@harbinger-ai/harbinger 0.1.0

package/lib/ai/model-router.js

@@ -0,0 +1,254 @@
+/**
+ * SmartModelRouter — Local-first model routing for agents.
+ *
+ * Picks the cheapest sufficient model for each task. Five complexity tiers,
+ * per-agent overrides, provider health checks. Integrates with the bot's
+ * createModel() for actual LangChain model instantiation.
+ *
+ * Adapted from Harbinger's agents/shared/model-router.js.
+ */
+
+import { createModel } from './model.js';
+
+export class SmartModelRouter {
+  constructor(opts = {}) {
+    this.localOnly = opts.localOnly || false;
+
+    // Provider registry — local providers first
+    this.providers = {
+      ollama:    { type: 'local',  baseUrl: 'http://localhost:11434', models: ['llama3', 'codellama', 'mistral', 'phi3'] },
+      lmstudio:  { type: 'local',  baseUrl: 'http://localhost:1234/v1', models: ['local-model'] },
+      anthropic:  { type: 'cloud', models: ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5-20251001'] },
+      openai:     { type: 'cloud', models: ['gpt-4o', 'gpt-4o-mini', 'o1'] },
+      google:     { type: 'cloud', models: ['gemini-2.0-flash', 'gemini-pro'] },
+    };
+
+    // Complexity tiers — tokens and time budgets
+    this.tiers = {
+      trivial:  { maxTokens: 500,   timeout: 1000,  description: 'Greetings, simple lookups' },
+      simple:   { maxTokens: 2000,  timeout: 5000,  description: 'Single-step tasks, short answers' },
+      moderate: { maxTokens: 4000,  timeout: 15000, description: 'Multi-step analysis, code review' },
+      complex:  { maxTokens: 8000,  timeout: 30000, description: 'Deep reasoning, exploit dev' },
+      massive:  { maxTokens: 32000, timeout: 60000, description: 'Full codebase analysis, report gen' },
+    };
+
+    // Default route table — local-first
+    this.routes = {
+      trivial:  { provider: 'ollama', model: 'llama3',     fallback: null },
+      simple:   { provider: 'ollama', model: 'llama3',     fallback: null },
+      moderate: { provider: 'ollama', model: 'codellama',  fallback: { provider: 'anthropic', model: 'claude-sonnet-4-6' } },
+      complex:  { provider: 'anthropic', model: 'claude-sonnet-4-6', fallback: { provider: 'anthropic', model: 'claude-opus-4-6' } },
+      massive:  { provider: 'anthropic', model: 'claude-opus-4-6',   fallback: { provider: 'anthropic', model: 'claude-opus-4-6' } },
+    };
+
+    // Per-agent overrides
+    this.agentOverrides = opts.agentOverrides || {};
+  }
+
+  /**
+   * Select the best model for a task.
+   *
+   * Priority chain:
+   * 1. User preference (explicit model request)
+   * 2. Agent override (pinned model for this agent)
+   * 3. Complexity classification → route table
+   * 4. Provider health check → fallback if primary down
+   */
+  async selectModel(task, context = {}) {
+    // 1. User preference wins
+    if (context.preferredModel) {
+      return { provider: context.preferredProvider || 'anthropic', model: context.preferredModel, reason: 'user_preference' };
+    }
+
+    // 2. Agent override
+    if (context.agentId && this.agentOverrides[context.agentId]) {
+      const override = this.agentOverrides[context.agentId];
+      return { ...override, reason: 'agent_override' };
+    }
+
+    // 3. Classify complexity
+    const complexity = this.assessComplexity(task);
+    const route = this.routes[complexity];
+
+    if (!route) {
+      return { provider: 'ollama', model: 'llama3', complexity, reason: 'default_fallback' };
+    }
+
+    // 4. Local mode enforcement
+    if (this.localOnly && this.providers[route.provider]?.type === 'cloud') {
+      return { provider: 'ollama', model: 'llama3', complexity, reason: 'local_mode_enforced' };
+    }
+
+    // 5. Health check primary provider
+    const primaryAvailable = await this.isProviderAvailable(route.provider);
+    if (primaryAvailable) {
+      return { provider: route.provider, model: route.model, complexity, reason: 'route_table' };
+    }
+
+    // 6. Fallback
+    if (route.fallback) {
+      const fallbackAvailable = await this.isProviderAvailable(route.fallback.provider);
+      if (fallbackAvailable) {
+        return { ...route.fallback, complexity, reason: 'fallback' };
+      }
+    }
+
+    // 7. Last resort — local model
+    return { provider: 'ollama', model: 'llama3', complexity, reason: 'last_resort' };
+  }
+
+  /**
+   * Assess task complexity based on content analysis.
+   * Returns: 'trivial' | 'simple' | 'moderate' | 'complex' | 'massive'
+   */
+  assessComplexity(task) {
+    if (!task || typeof task !== 'string') return 'simple';
+
+    let score = 0;
+    const text = task.toLowerCase();
+
+    // Token estimate — rough proxy
+    const tokenEstimate = text.split(/\s+/).length * 1.3;
