web-agent-bridge 1.0.0 → 1.1.1

package/server/services/stripe.js

@@ -0,0 +1,192 @@
+/**
+ * Stripe Payment Integration Service
+ */
+
+const {
+  getPlatformSetting,
+  saveStripeCustomer,
+  getStripeCustomer,
+  saveStripeSubscription,
+  updateStripeSubscription,
+  getStripeSubscriptionBySubId,
+  savePayment,
+  updateSiteTier,
+  findSiteById
+} = require('../models/db');
+
+let stripe = null;
+
+function getStripe() {
+  if (stripe) return stripe;
+  const key = process.env.STRIPE_SECRET_KEY || getPlatformSetting('stripe_secret_key');
+  if (!key) return null;
+  stripe = require('stripe')(key);
+  return stripe;
+}
+
+function getStripePrices() {
+  return {
+    starter: process.env.STRIPE_PRICE_STARTER || getPlatformSetting('stripe_price_starter'),
+    pro: process.env.STRIPE_PRICE_PRO || getPlatformSetting('stripe_price_pro'),
+    enterprise: process.env.STRIPE_PRICE_ENTERPRISE || getPlatformSetting('stripe_price_enterprise')
+  };
+}
+
+async function createCheckoutSession({ userId, userEmail, siteId, tier }) {
+  const site = findSiteById.get(siteId);
+  if (!site || site.user_id !== userId) {
+    throw new Error('Site not found or access denied');
+  }
+
+  const s = getStripe();
+  if (!s) throw new Error('Stripe not configured');
+
+  const prices = getStripePrices();
+  const priceId = prices[tier];
+  if (!priceId) throw new Error(`No price configured for tier: ${tier}`);
+
+  // Get or create Stripe customer
+  let customer = getStripeCustomer(userId);
+  if (!customer) {
+    const stripeCustomer = await s.customers.create({ email: userEmail, metadata: { wab_user_id: userId } });
+    saveStripeCustomer(userId, stripeCustomer.id);
+    customer = { stripe_customer_id: stripeCustomer.id };
+  }
+
+  const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
+
+  const session = await s.checkout.sessions.create({
+    customer: customer.stripe_customer_id,
+    mode: 'subscription',
+    payment_method_types: ['card'],
+    line_items: [{ price: priceId, quantity: 1 }],
+    metadata: { wab_user_id: userId, wab_site_id: siteId, tier },
+    success_url: `${baseUrl}/dashboard?payment=success&session_id={CHECKOUT_SESSION_ID}`,
+    cancel_url: `${baseUrl}/dashboard?payment=cancelled`
+  });
+
+  return { sessionId: session.id, url: session.url };
+}
+
+async function createPortalSession(userId) {
+  const s = getStripe();
+  if (!s) throw new Error('Stripe not configured');
+
+  const customer = getStripeCustomer(userId);
+  if (!customer) throw new Error('No Stripe customer found');
+
+  const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
+
+  const session = await s.billingPortal.sessions.create({
+    customer: customer.stripe_customer_id,
+    return_url: `${baseUrl}/dashboard`
+  });
+
+  return { url: session.url };
+}
+
+function handleWebhookEvent(event) {
+  switch (event.type) {
+    case 'checkout.session.completed': {
+      const session = event.data.object;
+      const { wab_user_id, wab_site_id, tier } = session.metadata || {};
+      if (wab_user_id && wab_site_id && session.subscription) {
+        saveStripeSubscription({
+          userId: wab_user_id,
+          siteId: wab_site_id,
+          stripeSubId: session.subscription,
+          stripePriceId: null,
+          tier: tier || 'starter',
+          status: 'active',
+          periodStart: new Date().toISOString(),
+          periodEnd: null
+        });
+        updateSiteTier.run(tier || 'starter', wab_site_id, wab_user_id);
+      }
+      break;
+    }
+
+    case 'invoice.payment_succeeded': {
+      const invoice = event.data.object;
+      if (invoice.subscription) {
+        const sub = getStripeSubscriptionBySubId(invoice.subscription);
+        if (sub) {
+          savePayment({
+            userId: sub.user_id,
+            stripePaymentId: invoice.payment_intent,
+            amount: invoice.amount_paid,
+            currency: invoice.currency,
+            status: 'succeeded',
+            description: `Subscription payment - ${sub.tier}`
+          });
+          updateStripeSubscription(invoice.subscription, {
+            status: 'active',
+            periodStart: new Date(invoice.period_start * 1000).toISOString(),
+            periodEnd: new Date(invoice.period_end * 1000).toISOString()
+          });
+        }
+      }
+      break;
+    }
+
+    case 'customer.subscription.updated': {
+      const subscription = event.data.object;
+      updateStripeSubscription(subscription.id, {
+        status: subscription.status === 'active' ? 'active' : subscription.status === 'past_due' ? 'past_due' : subscription.status === 'trialing' ? 'trialing' : 'cancelled'
+      });
+      break;
+    }
+
+    case 'customer.subscription.deleted': {
+      const subscription = event.data.object;
+      const sub = getStripeSubscriptionBySubId(subscription.id);
+      if (sub) {
+        updateStripeSubscription(subscription.id, { status: 'cancelled' });
+        updateSiteTier.run('free', sub.site_id, sub.user_id);
+      }
+      break;
+    }
+
+    case 'invoice.payment_failed': {
+      const invoice = event.data.object;
+      if (invoice.subscription) {
+        updateStripeSubscription(invoice.subscription, { status: 'past_due' });
+      }
+      break;
+    }
+  }
+}
+
+function isStripeConfigured() {
+  const key = process.env.STRIPE_SECRET_KEY || getPlatformSetting('stripe_secret_key');
+  return !!key;
+}
+
+/**
+ * Express webhook handler: verifies Stripe signature, then dispatches business logic.
+ */
+function handleWebhookRequest(req) {
+  const sig = req.headers['stripe-signature'];
+  const raw = req.body;
+  const whSecret = process.env.STRIPE_WEBHOOK_SECRET || getPlatformSetting('stripe_webhook_secret');
+  if (!whSecret) {
+    throw new Error('Stripe webhook secret not configured (STRIPE_WEBHOOK_SECRET or platform stripe_webhook_secret)');
+  }
+  if (!sig) {
+    throw new Error('Missing Stripe-Signature header');
+  }
+  const s = getStripe();
+  if (!s) throw new Error('Stripe not configured');
+  const event = s.webhooks.constructEvent(raw, sig, whSecret);
+  handleWebhookEvent(event);
+}
+
+module.exports = {
+  getStripe,
+  createCheckoutSession,
+  createPortalSession,
+  handleWebhookEvent,
+  handleWebhookRequest,
+  isStripeConfigured,
+  getStripePrices
+};

