docs: close #468 (traversal source+live OK) + T0 live recon notes

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.claude/TODO.md

@@ -61,14 +61,18 @@
 
 ### 🟠 T1 — Plan d'enforcement sécurité (mission CSPN ; détection→action)
 - #498 Phase 7 — WAF active enforcement (mitm→CrowdSec→nft drop) *(worktree actif)*
-- #519 Phase 13 — protection enforcement plane **[vérifier→fermer]** (TODO dit COMPLETE)
-- #522 Phase 13.B — DNS-guard : domaines blocklistés → nft blacklist
+- ✅ #519 Phase 13 — enforcement plane **FERMÉ 2026-06-22** (livré + réparé :
+  blacklist-sync avortait sur NXDOMAIN + timeout unit → fix `|| true` +
+  TimeoutStartSec 600 ; vérifié live, default-off). Inclut 13.B #522.
 - #455 secubox-egress — détection egress + corrélation RDS multi-signaux
 - #500 Phase 8 — Utiq operator-grade tracking (detect/alert/bypass)
-- #514 Phase 12 — plateforme anti-human-detection (parent)
-- #515 Phase 12.A — détection CDN cache passive **[vérifier]** (partiel via social graph)
-- #516 Phase 12.B — détection anti-bot/'prove human' passive **[vérifier]** (partiel)
+- #514 Phase 12 — plateforme anti-human-detection (parent ; sous-tracks fermés)
+- ✅ #515 Phase 12.A CDN cache detection — **FERMÉ** (live, `social_host_meta.cdn_vendor`)
+- ✅ #516 Phase 12.B anti-bot detection — **FERMÉ** (live via #564/#565, `social_antibot`)
 - #525 Phase 14 — plan de déception (idée future, parké)
+- ⬜ Suivi #519 perf (non bloquant) : DNS-guard ne résout que les 2000 premiers
+  domaines/cycle (5523 en base) → couverture partielle ; résolution séquentielle
+  lourde sur board saturé. Option : résolution parallèle bornée + rotation du cap.
 
 ### 🟡 T2 — UX / Hub / conscommateurs report (worktrees actifs + polish)
 - #615 security-posture dans la sidebar Hub *(worktree actif)*

.claude/WIP.md

@@ -10,9 +10,26 @@
   /social/me + report PDF live) · #495 Phase 5 mitm-LXC (superseded par #662 Go
   sbxmitm host) · #531 APK one-tap (superseded par #685/#686 non-root) ·
   #486 geoip/ASN+flags+catégories dans rapports (livré master : geo.py + dpi_class.py +
-  report wiring ; complémentaire de #718 ASN collector ; worktree stale nettoyé).
+  report wiring ; complémentaire de #718 ASN collector ; worktree stale nettoyé) ·
+  #515 CDN detection (live `social_host_meta.cdn_vendor`) · #516 anti-bot detection
+  (live via #564/#565) · #519 enforcement plane (livré + **réparé** : blacklist-sync
+  avortait NXDOMAIN + timeout unit → fix `|| true` + TimeoutStartSec 600, vérifié live,
+  default-off ; inclut #522). Toolbox source bumpé 2.7.18 (fix live-patché sur gk2) ·
+  #468 /etc/secubox traversal (source+live = 0755, secrets/CA enfants restent 0750).
 - **Actives (worktrees en cours)** : #655 webext banner · #615 security-posture ·
   #494 secubox-core ExecStart · #498 Phase 7 WAF enforcement · #485 SOC scoring.
+
+### 🔎 Reco T0 — recon live gk2 2026-06-24 (avant fix)
+- **#494/#471/#421** : la vraie régression live = `/run/secubox` = 1777 **secubox:secubox**
+  (règle dure = 1777 **root:root**). Possédé par le worktree `fix/494-…` → ne pas collisionner.
+- **#447** : pas une fuite — `password_hash=null` → lockout kiosk + user CI parasite ;
+  **CI-image-gated** (rpi400, pas gk2).
+- **#91** : `haproxy.cfg` active valide ; backup `*.broken-by-haproxyctl-*` prouve le bug
+  passé ; drift-guard #627 rattrape. Root cause = generate `haproxyctl` (api/main.py l.846/896).
+- **#53** : Wazuh hors stack documenté (Suricata+CrowdSec), aucune unit sur gk2 →
+  décider **remove vs keep-masked**, pas de boucle évidente dans `api/main.py`.
+- **#65** : `common/nginx/webui.conf` routes hardcodées → passer à `include secubox.d/*.conf`.
+- **#121** : `scripts/metablog-ingest.sh` laisse `sites/*` en root:root → `chown -R secubox:secubox`.
 - **Backlog/future** : #685/#686 APK non-root (plan verrouillé) · #592 webmail-hub ·
   #514/#515/#516/#519/#522/#525 Phase 12-14 (#515 CDN / #516 anti-bot partiellement
   couverts par antibot_sites/opgrade_sites du social graph) · #500 Utiq · #497/#480/

