@harbinger-ai/harbinger 0.1.0

package/lib/db/api-keys.js

@@ -0,0 +1,163 @@
+import { randomUUID, randomBytes, createHash, timingSafeEqual } from 'crypto';
+import { eq } from 'drizzle-orm';
+import { getDb } from './index.js';
+import { settings } from './schema.js';
+
+const KEY_PREFIX = 'tpb_';
+
+// In-memory cache: { key_hash, id } or null
+let _cache = null;
+
+/**
+ * Generate a new API key: tpb_ + 64 hex chars (32 random bytes).
+ * @returns {string}
+ */
+export function generateApiKey() {
+  return KEY_PREFIX + randomBytes(32).toString('hex');
+}
+
+/**
+ * Hash an API key using SHA-256.
+ * @param {string} key - Raw API key
+ * @returns {string} Hex digest
+ */
+export function hashApiKey(key) {
+  return createHash('sha256').update(key).digest('hex');
+}
+
+/**
+ * Lazy-load the API key hash into the in-memory cache.
+ */
+function _ensureCache() {
+  if (_cache !== null) return _cache;
+
+  const db = getDb();
+  const row = db
+    .select()
+    .from(settings)
+    .where(eq(settings.type, 'api_key'))
+    .get();
+
+  if (row) {
+    const parsed = JSON.parse(row.value);
+    _cache = { keyHash: parsed.key_hash, id: row.id };
+  } else {
+    _cache = false; // no key exists — distinguish from "not loaded yet"
+  }
+  return _cache;
+}
+
+/**
+ * Clear the in-memory cache (call after create/delete).
+ */
+export function invalidateApiKeyCache() {
+  _cache = null;
+}
+
+/**
+ * Create (or replace) the API key. Deletes any existing key first.
+ * @param {string} createdBy - User ID
+ * @returns {{ key: string, record: object }}
+ */
+export function createApiKeyRecord(createdBy) {
+  const db = getDb();
+
+  // Delete any existing API key
+  db.delete(settings).where(eq(settings.type, 'api_key')).run();
+
+  const key = generateApiKey();
+  const keyHash = hashApiKey(key);
+  const keyPrefix = key.slice(0, 8); // "tpb_" + first 4 hex chars
+  const now = Date.now();
+
+  const record = {
+    id: randomUUID(),
+    type: 'api_key',
+    key: 'api_key',
+    value: JSON.stringify({ key_prefix: keyPrefix, key_hash: keyHash, last_used_at: null }),
+    createdBy,
+    createdAt: now,
+    updatedAt: now,
+  };
+
+  db.insert(settings).values(record).run();
+  invalidateApiKeyCache();
+
+  return {
+    key,
+    record: {
+      id: record.id,
+      keyPrefix,
+      createdAt: now,
+      lastUsedAt: null,
+    },
+  };
+}
+
+/**
+ * Get the current API key metadata (no hash).
+ * @returns {object|null}
+ */
+export function getApiKey() {
+  const db = getDb();
+  const row = db
+    .select()
+    .from(settings)
+    .where(eq(settings.type, 'api_key'))
+    .get();
+
+  if (!row) return null;
+
+  const parsed = JSON.parse(row.value);
+  return {
+    id: row.id,
+    keyPrefix: parsed.key_prefix,
+    createdAt: row.createdAt,
+    lastUsedAt: parsed.last_used_at,
+  };
+}
+
+/**
+ * Delete the API key.
+ */
+export function deleteApiKey() {
+  const db = getDb();
+  db.delete(settings).where(eq(settings.type, 'api_key')).run();
+  invalidateApiKeyCache();
+}
+
+/**
+ * Verify a raw API key against the cached hash.
+ * @param {string} rawKey - Raw API key from request header
+ * @returns {object|null} Record if valid, null otherwise
+ */
+export function verifyApiKey(rawKey) {
+  if (!rawKey || !rawKey.startsWith(KEY_PREFIX)) return null;
+
+  const keyHash = hashApiKey(rawKey);
+  const cached = _ensureCache();
+
+  if (!cached) return null;
+  const a = Buffer.from(cached.keyHash, 'hex');
+  const b = Buffer.from(keyHash, 'hex');
+  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
+
+  // Update last_used_at in background (non-blocking)
+  try {
+    const db = getDb();
+    const now = Date.now();
+    const row = db.select().from(settings).where(eq(settings.id, cached.id)).get();
+    if (row) {
+      const parsed = JSON.parse(row.value);
+      parsed.last_used_at = now;
+      db.update(settings)
+        .set({ value: JSON.stringify(parsed), updatedAt: now })
+        .where(eq(settings.id, cached.id))
+        .run();
+    }
+  } catch {
+    // Non-fatal: last_used_at is informational
+  }
+
+  return cached;
+}

