From 9f0570350a5bd1574e6c7b92044dc7428d437cbd Mon Sep 17 00:00:00 2001 
From: Anthony Ettinger Date: Mon, 15 Jun 2026 14:17:36 +0000 Subject: [PATCH] docs: add ugig.net gig postings for each launch PRD One ready-to-post gig per PRD under docs/prds/gigs/ (title, skills, budget, repo/branch, spec link, scope, acceptance). Index in gigs/README.md. Co-Authored-By: Claude Opus 4.8 --- .../prds/gigs/00-detection-data-model-ugig.md | 40 +++++++++++++++++++ .../gigs/01-detection-rule-engine-ugig.md | 39 ++++++++++++++++++ .../gigs/02-firewall-auto-remediation-ugig.md | 38 ++++++++++++++++++ docs/prds/gigs/03-hardening-scanner-ugig.md | 34 ++++++++++++++++ .../gigs/04-network-monitor-module-ugig.md | 35 ++++++++++++++++ docs/prds/gigs/05-dns-monitor-module-ugig.md | 31 ++++++++++++++ docs/prds/gigs/06-code-scanner-engine-ugig.md | 36 +++++++++++++++++ docs/prds/gigs/07-pentest-engine-ugig.md | 35 ++++++++++++++++ .../gigs/08-alerting-and-alert-rules-ugig.md | 35 ++++++++++++++++ .../gigs/09-module-sdk-and-publish-ugig.md | 35 ++++++++++++++++ .../gigs/10-dashboard-detections-feed-ugig.md | 33 +++++++++++++++ .../11-dashboard-hardening-findings-ugig.md | 33 +++++++++++++++ .../12-remediation-and-blocklist-ui-ugig.md | 34 ++++++++++++++++ docs/prds/gigs/13-alert-settings-ui-ugig.md | 34 ++++++++++++++++ .../prds/gigs/14-pwa-offline-and-push-ugig.md | 34 ++++++++++++++++ .../prds/gigs/15-self-hosting-package-ugig.md | 35 ++++++++++++++++ docs/prds/gigs/16-module-marketplace-ugig.md | 35 ++++++++++++++++ docs/prds/gigs/README.md | 30 ++++++++++++++ 18 files changed, 626 insertions(+) create mode 100644 docs/prds/gigs/00-detection-data-model-ugig.md create mode 100644 docs/prds/gigs/01-detection-rule-engine-ugig.md create mode 100644 docs/prds/gigs/02-firewall-auto-remediation-ugig.md create mode 100644 docs/prds/gigs/03-hardening-scanner-ugig.md create mode 100644 docs/prds/gigs/04-network-monitor-module-ugig.md create mode 100644 docs/prds/gigs/05-dns-monitor-module-ugig.md create mode 100644 docs/prds/gigs/06-code-scanner-engine-ugig.md create 
mode 100644 docs/prds/gigs/07-pentest-engine-ugig.md create mode 100644 docs/prds/gigs/08-alerting-and-alert-rules-ugig.md create mode 100644 docs/prds/gigs/09-module-sdk-and-publish-ugig.md create mode 100644 docs/prds/gigs/10-dashboard-detections-feed-ugig.md create mode 100644 docs/prds/gigs/11-dashboard-hardening-findings-ugig.md create mode 100644 docs/prds/gigs/12-remediation-and-blocklist-ui-ugig.md create mode 100644 docs/prds/gigs/13-alert-settings-ui-ugig.md create mode 100644 docs/prds/gigs/14-pwa-offline-and-push-ugig.md create mode 100644 docs/prds/gigs/15-self-hosting-package-ugig.md create mode 100644 docs/prds/gigs/16-module-marketplace-ugig.md create mode 100644 docs/prds/gigs/README.md diff --git a/docs/prds/gigs/00-detection-data-model-ugig.md b/docs/prds/gigs/00-detection-data-model-ugig.md new file mode 100644 index 0000000..af555e0 --- /dev/null +++ b/docs/prds/gigs/00-detection-data-model-ugig.md 
@@ -0,0 +1,40 @@ +# Build the ThreatCrush detection data model & event ingest + +> ugig.net gig posting — implements [PRD-00](../00-detection-data-model.md) + +- **Title:** Build the ThreatCrush detection data model & event ingest +- **Skills required:** `postgres`, `supabase`, `sql`, `rls`, `typescript`, `nextjs`, `zod`, `api-design` +- **Budget type:** fixed +- **Budget (USD):** 1,200 – 2,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/detection-data-model` +- **Spec:** `docs/prds/00-detection-data-model.md` + +## What we need + +The backbone every other detection feature depends on. ThreatCrush's shipped +schema has servers/properties but **none** of the detection tables the product +is built around. We need the data model plus one authenticated, normalized +ingest path the daemon writes to — privacy-first (normalized detections only, no +raw logs by default). + +## Scope + +1. One Supabase migration adding `detections`, `remediation_actions`, + `hardening_findings`, `allowlists`, `alert_destinations`, `alert_rules`, + `rule_registry` (columns per the PRD), org-scoped with RLS that mirrors the + existing `organizations_and_servers` policies. +2. `POST /api/events` — validate a batch of normalized detection + heartbeat + payloads against a shared zod schema (exported from `apps/sdk`), upsert into + `detections`, update `servers.last_seen_at`. Agent auth via the existing + server enrollment token / API key. +3. Read endpoints: `GET /api/servers/[id]/detections|findings|remediations`. +4. The shared payload schema lives in `apps/sdk` and is imported by both the web + API and the CLI (no duplicate definitions). + +## Acceptance criteria + +- Migration applies cleanly; RLS verified with a cross-org test (no leakage). +- Daemon can POST a normalized detection and it appears in `detections`. +- No raw log lines are stored unless explicitly opted in. +- PR with green CI and the shared schema wired into both web + CLI. + 
diff --git a/docs/prds/gigs/01-detection-rule-engine-ugig.md b/docs/prds/gigs/01-detection-rule-engine-ugig.md new file mode 100644 index 0000000..6d05171 --- /dev/null +++ b/docs/prds/gigs/01-detection-rule-engine-ugig.md 
@@ -0,0 +1,39 @@ +# Build the ThreatCrush detection rule engine & rule packs + +> ugig.net gig posting — implements [PRD-01](../01-detection-rule-engine.md) + +- **Title:** Build the ThreatCrush detection rule engine & rule packs +- **Skills required:** `typescript`, `nodejs`, `linux`, `security`, `log-parsing`, `json-schema`, `vitest`, `ci` +- **Budget type:** fixed +- **Budget (USD):** 2,000 – 3,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/detection-rule-engine` +- **Spec:** `docs/prds/01-detection-rule-engine.md` + +## What we need + +Detections today are hardcoded inside the `ssh-guard` module. We need a typed, +declarative rule format and an engine that evaluates rules over event windows +from the daemon's watchers — so detections are versioned, auditable, and +community-editable instead of buried in code. + +## Scope + +1. A typed rule schema (defined in `apps/sdk`): id, title, description, + source_types, match conditions, threshold, window, severity, remediation + suggestions, tags, distro/service compatibility. +2. An engine that consumes normalized events from `apps/cli/src/daemon/watchers`, + maintains sliding windows, and emits detections conforming to PRD-00. +3. A curated default rule pack (auth/ssh/recon) loaded at daemon start; operator + overrides from `/etc/threatcrush/rules.d/`. +4. Per-rule + per-source suppression/cooldown to cut noise; register loaded rules + into `rule_registry`. +5. `threatcrush rules list|show |test `; CI that validates every + shipped rule and runs log-fixture tests. + +## Acceptance criteria + +- `ssh-guard`'s current detections reproduced from rules with no regression. +- Suppression demonstrably collapses repeat events. +- CI validates all rules + fixtures; rule schema published from `apps/sdk`. +- PR with green CI and docs for authoring a rule. + 
diff --git a/docs/prds/gigs/02-firewall-auto-remediation-ugig.md b/docs/prds/gigs/02-firewall-auto-remediation-ugig.md new file mode 100644 index 0000000..884237e --- /dev/null +++ b/docs/prds/gigs/02-firewall-auto-remediation-ugig.md 
@@ -0,0 +1,38 @@ +# Build ThreatCrush firewall auto-remediation (nftables/iptables) + +> ugig.net gig posting — implements [PRD-02](../02-firewall-auto-remediation.md) + +- **Title:** Build ThreatCrush firewall auto-remediation (nftables/iptables) +- **Skills required:** `typescript`, `nodejs`, `linux`, `nftables`, `iptables`, `networking`, `security`, `systemd` +- **Budget type:** fixed +- **Budget (USD):** 1,800 – 3,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/firewall-remediation` +- **Spec:** `docs/prds/02-firewall-auto-remediation.md` + +## What we need + +The product's central promise — "what the tool already blocked" — is currently +vapor: there is zero firewall code. Build the `firewall-rules` module that blocks +offending IPs in response to detections, safe-by-default, with a clean audit +trail synced to `remediation_actions`. + +## Scope + +1. Firewall adapters: nftables first, iptables fallback, auto-detected behind a + generic interface. +2. Actions: temporary ban (with expiry), permanent blocklist, unblock; a daemon + worker that unblocks expired bans (mirror the existing `runs-worker`). +3. Dry-run mode (default until opted in), allowlist enforcement (reads + `allowlists`), full local + server-synced audit trail. +4. Graceful `EACCES` handling when the daemon lacks `CAP_NET_ADMIN` — surface a + hardening recommendation instead of crashing. +5. CLI: `threatcrush block [--ttl] | unblock | blocklist | + allowlist add|remove`; `[remediation]` config block in `threatcrushd.conf`. + +## Acceptance criteria + +- nftables + iptables adapters pass integration tests in a container. +- Dry-run writes an audit entry but makes no firewall change. +- Allowlisted IP is never blocked; expired bans auto-clear; manual unblock works. +- Actions surface in the dashboard via `remediation_actions`. PR with green CI. + 
diff --git a/docs/prds/gigs/03-hardening-scanner-ugig.md b/docs/prds/gigs/03-hardening-scanner-ugig.md new file mode 100644 index 0000000..ff87126 --- /dev/null +++ b/docs/prds/gigs/03-hardening-scanner-ugig.md @@ -0,0 +1,34 @@ +# Build the ThreatCrush hardening scanner + +> ugig.net gig posting — implements [PRD-03](../03-hardening-scanner.md) + +- **Title:** Build the ThreatCrush hardening scanner +- **Skills required:** `typescript`, `nodejs`, `linux`, `ssh-hardening`, `security`, `sysadmin`, `vitest` +- **Budget type:** fixed +- **Budget (USD):** 1,500 – 2,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/hardening-scanner` +- **Spec:** `docs/prds/03-hardening-scanner.md` + +## What we need + +A key differentiator and an MVP feature that doesn't exist yet: a local hardening +scanner that runs on enrollment and on demand, producing plain-English findings +with recommended fixes and a per-server hardening score. + +## Scope + +1. The nine initial checks from the PRD: SSH password auth, root SSH login, weak + SSH config, missing auto security updates, firewall inactive, exposed ports, + fail2ban present, world-writable sensitive dirs, risky service exposure. +2. Each check returns key, severity, status (pass/warn/fail), explanation, fix. +3. `threatcrush harden` (color report) + `threatcrush harden --json`; auto-run + after `init`/enrollment; results synced to `hardening_findings` (PRD-00). +4. A hardening score surfaced in `threatcrush status` and the dashboard. + +## Acceptance criteria + +- All nine checks implemented with fix guidance; runs without root where possible + and degrades gracefully on `EACCES`. +- Findings persist to `hardening_findings`; score computed and shown in `status`. +- PR with green CI and unit tests covering each check's pass/fail logic. + diff --git a/docs/prds/gigs/04-network-monitor-module-ugig.md b/docs/prds/gigs/04-network-monitor-module-ugig.md new file mode 100644 index 0000000..820427c --- /dev/null 
+++ b/docs/prds/gigs/04-network-monitor-module-ugig.md @@ -0,0 +1,35 @@ +# Build the ThreatCrush network monitor module + +> ugig.net gig posting — implements [PRD-04](../04-network-monitor-module.md) + +- **Title:** Build the ThreatCrush network monitor module +- **Skills required:** `typescript`, `nodejs`, `linux`, `networking`, `conntrack`, `security`, `performance` +- **Budget type:** fixed +- **Budget (USD):** 2,000 – 3,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/network-monitor` +- **Spec:** `docs/prds/04-network-monitor-module.md` + +## What we need + +The README's hero output shows port scans and SYN floods detected across "every +port" and lists `network-monitor` as a bundled module — but it doesn't exist. +Build a lightweight connection-level monitor (no heavy DPI) that powers the +headline detections. + +## Scope + +1. A connection source adapter (prefer conntrack / `ss` / `/proc/net/*`; + document privilege needs) — low idle CPU/memory. +2. Port-scan heuristic (many ports / short window / single source) and SYN-flood + heuristic (half-open ratio). +3. Thresholds driven by the rule engine (PRD-01), not hardcoded; detections flow + to `detections` (PRD-00) and can trigger firewall bans (PRD-02). +4. Graceful `EACCES` degradation. + +## Acceptance criteria + +- A simulated `nmap` scan against the host is detected within the configured + window and (if enabled) triggers a ban. +- Idle overhead stays within the PRD perf budget. +- PR with green CI and a fixture-based test for the scan/flood heuristics. + diff --git a/docs/prds/gigs/05-dns-monitor-module-ugig.md b/docs/prds/gigs/05-dns-monitor-module-ugig.md new file mode 100644 index 0000000..9bd4256 --- /dev/null +++ b/docs/prds/gigs/05-dns-monitor-module-ugig.md 
@@ -0,0 +1,31 @@ +# Build the ThreatCrush DNS monitor module + +> ugig.net gig posting — implements [PRD-05](../05-dns-monitor-module.md) + +- **Title:** Build the ThreatCrush DNS monitor module +- **Skills required:** `typescript`, `nodejs`, `linux`, `dns`, `security`, `entropy-analysis` +- **Budget type:** fixed +- **Budget (USD):** 1,500 – 2,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/dns-monitor` +- **Spec:** `docs/prds/05-dns-monitor-module.md` + +## What we need + +The README claims DNS-tunneling/DGA detection and lists `dns-monitor` as a +bundled module — it doesn't exist. Build the module that catches DNS-based +exfiltration and DGA beaconing. + +## Scope + +1. A DNS event source (resolver/query logs or passive `:53` observation); + document what each environment realistically provides. +2. Tunneling heuristics: TXT query rate, label length, entropy thresholds. +3. DGA heuristics: domain entropy / n-gram / dictionary checks. +4. Thresholds via the rule engine (PRD-01); detections to `detections` (PRD-00). + +## Acceptance criteria + +- A scripted DNS-tunneling pattern and a high-entropy DGA burst are both flagged. +- Low false positives against a normal-traffic fixture corpus. +- PR with green CI and the fixture corpus committed. + diff --git a/docs/prds/gigs/06-code-scanner-engine-ugig.md b/docs/prds/gigs/06-code-scanner-engine-ugig.md new file mode 100644 index 0000000..83b92de --- /dev/null +++ b/docs/prds/gigs/06-code-scanner-engine-ugig.md 
@@ -0,0 +1,36 @@ +# Mature the ThreatCrush code scanner engine + +> ugig.net gig posting — implements [PRD-06](../06-code-scanner-engine.md) + +- **Title:** Mature the ThreatCrush code scanner engine +- **Skills required:** `typescript`, `nodejs`, `static-analysis`, `security`, `secrets-detection`, `cve`, `llm-integration` +- **Budget type:** fixed +- **Budget (USD):** 2,000 – 3,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/code-scanner` +- **Spec:** `docs/prds/06-code-scanner-engine.md` + +## What we need + +`threatcrush scan ./src` exists but its coverage needs to reach launch quality +and match the README's claims (vulnerabilities, secrets, misconfig, dependency +CVEs) plus the usage-billed `scan.deep` AI tier. + +## Scope + +1. Secrets (entropy + known-token regexes, with allowlist), language-aware static + risky-call detection (JS/TS, Python first), common misconfig checks. +2. Dependency CVEs: parse lockfiles, check against an advisory source (OSV / + GitHub Advisory DB). +3. `scan.deep`: AI-assisted triage, metered via CoinPayPortal, explicit opt-in; + default model = latest Claude (Opus 4.8) per repo guidance; degrade to the free + scan when no keys/credits. +4. Output: `--json`, severity per finding, CI-friendly exit codes; optional + persistence of findings for the dashboard. + +## Acceptance criteria + +- Documented coverage matrix; README claims match implemented checks. +- Secrets + dependency-CVE detection verified against a seeded fixture repo. +- `scan.deep` gated behind opt-in + billing; gracefully degrades without keys. +- PR with green CI. + diff --git a/docs/prds/gigs/07-pentest-engine-ugig.md b/docs/prds/gigs/07-pentest-engine-ugig.md new file mode 100644 index 0000000..5b3e4d6 --- /dev/null +++ b/docs/prds/gigs/07-pentest-engine-ugig.md 
@@ -0,0 +1,35 @@ +# Mature the ThreatCrush pentest engine + +> ugig.net gig posting — implements [PRD-07](../07-pentest-engine.md) + +- **Title:** Mature the ThreatCrush pentest engine +- **Skills required:** `typescript`, `nodejs`, `web-security`, `owasp`, `pentesting`, `api-fuzzing`, `security` +- **Budget type:** fixed +- **Budget (USD):** 2,500 – 4,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/pentest-engine` +- **Spec:** `docs/prds/07-pentest-engine.md` + +## What we need + +`threatcrush pentest URL` is wired into the web `properties`/`property_runs` +model, but the engine's check coverage needs a documented, launch-quality suite +with strict "authorized targets only" guardrails (testing the user's own +properties). + +## Scope + +1. Authorization gate: only run against verified/owned properties; record consent + (tie to the existing property-ownership verification). +2. Check suite: SQLi, reflected/stored XSS, SSRF, open redirect, security + headers, basic API fuzzing — documented with severity mapping. +3. Safety: rate limits, non-destructive probes, scope/robots respect. +4. Parity: identical engine for CLI `pentest` and server-scheduled `property_runs`; + findings conform to the schema the property detail page + CSV export consume. + +## Acceptance criteria + +- CLI and scheduled runs produce identical findings for the same target. +- Authorization guardrail blocks scanning of unverified domains. +- Documented check coverage; README claims match. +- PR with green CI; findings render in property detail + CSV export. + diff --git a/docs/prds/gigs/08-alerting-and-alert-rules-ugig.md b/docs/prds/gigs/08-alerting-and-alert-rules-ugig.md new file mode 100644 index 0000000..007f769 --- /dev/null +++ b/docs/prds/gigs/08-alerting-and-alert-rules-ugig.md 
@@ -0,0 +1,35 @@ +# Build ThreatCrush alerting channels & alert rules + +> ugig.net gig posting — implements [PRD-08](../08-alerting-and-alert-rules.md) + +- **Title:** Build ThreatCrush alerting channels & alert rules +- **Skills required:** `typescript`, `nodejs`, `slack-api`, `discord-api`, `pagerduty`, `supabase`, `security` +- **Budget type:** fixed +- **Budget (USD):** 1,500 – 2,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/alerting-rules` +- **Spec:** `docs/prds/08-alerting-and-alert-rules.md` + +## What we need + +The README promises Slack, Discord, email, webhook, and PagerDuty alerts, but the +daemon ships only SMTP/webhook/Slack and has no alert-rules layer (no +thresholding, severity filtering, per-server subscriptions, or rate limiting). +Add the missing channels and the rules engine behind them. + +## Scope + +1. New channels: Discord webhook + PagerDuty Events API (keep Slack/webhook/SMTP) + in `apps/cli/src/daemon/alerts`. +2. `alert_destinations` + `alert_rules` (PRD-00) as the backing model; routing: a + detection matches 0..n rules → fan out to mapped destinations. +3. Rate limiting + thresholding per rule/destination; coalesce bursts. +4. Config sync: daemon reads org-scoped rules from the server, falls back to + `threatcrushd.conf` for local-only mode. + +## Acceptance criteria + +- Discord + PagerDuty deliver a test alert. +- A medium-severity detection does not page a high-only rule; per-server + subscription routes only that server's alerts; a flood is capped to the limit. +- PR with green CI. + diff --git a/docs/prds/gigs/09-module-sdk-and-publish-ugig.md b/docs/prds/gigs/09-module-sdk-and-publish-ugig.md new file mode 100644 index 0000000..0730d05 --- /dev/null +++ b/docs/prds/gigs/09-module-sdk-and-publish-ugig.md 
@@ -0,0 +1,35 @@ +# Build & publish the ThreatCrush module SDK (`@threatcrush/sdk`) + +> ugig.net gig posting — implements [PRD-09](../09-module-sdk-and-publish.md) + +- **Title:** Build & publish the ThreatCrush module SDK (`@threatcrush/sdk`) +- **Skills required:** `typescript`, `nodejs`, `sdk-design`, `npm-publishing`, `json-schema`, `docs` +- **Budget type:** fixed +- **Budget (USD):** 1,500 – 2,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/module-sdk` +- **Spec:** `docs/prds/09-module-sdk-and-publish.md` + +## What we need + +`@threatcrush/sdk` is 146 lines of types, marked alpha, and unpublished — +blocking community module authoring. Define and freeze the public module +contract, publish it, and document authoring. + +## Scope + +1. Manifest spec (name, version, kind, entrypoint, config schema, compatibility, + declared capabilities) and typed lifecycle hooks (init/start/stop, event + subscription, detection emit, remediation request). +2. Re-export the shared detection/rule/alert/ingest schemas (PRD-00, PRD-01) so + authors and the platform share one source of truth — imported by web API + CLI. +3. Publish `@threatcrush/sdk` to npm (public) with semver + changelog, wired into + CI. +4. Authoring guide + an `examples/` starter module. + +## Acceptance criteria + +- `npm i @threatcrush/sdk` works; types resolve. +- A starter module built only against the published SDK loads in `module-host`. +- Web API and CLI both import the shared schemas from the SDK (no duplication). +- PR with green CI and published docs. + diff --git a/docs/prds/gigs/10-dashboard-detections-feed-ugig.md b/docs/prds/gigs/10-dashboard-detections-feed-ugig.md new file mode 100644 index 0000000..e0e17ac --- /dev/null +++ b/docs/prds/gigs/10-dashboard-detections-feed-ugig.md 
@@ -0,0 +1,33 @@ +# Build the ThreatCrush dashboard detections feed + +> ugig.net gig posting — implements [PRD-10](../10-dashboard-detections-feed.md) + +- **Title:** Build the ThreatCrush dashboard detections feed +- **Skills required:** `typescript`, `react`, `nextjs`, `tailwind`, `supabase`, `supabase-realtime`, `frontend` +- **Budget type:** fixed +- **Budget (USD):** 1,800 – 3,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/dashboard-detections` +- **Spec:** `docs/prds/10-dashboard-detections-feed.md` + +## What we need + +The primary value screen of a security dashboard — the real-time feed of what's +attacking the fleet — doesn't exist (the dashboard has only servers + properties). +Build the detections feed reading from `detections` (PRD-00). + +## Scope + +1. Fleet detections page at `org/[slug]/detections` with a filter bar (severity, + rule, hostname, timeframe) + pagination; a detections tab on `servers/[id]`. +2. Near-real-time updates via Supabase Realtime with a graceful polling fallback. +3. Detection detail: severity, rule_id (linked), source_ip, username, status, + linked remediation action. +4. Overview tie-in: "recent threats" + "servers needing attention" on the org + overview. `GET /api/orgs/[id]/detections` with filter params. + +## Acceptance criteria + +- List renders with working severity/rule/host/timeframe filters. +- A new detection appears without manual refresh (realtime or ≤ poll interval). +- Usable on mobile / installed-PWA layout. PR with green CI. + diff --git a/docs/prds/gigs/11-dashboard-hardening-findings-ugig.md b/docs/prds/gigs/11-dashboard-hardening-findings-ugig.md new file mode 100644 index 0000000..258cd9f --- /dev/null +++ b/docs/prds/gigs/11-dashboard-hardening-findings-ugig.md 
@@ -0,0 +1,33 @@ +# Build the ThreatCrush dashboard hardening findings view + +> ugig.net gig posting — implements [PRD-11](../11-dashboard-hardening-findings.md) + +- **Title:** Build the ThreatCrush dashboard hardening findings view +- **Skills required:** `typescript`, `react`, `nextjs`, `tailwind`, `supabase`, `frontend` +- **Budget type:** fixed +- **Budget (USD):** 1,200 – 2,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/dashboard-findings` +- **Spec:** `docs/prds/11-dashboard-hardening-findings.md` + +## What we need + +The first-run flow ends with "user sees findings and recommended actions," but +neither the data nor the UI exists. Build the findings view that surfaces the +hardening scanner's results (PRD-03) from `hardening_findings` (PRD-00). + +## Scope + +1. A server findings tab on `servers/[id]`: grouped by status/severity, each with + plain-English explanation + recommended fix. +2. Per-server hardening score badge on server detail + overview; a fleet view + ranking servers by posture. +3. Acknowledge / mark resolved actions (`PATCH …/findings/[id]`). +4. `GET /api/orgs/[id]/servers/[server_id]/findings`. Responsive / PWA-friendly. + +## Acceptance criteria + +- Findings render with severity, explanation, fix; score shown on server + + overview. +- Acknowledge/resolve persists and survives a re-scan correctly. +- PR with green CI. + diff --git a/docs/prds/gigs/12-remediation-and-blocklist-ui-ugig.md b/docs/prds/gigs/12-remediation-and-blocklist-ui-ugig.md new file mode 100644 index 0000000..b76290c --- /dev/null +++ b/docs/prds/gigs/12-remediation-and-blocklist-ui-ugig.md 
@@ -0,0 +1,34 @@ +# Build the ThreatCrush remediation & blocklist UI + +> ugig.net gig posting — implements [PRD-12](../12-remediation-and-blocklist-ui.md) + +- **Title:** Build the ThreatCrush remediation & blocklist UI +- **Skills required:** `typescript`, `react`, `nextjs`, `tailwind`, `supabase`, `frontend` +- **Budget type:** fixed +- **Budget (USD):** 1,500 – 2,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/remediation-ui` +- **Spec:** `docs/prds/12-remediation-and-blocklist-ui.md` + +## What we need + +Operators can't see or manage what the daemon blocked. Build the remediation +history + allowlist/blocklist management UI with control actions that propagate +back to the daemon (PRD-02). + +## Scope + +1. Remediation history (type, target, status, executed_at, expires_at) per server + + fleet, reading `remediation_actions`. +2. Blocklist view: active bans with TTL countdown + unblock; allowlist add/remove + (IP/CIDR/user) with note; a manual-block form with optional TTL. +3. Command propagation to the daemon (define the transport — likely a server + queue the daemon polls, like `runs-worker`) with status confirmation. +4. `GET/POST …/remediations`, `…/remediations/execute`, `…/allowlists`. + Role-gated. + +## Acceptance criteria + +- History renders with live status; unblock round-trips and removes the ban on + the host; allowlist add prevents future blocks; manual block reaches the daemon. +- PR with green CI. + diff --git a/docs/prds/gigs/13-alert-settings-ui-ugig.md b/docs/prds/gigs/13-alert-settings-ui-ugig.md new file mode 100644 index 0000000..fbf4cc4 --- /dev/null +++ b/docs/prds/gigs/13-alert-settings-ui-ugig.md 
@@ -0,0 +1,34 @@ +# Build the ThreatCrush alert settings UI + +> ugig.net gig posting — implements [PRD-13](../13-alert-settings-ui.md) + +- **Title:** Build the ThreatCrush alert settings UI +- **Skills required:** `typescript`, `react`, `nextjs`, `tailwind`, `supabase`, `frontend`, `security` +- **Budget type:** fixed +- **Budget (USD):** 1,200 – 2,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/alert-settings-ui` +- **Spec:** `docs/prds/13-alert-settings-ui.md` + +## What we need + +Alerting can only be configured by hand-editing `threatcrushd.conf` per host. +Build the dashboard UI to manage alert destinations and rules centrally. Pairs +with the alerting engine (PRD-08). + +## Scope + +1. Destinations CRUD (Slack, Discord, email, webhook, PagerDuty) with + type-specific config forms; secrets encrypted at rest, never returned in + plaintext (reuse the existing client-side secret-encryption pattern). +2. Rules CRUD: name, min severity, server scope (all / selected), destination + mapping. +3. "Send test alert" per destination; URL validation before save. +4. `GET/POST/PATCH/DELETE …/alert-destinations` + `…/alert-rules`, + `…/alert-destinations/[id]/test`. Role-gated. + +## Acceptance criteria + +- Operator adds a Slack/Discord/PagerDuty destination and sends a test. +- A rule routes only matching detections to the chosen destination. +- Secrets stored encrypted. PR with green CI. + diff --git a/docs/prds/gigs/14-pwa-offline-and-push-ugig.md b/docs/prds/gigs/14-pwa-offline-and-push-ugig.md new file mode 100644 index 0000000..4894172 --- /dev/null +++ b/docs/prds/gigs/14-pwa-offline-and-push-ugig.md 
@@ -0,0 +1,34 @@ +# Make the ThreatCrush dashboard a real PWA (offline + push) + +> ugig.net gig posting — implements [PRD-14](../14-pwa-offline-and-push.md) + +- **Title:** Make the ThreatCrush dashboard a real PWA (offline + push) +- **Skills required:** `typescript`, `nextjs`, `pwa`, `service-workers`, `workbox`, `web-push`, `frontend` +- **Budget type:** fixed +- **Budget (USD):** 1,500 – 2,500 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/pwa-offline-push` +- **Spec:** `docs/prds/14-pwa-offline-and-push.md` + +## What we need + +The app is marketed as an installable PWA and ships a `manifest.json`, but there +is no service worker — so no offline shell, no cached views, no push. Make it a +real PWA on Next.js 16 (App Router, `output: standalone`). + +## Scope + +1. Register a service worker: precache the app shell; runtime stale-while- + revalidate for overview/detections/findings reads. Validate `next-pwa`/Serwist + vs hand-rolled against Next 16. +2. Meet installability criteria (Lighthouse PWA) on supported browsers; optional + custom install prompt; audit/complete `manifest.json`. +3. Web Push (VAPID) opt-in subscription, delivered as a "critical alert" + destination type integrated with PRD-08. +4. Cache invalidation on logout / org switch (no cross-org/user leakage). + +## Acceptance criteria + +- Lighthouse "Installable" passes; app opens offline showing last-cached data. +- Opt-in web push delivers a critical alert to an installed PWA. +- No stale data leaks across orgs/users after switch/logout. PR with green CI. + diff --git a/docs/prds/gigs/15-self-hosting-package-ugig.md b/docs/prds/gigs/15-self-hosting-package-ugig.md new file mode 100644 index 0000000..fe62275 --- /dev/null +++ b/docs/prds/gigs/15-self-hosting-package-ugig.md 
@@ -0,0 +1,35 @@ +# Build the ThreatCrush self-hosting package + +> ugig.net gig posting — implements [PRD-15](../15-self-hosting-package.md) + +- **Title:** Build the ThreatCrush self-hosting package +- **Skills required:** `docker`, `docker-compose`, `devops`, `nextjs`, `supabase`, `postgres`, `docs` +- **Budget type:** fixed +- **Budget (USD):** 1,200 – 2,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/self-hosting` +- **Spec:** `docs/prds/15-self-hosting-package.md` + +## What we need + +"Self-hostable" is core to the open-source positioning, but there's no turnkey +self-host package — only a hosted `Dockerfile` + `railway.json`. Deliver a +docker-compose control plane plus the docs to run and enroll against it. + +## Scope + +1. `docker-compose.yml` bringing up the web/API control plane (BYO Postgres / + external Supabase recommended to keep the image lean) with healthchecks + + persistence volumes. +2. A consolidated self-host `.env.example`, clearly marking optional integrations + (Stripe/CoinPay/AI keys). +3. Documented migration path (`supabase db push` or SQL editor) and a documented + agent-enrollment flow against `https://my-instance`. +4. Document the local-first / normalized-only ingest privacy posture. + +## Acceptance criteria + +- `docker compose up` yields a working control plane reachable in a browser. +- A fresh agent enrolls against the self-hosted instance and appears in the + dashboard; migrations reproducible from a clean DB. +- Self-hosting guide published. PR with green CI. + diff --git a/docs/prds/gigs/16-module-marketplace-ugig.md b/docs/prds/gigs/16-module-marketplace-ugig.md new file mode 100644 index 0000000..04a7aa0 --- /dev/null +++ b/docs/prds/gigs/16-module-marketplace-ugig.md 
@@ -0,0 +1,35 @@ +# Build the ThreatCrush module marketplace (catalog + publish + payments) + +> ugig.net gig posting — implements [PRD-16](../16-module-marketplace.md) + +- **Title:** Build the ThreatCrush module marketplace (catalog + publish + payments) +- **Skills required:** `typescript`, `nextjs`, `react`, `supabase`, `payments`, `stripe`, `coinpay`, `fullstack` +- **Budget type:** fixed +- **Budget (USD):** 2,500 – 4,000 +- **Repo:** https://github.com/profullstack/threatcrush · branch `feat/module-marketplace` +- **Spec:** `docs/prds/16-module-marketplace.md` + +## What we need + +The README heavily features `threatcrush store`, and the web has store/publish +pages, but the catalog is read-only with no payments — so community module +monetization isn't real. (Scoped as v0.2 / post-launch.) Build the full +marketplace. + +## Scope + +1. Server-side catalog: search + list with filters; version resolution; install + tracking counters. +2. Publish flow: validated submission tied to the SDK manifest (PRD-09) with + ownership/auth. +3. Reviews/ratings surfaced in the store UI (tables already exist). +4. Paid modules via the existing CoinPay/Stripe integration; entitlement check on + install. CLI parity: `store search/publish/install` against the live catalog. + +## Acceptance criteria + +- Search returns ranked results from the server catalog; an author can publish a + validated module that then appears in search. +- A paid module requires purchase before install; entitlement enforced. +- Install counts + reviews render in the store UI. PR with green CI. + diff --git a/docs/prds/gigs/README.md b/docs/prds/gigs/README.md new file mode 100644 index 0000000..d75af0f --- /dev/null +++ b/docs/prds/gigs/README.md 
@@ -0,0 +1,30 @@ +# ThreatCrush gig postings (ugig.net) + +One ready-to-post [ugig.net](https://ugig.net) listing per launch PRD in +[`../`](../README.md). Each file has a title, required skills, budget range, +repo + suggested branch, a link to its spec, and What-we-need / Scope / +Acceptance-criteria sections you can paste straight into a posting. + +| Gig | Implements | Budget (USD) | +|---|---|---| +| [Detection data model & event ingest](./00-detection-data-model-ugig.md) | PRD-00 | 1,200–2,000 | +| [Detection rule engine & rule packs](./01-detection-rule-engine-ugig.md) | PRD-01 | 2,000–3,500 | +| [Firewall auto-remediation](./02-firewall-auto-remediation-ugig.md) | PRD-02 | 1,800–3,000 | +| [Hardening scanner](./03-hardening-scanner-ugig.md) | PRD-03 | 1,500–2,500 | +| [Network monitor module](./04-network-monitor-module-ugig.md) | PRD-04 | 2,000–3,500 | +| [DNS monitor module](./05-dns-monitor-module-ugig.md) | PRD-05 | 1,500–2,500 | +| [Code scanner engine](./06-code-scanner-engine-ugig.md) | PRD-06 | 2,000–3,500 | +| [Pentest engine](./07-pentest-engine-ugig.md) | PRD-07 | 2,500–4,000 | +| [Alerting channels & alert rules](./08-alerting-and-alert-rules-ugig.md) | PRD-08 | 1,500–2,500 | +| [Module SDK & npm publish](./09-module-sdk-and-publish-ugig.md) | PRD-09 | 1,500–2,500 | +| [Dashboard detections feed](./10-dashboard-detections-feed-ugig.md) | PRD-10 | 1,800–3,000 | +| [Dashboard hardening findings](./11-dashboard-hardening-findings-ugig.md) | PRD-11 | 1,200–2,000 | +| [Remediation & blocklist UI](./12-remediation-and-blocklist-ui-ugig.md) | PRD-12 | 1,500–2,500 | +| [Alert settings UI](./13-alert-settings-ui-ugig.md) | PRD-13 | 1,200–2,000 | +| [PWA offline & push](./14-pwa-offline-and-push-ugig.md) | PRD-14 | 1,500–2,500 | +| [Self-hosting package](./15-self-hosting-package-ugig.md) | PRD-15 | 1,200–2,000 | +| [Module marketplace](./16-module-marketplace-ugig.md) | PRD-16 | 2,500–4,000 | + +Budgets are rough starting ranges, not quotes. 
Suggested sequencing: PRD-00 first +(everything depends on it), then the P0 set (01, 02, 03, 08, 10, 11, 12). +
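Review bot: in `00-detection-data-model-ugig.md`, the acceptance criteria test RLS for dashboard users but not the ingest path: `POST /api/events` authenticates with a server enrollment token / API key, yet nothing requires that a token issued to one server can only upsert rows for that `server_id`. Add an acceptance criterion such as "an enrollment token for server A cannot create or update `detections` for server B", and state whether the batch upsert is idempotent (a stable detection id or dedup key) so a retried or replayed batch does not produce duplicate detections.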
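Review bot: in `01-detection-rule-engine-ugig.md`, operator overrides are loaded from `/etc/threatcrush/rules.d/` at daemon start with no stated ownership or permission check; a rule file writable by an unprivileged user would let that user suppress detections or change thresholds. Require the loader to reject rule files (and the directory) not owned by root or writable by group/other, and to record which rule files were loaded, with their hashes, in `rule_registry`. Also, the CLI line `threatcrush rules list|show |test ` is missing the argument placeholders after `show` and `test`.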
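Review bot: in `02-firewall-auto-remediation-ugig.md`, the scope has no lockout safeguard: an auto-ban fed by detections can block the control plane the daemon reports to, the operator's current SSH session, or the host's own addresses, and the allowlist is described only as rows read from `allowlists`. Add a built-in, non-removable allowlist (loopback, the configured server URL, the source address of the enrolling operator's session) and an acceptance criterion for it. Also specify that temporary bans persist their expiry across a daemon restart so a ban written before a crash still auto-clears (nftables sets support per-element timeouts, which makes the unblock worker a backstop rather than the only mechanism). The CLI line `threatcrush block [--ttl] | unblock | blocklist |` is missing the target placeholders after `block` and `unblock`.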
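Review bot: in `03-hardening-scanner-ugig.md`, each check returns a status of pass/warn/fail, but the acceptance criteria also require graceful degradation on `EACCES`; a check that could not read its input has no honest status to return and will either fail spuriously or, worse, pass and inflate the hardening score. Add an `unknown`/`skipped` status, exclude it from the score (or report it separately), and include a unit test that an unreadable `sshd_config` yields `unknown` rather than `pass`.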
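Review bot: in `04-network-monitor-module-ugig.md`, the SYN-flood heuristic (half-open ratio) is wired to trigger firewall bans via PRD-02, but SYN-flood source addresses are routinely spoofed, so auto-banning on that detection lets an attacker get arbitrary third-party addresses (or the operator's own) blocked. Recommend that the default rule pack marks SYN-flood detections as alert-only, with bans reserved for heuristics that require a completed handshake (the port-scan case can distinguish connect scans from half-open probes). The acceptance test with a simulated scan should also state that it runs in an isolated network so the triggered ban cannot affect the CI host.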
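Review bot: in `05-dns-monitor-module-ugig.md`, the DNS event source (resolver/query logs or passive `:53` observation) captures every hostname the server resolves, which is exactly the raw-log material PRD-00 says is not stored by default. State what a DNS detection carries (the flagged domain, aggregate counts, entropy score) and that full query logs stay on the host. For the false-positive fixture, include known high-entropy legitimate traffic (CDN hostnames, antivirus hash lookups, DNSBL queries), since those are what entropy and TXT-rate thresholds most often misfire on.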
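Review bot: in `06-code-scanner-engine-ugig.md`, `scan.deep` sends code to an external model but the scope does not say what leaves the host. Document exactly what is transmitted (findings, snippets, whole files), run the secrets check first and redact matched tokens before anything is sent, and make the opt-in prompt state that source leaves the machine. For the dependency-CVE check, pin how the advisory source is queried (OSV batch API vs. a cached local mirror) and what the scanner reports when the source is unreachable, so a network failure does not read as "no CVEs".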
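Review bot: in `07-pentest-engine-ugig.md`, scope item 2 lists stored XSS while item 3 promises non-destructive probes; a stored-XSS check writes payloads into the target's persistent data, so either drop it from the default suite or document it as an opt-in destructive check. The authorization gate also needs to hold per request, not only for the initial URL: redirects and SSRF/open-redirect probes can lead the engine onto hosts outside the verified property, so refuse to follow cross-origin redirects and point SSRF callbacks only at an owned callback host. Add an acceptance criterion that a redirect from a verified property to an unverified domain is not followed.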
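Review bot: in `08-alerting-and-alert-rules-ugig.md`, the routing model (a detection matches 0..n rules, fan out to mapped destinations) will deliver the same detection twice to a destination mapped from two matching rules; specify dedup per (detection, destination). The config sync in item 4 has the daemon apply org-scoped rules fetched from the server, so require it to validate the fetched rules against the shared schema and reject the whole set on validation failure rather than silently alerting nobody. Delivery failures (PagerDuty 4xx/5xx, Slack rate limits) need a stated retry/backoff policy and a local record of undelivered alerts.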
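Review bot: in `09-module-sdk-and-publish-ugig.md`, item 3 publishes `@threatcrush/sdk` to npm from CI but says nothing about how the package is protected: require publishing from CI with `npm publish --provenance` (OIDC-backed provenance attestations) and 2FA on the npm account, since every community module and the daemon itself will depend on it. The manifest's "declared capabilities" also need a consumer: state that `module-host` enforces them, so a module that did not declare a remediation capability cannot call the remediation-request hook, and add that to the acceptance criteria.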
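Review bot: in `10-dashboard-detections-feed-ugig.md`, `GET /api/orgs/[id]/detections` and the Supabase Realtime subscription are both keyed by an org id supplied by the client, and the acceptance criteria check filters and freshness but not isolation. Add a cross-org test: a member of org A requesting org B's detections endpoint or subscribing to org B's channel receives nothing. Supabase Realtime Postgres Changes respects RLS only for subscriptions made with the user's JWT against a table with RLS enabled, so note that the Realtime client must never be created with the service role key.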
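Review bot: in `11-dashboard-hardening-findings-ugig.md`, the acknowledge/resolve action (`PATCH …/findings/[id]`) is not marked role-gated, unlike the equivalent write endpoints in the remediation and alert-settings gigs; state who may acknowledge a finding and record the actor and timestamp on the row. "Survives a re-scan correctly" also needs a definition: a resolved finding that the next scan still reports should reopen, while an acknowledged one stays acknowledged until its status changes, otherwise the hardening score and the re-scan results will disagree.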
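Review bot: in `12-remediation-and-blocklist-ui-ugig.md`, item 3 leaves the command transport to the implementer ("likely a server queue the daemon polls"); whatever is chosen, the PRD should require that a daemon can only dequeue commands addressed to its own `server_id`, that each executed command records the requesting user in `remediation_actions`, and that the daemon re-applies the allowlist before executing a manual block, so a dashboard-initiated block cannot lock out the operator or the control plane. The manual-block form should validate IP/CIDR syntax server-side, not only in the browser.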
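Review bot: in `13-alert-settings-ui-ugig.md`, the "Send test alert" endpoint (`…/alert-destinations/[id]/test`) makes the web server POST to a user-supplied webhook URL, which is a server-side request forgery path into the control plane's own network; "URL validation before save" needs to mean HTTPS only and rejection of loopback, link-local, RFC 1918 and cloud-metadata addresses after DNS resolution, not just a syntax check. Also reconcile the storage model with PRD-08: if destination secrets are client-side encrypted and never returned in plaintext, state how the daemon obtains the webhook URL or PagerDuty routing key it needs to deliver alerts.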
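Review bot: in `14-pwa-offline-and-push-ugig.md`, stale-while-revalidate caching of overview/detections/findings reads puts authenticated detection data (source IPs, usernames) in the service worker cache, so item 4's invalidation on logout/org switch must also cover the case where the user never logs out (shared device, expired session): namespace the runtime cache by user and org and purge it when the session token changes. For push, a "critical alert" notification is shown on the lock screen of the installed device, so keep the payload to severity and a deep link and fetch detection details on click.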
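Review bot: in `15-self-hosting-package-ugig.md`, the `.env.example` marks optional integrations but the scope does not say that `docker compose up` must refuse to start with unset or placeholder values for the security-critical variables (database credentials, JWT/service keys, the key used to encrypt alert-destination secrets); a self-host package that boots with example secrets is the classic default-credential exposure. Add that to the acceptance criteria, and state where TLS terminates for `https://my-instance` (a reverse proxy in the compose file, or documented as bring-your-own), since agent enrollment tokens travel over that connection.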
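Review bot: in `16-module-marketplace-ugig.md`, installing a module means running third-party code inside the daemon, which other gigs give `CAP_NET_ADMIN` and firewall control, so the publish and install flows need integrity and disclosure, not only payments. Require the catalog to store a content hash (and ideally a signature) of each published version that `store install` verifies before loading, pin installs to exact versions, and show the manifest's declared capabilities (PRD-09) in the store UI and CLI before install. Entitlement for paid modules must be checked server-side at download, not only in the CLI.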
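Review bot: in `gigs/README.md`, the suggested sequencing (PRD-00 first, then 01, 02, 03, 08, 10, 11, 12) omits PRD-09 even though gigs 00, 01 and 08 all depend on the shared schemas being exported from `apps/sdk`, which is what PRD-09 defines and freezes. Either pull the schema-definition part of 09 forward alongside 00, or state in the README that 00 owns the initial schema and 09 only publishes it, so two contractors do not define it twice.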