KISS Rewrite — DONE (2026-02-11)

    • Rewrote luci-app-system-hub/overview.js to KISS style
    • Self-contained inline CSS, no external dependencies
    • 6 status cards: Hostname/Model, Uptime, Services, CPU Load, Temperature, Health Score
    • 3 resource bars: Memory, Storage, CPU Usage
    • Quick Actions + Services table with running/stopped badges
    • 5-second live polling with data-stat DOM updates
    • Full dark mode support

  • SecuBox Dashboard KISS Rewrite — DONE (2026-02-11)

    • Rewrote luci-app-secubox/dashboard.js to KISS style
    • Removed all external deps (secubox/api, secubox-theme, secubox/nav, secubox-portal/header)
    • Header chips, stats cards, health panel, public IPs, modules table, quick actions, alerts
    • 15-second live polling
    • Full dark mode support

  • HAProxy "End of Internet" Default Page — DONE (2026-02-07)

    • Cyberpunk fallback page for unknown/unmatched domains
    • Matrix rain animation, glitch text, ASCII art SecuBox logo
    • Added http-request UCI option support in haproxyctl generator
    • Path rewriting via http-request set-path for static content
    • Backend validation rejects IP:port misconfiguration

  • CrowdSec Threat Origins Fix — DONE (2026-02-07)

    • Fixed [object Object] display bug in Threat Origins widget
    • parseCountries() now handles array format [{country, count}]

  • CrowdSec Dashboard Cache System — DONE (2026-02-06)

    • Created /usr/sbin/secubox-crowdsec-collector v4 background stats collector
    • Generates /tmp/secubox/crowdsec-overview.json every minute via cron
    • RPCD fast path: reads cache first, falls back to slow cscli calls if stale
    • Fixes dashboard loading times from 5-10s to <100ms

  • mitmproxy Local IP "Green Known" — DONE (2026-02-06)

    • Patched secubox_analytics.py to skip threat logging for trusted local IPs
    • Local network traffic (192.168.x, 10.x, 172.16-18.x) no longer pollutes threats.log
    • Autoban still correctly targets only external IPs

  • Control Panel File Compatibility — DONE (2026-02-06)

    • Fixed file naming mismatch (health.json vs health-status.json, etc.)
    • Created symlinks for compatibility
    • Created missing cache files (threat.json, netifyd.json)
    • Updated stats collector to maintain symlinks on each run

  • LED Fix & Double-Buffer Status Cache — DONE (2026-02-07)

    • Removed mmc0 LED (was blocking heartbeat loop)
    • Added status_collector_loop() background daemon
    • Cache files: /tmp/secubox/{health,threat,capacity}.json
    • Fast readers for LED loop and dashboards (no subprocess calls)

  • MetaBlogizer KISS ULTIME MODE — DONE (2026-02-07)

    • Added metablogizerctl emancipate command
    • One-command workflow: DNS + Vortex + HAProxy + SSL + Reload
    • DNS registration via dnsctl (Gandi/OVH based on availability)
    • Vortex DNS mesh publication
    • HAProxy vhost with SSL and ACME
    • Zero-downtime reload via SIGUSR2

  • Streamlit LuCI Dashboard Edit & Emancipate — DONE (2026-02-06)

    • Added Edit button with modal code editor (base64 encoding)
    • Added Emancipate button with KISS ULTIME MODE workflow
    • RPCD: get_source, save_source, emancipate, get_emancipation
    • API + ACL updated

  • SecuBox Vhost Manager — DONE (2026-02-06)

    • Created secubox-vhost CLI for subdomain management
    • External (.gk2.secubox.in) and local (.gk2.sb.local) domain support
    • UCI config for vhosts: console, control, metrics, crowdsec, factory, glances, play
    • Default landing page generation
    • Integrated into secubox-core daemon and firstboot

Completed (2026-02-06)

  • AI Insights Dashboard — DONE

    • Created luci-app-ai-insights - unified view across all AI agents
    • Security posture scoring (0-100) with factor breakdown
    • Agent status grid: Threat Analyst, DNS Guard, Network Anomaly, CVE Triage
    • Aggregated alerts from all agents
    • Actions: Run All Agents, AI Analysis, View Timeline
    • Links to LocalRecall memory dashboard

  • LocalRecall Memory System — DONE

    • Created secubox-localrecall - persistent memory for AI agents
    • Categories: threats, decisions, patterns, configs, conversations
    • LocalAI integration for semantic search and AI summarization
    • Created luci-app-localrecall dashboard with add/search/summarize

