web-agent-bridge 2.3.1 → 2.5.0

package/server/routes/sovereign.js

@@ -12,6 +12,7 @@ const { authenticateToken } = require('../middleware/auth');
 const reputation = require('../services/reputation');
 const negotiation = require('../services/negotiation');
 const verification = require('../services/verification');
+const priceShield = require('../services/price-shield');
 
 // ═══════════════════════════════════════════════════════════════════════
 // REPUTATION API
@@ -304,4 +305,81 @@ router.get('/dashboard/sovereign', authenticateToken, (req, res) => {
   res.json(dashboardData);
 });
 
+// ═══════════════════════════════════════════════════════════════════════
+// DYNAMIC PRICING SHIELD API
+// ═══════════════════════════════════════════════════════════════════════
+
+// Get available identity personas
+router.get('/price-shield/personas', (req, res) => {
+  res.json(priceShield.getPersonas());
+});
+
+// Create a new price scan
+router.post('/price-shield/scans', (req, res) => {
+  const { siteId, url, itemName, category } = req.body;
+  if (!url) {
+    return res.status(400).json({ error: 'url is required' });
+  }
+  const result = priceShield.createScan({ siteId, url, itemName, category });
+  res.json(result);
+});
+
+// Record a probe result for a scan
+router.post('/price-shield/scans/:scanId/probes', (req, res) => {
+  const { personaId, priceText, currency, responseHeaders, cookiesReceived, durationMs } = req.body;
+  if (!personaId || !priceText) {
+    return res.status(400).json({ error: 'personaId and priceText are required' });
+  }
+  const result = priceShield.recordProbe(req.params.scanId, {
+    personaId, priceText, currency, responseHeaders, cookiesReceived, durationMs
+  });
+  if (result.error) return res.status(400).json(result);
+  res.json(result);
+});
+
+// Analyze a scan (after probes are recorded)
+router.post('/price-shield/scans/:scanId/analyze', (req, res) => {
+  const result = priceShield.analyzeScan(req.params.scanId);
+  if (result.error) return res.status(400).json(result);
+  res.json(result);
+});
+
+// Quick scan — all-in-one (provide probes + get analysis)
+router.post('/price-shield/quick-scan', (req, res) => {
+  const { url, itemName, siteId, category, probes } = req.body;
+  if (!url || !probes || !Array.isArray(probes) || probes.length < 2) {
+    return res.status(400).json({ error: 'url and at least 2 probes are required' });
+  }
+  const result = priceShield.quickScan({ url, itemName, siteId, category, probes });
+  if (result.error) return res.status(400).json(result);
+  res.json(result);
+});
+
+// Get scan report
+router.get('/price-shield/scans/:scanId', (req, res) => {
+  const result = priceShield.getScanReport(req.params.scanId);
+  if (result.error) return res.status(404).json(result);
+  res.json(result);
+});
+
+// Get global price shield statistics
+router.get('/price-shield/stats', (req, res) => {
+  res.json(priceShield.getGlobalStats());
+});
+
+// Get price history for a URL
+router.get('/price-shield/history', (req, res) => {
+  const url = req.query.url;
+  if (!url) return res.status(400).json({ error: 'url query parameter is required' });
+  const limit = Math.min(parseInt(req.query.limit) || 30, 100);
+  res.json(priceShield.getPriceHistory(url, limit));
+});
+
+// Get manipulation log for a site
+router.get('/price-shield/manipulations/:siteId', (req, res) => {
+  const limit = Math.min(parseInt(req.query.limit) || 20, 100);
+  const result = priceShield.getGlobalStats();
+  res.json(result.topManipulators.find(m => m.siteId === req.params.siteId) || { siteId: req.params.siteId, incidents: 0 });
+});
+
 module.exports = router;

