@nordsym/apiclaw 1.5.9 → 1.5.10

package/src/execute.ts

@@ -402,6 +402,21 @@ const apiEndpoints: Record<string, Record<string, { url: string; method: string;
     run_code: { url: 'https://api.e2b.dev/v1/sandboxes', method: 'POST' },
     run_shell: { url: 'https://api.e2b.dev/v1/sandboxes', method: 'POST' },
   },
+  apilayer: {
+    exchange_rates: { url: 'https://api.apilayer.com/exchangerates_data/latest', method: 'GET' },
+    market_data: { url: 'http://api.marketstack.com/v1/eod', method: 'GET' },
+    aviation: { url: 'http://api.aviationstack.com/v1/flights', method: 'GET' },
+    pdf_generate: { url: 'https://api.pdflayer.com/api/convert', method: 'GET' },
+    screenshot: { url: 'https://api.screenshotlayer.com/api/capture', method: 'GET' },
+    verify_email: { url: 'https://api.apilayer.com/email_verification/check', method: 'GET' },
+    verify_number: { url: 'https://api.apilayer.com/number_verification/validate', method: 'GET' },
+    vat_check: { url: 'http://apilayer.net/api/validate', method: 'GET' },
+    world_news: { url: 'https://api.apilayer.com/world_news/search-news', method: 'GET' },
+    finance_news: { url: 'https://api.apilayer.com/financelayer/news', method: 'GET' },
+    scrape: { url: 'https://api.apilayer.com/adv_scraper/scraper', method: 'GET' },
+    image_crop: { url: 'https://api.apilayer.com/image_crop/crop', method: 'GET' },
+    skills: { url: 'https://api.apilayer.com/skills', method: 'GET' },
+  },
 };
 
