Compare commits

..

No commits in common. "master" and "android-v0.4.0" have entirely different histories.

1201 changed files with 9141 additions and 275631 deletions

View File

@ -3,405 +3,6 @@
--- ---
## 2026-07-01 — Macro subsystem (M2) + tor-exit reference kind (#771)
Services can now propose a vetted, AppArmor-confined **access macro** so an approved peer
consumes them. First increment: framework + `tor-exit` (SOCKS-over-mesh). Three packages:
- **secubox-annuaire 0.3.3** — optional signed `ServiceOffer.macro {kind, params}` that
federates in the signed payload (byte-stability guard keeps macro-less offers compatible
with pre-0.3.0 signatures); `annuairectl offer --macro-kind/--macro-param`.
- **secubox-macro 0.1.0 (NEW)**`secubox-macroctl` root dispatcher (kind allowlist, plugin
root-owned+non-writable tamper guard, src-ip mesh-CIDR check, euid-gated env-ignore,
append-only audit) + `macros.d/tor-exit` (nft grant/revoke, service_id path-traversal
sanitize, socks_port bound) + tight sudoers (env_reset) + AppArmor enforce (net_admin) +
postinst (Tor SocksPort on mesh IP, nft base set, audit pre-create).
- **secubox-p2p 1.9.0** — provider grant endpoint (self-signed Subscription auth: self-cert
DID + ed25519 over annuaire's canonical bytes; auto-mode only), consumer activate pulls
the credential over the mesh + runs macroctl activate, mesh listener :8798 (mesh-IP-only,
X-Real-IP), revoke-access, NNP=no for the sudo path, UI SOCKS endpoint + Revoke.
Built via SDD (8 tasks, per-task + final opus review = READY TO MERGE). The review loop caught
and fixed **6 Criticals**: offer-signature wire-break (macro:null changed signed bytes),
tor-exit root path-traversal (service_id as root filename), prerm mawk-bricks-dpkg, macroctl
NNP-blocks-sudo, macroctl env-injection root-RCE + missing root-ownership guard. Deployed the
3 debs to gk2 + c3box; **proven live on c3box under AppArmor enforce**: macroctl→tor-exit grant
adds a mesh IP to the `secubox_macro_torexit` nft set + returns the endpoint + writes an
append-only audit line; revoke empties it; bad-kind/non-mesh-IP/missing-src-ip all rejected.
Full cross-node federation + real Tor routing is env-blocked (Tor not installed on c3box; gk2
uses `inet filter` not `secubox_filter`) — not a code issue. Suites: annuaire 189, p2p 49,
macro 14.
---
## 2026-06-30 — secubox-p2p 1.8.0 : Service Registry = live view of annuaire catalog (#769)
Le registre de services p2p (`/p2p/`) affichait « No services registered » (JSON local
isolé), déconnecté du catalogue fédéré secubox-annuaire 0.2.0. Désormais c'est une **vue
live** : `GET /services` fusionne le catalogue annuaire + mes abonnements + un mince
*activation overlay* + les services p2p-locaux hérités (sans duplication, sans dérive).
`api/registry.py` (fusion pure, testable) + `api/annuaire_client.py` (lit
`/run/secubox/annuaire.sock`, jamais l'aggregator ; s'abonne EN TANT QUE nœud via la clé
0600 ; frappe un JWT de service car le subscribe annuaire est JWT-gated). 4 endpoints :
`GET /services` (dégrade en `catalog_unavailable`, ne 500 jamais), `POST
/services/auto-register` (active les offres locales + s'abonne aux distantes selon
auto/pending), `/{id}/request`, `/{id}/activate`. UI : bouton « Auto register all » +
Request access / Activate + badges d'état (service_id en encodeURIComponent — XSS-safe).
annuaire inchangé ; exécution des macros déférée au Milestone 2.
Construit via SDD (5 tâches TDD + revues par tâche + revue finale opus = READY TO MERGE).
Bug trouvé au déploiement : le subscribe annuaire est JWT-gated ET vérifie que le sujet est
un user activé → token de service frappé pour `admin` (override SBX_SERVICE_USER). 34 tests.
Déployé gk2 + c3box : `GET /services` = WAF mirror (local) + Suricata (fédéré de c3box) sur
gk2, image miroir sur c3box ; `auto-register` gk2 = {activated:1, requested:1} → Suricata
fédéré **approved**.
---
## 2026-06-30 — secubox-annuaire 0.2.0 : trustless cross-node service federation (#766)
Le `/services/pull` de 0.1.3 n'était **pas** réellement sans-confiance ni opérable :
`ingest_offer` vérifiait la signature contre une pubkey *fournie par l'appelant* sans
jamais contrôler `did_from_pubkey(pubkey) == provider` (forge « apporte ta clé, réclame
n'importe quel DID ») ; et `GET /services` renvoyait des offres **sans signature ni
pubkey** (le payload stocké les omet), donc un pair inconnu ne pouvait rien vérifier.
Corrigé :
- **Ingest sans-confiance** : `ingest_offer` impose `did_from_pubkey(pubkey)==provider`
AVANT la vérif de signature. did:plc = sha256(pubkey)[:32] → liaison auto-certifiante,
aucun annuaire, aucune confiance préalable.
- **Offres auto-portées** : `_get_offers`/`GET /services` ré-attachent `sig` + `signer_did`
+ `provider_pubkey` (métadonnée de transport, retirée avant reconstruction du modèle
extra=forbid). `pull_services` les consomme.
- **Bootstrap de nœud** : verbe `genesis()` (un nœud s'auto-atteste MEMBER fondateur,
brise le paradoxe invite/join ; DID auto-certifiant, `invited_by` vide → n'inflige
jamais la pluralité d'émancipation ; idempotent). `Op.GENESIS` (additif). CLI
`/usr/sbin/annuairectl` (init|whoami|status|offer|services|pull) opérant le journal
directement en tant que `secubox` (pas de JWT pour le bootstrap privilégié) ; clé 0600
dans `/etc/secubox/secrets/annuaire/node.key`.
- **Écouteur mesh** : `annuaire-mesh.conf.tpl` rendu par postinst sur l'IP wg-mesh du
nœud uniquement (`10.10.0.1:8799` sur gk2), `allow 10.10.0.0/24 + deny all`, GET
`/services` seul.
- **Tests** : +7 (forge, payload altéré, hex invalide, round-trip), 134 passants.
- **Revue sécurité** : aucune forge exploitable. Deux durcissements board-wide :
postinst valide l'écouteur rendu via `nginx -t` et le retire si échec (un rendu cassé
ne persiste jamais) ; livraison de `ip_nonlocal_bind=1` (nginx lie l'IP mesh même si
wg-quick@wg-mesh démarre après nginx).
Déployé sur gk2 (0.1.3 → 0.2.0) : service actif, `nginx -t` OK, écouteur live, genesis
gk2 (DID `0463…`) + offre « WAF mirror ». **Démo live** : un second nœud (fondateur
distinct, gk2 inconnu) `annuairectl pull http://10.10.0.1:8799` → ingested 1, chain_ok.
Reste : pull live gk2→c3box bloqué (clé SSH non autorisée sur .94) ; NIZK/PSI GK·HAM à venir.
---
## 2026-06-30 — secubox-yacy 1.0.12 : repair webui embed + navbar integration
Page admin `https://admin.gk2.secubox.in/yacy/` cassée sur deux points, corrigés dans
[`www/yacy/index.html`](../packages/secubox-yacy/www/yacy/index.html) :
- **webui (iframe récursif)** : l'`<iframe src="/yacy/">` pointait sur **cette même page**
(nginx sert `/yacy/` en `alias` statique, pas en proxy) → le panneau s'affichait
récursivement au lieu de l'UI YaCy. Le `src` est désormais construit au runtime depuis
`/api/v1/yacy/access`, en préférant l'URL **publique https** (`yacy.gk2.secubox.in`,
vérifiée sans X-Frame-Options/CSP → framable) pour éviter le blocage mixed-content ;
repli sur un lien « ouvrir dans un nouvel onglet » si seule une URL http LAN est joignable.
- **navbar** : la page utilisait une grille CSS `.layout` custom + `sidebar-light.css`
legacy, en conflit avec `sidebar.js` v2.33 (injecteur hybrid-skin). Migration vers le
pattern canonique (annuaire/cookies) : `design-tokens.css` + `crt-light.css`,
`<nav class="sidebar">` + `sidebar.js`, contenu dans `<main class="main">`. Strings
issues de l'API échappées avant injection.
Déployé live sur gk2 (`/usr/share/secubox/www/yacy/index.html`, backup `.bak-pre-fix`),
copie debian stagée synchronisée, bump 1.0.11 → 1.0.12. Assets `/shared/*` 200, JS
`node --check` OK.
**Cause racine réelle des cartes « unavailable » + « no search results »** : drift nginx
live. `/etc/nginx/secubox-routes.d/yacy.conf` (inclus par le vhost admin) avait dérivé vers
`proxy_pass …/aggregator.sock` en gardant le `rewrite` qui dénude le préfixe → l'aggregator
(modules montés sur le chemin **complet** `/api/v1/yacy/*`) recevait `/access` nu → 404 →
`.catch()` du JS → iframe jamais construit → pas d'UI YaCy. Réaligné sur la config livrée
(`yacy.sock`, ~0,2 s vs 11-20 s via l'aggregator qui bloquait sa boucle). YaCy jamais cassé
(freeworld, 352 global / 466 local pour « debian »). Même pattern que Lyrion #763 ci-dessous.
**Phase 2 — yacyctl detection + sudoers + postinst + .deb** :
- `yacyctl` reportait lxc « absent » / daemon « stopped » / overall **red** alors que tout
tournait : `secubox-yacy.service` tourne en `User=secubox` + `NoNewPrivileges=true`, et
`lxc-info`/`lxc-attach` exigent root (NNP bloque sudo). Remplacé par une **sonde réseau
privilège-free** (`curl http://$LXC_IP:$HTTP_PORT/`) — préserve le durcissement, signal
plus vrai. `lxc-info` gardé en enrichissement best-effort root-only. → vert via l'API.
- Ship `/etc/sudoers.d/secubox-yacy` (lxc-*) pour `yacyctl reload` (restart daemon in-LXC).
- `postinst` : `systemctl restart` inconditionnel — `deb-systemd-invoke restart` de
dh_installsystemd **refuse** de démarrer une unité *disabled* → upgrade laissait
`yacy.sock` absent → 502. (Piège de test : dpkg s'arrête sur un **prompt conffile** quand
on a édité les `/etc` à la main → `--force-confnew` pour aligner.)
- Construit + installé `secubox-yacy_1.0.12-1~bookworm1_all.deb` (output/debs/). Upgrade
propre validé : service active+enabled, dashboard vert, recherche 466, route `yacy.sock`.
---
## 2026-06-30 — Lyrion admin 404 → dedicated-socket extraction (#763)
Page `https://admin.gk2.secubox.in/lyrion/` : tous les widgets en **HTTP 404**.
