Compare commits

192 Commits

Author SHA1 Message Date
262abc8fe7 post: commit e8778da in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 13s
2026-04-24 23:00:23 +02:00
cfee8ae97a post: commit 760c08d in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-24 22:38:10 +02:00
Betty
6ba4f34c68 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-24 22:36:06 +02:00
eaf58058f5 post: commit fad9bc3 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-24 22:36:03 +02:00
Betty
33b36393c1 post: push 11 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-24 22:34:17 +02:00
1340621b18 post: commit 4aba669 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-24 22:34:13 +02:00
6bf4bf67e3 post: commit eb9a1ee in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-17 13:37:35 +02:00
521bbe44ea post: commit 1c2ee83 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-17 13:35:02 +02:00
3e5b630489 post: commit 047a7a8 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-17 13:23:31 +02:00
f267cc13bd post: commit 4adce3e in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-17 13:20:31 +02:00
0c0b36eefa post: commit cf02179 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-17 13:20:21 +02:00
7be4c71ef6 post: commit 9e5b612 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-17 13:20:16 +02:00
bcc332d720 post: commit 081acdb in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-17 13:20:12 +02:00
7496deadea post: commit b9abb6d in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-17 13:20:09 +02:00
f20ff46c3d post: commit 13e2bf9 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-17 13:20:05 +02:00
262e3f8f46 post: commit 4e1f103 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-17 13:19:59 +02:00
84ae43a413 post: commit 37b5b4b in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-16 17:36:15 +02:00
5bbd2358f3 post: commit 901f0d3 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-16 17:27:37 +02:00
4c89bc8312 post: commit 497faba in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-16 14:23:17 +02:00
5e960b7fcd post: commit 6d98c32 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-16 13:46:19 +02:00
Betty
b95d553e6c post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-16 10:21:08 +02:00
6fc7a877d2 post: commit 93d5ceb in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-16 10:21:06 +02:00
1504ef361f post: commit 091a227 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-16 10:16:50 +02:00
Betty
fd96b347f2 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-16 10:08:42 +02:00
d3b9be5f7a post: commit 907b0c3 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-16 10:08:38 +02:00
Betty
16ae10287e post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-04-15 23:00:18 +02:00
5c4f867167 post: commit 4fa26f4 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-15 23:00:10 +02:00
Betty
cb7b97b11d post: commit e2761e1 in bojemoi_boot
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-09 22:29:02 +02:00
Betty
48b74cde3e post: commit 1e20eb6 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-09 22:19:58 +02:00
Betty
43ef400071 post: commit 1f2d521 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-09 22:01:02 +02:00
Betty
d145790595 post: push 2 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-09 21:55:48 +02:00
Betty
74a34f72a8 post: commit 0699664 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-09 21:55:45 +02:00
Betty
507ccc4cd8 post: commit 10af16e in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-09 21:55:36 +02:00
Betty
3fb120b7b1 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-09 16:54:56 +02:00
Betty
9cf9bbe3fd post: commit 7eedf64 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-09 16:54:52 +02:00
Betty
4e7e704bbc post: push 2 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-09 16:22:52 +02:00
Betty
7b2492cc0c post: commit 0e0519a in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-09 16:22:47 +02:00
Betty
99b692979d post: commit 440a412 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-04-05 22:08:34 +02:00
Betty
b550111526 post: push 2 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-04-05 00:49:11 +02:00
Betty
e599d026af post: commit 24c1a17 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-04-05 00:48:15 +02:00
Betty
dcf5143806 post: commit 454674c in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-04-05 00:34:19 +02:00
Betty
6004b237eb post: push 2 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-05 00:13:03 +02:00
Betty
2fef729d93 post: commit 002f809 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-05 00:12:45 +02:00
Betty
3240126da9 post: commit fb7c5ff in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-04-04 00:23:55 +02:00
Betty
e8e3d05539 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-04-03 16:11:06 +02:00
Betty
a6bd13c28c post: commit f6b4ac5 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-04-03 16:11:03 +02:00
Betty
9bb1c46280 post: commit 4c71a4d in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-31 21:04:32 +02:00
Betty
c803a759ae post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-31 20:36:46 +02:00
Betty
f1d4f4292b post: commit b5b5641 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-31 20:36:26 +02:00
Betty
139a366066 post: commit dc4caca in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-30 22:05:24 +02:00
Betty
0b1a1c5e86 post: commit ea02190 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-30 21:37:23 +02:00
Betty
aa3b4e6966 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 20s
2026-03-30 21:25:03 +02:00
Betty
83e6966ca0 post: commit 631b96e in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-30 21:24:59 +02:00
Betty
3857c3258c post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 11s
2026-03-30 16:51:07 +02:00
Betty
35d7743705 post: commit 9eb4c92 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-30 16:51:03 +02:00
Betty
b5273f3480 post: commit 2a51f30 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-26 18:51:19 +01:00
Betty
8b3df064e1 post: commit 2195edf in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-26 18:34:03 +01:00
Betty
38e9805165 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-26 18:12:18 +01:00
Betty
a811ee00c6 post: commit 9a69b23 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-03-26 18:05:53 +01:00
Betty
8bb6d0257f post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-25 23:19:31 +01:00
Betty
b4bd662d7b post: commit 2c09e8b in bojemoi_boot
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-25 23:19:25 +01:00
Betty
244bf3c6eb post: commit d3bbec7 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-25 23:19:10 +01:00
Betty
3ecba81eb5 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-25 23:05:18 +01:00
Betty
37067295a0 post: commit 27f5ef4 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-25 23:05:15 +01:00
Betty
4cde83394a post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-25 22:52:52 +01:00
Betty
37b3c67bc1 post: commit 5a9bdd9 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-25 22:52:47 +01:00
Betty
5cc512f97b post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-25 22:44:45 +01:00
Betty
20e02cb6db post: commit a79479d in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-25 22:44:40 +01:00
Betty
f5d0fc36e3 post: push 2 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-23 18:56:55 +01:00
Betty
7d0f3ce09c post: commit 392a1a2 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-23 18:56:52 +01:00
Betty
94ab525a21 post: commit 11a8e69 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-21 13:53:28 +01:00
Betty
0cd0304141 post: push 3 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-18 13:52:20 +01:00
Betty
c0561b9c6c post: commit fced696 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-18 13:52:17 +01:00
Betty
9d75e01250 post: commit 1041a8b in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-18 13:52:12 +01:00
Betty
40ce65e539 post: commit b93e503 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-18 13:52:09 +01:00
Betty
741c7050fc post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-18 13:51:08 +01:00
Betty
04dc718cfe post: commit 8671e81 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-18 13:51:00 +01:00
Betty
bebf03a8e7 post: zero plaintext credentials in alertmanager.yml — Docker secrets
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-14 22:08:27 +01:00
Betty
6af7aff46c post: push 1 commit(s) to bojemoi/main
2026-03-14 22:08:27 +01:00
Betty
cf788a140c post: commit 8d7722b in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-14 22:01:43 +01:00
Betty
2c2d569e4a post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-14 21:58:19 +01:00
Betty
f62c39b63d post: commit 17c82ec in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-14 21:58:16 +01:00
Betty
fc2c7d2c9a post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 10s
2026-03-14 21:52:46 +01:00
Betty
85cff64466 post: commit 487dbeb in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-14 21:52:43 +01:00
Betty
432ced0e82 post: push 2 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 12s
2026-03-14 21:29:44 +01:00
Betty
334f653494 post: commit 54cb79f in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-14 21:29:42 +01:00
Betty
1fea4638ff blog: update architecture post with full diagram and current state (March 2026)
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 20:51:14 +01:00
Betty
ccd0d457bf post: commit 988b7d2 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-04 20:34:51 +01:00
cc434a1f50 post: trivy gitea actions (EN)
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-03 19:39:23 +00:00
137660d45c post: trivy gitea actions (FR)
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-03 19:39:15 +00:00
Betty
44430f1cae post: commit 4e0c344 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-03-03 20:23:28 +01:00
Betty
ab7be1b891 post: commit fb0c2c1 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-03 20:21:25 +01:00
Betty
d7133368b1 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-03 20:16:30 +01:00
Betty
9c6a7fd023 post: commit a0760dd in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-03 20:16:28 +01:00
Betty
0580dc0ecd post: commit 17760b5 in bojemoi-telegram
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 19:34:46 +01:00
Betty
739d03420a post: commit 29a2c80 in bojemoi-telegram
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-03-01 19:10:51 +01:00
Betty
dd1a01fefd post: push 1 commit(s) to bojemoi-telegram/master
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 19:09:04 +01:00
Betty
aff676c354 post: commit 57fd2a5 in bojemoi-telegram
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-01 19:08:59 +01:00
Betty
b99926a77d post: Bojemoi Lab on Docker Hub — 21 open source images
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 18:56:08 +01:00
Betty
116741b3a5 post: commit a3e96f6 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 15:07:31 +01:00
Betty
91262ab1a8 post: commit 1b836c1 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 15:02:17 +01:00
Betty
6ed89b47f0 post: commit 80f619f in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 9s
2026-03-01 15:00:04 +01:00
Betty
82048ea0ee post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 14:57:59 +01:00
Betty
ab848bdcff post: commit ecc2fa3 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-01 14:57:52 +01:00
Betty
e3db4ae13a post: commit 1844950 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 13:32:06 +01:00
Betty
7862d33186 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 13:31:43 +01:00
Betty
6a0bbe44d3 post: commit 0cd3d6c in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-03-01 13:31:21 +01:00
Betty
e2090f6f7f post: commit 0d8daa6 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 11:28:02 +01:00
Betty
8714d3a1ef post: commit 48dea1e in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-03-01 11:23:29 +01:00
Betty
664fe09422 post: commit 4da8aa1 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 11:18:40 +01:00
Betty
53315a3211 post: commit 6eaba66 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-03-01 11:06:33 +01:00
Betty
3decddb6d4 post: push 3 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 11:04:08 +01:00
Betty
89ce5ff35e post: commit ad69e0f in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-03-01 11:03:59 +01:00
Betty
38b8878454 post: commit 650bc6a in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-03-01 00:02:39 +01:00
Betty
bb6f790aca post: commit d32b868 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-02-28 23:32:47 +01:00
Betty
f6a54d3d40 post: commit 626cceb in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-02-27 23:58:17 +01:00
Betty
6ecf70102c post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-27 23:53:44 +01:00
Betty
dda1ea342d post: commit 922a790 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-27 23:53:41 +01:00
Betty
e06009757d post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-27 23:48:50 +01:00
Betty
2921d0160b post: commit 5934bd9 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-27 23:48:42 +01:00
Betty
54e679898c post: commit f7f8635 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-26 23:46:49 +01:00
Betty
07d1ef5c5f post: fix plain code blocks rendered as GoAT SVG diagrams
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
Add 'text' language specifier to all plain ``` blocks to prevent
Hugo from interpreting them as ASCII art diagrams.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 23:44:03 +01:00
Betty
f6cf36253b post: automatic OSINT during IP scanning (bm12 enrichment)
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
New post on adding OSINT enrichment to bm12:
threat_score, is_malicious, AlienVault OTX, AbuseIPDB, ip-api.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-26 23:38:43 +01:00
Betty
d1e6b0c683 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-26 13:14:06 +01:00
Betty
b0e98ab700 post: commit a302a34 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-26 13:13:47 +01:00
Betty
cb4455afcc post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-25 18:43:02 +01:00
Betty
c6b9a8e408 post: commit f0d9fc1 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-25 18:42:58 +01:00
Betty
c5c57fee78 post: add English version of threat intel homelab article
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-25 18:25:11 +01:00
Betty
a8a49f66de post: add community and SEO hashtags to threat intel post
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-25 18:21:58 +01:00
Betty
62e2906f28 blog: add link to threat intel post in homeInfoParams
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-25 18:17:40 +01:00
Betty
50e71e3c40 blog: update homeInfoParams with threat intel post summary
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-25 18:15:45 +01:00
Betty
bbfa26ff78 ci: trigger rebuild for threat intel post
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-02-25 18:10:21 +01:00
Betty
7475cc3f26 ci: force rebuild
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-24 23:12:01 +01:00
Betty
bce5e465d1 post: pin threat intel post to top (date T23:59)
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 23:02:53 +01:00
Betty
bced07feb9 post: push 1 commit(s) to bojemoi_boot/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-24 22:55:21 +01:00
Betty
7380c9894f post: commit f2a54a2 in bojemoi_boot
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-24 22:54:51 +01:00
Betty
9f2ccb1d0b post: push 1 commit(s) to bojemoi_ml-threat-intel/main
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:54:43 +01:00
Betty
06c70a1677 post: commit b5dc6b3 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 22:51:20 +01:00
Betty
16fff1f0a4 post: push 8 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-24 22:49:33 +01:00
Betty
4e7e6e52e8 post: commit 636b468 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:49:30 +01:00
Betty
128f131da7 post: commit 393c5e7 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:49:27 +01:00
Betty
59c6a62222 post: commit c335d28 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:49:24 +01:00
Betty
078e2e6cb3 post: commit 23d6c54 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-02-24 22:49:17 +01:00
Betty
a71c6a9132 post: commit 7751c16 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:49:13 +01:00
Betty
e2826dd48d post: commit b64e232 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:49:08 +01:00
Betty
ab46c8d4b9 post: push 3 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-24 22:46:57 +01:00
Betty
00897649ac post: commit 3f2b20a in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:46:55 +01:00
Betty
2365307852 post: commit 50c07b9 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:46:49 +01:00
Betty
a20cd21d21 post: commit deed427 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:46:46 +01:00
Betty
314e72507b post: push 1 commit(s) to bojemoi-telegram/master
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-24 22:45:06 +01:00
Betty
a3e7bbf57c post: commit 6971479 in bojemoi-telegram
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 22:45:04 +01:00
Betty
214edde3f7 post: add threat intelligence homelab article (fr)
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
Beginner's path — CTI platform with multilingual NER, Telegram OSINT
bots, Docker Swarm, MITRE ATT&CK.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 21:58:03 +01:00
Betty
8c3e243ef6 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-24 13:34:05 +01:00
Betty
c7f1fc9e37 post: commit cfe9eaf in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-24 13:33:55 +01:00
Betty
a0c251c306 post: push 1 commit(s) to bojemoi-telegram/master
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-23 17:59:02 +01:00
Betty
7cc25c0338 post: push 3 commit(s) to bojemoi/main
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-23 17:59:00 +01:00
Betty
b6a95c3476 post: commit 7e823e7 in bojemoi-telegram
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-23 17:58:53 +01:00
Betty
8621ee88e5 post: commit a5d5aec in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-23 17:58:49 +01:00
Betty
c77576a659 post: commit 729d1e3 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-23 17:58:46 +01:00
Betty
d746814329 post: commit 41bed88 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-23 17:58:41 +01:00
Betty
7e79ff296c post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-23 15:25:49 +01:00
Betty
360f0bb46e post: commit c03df13 in bojemoi-telegram
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-23 15:25:23 +01:00
Betty
5c442d4dc9 post: commit dc1cc3d in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-23 15:25:15 +01:00
Betty
d8eb1deff0 post: commit 777f5de in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-22 14:02:21 +01:00
Betty
48e128415c post: push 1 commit(s) to bojemoi-telegram/master
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-22 14:02:02 +01:00
Betty
d3d52890c4 post: commit 6860941 in bojemoi-telegram
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-22 14:01:38 +01:00
Betty
c3394170bf post: commit 21aeedf in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-21 17:57:49 +01:00
Betty
8df311cee7 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-21 17:54:53 +01:00
Betty
5d0234176f post: commit cd5405c in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-21 17:54:18 +01:00
Betty
4372136c55 post: push 3 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 8s
2026-02-20 16:39:57 +01:00
Betty
b1300f8b21 post: push 1 commit(s) to bojemoi_boot/main
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-20 16:39:55 +01:00
Betty
9c1a40cde0 post: commit 3c0dd23 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-20 16:39:48 +01:00
Betty
d90ff09756 post: commit 7912a80 in bojemoi_boot
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-20 16:39:42 +01:00
Betty
881bf5983f post: push 1 commit(s) to bojemoi_boot/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-20 16:09:47 +01:00
Betty
4a07120df0 post: commit a5b1d18 in bojemoi_boot
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-20 16:09:35 +01:00
Betty
b0c076610a post: commit 571da38 in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-19 22:49:45 +01:00
Betty
54ae4044e8 post: commit a067c7e in bojemoi
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-19 22:15:39 +01:00
Betty
692064dfde post: Bojemoi Lab — Platform architecture
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
Complete overview: orchestrator, borodino (ak47/bm12/uzi),
samsonov, CTI (razvedka/vigie/dozor/ml-threat-intel), medved honeypot,
suricata-attack-enricher and Docker Swarm stacks.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 21:35:54 +01:00
Betty
c58d636bf1 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 7s
2026-02-19 16:58:24 +01:00
Betty
01a4453528 post: commit ac1bc9a in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-19 16:58:22 +01:00
Betty
4ae7b793d2 post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 5s
2026-02-18 22:30:35 +01:00
Betty
c1c8db8d42 post: commit 8f38bf5 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-18 22:30:29 +01:00
Betty
d3d006e669 post: push 4 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-18 14:34:22 +01:00
Betty
60a17392bf post: commit 6de2dcd in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-18 14:34:17 +01:00
Betty
8441e2b1b5 post: commit c4c408c in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-18 14:34:12 +01:00
Betty
1421c8bfc5 post: commit b76f9a8 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-18 14:34:06 +01:00
Betty
caffeb5f8d post: commit c33a4a5 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-18 14:34:01 +01:00
Betty
4f635c749e post: push 1 commit(s) to bojemoi/main
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 6s
2026-02-18 14:32:50 +01:00
Betty
3cdd30d957 post: commit a8337f3 in bojemoi
Some checks failed
Hugo Build & Deploy / build-deploy (push) Has been cancelled
2026-02-18 14:32:47 +01:00
Betty
df94a957a2 post: commit c4f8505 in bojemoi_ml-threat-intel
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 5s
2026-02-17 14:36:51 +01:00
Betty
dc2f8d93d6 Cleanup test posts
All checks were successful
Hugo Build & Deploy / build-deploy (push) Successful in 5s
2026-02-17 14:33:22 +01:00
Betty
fe3a159aec post: push 1 commit(s) to bojemoi_ml-threat-intel/main 2026-02-17 14:33:22 +01:00
185 changed files with 9784 additions and 20 deletions


@@ -0,0 +1,174 @@
---
title: "Zéro credential en clair dans alertmanager.yml — Docker secrets à la rescousse"
date: 2026-03-14T21:00:00+00:00
draft: false
tags: ["cybersecurity", "devops", "docker", "docker-swarm", "homelab", "selfhosted", "infosec", "opensource", "blue-team", "soc", "gitops", "debutant-en-cyber", "apprendre-la-cyber", "build-in-public", "french-tech"]
summary: "Mon alertmanager.yml avait deux credentials en clair : un token Telegram et un mot de passe SMTP. Je les ai migrés vers des Docker secrets en dix minutes — sans patcher l'image ni écrire une ligne de script."
description: "Migration pas-à-pas de credentials Alertmanager vers des Docker secrets en Swarm mode : bot_token_file et smtp_auth_password_file, sans entrypoint personnalisé."
author: "Bojemoi"
ShowToc: true
ShowReadingTime: true
---
J'ai intégré Trivy dans mon pipeline CI pour scanner mes Dockerfiles. Premier résultat : Trivy me signale des secrets hardcodés dans mon propre `alertmanager.yml` commité en clair dans le repo.
Ironie du sort — l'outil de scan de sécurité me trouve une faille dans ma configuration de monitoring.
## Le Problème
Mon `alertmanager.yml` contenait deux credentials en clair :
```yaml
global:
smtp_auth_password: '8_qz7oZmQVBGhkvo-U64tA' # mot de passe SMTP Proton Mail Bridge
receivers:
- name: 'telegram-perimeter'
telegram_configs:
- bot_token: '8174135689:AAH...' # token du bot Telegram
```
Ces deux valeurs étaient commitées dans le repo Git. Toute personne ayant accès au repo (ou à un backup) pouvait :
- Envoyer des messages à n'importe quel chat Telegram via le bot
- S'authentifier sur le serveur SMTP du bridge Protonmail
## La Solution Native d'Alertmanager
Alertmanager supporte nativement la lecture de credentials depuis des fichiers, via les paramètres suffixés `_file`. Pas besoin de script d'entrypoint, pas besoin de patcher l'image.
| Paramètre inline | Équivalent fichier |
|---|---|
| `bot_token` | `bot_token_file` |
| `smtp_auth_password` | `smtp_auth_password_file` |
| `api_key` (PagerDuty, etc.) | `api_key_file` |
La documentation Alertmanager liste ces variantes pour la plupart des intégrations. C'est la façon propre de gérer les secrets en environnement conteneurisé.
## Mise en Œuvre en Docker Swarm
### 1. Créer les secrets Docker
Le token Telegram existait déjà comme secret Swarm (`telegram_bot_token`, créé 6 semaines plus tôt pour le service Telegram). Réutilisation directe.
Pour le mot de passe SMTP, création d'un nouveau secret :
```bash
echo -n '8_qz7oZmQVBGhkvo-U64tA' | docker secret create alertmanager_smtp_pass -
```
```bash
docker secret ls | grep -E "telegram_bot|smtp"
# rfi2cjxk... telegram_bot_token 6 weeks ago
# r5zodtm4... alertmanager_smtp_pass just now
```
### 2. Mettre à Jour alertmanager.yml
```yaml
global:
smtp_auth_password_file: /run/secrets/alertmanager_smtp_pass # ← fichier
receivers:
- name: 'telegram-perimeter'
telegram_configs:
- bot_token_file: /run/secrets/telegram_bot_token # ← fichier
```
Les credentials en clair disparaissent du fichier. Le repo est propre.
### 3. Monter les Secrets dans la Stack
Dans la définition du service alertmanager (`stack/01-service-hl.yml`) :
```yaml
services:
alertmanager:
# ...
secrets:
- telegram_bot_token
- alertmanager_smtp_pass
secrets:
telegram_bot_token:
external: true
alertmanager_smtp_pass:
external: true
```
### 4. Appliquer sans Rebuild
Puisqu'il n'y a pas de changement d'image, un simple `service update` suffit :
```bash
# Première migration (bot token)
docker service update \
--secret-add telegram_bot_token \
--force \
base_alertmanager
# Deuxième migration (SMTP)
docker service update \
--secret-add alertmanager_smtp_pass \
--force \
base_alertmanager
```
Docker Swarm monte automatiquement les secrets dans `/run/secrets/<nom>` à l'intérieur du container. Alertmanager lit les fichiers au démarrage.
## Vérification
```bash
docker service ps base_alertmanager
# Running 21 seconds ago ← pas de crash
docker service logs base_alertmanager --since 30s
# level=INFO msg="Loading configuration file" ...
# (pas d'erreur d'authentification)
```
Et dans `alertmanager.yml` désormais commité :
```yaml
global:
smtp_auth_password_file: /run/secrets/alertmanager_smtp_pass
receivers:
- name: 'telegram-perimeter'
telegram_configs:
- bot_token_file: /run/secrets/telegram_bot_token
```
Aucun credential en clair. Trivy est content.
## Ce que Docker Swarm Garantit sur les Secrets
- Les secrets sont chiffrés au repos (dans la Raft store) et en transit (TLS mutuel entre les nœuds)
- Montés en `tmpfs` dans le container — jamais écrits sur disque
- Visibles uniquement par les tâches qui en ont besoin (déclaration explicite dans le service)
- Non récupérables via `docker secret inspect` (seulement les métadonnées)
Pour les faire tourner sur les bons nœuds, les contraintes de placement Swarm font déjà le travail.
## Generalisation
Ce pattern `*_file` n'est pas propre à Alertmanager. On le retrouve dans :
- **Prometheus** : `bearer_token_file`, `password_file` dans les scrape configs
- **Grafana** : `GF_DATABASE_PASSWORD__FILE`, `GF_SECURITY_ADMIN_PASSWORD__FILE`
- **Loki** : idem via les variables d'environnement `_FILE`
- **Traefik** : les providers supportent les fichiers de secrets
Le principe est identique : paramètre standard remplacé par son équivalent `_file` pointant vers `/run/secrets/<nom>`.
## Bilan
| | Avant | Après |
|---|---|---|
| Credentials dans le repo | ✗ 2 en clair | ✓ 0 |
| Alertmanager fonctionnel | ✓ | ✓ |
| Changement d'image requis | — | Non |
| Script d'entrypoint custom | — | Non |
| Temps de migration | — | ~15 min |
La leçon : avant d'écrire un script de substitution de variables ou de patcher une image, vérifier si l'outil ne supporte pas déjà nativement la lecture depuis des fichiers. Alertmanager, Prometheus, Grafana — la plupart des outils de l'écosystème Prometheus le font.
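Review bot: the first YAML block and the `echo -n ... | docker secret create alertmanager_smtp_pass -` line print what looks like the full SMTP password, and the `bot_token` line shows the start of the Telegram token, so a post about removing plaintext credentials republishes one of them. Replace both with obvious placeholders and state that the old values were rotated: "Le repo est propre" only holds for the working tree, since the earlier commits still carry the values. Passing the secret as an `echo` argument also leaves it in shell history; reading it from a file or an interactive prompt avoids that. Smaller points: the summary says ten minutes while the Bilan table says ~15 min, and the heading `## Generalisation` lacks its accent.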


@@ -0,0 +1,187 @@
---
title: "Bojemoi Lab — Architecture Globale"
date: 2026-03-12T20:00:00+01:00
draft: false
tags: ["infrastructure", "docker-swarm", "cybersecurity", "homelab", "devops", "selfhosted", "threat-intelligence", "osint", "machine-learning", "build-in-public", "french-tech", "blue-team", "soc"]
summary: "Schéma complet de Bojemoi Lab : 4 nœuds Swarm, 12 stacks, 43 services — scan internet, threat intel multi-sources, honeypot, IDS/IPS, et intégration MCP/Claude."
description: "Architecture détaillée de Bojemoi Lab : pipeline de scan (ak47/bm12/uzi), threat intelligence (razvedka/vigie/dozor/ml-threat), défense (Suricata/CrowdSec/honeypot), observabilité (Prometheus/Grafana/Loki/Tempo), et MCP server pour Claude Code."
author: "Bojemoi"
ShowToc: true
ShowReadingTime: true
---
Voici l'architecture actuelle de Bojemoi Lab, telle qu'elle tourne en ce moment — pas un croquis de projet, mais le reflet de ce qui est déployé.
4 nœuds Swarm, 12 stacks, ~43 services. 6,15 millions d'hôtes scannés, 33,7 millions de services en base.
---
## Vue d'ensemble
```
┌──────────────────────────────────────────────────────────────────────┐
│ INTERNET / EXTERNAL │
│ ANSSI/CERT-FR • Telegram Channels • VirusTotal • AbuseIPDB • OTX │
│ Shodan • X/Twitter • MITRE ATT&CK feeds • XenServer (on-prem) │
└────────────────────────────┬─────────────────────────────────────────┘
┌────────────────────────────▼─────────────────────────────────────────┐
│ LIGHTSAIL (bojemoi.me) │
│ Nginx (80/443) • Gitea (gitea.bojemoi.me) • Hugo blog │
│ Apache (8080) • cloud-init/configs • Gitea Actions CI │
└────────────────────────────┬─────────────────────────────────────────┘
│ SSH/GitOps
┌────────────────────────────▼─────────────────────────────────────────┐
│ DOCKER SWARM CLUSTER │
│ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ meta-76 (MANAGER) — Intel i9, 16 GB RAM │ │
│ │ │ │
│ │ ┌─── BASE STACK ──────────────────────────────────────┐ │ │
│ │ │ PostgreSQL (msf, threat_intel, razvedka, vigie, │ │ │
│ │ │ telegram_bot, deployments, ip2location) │ │ │
│ │ │ Prometheus • Grafana • Loki • Tempo • Alloy │ │ │
│ │ │ Alertmanager • PgAdmin • cAdvisor • node-exporter │ │ │
│ │ │ Postfix • Proton Mail Bridge • Koursk (rsync) │ │ │
│ │ │ Provisioning API (FastAPI, port 8000→28080) │ │ │
│ │ └─────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─── BOOT STACK ──┐ ┌─── MCP STACK ───────────────┐ │ │
│ │ │ Traefik (proxy) │ │ mcp-server (port 8001) │ │ │
│ │ │ CrowdSec (WAF) │ │ Claude Code integration │ │ │
│ │ └─────────────────┘ └─────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ WORKERS: meta-68, meta-69, meta-70 │ │
│ │ │ │
│ │ ┌─── BORODINO STACK ──────────────────────────────────────┐ │ │
│ │ │ ak47 (x15) → Nmap CIDR scan → msf.hosts/services │ │ │
│ │ │ bm12 (x15) → Deep fingerprint + NSE → classify hosts │ │ │
│ │ │ uzi (x3) → Metasploit exploits (MODE_RUN=0) │ │ │
│ │ └─────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─── PENTEST STACK ──────────┐ ┌─── TELEGRAM ────────────┐ │ │
│ │ │ Faraday (port 5985) │ │ telegram-bot │ │ │
│ │ │ OWASP ZAP │ │ Redis pub/sub │ │ │
│ │ │ Nuclei (25 templates) │ │ Bot: @Betty_Bombers_bot │ │ │
│ │ │ Samsonov (import) │ │ Group: Bojemoi PTaaS │ │ │
│ │ │ Tsushima (aggregator) │ └─────────────────────────┘ │ │
│ │ └────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─── THREAT INTEL ─────────────────────────────────────────┐ │ │
│ │ │ razvedka → DDoS prediction (Telegram channels HU/RU) │ │ │
│ │ │ vigie → CERT-FR bulletin monitor (ANSSI RSS) │ │ │
│ │ │ dozor → Suricata rule generator (IoC feeds) │ │ │
│ │ │ ml-threat → ML scoring + MITRE ATT&CK mapping │ │ │
│ │ └─────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌─── DEFENSE ──────────┐ ┌─── HONEYPOT ─────────────────┐ │ │
│ │ │ Suricata (host mode) │ │ medved (host mode) │ │ │
│ │ │ EVE enricher │ │ SSH/HTTP/RDP/SMB/FTP/Telnet │ │ │
│ │ │ CrowdSec (WAF) │ │ → PostgreSQL + Faraday │ │ │
│ │ └──────────────────────┘ └─────────────────────────────┘ │ │
│ └────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
```
---
## Flux de Données — Pipeline de Scan
```
ip2location DB
ak47 (x15) ← scans CIDRs via db_nmap
│ msf.hosts
bm12 (x15) ← deep NSE fingerprinting (25 catégories)
│ hosts.scan_details (JSON) + comments + scan_status='bm12_v2'
uzi (x3) ← Metasploit exploits (désactivé)
Faraday ← workspace pentest
Samsonov/Tsushima ← import + agrégation
Telegram Bot ← notification + commandes manuelles
```
---
## Stack Files → Services
| Stack | Services clés | Placement |
|-------|--------------|-----------|
| `01-service-hl.yml` | postgres, prometheus, grafana, loki, alertmanager, postfix, provisioning | manager |
| `boot stack` | traefik, crowdsec | manager |
| `40-service-borodino.yml` | ak47, bm12, uzi, faraday, zaproxy, nuclei | workers |
| `45-service-ml-threat-intel.yml` | ml-threat-intel-api | workers |
| `46-service-razvedka.yml` | razvedka | workers |
| `47-service-vigie.yml` | vigie | workers |
| `48-service-dozor.yml` | dozor, eve-cleaner | workers |
| `49-service-mcp.yml` | mcp-server | manager |
| `50-service-trivy.yml` | trivy scanner | CI/CD only |
| `60-service-telegram.yml` | telegram-bot, redis | workers |
| `65-service-medved.yml` | medved honeypot | manager (host ports) |
| `01-suricata-host.yml` | suricata, enricher | host compose (hors swarm) |
---
## Observabilité
```
Services → metrics → Prometheus → Grafana dashboards
Services → logs → Loki → Grafana explore
Services → traces → Tempo → Grafana explore
Alloy (collector unifié) → pipeline tout-en-un
Alertmanager → Postfix/ProtonBridge → Email chiffré
```
---
## Bases de Données (PostgreSQL)
| Database | Usage | Taille estimée |
|----------|-------|---------------|
| `msf` | Metasploit — hosts (6,15M), services (33,7M), vulns | 9 GB |
| `bojemoi_threat_intel` | ML scoring, OSINT cache, IoC | ~2 GB |
| `ip2location` | CIDRs géolocalisés pour scanning | ~500 MB |
| `razvedka` | Mentions hacktivist, alertes DDoS | ~100 MB |
| `vigie` | Bulletins CERT-FR, watchlist matches | ~50 MB |
| `telegram_bot` | Historique chats, commandes | ~500 MB |
| `honeypot_events` | Captures medved (SSH, HTTP, RDP...) | ~1 GB |
| `deployments` | Audit orchestrateur + blockchain | ~100 MB |
---
## Réseaux Overlay (Swarm)
| Réseau | Services |
|--------|---------|
| `backend` | postgres, redis, tous les services data |
| `monitoring` | prometheus, grafana, loki, tempo, alloy |
| `proxy` | traefik, crowdsec |
| `pentest` | faraday, zaproxy, nuclei, samsonov, mcp-server |
| `rsync_network` | koursk master/slave |
| `mail` | postfix, protonmail-bridge, alertmanager |
| `telegram_net` | telegram-bot |
---
## Résumé
- **4 nœuds Swarm** — 1 manager (meta-76) + 3 workers (meta-68/69/70)
- **12 stacks** — ~43 services distincts
- **9 GB de données** — 6,15M hosts scannés, 33,7M services
- **Pipeline CI/CD** — GitLab + Trivy + Gitea Actions
- **Interfaces de contrôle** — Telegram bot, MCP server (Claude), API REST
- **Threat Intel multi-sources** — OSINT, ML, CTI feeds, honeypot, IDS
Tout est open source, versionné sur Gitea, déployé via CI/CD.
→ [gitea.bojemoi.me](https://gitea.bojemoi.me)
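Review bot: the row `65-service-medved.yml` gives the honeypot placement as "manager (host ports)", while the diagram draws the HONEYPOT box inside the WORKERS block; one of the two is wrong. If the table is right, the post should say why an internet-facing honeypot shares a node with the Swarm manager, PostgreSQL and the Raft store that holds the secrets, or the service should move to a worker. In the Résumé, "GitLab + Trivy + Gitea Actions" names GitLab although every other line refers to Gitea, and `honeypot_events` appears in the database table but not in the BASE STACK PostgreSQL list.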


@@ -0,0 +1,160 @@
---
title: "Bojemoi Lab sur Docker Hub : 21 images open source pour un homelab red-team"
date: 2026-03-01
draft: false
tags: ["homelab", "docker", "docker-swarm", "devops", "selfhosted", "opensource", "cybersecurity", "infosec", "osint", "threat-intelligence", "build-in-public", "french-tech"]
summary: "J'ai publié les 21 images Docker de Bojemoi Lab sur Docker Hub. Tour d'horizon de ce que fait chaque composant et comment tout ça s'articule."
description: "Publication des images Docker de Bojemoi Lab sur Docker Hub — 21 images couvrant le scanning réseau, la threat intelligence ML, le honeypot multi-protocole, la veille CVE et plus encore."
author: "Bojemoi"
ShowToc: true
ShowReadingTime: true
---
Les images Docker de Bojemoi Lab sont maintenant publiques sur Docker Hub : [`hub.docker.com/u/bettybombers696`](https://hub.docker.com/u/bettybombers696).
21 images. Un cluster Swarm de 4 nœuds. Quelques semaines de build en public. Voilà ce que ça donne.
---
## Pourquoi publier ?
Bojemoi Lab tourne sur un registre Docker local (`localhost:5000`). Pratique pour le cluster, mais ça ne sort pas de la maison. Publier sur Docker Hub, c'est :
1. **Garder une trace** — un registre public comme backup des images buildées
2. **Rendre ça reproductible** — quelqu'un d'autre peut puller et tester
3. **Build in public** — assumer ce qu'on construit, même quand c'est encore rough
Ce n'est pas du code parfait. C'est un lab qui tourne en prod, avec des vraies données de scan, des vraies alertes, et des vraies erreurs de conception corrigées en cours de route.
---
## Ce que contient le lab
Bojemoi Lab est un homelab red-team / threat intelligence qui tourne sur Docker Swarm (4 nœuds, Alpine/BusyBox). Les composants couvrent l'ensemble du cycle :
```
RECONNAISSANCE → SCANNING → EXPLOITATION → ANALYSE → DÉFENSE
```
Voici les grandes familles :
### Scanning et reconnaissance
**`borodino`** — le cœur offensif. Trois workers indépendants :
- `ak47` : scanne des plages CIDR via `db_nmap -sS -A -O`, alimente la base Metasploit
- `bm12` : fingerprinting profond des hôtes existants — 25 catégories de scripts NSE, classification (web / mail / dns / iot / vpn...), résultats stockés en JSON
- `uzi` : exploitation via `pymetasploit3`, cible les hôtes Linux vulnérables identifiés par bm12
**`tsushima`** — pipeline masscan avec rotation VPN pour du scanning haute vitesse.
**`oblast` / `oblast-1`** — OWASP ZAP pour le scan de vulnérabilités web.
### Threat intelligence
**`ml-threat-intel`** — le composant le plus élaboré. Une API FastAPI qui :
- Classe les IOCs (IP, domaines, hashs) en `benign / suspicious / malicious`
- Score la réputation de 0 à 100
- Agrège VirusTotal (35%), AbuseIPDB (30%), AlienVault OTX (20%), Shodan (15%)
- Lance des investigations complètes en 4 phases avec corrélation IA (Claude Haiku pour les menaces faibles, Claude Sonnet pour les critiques)
**`razvedka`** — collecte OSINT depuis des canaux Telegram et Twitter. Extraction NLP, scoring "buzz", stockage PostgreSQL. Le composant qui surveille ce que les attaquants disent avant d'agir.
### Défense et monitoring
**`dozor`** — agrégateur de feeds de menaces. Télécharge les blacklists, génère des règles Suricata, les recharge à chaud.
**`vigie`** — veille CVE. Surveille des flux RSS/Atom (CERT, NVD, advisories constructeurs), matche contre une watchlist de produits, alerte.
**`suricata-attack-enricher`** — enrichit les alertes Suricata avec du contexte threat intel avant de les envoyer au SIEM.
**`suricata_exporter`** — exporte les métriques Suricata vers Prometheus.
### Honeypot
**`medved`** — honeypot multi-protocole : SSH, HTTP, RDP, SMB, FTP, Telnet. Capture les tentatives de connexion, les credentials, reporte dans Faraday.
### Alertes et interaction
**`telegram-bot`** — le bot `@Betty_Bombers_bot`. Commandes `/analyze <ip>`, `/batch`, `/stats`. Les alertes critiques (score > 80) partent directement dans le groupe PTaaS.
### Infrastructure
**`provisioning`** — orchestrateur FastAPI pour déployer des VMs XenServer et des services Docker via GitOps (source de config : Gitea).
**`bojemoi-mcp`** — serveur MCP local. Claude Code peut interroger la DB Metasploit (6M+ hôtes), lancer des scans nmap, faire de l'OSINT et gérer Faraday — en langage naturel, sans quitter le terminal.
**`koursk` / `koursk-1` / `koursk-2`** — rsync daemon pour la réplication entre nœuds, avec exporter Prometheus.
**`karacho`** — API blockchain + PostgreSQL.
**`samsonov`** — intégration Faraday pour centraliser les findings de sécurité.
---
## La base de données derrière tout ça
Tout converge dans PostgreSQL (sur le manager, stack `base`) :
| Base | Contenu | Taille |
|------|---------|--------|
| `msf` | Hosts (6,15M), services (33,7M) — DB Metasploit | ~9 GB |
| `ip2location` | CIDRs géolocalisés — source de cibles pour ak47 | — |
| `bojemoi_threat_intel` | Cache IOCs, historique d'analyses, investigations | — |
| `faraday` | Findings de sécurité | — |
Un apprentissage douloureux : `ORDER BY RANDOM()` sur 6 millions de lignes = PostgreSQL à 459% CPU, load average à 9. Remplacé par `TABLESAMPLE SYSTEM()`. PostgreSQL est retombé à 29% CPU.
---
## Ce qui n'est PAS dans les images
Les images ne contiennent pas :
- Les credentials (clés API VirusTotal, AbuseIPDB, Anthropic, tokens Telegram...)
- Les données de scan (volumes PostgreSQL gitignorés)
- Les configurations réseau Swarm (overlay networks, secrets Docker)
Tout ça reste dans des Docker secrets et des volumes locaux. Les images sont des binaires propres.
---
## Stack technique
```
Orchestration : Docker Swarm — 4 nœuds (meta-76 manager, meta-68/69/70 workers)
Base : PostgreSQL 15, SQLAlchemy 2.0
Monitoring : Prometheus + Grafana + Loki + Promtail
IDS : Suricata 7 + CrowdSec
Vuln mgmt : Faraday
API : FastAPI + Uvicorn (Python 3.11)
IA : Claude API (Anthropic) — Haiku + Sonnet
Lang : Python, Bash/Ash (Alpine), un peu de Ruby (borodino)
```
---
## Reproduire le lab
Les images sont publiques. Pour les puller :
```bash
docker pull bettybombers696/ml-threat-intel:latest
docker pull bettybombers696/borodino:latest
docker pull bettybombers696/medved:latest
# etc.
```
Chaque image a un README sur Docker Hub avec les variables d'environnement et les dépendances.
Ce n'est pas un projet clé en main — les stack files Swarm, les secrets et la config réseau ne sont pas inclus. Mais les images sont là pour être inspectées, forkées ou adaptées.
---
## La suite
Les prochains posts couvriront en détail certains composants — notamment `ml-threat-intel` (le pipeline ML + agents Claude) et `razvedka` (l'OSINT Telegram). Il y a des choses intéressantes à raconter sur ce qui marche et ce qui ne marche pas quand on fait du threat intel en homelab.
---
*Build in public. Même les parties rough.*
#homelab #docker #docker-swarm #selfhosted #opensource #cybersecurity #osint #threat-intelligence #build-in-public #french-tech #devops #infosec
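Review bot: in "Ce qui n'est PAS dans les images", the item "volumes PostgreSQL gitignorés" cites the wrong control: `.gitignore` has no effect on the Docker build context, only `.dockerignore` does, so the claim that the images carry no data or credentials should rest on the `.dockerignore` files and on an inspection of the pushed layers. The pull examples use `:latest`; a version tag or digest would make the "reproductible" argument hold. In the PostgreSQL paragraph, add that `TABLESAMPLE SYSTEM()` samples whole pages, so it is not a drop-in equivalent of `ORDER BY RANDOM()` when uniform row selection matters.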


@@ -1,19 +0,0 @@
---
title: "[bojemoi_ml-threat-intel] test: verify post-commit blog hook"
date: 2026-02-17T14:31:11+01:00
draft: false
tags: ["commit", "bojemoi_ml-threat-intel", "main"]
categories: ["Git Activity"]
summary: "Commit 5f9715b par Betty dans bojemoi_ml-threat-intel"
author: "Betty"
---
## Commit `5f9715b`
| | |
|---|---|
| **Repository** | bojemoi_ml-threat-intel |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `5f9715b71adf49032a217f73b09ea24fd411ab2b` |


@@ -0,0 +1,19 @@
---
title: "[bojemoi_ml-threat-intel] test: post-commit hook v2"
date: 2026-02-17T14:36:50+01:00
draft: false
tags: ["commit", "bojemoi_ml-threat-intel", "main"]
categories: ["Git Activity"]
summary: "Commit c4f8505 par Betty dans bojemoi_ml-threat-intel"
author: "Betty"
---
## Commit `c4f8505`
| | |
|---|---|
| **Repository** | bojemoi_ml-threat-intel |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `c4f85050833ffe297836af8fa290ee4900db2924` |
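Review bot: `draft: false` on a post titled "test: post-commit hook v2" publishes hook test output to the blog, in the same range where the previous test post is deleted and a "Cleanup test posts" commit appears. Set `draft: true` for hook tests, or have the hook skip commits whose subject starts with `test:`.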


@@ -0,0 +1,38 @@
---
title: "[bojemoi] volumes: add Tempo datasource to Grafana, update rsync config"
date: 2026-02-18T14:34:16+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 6de2dcd par Betty dans bojemoi"
author: "Betty"
---
## Commit `6de2dcd`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `6de2dcd450f64b1c857e11b0e7ae661cc474b95a` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M volumes/grafana/provisioning/datasources/datasources.yml
M volumes/rsync/configs/rsyncd.conf
```
### Diff Summary
```
.../provisioning/datasources/datasources.yml | 18 ++++++++++++++
volumes/rsync/configs/rsyncd.conf | 29 ++++++++++++++++------
2 files changed, 39 insertions(+), 8 deletions(-)
```
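Review bot: the `### Description` section holds only the `Co-Authored-By` trailer, so the post has no description and publishes an e-mail address as its body. The hook should strip trailers from the commit body and omit the section when nothing remains.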


@@ -0,0 +1,41 @@
---
title: "[bojemoi] borodino: fix uzi exploit engine bugs"
date: 2026-02-18T22:30:28+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 8f38bf5 par Betty dans bojemoi"
author: "Betty"
---
## Commit `8f38bf5`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `8f38bf54d39adf04b07890662dd528d0b861ee3a` |
### Description
- Skip local exploits when no active sessions exist instead of hardcoding SESSION=1
- Skip exploits with unresolvable missing required fields (PASSWORD, USERNAME, etc.)
- Move console.is_busy() wait inside payload loop to avoid console overload
- Fix else branch (MODE_RUN=0) to iterate payloads with proper loop
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 82 ++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 71 insertions(+), 11 deletions(-)
```


@@ -0,0 +1,48 @@
---
title: "[bojemoi] Fix borodino uzi-service: launch msfrpcd locally at container startup"
date: 2026-02-18T14:32:46+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a8337f3 par Betty dans bojemoi"
author: "Betty"
---
## Commit `a8337f3`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a8337f3d02bd0786ea47fa994ff76f55d9a8781a` |
### Description
- Add start_uzi.sh entrypoint: starts msfrpcd (SSL, 127.0.0.1:55553),
waits for it to be ready, then exec thearm_uzi
- Update thearm_uzi: connect to 127.0.0.1 instead of 192.168.1.47
- Update Dockerfile.borodino: copy start_uzi.sh into image
- Update stack: use start_uzi.sh as command, raise memory limit to 1536M
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
A borodino/start_uzi.sh
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/Dockerfile.borodino | 1 +
borodino/start_uzi.sh | 47 +++++++++++++++++++++++++++++++++++++++++++
borodino/thearm_uzi | 2 +-
stack/40-service-borodino.yml | 33 ++++++++++++++----------------
4 files changed, 64 insertions(+), 19 deletions(-)
```
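Review bot: the Description copies an internal address (`192.168.1.47`) and the msfrpcd listener (`127.0.0.1:55553`) straight from the commit message into a public post. The hook should filter addresses and ports out of generated posts, or generate them with `draft: true` so they are reviewed before publication.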


@@ -0,0 +1,42 @@
---
title: "[bojemoi] samsonov: integrate bojemoi-mitre-attack library for vuln enrichment"
date: 2026-02-18T14:34:05+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit b76f9a8 par Betty dans bojemoi"
author: "Betty"
---
## Commit `b76f9a8`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `b76f9a8c91801390d4a209540279e9580cb5f113` |
### Description
Install shared MITRE ATT&CK library in samsonov image and enrich
Faraday vulnerabilities with technique ID, tactic, confidence, and
ATT&CK reference URL via _enrich_with_attack_tags().
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M samsonov/Dockerfile.samsonov
M samsonov/pentest_orchestrator/plugins/plugin_faraday.py
```
### Diff Summary
```
samsonov/Dockerfile.samsonov | 6 +-
.../pentest_orchestrator/plugins/plugin_faraday.py | 71 ++++++++++++++++++----
2 files changed, 64 insertions(+), 13 deletions(-)
```


@@ -0,0 +1,41 @@
---
title: "[bojemoi] borodino: bm12 v2 - targeted NSE scripts and server classification"
date: 2026-02-18T14:34:00+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit c33a4a5 par Betty dans bojemoi"
author: "Betty"
---
## Commit `c33a4a5`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `c33a4a56d19f3f7cc98230d49a748e96d497872b` |
### Description
Replaces wildcard NSE scripts with 25 targeted categories (http, ssh,
smtp, smb, dns, mysql, rdp, etc.), single msfconsole per host instead
of one per service, and classifies server type stored in hosts.comments,
hosts.scan_details, and hosts.scan_status='bm12_v2'.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_bm12
```
### Diff Summary
```
borodino/thearm_bm12 | 389 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 332 insertions(+), 57 deletions(-)
```


@@ -0,0 +1,54 @@
---
title: "[bojemoi] stacks: various updates - suricata enricher, network fixes, placement cleanup"
date: 2026-02-18T14:34:11+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit c4c408c par Betty dans bojemoi"
author: "Betty"
---
## Commit `c4c408c`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `c4c408c139fb503c78d04943e1e1a006357f44e8` |
### Description
- hl: fix rsync_network to use overlay driver with attachable
- suricata-host: add suricata-attack-enricher service
- ml-threat-intel: remove hardcoded node.hostname placement constraint
- razvedka/vigie/dozor: minor image/config updates
- remove samsonov stack (service migrated)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
M stack/01-suricata-host.yml
M stack/45-service-ml-threat-intel.yml
M stack/46-service-razvedka.yml
M stack/47-service-vigie.yml
M stack/48-service-dozor.yml
D stack/60-service-samsonov.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 9 +-
stack/01-suricata-host.yml | 16 ++++
stack/45-service-ml-threat-intel.yml | 3 -
stack/46-service-razvedka.yml | 2 +-
stack/47-service-vigie.yml | 2 +-
stack/48-service-dozor.yml | 2 +-
stack/60-service-samsonov.yml | 164 -----------------------------------
7 files changed, 25 insertions(+), 173 deletions(-)
```


@@ -0,0 +1,48 @@
---
title: "[bojemoi] docker: fix compileall -b for importable .pyc without source"
date: 2026-02-19T22:49:44+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 571da38 par Betty dans bojemoi"
author: "Betty"
---
## Commit `571da38`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `571da389d630243db62524b86be10253d4f03bc4` |
### Description
compileall without -b generates __pycache__/module.cpython-XY.pyc which
Python only uses as cache when .py exists. Use -b to generate module.pyc
alongside source so SourcelessFileLoader can find it after .py deletion.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M dozor/Dockerfile.dozor
M medved/Dockerfile.medved
M provisioning/Dockerfile.provisioning
M razvedka/Dockerfile.razvedka
M vigie/Dockerfile.vigie
```
### Diff Summary
```
dozor/Dockerfile.dozor | 2 +-
medved/Dockerfile.medved | 2 +-
provisioning/Dockerfile.provisioning | 2 +-
razvedka/Dockerfile.razvedka | 2 +-
vigie/Dockerfile.vigie | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
```


@@ -0,0 +1,71 @@
---
title: "[bojemoi] docker: compile Python sources, add .dockerignore for sensitive files"
date: 2026-02-19T22:15:38+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a067c7e par Betty dans bojemoi"
author: "Betty"
---
## Commit `a067c7e`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a067c7e1bedb33cae7814f8559b4e8a035807873` |
### Description
- compileall + delete .py in: razvedka, vigie, dozor, medved,
suricata-attack-enricher, karacho, provisioning
- provisioning: remove PYTHONDONTWRITEBYTECODE, remove .env COPY from image
- .dockerignore: exclude .env, *.ovpn (borodino), *.pem, *.key, __pycache__
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A borodino/.dockerignore
A dozor/.dockerignore
M dozor/Dockerfile.dozor
A karacho/.dockerignore
M karacho/Dockerfile.karacho
A medved/.dockerignore
M medved/Dockerfile.medved
A provisioning/.dockerignore
M provisioning/Dockerfile.provisioning
A razvedka/.dockerignore
M razvedka/Dockerfile.razvedka
A samsonov/.dockerignore
A suricata-attack-enricher/.dockerignore
A suricata-attack-enricher/Dockerfile
A vigie/.dockerignore
M vigie/Dockerfile.vigie
```
### Diff Summary
```
borodino/.dockerignore | 7 +++++++
dozor/.dockerignore | 7 +++++++
dozor/Dockerfile.dozor | 4 ++++
karacho/.dockerignore | 7 +++++++
karacho/Dockerfile.karacho | 10 +++++-----
medved/.dockerignore | 7 +++++++
medved/Dockerfile.medved | 3 +++
provisioning/.dockerignore | 8 ++++++++
provisioning/Dockerfile.provisioning | 5 +++--
razvedka/.dockerignore | 7 +++++++
razvedka/Dockerfile.razvedka | 3 +++
samsonov/.dockerignore | 7 +++++++
suricata-attack-enricher/.dockerignore | 7 +++++++
suricata-attack-enricher/Dockerfile | 19 +++++++++++++++++++
vigie/.dockerignore | 7 +++++++
vigie/Dockerfile.vigie | 4 ++++
16 files changed, 105 insertions(+), 7 deletions(-)
```
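Review bot: the line "remove .env COPY from image" tells readers that provisioning images built before this commit contained the `.env` file. Before this goes out with `draft: false`, confirm that any image pushed to a registry before the commit has been removed and that the values in that `.env` were rotated, and say so in the description. The "compileall + delete .py" item should not be presented as a confidentiality measure either: bytecode keeps every string constant, so anything embedded in the sources is still in the image.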


@@ -0,0 +1,43 @@
---
title: "[bojemoi] uzi: add reverse shell listener via bojemoi.me relay"
date: 2026-02-19T16:58:21+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit ac1bc9a par Betty dans bojemoi"
author: "Betty"
---
## Commit `ac1bc9a`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `ac1bc9a42204e527116c4bdd82e0f4fa9088567e` |
### Description
- Stack: 1 replica pinned to meta-68, port 4444 host mode, LHOST/LPORT env vars
- thearm_uzi: start multi/handler at boot (linux/x64/meterpreter/reverse_tcp)
- thearm_uzi: LHOST/LPORT from env, fix LHOST injection in exploit options
- Infra: autossh reverse tunnel meta-68 → bojemoi.me:4444 (GatewayPorts clientspecified)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/thearm_uzi | 37 +++++++++++++++++++++++--------------
stack/40-service-borodino.yml | 31 +++++++++++++++++++++++++++++--
2 files changed, 52 insertions(+), 16 deletions(-)
```
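Review bot: The Description bullets name the listener's exact placement (node `meta-68`, relay `bojemoi.me:4444`, `GatewayPorts clientspecified`) in a post published with `draft: false`, and nothing in them says what restricts who may reach the forwarded port. With `clientspecified` the tunnel client chooses the bind address on the relay, so the commit message should state the bind address and any source allowlist. The generated post should either generalise host names and ports or default to `draft: true` for commits that touch `stack/`.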

View File

@@ -0,0 +1,43 @@
---
title: "[bojemoi] suricata: rotate eve.json hourly, add eve-cleaner sidecar (24h retention)"
date: 2026-02-20T16:39:48+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 3c0dd23 par Betty dans bojemoi"
author: "Betty"
---
## Commit `3c0dd23`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `3c0dd2318ac8d164cd2c1e6cc35ad16d392bad89` |
### Description
- suricata.yaml: filetype regular -> rotating, rotate-interval: 1h
Creates eve.<timestamp>.json files hourly instead of one growing file
- dozor stack: add eve-cleaner service (alpine) that deletes rotated
eve.json files older than KEEP_HOURS=24h, runs every hour
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/48-service-dozor.yml
M volumes/suricata/suricata.yaml
```
### Diff Summary
```
stack/48-service-dozor.yml | 38 ++++++++++++++++++++++++++++++++++++++
volumes/suricata/suricata.yaml | 3 ++-
2 files changed, 40 insertions(+), 1 deletion(-)
```

View File

@@ -0,0 +1,40 @@
---
title: "[bojemoi_boot] boot: add json-file logging limits to all services"
date: 2026-02-20T16:39:41+01:00
draft: false
tags: ["commit", "bojemoi_boot", "main"]
categories: ["Git Activity"]
summary: "Commit 7912a80 par Betty dans bojemoi_boot"
author: "Betty"
---
## Commit `7912a80`
| | |
|---|---|
| **Repository** | bojemoi_boot |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `7912a80485cae7a7a8a77da4cb8e5c1813a64e4a` |
### Description
- docker-socket-proxy, registry, dnsmask: max-size 10m, max-file 3
- traefik: max-size 50m, max-file 5 (access logs more verbose)
- image-pusher: max-size 50m, max-file 2 (build output can be large)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-boot-service.yml
```
### Diff Summary
```
stack/01-boot-service.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
```

View File

@@ -0,0 +1,49 @@
---
title: "[bojemoi_boot] image-pusher: add Phase 3 to build locally-built images from Dockerfiles"
date: 2026-02-20T16:09:34+01:00
draft: false
tags: ["commit", "bojemoi_boot", "main"]
categories: ["Git Activity"]
summary: "Commit a5b1d18 par Betty dans bojemoi_boot"
author: "Betty"
---
## Commit `a5b1d18`
| | |
|---|---|
| **Repository** | bojemoi_boot |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a5b1d18919775e615a0d5c2b690458074bfd7290` |
### Description
- Add build_local_images() (Phase 3) covering 16 custom images:
borodino, koursk, koursk-2, ml-threat-intel, telegram-bot, vigie,
dozor, razvedka, medved, karacho, tsushima, oblast, oblast-1,
provisioning, suricata-attack-enricher, pentest-orchestrator
- Mount /opt/bojemoi, /opt/bojemoi-telegram, /opt/bojemoi-ml-threat
as read-only volumes in image-pusher so Dockerfiles are accessible
- Skip build if image already present in registry (idempotent)
- Add external mappings: redis-exporter, faraday, nuclei
- Mark all custom-built images as SKIP in get_source_image() (Phase 2)
- Fix suricata_exporter mapping (was corelight/, now SKIP/custom-built)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M scripts/push-images.sh
M stack/01-boot-service.yml
```
### Diff Summary
```
scripts/push-images.sh | 104 ++++++++++++++++++++++++++++++++++++++++++----
stack/01-boot-service.yml | 11 +++++
2 files changed, 106 insertions(+), 9 deletions(-)
```

View File

@@ -0,0 +1,40 @@
---
title: "[bojemoi] suricata: fix filetype rotating -> regular, update eve-cleaner to size-based truncation"
date: 2026-02-21T17:57:48+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 21aeedf par Betty dans bojemoi"
author: "Betty"
---
## Commit `21aeedf`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `21aeedf94885178bcc296daf4aa748cc264f8723` |
### Description
Suricata 8.0.3 does not support filetype: rotating. Revert to regular filetype.
eve-cleaner now truncates files by size (eve.json > 5G, fast/stats.log > 500M)
instead of deleting rotated files that never existed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-suricata-host.yml
```
### Diff Summary
```
stack/01-suricata-host.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
```

View File

@@ -0,0 +1,40 @@
---
title: "[bojemoi] suricata: add eve-cleaner sidecar on manager for 24h log retention"
date: 2026-02-21T17:54:17+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit cd5405c par Betty dans bojemoi"
author: "Betty"
---
## Commit `cd5405c`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `cd5405cabdfd0ef46abed984ace27aa9c752d755` |
### Description
Move log cleanup to 01-suricata-host.yml (standalone compose on manager)
instead of dozor stack (workers). eve-cleaner deletes rotated eve.*.json
older than 24h and truncates fast.log/stats.log > 200MB, runs hourly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-suricata-host.yml
```
### Diff Summary
```
stack/01-suricata-host.yml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
```

View File

@@ -0,0 +1,44 @@
---
title: "[bojemoi-telegram] osint: add Wayback Machine historical lookup to /register flow"
date: 2026-02-22T14:01:37+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit 6860941 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `6860941`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `6860941921d261840211ea4aa2ed591e6063c28e` |
### Description
Query the CDX API (web.archive.org) for URLs historically served
directly from the target IP. Runs in parallel with OTX and other
sources — no data stored, results displayed in the OSINT report.
Adds to OSINTResult: wayback_snapshot_count, wayback_domains,
wayback_first_seen, wayback_last_seen. Visible in the WAYBACK
MACHINE section of format_osint_text().
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M telegram-bot/osint.py
```
### Diff Summary
```
telegram-bot/osint.py | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
```

View File

@@ -0,0 +1,36 @@
---
title: "[bojemoi] telegram: add json-file logging with 10m/3 rotation"
date: 2026-02-22T14:02:20+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 777f5de par Betty dans bojemoi"
author: "Betty"
---
## Commit `777f5de`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `777f5de9379f10e28882c1fd09085b8fc745b0f7` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/60-service-telegram.yml
```
### Diff Summary
```
stack/60-service-telegram.yml | 5 +++++
1 file changed, 5 insertions(+)
```
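Review bot: The `### Description` section here contains only the `Co-Authored-By:` trailer, so the post has no description at all. The generator should strip trailers from the commit body and either omit the section when nothing is left or fall back to the commit subject. The same empty section shows up in the posts for `a5d5aec`, `636b468`, `b5dc6b3` and `c335d28`.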

View File

@@ -0,0 +1,58 @@
---
title: "[bojemoi] stack: add json-file logging (10m/3) to all services"
date: 2026-02-23T17:58:40+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 41bed88 par Betty dans bojemoi"
author: "Betty"
---
## Commit `41bed88`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `41bed886c9d424b11c57c1e6566b2611c1fcd20d` |
### Description
- Add json-file driver with max-size 10m / max-file 3 to all stack services
(01-hl, 40-borodino, 45-ml-threat, 46-razvedka, 47-vigie, 65-medved)
- Reduce ak47/bm12 replicas from 15 to 5 (matches max_replicas_per_node constraint)
- suricata: fix filetype rotating -> regular (already stable via eve-cleaner)
- borodino: remove list_vpn/ovpn from .dockerignore, add db_rebuild_cache in start_uzi.sh
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/.dockerignore
M borodino/start_uzi.sh
M stack/01-service-hl.yml
M stack/40-service-borodino.yml
M stack/45-service-ml-threat-intel.yml
M stack/46-service-razvedka.yml
M stack/47-service-vigie.yml
M stack/65-service-medved.yml
M volumes/suricata/suricata.yaml
```
### Diff Summary
```
borodino/.dockerignore | 2 -
borodino/start_uzi.sh | 5 ++
stack/01-service-hl.yml | 106 ++++++++++++++++++++++++++++++++---
stack/40-service-borodino.yml | 80 +++++++++++++++++++++++++-
stack/45-service-ml-threat-intel.yml | 5 ++
stack/46-service-razvedka.yml | 5 ++
stack/47-service-vigie.yml | 5 ++
stack/65-service-medved.yml | 5 ++
volumes/suricata/suricata.yaml | 3 +-
9 files changed, 202 insertions(+), 14 deletions(-)
```
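Review bot: The bullet "borodino: remove list_vpn/ovpn from .dockerignore" undoes the exclusion that the earlier hardening commit on this page added (".dockerignore: exclude .env, *.ovpn (borodino)"), so VPN profiles are back in the build context and can end up in image layers. If the container needs them at run time, mount them as a secret or a read-only volume and keep the ignore entries. Separately, this commit bundles logging limits, a replica change, a Suricata fix and the `.dockerignore` change; splitting it would make the `.dockerignore` reversal visible in review.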

View File

@@ -0,0 +1,49 @@
---
title: "[bojemoi] orchestrator: add Rapid7 debug VM support, fix middleware lazy init"
date: 2026-02-23T17:58:46+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 729d1e3 par Betty dans bojemoi"
author: "Betty"
---
## Commit `729d1e3`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `729d1e3d9767cca8e824a6cf0acf4d3c0b3b71cd` |
### Description
- Add MSF_DB_NAME/MSF_DB_URL to Settings for host_debug table access
- Add Rapid7Manager integration (deploy/register/status endpoints)
- Add Rapid7DeployRequest, Rapid7RegisterRequest, Rapid7DeployResponse,
Rapid7StatusResponse schemas
- Fix IPValidationMiddleware: lazy-init ip2location_client from app.state
to avoid NoneType errors on startup before client is ready
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M provisioning/orchestrator/app/config.py
M provisioning/orchestrator/app/main.py
M provisioning/orchestrator/app/middleware/ip_validation.py
M provisioning/orchestrator/app/models/schemas.py
```
### Diff Summary
```
provisioning/orchestrator/app/config.py | 7 +
provisioning/orchestrator/app/main.py | 207 ++++++++++++++++++++-
.../orchestrator/app/middleware/ip_validation.py | 9 +-
provisioning/orchestrator/app/models/schemas.py | 76 ++++++++
4 files changed, 287 insertions(+), 12 deletions(-)
```

View File

@@ -0,0 +1,40 @@
---
title: "[bojemoi-telegram] telegram: remove docker-compose.yml, clean deploy.sh"
date: 2026-02-23T17:58:53+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit 7e823e7 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `7e823e7`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `7e823e7e473e8ac5941e04fb143bd2b31ae8df16` |
### Description
Docker Compose file no longer used — deployment via Docker Swarm stack only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M telegram-bot/deploy.sh
D telegram-bot/docker-compose.yml
```
### Diff Summary
```
telegram-bot/deploy.sh | 1 -
telegram-bot/docker-compose.yml | 58 -----------------------------------------
2 files changed, 59 deletions(-)
```

View File

@@ -0,0 +1,36 @@
---
title: "[bojemoi] build: update BUILD_PROMPT.md"
date: 2026-02-23T17:58:49+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a5d5aec par Betty dans bojemoi"
author: "Betty"
---
## Commit `a5d5aec`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a5d5aecbda956a032e9bed354a7c91ecd7c46667` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M BUILD_PROMPT.md
```
### Diff Summary
```
BUILD_PROMPT.md | 516 ++++++++++++++++++++++++++------------------------------
1 file changed, 241 insertions(+), 275 deletions(-)
```

View File

@@ -0,0 +1,45 @@
---
title: "[bojemoi-telegram] telegram: add IPv6 support — ALLOWED_IP_RANGES + ip-api.com fallback"
date: 2026-02-23T15:25:22+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit c03df13 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `c03df13`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `c03df130d577b4723e238a5f1c50785ee6aac1d0` |
### Description
- config.py: extend default ALLOWED_IP_RANGES to include ::/0 so IPv6
addresses pass the is_ip_allowed() check out of the box
- crud.py: get_country_by_ip() now tries ip2location_db1 first (IPv4),
then falls back to ip-api.com/json/{ip} for IPv6 (and IPv4 if
ip2location fails); no API key required
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M telegram-bot/config.py
M telegram-bot/database/crud.py
```
### Diff Summary
```
telegram-bot/config.py | 2 +-
telegram-bot/database/crud.py | 27 ++++++++++++++++++++-------
2 files changed, 21 insertions(+), 8 deletions(-)
```
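Review bot: In the `config.py` bullet, adding `::/0` to the default `ALLOWED_IP_RANGES` means `is_ip_allowed()` accepts every IPv6 address out of the box, so the allowlist no longer restricts anything for IPv6. The default should stay empty or narrow for IPv6, with `::/0` left as an explicit opt-in in the deployment's own config. The `crud.py` bullet should also mention that the fallback sends each looked-up address to a third party (`ip-api.com`).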

View File

@@ -0,0 +1,56 @@
---
title: "[bojemoi] borodino: add IPv6 support — ak47, bm12, uzi"
date: 2026-02-23T15:25:14+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit dc1cc3d par Betty dans bojemoi"
author: "Betty"
---
## Commit `dc1cc3d`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `dc1cc3dd1f188347076b568735ca4f63beacd072` |
### Description
- import_ipv6_cidrs.sh: new script to create ip2location_db1_v6 table
and populate it from RIPE NCC delegated stats (curl -4, BEGIN/COMMIT batch)
- thearm_ak47: alternate 50/50 between ip2location_db1 (v4) and
ip2location_db1_v6 (v6) each iteration, fallback on the other table
if empty; detect IPv6 CIDR via ":" and pass -6 to db_nmap
- thearm_bm12: import ipaddress; filter fe80::/10 link-local addresses
in TABLESAMPLE queries; detect IPv6 in build_nmap_command() and
prepend -6 to db_nmap
- thearm_uzi: import ipaddress; filter fe80::/10 in get_random_host();
wrap IPv6 addresses in brackets for Metasploit RHOSTS ([addr])
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A borodino/import_ipv6_cidrs.sh
M borodino/thearm_ak47
M borodino/thearm_bm12
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/import_ipv6_cidrs.sh | 54 +++++++++++++++++++++++++++++++++++++++++++
borodino/thearm_ak47 | 38 +++++++++++++++++++++++++-----
borodino/thearm_bm12 | 17 +++++++++++---
borodino/thearm_uzi | 41 ++++++++++++++++++++++++++++----
4 files changed, 136 insertions(+), 14 deletions(-)
```

View File

@@ -0,0 +1,41 @@
---
title: "[bojemoi] scripts: add blog automation scripts"
date: 2026-02-24T22:49:16+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 23d6c54 par Betty dans bojemoi"
author: "Betty"
---
## Commit `23d6c54`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `23d6c5467adcd31a6b4834d3f9e93c60b6cc0b59` |
### Description
- commits-to-posts.sh : génère des posts Hugo depuis l'historique git
- post-commit-blog.sh : publie automatiquement sur le blog après chaque commit
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A scripts/commits-to-posts.sh
A scripts/post-commit-blog.sh
```
### Diff Summary
```
scripts/commits-to-posts.sh | 123 ++++++++++++++++++++++++++++++++++++++++++++
scripts/post-commit-blog.sh | 110 +++++++++++++++++++++++++++++++++++++++
2 files changed, 233 insertions(+)
```

View File

@@ -0,0 +1,43 @@
---
title: "[bojemoi] blog,osint: add draft posts and OSINT report"
date: 2026-02-24T22:49:26+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 393c5e7 par Betty dans bojemoi"
author: "Betty"
---
## Commit `393c5e7`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `393c5e72f065cbf9f22b94843373778a1a4685df` |
### Description
- blog/ : posts EN et FR threat intelligence homelab
- osint-reports/ : rapport OSINT progruzspb.ru (2026-02-22)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A blog/Building a Homelab Threat Intelligence Platform with ML.md
A blog/threat-intel-homelab-post-fr.md
A osint-reports/progruzspb-ru-20260222.md
```
### Diff Summary
```
...Homelab Threat Intelligence Platform with ML.md | 291 ++++++++++++++++++++
blog/threat-intel-homelab-post-fr.md | 305 +++++++++++++++++++++
osint-reports/progruzspb-ru-20260222.md | 138 ++++++++++
3 files changed, 734 insertions(+)
```

View File

@@ -0,0 +1,40 @@
---
title: "[bojemoi] suricata: switch enricher to postgres service name + secret"
date: 2026-02-24T22:46:54+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 3f2b20a par Betty dans bojemoi"
author: "Betty"
---
## Commit `3f2b20a`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `3f2b20ae70bfc83a1084cf3ee4f5bf09fe819363` |
### Description
- DB_HOST: IP fixe → nom de service 'postgres'
- Credentials: bojemoi/db_password → postgres/postgres_password
- Ajout réseau backend et secret postgres_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-suricata-host.yml
```
### Diff Summary
```
stack/01-suricata-host.yml | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
```

View File

@@ -0,0 +1,40 @@
---
title: "[bojemoi] protonmail: add 2FA handling and SMTP password logging"
date: 2026-02-24T22:46:49+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 50c07b9 par Betty dans bojemoi"
author: "Betty"
---
## Commit `50c07b9`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `50c07b90d4cd6182161fb23c200db9fc062e2b59` |
### Description
- log_user 1 pour la visibilité expect
- Gestion du prompt two-factor (skip avec \r)
- Commande 'info' post-login pour exposer le mot de passe SMTP bridge dans les logs Docker
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M entrypoint-protonmail.sh
```
### Diff Summary
```
entrypoint-protonmail.sh | 12 ++++++++++++
1 file changed, 12 insertions(+)
```
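Review bot: The third Description bullet says the `info` command is run after login specifically to put the SMTP bridge password into the Docker logs, and the first bullet turns on `log_user 1`. That leaves the credential in the container's log files, readable by anyone who can run `docker logs` or read the json-file logs on the node, for as long as those files are retained. Capture the value into a root-only file on the `/root` volume or a Docker secret instead, and rotate the bridge password that has already been logged.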

View File

@@ -0,0 +1,36 @@
---
title: "[bojemoi] gitignore: exclude blog-repo/ (nested git repo)"
date: 2026-02-24T22:49:29+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 636b468 par Betty dans bojemoi"
author: "Betty"
---
## Commit `636b468`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `636b468a2ab5fe64655989d294d7904e19ac394f` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M .gitignore
```
### Diff Summary
```
.gitignore | 1 +
1 file changed, 1 insertion(+)
```

View File

@@ -0,0 +1,38 @@
---
title: "[bojemoi-telegram] config: add Telegram broadcast chat IDs to .env.example"
date: 2026-02-24T22:45:03+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit 6971479 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `6971479`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `69714793fbc892de117f68947222fda84375abc2` |
### Description
Group PTaaS (-5087117106) and channel (@bojemoi_ptaas).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M telegram-bot/.env.example
```
### Diff Summary
```
telegram-bot/.env.example | 4 ++++
1 file changed, 4 insertions(+)
```
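Review bot: The Description line puts a real group chat ID (`-5087117106`) and channel handle into both `.env.example` and this public post. An example file should carry obvious placeholders, with the real values kept in the deployed `.env` or a secret, and the post generator should not echo them.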

View File

@@ -0,0 +1,41 @@
---
title: "[bojemoi] suricata-attack-enricher: add enricher service"
date: 2026-02-24T22:49:12+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 7751c16 par Betty dans bojemoi"
author: "Betty"
---
## Commit `7751c16`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `7751c16f9c238e6f3a624d664d7ea601945213a4` |
### Description
Service Python async : suit eve.json Suricata en temps réel, mappe chaque
alerte vers ATT&CK, insère en batch dans bojemoi_threat_intel (batch 50 / flush 5s).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A suricata-attack-enricher/enricher.py
A suricata-attack-enricher/requirements.txt
```
### Diff Summary
```
suricata-attack-enricher/enricher.py | 235 ++++++++++++++++++++++++++++++
suricata-attack-enricher/requirements.txt | 1 +
2 files changed, 236 insertions(+)
```

View File

@@ -0,0 +1,36 @@
---
title: "[bojemoi] orchestrator: add Rapid7 VM manager service"
date: 2026-02-24T22:49:23+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit b5dc6b3 par Betty dans bojemoi"
author: "Betty"
---
## Commit `b5dc6b3`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `b5dc6b34e2b46f18c4773f7069f2d65115213406` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A provisioning/orchestrator/app/services/rapid7_manager.py
```
### Diff Summary
```
.../orchestrator/app/services/rapid7_manager.py | 115 +++++++++++++++++++++
1 file changed, 115 insertions(+)
```

View File

@@ -0,0 +1,115 @@
---
title: "[bojemoi] mitre-attack: add bojemoi-mitre-attack library to all consumers"
date: 2026-02-24T22:49:07+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit b64e232 par Betty dans bojemoi"
author: "Betty"
---
## Commit `b64e232`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `b64e232db8b8605ccf391faec1a220b3da4c3910` |
### Description
Package Python partagé mappant 35+ catégories Suricata → techniques ATT&CK.
Ajouté dans bojemoi-mitre-attack/ (source), samsonov/ et suricata-attack-enricher/.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/PKG-INFO
A bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/SOURCES.txt
A bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/dependency_links.txt
A bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/top_level.txt
A bojemoi-mitre-attack/bojemoi_mitre_attack/__init__.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/formatters.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/mapper.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/__init__.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/osint.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/suricata.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/vulnerability.py
A bojemoi-mitre-attack/bojemoi_mitre_attack/models.py
A bojemoi-mitre-attack/setup.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/PKG-INFO
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/SOURCES.txt
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/dependency_links.txt
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/top_level.txt
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/__init__.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/formatters.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/mapper.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/__init__.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/osint.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/suricata.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/vulnerability.py
A samsonov/bojemoi-mitre-attack/bojemoi_mitre_attack/models.py
A samsonov/bojemoi-mitre-attack/setup.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/PKG-INFO
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/SOURCES.txt
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/dependency_links.txt
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack.egg-info/top_level.txt
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/__init__.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/formatters.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/mapper.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/__init__.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/osint.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/suricata.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/mappings/vulnerability.py
A suricata-attack-enricher/bojemoi-mitre-attack/bojemoi_mitre_attack/models.py
A suricata-attack-enricher/bojemoi-mitre-attack/setup.py
```
### Diff Summary
```
.../bojemoi_mitre_attack.egg-info/PKG-INFO | 7 +
.../bojemoi_mitre_attack.egg-info/SOURCES.txt | 13 +
.../dependency_links.txt | 1 +
.../bojemoi_mitre_attack.egg-info/top_level.txt | 1 +
.../bojemoi_mitre_attack/__init__.py | 23 ++
.../bojemoi_mitre_attack/formatters.py | 136 +++++++++
.../bojemoi_mitre_attack/mapper.py | 324 +++++++++++++++++++++
.../bojemoi_mitre_attack/mappings/__init__.py | 11 +
.../bojemoi_mitre_attack/mappings/osint.py | 54 ++++
.../bojemoi_mitre_attack/mappings/suricata.py | 99 +++++++
.../bojemoi_mitre_attack/mappings/vulnerability.py | 73 +++++
.../bojemoi_mitre_attack/models.py | 36 +++
bojemoi-mitre-attack/setup.py | 10 +
.../bojemoi_mitre_attack.egg-info/PKG-INFO | 7 +
.../bojemoi_mitre_attack.egg-info/SOURCES.txt | 13 +
.../dependency_links.txt | 1 +
.../bojemoi_mitre_attack.egg-info/top_level.txt | 1 +
.../bojemoi_mitre_attack/__init__.py | 23 ++
.../bojemoi_mitre_attack/formatters.py | 136 +++++++++
.../bojemoi_mitre_attack/mapper.py | 324 +++++++++++++++++++++
.../bojemoi_mitre_attack/mappings/__init__.py | 11 +
.../bojemoi_mitre_attack/mappings/osint.py | 54 ++++
.../bojemoi_mitre_attack/mappings/suricata.py | 99 +++++++
.../bojemoi_mitre_attack/mappings/vulnerability.py | 73 +++++
.../bojemoi_mitre_attack/models.py | 36 +++
samsonov/bojemoi-mitre-attack/setup.py | 10 +
.../bojemoi_mitre_attack.egg-info/PKG-INFO | 7 +
.../bojemoi_mitre_attack.egg-info/SOURCES.txt | 13 +
.../dependency_links.txt | 1 +
.../bojemoi_mitre_attack.egg-info/top_level.txt | 1 +
.../bojemoi_mitre_attack/__init__.py | 23 ++
.../bojemoi_mitre_attack/formatters.py | 136 +++++++++
.../bojemoi_mitre_attack/mapper.py | 324 +++++++++++++++++++++
.../bojemoi_mitre_attack/mappings/__init__.py | 11 +
.../bojemoi_mitre_attack/mappings/osint.py | 54 ++++
.../bojemoi_mitre_attack/mappings/suricata.py | 99 +++++++
.../bojemoi_mitre_attack/mappings/vulnerability.py | 73 +++++
.../bojemoi_mitre_attack/models.py | 36 +++
.../bojemoi-mitre-attack/setup.py | 10 +
39 files changed, 2364 insertions(+)
```
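Review bot: The Files Changed list commits generated `bojemoi_mitre_attack.egg-info/` metadata (`PKG-INFO`, `SOURCES.txt`, `dependency_links.txt`, `top_level.txt`) and adds the same package three times, under `bojemoi-mitre-attack/`, `samsonov/` and `suricata-attack-enricher/`, with identical line counts in the Diff Summary. The egg-info directories belong in `.gitignore`, and the two vendored copies will drift from the source; install the package from `bojemoi-mitre-attack/` at image build time instead, or document how the copies are kept in sync.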

View File

@@ -0,0 +1,36 @@
---
title: "[bojemoi] grafana: add MITRE ATT&CK attack heatmap dashboard"
date: 2026-02-24T22:49:23+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit c335d28 par Betty dans bojemoi"
author: "Betty"
---
## Commit `c335d28`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `c335d28cd5e811c1deee93b22cee4b6396878349` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A volumes/suricata/config/classification.config
```
### Diff Summary
```
.../provisioning/dashboards/attack-heatmap.json | 277 +++++++++++++++++++++
1 file changed, 277 insertions(+)
```
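Review bot: Files Changed lists `volumes/suricata/config/classification.config` while the Diff Summary shows `.../provisioning/dashboards/attack-heatmap.json` with 277 insertions, so the two sections of this post describe different files. The generator appears to be taking the file list and the stat from different sources or revisions; both should come from the same `git show` of `c335d28`. The Description is also empty apart from the trailer.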

View File

@@ -0,0 +1,46 @@
---
title: "[bojemoi] protonmail-bridge: fix libfido2, add auto-login via secrets"
date: 2026-02-24T13:33:54+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit cfe9eaf par Betty dans bojemoi"
author: "Betty"
---
## Commit `cfe9eaf`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `cfe9eafa51768b67d15c13ba486c61d2391da2e3` |
### Description
- Add libfido2-1 and expect to image (bridge v3.22.0 requires libfido2)
- Replace entrypoint with auto-login script using Docker secrets
(proton_username, proton_password) via expect CLI automation
- GPG key + pass store initialized on first run from /root volume
- Mount proton_username and proton_password secrets in stack service
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A Dockerfile.protonmail-bridge
A entrypoint-protonmail.sh
M stack/01-service-hl.yml
```
### Diff Summary
```
Dockerfile.protonmail-bridge | 8 ++++++
entrypoint-protonmail.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++
stack/01-service-hl.yml | 3 +++
3 files changed, 73 insertions(+)
```

View File

@@ -0,0 +1,41 @@
---
title: "[bojemoi] borodino: fix psycopg2 % escaping in LIKE clauses (bm12, uzi)"
date: 2026-02-24T22:46:45+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit deed427 par Betty dans bojemoi"
author: "Betty"
---
## Commit `deed427`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `deed427c6f139dd2b299bfef13b2cd98b7abeb98` |
### Description
%s → %%s dans les patterns LIKE fe80:% pour éviter l'interpolation
psycopg2 sur les requêtes TABLESAMPLE.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_bm12
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_bm12 | 4 ++--
borodino/thearm_uzi | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
```
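Review bot: The Description reads `%s → %%s`, but the pattern it names, `LIKE fe80:%`, contains a bare `%` and no `%s`; the escape that stops psycopg2 from treating it as a placeholder is `%` → `%%`. The message should say that, since `%%s` would turn a real placeholder into a literal. Passing the pattern as a bound parameter would avoid the escaping altogether.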

View File

@@ -0,0 +1,39 @@
---
title: "[bojemoi_boot] stack: remove unused deploy template, add registry note"
date: 2026-02-24T22:54:50+01:00
draft: false
tags: ["commit", "bojemoi_boot", "main"]
categories: ["Git Activity"]
summary: "Commit f2a54a2 par Betty dans bojemoi_boot"
author: "Betty"
---
## Commit `f2a54a2`
| | |
|---|---|
| **Repository** | bojemoi_boot |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `f2a54a25a1499e62a78ee4bfff3d65e1a0d030ea` |
### Description
- Suppression du x-deploy-template inutilisé
- Note: images depuis Docker Hub uniquement (pas le registry local)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-boot-service.yml
```
### Diff Summary
```
stack/01-boot-service.yml | 28 ++--------------------------
1 file changed, 2 insertions(+), 26 deletions(-)
```

View File

@@ -0,0 +1,49 @@
---
title: "[bojemoi] borodino/bm12: add OSINT enrichment after host fingerprinting"
date: 2026-02-25T18:42:57+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit f0d9fc1 par Betty dans bojemoi"
author: "Betty"
---
## Commit `f0d9fc1`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `f0d9fc1897d7ae9732249c3a353ae671e392c09d` |
### Description
- Add osint_lookup.py: synchronous OSINT module (ip-api, AlienVault OTX,
ThreatCrowd + optional AbuseIPDB/VirusTotal/Shodan via env vars)
- Integrate into thearm_bm12: OSINT runs after nmap scan, results merged
into hosts.scan_details JSON and hosts.info flagged for malicious IPs
- Dockerfile: copy osint_lookup.py to /usr/bin/
- Stack: expose ABUSEIPDB_API_KEY, VIRUSTOTAL_API_KEY, SHODAN_API_KEY env vars
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
A borodino/osint_lookup.py
M borodino/thearm_bm12
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/Dockerfile.borodino | 1 +
borodino/osint_lookup.py | 213 ++++++++++++++++++++++++++++++++++++++++++
borodino/thearm_bm12 | 83 +++++++++++-----
stack/40-service-borodino.yml | 3 +
4 files changed, 279 insertions(+), 21 deletions(-)
```
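Review bot: the last Description bullet hands ABUSEIPDB_API_KEY, VIRUSTOTAL_API_KEY and SHODAN_API_KEY to the service as environment variables in stack/40-service-borodino.yml, which makes the keys visible in the service spec and inherited by every process the scanner spawns. Mount them as Docker secrets and let osint_lookup.py read the files, as the medved and mcp posts on this page do for their passwords. The description should also state what happens to the nmap result when a provider times out or rate-limits, since the lookup is synchronous and runs after every scan.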

@@ -0,0 +1,45 @@
---
title: "[bojemoi] alertmanager,bridge: fix SMTP auth after Proton session expiry"
date: 2026-02-26T13:13:46+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a302a34 par Betty dans bojemoi"
author: "Betty"
---
## Commit `a302a34`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a302a34a0c4ac9160850de55d98552dde96296f7` |
### Description
- Update SMTP password in alertmanager.yml (new bridge session)
- Fix smtp_from address and switch to insecure_skip_verify for internal TLS
- Simplify entrypoint-protonmail.sh: remove auto-login logic, rely on vault
- Update SMTP password comment in stack for reference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M entrypoint-protonmail.sh
M stack/01-service-hl.yml
M volumes/alertmanager/alertmanager.yml
```
### Diff Summary
```
entrypoint-protonmail.sh | 84 ++++++++++++-----------------------
stack/01-service-hl.yml | 2 +-
volumes/alertmanager/alertmanager.yml | 8 ++--
3 files changed, 33 insertions(+), 61 deletions(-)
```
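Review bot: the second Description bullet switches the SMTP client to insecure_skip_verify, which turns off certificate validation on the connection that carries the SMTP password; trust the bridge's certificate through a CA file in the TLS config instead, so the internal TLS stays authenticated. The first and fourth bullets also place the new password in alertmanager.yml and in a comment in stack/01-service-hl.yml, both tracked files; the post should point to the follow-up that moves it to a secret.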

@@ -0,0 +1,38 @@
---
title: "[bojemoi] blog: add drafts — OSINT lookup and Metasploitable2 post"
date: 2026-02-26T23:46:48+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit f7f8635 par Betty dans bojemoi"
author: "Betty"
---
## Commit `f7f8635`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `f7f86355e7582842929d071dbaa46123907c3372` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A blog/adding OSINT lookup during IPs scanning.md
A blog/blog_metasplable pour uzi
```
### Diff Summary
```
blog/adding OSINT lookup during IPs scanning.md | 350 ++++++++++++++++++++++++
blog/blog_metasplable pour uzi | 8 +
2 files changed, 358 insertions(+)
```

@@ -0,0 +1,47 @@
---
title: "[bojemoi] medved: fix faraday reporter infinite retry loop + http port 8000"
date: 2026-02-27T23:48:41+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 5934bd9 par Betty dans bojemoi"
author: "Betty"
---
## Commit `5934bd9`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `5934bd97bda6cd0b39ef57117122f4ba96b24b95` |
### Description
faraday_reporter: when Faraday returns 409 CONFLICT (vuln already exists),
events were never marked as reported_to_faraday=TRUE because MARK_REPORTED
only ran when vuln_id != 0. This caused 25k+ events to be retried every 60s,
flooding logs with "Failed to create vuln" warnings. Fix: catch
httpx.HTTPStatusError 409 explicitly and set should_mark_reported=True.
medved stack: change HTTP honeypot published port from 8888 to 8000
(port 80 taken by Traefik, port 8080 taken by dnsmasq).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M medved/honeypot/faraday_reporter.py
M stack/65-service-medved.yml
```
### Diff Summary
```
medved/honeypot/faraday_reporter.py | 14 +++++++++++++-
stack/65-service-medved.yml | 2 +-
2 files changed, 14 insertions(+), 2 deletions(-)
```

@@ -0,0 +1,42 @@
---
title: "[bojemoi] medved: move PG_PASSWORD and FARADAY_PASSWORD to Docker secrets"
date: 2026-02-27T23:58:16+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 626cceb par Betty dans bojemoi"
author: "Betty"
---
## Commit `626cceb`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `626cceb4565c9bfa38b9c86abb49cdfc00ee378a` |
### Description
Replace plaintext passwords in environment variables with Docker secrets
medved_pg_password and medved_faraday_password. config.py uses a
model_validator to read /run/secrets/ after pydantic env loading.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M medved/honeypot/config.py
M stack/65-service-medved.yml
```
### Diff Summary
```
medved/honeypot/config.py | 17 +++++++++++++++++
stack/65-service-medved.yml | 11 +++++++++--
2 files changed, 26 insertions(+), 2 deletions(-)
```

@@ -0,0 +1,44 @@
---
title: "[bojemoi] mcp: move PG_PASSWORD and FARADAY_PASSWORD to Docker secrets"
date: 2026-02-27T23:53:40+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 922a790 par Betty dans bojemoi"
author: "Betty"
---
## Commit `922a790`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `922a790edac1bc33b06039dbb17b8ddca2d80b15` |
### Description
Replace plaintext passwords in environment variables with Docker secrets
mcp_pg_password and mcp_faraday_password. Code reads /run/secrets/ first,
falls back to env var for local dev compatibility.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A mcp-server/tools/database.py
A mcp-server/tools/faraday.py
A stack/49-service-mcp.yml
```
### Diff Summary
```
mcp-server/tools/database.py | 180 +++++++++++++++++++++++++++++++++++++++++++
mcp-server/tools/faraday.py | 126 ++++++++++++++++++++++++++++++
stack/49-service-mcp.yml | 70 +++++++++++++++++
3 files changed, 376 insertions(+)
```
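Review bot: the fallback in the Description ("falls back to env var for local dev compatibility") lets a production container start on an environment-variable password whenever the secret mount is missing, with nothing to show which source was used. Log the source (never the value) at startup, or fail closed unless an explicit dev flag is set. The title says "move", yet all three files are listed as A (added); the post should say that database.py, faraday.py and the stack file are new in this commit.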

@@ -0,0 +1,40 @@
---
title: "[bojemoi] base: fix postfix-exporter crash on missing mail.log"
date: 2026-02-28T23:32:46+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit d32b868 par Betty dans bojemoi"
author: "Betty"
---
## Commit `d32b868`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `d32b868fa3ec8feb6e84c15a4c0c2ac4272da287` |
### Description
The exporter binary defaults to /var/log/mail.log and requires a log
source to be configured. Remove the unused env var and pass the path
explicitly via CLI flag. The file is pre-created in the shared volume.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
```

@@ -0,0 +1,47 @@
---
title: "[bojemoi] uzi: shell→meterpreter upgrade + fix Telegram chat_id"
date: 2026-03-01T13:31:20+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 0cd3d6c par Betty dans bojemoi"
author: "Betty"
---
## Commit `0cd3d6c`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `0cd3d6c5380737493f70bf353ed97fb2005fc1c6` |
### Description
- Add upgrade_to_meterpreter(): injects msfvenom ELF stager via base64 into
shell sessions, connects bind_tcp handler — no LHOST/reverse routing needed
- Add handle_new_sessions(): auto-upgrades new shell sessions, deduplicates
via upgraded_sessions set, then sends Telegram alert
- Fix port conflict: kill stale stager on bind_port before injection (fuser -k)
- Fix read_secret(): env var now takes priority over Docker secret file,
allowing TELEGRAM_ALERT_CHAT_ID override without recreating shared secrets
- Stack: add BIND_PORT=5556, PYTHONUNBUFFERED=1, TELEGRAM_ALERT_CHAT_ID=-5087117106
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/thearm_uzi | 123 ++++++++++++++++++++++++++++++++++++++++--
stack/40-service-borodino.yml | 3 ++
2 files changed, 121 insertions(+), 5 deletions(-)
```
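Review bot: the read_secret() bullet reverses the precedence described in the mcp post on this page (secret file first, env var as fallback): with the env var taking priority, any value left in a stack file silently overrides the Docker secret for every setting read through that helper. Keep the secret authoritative and give the chat-id override its own explicitly named variable. The Stack bullet also publishes the real TELEGRAM_ALERT_CHAT_ID in a post with draft: false; replace it with a placeholder in the blog text.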

@@ -0,0 +1,52 @@
---
title: "[bojemoi] borodino: uzi debug mode + lhost DNS + traefik meterpreter + mcp startover"
date: 2026-03-01T11:28:00+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 0d8daa6 par Betty dans bojemoi"
author: "Betty"
---
## Commit `0d8daa6`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `0d8daa6342c3df30e8337cd0669bf2cde4113fd5` |
### Description
- Dockerfile: remove hardcoded VPN config files from image
- start_uzi.sh: log LHOST/LPORT at startup
- stack/borodino: switch uzi to DEBUG_MODE=1, LHOST=lhost.bojemoi.lab,
MODE_RUN=1, remove port 4444 host mode, add Traefik TCP passthrough
for meterpreter; bm12 DEBUG_MODE=1 replicas=1; pentest network name fix
- scripts/startover.sh: add mcp stack deployment
- dnsmask: add lhost.bojemoi.lab → 192.168.1.121 for meterpreter listener
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
M borodino/start_uzi.sh
M scripts/startover.sh
M stack/40-service-borodino.yml
M volumes/dnsmask/dnsmask.d/01-base.conf
```
### Diff Summary
```
borodino/Dockerfile.borodino | 2 --
borodino/start_uzi.sh | 2 ++
scripts/startover.sh | 1 +
stack/40-service-borodino.yml | 20 +++++++++++---------
volumes/dnsmask/dnsmask.d/01-base.conf | 3 +++
5 files changed, 17 insertions(+), 11 deletions(-)
```
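Review bot: the first Description bullet removes the hardcoded VPN config files from the Dockerfile, but images already built from the earlier Dockerfile still carry those files in their layers; the description should say that the old image tags were deleted and the VPN credentials rotated. The dnsmask bullet also puts an internal hostname together with its LAN address into a published post; the hostname alone is enough to document the change.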

@@ -0,0 +1,50 @@
---
title: "[bojemoi-telegram] telegram: remove Twitter/X integration — API is paid"
date: 2026-03-01T19:34:45+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit 17760b5 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `17760b5`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `17760b5fb170f9d07bf107585c9c49bc0047338c` |
### Description
X API v2 requires paid plan even for basic posting.
Removed: integrations/twitter_x.py, scripts/share_blog_x.py,
/tweet command, tweepy dependency, TWITTER_* config entries.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
D scripts/share_blog_x.py
M telegram-bot/bot.py
M telegram-bot/config.py
M telegram-bot/integrations/__init__.py
D telegram-bot/integrations/twitter_x.py
M telegram-bot/requirements.txt
```
### Diff Summary
```
scripts/share_blog_x.py | 69 ---------------------------------
telegram-bot/bot.py | 35 -----------------
telegram-bot/config.py | 5 ---
telegram-bot/integrations/__init__.py | 6 ---
telegram-bot/integrations/twitter_x.py | 70 ----------------------------------
telegram-bot/requirements.txt | 3 --
6 files changed, 188 deletions(-)
```

@@ -0,0 +1,36 @@
---
title: "[bojemoi] uzi: disable DEBUG_MODE (back to production targets)"
date: 2026-03-01T13:32:05+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 1844950 par Betty dans bojemoi"
author: "Betty"
---
## Commit `1844950`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `184495028b9dbdd1191d92fd3913bd9ff45bf4b4` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/40-service-borodino.yml
```
### Diff Summary
```
stack/40-service-borodino.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
```

@@ -0,0 +1,40 @@
---
title: "[bojemoi] uzi: wrap LHOST/LPORT in try/except — handles all edge cases"
date: 2026-03-01T15:02:16+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 1b836c1 par Betty dans bojemoi"
author: "Betty"
---
## Commit `1b836c1`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `1b836c11efad8d8b6f55ed4beac048aa01489e60` |
### Description
shell_bind_tcp_random_port contains 'bind' but exposes no LPORT.
Rather than enumerate exceptions, catch KeyError silently for any
payload option that doesn't exist.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
```
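Review bot: catching KeyError silently, as the Description proposes, also hides a misspelled option name or an option the payload really needs, so a run can continue with LHOST or LPORT unset and fail later with no trace of why. Test whether the option exists before assigning it, or log the skipped option at debug level. The title's "handles all edge cases" overstates what a blanket except provides and should be toned down.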

@@ -0,0 +1,39 @@
---
title: "[bojemoi-telegram] scripts: add share_blog_x.py — post Docker Hub blog post to @Bojemoi_Lab"
date: 2026-03-01T19:10:50+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit 29a2c80 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `29a2c80`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `29a2c80adfbfc92065d1261f8bbd2eee5b8ca608` |
### Description
One-shot script to tweet the Docker Hub announcement as a thread.
Reads credentials from telegram-bot/.env. Run once keys are configured.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A scripts/share_blog_x.py
```
### Diff Summary
```
scripts/share_blog_x.py | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
```

@@ -0,0 +1,40 @@
---
title: "[bojemoi] uzi: display sessions after each payload attempt"
date: 2026-03-01T11:23:28+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 48dea1e par Betty dans bojemoi"
author: "Betty"
---
## Commit `48dea1e`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `48dea1e145e599757839ce75ab31597b1c675193` |
### Description
Print active sessions immediately after each exploit/payload run
instead of only at the end of the host scan. Send Telegram alert
on the spot if a new session is detected.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 4 ++++
1 file changed, 4 insertions(+)
```

@@ -0,0 +1,36 @@
---
title: "[bojemoi] uzi: fix range starting at 0 — first exploit was always skipped"
date: 2026-03-01T11:18:39+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 4da8aa1 par Betty dans bojemoi"
author: "Betty"
---
## Commit `4da8aa1`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `4da8aa161169190fbb2e08f5b91274c01b944d65` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
```

@@ -0,0 +1,51 @@
---
title: "[bojemoi-telegram] telegram: add Twitter/X integration — /tweet command via API v2"
date: 2026-03-01T19:08:58+01:00
draft: false
tags: ["commit", "bojemoi-telegram", "master"]
categories: ["Git Activity"]
summary: "Commit 57fd2a5 par Betty dans bojemoi-telegram"
author: "Betty"
---
## Commit `57fd2a5`
| | |
|---|---|
| **Repository** | bojemoi-telegram |
| **Branch** | `master` |
| **Author** | Betty |
| **Hash** | `57fd2a5bd70e596843b838a36a0e0a5f24ac4c11` |
### Description
- integrations/twitter_x.py: TwitterXClient (post_tweet, post_thread) via tweepy OAuth 1.0a
- config.py: read TWITTER_API_KEY / SECRET / ACCESS_TOKEN / ACCESS_TOKEN_SECRET from secrets or env
- bot.py: /tweet command posts to @Bojemoi_Lab, returns tweet URL
- requirements.txt: add tweepy>=4.14.0
Credentials (TWITTER_API_KEY etc.) set in .env — bot gracefully disabled if missing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M telegram-bot/bot.py
M telegram-bot/config.py
M telegram-bot/integrations/__init__.py
A telegram-bot/integrations/twitter_x.py
M telegram-bot/requirements.txt
```
### Diff Summary
```
telegram-bot/bot.py | 37 ++++++++++++++++++
telegram-bot/config.py | 6 +++
telegram-bot/integrations/__init__.py | 6 +++
telegram-bot/integrations/twitter_x.py | 70 ++++++++++++++++++++++++++++++++++
telegram-bot/requirements.txt | 3 ++
5 files changed, 122 insertions(+)
```

@@ -0,0 +1,41 @@
---
title: "[bojemoi] uzi: fix payload execution — load payload object with LHOST/LPORT"
date: 2026-03-01T00:02:38+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 650bc6a par Betty dans bojemoi"
author: "Betty"
---
## Commit `650bc6a`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `650bc6a66ea07b4ce05d0d80f497fb8732810f33` |
### Description
Passing a payload string to run_module_with_output() caused ValueError
because pymetasploit3 requires a configured PayloadModule object.
Now loads the payload via client.modules.use() and sets LHOST/LPORT
before execution, so exploits actually run against the target.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 121 ++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 109 insertions(+), 12 deletions(-)
```

@@ -0,0 +1,40 @@
---
title: "[bojemoi] bm12: debug mode sequential iteration over host_debug"
date: 2026-03-01T11:06:32+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 6eaba66 par Betty dans bojemoi"
author: "Betty"
---
## Commit `6eaba66`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `6eaba6610e81bb4a43a00ddd5863d3127f36a396` |
### Description
Same fix as uzi: load all host_debug records upfront ordered by id,
iterate sequentially, stop after last record instead of looping
infinitely on the same host.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_bm12
```
### Diff Summary
```
borodino/thearm_bm12 | 121 ++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 114 insertions(+), 7 deletions(-)
```

@@ -0,0 +1,40 @@
---
title: "[bojemoi] uzi: skip LPORT for non-network payloads (generic, exec, download_exec)"
date: 2026-03-01T15:00:02+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 80f619f par Betty dans bojemoi"
author: "Betty"
---
## Commit `80f619f`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `80f619feee2d271a6684bc493f251b2c15dbc78a` |
### Description
Payloads like cmd/unix/generic, php/exec, php/download_exec don't expose
LPORT either. Guard both LHOST and LPORT with an is_network_payload check
(payload name contains 'reverse' or 'bind').
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
```

@@ -0,0 +1,36 @@
---
title: "[bojemoi] bm12: back to production (DEBUG_MODE=0, 5 replicas)"
date: 2026-03-01T15:07:29+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a3e96f6 par Betty dans bojemoi"
author: "Betty"
---
## Commit `a3e96f6`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a3e96f637a1804cecbf0f6f68a7a8187f695f1bc` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/40-service-borodino.yml
```
### Diff Summary
```
stack/40-service-borodino.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
```

@@ -0,0 +1,41 @@
---
title: "[bojemoi] uzi: fix KeyError RHOSTS + debug mode sequential iteration"
date: 2026-03-01T11:03:58+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit ad69e0f par Betty dans bojemoi"
author: "Betty"
---
## Commit `ad69e0f`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `ad69e0f087d5ced8bec7e86a7414cff25e2de112` |
### Description
- use runoptions.get() instead of [] to avoid KeyError on exploits
without RHOSTS/RPORT (e.g. exploit/multi/fileformat/zip_slip)
- debug mode: load all host_debug records upfront, iterate sequentially
by id, stop after last record instead of looping infinitely
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 75 ++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 60 insertions(+), 15 deletions(-)
```

@@ -0,0 +1,40 @@
---
title: "[bojemoi] uzi: skip LHOST for bind payloads — only set on reverse payloads"
date: 2026-03-01T14:57:51+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit ecc2fa3 par Betty dans bojemoi"
author: "Betty"
---
## Commit `ecc2fa3`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `ecc2fa358aacd4166fe8b6c98dc03a491f73624a` |
### Description
Bind payloads (bind_tcp, bind_awk, bind_netcat, etc.) don't expose an
LHOST option; setting it caused KeyError spam on every attempt.
Guard the assignment with `if 'reverse' in payload`.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
```

@@ -0,0 +1,39 @@
---
title: "[bojemoi] ci(trivy): authenticate git clone with GITEA_TOKEN"
date: 2026-03-03T20:23:27+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 4e0c344 par Betty dans bojemoi"
author: "Betty"
---
## Commit `4e0c344`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `4e0c344989164ca152594d85be1d257f88db1c8e` |
### Description
Repo is private — pass oauth2 token in clone URL to avoid
"could not read Username" error.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M .gitea/workflows/trivy.yml
```
### Diff Summary
```
.gitea/workflows/trivy.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
```
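Review bot: passing the oauth2 token in the clone URL, as the Description says, leaves GITEA_TOKEN in the cloned repository's .git/config as part of the remote URL and can surface it in job logs when git echoes the URL in an error message. Supply the token through an http.extraHeader setting or a credential helper scoped to that one command, and confirm the runner masks the secret in its log output.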

@@ -0,0 +1,40 @@
---
title: "[bojemoi] ci: add Trivy security scan workflow (misconfig + secrets)"
date: 2026-03-03T20:16:27+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a0760dd par Betty dans bojemoi"
author: "Betty"
---
## Commit `a0760dd`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a0760dd8976da397f6270effe123ddba1e4db04a` |
### Description
Scans 30+ Dockerfiles and 10 stack YAMLs for HIGH/CRITICAL misconfigurations
and exposed secrets on every push to main. Advisory mode (exit-code 0) to
avoid blocking deployments during initial noise triage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A .gitea/workflows/trivy.yml
```
### Diff Summary
```
.gitea/workflows/trivy.yml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
```
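Review bot: with exit-code 0 the workflow never fails, so an exposed secret pushed to main is reported but not stopped; the Description should name the condition or date that ends advisory mode. Consider giving the secret scan a failing exit code first, since a true positive there is the most costly, and keeping only the misconfiguration scan advisory during triage.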

@@ -0,0 +1,39 @@
---
title: "[bojemoi] ci(trivy): fix clone path — use /repo instead of /workspace"
date: 2026-03-03T20:21:24+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit fb0c2c1 par Betty dans bojemoi"
author: "Betty"
---
## Commit `fb0c2c1`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `fb0c2c15dd9aa09ae05aefc489dea66074da6b29` |
### Description
Runner mounts a volume at /workspace/bojemoi/bojemoi by default,
causing git clone to fail with "not an empty directory".
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M .gitea/workflows/trivy.yml
```
### Diff Summary
```
.gitea/workflows/trivy.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
```

@@ -0,0 +1,42 @@
---
title: "[bojemoi] blog: add Alpine Linux post (FR + EN)"
date: 2026-03-04T20:34:50+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 988b7d2 par Betty dans bojemoi"
author: "Betty"
---
## Commit `988b7d2`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `988b7d2c70a1d4ca2fa4a0d32d1d5a22511d867e` |
### Description
Personal story behind the project origin: why Alpine Linux was chosen
for Bojemoi Lab, how Docker Swarm was adopted, and the workflow shift
triggered by Claude's answer on Git vs. AI-generated code.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A blog/choisir-alpine-linux-en.md
A blog/choisir-alpine-linux-fr.md
```
### Diff Summary
```
blog/choisir-alpine-linux-en.md | 93 +++++++++++++++++++++++++++++++++++++++++
blog/choisir-alpine-linux-fr.md | 93 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 186 insertions(+)
```

@@ -0,0 +1,42 @@
---
title: "[bojemoi] sec: move alertmanager Telegram bot_token to Docker secret"
date: 2026-03-14T21:58:15+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 17c82ec par Betty dans bojemoi"
author: "Betty"
---
## Commit `17c82ec`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `17c82ec0d417b70ba3082159a3932542be1d48f8` |
### Description
Replace plaintext bot_token in alertmanager.yml with bot_token_file
pointing to /run/secrets/telegram_bot_token (existing external secret).
Mount the secret in the alertmanager service definition.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
M volumes/alertmanager/alertmanager.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 2 ++
volumes/alertmanager/alertmanager.yml | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
```
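Review bot: replacing the plaintext bot_token in alertmanager.yml, as the Description states, cleans the current file only; earlier revisions of volumes/alertmanager/alertmanager.yml still contain the token, so it should be revoked and reissued, and the post should say that this was done. The commit also reuses the existing external secret telegram_bot_token, so the description should list which other services mount it and therefore share the same bot credentials.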

@@ -0,0 +1,137 @@
---
title: "[bojemoi] feat: sentinel IoT detector, trivy CI split, MCP server, provisioning hardening"
date: 2026-03-14T21:52:42+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 487dbeb par Betty dans bojemoi"
author: "Betty"
---
## Commit `487dbeb`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `487dbeb8e3c3b20fbe5aef6bb0a7ee9dd7db82ea` |
### Description
sentinel:
- mosquitto config renamed to mosquitto_passwd_v2 (external)
- collector: Docker secrets support for MQTT/PG passwords
- SQL: fix timezone-aware index (DATE(first_seen AT TIME ZONE 'UTC'))
- alertmanager: Telegram receiver for perimeter alerts (immediate routing)
- prometheus: add sentinel-collector scrape config + alert rules
- grafana: sentinel dashboard + postgres datasource
- startover: add sentinel (stack 55) to boot sequence
trivy:
- CI: split into security:trivy:dockerfile (config scan) + security:trivy:images (registry scan)
- images job: pulls localhost:5000 images, CRITICAL blocks, HIGH logged
- SARIF artifacts for both jobs
- new stack/50-service-trivy.yml + trivy-scanner/
- startover: add trivy (stack 50) to boot sequence
mcp-server:
- new mcp-server/ (server.py, tools/nmap.py, tools/osint.py)
- .mcp.json: Claude Code MCP config → http://localhost:8001/sse
provisioning:
- Dockerfile: multi-stage build, non-root user, no curl (urllib healthcheck)
- runtime: libpq5 only (no -dev), compiled .pyc, no source files
borodino:
- uzi: DEBUG_MODE=1 (test against Metasploitable 192.168.1.2)
grafana:
- stack 01: add SENTINEL_PG_PASS env var
blog: 10 new posts (MCP, Trivy, architecture, DockerHub, Alpine)
archi.md: architecture overview doc
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A .mcp.json
A archi.md
A blog/architecture-bojemoi-lab-linkedin.md
A blog/architecture-bojemoi-lab-telegram.md
A blog/bojemoi-lab-sur-dockerhub.md
A blog/choisir alpine linux.md
A blog/mcp-server-bojemoi-lab.md
A blog/trivy-gitea-actions-en.md
A blog/trivy-gitea-actions-fr.md
A blog/tryvi implement.md
A blog/turn into MCP.md
A claude/Dockerfile
A claude/claude.sh
A mcp-server/Dockerfile
A mcp-server/requirements.txt
A mcp-server/server.py
A mcp-server/tools/__init__.py
A mcp-server/tools/nmap.py
A mcp-server/tools/osint.py
M provisioning/Dockerfile.provisioning
M scripts/startover.sh
M sentinel/collector/collector.py
M sentinel/sql/02-tables.sql
M stack/.gitlab-ci.yml
M stack/01-service-hl.yml
M stack/40-service-borodino.yml
A stack/50-service-trivy.yml
M stack/55-service-sentinel.yml
A trivy-scanner/Dockerfile
A trivy-scanner/scan-images.sh
M volumes/alertmanager/alertmanager.yml
A volumes/grafana/dashboards/sentinel.json
A volumes/grafana/datasources/sentinel-postgres.yml
M volumes/prometheus/prometheus.yml
A volumes/prometheus/rules/sentinel_alerts.yml
```
### Diff Summary
```
.mcp.json | 8 +
archi.md | 165 +++++++++++++
blog/architecture-bojemoi-lab-linkedin.md | 26 ++
blog/architecture-bojemoi-lab-telegram.md | 23 ++
blog/bojemoi-lab-sur-dockerhub.md | 160 ++++++++++++
blog/choisir alpine linux.md | 37 +++
blog/mcp-server-bojemoi-lab.md | 125 ++++++++++
blog/trivy-gitea-actions-en.md | 104 ++++++++
blog/trivy-gitea-actions-fr.md | 104 ++++++++
blog/tryvi implement.md | 95 +++++++
blog/turn into MCP.md | 223 +++++++++++++++++
claude/Dockerfile | 3 +
claude/claude.sh | 9 +
mcp-server/Dockerfile | 22 ++
mcp-server/requirements.txt | 6 +
mcp-server/server.py | 288 ++++++++++++++++++++++
mcp-server/tools/__init__.py | 0
mcp-server/tools/nmap.py | 95 +++++++
mcp-server/tools/osint.py | 140 +++++++++++
provisioning/Dockerfile.provisioning | 55 +++--
scripts/startover.sh | 2 +
sentinel/collector/collector.py | 15 +-
sentinel/sql/02-tables.sql | 2 +-
stack/.gitlab-ci.yml | 107 +++++++-
stack/01-service-hl.yml | 1 +
stack/40-service-borodino.yml | 2 +-
stack/50-service-trivy.yml | 23 ++
stack/55-service-sentinel.yml | 4 +-
trivy-scanner/Dockerfile | 14 ++
trivy-scanner/scan-images.sh | 78 ++++++
volumes/alertmanager/alertmanager.yml | 29 +++
volumes/grafana/dashboards/sentinel.json | 235 ++++++++++++++++++
volumes/grafana/datasources/sentinel-postgres.yml | 16 ++
volumes/prometheus/prometheus.yml | 7 +
volumes/prometheus/rules/sentinel_alerts.yml | 52 ++++
35 files changed, 2244 insertions(+), 31 deletions(-)
```
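Review bot: the grafana entry adds SENTINEL_PG_PASS to stack 01 as an environment variable, while the sentinel entry in the same Description gives the collector Docker secrets support for the PG password; check whether the Grafana datasource can read the value from a mounted secret file so the password does not return to the stack environment. The commit also bundles seven unrelated areas across 35 files, including a switch of uzi back to DEBUG_MODE=1, which makes it hard to review or revert one part; split it per component.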

@@ -0,0 +1,61 @@
---
title: "[bojemoi] feat(sentinel): add MQTT broker + collector stack"
date: 2026-03-14T21:29:41+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 54cb79f par Betty dans bojemoi"
author: "Betty"
---
## Commit `54cb79f`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `54cb79febc29019f1ff67feecaa3d69c413b9739` |
### Description
- eclipse-mosquitto via local registry (localhost:5000/mosquitto:2.0)
- sentinel-collector image built from sentinel/collector/
- mosquitto passwd file injected as Docker config (uid 1883, mode 0400)
- secrets: sentinel_mqtt_pass, sentinel_pg_pass (external)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A sentinel/collector/Dockerfile
A sentinel/collector/collector.py
A sentinel/collector/requirements.txt
A sentinel/esp32/sentinel_probe.ino
A sentinel/mosquitto/mosquitto.conf
A sentinel/setup.sh
A sentinel/sql/01-init-db.sql
A sentinel/sql/02-tables.sql
A sentinel/sql/03-grants.sql
A sentinel/sql/apply.sh
A stack/55-service-sentinel.yml
```
### Diff Summary
```
sentinel/collector/Dockerfile | 9 +
sentinel/collector/collector.py | 337 ++++++++++++++++++++++++++++++++++++
sentinel/collector/requirements.txt | 3 +
sentinel/esp32/sentinel_probe.ino | 213 +++++++++++++++++++++++
sentinel/mosquitto/mosquitto.conf | 18 ++
sentinel/setup.sh | 50 ++++++
sentinel/sql/01-init-db.sql | 28 +++
sentinel/sql/02-tables.sql | 93 ++++++++++
sentinel/sql/03-grants.sql | 18 ++
sentinel/sql/apply.sh | 45 +++++
stack/55-service-sentinel.yml | 140 +++++++++++++++
11 files changed, 954 insertions(+)
```
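
Review bot: In the Description, the mosquitto passwd file is injected as a Docker config while `sentinel_mqtt_pass` and `sentinel_pg_pass` are external secrets. The passwd file holds the broker's password hashes, and Docker configs, unlike secrets, are not encrypted at rest and are mounted on the container filesystem rather than a RAM disk. Suggest shipping it as a secret with the same uid 1883 and mode 0400, or stating in the commit message why a config is acceptable here.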

@@ -0,0 +1,42 @@
---
title: "[bojemoi] sec: move alertmanager SMTP password to Docker secret"
date: 2026-03-14T22:01:42+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 8d7722b par Betty dans bojemoi"
author: "Betty"
---
## Commit `8d7722b`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `8d7722b8fc79d99c88d2e641c453391a8ddbe2a1` |
### Description
Replace plaintext smtp_auth_password with smtp_auth_password_file
pointing to /run/secrets/alertmanager_smtp_pass (new external secret).
Mount the secret in the alertmanager service definition.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
M volumes/alertmanager/alertmanager.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 3 +++
volumes/alertmanager/alertmanager.yml | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
```
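
Review bot: The Description says a plaintext `smtp_auth_password` was replaced, but not that the password itself was changed. The old value stays readable in the history of `volumes/alertmanager/alertmanager.yml`, so the new `alertmanager_smtp_pass` secret should carry a rotated password and the commit message should say so.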

@@ -0,0 +1,39 @@
---
title: "[bojemoi] blog: add alertmanager Docker secrets post (FR)"
date: 2026-03-18T13:52:12+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 1041a8b par Betty dans bojemoi"
author: "Betty"
---
## Commit `1041a8b`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `1041a8bda741d876cf2219db23acbc10e7e304f0` |
### Description
Article sur la gestion des credentials alertmanager (SMTP, Telegram)
via Docker secrets — zéro credential en clair dans les stack files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A blog/alertmanager-docker-secrets-fr.md
```
### Diff Summary
```
blog/alertmanager-docker-secrets-fr.md | 174 +++++++++++++++++++++++++++++++++
1 file changed, 174 insertions(+)
```

@@ -0,0 +1,48 @@
---
title: "[bojemoi] feat: add breachforum CTI discovery service (stack 66)"
date: 2026-03-18T13:50:59+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 8671e81 par Betty dans bojemoi"
author: "Betty"
---
## Commit `8671e81`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `8671e81c7066d225e67a59773637a06cc0471a0f` |
### Description
Multi-source .onion discovery: Ahmia, Reddit, Tor directories.
Validates via embedded Tor SOCKS5, stores in PostgreSQL (bojemoi_cti),
alerts Telegram PTaaS group on new discoveries. Runs hourly loop.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A discovery/Dockerfile
A discovery/breachforum_discovery_api.py
A discovery/breachforum_onion_discovery.py
A discovery/entrypoint.sh
A stack/66-service-discovery.yml
```
### Diff Summary
```
discovery/Dockerfile | 34 +++
discovery/breachforum_discovery_api.py | 259 +++++++++++++++++++
discovery/breachforum_onion_discovery.py | 421 +++++++++++++++++++++++++++++++
discovery/entrypoint.sh | 33 +++
stack/66-service-discovery.yml | 73 ++++++
5 files changed, 820 insertions(+)
```

@@ -0,0 +1,46 @@
---
title: "[bojemoi] feat(borodino/uzi): auto-detect LHOST, split LPORT_BIND, improve exploit targeting"
date: 2026-03-18T13:52:08+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit b93e503 par Betty dans bojemoi"
author: "Betty"
---
## Commit `b93e503`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `b93e503aa9dad4480f64441469d4b9edfe7ea8be` |
### Description
- Auto-detect public IP via ipify/ifconfig.me (fallback to local IP)
- Split LPORT (payload) vs LPORT_BIND (handler) for NAT environments
- Listener binds 0.0.0.0 instead of LHOST
- get_random_host: ILIKE + filter on purpose (server/device/router/firewall)
- Handle RPORT from open_ports, set empty string for PASSWORD fields
- Prioritize bind payloads over reverse for internet targets
- Remove upfront linux module search (now per-host via build_targeted_exploits)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/thearm_uzi | 53 +++++++++++++++++++++++++++++++++++--------
stack/40-service-borodino.yml | 5 ++--
2 files changed, 46 insertions(+), 12 deletions(-)
```

@@ -0,0 +1,58 @@
---
title: "[bojemoi] chore: add Discord bot scaffold + breachforum discovery scripts"
date: 2026-03-18T13:52:16+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit fced696 par Betty dans bojemoi"
author: "Betty"
---
## Commit `fced696`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `fced6969ff26f0d023add39a0eb4bf764c2ef291` |
### Description
- discord/: structure.yml + create_structure.sh for Discord bot setup
- scripts/: original breachforum discovery archive files (Dockerfile,
docker-compose, API, onion discovery, examples, integration guide)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A discord/.env.example
A discord/create_structure.sh
A discord/structure.yml
A scripts/Dockerfile.discovery
A scripts/INTEGRATION_GUIDE.sh
A scripts/README.md
A scripts/breachforum_discovery_api.py
A scripts/breachforum_onion_discovery.py
A scripts/docker-compose.discovery.yml
A scripts/examples_usage.py
```
### Diff Summary
```
discord/.env.example | 17 ++
discord/create_structure.sh | 68 +++++
discord/structure.yml | 38 +++
scripts/Dockerfile.discovery | 34 +++
scripts/INTEGRATION_GUIDE.sh | 205 +++++++++++++
scripts/README.md | 540 +++++++++++++++++++++++++++++++++
scripts/breachforum_discovery_api.py | 259 ++++++++++++++++
scripts/breachforum_onion_discovery.py | 421 +++++++++++++++++++++++++
scripts/docker-compose.discovery.yml | 99 ++++++
scripts/examples_usage.py | 301 ++++++++++++++++++
10 files changed, 1982 insertions(+)
```

@@ -0,0 +1,49 @@
---
title: "[bojemoi] feat(borodino/uzi): use Claude AI to extract MSF search terms from service info"
date: 2026-03-21T13:53:26+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 11a8e69 par Betty dans bojemoi"
author: "Betty"
---
## Commit `11a8e69`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `11a8e69e56d84465e551709e19aa64403cba2d6f` |
### Description
- Add `s.info` column to `get_host_services_by_address` query
- Add `extract_search_terms_via_ai()` using Claude Haiku to parse service
info strings (e.g. "vsftpd 2.3.4" → "vsftpd", "UnrealIRCd" → "unreal")
- Merge AI terms with static SERVICE_EXPLOIT_MAP in build_targeted_exploits
- Fix tuple unpacking to handle 3-tuple (port, name, info)
- Add `anthropic` pip package to Dockerfile.borodino
- Add ANTHROPIC_API_KEY env var to uzi-service in stack
- Set bm12-service DEBUG_MODE=1, replicas=1 for debug workflow
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/Dockerfile.borodino | 3 +-
borodino/thearm_uzi | 70 ++++++++++++++++++++++++++++++++++++++++---
stack/40-service-borodino.yml | 21 +++++--------
3 files changed, 76 insertions(+), 18 deletions(-)
```
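
Review bot: The Description line "Add ANTHROPIC_API_KEY env var to uzi-service in stack" puts an API key in the service environment, where it is visible through `docker service inspect` and in the process environment of the container. Other commits on this page pass credentials as external Docker secrets; suggest doing the same here and reading the key from a file under /run/secrets.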

@@ -0,0 +1,41 @@
---
title: "[bojemoi] feat(borodino/uzi): enrich meterpreter Telegram alerts with sysinfo/uid/pid"
date: 2026-03-23T18:56:51+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 392a1a2 par Betty dans bojemoi"
author: "Betty"
---
## Commit `392a1a2`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `392a1a2a4a7be69eb0f597ac7f6eca2b20290355` |
### Description
- Add arch, tunnel_peer from MSF session dict to all alerts
- Run sysinfo, getuid, getpid on meterpreter session after upgrade
- Fix alert spam: send only new_shells (not all current sessions)
- Add send_telegram_alert call on successful meterpreter upgrade
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_uzi | 388 ++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 314 insertions(+), 74 deletions(-)
```

@@ -0,0 +1,53 @@
---
title: "[bojemoi] feat(orchestrator): add VulnHub VM automation endpoints"
date: 2026-03-25T23:05:13+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 27f5ef4 par Betty dans bojemoi"
author: "Betty"
---
## Commit `27f5ef4`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `27f5ef454a4d419fd606a38a1272cdb13778148f` |
### Description
- Add VULNHUB_CATALOG with 8 VMs (metasploitable2/3, dvwa, dc-1,
kioptrix-1, basic-pentesting-1, lampiao, pwnlab-init)
- VulnHubManager: asyncpg pool + host_debug upsert (multi-target,
unlike rapid7 which replaces)
- Endpoints: GET catalog, GET targets, POST deploy/{vm_id},
DELETE {vm_id} — clone XenServer template → start → poll IP →
register in host_debug for bm12/uzi DEBUG_MODE scanning
- Add Pydantic models: VulnHubDeployRequest/Response, VulnHubTargetsResponse
- Add scripts/import_vulnhub_ova.sh: xe vm-import helper for
first-time OVA → template creation on XenServer host
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M provisioning/orchestrator/app/main.py
M provisioning/orchestrator/app/models/schemas.py
A provisioning/orchestrator/app/services/vulnhub_manager.py
A scripts/import_vulnhub_ova.sh
```
### Diff Summary
```
provisioning/orchestrator/app/main.py | 184 +++++++++++++++++++-
provisioning/orchestrator/app/models/schemas.py | 53 ++++++
.../orchestrator/app/services/vulnhub_manager.py | 188 +++++++++++++++++++++
scripts/import_vulnhub_ova.sh | 123 ++++++++++++++
4 files changed, 547 insertions(+), 1 deletion(-)
```
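
Review bot: The endpoint list in the Description (POST deploy/{vm_id}, DELETE {vm_id}) does not say how callers are authenticated or how `vm_id` is checked. These routes clone, start and remove VMs on the XenServer host, so the description should state the authentication requirement and that `vm_id` is resolved only against VULNHUB_CATALOG, never used as a free-form template or VM name.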

@@ -0,0 +1,36 @@
---
title: "[bojemoi_boot] fix(docker-socket-proxy): enable POST/DELETE for orchestrator service management"
date: 2026-03-25T23:19:24+01:00
draft: false
tags: ["commit", "bojemoi_boot", "main"]
categories: ["Git Activity"]
summary: "Commit 2c09e8b par Betty dans bojemoi_boot"
author: "Betty"
---
## Commit `2c09e8b`
| | |
|---|---|
| **Repository** | bojemoi_boot |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `2c09e8b58620567008227717cd3b4c1e6275b354` |
### Description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-boot-service.yml
```
### Diff Summary
```
stack/01-boot-service.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
```
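
Review bot: The Description is empty apart from the Co-Authored-By trailer, while the title enables POST and DELETE on docker-socket-proxy. That lets any client that can reach the proxy send write requests to the Docker API, so the commit body should record which API sections are enabled alongside POST/DELETE and which services are attached to the proxy's network.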

@@ -0,0 +1,56 @@
---
title: "[bojemoi] feat(borodino): enrich bm12/uzi with VulnHub-style attack surface detection"
date: 2026-03-25T22:52:46+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 5a9bdd9 par Betty dans bojemoi"
author: "Betty"
---
## Commit `5a9bdd9`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `5a9bdd9da9c03d43ef601a9663f565f51950dcde` |
### Description
bm12:
- NSE: add http-shellshock, http-php-version, http-webdav-scan, http-auth-finder,
http-default-accounts to HTTP/HTTPS scripts
- NSE: add smtp-open-relay, add nfs (nfs-ls,nfs-showmount,nfs-statfs,rpcinfo)
- _VULN_INDICATORS: 20 patterns (vsftpd 2.3.4 backdoor, ProFTPD mod_copy, WordPress,
Joomla, Drupal, Shellshock CGI, Tomcat manager, WebDAV, phpMyAdmin, Jenkins,
Struts, Redis/MongoDB noauth, Samba old, SNMP public, SMTP open relay, NFS export)
- detect_vuln_indicators(): parses service banners against _VULN_INDICATORS
- run_scan(): call detect_vuln_indicators, store attack_surface in scan_details,
boost type=vuln_web when web vulns detected (after IoT priority)
uzi:
- _OS_EXPLOIT_PATHS: add vuln_web → exploit/unix/webapp/, multi/http/, unix/http/
- _VULN_EXPLOIT_TERMS: maps 18 vuln indicators to MSF search terms
- get_os_paths(): handle vuln_web type
- build_targeted_exploits(): accept scan_details, extract attack_surface terms
- main loop: pass scan_details, apply vuln_web type override, log attack_surface
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_bm12
M borodino/thearm_uzi
```
### Diff Summary
```
borodino/thearm_bm12 | 98 +++++++++++++++++++++++++++++++++++++++++++++++++---
borodino/thearm_uzi | 69 +++++++++++++++++++++++++++++-------
2 files changed, 151 insertions(+), 16 deletions(-)
```

@@ -0,0 +1,108 @@
---
title: "[bojemoi] feat: multi-stage Dockerfiles, DVAR IoT target, bm12/uzi ARM enrichment"
date: 2026-03-25T22:44:39+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit a79479d par Betty dans bojemoi"
author: "Betty"
---
## Commit `a79479d`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `a79479d732a7eb95cb017eee5084f11e08946849` |
### Description
Dockerfiles:
- Convert 8 Dockerfiles to multi-stage / virtual build-deps pattern:
- oblast/Dockerfile.zaproxy: remove make/ant/automake/autoconf/gcc from final stage, openjdk-jdk → jre
- telegram-bot, discovery: proper builder/runtime stages, gcc+libpq-dev removed from runtime
- tsushima: dedicated masscan-builder stage + --virtual .ruby-build-deps
- borodino/Dockerfile.borodino, berezina/Dockerfile.berezina: --virtual .build-deps removed after bundle install
- narva/Dockerfile.narva, borodino/Dockerfile.berezina: remove unused build tools (no bundle install)
- Compile Python sources in: mcp-server, discovery, sentinel/collector, koursk-2
- cccp.sh: docker buildx build --push (direct registry), ensure_registry() boot stack check
DVAR IoT:
- dvar/: Dockerfile.dvar (QEMU ARM emulation, cross-compiled vuln HTTP server), entrypoint, vuln_httpd.c
- stack/56-service-dvar.yml: pentest + iot_network networks, worker placement
- scripts/metasploitable2_exploit.py: Metasploitable2 exploit helper
Borodino bm12/uzi:
- thearm_bm12: arch detection (_ARCH_PATTERNS, _IOT_KEYWORDS), IoT/ARM banner parsing, stores arch in hosts.arch
- thearm_uzi: ARM/MIPS payload selection, IoT OS path, host_arch from DB, generic IoT support
- stack/40-service-borodino.yml: bm12_v3 scan_status target, updated service config
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M .dockerignore
M berezina/Dockerfile.berezina
M borodino/.dockerignore
M borodino/Dockerfile.berezina
M borodino/Dockerfile.borodino
M borodino/thearm_bm12
M borodino/thearm_uzi
M borodino/toto
M discovery/Dockerfile
M discovery/breachforum_onion_discovery.py
M discovery/entrypoint.sh
A dvar/Dockerfile.dvar
A dvar/entrypoint.sh
A dvar/src/vuln_httpd.c
M koursk-2/Dockerfile.koursk-2
M koursk-2/scripts/rsync-start.sh
M mcp-server/Dockerfile
M narva/Dockerfile.narva
M oblast/Dockerfile.zaproxy
M scripts/cccp.sh
A scripts/metasploitable2_exploit.py
M scripts/startover.sh
M sentinel/collector/Dockerfile
M stack/40-service-borodino.yml
A stack/56-service-dvar.yml
A toto
M tsushima/Dockerfile.tsushima
```
### Diff Summary
```
.dockerignore | 1 +
berezina/Dockerfile.berezina | 73 +-
borodino/.dockerignore | 1 +
borodino/Dockerfile.berezina | 29 +-
borodino/Dockerfile.borodino | 51 +-
borodino/thearm_bm12 | 151 ++++-
borodino/thearm_uzi | 579 ++++++++++------
borodino/toto | 1092 ++++++++++++++++++++++++++----
discovery/Dockerfile | 27 +-
discovery/breachforum_onion_discovery.py | 160 ++++-
discovery/entrypoint.sh | 2 +-
dvar/Dockerfile.dvar | 55 ++
dvar/entrypoint.sh | 87 +++
dvar/src/vuln_httpd.c | 194 ++++++
koursk-2/Dockerfile.koursk-2 | 5 +
koursk-2/scripts/rsync-start.sh | 2 +-
mcp-server/Dockerfile | 6 +-
narva/Dockerfile.narva | 14 +-
oblast/Dockerfile.zaproxy | 7 +-
scripts/cccp.sh | 173 +++--
scripts/metasploitable2_exploit.py | 388 +++++++++++
scripts/startover.sh | 1 +
sentinel/collector/Dockerfile | 6 +-
stack/40-service-borodino.yml | 18 +-
stack/56-service-dvar.yml | 55 ++
toto | 945 ++++++++++++++++++++++++++
tsushima/Dockerfile.tsushima | 84 +--
27 files changed, 3504 insertions(+), 702 deletions(-)
```
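
Review bot: `toto` (945 lines added) and `borodino/toto` (1092 lines changed) appear under Files Changed but nowhere in the Description, and the names read like scratch files. Suggest dropping them from the commit or documenting what they are, and splitting the Dockerfile, DVAR and bm12/uzi changes into separate commits so that a 27-file change can be reviewed and reverted piece by piece.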

@@ -0,0 +1,43 @@
---
title: "[bojemoi] fix(orchestrator): use docker-socket-proxy instead of direct socket"
date: 2026-03-25T23:19:08+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit d3bbec7 par Betty dans bojemoi"
author: "Betty"
---
## Commit `d3bbec7`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `d3bbec7b84da8e313944c74b1f56efe8c9822820` |
### Description
- Remove /var/run/docker.sock bind mount from orchestrator service
(was failing with PermissionError since container now runs non-root)
- Add DOCKER_SWARM_URL=tcp://docker-socket-proxy:2375 env var
- Enable POST=1 DELETE=1 on boot/docker-socket-proxy (needed for
service create/delete via orchestrator API)
- Fix config mode 0440→0444 so non-root appuser can read .env config
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
```
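
Review bot: "Fix config mode 0440→0444" in the Description makes the .env config readable by every user in the container. Docker configs accept `uid` and `gid` next to `mode`, so setting them to the appuser's ids and keeping 0440 (or 0400) gives the non-root process access without opening the file to everyone.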

@@ -0,0 +1,42 @@
---
title: "[bojemoi] fix(zap-scanner): handle DOES_NOT_EXIST + add timeout to scan wait loops"
date: 2026-03-26T18:34:02+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 2195edf par Betty dans bojemoi"
author: "Betty"
---
## Commit `2195edf`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `2195edf5009018178f410e8e1a197ae412d059d4` |
### Description
- wait_for_active_scan_completion: break on DOES_NOT_EXIST response
(ZAP restarted → old scan ID gone), add 3600s timeout
- wait_for_spider_completion: same fix, 1800s timeout
- Add timeout=10s to requests.get() calls in both loops
- Scanner was stuck since 2026-03-20 polling dead scan ID 3
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M oblast-1/zap_scanner.py
```
### Diff Summary
```
oblast-1/zap_scanner.py | 55 +++++++++++++++++++++++++++++++++----------------
1 file changed, 37 insertions(+), 18 deletions(-)
```

@@ -0,0 +1,54 @@
---
title: "[bojemoi] refactor(zap-scanner): Redis queue + zap_scan_log + Faraday + concurrency"
date: 2026-03-26T18:51:18+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 2a51f30 par Betty dans bojemoi"
author: "Betty"
---
## Commit `2a51f30`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `2a51f3001b29121a572207ae8f42aa46964ac772` |
### Description
Architecture v2:
- DbFeeder thread: charge hosts web non scannés depuis msf.hosts
(NOT IN zap_scan_log) → Redis queue zap:targets toutes les 300s
- ScanWorker: N scans ZAP concurrents (défaut 3), spider→active scan,
DOES_NOT_EXIST/timeout gérés proprement
- zap_scan_log table: tracking persistant (host_id PK, alerts, status)
— plus de rescans aléatoires des mêmes hosts
- Faraday export: POST vulns via API v3 après chaque scan
- Fix: DB_NAME 'msg' → 'msf', Redis connection error ne crashe plus
- Stack: add REDIS_HOST/PORT, ZAP_CONCURRENCY, FARADAY_WORKSPACE,
scanner sur réseau pentest+backend pour atteindre Redis et ZAP
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M oblast-1/Dockerfile.oblast-1
M oblast-1/requirements.txt
M oblast-1/zap_scanner.py
M stack/40-service-borodino.yml
```
### Diff Summary
```
oblast-1/Dockerfile.oblast-1 | 31 +-
oblast-1/requirements.txt | 2 +-
oblast-1/zap_scanner.py | 737 ++++++++++++++++++++----------------------
stack/40-service-borodino.yml | 42 ++-
4 files changed, 388 insertions(+), 424 deletions(-)
```

@@ -0,0 +1,50 @@
---
title: "[bojemoi] refactor(borodino): standardize env var management across ak47/bm12/uzi"
date: 2026-03-26T18:05:51+01:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 9a69b23 par Betty dans bojemoi"
author: "Betty"
---
## Commit `9a69b23`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `9a69b23259505b2016fee26c42a285a4896d92a2` |
### Description
- Stack: add PG_HOST/PORT/USER/PASSWORD/DBNAME to all 3 services;
add IP2LOC_DBNAME for ak47
- ak47: replace hardcoded user/password/dbname + ping-based IP
resolution with $PG_* env vars; use pg_isready with hostname directly
- bm12: PG_HOST was hardcoded "postgres" → os.getenv(); remove
hardcoded PG_PASSWORD default; add PG_PORT to psycopg2.connect()
- uzi: same as bm12; MODE_RUN was hardcoded 1 → os.getenv("MODE_RUN")
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_ak47
M borodino/thearm_bm12
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/thearm_ak47 | 40 ++++++++++++++++++----------------------
borodino/thearm_bm12 | 7 ++++---
borodino/thearm_uzi | 23 +++++++++++------------
stack/40-service-borodino.yml | 16 ++++++++++++++++
4 files changed, 49 insertions(+), 37 deletions(-)
```
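
Review bot: "add PG_HOST/PORT/USER/PASSWORD/DBNAME to all 3 services" moves the database password out of the scripts but into the service environment, where it is visible through `docker service inspect`. Suggest passing it as an external Docker secret, as the sentinel stack does with `sentinel_pg_pass`, and reading it from the file. Since the Description says ak47 and bm12 previously carried a hardcoded password, that value remains in history and should be rotated.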

@@ -0,0 +1,56 @@
---
title: "[bojemoi] feat(borodino): OpenVPN gateway + fix ak47/bm12 env vars"
date: 2026-03-30T21:24:58+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 631b96e par Betty dans bojemoi"
author: "Betty"
---
## Commit `631b96e`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `631b96e0ca6c8c73c1b320dc3ca9d3ef9ec3e44c` |
### Description
- Switch wg-gateway from WireGuard to OpenVPN (ProtonVPN TCP config)
- Dockerfile.wg-gateway: wireguard-tools → openvpn
- wg-gateway-start.sh: wg-quick → openvpn daemon, wait for tun0, NAT via tun0
- Secrets: protonvpn_wg → protonvpn_ovpn + protonvpn_auth
- Add route-setup.sh: split-tunnel wrapper for ak47/bm12 (RFC1918 via
overlay, internet via VPN gateway)
- Fix ak47/bm12 environment sections: YAML merge replaces lists, so
postgres credentials were missing after adding SCAN_GATEWAY_HOST
- Add .claude/commands/borodino.md skill for C2 stack operations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A .claude/commands/borodino.md
M borodino/Dockerfile.borodino
A borodino/Dockerfile.wg-gateway
A borodino/route-setup.sh
A borodino/wg-gateway-start.sh
M stack/40-service-borodino.yml
```
### Diff Summary
```
.claude/commands/borodino.md | 156 +++++++++++++++++++++++++++++++++++++++++
borodino/Dockerfile.borodino | 2 +
borodino/Dockerfile.wg-gateway | 16 +++++
borodino/route-setup.sh | 37 ++++++++++
borodino/wg-gateway-start.sh | 67 ++++++++++++++++++
stack/40-service-borodino.yml | 75 +++++++++++++++++++-
6 files changed, 351 insertions(+), 2 deletions(-)
```
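
Review bot: The fix described as "YAML merge replaces lists, so postgres credentials were missing" can recur the next time a variable is added to a single service. Writing `environment:` as a mapping, with the shared PG_* variables in an anchored mapping merged through `<<`, lets per-service entries combine with the shared ones instead of replacing them, so the credentials do not have to be repeated by hand in ak47 and bm12.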

@@ -0,0 +1,106 @@
---
title: "[bojemoi] feat(c2): multi-redirector infrastructure + split borodino images"
date: 2026-03-30T16:51:02+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 9eb4c92 par Betty dans bojemoi"
author: "Betty"
---
## Commit `9eb4c92`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `9eb4c9236b88b18f05b572b6459a3b331190a5ab` |
### Description
C2 redirector infrastructure:
- redirector/: nginx GeoIP2 container (debian:bookworm-slim) proxying to bojemoi.me:8443
- scripts/c2-vpn-init-pki.sh: EasyRSA PKI init (CA + server cert + lab-manager client)
- scripts/provision-redirector.sh: Fly.io redirector provisioning
- scripts/c2-manage.sh: start/stop/list/delete management script
- cloud-init/redirector-template.yaml: VPS cloud-init template
Architecture: Implants → Redirectors → bojemoi.me:8443 → VPN → 192.168.1.x:4444
Borodino image split:
- Dockerfile.borodino: lightweight Alpine (ak47 + bm12, ~150 MB, no MSF)
- Dockerfile.borodino-msf: full Ruby+MSF image (uzi + msf-teamserver, ~4 GB)
- start_msf_server.sh: msfrpcd teamserver on 0.0.0.0:55553 (shared by all uzi workers)
- start_uzi.sh: MSF_HOST support (local vs remote teamserver)
- thearm_uzi: _pick_redirector() reads C2_REDIRECTORS env, MSF_HOST configurable
Stack borodino:
- New msf-teamserver service (1 replica worker, borodino-msf image)
- uzi-service: MSF_HOST=msf-teamserver, C2_REDIRECTORS=37.16.12.4
- ak47/bm12: now use lightweight borodino image
Remove discovery service (breachforum scraper deprecated)
volumes/c2-vpn/.gitignore: exclude PKI keys/certs from git
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
A borodino/Dockerfile.borodino-msf
A borodino/start_msf_server.sh
M borodino/start_uzi.sh
M borodino/thearm_uzi
A cloud-init/redirector-template.yaml
D discovery/Dockerfile
D discovery/breachforum_discovery_api.py
D discovery/breachforum_onion_discovery.py
D discovery/entrypoint.sh
A redirector/Dockerfile
A redirector/c2-proxy.conf
A redirector/nginx.conf
D scripts/Dockerfile.discovery
D scripts/breachforum_discovery_api.py
D scripts/breachforum_onion_discovery.py
A scripts/c2-manage.sh
A scripts/c2-vpn-init-pki.sh
D scripts/docker-compose.discovery.yml
A scripts/provision-redirector.sh
M stack/40-service-borodino.yml
D stack/66-service-discovery.yml
A volumes/c2-vpn/.gitignore
A volumes/c2-vpn/README.md
```
### Diff Summary
```
borodino/Dockerfile.borodino | 62 +---
borodino/Dockerfile.borodino-msf | 58 ++++
borodino/start_msf_server.sh | 51 +++
borodino/start_uzi.sh | 68 ++--
borodino/thearm_uzi | 84 ++++-
cloud-init/redirector-template.yaml | 317 ++++++++++++++++++
discovery/Dockerfile | 35 --
discovery/breachforum_discovery_api.py | 259 ---------------
discovery/breachforum_onion_discovery.py | 529 -------------------------------
discovery/entrypoint.sh | 33 --
redirector/Dockerfile | 33 ++
redirector/c2-proxy.conf | 39 +++
redirector/nginx.conf | 43 +++
scripts/Dockerfile.discovery | 34 --
scripts/breachforum_discovery_api.py | 259 ---------------
scripts/breachforum_onion_discovery.py | 421 ------------------------
scripts/c2-manage.sh | 415 ++++++++++++++++++++++++
scripts/c2-vpn-init-pki.sh | 255 +++++++++++++++
scripts/docker-compose.discovery.yml | 99 ------
scripts/provision-redirector.sh | 91 ++++++
stack/40-service-borodino.yml | 76 ++++-
stack/66-service-discovery.yml | 73 -----
volumes/c2-vpn/.gitignore | 6 +
volumes/c2-vpn/README.md | 46 +++
24 files changed, 1559 insertions(+), 1827 deletions(-)
```

@@ -0,0 +1,48 @@
---
title: "[bojemoi] feat(ak47): nmap local + msfrpc import via msf-teamserver (Option B)"
date: 2026-03-30T22:05:23+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit dc4caca par Betty dans bojemoi"
author: "Betty"
---
## Commit `dc4caca`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `dc4caca53147c67b9895a9badf7dcd262229b306` |
### Description
Replace msfconsole db_nmap with split approach:
- nmap -oX scan on ak47 (via ProtonVPN, no MSF required)
- msf_import.py: import XML via db.import_data msfrpc call
- Skip import if no hosts up (avoids RPC overhead for empty scans)
- Add msgpack to borodino:latest pip deps
- Add iproute2 + route-setup.sh to borodino-msf for uzi VPN routing
- Add MSF_HOST/MSF_PORT env vars to ak47-service
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
A borodino/msf_import.py
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/Dockerfile.borodino | 7 +++--
borodino/msf_import.py | 69 +++++++++++++++++++++++++++++++++++++++++++
stack/40-service-borodino.yml | 2 ++
3 files changed, 75 insertions(+), 3 deletions(-)
```

@@ -0,0 +1,47 @@
---
title: "[bojemoi] feat(uzi): route exploit traffic via ProtonVPN gateway"
date: 2026-03-30T21:37:22+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit ea02190 par Betty dans bojemoi"
author: "Betty"
---
## Commit `ea02190`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `ea02190a0546a0295e329eb710256cc0f3030ddb` |
### Description
Add VPN routing to uzi-service (same pattern as ak47/bm12):
- Dockerfile.borodino-msf: add iproute2 + route-setup.sh
- uzi-service: add scan_net network, NET_ADMIN cap, SCAN_GATEWAY_HOST
- command: route-setup.sh wrapper before start_uzi.sh
Exploit delivery traffic now exits via ProtonVPN (149.102.244.100),
masking worker node IPs. C2 sessions (inbound to msf-teamserver) are
unaffected (RFC1918 routes preserved via overlay gateway).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino-msf
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/Dockerfile.borodino-msf | 3 ++-
stack/40-service-borodino.yml | 9 ++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
```

@@ -0,0 +1,40 @@
---
title: "[bojemoi] feat(nuclei-api): route scans via ProtonVPN (wg-gateway)"
date: 2026-03-31T21:04:31+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 4c71a4d par Betty dans bojemoi"
author: "Betty"
---
## Commit `4c71a4d`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `4c71a4d3b9a32e326635d57f8435ef4b773b1f76` |
### Description
Add scan_net + NET_ADMIN to nuclei-api. Run apk/pip/nuclei-update
first (default route), then configure routing via wg-gateway before
starting uvicorn. Use $$ escaping for shell vars in Docker stack YAML.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/40-service-borodino.yml
```
### Diff Summary
```
stack/40-service-borodino.yml | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
```
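
Review bot: "Run apk/pip/nuclei-update first (default route)" means the container installs packages at every start, so what runs depends on what the package indexes serve at that moment and on the network being reachable. Suggest building those packages into the image at pinned versions and leaving only the route setup and uvicorn in the start command.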

@@ -0,0 +1,77 @@
---
title: "[bojemoi] feat(nuclei): Redis queue pipeline + dedicated Faraday workspaces + Redis Commander"
date: 2026-03-31T20:36:25+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit b5b5641 par Betty dans bojemoi"
author: "Betty"
---
## Commit `b5b5641`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `b5b56414da22c77a1827f2b4591659727d4e3c44` |
### Description
- thearm_bm12: LPUSH pentest:nuclei_queue after bm12_v3 classification (event-driven)
- thearm_nuclei: replace DB polling with BRPOP (0 CPU idle) + 30s backfill fallback
- thearm_logpull: pull nginx logs from Fly.io redirectors + Lightsail → redirector_hits
- redirector/nginx.conf: real IP via fly-client-ip header, log to stdout
- redirector/entrypoint.sh: symlink nginx logs to stdout/stderr
- Dockerfile.borodino: add redis + openssh-client, include thearm_nuclei/logpull
- nuclei_api/main.py: push findings to Faraday after scan
- plugin_nuclei.py: add push_to_faraday() helper
- stack/40-service-borodino.yml:
- nuclei-worker: BRPOP mode, REDIS_HOST/PORT, dedicated workspace=nuclei
- nuclei-api: workspace=nuclei, FARADAY_URL=http://faraday:5985
- zap-scanner: workspace=zap
- uzi-service: workspace=uzi
- logpull service: nginx log pull worker (manager placement)
- redis-commander: web UI at redis.bojemoi.lab
- Remove Burp Suite plugin + stack export (replaced by Nuclei)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/Dockerfile.borodino
A borodino/redirector/Dockerfile
A borodino/redirector/entrypoint.sh
A borodino/redirector/nginx.conf
M borodino/thearm_bm12
A borodino/thearm_logpull
A borodino/thearm_nuclei
M samsonov/nuclei_api/main.py
D samsonov/pentest_orchestrator/plugins/plugin_burp.py
M samsonov/pentest_orchestrator/plugins/plugin_nuclei.py
D scripts/gameover.sh
D scripts/stack_burp.export
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/Dockerfile.borodino | 6 +-
borodino/redirector/Dockerfile | 18 +
borodino/redirector/entrypoint.sh | 77 ++++
borodino/redirector/nginx.conf | 63 ++++
borodino/thearm_bm12 | 23 +-
borodino/thearm_logpull | 212 +++++++++++
borodino/thearm_nuclei | 410 +++++++++++++++++++++
samsonov/nuclei_api/main.py | 116 +++++-
.../pentest_orchestrator/plugins/plugin_burp.py | 326 ----------------
.../pentest_orchestrator/plugins/plugin_nuclei.py | 28 ++
scripts/gameover.sh | 18 -
scripts/stack_burp.export | 57 ---
stack/40-service-borodino.yml | 139 ++++++-
13 files changed, 1082 insertions(+), 411 deletions(-)
```
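Review bot: The `redis-commander: web UI at redis.bojemoi.lab` item in the Description does not say how that UI is protected. Redis here carries the scan queue (`pentest:nuclei_queue`), so anyone who reaches the UI can read or rewrite what is queued; state the authentication or network restriction in front of it, or add one if there is none.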


@@ -0,0 +1,85 @@
---
title: "[bojemoi] feat: Ollama/Mistral local inference + remove Burp Suite + C2 listener auto-start"
date: 2026-04-03T16:11:02+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit f6b4ac5 par Betty dans bojemoi"
author: "Betty"
---
## Commit `f6b4ac5`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `f6b4ac5822c8eb8186be28a2bc30af8d332757db` |
### Description
Ollama/Mistral migration (ml-threat):
- Add 51-service-ollama.yml: Ollama GPU stack on meta-68 (T400), OLLAMA_LOAD_TIMEOUT=300
- Replace Anthropic API with Ollama OpenAI-compatible endpoint in 45-service-ml-threat-intel.yml
- Remove anthropic_api_key secret, add OLLAMA_BASE_URL env var
Remove Burp Suite integration:
- Drop plugin_burp from pentest orchestrator, commands, wiki, test scripts
- Remove burp config block from config.json
MSF teamserver:
- Auto-start C2 multi/handler (windows/x64/meterpreter/reverse_https) on startup
- Support C2_REDIRECTORS env for OverrideLHOST/LPORT
ak47: switch from msfconsole db_nmap to local nmap + msf_import.pyc
ZAP scanner:
- Replace token auth with basic auth (FARADAY_USER/FARADAY_PASSWORD)
- Add faraday_get_or_create_host() for v3 API compliance
- Skip active scan when spider finds 0 URLs (host unreachable)
- Fix CIDR mask in build_url() and Faraday host IP
provision-redirector.sh: embed VPN config + MSF target as Fly secrets
Prometheus: update basicauth hash
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M .claude/commands/pentest.md
M borodino/start_msf_server.sh
M borodino/thearm_ak47
M oblast-1/zap_scanner.py
M samsonov/pentest_orchestrator/config/config.json
M samsonov/pentest_orchestrator/main.py
M scripts/provision-redirector.sh
M scripts/test_wget.sh
M stack/01-service-hl.yml
M stack/45-service-ml-threat-intel.yml
A stack/51-service-ollama.yml
M stack/READ.me
M wiki/Pentest-Orchestrator.md
```
### Diff Summary
```
.claude/commands/pentest.md | 2 +-
borodino/start_msf_server.sh | 25 +++++++-
borodino/thearm_ak47 | 7 +-
oblast-1/zap_scanner.py | 81 +++++++++++++++++++-----
samsonov/pentest_orchestrator/config/config.json | 7 +-
samsonov/pentest_orchestrator/main.py | 4 +-
scripts/provision-redirector.sh | 27 +++++++-
scripts/test_wget.sh | 2 -
stack/01-service-hl.yml | 5 +-
stack/45-service-ml-threat-intel.yml | 5 +-
stack/51-service-ollama.yml | 51 +++++++++++++++
stack/READ.me | 2 +-
wiki/Pentest-Orchestrator.md | 1 -
13 files changed, 179 insertions(+), 40 deletions(-)
```
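Review bot: In the ZAP scanner item, `Replace token auth with basic auth (FARADAY_USER/FARADAY_PASSWORD)` means the account password travels with every request, and the Description does not say where that password is stored. The same commit removes `anthropic_api_key` as a secret, so say whether FARADAY_PASSWORD is delivered as a Docker secret rather than as a plain environment variable in the stack file.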


@@ -0,0 +1,77 @@
---
title: "[bojemoi] feat: Ollama AI template gen, C2 proxy_proto, ZAP throttle, vulnx removal"
date: 2026-04-04T00:23:54+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit fb7c5ff par Betty dans bojemoi"
author: "Betty"
---
## Commit `fb7c5ff`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `fb7c5ffb383f76bef73929f3d716a83cbf252e23` |
### Description
Ollama × Nuclei AI (option 1):
- nuclei_ai.py: NucleiAI class with suggest_tags(), analyze_findings(),
generate_templates() (up to 2 custom YAML templates per scan context)
- main.py: scan_details field in ScanRequest, AI template pre-scan pass,
merge results, pyyaml added to pip install
- thearm_nuclei: enrich_tags() via Ollama, submit_scan() passes scan_details
- 51-service-ollama.yml: placement via node.labels.nvidia.vgpu instead of hostname
C2 redirector Proxy Protocol (real client IPs in redirector_hits):
- nginx.conf: listen 443 ssl proxy_protocol, log $proxy_protocol_addr
- provision-redirector.sh: --port 443:443/tcp:proxy_proto
- thearm_logpull: FLY_API_TOKEN env var (fix broken --access-token flag),
level_re parser (fix rfind(']') bug finding wrong bracket)
ZAP/Faraday CPU fix (periodic 100% CPU on meta-69):
- zap_scanner.py: time.sleep(0.15) throttle between Faraday POSTs
- ZAP_CONCURRENCY 3→1, resource limits on zaproxy (2CPU/4G),
zap-scanner (0.5CPU/256M), faraday (1.5CPU/2G)
Housekeeping:
- startover.sh: force-restart nuclei-api after borodino deploy
- Remove vulnx service (orphaned, superseded by nuclei)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/redirector/nginx.conf
M borodino/thearm_logpull
M borodino/thearm_nuclei
M oblast-1/zap_scanner.py
M samsonov/nuclei_api/main.py
A samsonov/nuclei_api/nuclei_ai.py
M scripts/provision-redirector.sh
M scripts/startover.sh
M stack/40-service-borodino.yml
M stack/51-service-ollama.yml
```
### Diff Summary
```
borodino/redirector/nginx.conf | 12 +-
borodino/thearm_logpull | 24 ++--
borodino/thearm_nuclei | 82 ++++++++++-
oblast-1/zap_scanner.py | 1 +
samsonov/nuclei_api/main.py | 52 ++++++-
samsonov/nuclei_api/nuclei_ai.py | 298 +++++++++++++++++++++++++++++++++++++++
scripts/provision-redirector.sh | 2 +-
scripts/startover.sh | 6 +
stack/40-service-borodino.yml | 79 ++++-------
stack/51-service-ollama.yml | 4 +-
10 files changed, 482 insertions(+), 78 deletions(-)
```
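Review bot: The `generate_templates()` item says up to 2 model-written YAML templates are run in a pre-scan pass, but nothing in the Description says they are checked before execution. Note whether main.py parses them with a safe YAML loader and rejects any template that fails validation or uses a protocol outside an allow-list, since model output is untrusted input to the scanner.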


@@ -0,0 +1,59 @@
---
title: "[bojemoi] feat: uzi_scan_log + zap severity breakdown + nuclei [][]fix + eve-cleaner merge"
date: 2026-04-05T00:12:44+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 002f809 par Betty dans bojemoi"
author: "Betty"
---
## Commit `002f809`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `002f809c64fe9361aa36bf46aea23b5e6fe9bf01` |
### Description
- borodino/thearm_uzi: add ensure_uzi_scan_log()/mark_uzi_result(), dedup via
NOT IN uzi_scan_log, faraday_ok tracking, PG vars fix (YAML merge caveat)
- oblast-1/zap_scanner.py: add critical/high/medium/low/info columns + faraday_ok
to zap_scan_log, severity_breakdown(), faraday_post_vulns() returns int
- samsonov/nuclei_api/main.py: fix [][]bug (skip empty array lines on AI append),
validate JSON in JSONL counter, ai_analysis stored in Redis
- stack/01-suricata-host.yml: merge dozor eve-cleaner into single service
- stack/40-service-borodino.yml: add PG vars to uzi-service (YAML merge fix)
- stack/48-service-dozor.yml: remove eve-cleaner (merged into suricata stack)
- stack/51-service-ollama.yml: minor update
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
M oblast-1/zap_scanner.py
M samsonov/nuclei_api/main.py
M stack/01-suricata-host.yml
M stack/40-service-borodino.yml
M stack/48-service-dozor.yml
M stack/51-service-ollama.yml
```
### Diff Summary
```
borodino/thearm_uzi | 114 ++++++++++++++++++++++++++++++++++++----
oblast-1/zap_scanner.py | 117 ++++++++++++++++++++++++++++++++++++------
samsonov/nuclei_api/main.py | 61 +++++++++++++++++++---
stack/01-suricata-host.yml | 21 ++++++--
stack/40-service-borodino.yml | 5 ++
stack/48-service-dozor.yml | 33 ------------
stack/51-service-ollama.yml | 2 +-
7 files changed, 282 insertions(+), 71 deletions(-)
```
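Review bot: The title's `nuclei [][]fix` and the Description's `fix [][]bug` cannot be understood without the diff; name the defect in words (the parenthesised text, empty array lines on AI append, is the real description) and put a space before `fix` and `bug`. `stack/51-service-ollama.yml: minor update` should likewise say what changed.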


@@ -0,0 +1,61 @@
---
title: "[bojemoi] feat(grafana): dashboards bind mount + scan-results dashboard + config swap fix"
date: 2026-04-05T00:48:14+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 24c1a17 par Betty dans bojemoi"
author: "Betty"
---
## Commit `24c1a17`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `24c1a17329f8046482acedb7cf6b714be7253f20` |
### Description
- stack/01-service-hl.yml:
- Grafana: bind mount /opt/bojemoi/volumes/grafana/dashboards → /var/lib/grafana/dashboards
- Grafana: rename Docker configs (grafana-datasources_v2, grafana-dashboards-provider_v2)
to fix immutability error + correct the datasource/dashboard config swap
- Loki: publish port 3100 on host (mode: host) for redirector log drain via VPN
- volumes/grafana/provisioning/dashboards/dashboards.yml:
- Cleaned (removed embedded K8s ConfigMap garbage)
- 3 providers: Pentest, Security, Attack Heatmap
- volumes/grafana/provisioning/datasources/datasources.yml:
- Added PostgreSQL-MSF datasource (postgres:5432/msf) for scan log queries
- volumes/grafana/dashboards/pentest/scan-results.json (NEW):
- Dashboard with 3 sections: Nuclei / ZAP / UZI
- Stats: total scans, findings/alerts, critical/high, faraday_ok
- Tables: top vulns per tool
- Pie charts: status breakdown
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
A volumes/grafana/dashboards/pentest/scan-results.json
M volumes/grafana/provisioning/dashboards/dashboards.yml
M volumes/grafana/provisioning/datasources/datasources.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 20 +-
.../grafana/dashboards/pentest/scan-results.json | 202 +++++
.../grafana/provisioning/dashboards/dashboards.yml | 838 +--------------------
.../provisioning/datasources/datasources.yml | 18 +
4 files changed, 249 insertions(+), 829 deletions(-)
```
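Review bot: The `Added PostgreSQL-MSF datasource (postgres:5432/msf)` item does not say how the datasource authenticates. datasources.yml is a tracked file (18 lines added here), so confirm the password is injected from an environment variable or secret rather than written in the file, and that the role Grafana uses on the msf database is read-only.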


@@ -0,0 +1,84 @@
---
title: "[bojemoi] feat: make project distributable — templatize stacks + install wizard"
date: 2026-04-05T22:08:33+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 440a412 par Betty dans bojemoi"
author: "Betty"
---
## Commit `440a412`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `440a4121d9e4b987ff859b4649c06ec9b63dbbd3` |
### Description
- Add .env.example with 70+ documented variables (passwords, domains, IPs, paths)
- Add install.sh: interactive wizard → generates .env → deploys stacks
- Add scripts/create-secrets.sh: creates all Docker Swarm secrets interactively
- Rewrite README.md: quickstart, architecture diagram, stack reference, ops guide
- Templatize all 16 stack files: replace hardcoded values with ${VAR} references
- localhost:5000 → ${IMAGE_REGISTRY}
- bojemoi.lab → ${LAB_DOMAIN}
- /opt/bojemoi → ${BOJEMOI_BASE_PATH}
- passwords (bojemoi, bojemoi2, totototo) → ${POSTGRES_PASSWORD}, ${FARADAY_PASSWORD}, etc.
- IPs, node hostnames, Telegram chat ID, C2 redirectors → env vars
- Update .gitignore: add .env.local, .env.*.local
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A .env.example
M .gitignore
M README.md
A install.sh
A scripts/create-secrets.sh
M stack/01-service-hl.yml
M stack/01-suricata-host.yml
M stack/40-service-borodino.yml
M stack/45-service-ml-threat-intel.yml
M stack/46-service-razvedka.yml
M stack/47-service-vigie.yml
M stack/48-service-dozor.yml
M stack/49-service-mcp.yml
M stack/50-service-trivy.yml
M stack/51-service-ollama.yml
M stack/55-service-sentinel.yml
M stack/56-service-dvar.yml
M stack/60-service-telegram.yml
M stack/65-service-medved.yml
```
### Diff Summary
```
.env.example | 224 +++++++++++++++++++
.gitignore | 2 +
README.md | 225 +++++++++++++++----
install.sh | 415 +++++++++++++++++++++++++++++++++++
scripts/create-secrets.sh | 212 ++++++++++++++++++
stack/01-service-hl.yml | 200 ++++++++---------
stack/01-suricata-host.yml | 18 +-
stack/40-service-borodino.yml | 136 ++++++------
stack/45-service-ml-threat-intel.yml | 8 +-
stack/46-service-razvedka.yml | 4 +-
stack/47-service-vigie.yml | 4 +-
stack/48-service-dozor.yml | 6 +-
stack/49-service-mcp.yml | 2 +-
stack/50-service-trivy.yml | 2 +-
stack/51-service-ollama.yml | 40 +++-
stack/55-service-sentinel.yml | 4 +-
stack/56-service-dvar.yml | 4 +-
stack/60-service-telegram.yml | 4 +-
stack/65-service-medved.yml | 2 +-
19 files changed, 1280 insertions(+), 232 deletions(-)
```
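Review bot: The templatization list quotes the old hardcoded passwords verbatim (`passwords (bojemoi, bojemoi2, totototo)`) in a post marked `draft: false`. Replacing them with ${VAR} references does not remove them from git history, so treat them as disclosed: rotate them, and drop the literal values from this Description.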


@@ -0,0 +1,51 @@
---
title: "[bojemoi] feat(redirector): Loki log drain via VPN"
date: 2026-04-05T00:34:18+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 454674c par Betty dans bojemoi"
author: "Betty"
---
## Commit `454674c`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `454674c1bdfe9f430e84739cd50ef00fe4e3a8bf` |
### Description
- Publish Loki port 3100 on manager host (mode: host)
- Add loki-shipper.py: tails nginx access.log, batches to Loki every 5s
- Dockerfile: add python3 + loki-shipper.py
- entrypoint.sh: real log files (not stdout symlink) + tail for fly logs
+ start shipper after VPN tunnel is up
- Fly.io machine updated: REDIRECTOR_NAME=redirector-1, LOKI_URL set
Labels: job=nginx-redirector, app=redirector-1, region=cdg
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/redirector/Dockerfile
M borodino/redirector/entrypoint.sh
A borodino/redirector/loki-shipper.py
M stack/01-service-hl.yml
```
### Diff Summary
```
borodino/redirector/Dockerfile | 2 +
borodino/redirector/entrypoint.sh | 13 +++++--
borodino/redirector/loki-shipper.py | 73 +++++++++++++++++++++++++++++++++++++
stack/01-service-hl.yml | 6 ++-
4 files changed, 90 insertions(+), 4 deletions(-)
```
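Review bot: `Publish Loki port 3100 on manager host (mode: host)` opens the Loki HTTP API on the manager's host interfaces, and Loki has no built-in authentication. The title says the drain runs via VPN; state in the Description how port 3100 is limited to the VPN interface or to the redirector's source address (bind address or firewall rule).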


@@ -0,0 +1,120 @@
---
title: "[bojemoi] feat: multi-service updates — nuclei API, nym-proxy, grafana reorg, prometheus rules"
date: 2026-04-09T21:55:44+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 0699664 par Betty dans bojemoi"
author: "Betty"
---
## Commit `0699664`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `06996646ee1025939b579d5e88de77c06bc310e1` |
### Description
Services:
- samsonov/nuclei_api: new Dockerfile + entrypoint; main.py updates
- samsonov: add Dockerfile.nuclei
- nym-proxy: new service (Dockerfile + entrypoint)
- stack: add 02-service-maintenance.yml, 41-service-nym.yml
- oblast-1: Dockerfile + zap_scanner.py updates
- tsushima: masscan_msf_script.py updates
- borodino: osint_lookup.py updates; thearm_ak47/bm12/logpull/nuclei refinements
- scripts/cccp.sh: orchestration improvements
Grafana / monitoring:
- dashboards/security/: reorganize sentinel + vigie + security-minimal into subdir
- dashboards/general/: add loki-stack-monitoring + nvidia-dcgm dashboards
- dashboards/pentest/: update pentest-overview + scan-results; add vuln-management
- provisioning/dashboards.yml: reflect new layout
- prometheus.yml + alert_rules.yml + alerts.yml: rule updates
- alloy/config.alloy: minor update
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/osint_lookup.py
M borodino/thearm_ak47
M borodino/thearm_bm12
M borodino/thearm_logpull
M borodino/thearm_nuclei
A nym-proxy/Dockerfile
A nym-proxy/entrypoint.sh
M oblast-1/Dockerfile.oblast-1
M oblast-1/zap_scanner.py
A samsonov/Dockerfile.nuclei
A samsonov/nuclei_api/Dockerfile
A samsonov/nuclei_api/entrypoint.sh
M samsonov/nuclei_api/main.py
A samsonov/nuclei_api/requirements.txt
M scripts/cccp.sh
A stack/02-service-maintenance.yml
A stack/41-service-nym.yml
M tsushima/masscan_msf_script.py
M volumes/alloy/config/config.alloy
D volumes/grafana/dashboards/dashboard-security-minimal.json
A volumes/grafana/dashboards/general/loki-stack-monitoring.json
A volumes/grafana/dashboards/general/nvidia-dcgm.json
M volumes/grafana/dashboards/pentest/pentest-overview.json
M volumes/grafana/dashboards/pentest/scan-results.json
A volumes/grafana/dashboards/pentest/vuln-management.json
A volumes/grafana/dashboards/security/dashboard-security-minimal.json
A volumes/grafana/dashboards/security/sentinel.json
A volumes/grafana/dashboards/security/vigie.json
D volumes/grafana/dashboards/sentinel.json
D volumes/grafana/dashboards/vigie.json
M volumes/grafana/provisioning/dashboards/dashboards.yml
M volumes/prometheus/prometheus.yml
M volumes/prometheus/rules/alert_rules.yml
M volumes/prometheus/rules/alerts.yml
```
### Diff Summary
```
borodino/osint_lookup.py | 23 +-
borodino/thearm_ak47 | 3 +-
borodino/thearm_bm12 | 19 +-
borodino/thearm_logpull | 19 +-
borodino/thearm_nuclei | 19 +-
nym-proxy/Dockerfile | 19 +
nym-proxy/entrypoint.sh | 24 +
oblast-1/Dockerfile.oblast-1 | 10 +-
oblast-1/zap_scanner.py | 26 +-
samsonov/Dockerfile.nuclei | 1 +
samsonov/nuclei_api/Dockerfile | 24 +
samsonov/nuclei_api/entrypoint.sh | 28 +
samsonov/nuclei_api/main.py | 34 +-
samsonov/nuclei_api/requirements.txt | 6 +
scripts/cccp.sh | 474 +++++----
stack/02-service-maintenance.yml | 31 +
stack/41-service-nym.yml | 67 ++
tsushima/masscan_msf_script.py | 26 +-
volumes/alloy/config/config.alloy | 2 +-
.../dashboards/dashboard-security-minimal.json | 35 -
.../dashboards/general/loki-stack-monitoring.json | 239 +++++
.../grafana/dashboards/general/nvidia-dcgm.json | 804 ++++++++++++++
.../dashboards/pentest/pentest-overview.json | 187 +++-
.../grafana/dashboards/pentest/scan-results.json | 1112 +++++++++++++++++---
.../dashboards/pentest/vuln-management.json | 766 ++++++++++++++
.../security/dashboard-security-minimal.json | 35 +
volumes/grafana/dashboards/security/sentinel.json | 235 +++++
volumes/grafana/dashboards/security/vigie.json | 146 +++
volumes/grafana/dashboards/sentinel.json | 235 -----
volumes/grafana/dashboards/vigie.json | 146 ---
.../grafana/provisioning/dashboards/dashboards.yml | 12 +-
volumes/prometheus/prometheus.yml | 17 +
volumes/prometheus/rules/alert_rules.yml | 15 +-
volumes/prometheus/rules/alerts.yml | 28 +-
34 files changed, 3977 insertions(+), 890 deletions(-)
```
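Review bot: Several Description items give no reviewable detail for large changes: `scripts/cccp.sh: orchestration improvements` stands for 474 changed lines in the Diff Summary, and `prometheus.yml + alert_rules.yml + alerts.yml: rule updates` does not say which alerts were added, removed or retuned. With 34 files in one commit, list the behavioural change per service, or split the Grafana reorganization from the service changes.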


@@ -0,0 +1,51 @@
---
title: "[bojemoi] feat(uzi): brute-force credentials Phase 0 sur 15 services"
date: 2026-04-09T16:22:46+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 0e0519a par Betty dans bojemoi"
author: "Betty"
---
## Commit `0e0519a`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `0e0519a10341ca2a19066b4ef4d5a808477f66a6` |
### Description
Remplace run_ssh_bruteforce() par une architecture générique :
- BRUTE_MODULES dict : 15 services (ssh, ftp, telnet, smb, mysql,
postgresql, mssql, vnc, snmp, imap, pop3, smtp, http/https,
tomcat, mongodb) avec module MSF, ports, wordlists et options
- run_brute_force_service() : fonction générique auxiliary MSF,
gère USER_FILE/PASS_FILE optionnels, THREADS, extra opts,
détection sessions et reporting Faraday
- run_bruteforce_phase() : Phase 0 orchestre tous les services
détectés, déduplique par module, respecte attack_surface_key
(ex: tomcat uniquement si bm12 l'a confirmé)
- Toutes les wordlists configurables via env vars (surchargeables
dans le stack sans rebuild)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M borodino/thearm_uzi
M stack/40-service-borodino.yml
```
### Diff Summary
```
borodino/thearm_uzi | 303 +++++++++++++++++++++++++++++++++++++++++-
stack/40-service-borodino.yml | 143 +++++++++++++-------
2 files changed, 395 insertions(+), 51 deletions(-)
```
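Review bot: The Description, and the title's `Phase 0 sur 15 services`, are written in French, while the Descriptions of the neighbouring posts are in English. Pick one language for the published posts so the series can be searched and reviewed consistently.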


@@ -0,0 +1,58 @@
---
title: "[bojemoi] feat(redirector): OPSEC hardening — Let's Encrypt + header suppression + MSF keepalive"
date: 2026-04-09T21:55:35+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 10af16e par Betty dans bojemoi"
author: "Betty"
---
## Commit `10af16e`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `10af16e9fdf0d0548b10291c972dee0b08665722` |
### Description
- entrypoint.sh: acquire Let's Encrypt cert via acme.sh at startup (webroot
HTTP-01 on redirector-1.fly.dev); fallback self-signed uses CN=api.microsoft.com
instead of CN=localhost; register-account step to avoid invalidContact error
- nginx.conf: load headers_more module + more_clear_headers Server; add ACME
challenge location /.well-known/acme-challenge/ and /healthz on port 80
- Dockerfile: add ca-certificates, libnginx-mod-http-headers-more-filter, socat;
download acme.sh script directly (avoids silent pipe install failure)
- start_msf_server.sh: pipe stdin keepalive (tail -f /dev/null | msfconsole) to
prevent handler exit on EOF; add watchdog loop + port 4444 readiness check
- .claude/commands/opsec-check.md: new /opsec-check skill (6-phase C2 OPSEC audit)
- .claude/commands/topology.md: new /topology skill (swarm service dependency check)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
A .claude/commands/opsec-check.md
A .claude/commands/topology.md
M borodino/redirector/Dockerfile
M borodino/redirector/entrypoint.sh
M borodino/redirector/nginx.conf
M borodino/start_msf_server.sh
```
### Diff Summary
```
.claude/commands/opsec-check.md | 242 ++++++++++++++++++++++++++++++++++++++
.claude/commands/topology.md | 150 +++++++++++++++++++++++
borodino/redirector/Dockerfile | 14 ++-
borodino/redirector/entrypoint.sh | 54 +++++++--
borodino/redirector/nginx.conf | 21 +++-
borodino/start_msf_server.sh | 37 +++++-
6 files changed, 503 insertions(+), 15 deletions(-)
```
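Review bot: In the Dockerfile item, `download acme.sh script directly` does not say which version is fetched or whether it is verified. A script pulled at build time and then trusted to handle certificate keys should be pinned to a release tag or commit and checked against a known digest; record that in the Description.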


@@ -0,0 +1,40 @@
---
title: "[bojemoi] fix(security): remove postgres port 5432 from public ingress"
date: 2026-04-09T22:19:57+02:00
draft: false
tags: ["commit", "bojemoi", "main"]
categories: ["Git Activity"]
summary: "Commit 1e20eb6 par Betty dans bojemoi"
author: "Betty"
---
## Commit `1e20eb6`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `1e20eb638e74ba5a2c1e0595a5992322d141a571` |
### Description
Port 5432:5432 was published in ingress mode on base_postgres, making
PostgreSQL accessible on all Swarm node IPs. Removed — postgres is only
reachable via the backend overlay network (internal services only).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### Files Changed
```
M stack/01-service-hl.yml
```
### Diff Summary
```
stack/01-service-hl.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
```
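Review bot: The Description records the fix but not the follow-up. Since PostgreSQL was reachable `on all Swarm node IPs`, add whether the database credentials were rotated and whether connection logs were reviewed for the period the port was published.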

Some files were not shown because too many files have changed in this diff.