chore(dpi): gitignore Go build artifacts (ref #687)

Ship Phase 2/3 instead of scp-deploying it:
- Architecture all -> arm64 (now carries a compiled collector).
- debian/rules builds the pure-stdlib Go collector offline for arm64
  (GOTOOLCHAIN=local, GOPROXY=off, CGO off) and installs:
    /usr/sbin/secubox-dpi-collector
    /usr/sbin/secubox-dpi-flowcap
    /usr/lib/systemd/system/secubox-dpi-flowcap.service (dh_installsystemd
    auto-enables + starts it)
- control: Depends libndpi-bin (ndpiReader); Build-Depends golang-go.
- postinst pre-creates /var/lib/secubox/dpi (0755) so the collector (root,
  0644 state.json) and the dpi API (secubox) interoperate.
- changelog 1.1.0-1~bookworm1.

Validated on gk2: dpkg upgrade 1.0.5 -> 1.1.0; both secubox-dpi and
secubox-dpi-flowcap enabled+active from the packaged units; /api/v1/dpi/exfil
serving live; libndpi-bin dependency satisfied.

packages/secubox-dpi/.gitignore

@@ -0,0 +1,4 @@
+# debian/rules build artifacts (Go collector + module caches)
+collector/secubox-dpi-collector
+_gocache/
+_gopath/

packages/secubox-dpi/debian/changelog

@@ -1,3 +1,19 @@
+secubox-dpi (1.1.0-1~bookworm1) bookworm; urgency=low
+
+  * #687 Phase 2/3: ship the per-device R3 cloud-exfiltration pipeline as a
+    proper package — no more manual scp deploys.
+    - Build the pure-stdlib Go collector (secubox-dpi-collector) offline for
+      arm64 in debian/rules (GOTOOLCHAIN=local, GOPROXY=off).
+    - Ship sbin/secubox-dpi-flowcap (ndpiReader capture loop) +
+      secubox-dpi-flowcap.service (auto-enabled), Nice 15 / MemoryMax 256M.
+    - GET /api/v1/dpi/exfil serves the collector state; dashboard gains the
+      "Cloud Exfiltration Watch" panel with per-device service categorization
+      (cloud/filehost/messaging/ai/media/game/social/adult).
+  * Architecture: all -> arm64 (now ships a compiled collector).
+  * Depends: libndpi-bin (provides ndpiReader); Build-Depends: golang-go.
+
+ -- Gerald KERMA <devel@cybermind.fr>  Mon, 22 Jun 2026 09:30:00 +0000
+
 secubox-dpi (1.0.5-1~bookworm1) bookworm; urgency=low
 
   * Clarify Description: this is the netifyd-backed analytics layer

packages/secubox-dpi/debian/control

@@ -2,14 +2,14 @@ Source: secubox-dpi
 Section: net
 Priority: optional
 Maintainer: Gerald KERMA <devel@cybermind.fr>
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), golang-go (>= 2:1.22~)
 Standards-Version: 4.6.2
 Homepage: https://cybermind.fr/secubox
 Rules-Requires-Root: no
 
 Package: secubox-dpi
-Architecture: all
-Depends: ${misc:Depends}, secubox-core (>= 1.0), iproute2
+Architecture: arm64
+Depends: ${misc:Depends}, secubox-core (>= 1.0), iproute2, libndpi-bin
 Recommends: netifyd, secubox-netifyd
 Description: SecuBox DPI Analytics — netifyd-backed app/protocol classification
  Analytics layer on top of netifyd: top applications, top protocols,

packages/secubox-dpi/debian/postinst

@@ -7,6 +7,10 @@ case "$1" in
         --home /var/lib/secubox --shell /usr/sbin/nologin secubox
     install -d -o root -g root -m 1777 /run/secubox
     install -d -o secubox -g secubox -m 755 /var/lib/secubox
+    # #687 exfil collector state dir — collector (root) writes state.json 0644,
+    # dpi API (secubox) reads it; keep 0755 so secubox can traverse.
+    install -d -o root -g root -m 0755 /var/lib/secubox/dpi
+    install -d -o root -g root -m 0755 /run/secubox/dpi
     systemctl daemon-reload
     systemctl enable secubox-dpi.service
     systemctl start  secubox-dpi.service || true