### Cause racine
La route nginx `/api/v1/lyrion/` avait dérivé sur la board vers
`rewrite … /$1 break;` + `proxy_pass …/aggregator.sock;` (sans suffixe `/api/v1/lyrion/`).
L'aggregator monte les modules au chemin **complet** `/api/v1/lyrion/…`, donc le `/status`
dénudé → 404. (`curl aggregator.sock /api/v1/lyrion/status` → 200 ; `/status` → 404.)
### Décision — extraction socket dédié (comme auth/metrics)
Les handlers `now-playing` / `players` font du JSON-RPC LMS **bloquant** à chaque requête.
Sur la boucle unique de l'aggregator (~110 modules) un appel LMS lent fige toute la
passerelle → 502 board-wide (SPOF observé). lyrion repasse sur son propre
`secubox-lyrion.service` + `/run/secubox/lyrion.sock` + route nginx dédiée.
### Changements
- **source** `packages/secubox-lyrion/nginx/lyrion.conf` : invariant documenté (dedicated
socket, ne jamais folder dans l'aggregator).
- **source** `packages/secubox-lyrion/debian/postinst` : préserve l'état runtime sur upgrade
(`try-restart`), démarre au fresh install si le LXC LMS répond.
- **source** `packages/secubox-aggregator/sbin/secubox-aggregator-migrate` : `AGG_EXCLUDE`
(lyrion) → discovery + switch route + disable service le sautent (durabilité).
- **board** : `secubox-lyrion.service` enable --now ; route nginx (secubox.d +
secubox-routes.d) → `lyrion.sock` ; reload. 5 endpoints à 200, stream live affiché.
- **gotcha** : le 1er `enable --now` a re-chown `/run/secubox` (1777 root:root →
755 secubox:secubox) car le drop-in `no-runtime-dir.conf` (`RuntimeDirectory=`) n'était pas
rechargé en mémoire systemd. `daemon-reload` + restaure le parent à 1777 root:root → restart
ne le re-casse plus (boot-safe).
---
## 2026-06-27 — LAN standardisé 192.168.10.0/24 + c3box/gk2 live Freebox + bump 1.10.0 (#760)
Session terrain "c3box derrière Freebox" : la LAN SecuBox par défaut (`br-lan 192.168.1.1/24`)
entrait en collision avec la LAN d'un routeur opérateur courant (Freebox/Livebox en
`192.168.1.0/24`). En aval d'une Freebox, le WAN DHCP et la LAN se retrouvaient sur le **même
sous-réseau** → route dupliquée, ARP ambigu, IP de management injoignable.
### A. Constat live + remédiation immédiate
- **c3box** (second MOCHAbin) derrière Freebox : WAN `eth2=192.168.1.94` (bail Freebox) +
`br-lan=192.168.1.1/24``.94` injoignable depuis le LAN. Corrigé live : `br-lan → 192.168.10.1/24`.
SSH root activé, webadmin `https://192.168.1.94/` OK, `/dev/sda1` (931 G) monté sur `/data`
(style gk2 : UUID + nofail), partition eMMC retirée (`emmc-data`).
- **gk2** (live PoC) : uplink déplacé de `lan0` (DSA) vers le port cuivre WAN `eth2` ; netplan
réparé via **série** (gk2 hors-réseau le temps du switch) → `eth2 dhcp4: true`, `lan0` dépouillé.
Bail Freebox réservé sur le MAC eth2 `f0:ad:4e:27:88:9b` → gk2 reprend `192.168.1.200`. Persisté.
### B. Standardisation source (LAN = 192.168.10.0/24, gw .10.1) — 17 fichiers
- Netplans board : mochabin, espressobin-v7, espressobin-ultra, x64-vm, x64-live (`br-lan`),
+ unification VM vm-x64/vm-arm64 (`192.168.100.1 → 192.168.10.1`).
- Générateurs de netplan : `secubox-netmodes`, `secubox-hub` (preview), `secubox-net-detect`.
- dnsmasq (`espressobin-v7.conf`) : `dhcp-range` + `option:router` + `option:dns-server`.
- Scripts live-usb (mochabin/ebin) + SAN des certs auto-signés (`firstboot`, `build-image`,
`build-rpi-usb`, `build-live-usb`) → `IP:192.168.10.1`.
- **Hors scope (intacts)** : `192.168.255.1` (whitelist mgmt/trusted-proxy WAF/mail/wg/mitm),
listes `GATEWAYS` de sonde WAN, exemples remote-ui/round + tests.
### C. Release
- Bump mineur (« medium ») **1.9.0 → 1.10.0** : `build-image.sh`, `build-live-usb.sh`,
`build-ebin-live-usb.sh`, `build-rpi-usb.sh` (mochabin-live reste sur sa piste 2.0.0).
- Artefacts amd64 (x64) reconstruits depuis cette base.
---
## 2026-06-27 — Netboot live PROUVÉ + première install SecuBox Debian sur c3box (second MOCHAbin) (#748 #737)
Grande session hardware : netboot gk2→c3box validé de bout en bout, premier SecuBox Debian installé
sur un vrai MOCHAbin, et le blocage U-Boot qui empêche #748 de fermer est formellement documenté.
### A. Netboot gk2 → c3box : validé en prod
- **c3box** (second MOCHAbin, Armada 7040) a booté l'installeur SecuBox Debian servi par gk2 via
TFTP : factory U-Boot 2020.10 → `tftpboot Image/dtb/initrd``booti` → rescue shell installeur,
kernel custom 6.12.85 #5secubox. Le FIT signé (49 Mo) était servi en HTTP sur `:8099`.
- Le long détour cabling était une impasse LAB (prouvé via gk2 bridge-FDB + test DHCP) — aucun
bug logiciel.
- **Learnings opérationnels réutilisables** (documentés dans `wiki/Netboot-Install.md`) :
- Factory U-Boot 2020.10 s'interrompt sur **Enter** (pas Ctrl-C), `bootdelay=2`.
- Son env n'est PAS dans SPI mtd2 (env étranger fossile) → `fw_setenv` depuis Linux n'a aucun
effet ; seule la config U-Boot interne compte.
- Seul le port cuivre RJ45 unique = `mvpp2-2` est bootable par le factory U-Boot (les 4 ports
switch nécessitent le driver MV88E6XXX DSA, absent au boot).
- Kernel load à `0x02080000` = adresse mémoire réservée → crash immédiat ; utiliser `0x0a000000`.
- `setenv tftpblocksize 1468` pour TFTP rapide.
### B. #748 enhanced Tow-Boot (HTTP/wget bootloader) — DIFFÉRÉ, bloquant documenté
Branche `feature/748-enhanced-tow-boot-http-netboot-serial-fl` (stackée sur #737) :
spec+plan (`docs/superpowers/`), Kconfig Tow-Boot, `build-uboot-overlay.sh --tow-boot`,
plan serial-flasher, CI `.github/workflows/build-tow-boot.yml` (push-triggered).
**Bloquant dur (ciseau)** : le board MOCHAbin n'existe que dans le fork U-Boot 2022.07 de
Tow-Boot (pas de `wget`) ; `wget` n'existe que dans U-Boot stock ≥2023.07 (pas de board
mochabin/DTS). Bump à stock 2023.07 = `wget` compile mais build sans DTS. Pour débloquer :
backporter wget/TCP dans le fork Tow-Boot 2022.07, OU porter le board mochabin vers mainline
≥2023.07. Pas un tweak de config.
### C. PREMIÈRE INSTALL — c3box → SecuBox Debian (la headline)
- **Image** : artefact CI `secubox-mochabin-bookworm` (run 27426515472, 1,8 Go gzip / 8,0 Gio
décompressé), téléchargée sur gk2 `/data`, SHA256SUMS vérifié.
- **Signature** : clé `secubox-netboot.key` de gk2. Vérifié : cette clé FIT == `netboot-image.pub`
embarquée dans l'installeur (modulus match + roundtrip sign/verify). `sbx.img.gz` + `.sig`
publiés dans le root HTTP netboot, servis sur `:8099` (symlink depuis `/data`).
- **Install automatisé depuis le rescue shell** :
`wget sbx.img.gz` (en RAM, c3box a 8 Go) →
`openssl dgst -verify` contre `netboot-image.pub` (résultat : Verified OK) →
`gunzip | dd of=/dev/mmcblk0 bs=4M conv=fsync` (8 Gio, progression 32→62→94→100%) → sync.
- **c3box démarre SecuBox Debian v1.9.0** — hostname `secubox-mochabin`, kernel Debian
6.1.0-47-arm64, stack complète : secuboxd, hub, grafana, zigbee, mqtt, authelia,
sentinel/rogue-BTS (layers WALL+MIND). Creds root/secubox, Web UI `:9443`.
- **Fix auto-boot persistant** : l'image utilise `extlinux.conf` à `0x02080000` (adresse réservée
factory U-Boot → reset immédiat) et ne livre pas de `boot.scr` compilé. Construit
`/boot/boot.scr` (kernel@`0x0a000000`, initrd@`0x10000000`, `console=ttyS0` + earlycon,
`root=LABEL=rootfs`) : le factory U-Boot charge `boot.scr` depuis mmc et démarre Debian sans
intervention. **VÉRIFIÉ** : reboot sans intervention → login Debian.
- **Layout eMMC installé** : GPT p1=boot (FAT, `/boot`) p2=ROOT (`/`) p3=DATA. c3box était
OpenWrt ; eMMC écrasé (install RAM-only, pas de risque sur l'OS tournant avant le `dd`).
- **Rig netboot temporaire gk2 encore actif** : `lan1=192.168.77.1/24`, dnsmasq test (DHCP) sur
`lan1`, `nft iif lan1 accept`, nginx boot-vhost extra listen `192.168.77.1:8099`.
## 2026-06-24 (cont.) — R4 analyst mode: MITM-everything + media reverse-catcher + clone (#736)
New "R4" doctrine — visibility over performance. Delivered + live on gk2:
- **Splice flip**`tls-splice-seed.conf` reduced from a media-CDN perf list to
breakers-only (`api.anthropic.com`); splice now applied ONLY where MITM provably
breaks (cert pinning). Banner reaches every page; catcher sees media URLs. Live:
learned splices cleared, autolearn gated (`tls_splice=off`).
- **sbxmitm media reverse-catcher** (`cmd/sbxmitm/mediacatch.go`, toolbox-ng 0.1.20)
— 2xx MITM'd flows → cloneable media URLs (HLS/DASH manifests, direct A/V,
googlevideo videoplayback) appended to `/run/secubox/media-catch.jsonl` (URLs
only, deduped, atomic, fail-open). `--media-catch` default on; worker unit
`ReadWritePaths=/run/secubox`.
- **mediaflow Discovered Media + Clone** (2.1.0) — `/discovered`, `/clone`
(yt-dlp→ffmpeg queue, lazy worker for the aggregator), `/library`,
`/download/{id}`, DELETE; dashboard cards. Verified: HLS caught → ffmpeg →
464 MiB mp4 in library. yt-dlp installed.
- Also fixed the empty mediaflow dashboard (2.0.2 contract + 2.0.3 cumulative
services): cards/streams live, Top Media Services from DPI cumulative store.
KEY: dashboard routes via the **aggregator** (in-process import) — restart
`secubox-aggregator` to pick up mediaflow code changes.
- Phase 4 done — R4 button added to the banner topbar (R0..R4) + set-level + by-MAC
validation + analytics buckets; gated to the wg path like R3 (secubox-toolbox 2.7.20).
- yt-dlp upgraded 2023.03.04 → 2026.06.09 (standalone binary; YouTube works).
- Recos: catcher now captures YouTube watch **pages** (kind=page, toolbox-ng 0.1.22);
