web-agent-bridge 2.3.1 → 2.4.0

package/sdk/index.d.ts

@@ -209,3 +209,86 @@ export declare class WABMultiAgent {
   /** Close all browser sessions. */
   close(): Promise<void>;
 }
+
+// ─── WABUniversalAgent — Works on ANY page, no bridge needed ───────────
+
+export interface UniversalAnalysis {
+  url: string;
+  domain: string;
+  products?: Array<{
+    name?: string;
+    price?: number;
+    currency?: string;
+    originalPrice?: number;
+    rating?: number;
+    method?: string;
+  }>;
+  fairness?: {
+    total: number;
+    category: string;
+    breakdown: Record<string, number>;
+    wabBridge?: { installed: boolean; bonus?: number; hasNegotiation?: boolean };
+    platform?: { size: string; commission: number };
+  };
+  darkPatterns?: Array<{ type: string; severity?: string; matches?: string[] }>;
+  alerts?: Array<{ title: string; description?: string; severity?: string }>;
+}
+
+export interface UniversalDeal {
+  name?: string;
+  source?: string;
+  domain?: string;
+  priceUsd?: number;
+  rating?: number;
+  url?: string;
+  compositeScore?: number;
+  wabBridge?: boolean;
+  canNegotiate?: boolean;
+  fairness?: { total: number; category: string };
+}
+
+export interface UniversalDealsResult {
+  deals: UniversalDeal[];
+  insights?: Array<{ icon?: string; text: string }>;
+  sourcesChecked?: number;
+}
+
+export interface UniversalFairness {
+  domain: string;
+  total: number;
+  category: string;
+  breakdown: Record<string, number>;
+  wabBridge?: { installed: boolean; bonus?: number };
+  platform?: { size: string; commission: number };
+}
+
+export declare class WABUniversalAgent {
+  constructor(serverUrl?: string);
+
+  /** Extract products, prices, and metadata from any URL. */
+  extract(url: string): Promise<any>;
+
+  /** Full analysis: extract + fairness + fraud detection + dark patterns. */
+  analyze(url: string): Promise<UniversalAnalysis>;
+
+  /** Compare prices across multiple sources. */
+  compare(query: string, category?: string): Promise<any>;
+
+  /** Find and rank the best deals with fairness scoring. */
+  deals(query: string, category?: string, lang?: string): Promise<UniversalDealsResult>;
+
+  /** Get fairness score for a domain. */
+  fairness(domain: string): Promise<UniversalFairness>;
+
+  /** Detect dark patterns on a URL. */
+  darkPatterns(url: string): Promise<any>;
+
+  /** Get price history for a domain. */
+  priceHistory(domain: string): Promise<any>;
+
+  /** Get top fairness-scored sites. */
+  topFair(limit?: number): Promise<any>;
+
+  /** Get all known competing sources. */
+  sources(): Promise<any>;
+}

