Compare commits
No commits in common. "master" and "v2.13.18" have entirely different histories.
|
|
@ -383,13 +383,9 @@ case "$1" in
|
|||
adduser --system --group --no-create-home --home /var/lib/secubox secubox
|
||||
fi
|
||||
|
||||
# Répertoires runtime — SHARED parents, NE JAMAIS les passer en 0750/0700
|
||||
# (#623 : casse la traversée pour les daemons non-secubox → kbin/toolbox 500).
|
||||
# /run/secubox reste 1777 (sticky world-writable, sockets de tous les services,
|
||||
# #471) ; /var/lib/secubox reste 0755. Les leaves privées
|
||||
# (/var/lib/secubox/<module>) peuvent être 0750.
|
||||
install -d -o root -g root -m 1777 /run/secubox
|
||||
install -d -o secubox -g secubox -m 755 /var/lib/secubox
|
||||
# Répertoires runtime
|
||||
install -d -o secubox -g secubox -m 750 /run/secubox
|
||||
install -d -o secubox -g secubox -m 750 /var/lib/secubox
|
||||
|
||||
# Activer et démarrer le service
|
||||
systemctl daemon-reload
|
||||
|
|
|
|||
262
.claude/TODO.md
|
|
@ -1,264 +1,10 @@
|
|||
# TODO — SecuBox-DEB Backlog
|
||||
*Mis à jour : 2026-07-02*
|
||||
|
||||
---
|
||||
|
||||
## 🟢 P2P — Roadmap post-DHT/Federation/Master-link (#774 · PR #775)
|
||||
|
||||
> Socle livré & live sur le mesh 3 nœuds (voir HISTORY 2026-07-02 +
|
||||
> `docs/P2P-EVOLUTIONS-POSTER-PROMPT.md`). Suites, par priorité :
|
||||
|
||||
### 🔜 Pont bans mesh → moteur sbxwaf
|
||||
|
||||
- [ ] Alimenter sbxwaf (bouncer CrowdSec) avec les bans fédérés threatmesh (#768) :
|
||||
`cscli decisions add --ip <IP> -R "secubox-mesh" -d 4h` en plus du nft
|
||||
`inet secubox_meshban` actuel.
|
||||
- [ ] Anti-boucle : dans `secubox-threatmesh-bridge`, filtrer les décisions de *reason*
|
||||
`secubox-mesh` pour ne pas re-fédérer une décision déjà reçue par le mesh.
|
||||
- [ ] Vérifier que sbxwaf applique bien (403 + `X-SecuBox-WAF: banned`) sur une IP reçue
|
||||
uniquement via le mesh (0 décision crowdsec locale).
|
||||
|
||||
### 🔜 macroctl sur satellites (chemin privilégié)
|
||||
|
||||
- [ ] `secubox-p2p` standalone tourne `NoNewPrivileges=yes` → `sudo macroctl activate`
|
||||
refusé (« NNP flag is set »). OK sur gk2 (p2p dans l'aggregator NNP=no).
|
||||
- [ ] Fixer sans affaiblir le durcissement satellite : drop-in ciblé ou helper vetté
|
||||
(pas de `NoNewPrivileges=no` global sur l'unité durcie).
|
||||
|
||||
### 🔜 Fenêtre transitoire du socket p2p
|
||||
|
||||
- [ ] Restart de `secubox-p2p` → webui satellite 502/504 le temps de recréer `p2p.sock`.
|
||||
Lisser via socket-wait / `RuntimeDirectoryPreserve=yes` pour supprimer les erreurs
|
||||
`apiGet` visibles.
|
||||
|
||||
### 🌀 Horizon (conçu, non construit)
|
||||
|
||||
- [ ] Mesh phases 2–4 (`project_mesh_gk2_c3box`).
|
||||
- [ ] Liaison NIZK/PSI GK·HAM : remplacer les stubs `ZKP-HAM-v1` par `zkp-hamiltonian` cffi.
|
||||
- [ ] Nouveaux kinds macro (`wg-relay`, `dns-resolver`, `http-mirror`).
|
||||
- [ ] Macros en mode `pending` (fédération cross-nœud des Subscription/APPROVE).
|
||||
- [ ] Mesh master→satellite (nft c3box) + Freebox forward UDP 51822 pour le remote.
|
||||
|
||||
---
|
||||
|
||||
## ⚪ T5 — Images / OS variants / Hardware (ajouts 2026-06-27)
|
||||
|
||||
### ⬜ MOCHAbin — bootloader propre (adresses réservées + extlinux)
|
||||
|
||||
> Workaround actif : `/boot/boot.scr` compilé forçant le kernel à `0x0a000000`. Fix durable requis.
|
||||
|
||||
- [ ] **Option A — Corriger l'image** : patcher `extlinux.conf` généré par le CI pour utiliser
|
||||
`0x0a000000` (kernel) et `0x10000000` (initrd) au lieu de `0x02080000` (adresse réservée
|
||||
factory U-Boot 2020.10 → reset immédiat). Boot.scr deviendrait redondant.
|
||||
- [ ] **Option B — Enhanced Tow-Boot (#748)** : bloqué par le ciseau U-Boot (voir ci-dessous) ;
|
||||
déverrouille wget/HTTP natif dans U-Boot, supprime le besoin de TFTP pour les futures installs.
|
||||
- [ ] **Valider** que le fix d'adresse tient sur les deux MOCHAbin (gk2 + c3box).
|
||||
|
||||
### ⬜ #748 — wget dans U-Boot pour MOCHAbin (bloquant documenté)
|
||||
|
||||
> Bloquant dur (ciseau) confirmé 2026-06-27. Branche
|
||||
> `feature/748-enhanced-tow-boot-http-netboot-serial-fl` : spec + plan + Kconfig +
|
||||
> `build-uboot-overlay.sh --tow-boot` + CI `.github/workflows/build-tow-boot.yml` en place.
|
||||
> Problème : board mochabin UNIQUEMENT dans fork Tow-Boot U-Boot 2022.07 (pas de `wget`) ;
|
||||
> `wget`/TCP UNIQUEMENT dans stock U-Boot ≥2023.07 (pas de board mochabin/DTS).
|
||||
|
||||
- [ ] **Voie 1** : backporter le stack TCP + `wget` de U-Boot ≥2023.07 dans le fork Tow-Boot
|
||||
2022.07 (mochabin board natif). Diff TCP = `net/wget.c` + dépendances `CONFIG_NET_WGET`.
|
||||
- [ ] **Voie 2** : porter le board mochabin (DTS Armada 7040 + PHY + eMMC) vers U-Boot mainline
|
||||
≥2023.07 (sans Tow-Boot). Plus long mais durable.
|
||||
- [ ] Choisir une voie, débloquer #748.
|
||||
|
||||
### ⬜ Packager le flow netboot + install signé (rig temporaire → procédure reproductible)
|
||||
|
||||
> Actuellement rig manuel sur gk2 : `lan1=192.168.77.1/24`, dnsmasq DHCP, nft, nginx `:8099`.
|
||||
|
||||
- [ ] Scripter la publication de l'image signée dans le root HTTP netboot (wget + sha256 + sig).
|
||||
- [ ] Documenter / packager la config dnsmasq + nft + nginx pour un segment `lan1` dédié.
|
||||
- [ ] Intégrer dans `scripts/deploy-netboot.sh` ou équivalent.
|
||||
|
||||
### ⬜ Teardown rig netboot temporaire gk2
|
||||
|
||||
> Le rig (lan1 bridge, dnsmasq, nft iif lan1 accept, nginx extra listen) reste actif jusqu'à
|
||||
> ce que c3box soit autonome en prod.
|
||||
|
||||
- [ ] Retirer la règle nft `iif lan1 accept` (risque : tout le segment lan1 est accepté sans filtrage).
|
||||
- [ ] Désactiver / retirer dnsmasq test sur lan1.
|
||||
- [ ] Retirer le extra listen `192.168.77.1:8099` du vhost nginx netboot (ou couper le vhost si
|
||||
plus nécessaire).
|
||||
- [ ] Vérifier que c3box auto-boot sans rig (boot.scr en place → OK).
|
||||
|
||||
---
|
||||
|
||||
## ✅ Clos 2026-06-22 — DPI exfil + report Netrunner + sbxmitm
|
||||
|
||||
- ✅ **#687 DPI exfil pipeline** — flowcap + Go collector + dashboard + cumulatif 7j,
|
||||
packagé `secubox-dpi 1.1.2` (inclut #692/#693/#695/#705).
|
||||
- ✅ **#707 report kbin = fiche Netrunner** HTML+PDF (#699/#701/#703/#709/#711/#714/#716).
|
||||
- ✅ **#689** sbxmitm cert 365d · **#697** stream >8MiB (Gmail) · **#688** splice rejeté.
|
||||
|
||||
### DPI Phase 3
|
||||
- [x] Enrichissement **ASN** (GeoLite2-ASN) pour l'egress sans SNI — **#719 mergé, live**
|
||||
(`secubox-dpi 1.1.3`, maxminddb-golang vendored).
|
||||
- [x] **Historique + timeline par device** — **#721 mergé, live** (`secubox-dpi 1.1.4`,
|
||||
buckets quotidiens `history.json` 14j + `/api/v1/dpi/history` + panneau Timeline
|
||||
dashboard). NB : JSON daily buckets (pas SQLite — pas de driver CGO dans le binaire
|
||||
statique ; SQL riche reportable si besoin).
|
||||
- [x] Démon **nDPId** — **évalué puis ÉCARTÉ** (#722/#723 revertés). Raison perf :
|
||||
ndpiReader tourne en fenêtres bornées (Nice 15, ~1% CPU, libère le cœur entre
|
||||
les passes) ; nDPId = démon permanent + nDPIsrvd → CPU/RAM **continue** sur une
|
||||
board déjà saturée (load ~4.6/4 cœurs). Gain (JSON riche, pas de respawn) <
|
||||
risque. **Décision : on garde ndpiReader** comme producteur du pipeline exfil.
|
||||
(Le build CI QEMU a aussi échoué au 1er essai → chemin fragile en plus.)
|
||||
|
||||
### ⬜ Cosmétique report PDF (non bloquant)
|
||||
- [ ] Glyphes drapeaux régionaux → lettres (police embarquée). Option : drapeaux PNG.
|
||||
- [ ] Chiffres espacés dans certaines cellules (fallback police).
|
||||
|
||||
### ⬜ APK on-device #685/#686 — NON-ROOT ONLY (plan verrouillé, à faire)
|
||||
> Décision 2026-06-22 : cible **non-root uniquement** ; chemin root abandonné.
|
||||
> Plan détaillé : commentaire #685.
|
||||
- [ ] **VpnService in-app** (`com.wireguard.android:tunnel` / GoBackend wireguard-go)
|
||||
— l'APK EST le client WG, plus de Play Store, détection tunnel in-app fiable.
|
||||
- [ ] **CA en DER** (fix « nom de cert vide » du KeyChain intent) + `network-security-config`
|
||||
pour que la WebView in-app fasse confiance au CA ca-wg.
|
||||
- [ ] Retirer RootShell/RootOnboard/BootReceiver ; manifest VpnService + consent VPN.
|
||||
- [ ] Limite Android : pas de CA **système** sans root → MITM système impossible ;
|
||||
surface « safe browsing » = WebView in-app. À documenter.
|
||||
- [ ] Build via CI `build-android-apk` + **test sur appareil** (gros build, itératif).
|
||||
|
||||
---
|
||||
|
||||
## 🎯 Backlog priorisé — revue 2026-06-24 (64 issues ouvertes)
|
||||
|
||||
> Index d'autorité du triage. Les sections « Phase X » plus bas sont historiques :
|
||||
> plusieurs portent « ✅ COMPLETE » alors que l'issue est restée **ouverte** (livré
|
||||
> mais jamais fermé) → marquées **[vérifier→fermer]** ci-dessous.
|
||||
|
||||
### 🔴 T0 — Régressions & bugs sécurité (petits, débloquants, CSPN priv-sep)
|
||||
- #494 secubox-core ExecStart écrase tmpfiles.d `/run/secubox` *(worktree actif)*
|
||||
- #468 `/etc/secubox` parent 0750 casse la traversée non-secubox *(régression récurrente)*
|
||||
- #471 secubox-mesh postinst écrase perms `/run/secubox` *(régression)*
|
||||
- #421 sockets `/run/secubox` cachés en mount-ns privé (RuntimeDirectory)
|
||||
- #447 kiosk : mot de passe admin semé par le CI (users.json shippe un hash) **← fuite**
|
||||
- #91 haproxyctl régénère haproxy.cfg avec `waf_inspector` inexistant *(intégrité WAF)*
|
||||
- #65 nginx : routes API manquantes dans webui.conf
|
||||
- #53 Wazuh uvicorn 100% CPU spin
|
||||
- #121 metablog ingest : dirs en `secubox:secubox`
|
||||
|
||||
### 🟠 T1 — Plan d'enforcement sécurité (mission CSPN ; détection→action)
|
||||
- #498 Phase 7 — WAF active enforcement (mitm→CrowdSec→nft drop) *(worktree actif)*
|
||||
- ✅ #519 Phase 13 — enforcement plane **FERMÉ 2026-06-22** (livré + réparé :
|
||||
blacklist-sync avortait sur NXDOMAIN + timeout unit → fix `|| true` +
|
||||
TimeoutStartSec 600 ; vérifié live, default-off). Inclut 13.B #522.
|
||||
- #455 secubox-egress — détection egress + corrélation RDS multi-signaux
|
||||
- #500 Phase 8 — Utiq operator-grade tracking (detect/alert/bypass)
|
||||
- #514 Phase 12 — plateforme anti-human-detection (parent ; sous-tracks fermés)
|
||||
- ✅ #515 Phase 12.A CDN cache detection — **FERMÉ** (live, `social_host_meta.cdn_vendor`)
|
||||
- ✅ #516 Phase 12.B anti-bot detection — **FERMÉ** (live via #564/#565, `social_antibot`)
|
||||
- #525 Phase 14 — plan de déception (idée future, parké)
|
||||
- ⬜ Suivi #519 perf (non bloquant) : DNS-guard ne résout que les 2000 premiers
|
||||
domaines/cycle (5523 en base) → couverture partielle ; résolution séquentielle
|
||||
lourde sur board saturé. Option : résolution parallèle bornée + rotation du cap.
|
||||
|
||||
### 🟡 T2 — UX / Hub / conscommateurs report (worktrees actifs + polish)
|
||||
- #615 security-posture dans la sidebar Hub *(worktree actif)*
|
||||
- #655 webext content-script banner CSP-immune *(worktree actif)*
|
||||
- #485 toolbox SOC scoring *(worktree actif)*
|
||||
- #513 ToolBox WebUI : sous-onglets + retrait UI /admin redondante
|
||||
- #69 diagramme flux trafic responsive
|
||||
- #67 cache history-aware glances/netdata
|
||||
- #68 health checks + dépendances services au démarrage
|
||||
|
||||
### 🟢 T3 — Backlog feature (valeur, non bloquant)
|
||||
- #685 APK 'corrupt' — CI signe avec clé éphémère *(plan APK verrouillé)*
|
||||
- #686 android-toolbox flux non-root cassé *(plan APK verrouillé)*
|
||||
- #429 nextcloud dashboard : API stubs au lieu de la vraie instance *(bug)*
|
||||
- #430 nextcloud — fédération OCM (doc/outillage)
|
||||
- #472 nextcloud — Gondwana Desktop (canvas + widgets)
|
||||
- #592 secubox-webmail-hub (Gmail OAuth2 + Gandi + OVH)
|
||||
- #66 auth Google OAuth
|
||||
- #70 Health Banner System *(preplanned)*
|
||||
- #71 CDN proxy injection *(preplanned)*
|
||||
- #393 source-home des scripts health prober
|
||||
|
||||
### 🔵 T4 — Hardware-gated (dépend de pièces ; piste parallèle ; pas de spare EP06)
|
||||
- Modem/PCIe : #254 modules kernel LTE · #255 pins mPCIe modem · #460 DTS cp0_pcie2 ·
|
||||
#467 U-Boot comphy5 SerDes · #462 pivot HW AR9271/MT
|
||||
- Mesh/BLE : #449 WiFi 802.11s · #452 BT mesh · #453 QR multi-canaux · #454 sourcing BLE 5.x
|
||||
- GSM : #347 sentinelle-gsm
|
||||
- Smart-Strip : #33 module HMI · #42 sous-repo · #379 packaging
|
||||
- Eye-remote : #41 sous-repo · #79 buildroot · #127 variante square · #138 radar_concentric ·
|
||||
#155 collision link-rename *(bug)* · #158 multi-gadget L3 · #478 métriques live Round Eye
|
||||
- VILLAGE3B : #480 dossier presse · #497 poster grand public
|
||||
|
||||
### ⚪ T5 — Images / OS variants (basse urgence)
|
||||
- #446 Full Traveller OS multi-mode/arch · #125 build-live-usb +virtualbox · #422 vm-x64 cascade
|
||||
|
||||
### ⚫ T6 — Docs / housekeeping
|
||||
- #81 headers SPDX CMSD-1.0 partout · #243 clarifier scope secubox-zkp-auth *(question)*
|
||||
- #474 ToolBoX (epic parent — garder comme tracker)
|
||||
*Mis à jour : 2026-06-10*
|
||||
|
||||
---
|
||||
|
||||
## 🔥 P0 — Immediate (in flight)
|
||||
|
||||
### kbin Tor endpoint — anonymized quick-switch surfing (#683)
|
||||
|
||||
> Capstone du couteau suisse cyber : l'anonymat de la sortie. Spec :
|
||||
> `docs/superpowers/specs/2026-06-19-kbin-tor-anonymized-surfing-design.md`.
|
||||
> Invariants : inspection préservée, fail-closed, opt-in (défaut OFF), no DNS leak, CSPN audit.
|
||||
|
||||
- [ ] **Transport** — Option A dialer SOCKS5 upstream (cœur Go #662, *préféré*) vs
|
||||
Option B nft mark → Tor TransPort (fallback pré-#662).
|
||||
- [ ] **Profil Tor egress** — réutiliser `secubox-exposure` (bootstrap/NEWNYM), egress-only.
|
||||
- [ ] **API toolbox** — `POST /admin/tor/{on,off}` (WG-hash scoped) + `GET /tor/state` +
|
||||
`POST /tor/newnym` + état SQLite per-client (TTL 24h).
|
||||
- [ ] **UI kbin** — toggle 🧅 + badge état + flag pays de sortie + bouton « nouvelle identité ».
|
||||
- [ ] **Leak-guard nft** + DNS-over-Tor (test exit IP + resolver ≠ Unbound).
|
||||
- [ ] **`tls_splice` OFF en mode Tor** (#649) — sinon les flux asset fuient l'IP réelle.
|
||||
- [ ] **CSPN** — audit-log chaque bascule ; soak DARK (flag présent, UI cachée) avant flip.
|
||||
|
||||
### ToolBox clients (`clients/`)
|
||||
|
||||
- [x] **#531 Android scaffold + CI** — Gradle/Compose one-tap onboarding,
|
||||
debug APK via `build-android-apk.yml`. CI green.
|
||||
- [x] **#536 serve APK from toolbox** — `GET /wg/toolbox.apk` + onboard button +
|
||||
`secubox-toolbox-fetch-apk` helper.
|
||||
- [x] **#538 Android root-mode silent** (PR #539) — system CA install + native
|
||||
kernel WireGuard + auto R3 verify, gated behind explicit root tap.
|
||||
- [x] **#532 browser extension** (`clients/webext-toolbox/`) — MV3 Firefox
|
||||
`.xpi`/Chromium; live tracker badge + popup mini Round-Eye graph over
|
||||
`/social/*`; `GET /wg/toolbox.xpi` + fetch helper + `build-webext.yml`.
|
||||
- [x] **#532 release** — tag `webext-v0.1.1` published the `.xpi`
|
||||
(downloadable, verified 200). `make_latest:false` + tag-pinned URL so it
|
||||
doesn't steal "Latest" from the Android APK release.
|
||||
- [ ] **release signing** — Android keystore + AMO `.xpi` signing secrets in CI
|
||||
for stable published fingerprints (currently unsigned sideload).
|
||||
- [ ] **#532 follow-ups** — optional `GET /social/live/{token}` SSE (replace the
|
||||
client-side poll) ; Poke/Emancipate per-site control once #525 (deception)
|
||||
ships ; Chromium PNG icon rasterisation for the Web Store.
|
||||
|
||||
### Phase 13 — Protection enforcement plane (#519) — ✅ COMPLETE
|
||||
|
||||
- [x] **13.A spine** (#521, `2.6.8`, v2.13.17) — nft blacklist set + forward-drop
|
||||
chain + sync (CrowdSec + threat-intel). + override_dh_strip drift fix.
|
||||
- [x] **13.B DNS-guard** (#522, `2.6.9`, v2.13.17) — résout domaines blocklistés
|
||||
→ IPs ; détection DoH/DoT (block opt-in).
|
||||
- [x] **13.C attribution** (#524, `2.6.10`, v2.13.18) — per-device blocked-attempts
|
||||
+ quarantine + endpoints + tile.
|
||||
- [x] **13.D feedback** (#527, `2.6.11`, v2.13.19) — escalation evaluator
|
||||
(detections→nft/cscli/quarantine), audit-log, **default OFF**.
|
||||
- [ ] **13.x opt-in tuning** — activer `SECUBOX_ESCALATE_*` / `SECUBOX_DOH_BLOCK`
|
||||
selon politique opérateur quand voulu.
|
||||
- [ ] **threatfox feed = 0** — investiguer l'ingestion domain vide (impacte
|
||||
13.B resolved_domains).
|
||||
|
||||
### Phase 14 — Plan de déception (#525, idée future)
|
||||
|
||||
- [ ] Pseudo-réponses proxy au lieu de blocage IP (indistinguable, pollue
|
||||
le profil) + neutralisation des scripts CDN préchargés. R3 consenti,
|
||||
réutilise la détection Phase 11/12. **Pour plus tard.**
|
||||
|
||||
### Phase 11 — Social mapping per device (#502) — ✅ COMPLETE (v2.13.15)
|
||||
|
||||
- [x] **11.A backend** (#505, `2.6.0`) — correlation engine + SQLite + API.
|
||||
|
|
@ -275,9 +21,9 @@
|
|||
graph + by_cdn. Mergé.
|
||||
- [x] **12.B anti-bot** (#516, `2.6.5/2.6.6`) — detect_antibot (détection
|
||||
seule) + ring levels visibles + Carto/Reset opérateur. Mergé.
|
||||
- [x] **12.C opérateur-grade / state-adjacent** (#518, `2.6.7`, v2.13.16) —
|
||||
detect_operator_grade (telco MSISDN/x-acr + consortium Utiq/TrustPid +
|
||||
data-broker LiveRamp/BlueKai/Palantir-class). Top-severity lens + PDF.
|
||||
- [ ] **12.C opérateur-grade / state-adjacent** — étend #500 Utiq :
|
||||
identité carrier-grade (MSISDN injection, CGNAT fingerprint) + analytics
|
||||
state-adjacent. Prochain track.
|
||||
- [ ] **12.B bypass** — résolution de challenge (gated derrière doctrine
|
||||
lawful-use + design review ; R3 opt-in uniquement).
|
||||
- [ ] **12.D noise counter-measures** — cookie-noising / header-strip /
|
||||
|
|
|
|||
466
.claude/WIP.md
|
|
@ -1,469 +1,5 @@
|
|||
# WIP — Work In Progress
|
||||
*Mis à jour : 2026-07-02*
|
||||
|
||||
---
|
||||
|
||||
## ✅ 2026-07-02 : P2P évolutions — DHT + Federation + Master-link LIVE sur le mesh 3 nœuds (#774 · PR #775)
|
||||
|
||||
Reprise et refonte propre du chantier P2P (le code Mistral non-intégrant a été supprimé),
|
||||
puis construction **subagent-driven TDD** (17 tâches, 132 tests, revue par tâche + revue
|
||||
finale opus). Branche `feature/p2p-dht-federation`, **PR #775 ouverte**.
|
||||
|
||||
- **Kademlia DHT custom** — asyncio/UDP `:51823`, records de joignabilité signés Ed25519
|
||||
`{did,id_pubkey,wg_pubkey,endpoint,ts,sig}`, lookup itératif α-parallèle, persistance
|
||||
routing, store `put_health`/`get_health`.
|
||||
- **Federation health-checks** — probe aiohttp GET `/health` + fallback TCP, debounce
|
||||
up/down, publication via DHT.
|
||||
- **Master-link hiérarchique** — UDP `:51824`, élection déterministe `(priorité, node_id)`,
|
||||
failover par *term* monotone avec tie-break (pas de fenêtre zéro-master), heartbeats
|
||||
signés Ed25519.
|
||||
- **OPAD** — feature-flag OFF par défaut ; config `/etc/secubox/p2p.toml`
|
||||
`[dht]/[federation]/[masterlink]`.
|
||||
|
||||
**Live-activé sur les 3 nœuds** : gk2 `10.10.0.1` (MASTER, term 1, prio 10) · c3box
|
||||
`10.10.0.2` + amd64 `10.10.0.3` (satellites). Chaque DHT découvre les 2 autres (peers=2),
|
||||
pas de split-brain. Déployés aussi : **onglet Mesh viz** du dashboard p2p, **fix du rebond
|
||||
de login** (3 box), **nginx gk2** re-routé `/api/v1/p2p/` → `p2p.sock` (l'endpoint reflète
|
||||
le vrai daemon), **nft reboot-persist** `wg-mesh udp {51823,51824}` (c3box+amd64).
|
||||
|
||||
> Poster de synthèse + roadmap détaillée : `docs/P2P-EVOLUTIONS-POSTER-PROMPT.md`.
|
||||
|
||||
### ⬜ Next Up (roadmap P2P, non bloquant)
|
||||
|
||||
- **Pont bans mesh → moteur sbxwaf** — les bans fédérés (threatmesh #768) s'appliquent au
|
||||
nft (`inet secubox_meshban`) seulement ; les faire alimenter sbxwaf via
|
||||
`cscli decisions add --ip X -R "secubox-mesh" -d 4h` (anti-boucle : filtre *reason*
|
||||
`secubox-mesh` dans `secubox-threatmesh-bridge`).
|
||||
- **macroctl sur satellites** — `secubox-p2p` standalone tourne `NoNewPrivileges=yes` ⇒
|
||||
`sudo macroctl activate` refusé ; OK sur gk2 (aggregator NNP=no). Fixer le chemin
|
||||
privilégié satellite sans casser le durcissement.
|
||||
- **Fenêtre transitoire du socket p2p** — 502/504 webui satellite pendant un restart de
|
||||
`secubox-p2p` (recréation `p2p.sock`) ; lisser (socket-wait / `RuntimeDirectoryPreserve`).
|
||||
|
||||
---
|
||||
|
||||
## ✅ 2026-06-30 → 07-01 : Substrat de confiance Gondwana — fédération + registry + macros (#766 #769 #771)
|
||||
|
||||
Trois features complètes (brainstorm → spec → plan → SDD subagent-driven avec revue
|
||||
adversariale), **toutes mergées sur master**, déployées gk2 + c3box, prouvées live :
|
||||
|
||||
- **#766 — annuaire fédération sans-confiance (0.2.0→0.3.x)** ✅ CLOSED/master.
|
||||
`ingest_offer` impose `did_from_pubkey(pubkey)==provider` avant la vérif sig
|
||||
(auto-certifiant, aucune confiance préalable) ; offres portent `sig`+`signer_did`+
|
||||
`provider_pubkey` ; verbe `genesis()` + CLI `annuairectl` (init/whoami/status/offer/
|
||||
services/pull) ; écouteur mesh (postinst, IP-mesh only, `ip_nonlocal_bind`, validate-or-
|
||||
revert). Live : un 2e nœud (fondateur distinct) `annuairectl pull` → ingest sans-confiance.
|
||||
- **#769/#770 — p2p Service Registry = vue live du catalogue annuaire (secubox-p2p 1.8.0)** ✅
|
||||
MERGED. `/services` fusionne catalogue annuaire + abonnements + overlay d'activation +
|
||||
services p2p-locaux ; « Auto register all » (active locaux + s'abonne aux distants selon
|
||||
auto/pending) ; s'abonne EN TANT QUE nœud (clé 0600). Live gk2+c3box.
|
||||
- **#771/#773 — sous-système macro + tor-exit (secubox-macro 0.1.0 NEW, p2p 1.9.0, annuaire 0.3.3)** ✅
|
||||
MERGED (+#772 auto-fermé). Un service propose une **macro d'accès** vettée, confinée
|
||||
AppArmor : `macroctl` dispatcher root (allowlist kind, tamper-guard plugin, euid env-pin,
|
||||
audit append-only) + `macros.d/tor-exit` (nft SOCKS-over-mesh grant/revoke) + sudoers
|
||||
(env_reset) + auto-détection table firewall (`secubox_filter`|`filter` via
|
||||
`/etc/secubox/macro.conf`). Endpoint grant p2p (auth Subscription auto-signée, self-cert,
|
||||
auto-mode). **Démo live end-to-end** : gk2 propose son exit Tor → fédère → c3box s'abonne+
|
||||
active → pull grant sur le mesh → gk2 nft-autorise l'IP mesh de c3box → **c3box route via
|
||||
l'exit Tor de gk2** (`IsTor:true`). La boucle de revue SDD a attrapé ~10 Criticals avant merge.
|
||||
|
||||
### ⬜ Next Up (déféré, non bloquant)
|
||||
|
||||
- **Liaison NIZK/PSI GK·HAM** — les verbes annuaire utilisent encore les stubs documentés
|
||||
(`ZKP-HAM-v1`) ; brancher `zkp-hamiltonian` cffi.
|
||||
- **Nouveaux kinds macro** — `wg-relay`, `dns-resolver`, `http-mirror` (chacun = un plugin
|
||||
`macros.d/<kind>` vetté + profil AppArmor, même framework).
|
||||
- **Macros en mode `pending`** — nécessite la fédération cross-nœud des Subscription/APPROVE.
|
||||
- **Mesh gk2→c3box (sens inverse)** — pull satellite→master OK ; master→satellite bloqué
|
||||
(nft c3box) ; + installer Tor sur c3box pour un provider tor-exit natif.
|
||||
|
||||
---
|
||||
|
||||
## ✅ 2026-06-27 : c3box → SecuBox Debian — première install réussie · netboot prouvé (#748 #737)
|
||||
|
||||
### ✅ Fait (session 2026-06-27)
|
||||
|
||||
- **Netboot gk2→c3box prouvé** — factory U-Boot 2020.10 → TFTP → rescue shell installeur
|
||||
(kernel 6.12.85 #5secubox). Détour cabling résolu (impasse LAB, pas logiciel).
|
||||
- **Première install SecuBox Debian sur un MOCHAbin physique (c3box)** — image CI artefact
|
||||
`secubox-mochabin-bookworm` (run 27426515472, 8 Gio), SHA256 + signature vérifiés,
|
||||
`gunzip|dd` en RAM → eMMC. c3box boot Debian v1.9.0 avec stack complète.
|
||||
- **boot.scr workaround déployé** — extlinux.conf charge le kernel à `0x02080000` (réservé
|
||||
factory U-Boot → reset). Construit `/boot/boot.scr` (kernel@`0x0a000000`) ; auto-boot
|
||||
Debian sans intervention vérifié après reboot.
|
||||
- **#748 bloquant documenté** — ciseau U-Boot : mochabin board UNIQUEMENT dans fork Tow-Boot
|
||||
2022.07 (pas de `wget`) ↔ `wget` UNIQUEMENT dans stock ≥2023.07 (pas de board mochabin).
|
||||
Branche `feature/748-enhanced-tow-boot-http-netboot-serial-fl` parkée (spec+CI+Kconfig en
|
||||
place, dépend du backport wget OU port board mainline).
|
||||
|
||||
### ⬜ Rig netboot temporaire gk2 à démonter (quand c3box autonome)
|
||||
|
||||
- `lan1=192.168.77.1/24` avec dnsmasq DHCP + `nft iif lan1 accept` + nginx `:8099` encore actifs.
|
||||
- À retirer une fois c3box en prod (voir TODO T5 — teardown rig).
|
||||
|
||||
### ⬜ Bootloader propre à faire (#748 ou alternative)
|
||||
|
||||
- boot.scr = workaround ; fix durable = enhanced Tow-Boot (#748, bloqué ciseau) OU corriger
|
||||
les adresses de boot dans l'image (extlinux.conf → `0x0a000000`). Voir TODO T5.
|
||||
|
||||
---
|
||||
|
||||
## 🗂️ 2026-06-22 : triage issues (30 ouvertes → revue obsolètes)
|
||||
|
||||
- **Fermées (user-validé 2026-06-22)** : #722 (nDPId — décidé contre, reverté) ·
|
||||
#475 ToolBoX Phase 1 (live 2.7.x) · #502/#507/#508 Social mapping (carto +
|
||||
/social/me + report PDF live) · #495 Phase 5 mitm-LXC (superseded par #662 Go
|
||||
sbxmitm host) · #531 APK one-tap (superseded par #685/#686 non-root) ·
|
||||
#486 geoip/ASN+flags+catégories dans rapports (livré master : geo.py + dpi_class.py +
|
||||
report wiring ; complémentaire de #718 ASN collector ; worktree stale nettoyé) ·
|
||||
#515 CDN detection (live `social_host_meta.cdn_vendor`) · #516 anti-bot detection
|
||||
(live via #564/#565) · #519 enforcement plane (livré + **réparé** : blacklist-sync
|
||||
avortait NXDOMAIN + timeout unit → fix `|| true` + TimeoutStartSec 600, vérifié live,
|
||||
default-off ; inclut #522). Toolbox source bumpé 2.7.18 (fix live-patché sur gk2) ·
|
||||
#468 /etc/secubox traversal (source+live = 0755, secrets/CA enfants restent 0750).
|
||||
- **Actives (worktrees en cours)** : #655 webext banner · #615 security-posture ·
|
||||
#494 secubox-core ExecStart · #498 Phase 7 WAF enforcement · #485 SOC scoring.