Discovered Media persisted off tmpfs into a durable capped store (mediaflow 2.1.1);
yt-dlp packaged (Recommends + weekly refresh timer + postinst).
- **Catch-log ownership bug**`/run/secubox/media-catch.jsonl` was created
`secubox`-owned while the worker runs as `secubox-toolbox`, so O_APPEND failed
silently → nothing captured. Fixed with a tmpfiles.d entry pre-creating it owned
by the writer every boot (zz-secubox-toolbox-ng.conf). Live: rm + worker recreate.
## 2026-06-24 (cont.) — Banner on nonce-CSP sites + Claude API splice + YouTube unblock (#728)
Three distinct root causes behind "no banner on youtube / news", fixed in order:
1. **Trusted Types** (0.1.17) — `require-trusted-types-for` blocked DOM injection. Stripped.
2. **Nonce-based CSP** (0.1.18) — the banner is *inlined* (service-worker-proof), but a CSP
nonce/hash makes `'unsafe-inline'` IGNORED → the bare inline `<script>` was silently
blocked. `relaxCSPForLoader` now **borrows the page's own nonce** and stamps it on the
injected `<script nonce=…>` (surgical: page CSP/nonces/hashes untouched), falling back to
forcing `unsafe-inline` (drop nonce/hash/strict-dynamic) only when there's no nonce.
Nonce validated to base64 charset (attribute-breakout guard). Threaded nonce through
injectIntoBody → injectHTML → injectInlineBanner. Tests rewritten for inline semantics.
3. **YouTube wholly blocked** (runtime) — autolearn false-positive put `youtube.com` in
`/var/lib/secubox/toolbox/learned-trackers.txt``Decide()` returned `block` (204) →
page never loaded. Removed from learned + added to `ad-allowlist.txt` (hot-reloaded).
Latent-bug tracker: **#735** (autolearn must not block apex/first-party nav targets).
**Claude API splice** (user request) — `api.anthropic.com` added to `tls-splice-seed.conf`
(+ live seed): cert-pinned Claude API/SDK clients reject the MITM CA, so pass them through;
`claude.ai` web stays MITM'd (browser trusts the CA → still gets the banner).
Verified end-to-end on gk2: YouTube 200 + banner nonce == page nonce; lemonde/lefigaro
banner via unsafe-inline fallback. DPI confirmed healthy — collector writes to
`/var/lib/secubox/dpi/` (state.json/cumulative.json fresh), `/exfil` returns categorized
flows; the earlier "empty" was me checking the wrong paths (`/run/secubox/dpi`).
## 2026-06-24 — DPI YouTube bannering: strip Trusted Types CSP (#728)
- **Root cause** — YouTube serves a standalone `Content-Security-Policy:
require-trusted-types-for 'script'` header. sbxmitm's `relaxCSPForLoader` already
relaxed `script-src` (drop `strict-dynamic`, add `'self'`/`'unsafe-inline'`) so the
banner loader runs, but Trusted Types still blocked the banner's DOM injection →
banner silently never mounted on YouTube.
- **Fix** (`cmd/sbxmitm/csp.go`, toolbox-ng 0.1.17) — drop `require-trusted-types-for`
and `trusted-types` directives during the relax; omit the resulting empty CSP header
line. Local Go unit tests cover both the relax and the empty-header drop.
- **DPI capture half** — collector `state.json` was stale (frozen 09:44); restarted
`secubox-dpi-flowcap` → fresh windows, YouTube/media flows now visible in mediaflow.
- Deployed to gk2; R3 workers `secubox-toolbox-ng-worker@1..4` restarted on 0.1.17.
- Filed for later: #729 wireguard peers/tabs, #730 yacy, #731 lyrion, #732 magicmirror,
#733 firewall dashboard misreport, #734 webui.conf hardcoded-route cleanup.
## 2026-06-22 — DPI exfil engine + Netrunner report (HTML+PDF) + sbxmitm fixes
Big session: full per-device DPI exfiltration pipeline, the kbin report reborn as a
cyberpunk-netrunner character sheet, and two live-ops fixes on the Go MITM engine.
All PRs merged to master and deployed live on gk2.
### DPI — per-device cloud-exfiltration (#687, secubox-dpi 1.0.5 → 1.1.2)
- **Phase 1** nDPI flow-DPI on `wg-toolbox` (ndpiReader, ~1% CPU on the Armada).
- **Phase 2** Go collector (`secubox-dpi-collector`, pure stdlib, arm64): attributes
flows to devices via `sha256(wg_pubkey)[:16]`, classifies SNI into nDPI-style
**categories** (cloud/filehost/messaging/ai/media/game/social/adult), fires exfil
scenarios (`exfil_volume`, `new_cloud`, `beaconing`, `unclassified_external`).
Producer = `secubox-dpi-flowcap` (60s windows) → `GET /api/v1/dpi/exfil`.
- **Dashboard** (#693/#695): "Cloud Exfiltration Watch" panel + stat cards + all list
cards repointed off the inactive netifyd to the live exfil engine.
- **#692** beaconing tuned to a C2-plausible cadence (1s1h, CV≤0.25, external).
- **#705 cumulative 7d** — `cumulative.json` so the report shows history, not just the
last 60s window (was: idle device → all zeros).
- **Packaged** `secubox-dpi 1.1.x` (arch arm64, Go built in debian/rules offline,
flowcap auto-enabled, `Depends: libndpi-bin`).
### kbin report — Cyberpunk-Netrunner character sheet (#707, HTML + PDF)
- **#699** report tabs (Pistage / DPI-Exfil / Overall) with donut charts.
- **#701/#703** DPI stats + visual donut charts in the PDF (mitm/certs/ads/dpi).
- **#707** persona sheet: class+emoji from the request UA (live device), level=R3 for
wg peers, ICE/Exposition bars, XP, 4 pip-bar CARACTÉRISTIQUES, Inventaire, Bestiaire,
Quêtes — HTML neon + PDF `_persona_block`.
- **#709** carto hub map + emoji tables (Traceurs/Pays/DPI) in the PDF.
- **#711/#712** "En un coup d'œil" added to the PDF.
- **#714** charts switched to **matplotlib PNG** embeds (fpdf2 vector donuts were blank
in iOS/Chrome viewers).
- **#716** donut grid → ONE combined 2×2 image (was spilling each donut/legend onto its
own page → 24 pages). Report back to a clean 4 pages. User: "report parfait".
### sbxmitm (Go MITM engine, #662 line)
- **#689** forged leaf cert TTL **24h → 365d** — root cause of recurring "certificat
expiré" on clients (cache never evicts; 24h leaves expired daily). Interception kept.
- **#697** stop truncating responses >8MiB — `streamResponse()` streams non-injected
bodies verbatim; large **Gmail** messages/attachments rendered again over R3.
- **#688** own-domain splice approach REJECTED (decision: intercept all vhosts) — reverted.
### Ops notes
- Surf-break incident: R3 mitm CA rotated 2026-06-05 → clients must re-import the CA root
(the "expired cert" was client-side trust, not the board).
- R3 engine is the Go `sbxmitm` (`secubox-toolbox-ng-worker@1..4`, 10.99.1.1:8091-8094)
— NOT the Python mitm; restart THOSE for R3 changes.
---
## 2026-06-20 — kbin Tor shipped + client releases + ad-block/mitm hardening
- **#683 MERGED (PR #684)** — kbin Tor egress quick-switch (switch + nft owner-match
tunnel, own-services exemption, reconciler+timer), dashboard/landing/banner metrics
fixes, 🧅 indicators (banner/webext/APK), APK persistent WG identity, landing+report
**redesign** (verdict gauge + donut/bars + collapsible details). Live on gk2; Tor armed.
- **Client releases served from kbin**: `android-v0.4.0` (Latest) + `webext-v0.1.5`
published by CI; pinned webext tag bumped; board fetch-helpers pull them →
/wg/toolbox.apk (0.4.0) + /wg/toolbox.xpi (0.1.5). toolbox 2.7.12.
- **#685 ad-learner hardened (2.7.13)** — NEVER_LEARN guard (Google/CDN/fonts/captcha/
auth/payment), AD_MIN_SITES 1→2, prune existing. Root cause of euronews breakage:
the learner had 204'd `www.google.com` → broke reCAPTCHA/consent. Also allowlisted
www.google.com/.fr live.
- **mitm-wg stream_large_bodies=1m (2.7.14)** — large binary downloads (APK, CA) were
corrupted ONLY through the R3 tunnel (HTTP/2 buffer/reframe); now passed verbatim.
- **OPEN [#686]** — android-toolbox non-root flow broken (CA auto-install needs root,
WG handoff → Play Store, tunnel not detected). Needs on-device dev/testing; rooted-vs-
non-rooted decision pending. #685 signing was a red herring (corrupt = mitm buffering).
## 2026-06-19 — kbin Tor egress quick-switch implemented DARK (#683, ToolBoX 2.7.1) ## 2026-06-19 — kbin Tor egress quick-switch implemented DARK (#683, ToolBoX 2.7.1)
- **Switch + tunnel** for routing kbin surfing through Tor, shipped **default-OFF / - **Switch + tunnel** for routing kbin surfing through Tor, shipped **default-OFF /
@ -6926,19 +6527,3 @@ CONFIG_USB_NET_RNDIS_HOST=y
- LAN interfaces scanned: lan0, lan1, lan2, lan3, br0, br-lan, eth0, eth1 - LAN interfaces scanned: lan0, lan1, lan2, lan3, br0, br-lan, eth0, eth1
- ARP states mapped to online: REACHABLE, DELAY, PROBE, PERMANENT = online - ARP states mapped to online: REACHABLE, DELAY, PROBE, PERMANENT = online
- STALE, FAILED = offline - STALE, FAILED = offline
## 2026-06-24 — build+deploy T0 fixes (#494/#519/#53/#421) + dirs-guard /run self-heal
- Merged #121/#53/#65; cherry-picked #494 onto master (versions re-bumped above
master's advanced core 1.1.8/hub 1.4.6 → core 1.1.9, hub 1.4.7).
- Discovered #494 was systemic (7 pkgs chowning /run/secubox parent) AND that
91 services declare `RuntimeDirectory=secubox` → systemd re-chowns the parent
to secubox:secubox 0755 on each start (#421). Central fix: extended
secubox-dirs-guard to re-assert /run/secubox 1777 root:root every minute
(core 1.1.10) instead of editing 91 units.
- Built + deployed to gk2 (8 pkgs): core 1.1.10, hub 1.4.7, eye-remote 1.0.1,
metablogizer 1.2.2, metrics 1.0.4, p2p 1.7.1, wazuh 1.0.1, toolbox 2.7.18.
First deploy ssh was timeout-killed mid-toolbox-postinst → recovered with
dpkg --configure -a (cleared stale lock). Verified: /run/secubox=1777 root:root
holds, 0 half-configured, all services + R3 workers active, webui/portal 200,
toolbox blacklist-sync (#519) carried.