+    if (tokenEstimate > 500) score += 2;
+    if (tokenEstimate > 2000) score += 2;
+    if (tokenEstimate > 5000) score += 2;
+
+    // Reasoning depth indicators
+    if (/\b(analyze|explain|compare|evaluate|synthesize)\b/.test(text)) score += 2;
+    if (/\b(why|how|reason|because|therefore)\b/.test(text)) score += 1;
+
+    // Code task indicators
+    if (/\b(code|function|class|implement|refactor|debug)\b/.test(text)) score += 2;
+    if (/\b(exploit|vulnerability|payload|injection|bypass)\b/.test(text)) score += 3;
+
+    // Math/logic indicators
+    if (/\b(calculate|equation|algorithm|optimize|crypto)\b/.test(text)) score += 2;
+
+    // Conversational / trivial indicators
+    if (/^(hi|hello|hey|thanks|ok|yes|no)\b/i.test(text)) return 'trivial';
+    if (text.length < 20) return 'trivial';
+
+    // Map score to tier
+    if (score <= 1) return 'trivial';
+    if (score <= 3) return 'simple';
+    if (score <= 6) return 'moderate';
+    if (score <= 9) return 'complex';
+    return 'massive';
+  }
+
+  /**
+   * Check if a provider is reachable.
+   */
+  async isProviderAvailable(providerName) {
+    const provider = this.providers[providerName];
+    if (!provider) return false;
+
+    try {
+      // Local providers: hit their health endpoint
+      if (provider.type === 'local') {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 3000);
+        const url = providerName === 'ollama'
+          ? `${provider.baseUrl}/api/tags`
+          : `${provider.baseUrl}/models`;
+        const res = await fetch(url, { signal: controller.signal });
+        clearTimeout(timeout);
+        return res.ok;
+      }
+
+      // Cloud providers: assume available if configured (don't waste API calls)
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Get the current route table (for Settings UI).
+   */
+  getRoutes() {
+    return Object.entries(this.routes).map(([tier, route]) => ({
+      tier,
+      ...this.tiers[tier],
+      provider: route.provider,
+      model: route.model,
+      fallbackProvider: route.fallback?.provider || null,
+      fallbackModel: route.fallback?.model || null,
+    }));
+  }
+
+  /**
+   * Update a route in the table.
+   */
+  updateRoute(tier, update) {
+    if (!this.routes[tier]) return false;
+    Object.assign(this.routes[tier], update);
+    return true;
+  }
+}
+
+let _router = null;
+
+/** Get the SmartModelRouter singleton (lazy-initialized). */
+export function getModelRouter() {
+  if (!_router) {
+    _router = new SmartModelRouter({
+      localOnly: process.env.LOCAL_ONLY === 'true',
+    });
+  }
+  return _router;
+}
+
+/**
+ * Create a LangChain model routed by task complexity.
+ * Uses the SmartModelRouter to pick provider/model, then delegates to createModel().
+ *
+ * @param {string} task - The task description to route on
+ * @param {object} [context={}] - Optional routing context (agentId, preferredModel, etc.)
+ * @returns {Promise<import('@langchain/core/language_models/chat_models').BaseChatModel>}
+ */
+export async function createRoutedModel(task, context = {}) {
+  const router = getModelRouter();
+  const selection = await router.selectModel(task, context);
+
+  // Temporarily override env vars so createModel() picks the right provider/model
+  const origProvider = process.env.LLM_PROVIDER;
+  const origModel = process.env.LLM_MODEL;
+
+  try {
+    process.env.LLM_PROVIDER = selection.provider === 'ollama' ? 'custom' : selection.provider;
+    process.env.LLM_MODEL = selection.model;
+
+    // For local providers, set the base URL
+    if (selection.provider === 'ollama') {
+      const origBaseUrl = process.env.OPENAI_BASE_URL;
+      process.env.OPENAI_BASE_URL = 'http://localhost:11434/v1';
+      try {
+        return await createModel();
+      } finally {
+        if (origBaseUrl !== undefined) process.env.OPENAI_BASE_URL = origBaseUrl;
+        else delete process.env.OPENAI_BASE_URL;
+      }
+    }
+
+    if (selection.provider === 'lmstudio') {
+      const origBaseUrl = process.env.OPENAI_BASE_URL;
+      process.env.OPENAI_BASE_URL = 'http://localhost:1234/v1';
+      process.env.LLM_PROVIDER = 'custom';
+      try {
+        return await createModel();
+      } finally {
+        if (origBaseUrl !== undefined) process.env.OPENAI_BASE_URL = origBaseUrl;
+        else delete process.env.OPENAI_BASE_URL;
+      }
+    }
+
+    return await createModel();
+  } finally {
+    // Restore original env vars
+    if (origProvider !== undefined) process.env.LLM_PROVIDER = origProvider;
+    else delete process.env.LLM_PROVIDER;
+    if (origModel !== undefined) process.env.LLM_MODEL = origModel;
+    else delete process.env.LLM_MODEL;
+  }
+}