  • Network Anomaly Agent — DONE

    • Created secubox-network-anomaly with 5 detection modules
    • Bandwidth spikes, connection floods, port scans, DNS anomalies, protocol anomalies
    • LocalAI integration for AI-powered analysis
    • Created luci-app-network-anomaly dashboard

  • CVE Triage Agent — DONE

    • Created secubox-cve-triage - AI-powered CVE analysis and vulnerability management
    • Architecture: Collector → Analyzer → Recommender → Applier
    • NVD API integration for CVE data
    • CrowdSec CVE alert correlation
    • LocalAI-powered impact analysis
    • Approval workflow for patch recommendations
    • Multi-source monitoring: opkg, LXC, Docker
    • Created luci-app-cve-triage dashboard with alerts, pending queue, risk score

  • Webmail Login 401 Issue — RESOLVED

    • Root cause: config.docker.inc.php overrode IMAP host to ssl://mail.secubox.in:993
    • Docker container couldn't resolve domain or connect via SSL
    • Fix: Changed to use socat proxy at 172.17.0.1:10143 (plaintext, internal)
    • Updated mailctl webmail configure to use proxy instead of direct SSL

  • Mail Send 451 "Temporary lookup failure" — RESOLVED (2026-02-06)

    • Root cause: Alpine Postfix uses LMDB, not BerkeleyDB hash maps
    • virtual_alias_maps = hash:/etc/postfix/virtual was invalid
    • Postfix chroot /var/spool/postfix/etc/resolv.conf was missing
    • Fix: Changed setup.sh to use lmdb: prefix and copy resolv.conf to chroot
    • Added mailctl fix-postfix command to repair existing installations

  • Mail Port Hijacking External Connections — RESOLVED (2026-02-06)

    • Root cause: firewall.user DNAT rules had no interface restriction
    • ALL port 993/587/etc traffic was redirected to local mailserver
    • This blocked Thunderbird from connecting to external mail (ssl0.ovh.net)
    • Fix: Added -i $WAN_IF to only redirect inbound WAN traffic

  • Mail Ports 587/465/995 Not Listening — RESOLVED (2026-02-07)

    • Root cause: Postfix master.cf missing submission/smtps entries
    • Dovecot 10-master.conf had pop3s commented out
    • dovecot-pop3d package not installed in container
    • Fix: Added mailctl fix-ports command to enable all mail ports
    • Also added password reset for mail users in LuCI dashboard

  • BIND Zone Returning Internal IP — RESOLVED (2026-02-07)

    • Root cause: /etc/bind/zones/secubox.in.zone had 192.168.255.1 (internal) instead of public IP
    • External DNS queries returned non-routable internal IP
    • Fix: Updated zone file with public IP 82.67.100.75 for all records

  • IPv6 DNS Support — DONE (2026-02-07)

    • Added AAAA records to BIND zone and Gandi DNS
    • IPv6: 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
    • Records: @, mail, ns0, ns1, wildcard

  • nftables Mail Forwarding Rules — DONE (2026-02-07)

    • Root cause: nftables forward_wan chain blocked DNAT'd mail traffic
    • iptables DNAT worked but nftables dropped packets before forwarding
    • Fix: Added explicit accept rules for mail ports (25,143,465,587,993,995)
    • Added both IPv4 and IPv6 forwarding rules
    • Persisted in /etc/firewall.user

  • Postfix/Dovecot Maildir Path Alignment — DONE (2026-02-07)

    • Root cause: Postfix delivered to /home/vmail/$domain/$user/new/ but Dovecot looks in ~/Maildir/new/
    • Emails were delivered but invisible in Roundcube
    • Fix in container.sh: Mount to home/vmail, virtual_mailbox_base = /home/vmail
    • Fix in users.sh: Create $domain/$user/Maildir/{cur,new,tmp} structure
    • Updated vmailbox format to include Maildir/ suffix

  • Inbound Port 25 Blocked by Free ISP — KNOWN ISSUE

    • Free ISP blocks inbound port 25 on residential lines
    • Outbound mail works, inbound from external fails
    • Workaround options: VPS relay, Mailgun/SendGrid, or contact Free support

Just Completed

  • Unified Backup Manager — DONE (2026-02-05)

    • Created secubox-app-backup CLI for LXC containers, UCI config, service data
    • Created luci-app-backup dashboard with container list, backup history
    • Gitea remote sync and mesh backup support
    • RPCD handler with 8 methods