View File

@ -1,164 +1,5 @@
# TODO — SecuBox-DEB Backlog # TODO — SecuBox-DEB Backlog
*Mis à jour : 2026-06-27* *Mis à jour : 2026-06-19*
---
## ⚪ T5 — Images / OS variants / Hardware (ajouts 2026-06-27)
### ⬜ MOCHAbin — bootloader propre (adresses réservées + extlinux)
> Workaround actif : `/boot/boot.scr` compilé forçant le kernel à `0x0a000000`. Fix durable requis.
- [ ] **Option A — Corriger l'image** : patcher `extlinux.conf` généré par le CI pour utiliser
`0x0a000000` (kernel) et `0x10000000` (initrd) au lieu de `0x02080000` (adresse réservée
factory U-Boot 2020.10 → reset immédiat). Boot.scr deviendrait redondant.
- [ ] **Option B — Enhanced Tow-Boot (#748)** : bloqué par le ciseau U-Boot (voir ci-dessous) ;
déverrouille wget/HTTP natif dans U-Boot, supprime le besoin de TFTP pour les futures installs.
- [ ] **Valider** que le fix d'adresse tient sur les deux MOCHAbin (gk2 + c3box).
### ⬜ #748 — wget dans U-Boot pour MOCHAbin (bloquant documenté)
> Bloquant dur (ciseau) confirmé 2026-06-27. Branche
> `feature/748-enhanced-tow-boot-http-netboot-serial-fl` : spec + plan + Kconfig +
> `build-uboot-overlay.sh --tow-boot` + CI `.github/workflows/build-tow-boot.yml` en place.
> Problème : board mochabin UNIQUEMENT dans fork Tow-Boot U-Boot 2022.07 (pas de `wget`) ;
> `wget`/TCP UNIQUEMENT dans stock U-Boot ≥2023.07 (pas de board mochabin/DTS).
- [ ] **Voie 1** : backporter le stack TCP + `wget` de U-Boot ≥2023.07 dans le fork Tow-Boot
2022.07 (mochabin board natif). Diff TCP = `net/wget.c` + dépendances `CONFIG_NET_WGET`.
- [ ] **Voie 2** : porter le board mochabin (DTS Armada 7040 + PHY + eMMC) vers U-Boot mainline
≥2023.07 (sans Tow-Boot). Plus long mais durable.
- [ ] Choisir une voie, débloquer #748.
### ⬜ Packager le flow netboot + install signé (rig temporaire → procédure reproductible)
> Actuellement rig manuel sur gk2 : `lan1=192.168.77.1/24`, dnsmasq DHCP, nft, nginx `:8099`.
- [ ] Scripter la publication de l'image signée dans le root HTTP netboot (wget + sha256 + sig).
- [ ] Documenter / packager la config dnsmasq + nft + nginx pour un segment `lan1` dédié.
- [ ] Intégrer dans `scripts/deploy-netboot.sh` ou équivalent.
### ⬜ Teardown rig netboot temporaire gk2
> Le rig (lan1 bridge, dnsmasq, nft iif lan1 accept, nginx extra listen) reste actif jusqu'à
> ce que c3box soit autonome en prod.
- [ ] Retirer la règle nft `iif lan1 accept` (risque : tout le segment lan1 est accepté sans filtrage).
- [ ] Désactiver / retirer dnsmasq test sur lan1.
- [ ] Retirer le extra listen `192.168.77.1:8099` du vhost nginx netboot (ou couper le vhost si
plus nécessaire).
- [ ] Vérifier que c3box auto-boot sans rig (boot.scr en place → OK).
---
## ✅ Clos 2026-06-22 — DPI exfil + report Netrunner + sbxmitm
- ✅ **#687 DPI exfil pipeline** — flowcap + Go collector + dashboard + cumulatif 7j,
packagé `secubox-dpi 1.1.2` (inclut #692/#693/#695/#705).
- ✅ **#707 report kbin = fiche Netrunner** HTML+PDF (#699/#701/#703/#709/#711/#714/#716).
- ✅ **#689** sbxmitm cert 365d · **#697** stream >8MiB (Gmail) · **#688** splice rejeté.
### DPI Phase 3
- [x] Enrichissement **ASN** (GeoLite2-ASN) pour l'egress sans SNI — **#719 mergé, live**
(`secubox-dpi 1.1.3`, maxminddb-golang vendored).
- [x] **Historique + timeline par device****#721 mergé, live** (`secubox-dpi 1.1.4`,
buckets quotidiens `history.json` 14j + `/api/v1/dpi/history` + panneau Timeline
dashboard). NB : JSON daily buckets (pas SQLite — pas de driver CGO dans le binaire
statique ; SQL riche reportable si besoin).
- [x] Démon **nDPId****évalué puis ÉCARTÉ** (#722/#723 revertés). Raison perf :
ndpiReader tourne en fenêtres bornées (Nice 15, ~1% CPU, libère le cœur entre
les passes) ; nDPId = démon permanent + nDPIsrvd → CPU/RAM **continue** sur une
board déjà saturée (load ~4.6/4 cœurs). Gain (JSON riche, pas de respawn) <
risque. **Décision : on garde ndpiReader** comme producteur du pipeline exfil.
(Le build CI QEMU a aussi échoué au 1er essai → chemin fragile en plus.)
### ⬜ Cosmétique report PDF (non bloquant)
- [ ] Glyphes drapeaux régionaux → lettres (police embarquée). Option : drapeaux PNG.
- [ ] Chiffres espacés dans certaines cellules (fallback police).
### ⬜ APK on-device #685/#686 — NON-ROOT ONLY (plan verrouillé, à faire)
> Décision 2026-06-22 : cible **non-root uniquement** ; chemin root abandonné.
> Plan détaillé : commentaire #685.
- [ ] **VpnService in-app** (`com.wireguard.android:tunnel` / GoBackend wireguard-go)
— l'APK EST le client WG, plus de Play Store, détection tunnel in-app fiable.
- [ ] **CA en DER** (fix « nom de cert vide » du KeyChain intent) + `network-security-config`
pour que la WebView in-app fasse confiance au CA ca-wg.
- [ ] Retirer RootShell/RootOnboard/BootReceiver ; manifest VpnService + consent VPN.
- [ ] Limite Android : pas de CA **système** sans root → MITM système impossible ;
surface « safe browsing » = WebView in-app. À documenter.
- [ ] Build via CI `build-android-apk` + **test sur appareil** (gros build, itératif).
---
## 🎯 Backlog priorisé — revue 2026-06-24 (64 issues ouvertes)
> Index d'autorité du triage. Les sections « Phase X » plus bas sont historiques :
> plusieurs portent « ✅ COMPLETE » alors que l'issue est restée **ouverte** (livré
> mais jamais fermé) → marquées **[vérifier→fermer]** ci-dessous.
### 🔴 T0 — Régressions & bugs sécurité (petits, débloquants, CSPN priv-sep)
- #494 secubox-core ExecStart écrase tmpfiles.d `/run/secubox` *(worktree actif)*
- #468 `/etc/secubox` parent 0750 casse la traversée non-secubox *(régression récurrente)*
- #471 secubox-mesh postinst écrase perms `/run/secubox` *(régression)*
- #421 sockets `/run/secubox` cachés en mount-ns privé (RuntimeDirectory)
- #447 kiosk : mot de passe admin semé par le CI (users.json shippe un hash) **← fuite**
- #91 haproxyctl régénère haproxy.cfg avec `waf_inspector` inexistant *(intégrité WAF)*
- #65 nginx : routes API manquantes dans webui.conf
- #53 Wazuh uvicorn 100% CPU spin
- #121 metablog ingest : dirs en `secubox:secubox`
### 🟠 T1 — Plan d'enforcement sécurité (mission CSPN ; détection→action)
- #498 Phase 7 — WAF active enforcement (mitm→CrowdSec→nft drop) *(worktree actif)*
- ✅ #519 Phase 13 — enforcement plane **FERMÉ 2026-06-22** (livré + réparé :
blacklist-sync avortait sur NXDOMAIN + timeout unit → fix `|| true` +
TimeoutStartSec 600 ; vérifié live, default-off). Inclut 13.B #522.
- #455 secubox-egress — détection egress + corrélation RDS multi-signaux
- #500 Phase 8 — Utiq operator-grade tracking (detect/alert/bypass)
- #514 Phase 12 — plateforme anti-human-detection (parent ; sous-tracks fermés)
- ✅ #515 Phase 12.A CDN cache detection — **FERMÉ** (live, `social_host_meta.cdn_vendor`)
- ✅ #516 Phase 12.B anti-bot detection — **FERMÉ** (live via #564/#565, `social_antibot`)
- #525 Phase 14 — plan de déception (idée future, parké)
- ⬜ Suivi #519 perf (non bloquant) : DNS-guard ne résout que les 2000 premiers
domaines/cycle (5523 en base) → couverture partielle ; résolution séquentielle
lourde sur board saturé. Option : résolution parallèle bornée + rotation du cap.
### 🟡 T2 — UX / Hub / conscommateurs report (worktrees actifs + polish)
- #615 security-posture dans la sidebar Hub *(worktree actif)*
- #655 webext content-script banner CSP-immune *(worktree actif)*
- #485 toolbox SOC scoring *(worktree actif)*
- #513 ToolBox WebUI : sous-onglets + retrait UI /admin redondante
- #69 diagramme flux trafic responsive
- #67 cache history-aware glances/netdata
- #68 health checks + dépendances services au démarrage
### 🟢 T3 — Backlog feature (valeur, non bloquant)
- #685 APK 'corrupt' — CI signe avec clé éphémère *(plan APK verrouillé)*
- #686 android-toolbox flux non-root cassé *(plan APK verrouillé)*
- #429 nextcloud dashboard : API stubs au lieu de la vraie instance *(bug)*
- #430 nextcloud — fédération OCM (doc/outillage)
- #472 nextcloud — Gondwana Desktop (canvas + widgets)
- #592 secubox-webmail-hub (Gmail OAuth2 + Gandi + OVH)
- #66 auth Google OAuth
- #70 Health Banner System *(preplanned)*
- #71 CDN proxy injection *(preplanned)*
- #393 source-home des scripts health prober
### 🔵 T4 — Hardware-gated (dépend de pièces ; piste parallèle ; pas de spare EP06)
- Modem/PCIe : #254 modules kernel LTE · #255 pins mPCIe modem · #460 DTS cp0_pcie2 ·
#467 U-Boot comphy5 SerDes · #462 pivot HW AR9271/MT
- Mesh/BLE : #449 WiFi 802.11s · #452 BT mesh · #453 QR multi-canaux · #454 sourcing BLE 5.x
- GSM : #347 sentinelle-gsm
- Smart-Strip : #33 module HMI · #42 sous-repo · #379 packaging
- Eye-remote : #41 sous-repo · #79 buildroot · #127 variante square · #138 radar_concentric ·
#155 collision link-rename *(bug)* · #158 multi-gadget L3 · #478 métriques live Round Eye
- VILLAGE3B : #480 dossier presse · #497 poster grand public
### ⚪ T5 — Images / OS variants (basse urgence)
- #446 Full Traveller OS multi-mode/arch · #125 build-live-usb +virtualbox · #422 vm-x64 cascade
### ⚫ T6 — Docs / housekeeping
- #81 headers SPDX CMSD-1.0 partout · #243 clarifier scope secubox-zkp-auth *(question)*
- #474 ToolBoX (epic parent — garder comme tracker)
--- ---

