Merge branch 'master' of github.com:profullstack/threatcrush

Author: ralyodio

.dockerignore

@@ -0,0 +1,20 @@
+node_modules
+.next
+.git
+.github
+.vscode
+*.md
+!README.md
+.DS_Store
+.env.local
+.env.*.local
+*.tsbuildinfo
+cli/dist
+cli/node_modules
+desktop/dist
+desktop/node_modules
+mobile/node_modules
+mobile/.expo
+extension/dist
+extension/node_modules
+.qwen

.github/workflows/desktop-release.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
 
       - name: Install dependencies
@@ -97,14 +97,6 @@ jobs:
       - name: Package desktop app
         working-directory: desktop
         run: npx electron-builder --${{ matrix.platform }} --${{ matrix.arch }} --publish never
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # macOS notarization
-          APPLE_ID: ${{ secrets.APPLE_ID }}
-          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
-          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-          # Windows signing
-          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4

.github/workflows/mobile-release.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
 
       - name: Install dependencies

.github/workflows/npm-publish.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
           registry-url: 'https://registry.npmjs.org'
 

.github/workflows/pr-checks.yml

@@ -24,17 +24,28 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
       - name: Build CLI
         run: pnpm --filter @profullstack/threatcrush build
+        env:
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
+          SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
 
       - name: Build landing page
         run: pnpm --filter threatcrush build
+        env:
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
+          SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
 
       - name: Type check CLI
         run: pnpm --filter @profullstack/threatcrush exec tsc --noEmit
+        env:
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}

.github/workflows/submit-packages.yml

@@ -35,7 +35,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
 
       - name: Install dependencies
@@ -148,7 +148,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
 
       - name: Install dependencies

.gitignore

@@ -4,3 +4,4 @@ data/
 .env.local
 .env
 supabase/supabase/.temp
+.qwen/

Dockerfile

@@ -1,30 +1,31 @@
-FROM node:22-slim AS base
-RUN corepack enable && corepack prepare pnpm@10.26.2 --activate
+FROM node:22-slim
+
+RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
+
+# Install git for postinstall hook
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 
-# --- deps ---
-FROM base AS deps
 WORKDIR /app
+
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY cli/package.json cli/
 COPY desktop/package.json desktop/
 COPY mobile/package.json mobile/
+COPY extension/package.json extension/
+
 RUN pnpm install --frozen-lockfile
 
-# --- builder ---
-FROM base AS builder
-WORKDIR /app
-COPY --from=deps /app/node_modules ./node_modules
 COPY . .
+
 RUN pnpm build
 
-# --- runner ---
-FROM node:22-slim AS runner
-WORKDIR /app
+# Next.js standalone output doesn't include static assets — copy them in
+RUN cp -r .next/static .next/standalone/.next/static
+
 ENV NODE_ENV=production
 ENV HOSTNAME=0.0.0.0
-
-COPY --from=builder /app/.next/standalone ./
-COPY --from=builder /app/.next/static ./.next/static
-COPY --from=builder /app/public ./public
+ENV PORT=3000
 
 EXPOSE 3000
-CMD ["node", "server.js"]
+
+CMD ["node", ".next/standalone/server.js"]