package/lib/db/chats.js

@@ -0,0 +1,145 @@
+import { randomUUID } from 'crypto';
+import { eq, desc, asc } from 'drizzle-orm';
+import { getDb } from './index.js';
+import { chats, messages } from './schema.js';
+
+/**
+ * Create a new chat.
+ * @param {string} userId
+ * @param {string} [title='New Chat']
+ * @param {string} [id] - Optional chat ID (UUID). Generated if not provided.
+ * @returns {object} The created chat
+ */
+export function createChat(userId, title = 'New Chat', id = null) {
+  const db = getDb();
+  const now = Date.now();
+  const chat = {
+    id: id || randomUUID(),
+    userId,
+    title,
+    createdAt: now,
+    updatedAt: now,
+  };
+  db.insert(chats).values(chat).run();
+  return chat;
+}
+
+/**
+ * Get all chats for a user, ordered by most recently updated.
+ * @param {string} userId
+ * @returns {object[]}
+ */
+export function getChatsByUser(userId) {
+  const db = getDb();
+  return db
+    .select()
+    .from(chats)
+    .where(eq(chats.userId, userId))
+    .orderBy(desc(chats.updatedAt))
+    .all();
+}
+
+/**
+ * Get a single chat by ID.
+ * @param {string} chatId
+ * @returns {object|undefined}
+ */
+export function getChatById(chatId) {
+  const db = getDb();
+  return db.select().from(chats).where(eq(chats.id, chatId)).get();
+}
+
+/**
+ * Update a chat's title.
+ * @param {string} chatId
+ * @param {string} title
+ */
+export function updateChatTitle(chatId, title) {
+  const db = getDb();
+  db.update(chats)
+    .set({ title, updatedAt: Date.now() })
+    .where(eq(chats.id, chatId))
+    .run();
+}
+
+/**
+ * Toggle a chat's starred status.
+ * @param {string} chatId
+ * @returns {number} The new starred value (0 or 1)
+ */
+export function toggleChatStarred(chatId) {
+  const db = getDb();
+  const chat = db.select({ starred: chats.starred }).from(chats).where(eq(chats.id, chatId)).get();
+  const newValue = chat?.starred ? 0 : 1;
+  db.update(chats)
+    .set({ starred: newValue })
+    .where(eq(chats.id, chatId))
+    .run();
+  return newValue;
+}
+
+/**
+ * Delete a chat and all its messages.
+ * @param {string} chatId
+ */
+export function deleteChat(chatId) {
+  const db = getDb();
+  db.delete(messages).where(eq(messages.chatId, chatId)).run();
+  db.delete(chats).where(eq(chats.id, chatId)).run();
+}
+
+/**
+ * Delete all chats and messages for a user.
+ * @param {string} userId
+ */
+export function deleteAllChatsByUser(userId) {
+  const db = getDb();
+  const userChats = db
+    .select({ id: chats.id })
+    .from(chats)
+    .where(eq(chats.userId, userId))
+    .all();
+
+  for (const chat of userChats) {
+    db.delete(messages).where(eq(messages.chatId, chat.id)).run();
+  }
+  db.delete(chats).where(eq(chats.userId, userId)).run();
+}
+
+/**
+ * Get all messages for a chat, ordered by creation time.
+ * @param {string} chatId
+ * @returns {object[]}
+ */
+export function getMessagesByChatId(chatId) {
+  const db = getDb();
+  return db
+    .select()
+    .from(messages)
+    .where(eq(messages.chatId, chatId))
+    .orderBy(asc(messages.createdAt))
+    .all();
+}
+
+/**
+ * Save a message to a chat. Also updates the chat's updatedAt timestamp.
+ * @param {string} chatId
+ * @param {string} role - 'user' or 'assistant'
+ * @param {string} content
+ * @param {string} [id] - Optional message ID
+ * @returns {object} The created message
+ */
+export function saveMessage(chatId, role, content, id = null) {
+  const db = getDb();
+  const now = Date.now();
+  const message = {
+    id: id || randomUUID(),
+    chatId,
+    role,
+    content,
+    createdAt: now,
+  };
+  db.insert(messages).values(message).run();
+  db.update(chats).set({ updatedAt: now }).where(eq(chats.id, chatId)).run();
+  return message;
+}

