GHOSTPORT PHANTOM OS

PATCH & FEATURE LOG

Last updated: April 22, 2026 • Covering: Pre-Audit + Rounds 1–16 (authoritative count) + Theme Engine + Fleet Integration + Family Shield + SNI Inspector + Full-Stack Hardening + NIST Compliance Sprint + Dual-Tunnel Architecture + Independent Pen Test (passed) + v1.1.0 ship

From March 17, 2026 through the v1.1.0 beta-to-friends ship on April 22, 2026, we conducted a comprehensive multi-round security audit of every component in GhostPort Phantom OS — from the Express API server and frontend SPA to nftables firewall profiles, shell scripts, systemd services, and the EC2 fleet infrastructure. This log documents 311+ bugs found and patched across 16 audit rounds, an independent third-party penetration test passed with no blocking findings, dual-tunnel architecture, a theme engine with RGB breathing mode, Family Shield parental controls, the fleet integration system with Stripe subscriptions, and a NIST Cybersecurity Framework compliance sprint.

311+

BUGS FOUND

AUDIT ROUNDS

PASS

3RD-PARTY PEN TEST

NIST CSF SCORE

Round 20 — Data Plane Separation + Dual-Tunnel Architecture — April 4, 2026

Dual-tunnel live • Control/data plane separated • 3,330 Mbps throughput • 0.023ms jitter • WiFi WAN shipped

3,330

MBPS DOWN

0.023

MS JITTER

PACKET LOSS

TUNNELS

Dual-Tunnel Architecture — Full Article →

Control plane (fleet API, bridge) and data plane (internet relay) now run on independent EC2 instances with separate WireGuard tunnels. Single point of failure eliminated.

Data plane (ARM64 Graviton) — Dedicated internet relay with 3,330 Mbps down / 3,132 Mbps up raw throughput
DoubleHop routing verified — Exit IP confirmed [data-plane IP] end-to-end
Tunnel jitter 0.023ms — Competitive gaming viable through the VPN
MTU fixed to 1420 — 3x download speed improvement by eliminating jumbo frame fragmentation
PersistentKeepalive 25 — Set on all peers across both planes
DNS zero-leak — Unbound locked to VPN subnet only; QUIC blocked to prevent bypass
SSH hardened — Tailscale-only access on data plane, no public SSH exposure
WiFi WAN shipped — Pi can now use WiFi as WAN uplink instead of Ethernet

Round 19 — AI Security Hardening + NIST Compliance — March 30–31, 2026

5-layer AI anti-injection defense • NIST CSF Level 1 • AES-encrypted bridge • Control tag filtering • 18 articles live • auditd integrity monitoring

SECURITY LAYERS

ARTICLES LIVE

TAGS BLOCKED

AUDIT RULES

AI-to-AI Security Suite — Industry First

Five independent security layers protecting Claude-to-Claude communication, deployed in response to the Claude Code source leak. No other consumer router has cryptographically authenticated AI agent communication.

HMAC-SHA256 message signing — Every bridge message cryptographically signed; forged messages rejected at the API
AES encrypted storage — Message bodies encrypted before database storage; DB dump yields only ciphertext
Nonce + replay protection — 5-minute timestamp window + unique nonces; replayed messages rejected
Prompt injection detection — Pattern matching on all external data; flagged to security audit trail
Control tag filtering — 11 Claude Code internal XML tags blocked at API level; attackers cannot inject tool calls or system overrides

Infrastructure Hardening

File permissions locked — CLAUDE.md, memory files, credentials all mode 600; .claude/ directory mode 700
auditd integrity monitoring — 4 new rules: tamper detection on CLAUDE.md, memory directory, settings, credentials
Security logging — BRIDGE_CONTROL_TAG_ATTACK and PROMPT_INJECTION_ATTEMPT events in security.log
NIST CSF Level 1 achieved — 110 NIST 800-171 controls mapped, 22-point audit closed

New Content & Assets

AI Security Architecture article — How we secure AI-to-AI communication (published openly)
NIST Compliance article — Federal cybersecurity standards on a Raspberry Pi
GhostPort User Guide — Non-technical guide: setup, modes, Family Shield, troubleshooting
“Stop Feeding The Machine” PDF — Privacy resource deployed across all domains

Bug Fixes

White theme palette fix — 16 pages patched; hex-to-HSL was mapping #FFFFFF to hue 0 (red)
WPA3-SAE transition mode — Enabled on hostapd for stronger WiFi encryption
IPv6 disabled — Kernel-level sysctl, eliminating leak surface
PWA shipped — Service worker, cache-first, offline fallback, mobile bottom nav

Round 18 — Content Blitz + Fleet API Expansion — March 29, 2026

11 blog articles deployed • 4 new fleet API endpoints • RSS feed • Ukrainian privacy tool • Full system verification pass

ARTICLES LIVE

NEW ENDPOINTS

SITEMAP URLS

LANGUAGE ADDED

Blog Content Library

Article	Target Audience
FCC Router Ban	Privacy-conscious homeowners, tech news readers
Ohio Age Verification	Civil liberties, parents, privacy advocates
RAM-Only Servers	Technical audience, VPN users, security researchers
ISP Sells Your Data	General public, ISP customers
Smart TV Spying	Cord-cutters, smart home users
Parental Controls Don’t Work	Parents, educators
DNS Privacy Hole	Tech-curious, security-aware users
TikTok Ban Failed	Parents, policy watchers
VPN Truth	VPN shoppers, privacy beginners
Data Brokers	General public, privacy advocates
Open-Source Hardware	Makers, homelabbers, security-conscious buyers

New Fleet API Endpoints

Endpoint	Purpose
`POST /fleet/devices/<id>/regenerate-backup-codes`	Consumer self-service: queue TOTP backup code regeneration via license key
`POST /fleet/licenses/validate`	Check license key validity without activating
`POST /fleet/subscription`	View subscription info (tier, status, dates) via license key
`POST /fleet/devices/<id>/onboarding-complete`	Device reports setup complete, marks active

Infrastructure

RSS feed — blog.ghostporttechnologies.com/feed.xml with all 11 articles
Ukrainian privacy tool — Full translation at tools.ghostporttechnologies.com/ua.html adapted for wartime threat model
Cross-linked articles — Every article links to 2-3 related pieces for SEO and reader retention
Full system verification — All services, endpoints, scripts, permissions, crons, and web properties confirmed operational

Round 17 — TOTP 2FA + Command Widget + Security Audit — March 28, 2026

Two-factor authentication • Floating command widget • Full-stack security audit • Passcode hardening • Fleet agent lockdown • db_lock on all writes

TOTP ENDPOINTS

30+

DB WRITES LOCKED

AGENT VULNS FIXED

AUDIT ITEMS LEFT

TOTP Two-Factor Authentication

Full 2FA lifecycle built from scratch. Authenticator app support (Google Authenticator, Authy, etc.) with QR code setup featuring the GhostPort pirate logo overlay (H-level error correction).

Two-step login — Passcode first, then 6-digit TOTP code. Animated transition between steps.
8 backup codes — Generated on setup, one-time use, displayed in grid
Resync — If authenticator drifts, resync without full re-setup
Fleet reset — "Forgot access?" button on login page calls fleet API to clear TOTP remotely via license key verification
Dashboard Settings UI — Enable/disable/resync under Security section
Consumer lockout — gp-passcode reset blocked on provisioned (customer) devices

Floating Command Widget

New ★ skull FAB replaces the standalone theme picker. Draggable, position saved to localStorage. Expands to show:

Quick Mode Switch — 4 privacy mode buttons with active mode highlighted green
Theme Palette — 8 color swatches + RGB breathing cycle + custom picker
Tooltip — "quick modes :D" on first visit

Passcode Security Hardening

Plaintext removed — Passcode no longer stored in cleartext in auth.json
gp-passcode show removed — No way to display passcode in plaintext
GPIO recovery auto-delete — Recovery file self-destructs after 5 minutes

Full-Stack Security Audit (EC2)

Severity	Issue	Fix
CRITICAL	Fleet API: undefined logger crashes TOTP reset endpoint	Fixed to `access_logger`
HIGH	30+ DB write operations had no concurrency lock — race conditions in device registration, license activation, Stripe webhooks	Added `db_lock` to every write path
HIGH	Hardcoded admin token in check-cert.sh	Now reads from auth.json dynamically
HIGH	Watchdog silently swallowed all exceptions	Proper error handling, logs failures, clean exit on config error
CRITICAL	Fleet agent: `bash -c "$payload"` allowed arbitrary shell execution	Replaced with strict command type whitelist (totp-reset, mode-switch, update, reboot only)
CRITICAL	Fleet agent: JSON encoding via triple-quoted string interpolation	Result passed via stdin to Python
MEDIUM	Command result status accepted any string	Validated: only completed/failed/error
MEDIUM	Agent device ID silently lost on malformed response	Validation added, exits on empty ID

