web-agent-bridge 1.0.0 → 1.1.0

package/script/ai-agent-bridge.js

@@ -1,14 +1,16 @@
 /**
- * Web Agent Bridge v1.0.0
- * Open-source middleware for AI agent ↔ website interaction
+ * Web Agent Bridge v1.1.0
+ * Open protocol + runtime for AI agent ↔ website interaction
  * https://github.com/web-agent-bridge
  * License: MIT
  */
 (function (global) {
   'use strict';
 
-  const VERSION = '1.0.0';
+  const VERSION = '1.1.0';
+  const PROTOCOL_VERSION = '1.0';
   const LICENSING_SERVER = 'https://api.webagentbridge.com';
+  const DISCOVERY_PATHS = ['/agent-bridge.json', '/.well-known/wab.json'];
 
   // ─── Default Configuration ────────────────────────────────────────────
   const DEFAULT_CONFIG = {
@@ -22,12 +24,6 @@
       automatedLogin: false,
       extractData: false
     },
-    features: {
-      advancedAnalytics: false,
-      realTimeUpdates: false,
-      customActions: false,
-      webhooks: false
-    },
     restrictions: {
       allowedSelectors: [],
       blockedSelectors: ['.private', '[data-private]', '[data-no-agent]'],
@@ -39,7 +35,19 @@
       level: 'basic'
     },
     subscriptionTier: 'free',
-    licenseKey: null
+    licenseKey: null,
+    /** Public site id from dashboard (preferred). Used with configEndpoint for token exchange — license key stays off the page. */
+    siteId: null,
+    /** Base URL for /api/license/* (verify, track). Default: current origin, else LICENSING_SERVER. */
+    apiBaseUrl: null,
+    features: {
+      advancedAnalytics: false,
+      realTimeUpdates: false,
+      customActions: false,
+      webhooks: false,
+      /** Send execute events to POST /api/license/track (populates admin analytics). */
+      reportUsage: true
+    }
   };
 
   // ─── Rate Limiter ─────────────────────────────────────────────────────
@@ -348,15 +356,28 @@
   }
 
   // ─── Stealth / Human-like Interaction ─────────────────────────────────
-  // Makes automation interactions look natural to anti-bot systems
+  // ⚠️ ETHICAL USE POLICY:
+  // Stealth mode simulates human-like interaction patterns for LEGITIMATE uses:
+  //   - Accessibility testing    - QA automation on YOUR OWN sites
+  //   - UX research with consent - Authorized penetration testing
+  // DO NOT use to bypass anti-bot protections on sites you do not own or control.
+  // Misuse violates the MIT license terms and is the user's legal responsibility.
   const Stealth = {
     _enabled: false,
+    _consentGiven: false,
 
-    enable() { this._enabled = true; },
+    enable(consent) {
+      if (consent !== true) {
+        console.warn('[WAB] Stealth mode requires explicit consent: stealth.enable(true)');
+        return;
+      }
+      this._consentGiven = true;
+      this._enabled = true;
+    },
     disable() { this._enabled = false; },
     get isEnabled() { return this._enabled; },
 
-    // Random delay between min and max ms, with optional Gaussian distribution
+    // Random delay between min and max ms
     delay(min = 50, max = 300) {
       if (!this._enabled) return Promise.resolve();
       const duration = min + Math.floor(Math.random() * (max - min));
@@ -557,13 +578,15 @@
       this.authenticated = false;
       this.agentInfo = null;
       this._licenseVerified = null;
+      this._discoveryDoc = null;
       this._ready = false;
       this._readyCallbacks = [];
       this._mutationObserver = null;
+      this._eventSubscriptions = new Map();
 