View File

@ -1,118 +1,5 @@
# WIP — Work In Progress # WIP — Work In Progress
*Mis à jour : 2026-06-27* *Mis à jour : 2026-06-19*
---
## ✅ 2026-06-27 : c3box → SecuBox Debian — première install réussie · netboot prouvé (#748 #737)
### ✅ Fait (session 2026-06-27)
- **Netboot gk2→c3box prouvé** — factory U-Boot 2020.10 → TFTP → rescue shell installeur
(kernel 6.12.85 #5secubox). Détour cabling résolu (impasse LAB, pas logiciel).
- **Première install SecuBox Debian sur un MOCHAbin physique (c3box)** — image CI artefact
`secubox-mochabin-bookworm` (run 27426515472, 8 Gio), SHA256 + signature vérifiés,
`gunzip|dd` en RAM → eMMC. c3box boot Debian v1.9.0 avec stack complète.
- **boot.scr workaround déployé** — extlinux.conf charge le kernel à `0x02080000` (réservé
factory U-Boot → reset). Construit `/boot/boot.scr` (kernel@`0x0a000000`) ; auto-boot
Debian sans intervention vérifié après reboot.
- **#748 bloquant documenté** — ciseau U-Boot : mochabin board UNIQUEMENT dans fork Tow-Boot
2022.07 (pas de `wget`) ↔ `wget` UNIQUEMENT dans stock ≥2023.07 (pas de board mochabin).
Branche `feature/748-enhanced-tow-boot-http-netboot-serial-fl` parkée (spec+CI+Kconfig en
place, dépend du backport wget OU port board mainline).
### ⬜ Rig netboot temporaire gk2 à démonter (quand c3box autonome)
- `lan1=192.168.77.1/24` avec dnsmasq DHCP + `nft iif lan1 accept` + nginx `:8099` encore actifs.
- À retirer une fois c3box en prod (voir TODO T5 — teardown rig).
### ⬜ Bootloader propre à faire (#748 ou alternative)
- boot.scr = workaround ; fix durable = enhanced Tow-Boot (#748, bloqué ciseau) OU corriger
les adresses de boot dans l'image (extlinux.conf → `0x0a000000`). Voir TODO T5.
---
## 🗂️ 2026-06-22 : triage issues (30 ouvertes → revue obsolètes)
- **Fermées (user-validé 2026-06-22)** : #722 (nDPId — décidé contre, reverté) ·
#475 ToolBoX Phase 1 (live 2.7.x) · #502/#507/#508 Social mapping (carto +
/social/me + report PDF live) · #495 Phase 5 mitm-LXC (superseded par #662 Go
sbxmitm host) · #531 APK one-tap (superseded par #685/#686 non-root) ·
#486 geoip/ASN+flags+catégories dans rapports (livré master : geo.py + dpi_class.py +
report wiring ; complémentaire de #718 ASN collector ; worktree stale nettoyé) ·
#515 CDN detection (live `social_host_meta.cdn_vendor`) · #516 anti-bot detection
(live via #564/#565) · #519 enforcement plane (livré + **réparé** : blacklist-sync
avortait NXDOMAIN + timeout unit → fix `|| true` + TimeoutStartSec 600, vérifié live,
default-off ; inclut #522). Toolbox source bumpé 2.7.18 (fix live-patché sur gk2) ·
#468 /etc/secubox traversal (source+live = 0755, secrets/CA enfants restent 0750).
- **Actives (worktrees en cours)** : #655 webext banner · #615 security-posture ·
#494 secubox-core ExecStart · #498 Phase 7 WAF enforcement · #485 SOC scoring.
### 🔎 Reco T0 — recon live gk2 2026-06-24 (avant fix)
- ✅ **#494** : **FIX SYSTÉMIQUE poussé** (`fix/494-…`). Pas que core : 7 units re-chownaient
le parent partagé `/run/secubox` (core+hub services, eye-remote/eye-square/metablogizer/
metrics/p2p postinsts ; eye-square chownait aussi /var/log/secubox = pire). Tous nettoyés
(mkdir fallback only ; logs modules en sous-dossier propre ; orphan /etc/tmpfiles.d nettoyé).
**Vérifié live** : /run/secubox 1777 **root:root** stable après restart core ET hub ; webui 200.
Bumps core 1.1.7/hub 1.4.4/eye-remote 1.0.1/eye-square 1.0.4/metablog 1.2.2/metrics 1.0.4/p2p 1.7.1.
- ✅ **#471** (mesh /run/secubox) : déjà résolu (changelog mesh "drop install -d /run/secubox") → verify-close.
- ⬜ **#421** : sockets cachés en mount-ns privé (RuntimeDirectory) — mécanisme distinct, non traité.
- 🆕 Suivi (classe #511) : mesh/toolbox/admin font `install -d -o <module> /var/log/secubox`
(propriétaire du parent partagé = user module) → autres daemons ne peuvent créer leurs logs.
Séparé de #494, à traiter (sous-dossiers propres comme fait pour eye-square/p2p).
- **#447** : pas une fuite — `password_hash=null` → lockout kiosk + user CI parasite ;
**CI-image-gated** (rpi400, pas gk2).
- **#91** : `haproxy.cfg` active valide ; backup `*.broken-by-haproxyctl-*` prouve le bug
passé ; drift-guard #627 rattrape. Root cause = generate `haproxyctl` (api/main.py l.846/896).
- ✅ **#53** : **FIX poussé** (`fix/53-…`) — gate `ConditionPathExists=/var/ossec/etc/ossec.conf`
+ `RestartSec=5` ; module conservé (SIEM opt-in). Vérifié gk2 (/var/ossec absent). Bump 1.0.1.
- ✅ **#65** : déjà résolu en prod (webui.conf déployé inclut `secubox-routes.d/*.conf`,
163 snippets). Template `common/nginx/webui.conf` (stale) synchronisé sur `feature/65-…`.
Reco fermer. Convention : `secubox-routes.d/`=actif, `secubox.d/`=legacy.
- ✅ **#121** : **FIX poussé** (`fix/121-…`) — helper `fix_perms` chown -R secubox:secubox
le site dir après chaque ingest .git (metablog-ingest-site.sh). Script dev, pas de deploy.
- ⬜ Restent : **#91** (deploy WAF risqué) · **#65** (refactor include, risque 502) ·
**#447** (CI kiosk) · **#494/#471/#421** (worktree fix/494). Build+deploy toolbox 2.7.18 (#519) en attente.
- **Backlog/future** : #685/#686 APK non-root (plan verrouillé) · #592 webmail-hub ·
#514/#515/#516/#519/#522/#525 Phase 12-14 (#515 CDN / #516 anti-bot partiellement
couverts par antibot_sites/opgrade_sites du social graph) · #500 Utiq · #497/#480/
#478 VILLAGE3B Eye/poster · #472/#430/#429 Nextcloud · #471/#468/#421 perms (à
vérifier si déjà corrigées) · #467/#462/#460/#255/#254 hardware/kernel · #455 egress ·
#454/#453/#452/#449 mesh/BLE · #448/#447/#446/#434 kiosk · #422 vm cascade ·
#393/#379/#347 packaging · #513 WebUI sub-tabs.
- ⚠️ Fermeture finale = **user only** (sauf issues créées en session) ; les
recommandations ci-dessus sont commentées sur chaque issue.
---
## ✅ 2026-06-22 : DPI exfil + Netrunner report + sbxmitm fixes (tous mergés, live gk2)
Session livrée intégralement sur master + déployée. Détail dans HISTORY 2026-06-22.
### ✅ Fait (mergé + live)
- **DPI exfil pipeline (#687)**`secubox-dpi 1.1.2` : flowcap (ndpiReader) → Go
collector (catégories cloud/media/game/adult/ai/messaging/filehost/social + scénarios
exfil) → `/api/v1/dpi/exfil` ; dashboard "Cloud Exfiltration Watch" + cartes repointées ;
beaconing tuné (#692) ; cumulatif 7j `cumulative.json` (#705) ; packagé arm64.
- **Report kbin = fiche Netrunner (#707)** — HTML (onglets Pistage/DPI/Overall + persona
néon) **et** PDF (`_persona_block` + "En un coup d'œil" + grille donuts + carto + tables
emoji). Charts en **PNG matplotlib** (#714, rendu universel iOS/Chrome) ; grille = une
image 2×2 (#716, fin des 24 pages). Classe via UA live + niveau R3 auto (wg peer).
- **sbxmitm** — cert forgé 24h→365d (#689, fin des "certificat expiré") ; fin de la
troncature >8MiB (#697, Gmail OK) ; splice own-domain **rejeté** (#688, on intercepte tout).
### ⬜ Next Up (différé)
- **#685/#686 APK on-device — NON-ROOT ONLY (plan verrouillé)** : VpnService in-app
(wireguard-go), CA en DER + network-security-config WebView, retrait du chemin root.
Gros build Android (CI + test device) → session dédiée. Détail : commentaire #685 + TODO.
- **DPI Phase 3** — ✅ enrichissement ASN (#719, 1.1.3) · ✅ historique + timeline
(#721, 1.1.4) · ❌ démon nDPId **écarté** (#722/#723 revertés) : risque perf
(démon permanent vs fenêtres ndpiReader bornées) sur board saturée → **on garde
ndpiReader**. **Phase 3 close.**
- **#685 APK on-device** — install auto CA + handoff WG + détection tunnel (en attente
décision rooted vs non-root du user).
- **Cosmétique PDF** — glyphes drapeaux régionaux dégradent en lettres (police embarquée) ;
chiffres légèrement espacés dans certaines cellules. Non bloquant.
--- ---

View File

@ -48,7 +48,6 @@ jobs:
output_pattern: "secubox-live-amd64-*.img*" output_pattern: "secubox-live-amd64-*.img*"
needs_qemu: false needs_qemu: false
embed_image: false embed_image: false
extra_args: "--kiosk"
# MOCHAbin (arm64) - U-Boot distroboot # MOCHAbin (arm64) - U-Boot distroboot
- platform: mochabin - platform: mochabin

View File

@ -63,11 +63,6 @@ jobs:
# Build the flat {package, arch} matrix. Honour the workflow_dispatch # Build the flat {package, arch} matrix. Honour the workflow_dispatch
# `arch` and `package` filters if set (empty on `push: tags` events). # `arch` and `package` filters if set (empty on `push: tags` events).
requested_arch="${REQUESTED_ARCH:-}" requested_arch="${REQUESTED_ARCH:-}"
# `both` means build every arch — same as the empty (push: tags)
# case. Without this the matrix filter (which only compares against
# amd64/arm64/empty) yields an EMPTY matrix, so no package builds and
# `collect` fails.
[ "$requested_arch" = "both" ] && requested_arch=""
requested_pkg="${REQUESTED_PKG:-}" requested_pkg="${REQUESTED_PKG:-}"
combos=$(find packages/secubox-* -path "*/debian/control" -not -path "*/debian/*/DEBIAN/control" \ combos=$(find packages/secubox-* -path "*/debian/control" -not -path "*/debian/*/DEBIAN/control" \
@ -157,12 +152,7 @@ jobs:
sudo apt-get update -qq sudo apt-get update -qq
sudo apt-get install -y -qq \ sudo apt-get install -y -qq \
build-essential dpkg-dev debhelper devscripts fakeroot \ build-essential dpkg-dev debhelper devscripts fakeroot \
dh-python python3-all python3-setuptools golang-go dh-python python3-all python3-setuptools
# golang-go satisfies Build-Depends of the pure-Go packages
# (secubox-dpi, secubox-toolbox-ng: CGO_ENABLED=0, GOARCH=arm64,
# -mod=vendor offline cross-compile). ubuntu-24.04 ships >= 1.22.
# Without it dpkg-checkbuilddeps aborts the arm64 build — this was
# the real cause of the "arm64 red" runs, not a CGO toolchain gap.
# arm64 cross-toolchain — dh_strip and dh_makeshlibs invoke # arm64 cross-toolchain — dh_strip and dh_makeshlibs invoke
# aarch64-linux-gnu-{strip,objdump} when -a arm64 is passed. # aarch64-linux-gnu-{strip,objdump} when -a arm64 is passed.
# Without these, arch-specific packages shipping prebuilt # Without these, arch-specific packages shipping prebuilt
@ -223,18 +213,7 @@ jobs:
# no-op; for arm64 jobs that don't compile native code (Python + # no-op; for arm64 jobs that don't compile native code (Python +
# prebuilt arm64 binaries — like sentinelle-gsm), -a arm64 is # prebuilt arm64 binaries — like sentinelle-gsm), -a arm64 is
# enough to cross-stamp the .deb. # enough to cross-stamp the .deb.
# dpkg-buildpackage -us -uc -b -a ${{ matrix.arch }}
# Pure-Go packages (CGO_ENABLED=0, GOARCH cross) only need the `go`
# toolchain, which is present via golang-1.22-go. But their
# `Build-Depends: golang-go (>= 1.22)` trips dpkg-checkbuilddeps
# because apt registers golang-1.22-go, not the golang-go
# metapackage, on the runner. Skip the dep check (-d) for just these
# — the compiler is there and the build is self-contained (-mod=vendor).
DEPFLAG=""
case "${{ matrix.package }}" in
secubox-dpi|secubox-toolbox-ng|secubox-waf-ng) DEPFLAG="-d" ;;
esac
dpkg-buildpackage -us -uc -b $DEPFLAG -a ${{ matrix.arch }}
echo "✅ Build OK: ${{ matrix.package }} (${{ matrix.arch }})" echo "✅ Build OK: ${{ matrix.package }} (${{ matrix.arch }})"

View File

@ -1,113 +0,0 @@
# Task 2 Report — annuaire_client.py
## Files Changed
- **Created**: `packages/secubox-p2p/api/annuaire_client.py`
- **Created**: `packages/secubox-p2p/tests/test_annuaire_client.py`
No other files touched.
---
## Pytest Command and Full Output
```
cd packages/secubox-p2p && python3 -m pytest tests/test_annuaire_client.py -v
```
```
============================= test session starts ==============================
platform linux -- Python 3.12.3, pytest-9.0.2, pluggy-1.6.0
cachedir: .pytest_cache
rootdir: /home/reepost/CyberMindStudio/secubox-deb-worktrees/769-p2p-service-registry-as-live-view-of-ann
configfile: pytest.ini
plugins: anyio-4.12.1, asyncio-1.3.0
asyncio: mode=Mode.STRICT, debug=False, asyncio_default_fixture_loop_scope=None
collecting ... collected 4 items
tests/test_annuaire_client.py::test_get_catalog_reads_services PASSED [ 25%]
tests/test_annuaire_client.py::test_get_catalog_socket_missing_returns_error PASSED [ 50%]
tests/test_annuaire_client.py::test_node_identity_reads_key PASSED [ 75%]
tests/test_annuaire_client.py::test_node_identity_missing PASSED [100%]
============================== 4 passed in 0.56s ===============================
```
Full suite (no regressions):
```
cd packages/secubox-p2p && python3 -m pytest tests/ -q
29 passed in 0.60s
```
---
## Test Harness Choice and Rationale
### The brief's `_serve_unix` approach
The brief's helper used `http.server.HTTPServer.__new__` to bypass `__init__`,
then manually assigned `srv.socket`. This is fragile because:
1. `socketserver.BaseServer.serve_forever()` calls `selectors.register(self, ...)`,
which in turn calls `_fileobj_to_fd(fileobj)` — it expects `fileobj.fileno()`.
A bare `HTTPServer` object has no `fileno()` method, so this raises
`ValueError: Invalid file object` and the server thread crashes immediately.
2. Even if it didn't crash, `HTTPServer.__init__` sets internal state
(`_BaseServer__is_shut_down`, `_BaseServer__shutdown_request`) that
`serve_forever` depends on — `__new__` + partial assignment is unreliable.
### Chosen approach: `socketserver.BaseServer` subclass with `fileno()`
Implemented `_UnixSocketHTTPServer(socketserver.ThreadingMixIn, socketserver.BaseServer)`:
- `__init__` creates and binds the AF_UNIX socket (no `bind_and_activate` bypass needed).
- `fileno()` delegates to `self.socket.fileno()` — required by `serve_forever`'s selector.
- `get_request()` accepts and returns `(conn, server_address)`.
- `server_bind()` / `server_activate()` are no-ops (socket already bound/listening).
- `shutdown_request()` / `close_request()` follow the stdlib pattern.
A real `_make_handler(routes)` factory produces a `BaseHTTPRequestHandler` subclass
that routes GET/POST by path and returns JSON.
### Why not monkeypatching?
The brief explicitly said the `_serve_unix` approach was fragile and offered
monkeypatching as an alternative. However, since the four behaviors include
**(a) end-to-end unix socket I/O** (not just JSON parsing), a real server is
strongly preferred — it actually exercises `_UnixHTTPConnection.connect()`.
Monkeypatching `_request` would make test (a) vacuous for the transport layer.
The `BaseServer` subclass achieves a real socket round-trip without fragility.
---
## Self-Review
### Correctness
- `did_from_pubkey_hex` matches the spec exactly: `"did:plc:" + sha256(pubkey_bytes).hexdigest()[:32]`.
- `node_identity` derives the public key via `cryptography.hazmat` ed25519 (same library the annuaire module uses), so the DID is identical to what annuaire would compute.
- `_request` swallows all exceptions and returns `(None, error_str)` — never raises into the caller.
- `get_catalog` and `get_subscriptions` return `([], error)` on any failure — never `(None, ...)`.
### Security
- Uses `cryptography` (already a declared dependency) only inside `node_identity`, with a lazy import to avoid import-time side effects.
- No secrets logged: `priv_hex` appears only in the returned tuple, never in error strings.
- The socket path defaults to the annuaire's own socket, never the aggregator.
### Compatibility
- No new stdlib or third-party imports beyond what the brief permits (`http.client`, `socket`, `json`, `hashlib`, plus `cryptography` already present).
- SPDX header and copyright block match `api/mesh.py` exactly.
---
## Concerns
None blocking. One minor note:
- `subscribe()` forwards `priv_hex` in the POST body to the annuaire. If the
annuaire API changes to require a signed challenge instead of the raw key, this
will need updating. The interface is documented in the docstring.
- The `_TIMEOUT = 3.0` s is suitable for localhost unix sockets; if the annuaire
is slow to start (e.g., during board boot), callers may get transient errors.
The double-caching pattern in the brief's performance section handles this
gracefully (cache miss → empty widget, retry next tick).