package/server/routes/universal.js

@@ -0,0 +1,177 @@
+/**
+ * WAB Universal Agent — Server Routes
+ * ═══════════════════════════════════════════════════════════════════
+ * API endpoints for the Universal Agent mode.
+ * Used by: WAB Browser, Chrome Extension, direct API calls.
+ *
+ * All endpoints work WITHOUT requiring the target site to install any script.
+ */
+
+const express = require('express');
+const router = express.Router();
+const scraper = require('../services/universal-scraper');
+const priceIntel = require('../services/price-intelligence');
+const fairness = require('../services/fairness-engine');
+
+// ─── POST /api/universal/extract ─────────────────────────────────────
+// Extract prices/products from a URL (server-side fetch)
+router.post('/extract', async (req, res) => {
+  const { url } = req.body;
+  if (!url) return res.status(400).json({ error: 'URL required' });
+
+  try {
+    const result = await scraper.fetchAndExtract(url);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/analyze ─────────────────────────────────────
+// Full analysis: extract + fraud detection + trust score
+// Accepts either a URL (server-side fetch) or pre-extracted data (from browser)
+router.post('/analyze', async (req, res) => {
+  const { url, extraction } = req.body;
+
+  try {
+    let result;
+
+    if (extraction) {
+      // Data already extracted by browser/extension
+      const processed = scraper.processBrowserExtraction(extraction);
+      result = await priceIntel.analyzePrice(extraction.url || url || '', processed);
+
+      // Add dark pattern detection if text available
+      if (extraction.darkPatterns) {
+        result.darkPatterns = extraction.darkPatterns;
+      }
+    } else if (url) {
+      // Server-side fetch and analyze
+      result = await priceIntel.analyzePrice(url);
+    } else {
+      return res.status(400).json({ error: 'URL or extraction data required' });
+    }
+
+    // Add fairness score for the domain
+    if (result.domain) {
+      result.fairness = fairness.calculateFairnessScore(result.domain, {
+        fraudAlerts: (result.alerts || []).length,
+      });
+    }
+
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/compare ─────────────────────────────────────
+// Compare prices across multiple sources
+router.post('/compare', async (req, res) => {
+  const { query, category, maxSources } = req.body;
+  if (!query) return res.status(400).json({ error: 'Query required' });
+
+  try {
+    const result = await priceIntel.compareAcrossSources(
+      query,
+      category || 'product',
+      { maxSources: maxSources || 8 }
+    );
+
+    // Apply fairness ranking
+    if (result.results && result.results.length > 0) {
+      result.results = fairness.rankWithFairness(result.results, {
+        avgPrice: result.avgPrice,
+      });
+    }
+
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/deals ───────────────────────────────────────
+// Find best deals with fairness ranking + fraud detection
+router.post('/deals', async (req, res) => {
+  const { query, category, lang } = req.body;
+  if (!query) return res.status(400).json({ error: 'Query required' });
+
+  try {
+    const result = await priceIntel.findBestDeals(
+      query,
+      category || 'product',
+      { lang: lang || 'en' }
+    );
+
+    // Apply fairness ranking to deals
+    if (result.deals && result.deals.length > 0) {
+      result.deals = fairness.rankWithFairness(result.deals, {
+        avgPrice: result.deals.reduce((s, d) => s + (d.priceUsd || 0), 0) / result.deals.length,
+      });
+    }
+
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/fairness ────────────────────────────────────
+// Get fairness score for a domain
+router.post('/fairness', (req, res) => {
+  const { domain, url } = req.body;
+  const d = domain || (url ? (() => { try { return new URL(url).hostname; } catch (_) { return ''; } })() : '');
+  if (!d) return res.status(400).json({ error: 'Domain or URL required' });
+
+  const score = fairness.calculateFairnessScore(d);
+  res.json(score);
+});
+
+// ─── POST /api/universal/dark-patterns ───────────────────────────────
+// Detect dark patterns in page text
+router.post('/dark-patterns', (req, res) => {
+  const { text, lang } = req.body;
+  if (!text) return res.status(400).json({ error: 'Text required' });
+
+  const patterns = fairness.detectDarkPatterns(text, lang || 'en');
+  res.json({ patterns, count: patterns.length });
+});
+
+// ─── GET /api/universal/history ──────────────────────────────────────
+// Get price history for a URL
+router.get('/history', (req, res) => {
+  const { url } = req.query;
+  if (!url) return res.status(400).json({ error: 'URL required' });
+
+  const history = scraper.getPriceHistory(url, 30);
+  res.json({ url, history });
+});
+
+// ─── GET /api/universal/top-fair ─────────────────────────────────────
+// Get top fairness-ranked sites
+router.get('/top-fair', (req, res) => {
+  const limit = parseInt(req.query.limit) || 20;
+  const sites = fairness.getTopFairSites(limit);
+  res.json({ sites });
+});
+
+// ─── GET /api/universal/extraction-script ────────────────────────────
+// Get the browser extraction script (for dynamic injection)
+router.get('/extraction-script', (req, res) => {
+  res.set('Content-Type', 'application/javascript');
+  res.send(scraper.getBrowserExtractionScript());
+});
+
+// ─── GET /api/universal/sources ──────────────────────────────────────
+// List all competing sources by category
+router.get('/sources', (req, res) => {
+  const { category } = req.query;
+  if (category && priceIntel.COMPETING_SOURCES[category]) {
+    res.json({ category, sources: priceIntel.COMPETING_SOURCES[category] });
+  } else {
+    res.json(priceIntel.COMPETING_SOURCES);
+  }
+});
+
+module.exports = router;

package/server/routes/wab-api.js

@@ -9,8 +9,11 @@
 
 const express = require('express');
 const router = express.Router();
+const crypto = require('crypto');
 const { findSiteById, findSiteByLicense, recordAnalytic, db } = require('../models/db');
 const { broadcastAnalytic } = require('../ws');
+const { wabAuthenticateLimiter, wabActionLimiter, searchLimiter } = require('../middleware/rateLimits');
+const { auditLog } = require('../services/security');
 const {
   calculateNeutralityScore,
   fairnessWeightedSearch,
@@ -82,7 +85,7 @@ function buildErrorResponse(id, code, message) {
 // POST /api/wab/authenticate — session token exchange
 // ═════════════════════════════════════════════════════════════════════
 