-      // Enable stealth mode if configured
-      if (this.config.stealth?.enabled) {
-        this.stealth.enable();
+      // Enable stealth mode if configured (requires consent: true)
+      if (this.config.stealth?.enabled && this.config.stealth?.consent === true) {
+        this.stealth.enable(true);
       }
 
       this._init();
@@ -571,7 +594,11 @@
 
     // ── Initialization ──────────────────────────────────────────────────
     async _init() {
-      if (this.config.licenseKey) {
+      await this._fetchDiscoveryDocument();
+
+      if (this.config.configEndpoint && (this.config.siteId || this.config._licenseKey || this.config.licenseKey)) {
+        await this._secureLicenseExchange();
+      } else if (this.config.licenseKey) {
         await this._verifyLicense();
       } else {
         this._licenseVerified = { tier: 'free', valid: true };
@@ -583,8 +610,54 @@
       this._ready = true;
       this._readyCallbacks.forEach(cb => cb());
       this._readyCallbacks = [];
-      this.events.emit('ready', { version: VERSION, tier: this.getEffectiveTier() });
-      this.logger.log('init', { version: VERSION, tier: this.getEffectiveTier(), security: 'sandbox-active' });
+      this.events.emit('ready', { version: VERSION, protocol: PROTOCOL_VERSION, tier: this.getEffectiveTier() });
+      this.logger.log('init', { version: VERSION, protocol: PROTOCOL_VERSION, tier: this.getEffectiveTier(), security: 'sandbox-active' });
+    }
+
+    async _fetchDiscoveryDocument() {
+      var base = this._getLicenseApiBase();
+      for (var i = 0; i < DISCOVERY_PATHS.length; i++) {
+        try {
+          var res = await fetch(base + DISCOVERY_PATHS[i], { method: 'GET', credentials: 'omit' });
+          if (res.ok) {
+            this._discoveryDoc = await res.json();
+            this.logger.log('discovery', { path: DISCOVERY_PATHS[i], provider: this._discoveryDoc.provider });
+            this.events.emit('discovery', this._discoveryDoc);
+            return;
+          }
+        } catch (_) {}
+      }
+    }
+
+    // Secure license exchange: POST license key to server, get session token back
+    // License key is transmitted once via POST (not visible in page source)
+    async _secureLicenseExchange() {
+      try {
+        const endpoint = this.config.configEndpoint;
+        const body = this.config.siteId
+          ? { siteId: this.config.siteId }
+          : { licenseKey: this.config._licenseKey || this.config.licenseKey };
+        const res = await fetch(endpoint, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(body)
+        });
+        if (res.ok) {
+          const data = await res.json();
+          this._licenseVerified = { tier: data.tier, valid: true, sessionToken: data.sessionToken };
+          delete this.config._licenseKey;
+          if (data.expiresIn) {
+            if (this._tokenRefreshTimer) clearTimeout(this._tokenRefreshTimer);
+            this._tokenRefreshTimer = setTimeout(() => {
+              this._secureLicenseExchange();
+            }, Math.floor(data.expiresIn * 800));
+          }
+        } else {
+          this._licenseVerified = { tier: 'free', valid: false, error: 'Token exchange failed' };
+        }
+      } catch (e) {
+        this._licenseVerified = { tier: this.config.subscriptionTier || 'free', valid: false, error: 'Offline' };
+      }
     }
 
     // Store fingerprints for all discovered actions (self-healing)
@@ -642,10 +715,42 @@
       return result;
     }
 
+    _getLicenseApiBase() {
+      const c = this.config;
+      if (c.apiBaseUrl) return String(c.apiBaseUrl).replace(/\/$/, '');
+      if (typeof global.location !== 'undefined' && location && location.origin) return location.origin;
+      return LICENSING_SERVER;
+    }
+
+    /**
+     * Report action execution to WAB (fills platform analytics in admin).
+     */
+    _maybeReportUsage(actionName, triggerType, success) {
+      try {
+        const sessionToken = this._licenseVerified && this._licenseVerified.sessionToken;
+        if (!sessionToken || (this.config.features && this.config.features.reportUsage === false)) return;
+        const base = this._getLicenseApiBase();
+        const payload = JSON.stringify({
+          sessionToken,
+          actionName,
+          triggerType: triggerType || 'unknown',
+          success: success !== false
+        });
+        fetch(`${base}/api/license/track`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: payload,
+          keepalive: true,
+          mode: 'cors',
+          credentials: 'omit'
+        }).catch(function () {});
+      } catch (e) { /* ignore */ }
+    }
+
     // ── License Verification ────────────────────────────────────────────
     async _verifyLicense() {
       try {
-        const res = await fetch(`${LICENSING_SERVER}/api/license/verify`, {
+        const res = await fetch(`${this._getLicenseApiBase()}/api/license/verify`, {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify({
@@ -903,12 +1008,14 @@
 