  • Custom Mail Server — DONE (2026-02-05)

    • Created secubox-app-mailserver - Postfix + Dovecot in LXC container
    • mailctl CLI: user management, aliases, SSL, mesh backup
    • Webmail (Roundcube) integration
    • Mesh P2P mail backup sync

  • DNS Provider Enhanced — DONE (2026-02-05)

    • Added dnsctl generate - auto-generate subdomain A records
    • Added dnsctl suggest - name suggestions by category
    • Added dnsctl mail-setup - MX, SPF, DMARC records
    • Added dnsctl dkim-add - DKIM TXT record

  • Subdomain Generator Tool — DONE (2026-02-05)

    • secubox-subdomain CLI for generative subdomain management
    • Automates: DNS A record + HAProxy vhost + UCI registration
    • Uses wildcard certificate (*.zone) for instant SSL
    • Quick-add shortcuts for common services (gitea, grafana, jellyfin, etc.)
    • Part of Punk Exposure infrastructure

Recently Completed (2026-02-07)

  • Mesh Onboarding Testing — VALIDATED
    • Token generation: POST /api/master-link/token with HMAC tokens + TTL
    • IPK download: GET /api/master-link/ipk?token= serves pre-built 12KB IPK
    • Dynamic IPK: ml_ipk_generate creates join packages on-the-fly
    • Join flow: request → approval → peer added at depth+1
    • Blockchain: peer_approved blocks recorded correctly
    • Threat Intel: 288 local IOCs, 67 threat_ioc blocks in chain

Just Completed (2026-02-12)

  • HAProxy stats.js KISS Migration — DONE (2026-02-12)

    • Rewrote Statistics dashboard to use KissTheme
    • Stats iframe, logs viewer with refresh
    • Removed CSS import via style element

  • HAProxy backends.js KISS Migration — DONE (2026-02-12)

    • Rewrote Backends dashboard to use KissTheme
    • Backend cards with server lists, health check info
    • Add/edit server modals with quick service selector
    • Removed external dashboard.css dependency

  • HAProxy vhosts.js KISS Migration — DONE (2026-02-12)

    • Rewrote Virtual Hosts dashboard to use KissTheme
    • Self-contained inline CSS, removed external dashboard.css
    • Add vhost form, vhosts table, edit modal, delete confirmation

  • InterceptoR LXC Detection Fix — DONE (2026-02-12)

    • Changed from lxc-ls --running to lxc-info -n mitmproxy -s
    • More reliable container state detection
    • Fixed container name from secbx-mitmproxy to mitmproxy

Just Completed (2026-02-11)

  • InterceptoR Services Dashboard — DONE (2026-02-11)

    • Created luci.services-registry RPCD handler with 4 methods
    • Aggregates: HAProxy vhosts, Tor onions, mitmproxy instances, init.d services, LuCI apps, system metrics
    • Dynamic KISS dashboard with 5 tabs: Published, Proxies, Services, Dashboards, Metrics
    • Service emoji registry for visual identification
    • CrowdSec stats integration (alerts, bans)
    • 10-second live polling
    • Fixed kiss-theme.js singleton pattern for LuCI module loading

  • mitmproxy Multi-Instance Support — DONE (2026-02-11)

    • Updated init.d script with config_foreach start_instance instance
    • Updated mitmproxyctl with list-instances, instance-aware service-run/stop
    • UCI config for dual instances: out (LAN→Internet), in (WAF/services)
    • Cloned containers: mitmproxy-out, mitmproxy-in
    • Documented in README.md

  • Cookie Tracker LuCI Dashboard — DONE (2026-02-11)

    • Created luci-app-cookie-tracker with KISS theme
    • RPCD handler with 6 methods: status, list, report, block, unblock, classify
    • Category breakdown visualization (essential, functional, analytics, advertising, tracking)
    • Top trackers list with one-click blocking
    • Blocked domains display
    • 69 known tracker domains pre-loaded
    • mitmproxy addon linked for cookie capture

  • CDN Cache KISS Theme — DONE (2026-02-11)

    • Rewrote overview.js with full KISS styling
    • Circular gauge for hit ratio
    • Stats grid, top domains table, 10s polling

  • IoT Guard Implementation — DONE (2026-02-11)

