npm - web-agent-bridge - Versions diffs - 2.3.0 → 2.4.0 - Mend

web-agent-bridge 2.3.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/README.ar.md +506 -31
package/README.md +574 -47
package/bin/agent-runner.js +10 -1
package/package.json +12 -4
package/public/agent-workspace.html +347 -0
package/public/browser.html +484 -0
package/public/commander-dashboard.html +243 -0
package/public/css/agent-workspace.css +1713 -0
package/public/css/premium.css +317 -317
package/public/demo.html +259 -259
package/public/index.html +738 -644
package/public/js/agent-workspace.js +1740 -0
package/public/mesh-dashboard.html +309 -382
package/public/premium-dashboard.html +2487 -2487
package/public/premium.html +791 -791
package/public/script/wab.min.js +124 -87
package/script/ai-agent-bridge.js +154 -84
package/sdk/agent-mesh.js +287 -171
package/sdk/commander.js +262 -0
package/sdk/index.d.ts +83 -0
package/sdk/index.js +374 -260
package/sdk/package.json +1 -1
package/server/config/secrets.js +13 -5
package/server/index.js +191 -5
package/server/middleware/adminAuth.js +6 -1
package/server/middleware/auth.js +11 -2
package/server/middleware/rateLimits.js +78 -2
package/server/migrations/002_premium_features.sql +418 -418
package/server/migrations/003_ads_integer_cents.sql +33 -0
package/server/models/db.js +121 -1
package/server/routes/admin-premium.js +671 -671
package/server/routes/admin.js +16 -2
package/server/routes/ads.js +130 -0
package/server/routes/agent-workspace.js +378 -0
package/server/routes/api.js +21 -2
package/server/routes/auth.js +26 -6
package/server/routes/commander.js +316 -0
package/server/routes/mesh.js +370 -201
package/server/routes/premium-v2.js +686 -686
package/server/routes/premium.js +724 -724
package/server/routes/sovereign.js +78 -0
package/server/routes/universal.js +177 -0
package/server/routes/wab-api.js +20 -5
package/server/services/agent-chat.js +506 -0
package/server/services/agent-learning.js +230 -77
package/server/services/agent-memory.js +625 -625
package/server/services/agent-mesh.js +260 -67
package/server/services/agent-symphony.js +553 -517
package/server/services/agent-tasks.js +1807 -0
package/server/services/commander.js +738 -0
package/server/services/edge-compute.js +440 -0
package/server/services/fairness-engine.js +409 -0
package/server/services/local-ai.js +389 -0
package/server/services/plugins.js +771 -747
package/server/services/price-intelligence.js +565 -0
package/server/services/price-shield.js +1137 -0
package/server/services/search-engine.js +357 -0
package/server/services/security.js +513 -0
package/server/services/self-healing.js +843 -843
package/server/services/swarm.js +788 -788
package/server/services/universal-scraper.js +661 -0
package/server/services/vision.js +871 -871
package/server/ws.js +61 -1
package/public/admin/dashboard.html +0 -848
package/public/admin/login.html +0 -84
package/public/video/tutorial.mp4 +0 -0