         this.events.emit('action:after', { action: actionName, result });
         this.logger.log('execute_result', { action: actionName, success: result.success }, 'detailed');
+        this._maybeReportUsage(actionName, action.trigger, !!(result && result.success !== false));
         return result;
 
       } catch (err) {
         const error = { success: false, error: err.message };
         this.events.emit('error', { action: actionName, error: err.message });
         this.logger.log('execute_error', { action: actionName, error: err.message });
+        this._maybeReportUsage(actionName, action.trigger, false);
         return error;
       }
     }
@@ -1090,6 +1197,50 @@
       this.events.emit('action:unregistered', { name });
     }
 
+    // ── Protocol Discovery ──────────────────────────────────────────────
+    discover() {
+      return {
+        wab_version: PROTOCOL_VERSION,
+        runtime_version: VERSION,
+        discovery_document: this._discoveryDoc,
+        page: this.getPageInfo(),
+        actions: this.getActions(),
+        fairness: this._discoveryDoc ? this._discoveryDoc.fairness : null,
+        transport: {
+          js_global: { enabled: true, interface: 'window.AICommands' },
+          bidi: { enabled: true, interface: 'window.__wab_bidi' },
+          noscript: { enabled: !!(this.config.siteId) }
+        }
+      };
+    }
+
+    subscribe(eventName, callback) {
+      if (typeof callback !== 'function') return { success: false, error: 'callback must be a function' };
+      var id = 'sub_' + (++this.security._commandCounter);
+      this._eventSubscriptions.set(id, { event: eventName, callback });
+      this.events.on(eventName, callback);
+      return { success: true, subscriptionId: id, event: eventName };
+    }
+
+    unsubscribe(subscriptionId) {
+      var sub = this._eventSubscriptions.get(subscriptionId);
+      if (!sub) return { success: false, error: 'Subscription not found' };
+      this.events.off(sub.event, sub.callback);
+      this._eventSubscriptions.delete(subscriptionId);
+      return { success: true };
+    }
+
+    ping() {
+      return {
+        pong: true,
+        version: VERSION,
+        protocol: PROTOCOL_VERSION,
+        timestamp: Date.now(),
+        ready: this._ready,
+        locked: this.security.isLocked
+      };
+    }
+
     // ── Discovery / Info ────────────────────────────────────────────────
     getActions(category) {
       if (category) return this.registry.getByCategory(category);
@@ -1167,8 +1318,13 @@
     toJSON() {
       return {
         version: VERSION,
+        protocol: PROTOCOL_VERSION,
         page: this.getPageInfo(),
-        actions: this.getActions()
+        actions: this.getActions(),
+        discovery: this._discoveryDoc ? {
+          provider: this._discoveryDoc.provider,
+          fairness: this._discoveryDoc.fairness
+        } : null
       };
     }
 
@@ -1178,6 +1334,7 @@
       return {
         type: 'wab:context',
         version: VERSION,
+        protocol: PROTOCOL_VERSION,
         context: {
           url: location.href,
           title: document.title,
@@ -1192,7 +1349,9 @@
           })),
           permissions: this._getEffectivePermissions(),
           tier: this.getEffectiveTier()
-        }
+        },
+        discovery: this._discoveryDoc || null,
+        fairness: this._discoveryDoc ? this._discoveryDoc.fairness : null
       };
     }
 
@@ -1234,6 +1393,24 @@
         case 'wab.getPageInfo':
           return { ...responseBase, result: this.getPageInfo() };
 
