web-agent-bridge 1.2.0 → 2.0.0

package/server/services/premium.js

@@ -0,0 +1,1883 @@
+const { db } = require('../models/db');
+const { v4: uuidv4 } = require('uuid');
+const crypto = require('crypto');
+const bcrypt = require('bcryptjs');
+const path = require('path');
+const fs = require('fs');
+const http = require('http');
+const https = require('https');
+const { URL } = require('url');
+
+// ═══════════════════════════════════════════════════════════════════════
+// 1. Agent Traffic Intelligence
+// ═══════════════════════════════════════════════════════════════════════
+
+const BOT_PATTERNS = [
+  { pattern: /googlebot/i, name: 'Googlebot', platform: 'Google', type: 'friendly' },
+  { pattern: /bingbot/i, name: 'Bingbot', platform: 'Microsoft', type: 'friendly' },
+  { pattern: /yandexbot/i, name: 'YandexBot', platform: 'Yandex', type: 'friendly' },
+  { pattern: /baiduspider/i, name: 'Baiduspider', platform: 'Baidu', type: 'friendly' },
+  { pattern: /duckduckbot/i, name: 'DuckDuckBot', platform: 'DuckDuckGo', type: 'friendly' },
+  { pattern: /slurp/i, name: 'Slurp', platform: 'Yahoo', type: 'friendly' },
+  { pattern: /facebot|facebookexternalhit/i, name: 'Facebot', platform: 'Meta', type: 'friendly' },
+  { pattern: /twitterbot/i, name: 'Twitterbot', platform: 'Twitter/X', type: 'friendly' },
+  { pattern: /linkedinbot/i, name: 'LinkedInBot', platform: 'LinkedIn', type: 'friendly' },
+  { pattern: /applebot/i, name: 'Applebot', platform: 'Apple', type: 'friendly' },
+  { pattern: /gptbot/i, name: 'GPTBot', platform: 'OpenAI', type: 'friendly' },
+  { pattern: /chatgpt-user/i, name: 'ChatGPT-User', platform: 'OpenAI', type: 'friendly' },
+  { pattern: /oai-searchbot/i, name: 'OAI-SearchBot', platform: 'OpenAI', type: 'friendly' },
+  { pattern: /claude-web/i, name: 'Claude-Web', platform: 'Anthropic', type: 'friendly' },
+  { pattern: /claudebot/i, name: 'ClaudeBot', platform: 'Anthropic', type: 'friendly' },
+  { pattern: /anthropic-ai/i, name: 'Anthropic-AI', platform: 'Anthropic', type: 'friendly' },
+  { pattern: /cohere-ai/i, name: 'Cohere-AI', platform: 'Cohere', type: 'friendly' },
+  { pattern: /perplexitybot/i, name: 'PerplexityBot', platform: 'Perplexity', type: 'friendly' },
+  { pattern: /gemini/i, name: 'Gemini', platform: 'Google', type: 'friendly' },
+  { pattern: /petalbot/i, name: 'PetalBot', platform: 'Huawei', type: 'friendly' },
+  { pattern: /semrushbot/i, name: 'SemrushBot', platform: 'Semrush', type: 'suspicious' },
+  { pattern: /ahrefsbot/i, name: 'AhrefsBot', platform: 'Ahrefs', type: 'suspicious' },
+  { pattern: /mj12bot/i, name: 'MJ12Bot', platform: 'Majestic', type: 'suspicious' },
+  { pattern: /dotbot/i, name: 'DotBot', platform: 'Moz', type: 'suspicious' },
+  { pattern: /scrapy/i, name: 'Scrapy', platform: 'Unknown', type: 'aggressive' },
+  { pattern: /httpclient/i, name: 'HTTPClient', platform: 'Unknown', type: 'suspicious' },
+  { pattern: /python-requests/i, name: 'Python-Requests', platform: 'Python', type: 'suspicious' },
+  { pattern: /curl\//i, name: 'cURL', platform: 'CLI', type: 'suspicious' },
+  { pattern: /wget\//i, name: 'Wget', platform: 'CLI', type: 'suspicious' },
+  { pattern: /go-http-client/i, name: 'Go-HTTP-Client', platform: 'Go', type: 'suspicious' },
+  { pattern: /java\//i, name: 'Java-HTTP', platform: 'Java', type: 'suspicious' },
+  { pattern: /headlesschrome/i, name: 'HeadlessChrome', platform: 'Puppeteer', type: 'aggressive' },
+  { pattern: /phantomjs/i, name: 'PhantomJS', platform: 'PhantomJS', type: 'aggressive' },
+];
+
+function parseUserAgent(uaString) {
+  if (!uaString) return { agentName: 'Unknown', platform: 'Unknown', agentType: 'unknown' };
+
+  for (const bot of BOT_PATTERNS) {
+    if (bot.pattern.test(uaString)) {
+      return { agentName: bot.name, platform: bot.platform, agentType: bot.type };
+    }
+  }
+
+  let platform = 'Unknown';
+  if (/windows/i.test(uaString)) platform = 'Windows';
+  else if (/macintosh|mac os/i.test(uaString)) platform = 'macOS';
+  else if (/linux/i.test(uaString)) platform = 'Linux';
+  else if (/android/i.test(uaString)) platform = 'Android';
+  else if (/iphone|ipad/i.test(uaString)) platform = 'iOS';
+
+  let agentName = 'Browser';
+  if (/chrome/i.test(uaString) && !/edge|opr/i.test(uaString)) agentName = 'Chrome';
+  else if (/firefox/i.test(uaString)) agentName = 'Firefox';
+  else if (/safari/i.test(uaString) && !/chrome/i.test(uaString)) agentName = 'Safari';
+  else if (/edg/i.test(uaString)) agentName = 'Edge';
+  else if (/opr|opera/i.test(uaString)) agentName = 'Opera';
+
+  return { agentName, platform, agentType: 'unknown' };
+}
+
+function hashIP(ip) {
+  return crypto.createHash('sha256').update(ip + (process.env.IP_SALT || 'wab-salt')).digest('hex').substring(0, 16);
+}
+
+function recordAgentVisit(siteId, { userAgent, ip, country }) {
+  const { agentName, platform, agentType } = parseUserAgent(userAgent);
+  const ipHash = hashIP(ip || '0.0.0.0');
+
+  const existing = db.prepare(
+    `SELECT id, total_requests FROM agent_profiles WHERE site_id = ? AND agent_signature = ? AND ip_hash = ?`
+  ).get(siteId, agentName, ipHash);
+
+  if (existing) {
+    db.prepare(
+      `UPDATE agent_profiles SET total_requests = total_requests + 1, last_seen = datetime('now'), country = COALESCE(?, country), platform = COALESCE(?, platform) WHERE id = ?`
+    ).run(country || null, platform, existing.id);
+    return { id: existing.id, new: false };
+  }
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO agent_profiles (id, site_id, agent_signature, agent_type, platform, country, ip_hash, last_seen, total_requests) VALUES (?, ?, ?, ?, ?, ?, ?, datetime('now'), 1)`
+  ).run(id, siteId, agentName, agentType, platform, country || null, ipHash);
+  return { id, new: true };
+}
+
+function getAgentProfiles(siteId, { limit = 50, offset = 0, type } = {}) {
+  if (type) {
+    return db.prepare(
+      `SELECT * FROM agent_profiles WHERE site_id = ? AND agent_type = ? ORDER BY last_seen DESC LIMIT ? OFFSET ?`
+    ).all(siteId, type, limit, offset);
+  }
+  return db.prepare(
+    `SELECT * FROM agent_profiles WHERE site_id = ? ORDER BY last_seen DESC LIMIT ? OFFSET ?`
+  ).all(siteId, limit, offset);
+}
+
+function getAnomalyAlerts(siteId, { limit = 50, acknowledged } = {}) {
+  if (acknowledged !== undefined) {
+    return db.prepare(
+      `SELECT * FROM anomaly_alerts WHERE site_id = ? AND acknowledged = ? ORDER BY created_at DESC LIMIT ?`
+    ).all(siteId, acknowledged ? 1 : 0, limit);
+  }
+  return db.prepare(
+    `SELECT * FROM anomaly_alerts WHERE site_id = ? ORDER BY created_at DESC LIMIT ?`
+  ).all(siteId, limit);
+}
+
+function checkForAnomalies(siteId) {
+  const alerts = [];
+
+  const recentCount = db.prepare(
+    `SELECT COUNT(*) as c FROM agent_profiles WHERE site_id = ? AND last_seen >= datetime('now', '-1 minute')`
+  ).get(siteId).c;
+
+  if (recentCount > 1000) {
+    const id = db.prepare(
+      `INSERT INTO anomaly_alerts (site_id, alert_type, severity, message, metadata) VALUES (?, 'traffic_spike', 'high', ?, ?)`
+    ).run(siteId, `Traffic spike detected: ${recentCount} requests in the last minute`, JSON.stringify({ count: recentCount }));
+    alerts.push({ id: id.lastInsertRowid, type: 'traffic_spike', severity: 'high', count: recentCount });
+  }
+
+  const suspiciousAgents = db.prepare(
+    `SELECT agent_signature, COUNT(*) as c FROM agent_profiles WHERE site_id = ? AND agent_type IN ('aggressive', 'suspicious') AND first_seen >= datetime('now', '-1 hour') GROUP BY agent_signature HAVING c >= 5`
+  ).all(siteId);
+
+  for (const agent of suspiciousAgents) {
+    const alreadyAlerted = db.prepare(
+      `SELECT id FROM anomaly_alerts WHERE site_id = ? AND alert_type = 'suspicious_agent' AND message LIKE ? AND created_at >= datetime('now', '-1 hour')`
+    ).get(siteId, `%${agent.agent_signature}%`);
+
+    if (!alreadyAlerted) {
+      const res = db.prepare(
+        `INSERT INTO anomaly_alerts (site_id, alert_type, severity, message, metadata) VALUES (?, 'suspicious_agent', 'medium', ?, ?)`
+      ).run(siteId, `Suspicious agent activity: ${agent.agent_signature} (${agent.c} profiles in last hour)`, JSON.stringify({ agent: agent.agent_signature, count: agent.c }));
+      alerts.push({ id: res.lastInsertRowid, type: 'suspicious_agent', severity: 'medium', agent: agent.agent_signature });
+    }
+  }
+
+  const aggressiveCount = db.prepare(
+    `SELECT COUNT(*) as c FROM agent_profiles WHERE site_id = ? AND agent_type = 'aggressive' AND last_seen >= datetime('now', '-10 minutes')`
+  ).get(siteId).c;
+
+  if (aggressiveCount > 10) {
+    const res = db.prepare(
+      `INSERT INTO anomaly_alerts (site_id, alert_type, severity, message, metadata) VALUES (?, 'aggressive_swarm', 'critical', ?, ?)`
+    ).run(siteId, `Aggressive bot swarm: ${aggressiveCount} aggressive agents in last 10 minutes`, JSON.stringify({ count: aggressiveCount }));
+    alerts.push({ id: res.lastInsertRowid, type: 'aggressive_swarm', severity: 'critical', count: aggressiveCount });
+  }
+
+  return alerts;
+}
+
+function acknowledgeAlert(alertId, siteId) {
+  const result = db.prepare(
+    `UPDATE anomaly_alerts SET acknowledged = 1 WHERE id = ? AND site_id = ?`
+  ).run(alertId, siteId);
+  return result.changes > 0;
+}
+
+function getTrafficStats(siteId, days = 30) {
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+
+  const totalAgents = db.prepare(
+    `SELECT COUNT(*) as c FROM agent_profiles WHERE site_id = ? AND last_seen >= ?`
+  ).get(siteId, since).c;
+
+  const byType = db.prepare(
+    `SELECT agent_type, COUNT(*) as count, SUM(total_requests) as requests FROM agent_profiles WHERE site_id = ? AND last_seen >= ? GROUP BY agent_type`
+  ).all(siteId, since);
+
+  const byCountry = db.prepare(
+    `SELECT country, COUNT(*) as count FROM agent_profiles WHERE site_id = ? AND last_seen >= ? AND country IS NOT NULL GROUP BY country ORDER BY count DESC LIMIT 20`
