.claude/TODO.md

@@ -61,18 +61,14 @@
 
 ### 🟠 T1 — Plan d'enforcement sécurité (mission CSPN ; détection→action)
 - #498 Phase 7 — WAF active enforcement (mitm→CrowdSec→nft drop) *(worktree actif)*
-- ✅ #519 Phase 13 — enforcement plane **FERMÉ 2026-06-22** (livré + réparé :
-  blacklist-sync avortait sur NXDOMAIN + timeout unit → fix `|| true` +
-  TimeoutStartSec 600 ; vérifié live, default-off). Inclut 13.B #522.
+- #519 Phase 13 — protection enforcement plane **[vérifier→fermer]** (TODO dit COMPLETE)
+- #522 Phase 13.B — DNS-guard : domaines blocklistés → nft blacklist
 - #455 secubox-egress — détection egress + corrélation RDS multi-signaux
 - #500 Phase 8 — Utiq operator-grade tracking (detect/alert/bypass)
-- #514 Phase 12 — plateforme anti-human-detection (parent ; sous-tracks fermés)
-- ✅ #515 Phase 12.A CDN cache detection — **FERMÉ** (live, `social_host_meta.cdn_vendor`)
-- ✅ #516 Phase 12.B anti-bot detection — **FERMÉ** (live via #564/#565, `social_antibot`)
+- #514 Phase 12 — plateforme anti-human-detection (parent)
+- #515 Phase 12.A — détection CDN cache passive **[vérifier]** (partiel via social graph)
+- #516 Phase 12.B — détection anti-bot/'prove human' passive **[vérifier]** (partiel)
 - #525 Phase 14 — plan de déception (idée future, parké)
-- ⬜ Suivi #519 perf (non bloquant) : DNS-guard ne résout que les 2000 premiers
-  domaines/cycle (5523 en base) → couverture partielle ; résolution séquentielle
-  lourde sur board saturé. Option : résolution parallèle bornée + rotation du cap.
 
 ### 🟡 T2 — UX / Hub / conscommateurs report (worktrees actifs + polish)
 - #615 security-posture dans la sidebar Hub *(worktree actif)*

.claude/WIP.md

@@ -10,26 +10,9 @@
   /social/me + report PDF live) · #495 Phase 5 mitm-LXC (superseded par #662 Go
   sbxmitm host) · #531 APK one-tap (superseded par #685/#686 non-root) ·
   #486 geoip/ASN+flags+catégories dans rapports (livré master : geo.py + dpi_class.py +
-  report wiring ; complémentaire de #718 ASN collector ; worktree stale nettoyé) ·
-  #515 CDN detection (live `social_host_meta.cdn_vendor`) · #516 anti-bot detection
-  (live via #564/#565) · #519 enforcement plane (livré + **réparé** : blacklist-sync
-  avortait NXDOMAIN + timeout unit → fix `|| true` + TimeoutStartSec 600, vérifié live,
-  default-off ; inclut #522). Toolbox source bumpé 2.7.18 (fix live-patché sur gk2) ·
-  #468 /etc/secubox traversal (source+live = 0755, secrets/CA enfants restent 0750).
+  report wiring ; complémentaire de #718 ASN collector ; worktree stale nettoyé).
 - **Actives (worktrees en cours)** : #655 webext banner · #615 security-posture ·
   #494 secubox-core ExecStart · #498 Phase 7 WAF enforcement · #485 SOC scoring.
-
-### 🔎 Reco T0 — recon live gk2 2026-06-24 (avant fix)
-- **#494/#471/#421** : la vraie régression live = `/run/secubox` = 1777 **secubox:secubox**
-  (règle dure = 1777 **root:root**). Possédé par le worktree `fix/494-…` → ne pas collisionner.
-- **#447** : pas une fuite — `password_hash=null` → lockout kiosk + user CI parasite ;
-  **CI-image-gated** (rpi400, pas gk2).
-- **#91** : `haproxy.cfg` active valide ; backup `*.broken-by-haproxyctl-*` prouve le bug
-  passé ; drift-guard #627 rattrape. Root cause = generate `haproxyctl` (api/main.py l.846/896).
-- **#53** : Wazuh hors stack documenté (Suricata+CrowdSec), aucune unit sur gk2 →
-  décider **remove vs keep-masked**, pas de boucle évidente dans `api/main.py`.
-- **#65** : `common/nginx/webui.conf` routes hardcodées → passer à `include secubox.d/*.conf`.
-- **#121** : `scripts/metablog-ingest.sh` laisse `sites/*` en root:root → `chown -R secubox:secubox`.
 - **Backlog/future** : #685/#686 APK non-root (plan verrouillé) · #592 webmail-hub ·
   #514/#515/#516/#519/#522/#525 Phase 12-14 (#515 CDN / #516 anti-bot partiellement
   couverts par antibot_sites/opgrade_sites du social graph) · #500 Utiq · #497/#480/

