@profullstack/threatcrush 0.1.0

package/src/commands/scan.ts

@@ -0,0 +1,212 @@
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { join, relative, extname } from 'node:path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { banner, logger } from '../core/logger.js';
+
+interface ScanFinding {
+  file: string;
+  line: number;
+  type: string;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  message: string;
+  snippet: string;
+}
+
+// Secret patterns
+const SECRET_PATTERNS: Array<{
+  name: string;
+  pattern: RegExp;
+  severity: 'medium' | 'high' | 'critical';
+}> = [
+  { name: 'AWS Access Key', pattern: /(?:AKIA[0-9A-Z]{16})/g, severity: 'critical' },
+  { name: 'AWS Secret Key', pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi, severity: 'critical' },
+  { name: 'GitHub Token', pattern: /(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})/g, severity: 'critical' },
+  { name: 'Generic API Key', pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*['"]([A-Za-z0-9\-_]{20,})['"]?/gi, severity: 'high' },
+  { name: 'Generic Secret', pattern: /(?:secret|password|passwd|pwd)\s*[=:]\s*['"]([^'"]{8,})['"]?/gi, severity: 'high' },
+  { name: 'Private Key', pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g, severity: 'critical' },
+  { name: 'JWT Token', pattern: /eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_.+/=]*/g, severity: 'high' },
+  { name: 'Slack Token', pattern: /xox[bpors]-[A-Za-z0-9-]{10,}/g, severity: 'critical' },
+  { name: 'Stripe Key', pattern: /(?:sk_live_|pk_live_|sk_test_|pk_test_)[A-Za-z0-9]{20,}/g, severity: 'critical' },
+  { name: 'Database URL', pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^\s'"]+/gi, severity: 'high' },
+  { name: 'Bearer Token', pattern: /Bearer\s+[A-Za-z0-9\-_\.]{20,}/g, severity: 'medium' },
+  { name: 'Hex Token (32+)', pattern: /(?:token|key|secret|auth)\s*[=:]\s*['"]?([0-9a-f]{32,})['"]?/gi, severity: 'medium' },
+];
+
+// File permission / misconfig checks
+const MISCONFIG_FILES = [
+  { pattern: '.env', message: '.env file found — may contain secrets' },
+  { pattern: '.env.local', message: '.env.local file found — may contain secrets' },
+  { pattern: '.env.production', message: '.env.production file found — may contain secrets' },
+  { pattern: 'id_rsa', message: 'Private SSH key found' },
+  { pattern: 'id_ed25519', message: 'Private SSH key found' },
+  { pattern: '.pem', message: 'PEM certificate/key file found' },
+  { pattern: '.p12', message: 'PKCS#12 keystore found' },
+  { pattern: '.keystore', message: 'Keystore file found' },
+];
+
+const SKIP_DIRS = new Set([
+  'node_modules', '.git', '.next', 'dist', 'build', '__pycache__',
+  '.venv', 'vendor', '.terraform', 'coverage', '.cache',
+]);
+
+const SCAN_EXTENSIONS = new Set([
+  '.ts', '.js', '.tsx', '.jsx', '.py', '.rb', '.go', '.java',
+  '.php', '.rs', '.c', '.cpp', '.h', '.yml', '.yaml', '.json',
+  '.toml', '.ini', '.cfg', '.conf', '.env', '.sh', '.bash',
+  '.tf', '.hcl', '.xml', '.properties', '.gradle',
+]);
+
+export async function scanCommand(targetPath: string): Promise<void> {
+  banner();
+  logger.info(`Scanning ${chalk.white(targetPath)} for security issues...\n`);
+
+  const spinner = ora({ text: 'Scanning files...', color: 'green' }).start();
+  const findings: ScanFinding[] = [];
+  let filesScanned = 0;
+
+  try {
+    scanDirectory(targetPath, targetPath, findings, () => {
+      filesScanned++;
+      spinner.text = `Scanning files... (${filesScanned} files)`;
+    });
+  } catch (err: any) {
+    spinner.fail(`Scan failed: ${err.message}`);
+    return;
+  }
+
+  spinner.succeed(`Scanned ${filesScanned} files\n`);
+
+  // Print results
+  if (findings.length === 0) {
+    console.log(chalk.green.bold('  ✓ No security issues found!'));
+    console.log();
+    return;
+  }
+
+  // Group by severity
+  const critical = findings.filter((f) => f.severity === 'critical');