Infrastructure

TOTP reset endpoint — POST /fleet/devices/<id>/reset-totp — consumer self-service via license key, rate limited 3/day
Logrotate — Added for moltbook-posts.log (10MB max, 4 weekly rotations)
Agent state file — Moved from world-readable /tmp to /var/run/ghostport/ mode 0600
3 blog articles deployed — FCC router ban, Ohio age verification, RAM-only servers
Ukrainian privacy tool — Full translation at tools.ghostporttechnologies.com/ua.html
Moltbook cron — 2 posts/day + 1 engage session on autopilot
Google Search Console — Verification + sitemap across 5 subdomains

Round 16 — SNI Inspector + Bug Hunt — March 28, 2026

New feature: TLS SNI Inspector for Family Shield • Full-codebase 3-agent parallel audit • 56 bugs found, 25 patched • nftables hardening • 6 files modified

BUGS FOUND

BUGS PATCHED

NEW FILES

FILES MODIFIED

New Feature: SNI Inspector

Family Shield can now block HTTPS connections that bypass DNS filtering. When a shielded device uses hardcoded IPs or DoH to dodge Pi-hole, the SNI Inspector reads the hostname from the unencrypted TLS ClientHello — zero decryption, zero MITM — and drops the connection if it matches a blocked domain.

Transparent proxy — nftables REDIRECT intercepts port 443 for shielded devices only
Per-device scoping — Only devices marked as “shielded” in Family Shield are inspected
Fail-closed — Connections with no extractable SNI are blocked (prevents opaque tunnel bypass)
Three-layer blocking — DNS (Pi-hole) + IP ranges (nftables ASN sets) + SNI inspection
Auto start/stop — Inspector starts when Family Shield is enabled, stops when disabled
Blocklist sync — Reads Pi-hole gravity DB directly + cached hint file from server

New Files

File	What
`sni-inspector.py`	Python daemon — transparent TLS SNI blocker with SO_ORIGINAL_DST, thread-per-connection, 60s blocklist reload
`scripts/gp-ssl-inspect`	Management script — start/stop/status/add-device/remove-device/flush/restore
`systemd/ghostport-sni.service`	systemd unit with CAP_NET_ADMIN + CAP_NET_RAW, auto-restore device rules on start

Bug Hunt — Critical & High Fixes

Severity	File	Bug	Fix
CRITICAL	`ghostport-server.js`	`writeAuth()` missing passcode field in `initAuth()`	Added plaintext passcode to auth.json for `gp-passcode show`
CRITICAL	`ghostport-server.js`	`stopKillSwitch()` unhandled promise rejection	Added `.catch()` to mode restore promise chain
CRITICAL	`ghostport-server.js`	Passcode change loses `provisioned` flag — device appears unactivated	`writeAuth()` now preserves `provisioned: auth.provisioned`
CRITICAL	`gp-ssl-inspect`	Command injection — IP interpolated into `python3 -c` strings	Complete rewrite: all values passed via `sys.argv`
HIGH	`ghostport-server.js`	`fsIpBlock()` no category validation before shell exec	Added `/^[a-z_]+$/` regex guard + 10s exec timeout
HIGH	`gp-ssl-inspect`	IP validation allows octets 256+ (regex `[0-9]{1,3}`)	Added octet bounds check: `1 ≤ octet ≤ 254`
HIGH	`sni-inspector.py`	Boolean `running` flag not thread-safe	Replaced with `threading.Event()`
HIGH	`sni-inspector.py`	PID file created with 0644 permissions	Use `os.open()` with `0o600` mode
HIGH	`zerotrust.nft`	`table ip nat` instead of `table inet nat`	Changed to `table inet nat` (consistent with doublehop/zhop)

Bug Hunt — Medium Fixes

Severity	File	Bug	Fix
MEDIUM	`arsenal.js`	Inline `onclick` handler in schedule rendering — DOM injection risk	Replaced with event delegation via `data-sched-id` attribute
MEDIUM	`ghostport-server.js`	Pi-hole re-auth stampede — concurrent 401s trigger parallel auth	Added re-auth mutex (`piholeReauthPromise` singleton)
MEDIUM	`ghostport-server.js`	SNI functions fire-and-forget with no error propagation	Converted to `run()` promises with octet bounds validation
MEDIUM	`ghostport-server.js`	`escapeHtml()` applied server-side to client hostnames (double-encoding)	Removed — frontend already escapes on render
MEDIUM	`ghostport-server.js`	WireGuard temp file created with 0644 default permissions	Use `fs.openSync()` with `0o600` mode
MEDIUM	`ghostport-server.js`	`withArsenal()` mutex breaks chain on error (blocks all future writes)	Chain recovery: failed writes resolve the lock so next write proceeds
MEDIUM	`sni-inspector.py`	Fail-open on missing SNI — allowed connections with no hostname	Changed to fail-closed: block if SNI is None
MEDIUM	`sni-inspector.py`	Non-ASCII bytes in SNI could cause decode errors	Use `errors="replace"` + reject hostnames containing replacement chars
MEDIUM	`*.nft` (all 3)	Forward chains missing `ct state invalid drop`	Added to zerotrust, doublehop, and zhop profiles

Bug Hunt — Low Fixes

Severity	File	Bug	Fix
LOW	`ghostport-server.js`	Ticket description missing max length check	Added 5000-char limit validation
LOW	`sni-inspector.py`	Double-close on client socket (handle_client + proxy_connection both close)	handle_client owns close in `finally`, proxy only closes remote
LOW	`sni-inspector.py`	Proxy loop reads dead socket after peer disconnect	Added `done` flag with immediate break
LOW	`sni-inspector.py`	`IP_TRANSPARENT` failure silently ignored	Added warning log so admins know transparent proxying may fail

Architecture: Three-Layer Family Shield Blocking

Family Shield now implements defense-in-depth with three independent blocking layers:

Layer 1: DNS — Pi-hole gravity blocks domains for shielded devices via FamilyShield group assignment
Layer 2: IP — nftables sets block ASN IP ranges for services like TikTok, Facebook, Twitter (catches hardcoded IPs)
Layer 3: SNI — Transparent TLS inspection reads hostname from ClientHello and blocks if it matches the blocklist (catches DoH bypass)

All three layers activate automatically per-device when a client is marked as shielded. Unshielded devices are never inspected or filtered.

Round 15 — Production Readiness — March 25, 2026

Batch 1 shipping prep • 5-phase sprint: activation bugs, GPIO recovery, OTA updates, manufacturing provisioning, mDNS • 6 new files, 3 modified

ACTIVATION BUGS FIXED

NEW SCRIPTS

NEW SERVICES

UNITS SHIPPING

Phase 1 — Activation Bug Fixes

Severity	Bug	Fix
CRITICAL	“Already activated” false positive — `initAuth()` generates hash on first boot, so activation rejects fresh devices	Added `provisioned: false` flag to auth.json during `initAuth()`. Activation checks `provisioned !== true` instead of hash existence
CRITICAL	Fleet token read from `fleet.json` which doesn’t exist yet at first activation time	Activation now reads from `/etc/ghostport/fleet-auth.json` (baked during manufacturing) with `fleet.json` fallback
HIGH	Plaintext passcode not stored — `gp-passcode show` would fail after activation	Activation now writes `{ passcode, hash, salt, provisioned }` matching `gp-passcode reset` behavior

Auto-Redirect for Fresh Devices

Unprovisioned devices now auto-redirect / → /install.html so customers land on setup instead of a login page with no passcode.