package/lib/ai/model.js

@@ -0,0 +1,73 @@
+import { ChatAnthropic } from '@langchain/anthropic';
+
+const DEFAULT_MODELS = {
+  anthropic: 'claude-sonnet-4-20250514',
+  openai: 'gpt-4o',
+  google: 'gemini-2.5-pro',
+};
+
+/**
+ * Create a LangChain chat model based on environment configuration.
+ *
+ * Config env vars:
+ *   LLM_PROVIDER    — "anthropic" (default), "openai", "google"
+ *   LLM_MODEL       — Model name override (e.g. "claude-sonnet-4-20250514")
+ *   ANTHROPIC_API_KEY — Required for anthropic provider
+ *   OPENAI_API_KEY   — Required for openai provider (optional with OPENAI_BASE_URL)
+ *   OPENAI_BASE_URL  — Custom OpenAI-compatible base URL (e.g. http://localhost:11434/v1 for Ollama)
+ *   GOOGLE_API_KEY   — Required for google provider
+ *
+ * @param {object} [options]
+ * @param {number} [options.maxTokens=4096] - Max tokens for the response
+ * @returns {import('@langchain/core/language_models/chat_models').BaseChatModel}
+ */
+export async function createModel(options = {}) {
+  const provider = process.env.LLM_PROVIDER || 'anthropic';
+  const modelName = process.env.LLM_MODEL || DEFAULT_MODELS[provider] || DEFAULT_MODELS.anthropic;
+  const maxTokens = options.maxTokens || Number(process.env.LLM_MAX_TOKENS) || 4096;
+
+  switch (provider) {
+    case 'anthropic': {
+      const apiKey = process.env.ANTHROPIC_API_KEY;
+      if (!apiKey) {
+        throw new Error('ANTHROPIC_API_KEY environment variable is required');
+      }
+      return new ChatAnthropic({
+        modelName,
+        maxTokens,
+        anthropicApiKey: apiKey,
+      });
+    }
+    case 'custom':
+    case 'openai': {
+      const { ChatOpenAI } = await import('@langchain/openai');
+      const apiKey = provider === 'custom'
+        ? (process.env.CUSTOM_API_KEY || 'not-needed')
+        : process.env.OPENAI_API_KEY;
+      const baseURL = process.env.OPENAI_BASE_URL;
+      if (!apiKey && !baseURL) {
+        throw new Error('OPENAI_API_KEY environment variable is required (or set OPENAI_BASE_URL for local models)');
+      }
+      const config = { modelName, maxTokens };
+      config.apiKey = apiKey || 'not-needed';
+      if (baseURL) {
+        config.configuration = { baseURL };
+      }
+      return new ChatOpenAI(config);
+    }
+    case 'google': {
+      const { ChatGoogleGenerativeAI } = await import('@langchain/google-genai');
+      const apiKey = process.env.GOOGLE_API_KEY;
+      if (!apiKey) {
+        throw new Error('GOOGLE_API_KEY environment variable is required');
+      }
+      return new ChatGoogleGenerativeAI({
+        model: modelName,
+        maxOutputTokens: maxTokens,
+        apiKey,
+      });
+    }
+    default:
+      throw new Error(`Unknown LLM provider: ${provider}`);
+  }
+}