+  const high = findings.filter((f) => f.severity === 'high');
+  const medium = findings.filter((f) => f.severity === 'medium');
+  const low = findings.filter((f) => f.severity === 'low');
+
+  console.log(chalk.white.bold('  Scan Results'));
+  console.log(chalk.gray('  ' + '─'.repeat(70)));
+  console.log(
+    `  ${chalk.red.bold(critical.length + ' critical')}  ` +
+    `${chalk.red(high.length + ' high')}  ` +
+    `${chalk.yellow(medium.length + ' medium')}  ` +
+    `${chalk.gray(low.length + ' low')}`,
+  );
+  console.log(chalk.gray('  ' + '─'.repeat(70)));
+  console.log();
+
+  const allFindings = [...critical, ...high, ...medium, ...low];
+  for (const finding of allFindings) {
+    const sev =
+      finding.severity === 'critical' ? chalk.bgRed.white.bold(` ${finding.severity.toUpperCase()} `) :
+      finding.severity === 'high' ? chalk.red(`[${finding.severity.toUpperCase()}]`) :
+      finding.severity === 'medium' ? chalk.yellow(`[${finding.severity.toUpperCase()}]`) :
+      chalk.gray(`[${finding.severity.toUpperCase()}]`);
+
+    console.log(`  ${sev} ${chalk.white.bold(finding.type)}`);
+    console.log(`    ${chalk.gray('File:')} ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
+    console.log(`    ${chalk.gray('Info:')} ${finding.message}`);
+    if (finding.snippet) {
+      // Redact the actual secret value
+      const redacted = finding.snippet.replace(
+        /(['"]?)([A-Za-z0-9+/=\-_]{16,})(['"]?)/g,
+        '$1' + chalk.red('*'.repeat(16)) + '$3',
+      );
+      console.log(`    ${chalk.gray('Code:')} ${redacted.trim()}`);
+    }
+    console.log();
+  }
+
+  console.log(chalk.gray('  ' + '─'.repeat(70)));
+  console.log(`  ${chalk.white.bold(`${findings.length} issue(s) found`)} across ${filesScanned} files`);
+  console.log();
+}
+
+function scanDirectory(
+  basePath: string,
+  currentPath: string,
+  findings: ScanFinding[],
+  onFile: () => void,
+): void {
+  let entries;
+  try {
+    entries = readdirSync(currentPath, { withFileTypes: true });
+  } catch {
+    return; // Permission denied or similar
+  }
+
+  for (const entry of entries) {
+    const fullPath = join(currentPath, entry.name);
+
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name)) continue;
+      scanDirectory(basePath, fullPath, findings, onFile);
+      continue;
+    }
+
+    if (!entry.isFile()) continue;
+
+    // Check for misconfig files
+    for (const mc of MISCONFIG_FILES) {
+      if (entry.name === mc.pattern || entry.name.endsWith(mc.pattern)) {
+        findings.push({
+          file: relative(basePath, fullPath),
+          line: 0,
+          type: 'Sensitive File',
+          severity: 'high',
+          message: mc.message,
+          snippet: '',
+        });
+      }
+    }
+
+    // Only scan text files with known extensions
+    const ext = extname(entry.name).toLowerCase();
+    if (!SCAN_EXTENSIONS.has(ext) && !entry.name.startsWith('.env')) continue;
+
+    // Skip large files
+    try {
+      const stat = statSync(fullPath);
+      if (stat.size > 1024 * 1024) continue; // Skip >1MB
+    } catch {
+      continue;
+    }
+
+    onFile();
+
+    // Scan file content
+    let content: string;
+    try {
+      content = readFileSync(fullPath, 'utf-8');
+    } catch {
+      continue;
+    }
+
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Skip comments
+      if (line.trim().startsWith('//') && !line.includes('password') && !line.includes('secret')) continue;
+
+      for (const pattern of SECRET_PATTERNS) {
+        pattern.pattern.lastIndex = 0;
+        if (pattern.pattern.test(line)) {
+          findings.push({
+            file: relative(basePath, fullPath),
+            line: i + 1,
+            type: pattern.name,
+            severity: pattern.severity,
+            message: `Possible ${pattern.name} detected`,
+            snippet: line.length > 120 ? line.slice(0, 120) + '...' : line,
+          });
+        }
+      }
+    }
+  }
+}