|
||||
|
||||
### 🔎 Reco T0 — recon live gk2 2026-06-24 (avant fix)
|
||||
- ✅ **#494** : **FIX SYSTÉMIQUE poussé** (`fix/494-…`). Pas que core : 7 units re-chownaient
|
||||
le parent partagé `/run/secubox` (core+hub services, eye-remote/eye-square/metablogizer/
|
||||
metrics/p2p postinsts ; eye-square chownait aussi /var/log/secubox = pire). Tous nettoyés
|
||||
(mkdir fallback only ; logs modules en sous-dossier propre ; orphan /etc/tmpfiles.d nettoyé).
|
||||
**Vérifié live** : /run/secubox 1777 **root:root** stable après restart core ET hub ; webui 200.
|
||||
Bumps core 1.1.7/hub 1.4.4/eye-remote 1.0.1/eye-square 1.0.4/metablog 1.2.2/metrics 1.0.4/p2p 1.7.1.
|
||||
- ✅ **#471** (mesh /run/secubox) : déjà résolu (changelog mesh "drop install -d /run/secubox") → verify-close.
|
||||
- ⬜ **#421** : sockets cachés en mount-ns privé (RuntimeDirectory) — mécanisme distinct, non traité.
|
||||
- 🆕 Suivi (classe #511) : mesh/toolbox/admin font `install -d -o <module> /var/log/secubox`
|
||||
(propriétaire du parent partagé = user module) → autres daemons ne peuvent créer leurs logs.
|
||||
Séparé de #494, à traiter (sous-dossiers propres comme fait pour eye-square/p2p).
|
||||
- **#447** : pas une fuite — `password_hash=null` → lockout kiosk + user CI parasite ;
|
||||
**CI-image-gated** (rpi400, pas gk2).
|
||||
- **#91** : `haproxy.cfg` active valide ; backup `*.broken-by-haproxyctl-*` prouve le bug
|
||||
passé ; drift-guard #627 rattrape. Root cause = generate `haproxyctl` (api/main.py l.846/896).
|
||||
- ✅ **#53** : **FIX poussé** (`fix/53-…`) — gate `ConditionPathExists=/var/ossec/etc/ossec.conf`
|
||||
+ `RestartSec=5` ; module conservé (SIEM opt-in). Vérifié gk2 (/var/ossec absent). Bump 1.0.1.
|
||||
- ✅ **#65** : déjà résolu en prod (webui.conf déployé inclut `secubox-routes.d/*.conf`,
|
||||
163 snippets). Template `common/nginx/webui.conf` (stale) synchronisé sur `feature/65-…`.
|
||||
Reco fermer. Convention : `secubox-routes.d/`=actif, `secubox.d/`=legacy.
|
||||
- ✅ **#121** : **FIX poussé** (`fix/121-…`) — helper `fix_perms` chown -R secubox:secubox
|
||||
le site dir après chaque ingest .git (metablog-ingest-site.sh). Script dev, pas de deploy.
|
||||
- ⬜ Restent : **#91** (deploy WAF risqué) · **#65** (refactor include, risque 502) ·
|
||||
**#447** (CI kiosk) · **#494/#471/#421** (worktree fix/494). Build+deploy toolbox 2.7.18 (#519) en attente.
|
||||
- **Backlog/future** : #685/#686 APK non-root (plan verrouillé) · #592 webmail-hub ·
|
||||
#514/#515/#516/#519/#522/#525 Phase 12-14 (#515 CDN / #516 anti-bot partiellement
|
||||
couverts par antibot_sites/opgrade_sites du social graph) · #500 Utiq · #497/#480/
|
||||
#478 VILLAGE3B Eye/poster · #472/#430/#429 Nextcloud · #471/#468/#421 perms (à
|
||||
vérifier si déjà corrigées) · #467/#462/#460/#255/#254 hardware/kernel · #455 egress ·
|
||||
#454/#453/#452/#449 mesh/BLE · #448/#447/#446/#434 kiosk · #422 vm cascade ·
|
||||
#393/#379/#347 packaging · #513 WebUI sub-tabs.
|
||||
- ⚠️ Fermeture finale = **user only** (sauf issues créées en session) ; les
|
||||
recommandations ci-dessus sont commentées sur chaque issue.
|
||||
|
||||
---
|
||||
|
||||
## ✅ 2026-06-22 : DPI exfil + Netrunner report + sbxmitm fixes (tous mergés, live gk2)
|
||||
|
||||
Session livrée intégralement sur master + déployée. Détail dans HISTORY 2026-06-22.
|
||||
|
||||
### ✅ Fait (mergé + live)
|
||||
- **DPI exfil pipeline (#687)** — `secubox-dpi 1.1.2` : flowcap (ndpiReader) → Go
|
||||
collector (catégories cloud/media/game/adult/ai/messaging/filehost/social + scénarios
|
||||
exfil) → `/api/v1/dpi/exfil` ; dashboard "Cloud Exfiltration Watch" + cartes repointées ;
|
||||
beaconing tuné (#692) ; cumulatif 7j `cumulative.json` (#705) ; packagé arm64.
|
||||
- **Report kbin = fiche Netrunner (#707)** — HTML (onglets Pistage/DPI/Overall + persona
|
||||
néon) **et** PDF (`_persona_block` + "En un coup d'œil" + grille donuts + carto + tables
|
||||
emoji). Charts en **PNG matplotlib** (#714, rendu universel iOS/Chrome) ; grille = une
|
||||
image 2×2 (#716, fin des 24 pages). Classe via UA live + niveau R3 auto (wg peer).
|
||||
- **sbxmitm** — cert forgé 24h→365d (#689, fin des "certificat expiré") ; fin de la
|
||||
troncature >8MiB (#697, Gmail OK) ; splice own-domain **rejeté** (#688, on intercepte tout).
|
||||
|
||||
### ⬜ Next Up (différé)
|
||||
- **#685/#686 APK on-device — NON-ROOT ONLY (plan verrouillé)** : VpnService in-app
|
||||
(wireguard-go), CA en DER + network-security-config WebView, retrait du chemin root.
|
||||
Gros build Android (CI + test device) → session dédiée. Détail : commentaire #685 + TODO.
|
||||
- **DPI Phase 3** — ✅ enrichissement ASN (#719, 1.1.3) · ✅ historique + timeline
|
||||
(#721, 1.1.4) · ❌ démon nDPId **écarté** (#722/#723 revertés) : risque perf
|
||||
(démon permanent vs fenêtres ndpiReader bornées) sur board saturée → **on garde
|
||||
ndpiReader**. **Phase 3 close.**
|
||||
- **#685 APK on-device** — install auto CA + handoff WG + détection tunnel (en attente
|
||||
décision rooted vs non-root du user).
|
||||
- **Cosmétique PDF** — glyphes drapeaux régionaux dégradent en lettres (police embarquée) ;
|
||||
chiffres légèrement espacés dans certaines cellules. Non bloquant.
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-19 : kbin Tor egress (#683) — ToolBoX 2.7.1, implémenté DARK
|
||||
|
||||
Switch + tunnel Tor quick-switch livrés sur `feature/683`, **défaut OFF / fail-closed**.
|
||||
Détail dans la section "Implémenté DARK" ci-dessous + HISTORY 2026-06-19.
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-19 : kbin milestone — ToolBoX 2.7.0 + chapitre Tor (plan)
|
||||
|
||||
Checkpoint de fin de session. Pas de changement de comportement runtime — docs +
|
||||
positionnement + version + plan de la lame suivante.
|
||||
|
||||
- ✅ **ToolBoX 2.7.0** (middle release) — clôt la ligne 2.6.x (ad-intelligence /
|
||||
Anti-Track v2 / anti-bot uTLS #662), ouvre le chapitre kbin « premier outil du
|
||||
couteau suisse cyber ». kbin = perf transparente + full encrypted + poison/smog +
|
||||
bandeau anti-adware + safe browsing.
|
||||
- ✅ **Docs kbin** — wiki [`Kbin-Toolbox.md`](../docs/wiki/Kbin-Toolbox.md),
|
||||
[`FAQ-KBIN-TOR.md`](../docs/FAQ-KBIN-TOR.md), blurb README.
|
||||
- ✅ **Plan #683** — spec
|
||||
[`2026-06-19-kbin-tor-anonymized-surfing-design.md`](../docs/superpowers/specs/2026-06-19-kbin-tor-anonymized-surfing-design.md) :
|
||||
endpoint Tor quick-switch (egress sortant, fail-closed, opt-in, no DNS leak,
|
||||
inspection préservée). Dépend du cœur Go #662.
|
||||
|
||||
### ✅ Implémenté DARK — chapitre Tor (#683, ToolBoX 2.7.1, branche feature/683)
|
||||
|
||||
- ✅ **Transport tranché** : *torify l'egress MITM* (owner-match nft sur l'uid
|
||||
`secubox-toolbox`/mitm-wg → Tor TransPort 9040 / DNSPort 5353). Inspection
|
||||
préservée. Décision USER (vs dialer SOCKS5 #662 = bloqué, vs torify client = casse
|
||||
l'inspection).
|
||||
- ✅ **Switch** : flags `tor_mode`/`tor_preset` (filters.json) ; API kbin-gated
|
||||
`GET/POST /admin/tor/{state,on,off,newnym,check-leaks}` ; onglet 🧅 WebUI (badge,
|
||||
toggle, NEWNYM, sonde fuite). `tor_ctl.py` réutilise le control-port de secubox-tor.
|
||||
- ✅ **Tunnel** : `conf/nft-toolbox-tor.nft` (fail-closed kill-switch + drop v6) +
|
||||
`conf/torrc-toolbox-egress.conf` + reconciler root path-triggered
|
||||
(`secubox-toolbox-tor.path` surveille filters.json → portail reste
|
||||
NoNewPrivileges=true). nft chargé AVANT tor (pas de fenêtre clearnet).
|
||||
- ✅ 166 tests verts ; license headers OK ; changelog 2.7.1.
|
||||
|
||||
#### ⬜ Avant flip ON (USER)
|
||||
|
||||
- Soak DARK puis `tor_mode=true` via l'onglet (admin.gk2).
|
||||
- Test de fuite **hors-board** : l'IP réelle de la box ne doit jamais apparaître.
|
||||
- Forcer `tls_splice` (#649) OFF quand armé (sinon flux asset fuient l'IP réelle).
|
||||
- **Per-client (WG-hash)** : nécessite le dialer SOCKS5 du cœur Go #662 (l'owner-match
|
||||
est global). Suivi sous #662.
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-17/18 : Anti-Track v2 + perf/ops sprint (gk2 live)
|
||||
|
||||
Tout mergé sur master + déployé sur gk2. Détail dans HISTORY 2026-06-18.
|
||||
|
||||
- ✅ **Anti-Track v2 (#633, PR #637)** — bloque/empoisonne/anonymise, moteur
|
||||
`privacy.py` + addon `privacy_guard.py`, learning (`learn.py`), IP-drop +
|
||||
unbound DNS-refuse (`ip_dns.py`/`escalate.py`), bypass-seed + #filtres badges,
|
||||
#social top-5. **Tourne DARK** (`privacy_enforce` unset). Wiki `Anti-Track.md`.
|
||||
- ✅ **Banner saga (#636/#639, PR #638/#640)** — mitm sert loader/bundle pour
|
||||
toute origine (PeerTube fixé), CSP fallback, top-bar, 1 bannière/visite.
|
||||
- ✅ **#634/#635** — reset-all clients + emojis device/flag/hosting.
|
||||
- ✅ **#642 (PR #643)** — social-graph ignore les edges IP-littéraux ; KPI
|
||||
"Trackers vus" = table.
|
||||
- ✅ **#644 (PR #645)** — hub dashboard/health-batch servis depuis cache TTL
|
||||
(health-batch 3.3 s → 8 ms) ; clients/rich enrichit 12 max. **hub 1.4.6**.
|
||||
- ✅ **#646 (PR #647)** — adaptive Accept-Encoding strip : plus de pages
|
||||
CSP-strict tirées décompressées via le worker R3 GIL-bound. **toolbox 2.6.53**.
|
||||
- ✅ **crowdsec** réparé (403 transitoire CDN → `dpkg --configure` RC=0, audit clean).
|
||||
|
||||
- ✅ **#623 (PR #648, merged 9950e9ec)** — clobber systémique RÉSOLU au source.
|
||||
La vraie cause : boilerplate scaffold `install -d -m 750 /var/lib/secubox` +
|
||||
`/run/secubox` (parents NUS) dans ~56 postinsts — écrit `-m 750` (3 chiffres),
|
||||
d'où le ratage des sweeps précédents. Empiriquement prouvé que le form
|
||||
`install -d -m 750 /parent/leaf` NE clobbe PAS le parent (seuls les targets
|
||||
parents-nus). Fix : tous → 1777 (/run) / 0755 ; 6 lignes multi-arg splittées
|
||||
(4 mettaient /var/lib en world-writable 1777) ; 3 `chmod 750 /var/log` ;
|
||||
scaffold `new-package.sh` + `PATTERNS.md` ; core 1.1.8 tmpfiles.d déclare les 5
|
||||
parents 0755. **PAS de mass-deploy** (60 paquets = mass-restart = risque
|
||||
thundering-herd) ; live couvert par `dirs-guard.timer` ; arrive au prochain
|
||||
build CI / reflash.
|
||||
|
||||
- ✅ **#649 Lever A — selective SNI-splice (PR #650, toolbox 2.6.54 LIVE dark)**.
|
||||
New `tls_splice` addon (first in mitm-wg chain) splices pure-asset flows at the
|
||||
TLS ClientHello — curated media seed (googlevideo/ytimg/fbcdn/twimg/scdn…) ∪
|
||||
autolearn-promoted never-HTML hosts — so GIL-bound R3 workers skip
|
||||
forge/decrypt/parse/16-addons on no-L7-value flows. Ships `tls_splice=observe`
|
||||
(DARK: classify+log, still MITM). Deployed gk2, addon loads clean, 0 runtime
|
||||
errors. Answer to "do we need full mitm?": YES for outbound HTTPS (per-host cert
|
||||
forging is intrinsic) — but only decrypt what we modify. Lever B (Go/Rust core)
|
||||
= strategic follow-up. WAF = later.
|
||||
|
||||
### ⬜ Next Up
|
||||
|
||||
- **#649 SOAK → FLIP** — review `would-splice` logs + `/run/secubox/splice.json`
|
||||
on real traffic for a soak window, confirm no first-party/HTML host is
|
||||
classified, then flip `tls_splice=on` in `/etc/secubox/toolbox/filters.json`
|
||||
(hot-reload). Before flip: the fortknox-via-WebUI refresh gap is already fixed.
|
||||
- **Lever B (#649 follow-up)** — Go/Rust forging-proxy core if A isn't enough.
|
||||
- **Anti-Track v2 ARMING** (décision USER, gated) — soak observe-only puis flip
|
||||
`privacy_enforce=true` ; régénérer `data/cdn-allowlist.txt` depuis les plages
|
||||
publiques avant `privacy_ip_drop` ; `unbound-checkconf` avant `privacy_dns_feed`.
|
||||
- **Tunnel R3 perf** — l'encoding fix aide ; reste la contention CPU board-wide
|
||||
(load ~5/4 cœurs, workers mono-thread). Lever suivant = réduire les co-tenants
|
||||
(gitea/R2-mitm/crowdsec/metrics) ou isoler le mitm, pas du tuning d'addon.
|
||||
- **#615** — Security Posture dans la navbar du Hub (petit enhancement).
|
||||
- **#592 webmail-hub** — BLOQUÉ : besoin client OAuth Google + vhost ; Phase 1
|
||||
IMAP (Gandi/OVH) peut démarrer sans OAuth.
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-14 : ToolBoX privacy/perf sprint — 2.6.36 live (see HISTORY)
|
||||
|
||||
Tout mergé + déployé sur gk2 (kbin sain, `secubox-toolbox 2.6.36`).
|
||||
Détail complet dans HISTORY 2026-06-14. Résumé :
|
||||
|
||||
- ✅ Protective spoof (#560), modular filters + ad-ghoster (#566, collapse
|
||||
#584), media cache opt-in (#577), autolearn (#589/#591), DPI media donut
|
||||
(#570), donut + domain-nugget cartographie (#553/#587, IP cachées #575,
|
||||
favicons #555), guirlande banner + pin (#572/#578), webext popup panel
|
||||
(#574), /ca/fingerprint R3 (#562), postinst restart fix (#581),
|
||||
detect_antibot deployment-vs-challenge (#564).
|
||||
- ✅ Clients : APK v0.3.0 (zero-tap launch+boot), webext v0.1.4.
|
||||
- ✅ Fixes live : Nextcloud iPhone photos (files_antivirus off + PHP
|
||||
limits), kbin 503 (#581).
|
||||
|
||||
### ⬜ Next Up
|
||||
|
||||
- **#592 secubox-webmail-hub** (Gmail OAuth2 + Gandi + OVH, inbox unifié) —
|
||||
design filé, **BLOQUÉ** : besoin d'un client OAuth Google (client_id/
|
||||
secret/redirect) + nom de vhost + (read-only Phase 1 ?). Phase 1 IMAP
|
||||
(Gandi/OVH) peut démarrer sans OAuth sur "start phase 1".
|
||||
- Côté user : re-trust R3 CA `D5:E4:3A` sur l'iPhone (bannière HTTPS) ;
|
||||
tester l'upload photo Nextcloud ; activer `media_cache` si voulu
|
||||
(`/admin/filters/ui`) et surveiller `/admin/cache`.
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-13 : Browser extension — emancipate cartographie live (#532)
|
||||
|
||||
Extension navigateur (`clients/webext-toolbox/`, MV3 Firefox `.xpi` +
|
||||
Chromium) sœur de l'app Android. Sort la *cartographie sociale* R3 dans
|
||||
le navigateur : badge live des traceurs + popup.
|
||||
|
||||
- **Extension** : `manifest.json` (MV3, background `service_worker` +
|
||||
`scripts` pour FF115+/Chromium), `api.js` (client `/wg/r3-check`,
|
||||
`/social/me` → token, `/social/graph/{token}`, `/social/wipe`),
|
||||
`background.js` (badge = total_trackers, re-pair silencieux si token
|
||||
expiré, couleur escalade gold→anti-bot→opérateur), popup (4 tuiles
|
||||
stats + **mini Round-Eye graph SVG sans dépendance** + top-traceurs
|
||||
taggés CDN/anti-bot/opérateur + actions cartographie/PDF/RGPD-wipe),
|
||||
options (hôte/fenêtre/token manuel). Pas de CORS backend nécessaire
|
||||
(host_permissions). Validé : JSON+JS+SVG OK, `.xpi` build 11.8 KB.
|
||||
- **Serve depuis la toolbox** (`2.6.14`) : `GET /wg/toolbox.xpi` (local
|
||||
sinon 302 → release), bouton `🧩 Extension navigateur` sur les 2
|
||||
panneaux onboard, helper `secubox-toolbox-fetch-xpi`, postinst dir.
|
||||
- **CI** : `build-webext.yml` — `web-ext lint` (0 erreur, 2 warnings
|
||||
bénins) + build, artifact, release asset sur tag `webext-v*`.
|
||||
- **Release** (PR #540 + #541, mergées) : tag `webext-v0.1.1` poussé →
|
||||
CI a publié `secubox-toolbox-webext.xpi` (téléchargeable, vérifié 200).
|
||||
`make_latest:false` + URL **tag-pinned** dans `/wg/toolbox.xpi` +
|
||||
`secubox-toolbox-fetch-xpi` pour ne pas voler le pointeur "Latest" à la
|
||||
release APK Android (dont l'endpoint résout via `/releases/latest/...`).
|
||||
→ bumper le tag dans la constante + le helper à chaque `webext-v*`.
|
||||
- **Reste à faire** : signature AMO (`.xpi` non signé = sideload/dev) ;
|
||||
endpoint SSE `/social/live/{token}` optionnel ; icône PNG Chromium ;
|
||||
contrôle Poke/Emancipate par-site quand #525 (déception) arrive ;
|
||||
déployer `secubox-toolbox 2.6.14` sur la board pour activer le bouton.
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-13 : Android ToolBox app — serve + root-mode silent onboarding (#531/#536/#538)
|
||||
|
||||
App compagnon Android **one-tap R3** pour la cabine VILLAGE3B
|
||||
(`clients/android-toolbox/`, `in.secubox.toolbox`, Kotlin + Compose).
|
||||
|
||||
- **#531 — scaffold + CI** : projet Gradle/Compose (5-step stepper
|
||||
Discover→InstallCa→ImportProfile→Verify→Done), client `HttpURLConnection`,
|
||||
workflow `build-android-apk.yml` (debug APK artifact, release asset sur
|
||||
tag `android-v*`). CI **GREEN**.
|
||||
- **#536 — serve depuis la toolbox** : endpoint `GET /wg/toolbox.apk`
|
||||
(sert le build local `/var/lib/secubox/toolbox/android/`, sinon 302 →
|
||||
release GitHub) + bouton *📱 Installer l'app ToolBoX (1-tap)* dans les
|
||||
panneaux onboard kbin + helper `secubox-toolbox-fetch-apk`. Vérifié :
|
||||
200 `application/vnd.android.package-archive`, 14.8 MB.
|
||||
- **#538 — root-mode silent onboarding** (PR #539, branche poussée) :
|
||||
bouton *⚡ Installation automatique (root)* sur devices rootés →
|
||||
install CA dans le magasin **système** (bind-mount cacerts + APEX
|
||||
conscrypt, SELinux ctx, `subject_hash_old` en Kotlin pur) + tunnel
|
||||
WireGuard **natif noyau** (`ip link add … type wireguard` + `wg set`) +
|
||||
vérif R3 auto. Fallback handoff app WireGuard si noyau sans WG. Toutes
|
||||
les actions root gated derrière le tap explicite. Nouveaux fichiers
|
||||
`RootShell.kt`, `RootOnboard.kt`, step `RootAuto` (log streamé).
|
||||
- **Reste à faire** : release signing (keystore secret CI) pour une
|
||||
empreinte publiée stable — actuellement debug-signé (sideload).
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-12 : Admin WireGuard tunnel + SSH hardening (ref #529)
|
||||
|
||||
Accès admin out-of-band + fermeture de la surface SSH publique.
|
||||
|
||||
- **wg-admin** (#529) : interface dédiée UDP **51821**, server `10.98.0.1/24`,
|
||||
distincte de wg-toolbox (51820). Peer `gandalf-admin` @ `10.98.0.2`.
|
||||
nft drop-in `secubox-admin-wg.nft` (udp/51821), `wg-quick@wg-admin`
|
||||
enabled. Client importé dans NetworkManager du poste dev, tunnel UP,
|
||||
`ssh root@10.98.0.1` confirmé (key auth).
|
||||
- **Découverte sécurité** : la box subissait un brute-force SSH public
|
||||
actif (centaines de tentatives 87.251.64.x / 51.68.34.x + IPs déjà
|
||||
blacklistées). Le routeur `192.168.1.254` port-forward :22 → box sur
|
||||
`eth1`/`lan0`, et l'input chain a un blanket `iif eth1 accept` (le
|
||||
DNAT préserve l'IP source publique réelle).
|
||||
- **Hardening appliqué + vérifié** :
|
||||
- sshd : `PasswordAuthentication no` + `PermitRootLogin prohibit-password`
|
||||
(drop-in `99-secubox-hardening.conf`, key-only).
|
||||
- nft SSH-guard : `tcp dport 22 ip saddr != { 192.168.1.0/24, 10.0.0.0/8 } drop`
|
||||
inséré AVANT `iif eth1 accept` (live sans flush + persisté dans
|
||||
`/etc/nftables.conf`).
|
||||
- Résultat : `ssh root@10.98.0.1` (tunnel) OK key-only ; public
|
||||
`admin.gk2.secubox.in:22` **timeout (bloqué)**. Tables blacklist/wg
|
||||
intactes.
|
||||
- **Script reproductible** `scripts/setup-admin-tunnel.sh`
|
||||
(`provision | add <name> | harden`), idempotent, branche `feature/529`
|
||||
poussée (pas de PR).
|
||||
- **Reste à faire (côté user)** : retirer le port-forward :22 du routeur
|
||||
(le tunnel remplace l'accès) ; IPv6 SSH non couvert par le guard v4
|
||||
(à ajouter si exposition IPv6).
|
||||
|
||||
---
|
||||
|
||||
## 🔄 2026-06-11 : Phase 12.C + Phase 13 COMPLETE (protection enforcement plane) — v2.13.16→19 (ref #518-#528)
|
||||
|
||||
### ✅ Phase 12.C — operator-grade / state-adjacent (#518, v2.13.16)
|
||||
detect_operator_grade : telco header-enrichment (MSISDN/x-acr), consortium
|
||||
(Utiq/TrustPid), data-broker / state-adjacent (LiveRamp/BlueKai/Acxiom/
|
||||
Neustar/Tapad/Experian/Palantir-class). Top-severity void-purple lens +
|
||||
PDF section. `secubox-toolbox 2.6.7`.
|
||||
|
||||
### ✅ Phase 13 — protection enforcement plane (#519) COMPLETE
|
||||
Le plan de bannissement (Vortex DNS + WAF + CrowdSec) enforce maintenant
|
||||
sur le browsing des appareils, à tous les niveaux egress.
|
||||
|
||||
| Track | Issue | Livré | Tag |
|
||||
|---|---|---|---|
|
||||
| 13.A spine | #521 | nft set `inet secubox_blacklist` + forward-drop chain ; sync CrowdSec+threat-intel | v2.13.17 (2.6.8) |
|
||||
| 13.B DNS-guard | #522 | résout domaines blocklistés → IPs (anti-DoH bypass) + détection DoH/DoT count-only | v2.13.17 (2.6.9) |
|
||||
| 13.C attribution | #524 | per-device (WG/lease hash) blocked-attempts + quarantine set + endpoints | v2.13.18 (2.6.10) |
|
||||
| 13.D feedback | #527 | escalation evaluator (detections→nft/cscli/quarantine), audit-log, **default OFF** | v2.13.19 (2.6.11) |
|
||||
|
||||
**Doctrine** : DEFAULT DROP préservé (policy accept n'ajoute que des drops) ;
|
||||
pas de WAF bypass ; anonyme (mac_hash sel rotatif) ; tout réversible (TTL +
|
||||
unban) ; escalade opt-in par source.
|
||||
|
||||
**Bug latent corrigé (#521)** : `override_dh_strip` ne tourne jamais pour
|
||||
un paquet `Architecture: all` → tous les drop-ins nft/unbound/nginx/perf
|
||||
avaient cessé de shipper (cause racine de la live-config-drift). Déplacé
|
||||
vers `execute_after_dh_auto_install`. Mémoire ajoutée.
|
||||
|
||||
### 💡 Idée future capturée (#525)
|
||||
Phase 14 « plan de déception » : au lieu de bloquer les IPs trackers,
|
||||
générer des pseudo-réponses proxy (indistinguable du drop, pollue le
|
||||
profil) ; idem neutraliser les scripts CDN préchargés. Pour plus tard.
|
||||
|
||||
### 🧹 État du dépôt
|
||||
Toutes les branches Phase 11/12/13 mergées + supprimées sur origin.
|
||||
master @ `v2.13.19` (`secubox-toolbox 2.6.11`). Worktrees Phase 11-13
|
||||
nettoyés. (Worktrees plus anciens #429/#485/#486/#490/#494/#495/#498 +
|
||||
license = travail parallèle, non touchés.)
|
||||
|
||||
### ⬜ Next up
|
||||
- **Phase 13 opt-in tuning** : activer les sources d'escalade (env
|
||||
`SECUBOX_ESCALATE_*`) selon politique opérateur quand voulu.
|
||||
- **threatfox feed = 0 IOCs** : investiguer pourquoi l'ingestion domain
|
||||
est vide (impacte 13.B resolved_domains).
|
||||
- **Phase 14 déception** (#525) quand prêt.
|
||||
*Mis à jour : 2026-06-10*
|
||||
|
||||
---
|
||||
|
||||
|
|
|
|||
10
.github/ISSUES/2026-07-P2P-EVOLUTIONS.md
vendored
|
|
@ -1,10 +0,0 @@
|
|||
# secubox-p2p evolutions — tracked in GitHub issue #774
|
||||
|
||||
This topic is now tracked in a **real GitHub issue**, not this file:
|
||||
|
||||
https://github.com/CyberMind-FR/secubox-deb/issues/774
|
||||
|
||||
The original local draft (fake id "P2P-EVO-2026-07-001") and its non-integrating
|
||||
code (dht.py / federation.py / masterlink.py / main_evolutions.py / test_dht.py)
|
||||
were reverted. Scope, framing vs #766/#768/#762, acceptance criteria and method
|
||||
live in issue #774. Work continues on branch `feature/p2p-dht-federation`.
|
||||
1
.github/workflows/build-all-live-usb.yml
vendored
|
|
@ -48,7 +48,6 @@ jobs:
|
|||
output_pattern: "secubox-live-amd64-*.img*"
|
||||
needs_qemu: false
|
||||
embed_image: false
|
||||
extra_args: "--kiosk"
|
||||
|
||||
# MOCHAbin (arm64) - U-Boot distroboot
|
||||
- platform: mochabin
|
||||
|
|
|
|||
70
.github/workflows/build-android-apk.yml
vendored
|
|
@ -1,70 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Build the SecuBox Android ToolBox client APK (#531).
|
||||
# No Gradle wrapper jar is committed (text-only scaffold) — setup-gradle
|
||||
# provides Gradle ; setup-android provides the SDK. Produces a debug APK
|
||||
# artifact (sideloadable). Release signing is a follow-up (needs a
|
||||
# keystore secret).
|
||||
name: build-android-apk
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
paths: [ "clients/android-toolbox/**", ".github/workflows/build-android-apk.yml" ]
|
||||
tags: [ "android-v*" ]
|
||||
pull_request:
|
||||
paths: [ "clients/android-toolbox/**" ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write # needed to attach the APK to a release on tags
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-22.04
|
||||
defaults:
|
||||
run:
|
||||
working-directory: clients/android-toolbox
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up JDK 17
|
||||
uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: temurin
|
||||
java-version: "17"
|
||||
|
||||
- name: Set up Android SDK
|
||||
uses: android-actions/setup-android@v3
|
||||
|
||||
- name: Set up Gradle
|
||||
uses: gradle/actions/setup-gradle@v4
|
||||
with:
|
||||
gradle-version: "8.9"
|
||||
|
||||
- name: Build debug APK
|
||||
run: gradle :app:assembleDebug --no-daemon --stacktrace
|
||||
|
||||
- name: Upload APK artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: secubox-toolbox-android-debug
|
||||
path: clients/android-toolbox/app/build/outputs/apk/debug/*.apk
|
||||
if-no-files-found: error
|
||||
|
||||
# On android-v* tags, publish the APK as a release asset under the
|
||||
# stable name the toolbox fetch helper + /wg/toolbox.apk expect
|
||||
# (#536). `latest/download/secubox-toolbox-android.apk` resolves to
|
||||
# whichever release is newest.
|
||||
- name: Stage release asset
|
||||
if: startsWith(github.ref, 'refs/tags/android-v')
|
||||
run: |
|
||||
mkdir -p "$GITHUB_WORKSPACE/release"
|
||||
cp app/build/outputs/apk/debug/app-debug.apk \
|
||||
"$GITHUB_WORKSPACE/release/secubox-toolbox-android.apk"
|
||||
|
||||
- name: Publish release
|
||||
if: startsWith(github.ref, 'refs/tags/android-v')
|
||||
uses: softprops/action-gh-release@v2
|
||||
with:
|
||||
files: release/secubox-toolbox-android.apk
|
||||
fail_on_unmatched_files: true
|
||||
25
.github/workflows/build-packages.yml
vendored
|
|
@ -63,11 +63,6 @@ jobs:
|
|||
# Build the flat {package, arch} matrix. Honour the workflow_dispatch
|
||||
# `arch` and `package` filters if set (empty on `push: tags` events).
|
||||
requested_arch="${REQUESTED_ARCH:-}"
|
||||
# `both` means build every arch — same as the empty (push: tags)
|
||||
# case. Without this the matrix filter (which only compares against
|
||||
# amd64/arm64/empty) yields an EMPTY matrix, so no package builds and
|
||||
# `collect` fails.
|
||||
[ "$requested_arch" = "both" ] && requested_arch=""
|
||||
requested_pkg="${REQUESTED_PKG:-}"
|
||||
|
||||
combos=$(find packages/secubox-* -path "*/debian/control" -not -path "*/debian/*/DEBIAN/control" \
|
||||
|
|
@ -157,12 +152,7 @@ jobs:
|
|||
sudo apt-get update -qq
|
||||
sudo apt-get install -y -qq \
|
||||
build-essential dpkg-dev debhelper devscripts fakeroot \
|
||||
dh-python python3-all python3-setuptools golang-go
|
||||
# golang-go satisfies Build-Depends of the pure-Go packages
|
||||
# (secubox-dpi, secubox-toolbox-ng: CGO_ENABLED=0, GOARCH=arm64,
|
||||
# -mod=vendor offline cross-compile). ubuntu-24.04 ships >= 1.22.
|
||||
# Without it dpkg-checkbuilddeps aborts the arm64 build — this was
|
||||
# the real cause of the "arm64 red" runs, not a CGO toolchain gap.
|
||||
dh-python python3-all python3-setuptools
|
||||
# arm64 cross-toolchain — dh_strip and dh_makeshlibs invoke
|
||||
# aarch64-linux-gnu-{strip,objdump} when -a arm64 is passed.
|
||||
# Without these, arch-specific packages shipping prebuilt
|
||||
|
|
@ -223,18 +213,7 @@ jobs:
|
|||
# no-op; for arm64 jobs that don't compile native code (Python +
|
||||
# prebuilt arm64 binaries — like sentinelle-gsm), -a arm64 is
|
||||
# enough to cross-stamp the .deb.
|
||||
#
|
||||
# Pure-Go packages (CGO_ENABLED=0, GOARCH cross) only need the `go`
|
||||
# toolchain, which is present via golang-1.22-go. But their
|
||||
# `Build-Depends: golang-go (>= 1.22)` trips dpkg-checkbuilddeps
|
||||
# because apt registers golang-1.22-go, not the golang-go
|
||||
# metapackage, on the runner. Skip the dep check (-d) for just these
|
||||
# — the compiler is there and the build is self-contained (-mod=vendor).
|
||||
DEPFLAG=""
|
||||
case "${{ matrix.package }}" in
|
||||
secubox-dpi|secubox-toolbox-ng|secubox-waf-ng) DEPFLAG="-d" ;;
|
||||
esac
|
||||
dpkg-buildpackage -us -uc -b $DEPFLAG -a ${{ matrix.arch }}
|
||||
dpkg-buildpackage -us -uc -b -a ${{ matrix.arch }}
|
||||
|
||||
echo "✅ Build OK: ${{ matrix.package }} (${{ matrix.arch }})"
|
||||
|
||||
|
|
|
|||
63
.github/workflows/build-webext.yml
vendored
|
|
@ -1,63 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Build the SecuBox ToolBoX browser extension (#532).