package/sdk/index.js

@@ -254,7 +254,121 @@ class WABAgent {
   }
 }
 
+/**
+ * WABUniversalAgent — Works on ANY page, no bridge script needed.
+ * Uses server-side extraction, analysis, and comparison APIs.
+ */
+class WABUniversalAgent {
+  /**
+   * @param {string} [serverUrl='http://localhost:3000'] — WAB server URL
+   */
+  constructor(serverUrl = 'http://localhost:3000') {
+    this.serverUrl = serverUrl.replace(/\/$/, '');
+  }
+
+  /** @private */
+  async _post(path, body) {
+    const res = await fetch(`${this.serverUrl}${path}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    });
+    if (!res.ok) throw new Error(`WAB API error ${res.status}: ${await res.text()}`);
+    return res.json();
+  }
+
+  /** @private */
+  async _get(path) {
+    const res = await fetch(`${this.serverUrl}${path}`);
+    if (!res.ok) throw new Error(`WAB API error ${res.status}: ${await res.text()}`);
+    return res.json();
+  }
+
+  /**
+   * Extract products, prices, and metadata from any URL.
+   * @param {string} url
+   * @returns {Promise<object>}
+   */
+  async extract(url) {
+    return this._post('/api/universal/extract', { url });
+  }
+
+  /**
+   * Full analysis: extract + fairness + fraud detection + dark patterns.
+   * @param {string} url
+   * @returns {Promise<object>}
+   */
+  async analyze(url) {
+    return this._post('/api/universal/analyze', { url });
+  }
+
+  /**
+   * Compare prices across multiple sources.
+   * @param {string} query — Product or service to search for
+   * @param {string} [category='product'] — 'product', 'hotel', 'flight'
+   * @returns {Promise<object>}
+   */
+  async compare(query, category = 'product') {
+    return this._post('/api/universal/compare', { query, category });
+  }
+
+  /**
+   * Find and rank the best deals with fairness scoring.
+   * @param {string} query
+   * @param {string} [category='product']
+   * @param {string} [lang='en']
+   * @returns {Promise<object>}
+   */
+  async deals(query, category = 'product', lang = 'en') {
+    return this._post('/api/universal/deals', { query, category, lang });
+  }
+
+  /**
+   * Get fairness score for a domain.
+   * @param {string} domain
+   * @returns {Promise<object>}
+   */
+  async fairness(domain) {
+    return this._post('/api/universal/fairness', { domain });
+  }
+
+  /**
+   * Detect dark patterns on a URL.
+   * @param {string} url
+   * @returns {Promise<object>}
+   */
+  async darkPatterns(url) {
+    return this._post('/api/universal/dark-patterns', { url });
+  }
+
+  /**
+   * Get price history for a domain.
+   * @param {string} domain
+   * @returns {Promise<object>}
+   */
+  async priceHistory(domain) {
+    return this._get(`/api/universal/history?domain=${encodeURIComponent(domain)}`);
+  }
+
+  /**
+   * Get top fairness-scored sites.
+   * @param {number} [limit=20]
+   * @returns {Promise<object>}
+   */
+  async topFair(limit = 20) {
+    return this._get(`/api/universal/top-fair?limit=${limit}`);
+  }
+
+  /**
+   * Get all known competing sources.
+   * @returns {Promise<object>}
+   */
+  async sources() {
+    return this._get('/api/universal/sources');
+  }
+}
+
 const { WABMultiAgent } = require('./multi-agent');
 const { WABAgentMesh } = require('./agent-mesh');
 
-module.exports = { WABAgent, WABMultiAgent, WABAgentMesh };
+module.exports = { WABAgent, WABUniversalAgent, WABMultiAgent, WABAgentMesh };

package/sdk/package.json

@@ -1,6 +1,6 @@
 {
   "name": "web-agent-bridge-sdk",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "description": "SDK for building AI agents that interact with Web Agent Bridge (WAB)",
   "main": "index.js",
   "license": "MIT",

package/server/config/secrets.js

@@ -33,10 +33,12 @@ function isProd() {
 function assertSecretsAtStartup() {
   if (isTest()) return;
   if (isProd() && !process.env.JWT_SECRET) {
-    _autoUserSecret = generateAutoSecret('JWT_SECRET');
+    console.error('[WAB] FATAL: JWT_SECRET is not set in production. Refusing to start with insecure defaults.');
+    process.exit(1);
   }
   if (isProd() && !process.env.JWT_SECRET_ADMIN) {
-    _autoAdminSecret = generateAutoSecret('JWT_SECRET_ADMIN');
+    console.error('[WAB] FATAL: JWT_SECRET_ADMIN is not set in production. Refusing to start with insecure defaults.');
+    process.exit(1);
   }
 }
 