+  ).all(siteId, since);
+
+  const byPlatform = db.prepare(
+    `SELECT platform, COUNT(*) as count FROM agent_profiles WHERE site_id = ? AND last_seen >= ? GROUP BY platform ORDER BY count DESC`
+  ).all(siteId, since);
+
+  const totalRequests = db.prepare(
+    `SELECT COALESCE(SUM(total_requests), 0) as c FROM agent_profiles WHERE site_id = ? AND last_seen >= ?`
+  ).get(siteId, since).c;
+
+  return { totalAgents, totalRequests, byType, byCountry, byPlatform };
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 2. Advanced Exploit Shield
+// ═══════════════════════════════════════════════════════════════════════
+
+function logSecurityEvent(siteId, { eventType, severity, agentSignature, ipHash, details }) {
+  const result = db.prepare(
+    `INSERT INTO security_events (site_id, event_type, severity, agent_signature, ip_hash, details) VALUES (?, ?, ?, ?, ?, ?)`
+  ).run(siteId, eventType, severity || 'medium', agentSignature || null, ipHash || null, JSON.stringify(details || {}));
+  return { id: result.lastInsertRowid };
+}
+
+function getSecurityEvents(siteId, { limit = 50, severity, since } = {}) {
+  const conditions = ['site_id = ?'];
+  const params = [siteId];
+
+  if (severity) {
+    conditions.push('severity = ?');
+    params.push(severity);
+  }
+  if (since) {
+    conditions.push('created_at >= ?');
+    params.push(since);
+  }
+
+  params.push(limit);
+  return db.prepare(
+    `SELECT * FROM security_events WHERE ${conditions.join(' AND ')} ORDER BY created_at DESC LIMIT ?`
+  ).all(...params);
+}
+
+function blockAgent(siteId, { agentSignature, reason, expiresAt }) {
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO blocked_agents (id, site_id, agent_signature, reason, expires_at) VALUES (?, ?, ?, ?, ?)`
+  ).run(id, siteId, agentSignature, reason || null, expiresAt || null);
+  return { id, agentSignature, reason };
+}
+
+function unblockAgent(blockId, siteId) {
+  const result = db.prepare(
+    `UPDATE blocked_agents SET active = 0 WHERE id = ? AND site_id = ?`
+  ).run(blockId, siteId);
+  return result.changes > 0;
+}
+
+function isAgentBlocked(siteId, agentSignature) {
+  const row = db.prepare(
+    `SELECT id FROM blocked_agents WHERE site_id = ? AND agent_signature = ? AND active = 1 AND (expires_at IS NULL OR expires_at > datetime('now'))`
+  ).get(siteId, agentSignature);
+  return !!row;
+}
+
+function getBlockedAgents(siteId) {
+  return db.prepare(
+    `SELECT * FROM blocked_agents WHERE site_id = ? AND active = 1 AND (expires_at IS NULL OR expires_at > datetime('now')) ORDER BY blocked_at DESC`
+  ).all(siteId);
+}
+
+function getSecurityReport(siteId, days = 30) {
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+
+  const eventsByType = db.prepare(
+    `SELECT event_type, COUNT(*) as count FROM security_events WHERE site_id = ? AND created_at >= ? GROUP BY event_type ORDER BY count DESC`
+  ).all(siteId, since);
+
+  const severityDist = db.prepare(
+    `SELECT severity, COUNT(*) as count FROM security_events WHERE site_id = ? AND created_at >= ? GROUP BY severity`
+  ).all(siteId, since);
+
+  const topBlocked = db.prepare(
+    `SELECT agent_signature, COUNT(*) as count FROM blocked_agents WHERE site_id = ? AND blocked_at >= ? GROUP BY agent_signature ORDER BY count DESC LIMIT 10`
+  ).all(siteId, since);
+
+  const timeline = db.prepare(
+    `SELECT date(created_at) as day, COUNT(*) as count FROM security_events WHERE site_id = ? AND created_at >= ? GROUP BY day ORDER BY day`
+  ).all(siteId, since);
+
+  const totalEvents = db.prepare(
+    `SELECT COUNT(*) as c FROM security_events WHERE site_id = ? AND created_at >= ?`
+  ).get(siteId, since).c;
+
+  const activeBlocks = db.prepare(
+    `SELECT COUNT(*) as c FROM blocked_agents WHERE site_id = ? AND active = 1`
+  ).get(siteId).c;
+
+  return { totalEvents, activeBlocks, eventsByType, severityDist, topBlocked, timeline };
+}
+
+const INJECTION_PATTERNS = [
+  /[;|`$]/, /\.\.\//,
+  /<script/i, /javascript:/i, /on\w+\s*=/i,
+  /select\s+.+\s+from\s/i, /union\s+select/i, /drop\s+table/i,
+  /insert\s+into/i, /delete\s+from/i, /update\s+\w+\s+set/i, /alter\s+table/i,
+  /eval\s*\(/, /exec\s*\(/, /require\s*\(/, /import\s*\(/,
+];
+
+function autoDetectThreats(siteId, { ip, userAgent, action }) {
+  const ipHash = hashIP(ip || '0.0.0.0');
+  const { agentName } = parseUserAgent(userAgent);
+
+  if (isAgentBlocked(siteId, agentName)) {
+    return { blocked: true, reason: 'Agent is on the blocklist' };
+  }
+
+  if (action) {
+    for (const pat of INJECTION_PATTERNS) {
+      if (pat.test(action)) {
+        logSecurityEvent(siteId, {
+          eventType: 'injection_attempt',
+          severity: 'high',
+          agentSignature: agentName,
+          ipHash,
+          details: { action, pattern: pat.toString() },
+        });
+        return { blocked: true, reason: 'Potential injection attack detected in action' };
+      }
+    }
+  }
+
+  const recentFromIp = db.prepare(
+    `SELECT COUNT(*) as c FROM security_events WHERE site_id = ? AND ip_hash = ? AND created_at >= datetime('now', '-1 minute')`
+  ).get(siteId, ipHash).c;
+
+  if (recentFromIp > 100) {
+    logSecurityEvent(siteId, {
+      eventType: 'rate_limit_exceeded',
+      severity: 'high',
+      agentSignature: agentName,
+      ipHash,
+      details: { requestsPerMinute: recentFromIp },
+    });
+    return { blocked: true, reason: 'Rate limit exceeded from this IP' };
+  }
+
+  return { blocked: false, reason: null };
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 3. Smart Actions Library
+// ═══════════════════════════════════════════════════════════════════════
+
+function getActionPacks({ platform, tierRequired } = {}) {
+  const conditions = [];
+  const params = [];
+
+  if (platform) {
+    conditions.push('platform = ?');
+    params.push(platform);
+  }
+  if (tierRequired) {
+    conditions.push('tier_required = ?');
+    params.push(tierRequired);
+  }
+
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+  return db.prepare(
+    `SELECT * FROM action_packs ${where} ORDER BY name`
+  ).all(...params);
+}
+
+function getActionPack(packId) {
+  return db.prepare(`SELECT * FROM action_packs WHERE id = ?`).get(packId) || null;
+}
+
+function installPack(siteId, packId, config = {}) {
+  const existing = db.prepare(
+    `SELECT id FROM installed_packs WHERE site_id = ? AND pack_id = ?`
+  ).get(siteId, packId);
+
+  if (existing) {
+    db.prepare(`UPDATE installed_packs SET config = ? WHERE id = ?`).run(JSON.stringify(config), existing.id);
+    return { id: existing.id, updated: true };
+  }
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO installed_packs (id, site_id, pack_id, config) VALUES (?, ?, ?, ?)`
+  ).run(id, siteId, packId, JSON.stringify(config));
+  return { id, updated: false };
+}
+
+function uninstallPack(installId, siteId) {
+  const result = db.prepare(
+    `DELETE FROM installed_packs WHERE id = ? AND site_id = ?`
+  ).run(installId, siteId);
+  return result.changes > 0;
+}
+
+function getInstalledPacks(siteId) {
+  return db.prepare(
+    `SELECT ip.*, ap.name, ap.platform, ap.description, ap.version, ap.icon, ap.tier_required FROM installed_packs ip JOIN action_packs ap ON ip.pack_id = ap.id WHERE ip.site_id = ? ORDER BY ip.installed_at DESC`
+  ).all(siteId);
+}
+
+function getPackActions(packId) {
+  const pack = db.prepare(`SELECT actions_json FROM action_packs WHERE id = ?`).get(packId);
+  if (!pack) return null;
+  try {
+    return JSON.parse(pack.actions_json);
+  } catch {
+    return [];
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 4. Custom AI Agents
+// ═══════════════════════════════════════════════════════════════════════
+
+function parseSchedule(schedule) {
+  if (!schedule) return null;
+  const now = new Date();
+
+  const everyHoursMatch = schedule.match(/^every\s+(\d+)h$/i);
+  if (everyHoursMatch) {
+    const hours = parseInt(everyHoursMatch[1], 10);
+    return new Date(now.getTime() + hours * 3600000);
+  }
+
+  const everyMinMatch = schedule.match(/^every\s+(\d+)m$/i);
+  if (everyMinMatch) {
+    const mins = parseInt(everyMinMatch[1], 10);
+    return new Date(now.getTime() + mins * 60000);
+  }
+
+  const dailyMatch = schedule.match(/^daily\s+(\d{1,2}):(\d{2})$/i);
+  if (dailyMatch) {
+    const h = parseInt(dailyMatch[1], 10);
+    const m = parseInt(dailyMatch[2], 10);
+    const next = new Date(now);
+    next.setHours(h, m, 0, 0);
+    if (next <= now) next.setDate(next.getDate() + 1);
+    return next;
+  }
+
+  const weeklyMatch = schedule.match(/^weekly\s+(mon|tue|wed|thu|fri|sat|sun)\s+(\d{1,2}):(\d{2})$/i);
+  if (weeklyMatch) {
+    const dayMap = { sun: 0, mon: 1, tue: 2, wed: 3, thu: 4, fri: 5, sat: 6 };
+    const targetDay = dayMap[weeklyMatch[1].toLowerCase()];
+    const h = parseInt(weeklyMatch[2], 10);
+    const m = parseInt(weeklyMatch[3], 10);
+    const next = new Date(now);
+    next.setHours(h, m, 0, 0);
+    const currentDay = now.getDay();
+    let daysUntil = targetDay - currentDay;
+    if (daysUntil < 0 || (daysUntil === 0 && next <= now)) daysUntil += 7;
+    next.setDate(next.getDate() + daysUntil);
+    return next;
+  }
+
+  return null;
+}
+
+function createAgent(userId, siteId, { name, description, steps, schedule }) {
+  const id = uuidv4();
+  const nextRun = schedule ? parseSchedule(schedule) : null;
+  db.prepare(
+    `INSERT INTO custom_agents (id, user_id, site_id, name, description, steps_json, schedule, next_run) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+  ).run(id, userId, siteId, name, description || null, JSON.stringify(steps || []), schedule || null, nextRun ? nextRun.toISOString() : null);
+  return { id, name, description, schedule, next_run: nextRun ? nextRun.toISOString() : null };
+}
+
+function updateAgent(agentId, userId, updates) {