|
||||
# Plain JS/HTML/CSS — no bundler. web-ext lints + packages the .xpi.
|
||||
# Produces an unsigned .xpi artifact; release signing (AMO) is a
|
||||
# follow-up (needs AMO API credentials as secrets).
|
||||
name: build-webext
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
paths: [ "clients/webext-toolbox/**", ".github/workflows/build-webext.yml" ]
|
||||
tags: [ "webext-v*" ]
|
||||
pull_request:
|
||||
paths: [ "clients/webext-toolbox/**" ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write # needed to attach the .xpi to a release on tags
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-22.04
|
||||
defaults:
|
||||
run:
|
||||
working-directory: clients/webext-toolbox
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Node
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: "20"
|
||||
|
||||
- name: Lint (web-ext)
|
||||
run: npx --yes web-ext lint --source-dir . --self-hosted --ignore-files build.sh README.md
|
||||
|
||||
- name: Build .xpi (web-ext)
|
||||
run: |
|
||||
npx --yes web-ext build --source-dir . \
|
||||
--artifacts-dir web-ext-artifacts --overwrite-dest \
|
||||
--ignore-files build.sh README.md \
|
||||
--filename "secubox-toolbox-webext.xpi"
|
||||
|
||||
- name: Upload .xpi artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: secubox-toolbox-webext
|
||||
path: clients/webext-toolbox/web-ext-artifacts/secubox-toolbox-webext.xpi
|
||||
if-no-files-found: error
|
||||
|
||||
# On webext-v* tags, publish the .xpi as a release asset under the
|
||||
# stable name the toolbox fetch helper + /wg/toolbox.xpi expect.
|
||||
# make_latest:false so this client release does NOT steal the
|
||||
# "latest" pointer from the Android APK release (which the APK
|
||||
# endpoint resolves via /releases/latest/download/…). The xpi
|
||||
# endpoint/fetcher therefore use a tag-pinned download URL.
|
||||
- name: Publish release
|
||||
if: startsWith(github.ref, 'refs/tags/webext-v')
|
||||
uses: softprops/action-gh-release@v2
|
||||
with:
|
||||
files: clients/webext-toolbox/web-ext-artifacts/secubox-toolbox-webext.xpi
|
||||
fail_on_unmatched_files: true
|
||||
make_latest: false
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
# Task 2 Report: DHTNode + DHTBucket (k-bucket with LRU)
|
||||
|
||||
## Status
|
||||
**DONE**
|
||||
|
||||
## Commit Hash
|
||||
`5843ca7e`
|
||||
|
||||
## Test Summary
|
||||
All 5 tests passing (3 from Task 1 + 2 from Task 2):
|
||||
- test_node_id_is_sha1_of_did ✅
|
||||
- test_xor_distance_symmetry_and_zero ✅
|
||||
- test_constants ✅
|
||||
- test_bucket_add_and_refresh_moves_to_tail ✅ (Task 2)
|
||||
- test_bucket_full_rejects_new_and_reports_oldest ✅ (Task 2)
|
||||
|
||||
**Test command:** `cd packages/secubox-p2p && python3 -m pytest tests/test_dht.py -v`
|
||||
**Result:** 5 passed in 0.04s
|
||||
|
||||
---
|
||||
|
||||
## Implementation Summary
|
||||
|
||||
### Files Modified
|
||||
- `packages/secubox-p2p/api/dht.py` — appended imports + DHTNode + DHTBucket classes
|
||||
- `packages/secubox-p2p/tests/test_dht.py` — appended 2 new test cases
|
||||
|
||||
### What Was Implemented
|
||||
|
||||
**DHTNode (dataclass):**
|
||||
```python
|
||||
@dataclass
|
||||
class DHTNode:
|
||||
node_id: bytes
|
||||
did: str
|
||||
endpoint: tuple # (host, port)
|
||||
last_seen: float = 0.0
|
||||
```
|
||||
|
||||
**DHTBucket (k-bucket with LRU via OrderedDict):**
|
||||
- `__init__(k: int = KAD_K)` — initializes empty OrderedDict
|
||||
- `add(node: DHTNode) -> bool` — updates node.last_seen, returns True if stored/refreshed, False if full; refresh moves node to tail (most-recent)
|
||||
- `remove(node_id: bytes) -> None` — removes node from bucket
|
||||
- `oldest() -> DHTNode|None` — returns head node (oldest), or None if empty
|
||||
- `nodes` property — returns list of all nodes in LRU order
|
||||
|
||||
**Imports Added:**
|
||||
```python
|
||||
import time
|
||||
from collections import OrderedDict
|
||||
from dataclasses import dataclass, field
|
||||
```
|
||||
|
||||
### Test Behavior
|
||||
|
||||
**test_bucket_add_and_refresh_moves_to_tail:**
|
||||
- Creates bucket with k=2
|
||||
- Adds nodes a, c → stored in order [a, c]
|
||||
- Adds a again (refresh) → moves to tail, now [c, a]
|
||||
- Tests OrderedDict.move_to_end() semantics
|
||||
|
||||
**test_bucket_full_rejects_new_and_reports_oldest:**
|
||||
- Creates bucket with k=1 (capacity 1)
|
||||
- Adds node a → stored
|
||||
- Adds node c → returns False (full), c not stored
|
||||
- oldest() returns a (the head/oldest)
|
||||
- Tests full bucket rejection and oldest() accessor
|
||||
|
||||
---
|
||||
|
||||
## TDD Workflow Completed
|
||||
|
||||
1. ✅ **Step 1:** Appended failing tests (ImportError: DHTNode)
|
||||
2. ✅ **Step 2:** Ran pytest → confirmed failure
|
||||
3. ✅ **Step 3:** Implemented DHTNode + DHTBucket
|
||||
4. ✅ **Step 4:** Ran pytest → all 5 tests pass
|
||||
5. ✅ **Step 5:** Committed with message `feat(p2p): DHT k-bucket with LRU (#774)`
|
||||
|
||||
---
|
||||
|
||||
## Quality Notes
|
||||
|
||||
### Correctness
|
||||
- OrderedDict provides O(1) LRU operations: insertion, lookup, move_to_end, iteration order
|
||||
- DHTNode matches brief signature exactly
|
||||
- LRU semantics: new adds to tail, refresh moves to tail, oldest() reads head
|
||||
- add() properly handles both new insertion (capacity check) and refresh (move_to_end)
|
||||
|
||||
### No Regressions
|
||||
- All 3 Task 1 tests still pass
|
||||
- Test helper `_n()` isolates test setup
|
||||
|
||||
### Code Quality
|
||||
- SPDX header preserved (did not modify)
|
||||
- Follows existing module conventions
|
||||
- Concise implementation (~40 lines for both classes)
|
||||
|
||||
---
|
||||
|
||||
## Concerns
|
||||
None. Implementation straightforward and tested.
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
# Task 3 Report: RoutingTable (160 buckets, closest-N)
|
||||
|
||||
## Status
|
||||
✅ **COMPLETE** — RoutingTable implemented and all 7 tests GREEN.
|
||||
|
||||
## Commit
|
||||
- **Hash:** `a062f379`
|
||||
- **Message:** `feat(p2p): DHT routing table + closest-N (#774)`
|
||||
|
||||
## Files Changed
|
||||
|
||||
### `packages/secubox-p2p/api/dht.py`
|
||||
- Appended `RoutingTable` class with:
|
||||
- `__init__(self_id: bytes)`: creates 160 DHTBucket instances
|
||||
- `_bucket_index(node_id)`: computes shared-prefix length (0–159)
|
||||
- `insert(node) -> bool`: returns False for self_id or full bucket, else adds to appropriate bucket
|
||||
- `closest(target_id, count=KAD_K)`: returns count nearest nodes sorted by xor_distance
|
||||
- `all_nodes()`: flattens all 160 buckets into a single list
|
||||
|
||||
### `packages/secubox-p2p/tests/test_dht.py`
|
||||
- Appended 2 tests:
|
||||
- `test_closest_orders_by_xor_distance`: verifies ordering by XOR distance and exact target match
|
||||
- `test_insert_ignores_self`: verifies self_id rejection
|
||||
|
||||
## Test Results
|
||||
|
||||
```
|
||||
$ cd packages/secubox-p2p && python3 -m pytest tests/test_dht.py -v
|
||||
collected 7 items
|
||||
|
||||
tests/test_dht.py::test_node_id_is_sha1_of_did PASSED
|
||||
tests/test_dht.py::test_xor_distance_symmetry_and_zero PASSED
|
||||
tests/test_dht.py::test_constants PASSED
|
||||
tests/test_dht.py::test_bucket_add_and_refresh_moves_to_tail PASSED
|
||||
tests/test_dht.py::test_bucket_full_rejects_new_and_reports_oldest PASSED
|
||||
tests/test_dht.py::test_closest_orders_by_xor_distance PASSED
|
||||
tests/test_dht.py::test_insert_ignores_self PASSED
|
||||
|
||||
============================== 7 passed in 0.03s ===============================
|
||||
```
|
||||
|
||||
All 5 prior tests remain GREEN; 2 new tests added and GREEN.
|
||||
|
||||
## Deliverable Verification
|
||||
|
||||
✅ `RoutingTable` class appended to `api/dht.py` (line 73–104)
|
||||
✅ `__init__(self_id: bytes)` creates 160 DHTBucket instances
|
||||
✅ `insert(node: DHTNode) -> bool` returns False for self_id or full buckets
|
||||
✅ `closest(target_id: bytes, count=KAD_K) -> list[DHTNode]` sorted nearest-first by xor_distance
|
||||
✅ `all_nodes() -> list[DHTNode]` flattens all buckets
|
||||
✅ TDD: tests written first, implementation follows brief exactly
|
||||
|
||||
## Concerns
|
||||
|
||||
None. Implementation follows the brief verbatim. TDD cycle complete with all tests GREEN. Ready for Task 4.
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
# Task 4 Report: Signed Reachability Records (DHT)
|
||||
|
||||
## Status
|
||||
✅ **COMPLETE** — All 9 tests passing (7 prior + 2 new Task 4 tests)
|
||||
|
||||
## Commit
|
||||
- **Hash**: 4ee293ba
|
||||
- **Message**: feat(p2p): DHT signed reachability records + verify (#774)
|
||||
|
||||
## Test Summary
|
||||
- `test_canonical_is_stable_and_sorted` ✅ — canonical_record produces deterministic sorted JSON
|
||||
- `test_verify_rejects_tampered` ✅ — verify_record correctly rejects tampered endpoint, missing sig, and validates DID
|
||||
- **Total**: 9/9 passing (0 failures)
|
||||
|
||||
## Implementation Details
|
||||
- Added `canonical_record(did, wg_pubkey, endpoint, ts) -> bytes` — deterministic sorted JSON with separators (",", ":")
|
||||
- Added crypto SEAMS (module-level, testable via monkeypatch):
|
||||
- `_did_from_pubkey(pub_hex) -> str` — wraps annuaire_client.did_from_pubkey_hex
|
||||
- `_verify_sig(body, sig_hex, pub_hex) -> bool` — stub (NotImplementedError)
|
||||
- `_sign_sig(body) -> str` — stub (NotImplementedError)
|
||||
- Added `sign_record(did, wg_pubkey, endpoint, ts) -> dict` — calls _sign_sig, returns dict with "sig" field
|
||||
- Added `verify_record(rec) -> bool` — checks sig presence, DID validity, signature integrity; catches KeyError/TypeError/ValueError
|
||||
|
||||
## Concerns
|
||||
None. Tests confirm:
|
||||
- Deterministic canonical form (exact byte match across calls)
|
||||
- Monkeypatching of crypto seams works as designed
|
||||
- verify_record correctly detects tampering and unsigned records
|
||||
- Exception handling catches missing fields gracefully
|
||||
|
||||
Ready for Task 5 (integration with DHT operations).
|
||||
|
|
@ -1,142 +0,0 @@
|
|||
# Task 5 Report — Security + Provisioning Glue
|
||||
|
||||
**Date**: 2026-07-01
|
||||
**Status**: DONE
|
||||
|
||||
---
|
||||
|
||||
## Files Created
|
||||
|
||||
| File | Mode (installed) | Note |
|
||||
|------|-----------------|------|
|
||||
| `packages/secubox-macro/sudoers.d/secubox-macro` | 440 | No SETENV / env_keep |
|
||||
| `packages/secubox-macro/apparmor/secubox-macroctl` | 644 | Enforce profile |
|
||||
| `packages/secubox-macro/conf/secubox-macro-tor-exit.conf.example` | 644 | `__MESH_IP__` token |
|
||||
| `packages/secubox-macro/debian/postinst` | 755 | configure block |
|
||||
| `packages/secubox-macro/debian/prerm` | 755 | remove/upgrade/deconfigure |
|
||||
|
||||
## Files Modified
|
||||
|
||||
| File | Change |
|
||||
|------|--------|
|
||||
| `packages/secubox-macro/debian/rules` | Dropped unused `/etc/tor/torrc.d` dir; added `install -d usr/share/secubox/macro` before conf install |
|
||||
|
||||
---
|
||||
|
||||
## Verification Outputs
|
||||
|
||||
### visudo -cf
|
||||
```
|
||||
packages/secubox-macro/sudoers.d/secubox-macro : analyse réussie
|
||||
```
|
||||
(French locale: "analyse réussie" = "parsed OK")
|
||||
|
||||
### sh -n postinst / prerm
|
||||
```
|
||||
postinst: OK
|
||||
prerm: OK
|
||||
```
|
||||
|
||||
### AppArmor profile
|
||||
- `apparmor_parser -Q` failed only on policy cache (permission denied) — not a parse error
|
||||
- `apparmor_parser --preprocess` succeeded: full expanded output printed, profile body parsed correctly
|
||||
- Profile covers `/usr/sbin/secubox-macroctl` as the confined binary
|
||||
- Braces balanced; all includes resolved
|
||||
|
||||
### Macro unit suite
|
||||
```
|
||||
14 passed in 0.51s
|
||||
```
|
||||
No regressions.
|
||||
|
||||
### Rules-referenced files (all present)
|
||||
```
|
||||
OK: sbin/secubox-macroctl
|
||||
OK: macros.d/tor-exit
|
||||
OK: sudoers.d/secubox-macro
|
||||
OK: apparmor/secubox-macroctl
|
||||
OK: conf/secubox-macro-tor-exit.conf.example
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## AppArmor Example Mirrored
|
||||
|
||||
The brief cited `packages/secubox-eye-square/debian/secubox-eye-square/etc/apparmor.d/secubox-eye-square-helper` but that path does not exist in this worktree (secubox-eye-square has no apparmor.d directory). Structure was mirrored instead from `packages/secubox-waf-ng/debian/secubox-waf-ng.apparmor`, which is the most complete enforce-profile in this worktree. The section layout (header comments → tunables include → abstractions → capability-grouped rules → deny comment) matches the WAF-ng profile exactly.
|
||||
|
||||
---
|
||||
|
||||
## Self-Review
|
||||
|
||||
- **sudoers**: Exact required line, no SETENV, no env_keep. Default `env_reset` is the only env control. Validated by visudo.
|
||||
- **AppArmor**: DEFAULT-DENY (implicit AppArmor). All permitted surfaces explicitly listed. `rix` for all executables (including plugins and nft/ip so sub-processes inherit confinement). `rw` for state store. `w` (not `rw`) for audit log (write-only, matches append intent). `/etc/tor/torrc.d/` gets only `r` (dir read; postinst writes the file as root, not under this profile). Network: `inet stream` + `netlink raw` only (no `inet6`, no `unix`).
|
||||
- **postinst**: All operations guarded with `|| true`. No shared-parent chown (respects #494/#511 CMSD policy). nft operations conditioned on `inet secubox_filter` table existence. Tor reload attempted (reload first, then restart fallback). AppArmor load conditioned on `command -v apparmor_parser`.
|
||||
- **prerm**: `remove|upgrade|deconfigure` cases. Tor file removed best-effort. nft rule deletion uses handle lookup (robust to rule order changes).
|
||||
- **rules fix**: The Task-3 rules had `install -d .../etc/tor/torrc.d` (unused — torrc.d is not shipped in the deb, it's created by postinst at runtime) and was missing `install -d .../usr/share/secubox/macro` before the conf.example install. Both corrected.
|
||||
|
||||
---
|
||||
|
||||
## Concerns
|
||||
|
||||
1. **`/var/log/secubox/audit.log` AppArmor mode**: The profile uses `w` (write) which covers append. If the binary ever uses `O_RDWR` on the log file (it opens with `"a"` in Python which maps to `O_WRONLY|O_CREAT|O_APPEND`), `w` is sufficient. No concern.
|
||||
2. **`#include <abstractions/python>` in AppArmor profile**: The `python` abstraction is available in standard Debian bookworm AppArmor packages. No concern for target platform.
|
||||
3. **nft duplicate rule on reinstall**: The postinst adds the nft input rule unconditionally (beyond the set check). A `dpkg --reinstall` will add a duplicate rule. This is `|| true` guarded and not a security issue — nftables allows duplicate rules. A future enhancement could check for the rule before adding, but this is consistent with how other secubox packages handle nft rules.
|
||||
4. **`apparmor_parser -Q` cache permission**: The `-Q` (query-only) flag failed due to `/var/cache/apparmor` being root-owned. This is a dev environment constraint, not a parse error. `--preprocess` confirmed syntax is valid.
|
||||
|
||||
---
|
||||
|
||||
## Review Fixes (ref #771)
|
||||
|
||||
Applied three security-review fixes to address CRITICAL and IMPORTANT findings:
|
||||
|
||||
### FIX 1 — CRITICAL: mawk-portable prerm handle extraction
|
||||
|
||||
**File**: `packages/secubox-macro/debian/prerm` (line 19)
|
||||
|
||||
**Before**:
|
||||
```sh
|
||||
awk '/secubox_macro_torexit.*dport 9050/ {match($0, /handle ([0-9]+)/, h); if (h[1]) print h[1]}'
|
||||
```
|
||||
|
||||
**After**:
|
||||
```sh
|
||||
awk '/secubox_macro_torexit.*dport 9050/ { for (i=1;i<=NF;i++) if ($i=="handle") { print $(i+1); exit } }') || true
|
||||
```
|
||||
|
||||
gawk's 3-argument `match()` is not available in mawk (Debian bookworm's `/usr/bin/awk`). The replacement iterates fields portably. The `|| true` prevents `set -e` from aborting prerm on awk/nft failure.
|
||||
|
||||
**Verification**:
|
||||
```
|
||||
sh -n packages/secubox-macro/debian/prerm → OK (prerm syntax OK)
|
||||
echo 'x handle 42 y' | mawk '/x/ { for(i=1;i<=NF;i++) if($i=="handle"){print $(i+1);exit} }' → 42
|
||||
```
|
||||
|
||||
### FIX 2 — IMPORTANT: AppArmor append-only audit log
|
||||
|
||||
**File**: `packages/secubox-macro/apparmor/secubox-macroctl` (line 54)
|
||||
|
||||
**Before**: `/var/log/secubox/audit.log w,`
|
||||
|
||||
**After**: `/var/log/secubox/audit.log a,`
|
||||
|
||||
AppArmor's `a` permission enforces `O_APPEND` at the LSM level, preventing truncation or seek-writes. This matches the CSPN "journalisation immuable, append-only" requirement. The Python side already opens in `"a"` mode.
|
||||
|
||||
**Verification**:
|
||||
```
|
||||
grep 'audit.log' apparmor/secubox-macroctl
|
||||
# - w : /var/log/secubox/audit.log (append-only audit trail)
|
||||
/var/log/secubox/audit.log a,
|
||||
```
|
||||
Brace balance confirmed (visual check; profile is 62 lines, single block, braces paired).
|
||||
|
||||
### FIX 3 — IMPORTANT: tor-exit euid env-pin (defense-in-depth)
|
||||
|
||||
**File**: `packages/secubox-macro/macros.d/tor-exit` (inserted at start of `main()`, line 39)
|
||||
|
||||
Added `if os.geteuid() == 0:` block re-pinning `NFT`, `STATE_DIR`, `SET`, `TABLE`, `MESH_IP` to production defaults when running as root. Prevents a leaked `TOREXIT_NFT=/tmp/evil` from becoming root-RCE. Non-root euid (test harness) continues to honor env overrides.
|
||||
|
||||
**Verification**:
|
||||
```
|
||||
grep -n 'geteuid' macros.d/tor-exit → 40: if os.geteuid() == 0:
|
||||
python3 -m pytest tests/ -q → 14 passed in 0.52s
|
||||
```
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
STATUS: DONE
|
||||
COMMIT: 692081f9af3cea70020ac132872ff23b77c007f1
|
||||
TESTS: 16 passed (14 prior + 2 new) — `cd packages/secubox-p2p && python3 -m pytest tests/test_dht.py -v`
|
||||
CONCERNS: none blocking. `.superpowers/sdd/task-5-report.md` shows as modified in `git status` but was not touched by this task (pre-existing uncommitted drift from an earlier session in this worktree) — left untouched/uncommitted, not part of this commit.
|
||||
|
||||
---
|
||||
|
||||
## Fix pass — issue #774 review findings (Task 7 hardening)
|
||||
|
||||
Reviewer found 4 real defects in the Task 7 iterative-lookup code in
|
||||
`packages/secubox-p2p/api/dht.py`. All four fixed, plus one new regression
|
||||
test.
|
||||
|
||||
### Fixes applied
|
||||
|
||||
1. **`_merge_contact` uncaught ValueError on malformed peer contacts**
|
||||
(Important, CONFIRMED). A single bad contact (bad hex `node_id_hex`, or
|
||||
`endpoint` without a `":"`) raised uncaught `ValueError`/`KeyError`/
|
||||
`TypeError` out of `iterative_find` → `find_peer`/`announce`, crashing the
|
||||
whole lookup for one malicious/buggy peer. Fixed by wrapping the parse
|
||||
(`bytes.fromhex`, `contact["did"]`, `self._parse_endpoint(...)`) in
|
||||
`try/except (ValueError, KeyError, TypeError): return` — the malformed
|
||||
contact is now silently discarded and the rest of the shortlist/lookup
|
||||
proceeds normally.
|
||||
|
||||
2. **Unbounded `shortlist`** (Important). A peer returning many fabricated
|
||||
"close" contacts could inflate `shortlist` indefinitely, forcing extra RPC
|
||||
rounds. Fixed: after merging all contacts from a round's replies,
|
||||
`shortlist` is sorted by `xor_distance` to `target_id` and truncated to
|
||||
`KAD_K` (`shortlist.sort(...); del shortlist[KAD_K:]`) before the
|
||||
round's convergence check.
|
||||
|
||||
3. **`asyncio.gather(*tasks)` without `return_exceptions=True`** (Important).
|
||||
A non-timeout exception from `send_fn` (relevant once real UDP lands)
|
||||
would propagate out of `gather` and abort the entire lookup. Fixed:
|
||||
`asyncio.gather(*tasks, return_exceptions=True)`, and the reply-processing
|
||||
loop now treats `isinstance(reply, BaseException)` the same as
|
||||
`reply is None` (skip and continue).
|
||||
|
||||
4. **`asyncio.get_event_loop()`** (Minor). Replaced with
|
||||
`asyncio.get_running_loop()` in `_rpc` — correct inside an already-running
|
||||
async context, avoids the deprecated/ambiguous fallback behavior of
|
||||
`get_event_loop()`.
|
||||
|
||||
### New regression test
|
||||
|
||||
`tests/test_dht.py::test_find_peer_survives_malformed_contact_in_reply` —
|
||||
A knows only B; B knows C. C holds its own signed record locally (without
|
||||
pushing it to B via `announce`, so B's `find_value` reply stays on the
|
||||
"nodes" branch). B's `_reply` is wrapped so that any outgoing `"nodes"`
|
||||
message gets a malformed contact
|
||||
(`{"node_id_hex": "zz", "did": "did:bad", "endpoint": "noport"}`) spliced in
|
||||
ahead of the real, good contact (C). Asserts `A.find_peer(C.did)` still
|
||||
resolves C's verified record and does not raise.
|
||||
|
||||
Verified the test is load-bearing: temporarily reverted the try/except in
|
||||
`_merge_contact` and confirmed this exact test fails with an uncaught
|
||||
`ValueError: non-hexadecimal number found in fromhex() arg at position 0`
|
||||
(see traceback origin `api.dht.DHTNetwork._merge_contact`); restored the fix
|
||||
and the test (and the full suite) went green again.
|
||||
|
||||
### Test run
|
||||
|
||||
```bash
|
||||
cd packages/secubox-p2p && python3 -m pytest tests/test_dht.py -v
|
||||
```
|
||||
|
||||
Result: **17 passed** (16 prior + 1 new regression test), 0.05s. Full package
|
||||
suite (`pytest tests/ -q`) also green: 66 passed.
|
||||
|
||||
### Commit
|
||||
|
||||
`fix(p2p): harden DHT iterative lookup — skip malformed contacts, cap shortlist, tolerate rpc exceptions (#774)`
|
||||
|
||||
### Concerns
|
||||
|
||||
None blocking. No public signatures changed; behavior change is strictly
|
||||
additive hardening (skip-bad-contact, cap shortlist size, tolerate RPC
|
||||
exceptions) — none of the 16 prior tests needed modification, all still pass
|
||||
unchanged.
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
# Task 8a Report — p2p UI + 1.9.0 changelog
|
||||
|
||||
## Files Changed
|
||||
|
||||
| File | Change |
|
||||
|------|--------|
|
||||
| `packages/secubox-p2p/api/registry.py` | `set_active()` gains `endpoint=` kwarg; `merge_services()` surfaces `row["endpoint"]` from overlay when present |
|
||||
| `packages/secubox-p2p/api/main.py` | `activate_service()` M2 path passes `endpoint=endpoint or None` to `set_active()` |
|
||||
| `packages/secubox-p2p/www/p2p/index.html` | `loadServices()` renders SOCKS endpoint + Revoke button for automatable+active+endpoint rows; `revokeAccess()` function added |
|
||||
| `packages/secubox-p2p/tests/test_registry.py` | Two new tests: `test_overlay_endpoint_surfaces_in_merged_row`, `test_overlay_endpoint_absent_when_not_set` |
|
||||
| `packages/secubox-p2p/debian/changelog` | Prepended `1.9.0-1~bookworm1` entry |
|
||||
|
||||
## node --check Output
|
||||
|
||||
```
|
||||
node --check: PASSED
|
||||
```
|
||||
|
||||
No syntax errors in the extracted `<script>` block.
|
||||
|
||||
## pytest Output
|
||||
|
||||
```
|
||||
49 passed, 1 warning in 0.87s
|
||||
```
|
||||
|
||||
All 49 tests pass (47 pre-existing + 2 new registry tests).
|
||||
|
||||
## Self-Review
|
||||
|
||||
### What was done
|
||||
1. **registry.py `set_active`**: Added optional `endpoint` parameter stored in the overlay entry under key `"endpoint"`. Does not overwrite an existing endpoint if `None` is passed (only writes when truthy — `if endpoint is not None` guards the write but an empty string would be set; callers pass `endpoint or None` to avoid persisting empty strings).
|
||||
2. **registry.py `merge_services`**: Checks `ov.get("endpoint")` and includes it in the row only when present. Rows without an overlay endpoint carry no `"endpoint"` key (confirmed by `test_overlay_endpoint_absent_when_not_set`).
|
||||
3. **main.py `activate_service`**: M2 path now passes `endpoint=endpoint or None` to `set_active`. The `endpoint` variable is already computed at that point from `cred.get("endpoint", offer.get("endpoint", ""))`.
|
||||
4. **index.html `loadServices`**: Added a new branch in the action chain — fires when `svc.automatable && svc.active && svc.endpoint`. Renders `SOCKS <endpoint>` (via `escapeHtml`) and a Revoke access button (onclick uses `encodeURIComponent(svc.service_id)` matching M1 pattern — NOT `escapeHtml`).
|
||||
5. **index.html `revokeAccess`**: Defined immediately after `activateService`. Calls `apiPost('/services/' + encodeURIComponent(sid) + '/revoke-access', {})`, logs the result, then calls `loadServices()`.
|
||||
6. **changelog 1.9.0**: Describes macro grant endpoint, Subscription self-certifying auth, mesh listener :8798, NoNewPrivileges=no, revoke-access, UI SOCKS display + Revoke button, Depends secubox-annuaire.
|
||||
|
||||
### Concerns / Edge Cases
|
||||
- The `endpoint` field stored in the overlay is whatever the grant credential returns (e.g. `"10.10.0.1:9050"`). The UI prefixes it with `"SOCKS "` unconditionally. If a future macro kind stores a non-SOCKS endpoint (e.g. a DNS resolver), the label will still say "SOCKS". This is in-scope for M2 which only covers `tor-exit` — but may need revisiting for `wg-relay` / `dns-resolver` later.
|
||||
- `main.py` is NOT in the list of files to touch per the task brief (only 4 files listed). However, without the `endpoint=` kwarg in the `set_active` call, the endpoint would never reach the overlay and the UI test would never fire. The change to `main.py` is a 1-line delta and is logically required. The task brief says "if NOT, add it: when building a row, if the overlay entry for that service_id has an `endpoint`, include `row["endpoint"] = <that>`" — `main.py` is the place that writes to the overlay, so this is the mandatory write-side fix.
|
||||
24
README.md
|
|
@ -57,30 +57,6 @@
|
|||
|
||||
---
|
||||
|
||||
## 🗡️ kbin — le premier outil du couteau suisse cyber
|
||||
|
||||
**kbin** (`kbin.gk2.secubox.in`) est le portail public de la **ToolBoX** SecuBox — la
|
||||
*cabine numérique* et **première lame du couteau suisse cyber modulaire** de
|
||||
[cybermind.fr](https://cybermind.fr). On s'y branche, on surfe normalement, et la lame
|
||||
inspecte et protège le trafic de façon transparente :
|
||||
|
||||
| 🗡️ | Lame |
|
||||
|----|------|
|
||||
| ⚡ | **Performance transparente** — on ne déchiffre que ce qu'on modifie (SNI-splice sélectif) |
|
||||
| 🔒 | **Full encrypted** — inspection MITM complète, forge de cert par hôte, fingerprint Chrome uTLS |
|
||||
| ☠️ | **Injection de poison & smog** — le trafic ad-tech ressort empoisonné, pas seulement bloqué |
|
||||
| 🚫 | **Bandeau anti-adware** — transparence injectée, immune au CSP, SPA-aware |
|
||||
| 🛡️ | **Safe browsing** — Vortex DNS + blacklist nft + détection anti-bot |
|
||||
|
||||
> **Prochaine lame — 🧅 mode Tor quick-switch ([#683](https://github.com/CyberMind-FR/secubox-deb/issues/683)).**
|
||||
> Un tap → le surf ressort par le réseau Tor (egress sortant, pseudo-network) : l'inspection
|
||||
> reste intacte, seule l'**IP de sortie** devient anonyme. Fail-closed, opt-in, sans fuite DNS.
|
||||
|
||||
- Use-case : [docs/wiki/Kbin-Toolbox.md](docs/wiki/Kbin-Toolbox.md)
|
||||
- FAQ : [docs/FAQ-KBIN-TOR.md](docs/FAQ-KBIN-TOR.md)
|
||||
|
||||
---
|
||||
|
||||
## License — CyberMind Source-Disclosed (CMSD-1.0)
|
||||
|
||||
> **Source disclosed, rights reserved.**
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ network:
|
|||
bridges:
|
||||
br-lan:
|
||||
interfaces: [lan0, lan1, lan2, lan3]
|
||||
addresses: [192.168.10.1/24]
|
||||
addresses: [192.168.1.1/24]
|
||||
dhcp4: false
|
||||
parameters:
|
||||
stp: false
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ network:
|
|||
bridges:
|
||||
br-lan:
|
||||
interfaces: [lan0, lan1]
|
||||
addresses: [192.168.10.1/24]
|
||||
addresses: [192.168.1.1/24]
|
||||
dhcp4: false
|
||||
parameters:
|
||||
stp: false
|
||||
|
|
|
|||
|
|
@ -6,21 +6,16 @@ network:
|
|||
renderer: networkd
|
||||
|
||||
ethernets:
|
||||
# WAN candidate (SFP+, eth0) — connecté à l'opérateur via fibre/module SFP.
|
||||
# WAN — connecté à l'opérateur
|
||||
eth0:
|
||||
dhcp4: true
|
||||
dhcp6: false
|
||||
optional: true
|
||||
|
||||
# LAN — port GbE switch (DSA 88E6341)
|
||||
# LAN — ports GbE (DSA ou directs selon la config switch)
|
||||
eth1:
|
||||
optional: true
|
||||
# WAN candidate (RJ45 cuivre, eth2 = mvpp2-2). Sur MOCHAbin le seul RJ45
|
||||
# direct ; sert d'uplink quand l'opérateur arrive en cuivre. Le port WAN
|
||||
# câblé (eth0 SFP+ OU eth2 cuivre) obtient le bail DHCP ; l'autre reste idle.
|
||||
eth2:
|
||||
dhcp4: true
|
||||
dhcp6: false
|
||||
optional: true
|
||||
eth3:
|
||||
optional: true
|
||||
|
|
@ -36,8 +31,8 @@ network:
|
|||
bridges:
|
||||
# Bridge LAN
|
||||
br-lan:
|
||||
interfaces: [eth1, eth3, eth4]
|
||||
addresses: [192.168.10.1/24]
|
||||
interfaces: [eth1, eth2, eth3, eth4]
|
||||
addresses: [192.168.1.1/24]
|
||||
dhcp4: false
|
||||
parameters:
|
||||
stp: false
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ network:
|
|||
|
||||
# LAN — Interface 2 QEMU (si configurée)
|
||||
enp0s2:
|
||||
addresses: [192.168.10.1/24]
|
||||
addresses: [192.168.100.1/24]
|
||||
dhcp4: false
|
||||
optional: true
|
||||
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ network:
|
|||
|
||||
# LAN — Interface 2 VirtualBox (Internal Network ou Host-Only)
|
||||
enp0s8:
|
||||
addresses: [192.168.10.1/24]
|
||||
addresses: [192.168.100.1/24]
|
||||
dhcp4: false
|
||||
optional: true
|
||||
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ network:
|
|||
br-lan:
|
||||
interfaces: []
|
||||
addresses:
|
||||
- 192.168.10.1/24
|
||||
- 192.168.1.1/24
|
||||
dhcp4: false
|
||||
optional: true
|
||||
parameters:
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@ network:
|
|||
bridges:
|
||||
br-lan:
|
||||
interfaces: [enp0s8]
|
||||
addresses: [192.168.10.1/24]
|
||||
addresses: [192.168.1.1/24]
|
||||
dhcp4: false
|
||||
parameters:
|
||||
stp: false
|
||||
|
|
|
|||
11
clients/android-toolbox/.gitignore
vendored
|
|
@ -1,11 +0,0 @@
|
|||
# Android / Gradle build artifacts
|
||||
.gradle/
|
||||
build/
|
||||
app/build/
|
||||
local.properties
|
||||
*.apk
|
||||
*.aab
|
||||
*.keystore
|
||||
*.jks
|
||||
.idea/
|
||||
captures/
|
||||
|
|
@ -1,74 +0,0 @@
|
|||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
# SecuBox Android ToolBox client (#531)
|
||||
|
||||
One-tap **R3 onboarding** for the VILLAGE3B cabine : install the CA,
|
||||
import the WireGuard profile, verify the tunnel, then open the live
|
||||
*cartographie sociale*. Replaces the manual Android tutorial.