TODO.md

@@ -0,0 +1,157 @@
+# ThreatCrush TODO
+
+Generated: 2026-04-11
+
+---
+
+## 🔴 Blockers (Must fix before production launch)
+
+### 1. Phone / SMS Verification ✅ FIXED
+- [x] **Replaced stub phone verification** — `src/app/api/auth/verify-phone/route.ts` now calls `supabase.auth.verifyOtp()` to validate the OTP against Supabase's stored code.
+- [x] **Created `send-phone-code` endpoint** — `src/app/api/auth/send-phone-code/route.ts` triggers Supabase OTP generation, which fires the Telnyx webhook.
+- [x] **Updated frontend** — `src/app/auth/verify/page.tsx` now has a "Send verification code" button and proper OTP input flow. Removed "Beta: Any 6-digit code" warning.
+- [x] **Tests updated** — Added tests for invalid OTP, wrong user OTP, and new `send-phone-code` endpoint tests.
+- [ ] **Runtime requirement**: `TELNYX_API_KEY` and `TELNYX_PHONE_NUMBER` env vars must be configured (Telnyx hook at `src/app/api/hooks/send-sms/route.ts` is already implemented).
+- [ ] **Supabase dashboard**: Set the SMS webhook URL to `https://your-domain.com/api/hooks/send-sms` in Supabase Auth settings.
+
+### 2. Supabase Credentials ✅ FIXED
+- [x] Removed placeholder fallbacks in `src/lib/supabase.ts` — now throws at startup if env vars are not set.
+- [x] Added same guard to `src/app/api/auth/callback/route.ts`.
+- [x] Added runtime validation with clear error messages.
+- [x] **Linked remote project** via `supabase link --project-ref odhaoehucfyrqhanthyq`.
+- [x] **Synced migration history** — all 5 migrations (waitlist, referrals, modules_marketplace, users, + remote 20260406180000) are applied and matched.
+- [x] **Verified `user_profiles` table** exists and accessible on remote.
+- [x] **Verified Telnyx SMS** — API key works, `+19492847328` is active with messaging enabled.
+- [ ] **Supabase dashboard (manual step)**: In Supabase Dashboard → Auth → SMS → configure webhook URL to `https://threatcrush.com/api/hooks/send-sms` with secret `ad6a68662e81fba4c6beb8f7674a15cbdc28946eec8066397bcaf36599f7ceda`. Enable phone provider "Twilio Verify / custom provider" pointing to the webhook.
+
+### 3. CLI Commands — All Gated
+All commands below currently just prompt for email and say "Coming soon — ThreatCrush is in private beta." (`cli/src/index.ts`):
+- [ ] `threatcrush monitor`
+- [ ] `threatcrush tui`
+- [ ] `threatcrush init`
+- [ ] `threatcrush scan`
+- [ ] `threatcrush pentest`
+- [ ] `threatcrush status`
+- [ ] `threatcrush start`
+- [ ] `threatcrush stop`
+- [ ] `threatcrush logs`
+- [ ] `threatcrush activate`
+- [ ] `threatcrush modules` (gated at line 283)
+- [ ] `threatcrush store` (gated at line 290)
+- [ ] `threatcrush store search` (gated at line 296)
+- [ ] `threatcrush update --modules` — says "Module updates coming soon" (line 235)
+
+### 4. TUI Dashboard — Not Implemented
+- [ ] Create `cli/src/tui/dashboard.js` — referenced by `cli/src/commands/monitor.ts:31` but the entire `cli/src/tui/` directory does not exist.
+
+### 5. Module Marketplace — Not Functional
+- [ ] `threatcrush modules install` — says "Module marketplace is not yet available" (`cli/src/commands/modules.ts:57-60`).
+- [ ] Local module install (`./path`) — says "This feature is coming soon" (`cli/src/commands/modules.ts:54`).
+- [ ] Build real backend for module install/purchase flows (store pages exist but are UI-only).
+
+### 6. Module SDK — Not Published
+- [ ] Publish `@threatcrush/sdk` package. The `boilerplates/module-example/src/index.ts` defines its own `ModuleContext` and `EventPayload` interfaces instead of importing from `@threatcrush/sdk`.
+
+### 7. Desktop Release Pipeline — Failing
+- [ ] Fix packaging configuration in GitHub Actions desktop release workflow (fails on all matrix targets: Linux, macOS, Windows).
+- [ ] Configure macOS signing/notarization secrets: `APPLE_CERTIFICATE`, `APPLE_CERTIFICATE_PASSWORD`, `KEYCHAIN_PASSWORD`, `APPLE_ID`, `APPLE_APP_SPECIFIC_PASSWORD`, `APPLE_TEAM_ID`.
+- [ ] Configure Windows signing secrets: `WINDOWS_CERTIFICATE`, `WINDOWS_CERTIFICATE_PASSWORD`.
+- [ ] Verify GitHub Releases are created properly on tag pushes.
+- [ ] Generate and attach checksums.
+- [ ] Decide how website download buttons should work (direct GitHub release assets vs. first-party downloads page).
+- [ ] Update `/docs/releases` with confirmed artifact names.
+- [ ] Update homepage/download section only after at least one successful release.
+
+### 8. Desktop App — Placeholder IPC
+- [ ] `connectDaemon()` in `desktop/src/preload/index.ts` is a placeholder — always returns `Promise.resolve(false)`. No real IPC with the daemon is implemented.
+
+---
+
+## 🟡 Significant Gaps
+
+### 9. Mobile App — Skipped for now
+- [ ] EAS login, Expo project setup, `EXPO_TOKEN` GitHub secret
+- [ ] Produce preview build in EAS
+- [ ] Apple App Store Connect and Google Play setup