package/server/routes/sovereign.js CHANGED Viewed

@@ -12,6 +12,7 @@ const { authenticateToken } = require('../middleware/auth');
 const reputation = require('../services/reputation');
 const negotiation = require('../services/negotiation');
 const verification = require('../services/verification');
+const priceShield = require('../services/price-shield');
 // ═══════════════════════════════════════════════════════════════════════
 // REPUTATION API
@@ -304,4 +305,81 @@ router.get('/dashboard/sovereign', authenticateToken, (req, res) => {
   res.json(dashboardData);
 });
+// ═══════════════════════════════════════════════════════════════════════
+// DYNAMIC PRICING SHIELD API
+// ═══════════════════════════════════════════════════════════════════════
+// Get available identity personas
+router.get('/price-shield/personas', (req, res) => {
+  res.json(priceShield.getPersonas());
+});
+// Create a new price scan
+router.post('/price-shield/scans', (req, res) => {
+  const { siteId, url, itemName, category } = req.body;
+  if (!url) {
+    return res.status(400).json({ error: 'url is required' });
+  }
+  const result = priceShield.createScan({ siteId, url, itemName, category });
+  res.json(result);
+});
+// Record a probe result for a scan
+router.post('/price-shield/scans/:scanId/probes', (req, res) => {
+  const { personaId, priceText, currency, responseHeaders, cookiesReceived, durationMs } = req.body;
+  if (!personaId || !priceText) {
+    return res.status(400).json({ error: 'personaId and priceText are required' });
+  }
+  const result = priceShield.recordProbe(req.params.scanId, {
+    personaId, priceText, currency, responseHeaders, cookiesReceived, durationMs
+  });
+  if (result.error) return res.status(400).json(result);
+  res.json(result);
+});
+// Analyze a scan (after probes are recorded)
+router.post('/price-shield/scans/:scanId/analyze', (req, res) => {
+  const result = priceShield.analyzeScan(req.params.scanId);
+  if (result.error) return res.status(400).json(result);
+  res.json(result);
+});
+// Quick scan — all-in-one (provide probes + get analysis)
+router.post('/price-shield/quick-scan', (req, res) => {
+  const { url, itemName, siteId, category, probes } = req.body;
+  if (!url || !probes || !Array.isArray(probes) || probes.length < 2) {
+    return res.status(400).json({ error: 'url and at least 2 probes are required' });
+  }
+  const result = priceShield.quickScan({ url, itemName, siteId, category, probes });
+  if (result.error) return res.status(400).json(result);
+  res.json(result);
+});
+// Get scan report
+router.get('/price-shield/scans/:scanId', (req, res) => {
+  const result = priceShield.getScanReport(req.params.scanId);
+  if (result.error) return res.status(404).json(result);
+  res.json(result);
+});
+// Get global price shield statistics
+router.get('/price-shield/stats', (req, res) => {
+  res.json(priceShield.getGlobalStats());
+});
+// Get price history for a URL
+router.get('/price-shield/history', (req, res) => {
+  const url = req.query.url;
+  if (!url) return res.status(400).json({ error: 'url query parameter is required' });
+  const limit = Math.min(parseInt(req.query.limit) || 30, 100);
+  res.json(priceShield.getPriceHistory(url, limit));
+});
+// Get manipulation log for a site
+router.get('/price-shield/manipulations/:siteId', (req, res) => {
+  const limit = Math.min(parseInt(req.query.limit) || 20, 100);
+  const result = priceShield.getGlobalStats();
+  res.json(result.topManipulators.find(m => m.siteId === req.params.siteId) || { siteId: req.params.siteId, incidents: 0 });
+});
 module.exports = router;

