web-agent-bridge 1.0.0 → 1.1.0

package/server/routes/api.js

@@ -47,7 +47,10 @@ router.put('/sites/:id/config', authenticateToken, (req, res) => {
   if (!config) return res.status(400).json({ error: 'Config is required' });
 
   try {
-    updateSiteConfig.run(JSON.stringify(config), req.params.id, req.user.id);
+    const r = updateSiteConfig.run(JSON.stringify(config), req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
     res.json({ success: true });
   } catch (err) {
     res.status(500).json({ error: 'Failed to update config' });
@@ -61,7 +64,10 @@ router.put('/sites/:id/tier', authenticateToken, (req, res) => {
   }
 
   try {
-    updateSiteTier.run(tier, req.params.id, req.user.id);
+    const r = updateSiteTier.run(tier, req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
     res.json({ success: true, tier });
   } catch (err) {
     res.status(500).json({ error: 'Failed to update tier' });
@@ -70,7 +76,10 @@ router.put('/sites/:id/tier', authenticateToken, (req, res) => {
 
 router.delete('/sites/:id', authenticateToken, (req, res) => {
   try {
-    deleteSite.run(req.params.id, req.user.id);
+    const r = deleteSite.run(req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
     res.json({ success: true });
   } catch (err) {
     res.status(500).json({ error: 'Failed to delete site' });
@@ -103,19 +112,27 @@ router.get('/sites/:id/snippet', authenticateToken, (req, res) => {
   }
 
   const config = JSON.parse(site.config || '{}');
-  const snippet = `<!-- Web Agent Bridge -->
+  const snippet = `<!-- Web Agent Bridge (Secure Mode + NoJS Fallback) -->
 <script>
 window.AIBridgeConfig = {
-  licenseKey: "${site.license_key}",
-  subscriptionTier: "${site.tier}",
+  siteId: "${site.id}",
+  configEndpoint: "/api/license/token",
   agentPermissions: ${JSON.stringify(config.agentPermissions || {}, null, 4)},
   restrictions: ${JSON.stringify(config.restrictions || {}, null, 4)},
   logging: ${JSON.stringify(config.logging || {}, null, 4)}
 };
 </script>
-<script src="/script/ai-agent-bridge.js"></script>`;
-
-  res.json({ snippet, licenseKey: site.license_key });
+<script src="/script/ai-agent-bridge.js"></script>
+<noscript>
+  <!-- Automatic NoJS Fallback: tracking + CSS analytics + SSR bridge -->
+  <link rel="stylesheet" href="/api/noscript/css/${site.id}">
+  <img src="/api/noscript/pixel/${site.id}?action=pageview&t=noscript" width="1" height="1" alt="" style="position:absolute;opacity:0;">
+  <meta name="wab:site-id" content="${site.id}">
+  <meta name="wab:noscript" content="true">
+  <meta name="wab:bridge" content="/api/noscript/bridge/${site.id}">
+</noscript>`;
+
+  res.json({ snippet, siteId: site.id });
 });
 
 module.exports = router;

package/server/routes/billing.js

@@ -0,0 +1,45 @@
+/**
+ * Billing Routes (Customer-facing Stripe integration)
+ */
+
+const express = require('express');
+const router = express.Router();
+const { authenticateToken } = require('../middleware/auth');
+const { getPlatformSetting } = require('../models/db');
+const { createCheckoutSession, createPortalSession, isStripeConfigured } = require('../services/stripe');
+
+// ─── Create Checkout Session ──────────────────────────────────────────
+router.post('/checkout', authenticateToken, async (req, res) => {
+  const { siteId, tier } = req.body;
+  if (!siteId || !tier) return res.status(400).json({ error: 'siteId and tier required' });
+  if (!['starter', 'pro', 'enterprise'].includes(tier)) return res.status(400).json({ error: 'Invalid tier' });
+
+  if (!isStripeConfigured()) {
+    return res.status(503).json({ error: 'Payment system not configured' });
+  }
+
+  try {
+    const session = await createCheckoutSession({ userId: req.user.id, userEmail: req.user.email, siteId, tier });
+    res.json(session);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── Customer Portal ──────────────────────────────────────────────────
+router.post('/portal', authenticateToken, async (req, res) => {
+  try {
+    const session = await createPortalSession(req.user.id);
+    res.json(session);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── Stripe Config (public key for frontend) ─────────────────────────
+router.get('/config', (req, res) => {
+  const publishableKey = getPlatformSetting('stripe_publishable_key');
+  res.json({ configured: isStripeConfigured(), publishableKey: publishableKey || null });
+});
+
+module.exports = router;