 /**
@@ -1644,6 +1659,238 @@ const handlers: Record<string, Record<string, (params: any, creds: any) => Promi
       };
     },
   },
+
+  // APILayer - 14 APIs via one provider
+  apilayer: {
+    // Helper to pick the right key per action
+    exchange_rates: async (params, creds) => {
+      const key = creds.APILAYER_EXCHANGERATE_KEY || creds.api_key;
+      const { base = 'USD', symbols, date } = params;
+      const endpoint = date ? 'historical' : 'latest';
+      const url = new URL(`https://api.apilayer.com/exchangerates_data/${endpoint}`);
+      url.searchParams.set('base', base);
+      if (symbols) url.searchParams.set('symbols', symbols);
+      if (date) url.searchParams.set('date', date);
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'exchange_rates' });
+
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'exchange_rates', (data.message as string) || 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'exchange_rates', data };
+    },
+
+    market_data: async (params, creds) => {
+      const key = creds.APILAYER_MARKETSTACK_KEY || creds.api_key;
+      const { symbols, date_from, date_to, limit = 10 } = params;
+      if (!symbols) return createErrorResult('apilayer', 'market_data', 'Missing required param: symbols', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('http://api.marketstack.com/v1/eod');
+      url.searchParams.set('access_key', key);
+      url.searchParams.set('symbols', symbols);
+      url.searchParams.set('limit', limit.toString());
+      if (date_from) url.searchParams.set('date_from', date_from);
+      if (date_to) url.searchParams.set('date_to', date_to);
+
+      const response = await fetchWithRetry(url.toString(), {}, { provider: 'apilayer', action: 'market_data' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'market_data', (data.error as any)?.message || 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'market_data', data };
+    },
+
+    aviation: async (params, creds) => {
+      const key = creds.APILAYER_AVIATIONSTACK_KEY || creds.api_key;
+      const { flight_iata, dep_iata, arr_iata, airline_iata } = params;
+      const url = new URL('http://api.aviationstack.com/v1/flights');
+      url.searchParams.set('access_key', key);
+      if (flight_iata) url.searchParams.set('flight_iata', flight_iata);
+      if (dep_iata) url.searchParams.set('dep_iata', dep_iata);
+      if (arr_iata) url.searchParams.set('arr_iata', arr_iata);
+      if (airline_iata) url.searchParams.set('airline_iata', airline_iata);
+
+      const response = await fetchWithRetry(url.toString(), {}, { provider: 'apilayer', action: 'aviation' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'aviation', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'aviation', data };
+    },
+
+    pdf_generate: async (params, creds) => {
+      const key = creds.APILAYER_PDFLAYER_KEY || creds.api_key;
+      const { document_url, document_html, page_size = 'A4' } = params;
+      if (!document_url && !document_html) return createErrorResult('apilayer', 'pdf_generate', 'Missing: document_url or document_html', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.pdflayer.com/api/convert');
+      url.searchParams.set('access_key', key);
+      url.searchParams.set('page_size', page_size);
+      if (document_url) url.searchParams.set('document_url', document_url);
+      if (document_html) url.searchParams.set('document_html', document_html);
+
+      const response = await fetchWithRetry(url.toString(), {}, { provider: 'apilayer', action: 'pdf_generate' });
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('application/pdf')) {
+        return { success: true, provider: 'apilayer', action: 'pdf_generate', data: { message: 'PDF generated', content_type: 'application/pdf', size: response.headers.get('content-length') } };
+      }
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'pdf_generate', (data.error as any)?.info || 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'pdf_generate', data };
+    },
+
+    screenshot: async (params, creds) => {
+      const key = creds.APILAYER_SCREENSHOTLAYER_KEY || creds.api_key;
+      const { url: targetUrl, viewport = '1440x900', fullpage = 0 } = params;
+      if (!targetUrl) return createErrorResult('apilayer', 'screenshot', 'Missing required param: url', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.screenshotlayer.com/api/capture');
+      url.searchParams.set('access_key', key);
+      url.searchParams.set('url', targetUrl);
+      url.searchParams.set('viewport', viewport);
+      url.searchParams.set('fullpage', fullpage.toString());
+
+      const response = await fetchWithRetry(url.toString(), {}, { provider: 'apilayer', action: 'screenshot' });
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('image/')) {
+        return { success: true, provider: 'apilayer', action: 'screenshot', data: { message: 'Screenshot captured', content_type: contentType, url: url.toString() } };
+      }
+      const data = await response.json() as Record<string, unknown>;
+      return { success: true, provider: 'apilayer', action: 'screenshot', data };
+    },
+
+    verify_email: async (params, creds) => {
+      const key = creds.APILAYER_EMAILVERIFY_KEY || creds.api_key;
+      const { email } = params;
+      if (!email) return createErrorResult('apilayer', 'verify_email', 'Missing required param: email', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.apilayer.com/email_verification/check');
+      url.searchParams.set('email', email);
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'verify_email' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'verify_email', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'verify_email', data };
+    },
+
+    verify_number: async (params, creds) => {
+      const key = creds.APILAYER_NUMVERIFY_KEY || creds.api_key;
+      const { number } = params;
+      if (!number) return createErrorResult('apilayer', 'verify_number', 'Missing required param: number', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.apilayer.com/number_verification/validate');
+      url.searchParams.set('number', number);
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'verify_number' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'verify_number', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'verify_number', data };
+    },
+
+    vat_check: async (params, creds) => {
+      const key = creds.APILAYER_VATLAYER_KEY || creds.api_key;
+      const { vat_number } = params;
+      if (!vat_number) return createErrorResult('apilayer', 'vat_check', 'Missing required param: vat_number', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('http://apilayer.net/api/validate');
+      url.searchParams.set('access_key', key);
+      url.searchParams.set('vat_number', vat_number);
+
+      const response = await fetchWithRetry(url.toString(), {}, { provider: 'apilayer', action: 'vat_check' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'vat_check', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'vat_check', data };
+    },
+
+    world_news: async (params, creds) => {
+      const key = creds.APILAYER_WORLDNEWS_KEY || creds.api_key;
+      const { text, source_countries, language = 'en', number = 5 } = params;
+
+      const url = new URL('https://api.apilayer.com/world_news/search-news');
+      if (text) url.searchParams.set('text', text);
+      if (source_countries) url.searchParams.set('source-countries', source_countries);
+      url.searchParams.set('language', language);
+      url.searchParams.set('number', number.toString());
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'world_news' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'world_news', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'world_news', data };
+    },
+
+    finance_news: async (params, creds) => {
+      const key = creds.APILAYER_FINANCENEWS_KEY || creds.api_key;
+      const { tickers, text, number = 5 } = params;
+
+      const url = new URL('https://api.apilayer.com/financelayer/news');
+      if (tickers) url.searchParams.set('tickers', tickers);
+      if (text) url.searchParams.set('keywords', text);
+      url.searchParams.set('limit', number.toString());
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'finance_news' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'finance_news', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'finance_news', data };
+    },
+
+    scrape: async (params, creds) => {
+      const key = creds.APILAYER_SCRAPER_KEY || creds.api_key;
+      const { url: targetUrl } = params;
+      if (!targetUrl) return createErrorResult('apilayer', 'scrape', 'Missing required param: url', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.apilayer.com/adv_scraper/scraper');
+      url.searchParams.set('url', targetUrl);
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'scrape' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'scrape', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'scrape', data };
+    },
+
+    image_crop: async (params, creds) => {
+      const key = creds.APILAYER_IMAGECROP_KEY || creds.api_key;
+      const { url: imageUrl, width, height } = params;
+      if (!imageUrl) return createErrorResult('apilayer', 'image_crop', 'Missing required param: url', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.apilayer.com/image_crop/crop');
+      url.searchParams.set('url', imageUrl);
+      if (width) url.searchParams.set('width', width.toString());
+      if (height) url.searchParams.set('height', height.toString());
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'image_crop' });
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('image/')) {
+        return { success: true, provider: 'apilayer', action: 'image_crop', data: { message: 'Image cropped', content_type: contentType } };
+      }
+      const data = await response.json() as Record<string, unknown>;
+      return { success: true, provider: 'apilayer', action: 'image_crop', data };
+    },
+
+    skills: async (params, creds) => {
+      const key = creds.APILAYER_SKILLAPI_KEY || creds.api_key;
+      const { q } = params;
+      if (!q) return createErrorResult('apilayer', 'skills', 'Missing required param: q', ERROR_CODES.INVALID_PARAMS);
+
+      const url = new URL('https://api.apilayer.com/skills');
+      url.searchParams.set('q', q);
+
+      const response = await fetchWithRetry(url.toString(), {
+        headers: { 'apikey': key },
+      }, { provider: 'apilayer', action: 'skills' });
+      const data = await response.json() as Record<string, unknown>;
+      if (!response.ok) return createErrorResult('apilayer', 'skills', 'Request failed', statusToErrorCode(response.status));
+      return { success: true, provider: 'apilayer', action: 'skills', data };
+    },
+  },
 };
 