package/server/routes/universal.js ADDED Viewed

@@ -0,0 +1,177 @@
+/**
+ * WAB Universal Agent — Server Routes
+ * ═══════════════════════════════════════════════════════════════════
+ * API endpoints for the Universal Agent mode.
+ * Used by: WAB Browser, Chrome Extension, direct API calls.
+ *
+ * All endpoints work WITHOUT requiring the target site to install any script.
+ */
+const express = require('express');
+const router = express.Router();
+const scraper = require('../services/universal-scraper');
+const priceIntel = require('../services/price-intelligence');
+const fairness = require('../services/fairness-engine');
+// ─── POST /api/universal/extract ─────────────────────────────────────
+// Extract prices/products from a URL (server-side fetch)
+router.post('/extract', async (req, res) => {
+  const { url } = req.body;
+  if (!url) return res.status(400).json({ error: 'URL required' });
+  try {
+    const result = await scraper.fetchAndExtract(url);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+// ─── POST /api/universal/analyze ─────────────────────────────────────
+// Full analysis: extract + fraud detection + trust score
+// Accepts either a URL (server-side fetch) or pre-extracted data (from browser)
+router.post('/analyze', async (req, res) => {
+  const { url, extraction } = req.body;
+  try {
+    let result;
+    if (extraction) {
+      // Data already extracted by browser/extension
+      const processed = scraper.processBrowserExtraction(extraction);
+      result = await priceIntel.analyzePrice(extraction.url || url || '', processed);
+      // Add dark pattern detection if text available
+      if (extraction.darkPatterns) {
+        result.darkPatterns = extraction.darkPatterns;
+      }
+    } else if (url) {
+      // Server-side fetch and analyze
+      result = await priceIntel.analyzePrice(url);
+    } else {
+      return res.status(400).json({ error: 'URL or extraction data required' });
+    }
+    // Add fairness score for the domain
+    if (result.domain) {
+      result.fairness = fairness.calculateFairnessScore(result.domain, {
+        fraudAlerts: (result.alerts || []).length,
+      });
+    }
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+// ─── POST /api/universal/compare ─────────────────────────────────────
+// Compare prices across multiple sources
+router.post('/compare', async (req, res) => {
+  const { query, category, maxSources } = req.body;
+  if (!query) return res.status(400).json({ error: 'Query required' });
+  try {
+    const result = await priceIntel.compareAcrossSources(
+      query,
+      category || 'product',
+      { maxSources: maxSources || 8 }
+    );
+    // Apply fairness ranking
+    if (result.results && result.results.length > 0) {
+      result.results = fairness.rankWithFairness(result.results, {
+        avgPrice: result.avgPrice,
+      });
+    }
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+// ─── POST /api/universal/deals ───────────────────────────────────────
+// Find best deals with fairness ranking + fraud detection
+router.post('/deals', async (req, res) => {
+  const { query, category, lang } = req.body;
+  if (!query) return res.status(400).json({ error: 'Query required' });
+  try {
+    const result = await priceIntel.findBestDeals(
+      query,
+      category || 'product',
+      { lang: lang || 'en' }
+    );
+    // Apply fairness ranking to deals
+    if (result.deals && result.deals.length > 0) {
+      result.deals = fairness.rankWithFairness(result.deals, {
+        avgPrice: result.deals.reduce((s, d) => s + (d.priceUsd || 0), 0) / result.deals.length,
+      });
+    }
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+// ─── POST /api/universal/fairness ────────────────────────────────────
+// Get fairness score for a domain
+router.post('/fairness', (req, res) => {
+  const { domain, url } = req.body;
+  const d = domain || (url ? (() => { try { return new URL(url).hostname; } catch (_) { return ''; } })() : '');
+  if (!d) return res.status(400).json({ error: 'Domain or URL required' });
+  const score = fairness.calculateFairnessScore(d);
+  res.json(score);
+});
+// ─── POST /api/universal/dark-patterns ───────────────────────────────
+// Detect dark patterns in page text
+router.post('/dark-patterns', (req, res) => {
+  const { text, lang } = req.body;
+  if (!text) return res.status(400).json({ error: 'Text required' });
+  const patterns = fairness.detectDarkPatterns(text, lang || 'en');
+  res.json({ patterns, count: patterns.length });
+});
+// ─── GET /api/universal/history ──────────────────────────────────────
+// Get price history for a URL
+router.get('/history', (req, res) => {
+  const { url } = req.query;
+  if (!url) return res.status(400).json({ error: 'URL required' });
+  const history = scraper.getPriceHistory(url, 30);
+  res.json({ url, history });
+});
+// ─── GET /api/universal/top-fair ─────────────────────────────────────
+// Get top fairness-ranked sites
+router.get('/top-fair', (req, res) => {
+  const limit = parseInt(req.query.limit) || 20;
+  const sites = fairness.getTopFairSites(limit);
+  res.json({ sites });
+});
+// ─── GET /api/universal/extraction-script ────────────────────────────
+// Get the browser extraction script (for dynamic injection)
+router.get('/extraction-script', (req, res) => {
+  res.set('Content-Type', 'application/javascript');
+  res.send(scraper.getBrowserExtractionScript());
+});
+// ─── GET /api/universal/sources ──────────────────────────────────────
+// List all competing sources by category
+router.get('/sources', (req, res) => {
+  const { category } = req.query;
+  if (category && priceIntel.COMPETING_SOURCES[category]) {
+    res.json({ category, sources: priceIntel.COMPETING_SOURCES[category] });
+  } else {
+    res.json(priceIntel.COMPETING_SOURCES);
+  }
+});
+module.exports = router;