package/src/commands/status.ts

@@ -0,0 +1,86 @@
+import chalk from 'chalk';
+import { banner, logger } from '../core/logger.js';
+import { discoverModules } from '../core/module-loader.js';
+import { initStateDB, getEventCount, getThreatCount, getRecentEvents } from '../core/state.js';
+
+export async function statusCommand(): Promise<void> {
+  banner();
+
+  // Check if daemon is running (look for PID file or process)
+  const daemonRunning = checkDaemon();
+
+  console.log(chalk.green.bold('  Daemon Status'));
+  console.log(chalk.gray('  ' + '─'.repeat(50)));
+  console.log(`  Status:     ${daemonRunning ? chalk.green.bold('● RUNNING') : chalk.yellow('○ NOT RUNNING')}`);
+  console.log(`  PID:        ${daemonRunning ? chalk.white('—') : chalk.gray('N/A')}`);
+  console.log(`  Uptime:     ${daemonRunning ? chalk.white('—') : chalk.gray('N/A')}`);
+  console.log();
+
+  // Show modules
+  const modules = discoverModules();
+  console.log(chalk.green.bold('  Loaded Modules'));
+  console.log(chalk.gray('  ' + '─'.repeat(50)));
+
+  if (modules.length === 0) {
+    console.log(chalk.gray('  No modules found. Run `threatcrush init` to set up.'));
+  } else {
+    for (const mod of modules) {
+      const enabled = mod.config.enabled !== false;
+      const status = enabled ? chalk.green('● enabled ') : chalk.gray('○ disabled');
+      console.log(`  ${status}  ${chalk.white.bold(mod.manifest.name.padEnd(18))} ${chalk.gray('v' + mod.manifest.version)}`);
+    }
+  }
+  console.log();
+
+  // Show event stats
+  try {
+    initStateDB();
+    const totalEvents = getEventCount();
+    const totalThreats = getThreatCount();
+    const last24h = getEventCount(new Date(Date.now() - 86400000));
+    const threats24h = getThreatCount(new Date(Date.now() - 86400000));
+
+    console.log(chalk.green.bold('  Event Statistics'));
+    console.log(chalk.gray('  ' + '─'.repeat(50)));
+    console.log(`  Total events:     ${chalk.white(totalEvents.toString())}`);
+    console.log(`  Total threats:    ${chalk.red(totalThreats.toString())}`);
+    console.log(`  Events (24h):     ${chalk.white(last24h.toString())}`);
+    console.log(`  Threats (24h):    ${chalk.red(threats24h.toString())}`);
+    console.log();
+
+    // Show recent events
+    const recent = getRecentEvents(5);
+    if (recent.length > 0) {
+      console.log(chalk.green.bold('  Recent Events'));
+      console.log(chalk.gray('  ' + '─'.repeat(50)));
+      for (const evt of recent) {
+        const sev = evt.severity === 'critical' || evt.severity === 'high'
+          ? chalk.red(`[${evt.severity.toUpperCase()}]`)
+          : evt.severity === 'medium'
+            ? chalk.yellow(`[${evt.severity.toUpperCase()}]`)
+            : chalk.green(`[${evt.severity.toUpperCase()}]`);
+        console.log(`  ${chalk.gray(evt.timestamp.toISOString().slice(0, 19))} ${sev.padEnd(20)} ${evt.message}`);
+      }
+    }
+  } catch {
+    console.log(chalk.gray('  No event data available. Start monitoring to collect events.'));
+  }
+
+  console.log();
+}
+
+function checkDaemon(): boolean {
+  try {
+    const { execSync } = await_import_child_process();
+    execSync('pgrep -f threatcrushd', { stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Avoid top-level await for dynamic import
+function await_import_child_process() {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  return require('node:child_process');
+}