package/lib/db/index.js

@@ -0,0 +1,52 @@
+import fs from 'fs';
+import path from 'path';
+import Database from 'better-sqlite3';
+import { drizzle } from 'drizzle-orm/better-sqlite3';
+import { migrate } from 'drizzle-orm/better-sqlite3/migrator';
+import { thepopebotDb, dataDir, PROJECT_ROOT } from '../paths.js';
+import * as schema from './schema.js';
+
+let _db = null;
+
+/**
+ * Get or create the Drizzle database instance (lazy singleton).
+ * @returns {import('drizzle-orm/better-sqlite3').BetterSQLite3Database}
+ */
+export function getDb() {
+  if (!_db) {
+    // Ensure data directory exists
+    if (!fs.existsSync(dataDir)) {
+      fs.mkdirSync(dataDir, { recursive: true });
+    }
+    const sqlite = new Database(thepopebotDb);
+    sqlite.pragma('journal_mode = WAL');
+    _db = drizzle(sqlite, { schema });
+  }
+  return _db;
+}
+
+/**
+ * Initialize the database — apply pending migrations.
+ * Called from instrumentation.js at server startup.
+ * Uses Drizzle Kit migrations from the package's drizzle/ folder.
+ */
+export function initDatabase() {
+  if (!fs.existsSync(dataDir)) {
+    fs.mkdirSync(dataDir, { recursive: true });
+  }
+
+  const sqlite = new Database(thepopebotDb);
+  sqlite.pragma('journal_mode = WAL');
+  const db = drizzle(sqlite, { schema });
+
+  // Resolve migrations folder from the installed package.
+  // import.meta.url doesn't survive webpack bundling, so resolve from PROJECT_ROOT.
+  const migrationsFolder = path.join(PROJECT_ROOT, 'node_modules', 'thepopebot', 'drizzle');
+
+  migrate(db, { migrationsFolder });
+
+  sqlite.close();
+
+  // Force re-creation of drizzle instance on next getDb() call
+  _db = null;
+}

package/lib/db/notifications.js

@@ -0,0 +1,99 @@
+import { randomUUID } from 'crypto';
+import { eq, desc, sql } from 'drizzle-orm';
+import { getDb } from './index.js';
+import { notifications, subscriptions } from './schema.js';
+
+/**
+ * Create a notification, then distribute to all subscribers.
+ * @param {string} notificationText - Human-readable notification text
+ * @param {object} payload - Raw webhook payload
+ * @returns {object} The created notification
+ */
+export async function createNotification(notificationText, payload) {
+  const db = getDb();
+  const now = Date.now();
+  const row = {
+    id: randomUUID(),
+    notification: notificationText,
+    payload: JSON.stringify(payload),
+    read: 0,
+    createdAt: now,
+  };
+  db.insert(notifications).values(row).run();
+
+  // Distribute to subscribers (fire-and-forget)
+  distributeNotification(notificationText).catch((err) => {
+    console.error('Failed to distribute notification:', err);
+  });
+
+  return row;
+}
+
+/**
+ * Get all notifications, newest first.
+ * @returns {object[]}
+ */
+export function getNotifications() {
+  const db = getDb();
+  return db
+    .select()
+    .from(notifications)
+    .orderBy(desc(notifications.createdAt))
+    .all();
+}
+
+/**
+ * Get count of unread notifications.
+ * @returns {number}
+ */
+export function getUnreadCount() {
+  const db = getDb();
+  const result = db
+    .select({ count: sql`count(*)` })
+    .from(notifications)
+    .where(eq(notifications.read, 0))
+    .get();
+  return result?.count ?? 0;
+}
+
+/**
+ * Mark all notifications as read.
+ */
+export function markAllRead() {
+  const db = getDb();
+  db.update(notifications)
+    .set({ read: 1 })
+    .where(eq(notifications.read, 0))
+    .run();
+}
+
+/**
+ * Get all subscriptions.
+ * @returns {object[]}
+ */
+export function getSubscriptions() {
+  const db = getDb();
+  return db.select().from(subscriptions).all();
+}
+
+/**
+ * Distribute a notification to all subscribers.
+ * @param {string} notificationText - The notification message
+ */
+async function distributeNotification(notificationText) {
+  const subs = getSubscriptions();
+  if (!subs.length) return;
+
+  for (const sub of subs) {
+    try {
+      if (sub.platform === 'telegram') {
+        const botToken = process.env.TELEGRAM_BOT_TOKEN;
+        if (!botToken) continue;
+        const { sendMessage } = await import('../tools/telegram.js');
+        await sendMessage(botToken, sub.channelId, notificationText);
+      }
+    } catch (err) {
+      console.error(`Failed to send to ${sub.platform}/${sub.channelId}:`, err);
+    }
+  }
+}