@@ -44,14 +46,20 @@ function getJwtUserSecret() {
   if (isTest()) {
     return process.env.JWT_SECRET || 'test-secret-key-for-testing';
   }
-  return process.env.JWT_SECRET || _autoUserSecret || 'dev-user-secret-change-in-development';
+  if (process.env.JWT_SECRET) return process.env.JWT_SECRET;
+  // Dev mode: generate ephemeral secret per process (not hardcoded)
+  if (!_autoUserSecret) _autoUserSecret = generateAutoSecret('JWT_SECRET');
+  return _autoUserSecret;
 }
 
 function getJwtAdminSecret() {
   if (isTest()) {
-    return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || 'test-secret-key-for-testing-admin';
+    return process.env.JWT_SECRET_ADMIN || 'test-secret-key-for-testing-admin';
   }
-  return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || _autoAdminSecret || _autoUserSecret || 'dev-admin-secret-change-in-development';
+  if (process.env.JWT_SECRET_ADMIN) return process.env.JWT_SECRET_ADMIN;
+  // Dev mode: generate separate ephemeral secret (never share with user secret)
+  if (!_autoAdminSecret) _autoAdminSecret = generateAutoSecret('JWT_SECRET_ADMIN');
+  return _autoAdminSecret;
 }
 
 function signUserToken(payload, options = {}) {

package/server/index.js

@@ -11,7 +11,10 @@ const rateLimit = require('express-rate-limit');
 const path = require('path');
 const { setupWebSocket } = require('./ws');
 const { runMigrations } = require('./utils/migrate');
-const { maybeBootstrapAdmin } = require('./models/db');
+const { maybeBootstrapAdmin, db } = require('./models/db');
+const { initSearchEngine, search, getSuggestions, getTrendingSearches, getSearchStats, purgeOldCache } = require('./services/search-engine');
+const { processMessage: agentChat } = require('./services/agent-chat');
+const agentTasks = require('./services/agent-tasks');
 
 const authRoutes = require('./routes/auth');
 const apiRoutes = require('./routes/api');
@@ -21,6 +24,14 @@ const billingRoutes = require('./routes/billing');
 const sovereignRoutes = require('./routes/sovereign');
 const meshRoutes = require('./routes/mesh');
 const commanderRoutes = require('./routes/commander');
+const adsRoutes = require('./routes/ads');
+const wabApiRoutes = require('./routes/wab-api');
+const noscriptRoutes = require('./routes/noscript');
+const discoveryRoutes = require('./routes/discovery');
+const premiumRoutes = require('./routes/premium');
+const adminPremiumRoutes = require('./routes/admin-premium');
+const workspaceRoutes = require('./routes/agent-workspace');
+const universalRoutes = require('./routes/universal');
 const { handleWebhookRequest } = require('./services/stripe');
 
 const app = express();
@@ -62,11 +73,11 @@ app.use(
         defaultSrc: ["'self'"],
         scriptSrc,
         scriptSrcAttr: scriptSrc,
-        styleSrc,
+        styleSrc: [...styleSrc, 'https://fonts.googleapis.com'],
         imgSrc: ["'self'", 'data:', 'https:'],
         connectSrc: ["'self'", 'ws:', 'wss:'],
-        fontSrc: ["'self'", 'https:', 'data:'],
-        frameSrc: ["'none'"],
+        fontSrc: ["'self'", 'https://fonts.gstatic.com', 'https:', 'data:'],
+        frameSrc: ["'self'", 'https:', 'http:'],
         frameAncestors: ["'none'"],
         objectSrc: ["'none'"],
         baseUri: ["'self'"],
@@ -119,6 +130,51 @@ app.use('/api/billing', apiLimiter, billingRoutes);
 app.use('/api/sovereign', apiLimiter, sovereignRoutes);
 app.use('/api/mesh', apiLimiter, meshRoutes);
 app.use('/api/commander', apiLimiter, commanderRoutes);
+app.use('/api/ads', apiLimiter, adsRoutes);
+app.use('/api/wab', wabApiRoutes);
+app.use('/api/noscript', apiLimiter, noscriptRoutes);
+app.use('/api/discovery', apiLimiter, discoveryRoutes);
+app.use('/api/premium', apiLimiter, premiumRoutes);
+app.use('/api/admin/premium', apiLimiter, adminPremiumRoutes);
+app.use('/api/workspace', apiLimiter, workspaceRoutes);
+app.use('/api/universal', apiLimiter, universalRoutes);
+
+// ─── WAB Search Engine ────────────────────────────────────────────────
+
+const searchLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many search requests, please slow down' }
+});
+
+app.get('/api/search', searchLimiter, async (req, res) => {
+  const q = (req.query.q || '').trim();
+  if (!q) return res.json({ results: [], cached: false });
+  if (q.length > 200) return res.status(400).json({ error: 'Query too long' });
+  const crypto = require('crypto');
+  const ipHash = crypto.createHash('sha256').update(req.ip || '').digest('hex').slice(0, 16);
+  const result = await search(q, ipHash);
+  res.json(result);
+});
+
+app.get('/api/search/suggest', searchLimiter, (req, res) => {
+  const q = (req.query.q || '').trim();
+  if (!q) return res.json({ suggestions: [] });
+  const suggestions = getSuggestions(q, 8);
+  res.json({ suggestions });
+});
+
+app.get('/api/search/trending', apiLimiter, (req, res) => {
+  const trending = getTrendingSearches(10);
+  res.json({ trending });
+});
+
+app.get('/api/search/stats', apiLimiter, (req, res) => {
+  const stats = getSearchStats();
+  res.json(stats);
+});
 
