secubox-openwrt/.claude/WIP.md
CyberMind-FR f3f6eb4e4b fix(haproxy,mitmproxy): Fix config reload and preserve Host header
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/

mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-15 07:40:20 +01:00

# Work In Progress (Claude)
_Last updated: 2026-02-15 (PeerTube + Generative LuCI Tree)_
> **Architecture Reference**: SecuBox Fanzine v3 — The 4 Layers
---
## Layer 1 — Core Mesh
### Recently Completed (2026-02-04/05)
- **MAC Guardian Feed Integration** — DONE (2026-02-05)
  - Both IPKs built and added to bonus feed
  - Catalog updated with security category, wifi icon
- **Punk Exposure Emancipate** — DONE (2026-02-05)
  - CLI: `emancipate` and `revoke` commands for multi-channel exposure
  - RPCD: 3 new methods in `luci.exposure`
  - Dashboard: Mesh column toggle, Emancipate modal
- **Jellyfin Post-Install Wizard** — DONE (2026-02-05)
  - 4-step modal wizard (Welcome, Media, Network, Complete)
  - RPCD methods for wizard status and media path management
- **Navigation Component Refactoring** — DONE (2026-02-05)
  - `SecuNav.renderTabs()` auto-inits theme and CSS
  - `renderCompactTabs()` for nested modules
  - Eliminated ~1000 lines of duplicate CSS
- **ksmbd Mesh Media Sharing** — DONE (2026-02-05)
  - `ksmbdctl` CLI with share management
  - Pre-configured shares: Media, Jellyfin, Lyrion, Backup
- **SMB/CIFS Remote Mount Manager** — DONE (2026-02-04)
  - `smbfsctl` CLI, UCI config, init script
  - Jellyfin and Lyrion media path integration
- **Domoticz IoT Integration** — DONE (2026-02-04)
  - LXC Debian container with native binary
  - MQTT auto-bridge, Zigbee2MQTT integration
  - `domoticzctl configure-mqtt` command
### In Progress
- **Vortex DNS Firewall Phase 1** — DONE (2026-02-11)
  - Created `secubox-vortex-firewall` package for DNS-level threat blocking
  - Threat intel aggregator (URLhaus, OpenPhish, Malware Domains feeds)
  - SQLite blocklist database with domain deduplication
  - dnsmasq integration via sinkhole hosts file
  - ×47 vitality multiplier concept
  - CLI tool: `vortex-firewall intel/stats/start/stop`
  - RPCD handler with 8 methods for LuCI integration
  - Tested: 765 domains blocked from 3 feeds
  - **Next phases**: Sinkhole server (Phase 2), DNS Guard integration (Phase 3), Mesh threat sharing (Phase 4), LuCI dashboard (Phase 5)
- **Vortex DNS** - Meshed multi-dynamic subdomain delegation (DONE 2026-02-05)
  - Created `secubox-vortex-dns` package with `vortexctl` CLI
  - Master/slave hierarchical DNS delegation
  - Wildcard domain management (*.domain.com)
  - First Peek auto-registration of services
  - Gossip-based exposure config sync via secubox-p2p
  - Created `luci-app-vortex-dns` dashboard
### Just Completed (2026-02-15)
- **PeerTube Video Platform Package** — DONE (2026-02-15)
  - Created `secubox-app-peertube` package for self-hosted video streaming
  - LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg
  - `peertubectl` CLI with 15+ commands: install/uninstall/update/start/stop/status
  - Live streaming support with RTMP port 1935
  - HAProxy integration with extended timeouts (3600s) for streaming
  - Emancipation workflow for public exposure
  - User management: create-user, reset-password, list-users
  - Backup/restore PostgreSQL database
  - UCI config: main, server, live, transcoding, storage, network, admin sections
  - Fixed: Redis ARM64-COW-BUG via `ignore-warnings` config
  - Fixed: Redis sentinel disabled (using standalone Redis)
  - Fixed: RTMPS disabled (no SSL keys needed)
  - Fixed: HAProxy waf_bypass=1 for proper OAuth routing
- **PeerTube LuCI Dashboard** — DONE (2026-02-15)
  - Created `luci-app-peertube` package
  - RPCD handler with 11 methods: status, start, stop, install, uninstall, update, logs, emancipate, live_enable, live_disable, configure_haproxy
  - Dashboard with install wizard, status display, service controls
  - Live streaming toggle with firewall integration
  - HAProxy configuration button
  - Emancipate form for public exposure
  - Logs viewer with refresh
- **Generative LuCI Tree** — DONE (2026-02-15)
  - Created `luci.secubox-portal` RPCD backend for dynamic component discovery
  - Three RPC methods: get_tree, get_containers, get_vhosts
  - Auto-discovers all installed `luci-app-*` packages and groups them by category:
    - SecuBox Core, Security, Media & Streaming, Network & Proxy
    - Development & CMS, IoT & Home, AI & Communication, System & Management
  - Discovers LXC containers from `/srv/lxc/` with running state
  - Discovers HAProxy vhosts from UCI with domain/backend/ssl info
  - Updated `luci-tree.js` with:
    - Three tabs: LuCI Apps, Containers, Vhosts
    - Refresh button for live updates
    - Stats showing packages, containers, vhosts counts
    - Search functionality for filtering
  - ACL permissions for unauthenticated portal access
### Just Completed (2026-02-14)
- **mitmproxy WAF Wildcard Route Priority Fix** — DONE (2026-02-14)
  - Fixed wildcard route matching in `haproxy_router.py`
  - Issue: `.gk2.secubox.in` wildcard (port 4000) matched before specific routes like `apr.gk2.secubox.in` (port 8928)
  - Fix: Support both `*.domain` and `.domain` wildcard formats
  - Fix: Sort wildcards by length (longest/most specific first)
  - Added auto-reload: Routes file checked every 10 requests, reloads if modified
  - Updated `metablogizerctl` to use `mitmproxyctl sync-routes` instead of direct file manipulation
  - MetaBlogizer sites now properly routed through WAF
- **Wazuh SIEM LuCI Dashboard** — DONE (2026-02-14)
  - Created `luci-app-wazuh` package for unified Wazuh security monitoring
  - 4 views: Overview, Alerts, File Integrity, Agents
  - SysWarden-inspired 4-layer security visualization
  - RPCD handler (luci.wazuh) with 12 API methods
  - CrowdSec integration for threat correlation display
  - Full RPCD testing verified via ubus calls
- **MetaBlogizer SDLC Content Restoration** — DONE (2026-02-14)
  - sdlc.gk2.secubox.in was showing GK2 Hub template instead of original content
  - GK2 Hub generator had overwritten local index.html
  - Original "Les Seigneurs de La Chambre - Présentation Cinématique" preserved in git
  - Restored via `git checkout HEAD -- index.html`
  - Site now correctly displaying cinematic presentation content
- **Streamlit WebSocket WAF Bypass** — DONE (2026-02-14)
  - Streamlit apps use WebSockets which are incompatible with MITM proxy
  - Re-added `waf_bypass=1` to all 20 Streamlit apps
  - Apps now route directly through HAProxy without mitmproxy filtering
  - Trade-off: Streamlit apps bypass WAF for WebSocket compatibility
- **WAF Architecture Configuration** — DONE (2026-02-14)
  - WAF (mitmproxy) enabled for Streamlit apps and MetaBlogizer sites
  - WAF bypass for infrastructure: Jellyfin, Mail, Glances, GoToSocial, Webmail
  - Path ACLs (`/gk2/*`) bypass WAF - mitmproxy routes by host only
  - 38 path ACLs configured with `waf_bypass=1`
  - Architecture: HAProxy → mitmproxy (WAF) → Backend (filtered) or HAProxy → Backend (bypass)
- **C3BOX SDLC Full Service Verification** — DONE (2026-02-14)
  - Verified all 70 services across 12 zones on C3BOX dashboard
  - Zones: *.cybermind.fr (2), *.cybermood.eu (2), *.ganimed.fr (2), *.maegia.tv (19), *.secubox.in (29), *.sb.local (4), *.secubox.local (2)
  - 20 Streamlit apps, 15 MetaBlog sites, infrastructure services
  - 77 vhosts configured, 52 SSL certificates, 5 LXC containers running
  - All public services returning HTTP 200
- **Mitmproxy Routes Duplicate Fix** — DONE (2026-02-14)
  - Fixed duplicate entries in `/srv/mitmproxy-in/haproxy-routes.json`
  - `console.gk2.secubox.in` and `control.gk2.secubox.in` had duplicate routes
  - Second entry (port 8081) was overriding correct Streamlit ports (8501/8511)
  - Removed duplicates, verified correct routing
- **Service Backend Fixes** — DONE (2026-02-14)
  - `play.maegia.tv`: Changed backend from `mitmproxy_inspector` to `streamlit_yijing`
  - `client.gk2.secubox.in`: Enabled `pinafore_srv` server with health check
  - Added uhttpd instance on port 4002 for Pinafore static landing page
- **Glances System Monitor** — DONE (2026-02-14)
  - Installed `python3-pip` via opkg
  - Installed Glances 4.5.0.4 via pip3 with dependencies
  - Created dummy `webbrowser.py` module for headless operation
  - Started Glances web server on port 61208
  - https://glances.gk2.secubox.in now operational
- **GoToSocial Service Start** — DONE (2026-02-14)
  - Enabled GoToSocial in UCI config
  - Started LXC container via `gotosocialctl start`
  - https://social.gk2.secubox.in operational
### Just Completed (2026-02-13)
- **GoToSocial Fediverse Server** — DONE (2026-02-13)
  - Deployed GoToSocial v0.17.0 ActivityPub server
  - Direct execution mode (v0.18.0 has cgroup panics)
  - Domain: `social.gk2.secubox.in` with wildcard SSL
  - HAProxy exposure with backend to 192.168.255.1:8484
  - Admin user created and promoted
  - SQLite database, web assets configured
  - Live at https://social.gk2.secubox.in
- **Cloning Station Remote Device Management** — DONE (2026-02-13)
  - 6-tab tabbed interface: Overview, Remotes, Build, Console, History, Images
  - Remote device management via UCI and RPCD
  - SSH key authentication setup using dropbear
  - Network scan for discovering SecuBox devices
  - Remote status: hostname, model, version, uptime
  - Image upload and remote flash with token injection
  - sysupgrade with keep_settings option
  - 7 new RPCD methods: list_remotes, add_remote, remove_remote, remote_status, remote_upload, remote_flash, scan_network
  - Uses dropbear's dbclient for SSH (OpenWrt native)
- **Cloning Station Dashboard Enhancements** — DONE (2026-02-13)
  - 5-tab tabbed interface: Overview, Build, Console, History, Images
  - Build Progress UI: real-time log streaming, stage indicators, progress bar
  - Serial Console: port selection, live output, command input (requires stty)
  - Clone History: JSON-based tracking with timestamp/device/status
  - Image Manager: storage info, image details modal, delete/rename
  - 10 new RPCD methods added with ACL permissions
### Just Completed (2026-02-08 PM)
- **Vortex Hub Wildcard Routing** — DONE (2026-02-08)
  - HAProxy wildcard domain support (`*.gk2.secubox.in`)
  - Subdomain-to-path rewriting: `{sub}.gk2.secubox.in/x` → `/{sub}/x`
  - New `match_type` option: exact, suffix, regex
  - Vortex fallback backend with `X-Vortex-Node` headers
  - Prepares infrastructure for distributed mesh node publishing
- **Mitmproxy WAF Subdomain Metrics** — DONE (2026-02-08)
  - Track requests/threats per subdomain in `secubox_analytics.py`
  - New RPCD method: `subdomain_metrics`
  - Metrics: requests, threats, protocols, methods, status codes, top URIs, countries
  - LuCI dashboard shows subdomain metrics instead of alerts
- **RPCD luci.secubox Modular Refactor** — DONE (2026-02-08)
  - Split 2544-line monolithic handler into 14 modules
  - Thin dispatcher + `/usr/lib/secubox/rpcd.d/*.sh` modules
  - Modules: core, modules, profiles, snapshots, health, dashboard, appstore, state, network, feeds, skills, feedback, p2p
  - Shared utilities in `_common.sh`
- **HAProxy Backend IP Fixes** — DONE (2026-02-08)
  - Fixed all `127.0.0.1` → `192.168.255.1` in backend configs
  - Cleaned up duplicate vhosts and invalid IP:port backend formats
  - Fixed `presse.cybermood.eu` routing
  - Fixed `streamlit_evolution` stale config in container
- **GK2 Node Service Mapping** — DONE (2026-02-08)
  - Complete map of 10 published domains
  - 9 active backends documented
  - Wildcard certificate ready for mesh
- **HAProxy Path-Based ACL Routing** — DONE (2026-02-08/09)
  - Added `_add_path_acl()` function to haproxyctl for UCI `acl` sections
  - Support for path_beg, path_end, path, path_reg, path_dir match types
  - Path ACLs processed before vhost ACLs (higher priority)
  - Fixed http_request list handling to avoid duplicate output
  - **Pattern Length Sorting** (2026-02-09): ACLs now sorted by pattern length (longest first)
    - Two-phase: `_collect_path_acl()` + `_emit_sorted_path_acls()`
    - Ensures `/gk2/evolution` matches before `/gk2`
    - Apex domain routing: `secubox.in/gk2/**` instead of `*.gk2.secubox.in`
    - Tested: `/gk2`, `/gk2/evolution`, `/gk2/control` all routing correctly
- **Gandi DNS Secondary Setup** — DONE (2026-02-08)
  - Configured BIND master to allow zone transfers to Gandi (217.70.177.40)
  - Added `also-notify` and `notify yes` for automatic zone updates
  - Synced all BIND zone records to Gandi LiveDNS via API
  - Updated registrar nameservers to Gandi LiveDNS (ns-*.gandi.net)
  - DNS propagation verified: all A, MX, wildcard records resolving correctly
  - Architecture: Registrar → Gandi LiveDNS ← synced from → BIND master
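Longest-match ordering as used in both the mitmproxy wildcard route fix (2026-02-14) and the HAProxy path ACL pattern-length sorting above, as an added Python example that is not the project's `haproxy_router.py` or haproxyctl. The routes dict, the path ACL list and the `{host: port}` shape are constructed assumptions; the first-match function reproduces the pre-fix behaviour for comparison.

```python
"""Longest-match route selection for host wildcards and path prefixes.

Added example, not the project's haproxy_router.py or haproxyctl.
"""
from __future__ import annotations

# Constructed routes: wildcards may be spelled "*.domain" or ".domain".
# The catch-all is deliberately listed first to reproduce the bug where
# file order, not specificity, decided the winner.
CONSTRUCTED_ROUTES = {
    ".gk2.secubox.in": 4000,       # hub catch-all
    "apr.gk2.secubox.in": 8928,    # specific app that must win
    "*.maegia.tv": 8501,
    "play.maegia.tv": 8511,
}

# Constructed HAProxy path ACLs with path_beg semantics: (prefix, backend).
CONSTRUCTED_PATH_ACLS = [
    ("/gk2", "gk2_hub"),
    ("/gk2/evolution", "streamlit_evolution"),
    ("/gk2/control", "streamlit_control"),
]


def normalize_wildcard(pattern: str) -> tuple[str, bool]:
    """Return (suffix, is_wildcard), accepting both '*.x' and '.x' spellings."""
    pattern = pattern.strip().lower()
    if pattern.startswith("*."):
        return pattern[1:], True      # "*.gk2.x" -> ".gk2.x"
    if pattern.startswith("."):
        return pattern, True
    return pattern, False


def build_route_table(routes: dict[str, int]):
    """Split routes into exact hosts and wildcard suffixes sorted longest-first."""
    exact: dict[str, int] = {}
    wildcards: list[tuple[str, int]] = []
    for pattern, port in routes.items():
        suffix, is_wild = normalize_wildcard(pattern)
        if is_wild:
            wildcards.append((suffix, port))
        else:
            exact[suffix] = port
    # Longest suffix first: ".a.b.c" is more specific than ".b.c".
    wildcards.sort(key=lambda item: len(item[0]), reverse=True)
    return exact, wildcards


def resolve_host(host: str, exact: dict[str, int], wildcards) -> int | None:
    """Exact match wins; otherwise the most specific wildcard suffix."""
    host = host.lower().split(":", 1)[0]   # drop ":port" from a Host header
    if host in exact:
        return exact[host]
    for suffix, port in wildcards:
        if host.endswith(suffix):
            return port
    return None


def resolve_host_first_match(host: str, routes: dict[str, int]) -> int | None:
    """Pre-fix behaviour: the first entry in file order that matches wins."""
    host = host.lower().split(":", 1)[0]
    for pattern, port in routes.items():
        suffix, is_wild = normalize_wildcard(pattern)
        if host == suffix or (is_wild and host.endswith(suffix)):
            return port
    return None


def sort_path_acls(acls):
    """Longest prefix first, so '/gk2/evolution' is tested before '/gk2'."""
    return sorted(acls, key=lambda acl: len(acl[0]), reverse=True)


def resolve_path(path: str, acls, sort: bool = True) -> str | None:
    """path_beg semantics: plain prefix test, in ACL order."""
    ordered = sort_path_acls(acls) if sort else list(acls)
    for prefix, backend in ordered:
        if path.startswith(prefix):
            return backend
    return None


EXACT, WILDCARDS = build_route_table(CONSTRUCTED_ROUTES)


def route_port(host: str) -> int | None:
    """Resolve a Host header against the constructed table."""
    return resolve_host(host, EXACT, WILDCARDS)


if __name__ == "__main__":
    for h in ("apr.gk2.secubox.in", "other.gk2.secubox.in", "play.maegia.tv"):
        print(h, "buggy:", resolve_host_first_match(h, CONSTRUCTED_ROUTES),
              "fixed:", route_port(h))
    for p in ("/gk2", "/gk2/evolution", "/gk2/control"):
        print(p, "unsorted:", resolve_path(p, CONSTRUCTED_PATH_ACLS, sort=False),
              "sorted:", resolve_path(p, CONSTRUCTED_PATH_ACLS))
```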
### Just Completed (2026-02-06/08)
- **Evolution Dashboard Real-Time Commits** — DONE (2026-02-08)
  - New "🚀 Devel" tab with live GitHub commits (1-min cache)
  - Commits Today / This Week / Contributors / Stars metrics
  - Commit type distribution with color-coding (feat/fix/docs/refactor)
  - Recent commits with hash, message, author, relative time
  - Repository stats (forks, watchers, open issues)
  - Cyberpunk-themed commit cards with pulsing live indicator
- **Station Cloner/Deployer** — DONE (2026-02-08)
  - Host-side `secubox-clone-station.sh` with MOKATOOL integration for dual USB serial control
  - On-device `secubox-cloner` CLI for build/serve/token/export
  - First-boot provisioning script with partition resize and mesh join
  - Master-link clone tokens with auto-approve for seamless onboarding
  - Added `secubox clone` and `secubox master-link` CLI command groups
  - Full workflow: build image on master → TFTP serve → flash target → auto-join mesh
- **Cloning Station LuCI Dashboard** — DONE (2026-02-11)
  - Created `luci-app-cloner` package with KISS-style dashboard
  - Status cards: device type, TFTP status, token count, clone count
  - Quick actions: Build Image, Start/Stop TFTP, New/Auto-Approve Token
  - Clone images table with size and TFTP-ready indicator
  - Token management with delete functionality
  - U-Boot flash commands display when TFTP active
  - RPCD handler: 10 methods (status, list_images, list_tokens, list_clones, etc.)
- **System Hub KISS Rewrite** — DONE (2026-02-11)
  - Rewrote `luci-app-system-hub/overview.js` to KISS style
  - Self-contained inline CSS, no external dependencies
  - 6 status cards: Hostname/Model, Uptime, Services, CPU Load, Temperature, Health Score
  - 3 resource bars: Memory, Storage, CPU Usage
  - Quick Actions + Services table with running/stopped badges
  - 5-second live polling with data-stat DOM updates
  - Full dark mode support
- **SecuBox Dashboard KISS Rewrite** — DONE (2026-02-11)
  - Rewrote `luci-app-secubox/dashboard.js` to KISS style
  - Removed all external deps (secubox/api, secubox-theme, secubox/nav, secubox-portal/header)
  - Header chips, stats cards, health panel, public IPs, modules table, quick actions, alerts
  - 15-second live polling
  - Full dark mode support
- **HAProxy "End of Internet" Default Page** — DONE (2026-02-07)
  - Cyberpunk fallback page for unknown/unmatched domains
  - Matrix rain animation, glitch text, ASCII art SecuBox logo
  - Added `http-request` UCI option support in haproxyctl generator
  - Path rewriting via `http-request set-path` for static content
  - Backend validation rejects IP:port misconfiguration
- **CrowdSec Threat Origins Fix** — DONE (2026-02-07)
  - Fixed `[object Object]` display bug in Threat Origins widget
  - `parseCountries()` now handles array format `[{country, count}]`
- **CrowdSec Dashboard Cache System** — DONE (2026-02-06)
  - Created `/usr/sbin/secubox-crowdsec-collector` v4 background stats collector
  - Generates `/tmp/secubox/crowdsec-overview.json` every minute via cron
  - RPCD fast path: reads cache first, falls back to slow cscli calls if stale
  - Fixes dashboard loading times from 5-10s to <100ms
- **mitmproxy Local IP "Green Known"** DONE (2026-02-06)
  - Patched secubox_analytics.py to skip threat logging for trusted local IPs
  - Local network traffic (192.168.x, 10.x, 172.16-18.x) no longer pollutes threats.log
  - Autoban still correctly targets only external IPs
- **Control Panel File Compatibility** DONE (2026-02-06)
  - Fixed file naming mismatch (health.json vs health-status.json, etc.)
  - Created symlinks for compatibility
  - Created missing cache files (threat.json, netifyd.json)
  - Updated stats collector to maintain symlinks on each run
- **LED Fix & Double-Buffer Status Cache** DONE (2026-02-07)
  - Removed mmc0 LED (was blocking heartbeat loop)
  - Added `status_collector_loop()` background daemon
  - Cache files: `/tmp/secubox/{health,threat,capacity}.json`
  - Fast readers for LED loop and dashboards (no subprocess calls)
- **MetaBlogizer KISS ULTIME MODE** DONE (2026-02-07)
  - Added `metablogizerctl emancipate` command
  - One-command workflow: DNS + Vortex + HAProxy + SSL + Reload
  - DNS registration via dnsctl (Gandi/OVH based on availability)
  - Vortex DNS mesh publication
  - HAProxy vhost with SSL and ACME
  - Zero-downtime reload via SIGUSR2
- **Streamlit LuCI Dashboard Edit & Emancipate** DONE (2026-02-06)
  - Added Edit button with modal code editor (base64 encoding)
  - Added Emancipate button with KISS ULTIME MODE workflow
  - RPCD: `get_source`, `save_source`, `emancipate`, `get_emancipation`
  - API + ACL updated
- **SecuBox Vhost Manager** DONE (2026-02-06)
  - Created `secubox-vhost` CLI for subdomain management
  - External (*.gk2.secubox.in) and local (*.gk2.sb.local) domain support
  - UCI config for vhosts: console, control, metrics, crowdsec, factory, glances, play
  - Default landing page generation
  - Integrated into secubox-core daemon and firstboot
### Completed (2026-02-06)
- **AI Insights Dashboard** DONE
  - Created `luci-app-ai-insights` - unified view across all AI agents
  - Security posture scoring (0-100) with factor breakdown
  - Agent status grid: Threat Analyst, DNS Guard, Network Anomaly, CVE Triage
  - Aggregated alerts from all agents
  - Actions: Run All Agents, AI Analysis, View Timeline
  - Links to LocalRecall memory dashboard
- **LocalRecall Memory System** DONE
  - Created `secubox-localrecall` - persistent memory for AI agents
  - Categories: threats, decisions, patterns, configs, conversations
  - LocalAI integration for semantic search and AI summarization
  - Created `luci-app-localrecall` dashboard with add/search/summarize
- **Network Anomaly Agent** DONE
  - Created `secubox-network-anomaly` with 5 detection modules
  - Bandwidth spikes, connection floods, port scans, DNS anomalies, protocol anomalies
  - LocalAI integration for AI-powered analysis
  - Created `luci-app-network-anomaly` dashboard
- **CVE Triage Agent** DONE
  - Created `secubox-cve-triage` - AI-powered CVE analysis and vulnerability management
  - Architecture: Collector → Analyzer → Recommender → Applier
  - NVD API integration for CVE data
  - CrowdSec CVE alert correlation
  - LocalAI-powered impact analysis
  - Approval workflow for patch recommendations
  - Multi-source monitoring: opkg, LXC, Docker
  - Created `luci-app-cve-triage` dashboard with alerts, pending queue, risk score
- **Webmail Login 401 Issue** RESOLVED
  - Root cause: `config.docker.inc.php` overrode IMAP host to `ssl://mail.secubox.in:993`
  - Docker container couldn't resolve domain or connect via SSL
  - Fix: Changed to use socat proxy at `172.17.0.1:10143` (plaintext, internal)
  - Updated `mailctl webmail configure` to use proxy instead of direct SSL
- **Mail Send 451 "Temporary lookup failure"** RESOLVED (2026-02-06)
  - Root cause: Alpine Postfix uses LMDB, not BerkeleyDB hash maps
  - `virtual_alias_maps = hash:/etc/postfix/virtual` was invalid
  - Postfix chroot `/var/spool/postfix/etc/resolv.conf` was missing
  - Fix: Changed setup.sh to use `lmdb:` prefix and copy resolv.conf to chroot
  - Added `mailctl fix-postfix` command to repair existing installations
- **Mail Port Hijacking External Connections** RESOLVED (2026-02-06)
  - Root cause: firewall.user DNAT rules had no interface restriction
  - ALL port 993/587/etc traffic was redirected to local mailserver
  - This blocked Thunderbird from connecting to external mail (ssl0.ovh.net)
  - Fix: Added `-i $WAN_IF` to only redirect inbound WAN traffic
- **Mail Ports 587/465/995 Not Listening** RESOLVED (2026-02-07)
  - Root cause: Postfix master.cf missing submission/smtps entries
  - Dovecot 10-master.conf had pop3s commented out
  - `dovecot-pop3d` package not installed in container
  - Fix: Added `mailctl fix-ports` command to enable all mail ports
  - Also added password reset for mail users in LuCI dashboard
- **BIND Zone Returning Internal IP** RESOLVED (2026-02-07)
  - Root cause: `/etc/bind/zones/secubox.in.zone` had 192.168.255.1 (internal) instead of public IP
  - External DNS queries returned non-routable internal IP
  - Fix: Updated zone file with public IP 82.67.100.75 for all records
- **IPv6 DNS Support** DONE (2026-02-07)
  - Added AAAA records to BIND zone and Gandi DNS
  - IPv6: `2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f`
  - Records: @, mail, ns0, ns1, wildcard
- **nftables Mail Forwarding Rules** DONE (2026-02-07)
  - Root cause: nftables `forward_wan` chain blocked DNAT'd mail traffic
  - iptables DNAT worked but nftables dropped packets before forwarding
  - Fix: Added explicit accept rules for mail ports (25,143,465,587,993,995)
  - Added both IPv4 and IPv6 forwarding rules
  - Persisted in `/etc/firewall.user`
- **Postfix/Dovecot Maildir Path Alignment** DONE (2026-02-07)
  - Root cause: Postfix delivered to `/home/vmail/$domain/$user/new/` but Dovecot looks in `~/Maildir/new/`
  - Emails were delivered but invisible in Roundcube
  - Fix in `container.sh`: Mount to `home/vmail`, virtual_mailbox_base = `/home/vmail`
  - Fix in `users.sh`: Create `$domain/$user/Maildir/{cur,new,tmp}` structure
  - Updated vmailbox format to include `Maildir/` suffix
- **Inbound Port 25 Blocked by Free ISP** KNOWN ISSUE
  - Free ISP blocks inbound port 25 on residential lines
  - Outbound mail works, inbound from external fails
  - Workaround options: VPS relay, Mailgun/SendGrid, or contact Free support
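A check for the DNAT defect described in the mail port hijacking entry above, written as an added Python example (not the project's firewall.user or mailctl). The rule lines, `$WAN_IF` and the 192.168.255.10 target are constructed assumptions; a `-d <public IP>` match is also accepted as a restriction since it equally keeps LAN clients' outbound mail connections out of the redirect.

```python
"""Audit PREROUTING DNAT rules for a missing inbound-interface restriction.

Added example, not the project's firewall.user or mailctl.
"""
from __future__ import annotations

import shlex

# Constructed sample: two unrestricted mail DNATs, one already fixed,
# and one non-NAT rule that must not be reported.
CONSTRUCTED_FIREWALL_USER = """\
# constructed sample firewall.user excerpt
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 192.168.255.10:993
iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 192.168.255.10:587
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 465 -j DNAT --to-destination 192.168.255.10:465
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
"""

# Either option confines a PREROUTING DNAT to traffic actually arriving
# from the WAN; without one, LAN clients' outbound 993/587 are hijacked too.
RESTRICTING_OPTIONS = ("-i", "--in-interface", "-d", "--destination")


def parse_rule(line: str) -> dict | None:
    """Tokenize one iptables/ip6tables invocation into {option: value or True}."""
    try:
        toks = shlex.split(line, comments=True)
    except ValueError:
        return None
    if len(toks) < 2 or toks[0] not in ("iptables", "ip6tables"):
        return None
    opts: dict = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[tok] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1   # stray positional token such as "!", ignored here
    return opts


def is_unrestricted_dnat(opts: dict) -> bool:
    """True for a nat/PREROUTING DNAT that matches on any input interface."""
    return (
        opts.get("-t") == "nat"
        and opts.get("-A") == "PREROUTING"
        and opts.get("-j") == "DNAT"
        and not any(opt in opts for opt in RESTRICTING_OPTIONS)
    )


def suggest_fix(line: str, wan_if: str = "$WAN_IF") -> str:
    """Insert the interface match right after the chain selector."""
    return line.replace("-A PREROUTING", f"-A PREROUTING -i {wan_if}", 1).strip()


def audit(script: str) -> list[tuple[int, str, str]]:
    """Return (line_no, offending_rule, suggested_rule) for each finding."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        opts = parse_rule(line)
        if opts and is_unrestricted_dnat(opts):
            findings.append((no, line.strip(), suggest_fix(line)))
    return findings


if __name__ == "__main__":
    for no, bad, good in audit(CONSTRUCTED_FIREWALL_USER):
        print(f"line {no}: unrestricted DNAT\n  - {bad}\n  + {good}")
```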
### Just Completed
- **Unified Backup Manager** DONE (2026-02-05)
  - Created `secubox-app-backup` CLI for LXC containers, UCI config, service data
  - Created `luci-app-backup` dashboard with container list, backup history
  - Gitea remote sync and mesh backup support
  - RPCD handler with 8 methods
- **Custom Mail Server** DONE (2026-02-05)
  - Created `secubox-app-mailserver` - Postfix + Dovecot in LXC container
  - `mailctl` CLI: user management, aliases, SSL, mesh backup
  - Webmail (Roundcube) integration
  - Mesh P2P mail backup sync
- **DNS Provider Enhanced** DONE (2026-02-05)
  - Added `dnsctl generate` - auto-generate subdomain A records
  - Added `dnsctl suggest` - name suggestions by category
  - Added `dnsctl mail-setup` - MX, SPF, DMARC records
  - Added `dnsctl dkim-add` - DKIM TXT record
- **Subdomain Generator Tool** DONE (2026-02-05)
  - `secubox-subdomain` CLI for generative subdomain management
  - Automates: DNS A record + HAProxy vhost + UCI registration
  - Uses wildcard certificate (*.zone) for instant SSL
  - Quick-add shortcuts for common services (gitea, grafana, jellyfin, etc.)
  - Part of Punk Exposure infrastructure
### Recently Completed (2026-02-07)
- **Mesh Onboarding Testing** VALIDATED
  - Token generation: POST `/api/master-link/token` with HMAC tokens + TTL
  - IPK download: GET `/api/master-link/ipk?token=` serves pre-built 12KB IPK
  - Dynamic IPK: `ml_ipk_generate` creates join packages on-the-fly
  - Join flow: request → approval → peer added at depth+1
  - Blockchain: `peer_approved` blocks recorded correctly
  - Threat Intel: 288 local IOCs, 67 threat_ioc blocks in chain
### Just Completed (2026-02-12)
- **HAProxy stats.js KISS Migration** DONE (2026-02-12)
  - Rewrote Statistics dashboard to use KissTheme
  - Stats iframe, logs viewer with refresh
  - Removed CSS import via style element
- **HAProxy backends.js KISS Migration** DONE (2026-02-12)
  - Rewrote Backends dashboard to use KissTheme
  - Backend cards with server lists, health check info
  - Add/edit server modals with quick service selector
  - Removed external dashboard.css dependency
- **HAProxy vhosts.js KISS Migration** DONE (2026-02-12)
  - Rewrote Virtual Hosts dashboard to use KissTheme
  - Self-contained inline CSS, removed external dashboard.css
  - Add vhost form, vhosts table, edit modal, delete confirmation
- **InterceptoR LXC Detection Fix** DONE (2026-02-12)
  - Changed from `lxc-ls --running` to `lxc-info -n mitmproxy -s`
  - More reliable container state detection
  - Fixed container name from `secbx-mitmproxy` to `mitmproxy`
### Just Completed (2026-02-11)
- **InterceptoR Services Dashboard** DONE (2026-02-11)
  - Created `luci.services-registry` RPCD handler with 4 methods
  - Aggregates: HAProxy vhosts, Tor onions, mitmproxy instances, init.d services, LuCI apps, system metrics
  - Dynamic KISS dashboard with 5 tabs: Published, Proxies, Services, Dashboards, Metrics
  - Service emoji registry for visual identification
  - CrowdSec stats integration (alerts, bans)
  - 10-second live polling
  - Fixed `kiss-theme.js` singleton pattern for LuCI module loading
- **mitmproxy Multi-Instance Support** DONE (2026-02-11)
  - Updated init.d script with `config_foreach start_instance instance`
  - Updated mitmproxyctl with `list-instances`, instance-aware `service-run/stop`
  - UCI config for dual instances: out (LAN → Internet), in (WAF/services)
  - Cloned containers: mitmproxy-out, mitmproxy-in
  - Documented in README.md
- **Cookie Tracker LuCI Dashboard** DONE (2026-02-11)
  - Created `luci-app-cookie-tracker` with KISS theme
  - RPCD handler with 6 methods: status, list, report, block, unblock, classify
  - Category breakdown visualization (essential, functional, analytics, advertising, tracking)
  - Top trackers list with one-click blocking
  - Blocked domains display
  - 69 known tracker domains pre-loaded
  - mitmproxy addon linked for cookie capture
- **CDN Cache KISS Theme** DONE (2026-02-11)
  - Rewrote overview.js with full KISS styling
  - Circular gauge for hit ratio
  - Stats grid, top domains table, 10s polling
- **IoT Guard Implementation** DONE (2026-02-11)
  - Created `secubox-iot-guard` package for IoT device isolation and security
  - OUI-based classification with 100+ IoT manufacturer prefixes
  - 10 device classes with risk scoring (0-100)
  - Anomaly detection: bandwidth spikes, new destinations, port scans, time anomalies
  - Integration: Client Guardian (zones), MAC Guardian (L2), Vortex Firewall (DNS), Bandwidth Manager (QoS)
  - CLI: `iot-guardctl` with status/list/show/scan/isolate/trust/block/anomalies/cloud-map
  - Created `luci-app-iot-guard` with KISS-style dashboard
  - 4 views: Overview, Devices, Policies, Settings
  - RPCD handler with 11 methods + public ACL for unauthenticated access
### Next Up — Layer 1
1. **Guacamole Pre-built Binaries**
   - Current LXC build-from-source approach is too slow
   - Need to find/create pre-built ARM64 binaries for guacd + Tomcat
2. **Multi-Node Mesh Testing**
   - Deploy second SecuBox node to test real peer-to-peer sync
   - Validate bidirectional threat intelligence sharing
---
## Layer 2 — AI Gateway
### Recently Completed (2026-02-06)
- **DNS Guard AI Migration** DONE (2026-02-06)
  - Created `secubox-dns-guard` daemon with 5 detection modules:
    - DGA (Domain Generation Algorithm) detection via entropy analysis
    - DNS tunneling/exfiltration detection
    - Rate anomaly detection (queries/min, unique domains/min)
    - Known bad domain matching against blocklists
    - TLD anomaly detection (suspicious TLDs, punycode/IDN)
  - LocalAI integration for intelligent threat analysis
  - Approval workflow: auto-apply or queue for review
  - Updated `luci-app-dnsguard` v1.1.0 with:
    - AI Guard tab with pending blocks approval
    - Real-time alerts panel
    - Domain analysis with AI
    - Detection module status display
- **LocalAI Multi-Channel Emancipation** DONE (2026-02-06)
  - Exposed LocalAI via Punk Exposure:
    - Tor: `b7lmlfs3b55jhgqdwbn6unhjhlfflq6ch235xa2gsdvxe7toxcf7qyad.onion`
    - DNS/SSL: `localai.secubox.local`
    - mDNS: `_secubox._tcp.local` (mesh advertised)
- **Threat Analyst Agent** DONE (2026-02-05)
  - Created `secubox-threat-analyst` autonomous threat analysis daemon
  - Rule generation for mitmproxy (Python), CrowdSec (YAML), WAF (JSON)
  - Approval workflow: auto-apply mitmproxy, queue CrowdSec/WAF
  - Created `luci-app-threat-analyst` with AI chatbot dashboard
  - RPCD handler with 10 methods for status, chat, rules, approval
- **Threat Analyst KISS Dashboard v0.1.0** DONE (2026-02-05)
  - Regenerated LuCI dashboard following CrowdSec KISS template pattern
  - External CSS loading, baseclass.extend() API pattern
  - CVE alerts in System Health section
  - CVE column in threats table with NVD hyperlinks
  - AI Security Assistant chat interface
- **MCP Server Implementation** DONE (2026-02-06)
  - Created `secubox-mcp-server` package with JSON-RPC 2.0 over stdio
  - 9 core tools: crowdsec.alerts/decisions, waf.logs, dns.queries, network.flows, system.metrics, wireguard.status, uci.get/set
  - 5 AI-powered tools (via LocalAI): ai.analyze_threats, ai.cve_lookup, ai.suggest_waf_rules, ai.explain_ban, ai.security_posture
  - Claude Desktop integration via SSH
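The per-query heuristics behind the DNS Guard detection modules listed above (DGA entropy, tunneling shape, suspicious TLD / punycode, blocklist), as an added Python example that is not the project's `secubox-dns-guard`, mapped onto its auto-apply or queue-for-review split. The thresholds, the TLD list, the blocklist and the sample domains are constructed assumptions; the rate-anomaly module needs a query stream and is left out.

```python
"""Per-query DNS heuristics with a block / review / allow verdict.

Added example, not the project's secubox-dns-guard.
"""
from __future__ import annotations

import math
from collections import Counter

SUSPICIOUS_TLDS = {"zip", "top", "xyz", "tk", "gq"}   # assumed sample list
CONSTRUCTED_BLOCKLIST = {"bad.example.net"}          # assumed feed content
VOWELS = set("aeiou")
HEX_DIGITS = set("0123456789abcdef")


def shannon_entropy(text: str) -> float:
    """Bits per character; equals log2(len) when every character is distinct."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain: str) -> str:
    """Label left of the TLD (assumes a single-label public suffix)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(label: str) -> bool:
    """High entropy plus few vowels over a long label.

    Entropy alone over-triggers on hyphenated dictionary names
    ("login-update" already has log2(12) bits), so the vowel share
    is required as a second signal.
    """
    if len(label) < 12:
        return False
    vowel_share = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) > 3.5 and vowel_share < 0.25


def analyze(domain: str, blocklist=CONSTRUCTED_BLOCKLIST) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'block', 'review' or 'allow'."""
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    # Blocklist hit on the name or any parent domain: auto-apply.
    if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
        return "block", ["blocklisted"]
    reasons: list[str] = []
    label = registrable_label(domain)
    if looks_dga(label):
        reasons.append(f"dga-like label ({shannon_entropy(label):.2f} bits)")
    # Tunneling / exfiltration shape: oversized or hex-encoded labels.
    longest = max(labels, key=len)
    if len(longest) > 40:
        reasons.append(f"label length {len(longest)} > 40")
    if len(longest) >= 32 and all(ch in HEX_DIGITS for ch in longest):
        reasons.append("hex-encoded label")
    if len(domain) > 120:
        reasons.append("query name longer than 120 chars")
    # TLD anomaly module: suspicious TLD or punycode/IDN label.
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious tld .{labels[-1]}")
    if any(lab.startswith("xn--") for lab in labels):
        reasons.append("punycode label")
    # Approval workflow: two independent signals auto-apply, one is queued.
    if len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    for name in ("google.com", "login-update.zip", "xn--80ak6aa92e.com",
                 "q8zk2x7mvn4pw3lr.top", "sub.bad.example.net",
                 "ab12cd34" * 6 + ".t.example.com"):
        print(name, "->", analyze(name))
```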
### Next Up — v0.18 AI Components
1. ~~**DNS Guard Migration**~~ DONE (2026-02-06)
2. ~~**LocalAI Upgrade → 3.9**~~ DONE (2026-02-06)
   - Upgraded to v3.9.0 with Agent Jobs Panel and Memory Reclaimer
   - Updated README with complete CLI reference and model presets
---
## Layer 3 — MirrorNetworking
### Just Completed (2026-02-07)
- **MirrorNet Core Package** DONE
  - Created `secubox-mirrornet` with 5 library modules:
    - `identity.sh` - DID-based identity (did:plc:<fingerprint>), keypair generation, signing
    - `reputation.sh` - Peer trust scoring (0-100), event logging, decay, ban thresholds
    - `mirror.sh` - Service mirroring, upstream management, HAProxy backend generation
    - `gossip.sh` - Enhanced gossip protocol, priority routing, deduplication, TTL-based forwarding
    - `health.sh` - Peer health monitoring, latency/packet loss, anomaly detection, alerts
  - `mirrorctl` CLI with 30+ commands
  - UCI config for roles (master/submaster/peer), reputation, gossip, mirror, health settings
- **MirrorNet Dashboard** — DONE
  - Created `luci-app-secubox-mirror` with RPCD handler (15 methods)
  - Identity card with DID, hostname, role, version
  - Peer reputation table with trust levels and reset action
  - Gossip protocol stats (sent/received/forwarded/dropped)
  - Health alerts panel with acknowledgment
  - Mirrored services table
- **SecuBox Identity Package** — DONE
  - Created `secubox-identity` standalone identity management
  - DID generation (did:plc:<fingerprint>) compatible with AT Protocol
  - Keypair management (HMAC-SHA256, Ed25519 fallback)
  - Key rotation with backup
  - Peer identity storage and resolution
  - Trust scoring integration
  - `identityctl` CLI with 25+ commands
- **P2P Intel Package** — DONE
  - Created `secubox-p2p-intel` for signed IOC sharing
  - Collector: CrowdSec, mitmproxy, WAF, DNS Guard sources
  - Signer: Cryptographic signing of IOC batches
  - Validator: Source trust, age, format validation
  - Applier: nftables/iptables/CrowdSec application
  - Approval workflow for manual review
  - `p2p-intelctl` CLI with 20+ commands
### MirrorNet Packages Summary (v0.19)
| Package | Status | Description |
|---------|--------|-------------|
| `secubox-mirrornet` | DONE | Core mesh orchestration, gossip, health |
| `secubox-identity` | DONE | DID-based identity, key management, trust |
| `secubox-p2p-intel` | DONE | IOC signed gossip, validation, application |
| `luci-app-secubox-mirror` | DONE | Dashboard for peers, trust, services |
### Master/Slave CDN Architecture (User Vision)
> "multipoint CDN for SSL dependencies, root/master with *.sb, xxx.sb slaved, first peek meshed, submastering/multimixslaving"
Target architecture for service mirroring:
1. **Root Master** owns wildcard domain `*.secubox.io` (or similar)
2. **Slave Nodes** get delegated subdomains (`node1.secubox.io`)
3. **First Peek** = service discovery auto-registers in mesh
4. **Mirror Cascade** = master pushes exposure config to slaves
5. **Submastering** = hierarchical delegation (master → submaster → slaves)
Required components:
- Dynamic DNS delegation with zone transfer
- Service mirroring via reverse proxy chaining
- Gossip-based exposure config sync
- Trust hierarchy with certificate delegation
### Communication Layer (v1.0)
- `secubox-voip` — Asterisk micro-PBX
- `secubox-matrix` — Conduit Matrix server
---
## Layer 4 — Roadmap Tracking
### v0.18.0 Progress
| Item | Status |
|------|--------|
| Core Mesh modules | 35+ DONE |
| Guacamole | DEFERRED |
| MCP Server | DONE |
| Threat Analyst | DONE |
| DNS Guard AI Migration | DONE |
| LocalAI 3.9 | DONE |
| LocalAI Emancipation | DONE (Tor + DNS + mDNS) |
### v1.0.0 Progress
| Item | Status |
|------|--------|
| Config Advisor | DONE |
| ANSSI CSPN Compliance | DONE |
| Remediation Engine | DONE |
| LuCI Dashboard | DONE |
### Just Completed (2026-02-07)
- **Config Advisor Package** — DONE
  - Created `secubox-config-advisor` - ANSSI CSPN compliance checking daemon
  - 7 check categories, 25+ security rules
  - Risk scoring (0-100) with grade (A-F) and risk level
  - Auto-remediation for 7 checks with dry-run mode
  - LocalAI integration for AI-powered suggestions
  - `config-advisorctl` CLI with 20+ commands
- **Config Advisor Dashboard** — DONE
  - Created `luci-app-config-advisor` - LuCI dashboard
  - Score display with grade circle and risk level
  - Compliance view by category with pass/fail/warn badges
  - Remediation view with apply/preview buttons
  - Settings for framework, weights, categories, LocalAI
### Certifications
- ANSSI CSPN: Config Advisor compliance tool DONE
- GDPR: Currently compliant
- ISO 27001, NIS2, SOC2: Planned for v1.1+
---
## Strategic Documents Received
- `SecuBox_LocalAI_Strategic_Analysis.html` — AI Management Layer roadmap
- `SecuBox_AI_Gateway_Hybrid_Architecture.html` — Hybrid Local/Cloud architecture
- `SecuBox_MirrorNetworking_Paradigm_Reversal.html` — EnigmaBox autopsy → MirrorNet
- `SecuBox_Fanzine_v3_Feb2026.html` — 4-layer architecture overview
---
## Known Bugs (Deferred)
- **Tor Shield / opkg conflict**: opkg downloads fail (`wget returned 4`) when Tor Shield is active. Likely DNS/routing interference.
---
## Blockers / Risks
- No automated regression tests for LuCI views; manual verification required after SCP deploy.
- Guacamole ARM64 pre-built binaries not readily available.
- MCP Server requires understanding of Model Context Protocol specification.