+  const fields = [];
+  const params = [];
+
+  if (updates.name !== undefined) { fields.push('name = ?'); params.push(updates.name); }
+  if (updates.description !== undefined) { fields.push('description = ?'); params.push(updates.description); }
+  if (updates.steps !== undefined) { fields.push('steps_json = ?'); params.push(JSON.stringify(updates.steps)); }
+  if (updates.schedule !== undefined) {
+    fields.push('schedule = ?');
+    params.push(updates.schedule);
+    const nextRun = parseSchedule(updates.schedule);
+    fields.push('next_run = ?');
+    params.push(nextRun ? nextRun.toISOString() : null);
+  }
+  if (updates.status !== undefined) { fields.push('status = ?'); params.push(updates.status); }
+
+  if (fields.length === 0) return false;
+  params.push(agentId, userId);
+  const result = db.prepare(
+    `UPDATE custom_agents SET ${fields.join(', ')} WHERE id = ? AND user_id = ?`
+  ).run(...params);
+  return result.changes > 0;
+}
+
+function deleteAgent(agentId, userId) {
+  const result = db.prepare(
+    `DELETE FROM custom_agents WHERE id = ? AND user_id = ?`
+  ).run(agentId, userId);
+  return result.changes > 0;
+}
+
+function getAgents(userId, siteId) {
+  if (siteId) {
+    return db.prepare(
+      `SELECT * FROM custom_agents WHERE user_id = ? AND site_id = ? ORDER BY created_at DESC`
+    ).all(userId, siteId);
+  }
+  return db.prepare(
+    `SELECT * FROM custom_agents WHERE user_id = ? ORDER BY created_at DESC`
+  ).all(userId);
+}
+
+function getAgent(agentId, userId) {
+  return db.prepare(
+    `SELECT * FROM custom_agents WHERE id = ? AND user_id = ?`
+  ).get(agentId, userId) || null;
+}
+
+async function runAgent(agentId, userId) {
+  const agent = db.prepare(
+    `SELECT * FROM custom_agents WHERE id = ? AND user_id = ?`
+  ).get(agentId, userId);
+  if (!agent) return null;
+
+  const site = db.prepare(`SELECT * FROM sites WHERE id = ?`).get(agent.site_id);
+  const baseUrl = site && site.domain ? (site.domain.startsWith('http') ? site.domain : `https://${site.domain}`) : null;
+
+  const runId = uuidv4();
+  db.prepare(
+    `INSERT INTO agent_runs (id, agent_id, status) VALUES (?, ?, 'running')`
+  ).run(runId, agentId);
+
+  let steps;
+  try { steps = JSON.parse(agent.steps_json); } catch { steps = []; }
+
+  const results = [];
+  let failed = false;
+  let lastResponse = null;
+
+  for (let i = 0; i < steps.length; i++) {
+    const step = steps[i];
+    const actionName = step.action || step.name || `step_${i}`;
+    const stepStart = Date.now();
+
+    try {
+      let output = null;
+
+      if (actionName === 'navigate' || actionName === 'goto' || actionName === 'fetch') {
+        const targetUrl = step.url || step.value || (baseUrl ? `${baseUrl}${step.path || '/'}` : null);
+        if (!targetUrl) throw new Error('No URL specified for navigate step');
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), step.timeoutMs || 15000);
+        try {
+          const resp = await fetch(targetUrl, {
+            method: step.method || 'GET',
+            headers: { 'User-Agent': 'WAB-Agent/1.0', ...(step.headers || {}) },
+            body: step.body ? (typeof step.body === 'string' ? step.body : JSON.stringify(step.body)) : undefined,
+            signal: controller.signal,
+            redirect: 'follow',
+          });
+          clearTimeout(timeout);
+          const contentType = resp.headers.get('content-type') || '';
+          let body;
+          if (contentType.includes('json')) {
+            body = await resp.json();
+          } else {
+            const text = await resp.text();
+            body = text.slice(0, 5000);
+          }
+          lastResponse = body;
+          output = { status: resp.status, statusText: resp.statusText, contentType, bodyLength: typeof body === 'string' ? body.length : JSON.stringify(body).length, url: resp.url };
+          if (resp.status >= 400) throw new Error(`HTTP ${resp.status}: ${resp.statusText}`);
+        } catch (fetchErr) {
+          clearTimeout(timeout);
+          throw fetchErr;
+        }
+
+      } else if (actionName === 'click' || actionName === 'fill' || actionName === 'select' || actionName === 'submit') {
+        if (!baseUrl) throw new Error('Site has no domain configured for DOM actions');
+        const wabUrl = `${baseUrl}/api/wab/actions/${actionName}`;
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), step.timeoutMs || 10000);
+        try {
+          const resp = await fetch(wabUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'User-Agent': 'WAB-Agent/1.0' },
+            body: JSON.stringify({ selector: step.selector, value: step.value, siteId: agent.site_id }),
+            signal: controller.signal,
+          });
+          clearTimeout(timeout);
+          output = await resp.json().catch(() => ({ status: resp.status }));
+          if (resp.status >= 400) throw new Error(`WAB action ${actionName} failed: ${resp.status}`);
+        } catch (fetchErr) {
+          clearTimeout(timeout);
+          throw fetchErr;
+        }
+
+      } else if (actionName === 'wait' || actionName === 'delay' || actionName === 'sleep') {
+        const ms = Math.min(step.waitMs || step.ms || step.value || 1000, 30000);
+        await new Promise(resolve => setTimeout(resolve, ms));
+        output = { waited: ms };
+
+      } else if (actionName === 'extract' || actionName === 'read') {
+        if (!baseUrl) throw new Error('Site has no domain configured');
+        const readUrl = `${baseUrl}/api/wab/read`;
+        const resp = await fetch(readUrl, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json', 'User-Agent': 'WAB-Agent/1.0' },
+          body: JSON.stringify({ selector: step.selector, siteId: agent.site_id }),
+        });
+        output = await resp.json().catch(() => ({ status: resp.status }));
+
+      } else if (actionName === 'assert' || actionName === 'check') {
+        const actual = lastResponse;
+        const expected = step.expected || step.value;
+        if (expected && typeof actual === 'string' && !actual.includes(expected)) {
+          throw new Error(`Assertion failed: response does not contain "${expected}"`);
+        }
+        if (expected && typeof actual === 'object' && step.path) {
+          const val = step.path.split('.').reduce((o, k) => o && o[k], actual);
+          if (String(val) !== String(expected)) throw new Error(`Assertion failed: ${step.path} = ${val}, expected ${expected}`);
+        }
+        output = { assertion: 'passed', actual: typeof actual === 'string' ? actual.slice(0, 200) : actual };
+
+      } else if (actionName === 'log') {
+        output = { logged: step.value || step.message || '' };
+
+      } else {
+        if (baseUrl) {
+          const resp = await fetch(`${baseUrl}/api/wab/actions/${actionName}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'User-Agent': 'WAB-Agent/1.0' },
+            body: JSON.stringify({ ...step, siteId: agent.site_id }),
+          }).catch(e => ({ status: 0, statusText: e.message, json: () => Promise.resolve({ error: e.message }) }));
+          output = typeof resp.json === 'function' ? await resp.json().catch(() => ({})) : { status: resp.status };
+        } else {
+          output = { warning: `Unknown action "${actionName}" and no domain to send WAB command` };
+        }
+      }
+
+      const duration = Date.now() - stepStart;
+      results.push({ step: i, action: actionName, status: 'success', output, durationMs: duration });
+    } catch (err) {
+      const duration = Date.now() - stepStart;
+      results.push({ step: i, action: actionName, status: 'failed', error: err.message, durationMs: duration });
+      failed = true;
+      break;
+    }
+  }
+
+  const finalStatus = failed ? 'failed' : 'success';
+  db.prepare(
+    `UPDATE agent_runs SET status = ?, finished_at = datetime('now'), result_json = ? WHERE id = ?`
+  ).run(finalStatus, JSON.stringify({ steps: results }), runId);
+
+  db.prepare(
+    `UPDATE custom_agents SET run_count = run_count + 1, last_run = datetime('now') WHERE id = ?`
+  ).run(agentId);
+
+  if (agent.schedule) {
+    updateNextRun(agentId, agent.schedule);
+  }
+
+  return { id: runId, agentId, status: finalStatus, steps: results };
+}
+
+function getAgentRuns(agentId, { limit = 20 } = {}) {
+  return db.prepare(
+    `SELECT * FROM agent_runs WHERE agent_id = ? ORDER BY started_at DESC LIMIT ?`
+  ).all(agentId, limit);
+}
+
+function getScheduledAgents() {
+  return db.prepare(
+    `SELECT * FROM custom_agents WHERE schedule IS NOT NULL AND status = 'active' AND next_run <= datetime('now')`
+  ).all();
+}
+
+function updateNextRun(agentId, schedule) {
+  const next = parseSchedule(schedule);
+  db.prepare(
+    `UPDATE custom_agents SET next_run = ? WHERE id = ?`
+  ).run(next ? next.toISOString() : null, agentId);
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 5. Webhooks & CRM
+// ═══════════════════════════════════════════════════════════════════════
+
+function createWebhook(siteId, { name, url, events, secret }) {
+  const id = uuidv4();
+  const webhookSecret = secret || crypto.randomBytes(32).toString('hex');
+  db.prepare(
+    `INSERT INTO webhook_endpoints (id, site_id, name, url, events, secret) VALUES (?, ?, ?, ?, ?, ?)`
+  ).run(id, siteId, name || 'Webhook', url, JSON.stringify(events || ['*']), webhookSecret);
+  return { id, name: name || 'Webhook', url, secret: webhookSecret };
+}
+
+function updateWebhook(webhookId, siteId, updates) {
+  const fields = [];
+  const params = [];
+
+  if (updates.name !== undefined) { fields.push('name = ?'); params.push(updates.name); }
+  if (updates.url !== undefined) { fields.push('url = ?'); params.push(updates.url); }
+  if (updates.events !== undefined) { fields.push('events = ?'); params.push(JSON.stringify(updates.events)); }