package/server/routes/wab-api.js CHANGED Viewed

@@ -9,8 +9,11 @@
 const express = require('express');
 const router = express.Router();
+const crypto = require('crypto');
 const { findSiteById, findSiteByLicense, recordAnalytic, db } = require('../models/db');
 const { broadcastAnalytic } = require('../ws');
+const { wabAuthenticateLimiter, wabActionLimiter, searchLimiter } = require('../middleware/rateLimits');
+const { auditLog } = require('../services/security');
 const {
   calculateNeutralityScore,
   fairnessWeightedSearch,
@@ -82,7 +85,7 @@ function buildErrorResponse(id, code, message) {
 // POST /api/wab/authenticate — session token exchange
 // ═════════════════════════════════════════════════════════════════════
-router.post('/authenticate', (req, res) => {
+router.post('/authenticate', wabAuthenticateLimiter, (req, res) => {
   try {
     const { siteId, apiKey, meta } = req.body;
     if (!siteId && !apiKey) {
@@ -91,12 +94,22 @@ router.post('/authenticate', (req, res) => {
     let site;
     if (apiKey) {
-      site = db.prepare('SELECT * FROM sites WHERE api_key = ? AND active = 1').get(apiKey);
+      // Timing-safe API key lookup: hash the provided key and compare against stored hashes
+      // to prevent timing attacks on the raw key comparison
+      const allActive = db.prepare('SELECT * FROM sites WHERE active = 1 AND api_key IS NOT NULL').all();
+      site = allActive.find(s => {
+        if (!s.api_key) return false;
+        const a = Buffer.from(s.api_key);
+        const b = Buffer.from(apiKey);
+        if (a.length !== b.length) return false;
+        return crypto.timingSafeEqual(a, b);
+      }) || null;
     } else {
       site = findSiteById.get(siteId);
     }
     if (!site) {
+      auditLog({ actorType: 'agent', action: 'wab_auth_failed', details: { siteId }, ip: req.ip, outcome: 'denied', severity: 'warning' });
       return res.status(404).json(buildErrorResponse(null, 'not_found', 'Site not found or invalid credentials'));
     }
@@ -105,7 +118,9 @@ router.post('/authenticate', (req, res) => {
       try {
         const reqDomain = new URL(origin).hostname.replace(/^www\./, '');
         const siteDomain = site.domain.replace(/^www\./, '');
-        if (reqDomain !== siteDomain && reqDomain !== 'localhost' && reqDomain !== '127.0.0.1') {
+        const isProduction = process.env.NODE_ENV === 'production';
+        const isLocalhost = reqDomain === 'localhost' || reqDomain === '127.0.0.1';
+        if (reqDomain !== siteDomain && !(isLocalhost && !isProduction)) {
           return res.status(403).json(buildErrorResponse(null, 'origin_mismatch', 'Origin does not match site domain'));
         }
       } catch (_) {}
@@ -193,7 +208,7 @@ router.get('/actions', (req, res) => {
 // POST /api/wab/actions/:name — execute action (with tracking)
 // ═════════════════════════════════════════════════════════════════════
-router.post('/actions/:name', requireSession, (req, res) => {
+router.post('/actions/:name', requireSession, wabActionLimiter, (req, res) => {
   try {
     const actionName = req.params.name;
     const site = findSiteById.get(req.wabSession.siteId);
@@ -333,7 +348,7 @@ router.get('/page-info', (req, res) => {
 // GET /api/wab/search — fairness-weighted search (MCP adapter uses this)
 // ═════════════════════════════════════════════════════════════════════
-router.get('/search', (req, res) => {
+router.get('/search', searchLimiter, (req, res) => {
   try {
     const query = req.query.q || '';
     const category = req.query.category || null;