 app.get('/dashboard', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'dashboard.html'));
@@ -153,6 +209,125 @@ app.get('/terms', (req, res) => {
 app.get('/cookies', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'cookies.html'));
 });
+app.get('/browser', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'browser.html'));
+});
+app.get('/workspace', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'agent-workspace.html'));
+});
+
+// Browser downloads
+app.use('/downloads', express.static(path.join(__dirname, '..', 'downloads'), {
+  maxAge: '1d',
+  setHeaders: (res, filePath) => {
+    res.set('Content-Disposition', 'attachment');
+  }
+}));
+
+// Agent chat endpoint for WAB Browser — Real AI Agent
+const chatLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 20,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many messages, please slow down' }
+});
+
+app.post('/api/wab/agent-chat', chatLimiter, async (req, res) => {
+  const { message, context, sessionId, taskId, taskAction } = req.body || {};
+  if (!message || typeof message !== 'string') {
+    return res.status(400).json({ error: 'Message required' });
+  }
+  if (message.length > 3000) {
+    return res.status(400).json({ error: 'Message too long' });
+  }
+
+  const sid = sessionId || req.ip || 'anonymous';
+
+  try {
+    // ── Task actions (user responding to an active task) ──
+    if (taskId && taskAction) {
+      if (taskAction === 'answer') {
+        const result = agentTasks.answerClarification(taskId, message);
+        if (result.status === 'planning') {
+          // Auto-execute after planning
+          const execResult = await agentTasks.executeTask(taskId);
+          return res.json({ ...execResult, type: 'task' });
+        }
+        return res.json({ ...result, type: 'task' });
+      }
+      if (taskAction === 'select') {
+        const idx = parseInt(message.replace(/\D/g, '')) - 1;
+        const result = agentTasks.selectOffer(taskId, idx);
+        return res.json({ ...result, type: 'task' });
+      }
+      if (taskAction === 'cancel') {
+        const result = agentTasks.cancelTask(taskId);
+        return res.json({ ...result, type: 'task' });
+      }
+    }
+
+    // ── Check if user wants to select from existing offers ──
+    if (!taskId) {
+      const selectMatch = message.match(/(?:اختر|اخت(?:ا|ي)ر|select|choose|pick)\s*(\d+)/i);
+      if (selectMatch) {
+        const tasks = agentTasks.getSessionTasks(sid, 1);
+        if (tasks.length > 0 && tasks[0].status === 'presenting') {
+          const idx = parseInt(selectMatch[1]) - 1;
+          const result = agentTasks.selectOffer(tasks[0].id, idx);
+          return res.json({ ...result, type: 'task' });
+        }
+      }
+    }
+
+    // ── Detect URL paste — create URL negotiation task ──
+    const urlData = agentTasks.parseBookingUrl(message);
+    if (urlData) {
+      const task = agentTasks.createUrlTask(sid, message, urlData);
+      const execResult = await agentTasks.executeUrlTask(task.taskId);
+      return res.json({ ...execResult, type: 'task', urlData });
+    }
+
+    // ── Detect if this is a task-type request (booking, shopping, etc.) ──
+    const intent = agentTasks.detectIntent(message);
+    if (intent.confidence >= 0.7 && intent.intent !== 'general') {
+      const task = agentTasks.createTask(sid, message);
+
+      if (task.status === 'clarifying') {
+        return res.json({ ...task, type: 'task' });
+      }
+
+      // If requirements are complete, auto-execute
+      const execResult = await agentTasks.executeTask(task.taskId);
+      return res.json({ ...execResult, type: 'task' });
+    }
+
+    // ── Regular chat (not a task) ──
+    const chatContext = {
+      url: context?.url || '',
+      platform: context?.platform || 'unknown',
+      sessionId: sid,
+    };
+    const result = await agentChat(message, chatContext);
+    res.json(result);
+  } catch (err) {
+    console.error('[agent-chat] Error:', err.message);
+    res.json({ reply: '🤖 عذراً، حدث خطأ. حاول مرة أخرى.', type: 'text' });
+  }
+});
+
+// Agent task status & history
+app.get('/api/wab/agent-task/:id', chatLimiter, (req, res) => {
+  const state = agentTasks.getTaskState(req.params.id);
+  if (!state) return res.status(404).json({ error: 'Task not found' });
+  res.json(state);
+});
+
+app.get('/api/wab/agent-tasks', chatLimiter, (req, res) => {
+  const sid = req.query.sessionId || req.ip || 'anonymous';
+  const tasks = agentTasks.getSessionTasks(sid, 20);
+  res.json({ tasks });
+});
 