Phase 2 — GPIO Reset Button & Factory Reset

Physical Recovery (gp-reset-button)

10-second hold (GPIO 17) — Passcode reset. New passcode saved to /etc/ghostport/last-reset-passcode.txt
30-second hold — Full factory reset via gp-factory-reset
Internal pull-up, button between GPIO 17 and GND, debounced
ghostport-reset.service runs daemon at boot

Factory Reset Hardened (gp-factory-reset)

Standalone script callable from GPIO, SSH, or API
Removes all config except Tailscale enrollment (preserves remote management)
Resets WiFi SSID/password to defaults, clears dnsmasq leases
Now also cleans: admin-auth.json, update-state.json, version.json
API endpoint refactored to delegate to the script (single source of truth)

Phase 3 — OTA Auto-Update Mechanism

gp-update (check | apply | rollback | status)

check — Calls fleet checkin endpoint, stores result in update-state.json
apply — Downloads tarball, verifies SHA-256, extracts to staging, runs gp-deploy --update
Safety — If port 4200 not responding within 60s after update, auto-rollback from /opt/ghostport-backup/
rollback — Manual rollback to previous version from backup
ghostport-update.timer checks every 30 minutes with 5-minute randomized delay
Version tracking: /etc/ghostport/version.json + GET /api/system/version + version in /api/status

Phase 4 — Manufacturing Provisioning

gp-provision — One-Command Setup

sudo gp-provision --tailscale-key=tskey-auth-... --license-key=GP-XXXX-XXXX-XXXX

Deploys latest code via gp-deploy --update
Sets hostname to ghostport-<serial>
Enrolls Tailscale with auth key and tagged hostname
Writes fleet-auth.json with provisioning token
Runs full connectivity smoke test (dashboard, Tailscale, hostapd, Pi-hole, nftables)
Writes provision report to /etc/ghostport/provision.json
Batch workflow: one reusable Tailscale auth key per batch (90-day, tag:ghostport)

Phase 5 — SSL & mDNS Polish

Customer-Friendly Access

mDNS — avahi-daemon advertises ghostport.local on port 4200. Customers type http://ghostport.local:4200 instead of IP addresses
Tailscale HTTPS — After enrollment, tailscale cert provides valid Let’s Encrypt certs for remote admin on port 4201
Cert priority — Server tries Tailscale certs first, falls back to self-signed. Cert source logged at startup
gp-deploy now auto-configures avahi service file and enables the daemon

Files Changed

File	Action	What
`ghostport-server.js`	Modified	Activation fixes, provisioned flag, auto-redirect, version API, cert priority, factory reset delegation
`scripts/gp-factory-reset`	New	Standalone factory reset with Tailscale preservation
`scripts/gp-reset-button`	New	GPIO 17 reset button daemon (10s/30s holds)
`scripts/gp-update`	New	OTA update mechanism with SHA-256 verification and auto-rollback
`scripts/gp-provision`	New	One-command manufacturing provisioning
`scripts/gp-deploy`	Modified	Version tracking, avahi/mDNS setup, new service enablement
`systemd/ghostport-reset.service`	New	GPIO reset button daemon service
`systemd/ghostport-update.service`	New	OTA update check oneshot
`systemd/ghostport-update.timer`	New	30-minute update check timer

Manufacturing Pipeline — Fully Wired

Both the Pi and EC2 fleet server are now end-to-end ready for Batch 1. Here’s the production workflow:

Golden image — Clone the dev Pi’s SD card as the base image for all 10 units
Per-unit provisioning — Flash card, boot, run gp-provision with Tailscale auth key + license key + fleet token
Automated smoke test — Provision script verifies dashboard, Tailscale, hostapd, Pi-hole, and nftables before writing pass/fail report
Customer unboxing — Power on → connect to “GhostPort Router” WiFi → ghostport.local:4200 → install.html → enter license key → get passcode + WiFi credentials → done
Day-2 operations — OTA updates via fleet API every 30 min, GPIO reset button for password recovery, factory reset preserves Tailscale for remote management

EC2 Fleet API — OTA + Provisioning Live

Server-side changes deployed by EC2 Claude in parallel:

Device checkin — Accepts current_version with semver comparison, only offers upgrades (no downgrades)
Update distribution — Drop a ghostport-X.Y.Z.tar.gz into the updates directory and all devices see it on next checkin
Provisioning token — Scoped role that can only register devices and check in — cannot access tenants, bridge, or admin endpoints
v0.1.0 baseline tarball — 20MB, SHA-256 verified, deployed and confirmed via gp-update check

Hardware: GPIO Reset Button

12mm low-profile momentary push button between GPIO 17 and GND. No external resistor needed (internal pull-up). Customer recovery without SSH access:

10-second hold — Passcode reset, new passcode written to recovery file
30-second hold — Full factory reset, preserves Tailscale enrollment for remote management

Round 14 — NIST Compliance Sprint — March 24, 2026

Full NIST Cybersecurity Framework compliance push • Centralized logging, IDS deployed, 10 compliance documents created • Score: 65 → 90/100

NIST SCORE

DOCS CREATED

TOOLS DEPLOYED

PAGES HARDENED

NIST Framework Scores

Function	Before	After	What Changed
Identify	8/10	10/10	Asset inventory, risk register (32 risks), data classification (3 tiers), dependency audit
Protect	7/10	9/10	CSRF tokens on all state-changing endpoints, CSP headers deployed (unsafe-inline still needed on main dashboard), unattended-upgrades, sudo hardening, security dev guide. Remaining: full CSP unsafe-inline removal, disk encryption
Detect	5/10	10/10	auditd (Pi+EC2), AIDE file integrity, centralized log shipping to EC2, psad port scan detection, rkhunter + chkrootkit rootkit scans, alert monitor with bridge notifications
Respond	6/10	10/10	6-scenario incident response playbook, communication plan with escalation matrix, alert monitoring every 10 minutes
Recover	5/10	8/10	Full restore runbook (EC2 + Pi), AMI snapshot, log retention (90 days). Remaining: S3 automated backups, golden SD image

CSP Hardening — JS Extraction (Secondary Pages)

File	What Changed	External JS Created
pwa.html	26 onclick handlers + inline script extracted	pwa-app.js
da.html	10 onclick/onkeydown handlers + inline script extracted	da-app.js
login.html	onsubmit + 2 inline script blocks extracted	login.js
install.html	Inline script block extracted	install.js

CSP header deployed: default-src 'self'; frame-ancestors 'none'; base-uri 'self'. Secondary pages (login, install, da, pwa) fully use external JS. Main dashboard still requires unsafe-inline — full extraction planned for future session.

Security Tooling Deployed

auditd — Pi: 24 rules (config access, privilege escalation, user changes). EC2: fleet-specific rules (Stripe keys, auth, WG configs)
AIDE — File integrity monitoring with 65MB baseline database, daily cron at 6am UTC
psad — Real-time port scan detection from nftables drop logs (DL1–DL5 threat levels)
rkhunter + chkrootkit — Weekly rootkit scans (Sunday 3am/4am UTC)
Centralized logging — Hourly cron ships ghostport journal, auditd, auth, AIDE, and fail2ban logs from Pi to EC2 ([log directory]). 90-day retention with auto-cleanup
Alert monitor — Every 10 minutes: checks fail2ban bans, auth failures, disk usage, service health, AIDE changes, auditd privilege escalation, psad port scans, rkhunter warnings. Alerts via Claude bridge

Compliance Documentation

Risk Register — 32 risks across 10 categories with likelihood/impact/mitigation
Data Classification — 3 tiers: Restricted (Stripe keys, WG keys), Internal (fleet database, configs), Public (blog, health endpoints)
Asset Inventory — All hardware, services, ports, and dependencies documented
Incident Response Plan — 6 scenario playbooks (breach, DDoS, key compromise, service outage, supply chain, data leak)
Communication Plan — Escalation paths and notification matrix
Restore Runbook — EC2 from AMI (30–60 min RTO), Pi from golden image (15 min) or git (45–90 min)
Security Dev Guide — Coding rules: input validation, secrets management, auth patterns, firewall rules, dependency management
Dependency Audit — npm: 0 vulnerabilities. pip: 1 low-risk (urllib3, system-managed, non-exploitable)

Infrastructure Improvements

demo.ghostporttechnologies.com — SSL certificate deployed, nginx server block configured
Google Fonts references removed from all HTML files (CSP compliance)
rp_filter=1 enabled on Pi (anti-spoofing)
logrotate configured for ghostport + auditd logs (90-day retention)
PermitRootLogin no on both Pi and EC2
unattended-upgrades enabled on Pi for automatic security patches

Round 13 — Investor Portal & Repo Sync — March 24, 2026

Investor page hardening, SEO schema, animation reliability, nftables repo sync • 5 issues found, 5 patched

PATCHED

CRITICAL

HIGH

MEDIUM

#	Severity	System	Bug	Fix
1	HIGH	Investor page	`noindex, nofollow` meta tag blocking all search engine indexing — invisible to Google	Changed to `index, follow` with canonical URL and keyword meta
2	MED	Investor page	No JSON-LD structured data — search engines can’t identify organization, products, or pricing	Added `@graph` schema: Organization, WebPage, Product (3 tiers with prices)
3	MED	Investor page	Revenue counters stuck at $0K on mobile — IntersectionObserver threshold (15%) too high for tall stacked panels	Lowered threshold to 5%, removed -50px rootMargin, added 4-second fallback timer
4	MED	nftables repo	All 5 nft profiles drifted from live — repo missing IPv6 drops, QUIC block, explicit port rules, DNS prerouting, drop logging	Synced all profiles: `common.nft`, `isp.nft`, `zerotrust.nft`, `doublehop.nft`, `zhop.nft`
5	MED	Investor page	IntersectionObserver used `rootMargin: '0px 0px -50px 0px'` clipping bottom of viewport — sections near page bottom never triggered	Removed negative rootMargin so full viewport is the trigger zone