-router.post('/authenticate', (req, res) => {
+router.post('/authenticate', wabAuthenticateLimiter, (req, res) => {
   try {
     const { siteId, apiKey, meta } = req.body;
     if (!siteId && !apiKey) {
@@ -91,12 +94,22 @@ router.post('/authenticate', (req, res) => {
 
     let site;
     if (apiKey) {
-      site = db.prepare('SELECT * FROM sites WHERE api_key = ? AND active = 1').get(apiKey);
+      // Timing-safe API key lookup: hash the provided key and compare against stored hashes
+      // to prevent timing attacks on the raw key comparison
+      const allActive = db.prepare('SELECT * FROM sites WHERE active = 1 AND api_key IS NOT NULL').all();
+      site = allActive.find(s => {
+        if (!s.api_key) return false;
+        const a = Buffer.from(s.api_key);
+        const b = Buffer.from(apiKey);
+        if (a.length !== b.length) return false;
+        return crypto.timingSafeEqual(a, b);
+      }) || null;
     } else {
       site = findSiteById.get(siteId);
     }
 
     if (!site) {
+      auditLog({ actorType: 'agent', action: 'wab_auth_failed', details: { siteId }, ip: req.ip, outcome: 'denied', severity: 'warning' });
       return res.status(404).json(buildErrorResponse(null, 'not_found', 'Site not found or invalid credentials'));
     }
 
@@ -105,7 +118,9 @@ router.post('/authenticate', (req, res) => {
       try {
         const reqDomain = new URL(origin).hostname.replace(/^www\./, '');
         const siteDomain = site.domain.replace(/^www\./, '');
-        if (reqDomain !== siteDomain && reqDomain !== 'localhost' && reqDomain !== '127.0.0.1') {
+        const isProduction = process.env.NODE_ENV === 'production';
+        const isLocalhost = reqDomain === 'localhost' || reqDomain === '127.0.0.1';
+        if (reqDomain !== siteDomain && !(isLocalhost && !isProduction)) {
           return res.status(403).json(buildErrorResponse(null, 'origin_mismatch', 'Origin does not match site domain'));
         }
       } catch (_) {}
@@ -193,7 +208,7 @@ router.get('/actions', (req, res) => {
 // POST /api/wab/actions/:name — execute action (with tracking)
 // ═════════════════════════════════════════════════════════════════════
 
-router.post('/actions/:name', requireSession, (req, res) => {
+router.post('/actions/:name', requireSession, wabActionLimiter, (req, res) => {
   try {
     const actionName = req.params.name;
     const site = findSiteById.get(req.wabSession.siteId);
@@ -333,7 +348,7 @@ router.get('/page-info', (req, res) => {
 // GET /api/wab/search — fairness-weighted search (MCP adapter uses this)
 // ═════════════════════════════════════════════════════════════════════
 
-router.get('/search', (req, res) => {
+router.get('/search', searchLimiter, (req, res) => {
   try {
     const query = req.query.q || '';
     const category = req.query.category || null;