package/lib/db/schema.js

@@ -0,0 +1,145 @@
+import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
+
+export const users = sqliteTable('users', {
+  id: text('id').primaryKey(),
+  email: text('email').notNull().unique(),
+  passwordHash: text('password_hash').notNull(),
+  role: text('role').notNull().default('admin'),
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+export const chats = sqliteTable('chats', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  title: text('title').notNull().default('New Chat'),
+  starred: integer('starred').notNull().default(0),
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+export const messages = sqliteTable('messages', {
+  id: text('id').primaryKey(),
+  chatId: text('chat_id').notNull(),
+  role: text('role').notNull(),
+  content: text('content').notNull(),
+  createdAt: integer('created_at').notNull(),
+});
+
+export const notifications = sqliteTable('notifications', {
+  id: text('id').primaryKey(),
+  notification: text('notification').notNull(),
+  payload: text('payload').notNull(),
+  read: integer('read').notNull().default(0),
+  createdAt: integer('created_at').notNull(),
+});
+
+export const subscriptions = sqliteTable('subscriptions', {
+  id: text('id').primaryKey(),
+  platform: text('platform').notNull(),
+  channelId: text('channel_id').notNull(),
+  createdAt: integer('created_at').notNull(),
+});
+
+export const settings = sqliteTable('settings', {
+  id: text('id').primaryKey(),
+  type: text('type').notNull(),
+  key: text('key').notNull(),
+  value: text('value').notNull(),
+  createdBy: text('created_by'),
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Bug Bounty
+// ─────────────────────────────────────────────────────────────────────────────
+
+export const programs = sqliteTable('programs', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  platform: text('platform').notNull().default('custom'), // hackerone, bugcrowd, intigriti, yeswehack, federacy, custom
+  url: text('url'),
+  scopeUrl: text('scope_url'),
+  minBounty: integer('min_bounty'),
+  maxBounty: integer('max_bounty'),
+  status: text('status').notNull().default('active'), // active, paused, retired
+  notes: text('notes'),
+  syncHandle: text('sync_handle'), // platform-specific handle for synced programs
+  lastSyncedAt: integer('last_synced_at'),
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+export const targets = sqliteTable('targets', {
+  id: text('id').primaryKey(),
+  programId: text('program_id'),
+  type: text('type').notNull().default('domain'), // domain, ip, url, wildcard, api, mobile, cidr
+  value: text('value').notNull(),
+  status: text('status').notNull().default('in_scope'), // in_scope, out_of_scope, testing, completed
+  technologies: text('technologies'), // JSON array of detected tech
+  notes: text('notes'),
+  lastScannedAt: integer('last_scanned_at'),
+  syncSource: text('sync_source'), // hackerone, bugcrowd, intigriti, yeswehack, federacy
+  syncProgramHandle: text('sync_program_handle'), // handle from synced platform
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+export const findings = sqliteTable('findings', {
+  id: text('id').primaryKey(),
+  targetId: text('target_id'),
+  title: text('title').notNull(),
+  severity: text('severity').notNull().default('info'), // critical, high, medium, low, info
+  type: text('type').notNull(), // xss, sqli, ssrf, idor, rce, lfi, open_redirect, subdomain_takeover, info_disclosure, misconfig, etc.
+  status: text('status').notNull().default('new'), // new, triaging, confirmed, reported, duplicate, resolved, bounty_paid
+  description: text('description'),
+  stepsToReproduce: text('steps_to_reproduce'),
+  impact: text('impact'),
+  evidence: text('evidence'), // JSON array of screenshot URLs or file paths
+  bountyAmount: integer('bounty_amount'),
+  reportUrl: text('report_url'),
+  agentId: text('agent_id'), // which agent discovered this
+  toolId: text('tool_id'), // which tool found it
+  rawOutput: text('raw_output'), // raw tool output
+  reportedAt: integer('reported_at'),
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Tool Registry
+// ─────────────────────────────────────────────────────────────────────────────
+
+export const tools = sqliteTable('tools', {
+  id: text('id').primaryKey(),
+  catalogId: text('catalog_id'), // links to built-in catalog entry
+  name: text('name').notNull(),
+  slug: text('slug').notNull().unique(),
+  category: text('category').notNull(),
+  description: text('description'),
+  dockerImage: text('docker_image'),
+  installCmd: text('install_cmd'),
+  sourceUrl: text('source_url'), // GitHub URL
+  version: text('version'),
+  installed: integer('installed').notNull().default(0),
+  enabled: integer('enabled').notNull().default(1),
+  config: text('config'), // JSON tool-specific config
+  mcpServerId: text('mcp_server_id'), // if exposed via MCP
+  createdAt: integer('created_at').notNull(),
+  updatedAt: integer('updated_at').notNull(),
+});
+
+export const dockerContainers = sqliteTable('docker_containers', {
+  id: text('id').primaryKey(),
+  toolId: text('tool_id'),
+  containerId: text('container_id'), // Docker container ID
+  imageName: text('image_name').notNull(),
+  status: text('status').notNull().default('created'), // created, running, stopped, error
+  agentId: text('agent_id'),
+  ports: text('ports'), // JSON port mapping
+  env: text('env'), // JSON env vars (secrets redacted)
+  logs: text('logs'),
+  createdAt: integer('created_at').notNull(),
+  stoppedAt: integer('stopped_at'),
+});