+        case 'wab.discover':
+          return { ...responseBase, result: this.discover() };
+
+        case 'wab.authenticate':
+          if (!command.params?.key) {
+            return { id: command.id, error: { code: 'invalid argument', message: 'Agent key required' } };
+          }
+          return { ...responseBase, result: this.authenticate(command.params.key, command.params.meta || {}) };
+
+        case 'wab.subscribe':
+          if (!command.params?.event) {
+            return { id: command.id, error: { code: 'invalid argument', message: 'Event name required' } };
+          }
+          return { ...responseBase, result: this.subscribe(command.params.event, command.params.callback || function() {}) };
+
+        case 'wab.ping':
+          return { ...responseBase, result: this.ping() };
+
         default:
           return { id: command.id, error: { code: 'unknown command', message: `Unknown method: ${command.method}` } };
       }
@@ -1261,18 +1438,72 @@
     global.AICommands = bridge;
     global.WebAgentBridge = WebAgentBridge;
 
+    // WAB Protocol interface
+    global.__wab_protocol = {
+      version: VERSION,
+      protocol: PROTOCOL_VERSION,
+      discover: () => bridge.discover(),
+      ping: () => bridge.ping()
+    };
+
     // WebDriver BiDi compatibility: expose via __wab_bidi channel
     global.__wab_bidi = {
       version: VERSION,
+      protocol: PROTOCOL_VERSION,
       send: async (command) => bridge.executeBiDi(command),
       getContext: () => bridge.toBiDi()
     };
 
+    // Inject NoJS fallback elements for pages that might disable JS later or
+    // for hybrid environments (SSR, partial hydration, headless crawlers).
+    if (config.siteId) {
+      injectNoScriptFallback(config);
+    }
+
     if (typeof CustomEvent !== 'undefined') {
       document.dispatchEvent(new CustomEvent('wab:ready', { detail: { version: VERSION } }));
     }
   }
 
+  function injectNoScriptFallback(config) {
+    try {
+      var siteId = config.siteId;
+      var base = config.apiBaseUrl || '';
+
+      // Add <noscript> block if not already present
+      if (!document.querySelector('noscript [src*="noscript/pixel/' + siteId + '"]')) {
+        var ns = document.createElement('noscript');
+        ns.innerHTML =
+          '<link rel="stylesheet" href="' + base + '/api/noscript/css/' + siteId + '">' +
+          '<img src="' + base + '/api/noscript/pixel/' + siteId + '?action=pageview&t=noscript" width="1" height="1" alt="" style="position:absolute;opacity:0">';
+        document.body.appendChild(ns);
+      }
+
+      // Expose noscript endpoints on the bridge for AI agents
+      global.__wab_noscript = {
+        pixel: base + '/api/noscript/pixel/' + siteId,
+        css: base + '/api/noscript/css/' + siteId,
+        bridge: base + '/api/noscript/bridge/' + siteId,
+        embed: base + '/api/noscript/embed/' + siteId,
+        serverTrack: base + '/api/noscript/server-track',
+        status: base + '/api/noscript/status/' + siteId
+      };
+
+      // Add meta tags for crawlers/agents that read HTML
+      if (!document.querySelector('meta[name="wab:noscript"]')) {
+        var meta1 = document.createElement('meta');
+        meta1.name = 'wab:noscript';
+        meta1.content = 'true';
+        document.head.appendChild(meta1);
+
+        var meta2 = document.createElement('meta');
+        meta2.name = 'wab:bridge';
+        meta2.content = base + '/api/noscript/bridge/' + siteId;
+        document.head.appendChild(meta2);
+      }
+    } catch (_) {}
+  }
+
   if (document.readyState === 'loading') {
     document.addEventListener('DOMContentLoaded', autoInit);
   } else {

package/sdk/index.js

@@ -149,6 +149,30 @@ class WABAgent {
     return results;
   }
 
+  /**
+   * Get the WAB discovery document for the current page.
+   * @returns {Promise<object>}
+   */
+  async discover() {
+    if (this.useBiDi) {
+      const result = await this._bidiSend('wab.discover');
+      return result.result || result;
+    }
+    return this.page.evaluate(() => window.AICommands.discover());
+  }
+
+  /**
+   * Ping the bridge for a health check.
+   * @returns {Promise<object>}
+   */
+  async ping() {
+    if (this.useBiDi) {
+      const result = await this._bidiSend('wab.ping');
+      return result.result || result;
+    }
+    return this.page.evaluate(() => window.AICommands.ping());
+  }
+
   /**
    * Get BiDi context (only available when useBiDi is true).
    * @returns {Promise<object>}
@@ -157,6 +181,18 @@ class WABAgent {
     return this.page.evaluate(() => window.__wab_bidi.getContext());
   }
 