package/server/utils/cache.js

@@ -0,0 +1,125 @@
+/**
+ * WAB Caching Layer — In-memory cache with TTL for hot data
+ * Reduces DB reads for license verification, config, and stats
+ */
+class Cache {
+  constructor(defaultTTL = 60000) {
+    this.store = new Map();
+    this.defaultTTL = defaultTTL;
+    this._interval = setInterval(() => this._cleanup(), 120000);
+  }
+
+  get(key) {
+    const entry = this.store.get(key);
+    if (!entry) return undefined;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(key);
+      return undefined;
+    }
+    entry.hits++;
+    return entry.value;
+  }
+
+  set(key, value, ttl) {
+    this.store.set(key, {
+      value,
+      expiresAt: Date.now() + (ttl || this.defaultTTL),
+      hits: 0
+    });
+  }
+
+  del(key) {
+    this.store.delete(key);
+  }
+
+  invalidatePattern(pattern) {
+    for (const key of this.store.keys()) {
+      if (key.includes(pattern)) this.store.delete(key);
+    }
+  }
+
+  stats() {
+    return {
+      size: this.store.size,
+      keys: Array.from(this.store.keys())
+    };
+  }
+
+  _cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.store) {
+      if (now > entry.expiresAt) this.store.delete(key);
+    }
+  }
+
+  destroy() {
+    clearInterval(this._interval);
+    this.store.clear();
+  }
+}
+
+/**
+ * Analytics Queue — Batches analytics inserts for better write performance
+ * Flushes every N seconds or when buffer reaches max size.
+ * maxBufferTotal caps memory if DB writes fail repeatedly (DoS mitigation).
+ */
+class AnalyticsQueue {
+  constructor(db, options = {}) {
+    this.db = db;
+    this.buffer = [];
+    this.maxSize = options.maxSize || 50;
+    this.maxBufferTotal = options.maxBufferTotal || 5000;
+    this.flushInterval = options.flushInterval || 5000;
+    this._timer = setInterval(() => this.flush(), this.flushInterval);
+  }
+
+  push(analytic) {
+    while (this.buffer.length >= this.maxBufferTotal) {
+      this.buffer.shift();
+      console.warn('[WAB] Analytics buffer at cap; dropped oldest event');
+    }
+    this.buffer.push(analytic);
+    if (this.buffer.length >= this.maxSize) {
+      this.flush();
+    }
+  }
+
+  flush() {
+    if (this.buffer.length === 0) return;
+    const batch = this.buffer.splice(0);
+
+    try {
+      const insert = this.db.prepare(
+        `INSERT INTO analytics (site_id, action_name, agent_id, trigger_type, success, metadata) VALUES (?, ?, ?, ?, ?, ?)`
+      );
+      const insertMany = this.db.transaction((items) => {
+        for (const item of items) {
+          insert.run(
+            item.siteId,
+            item.actionName,
+            item.agentId || null,
+            item.triggerType || null,
+            item.success ? 1 : 0,
+            JSON.stringify(item.metadata || {})
+          );
+        }
+      });
+      insertMany(batch);
+    } catch (err) {
+      console.error('[WAB Cache] Analytics batch insert failed:', err.message);
+      while (this.buffer.length + batch.length > this.maxBufferTotal) {
+        batch.shift();
+      }
+      this.buffer.unshift(...batch);
+    }
+  }
+
+  destroy() {
+    clearInterval(this._timer);
+    this.flush();
+  }
+}
+
+const cache = new Cache(60000);
+
+module.exports = { Cache, AnalyticsQueue, cache };