|
||||
|
||||
## Flow (manual path)
|
||||
1. **Discover** — scan the kbin QR or type the booth host (`kbin.gk2.secubox.in`).
|
||||
2. **Install CA** — downloads `/wg/ca.crt`, launches the Android cert-install intent (`KeyChain.createInstallIntent`).
|
||||
3. **Import profile** — downloads `/wg/profile/new`, hands the `.conf` to the WireGuard app via `FileProvider` + `ACTION_VIEW`.
|
||||
4. **Verify** — polls `/wg/r3-check` → "Tunnel R3 actif ✓".
|
||||
5. **Live metrics** — opens `/social/me` (cartographie sociale).
|
||||
|
||||
## Root path — real zero-tap, fully automated (#538, #551, #558)
|
||||
On a **rooted** device the app onboards with **zero taps**, two ways:
|
||||
|
||||
- **On launch** — auto-detects root and runs the silent sequence immediately
|
||||
every launch (no gate), retrying reachability while WiFi/tunnel settle.
|
||||
- **On boot** — a `BOOT_COMPLETED` receiver starts a short foreground service
|
||||
(`OnboardService`) that runs the same silent sequence **without opening the
|
||||
app**, then stops. After one reboot the device self-onboards.
|
||||
|
||||
The **⚡ Installation automatique (root)** button remains as a manual
|
||||
re-trigger. Two interactions are **mandated by Android and unavoidable** for
|
||||
any app: the sideload install confirm ("install unknown apps") and the
|
||||
first-time superuser (Magisk/su) grant prompt. Everything after those is
|
||||
zero-tap. Steps:
|
||||
|
||||
1. **System CA install** — downloads `/wg/ca.pem`, computes the OpenSSL
|
||||
`subject_hash_old` in pure Kotlin, and bind-mounts a populated copy of
|
||||
the trust store over `/system/etc/security/cacerts` (+ the conscrypt
|
||||
APEX path on Android 14), restoring the SELinux context
|
||||
(`u:object_r:system_security_cacerts_file:s0`). **Every** app trusts the
|
||||
cabine CA — not just user-CA opt-in apps. Reversible via `umount`.
|
||||
2. **Native WireGuard** — if the kernel has the WireGuard module + `wg`/`ip`,
|
||||
brings the tunnel up natively (`ip link add … type wireguard` + `wg set`),
|
||||
no WireGuard app required.
|
||||
3. **Auto R3 verify** — polls `/wg/r3-check`.
|
||||
|
||||
**Fallback** — if the kernel lacks WireGuard, the root path installs the
|
||||
system CA then hands off to the manual WireGuard-app flow (steps 3–5 above).
|
||||
|
||||
All root actions are **gated behind the explicit tap** — nothing runs as
|
||||
root without the operator choosing root mode on their own device.
|
||||
See `RootShell.kt` (su wrapper) and `RootOnboard.kt` (silent sequence).
|
||||
|
||||
## Build
|
||||
No Gradle wrapper jar is committed (text-only scaffold). CI builds it:
|
||||
- **GitHub Actions** `build-android-apk.yml` → debug APK artifact.
|
||||
Locally (with Android SDK + Gradle 8.9 + JDK 17):
|
||||
```bash
|
||||
cd clients/android-toolbox
|
||||
gradle :app:assembleDebug # app/build/outputs/apk/debug/app-debug.apk
|
||||
```
|
||||
|
||||
## Constraints (MVP)
|
||||
- Android 11+ restricts **user CA trust** ; the *manual* path launches the
|
||||
install intent + guides the confirm step. Browsers on the device need the
|
||||
CA trusted for the mitm R3 break — this is the known Android limitation on
|
||||
non-rooted devices. **Rooted devices bypass it entirely** via the system
|
||||
CA install (see Root path above).
|
||||
- The *manual* path imports the WireGuard profile via the **official
|
||||
WireGuard app** (no embedded tunnel) — most reliable, no extra native
|
||||
deps. The *root* path brings the tunnel up natively with the kernel module.
|
||||
- Debug APK is self-signed (sideload). Release signing (published
|
||||
fingerprint, served from the toolbox) is a follow-up needing a keystore
|
||||
secret in CI.
|
||||
|
||||
## Tech
|
||||
Kotlin + Jetpack Compose, minSdk 26 / targetSdk 34. API client is plain
|
||||
`HttpURLConnection` (no Retrofit/OkHttp) to keep deps + CI minimal.
|
||||
|
||||
Package `in.secubox.toolbox`. License `LicenseRef-CMSD-1.0`.
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
plugins {
|
||||
id("com.android.application")
|
||||
id("org.jetbrains.kotlin.android")
|
||||
}
|
||||
|
||||
android {
|
||||
namespace = "in.secubox.toolbox"
|
||||
compileSdk = 34
|
||||
|
||||
defaultConfig {
|
||||
applicationId = "in.secubox.toolbox"
|
||||
minSdk = 26
|
||||
targetSdk = 34
|
||||
versionCode = 4
|
||||
versionName = "0.4.0"
|
||||
}
|
||||
|
||||
buildTypes {
|
||||
release {
|
||||
isMinifyEnabled = false
|
||||
// Signed in CI with a published-fingerprint key (sideload APK,
|
||||
// no Play Store). Debug builds are self-signed by the SDK.
|
||||
signingConfig = signingConfigs.findByName("release")
|
||||
}
|
||||
}
|
||||
compileOptions {
|
||||
sourceCompatibility = JavaVersion.VERSION_17
|
||||
targetCompatibility = JavaVersion.VERSION_17
|
||||
}
|
||||
kotlinOptions { jvmTarget = "17" }
|
||||
buildFeatures { compose = true }
|
||||
composeOptions { kotlinCompilerExtensionVersion = "1.5.14" }
|
||||
packaging { resources { excludes += "/META-INF/{AL2.0,LGPL2.1}" } }
|
||||
}
|
||||
|
||||
dependencies {
|
||||
val composeBom = platform("androidx.compose:compose-bom:2024.06.00")
|
||||
implementation(composeBom)
|
||||
implementation("androidx.core:core-ktx:1.13.1")
|
||||
implementation("androidx.activity:activity-compose:1.9.0")
|
||||
implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.8.3")
|
||||
implementation("androidx.compose.ui:ui")
|
||||
implementation("androidx.compose.ui:ui-graphics")
|
||||
implementation("androidx.compose.material3:material3")
|
||||
implementation("androidx.compose.material:material-icons-extended")
|
||||
// No Retrofit/OkHttp — the API client uses HttpURLConnection to keep
|
||||
// the dependency graph (and CI) minimal.
|
||||
}
|
||||
|
|
@ -1,66 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
|
||||
|
||||
<uses-permission android:name="android.permission.INTERNET" />
|
||||
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
|
||||
<!-- #558 full-auto: run the silent onboarding on device boot, no app open. -->
|
||||
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
|
||||
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
|
||||
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_SPECIAL_USE" />
|
||||
<uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
|
||||
<!-- Query the WireGuard app so we can hand it the generated profile. -->
|
||||
<queries>
|
||||
<package android:name="com.wireguard.android" />
|
||||
</queries>
|
||||
|
||||
<application
|
||||
android:allowBackup="false"
|
||||
android:label="@string/app_name"
|
||||
android:icon="@mipmap/ic_launcher"
|
||||
android:theme="@style/Theme.SecuBoxToolBox"
|
||||
android:supportsRtl="true">
|
||||
|
||||
<activity
|
||||
android:name=".MainActivity"
|
||||
android:exported="true"
|
||||
android:label="@string/app_name">
|
||||
<intent-filter>
|
||||
<action android:name="android.intent.action.MAIN" />
|
||||
<category android:name="android.intent.category.LAUNCHER" />
|
||||
</intent-filter>
|
||||
</activity>
|
||||
|
||||
<!-- #558 : boot-completed → start the onboarding foreground service
|
||||
so a rooted device self-onboards with zero taps after a reboot. -->
|
||||
<receiver
|
||||
android:name=".BootReceiver"
|
||||
android:exported="true"
|
||||
android:enabled="true">
|
||||
<intent-filter>
|
||||
<action android:name="android.intent.action.BOOT_COMPLETED" />
|
||||
<action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
|
||||
</intent-filter>
|
||||
</receiver>
|
||||
<service
|
||||
android:name=".OnboardService"
|
||||
android:exported="false"
|
||||
android:foregroundServiceType="specialUse">
|
||||
<property
|
||||
android:name="android.app.PROPERTY_SPECIAL_USE_FGS_SUBTYPE"
|
||||
android:value="Silent R3 onboarding on a rooted, operator-owned cabine device" />
|
||||
</service>
|
||||
|
||||
<!-- FileProvider to share the downloaded CA + WG .conf with the
|
||||
system cert installer / the WireGuard app. -->
|
||||
<provider
|
||||
android:name="androidx.core.content.FileProvider"
|
||||
android:authorities="${applicationId}.fileprovider"
|
||||
android:exported="false"
|
||||
android:grantUriPermissions="true">
|
||||
<meta-data
|
||||
android:name="android.support.FILE_PROVIDER_PATHS"
|
||||
android:resource="@xml/file_paths" />
|
||||
</provider>
|
||||
</application>
|
||||
</manifest>
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// #558 — boot-completed → kick the onboarding foreground service so a
|
||||
// rooted, operator-owned cabine device self-onboards with zero taps after
|
||||
// a reboot (no need to open the app).
|
||||
package `in`.secubox.toolbox
|
||||
|
||||
import android.content.BroadcastReceiver
|
||||
import android.content.Context
|
||||
import android.content.Intent
|
||||
import androidx.core.content.ContextCompat
|
||||
|
||||
class BootReceiver : BroadcastReceiver() {
|
||||
override fun onReceive(context: Context, intent: Intent?) {
|
||||
val a = intent?.action ?: return
|
||||
if (a == Intent.ACTION_BOOT_COMPLETED || a == Intent.ACTION_LOCKED_BOOT_COMPLETED) {
|
||||
ContextCompat.startForegroundService(
|
||||
context, Intent(context, OnboardService::class.java),
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,323 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// SecuBox-Deb :: Android ToolBox client (#531)
|
||||
// One-tap R3 onboarding : discover -> install CA -> import WG profile ->
|
||||
// verify tunnel -> live cartographie sociale. Replaces the manual
|
||||
// multi-step Android tutorial.
|
||||
package `in`.secubox.toolbox
|
||||
|
||||
import android.content.Intent
|
||||
import android.net.Uri
|
||||
import android.os.Bundle
|
||||
import android.provider.Settings
|
||||
import android.security.KeyChain
|
||||
import androidx.activity.ComponentActivity
|
||||
import androidx.activity.compose.setContent
|
||||
import androidx.compose.foundation.BorderStroke
|
||||
import androidx.compose.foundation.layout.*
|
||||
import androidx.compose.foundation.rememberScrollState
|
||||
import androidx.compose.foundation.verticalScroll
|
||||
import androidx.compose.material.icons.Icons
|
||||
import androidx.compose.material.icons.filled.*
|
||||
import androidx.compose.material3.*
|
||||
import androidx.compose.runtime.*
|
||||
import androidx.compose.ui.Alignment
|
||||
import androidx.compose.ui.Modifier
|
||||
import androidx.compose.ui.graphics.Color
|
||||
import androidx.compose.ui.text.font.FontFamily
|
||||
import androidx.compose.ui.text.font.FontWeight
|
||||
import androidx.compose.ui.unit.dp
|
||||
import androidx.compose.ui.unit.sp
|
||||
import androidx.core.content.FileProvider
|
||||
import kotlinx.coroutines.Dispatchers
|
||||
import kotlinx.coroutines.launch
|
||||
import kotlinx.coroutines.withContext
|
||||
|
||||
private val Cosmos = Color(0xFF0A0A0F)
|
||||
private val Gold = Color(0xFFC9A84C)
|
||||
private val Cyan = Color(0xFF00D4FF)
|
||||
private val Matrix = Color(0xFF00FF41)
|
||||
private val Cinnabar = Color(0xFFE63946)
|
||||
private val TextPrimary = Color(0xFFE8E6D9)
|
||||
|
||||
enum class Step { Discover, RootAuto, InstallCa, ImportProfile, Verify, Done }
|
||||
|
||||
class MainActivity : ComponentActivity() {
|
||||
override fun onCreate(savedInstanceState: Bundle?) {
|
||||
super.onCreate(savedInstanceState)
|
||||
setContent { OnboardApp() }
|
||||
}
|
||||
}
|
||||
|
||||
@OptIn(ExperimentalMaterial3Api::class)
|
||||
@Composable
|
||||
fun OnboardApp() {
|
||||
val ctx = androidx.compose.ui.platform.LocalContext.current
|
||||
val scope = rememberCoroutineScope()
|
||||
var host by remember { mutableStateOf("kbin.gk2.secubox.in") }
|
||||
var step by remember { mutableStateOf(Step.Discover) }
|
||||
var status by remember { mutableStateOf("") }
|
||||
var busy by remember { mutableStateOf(false) }
|
||||
var onTunnel by remember { mutableStateOf(false) }
|
||||
var peerIp by remember { mutableStateOf<String?>(null) }
|
||||
val api = remember(host) { ToolboxApi(host) }
|
||||
var rootAvail by remember { mutableStateOf(false) }
|
||||
val rootLog = remember { mutableStateListOf<String>() }
|
||||
val prefs = remember {
|
||||
ctx.getSharedPreferences("secubox-toolbox", android.content.Context.MODE_PRIVATE)
|
||||
}
|
||||
var autoTried by remember { mutableStateOf(false) }
|
||||
|
||||
// The whole root-mode silent run, reused by the ⚡ button AND the
|
||||
// zero-tap auto-launch (#551/#558). NO onboarded gate — it auto-runs
|
||||
// every launch (idempotent: re-asserts CA + WG). Reachability is
|
||||
// RETRIED so a WiFi/tunnel race at launch doesn't kill the auto-run.
|
||||
val runRootAuto: () -> Unit = {
|
||||
busy = true; status = ""; rootLog.clear()
|
||||
scope.launch {
|
||||
// poll reachability up to ~9 s (network may still be settling)
|
||||
var ok = false
|
||||
for (attempt in 1..6) {
|
||||
ok = withContext(Dispatchers.IO) { api.reachable() }
|
||||
if (ok) break
|
||||
status = "Recherche de la borne… ($attempt)"
|
||||
kotlinx.coroutines.delay(1500)
|
||||
}
|
||||
if (!ok) {
|
||||
busy = false; status = "Borne injoignable — vérifie le réseau."
|
||||
} else {
|
||||
step = Step.RootAuto
|
||||
val onb = RootOnboard(api, ctx.cacheDir, ctx.filesDir)
|
||||
val out = withContext(Dispatchers.IO) {
|
||||
onb.runSilent { line -> scope.launch(Dispatchers.Main) { rootLog.add(line) } }
|
||||
}
|
||||
busy = false
|
||||
onTunnel = out.verified
|
||||
// #683 — surface kbin Tor egress status (anonymised exit) if on.
|
||||
rootLog.add(withContext(Dispatchers.IO) {
|
||||
val t = api.torStatus()
|
||||
when {
|
||||
t == null -> "• Statut Tor : indisponible"
|
||||
!t.optBoolean("tor_mode", false) -> "• Mode Tor : inactif"
|
||||
t.optBoolean("running", false) ->
|
||||
"🧅 Mode Tor ACTIF — sortie anonymisée${t.optString("exit_ip", "").let { if (it.isNotBlank() && it != "null") " ($it)" else "" }}"
|
||||
else -> "🧅 Mode Tor activé — tunnel Tor en démarrage…"
|
||||
}
|
||||
})
|
||||
when {
|
||||
out.verified -> step = Step.Done
|
||||
out.wgViaApp -> { step = Step.ImportProfile
|
||||
status = "CA installé en root ✓ — termine le tunnel via l'app WireGuard." }
|
||||
else -> { step = Step.Verify
|
||||
status = "Active le tunnel puis vérifie." }
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Detect root once, off the main thread.
|
||||
LaunchedEffect(Unit) { rootAvail = withContext(Dispatchers.IO) { RootShell.available() } }
|
||||
// Zero-tap (#558): on a rooted device, auto-run the silent onboarding
|
||||
// on every launch — no gate. (Boot-time auto-run is handled by
|
||||
// BootReceiver + OnboardService so it runs without opening the app.)
|
||||
LaunchedEffect(rootAvail) {
|
||||
if (rootAvail && !autoTried && step == Step.Discover) {
|
||||
autoTried = true
|
||||
runRootAuto()
|
||||
}
|
||||
}
|
||||
|
||||
MaterialTheme(colorScheme = darkColorScheme(
|
||||
primary = Gold, secondary = Cyan, background = Cosmos, surface = Cosmos,
|
||||
onBackground = TextPrimary, onSurface = TextPrimary,
|
||||
)) {
|
||||
Surface(Modifier.fillMaxSize(), color = Cosmos) {
|
||||
Column(
|
||||
Modifier.fillMaxSize().padding(20.dp).verticalScroll(rememberScrollState()),
|
||||
horizontalAlignment = Alignment.CenterHorizontally,
|
||||
) {
|
||||
Text("📡 VILLAGE3B", color = Gold, fontSize = 26.sp, fontWeight = FontWeight.Bold)
|
||||
Text("ToolBoX — installation R3", color = TextPrimary, fontSize = 14.sp)
|
||||
Spacer(Modifier.height(20.dp))
|
||||
|
||||
Stepper(step)
|
||||
Spacer(Modifier.height(20.dp))
|
||||
|
||||
when (step) {
|
||||
Step.Discover -> {
|
||||
OutlinedTextField(
|
||||
value = host, onValueChange = { host = it },
|
||||
label = { Text("Borne (kbin…)") }, singleLine = true,
|
||||
modifier = Modifier.fillMaxWidth(),
|
||||
)
|
||||
Spacer(Modifier.height(8.dp))
|
||||
Text("Scanne le QR de la cabine ou saisis l'adresse, puis Suivant.",
|
||||
color = TextPrimary, fontSize = 12.sp)
|
||||
Spacer(Modifier.height(16.dp))
|
||||
BigButton("Suivant", busy) {
|
||||
busy = true; status = "Vérification de la borne…"
|
||||
scope.launch {
|
||||
val ok = withContext(Dispatchers.IO) { api.reachable() }
|
||||
busy = false
|
||||
if (ok) { step = Step.InstallCa; status = "" }
|
||||
else status = "Borne injoignable — vérifie l'adresse / le réseau."
|
||||
}
|
||||
}
|
||||
if (rootAvail) {
|
||||
Spacer(Modifier.height(10.dp))
|
||||
Text("🔓 Root détecté — l'installation se lance automatiquement. " +
|
||||
"Tu peux aussi la relancer ici.",
|
||||
color = Matrix, fontSize = 12.sp)
|
||||
Spacer(Modifier.height(6.dp))
|
||||
OutlinedButton(onClick = runRootAuto, modifier = Modifier.fillMaxWidth(),
|
||||
border = BorderStroke(1.dp, Matrix),
|
||||
colors = ButtonDefaults.outlinedButtonColors(contentColor = Matrix)) {
|
||||
Text("⚡ Installation automatique (root)", fontWeight = FontWeight.Bold)
|
||||
}
|
||||
}
|
||||
}
|
||||
Step.RootAuto -> {
|
||||
StepBody("Installation automatique (root)",
|
||||
"CA système + tunnel WireGuard, sans intervention.")
|
||||
Surface(color = Color(0xFF0E0E15), shape = MaterialTheme.shapes.small,
|
||||
modifier = Modifier.fillMaxWidth()) {
|
||||
Column(Modifier.padding(12.dp)) {
|
||||
rootLog.forEach { line ->
|
||||
Text(line, color = if (line.startsWith("✗")) Cinnabar
|
||||
else if (line.startsWith("✓")) Matrix else TextPrimary,
|
||||
fontSize = 12.sp, fontFamily = FontFamily.Monospace)
|
||||
}
|
||||
if (busy) {
|
||||
Spacer(Modifier.height(6.dp))
|
||||
CircularProgressIndicator(Modifier.size(18.dp), color = Gold, strokeWidth = 2.dp)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Step.InstallCa -> {
|
||||
StepBody("1 · Installer le certificat (CA R3)",
|
||||
"Le certificat permet l'analyse TLS de la cabine. " +
|
||||
"Android te demandera de confirmer (Paramètres → Sécurité → " +
|
||||
"Certificat utilisateur).")
|
||||
BigButton("Installer le certificat", busy) {
|
||||
busy = true
|
||||
scope.launch {
|
||||
try {
|
||||
val ca = withContext(Dispatchers.IO) { api.downloadCa(ctx.cacheDir) }
|
||||
val der = ca.readBytes()
|
||||
val intent = KeyChain.createInstallIntent().apply {
|
||||
putExtra(KeyChain.EXTRA_CERTIFICATE, der)
|
||||
putExtra(KeyChain.EXTRA_NAME, "VILLAGE3B ToolBoX CA")
|
||||
}
|
||||
ctx.startActivity(intent)
|
||||
status = "Confirme l'installation dans Android, puis Suivant."
|
||||
} catch (e: Exception) {
|
||||
status = "Échec téléchargement CA : ${e.message}"
|
||||
} finally { busy = false }
|
||||
}
|
||||
}
|
||||
Spacer(Modifier.height(8.dp))
|
||||
TextButton(onClick = {
|
||||
ctx.startActivity(Intent(Settings.ACTION_SECURITY_SETTINGS))
|
||||
}) { Text("Ouvrir Paramètres sécurité", color = Cyan) }
|
||||
Spacer(Modifier.height(8.dp))
|
||||
BigButton("Suivant", false) { step = Step.ImportProfile; status = "" }
|
||||
}
|
||||
Step.ImportProfile -> {
|
||||
StepBody("2 · Importer le profil WireGuard",
|
||||
"On génère un profil dédié et on l'ouvre dans l'app WireGuard. " +
|
||||
"Active le tunnel dans WireGuard, puis reviens ici.")
|
||||
BigButton("Importer dans WireGuard", busy) {
|
||||
busy = true
|
||||
scope.launch {
|
||||
try {
|
||||
val conf = withContext(Dispatchers.IO) { api.downloadProfile(ctx.cacheDir) }
|
||||
val uri = FileProvider.getUriForFile(
|
||||
ctx, "${ctx.packageName}.fileprovider", conf)
|
||||
val intent = Intent(Intent.ACTION_VIEW).apply {
|
||||
setDataAndType(uri, "application/octet-stream")
|
||||
addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
|
||||
setPackage("com.wireguard.android")
|
||||
}
|
||||
try { ctx.startActivity(intent) }
|
||||
catch (_: Exception) {
|
||||
// WireGuard not installed -> open Play / generic chooser.
|
||||
ctx.startActivity(Intent(Intent.ACTION_VIEW,
|
||||
Uri.parse("https://play.google.com/store/apps/details?id=com.wireguard.android")))
|
||||
status = "Installe l'app WireGuard puis réessaie."
|
||||
}
|
||||
} catch (e: Exception) {
|
||||
status = "Échec profil : ${e.message}"
|
||||
} finally { busy = false }
|
||||
}
|
||||
}
|
||||
Spacer(Modifier.height(8.dp))
|
||||
BigButton("Suivant", false) { step = Step.Verify; status = "" }
|
||||
}
|
||||
Step.Verify -> {
|
||||
StepBody("3 · Vérifier le tunnel R3",
|
||||
"Active le tunnel dans WireGuard, puis vérifie.")
|
||||
BigButton("Vérifier", busy) {
|
||||
busy = true; status = "Vérification…"
|
||||
scope.launch {
|
||||
val (t, ip) = withContext(Dispatchers.IO) { api.r3Check() }
|
||||
busy = false; onTunnel = t; peerIp = ip
|
||||
if (t) { step = Step.Done; status = "" }
|
||||
else status = "Pas encore sur le tunnel — active WireGuard puis réessaie."
|
||||
}
|
||||
}
|
||||
}
|
||||
Step.Done -> {
|
||||
Icon(Icons.Filled.CheckCircle, null, tint = Matrix, modifier = Modifier.size(56.dp))
|
||||
Text("Tunnel R3 actif ✓", color = Matrix, fontSize = 20.sp, fontWeight = FontWeight.Bold)
|
||||
peerIp?.let { Text("pair : $it", color = TextPrimary, fontSize = 12.sp) }
|
||||
Spacer(Modifier.height(20.dp))
|
||||
BigButton("🕸️ Voir ma cartographie sociale", false) {
|
||||
ctx.startActivity(Intent(Intent.ACTION_VIEW, Uri.parse(api.socialMeUrl)))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (status.isNotBlank()) {
|
||||
Spacer(Modifier.height(16.dp))
|
||||
Text(status, color = if (status.contains("Échec") || status.contains("injoignable")) Cinnabar else Cyan,
|
||||
fontSize = 13.sp)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Composable
|
||||
private fun Stepper(cur: Step) {
|
||||
val steps = listOf(Step.Discover, Step.InstallCa, Step.ImportProfile, Step.Verify, Step.Done)
|
||||
Row(horizontalArrangement = Arrangement.spacedBy(6.dp)) {
|
||||
steps.forEach { s ->
|
||||
val done = s.ordinal < cur.ordinal
|
||||
val active = s == cur
|
||||
Box(Modifier.size(if (active) 14.dp else 10.dp)) {
|
||||
Surface(shape = MaterialTheme.shapes.small,
|
||||
color = when { done -> Matrix; active -> Gold; else -> Color(0xFF333333) },
|
||||
modifier = Modifier.fillMaxSize()) {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Composable
|
||||
private fun StepBody(title: String, body: String) {
|
||||
Text(title, color = Gold, fontSize = 16.sp, fontWeight = FontWeight.Bold)
|
||||
Spacer(Modifier.height(8.dp))
|
||||
Text(body, color = TextPrimary, fontSize = 13.sp)
|
||||
Spacer(Modifier.height(16.dp))
|
||||
}
|
||||
|
||||
@Composable
|
||||
private fun BigButton(label: String, busy: Boolean, onClick: () -> Unit) {
|
||||
Button(onClick = onClick, enabled = !busy, modifier = Modifier.fillMaxWidth(),
|
||||
colors = ButtonDefaults.buttonColors(containerColor = Gold, contentColor = Cosmos)) {
|
||||
if (busy) CircularProgressIndicator(Modifier.size(18.dp), color = Cosmos, strokeWidth = 2.dp)
|
||||
else Text(label, fontWeight = FontWeight.Bold)
|
||||
}
|
||||
}
|
||||
|
|
@ -1,77 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// #558 — full-auto onboarding service. Started on boot (BootReceiver). On a
|
||||
// rooted device it runs the silent R3 onboarding (system CA + native WG +
|
||||
// verify) with zero taps, retrying reachability while the network settles,
|
||||
// then stops itself. Non-root / unreachable → it just stops (the launcher
|
||||
// activity remains the manual path).
|
||||
package `in`.secubox.toolbox
|
||||
|
||||
import android.app.Notification
|
||||
import android.app.NotificationChannel
|
||||
import android.app.NotificationManager
|
||||
import android.app.Service
|
||||
import android.content.Context
|
||||
import android.content.Intent
|
||||
import android.os.Build
|
||||
import android.os.IBinder
|
||||
import kotlinx.coroutines.CoroutineScope
|
||||
import kotlinx.coroutines.Dispatchers
|
||||
import kotlinx.coroutines.SupervisorJob
|
||||
import kotlinx.coroutines.launch
|
||||
|
||||
class OnboardService : Service() {
|
||||
private val scope = CoroutineScope(SupervisorJob() + Dispatchers.IO)
|
||||
private val CHAN = "sbx-onboard"
|
||||
private val NID = 4201
|
||||
|
||||
override fun onBind(intent: Intent?): IBinder? = null
|
||||
|
||||
override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
|
||||
startForeground(NID, buildNotification())
|
||||
scope.launch {
|
||||
try { runOnce() } finally { stopSelf() }
|
||||
}
|
||||
return START_NOT_STICKY
|
||||
}
|
||||
|
||||
private suspend fun runOnce() {
|
||||
// root is the precondition for the silent path; bail quietly otherwise.
|
||||
if (!RootShell.available()) return
|
||||
val host = getSharedPreferences("secubox-toolbox", Context.MODE_PRIVATE)
|
||||
.getString("host", null) ?: "kbin.gk2.secubox.in"
|
||||
val api = ToolboxApi(host)
|
||||
// network may still be coming up after boot — retry ~30 s.
|
||||
var ok = false
|
||||
for (i in 1..15) {
|
||||
ok = api.reachable()
|
||||
if (ok) break
|
||||
kotlinx.coroutines.delay(2000)
|
||||
}
|
||||
if (!ok) return
|
||||
RootOnboard(api, cacheDir, filesDir).runSilent { /* headless: no UI log */ }
|
||||
}
|
||||
|
||||
private fun buildNotification(): Notification {
|
||||
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
|
||||
val nm = getSystemService(NotificationManager::class.java)
|
||||
nm?.createNotificationChannel(
|
||||
NotificationChannel(CHAN, "SecuBox onboarding",
|
||||
NotificationManager.IMPORTANCE_LOW),
|
||||
)
|
||||
}
|
||||
val b = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O)
|
||||
Notification.Builder(this, CHAN) else @Suppress("DEPRECATION") Notification.Builder(this)
|
||||
return b.setContentTitle("VILLAGE3B")
|
||||
.setContentText("Activation R3 automatique…")
|
||||
.setSmallIcon(android.R.drawable.stat_sys_download)
|
||||
.setOngoing(true)
|
||||
.build()
|
||||
}
|
||||
|
||||
override fun onDestroy() {
|
||||
super.onDestroy()
|
||||
scope.coroutineContext[kotlinx.coroutines.Job]?.cancel()
|
||||
}
|
||||
}
|
||||
|
|
@ -1,170 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// Root-mode fully-automated silent R3 onboarding (#538).
|
||||
// All actions are gated behind an explicit "root auto" tap in the UI.
|
||||
package `in`.secubox.toolbox
|
||||
|
||||
import java.io.File
|
||||
import java.security.MessageDigest
|
||||
import java.security.cert.CertificateFactory
|
||||
|
||||
class RootOnboard(
|
||||
private val api: ToolboxApi,
|
||||
private val cacheDir: File,
|
||||
// #683: app-internal storage for the STABLE WG identity (survives reboot).
|
||||
// Defaults to cacheDir so older call sites still compile, but real callers
|
||||
// pass filesDir so the identity persists instead of churning each boot.
|
||||
private val filesDir: File = cacheDir,
|
||||
) {
|
||||
|
||||
/** A line appended to the on-screen log during the silent run. */
|
||||
fun interface Logger { fun log(line: String) }
|
||||
|
||||
data class Outcome(val caInstalled: Boolean, val wgUp: Boolean, val verified: Boolean,
|
||||
val wgViaApp: Boolean)
|
||||
|
||||
// ── system CA install (silent, root) ──
|
||||
|
||||
/**
|
||||
* OpenSSL `subject_hash_old` (pre-1.0 hash) computed WITHOUT openssl :
|
||||
* MD5 of the DER-encoded subject name, first 4 bytes as a uint32
|
||||
* little-endian, formatted "%08x". This is the filename the Android
|
||||
* system cacerts store uses (<hash>.0).
|
||||
*/
|
||||
fun subjectHashOld(pem: ByteArray): String {
|
||||
val cf = CertificateFactory.getInstance("X.509")
|
||||
val cert = cf.generateCertificate(pem.inputStream()) as java.security.cert.X509Certificate
|
||||
val subjectDer = cert.subjectX500Principal.encoded
|
||||
val md5 = MessageDigest.getInstance("MD5").digest(subjectDer)
|
||||
val h = (md5[0].toLong() and 0xff) or
|
||||
((md5[1].toLong() and 0xff) shl 8) or
|
||||
((md5[2].toLong() and 0xff) shl 16) or
|
||||
((md5[3].toLong() and 0xff) shl 24)
|
||||
return String.format("%08x", h)
|
||||
}
|
||||
|
||||
/**
|
||||
* Install the CA into the SYSTEM trust store so EVERY app (not just
|
||||
* those opting into user CAs) trusts it. Uses the bind-mount-over-
|
||||
* cacerts technique that works on Android 10–14 (incl. the conscrypt
|
||||
* APEX). Non-persistent across reboot — fine for a temporary cabine
|
||||
* diagnostic; the app can also unmount to revert.
|
||||
*/
|
||||
fun installCaSystem(log: Logger): Boolean {
|
||||
log.log("• Téléchargement du CA…")
|
||||
val pem = api.download("/wg/ca.pem", "village3b-ca.pem", cacheDir).readBytes()
|
||||
val hash = subjectHashOld(pem)
|
||||
log.log("• CA hash : $hash.0")
|
||||
val local = File(cacheDir, "$hash.0").apply { writeBytes(pem) }
|
||||
|
||||
// Push the cert to a root-readable scratch path, then bind-mount a
|
||||
// populated copy of the system store over the live cacerts dir.