package/server/routes/discovery.js

@@ -0,0 +1,324 @@
+/**
+ * WAB Discovery Protocol — Auto-generated discovery documents and
+ * public registry of WAB-enabled sites with fairness scoring.
+ */
+
+const express = require('express');
+const router = express.Router();
+const { findSiteById, db } = require('../models/db');
+const { authenticateToken } = require('../middleware/auth');
+const {
+  calculateNeutralityScore,
+  fairnessWeightedSearch,
+  registerInDirectory,
+  getDirectoryListings,
+  generateFairnessReport
+} = require('../services/fairness');
+
+const WAB_VERSION = '1.1.0';
+
+// ─── Helpers ─────────────────────────────────────────────────────────
+
+function findSiteByDomain(domain) {
+  if (!domain) return null;
+  const normalized = domain.toLowerCase().replace(/^www\./, '');
+  return db.prepare(
+    'SELECT * FROM sites WHERE LOWER(REPLACE(domain, "www.", "")) = ? AND active = 1 LIMIT 1'
+  ).get(normalized);
+}
+
+function getRequestDomain(req) {
+  const origin = req.get('origin');
+  if (origin) {
+    try { return new URL(origin).hostname; } catch (_) {}
+  }
+  const host = req.get('host');
+  if (host) return host.split(':')[0];
+  return req.hostname;
+}
+
+function parseSiteConfig(site) {
+  try { return JSON.parse(site.config || '{}'); } catch (_) { return {}; }
+}
+
+function buildDiscoveryDocument(site) {
+  const config = parseSiteConfig(site);
+  const perms = config.agentPermissions || {};
+  const restrictions = config.restrictions || {};
+  const features = config.features || {};
+
+  const enabledActions = Object.entries(perms)
+    .filter(([, v]) => v)
+    .map(([k]) => k);
+
+  const featureList = ['auto_discovery', 'noscript_fallback'];
+  if (features.advancedAnalytics) featureList.push('advanced_analytics');
+  if (features.realTimeUpdates) featureList.push('real_time_updates');
+  if (perms.apiAccess) featureList.push('api_access');
+
+  const dirEntry = db.prepare('SELECT * FROM wab_directory WHERE site_id = ?').get(site.id);
+  const neutralityScore = calculateNeutralityScore(site);
+
+  return {
+    wab_version: WAB_VERSION,
+    generated_at: new Date().toISOString(),
+    provider: {
+      name: site.name,
+      domain: site.domain,
+      category: (dirEntry && dirEntry.category) || config.category || 'general',
+      description: site.description || ''
+    },
+    capabilities: {
+      commands: enabledActions,
+      permissions: perms,
+      tier: site.tier,
+      transport: ['js_global', 'http', 'websocket'],
+      features: featureList
+    },
+    agent_access: {
+      bridge_script: '/script/ai-agent-bridge.js',
+      api_base: '/api/license',
+      websocket: '/ws/analytics',
+      noscript: '/api/noscript',
+      discovery: '/api/discovery'
+    },
+    fairness: {
+      is_independent: dirEntry ? !!dirEntry.is_independent : false,
+      commission_rate: dirEntry ? dirEntry.commission_rate : 0,
+      direct_benefit: dirEntry ? (dirEntry.direct_benefit || '') : '',
+      neutrality_score: neutralityScore
+    },
+    security: {
+      session_required: true,
+      origin_validation: true,
+      rate_limit: (restrictions.rateLimit && restrictions.rateLimit.maxCallsPerMinute) || 60,
+      sandbox: true
+    },
+    endpoints: {
+      token_exchange: '/api/license/token',
+      verify: '/api/license/verify',
+      track: '/api/license/track',
+      actions: `/api/discovery/${site.id}`,
+      bridge_page: `/api/noscript/bridge/${site.id}`
+    }
+  };
+}
+