+  if (updates.secret !== undefined) { fields.push('secret = ?'); params.push(updates.secret); }
+  if (updates.active !== undefined) { fields.push('active = ?'); params.push(updates.active ? 1 : 0); }
+
+  if (fields.length === 0) return false;
+  params.push(webhookId, siteId);
+  const result = db.prepare(
+    `UPDATE webhook_endpoints SET ${fields.join(', ')} WHERE id = ? AND site_id = ?`
+  ).run(...params);
+  return result.changes > 0;
+}
+
+function deleteWebhook(webhookId, siteId) {
+  const result = db.prepare(
+    `DELETE FROM webhook_endpoints WHERE id = ? AND site_id = ?`
+  ).run(webhookId, siteId);
+  return result.changes > 0;
+}
+
+function getWebhooks(siteId) {
+  return db.prepare(
+    `SELECT * FROM webhook_endpoints WHERE site_id = ? ORDER BY created_at DESC`
+  ).all(siteId);
+}
+
+function triggerWebhooks(siteId, eventType, payload) {
+  const webhooks = db.prepare(
+    `SELECT * FROM webhook_endpoints WHERE site_id = ? AND active = 1`
+  ).all(siteId);
+
+  const results = [];
+  for (const wh of webhooks) {
+    let events;
+    try { events = JSON.parse(wh.events); } catch { events = ['*']; }
+    if (!events.includes('*') && !events.includes(eventType)) continue;
+
+    const body = JSON.stringify({ event: eventType, payload, timestamp: new Date().toISOString() });
+
+    let signature = null;
+    if (wh.secret) {
+      signature = crypto.createHmac('sha256', wh.secret).update(body).digest('hex');
+    }
+
+    const promise = new Promise((resolve) => {
+      try {
+        const parsed = new URL(wh.url);
+        const mod = parsed.protocol === 'https:' ? https : http;
+        const req = mod.request(parsed, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-WAB-Signature': signature || '',
+            'X-WAB-Event': eventType,
+          },
+          timeout: 10000,
+        }, (res) => {
+          let data = '';
+          res.on('data', (chunk) => { data += chunk; });
+          res.on('end', () => {
+            db.prepare(
+              `INSERT INTO webhook_logs (webhook_id, event_type, payload, response_code, response_body) VALUES (?, ?, ?, ?, ?)`
+            ).run(wh.id, eventType, body, res.statusCode, data.substring(0, 2000));
+
+            db.prepare(
+              `UPDATE webhook_endpoints SET last_triggered = datetime('now'), failure_count = CASE WHEN ? >= 400 THEN failure_count + 1 ELSE 0 END WHERE id = ?`
+            ).run(res.statusCode, wh.id);
+
+            resolve({ webhookId: wh.id, status: res.statusCode, success: res.statusCode < 400 });
+          });
+        });
+
+        req.on('error', (err) => {
+          db.prepare(
+            `INSERT INTO webhook_logs (webhook_id, event_type, payload, response_code, response_body) VALUES (?, ?, ?, ?, ?)`
+          ).run(wh.id, eventType, body, 0, err.message);
+
+          db.prepare(
+            `UPDATE webhook_endpoints SET last_triggered = datetime('now'), failure_count = failure_count + 1 WHERE id = ?`
+          ).run(wh.id);
+
+          resolve({ webhookId: wh.id, status: 0, success: false, error: err.message });
+        });
+
+        req.on('timeout', () => { req.destroy(); });
+        req.write(body);
+        req.end();
+      } catch (err) {
+        db.prepare(
+          `INSERT INTO webhook_logs (webhook_id, event_type, payload, response_code, response_body) VALUES (?, ?, ?, ?, ?)`
+        ).run(wh.id, eventType, body, 0, err.message);
+
+        resolve({ webhookId: wh.id, status: 0, success: false, error: err.message });
+      }
+    });
+
+    results.push(promise);
+  }
+
+  return Promise.allSettled(results).then((settled) =>
+    settled.map((r) => r.status === 'fulfilled' ? r.value : { success: false, error: r.reason })
+  );
+}
+
+function getWebhookLogs(webhookId, { limit = 50 } = {}) {
+  return db.prepare(
+    `SELECT * FROM webhook_logs WHERE webhook_id = ? ORDER BY created_at DESC LIMIT ?`
+  ).all(webhookId, limit);
+}
+
+function addCrmIntegration(siteId, { provider, config }) {
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO crm_integrations (id, site_id, provider, config) VALUES (?, ?, ?, ?)`
+  ).run(id, siteId, provider, JSON.stringify(config || {}));
+  return { id, provider };
+}
+
+function updateCrmIntegration(integrationId, siteId, updates) {
+  const fields = [];
+  const params = [];
+
+  if (updates.provider !== undefined) { fields.push('provider = ?'); params.push(updates.provider); }
+  if (updates.config !== undefined) { fields.push('config = ?'); params.push(JSON.stringify(updates.config)); }
+  if (updates.active !== undefined) { fields.push('active = ?'); params.push(updates.active ? 1 : 0); }
+
+  if (fields.length === 0) return false;
+  params.push(integrationId, siteId);
+  const result = db.prepare(
+    `UPDATE crm_integrations SET ${fields.join(', ')} WHERE id = ? AND site_id = ?`
+  ).run(...params);
+  return result.changes > 0;
+}
+
+function deleteCrmIntegration(integrationId, siteId) {
+  const result = db.prepare(
+    `DELETE FROM crm_integrations WHERE id = ? AND site_id = ?`
+  ).run(integrationId, siteId);
+  return result.changes > 0;
+}
+
+function getCrmIntegrations(siteId) {
+  return db.prepare(
+    `SELECT * FROM crm_integrations WHERE site_id = ? ORDER BY created_at DESC`
+  ).all(siteId);
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 6. Multi-Tenant
+// ═══════════════════════════════════════════════════════════════════════
+
+function inviteSubUser(parentUserId, { email, name, password, role, siteAccess, quotaActionsMonth }) {
+  const id = uuidv4();
+  const hashed = bcrypt.hashSync(password, 12);
+  db.prepare(
+    `INSERT INTO sub_users (id, parent_user_id, email, password, name, role, site_access, quota_actions_month) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+  ).run(id, parentUserId, email, hashed, name, role || 'viewer', JSON.stringify(siteAccess || ['*']), quotaActionsMonth || null);
+  return { id, email, name, role: role || 'viewer' };
+}
+
+function getSubUsers(parentUserId) {
+  const rows = db.prepare(
+    `SELECT id, parent_user_id, email, name, role, site_access, quota_actions_month, actions_used_month, invited_at, accepted_at, active FROM sub_users WHERE parent_user_id = ? ORDER BY invited_at DESC`
+  ).all(parentUserId);
+  return rows;
+}
+
+function updateSubUser(subUserId, parentUserId, updates) {
+  const fields = [];
+  const params = [];
+
+  if (updates.name !== undefined) { fields.push('name = ?'); params.push(updates.name); }
+  if (updates.email !== undefined) { fields.push('email = ?'); params.push(updates.email); }
+  if (updates.role !== undefined) { fields.push('role = ?'); params.push(updates.role); }
+  if (updates.siteAccess !== undefined) { fields.push('site_access = ?'); params.push(JSON.stringify(updates.siteAccess)); }
+  if (updates.quotaActionsMonth !== undefined) { fields.push('quota_actions_month = ?'); params.push(updates.quotaActionsMonth); }
+  if (updates.active !== undefined) { fields.push('active = ?'); params.push(updates.active ? 1 : 0); }
+  if (updates.password !== undefined) { fields.push('password = ?'); params.push(bcrypt.hashSync(updates.password, 12)); }
+
+  if (fields.length === 0) return false;
+  params.push(subUserId, parentUserId);
+  const result = db.prepare(
+    `UPDATE sub_users SET ${fields.join(', ')} WHERE id = ? AND parent_user_id = ?`
+  ).run(...params);
+  return result.changes > 0;
+}
+
+function deleteSubUser(subUserId, parentUserId) {
+  const result = db.prepare(
+    `DELETE FROM sub_users WHERE id = ? AND parent_user_id = ?`
+  ).run(subUserId, parentUserId);
+  return result.changes > 0;
+}
+
+function loginSubUser({ email, password }) {
+  const user = db.prepare(`SELECT * FROM sub_users WHERE email = ? AND active = 1`).get(email);
+  if (!user) return null;
+  if (!bcrypt.compareSync(password, user.password)) return null;
+  if (!user.accepted_at) {
+    db.prepare(`UPDATE sub_users SET accepted_at = datetime('now') WHERE id = ?`).run(user.id);
+  }
+  return { id: user.id, parentUserId: user.parent_user_id, email: user.email, name: user.name, role: user.role };
+}
+
+function checkSubUserAccess(subUserId, siteId) {
+  const user = db.prepare(
+    `SELECT site_access, active FROM sub_users WHERE id = ?`
+  ).get(subUserId);
+  if (!user || !user.active) return false;
+
+  let access;
+  try { access = JSON.parse(user.site_access); } catch { access = []; }
+  return access.includes('*') || access.includes(siteId);
+}
+
+function incrementSubUserUsage(subUserId) {
+  const user = db.prepare(
+    `SELECT quota_actions_month, actions_used_month FROM sub_users WHERE id = ? AND active = 1`
+  ).get(subUserId);
+  if (!user) return { allowed: false, remaining: 0 };
+
+  if (user.quota_actions_month !== null && user.actions_used_month >= user.quota_actions_month) {
+    return { allowed: false, remaining: 0 };
+  }
+
+  db.prepare(`UPDATE sub_users SET actions_used_month = actions_used_month + 1 WHERE id = ?`).run(subUserId);
+
+  const remaining = user.quota_actions_month !== null
+    ? user.quota_actions_month - user.actions_used_month - 1
+    : null;
+  return { allowed: true, remaining };
+}
+
+function resetMonthlyUsage() {
+  const result = db.prepare(`UPDATE sub_users SET actions_used_month = 0`).run();
+  return result.changes;
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 7. Support Tickets
+// ═══════════════════════════════════════════════════════════════════════
+
+const SLA_HOURS = { low: 72, normal: 48, high: 24, urgent: 4 };
+
+function createTicket(userId, { subject, priority, category }) {
+  const id = uuidv4();
+  const prio = priority || 'normal';
+  const slaHours = SLA_HOURS[prio] || 48;
+  const slaDeadline = new Date(Date.now() + slaHours * 3600000).toISOString();
+
+  db.prepare(
+    `INSERT INTO support_tickets (id, user_id, subject, priority, category, sla_deadline) VALUES (?, ?, ?, ?, ?, ?)`