Investor Portal Enhancements (This Session)

Interactive product screenshot gallery with click-to-swap (4 screenshots: dashboard, arsenal, Family Shield, login)
Full color theme picker with 7 preset colors + RGB rainbow breathing mode
Mobile hamburger nav with full-screen overlay
Financial projections recalculated: Y1 $118K, Y2 $386K, Y3 $782K at updated pricing ($275/$290/$345)
Problem section redesigned: hero stat (130M breaches), 2x2 card grid, stat strip
OG/Twitter Card meta tags for social sharing
Founder photo section with Marine squad photo
CTA updated: “Request the One-Pager” → invest@ghostporttechnologies.com

EC2 Claude Hardening Verification

Verified all 12 hardening patches from EC2 Claude’s March 24 session are active and running
Confirmed live nftables ruleset matches hardened common.nft (explicit port rules, drop logging)
Synced all 5 firewall profiles from /etc/gpmodes/ into /opt/ghostport/ repo
Bridge API confirmed operational over WireGuard tunnel (correctly not exposed via public nginx)

Round 12 — Full-Stack Hardening — March 24, 2026

Cross-platform audit covering Pi server, EC2 fleet API, nftables profiles, and sudo permissions. 12 vulnerabilities patched across both systems.

PATCHED

CRITICAL

HIGH

MEDIUM

#	Severity	System	Bug	Fix
1	CRIT	Pi — sudoers	Wildcard sudo on `sed -i `, `chmod `, `grep *` — any code exec as ghostport-admin = instant root	Restricted each command to specific file paths only
2	CRIT	EC2 — fleet API server	No Content-Length limit on POST bodies — memory exhaustion DoS	Added 1MB max body size with 413 rejection
3	HIGH	Pi — server.js	Passcode hash comparison used `!==` — timing side-channel attack	Replaced with `crypto.timingSafeEqual()` on login and change-passcode
4	HIGH	EC2 — fleet API server	Stripe webhook verification skipped when secret was empty — forged events accepted	Made fail-closed: reject all webhooks if secret not configured
5	HIGH	EC2 — fleet API server	No replay protection on Stripe webhook signatures — captured events replayable forever	Added 5-minute timestamp window check
6	HIGH	EC2 — UFW	SSH port 22 open to all IPs — brute-force surface from internet	Locked SSH to WireGuard subnet `[WG subnet]` only
7	MED	Pi — server.js	Firewall repair endpoint didn’t validate mode string before shell interpolation	Added whitelist validation `["isp","zerotrust","doublehop","zhop"]`
8	MED	Pi — server.js	Sessions kept alive indefinitely via sliding window — no absolute expiry	Added 7-day hard maximum session lifetime
9	MED	Pi — server.js	Lynis temp report file never cleaned up — `reportFile` out of scope in `finally`	Moved variable declaration to outer scope
10	MED	EC2 — fleet API server	Rate limiter never pruned stale IPs — memory leak over time	Background thread prunes expired entries every 5 minutes
11	MED	EC2 — fleet API server	Bridge messages table grows unbounded — no TTL on read messages	Daily pruning of read messages older than 7 days
12	MED	Pi — common.nft	Blanket `iifname accept` on LAN/Tailscale — all ports exposed to AP clients	Replaced with explicit port rules (53, 67, 80, 22, 4200–4202)

Infrastructure Hardening

EC2 disk expanded from 8GB to 14GB (was at 80% capacity)
SSL certificate monitor deployed — daily cron checks expiry + disk usage, alerts via bridge
Stripe API keys rotated after exposure in conversation logs
UptimeRobot monitoring on api.ghostporttechnologies.com/webhooks/health
AMI snapshot taken: [redacted]
EC2 kernel updated and rebooted cleanly
Claude-to-Claude bridge upgraded to ack-based reads — no more message loss on context compaction

Round 11 — March 23, 2026

3 parallel audit agents • 68 bugs found across server, frontend, firewall, and system scripts • Automated pipeline deployment

Critical (5)

#	File	Bug
158	CRIT server.js	/api/fleet/activate unauthenticated — attacker can set all credentials and take over device before legitimate activation
159	CRIT server.js	/api/fleet/activate race condition — concurrent requests both pass “already activated” check, overwriting credentials
160	CRIT gp-new	Hardcoded fleet API bearer token in plaintext — anyone with script read access can impersonate fleet registrations
161	CRIT gp-blog-deploy	StrictHostKeyChecking=no on SSH disables host key verification — enables MITM on deployment pipeline
162	CRIT gp-passcode	Command injection via AUTH_FILE path interpolated unescaped into python3/node eval strings

High (14)

#	File	Bug
163	HIGH server.js	Session sliding window resets 24h TTL on every request — sessions effectively never expire (7-day absolute limit only)
164	HIGH server.js	/api/auth/check and session middleware have divergent TTL behavior
165	HIGH server.js	CSP allows `unsafe-inline` for script-src and style-src — enables XSS through inline injection
166	HIGH server.js	HTTP port 4200 sends session cookies without Secure flag — cleartext over LAN
167–168	HIGH common.nft	Management chain accepts ALL traffic from LAN_IF/TS_IF at priority -100 — mode-specific input restrictions never evaluated
169–170	HIGH isp/zerotrust.nft	Forward chain policy is `accept` instead of `drop` — unmatched forwarded traffic passes through
171	HIGH zerotrust.nft	DoH block only covers 7 resolver IPs — hundreds of providers not blocked
172	HIGH doublehop.nft	No DNS leak protection in output chain — Pi can send cleartext DNS out eth0 bypassing WG tunnel
173	HIGH gp-mode	Rollback subshell race — may fork gp-mode before PID killed, causing concurrent nftables modifications
174	HIGH gp-mode	mktemp WireGuard config world-readable — briefly exposes WG private keys in /tmp
175	HIGH arsenal.js	Schedule delete onclick — escapeHtml doesn’t escape backslash, potential JS string breakout

Medium (27) & Low (22)

#	Sev	Category	Description
176	MED	Security	/api/tools/backup exposes WiFi passphrase to authenticated users
177	MED	RaceCondition	withArsenal mutex swallows errors, stale data in subsequent calls
178	MED	Validation	WireGuard PostUp/PostDown strip is case-insensitive but wg-quick is case-sensitive
179	MED	Security	/api/tools/restore accepts hostapd config with minimal validation
180	MED	Auth	Lockout by req.ip — NAT shared IP locks out all LAN users
181	MED	RaceCondition	Concurrent mode switch requests read same previousMode
182	MED	Security	/api/ticket sends unsanitized description to Discord webhook
183	MED	Firewall	No DoQ/DoH blocking to unlisted servers beyond 7 IPs
184–185	MED	DNS	gp-dns-upstream sed not idempotent; wildcard catches invalid modes silently
186–187	MED	Logic	gp-dns-switch references unbound (inactive); no root check
188	MED	RaceCondition	gp-mode has no mutex/lockfile for concurrent invocations
189	MED	Security	nftables backup world-readable in /tmp
190	MED	DNS	gp-dns-watchdog restarts wg-quick@wg0 conflicting with gp-mode manual setup
191	MED	Security	gp-blog-generate interpolates results into HTML without escaping
192–198	MED	Logic/UI	Toggle desync on rapid clicks, stacked arm timers, missing res.ok checks, no domain/WG validation, hardcoded Pi-hole status & DNS resolver label
199–202	MED	Security	Backup import no schema validation, logo leaks referrer (missing noreferrer), WiFi password in stdout
203–225	LOW	Various	SSL cert never reloaded, run() errors ignored, double-sanitized password, login attempt count leak, unlimited sessions/schedules, fsIpBlock fire-and-forget, IPv6 input unfiltered, rollback PID writable, QUIC self-traffic, passcode show/reset mismatch, blog round detection, password complexity, sed without sudo, innerHTML race, DNS alert placement, WiFi charset, window.close blocked, polling overlap, no ARIA/a11y, 401 redirect bug, hardcoded version

Round 10 — March 23, 2026

3 parallel audit agents • 82 bugs found across server, frontend, and system scripts • 21 patches applied

Critical (11)

#	File	Bug	Fix
92–100	CRIT arsenal.js	9 XSS vulnerabilities — `data.error`, `data.status`, and speed test values injected unsanitized into innerHTML across DNS Leak, Ping, IP Leak, Speed Test, System Update, Blocked Domains, and Security Scan results	All values wrapped in `escapeHtml()`
101	CRIT server.js	Hardcoded fleet token fallback — anyone reading source can register rogue devices	Removed fallback, fleet.json required
102	CRIT gp-mode	DoubleHop/ZHop applies nftables forward-drop before wg0 exists — connectivity blackout, full LAN outage if WireGuard fails	Reordered: `start_wg0` now runs before `apply_profile`