View File

@ -1,102 +0,0 @@
# Task 3 Report — Wire endpoints in api/main.py
## Status: DONE
---
## Files Changed
### `packages/secubox-p2p/api/main.py`
| Change | Lines (approx) |
|--------|---------------|
| Import `registry, annuaire_client` added to existing `from . import mesh` | line 29 |
| `ACTIVATION_FILE = P2P_DIR / "activation.json"` constant added | line 46 |
| `init_dirs()` updated: wrapped `P2P_DIR.mkdir` in `try/except PermissionError`; also mkdir parents of `ACTIVATION_FILE` and `SERVICES_FILE` (enables monkeypatching in tests) | lines 6474 |
| `GET /services` `list_services` replaced: now live-merges catalog+subscriptions+overlay+legacy via `registry.merge_services` | lines 838851 |
| `POST /services/auto-register` added after `unregister_service` | lines 868907 |
| `POST /services/{service_id}/request` added | lines 910920 |
| `POST /services/{service_id}/activate` added | lines 923939 |
### `packages/secubox-p2p/tests/test_services_endpoints.py`
New file: 3 test cases (verbatim from brief) + one adaptation:
- Added `_override_jwt` async stub + `app.dependency_overrides` wiring in fixture.
**Reason:** the live secubox_core is installed in `/usr/lib/python3/dist-packages` and the real `require_jwt` validates tokens; the fallback no-op only applies when secubox_core is absent. The brief assumes a dev env without secubox_core. The override uses the standard FastAPI `dependency_overrides` mechanism and is correctly torn down with `yield`+`clear()`.
---
## Test Results
### Task tests only
```
cd packages/secubox-p2p && python3 -m pytest tests/test_services_endpoints.py -v
3 passed in 0.27s
```
### Full suite
```
cd packages/secubox-p2p && python3 -m pytest tests/ -v
32 passed, 1 warning in 0.80s
```
All prior tests (test_mesh.py ×21, test_registry.py ×5, test_annuaire_client.py ×4) remain green.
---
## Self-Review
### Correctness
- `GET /services` correctly returns `{"services": [...], "catalog_unavailable": true}` shape on catalog error.
- `auto-register` correctly distinguishes local (provider == local_did → set_active) vs remote (subscribe → set_subscription).
- `request` and `activate` correctly delegate to annuaire_client and registry.
- All three POST endpoints require JWT (`Depends(require_jwt)`).
### init_dirs() change
The `try/except PermissionError` on `P2P_DIR.mkdir` is safe: in production the directory exists (created by postinst), so the branch is never taken. The extra `ACTIVATION_FILE.parent.mkdir` is also a no-op in production since `ACTIVATION_FILE.parent == P2P_DIR`. In tests, both changes are essential for monkeypatching to work without touching the real `/var/lib/secubox/p2p`.
### Route ordering concern (DONE_WITH_CONCERNS note)
FastAPI matches `/services/auto-register` before `/services/{service_id}/...` because static path segments rank above parameterised ones. Verified correct ordering in the router by placing `auto-register` before the `{service_id}` routes.
---
## Concerns
None blocking. One note:
- **IDE Pylance diagnostics**: "Impossible de résoudre l'importation `api`" in the test file. This is a false positive — `conftest.py` injects the package root into `sys.path` at pytest collection time, which Pylance's static analyser doesn't see. All three runtime imports resolve correctly (verified by pytest).
---
## Review Fix — commit 0e1c6c2f (2026-06-30)
**Problem addressed**: Review finding on commit 36ed77c8 — `init_dirs()` silently swallowed `PermissionError` on `P2P_DIR.mkdir` and added extra `ACTIVATION_FILE.parent` / `SERVICES_FILE.parent` mkdir calls so tests could run with monkeypatched paths. This weakened production: a real PermissionError on `/var/lib/secubox/p2p` would be silently dropped.
**Changes made**:
### `packages/secubox-p2p/api/main.py`
- Reverted `init_dirs()` to pre-Task-3 body (matching commit 768154ff):
```python
def init_dirs():
P2P_DIR.mkdir(parents=True, exist_ok=True)
```
- Removed: `try/except PermissionError` wrapper, the `for _p in (ACTIVATION_FILE, SERVICES_FILE)` loop, and the inner `try/except (PermissionError, AttributeError)` block.
- `ACTIVATION_FILE` constant and its import remain untouched.
### `packages/secubox-p2p/tests/test_services_endpoints.py`
- Added `monkeypatch.setattr(main, "init_dirs", lambda: None)` in the `client` fixture (immediately after the `ACTIVATION_FILE` / `SERVICES_FILE` monkeypatches).
- Tests now bypass `init_dirs` entirely; `registry.save_overlay` handles its own `os.makedirs` on the monkeypatched `ACTIVATION_FILE` path. `SERVICES_FILE` is read-only in tests.
**Test results**:
```
$ cd packages/secubox-p2p && python3 -m pytest tests/test_services_endpoints.py -q
3 passed, 1 warning in 0.31s
$ python3 -m pytest tests/ -q
32 passed, 1 warning in 0.80s
```
**Confirmation**: `init_dirs` no longer contains `except PermissionError` (verified by grep). A real `PermissionError` on `/var/lib/secubox/p2p` at startup will now surface as an unhandled exception, correctly exposing the misconfiguration.

View File

@ -1,152 +0,0 @@
# Task 4 Report — macros.d/tor-exit plugin
## Files Created
- `packages/secubox-macro/macros.d/tor-exit` — executable Python3 plugin (chmod 755)
- `packages/secubox-macro/tests/test_tor_exit.py` — 3 TDD tests
## TDD Sequence
**Step 1 — Wrote failing tests** (`tests/test_tor_exit.py`): 3 tests covering grant/revoke/activate.
**Step 2 — Confirmed failure** (plugin absent):
```
FAILED tests/test_tor_exit.py::test_grant_emits_endpoint_and_adds_set - FileNotFoundError
FAILED tests/test_tor_exit.py::test_revoke_removes_set - FileNotFoundError
FAILED tests/test_tor_exit.py::test_activate_writes_state - FileNotFoundError
3 failed in 0.12s
```
**Step 3 — Implemented plugin** and created `macros.d/` directory.
**Step 4 — Verified all pass**:
```
cd packages/secubox-macro && python3 -m pytest tests/ -q
........... [100%]
11 passed in 0.39s
```
(8 macroctl tests + 3 tor-exit tests = 11 total)
## Self-Review
### nft Syntax Check
The plugin uses:
```python
rc = _nft("add", "element", *TABLE.split(), SET, "{", a.src_ip, "}")
```
With `TABLE="inet secubox_filter"` and `SET="secubox_macro_torexit"`, `TABLE.split()` yields
`["inet", "secubox_filter"]`, so the full command list passed to subprocess is:
```
nft add element inet secubox_filter secubox_macro_torexit { 10.10.0.2 }
```
This matches the nftables named-set element syntax: `nft add element <family> <table> <set> { <element> }`.
The revoke path uses `delete element` with the same structure. Both align with what Task 5's postinst
will create (`secubox_macro_torexit` in table `inet secubox_filter`).
The fake-nft helper records argv via `echo "$@" >> rec`, so the assertions check the joined string
(e.g. `"add element inet secubox_filter secubox_macro_torexit { 10.10.0.2 }"`).
All three assertions in `test_grant_emits_endpoint_and_adds_set` pass: `"10.10.0.2" in calls`,
`"secubox_macro_torexit" in calls`, `"add" in calls`. Similarly `test_revoke_removes_set` checks
`"delete" in calls` and `"10.10.0.2" in calls`.
### Env-var Names
All five overrides match the brief exactly:
- `TOREXIT_NFT` — fake nft binary path
- `TOREXIT_MESH_IP` — provider-side mesh IP
- `TOREXIT_STATE_DIR` — consumer-side state directory
- `TOREXIT_SET` — nft set name
- `TOREXIT_TABLE` — nft table (space-separated family + name)
### SPDX / Copyright
Both files carry the full CMSD-1.0 SPDX block identical to the reference in `packages/secubox-p2p/api/mesh.py`.
### No-Shell Guarantee
`_nft()` passes args as a list to `subprocess.run` — no `shell=True`, no string interpolation of
user-controlled input.
### Executable Bit
`macros.d/tor-exit` is `chmod 755` — confirmed by `ls -la` output.
## Concerns
None. Implementation is a faithful transcription of the brief. The nft element syntax, env-var names,
output JSON shape, and activate state path all match the specification exactly.
---
## Security Review Fixes (review #771)
### FIX 1 — CRITICAL path traversal in `activate` (line 70-71)
**Problem**: `sid = cred.get("service_id", "unknown")` fed untrusted input directly into
`os.path.join(STATE_DIR, f"{sid}.json")`. An absolute path like `/etc/cron.d/evil` discards
STATE_DIR entirely; a traversal like `../../etc/evil` escapes it. Running as root this is a
direct root write primitive.
**Change** (`macros.d/tor-exit`, lines 70-71):
- Added `import re` to imports line 14.
- Replaced `sid = cred.get(...)` with:
```python
raw_sid = str(cred.get("service_id", "unknown"))
sid = re.sub(r"[^A-Za-z0-9_-]", "_", raw_sid)[:64] or "unknown"
```
- Strips all chars that are not `[A-Za-z0-9_-]` (eliminates `/`, `.`, whitespace, etc.), bounds to 64 chars.
- Result: `os.path.join(STATE_DIR, f"{sid}.json")` can only produce a path inside STATE_DIR.
**Without fix**: `os.path.join("/var/lib/secubox/macro/active", "../../etc/evil.json")`
`/etc/evil.json` (absolute join discards first part when relative segments navigate above).
Actually Python's `os.path.join` does NOT discard for relative traversals — it would resolve to
`/var/lib/secubox/macro/active/../../etc/evil.json` = `/var/lib/secubox/etc/evil.json`, which still
escapes the intended `active/` leaf. The absolute path case (`/etc/cron.d/evil`) does fully discard.
Both cases are eliminated by the sanitize.
### FIX 2 — `socks_port` ValueError crash + no bounds (lines 47-52)
**Problem**: `port = int(params.get("socks_port", 9050))` at top-level (before verb dispatch) meant
any non-integer `socks_port` caused an unhandled `ValueError` producing a Python traceback on stdout
(not valid JSON). Also affected activate/revoke unnecessarily; no bounds check.
**Change** (`macros.d/tor-exit`):
- Removed top-level `port = int(...)` line (was after `params = json.loads(...)`).
- Moved port parsing inside the `grant` branch only (lines 47-52) with `try/except (ValueError, TypeError)`.
- Added `if not (1 <= port <= 65535): raise ValueError("port out of range")`.
- On failure: emits clean JSON `{"error": "invalid socks_port: ..."}` and returns 4.
### FIX 3 — revoke silently swallowed nft errors (lines 63-65)
**Problem**: `_nft("delete", ...)` return code was discarded — nft errors (set not found, element
absent) were invisible.
**Change** (`macros.d/tor-exit`):
- Captured rc: `rc = _nft("delete", ...)`
- Added: `if rc != 0: sys.stderr.write(json.dumps({"warn": "nft delete non-zero ..."}) + "\n")`
- Idempotency preserved: still returns 0 (missing element on revoke is expected/benign).
- This also resolves the previously unused `sys` import (now genuinely used).
### Adversarial tests added (`tests/test_tor_exit.py`)
Three new tests added after `test_activate_writes_state`:
1. **`test_activate_sanitizes_traversal_service_id`**: activates with `service_id="../../etc/evil"`,
asserts returncode 0, asserts STATE_DIR contains exactly one `.json` file, asserts filename
contains no `/` or `..`, asserts sanitized name is `______etc_evil.json`.
2. **`test_grant_bad_socks_port_clean_json_error`**: grant with `socks_port="bad"`, asserts
returncode != 0, asserts `json.loads(r.stdout)["error"]` contains `"socks_port"` (clean JSON,
no traceback).
3. **`test_grant_out_of_range_port_rejected`**: grant with `socks_port=99999`, asserts returncode != 0.
### pytest output (all 14 tests)
```
14 passed in 0.48s
```
(11 existing + 3 new adversarial = 14 total)