+  ).run(id, userId, subject, prio, category || null, slaDeadline);
+
+  db.prepare(
+    `INSERT INTO ticket_messages (ticket_id, sender_type, sender_id, message) VALUES (?, 'bot', 'system', ?)`
+  ).run(id, `Ticket created. Priority: ${prio}. We'll get back to you within ${slaHours} hours.`);
+
+  return { id, subject, priority: prio, slaDeadline };
+}
+
+function getTickets(userId, { status, limit = 50 } = {}) {
+  if (status) {
+    return db.prepare(
+      `SELECT t.*, (SELECT COUNT(*) FROM ticket_messages WHERE ticket_id = t.id) as message_count FROM support_tickets t WHERE t.user_id = ? AND t.status = ? ORDER BY t.updated_at DESC LIMIT ?`
+    ).all(userId, status, limit);
+  }
+  return db.prepare(
+    `SELECT t.*, (SELECT COUNT(*) FROM ticket_messages WHERE ticket_id = t.id) as message_count FROM support_tickets t WHERE t.user_id = ? ORDER BY t.updated_at DESC LIMIT ?`
+  ).all(userId, limit);
+}
+
+function getTicket(ticketId, userId) {
+  return db.prepare(
+    `SELECT t.*, (SELECT COUNT(*) FROM ticket_messages WHERE ticket_id = t.id) as message_count FROM support_tickets t WHERE t.id = ? AND t.user_id = ?`
+  ).get(ticketId, userId) || null;
+}
+
+function updateTicketStatus(ticketId, userId, status) {
+  const fields = ['status = ?', 'updated_at = datetime(\'now\')'];
+  const params = [status];
+
+  if (status === 'resolved' || status === 'closed') {
+    fields.push('resolved_at = datetime(\'now\')');
+  }
+
+  params.push(ticketId, userId);
+  const result = db.prepare(
+    `UPDATE support_tickets SET ${fields.join(', ')} WHERE id = ? AND user_id = ?`
+  ).run(...params);
+  return result.changes > 0;
+}
+
+function addTicketMessage(ticketId, { senderType, senderId, message }) {
+  const result = db.prepare(
+    `INSERT INTO ticket_messages (ticket_id, sender_type, sender_id, message) VALUES (?, ?, ?, ?)`
+  ).run(ticketId, senderType, senderId || null, message);
+
+  db.prepare(
+    `UPDATE support_tickets SET updated_at = datetime('now') WHERE id = ?`
+  ).run(ticketId);
+
+  return { id: result.lastInsertRowid };
+}
+
+function getTicketMessages(ticketId) {
+  return db.prepare(
+    `SELECT * FROM ticket_messages WHERE ticket_id = ? ORDER BY created_at ASC`
+  ).all(ticketId);
+}
+
+function getTicketStats(userId) {
+  const rows = db.prepare(
+    `SELECT status, COUNT(*) as count FROM support_tickets WHERE user_id = ? GROUP BY status`
+  ).all(userId);
+  const stats = { open: 0, in_progress: 0, waiting: 0, resolved: 0, closed: 0 };
+  for (const r of rows) stats[r.status] = r.count;
+  stats.total = Object.values(stats).reduce((a, b) => a + b, 0);
+  return stats;
+}
+
+const FAQ_ENTRIES = [
+  { keywords: ['install', 'setup', 'getting started', 'start'], response: 'To get started, add the bridge script to your website by including `<script src="your-cdn-url/ai-agent-bridge.js"></script>` before the closing </body> tag. Then configure your license key in the dashboard.' },
+  { keywords: ['license', 'key', 'activate'], response: 'You can find your license key in the Dashboard under Site Settings. Copy the key and add it to your bridge script configuration: `WebAgentBridge.init({ licenseKey: "YOUR-KEY" })`.' },
+  { keywords: ['price', 'pricing', 'cost', 'plan', 'tier', 'upgrade'], response: 'We offer Free, Starter ($19/mo), Pro ($49/mo), and Enterprise ($149/mo) plans. Visit the Billing section in your dashboard to upgrade. Each tier unlocks additional features and higher rate limits.' },
+  { keywords: ['rate limit', 'throttle', 'too many requests', '429'], response: 'Rate limits depend on your plan: Free (60/min), Starter (200/min), Pro (1000/min), Enterprise (unlimited). If you\'re hitting limits, consider upgrading or optimizing your agent\'s request frequency.' },
+  { keywords: ['block', 'bot', 'agent', 'security'], response: 'You can block specific agents in the Exploit Shield section. Go to Security → Blocked Agents and add the agent signature you want to block. You can also enable auto-detection to automatically block suspicious agents.' },
+  { keywords: ['webhook', 'notification', 'callback'], response: 'Set up webhooks in the Webhooks section. Add a URL endpoint, select the events you want to listen to, and we\'ll send POST requests with signed payloads whenever those events occur.' },
+  { keywords: ['api', 'endpoint', 'rest', 'integration'], response: 'Our REST API is available at your dashboard URL under /api/v1/. Authenticate with your API key in the X-API-Key header. Full API documentation is available in the docs section of your dashboard.' },
+  { keywords: ['cancel', 'refund', 'subscription'], response: 'You can cancel your subscription at any time from the Billing section. Your features will remain active until the end of the current billing period. For refund requests, please specify the reason and our team will review it.' },
+  { keywords: ['custom', 'script', 'bridge', 'modify'], response: 'Use the Custom Bridge Script feature to customize your bridge script. You can add plugins, custom CSS/JS, enable AMP compatibility, and toggle minification. Changes are built and deployed automatically.' },
+  { keywords: ['analytics', 'traffic', 'stats', 'report'], response: 'Analytics are available in the Traffic Intelligence section. You can view agent profiles, traffic statistics by type/country/platform, and set up anomaly alerts for unusual traffic patterns.' },
+  { keywords: ['stealth', 'detection', 'anti-bot'], response: 'Stealth Mode lets you configure human-like behavior patterns for your agents including typing speed, mouse movement, scroll behavior, and click delays. This helps agents pass anti-bot detection systems.' },
+  { keywords: ['sandbox', 'test', 'benchmark'], response: 'The Sandbox feature lets you create isolated test environments. You can simulate traffic, run benchmarks (rate limiting, response time, throughput), and compare before/after results without affecting production.' },
+  { keywords: ['password', 'login', 'account', 'reset'], response: 'To reset your password, use the "Forgot Password" link on the login page. If you\'re having trouble accessing your account, contact support with your registered email address.' },
+  { keywords: ['cdn', 'domain', 'ssl', 'cache'], response: 'CDN settings are available in the CDN section. You can configure a custom domain, manage SSL, set cache TTL, and choose edge locations. CDN stats show bandwidth usage, requests, and cache hit rates.' },
+  { keywords: ['audit', 'compliance', 'gdpr', 'hipaa', 'log'], response: 'The Audit & Compliance section provides detailed action logs, GDPR/HIPAA/SOC2 compliance modes, configurable retention policies, and export capabilities (CSV/JSON). Enable auto-purge to automatically clean old logs.' },
+];
+
+function generateBotResponse(message) {
+  if (!message) return null;
+  const lower = message.toLowerCase();
+
+  for (const faq of FAQ_ENTRIES) {
+    for (const keyword of faq.keywords) {
+      if (lower.includes(keyword)) {
+        return faq.response;
+      }
+    }
+  }
+
+  return null;
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 8. Custom Bridge Script
+// ═══════════════════════════════════════════════════════════════════════
+
+function getScriptConfig(siteId) {
+  return db.prepare(
+    `SELECT * FROM custom_scripts WHERE site_id = ?`
+  ).get(siteId) || null;
+}
+
+function updateScriptConfig(siteId, { plugins, minified, ampCompatible, autoPatch, customCss, customJs }) {
+  const existing = db.prepare(`SELECT id FROM custom_scripts WHERE site_id = ?`).get(siteId);
+
+  if (existing) {
+    const fields = [];
+    const params = [];
+    if (plugins !== undefined) { fields.push('plugins_json = ?'); params.push(JSON.stringify(plugins)); }
+    if (minified !== undefined) { fields.push('minified = ?'); params.push(minified ? 1 : 0); }
+    if (ampCompatible !== undefined) { fields.push('amp_compatible = ?'); params.push(ampCompatible ? 1 : 0); }
+    if (autoPatch !== undefined) { fields.push('auto_patch = ?'); params.push(autoPatch ? 1 : 0); }
+    if (customCss !== undefined) { fields.push('custom_css = ?'); params.push(customCss); }
+    if (customJs !== undefined) { fields.push('custom_js = ?'); params.push(customJs); }
+
+    if (fields.length === 0) return existing.id;
+    params.push(siteId);
+    db.prepare(`UPDATE custom_scripts SET ${fields.join(', ')} WHERE site_id = ?`).run(...params);
+    return existing.id;
+  }
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO custom_scripts (id, site_id, plugins_json, minified, amp_compatible, auto_patch, custom_css, custom_js) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+  ).run(
+    id, siteId,
+    JSON.stringify(plugins || []),
+    minified !== undefined ? (minified ? 1 : 0) : 1,
+    ampCompatible ? 1 : 0,
+    autoPatch !== undefined ? (autoPatch ? 1 : 0) : 1,
+    customCss || null,
+    customJs || null
+  );
+  return id;
+}
+
+const AVAILABLE_PLUGINS = [
+  { id: 'consent-guard', name: 'Consent Guard', description: 'Require user consent before agent actions', code: `if(!window.__wabConsent){window.WebAgentBridge&&WebAgentBridge.on("beforeAction",function(e){if(!window.__wabConsent){e.preventDefault();console.warn("WAB: action blocked – user consent required")}});}` },
+  { id: 'session-recorder', name: 'Session Recorder', description: 'Record agent interaction sessions for replay', code: `(function(){var s=[];window.WebAgentBridge&&WebAgentBridge.on("action",function(e){s.push({t:Date.now(),a:e.action,d:e.detail})});window.__wabSessionLog=s})();` },
+  { id: 'dark-mode', name: 'Dark Mode Support', description: 'Automatically adapt agent overlay UI to dark mode', code: `(function(){if(window.matchMedia&&window.matchMedia("(prefers-color-scheme:dark)").matches){document.documentElement.classList.add("wab-dark")}})();` },