package/src/core/config.ts

@@ -0,0 +1,96 @@
+import { readFileSync, existsSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import TOML from '@iarna/toml';
+import type { ThreatCrushConfig, ModuleConfig } from '../types/config.js';
+
+const DEFAULT_CONFIG_PATH = '/etc/threatcrush/threatcrushd.conf';
+const DEFAULT_CONFDIR = '/etc/threatcrush/threatcrushd.conf.d';
+
+const DEFAULT_CONFIG: ThreatCrushConfig = {
+  daemon: {
+    pid_file: '/var/run/threatcrush/threatcrushd.pid',
+    log_level: 'info',
+    log_file: '/var/log/threatcrush/threatcrushd.log',
+    state_db: '/var/lib/threatcrush/state.db',
+  },
+  api: {
+    enabled: true,
+    bind: '127.0.0.1:9393',
+    tls: false,
+  },
+  alerts: {},
+  modules: {
+    auto_update: true,
+    update_interval: '24h',
+    module_dir: '/etc/threatcrush/modules',
+    config_dir: DEFAULT_CONFDIR,
+  },
+};
+
+export function loadConfig(configPath?: string): ThreatCrushConfig {
+  const path = configPath || DEFAULT_CONFIG_PATH;
+  if (!existsSync(path)) {
+    return { ...DEFAULT_CONFIG };
+  }
+
+  try {
+    const raw = readFileSync(path, 'utf-8');
+    const parsed = TOML.parse(raw) as unknown as Partial<ThreatCrushConfig>;
+    return {
+      daemon: { ...DEFAULT_CONFIG.daemon, ...parsed.daemon },
+      api: { ...DEFAULT_CONFIG.api, ...parsed.api },
+      alerts: parsed.alerts || {},
+      modules: { ...DEFAULT_CONFIG.modules, ...parsed.modules },
+      license: parsed.license,
+    };
+  } catch {
+    return { ...DEFAULT_CONFIG };
+  }
+}
+
+export function loadModuleConfigs(confDir?: string): Map<string, ModuleConfig> {
+  const dir = confDir || DEFAULT_CONFDIR;
+  const configs = new Map<string, ModuleConfig>();
+
+  if (!existsSync(dir)) {
+    return configs;
+  }
+
+  const files = readdirSync(dir).filter((f) => f.endsWith('.conf'));
+  for (const file of files) {
+    try {
+      const raw = readFileSync(join(dir, file), 'utf-8');
+      const parsed = TOML.parse(raw) as Record<string, unknown>;
+      for (const [name, config] of Object.entries(parsed)) {
+        configs.set(name, config as ModuleConfig);
+      }
+    } catch {
+      // skip bad configs
+    }
+  }
+
+  return configs;
+}
+
+export function generateDefaultConfig(detectedServices: string[]): string {
+  const config: Record<string, unknown> = {
+    daemon: DEFAULT_CONFIG.daemon,
+    api: DEFAULT_CONFIG.api,
+    modules: DEFAULT_CONFIG.modules,
+  };
+
+  return TOML.stringify(config as any);
+}
+
+export function generateModuleConfig(
+  moduleName: string,
+  defaults: Record<string, unknown> = {},
+): string {
+  const config: Record<string, unknown> = {
+    [moduleName]: {
+      enabled: true,
+      ...defaults,
+    },
+  };
+  return TOML.stringify(config as any);
+}