packages/secubox-toolbox/debian/changelog

@@ -1,3 +1,21 @@
+secubox-toolbox (2.7.18-1~bookworm1) bookworm; urgency=medium
+
+  * #519/#522 fix(blacklist-sync): the DNS-guard domain loop aborted the whole
+    enforcement sync on the first unresolvable blocklisted domain — getent
+    returns exit 2 on NXDOMAIN and, under set -euo pipefail, the
+    `ips=$(getent ... | awk | sort)` assignment propagated that 2 (status=2,
+    INVALIDARGUMENT under systemd). Blocklisted domains are overwhelmingly
+    dead/sinkholed, so the oneshot failed every run → the nft blacklist_v4/v6
+    sets were never populated and the protection enforcement plane was inert.
+    Guard the substitution with `|| true` so a dead domain is skipped, not fatal.
+  * #519/#522 fix(blacklist-sync): a full DNS-guard sweep (~700 live resolutions)
+    runs ~3min on a loaded board but the unit's TimeoutStartSec was 120s →
+    systemd SIGTERM'd the oneshot before it loaded the sets. Raise to 600s and
+    drop the per-lookup timeout default 2s→1s so a sweep finishes well within it.
+    Verified live on gk2: sets populate (blacklist_v4=1675, blacklist_v6=207).
+
+ -- Gerald KERMA <devel@cybermind.fr>  Wed, 24 Jun 2026 09:30:00 +0000
+
 secubox-toolbox (2.7.17-1~bookworm1) bookworm; urgency=medium
 
   * #724 banner: in-banner R0..R3 level switch — the injected transparency

packages/secubox-toolbox/sbin/secubox-blacklist-sync

@@ -61,14 +61,18 @@ fi
 # Bounded : cap on domains/cycle + per-lookup timeout so the sync never
 # hangs on a dead resolver.
 DOMAIN_CAP="${SECUBOX_BL_DOMAIN_CAP:-2000}"
-RESOLVE_TIMEOUT="${SECUBOX_BL_RESOLVE_TIMEOUT:-2}"
+RESOLVE_TIMEOUT="${SECUBOX_BL_RESOLVE_TIMEOUT:-1}"
 resolved_domains=0
 if [ -r "$TOOLBOX_DB" ] && command -v sqlite3 >/dev/null 2>&1; then
     while IFS= read -r dom; do
         [ -n "$dom" ] || continue
         # getent ahosts returns both A + AAAA ; timeout guards a dead lookup.
+        # NXDOMAIN makes getent exit 2 → with pipefail+set -e the assignment
+        # would abort the whole sync on the first dead blocklisted domain
+        # (and blocklisted domains are overwhelmingly dead/sinkholed). Guard
+        # the substitution so an unresolvable domain is simply skipped.
         ips=$(timeout "$RESOLVE_TIMEOUT" getent ahosts "$dom" 2>/dev/null \
-                | awk '{print $1}' | sort -u)
+                | awk '{print $1}' | sort -u || true)
         if [ -n "$ips" ]; then
             printf '%s\n' "$ips" >> "$TMP4.raw"
             resolved_domains=$((resolved_domains + 1))

packages/secubox-toolbox/systemd/secubox-blacklist-sync.service

@@ -14,7 +14,11 @@ ExecStart=/usr/sbin/secubox-blacklist-sync
 User=root
 Nice=10
 IOSchedulingClass=idle
-TimeoutStartSec=120
+# DNS-guard resolves up to DOMAIN_CAP blocklisted domains sequentially; on a
+# loaded board that can run a few minutes. 120s was shorter than a full sweep
+# (~3min for ~700 live resolutions) → systemd SIGTERM'd the oneshot before it
+# loaded the sets. Give it headroom (#519/#522).
+TimeoutStartSec=600
 
 [Install]
 WantedBy=multi-user.target