+  { id: 'error-tracker', name: 'Error Tracker', description: 'Capture and report agent runtime errors', code: `window.addEventListener("error",function(e){if(e.filename&&e.filename.indexOf("agent-bridge")>-1){console.error("WAB Error:",e.message);window.WebAgentBridge&&WebAgentBridge.emit("error",{msg:e.message,line:e.lineno})}});` },
+  { id: 'geo-restrict', name: 'Geo Restriction', description: 'Restrict agent access based on geolocation', code: `(function(){window.WebAgentBridge&&WebAgentBridge.on("init",function(){fetch("https://ipapi.co/json/").then(function(r){return r.json()}).then(function(d){window.__wabGeo=d.country_code})})})();` },
+  { id: 'rate-limiter-ui', name: 'Rate Limiter UI', description: 'Show visual feedback when rate limit is approaching', code: `(function(){var c=0;window.WebAgentBridge&&WebAgentBridge.on("action",function(){c++;if(c>50){var el=document.getElementById("wab-rate-warn");if(!el){el=document.createElement("div");el.id="wab-rate-warn";el.style.cssText="position:fixed;top:0;left:0;right:0;background:#f59e0b;color:#000;padding:8px;text-align:center;z-index:99999";el.textContent="Rate limit approaching";document.body.appendChild(el)}}});setInterval(function(){c=0;var el=document.getElementById("wab-rate-warn");if(el)el.remove()},60000)})();` },
+];
+
+function buildScript(siteId) {
+  const scriptPath = path.join(__dirname, '..', '..', 'script', 'ai-agent-bridge.js');
+  let baseScript;
+  try {
+    baseScript = fs.readFileSync(scriptPath, 'utf8');
+  } catch {
+    return { error: 'Base script not found' };
+  }
+
+  const config = db.prepare(`SELECT * FROM custom_scripts WHERE site_id = ?`).get(siteId);
+  if (!config) return { script: baseScript, hash: crypto.createHash('md5').update(baseScript).digest('hex') };
+
+  let script = baseScript;
+  let plugins = [];
+  try { plugins = JSON.parse(config.plugins_json); } catch { /* use empty */ }
+
+  const pluginCode = plugins
+    .map((pid) => {
+      const plug = AVAILABLE_PLUGINS.find((p) => p.id === pid);
+      return plug ? `\n/* Plugin: ${plug.name} */\n${plug.code}` : '';
+    })
+    .filter(Boolean)
+    .join('\n');
+
+  if (pluginCode) {
+    const insertPoint = script.lastIndexOf('}(');
+    if (insertPoint > -1) {
+      script = script.substring(0, insertPoint) + pluginCode + '\n' + script.substring(insertPoint);
+    } else {
+      script += '\n' + pluginCode;
+    }
+  }
+
+  if (config.custom_js) {
+    script += `\n/* Custom JS */\n${config.custom_js}\n`;
+  }
+
+  if (config.custom_css) {
+    const cssInjector = `\n(function(){var s=document.createElement("style");s.textContent=${JSON.stringify(config.custom_css)};document.head.appendChild(s)})();\n`;
+    script += cssInjector;
+  }
+
+  if (config.amp_compatible) {
+    script = script.replace(/document\.write\(/g, '/* AMP: disabled */ // document.write(');
+    script = `/* AMP Compatible */\n${script}`;
+  }
+
+  if (config.minified) {
+    script = script
+      .replace(/\/\*[\s\S]*?\*\//g, '')
+      .replace(/\/\/[^\n]*/g, '')
+      .replace(/\n\s*\n/g, '\n')
+      .replace(/^\s+/gm, '')
+      .split('\n')
+      .filter((l) => l.trim())
+      .join('\n');
+  }
+
+  const hash = crypto.createHash('md5').update(script).digest('hex');
+
+  db.prepare(
+    `UPDATE custom_scripts SET last_built = datetime('now'), script_hash = ? WHERE site_id = ?`
+  ).run(hash, siteId);
+
+  return { script, hash, size: Buffer.byteLength(script, 'utf8') };
+}
+
+function getAvailablePlugins() {
+  return AVAILABLE_PLUGINS.map(({ id, name, description }) => ({ id, name, description }));
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 9. Stealth Mode
+// ═══════════════════════════════════════════════════════════════════════
+
+function getStealthProfile(siteId) {
+  return db.prepare(
+    `SELECT * FROM stealth_profiles WHERE site_id = ? AND active = 1 ORDER BY created_at DESC LIMIT 1`
+  ).get(siteId) || null;
+}
+
+function upsertStealthProfile(siteId, profile) {
+  const existing = db.prepare(`SELECT id FROM stealth_profiles WHERE site_id = ? AND active = 1`).get(siteId);
+
+  if (existing) {
+    const fields = [];
+    const params = [];
+
+    if (profile.name !== undefined) { fields.push('name = ?'); params.push(profile.name); }
+    if (profile.typingSpeedMin !== undefined) { fields.push('typing_speed_min = ?'); params.push(profile.typingSpeedMin); }
+    if (profile.typingSpeedMax !== undefined) { fields.push('typing_speed_max = ?'); params.push(profile.typingSpeedMax); }
+    if (profile.mouseSpeed !== undefined) { fields.push('mouse_speed = ?'); params.push(profile.mouseSpeed); }
+    if (profile.scrollBehavior !== undefined) { fields.push('scroll_behavior = ?'); params.push(profile.scrollBehavior); }
+    if (profile.clickDelayMin !== undefined) { fields.push('click_delay_min = ?'); params.push(profile.clickDelayMin); }
+    if (profile.clickDelayMax !== undefined) { fields.push('click_delay_max = ?'); params.push(profile.clickDelayMax); }
+    if (profile.antiDetection !== undefined) { fields.push('anti_detection_json = ?'); params.push(JSON.stringify(profile.antiDetection)); }
+
+    if (fields.length > 0) {
+      params.push(existing.id);
+      db.prepare(`UPDATE stealth_profiles SET ${fields.join(', ')} WHERE id = ?`).run(...params);
+    }
+    return existing.id;
+  }
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO stealth_profiles (id, site_id, name, typing_speed_min, typing_speed_max, mouse_speed, scroll_behavior, click_delay_min, click_delay_max, anti_detection_json) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+  ).run(
+    id, siteId,
+    profile.name || 'Default',
+    profile.typingSpeedMin || 30,
+    profile.typingSpeedMax || 120,
+    profile.mouseSpeed || 'natural',
+    profile.scrollBehavior || 'eased',
+    profile.clickDelayMin || 50,
+    profile.clickDelayMax || 400,
+    JSON.stringify(profile.antiDetection || {})
+  );
+  return id;
+}
+
+function getAntiDetectionConfig(siteId) {
+  const profile = db.prepare(
+    `SELECT anti_detection_json FROM stealth_profiles WHERE site_id = ? AND active = 1 ORDER BY created_at DESC LIMIT 1`
+  ).get(siteId);
+  if (!profile) return {};
+  try { return JSON.parse(profile.anti_detection_json); } catch { return {}; }
+}
+
+function generateStealthScript(siteId) {
+  const profile = getStealthProfile(siteId);
+  if (!profile) return '/* No stealth profile configured */';
+
+  let antiDetection;
+  try { antiDetection = JSON.parse(profile.anti_detection_json || '{}'); } catch { antiDetection = {}; }
+
+  return `(function(){
+  'use strict';
+  var cfg = {
+    typingSpeedMin: ${profile.typing_speed_min},
+    typingSpeedMax: ${profile.typing_speed_max},
+    mouseSpeed: '${profile.mouse_speed}',
+    scrollBehavior: '${profile.scroll_behavior}',
+    clickDelayMin: ${profile.click_delay_min},
+    clickDelayMax: ${profile.click_delay_max}
+  };
+
+  function rand(min, max) { return Math.floor(Math.random() * (max - min + 1)) + min; }
+
+  function humanType(el, text, cb) {
+    var i = 0;
+    function next() {
+      if (i >= text.length) { if (cb) cb(); return; }
+      var delay = rand(cfg.typingSpeedMin, cfg.typingSpeedMax);
+      if (Math.random() < 0.05) delay += rand(200, 600);
+      setTimeout(function() {
+        el.value = (el.value || '') + text[i];
+        el.dispatchEvent(new Event('input', { bubbles: true }));
+        i++;
+        next();
+      }, delay);
+    }
+    next();
+  }
+
+  function humanClick(el, cb) {
+    var delay = rand(cfg.clickDelayMin, cfg.clickDelayMax);
+    var rect = el.getBoundingClientRect();
+    var x = rect.left + rand(2, rect.width - 2);
+    var y = rect.top + rand(2, rect.height - 2);
+    el.dispatchEvent(new MouseEvent('mousemove', { clientX: x, clientY: y, bubbles: true }));
+    setTimeout(function() {
+      el.dispatchEvent(new MouseEvent('mousedown', { clientX: x, clientY: y, bubbles: true }));
+      setTimeout(function() {
+        el.dispatchEvent(new MouseEvent('mouseup', { clientX: x, clientY: y, bubbles: true }));
+        el.dispatchEvent(new MouseEvent('click', { clientX: x, clientY: y, bubbles: true }));
+        if (cb) cb();
+      }, rand(30, 80));
+    }, delay);
+  }
+
+  function humanScroll(target, cb) {
+    var current = window.scrollY;
+    var distance = target - current;
+    var steps = Math.abs(distance) < 200 ? 10 : 30;
+    var step = 0;
+    var ease = cfg.scrollBehavior === 'eased';
+    function tick() {
+      if (step >= steps) { if (cb) cb(); return; }
+      step++;
+      var t = step / steps;
+      var pos = ease ? current + distance * (t * t * (3 - 2 * t)) : current + distance * t;
+      window.scrollTo(0, pos);
+      requestAnimationFrame(tick);
+    }
+    tick();
+  }
+
+  ${antiDetection.hideWebdriver ? 'Object.defineProperty(navigator, "webdriver", { get: function() { return false; } });' : ''}
+  ${antiDetection.spoofPlugins ? 'Object.defineProperty(navigator, "plugins", { get: function() { return [1,2,3]; } });' : ''}
+  ${antiDetection.spoofLanguages ? 'Object.defineProperty(navigator, "languages", { get: function() { return ["en-US","en"]; } });' : ''}
+  ${antiDetection.mockPermissions ? 'if(navigator.permissions){var origQuery=navigator.permissions.query.bind(navigator.permissions);navigator.permissions.query=function(p){if(p.name==="notifications")return Promise.resolve({state:"prompt"});return origQuery(p)};}' : ''}
+
+  window.__wabStealth = { humanType: humanType, humanClick: humanClick, humanScroll: humanScroll, config: cfg };
+})();`;
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 10. CDN
+// ═══════════════════════════════════════════════════════════════════════
+
+function getCdnConfig(siteId) {
+  return db.prepare(`SELECT * FROM cdn_configs WHERE site_id = ?`).get(siteId) || null;
+}
+
+function upsertCdnConfig(siteId, config) {
+  const existing = db.prepare(`SELECT id FROM cdn_configs WHERE site_id = ?`).get(siteId);
+
+  if (existing) {
+    const fields = [];