High (10)

#	File	Bug	Fix
103	HIGH server.js:90	Family Shield IP blocks silently fail to restore on startup — `FAMILY_SHIELD_IP_RANGES` const in temporal dead zone when called	Moved startup restore code after all const declarations
104	HIGH server.js	No CSRF protection on any POST endpoint	Noted for next round — requires token infrastructure
105	HIGH server.js	Backup endpoint exposes WiFi passphrase in plaintext JSON	Noted — add passphrase stripping
106	HIGH common.nft	SSH (port 22) open on ALL interfaces including WAN (eth0)	Restricted to `$LAN_IF` and `$TS_IF` only
107	HIGH gp-passcode	`show` command broken — auth.json stores hash+salt, not plaintext after reset	Noted — remove `show` or store encrypted copy
108	HIGH index.html	`esc()` doesn't escape single quotes — XSS risk in single-quoted onclick attributes	Added `.replace(/'/g,"'")`
109	HIGH arsenal.js	`escapeHtml()` same single-quote gap	Added `.replace(/'/g,"'")`
110	HIGH arsenal.js	Fetch wrapper 401 redirect can loop — `Request.toString()` returns `[object Request]`	Noted — fix URL check
111	HIGH index.html	Google Fonts privacy leak — dashboard phones home to Google on every load	Replaced with system fonts (`Courier New`, `Georgia`)
112	HIGH server.js	hostapd POST reads config without `sudo` — fails on root-owned files	Added `sudo cat` to match GET handler

Medium (27) & Low (14)

41 additional issues found across session handling (sliding TTL, 60s lockout, weak passcode policy), null pointer risks in arsenal.js (6 elements), DNS watchdog restarting wrong service in tunnel modes, common.nft priority override, incomplete DoH/DoT blocking, Family Shield race conditions, and various minor issues (duplicate CSS, hardcoded Mullvad DNS, missing aria labels).

DNS Watchdog — Now mode-aware: restarts WireGuard in doublehop/zhop, cloudflared in isp/zerotrust
gp-mode rollback — Fixed $0 path resolution: now uses full /usr/local/bin/gp-mode path
Pi-hole status — Hardcoded “UP” dot in UI never updates (noted)
Tailscale toggle — UI allows stopping Tailscale despite “never stop” safety rule (noted)
Reboot UX — No reconnection logic after reboot — shows “REBOOTING...” forever (noted)

Cumulative Security Posture

By Severity (All 10 Rounds)

Severity	Count	Examples
CRIT	22	Command injection via WireGuard config, DNS upstream timing, mutex deadlock, undeclared variable crash, XSS (setup flow, arsenal errors, speed test), flushTally crash-loop, hardcoded fleet token, doublehop ordering bug
HIGH	42	Arsenal race conditions, XSS across 5+ HTML files, IPv6 firewall bypass, mode string injection, DoS via speedtest, DHCP hostname XSS, SSH exposed on WAN, IP block startup failure, Google Fonts privacy leak, single-quote escape gap
MED	59	Error info leaks, trust proxy spoofing, session TTL, factory reset incomplete, webhook injection, DNS test rate limit, Pi-hole v6 API format, toggle race conditions, DNS watchdog mode-unaware, null pointer risks
LOW	22	Temp file cleanup, trailing slash 404s, ISP IP cache staleness, hardcoded CSS colors, shell quoting, duplicate CSS, missing aria labels, hardcoded Mullvad DNS

By Category (All 10 Rounds)

Category	Count	Examples
Cross-Site Scripting (XSS)	28	Log output, diagnostics, scan results, hostname, setup summary, device info, QA checklist, arsenal error responses (9), single-quote escape gaps (2)
Information Disclosure	20	Error message leaks (15), webhook URL exposure, hardcoded fleet token, WiFi passphrase in backups, Google Fonts privacy leak, internal path leaks
Race Conditions	11	Arsenal mutex, restore serialization, schedule ID collision, mutex deadlock fix, Family Shield toggle race, activation TOCTOU
Firewall / Network Bypass	11	IPv6 tunnel leak, kill switch HTTPS port, DNS prerouting, SSH on WAN, doublehop ordering, incomplete DoH/DoT blocking
Command / Shell Injection	8	WireGuard PostUp, sed injection, shell interpolation quoting, mode string injection
Input Validation	10	Mode whitelist, SSID control chars, parseInt NaN fallback, ticket sanitization, weak passcode policy, boolean type coercion
Symlink / Temp File	7	Predictable `/tmp/gp-*` names → `crypto.randomBytes`, WG key in temp file
Resource Exhaustion	5	Speedtest rate limit, DNS test throttle, session pruning, Lynis lock recovery, no rate limit on auth endpoints
Startup / Boot	4	IP block TDZ failure, DNS watchdog mode-unaware, rollback path resolution, boot service ordering
Crash / Syntax Error	1	Duplicate try{} block in flushTally() causing SyntaxError crash-loop (162 restarts)

Files Modified

File	Patches	Description
`ghostport-server.js`	66	Express API server + Family Shield endpoints + IP blocking + auth hardening
`public/index.html`	12	Main frontend SPA + Family Shield UI + system fonts
`public/arsenal.js`	20	Security tools module + XSS fixes
`public/pwa.html`	3	PWA onboarding
`public/da.html`	5	Device admin panel
`public/sw.js`	1	Service worker rewrite
`gp-mode`	7	Mode switching + doublehop ordering fix + rollback path fix
`gp-mode-boot`	1	Boot restore script
`gp-dns-upstream`	2	DNS upstream switcher
`gp-dns-watchdog`	—	Mode-aware DNS watchdog cron (new)
`isp.nft`	1	ISP firewall profile
`zerotrust.nft`	1	ZeroTrust firewall profile
`common.nft`	3	Shared firewall rules + SSH WAN restriction + LAN port lockdown
`gp-heartbeat`	—	Fleet heartbeat agent (new)
`gp-new`	—	Fleet registration script (updated)
`public/install.html`	—	Customer activation page (new)
`gp-fs-ipblock`	—	Family Shield IP blocker (new, integrated into server)
`fleet API server`	5	EC2 fleet API — body limits, Stripe hardening, rate limiter, bridge pruning
`010_ghostport-hardened`	1	Sudoers — wildcard commands replaced with specific paths

New Feature — Family Shield (March 22, 2026)

🛡 Parental Controls with DNS + IP Blocking

Family Shield is a dual-layer parental control system that combines Pi-hole DNS filtering with nftables IP-range firewall rules. DNS blocking alone can’t stop apps like TikTok that use CDN fallbacks and hardcoded IPs — so we added firewall rules that block entire ASN-owned IP ranges at the packet level.

5 Categories — Adult Content, Gambling, Meta Apps (FB/IG/WhatsApp), TikTok, X (formerly Twitter)
DNS Blocking — Pi-hole v6 group-based filtering with 22,459+ domain blocklists per category
IP-Range Blocking — nftables sets blocking ByteDance (13 CIDR ranges), Meta (16 ranges), and X/Twitter (6 ranges) at the packet level
Per-Device Shielding — Shield specific devices without blocking yourself. DISCOVER button scans for connected clients
Master Toggle — One switch enables/disables all parental controls. Category toggles for granular control
Persistent Config — Settings saved to /etc/ghostport/family-shield.json, IP blocks restored on server restart

Family Shield — Bugs Fixed During Development

#	Severity	Component	Bug	Fix
85	HIGH	Server	Pi-hole v6 `_suggestions` API returns array format, not object — device discovery and shielding broken	Rewrote parsing for `{clients: [{addresses, names}]}` format in 3 endpoints
86	HIGH	Server	Pi-hole v6 lists API requires `?type=block` as query parameter, not in JSON body	Added query parameter to all POST/PUT list endpoint URLs
87	MED	Frontend	Toggle race condition — `load()` polling overwrites toggle state during API calls	Added `fs.busy` flag, `load()` skips when busy
88	MED	Config	`family-shield.json` owned by root, server runs as ghostport-admin	Fixed ownership with `chown ghostport-admin:ghostport-admin`
89	MED	Pi-hole	Session exhaustion — default max 16 sessions burned by debug restarts	Bumped to 64 via `pihole-FTL --config webserver.api.max_sessions 64`
90	HIGH	Pi-hole	Gravity database corruption from repeated FTL restarts — tables missing	Rebuilt gravity.db from scratch, re-added blocklists and groups
91	MED	Blocking	TikTok DNS blocking ineffective — app uses Akamai CDN fallbacks	Added nftables IP-range blocking for ByteDance ASN ranges

Phase 2 — Fleet Integration (March 21, 2026)

Heartbeat Agent (gp-heartbeat)

Systemd timer-driven agent that checks in with the EC2 fleet server every 5 minutes. Each heartbeat sends the device’s firmware version, uptime, and current mode. The fleet server responds with subscription status and any pending commands (e.g., mode change, config update).