 const pkg = require('../package.json');
 app.use(`/v${pkg.version.split('.')[0]}`, express.static(path.join(__dirname, '..', 'script')));
@@ -170,6 +345,10 @@ if (process.env.NODE_ENV !== 'test') {
   console.log('Running database migrations...');
   runMigrations();
   maybeBootstrapAdmin();
+  initSearchEngine(db);
+
+  // Purge old search cache every hour
+  setInterval(purgeOldCache, 60 * 60 * 1000);
 
   const server = http.createServer(app);
   setupWebSocket(server);

package/server/middleware/adminAuth.js

@@ -1,9 +1,10 @@
 const { signAdminToken, verifyAdminToken } = require('../config/secrets');
+const { isJWTRevoked } = require('../services/security');
 
 function generateAdminToken(admin) {
   return signAdminToken(
     { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
-    { expiresIn: '12h' }
+    { expiresIn: '4h' }
   );
 }
 
@@ -16,11 +17,15 @@ function authenticateAdmin(req, res, next) {
   }
 
   try {
+    if (isJWTRevoked(token)) {
+      return res.status(403).json({ error: 'Token has been revoked' });
+    }
     const decoded = verifyAdminToken(token);
     if (!decoded.isAdmin) {
       return res.status(403).json({ error: 'Admin privileges required' });
     }
     req.admin = decoded;
+    req._rawToken = token;
     next();
   } catch (err) {
     return res.status(403).json({ error: 'Invalid or expired admin token' });

package/server/middleware/auth.js

@@ -1,9 +1,10 @@
 const { signUserToken, verifyUserToken } = require('../config/secrets');
+const { isJWTRevoked } = require('../services/security');
 
 function generateToken(user) {
   return signUserToken(
     { id: user.id, email: user.email, name: user.name },
-    { expiresIn: '7d' }
+    { expiresIn: '24h' }
   );
 }
 