+// ═════════════════════════════════════════════════════════════════════
+// 1. GET /.well-known/wab.json — Standard discovery location
+// ═════════════════════════════════════════════════════════════════════
+
+router.get('/.well-known/wab.json', (req, res) => {
+  try {
+    const domain = getRequestDomain(req);
+    const site = findSiteByDomain(domain);
+
+    if (!site) {
+      return res.status(404).json({
+        error: 'No WAB-enabled site found for this domain',
+        domain,
+        hint: 'Register your site at /dashboard to enable WAB discovery'
+      });
+    }
+
+    const doc = buildDiscoveryDocument(site);
+    res.set('Cache-Control', 'public, max-age=300');
+    res.set('X-WAB-Version', WAB_VERSION);
+    res.json(doc);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to generate discovery document' });
+  }
+});
+
+// ═════════════════════════════════════════════════════════════════════
+// 2. GET /agent-bridge.json — Alternative discovery location
+// ═════════════════════════════════════════════════════════════════════
+
+router.get('/agent-bridge.json', (req, res) => {
+  try {
+    const domain = getRequestDomain(req);
+    const site = findSiteByDomain(domain);
+
+    if (!site) {
+      return res.status(404).json({
+        error: 'No WAB-enabled site found for this domain',
+        domain,
+        hint: 'Register your site at /dashboard to enable WAB discovery'
+      });
+    }
+
+    const doc = buildDiscoveryDocument(site);
+    res.set('Cache-Control', 'public, max-age=300');
+    res.set('X-WAB-Version', WAB_VERSION);
+    res.json(doc);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to generate discovery document' });
+  }
+});
+
+// ═════════════════════════════════════════════════════════════════════
+// 3. GET /api/discovery/registry — Public registry with fairness scoring
+//    (defined BEFORE :siteId to avoid route shadowing)
+// ═════════════════════════════════════════════════════════════════════
+
+router.get('/api/discovery/registry', (req, res) => {
+  try {
+    const category = req.query.category || 'all';
+    const limit = Math.min(parseInt(req.query.limit) || 50, 200);
+    const offset = parseInt(req.query.offset) || 0;
+
+    const listings = getDirectoryListings(category, { limit, offset });
+
+    const registry = listings.map(entry => ({
+      siteId: entry.id,
+      name: entry.name,
+      domain: entry.domain,
+      description: entry.description || '',
+      category: entry.category || 'general',
+      tier: entry.tier,
+      neutrality_score: entry.neutrality_score || 0,
+      is_independent: !!entry.is_independent,
+      tags: safeParseTags(entry.tags),
+      discovery_url: `/api/discovery/${entry.id}`
+    }));
+
+    res.json({
+      wab_version: WAB_VERSION,
+      total: registry.length,
+      category,
+      listings: registry
+    });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to fetch registry' });
+  }
+});
+
+// ═════════════════════════════════════════════════════════════════════
+// 4. POST /api/discovery/register — Register site in WAB directory
+// ═════════════════════════════════════════════════════════════════════
+
+router.post('/api/discovery/register', authenticateToken, (req, res) => {
+  try {
+    const { siteId, category, tags, is_independent, commission_rate, direct_benefit, trust_signature } = req.body;
+
+    if (!siteId) {
+      return res.status(400).json({ error: 'siteId is required' });
+    }
+
+    const site = findSiteById.get(siteId);