    • Created secubox-iot-guard package for IoT device isolation and security
    • OUI-based classification with 100+ IoT manufacturer prefixes
    • 10 device classes with risk scoring (0-100)
    • Anomaly detection: bandwidth spikes, new destinations, port scans, time anomalies
    • Integration: Client Guardian (zones), MAC Guardian (L2), Vortex Firewall (DNS), Bandwidth Manager (QoS)
    • CLI: iot-guardctl with status/list/show/scan/isolate/trust/block/anomalies/cloud-map
    • Created luci-app-iot-guard with KISS-style dashboard
    • 4 views: Overview, Devices, Policies, Settings
    • RPCD handler with 11 methods + public ACL for unauthenticated access

Next Up — Couche 1

  1. Guacamole Pre-built Binaries

    • Current LXC build-from-source approach is too slow
    • Need to find/create pre-built ARM64 binaries for guacd + Tomcat

  2. Multi-Node Mesh Testing

    • Deploy second SecuBox node to test real peer-to-peer sync
    • Validate bidirectional threat intelligence sharing

Couche 2 — AI Gateway

Recently Completed (2026-02-06)

  • DNS Guard AI Migration — DONE (2026-02-06)

    • Created secubox-dns-guard daemon with 5 detection modules:
      • DGA (Domain Generation Algorithm) detection via entropy analysis
      • DNS tunneling/exfiltration detection
      • Rate anomaly detection (queries/min, unique domains/min)
      • Known bad domain matching against blocklists
      • TLD anomaly detection (suspicious TLDs, punycode/IDN)
    • LocalAI integration for intelligent threat analysis
    • Approval workflow: auto-apply or queue for review
    • Updated luci-app-dnsguard v1.1.0 with:
      • AI Guard tab with pending blocks approval
      • Real-time alerts panel
      • Domain analysis with AI
      • Detection module status display

  • LocalAI Multi-Channel Emancipation — DONE (2026-02-06)

    • Exposed LocalAI via Punk Exposure:
      • Tor: b7lmlfs3b55jhgqdwbn6unhjhlfflq6ch235xa2gsdvxe7toxcf7qyad.onion
      • DNS/SSL: localai.secubox.local
      • mDNS: _secubox._tcp.local (mesh advertised)

  • Threat Analyst Agent — DONE (2026-02-05)

    • Created secubox-threat-analyst autonomous threat analysis daemon
    • Rule generation for mitmproxy (Python), CrowdSec (YAML), WAF (JSON)
    • Approval workflow: auto-apply mitmproxy, queue CrowdSec/WAF
    • Created luci-app-threat-analyst with AI chatbot dashboard
    • RPCD handler with 10 methods for status, chat, rules, approval

  • Threat Analyst KISS Dashboard v0.1.0 — DONE (2026-02-05)

    • Regenerated LuCI dashboard following CrowdSec KISS template pattern
    • External CSS loading, baseclass.extend() API pattern
    • CVE alerts in System Health section
    • CVE column in threats table with NVD hyperlinks
    • AI Security Assistant chat interface

  • MCP Server Implementation — DONE (2026-02-06)

    • Created secubox-mcp-server package with JSON-RPC 2.0 over stdio
    • 9 core tools: crowdsec.alerts/decisions, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.get/set
    • 5 AI-powered tools (via LocalAI): ai.analyze_threats, ai.cve_lookup, ai.suggest_waf_rules, ai.explain_ban, ai.security_posture
    • Claude Desktop integration via SSH

Next Up — v0.18 AI Components

  1. DNS Guard Migration — DONE (2026-02-06)

  2. LocalAI Upgrade → 3.9 — DONE (2026-02-06)

    • Upgraded to v3.9.0 with Agent Jobs Panel and Memory Reclaimer
    • Updated README with complete CLI reference and model presets

Couche 3 — MirrorNetworking

Just Completed (2026-02-07)

  • MirrorNet Core Package — DONE

    • Created secubox-mirrornet with 5 library modules:
      • identity.sh - DID-based identity (did:plc:), keypair generation, signing
      • reputation.sh - Peer trust scoring (0-100), event logging, decay, ban thresholds
      • mirror.sh - Service mirroring, upstream management, HAProxy backend generation
      • gossip.sh - Enhanced gossip protocol, priority routing, deduplication, TTL-based forwarding
      • health.sh - Peer health monitoring, latency/packet loss, anomaly detection, alerts
    • mirrorctl CLI with 30+ commands
    • UCI config for roles (master/submaster/peer), reputation, gossip, mirror, health settings