package/lib/ai/tools.js

@@ -0,0 +1,84 @@
+import fs from 'fs';
+import { tool } from '@langchain/core/tools';
+import { z } from 'zod';
+import { createJob } from '../tools/create-job.js';
+import { getJobStatus } from '../tools/github.js';
+import { claudeMd, skillGuidePath } from '../paths.js';
+
+const createJobTool = tool(
+  async ({ job_description }) => {
+    const result = await createJob(job_description);
+    return JSON.stringify({
+      success: true,
+      job_id: result.job_id,
+      branch: result.branch,
+      title: result.title,
+    });
+  },
+  {
+    name: 'create_job',
+    description:
+      'Create an autonomous job that runs a Docker agent in a container. The Docker agent has full filesystem access, web search, browser automation, and other abilities. The job description you provide becomes the Docker agent\'s task prompt. Returns the job ID and branch name.',
+    schema: z.object({
+      job_description: z
+        .string()
+        .describe(
+          'Detailed job description including context and requirements. Be specific about what needs to be done.'
+        ),
+    }),
+  }
+);
+
+const getJobStatusTool = tool(
+  async ({ job_id }) => {
+    const result = await getJobStatus(job_id);
+    return JSON.stringify(result);
+  },
+  {
+    name: 'get_job_status',
+    description:
+      'Check status of running jobs. Returns list of active workflow runs with timing and current step. Use when user asks about job progress, running jobs, or job status.',
+    schema: z.object({
+      job_id: z
+        .string()
+        .optional()
+        .describe(
+          'Optional: specific job ID to check. If omitted, returns all running jobs.'
+        ),
+    }),
+  }
+);
+
+const getSystemTechnicalSpecsTool = tool(
+  async () => {
+    try {
+      return fs.readFileSync(claudeMd, 'utf8');
+    } catch {
+      return 'No technical documentation found (CLAUDE.md not present in project root).';
+    }
+  },
+  {
+    name: 'get_system_technical_specs',
+    description:
+      'Read the system architecture and technical documentation (CLAUDE.md). You MUST call this before modifying any config file (CRONS.json, TRIGGERS.json, etc.) or system infrastructure — config entries have advanced fields (per-entry LLM overrides, webhook options, etc.) that are only documented here. Also use this when you need to understand how the system works — event handler, Docker agent, API routes, database, GitHub Actions, deployment, or file structure. NOT for skill creation (use get_skill_building_guide for that).',
+    schema: z.object({}),
+  }
+);
+
+const getSkillBuildingGuideTool = tool(
+  async () => {
+    try {
+      return fs.readFileSync(skillGuidePath, 'utf8');
+    } catch {
+      return 'Skill guide not found.';
+    }
+  },
+  {
+    name: 'get_skill_building_guide',
+    description:
+      'Load the guide for creating, modifying, and understanding agent skills. You MUST call this before creating or modifying any skill — the guide contains required file structure, naming conventions, SKILL.md frontmatter format, activation steps, and testing procedures that are only documented there. Skills are lightweight bash/Node.js wrappers in `skills/` that extend what agents can do. NOT for understanding the system architecture (use get_system_technical_specs for that).',
+    schema: z.object({}),
+  }
+);
+
+export { createJobTool, getJobStatusTool, getSystemTechnicalSpecsTool, getSkillBuildingGuideTool };

package/lib/auth/actions.js

@@ -0,0 +1,28 @@
+'use server';
+
+import { createFirstUser } from '../db/users.js';
+
+/**
+ * Create the first admin user (setup action).
+ * Uses atomic createFirstUser() to prevent race conditions.
+ * No session/token is created — the admin must log in through the normal auth flow.
+ *
+ * @param {string} email
+ * @param {string} password
+ * @returns {Promise<{ success?: boolean, error?: string }>}
+ */
+export async function setupAdmin(email, password) {
+  if (!email || !password) {
+    return { error: 'Email and password are required.' };
+  }
+  if (password.length < 8) {
+    return { error: 'Password must be at least 8 characters.' };
+  }
+
+  const created = createFirstUser(email, password);
+  if (!created) {
+    return { error: 'Setup already completed.' };
+  }
+
+  return { success: true };
+}