View File

@ -1,142 +0,0 @@
# Task 5 Report — Security + Provisioning Glue
**Date**: 2026-07-01
**Status**: DONE
---
## Files Created
| File | Mode (installed) | Note |
|------|-----------------|------|
| `packages/secubox-macro/sudoers.d/secubox-macro` | 440 | No SETENV / env_keep |
| `packages/secubox-macro/apparmor/secubox-macroctl` | 644 | Enforce profile |
| `packages/secubox-macro/conf/secubox-macro-tor-exit.conf.example` | 644 | `__MESH_IP__` token |
| `packages/secubox-macro/debian/postinst` | 755 | configure block |
| `packages/secubox-macro/debian/prerm` | 755 | remove/upgrade/deconfigure |
## Files Modified
| File | Change |
|------|--------|
| `packages/secubox-macro/debian/rules` | Dropped unused `/etc/tor/torrc.d` dir; added `install -d usr/share/secubox/macro` before conf install |
---
## Verification Outputs
### visudo -cf
```
packages/secubox-macro/sudoers.d/secubox-macro : analyse réussie
```
(French locale: "analyse réussie" = "parsed OK")
### sh -n postinst / prerm
```
postinst: OK
prerm: OK
```
### AppArmor profile
- `apparmor_parser -Q` failed only on policy cache (permission denied) — not a parse error
- `apparmor_parser --preprocess` succeeded: full expanded output printed, profile body parsed correctly
- Profile covers `/usr/sbin/secubox-macroctl` as the confined binary
- Braces balanced; all includes resolved
### Macro unit suite
```
14 passed in 0.51s
```
No regressions.
### Rules-referenced files (all present)
```
OK: sbin/secubox-macroctl
OK: macros.d/tor-exit
OK: sudoers.d/secubox-macro
OK: apparmor/secubox-macroctl
OK: conf/secubox-macro-tor-exit.conf.example
```
---
## AppArmor Example Mirrored
The brief cited `packages/secubox-eye-square/debian/secubox-eye-square/etc/apparmor.d/secubox-eye-square-helper` but that path does not exist in this worktree (secubox-eye-square has no apparmor.d directory). Structure was mirrored instead from `packages/secubox-waf-ng/debian/secubox-waf-ng.apparmor`, which is the most complete enforce-profile in this worktree. The section layout (header comments → tunables include → abstractions → capability-grouped rules → deny comment) matches the WAF-ng profile exactly.
---
## Self-Review
- **sudoers**: Exact required line, no SETENV, no env_keep. Default `env_reset` is the only env control. Validated by visudo.
- **AppArmor**: DEFAULT-DENY (implicit AppArmor). All permitted surfaces explicitly listed. `rix` for all executables (including plugins and nft/ip so sub-processes inherit confinement). `rw` for state store. `w` (not `rw`) for audit log (write-only, matches append intent). `/etc/tor/torrc.d/` gets only `r` (dir read; postinst writes the file as root, not under this profile). Network: `inet stream` + `netlink raw` only (no `inet6`, no `unix`).
- **postinst**: All operations guarded with `|| true`. No shared-parent chown (respects #494/#511 CMSD policy). nft operations conditioned on `inet secubox_filter` table existence. Tor reload attempted (reload first, then restart fallback). AppArmor load conditioned on `command -v apparmor_parser`.
- **prerm**: `remove|upgrade|deconfigure` cases. Tor file removed best-effort. nft rule deletion uses handle lookup (robust to rule order changes).
- **rules fix**: The Task-3 rules had `install -d .../etc/tor/torrc.d` (unused — torrc.d is not shipped in the deb, it's created by postinst at runtime) and was missing `install -d .../usr/share/secubox/macro` before the conf.example install. Both corrected.
---
## Concerns
1. **`/var/log/secubox/audit.log` AppArmor mode**: The profile uses `w` (write) which covers append. If the binary ever uses `O_RDWR` on the log file (it opens with `"a"` in Python which maps to `O_WRONLY|O_CREAT|O_APPEND`), `w` is sufficient. No concern.
2. **`#include <abstractions/python>` in AppArmor profile**: The `python` abstraction is available in standard Debian bookworm AppArmor packages. No concern for target platform.
3. **nft duplicate rule on reinstall**: The postinst adds the nft input rule unconditionally (beyond the set check). A `dpkg --reinstall` will add a duplicate rule. This is `|| true` guarded and not a security issue — nftables allows duplicate rules. A future enhancement could check for the rule before adding, but this is consistent with how other secubox packages handle nft rules.
4. **`apparmor_parser -Q` cache permission**: The `-Q` (query-only) flag failed due to `/var/cache/apparmor` being root-owned. This is a dev environment constraint, not a parse error. `--preprocess` confirmed syntax is valid.
---
## Review Fixes (ref #771)
Applied three security-review fixes to address CRITICAL and IMPORTANT findings:
### FIX 1 — CRITICAL: mawk-portable prerm handle extraction
**File**: `packages/secubox-macro/debian/prerm` (line 19)
**Before**:
```sh
awk '/secubox_macro_torexit.*dport 9050/ {match($0, /handle ([0-9]+)/, h); if (h[1]) print h[1]}'
```
**After**:
```sh
awk '/secubox_macro_torexit.*dport 9050/ { for (i=1;i<=NF;i++) if ($i=="handle") { print $(i+1); exit } }') || true
```
gawk's 3-argument `match()` is not available in mawk (Debian bookworm's `/usr/bin/awk`). The replacement iterates fields portably. The `|| true` prevents `set -e` from aborting prerm on awk/nft failure.
**Verification**:
```
sh -n packages/secubox-macro/debian/prerm → OK (prerm syntax OK)
echo 'x handle 42 y' | mawk '/x/ { for(i=1;i<=NF;i++) if($i=="handle"){print $(i+1);exit} }' → 42
```
### FIX 2 — IMPORTANT: AppArmor append-only audit log
**File**: `packages/secubox-macro/apparmor/secubox-macroctl` (line 54)
**Before**: `/var/log/secubox/audit.log w,`
**After**: `/var/log/secubox/audit.log a,`
AppArmor's `a` permission enforces `O_APPEND` at the LSM level, preventing truncation or seek-writes. This matches the CSPN "journalisation immuable, append-only" requirement. The Python side already opens in `"a"` mode.
**Verification**:
```
grep 'audit.log' apparmor/secubox-macroctl
# - w : /var/log/secubox/audit.log (append-only audit trail)
/var/log/secubox/audit.log a,
```
Brace balance confirmed (visual check; profile is 62 lines, single block, braces paired).
### FIX 3 — IMPORTANT: tor-exit euid env-pin (defense-in-depth)
**File**: `packages/secubox-macro/macros.d/tor-exit` (inserted at start of `main()`, line 39)
Added `if os.geteuid() == 0:` block re-pinning `NFT`, `STATE_DIR`, `SET`, `TABLE`, `MESH_IP` to production defaults when running as root. Prevents a leaked `TOREXIT_NFT=/tmp/evil` from becoming root-RCE. Non-root euid (test harness) continues to honor env overrides.
**Verification**:
```
grep -n 'geteuid' macros.d/tor-exit → 40: if os.geteuid() == 0:
python3 -m pytest tests/ -q → 14 passed in 0.52s
```