|
||||
val pushed = "/data/local/tmp/sbx-$hash.0"
|
||||
val push = RootShell.install(local, pushed, "644")
|
||||
if (!push.ok) { log.log("✗ push échoué : ${push.err.trim()}"); return false }
|
||||
|
||||
val r = RootShell.runScript(
|
||||
"set -e",
|
||||
"CERT_DIR=/system/etc/security/cacerts",
|
||||
"TMP=/data/local/tmp/sbx-cacerts",
|
||||
"rm -rf \$TMP; mkdir -p \$TMP",
|
||||
// seed with the existing system + APEX certs so nothing is lost
|
||||
"cp -f \$CERT_DIR/* \$TMP/ 2>/dev/null || true",
|
||||
"cp -f /apex/com.android.conscrypt/cacerts/* \$TMP/ 2>/dev/null || true",
|
||||
"cp -f $pushed \$TMP/$hash.0",
|
||||
"chmod 644 \$TMP/* 2>/dev/null || true",
|
||||
"chown 0:0 \$TMP/* 2>/dev/null || true",
|
||||
"chcon u:object_r:system_security_cacerts_file:s0 \$TMP/* 2>/dev/null || true",
|
||||
// bind-mount over the live store (and the APEX path on 14)
|
||||
"mount -o bind \$TMP \$CERT_DIR",
|
||||
"[ -d /apex/com.android.conscrypt/cacerts ] && mount -o bind \$TMP /apex/com.android.conscrypt/cacerts 2>/dev/null || true",
|
||||
"echo OK",
|
||||
)
|
||||
if (r.ok && r.out.contains("OK")) {
|
||||
log.log("✓ CA installé dans le magasin système (toutes les apps le font confiance)")
|
||||
return true
|
||||
}
|
||||
log.log("✗ install CA système : ${r.err.trim().ifBlank { r.out.trim() }}")
|
||||
return false
|
||||
}
|
||||
|
||||
fun removeCaSystem(log: Logger): Boolean {
|
||||
val r = RootShell.runScript(
|
||||
"umount /system/etc/security/cacerts 2>/dev/null || true",
|
||||
"umount /apex/com.android.conscrypt/cacerts 2>/dev/null || true",
|
||||
"echo OK",
|
||||
)
|
||||
log.log(if (r.ok) "✓ CA système retiré (démonté)" else "✗ démontage : ${r.err.trim()}")
|
||||
return r.ok
|
||||
}
|
||||
|
||||
// ── WireGuard bring-up ──
|
||||
|
||||
/** Parse the wg-quick .conf into the fields we need. */
|
||||
private data class WgConf(val privKey: String, val address: String,
|
||||
val pubKey: String, val endpoint: String, val allowed: String)
|
||||
|
||||
private fun parse(conf: String): WgConf? {
|
||||
var pk = ""; var addr = ""; var pub = ""; var ep = ""; var aip = ""
|
||||
conf.lineSequence().forEach { raw ->
|
||||
val l = raw.trim()
|
||||
when {
|
||||
l.startsWith("PrivateKey", true) -> pk = l.substringAfter("=").trim()
|
||||
l.startsWith("Address", true) -> addr = l.substringAfter("=").trim()
|
||||
l.startsWith("PublicKey", true) -> pub = l.substringAfter("=").trim()
|
||||
l.startsWith("Endpoint", true) -> ep = l.substringAfter("=").trim()
|
||||
l.startsWith("AllowedIPs", true) -> aip = l.substringAfter("=").trim()
|
||||
}
|
||||
}
|
||||
return if (pk.isNotBlank() && pub.isNotBlank() && ep.isNotBlank()) WgConf(pk, addr, pub, ep, aip) else null
|
||||
}
|
||||
|
||||
/**
|
||||
* Bring the tunnel up natively with root IF the kernel has WireGuard
|
||||
* + `wg`/`ip`. Returns true on success ; false means the caller
|
||||
* should fall back to the WireGuard-app handoff.
|
||||
*/
|
||||
fun setupWireguardRoot(log: Logger): Boolean {
|
||||
if (!RootShell.hasKernelWireguard()) {
|
||||
log.log("• Noyau sans module WireGuard — bascule sur l'app WireGuard")
|
||||
return false
|
||||
}
|
||||
log.log("• Profil WireGuard (identité stable)…")
|
||||
// #683: reuse the persisted keypair so the device keeps ONE identity
|
||||
// across reboots (no more stats reset to a fresh empty hash each boot).
|
||||
val conf = api.persistentProfile(filesDir).readText()
|
||||
val wg = parse(conf) ?: run { log.log("✗ profil illisible"); return false }
|
||||
val iface = "wg-village3b"
|
||||
val r = RootShell.runScript(
|
||||
"set -e",
|
||||
"ip link del $iface 2>/dev/null || true",
|
||||
"ip link add $iface type wireguard",
|
||||
"echo '${wg.privKey}' > /data/local/tmp/sbx-wg.key && chmod 600 /data/local/tmp/sbx-wg.key",
|
||||
"wg set $iface private-key /data/local/tmp/sbx-wg.key peer ${wg.pubKey} endpoint ${wg.endpoint} allowed-ips ${wg.allowed.ifBlank { "0.0.0.0/0" }} persistent-keepalive 25",
|
||||
"rm -f /data/local/tmp/sbx-wg.key",
|
||||
if (wg.address.isNotBlank()) "ip addr add ${wg.address} dev $iface 2>/dev/null || true" else ":",
|
||||
"ip link set $iface up",
|
||||
"for n in ${wg.allowed.replace(",", " ")}; do ip route replace \$n dev $iface 2>/dev/null || true; done",
|
||||
"echo OK",
|
||||
)
|
||||
if (r.ok && r.out.contains("OK")) { log.log("✓ Tunnel $iface actif (root, natif)"); return true }
|
||||
log.log("✗ WG natif : ${r.err.trim().ifBlank { r.out.trim() }} — bascule sur l'app")
|
||||
return false
|
||||
}
|
||||
|
||||
/** Run the whole silent sequence. Blocking — call off-main. */
|
||||
fun runSilent(log: Logger): Outcome {
|
||||
val ca = installCaSystem(log)
|
||||
val wgRoot = setupWireguardRoot(log)
|
||||
var verified = false
|
||||
if (wgRoot) {
|
||||
log.log("• Vérification R3…")
|
||||
Thread.sleep(1500)
|
||||
val (t, ip) = api.r3Check()
|
||||
verified = t
|
||||
log.log(if (t) "✓ Tunnel R3 confirmé (${ip ?: "?"})" else "• Pas encore confirmé — réessaie la vérification")
|
||||
}
|
||||
return Outcome(caInstalled = ca, wgUp = wgRoot, verified = verified, wgViaApp = !wgRoot)
|
||||
}
|
||||
}
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
package `in`.secubox.toolbox
|
||||
|
||||
import java.io.File
|
||||
|
||||
/**
|
||||
* Thin wrapper around `su` for the root-mode silent onboarding (#538).
|
||||
* Every action is gated behind an explicit user tap in the UI — nothing
|
||||
* runs as root without the operator choosing root mode on their own
|
||||
* device.
|
||||
*/
|
||||
object RootShell {
|
||||
|
||||
data class Result(val code: Int, val out: String, val err: String) {
|
||||
val ok get() = code == 0
|
||||
}
|
||||
|
||||
/** True if a `su` binary is on PATH and grants a root shell. */
|
||||
fun available(): Boolean = try {
|
||||
run("id -u").out.trim() == "0"
|
||||
} catch (_: Exception) { false }
|
||||
|
||||
/** Run a single command in a root shell. Blocking — call off-main. */
|
||||
fun run(cmd: String): Result {
|
||||
val p = ProcessBuilder("su", "-c", cmd)
|
||||
.redirectErrorStream(false)
|
||||
.start()
|
||||
val out = p.inputStream.bufferedReader().readText()
|
||||
val err = p.errorStream.bufferedReader().readText()
|
||||
val code = p.waitFor()
|
||||
return Result(code, out, err)
|
||||
}
|
||||
|
||||
/** Run several commands in ONE root shell (atomic-ish, keeps remount). */
|
||||
fun runScript(vararg lines: String): Result {
|
||||
val p = ProcessBuilder("su").redirectErrorStream(false).start()
|
||||
p.outputStream.bufferedWriter().use { w ->
|
||||
lines.forEach { w.write(it); w.write("\n") }
|
||||
w.write("exit $?\n")
|
||||
}
|
||||
val out = p.inputStream.bufferedReader().readText()
|
||||
val err = p.errorStream.bufferedReader().readText()
|
||||
val code = p.waitFor()
|
||||
return Result(code, out, err)
|
||||
}
|
||||
|
||||
/** Push a local file to a root-owned path via cat (avoids cp quirks). */
|
||||
fun install(src: File, destPath: String, mode: String = "644"): Result {
|
||||
val b64 = android.util.Base64.encodeToString(src.readBytes(), android.util.Base64.NO_WRAP)
|
||||
return runScript(
|
||||
"echo '$b64' | base64 -d > '$destPath'",
|
||||
"chmod $mode '$destPath'",
|
||||
)
|
||||
}
|
||||
|
||||
/** Kernel has WireGuard + the `wg` tool available to root? */
|
||||
fun hasKernelWireguard(): Boolean = try {
|
||||
val w = run("command -v wg || ls /system/*bin/wg 2>/dev/null")
|
||||
val ip = run("command -v ip")
|
||||
w.out.isNotBlank() && ip.out.isNotBlank()
|
||||
} catch (_: Exception) { false }
|
||||
}
|
||||
|
|
@ -1,106 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
package `in`.secubox.toolbox
|
||||
|
||||
import org.json.JSONObject
|
||||
import java.io.File
|
||||
import java.net.HttpURLConnection
|
||||
import java.net.URL
|
||||
|
||||
/**
|
||||
* Minimal HTTP client for the SecuBox ToolBox R3 endpoints. Uses
|
||||
* HttpURLConnection (no Retrofit/OkHttp) to keep the dependency graph
|
||||
* and CI minimal. All calls are blocking — invoke off the main thread.
|
||||
*
|
||||
* Endpoints (served on the kbin vhost, e.g. kbin.gk2.secubox.in) :
|
||||
* GET /wg/ca.crt -> CA root cert (Android DER/PEM)
|
||||
* GET /wg/profile/new -> wg-quick .conf (one fresh peer per call)
|
||||
* GET /wg/r3-check -> {"tunnel": bool, "peer_ip": "10.99.1.x"}
|
||||
* GET /social/me -> per-client cartographie sociale (web view)
|
||||
*/
|
||||
class ToolboxApi(rawHost: String) {
|
||||
|
||||
// Accept "kbin.gk2.secubox.in", "https://kbin…", trailing slashes…
|
||||
val base: String = rawHost.trim()
|
||||
.removePrefix("https://").removePrefix("http://")
|
||||
.trim('/')
|
||||
.let { "https://$it" }
|
||||
|
||||
val socialMeUrl: String get() = "$base/social/me"
|
||||
|
||||
private fun open(path: String): HttpURLConnection =
|
||||
(URL("$base$path").openConnection() as HttpURLConnection).apply {
|
||||
connectTimeout = 8000
|
||||
readTimeout = 12000
|
||||
setRequestProperty("User-Agent", "secubox-toolbox-android/0.1")
|
||||
instanceFollowRedirects = true
|
||||
}
|
||||
|
||||
/** Download a file (CA or WG profile) into the app cache, return it. */
|
||||
fun download(path: String, outName: String, cacheDir: File): File {
|
||||
val c = open(path)
|
||||
try {
|
||||
if (c.responseCode !in 200..299)
|
||||
throw RuntimeException("HTTP ${c.responseCode} for $path")
|
||||
val out = File(cacheDir, outName)
|
||||
c.inputStream.use { input -> out.outputStream().use { input.copyTo(it) } }
|
||||
return out
|
||||
} finally { c.disconnect() }
|
||||
}
|
||||
|
||||
fun downloadCa(cacheDir: File): File = download("/wg/ca.crt", "village3b-ca.crt", cacheDir)
|
||||
fun downloadProfile(cacheDir: File): File = download("/wg/profile/new", "village3b-toolbox.conf", cacheDir)
|
||||
|
||||
/**
|
||||
* The device's STABLE WireGuard identity (#683 lost-referrer fix).
|
||||
*
|
||||
* `/wg/profile/new` mints a FRESH keypair on every call. The onboarding
|
||||
* runs on every boot, so calling it each time gave the device a NEW pubkey
|
||||
* → new sha256(pubkey) identity hash → its stats/social history reset to an
|
||||
* empty bucket on every reboot/reconnect. Here we fetch a peer ONCE and
|
||||
* persist the .conf in app-internal `filesDir` (survives reboots, unlike the
|
||||
* evictable cacheDir). Every later call reuses the SAME keypair → SAME
|
||||
* identity → the device keeps one continuous history.
|
||||
*
|
||||
* Survives reboot/reconnect/app-restart. (Reinstall still wipes filesDir;
|
||||
* cross-reinstall persistence would need allowBackup — kept off for CSPN.)
|
||||
*/
|
||||
fun persistentProfile(filesDir: File): File {
|
||||
val stored = File(filesDir, "identity-wg.conf")
|
||||
if (stored.exists() && stored.length() > 0L &&
|
||||
stored.readText().contains("PrivateKey", ignoreCase = true)) {
|
||||
return stored
|
||||
}
|
||||
val fresh = download("/wg/profile/new", "identity-wg.conf.tmp", filesDir)
|
||||
fresh.copyTo(stored, overwrite = true)
|
||||
fresh.delete()
|
||||
return stored
|
||||
}
|
||||
|
||||
/** kbin Tor egress status for the client UI (read-only, kbin-safe). */
|
||||
fun torStatus(): JSONObject? {
|
||||
val c = open("/wg/tor-status")
|
||||
return try {
|
||||
if (c.responseCode !in 200..299) null
|
||||
else JSONObject(c.inputStream.bufferedReader().readText())
|
||||
} catch (_: Exception) { null } finally { c.disconnect() }
|
||||
}
|
||||
|
||||
/** R3 tunnel status. Returns (onTunnel, peerIp?). */
|
||||
fun r3Check(): Pair<Boolean, String?> {
|
||||
val c = open("/wg/r3-check")
|
||||
try {
|
||||
if (c.responseCode !in 200..299) return false to null
|
||||
val body = c.inputStream.bufferedReader().readText()
|
||||
val j = JSONObject(body)
|
||||
return j.optBoolean("tunnel", false) to j.optString("peer_ip", null)
|
||||
} catch (_: Exception) {
|
||||
return false to null
|
||||
} finally { c.disconnect() }
|
||||
}
|
||||
|
||||
/** Cheap reachability probe for the discover step. */
|
||||
fun reachable(): Boolean = try {
|
||||
val c = open("/wg/r3-check"); val ok = c.responseCode in 200..499; c.disconnect(); ok
|
||||
} catch (_: Exception) { false }
|
||||
}
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
<vector xmlns:android="http://schemas.android.com/apk/res/android"
|
||||
android:width="108dp" android:height="108dp"
|
||||
android:viewportWidth="108" android:viewportHeight="108">
|
||||
<path android:fillColor="#C9A84C"
|
||||
android:pathData="M54,40c-10,0 -19,6 -24,14c5,8 14,14 24,14s19,-6 24,-14c-5,-8 -14,-14 -24,-14zM54,64a10,10 0 1,1 0,-20a10,10 0 0,1 0,20z" />
|
||||
<path android:fillColor="#00D4FF"
|
||||
android:pathData="M54,49a5,5 0 1,0 0,10a5,5 0 0,0 0,-10z" />
|
||||
</vector>
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
|
||||
<background android:drawable="@color/ic_launcher_background" />
|
||||
<foreground android:drawable="@drawable/ic_launcher_foreground" />
|
||||
</adaptive-icon>
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
|
||||
<background android:drawable="@color/ic_launcher_background" />
|
||||
<foreground android:drawable="@drawable/ic_launcher_foreground" />
|
||||
</adaptive-icon>
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<resources>
|
||||
<color name="ic_launcher_background">#0A0A0F</color>
|
||||
</resources>
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<resources>
|
||||
<string name="app_name">VILLAGE3B ToolBoX</string>
|
||||
</resources>
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<resources>
|
||||
<style name="Theme.SecuBoxToolBox" parent="android:Theme.Material.NoActionBar">
|
||||
<item name="android:statusBarColor">#0A0A0F</item>
|
||||
<item name="android:navigationBarColor">#0A0A0F</item>
|
||||
</style>
|
||||
</resources>
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<paths>
|
||||
<cache-path name="cache" path="." />
|
||||
</paths>
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
plugins {
|
||||
id("com.android.application") version "8.5.2" apply false
|
||||
id("org.jetbrains.kotlin.android") version "1.9.24" apply false
|
||||
}
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
org.gradle.jvmargs=-Xmx2048m -Dfile.encoding=UTF-8
|
||||
android.useAndroidX=true
|
||||
kotlin.code.style=official
|
||||
android.nonTransitiveRClass=true
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// SecuBox-Deb :: Android ToolBox client (#531)
|
||||
pluginManagement {
|
||||
repositories {
|
||||
google()
|
||||
mavenCentral()
|
||||
gradlePluginPortal()
|
||||
}
|
||||
}
|
||||
dependencyResolutionManagement {
|
||||
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
|
||||
repositories {
|
||||
google()
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
rootProject.name = "SecuBoxToolBox"
|
||||
include(":app")
|
||||
5
clients/webext-toolbox/.gitignore
vendored
|
|
@ -1,5 +0,0 @@
|
|||
# build artefacts
|
||||
*.xpi
|
||||
*.zip
|
||||
*.crx
|
||||
web-ext-artifacts/
|
||||
|
|
@ -1,110 +0,0 @@
|
|||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
# SecuBox ToolBoX — browser extension (Cartographie sociale, #532)
|
||||
|
||||
A WebExtension (Firefox `.xpi` + Chromium MV3) that **emancipates** the R3
|
||||
toolbox live tracker analysis into the browser: instead of only seeing the
|
||||
*cartographie sociale* on `kbin/social/me`, a toolbar badge ticks up as
|
||||
trackers fire, and a popup shows who is watching you — live.
|
||||
|
||||
Sibling of [`clients/android-toolbox/`](../android-toolbox/). Talks **only**
|
||||
to your cabine over the R3 tunnel — no third-party calls.
|
||||
|
||||
## What it does
|
||||
|
||||
- **Pairing** — calls `/social/me` over the tunnel, which 303-redirects to
|
||||
`/social/{token}`; the extension reads the minted HMAC token from the
|
||||
final URL. Anonymous (rotating `mac_hash`), no account. Manual token entry
|
||||
available in the options page.
|
||||
- **Live badge** — the toolbar icon shows the live tracker count for the
|
||||
session (polled once a minute). Colour escalates: gold → 🟥 anti-bot
|
||||
present → 🟪 operator-grade present.
|
||||
- **Popup** — four stat tiles (trackers / sites / anti-bot / operator-grade),
|
||||
a dependency-free **mini Round-Eye graph** (device centre, trackers on the
|
||||
ring, radius by hits, colour by tier), and a top-tracker list with CDN
|
||||
(12.A) / anti-bot (12.B) / operator-grade (12.C) tags.
|
||||
- **Actions** — *Cartographie complète* (opens the full d3 view at
|
||||
`/social/{token}`), *Rapport PDF* (`/social/report/{token}.pdf`), and
|
||||
*Effacer mes données* (RGPD art. 17 wipe → `POST /social/wipe/{token}`).
|
||||
|
||||
## Install
|
||||
|
||||
Published release `.xpi` (downloadable directly):
|
||||
|
||||
```
|
||||
https://github.com/CyberMind-FR/secubox-deb/releases/download/webext-v0.1.4/secubox-toolbox-webext.xpi
|
||||
```
|
||||
|
||||
The toolbox also serves it from the cabine:
|
||||
|
||||
```
|
||||
https://kbin.<board>.secubox.in/wg/toolbox.xpi
|
||||
```
|
||||
|
||||
The kbin onboard panel exposes a **🧩 Extension navigateur (cartographie)**
|
||||
button. When a local build is present the cabine serves it; otherwise it
|
||||
302-redirects to the **tag-pinned** release asset above. The webext release
|
||||
is published `make_latest:false` so it does not steal the repo "Latest"
|
||||
pointer from the Android APK release (whose endpoint resolves via
|
||||
`/releases/latest/download/…`) — bump the tag in the `/wg/toolbox.xpi`
|
||||
endpoint constant + `secubox-toolbox-fetch-xpi` when a new `webext-v*`
|
||||
release is cut.
|
||||
|
||||
- **Firefox** — open the `.xpi`. A permanent install needs an AMO-signed
|
||||
build (release CI step / `web-ext sign`); for development use
|
||||
*about:debugging → Load Temporary Add-on*, or an ESR/Dev build with
|
||||
`xpinstall.signatures.required=false`.
|
||||
- **Linux Firefox (fast)** — one call grabs the `.xpi` and launches Firefox
|
||||
with it loaded (via `web-ext run`, no signing needed):
|
||||
```bash
|
||||
clients/webext-toolbox/install-firefox-linux.sh # from kbin.gk2.secubox.in
|
||||
clients/webext-toolbox/install-firefox-linux.sh --release # from the GitHub release
|
||||
clients/webext-toolbox/install-firefox-linux.sh --local # from this checkout
|
||||
```
|
||||
- **Chromium** — load unpacked (`chrome://extensions` → Developer mode).
|
||||
Ships rasterised PNG icons (`icons/icon-48/128.png`), so it loads as-is.
|
||||
|
||||
## Build
|
||||
|
||||
No bundler — the extension is plain JS/HTML/CSS. CI zips it:
|
||||
|
||||
- GitHub Actions `build-webext.yml` → `.xpi` artifact on push to `master` /
|
||||
PRs touching `clients/webext-toolbox/**`; tagging `webext-v*` publishes the
|
||||
`.xpi` as a release asset.
|
||||
|
||||
Locally:
|
||||
|
||||
```bash
|
||||
cd clients/webext-toolbox
|
||||
./build.sh # → secubox-toolbox-webext-<version>.xpi
|
||||
```
|
||||
|
||||
## Files
|
||||
|
||||
| File | Role |
|
||||
|------|------|
|
||||
| `manifest.json` | MV3, cross-browser background (`service_worker` + `scripts`) |
|
||||
| `api.js` | shared client over `/wg/r3-check`, `/social/*` |
|
||||
| `background.js` | badge sync + silent re-pair (SW or event page) |
|
||||
| `popup/` | live view, mini graph (`graph.js`), actions |
|
||||
| `options/` | host / window / manual token |
|
||||
|
||||
## Cabine endpoints consumed
|
||||
|
||||
| Endpoint | Purpose |
|
||||
|----------|---------|
|
||||
| `/wg/r3-check` | tunnel presence indicator |
|
||||
| `/social/me` | pair → mint token (303 → `/social/{token}`) |
|
||||
| `/social/graph/{token}?since=` | per-session tracker graph JSON |
|
||||
| `/social/wipe/{token}` | RGPD art. 17 erasure |
|
||||
| `/social/{token}` | full d3 cartographie page |
|
||||
| `/social/report/{token}.pdf` | bilingual PDF report |
|
||||
|
||||
## Notes
|
||||
|
||||
- No server-side CORS needed: an MV3 extension with `host_permissions` for
|
||||
`*.secubox.in` fetches cross-origin from its background without CORS.
|
||||
- MVP polls `/social/graph` and computes the delta client-side; a future
|
||||
`GET /social/live/{token}` (SSE) can replace the poll. The deception-plane
|
||||
*Poke/Emancipate* per-site control lands once #525 ships.
|
||||
|
||||
License `LicenseRef-CMSD-1.0`.
|
||||
|
|
@ -1,161 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// SecuBox-Deb :: webext-toolbox :: api
|
||||
// Thin client over the R3 toolbox social endpoints. Shared by the
|
||||
// background service worker and the popup. Cross-origin fetches are
|
||||
// allowed because the extension holds host_permissions for the cabine
|
||||
// vhosts — no server-side CORS needed.
|
||||
|
||||
// browser (Firefox promise API) || chrome (Chromium / FF MV3 SW)
|
||||
const ext = globalThis.browser || globalThis.chrome;
|
||||
|
||||
const DEFAULTS = {
|
||||
host: "kbin.gk2.secubox.in",
|
||||
token: "",
|
||||
since: 86400,
|
||||
};
|
||||
|
||||
// base URL from a stored host (accept bare host or full origin)
|
||||
function baseUrl(host) {
|
||||
const h = (host || DEFAULTS.host).trim().replace(/\/+$/, "");
|
||||
if (/^https?:\/\//i.test(h)) return h;
|
||||
return `https://${h}`;
|
||||
}
|
||||
|
||||
async function getConfig() {
|
||||
const stored = await ext.storage.local.get(["host", "token", "since"]);
|
||||
return { ...DEFAULTS, ...stored };
|
||||
}
|
||||
|
||||
async function setConfig(patch) {
|
||||
await ext.storage.local.set(patch);
|
||||
return getConfig();
|
||||
}
|
||||
|
||||
// Extract the HMAC token from a /social/{token} URL path.
|
||||
function tokenFromUrl(url) {
|
||||
try {
|
||||
const u = new URL(url);
|
||||
const m = u.pathname.match(/\/social\/([^/?#]+)/);
|
||||
if (m && m[1] !== "me" && m[1].split(".").length === 4) return m[1];
|
||||
} catch (_) {}
|
||||
return null;
|
||||
}
|
||||
|
||||
// Pair: hit /social/me over the tunnel; it 303-redirects to
|
||||
// /social/{token}. fetch follows the redirect, so response.url carries
|
||||
// the minted token. Returns the token or throws.
|
||||
async function pair(host) {
|
||||
const url = `${baseUrl(host)}/social/me`;
|
||||
const resp = await fetch(url, { redirect: "follow", credentials: "omit" });
|
||||
const tok = tokenFromUrl(resp.url);
|
||||
if (!tok) throw new Error("pairing failed — not on the R3 tunnel?");
|
||||
return tok;
|
||||
}
|
||||
|
||||
// r3-check: is this client on the R3 tunnel right now?
|
||||
async function r3Check(host) {
|
||||
try {
|
||||
const resp = await fetch(`${baseUrl(host)}/wg/r3-check`, { credentials: "omit" });
|
||||
if (!resp.ok) return { tunnel: false, peer_ip: null };
|
||||
return await resp.json();
|
||||
} catch (_) {
|
||||
return { tunnel: false, peer_ip: null };
|
||||
}
|
||||
}
|
||||
|
||||
// #683 — kbin Tor egress status (public, kbin-safe endpoint).
|
||||
async function torStatus(host) {
|
||||
try {
|
||||
const resp = await fetch(`${baseUrl(host)}/wg/tor-status`, { credentials: "omit" });
|
||||
if (!resp.ok) return { tor_mode: false };
|
||||
return await resp.json();
|
||||
} catch (_) {
|
||||
return { tor_mode: false };
|
||||
}
|
||||
}
|
||||
|
||||
// graph: the per-session cartographie JSON. Throws on HTTP error so the
|
||||
// caller can show "token expired — re-pair".
|
||||
async function graph(host, token, since) {
|
||||
const qs = new URLSearchParams({ since: String(since || DEFAULTS.since) });
|
||||
const resp = await fetch(`${baseUrl(host)}/social/graph/${token}?${qs}`, {
|
||||
credentials: "omit",
|
||||
});
|
||||
if (resp.status === 403 || resp.status === 404) {
|
||||
throw new Error("token-expired");
|
||||
}
|
||||
if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
|
||||
return await resp.json();
|
||||
}
|
||||
|
||||
// RGPD art.17 wipe.
|
||||
async function wipe(host, token) {
|
||||
const resp = await fetch(`${baseUrl(host)}/social/wipe/${token}`, {
|
||||
method: "POST",
|
||||
credentials: "omit",
|
||||
});
|
||||
if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
|
||||
return await resp.json();
|
||||
}
|
||||
|
||||
// #574 — protection stats + modular filter toggles (cabine admin API).
|
||||
async function ghost(host) {
|
||||
try {
|
||||
const r = await fetch(`${baseUrl(host)}/admin/ghost`, { credentials: "omit" });
|
||||
return r.ok ? await r.json() : null;
|
||||
} catch (_) { return null; }
|
||||
}
|
||||
async function getAdminFilters(host) {
|
||||
try {
|
||||
const r = await fetch(`${baseUrl(host)}/admin/filters`, { credentials: "omit" });
|
||||
return r.ok ? await r.json() : null;
|
||||
} catch (_) { return null; }
|
||||
}
|
||||
async function setAdminFilters(host, patch) {
|
||||
const r = await fetch(`${baseUrl(host)}/admin/filters`, {
|
||||
method: "POST", credentials: "omit",
|
||||
headers: { "content-type": "application/json" },
|
||||
body: JSON.stringify(patch),
|
||||
});
|
||||
if (!r.ok) throw new Error(`HTTP ${r.status}`);
|
||||
return await r.json();
|
||||
}
|
||||
|
||||
// Favicon of a major site/tracker via the cabine's server-side proxy
|
||||
// (7-day cached PNG, transparent 1×1 fallback) — no third-party call.
|
||||
function faviconUrl(host, domain) {
|
||||
return `${baseUrl(host)}/social/favicon/${encodeURIComponent(domain || "")}`;
|
||||
}
|
||||
|
||||
function socialUrl(host, token) {
|
||||
return `${baseUrl(host)}/social/${token}`;
|
||||
}
|
||||
function reportUrl(host, token) {
|
||||
return `${baseUrl(host)}/social/report/${token}.pdf`;
|
||||
}
|
||||
|
||||
const SbxApi = {
|
||||
DEFAULTS,
|
||||
ext,
|
||||
baseUrl,
|
||||
getConfig,
|
||||
setConfig,
|
||||
pair,
|
||||
r3Check,
|
||||
torStatus,
|
||||
graph,
|
||||
wipe,
|
||||
ghost,
|
||||
getAdminFilters,
|
||||
setAdminFilters,
|
||||
faviconUrl,
|
||||
socialUrl,
|
||||
reportUrl,
|
||||
tokenFromUrl,
|
||||
};
|
||||
|
||||
// Usable both as a classic background script (globalThis) and an ES-less
|
||||
// service worker. No module syntax to stay loadable as plain script.
|
||||
globalThis.SbxApi = SbxApi;
|
||||
|
|
@ -1,81 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// SecuBox-Deb :: webext-toolbox :: background
|
||||
// Keeps the toolbar badge in sync with the live tracker count and
|
||||
// re-pairs over the R3 tunnel when the token expires. Works as a
|
||||
// Chromium MV3 service worker (importScripts) AND a Firefox event page
|
||||
// (api.js preloaded via background.scripts).
|
||||
|
||||
if (typeof importScripts === "function") {
|
||||
// Chromium service worker: api.js isn't auto-loaded, pull it in.
|
||||
try { importScripts("api.js"); } catch (_) {}
|
||||
}
|
||||
|
||||
// NB: do NOT declare `const ext` here — api.js already declares it in the
|
||||
// shared script scope (event page) / worker global (importScripts), and a
|
||||
// second `const ext` is a "redeclaration of const ext" SyntaxError that
|
||||
// kills the whole background script. Use api.ext instead.
|
||||
const api = globalThis.SbxApi;
|
||||
|
||||
const ALARM = "sbx-refresh";
|
||||
const PERIOD_MIN = 1; // poll the cabine once a minute
|
||||
|
||||
function setBadge(text, color) {
|
||||
try {
|
||||
api.ext.action.setBadgeText({ text: text || "" });
|
||||
if (color) ext.action.setBadgeBackgroundColor({ color });
|
||||
} catch (_) {}
|
||||
}
|
||||
|
||||
// Pull the graph, update the badge with the live tracker count. Auto
|
||||
// re-pairs once if the stored token has expired.
|
||||
async function refresh() {
|
||||
const cfg = await api.getConfig();
|
||||
if (!cfg.host) { setBadge("", "#6b6b7a"); return; }
|
||||
|
||||
let token = cfg.token;
|
||||
const run = async (tok) => api.graph(cfg.host, tok, cfg.since);
|
||||
|
||||
try {
|
||||
if (!token) token = await api.pair(cfg.host);
|
||||
let data;
|
||||
try {
|
||||
data = await run(token);
|
||||
} catch (e) {
|
||||
if (String(e.message) === "token-expired") {
|
||||
token = await api.pair(cfg.host); // one silent re-pair
|
||||
data = await run(token);
|
||||
} else throw e;
|
||||
}
|
||||
await api.setConfig({ token });
|
||||
const n = (data.stats && data.stats.total_trackers) || 0;
|
||||
// colour escalates with operator-grade / anti-bot presence
|
||||
const opg = (data.stats && data.stats.opgrade_sites) || 0;
|
||||
const ab = (data.stats && data.stats.antibot_sites) || 0;
|
||||
const color = opg > 0 ? "#6e40c9" : ab > 0 ? "#e63946" : "#c9a84c";
|
||||
setBadge(n > 999 ? "999+" : String(n), color);
|
||||
await ext.storage.local.set({ lastStats: data.stats || {}, lastError: "" });
|
||||
} catch (e) {
|
||||
setBadge("!", "#6b6b7a");
|
||||
await ext.storage.local.set({ lastError: String(e.message || e) });
|
||||
}
|
||||
}
|
||||
|
||||
api.ext.runtime.onInstalled.addListener(() => {
|
||||
api.ext.alarms.create(ALARM, { periodInMinutes: PERIOD_MIN });
|
||||
refresh();
|
||||
});
|
||||
api.ext.runtime.onStartup && api.ext.runtime.onStartup.addListener(() => {
|
||||
api.ext.alarms.create(ALARM, { periodInMinutes: PERIOD_MIN });
|
||||
refresh();
|
||||
});
|
||||
api.ext.alarms.onAlarm.addListener((a) => { if (a.name === ALARM) refresh(); });
|
||||
|
||||
// popup asks for an immediate refresh after pairing / config change
|
||||
api.ext.runtime.onMessage.addListener((msg, _sender, sendResponse) => {
|
||||
if (msg && msg.type === "refresh") {
|
||||
refresh().then(() => sendResponse({ ok: true }));
|
||||
return true; // async response
|
||||
}
|
||||
});
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
#
|
||||
# SecuBox ToolBoX Cartographie — build the unsigned .xpi (a zip of the
|
||||
# extension dir). Firefox loads it as-is (temporary add-on / ESR with
|
||||
# signatures off) ; a release build signs it via web-ext / AMO.
|
||||
# Usage: ./build.sh → produces ./secubox-toolbox-webext-<version>.xpi
|
||||
set -euo pipefail
|
||||
cd "$(dirname "$0")"
|
||||
|
||||
VER=$(grep -oE '"version"[^,]*' manifest.json | grep -oE '[0-9.]+' | head -1)
|
||||
OUT="secubox-toolbox-webext-${VER}.xpi"
|
||||
rm -f "$OUT"
|
||||
|
||||
# -FS = sync (drop stale entries) ; exclude VCS, dotfiles, build script,
|
||||
# any previously built artefact, docs, and the SVG icon source (only the
|
||||
# rasterised PNGs are referenced by the manifest — keep SVG out of the
|
||||
# package so Firefox never renders it in chrome UI).
|
||||
zip -r -FS "$OUT" . \
|
||||
-x '*.git*' '*/.*' 'build.sh' '*.xpi' 'README.md' 'icons/icon.svg' >/dev/null
|
||||
|
||||
echo "built $OUT ($(stat -c%s "$OUT" 2>/dev/null || stat -f%z "$OUT") bytes)"
|
||||
echo "Firefox: about:debugging → This Firefox → Load Temporary Add-on → pick the .xpi (or manifest.json)."