package/src/core/log-parser.ts

@@ -0,0 +1,149 @@
+import type { ParsedLogLine, NginxLogEntry, AuthLogEntry, SyslogEntry } from '../types/events.js';
+
+// Nginx combined log format:
+// 127.0.0.1 - - [04/Apr/2026:12:00:00 +0000] "GET /path HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
+const NGINX_REGEX = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+) "[^"]*" "([^"]*)"/;
+
+// Auth.log format:
+// Apr  4 12:00:00 hostname sshd[1234]: Failed password for user from 1.2.3.4 port 22 ssh2
+const AUTH_REGEX = /^(\w+\s+\d+\s+[\d:]+)\s+\S+\s+(\S+?)(?:\[\d+\])?:\s+(.*)/;
+
+// Syslog format:
+// Apr  4 12:00:00 hostname process[pid]: message
+const SYSLOG_REGEX = /^(\w+\s+\d+\s+[\d:]+)\s+\S+\s+(\S+?)(?:\[\d+\])?:\s+(.*)/;
+
+// Extract IP from auth messages
+const IP_REGEX = /(?:from|FROM)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
+const USER_REGEX = /(?:for|user)\s+(\S+?)(?:\s+from|\s*$)/;
+
+// Attack pattern signatures
+export const ATTACK_PATTERNS = {
+  sqli: [
+    /(?:union\s+(?:all\s+)?select)/i,
+    /(?:select\s+.*\s+from\s+)/i,
+    /(?:insert\s+into\s+)/i,
+    /(?:drop\s+(?:table|database))/i,
+    /(?:or\s+1\s*=\s*1)/i,
+    /(?:'\s*(?:or|and)\s+')/i,
+    /(?:--\s*$|;\s*--)/,
+    /(?:\/\*.*\*\/)/,
+  ],
+  xss: [
+    /<script[^>]*>/i,
+    /javascript\s*:/i,
+    /on(?:load|error|click|mouseover)\s*=/i,
+    /eval\s*\(/i,
+    /document\.(?:cookie|write|location)/i,
+  ],
+  path_traversal: [
+    /\.\.\//,
+    /\.\.\\/, 
+    /etc\/(?:passwd|shadow|hosts)/,
+    /proc\/self/,
+    /windows\/system32/i,
+  ],
+  rfi: [
+    /(?:https?|ftp):\/\/.*\?/i,
+    /php:\/\/(?:input|filter)/i,
+    /data:\/\//i,
+  ],
+};
+
+export function parseNginxLog(line: string): NginxLogEntry | null {
+  const match = line.match(NGINX_REGEX);
+  if (!match) return null;
+
+  return {
+    timestamp: parseNginxTimestamp(match[2]),
+    raw: line,
+    source: 'nginx',
+    fields: {
+      ip: match[1],
+      method: match[3],
+      path: match[4],
+      status: match[5],
+      size: match[6],
+      user_agent: match[7],
+    },
+  };
+}
+
+export function parseAuthLog(line: string): AuthLogEntry | null {
+  const match = line.match(AUTH_REGEX);
+  if (!match) return null;
+
+  const ipMatch = match[3].match(IP_REGEX);
+  const userMatch = match[3].match(USER_REGEX);
+
+  return {
+    timestamp: parseSyslogTimestamp(match[1]),
+    raw: line,
+    source: 'auth',
+    fields: {
+      process: match[2],
+      message: match[3],
+      ip: ipMatch?.[1],
+      user: userMatch?.[1],
+    },
+  };
+}
+
+export function parseSyslog(line: string): SyslogEntry | null {
+  const match = line.match(SYSLOG_REGEX);
+  if (!match) return null;
+
+  return {
+    timestamp: parseSyslogTimestamp(match[1]),
+    raw: line,
+    source: 'syslog',
+    fields: {
+      facility: 'syslog',
+      process: match[2],
+      message: match[3],
+    },
+  };
+}
+
+export function detectAttackPattern(path: string): string | null {
+  for (const [type, patterns] of Object.entries(ATTACK_PATTERNS)) {
+    for (const pattern of patterns) {
+      if (pattern.test(path)) {
+        return type;
+      }
+    }
+  }
+  return null;
+}
+
+export function autoDetectParser(line: string): ParsedLogLine | null {
+  // Try nginx first (most specific format)
+  const nginx = parseNginxLog(line);
+  if (nginx) return nginx;
+
+  // Try auth log
+  const auth = parseAuthLog(line);
+  if (auth) return auth;
+
+  // Fall back to generic syslog
+  return parseSyslog(line);
+}
+
+function parseNginxTimestamp(s: string): Date {
+  // "04/Apr/2026:12:00:00 +0000"
+  try {
+    const cleaned = s.replace(/(\d{2})\/(\w{3})\/(\d{4}):/, '$2 $1, $3 ');
+    return new Date(cleaned);
+  } catch {
+    return new Date();
+  }
+}
+
+function parseSyslogTimestamp(s: string): Date {
+  // "Apr  4 12:00:00" — no year, assume current
+  try {
+    const withYear = `${s} ${new Date().getFullYear()}`;
+    return new Date(withYear);
+  } catch {
+    return new Date();
+  }
+}