+- [ ] Replace minimal sanity screen in `mobile/app/index.tsx` with real functionality
+- [ ] Replace hardcoded demo data in `mobile/src/stores/events.ts` with real API calls
+- [ ] Integrate E2E encryption (`mobile/src/lib/crypto.ts`) into real communication flow
+
+### 10. Browser Extension — Demo Data Only
+- [ ] Replace `checkForEvents()` demo data with real API calls (`extension/src/background/index.js:58-59`).
+- [ ] Implement real `scanUrl()` — currently always returns `{ status: 'secure' }` (line 130).
+- [ ] Show scan results in popup UI instead of just logging to console (`extension/src/popup/components/QuickActions.jsx:19`).
+- [ ] Replace demo data in `fetchStats()` with real API calls (`extension/src/store/events.js:4`). Uncomment real `chrome.runtime.sendMessage` call (line 50).
+- [ ] Submit to Chrome Web Store, Firefox Add-ons, Safari (all "coming soon" per README).
+
+### 11. Usage / Billing API — Demo Data Fallback
+- [ ] Connect real CoinPayPortal API (requires `COINPAYPORTAL_API_KEY` and `COINPAYPORTAL_BUSINESS_ID` env vars).
+- [ ] Implement `daily_spend` and `module_breakdown` arrays (currently returned empty even when API is connected, `src/app/api/usage/route.ts:186-187`).
+- [ ] Implement real top-up flow (currently shows alert: "Demo mode: Top-up simulated!" at `src/app/usage/usage-content.tsx:86`).
+
+### 12. Waitlist API — Payment Methods Not Implemented
+- [ ] Implement crypto payments — currently says "Crypto payments coming soon" (`src/app/api/waitlist/route.ts:142`).
+- [ ] Implement card payments — currently says "Card payments coming soon" (`src/app/api/waitlist/route.ts:245`).
+- [ ] Implement payment method selection in UI (`src/components/WaitlistModal.tsx:116`).
+
+### 13. Homepage — Features Marked "Coming Soon"
+- [ ] Implement three "Coming soon" feature sections on homepage (`src/app/page.tsx:601, 624, 650`).
+
+### 14. Package Manager Submissions — Placeholder Hashes
+- [ ] Replace `SHA256_PLACEHOLDER` in Homebrew submission (`scripts/lib/package-managers/homebrew.ts:58-59`).
+- [ ] Replace `SHA256_PLACEHOLDER` in Winget submission (`scripts/lib/package-managers/winget.ts:41`).
+- [ ] Replace `SHA256_PLACEHOLDER` in Scoop submission (`scripts/lib/package-managers/scoop.ts:69`).
+
+---
+
+## 🔵 Future / Nice-to-Have
+
+### 15. PRD Roadmap — Phase 1 (MVP)
+- [ ] CLI scaffold with `init`, `monitor`, `status` commands (exists but gated).
+- [ ] Core module: `log-watcher` (partially implemented in CLI monitor command).
+- [ ] Core module: `ssh-guard` (partially implemented in CLI monitor command).
+- [ ] Alert system (webhook).
+- [ ] systemd unit file.
+
+### 16. PRD Roadmap — Phase 2 (Beta)
+- [ ] Core module: `network-monitor` (pcap-based).
+- [ ] Core module: `code-scanner` (CLI scan command exists but is gated).
+- [ ] Core module: `pentest-engine`.
+- [ ] Module store on threatcrush.com (store pages exist but are UI-only).
+- [ ] `threatcrush modules install/publish` commands (gated).
+- [ ] License activation (gated).
+
+### 17. PRD Roadmap — Phase 3 (Launch)
+- [ ] Core module: `dns-monitor`.
+- [ ] Core module: `firewall-rules`.
+- [ ] Dashboard web UI.
+- [ ] Cloud sync.
+- [ ] Enterprise features.
+
+### 18. Docker / NPM / CI Workflows
+- [ ] Retest Docker publish workflow (had issues with Docker Hub auth; needs retest after GHCR-only fallback fix).
+- [ ] Confirm `npm-publish.yml` workflow works with real secrets.
+- [ ] Confirm `docker-publish.yml` workflow works with real secrets.
+- [ ] Confirm `submit-packages.yml` workflow works with real secrets.
+
+### 19. Hardware Appliance — Future Plans Only
+- The entire "ThreatCrush Box" hardware appliance line (Stick, Mini, Rack) is a future plan per `docs/FUTURE_PLANS.md`. Timeline starts Q3 2026 for software MVP and extends to 2028 for enterprise hardware. No action needed now.
+
+---
+
+## Quick Reference
+
+| Category | Key Files |
+|---|---|
+| Phone verification | `src/app/api/auth/verify-phone/route.ts` |
+| Supabase config | `src/lib/supabase.ts` |
+| CLI commands | `cli/src/index.ts`, `cli/src/commands/*.ts` |
+| TUI dashboard | `cli/src/tui/` (missing entirely) |
+| Module marketplace | `cli/src/commands/modules.ts` |
+| Desktop app | `desktop/src/preload/index.ts`, `.github/workflows/desktop-release.yml` |
+| Mobile app | `mobile/app/index.tsx`, `mobile/src/stores/events.ts`, `mobile/src/lib/crypto.ts` |
+| Browser extension | `extension/src/background/index.js`, `extension/src/store/events.js` |
+| Usage/billing | `src/app/api/usage/route.ts`, `src/app/usage/usage-content.tsx` |
+| Waitlist/payments | `src/app/api/waitlist/route.ts`, `src/components/WaitlistModal.tsx` |
+| Homepage | `src/app/page.tsx` |
+| Package managers | `scripts/lib/package-managers/homebrew.ts`, `winget.ts`, `scoop.ts` |