package/lib/auth/config.js

@@ -0,0 +1,27 @@
+import NextAuth from 'next-auth';
+import Credentials from 'next-auth/providers/credentials';
+import { authConfig } from './edge-config.js';
+
+export const { handlers, signIn, signOut, auth } = NextAuth({
+  ...authConfig,
+  providers: [
+    Credentials({
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) return null;
+
+        const { getUserByEmail, verifyPassword } = await import('../db/users.js');
+        const user = getUserByEmail(credentials.email);
+        if (!user) return null;
+
+        const valid = await verifyPassword(user, credentials.password);
+        if (!valid) return null;
+
+        return { id: user.id, email: user.email, role: user.role };
+      },
+    }),
+  ],
+});

package/lib/auth/edge-config.js

@@ -0,0 +1,27 @@
+/**
+ * Edge-safe auth configuration — shared between middleware and server.
+ * Contains only JWT/session/callbacks/pages config. No providers, no DB imports.
+ * Both instances use the same AUTH_SECRET for JWT signing/verification.
+ *
+ * Official pattern: https://authjs.dev/guides/edge-compatibility
+ */
+export const authConfig = {
+  providers: [],
+  session: { strategy: 'jwt' },
+  pages: { signIn: '/login' },
+  callbacks: {
+    jwt({ token, user }) {
+      if (user) {
+        token.role = user.role;
+      }
+      return token;
+    },
+    session({ session, token }) {
+      if (session.user) {
+        session.user.id = token.sub;
+        session.user.role = token.role;
+      }
+      return session;
+    },
+  },
+};

package/lib/auth/index.js

@@ -0,0 +1,27 @@
+import { handlers, auth } from './config.js';
+
+// Re-export Auth.js route handlers (GET + POST for [...nextauth])
+export const { GET, POST } = handlers;
+
+// Re-export auth for session checking
+export { auth };
+
+/**
+ * Get the auth state for the main page (server component).
+ * Returns both the session and whether setup is needed, in one call.
+ * DB import is dynamic so it doesn't get pulled in at module level.
+ *
+ * @returns {Promise<{ session: object|null, needsSetup: boolean }>}
+ */
+export async function getPageAuthState() {
+  const { getUserCount } = await import('../db/users.js');
+  const [session, userCount] = await Promise.all([
+    auth(),
+    Promise.resolve(getUserCount()),
+  ]);
+
+  return {
+    session,
+    needsSetup: userCount === 0,
+  };
+}

package/lib/auth/middleware.js

@@ -0,0 +1,53 @@
+import NextAuth from 'next-auth';
+import { authConfig } from './edge-config.js';
+import { NextResponse } from 'next/server';
+
+const { auth } = NextAuth(authConfig);
+
+export const middleware = auth((req) => {
+  const { pathname } = req.nextUrl;
+
+  // API routes use their own centralized auth (checkAuth in api/index.js)
+  if (pathname.startsWith('/api')) return;
+
+  // Static assets from public/ — skip auth for common file extensions
+  if (/\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js|woff2?|ttf|eot|mp4|webm)$/i.test(pathname)) {
+    return;
+  }
+
+  // /login is the only unprotected page (login + first-user setup)
+  if (pathname === '/login') {
+    if (req.auth) return NextResponse.redirect(new URL('/', req.url));
+    return;
+  }
+
+  // Everything else requires auth
+  if (!req.auth) {
+    const response = NextResponse.redirect(new URL('/login', req.url));
+
+    // Clear stale session cookies that can't be decrypted (e.g. after AUTH_SECRET rotation
+    // or container restart). Auth.js clears these internally in route handlers via
+    // sessionStore.clean(), but NOT in middleware — so the bad cookie loops forever.
+    // Only session-token cookies are cleared; csrf-token and callback-url are left intact.
+    const cookieNames = Object.keys(req.cookies.getAll().reduce((acc, c) => { acc[c.name] = true; return acc; }, {}));
+    const staleSessionCookies = cookieNames.filter(name =>
+      name === 'authjs.session-token' ||
+      name === '__Secure-authjs.session-token' ||
+      /^authjs\.session-token\.\d+$/.test(name) ||
+      /^__Secure-authjs\.session-token\.\d+$/.test(name)
+    );
+
+    if (staleSessionCookies.length > 0) {
+      for (const name of staleSessionCookies) {
+        response.cookies.set(name, '', { maxAge: 0, path: '/' });
+      }
+    }
+
+    return response;
+  }
+});
+
+export const config = {
+  // Exclude all _next internal paths (static chunks, HMR, images, Turbopack dev assets)
+  matcher: ['/((?!_next|favicon.ico).*)'],
+};