+    const params = [];
+
+    if (config.customDomain !== undefined) { fields.push('custom_domain = ?'); params.push(config.customDomain); }
+    if (config.sslStatus !== undefined) { fields.push('ssl_status = ?'); params.push(config.sslStatus); }
+    if (config.edgeLocations !== undefined) { fields.push('edge_locations = ?'); params.push(JSON.stringify(config.edgeLocations)); }
+    if (config.cacheTtl !== undefined) { fields.push('cache_ttl = ?'); params.push(config.cacheTtl); }
+    if (config.active !== undefined) { fields.push('active = ?'); params.push(config.active ? 1 : 0); }
+
+    if (fields.length > 0) {
+      params.push(existing.id);
+      db.prepare(`UPDATE cdn_configs SET ${fields.join(', ')} WHERE id = ?`).run(...params);
+    }
+    return existing.id;
+  }
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO cdn_configs (id, site_id, custom_domain, ssl_status, edge_locations, cache_ttl) VALUES (?, ?, ?, ?, ?, ?)`
+  ).run(
+    id, siteId,
+    config.customDomain || null,
+    config.sslStatus || 'pending',
+    JSON.stringify(config.edgeLocations || ['us-east', 'eu-west']),
+    config.cacheTtl || 86400
+  );
+  return id;
+}
+
+function recordCdnHit(cdnId, region, bandwidth) {
+  const today = new Date().toISOString().split('T')[0];
+  const existing = db.prepare(
+    `SELECT id, requests, bandwidth as bw, cache_hits FROM cdn_stats WHERE cdn_id = ? AND region = ? AND date(recorded_at) = ?`
+  ).get(cdnId, region, today);
+
+  if (existing) {
+    db.prepare(
+      `UPDATE cdn_stats SET requests = requests + 1, bandwidth = bandwidth + ?, cache_hits = cache_hits + 1 WHERE id = ?`
+    ).run(bandwidth || 0, existing.id);
+  } else {
+    db.prepare(
+      `INSERT INTO cdn_stats (cdn_id, region, requests, bandwidth, cache_hits) VALUES (?, ?, 1, ?, 1)`
+    ).run(cdnId, region, bandwidth || 0);
+  }
+
+  db.prepare(
+    `UPDATE cdn_configs SET requests_count = requests_count + 1, bandwidth_used = bandwidth_used + ? WHERE id = ?`
+  ).run(bandwidth || 0, cdnId);
+}
+
+function getCdnStats(cdnId, days = 30) {
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+
+  const daily = db.prepare(
+    `SELECT date(recorded_at) as day, SUM(requests) as requests, SUM(bandwidth) as bandwidth, SUM(cache_hits) as cache_hits FROM cdn_stats WHERE cdn_id = ? AND recorded_at >= ? GROUP BY day ORDER BY day`
+  ).all(cdnId, since);
+
+  const byRegion = db.prepare(
+    `SELECT region, SUM(requests) as requests, SUM(bandwidth) as bandwidth, AVG(avg_latency_ms) as avg_latency FROM cdn_stats WHERE cdn_id = ? AND recorded_at >= ? GROUP BY region ORDER BY requests DESC`
+  ).all(cdnId, since);
+
+  const totals = db.prepare(
+    `SELECT COALESCE(SUM(requests), 0) as requests, COALESCE(SUM(bandwidth), 0) as bandwidth, COALESCE(SUM(cache_hits), 0) as cache_hits FROM cdn_stats WHERE cdn_id = ? AND recorded_at >= ?`
+  ).get(cdnId, since);
+
+  return { daily, byRegion, totals };
+}
+
+function generateCdnUrl(siteId, customDomain) {
+  if (customDomain) {
+    return `https://${customDomain}/bridge/${siteId}/ai-agent-bridge.js`;
+  }
+  return `https://cdn.webagentbridge.com/bridge/${siteId}/ai-agent-bridge.js`;
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 11. Audit & Compliance
+// ═══════════════════════════════════════════════════════════════════════
+
+function logAudit(siteId, { userId, action, resourceType, resourceId, details, ipAddress, userAgent }) {
+  const result = db.prepare(
+    `INSERT INTO audit_logs (site_id, user_id, action, resource_type, resource_id, details, ip_address, user_agent) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+  ).run(siteId, userId || null, action, resourceType || null, resourceId || null, JSON.stringify(details || {}), ipAddress || null, userAgent || null);
+  return { id: result.lastInsertRowid };
+}
+
+function getAuditLogs(siteId, { limit = 50, offset = 0, action, since, until } = {}) {
+  const conditions = ['site_id = ?'];
+  const params = [siteId];
+
+  if (action) {
+    conditions.push('action = ?');
+    params.push(action);
+  }
+  if (since) {
+    conditions.push('created_at >= ?');
+    params.push(since);
+  }
+  if (until) {
+    conditions.push('created_at <= ?');
+    params.push(until);
+  }
+
+  const countResult = db.prepare(
+    `SELECT COUNT(*) as total FROM audit_logs WHERE ${conditions.join(' AND ')}`
+  ).get(...params);
+
+  const rows = db.prepare(
+    `SELECT * FROM audit_logs WHERE ${conditions.join(' AND ')} ORDER BY created_at DESC LIMIT ? OFFSET ?`
+  ).all(...params, limit, offset);
+
+  return { rows, total: countResult.total, limit, offset };
+}
+
+function getComplianceSettings(siteId) {
+  return db.prepare(`SELECT * FROM compliance_settings WHERE site_id = ?`).get(siteId) || null;
+}
+
+function upsertComplianceSettings(siteId, settings) {
+  const existing = db.prepare(`SELECT id FROM compliance_settings WHERE site_id = ?`).get(siteId);
+
+  if (existing) {
+    const fields = [];
+    const params = [];
+
+    if (settings.retentionDays !== undefined) { fields.push('retention_days = ?'); params.push(settings.retentionDays); }
+    if (settings.hipaaMode !== undefined) { fields.push('hipaa_mode = ?'); params.push(settings.hipaaMode ? 1 : 0); }
+    if (settings.gdprMode !== undefined) { fields.push('gdpr_mode = ?'); params.push(settings.gdprMode ? 1 : 0); }
+    if (settings.soc2Mode !== undefined) { fields.push('soc2_mode = ?'); params.push(settings.soc2Mode ? 1 : 0); }
+    if (settings.autoPurge !== undefined) { fields.push('auto_purge = ?'); params.push(settings.autoPurge ? 1 : 0); }
+
+    if (fields.length > 0) {
+      params.push(existing.id);
+      db.prepare(`UPDATE compliance_settings SET ${fields.join(', ')} WHERE id = ?`).run(...params);
+    }
+    return existing.id;
+  }
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO compliance_settings (id, site_id, retention_days, hipaa_mode, gdpr_mode, soc2_mode, auto_purge) VALUES (?, ?, ?, ?, ?, ?, ?)`
+  ).run(
+    id, siteId,
+    settings.retentionDays || 90,
+    settings.hipaaMode ? 1 : 0,
+    settings.gdprMode ? 1 : 0,
+    settings.soc2Mode ? 1 : 0,
+    settings.autoPurge !== undefined ? (settings.autoPurge ? 1 : 0) : 1
+  );
+  return id;
+}
+
+function exportAuditLogs(siteId, { format = 'json', since, until } = {}) {
+  const conditions = ['site_id = ?'];
+  const params = [siteId];
+
+  if (since) { conditions.push('created_at >= ?'); params.push(since); }
+  if (until) { conditions.push('created_at <= ?'); params.push(until); }
+
+  const rows = db.prepare(
+    `SELECT * FROM audit_logs WHERE ${conditions.join(' AND ')} ORDER BY created_at DESC`
+  ).all(...params);
+
+  const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+
+  if (format === 'csv') {
+    const headers = ['id', 'site_id', 'user_id', 'action', 'resource_type', 'resource_id', 'details', 'ip_address', 'user_agent', 'created_at'];
+    const csvLines = [headers.join(',')];
+    for (const row of rows) {
+      const line = headers.map((h) => {
+        const val = row[h] != null ? String(row[h]) : '';
+        return val.includes(',') || val.includes('"') || val.includes('\n')
+          ? `"${val.replace(/"/g, '""')}"`
+          : val;
+      });
+      csvLines.push(line.join(','));
+    }
+    return { data: csvLines.join('\n'), filename: `audit-logs-${timestamp}.csv`, contentType: 'text/csv' };
+  }
+
+  return { data: JSON.stringify(rows, null, 2), filename: `audit-logs-${timestamp}.json`, contentType: 'application/json' };
+}
+
+function purgeOldLogs(siteId) {
+  const settings = db.prepare(`SELECT retention_days, auto_purge FROM compliance_settings WHERE site_id = ?`).get(siteId);
+  const retentionDays = settings ? settings.retention_days : 90;
+
+  if (settings && !settings.auto_purge) return { deleted: 0, skipped: true };
+
+  const result = db.prepare(
+    `DELETE FROM audit_logs WHERE site_id = ? AND created_at < datetime('now', ? || ' days')`
+  ).run(siteId, `-${retentionDays}`);
+
+  return { deleted: result.changes, retentionDays };
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// 12. Sandbox
+// ═══════════════════════════════════════════════════════════════════════
+
+function createSandbox(siteId, { name } = {}) {
+  const site = db.prepare(`SELECT config, tier, domain FROM sites WHERE id = ?`).get(siteId);
+  const snapshot = site ? JSON.stringify({ config: site.config, tier: site.tier, domain: site.domain, snapshotAt: new Date().toISOString() }) : '{}';
+
+  const id = uuidv4();
+  db.prepare(
+    `INSERT INTO sandbox_environments (id, site_id, name, config_snapshot) VALUES (?, ?, ?, ?)`
+  ).run(id, siteId, name || 'Default Sandbox', snapshot);
+  return { id, name: name || 'Default Sandbox', config_snapshot: snapshot };
+}
+
+function getSandboxes(siteId) {
+  return db.prepare(
+    `SELECT * FROM sandbox_environments WHERE site_id = ? ORDER BY created_at DESC`
+  ).all(siteId);
+}
+
+function deleteSandbox(sandboxId, siteId) {
+  const result = db.prepare(
+    `DELETE FROM sandbox_environments WHERE id = ? AND site_id = ?`
+  ).run(sandboxId, siteId);
+  return result.changes > 0;
+}
+
+async function simulateTraffic(sandboxId, { agentCount = 10, duration = 60, actionsPerAgent = 5 } = {}) {
+  const sandbox = db.prepare(`SELECT * FROM sandbox_environments WHERE id = ?`).get(sandboxId);
+  if (!sandbox) return null;
+
+  const site = db.prepare(`SELECT domain, config FROM sites WHERE id = ?`).get(sandbox.site_id);
+  const baseUrl = site && site.domain ? (site.domain.startsWith('http') ? site.domain : `https://${site.domain}`) : 'http://localhost:3003';
+
+  const wabEndpoints = [
+    { path: '/api/wab/ping', method: 'GET', type: 'friendly' },
+    { path: '/api/wab/discover', method: 'POST', type: 'friendly' },
+    { path: '/api/wab/page-info', method: 'POST', type: 'friendly' },
+    { path: '/api/wab/read', method: 'POST', type: 'aggressive' },