package/lib/db/update-check.js

@@ -0,0 +1,96 @@
+import { randomUUID } from 'crypto';
+import { eq, and } from 'drizzle-orm';
+import { getDb } from './index.js';
+import { settings } from './schema.js';
+
+/**
+ * Get the stored available version from the DB.
+ * @returns {string|null}
+ */
+export function getAvailableVersion() {
+  const db = getDb();
+  const row = db
+    .select()
+    .from(settings)
+    .where(and(eq(settings.type, 'update'), eq(settings.key, 'available_version')))
+    .get();
+
+  return row ? row.value : null;
+}
+
+/**
+ * Set the available version in the DB (delete + insert upsert).
+ * @param {string} version
+ */
+export function setAvailableVersion(version) {
+  const db = getDb();
+  db.delete(settings)
+    .where(and(eq(settings.type, 'update'), eq(settings.key, 'available_version')))
+    .run();
+
+  const now = Date.now();
+  db.insert(settings).values({
+    id: randomUUID(),
+    type: 'update',
+    key: 'available_version',
+    value: version,
+    createdAt: now,
+    updatedAt: now,
+  }).run();
+}
+
+/**
+ * Clear the available version from the DB.
+ */
+export function clearAvailableVersion() {
+  const db = getDb();
+  db.delete(settings)
+    .where(and(eq(settings.type, 'update'), eq(settings.key, 'available_version')))
+    .run();
+}
+
+/**
+ * Get the stored release notes from the DB.
+ * @returns {string|null}
+ */
+export function getReleaseNotes() {
+  const db = getDb();
+  const row = db
+    .select()
+    .from(settings)
+    .where(and(eq(settings.type, 'update'), eq(settings.key, 'release_notes')))
+    .get();
+
+  return row ? row.value : null;
+}
+
+/**
+ * Set the release notes in the DB (delete + insert upsert).
+ * @param {string} notes
+ */
+export function setReleaseNotes(notes) {
+  const db = getDb();
+  db.delete(settings)
+    .where(and(eq(settings.type, 'update'), eq(settings.key, 'release_notes')))
+    .run();
+
+  const now = Date.now();
+  db.insert(settings).values({
+    id: randomUUID(),
+    type: 'update',
+    key: 'release_notes',
+    value: notes,
+    createdAt: now,
+    updatedAt: now,
+  }).run();
+}
+
+/**
+ * Clear the release notes from the DB.
+ */
+export function clearReleaseNotes() {
+  const db = getDb();
+  db.delete(settings)
+    .where(and(eq(settings.type, 'update'), eq(settings.key, 'release_notes')))
+    .run();
+}