+    if (!site) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    if (site.user_id !== req.user.id) {
+      return res.status(403).json({ error: 'You do not own this site' });
+    }
+
+    const result = registerInDirectory(siteId, {
+      category,
+      tags,
+      is_independent,
+      commission_rate,
+      direct_benefit,
+      trust_signature
+    });
+
+    if (!result.success) {
+      return res.status(400).json({ error: result.error });
+    }
+
+    const report = generateFairnessReport(siteId);
+
+    res.status(201).json({
+      success: true,
+      registration: result,
+      fairness_report: report
+    });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to register site' });
+  }
+});
+
+// ═════════════════════════════════════════════════════════════════════
+// 5. GET /api/discovery/search — Search WAB sites (fairness-weighted)
+// ═════════════════════════════════════════════════════════════════════
+
+router.get('/api/discovery/search', (req, res) => {
+  try {
+    const query = req.query.q || '';
+    const category = req.query.category || null;
+    const limit = Math.min(parseInt(req.query.limit) || 20, 100);
+
+    let sql = `
+      SELECT s.*, d.category, d.tags, d.is_independent, d.commission_rate,
+             d.direct_benefit, d.neutrality_score, d.trust_signature
+      FROM wab_directory d
+      JOIN sites s ON d.site_id = s.id AND s.active = 1
+      WHERE d.listed = 1
+    `;
+    const params = [];
+
+    if (category) {
+      sql += ' AND d.category = ?';
+      params.push(category);
+    }
+
+    sql += ' ORDER BY d.neutrality_score DESC LIMIT ?';
+    params.push(limit * 3);
+
+    const candidates = db.prepare(sql).all(...params);
+    const results = fairnessWeightedSearch(query, candidates).slice(0, limit);
+
+    res.json({
+      wab_version: WAB_VERSION,
+      query,
+      total: results.length,
+      results: results.map(r => ({
+        siteId: r.id,
+        name: r.name,
+        domain: r.domain,
+        description: r.description || '',
+        category: r.category || 'general',
+        tier: r.tier,
+        neutrality_score: r._neutralityScore,
+        is_independent: r._isIndependent,
+        relevance_score: r._relevance,
+        fairness_boost: r._fairnessBoost,
+        final_score: r._finalScore,
+        tags: safeParseTags(r.tags),
+        discovery_url: `/api/discovery/${r.id}`
+      }))
+    });
+  } catch (err) {
+    res.status(500).json({ error: 'Search failed' });
+  }
+});
+
+// ═════════════════════════════════════════════════════════════════════
+// 6. GET /api/discovery/:siteId — Discovery doc for a specific site
+//    (defined AFTER named routes to prevent shadowing)
+// ═════════════════════════════════════════════════════════════════════
+
+router.get('/api/discovery/:siteId', (req, res) => {
+  try {
+    const site = findSiteById.get(req.params.siteId);
+    if (!site || !site.active) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+
+    const doc = buildDiscoveryDocument(site);
+    res.set('Cache-Control', 'public, max-age=300');
+    res.set('X-WAB-Version', WAB_VERSION);
+    res.json(doc);
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to generate discovery document' });
+  }
+});
+
+// ─── Utility ─────────────────────────────────────────────────────────
+
+function safeParseTags(tags) {
+  if (Array.isArray(tags)) return tags;
+  try { return JSON.parse(tags || '[]'); } catch (_) { return []; }
+}
+
+module.exports = router;

