gandalf/secubox-openwrt
gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
secubox-openwrt/.codex/requirements.md
CyberMind-FR d9534270c8 codex
2025-12-28 07:01:22 +01:00

54 lines
6.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Requirements
## Functional Requirements
- **luci-app-secubox**: Provide a central dashboard showing module status, monitoring cards, module launchers, alerts, and developer status (views `dashboard.js`, `modules*.js`, `dev-status.js`).
- **luci-app-system-hub**: Expose health scoring, service control, diagnostics, backup/restore, remote access, and the bonus development status tab with matching widgets (`overview.js`, `services.js`, `components.js`, `logs.js`, `backup.js`, `diagnostics.js`, `remote.js`, `dev-status.js`).
- **luci-app-crowdsec-dashboard**: Surface CrowdSec bans, alerts, bouncer state, metrics, and configuration actions (views `overview.js`, `alerts.js`, `decisions.js`, `bouncers.js`, `metrics.js`, `settings.js`).
- **luci-app-netdata-dashboard**: Embed Netdata telemetry (system, network, processes, realtime, settings) using SecuBox cards and gauges.
- **luci-app-netifyd-dashboard**: Show DPI data: applications, devices, flows, risks, “top talkers,” and configuration controls.
- **luci-app-network-modes**: Let users toggle router/AP/relay/sniffer modes via wizard flows while preserving backup/restore safeguards.
- **luci-app-wireguard-dashboard**: Monitor tunnels, peers, traffic, configs, QR codes, and enforce never exposing private keys.
- **luci-app-client-guardian**: Manage NAC zones, portals, captive flow, parental policies, alerts, logs, and quarantine defaults.
- **luci-app-auth-guardian**: Run authentication flows (sessions, vouchers, OAuth, splash, bypass) with secure portal assets.
- **luci-app-bandwidth-manager**: Configure QoS classes, scheduling, quotas, per-client stats, and media-aware prioritization.
- **luci-app-media-flow**: Detect streaming/VoIP services, alert on anomalies, show live bandwidth breakdown by service/client/history.
- **luci-app-cdn-cache**: Configure caching policies, show cache metrics, allow maintenance tasks (purge, preload).
- **luci-app-vhost-manager**: Create local virtual hosts, SSL bindings, redirects, certificate management, and view logs.
- **luci-app-traffic-shaper**: Provide CAKE/HTB based presets, classes, rules, and stats with one-click templates (gaming, streaming, etc.).
- **luci-app-ksm-manager**: Manage secure keys/secrets/HSM credentials, track audits, and guard SSH certificate flows.
## Non-Functional Requirements
- **Security & Permissions**: RPCD scripts must be installed with 755 through `PKG_FILE_MODES`; CSS/JS/Menu/ACL remain 644. ACL JSON must enumerate every ubus method. Do not widen ACLs without justification.
- **Design System**: Use `system-hub/common.css` variables (`--sh-*`), Inter + JetBrains Mono fonts, gradient classes, and provide `[data-theme="dark"]` overrides. No hardcoded colors.
- **Performance**: Views should batch RPC calls via `Promise.all`, re-use API helpers, and throttle `poll.add` intervals per module spec (commonly 530s).
- **Reliability**: Always run validation (`./secubox-tools/validate-modules.sh` / `validate-module-generation.sh`) and fix permissions before committing. Deployments must include remote permission fixes plus LuCI cache flush/resets.
- **Privacy**: Modules such as Client Guardian, Auth Guardian, and WireGuard must never display secrets (e.g., mask private keys, credentials, vouchers).
## Compatibility Matrix
| OpenWrt Version | Status | Package Format | Notes |
|-----------------|--------|----------------|-------|
| 25.12.0-rc1 | Testing | `.apk` | Uses new apk package manager |
| 24.10.x | Supported (recommended) | `.ipk` | Default CI target |
| 23.05.x | Supported | `.ipk` | Previous stable |
| 22.03.x | Supported | `.ipk` | LTS |
| 21.02.x | Partial | `.ipk` | End of support |
| SNAPSHOT | Supported | `.apk` | Bleeding edge |
Architectures covered by CI/local-build: `x86-64`, `x86-generic`, `aarch64-cortex-a53`, `aarch64-cortex-a72`, `aarch64-generic`, `mediatek-filogic`, `rockchip-armv8`, `bcm27xx-bcm2711`, `arm-cortex-a7-neon`, `arm-cortex-a9-neon`, `qualcomm-ipq40xx`, `qualcomm-ipq806x`, `mips-24kc`, `mipsel-24kc`, `mipsel-74kc`.
## Invariants (Must Never Break)
1. **RPCD naming**: `root/usr/libexec/rpcd/luci.<module>` must match every `rpc.declare({object:'luci.<module>'})` reference and ACL entry.
2. **Menu path alignment**: `root/usr/share/luci/menu.d/*.json` `path` fields must match the view filenames (`htdocs/luci-static/resources/view/<module>/<view>.js`).
3. **File permissions**: RPCD=755, helper scripts=755, CSS/JS/Menu/ACL/UCI=644. Always run `./secubox-tools/fix-permissions.sh --local` and `--remote`.
4. **Design system compliance**: Use shared CSS variables, fonts, and gradient/button classes; implement `[data-theme="dark"]` overrides.
5. **Validation gate**: Do not merge or deploy without passing `./secubox-tools/validate-modules.sh` (7 checks) and, when applicable, `validate-module-generation.sh` / `pre-push-validation.sh`.
6. **ACL integrity**: ACL JSON must explicitly cover every ubus method (read vs write) and only expose necessary resources.
7. **Deployment hygiene**: Use `deploy-module-template.sh` or module-specific deploy scripts so backups, LuCI cache clearing, and service restarts happen consistently.
## Acceptance Criteria Patterns
- ✅ UI work: All new views/styles follow the SecuBox design system, support dark mode, validate RPC responses, and update UI state/polling without console errors.
- ✅ RPC additions: Updated `api.js`, `root/usr/libexec/rpcd/luci.<module>`, menu/ACL JSON, and documentation; ubus methods tested via `ubus call luci.<module> <method>`.
- ✅ Packaging changes: `Makefile` builds locally via `make package/luci-app-<module>/compile V=s` or `./secubox-tools/local-build.sh build luci-app-<module>`; `PKG_FILE_MODES` covers executables; README updated if behavior changes.
- ✅ Deployment: `ROUTER=<host> ./deploy-module-template.sh <module>` completes, `./secubox-tools/fix-permissions.sh --remote <host>` run, `ubus list | grep luci.<module>` returns, and LuCI tab loads without 404/403/-32000 errors.
- ✅ Documentation: If UX or API contracts change, update the corresponding module README and reference sections (`DEVELOPMENT-GUIDELINES`, `MODULE_STATUS`, or other docs) or log a TODO when unsure.
Reference in New Issue View Git Blame Copy Permalink