secubox-openwrt/.claude/WIP.md
CyberMind-FR 0cdbffda4c feat(dev-status): Redesign widget v2.1 with dynamic architecture dashboard
- 4-layer architecture visualization (Core, AI, MirrorNet, Certification)
- 22+ features with dependency tracking (dependsOn/usedBy)
- 80+ components with status indicators
- Interactive filters: layer, status, category with localStorage persistence
- Feature cards: click to expand and see full dependencies
- Live RPCD data refresh (60s auto-refresh)
- Standalone HTML page for public access (/dev-status.html)
- ES5 compatible for older browsers
- Milestone timeline to v1.0

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-09 13:02:28 +01:00

Work In Progress (Claude)

Last updated: 2026-03-09 (Dev Status Widget v2.1)

Architecture Reference: SecuBox Fanzine v3 — The 4 Layers


Recently Completed

2026-03-09

  • Dev Status Widget v2.1 (Dynamic Dashboard)

    • Complete redesign with 4-layer architecture visualization
    • 22+ features with dependency tracking (dependsOn/usedBy)
    • 80+ components with status indicators
    • Interactive filters: layer, status, category with localStorage persistence
    • Feature cards: click to expand, show full dependencies/components
    • Layer cards: click to filter features by layer
    • Interconnection graph showing feature dependencies
    • Milestone timeline to v1.0 with progress tracking
    • Production stats display (185 packages, 226 vhosts, etc.)
    • Auto-refresh with live RPCD data (60s interval)
    • ES5 compatible for older browsers
    • Standalone HTML page: /dev-status.html (no auth required)
    • Files: dev-status-widget.js, dev-status.js, dev-status-standalone.html
  • DNS Zone Configuration Sync

    • Fixed BIND zone path mismatch: /srv/dns/zones/ vs /etc/bind/zones/
    • Added ganimed.fr zone declaration to named.conf.zones
    • Synced zone files between LuCI-managed and BIND-loaded paths
  • Mitmproxy WAF Memory Optimization

    • Diagnosed memory leak (687MB RSS)
    • Added flow limits: --set flow_detail=0 --set hardlimit=500
    • Reduced memory to 77MB
    • Fixed /srv/mitmproxy-in/haproxy-routes.json for git.maegia.tv
  • Config Backups Repository

    • Created config-backups/ directory with BIND zones
    • Created private secubox-configs repo on local Gitea
    • Git remote: git@git.maegia.tv:reepost/secubox-configs.git

2026-03-08

  • RTTY Remote Control Module (Phase 3 - Web Terminal)

    • Web Terminal view: Embeds ttyd (port 7681) via iframe
    • Node selector: Local/remote target selection
    • Remote detection: Direct ttyd connection or SSH fallback
    • RPCD method: start_terminal for remote node terminal info
    • Menu: Remote Control → Remote Support → Web Terminal
    • Fullscreen and refresh controls
  • RTTY Remote Control Module (Phase 2 - Token-Based Shared Access)

    • Token authentication: 6-character codes grant RPC/terminal access without LuCI login
    • CLI commands: rttyctl token generate/list/validate/revoke, rttyctl token-rpc
    • RPCD methods: token_generate, token_list, token_validate, token_revoke, token_rpc
    • Support Panel: Generate code → Share → Support person connects without auth
    • Configurable TTL (30m/1h/2h/4h), permission tracking, usage counter
    • Local address detection: Direct ubus for local calls (bypasses HTTP auth limits)
    • Deployed and tested: Token RPC works for all ubus methods
  • RTTY Remote Control Module (Phase 1 - RPCD Proxy)

    • Backend: secubox-app-rtty-remote with rttyctl CLI
    • Frontend: luci-app-rtty-remote with KISS dashboard
    • RPCD Proxy: Execute remote ubus calls to mesh nodes over HTTP
    • CLI commands: rttyctl nodes/rpc/rpc-list/rpc-batch/auth/sessions
    • RPCD methods: status, get_nodes, rpc_call, rpc_list, get_sessions, connect
    • Session tracking with SQLite database
    • Master-link integration for authentication
    • Tested: rttyctl rpc 127.0.0.1 system board works
  • lldh360.maegia.tv BIND Zone Fix

    • DNS was returning NXDOMAIN despite zone file existing
    • Root cause: BIND (named) is the authoritative DNS, not dnsmasq
    • Zone file /srv/dns/zones/maegia.tv.zone existed but wasn't registered in BIND
    • Added zone entry to /etc/bind/named.conf.zones
    • Restarted BIND (named), domain now resolves correctly
    • Site accessible via HTTPS (HTTP 200)
  • HAProxy mitmproxy Port Fix

    • Changed mitmproxy-in WAF port from 8890 to 22222
    • Fixed UCI config regeneration issue (was overwriting manual edits)
    • All vhosts now routing correctly through WAF
  • Vortex DNS Zone Management & Secondary DNS

    • Added zone commands: vortexctl zone list/dump/import/export/reload
    • Added secondary DNS commands: vortexctl secondary list/add/remove
    • Zone dump generates BIND format zone files in /srv/dns/zones/
    • Supports OVH as secondary DNS with AXFR zone transfer
    • RPCD methods: zone_list, zone_dump, zone_import, zone_export, zone_reload, secondary_list, secondary_add, secondary_remove
    • ACL permissions updated for all new methods
    • Enables importing zones from Gandi and becoming authoritative DNS master
  • Maegia Domains Audit & Fix

    • Fixed 3 broken domains (503 errors): crt.maegia.tv, git.maegia.tv, glances.maegia.tv
    • Created missing vhost UCI configs for all 3 domains
    • Added mitmproxy routes: crt→8503, git→3001, glances→61208
    • Fixed ganimed.maegia.fr route IP: 127.0.0.1 → 192.168.255.1
    • Fixed lldh360.maegia.tv WAF bypass: metablog_lldh360 → mitmproxy_inspector
    • All 27 maegia domains now operational (4 have 404 content issues)

2026-03-07

  • HAProxy mitmproxy_inspector Backend Fix

    • mitmproxy_inspector backend had NO server section (causing 503 for all WAF vhosts)
    • Added UCI server section: mitmproxy_inspector_srv pointing to 192.168.255.1:8890
    • Fixed haproxyctl duplicate userlist warning and _emit_sorted_path_acls indentation
    • All vhosts now correctly routing through WAF
  • Lyrion Routing Fix

    • Changed lyrion vhost backend from lyrion_web to mitmproxy_inspector
    • Was bypassing WAF, now properly routed through mitmproxy-in
  • Jellyfin Route IP Fix

    • Fixed mitmproxy route: 192.168.255.1 → 192.168.255.31 (container's actual IP)
    • Jellyfin container has dedicated veth interface on br-lan
  • lldh360.maegia.tv Routing Fix + SSL

    • Fixed mitmproxy routes: 127.0.0.1 → 192.168.255.1 (all 187 routes updated)
    • Restored HAProxy config from backup (haproxyctl generate was corrupted)
    • Installed Let's Encrypt SSL certificate (valid until 2026-06-05)
    • Enabled HTTP→HTTPS redirect
    • Site now accessible via HTTPS
    • Site now accessible via HTTP on port 9003
  • cybaxe.gk2.secubox.in Port Conflict Fix

    • Changed port from 9000 to 9004 (9000 reserved for Lyrion Music Server)
    • Updated metablogizer, HAProxy backend, and mitmproxy routes
    • Created placeholder index.html (site content needs gitea sync)
    • Site now accessible via HTTPS
  • Mitmproxy-in Port Conflict Fix

    • Changed mitmproxy-in WAF port from 8889 to 8890
    • Port 8889 conflicted with avatar-tap Streamlit service
    • Updated HAProxy mitmproxy_inspector backend configuration
    • Fixed HAProxy runtime state caching via socket command
  • Vhosts Recovery

    • Started stopped LXC containers: jellyfin, jitsi, peertube, gotosocial, glances
    • Fixed glances container cgroup v2 config (cgroup.memory.limit_in_bytes → cgroup2.memory.max)
    • Fixed mitmproxy route IPs: 127.0.0.1 → 192.168.255.1 (LXC can't reach host localhost)
    • All 11 key vhosts now operational (jellyfin, social, glances, tube, meet, zoo, portal, cloud, photos, lyrion, streamlit)
  • Vhosts-Checker RPCD Fix

    • Fixed XHR timeout issue in LuCI dashboard
    • Root cause: jshn overhead for 226 vhosts + subshell issues with pipes
    • Solution: Direct JSON output with printf, temp file instead of pipes
    • Deployed ACL file for authentication
  • ROADMAP.md Generation

    • Created comprehensive roadmap from WIP and HISTORY analysis
    • Version milestones: v0.19 → v0.20 → v0.21 → v0.22 → v1.0
    • Critical path analysis and dependency graph
    • Resource requirements and risk register
  • Avatar-Tap Session Capture & Replay

    • Backend: secubox-avatar-tap - passive network tap via mitmproxy
    • CLI: avatar-tapctl with start/stop/list/replay/label/delete commands
    • LuCI: luci-app-avatar-tap KISS dashboard with session table
    • Features: Cookie/auth header capture, session replay, SQLite storage
    • Runs in Streamlit LXC container on port 8889 (mitmproxy-in moved to 8890)
    • Future: Nitrokey/GPG integration for secure replay authorization
  • PhotoPrism Photo Gallery Deployment

    • Linked /mnt/PHOTO (673GB, 391k photos) to PhotoPrism originals
    • Fixed HFS+ read-only mount issue (sidecar writes to storage/)
    • Indexing in progress: HEIC conversion, thumbnail generation, AI labels
    • HAProxy vhost + SSL cert for photos.gk2.secubox.in
  • Service Fixes & HAProxy Vhosts

    • Fixed Lyrion music mount: /mnt/MUSIC (1.6TB) now accessible
    • Fixed Portal routing (was 503, now working)
    • Added missing vhosts: lyrion.gk2.secubox.in, streamlit.gk2.secubox.in
    • Requested and installed SSL certs for all 3 new domains
    • Fixed ACME webroot configuration (uhttpd home path)
  • Source Code Updates

    • Updated default paths: Lyrion→/mnt/MUSIC, PhotoPrism→/mnt/PHOTO
    • Committed and pushed to master
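The Vhosts-Checker RPCD fix above (2026-03-07) replaced jshn with direct printf JSON and a temp file instead of a pipe. The script below is an added illustration of that pattern, not the project's own vhosts-checker code; the "name backend status" record format and the sample vhosts are assumptions.

```shell
#!/bin/sh
# Added example, not the project's vhosts-checker code: build a large
# RPCD-style JSON reply with printf instead of jshn, reading the per-vhost
# records from a temp file rather than a pipe so counters updated inside
# the loop survive.

# Constructed sample input, one "name backend status" record per line
# (the real checker's record format is not shown on the page).
SAMPLE_VHOSTS='photos.example.test mitmproxy_inspector up
git.example.test mitmproxy_inspector down
lyrion.example.test lyrion_web up'

# Escape backslashes and double quotes for a JSON string literal.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Broken pattern: the pipe runs the loop in a subshell, so "up" stays 0
# in the parent shell (dash/bash behaviour).
count_up_piped() {
    up=0
    printf '%s\n' "$1" | while read -r _ _ status; do
        if [ "$status" = "up" ]; then up=$((up + 1)); fi
    done
    echo "$up"
}

# Fixed pattern: records go through a temp file; the loop runs in the
# current shell, so the counters and the accumulated JSON body persist.
vhosts_to_json() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    total=0; up=0; body=""
    while read -r name backend status; do
        [ -n "$name" ] || continue
        total=$((total + 1))
        if [ "$status" = "up" ]; then up=$((up + 1)); fi
        item=$(printf '{"name":"%s","backend":"%s","status":"%s"}' \
            "$(json_escape "$name")" "$(json_escape "$backend")" \
            "$(json_escape "$status")")
        body="${body:+$body,}$item"
    done < "$tmp"
    rm -f "$tmp"
    printf '{"total":%d,"up":%d,"down":%d,"vhosts":[%s]}\n' \
        "$total" "$up" "$((total - up))" "$body"
}

vhosts_to_json "$SAMPLE_VHOSTS"
```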

2026-03-06

  • PhotoPrism Private Photo Gallery

    • Backend: secubox-app-photoprism with LXC container (Debian Bookworm)
    • CLI: photoprismctl with install/start/stop/index/import/emancipate commands
    • LuCI: luci-app-photoprism KISS dashboard with stats and actions
    • Features: AI face recognition, object detection, places/maps
    • HAProxy integration via mitmproxy (WAF-safe, no bypass)
    • SQLite database (simpler, no external DB), FFmpeg transcoding, HEIC support
    • Dependencies: libvips42 for image processing
  • AI Gateway /login Command

    • CLI: aigatewayctl login [provider] - Interactive or scripted provider authentication
    • Validates credentials against provider API before saving
    • Rollback on validation failure (preserves previous credentials)
    • Format warnings: Claude keys should start with sk-ant-, OpenAI with sk-
    • RPCD: login method for LuCI frontend integration
    • ACL: Added write permission for login method

2026-03-04

  • SBOM Pipeline for CRA Annex I Compliance

    • scripts/check-sbom-prereqs.sh - Prerequisites validation
    • scripts/sbom-generate.sh - Multi-source SBOM generation
    • scripts/sbom-audit-feed.sh - PKG_HASH/PKG_LICENSE feed audit
    • .github/workflows/sbom-release.yml - GitHub Actions with CVE gating
    • SECURITY.md - CRA Art. 13 §6 compliant vulnerability disclosure
  • AI Gateway Full-Stack Implementation

    • 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
    • Provider routing: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI
    • aigatewayctl CLI with classify/sanitize/provider/audit commands
    • luci-app-ai-gateway with 4 KISS-themed views

2026-03-03

  • Comprehensive Service Audit

    • WAF Enforcement: Disabled waf_bypass on 21 vhosts
    • Container Autostart: Enabled on 9 essential containers
    • Glances Fix: Resolved cgroup mount issue
    • 18 LXC Containers Running
  • Vortex DNS Firewall Phases 1-4

    • Threat intel aggregator, SQLite blocklist, dnsmasq integration
    • HTTP/HTTPS sinkhole server for infected client detection
    • DNS Guard AI detection integration
    • Mesh threat sharing via secubox-p2p blockchain
  • Image Builder Validation

    • Validated secubox-image.sh, secubox-sysupgrade.sh
    • Fixed curl redirect issue: Added -L flag

2026-03-02

  • Reverse MWAN WireGuard v2 - Phase 2

    • LuCI Dashboard for Mesh Uplinks
    • 9 RPC methods for uplink management
    • 10-second live polling

2026-03-01

  • Reverse MWAN WireGuard v2 - Phase 1

    • WireGuard mesh peers as backup internet uplinks via mwan3 failover
    • wgctl CLI: uplink list/add/remove/status/test/failover
    • UCI config for global and per-uplink settings
  • Nextcloud Integration Enhancements

    • WAF-safe SSL routing, scheduled backups, SMTP integration
    • CalDAV/CardDAV/WebDAV connection info display

In Progress

  • RTTY Remote Control Module (Phase 4 - Session Replay)

    • Avatar-tap integration for session capture
    • Replay captured sessions to target nodes
    • Session export/import functionality

Next Up

v1.0 Release Prep

  1. Session Replay - Avatar-tap integration for session capture/replay
  2. Remote ttyd Deployment - Auto-install ttyd on mesh nodes

v1.1+ Extended Mesh

  1. WAF Auto-Ban Tuning (optional, as-needed)
    • Sensitivity threshold adjustment based on production traffic

Backlog

  • SSMTP / mail host / MX record management (v2)

Strategic Documents

  • SecuBox_LocalAI_Strategic_Analysis.html — AI Management Layer roadmap
  • SecuBox_AI_Gateway_Hybrid_Architecture.html — Hybrid Local/Cloud architecture
  • SecuBox_MirrorNetworking_Paradigm_Reversal.html — EnigmaBox autopsy → MirrorNet
  • SecuBox_Fanzine_v3_Feb2026.html — 4-layer architecture overview

Blockers / Risks

  • No automated regression tests for LuCI views; manual verification required after SCP deploy.
  • Guacamole ARM64 pre-built binaries not readily available.