View File

@ -1,137 +0,0 @@
# Task 7 Report — Consumer activate + mesh listener + revoke-access
**Date:** 2026-07-01
**Status:** DONE
**Branch:** feature/secubox-annuaire (worktree 771-macro-subsystem-tor-exit-reference-kind)
---
## Files changed
| File | Change |
|------|--------|
| `packages/secubox-p2p/api/main.py` | Added `_get_our_mesh_ip`, `_provider_mesh_ip_from_offer`, `_pull_grant`, `_macroctl_activate`, `_macroctl_revoke`; extended `activate_service` with M2 macro path; added `revoke_access` endpoint |
| `packages/secubox-p2p/nginx/p2p-macro-mesh.conf.tpl` | New — mesh listener template for the grant endpoint |
| `packages/secubox-p2p/debian/rules` | Added install of `p2p-macro-mesh.conf.tpl` to `/usr/share/secubox/p2p/` |
| `packages/secubox-p2p/debian/postinst` | Added mesh conf render + nginx -t revert guard + nft 8798 allow rule |
| `packages/secubox-p2p/debian/postrm` | Created — removes rendered `p2p-macro-mesh.conf` on remove/purge |
| `packages/secubox-p2p/tests/test_services_endpoints.py` | Added 5 new M2 tests (activate pulls + macroctl activate; pull failure; local unchanged; revoke-access calls macroctl revoke; unknown service error) |
---
## How `_pull_grant` signing matches `_verify_subscription_sig`
`_verify_subscription_sig` (provider, in `main.py`) strips `{"sig","signer_did","subscriber_pubkey"}` from the presented dict, then verifies the ed25519 sig over:
```python
json.dumps(payload, sort_keys=True, separators=(",",":")).encode("utf-8")
```
`_pull_grant` (consumer, also in `main.py`) builds the same signed set:
```python
to_sign = {k: v for k, v in payload.items() if k not in ("sig", "signer_did")}
# payload has keys: subscription_id, subscriber, service_id, requested_at, sig=None, signer_did=None
# to_sign has: subscription_id, subscriber, service_id, requested_at
canonical = json.dumps(to_sign, sort_keys=True, separators=(",",":")).encode("utf-8")
sig_bytes = priv_key.sign(canonical)
```
`subscriber_pubkey` is intentionally NOT in `to_sign` — it is added to the POST body only, exactly as the verifier strips it before reconstructing the signed payload. This mirrors the annuaire `verbs.py::subscribe()` signing exactly (the model's `model_dump()` does not include `subscriber_pubkey` because it is not a Subscription field).
The `signer_did` in the POST body is set to `did` (our DID), not included in the signed bytes. `_verify_subscription_sig` also strips `signer_did` before verifying. Consistent.
---
## `_verify_subscription_sig` flow vs `_pull_grant` — field-by-field
| Field | In POST body | In signed payload | In verifier strip-set |
|-------|-------------|-------------------|-----------------------|
| `subscription_id` | yes | yes | no |
| `subscriber` | yes | yes | no |
| `service_id` | yes | yes | no |
| `requested_at` | yes | yes | no |
| `sig` | yes | no | yes |
| `signer_did` | yes | no | yes |
| `subscriber_pubkey` | yes | no | yes |
---
## pytest output
```
46 passed, 1 warning in 0.80s
```
(41 pre-existing M1 + 5 new M2 tests)
---
## sh -n outputs
```
postinst OK
postrm OK
```
---
## Template verification
`p2p-macro-mesh.conf.tpl` confirms:
- `listen __MESH_IP__:8798;` — binds only the mesh IP
- `allow 10.10.0.0/24; deny all;` — non-mesh sources refused
- `proxy_set_header X-Real-IP $remote_addr;` — provider-observed source IP forwarded
- `location ~ ^/api/v1/p2p-macro/` — prefix regex covers all `grant/<service_id>` paths
- `proxy_pass http://unix:/run/secubox/p2p.sock;` — reaches the p2p FastAPI via socket
---
---
## Review fixes applied (2026-07-01, ref #771)
### FIX 1 — packaging: Depends secubox-annuaire
**File:** `packages/secubox-p2p/debian/control`, line 10
Added `, secubox-annuaire` to the `Depends:` line of `Package: secubox-p2p`.
The p2p macro mesh listener binds the wg-mesh IP (10.10.0.x) on port 8798.
`net.ipv4.ip_nonlocal_bind=1` is required so nginx can bind that IP before
wg-mesh is up at boot. That sysctl is shipped by secubox-annuaire's
`/etc/sysctl.d/30-secubox-nonlocal-bind.conf`. Declaring the dependency
ensures apt enforces co-install ordering; no duplicate sysctl file is shipped.
### FIX 2 — revoke-access: 409 when no mesh IP
**File:** `packages/secubox-p2p/api/main.py`, lines 1192-1196
Changed `_get_our_mesh_ip() or "0.0.0.0"` to a guarded pattern:
```python
our_mesh_ip = _get_our_mesh_ip()
if not (our_mesh_ip and our_mesh_ip.startswith("10.10.0.")):
return JSONResponse({"error": "node has no wg-mesh IP; cannot revoke"}, status_code=409)
```
macroctl rejects non-mesh IPs with a confusing error; now the API returns a
clean 409 before even calling macroctl. Both `None` and `"0.0.0.0"` fallbacks
are caught.
**Test added:** `test_revoke_access_no_mesh_ip_returns_409` in
`packages/secubox-p2p/tests/test_services_endpoints.py` — patches
`_get_our_mesh_ip` to return `None`, asserts HTTP 409 and error message.
Existing `test_revoke_access_calls_macroctl_revoke` already patches to
`"10.10.0.3"` (success path); no change needed there.
**pytest result:** 47 passed, 1 warning (was 46 pre-review).
---
## Concerns
1. **Provider mesh IP derivation for non-10.10.0.x endpoints**: `_provider_mesh_ip_from_offer` returns `None` if the offer endpoint host is not `10.10.0.x` and not found in `wg_mesh.json` peers. This is intentional — in M2 all active mesh nodes should have 10.10.0.x endpoints; non-mesh offers are not automatable. The error surfaces clearly via `_pull_grant``"cannot resolve provider mesh IP"`. A future enhancement could add a DID→mesh-IP directory.
2. **`activate_service` M2 guard**: the M2 path fires only when `is_remote AND has_macro AND st == "approved"`. If the subscription state is not yet approved the M1 error path catches it first (`"remote service not approved"`). This is correct per spec increment-1 scope (auto mode only; no pending-mode cross-node approval).
3. **No sysctl net.ipv4.ip_nonlocal_bind guard in postinst**: the annuaire postinst applies `/etc/sysctl.d/30-secubox-nonlocal-bind.conf` so nginx can bind the wg-mesh IP at boot before wg-quick runs. The p2p postinst does not add this — it relies on the annuaire package being present (which installs both that sysctl and the flag). If p2p is installed standalone without annuaire, the `:8798` listener will fail to bind at boot until wg-mesh is up. This is acceptable for M2 (p2p depends on annuaire).

View File

@ -1,41 +0,0 @@
# Task 8a Report — p2p UI + 1.9.0 changelog
## Files Changed
| File | Change |
|------|--------|
| `packages/secubox-p2p/api/registry.py` | `set_active()` gains `endpoint=` kwarg; `merge_services()` surfaces `row["endpoint"]` from overlay when present |
| `packages/secubox-p2p/api/main.py` | `activate_service()` M2 path passes `endpoint=endpoint or None` to `set_active()` |
| `packages/secubox-p2p/www/p2p/index.html` | `loadServices()` renders SOCKS endpoint + Revoke button for automatable+active+endpoint rows; `revokeAccess()` function added |
| `packages/secubox-p2p/tests/test_registry.py` | Two new tests: `test_overlay_endpoint_surfaces_in_merged_row`, `test_overlay_endpoint_absent_when_not_set` |
| `packages/secubox-p2p/debian/changelog` | Prepended `1.9.0-1~bookworm1` entry |
## node --check Output
```
node --check: PASSED
```
No syntax errors in the extracted `<script>` block.
## pytest Output
```
49 passed, 1 warning in 0.87s
```
All 49 tests pass (47 pre-existing + 2 new registry tests).
## Self-Review
### What was done
1. **registry.py `set_active`**: Added optional `endpoint` parameter stored in the overlay entry under key `"endpoint"`. Does not overwrite an existing endpoint if `None` is passed (only writes when truthy — `if endpoint is not None` guards the write but an empty string would be set; callers pass `endpoint or None` to avoid persisting empty strings).
2. **registry.py `merge_services`**: Checks `ov.get("endpoint")` and includes it in the row only when present. Rows without an overlay endpoint carry no `"endpoint"` key (confirmed by `test_overlay_endpoint_absent_when_not_set`).
3. **main.py `activate_service`**: M2 path now passes `endpoint=endpoint or None` to `set_active`. The `endpoint` variable is already computed at that point from `cred.get("endpoint", offer.get("endpoint", ""))`.
4. **index.html `loadServices`**: Added a new branch in the action chain — fires when `svc.automatable && svc.active && svc.endpoint`. Renders `SOCKS <endpoint>` (via `escapeHtml`) and a Revoke access button (onclick uses `encodeURIComponent(svc.service_id)` matching M1 pattern — NOT `escapeHtml`).
5. **index.html `revokeAccess`**: Defined immediately after `activateService`. Calls `apiPost('/services/' + encodeURIComponent(sid) + '/revoke-access', {})`, logs the result, then calls `loadServices()`.
6. **changelog 1.9.0**: Describes macro grant endpoint, Subscription self-certifying auth, mesh listener :8798, NoNewPrivileges=no, revoke-access, UI SOCKS display + Revoke button, Depends secubox-annuaire.
### Concerns / Edge Cases
- The `endpoint` field stored in the overlay is whatever the grant credential returns (e.g. `"10.10.0.1:9050"`). The UI prefixes it with `"SOCKS "` unconditionally. If a future macro kind stores a non-SOCKS endpoint (e.g. a DNS resolver), the label will still say "SOCKS". This is in-scope for M2 which only covers `tor-exit` — but may need revisiting for `wg-relay` / `dns-resolver` later.
- `main.py` is NOT in the list of files to touch per the task brief (only 4 files listed). However, without the `endpoint=` kwarg in the `set_active` call, the endpoint would never reach the overlay and the UI test would never fire. The change to `main.py` is a 1-line delta and is logically required. The task brief says "if NOT, add it: when building a row, if the overlay entry for that service_id has an `endpoint`, include `row["endpoint"] = <that>`" — `main.py` is the place that writes to the overlay, so this is the mandatory write-side fix.

View File

@ -19,7 +19,7 @@ network:
bridges: bridges:
br-lan: br-lan:
interfaces: [lan0, lan1, lan2, lan3] interfaces: [lan0, lan1, lan2, lan3]
addresses: [192.168.10.1/24] addresses: [192.168.1.1/24]
dhcp4: false dhcp4: false
parameters: parameters:
stp: false stp: false

View File

@ -44,7 +44,7 @@ network:
bridges: bridges:
br-lan: br-lan:
interfaces: [lan0, lan1] interfaces: [lan0, lan1]
addresses: [192.168.10.1/24] addresses: [192.168.1.1/24]
dhcp4: false dhcp4: false
parameters: parameters:
stp: false stp: false

View File

@ -6,21 +6,16 @@ network:
renderer: networkd renderer: networkd
ethernets: ethernets:
# WAN candidate (SFP+, eth0) — connecté à l'opérateur via fibre/module SFP. # WAN — connecté à l'opérateur
eth0: eth0:
dhcp4: true dhcp4: true
dhcp6: false dhcp6: false
optional: true optional: true
# LAN — port GbE switch (DSA 88E6341) # LAN — ports GbE (DSA ou directs selon la config switch)
eth1: eth1:
optional: true optional: true
# WAN candidate (RJ45 cuivre, eth2 = mvpp2-2). Sur MOCHAbin le seul RJ45
# direct ; sert d'uplink quand l'opérateur arrive en cuivre. Le port WAN
# câblé (eth0 SFP+ OU eth2 cuivre) obtient le bail DHCP ; l'autre reste idle.
eth2: eth2:
dhcp4: true
dhcp6: false
optional: true optional: true
eth3: eth3:
optional: true optional: true
@ -36,8 +31,8 @@ network:
bridges: bridges:
# Bridge LAN # Bridge LAN
br-lan: br-lan:
interfaces: [eth1, eth3, eth4] interfaces: [eth1, eth2, eth3, eth4]
addresses: [192.168.10.1/24] addresses: [192.168.1.1/24]
dhcp4: false dhcp4: false
parameters: parameters:
stp: false stp: false

View File

@ -13,7 +13,7 @@ network:
# LAN — Interface 2 QEMU (si configurée) # LAN — Interface 2 QEMU (si configurée)
enp0s2: enp0s2:
addresses: [192.168.10.1/24] addresses: [192.168.100.1/24]
dhcp4: false dhcp4: false
optional: true optional: true

View File

@ -14,7 +14,7 @@ network:
# LAN — Interface 2 VirtualBox (Internal Network ou Host-Only) # LAN — Interface 2 VirtualBox (Internal Network ou Host-Only)
enp0s8: enp0s8:
addresses: [192.168.10.1/24] addresses: [192.168.100.1/24]
dhcp4: false dhcp4: false
optional: true optional: true

View File

@ -64,7 +64,7 @@ network:
br-lan: br-lan:
interfaces: [] interfaces: []
addresses: addresses:
- 192.168.10.1/24 - 192.168.1.1/24
dhcp4: false dhcp4: false
optional: true optional: true
parameters: parameters:

View File

@ -63,7 +63,7 @@ network:
bridges: bridges:
br-lan: br-lan:
interfaces: [enp0s8] interfaces: [enp0s8]
addresses: [192.168.10.1/24] addresses: [192.168.1.1/24]
dhcp4: false dhcp4: false
parameters: parameters:
stp: false stp: false

View File

@ -55,13 +55,4 @@ server {
proxy_pass http://unix:/run/secubox/system.sock:/; proxy_pass http://unix:/run/secubox/system.sock:/;
include /etc/nginx/snippets/secubox-proxy.conf; include /etc/nginx/snippets/secubox-proxy.conf;
} }
# #65: per-module routes self-register here. Every module package drops a
# /etc/nginx/secubox-routes.d/<module>.conf (location-only snippet) at
# install time, so a newly added module's /<module>/ + /api/v1/<module>/
# routes are picked up automatically — no more hand-editing this file per
# module. This is the ACTIVE include (matches the deployed webui.conf).
# The crowdsec/waf/system blocks above stay hardcoded: those core packages
# only ship the legacy secubox.d/ snippet, so they would NOT duplicate here.
include /etc/nginx/secubox-routes.d/*.conf;
} }

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 35 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 50 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 48 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 53 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 60 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 71 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 51 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 42 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 50 KiB

After

Width:  |  Height:  |  Size: 35 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 42 KiB

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 47 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 50 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 30 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 65 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 38 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 31 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 35 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 41 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 53 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 30 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 37 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 33 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 37 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 38 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 38 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 37 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 50 KiB

After

Width:  |  Height:  |  Size: 42 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 21 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 37 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 27 KiB

Some files were not shown because too many files have changed in this diff Show More