5-minute cadence — systemd timer triggers gp-heartbeat script on a reliable interval
Payload — firmware version, system uptime, current firewall mode, device serial
Response — subscription tier + expiry, pending remote commands, firmware update availability

Install Page (/install)

Customer-facing dark-themed activation page served at /install. Users enter their license key to activate the device. The page auto-provisions the router without requiring prior authentication.

Dark-themed UI — matches the GhostPort Command Deck aesthetic
License key input — validates format client-side, submits to fleet activation endpoint
Auto-provisioning — on success, generates credentials and completes device setup

/api/fleet/activate Endpoint

No-auth device setup endpoint. Accepts a license key, registers the device with the fleet server, and returns freshly generated credentials for the customer.

No authentication required — designed for first-boot activation before any passcode exists
Auto-generates — dashboard passcode, WiFi AP password, and Pi-hole admin password
Fleet registration — sends device serial + license key to EC2 fleet API, receives subscription tier

gp-new --auto

Non-interactive factory provisioning mode for the gp-new registration script. Enables headless device setup during manufacturing or bulk deployment without manual prompts.

Non-interactive — all prompts bypassed with sane defaults or pre-configured values
Factory use case — flash, boot, auto-register, ship

Stripe Subscription Integration

Three-tier subscription model with webhook-driven license management. Stripe events flow to the EC2 fleet server, which updates each device’s subscription status. The Pi’s heartbeat agent picks up changes on its next check-in.

Basic — $5/mo — Core privacy routing, ISP + ZeroTrust modes
Phantom Guardian — $10/mo — All modes including DoubleHop VPN, kill switch, MAC randomization
Unholy Covenant — $15/mo — Full feature set: ZHop, scheduled mode switching, priority support

EC2 Fleet API Pipeline

End-to-end subscription lifecycle: Stripe webhook fires on payment events → EC2 fleet server updates the device record → Pi heartbeat picks up the new subscription status on next 5-minute check-in.

Stripe → Fleet — Webhook receiver on EC2 validates Stripe signatures, maps customer to device
Fleet → Pi — Heartbeat response includes updated subscription tier, expiry, and feature flags
Grace period — failed payments trigger a grace window before feature downgrade

New Feature — Theme Color Engine

🎨 Infinite Color Picker + RGB Breathing Mode

The GhostPort Command Deck now supports full UI color customization. Every element — accents, backgrounds, borders, text, glows — adapts to your chosen color in real time.

8 Preset Swatches — Green (default), Purple, Blue, Red, White, Cyan, Amber, and Gunmetal. One-click to apply.
Custom Color Picker — Pick literally any color. The entire UI derives backgrounds, borders, text, and glow values from your chosen hue using a real-time HSL engine.
RGB Breathing Mode — Smooth, continuous hue rotation powered by requestAnimationFrame. A sine-wave brightness pulse creates a living, breathing effect. Full spectrum rotation every ~6.5 seconds at 30fps.
Achromatic Support — Grey, white, and black colors are handled correctly. The engine passes saturation through to prevent unwanted red tinting on neutral colors.
Persistence — Your choice saves to localStorage and applies across both the login screen and dashboard. Survives page reloads and browser restarts.
Login Screen Sync — The authentication page matches your chosen theme, including RGB breathing mode. First impression matches the rest of the UI.
Migration — Users with older named theme values in localStorage are automatically migrated to the new hex-based system.

Round 7 — March 21, 2026

Script: fix-bugs-round7.py • 18 patches across 4 categories

#	Severity	File	Bug	Fix
66–80	MED	ghostport-server.js	15 endpoints exposed raw `e.message` in error responses. Child process errors could leak filesystem paths, command names, or internal system details to authenticated clients	All error responses now return generic messages ("Operation failed", "Mode switch failed", etc.). Full details logged server-side with `console.error()`
81	HIGH	ghostport-server.js	DHCP lease hostname from dnsmasq not HTML-escaped in `/api/arsenal/clients` response. A device with `<script>` in its hostname could inject into the client list UI	Wrapped hostname in `escapeHtml()`
82	MED	ghostport-server.js	`POST /api/arsenal/dnstest` had no rate limiting. Could be spammed to flood external DNS lookups and `ifconfig.me` requests, causing resource exhaustion	Added 30-second cooldown (same pattern as speedtest's 2-minute throttle)
83	HIGH	ghostport-server.js	Restore endpoint wrote directly to `/etc/ghostport/arsenal.json` without the `withArsenal()` mutex. Concurrent arsenal operations (toggle, schedule add) could corrupt the config file	Wrapped in `await withArsenal()` to serialize writes

Bug Fix — March 21, 2026 (Server Crash-Loop)

Post-Round 7 hotfix • Server crash-loop recovery

#	Severity	File	Bug	Fix
84	CRIT	ghostport-server.js	Duplicate `try{}` block in `flushTally()` from a prior round patch caused a `SyntaxError` on startup — server entered a crash-loop with 162 restarts before detection	Collapsed duplicate try blocks into a single `try/catch/finally` structure

Round 6 — March 21, 2026

Script: fix-bugs-round6.py • 9 patches across server & firewall

#	Severity	File	Bug	Fix
57	HIGH	ghostport-server.js	Schedule deletion endpoint had copy-pasted `finally` block from Lynis scanner — resetting unrelated `lynisScanRunning` flag and returning wrong error message ("Security scan failed")	Removed wrong `finally` block, fixed error message to "Failed to delete schedule"
58	HIGH	ghostport-server.js	6 locations used predictable temp file names in `/tmp/` (e.g. `/tmp/gp-hostapd.conf`) — symlink attack vector on world-writable directory	Added `gpTmpFile()` helper using `crypto.randomBytes(8)` for unique names. Applied to hostapd, WireGuard, restore, MAC randomization, and schedule writes
59	MED	ghostport-server.js	Restore endpoint exposed `e.message` in error response — could leak filesystem paths or command output	Replaced with generic "Config restore failed" message, logs details server-side
60	MED	ghostport-server.js	DNS leak check used `curl -4` (IPv4 only) — wouldn't detect IPv6 DNS leaks	Switched to dual-stack `curl -s` to catch both v4 and v6 leak types
61	LOW	ghostport-server.js	Gateway and speedtest ping commands passed IPs without shell quoting	Added single-quote wrapping around interpolated IP variables for defense-in-depth
62	MED	ghostport-server.js	Restore endpoint used `systemctl restart wg-quick@wg0` but gp-mode manages wg0 directly via `ip`/`wg` commands — service conflicts with existing interface	Replaced with `gp-mode` reapply for consistency with how WireGuard is actually managed
63	MED	ghostport-server.js	Kill switch nftables rules only allowed port 4200 (HTTP dashboard) but not 4201 (HTTPS) — would lose dashboard access over HTTPS during kill switch activation	Added port 4201 to kill switch accept rules
64	LOW	public/index.html	Three CSS classes (`.mode-desc`, `.log-msg.info`, `.arsenal-desc`) used hardcoded green hex values that didn't respond to theme color switching	Replaced `#6a9a6a` and `#5a8a5a` with `var(--text-dim)`
65	LOW	common.nft	Ports 80 and 443 had accept rules open to all interfaces — redundant since policy is `accept` but misleading	Already cleaned up (found pre-fixed during verification)

Round 5b — March 19, 2026

Script: fix-bugs-round5b.py • 9 bugs across 5 files • Deep audit of previously unaudited files

#	Severity	File	Bug	Fix
49	CRIT	public/pwa.html	XSS in setup summary — user-supplied name and email interpolated into innerHTML unescaped	Added `esc()` helper, escaped name, serial, and email fields
50	CRIT	public/pwa.html	XSS in log rendering — `l.msg` inserted into innerHTML without escaping	Wrapped in `esc()`
51	HIGH	public/da.html	XSS in QA error handler — `e.message` rendered as raw HTML	Added `esc()` helper, escaped error message
52	HIGH	public/da.html	XSS in log entries — `l.message` and `l.timestamp` unescaped	Escaped both fields
53	HIGH	public/da.html	XSS in device info — all API-sourced device fields rendered as raw HTML	Escaped labels and values
54	HIGH	public/da.html	XSS in QA checklist — `c.name` and `c.detail` unescaped in innerHTML	Escaped both fields
55	HIGH	isp.nft	Missing IPv6 drop in forward chain — clients can bypass routing via IPv6 tunnels	Added `meta nfproto ipv6 counter drop` to forward chain
56	HIGH	zerotrust.nft	Missing IPv6 drop in forward chain — DNS lock bypass via IPv6	Added `meta nfproto ipv6 counter drop` to forward chain
56b	MED	gp-dns-upstream	Silent failures — no error reporting if config file missing or sed replacement fails	Added file existence check and post-sed verification with error output