@@ -16,8 +17,13 @@ function authenticateToken(req, res, next) {
   }
 
   try {
+    // Check revocation list
+    if (isJWTRevoked(token)) {
+      return res.status(403).json({ error: 'Token has been revoked' });
+    }
     const decoded = verifyUserToken(token);
     req.user = decoded;
+    req._rawToken = token;
     next();
   } catch (err) {
     return res.status(403).json({ error: 'Invalid or expired token' });
@@ -30,7 +36,10 @@ function optionalAuth(req, res, next) {
 
   if (token) {
     try {
-      req.user = verifyUserToken(token);
+      if (!isJWTRevoked(token)) {
+        req.user = verifyUserToken(token);
+        req._rawToken = token;
+      }
     } catch (e) {
       // ignore invalid tokens for optional auth
     }

package/server/middleware/rateLimits.js

@@ -1,9 +1,75 @@
 /**
- * Stricter rate limits for license token / track endpoints (used inside license router).
+ * Comprehensive rate limits for all security-sensitive endpoints.
  */
 
 const rateLimit = require('express-rate-limit');
 
+// ─── Auth endpoints ──────────────────────────────────────────────────
+
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 10,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many authentication attempts, please try again later' }
+});
+
+const registerLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 5,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many registration attempts, please try again later' }
+});
+
+const adminLoginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many admin login attempts, please try again later' }
+});
+
+// ─── WAB API endpoints ───────────────────────────────────────────────
+
+const wabAuthenticateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 20,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.body?.siteId || req.body?.apiKey || 'anon'}`,
+  message: { error: 'Too many WAB authentication attempts' }
+});
+
+const wabActionLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 60,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.wabSession?.siteId || 'anon'}`,
+  message: { error: 'Too many action requests, please slow down' }
+});
+
+// ─── General API endpoints ───────────────────────────────────────────
+
+const apiLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 100,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many requests, please try again later' }
+});
+
+const searchLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many search requests' }
+});
+
+// ─── License endpoints (existing) ────────────────────────────────────
+
 const licenseTokenLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
   max: 30,
@@ -21,4 +87,14 @@ const licenseTrackLimiter = rateLimit({
   message: { error: 'Too many track requests, please try again later' }
 });
 
-module.exports = { licenseTokenLimiter, licenseTrackLimiter };
+module.exports = {
+  authLimiter,
+  registerLimiter,
+  adminLoginLimiter,
+  wabAuthenticateLimiter,
+  wabActionLimiter,
+  apiLimiter,
+  searchLimiter,
+  licenseTokenLimiter,
+  licenseTrackLimiter,
+};

package/server/migrations/003_ads_integer_cents.sql

@@ -0,0 +1,33 @@
+-- Migration 003: Convert ads financial columns from REAL to INTEGER (cents)
+-- This avoids floating-point precision issues in billing calculations.
+--
+-- NOTE: The wab_ads table in db.js now creates with INTEGER columns directly.
+-- This migration only matters for databases created before this change.
+-- On fresh databases, db.js already has the correct schema, so this is a no-op.
+-- On existing databases, this migration was already applied.
+
+-- Ensure the table and index exist (idempotent)
+CREATE TABLE IF NOT EXISTS wab_ads (
+    id TEXT PRIMARY KEY,
+    title TEXT NOT NULL,
+    description TEXT,
+    image_url TEXT,
+    target_url TEXT NOT NULL,
+    advertiser_name TEXT NOT NULL,
+    advertiser_email TEXT NOT NULL,
+    status TEXT DEFAULT 'pending' CHECK(status IN ('pending','approved','rejected','paused','expired')),
+    position TEXT DEFAULT 'new-tab' CHECK(position IN ('new-tab','sidebar','search')),
+    budget_cents INTEGER DEFAULT 0,
+    spent_cents INTEGER DEFAULT 0,
+    cpc_cents INTEGER DEFAULT 5,
+    cpi_cents INTEGER DEFAULT 1,
+    impressions INTEGER DEFAULT 0,
+    clicks INTEGER DEFAULT 0,
+    created_at TEXT DEFAULT (datetime('now')),
+    approved_by TEXT,
+    approved_at TEXT,
+    expires_at TEXT,
+    FOREIGN KEY (approved_by) REFERENCES admins(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_wab_ads_status ON wab_ads(status);