packages/secubox-dpi/debian/rules

@@ -1,8 +1,34 @@
 #!/usr/bin/make -f
+# SPDX-License-Identifier: LicenseRef-CMSD-1.0
+# SecuBox-Deb :: secubox-dpi — DPI dashboard (Python) + R3 exfil collector (Go)
+#
+# The per-device cloud-exfiltration collector (#687) is a pure-stdlib Go binary
+# cross-built for arm64, fully offline (no module download): the collector has
+# no external deps so no vendor tree is needed. GOTOOLCHAIN=local pins the build
+# to the distro Go; GOPROXY=off forbids any network. CI cross-builds the same.
+export DH_VERBOSE = 1
+
+export GOOS = linux
+export GOARCH = arm64
+export CGO_ENABLED = 0
+export GOPROXY = off
+export GOTOOLCHAIN = local
+# Keep the Go build/module cache inside the build tree (sandbox-friendly).
+export GOCACHE = $(CURDIR)/_gocache
+export GOPATH  = $(CURDIR)/_gopath
+
 %:
 	dh $@
 
+override_dh_auto_build:
+	cd collector && go build -trimpath -ldflags=-s -o secubox-dpi-collector .
+
+# The arm64 cross-binary cannot run its tests on the build host; CI runs Go
+# unit tests on the host arch instead.
+override_dh_auto_test:
+
 override_dh_auto_install:
+	# Python API + dashboard (arch-independent payload, shipped in the arm64 deb)
 	install -d debian/secubox-dpi/usr/lib/secubox/dpi/
 	cp -r api debian/secubox-dpi/usr/lib/secubox/dpi/
 	install -d debian/secubox-dpi/usr/share/secubox/www
@@ -12,3 +38,15 @@ override_dh_auto_install:
 	# Modular nginx config
 	install -d debian/secubox-dpi/etc/nginx/secubox.d
 	[ -f nginx/dpi.conf ] && cp nginx/dpi.conf debian/secubox-dpi/etc/nginx/secubox.d/ || true
+	# #687 R3 exfil pipeline: Go collector + capture loop
+	install -d debian/secubox-dpi/usr/sbin
+	install -m 0755 collector/secubox-dpi-collector debian/secubox-dpi/usr/sbin/secubox-dpi-collector
+	install -m 0755 sbin/secubox-dpi-flowcap        debian/secubox-dpi/usr/sbin/secubox-dpi-flowcap
+	# flowcap unit — installed into the tree so dh_installsystemd auto-enables it
+	install -d debian/secubox-dpi/usr/lib/systemd/system
+	install -m 0644 systemd/secubox-dpi-flowcap.service \
+	  debian/secubox-dpi/usr/lib/systemd/system/secubox-dpi-flowcap.service
+
+override_dh_auto_clean:
+	rm -f collector/secubox-dpi-collector
+	rm -rf _gocache _gopath

packages/secubox-dpi/systemd/secubox-dpi-flowcap.service

@@ -1,10 +1,10 @@
 # SPDX-License-Identifier: LicenseRef-CMSD-1.0
-# Per-device flow-DPI on the R3 tap (#687, Phase 2): ndpiReader → Go collector →
-# cloud-exfiltration scenarios → /var/lib/secubox/dpi/state.json (read by the
-# secubox-dpi dashboard).
+# Per-device flow-DPI on the R3 tap (#687): ndpiReader → Go collector →
+# cloud-exfiltration scenarios → /var/lib/secubox/dpi/state.json (served by the
+# secubox-dpi dashboard at /api/v1/dpi/exfil).
 [Unit]
 Description=SecuBox-Deb DPI flow capture + exfil collector (#687)
-After=network-online.target secubox-toolbox-mitm-wg.service
+After=network-online.target
 Wants=network-online.target
 
 [Service]
@@ -12,12 +12,12 @@ Type=simple
 ExecStart=/usr/sbin/secubox-dpi-flowcap
 Restart=always
 RestartSec=10
-Nice=15
-# ndpiReader needs raw packet capture on wg-toolbox.
+# ndpiReader needs raw packet capture on wg-toolbox; nothing else.
 AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
-# Bound memory; nDPI flow table + collector are light (~20 MB observed).
-MemoryMax=256M
+# Light on a saturated board (~1% CPU observed); bound memory + low priority.
+Nice=15
 CPUWeight=20
+MemoryMax=256M
 
 [Install]
 WantedBy=multi-user.target