packages/secubox-toolbox/debian/changelog

@@ -1,21 +1,3 @@
-secubox-toolbox (2.7.18-1~bookworm1) bookworm; urgency=medium
-
-  * #519/#522 fix(blacklist-sync): the DNS-guard domain loop aborted the whole
-    enforcement sync on the first unresolvable blocklisted domain — getent
-    returns exit 2 on NXDOMAIN and, under set -euo pipefail, the
-    `ips=$(getent ... | awk | sort)` assignment propagated that 2 (status=2,
-    INVALIDARGUMENT under systemd). Blocklisted domains are overwhelmingly
-    dead/sinkholed, so the oneshot failed every run → the nft blacklist_v4/v6
-    sets were never populated and the protection enforcement plane was inert.
-    Guard the substitution with `|| true` so a dead domain is skipped, not fatal.
-  * #519/#522 fix(blacklist-sync): a full DNS-guard sweep (~700 live resolutions)
-    runs ~3min on a loaded board but the unit's TimeoutStartSec was 120s →
-    systemd SIGTERM'd the oneshot before it loaded the sets. Raise to 600s and
-    drop the per-lookup timeout default 2s→1s so a sweep finishes well within it.
-    Verified live on gk2: sets populate (blacklist_v4=1675, blacklist_v6=207).
-
- -- Gerald KERMA <devel@cybermind.fr>  Wed, 24 Jun 2026 09:30:00 +0000
-
 secubox-toolbox (2.7.17-1~bookworm1) bookworm; urgency=medium
 
   * #724 banner: in-banner R0..R3 level switch — the injected transparency

packages/secubox-toolbox/sbin/secubox-blacklist-sync

@@ -61,18 +61,14 @@ fi
 # Bounded : cap on domains/cycle + per-lookup timeout so the sync never
 # hangs on a dead resolver.
 DOMAIN_CAP="${SECUBOX_BL_DOMAIN_CAP:-2000}"
-RESOLVE_TIMEOUT="${SECUBOX_BL_RESOLVE_TIMEOUT:-1}"
+RESOLVE_TIMEOUT="${SECUBOX_BL_RESOLVE_TIMEOUT:-2}"
 resolved_domains=0
 if [ -r "$TOOLBOX_DB" ] && command -v sqlite3 >/dev/null 2>&1; then
     while IFS= read -r dom; do
         [ -n "$dom" ] || continue
         # getent ahosts returns both A + AAAA ; timeout guards a dead lookup.
-        # NXDOMAIN makes getent exit 2 → with pipefail+set -e the assignment
-        # would abort the whole sync on the first dead blocklisted domain
-        # (and blocklisted domains are overwhelmingly dead/sinkholed). Guard
-        # the substitution so an unresolvable domain is simply skipped.
         ips=$(timeout "$RESOLVE_TIMEOUT" getent ahosts "$dom" 2>/dev/null \
-                | awk '{print $1}' | sort -u || true)
+                | awk '{print $1}' | sort -u)
         if [ -n "$ips" ]; then
             printf '%s\n' "$ips" >> "$TMP4.raw"
             resolved_domains=$((resolved_domains + 1))

packages/secubox-toolbox/systemd/secubox-blacklist-sync.service

@@ -14,11 +14,7 @@ ExecStart=/usr/sbin/secubox-blacklist-sync
 User=root
 Nice=10
 IOSchedulingClass=idle
-# DNS-guard resolves up to DOMAIN_CAP blocklisted domains sequentially; on a
-# loaded board that can run a few minutes. 120s was shorter than a full sweep
-# (~3min for ~700 live resolutions) → systemd SIGTERM'd the oneshot before it
-# loaded the sets. Give it headroom (#519/#522).
-TimeoutStartSec=600
+TimeoutStartSec=120
 
 [Install]
 WantedBy=multi-user.target