 // Get available actions for a provider (static handlers only)

package/src/hivr-whitelist.ts

@@ -0,0 +1,110 @@
+/**
+ * Hivr Bees Auto-Whitelist
+ * Dynamically fetches active agents from Hivr's Convex deployment
+ * Falls back to static whitelist if Convex is unreachable
+ */
+
+// Hivr PROD Convex deployment
+const HIVR_CONVEX_URL = "https://sensible-quail-275.convex.cloud";
+
+// Fallback static whitelist (in case Convex is down)
+const STATIC_WHITELIST = [
+  'bytebee',
+  'analyzerbee',
+  'buildbee',
+  'buzzwriter',
+  'hivemind',
+  'hivesage',
+  'symbot',
+  'hivrqueen',
+  'marketmaven',
+  'reconbee',
+  'sprintbee',
+  'quillbee',
+];
+
+// Cache whitelist for 5 minutes
+let cachedWhitelist: string[] | null = null;
+let cacheExpiry: number = 0;
+
+/**
+ * Fetch all active agents from Hivr Convex
+ */
+async function fetchHivrAgents(): Promise<string[]> {
+  try {
+    // Call Convex HTTP API directly
+    const response = await fetch(`${HIVR_CONVEX_URL}/api/query`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        path: 'agents:list',
+        args: {},
+      }),
+    });
+    
+    if (!response.ok) {
+      console.warn('[Hivr Whitelist] Convex HTTP API error, using static whitelist');
+      return STATIC_WHITELIST;
+    }
+    
+    const agents = await response.json() as any[];
+    
+    if (!agents || !Array.isArray(agents)) {
+      console.warn('[Hivr Whitelist] Invalid response from Hivr Convex, using static whitelist');
+      return STATIC_WHITELIST;
+    }
+    
+    // Extract handles (Hivr uses 'handle', not 'agentId')
+    const handles = agents
+      .map((a: any) => a.handle?.toLowerCase().trim())
+      .filter((h: string | undefined) => h && h.length > 0);
+    
+    console.log(`[Hivr Whitelist] Fetched ${handles.length} agents from Hivr`);
+    return handles;
+    
+  } catch (error) {
+    console.error('[Hivr Whitelist] Failed to fetch from Hivr Convex:', error);
+    return STATIC_WHITELIST;
+  }
+}
+
+/**
+ * Get current whitelist (cached or fresh)
+ */
+export async function getWhitelist(): Promise<string[]> {
+  const now = Date.now();
+  
+  // Return cached if still valid
+  if (cachedWhitelist && now < cacheExpiry) {
+    return cachedWhitelist;
+  }
+  
+  // Fetch fresh whitelist
+  cachedWhitelist = await fetchHivrAgents();
+  cacheExpiry = now + (5 * 60 * 1000); // 5 minutes
+  
+  return cachedWhitelist;
+}
+
+/**
+ * Check if agent is authorized
+ */
+export async function isAuthorized(agentId: string | undefined): Promise<boolean> {
+  if (!agentId) return false;
+  
+  const whitelist = await getWhitelist();
+  const normalized = agentId.toLowerCase().trim();
+  
+  return whitelist.includes(normalized);
+}
+
+/**
+ * Force refresh whitelist (call after adding new bee)
+ */
+export function invalidateCache(): void {
+  cachedWhitelist = null;
+  cacheExpiry = 0;
+  console.log('[Hivr Whitelist] Cache invalidated');
+}