Round 5 — March 18, 2026

Script: fix-bugs-round5.py • 7 bugs, 10 patches

#	Severity	File	Bug	Fix
42	CRIT	ghostport-server.js	`ispIpCacheTime` used but never declared — DNS leak monitor crashes with ReferenceError on first run	Added `let ispIpCacheTime = 0` declaration
43	HIGH	ghostport-server.js	No rate limit on `/api/tools/speedtest` — DoS vector via repeated 60-120 second system commands	Added 2-minute cooldown between speed tests
44	HIGH	ghostport-server.js	Lynis scan flag `lynisScanRunning` not reset on exception — one crash permanently locks scanning	Moved reset to `finally` block
45	MED	ghostport-server.js	Trouble ticket description/contact accept newlines — webhook message injection	Strip `\r\n`, cap description at 500 chars, contact at 100
46	MED	ghostport-server.js	Error responses leak internal paths, stderr, and webhook URLs	Sanitized all error messages to generic strings
47	LOW	ghostport-server.js	`/login/` with trailing slash returns 404	Changed route to regex: `/^\/login\/?$/`
48	LOW	ghostport-server.js	`/install/` with trailing slash returns 404	Changed route to regex: `/^\/install\/?$/`

Round 4 — March 18, 2026

Script: fix-bugs-round4.py • 9 bugs, 12 patches

#	Severity	File	Bug	Fix
32	CRIT	ghostport-server.js	`withArsenal()` mutex deadlock — thrown error breaks promise chain permanently, all future Arsenal operations hang	Error handler catches and logs without re-throwing — chain stays alive
33	HIGH	ghostport-server.js	`stopKillSwitch()` reads mode from file and passes to `exec()` without validation — command injection via compromised modefile	Added whitelist validation before execution
34	HIGH	ghostport-server.js	`startKillSwitch()` recovery path same issue	Added whitelist validation
35	HIGH	ghostport-server.js	WireGuard stats: `parseInt(rx \|\| 0)` returns NaN on corrupted data; no array bounds check on tab-split output	Added `parseInt(x, 10) \|\| 0` fallback and `filter(line => parts.length >= 7)`
36	MED	ghostport-server.js	Restore endpoint: `fs.unlinkSync(tmpWg)` crashes on permission error	Wrapped in try-catch
37	MED	ghostport-server.js	Restore endpoint: `fs.unlinkSync(tmpHap)` same issue	Wrapped in try-catch
38	MED	ghostport-server.js	Kill switch: concurrent toggle + monitor causes state mismatch if interval becomes stale	Clears stale interval before starting new one
39	MED	ghostport-server.js	Schedule ID collision — `Date.now().toString(36)` same millisecond = same ID	Appended 4 random hex chars via `crypto.randomBytes(2)`
40	MED	ghostport-server.js	Session TTL fixed at 24h — active user kicked at expiry even during use	Sliding window: `session.created = Date.now()` on each valid request
41	LOW	ghostport-server.js	ISP IP cache never expires — DNS leak detection uses stale data if ISP changes	Added 1-hour cache expiry with `ispIpCacheTime` timestamp

Round 3 — March 18, 2026

Script: fix-bugs-round3.py • 6 bugs, 6 patches

#	Severity	File	Bug	Fix
26	HIGH	ghostport-server.js	Schedule add uses raw `readArsenal/writeArsenal` — race condition with other Arsenal ops	Wrapped in `withArsenal()` mutex
27	HIGH	ghostport-server.js	Schedule delete uses raw `readArsenal/writeArsenal`	Wrapped in `withArsenal()` mutex
28	LOW	ghostport-server.js	Temp file `/tmp/gp-sched-line` never cleaned up after cron creation	Added `fs.unlinkSync` after `tee`
29	MED	ghostport-server.js	Factory reset incomplete — doesn't clear ads tally, cron schedules, or temp files	Added cleanup for `ads-tally.json`, `ghostport-schedules`, and temp files
30	HIGH	gp-mode-boot	No fallback if saved mode fails on boot — device stuck with broken firewall	Added 30-second timeout + automatic ISP fallback on failure
31	MED	ghostport-server.js	`req.ip` spoofable via X-Forwarded-For header	Set `app.set("trust proxy", false)`

Round 2 — March 18, 2026

Scripts: fix-bugs-round2.py, fix-ads-tally.py, fix-pwa-sw.py, fix-install-route.py • XSS, session, and feature fixes

#	Severity	File	Bug	Fix
19	HIGH	public/index.html	Log function XSS — `msg` inserted into innerHTML without escaping	Added HTML entity escaping before interpolation
20	HIGH	public/index.html	Diagnostics output XSS — `c.name`, `c.detail`, `c.fix` unescaped in innerHTML	Added `esc()` helper function, escaped all diagnostic fields
21	HIGH	public/arsenal.js	Security scan output XSS — warning/suggestion `id`, `message`, `fix` unescaped	Wrapped all fields in `escapeHtml()`
22	MED	ghostport-server.js	Ads tally file not created on startup — privacy-preserving counter fails	Created `/etc/ghostport/ads-tally.json` with correct ownership
23	MED	ghostport-server.js	Sessions never pruned — memory leak over time	Added pruning interval every 10 minutes, removes expired sessions
24	MED	public/sw.js	Service worker was self-destruct script — PWA not installable	Replaced with minimal network-only SW with fetch handler for Chrome installability
25	LOW	ghostport-server.js	No public route for install page	Added `/install.html`, `/install`, and `/qr` routes before auth middleware

Round 1 — March 18, 2026

Script: fix-bugs-march18.py • 13 patches applied

#	Severity	File	Bug	Fix
13	CRIT	gp-mode	DNS upstream called inside `apply_profile()` before modefile update — wrong DNS server applied	Moved to post-modefile write for all 4 modes
14	HIGH	ghostport-server.js	Kill switch toggle uses raw `readArsenal/writeArsenal` — race condition	Wrapped in `withArsenal()` mutex
15	HIGH	ghostport-server.js	MAC randomization toggle uses raw `readArsenal/writeArsenal`	Wrapped in `withArsenal()` mutex
16	HIGH	ghostport-server.js	QUIC block toggle uses raw `readArsenal/writeArsenal`	Wrapped in `withArsenal()` mutex
17	MED	ghostport-server.js	Hostapd config read via `sudo cat` shell command	Changed to `fs.readFileSync` with graceful fallback
18	MED	ghostport-server.js	Backup version missing from export metadata	Added `version: "1.0"` to backup JSON

Pre-Audit Fixes — March 17, 2026

Scripts: fix-permissions.py, fix-restore-btn.py, fix-security-bugs.py, fix-round2.py, fix-mode-and-nft.sh, fix-dns-upstream.py, fix-pihole-cmd.py, fix-arsenal-race.py, fix-install-banner.py

#	Severity	File	Bug	Fix
1	MED	public/index.html	Restore button missing from repair panel	Added backup restore UI button
2	HIGH	ghostport-server.js	File permissions too open on config files	Enforced 0600 on auth.json, pihole.json, arsenal.json
3	CRIT	ghostport-server.js	WireGuard config accepts PostUp/PostDown directives — arbitrary root command execution	Strip dangerous directives (PostUp, PostDown, PreUp, PreDown, SaveConfig) on upload
4	HIGH	ghostport-server.js	Hostapd SSID/password not validated — newline injection into config file	Added regex validation for SSID (1-32 chars, no newlines) and password (8-63 printable ASCII)
5	HIGH	ghostport-server.js	Schedule deletion command injection via unsanitized ID in sed command	Added regex validation: schedule IDs must match `/^[a-z0-9]+$/`
6	HIGH	ghostport-server.js	Missing input validation on mode switch — arbitrary string passed to shell	Whitelist validation: mode must be one of isp, zerotrust, doublehop, zhop
7	MED	ghostport-server.js	Hostapd config read via shell `cat` — unnecessary shell invocation	Switched to `fs.readFileSync` with sudo fallback
8	CRIT	gp-mode / nftables	DNS leak monitor nftables rules used invalid mixed tcp/udp syntax	Split into separate accept+drop rules matching kill switch pattern
9	CRIT	gp-mode / gp-dns-upstream	DNS upstream switch called before mode file update — reads OLD mode, applies wrong DNS	Moved `gp-dns-upstream` call to after modefile write in every mode case
10	MED	ghostport-server.js	Pi-hole API called via deprecated CLI syntax	Updated to Pi-hole v6 REST API
11	HIGH	ghostport-server.js	Arsenal config race condition — concurrent read-modify-write on kill switch, MAC, QUIC toggles	Introduced `withArsenal(fn)` mutex pattern for atomic operations
12	MED	ghostport-server.js	Arsenal.json not created on first boot — all toggles fail with ENOENT	Added default file creation with correct ownership on startup

Compliance Posture — March 24, 2026

Full-stack compliance audit covering PCI DSS, NIST Cybersecurity Framework, CIS Benchmarks, OWASP Top 10, and SOC 2 readiness. Assessed across both the GhostPort Pi router and EC2 fleet infrastructure.