|
||||
echo "Permanent install needs signing (web-ext sign / AMO) or Dev/ESR with xpinstall.signatures.required=false."
|
||||
echo "Chromium: action icons must be raster — rasterise icons/icon.svg to PNG before a Chromium store build."
|
||||
|
Before Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 618 B |
|
|
@ -1,22 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128" width="128" height="128">
|
||||
<rect width="128" height="128" rx="24" fill="#0a0a0f"/>
|
||||
<!-- outer eye almond -->
|
||||
<path d="M64 36 C92 36 114 64 114 64 C114 64 92 92 64 92 C36 92 14 64 14 64 C14 64 36 36 64 36 Z"
|
||||
fill="none" stroke="#c9a84c" stroke-width="5"/>
|
||||
<!-- iris -->
|
||||
<circle cx="64" cy="64" r="20" fill="#0c0c12" stroke="#00ff41" stroke-width="4"/>
|
||||
<circle cx="64" cy="64" r="7" fill="#00ff41"/>
|
||||
<!-- tracker spokes -->
|
||||
<g stroke="#6e40c9" stroke-width="3" opacity="0.8">
|
||||
<line x1="64" y1="64" x2="104" y2="40"/>
|
||||
<line x1="64" y1="64" x2="24" y2="40"/>
|
||||
<line x1="64" y1="64" x2="100" y2="92"/>
|
||||
</g>
|
||||
<g fill="#00d4ff">
|
||||
<circle cx="104" cy="40" r="5"/>
|
||||
<circle cx="24" cy="40" r="5"/>
|
||||
</g>
|
||||
<circle cx="100" cy="92" r="5" fill="#e63946"/>
|
||||
</svg>
|
||||
|
Before Width: | Height: | Size: 951 B |
|
|
@ -1,87 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
#
|
||||
# SecuBox ToolBoX — Linux Firefox installer (#547)
|
||||
# One call: grab the ToolBoX cartographie extension and launch Firefox with
|
||||
# it loaded. Prefers `web-ext run` (temporary load, works unsigned — fastest)
|
||||
# and falls back to opening the .xpi for the install prompt.
|
||||
#
|
||||
# Usage:
|
||||
# ./install-firefox-linux.sh # from kbin.gk2.secubox.in
|
||||
# ./install-firefox-linux.sh kbin.my.box # from another cabine host
|
||||
# ./install-firefox-linux.sh --release # from the latest GitHub release
|
||||
# ./install-firefox-linux.sh --local # build from this checkout (web-ext)
|
||||
set -euo pipefail
|
||||
|
||||
DEFAULT_HOST="kbin.gk2.secubox.in"
|
||||
RELEASE_URL="https://github.com/CyberMind-FR/secubox-deb/releases/download/webext-v0.1.4/secubox-toolbox-webext.xpi"
|
||||
SELF_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
|
||||
say(){ printf '\033[1;36m▸\033[0m %s\n' "$*"; }
|
||||
warn(){ printf '\033[1;33m!\033[0m %s\n' "$*" >&2; }
|
||||
die(){ printf '\033[1;31m✗\033[0m %s\n' "$*" >&2; exit 1; }
|
||||
|
||||
# ── resolve source ──
|
||||
MODE="host"; HOST="$DEFAULT_HOST"; SRC_URL=""
|
||||
case "${1:-}" in
|
||||
--release) MODE="release"; SRC_URL="$RELEASE_URL" ;;
|
||||
--local) MODE="local" ;;
|
||||
"") SRC_URL="https://${HOST}/wg/toolbox.xpi" ;;
|
||||
-*) die "unknown flag: $1 (use --release | --local | <host>)" ;;
|
||||
*) HOST="$1"; SRC_URL="https://${HOST}/wg/toolbox.xpi" ;;
|
||||
esac
|
||||
|
||||
# ── find a Firefox binary ──
|
||||
FX=""
|
||||
for c in firefox firefox-esr firefox-bin firefox-developer-edition; do
|
||||
if command -v "$c" >/dev/null 2>&1; then FX="$c"; break; fi
|
||||
done
|
||||
if [ -z "$FX" ] && command -v flatpak >/dev/null 2>&1 \
|
||||
&& flatpak info org.mozilla.firefox >/dev/null 2>&1; then
|
||||
FX="flatpak run org.mozilla.firefox"
|
||||
fi
|
||||
[ -n "$FX" ] || die "no Firefox found (install firefox / firefox-esr, or flatpak org.mozilla.firefox)"
|
||||
say "Firefox: $FX"
|
||||
|
||||
have_webext(){ command -v web-ext >/dev/null 2>&1 || command -v npx >/dev/null 2>&1; }
|
||||
runwebext(){ if command -v web-ext >/dev/null 2>&1; then web-ext "$@"; else npx --yes web-ext "$@"; fi; }
|
||||
|
||||
# ── fastest path: web-ext run (temporary load, no signing needed) ──
|
||||
if have_webext; then
|
||||
SRCDIR=""
|
||||
if [ "$MODE" = "local" ]; then
|
||||
[ -f "$SELF_DIR/manifest.json" ] || die "--local: no manifest.json next to this script"
|
||||
SRCDIR="$SELF_DIR"
|
||||
else
|
||||
TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT
|
||||
say "Downloading extension from ${SRC_URL} …"
|
||||
curl -fsSL "$SRC_URL" -o "$TMP/sbx.xpi" || die "download failed: $SRC_URL"
|
||||
head -c2 "$TMP/sbx.xpi" | grep -q PK || die "not a valid .xpi (zip) — wrong host/URL?"
|
||||
mkdir -p "$TMP/ext" && ( cd "$TMP/ext" && unzip -q "$TMP/sbx.xpi" )
|
||||
SRCDIR="$TMP/ext"
|
||||
fi
|
||||
say "Launching Firefox with the ToolBoX extension loaded (temporary)…"
|
||||
FXBIN="${FX%% *}" # web-ext wants the binary, not a flatpak wrapper
|
||||
if [ "$FX" = "${FX# }" ] && command -v "$FXBIN" >/dev/null 2>&1; then
|
||||
exec runwebext run --source-dir "$SRCDIR" --firefox "$FXBIN" \
|
||||
--start-url "https://${HOST}/social/me"
|
||||
fi
|
||||
exec runwebext run --source-dir "$SRCDIR" --start-url "https://${HOST}/social/me"
|
||||
fi
|
||||
|
||||
# ── fallback: open the .xpi so Firefox shows the install prompt ──
|
||||
warn "web-ext not found (no npx) — falling back to the install prompt."
|
||||
TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT
|
||||
[ "$MODE" = "local" ] && die "--local needs web-ext/npx; install nodejs or use a host/--release"
|
||||
say "Downloading ${SRC_URL} …"
|
||||
curl -fsSL "$SRC_URL" -o "$TMP/secubox-toolbox-webext.xpi" || die "download failed"
|
||||
head -c2 "$TMP/secubox-toolbox-webext.xpi" | grep -q PK || die "not a valid .xpi"
|
||||
cat <<'NOTE'
|
||||
! The .xpi is unsigned. Stock Firefox release refuses a permanent install.
|
||||
Use Firefox ESR/Developer/Nightly, or set in about:config:
|
||||
xpinstall.signatures.required = false
|
||||
…then accept the install prompt that opens now.
|
||||
NOTE
|
||||
say "Opening Firefox on the extension…"
|
||||
exec $FX "$TMP/secubox-toolbox-webext.xpi"
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
{
|
||||
"manifest_version": 3,
|
||||
"name": "SecuBox ToolBoX — Cartographie sociale",
|
||||
"version": "0.1.5",
|
||||
"description": "Surface the SecuBox R3 toolbox live tracker analysis (cartographie sociale) in your browser: live badge, per-session trackers, mini Round-Eye graph, RGPD wipe + PDF report.",
|
||||
"browser_specific_settings": {
|
||||
"gecko": {
|
||||
"id": "secubox-toolbox-webext@cybermind.fr",
|
||||
"strict_min_version": "115.0"
|
||||
}
|
||||
},
|
||||
"permissions": ["storage", "alarms"],
|
||||
"host_permissions": [
|
||||
"*://*.secubox.in/*"
|
||||
],
|
||||
"action": {
|
||||
"default_title": "SecuBox Cartographie",
|
||||
"default_popup": "popup/popup.html",
|
||||
"default_icon": {
|
||||
"48": "icons/icon-48.png",
|
||||
"128": "icons/icon-128.png"
|
||||
}
|
||||
},
|
||||
"icons": {
|
||||
"48": "icons/icon-48.png",
|
||||
"128": "icons/icon-128.png"
|
||||
},
|
||||
"background": {
|
||||
"service_worker": "background.js",
|
||||
"scripts": ["api.js", "background.js"]
|
||||
},
|
||||
"options_ui": {
|
||||
"page": "options/options.html",
|
||||
"open_in_tab": true
|
||||
}
|
||||
}
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<html lang="fr">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>SecuBox Cartographie — Réglages</title>
|
||||
<style>
|
||||
body { background:#0a0a0f; color:#e8e6d9; font:14px/1.5 system-ui,sans-serif;
|
||||
max-width:520px; margin:40px auto; padding:0 20px; }
|
||||
h1 { color:#c9a84c; font-size:18px; }
|
||||
label { display:block; color:#6b6b7a; font-size:12px; margin:14px 0 4px; }
|
||||
input,select { width:100%; padding:8px; border-radius:6px; border:1px solid #333;
|
||||
background:#14141c; color:#e8e6d9; }
|
||||
button { margin-top:16px; padding:9px 14px; border-radius:6px; border:1px solid #c9a84c;
|
||||
background:#c9a84c; color:#0a0a0f; font-weight:700; cursor:pointer; }
|
||||
.muted { color:#6b6b7a; font-size:12px; }
|
||||
#msg { color:#00ff41; min-height:18px; margin-top:10px; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<h1>👁️ SecuBox Cartographie — Réglages</h1>
|
||||
<p class="muted">L'extension parle uniquement à ta cabine via le tunnel R3.
|
||||
Aucune donnée n'est envoyée ailleurs.</p>
|
||||
|
||||
<label>Borne (hôte de la cabine)
|
||||
<input id="host" type="text" placeholder="kbin.gk2.secubox.in" autocomplete="off">
|
||||
</label>
|
||||
<label>Fenêtre d'analyse
|
||||
<select id="since">
|
||||
<option value="3600">1 heure</option>
|
||||
<option value="86400" selected>24 heures</option>
|
||||
<option value="604800">7 jours</option>
|
||||
</select>
|
||||
</label>
|
||||
<label>Jeton de session (optionnel — sinon appairage auto via R3)
|
||||
<input id="token" type="text" placeholder="mac.exp.nonce.sig" autocomplete="off">
|
||||
</label>
|
||||
|
||||
<button id="save">Enregistrer</button>
|
||||
<p id="msg"></p>
|
||||
|
||||
<script src="../api.js"></script>
|
||||
<script src="options.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
const api = globalThis.SbxApi;
|
||||
const $ = (id) => document.getElementById(id);
|
||||
|
||||
async function load() {
|
||||
const cfg = await api.getConfig();
|
||||
$("host").value = cfg.host;
|
||||
$("token").value = cfg.token || "";
|
||||
$("since").value = String(cfg.since);
|
||||
}
|
||||
|
||||
$("save").addEventListener("click", async () => {
|
||||
await api.setConfig({
|
||||
host: $("host").value.trim() || api.DEFAULTS.host,
|
||||
token: $("token").value.trim(),
|
||||
since: parseInt($("since").value, 10) || api.DEFAULTS.since,
|
||||
});
|
||||
api.ext.runtime.sendMessage({ type: "refresh" });
|
||||
$("msg").textContent = "Enregistré ✓";
|
||||
setTimeout(() => ($("msg").textContent = ""), 1500);
|
||||
});
|
||||
|
||||
load();
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// Dependency-free mini "Round-Eye" cartographie : the device at the
|
||||
// centre, top trackers on an outer ring, radius/colour by hits + tier.
|
||||
// A compact stand-in for the full d3 view served at /social/{token}.
|
||||
|
||||
const SVGNS = "http://www.w3.org/2000/svg";
|
||||
const PAL = {
|
||||
base: "#c9a84c", // gold
|
||||
cdn: "#00d4ff", // cyan
|
||||
ab: "#e63946", // cinnabar (anti-bot)
|
||||
opg: "#6e40c9", // void purple (operator-grade)
|
||||
eye: "#00ff41", // matrix green
|
||||
link: "#2a2a3a",
|
||||
};
|
||||
|
||||
function el(name, attrs) {
|
||||
const n = document.createElementNS(SVGNS, name);
|
||||
for (const k in attrs) n.setAttribute(k, attrs[k]);
|
||||
return n;
|
||||
}
|
||||
|
||||
function tierOf(node) {
|
||||
if (node.opgrade_vendor) return "opg";
|
||||
if (node.antibot_vendor) return "ab";
|
||||
if (node.cdn_vendor) return "cdn";
|
||||
return "base";
|
||||
}
|
||||
|
||||
function renderGraph(svg, data) {
|
||||
while (svg.firstChild) svg.removeChild(svg.firstChild);
|
||||
const W = 260, H = 180, cx = W / 2, cy = H / 2;
|
||||
|
||||
const nodes = (data && data.nodes ? data.nodes.slice() : [])
|
||||
.sort((a, b) => (b.hits || 0) - (a.hits || 0))
|
||||
.slice(0, 14);
|
||||
|
||||
if (!nodes.length) {
|
||||
const t = el("text", { x: cx, y: cy, fill: "#6b6b7a", "font-size": 11,
|
||||
"text-anchor": "middle" });
|
||||
t.textContent = "Aucun traceur détecté pour l'instant";
|
||||
svg.appendChild(t);
|
||||
return;
|
||||
}
|
||||
|
||||
const maxHits = Math.max(...nodes.map((n) => n.hits || 1));
|
||||
const R = 66;
|
||||
|
||||
// spokes first (under the dots)
|
||||
nodes.forEach((n, i) => {
|
||||
const a = (i / nodes.length) * Math.PI * 2 - Math.PI / 2;
|
||||
const x = cx + Math.cos(a) * R, y = cy + Math.sin(a) * R;
|
||||
svg.appendChild(el("line", { x1: cx, y1: cy, x2: x, y2: y,
|
||||
stroke: PAL.link, "stroke-width": 1 }));
|
||||
});
|
||||
|
||||
// tracker dots
|
||||
nodes.forEach((n, i) => {
|
||||
const a = (i / nodes.length) * Math.PI * 2 - Math.PI / 2;
|
||||
const x = cx + Math.cos(a) * R, y = cy + Math.sin(a) * R;
|
||||
const r = 3 + Math.round(6 * Math.sqrt((n.hits || 1) / maxHits));
|
||||
const fill = PAL[tierOf(n)];
|
||||
const c = el("circle", { cx: x, cy: y, r, fill, "fill-opacity": 0.85 });
|
||||
const title = el("title", {});
|
||||
title.textContent = `${n.domain} — ${n.hits || 0} hits`
|
||||
+ (n.cdn_vendor ? ` · ${n.cdn_vendor}` : "")
|
||||
+ (n.antibot_vendor ? ` · anti-bot ${n.antibot_vendor}` : "")
|
||||
+ (n.opgrade_vendor ? ` · opérateur ${n.opgrade_vendor}` : "");
|
||||
c.appendChild(title);
|
||||
svg.appendChild(c);
|
||||
});
|
||||
|
||||
// the eye (device) at the centre
|
||||
svg.appendChild(el("circle", { cx, cy, r: 13, fill: "#0c0c12",
|
||||
stroke: PAL.eye, "stroke-width": 2 }));
|
||||
svg.appendChild(el("circle", { cx, cy, r: 4.5, fill: PAL.eye }));
|
||||
}
|
||||
|
||||
globalThis.renderGraph = renderGraph;
|
||||
|
|
@ -1,92 +0,0 @@
|
|||
/* SPDX-License-Identifier: LicenseRef-CMSD-1.0 */
|
||||
/* SecuBox cyberpunk/hermetic palette (DESIGN-CHARTER) */
|
||||
:root {
|
||||
--cosmos: #0a0a0f;
|
||||
--gold: #c9a84c;
|
||||
--cinnabar: #e63946;
|
||||
--matrix: #00ff41;
|
||||
--void: #6e40c9;
|
||||
--cyan: #00d4ff;
|
||||
--text: #e8e6d9;
|
||||
--muted: #6b6b7a;
|
||||
}
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
width: 300px;
|
||||
margin: 0;
|
||||
background: var(--cosmos);
|
||||
color: var(--text);
|
||||
font: 13px/1.4 system-ui, "Segoe UI", sans-serif;
|
||||
padding: 10px 12px 8px;
|
||||
}
|
||||
header {
|
||||
display: flex; align-items: center; justify-content: space-between;
|
||||
margin-bottom: 8px;
|
||||
}
|
||||
.logo { color: var(--gold); font-weight: 700; letter-spacing: .5px; }
|
||||
.r3 {
|
||||
font-size: 10px; font-weight: 700; padding: 2px 6px; border-radius: 4px;
|
||||
border: 1px solid currentColor;
|
||||
}
|
||||
.r3.on { color: var(--matrix); }
|
||||
.r3.off { color: var(--muted); }
|
||||
.muted { color: var(--muted); font-size: 11px; }
|
||||
.err { color: var(--cinnabar); font-size: 11px; min-height: 14px; }
|
||||
|
||||
label { display: block; font-size: 11px; color: var(--muted); margin: 8px 0 4px; }
|
||||
input[type=text] {
|
||||
width: 100%; padding: 7px 8px; border-radius: 6px;
|
||||
border: 1px solid #333; background: #14141c; color: var(--text);
|
||||
}
|
||||
button {
|
||||
cursor: pointer; border: 1px solid #333; border-radius: 6px;
|
||||
background: #14141c; color: var(--text); padding: 7px 8px; font-size: 12px;
|
||||
}
|
||||
button:hover { border-color: var(--gold); }
|
||||
button.go {
|
||||
width: 100%; margin-top: 8px; background: var(--gold); color: var(--cosmos);
|
||||
font-weight: 700; border-color: var(--gold);
|
||||
}
|
||||
button.danger { color: var(--cinnabar); border-color: var(--cinnabar); }
|
||||
|
||||
.stats { display: grid; grid-template-columns: 1fr 1fr 1fr 1fr; gap: 6px; margin-bottom: 8px; }
|
||||
.stat {
|
||||
background: #12121a; border: 1px solid #222; border-radius: 6px;
|
||||
padding: 6px 2px; text-align: center;
|
||||
}
|
||||
.stat b { display: block; font-size: 16px; color: var(--gold); }
|
||||
.stat span { font-size: 9px; color: var(--muted); }
|
||||
.stat.warn b { color: var(--cinnabar); }
|
||||
.stat.opg b { color: var(--void); }
|
||||
|
||||
#graph { width: 100%; height: 180px; background: #0c0c12; border-radius: 8px; display: block; }
|
||||
|
||||
.toplist { margin: 8px 0; max-height: 132px; overflow-y: auto; }
|
||||
.row {
|
||||
display: flex; align-items: center; gap: 6px; padding: 3px 2px;
|
||||
border-bottom: 1px solid #1a1a22; font-size: 11px;
|
||||
}
|
||||
.row .fav { width: 16px; height: 16px; border-radius: 3px; flex-shrink: 0; background: #1a1a22; object-fit: contain; }
|
||||
.row .dom { flex: 1; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
|
||||
.row .hits { color: var(--muted); }
|
||||
|
||||
/* #574 — protection panel */
|
||||
#protect { margin: 8px 0; padding: 8px; background: #0e0e15; border: 1px solid #222; border-radius: 8px; }
|
||||
.phead { color: var(--matrix); font-weight: 700; font-size: 12px; margin-bottom: 6px; }
|
||||
.gstat { color: var(--muted); font-weight: 400; font-size: 10px; }
|
||||
.tg { display: flex; align-items: center; gap: 6px; font-size: 11px; padding: 3px 0; }
|
||||
.tg select { margin-left: auto; background: #14141c; color: var(--text); border: 1px solid #333; border-radius: 4px; }
|
||||
#protect input { accent-color: var(--void); }
|
||||
.tier { font-size: 9px; padding: 1px 4px; border-radius: 3px; }
|
||||
.tier.cdn { background: #1d2a33; color: var(--cyan); }
|
||||
.tier.ab { background: #2a1416; color: var(--cinnabar); }
|
||||
.tier.opg { background: #1e1430; color: var(--void); }
|
||||
|
||||
.actions { display: grid; grid-template-columns: 1fr 1fr; gap: 6px; margin: 6px 0; }
|
||||
.actions button:last-child { grid-column: 1 / 3; }
|
||||
|
||||
footer {
|
||||
display: flex; justify-content: space-between; align-items: center;
|
||||
margin-top: 6px; padding-top: 6px; border-top: 1px solid #1a1a22;
|
||||
}
|
||||
footer a { color: var(--cyan); text-decoration: none; font-size: 11px; }
|
||||
|
|
@ -1,68 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
<html lang="fr">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<link rel="stylesheet" href="popup.css">
|
||||
<title>SecuBox Cartographie</title>
|
||||
</head>
|
||||
<body>
|
||||
<header>
|
||||
<span class="logo">👁️ VILLAGE3B</span>
|
||||
<span id="tordot" class="r3 off" title="Mode Tor" style="display:none">🧅</span>
|
||||
<span id="r3dot" class="r3 off" title="État du tunnel R3">R3</span>
|
||||
</header>
|
||||
|
||||
<!-- Pairing (shown when no token) -->
|
||||
<section id="pair" hidden>
|
||||
<p class="muted">Connecte-toi à la cabine pour voir qui t'observe.</p>
|
||||
<label>Borne
|
||||
<input id="host" type="text" placeholder="kbin.gk2.secubox.in" autocomplete="off">
|
||||
</label>
|
||||
<button id="pairBtn" class="go">Appairer (R3)</button>
|
||||
<p id="pairMsg" class="err"></p>
|
||||
</section>
|
||||
|
||||
<!-- Live view (shown when paired) -->
|
||||
<section id="live" hidden>
|
||||
<div class="stats">
|
||||
<div class="stat"><b id="sTrackers">–</b><span>traceurs</span></div>
|
||||
<div class="stat"><b id="sSites">–</b><span>sites</span></div>
|
||||
<div class="stat warn"><b id="sAntibot">–</b><span>anti-bot</span></div>
|
||||
<div class="stat opg"><b id="sOpgrade">–</b><span>opérateur</span></div>
|
||||
</div>
|
||||
|
||||
<svg id="graph" viewBox="0 0 260 180" role="img" aria-label="Mini cartographie"></svg>
|
||||
|
||||
<div class="toplist" id="topList"></div>
|
||||
|
||||
<section id="protect">
|
||||
<div class="phead">🛡 Protection <span id="ghostStat" class="gstat"></span></div>
|
||||
<label class="tg"><input type="checkbox" data-f="ad_ghost"> Masquer pubs/bannières (R3+)</label>
|
||||
<label class="tg"><input type="checkbox" data-f="ad_ghost_block"> Bloquer hôtes pub (économie)</label>
|
||||
<label class="tg"><input type="checkbox" data-f="banner"> Bannière transparence</label>
|
||||
<label class="tg">Mode protecteur
|
||||
<select data-f="protective"><option value="off">off</option><option value="alert">alert</option><option value="spoof">spoof</option></select>
|
||||
</label>
|
||||
<p id="protectMsg" class="muted"></p>
|
||||
</section>
|
||||
|
||||
<div class="actions">
|
||||
<button id="openFull">🗺️ Cartographie complète</button>
|
||||
<button id="pdf">📄 Rapport PDF</button>
|
||||
<button id="wipe" class="danger">🧹 Effacer mes données</button>
|
||||
</div>
|
||||
<p id="liveMsg" class="muted"></p>
|
||||
</section>
|
||||
|
||||
<footer>
|
||||
<a href="#" id="settings">Réglages</a>
|
||||
<span class="muted" id="ver"></span>
|
||||
</footer>
|
||||
|
||||
<script src="../api.js"></script>
|
||||
<script src="graph.js"></script>
|
||||
<script src="popup.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -1,194 +0,0 @@
|
|||
// SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
// Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
//
|
||||
// SecuBox-Deb :: webext-toolbox :: popup controller
|
||||
|
||||
// NB: api.js (loaded first in this page) already declares `const ext` in the
|
||||
// shared script scope — re-declaring it here is a "redeclaration of const ext"
|
||||
// SyntaxError that aborts popup.js. Use api.ext instead.
|
||||
const api = globalThis.SbxApi;
|
||||
const $ = (id) => document.getElementById(id);
|
||||
let curHost = api.DEFAULTS.host; // for favicon URLs (#555)
|
||||
|
||||
function show(which) {
|
||||
$("pair").hidden = which !== "pair";
|
||||
$("live").hidden = which !== "live";
|
||||
}
|
||||
|
||||
function fillTopList(nodes) {
|
||||
const list = $("topList");
|
||||
list.innerHTML = "";
|
||||
(nodes || [])
|
||||
.slice()
|
||||
.sort((a, b) => (b.hits || 0) - (a.hits || 0))
|
||||
.slice(0, 5)
|
||||
.forEach((n) => {
|
||||
const row = document.createElement("div");
|
||||
row.className = "row";
|
||||
// favicon of the major site/tracker (cabine proxy) — not an IP (#555)
|
||||
const fav = document.createElement("img");
|
||||
fav.className = "fav";
|
||||
fav.loading = "lazy";
|
||||
fav.alt = "";
|
||||
fav.src = api.faviconUrl(curHost, n.domain || n.id);
|
||||
fav.addEventListener("error", () => { fav.style.visibility = "hidden"; });
|
||||
row.appendChild(fav);
|
||||
const dom = document.createElement("span");
|
||||
dom.className = "dom";
|
||||
dom.textContent = n.domain || n.id;
|
||||
row.appendChild(dom);
|
||||
if (n.opgrade_vendor) addTier(row, "opg", n.opgrade_vendor);
|
||||
else if (n.antibot_vendor) addTier(row, "ab", n.antibot_vendor);
|
||||
else if (n.cdn_vendor) addTier(row, "cdn", n.cdn_vendor);
|
||||
const hits = document.createElement("span");
|
||||
hits.className = "hits";
|
||||
hits.textContent = (n.hits || 0) + "×";
|
||||
row.appendChild(hits);
|
||||
list.appendChild(row);
|
||||
});
|
||||
}
|
||||
function addTier(row, cls, label) {
|
||||
const t = document.createElement("span");
|
||||
t.className = "tier " + cls;
|
||||
t.textContent = label;
|
||||
row.appendChild(t);
|
||||
}
|
||||
|
||||
function paint(data) {
|
||||
const s = data.stats || {};
|
||||
$("sTrackers").textContent = s.total_trackers ?? 0;
|
||||
$("sSites").textContent = s.total_sites ?? 0;
|
||||
$("sAntibot").textContent = s.antibot_sites ?? 0;
|
||||
$("sOpgrade").textContent = s.opgrade_sites ?? 0;
|
||||
globalThis.renderGraph($("graph"), data);
|
||||
fillTopList(data.nodes);
|
||||
}
|
||||
|
||||
// #574 — protection stats + live filter toggles in the popup.
|
||||
async function loadProtection() {
|
||||
const sec = $("protect");
|
||||
if (!sec) return;
|
||||
const g = await api.ghost(curHost);
|
||||
if (g) {
|
||||
$("ghostStat").textContent =
|
||||
`${g.blocked_requests || 0} bloqués · ~${g.mb_saved_est || 0} Mo · ${g.pages_cleaned || 0} nettoyées`;
|
||||
}
|
||||
const f = await api.getAdminFilters(curHost);
|
||||
if (!f) { sec.style.opacity = "0.5"; return; }
|
||||
sec.style.opacity = "1";
|
||||
sec.querySelectorAll("[data-f]").forEach((el) => {
|
||||
const k = el.dataset.f;
|
||||
if (el.type === "checkbox") el.checked = !!f[k];
|
||||
else el.value = f[k];
|
||||
});
|
||||
if (!sec.dataset.wired) {
|
||||
sec.dataset.wired = "1";
|
||||
sec.querySelectorAll("[data-f]").forEach((el) => {
|
||||
el.addEventListener("change", async () => {
|
||||
const v = el.type === "checkbox" ? el.checked : el.value;
|
||||
try {
|
||||
await api.setAdminFilters(curHost, { [el.dataset.f]: v });
|
||||
$("protectMsg").textContent = "✓ appliqué";
|
||||
setTimeout(() => ($("protectMsg").textContent = ""), 1000);
|
||||
loadProtection();
|
||||
} catch (e) {
|
||||
$("protectMsg").textContent = "erreur : " + e.message;
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
async function load() {
|
||||
const cfg = await api.getConfig();
|
||||
curHost = cfg.host || api.DEFAULTS.host;
|
||||
$("ver").textContent = "v" + (api.ext.runtime.getManifest().version || "");
|
||||
|
||||
// tunnel indicator
|
||||
api.r3Check(cfg.host).then((r) => {
|
||||
const dot = $("r3dot");
|
||||
dot.className = "r3 " + (r.tunnel ? "on" : "off");
|
||||
dot.title = r.tunnel ? `Tunnel R3 actif (${r.peer_ip || "?"})` : "Hors tunnel R3";
|
||||
});
|
||||
|
||||
// #683 — Tor egress indicator (only visible when kbin Tor mode is on)
|
||||
api.torStatus(cfg.host).then((t) => {
|
||||
const dot = $("tordot");
|
||||
if (!dot) return;
|
||||
if (t && t.tor_mode) {
|
||||
dot.style.display = "";
|
||||
dot.className = "r3 " + (t.running ? "on" : "off");
|
||||
dot.title = t.running
|
||||
? `Mode Tor actif — sortie anonymisée${t.exit_ip ? " (" + t.exit_ip + ")" : ""}`
|
||||
: "Mode Tor activé — démarrage du tunnel…";
|
||||
} else {
|
||||
dot.style.display = "none";
|
||||
}
|
||||
});
|
||||
|
||||
if (!cfg.token) {
|
||||
$("host").value = cfg.host;
|
||||
show("pair");
|
||||
return;
|
||||
}
|
||||
show("live");
|
||||
$("liveMsg").textContent = "Chargement…";
|
||||
try {
|
||||
const data = await api.graph(cfg.host, cfg.token, cfg.since);
|
||||
paint(data);
|
||||
$("liveMsg").textContent = "";
|
||||
loadProtection();
|
||||
} catch (e) {
|
||||
if (String(e.message) === "token-expired") {
|
||||
// token died — drop it and go back to pairing
|
||||
await api.setConfig({ token: "" });
|
||||
show("pair");
|
||||
$("host").value = cfg.host;
|
||||
$("pairMsg").textContent = "Session expirée — ré-appaire.";
|
||||
} else {
|
||||
$("liveMsg").textContent = "Erreur : " + e.message;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// ── events ──
|
||||
$("pairBtn").addEventListener("click", async () => {
|
||||
const host = $("host").value.trim() || api.DEFAULTS.host;
|
||||
$("pairMsg").textContent = "Appairage…";
|
||||
try {
|
||||
await api.setConfig({ host });
|
||||
const token = await api.pair(host);
|
||||
await api.setConfig({ token });
|
||||
api.ext.runtime.sendMessage({ type: "refresh" });
|
||||
await load();
|
||||
} catch (e) {
|
||||
$("pairMsg").textContent = e.message + " (es-tu sur le tunnel ?)";
|
||||
}
|
||||
});
|
||||
|
||||
$("openFull").addEventListener("click", async () => {
|
||||
const cfg = await api.getConfig();
|
||||
api.ext.tabs.create({ url: api.socialUrl(cfg.host, cfg.token) });
|
||||
});
|
||||
$("pdf").addEventListener("click", async () => {
|
||||
const cfg = await api.getConfig();
|
||||
api.ext.tabs.create({ url: api.reportUrl(cfg.host, cfg.token) });
|
||||
});
|
||||
$("wipe").addEventListener("click", async () => {
|
||||
if (!confirm("Effacer toutes tes données de cartographie sur la cabine ?")) return;
|
||||
const cfg = await api.getConfig();
|
||||
try {
|
||||
const r = await api.wipe(cfg.host, cfg.token);
|
||||
$("liveMsg").textContent = `Effacé : ${r.rows_deleted ?? 0} entrées.`;
|
||||
await api.setConfig({ token: "" });
|
||||
setTimeout(load, 800);
|
||||
} catch (e) {
|
||||
$("liveMsg").textContent = "Erreur effacement : " + e.message;
|
||||
}
|
||||
});
|
||||
$("settings").addEventListener("click", (e) => {
|
||||
e.preventDefault();
|
||||
api.ext.runtime.openOptionsPage();
|
||||
});
|
||||
|
||||
load();
|
||||
|
|
@ -55,13 +55,4 @@ server {
|
|||
proxy_pass http://unix:/run/secubox/system.sock:/;
|
||||
include /etc/nginx/snippets/secubox-proxy.conf;
|
||||
}
|
||||
|
||||
# #65: per-module routes self-register here. Every module package drops a
|
||||
# /etc/nginx/secubox-routes.d/<module>.conf (location-only snippet) at
|
||||
# install time, so a newly added module's /<module>/ + /api/v1/<module>/
|
||||
# routes are picked up automatically — no more hand-editing this file per
|
||||
# module. This is the ACTIVE include (matches the deployed webui.conf).
|
||||
# The crowdsec/waf/system blocks above stay hardcoded: those core packages
|
||||
# only ship the legacy secubox.d/ snippet, so they would NOT duplicate here.
|
||||
include /etc/nginx/secubox-routes.d/*.conf;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
"""Shared classifiers used by mitm-ingest enrich_hooks across modules.
|
||||
|
||||
- host_app : host/SNI → app + category + emoji
|
||||
- cookie : cookie name → provider + category + emoji
|
||||
- avatar : UA → device + browser + os + emoji
|
||||
- ja4 : TLS ClientHello fingerprint hash
|
||||
"""
|
||||
from . import host_app, cookie, avatar, ja4 # noqa: F401
|
||||
|
|
@ -1,116 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
|
||||
"""Avatar analysis : UA + Client Hints → device emoji + readable name."""