package/src/http-api.ts

@@ -17,23 +17,7 @@ import { isOpenAPI, executeOpenAPI } from './open-apis.js';
 import { executeMetered } from './metered.js';
 import { logAPICall } from './analytics.js';
 import { getMachineFingerprint } from './session.js';
-
-// Hivr bees whitelist - these agents get free unlimited access
-const HIVR_BEES_WHITELIST = [
-  'bytebee',
-  'analyzerbee',
-  'buildbee',
-  'buzzwriter',
-  'hivemind',
-  'hivesage',
-  'symbot',
-  'hivrqueen',
-  'marketmaven',
-  'reconbee',
-  'sprintbee',
-  'quillbee',
-  // Add more as Hivr grows
-];
+import { isAuthorized, getProduct } from './product-whitelist.js';
 
 interface APIRequest {
   provider: string;
@@ -42,15 +26,6 @@ interface APIRequest {
   agentId: string;
 }
 
-/**
- * Check if agent is authorized (Hivr bee)
- */
-function isAuthorized(agentId: string | undefined): boolean {
-  if (!agentId) return false;
-  const normalized = agentId.toLowerCase().trim();
-  return HIVR_BEES_WHITELIST.includes(normalized);
-}
-
 /**
  * Parse JSON body from request
  */
@@ -97,7 +72,7 @@ async function handleDiscover(req: IncomingMessage, res: ServerResponse, url: UR
     return;
   }
   
-  if (!isAuthorized(agentId || undefined)) {
+  if (!(await isAuthorized(agentId || undefined))) {
     sendJSON(res, 403, { 
       error: 'Unauthorized', 
       message: 'This endpoint is restricted to Hivr bees. Contact admin@nordsym.com for access.',
@@ -109,15 +84,17 @@ async function handleDiscover(req: IncomingMessage, res: ServerResponse, url: UR
   const results = discoverAPIs(query, { category, maxResults });
   const responseTimeMs = Date.now() - startTime;
   
-  // Log to analytics
+  // Log to analytics with product info
+  const product = agentId ? getProduct(agentId) : null;
   logAPICall({
     timestamp: new Date().toISOString(),
     provider: 'apiclaw_discovery',
     action: 'discover',
     type: 'open',
-    userId: `hivr:${agentId}`,
+    userId: agentId || 'unknown',
     success: true,
     latencyMs: responseTimeMs,
+    metadata: product ? { product } : undefined,
   });
   
   sendJSON(res, 200, {
@@ -158,10 +135,15 @@ async function handleCallAPI(req: IncomingMessage, res: ServerResponse): Promise
     return;
   }
   
-  if (!isAuthorized(agentId)) {
+  // Check whitelist + access control
+  const { isAllowed } = await import('./access-control.js');
+  const accessCheck = await isAllowed(agentId, provider);
+  
+  if (!accessCheck.allowed) {
     sendJSON(res, 403, { 
-      error: 'Unauthorized', 
-      message: 'This endpoint is restricted to Hivr bees. Contact admin@nordsym.com for access.',
+      error: 'Access Denied', 
+      message: accessCheck.reason || 'Not authorized',
+      hint: 'Contact admin@nordsym.com for access',
     });
     return;
   }
@@ -201,16 +183,18 @@ async function handleCallAPI(req: IncomingMessage, res: ServerResponse): Promise
   
   const latencyMs = Date.now() - startTime;
   