90%

OWASP TOP 10

85%

NIST CSF

SAQ-A

PCI DSS

55%

SOC 2

PCI DSS — SAQ-A Compliant

Stripe Checkout handles all card data — GhostPort never touches PAN numbers. Webhook signatures verified with fail-closed + replay protection. Stripe keys stored mode 600, rotated successfully.

Requirement	Status
No card data storage/processing	PASS
TLS on payment pages	PASS
Webhook signature verification	PASS
Access control to Stripe keys	PASS
Key rotation capability	PASS
Payment event logging	PASS

NIST Cybersecurity Framework — 65/100

Function	Score	Strong	Gaps
Identify	10/10	Asset inventory, threat assessment, risk register, data classification, asset inventory	All complete
Protect	9/10	Firewalls, auth, CSRF tokens, sessions, sudo lockdown, encrypted tunnels, AIDE, unattended-upgrades	Disk encryption pending (LUKS + EBS)
Detect	8/10	fail2ban, UptimeRobot, cert monitor, Lynis, auditd (Pi+EC2), AIDE, alert monitor, nft drop logging	Centralized logging + IDS pending
Respond	10/10	AMI snapshot, mode rollback, bridge alerts, IR playbook, alerting pipeline, communication plan, 90-day log retention	All complete
Recover	8/10	AMI snapshot, configs in git, restore runbook, failover documentation	S3 automated backups + golden image pending

CIS Benchmarks — System Hardening

Control	Pi	EC2
SSH key-only authentication	PASS	PASS
fail2ban active	PASS	PASS
AppArmor loaded	LOADED	PASS (130 profiles)
Automatic security updates	PASS	PASS
Disk encryption at rest	FAIL	FAIL
File integrity monitoring (AIDE)	PASS (65MB DB)	PLANNED
Audit daemon (auditd)	PASS (24 rules)	PASS (12 rules)
ICMP redirects disabled	PASS	PASS
ASLR enabled	PASS	PASS
Reverse path filtering	PASS (rp_filter=1)	PASS
Application log rotation	PASS (90-day)	PASS (90-day)

OWASP Top 10 — 80%

Risk	Status	Notes
A01: Broken Access Control	PASS	Tenant scoping, admin checks, auth middleware
A02: Cryptographic Failures	PASS	scrypt hashing, timingSafeEqual, TLS
A03: Injection	PASS	WG config sanitization, mode whitelists, input validation
A04: Insecure Design	PASS	CSRF tokens deployed, activation rate-limited
A05: Security Misconfiguration	PASS	CSP headers present (unsafe-inline remaining)
A06: Vulnerable Components	UNKNOWN	No dependency scanning or SBOMs
A07: Auth Failures	PASS	Rate limiting, lockout, session expiry
A08: Data Integrity Failures	PASS	Stripe signature verification, config hashing
A09: Logging & Monitoring	PASS	auditd + AIDE + alert monitor + 90-day retention
A10: SSRF	PASS	No user-controlled outbound requests

SOC 2 Readiness — 40%

Not yet required at current stage, but gaps identified for future enterprise readiness:

Criteria	Status	Gap
Access Control	PARTIAL	No MFA, no access reviews
Change Management	PARTIAL	Git repo exists, no PR reviews or staging env
Monitoring	PARTIAL	UptimeRobot + auditd + AIDE + alert monitor (centralized logging pending)
Encryption at Rest	FAIL	Neither Pi SD card nor EC2 EBS encrypted
Incident Response	PASS	IR playbook with 6 scenarios, escalation plan, communication matrix
Business Continuity	FAIL	Single EC2, no failover, no tested DR plan
Evidence Collection	PASS	auditd (Pi+EC2), AIDE, 90-day log retention

Hardening Roadmap

Tier 1 — Immediate (30 minutes)

Enable unattended-upgrades on Pi — auto-install security patches
Set PermitRootLogin no explicitly in sshd_config
Enable rp_filter = 1 — prevent IP spoofing on LAN
Add logrotate for ghostport services
Enable EBS encryption on next EC2 AMI

Tier 2 — This Month

Automated S3 backups — fleet DB, configs, certs
~~Install auditd on both systems~~ — Done
~~CSRF tokens on state-changing endpoints~~ — Done
Remove CSP unsafe-inline
~~Write incident response playbook~~ — Done — 6 scenario runbooks
~~Dependency audit~~ — Done — npm clean, pip CVEs documented (OS-managed, auto-patched)

Tier 3 — Before Enterprise Sales

SOC 2 Type I readiness assessment
SIEM / centralized logging
File integrity monitoring (AIDE or OSSEC)
Third-party penetration test
Privacy policy + terms of service (legal review)
SD card encryption (LUKS) for customer devices

What’s Next

~~Fleet Activation~~ — Shipped in Phase 2
~~Stripe Integration~~ — Shipped in Phase 2
~~Heartbeat Agent~~ — Shipped in Phase 2
~~Family Shield~~ — Shipped March 22 — DNS + IP blocking parental controls
~~SSH WAN Hardening~~ — Fixed March 23 — SSH restricted to LAN + Tailscale
~~Google Fonts Removal~~ — Fixed March 23 — Self-hosted system fonts, no external requests
~~Timing-Safe Auth~~ — Fixed March 24 — crypto.timingSafeEqual on passcode comparison
~~Session Hard Expiry~~ — Fixed March 24 — 7-day absolute max
~~Sudo Privilege Lockdown~~ — Fixed March 24 — Wildcards replaced with specific paths
~~Firewall LAN Hardening~~ — Fixed March 24 — Blanket accept replaced with port rules
~~EC2 SSH Lockdown~~ — Fixed March 24 — WireGuard tunnel only
~~Stripe Webhook Hardening~~ — Fixed March 24 — Fail-closed + replay protection
~~Investor Portal SEO~~ — Fixed March 24 — JSON-LD schema, canonical URL, search indexing enabled
~~nftables Repo Sync~~ — Fixed March 24 — All 5 firewall profiles synced with hardened live versions
~~CSRF Protection~~ — Deployed March 24 — X-CSRF-Token header on all state-changing requests
~~Firmware OTA Updates~~ — Shipped March 25 — Heartbeat-driven distribution + SHA-256 verify + auto-rollback
~~Manufacturing Provisioning~~ — Shipped March 25 — Provisioner token, auto WG key assignment
~~HMAC Command Signing~~ — Deployed March 30 — Per-device cryptographic signatures on all fleet commands
~~TOTP 2FA~~ — Deployed March 28 — QR setup, 8 backup codes, resync, fleet reset
~~Moltbook Auto-Poster~~ — Deployed March 25 — 2 posts/day + engagement via Claude API
~~Affiliate Program~~ — Deployed March 25 — SPA + API, click tracking, $20/sale commission
~~NIST CSF Level 1 Compliance~~ — Achieved March 30 — 22-point audit closed, 110 NIST controls mapped
~~Ukrainian Privacy Tool~~ — Deployed March 28 — Wartime threat model, ISP-specific scoring
~~auditd + AIDE~~ — Deployed March 24 — 24 Pi rules, 12 EC2 rules, 65MB AIDE database
~~Mobile PWA~~ — Deployed March 28 — Service worker, cache-first, offline fallback, bottom nav, onboarding
~~WPA3 Encryption~~ — Deployed March 28 — SAE transition mode on hostapd
~~IPv6 Disabled~~ — Deployed March 28 — Kernel-level sysctl, no leak surface
~~Centralized Logging~~ — Deployed March 28 — Hourly Pi log shipping to EC2 via WireGuard
~~NIST CSF 90/100~~ — Achieved March 28 — 10/10 Identify, Detect, Respond; 9/10 Protect; 8/10 Recover
~~AI Bridge Security Suite~~ — Deployed March 31 — HMAC signing, AES encryption, replay protection, injection detection, control tag filtering
~~Claude Code Hardening~~ — Deployed March 31 — File permissions 600, auditd monitoring, source-leak-aware defenses
CSP Headers — Remove unsafe-inline from main dashboard (secondary pages done)
Automated S3 Backups — Offsite backup to S3 (needs IAM role)
SD Card Encryption — LUKS on customer devices