package/server/utils/migrate.js

@@ -0,0 +1,81 @@
+/**
+ * Database Migration Runner
+ * Tracks and applies SQL migrations from server/migrations/ in order.
+ * Uses a `_migrations` table to record applied migrations.
+ */
+const Database = require('better-sqlite3');
+const path = require('path');
+const fs = require('fs');
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : path.join(__dirname, '..', '..', 'data');
+if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
+
+const dbFile = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const db = new Database(path.join(DATA_DIR, dbFile));
+
+// Ensure migrations tracking table exists
+db.exec(`
+  CREATE TABLE IF NOT EXISTS _migrations (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL,
+    applied_at TEXT DEFAULT (datetime('now'))
+  );
+`);
+
+const MIGRATIONS_DIR = path.join(__dirname, '..', 'migrations');
+
+function getAppliedMigrations() {
+  return new Set(
+    db.prepare('SELECT name FROM _migrations ORDER BY id').all().map(r => r.name)
+  );
+}
+
+function runMigrations() {
+  if (!fs.existsSync(MIGRATIONS_DIR)) {
+    console.log('No migrations directory found.');
+    return;
+  }
+
+  const files = fs.readdirSync(MIGRATIONS_DIR)
+    .filter(f => f.endsWith('.sql'))
+    .sort();
+
+  const applied = getAppliedMigrations();
+  let count = 0;
+
+  const applyMigration = db.transaction((name, sql) => {
+    db.exec(sql);
+    db.prepare('INSERT INTO _migrations (name) VALUES (?)').run(name);
+  });
+
+  for (const file of files) {
+    if (applied.has(file)) continue;
+
+    const sql = fs.readFileSync(path.join(MIGRATIONS_DIR, file), 'utf8');
+    try {
+      applyMigration(file, sql);
+      console.log(`  ✅ Migration applied: ${file}`);
+      count++;
+    } catch (err) {
+      console.error(`  ❌ Migration failed: ${file} — ${err.message}`);
+      process.exit(1);
+    }
+  }
+
+  if (count === 0) {
+    console.log('  All migrations up to date.');
+  } else {
+    console.log(`  ${count} migration(s) applied.`);
+  }
+}
+
+// Run when called directly: node server/utils/migrate.js
+if (require.main === module) {
+  console.log('Running database migrations...');
+  runMigrations();
+  db.close();
+}
+
+module.exports = { runMigrations };