package/server/routes/license.js

@@ -1,31 +1,221 @@
 const express = require('express');
+const crypto = require('crypto');
 const router = express.Router();
-const { verifyLicense, recordAnalytic, findSiteByLicense } = require('../models/db');
+const {
+  verifyLicense,
+  recordAnalytic,
+  findSiteByLicense,
+  findSiteById,
+  db
+} = require('../models/db');
 const { broadcastAnalytic } = require('../ws');
+const { cache, AnalyticsQueue } = require('../utils/cache');
+const { licenseTokenLimiter, licenseTrackLimiter } = require('../middleware/rateLimits');
 
+const analyticsQueue = new AnalyticsQueue(db, { maxSize: 50, maxBufferTotal: 5000 });
+
+// ─── Session Token Store (in-memory, TTL 1 hour) ────────────────────
+const sessionTokens = new Map();
+const SESSION_TTL = 60 * 60 * 1000;
+
+setInterval(() => {
+  const now = Date.now();
+  for (const [token, data] of sessionTokens) {
+    if (now > data.expiresAt) sessionTokens.delete(token);
+  }
+}, 5 * 60 * 1000);
+
+function normalizeHost(host) {
+  if (!host) return '';
+  let h = String(host).toLowerCase().trim();
+  if (h.startsWith('www.')) h = h.slice(4);
+  return h;
+}
+
+function getRequestHostname(req) {
+  const origin = req.get('origin') || req.get('referer');
+  try {
+    return origin ? new URL(origin).hostname : req.hostname;
+  } catch {
+    return req.hostname;
+  }
+}
+
+function allowDevInsecureOrigin(hostname) {
+  if (process.env.NODE_ENV === 'production') return false;
+  if (process.env.ALLOW_INSECURE_LICENSE_ORIGIN !== 'true') return false;
+  const n = normalizeHost(hostname);
+  return n === 'localhost' || n === '127.0.0.1' || n === '[::1]';
+}
+
+// ─── Verify (domain + license OR session + siteId) ─────────────────
 router.post('/verify', (req, res) => {
-  const { domain, licenseKey } = req.body;
+  const { domain, licenseKey, siteId, sessionToken } = req.body;
+
+  if (sessionToken && siteId) {
+    const session = sessionTokens.get(sessionToken);
+    if (!session || Date.now() > session.expiresAt) {
+      sessionTokens.delete(sessionToken);
+      return res.json({ valid: false, error: 'Session expired or invalid', tier: 'free' });
+    }
+    const requestDomain = getRequestHostname(req);
+    if (normalizeHost(requestDomain) !== normalizeHost(session.domain)) {
+      return res.json({ valid: false, error: 'Domain mismatch', tier: 'free' });
+    }
+    if (session.siteId !== siteId) {
+      return res.json({ valid: false, error: 'Invalid site', tier: 'free' });
+    }
+    return res.json({
+      valid: true,
+      tier: session.tier,
+      domain: session.domain,
+      allowedPermissions: session.permissions
+    });
+  }
 
   if (!domain || !licenseKey) {
-    return res.status(400).json({ valid: false, error: 'Domain and licenseKey are required', tier: 'free' });
+    return res.status(400).json({ valid: false, error: 'Domain and licenseKey are required (or sessionToken + siteId)', tier: 'free' });
   }
 
+  const cacheKey = `license:${domain}:${licenseKey}`;
+  const cached = cache.get(cacheKey);
+  if (cached) return res.json(cached);
+
   const result = verifyLicense(domain, licenseKey);
+  cache.set(cacheKey, result, 60000);
   res.json(result);
 });
 
-router.post('/track', (req, res) => {
-  const { licenseKey, actionName, agentId, triggerType, success, metadata } = req.body;
+// ─── Token exchange: siteId (preferred) or licenseKey (legacy) ─────
+router.post('/token', licenseTokenLimiter, (req, res) => {
+  const { licenseKey, siteId } = req.body;
+  const domain = getRequestHostname(req);
+  const normReq = normalizeHost(domain);
+
+  const finishSession = (site, result) => {
+    const sessionToken = crypto.randomBytes(32).toString('hex');
+    const expiresAt = Date.now() + SESSION_TTL;
+    sessionTokens.set(sessionToken, {
+      siteId: site.id,
+      domain: site.domain,
+      tier: result.tier,
+      permissions: result.allowedPermissions,
+      expiresAt
+    });
+    res.json({
+      sessionToken,
+      siteId: site.id,
+      tier: result.tier,
+      permissions: result.allowedPermissions,
+      expiresIn: SESSION_TTL / 1000
+    });
+  };
+
+  if (siteId && !licenseKey) {
+    const site = findSiteById.get(siteId);
+    if (!site || !site.active) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    const originOk =
+      normReq === normalizeHost(site.domain) ||
+      allowDevInsecureOrigin(domain);
+    if (!originOk) {
+      return res.status(403).json({ error: 'Origin does not match registered site domain' });
+    }
+    const cacheKey = `license:${site.domain}:${site.license_key}`;
+    let result = cache.get(cacheKey);
+    if (!result) {
+      result = verifyLicense(site.domain, site.license_key);
+      cache.set(cacheKey, result, 60000);
+    }
+    if (!result.valid) {
+      return res.status(403).json({ error: result.error || 'Invalid license', tier: 'free' });
+    }
+    return finishSession(site, result);
+  }
 