+    { path: '/api/wab/actions', method: 'GET', type: 'friendly' },
+    { path: '/', method: 'GET', type: 'friendly' },
+  ];
+  const userAgents = [
+    'WAB-Agent/1.0 (Google)', 'WAB-Agent/1.0 (OpenAI)', 'WAB-Agent/1.0 (Anthropic)',
+    'Python-urllib/3.11', 'curl/8.0', 'Mozilla/5.0 (WAB Test)',
+  ];
+
+  let totalActions = 0;
+  let successCount = 0;
+  let failCount = 0;
+  const typeDist = {};
+  const responseTimes = [];
+  const statusCodes = {};
+
+  const cappedAgents = Math.min(agentCount, 50);
+  const cappedActions = Math.min(actionsPerAgent, 10);
+
+  for (let i = 0; i < cappedAgents; i++) {
+    const endpoint = wabEndpoints[i % wabEndpoints.length];
+    const ua = userAgents[i % userAgents.length];
+    typeDist[endpoint.type] = (typeDist[endpoint.type] || 0) + 1;
+
+    for (let j = 0; j < cappedActions; j++) {
+      totalActions++;
+      const start = Date.now();
+      try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 5000);
+        const resp = await fetch(`${baseUrl}${endpoint.path}`, {
+          method: endpoint.method,
+          headers: { 'User-Agent': ua, 'Content-Type': 'application/json' },
+          body: endpoint.method === 'POST' ? JSON.stringify({ siteId: sandbox.site_id }) : undefined,
+          signal: controller.signal,
+        });
+        clearTimeout(timeout);
+        const elapsed = Date.now() - start;
+        responseTimes.push(elapsed);
+        statusCodes[resp.status] = (statusCodes[resp.status] || 0) + 1;
+        if (resp.status < 400) successCount++;
+        else failCount++;
+      } catch (_) {
+        failCount++;
+        responseTimes.push(Date.now() - start);
+      }
+    }
+  }
+
+  db.prepare(
+    `UPDATE sandbox_environments SET traffic_generated = traffic_generated + ? WHERE id = ?`
+  ).run(totalActions, sandboxId);
+
+  const avgResponseTime = responseTimes.length > 0
+    ? Math.round(responseTimes.reduce((a, b) => a + b, 0) / responseTimes.length)
+    : 0;
+  const maxResponseTime = responseTimes.length > 0 ? Math.max(...responseTimes) : 0;
+  const minResponseTime = responseTimes.length > 0 ? Math.min(...responseTimes) : 0;
+
+  return {
+    sandboxId,
+    agentCount: cappedAgents,
+    totalActions,
+    duration,
+    typeDist,
+    successCount,
+    failCount,
+    successRate: totalActions > 0 ? Math.round((successCount / totalActions) * 10000) / 100 : 0,
+    avgResponseTimeMs: avgResponseTime,
+    minResponseTimeMs: minResponseTime,
+    maxResponseTimeMs: maxResponseTime,
+    statusCodes,
+    avgActionsPerAgent: cappedAgents > 0 ? (totalActions / cappedAgents).toFixed(2) : '0',
+    simulatedAt: new Date().toISOString(),
+  };
+}
+
+async function runBenchmark(sandboxId, { benchmarkType } = {}) {
+  const sandbox = db.prepare(`SELECT * FROM sandbox_environments WHERE id = ?`).get(sandboxId);
+  if (!sandbox) return null;
+
+  const site = db.prepare(`SELECT domain FROM sites WHERE id = ?`).get(sandbox.site_id);
+  const baseUrl = site && site.domain ? (site.domain.startsWith('http') ? site.domain : `https://${site.domain}`) : 'http://localhost:3003';
+
+  let beforeValue, afterValue;
+  const type = benchmarkType || 'response_time';
+
+  const measureResponseTime = async (url, count) => {
+    const times = [];
+    for (let i = 0; i < count; i++) {
+      const start = Date.now();
+      try {
+        const ctrl = new AbortController();
+        const t = setTimeout(() => ctrl.abort(), 5000);
+        await fetch(url, { signal: ctrl.signal, headers: { 'User-Agent': 'WAB-Benchmark/1.0' } });
+        clearTimeout(t);
+        times.push(Date.now() - start);
+      } catch (_) {
+        times.push(Date.now() - start);
+      }
+    }
+    return times.length > 0 ? times.reduce((a, b) => a + b, 0) / times.length : 0;
+  };
+
+  const measureThroughput = async (url, durationMs) => {
+    let count = 0;
+    const end = Date.now() + durationMs;
+    while (Date.now() < end) {
+      try {
+        const ctrl = new AbortController();
+        const t = setTimeout(() => ctrl.abort(), 2000);
+        await fetch(url, { signal: ctrl.signal, headers: { 'User-Agent': 'WAB-Benchmark/1.0' } });
+        clearTimeout(t);
+      } catch (_) { /* count it anyway */ }
+      count++;
+    }
+    return Math.round(count / (durationMs / 1000));
+  };
+
+  switch (type) {
+    case 'rate_limit': {
+      const previous = db.prepare(
+        `SELECT after_value FROM sandbox_benchmarks WHERE sandbox_id = ? AND benchmark_type = 'rate_limit' ORDER BY recorded_at DESC LIMIT 1`
+      ).get(sandboxId);
+      beforeValue = previous ? previous.after_value : 60;
+      let accepted = 0;
+      const burstCount = 100;
+      const promises = [];
+      for (let i = 0; i < burstCount; i++) {
+        promises.push(
+          fetch(`${baseUrl}/api/wab/ping`, { headers: { 'User-Agent': 'WAB-Benchmark/1.0' } })
+            .then(r => { if (r.status < 429) accepted++; })
+            .catch(() => {})
+        );
+      }
+      await Promise.allSettled(promises);
+      afterValue = accepted;
+      break;
+    }
+    case 'response_time': {
+      beforeValue = await measureResponseTime(`${baseUrl}/`, 5);
+      beforeValue = Math.round(beforeValue * 100) / 100;
+      afterValue = await measureResponseTime(`${baseUrl}/api/wab/ping`, 10);
+      afterValue = Math.round(afterValue * 100) / 100;
+      break;
+    }
+    case 'throughput': {
+      beforeValue = await measureThroughput(`${baseUrl}/`, 3000);
+      afterValue = await measureThroughput(`${baseUrl}/api/wab/ping`, 3000);
+      break;
+    }
+    default: {
+      beforeValue = await measureResponseTime(`${baseUrl}/`, 3);
+      beforeValue = Math.round(beforeValue * 100) / 100;
+      afterValue = Math.random() * 100;
+    }
+  }
+
+  const result = db.prepare(
+    `INSERT INTO sandbox_benchmarks (sandbox_id, benchmark_type, before_value, after_value) VALUES (?, ?, ?, ?)`
+  ).run(sandboxId, type, beforeValue, afterValue);
+
+  return {
+    id: result.lastInsertRowid,
+    sandboxId,
+    benchmarkType: type,
+    beforeValue: Math.round(beforeValue * 100) / 100,
+    afterValue: Math.round(afterValue * 100) / 100,
+    improvement: Math.round(((beforeValue - afterValue) / beforeValue) * 10000) / 100,
+    unit: type === 'rate_limit' ? 'req/min' : type === 'response_time' ? 'ms' : 'req/s',
+    recordedAt: new Date().toISOString(),
+  };
+}
+
+function getBenchmarks(sandboxId) {
+  return db.prepare(
+    `SELECT * FROM sandbox_benchmarks WHERE sandbox_id = ? ORDER BY recorded_at DESC`
+  ).all(sandboxId);
+}
+
+function compareBenchmarks(sandboxId) {
+  const types = ['rate_limit', 'response_time', 'throughput'];
+  const comparison = {};
+
+  for (const type of types) {
+    const rows = db.prepare(
+      `SELECT * FROM sandbox_benchmarks WHERE sandbox_id = ? AND benchmark_type = ? ORDER BY recorded_at DESC LIMIT 2`
+    ).all(sandboxId, type);
+
+    if (rows.length >= 2) {
+      const latest = rows[0];
+      const previous = rows[1];
+      comparison[type] = {
+        latest: { before: latest.before_value, after: latest.after_value, recordedAt: latest.recorded_at },
+        previous: { before: previous.before_value, after: previous.after_value, recordedAt: previous.recorded_at },
+        delta: latest.after_value - previous.after_value,
+        improved: type === 'throughput'
+          ? latest.after_value > previous.after_value
+          : latest.after_value < previous.after_value,
+      };
+    } else if (rows.length === 1) {
+      comparison[type] = {
+        latest: { before: rows[0].before_value, after: rows[0].after_value, recordedAt: rows[0].recorded_at },
+        previous: null,
+        delta: null,
+        improved: null,
+      };
+    }
+  }
+
+  return comparison;
+}
+
+// ═══════════════════════════════════════════════════════════════════════
+// Exports
+// ═══════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  // 1. Agent Traffic Intelligence
+  parseUserAgent,
+  hashIP,
+  recordAgentVisit,
+  getAgentProfiles,
+  getAnomalyAlerts,
+  checkForAnomalies,
+  acknowledgeAlert,
+  getTrafficStats,
+
+  // 2. Advanced Exploit Shield
+  logSecurityEvent,
+  getSecurityEvents,
+  blockAgent,
+  unblockAgent,
+  isAgentBlocked,
+  getBlockedAgents,
+  getSecurityReport,
+  autoDetectThreats,
+
+  // 3. Smart Actions Library
+  getActionPacks,
+  getActionPack,
+  installPack,
+  uninstallPack,
+  getInstalledPacks,
+  getPackActions,
+
+  // 4. Custom AI Agents
+  createAgent,
+  updateAgent,
+  deleteAgent,
+  getAgents,
+  getAgent,
+  runAgent,
+  getAgentRuns,
+  getScheduledAgents,
+  updateNextRun,
+  parseSchedule,
+
+  // 5. Webhooks & CRM
+  createWebhook,
+  updateWebhook,
+  deleteWebhook,
+  getWebhooks,
+  triggerWebhooks,
+  getWebhookLogs,
+  addCrmIntegration,
+  updateCrmIntegration,
+  deleteCrmIntegration,
+  getCrmIntegrations,
+
+  // 6. Multi-Tenant
+  inviteSubUser,
+  getSubUsers,
+  updateSubUser,
+  deleteSubUser,
+  loginSubUser,
+  checkSubUserAccess,
+  incrementSubUserUsage,
+  resetMonthlyUsage,
+
+  // 7. Support Tickets
+  createTicket,
+  getTickets,
+  getTicket,
+  updateTicketStatus,
+  addTicketMessage,
+  getTicketMessages,
+  getTicketStats,
+  generateBotResponse,
+
+  // 8. Custom Bridge Script
+  getScriptConfig,
+  updateScriptConfig,
+  buildScript,
+  getAvailablePlugins,
+
+  // 9. Stealth Mode
+  getStealthProfile,
+  upsertStealthProfile,
+  getAntiDetectionConfig,
+  generateStealthScript,
+
+  // 10. CDN
+  getCdnConfig,
+  upsertCdnConfig,
+  recordCdnHit,
+  getCdnStats,
+  generateCdnUrl,
+
+  // 11. Audit & Compliance
+  logAudit,
+  getAuditLogs,
+  getComplianceSettings,
+  upsertComplianceSettings,
+  exportAuditLogs,
+  purgeOldLogs,
+
+  // 12. Sandbox
+  createSandbox,
+  getSandboxes,
+  deleteSandbox,
+  simulateTraffic,
+  runBenchmark,
+  getBenchmarks,
+  compareBenchmarks,
+};