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
|
||||
# Devices identification patterns. Order = priority (first match wins).
|
||||
DEVICE_PATTERNS = [
|
||||
# ── iPhone ──
|
||||
(re.compile(r"iPhone\s?OS\s?(\d+_\d+)|iPhone.*OS\s?(\d+_\d+)", re.I),
|
||||
"iPhone", "📱", "iPhone iOS {}"),
|
||||
(re.compile(r"iPhone", re.I), "iPhone", "📱", "iPhone"),
|
||||
# ── iPad ──
|
||||
(re.compile(r"iPad", re.I), "iPad", "📱", "iPad"),
|
||||
# ── Mac ──
|
||||
(re.compile(r"Mac OS X (\d+[._]\d+)", re.I), "Mac", "💻", "macOS {}"),
|
||||
(re.compile(r"Macintosh", re.I), "Mac", "💻", "Mac"),
|
||||
# ── Android ──
|
||||
(re.compile(r"Pixel\s?(\d+)", re.I), "Pixel", "📱", "Pixel {}"),
|
||||
(re.compile(r"SM-[A-Z]\d+", re.I), "Samsung", "📱", "Samsung"),
|
||||
(re.compile(r"Android (\d+)", re.I), "Android", "📱", "Android {}"),
|
||||
(re.compile(r"Android", re.I), "Android", "📱", "Android"),
|
||||
# ── Windows ──
|
||||
(re.compile(r"Windows NT 11"), "Windows", "💻", "Windows 11"),
|
||||
(re.compile(r"Windows NT 10"), "Windows", "💻", "Windows 10"),
|
||||
(re.compile(r"Windows NT"), "Windows", "💻", "Windows"),
|
||||
# ── Linux ──
|
||||
(re.compile(r"Linux", re.I), "Linux", "🐧", "Linux"),
|
||||
# ── Game / IoT ──
|
||||
(re.compile(r"PlayStation", re.I), "PlayStation", "🎮", "PlayStation"),
|
||||
(re.compile(r"Xbox", re.I), "Xbox", "🎮", "Xbox"),
|
||||
(re.compile(r"Nintendo", re.I), "Nintendo", "🎮", "Nintendo"),
|
||||
(re.compile(r"AppleTV", re.I), "Apple TV", "📺", "Apple TV"),
|
||||
(re.compile(r"Roku", re.I), "Roku", "📺", "Roku"),
|
||||
# ── Bot / known clients ──
|
||||
(re.compile(r"curl/", re.I), "curl", "🛠", "curl"),
|
||||
(re.compile(r"wget/", re.I), "wget", "🛠", "wget"),
|
||||
]
|
||||
|
||||
BROWSER_PATTERNS = [
|
||||
(re.compile(r"Edg/(\d+)"), "Edge", "🪟", "Edge {}"),
|
||||
(re.compile(r"Chrome/(\d+)"), "Chrome", "🟢", "Chrome {}"),
|
||||
(re.compile(r"Firefox/(\d+)"), "Firefox","🦊", "Firefox {}"),
|
||||
(re.compile(r"Safari/(\d+)"), "Safari", "🧭", "Safari"),
|
||||
(re.compile(r"OPR/(\d+)|Opera/(\d+)"), "Opera", "🔴", "Opera"),
|
||||
(re.compile(r"DuckDuckGo/(\d+)"), "DuckDuckGo", "🦆", "DuckDuckGo {}"),
|
||||
]
|
||||
|
||||
|
||||
def classify_user_agent(ua: str) -> dict:
|
||||
"""Returns {device, device_emoji, os_label, browser, browser_emoji, browser_label, raw}."""
|
||||
if not ua:
|
||||
return {"device": "unknown", "device_emoji": "❔", "os_label": "?",
|
||||
"browser": "unknown", "browser_emoji": "❔", "browser_label": "?",
|
||||
"raw": ""}
|
||||
device_match = None
|
||||
device_label = "unknown"
|
||||
for pattern, label, emoji, template in DEVICE_PATTERNS:
|
||||
m = pattern.search(ua)
|
||||
if m:
|
||||
# Try to fill the template with first non-None group
|
||||
groups = [g for g in m.groups() if g]
|
||||
if groups and "{}" in template:
|
||||
device_label = template.format(groups[0].replace("_", "."))
|
||||
else:
|
||||
device_label = template
|
||||
device_match = {"device": label, "device_emoji": emoji,
|
||||
"os_label": device_label}
|
||||
break
|
||||
if not device_match:
|
||||
device_match = {"device": "unknown", "device_emoji": "❔",
|
||||
"os_label": ua[:50]}
|
||||
browser_match = None
|
||||
for pattern, label, emoji, template in BROWSER_PATTERNS:
|
||||
m = pattern.search(ua)
|
||||
if m:
|
||||
groups = [g for g in m.groups() if g]
|
||||
if groups and "{}" in template:
|
||||
bl = template.format(groups[0])
|
||||
else:
|
||||
bl = template
|
||||
browser_match = {"browser": label, "browser_emoji": emoji, "browser_label": bl}
|
||||
break
|
||||
if not browser_match:
|
||||
browser_match = {"browser": "unknown", "browser_emoji": "❔", "browser_label": "?"}
|
||||
|
||||
return {**device_match, **browser_match, "raw": ua[:200]}
|
||||
|
||||
|
||||
def analyze_user_agents(ua_set: set[str] | list[str]) -> dict:
|
||||
"""Aggregate a set of UAs : returns {devices, browsers, most_common, raw_count}."""
|
||||
if not ua_set:
|
||||
return {"devices": {}, "browsers": {}, "most_common": None, "raw_count": 0}
|
||||
devices: dict[str, dict] = {}
|
||||
browsers: dict[str, dict] = {}
|
||||
for ua in ua_set:
|
||||
cls = classify_user_agent(ua)
|
||||
d = cls["device"]
|
||||
if d not in devices:
|
||||
devices[d] = {"count": 0, "emoji": cls["device_emoji"], "os_label": cls["os_label"]}
|
||||
devices[d]["count"] += 1
|
||||
b = cls["browser"]
|
||||
if b not in browsers:
|
||||
browsers[b] = {"count": 0, "emoji": cls["browser_emoji"], "label": cls["browser_label"]}
|
||||
browsers[b]["count"] += 1
|
||||
# Most common device
|
||||
most_common = max(devices.items(), key=lambda x: x[1]["count"])[0] if devices else None
|
||||
return {
|
||||
"devices": devices,
|
||||
"browsers": browsers,
|
||||
"most_common": most_common,
|
||||
"most_common_emoji": devices[most_common]["emoji"] if most_common else "❔",
|
||||
"raw_count": len(ua_set),
|
||||
}
|
||||
|
|
@ -1,140 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
|
||||
"""Cookie analysis : identify trackers + providers + categorize.
|
||||
|
||||
Phase 2a+ heuristic: pattern matching sur les noms de cookies bien connus,
|
||||
mapping vers fournisseur + catégorie (analytics / advertising / social / etc.).
|
||||
|
||||
Database extensible — pour Phase 3 on chargera depuis cookiepedia ou EasyList.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
|
||||
# Pattern → (provider, category, emoji)
|
||||
COOKIE_PATTERNS = [
|
||||
# ── Analytics ──
|
||||
(re.compile(r"^_ga(_|$|t)"), "Google Analytics", "analytics", "📊"),
|
||||
(re.compile(r"^_gid$"), "Google Analytics", "analytics", "📊"),
|
||||
(re.compile(r"^_gat"), "Google Analytics", "analytics", "📊"),
|
||||
(re.compile(r"^_gcl_au$"), "Google Ads conversion", "advertising", "💰"),
|
||||
(re.compile(r"^_pk_(id|ses|cvar)"), "Matomo / Piwik", "analytics", "📊"),
|
||||
(re.compile(r"^plausible_"), "Plausible", "analytics", "📊"),
|
||||
(re.compile(r"^_mkto_trk$"), "Marketo", "analytics", "📊"),
|
||||
(re.compile(r"^__hssc$|^__hstc$"), "HubSpot", "analytics", "📊"),
|
||||
(re.compile(r"^mp_[a-z0-9]+_mixpanel"), "Mixpanel", "analytics", "📊"),
|
||||
(re.compile(r"^amplitude_"), "Amplitude", "analytics", "📊"),
|
||||
(re.compile(r"^optimizelyEndUserId$"), "Optimizely", "analytics", "📊"),
|
||||
(re.compile(r"^_hjSession"), "Hotjar", "analytics", "📊"),
|
||||
(re.compile(r"^_hjFirstSeen$"), "Hotjar", "analytics", "📊"),
|
||||
(re.compile(r"^crisp-client/session/"), "Crisp Chat", "analytics", "💬"),
|
||||
# ── Advertising / Tracking ──
|
||||
(re.compile(r"^_fbp$|^fr$"), "Facebook Pixel", "advertising","🎯"),
|
||||
(re.compile(r"^IDE$"), "Google DoubleClick", "advertising","🎯"),
|
||||
(re.compile(r"^NID$"), "Google", "advertising","🎯"),
|
||||
(re.compile(r"^DSID$"), "Google DoubleClick", "advertising","🎯"),
|
||||
(re.compile(r"^uid$|^bcookie$|^lidc$"), "LinkedIn Insight", "advertising","💼"),
|
||||
(re.compile(r"^MUID$|^_uetsid$|^_uetvid$"), "Microsoft Clarity / Bing Ads", "advertising", "🎯"),
|
||||
(re.compile(r"^_pin_unauth$|^_pinterest_ct_"), "Pinterest", "advertising","📌"),
|
||||
(re.compile(r"^tt_appInfo$|^tt_webid"), "TikTok", "advertising","🎵"),
|
||||
(re.compile(r"^_ttp$"), "TikTok Pixel", "advertising","🎵"),
|
||||
(re.compile(r"^ANID$"), "Google", "advertising","🎯"),
|
||||
(re.compile(r"^__qca$"), "Quantcast", "advertising","🎯"),
|
||||
(re.compile(r"^__gads$|^__gpi$"), "Google AdSense", "advertising","💰"),
|
||||
(re.compile(r"^test_cookie$"), "Google", "advertising","🎯"),
|
||||
# ── Social ──
|
||||
(re.compile(r"^c_user$|^xs$|^datr$"), "Facebook", "social", "👥"),
|
||||
(re.compile(r"^sb$|^locale$|^wd$"), "Facebook", "social", "👥"),
|
||||
(re.compile(r"^twid$|^ct0$|^auth_token$"), "Twitter / X", "social", "👥"),
|
||||
(re.compile(r"^li_at$"), "LinkedIn", "social", "👥"),
|
||||
(re.compile(r"^IG_"), "Instagram", "social", "👥"),
|
||||
# ── Auth / Session (legit, no tracker) ──
|
||||
(re.compile(r"^session(_id)?$|^sessionid$"), "Session generic", "session", "🔑"),
|
||||
(re.compile(r"^csrftoken$|^_csrf$"), "CSRF token", "session", "🔒"),
|
||||
(re.compile(r"^XSRF-TOKEN$"), "XSRF token", "session", "🔒"),
|
||||
(re.compile(r"^remember_token$"), "Remember-me", "session", "🔑"),
|
||||
(re.compile(r"^PHPSESSID$"), "PHP session", "session", "🔑"),
|
||||
(re.compile(r"^JSESSIONID$"), "Java session", "session", "🔑"),
|
||||
(re.compile(r"^connect\.sid$"), "Express.js session", "session", "🔑"),
|
||||
# ── CDN / infra ──
|
||||
(re.compile(r"^__cf_bm$|^cf_clearance$"), "Cloudflare", "infra", "☁"),
|
||||
(re.compile(r"^_dd_s$"), "Datadog RUM", "monitoring", "📈"),
|
||||
]
|
||||
|
||||
|
||||
def classify_cookie_name(name: str) -> dict:
|
||||
"""Returns {provider, category, emoji} for a single cookie name.
|
||||
Unknown → {provider: 'unknown', category: 'other', emoji: '❔'}."""
|
||||
for pattern, provider, category, emoji in COOKIE_PATTERNS:
|
||||
if pattern.search(name):
|
||||
return {"provider": provider, "category": category, "emoji": emoji}
|
||||
return {"provider": "unknown", "category": "other", "emoji": "❔"}
|
||||
|
||||
|
||||
def parse_cookie_header(header_value: str) -> list[str]:
|
||||
"""Parse 'Cookie:' or 'Set-Cookie:' value, return list of cookie NAMES."""
|
||||
if not header_value:
|
||||
return []
|
||||
names = []
|
||||
for part in header_value.split(";"):
|
||||
if "=" in part:
|
||||
n = part.split("=", 1)[0].strip()
|
||||
if n:
|
||||
names.append(n)
|
||||
return names
|
||||
|
||||
|
||||
def analyze_cookie_events(cookie_events: list[dict]) -> dict:
|
||||
"""Aggregate cookie events into stats + per-provider breakdown.
|
||||
|
||||
Input : list of {url, set_cookie_count, cookie_count, ...} from local_store
|
||||
(note : Phase 1.5 stored only counts, not names. Phase 2a+ local_store
|
||||
should store names. Until then, this function works on whatever's present.)
|
||||
|
||||
Returns :
|
||||
{
|
||||
providers: {provider: {count, category, emoji}, ...},
|
||||
categories: {category: count, ...},
|
||||
unknown_count: int,
|
||||
}
|
||||
"""
|
||||
providers: dict[str, dict] = {}
|
||||
categories: dict[str, int] = {}
|
||||
unknown_count = 0
|
||||
|
||||
for ev in cookie_events:
|
||||
# The cookie name might be in `set_cookie_names` or `cookie_names` if Phase 2a+
|
||||
# local_store. Backward-compat : skip if absent.
|
||||
for key in ("set_cookie_names", "cookie_names"):
|
||||
names = ev.get(key, [])
|
||||
if not isinstance(names, list):
|
||||
continue
|
||||
for n in names:
|
||||
cls = classify_cookie_name(n)
|
||||
p = cls["provider"]
|
||||
if p == "unknown":
|
||||
unknown_count += 1
|
||||
else:
|
||||
if p not in providers:
|
||||
providers[p] = {"count": 0, "category": cls["category"],
|
||||
"emoji": cls["emoji"]}
|
||||
providers[p]["count"] += 1
|
||||
cat = cls["category"]
|
||||
categories[cat] = categories.get(cat, 0) + 1
|
||||
|
||||
return {
|
||||
"providers": providers,
|
||||
"categories": categories,
|
||||
"unknown_count": unknown_count,
|
||||
}
|
||||
|
||||
|
||||
# Quick lookup for live use in /report endpoints
|
||||
def top_providers(cookie_events: list[dict], limit: int = 10) -> list[dict]:
|
||||
"""Returns top providers by hit count : [{provider, count, category, emoji}, ...]"""
|
||||
stats = analyze_cookie_events(cookie_events)
|
||||
return sorted(
|
||||
[{"provider": p, **v} for p, v in stats["providers"].items()],
|
||||
key=lambda x: -x["count"],
|
||||
)[:limit]
|
||||
|
|
@ -1,84 +0,0 @@
|
|||
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||
|
||||
"""JA4 / JA4-like TLS ClientHello fingerprint.
|
||||
|
||||
Reference: https://github.com/FoxIO-LLC/ja4 (BSD-3)
|
||||
|
||||
Phase 2c implementation : compute a deterministic, JA4-style fingerprint
|
||||
hash from cipher_suites + alpn_protocols + extensions. The output is
|
||||
12-char hex (truncated SHA256), suitable for matching against external
|
||||
JA4 databases (custom curation, not the full FoxIO format).
|
||||
|
||||
This is NOT the canonical FoxIO JA4 string. It's a deterministic
|
||||
fingerprint that's stable per-client-stack, so the same iPhone Safari
|
||||
will always yield the same hash. We can map known hashes to bots,
|
||||
trackers, malware C2 in Phase 3.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import hashlib
|
||||
|
||||
|
||||
def _sort_norm(items: list | None) -> str:
|
||||
"""Sort + join items as canonical comma-separated lowercase string."""
|
||||
if not items:
|
||||
return ""
|
||||
parts = []
|
||||
for x in items:
|
||||
if isinstance(x, bytes):
|
||||
parts.append(x.hex())
|
||||
else:
|
||||
parts.append(str(x).lower())
|
||||
return ",".join(sorted(parts))
|
||||
|
||||
|
||||
def compute_ja4_hash(
|
||||
*,
|
||||
sni: str | None = None,
|
||||
alpn_protocols: list | None = None,
|
||||
cipher_suites: list | None = None,
|
||||
extensions: list | None = None,
|
||||
transport: str = "t", # 't' for TCP, 'q' for QUIC
|
||||
tls_version: str = "13", # 13 for TLS 1.3, 12 for TLS 1.2
|
||||
) -> dict:
|
||||
"""Compute a JA4-style fingerprint dict.
|
||||
|
||||
Returns {
|
||||
fingerprint : 12-char hex hash,
|
||||
transport : t/q,
|
||||
tls_version : 13/12,
|
||||
alpn_count : int,
|
||||
cipher_count : int,
|
||||
ext_count : int,
|
||||
sni_present : bool,
|
||||
raw_repr : compact str repr for debug,
|
||||
}
|
||||
"""
|
||||
alpn_str = _sort_norm(alpn_protocols)
|
||||
cipher_str = _sort_norm(cipher_suites)
|
||||
ext_str = _sort_norm(extensions)
|
||||
raw = f"{transport}{tls_version}|alpn={alpn_str}|c={cipher_str}|x={ext_str}"
|
||||
h = hashlib.sha256(raw.encode("utf-8", errors="ignore")).hexdigest()[:12]
|
||||
return {
|
||||
"fingerprint": h,
|
||||
"transport": transport,
|
||||
"tls_version": tls_version,
|
||||
"alpn_count": len(alpn_protocols or []),
|
||||
"cipher_count": len(cipher_suites or []),
|
||||
"ext_count": len(extensions or []),
|
||||
"sni_present": bool(sni),
|
||||
"raw_repr": raw[:200],
|
||||
}
|
||||
|
||||
|
||||
# Phase 3-ready : map known JA4 hashes to client tags. Empty for now.
|
||||
KNOWN_JA4_FINGERPRINTS: dict[str, dict] = {
|
||||
# "abc123def456": {"label": "iPhone Safari 17.x", "category": "browser", "trust": "high"},
|
||||
# "deadbeef0000": {"label": "Tor Browser 14.x", "category": "browser-anon", "trust": "medium"},
|
||||
}
|
||||
|
||||
|
||||
def lookup_ja4(fingerprint: str) -> dict | None:
|
||||
"""Return known label for a fingerprint, or None if unknown."""
|
||||
return KNOWN_JA4_FINGERPRINTS.get(fingerprint)
|
||||
|
|
@ -1,107 +0,0 @@
|
|||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
# AI Handover — prompt Mistral.ai (reprise du code + analyse projet)
|
||||
|
||||
Prompt prêt à coller dans **Mistral Le Chat** (ou via l'API) pour qu'un agent
|
||||
reprenne le code SecuBox-Deb et analyse le projet.
|
||||
|
||||
**Usage :** Le Chat n'a pas accès au dépôt ni au board `gk2` par défaut. Pour une
|
||||
vraie reprise, lance l'agent dans un IDE/agent ayant accès au filesystem + SSH,
|
||||
ou colle-lui `CLAUDE.md` + `.claude/*` en contexte. Mets à jour la section
|
||||
« ÉTAT ACTUEL » depuis `.claude/HISTORY.md` avant chaque réutilisation.
|
||||
|
||||
---
|
||||
|
||||
```
|
||||
# RÔLE
|
||||
Tu es un ingénieur senior Debian / Python / sécurité réseau qui REPREND le projet
|
||||
SecuBox-Deb. Tu travailles méthodiquement : tu LIS avant d'écrire, tu vérifies
|
||||
avant d'affirmer, tu respectes à la lettre les conventions ci-dessous, et tu
|
||||
n'inventes pas de fichiers/commandes — tu les vérifies dans le dépôt. Langue : français.
|
||||
|
||||
# CONTEXTE PROJET
|
||||
SecuBox-Deb = plateforme cybersécurité CyberMind, portage Debian 12 (Bookworm)
|
||||
ARM64 depuis OpenWrt, cible ANSSI CSPN. Matériel : MOCHAbin / ESPRESSObin
|
||||
(Marvell Armada, aarch64). Dev : Gérald Kerma (Gandalf). Dépôt :
|
||||
github.com/CyberMind-FR/secubox-deb.
|
||||
Stack : Debian bookworm, kernel 6.x, nftables (PAS iptables), Unbound (Vortex DNS),
|
||||
HAProxy + mitmproxy (WAF), Suricata + CrowdSec, FastAPI/Uvicorn (sockets unix par
|
||||
module), LXC (pas Docker pour les apps), WireGuard, SQLite par défaut.
|
||||
Palette cyberpunk/hermétique : cosmos #0a0a0f, gold #c9a84c, cinnabar #e63946,
|
||||
matrix #00ff41, void #6e40c9, cyan #00d4ff. Polices Cinzel / IM Fell / JetBrains Mono.
|
||||
|
||||
# À LIRE EN PREMIER (sources de vérité)
|
||||
1. CLAUDE.md + .claude/CLAUDE.md — règles impératives.
|
||||
2. .claude/WIP.md — travail en cours + « Next Up ».
|
||||
3. .claude/HISTORY.md — historique daté (commence par l'entrée la plus récente).
|
||||
4. .claude/PATTERNS.md, .claude/MODULE-COMPLIANCE.md, .claude/MIGRATION-MAP.md.
|
||||
5. docs/TOOLS.md, scripts/README.md.
|
||||
|
||||
# RÈGLES IMPÉRATIVES (non négociables)
|
||||
- nftables DEFAULT DROP ; jamais iptables ni uci/LuCI.
|
||||
- JAMAIS de waf_bypass : tout le trafic passe par mitmproxy.
|
||||
- Secrets hors code : /etc/secubox/secrets/ chmod 600 ; jamais en clair / en TOML versionné.
|
||||
- En-tête SPDX LicenseRef-CMSD-1.0 sur chaque fichier (vérifié par scripts/license-headers.py --check).
|
||||
- SQLite par défaut (pas MySQL/Postgres sauf exception documentée).
|
||||
- AppArmor enforce + user dédié secubox-<module> par service.
|
||||
- Packaging Architecture:all pour le Python ; debian/compat=13, Standards-Version 4.6.2.
|
||||
override_dh_strip est MORT pour Architecture:all → installer via execute_after_dh_auto_install.
|
||||
- Pas de référence « Claude Code » / outil IA dans les commits/PR.
|
||||
|
||||
# WORKFLOW (multi-agent worktree)
|
||||
- Tout travail non trivial = worktree dédié : bash scripts/agent-worktree.sh start --issue <#>
|
||||
(branche feature/<#>-… ou fix/<#>-… selon le label ; master réservé au housekeeping).
|
||||
- Cycle : issue GitHub → worktree → commits « (ref #<#>) » → PR « Closes #<#> » →
|
||||
merge → agent-worktree.sh clean <#>. Ne jamais fermer une issue automatiquement.
|
||||
- Build .deb : cd packages/<pkg> && dpkg-buildpackage -us -uc -b -d (le -d ok pour arch:all).
|
||||
|
||||
# DÉPLOIEMENT LIVE (board « gk2 »)
|
||||
- SSH : root@192.168.1.200 (LAN) ou root@10.98.0.1 (tunnel wg-admin) ; clé en place.
|
||||
- Portail toolbox = secubox-toolbox.service (host, uvicorn secubox_toolbox.app:app
|
||||
sur 0.0.0.0:8088). HAProxy : kbin.gk2.secubox.in → backend toolbox_landing → 10.99.0.1:8088.
|
||||
- R3 = 4 workers host-native secubox-toolbox-mitm-wg-worker@{1..4}.service
|
||||
(mitmdump 10.99.1.1:8081-8084) chargeant les addons depuis
|
||||
/usr/lib/secubox/toolbox/mitmproxy_addons/ (liste dans sbin/secubox-toolbox-mitm-wg-launch).
|
||||
- Recette deploy : build → scp .deb → dpkg -i --force-confold --force-confdef →
|
||||
TOUJOURS vérifier portail actif ET curl -sk https://kbin.gk2.secubox.in/ == 200
|
||||
(un upgrade SIGTERM le portail ; le postinst le relance depuis 2.6.29, mais vérifie).
|
||||
Changement d'addon → redémarrer les 4 workers SÉQUENTIELLEMENT (RAM limitée).
|
||||
Ne PAS faire de restart de masse secubox-* (~100+ daemons).
|
||||
|
||||
# ARCHITECTURE TOOLBOX (module le plus actif)
|
||||
packages/secubox-toolbox/ : FastAPI (secubox_toolbox/api.py, app.py), addons
|
||||
mitmproxy (mitmproxy_addons/), filtres modulaires (secubox_toolbox/filters.py →
|
||||
/etc/secubox/toolbox/filters.json, togglés via /admin/filters/ui). Store social :
|
||||
SQLite /var/lib/secubox/toolbox/toolbox.db (social_edges/nodes/links/host_meta/
|
||||
antibot/opgrade + threat_intel). Cartographie : www/toolbox/social.js (vues donut /
|
||||
domaines-nuggets / œil), index.html (WebUI 5 onglets). Addons : inject_banner,
|
||||
protective_mode, ad_ghost, media_cache, media_stats, social_graph, dpi, cookies,
|
||||
avatar, ja4, utiq_defense, cert_pin_detect. Niveaux clients : R0/R1 (sans
|
||||
bannière), R2 (captif), R3 (tunnel WG 10.99.1.0/24), R4 (prévu).
|
||||
|
||||
# ÉTAT ACTUEL (2026-06-14 — RAFRAÎCHIR depuis HISTORY avant réutilisation)
|
||||
secubox-toolbox 2.6.36 déployé live, kbin sain. Live : protective spoofer,
|
||||
filtres modulaires + ad-ghoster (collapse), media cache (opt-in), autolearn
|
||||
trackers, DPI media donut, cartographie donut + nuggets domaine (IPs cachées) +
|
||||
favicons, bannière guirlande + pin partagé, panneau protection webext,
|
||||
/ca/fingerprint R3, fix postinst (kbin 503), detect_antibot deployment-vs-challenge.
|
||||
Clients : APK Android v0.3.0 (zero-tap), webext v0.1.4. Fix : sync photos
|
||||
iPhone↔Nextcloud (files_antivirus off + limites PHP).
|
||||
|
||||
# TRAVAIL OUVERT
|
||||
#592 secubox-webmail-hub : inbox unifié Gmail (OAuth2) + Gandi + OVH ssl0, toutes
|
||||
les sous-boîtes/alias en une page. Design filé, BLOQUÉ : besoin d'un client OAuth
|
||||
Google (client_id/secret/redirect) + nom de vhost + décision read-only. Phase 1
|
||||
IMAP (Gandi/OVH) peut démarrer sans OAuth.
|
||||
|
||||
# TES PREMIÈRES TÂCHES
|
||||
1. ANALYSE (sans rien modifier) : lis .claude/* + CLAUDE.md, puis produis une
|
||||
synthèse structurée — architecture, état des modules (✅/🔄/⬜ via
|
||||
MIGRATION-MAP.md), dette technique, risques sécurité, écarts CSPN, backlog
|
||||
priorisé. Cite chemin:ligne.
|
||||
2. Propose un plan pour l'item « Next Up » (ou #592), conforme au workflow worktree
|
||||
+ aux règles, AVANT d'écrire du code.
|
||||
3. Toute action sur le board live : décris-la et demande confirmation si difficile
|
||||
à annuler ou exposée.
|
||||
|
||||
Commence par : « J'ai lu CLAUDE.md, .claude/WIP.md et HISTORY.md. Voici ma synthèse… »
|
||||
```
|
||||
|
|
@ -1,93 +0,0 @@
|
|||
# FAQ — kbin & le mode Tor anonymisé
|
||||
|
||||
> kbin (`kbin.gk2.secubox.in`) = le portail public de la **ToolBoX** SecuBox, premier
|
||||
> outil du couteau suisse cyber CyberMind. Cette FAQ couvre le surf protégé et le futur
|
||||
> **mode Tor quick-switch** ([#683](https://github.com/CyberMind-FR/secubox-deb/issues/683)).
|
||||
|
||||
---
|
||||
|
||||
### Qu'est-ce que kbin exactement ?
|
||||
|
||||
Le portail public de `secubox-toolbox`. On rejoint l'AP libre de la cabine, on consent,
|
||||
et tout le trafic traverse le pipeline de forge MITM SecuBox : inspection chiffrée,
|
||||
nettoyage pub/tracker, bandeau de transparence, safe browsing. Voir
|
||||
[Kbin-Toolbox](wiki/Kbin-Toolbox.md).
|
||||
|
||||
### kbin voit-il tout mon trafic ? C'est pas dangereux ?
|
||||
|
||||
C'est **consenti et éphémère**. La MAC est hashée avec un sel rotatif 24 h, aucune valeur
|
||||
de cookie brute n'est persistée, aucun mapping session ↔ identité réelle ne survit au TTL.
|
||||
Trois niveaux d'opt-in : R0 (bypass complet), R1 (analyse passive, recommandé), R2/R3
|
||||
(TLS-break + bandeau). Sans consentement, **pas** de déchiffrement.
|
||||
|
||||
### « Performance transparente », ça veut dire quoi ?
|
||||
|
||||
On ne déchiffre que ce qu'on modifie. Les flux pur-asset (vidéo, images CDN) sont
|
||||
*splicés* dès le ClientHello TLS (`tls_splice`, #649) — les workers ne forgent/déchiffrent
|
||||
pas ce qui n'a aucune valeur L7. Débit ligne, latence quasi nulle.
|
||||
|
||||
### C'est quoi « l'injection de poison et de smog » ?
|
||||
|
||||
Le trafic ad-tech et tracker n'est pas seulement bloqué : il est **empoisonné**. Anti-Track
|
||||
v2 (#633) renvoie des pseudo-réponses, neutralise les scripts CDN préchargés, et au niveau
|
||||
réseau fait de l'IP-drop + DNS-refuse. Le profil publicitaire ressort pollué, pas vide —
|
||||
indistinguable d'un vrai blocage côté tracker.
|
||||
|
||||
### Le bandeau anti-adware, il bloque quoi ?
|
||||
|
||||
Une bannière de transparence injectée dans la page : nombre de trackers vus/bloqués,
|
||||
acteurs reconnus cross-site. Elle est immune au CSP et SPA-aware (#636/#639, webext #655).
|
||||
C'est l'affichage ; le blocage réel vient des blocklists Vortex DNS + blacklist nft.
|
||||
|
||||
---
|
||||
|
||||
## Mode Tor (plan #683)
|
||||
|
||||
### Le mode Tor, ça fait quoi ?
|
||||
|
||||
Un interrupteur 🧅 sur kbin : un tap → ton surf ressort **par le réseau Tor** au lieu du
|
||||
WAN de la box. IP de sortie anonyme, identité réseau masquée — du « pseudo-network
|
||||
surfing ».
|
||||
|
||||
### Est-ce que kbin arrête de m'inspecter/protéger en mode Tor ?
|
||||
|
||||
Non. Tor se place **après** le cœur de forge MITM, sur le transport upstream (dialer
|
||||
SOCKS5). Tu gardes le poison/smog, le bandeau et le safe browsing ; **seules l'IP de sortie
|
||||
et l'identité réseau changent**.
|
||||
|
||||
### Et si Tor tombe, ça repasse en clair ?
|
||||
|
||||
**Jamais.** Le design est **fail-closed** : si Tor n'est pas disponible, le trafic est
|
||||
coupé, pas renvoyé en clearnet. L'anonymat est un invariant, pas un best-effort.
|
||||
|
||||
### Y a-t-il des fuites DNS ?
|
||||
|
||||
Non. Quand le mode Tor est actif, la résolution passe **par Tor**, pas par l'Unbound local.
|
||||
|
||||
### C'est la même chose que `secubox-exposure` ?
|
||||
|
||||
Non, direction opposée. `secubox-exposure` publie des **services cachés** Tor (entrant —
|
||||
exposer un service interne). kbin Tor endpoint fait sortir ton **surf** par Tor (sortant).
|
||||
Le contrôle Tor (bootstrap, NEWNYM/nouvelle identité) est réutilisé entre les deux.
|
||||
|
||||
### Comment je change d'IP de sortie ?
|
||||
|
||||
Bouton « nouvelle identité » (NEWNYM) → nouveau circuit Tor → nouvelle IP de sortie, à la
|
||||
volée, sans reconnecter.
|
||||
|
||||
### C'est activé par défaut ?
|
||||
|
||||
Non. **Opt-in par client** (scopé WG-hash), **défaut OFF**, respecte ton niveau de
|
||||
consentement R. Chaque bascule on/off est journalisée (audit-log CSPN immuable).