-  if (!licenseKey || !actionName) {
-    return res.status(400).json({ error: 'licenseKey and actionName are required' });
+  if (!licenseKey) {
+    return res.status(400).json({ error: 'siteId or licenseKey is required' });
   }
 
-  try {
-    const site = findSiteByLicense.get(licenseKey);
+  const cacheKey = `license:${domain}:${licenseKey}`;
+  let result = cache.get(cacheKey);
+  if (!result) {
+    result = verifyLicense(domain, licenseKey);
+    cache.set(cacheKey, result, 60000);
+  }
+  if (!result.valid) {
+    return res.status(403).json({ error: result.error || 'Invalid license', tier: 'free' });
+  }
+
+  const site = findSiteByLicense.get(licenseKey);
+  if (!site) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+
+  finishSession(site, result);
+});
+
+// ─── Validate Session Token ─────────────────────────────────────────
+router.post('/session', (req, res) => {
+  const { sessionToken } = req.body;
+  if (!sessionToken) {
+    return res.status(400).json({ valid: false, error: 'sessionToken required' });
+  }
+
+  const session = sessionTokens.get(sessionToken);
+  if (!session || Date.now() > session.expiresAt) {
+    sessionTokens.delete(sessionToken);
+    return res.status(401).json({ valid: false, error: 'Session expired or invalid' });
+  }
+
+  const requestDomain = getRequestHostname(req);
+  if (normalizeHost(requestDomain) !== normalizeHost(session.domain)) {
+    return res.status(403).json({ valid: false, error: 'Domain mismatch' });
+  }
+
+  res.json({
+    valid: true,
+    siteId: session.siteId,
+    tier: session.tier,
+    permissions: session.permissions
+  });
+});
+
+// ─── Analytics track (session-bound; licenseKey deprecated) ──────
+router.post('/track', licenseTrackLimiter, (req, res) => {
+  const { sessionToken, actionName, agentId, triggerType, success, metadata, licenseKey } = req.body;
+
+  if (!actionName) {
+    return res.status(400).json({ error: 'actionName is required' });
+  }
+
+  let site;
+  if (sessionToken) {
+    const session = sessionTokens.get(sessionToken);
+    if (!session || Date.now() > session.expiresAt) {
+      sessionTokens.delete(sessionToken);
+      return res.status(401).json({ error: 'Session expired or invalid' });
+    }
+    const requestDomain = getRequestHostname(req);
+    if (normalizeHost(requestDomain) !== normalizeHost(session.domain)) {
+      return res.status(403).json({ error: 'Origin does not match session domain' });
+    }
+    site = findSiteById.get(session.siteId);
+    if (!site || !site.active) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+  } else if (licenseKey && process.env.ALLOW_LEGACY_LICENSE_TRACK === 'true') {
+    site = findSiteByLicense.get(licenseKey);
     if (!site) return res.status(404).json({ error: 'Site not found' });
+  } else {
+    return res.status(400).json({
+      error: 'sessionToken is required. Obtain via POST /api/license/token (see installation snippet).'
+    });
+  }
 
-    recordAnalytic({
+  try {
+    analyticsQueue.push({
       siteId: site.id,
       actionName,
       agentId,
@@ -34,7 +224,6 @@ router.post('/track', (req, res) => {
       metadata
     });
 
-    // Broadcast real-time analytics via WebSocket
     broadcastAnalytic(site.id, {
       actionName,
       agentId,