  • MirrorNet Dashboard — DONE

    • Created luci-app-secubox-mirror with RPCD handler (15 methods)
    • Identity card with DID, hostname, role, version
    • Peer reputation table with trust levels and reset action
    • Gossip protocol stats (sent/received/forwarded/dropped)
    • Health alerts panel with acknowledgment
    • Mirrored services table

  • SecuBox Identity Package — DONE

    • Created secubox-identity standalone identity management
    • DID generation (did:plc:) compatible with AT Protocol
    • Keypair management (HMAC-SHA256, Ed25519 fallback)
    • Key rotation with backup
    • Peer identity storage and resolution
    • Trust scoring integration
    • identityctl CLI with 25+ commands

  • P2P Intel Package — DONE

    • Created secubox-p2p-intel for signed IOC sharing
    • Collector: CrowdSec, mitmproxy, WAF, DNS Guard sources
    • Signer: Cryptographic signing of IOC batches
    • Validator: Source trust, age, format validation
    • Applier: nftables/iptables/CrowdSec application
    • Approval workflow for manual review
    • p2p-intelctl CLI with 20+ commands

MirrorNet Packages Summary (v0.19)

Package Status Description
secubox-mirrornet DONE Core mesh orchestration, gossip, health
secubox-identity DONE DID-based identity, key management, trust
secubox-p2p-intel DONE IOC signed gossip, validation, application
luci-app-secubox-mirror DONE Dashboard for peers, trust, services

Master/Slave CDN Architecture (User Vision)

"multipoint CDN for SSL dependencies, root/master with *.sb, xxx.sb slaved, first peek meshed, submastering/multimixslaving"

Target architecture for service mirroring:

  1. Root Master owns wildcard domain *.secubox.io (or similar)
  2. Slave Nodes get delegated subdomains (node1.secubox.io)
  3. First Peek = service discovery auto-registers in mesh
  4. Mirror Cascade = master pushes exposure config to slaves
  5. Submastering = hierarchical delegation (master → submaster → slaves)

Required components:

  • Dynamic DNS delegation with zone transfer
  • Service mirroring via reverse proxy chaining
  • Gossip-based exposure config sync
  • Trust hierarchy with certificate delegation

Communication Layer (v1.0)

  • secubox-voip — Asterisk micro-PBX
  • secubox-matrix — Conduit Matrix server

Couche 4 — Roadmap Tracking

v0.18.0 Progress

Item Status
Core Mesh modules 35+ DONE
Guacamole DEFERRED
MCP Server DONE
Threat Analyst DONE
DNS Guard AI Migration DONE
LocalAI 3.9 DONE
LocalAI Emancipation DONE (Tor + DNS + mDNS)

v1.0.0 Progress

Item Status
Config Advisor DONE
ANSSI CSPN Compliance DONE
Remediation Engine DONE
LuCI Dashboard DONE

Just Completed (2026-02-07)

  • Config Advisor Package — DONE

    • Created secubox-config-advisor - ANSSI CSPN compliance checking daemon
    • 7 check categories, 25+ security rules
    • Risk scoring (0-100) with grade (A-F) and risk level
    • Auto-remediation for 7 checks with dry-run mode
    • LocalAI integration for AI-powered suggestions
    • config-advisorctl CLI with 20+ commands

  • Config Advisor Dashboard — DONE

    • Created luci-app-config-advisor - LuCI dashboard
    • Score display with grade circle and risk level
    • Compliance view by category with pass/fail/warn badges
    • Remediation view with apply/preview buttons
    • Settings for framework, weights, categories, LocalAI

Certifications

  • ANSSI CSPN: Config Advisor compliance tool DONE
  • GDPR: Currently compliant
  • ISO 27001, NIS2, SOC2: Planned for v1.1+

Strategic Documents Received

  • SecuBox_LocalAI_Strategic_Analysis.html — AI Management Layer roadmap
  • SecuBox_AI_Gateway_Hybrid_Architecture.html — Hybrid Local/Cloud architecture
  • SecuBox_MirrorNetworking_Paradigm_Reversal.html — EnigmaBox autopsy → MirrorNet
  • SecuBox_Fanzine_v3_Feb2026.html — 4-layer architecture overview

Known Bugs (Deferred)

  • Tor Shield / opkg conflict: opkg downloads fail (wget returned 4) when Tor Shield is active. Likely DNS/routing interference.

Blockers / Risks

  • No automated regression tests for LuCI views; manual verification required after SCP deploy.
  • Guacamole ARM64 pre-built binaries not readily available.
  • MCP Server requires understanding of Model Context Protocol specification.