+  /**
+   * Get the WAB protocol interface data.
+   * @returns {Promise<object>}
+   */
+  async getProtocolInfo() {
+    return this.page.evaluate(() => window.__wab_protocol ? {
+      version: window.__wab_protocol.version,
+      protocol: window.__wab_protocol.protocol,
+      discovery: window.__wab_protocol.discover()
+    } : null);
+  }
+
   /** @private */
   async _bidiSend(method, params = {}) {
     const cmd = { id: ++this._biDiId, method, params };

package/server/config/secrets.js

@@ -0,0 +1,92 @@
+/**
+ * Central JWT and startup secret checks.
+ * User tokens and admin tokens use different secrets and audiences in production.
+ */
+
+const jwt = require('jsonwebtoken');
+
+const JWT_ISSUER = 'wab';
+const JWT_AUD_USER = 'wab:user';
+const JWT_AUD_ADMIN = 'wab:admin';
+
+const jwtVerifyUser = { issuer: JWT_ISSUER, audience: JWT_AUD_USER };
+const jwtVerifyAdmin = { issuer: JWT_ISSUER, audience: JWT_AUD_ADMIN };
+
+function isTest() {
+  return process.env.NODE_ENV === 'test';
+}
+
+function isProd() {
+  return process.env.NODE_ENV === 'production';
+}
+
+function assertSecretsAtStartup() {
+  if (isTest()) return;
+  if (isProd()) {
+    if (!process.env.JWT_SECRET) {
+      throw new Error('FATAL: JWT_SECRET is required in production');
+    }
+    if (!process.env.JWT_SECRET_ADMIN) {
+      throw new Error('FATAL: JWT_SECRET_ADMIN is required in production');
+    }
+  }
+}
+
+function getJwtUserSecret() {
+  if (isTest()) {
+    return process.env.JWT_SECRET || 'test-secret-key-for-testing';
+  }
+  if (isProd()) {
+    return process.env.JWT_SECRET;
+  }
+  return process.env.JWT_SECRET || 'dev-user-secret-change-in-development';
+}
+
+function getJwtAdminSecret() {
+  if (isTest()) {
+    return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || 'test-secret-key-for-testing-admin';
+  }
+  if (isProd()) {
+    return process.env.JWT_SECRET_ADMIN;
+  }
+  return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || 'dev-admin-secret-change-in-development';
+}
+
+function signUserToken(payload, options = {}) {
+  return jwt.sign(
+    { ...payload },
+    getJwtUserSecret(),
+    { expiresIn: options.expiresIn || '7d', issuer: JWT_ISSUER, audience: JWT_AUD_USER }
+  );
+}
+
+function signAdminToken(payload, options = {}) {
+  return jwt.sign(
+    { ...payload },
+    getJwtAdminSecret(),
+    { expiresIn: options.expiresIn || '12h', issuer: JWT_ISSUER, audience: JWT_AUD_ADMIN }
+  );
+}
+
+function verifyUserToken(token) {
+  return jwt.verify(token, getJwtUserSecret(), jwtVerifyUser);
+}
+
+function verifyAdminToken(token) {
+  return jwt.verify(token, getJwtAdminSecret(), jwtVerifyAdmin);
+}
+
+module.exports = {
+  assertSecretsAtStartup,
+  getJwtUserSecret,
+  getJwtAdminSecret,
+  signUserToken,
+  signAdminToken,
+  verifyUserToken,
+  verifyAdminToken,
+  JWT_ISSUER,
+  JWT_AUD_USER,
+  JWT_AUD_ADMIN,
+  jwtVerifyUser,
+  jwtVerifyAdmin
+};