package/src/core/logger.ts

@@ -0,0 +1,62 @@
+import chalk from 'chalk';
+import type { EventSeverity } from '../types/events.js';
+
+const SEVERITY_COLORS: Record<EventSeverity, (s: string) => string> = {
+  info: chalk.green,
+  low: chalk.cyan,
+  medium: chalk.yellow,
+  high: chalk.red,
+  critical: chalk.bgRed.white.bold,
+};
+
+const LEVEL_COLORS: Record<string, (s: string) => string> = {
+  debug: chalk.gray,
+  info: chalk.green,
+  warn: chalk.yellow,
+  error: chalk.red,
+};
+
+export function severityColor(severity: EventSeverity, text: string): string {
+  return (SEVERITY_COLORS[severity] || chalk.white)(text);
+}
+
+export function formatTimestamp(date: Date = new Date()): string {
+  return chalk.gray(date.toISOString().replace('T', ' ').slice(0, 19));
+}
+
+export function formatEvent(
+  module: string,
+  severity: EventSeverity,
+  message: string,
+  ip?: string,
+): string {
+  const ts = formatTimestamp();
+  const sev = severityColor(severity, `[${severity.toUpperCase()}]`.padEnd(10));
+  const mod = chalk.cyan(`[${module}]`.padEnd(14));
+  const src = ip ? chalk.magenta(` (${ip})`) : '';
+  return `${ts} ${sev} ${mod} ${message}${src}`;
+}
+
+export const logger = {
+  debug: (msg: string) => console.log(`${formatTimestamp()} ${LEVEL_COLORS.debug('[DEBUG]')}   ${msg}`),
+  info: (msg: string) => console.log(`${formatTimestamp()} ${LEVEL_COLORS.info('[INFO]')}    ${msg}`),
+  warn: (msg: string) => console.log(`${formatTimestamp()} ${LEVEL_COLORS.warn('[WARN]')}    ${msg}`),
+  error: (msg: string) => console.error(`${formatTimestamp()} ${LEVEL_COLORS.error('[ERROR]')}   ${msg}`),
+  success: (msg: string) => console.log(`${formatTimestamp()} ${chalk.green('[OK]')}      ${msg}`),
+  threat: (msg: string, ip?: string) => {
+    const src = ip ? chalk.magenta(` from ${ip}`) : '';
+    console.log(`${formatTimestamp()} ${chalk.red.bold('[THREAT]')}  ${chalk.red(msg)}${src}`);
+  },
+};
+
+export function banner(): void {
+  console.log(chalk.green.bold(`
+  ████████╗██╗  ██╗██████╗ ███████╗ █████╗ ████████╗ ██████╗██████╗ ██╗   ██╗███████╗██╗  ██╗
+  ╚══██╔══╝██║  ██║██╔══██╗██╔════╝██╔══██╗╚══██╔══╝██╔════╝██╔══██╗██║   ██║██╔════╝██║  ██║
+     ██║   ███████║██████╔╝█████╗  ███████║   ██║   ██║     ██████╔╝██║   ██║███████╗███████║
+     ██║   ██╔══██║██╔══██╗██╔══╝  ██╔══██║   ██║   ██║     ██╔══██╗██║   ██║╚════██║██╔══██║
+     ██║   ██║  ██║██║  ██║███████╗██║  ██║   ██║   ╚██████╗██║  ██║╚██████╔╝███████║██║  ██║
+     ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝   ╚═╝    ╚═════╝╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝
+  `));
+  console.log(chalk.gray('  All-in-one security agent daemon — v0.1.0\n'));
+}

package/src/core/module-loader.ts

@@ -0,0 +1,73 @@
+import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import TOML from '@iarna/toml';
+import type { LoadedModule } from '../types/module.js';
+import type { ModuleConfig, ModuleManifest } from '../types/config.js';
+import { loadModuleConfigs } from './config.js';
+
+const SYSTEM_MODULE_DIR = '/etc/threatcrush/modules';
+const SYSTEM_CONFDIR = '/etc/threatcrush/threatcrushd.conf.d';
+
+export function discoverModules(
+  moduleDir?: string,
+  confDir?: string,
+): LoadedModule[] {
+  const modules: LoadedModule[] = [];
+  const configs = loadModuleConfigs(confDir || SYSTEM_CONFDIR);
+
+  // Search paths: system dir + local ./modules/
+  const searchPaths = [
+    moduleDir || SYSTEM_MODULE_DIR,
+    resolve(process.cwd(), 'modules'),
+  ];
+
+  // Also check for built-in modules relative to this package
+  const builtinDir = resolve(import.meta.dirname || '.', '..', 'modules');
+  if (existsSync(builtinDir)) {
+    searchPaths.push(builtinDir);
+  }
+
+  for (const basePath of searchPaths) {
+    if (!existsSync(basePath)) continue;
+
+    const entries = readdirSync(basePath, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+
+      const modPath = join(basePath, entry.name);
+      const manifestPath = join(modPath, 'mod.toml');
+
+      if (!existsSync(manifestPath)) continue;
+
+      try {
+        const raw = readFileSync(manifestPath, 'utf-8');
+        const manifest = TOML.parse(raw) as unknown as ModuleManifest;
+        const config = configs.get(manifest.module.name) || { enabled: true };
+
+        modules.push({
+          manifest: {
+            name: manifest.module.name,
+            version: manifest.module.version,
+            description: manifest.module.description,
+            author: manifest.module.author,
+          },
+          config,
+          status: 'loaded',
+          eventCount: 0,
+          path: modPath,
+        });
+      } catch {
+        // skip bad modules
+      }
+    }
+  }
+
+  return modules;
+}
+
+export function getBuiltinModulePaths(): string[] {
+  return [
+    resolve(import.meta.dirname || '.', '..', 'modules', 'log-watcher'),
+    resolve(import.meta.dirname || '.', '..', 'modules', 'ssh-guard'),
+  ];
+}