-  // Log to analytics
+  // Log to analytics with product info
+  const product = getProduct(agentId);
   logAPICall({
     timestamp: new Date().toISOString(),
     provider,
     action,
     type: apiType!,
-    userId: `hivr:${agentId}`,
+    userId: agentId,
     success,
     latencyMs,
     error,
+    metadata: product ? { product } : undefined,
   });
   
   sendJSON(res, success ? 200 : 500, {

package/src/http-server-minimal.ts

@@ -0,0 +1,154 @@
+#!/usr/bin/env node
+/**
+ * Minimal HTTP API Server for APIClaw
+ * Bypasses chain executor imports
+ */
+
+import { createServer } from 'http';
+import { URL } from 'url';
+
+const PORT = parseInt(process.env.PORT || '3001');
+
+// Import whitelist directly
+import { isAuthorized, getProduct } from './product-whitelist.js';
+
+interface APIRequest {
+  provider: string;
+  action: string;
+  params: Record<string, any>;
+  agentId: string;
+}
+
+function sendJSON(res: any, status: number, data: any): void {
+  res.writeHead(status, {
+    'Content-Type': 'application/json',
+    'Access-Control-Allow-Origin': '*',
+  });
+  res.end(JSON.stringify(data));
+}
+
+async function parseBody<T>(req: any): Promise<T> {
+  return new Promise((resolve, reject) => {
+    let body = '';
+    req.on('data', (chunk: any) => body += chunk.toString());
+    req.on('end', () => {
+      try {
+        resolve(JSON.parse(body));
+      } catch (e) {
+        reject(new Error('Invalid JSON'));
+      }
+    });
+  });
+}
+
+const server = createServer(async (req, res) => {
+  const url = new URL(req.url || '/', `http://${req.headers.host}`);
+  
+  console.log(`[APIClaw] ${req.method} ${url.pathname}`);
+  
+  // CORS
+  if (req.method === 'OPTIONS') {
+    res.writeHead(204, {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type',
+    });
+    res.end();
+    return;
+  }
+  
+  // Health check
+  if (url.pathname === '/health') {
+    sendJSON(res, 200, { 
+      status: 'ok', 
+      service: 'apiclaw-http-api',
+      version: '2.0.0',
+      whitelist: 'multi-product',
+    });
+    return;
+  }
+  
+  // Discovery endpoint
+  if (url.pathname === '/api/discover' && req.method === 'GET') {
+    const query = url.searchParams.get('query');
+    const agentId = url.searchParams.get('agentId');
+    
+    if (!query) {
+      sendJSON(res, 400, { error: 'Missing query parameter' });
+      return;
+    }
+    
+    const authorized = await isAuthorized(agentId || undefined);
+    
+    if (!authorized) {
+      sendJSON(res, 403, {
+        error: 'Unauthorized',
+        message: 'This endpoint is restricted. Contact admin@nordsym.com',
+      });
+      return;
+    }
+    
+    const product = agentId ? getProduct(agentId) : null;
+    
+    sendJSON(res, 200, {
+      success: true,
+      query,
+      agentId,
+      product,
+      message: 'Whitelist v2.0 active - discovery endpoint placeholder',
+    });
+    return;
+  }
+  
+  // Call API endpoint
+  if (url.pathname === '/api/call_api' && req.method === 'POST') {
+    try {
+      const body = await parseBody<APIRequest>(req);
+      const { provider, action, params, agentId } = body;
+      
+      if (!provider || !action || !agentId) {
+        sendJSON(res, 400, {
+          error: 'Missing required fields',
+          required: ['provider', 'action', 'agentId', 'params'],
+        });
+        return;
+      }
+      
+      const authorized = await isAuthorized(agentId);
+      
+      if (!authorized) {
+        sendJSON(res, 403, {
+          error: 'Unauthorized',
+          message: 'Agent not whitelisted',
+        });
+        return;
+      }
+      
+      const product = getProduct(agentId);
+      
+      sendJSON(res, 200, {
+        success: true,
+        agentId,
+        provider,
+        action,
+        product,
+        message: 'Whitelist v2.0 active - execution placeholder',
+      });
+      
+    } catch (e: any) {
+      sendJSON(res, 400, { error: e.message });
+    }
+    return;
+  }
+  
+  // 404
+  sendJSON(res, 404, { error: 'Not found' });
+});
+
+server.listen(PORT, () => {
+  console.log(`\n🦞 APIClaw HTTP API (Whitelist v2.0)`);
+  console.log(`   Running on http://localhost:${PORT}`);
+  console.log(`   GET  /health`);
+  console.log(`   GET  /api/discover?query=...&agentId=...`);
+  console.log(`   POST /api/call_api\n`);
+});