package/server/runtime/event-bus.js

@@ -0,0 +1,210 @@
+'use strict';
+
+/**
+ * WAB Runtime - Event Bus
+ * 
+ * Async event system with typed events, middleware, replay buffer,
+ * and dead-letter queue. This is the nervous system of the Agent OS.
+ */
+
+const crypto = require('crypto');
+
+class EventBus {
+  constructor(options = {}) {
+    this._listeners = new Map();     // event → Set<{ id, handler, filter, once }>
+    this._middleware = [];           // global middleware
+    this._history = [];              // event replay buffer
+    this._deadLetter = [];           // failed events
+    this._maxHistory = options.maxHistory || 10000;
+    this._maxDeadLetter = options.maxDeadLetter || 1000;
+    this._stats = { emitted: 0, delivered: 0, failed: 0, dropped: 0 };
+  }
+
+  /**
+   * Subscribe to an event
+   * @returns {string} subscription ID for unsubscribe
+   */
+  on(event, handler, options = {}) {
+    if (!this._listeners.has(event)) this._listeners.set(event, new Set());
+    const sub = {
+      id: `sub_${crypto.randomBytes(8).toString('hex')}`,
+      handler,
+      filter: options.filter || null,
+      once: options.once || false,
+      priority: options.priority || 0,
+    };
+    this._listeners.get(event).add(sub);
+    return sub.id;
+  }
+
+  /**
+   * Subscribe once
+   */
+  once(event, handler, options = {}) {
+    return this.on(event, handler, { ...options, once: true });
+  }
+
+  /**
+   * Unsubscribe by subscription ID
+   */
+  off(subId) {
+    for (const [, subs] of this._listeners) {
+      for (const sub of subs) {
+        if (sub.id === subId) { subs.delete(sub); return true; }
+      }
+    }
+    return false;
+  }
+
+  /**
+   * Remove all listeners for an event
+   */
+  removeAll(event) {
+    if (event) this._listeners.delete(event);
+    else this._listeners.clear();
+  }
+
+  /**
+   * Emit an event
+   */
+  async emit(event, data, metadata = {}) {
+    const envelope = {
+      id: `evt_${crypto.randomBytes(12).toString('hex')}`,
+      event,
+      data,
+      metadata: {
+        ...metadata,
+        timestamp: Date.now(),
+        source: metadata.source || 'system',
+      },
+    };
+
+    // Run global middleware
+    for (const mw of this._middleware) {
+      try {
+        const result = await mw(envelope);
+        if (result === false) {
+          this._stats.dropped++;
+          return envelope;
+        }
+      } catch (_) { /* middleware errors don't block */ }
+    }
+
+    // Store in history
+    this._history.push(envelope);
+    if (this._history.length > this._maxHistory) {
+      this._history = this._history.slice(-Math.floor(this._maxHistory * 0.8));
+    }
+
+    this._stats.emitted++;
+
+    // Get listeners (event + wildcard)
+    const listeners = [];
+    const exact = this._listeners.get(event);
+    if (exact) for (const sub of exact) listeners.push(sub);
+    const wild = this._listeners.get('*');
+    if (wild) for (const sub of wild) listeners.push(sub);
+
+    // Also match namespace wildcards: 'task.*' matches 'task.completed'
+    for (const [pattern, subs] of this._listeners) {
+      if (pattern === event || pattern === '*') continue;
+      if (pattern.endsWith('.*') && event.startsWith(pattern.slice(0, -1))) {
+        for (const sub of subs) listeners.push(sub);
+      }
+    }
+
+    // Sort by priority (higher first)
+    listeners.sort((a, b) => b.priority - a.priority);
+
+    // Dispatch
+    const toRemove = [];
+    for (const sub of listeners) {
+      try {
+        if (sub.filter && !sub.filter(envelope.data, envelope.metadata)) continue;
+        await sub.handler(envelope.data, envelope.metadata, envelope);
+        this._stats.delivered++;
+        if (sub.once) toRemove.push(sub);
+      } catch (err) {
+        this._stats.failed++;
+        this._deadLetter.push({ envelope, error: err.message, subscriberId: sub.id, timestamp: Date.now() });
+        if (this._deadLetter.length > this._maxDeadLetter) {
+          this._deadLetter = this._deadLetter.slice(-Math.floor(this._maxDeadLetter * 0.8));
+        }
+      }
+    }
+
+    // Cleanup one-time subs
+    for (const sub of toRemove) {
+      for (const [, subs] of this._listeners) subs.delete(sub);
+    }
+
+    return envelope;
+  }
+
+  /**
+   * Add global middleware
+   */
+  use(middleware) {
+    this._middleware.push(middleware);
+  }
+
+  /**
+   * Replay events matching filter since a timestamp
+   */
+  async replay(since, filter, handler) {
+    const events = this._history.filter(
+      e => e.metadata.timestamp >= since && (!filter || filter(e))
+    );
+    for (const e of events) {
+      await handler(e.data, e.metadata, e);
+    }
+    return events.length;
+  }
+
+  /**
+   * Wait for a specific event (returns a promise)
+   */
+  waitFor(event, timeout = 30000, filter = null) {
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(() => {
+        this.off(subId);
+        reject(new Error(`Timeout waiting for event: ${event}`));
+      }, timeout);
+
+      const subId = this.once(event, (data, meta) => {
+        clearTimeout(timer);
+        resolve({ data, meta });
+      }, { filter });
+    });
+  }
+
+  /**
+   * Get dead letter queue
+   */
+  getDeadLetters(limit = 50) {
+    return this._deadLetter.slice(-limit);
+  }
+
+  /**
+   * Get stats
+   */
+  getStats() {
+    return {
+      ...this._stats,
+      listeners: this._countListeners(),
+      historySize: this._history.length,
+      deadLetterSize: this._deadLetter.length,
+    };
+  }
+
+  _countListeners() {
+    let count = 0;
+    for (const [, subs] of this._listeners) count += subs.size;
+    return count;
+  }
+}
+
+// Singleton event bus for the runtime
+const bus = new EventBus();
+
+module.exports = { EventBus, bus };