package/server/utils/secureFields.js

@@ -0,0 +1,50 @@
+/**
+ * Optional AES-256-GCM encryption for sensitive DB fields (e.g. SMTP password).
+ * Set CREDENTIALS_ENCRYPTION_KEY (any long random string) to enable at-rest encryption.
+ */
+
+const crypto = require('crypto');
+
+const PREFIX = 'enc:v1:';
+
+function getKey() {
+  const raw = process.env.CREDENTIALS_ENCRYPTION_KEY;
+  if (!raw || String(raw).length < 8) return null;
+  return crypto.createHash('sha256').update(String(raw)).digest();
+}
+
+function encryptOptional(plain) {
+  if (plain == null || plain === '') return plain;
+  const key = getKey();
+  if (!key) return plain;
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const enc = Buffer.concat([cipher.update(String(plain), 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${PREFIX}${iv.toString('hex')}:${tag.toString('hex')}:${enc.toString('hex')}`;
+}
+
+function decryptOptional(stored) {
+  if (stored == null || stored === '') return stored;
+  if (typeof stored !== 'string' || !stored.startsWith(PREFIX)) return stored;
+  const key = getKey();
+  if (!key) {
+    console.warn('[WAB] CREDENTIALS_ENCRYPTION_KEY missing; cannot decrypt stored credential');
+    return null;
+  }
+  try {
+    const rest = stored.slice(PREFIX.length);
+    const [ivHex, tagHex, dataHex] = rest.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const tag = Buffer.from(tagHex, 'hex');
+    const data = Buffer.from(dataHex, 'hex');
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
+  } catch (e) {
+    console.error('[WAB] Decrypt failed:', e.message);
+    return null;
+  }
+}
+
+module.exports = { encryptOptional, decryptOptional };

package/server/ws.js

@@ -1,7 +1,6 @@
 const WebSocket = require('ws');
-const jwt = require('jsonwebtoken');
-
-const JWT_SECRET = process.env.JWT_SECRET || 'dev-secret-change-in-production';
+const { verifyUserToken, verifyAdminToken } = require('./config/secrets');
+const { findSiteById } = require('./models/db');
 
 // Map of siteId → Set of WebSocket clients
 const siteClients = new Map();
@@ -20,16 +19,39 @@ function setupWebSocket(server) {
         const msg = JSON.parse(data);
 
         if (msg.type === 'auth') {
-          // Authenticate via JWT token and subscribe to a site
-          const decoded = jwt.verify(msg.token, JWT_SECRET);
-          if (decoded && msg.siteId) {
-            authenticatedSiteId = msg.siteId;
-            if (!siteClients.has(msg.siteId)) {
-              siteClients.set(msg.siteId, new Set());
+          if (!msg.token || !msg.siteId) {
+            ws.send(JSON.stringify({ type: 'error', message: 'token and siteId required' }));
+            return;
+          }
+
+          let decoded;
+          let isAdmin = false;
+          try {
+            decoded = verifyUserToken(msg.token);
+          } catch {
+            try {
+              decoded = verifyAdminToken(msg.token);
+              isAdmin = decoded.isAdmin === true;
+            } catch {
+              ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
+              return;
+            }
+          }
+
+          if (!isAdmin) {
+            const site = findSiteById.get(msg.siteId);
+            if (!site || site.user_id !== decoded.id) {
+              ws.send(JSON.stringify({ type: 'error', message: 'Forbidden: not your site' }));
+              return;
             }
-            siteClients.get(msg.siteId).add(ws);
-            ws.send(JSON.stringify({ type: 'auth:success', siteId: msg.siteId }));
           }
+
+          authenticatedSiteId = msg.siteId;
+          if (!siteClients.has(msg.siteId)) {
+            siteClients.set(msg.siteId, new Set());
+          }
+          siteClients.get(msg.siteId).add(ws);
+          ws.send(JSON.stringify({ type: 'auth:success', siteId: msg.siteId }));
         }
       } catch (e) {
         ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
@@ -46,7 +68,6 @@ function setupWebSocket(server) {
     });
   });
 
-  // Heartbeat to clean up dead connections
   const interval = setInterval(() => {
     wss.clients.forEach((ws) => {
       if (!ws.isAlive) return ws.terminate();
@@ -60,7 +81,6 @@ function setupWebSocket(server) {
   return wss;
 }
 
-// Broadcast an analytics event to all clients watching a specific site
 function broadcastAnalytic(siteId, eventData) {
   const clients = siteClients.get(siteId);
   if (!clients || clients.size === 0) return;