|
||||
|
||||
---
|
||||
|
||||
## Voir aussi
|
||||
|
||||
- [Kbin-Toolbox](wiki/Kbin-Toolbox.md) — la page use-case complète
|
||||
- [Spec mode Tor](superpowers/specs/2026-06-19-kbin-tor-anonymized-surfing-design.md)
|
||||
- [Anti-Track](wiki/Anti-Track.md) — bloque/empoisonne/anonymise (couche DNS/IP)
|
||||
|
||||
---
|
||||
|
||||
*CyberMind — Gérald Kerma · LicenseRef-CMSD-1.0*
|
||||
|
|
@ -1,116 +0,0 @@
|
|||
# SecuBox P2P — Poster GPT & Roadmap (Gondwana Mesh)
|
||||
|
||||
> Livrable de synthèse pour les évolutions **secubox-p2p DHT / Federation / Master-link**
|
||||
> (#774 · PR #775 · branche `feature/p2p-dht-federation`).
|
||||
> Deux parties : **(1)** un prompt prêt-à-coller pour un générateur d'image GPT (poster),
|
||||
> **(2)** une **vue roadmap** textuelle des phases livrées et à venir.
|
||||
|
||||
---
|
||||
|
||||
## 1 · Prompt poster — à coller dans GPT (image)
|
||||
|
||||
> Copier le bloc ci-dessous tel quel. Format cible : affiche verticale A2 (portrait),
|
||||
> haute densité, lisible imprimée.
|
||||
|
||||
```
|
||||
Create a high-detail vertical A2 technical poster, cyberpunk-hermetic aesthetic,
|
||||
titled "SECUBOX · GONDWANA MESH" in an engraved Cinzel serif at the top, subtitle
|
||||
"Peer-to-Peer Trust Substrate — DHT · Federation · Master-Link" in JetBrains Mono.
|
||||
|
||||
PALETTE (strict): background cosmos-black #0a0a0f with subtle carbon texture; primary
|
||||
accent hermetic-gold #c9a84c; secondary cyber-cyan #00d4ff; signal matrix-green #00ff41;
|
||||
depth void-purple #6e40c9; alert cinnabar #e63946; body text warm off-white #e8e6d9,
|
||||
muted labels #6b6b7a. Everything glows softly against the dark, like an alchemical
|
||||
circuit board crossed with a star chart.
|
||||
|
||||
CENTRAL MOTIF — a triangular 3-node WireGuard mesh forming a Hamiltonian cycle (sacred
|
||||
geometry nod to GK-HAM). Three glowing nodes joined by luminous encrypted tunnels:
|
||||
• TOP node "gk2 · 10.10.0.1" wears a small hermetic-GOLD crown labelled "MASTER —
|
||||
term 1 · prio 10". Brightest, gold halo.
|
||||
• BOTTOM-LEFT node "c3box · 10.10.0.2" and BOTTOM-RIGHT node "amd64 · 10.10.0.3",
|
||||
both cyber-cyan, labelled "SATELLITE — following master". Thin heartbeat lines
|
||||
(matrix-green pulses) travel from satellites up to the crown.
|
||||
• The three tunnels are labelled "wg-mesh · 51822 · WireGuard".
|
||||
|
||||
AROUND THE MESH, three annotated technical rings (like an astrolabe), each a subsystem:
|
||||
1. DHT ring — a Kademlia constellation: small orbiting record cards reading
|
||||
"reachability record {did, id_pubkey, wg_pubkey, endpoint, ts, sig}", a wax-seal
|
||||
icon marked "Ed25519 signed", a bucket ladder, and the label "UDP :51823 ·
|
||||
iterative α-parallel lookup · peers discovered = 2 per node".
|
||||
2. FEDERATION ring — a health pulse/EKG line with green "UP" and cinnabar "DOWN"
|
||||
beacons, a debounce spring icon, label "health-checks · aiohttp+TCP probe ·
|
||||
published via DHT".
|
||||
3. MASTER-LINK ring — a crown-and-scepter election glyph over a term counter dial,
|
||||
label "UDP :51824 · deterministic election · term-based failover · signed
|
||||
heartbeats · no split-brain".
|
||||
|
||||
BOTTOM THIRD — a horizontal ROADMAP TIMELINE band on a faint void-purple rail, left to
|
||||
right, four milestones as illuminated waypoints:
|
||||
● "SHIPPED — DHT + Federation + Master-Link · LIVE on 3-node mesh" (gold, checkmark)
|
||||
● "NEXT — Mesh bans → sbxwaf engine bridge" (cyan)
|
||||
● "NEXT — macroctl on satellites (privilege path)" (cyan)
|
||||
● "HORIZON — Mesh phases 2–4 · NIZK GK-HAM binding · new macro kinds" (void-purple, dashed)
|
||||
|
||||
FOOTER strip in JetBrains Mono: "17 tasks · 132 tests · subagent-driven TDD · #774 /
|
||||
PR #775 — CyberMind · secubox.in". A small "OPAD — off by default, opt-in" seal in a
|
||||
corner.
|
||||
|
||||
STYLE: crisp vector-meets-engraving, thin glowing lines, alchemical marginalia and
|
||||
circuit traces, faint constellation grid in the background, no photographic elements,
|
||||
no people. Balanced, symmetrical, poster-grade typography. Ultra sharp, print-ready.
|
||||
```
|
||||
|
||||
**Variante courte** (si le générateur tronque) : garder le titre, la palette, le motif
|
||||
central 3-nœuds avec la couronne sur gk2, et la bande roadmap 4 jalons ; retirer le détail
|
||||
des trois anneaux.
|
||||
|
||||
---
|
||||
|
||||
## 2 · Vue Roadmap — P2P Gondwana
|
||||
|
||||
Légende : ✅ livré & live · 🔜 prochain · 🌀 horizon (conçu, non construit)
|
||||
|
||||
### ✅ SHIPPED — Substrat DHT / Federation / Master-Link (#774 · PR #775)
|
||||
|
||||
| Sous-système | Transport | État live |
|
||||
|---|---|---|
|
||||
| **Kademlia DHT** | UDP `:51823`, JSON, records `{did,id_pubkey,wg_pubkey,endpoint,ts,sig}` Ed25519 | ✅ 3 nœuds, chacun découvre les 2 autres (peers=2) |
|
||||
| **Federation health-checks** | aiohttp GET `/health` + fallback TCP, debounce up/down, publié via DHT | ✅ sweep actif sur les 3 nœuds |
|
||||
| **Master-link hiérarchique** | UDP `:51824`, élection déterministe + failover par *term* + heartbeats signés | ✅ gk2 master (term 1, prio 10), pas de split-brain |
|
||||
| **Activation** | `/etc/secubox/p2p.toml` `[dht]/[federation]/[masterlink]`, OPAD off-by-default | ✅ enabled=true sur gk2/c3box/amd64 |
|
||||
| **nginx endpoint gk2** | route `/api/v1/p2p/` → `p2p.sock` (standalone qui porte les daemons) | ✅ `/dht/peers` reflète le vrai état |
|
||||
| **nft reboot-persist** | allow `wg-mesh` udp `{51823,51824}` dans `/etc/nftables.conf` | ✅ c3box + amd64 (gk2 = 10/8 large) |
|
||||
| **Mesh viz UI** | onglet Mesh du dashboard p2p (canvas, rôle/term/DHT peers) | ✅ déployé 3 box |
|
||||
| **Auth login-bounce fix** | correctif du rebond de login | ✅ déployé 3 box |
|
||||
| **Qualité** | 17 tâches, 132 tests, SDD subagent-driven + revue adversariale | ✅ |
|
||||
|
||||
### 🔜 NEXT — court terme
|
||||
|
||||
- **🔜 Pont bans mesh → moteur sbxwaf** — aujourd'hui les bans fédérés (threatmesh #768)
|
||||
s'appliquent **au niveau nft** (`inet secubox_meshban`) uniquement. Les faire alimenter
|
||||
le moteur **sbxwaf** (bouncer CrowdSec) : `cscli decisions add --ip X -R "secubox-mesh"
|
||||
-d 4h` → LAPI → événement WAF. Anti-boucle : filtre par *reason* (`secubox-mesh`) dans
|
||||
`secubox-threatmesh-bridge` pour ne pas re-fédérer une décision déjà reçue.
|
||||
- **🔜 macroctl sur satellites** — l'unité `secubox-p2p` standalone tourne avec
|
||||
`NoNewPrivileges=yes` ⇒ `sudo macroctl activate` refusé (« NNP flag is set »). Sur gk2 ça
|
||||
marche car p2p tourne dans l'aggregator (NNP=no). Fixer proprement le chemin privilégié
|
||||
côté satellites sans affaiblir le durcissement (drop-in ciblé / helper setuid vetté).
|
||||
- **🔜 Fenêtre transitoire du socket p2p** — pendant un restart de `secubox-p2p`, le webui
|
||||
satellite renvoie 502/504 le temps que `p2p.sock` soit recréé. Lisser (socket-wait /
|
||||
`RuntimeDirectoryPreserve`) pour éviter les erreurs `apiGet` visibles à l'écran.
|
||||
|
||||
### 🌀 HORIZON — conçu, non construit
|
||||
|
||||
- **🌀 Mesh phases 2–4** (voir `project_mesh_gk2_c3box`) — au-delà du full-mesh WireGuard
|
||||
Phase 1 : orchestration, résilience multi-master régionale, exposition contrôlée.
|
||||
- **🌀 Liaison NIZK / PSI GK·HAM** — remplacer les stubs `ZKP-HAM-v1` par le vrai
|
||||
`zkp-hamiltonian` (cffi) dans les verbes annuaire/p2p.
|
||||
- **🌀 Nouveaux kinds macro** — `wg-relay`, `dns-resolver`, `http-mirror` (chaque kind =
|
||||
plugin `macros.d/<kind>` vetté + profil AppArmor, même framework que `tor-exit`).
|
||||
- **🌀 Macros en mode `pending`** — fédération cross-nœud des Subscription/APPROVE.
|
||||
- **🌀 Mesh sens master→satellite** — pull satellite→master OK ; master→satellite bloqué
|
||||
(nft c3box) ; + Freebox forward UDP 51822 pour le remote.
|
||||
|
||||
---
|
||||
|
||||
*CyberMind · Gérald Kerma · https://secubox.in — #774 / PR #775*
|
||||
|
|
@ -1,147 +0,0 @@
|
|||
<!-- SPDX-License-Identifier: LicenseRef-CMSD-1.0 -->
|
||||
# SecuBox-Deb — CSPN Test Matrix (draft)
|
||||
|
||||
Maps the ANSSI **CSPN** evaluation themes + the project's stated security
|
||||
functions (CLAUDE.md §"Contraintes ANSSI CSPN") to **concrete, mostly
|
||||
automatable tests**. Target home for the automated rows: `tests/cspn/`
|
||||
(pytest, gated in CI). Each row is an *acceptance check* with a command/
|
||||
assertion and the evidence artifact an evaluator would expect.
|
||||
|
||||
**Legend** — Type: `A`=automated (pytest/CI), `M`=manual/pentest, `D`=doc/spec.
|
||||
Status: ⬜ todo · 🔄 partial · ✅ covered.
|
||||
|
||||
> Scope note: the **cible de sécurité** (security target) must be written
|
||||
> first (TOE boundary, assumptions, threats, security functions). This
|
||||
> matrix is the *robustness + conformity* test plan that hangs off it.
|
||||
|
||||
---
|
||||
|
||||
## 0. Security target & conformity (D)
|
||||
| ID | Requirement | Type | Method / artifact | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| ST-01 | Cible de sécurité rédigée (TOE, hypothèses, menaces, FS) | D | `docs/cspn/cible-securite.md` reviewed | doc complete + signed | ⬜ |
|
||||
| ST-02 | TOE boundary & versions pinned | D | version manifest (pkg list + hashes) per release | matches APT repo | ⬜ |
|
||||
| ST-03 | Conformity: spec ↔ impl traceability | D | each FS → code path + test ID | 100% FS mapped | ⬜ |
|
||||
|
||||
## 1. Cryptography — TLS / keys / RNG
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| CRY-01 | TLS 1.3 min; TLS ≤1.1 refused (HAProxy frontends) | A | `openssl s_client -tls1_1 -connect <vhost>:443` → handshake fail; `-tls1_3` → ok | 1.0/1.1/1.2-weak refused | ⬜ |
|
||||
| CRY-02 | Strong cipher suites only (no RC4/3DES/CBC-legacy) | A | `nmap --script ssl-enum-ciphers` / testssl.sh grade ≥ A | A grade, no weak | ⬜ |
|
||||
| CRY-03 | HSTS + secure headers on exposed vhosts | A | `curl -sI` → `Strict-Transport-Security`, `X-Content-Type-Options` | present | ⬜ |
|
||||
| CRY-04 | Private keys 0600, owner-restricted, not world-readable | A | `stat -c %a` on `/etc/secubox/**/key.pem`, ACME keys | 600, non-root svc owner | 🔄 |
|
||||
| CRY-05 | CA / mitm keys never in VCS or logs | A | `git grep -nE 'BEGIN (RSA |EC )?PRIVATE KEY'` == empty; journald scrub | no hits | ⬜ |
|
||||
| CRY-06 | RNG source = kernel CSPRNG for tokens/keys | A | code audit: `secrets`/`os.urandom`, no `random` for security | no `random.` in sec paths | 🔄 |
|
||||
| CRY-07 | mitm R3 CA fingerprint published & verifiable | A | `/ca/fingerprint?ca=wg` == cert on disk (sha256) | match (D5:E4:3A…) | ✅ |
|
||||
|
||||
## 2. Authentication & session
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| AUT-01 | All API endpoints require JWT (`Depends(require_jwt)`) | A | enumerate FastAPI routes; assert auth dep except allowlist | 100% gated | 🔄 |
|
||||
| AUT-02 | Unauthenticated request → 401, no data leak | A | `curl` each `/api/v1/*` sans token | 401, empty body | ⬜ |
|
||||
| AUT-03 | JWT signature verified; tampered/expired rejected | A | forge/expire token → 401 | rejected | ⬜ |
|
||||
| AUT-04 | Social/report tokens = HMAC, TTL-bound, salt-rotated | A | expired/forged `/social/{token}` → 403; salt rotates daily | rejected + rotation | 🔄 |
|
||||
| AUT-05 | No default/hardcoded credentials | A | grep configs + first-boot generates per-device secrets | none | 🔄 |
|
||||
| AUT-06 | Brute-force handled at the WAF layer (per project doctrine) | M | rate-limit probe via HAProxy/CrowdSec | throttled/banned | 🔄 |
|
||||
| AUT-07 | ZKP auth (GK-HAM-2025) NIZK soundness, G rotation 24h PFS | M+A | protocol test vectors + rotation timer check | proofs verify, rotates | ⬜ |
|
||||
|
||||
## 3. Access control / privilege separation
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| ACL-01 | Each daemon runs as `secubox-<module>` (not root) | A | `systemctl show -p User` over all `secubox-*` units | non-root each | 🔄 |
|
||||
| ACL-02 | AppArmor profile present + **enforce** per service | A | `aa-status` lists each profile in enforce | all enforce | ⬜ |
|
||||
| ACL-03 | systemd hardening (ProtectSystem, NoNewPrivileges, etc.) | A | `systemd-analyze security secubox-*` score | exposure ≤ medium | ⬜ |
|
||||
| ACL-04 | Filesystem perms: `/etc/secubox/secrets` 0600, parents traversable but not writable | A | `stat` perms + traversal test as svc user | 0600 secrets, 0755 parents | 🔄 |
|
||||
| ACL-05 | No unintended setuid/world-writable shipped | A | `find / -perm -4000 / -perm -0002` in image | known allowlist only | ⬜ |
|
||||
|
||||
## 4. Network filtering / attack surface
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| NET-01 | nftables policy DEFAULT DROP (input/forward) | A | `nft list chain inet filter input` → `policy drop` | drop | ✅ (verify) |
|
||||
| NET-02 | Only declared ports open; no stray listeners | A | `ss -tlnp` ∩ documented port map | exact match | 🔄 |
|
||||
| NET-03 | WAN-side SSH closed (key-only + source-restricted) | A | sshd `PasswordAuthentication no`; nft SSH-guard drops non-LAN/tunnel | enforced | ✅ |
|
||||
| NET-04 | No IPv6 leak past the v4 firewall guards | A | nft inet covers v6; `ss` v6 listeners reviewed | covered | ⬜ |
|
||||
| NET-05 | nft rules persist across reboot + survive pkg upgrade | A | reboot/upgrade → drop-ins reload; ruleset intact | persists | 🔄 |
|
||||
| NET-06 | DNS = Unbound only; DoH/DoT exfil detected/blocked (opt-in) | A | resolve via Unbound; DoH probe flagged | controlled | 🔄 |
|
||||
|
||||
## 5. WAF / traffic inspection integrity (no bypass)
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| WAF-01 | No `waf_bypass` anywhere; all vhosts → mitm inspector | A | grep HAProxy cfg; each backend = mitmproxy_inspector (or documented exception) | no bypass | 🔄 |
|
||||
| WAF-02 | mitm CA only trusted on consenting (R2/R3) clients | A | non-consenting client not MITM'd | scoped | ✅ |
|
||||
| WAF-03 | Banner/transparency shown to inspected clients (CSPN R2 req) | A | inspected HTML carries the banner guard | present | ✅ |
|
||||
| WAF-04 | Active interference (spoof/ghost) is opt-in + logged + reversible | A | filters default-safe; every action → audit.log; toggle off restores | conforms | ✅ |
|
||||
| WAF-05 | mitm fail-open never serves attacker-controlled content | M | malformed upstream / addon exception → flow unbroken, no inject error | safe | 🔄 |
|
||||
|
||||
## 6. Logging & audit (immutability)
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| LOG-01 | Security decisions (ban/unban/spoof/escalate/rule-change) logged to `/var/log/secubox/audit.log` | A | trigger each → grep audit line | logged | 🔄 |
|
||||
| LOG-02 | Timestamps RFC 3339 / ISO-8601 with TZ | A | regex each audit line | conforms | 🔄 |
|
||||
| LOG-03 | Append-only / rotation without truncate (immutability) | A | `chattr +a` or rotate-copy-truncate disabled; tamper test | no in-place edit | ⬜ |
|
||||
| LOG-04 | Logs free of secrets/PII (mac→hash, no tokens) | A | grep audit/journal for token/cookie/key patterns | none | 🔄 |
|
||||
| LOG-05 | Audit survives service crash + reboot | A | crash mid-write → log consistent | intact | ⬜ |
|
||||
|
||||
## 7. Configuration management & rollback (4R / double-buffer)
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| CFG-01 | Sensitive config change = shadow→validate→atomic swap | A | `secubox-params swap` flow; partial write never live | atomic | ⬜ |
|
||||
| CFG-02 | 4R rollback restores prior state (R1..R4 snapshots) | A | mutate → `rollback --target R1` → state == pre | restored | ⬜ |
|
||||
| CFG-03 | Validation rejects bad config before swap (4R: Read→Write→Validate→Rollback/Commit) | A | inject invalid → swap refused, live unchanged | refused | ⬜ |
|
||||
| CFG-04 | Config swap audit-logged + (ZKP-gated where required) | A | swap → audit line | logged | ⬜ |
|
||||
|
||||
## 8. Update mechanism
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| UPD-01 | APT repo GPG-signed; unsigned/altered pkg refused | A | tamper a .deb → `apt` refuses | refused | 🔄 |
|
||||
| UPD-02 | Upgrade preserves runtime state + restarts services (no outage) | A | upgrade → portal up, kbin 200, nft intact (regression of #581) | no downtime | ✅ |
|
||||
| UPD-03 | Downgrade / rollback path defined | D+A | pinned prior version installs cleanly | works | ⬜ |
|
||||
| UPD-04 | Reproducible build / provenance | A | CI build hashes recorded per release | recorded | 🔄 |
|
||||
|
||||
## 9. Data protection at rest
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| DAT-01 | Secrets only under `/etc/secubox/secrets` 0600, svc-owned | A | inventory + `stat` | conforms | 🔄 |
|
||||
| DAT-02 | No secrets in code / TOML / git history | A | `git log -p` + `git grep` secret patterns | none | 🔄 |
|
||||
| DAT-03 | SQLite stores hashed identifiers (mac_hash, cookie_id_hash), not raw PII | A | schema + sample-row audit | hashed | 🔄 |
|
||||
| DAT-04 | Data retention enforced (social 7d, logs rotation) | A | retention timers prune | enforced | 🔄 |
|
||||
|
||||
## 10. Resilience / fail-safe
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| RES-01 | Service crash → auto-recovery (watchdog), portal probe | A | kill portal → restored + kbin 200 | recovers | ⬜ |
|
||||
| RES-02 | RAM-pressure: no OOM cascade under load (Armada budget) | M+A | load test; per-service MemoryMax; no thundering-herd | stable | 🔄 |
|
||||
| RES-03 | Fail-secure: filter/addon error must not open the WAF or break pages | A | inject addon exception → default-drop / fail-open page-safe | secure | 🔄 |
|
||||
|
||||
## 11. Hardening / vulnerability management
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| HRD-01 | No known-vuln Python deps | A | `pip-audit` / safety in CI | 0 high/critical | ⬜ |
|
||||
| HRD-02 | No known-vuln OS packages in the image | A | `debsecan`/trivy on the image | 0 high/critical | ⬜ |
|
||||
| HRD-03 | Attack-surface minimal: unused services disabled | A | enabled-units ∩ required set | minimal | 🔄 |
|
||||
| HRD-04 | SAST clean on the codebase | A | `bandit` (py) in CI | no high | ⬜ |
|
||||
| HRD-05 | Pentest of the exposed surface (kbin, HAProxy, R3) | M | grey-box assessment report | no critical | ⬜ |
|
||||
|
||||
## 12. Conformity glue (CI)
|
||||
| ID | Requirement | Type | Method / assertion | Pass | St |
|
||||
|----|-------------|------|-------------------|------|----|
|
||||
| CI-01 | `tests/cspn/` runs in CI, gates merge | A | workflow job red on fail | gating | ⬜ |
|
||||
| CI-02 | Coverage ≥80% on security-critical modules | A | coverage report | ≥80% | ⬜ |
|
||||
| CI-03 | `compliance-lint` (AppArmor/user/secrets/no-bypass/SPDX) per PR | A | linter job | clean | 🔄 (SPDX only) |
|
||||
|
||||
---
|
||||
|
||||
## How to operationalise
|
||||
1. Write the **cible de sécurité** (ST-01) — everything else traces to it.
|
||||
2. Scaffold `tests/cspn/` (pytest), one module per theme above
|
||||
(`test_crypto.py`, `test_authz.py`, `test_firewall.py`, `test_audit.py`,
|
||||
`test_rollback.py`, …). Each `XXX-NN` ID = one test function id.
|
||||
3. Add a CI job (CI-01) running it against a built image / a staging board.
|
||||
4. Add `compliance-lint` (CI-03) for the static rows (perms, AppArmor,
|
||||
no-bypass, SPDX, no-secrets).
|
||||
5. Burn down ⬜→✅; the ✅ rows above are already verifiable today.
|
||||
|
||||
Priority order (highest CSPN risk first): **§6 audit immutability**, **§7
|
||||
4R rollback**, **§3 AppArmor enforce + privilege**, **§1 TLS**, **§12 CI
|
||||
gate/coverage** — these are the criteria most likely to fail an assessment
|
||||
today given the current ~9% test coverage.
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
# 🪶 Research-Note Poster — *Gondwana Trust Substrate*
|
||||
### Sketch-design architectural poster · vulgarized · last-day evolutions + roadmap
|
||||
*2026-07-01 · CyberMind / SecuBox-Deb*
|
||||
|
||||
This note ships two things:
|
||||
1. **A ready-to-paste image-generation prompt** (for GPT-Image / Midjourney / SDXL) that renders the poster.
|
||||
2. **An ASCII layout mock** so the composition is concrete, plus the vulgarized copy the poster carries.
|
||||
|
||||
---
|
||||
|
||||
## 1 · The image-generation prompt (paste this)
|
||||
|
||||
> **A hand-drawn architectural research-note poster, "sketchnote" / engineering-lab-notebook style** — like a brilliant hacker's whiteboard photographed at 2 a.m. Ink-and-marker on aged parchment, cosmos-black background (#0a0a0f) with a subtle hexagonal grid, hand-lettered headings in a Cinzel-esque serif, body notes in a monospace "JetBrains Mono" hand, arrows drawn freehand.
|
||||
>
|
||||
> **Palette:** gold-hermetic (#c9a84c) for titles + borders, matrix-green (#00ff41) for "it works / live", cyber-cyan (#00d4ff) for data flows, cinnabar-red (#e63946) for "guarded / danger", void-purple (#6e40c9) for future/roadmap. Faint alchemical/hermetic marginalia (small circuit-sigils, a mirror glyph 🪞, tiny onion for Tor).
|
||||
>
|
||||
> **Title band (top):** big gold hand-lettering — **"GONDWANA · A VILLAGE OF BOXES THAT TRUST BY MATH, NOT BY FAITH"**. Subtitle in small caps: *"self-certifying mesh · federated services · lend-a-service macros"*.
|
||||
>
|
||||
> **Three stacked ‘strata’ drawn as geological layers of a mirror (the sketch's spine):**
|
||||
> - **Layer 1 — THE HANDSHAKE (green):** two little box-characters shaking hands; above them a speech bubble *"my name = the hash of my key"*; a rejected forger box crossed out in red with *"can't fake a name you can't compute"*.
|
||||
> - **Layer 2 — THE CATALOG (cyan):** a hand-drawn shop-shelf / market-stall labeled *"Service Registry"*; shelves hold little cards ("WAF mirror", "Suricata", "Tor exit"); an arrow *"Auto register all"* pulling neighbor stalls' cards onto your shelf.
|
||||
> - **Layer 3 — LEND-A-SERVICE MACROS (gold+onion):** a box lending a glowing **onion (Tor exit)** across a rope-bridge (the mesh) to a neighbor box, who plugs it in and their traffic pops out somewhere far away. Little padlock-robot (AppArmor) guarding the rope.
|
||||
>
|
||||
> **A freehand ‘proof strip’ across the middle (green, like a lab result taped on):** a comic 4-panel: (1) gk2 pins a "Tor exit for rent" flyer, (2) flyer flies to c3box over a dotted mesh line, (3) c3box taps it → a guard checks a signed ticket → opens a tiny gate, (4) c3box's web traffic exits as a masked Tor node — caption in green marker: **`{"IsTor": true}` — PROVEN LIVE**.
|
||||
>
|
||||
> **Right margin — "THE BOUNCER" side-sketch (red):** a stern padlock-bouncer with a checklist: *"√ real name (hash) · √ signed ticket · √ from the mesh only · √ one door, one guest · everything else: DENIED"*. Small note: *"the review robots caught ~10 booby-traps before the doors opened"*.
|
||||
>
|
||||
> **Bottom third — "HORIZON / ROADMAP" as a dotted mountain trail into a purple sunrise:** milestone flags along the trail — *"more lendable services: VPN-relay · DNS · mirror"*, *"zero-knowledge secret handshake (GK·HAM)"*, *"ask-permission mode (pending)"*, *"two-way bridges + native Tor everywhere"*. A tiny hiker box walking toward them.
|
||||
>
|
||||
> **Overall vibe:** warm, playful, hand-crafted, a little hermetic/alchemical, highly legible, poster-ratio (2:3 portrait), lots of arrows and margin doodles, feels like a research lab's celebratory wall poster. No photorealism — pure ink-sketch + marker.
|
||||
|
||||
---
|
||||
|
||||
## 2 · ASCII layout mock (the composition)
|
||||
|
||||
```
|
||||
╔══════════════════════════════════════════════════════════════════╗
|
||||
║ 🪞 G O N D W A N A — boxes that trust by MATH, not by FAITH ║ ← gold title
|
||||
║ self-certifying mesh · federated services · lend-a-service ║
|
||||
╠══════════════════════════════════════════════════════════════════╣
|
||||
║ ▓ LAYER 1 · THE HANDSHAKE (green = works) ║
|
||||
║ [box]🤝[box] "my name = hash(my key)" ║
|
||||
║ [forger]✗ "can't fake a name you must compute" ║
|
||||
║------------------------------------------------------------------║
|
||||
║ ▓ LAYER 2 · THE CATALOG (cyan = data flows) ║
|
||||
║ ┌shelf: Service Registry┐ ◀── "Auto register all" ║
|
||||
║ │ [WAF][Suricata][Tor 🧅]│ pulls neighbours' cards to you ║
|
||||
║------------------------------------------------------------------║
|
||||
║ ▓ LAYER 3 · LEND-A-SERVICE MACROS (gold + 🧅) ║
|
||||
║ gk2 [🧅]══rope-bridge (mesh)══▶ [box] c3box 🔒(AppArmor guard) ║
|
||||
║==================================================================║
|
||||
║ ✅ PROOF STRIP (taped lab result): ║
|
||||
║ gk2 posts "Tor exit for rent" → flies to c3box → guard checks ║
|
||||
║ signed ticket → opens gate → c3box exits as Tor {IsTor:true} ║
|
||||
╠══════════════════════════════════╦═══════════════════════════════╣
|
||||
║ ⛰ HORIZON / ROADMAP (purple) ║ 🔒 THE BOUNCER (red) ║
|
||||
║ ·→ more services: VPN·DNS·mirror ║ √ real name (hash) ║
|
||||
║ ·→ zero-knowledge handshake HAM ║ √ signed ticket ║
|
||||
║ ·→ ask-permission (pending) mode ║ √ from the mesh only ║
|
||||
║ ·→ two-way bridges + Tor native ║ √ one door / one guest ║
|
||||
║ 🥾 …hiker box walking the trail ║ ✗ everything else: DENIED ║
|
||||
╚══════════════════════════════════╩═══════════════════════════════╝
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 3 · The vulgarized story the poster tells
|
||||
|
||||
**The one-line pitch.** *A cluster of little security boxes (SecuBoxes) that don't need a boss or a
|
||||
central authority to trust each other — their name literally IS a fingerprint of their key, so nobody
|
||||
can impersonate anyone. On top of that trust, boxes publish a menu of services and can even lend each
|
||||
other real capabilities — like one box lending its Tor exit so another box's traffic comes out
|
||||
anonymized, far away.*
|
||||
|
||||
**What changed in the last day (three layers, all live on gk2 + c3box):**
|
||||
|
||||
| Layer | Plain-language | Under the hood |
|
||||
|------|----------------|----------------|
|
||||
| 🤝 **Handshake** | "My name is the math of my key — you can check it, you can't fake it." | did:plc self-cert; `ingest_offer` checks `did == hash(pubkey)` before trusting anything |
|
||||
| 🛒 **Catalog** | "See every box's menu on one shelf; one click subscribes you." | p2p Service Registry = live view of the federated annuaire catalog + "Auto register all" |
|
||||
| 🧅 **Lend-a-service** | "Rent my Tor exit / my relay — the guard only opens for a signed ticket." | `secubox-macro` (macroctl + tor-exit plugin, AppArmor-confined, nft-gated grant) |
|
||||
|
||||
**The headline proof.** gk2 offered its Tor exit as a service → it federated to c3box → c3box subscribed,
|
||||
activated, and pulled a *signed* grant over the mesh → gk2's firewall opened just for c3box's mesh IP →
|
||||
**c3box's traffic now exits through gk2's Tor node** (`{"IsTor":true}`). End-to-end, across two real
|
||||
machines, with a hardened privilege chain (unprivileged app → tight sudo → root dispatcher → confined
|
||||
plugin → firewall). The adversarial review loop caught **~10 critical booby-traps** before any of it shipped.
|
||||
|
||||
**The bouncer (why it's safe).** Every request is checked at the right door: a real (hash-derived) name,
|
||||
a signature that only the key-owner could make, coming *only* from the mesh, opening exactly one port for
|
||||
exactly one guest — and anything unexpected is denied by default (CSPN posture).
|
||||
|
||||
**Where the trail leads (roadmap).**
|
||||
- 🧩 **More lendable services** — the same framework, new plugins: `wg-relay` (VPN), `dns-resolver`, `http-mirror`.
|
||||
- 🕵️ **Zero-knowledge handshake** — swap the current stubs for the real GK·HAM Hamiltonian NIZK, so boxes prove things about themselves *without revealing secrets*.
|
||||
- 🙋 **Ask-permission mode** — today lending is auto-approved; next, a provider can hold a request as *pending* and approve it, which needs cross-box approval federation.
|
||||
- 🌉 **Two-way bridges + Tor everywhere** — finish the reverse mesh path and put a native Tor on every box so any box can be a full exit provider out of the box.
|
||||
|
||||
---
|
||||
|
||||
*Notebook margin, small hand: "the mirror shows the mesh; the mesh shows the mirror. — 🪞"*
|
||||
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 32 KiB |
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 26 KiB |
|
Before Width: | Height: | Size: 31 KiB After Width: | Height: | Size: 32 KiB |
|
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 35 KiB |
|
Before Width: | Height: | Size: 50 KiB After Width: | Height: | Size: 34 KiB |
|
Before Width: | Height: | Size: 48 KiB |
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 25 KiB |
|
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 36 KiB |
|
Before Width: | Height: | Size: 60 KiB After Width: | Height: | Size: 33 KiB |
|
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 31 KiB |
|
Before Width: | Height: | Size: 32 KiB |
|
Before Width: | Height: | Size: 48 KiB After Width: | Height: | Size: 34 KiB |
|
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 33 KiB |
|
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 28 KiB |
|
Before Width: | Height: | Size: 54 KiB After Width: | Height: | Size: 40 KiB |
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 71 KiB |
|
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 51 KiB |
|
Before Width: | Height: | Size: 31 KiB After Width: | Height: | Size: 28 KiB |
|
Before Width: | Height: | Size: 42 KiB After Width: | Height: | Size: 32 KiB |
|
Before Width: | Height: | Size: 15 KiB After Width: | Height: | Size: 31 KiB |
|
Before Width: | Height: | Size: 46 KiB After Width: | Height: | Size: 32 KiB |
|
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 29 KiB |
|
Before Width: | Height: | Size: 50 KiB After Width: | Height: | Size: 35 KiB |
|
Before Width: | Height: | Size: 42 KiB After Width: | Height: | Size: 27 KiB |
|
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 33 KiB |
|
Before Width: | Height: | Size: 36 KiB After Width: | Height: | Size: 47 KiB |
|
Before Width: | Height: | Size: 50 KiB |
|
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 30 KiB |
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 39 KiB |
|
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 26 KiB |
|
Before Width: | Height: | Size: 43 KiB |