package/wab-mcp-adapter/README.md

@@ -0,0 +1,136 @@
+# WAB-MCP Adapter
+
+**MCP adapter for Web Agent Bridge** — exposes every capability of a WAB-enabled website as a set of [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) tools so that any MCP-compatible AI agent (Claude, GPT, Gemini, open-source LLMs, etc.) can discover, read, and interact with the site through a single, standardised interface.
+
+## Quick Start
+
+```js
+const { WABMCPAdapter } = require('wab-mcp-adapter');
+
+const adapter = new WABMCPAdapter({
+  siteUrl: 'https://example.com',
+  transport: 'http',       // 'http' | 'websocket' | 'direct'
+  apiKey: 'sk-optional',   // optional API key
+});
+
+// 1. Discover site capabilities
+const doc = await adapter.discover();
+
+// 2. Get MCP tool definitions for the AI agent
+const tools = await adapter.getTools();
+
+// 3. Execute a tool call
+const result = await adapter.executeTool('wab_execute_action', {
+  name: 'signup',
+  params: { email: 'user@example.com' },
+});
+
+// 4. Clean up
+adapter.close();
+```
+
+## API Reference
+
+### `new WABMCPAdapter(options)`
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `siteUrl` | `string` | — | Target WAB site URL (required for `http` transport) |
+| `siteId` | `string` | `null` | WAB site identifier |
+| `apiKey` | `string` | `null` | API key for authenticated requests |
+| `transport` | `string` | `'http'` | Transport type: `http`, `websocket`, or `direct` |
+| `registryUrl` | `string` | `https://webagentbridge.com` | WAB fairness registry URL |
+| `page` | `object` | — | Puppeteer/Playwright page (required for `direct`) |
+| `wsUrl` | `string` | auto | WebSocket URL (required for `websocket` if no `siteUrl`) |
+| `timeout` | `number` | `15000` | Request timeout in milliseconds |
+
+### Methods
+
+| Method | Returns | Description |
+|---|---|---|
+| `discover(url?)` | `Promise<object>` | Fetch the WAB discovery document |
+| `getTools()` | `Promise<object[]>` | Return MCP tool definitions (built-in + site-specific) |
+| `executeTool(name, input)` | `Promise<object>` | Execute an MCP tool call |
+| `close()` | `void` | Release transport resources |
+
+## Built-in Tools
+
+These tools are always available, regardless of which site actions are discovered:
+
+| Tool | Description |
+|---|---|
+| `wab_discover` | Fetch the WAB discovery document from a site |
+| `wab_get_actions` | List available actions, optionally filtered by category |
+| `wab_execute_action` | Execute any WAB action by name and params |
+| `wab_read_content` | Read page element text by CSS selector |
+| `wab_get_page_info` | Return page metadata and bridge configuration |
+| `wab_fairness_search` | Search the WAB registry with fairness-weighted results |
+| `wab_authenticate` | Authenticate with the site using an API key |
+
+Site-specific actions are exposed as additional tools named `wab_<action_name>` and are generated automatically from the discovery document.
+
+## Transport Options
+
+| Transport | When to use | Requirements |
+|---|---|---|
+| **http** | Server-to-server or CLI tools calling a WAB site over REST | `siteUrl` |
+| **websocket** | Real-time bidirectional communication with low latency | `wsUrl` or `siteUrl` |
+| **direct** | In-browser automation with Puppeteer/Playwright | `page` object |
+
+## Fairness Protocol
+
+The WAB discovery registry uses a **fairness-weighted ranking** algorithm that prevents large, high-traffic sites from monopolising search results. When you call `wab_fairness_search`, the registry applies:
+
+- **Inverse-popularity weighting** — smaller sites receive a ranking boost.
+- **Recency bonus** — newly registered or recently updated sites surface sooner.
+- **Category balancing** — results are distributed across categories to avoid domination by a single vertical.
+
+This ensures a level playing field so every WAB-enabled site has equitable visibility to AI agents.
+
+## Integration with Claude / MCP
+
+Pass the tools returned by `getTools()` as the `tools` parameter when calling the Anthropic Messages API and route any `tool_use` blocks back through `executeTool`:
+
+```js
+const Anthropic = require('@anthropic-ai/sdk');
+const { WABMCPAdapter } = require('wab-mcp-adapter');
+
+const client = new Anthropic();
+const adapter = new WABMCPAdapter({ siteUrl: 'https://shop.example.com' });
+const tools = await adapter.getTools();
+
+let messages = [{ role: 'user', content: 'Find the signup form and register me.' }];
+
+while (true) {
+  const res = await client.messages.create({
+    model: 'claude-sonnet-4-20250514',
+    max_tokens: 1024,
+    tools,
+    messages,
+  });
+
+  if (res.stop_reason === 'end_turn') break;
+
+  const toolBlocks = res.content.filter((b) => b.type === 'tool_use');
+  if (!toolBlocks.length) break;
+
+  messages.push({ role: 'assistant', content: res.content });
+
+  const toolResults = [];
+  for (const block of toolBlocks) {
+    const result = await adapter.executeTool(block.name, block.input);
+    toolResults.push({
+      type: 'tool_result',
+      tool_use_id: block.id,
+      content: JSON.stringify(result.content),
+    });
+  }
+  messages.push({ role: 'user', content: toolResults });
+}
+
+adapter.close();
+```
+
+## License
+
+MIT — see [LICENSE](../LICENSE).